comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1339:50555c2ccbcd
mod_s2s_auth_dane: Improve handling of bogus data
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 09 Mar 2014 23:17:17 +0100 |
parents | eca8c480891e |
children | 47d3c1c8a176 |
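--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -11,10 +11,12 @@
 local dns_lookup = require"net.adns".lookup;
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
 
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
+
+local bogus = {};
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
 local typ, data = pem:match(pat);
@@ -35,12 +37,14 @@
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 local srv_hosts = host_session.srv_hosts;
 local srv_choice = host_session.srv_choice;
 if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then
 srv_hosts[srv_choice].dane = dns_lookup(function(answer)
-if answer and ( #answer > 0 or answer.bogus ) then
+if answer and #answer > 0 and answer.secure then
 srv_hosts[srv_choice].dane = answer;
+elseif answer.bogus then
+srv_hosts[srv_choice].dane = bogus;
 else
 srv_hosts[srv_choice].dane = false;
 end
 -- "blocking" until TLSA reply, but no race condition
 return _try_connect(host_session, connect_host, connect_port, err);
@@ -132,12 +136,14 @@
 module:hook("s2s-stream-features", function(event)
 local origin = event.origin;
 if not origin.from_host or origin.dane ~= nil then return end
 
 origin.dane = dns_lookup(function(answer)
-if answer and ( #answer > 0 or answer.bogus ) then
-origin.dane = answer;
+if answer and #answer > 0 and answer.secure then
+srv_hosts[srv_choice].dane = answer;
+elseif answer.bogus then
+srv_hosts[srv_choice].dane = bogus;
 else
 origin.dane = false;
 end
 end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA");
 end, 1);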
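Review bot: New lines 142 and 144 of the s2s-stream-features callback write to `srv_hosts[srv_choice].dane`, but `srv_hosts` and `srv_choice` are locals of `try_connect` and are not in scope here, so on any secure non-empty or bogus TLSA answer the callback indexes an undefined global and raises instead of recording the result on the inbound session; they should read `origin.dane = answer;` and `origin.dane = bogus;`. Because the callback aborts before assigning, `origin.dane` is presumably left holding whatever `dns_lookup` returned rather than the answer, the `bogus` sentinel or `false`, so DANE data for exactly the inbound peers that publish TLSA records would never be consulted — worth confirming against how `origin.dane` is read later in the file. Separately, `elseif answer.bogus then` (here and at new line 44 of the try_connect hunk) drops the nil guard that the first branch keeps; if net.adns can invoke the callback with a nil answer on lookup failure or timeout, this branch raises and the `else` → `false` path is unreachable, so `elseif answer and answer.bogus then` is the safer form. The body of `try_connect` continues past its hunk.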