mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
author Kim Alvefur <zash@zash.se>
Fri, 28 Feb 2014 15:36:06 +0100
changeset 1324 853a382c9bd6
parent 1166 2b62a3b76d76
child 1325 b21236b6b8d8
permissions -rw-r--r--
mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
-- Copyright (C) 2013 Kim Alvefur
-- This file is MIT/X11 licensed.
module:set_global();

-- Options. The digest option name is derived from the module's own name
-- (presumably "s2s_auth_fingerprint_digest"); the others are fixed.
-- "sha1" is the default digest for compatibility with existing configs;
-- a stronger digest can be configured if the TLS backend supports it.
local option_prefix = module:get_name();
local digest_algo = module:get_option_string(option_prefix.."_digest", "sha1");
-- When true, a host that has configured fingerprints is rejected unless one
-- of them matches (certificate pinning); when false, a non-match is ignored.
local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
-- Trust-on-first-use: remember the first fingerprint seen for hosts that
-- have no configured fingerprints and no otherwise valid certificate.
local tofu = module:get_option_boolean("s2s_tofu", false);

-- host -> set of normalised fingerprints (see hashprep) that are trusted
local fingerprints = {};
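--- Normalise a configured fingerprint for comparison with the digest
-- computed from the peer certificate: lower-case, with any ':' separators
-- removed (the form cert:digest() is expected to return).
-- @param h fingerprint from the config; non-strings go through tostring,
--  so a nil entry yields the literal string "nil" rather than an error
-- @treturn string normalised fingerprint
local function hashprep(h)
	-- gsub also returns the substitution count; the extra parentheses
	-- drop it so callers only ever see the single string value.
	return (tostring(h):lower():gsub(":", ""));
end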
-- Populate the trusted-fingerprint table from the config option
-- s2s_trusted_fingerprints, which maps a host name to either a single
-- fingerprint string or a list of them. Each host ends up with a set
-- keyed by the normalised fingerprint.
for host, configured in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
	-- Normalise the single-value form to a one-element list.
	local list = configured;
	if type(configured) ~= "table" then
		list = { configured };
	end
	local trusted = {};
	for i = 1, #list do
		trusted[hashprep(list[i])] = true;
	end
	fingerprints[host] = trusted;
end
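-- Decide whether a remote server's certificate is trusted based on its
-- fingerprint. `host` is the remote domain and `cert` the peer certificate
-- (absent when the peer presented none).
--
-- Three behaviours, selected by the options above:
--  * default: a fingerprint match marks both the chain and the identity as
--    valid, so a self-signed or otherwise unverifiable certificate is
--    accepted. A non-match changes nothing; regular validation still applies.
--  * must_match (s2s_pin_fingerprints): for hosts that have configured
--    fingerprints, anything other than a listed fingerprint — including a
--    missing certificate — is marked invalid, even if a CA would accept it.
--  * tofu (s2s_tofu): for a host with no known fingerprint whose certificate
--    did not pass regular validation, the fingerprint presented now is
--    recorded as the trusted one. That first connection is trusted on faith,
--    so TOFU only protects later connections; the record is kept across
--    module reloads via module.save/restore.
module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	-- nil/false when the peer presented no certificate
	local digest = cert and cert:digest(digest_algo);

	local host_fingerprints = fingerprints[host];
	if host_fingerprints then
		if digest and host_fingerprints[digest] then
			session.cert_chain_status = "valid";
			session.cert_identity_status = "valid";
			-- stop further handlers from overriding the decision
			return true;
		elseif must_match then
			session.cert_chain_status = "invalid";
			session.cert_identity_status = "invalid";
		end
	elseif tofu and digest
		and ( session.cert_chain_status ~= "valid"
		or session.cert_identity_status ~= "valid" ) then
		-- The `digest` guard matters: with no certificate this constructor
		-- would raise "table index is nil" and abort the certificate check.
		fingerprints[host] = { [digest] = true };
	end
end);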
--- Export the in-memory fingerprint table so it can be handed back to
-- module.restore() after a module reload (keeps TOFU-learned entries).
-- @treturn table state with a single `fingerprints` field
function module.save()
	local state = {};
	state.fingerprints = fingerprints;
	return state;
end
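--- Reinstate fingerprints saved by module.save() before a reload.
-- By the time this runs the module body has re-read the config, so saved
-- entries are merged into the fresh table instead of replacing it: hosts
-- present in the current config keep their configured set (a changed
-- config takes effect immediately), and saved entries for all other hosts
-- — the TOFU-learned ones — are carried over. Replacing the table
-- wholesale, as before, silently discarded config edits on reload.
-- @param state table previously returned by module.save(), or nil
function module.restore(state)
	local saved = state and state.fingerprints;
	-- tolerate a missing or malformed state rather than leaving
	-- `fingerprints` nil, which would make the certificate hook error
	if type(saved) ~= "table" then return; end
	for host, host_set in pairs(saved) do
		if fingerprints[host] == nil then
			fingerprints[host] = host_set;
		end
	end
end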