Changeset

1262:1e84eebf3f46

mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
author Kim Alvefur <zash@zash.se>
date Fri, 03 Jan 2014 15:14:26 +0100
parents 1261:6a37bd22c8df
children 1263:fe29627a5ed8
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 8 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Jan 03 15:00:05 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Jan 03 15:14:26 2014 +0100
@@ -31,7 +31,7 @@
 	local srv_choice = host_session.srv_choice;
 	if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
 		dns_lookup(function(answer)
-			if answer and #answer > 0 then
+			if answer and ( #answer > 0 or answer.bogus ) then
 				srv_hosts[srv_choice].dane = answer;
 				for i, tlsa in ipairs(answer) do
 					module:log("debug", "TLSA %s", tostring(tlsa));
@@ -48,7 +48,7 @@
 	local srv_choice = session.srv_choice;
 	local choosen = srv_hosts and srv_hosts[srv_choice];
 	if choosen and choosen.dane then
-		local use, select, match, tlsa, certdata
+		local use, select, match, tlsa, certdata, match_found
 		for i, rr in ipairs(choosen.dane) do
 			tlsa = rr.tlsa
 			module:log("debug", "TLSA %s", tostring(tlsa));
@@ -80,6 +80,7 @@
 						session.cert_chain_status = "valid"
 						-- for usage 1 the chain has to be valid already
 					end
+					match_found = true
 					break;
 				end
 			else
@@ -87,9 +88,12 @@
 				-- TODO Ca checks needs to loop over the chain and stuff
 			end
 		end
+		if not match_found then
+			(session.log or module._log)("info", "DANE validation successful");
+			session.cert_identity_status = "invalid";
+			session.cert_chain_status = "invalid";
+		end
 	end
-
-	-- TODO Optionally, if no TLSA record matches, mark connection as untrusted.
 end);
 
 function module.unload()