Software /
code /
prosody-modules
Changeset
1642:a4a6b4be973a
mod_s2s_auth_dane: Update for recent changes in Zashs LuaSec branch
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 31 Mar 2015 20:57:34 +0200 |
parents | 1641:1fa25cfb0ad4 |
children | 1643:71538875be48 1644:fc08d841a309 |
files | mod_s2s_auth_dane/mod_s2s_auth_dane.lua |
diffstat | 1 files changed, 9 insertions(+), 15 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 31 18:31:13 2015 +0200 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 31 20:57:34 2015 +0200 @@ -234,17 +234,17 @@ local log = session.log or module._log; local dane = session.dane; if type(dane) == "table" then - local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match; + local match_found, supported_found; for i = 1, #dane do - tlsa = dane[i].tlsa; + local tlsa = dane[i].tlsa; module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) - use = tlsa.use; + local use = tlsa.use; if enabled_uses:contains(use) then -- PKIX-EE or DANE-EE if use == 1 or use == 3 then -- Should we check if the cert subject matches? - is_match = one_dane_check(tlsa, cert); + local is_match = one_dane_check(tlsa, cert); if is_match ~= nil then supported_found = true; end @@ -260,20 +260,14 @@ end elseif use == 0 or use == 2 then supported_found = true; - if chain == nil then - chain = session.conn:socket():getpeerchain(); - end - for i = 2, #chain do - cacert, leafcert = chain[i], chain[i-1]; - is_match = one_dane_check(tlsa, cacert); + local chain = session.conn:socket():getpeerchain(); + for i = 1, #chain do + local cacert = chain[i]; + local is_match = one_dane_check(tlsa, cacert); if is_match ~= nil then supported_found = true; end - if use == 2 and not cacert:issued(leafcert or cacert) then - module:log("debug", "Broken chain"); - break; - end - if is_match then + if is_match and cacert:issued(cert, unpack(chain)) then log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); if use == 2 then -- DANE-TA session.cert_identity_status = "valid";