diff options
author | Kim Alvefur <zash@zash.se> | 2024-01-11 07:54:11 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2024-01-11 07:54:11 +0100 |
commit | 331f2d40e1cc454511cc5955ab4f1222a0e19357 (patch) | |
tree | 526a0f2ac3e1e092aaa1b6217315be9ee226bfb9 /plugins/mod_s2s_auth_dane_in.lua | |
parent | 2dba3989e764de68b04181bd9c32fabb518d583d (diff) | |
download | prosody-331f2d40e1cc454511cc5955ab4f1222a0e19357.tar.gz prosody-331f2d40e1cc454511cc5955ab4f1222a0e19357.zip |
mod_s2s_auth_dane_in: Try single TLSA lookup per draft-ietf-dance-client-auth
Moves some complexity from the implementation into DNS operations.
Diffstat (limited to 'plugins/mod_s2s_auth_dane_in.lua')
-rw-r--r-- | plugins/mod_s2s_auth_dane_in.lua | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/plugins/mod_s2s_auth_dane_in.lua b/plugins/mod_s2s_auth_dane_in.lua index 26df0de9..9167e8a9 100644 --- a/plugins/mod_s2s_auth_dane_in.lua +++ b/plugins/mod_s2s_auth_dane_in.lua @@ -24,6 +24,11 @@ local function ensure_secure(r) return r; end +local function ensure_nonempty(r) + assert(r[1], "empty"); + return r; +end + local function flatten(a) local seen = {}; local ret = {}; @@ -90,10 +95,12 @@ module:hook("s2s-check-certificate", function(event) return promise.all(tlsas):next(flatten); end - local ret = async.wait_for(promise.all({ - resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); - resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); - }):next(flatten)); + local ret = async.wait_for(resolver:lookup_promise("_xmpp-server." .. dns_domain, "TLSA"):next(ensure_secure):next(ensure_nonempty):catch(function() + return promise.all({ + resolver:lookup_promise("_xmpps-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); + resolver:lookup_promise("_xmpp-server._tcp." .. dns_domain, "SRV"):next(ensure_secure):next(fetch_tlsa); + }):next(flatten); + end)); if not ret then return |