Changeset

1701:9b429fc9e8a0

mod_s2s_auth_dane: Simplify cases where there are only one SRV record
author Kim Alvefur <zash@zash.se>
date Wed, 06 May 2015 00:53:27 +0200
parents 1700:ab3175685f94
children 1702:725ebd494000
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 31 insertions(+), 12 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed May 06 00:51:46 2015 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed May 06 00:53:27 2015 +0200
@@ -105,14 +105,30 @@
 				return cb(host_session); -- No service ... This shouldn't happen?
 			end
 			local srv_hosts = { answer = answer };
-			local dane = {};
-			host_session.dane = dane;
 			host_session.srv_hosts = srv_hosts;
+			local dane;
 			for _, record in ipairs(answer) do
 				t_insert(srv_hosts, record.srv);
 				dns_lookup(function(dane_answer)
 					n = n - 1;
-					if dane_answer.bogus then
+					-- There are three kinds of answers
+					-- Insecure, Secure and Bogus
+					--
+					-- We collect Secure answers for later use
+					--
+					-- Insecure (legacy) answers are simply ignored
+					--
+					-- If we get a Bogus (dnssec error) reply, keep the
+					-- status around.  If there were only bogus replies, the
+					-- connection will be aborted.  If there were at least
+					-- one non-Bogus reply, we proceed.  If none of the
+					-- replies matched, we consider the connection insecure.
+
+					if (dane_answer.bogus or dane_answer.secure) and not dane then
+						-- The first answer we care about
+						-- For services with only one SRV record, this will be the only one
+						dane = dane_answer;
+					elseif dane_answer.bogus then
 						dane.bogus = dane_answer.bogus;
 					elseif dane_answer.secure then
 						for _, dane_record in ipairs(dane_answer) do
@@ -120,15 +136,18 @@
 						end
 					end
 					if n == 0 then
-						if #dane > 0 and dane.bogus then
-							-- Got at least one non-bogus reply,
-							-- This should trigger a failure if one of them did not match
-							host_session.log("warn", "Ignoring bogus replies");
-							dane.bogus = nil;
-						end
-						if #dane == 0 and dane.bogus == nil then
-							-- Got no usable data
-							host_session.dane = false;
+						if dane then
+							host_session.dane = dane;
+							if #dane > 0 and dane.bogus then
+								-- Got at least one non-bogus reply,
+								-- This should trigger a failure if one of them did not match
+								host_session.log("warn", "Ignoring bogus replies");
+								dane.bogus = nil;
+							end
+							if #dane == 0 and dane.bogus == nil then
+								-- Got no usable data
+								host_session.dane = false;
+							end
 						end
 						return cb(host_session);
 					end