
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1327:b93f45c42044

mod_s2s_auth_dane: Comment updates
author Kim Alvefur <zash@zash.se>
date Wed, 05 Mar 2014 17:38:36 +0100
parent 1325:b21236b6b8d8
child 1328:446fcda4ec45
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Feb 28 15:41:26 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:38:36 2014 +0100
@@ -25,6 +25,7 @@
 -- TODO Things to test/handle:
 -- Negative or bogus answers
 -- No SRV records
+-- No encryption offered
 
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 	local srv_hosts = host_session.srv_hosts;
@@ -42,6 +43,7 @@
 	return _try_connect(host_session, connect_host, connect_port, err);
 end
 
+-- This and the TLSA reply are in a race condition :(
 module:hook("s2s-check-certificate", function(event)
 	local session, cert = event.session, event.cert;
 	local srv_hosts = session.srv_hosts;
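Review bot: The added comment above the `s2s-check-certificate` hook records a race with the TLSA reply but not which side wins, so a reader cannot tell whether a reply that arrives late means the DANE check is skipped, retried, or silently treated as "no TLSA records". Spell out the observed outcome and the intended fix in the comment, e.g. `-- Race: this hook may run before the TLSA reply arrives; a missing reply currently looks like "no TLSA records" (TODO: defer the check until the lookup completes)`, adjusting the wording to whatever the handler actually does. The handler body continues outside the hunk, so the behaviour on a missing reply is not visible here.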
@@ -54,6 +56,7 @@
 			module:log("debug", "TLSA %s", tostring(tlsa));
 			use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
 
+			-- PKIX-EE or DANE-EE
 			if use == 1 or use == 3 then
 
 				if select == 0 then
@@ -63,6 +66,7 @@
 				else
 					module:log("warn", "DANE selector %d is unsupported", select);
 				end
+
 				if match == 1 then
 					certdata = hashes.sha256(certdata);
 				elseif match == 2 then
@@ -76,16 +80,16 @@
 				if certdata and certdata == tlsa.data then
 					(session.log or module._log)("info", "DANE validation successful");
 					session.cert_identity_status = "valid";
-					if use == 3 then
+					if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 						session.cert_chain_status = "valid";
-						-- for usage 1 the chain has to be valid already
+						-- for usage 1, PKIX-EE, the chain has to be valid already
 					end
 					match_found = true;
 					break;
 				end
 			else
 				module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
-				-- TODO Ca checks needs to loop over the chain and stuff
+				-- TODO CA checks needs to loop over the chain and stuff
 			end
 		end
 		if not match_found then
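Review bot: The new comment on the `use == 3` line says the chain status "equals DNSSEC chain status", but the assignment on the next line sets `session.cert_chain_status = "valid"` unconditionally; nothing in this hunk checks that the TLSA RRset was DNSSEC-secure, so a reader cannot tell where that condition is enforced. If the secure-answer check happens earlier (outside the hunk), say so in the comment, e.g. `-- DANE-EE: the TLSA RRset was DNSSEC-validated before we got here, so the chain is trusted without a PKIX check`; if it does not, usage 3 would mark the chain valid on an unvalidated answer and the assignment needs a guard on the lookup's secure status. The enclosing loop and handler continue outside the hunk.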