Changeset

3765:0731e5432baa

Merge Tobias->trunk
author Matthew Wild <mwild1@gmail.com>
date Fri, 17 Dec 2010 13:50:33 +0000
parents 3764:323169f229fa (current diff) 3761:e5fb26e8faeb (diff)
children 3766:0d7137fee360
files plugins/mod_console.lua util/certverification.lua
diffstat 25 files changed, 1484 insertions(+), 1089 deletions(-) [+]
line wrap: on
line diff
--- a/core/loggingmanager.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/core/loggingmanager.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -15,7 +15,7 @@
 local io_open, io_write = io.open, io.write;
 local math_max, rep = math.max, string.rep;
 local os_date, os_getenv = os.date, os.getenv;
-local getstyle, getstring = require "util.termcolours".getstyle, require "util.termcolours".getstring;
+local getstyle, setstyle = require "util.termcolours".getstyle, require "util.termcolours".setstyle;
 
 if os.getenv("__FLUSH_LOG") then
 	local io_flush = io.flush;
@@ -217,7 +217,7 @@
 end
 
 do
-	local do_pretty_printing = not os_getenv("WINDIR");
+	local do_pretty_printing = true;
 	
 	local logstyles = {};
 	if do_pretty_printing then
@@ -244,10 +244,14 @@
 			if timestamps then
 				io_write(os_date(timestamps), " ");
 			end
+			io_write(name, rep(" ", sourcewidth-namelen));
+			setstyle(logstyles[level]);
+			io_write(level);
+			setstyle();
 			if ... then
-				io_write(name, rep(" ", sourcewidth-namelen), getstring(logstyles[level], level), "\t", format(message, ...), "\n");
+				io_write("\t", format(message, ...), "\n");
 			else
-				io_write(name, rep(" ", sourcewidth-namelen), getstring(logstyles[level], level), "\t", message, "\n");
+				io_write("\t", message, "\n");
 			end
 		end
 	end
--- a/core/modulemanager.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/core/modulemanager.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -77,6 +77,13 @@
 	end
 	local modules = global_modules + host_modules;
 	
+	-- COMPAT w/ pre 0.8
+	if modules:contains("console") then
+		log("error", "The mod_console plugin has been renamed to mod_admin_telnet. Please update your config.");
+		modules:remove("console");
+		modules:add("admin_telnet");
+	end
+	
 	if component then
 		load(host, component);
 	end
--- a/core/s2smanager.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/core/s2smanager.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -27,7 +27,7 @@
 local st = require "stanza";
 local stanza = st.stanza;
 local nameprep = require "util.encodings".stringprep.nameprep;
-local cert_verify_identity = require "util.certverification".verify_identity;
+local cert_verify_identity = require "util.x509".verify_identity;
 
 local fire_event = prosody.events.fire_event;
 local uuid_gen = require "util.uuid".generate;
--- a/core/storagemanager.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/core/storagemanager.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -11,6 +11,7 @@
 
 local olddm = {}; -- maintain old datamanager, for backwards compatibility
 for k,v in pairs(datamanager) do olddm[k] = v; end
+local prosody = prosody;
 
 module("storagemanager")
 
@@ -25,6 +26,7 @@
 local stores_available = multitable.new();
 
 function initialize_host(host)
+	local host_session = hosts[host];
 	host_session.events.add_handler("item-added/data-driver", function (event)
 		local item = event.item;
 		stores_available:set(host, item.name, item);
@@ -35,19 +37,19 @@
 		stores_available:set(host, item.name, nil);
 	end);
 end
+prosody.events.add_handler("host-activated", initialize_host, 101);
 
 local function load_driver(host, driver_name)
 	if not driver_name then
 		return;
 	end
 	local driver = stores_available:get(host, driver_name);
-	if not driver then
-		if driver_name ~= "internal" then
-			modulemanager.load(host, "storage_"..driver_name);
-			return stores_available:get(host, driver_name);
-		else
-			return setmetatable({host = host}, default_driver_mt);
-		end
+	if driver then return driver; end
+	if driver_name ~= "internal" then
+		modulemanager.load(host, "storage_"..driver_name);
+		return stores_available:get(host, driver_name);
+	else
+		return setmetatable({host = host}, default_driver_mt);
 	end
 end
 
--- a/net/dns.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/net/dns.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -21,8 +21,8 @@
 local coroutine, io, math, string, table =
       coroutine, io, math, string, table;
 
-local ipairs, next, pairs, print, setmetatable, tostring, assert, error, unpack, select =
-      ipairs, next, pairs, print, setmetatable, tostring, assert, error, unpack, select;
+local ipairs, next, pairs, print, setmetatable, tostring, assert, error, unpack, select, type=
+      ipairs, next, pairs, print, setmetatable, tostring, assert, error, unpack, select, type;
 
 local ztact = { -- public domain 20080404 lua@ztact.com
 	get = function(parent, ...)
@@ -160,29 +160,24 @@
 
 local SRV_tostring;
 
+local function default_rr_tostring(rr)
+	local rr_val = rr.type and rr[rr.type:lower()];
+	if type(rr_val) ~= "string" then
+		return "<UNKNOWN RDATA TYPE>";
+	end
+	return rr_val;
+end
+
+local special_tostrings = {
+	LOC = resolver.LOC_tostring;
+	MX = function (rr) return string.format('%2i %s', rr.pref, rr.mx); end;
+	SRV = SRV_tostring;
+};
 
 local rr_metatable = {};   -- - - - - - - - - - - - - - - - - - -  rr_metatable
 function rr_metatable.__tostring(rr)
-	local s0 = string.format('%2s %-5s %6i %-28s', rr.class, rr.type, rr.ttl, rr.name);
-	local s1 = '';
-	if rr.type == 'A' then
-		s1 = ' '..rr.a;
-	elseif rr.type == 'MX' then
-		s1 = string.format(' %2i %s', rr.pref, rr.mx);
-	elseif rr.type == 'CNAME' then
-		s1 = ' '..rr.cname;
-	elseif rr.type == 'LOC' then
-		s1 = ' '..resolver.LOC_tostring(rr);
-	elseif rr.type == 'NS' then
-		s1 = ' '..rr.ns;
-	elseif rr.type == 'SRV' then
-		s1 = ' '..SRV_tostring(rr);
-	elseif rr.type == 'TXT' then
-		s1 = ' '..rr.txt;
-	else
-		s1 = ' <UNKNOWN RDATA TYPE>';
-	end
-	return s0..s1;
+	local rr_string = (special_tostrings[rr.type] or default_rr_tostring)(rr);
+	return string.format('%2s %-5s %6i %-28s %s', rr.class, rr.type, rr.ttl, rr.name, rr_string);
 end
 
 
@@ -939,6 +934,9 @@
 	return self:peek(qname, qtype, qclass) or self:query(qname, qtype, qclass);
 end
 
+function resolver:tohostname(ip)
+	return dns.lookup(ip:gsub("(%d+)%.(%d+)%.(%d+)%.(%d+)", "%4.%3.%2.%1.in-addr.arpa."), "PTR");
+end
 
 --print ---------------------------------------------------------------- print
 
@@ -1014,6 +1012,10 @@
 	return _resolver:lookup(...);
 end
 
+function dns.tohostname(...)
+	return _resolver:tohostname(...);
+end
+
 function dns.purge(...)    -- - - - - - - - - - - - - - - - - - - - - -  purge
 	return _resolver:purge(...);
 end
--- a/net/httpserver.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/net/httpserver.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -190,6 +190,7 @@
 		log("warn", "Old syntax of httpserver.new_from_config being used to register %s", handle_request);
 		handle_request, default_options = default_options, { base = handle_request };
 	end
+	ports = ports or {5280};
 	for _, options in ipairs(ports) do
 		local port = default_options.port or 5280;
 		local base = default_options.base;
--- a/net/xmppclient_listener.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/net/xmppclient_listener.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -10,22 +10,19 @@
 
 local logger = require "logger";
 local log = logger.init("xmppclient_listener");
-local lxp = require "lxp"
 local new_xmpp_stream = require "util.xmppstream".new;
-local sm_new_session = require "core.sessionmanager".new_session;
 
 local connlisteners_register = require "net.connlisteners".register;
 
-local t_insert = table.insert;
-local t_concat = table.concat;
-local t_concatall = function (t, sep) local tt = {}; for _, s in ipairs(t) do t_insert(tt, tostring(s)); end return t_concat(tt, sep); end
-local m_random = math.random;
-local format = string.format;
 local sessionmanager = require "core.sessionmanager";
 local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session;
 local sm_streamopened = sessionmanager.streamopened;
 local sm_streamclosed = sessionmanager.streamclosed;
 local st = require "util.stanza";
+local xpcall = xpcall;
+local tostring = tostring;
+local type = type;
+local traceback = debug.traceback;
 
 local config = require "core.configmanager";
 local opt_keepalives = config.get("*", "core", "tcp_keepalives");
@@ -62,7 +59,7 @@
 	end
 end
 
-local function handleerr(err) log("error", "Traceback[c2s]: %s: %s", tostring(err), debug.traceback()); end
+local function handleerr(err) log("error", "Traceback[c2s]: %s: %s", tostring(err), traceback()); end
 function stream_callbacks.handlestanza(session, stanza)
 	stanza = session.filter("stanzas/in", stanza);
 	if stanza then
--- a/net/xmppcomponent_listener.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/net/xmppcomponent_listener.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -10,6 +10,9 @@
 local hosts = _G.hosts;
 
 local t_concat = table.concat;
+local tostring = tostring;
+local type = type;
+local pairs = pairs;
 
 local lxp = require "lxp";
 local logger = require "util.logger";
@@ -162,46 +165,42 @@
 end
 
 --- Component connlistener
+function component_listener.onconnect(conn)
+	local _send = conn.write;
+	local session = { type = "component", conn = conn, send = function (data) return _send(conn, tostring(data)); end };
+
+	-- Logging functions --
+	local conn_name = "jcp"..tostring(conn):match("[a-f0-9]+$");
+	session.log = logger.init(conn_name);
+	session.close = session_close;
+	
+	session.log("info", "Incoming Jabber component connection");
+	
+	local stream = new_xmpp_stream(session, stream_callbacks);
+	session.stream = stream;
+	
+	session.notopen = true;
+	
+	function session.reset_stream()
+		session.notopen = true;
+		session.stream:reset();
+	end
+
+	function session.data(conn, data)
+		local ok, err = stream:feed(data);
+		if ok then return; end
+		log("debug", "Received invalid XML (%s) %d bytes: %s", tostring(err), #data, data:sub(1, 300):gsub("[\r\n]+", " "):gsub("[%z\1-\31]", "_"));
+		session:close("not-well-formed");
+	end
+	
+	session.dispatch_stanza = stream_callbacks.handlestanza;
+
+	sessions[conn] = session;
+end
 function component_listener.onincoming(conn, data)
 	local session = sessions[conn];
-	if not session then
-		local _send = conn.write;
-		session = { type = "component", conn = conn, send = function (data) return _send(conn, tostring(data)); end };
-		sessions[conn] = session;
-
-		-- Logging functions --
-		
-		local conn_name = "jcp"..tostring(conn):match("[a-f0-9]+$");
-		session.log = logger.init(conn_name);
-		session.close = session_close;
-		
-		session.log("info", "Incoming Jabber component connection");
-		
-		local stream = new_xmpp_stream(session, stream_callbacks);
-		session.stream = stream;
-		
-		session.notopen = true;
-		
-		function session.reset_stream()
-			session.notopen = true;
-			session.stream:reset();
-		end
-	
-		function session.data(conn, data)
-			local ok, err = stream:feed(data);
-			if ok then return; end
-			log("debug", "Received invalid XML (%s) %d bytes: %s", tostring(err), #data, data:sub(1, 300):gsub("[\r\n]+", " "):gsub("[%z\1-\31]", "_"));
-			session:close("not-well-formed");
-		end
-		
-		session.dispatch_stanza = stream_callbacks.handlestanza;
-		
-	end
-	if data then
-		session.data(conn, data);
-	end
+	session.data(conn, data);
 end
-	
 function component_listener.ondisconnect(conn, err)
 	local session = sessions[conn];
 	if session then
--- a/net/xmppserver_listener.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/net/xmppserver_listener.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -7,10 +7,16 @@
 --
 
 
+local tostring = tostring;
+local type = type;
+local xpcall = xpcall;
+local s_format = string.format;
+local traceback = debug.traceback;
 
 local logger = require "logger";
 local log = logger.init("xmppserver_listener");
-local lxp = require "lxp"
+local st = require "util.stanza";
+local connlisteners_register = require "net.connlisteners".register;
 local new_xmpp_stream = require "util.xmppstream".new;
 local s2s_new_incoming = require "core.s2smanager".new_incoming;
 local s2s_streamopened = require "core.s2smanager".streamopened;
@@ -48,7 +54,7 @@
 	end
 end
 
