From f86d1517ce1c6ad3eeebcfb9f57d3689f6f9e943 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Mon, 25 Apr 2022 15:07:49 +0100
Subject: mod_s2s: Improve robustness of outgoing s2s certificate verification

This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).

Thanks to Zash for discovery and testing.
---
 plugins/mod_s2s.lua | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 3ad0f521..e810c6cd 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -349,6 +349,15 @@ function make_authenticated(event)
 			}, nil, "Could not establish encrypted connection to remote server");
 		end
 	end
+
+	if session.type == "s2sout_unauthed" and not session.authenticated_remote and secure_auth and not insecure_domains[host] then
+		session:close({
+			condition = "policy-violation";
+			text = "Failed to verify certificate (internal error)";
+		});
+		return;
+	end
+
 	if hosts[host] then
 		session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
 	end
@@ -531,6 +540,8 @@ function stream_callbacks._streamopened(session, attr)
 		if session.secure and not session.cert_chain_status then
 			if check_cert_status(session) == false then
 				return;
+			else
+				session.authenticated_remote = true;
 			end
 		end
 
-- 
cgit v1.2.3