103 end |
103 end |
104 if n == 1 and answer[1].srv.target == '.' then |
104 if n == 1 and answer[1].srv.target == '.' then |
105 return cb(host_session); -- No service ... This shouldn't happen? |
105 return cb(host_session); -- No service ... This shouldn't happen? |
106 end |
106 end |
107 local srv_hosts = { answer = answer }; |
107 local srv_hosts = { answer = answer }; |
108 local dane = {}; |
|
109 host_session.dane = dane; |
|
110 host_session.srv_hosts = srv_hosts; |
108 host_session.srv_hosts = srv_hosts; |
|
109 local dane; |
111 for _, record in ipairs(answer) do |
110 for _, record in ipairs(answer) do |
112 t_insert(srv_hosts, record.srv); |
111 t_insert(srv_hosts, record.srv); |
113 dns_lookup(function(dane_answer) |
112 dns_lookup(function(dane_answer) |
114 n = n - 1; |
113 n = n - 1; |
115 if dane_answer.bogus then |
114 -- There are three kinds of answers |
|
115 -- Insecure, Secure and Bogus |
|
116 -- |
|
117 -- We collect Secure answers for later use |
|
118 -- |
|
119 -- Insecure (legacy) answers are simply ignored |
|
120 -- |
|
121 -- If we get a Bogus (dnssec error) reply, keep the |
|
122 -- status around. If there were only bogus replies, the |
|
123 -- connection will be aborted. If there were at least |
|
124 -- one non-Bogus reply, we proceed. If none of the |
|
125 -- replies matched, we consider the connection insecure. |
|
126 |
|
127 if (dane_answer.bogus or dane_answer.secure) and not dane then |
|
128 -- The first answer we care about |
|
129 -- For services with only one SRV record, this will be the only one |
|
130 dane = dane_answer; |
|
131 elseif dane_answer.bogus then |
116 dane.bogus = dane_answer.bogus; |
132 dane.bogus = dane_answer.bogus; |
117 elseif dane_answer.secure then |
133 elseif dane_answer.secure then |
118 for _, dane_record in ipairs(dane_answer) do |
134 for _, dane_record in ipairs(dane_answer) do |
119 t_insert(dane, dane_record); |
135 t_insert(dane, dane_record); |
120 end |
136 end |
121 end |
137 end |
122 if n == 0 then |
138 if n == 0 then |
123 if #dane > 0 and dane.bogus then |
139 if dane then |
124 -- Got at least one non-bogus reply, |
140 host_session.dane = dane; |
125 -- This should trigger a failure if one of them did not match |
141 if #dane > 0 and dane.bogus then |
126 host_session.log("warn", "Ignoring bogus replies"); |
142 -- Got at least one non-bogus reply, |
127 dane.bogus = nil; |
143 -- This should trigger a failure if one of them did not match |
128 end |
144 host_session.log("warn", "Ignoring bogus replies"); |
129 if #dane == 0 and dane.bogus == nil then |
145 dane.bogus = nil; |
130 -- Got no usable data |
146 end |
131 host_session.dane = false; |
147 if #dane == 0 and dane.bogus == nil then |
|
148 -- Got no usable data |
|
149 host_session.dane = false; |
|
150 end |
132 end |
151 end |
133 return cb(host_session); |
152 return cb(host_session); |
134 end |
153 end |
135 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
154 end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); |
136 end |
155 end |