Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1262:1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Jan 2014 15:14:26 +0100 |
| parents | 6a37bd22c8df |
| children | 020165014e56 |
comparison
equal
deleted
inserted
replaced
| 1261:6a37bd22c8df | 1262:1e84eebf3f46 |
|---|---|
| 29 function s2sout.try_connect(host_session, connect_host, connect_port, err) | 29 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
| 30 local srv_hosts = host_session.srv_hosts; | 30 local srv_hosts = host_session.srv_hosts; |
| 31 local srv_choice = host_session.srv_choice; | 31 local srv_choice = host_session.srv_choice; |
| 32 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then | 32 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then |
| 33 dns_lookup(function(answer) | 33 dns_lookup(function(answer) |
| 34 if answer and #answer > 0 then | 34 if answer and ( #answer > 0 or answer.bogus ) then |
| 35 srv_hosts[srv_choice].dane = answer; | 35 srv_hosts[srv_choice].dane = answer; |
| 36 for i, tlsa in ipairs(answer) do | 36 for i, tlsa in ipairs(answer) do |
| 37 module:log("debug", "TLSA %s", tostring(tlsa)); | 37 module:log("debug", "TLSA %s", tostring(tlsa)); |
| 38 end | 38 end |
| 39 end | 39 end |
| 46 local session, cert = event.session, event.cert; | 46 local session, cert = event.session, event.cert; |
| 47 local srv_hosts = session.srv_hosts; | 47 local srv_hosts = session.srv_hosts; |
| 48 local srv_choice = session.srv_choice; | 48 local srv_choice = session.srv_choice; |
| 49 local choosen = srv_hosts and srv_hosts[srv_choice]; | 49 local choosen = srv_hosts and srv_hosts[srv_choice]; |
| 50 if choosen and choosen.dane then | 50 if choosen and choosen.dane then |
| 51 local use, select, match, tlsa, certdata | 51 local use, select, match, tlsa, certdata, match_found |
| 52 for i, rr in ipairs(choosen.dane) do | 52 for i, rr in ipairs(choosen.dane) do |
| 53 tlsa = rr.tlsa | 53 tlsa = rr.tlsa |
| 54 module:log("debug", "TLSA %s", tostring(tlsa)); | 54 module:log("debug", "TLSA %s", tostring(tlsa)); |
| 55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; | 55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; |
| 56 | 56 |
| 78 session.cert_identity_status = "valid" | 78 session.cert_identity_status = "valid" |
| 79 if use == 3 then | 79 if use == 3 then |
| 80 session.cert_chain_status = "valid" | 80 session.cert_chain_status = "valid" |
| 81 -- for usage 1 the chain has to be valid already | 81 -- for usage 1 the chain has to be valid already |
| 82 end | 82 end |
| 83 match_found = true | |
| 83 break; | 84 break; |
| 84 end | 85 end |
| 85 else | 86 else |
| 86 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); | 87 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); |
| 87 -- TODO Ca checks needs to loop over the chain and stuff | 88 -- TODO Ca checks needs to loop over the chain and stuff |
| 88 end | 89 end |
| 89 end | 90 end |
| 91 if not match_found then | |
| 92 (session.log or module._log)("info", "DANE validation successful"); | |
| 93 session.cert_identity_status = "invalid"; | |
| 94 session.cert_chain_status = "invalid"; | |
| 95 end | |
| 90 end | 96 end |
| 91 | |
| 92 -- TODO Optionally, if no TLSA record matches, mark connection as untrusted. | |
| 93 end); | 97 end); |
| 94 | 98 |
| 95 function module.unload() | 99 function module.unload() |
| 96 s2sout.try_connect = _try_connect; | 100 s2sout.try_connect = _try_connect; |
| 97 end | 101 end |