Comparison

mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1436:3944e364ba88

mod_s2s_auth_dane: Add some more info to log messages
author Kim Alvefur <zash@zash.se>
date Fri, 13 Jun 2014 02:19:52 +0200
parent 1435:cdc8f226a284
child 1437:161bbe0b9dd3
comparison
equal deleted inserted replaced
1435:cdc8f226a284 1436:3944e364ba88
180 local dane = session.dane; 180 local dane = session.dane;
181 if type(dane) == "table" then 181 if type(dane) == "table" then
182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; 182 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
183 for i = 1, #dane do 183 for i = 1, #dane do
184 tlsa = dane[i].tlsa; 184 tlsa = dane[i].tlsa;
185 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); 185 module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
186 use = tlsa.use; 186 use = tlsa.use;
187 187
188 if enabled_uses:contains(use) then 188 if enabled_uses:contains(use) then
189 -- PKIX-EE or DANE-EE 189 -- PKIX-EE or DANE-EE
190 if use == 1 or use == 3 then 190 if use == 1 or use == 3 then
192 is_match = one_dane_check(tlsa, cert); 192 is_match = one_dane_check(tlsa, cert);
193 if is_match ~= nil then 193 if is_match ~= nil then
194 supported_found = true; 194 supported_found = true;
195 end 195 end
196 if is_match then 196 if is_match then
197 log("info", "DANE validation successful"); 197 log("info", "DANE validated ok using %s", tlsa:getUsage());
198 session.cert_identity_status = "valid"; 198 session.cert_identity_status = "valid";
199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status 199 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
200 session.cert_chain_status = "valid"; 200 session.cert_chain_status = "valid";
201 -- for usage 1, PKIX-EE, the chain has to be valid already 201 -- for usage 1, PKIX-EE, the chain has to be valid already
202 end 202 end
217 if use == 2 and not cacert:issued(leafcert or cacert) then 217 if use == 2 and not cacert:issued(leafcert or cacert) then
218 module:log("debug", "Broken chain"); 218 module:log("debug", "Broken chain");
219 break; 219 break;
220 end 220 end
221 if is_match then 221 if is_match then
222 log("info", "DANE validation successful"); 222 log("info", "DANE validated ok using %s", tlsa:getUsage());
223 if use == 2 then -- DANE-TA 223 if use == 2 then -- DANE-TA
224 session.cert_identity_status = "valid"; 224 session.cert_identity_status = "valid";
225 session.cert_chain_status = "valid"; 225 session.cert_chain_status = "valid";
226 -- for usage 0, PKIX-CA, identity and chain has to be valid already 226 -- for usage 0, PKIX-CA, identity and chain has to be valid already
227 end 227 end
233 end 233 end
234 end 234 end
235 end 235 end
236 if supported_found and not match_found or dane.bogus then 236 if supported_found and not match_found or dane.bogus then
237 -- No TLSA matched or response was bogus 237 -- No TLSA matched or response was bogus
238 log("warn", "DANE validation failed"); 238 local why = "No TLSA matched certificate";
239 if dane.bogus then
240 why = "Bogus: "..tostring(dane.bogus);
241 end
242 log("warn", "DANE validation failed: %s", why);
239 session.cert_identity_status = "invalid"; 243 session.cert_identity_status = "invalid";
240 session.cert_chain_status = "invalid"; 244 session.cert_chain_status = "invalid";
241 end 245 end
242 else 246 else
243 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" 247 if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"