Annotate

mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1324:853a382c9bd6

mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
author Kim Alvefur <zash@zash.se>
date Fri, 28 Feb 2014 15:36:06 +0100
parent 1166:2b62a3b76d76
child 1325:b21236b6b8d8
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- Copyright (C) 2013 Kim Alvefur
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 -- This file is MIT/X11 licensed.
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
7 local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
1324
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
8 local tofu = module:get_option_boolean("s2s_tofu", false);
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local fingerprints = {};
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local function hashprep(h)
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 return tostring(h):lower():gsub(":","");
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local host_set = {}
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 if type(set) == "table" then -- list of fingerprints
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 for i=1,#set do
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 host_set[hashprep(set[i])] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 else -- assume single fingerprint
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 host_set[hashprep(set)] = true;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 fingerprints[host] = host_set;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 module:hook("s2s-check-certificate", function(event)
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 local session, host, cert = event.session, event.host, event.cert;
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local host_fingerprints = fingerprints[host];
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
32 if host_fingerprints then
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
33 local digest = cert and cert:digest(digest_algo);
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 if host_fingerprints[digest] then
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 session.cert_chain_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 session.cert_identity_status = "valid";
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 return true;
1131
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
38 elseif must_match then
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
39 session.cert_chain_status = "invalid";
e7b69d12fbfb mod_s2s_auth_fingerprint: Add a cert-pinning mode
Kim Alvefur <zash@zash.se>
parents: 939
diff changeset
40 session.cert_identity_status = "invalid";
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 end
1324
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
42 elseif tofu
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
43 and ( session.cert_chain_status ~= "valid"
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
44 or session.cert_identity_status ~= "valid" ) then
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
45 local digest = cert and cert:digest(digest_algo);
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
46 fingerprints[host] = {
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
47 [digest] = true;
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
48 }
938
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 end
d0e71a3bd2c4 mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 end);
1324
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
51
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
52 function module.save()
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
53 return { fingerprints = fingerprints };
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
54 end
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
55
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
56 function module.restore(state)
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
57 fingerprints = state.fingerprints;
853a382c9bd6 mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)
Kim Alvefur <zash@zash.se>
parents: 1166
diff changeset
58 end