0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2024-12-26 15:33:54 +01:00

ircd::net::acceptor: Split/cleanup the acceptor configuration related.

This commit is contained in:
Jason Volk 2019-09-30 12:55:53 -07:00
parent 01af00bae0
commit 43a86a428c
2 changed files with 73 additions and 33 deletions

View file

@ -50,6 +50,13 @@ struct ircd::net::acceptor
bool interrupting {false};
ctx::dock joining;
// Internal configuration
void configure_dh(const json::object &);
void configure_certs(const json::object &);
void configure_curves(const json::object &);
void configure_ciphers(const json::object &);
void configure_flags(const json::object &);
void configure_password(const json::object &);
void configure(const json::object &opts);
// Handshake stack

View file

@ -2191,9 +2191,24 @@ ircd::net::acceptor::configure(const json::object &opts)
{
log::debug
{
log, "%s preparing listener socket configuration...", loghead(*this)
log, "%s preparing listener socket configuration...",
loghead(*this)
};
configure_password(opts);
configure_flags(opts);
configure_ciphers(opts);
configure_curves(opts);
configure_certs(opts);
SSL_CTX_set_alpn_select_cb(ssl.native_handle(), ircd_net_acceptor_handle_alpn, this);
SSL_CTX_set_tlsext_servername_callback(ssl.native_handle(), ircd_net_acceptor_handle_sni);
SSL_CTX_set_tlsext_servername_arg(ssl.native_handle(), this);
}
void
ircd::net::acceptor::configure_flags(const json::object &opts)
{
ulong flags(0);
if(opts.get<bool>("ssl_default_workarounds", false))
@ -2218,7 +2233,11 @@ ircd::net::acceptor::configure(const json::object &opts)
flags |= ssl.no_tlsv1_2;
ssl.set_options(flags);
}
void
ircd::net::acceptor::configure_ciphers(const json::object &opts)
{
if(!empty(unquote(opts["ssl_cipher_list"])))
{
const json::string &list
@ -2232,7 +2251,11 @@ ircd::net::acceptor::configure(const json::object &opts)
else if(!empty(string_view(ssl_cipher_list)))
{
assert(ssl.native_handle());
const string_view &list(ssl_cipher_list);
const string_view &list
{
ssl_cipher_list
};
openssl::set_cipher_list(*ssl.native_handle(), list);
}
else if(!empty(string_view(ssl_cipher_blacklist)))
@ -2240,8 +2263,16 @@ ircd::net::acceptor::configure(const json::object &opts)
assert(ssl.native_handle());
std::stringstream res;
const string_view &blacklist(ssl_cipher_blacklist);
const auto ciphers(openssl::cipher_list(*ssl.native_handle(), 0));
const string_view &blacklist
{
ssl_cipher_blacklist
};
const auto ciphers
{
openssl::cipher_list(*ssl.native_handle(), 0)
};
ircd::tokens(ciphers, ':', [&res, &blacklist]
(const string_view &cipher)
{
@ -2253,9 +2284,14 @@ ircd::net::acceptor::configure(const json::object &opts)
std::string list(res.str());
assert(list.empty() || list.back() == ':');
list.pop_back();
openssl::set_cipher_list(*ssl.native_handle(), list);
}
}
void
ircd::net::acceptor::configure_curves(const json::object &opts)
{
if(!empty(unquote(opts["ssl_curve_list"])))
{
const json::string &list
@ -2268,16 +2304,24 @@ ircd::net::acceptor::configure(const json::object &opts)
}
else if(!empty(string_view(ssl_curve_list)))
{
const string_view &list(ssl_curve_list);
const string_view &list
{
ssl_curve_list
};
assert(ssl.native_handle());
openssl::set_curves(*ssl.native_handle(), list);
}
}
void
ircd::net::acceptor::configure_certs(const json::object &opts)
{
if(!empty(unquote(opts["certificate_chain_path"])))
{
const std::string filename
const json::string filename
{
unquote(opts["certificate_chain_path"])
opts["certificate_chain_path"]
};
if(!fs::exists(filename))
@ -2344,12 +2388,16 @@ ircd::net::acceptor::configure(const json::object &opts)
filename
};
}
}
void
ircd::net::acceptor::configure_dh(const json::object &opts)
{
if(!empty(unquote(opts["tmp_dh_path"])))
{
const std::string filename
const json::string filename
{
unquote(opts.at("tmp_dh_path"))
opts.at("tmp_dh_path")
};
if(!fs::exists(filename))
@ -2365,30 +2413,19 @@ ircd::net::acceptor::configure(const json::object &opts)
{
log, "%s using tmp dh file '%s'",
loghead(*this),
filename
};
}
else if(!empty(unquote(opts["tmp_dh"])))
{
const const_buffer buf
{
unquote(opts.at("tmp_dh"))
filename,
};
ssl.use_tmp_dh(buf);
log::info
{
log, "%s using DH params supplied in options (%zu bytes)",
loghead(*this),
size(buf)
};
}
else
{
assert(ssl.native_handle());
openssl::set_ecdh_auto(*ssl.native_handle(), true);
return;
}
assert(ssl.native_handle());
openssl::set_ecdh_auto(*ssl.native_handle(), true);
}
void
ircd::net::acceptor::configure_password(const json::object &opts)
{
//TODO: XXX
ssl.set_password_callback([this]
(const auto &size, const auto &purpose)
@ -2405,10 +2442,6 @@ ircd::net::acceptor::configure(const json::object &opts)
assert(0);
return "foobar";
});
SSL_CTX_set_alpn_select_cb(ssl.native_handle(), ircd_net_acceptor_handle_alpn, this);
SSL_CTX_set_tlsext_servername_callback(ssl.native_handle(), ircd_net_acceptor_handle_sni);
SSL_CTX_set_tlsext_servername_arg(ssl.native_handle(), this);
}
//