comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1334:100da6a5525e
mod_s2s_auth_dane: More comment changes
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 09 Mar 2014 13:42:36 +0100 |
parents | 15912b077370 |
children | faf4bd226cad |
1333:15912b077370 | 1334:100da6a5525e |
---|---|
25 | 25 |
26 -- TODO Things to test/handle: | 26 -- TODO Things to test/handle: |
27 -- Negative or bogus answers | 27 -- Negative or bogus answers |
28 -- No SRV records | 28 -- No SRV records |
29 -- No encryption offered | 29 -- No encryption offered |
30 -- Different hostname before and after STARTTLS - mod_s2s should complain | |
30 | 31 |
31 -- This function is called when a new SRV target has been picked | 32 -- This function is called when a new SRV target has been picked |
32 -- the original function does A/AAAA resolution before continuing | 33 -- the original function does A/AAAA resolution before continuing |
33 local _try_connect = s2sout.try_connect; | 34 local _try_connect = s2sout.try_connect; |
34 function s2sout.try_connect(host_session, connect_host, connect_port, err) | 35 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
68 if use == 1 or use == 3 then | 69 if use == 1 or use == 3 then |
69 | 70 |
70 if select == 0 then | 71 if select == 0 then |
71 certdata = pem2der(cert:pem()); | 72 certdata = pem2der(cert:pem()); |
72 elseif select == 1 and cert.pubkey then | 73 elseif select == 1 and cert.pubkey then |
73 certdata = pem2der(cert:pubkey()); | 74 certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec |
74 else | 75 else |
75 module:log("warn", "DANE selector %d is unsupported", select); | 76 module:log("warn", "DANE selector %d is unsupported", select); |
76 end | 77 end |
77 | 78 |
78 if match == 1 then | 79 if match == 1 then |
95 match_found = true; | 96 match_found = true; |
96 break; | 97 break; |
97 end | 98 end |
98 else | 99 else |
99 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); | 100 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); |
100 -- TODO CA checks needs to loop over the chain and stuff | 101 -- PKIX-TA checks needs to loop over the chain and stuff |
102 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm | |
101 end | 103 end |
102 end | 104 end |
103 if not match_found then | 105 if not match_found then |
104 -- No TLSA matched or response was bogus | 106 -- No TLSA matched or response was bogus |
105 (session.log or module._log)("warn", "DANE validation failed"); | 107 (session.log or module._log)("warn", "DANE validation failed"); |
115 local srv_hosts = session.srv_hosts; | 117 local srv_hosts = session.srv_hosts; |
116 local srv_choice = session.srv_choice; | 118 local srv_choice = session.srv_choice; |
117 if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then | 119 if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then |
118 -- TLSA record but no TLS, not ok. | 120 -- TLSA record but no TLS, not ok. |
119 -- TODO Optional? | 121 -- TODO Optional? |
122 -- Bogus replies will trigger this path | |
120 session:close({ | 123 session:close({ |
121 condition = "policy-violation", | 124 condition = "policy-violation", |
122 text = "Encrypted server-to-server communication is required but was not " | 125 text = "Encrypted server-to-server communication is required but was not " |
123 ..((session.direction == "outgoing" and "offered") or "used") | 126 ..((session.direction == "outgoing" and "offered") or "used") |
124 }); | 127 }); |
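Review bot: The `-- TODO Optional?` left next to the new `-- Bogus replies will trigger this path` comment (new lines 121-122) should be resolved rather than kept open, because making this close optional would undo the one guarantee DANE gives here: a DNSSEC-validated TLSA record is a signed statement that the peer supports TLS, so accepting a plaintext session on that path lets an on-path attacker strip STARTTLS and the TLSA record is reduced to advisory. I would replace the TODO with `-- Deliberately not optional: a validated TLSA record is a signed statement that the peer does TLS, so a plaintext session here is a downgrade, not a configuration choice.` The "bogus replies" wording is ambiguous as written; if it means DNSSEC-bogus (failed validation) replies also set `session.dane` and are then rejected on this path, say so explicitly, since the code that sets `session.dane` / `srv_hosts[srv_choice].dane` is outside this hunk and a reader cannot confirm it here. Separately, the new line 102 comment that DANE-TA is "not possible atm" pairs with a warn-only log on line 100 and `match_found` staying false, which fails closed on line 105-107 when every record is PKIX-TA/DANE-TA; that is the safer default, but a note that unusable-only TLSA sets are treated as a validation failure (and whether the connection is then closed, which happens outside this hunk) would help operators understand why such peers become unreachable. The enclosing function of both hunks begins and ends outside the shown lines.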