From 40cbe58541b4cca3b95e6639877b019c7d36f57a Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 3 Jul 2014 15:31:12 +0200
Subject: core.certmanager: Use util.sslconfig

---
 core/certmanager.lua | 85 +++++++++-------------------------------------------
 1 file changed, 14 insertions(+), 71 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index d6a59b9f..1c1518a6 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -10,13 +10,12 @@ local configmanager = require "core.configmanager";
 local log = require "util.logger".init("certmanager");
 local ssl = ssl;
 local ssl_newcontext = ssl and ssl.newcontext;
+local new_config = require"util.sslconfig".new;
 
 local tostring = tostring;
 local pairs = pairs;
 local type = type;
 local io_open = io.open;
-local t_concat = table.concat;
-local t_insert = table.insert;
 
 local prosody = prosody;
 local resolve_path = require"util.paths".resolve_relative_path;
@@ -55,9 +54,6 @@ local core_defaults = {
 local path_options = { -- These we pass through resolve_path()
 	key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
-local set_options = {
-	options = true, verify = true, verifyext = true
-}
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 	-- COMPAT mw/luasec-hg
@@ -66,85 +62,32 @@ if ssl and not luasec_has_verifyext and ssl.x509 then
 	end
 end
 
-local function merge_set(t, o)
-	if type(t) ~= "table" then t = { t } end
-	for k,v in pairs(t) do
-		if v == true or v == false then
-			o[k] = v;
-		else
-			o[v] = true;
-		end
-	end
-	return o;
-end
-
-local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" };
-for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end
-
 function create_context(host, mode, user_ssl_config)
-	user_ssl_config = user_ssl_config or {}
-	user_ssl_config.mode = mode;
-
 	if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
 
-	if global_ssl_config then
-		for option,default_value in pairs(global_ssl_config) do
-			if user_ssl_config[option] == nil then
-				user_ssl_config[option] = default_value;
-			end
-		end
-	end
+	local cfg = new_config();
+	cfg:apply(core_defaults);
+	cfg:apply(global_ssl_config);
+	cfg:apply({
+		mode = mode,
+		-- We can't read the password interactively when daemonized
+		password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
+	});
+	cfg:apply(user_ssl_config);
 
-	for option,default_value in pairs(core_defaults) do
-		if user_ssl_config[option] == nil then
-			user_ssl_config[option] = default_value;
-		end
-	end
-
-	for option in pairs(set_options) do
-		local merged = {};
-		merge_set(core_defaults[option], merged);
-		if global_ssl_config then
-			merge_set(global_ssl_config[option], merged);
-		end
-		merge_set(user_ssl_config[option], merged);
-		local final_array = {};
-		for opt, enable in pairs(merged) do
-			if enable then
-				final_array[#final_array+1] = opt;
-			end
-		end
-		user_ssl_config[option] = final_array;
-	end
+	user_ssl_config = cfg:final();
 
-	local min_protocol = protocols[user_ssl_config.protocol];
-	if min_protocol then
-		user_ssl_config.protocol = "sslv23";
-		for i = 1, min_protocol do
-			t_insert(user_ssl_config.options, "no_"..protocols[i]);
-		end
+	if mode == "server" then
+		if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
+		if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
 	end
 
-	-- We can't read the password interactively when daemonized
-	user_ssl_config.password = user_ssl_config.password or
-		function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
-
 	for option in pairs(path_options) do
 		if type(user_ssl_config[option]) == "string" then
 			user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
 		end
 	end
 
-	-- Allow the cipher list to be a table
-	if type(user_ssl_config.ciphers) == "table" then
-		user_ssl_config.ciphers = t_concat(user_ssl_config.ciphers, ":")
-	end
-
-	if mode == "server" then
-		if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
-		if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
-	end
-
 	-- LuaSec expects dhparam to be a callback that takes two arguments.
 	-- We ignore those because it is mostly used for having a separate
 	-- set of params for EXPORT ciphers, which we don't have by default.
-- 
cgit v1.2.3


From 349d03f965ef0aa20556591c44d290f5d40e7557 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 3 Jul 2014 15:32:26 +0200
Subject: core.certmanager: Make create_context() support an arbitrary number
 of option sets, merging all

---
 core/certmanager.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 1c1518a6..837fe231 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -16,6 +16,7 @@ local tostring = tostring;
 local pairs = pairs;
 local type = type;
 local io_open = io.open;
+local select = select;
 
 local prosody = prosody;
 local resolve_path = require"util.paths".resolve_relative_path;
@@ -62,7 +63,7 @@ if ssl and not luasec_has_verifyext and ssl.x509 then
 	end
 end
 