-local function handleerr(err) log("error", "Traceback[s2s]: %s: %s", tostring(err), debug.traceback()); end
+local function handleerr(err) log("error", "Traceback[s2s]: %s: %s", tostring(err), traceback()); end
 function stream_callbacks.handlestanza(session, stanza)
 	if stanza.attr.xmlns == "jabber:client" then --COMPAT: Prosody pre-0.6.2 may send jabber:client
 		stanza.attr.xmlns = nil;
@@ -59,17 +65,6 @@
 	end
 end
 
-local connlisteners_register = require "net.connlisteners".register;
-
-local t_insert = table.insert;
-local t_concat = table.concat;
-local t_concatall = function (t, sep) local tt = {}; for _, s in ipairs(t) do t_insert(tt, tostring(s)); end return t_concat(tt, sep); end
-local m_random = math.random;
-local format = string.format;
-local sessionmanager = require "core.sessionmanager";
-local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session;
-local st = require "util.stanza";
-
 local sessions = {};
 local xmppserver = { default_port = 5269, default_mode = "*a" };
 
@@ -173,9 +168,9 @@
 	if status == "ssl-handshake-complete" then
 		local session = sessions[conn];
 		if session and session.direction == "outgoing" then
-			local format, to_host, from_host = string.format, session.to_host, session.from_host;
+			local to_host, from_host = session.to_host, session.from_host;
 			session.log("debug", "Sending stream header...");
-			session.sends2s(format([[<stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' from='%s' to='%s' version='1.0'>]], from_host, to_host));
+			session.sends2s(s_format([[<stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' from='%s' to='%s' version='1.0'>]], from_host, to_host));
 		end
 	end
 end
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/plugins/mod_admin_telnet.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -0,0 +1,759 @@
+-- Prosody IM
+-- Copyright (C) 2008-2010 Matthew Wild
+-- Copyright (C) 2008-2010 Waqas Hussain
+-- 
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
+
+module.host = "*";
+
+local _G = _G;
+
+local prosody = _G.prosody;
+local hosts = prosody.hosts;
+local connlisteners_register = require "net.connlisteners".register;
+
+local console_listener = { default_port = 5582; default_mode = "*l"; default_interface = "127.0.0.1" };
+
+require "util.iterators";
+local jid_bare = require "util.jid".bare;
+local set, array = require "util.set", require "util.array";
+local cert_verify_identity = require "util.x509".verify_identity;
+
+local commands = {};
+local def_env = {};
+local default_env_mt = { __index = def_env };
+
+prosody.console = { commands = commands, env = def_env };
+
+local function redirect_output(_G, session)
+	local env = setmetatable({ print = session.print }, { __index = function (t, k) return rawget(_G, k); end });
+	env.dofile = function(name)
+		local f, err = loadfile(name);
+		if not f then return f, err; end
+		return setfenv(f, env)();
+	end;
+	return env;
+end
+
+console = {};
+
+function console:new_session(conn)
+	local w = function(s) conn:write(s:gsub("\n", "\r\n")); end;
+	local session = { conn = conn;
+			send = function (t) w(tostring(t)); end;
+			print = function (...)
+				local t = {};
+				for i=1,select("#", ...) do
+					t[i] = tostring(select(i, ...));
+				end
+				w("| "..table.concat(t, "\t").."\n");
+			end;
+			disconnect = function () conn:close(); end;
+			};
+	session.env = setmetatable({}, default_env_mt);
+	
+	-- Load up environment with helper objects
+	for name, t in pairs(def_env) do
+		if type(t) == "table" then
+			session.env[name] = setmetatable({ session = session }, { __index = t });
+		end
+	end
+	
+	return session;
+end
+
+local sessions = {};
+
+function console_listener.onconnect(conn)
+	-- Handle new connection
+	local session = console:new_session(conn);
+	sessions[conn] = session;
+	printbanner(session);
+	session.send(string.char(0));
+end
+
+function console_listener.onincoming(conn, data)
+	local session = sessions[conn];
+
+	-- Handle data
+	(function(session, data)
+		local useglobalenv;
+		
+		if data:match("^>") then
+			data = data:gsub("^>", "");
+			useglobalenv = true;
+		elseif data == "\004" then
+			commands["bye"](session, data);
+			return;
+		else
+			local command = data:lower();
+			command = data:match("^%w+") or data:match("%p");
+			if commands[command] then
+				commands[command](session, data);
+				return;
+			end
+		end
+
+		session.env._ = data;
+		
+		local chunkname = "=console";
+		local chunk, err = loadstring("return "..data, chunkname);
+		if not chunk then
+			chunk, err = loadstring(data, chunkname);
+			if not chunk then
+				err = err:gsub("^%[string .-%]:%d+: ", "");
+				err = err:gsub("^:%d+: ", "");
+				err = err:gsub("'<eof>'", "the end of the line");
+				session.print("Sorry, I couldn't understand that... "..err);
+				return;
+			end
+		end
+		
+		setfenv(chunk, (useglobalenv and redirect_output(_G, session)) or session.env or nil);
+		
+		local ranok, taskok, message = pcall(chunk);
+		
+		if not (ranok or message or useglobalenv) and commands[data:lower()] then
+			commands[data:lower()](session, data);
+			return;
+		end
+		
+		if not ranok then
+			session.print("Fatal error while running command, it did not complete");
+			session.print("Error: "..taskok);
+			return;
+		end
+		
+		if not message then
+			session.print("Result: "..tostring(taskok));
+			return;
+		elseif (not taskok) and message then
+			session.print("Command completed with a problem");
+			session.print("Message: "..tostring(message));
+			return;
+		end
+		
+		session.print("OK: "..tostring(message));
+	end)(session, data);
+	
+	session.send(string.char(0));
+end
+
+function console_listener.ondisconnect(conn, err)
+	local session = sessions[conn];
+	if session then
+		session.disconnect();
+		sessions[conn] = nil;
+	end
+end
+
+connlisteners_register('console', console_listener);
+
+-- Console commands --
+-- These are simple commands, not valid standalone in Lua
+
+function commands.bye(session)
+	session.print("See you! :)");
+	session.disconnect();
+end
+commands.quit, commands.exit = commands.bye, commands.bye;
+
+commands["!"] = function (session, data)
+	if data:match("^!!") and session.env._ then
+		session.print("!> "..session.env._);
+		return console_listener.onincoming(session.conn, session.env._);
+	end
+	local old, new = data:match("^!(.-[^\\])!(.-)!$");
+	if old and new then
+		local ok, res = pcall(string.gsub, session.env._, old, new);
+		if not ok then
+			session.print(res)
+			return;
+		end
+		session.print("!> "..res);
+		return console_listener.onincoming(session.conn, res);
+	end
+	session.print("Sorry, not sure what you want");
+end
+
+
+function commands.help(session, data)
+	local print = session.print;
+	local section = data:match("^help (%w+)");
+	if not section then
+		print [[Commands are divided into multiple sections. For help on a particular section, ]]
+		print [[type: help SECTION (for example, 'help c2s'). Sections are: ]]
+		print [[]]
+		print [[c2s - Commands to manage local client-to-server sessions]]
+		print [[s2s - Commands to manage sessions between this server and others]]
+		print [[module - Commands to load/reload/unload modules/plugins]]
+		print [[host - Commands to activate, deactivate and list virtual hosts]]
+		print [[server - Uptime, version, shutting down, etc.]]
+		print [[config - Reloading the configuration, etc.]]
+		print [[console - Help regarding the console itself]]
+	elseif section == "c2s" then
+		print [[c2s:show(jid) - Show all client sessions with the specified JID (or all if no JID given)]]
+		print [[c2s:show_insecure() - Show all unencrypted client connections]]
+		print [[c2s:show_secure() - Show all encrypted client connections]]
+		print [[c2s:close(jid) - Close all sessions for the specified JID]]
+	elseif section == "s2s" then
+		print [[s2s:show(domain) - Show all s2s connections for the given domain (or all if no domain given)]]
+		print [[s2s:close(from, to) - Close a connection from one domain to another]]
+	elseif section == "module" then
+		print [[module:load(module, host) - Load the specified module on the specified host (or all hosts if none given)]]
+		print [[module:reload(module, host) - The same, but unloads and loads the module (saving state if the module supports it)]]
+		print [[module:unload(module, host) - The same, but just unloads the module from memory]]
+		print [[module:list(host) - List the modules loaded on the specified host]]
+	elseif section == "host" then
+		print [[host:activate(hostname) - Activates the specified host]]
+		print [[host:deactivate(hostname) - Disconnects all clients on this host and deactivates]]
+		print [[host:list() - List the currently-activated hosts]]
+	elseif section == "server" then
+		print [[server:version() - Show the server's version number]]
+		print [[server:uptime() - Show how long the server has been running]]
+		print [[server:shutdown(reason) - Shut down the server, with an optional reason to be broadcast to all connections]]
+	elseif section == "config" then
+		print [[config:reload() - Reload the server configuration. Modules may need to be reloaded for changes to take effect.]]
+	elseif section == "console" then
+		print [[Hey! Welcome to Prosody's admin console.]]
+		print [[First thing, if you're ever wondering how to get out, simply type 'quit'.]]
+		print [[Secondly, note that we don't support the full telnet protocol yet (it's coming)]]
+		print [[so you may have trouble using the arrow keys, etc. depending on your system.]]
+		print [[]]
+		print [[For now we offer a couple of handy shortcuts:]]
+		print [[!! - Repeat the last command]]
+		print [[!old!new! - repeat the last command, but with 'old' replaced by 'new']]
+		print [[]]
+		print [[For those well-versed in Prosody's internals, or taking instruction from those who are,]]
+		print [[you can prefix a command with > to escape the console sandbox, and access everything in]]
+		print [[the running server. Great fun, but be careful not to break anything :)]]
+	end
+	print [[]]
+end
+
+-- Session environment --
+-- Anything in def_env will be accessible within the session as a global variable
+
+def_env.server = {};
+
+function def_env.server:insane_reload()
+	prosody.unlock_globals();
+	dofile "prosody"
+	prosody = _G.prosody;
+	return true, "Server reloaded";
+end
+
+function def_env.server:version()
+	return true, tostring(prosody.version or "unknown");
+end
+
+function def_env.server:uptime()
+	local t = os.time()-prosody.start_time;
+	local seconds = t%60;
+	t = (t - seconds)/60;
+	local minutes = t%60;
+	t = (t - minutes)/60;
+	local hours = t%24;
+	t = (t - hours)/24;
+	local days = t;
+	return true, string.format("This server has been running for %d day%s, %d hour%s and %d minute%s (since %s)",
+		days, (days ~= 1 and "s") or "", hours, (hours ~= 1 and "s") or "",
+		minutes, (minutes ~= 1 and "s") or "", os.date("%c", prosody.start_time));
+end
+
+function def_env.server:shutdown(reason)
+	prosody.shutdown(reason);
+	return true, "Shutdown initiated";
+end
+
+def_env.module = {};
+
+local function get_hosts_set(hosts, module)
+	if type(hosts) == "table" then
+		if hosts[1] then
+			return set.new(hosts);
+		elseif hosts._items then
+			return hosts;
+		end
+	elseif type(hosts) == "string" then
+		return set.new { hosts };
+	elseif hosts == nil then
+		local mm = require "modulemanager";
+		return set.new(array.collect(keys(prosody.hosts)))
+			/ function (host) return prosody.hosts[host].type == "local" or module and mm.is_loaded(host, module); end;
+	end
+end
+
+function def_env.module:load(name, hosts, config)
+	local mm = require "modulemanager";
+	
+	hosts = get_hosts_set(hosts);
+	
+	-- Load the module for each host
+	local ok, err, count = true, nil, 0;
+	for host in hosts do
+		if (not mm.is_loaded(host, name)) then
+			ok, err = mm.load(host, name, config);
+			if not ok then
+				ok = false;
+				self.session.print(err or "Unknown error loading module");
+			else
+				count = count + 1;
+				self.session.print("Loaded for "..host);
+			end
+		end
+	end
+	
+	return ok, (ok and "Module loaded onto "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));	
+end
+
+function def_env.module:unload(name, hosts)
+	local mm = require "modulemanager";
+
+	hosts = get_hosts_set(hosts, name);
+	
+	-- Unload the module for each host
+	local ok, err, count = true, nil, 0;
+	for host in hosts do
+		if mm.is_loaded(host, name) then
+			ok, err = mm.unload(host, name);
+			if not ok then
+				ok = false;
+				self.session.print(err or "Unknown error unloading module");
+			else
+				count = count + 1;
+				self.session.print("Unloaded from "..host);
+			end
+		end
+	end
+	return ok, (ok and "Module unloaded from "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));
+end
+
+function def_env.module:reload(name, hosts)
+	local mm = require "modulemanager";
+
+	hosts = get_hosts_set(hosts, name);
+	
+	-- Reload the module for each host
+	local ok, err, count = true, nil, 0;
+	for host in hosts do
+		if mm.is_loaded(host, name) then
+			ok, err = mm.reload(host, name);
+			if not ok then
+				ok = false;
+				self.session.print(err or "Unknown error reloading module");
+			else
+				count = count + 1;
+				if ok == nil then
+					ok = true;
+				end
+				self.session.print("Reloaded on "..host);
+			end
+		end
+	end
+	return ok, (ok and "Module reloaded on "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));
+end
+
+function def_env.module:list(hosts)
+	if hosts == nil then
+		hosts = array.collect(keys(prosody.hosts));
+	end
+	if type(hosts) == "string" then
