# HG changeset patch # User Kim Alvefur # Date 1394406240 -3600 # Node ID f5c256a5f20976a15793fca20e86e77ada9ab9ba # Parent 3ffd64b4ab59908ad6b2a5e153a0eb0652c15b13# Parent 50555c2ccbcd933afa7d397bb7e0900610c00101 Merge diff -r 3ffd64b4ab59 -r f5c256a5f209 mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 09 23:35:57 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Mon Mar 10 00:04:00 2014 +0100 @@ -14,6 +14,8 @@ local s2sout = module:depends"s2s".route_to_new_session.s2sout; +local bogus = {}; + local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. "([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; local function pem2der(pem) @@ -35,10 +37,12 @@ function s2sout.try_connect(host_session, connect_host, connect_port, err) local srv_hosts = host_session.srv_hosts; local srv_choice = host_session.srv_choice; - if srv_hosts and srv_hosts.answer.secure and not srv_hosts[srv_choice].dane then + if srv_hosts and srv_hosts.answer.secure and srv_hosts[srv_choice].dane == nil then srv_hosts[srv_choice].dane = dns_lookup(function(answer) - if answer and ( #answer > 0 or answer.bogus ) then + if answer and #answer > 0 and answer.secure then srv_hosts[srv_choice].dane = answer; + elseif answer.bogus then + srv_hosts[srv_choice].dane = bogus; else srv_hosts[srv_choice].dane = false; end 
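Review bot: The new `elseif answer.bogus then` branch in try_connect indexes `answer` without the nil guard that the replaced `if answer and ( ... )` condition carried, so if the resolver ever invokes the callback with a nil answer (a case the old test anticipated) this now raises "attempt to index a nil value" inside the DNS callback instead of recording `false`; the guard should be `elseif answer and answer.bogus then`. The same unguarded branch is repeated in the s2sin hook of the second hunk. Separately, `bogus` is an empty table and therefore truthy, so any consumer outside this hunk that tests the stored value with a plain `if ... .dane then` would treat a DNSSEC-bogus lookup like a validated TLSA set; such checks presumably need an explicit `== bogus` comparison, which is worth confirming. The sentinel also deserves a comment at its declaration, e.g. `-- sentinel: DNSSEC validation of the TLSA lookup failed (bogus); distinct from false (no TLSA records)`.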
@@ -128,18 +132,20 @@ -- DANE for s2sin -- Looks for TLSA at the same QNAME as the SRV record + -- FIXME This has a race condition module:hook("s2s-stream-features", function(event) local origin = event.origin; if not origin.from_host or origin.dane ~= nil then return end origin.dane = dns_lookup(function(answer) - if answer and ( #answer > 0 or answer.bogus ) then - origin.dane = answer; + if answer and #answer > 0 and answer.secure then + srv_hosts[srv_choice].dane = answer; + elseif answer.bogus then + srv_hosts[srv_choice].dane = bogus; else origin.dane = false; end - -- "blocking" until TLSA reply, but no race condition - end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA"); + end, ("_xmpp-server._tcp.%s."):format(origin.from_host), "TLSA"); end, 1); end
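Review bot: The two new assignments inside the s2s-stream-features callback write to `srv_hosts[srv_choice].dane`, but `srv_hosts` and `srv_choice` are locals of `s2sout.try_connect` in the first hunk and are not in scope here, so they resolve to (nil) globals and indexing them raises an error in the DNS callback; the `else` branch still writes `origin.dane`, which is evidently the intended target. The lines should read `origin.dane = answer;` and `origin.dane = bogus;`. As written, a DNSSEC-validated TLSA answer for an inbound connection is never stored on `origin`, and whether the verification path then fails open or closed depends on code outside this hunk. The `elseif answer.bogus then` here also lacks the nil guard noted on the first hunk, and the added `-- FIXME This has a race condition` would be more actionable if it said what races; the block enclosing the hook begins before this hunk.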