From: Petr Špaček Date: Fri, 12 Jan 2018 13:59:59 +0000 (+0100) Subject: policy TLS_FORWARD: improve error reporting for invalid parameters X-Git-Tag: v2.0.0~32^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40c64b148fccd57cc1f7e573ce6541b8cb89cc59;p=thirdparty%2Fknot-resolver.git policy TLS_FORWARD: improve error reporting for invalid parameters --- diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua index 7a829954a..9d1628693 100644 --- a/modules/policy/policy.lua +++ b/modules/policy/policy.lua @@ -128,20 +128,25 @@ local function forward(target) end end --- Forward request and all subrequests to upstream over TCP; validate answers +-- Forward request and all subrequests to upstream over TLS; validate answers local function tls_forward(target) local sockaddr_list = {} local addr_list = {} local ca_files = {} local hostnames = {} local pins = {} - if type(target) ~= 'table' then - assert(false, 'wrong TLS_FORWARD target') + if type(target) ~= 'table' or #target < 1 then + error('TLS_FORWARD argument must be a non-empty table') end - for _, upstream_list_entry in pairs(target) do + for idx, upstream_list_entry in pairs(target) do + if type(upstream_list_entry) ~= 'table' then + error('TLS_FORWARD target must be a non-empty table (found ' + .. type(upstream_list_entry) .. ' at position ' .. idx .. ')') + end local upstream_addr = upstream_list_entry[1] if type(upstream_addr) ~= 'string' then - assert(false, 'bad IP address in TLS_FORWARD target') + error('TLS_FORWARD target must start with an IP address (found ' + .. type(upstream_addr) .. ' at the beginning of target position ' .. idx .. ')') end table.insert(sockaddr_list, addr2sock(upstream_addr, 853)) table.insert(addr_list, upstream_addr) diff --git a/modules/policy/policy_test.lua b/modules/policy/policy_test.lua index de46ec58a..65d321027 100644 --- a/modules/policy/policy_test.lua +++ b/modules/policy/policy_test.lua 
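Review bot: The new `#target < 1` guard and the `pairs(target)` loop right after it disagree about what a valid argument is: `#` only measures the array part, so an entry stored under a string key (e.g. `{{'::1'}, extra = 'x'}`) passes the guard and is then visited by `pairs` with a non-numeric `idx`, and a boolean or table key would make the `.. idx ..` concatenation inside the `error(...)` call raise its own "attempt to concatenate" error in place of the intended message. Iterating with `for idx, upstream_list_entry in ipairs(target) do` makes the loop cover exactly the sequence the guard checked and guarantees `idx` is a number. Since this block is an argument validator, `error(msg, 2)` would also report the position of the configuration line that called TLS_FORWARD rather than a line inside policy.lua. The rest of tls_forward, including whatever handles `pin`, `hostname` and `ca`, continues past the end of the hunk, so whether an entry carrying no authentication material is rejected cannot be judged from here.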
@@ -7,7 +7,8 @@ modules = { 'policy' } local function test_tls_forward() boom(policy.TLS_FORWARD, {}, 'TLS_FORWARD without arguments') boom(policy.TLS_FORWARD, {'1'}, 'TLS_FORWARD with non-table argument') - -- boom(policy.TLS_FORWARD, {{}}, 'TLS_FORWARD with empty table') + boom(policy.TLS_FORWARD, {{}}, 'TLS_FORWARD with empty table') + boom(policy.TLS_FORWARD, {{{}}}, 'TLS_FORWARD with empty target table') boom(policy.TLS_FORWARD, {{{bleble=''}}}, 'TLS_FORWARD with invalid parameters in table') boom(policy.TLS_FORWARD, {{'1'}}, 'TLS_FORWARD with invalid IP address') @@ -16,13 +17,13 @@ local function test_tls_forward() -- boom(policy.TLS_FORWARD, {{{'::1', pin=''}}}, 'TLS_FORWARD with empty pin') -- boom(policy.TLS_FORWARD, {{{'::1', pin='č'}}}, 'TLS_FORWARD with bad pin') - ok(policy.TLS_FORWARD, {{{'::1', pin='ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ=='}}}, 'TLS_FORWARD with base64 pin') - ok(policy.TLS_FORWARD, {{{'::1', pin={ + ok(policy.TLS_FORWARD({{'::1', pin='ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ=='}}), 'TLS_FORWARD with base64 pin') + ok(policy.TLS_FORWARD({{'::1', pin={ 'ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ==', 'MTcwYWUzMGNjZDlmYmE2MzBhZjhjZGE2ODQxZTAwYzZiNjU3OWNlYzc3NmQ0MTllNzAyZTIwYzY5YzQ4OGZmOA==' - }}}}, 'TLS_FORWARD with table of pins') + }}}), 'TLS_FORWARD with table of pins') - ok(policy.TLS_FORWARD, {{{'::1', hostname='test.', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with hostname + CA cert') + ok(policy.TLS_FORWARD({{'::1', hostname='test.', ca='/tmp/ca.crt'}}), 'TLS_FORWARD with hostname + CA cert') -- boom(policy.TLS_FORWARD, {{{'::1', hostname='test.'}}}, 'TLS_FORWARD with just hostname') -- boom(policy.TLS_FORWARD, {{{'::1', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with just CA cert') -- boom(policy.TLS_FORWARD, {{{'::1', hostname='', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with invalid hostname + CA cert')