diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1348:6191613959dc

mod_s2s_auth_dane: Make supported DANE usages configurable, default to DANE-EE
author Kim Alvefur <zash@zash.se>
date Fri, 14 Mar 2014 14:18:18 +0100
parents 52b419885f0a
children 350e903b14ff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Mar 14 14:15:56 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Mar 14 14:18:18 2014 +0100
@@ -8,6 +8,8 @@
 
 module:set_global();
 
+local type = type;
+local set = require"util.set";
 local dns_lookup = require"net.adns".lookup;
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
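Review bot: `local type = type` is added in this hunk, but none of the lines this commit adds or changes call `type`, so unless it is needed by code outside the diff it is an unused local that luacheck will flag; either drop the line or introduce its caller in the same change. The `util.set` require is fine, it is used by the new option handling further down.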
@@ -25,6 +27,11 @@
 		return base64.decode(data), typ;
 	end
 end
+local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 }
+
+local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
+local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" });
+local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
 
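Review bot: A configured usage that is not implemented (DANE-TA, PKIX-CA) or simply misspelled is silently discarded by the intersection on the `enabled_uses` line, so an admin who sets `dane_uses = { "DANE-TA" }` ends up with an empty set and no DANE validation at all, and nothing in the log says why. I would report the difference once at load time, e.g. `for use in set.difference(configured_uses, implemented_uses):items() do module:log("warn", "DANE usage %s is not supported, ignoring", tostring(use)); end` (assuming util.set exposes `difference`/`items`; adjust to its actual API). Names are also matched case-sensitively against `use_map`, so a lowercase `"dane-ee"` is dropped the same way; that is worth a sentence in the option's documentation, which this hunk does not add.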
 -- TODO Things to test/handle:
 -- Negative or bogus answers
@@ -91,37 +98,39 @@
 			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 			use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
 
-			-- PKIX-EE or DANE-EE
-			if use == 1 or use == 3 then
-				supported_found = true
+			if enabled_uses:contains(use) then
+				-- PKIX-EE or DANE-EE
+				if use == 1 or use == 3 then
+					supported_found = true
 
-				if select == 0 then
-					certdata = pem2der(cert:pem());
-				elseif select == 1 and cert.pubkey then
-					certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
-				else
-					module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
-				end
+					if select == 0 then
+						certdata = pem2der(cert:pem());
+					elseif select == 1 and cert.pubkey then
+						certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
+					else
+						module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
+					end
 
-				if match == 1 then
-					certdata = hashes.sha256(certdata);
-				elseif match == 2 then
-					certdata = hashes.sha512(certdata);
-				elseif match ~= 0 then
-					module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
-					certdata = nil;
-				end
+					if match == 1 then
+						certdata = hashes.sha256(certdata);
+					elseif match == 2 then
+						certdata = hashes.sha512(certdata);
+					elseif match ~= 0 then
+						module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
+						certdata = nil;
+					end
 
-				-- Should we check if the cert subject matches?
-				if certdata and certdata == tlsa.data then
-					(session.log or module._log)("info", "DANE validation successful");
-					session.cert_identity_status = "valid";
-					if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
-						session.cert_chain_status = "valid";
-						-- for usage 1, PKIX-EE, the chain has to be valid already
+					-- Should we check if the cert subject matches?
+					if certdata and certdata == tlsa.data then
+						(session.log or module._log)("info", "DANE validation successful");
+						session.cert_identity_status = "valid";
+						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
+							session.cert_chain_status = "valid";
+							-- for usage 1, PKIX-EE, the chain has to be valid already
+						end
+						match_found = true;
+						break;
 					end
-					match_found = true;
-					break;
 				end
 			end
 		end
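Review bot: In the selector chain, the unsupported-selector branch (the `else` with the warn) leaves `certdata` as nil — the four-target assignment above this hunk's `if` sets it to nil — and the match block then calls `hashes.sha256(certdata)` or `hashes.sha512(certdata)` on it; if util.hashes rejects a nil argument, as a C binding usually does, the whole TLSA loop errors out instead of skipping that one record. A guard at the head of the match block avoids this: make `if not certdata then -- unsupported selector, nothing to compare` the first branch and turn the existing test into `elseif match == 1 then`. Separately, now that `enabled_uses` is the intersection with `implemented_uses` (only DANE-EE and PKIX-EE), the inner `if use == 1 or use == 3 then` is always true once `enabled_uses:contains(use)` holds and could be folded into the outer test. The enclosing loop and function begin outside this hunk.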