changeset 1360:6ee395396333

mod_s2s_auth_dnssec_srv: Do something useful for incoming connection
author Kim Alvefur <zash@zash.se>
date Wed, 19 Mar 2014 19:19:46 +0100
parents 74769c0c79f8
children b9213ddb860f
files mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua
diffstat 1 files changed, 31 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua	Wed Mar 19 14:33:10 2014 +0100
+++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua	Wed Mar 19 19:19:46 2014 +0100
@@ -14,18 +14,43 @@
 
 local nameprep = require"util.encodings".stringprep.nameprep;
 local to_unicode = require"util.encodings".idna.to_unicode;
+local to_ascii = require "util.encodings".idna.to_ascii;
 local cert_verify_identity = require "util.x509".verify_identity;
+local dns_lookup = require"net.adns".lookup;
+local t_insert = table.insert;
 
 module:hook("s2s-check-certificate", function(event)
 	local session, cert = event.session, event.cert;
 
 	if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
-	and session.srv_choice and session.srv_hosts.answer and session.srv_hosts.answer.secure then
-		local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$","")));
-		(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
-		if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
-			(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
-			session.cert_identity_status = "valid";
+	and session.srv_hosts.answer and session.srv_hosts.answer.secure then
+		local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice;
+		for i = srv_choice or 1, srv_choice or #srv_hosts do
+			srv_target = nameprep(to_unicode(session.srv_hosts[i].target:gsub("%.?$","")));
+			(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
+			if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then
+				(session.log or module._log)("info", "Certificate matches Secure SRV target %s", srv_target);
+				session.cert_identity_status = "valid";
+				return;
+			end
 		end
 	end
 end);
+
+function module.add_host(module)
+	module:hook("s2s-stream-features", function(event)
+		local host_session = event.origin;
+		local name = to_ascii(host_session.from_host);
+		if not name then return end
+		dns_lookup(function (answer)
+			if not answer.secure or #answer == 1
+				and answer[1].srv.target == "." then return end
+			local srv_hosts = { answer = answer };
+			for _, record in ipairs(answer) do
+				t_insert(srv_hosts, record.srv);
+			end
+			host_session.srv_hosts = srv_hosts;
+		end, "_xmpp-server._tcp."..name..".", "SRV");
+	end);
+end
+