comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1349:350e903b14ff
mod_s2s_auth_dane: Comments and TODOs
author | Kim Alvefur <zash@zash.se> |
date | Fri, 14 Mar 2014 14:23:27 +0100 |
parents | 6191613959dc |
children | cda335db2cbb |
1348:6191613959dc | 1349:350e903b14ff |
1 -- mod_s2s_auth_dane | 1 -- mod_s2s_auth_dane |
2 -- Copyright (C) 2013-2014 Kim Alvefur | 2 -- Copyright (C) 2013-2014 Kim Alvefur |
3 -- | 3 -- |
4 -- This file is MIT/X11 licensed. | 4 -- This file is MIT/X11 licensed. |
5 -- | 5 -- |
6 -- In your DNS, put | |
7 -- _xmpp-server.example.com. IN TLSA 3 0 1 <sha256 hash of certificate> | |
8 -- | |
9 -- Known issues: | |
10 -- Race condition | |
6 -- Could be done much cleaner if mod_s2s was using util.async | 11 -- Could be done much cleaner if mod_s2s was using util.async |
7 | 12 -- |
13 -- TODO Things to test/handle: | |
14 -- Negative or bogus answers | |
15 -- No encryption offered | |
16 -- Different hostname before and after STARTTLS - mod_s2s should complain | |
17 -- Interaction with Dialback | |
8 | 18 |
9 module:set_global(); | 19 module:set_global(); |
10 | 20 |
11 local type = type; | 21 local type = type; |
12 local set = require"util.set"; | 22 local set = require"util.set"; |
30 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } | 40 local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } |
31 | 41 |
32 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; | 42 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; |
33 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); | 43 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); |
34 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; | 44 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; |
35 | |
36 -- TODO Things to test/handle: | |
37 -- Negative or bogus answers | |
38 -- No SRV records | |
39 -- No encryption offered | |
40 -- Different hostname before and after STARTTLS - mod_s2s should complain | |
41 | 45 |
42 local function dane_lookup(host_session, name, cb, a,b,c) | 46 local function dane_lookup(host_session, name, cb, a,b,c) |
43 if host_session.dane ~= nil then return false; end | 47 if host_session.dane ~= nil then return false; end |
44 local ascii_host = name and idna_to_ascii(name); | 48 local ascii_host = name and idna_to_ascii(name); |
45 if not ascii_host then return false; end | 49 if not ascii_host then return false; end |