Software / code / prosody
Annotate
plugins/mod_s2s_auth_certs.lua @ 13553:850e4ade7a01
net.server_epoll: Make running out of buffer space a fatal error
Prevent Bad Things from happening when the buffer gets full.
This of course opens up the possibility of intentionally killing
connections by sending much stuff, which need to be mitigated with rate
limits elsewhere.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 09 Nov 2024 15:42:31 +0100 |
| parent | 13423:3c219effe707 |
| rev | line source |
|---|---|
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12816
diff
changeset
|
3 local cert_verify_identity = require "prosody.util.x509".verify_identity; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local log = module._log; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
6 local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results", |
|
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
7 { "chain"; "identity" }) |
|
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
8 |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 module:hook("s2s-check-certificate", function(event) |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local session, host, cert = event.session, event.host, event.cert; |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
11835
diff
changeset
|
11 local conn = session.conn; |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
12 local log = session.log or log; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
14 local secure_hostname = conn.extra and conn.extra.secure_hostname; |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
15 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
16 if not cert then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
17 log("warn", "No certificate provided by %s", host or "unknown host"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
18 return; |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
19 end |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
20 |
|
13304
874600c982bd
mod_s2s_auth_certs: Remove LuaSec compat that moved to net.server
Kim Alvefur <zash@zash.se>
parents:
12977
diff
changeset
|
21 local chain_valid, errors = conn:ssl_peerverification(); |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
22 -- Is there any interest in printing out all/the number of errors here? |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
23 if not chain_valid then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
24 log("debug", "certificate chain validation result: invalid"); |
|
13423
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
25 if type(errors) == "table" then |
|
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
26 for depth, t in pairs(errors) do |
|
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
27 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")); |
|
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
28 end |
|
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
29 else |
|
3c219effe707
mod_s2s_auth_certs: Handle potential string error
Kim Alvefur <zash@zash.se>
parents:
13304
diff
changeset
|
30 log("debug", "certificate error: %s", errors); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
32 session.cert_chain_status = "invalid"; |
|
10454
6c3fccb75b38
mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents:
10226
diff
changeset
|
33 session.cert_chain_errors = errors; |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
34 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
35 log("debug", "certificate chain validation result: valid"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
36 session.cert_chain_status = "valid"; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
38 -- We'll go ahead and verify the asserted identity if the |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
39 -- connecting server specified one. |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
40 if host then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
41 if cert_verify_identity(host, "xmpp-server", cert) then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
42 session.cert_identity_status = "valid" |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
43 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
44 session.cert_identity_status = "invalid" |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
46 log("debug", "certificate identity validation result: %s", session.cert_identity_status); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 end |
|
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
48 |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
49 -- Check for DNSSEC-signed SRV hostname |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
50 if secure_hostname and session.cert_identity_status ~= "valid" then |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
51 if cert_verify_identity(secure_hostname, "xmpp-server", cert) then |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
52 module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
53 session.cert_identity_status = "valid" |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
54 end |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
55 end |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 end |
|
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
57 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 end, 509); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
