Annotate

plugins/mod_s2s_auth_certs.lua @ 12956:52fcdfe710ca

storagemanager: Add keyval+ (combined keyval + map) store type This combines the two most common store types, which modules often end up opening with both interfaces separately anyway. As well as combining them, I've taken the opportunity to improve some of the method names to make them clearer.
author Matthew Wild <mwild1@gmail.com>
date Tue, 27 Sep 2022 17:46:27 +0100
parent 12816:02f8b10d73e8
child 12977:74b9e05af71e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local cert_verify_identity = require "util.x509".verify_identity;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local NULL = {};
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local log = module._log;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
11835
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
7 local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
8 { "chain"; "identity" })
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
9
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 module:hook("s2s-check-certificate", function(event)
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local session, host, cert = event.session, event.host, event.cert;
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
12 local conn = session.conn;
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
13 local log = session.log or log;
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
12816
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
15 local secure_hostname = conn.extra and conn.extra.secure_hostname;
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
16
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
17 if not cert then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
18 log("warn", "No certificate provided by %s", host or "unknown host");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
19 return;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
20 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
21
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
22 local chain_valid, errors;
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
23 if conn.ssl_peerverification then
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 11835
diff changeset
24 chain_valid, errors = conn:ssl_peerverification();
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
25 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
26 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
27 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
28 -- Is there any interest in printing out all/the number of errors here?
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
29 if not chain_valid then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
30 log("debug", "certificate chain validation result: invalid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
31 for depth, t in pairs(errors or NULL) do
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
32 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
34 session.cert_chain_status = "invalid";
10454
6c3fccb75b38 mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents: 10226
diff changeset
35 session.cert_chain_errors = errors;
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
36 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
37 log("debug", "certificate chain validation result: valid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
38 session.cert_chain_status = "valid";
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
40 -- We'll go ahead and verify the asserted identity if the
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
41 -- connecting server specified one.
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
42 if host then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
43 if cert_verify_identity(host, "xmpp-server", cert) then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
44 session.cert_identity_status = "valid"
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
45 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
46 session.cert_identity_status = "invalid"
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
48 log("debug", "certificate identity validation result: %s", session.cert_identity_status);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 end
12816
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
50
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
51 -- Check for DNSSEC-signed SRV hostname
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
52 if secure_hostname and session.cert_identity_status ~= "valid" then
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
53 if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
54 module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
55 session.cert_identity_status = "valid"
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
56 end
02f8b10d73e8 mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents: 12812
diff changeset
57 end
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 end
11835
a405884c62f4 mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents: 10454
diff changeset
59 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 end, 509);
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61