+		hosts = { hosts };
+	end
+	if type(hosts) ~= "table" then
+		return false, "Please supply a host or a list of hosts you would like to see";
+	end
+	
+	local print = self.session.print;
+	for _, host in ipairs(hosts) do
+		print(host..":");
+		local modules = array.collect(keys(prosody.hosts[host] and prosody.hosts[host].modules or {})):sort();
+		if #modules == 0 then
+			if prosody.hosts[host] then
+				print("    No modules loaded");
+			else
+				print("    Host not found");
+			end
+		else
+			for _, name in ipairs(modules) do
+				print("    "..name);
+			end
+		end
+	end
+end
+
+def_env.config = {};
+function def_env.config:load(filename, format)
+	local config_load = require "core.configmanager".load;
+	local ok, err = config_load(filename, format);
+	if not ok then
+		return false, err or "Unknown error loading config";
+	end
+	return true, "Config loaded";
+end
+
+function def_env.config:get(host, section, key)
+	local config_get = require "core.configmanager".get
+	return true, tostring(config_get(host, section, key));
+end
+
+function def_env.config:reload()
+	local ok, err = prosody.reload_config();
+	return ok, (ok and "Config reloaded (you may need to reload modules to take effect)") or tostring(err);
+end
+
+def_env.hosts = {};
+function def_env.hosts:list()
+	for host, host_session in pairs(hosts) do
+		self.session.print(host);
+	end
+	return true, "Done";
+end
+
+function def_env.hosts:add(name)
+end
+
+def_env.c2s = {};
+
+local function show_c2s(callback)
+	for hostname, host in pairs(hosts) do
+		for username, user in pairs(host.sessions or {}) do
+			for resource, session in pairs(user.sessions or {}) do
+				local jid = username.."@"..hostname.."/"..resource;
+				callback(jid, session);
+			end
+		end
+	end
+end
+
+function def_env.c2s:show(match_jid)
+	local print, count = self.session.print, 0;
+	local curr_host;
+	show_c2s(function (jid, session)
+		if curr_host ~= session.host then
+			curr_host = session.host;
+			print(curr_host);
+		end
+		if (not match_jid) or jid:match(match_jid) then
+			count = count + 1;
+			local status, priority = "unavailable", tostring(session.priority or "-");
+			if session.presence then
+				status = session.presence:child_with_name("show");
+				if status then
+					status = status:get_text() or "[invalid!]";
+				else
+					status = "available";
+				end
+			end
+			print("   "..jid.." - "..status.."("..priority..")");
+		end		
+	end);
+	return true, "Total: "..count.." clients";
+end
+
+function def_env.c2s:show_insecure(match_jid)
+	local print, count = self.session.print, 0;
+	show_c2s(function (jid, session)
+		if ((not match_jid) or jid:match(match_jid)) and not session.secure then
+			count = count + 1;
+			print(jid);
+		end		
+	end);
+	return true, "Total: "..count.." insecure client connections";
+end
+
+function def_env.c2s:show_secure(match_jid)
+	local print, count = self.session.print, 0;
+	show_c2s(function (jid, session)
+		if ((not match_jid) or jid:match(match_jid)) and session.secure then
+			count = count + 1;
+			print(jid);
+		end		
+	end);
+	return true, "Total: "..count.." secure client connections";
+end
+
+function def_env.c2s:close(match_jid)
+	local print, count = self.session.print, 0;
+	show_c2s(function (jid, session)
+		if jid == match_jid or jid_bare(jid) == match_jid then
+			count = count + 1;
+			session:close();
+		end
+	end);
+	return true, "Total: "..count.." sessions closed";
+end
+
+def_env.s2s = {};
+function def_env.s2s:show(match_jid)
+	local _print = self.session.print;
+	local print = self.session.print;
+	
+	local count_in, count_out = 0,0;
+	
+	for host, host_session in pairs(hosts) do
+		print = function (...) _print(host); _print(...); print = _print; end
+		for remotehost, session in pairs(host_session.s2sout) do
+			if (not match_jid) or remotehost:match(match_jid) or host:match(match_jid) then
+				count_out = count_out + 1;
+				print("    "..host.." -> "..remotehost..(session.cert_identity_status == "valid" and " (secure)" or "")..(session.secure and " (encrypted)" or "")..(session.compressed and " (compressed)" or ""));
+				if session.sendq then
+					print("        There are "..#session.sendq.." queued outgoing stanzas for this connection");
+				end
+				if session.type == "s2sout_unauthed" then
+					if session.connecting then
+						print("        Connection not yet established");
+						if not session.srv_hosts then
+							if not session.conn then
+								print("        We do not yet have a DNS answer for this host's SRV records");
+							else
+								print("        This host has no SRV records, using A record instead");
+							end
+						elseif session.srv_choice then
+							print("        We are on SRV record "..session.srv_choice.." of "..#session.srv_hosts);
+							local srv_choice = session.srv_hosts[session.srv_choice];
+							print("        Using "..(srv_choice.target or ".")..":"..(srv_choice.port or 5269));
+						end
+					elseif session.notopen then
+						print("        The <stream> has not yet been opened");
+					elseif not session.dialback_key then
+						print("        Dialback has not been initiated yet");
+					elseif session.dialback_key then
+						print("        Dialback has been requested, but no result received");
+					end
+				end
+			end
+		end	
+		local subhost_filter = function (h)
+				return (match_jid and h:match(match_jid));
+			end
+		for session in pairs(incoming_s2s) do
+			if session.to_host == host and ((not match_jid) or host:match(match_jid)
+				or (session.from_host and session.from_host:match(match_jid))
+				-- Pft! is what I say to list comprehensions
+				or (session.hosts and #array.collect(keys(session.hosts)):filter(subhost_filter)>0)) then
+				count_in = count_in + 1;
+				print("    "..host.." <- "..(session.from_host or "(unknown)")..(session.cert_identity_status == "valid" and " (secure)" or "")..(session.secure and " (encrypted)" or "")..(session.compressed and " (compressed)" or ""));
+				if session.type == "s2sin_unauthed" then
+						print("        Connection not yet authenticated");
+				end
+				for name in pairs(session.hosts) do
+					if name ~= session.from_host then
+						print("        also hosts "..tostring(name));
+					end
+				end
+			end
+		end
+		
+		print = _print;
+	end
+	
+	for session in pairs(incoming_s2s) do
+		if not session.to_host and ((not match_jid) or session.from_host and session.from_host:match(match_jid)) then
+			count_in = count_in + 1;
+			print("Other incoming s2s connections");
+			print("    (unknown) <- "..(session.from_host or "(unknown)"));			
+		end
+	end
+	
+	return true, "Total: "..count_out.." outgoing, "..count_in.." incoming connections";
+end
+
+local function print_subject(print, subject)
+	for _, entry in ipairs(subject) do
+		print(
+			("    %s: %q"):format(
+				entry.name or entry.oid,
+				entry.value:gsub("[\r\n%z%c]", " ")
+			)
+		);
+	end
+end
+
+function def_env.s2s:showcert(domain)
+	local ser = require "util.serialization".serialize;
+	local print = self.session.print;
+	local domain_sessions = set.new(array.collect(keys(incoming_s2s)))
+		/function(session) return session.from_host == domain; end;
+	for local_host in values(prosody.hosts) do
+		local s2sout = local_host.s2sout;
+		if s2sout and s2sout[domain] then
+			domain_sessions:add(s2sout[domain]);
+		end
+	end
+	local cert_set = {};
+	for session in domain_sessions do
+		local conn = session.conn;
+		conn = conn and conn:socket();
+		if not conn.getpeercertificate then
+			if conn.dohandshake then
+				error("This version of LuaSec does not support certificate viewing");
+			end
+		else
+			local cert = conn:getpeercertificate();
+			if cert then
+				local digest = cert:digest("sha1");
+				if not cert_set[digest] then
+					local chain_valid, chain_err = conn:getpeerchainvalid();
+					cert_set[digest] = {
+						{
+						  from = session.from_host,
+						  to = session.to_host,
+						  direction = session.direction
+						};
+						chain_valid = chain_valid;
+						chain_err = chain_err;
+						cert = cert;
+					};
+				else
+					table.insert(cert_set[digest], {
+						from = session.from_host,
+						to = session.to_host,
+						direction = session.direction
+					});
+				end
+			end
+		end
+	end
+	local domain_certs = array.collect(values(cert_set));
+	-- Phew. We now have a array of unique certificates presented by domain.
+	local print = self.session.print;
+	local n_certs = #domain_certs;
+	
+	if n_certs == 0 then
+		return "No certificates found for "..domain;
+	end
+	
+	local function _capitalize_and_colon(byte)
+		return string.upper(byte)..":";
+	end
+	local function pretty_fingerprint(hash)
+		return hash:gsub("..", _capitalize_and_colon):sub(1, -2);
+	end
+	
+	for cert_info in values(domain_certs) do
+		local cert = cert_info.cert;
+		print("---")
+		print("Fingerprint (SHA1): "..pretty_fingerprint(cert:digest("sha1")));
+		print("");
+		local n_streams = #cert_info;
+		print("Currently used on "..n_streams.." stream"..(n_streams==1 and "" or "s")..":");
+		for _, stream in ipairs(cert_info) do
+			if stream.direction == "incoming" then
+				print("    "..stream.to.." <- "..stream.from);
+			else
+				print("    "..stream.from.." -> "..stream.to);
+			end
+		end
+		print("");
+		local chain_valid, err = cert_info.chain_valid, cert_info.chain_err;
+		local valid_identity = cert_verify_identity(domain, "xmpp-server", cert);
+		print("Trusted certificate: "..(chain_valid and "Yes" or ("No ("..err..")")));
+		print("Issuer: ");
+		print_subject(print, cert:issuer());
+		print("");
+		print("Valid for "..domain..": "..(valid_identity and "Yes" or "No"));
+		print("Subject:");
+		print_subject(print, cert:subject());
+	end
+	print("---");
+	return ("Showing "..n_certs.." certificate"
+		..(n_certs==1 and "" or "s")
+		.." presented by "..domain..".");
+end
+
+function def_env.s2s:close(from, to)
+	local print, count = self.session.print, 0;
+	
+	if not (from and to) then
+		return false, "Syntax: s2s:close('from', 'to') - Closes all s2s sessions from 'from' to 'to'";
+	elseif from == to then
+		return false, "Both from and to are the same... you can't do that :)";
+	end
+	
+	if hosts[from] and not hosts[to] then
+		-- Is an outgoing connection
+		local session = hosts[from].s2sout[to];
+		if not session then
+			print("No outgoing connection from "..from.." to "..to)
+		else
+			(session.close or s2smanager.destroy_session)(session);
+			count = count + 1;
+			print("Closed outgoing session from "..from.." to "..to);
+		end
+	elseif hosts[to] and not hosts[from] then
+		-- Is an incoming connection
+		for session in pairs(incoming_s2s) do
+			if session.to_host == to and session.from_host == from then
+				(session.close or s2smanager.destroy_session)(session);
+				count = count + 1;
+			end
+		end
+		
+		if count == 0 then
+			print("No incoming connections from "..from.." to "..to);
+		else
+			print("Closed "..count.." incoming session"..((count == 1 and "") or "s").." from "..from.." to "..to);
+		end
+	elseif hosts[to] and hosts[from] then
+		return false, "Both of the hostnames you specified are local, there are no s2s sessions to close";
+	else
+		return false, "Neither of the hostnames you specified are being used on this server";
+	end
+	
+	return true, "Closed "..count.." s2s session"..((count == 1 and "") or "s");
+end
+
+def_env.host = {}; def_env.hosts = def_env.host;
+
+function def_env.host:activate(hostname, config)
+	return hostmanager.activate(hostname, config);
+end
+function def_env.host:deactivate(hostname, reason)
+	return hostmanager.deactivate(hostname, reason);
+end
+
+function def_env.host:list()
+	local print = self.session.print;
+	local i = 0;
+	for host in values(array.collect(keys(prosody.hosts)):sort()) do
+		i = i + 1;
+		print(host);
+	end
+	return true, i.." hosts";
+end
+
+-------------
+
+function printbanner(session)
+	local option = config.get("*", "core", "console_banner");
+if option == nil or option == "full" or option == "graphic" then
+session.print [[
+                   ____                \   /     _       
+                    |  _ \ _ __ ___  ___  _-_   __| |_   _ 
+                    | |_) | '__/ _ \/ __|/ _ \ / _` | | | |
+                    |  __/| | | (_) \__ \ |_| | (_| | |_| |
+                    |_|   |_|  \___/|___/\___/ \__,_|\__, |
+                    A study in simplicity            |___/ 
+
+]]
+end
+if option == nil or option == "short" or option == "full" then
+session.print("Welcome to the Prosody administration console. For a list of commands, type: help");
+session.print("You may find more help on using this console in our online documentation at ");
+session.print("http://prosody.im/doc/console\n");
+end
+if option and option ~= "short" and option ~= "full" and option ~= "graphic" then
+	if type(option) == "string" then
+		session.print(option)
+	elseif type(option) == "function" then
+		setfenv(option, redirect_output(_G, session));
+		pcall(option, session);
+	end
+end
+end
+
+prosody.net_activate_ports("console", "console", {5582}, "tcp");
--- a/plugins/mod_bosh.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/plugins/mod_bosh.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -33,7 +33,6 @@
 local BOSH_DEFAULT_INACTIVITY = tonumber(module:get_option("bosh_max_inactivity")) or 60;
 local BOSH_DEFAULT_POLLING = tonumber(module:get_option("bosh_max_polling")) or 5;
 local BOSH_DEFAULT_REQUESTS = tonumber(module:get_option("bosh_max_requests")) or 2;
-local BOSH_DEFAULT_MAXPAUSE = tonumber(module:get_option("bosh_max_pause")) or 300;
 
