Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1339:50555c2ccbcd
mod_s2s_auth_dane: Improve handling of bogus data
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 09 Mar 2014 23:17:17 +0100 |
| parents | eca8c480891e |
| children | 47d3c1c8a176 |
comparison
equal
deleted
inserted
replaced
| 1338:eca8c480891e | 1339:50555c2ccbcd |
|---|---|
| 11 local dns_lookup = require"net.adns".lookup; | 11 local dns_lookup = require"net.adns".lookup; |
| 12 local hashes = require"util.hashes"; | 12 local hashes = require"util.hashes"; |
| 13 local base64 = require"util.encodings".base64; | 13 local base64 = require"util.encodings".base64; |
| 14 | 14 |
| 15 local s2sout = module:depends"s2s".route_to_new_session.s2sout; | 15 local s2sout = module:depends"s2s".route_to_new_session.s2sout; |
| 16 | |
| 17 local bogus = {}; | |
| 16 | 18 |
| 17 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. | 19 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. |
| 18 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; | 20 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; |
| 19 local function pem2der(pem) | 21 local function pem2der(pem) |
| 20 local typ, data = pem:match(pat); | 22 local typ, data = pem:match(pat); |
| 35 function s2sout.try_connect(host_session, connect_host, connect_port, err) | 37 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
| 36 local srv_hosts = host_session.srv_hosts; | 38 local srv_hosts = host_session.srv_hosts; |
| 37 local srv_choice = host_session.srv_choice; | 39 local srv_choice = host_session.srv_choice; |
| 38 if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then | 40 if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then |
| 39 srv_hosts[srv_choice].dane = dns_lookup(function(answer) | 41 srv_hosts[srv_choice].dane = dns_lookup(function(answer) |
| 40 if answer and ( #answer > 0 or answer.bogus ) then | 42 if answer and #answer > 0 and answer.secure then |
| 41 srv_hosts[srv_choice].dane = answer; | 43 srv_hosts[srv_choice].dane = answer; |
| 44 elseif answer.bogus then | |
| 45 srv_hosts[srv_choice].dane = bogus; | |
| 42 else | 46 else |
| 43 srv_hosts[srv_choice].dane = false; | 47 srv_hosts[srv_choice].dane = false; |
| 44 end | 48 end |
| 45 -- "blocking" until TLSA reply, but no race condition | 49 -- "blocking" until TLSA reply, but no race condition |
| 46 return _try_connect(host_session, connect_host, connect_port, err); | 50 return _try_connect(host_session, connect_host, connect_port, err); |
| 132 module:hook("s2s-stream-features", function(event) | 136 module:hook("s2s-stream-features", function(event) |
| 133 local origin = event.origin; | 137 local origin = event.origin; |
| 134 if not origin.from_host or origin.dane ~= nil then return end | 138 if not origin.from_host or origin.dane ~= nil then return end |
| 135 | 139 |
| 136 origin.dane = dns_lookup(function(answer) | 140 origin.dane = dns_lookup(function(answer) |
| 137 if answer and ( #answer > 0 or answer.bogus ) then | 141 if answer and #answer > 0 and answer.secure then |
| 138 origin.dane = answer; | 142 srv_hosts[srv_choice].dane = answer; |
| 143 elseif answer.bogus then | |
| 144 srv_hosts[srv_choice].dane = bogus; | |
| 139 else | 145 else |
| 140 origin.dane = false; | 146 origin.dane = false; |
| 141 end | 147 end |
| 142 end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA"); | 148 end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA"); |
| 143 end, 1); | 149 end, 1); |