authorKim Alvefur <zash@zash.se>2024-07-12 15:21:08 +0200
committerKim Alvefur <zash@zash.se>2024-07-12 15:21:08 +0200
commitdd657746b490c203d3e503d9359fec9dca6884fd (patch)
treec5002acd7770c2c696c43873cf9d798d4ba62d50
parentb9cfebff245640c9074efac52cc4bdc8ee10bea8 (diff)
util.sslconfig: Support DH parameters as literal string
Simplifies shipping well-known DH parameters in the config
-rw-r--r--net/tls_luasec.lua5
-rw-r--r--util/sslconfig.lua14
2 files changed, 16 insertions, 3 deletions
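--- a/net/tls_luasec.lua
+++ b/net/tls_luasec.lua
@@ -54,7 +54,10 @@ local function new_context(cfg, builder)
 -- LuaSec expects dhparam to be a callback that takes two arguments.
 -- We ignore those because it is mostly used for having a separate
 -- set of params for EXPORT ciphers, which we don't have by default.
- if type(cfg.dhparam) == "string" then
+ if type(cfg.dhparam) == "string" and cfg.dhparam:sub(1, 10) == "-----BEGIN" then
+ local dhparam = cfg.dhparam;
+ cfg.dhparam = function() return dhparam; end
+ elseif type(cfg.dhparam) == "string" then
 local f, err = io_open(cfg.dhparam);
 if not f then return nil, "Could not open DH parameters: "..err end
 local dhparam = f:read("*a");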
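Review bot: The literal-versus-file test on the new `if` line, `cfg.dhparam:sub(1, 10) == "-----BEGIN"`, accepts any PEM block, so a certificate or private key pasted into `dhparam` by mistake passes configuration and only fails later when LuaSec hands it to OpenSSL, far from the option that caused it. Matching the DH-specific header would surface that at startup, e.g. `if type(cfg.dhparam) == "string" and cfg.dhparam:find("^%-%-%-%-%-BEGIN [%w%.%s]*DH PARAMETERS") then`; as far as I know OpenSSL also accepts a `-----BEGIN X9.42 DH PARAMETERS-----` header, which the pattern above still allows. The same prefix test is duplicated in the `finalisers.dhparam` hunk of util/sslconfig.lua and the two must agree, so a shared predicate would keep them from drifting. A short comment above the branch, `-- Inline PEM text is handed to LuaSec as-is; any other string is treated as a path`, would explain why a callback is built here without reading a file. new_context starts before this hunk and its body continues after it.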
diff --git a/util/sslconfig.lua b/util/sslconfig.lua
index 7b0ed34a..01a8adb5 100644
--- a/util/sslconfig.lua
+++ b/util/sslconfig.lua
@@ -84,8 +84,18 @@ end
finalisers.certificate = finalisers.key;
finalisers.cafile = finalisers.key;
finalisers.capath = finalisers.key;
--- XXX: copied from core/certmanager.lua, but this seems odd, because it would remove a dhparam function from the config
-finalisers.dhparam = finalisers.key;
+
+function finalisers.dhparam(value, config)
+ if type(value) == "string" then
+ if value:sub(1, 10) == "-----BEGIN" then
+ -- literal value
+ return value;
+ else
+ -- assume a filename
+ return resolve_path(config._basedir, value);
+ end
+ end
+end
-- protocol = "x" should enable only that protocol
-- protocol = "x+" should enable x and later versions