# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1394403437 -3600
# Node ID 50555c2ccbcd933afa7d397bb7e0900610c00101
# Parent  eca8c480891ee754e0141358656756fe3d7cf398
mod_s2s_auth_dane: Improve handling of bogus data

diff -r eca8c480891e -r 50555c2ccbcd mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 23:08:41 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 23:17:17 2014 +0100
@@ -14,6 +14,8 @@
 
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
 
+local bogus = {};
+
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
@@ -37,8 +39,10 @@
 	local srv_choice = host_session.srv_choice;
 	if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then
 		srv_hosts[srv_choice].dane = dns_lookup(function(answer)
-			if answer and ( #answer > 0 or answer.bogus ) then
+			if answer and #answer > 0 and answer.secure then
 				srv_hosts[srv_choice].dane = answer;
+			elseif answer.bogus then
+				srv_hosts[srv_choice].dane = bogus;
 			else
 				srv_hosts[srv_choice].dane = false;
 			end
@@ -134,8 +138,10 @@
 		if not origin.from_host or origin.dane ~= nil then return end
 
 		origin.dane = dns_lookup(function(answer)
-			if answer and ( #answer > 0 or answer.bogus ) then
-				origin.dane = answer;
+			if answer and #answer > 0 and answer.secure then
+				srv_hosts[srv_choice].dane = answer;
+			elseif answer.bogus then
+				srv_hosts[srv_choice].dane = bogus;
 			else
 				origin.dane = false;
 			end