Software /
code /
prosody
Annotate
plugins/mod_s2s_auth_certs.lua @ 12956:52fcdfe710ca
storagemanager: Add keyval+ (combined keyval + map) store type
This combines the two most common store types, which modules often end up
opening with both interfaces separately anyway.
As well as combining them, I've taken the opportunity to improve some of the
method names to make them clearer.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 27 Sep 2022 17:46:27 +0100 |
parent | 12816:02f8b10d73e8 |
child | 12977:74b9e05af71e |
rev | line source |
---|---|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local cert_verify_identity = require "util.x509".verify_identity; |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local NULL = {}; |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local log = module._log; |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
7 local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results", |
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
8 { "chain"; "identity" }) |
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
9 |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 module:hook("s2s-check-certificate", function(event) |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local session, host, cert = event.session, event.host, event.cert; |
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
11835
diff
changeset
|
12 local conn = session.conn; |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
13 local log = session.log or log; |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
15 local secure_hostname = conn.extra and conn.extra.secure_hostname; |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
16 |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
17 if not cert then |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
18 log("warn", "No certificate provided by %s", host or "unknown host"); |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
19 return; |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
20 end |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
21 |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
22 local chain_valid, errors; |
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
11835
diff
changeset
|
23 if conn.ssl_peerverification then |
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
11835
diff
changeset
|
24 chain_valid, errors = conn:ssl_peerverification(); |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
25 else |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
26 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
27 end |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
28 -- Is there any interest in printing out all/the number of errors here? |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
29 if not chain_valid then |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
30 log("debug", "certificate chain validation result: invalid"); |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
31 for depth, t in pairs(errors or NULL) do |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
32 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 end |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
34 session.cert_chain_status = "invalid"; |
10454
6c3fccb75b38
mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents:
10226
diff
changeset
|
35 session.cert_chain_errors = errors; |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
36 else |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
37 log("debug", "certificate chain validation result: valid"); |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
38 session.cert_chain_status = "valid"; |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
40 -- We'll go ahead and verify the asserted identity if the |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
41 -- connecting server specified one. |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
42 if host then |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
43 if cert_verify_identity(host, "xmpp-server", cert) then |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
44 session.cert_identity_status = "valid" |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
45 else |
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
46 session.cert_identity_status = "invalid" |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 end |
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
48 log("debug", "certificate identity validation result: %s", session.cert_identity_status); |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 end |
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
50 |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
51 -- Check for DNSSEC-signed SRV hostname |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
52 if secure_hostname and session.cert_identity_status ~= "valid" then |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
53 if cert_verify_identity(secure_hostname, "xmpp-server", cert) then |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
54 module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
55 session.cert_identity_status = "valid" |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
56 end |
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
57 end |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 end |
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
59 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); |
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 end, 509); |
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |