mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1261:6a37bd22c8df
mod_s2s_auth_dane: Warn about unsupported DANE params
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 03 Jan 2014 15:00:05 +0100 |
parent | 1258:fc82d8eded7d |
child | 1262:1e84eebf3f46 |
1260:4e14ad802d58 | 1261:6a37bd22c8df |
---|---|
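--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -58,29 +58,34 @@
 
 if select == 0 then
 certdata = pem2der(cert:pem());
 elseif select == 1 then
 certdata = pem2der(cert:pubkey());
+else
+module:log("warn", "DANE selector %d is unsupported", select);
 end
 if match == 1 then
 certdata = hashes.sha256(certdata);
 elseif match == 2 then
 certdata = hashes.sha512(certdata);
+elseif match ~= 0 then
+module:log("warn", "DANE match rule %d is unsupported", match);
+certdata = nil
 end
 
 -- Should we check if the cert subject matches?
-if certdata == tlsa.data then
+if certdata and certdata == tlsa.data then
 (session.log or module._log)("info", "DANE validation successful");
 session.cert_identity_status = "valid"
 if use == 3 then
 session.cert_chain_status = "valid"
 -- for usage 1 the chain has to be valid already
 end
 break;
 end
 else
-module:log("warn", "DANE %s is unsupported", tlsa:getUsage());
+module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
 -- TODO Ca checks needs to loop over the chain and stuff
 end
 end
 end
 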
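Review bot: The unsupported-selector branch added at new lines 63-64 warns but leaves `certdata` untouched, unlike the unsupported-match branch at new lines 70-72 which resets it to nil, so the match step that follows still calls `hashes.sha256`/`hashes.sha512` on whatever `certdata` currently holds. If `certdata` is a fresh local for this TLSA record that is a hash call on nil; if it is declared outside the loop (its declaration is before the hunk, so this is inferred), it is the value derived for a previous record and would be hashed and compared against this record's `tlsa.data`, which the `certdata and` guard at new line 76 does not prevent since it only protects the comparison. Suggested change: add `certdata = nil` after the selector warning and guard the hashing with `if certdata and match == 1 then` / `elseif certdata and match == 2 then`, so an unsupported selector can never contribute to a "valid" identity status. The enclosing loop and function start outside the hunk.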