prosody-modules
d0e71a3bd2c4
mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
Software / code / prosody-modules
Comparison
mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 938:d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 25 Mar 2013 03:54:32 +0100 |
| child | 939:1415fc2a0ac0 |
comparison
equal
deleted
inserted
replaced
| 937:5276e1fc26b6 | 938:d0e71a3bd2c4 |
|---|---|
| 1 -- Copyright (C) 2013 Kim Alvefur | |
| 2 -- This file is MIT/X11 licensed. | |
| 3 | |
| 4 module:set_global(); | |
| 5 | |
| 6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); | |
| 7 | |
| 8 local fingerprints = {}; | |
| 9 | |
| 10 local function hashprep(h) | |
| 11 return tostring(h):lower():gsub(":",""); | |
| 12 end | |
| 13 | |
| 14 for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do | |
| 15 local host_set = {} | |
| 16 if type(set) == "table" then -- list of fingerprints | |
| 17 for i=1,#set do | |
| 18 host_set[hashprep(set[i])] = true; | |
| 19 end | |
| 20 else -- assume single fingerprint | |
| 21 host_set[hashprep(set)] = true; | |
| 22 end | |
| 23 fingerprints[host] = host_set; | |
| 24 end | |
| 25 | |
| 26 module:hook("s2s-check-certificate", function(event) | |
| 27 local session, host, cert = event.session, event.host, event.cert; | |
| 28 | |
| 29 local host_fingerprints = fingerprints[host]; | |
| 30 if host_fingerprints then | |
| 31 local digest = cert:digest(digest_algo); | |
| 32 if host_fingerprints[digest] then | |
| 33 session.cert_chain_status = "valid"; | |
| 34 session.cert_identity_status = "valid"; | |
| 35 return true; | |
| 36 end | |
| 37 end | |
| 38 end); |
