Mercurial > prosody-hg
comparison core/certmanager.lua @ 6564:bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 05 Feb 2015 15:10:23 +0100 |
| parents | 2f65de21ff56 |
| children | ffc0a57889aa |
comparison
equal
deleted
inserted
replaced
| 6563:f0a2bdfd0cea | 6564:bcf32653cab7 |
|---|---|
| 4 -- | 4 -- |
| 5 -- This project is MIT/X11 licensed. Please see the | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | 6 -- COPYING file in the source package for more information. |
| 7 -- | 7 -- |
| 8 | 8 |
| 9 local softreq = require"util.dependencies".softreq; | |
| 10 local ssl = softreq"ssl"; | |
| 11 if not ssl then | |
| 12 return { | |
| 13 create_context = function () | |
| 14 return nil, "LuaSec (required for encryption) was not found"; | |
| 15 end; | |
| 16 reload_ssl_config = function () end; | |
| 17 } | |
| 18 end | |
| 19 | |
| 9 local configmanager = require "core.configmanager"; | 20 local configmanager = require "core.configmanager"; |
| 10 local log = require "util.logger".init("certmanager"); | 21 local log = require "util.logger".init("certmanager"); |
| 11 local ssl = _G.ssl; | 22 local ssl_newcontext = ssl.newcontext; |
| 12 local ssl_newcontext = ssl and ssl.newcontext; | |
| 13 local new_config = require"util.sslconfig".new; | 23 local new_config = require"util.sslconfig".new; |
| 14 | 24 |
| 15 local tostring = tostring; | 25 local tostring = tostring; |
| 16 local pairs = pairs; | 26 local pairs = pairs; |
| 17 local type = type; | 27 local type = type; |
| 21 local prosody = prosody; | 31 local prosody = prosody; |
| 22 local resolve_path = require"util.paths".resolve_relative_path; | 32 local resolve_path = require"util.paths".resolve_relative_path; |
| 23 local config_path = prosody.paths.config; | 33 local config_path = prosody.paths.config; |
| 24 | 34 |
| 25 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; | 35 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; |
| 26 if ssl then | 36 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
| 27 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 37 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
| 28 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 38 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
| 29 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 39 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
| 30 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | |
| 31 end | |
| 32 | 40 |
| 33 module "certmanager" | 41 module "certmanager" |
| 34 | 42 |
| 35 -- Global SSL options if not overridden per-host | 43 -- Global SSL options if not overridden per-host |
| 36 local global_ssl_config = configmanager.get("*", "ssl"); | 44 local global_ssl_config = configmanager.get("*", "ssl"); |
| 37 | 45 |
| 38 -- Built-in defaults | 46 -- Built-in defaults |
| 39 local core_defaults = { | 47 local core_defaults = { |
| 40 capath = "/etc/ssl/certs"; | 48 capath = "/etc/ssl/certs"; |
| 41 protocol = "tlsv1+"; | 49 protocol = "tlsv1+"; |
| 42 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; | 50 verify = (ssl.x509 and { "peer", "client_once", }) or "none"; |
| 43 options = { | 51 options = { |
| 44 cipher_server_preference = true; | 52 cipher_server_preference = true; |
| 45 no_ticket = luasec_has_noticket; | 53 no_ticket = luasec_has_noticket; |
| 46 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; | 54 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; |
| 47 -- Has no_compression? Then it has these too... | 55 -- Has no_compression? Then it has these too... |
| 54 } | 62 } |
| 55 local path_options = { -- These we pass through resolve_path() | 63 local path_options = { -- These we pass through resolve_path() |
| 56 key = true, certificate = true, cafile = true, capath = true, dhparam = true | 64 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
| 57 } | 65 } |
| 58 | 66 |
| 59 if ssl and not luasec_has_verifyext and ssl.x509 then | 67 if not luasec_has_verifyext and ssl.x509 then |
| 60 -- COMPAT mw/luasec-hg | 68 -- COMPAT mw/luasec-hg |
| 61 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 69 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
| 62 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); | 70 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
| 63 end | 71 end |
| 64 end | 72 end |
| 65 | 73 |
| 66 function create_context(host, mode, ...) | 74 function create_context(host, mode, ...) |
| 67 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | |
| 68 | |
| 69 local cfg = new_config(); | 75 local cfg = new_config(); |
| 70 cfg:apply(core_defaults); | 76 cfg:apply(core_defaults); |
| 71 cfg:apply(global_ssl_config); | 77 cfg:apply(global_ssl_config); |
| 72 cfg:apply({ | 78 cfg:apply({ |
| 73 mode = mode, | 79 mode = mode, |
