Merge 0.10->trunk

13 files changed, 103 insertions, 28 deletions

diff --git a/core/usermanager.lua b/core/usermanager.lua
index d5132662..f795e8ae 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -76,8 +76,12 @@ local function get_password(username, host)
 	return hosts[host].users.get_password(username);
 end
 
-local function set_password(username, password, host)
-	return hosts[host].users.set_password(username, password);
+local function set_password(username, password, host, resource)
+	local ok, err = hosts[host].users.set_password(username, password);
+	if ok then
+		prosody.events.fire_event("user-password-changed", { username = username, host = host, resource = resource });
+	end
+	return ok, err;
 end
 
 local function user_exists(username, host)
diff --git a/net/http.lua b/net/http.lua
index d820e471..8364a104 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -11,6 +11,7 @@ local url = require "socket.url"
 local httpstream_new = require "net.http.parser".new;
 local util_http = require "util.http";
 local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
 
 local ssl_available = pcall(require, "ssl");
 
@@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" };
 
 function listener.onconnect(conn)
 	local req = requests[conn];
+
+	-- Validate certificate
+	if not req.insecure and conn:ssl() then
+		local sock = conn:socket();
+		local chain_valid = sock.getpeerverification and sock:getpeerverification();
+		if not chain_valid then
+			req.callback("certificate-chain-invalid", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+		local cert = sock.getpeercertificate and sock:getpeercertificate();
+		if not cert or not verify_identity(req.host, false, cert) then
+			req.callback("certificate-verify-failed", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+	end
+
 	-- Send the request
 	local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
 	if req.query then
@@ -181,6 +202,7 @@ local function request(self, u, ex, callback)
 				headers[k] = v;
 			end
 		end
+		req.insecure = ex.insecure;
 	end
 
 	log("debug", "Making %s %s request '%s' to %s", req.scheme:upper(), method or "GET", req.id, (ex and ex.suppress_url and host_header) or u);
@@ -196,7 +218,7 @@ local function request(self, u, ex, callback)
 
 	local sslctx = false;
 	if using_https then
-		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+		sslctx = ex and ex.sslctx or self.options and self.options.sslctx;
 	end
 
 	local handler, conn = server.addclient(host, port_number, listener, "*a", sslctx)
@@ -235,17 +257,19 @@ local function new(options)
 			return new(setmetatable(new_options, { __index = options }));
 		end or new;
 		events = events.new();
-		request = request;
 	};
 	return http;
 end
 
-local default_http = new();
+local default_http = new({
+	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+});
 
 return {
 	request = function (u, ex, callback)
 		return default_http:request(u, ex, callback);
 	end;
+	default = default_http;
 	new = new;
 	events = default_http.events;
 	-- COMPAT
diff --git a/net/websocket.lua b/net/websocket.lua
index 373210d6..777b894c 100644
--- a/net/websocket.lua
+++ b/net/websocket.lua
@@ -38,7 +38,7 @@ function websocket_listeners.ondetach(handler)
 end
 
 local function fail(s, code, reason)
-	module:log("warn", "WebSocket connection failed, closing. %d %s", code, reason);
+	log("warn", "WebSocket connection failed, closing. %d %s", code, reason);
 	s:close(code, reason);
 	s.handler:close();
 	return false
diff --git a/plugins/mod_admin_adhoc.lua b/plugins/mod_admin_adhoc.lua
index 392e715e..f3de6793 100644
--- a/plugins/mod_admin_adhoc.lua
+++ b/plugins/mod_admin_adhoc.lua
@@ -97,7 +97,7 @@ local change_user_password_command_handler = adhoc_simple(change_user_password_l
 	if module_host ~= host then
 		return { status = "completed", error = { message = "Trying to change the password of a user on " .. host .. " but command was sent to " .. module_host}};
 	end
-	if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host) then
+	if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host, nil) then
 		return { status = "completed", info = "Password successfully changed" };
 	else
 		return { status = "completed", error = { message = "User does not exist" } };
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua
index eae72e61..b3a5c7ca 100644
--- a/plugins/mod_admin_telnet.lua
+++ b/plugins/mod_admin_telnet.lua
@@ -1067,7 +1067,7 @@ function def_env.user:password(jid, password)
 	elseif not um.user_exists(username, host) then
 		return nil, "No such user";
 	end
-	local ok, err = um.set_password(username, password, host);
+	local ok, err = um.set_password(username, password, host, nil);
 	if ok then
 		return true, "User password changed";
 	else
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index 53e345e5..35764afb 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -120,7 +120,9 @@ function provider.get_sasl_handler()
 			local credentials = accounts:get(username);
 			if not credentials then return; end
 			if credentials.password then
-				usermanager.set_password(username, credentials.password, host);
+				if provider.set_password(username, credentials.password) == nil then
+					return nil, "Auth failed. Could not set hashed password from plaintext.";
+				end
 				credentials = accounts:get(username);
 				if not credentials then return; end
 			end
diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index f18c2827..3547fe31 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
@@ -201,6 +201,18 @@ module:hook_global("user-deleted", function(event)
 	end
 end, 200);
 
