comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1335:faf4bd226cad
mod_s2s_auth_dane: Improve logging
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 09 Mar 2014 13:43:27 +0100 |
parents | 100da6a5525e |
children | ae0558230e3d |
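--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -37,13 +37,10 @@
 local srv_choice = host_session.srv_choice;
 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
 srv_hosts[srv_choice].dane = dns_lookup(function(answer)
 if answer and ( #answer > 0 or answer.bogus ) then
 srv_hosts[srv_choice].dane = answer;
-for i, tlsa in ipairs(answer) do
-module:log("debug", "TLSA %s", tostring(tlsa));
-end
 else
 srv_hosts[srv_choice].dane = false;
 end
 -- "blocking" until TLSA reply, but no race condition
 return _try_connect(host_session, connect_host, connect_port, err);
@@ -60,30 +57,30 @@
 local choosen = srv_hosts and srv_hosts[srv_choice] or session;
 if choosen.dane then
 local use, select, match, tlsa, certdata, match_found;
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa;
-module:log("debug", "TLSA %s", tostring(tlsa));
+module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
 
 -- PKIX-EE or DANE-EE
 if use == 1 or use == 3 then
 
 if select == 0 then
 certdata = pem2der(cert:pem());
 elseif select == 1 and cert.pubkey then
 certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
 else
-module:log("warn", "DANE selector %d is unsupported", select);
+module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
 end
 
 if match == 1 then
 certdata = hashes.sha256(certdata);
 elseif match == 2 then
 certdata = hashes.sha512(certdata);
 elseif match ~= 0 then
-module:log("warn", "DANE match rule %d is unsupported", match);
+module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
 certdata = nil;
 end
 
 -- Should we check if the cert subject matches?
 if certdata and certdata == tlsa.data then
@@ -95,11 +92,11 @@
 end
 match_found = true;
 break;
 end
 else
-module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
+module:log("warn", "DANE usage %s is unsupported", tlsa:getUsage() or use);
 -- PKIX-TA checks needs to loop over the chain and stuff
 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm
 end
 end
 if not match_found then
@@ -136,13 +133,10 @@
 if not origin.from_host then return end
 
 origin.dane = dns_lookup(function(answer)
 if answer and ( #answer > 0 or answer.bogus ) then
 origin.dane = answer;
-for i, tlsa in ipairs(answer) do
-module:log("debug", "TLSA %s", tostring(tlsa));
-end
 else
 origin.dane = false;
 end
 -- "blocking" until TLSA reply, but no race condition
 end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA");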
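Review bot: The new debug line in the second hunk (new line 62) passes `tlsa:getUsage()`, `tlsa:getSelector()` and `tlsa:getMatchType()` straight to `%s`, while the three warn lines in the same loop guard the same getters with `or select` / `or match` / `or use`, which suggests they return nil for codes the module does not know; a TLSA record carrying an unknown usage, selector or match type would then reach the format call with a nil argument, which under Lua 5.1's `string.format` is a "string expected, got nil" error inside the certificate-verification loop rather than a logged line. The local `use`/`select`/`match` are only assigned on the following line, so the fallbacks should read the raw fields, e.g. `module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage() or tlsa.use, tlsa:getSelector() or tlsa.select, tlsa:getMatchType() or tlsa.match, #tlsa.data);`. The `%d` for `#tlsa.data` assumes `data` is always a string in the record; if the resolver can omit it, `#nil` would fail the same way, so `#(tlsa.data or "")` is the safer form. The enclosing function of this loop begins before the section and ends after it, so the `match_found` handling that follows could not be checked here.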