 local consider_bosh_secure = module:get_option_boolean("consider_bosh_secure");
 
@@ -283,9 +282,17 @@
 		fire_event("stream-features", session, features);
 		--xmpp:version='1.0' xmlns:xmpp='urn:xmpp:xbosh'
 		local response = st.stanza("body", { xmlns = xmlns_bosh,
-									inactivity = tostring(BOSH_DEFAULT_INACTIVITY), polling = tostring(BOSH_DEFAULT_POLLING), requests = tostring(BOSH_DEFAULT_REQUESTS), hold = tostring(session.bosh_hold), maxpause = "120",
-									sid = sid, authid = sid, ver  = '1.6', from = session.host, secure = 'true', ["xmpp:version"] = "1.0",
-									["xmlns:xmpp"] = "urn:xmpp:xbosh", ["xmlns:stream"] = "http://etherx.jabber.org/streams" }):add_child(features);
+			wait = attr.wait,
+			inactivity = tostring(BOSH_DEFAULT_INACTIVITY),
+			polling = tostring(BOSH_DEFAULT_POLLING),
+			requests = tostring(BOSH_DEFAULT_REQUESTS),
+			hold = tostring(session.bosh_hold),
+			sid = sid, authid = sid,
+			ver  = '1.6', from = session.host,
+			secure = 'true', ["xmpp:version"] = "1.0",
+			["xmlns:xmpp"] = "urn:xmpp:xbosh",
+			["xmlns:stream"] = "http://etherx.jabber.org/streams"
+		}):add_child(features);
 		request:send{ headers = default_headers, body = tostring(response) };
 		
