changeset 1131:e7b69d12fbfb

mod_s2s_auth_fingerprint: Add a cert-pinning mode
author Kim Alvefur <zash@zash.se>
date Sun, 04 Aug 2013 18:12:52 +0200
parents 29dcdea3c2be
children 832235cc1910
files mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua	Sat Aug 03 12:38:22 2013 +0200
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua	Sun Aug 04 18:12:52 2013 +0200
@@ -4,6 +4,7 @@
 module:set_global();
 
 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
+local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
 
 local fingerprints = {};
 
@@ -27,12 +28,16 @@
 	local session, host, cert = event.session, event.host, event.cert;
 
 	local host_fingerprints = fingerprints[host];
-	if cert and host_fingerprints then
-		local digest = cert:digest(digest_algo);
+	if host_fingerprints then
+		local digest = cert and cert:digest(digest_algo);
 		if host_fingerprints[digest] then
 			session.cert_chain_status = "valid";
 			session.cert_identity_status = "valid";
 			return true;
+		elseif must_match then
+			session.cert_chain_status = "invalid";
+			session.cert_identity_status = "invalid";
+			return false;
 		end
 	end
 end);