# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1427828254 -7200
# Node ID a4a6b4be973abb3dc861f174a9a8d6c6a4596627
# Parent 1fa25cfb0ad4fe4c41e1300734c7aa680f53343d
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
diff -r 1fa25cfb0ad4 -r a4a6b4be973a mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 31 18:31:13 2015 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 31 20:57:34 2015 +0200
@@ -234,17 +234,17 @@
local log = session.log or module._log;
local dane = session.dane;
if type(dane) == "table" then
- local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
+ local match_found, supported_found;
for i = 1, #dane do
- tlsa = dane[i].tlsa;
+ local tlsa = dane[i].tlsa;
module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
- use = tlsa.use;
+ local use = tlsa.use;
if enabled_uses:contains(use) then
-- PKIX-EE or DANE-EE
if use == 1 or use == 3 then
-- Should we check if the cert subject matches?
- is_match = one_dane_check(tlsa, cert);
+ local is_match = one_dane_check(tlsa, cert);
if is_match ~= nil then
supported_found = true;
end
@@ -260,20 +260,14 @@
end
elseif use == 0 or use == 2 then
supported_found = true;
- if chain == nil then
- chain = session.conn:socket():getpeerchain();
- end
- for i = 2, #chain do
- cacert, leafcert = chain[i], chain[i-1];
- is_match = one_dane_check(tlsa, cacert);
+ local chain = session.conn:socket():getpeerchain();
+ for i = 1, #chain do
+ local cacert = chain[i];
+ local is_match = one_dane_check(tlsa, cacert);
if is_match ~= nil then
supported_found = true;
end
- if use == 2 and not cacert:issued(leafcert or cacert) then
- module:log("debug", "Broken chain");
- break;
- end
- if is_match then
+ if is_match and cacert:issued(cert, unpack(chain)) then
log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
if use == 2 then -- DANE-TA
session.cert_identity_status = "valid";