diff options
-rw-r--r-- | doc/luaossl.pdf | bin | 276077 -> 300041 bytes | |||
-rw-r--r-- | doc/luaossl.tex | 14 | ||||
-rw-r--r-- | src/openssl.c | 57 | ||||
-rw-r--r-- | src/openssl.ssl.context.lua | 14 | ||||
-rw-r--r-- | src/openssl.ssl.lua | 20 |
5 files changed, 102 insertions, 3 deletions
diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf Binary files differindex 25c58ca..81142cb 100644 --- a/doc/luaossl.pdf +++ b/doc/luaossl.pdf diff --git a/doc/luaossl.tex b/doc/luaossl.tex index 5e19e66..7bb85df 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -933,11 +933,17 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. +\subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}} + +Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. -\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{\href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{According to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-* applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} +\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} @@ -1070,6 +1076,12 @@ TLS1\_2\_VERSION & 16-bit TLSv1.2 identifier (0x0303). \\ Returns the SSL/TLS version supported by the client, which should be greater than or equal to the negotiated version. See \fn{ssl:getVersion}. +\subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}} + +Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} Returns the negotiated ALPN protocol as a string. diff --git a/src/openssl.c b/src/openssl.c index ac053fd..a3e5637 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -253,6 +253,14 @@ #define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2) #endif +#ifndef HAVE_SSL_CTX_SET_CURVES_LIST +#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) +#endif + +#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO +#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2)) +#endif + #ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS #define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3)) #endif @@ -297,6 +305,10 @@ #define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS #endif +#ifndef HAVE_SSL_SET_CURVES_LIST +#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) +#endif + #ifndef HAVE_SSL_SET1_PARAM #define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) #endif @@ -7824,6 +7836,15 @@ static int sx_new(lua_State *L) { SSL_CTX_set_options(*ud, options); +#if HAVE_SSL_CTX_SET_ECDH_AUTO + /* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select + * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL + * 1.1.0, the functionality was turned on permanently and the option + * removed. */ + if (!SSL_CTX_set_ecdh_auto(*ud, 1)) + return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); +#endif + return 1; } /* sx_new() */ @@ -7999,6 +8020,21 @@ static int sx_setCipherList(lua_State *L) { } /* sx_setCipherList() */ +#if HAVE_SSL_CTX_SET_CURVES_LIST +static int sx_setCurvesList(lua_State *L) { + SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); + const char *curves = luaL_checkstring(L, 2); + + if (!SSL_CTX_set1_curves_list(ctx, curves)) + return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList"); + + lua_pushboolean(L, 1); + + return 1; +} /* sx_setCurvesList() */ +#endif + + static int sx_setEphemeralKey(lua_State *L) { SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); @@ -8303,6 +8339,9 @@ static const auxL_Reg sx_methods[] = { { "setCertificate", &sx_setCertificate }, { "setPrivateKey", &sx_setPrivateKey }, { "setCipherList", &sx_setCipherList }, +#if HAVE_SSL_CTX_SET_CURVES_LIST + { "setCurvesList", &sx_setCurvesList }, +#endif { "setEphemeralKey", &sx_setEphemeralKey }, #if HAVE_SSL_CTX_SET_ALPN_PROTOS { "setAlpnProtos", &sx_setAlpnProtos }, @@ -8627,6 +8666,21 @@ static int ssl_getCipherInfo(lua_State *L) { } /* ssl_getCipherInfo() */ +#if HAVE_SSL_SET_CURVES_LIST +static int ssl_setCurvesList(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + const char *curves = luaL_checkstring(L, 2); + + if (!SSL_set1_curves_list(ssl, curves)) + return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList"); + + lua_pushboolean(L, 1); + + return 1; +} /* ssl_setCurvesList() */ +#endif + + static int ssl_getHostName(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); const char *host; @@ -8881,6 +8935,9 @@ static const auxL_Reg ssl_methods[] = { { "getPeerCertificate", &ssl_getPeerCertificate }, { "getPeerChain", &ssl_getPeerChain }, { "getCipherInfo", &ssl_getCipherInfo }, +#if HAVE_SSL_SET_CURVES_LIST + { "setCurvesList", &ssl_setCurvesList }, +#endif { "getHostName", &ssl_getHostName }, { "setHostName", &ssl_setHostName }, { "getVersion", &ssl_getVersion }, diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua index 2098b54..3263fb1 100644 --- a/src/openssl.ssl.context.lua +++ b/src/openssl.ssl.context.lua @@ -13,4 +13,18 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se return setCipherList(self, ciphers) end) +-- Allow passing a vararg of curves, or an array +local setCurvesList = ctx.interpose("setCurvesList", nil) +if setCurvesList then + ctx.interpose("setCurvesList", function (self, curves, ...) + if (...) then + local curves_t = pack(curves, ...) + curves = table.concat(curves_t, ":", 1, curves_t.n) + elseif type(curves) == "table" then + curves = table.concat(curves, ":") + end + return setCurvesList(self, curves) + end) +end + return ctx diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua index 3c348f6..bf90f29 100644 --- a/src/openssl.ssl.lua +++ b/src/openssl.ssl.lua @@ -1,3 +1,19 @@ -local ctx = require"_openssl.ssl" +local ssl = require"_openssl.ssl" -return ctx +local pack = table.pack or function(...) return { n = select("#", ...); ... } end + +-- Allow passing a vararg of curves, or an array +local setCurvesList = ssl.interpose("setCurvesList", nil) +if setCurvesList then + ssl.interpose("setCurvesList", function (self, curves, ...) + if (...) then + local curves_t = pack(curves, ...) + curves = table.concat(curves_t, ":", 1, curves_t.n) + elseif type(curves) == "table" then + curves = table.concat(curves, ":") + end + return setCurvesList(self, curves) + end) +end + +return ssl |