author | Matthew Wild <mwild1@gmail.com> |
Tue, 18 Jan 2022 17:01:18 +0000 | |
changeset 4880 | 0f5f2d4475b9 |
parent 4679 | c9397cd5cfe6 |
permissions | -rw-r--r-- |
2208
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
module:set_global() |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
local hosts = prosody.hosts; |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
module:hook("s2s-check-certificate", function(event) |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
local session, cert = event.session, event.cert; |
4679
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2238
diff
changeset
|
7 |
if not cert or session.direction ~= "incoming" then return end |
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2238
diff
changeset
|
8 |
|
2208
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
local outgoing = hosts[session.to_host].s2sout[session.from_host]; |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
if outgoing and outgoing.type == "s2sout" and outgoing.secure and outgoing.conn:socket():getpeercertificate():pem() == cert:pem() then |
2238
3024116d6093
mod_s2s_auth_samecert: Log which s2sout has a matching cert
Kim Alvefur <zash@zash.se>
parents:
2208
diff
changeset
|
11 |
session.log("debug", "Certificate matches that of s2sout%s", tostring(outgoing):match("[a-f0-9]+$")); |
2208
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
session.cert_identity_status = outgoing.cert_identity_status; |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
session.cert_chain_status = outgoing.cert_chain_status; |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
return true; |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
end |
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
end, 1000); |