comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1394:50f986deb3f7

mod_s2s_auth_dane: Launch DANE queries when sending or receiving stream-features instead of monkeypatching s2sout.lib
author Kim Alvefur <zash@zash.se>
date Sun, 27 Apr 2014 01:24:03 +0200
parents d99c10fc4d19
children 33f132c3f4b7
1393:4baaa5a66a5a 1394:50f986deb3f7
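--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -30,12 +30,10 @@
 
 if not dns_lookup.types or not dns_lookup.types.TLSA then
 module:log("error", "No TLSA support available, DANE will not be supported");
 return
 end
-
-local s2sout = module:depends"s2s".route_to_new_session.s2sout;
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
 local typ, data = pem:match(pat);
@@ -97,33 +95,31 @@
 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
 return true;
 end
 end
 
-local _try_connect = s2sout.try_connect;
-function s2sout.try_connect(host_session, connect_host, connect_port, err)
-if not err and dane_lookup(host_session, _try_connect, host_session, connect_host, connect_port, err) then
-return true;
-end
-return _try_connect(host_session, connect_host, connect_port, err);
-end
-
 function module.add_host(module)
-module:hook("s2s-stream-features", function(event)
--- dane_lookup(origin, origin.from_host);
+local function on_new_s2s(event)
 local host_session = event.origin;
-if host_session.type == "s2sin" then return end -- Already authenticated
+if host_session.type == "s2sout" or host_session.type == "s2sin" or host_session.dane ~= nil then return end -- Already authenticated
 host_session.log("debug", "Pausing connection until DANE lookup is completed");
 host_session.conn:pause()
 local function resume()
 host_session.log("debug", "DANE lookup completed, resuming connection");
 host_session.conn:resume()
 end
 if not dane_lookup(host_session, resume) then
 resume();
 end
-end, 10);
+end
+
+-- New outgoing connections
+module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
+module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
+
+-- New incoming connections
+module:hook("s2s-stream-features", on_new_s2s, 10);
 
 module:hook("s2s-authenticated", function(event)
 local session = event.session;
 if session.dane and not session.secure then
 -- TLSA record but no TLS, not ok.
@@ -219,10 +215,5 @@
 end
 end
 end
 end);
 
-function module.unload()
--- Restore the original try_connect function
-s2sout.try_connect = _try_connect;
-end
-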
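Review bot: The early-return guard in on_new_s2s (new line 103) and the three hook priorities (new lines 116–120) encode assumptions that are not written down, so a reader cannot tell why `host_session.dane ~= nil` counts as "already authenticated" or why the stream-features hook runs at 501 rather than the default. I would comment the guard as `-- skip sessions that are already authenticated (type is plain s2sin/s2sout) or that already have a DANE result recorded` and put `-- 501: run before the core outgoing stream-features handler so the connection is paused before TLS/auth proceeds -- confirm against the core s2s handler's priority` above the hook, since that core priority is not visible here. Once the connection is paused, the only resume paths are the dane_lookup callback and the immediate resume() when no lookup is launched; nothing in this hunk bounds how long a session stays paused if the TLSA response never arrives, which is presumably left to the existing connect timeout and is worth confirming. The module.add_host function continues past the hunk.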