
core/certmanager.lua @ 6564:bcf32653cab7

certmanager: Early return from the entire module if LuaSec is unavailable
author Kim Alvefur <zash@zash.se>
date Thu, 05 Feb 2015 15:10:23 +0100
parent 6547:2f65de21ff56
child 6565:ffc0a57889aa
6563:f0a2bdfd0cea 6564:bcf32653cab7
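--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -4,14 +4,24 @@
 --
 -- This project is MIT/X11 licensed. Please see the
 -- COPYING file in the source package for more information.
 --
 
+local softreq = require"util.dependencies".softreq;
+local ssl = softreq"ssl";
+if not ssl then
+return {
+create_context = function ()
+return nil, "LuaSec (required for encryption) was not found";
+end;
+reload_ssl_config = function () end;
+}
+end
+
 local configmanager = require "core.configmanager";
 local log = require "util.logger".init("certmanager");
-local ssl = _G.ssl;
-local ssl_newcontext = ssl and ssl.newcontext;
+local ssl_newcontext = ssl.newcontext;
 local new_config = require"util.sslconfig".new;
 
 local tostring = tostring;
 local pairs = pairs;
 local type = type;
@@ -21,27 +31,25 @@
 local prosody = prosody;
 local resolve_path = require"util.paths".resolve_relative_path;
 local config_path = prosody.paths.config;
 
 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;
-if ssl then
-local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
-luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
-luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
-luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
-end
+local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
+luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
+luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
+luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
 
 module "certmanager"
 
 -- Global SSL options if not overridden per-host
 local global_ssl_config = configmanager.get("*", "ssl");
 
 -- Built-in defaults
 local core_defaults = {
 capath = "/etc/ssl/certs";
 protocol = "tlsv1+";
-verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
+verify = (ssl.x509 and { "peer", "client_once", }) or "none";
 options = {
 cipher_server_preference = true;
 no_ticket = luasec_has_noticket;
 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true;
 -- Has no_compression? Then it has these too...
@@ -54,20 +62,18 @@
 }
 local path_options = { -- These we pass through resolve_path()
 key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
 
-if ssl and not luasec_has_verifyext and ssl.x509 then
+if not luasec_has_verifyext and ssl.x509 then
 -- COMPAT mw/luasec-hg
 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
 end
 end
 
 function create_context(host, mode, ...)
-if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
-
 local cfg = new_config();
 cfg:apply(core_defaults);
 cfg:apply(global_ssl_config);
 cfg:apply({
 mode = mode,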
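Review bot: The early-return stub at new lines 11-18 has to mirror every public function of the full module, and nothing in the hunk ties the two together — an export added later under `module "certmanager"` but not to the stub becomes an "attempt to call a nil value" on installs without LuaSec, instead of the intended `nil, "LuaSec (required for encryption) was not found"` that callers are written to handle. A comment on the stub would make that contract explicit: `-- Stub with the same public interface as the full module below; keep the two in sync when adding exports.` It may also be worth stating there that `reload_ssl_config` is deliberately a no-op because there is no context to rebuild. Separately, the rewritten `verify` default still silently falls back to `"none"` when `ssl.x509` is absent, which disables peer verification; that behaviour predates this commit, but a `log("warn", ...)` next to `core_defaults` would make the downgrade visible to an admin if it is not already reported elsewhere.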