core/certmanager.lua @ 12480:7e9ebdc75ce4
net: isolate LuaSec-specifics
For this, various accessor functions are now provided directly on the
sockets, which reach down into the LuaSec implementation to obtain the
information.
While this may seem of little gain at first, it hides an implementation
detail of the LuaSec+LuaSocket combination, namely that the actual socket
and the TLS layer are separate objects.
The net gain here is that an alternative implementation does not have to
emulate that specific implementation detail and "only" has to expose
LuaSec-compatible data structures on the new functions.
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Wed, 27 Apr 2022 17:44:14 +0200 |
parent | 12362:0fd58f54d653 |
child | 12481:2ee27587fec7 |
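--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -7,11 +7,10 @@
 --
 
 local ssl = require "ssl";
 local configmanager = require "core.configmanager";
 local log = require "util.logger".init("certmanager");
-local ssl_context = ssl.context or require "ssl.context";
 local ssl_newcontext = ssl.newcontext;
 local new_config = require"util.sslconfig".new;
 local stat = require "lfs".attributes;
 
 local x509 = require "util.x509";
@@ -311,14 +310,10 @@
 end
 else
 core_defaults.curveslist = nil;
 end
 
-local path_options = { -- These we pass through resolve_path()
-key = true, certificate = true, cafile = true, capath = true, dhparam = true
-}
-
 local function create_context(host, mode, ...)
 local cfg = new_config();
 cfg:apply(core_defaults);
 local service_name, port = host:match("^(%S+) port (%d+)$");
 -- port 0 is used with client-only things that normally don't need certificates, e.g. https
@@ -350,38 +345,11 @@
 log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
 end
 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
 end
 
-for option in pairs(path_options) do
-if type(user_ssl_config[option]) == "string" then
-user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
-else
-user_ssl_config[option] = nil;
-end
-end
-
--- LuaSec expects dhparam to be a callback that takes two arguments.
--- We ignore those because it is mostly used for having a separate
--- set of params for EXPORT ciphers, which we don't have by default.
-if type(user_ssl_config.dhparam) == "string" then
-local f, err = io_open(user_ssl_config.dhparam);
-if not f then return nil, "Could not open DH parameters: "..err end
-local dhparam = f:read("*a");
-f:close();
-user_ssl_config.dhparam = function() return dhparam; end
-end
-
-local ctx, err = ssl_newcontext(user_ssl_config);
-
--- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
--- of it ourselves (W/A for #x)
-if ctx and user_ssl_config.ciphers then
-local success;
-success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
-if not success then ctx = nil; end
-end
+local ctx, err = cfg:build();
 
 if not ctx then
 err = err or "invalid ssl config"
 local file = err:match("^error loading (.-) %(");
 if file then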
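Review bot: The error-message parse that follows the new `cfg:build()` call (`err:match("^error loading (.-) %(")` at new line 354) still assumes LuaSec's raw error string, so if util.sslconfig's build() wraps or rewords the error the file-diagnostic branch silently stops firing and the operator only gets the generic message. Worth confirming that build() returns LuaSec's `ctx, err` pair unchanged and recording that above the match with `-- expects the raw LuaSec error string from cfg:build(); see util.sslconfig`. The same hunk drops the `path_options` resolution against config_path and the dhparam file read, so build() must now own both; if it does not, relative key/certificate/cafile/capath paths would resolve against the working directory rather than the config directory, and a wrong or missing file would only surface as the generic error above. `ssl_newcontext` at new line 12 has lost its only use visible here (old line 374); if nothing else in the file calls it, it can be removed the same way `ssl_context` was. create_context's body continues outside the hunk.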