comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1351:a052740bbf48

mod_s2s_auth_dane: Back to _port._tcp.srvtarget.example.net
author Kim Alvefur <zash@zash.se>
date Tue, 18 Mar 2014 15:12:11 +0100
parents cda335db2cbb
children b0f780d3a24e
comparison
equal deleted inserted replaced
1350:cda335db2cbb 1351:a052740bbf48
17 -- Interaction with Dialback 17 -- Interaction with Dialback
18 18
19 module:set_global(); 19 module:set_global();
20 20
21 local type = type; 21 local type = type;
22 local t_insert = table.insert;
22 local set = require"util.set"; 23 local set = require"util.set";
23 local dns_lookup = require"net.adns".lookup; 24 local dns_lookup = require"net.adns".lookup;
24 local hashes = require"util.hashes"; 25 local hashes = require"util.hashes";
25 local base64 = require"util.encodings".base64; 26 local base64 = require"util.encodings".base64;
26 local idna_to_ascii = require "util.encodings".idna.to_ascii; 27 local idna_to_ascii = require "util.encodings".idna.to_ascii;
39 40
40 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; 41 local implemented_uses = set.new { "DANE-EE", "PKIX-EE" };
41 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" }); 42 local configured_uses = module:get_option_set("dane_uses", { "DANE-EE" });
42 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; 43 local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end;
43 44
44 local function dane_lookup(host_session, name, cb, a,b,c) 45 local function dane_lookup(host_session, cb, a,b,c,e)
45 if host_session.dane ~= nil then return false; end 46 if host_session.dane ~= nil then return end
46 local ascii_host = name and idna_to_ascii(name); 47 if host_session.direction == "incoming" then
47 if not ascii_host then return false; end 48 local name = idna_to_ascii(host_session.from_host);
48 host_session.dane = dns_lookup(function(answer) 49 if not name then return end
49 if answer and (answer.secure and #answer > 0) or answer.bogus then 50 local handle = dns_lookup(function (answer)
50 host_session.dane = answer; 51 if not answer.secure then return end
51 else 52 if #answer == 1 and answer[1].srv.target == '.' then return end
52 host_session.dane = false; 53 local srv_hosts = { answer = answer };
53 end 54 local dane = {};
54 if cb then return cb(a,b,c); end 55 host_session.dane = dane;
55 end, ("_xmpp-server.%s."):format(ascii_host), "TLSA"); 56 host_session.srv_hosts = srv_hosts;
56 host_session.connecting = true; 57 local n = #answer
57 return true; 58 for _, record in ipairs(answer) do
59 t_insert(srv_hosts, record.srv);
60 dns_lookup(function(dane_answer)
61 n = n - 1;
62 if dane_answer.bogus then
63 t_insert(dane, { bogus = dane_answer.bogus });
64 elseif dane_answer.secure then
65 for _, record in ipairs(dane_answer) do
66 t_insert(dane, record);
67 end
68 end
69 if n == 0 and cb then return cb(a,b,c,e); end
70 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA");
71 end
72 end, "_xmpp-server._tcp."..name..".", "SRV");
73 return true;
74 elseif host_session.direction == "outgoing" then
75 local srv_choice = host_session.srv_hosts[host_session.srv_choice];
76 host_session.dane = dns_lookup(function(answer)
77 if answer and (answer.secure and #answer > 0) or answer.bogus then
78 srv_choice.dane = answer;
79 else
80 srv_choice.dane = false;
81 end
82 host_session.dane = srv_choice.dane;
83 if cb then return cb(a,b,c,e); end
84 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
85 return true;
86 end
58 end 87 end
59 88
60 local _attempt_connection = s2sout.attempt_connection; 89 local _try_connect = s2sout.try_connect;
61 function s2sout.attempt_connection(host_session, err) 90 function s2sout.try_connect(host_session, connect_host, connect_port, err)
62 if not err and dane_lookup(host_session, host_session.to_host, _attempt_connection, host_session, err) then 91 if not err and dane_lookup(host_session, _try_connect, host_session, connect_host, connect_port, err) then
63 return true; 92 return true;
64 end 93 end
65 return _attempt_connection(host_session, err); 94 return _try_connect(host_session, connect_host, connect_port, err);
66 end 95 end
67 96
68 function module.add_host(module) 97 function module.add_host(module)
69 module:hook("s2s-stream-features", function(event) 98 module:hook("s2s-stream-features", function(event)
70 local origin = event.origin; 99 -- dane_lookup(origin, origin.from_host);
71 dane_lookup(origin, origin.from_host); 100 dane_lookup(event.origin);
72 end, 1); 101 end, 1);
73 102
74 module:hook("s2s-authenticated", function(event) 103 module:hook("s2s-authenticated", function(event)
75 local session = event.session; 104 local session = event.session;
76 if session.dane and not session.secure then 105 if session.dane and not session.secure then
142 end 171 end
143 end 172 end
144 end); 173 end);
145 174
146 function module.unload() 175 function module.unload()
147 -- Restore the original attempt_connection function 176 -- Restore the original try_connect function
148 s2sout.attempt_connection = _attempt_connection; 177 s2sout.try_connect = _try_connect;
149 end 178 end
150 179