Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1351:a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 18 Mar 2014 15:12:11 +0100 |
| parents | cda335db2cbb |
| children | b0f780d3a24e |
comparison
equal
deleted
inserted
replaced
| 1350:cda335db2cbb | 1351:a052740bbf48 |
|---|---|
| 17 -- Interaction with Dialback | 17 -- Interaction with Dialback |
| 18 | 18 |
| 19 module:set_global(); | 19 module:set_global(); |
| 20 | 20 |
| 21 local type = type; | 21 local type = type; |
| 22 local t_insert = table.insert; | |
| 22 local set = require"util.set"; | 23 local set = require"util.set"; |
| 23 local dns_lookup = require"net.adns".lookup; | 24 local dns_lookup = require"net.adns".lookup; |
| 24 local hashes = require"util.hashes"; | 25 local hashes = require"util.hashes"; |
| 25 local base64 = require"util.encodings".base64; | 26 local base64 = require"util.encodings".base64; |
| 26 local idna_to_ascii = require "util.encodings".idna.to_ascii; | 27 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
| 39 | 40 |
| 40 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; | 41 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; |
| 41 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); | 42 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); |
| 42 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; | 43 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; |
| 43 | 44 |
| 44 local function dane_lookup(host_session, name, cb, a,b,c) | 45 local function dane_lookup(host_session, cb, a,b,c,e) |
| 45 if host_session.dane ~= nil then return false; end | 46 if host_session.dane ~= nil then return end |
| 46 local ascii_host = name and idna_to_ascii(name); | 47 if host_session.direction == "incoming" then |
| 47 if not ascii_host then return false; end | 48 local name = idna_to_ascii(host_session.from_host); |
| 48 host_session.dane = dns_lookup(function(answer) | 49 if not name then return end |
| 49 if answer and (answer.secure and #answer > 0) or answer.bogus then | 50 local handle = dns_lookup(function (answer) |
| 50 host_session.dane = answer; | 51 if not answer.secure then return end |
| 51 else | 52 if #answer == 1 and answer[1].srv.target == '.' then return end |
| 52 host_session.dane = false; | 53 local srv_hosts = { answer = answer }; |
| 53 end | 54 local dane = {}; |
| 54 if cb then return cb(a,b,c); end | 55 host_session.dane = dane; |
| 55 end, ("_xmpp-server.%s."):format(ascii_host), "TLSA"); | 56 host_session.srv_hosts = srv_hosts; |
| 56 host_session.connecting = true; | 57 local n = #answer |
| 57 return true; | 58 for _, record in ipairs(answer) do |
| 59 t_insert(srv_hosts, record.srv); | |
| 60 dns_lookup(function(dane_answer) | |
| 61 n = n - 1; | |
| 62 if dane_answer.bogus then | |
| 63 t_insert(dane, { bogus = dane_answer.bogus }); | |
| 64 elseif dane_answer.secure then | |
| 65 for _, record in ipairs(dane_answer) do | |
| 66 t_insert(dane, record); | |
| 67 end | |
| 68 end | |
| 69 if n == 0 and cb then return cb(a,b,c,e); end | |
| 70 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); | |
| 71 end | |
| 72 end, "_xmpp-server._tcp."..name..".", "SRV"); | |
| 73 return true; | |
| 74 elseif host_session.direction == "outgoing" then | |
| 75 local srv_choice = host_session.srv_hosts[host_session.srv_choice]; | |
| 76 host_session.dane = dns_lookup(function(answer) | |
| 77 if answer and (answer.secure and #answer > 0) or answer.bogus then | |
| 78 srv_choice.dane = answer; | |
| 79 else | |
| 80 srv_choice.dane = false; | |
| 81 end | |
| 82 host_session.dane = srv_choice.dane; | |
| 83 if cb then return cb(a,b,c,e); end | |
| 84 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); | |
| 85 return true; | |
| 86 end | |
| 58 end | 87 end |
| 59 | 88 |
| 60 local _attempt_connection = s2sout.attempt_connection; | 89 local _try_connect = s2sout.try_connect; |
| 61 function s2sout.attempt_connection(host_session, err) | 90 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
| 62 if not err and dane_lookup(host_session, host_session.to_host, _attempt_connection, host_session, err) then | 91 if not err and dane_lookup(host_session, _try_connect, host_session, connect_host, connect_port, err) then |
| 63 return true; | 92 return true; |
| 64 end | 93 end |
| 65 return _attempt_connection(host_session, err); | 94 return _try_connect(host_session, connect_host, connect_port, err); |
| 66 end | 95 end |
| 67 | 96 |
| 68 function module.add_host(module) | 97 function module.add_host(module) |
| 69 module:hook("s2s-stream-features", function(event) | 98 module:hook("s2s-stream-features", function(event) |
| 70 local origin = event.origin; | 99 -- dane_lookup(origin, origin.from_host); |
| 71 dane_lookup(origin, origin.from_host); | 100 dane_lookup(event.origin); |
| 72 end, 1); | 101 end, 1); |
| 73 | 102 |
| 74 module:hook("s2s-authenticated", function(event) | 103 module:hook("s2s-authenticated", function(event) |
| 75 local session = event.session; | 104 local session = event.session; |
| 76 if session.dane and not session.secure then | 105 if session.dane and not session.secure then |
| 142 end | 171 end |
| 143 end | 172 end |
| 144 end); | 173 end); |
| 145 | 174 |
| 146 function module.unload() | 175 function module.unload() |
| 147 -- Restore the original attempt_connection function | 176 -- Restore the original try_connect function |
| 148 s2sout.attempt_connection = _attempt_connection; | 177 s2sout.try_connect = _try_connect; |
| 149 end | 178 end |
| 150 | 179 |