comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1262:1e84eebf3f46

mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
author Kim Alvefur <zash@zash.se>
date Fri, 03 Jan 2014 15:14:26 +0100
parents 6a37bd22c8df
children 020165014e56
1261:6a37bd22c8df 1262:1e84eebf3f46
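--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -29,11 +29,11 @@
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 local srv_hosts = host_session.srv_hosts;
 local srv_choice = host_session.srv_choice;
 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
 dns_lookup(function(answer)
-if answer and #answer > 0 then
+if answer and ( #answer > 0 or answer.bogus ) then
 srv_hosts[srv_choice].dane = answer;
 for i, tlsa in ipairs(answer) do
 module:log("debug", "TLSA %s", tostring(tlsa));
 end
 end
@@ -46,11 +46,11 @@
 local session, cert = event.session, event.cert;
 local srv_hosts = session.srv_hosts;
 local srv_choice = session.srv_choice;
 local choosen = srv_hosts and srv_hosts[srv_choice];
 if choosen and choosen.dane then
-local use, select, match, tlsa, certdata
+local use, select, match, tlsa, certdata, match_found
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa
 module:log("debug", "TLSA %s", tostring(tlsa));
 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
 
@@ -78,20 +78,24 @@
 session.cert_identity_status = "valid"
 if use == 3 then
 session.cert_chain_status = "valid"
 -- for usage 1 the chain has to be valid already
 end
+match_found = true
 break;
 end
 else
 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
 -- TODO Ca checks needs to loop over the chain and stuff
 end
 end
+if not match_found then
+(session.log or module._log)("info", "DANE validation successful");
+session.cert_identity_status = "invalid";
+session.cert_chain_status = "invalid";
+end
 end
-
--- TODO Optionally, if no TLSA record matches, mark connection as untrusted.
 end);
 
 function module.unload()
 s2sout.try_connect = _try_connect;
 end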
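Review bot: The log line inside the new `if not match_found then` branch (new line 92) says "DANE validation successful" while the branch is the one that marks both `cert_identity_status` and `cert_chain_status` as "invalid", so an operator reading the log at info level will see the opposite of what happened. It should state the failure and why, e.g. `(session.log or module._log)("warn", "DANE validation failed: no TLSA record matched the presented certificate");`. The same branch also fires when every TLSA record had an unsupported usage (the `else` branch at new line 87 logs a warning but never sets `match_found`) and, given the first hunk's `answer.bogus` condition, presumably when the lookup was bogus and `choosen.dane` is empty, so the message should make clear that "no match" covers those cases too. The event handler containing this code begins before the hunk, so the declaration of `session` and the outer `if choosen and choosen.dane` are only partly visible here.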