 		request.sid = sid;
--- a/plugins/mod_console.lua	Tue Dec 14 18:54:55 2010 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,759 +0,0 @@
--- Prosody IM
--- Copyright (C) 2008-2010 Matthew Wild
--- Copyright (C) 2008-2010 Waqas Hussain
--- 
--- This project is MIT/X11 licensed. Please see the
--- COPYING file in the source package for more information.
---
-
-module.host = "*";
-
-local _G = _G;
-
-local prosody = _G.prosody;
-local hosts = prosody.hosts;
-local connlisteners_register = require "net.connlisteners".register;
-
-local console_listener = { default_port = 5582; default_mode = "*l"; default_interface = "127.0.0.1" };
-
-require "util.iterators";
-local jid_bare = require "util.jid".bare;
-local set, array = require "util.set", require "util.array";
-local cert_verify_identity = require "util.certverification".verify_identity;
-
-local commands = {};
-local def_env = {};
-local default_env_mt = { __index = def_env };
-
-prosody.console = { commands = commands, env = def_env };
-
-local function redirect_output(_G, session)
-	local env = setmetatable({ print = session.print }, { __index = function (t, k) return rawget(_G, k); end });
-	env.dofile = function(name)
-		local f, err = loadfile(name);
-		if not f then return f, err; end
-		return setfenv(f, env)();
-	end;
-	return env;
-end
-
-console = {};
-
-function console:new_session(conn)
-	local w = function(s) conn:write(s:gsub("\n", "\r\n")); end;
-	local session = { conn = conn;
-			send = function (t) w(tostring(t)); end;
-			print = function (...)
-				local t = {};
-				for i=1,select("#", ...) do
-					t[i] = tostring(select(i, ...));
-				end
-				w("| "..table.concat(t, "\t").."\n");
-			end;
-			disconnect = function () conn:close(); end;
-			};
-	session.env = setmetatable({}, default_env_mt);
-	
-	-- Load up environment with helper objects
-	for name, t in pairs(def_env) do
-		if type(t) == "table" then
-			session.env[name] = setmetatable({ session = session }, { __index = t });
-		end
-	end
-	
-	return session;
-end
-
-local sessions = {};
-
-function console_listener.onconnect(conn)
-	-- Handle new connection
-	local session = console:new_session(conn);
-	sessions[conn] = session;
-	printbanner(session);
-	session.send(string.char(0));
-end
-
-function console_listener.onincoming(conn, data)
-	local session = sessions[conn];
-
-	-- Handle data
-	(function(session, data)
-		local useglobalenv;
-		
-		if data:match("^>") then
-			data = data:gsub("^>", "");
-			useglobalenv = true;
-		elseif data == "\004" then
-			commands["bye"](session, data);
-			return;
-		else
-			local command = data:lower();
-			command = data:match("^%w+") or data:match("%p");
-			if commands[command] then
-				commands[command](session, data);
-				return;
-			end
-		end
-
-		session.env._ = data;
-		
-		local chunkname = "=console";
-		local chunk, err = loadstring("return "..data, chunkname);
-		if not chunk then
-			chunk, err = loadstring(data, chunkname);
-			if not chunk then
-				err = err:gsub("^%[string .-%]:%d+: ", "");
-				err = err:gsub("^:%d+: ", "");
-				err = err:gsub("'<eof>'", "the end of the line");
-				session.print("Sorry, I couldn't understand that... "..err);
-				return;
-			end
-		end
-		
-		setfenv(chunk, (useglobalenv and redirect_output(_G, session)) or session.env or nil);
-		
-		local ranok, taskok, message = pcall(chunk);
-		
-		if not (ranok or message or useglobalenv) and commands[data:lower()] then
-			commands[data:lower()](session, data);
-			return;
-		end
-		
-		if not ranok then
-			session.print("Fatal error while running command, it did not complete");
-			session.print("Error: "..taskok);
-			return;
-		end
-		
-		if not message then
-			session.print("Result: "..tostring(taskok));
-			return;
-		elseif (not taskok) and message then
-			session.print("Command completed with a problem");
-			session.print("Message: "..tostring(message));
-			return;
-		end
-		
-		session.print("OK: "..tostring(message));
-	end)(session, data);
-	
-	session.send(string.char(0));
-end
-
-function console_listener.ondisconnect(conn, err)
-	local session = sessions[conn];
-	if session then
-		session.disconnect();
-		sessions[conn] = nil;
-	end
-end
-
-connlisteners_register('console', console_listener);
-
--- Console commands --
--- These are simple commands, not valid standalone in Lua
-
-function commands.bye(session)
-	session.print("See you! :)");
-	session.disconnect();
-end
-commands.quit, commands.exit = commands.bye, commands.bye;
-
-commands["!"] = function (session, data)
-	if data:match("^!!") and session.env._ then
-		session.print("!> "..session.env._);
-		return console_listener.onincoming(session.conn, session.env._);
-	end
-	local old, new = data:match("^!(.-[^\\])!(.-)!$");
-	if old and new then
-		local ok, res = pcall(string.gsub, session.env._, old, new);
-		if not ok then
-			session.print(res)
-			return;
-		end
-		session.print("!> "..res);
-		return console_listener.onincoming(session.conn, res);
-	end
-	session.print("Sorry, not sure what you want");
-end
-
-
-function commands.help(session, data)
-	local print = session.print;
-	local section = data:match("^help (%w+)");
-	if not section then
-		print [[Commands are divided into multiple sections. For help on a particular section, ]]
-		print [[type: help SECTION (for example, 'help c2s'). Sections are: ]]
-		print [[]]
-		print [[c2s - Commands to manage local client-to-server sessions]]
-		print [[s2s - Commands to manage sessions between this server and others]]
-		print [[module - Commands to load/reload/unload modules/plugins]]
-		print [[host - Commands to activate, deactivate and list virtual hosts]]
-		print [[server - Uptime, version, shutting down, etc.]]
-		print [[config - Reloading the configuration, etc.]]
-		print [[console - Help regarding the console itself]]
-	elseif section == "c2s" then
-		print [[c2s:show(jid) - Show all client sessions with the specified JID (or all if no JID given)]]
-		print [[c2s:show_insecure() - Show all unencrypted client connections]]
-		print [[c2s:show_secure() - Show all encrypted client connections]]
-		print [[c2s:close(jid) - Close all sessions for the specified JID]]
-	elseif section == "s2s" then
-		print [[s2s:show(domain) - Show all s2s connections for the given domain (or all if no domain given)]]
-		print [[s2s:close(from, to) - Close a connection from one domain to another]]
-	elseif section == "module" then
-		print [[module:load(module, host) - Load the specified module on the specified host (or all hosts if none given)]]
-		print [[module:reload(module, host) - The same, but unloads and loads the module (saving state if the module supports it)]]
-		print [[module:unload(module, host) - The same, but just unloads the module from memory]]
-		print [[module:list(host) - List the modules loaded on the specified host]]
-	elseif section == "host" then
-		print [[host:activate(hostname) - Activates the specified host]]
-		print [[host:deactivate(hostname) - Disconnects all clients on this host and deactivates]]
-		print [[host:list() - List the currently-activated hosts]]
-	elseif section == "server" then
-		print [[server:version() - Show the server's version number]]
-		print [[server:uptime() - Show how long the server has been running]]
-		print [[server:shutdown(reason) - Shut down the server, with an optional reason to be broadcast to all connections]]
-	elseif section == "config" then
-		print [[config:reload() - Reload the server configuration. Modules may need to be reloaded for changes to take effect.]]
-	elseif section == "console" then
-		print [[Hey! Welcome to Prosody's admin console.]]
-		print [[First thing, if you're ever wondering how to get out, simply type 'quit'.]]
-		print [[Secondly, note that we don't support the full telnet protocol yet (it's coming)]]
-		print [[so you may have trouble using the arrow keys, etc. depending on your system.]]
-		print [[]]
-		print [[For now we offer a couple of handy shortcuts:]]
-		print [[!! - Repeat the last command]]
-		print [[!old!new! - repeat the last command, but with 'old' replaced by 'new']]
-		print [[]]
-		print [[For those well-versed in Prosody's internals, or taking instruction from those who are,]]
-		print [[you can prefix a command with > to escape the console sandbox, and access everything in]]
-		print [[the running server. Great fun, but be careful not to break anything :)]]
-	end
-	print [[]]
-end
-
--- Session environment --
--- Anything in def_env will be accessible within the session as a global variable
-
-def_env.server = {};
-
-function def_env.server:insane_reload()
-	prosody.unlock_globals();
-	dofile "prosody"
-	prosody = _G.prosody;
-	return true, "Server reloaded";
-end
-
-function def_env.server:version()
-	return true, tostring(prosody.version or "unknown");
-end
-
-function def_env.server:uptime()
-	local t = os.time()-prosody.start_time;
-	local seconds = t%60;
-	t = (t - seconds)/60;
-	local minutes = t%60;
-	t = (t - minutes)/60;
-	local hours = t%24;
-	t = (t - hours)/24;
-	local days = t;
-	return true, string.format("This server has been running for %d day%s, %d hour%s and %d minute%s (since %s)",
-		days, (days ~= 1 and "s") or "", hours, (hours ~= 1 and "s") or "",
-		minutes, (minutes ~= 1 and "s") or "", os.date("%c", prosody.start_time));
-end
-
-function def_env.server:shutdown(reason)
-	prosody.shutdown(reason);
-	return true, "Shutdown initiated";
-end
-
-def_env.module = {};
-
-local function get_hosts_set(hosts, module)
-	if type(hosts) == "table" then
-		if hosts[1] then
-			return set.new(hosts);
-		elseif hosts._items then
-			return hosts;
-		end
-	elseif type(hosts) == "string" then
-		return set.new { hosts };
-	elseif hosts == nil then
-		local mm = require "modulemanager";
-		return set.new(array.collect(keys(prosody.hosts)))
-			/ function (host) return prosody.hosts[host].type == "local" or module and mm.is_loaded(host, module); end;
-	end
-end
-
-function def_env.module:load(name, hosts, config)
-	local mm = require "modulemanager";
-	
-	hosts = get_hosts_set(hosts);
-	
-	-- Load the module for each host
-	local ok, err, count = true, nil, 0;
-	for host in hosts do
-		if (not mm.is_loaded(host, name)) then
-			ok, err = mm.load(host, name, config);
-			if not ok then
-				ok = false;
-				self.session.print(err or "Unknown error loading module");
-			else
-				count = count + 1;
-				self.session.print("Loaded for "..host);
-			end
-		end
-	end
-	
-	return ok, (ok and "Module loaded onto "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));	
-end
-
-function def_env.module:unload(name, hosts)
-	local mm = require "modulemanager";
-
-	hosts = get_hosts_set(hosts, name);
-	
-	-- Unload the module for each host
-	local ok, err, count = true, nil, 0;
-	for host in hosts do
-		if mm.is_loaded(host, name) then
-			ok, err = mm.unload(host, name);
-			if not ok then
-				ok = false;
-				self.session.print(err or "Unknown error unloading module");
-			else
-				count = count + 1;
-				self.session.print("Unloaded from "..host);
-			end
-		end
-	end
-	return ok, (ok and "Module unloaded from "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));
-end
-
-function def_env.module:reload(name, hosts)
-	local mm = require "modulemanager";
-
-	hosts = get_hosts_set(hosts, name);
-	
-	-- Reload the module for each host
-	local ok, err, count = true, nil, 0;
-	for host in hosts do
-		if mm.is_loaded(host, name) then
-			ok, err = mm.reload(host, name);
-			if not ok then
-				ok = false;
-				self.session.print(err or "Unknown error reloading module");
-			else
-				count = count + 1;
-				if ok == nil then
-					ok = true;
-				end
-				self.session.print("Reloaded on "..host);
-			end
-		end
-	end
-	return ok, (ok and "Module reloaded on "..count.." host"..(count ~= 1 and "s" or "")) or ("Last error: "..tostring(err));
-end
-
-function def_env.module:list(hosts)
-	if hosts == nil then
-		hosts = array.collect(keys(prosody.hosts));
-	end
-	if type(hosts) == "string" then
-		hosts = { hosts };
-	end
-	if type(hosts) ~= "table" then
-		return false, "Please supply a host or a list of hosts you would like to see";
-	end
-	
-	local print = self.session.print;
-	for _, host in ipairs(hosts) do
-		print(host..":");
-		local modules = array.collect(keys(prosody.hosts[host] and prosody.hosts[host].modules or {})):sort();
-		if #modules == 0 then
-			if prosody.hosts[host] then
-				print("    No modules loaded");
-			else
-				print("    Host not found");
-			end
-		else
-			for _, name in ipairs(modules) do
-				print("    "..name);
-			end
-		end
-	end
-end
-
-def_env.config = {};
-function def_env.config:load(filename, format)
-	local config_load = require "core.configmanager".load;
-	local ok, err = config_load(filename, format);
-	if not ok then
-		return false, err or "Unknown error loading config";
-	end
-	return true, "Config loaded";
-end
-
-function def_env.config:get(host, section, key)
-	local config_get = require "core.configmanager".get
-	return true, tostring(config_get(host, section, key));
-end
-
-function def_env.config:reload()
-	local ok, err = prosody.reload_config();
-	return ok, (ok and "Config reloaded (you may need to reload modules to take effect)") or tostring(err);
-end
-
-def_env.hosts = {};
-function def_env.hosts:list()
-	for host, host_session in pairs(hosts) do
-		self.session.print(host);
-	end
-	return true, "Done";
-end
-
-function def_env.hosts:add(name)
-end
-
-def_env.c2s = {};
-
-local function show_c2s(callback)
-	for hostname, host in pairs(hosts) do
-		for username, user in pairs(host.sessions or {}) do
-			for resource, session in pairs(user.sessions or {}) do
-				local jid = username.."@"..hostname.."/"..resource;
-				callback(jid, session);
-			end
-		end
-	end
-end
-
-function def_env.c2s:show(match_jid)
-	local print, count = self.session.print, 0;
-	local curr_host;
-	show_c2s(function (jid, session)
-		if curr_host ~= session.host then
-			curr_host = session.host;
-			print(curr_host);
-		end
-		if (not match_jid) or jid:match(match_jid) then
-			count = count + 1;
-			local status, priority = "unavailable", tostring(session.priority or "-");
-			if session.presence then
-				status = session.presence:child_with_name("show");
-				if status then
-					status = status:get_text() or "[invalid!]";
-				else
-					status = "available";
-				end
-			end
-			print("   "..jid.." - "..status.."("..priority..")");
-		end		
-	end);
-	return true, "Total: "..count.." clients";
-end
-
-function def_env.c2s:show_insecure(match_jid)
-	local print, count = self.session.print, 0;
-	show_c2s(function (jid, session)
-		if ((not match_jid) or jid:match(match_jid)) and not session.secure then
-			count = count + 1;
-			print(jid);
-		end		
-	end);
-	return true, "Total: "..count.." insecure client connections";
-end
-
-function def_env.c2s:show_secure(match_jid)
-	local print, count = self.session.print, 0;
-	show_c2s(function (jid, session)
-		if ((not match_jid) or jid:match(match_jid)) and session.secure then
-			count = count + 1;
-			print(jid);
-		end		
-	end);
-	return true, "Total: "..count.." secure client connections";
-end
-
-function def_env.c2s:close(match_jid)
-	local print, count = self.session.print, 0;
-	show_c2s(function (jid, session)
-		if jid == match_jid or jid_bare(jid) == match_jid then
-			count = count + 1;
-			session:close();
-		end
-	end);
-	return true, "Total: "..count.." sessions closed";
-end
-
-def_env.s2s = {};
-function def_env.s2s:show(match_jid)
-	local _print = self.session.print;
-	local print = self.session.print;
-	
-	local count_in, count_out = 0,0;
-	
-	for host, host_session in pairs(hosts) do
-		print = function (...) _print(host); _print(...); print = _print; end
-		for remotehost, session in pairs(host_session.s2sout) do
-			if (not match_jid) or remotehost:match(match_jid) or host:match(match_jid) then
-				count_out = count_out + 1;
-				print("    "..host.." -> "..remotehost..(session.cert_identity_status == "valid" and " (secure)" or "")..(session.secure and " (encrypted)" or "")..(session.compressed and " (compressed)" or ""));
-				if session.sendq then
-					print("        There are "..#session.sendq.." queued outgoing stanzas for this connection");
-				end
-				if session.type == "s2sout_unauthed" then
-					if session.connecting then
-						print("        Connection not yet established");
-						if not session.srv_hosts then
-							if not session.conn then
-								print("        We do not yet have a DNS answer for this host's SRV records");
-							else
-								print("        This host has no SRV records, using A record instead");
-							end
-						elseif session.srv_choice then
-							print("        We are on SRV record "..session.srv_choice.." of "..#session.srv_hosts);
-							local srv_choice = session.srv_hosts[session.srv_choice];
-							print("        Using "..(srv_choice.target or ".")..":"..(srv_choice.port or 5269));
-						end
-					elseif session.notopen then
-						print("        The <stream> has not yet been opened");
-					elseif not session.dialback_key then
-						print("        Dialback has not been initiated yet");
-					elseif session.dialback_key then
-						print("        Dialback has been requested, but no result received");
-					end
-				end
-			end
-		end	
-		local subhost_filter = function (h)
-				return (match_jid and h:match(match_jid));
-			end
-		for session in pairs(incoming_s2s) do
-			if session.to_host == host and ((not match_jid) or host:match(match_jid)
-				or (session.from_host and session.from_host:match(match_jid))
-				-- Pft! is what I say to list comprehensions
-				or (session.hosts and #array.collect(keys(session.hosts)):filter(subhost_filter)>0)) then
-				count_in = count_in + 1;
-				print("    "..host.." <- "..(session.from_host or "(unknown)")..(session.cert_identity_status == "valid" and " (secure)" or "")..(session.secure and " (encrypted)" or "")..(session.compressed and " (compressed)" or ""));
-				if session.type == "s2sin_unauthed" then
-						print("        Connection not yet authenticated");
-				end
-				for name in pairs(session.hosts) do
-					if name ~= session.from_host then
-						print("        also hosts "..tostring(name));
-					end
-				end
-			end
-		end
-		
-		print = _print;
-	end
-	
-	for session in pairs(incoming_s2s) do
-		if not session.to_host and ((not match_jid) or session.from_host and session.from_host:match(match_jid)) then
-			count_in = count_in + 1;
-			print("Other incoming s2s connections");
-			print("    (unknown) <- "..(session.from_host or "(unknown)"));			
-		end
-	end
-	
-	return true, "Total: "..count_out.." outgoing, "..count_in.." incoming connections";
-end
-
-local function print_subject(print, subject)
-	for _, entry in ipairs(subject) do
-		print(
-			("    %s: %q"):format(
-				entry.name or entry.oid,
-				entry.value:gsub("[\r\n%z%c]", " ")
-			)
-		);
-	end
-end
-
-function def_env.s2s:showcert(domain)
-	local ser = require "util.serialization".serialize;
-	local print = self.session.print;
-	local domain_sessions = set.new(array.collect(keys(incoming_s2s)))
-		/function(session) return session.from_host == domain; end;
-	for local_host in values(prosody.hosts) do
-		local s2sout = local_host.s2sout;
-		if s2sout and s2sout[domain] then
-			domain_sessions:add(s2sout[domain]);
-		end
-	end
-	local cert_set = {};
-	for session in domain_sessions do
-		local conn = session.conn;
-		conn = conn and conn:socket();
-		if not conn.getpeercertificate then
-			if conn.dohandshake then
-				error("This version of LuaSec does not support certificate viewing");
-			end
-		else
-			local cert = conn:getpeercertificate();
-			if cert then
-				local digest = cert:digest("sha1");
-				if not cert_set[digest] then
-					local chain_valid, chain_err = conn:getpeerchainvalid();
-					cert_set[digest] = {
-						{
-						  from = session.from_host,
-						  to = session.to_host,
-						  direction = session.direction
-						};
-						chain_valid = chain_valid;
-						chain_err = chain_err;
-						cert = cert;
-					};
-				else
-					table.insert(cert_set[digest], {
-						from = session.from_host,
-						to = session.to_host,
-						direction = session.direction
-					});
-				end
-			end
-		end
-	end
-	local domain_certs = array.collect(values(cert_set));
-	-- Phew. We now have a array of unique certificates presented by domain.
-	local print = self.session.print;
-	local n_certs = #domain_certs;
-	
-	if n_certs == 0 then
-		return "No certificates found for "..domain;
-	end
-	
-	local function _capitalize_and_colon(byte)
-		return string.upper(byte)..":";
-	end
-	local function pretty_fingerprint(hash)
-		return hash:gsub("..", _capitalize_and_colon):sub(1, -2);
-	end
-	
-	for cert_info in values(domain_certs) do
-		local cert = cert_info.cert;
-		print("---")
-		print("Fingerprint (SHA1): "..pretty_fingerprint(cert:digest("sha1")));
-		print("");
-		local n_streams = #cert_info;
-		print("Currently used on "..n_streams.." stream"..(n_streams==1 and "" or "s")..":");
-		for _, stream in ipairs(cert_info) do
-			if stream.direction == "incoming" then
-				print("    "..stream.to.." <- "..stream.from);
-			else
-				print("    "..stream.from.." -> "..stream.to);
-			end
-		end
-		print("");
-		local chain_valid, err = cert_info.chain_valid, cert_info.chain_err;
-		local valid_identity = cert_verify_identity(domain, "xmpp-server", cert);
-		print("Trusted certificate: "..(chain_valid and "Yes" or ("No ("..err..")")));
-		print("Issuer: ");
-		print_subject(print, cert:issuer());
-		print("");
-		print("Valid for "..domain..": "..(valid_identity and "Yes" or "No"));
-		print("Subject:");
-		print_subject(print, cert:subject());
-	end
-	print("---");
-	return ("Showing "..n_certs.." certificate"
-		..(n_certs==1 and "" or "s")
-		.." presented by "..domain..".");
-end
-
-function def_env.s2s:close(from, to)
-	local print, count = self.session.print, 0;
-	
-	if not (from and to) then
-		return false, "Syntax: s2s:close('from', 'to') - Closes all s2s sessions from 'from' to 'to'";
-	elseif from == to then
-		return false, "Both from and to are the same... you can't do that :)";
-	end
-	
-	if hosts[from] and not hosts[to] then
-		-- Is an outgoing connection
-		local session = hosts[from].s2sout[to];
-		if not session then
-			print("No outgoing connection from "..from.." to "..to)
-		else
-			(session.close or s2smanager.destroy_session)(session);
-			count = count + 1;
-			print("Closed outgoing session from "..from.." to "..to);
-		end
-	elseif hosts[to] and not hosts[from] then
-		-- Is an incoming connection
-		for session in pairs(incoming_s2s) do
-			if session.to_host == to and session.from_host == from then
-				(session.close or s2smanager.destroy_session)(session);
-				count = count + 1;
-			end
-		end
-		
-		if count == 0 then
-			print("No incoming connections from "..from.." to "..to);
-		else
-			print("Closed "..count.." incoming session"..((count == 1 and "") or "s").." from "..from.." to "..to);
-		end
-	elseif hosts[to] and hosts[from] then
-		return false, "Both of the hostnames you specified are local, there are no s2s sessions to close";
-	else
-		return false, "Neither of the hostnames you specified are being used on this server";
-	end
-	
-	return true, "Closed "..count.." s2s session"..((count == 1 and "") or "s");
-end
-
-def_env.host = {}; def_env.hosts = def_env.host;
-
-function def_env.host:activate(hostname, config)
-	return hostmanager.activate(hostname, config);
-end
-function def_env.host:deactivate(hostname, reason)
-	return hostmanager.deactivate(hostname, reason);
-end
-
-function def_env.host:list()
-	local print = self.session.print;
-	local i = 0;
-	for host in values(array.collect(keys(prosody.hosts)):sort()) do
-		i = i + 1;
-		print(host);
-	end
-	return true, i.." hosts";
-end
-
--------------
-
-function printbanner(session)
-	local option = config.get("*", "core", "console_banner");
-if option == nil or option == "full" or option == "graphic" then
-session.print [[
-                   ____                \   /     _       
-                    |  _ \ _ __ ___  ___  _-_   __| |_   _ 
-                    | |_) | '__/ _ \/ __|/ _ \ / _` | | | |
-                    |  __/| | | (_) \__ \ |_| | (_| | |_| |
-                    |_|   |_|  \___/|___/\___/ \__,_|\__, |
-                    A study in simplicity            |___/ 
-
-]]
-end
-if option == nil or option == "short" or option == "full" then
-session.print("Welcome to the Prosody administration console. For a list of commands, type: help");
-session.print("You may find more help on using this console in our online documentation at ");
-session.print("http://prosody.im/doc/console\n");
-end
-if option and option ~= "short" and option ~= "full" and option ~= "graphic" then
-	if type(option) == "string" then
-		session.print(option)
-	elseif type(option) == "function" then
-		setfenv(option, redirect_output(_G, session));
-		pcall(option, session);
-	end
-end
-end
-
-prosody.net_activate_ports("console", "console", {5582}, "tcp");
--- a/plugins/mod_pep.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/plugins/mod_pep.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -134,7 +134,8 @@
 					publish_all(user, recipient, origin);
 				else
 					recipients[user][recipient] = hash;
-					if self or origin.type ~= "c2s" then
+					local from_bare = origin.type == "c2s" and origin.username.."@"..origin.host;
+					if self or origin.type ~= "c2s" or (recipients[from_bare] and recipients[from_bare][origin.full_jid]) ~= hash then
 						origin.send(
 							st.stanza("iq", {from=stanza.attr.to, to=stanza.attr.from, id="disco", type="get"})
 								:query("http://jabber.org/protocol/disco#info")
--- a/plugins/mod_pubsub.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/plugins/mod_pubsub.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -166,8 +166,40 @@
 
