# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1375632772 -7200
# Node ID e7b69d12fbfbee7c5dda1e415cb6d99b2b795922
# Parent  29dcdea3c2be73292fbee3d1faefd8be21475f50
mod_s2s_auth_fingerprint: Add a cert-pinning mode

diff -r 29dcdea3c2be -r e7b69d12fbfb mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
--- a/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua	Sat Aug 03 12:38:22 2013 +0200
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua	Sun Aug 04 18:12:52 2013 +0200
@@ -4,6 +4,7 @@
 module:set_global();
 
 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
+local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
 
 local fingerprints = {};
 
@@ -27,12 +28,16 @@
 	local session, host, cert = event.session, event.host, event.cert;
 
 	local host_fingerprints = fingerprints[host];
-	if cert and host_fingerprints then
-		local digest = cert:digest(digest_algo);
+	if host_fingerprints then
+		local digest = cert and cert:digest(digest_algo);
 		if host_fingerprints[digest] then
 			session.cert_chain_status = "valid";
 			session.cert_identity_status = "valid";
 			return true;
+		elseif must_match then
+			session.cert_chain_status = "invalid";
+			session.cert_identity_status = "invalid";
+			return false;
 		end
 	end
 end);