87 elseif dane_answer.secure then |
87 elseif dane_answer.secure then |
88 for _, record in ipairs(dane_answer) do |
88 for _, record in ipairs(dane_answer) do |
89 t_insert(dane, record); |
89 t_insert(dane, record); |
90 end |
90 end |
91 end |
91 end |
92 if n == 0 and cb then return cb(a,b,c,e); end |
92 if n == 0 and cb then |
|
93 if #dane == 0 then |
|
94 host_session.dane = false; |
|
95 end |
|
96 return cb(a,b,c,e); |
|
97 end |
93 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
98 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
94 end |
99 end |
95 end, "_xmpp-server._tcp."..name..".", "SRV"); |
100 end, "_xmpp-server._tcp."..name..".", "SRV"); |
96 return true; |
101 return true; |
97 elseif host_session.direction == "outgoing" then |
102 elseif host_session.direction == "outgoing" then |
114 function module.add_host(module) |
119 function module.add_host(module) |
115 local function on_new_s2s(event) |
120 local function on_new_s2s(event) |
116 local host_session = event.origin; |
121 local host_session = event.origin; |
117 if host_session.type == "s2sout" or host_session.type == "s2sin" or host_session.dane ~= nil then return end -- Already authenticated |
122 if host_session.type == "s2sout" or host_session.type == "s2sin" or host_session.dane ~= nil then return end -- Already authenticated |
118 local function resume() |
123 local function resume() |
119 host_session.log("debug", "DANE lookup completed, resuming connection"); |
124 host_session.log("debug", "DANE lookup completed"); |
120 host_session.conn:resume() |
125 host_session.unlock("dane"); |
121 end |
126 end |
122 if dane_lookup(host_session, resume) then |
127 if dane_lookup(host_session, resume) then |
123 host_session.log("debug", "Pausing connection until DANE lookup is completed"); |
128 host_session.log("debug", "Locking session until DANE lookup is completed"); |
124 host_session.conn:pause() |
129 host_session.lock("dane"); |
125 end |
130 end |
126 end |
131 end |
127 |
132 |
128 -- New outgoing connections |
133 -- New outgoing connections |
129 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); |
134 module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); |
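Review bot: In on_new_s2s the lock is taken with `host_session.lock("dane")` only after `dane_lookup(host_session, resume)` has already been started, so if the resolver ever delivers an answer synchronously (a cached or immediately failing query), `resume` calls `host_session.unlock("dane")` before the lock exists and the session is then left locked; whether lock/unlock are counted so that order is harmless is not visible here. Taking the lock before starting the lookup and releasing it when no lookup was started closes that window: `host_session.lock("dane"); if not dane_lookup(host_session, resume) then host_session.unlock("dane"); end`, with the debug log moved into the lookup-started branch. The same ordering already existed with conn:pause()/conn:resume() before this change, so at minimum a comment such as `-- lock before starting the lookup: the callback may run synchronously` would record the assumption for the next reader.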
132 -- New incoming connections |
137 -- New incoming connections |
133 module:hook("s2s-stream-features", on_new_s2s, 10); |
138 module:hook("s2s-stream-features", on_new_s2s, 10); |
134 |
139 |
135 module:hook("s2s-authenticated", function(event) |
140 module:hook("s2s-authenticated", function(event) |
136 local session = event.session; |
141 local session = event.session; |
137 if session.dane and not session.secure then |
142 if session.dane and next(session.dane) ~= nil and not session.secure then |
138 -- TLSA record but no TLS, not ok. |
143 -- TLSA record but no TLS, not ok. |
139 -- TODO Optional? |
144 -- TODO Optional? |
140 -- Bogus replies should trigger this path |
145 -- Bogus replies should trigger this path |
141 -- How does this interact with Dialback? |
146 -- How does this interact with Dialback? |
142 session:close({ |
147 session:close({ |