prosody-modules: mod_s2s_keysize_policy/mod_s2s_keysize

annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5418:f2c7bb3af600

mod_http_oauth2: Add role selector to consent page List includes all roles available to the user, if more than one. Defaults to either the first role in the scope string or the users primary role. Earlier draft listed all roles, but having options that can't be selected is bad UX and the entire list of all roles on the server could be long, and perhaps even sensitive. Allows e.g. picking a role with fewer permissions than what might otherwise have been selected. UX wise, doing this with more checkboxes or possibly radio buttons would have been confusion and/or looked messier. Fixes the previous situation where unselecting a role would default to the primary role, which could be more permissions than requested.

author	Kim Alvefur <zash@zash.se>
date	Fri, 05 May 2023 01:23:13 +0200
parents	27ffa6521d4e
children

rev	line source
1203 5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	1 -- mod_s2s_keysize_policy.lua
1204 fc42f8484451 mod_s2s_keysize_policy: Add note about required LuaSec patch Kim Alvefur <zash@zash.se> parents: 1203 diff changeset	2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12
1203 5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	3
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	4 module:set_global();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	5
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	6 local datetime_parse = require"util.datetime".parse;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	9 local function parse_x509_datetime(s)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	10 local month, day, hour, min, sec, year = s:match(pat); month = months[month];
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	12 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	13
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	15
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	16 -- From RFC 4492
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	17 local weak_key_size = {
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	18 RSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	19 DSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	20 DH = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	21 EC = 233,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	22 }
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	23
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	24 module:hook("s2s-check-certificate", function(event)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	25 local host, session, cert = event.host, event.session, event.cert;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	26 if cert and cert.pubkey then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	27 local _, key_type, key_size = cert:pubkey();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	28 if key_size < ( weak_key_size[key_type] or 0 ) then
1325 b21236b6b8d8 Backed out changeset 853a382c9bd6 Kim Alvefur <zash@zash.se> parents: 1324 diff changeset	29 local issued = parse_x509_datetime(cert:notbefore());
b21236b6b8d8 Backed out changeset 853a382c9bd6 Kim Alvefur <zash@zash.se> parents: 1324 diff changeset	30 if issued > weak_key_cutoff then
2424 27ffa6521d4e mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error Kim Alvefur <zash@zash.se> parents: 1325 diff changeset	31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
1203 5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	32 session.cert_chain_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	33 session.cert_identity_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	34 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	36 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	37 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	39 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	40 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 Kim Alvefur <zash@zash.se> parents: diff changeset	41 end);

Mercurial > prosody-modules

annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5418:f2c7bb3af600