comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1437:161bbe0b9dd3
mod_s2s_auth_dane: Tweak log messages
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 15 Jun 2014 02:40:18 +0200 |
parents | 3944e364ba88 |
children | 72ef98818b90 |
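--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -172,19 +172,19 @@
 
 return certdata == tlsa.data;
 end
 
 module:hook("s2s-check-certificate", function(event)
-local session, cert = event.session, event.cert;
+local session, cert, host = event.session, event.cert, event.host;
 if not cert then return end
 local log = session.log or module._log;
 local dane = session.dane;
 if type(dane) == "table" then
 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
 for i = 1, #dane do
 tlsa = dane[i].tlsa;
-module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
+module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
 use = tlsa.use;
 
 if enabled_uses:contains(use) then
 -- PKIX-EE or DANE-EE
 if use == 1 or use == 3 then
@@ -192,11 +192,11 @@
 is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
 supported_found = true;
 end
 if is_match then
-log("info", "DANE validated ok using %s", tlsa:getUsage());
+log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 session.cert_identity_status = "valid";
 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 session.cert_chain_status = "valid";
 -- for usage 1, PKIX-EE, the chain has to be valid already
 end
@@ -217,11 +217,11 @@
 if use == 2 and not cacert:issued(leafcert or cacert) then
 module:log("debug", "Broken chain");
 break;
 end
 if is_match then
-log("info", "DANE validated ok using %s", tlsa:getUsage());
+log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 if use == 2 then -- DANE-TA
 session.cert_identity_status = "valid";
 session.cert_chain_status = "valid";
 -- for usage 0, PKIX-CA, identity and chain has to be valid already
 end
@@ -250,11 +250,11 @@
 for i = srv_choice or 1, srv_choice or #srv_hosts do
 srv_target = session.srv_hosts[i].target:gsub("%.?$","");
 log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
 srv_target = nameprep(idna_to_unicode());
 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
-log("info", "Certificate matches Secure SRV target %s", srv_target);
+log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target);
 session.cert_identity_status = "valid";
 return;
 end
 end
 end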
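Review bot: `idna_to_unicode()` on line 253 of the last hunk is called with no argument, so `srv_target` is overwritten with whatever `nameprep` makes of a nil result and the secure-SRV identity check on line 254 most likely never matches a certificate — fail-closed, but the fallback the new "Certificate for %s matches Secure SRV target %s" message describes is effectively dead; the intended line is presumably `srv_target = nameprep(idna_to_unicode(srv_target));`. This predates the commit and is context here, but it sits on exactly the path the reworded log line reports on. Separately, the new debug line at 185, `module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))`, drops the trailing semicolon every other statement in the file carries and bypasses the session-scoped `log` chosen on 179, so these records are not attributed to the session like the neighbouring "DANE validated ok" lines; `tostring(tlsa)` also only yields something readable if the record type defines `__tostring`, which cannot be confirmed from here. The hook handler opened on 176 closes outside the shown hunks.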