Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 2184:7155ed1fb540
Backed out changeset f00cbfb812cd, it only half-worked and broke things
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 28 May 2016 13:34:43 +0200 |
parents | 5df3b646c9ad |
children | 2cbd7876ba14 |
comparison
equal
deleted
inserted
replaced
2183:13a8bbf256dd | 2184:7155ed1fb540 |
---|---|
196 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); | 196 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); |
197 return true; | 197 return true; |
198 end | 198 end |
199 end | 199 end |
200 | 200 |
201 local function resume(host_session) | |
202 host_session.log("debug", "DANE lookup completed, resuming connection"); | |
203 host_session.conn:resume() | |
204 end | |
205 | |
201 function module.add_host(module) | 206 function module.add_host(module) |
207 local function on_new_s2s(event) | |
208 local host_session = event.origin; | |
209 if host_session.type == "s2sout" or host_session.type == "s2sin" then | |
210 return; -- Already authenticated | |
211 end | |
212 if host_session.dane ~= nil then | |
213 return; -- Already done DANE lookup | |
214 end | |
215 if dane_lookup(host_session, resume) then | |
216 host_session.log("debug", "Pausing connection until DANE lookup is completed"); | |
217 host_session.conn:pause() | |
218 end | |
219 end | |
220 | |
221 -- New outgoing connections | |
222 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); | |
223 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200); | |
224 | |
225 -- New incoming connections | |
226 module:hook("s2s-stream-features", on_new_s2s, 10); | |
227 | |
202 module:hook("s2s-authenticated", function(event) | 228 module:hook("s2s-authenticated", function(event) |
203 local session = event.session; | 229 local session = event.session; |
204 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then | 230 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then |
205 -- TLSA record but no TLS, not ok. | 231 -- TLSA record but no TLS, not ok. |
206 -- TODO Optional? | 232 -- TODO Optional? |
244 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); | 270 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); |
245 end | 271 end |
246 return certdata == tlsa.data; | 272 return certdata == tlsa.data; |
247 end | 273 end |
248 | 274 |
249 -- Re-run streamopend() to continue | |
250 local function resume(session) | |
251 local attr = { | |
252 version = session.version, | |
253 to = session.to_host, | |
254 from = session.from_host, | |
255 id = session.streamid, | |
256 }; | |
257 session.cert_chain_status = nil; | |
258 session.open_stream.stream_callbacks.streamopened(session, attr); | |
259 end | |
260 | |
261 module:hook("s2s-check-certificate", function(event) | 275 module:hook("s2s-check-certificate", function(event) |
262 local session, cert, host = event.session, event.cert, event.host; | 276 local session, cert, host = event.session, event.cert, event.host; |
263 if not cert then return end | 277 if not cert then return end |
264 local log = session.log or module._log; | 278 local log = session.log or module._log; |
265 local dane = session.dane; | 279 local dane = session.dane; |
266 if dane == nil and dane_lookup(session, resume) then | |
267 return false; | |
268 end | |
269 if type(dane) == "table" then | 280 if type(dane) == "table" then |
270 local match_found, supported_found; | 281 local match_found, supported_found; |
271 for i = 1, #dane do | 282 for i = 1, #dane do |
272 local tlsa = dane[i].tlsa; | 283 local tlsa = dane[i].tlsa; |
273 log("debug", "TLSA #%d: %s", i, tostring(tlsa)) | 284 log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |