Mercurial > prosody-modules
annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 1268:854a3933cfcd
mod_muc_log_http: URL-encode room names. This allows special characters in room names to work. Ideally this escaping shouldn’t be done in the user visible content, but the module’s template system doesn’t currently allow that.
author | Waqas Hussain <waqas20@gmail.com> |
---|---|
date | Sat, 04 Jan 2014 16:50:57 -0500 |
parents | fc42f8484451 |
children | 853a382c9bd6 |
rev | line source |
---|---|
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_s2s_keysize_policy.lua |
1204
fc42f8484451
mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents:
1203
diff
changeset
|
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12 |
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 module:set_global(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local datetime_parse = require"util.datetime".parse; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local function parse_x509_datetime(s) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month]; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 -- From RFC 4492 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local weak_key_size = { |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 RSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 DSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 DH = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 EC = 233, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 } |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 module:hook("s2s-check-certificate", function(event) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 local host, session, cert = event.host, event.session, event.cert; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 if cert and cert.pubkey then |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 local _, key_type, key_size = cert:pubkey(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 if key_size < ( weak_key_size[key_type] or 0 ) then |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 local issued = parse_x509_datetime(cert:notbefore()); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 if issued > weak_key_cutoff then |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 session.cert_chain_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 session.cert_identity_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 end); |