mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
author Kim Alvefur <zash@zash.se>
Sun, 03 Mar 2024 11:23:40 +0100
changeset 5857 97c9b76867ca
parent 1879 ee2cedb0f691
permissions -rw-r--r--
mod_log_ringbuffer: Detach event handlers on logging reload (thanks Menel) Otherwise the global event handlers accumulate, one added each time logging is reloaded, and each invocation of the signal or event triggers one dump of each created ringbuffer.
-- Copyright (C) 2013-2014 Kim Alvefur
-- This file is MIT/X11 licensed.
module:set_global();

-- Digest algorithm used to fingerprint peer certificates, read from the
-- "<module name>_digest" option. Defaults to sha1; a stronger digest such as
-- sha256 can be configured if the TLS library offers it.
local digest_algo = module:get_option_string(string.format("%s_digest", module:get_name()), "sha1");

-- host -> set of fingerprints (keys normalized by hashprep(), values true)
local fingerprints = {};
--- Normalize a configured fingerprint for lookup: drop ":" separators and
-- lowercase the hex digits, the form the digest lookup in the certificate
-- hook expects. Non-string values are stringified first.
-- @param h fingerprint as configured (string, or anything tostring() accepts)
-- @treturn string normalized fingerprint
local function hashprep(h)
	local stripped = tostring(h):gsub(":", "");
	return stripped:lower();
end
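--- Format a bare hex fingerprint for logging as uppercase byte pairs
-- separated by ":" ("abcd" -> "AB:CD").
-- The replacement count is one less than the number of byte pairs so that
-- no trailing ":" is emitted. math.floor keeps that count integral for an
-- odd-length (malformed) input; without it, #h/2-1 is a non-integral float
-- on Lua 5.3+ and gsub raises on it.
-- @tparam string h hex digest without separators
-- @treturn string formatted fingerprint
local function hashfmt(h)
	local separators = math.floor(#h / 2) - 1;
	local spaced = h:gsub("..", "%0:", separators);
	return spaced:upper();
end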
-- Build the lookup table from s2s_trusted_fingerprints: each host maps to a
-- set of fingerprints normalized with hashprep(). A host entry may be either
-- a list of fingerprints or a single fingerprint given as a bare value.
for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
	local host_set = {};
	if type(set) ~= "table" then
		-- single fingerprint
		host_set[hashprep(set)] = true;
	else
		-- list of fingerprints
		local count = #set;
		for idx = 1, count do
			host_set[hashprep(set[idx])] = true;
		end
	end
	fingerprints[host] = host_set;
end
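-- Authenticate an s2s peer by the fingerprint of the certificate it presents.
-- Only hosts listed in s2s_trusted_fingerprints are affected: a matching
-- fingerprint marks chain and identity as valid and stops further handlers;
-- anything else (unknown fingerprint, or no certificate at all) marks both
-- as invalid, i.e. fingerprints are always pinned for configured hosts.
module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;

	local host_fingerprints = fingerprints[host];
	if not host_fingerprints then
		return; -- host not pinned; no decision from this module
	end

	-- cert may be absent. The digest is looked up as-is against the
	-- hashprep()-normalized config, so it is expected to be lowercase hex
	-- without separators.
	local digest = cert and cert:digest(digest_algo);
	if digest and host_fingerprints[digest] then
		module:log("info", "'%s' matched %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
		session.cert_chain_status = "valid";
		session.cert_identity_status = "valid";
		return true;
	end

	if digest then
		module:log("warn", "'%s' has unknown %s fingerprint %s", host, digest_algo:upper(), hashfmt(digest));
	else
		-- Previously hashfmt(nil) raised here, aborting the handler before
		-- the session could be marked invalid.
		module:log("warn", "'%s' presented no certificate to match against its pinned %s fingerprints", host, digest_algo:upper());
	end
	session.cert_chain_status = "invalid";
	session.cert_identity_status = "invalid";
end);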