plugins/mod_s2s_auth_dane_in.lua @ 13416:d8e885db9851
mod_s2s_auth_dane_in: Simplify result processing
Fewer loops
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 11 Jan 2024 07:53:06 +0100 |
| parent | 13322:28211ed70b4c |
| child | 13417:b1e2dd6e735b |
| 13415:f34b33cb1383 | 13416:d8e885db9851 |
|---|---|
| 20 end | 20 end |
| 21 | 21 |
| 22 local function ensure_secure(r) | 22 local function ensure_secure(r) |
| 23 assert(r.secure, "insecure"); | 23 assert(r.secure, "insecure"); |
| 24 return r; | 24 return r; |
| 25 end | |
| 26 | |
| 27 local function flatten(a) | |
| 28 local seen = {}; | |
| 29 local ret = {}; | |
| 30 for _, rrset in ipairs(a) do | |
| 31 for _, rr in ipairs(rrset) do | |
| 32 if not seen[tostring(rr)] then | |
| 33 table.insert(ret, rr); | |
| 34 seen[tostring(rr)] = true; | |
| 35 end | |
| 36 end | |
| 37 end | |
| 38 return ret; | |
| 25 end | 39 end |
| 26 | 40 |
| 27 local lazy_tlsa_mt = { | 41 local lazy_tlsa_mt = { |
| 28 __index = function(t, i) | 42 __index = function(t, i) |
| 29 if i == 1 then | 43 if i == 1 then |
| 71 local tlsas = {}; | 85 local tlsas = {}; |
| 72 for _, rr in ipairs(res) do | 86 for _, rr in ipairs(res) do |
| 73 if rr.srv.target == "." then return {}; end | 87 if rr.srv.target == "." then return {}; end |
| 74 table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure)); | 88 table.insert(tlsas, resolver:lookup_promise(("_%d._tcp.%s"):format(rr.srv.port, rr.srv.target), "TLSA"):next(ensure_secure)); |
| 75 end | 89 end |
| 76 return promise.all(tlsas); | 90 return promise.all(tlsas):next(flatten); |
| 77 end | 91 end |
| 78 | 92 |
| 79 local ret = async.wait_for(promise.all({ | 93 local ret = async.wait_for(promise.all({ |
| 80 resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); | 94 resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); |
| 81 resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); | 95 resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); |
| 82 })); | 96 }):next(flatten)); |
| 83 | 97 |
| 84 if not ret then | 98 if not ret then |
| 85 return | 99 return |
| 86 end | 100 end |
| 87 | 101 |
| 88 local found_supported = false; | 102 local found_supported = false; |
| 89 for _, by_proto in ipairs(ret) do | 103 for _, rr in ipairs(ret) do |
| 90 for _, by_srv in ipairs(by_proto) do | 104 if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then |
| 91 for _, by_target in ipairs(by_srv) do | 105 found_supported = true; |
| 92 for _, rr in ipairs(by_target) do | 106 if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then |
| 93 if rr.tlsa.use == 3 and by_select_match[rr.tlsa.select] and rr.tlsa.match <= 2 then | 107 module:log("debug", "%s matches", rr) |
| 94 found_supported = true; | 108 session.cert_chain_status = "valid"; |
| 95 if rr.tlsa.data == by_select_match[rr.tlsa.select][rr.tlsa.match] then | 109 session.cert_identity_status = "valid"; |
| 96 module:log("debug", "%s matches", rr) | 110 return true; |
| 97 session.cert_chain_status = "valid"; | |
| 98 session.cert_identity_status = "valid"; | |
| 99 return true; | |
| 100 end | |
| 101 else | |
| 102 log("debug", "Unsupported DANE TLSA record: %s", rr); | |
| 103 end | |
| 104 end | |
| 105 end | 111 end |
| 112 else | |
| 113 log("debug", "Unsupported DANE TLSA record: %s", rr); | |
| 106 end | 114 end |
| 107 end | 115 end |
| 108 | 116 |
| 109 if found_supported then | 117 if found_supported then |
| 110 session.cert_chain_status = "invalid"; | 118 session.cert_chain_status = "invalid"; |
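Review bot: `flatten` (new lines 27–38) de-duplicates records by `tostring(rr)`, so whether two distinct TLSA records both reach the matching loop depends on the record type's `__tostring` rendering the full rdata; if it does not, a distinct record is silently dropped before `rr.tlsa.data` is compared, and if it falls back to the default table address the `seen` set is a no-op. The failure mode is a spurious "invalid" verdict rather than a bypass, but it would be hard to diagnose, so the assumption deserves a one-line comment, e.g. `-- dedupe by tostring(rr); assumes the record's __tostring includes the full rdata`. The key is also worth computing once: `local key = tostring(rr); if not seen[key] then ret[#ret + 1] = rr; seen[key] = true; end`. The matching loop in the second hunk (new lines 103–115) belongs to a function that starts and ends outside the hunk.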