diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1339:50555c2ccbcd

mod_s2s_auth_dane: Improve handling of bogus data
author Kim Alvefur <zash@zash.se>
date Sun, 09 Mar 2014 23:17:17 +0100
parents eca8c480891e
children 47d3c1c8a176
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 23:08:41 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 23:17:17 2014 +0100
@@ -14,6 +14,8 @@
 
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
 
+local bogus = {};
+
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
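Review bot: The new `local bogus = {};` is an identity sentinel with no comment, and nothing at the declaration says how it differs from the `false` that the later hunks also store in `.dane`. A one-line comment would spare the next reader a trip through the callbacks, e.g. `-- sentinel stored in .dane when the TLSA lookup was DNSSEC-bogus (false = no usable records); compare with ==`. The distinction matters because a bogus answer and an empty answer call for different treatment by whatever consumes `.dane` later, which is outside this hunk.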
@@ -37,8 +39,10 @@
 	local srv_choice = host_session.srv_choice;
 	if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then
 		srv_hosts[srv_choice].dane = dns_lookup(function(answer)
-			if answer and ( #answer > 0 or answer.bogus ) then
+			if answer and #answer > 0 and answer.secure then
 				srv_hosts[srv_choice].dane = answer;
+			elseif answer.bogus then
+				srv_hosts[srv_choice].dane = bogus;
 			else
 				srv_hosts[srv_choice].dane = false;
 			end
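Review bot: The `elseif answer.bogus then` branch indexes `answer` without a nil check; the old condition was guarded by `answer and (...)`, but now when `dns_lookup` delivers a nil answer the first test fails and the `elseif` raises "attempt to index a nil value" inside the callback. The fix is one line: `elseif answer and answer.bogus then`. If the callback errors, `srv_hosts[srv_choice].dane` is presumably left at whatever `dns_lookup` returned rather than `false`, so the failure mode is not a clean "no DANE" result. The same pattern is repeated in the third hunk (`origin.dane` lookup), which has a further problem noted there. The enclosing function starts and ends outside this hunk.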
@@ -134,8 +138,10 @@
 		if not origin.from_host or origin.dane ~= nil then return end
 
 		origin.dane = dns_lookup(function(answer)
-			if answer and ( #answer > 0 or answer.bogus ) then
-				origin.dane = answer;
+			if answer and #answer > 0 and answer.secure then
+				srv_hosts[srv_choice].dane = answer;
+			elseif answer.bogus then
+				srv_hosts[srv_choice].dane = bogus;
 			else
 				origin.dane = false;
 			end
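Review bot: The two added assignments write to `srv_hosts[srv_choice].dane`, but this callback belongs to the `origin.dane = dns_lookup(...)` path and its `else` branch still writes `origin.dane = false`, so the targets look like a copy-paste from the first callback. `srv_hosts` and `srv_choice` appear to be locals of the outgoing-session handler in the previous hunk; unless they are also in scope here (the enclosing function starts outside the hunk), they resolve to nil globals and `srv_hosts[srv_choice]` raises at runtime, leaving `origin.dane` at the value `dns_lookup` returned instead of the answer, `bogus`, or `false`. The intended lines are presumably `origin.dane = answer;` and `origin.dane = bogus;`, and as in the previous hunk the branch should read `elseif answer and answer.bogus then` so a nil answer does not error before reaching `origin.dane = false`.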