-function create_context(host, mode, user_ssl_config)
+function create_context(host, mode, ...)
 	if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
 
 	local cfg = new_config();
@@ -73,9 +74,11 @@ function create_context(host, mode, user_ssl_config)
 		-- We can't read the password interactively when daemonized
 		password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
 	});
-	cfg:apply(user_ssl_config);
 
-	user_ssl_config = cfg:final();
+	for i = select('#', ...), 1, -1 do
+		cfg:apply(select(i, ...));
+	end
+	local user_ssl_config = cfg:final();
 
 	if mode == "server" then
 		if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
-- 
cgit v1.2.3


From c24bed529f750d1b4108502d7d035ae491bac2ef Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 3 Jul 2014 15:33:11 +0200
Subject: core.portmanager: Simplify and take advantage of new ssl config
 merging in certmanager

---
 core/portmanager.lua | 37 +++++++++----------------------------
 1 file changed, 9 insertions(+), 28 deletions(-)

(limited to 'core')

diff --git a/core/portmanager.lua b/core/portmanager.lua
index 4cbf3eb3..bc2d4264 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -72,16 +72,6 @@ prosody.events.add_handler("item-removed/net-provider", function (event)
 	unregister_service(item.name, item);
 end);
 
-local function duplicate_ssl_config(ssl_config)
-	local ssl_config = type(ssl_config) == "table" and ssl_config or {};
-
-	local _config = {};
-	for k, v in pairs(ssl_config) do
-		_config[k] = v;
-	end
-	return _config;
-end
-
 --- Public API
 
 function activate(service_name)
@@ -127,24 +117,15 @@ function activate(service_name)
 				local err;
 				-- Create SSL context for this service/port
 				if service_info.encryption == "ssl" then
-					local ssl_config = duplicate_ssl_config((config.get("*", config_prefix.."ssl") and config.get("*", config_prefix.."ssl")[interface])
-								or (config.get("*", config_prefix.."ssl") and config.get("*", config_prefix.."ssl")[port])
-								or config.get("*", config_prefix.."ssl")
-								or (config.get("*", "ssl") and config.get("*", "ssl")[interface])
-								or (config.get("*", "ssl") and config.get("*", "ssl")[port])
-								or config.get("*", "ssl"));
-					-- add default entries for, or override ssl configuration
-					if ssl_config and service_info.ssl_config then
-						for key, value in pairs(service_info.ssl_config) do
-							if not service_info.ssl_config_override and not ssl_config[key] then
-								ssl_config[key] = value;
-							elseif service_info.ssl_config_override then
-								ssl_config[key] = value;
-							end
-						end
-					end
-
-					ssl, err = certmanager.create_context(service_info.name.." port "..port, "server", ssl_config);
+					local global_ssl_config = config.get("*", "ssl") or {};
+					local prefix_ssl_config = config.get("*", config_prefix.."ssl") or global_ssl_config;
+					ssl, err = certmanager.create_context(service_info.name.." port "..port, "server",
+						service_info.ssl_config or {},
+						prefix_ssl_config[interface],
+						prefix_ssl_config[port],
+						prefix_ssl_config,
+						global_ssl_config[interface],
+						global_ssl_config[port]);
 					if not ssl then
 						log("error", "Error binding encrypted port for %s: %s", service_info.name, error_to_friendly_message(service_name, port_number, err) or "unknown error");
 					end
-- 
cgit v1.2.3


From 105ceb9cffa82a84a2f1df4cb0659772f6930526 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 22 May 2014 15:21:22 +0200
Subject: hostmanager, mod_dialback: Move generation of dialback secret out of
 core

---
 core/hostmanager.lua | 1 -
 1 file changed, 1 deletion(-)

(limited to 'core')

diff --git a/core/hostmanager.lua b/core/hostmanager.lua
index 91b052d1..d10ecd30 100644
--- a/core/hostmanager.lua
+++ b/core/hostmanager.lua
@@ -74,7 +74,6 @@ function activate(host, host_config)
 		host = host;
 		s2sout = {};
 		events = events_new();
-		dialback_secret = configmanager.get(host, "dialback_secret") or uuid_gen();
 		send = host_send;
 		modules = {};
 	};
-- 
cgit v1.2.3