-rw-r--r--doc/luaossl.tex12
-rw-r--r--src/openssl.c44
-rw-r--r--src/openssl.ssl.context.lua14
-rw-r--r--src/openssl.ssl.lua14
4 files changed, 84 insertions, 0 deletions
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 45c2602..b5ae2f6 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -981,6 +981,12 @@ Sets the supported curves. The string format is a list of colon separated curve
\emph{Only supported since OpenSSL 1.0.2.}
+\subsubsection[\fn{context:setCipherSuites}]{\fn{context:setCipherSuites($string$ [, ...])}}
+
+Sets the supported TLS 1.3 cipher suites. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}.
+
+\emph{Only supported since OpenSSL 1.1.1.}
+
\subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}}
Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key.
@@ -1225,6 +1231,12 @@ Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.
\emph{Only supported since OpenSSL 1.0.2.}
+\subsubsection[\fn{ssl:setCipherSuites}]{\fn{ssl:setCipherSuites($string$ [, ...])}}
+
+Sets the supported TLS 1.3 cipher suites for this SSL connection instance. See \fn{openssl.ssl.context:setCipherSuites}.
+
+\emph{Only supported since OpenSSL 1.1.1.}
+
\subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}}
Returns the negotiated ALPN protocol as a string.
diff --git a/src/openssl.c b/src/openssl.c
index 7a5031b..e49c0e7 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -287,6 +287,10 @@
#define HAVE_SSL_CTX_GET0_CERTIFICATE (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0))
#endif
+#ifndef HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_SSL_CTX_SET_CIPHERSUITES OPENSSL_PREREQ(1,1,1)
+#endif
+
#ifndef HAVE_SSL_CTX_SET_CURVES_LIST
#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
#endif
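Review bot: HAVE_SSL_CTX_SET_CIPHERSUITES at line 43 is gated on OPENSSL_PREREQ(1,1,1) alone, while the neighbouring HAVE_SSL_CTX_SET_CURVES_LIST also admits a LibreSSL version; whether the asymmetry is deliberate (LibreSSL having no SSL_CTX_set_ciphersuites) cannot be told from here, so a one-line comment would spare the next reader the same question, e.g. `/* TLS 1.3 ciphersuite list API: OpenSSL 1.1.1+ only, no LibreSSL equivalent known */`. This also relies on OPENSSL_PREREQ, defined outside the hunk, excluding LibreSSL builds (LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER); if it does not, the gate would enable a function whose symbol does not exist there and the build would fail at link time rather than degrade gracefully.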
@@ -375,6 +379,10 @@
#define HAVE_SSL_SET1_VERIFY_CERT_STORE OPENSSL_PREREQ(1,0,2)
#endif
+#ifndef HAVE_SSL_SET_CIPHERSUITES
+#define HAVE_SSL_SET_CIPHERSUITES OPENSSL_PREREQ(1,1,1)
+#endif
+
#ifndef HAVE_SSL_SET_CURVES_LIST
#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
#endif
@@ -8781,6 +8789,21 @@ static int sx_setCurvesList(lua_State *L) {
#endif
+#if HAVE_SSL_CTX_SET_CIPHERSUITES
+static int sx_setCipherSuites(lua_State *L) {
+ SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+ const char *ciphers = luaL_checkstring(L, 2);
+
+ if (!SSL_CTX_set_ciphersuites(ctx, ciphers))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCipherSuites");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* sx_setCipherSuites() */
+#endif
+
+
static int sx_setEphemeralKey(lua_State *L) {
SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
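Review bot: luaL_checkstring at line 64 discards the Lua string length, so a suite list containing an embedded NUL is silently cut at the NUL before SSL_CTX_set_ciphersuites ever sees it, and every suite after that point is quietly dropped from the configuration; use `size_t len; const char *ciphers = luaL_checklstring(L, 2, &len);` followed by `if (strlen(ciphers) != len) return luaL_argerror(L, 2, "embedded NUL in cipher suite list");` so a malformed list fails loudly. The function would also benefit from a header comment stating that this list governs TLS 1.3 suites only and leaves the TLS 1.2-and-below list set by setCipherList untouched, since the two are easy to confuse. As far as I recall OpenSSL also accepts an empty string here and treats it as "no TLS 1.3 suites", which effectively disables TLS 1.3 on the context; worth confirming against the OpenSSL docs and, if so, noting in that comment.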
@@ -9463,6 +9486,9 @@ static const auxL_Reg sx_methods[] = {
#if HAVE_SSL_CTX_SET_CURVES_LIST
{ "setCurvesList", &sx_setCurvesList },
#endif
+#if HAVE_SSL_CTX_SET_CIPHERSUITES
+ { "setCipherSuites", &sx_setCipherSuites },
+#endif
{ "setEphemeralKey", &sx_setEphemeralKey },
#if HAVE_SSL_CTX_SET_ALPN_PROTOS
{ "setAlpnProtos", &sx_setAlpnProtos },
@@ -10015,6 +10041,21 @@ static int ssl_setCurvesList(lua_State *L) {
#endif
+#if HAVE_SSL_SET_CIPHERSUITES
+static int ssl_setCipherSuites(lua_State *L) {
+ SSL *ssl = checksimple(L, 1, SSL_CLASS);
+ const char *ciphers = luaL_checkstring(L, 2);
+
+ if (!SSL_set_ciphersuites(ssl, ciphers))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* ssl_setCipherSuites() */
+#endif
+
+
static int ssl_getHostName(lua_State *L) {
SSL *ssl = checksimple(L, 1, SSL_CLASS);
const char *host;
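Review bot: ssl_setCipherSuites at line 94 has the same silent-truncation gap as its context-level twin: luaL_checkstring ignores the Lua string length, so an embedded NUL shortens the list passed to SSL_set_ciphersuites without any error, and the suites after it are lost; apply the same `luaL_checklstring` plus `strlen(ciphers) != len` rejection here so the two bindings stay consistent. The function also lacks any comment distinguishing it from the context version; I would add `/* Per-connection TLS 1.3 suite list; presumably overrides the SSL_CTX setting for this SSL only (TLS 1.2 and below stay under setCipherList). */`. Whether a call made after the handshake has started has any effect is not something this hunk shows, so that caveat should be confirmed against SSL_set_ciphersuites(3) before being documented.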
@@ -10306,6 +10347,9 @@ static const auxL_Reg ssl_methods[] = {
#if HAVE_SSL_SET_CURVES_LIST
{ "setCurvesList", &ssl_setCurvesList },
#endif
+#if HAVE_SSL_SET_CIPHERSUITES
+ { "setCipherSuites", &ssl_setCipherSuites },
+#endif
{ "getHostName", &ssl_getHostName },
{ "setHostName", &ssl_setHostName },
{ "getVersion", &ssl_getVersion },
diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua
index 3263fb1..54cbad7 100644
--- a/src/openssl.ssl.context.lua
+++ b/src/openssl.ssl.context.lua
@@ -27,4 +27,18 @@ if setCurvesList then
end)
end
+-- Allow passing a vararg of ciphersuites, or an array
+local setCipherSuites = ctx.interpose("setCipherSuites", nil)
+if setCipherSuites then
+ ctx.interpose("setCipherSuites", function (self, ciphers, ...)
+ if (...) then
+ local ciphers_t = pack(ciphers, ...)
+ ciphers = table.concat(ciphers_t, ":", 1, ciphers_t.n)
+ elseif type(ciphers) == "table" then
+ ciphers = table.concat(ciphers, ":")
+ end
+ return setCipherSuites(self, ciphers)
+ end)
+end
+
return ctx
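Review bot: An empty table passed at lines 133-134 becomes `table.concat({}, ":")`, i.e. the empty string, which goes straight to the C binding; as far as I recall OpenSSL accepts an empty TLS 1.3 suite list and treats it as "no suites", so `ctx:setCipherSuites({})` would silently disable TLS 1.3 instead of failing. If disabling is not an intended use of this API, guard it before the call at line 136 with `if ciphers == "" then error("setCipherSuites: empty cipher suite list", 2) end`. Separately, a table first argument combined with varargs takes the first branch at lines 130-132 and ends up inside table.concat with a non-string element, which raises an unhelpful "invalid value in table for 'concat'" error rather than an argument error naming the problem. The `pack` used at line 131 is not defined in the hunk; the setCurvesList wrapper above presumably uses the same file-level compat local, but if it is a global lookup it is nil on Lua 5.1.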
diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua
index 2a18024..4f9f82b 100644
--- a/src/openssl.ssl.lua
+++ b/src/openssl.ssl.lua
@@ -22,4 +22,18 @@ if setCurvesList then
end)
end
+-- Allow passing a vararg of ciphersuites, or an array
+local setCipherSuites = ssl.interpose("setCipherSuites", nil)
+if setCipherSuites then
+ ssl.interpose("setCipherSuites", function (self, ciphers, ...)
+ if (...) then
+ local ciphers_t = pack(ciphers, ...)
+ ciphers = table.concat(ciphers_t, ":", 1, ciphers_t.n)
+ elseif type(ciphers) == "table" then
+ ciphers = table.concat(ciphers, ":")
+ end
+ return setCipherSuites(self, ciphers)
+ end)
+end
+
return ssl
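Review bot: `pack` at line 153 is referenced but not defined anywhere in the hunk; it is presumably a file-level local shim (table.pack on 5.2+, a select("#") fallback on 5.1) that the setCurvesList wrapper just above also uses, but if openssl.ssl.lua does not declare it, this is a global lookup that is nil on Lua 5.1 and the vararg form fails at call time. The same empty-list behaviour as in the context wrapper applies here: `ssl:setCipherSuites({})` concatenates to "" at line 156 and, if OpenSSL treats an empty TLS 1.3 list as "no suites" as I believe it does, silently disables TLS 1.3 for this connection; `if ciphers == "" then error("setCipherSuites: empty cipher suite list", 2) end` before line 158 would turn that into a visible error. Since the two wrappers are byte-for-byte identical, a shared helper in one place would keep any such guard from drifting between them.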