annotate mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 5383:df11a2cbc7b7

mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Likely to become mandatory in OAuth 2.1. Backwards compatible since the default 'plain' verifier would compare nil with nil if the relevant parameters are left out.
author Kim Alvefur <zash@zash.se>
date Sat, 29 Apr 2023 13:09:46 +0200
parents ee2cedb0f691
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1380
703041357f89 mod_s2s_auth_fingerprint: Allways pin fingerprints
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
1 -- Copyright (C) 2013-2014 Kim Alvefur
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 -- This file is MIT/X11 licensed.
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local fingerprints = {};
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local function hashprep(h)
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
11 return tostring(h):gsub(":",""):lower();
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
12 end
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
13
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
14 local function hashfmt(h)
1875
ee2cedb0f691 mod_s2s_auth_fingerprint: Limit number of replacements instead of stripping extra separators
Kim Alvefur <zash@zash.se>
parents: 1381
diff changeset
15 return h:gsub("..","%0:", #h/2-1):upper();
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 local host_set = {}
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 if type(set) == "table" then -- list of fingerprints
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 for i=1,#set do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 host_set[hashprep(set[i])] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 else -- assume single fingerprint
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 host_set[hashprep(set)] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 fingerprints[host] = host_set;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 module:hook("s2s-check-certificate", function(event)
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local session, host, cert = event.session, event.host, event.cert;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 local host_fingerprints = fingerprints[host];
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
34 if host_fingerprints then
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
35 local digest = cert and cert:digest(digest_algo);
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 if host_fingerprints[digest] then
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
37 module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 session.cert_chain_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 session.cert_identity_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 return true;
1380
703041357f89 mod_s2s_auth_fingerprint: Allways pin fingerprints
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
41 else
1381
11b6170a50f7 mod_s2s_auth_fingerprint: Log current fingerprint and match status
Kim Alvefur <zash@zash.se>
parents: 1380
diff changeset
42 module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
43 session.cert_chain_status = "invalid";
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
44 session.cert_identity_status = "invalid";
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 end);