You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

122 lines
3.4 KiB
Lua

--[[
Copyright 2016 The Luvit Authors. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS-IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--]]
local openssl = require('openssl')
local loadResource
if type(module) == "table" then
function loadResource(path)
return module:load(path)
end
else
loadResource = require('resource').load
end
local bit = require('bit')
local DEFAULT_SECUREPROTOCOL
do
local _, _, V = openssl.version()
local isLibreSSL = V:find('^LibreSSL')
_, _, V = openssl.version(true)
local isTLSv1_3 = not isLibreSSL and V >= 0x10101000
if isTLSv1_3 then
DEFAULT_SECUREPROTOCOL = 'TLS'
else
DEFAULT_SECUREPROTOCOL = 'SSLv23'
end
end
local DEFAULT_CIPHERS = 'TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:' .. --TLS 1.3
'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' .. --TLS 1.2
'RC4:HIGH:!MD5:!aNULL:!EDH' --TLS 1.0
local DEFAULT_CA_STORE
do
local data = assert(loadResource("./root_ca.dat"))
DEFAULT_CA_STORE = openssl.x509.store:new()
local index = 1
local dataLength = #data
while index < dataLength do
local len = bit.bor(bit.lshift(data:byte(index), 8), data:byte(index + 1))
index = index + 2
local cert = assert(openssl.x509.read(data:sub(index, index + len)))
index = index + len
assert(DEFAULT_CA_STORE:add(cert))
end
end
local function returnOne()
return 1
end
return function (options)
local ctx = openssl.ssl.ctx_new(
options.protocol or DEFAULT_SECUREPROTOCOL,
options.ciphers or DEFAULT_CIPHERS)
local key, cert, ca
if options.key then
key = assert(openssl.pkey.read(options.key, true, 'pem'))
end
if options.cert then
cert = {}
for chunk in options.cert:gmatch("%-+BEGIN[^-]+%-+[^-]+%-+END[^-]+%-+") do
cert[#cert + 1] = assert(openssl.x509.read(chunk))
end
end
if options.ca then
if type(options.ca) == "string" then
ca = { assert(openssl.x509.read(options.ca)) }
elseif type(options.ca) == "table" then
ca = {}
for i = 1, #options.ca do
ca[i] = assert(openssl.x509.read(options.ca[i]))
end
else
error("options.ca must be string or table of strings")
end
end
if key and cert then
local first = table.remove(cert, 1)
assert(ctx:use(key, first))
if #cert > 0 then
-- TODO: find out if there is a way to not need to duplicate the last cert here
-- as a dummy fill for the root CA cert
assert(ctx:add(cert[#cert], cert))
end
end
if ca then
local store = openssl.x509.store:new()
for i = 1, #ca do
assert(store:add(ca[i]))
end
ctx:cert_store(store)
elseif DEFAULT_CA_STORE then
ctx:cert_store(DEFAULT_CA_STORE)
end
if not (options.insecure or options.key) then
ctx:verify_mode(openssl.ssl.peer, returnOne)
end
ctx:options(bit.bor(
openssl.ssl.no_sslv2,
openssl.ssl.no_sslv3,
openssl.ssl.no_compression))
return ctx
end