Changeset
1262:1e84eebf3f46
mod_s2s_auth_dane: Invalidate trust if there are TLSA records but no matches, or bogus results
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 03 Jan 2014 15:14:26 +0100 (2014-01-03) |
parents | 1261:6a37bd22c8df |
children | 1263:fe29627a5ed8 |
files | mod_s2s_auth_dane/mod_s2s_auth_dane.lua |
diffstat | 1 files changed, 8 insertions(+), 4 deletions(-) [+] |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 15:00:05 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jan 03 15:14:26 2014 +0100
@@ -31,7 +31,7 @@
 local srv_choice = host_session.srv_choice;
 if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
 dns_lookup(function(answer)
- if answer and #answer > 0 then
+ if answer and ( #answer > 0 or answer.bogus ) then
 srv_hosts[srv_choice].dane = answer;
 for i, tlsa in ipairs(answer) do
 module:log("debug", "TLSA %s", tostring(tlsa));
@@ -48,7 +48,7 @@
 local srv_choice = session.srv_choice;
 local choosen = srv_hosts and srv_hosts[srv_choice];
 if choosen and choosen.dane then
- local use, select, match, tlsa, certdata
+ local use, select, match, tlsa, certdata, match_found
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa
 module:log("debug", "TLSA %s", tostring(tlsa));
@@ -80,6 +80,7 @@
 session.cert_chain_status = "valid" -- for usage 1 the chain has to be valid already
 end
+ match_found = true
 break;
 end
 else
@@ -87,9 +88,12 @@
 -- TODO Ca checks needs to loop over the chain and stuff
 end
 end
+ if not match_found then
+ (session.log or module._log)("info", "DANE validation successful");
+ session.cert_identity_status = "invalid";
+ session.cert_chain_status = "invalid";
+ end
 end
-
- -- TODO Optionally, if no TLSA record matches, mark connection as untrusted.
 end);
 function module.unload()
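Review bot: A bogus answer is now stored in `srv_hosts[srv_choice].dane` exactly like a DNSSEC-validated one, and the matching loop in the second hunk iterates `choosen.dane` without ever consulting the `bogus` flag. If the resolver returns TLSA records alongside a bogus result (I cannot tell from this hunk whether it does), those records would be compared against the certificate and could set the status to valid, which is the opposite of what the commit title intends. Guarding the loop so that records from a bogus answer are never matched, e.g. `for i, rr in ipairs(choosen.dane.bogus and {} or choosen.dane) do`, lets the new `if not match_found` block handle the bogus case by construction. The enclosing functions of both hunks begin outside the shown lines, so the fix needs to be placed with the full file in view.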
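Review bot: The log line added at the top of the new `if not match_found` block reports `DANE validation successful` while the two assignments directly beneath it set `cert_identity_status` and `cert_chain_status` to `"invalid"`; the message contradicts the action and will mislead anyone reading logs during an incident. It should state the failure, e.g. `(session.log or module._log)("info", "DANE validation failed: no TLSA record matched");`, and "warn" may be the more appropriate level since this branch downgrades the connection's trust. The function containing this block starts before the hunk.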