comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1341:f5c256a5f209

Merge
author Kim Alvefur <zash@zash.se>
date Mon, 10 Mar 2014 00:04:00 +0100
parents 50555c2ccbcd
children 47d3c1c8a176
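--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -11,10 +11,12 @@
 local dns_lookup = require"net.adns".lookup;
 local hashes = require"util.hashes";
 local base64 = require"util.encodings".base64;
 
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
+
+local bogus = {};
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
 local function pem2der(pem)
 local typ, data = pem:match(pat);
@@ -33,14 +35,16 @@
 -- the original function does A/AAAA resolution before continuing
 local _try_connect = s2sout.try_connect;
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 local srv_hosts = host_session.srv_hosts;
 local srv_choice = host_session.srv_choice;
-if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then
+if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then
 srv_hosts[srv_choice].dane = dns_lookup(function(answer)
-if answer and ( #answer > 0 or answer.bogus ) then
+if answer and #answer > 0 and answer.secure then
 srv_hosts[srv_choice].dane = answer;
+elseif answer.bogus then
+srv_hosts[srv_choice].dane = bogus;
 else
 srv_hosts[srv_choice].dane = false;
 end
 -- "blocking" until TLSA reply, but no race condition
 return _try_connect(host_session, connect_host, connect_port, err);
@@ -126,22 +130,24 @@
 end
 end);
 
 -- DANE for s2sin
 -- Looks for TLSA at the same QNAME as the SRV record
+-- FIXME This has a race condition
 module:hook("s2s-stream-features", function(event)
 local origin = event.origin;
 if not origin.from_host or origin.dane ~= nil then return end
 
 origin.dane = dns_lookup(function(answer)
-if answer and ( #answer > 0 or answer.bogus ) then
-origin.dane = answer;
+if answer and #answer > 0 and answer.secure then
+srv_hosts[srv_choice].dane = answer;
+elseif answer.bogus then
+srv_hosts[srv_choice].dane = bogus;
 else
 origin.dane = false;
 end
--- "blocking" until TLSA reply, but no race condition
-end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA");
+end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA");
 end, 1);
 end
 
 function module.unload()
 -- Restore the original try_connect function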
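Review bot: The s2sin TLSA callback at new lines 142–144 stores its result in `srv_hosts[srv_choice].dane`, but `srv_hosts` and `srv_choice` are locals of `s2sout.try_connect` and are not in scope inside the `s2s-stream-features` hook, so a secure or bogus TLSA answer for an inbound peer raises an error indexing a nil global and `origin.dane` is never set — the inbound DANE check loses its data exactly when there is something to verify. Those two lines should write `origin.dane = answer;` and `origin.dane = bogus;`, matching the `else` branch that still writes `origin.dane = false;`. In both callbacks the new `elseif answer.bogus then` is evaluated when `answer` is nil (the `answer and` guard only covers the first branch), and the original condition suggests a nil answer is possible, so it should read `elseif answer and answer.bogus then`. The `bogus` sentinel is a shared empty table, so whatever consumes `.dane` must compare it by identity (`== bogus`) rather than truthiness; that consumer is outside this hunk, as is the rest of `try_connect`'s body.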