
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1327:b93f45c42044

mod_s2s_auth_dane: Comment updates
author Kim Alvefur <zash@zash.se>
date Wed, 05 Mar 2014 17:38:36 +0100
parent 1325:b21236b6b8d8
child 1328:446fcda4ec45
1326:afae347928d8 1327:b93f45c42044
23 end 23 end
24 24
25 -- TODO Things to test/handle: 25 -- TODO Things to test/handle:
26 -- Negative or bogus answers 26 -- Negative or bogus answers
27 -- No SRV records 27 -- No SRV records
28 -- No encryption offered
28 29
29 function s2sout.try_connect(host_session, connect_host, connect_port, err) 30 function s2sout.try_connect(host_session, connect_host, connect_port, err)
30 local srv_hosts = host_session.srv_hosts; 31 local srv_hosts = host_session.srv_hosts;
31 local srv_choice = host_session.srv_choice; 32 local srv_choice = host_session.srv_choice;
32 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then 33 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
40 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA"); 41 end, ("_%d._tcp.%s"):format(connect_port, connect_host), "TLSA");
41 end 42 end
42 return _try_connect(host_session, connect_host, connect_port, err); 43 return _try_connect(host_session, connect_host, connect_port, err);
43 end 44 end
44 45
46 -- This and the TLSA reply are in a race condition :(
45 module:hook("s2s-check-certificate", function(event) 47 module:hook("s2s-check-certificate", function(event)
46 local session, cert = event.session, event.cert; 48 local session, cert = event.session, event.cert;
47 local srv_hosts = session.srv_hosts; 49 local srv_hosts = session.srv_hosts;
48 local srv_choice = session.srv_choice; 50 local srv_choice = session.srv_choice;
49 local choosen = srv_hosts and srv_hosts[srv_choice]; 51 local choosen = srv_hosts and srv_hosts[srv_choice];
52 for i, rr in ipairs(choosen.dane) do 54 for i, rr in ipairs(choosen.dane) do
53 tlsa = rr.tlsa; 55 tlsa = rr.tlsa;
54 module:log("debug", "TLSA %s", tostring(tlsa)); 56 module:log("debug", "TLSA %s", tostring(tlsa));
55 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; 57 use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
56 58
59 -- PKIX-EE or DANE-EE
57 if use == 1 or use == 3 then 60 if use == 1 or use == 3 then
58 61
59 if select == 0 then 62 if select == 0 then
60 certdata = pem2der(cert:pem()); 63 certdata = pem2der(cert:pem());
61 elseif select == 1 then 64 elseif select == 1 then
62 certdata = pem2der(cert:pubkey()); 65 certdata = pem2der(cert:pubkey());
63 else 66 else
64 module:log("warn", "DANE selector %d is unsupported", select); 67 module:log("warn", "DANE selector %d is unsupported", select);
65 end 68 end
69
66 if match == 1 then 70 if match == 1 then
67 certdata = hashes.sha256(certdata); 71 certdata = hashes.sha256(certdata);
68 elseif match == 2 then 72 elseif match == 2 then
69 certdata = hashes.sha512(certdata); 73 certdata = hashes.sha512(certdata);
70 elseif match ~= 0 then 74 elseif match ~= 0 then
74 78
75 -- Should we check if the cert subject matches? 79 -- Should we check if the cert subject matches?
76 if certdata and certdata == tlsa.data then 80 if certdata and certdata == tlsa.data then
77 (session.log or module._log)("info", "DANE validation successful"); 81 (session.log or module._log)("info", "DANE validation successful");
78 session.cert_identity_status = "valid"; 82 session.cert_identity_status = "valid";
79 if use == 3 then 83 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
80 session.cert_chain_status = "valid"; 84 session.cert_chain_status = "valid";
81 -- for usage 1 the chain has to be valid already 85 -- for usage 1, PKIX-EE, the chain has to be valid already
82 end 86 end
83 match_found = true; 87 match_found = true;
84 break; 88 break;
85 end 89 end
86 else 90 else
87 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); 91 module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
88 -- TODO Ca checks needs to loop over the chain and stuff 92 -- TODO CA checks needs to loop over the chain and stuff
89 end 93 end
90 end 94 end
91 if not match_found then 95 if not match_found then
92 (session.log or module._log)("warn", "DANE validation failed"); 96 (session.log or module._log)("warn", "DANE validation failed");
93 session.cert_identity_status = "invalid"; 97 session.cert_identity_status = "invalid";