Mercurial > prosody-modules

view mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 5285:8e1f1eb00b58

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_sasl2_fast: Fix harmless off-by-one error (invalidates existing tokens!) Problem: This was causing the key to become "<token>--cur" instead of the expected "<token>-cur". As the same key was used by the code to both set and get, it still worked. Rationale for change: Although it worked, it's unintended, inconsistent and messy. It increases the chances of future bugs due to the unexpected format. Side-effects of change: Existing '--cur' entries will not be checked after this change, and therefore existing FAST clients will fail to authenticate until they attempt password auth and obtain a new FAST token. Existing '--cur' entries in storage will not be cleaned up by this commit, but this is considered a minor issue, and okay for the relatively few FAST deployments.
author Matthew Wild <mwild1@gmail.com>
date Wed, 29 Mar 2023 16:12:15 +0100
parents ee2cedb0f691
children
line wrap: on
line source

-- Copyright (C) 2013-2014 Kim Alvefur
-- This file is MIT/X11 licensed.

module:set_global();

local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");

local fingerprints = {};

local function hashprep(h)
	return tostring(h):gsub(":",""):lower();
end

local function hashfmt(h)
	return h:gsub("..","%0:", #h/2-1):upper();
end

for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
	local host_set = {}
	if type(set) == "table" then -- list of fingerprints
		for i=1,#set do
			host_set[hashprep(set[i])] = true;
		end
	else -- assume single fingerprint
		host_set[hashprep(set)] = true;
	end
	fingerprints[host] = host_set;
end

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;

	local host_fingerprints = fingerprints[host];
	if host_fingerprints then
		local digest = cert and cert:digest(digest_algo);
		if host_fingerprints[digest] then
			module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
			session.cert_chain_status = "valid";
			session.cert_identity_status = "valid";
			return true;
		else
			module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
			session.cert_chain_status = "invalid";
			session.cert_identity_status = "invalid";
		end
	end
end);