
util/sslconfig.lua @ 12480:7e9ebdc75ce4

net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 27 Apr 2022 17:44:14 +0200 (2022-04-27)
parent 10920:c171b4c59bd1
child 12481:2ee27587fec7
12478:82270a6b1234 12480:7e9ebdc75ce4
1 -- util to easily merge multiple sets of LuaSec context options 1 -- util to easily merge multiple sets of LuaSec context options
2 2
3 local type = type; 3 local type = type;
4 local pairs = pairs; 4 local pairs = pairs;
5 local rawset = rawset; 5 local rawset = rawset;
6 local rawget = rawget;
7 local error = error;
6 local t_concat = table.concat; 8 local t_concat = table.concat;
7 local t_insert = table.insert; 9 local t_insert = table.insert;
8 local setmetatable = setmetatable; 10 local setmetatable = setmetatable;
11 local config_path = prosody.paths.config or ".";
12 local resolve_path = require"util.paths".resolve_relative_path;
13
14 -- TODO: use net.server directly here
15 local tls_impl = require"net.tls_luasec";
9 16
10 local _ENV = nil; 17 local _ENV = nil;
11 -- luacheck: std none 18 -- luacheck: std none
12 19
13 local handlers = { }; 20 local handlers = { };
32 options[key] = value; 39 options[key] = value;
33 else -- list item 40 else -- list item
34 options[value] = true; 41 options[value] = true;
35 end 42 end
36 end 43 end
37 config[field] = options; 44 rawset(config, field, options)
38 end 45 end
39 46
40 handlers.verifyext = handlers.options; 47 handlers.verifyext = handlers.options;
41 48
42 -- finalisers take something produced by handlers and return what luasec 49 -- finalisers take something produced by handlers and return what luasec
68 finalisers.curveslist = finalisers.ciphers; 75 finalisers.curveslist = finalisers.ciphers;
69 76
70 -- TLS 1.3 ciphers 77 -- TLS 1.3 ciphers
71 finalisers.ciphersuites = finalisers.ciphers; 78 finalisers.ciphersuites = finalisers.ciphers;
72 79
80 -- Path expansion
81 function finalisers.key(path)
82 if type(path) == "string" then
83 return resolve_path(config_path, path);
84 else
85 return nil
86 end
87 end
88 finalisers.certificate = finalisers.key;
89 finalisers.cafile = finalisers.key;
90 finalisers.capath = finalisers.key;
91 -- XXX: copied from core/certmanager.lua, but this seems odd, because it would remove a dhparam function from the config
92 finalisers.dhparam = finalisers.key;
93
73 -- protocol = "x" should enable only that protocol 94 -- protocol = "x" should enable only that protocol
74 -- protocol = "x+" should enable x and later versions 95 -- protocol = "x+" should enable x and later versions
75 96
76 local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3" }; 97 local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3" };
77 for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end 98 for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end
87 end 108 end
88 end 109 end
89 110
90 -- Merge options from 'new' config into 'config' 111 -- Merge options from 'new' config into 'config'
91 local function apply(config, new) 112 local function apply(config, new)
113 -- 0 == cache
114 rawset(config, 0, nil);
92 if type(new) == "table" then 115 if type(new) == "table" then
93 for field, value in pairs(new) do 116 for field, value in pairs(new) do
94 (handlers[field] or rawset)(config, field, value); 117 (handlers[field] or rawset)(config, field, value);
95 end 118 end
96 end 119 end
120 return config
97 end 121 end
98 122
99 -- Finalize the config into the form LuaSec expects 123 -- Finalize the config into the form LuaSec expects
100 local function final(config) 124 local function final(config)
101 local output = { }; 125 local output = { };
105 -- Need to handle protocols last because it adds to the options list 129 -- Need to handle protocols last because it adds to the options list
106 protocol(output); 130 protocol(output);
107 return output; 131 return output;
108 end 132 end
109 133
134 local function build(config)
135 local cached = rawget(config, 0);
136 if cached then
137 return cached, nil
138 end
139
140 local ctx, err = tls_impl.new_context(config:final(), config);
141 if ctx then
142 rawset(config, 0, ctx);
143 end
144 return ctx, err
145 end
146
110 local sslopts_mt = { 147 local sslopts_mt = {
111 __index = { 148 __index = {
112 apply = apply; 149 apply = apply;
113 final = final; 150 final = final;
151 build = build;
114 }; 152 };
153 __newindex = function()
154 error("SSL config objects cannot be modified directly. Use :apply()")
155 end;
115 }; 156 };
157
116 158
117 local function new() 159 local function new()
118 return setmetatable({options={}}, sslopts_mt); 160 return setmetatable({options={}}, sslopts_mt);
119 end 161 end
162
163 local function clone(config)
164 local result = new();
165 for k, v in pairs(config) do
166 rawset(result, k, v);
167 end
168 return result
169 end
170
171 sslopts_mt.__index.clone = clone;
120 172
121 return { 173 return {
122 apply = apply; 174 apply = apply;
123 final = final; 175 final = final;
124 new = new; 176 new = new;