comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1261:6a37bd22c8df

mod_s2s_auth_dane: Warn about unsupported DANE params
author Kim Alvefur <zash@zash.se>
date Fri, 03 Jan 2014 15:00:05 +0100
parents fc82d8eded7d
children 1e84eebf3f46
1260:4e14ad802d58 1261:6a37bd22c8df
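--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -58,29 +58,34 @@
 
 if select == 0 then
 certdata = pem2der(cert:pem());
 elseif select == 1 then
 certdata = pem2der(cert:pubkey());
+else
+module:log("warn", "DANE selector %d is unsupported", select);
 end
 if match == 1 then
 certdata = hashes.sha256(certdata);
 elseif match == 2 then
 certdata = hashes.sha512(certdata);
+elseif match ~= 0 then
+module:log("warn", "DANE match rule %d is unsupported", match);
+certdata = nil
 end
 
 -- Should we check if the cert subject matches?
-if certdata == tlsa.data then
+if certdata and certdata == tlsa.data then
 (session.log or module._log)("info", "DANE validation successful");
 session.cert_identity_status = "valid"
 if use == 3 then
 session.cert_chain_status = "valid"
 -- for usage 1 the chain has to be valid already
 end
 break;
 end
 else
-module:log("warn", "DANE %s is unsupported", tlsa:getUsage());
+module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
 -- TODO Ca checks needs to loop over the chain and stuff
 end
 end
 end
 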
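Review bot: The new selector fallback (new lines 63–64) only warns and leaves `certdata` as it was, whereas the new match fallback (new lines 70–72) also sets `certdata = nil`; only the second one actually makes the added `certdata and certdata == tlsa.data` guard on line 76 take effect. If `certdata` is declared outside the loop this hunk sits in (the `break;` on line 83 suggests a loop whose head is outside the hunk), an unsupported selector would hash and compare the previous record's data against the current record's `tlsa.data` instead of skipping it. Adding `certdata = nil` after the selector warning makes the two fallbacks consistent and the skip explicit, e.g. `module:log("warn", "DANE selector %d is unsupported", select); certdata = nil`. The enclosing function and loop begin before this hunk, so whether `certdata` is loop-local cannot be confirmed from here.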