+module:hook_global("user-password-changed", function(event)
+	local username, host, resource = event.username, event.host, event.resource;
+	local user = hosts[host].sessions[username];
+	if user and user.sessions then
+		for r, session in pairs(user.sessions) do
+			if r ~= resource then
+				session:close{ condition = "reset", text = "Password changed" };
+			end
+		end
+	end
+end, 200);
+
 function runner_callbacks:ready()
 	self.data.conn:resume();
 end
diff --git a/plugins/mod_disco.lua b/plugins/mod_disco.lua
index 10eb632d..cd07934f 100644
--- a/plugins/mod_disco.lua
+++ b/plugins/mod_disco.lua
@@ -148,7 +148,7 @@ end);
 
 -- Handle caps stream feature
 module:hook("stream-features", function (event)
-	if event.origin.type == "c2s" or event.origin.type == "c2s_unauthed" then
+	if event.origin.type == "c2s" or event.origin.type == "c2s_unbound" then
 		event.features:add_child(get_server_caps_feature());
 	end
 end);
diff --git a/plugins/mod_mam/mod_mam.lua b/plugins/mod_mam/mod_mam.lua
index 1dcce4e4..a86697e8 100644
--- a/plugins/mod_mam/mod_mam.lua
+++ b/plugins/mod_mam/mod_mam.lua
@@ -243,15 +243,19 @@ local function message_handler(event, c2s)
 	local with = jid_bare(c2s and orig_to or orig_from);
 
 	-- Filter out <stanza-id> that claim to be from us
-	stanza:maptags(function (tag)
-		if tag.name == "stanza-id" and tag.attr.xmlns == xmlns_st_id then
-			local by_user, by_host, res = jid_prepped_split(tag.attr.by);
-			if not res and by_host == module.host and by_user == store_user then
-				return nil;
+	if stanza:get_child("stanza-id", xmlns_st_id) then
+		stanza = st.clone(stanza);
+		stanza:maptags(function (tag)
+			if tag.name == "stanza-id" and tag.attr.xmlns == xmlns_st_id then
+				local by_user, by_host, res = jid_prepped_split(tag.attr.by);
+				if not res and by_host == module.host and by_user == store_user then
+					return nil;
+				end
 			end
-		end
-		return tag;
-	end);
+			return tag;
+		end);
+		event.stanza = stanza;
+	end
 
 	-- We store chat messages or normal messages that have a body
 	if not(orig_type == "chat" or (orig_type == "normal" and stanza:get_child("body")) ) then
@@ -268,18 +272,21 @@ local function message_handler(event, c2s)
 		end
 	end
 
+	local clone_for_storage;
 	if not strip_tags:empty() then
-		stanza = st.clone(stanza);
-		stanza:maptags(function (tag)
+		clone_for_storage = st.clone(stanza);
+		clone_for_storage:maptags(function (tag)
 			if strip_tags:contains(tag.attr.xmlns) then
 				return nil;
 			else
 				return tag;
 			end
 		end);
-		if #stanza.tags == 0 then
+		if #clone_for_storage.tags == 0 then
 			return;
 		end
+	else
+		clone_for_storage = stanza;
 	end
 
 	-- Check with the users preferences
@@ -287,12 +294,14 @@ local function message_handler(event, c2s)
 		log("debug", "Archiving stanza: %s", stanza:top_tag());
 
