prosody-modules: comparison mod_s2s_auth_dane/mod_s2s_auth

equal deleted inserted replaced

-:e63dba236a2a
+:5ea6f4e6fa8c
 -- Find applicable TLSA records
 -- Takes a s2sin/out and a callback
 local function dane_lookup(host_session, cb)
 	cb = cb or noop;
+	local log = host_session.log or module._log;
 	if host_session.dane ~= nil then return end -- Has already done a lookup
 	if host_session.direction == "incoming" then
 		if not host_session.from_host then
-			module:log("debug", "Session doesn't have a 'from' host set");
+			log("debug", "Session doesn't have a 'from' host set");
 			return;
 		end
 		-- We don't know what hostname or port to use for Incoming connections
 		-- so we do a SRV lookup and then request TLSA records for each SRV
 		-- Most servers will probably use the same certificate on outgoing
 		-- and incoming connections, so this should work well
 		local name = host_session.from_host and idna_to_ascii(host_session.from_host);
 		if not name then
-			module:log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host));
+			log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host));
 			return;
 		end
 		host_session.dane = dns_lookup(function (answer, err)
 			host_session.dane = false; -- Mark that we already did the lookup
 			if not answer then
-				module:log("debug", "Resolver error: %s", tostring(err));
+				log("debug", "Resolver error: %s", tostring(err));
 				return cb(host_session);
 			end
 			if not answer.secure then
-				module:log("debug", "Results are not secure");
+				log("debug", "Results are not secure");
 				return cb(host_session);
 			end
 			local n = answer.n or #answer;
 			if n == 0 then
 			host_session.srv_hosts = srv_hosts;
 			local dane;
 			for _, record in ipairs(answer) do
 				t_insert(srv_hosts, record.srv);
 				dns_lookup(function(dane_answer)
-					host_session.log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port);
+					log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port);
 					n = n - 1;
 					-- There are three kinds of answers
 					-- Insecure, Secure and Bogus
 					--
 					-- We collect Secure answers for later use
 					-- replies matched, we consider the connection insecure.
 					if (dane_answer.bogus or dane_answer.secure) and not dane then
 						-- The first answer we care about
 						-- For services with only one SRV record, this will be the only one
-						host_session.log("debug", "First secure (or bogus) TLSA")
+						log("debug", "First secure (or bogus) TLSA")
 						dane = dane_answer;
 					elseif dane_answer.bogus then
-						host_session.log("debug", "Got additional bogus TLSA")
+						log("debug", "Got additional bogus TLSA")
 						dane.bogus = dane_answer.bogus;
 					elseif dane_answer.secure then
-						host_session.log("debug", "Got additional secure TLSA")
+						log("debug", "Got additional secure TLSA")
 						for _, dane_record in ipairs(dane_answer) do
 							t_insert(dane, dane_record);
 						end
 					end
 					if n == 0 then
 						if dane then
 							host_session.dane = dane;
 							if #dane > 0 and dane.bogus then
 								-- Got at least one non-bogus reply,
 								-- This should trigger a failure if one of them did not match
-								host_session.log("warn", "Ignoring bogus replies");
+								log("warn", "Ignoring bogus replies");
 								dane.bogus = nil;
 							end
 							if #dane == 0 and dane.bogus == nil then
 								-- Got no usable data
 								host_session.dane = false;
 		session.srv_hosts = nil;
 	end);
 end
 -- Compare one TLSA record against a certificate
-local function one_dane_check(tlsa, cert)
+local function one_dane_check(tlsa, cert, log)
 	local select, match, certdata = tlsa.select, tlsa.match;
 	if select == 0 then
 		certdata = pem2der(cert:pem());
 	elseif select == 1 and cert.pubkey then
 		certdata = pem2der(cert:pubkey());
 	else
-		module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
+		log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
 		return;
 	end
 	if match == 1 then
 		certdata = hashes.sha256(certdata);
 	elseif match == 2 then
 		certdata = hashes.sha512(certdata);
 	elseif match ~= 0 then
-		module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
+		log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
 		return;
 	end
 	if #certdata ~= #tlsa.data then
-		module:log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
+		log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
 	end
 	return certdata == tlsa.data;
 end
 module:hook("s2s-check-certificate", function(event)
 	local dane = session.dane;
 	if type(dane) == "table" then
 		local match_found, supported_found;
 		for i = 1, #dane do
 			local tlsa = dane[i].tlsa;
-			module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
+			log("debug", "TLSA #%d: %s", i, tostring(tlsa))
 			local use = tlsa.use;
 			if enabled_uses:contains(use) then
 				-- DANE-EE or PKIX-EE
 				if use == 3 or use == 1 then
 					-- Should we check if the cert subject matches?
-					local is_match = one_dane_check(tlsa, cert);
+					local is_match = one_dane_check(tlsa, cert, log);
 					if is_match ~= nil then
 						supported_found = true;
 					end
 					if is_match and use == 1 and session.cert_chain_status ~= "valid" then
 						-- for usage 1, PKIX-EE, the chain has to be valid already
 				elseif use == 2 or use == 0 then
 					supported_found = true;
 					local chain = session.conn:socket():getpeerchain();
 					for c = 1, #chain do
 						local cacert = chain[c];
-						local is_match = one_dane_check(tlsa, cacert);
+						local is_match = one_dane_check(tlsa, cacert, log);
 						if is_match ~= nil then
 							supported_found = true;
 						end
 						if is_match and not cacert:issued(cert, unpack(chain)) then
 							is_match = false;

changeset 1974	5ea6f4e6fa8c
parent 1967	98d757dc0771
child 1975	54405541d0ba