comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1951:7974a24d29b6

mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
author Kim Alvefur <zash@zash.se>
date Mon, 16 Nov 2015 18:03:41 +0100
parents 1950fa6aa0c0
children 6979ee1db9f8
1950:f118e419a712 1951:7974a24d29b6
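--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -266,45 +266,55 @@
 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
 local use = tlsa.use;
 
 if enabled_uses:contains(use) then
 -- DANE-EE or PKIX-EE
-if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
+if use == 3 or use == 1 then
 -- Should we check if the cert subject matches?
 local is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
 supported_found = true;
+end
+if is_match and use == 1 and session.cert_chain_status ~= "valid" then
+-- for usage 1, PKIX-EE, the chain has to be valid already
+log("debug", "PKIX-EE TLSA matches untrusted certificate");
+is_match = false;
 end
 if is_match then
 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 session.cert_identity_status = "valid";
 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 session.cert_chain_status = "valid";
--- for usage 1, PKIX-EE, the chain has to be valid already
 end
 match_found = true;
 break;
 end
 -- DANE-TA or PKIX-CA
-elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
+elseif use == 2 or use == 0 then
 supported_found = true;
 local chain = session.conn:socket():getpeerchain();
 for c = 1, #chain do
 local cacert = chain[c];
 local is_match = one_dane_check(tlsa, cacert);
 if is_match ~= nil then
 supported_found = true;
 end
-if is_match and cacert:issued(cert, unpack(chain)) then
+if is_match and not cacert:issued(cert, unpack(chain)) then
+is_match = false;
+end
+if is_match and use == 0 and session.cert_chain_status ~= "valid" then
+-- for usage 0, PKIX-CA, identity and chain has to be valid already
+is_match = false;
+end
+if is_match then
 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 if use == 2 then -- DANE-TA
 session.cert_identity_status = "valid";
 if cert_verify_identity(host, "xmpp-server", cert) then
 session.cert_chain_status = "valid";
 -- else -- TODO Check against SRV target?
 end
--- for usage 0, PKIX-CA, identity and chain has to be valid already
 end
 match_found = true;
 break;
 end
 end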
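Review bot: The PKIX-CA guard added at new line 304 enforces only `session.cert_chain_status`, while the comment moved to line 305 states that both identity and chain must already be valid; as written, a usage-0 match is accepted for a chain-valid certificate whose identity check failed, and unlike the DANE-TA branch nothing on the session is updated to compensate. If `cert_identity_status` is populated before this handler runs, as the comment implies, the guard should read `if is_match and use == 0 and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then`. The discarded PKIX-CA match is also dropped silently, whereas the parallel PKIX-EE branch logs at debug level on line 279; adding `log("debug", "PKIX-CA TLSA matches untrusted certificate");` inside the new guard would keep the two branches equally diagnosable when a session ends up insecure. The enclosing loop and function begin and end outside the hunk, so what `match_found` and `supported_found` feed into cannot be confirmed from here.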