# HG changeset patch # User Kim Alvefur # Date 1398555823 -7200 # Node ID cf4e39334ef77b7ff93f3c7f72ae74513afe58fa # Parent 33f132c3f4b7b06afd5546688104bdae75d70775 mod_s2s_auth_dane: Add support for DANE-TA and PKIX-CA (requires LuaSec changes) diff -r 33f132c3f4b7 -r cf4e39334ef7 mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Apr 27 01:40:20 2014 +0200 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Apr 27 01:43:43 2014 +0200 @@ -36,7 +36,14 @@ local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; -local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); +if debug.getregistry()["SSL:Certificate"].__index.issued then + -- Need cert:issued() for these + implemented_uses:add("DANE-TA"); + implemented_uses:add("PKIX-CA"); +else + module:log("warn", "Unable to support DANE-TA and PKIX-CA"); +end +local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" }); local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; local function dane_lookup(host_session, cb, a,b,c,e) @@ -159,7 +166,7 @@ local session, cert = event.session, event.cert; local dane = session.dane; if type(dane) == "table" then - local use, tlsa, match_found, supported_found, is_match; + local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; for i = 1, #dane do tlsa = dane[i].tlsa; module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); @@ -183,6 +190,33 @@ match_found = true; break; end + elseif use == 0 or use == 2 then + supported_found = true; + if chain == nil then + chain = session.conn:socket():getpeerchain(); + end + for i = 2, #chain do + cacert, leafcert = chain[i], chain[i-1]; + is_match = one_dane_check(tlsa, cacert); + if is_match ~= nil then + supported_found = true; + end + if use == 2 and not cacert:issued(leafcert or cacert) then + module:log("debug", "Broken chain"); + break; + end + if is_match then + (session.log or module._log)("info", "DANE validation successful"); + if use == 2 then -- DANE-TA + session.cert_identity_status = "valid"; + session.cert_chain_status = "valid"; + -- for usage 0, PKIX-CA, identity and chain has to be valid already + end + match_found = true; + break; + end + end + if match_found then break end end end end