Mercurial Mercurial > prosody > prosody / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
plugins/mod_s2s_auth_certs.lua
author Kim Alvefur <zash@zash.se>
Sat, 23 Mar 2024 20:48:19 +0100
changeset 13465 c673ff1075bd
parent 13427 3c219effe707
permissions -rw-r--r--
mod_posix: Move everything to util.startup This allows greater control over the order of events. Notably, the internal ordering between daemonization, initialization of libunbound and setup of signal handling is sensitive. libunbound starts a separate thread for processing DNS requests. If this thread is started before signal handling has been set up, it will not inherit the signal handlers and instead behave as it would have before signal handlers were set up, i.e. cause the whole process to immediately exit. libunbound is usually initialized on the first DNS request, usually triggered by an outgoing s2s connection attempt. If daemonization happens before signals have been set up, signals may not be processed at all.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset 
     1
 
module:set_global();
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset 
     2
 







12981






74b9e05af71e
plugins: Prefix module imports with prosody namespace



Kim Alvefur <zash@zash.se>


parents: 
12820

diff
changeset




     3


local cert_verify_identity = require "prosody.util.x509".verify_identity;







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     4


local log = module._log;












92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     5









11839






a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)



Kim Alvefur <zash@zash.se>


parents: 
10458

diff
changeset




     6


local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",












a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)



Kim Alvefur <zash@zash.se>


parents: 
10458

diff
changeset




     7


	{ "chain"; "identity" })












a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)



Kim Alvefur <zash@zash.se>


parents: 
10458

diff
changeset




     8









6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




     9


module:hook("s2s-check-certificate", function(event)












92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    10


	local session, host, cert = event.session, event.host, event.cert;







12484






7e9ebdc75ce4
net: isolate LuaSec-specifics



Jonas Schäfer <jonas@wielicki.name>


parents: 
11839

diff
changeset




    11


	local conn = session.conn;







6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    12


	local log = session.log or log;







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    13









12820






02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    14


	local secure_hostname = conn.extra and conn.extra.secure_hostname;












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    15









6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    16


	if not cert then












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    17


		log("warn", "No certificate provided by %s", host or "unknown host");












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    18


		return;












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    19


	end












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    20









13308






874600c982bd
mod_s2s_auth_certs: Remove LuaSec compat that moved to net.server



Kim Alvefur <zash@zash.se>


parents: 
12981

diff
changeset




    21


	local chain_valid, errors = conn:ssl_peerverification();







6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    22


	-- Is there any interest in printing out all/the number of errors here?












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    23


	if not chain_valid then












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    24


		log("debug", "certificate chain validation result: invalid");







13427






3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    25


		if type(errors) == "table" then












3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    26


			for depth, t in pairs(errors) do












3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    27


				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "));












3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    28


			end












3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    29


		else












3c219effe707
mod_s2s_auth_certs: Handle potential string error



Kim Alvefur <zash@zash.se>


parents: 
13308

diff
changeset




    30


			log("debug", "certificate error: %s", errors);







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    31


		end







6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    32


		session.cert_chain_status = "invalid";







10458






6c3fccb75b38
mod_s2s_auth_certs: Save chain validation errors for later use



Kim Alvefur <zash@zash.se>


parents: 
10230

diff
changeset




    33


		session.cert_chain_errors = errors;







6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    34


	else












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    35


		log("debug", "certificate chain validation result: valid");












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    36


		session.cert_chain_status = "valid";







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    37









6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    38


		-- We'll go ahead and verify the asserted identity if the












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    39


		-- connecting server specified one.












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    40


		if host then












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    41


			if cert_verify_identity(host, "xmpp-server", cert) then












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    42


				session.cert_identity_status = "valid"












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    43


			else












84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    44


				session.cert_identity_status = "invalid"







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    45


			end







6373






84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)



Kim Alvefur <zash@zash.se>


parents: 
6320

diff
changeset




    46


			log("debug", "certificate identity validation result: %s", session.cert_identity_status);







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    47


		end







12820






02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    48














02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    49


		-- Check for DNSSEC-signed SRV hostname












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    50


		if secure_hostname and session.cert_identity_status ~= "valid" then












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    51


			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    52


				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    53


				session.cert_identity_status = "valid"












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    54


			end












02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets



Kim Alvefur <zash@zash.se>


parents: 
12816

diff
changeset




    55


		end







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    56


	end







11839






a405884c62f4
mod_s2s_auth_certs: Collect stats on validation results (for #975)



Kim Alvefur <zash@zash.se>


parents: 
10458

diff
changeset




    57


	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);







6319






92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    58


end, 509);












92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin



Kim Alvefur <zash@zash.se>


parents: 

diff
changeset




    59
















prosody