apitech
/
prosody
mirror of https://github.com/bjc/prosody
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
IMPORTANT: due to a drive failure, as of 13-Mar-2021, the Mercurial repository had to be re-mirrored, which changed every commit SHA. The old SHAs and trees are backed up in the vault branches. Please migrate to the new branches as soon as you can.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13792 Commits
12 Branches
101 Tags
54 MiB
Tag: Branch: Tree: ea2f97e9ed
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ea2f97e9ed'
${ noResults }
prosody/util/sslconfig.lua

197 lines
4.8 KiB
Raw Normal View History Unescape

util.sslconfig: More descriptive variable names and also comments
10 years ago
-- util to easily merge multiple sets of LuaSec context options
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
11 years ago
local type = type;
local pairs = pairs;
local rawset = rawset;
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
local rawget = rawget;
local error = error;
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
11 years ago
local t_concat = table.concat;
local t_insert = table.insert;
local setmetatable = setmetatable;
util: Prefix module imports with prosody namespace
3 years ago
local resolve_path = require"prosody.util.paths".resolve_relative_path;
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
11 years ago
local _ENV = nil;
vairious: Add annotation when an empty environment is set [luacheck]
8 years ago
-- luacheck: std none
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
local handlers = { };
local finalisers = { };
local id = function (v) return v end
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- All "handlers" behave like extended rawset(table, key, value) with extra
-- processing usually merging the new value with the old in some reasonable
-- way
-- If a field does not have a defined handler then a new value simply
-- replaces the old.
-- Convert either a list or a set into a special type of set where each
-- item is either positive or negative in order for a later set of options
-- to be able to remove options from this set by filtering out the negative ones
function handlers.options(config, field, new)
local options = config[field] or { };
if type(new) ~= "table" then new = { new } end
for key, value in pairs(new) do
util.sslconfig: Rename variable to avoid name clash [luacheck]
11 years ago
if value == true or value == false then
util.sslconfig: More descriptive variable names and also comments
10 years ago
options[key] = value;
else -- list item
options[value] = true;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
end
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
rawset(config, field, options)
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
handlers.verifyext = handlers.options;
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- finalisers take something produced by handlers and return what luasec
-- expects it to be
-- Produce a list of "positive" options from the set
function finalisers.options(options)
local output = {};
for opt, enable in pairs(options) do
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
if enable then
util.sslconfig: More descriptive variable names and also comments
10 years ago
output[#output+1] = opt;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
end
util.sslconfig: More descriptive variable names and also comments
10 years ago
return output;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
finalisers.verifyext = finalisers.options;
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- We allow ciphers to be a list
function finalisers.ciphers(cipherlist)
if type(cipherlist) == "table" then
return t_concat(cipherlist, ":");
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
util.sslconfig: More descriptive variable names and also comments
10 years ago
return cipherlist;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
util.sslconfig: Treat 'curveslist', added in LuaSec 0.7, as a colon-separated list, like ciphers (see #879, #943, #951)
8 years ago
-- Curve list too
finalisers.curveslist = finalisers.ciphers;
util.sslconfig: Process TLS 1.3-specific cipher list Same way as with other cipher list options
6 years ago
-- TLS 1.3 ciphers
finalisers.ciphersuites = finalisers.ciphers;
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
-- Path expansion
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
function finalisers.key(path, config)
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
if type(path) == "string" then
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
return resolve_path(config._basedir, path);
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
else
return nil
end
end
finalisers.certificate = finalisers.key;
finalisers.cafile = finalisers.key;
finalisers.capath = finalisers.key;
util.sslconfig: Support DH parameters as literal string Simplifies shipping well-known DH parameters in the config
1 year ago
function finalisers.dhparam(value, config)
if type(value) == "string" then
if value:sub(1, 10) == "-----BEGIN" then
-- literal value
return value;
else
-- assume a filename
return resolve_path(config._basedir, value);
end
end
end
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- protocol = "x" should enable only that protocol
-- protocol = "x+" should enable x and later versions
util.sslconfig: Recognise TLS 1.3 as a protocol version This enables it to understand protocol = "tlsv1_3+"
7 years ago
local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3" };
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- this interacts with ssl.options as well to add no_x
local function protocol(config)
local min_protocol = protocols[config.protocol];
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
if min_protocol then
util.sslconfig: More descriptive variable names and also comments
10 years ago
config.protocol = "sslv23";
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
for i = 1, min_protocol do
util.sslconfig: More descriptive variable names and also comments
10 years ago
t_insert(config.options, "no_"..protocols[i]);
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
end
end
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- Merge options from 'new' config into 'config'
local function apply(config, new)
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
rawset(config, "_cache", nil);
util.sslconfig: More descriptive variable names and also comments
10 years ago
if type(new) == "table" then
for field, value in pairs(new) do
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
-- exclude keys which are internal to the config builder
if field:sub(1, 1) ~= "_" then
(handlers[field] or rawset)(config, field, value);
end
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
end
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
return config
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- Finalize the config into the form LuaSec expects
local function final(config)
local output = { };
for field, value in pairs(config) do
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
-- exclude keys which are internal to the config builder
if field:sub(1, 1) ~= "_" then
output[field] = (finalisers[field] or id)(value, config);
end
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
util.sslconfig: More descriptive variable names and also comments
10 years ago
-- Need to handle protocols last because it adds to the options list
protocol(output);
return output;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
local function build(config)
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
local cached = rawget(config, "_cache");
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
if cached then
return cached, nil
end
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
local ctx, err = rawget(config, "_context_factory")(config:final(), config);
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
if ctx then
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
rawset(config, "_cache", ctx);
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
end
return ctx, err
end
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
local sslopts_mt = {
__index = {
apply = apply;
final = final;
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
build = build;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
};
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
__newindex = function()
error("SSL config objects cannot be modified directly. Use :apply()")
end;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
};
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
-- passing basedir through everything is required to avoid sslconfig depending
-- on prosody.paths.config
local function new(context_factory, basedir)
return setmetatable({
_context_factory = context_factory,
_basedir = basedir,
options={},
}, sslopts_mt);
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
end
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
local function clone(config)
local result = new();
for k, v in pairs(config) do
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
-- note that we *do* copy the internal keys on clone -- we have to carry
-- both the factory and the cache with us
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
4 years ago
rawset(result, k, v);
end
return result
end
sslopts_mt.__index.clone = clone;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
return {
apply = apply;
final = final;
net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.
4 years ago
_new = new;
util.sslconfig: Add lib to deal with LuaSec SSL context configs
12 years ago
};