annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5326:dc058fcc3fe3

mod_audit: Improve filtering options and add documentation to README
author Matthew Wild <mwild1@gmail.com>
date Fri, 07 Apr 2023 13:44:18 +0100
parents 27ffa6521d4e
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_s2s_keysize_policy.lua
1204
fc42f8484451 mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents: 1203
diff changeset
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local datetime_parse = require"util.datetime".parse;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local function parse_x509_datetime(s)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month];
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 -- From RFC 4492
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local weak_key_size = {
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 RSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 DSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 DH = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 EC = 233,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 }
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 module:hook("s2s-check-certificate", function(event)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 local host, session, cert = event.host, event.session, event.cert;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 if cert and cert.pubkey then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local _, key_type, key_size = cert:pubkey();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 if key_size < ( weak_key_size[key_type] or 0 ) then
1325
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
29 local issued = parse_x509_datetime(cert:notbefore());
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
30 if issued > weak_key_cutoff then
2424
27ffa6521d4e mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 session.cert_chain_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 session.cert_identity_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 end);