Software / code / prosody
Annotate
plugins/mod_s2s_auth_certs.lua @ 11379:5c820553ef82
mod_csi_simple: Set session state to 'flushing' while doing so
May be useful for 3rd party modules.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 16 Feb 2021 23:09:51 +0100 |
| parent | 10454:6c3fccb75b38 |
| child | 11835:a405884c62f4 |
| rev | line source |
|---|---|
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local cert_verify_identity = require "util.x509".verify_identity; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local NULL = {}; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local log = module._log; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 module:hook("s2s-check-certificate", function(event) |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local session, host, cert = event.session, event.host, event.cert; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local conn = session.conn:socket(); |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
10 local log = session.log or log; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
12 if not cert then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
13 log("warn", "No certificate provided by %s", host or "unknown host"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
14 return; |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
15 end |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
16 |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
17 local chain_valid, errors; |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
18 if conn.getpeerverification then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
19 chain_valid, errors = conn:getpeerverification(); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
20 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
21 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
22 end |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
23 -- Is there any interest in printing out all/the number of errors here? |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
24 if not chain_valid then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
25 log("debug", "certificate chain validation result: invalid"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
26 for depth, t in pairs(errors or NULL) do |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
27 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
29 session.cert_chain_status = "invalid"; |
|
10454
6c3fccb75b38
mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents:
10226
diff
changeset
|
30 session.cert_chain_errors = errors; |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
31 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
32 log("debug", "certificate chain validation result: valid"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
33 session.cert_chain_status = "valid"; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
35 -- We'll go ahead and verify the asserted identity if the |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
36 -- connecting server specified one. |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
37 if host then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
38 if cert_verify_identity(host, "xmpp-server", cert) then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
39 session.cert_identity_status = "valid" |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
40 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
41 session.cert_identity_status = "invalid" |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
43 log("debug", "certificate identity validation result: %s", session.cert_identity_status); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 end |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 end |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 end, 509); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
