Mercurial > prosody-modules
annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 2861:afeb06e4cdea
mod_auth_dovecot: Disable debug logging (sensitive data being sent)
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 04 Jan 2018 05:03:00 +0100 |
parents | 663e5d923ef0 |
children |
rev | line source |
---|---|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local dm_load = require "util.datamanager".load; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local dm_store = require "util.datamanager".store; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local datetime = require "util.datetime".datetime; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local do_store = module:get_option_boolean(module:get_name().."_persist", false); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local function note_cert_digest(event) |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local session, remote_host, cert = event.session, event.host, event.cert; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 if not (remote_host and cert and cert.digest) then return end; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local digest = cert:digest(digest_algo); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local chain_status = session.cert_chain_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 local identity_status = session.cert_identity_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
20 module:log("info", "%s has a %s %s certificate with %s: %s", |
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
21 remote_host, |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 chain_status == "valid" and "trusted" or "untrusted", |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 identity_status or "invalid", |
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
24 digest_algo:upper(), |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 digest:upper():gsub("..",":%0"):sub(2)); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 if do_store then |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 digest = digest_algo..":"..digest; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 this_cert.last = datetime(); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 this_cert.times = this_cert.times + 1; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 seen_certs[digest] = this_cert; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 chain_status = chain_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 identity_status = identity_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 dm_store(remote_host, local_host, "s2s_certs", seen_certs); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
1787
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
41 if module.wrap_event then |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
42 -- 0.10 |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data) |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
44 local ret = handlers(event_name, event_data); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
45 note_cert_digest(event_data); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
46 return ret; |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
47 end); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
48 else |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
49 -- 0.9 |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
50 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
51 end |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 --[[ |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 function module.add_host(module) |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 ]] |