Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1351:a052740bbf48
mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 18 Mar 2014 15:12:11 +0100 |
parents | cda335db2cbb |
children | b0f780d3a24e |
comparison
equal
deleted
inserted
replaced
1350:cda335db2cbb | 1351:a052740bbf48 |
---|---|
17 -- Interaction with Dialback | 17 -- Interaction with Dialback |
18 | 18 |
19 module:set_global(); | 19 module:set_global(); |
20 | 20 |
21 local type = type; | 21 local type = type; |
22 local t_insert = table.insert; | |
22 local set = require"util.set"; | 23 local set = require"util.set"; |
23 local dns_lookup = require"net.adns".lookup; | 24 local dns_lookup = require"net.adns".lookup; |
24 local hashes = require"util.hashes"; | 25 local hashes = require"util.hashes"; |
25 local base64 = require"util.encodings".base64; | 26 local base64 = require"util.encodings".base64; |
26 local idna_to_ascii = require "util.encodings".idna.to_ascii; | 27 local idna_to_ascii = require "util.encodings".idna.to_ascii; |
39 | 40 |
40 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; | 41 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; |
41 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); | 42 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); |
42 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; | 43 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; |
43 | 44 |
44 local function dane_lookup(host_session, name, cb, a,b,c) | 45 local function dane_lookup(host_session, cb, a,b,c,e) |
45 if host_session.dane ~= nil then return false; end | 46 if host_session.dane ~= nil then return end |
46 local ascii_host = name and idna_to_ascii(name); | 47 if host_session.direction == "incoming" then |
47 if not ascii_host then return false; end | 48 local name = idna_to_ascii(host_session.from_host); |
48 host_session.dane = dns_lookup(function(answer) | 49 if not name then return end |
49 if answer and (answer.secure and #answer > 0) or answer.bogus then | 50 local handle = dns_lookup(function (answer) |
50 host_session.dane = answer; | 51 if not answer.secure then return end |
51 else | 52 if #answer == 1 and answer[1].srv.target == '.' then return end |
52 host_session.dane = false; | 53 local srv_hosts = { answer = answer }; |
53 end | 54 local dane = {}; |
54 if cb then return cb(a,b,c); end | 55 host_session.dane = dane; |
55 end, ("_xmpp-server.%s."):format(ascii_host), "TLSA"); | 56 host_session.srv_hosts = srv_hosts; |
56 host_session.connecting = true; | 57 local n = #answer |
57 return true; | 58 for _, record in ipairs(answer) do |
59 t_insert(srv_hosts, record.srv); | |
60 dns_lookup(function(dane_answer) | |
61 n = n - 1; | |
62 if dane_answer.bogus then | |
63 t_insert(dane, { bogus = dane_answer.bogus }); | |
64 elseif dane_answer.secure then | |
65 for _, record in ipairs(dane_answer) do | |
66 t_insert(dane, record); | |
67 end | |
68 end | |
69 if n == 0 and cb then return cb(a,b,c,e); end | |
70 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); | |
71 end | |
72 end, "_xmpp-server._tcp."..name..".", "SRV"); | |
73 return true; | |
74 elseif host_session.direction == "outgoing" then | |
75 local srv_choice = host_session.srv_hosts[host_session.srv_choice]; | |
76 host_session.dane = dns_lookup(function(answer) | |
77 if answer and (answer.secure and #answer > 0) or answer.bogus then | |
78 srv_choice.dane = answer; | |
79 else | |
80 srv_choice.dane = false; | |
81 end | |
82 host_session.dane = srv_choice.dane; | |
83 if cb then return cb(a,b,c,e); end | |
84 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); | |
85 return true; | |
86 end | |
58 end | 87 end |
59 | 88 |
60 local _attempt_connection = s2sout.attempt_connection; | 89 local _try_connect = s2sout.try_connect; |
61 function s2sout.attempt_connection(host_session, err) | 90 function s2sout.try_connect(host_session, connect_host, connect_port, err) |
62 if not err and dane_lookup(host_session, host_session.to_host, _attempt_connection, host_session, err) then | 91 if not err and dane_lookup(host_session, _try_connect, host_session, connect_host, connect_port, err) then |
63 return true; | 92 return true; |
64 end | 93 end |
65 return _attempt_connection(host_session, err); | 94 return _try_connect(host_session, connect_host, connect_port, err); |
66 end | 95 end |
67 | 96 |
68 function module.add_host(module) | 97 function module.add_host(module) |
69 module:hook("s2s-stream-features", function(event) | 98 module:hook("s2s-stream-features", function(event) |
70 local origin = event.origin; | 99 -- dane_lookup(origin, origin.from_host); |
71 dane_lookup(origin, origin.from_host); | 100 dane_lookup(event.origin); |
72 end, 1); | 101 end, 1); |
73 | 102 |
74 module:hook("s2s-authenticated", function(event) | 103 module:hook("s2s-authenticated", function(event) |
75 local session = event.session; | 104 local session = event.session; |
76 if session.dane and not session.secure then | 105 if session.dane and not session.secure then |
142 end | 171 end |
143 end | 172 end |
144 end); | 173 end); |
145 | 174 |
146 function module.unload() | 175 function module.unload() |
147 -- Restore the original attempt_connection function | 176 -- Restore the original try_connect function |
148 s2sout.attempt_connection = _attempt_connection; | 177 s2sout.try_connect = _try_connect; |
149 end | 178 end |
150 | 179 |