diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1333:15912b077370

mod_s2s_auth_dane: Implement experimental method for doing DANE with client certificates on s2sin
author Kim Alvefur <zash@zash.se>
date Sat, 08 Mar 2014 00:00:26 +0100
parents 08a0241f5d2c
children 100da6a5525e
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Mar 07 23:30:34 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sat Mar 08 00:00:26 2014 +0100
@@ -56,8 +56,8 @@
 	local session, cert = event.session, event.cert;
 	local srv_hosts = session.srv_hosts;
 	local srv_choice = session.srv_choice;
-	local choosen = srv_hosts and srv_hosts[srv_choice];
-	if choosen and choosen.dane then
+	local choosen = srv_hosts and srv_hosts[srv_choice] or session;
+	if choosen.dane then
 		local use, select, match, tlsa, certdata, match_found;
 		for i, rr in ipairs(choosen.dane) do
 			tlsa = rr.tlsa;
@@ -114,7 +114,7 @@
 		local session = event.session;
 		local srv_hosts = session.srv_hosts;
 		local srv_choice = session.srv_choice;
-		if srv_hosts[srv_choice].dane and not session.secure then
+		if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then
 			-- TLSA record but no TLS, not ok.
 			-- TODO Optional?
 			session:close({
@@ -125,6 +125,25 @@
 			return false;
 		end
 	end);
+
+	-- DANE for s2sin
+	-- Looks for TLSA at the same QNAME as the SRV record
+	module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
+		local origin = event.origin;
+		if not origin.from_host then return end
+
+		origin.dane = dns_lookup(function(answer)
+			if answer and ( #answer > 0 or answer.bogus ) then
+				origin.dane = answer;
+				for i, tlsa in ipairs(answer) do
+					module:log("debug", "TLSA %s", tostring(tlsa));
+				end
+			else
+				origin.dane = false;
+			end
+			-- "blocking" until TLSA reply, but no race condition
+		end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA");
+	end, 1);
 end
 
 function module.unload()