smh

Lua/rpbot/deps/secure-socket/context.lua

@@ -0,0 +1,121 @@
+--[[
+
+Copyright 2016 The Luvit Authors. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS-IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+--]]
+local openssl = require('openssl')
+
+local loadResource
+if type(module) == "table" then
+  function loadResource(path)
+    return module:load(path)
+  end
+else
+  loadResource = require('resource').load
+end
+local bit = require('bit')
+
+local DEFAULT_SECUREPROTOCOL
+do
+  local _, _, V = openssl.version()
+  local isLibreSSL = V:find('^LibreSSL')
+
+  _, _, V = openssl.version(true)
+  local isTLSv1_3 = not isLibreSSL and V > 0x10100000
+
+  if isTLSv1_3 then
+    DEFAULT_SECUREPROTOCOL = 'TLS'
+  else
+    DEFAULT_SECUREPROTOCOL = 'SSLv23'
+  end
+end
+local DEFAULT_CIPHERS = 'TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:' .. --TLS 1.3
+                        'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' ..     --TLS 1.2
+                        'RC4:HIGH:!MD5:!aNULL:!EDH'                         --TLS 1.0
+local DEFAULT_CA_STORE
+do
+  local data = assert(loadResource("./root_ca.dat"))
+  DEFAULT_CA_STORE = openssl.x509.store:new()
+  local index = 1
+  local dataLength = #data
+  while index < dataLength do
+    local len = bit.bor(bit.lshift(data:byte(index), 8), data:byte(index + 1))
+    index = index + 2
+    local cert = assert(openssl.x509.read(data:sub(index, index + len)))
+    index = index + len
+    assert(DEFAULT_CA_STORE:add(cert))
+  end
+end
+
+local function returnOne()
+  return 1
+end
+
+return function (options)
+  local ctx = openssl.ssl.ctx_new(
+    options.protocol or DEFAULT_SECUREPROTOCOL,
+    options.ciphers or DEFAULT_CIPHERS)
+
+  local key, cert, ca
+  if options.key then
+    key = assert(openssl.pkey.read(options.key, true, 'pem'))
+  end
+  if options.cert then
+    cert = {}
+    for chunk in options.cert:gmatch("%-+BEGIN[^-]+%-+[^-]+%-+END[^-]+%-+") do
+      cert[#cert + 1] = assert(openssl.x509.read(chunk))
+    end
+  end
+  if options.ca then
+    if type(options.ca) == "string" then
+      ca = { assert(openssl.x509.read(options.ca)) }
+    elseif type(options.ca) == "table" then
+      ca = {}
+      for i = 1, #options.ca do
+        ca[i] = assert(openssl.x509.read(options.ca[i]))
+      end
+    else
+      error("options.ca must be string or table of strings")
+    end
+  end
+  if key and cert then
+    local first = table.remove(cert, 1)
+    assert(ctx:use(key, first))
+    if #cert > 0 then
+      -- TODO: find out if there is a way to not need to duplicate the last cert here
+      -- as a dummy fill for the root CA cert
+      assert(ctx:add(cert[#cert], cert))
+    end
+  end
+  if ca then
+    local store = openssl.x509.store:new()
+    for i = 1, #ca do
+      assert(store:add(ca[i]))
+    end
+    ctx:cert_store(store)
+  elseif DEFAULT_CA_STORE then
+    ctx:cert_store(DEFAULT_CA_STORE)
+  end
+  if not (options.insecure or options.key) then
+    ctx:verify_mode(openssl.ssl.peer, returnOne)
+  end
+
+  ctx:options(bit.bor(
+    openssl.ssl.no_sslv2,
+    openssl.ssl.no_sslv3,
+    openssl.ssl.no_compression))
+
+  return ctx
+end