comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1344:47d3c1c8a176
mod_s2s_auth_dane: Only invalidate trust if we found any supported DANE records
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 11 Mar 2014 21:13:40 +0100 |
parents | 50555c2ccbcd |
children | 52b419885f0a |
1343:7dbde05b48a9 | 1344:47d3c1c8a176 |
---|---|
58 local session, cert = event.session, event.cert; | 58 local session, cert = event.session, event.cert; |
59 local srv_hosts = session.srv_hosts; | 59 local srv_hosts = session.srv_hosts; |
60 local srv_choice = session.srv_choice; | 60 local srv_choice = session.srv_choice; |
61 local choosen = srv_hosts and srv_hosts[srv_choice] or session; | 61 local choosen = srv_hosts and srv_hosts[srv_choice] or session; |
62 if choosen.dane then | 62 if choosen.dane then |
63 local use, select, match, tlsa, certdata, match_found; | 63 local use, select, match, tlsa, certdata, match_found, supported_found; |
64 for i, rr in ipairs(choosen.dane) do | 64 for i, rr in ipairs(choosen.dane) do |
65 tlsa = rr.tlsa; | 65 tlsa = rr.tlsa; |
66 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); | 66 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); |
67 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; | 67 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; |
68 | 68 |
69 -- PKIX-EE or DANE-EE | 69 -- PKIX-EE or DANE-EE |
70 if use == 1 or use == 3 then | 70 if use == 1 or use == 3 then |
71 supported_found = true | |
71 | 72 |
72 if select == 0 then | 73 if select == 0 then |
73 certdata = pem2der(cert:pem()); | 74 certdata = pem2der(cert:pem()); |
74 elseif select == 1 and cert.pubkey then | 75 elseif select == 1 and cert.pubkey then |
75 certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec | 76 certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec |
101 module:log("warn", "DANE usage %s is unsupported", tlsa:getUsage() or use); | 102 module:log("warn", "DANE usage %s is unsupported", tlsa:getUsage() or use); |
102 -- PKIX-TA checks needs to loop over the chain and stuff | 103 -- PKIX-TA checks needs to loop over the chain and stuff |
103 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm | 104 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm |
104 end | 105 end |
105 end | 106 end |
106 if not match_found then | 107 if supported_found and not match_found then |
107 -- No TLSA matched or response was bogus | 108 -- No TLSA matched or response was bogus |
108 (session.log or module._log)("warn", "DANE validation failed"); | 109 (session.log or module._log)("warn", "DANE validation failed"); |
109 session.cert_identity_status = "invalid"; | 110 session.cert_identity_status = "invalid"; |
110 session.cert_chain_status = "invalid"; | 111 session.cert_chain_status = "invalid"; |
111 end | 112 end |
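Review bot: With the guard `if supported_found and not match_found then` at new line 107, an RRset whose records all carry usage 0 or 2 (both hit the "DANE usage %s is unsupported" warn at new line 102) no longer sets cert_identity_status/cert_chain_status to "invalid", so the session proceeds on whatever ordinary PKIX validation already left in those fields; the previous fail-closed behaviour becomes a silent fallback recorded only by per-record warns. That is a defensible reading of the DANE specs (an RRset with no usable records treated as absent), but it should be stated at the guard, e.g. `-- Only fail when at least one TLSA record had a usage we can evaluate; an RRset with only unsupported usages is treated as if no DANE records existed and the PKIX result stands`, and a session-level log line for that case would help operators notice that DANE was not applied. Note also that `supported_found = true` at new line 71 is set on usage alone, before the selector is examined, so a usage-1/3 record with selector 1 on a LuaSec without `cert.pubkey` (new line 75) counts as supported yet can never match and still fails closed, assuming nothing in the elided branches (old lines 76-100, not shown) changes the flag; if that asymmetry is deliberate, a one-line comment next to the flag would prevent someone "fixing" it later. The enclosing handler starts before the first line of this section and continues past its last line.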