mod_s2s_auth_dane_in: Try single TLSA lookup per draft-ietf-dance-client-auth
authorKim Alvefur <zash@zash.se>
Thu, 11 Jan 2024 07:54:11 +0100
changeset 13421 b1e2dd6e735b
parent 13420 d8e885db9851
child 13422 2374c7665d0b
mod_s2s_auth_dane_in: Try single TLSA lookup per draft-ietf-dance-client-auth Moves some complexity from the implementation into DNS operations.
doc/doap.xml
plugins/mod_s2s_auth_dane_in.lua
--- a/doc/doap.xml	Thu Jan 11 07:53:06 2024 +0100
+++ b/doc/doap.xml	Thu Jan 11 07:54:11 2024 +0100
@@ -67,6 +67,7 @@
     <implements rdf:resource="https://datatracker.ietf.org/doc/draft-cridland-xmpp-session/">
       <!-- since=0.6.0 note=Added in hg:0bbbc9042361 -->
     </implements>
+    <implements rdf:resource="https://datatracker.ietf.org/doc/draft-ietf-dance-client-auth"/>
     <implements rdf:resource="http://www.unicode.org/reports/tr39/"/>
     <implements>
       <xmpp:SupportedXep>
--- a/plugins/mod_s2s_auth_dane_in.lua	Thu Jan 11 07:53:06 2024 +0100
+++ b/plugins/mod_s2s_auth_dane_in.lua	Thu Jan 11 07:54:11 2024 +0100
@@ -24,6 +24,11 @@
 	return r;
 end
 
+local function ensure_nonempty(r)
+	assert(r[1], "empty");
+	return r;
+end
+
 local function flatten(a)
 	local seen = {};
 	local ret = {};
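Review bot: `ensure_nonempty` has no comment saying why an empty RRset must be an error rather than a no-op, and the message "empty" gives no hint in a traceback which lookup produced it. Since its only caller in this commit uses it on the direct TLSA answer so that the `:catch` below falls through to the SRV-based lookups, I would document that intent above the definition: `-- Reject an empty (but DNSSEC-secure) RRset so the promise chain falls back to the SRV-derived TLSA lookups`. I would also make the failure identifiable, e.g. `assert(r[1], "empty TLSA RRset");`, so a rejection reaching a log can be told apart from other lookup errors.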
@@ -90,10 +95,12 @@
 		return promise.all(tlsas):next(flatten);
 	end
 
-	local ret = async.wait_for(promise.all({
-		resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
-		resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
-	}):next(flatten));
+	local ret = async.wait_for(resolver:lookup_promise("_xmpp-server." .. dns_domain, "TLSA"):next(ensure_secure):next(ensure_nonempty):catch(function()
+		return promise.all({
+			resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
+			resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa);
+		}):next(flatten);
+	end));
 
 	if not ret then
 		return
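Review bot: The `:catch(function()` handler discards its error argument, so the fallback to the SRV-based lookups is taken for every rejection — a verified-empty answer from `ensure_nonempty`, a DNSSEC-insecure or bogus answer from `ensure_secure`, and transient resolver failures — with no record of which one occurred. The fallback itself is safe because both SRV branches still pass through `ensure_secure`, but an operator debugging a DANE validation failure cannot see whether the direct `_xmpp-server.` TLSA name was absent, unsigned, or unreachable. If `module:log` is in scope here as in other Prosody plugins, accepting the argument and logging it before returning, `:catch(function(err) module:log("debug", "Direct TLSA lookup failed, trying SRV-based lookup: %s", err);` (the body otherwise unchanged), would make the distinction visible. I would also add a comment above the lookup citing draft-ietf-dance-client-auth as the reason the direct name is tried first, since the `_xmpp-server.` name (without `_tcp`) looks like a typo next to the SRV names below it. The enclosing function starts before this hunk, so I cannot see how `ret` is consumed past the `if not ret` check.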