# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1364180072 -3600
# Node ID d0e71a3bd2c43b9a94a8840a31f2d81330457921
# Parent  5276e1fc26b66555836b130631f4c0be71f117b0
mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.

diff -r 5276e1fc26b6 -r d0e71a3bd2c4 mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua	Mon Mar 25 03:54:32 2013 +0100
@@ -0,0 +1,38 @@
+-- Copyright (C) 2013 Kim Alvefur
+-- This file is MIT/X11 licensed.
+
+module:set_global();
+
+local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
+
+local fingerprints = {};
+
+local function hashprep(h)
+	return tostring(h):lower():gsub(":","");
+end
+
+for host, set in pairs(module:get_option("s2s_trusted_fingerprints", {})) do
+	local host_set = {}
+	if type(set) == "table" then -- list of fingerprints
+		for i=1,#set do
+			host_set[hashprep(set[i])] = true;
+		end
+	else -- assume single fingerprint
+		host_set[hashprep(set)] = true;
+	end
+	fingerprints[host] = host_set;
+end
+
+module:hook("s2s-check-certificate", function(event)
+	local session, host, cert = event.session, event.host, event.cert;
+
+	local host_fingerprints = fingerprints[host];
+	if host_fingerprints then
+		local digest = cert:digest(digest_algo);
+		if host_fingerprints[digest] then
+			session.cert_chain_status = "valid";
+			session.cert_identity_status = "valid";
+			return true;
+		end
+	end
+end);