comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 2181:f00cbfb812cd

mod_s2s_auth_dane: Attempt a new approach to async lookups that doesn't depend on connection pausing
author Kim Alvefur <zash@zash.se>
date Thu, 26 May 2016 15:35:52 +0200
parents 5e0102a07fdc
children 5df3b646c9ad
2180:5e0102a07fdc 2181:f00cbfb812cd
196 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); 196 end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA");
197 return true; 197 return true;
198 end 198 end
199 end 199 end
200 200
201 local function resume(host_session)
202 host_session.log("debug", "DANE lookup completed, resuming connection");
203 host_session.conn:resume()
204 end
205
206 function module.add_host(module) 201 function module.add_host(module)
207 local function on_new_s2s(event)
208 local host_session = event.origin;
209 if host_session.type == "s2sout" or host_session.type == "s2sin" then
210 return; -- Already authenticated
211 end
212 if host_session.dane ~= nil then
213 return; -- Already done DANE lookup
214 end
215 if dane_lookup(host_session, resume) then
216 host_session.log("debug", "Pausing connection until DANE lookup is completed");
217 host_session.conn:pause()
218 end
219 end
220
221 -- New outgoing connections
222 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
223 module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
224
225 -- New incoming connections
226 module:hook("s2s-stream-features", on_new_s2s, 10);
227
228 module:hook("s2s-authenticated", function(event) 202 module:hook("s2s-authenticated", function(event)
229 local session = event.session; 203 local session = event.session;
230 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then 204 if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
231 -- TLSA record but no TLS, not ok. 205 -- TLSA record but no TLS, not ok.
232 -- TODO Optional? 206 -- TODO Optional?
270 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); 244 log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data);
271 end 245 end
272 return certdata == tlsa.data; 246 return certdata == tlsa.data;
273 end 247 end
274 248
249 -- Re-run streamopend() to continue
250 local function resume(session)
251 local attr = {
252 version = session.version,
253 to = session.to_host,
254 from = session.from_host,
255 id = session.streamid,
256 };
257 session.cert_chain_status = nil;
258 session.open_stream.stream_callbacks.streamopened(session, attr);
259 end
260
275 module:hook("s2s-check-certificate", function(event) 261 module:hook("s2s-check-certificate", function(event)
276 local session, cert, host = event.session, event.cert, event.host; 262 local session, cert, host = event.session, event.cert, event.host;
277 if not cert then return end 263 if not cert then return end
278 local log = session.log or module._log; 264 local log = session.log or module._log;
279 local dane = session.dane; 265 local dane = session.dane;
266 if dane == nil and dane_lookup(session, resume) then
267 return false;
268 end
280 if type(dane) == "table" then 269 if type(dane) == "table" then
281 local match_found, supported_found; 270 local match_found, supported_found;
282 for i = 1, #dane do 271 for i = 1, #dane do
283 local tlsa = dane[i].tlsa; 272 local tlsa = dane[i].tlsa;
284 log("debug", "TLSA #%d: %s", i, tostring(tlsa)) 273 log("debug", "TLSA #%d: %s", i, tostring(tlsa))