diff options
author | Jonas Schäfer <jonas@wielicki.name> | 2022-04-02 11:15:33 +0200 |
---|---|---|
committer | Jonas Schäfer <jonas@wielicki.name> | 2022-04-02 11:15:33 +0200 |
commit | 9f7c3b9ba6c2fde4431cd6f3a12072518b478d69 (patch) | |
tree | 32e0b232600b224369ead1e7c62194b19d549cc0 /util/sslconfig.lua | |
parent | 38346dd6f1dcd963e17722bf175445465d7683f4 (diff) | |
download | prosody-9f7c3b9ba6c2fde4431cd6f3a12072518b478d69.tar.gz prosody-9f7c3b9ba6c2fde4431cd6f3a12072518b478d69.zip |
net: refactor sslconfig to not depend on LuaSec
This now requires that the network backend exposes a tls_builder
function, which essentially wraps the former util.sslconfig.new()
function, passing a factory to create the eventual SSL context.
That allows a net.server backend to pick whatever it likes as SSL
context factory, as long as it understands the config table passed by
the SSL config builder. Heck, a backend could even mock and replace the
entire SSL config builder API.
Diffstat (limited to 'util/sslconfig.lua')
-rw-r--r-- | util/sslconfig.lua | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/util/sslconfig.lua b/util/sslconfig.lua index 23fb934c..0078365b 100644 --- a/util/sslconfig.lua +++ b/util/sslconfig.lua @@ -8,12 +8,8 @@ local error = error; local t_concat = table.concat; local t_insert = table.insert; local setmetatable = setmetatable; -local config_path = prosody.paths.config or "."; local resolve_path = require"util.paths".resolve_relative_path; --- TODO: use net.server directly here -local tls_impl = require"net.tls_luasec"; - local _ENV = nil; -- luacheck: std none @@ -78,9 +74,9 @@ finalisers.curveslist = finalisers.ciphers; finalisers.ciphersuites = finalisers.ciphers; -- Path expansion -function finalisers.key(path) +function finalisers.key(path, config) if type(path) == "string" then - return resolve_path(config_path, path); + return resolve_path(config._basedir, path); else return nil end @@ -110,11 +106,13 @@ end -- Merge options from 'new' config into 'config' local function apply(config, new) - -- 0 == cache - rawset(config, 0, nil); + rawset(config, "_cache", nil); if type(new) == "table" then for field, value in pairs(new) do - (handlers[field] or rawset)(config, field, value); + -- exclude keys which are internal to the config builder + if field:sub(1, 1) ~= "_" then + (handlers[field] or rawset)(config, field, value); + end end end return config @@ -124,7 +122,10 @@ end local function final(config) local output = { }; for field, value in pairs(config) do - output[field] = (finalisers[field] or id)(value); + -- exclude keys which are internal to the config builder + if field:sub(1, 1) ~= "_" then + output[field] = (finalisers[field] or id)(value, config); + end end -- Need to handle protocols last because it adds to the options list protocol(output); @@ -132,14 +133,14 @@ local function final(config) end local function build(config) - local cached = rawget(config, 0); + local cached = rawget(config, "_cache"); if cached then return cached, nil end - local ctx, err = tls_impl.new_context(config:final(), config); + local ctx, err = rawget(config, "_context_factory")(config:final(), config); if ctx then - rawset(config, 0, ctx); + rawset(config, "_cache", ctx); end return ctx, err end @@ -156,13 +157,21 @@ local sslopts_mt = { }; -local function new() - return setmetatable({options={}}, sslopts_mt); +-- passing basedir through everything is required to avoid sslconfig depending +-- on prosody.paths.config +local function new(context_factory, basedir) + return setmetatable({ + _context_factory = context_factory, + _basedir = basedir, + options={}, + }, sslopts_mt); end local function clone(config) local result = new(); for k, v in pairs(config) do + -- note that we *do* copy the internal keys on clone -- we have to carry + -- both the factory and the cache with us rawset(result, k, v); end return result @@ -173,5 +182,5 @@ sslopts_mt.__index.clone = clone; return { apply = apply; final = final; - new = new; + _new = new; }; |