# HG changeset patch
# User Kim Alvefur
# Date 1388757605 -3600
# Node ID 6a37bd22c8df8f0011a57d463903b3cbc2b615e3
# Parent 4e14ad802d58d141234b6c5cf83b076cf2f8eed8
mod_s2s_auth_dane: Warn about unsupported DANE params
diff -r 4e14ad802d58 -r 6a37bd22c8df mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 11:54:13 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 15:00:05 2014 +0100
@@ -60,15 +60,20 @@
 certdata = pem2der(cert:pem());
 elseif select == 1 then
 certdata = pem2der(cert:pubkey());
+ else
+ module:log("warn", "DANE selector %d is unsupported", select);
 end
 if match == 1 then
 certdata = hashes.sha256(certdata);
 elseif match == 2 then
 certdata = hashes.sha512(certdata);
+ elseif match ~= 0 then
+ module:log("warn", "DANE match rule %d is unsupported", match);
+ certdata = nil
 end
 -- Should we check if the cert subject matches?
- if certdata == tlsa.data then
+ if certdata and certdata == tlsa.data then
 (session.log or module._log)("info", "DANE validation successful");
 session.cert_identity_status = "valid"
 if use == 3 then
@@ -78,7 +83,7 @@
 break;
 end
 else
- module:log("warn", "DANE %s is unsupported", tlsa:getUsage());
+ module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
 -- TODO Ca checks needs to loop over the chain and stuff
 end
 end
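Review bot: The new `else` branch for an unsupported selector only logs and then falls through into the match step, unlike the unsupported-match branch, which resets `certdata`. If `certdata` is still nil at that point, `hashes.sha256(certdata)` or `hashes.sha512(certdata)` is called with nil for match 1 or 2, which presumably raises instead of skipping the record. If `certdata` is declared outside the per-record loop (its declaration is not visible in this hunk), a value left over from an earlier TLSA record could be hashed and compared instead. Because this comparison decides `session.cert_identity_status`, the selector branch should fail closed: add `certdata = nil` after the selector warning and wrap the match chain in `if certdata then` … `end`. The enclosing loop starts and ends outside the hunk.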
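Review bot: The unsupported-usage warning goes through `module:log`, while the success path a few lines earlier uses `(session.log or module._log)`, so the warning carries no session context. An operator reading the log cannot tell which remote server published the unsupported TLSA record. Using the same logger here would fix that, e.g. `(session.log or module._log)("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));`. The same applies to the two warnings added in the first hunk. The enclosing `if`/loop begins outside this hunk.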