 module:hook("iq/host/http://jabber.org/protocol/pubsub:pubsub", handle_pubsub_iq);
 
+local disco_info = st.stanza("query", { xmlns = "http://jabber.org/protocol/disco#info" })
+	:tag("identity", { category = "pubsub", type = "service" }):up()
+	:tag("feature", { var = "http://jabber.org/protocol/pubsub" }):up();
+
+module:hook("iq-get/host/http://jabber.org/protocol/disco#info:query", function (event)
+	event.origin.send(st.reply(event.stanza):add_child(disco_info));
+	return true;
+end);
+
+module:hook("iq-get/host/http://jabber.org/protocol/disco#items:query", function (event)
+	local ok, ret = service:get_nodes(event.stanza.attr.from);
+	if not ok then
+		event.origin.send(pubsub_error_reply(stanza, ret));
+	else
+		local reply = st.reply(event.stanza)
+			:tag("query", { xmlns = "http://jabber.org/protocol/disco#items" });
+		for node, node_obj in pairs(ret) do
+			reply:tag("item", { jid = module.host, node = node, name = node_obj.config.name }):up();
+		end
+		event.origin.send(reply);
+	end
+	return true;
+end);
+
 service = pubsub.new({
 	broadcaster = simple_broadcast
 });
 module.environment.service = service;
 
+function module.save()
+	return { service = service };
+end
+
+function module.restore(data)
+	service = data.service;
+	module.environment.service = service;
+end
--- a/plugins/mod_saslauth.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/plugins/mod_saslauth.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -14,7 +14,7 @@
 local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
 local base64 = require "util.encodings".base64;
 
-local cert_verify_identity = require "util.certverification".verify_identity;
+local cert_verify_identity = require "util.x509".verify_identity;
 
 local nodeprep = require "util.encodings".stringprep.nodeprep;
 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/plugins/mod_storage_sql.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -0,0 +1,239 @@
+
+--[[
+
+DB Tables:
+	Prosody - key-value, map
+		| host | user | store | key | subkey | type | value |
+	ProsodyArchive - list
+		| host | user | store | key | time | stanzatype | jsonvalue |
+
+Mapping:
+	Roster - Prosody
+		| host | user | "roster" | "contactjid" | item-subkey | type | value |
+		| host | user | "roster" | NULL | NULL | "json" | roster[false] data |
+	Account - Prosody
+		| host | user | "accounts" | "username" | NULL | type | value |
+
+	Offline - ProsodyArchive
+		| host | user | "offline" | "contactjid" | time | "message" | json|XML |
+
+]]
+
+local type = type;
+local tostring = tostring;
+local tonumber = tonumber;
+local pairs = pairs;
+local next = next;
+local setmetatable = setmetatable;
+local json = { stringify = function(s) return require"util.serialization".serialize(s) end, parse = require"util.serialization".deserialze };
+
+local connection = ...;
+local host,user,store = module.host;
+
+do -- process options to get a db connection
+	local DBI = require "DBI";
+
+	local params = module:get_option("sql") or { driver = "SQLite3", database = "prosody.sqlite" };
+	assert(params and params.driver and params.database, "invalid params");
+	
+	prosody.unlock_globals();
+	local dbh, err = DBI.Connect(
+		params.driver, params.database,
+		params.username, params.password,
+		params.host, params.port
+	);
+	prosody.lock_globals();
+	assert(dbh, err);
+
+	dbh:autocommit(false); -- don't commit automatically
+	connection = dbh;
+	
+	if params.driver == "SQLite3" then -- auto initialize
+		local stmt = assert(connection:prepare("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Prosody';"));
+		local ok = assert(stmt:execute());
+		local count = stmt:fetch()[1];
+		if count == 0 then
+			local stmt = assert(connection:prepare("CREATE TABLE Prosody (host TEXT, user TEXT, store TEXT, key TEXT, subkey TEXT, type TEXT, value TEXT);"));
+			assert(stmt:execute());
+			assert(connection:commit());
+			module:log("debug", "Initialized new SQLite3 database");
+		end
+		--print("===", json.stringify())
+	end
+end
+
+local function serialize(value)
+	local t = type(value);
+	if t == "string" or t == "boolean" or t == "number" then
+		return t, tostring(value);
+	elseif t == "table" then
+		local value,err = json.stringify(value);
+		if value then return "json", value; end
+		return nil, err;
+	end
+	return nil, "Unhandled value type: "..t;
+end
+local function deserialize(t, value)
+	if t == "string" then return value;
+	elseif t == "boolean" then
+		if value == "true" then return true;
+		elseif value == "false" then return false; end
+	elseif t == "number" then return tonumber(value);
+	elseif value == "json" then
+		return json.parse(value);
+	end
+end
+
+local function getsql(sql, ...)
+	-- do prepared statement stuff
+	local stmt, err = connection:prepare(sql);
+	if not stmt then return nil, err; end
+	-- run query
+	local ok, err = stmt:execute(host, user, store, ...);
+	if not ok then return nil, err; end
+	
+	return stmt;
+end
+local function setsql(sql, ...)
+	local stmt, err = getsql(sql, ...);
+	if not stmt then return stmt, err; end
+	return stmt:affected();
+end
+local function transact(...)
+	-- ...
+end
+local function rollback(...)
+	connection:rollback(); -- FIXME check for rollback error?
+	return ...;
+end
+local function commit(...)
+	if not connection:commit() then return nil, "SQL commit failed"; end
+	return ...;
+end
+
+local keyval_store = {};
+keyval_store.__index = keyval_store;
+function keyval_store:get(username)
+	user,store = username,self.store;
+	local stmt, err = getsql("SELECT * FROM Prosody WHERE host IS ? AND user IS ? AND store IS ? AND subkey IS NULL");
+	if not stmt then return nil, err; end
+	
+	local haveany;
+	local result = {};
+	for row in stmt:rows(true) do
+		haveany = true;
+		local k = row.key;
+		local v = deserialize(row.type, row.value);
+		if v then
+			if k then result[k] = v; elseif type(v) == "table" then
+				for a,b in pairs(v) do
+					result[a] = b;
+				end
+			end
+		end
+	end
+	return haveany and result or nil;
+end
+function keyval_store:set(username, data)
+	user,store = username,self.store;
+	-- start transaction
+	local affected, err = setsql("DELETE FROM Prosody WHERE host IS ? AND user IS ? AND store IS ? AND subkey IS NULL");
+	
+	if data and next(data) ~= nil then
+		local extradata = {};
+		for key, value in pairs(data) do
+			if type(key) == "string" then
+				local t, value = serialize(value);
+				if not t then return rollback(t, value); end
+				local ok, err = setsql("INSERT INTO Prosody (host,user,store,key,type,value) VALUES (?,?,?,?,?,?)", key, t, value);
+				if not ok then return rollback(ok, err); end
+			else
+				extradata[key] = value;
+			end
+		end
+		if next(extradata) ~= nil then
+			local t, extradata = serialize(extradata);
+			if not t then return rollback(t, extradata); end
+			local ok, err = setsql("INSERT INTO Prosody (host,user,store,key,type,value) VALUES (?,?,?,?,?,?)", nil, t, extradata);
+			if not ok then return rollback(ok, err); end
+		end
+	end
+	return commit(true);
+end
+
+local map_store = {};
+map_store.__index = map_store;
+function map_store:get(username, key)
+	user,store = username,self.store;
+	local stmt, err = getsql("SELECT * FROM Prosody WHERE host IS ? AND user IS ? AND store IS ? AND key IS ?", key);
+	if not stmt then return nil, err; end
+	
+	local haveany;
+	local result = {};
+	for row in stmt:rows(true) do
+		haveany = true;
+		local k = row.subkey;
+		local v = deserialize(row.type, row.value);
+		if v then
+			if k then result[k] = v; elseif type(v) == "table" then
+				for a,b in pairs(v) do
+					result[a] = b;
+				end
+			end
+		end
+	end
+	return haveany and result or nil;
+end
+function map_store:set(username, key, data)
+	user,store = username,self.store;
+	-- start transaction
+	local affected, err = setsql("DELETE FROM Prosody WHERE host IS ? AND user IS ? AND store IS ? AND key IS ?", key);
+	
+	if data and next(data) ~= nil then
+		local extradata = {};
+		for subkey, value in pairs(data) do
+			if type(subkey) == "string" then
+				local t, value = serialize(value);
+				if not t then return rollback(t, value); end
+				local ok, err = setsql("INSERT INTO Prosody (host,user,store,key,subkey,type,value) VALUES (?,?,?,?,?,?)", key, subkey, t, value);
+				if not ok then return rollback(ok, err); end
+			else
+				extradata[subkey] = value;
+			end
+		end
+		if next(extradata) ~= nil then
+			local t, extradata = serialize(extradata);
+			if not t then return rollback(t, extradata); end
+			local ok, err = setsql("INSERT INTO Prosody (host,user,store,key,subkey,type,value) VALUES (?,?,?,?,?,?)", key, nil, t, extradata);
+			if not ok then return rollback(ok, err); end
+		end
+	end
+	return commit(true);
+end
+
+local list_store = {};
+list_store.__index = list_store;
+function list_store:scan(username, from, to, jid, typ)
+	user,store = username,self.store;
+	
+	local cols = {"from", "to", "jid", "typ"};
+	local vals = { from ,  to ,  jid ,  typ };
+	local stmt, err;
+	local query = "SELECT * FROM ProsodyArchive WHERE host IS ? AND user IS ? AND store IS ?";
+	
+	query = query.." ORDER BY time";
+	--local stmt, err = getsql("SELECT * FROM Prosody WHERE host IS ? AND user IS ? AND store IS ? AND key IS ?", key);
+	
+	return nil, "not-implemented"
+end
+
+local driver = { name = "sql" };
+
+function driver:open(store, typ)
+	if not typ then -- default key-value store
+		return setmetatable({ store = store }, keyval_store);
+	end
+	return nil, "unsupported-store";
+end
+
+module:add_item("data-driver", driver);
--- a/prosody	Tue Dec 14 18:54:55 2010 +0100
+++ b/prosody	Fri Dec 17 13:50:33 2010 +0000
@@ -7,6 +7,8 @@
 -- COPYING file in the source package for more information.
 --
 
