aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* net.server_epoll: Add option to defer accept() until data availableKim Alvefur2022-05-152-0/+7
| | | | | | | | | | This is a Linux(?) socket option that delays the accept signal until there is data available to read. E.g. with HTTP this might mean that a whole request can be handled without going back trough another turn of the main loop, and an initial client <stream> can be responded to. This may have effects on latency and resource use, as the server does not need to allocate resources until really needed.
* net.server_epoll: Wrap LuaSocket object earlier to reuse option setting methodKim Alvefur2021-07-161-2/+2
| | | | | Since it provides some protection and error handling in the form of logging.
* net.server_epoll: Move call to refresh remote IP address out of wrapperKim Alvefur2021-07-161-1/+3
| | | | Reduces the side effects of wrapsocket()
* net.server_epoll: Add support for TCP Fast OpenKim Alvefur2021-07-082-0/+10
| | | | | | | | | | | | | Requires a patch to LuaSocket adding this socket option, https://github.com/lunarmodules/luasocket/pull/378 sysctl tweaks net.ipv4.tcp_fastopen=3 net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0 net.ipv4.tcp_fastopen_key=$(</proc/sys/kernel/random/uuid) Disabled by default since it an advanced performance tweak unlikely to be needed by most servers.
* Merge 0.12->trunkKim Alvefur2022-05-161-1/+10
|\
| * net.unbound: Adjust log level of error to error to errorKim Alvefur2022-05-161-1/+1
| | | | | | | | This error is an error, therefore it should be at the error level
| * net.unbound: Disable use of hosts file by default (fixes #1737)Kim Alvefur2022-05-161-0/+9
| | | | | | | | | | This mirrors the behaviour with net.dns and avoids the initialization issue in #1737
* | Merge 0.12->trunkKim Alvefur2022-05-161-2/+2
|\|
| * core.certmanager: Expand debug messages about cert lookups in indexKim Alvefur2022-05-161-2/+2
| | | | | | | | | | | | Answers my recurring question of > Using cert "certs/example.com.crt" from index ... for what?
* | Merge 0.12->trunkKim Alvefur2022-05-151-2/+2
|\|
| * mod_admin_shell: Tighten up type checks to fix #1754 (thanks clouded)Kim Alvefur2022-05-151-2/+2
| | | | | | | | | | | | Due to the dummy statistics provider (see core.statsmanager line 250) having a metatable that allows infinite indexing where everything is always the same table, which end up in suf() in the concatenation line.
* | mod_smacks: Initialize queue before sending <enable>Kim Alvefur2022-05-151-1/+1
| | | | | | | | | | | | | | | | Setting the .smacks field enables code paths that expects the queue to be present. The queue is initialized in wrap_session_out(). With opportunistic writes enabled this happens immediately on .sends2s(), so the sending <enable> must happen before OR after these two lines, not in the middle.
* | mod_cron: Remove difference between teal versionKim Alvefur2022-05-151-1/+1
| | | | | | | | | | This previously was considered an error because the module API Teal spec did not document a return value from module:add_timer()
* | teal/moduleapi: Describe timer wrapperKim Alvefur2022-05-151-1/+6
| | | | | | | | Since it's used in mod_cron
* | Merge 0.12->trunkKim Alvefur2022-05-092-2/+9
|\|
| * util.jsonschema: Lua <5.3 compat here tooKim Alvefur2022-05-091-1/+4
| |
| * util.jsonpointer: Fix Lua <5.3 compatKim Alvefur2022-05-091-1/+5
| |
* | util.async: Add Teal description fileKim Alvefur2022-05-082-1/+43
| |
* | Merge 0.12->trunkKim Alvefur2022-05-083-2/+40
|\|
| * util.jsonpointer: Fix off-by-one in array resolutionKim Alvefur2022-05-082-2/+2
| | | | | | | | | | | | Fixes #1753 Not known to be used anywhere
| * util.jsonpointer: Add basic testsKim Alvefur2022-05-081-0/+38
| | | | | | | | Example values from RFC 6901
* | mod_s2s: Log queued stanzas for which no error reply is producedKim Alvefur2022-05-071-0/+2
| | | | | | | | | | | | This would mainly be error stanzas. Good to have some trace of when handling of them are finished.
* | mod_s2s: Don't bounce queued error stanzas (thanks Martin)Kim Alvefur2022-05-071-1/+1
| | | | | | | | | | | | | | | | | | The check for the type attr was lost in 11765f0605ec leading to attempts to create error replies for error stanzas, which util.stanza rejects. Tested by sending <message to="reject.badxmpp.eu" type="error"><error/></message> which produced a traceback previously.
* | Merge 0.12->trunkMatthew Wild2022-05-061-1/+5
|\|
| * mod_invites_adhoc: Fall back to generic allow_user_invites for role-less usersMatthew Wild2022-05-061-1/+5
| | | | | | | | Fixes #1752
* | Merge 0.12->trunkKim Alvefur2022-05-053-0/+3
|\|
| * mod_cron: Fix recording last task run time #1751Kim Alvefur2022-05-052-0/+2
| | | | | | | | | | | | | | The type checks, they do nothing! Observed: Tasks that were supposed to run weekly or daily were running each hour.
| * util.prosodyctl.check: turn: Report lack of TURN services as a problem #1749Kim Alvefur2022-05-031-0/+1
| | | | | | | | | | Rationale: It seems unlikely that someone who has not configured any TURN service runs 'prosodyctl check turn' expecting this to be okay.
