mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 1131:e7b69d12fbfb
mod_s2s_auth_fingerprint: Add a cert-pinning mode
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 04 Aug 2013 18:12:52 +0200 |
parent | 939:1415fc2a0ac0 |
child | 1166:2b62a3b76d76 |
1130:29dcdea3c2be | 1131:e7b69d12fbfb |
---|---|
2 -- This file is MIT/X11 licensed. | 2 -- This file is MIT/X11 licensed. |
3 | 3 |
4 module:set_global(); | 4 module:set_global(); |
5 | 5 |
6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); | 6 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); |
7 local must_match = module:get_option_boolean("s2s_pin_fingerprints", false); | |
7 | 8 |
8 local fingerprints = {}; | 9 local fingerprints = {}; |
9 | 10 |
10 local function hashprep(h) | 11 local function hashprep(h) |
11 return tostring(h):lower():gsub(":",""); | 12 return tostring(h):lower():gsub(":",""); |
25 | 26 |
26 module:hook("s2s-check-certificate", function(event) | 27 module:hook("s2s-check-certificate", function(event) |
27 local session, host, cert = event.session, event.host, event.cert; | 28 local session, host, cert = event.session, event.host, event.cert; |
28 | 29 |
29 local host_fingerprints = fingerprints[host]; | 30 local host_fingerprints = fingerprints[host]; |
30 if cert and host_fingerprints then | 31 if host_fingerprints then |
31 local digest = cert:digest(digest_algo); | 32 local digest = cert and cert:digest(digest_algo); |
32 if host_fingerprints[digest] then | 33 if host_fingerprints[digest] then |
33 session.cert_chain_status = "valid"; | 34 session.cert_chain_status = "valid"; |
34 session.cert_identity_status = "valid"; | 35 session.cert_identity_status = "valid"; |
35 return true; | 36 return true; |
37 elseif must_match then | |
38 session.cert_chain_status = "invalid"; | |
39 session.cert_identity_status = "invalid"; | |
40 return false; | |
36 end | 41 end |
37 end | 42 end |
38 end); | 43 end); |
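Review bot: The new `must_match` branch marks the session invalid both when no certificate was presented at all (`digest` is nil because `cert` is nil) and when a certificate was presented but its digest is not in `host_fingerprints`, and neither case is logged, so an operator whose pin silently stops matching (e.g. after the remote side rotates its certificate) has nothing to go on but a failed s2s connection. A one-line `module:log("warn", "Certificate for %s does not match any pinned fingerprint", host);` at the top of the `elseif must_match then` branch would make pin failures visible without changing behaviour. The new option `s2s_pin_fingerprints` should also carry a comment stating its semantics, since they only follow from reading the hook: when true, any host that has fingerprints configured is rejected unless its certificate matches one of them; when false, a mismatch falls through (the handler returns nil) to whatever certificate checks run after this hook, and hosts with no configured fingerprints are never affected either way. Returning `false` from the handler presumably stops later `s2s-check-certificate` handlers from overriding the "invalid" status; if that is the intent it is worth saying so in a comment, as a reader may otherwise take `return false` for a no-op.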