+-- prosody - main executable for Prosody XMPP server
+
 -- Will be modified by configure script if run --
 
 CFG_SOURCEDIR=os.getenv("PROSODY_SRCDIR");
--- a/prosodyctl	Tue Dec 14 18:54:55 2010 +0100
+++ b/prosodyctl	Fri Dec 17 13:50:33 2010 +0000
@@ -1,7 +1,7 @@
 #!/usr/bin/env lua
 -- Prosody IM
--- Copyright (C) 2008-2009 Matthew Wild
--- Copyright (C) 2008-2009 Waqas Hussain
+-- Copyright (C) 2008-2010 Matthew Wild
+-- Copyright (C) 2008-2010 Waqas Hussain
 -- 
 -- This project is MIT/X11 licensed. Please see the
 -- COPYING file in the source package for more information.
@@ -11,18 +11,20 @@
 
 -- Will be modified by configure script if run --
 
-CFG_SOURCEDIR=nil;
+CFG_SOURCEDIR=os.getenv("PROSODY_SRCDIR");
 CFG_CONFIGDIR=os.getenv("PROSODY_CFGDIR");
-CFG_PLUGINDIR=nil;
+CFG_PLUGINDIR=os.getenv("PROSODY_PLUGINDIR");
 CFG_DATADIR=os.getenv("PROSODY_DATADIR");
 
--- -- -- -- -- -- -- ---- -- -- -- -- -- -- -- --
+-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
 
+-- Tell Lua where to find our libraries
 if CFG_SOURCEDIR then
-	package.path = CFG_SOURCEDIR.."/?.lua;"..package.path
-	package.cpath = CFG_SOURCEDIR.."/?.so;"..package.cpath
+	package.path = CFG_SOURCEDIR.."/?.lua;"..package.path;
+	package.cpath = CFG_SOURCEDIR.."/?.so;"..package.cpath;
 end
 
+-- Substitute ~ with path to home directory in data path
 if CFG_DATADIR then
 	if os.getenv("HOME") then
 		CFG_DATADIR = CFG_DATADIR:gsub("^~", os.getenv("HOME"));
@@ -40,9 +42,30 @@
 config = require "core.configmanager"
 
 do
-	-- TODO: Check for other formats when we add support for them
-	-- Use lfs? Make a new conf/ dir?
-	local ok, level, err = config.load((CFG_CONFIGDIR or ".").."/prosody.cfg.lua");
+	local filenames = {};
+	
+	local filename;
+	if arg[1] == "--config" and arg[2] then
+		table.insert(filenames, arg[2]);
+		table.remove(arg, 1); table.remove(arg, 1);
+		if CFG_CONFIGDIR then
+			table.insert(filenames, CFG_CONFIGDIR.."/"..arg[2]);
+		end
+	else
+		for _, format in ipairs(config.parsers()) do
+			table.insert(filenames, (CFG_CONFIGDIR or ".").."/prosody.cfg."..format);
+		end
+	end
+	for _,_filename in ipairs(filenames) do
+		filename = _filename;
+		local file = io.open(filename);
+		if file then
+			file:close();
+			CFG_CONFIGDIR = filename:match("^(.*)[\\/][^\\/]*$");
+			break;
+		end
+	end
+	local ok, level, err = config.load(filename);
 	if not ok then
 		print("\n");
 		print("**************************");
@@ -509,11 +532,8 @@
 		return 1;
 	end
 	
-	local ret = commands.stop(arg);
-	if ret == 0 then
-		ret = commands.start(arg);
-	end
-	return ret;
+	commands.stop(arg);
+	return commands.start(arg);
 end
 
 -- ejabberdctl compatibility
--- a/util-src/windows.c	Tue Dec 14 18:54:55 2010 +0100
+++ b/util-src/windows.c	Fri Dec 17 13:50:33 2010 +0000
@@ -43,9 +43,38 @@
 	}
 }
 
+static void lassert(lua_State *L, BOOL test, char* string) {
+	if (!test) {
+		luaL_error(L, "%s: %d", string, GetLastError());
+	}
+}
+
+static int Lget_consolecolor(lua_State *L) {
+	HWND console = GetStdHandle(STD_OUTPUT_HANDLE);
+	WORD color; DWORD read_len;
+	
+	CONSOLE_SCREEN_BUFFER_INFO info;
+	
+	lassert(L, console != INVALID_HANDLE_VALUE, "GetStdHandle");
+	lassert(L, GetConsoleScreenBufferInfo(console, &info), "GetConsoleScreenBufferInfo");
+	lassert(L, ReadConsoleOutputAttribute(console, &color, sizeof(WORD), info.dwCursorPosition, &read_len), "ReadConsoleOutputAttribute");
+
+	lua_pushnumber(L, color);
+	return 1;
+}
+static int Lset_consolecolor(lua_State *L) {
+	int color = luaL_checkint(L, 1);
+	HWND console = GetStdHandle(STD_OUTPUT_HANDLE);
+	lassert(L, console != INVALID_HANDLE_VALUE, "GetStdHandle");
+	lassert(L, SetConsoleTextAttribute(console, color), "SetConsoleTextAttribute");
+	return 0;
+}
+
 static const luaL_Reg Reg[] =
 {
 	{ "get_nameservers",	Lget_nameservers	},
+	{ "get_consolecolor",	Lget_consolecolor	},
+	{ "set_consolecolor",	Lset_consolecolor	},
 	{ NULL,		NULL	}
 };
 
--- a/util/certverification.lua	Tue Dec 14 18:54:55 2010 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,211 +0,0 @@
--- Prosody IM
--- Copyright (C) 2010 Matthew Wild
--- Copyright (C) 2010 Paul Aurich
---
--- This project is MIT/X11 licensed. Please see the
--- COPYING file in the source package for more information.
---
-
--- TODO: I feel a fair amount of this logic should be integrated into Luasec,
--- so that everyone isn't re-inventing the wheel.  Dependencies on
--- IDN libraries complicate that.
-
-
--- [TLS-CERTS] - http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-10
--- [XMPP-CORE] - http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-18
--- [SRV-ID]    - http://tools.ietf.org/html/rfc4985
--- [IDNA]      - http://tools.ietf.org/html/rfc5890
--- [LDAP]      - http://tools.ietf.org/html/rfc4519
--- [PKIX]      - http://tools.ietf.org/html/rfc5280
-
-local nameprep = require "util.encodings".stringprep.nameprep;
-local idna_to_ascii = require "util.encodings".idna.to_ascii;
-local log = require "util.logger".init("certverification");
-
-module "certverification"
-
-local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3
-local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6
-local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE]
-local oid_dnssrv   = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
-
--- Compare a hostname (possibly international) with asserted names
--- extracted from a certificate.
--- This function follows the rules laid out in
--- sections 4.4.1 and 4.4.2 of [TLS-CERTS]
---
--- A wildcard ("*") all by itself is allowed only as the left-most label
-local function compare_dnsname(host, asserted_names)
-	-- TODO: Sufficient normalization?  Review relevant specs.
-	local norm_host = idna_to_ascii(host)
-	if norm_host == nil then
-		log("info", "Host %s failed IDNA ToASCII operation", host)
-		return false
-	end
-
-	norm_host = norm_host:lower()
-
-	local host_chopped = norm_host:gsub("^[^.]+%.", "") -- everything after the first label
-
-	for i=1,#asserted_names do
-		local name = asserted_names[i]
-		if norm_host == name:lower() then
-			log("debug", "Cert dNSName %s matched hostname", name);
-			return true
-		end
-
-		-- Allow the left most label to be a "*"
-		if name:match("^%*%.") then
-			local rest_name = name:gsub("^[^.]+%.", "")
-			if host_chopped == rest_name:lower() then
-				log("debug", "Cert dNSName %s matched hostname", name);
-				return true
-			end
-		end
-	end
-
-	return false
-end
-
--- Compare an XMPP domain name with the asserted id-on-xmppAddr
--- identities extracted from a certificate.  Both are UTF8 strings.
---
--- Per [XMPP-CORE], matches against asserted identities don't include
--- wildcards, so we just do a normalize on both and then a string comparison
---
--- TODO: Support for full JIDs?
-local function compare_xmppaddr(host, asserted_names)
-	local norm_host = nameprep(host)
-
-	for i=1,#asserted_names do
-		local name = asserted_names[i]
-
-		-- We only want to match against bare domains right now, not
-		-- those crazy full-er JIDs.
-		if name:match("[@/]") then
-			log("debug", "Ignoring xmppAddr %s because it's not a bare domain", name)
-		else
-			local norm_name = nameprep(name)
-			if norm_name == nil then
-				log("info", "Ignoring xmppAddr %s, failed nameprep!", name)
-			else
-				if norm_host == norm_name then
-					log("debug", "Cert xmppAddr %s matched hostname", name)
-					return true
-				end
-			end
-		end
-	end
-
-	return false
-end
-
--- Compare a host + service against the asserted id-on-dnsSRV (SRV-ID)
--- identities extracted from a certificate.
---
--- Per [SRV-ID], the asserted identities will be encoded in ASCII via ToASCII.
--- Comparison is done case-insensitively, and a wildcard ("*") all by itself
--- is allowed only as the left-most non-service label.
-local function compare_srvname(host, service, asserted_names)
-	local norm_host = idna_to_ascii(host)
-	if norm_host == nil then
-		log("info", "Host %s failed IDNA ToASCII operation", host);
-		return false
-	end
-
-	-- Service names start with a "_"
-	if service:match("^_") == nil then service = "_"..service end
-
-	norm_host = norm_host:lower();
-	local host_chopped = norm_host:gsub("^[^.]+%.", "") -- everything after the first label
-
-	for i=1,#asserted_names do
-		local asserted_service, name = asserted_names[i]:match("^(_[^.]+)%.(.*)");
-		if service == asserted_service then
-			if norm_host == name:lower() then
-				log("debug", "Cert SRVName %s matched hostname", name);
-				return true;
-			end
-
-			-- Allow the left most label to be a "*"
-			if name:match("^%*%.") then
-				local rest_name = name:gsub("^[^.]+%.", "")
-				if host_chopped == rest_name:lower() then
-					log("debug", "Cert SRVName %s matched hostname", name)
-					return true
-				end
-			end
-			if norm_host == name:lower() then
-				log("debug", "Cert SRVName %s matched hostname", name);
-				return true
-			end
-		end
-	end
-
-	return false
-end
-
-function verify_identity(host, service, cert)
-	local ext = cert:extensions()
-	if ext[oid_subjectaltname] then
-		local sans = ext[oid_subjectaltname];
-
-		-- Per [TLS-CERTS] 4.3, 4.4.4, "a client MUST NOT seek a match for a
-		-- reference identifier if the presented identifiers include a DNS-ID
-		-- SRV-ID, URI-ID, or any application-specific identifier types"
-		local had_supported_altnames = false
-
-		if sans[oid_xmppaddr] then
-			had_supported_altnames = true
-			if compare_xmppaddr(host, sans[oid_xmppaddr]) then return true end
-		end
-
-		if sans[oid_dnssrv] then
-			had_supported_altnames = true
-			-- Only check srvNames if the caller specified a service
-			if service and compare_srvname(host, service, sans[oid_dnssrv]) then return true end
-		end
-
-		if sans["dNSName"] then
-			had_supported_altnames = true
-			if compare_dnsname(host, sans["dNSName"]) then return true end
-		end
-
-		-- We don't need URIs, but [TLS-CERTS] is clear.
-		if sans["uniformResourceIdentifier"] then
-			had_supported_altnames = true
-		end
-
-		if had_supported_altnames then return false end
-	end
-
-	-- Extract a common name from the certificate, and check it as if it were
-	-- a dNSName subjectAltName (wildcards may apply for, and receive,
-	-- cat treats)
-	--
-	-- Per [TLS-CERTS] 1.5, a CN-ID is the Common Name from a cert subject
-	-- which has one and only one Common Name
-	local subject = cert:subject()
-	local cn = nil
-	for i=1,#subject do
-		local dn = subject[i]
-		if dn["oid"] == oid_commonname then
-			if cn then
-				log("info", "Certificate has multiple common names")
-				return false
-			end
-
-			cn = dn["value"];
-		end
-	end
-
-	if cn then
-		-- Per [TLS-CERTS] 4.4.4, follow the comparison rules for dNSName SANs.
-		return compare_dnsname(host, { cn })
-	end
-
-	-- If all else fails, well, why should we be any different?
-	return false
-end
-
-return _M;
--- a/util/pubsub.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/util/pubsub.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -77,4 +77,8 @@
 	end
 end
 
