# HG changeset patch # User Kim Alvefur # Date 1449932518 -3600 # Node ID 5ea6f4e6fa8cc01770dfe2d9a0b7c50967b09d0f # Parent e63dba236a2aed0cd0d7b8584d339b8cbf64232a mod_s2s_auth_dane: Log as much as possible through session logger instance diff -r e63dba236a2a -r 5ea6f4e6fa8c mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sat Dec 12 03:30:06 2015 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sat Dec 12 16:01:58 2015 +0100 @@ -67,11 +67,12 @@ -- Takes a s2sin/out and a callback local function dane_lookup(host_session, cb) cb = cb or noop; + local log = host_session.log or module._log; if host_session.dane ~= nil then return end -- Has already done a lookup if host_session.direction == "incoming" then if not host_session.from_host then - module:log("debug", "Session doesn't have a 'from' host set"); + log("debug", "Session doesn't have a 'from' host set"); return; end -- We don't know what hostname or port to use for Incoming connections @@ -80,19 +81,19 @@ -- and incoming connections, so this should work well local name = host_session.from_host and idna_to_ascii(host_session.from_host); if not name then - module:log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host)); + log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host)); return; end host_session.dane = dns_lookup(function (answer, err) host_session.dane = false; -- Mark that we already did the lookup if not answer then - module:log("debug", "Resolver error: %s", tostring(err)); + log("debug", "Resolver error: %s", tostring(err)); return cb(host_session); end if not answer.secure then - module:log("debug", "Results are not secure"); + log("debug", "Results are not secure"); return cb(host_session); end @@ -112,7 +113,7 @@ for _, record in ipairs(answer) do t_insert(srv_hosts, record.srv); dns_lookup(function(dane_answer) - host_session.log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port); + log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port); n = n - 1; -- There are three kinds of answers -- Insecure, Secure and Bogus @@ -130,13 +131,13 @@ if (dane_answer.bogus or dane_answer.secure) and not dane then -- The first answer we care about -- For services with only one SRV record, this will be the only one - host_session.log("debug", "First secure (or bogus) TLSA") + log("debug", "First secure (or bogus) TLSA") dane = dane_answer; elseif dane_answer.bogus then - host_session.log("debug", "Got additional bogus TLSA") + log("debug", "Got additional bogus TLSA") dane.bogus = dane_answer.bogus; elseif dane_answer.secure then - host_session.log("debug", "Got additional secure TLSA") + log("debug", "Got additional secure TLSA") for _, dane_record in ipairs(dane_answer) do t_insert(dane, dane_record); end @@ -147,7 +148,7 @@ if #dane > 0 and dane.bogus then -- Got at least one non-bogus reply, -- This should trigger a failure if one of them did not match - host_session.log("warn", "Ignoring bogus replies"); + log("warn", "Ignoring bogus replies"); dane.bogus = nil; end if #dane == 0 and dane.bogus == nil then @@ -230,7 +231,7 @@ end -- Compare one TLSA record against a certificate -local function one_dane_check(tlsa, cert) +local function one_dane_check(tlsa, cert, log) local select, match, certdata = tlsa.select, tlsa.match; if select == 0 then @@ -238,7 +239,7 @@ elseif select == 1 and cert.pubkey then certdata = pem2der(cert:pubkey()); else - module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); + log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); return; end @@ -247,12 +248,12 @@ elseif match == 2 then certdata = hashes.sha512(certdata); elseif match ~= 0 then - module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); + log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); return; end if #certdata ~= #tlsa.data then - module:log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); + log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); end return certdata == tlsa.data; end @@ -266,14 +267,14 @@ local match_found, supported_found; for i = 1, #dane do local tlsa = dane[i].tlsa; - module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) + log("debug", "TLSA #%d: %s", i, tostring(tlsa)) local use = tlsa.use; if enabled_uses:contains(use) then -- DANE-EE or PKIX-EE if use == 3 or use == 1 then -- Should we check if the cert subject matches? - local is_match = one_dane_check(tlsa, cert); + local is_match = one_dane_check(tlsa, cert, log); if is_match ~= nil then supported_found = true; end @@ -298,7 +299,7 @@ local chain = session.conn:socket():getpeerchain(); for c = 1, #chain do local cacert = chain[c]; - local is_match = one_dane_check(tlsa, cacert); + local is_match = one_dane_check(tlsa, cacert, log); if is_match ~= nil then supported_found = true; end