comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1431:33a796b2cb91

mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
author Kim Alvefur <zash@zash.se>
date Wed, 11 Jun 2014 12:50:57 +0200
parents 8791fa8a18c8
children 1caf971a2f0f
1430:18f5f1b13353 1431:33a796b2cb91
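--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -174,10 +174,11 @@
 return certdata == tlsa.data;
 end
 
 module:hook("s2s-check-certificate", function(event)
 local session, cert = event.session, event.cert;
+local log = session.log or module._log;
 local dane = session.dane;
 if type(dane) == "table" then
 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
 for i = 1, #dane do
 tlsa = dane[i].tlsa;
@@ -191,11 +192,11 @@
 is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
 supported_found = true;
 end
 if is_match then
-(session.log or module._log)("info", "DANE validation successful");
+log("info", "DANE validation successful");
 session.cert_identity_status = "valid";
 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 session.cert_chain_status = "valid";
 -- for usage 1, PKIX-EE, the chain has to be valid already
 end
@@ -216,11 +217,11 @@
 if use == 2 and not cacert:issued(leafcert or cacert) then
 module:log("debug", "Broken chain");
 break;
 end
 if is_match then
-(session.log or module._log)("info", "DANE validation successful");
+log("info", "DANE validation successful");
 if use == 2 then -- DANE-TA
 session.cert_identity_status = "valid";
 session.cert_chain_status = "valid";
 -- for usage 0, PKIX-CA, identity and chain has to be valid already
 end
@@ -232,24 +233,24 @@
 end
 end
 end
 if supported_found and not match_found or dane.bogus then
 -- No TLSA matched or response was bogus
-(session.log or module._log)("warn", "DANE validation failed");
+log("warn", "DANE validation failed");
 session.cert_identity_status = "invalid";
 session.cert_chain_status = "invalid";
 end
 else
 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then
 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
 for i = srv_choice or 1, srv_choice or #srv_hosts do
 srv_target = session.srv_hosts[i].target:gsub("%.?$","");
-(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
+log("debug", "Comparing certificate with Secure SRV target %s", srv_target);
 srv_target = nameprep(idna_to_unicode());
 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
-(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
+log("info", "Certificate matches Secure SRV target %s", srv_target);
 session.cert_identity_status = "valid";
 return;
 end
 end
 end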
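Review bot: In the last hunk, `srv_target = nameprep(idna_to_unicode());` passes nothing to `idna_to_unicode`, so the Secure SRV target computed on the previous line (and already logged) is discarded; presumably the intended line is `srv_target = nameprep(idna_to_unicode(srv_target));`. With the argument missing, the following `if srv_target and cert_verify_identity(...)` branch likely never fires, so the DNSSEC-SRV fallback stays fail-closed but is effectively dead code, and the commit touches the adjacent log line without noticing it. Separately, `module:log("debug", "Broken chain");` in the third hunk still bypasses the newly cached session-scoped `log`, so that one message lacks the session context the others now carry; `log("debug", "Broken chain");` would be consistent. The s2s-check-certificate hook function ends outside this section.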