* | net.server_select: Restore dependency on LuaSec to soft for testsKim Alvefur2022-04-271-3/+1
| | | | | | | | | | server_select is used in e.g. storagemanager tests, and some of the CI runners are lacking LuaSec, which resulted in failures.
* | net.tls_luasec: Harden dependency on LuaSecKim Alvefur2022-04-271-3/+2
| | | | | | | | | | | | We at some point decided that it was okay to have a hard dependency the TLS library. Especially here since this module is meant to contain all LuaSec specifics.
* | Merge 0.12->trunkKim Alvefur2022-04-271-1/+1
|\|
| * core.moduleapi: Fix 'global' property via :context() - #1748Kim Alvefur2022-04-271-1/+1
| | | | | | | | | | | | | | | | | | | | The 'global' property should reflect whether the module API instance represents the global context or a VirtualHost or Component context. However the module:context() method did not override this, leading the property of the previous module shining trough, leading to bugs in code relying on the 'global' property. See also #1736
* | mod_tls: pass target hostname to starttlsJonas Schäfer2021-09-171-1/+1
| | | | | | | | In case the network backend needs it for outgoing SNI or something.
* | mod_tls: tell network backend to stop reading while preparing TLSJonas Schäfer2022-04-021-0/+7
| |
* | mod_tls: Do not offer TLS if the connection is considered secureJonas Schäfer2021-09-171-0/+3
| | | | | | | | | | | | | | | | | | | | This may be necessary if the session.conn object is not exchanged by the network backend when establishing TLS. In that case, the starttls method will always exist and thus that is not a good indicator for offering TLS. However, the secure bit already tells us that TLS has been established or is not to be established on the connection, so we use that instead.
* | net: refactor sslconfig to not depend on LuaSecJonas Schäfer2022-04-026-17/+51
| | | | | | | | | | | | | | | | | | | | | | This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
* | net: isolate LuaSec-specificsJonas Schäfer2022-04-2712-82/+237
| | | | | | | | | | | | | | | | | | | | | | | | | | | | For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
* | Merge 0.12->trunkMatthew Wild2022-04-252-3/+6
|\|
| * util.argparse: Revise 553c6204fe5b with a different approachMatthew Wild2022-04-252-3/+6
| | | | | | | | | | | | The second return value is (not insensibly) assumed to be an error. Instead of returning a value there in the success case, copy the positional arguments into the existing opts table.
* | Merge 0.12->trunkMatthew Wild2022-04-252-2/+13
|\|
| * util.argparse: Return final 'arg' table with positional arguments for ↵Matthew Wild2022-04-251-2/+2
| | | | | | | | | | | | | | | | convenience This is the same as the input table (which is mutated during processing), but if that table was created on the fly, such as by packing `...` it's convenient if it also gets returned from the parse function.
| * mod_s2s: Improve robustness of outgoing s2s certificate verificationMatthew Wild2022-04-251-0/+11
| | | | | | | | | | | | | | | | | | This change ensures we have positively verified the certificates of the server we are connecting to before marking the session as authenticated. It protects against situations where the verify-or-close stage of the connection was interrupted (e.g. due to an uncaught error). Thanks to Zash for discovery and testing.
* | mod_s2s: Distinguish DANE TLSA errors from generic cert chain errorsKim Alvefur2022-04-251-0/+2
| | | | | | | | | | | | Otherwise it would just report "is not trusted" unless you inspect the logs. This message is sent to to the remote server, and will hopefully show up in their logs, allowing the admin to fix their DANE setup.
* | mod_s2s: Recognise and report errors with CA or intermediate certsKim Alvefur2022-04-251-0/+8
| | | | | | | | | | Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.
* | mod_smacks: Improve activation of smacks on outgoing s2sKim Alvefur2022-04-241-21/+16
| | | | | | | | | | | | | | | | | | Using a timer was a hack to get around that stream features are not available at the right time and sendq stanzas were stored as strings so could not be counted properly. The later has now been fixed and the former is fixed by recording the relevant stream feature on the session so that the correct version of XEP-0198 can be activated once the connection has been authenticated and is ready to start.
* | util.crand: Reduce scope here tooKim Alvefur2022-04-231-2/+2
| | | | | | | | Same as previous commit
* | util.strbitop: Reduce scope of functionsKim Alvefur2022-04-231-3/+3
| | | | | | | | | | | | | | | | | | Equivalent to 'local' in Lua, these functions are exported via the luaopen_ function, which is the only one needing to be visible outside of the file. Pointed out by Link Mauve at some point, but there wasn't really any rush here.
* | net.connect: Fix accumulation of connection attempt referencesKim Alvefur2022-04-201-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Connection attempts that failed the Happy Eyeballs race were not unreferenced and would accumulate. Tested by inspecting the 'pending_connections_map' after establishing s2s with a s2s target where the IPv6 port has a -j DROP rule causing it to time out and the IPv4 attempt wins the race. Expected is that the losing connection stays around until net.server timeouts kick in where it should be removed. The map table should tend towards being empty during idle times.
* | Merge 0.12->trunkMatthew Wild2022-04-131-2/+2
|\|
| * util.prosodyctl: check turn: ensure a result is always returned from a check ↵Matthew Wild2022-04-131-2/+2
| | | | | | | | (thanks eTaurus)