# HG changeset patch
# User Kim Alvefur
# Date 1394231434 -3600
# Node ID 08a0241f5d2c4860aeae8df466555e53b22a0d33
# Parent dbaa67babeb42cba480a4cd848478ea98271254f
mod_s2s_auth_dane: Add some comments

diff -r dbaa67babeb4 -r 08a0241f5d2c mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu Mar 06 01:10:21 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Mar 07 23:30:34 2014 +0100
@@ -1,7 +1,9 @@
 -- mod_s2s_auth_dane
+-- Copyright (C) 2013-2014 Kim Alvefur
 --
--- Between the DNS lookup and the certificate validation, there is a race condition.
--- Solving that probably requires changes to mod_s2s, like using util.async
+-- This file is MIT/X11 licensed.
+--
+-- Could be done much cleaner if mod_s2s was using util.async
 
 module:set_global();
 
@@ -11,7 +13,6 @@
 local base64 = require"util.encodings".base64;
 local s2sout = module:depends"s2s".route_to_new_session.s2sout;
 
-local _try_connect = s2sout.try_connect;
 
 local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n"..
 	"([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-";
@@ -27,6 +28,9 @@
 -- No SRV records
 -- No encryption offered
 
+-- This function is called when a new SRV target has been picked
+-- the original function does A/AAAA resolution before continuing
+local _try_connect = s2sout.try_connect;
 function s2sout.try_connect(host_session, connect_host, connect_port, err)
 	local srv_hosts = host_session.srv_hosts;
 	local srv_choice = host_session.srv_choice;
@@ -97,6 +101,7 @@
 		end
 	end
 	if not match_found then
+		-- No TLSA matched or response was bogus
 		(session.log or module._log)("warn", "DANE validation failed");
 		session.cert_identity_status = "invalid";
 		session.cert_chain_status = "invalid";
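Review bot: The rewritten header comment drops the only mention of the race between the TLSA lookup and the certificate check, and nothing in this commit ("Add some comments") shows that race being fixed; the replacement line only says the code "could be done much cleaner" with util.async. If the race is still present, a session whose DNS answer lands after the certificate check is validated without DANE at all, which is a silent fail-open, so the caveat belongs in the header where the next maintainer will see it. I would keep it next to the util.async remark, e.g. `-- Caveat: the TLSA lookup is not sequenced before the certificate check; a late DNS answer means DANE is not applied to that session. Fixing this properly needs util.async in mod_s2s.`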
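Review bot: The new comment above the `try_connect` override explains what the original function does but not why `_try_connect` is captured immediately before the override or what the wrapper is for; the capture-then-replace pairing is the thing a maintainer needs to see, since `module.unload` later assigns `_try_connect` back. The wrapper's body runs past this hunk, so I cannot confirm what it does beyond reading `srv_hosts`/`srv_choice`. I would extend the comment to: `-- Keep the original so module.unload can restore it, then wrap it: the wrapper runs at the point where a new SRV target has been picked, before the original's A/AAAA resolution.`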
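Review bot: The added comment names two different causes ("no TLSA matched" vs "response was bogus"), but the log line beneath it reports both as the same `DANE validation failed`, so an operator cannot tell a key/certificate mismatch (possible MITM, or a stale TLSA after a key rollover) from a DNSSEC validation failure (possible DNS tampering). Failing closed for both by marking the chain and identity invalid is correct; only the diagnostics are lacking. If the lookup status is available at this point (the comment implies it is; the lookup itself is outside this hunk), log it, or at minimum say what was checked: `(session.log or module._log)("warn", "DANE validation failed: no TLSA record matched the presented certificate, or the TLSA response was bogus");`. The enclosing function starts before this hunk.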
@@ -111,6 +116,7 @@
 	local srv_choice = session.srv_choice;
 	if srv_hosts[srv_choice].dane and not session.secure then
 		-- TLSA record but no TLS, not ok.
+		-- TODO Optional?
 		session:close({
 			condition = "policy-violation",
 			text = "Encrypted server-to-server communication is required but was not "
@@ -122,6 +128,7 @@
 end
 
 function module.unload()
+	-- Restore the original try_connect function
 	s2sout.try_connect = _try_connect;
 end
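Review bot: The new `-- TODO Optional?` next to the plaintext refusal should be resolved as "not optional": a published TLSA record is the peer's statement that it offers TLS, so the `policy-violation` close is exactly what stops an on-path attacker who strips the STARTTLS offer from downgrading the link, and making it configurable would reintroduce that downgrade. I would replace the TODO with `-- Not optional: a TLSA record means the peer committed to TLS, so plaintext here is a downgrade (STARTTLS stripping) and must be refused.` Note also that `srv_hosts[srv_choice].dane` is only safe if `srv_hosts` and the chosen entry are non-nil, which the lines before this hunk presumably check; the enclosing function starts before and ends after the hunk.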
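Review bot: The new comment says the original is restored, but the assignment is unconditional: if another module wrapped `s2sout.try_connect` after this one loaded, unload silently discards that wrapper, and if this module's own wrapper was replaced, a stale function is reinstated. Since the override is installed with `function s2sout.try_connect(...)` in the earlier hunk, keep a reference to it right after that definition and restore only while it is still the installed function, otherwise log and leave the field alone. The log call below uses `module._log`, which this file already calls.
```lua
-- … placed directly after the `function s2sout.try_connect(...)` definition …
local dane_try_connect = s2sout.try_connect;

function module.unload()
	-- Only undo our own patch: if something else wrapped try_connect after
	-- this module loaded, blindly restoring would silently drop its wrapper.
	if s2sout.try_connect == dane_try_connect then
		s2sout.try_connect = _try_connect;
	else
		module._log("warn", "s2sout.try_connect was replaced after load; not restoring original");
	end
end
```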