comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1431:33a796b2cb91
mod_s2s_auth_dane: Cache logger to save some table lookups and improve readability
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 11 Jun 2014 12:50:57 +0200 |
parents | 8791fa8a18c8 |
children | 1caf971a2f0f |
1430:18f5f1b13353 | 1431:33a796b2cb91 |
---|---|
174 return certdata == tlsa.data; | 174 return certdata == tlsa.data; |
175 end | 175 end |
176 | 176 |
177 module:hook("s2s-check-certificate", function(event) | 177 module:hook("s2s-check-certificate", function(event) |
178 local session, cert = event.session, event.cert; | 178 local session, cert = event.session, event.cert; |
179 local log = session.log or module._log; | |
179 local dane = session.dane; | 180 local dane = session.dane; |
180 if type(dane) == "table" then | 181 if type(dane) == "table" then |
181 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; | 182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; |
182 for i = 1, #dane do | 183 for i = 1, #dane do |
183 tlsa = dane[i].tlsa; | 184 tlsa = dane[i].tlsa; |
191 is_match = one_dane_check(tlsa, cert); | 192 is_match = one_dane_check(tlsa, cert); |
192 if is_match ~= nil then | 193 if is_match ~= nil then |
193 supported_found = true; | 194 supported_found = true; |
194 end | 195 end |
195 if is_match then | 196 if is_match then |
196 (session.log or module._log)("info", "DANE validation successful"); | 197 log("info", "DANE validation successful"); |
197 session.cert_identity_status = "valid"; | 198 session.cert_identity_status = "valid"; |
198 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status | 199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status |
199 session.cert_chain_status = "valid"; | 200 session.cert_chain_status = "valid"; |
200 -- for usage 1, PKIX-EE, the chain has to be valid already | 201 -- for usage 1, PKIX-EE, the chain has to be valid already |
201 end | 202 end |
216 if use == 2 and not cacert:issued(leafcert or cacert) then | 217 if use == 2 and not cacert:issued(leafcert or cacert) then |
217 module:log("debug", "Broken chain"); | 218 module:log("debug", "Broken chain"); |
218 break; | 219 break; |
219 end | 220 end |
220 if is_match then | 221 if is_match then |
221 (session.log or module._log)("info", "DANE validation successful"); | 222 log("info", "DANE validation successful"); |
222 if use == 2 then -- DANE-TA | 223 if use == 2 then -- DANE-TA |
223 session.cert_identity_status = "valid"; | 224 session.cert_identity_status = "valid"; |
224 session.cert_chain_status = "valid"; | 225 session.cert_chain_status = "valid"; |
225 -- for usage 0, PKIX-CA, identity and chain has to be valid already | 226 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
226 end | 227 end |
232 end | 233 end |
233 end | 234 end |
234 end | 235 end |
235 if supported_found and not match_found or dane.bogus then | 236 if supported_found and not match_found or dane.bogus then |
236 -- No TLSA matched or response was bogus | 237 -- No TLSA matched or response was bogus |
237 (session.log or module._log)("warn", "DANE validation failed"); | 238 log("warn", "DANE validation failed"); |
238 session.cert_identity_status = "invalid"; | 239 session.cert_identity_status = "invalid"; |
239 session.cert_chain_status = "invalid"; | 240 session.cert_chain_status = "invalid"; |
240 end | 241 end |
241 else | 242 else |
242 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" | 243 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" |
243 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then | 244 and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then |
244 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; | 245 local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; |
245 for i = srv_choice or 1, srv_choice or #srv_hosts do | 246 for i = srv_choice or 1, srv_choice or #srv_hosts do |
246 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); | 247 srv_target = session.srv_hosts[i].target:gsub("%.?$",""); |
247 (session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target); | 248 log("debug", "Comparing certificate with Secure SRV target %s", srv_target); |
248 srv_target = nameprep(idna_to_unicode()); | 249 srv_target = nameprep(idna_to_unicode()); |
249 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then | 250 if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then |
250 (session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target); | 251 log("info", "Certificate matches Secure SRV target %s", srv_target); |
251 session.cert_identity_status = "valid"; | 252 session.cert_identity_status = "valid"; |
252 return; | 253 return; |
253 end | 254 end |
254 end | 255 end |
255 end | 256 end |
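Review bot: The Secure SRV fallback on the new side still calls `idna_to_unicode()` with no argument (new line 249), so unless that helper reads its input from somewhere the hunk does not show, `srv_target` becomes nil and the `cert_verify_identity` check on the following line is silently skipped; the intended line appears to be `srv_target = nameprep(idna_to_unicode(srv_target));`. The outcome is fail-closed (cert_identity_status is left unverified), but the debug message on new line 248 then reports a target the comparison never actually runs against, which will mislead anyone troubleshooting a DANE/DNSSEC deployment. Separately, the `module:log("debug", "Broken chain")` call in the third hunk (new line 218) is the one remaining log call that bypasses the cached `log`, so that message loses the per-session context the other messages gain; `log("debug", "Broken chain");` would make it consistent. The handler passed to module:hook opens in the first hunk and ends past the last line shown.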