Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1642:a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 31 Mar 2015 20:57:34 +0200 |
| parents | aed20f9e78c8 |
| children | 9a3d2f1479a4 |
comparison
equal
deleted
inserted
replaced
| 1641:1fa25cfb0ad4 | 1642:a4a6b4be973a |
|---|---|
| 232 local session, cert, host = event.session, event.cert, event.host; | 232 local session, cert, host = event.session, event.cert, event.host; |
| 233 if not cert then return end | 233 if not cert then return end |
| 234 local log = session.log or module._log; | 234 local log = session.log or module._log; |
| 235 local dane = session.dane; | 235 local dane = session.dane; |
| 236 if type(dane) == "table" then | 236 if type(dane) == "table" then |
| 237 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; | 237 local match_found, supported_found; |
| 238 for i = 1, #dane do | 238 for i = 1, #dane do |
| 239 tlsa = dane[i].tlsa; | 239 local tlsa = dane[i].tlsa; |
| 240 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) | 240 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
| 241 use = tlsa.use; | 241 local use = tlsa.use; |
| 242 | 242 |
| 243 if enabled_uses:contains(use) then | 243 if enabled_uses:contains(use) then |
| 244 -- PKIX-EE or DANE-EE | 244 -- PKIX-EE or DANE-EE |
| 245 if use == 1 or use == 3 then | 245 if use == 1 or use == 3 then |
| 246 -- Should we check if the cert subject matches? | 246 -- Should we check if the cert subject matches? |
| 247 is_match = one_dane_check(tlsa, cert); | 247 local is_match = one_dane_check(tlsa, cert); |
| 248 if is_match ~= nil then | 248 if is_match ~= nil then |
| 249 supported_found = true; | 249 supported_found = true; |
| 250 end | 250 end |
| 251 if is_match then | 251 if is_match then |
| 252 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); | 252 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
| 258 match_found = true; | 258 match_found = true; |
| 259 break; | 259 break; |
| 260 end | 260 end |
| 261 elseif use == 0 or use == 2 then | 261 elseif use == 0 or use == 2 then |
| 262 supported_found = true; | 262 supported_found = true; |
| 263 if chain == nil then | 263 local chain = session.conn:socket():getpeerchain(); |
| 264 chain = session.conn:socket():getpeerchain(); | 264 for i = 1, #chain do |
| 265 end | 265 local cacert = chain[i]; |
| 266 for i = 2, #chain do | 266 local is_match = one_dane_check(tlsa, cacert); |
| 267 cacert, leafcert = chain[i], chain[i-1]; | |
| 268 is_match = one_dane_check(tlsa, cacert); | |
| 269 if is_match ~= nil then | 267 if is_match ~= nil then |
| 270 supported_found = true; | 268 supported_found = true; |
| 271 end | 269 end |
| 272 if use == 2 and not cacert:issued(leafcert or cacert) then | 270 if is_match and cacert:issued(cert, unpack(chain)) then |
| 273 module:log("debug", "Broken chain"); | |
| 274 break; | |
| 275 end | |
| 276 if is_match then | |
| 277 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); | 271 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
| 278 if use == 2 then -- DANE-TA | 272 if use == 2 then -- DANE-TA |
| 279 session.cert_identity_status = "valid"; | 273 session.cert_identity_status = "valid"; |
| 280 session.cert_chain_status = "valid"; | 274 session.cert_chain_status = "valid"; |
| 281 -- for usage 0, PKIX-CA, identity and chain has to be valid already | 275 -- for usage 0, PKIX-CA, identity and chain has to be valid already |