Software /
code /
prosody-modules
Diff
mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua @ 938:d0e71a3bd2c4
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 25 Mar 2013 03:54:32 +0100 |
child | 939:1415fc2a0ac0 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua Mon Mar 25 03:54:32 2013 +0100 @@ -0,0 +1,38 @@ +-- Copyright (C) 2013 Kim Alvefur +-- This file is MIT/X11 licensed. + +module:set_global(); + +local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); + +local fingerprints = {}; + +local function hashprep(h) + return tostring(h):lower():gsub(":",""); +end + +for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do + local host_set = {} + if type(set) == "table" then -- list of fingerprints + for i=1,#set do + host_set[hashprep(set[i])] = true; + end + else -- assume single fingerprint + host_set[hashprep(set)] = true; + end + fingerprints[host] = host_set; +end + +module:hook("s2s-check-certificate", function(event) + local session, host, cert = event.session, event.host, event.cert; + + local host_fingerprints = fingerprints[host]; + if host_fingerprints then + local digest = cert:digest(digest_algo); + if host_fingerprints[digest] then + session.cert_chain_status = "valid"; + session.cert_identity_status = "valid"; + return true; + end + end +end);