--- a/core/portmanager.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/core/portmanager.lua Wed May 01 13:45:42 2013 +0100
@@ -112,6 +112,7 @@
bind_ports = set.new(type(bind_ports) ~= "table" and { bind_ports } or bind_ports );
local mode, ssl = listener.default_mode or "*a";
+ local hooked_ports = {};
for interface in bind_interfaces do
for port in bind_ports do
@@ -152,6 +153,7 @@
if not handler then
log("error", "Failed to open server port %d on %s, %s", port_number, interface, error_to_friendly_message(service_name, port_number, err));
else
+ table.insert(hooked_ports, "["..interface.."]:"..port_number);
log("debug", "Added listening service %s to [%s]:%d", service_name, interface, port_number);
active_services:add(service_name, interface, port_number, {
server = handler;
@@ -162,7 +164,7 @@
end
end
end
- log("info", "Activated service '%s'", service_name);
+ log("info", "Activated service '%s' on %s", service_name, #hooked_ports == 0 and "no ports" or table.concat(hooked_ports, ", "));
return true;
end
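Review bot: The `return true` after the new summary log still reports success when `hooked_ports` is empty, i.e. when every bind in the loop above failed, so the caller sees the same result as a fully bound service and the only trace is an info-level line reading "on no ports". Since the per-port failures are already logged at error level earlier, the all-ports-failed case is best surfaced in the return value, e.g. `if #hooked_ports == 0 then return nil, "no ports"; end` before the log, or at least logged at warn level rather than info. I cannot see the enclosing function's header or its callers, so whether they already check a `nil, err` result is not visible from this hunk.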
--- a/net/server_select.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/net/server_select.lua Wed May 01 13:45:42 2013 +0100
@@ -149,7 +149,8 @@
_sendtimeout = 60000 -- allowed send idle time in secs
_readtimeout = 6 * 60 * 60 -- allowed read idle time in secs
-_maxfd = luasocket._SETSIZE or 1024 -- We should ignore this on Windows. Perhaps by simply setting it to math.huge or something.
+local is_windows = package.config:sub(1,1) == "\\" -- check the directory separator, to detemine whether this is Windows
+_maxfd = luasocket._SETSIZE or (is_windows and math.huge) or 1024 -- max fd number, limit to 1024 by default to prevent glibc buffer overflow, but not on Windows
_maxselectlen = luasocket._SETSIZE or 1024 -- But this still applies on Windows
_maxsslhandshake = 30 -- max handshake round-trips
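Review bot: The comment on the new `local is_windows` line misspells "determine" and would read more clearly as `-- detect Windows from the directory separator in package.config`. Inferring the platform from the path separator is a heuristic about the Lua build rather than the socket backend, so a short caveat next to it would help the next reader; `luasocket._SETSIZE`, when present, still takes precedence on every platform, which is the more reliable source for the limit. Keeping the 1024 default on non-Windows is right for the reason the new comment gives (fd numbers above FD_SETSIZE overrun the fd_set), so the change itself looks correct.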
--- a/plugins/mod_s2s/s2sout.lib.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/plugins/mod_s2s/s2sout.lib.lua Wed May 01 13:45:42 2013 +0100
@@ -13,7 +13,7 @@
local initialize_filters = require "util.filters".initialize;
local idna_to_ascii = require "util.encodings".idna.to_ascii;
local new_ip = require "util.ip".new_ip;
-local rfc3484_dest = require "util.rfc3484".destination;
+local rfc6724_dest = require "util.rfc6724".destination;
local socket = require "socket";
local adns = require "net.adns";
local dns = require "net.dns";
@@ -191,7 +191,7 @@
if have_other_result then
if #IPs > 0 then
- rfc3484_dest(host_session.ip_hosts, sources);
+ rfc6724_dest(host_session.ip_hosts, sources);
for i = 1, #IPs do
IPs[i] = {ip = IPs[i], port = connect_port};
end
@@ -227,7 +227,7 @@
if have_other_result then
if #IPs > 0 then
- rfc3484_dest(host_session.ip_hosts, sources);
+ rfc6724_dest(host_session.ip_hosts, sources);
for i = 1, #IPs do
IPs[i] = {ip = IPs[i], port = connect_port};
end
--- a/prosodyctl Mon Apr 29 11:27:17 2013 +0100
+++ b/prosodyctl Wed May 01 13:45:42 2013 +0100
@@ -660,19 +660,29 @@
end
local conf = openssl.config.new();
conf:from_prosody(hosts, config, arg);
- for k, v in pairs(conf.distinguished_name) do
- local nv;
- if k == "commonName" then
- v = arg[1]
- elseif k == "emailAddress" then
- v = "xmpp@" .. arg[1];
+ show_message("Please provide details to include in the certificate config file.");
+ show_message("Leave the field empty to use the default value or '.' to exclude the field.")
+ for i, k in ipairs(openssl._DN_order) do
+ local v = conf.distinguished_name[k];
+ if v then
+ local nv;
+ if k == "commonName" then
+ v = arg[1]
+ elseif k == "emailAddress" then
+ v = "xmpp@" .. arg[1];
+ elseif k == "countryName" then
+ local tld = arg[1]:match"%.([a-z]+)$";
+ if tld and #tld == 2 and tld ~= "uk" then
+ v = tld:upper();
+ end
+ end
+ nv = show_prompt(("%s (%s):"):format(k, nv or v));
+ nv = (not nv or nv == "") and v or nv;
+ if nv:find"[\192-\252][\128-\191]+" then
+ conf.req.string_mask = "utf8only"
+ end
+ conf.distinguished_name[k] = nv ~= "." and nv or nil;
end
- nv = show_prompt(("%s (%s):"):format(k, nv or v));
- nv = (not nv or nv == "") and v or nv;
- if nv:find"[\192-\252][\128-\191]+" then
- conf.req.string_mask = "utf8only"
- end
- conf.distinguished_name[k] = nv ~= "." and nv or nil;
end
local conf_file = io.open(conf_filename, "w");
conf_file:write(conf:serialize());
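Review bot: The loop over `openssl._DN_order` only prompts for keys already present in `conf.distinguished_name` (`if v then`), so `stateOrProvinceName` and `streetAddress`, which the order table lists but the default config leaves unset, are never offered to the user despite the instruction printed just above the loop; if prompting for them is intended, iterate over every key and treat an empty answer for a field with no default as exclusion rather than writing an empty value. The loop index `i` is unused and reads better as `_`. On the hunk's last two lines the result of `io.open(conf_filename, "w")` is used without a check, so an unwritable path fails with an index-on-nil error instead of a message; `local conf_file = assert(io.open(conf_filename, "w"));` is the usual shape. Prompt answers are also written verbatim into the config via `conf:serialize()`, so rejecting a value containing a newline at the prompt keeps the generated file well-formed. The enclosing command handler starts and ends outside the hunk.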
--- a/util/dataforms.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/util/dataforms.lua Wed May 01 13:45:42 2013 +0100
@@ -53,7 +53,7 @@
elseif field_type == "boolean" then
form:tag("value"):text((value and "1") or "0"):up();
elseif field_type == "fixed" then
-
+ form:tag("value"):text(value):up();
elseif field_type == "jid-multi" then
for _, jid in ipairs(value) do
form:tag("value"):text(jid):up();
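Review bot: The new `fixed` branch passes `value` straight to `:text(value)`, while the `boolean` branch above coerces its value and `jid-multi` iterates it, so a `fixed` field defined without a value (whether the field loop, which starts outside the hunk, allows that is not visible here) reaches `:text(nil)`; confirm util.stanza tolerates a nil text node or guard with `if value then form:tag("value"):text(value):up(); end`. A brief comment such as `-- fixed: display-only text, emitted as a single <value/>` would also help, since this branch was empty before the change.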
--- a/util/ip.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/util/ip.lua Wed May 01 13:45:42 2013 +0100
@@ -64,9 +64,6 @@
-- Link-local unicast:
elseif fields[1] == 169 and fields[2] == 254 then
return 0x2;
- -- Site-local unicast:
- elseif (fields[1] == 10) or (fields[1] == 192 and fields[2] == 168) or (fields[1] == 172 and (fields[2] >= 16 and fields[2] < 32)) then
- return 0x5;
-- Global unicast:
else
return 0xE;
@@ -97,6 +94,14 @@
return 0;
elseif commonPrefixLength(ip, new_ip("2002::", "IPv6")) >= 16 then
return 2;
+ elseif commonPrefixLength(ip, new_ip("2001::", "IPv6")) >= 32 then
+ return 5;
+ elseif commonPrefixLength(ip, new_ip("fc00::", "IPv6")) >= 7 then
+ return 13;
+ elseif commonPrefixLength(ip, new_ip("fec0::", "IPv6")) >= 10 then
+ return 11;
+ elseif commonPrefixLength(ip, new_ip("3ffe::", "IPv6")) >= 16 then
+ return 12;
elseif commonPrefixLength(ip, new_ip("::", "IPv6")) >= 96 then
return 3;
elseif commonPrefixLength(ip, new_ip("::ffff:0:0", "IPv6")) >= 96 then
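Review bot: The label chain added here and the precedence chain in the next hunk (`@@ -111,10 +116,18 @@`) encode the same prefix list twice, and every branch re-parses its prefix with `new_ip(...)` on each call, so the two chains must be kept in sync by hand and the parse cost is paid per lookup. A single module-level table of rows like `{prefix = new_ip("2001::", "IPv6"), len = 32, label = 5, precedence = 5}` walked in order by both functions would keep label and precedence from drifting apart and hoist the parsing out of the hot path. As written the values agree with the RFC 6724 default policy table as far as I can check, and the prefixes are pairwise disjoint so branch order does not change the result. Both functions start and end outside their hunks.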
@@ -111,10 +116,18 @@
return 50;
elseif commonPrefixLength(ip, new_ip("2002::", "IPv6")) >= 16 then
return 30;
+ elseif commonPrefixLength(ip, new_ip("2001::", "IPv6")) >= 32 then
+ return 5;
+ elseif commonPrefixLength(ip, new_ip("fc00::", "IPv6")) >= 7 then
+ return 3;
+ elseif commonPrefixLength(ip, new_ip("fec0::", "IPv6")) >= 10 then
+ return 1;
+ elseif commonPrefixLength(ip, new_ip("3ffe::", "IPv6")) >= 16 then
+ return 1;
elseif commonPrefixLength(ip, new_ip("::", "IPv6")) >= 96 then
- return 20;
+ return 1;
elseif commonPrefixLength(ip, new_ip("::ffff:0:0", "IPv6")) >= 96 then
- return 10;
+ return 35;
else
return 40;
end
--- a/util/openssl.lua Mon Apr 29 11:27:17 2013 +0100
+++ b/util/openssl.lua Wed May 01 13:45:42 2013 +0100
@@ -23,11 +23,12 @@
prompt = "no",
},
distinguished_name = {
- commonName = "example.com",
countryName = "GB",
+ -- stateOrProvinceName = "",
localityName = "The Internet",
organizationName = "Your Organisation",
organizationalUnitName = "XMPP Department",
+ commonName = "example.com",
emailAddress = "xmpp@example.com",
},
v3_extensions = {
@@ -43,6 +44,17 @@
}, ssl_config_mt);
end
+local DN_order = {
+ "countryName";
+ "stateOrProvinceName";
+ "localityName";
+ "streetAddress";
+ "organizationName";
+ "organizationalUnitName";
+ "commonName";
+ "emailAddress";
+}
+_M._DN_order = DN_order;
function ssl_config:serialize()
local s = "";
for k, t in pairs(self) do
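Review bot: `_M._DN_order = DN_order;` exports the table under a leading-underscore name, which by convention marks it private, yet prosodyctl consumes it directly in this same commit; either export it without the underscore or document the contract so nobody "cleans it up" later, e.g. `--- Order in which DN attributes are prompted for and serialized; consumed by prosodyctl.` above the assignment. The list itself would also benefit from a one-line comment noting that attributes not listed here are not serialized by `ssl_config:serialize()`, since that is a consequence of the next hunk that is not obvious from this table alone.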
@@ -53,6 +65,14 @@
s = s .. s_format("%s.%d = %s\n", san, i -1, n[i]);
end
end
+ elseif k == "distinguished_name" then
+ for i=1,#DN_order do
+ local k = DN_order[i]
+ local v = t[k];
+ if v then
+ s = s .. ("%s = %s\n"):format(k, v);
+ end
+ end
else
for k, v in pairs(t) do
s = s .. ("%s = %s\n"):format(k, v);
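Review bot: The new `distinguished_name` branch serializes only the keys listed in `DN_order`, whereas the generic `else` branch it bypasses wrote every key in `t`, so any DN attribute present in the table but absent from the order list is now silently dropped from the generated config; a second pass over `pairs(t)` for keys not in `DN_order`, or an error naming the dropped key, would make that visible. The inner `local k = DN_order[i]` shadows the outer loop variable `k` from `for k, t in pairs(self)`, which luacheck flags and which makes the branch harder to read — `local name = DN_order[i]` avoids it. `serialize` begins in the previous hunk and ends outside this one.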
--- a/util/rfc3484.lua Mon Apr 29 11:27:17 2013 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,133 +0,0 @@
--- Prosody IM
--- Copyright (C) 2008-2011 Florian Zeitz
---
--- This project is MIT/X11 licensed. Please see the
--- COPYING file in the source package for more information.
---
-
-local commonPrefixLength = require"util.ip".commonPrefixLength
-local new_ip = require"util.ip".new_ip;
-
-local function t_sort(t, comp)
- for i = 1, (#t - 1) do
- for j = (i + 1), #t do
- local a, b = t[i], t[j];
- if not comp(a,b) then
- t[i], t[j] = b, a;
- end
- end
- end
-end
-
-local function source(dest, candidates)
- local function comp(ipA, ipB)
- -- Rule 1: Prefer same address
- if dest == ipA then
- return true;
- elseif dest == ipB then
- return false;
- end
-
- -- Rule 2: Prefer appropriate scope
- if ipA.scope < ipB.scope then
- if ipA.scope < dest.scope then
- return false;
- else
- return true;
- end
- elseif ipA.scope > ipB.scope then
- if ipB.scope < dest.scope then
- return true;
- else
- return false;
- end
- end
-
- -- Rule 3: Avoid deprecated addresses
- -- XXX: No way to determine this
- -- Rule 4: Prefer home addresses
- -- XXX: Mobility Address related, no way to determine this
- -- Rule 5: Prefer outgoing interface
- -- XXX: Interface to address relation. No way to determine this
- -- Rule 6: Prefer matching label
- if ipA.label == dest.label and ipB.label ~= dest.label then
- return true;
- elseif ipB.label == dest.label and ipA.label ~= dest.label then
- return false;
- end
-
- -- Rule 7: Prefer public addresses (over temporary ones)
- -- XXX: No way to determine this
- -- Rule 8: Use longest matching prefix
- if commonPrefixLength(ipA, dest) > commonPrefixLength(ipB, dest) then
- return true;
- else
- return false;
- end
- end
-
- t_sort(candidates, comp);
- return candidates[1];
-end
-
-local function destination(candidates, sources)
- local sourceAddrs = {};
- local function comp(ipA, ipB)
- local ipAsource = sourceAddrs[ipA];
- local ipBsource = sourceAddrs[ipB];
- -- Rule 1: Avoid unusable destinations
- -- XXX: No such information
- -- Rule 2: Prefer matching scope
- if ipA.scope == ipAsource.scope and ipB.scope ~= ipBsource.scope then
- return true;
- elseif ipA.scope ~= ipAsource.scope and ipB.scope == ipBsource.scope then
- return false;
- end
-
- -- Rule 3: Avoid deprecated addresses
- -- XXX: No way to determine this
- -- Rule 4: Prefer home addresses
- -- XXX: Mobility Address related, no way to determine this
- -- Rule 5: Prefer matching label
- if ipAsource.label == ipA.label and ipBsource.label ~= ipB.label then
- return true;
- elseif ipBsource.label == ipB.label and ipAsource.label ~= ipA.label then
- return false;
- end
-
- -- Rule 6: Prefer higher precedence
- if ipA.precedence > ipB.precedence then
- return true;
- elseif ipA.precedence < ipB.precedence then
- return false;
- end
-
- -- Rule 7: Prefer native transport
- -- XXX: No way to determine this
- -- Rule 8: Prefer smaller scope
- if ipA.scope < ipB.scope then
- return true;
- elseif ipA.scope > ipB.scope then
- return false;
- end
-
- -- Rule 9: Use longest matching prefix
- if commonPrefixLength(ipA, ipAsource) > commonPrefixLength(ipB, ipBsource) then
- return true;
- elseif commonPrefixLength(ipA, ipAsource) < commonPrefixLength(ipB, ipBsource) then
- return false;
- end
-
- -- Rule 10: Otherwise, leave order unchanged
- return true;
- end
- for _, ip in ipairs(candidates) do
- sourceAddrs[ip] = source(ip, sources);
- end
-
- t_sort(candidates, comp);
- return candidates;
-end
-
-return {source = source,
- destination = destination};
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/util/rfc6724.lua Wed May 01 13:45:42 2013 +0100
@@ -0,0 +1,142 @@
+-- Prosody IM
+-- Copyright (C) 2011-2013 Florian Zeitz
+--
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
+
+-- This is used to sort destination addresses by preference
+-- during S2S connections.
+-- We can't hand this off to getaddrinfo, since it blocks
+
+local ip_commonPrefixLength = require"util.ip".commonPrefixLength
+local new_ip = require"util.ip".new_ip;
+
+local function commonPrefixLength(ipA, ipB)
+ local len = ip_commonPrefixLength(ipA, ipB);
+ return len < 64 and len or 64;
+end
+
+local function t_sort(t, comp)
+ for i = 1, (#t - 1) do
+ for j = (i + 1), #t do
+ local a, b = t[i], t[j];
+ if not comp(a,b) then
+ t[i], t[j] = b, a;
+ end
+ end
+ end
+end
+
+local function source(dest, candidates)
+ local function comp(ipA, ipB)
+ -- Rule 1: Prefer same address
+ if dest == ipA then
+ return true;
+ elseif dest == ipB then
+ return false;
+ end
+
+ -- Rule 2: Prefer appropriate scope
+ if ipA.scope < ipB.scope then
+ if ipA.scope < dest.scope then
+ return false;
+ else
+ return true;
+ end
+ elseif ipA.scope > ipB.scope then
+ if ipB.scope < dest.scope then
+ return true;
+ else
+ return false;
+ end
+ end
+
+ -- Rule 3: Avoid deprecated addresses
+ -- XXX: No way to determine this
+ -- Rule 4: Prefer home addresses
+ -- XXX: Mobility Address related, no way to determine this
+ -- Rule 5: Prefer outgoing interface
+ -- XXX: Interface to address relation. No way to determine this
+ -- Rule 6: Prefer matching label
+ if ipA.label == dest.label and ipB.label ~= dest.label then
+ return true;
+ elseif ipB.label == dest.label and ipA.label ~= dest.label then
+ return false;
+ end
+
+ -- Rule 7: Prefer temporary addresses (over public ones)
+ -- XXX: No way to determine this
+ -- Rule 8: Use longest matching prefix
+ if commonPrefixLength(ipA, dest) > commonPrefixLength(ipB, dest) then
+ return true;
+ else
+ return false;
+ end
+ end
+
+ t_sort(candidates, comp);
+ return candidates[1];
+end
+
+local function destination(candidates, sources)
+ local sourceAddrs = {};
+ local function comp(ipA, ipB)
+ local ipAsource = sourceAddrs[ipA];
+ local ipBsource = sourceAddrs[ipB];
+ -- Rule 1: Avoid unusable destinations
+ -- XXX: No such information
+ -- Rule 2: Prefer matching scope
+ if ipA.scope == ipAsource.scope and ipB.scope ~= ipBsource.scope then
+ return true;
+ elseif ipA.scope ~= ipAsource.scope and ipB.scope == ipBsource.scope then
+ return false;
+ end
+
+ -- Rule 3: Avoid deprecated addresses
+ -- XXX: No way to determine this
+ -- Rule 4: Prefer home addresses
+ -- XXX: Mobility Address related, no way to determine this
+ -- Rule 5: Prefer matching label
+ if ipAsource.label == ipA.label and ipBsource.label ~= ipB.label then
+ return true;
+ elseif ipBsource.label == ipB.label and ipAsource.label ~= ipA.label then
+ return false;
+ end
+
+ -- Rule 6: Prefer higher precedence
+ if ipA.precedence > ipB.precedence then
+ return true;
+ elseif ipA.precedence < ipB.precedence then
+ return false;
+ end
+
+ -- Rule 7: Prefer native transport
+ -- XXX: No way to determine this
+ -- Rule 8: Prefer smaller scope
+ if ipA.scope < ipB.scope then
+ return true;
+ elseif ipA.scope > ipB.scope then
+ return false;
+ end
+
+ -- Rule 9: Use longest matching prefix
+ if commonPrefixLength(ipA, ipAsource) > commonPrefixLength(ipB, ipBsource) then
+ return true;
+ elseif commonPrefixLength(ipA, ipAsource) < commonPrefixLength(ipB, ipBsource) then
+ return false;
+ end
+
+ -- Rule 10: Otherwise, leave order unchanged
+ return true;
+ end
+ for _, ip in ipairs(candidates) do
+ sourceAddrs[ip] = source(ip, sources);
+ end
+
+ t_sort(candidates, comp);
+ return candidates;
+end
+
+return {source = source,
+ destination = destination};
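Review bot: `destination` indexes `ipAsource.scope` and `ipBsource.scope` in Rule 2 without checking that `source(ip, sources)` found anything; `source` returns `candidates[1]`, which is nil when `sources` is empty, so two or more destination candidates with no usable source address raise an index-on-nil error inside the comparator instead of falling through to the precedence rules — if the s2sout caller can pass an empty `sources` (not visible here), skip the source-dependent Rules 2, 5 and 9 when either lookup is nil. `new_ip` on the require line is never used in this file and luacheck will flag it. `t_sort` is presumably hand-rolled because the comparator returns true for equal elements (Rule 10), which `table.sort` rejects as an invalid order function; a one-line comment saying so would stop the next reader from replacing it. `source` also sorts the caller's `sources` table in place on every call, which deserves a mention in its header comment.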