Mercurial > prosody-modules
view mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 4738:5aee8d86629a
mod_bookmarks2: Fix handling of nick and password elements
This form of child retrieval fails when the stanza elements internally
don't have an 'xmlns' attribute, which can happen sometimes for some
reason, including when they have been constructed via the stanza builder
API. When that is the case then the explicit namespace arguemnt does not
match the nil value of the internal attribute. Calling `:get_child()`
without the namespace argument does the right thing here, with both nil
and the parent namespace as valid values for the internal attribute.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 03 Nov 2021 21:11:55 +0100 |
parents | 27ffa6521d4e |
children |
line wrap: on
line source
-- mod_s2s_keysize_policy.lua -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12 module:set_global(); local datetime_parse = require"util.datetime".parse; local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; local function parse_x509_datetime(s) local month, day, hour, min, sec, year = s:match(pat); month = months[month]; return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); end local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); -- From RFC 4492 local weak_key_size = { RSA = 2048, DSA = 2048, DH = 2048, EC = 233, } module:hook("s2s-check-certificate", function(event) local host, session, cert = event.host, event.session, event.cert; if cert and cert.pubkey then local _, key_type, key_size = cert:pubkey(); if key_size < ( weak_key_size[key_type] or 0 ) then local issued = parse_x509_datetime(cert:notbefore()); if issued > weak_key_cutoff then session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); session.cert_chain_status = "invalid"; session.cert_identity_status = "invalid"; else session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); end else session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); end end end);