# HG changeset patch # User Kim Alvefur # Date 1388758466 -3600 # Node ID 1e84eebf3f467cd5a44f49f6651127710e781e44 # Parent 6a37bd22c8df8f0011a57d463903b3cbc2b615e3 mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results diff -r 6a37bd22c8df -r 1e84eebf3f46 mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 15:00:05 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 15:14:26 2014 +0100 @@ -31,7 +31,7 @@ local srv_choice = host_session.srv_choice; if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then dns_lookup(function(answer) - if answer and #answer > 0 then + if answer and ( #answer > 0 or answer.bogus ) then srv_hosts[srv_choice].dane = answer; for i, tlsa in ipairs(answer) do module:log("debug", "TLSA %s", tostring(tlsa)); @@ -48,7 +48,7 @@ local srv_choice = session.srv_choice; local choosen = srv_hosts and srv_hosts[srv_choice]; if choosen and choosen.dane then - local use, select, match, tlsa, certdata + local use, select, match, tlsa, certdata, match_found for i, rr in ipairs(choosen.dane) do tlsa = rr.tlsa module:log("debug", "TLSA %s", tostring(tlsa)); @@ -80,6 +80,7 @@ session.cert_chain_status = "valid" -- for usage 1 the chain has to be valid already end + match_found = true break; end else @@ -87,9 +88,12 @@ -- TODO Ca checks needs to loop over the chain and stuff end end + if not match_found then + (session.log or module._log)("info", "DANE validation successful"); + session.cert_identity_status = "invalid"; + session.cert_chain_status = "invalid"; + end end - - -- TODO Optionally, if no TLSA record matches, mark connection as untrusted. end); function module.unload()
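Review bot: The widened condition `if answer and ( #answer > 0 or answer.bogus ) then` accepts any non-empty TLSA answer without requiring that answer itself to be DNSSEC-validated, so an unsigned (insecure but not bogus) TLSA RRset would be stored in `srv_hosts[srv_choice].dane` and later used to pin the peer certificate, which is the opposite of what DANE requires. The outer check only establishes that the SRV answer was secure; unless the lines outside this hunk test the TLSA answer's own flag, I would gate on it, assuming it carries the same `secure` field the SRV answer does: `if answer and ( (answer.secure and #answer > 0) or answer.bogus ) then`. A one-line comment on why bogus answers are stored at all would also help the next reader, e.g. `-- a bogus (DNSSEC-failed) answer is kept so the auth hook fails closed`. The enclosing function starts and ends outside this hunk.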
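Review bot: The log line in the new `if not match_found then` block says "DANE validation successful" although the block is the failure path that sets `cert_identity_status` and `cert_chain_status` to "invalid", so operators will see a success message exactly when trust is being refused. I would change it to `(session.log or module._log)("warn", "DANE validation failed, no TLSA record matched the certificate");`. Note also that `match_found` is only set in the matching branch earlier in the function while the CA-constraint usages remain a TODO, so a peer that publishes only those usages (or whose answer is bogus) is now refused rather than falling back to ordinary PKIX; if that fail-closed behaviour is intended, a comment such as `-- no TLSA record matched or the answer was bogus: fail closed` would make it explicit. The enclosing hook function begins outside this hunk.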