Comparison

mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1131:e7b69d12fbfb

mod_s2s_auth_fingerprint: Add a cert-pinning mode
author Kim Alvefur <zash@zash.se>
date Sun, 04 Aug 2013 18:12:52 +0200
parent 939:1415fc2a0ac0
child 1166:2b62a3b76d76
comparison
equal deleted inserted replaced
1130:29dcdea3c2be 1131:e7b69d12fbfb
2 -- This file is MIT/X11 licensed. 2 -- This file is MIT/X11 licensed.
3 3
4 module:set_global(); 4 module:set_global();
5 5
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); 6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
7 local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
7 8
8 local fingerprints = {}; 9 local fingerprints = {};
9 10
10 local function hashprep(h) 11 local function hashprep(h)
11 return tostring(h):lower():gsub(":",""); 12 return tostring(h):lower():gsub(":","");
25 26
26 module:hook("s2s-check-certificate", function(event) 27 module:hook("s2s-check-certificate", function(event)
27 local session, host, cert = event.session, event.host, event.cert; 28 local session, host, cert = event.session, event.host, event.cert;
28 29
29 local host_fingerprints = fingerprints[host]; 30 local host_fingerprints = fingerprints[host];
30 if cert and host_fingerprints then 31 if host_fingerprints then
31 local digest = cert:digest(digest_algo); 32 local digest = cert and cert:digest(digest_algo);
32 if host_fingerprints[digest] then 33 if host_fingerprints[digest] then
33 session.cert_chain_status = "valid"; 34 session.cert_chain_status = "valid";
34 session.cert_identity_status = "valid"; 35 session.cert_identity_status = "valid";
35 return true; 36 return true;
37 elseif must_match then
38 session.cert_chain_status = "invalid";
39 session.cert_identity_status = "invalid";
40 return false;
36 end 41 end
37 end 42 end
38 end); 43 end);