view mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1324:853a382c9bd6

mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
author Kim Alvefur <zash@zash.se>
date Fri, 28 Feb 2014 15:36:06 +0100
parents 2b62a3b76d76
children b21236b6b8d8
line wrap: on
line source

-- Copyright (C) 2013 Kim Alvefur
-- This file is MIT/X11 licensed.

module:set_global();

local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
local tofu = module:get_option_boolean("s2s_tofu", false);

local fingerprints = {};

local function hashprep(h)
	return tostring(h):lower():gsub(":","");
end

for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
	local host_set = {}
	if type(set) == "table" then -- list of fingerprints
		for i=1,#set do
			host_set[hashprep(set[i])] = true;
		end
	else -- assume single fingerprint
		host_set[hashprep(set)] = true;
	end
	fingerprints[host] = host_set;
end

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;

	local host_fingerprints = fingerprints[host];
	if host_fingerprints then
		local digest = cert and cert:digest(digest_algo);
		if host_fingerprints[digest] then
			session.cert_chain_status = "valid";
			session.cert_identity_status = "valid";
			return true;
		elseif must_match then
			session.cert_chain_status = "invalid";
			session.cert_identity_status = "invalid";
		end
	elseif tofu
			and ( session.cert_chain_status ~= "valid"
			or session.cert_identity_status ~= "valid" ) then
		local digest = cert and cert:digest(digest_algo);
		fingerprints[host] = {
			[digest] = true;
		}
	end
end);

function module.save()
	return { fingerprints = fingerprints };
end

function module.restore(state)
	fingerprints = state.fingerprints;
end