# HG changeset patch
# User Kim Alvefur
# Date 1398356349 -7200
# Node ID 6bd9681d54b74856ebf25d2cb017da5ebb7a80f5
# Parent 6e1facedcb7405b478068d7b3c5756273eb3f406
mod_s2s_auth_dane: Break out DANE check into a function
diff -r 6e1facedcb74 -r 6bd9681d54b7 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Apr 22 20:16:40 2014 -0500
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Apr 24 18:19:09 2014 +0200
@@ -139,40 +139,49 @@ end); end +local function one_dane_check(tlsa, cert) + local select, match, certdata = tlsa.select, tlsa.match; + + if select == 0 then + certdata = pem2der(cert:pem()); + elseif select == 1 and cert.pubkey then + certdata = pem2der(cert:pubkey()); + else + module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); + return; + end + + if match == 1 then + certdata = hashes.sha256(certdata); + elseif match == 2 then + certdata = hashes.sha512(certdata); + elseif match ~= 0 then + module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); + return; + end + + return certdata == tlsa.data; +end + module:hook("s2s-check-certificate", function(event) local session, cert = event.session, event.cert; local dane = session.dane; if type(dane) == "table" then - local use, select, match, tlsa, certdata, match_found, supported_found; + local use, tlsa, match_found, supported_found, is_match; for i = 1, #dane do tlsa = dane[i].tlsa; module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); - use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; + use = tlsa.use; if enabled_uses:contains(use) then -- PKIX-EE or DANE-EE if use == 1 or use == 3 then - supported_found = true - - if select == 0 then - certdata = pem2der(cert:pem()); - elseif select == 1 and cert.pubkey then - certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec - else - module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); + -- Should we check if the cert subject matches? 
+ is_match = one_dane_check(tlsa, cert);
+ if is_match ~= nil then
+ supported_found = true;
 end
-
- if match == 1 then
- certdata = certdata and hashes.sha256(certdata);
- elseif match == 2 then
- certdata = certdata and hashes.sha512(certdata);
- elseif match ~= 0 then
- module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
- certdata = nil;
- end
-
- -- Should we check if the cert subject matches?
- if certdata and certdata == tlsa.data then
+ if is_match then
 (session.log or module._log)("info", "DANE validation successful");
 session.cert_identity_status = "valid";
 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
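Review bot: The tri-state contract of `one_dane_check` — `true` on match, `false` on mismatch, `nil` when the selector or matching type is unsupported — is exactly what the caller's `if is_match ~= nil then supported_found = true` relies on to tell "unsupported record" from "failed match", yet the new function carries no comment stating it; a header such as `-- Returns true/false for a match/mismatch, or nil if the TLSA selector or matching type is not supported here` above `local function one_dane_check(tlsa, cert)` would pin that down before someone changes a `return;` into `return false;` and silently turns unsupported records into failures. The refactor also drops the `-- Not supported in stock LuaSec` remark from the `cert:pubkey()` branch; it belongs on the new `elseif select == 1 and cert.pubkey then` line, since it explains why that branch is guarded by `cert.pubkey` at all. As a point of style, `local select, match, certdata = tlsa.select, tlsa.match;` shadows Lua's builtin `select` inside the function; names like `selector`/`matching` would avoid that and read closer to the TLSA field names. The `module:hook("s2s-check-certificate", …)` callback continues past the end of the hunk.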