From 9f7c3b9ba6c2fde4431cd6f3a12072518b478d69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Sat, 2 Apr 2022 11:15:33 +0200 Subject: net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API. --- util/sslconfig.lua | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) (limited to 'util') diff --git a/util/sslconfig.lua b/util/sslconfig.lua index 23fb934c..0078365b 100644 --- a/util/sslconfig.lua +++ b/util/sslconfig.lua @@ -8,12 +8,8 @@ local error = error; local t_concat = table.concat; local t_insert = table.insert; local setmetatable = setmetatable; -local config_path = prosody.paths.config or "."; local resolve_path = require"util.paths".resolve_relative_path; --- TODO: use net.server directly here -local tls_impl = require"net.tls_luasec"; - local _ENV = nil; -- luacheck: std none @@ -78,9 +74,9 @@ finalisers.curveslist = finalisers.ciphers; finalisers.ciphersuites = finalisers.ciphers; -- Path expansion -function finalisers.key(path) +function finalisers.key(path, config) if type(path) == "string" then - return resolve_path(config_path, path); + return resolve_path(config._basedir, path); else return nil end @@ -110,11 +106,13 @@ end -- Merge options from 'new' config into 'config' local function apply(config, new) - -- 0 == cache - rawset(config, 0, nil); + rawset(config, "_cache", nil); if type(new) == "table" then for field, value in pairs(new) do - (handlers[field] or rawset)(config, field, value); + -- exclude keys which are internal to the config builder + if field:sub(1, 1) ~= "_" then + (handlers[field] or rawset)(config, field, value); + end end end return config @@ -124,7 +122,10 @@ end local function final(config) local output = { }; for field, value in pairs(config) do - output[field] = (finalisers[field] or id)(value); + -- exclude keys which are internal to the config builder + if field:sub(1, 1) ~= "_" then + output[field] = (finalisers[field] or id)(value, config); + end end -- Need to handle protocols last because it adds to the options list protocol(output); @@ -132,14 +133,14 @@ local function final(config) end local function build(config) - local cached = rawget(config, 0); + local cached = rawget(config, "_cache"); if cached then return cached, nil end - local ctx, err = tls_impl.new_context(config:final(), config); + local ctx, err = rawget(config, "_context_factory")(config:final(), config); if ctx then - rawset(config, 0, ctx); + rawset(config, "_cache", ctx); end return ctx, err end @@ -156,13 +157,21 @@ local sslopts_mt = { }; -local function new() - return setmetatable({options={}}, sslopts_mt); +-- passing basedir through everything is required to avoid sslconfig depending +-- on prosody.paths.config +local function new(context_factory, basedir) + return setmetatable({ + _context_factory = context_factory, + _basedir = basedir, + options={}, + }, sslopts_mt); end local function clone(config) local result = new(); for k, v in pairs(config) do + -- note that we *do* copy the internal keys on clone -- we have to carry + -- both the factory and the cache with us rawset(result, k, v); end return result @@ -173,5 +182,5 @@ sslopts_mt.__index.clone = clone; return { apply = apply; final = final; - new = new; + _new = new; }; -- cgit v1.2.3