Software / code / prosody
Annotate
plugins/mod_s2s_auth_certs.lua @ 13357:f424c9f1460b
mod_mam: Use for loop in metadata query
Some storage drivers will perform cleanup after the last iteration, but
if only one step is taken this might be delayed until the garbage
collector gets to it.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 26 Nov 2023 22:58:11 +0100 |
| parent | 13304:874600c982bd |
| child | 13423:3c219effe707 |
| rev | line source |
|---|---|
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12816
diff
changeset
|
3 local cert_verify_identity = require "prosody.util.x509".verify_identity; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local NULL = {}; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local log = module._log; |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
|
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
7 local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results", |
|
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
8 { "chain"; "identity" }) |
|
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
9 |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 module:hook("s2s-check-certificate", function(event) |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local session, host, cert = event.session, event.host, event.cert; |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
11835
diff
changeset
|
12 local conn = session.conn; |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
13 local log = session.log or log; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
15 local secure_hostname = conn.extra and conn.extra.secure_hostname; |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
16 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
17 if not cert then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
18 log("warn", "No certificate provided by %s", host or "unknown host"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
19 return; |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
20 end |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
21 |
|
13304
874600c982bd
mod_s2s_auth_certs: Remove LuaSec compat that moved to net.server
Kim Alvefur <zash@zash.se>
parents:
12977
diff
changeset
|
22 local chain_valid, errors = conn:ssl_peerverification(); |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
23 -- Is there any interest in printing out all/the number of errors here? |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
24 if not chain_valid then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
25 log("debug", "certificate chain validation result: invalid"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
26 for depth, t in pairs(errors or NULL) do |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
27 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
29 session.cert_chain_status = "invalid"; |
|
10454
6c3fccb75b38
mod_s2s_auth_certs: Save chain validation errors for later use
Kim Alvefur <zash@zash.se>
parents:
10226
diff
changeset
|
30 session.cert_chain_errors = errors; |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
31 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
32 log("debug", "certificate chain validation result: valid"); |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
33 session.cert_chain_status = "valid"; |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
35 -- We'll go ahead and verify the asserted identity if the |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
36 -- connecting server specified one. |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
37 if host then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
38 if cert_verify_identity(host, "xmpp-server", cert) then |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
39 session.cert_identity_status = "valid" |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
40 else |
|
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
41 session.cert_identity_status = "invalid" |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
|
6373
84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents:
6320
diff
changeset
|
43 log("debug", "certificate identity validation result: %s", session.cert_identity_status); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 end |
|
12816
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
45 |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
46 -- Check for DNSSEC-signed SRV hostname |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
47 if secure_hostname and session.cert_identity_status ~= "valid" then |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
48 if cert_verify_identity(secure_hostname, "xmpp-server", cert) then |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
49 module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
50 session.cert_identity_status = "valid" |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
51 end |
|
02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Kim Alvefur <zash@zash.se>
parents:
12812
diff
changeset
|
52 end |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 end |
|
11835
a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)
Kim Alvefur <zash@zash.se>
parents:
10454
diff
changeset
|
54 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); |
|
6319
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 end, 509); |
|
92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