+function service:get_nodes(actor)
+	return true, self.nodes;
+end
+
 return _M;
--- a/util/serialization.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/util/serialization.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -15,6 +15,10 @@
 local pairs = pairs;
 local next = next;
 
+local loadstring = loadstring;
+local setfenv = setfenv;
+local pcall = pcall;
+
 local debug_traceback = debug.traceback;
 local log = require "util.logger".init("serialization");
 module "serialization"
@@ -24,14 +28,20 @@
 end
 local function basicSerialize (o)
 	if type(o) == "number" or type(o) == "boolean" then
-		return tostring(o);
+		-- no need to check for NaN, as that's not a valid table index
+		if o == 1/0 then return "(1/0)";
+		elseif o == -1/0 then return "(-1/0)";
+		else return tostring(o); end
 	else -- assume it is a string -- FIXME make sure it's a string. throw an error otherwise.
 		return (("%q"):format(tostring(o)):gsub("\\\n", "\\n"));
 	end
 end
 local function _simplesave(o, ind, t, func)
 	if type(o) == "number" then
-		func(t, tostring(o));
+		if o ~= o then func(t, "(0/0)");
+		elseif o == 1/0 then func(t, "(1/0)");
+		elseif o == -1/0 then func(t, "(-1/0)");
+		else func(t, tostring(o)); end
 	elseif type(o) == "string" then
 		func(t, (("%q"):format(o):gsub("\\\n", "\\n")));
 	elseif type(o) == "table" then
@@ -72,7 +82,14 @@
 end
 
 function deserialize(str)
-	error("Not implemented");
+	if type(str) ~= "string" then return nil; end
+	str = "return "..str;
+	local f, err = loadstring(str, "@data");
+	if not f then return nil, err; end
+	setfenv(f, {});
+	local success, ret = pcall(f);
+	if not success then return nil, ret; end
+	return ret;
 end
 
 return _M;
--- a/util/stanza.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/util/stanza.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -254,7 +254,7 @@
 			end
 		end
 	end
-	return type, condition or "undefined-condition", text or "";
+	return type, condition or "undefined-condition", text;
 end
 
 function stanza_mt.__add(s1, s2)
--- a/util/termcolours.lua	Tue Dec 14 18:54:55 2010 +0100
+++ b/util/termcolours.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -10,6 +10,14 @@
 local t_concat, t_insert = table.concat, table.insert;
 local char, format = string.char, string.format;
 local ipairs = ipairs;
+local io_write = io.write;
+
+local windows;
+if os.getenv("WINDIR") then
+	windows = require "util.windows";
+end
+local orig_color = windows and windows.get_consolecolor and windows.get_consolecolor();
+
 module "termcolours"
 
 local stylemap = {
@@ -19,6 +27,13 @@
 			bold = 1, dark = 2, underline = 4, underlined = 4, normal = 0;
 		}
 
+local winstylemap = {
+	["0"] = orig_color, -- reset
+	["1"] = 7+8, -- bold
+	["1;33"] = 2+4+8, -- bold yellow
+	["1;31"] = 4+8 -- bold red
+}
+
 local fmt_string = char(0x1B).."[%sm%s"..char(0x1B).."[0m";
 function getstring(style, text)
 	if style then
@@ -39,4 +54,26 @@
 	return t_concat(result, ";");
 end
 
+local last = "0";
+function setstyle(style)
+	style = style or "0";
+	if style ~= last then
+		io_write("\27["..style.."m");
+		last = style;
+	end
+end
+
+if windows then
+	function setstyle(style)
+		style = style or "0";
+		if style ~= last then
+			windows.set_consolecolor(winstylemap[style] or orig_color);
+			last = style;
+		end
+	end
+	if not orig_color then
+		function setstyle(style) end
+	end
+end
+
 return _M;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/util/x509.lua	Fri Dec 17 13:50:33 2010 +0000
@@ -0,0 +1,211 @@
+-- Prosody IM
+-- Copyright (C) 2010 Matthew Wild
+-- Copyright (C) 2010 Paul Aurich
+--
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
+
+-- TODO: I feel a fair amount of this logic should be integrated into Luasec,
+-- so that everyone isn't re-inventing the wheel.  Dependencies on
+-- IDN libraries complicate that.
+
+
+-- [TLS-CERTS] - http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-10
+-- [XMPP-CORE] - http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-18
+-- [SRV-ID]    - http://tools.ietf.org/html/rfc4985
+-- [IDNA]      - http://tools.ietf.org/html/rfc5890
+-- [LDAP]      - http://tools.ietf.org/html/rfc4519
+-- [PKIX]      - http://tools.ietf.org/html/rfc5280
+
+local nameprep = require "util.encodings".stringprep.nameprep;
+local idna_to_ascii = require "util.encodings".idna.to_ascii;
+local log = require "util.logger".init("x509");
+
+module "x509"
+
+local oid_commonname = "2.5.4.3"; -- [LDAP] 2.3
+local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6
+local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE]
+local oid_dnssrv   = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
+
+-- Compare a hostname (possibly international) with asserted names
+-- extracted from a certificate.
+-- This function follows the rules laid out in
+-- sections 4.4.1 and 4.4.2 of [TLS-CERTS]
+--
+-- A wildcard ("*") all by itself is allowed only as the left-most label
+local function compare_dnsname(host, asserted_names)
+	-- TODO: Sufficient normalization?  Review relevant specs.
+	local norm_host = idna_to_ascii(host)
+	if norm_host == nil then
+		log("info", "Host %s failed IDNA ToASCII operation", host)
+		return false
+	end
+
+	norm_host = norm_host:lower()
+
+	local host_chopped = norm_host:gsub("^[^.]+%.", "") -- everything after the first label
+
+	for i=1,#asserted_names do
+		local name = asserted_names[i]
+		if norm_host == name:lower() then
+			log("debug", "Cert dNSName %s matched hostname", name);
+			return true
+		end
+
+		-- Allow the left most label to be a "*"
+		if name:match("^%*%.") then
+			local rest_name = name:gsub("^[^.]+%.", "")
+			if host_chopped == rest_name:lower() then
+				log("debug", "Cert dNSName %s matched hostname", name);
+				return true
+			end
+		end
+	end
+
+	return false
+end
+
+-- Compare an XMPP domain name with the asserted id-on-xmppAddr
+-- identities extracted from a certificate.  Both are UTF8 strings.
+--
+-- Per [XMPP-CORE], matches against asserted identities don't include
+-- wildcards, so we just do a normalize on both and then a string comparison
+--
+-- TODO: Support for full JIDs?
+local function compare_xmppaddr(host, asserted_names)
+	local norm_host = nameprep(host)
+
+	for i=1,#asserted_names do
+		local name = asserted_names[i]
+
+		-- We only want to match against bare domains right now, not
+		-- those crazy full-er JIDs.
+		if name:match("[@/]") then
+			log("debug", "Ignoring xmppAddr %s because it's not a bare domain", name)
+		else
+			local norm_name = nameprep(name)
+			if norm_name == nil then
+				log("info", "Ignoring xmppAddr %s, failed nameprep!", name)
+			else
+				if norm_host == norm_name then
+					log("debug", "Cert xmppAddr %s matched hostname", name)
+					return true
+				end
+			end
+		end
+	end
+
+	return false
+end
+
+-- Compare a host + service against the asserted id-on-dnsSRV (SRV-ID)
+-- identities extracted from a certificate.
+--
+-- Per [SRV-ID], the asserted identities will be encoded in ASCII via ToASCII.
+-- Comparison is done case-insensitively, and a wildcard ("*") all by itself
+-- is allowed only as the left-most non-service label.
+local function compare_srvname(host, service, asserted_names)
+	local norm_host = idna_to_ascii(host)
+	if norm_host == nil then
+		log("info", "Host %s failed IDNA ToASCII operation", host);
+		return false
+	end
+
+	-- Service names start with a "_"
+	if service:match("^_") == nil then service = "_"..service end
+
+	norm_host = norm_host:lower();
+	local host_chopped = norm_host:gsub("^[^.]+%.", "") -- everything after the first label
+
+	for i=1,#asserted_names do
+		local asserted_service, name = asserted_names[i]:match("^(_[^.]+)%.(.*)");
+		if service == asserted_service then
+			if norm_host == name:lower() then
+				log("debug", "Cert SRVName %s matched hostname", name);
+				return true;
+			end
+
+			-- Allow the left most label to be a "*"
+			if name:match("^%*%.") then
+				local rest_name = name:gsub("^[^.]+%.", "")
+				if host_chopped == rest_name:lower() then
+					log("debug", "Cert SRVName %s matched hostname", name)
+					return true
+				end
+			end
+			if norm_host == name:lower() then
+				log("debug", "Cert SRVName %s matched hostname", name);
+				return true
+			end
+		end
+	end
+
+	return false
+end
+
+function verify_identity(host, service, cert)
+	local ext = cert:extensions()
+	if ext[oid_subjectaltname] then
+		local sans = ext[oid_subjectaltname];
+
+		-- Per [TLS-CERTS] 4.3, 4.4.4, "a client MUST NOT seek a match for a
+		-- reference identifier if the presented identifiers include a DNS-ID
+		-- SRV-ID, URI-ID, or any application-specific identifier types"
+		local had_supported_altnames = false
+
+		if sans[oid_xmppaddr] then
+			had_supported_altnames = true
+			if compare_xmppaddr(host, sans[oid_xmppaddr]) then return true end
+		end
+
+		if sans[oid_dnssrv] then
+			had_supported_altnames = true
+			-- Only check srvNames if the caller specified a service
+			if service and compare_srvname(host, service, sans[oid_dnssrv]) then return true end
+		end
+
+		if sans["dNSName"] then
+			had_supported_altnames = true
+			if compare_dnsname(host, sans["dNSName"]) then return true end
+		end
+
+		-- We don't need URIs, but [TLS-CERTS] is clear.
+		if sans["uniformResourceIdentifier"] then
+			had_supported_altnames = true
+		end
+
+		if had_supported_altnames then return false end
+	end
+
+	-- Extract a common name from the certificate, and check it as if it were
+	-- a dNSName subjectAltName (wildcards may apply for, and receive,
+	-- cat treats)
+	--
+	-- Per [TLS-CERTS] 1.5, a CN-ID is the Common Name from a cert subject
+	-- which has one and only one Common Name
+	local subject = cert:subject()
+	local cn = nil
+	for i=1,#subject do
+		local dn = subject[i]
+		if dn["oid"] == oid_commonname then
+			if cn then
+				log("info", "Certificate has multiple common names")
+				return false
+			end
+
+			cn = dn["value"];
+		end
+	end
+
+	if cn then
+		-- Per [TLS-CERTS] 4.4.4, follow the comparison rules for dNSName SANs.
+		return compare_dnsname(host, { cn })
+	end
+
+	-- If all else fails, well, why should we be any different?
+	return false
+end
+
+return _M;