aboutsummaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAgeFilesLines
...
* | net.resolvers.basic: Record hostname coming from secure SRV recordsKim Alvefur2022-12-221-0/+2
| | | | | | | | Will be useful even later...
* | net.resolvers.service: Record DNSSEC security status of SRV recordsKim Alvefur2022-12-221-0/+3
| | | | | | | | Will be useful later.
* | net.resolvers.service: Fix reporting of Bogus DNSSEC resultsKim Alvefur2022-12-211-3/+6
| | | | | | | | | | | | | | | | | | The order of checks led to Bogus results being reported with a generic "unable to resolve service". This had no practical effects as such results are simply empty and the process would stop there. Tested by attempting to establish s2s with dnssec-bogus.sg and observing the error reply.
* | Revert unintentionally committed parts of 12bd40b8e105Kim Alvefur2022-12-211-8/+3
| |
* | mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits AdvertisementKim Alvefur2022-10-201-3/+8
| | | | | | | | Thanks MattJ
* | net.connect: Clear TODO for Happy Eyeballs / RFC 8305, close #1246Kim Alvefur2022-08-191-1/+0
| | | | | | | | Gotta have the DOAP references!
* | various: Update IETF RFC URLs for tools.ietf.org transitionKim Alvefur2022-08-051-2/+2
| | | | | | | | | | | | See https://www.ietf.org/blog/finalizing-ietf-tools-transition/ Already done in various other places.
* | net.resolvers.basic: Add opt-out argument for DNSSEC security statusKim Alvefur2022-08-021-3/+5
| | | | | | | | | | | | | | This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as security would come from TLS, but an insecure TLSA record is worthless.
* | mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)Kim Alvefur2022-06-011-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542 Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187
* | compat: Remove handling of Lua 5.1 location of 'unpack' functionKim Alvefur2022-07-111-1/+1
| |
* | Merge 0.12->trunkKim Alvefur2022-06-191-11/+8
|\|
| * net.unbound: Merge luaunbound and prosody defaults in absence of user config ↵Kim Alvefur2022-06-191-11/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (fixes #1763) (thanks rgd) add_defaults() is supposed to merge 3 tables, the defaults in luaunbound, the defaults from prosody and any config from the prosody config file. In the case where no `unbound={}` has been in the config, it skips over the merge and returns only the prosody built-in defaults. This results in libunbound skipping reading resolv.conf and uses its default behavior of full recursive resolution. Prior to #1737 there were only two tables, the luaunbound defaults and the prosody config, where bypassing the merge and returning the former did the right thing.
* | net.http.codes: Refresh from registry, many refs now point to RFC9110Kim Alvefur2022-06-131-46/+46
| |
* | net.server: Fix multiple return valuesKim Alvefur2022-06-033-11/+26
| | | | | | | | | | | | | | return foo and foo() crops multiple return values to a single one, so any second return values etc were last, mostly error details. Introduced in 7e9ebdc75ce4
* | net.server_epoll: Add option to defer accept() until data availableKim Alvefur2022-05-151-0/+6
| | | | | | | | | | | | | | | | | | | | This is a Linux(?) socket option that delays the accept signal until there is data available to read. E.g. with HTTP this might mean that a whole request can be handled without going back trough another turn of the main loop, and an initial client <stream> can be responded to. This may have effects on latency and resource use, as the server does not need to allocate resources until really needed.
* | net.server_epoll: Wrap LuaSocket object earlier to reuse option setting methodKim Alvefur2021-07-161-2/+2
| | | | | | | | | | Since it provides some protection and error handling in the form of logging.
* | net.server_epoll: Move call to refresh remote IP address out of wrapperKim Alvefur2021-07-161-1/+3
| | | | | | | | Reduces the side effects of wrapsocket()
* | net.server_epoll: Add support for TCP Fast OpenKim Alvefur2021-07-081-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | Requires a patch to LuaSocket adding this socket option, https://github.com/lunarmodules/luasocket/pull/378 sysctl tweaks net.ipv4.tcp_fastopen=3 net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0 net.ipv4.tcp_fastopen_key=$(</proc/sys/kernel/random/uuid) Disabled by default since it an advanced performance tweak unlikely to be needed by most servers.
* | Merge 0.12->trunkKim Alvefur2022-05-161-1/+10
|\|
| * net.unbound: Adjust log level of error to error to errorKim Alvefur2022-05-161-1/+1
| | | | | | | | This error is an error, therefore it should be at the error level
| * net.unbound: Disable use of hosts file by default (fixes #1737)Kim Alvefur2022-05-161-0/+9
| | | | | | | | | | This mirrors the behaviour with net.dns and avoids the initialization issue in #1737
* | net.server_select: Restore dependency on LuaSec to soft for testsKim Alvefur2022-04-271-3/+1
| | | | | | | | | | server_select is used in e.g. storagemanager tests, and some of the CI runners are lacking LuaSec, which resulted in failures.
