annotate mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 5713:dde83f6043e6

mod_audit_register: Include hostpart with audit events here too mod_audit seems to expect this to be JIDs, not bare usernames.
author Kim Alvefur <zash@zash.se>
date Mon, 13 Nov 2023 17:23:49 +0100
parents ee2cedb0f691
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1380
703041357f89 mod_s2s_auth_fingerprint: Allways pin fingerprints
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
1 -- Copyright (C) 2013-2014 Kim Alvefur
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 -- This file is MIT/X11 licensed.
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local fingerprints = {};
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local function hashprep(h)
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
11 return tostring(h):gsub(":",""):lower();
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
12 end
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
13
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
14 local function hashfmt(h)
1875
ee2cedb0f691 mod_s2s_auth_fingerprint: Limit number of replacements instead of stripping extra separators
Kim Alvefur <zash@zash.se>
parents: 1381
diff changeset
15 return h:gsub("..","%0:", #h/2-1):upper();
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 local host_set = {}
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 if type(set) == "table" then -- list of fingerprints
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 for i=1,#set do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 host_set[hashprep(set[i])] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 else -- assume single fingerprint
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 host_set[hashprep(set)] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 fingerprints[host] = host_set;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 module:hook("s2s-check-certificate", function(event)
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local session, host, cert = event.session, event.host, event.cert;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 local host_fingerprints = fingerprints[host];
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
34 if host_fingerprints then
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
35 local digest = cert and cert:digest(digest_algo);
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 if host_fingerprints[digest] then
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
37 module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 session.cert_chain_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 session.cert_identity_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 return true;
1380
703041357f89 mod_s2s_auth_fingerprint: Allways pin fingerprints
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
41 else
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
42 module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
43 session.cert_chain_status = "invalid";
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
44 session.cert_identity_status = "invalid";
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 end);