 		-- And stash it
-		local ok = archive:append(store_user, nil, stanza, time_now(), with);
+		local ok = archive:append(store_user, nil, clone_for_storage, time_now(), with);
 		if ok then
+			local clone_for_other_handlers = st.clone(stanza);
 			local id = ok;
-			event.stanza:tag("stanza-id", { xmlns = xmlns_st_id, by = store_user.."@"..host, id = id }):up();
+			clone_for_other_handlers:tag("stanza-id", { xmlns = xmlns_st_id, by = store_user.."@"..host, id = id }):up();
+			event.stanza = clone_for_other_handlers;
 			if cleanup then cleanup[store_user] = true; end
-			module:fire_event("archive-message-added", { origin = origin, stanza = stanza, for_user = store_user, id = id });
+			module:fire_event("archive-message-added", { origin = origin, stanza = clone_for_storage, for_user = store_user, id = id });
 		end
 	else
 		log("debug", "Not archiving stanza: %s (prefs)", stanza:top_tag());
diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua
index fd5339d9..b39ce090 100644
--- a/plugins/mod_register.lua
+++ b/plugins/mod_register.lua
@@ -91,6 +91,7 @@ module:hook("stream-features", function(event)
 	features:add_child(register_stream_feature);
 end);
 
+-- Password change and account deletion handler
 local function handle_registration_stanza(event)
 	local session, stanza = event.origin, event.stanza;
 	local log = session.log or module._log;
@@ -130,7 +131,7 @@ local function handle_registration_stanza(event)
 			local password = query:get_child_text("password");
 			if username and password then
 				if username == session.username then
-					if usermanager_set_password(username, password, session.host) then
+					if usermanager_set_password(username, password, session.host, session.resource) then
 						session.send(st.reply(stanza));
 					else
 						-- TODO unable to write file, file may be locked, etc, what's the correct error?
@@ -207,6 +208,7 @@ local function check_throttle(ip)
 	return throttle:poll(1);
 end
 
+-- In-band registration
 module:hook("stanza/iq/jabber:iq:register:query", function(event)
 	local session, stanza = event.origin, event.stanza;
 	local log = session.log or module._log;
diff --git a/prosody b/prosody
index 7f6b1c2d..cc879f12 100755
--- a/prosody
+++ b/prosody
@@ -321,7 +321,11 @@ function load_secondary_libraries()
 		return function() end
 	end});
 
-	require "net.http"
+	local http = require "net.http"
+	local config_ssl = config.get("*", "ssl")
+	local https_client = config.get("*", "client_https_ssl")
+	http.default.options.sslctx = require "core.certmanager".create_context("client_https port 0", "client",
+		{ capath = config_ssl.capath, cafile = config_ssl.cafile, verify = "peer", }, https_client);
 
 	require "util.array"
 	require "util.datetime"
diff --git a/prosodyctl b/prosodyctl
index d1634c32..53399407 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -249,6 +249,13 @@ local modulemanager = require "core.modulemanager"
 
 local prosodyctl = require "util.prosodyctl"
 local socket = require "socket"
+
+local http = require "net.http"
+local config_ssl = config.get("*", "ssl")
+local https_client = config.get("*", "client_https_ssl")
+http.default.options.sslctx = require "core.certmanager".create_context("client_https port 0", "client",
+	{ capath = config_ssl.capath, cafile = config_ssl.cafile, verify = "peer", }, https_client);
+
 -----------------------
 
  -- FIXME: Duplicate code waiting for util.startup
@@ -1334,7 +1341,14 @@ function commands.check(arg)
 			print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
 			cert_ok = false
 		else
-			for host in enabled_hosts() do
+			local function skip_bare_jid_hosts(host)
+				if jid_split(host) then
+					-- See issue #779
+					return false;
+				end
+				return true;
+			end
+			for host in it.filter(skip_bare_jid_hosts, enabled_hosts()) do
 				print("Checking certificate for "..host);
 				-- First, let's find out what certificate this host uses.
 				local host_ssl_config = config.rawget(host, "ssl")
diff --git a/util/sql.lua b/util/sql.lua
index 15749911..61d6af41 100644
--- a/util/sql.lua
+++ b/util/sql.lua
@@ -175,7 +175,11 @@ function engine:execute_query(sql, ...)
 	sql = self:prepquery(sql);
 	local stmt = assert(self.conn:prepare(sql));
 	assert(stmt:execute(...));
-	return stmt:rows();
+	local result = {};
+	for row in stmt:rows() do result[#result + 1] = row; end
+	stmt:close();
+	local i = 0;
+	return function() i=i+1; return result[i]; end;
 end
 function engine:execute_update(sql, ...)
 	sql = self:prepquery(sql);