Mercurial Mercurial > prosody > prosody-modules / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua
author Matthew Wild <mwild1@gmail.com>
Sat, 24 Sep 2022 08:06:11 +0100
changeset 5060 2583bd7eb5d1
parent 2428 27ffa6521d4e
permissions -rw-r--r--
mod_cloud_notify: Add warnings about options including real body/sender
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset 
     1
 
-- mod_s2s_keysize_policy.lua
1204
fc42f8484451 mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents: 1203
diff changeset 
     2
 
-- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset 
     3
 












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     4


module:set_global();












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     5














5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     6


local datetime_parse = require"util.datetime".parse;












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     7


local pat = "^([JFMAONSD][ceupao][glptbvyncr])  ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     8


local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     9


local function parse_x509_datetime(s)












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    10


	local month, day, hour, min, sec, year = s:match(pat); month = months[month];












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    11


	return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    12


end












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    13














5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    14


local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    15














5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    16


-- From RFC 4492












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    17


local weak_key_size = {












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    18


	RSA = 2048,












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    19


	DSA = 2048,












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    20


	DH  = 2048,












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    21


	EC  =  233,












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    22


}












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    23














5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    24


module:hook("s2s-check-certificate", function(event)












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    25


	local host, session, cert = event.host, event.session, event.cert;












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    26


	if cert and cert.pubkey then












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    27


		local _, key_type, key_size = cert:pubkey();












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    28


		if key_size < ( weak_key_size[key_type] or 0 ) then







1325






b21236b6b8d8
Backed out changeset 853a382c9bd6



Kim Alvefur <zash@zash.se>


parents: 
1324

diff
changeset




    29


			local issued = parse_x509_datetime(cert:notbefore());












b21236b6b8d8
Backed out changeset 853a382c9bd6



Kim Alvefur <zash@zash.se>


parents: 
1324

diff
changeset




    30


			if issued > weak_key_cutoff then







2428






27ffa6521d4e
mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error



Kim Alvefur <zash@zash.se>


parents: 
1325

diff
changeset




    31


				session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);







1203






5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    32


				session.cert_chain_status = "invalid";












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    33


				session.cert_identity_status = "invalid";












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    34


			else












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    35


				session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    36


			end












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    37


		else












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    38


			session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    39


		end












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    40


	end












5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    41


end);














prosody-modules