view mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 4210:a0937b5cfdcb

mod_invites_page: Remove preauth URI button This button is incompatible with the majority of XMPP clients around, yet based on feedback from users, many are drawn to click it when they have any XMPP client installed already. In the case where the user already has software installed, we would prefer them to select it from the software list so they can follow the setup process suited to their specific client (we already track which software supports preauth URIs). If their client is not listed, they can still use the manual registration link instead.
author Matthew Wild <mwild1@gmail.com>
date Fri, 16 Oct 2020 11:03:38 +0100
parents ee2cedb0f691
children
line wrap: on
line source

-- Copyright (C) 2013-2014 Kim Alvefur
-- This file is MIT/X11 licensed.

module:set_global();

local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");

local fingerprints = {};

local function hashprep(h)
	return tostring(h):gsub(":",""):lower();
end

local function hashfmt(h)
	return h:gsub("..","%0:", #h/2-1):upper();
end

for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
	local host_set = {}
	if type(set) == "table" then -- list of fingerprints
		for i=1,#set do
			host_set[hashprep(set[i])] = true;
		end
	else -- assume single fingerprint
		host_set[hashprep(set)] = true;
	end
	fingerprints[host] = host_set;
end

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;

	local host_fingerprints = fingerprints[host];
	if host_fingerprints then
		local digest = cert and cert:digest(digest_algo);
		if host_fingerprints[digest] then
			module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
			session.cert_chain_status = "valid";
			session.cert_identity_status = "valid";
			return true;
		else
			module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
			session.cert_chain_status = "invalid";
			session.cert_identity_status = "invalid";
		end
	end
end);