author | Matthew Wild <mwild1@gmail.com> |
Wed, 27 Mar 2024 15:39:03 +0000 | |
changeset 13470 | 5d9ec2e55d74 |
parent 13427 | 3c219effe707 |
permissions | -rw-r--r-- |
module:set_global();

local cert_verify_identity = require "prosody.util.x509".verify_identity;
local log = module._log;

-- Counter of validation outcomes, labelled by chain status and identity
-- status; a status that was never determined is reported as "unknown".
local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
	{ "chain"; "identity" })

--- Record the outcome of peer-certificate chain (PKIX) validation and
-- certificate identity matching on an s2s session.
--
-- Fields set on `event.session`:
--   cert_chain_status     "valid" | "invalid"; left unset when no certificate was sent
--   cert_chain_errors     the verification errors, only when the chain is invalid
--   cert_identity_status  "valid" | "invalid"; left unset when the chain is invalid,
--                         or when no host was asserted and no secure SRV target matched
--
-- Identity is only examined after the chain has verified, so an untrusted
-- chain can never produce cert_identity_status == "valid".
-- The handler runs at priority 509; its ordering relative to other handlers
-- of this event is defined by those handlers, not here.
module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn;
	local log = session.log or log;

	-- Hostname recorded by the connection layer from a DNSSEC-secured SRV
	-- lookup, if any; used as an alternative identity further down.
	local secure_hostname = conn.extra and conn.extra.secure_hostname;

	if not cert then
		-- Nothing to validate: both statuses stay unset and the counter is
		-- not incremented for this session.
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, chain_errors = conn:ssl_peerverification();
	if chain_valid then
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- Match the certificate against the identity the connecting
		-- server asserted, if it asserted one.
		if host then
			local identity_ok = cert_verify_identity(host, "xmpp-server", cert);
			session.cert_identity_status = identity_ok and "valid" or "invalid";
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end

		-- Fall back to the DNSSEC-signed SRV target name when the asserted
		-- identity did not match (or none was asserted).
		if secure_hostname and session.cert_identity_status ~= "valid"
			and cert_verify_identity(secure_hostname, "xmpp-server", cert) then
			module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
			session.cert_identity_status = "valid";
		end
	else
		log("debug", "certificate chain validation result: invalid");
		-- Is there any interest in printing out all/the number of errors here?
		if type(chain_errors) == "table" then
			-- Table form: keyed by chain depth, each value a list of messages.
			-- The depth-1 suggests the keys are 1-based -- verify against the
			-- connection layer's ssl_peerverification().
			for depth, messages in pairs(chain_errors) do
				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(messages, ", "));
			end
		else
			-- String form: a single error message.
			log("debug", "certificate error: %s", chain_errors);
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = chain_errors;
	end

	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);