
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 2184:7155ed1fb540

Backed out changeset f00cbfb812cd, it only half-worked and broke things
author Kim Alvefur <zash@zash.se>
date Sat, 28 May 2016 13:34:43 +0200
parent 2182:5df3b646c9ad
child 2185:2cbd7876ba14
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri May 27 18:25:17 2016 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sat May 28 13:34:43 2016 +0200
@@ -198,7 +198,33 @@
 	end
 end
 
+local function resume(host_session)
+	host_session.log("debug", "DANE lookup completed, resuming connection");
+	host_session.conn:resume()
+end
+
 function module.add_host(module)
+	local function on_new_s2s(event)
+		local host_session = event.origin;
+		if host_session.type == "s2sout" or host_session.type == "s2sin" then
+			return; -- Already authenticated
+		end
+		if host_session.dane ~= nil then
+			return; -- Already done DANE lookup
+		end
+		if dane_lookup(host_session, resume) then
+			host_session.log("debug", "Pausing connection until DANE lookup is completed");
+			host_session.conn:pause()
+		end
+	end
+
+	-- New outgoing connections
+	module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501);
+	module:hook("s2sout-authenticate-legacy", on_new_s2s, 200);
+
+	-- New incoming connections
+	module:hook("s2s-stream-features", on_new_s2s, 10);
+
 	module:hook("s2s-authenticated", function(event)
 		local session = event.session;
 		if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then
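Review bot: `resume` and `on_new_s2s` call `host_session.log(...)` unguarded, whereas the `s2s-check-certificate` handler further down in this file falls back with `session.log or module._log`, which suggests the per-session logger may not be set on a fresh connection; a nil `log` here would raise inside the hook and leave the connection paused and unauthenticated. Use the same fallback in both places: `local log = host_session.log or module._log;` and then `log("debug", ...)`. In `resume` there is also no check that the session is still open before `host_session.conn:resume()`; if the session was closed while the asynchronous lookup was outstanding, this resumes a dead connection, so a guard on whatever closed-session marker the core exposes (e.g. `if host_session.destroyed then return end`, if that field is what this codebase uses) is worth confirming. A comment on `resume` noting that it is invoked from the DANE lookup callback, possibly after the session has gone away, would make that expectation explicit.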
@@ -246,26 +272,11 @@
 	return certdata == tlsa.data;
 end
 
--- Re-run streamopend() to continue
-local function resume(session)
-	local attr = {
-		version = session.version,
-		to = session.to_host,
-		from = session.from_host,
-		id = session.streamid,
-	};
-	session.cert_chain_status = nil;
-	session.open_stream.stream_callbacks.streamopened(session, attr);
-end
-
 module:hook("s2s-check-certificate", function(event)
 	local session, cert, host = event.session, event.cert, event.host;
 	if not cert then return end
 	local log = session.log or module._log;
 	local dane = session.dane;
-	if dane == nil and dane_lookup(session, resume) then
-		return false;
-	end
 	if type(dane) == "table" then
 		local match_found, supported_found;
 		for i = 1, #dane do
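Review bot: With the lookup trigger gone from the top of the `s2s-check-certificate` handler, a session whose `dane` field is nil (lookup never started) or a non-table value (lookup finished without usable records, judging by the `~= nil` test in `on_new_s2s`) now falls straight through the `type(dane) == "table"` branch, and nothing in the visible lines records that the certificate was evaluated without DANE data. Unless the remainder of the handler already does so, log it before the branch: `if dane == nil then log("debug", "No DANE data for %s, certificate checked without DANE", host); end`. The possible states of `session.dane` are also undocumented here; a one-line comment above `local dane = session.dane;` stating which values the field can take (nil = no lookup, table = TLSA records, other = lookup done without records — to be confirmed against what `dane_lookup` sets) would help. The handler's body continues past the end of the hunk.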