comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1701:9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there is only one SRV record
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 06 May 2015 00:53:27 +0200 |
parents | ab3175685f94 |
children | d011b87b7f58 |
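--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -103,34 +103,53 @@
 end
 if n == 1 and answer[1].srv.target == '.' then
 return cb(host_session); -- No service ... This shouldn't happen?
 end
 local srv_hosts = { answer = answer };
-local dane = {};
-host_session.dane = dane;
 host_session.srv_hosts = srv_hosts;
+local dane;
 for _, record in ipairs(answer) do
 t_insert(srv_hosts, record.srv);
 dns_lookup(function(dane_answer)
 n = n - 1;
-if dane_answer.bogus then
+-- There are three kinds of answers
+-- Insecure, Secure and Bogus
+--
+-- We collect Secure answers for later use
+--
+-- Insecure (legacy) answers are simply ignored
+--
+-- If we get a Bogus (dnssec error) reply, keep the
+-- status around. If there were only bogus replies, the
+-- connection will be aborted. If there were at least
+-- one non-Bogus reply, we proceed. If none of the
+-- replies matched, we consider the connection insecure.
+
+if (dane_answer.bogus or dane_answer.secure) and not dane then
+-- The first answer we care about
+-- For services with only one SRV record, this will be the only one
+dane = dane_answer;
+elseif dane_answer.bogus then
 dane.bogus = dane_answer.bogus;
 elseif dane_answer.secure then
 for _, dane_record in ipairs(dane_answer) do
 t_insert(dane, dane_record);
 end
 end
 if n == 0 then
-if #dane > 0 and dane.bogus then
--- Got at least one non-bogus reply,
--- This should trigger a failure if one of them did not match
-host_session.log("warn", "Ignoring bogus replies");
-dane.bogus = nil;
-end
-if #dane == 0 and dane.bogus == nil then
--- Got no usable data
-host_session.dane = false;
+if dane then
+host_session.dane = dane;
+if #dane > 0 and dane.bogus then
+-- Got at least one non-bogus reply,
+-- This should trigger a failure if one of them did not match
+host_session.log("warn", "Ignoring bogus replies");
+dane.bogus = nil;
+end
+if #dane == 0 and dane.bogus == nil then
+-- Got no usable data
+host_session.dane = false;
+end
+end
 end
 return cb(host_session);
 end
 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
 end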
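Review bot: When every TLSA answer is insecure, `dane` is still nil at `if n == 0 then`, so the new `if dane then` block is skipped and `host_session.dane` is never assigned, whereas the removed code reached `host_session.dane = false` ("Got no usable data") for that case. Whether later verification treats nil and false the same is outside this hunk; if any caller tests `host_session.dane == false`, the old marker should be restored by giving the `if dane then` block an `else host_session.dane = false; end`, or the comment block should state that nil now means "no Secure or Bogus answers were seen". Note also that `dane` is now the first qualifying answer object rather than a fresh table, so `host_session.dane` carries that answer's own fields such as `secure` or `bogus`; a one-line comment at `dane = dane_answer;` saying so would help the next reader. The enclosing function and the `dns_lookup` callback both begin before this hunk.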