prosody-modules: mod_tls_policy/mod_tls

annotate mod_tls_policy/mod_tls_policy.lua @ 4362:116c88c28532

mod_http_admin_api: restructure group-related info in API - Return the members of the group right in the get_group_by_id call. This is an O(1) of extra work. - Remove the groups attribute from get_user_by_name as that is O(n) of work and rarely immediately needed. The replacement for the group membership information in the user is for now to use the group API and iterate; future work may fix that.

author	Jonas Schäfer <jonas@wielicki.name>
date	Wed, 20 Jan 2021 15:30:29 +0100
parents	a43ed0d28918
children	1b701f208b1b

rev	line source
1600 1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	1
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	2 assert(require"ssl.core".info, "Incompatible LuaSec version");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	3
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	4 local function hook(event_name, typ, policy)
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	5 if not policy then return end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	6 if policy == "FS" then
1891 a43ed0d28918 mod_tls_policy: Change the FS shortcut to match on ciphers with (EC)DHE (produces nicer stream error) Kim Alvefur <zash@zash.se> parents: 1615 diff changeset	7 policy = { cipher = "^E?C?DHE%-" };
1600 1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	8 elseif type(policy) == "string" then
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	9 policy = { cipher = policy };
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	10 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	11
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	12 module:hook(event_name, function (event)
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	13 local origin = event.origin;
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	14 if origin.encrypted then
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	15 local info = origin.conn:socket():info();
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	16 for key, what in pairs(policy) do
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	17 module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what));
1601 c5ca63ac0e1b mod_tls_policy: Fix pattern matching Kim Alvefur <zash@zash.se> parents: 1600 diff changeset	18 if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not info[key]:match(what)) then
1615 d0fd8a29b724 mod_tls_policy: Include which part of the cipher that did not match the policy in stream error Kim Alvefur <zash@zash.se> parents: 1601 diff changeset	19 origin:close({ condition = "policy-violation", text = ("TLS %s '%s' not acceptable"):format(key, tostring(info[key])) });
1600 1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	20 return false;
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	21 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	22 module:log("debug", "Seems so");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	23 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	24 module:log("debug", "Policy matches");
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	25 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	26 end, 1000);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	27 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	28
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	29 local policy = module:get_option(module.name, {});
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	30
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	31 if type(policy) == "string" then
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	32 policy = { c2s = policy, s2s = policy };
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	33 end
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	34
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	35 hook("stream-features", "c2s", policy.c2s);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	36 hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s);
1e90054c3ac5 mod_tls_policy: New module to enforce per-host TLS parameter policies Kim Alvefur <zash@zash.se> parents: diff changeset	37 hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);

Mercurial > prosody-modules

annotate mod_tls_policy/mod_tls_policy.lua @ 4362:116c88c28532