changeset 1261:6a37bd22c8df

mod_s2s_auth_dane: Warn about unsupported DANE params
author Kim Alvefur <zash@zash.se>
date Fri, 03 Jan 2014 15:00:05 +0100
parents 4e14ad802d58
children 1e84eebf3f46
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Jan 03 11:54:13 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Jan 03 15:00:05 2014 +0100
@@ -60,15 +60,20 @@
 					certdata = pem2der(cert:pem());
 				elseif select == 1 then
 					certdata = pem2der(cert:pubkey());
+				else
+					module:log("warn", "DANE selector %d is unsupported", select);
 				end
 				if match == 1 then
 					certdata = hashes.sha256(certdata);
 				elseif match == 2 then
 					certdata = hashes.sha512(certdata);
+				elseif match ~= 0 then
+					module:log("warn", "DANE match rule %d is unsupported", match);
+					certdata = nil
 				end
 
 				-- Should we check if the cert subject matches?
-				if certdata == tlsa.data then
+				if certdata and certdata == tlsa.data then
 					(session.log or module._log)("info", "DANE validation successful");
 					session.cert_identity_status = "valid"
 					if use == 3 then
@@ -78,7 +83,7 @@
 					break;
 				end
 			else
-				module:log("warn", "DANE %s is unsupported", tlsa:getUsage());
+				module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
 				-- TODO Ca checks needs to loop over the chain and stuff
 			end
 		end