changeset 1600:1e90054c3ac5

mod_tls_policy: New module to enforce per-host TLS parameter policies
author Kim Alvefur <zash@zash.se>
date Fri, 30 Jan 2015 12:12:06 +0100 (2015-01-30)
parents 8e006226e4c5
children c5ca63ac0e1b
files mod_tls_policy/mod_tls_policy.lua
diffstat 1 files changed, 37 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_tls_policy/mod_tls_policy.lua	Fri Jan 30 12:12:06 2015 +0100
@@ -0,0 +1,37 @@
+
+assert(require"ssl.core".info, "Incompatible LuaSec version");
+
+local function hook(event_name, typ, policy)
+	if not policy then return end
+	if policy == "FS" then
+		policy = { key = "DH$" };
+	elseif type(policy) == "string" then
+		policy = { cipher = policy };
+	end
+
+	module:hook(event_name, function (event)
+		local origin = event.origin;
+		if origin.encrypted then
+			local info = origin.conn:socket():info();
+			for key, what in pairs(policy) do
+				module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what));
+				if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not what:match(info[key])) then
+					origin:close({ condition = "policy-violation", text = "Cipher not acceptable" });
+					return false;
+				end
+				module:log("debug", "Seems so");
+			end
+			module:log("debug", "Policy matches");
+		end
+	end, 1000);
+end
+
+local policy = module:get_option(module.name, {});
+
+if type(policy) == "string" then
+	policy = { c2s = policy, s2s = policy };
+end
+
+hook("stream-features", "c2s", policy.c2s);
+hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s);
+hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);