comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1943:7e04ca0aa757
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
author | Kim Alvefur <zash@zash.se> |
date | Thu, 05 Nov 2015 14:10:11 +0100 |
parents | 7ba877e2d660 |
children | 1950fa6aa0c0 |
1942:ff95d983940c | 1943:7e04ca0aa757 |
96 return cb(host_session); | 96 return cb(host_session); |
97 end | 97 end |
98 | 98 |
99 local n = answer.n or #answer; | 99 local n = answer.n or #answer; |
100 if n == 0 then | 100 if n == 0 then |
101 -- No SRV records, we could proceed with the domainname and | 101 -- No SRV records, synthesize fallback host and port |
102 -- default port but that will currently not work properly since | 102 -- this may behave oddly for connections in the other direction if |
103 -- mod_s2s doesn't keep the answer around for that | 103 -- mod_s2s doesn't keep the answer around |
104 return cb(host_session); | 104 answer[1] = { srv = { target = name, port = 5269 } }; |
105 end | 105 n = 1; |
106 if n == 1 and answer[1].srv.target == '.' then | 106 elseif n == 1 and answer[1].srv.target == '.' then |
107 return cb(host_session); -- No service ... This shouldn't happen? | 107 return cb(host_session); -- No service ... This shouldn't happen? |
108 end | 108 end |
109 local srv_hosts = { answer = answer }; | 109 local srv_hosts = { answer = answer }; |
110 host_session.srv_hosts = srv_hosts; | 110 host_session.srv_hosts = srv_hosts; |
111 local dane; | 111 local dane; |
160 elseif host_session.direction == "outgoing" then | 160 elseif host_session.direction == "outgoing" then |
161 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure | 161 -- Prosody has already done SRV lookups for outgoing session, so check if those are secure |
162 local srv_hosts = host_session.srv_hosts; | 162 local srv_hosts = host_session.srv_hosts; |
163 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then | 163 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then |
164 return; -- No secure SRV records, fall back to non-DANE mode | 164 return; -- No secure SRV records, fall back to non-DANE mode |
165 -- Empty response were not kept by older mod_s2s/s2sout | |
165 end | 166 end |
166 -- Do TLSA lookup for currently selected SRV record | 167 -- Do TLSA lookup for currently selected SRV record |
167 local srv_choice = srv_hosts[host_session.srv_choice]; | 168 local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 }; |
168 host_session.dane = dns_lookup(function(answer) | 169 host_session.dane = dns_lookup(function(answer) |
169 if answer and ((answer.secure and #answer > 0) or answer.bogus) then | 170 if answer and ((answer.secure and #answer > 0) or answer.bogus) then |
170 srv_choice.dane = answer; | 171 srv_choice.dane = answer; |
171 else | 172 else |
172 srv_choice.dane = false; | 173 srv_choice.dane = false; |
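Review bot: The fallback table built inline on new line 168 when `srv_hosts[host_session.srv_choice or 0]` is nil is never stored back into `srv_hosts`, so the `srv_choice.dane = answer` / `srv_choice.dane = false` writes on lines 171 and 173 land on a table only this callback references; if the later DANE verification reads the result through `srv_hosts[host_session.srv_choice].dane` (that code is outside the hunk), a host without SRV records would silently be verified without DANE even after a secure TLSA answer arrived. Consider keeping the synthesized choice reachable from `srv_hosts`, for example `srv_hosts[host_session.srv_choice or 1] = srv_choice;` directly after line 168, in the same way the first hunk keeps its synthesized SRV entry inside `answer`. Note also that `idna_to_ascii` can return nil for a `to_host` it cannot encode, which leaves `target` nil in the fallback and should be checked before it is used to form the TLSA name. A related bookkeeping gap in the first hunk: lines 104–105 set the local `n = 1` after synthesizing `answer[1]`, but `answer.n`, which line 99 prefers over `#answer`, is left as it was, so `answer.n = 1;` belongs alongside it if that field is populated by the resolver. Both hunks sit inside functions that begin and end outside the hunk.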