Mercurial > prosody-modules
annotate mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1268:854a3933cfcd
mod_muc_log_http: URL-encode room names. This allows special characters in room names to work. Ideally this escaping shouldn’t be done in the user visible content, but the module’s template system doesn’t currently allow that.
| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Sat, 04 Jan 2014 16:50:57 -0500 |
| parents | 2b62a3b76d76 |
| children | 853a382c9bd6 |
| rev | line source |
|---|---|
|
938
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Copyright (C) 2013 Kim Alvefur |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- This file is MIT/X11 licensed. |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 module:set_global(); |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); |
|
1131
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
7 local must_match = module:get_option_boolean("s2s_pin_fingerprints", false); |
|
938
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local fingerprints = {}; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local function hashprep(h) |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 return tostring(h):lower():gsub(":",""); |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local host_set = {} |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 if type(set) == "table" then -- list of fingerprints |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 for i=1,#set do |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 host_set[hashprep(set[i])] = true; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 else -- assume single fingerprint |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 host_set[hashprep(set)] = true; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 fingerprints[host] = host_set; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 module:hook("s2s-check-certificate", function(event) |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local session, host, cert = event.session, event.host, event.cert; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 local host_fingerprints = fingerprints[host]; |
|
1131
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
31 if host_fingerprints then |
|
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
32 local digest = cert and cert:digest(digest_algo); |
|
938
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 if host_fingerprints[digest] then |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 session.cert_chain_status = "valid"; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 session.cert_identity_status = "valid"; |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 return true; |
|
1131
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
37 elseif must_match then |
|
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
38 session.cert_chain_status = "invalid"; |
|
e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents:
939
diff
changeset
|
39 session.cert_identity_status = "invalid"; |
|
938
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 end |
|
d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end); |