Mercurial > prosody-modules
diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1701:9b429fc9e8a0
mod_s2s_auth_dane: Simplify cases where there are only one SRV record
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 06 May 2015 00:53:27 +0200 |
parents | ab3175685f94 |
children | d011b87b7f58 |
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed May 06 00:51:46 2015 +0200 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed May 06 00:53:27 2015 +0200 @@ -105,14 +105,30 @@ return cb(host_session); -- No service ... This shouldn't happen? end local srv_hosts = { answer = answer }; - local dane = {}; - host_session.dane = dane; host_session.srv_hosts = srv_hosts; + local dane; for _, record in ipairs(answer) do t_insert(srv_hosts, record.srv); dns_lookup(function(dane_answer) n = n - 1; - if dane_answer.bogus then + -- There are three kinds of answers + -- Insecure, Secure and Bogus + -- + -- We collect Secure answers for later use + -- + -- Insecure (legacy) answers are simply ignored + -- + -- If we get a Bogus (dnssec error) reply, keep the + -- status around. If there were only bogus replies, the + -- connection will be aborted. If there were at least + -- one non-Bogus reply, we proceed. If none of the + -- replies matched, we consider the connection insecure. + + if (dane_answer.bogus or dane_answer.secure) and not dane then + -- The first answer we care about + -- For services with only one SRV record, this will be the only one + dane = dane_answer; + elseif dane_answer.bogus then dane.bogus = dane_answer.bogus; elseif dane_answer.secure then for _, dane_record in ipairs(dane_answer) do @@ -120,15 +136,18 @@ end end if n == 0 then - if #dane > 0 and dane.bogus then - -- Got at least one non-bogus reply, - -- This should trigger a failure if one of them did not match - host_session.log("warn", "Ignoring bogus replies"); - dane.bogus = nil; - end - if #dane == 0 and dane.bogus == nil then - -- Got no usable data - host_session.dane = false; + if dane then + host_session.dane = dane; + if #dane > 0 and dane.bogus then + -- Got at least one non-bogus reply, + -- This should trigger a failure if one of them did not match + host_session.log("warn", "Ignoring bogus replies"); + dane.bogus = nil; + end + if #dane == 0 and dane.bogus == nil then + -- Got no usable data + host_session.dane = false; + end end return cb(host_session); end