author daurnimator <quae@daurnimator.com> 2017-08-30 23:36:06 +1000
committer daurnimator <quae@daurnimator.com> 2017-08-30 23:37:13 +1000
commit24c947d934703c5b59edfe8229f9fa5202ffc86d (patch)
tree62786babbb8f4e7f0f6a747909809e16c2bf4c63 /src
parent71c54169bb96543a50f90767d351702f63fa0220 (diff)
parentf92ced1a1448c07ae19c3832a278867859371f76 (diff)
Merge branch 'curves_list'
Diffstat (limited to 'src')
-rw-r--r--src/openssl.c57
-rw-r--r--src/openssl.ssl.context.lua14
-rw-r--r--src/openssl.ssl.lua20
3 files changed, 89 insertions, 2 deletions
diff --git a/src/openssl.c b/src/openssl.c
index ac053fd..a3e5637 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -253,6 +253,14 @@
#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2)
#endif
+#ifndef HAVE_SSL_CTX_SET_CURVES_LIST
+#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
+#endif
+
+#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO
+#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2))
+#endif
+
#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3))
#endif
@@ -297,6 +305,10 @@
#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS
#endif
+#ifndef HAVE_SSL_SET_CURVES_LIST
+#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
+#endif
+
#ifndef HAVE_SSL_SET1_PARAM
#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2)
#endif
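Review bot: `HAVE_SSL_SET_CURVES_LIST` spells out `OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)` a second time instead of aliasing the context-level macro, which is how the ALPN pair just above is written (`#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS`). Writing it as `#define HAVE_SSL_SET_CURVES_LIST HAVE_SSL_CTX_SET_CURVES_LIST` keeps the two feature tests in lockstep, so a future correction to the version bounds (for either library) is made in one place rather than risking the SSL and SSL_CTX wrappers drifting apart. The values are identical today, so this is a consistency point only.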
@@ -7824,6 +7836,15 @@ static int sx_new(lua_State *L) {
SSL_CTX_set_options(*ud, options);
+#if HAVE_SSL_CTX_SET_ECDH_AUTO
+ /* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select
+ * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL
+ * 1.1.0, the functionality was turned on permanently and the option
+ * removed. */
+ if (!SSL_CTX_set_ecdh_auto(*ud, 1))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
+#endif
+
return 1;
} /* sx_new() */
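Review bot: The new `SSL_CTX_set_ecdh_auto(*ud, 1)` call silently changes the default behaviour of every context created on an OpenSSL 1.0.2 build (automatic ECDHE curve selection is now on without the caller asking for it), and neither the comment nor the method documentation says so; the comment should state that this is deliberate so a later reader does not "fix" it, e.g. append `Enabled unconditionally so that new contexts behave like 1.1.0+ contexts by default.` The comment also only explains the OpenSSL side, while the guard macro added earlier in this patch admits LibreSSL too; a sentence naming why the LibreSSL 2.1.2 bound was chosen would save the next reader a trip to the macro. `sx_new` begins before this hunk, so whether the half-built SSL_CTX in `*ud` is reclaimed when `auxL_error` unwinds depends on the userdata already carrying its `__gc` metatable at this point — worth confirming rather than assuming, since the failure path is new.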
@@ -7999,6 +8020,21 @@ static int sx_setCipherList(lua_State *L) {
} /* sx_setCipherList() */
+#if HAVE_SSL_CTX_SET_CURVES_LIST
+static int sx_setCurvesList(lua_State *L) {
+ SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+ const char *curves = luaL_checkstring(L, 2);
+
+ if (!SSL_CTX_set1_curves_list(ctx, curves))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* sx_setCurvesList() */
+#endif
+
+
static int sx_setEphemeralKey(lua_State *L) {
SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
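Review bot: `sx_setCurvesList` is a new public API entry point but has no header comment describing what string it accepts or when it raises, and the Lua-side wrapper only adds an array/vararg convenience on top of it. A short comment above the function, `/* setCurvesList(ctx, "P-256:P-384"): colon-separated curve names in SSL_CTX_set1_curves_list syntax; raises (via auxL_error) when the library rejects the list, which is what a misspelled or unsupported curve name produces. */`, would make the failure mode visible to callers who are tightening their curve set for security reasons and want a misconfiguration to be loud rather than silently fall back. The `lua_pushboolean(L, 1)` return mirrors `sx_setCipherList` directly above, so no change is needed there.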
@@ -8303,6 +8339,9 @@ static const auxL_Reg sx_methods[] = {
{ "setCertificate", &sx_setCertificate },
{ "setPrivateKey", &sx_setPrivateKey },
{ "setCipherList", &sx_setCipherList },
+#if HAVE_SSL_CTX_SET_CURVES_LIST
+ { "setCurvesList", &sx_setCurvesList },
+#endif
{ "setEphemeralKey", &sx_setEphemeralKey },
#if HAVE_SSL_CTX_SET_ALPN_PROTOS
{ "setAlpnProtos", &sx_setAlpnProtos },
@@ -8627,6 +8666,21 @@ static int ssl_getCipherInfo(lua_State *L) {
} /* ssl_getCipherInfo() */
+#if HAVE_SSL_SET_CURVES_LIST
+static int ssl_setCurvesList(lua_State *L) {
+ SSL *ssl = checksimple(L, 1, SSL_CLASS);
+ const char *curves = luaL_checkstring(L, 2);
+
+ if (!SSL_set1_curves_list(ssl, curves))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* ssl_setCurvesList() */
+#endif
+
+
static int ssl_getHostName(lua_State *L) {
SSL *ssl = checksimple(L, 1, SSL_CLASS);
const char *host;
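Review bot: `ssl_setCurvesList` is a per-connection setter, but nothing in the code or an accompanying comment tells the caller that the list only matters for a handshake that has not yet started — from the name alone that looks to be the case, since the curve list feeds the hello/key-share selection, but I would confirm it against the library before relying on it. If so, a one-line comment such as `/* Affects only a handshake that has not yet begun; a no-op on an established connection. */` prevents a silent no-op for code that calls it after `connect`/`accept`. The body otherwise mirrors `sx_setCurvesList` earlier in this patch apart from the class check and the `SSL_set1_curves_list` call, which is fine.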
@@ -8881,6 +8935,9 @@ static const auxL_Reg ssl_methods[] = {
{ "getPeerCertificate", &ssl_getPeerCertificate },
{ "getPeerChain", &ssl_getPeerChain },
{ "getCipherInfo", &ssl_getCipherInfo },
+#if HAVE_SSL_SET_CURVES_LIST
+ { "setCurvesList", &ssl_setCurvesList },
+#endif
{ "getHostName", &ssl_getHostName },
{ "setHostName", &ssl_setHostName },
{ "getVersion", &ssl_getVersion },
diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua
index 2098b54..3263fb1 100644
--- a/src/openssl.ssl.context.lua
+++ b/src/openssl.ssl.context.lua
@@ -13,4 +13,18 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se
return setCipherList(self, ciphers)
end)
+-- Allow passing a vararg of curves, or an array
+local setCurvesList = ctx.interpose("setCurvesList", nil)
+if setCurvesList then
+ ctx.interpose("setCurvesList", function (self, curves, ...)
+ if (...) then
+ local curves_t = pack(curves, ...)
+ curves = table.concat(curves_t, ":", 1, curves_t.n)
+ elseif type(curves) == "table" then
+ curves = table.concat(curves, ":")
+ end
+ return setCurvesList(self, curves)
+ end)
+end
+
return ctx
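Review bot: The interposer calls `pack` in `local curves_t = pack(curves, ...)`, but nothing in this hunk defines it; unless a `local pack = table.pack or ...` already exists above line 13 of openssl.ssl.context.lua (the sibling openssl.ssl.lua hunk in this patch adds exactly that line, which suggests it may be missing here), the vararg path resolves `pack` as a global that is nil on Lua 5.1 and fails with "attempt to call global 'pack'" — worth checking against the top of the file, which is outside this hunk. Separately, `if (...) then` tests only the first extra argument, so `ctx:setCurvesList("P-256", nil, "P-384")` takes neither branch and quietly passes just "P-256" to the C side, narrowing the curve set without any error; `if select("#", ...) > 0 then` routes every vararg call through `pack`, where `table.concat` will raise on the nil element instead of dropping curves silently.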
diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua
index 3c348f6..bf90f29 100644
--- a/src/openssl.ssl.lua
+++ b/src/openssl.ssl.lua
@@ -1,3 +1,19 @@
-local ctx = require"_openssl.ssl"
+local ssl = require"_openssl.ssl"
-return ctx
+local pack = table.pack or function(...) return { n = select("#", ...); ... } end
+
+-- Allow passing a vararg of curves, or an array
+local setCurvesList = ssl.interpose("setCurvesList", nil)
+if setCurvesList then
+ ssl.interpose("setCurvesList", function (self, curves, ...)
+ if (...) then
+ local curves_t = pack(curves, ...)
+ curves = table.concat(curves_t, ":", 1, curves_t.n)
+ elseif type(curves) == "table" then
+ curves = table.concat(curves, ":")
+ end
+ return setCurvesList(self, curves)
+ end)
+end
+
+return ssl
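Review bot: `if (...) then` only looks at the first extra argument, so a call such as `ssl:setCurvesList("P-256", nil, "P-384")` falls through both branches and hands just "P-256" to `SSL_set1_curves_list` with no error — a silently narrowed curve list is exactly the kind of misconfiguration this API should refuse. Replacing the test with `if select("#", ...) > 0 then` sends every vararg call through `pack`, where `table.concat(curves_t, ":", 1, curves_t.n)` raises on the nil instead of swallowing it. The wrapper is otherwise a line-for-line copy of the one added to openssl.ssl.context.lua in this same patch; if the two modules share an internal helper module, hoisting the curves-to-string conversion there would keep the two from drifting, but that is a follow-up rather than a blocker.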