Software / code / prosody
Annotate
net/resolvers/basic.lua @ 10224:94e341dee51c
core.certmanager: Move EECDH ciphers before EDH in default cipherstring
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 25 Aug 2019 20:22:35 +0200 |
| parent | 9691:e11e076f0eb8 |
| child | 10386:cf93a951da37 |
| rev | line source |
|---|---|
|
8531
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local adns = require "net.adns"; |
|
8775
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
2 local inet_pton = require "util.net".pton; |
|
9691
e11e076f0eb8
various: Don't rely on _G.unpack existing
Kim Alvefur <zash@zash.se>
parents:
9496
diff
changeset
|
3 local unpack = table.unpack or unpack; -- luacheck: ignore 113 |
|
8531
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local methods = {}; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local resolver_mt = { __index = methods }; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 -- Find the next target to connect to, and |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 -- pass it to cb() |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 function methods:next(cb) |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 if self.targets then |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 if #self.targets == 0 then |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 cb(nil); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 return; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local next_target = table.remove(self.targets, 1); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 cb(unpack(next_target, 1, 4)); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 return; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local targets = {}; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 local n = 2; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 local function ready() |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 n = n - 1; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 if n > 0 then return; end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 self.targets = targets; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 self:next(cb); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
|
8775
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
30 local is_ip = inet_pton(self.hostname); |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
31 if is_ip then |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
32 if #is_ip == 16 then |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
33 cb(self.conn_type.."6", self.hostname, self.port, self.extra); |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
34 elseif #is_ip == 4 then |
|
9496
4ac3103787cc
net.resolvers.basic: Suffix IPv4 TCP socket types with '4' to match eg 'tcp6'
Kim Alvefur <zash@zash.se>
parents:
8775
diff
changeset
|
35 cb(self.conn_type.."4", self.hostname, self.port, self.extra); |
|
8775
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
36 end |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
37 return; |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
38 end |
|
ae7cf011e46a
net.resolvers.basic: Support IP address literals
Kim Alvefur <zash@zash.se>
parents:
8531
diff
changeset
|
39 |
|
8531
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 -- Resolve DNS to target list |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 local dns_resolver = adns.resolver(); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 dns_resolver:lookup(function (answer) |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 if answer then |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 for _, record in ipairs(answer) do |
|
9496
4ac3103787cc
net.resolvers.basic: Suffix IPv4 TCP socket types with '4' to match eg 'tcp6'
Kim Alvefur <zash@zash.se>
parents:
8775
diff
changeset
|
45 table.insert(targets, { self.conn_type.."4", record.a, self.port, self.extra }); |
|
8531
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 ready(); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 end, self.hostname, "A", "IN"); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 dns_resolver:lookup(function (answer) |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 if answer then |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 for _, record in ipairs(answer) do |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 table.insert(targets, { self.conn_type.."6", record.aaaa, self.port, self.extra }); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 ready(); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 end, self.hostname, "AAAA", "IN"); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 local function new(hostname, port, conn_type, extra) |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 return setmetatable({ |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 hostname = hostname; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 port = port; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 conn_type = conn_type or "tcp"; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 extra = extra; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 }, resolver_mt); |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 end |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 return { |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 new = new; |
|
601681acea73
net.connect: New API for outgoing connections, based on 'service resolvers'
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 }; |
