comparison mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1381:11b6170a50f7
mod_s2s_auth_fingerprint: Log current fingerprint and match status
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 05 Apr 2014 13:41:12 +0200 |
parents | 703041357f89 |
children | ee2cedb0f691 |
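--- a/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
@@ -6,11 +6,15 @@
 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
 
 local fingerprints = {};
 
 local function hashprep(h)
-return tostring(h):lower():gsub(":","");
+return tostring(h):gsub(":",""):lower();
+end
+
+local function hashfmt(h)
+return h:gsub("..",":%0"):sub(2):upper();
 end
 
 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
 local host_set = {}
 if type(set) == "table" then -- list of fingerprints
@@ -28,14 +32,16 @@
 
 local host_fingerprints = fingerprints[host];
 if host_fingerprints then
 local digest = cert and cert:digest(digest_algo);
 if host_fingerprints[digest] then
+module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
 session.cert_chain_status = "valid";
 session.cert_identity_status = "valid";
 return true;
 else
+module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
 session.cert_chain_status = "invalid";
 session.cert_identity_status = "invalid";
 end
 end
 end);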
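Review bot: The new warn log in the else branch calls `hashfmt(digest)` even when `digest` is nil, which the `cert and cert:digest(digest_algo)` guard two lines earlier suggests can happen for a peer that presents no certificate. In that case `h:gsub` inside `hashfmt` raises on the nil value before `session.cert_chain_status = "invalid"` and `session.cert_identity_status = "invalid"` are assigned, so the explicit rejection is skipped. What happens to the session then depends on how the caller handles a handler error, which is not visible here. Guarding the argument keeps the failure path explicit: `module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), digest and hashfmt(digest) or "(none)");`. The enclosing handler function begins above the visible lines, so where `cert` comes from could not be checked.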