Mercurial > prosody-modules
view mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1324:853a382c9bd6
mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 28 Feb 2014 15:36:06 +0100 |
| parents | 2b62a3b76d76 |
| children | b21236b6b8d8 |
line wrap: on
line source
-- Copyright (C) 2013 Kim Alvefur -- This file is MIT/X11 licensed. module:set_global(); local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); local must_match = module:get_option_boolean("s2s_pin_fingerprints", false); local tofu = module:get_option_boolean("s2s_tofu", false); local fingerprints = {}; local function hashprep(h) return tostring(h):lower():gsub(":",""); end for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do local host_set = {} if type(set) == "table" then -- list of fingerprints for i=1,#set do host_set[hashprep(set[i])] = true; end else -- assume single fingerprint host_set[hashprep(set)] = true; end fingerprints[host] = host_set; end module:hook("s2s-check-certificate", function(event) local session, host, cert = event.session, event.host, event.cert; local host_fingerprints = fingerprints[host]; if host_fingerprints then local digest = cert and cert:digest(digest_algo); if host_fingerprints[digest] then session.cert_chain_status = "valid"; session.cert_identity_status = "valid"; return true; elseif must_match then session.cert_chain_status = "invalid"; session.cert_identity_status = "invalid"; end elseif tofu and ( session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" ) then local digest = cert and cert:digest(digest_algo); fingerprints[host] = { [digest] = true; } end end); function module.save() return { fingerprints = fingerprints }; end function module.restore(state) fingerprints = state.fingerprints; end