* | net.tls_luasec: Harden dependency on LuaSecKim Alvefur2022-04-271-3/+2
| | | | | | | | | | | | We at some point decided that it was okay to have a hard dependency the TLS library. Especially here since this module is meant to contain all LuaSec specifics.
* | net: refactor sslconfig to not depend on LuaSecJonas Schäfer2022-04-024-0/+25
| | | | | | | | | | | | | | | | | | | | | | This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
* | net: isolate LuaSec-specificsJonas Schäfer2022-04-274-15/+156
| | | | | | | | | | | | | | | | | | | | | | | | | | | | For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
* | net.connect: Fix accumulation of connection attempt referencesKim Alvefur2022-04-201-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Connection attempts that failed the Happy Eyeballs race were not unreferenced and would accumulate. Tested by inspecting the 'pending_connections_map' after establishing s2s with a s2s target where the IPv6 port has a -j DROP rule causing it to time out and the IPv4 attempt wins the race. Expected is that the losing connection stays around until net.server timeouts kick in where it should be removed. The map table should tend towards being empty during idle times.
* | net.connect: Improve logging on connection attempt failureMatthew Wild2022-03-211-1/+5
| |
* | net.connect: Improve handling of failure when attempts are still pendingMatthew Wild2022-03-211-3/+11
| | | | | | | | | | This could lead to failure being reported too early, even if some connections have not yet failed.
* | net.resolvers.basic: Fix incorrect field name (thanks CI)Matthew Wild2022-03-181-1/+1
| |
* | net.connect: When more targets are immediately available, try them after a delayMatthew Wild2022-03-181-1/+10
| | | | | | | | RFC 8305
* | net.connect: Support for multiple pending connection attemptsMatthew Wild2022-03-181-5/+10
| |
* | net.resolvers.basic: Indicate to callback if we have more targets availableMatthew Wild2022-03-181-1/+1
| |
* | net.resolvers.basic: Alternate IP address family targets, per RFC 8305Matthew Wild2022-03-181-2/+10
| |
* | net.resolvers.basic: Refactor to remove code duplicationMatthew Wild2022-03-181-80/+72
| | | | | | | | ...and prepare for Happy Eyeballs
* | net.resolvers.service: Honour record 'weight' when picking SRV targetsMatthew Wild2022-03-171-13/+68
|/ | | | #NotHappyEyeballs
* Spelling: Fix various spelling mistakes (thanks timeless)Kim Alvefur2022-03-072-8/+8
| | | | | | Words, sometimes I wonder how they even work Maybe I missed something.
* net.websocket.frames: Replace bit fiddling code with util.structKim Alvefur2022-03-061-48/+13
| | | | | | Fallback code for not having either the string.pack and string.unpack functions available in Lua 5.4 or the struct lib is no longer needed since the struct lib was imported as util.struct in 3ce3633527af
* net.stun: Support for xor-relayed-address attributeMatthew Wild2022-03-051-2/+20
|
* net.stun: Add xor-peer-address helperMatthew Wild2022-03-051-0/+16
|
* net.stun: Factor out address unpack, an operation common to multiple attributesMatthew Wild2022-03-051-11/+12
|
* net.stun: Name some more attributes from TURNMatthew Wild2022-03-051-0/+3
|
* net.stun: Add lookup table generation helper, reduces code duplicationMatthew Wild2022-03-051-16/+15
|
* net.stun: Hyphenate method names for consistencyMatthew Wild2022-03-051-2/+2
|
* net.stun: Use util.bitcompat to deal with bit module variances across Lua ↵Kim Alvefur2022-03-041-0/+1
| | | | versions
* net.stun: Use util.strbitopKim Alvefur2022-03-041-11/+1
| | | | Improves performance since the whole procedure is done in C
* net.stun: New library that implements STUN/TURN parsing/serializationMatthew Wild2022-03-041-0/+292
|
* net.server_epoll: Disable verbose mode by defaultKim Alvefur2022-02-121-2/+1
|
* net.http: Allow using DANE via options or per request settingsKim Alvefur2022-02-051-1/+5
| | | | Dare to enable by default?
* net.connect: Allow passing TLS context from resolverKim Alvefur2022-01-211-1/+2
| | | | | | Only allowing it to be passed directly makes it hard to combine plain (i.e. starttls) and Direct TLS connections in the same connection resolution procedure. But now we can, using chained resolvers!
* net.resolvers.chain: A resolver for combining other resolversKim Alvefur2022-01-211-0/+38
| | | | Say if you wanted to try both _xmpp and _xmpps services