diff options
| -rw-r--r-- | doc/luaossl.pdf | bin | 182545 -> 182982 bytes | |||
| -rw-r--r-- | doc/luaossl.tex | 27 | ||||
| -rw-r--r-- | src/openssl.c | 94 | ||||
| -rw-r--r-- | src/openssl.ssl.context.lua | 30 | ||||
| -rw-r--r-- | src/openssl.ssl.lua | 30 |
5 files changed, 107 insertions, 74 deletions
diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf Binary files differindex fb5679d..b7a09dc 100644 --- a/doc/luaossl.pdf +++ b/doc/luaossl.pdf diff --git a/doc/luaossl.tex b/doc/luaossl.tex index c371dbd..efc6422 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -1089,23 +1089,24 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. -\subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}} - -Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}. - -\emph{Only supported since OpenSSL 1.0.2.} - \subsubsection[\fn{context:setCipherSuites}]{\fn{context:setCipherSuites($string$ [, ...])}} Sets the supported TLS 1.3 cipher suites. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. \emph{Only supported since OpenSSL 1.1.1.} +\subsubsection[\fn{context:setGroups}]{\fn{context:setGroups($string$ [, ...])}} + +Sets the supported groups. The string format is a list of colon separated group names similar to \texttt{ctx:setCipherList(...)}. +A list of supported EC groups can be found by running \texttt{openssl ecparam -list\_curves}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. -\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} +\emph{In older version of OpenSSL, in order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. For OpenSSL versions >= 1.0.2, see \fn{context:setGroups} instead. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} @@ -1357,18 +1358,18 @@ Returns the SSL/TLS version supported by the client, which should be greater tha Sets the allowed public key and private key algorithm(s). See \fn{openssl.ssl.context:setCipherList}. -\subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}} - -Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}. - -\emph{Only supported since OpenSSL 1.0.2.} - \subsubsection[\fn{ssl:setCipherSuites}]{\fn{ssl:setCipherSuites($string$ [, ...])}} Sets the supported TLS 1.3 cipher suites for this SSL connection instance. See \fn{openssl.ssl.context:setCipherSuites}. \emph{Only supported since OpenSSL 1.1.1.} +\subsubsection[\fn{ssl:setGroups}]{\fn{ssl:setGroups($string$ [, ...])}} + +Sets the supported groups for this SSL connection instance. See \fn{openssl.ssl.context:setGroups}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} Returns the negotiated ALPN protocol as a string. diff --git a/src/openssl.c b/src/openssl.c index 790b153..620ef4e 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -355,6 +355,21 @@ #define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) #endif +#ifndef HAVE_SSL_CTX_SET_GROUPS_LIST +#if OPENSSL_PREREQ(1,1,1) +#define HAVE_SSL_CTX_SET_GROUPS_LIST 1 +#elif HAVE_SSL_CTX_SET_CURVES_LIST +#define SSL_CTX_set1_groups_list SSL_CTX_set1_curves_list +#define HAVE_SSL_CTX_SET_GROUPS_LIST 1 +#else +#define HAVE_SSL_CTX_SET_GROUPS_LIST 0 +#endif +#endif + +#ifndef HAVE_SSL_CTX_SET_GROUPS_LIST +#define HAVE_SSL_CTX_SET_GROUPS_LIST OPENSSL_PREREQ(1,1,1) +#endif + #ifndef HAVE_SSL_CTX_SET_ECDH_AUTO #define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2)) #endif @@ -455,6 +470,17 @@ #define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) #endif +#ifndef HAVE_SSL_SET_GROUPS_LIST +#if OPENSSL_PREREQ(1,1,1) +#define HAVE_SSL_SET_GROUPS_LIST 1 +#elif HAVE_SSL_SET_CURVES_LIST +#define SSL_set1_groups_list SSL_set1_curves_list +#define HAVE_SSL_SET_GROUPS_LIST 1 +#else +#define HAVE_SSL_SET_GROUPS_LIST 0 +#endif +#endif + #ifndef HAVE_SSL_SET1_CHAIN #define HAVE_SSL_SET1_CHAIN OPENSSL_PREREQ(1,0,2) #endif @@ -9521,21 +9547,6 @@ static int sx_setCipherList(lua_State *L) { } /* sx_setCipherList() */ -#if HAVE_SSL_CTX_SET_CURVES_LIST -static int sx_setCurvesList(lua_State *L) { - SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); - const char *curves = luaL_checkstring(L, 2); - - if (!SSL_CTX_set1_curves_list(ctx, curves)) - return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList"); - - lua_pushboolean(L, 1); - - return 1; -} /* sx_setCurvesList() */ -#endif - - #if HAVE_SSL_CTX_SET_CIPHERSUITES static int sx_setCipherSuites(lua_State *L) { SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); @@ -9596,6 +9607,21 @@ static int sx_setEphemeralKey(lua_State *L) { } /* sx_setEphemeralKey() */ +#if HAVE_SSL_CTX_SET_GROUPS_LIST +static int sx_setGroups(lua_State *L) { + SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); + const char *list = luaL_checkstring(L, 2); + + if (!SSL_CTX_set1_groups_list(ctx, list)) + return auxL_error(L, auxL_EOPENSSL, "ssl.context:setGroups"); + + lua_pushboolean(L, 1); + + return 1; +} /* sx_setGroups() */ +#endif + + #if HAVE_SSL_CTX_SET_ALPN_PROTOS static int sx_setAlpnProtos(lua_State *L) { SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); @@ -10262,13 +10288,14 @@ static const auxL_Reg sx_methods[] = { #endif { "setPrivateKey", &sx_setPrivateKey }, { "setCipherList", &sx_setCipherList }, -#if HAVE_SSL_CTX_SET_CURVES_LIST - { "setCurvesList", &sx_setCurvesList }, -#endif #if HAVE_SSL_CTX_SET_CIPHERSUITES { "setCipherSuites", &sx_setCipherSuites }, #endif { "setEphemeralKey", &sx_setEphemeralKey }, +#if HAVE_SSL_CTX_SET_GROUPS_LIST + { "setCurvesList", &sx_setGroups }, /* old alias */ + { "setGroups", &sx_setGroups }, +#endif #if HAVE_SSL_CTX_SET_ALPN_PROTOS { "setAlpnProtos", &sx_setAlpnProtos }, #endif @@ -10869,33 +10896,33 @@ static int ssl_setCipherList(lua_State *L) { } /* ssl_setCipherList() */ -#if HAVE_SSL_SET_CURVES_LIST -static int ssl_setCurvesList(lua_State *L) { +#if HAVE_SSL_SET_CIPHERSUITES +static int ssl_setCipherSuites(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); - const char *curves = luaL_checkstring(L, 2); + const char *ciphers = luaL_checkstring(L, 2); - if (!SSL_set1_curves_list(ssl, curves)) - return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList"); + if (!SSL_set_ciphersuites(ssl, ciphers)) + return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites"); lua_pushboolean(L, 1); return 1; -} /* ssl_setCurvesList() */ +} /* ssl_setCipherSuites() */ #endif -#if HAVE_SSL_SET_CIPHERSUITES -static int ssl_setCipherSuites(lua_State *L) { +#if HAVE_SSL_SET_GROUPS_LIST +static int ssl_setGroups(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); - const char *ciphers = luaL_checkstring(L, 2); + const char *list = luaL_checkstring(L, 2); - if (!SSL_set_ciphersuites(ssl, ciphers)) - return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites"); + if (!SSL_set1_groups_list(ssl, list)) + return auxL_error(L, auxL_EOPENSSL, "ssl:setGroups"); lua_pushboolean(L, 1); return 1; -} /* ssl_setCipherSuites() */ +} /* ssl_setGroups() */ #endif @@ -11194,12 +11221,13 @@ static const auxL_Reg ssl_methods[] = { { "getPeerChain", &ssl_getPeerChain }, { "getCipherInfo", &ssl_getCipherInfo }, { "setCipherList", &ssl_setCipherList }, -#if HAVE_SSL_SET_CURVES_LIST - { "setCurvesList", &ssl_setCurvesList }, -#endif #if HAVE_SSL_SET_CIPHERSUITES { "setCipherSuites", &ssl_setCipherSuites }, #endif +#if HAVE_SSL_SET_GROUPS_LIST + { "setCurvesList", &ssl_setGroups }, /* old alias */ + { "setGroups", &ssl_setGroups }, +#endif { "getHostName", &ssl_getHostName }, { "setHostName", &ssl_setHostName }, { "getVersion", &ssl_getVersion }, diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua index 54cbad7..db1e704 100644 --- a/src/openssl.ssl.context.lua +++ b/src/openssl.ssl.context.lua @@ -13,20 +13,6 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se return setCipherList(self, ciphers) end) --- Allow passing a vararg of curves, or an array -local setCurvesList = ctx.interpose("setCurvesList", nil) -if setCurvesList then - ctx.interpose("setCurvesList", function (self, curves, ...) - if (...) then - local curves_t = pack(curves, ...) - curves = table.concat(curves_t, ":", 1, curves_t.n) - elseif type(curves) == "table" then - curves = table.concat(curves, ":") - end - return setCurvesList(self, curves) - end) -end - -- Allow passing a vararg of ciphersuites, or an array local setCipherSuites = ctx.interpose("setCipherSuites", nil) if setCipherSuites then @@ -41,4 +27,20 @@ if setCipherSuites then end) end +-- Allow passing a vararg of curves, or an array +local setGroups = ctx.interpose("setGroups", nil) +if setGroups then + local function varargSetGroups(self, group, ...) + if (...) then + local group_t = pack(group, ...) + group = table.concat(group_t, ":", 1, group_t.n) + elseif type(group) == "table" then + group = table.concat(group, ":") + end + return setGroups(self, group) + end + ctx.interpose("setGroups", varargSetGroups) + ctx.interpose("setCurvesList", varargSetGroups) +end + return ctx diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua index 22311cd..aa0ad81 100644 --- a/src/openssl.ssl.lua +++ b/src/openssl.ssl.lua @@ -19,20 +19,6 @@ local setCipherList; setCipherList = ssl.interpose("setCipherList", function (se return setCipherList(self, ciphers) end) --- Allow passing a vararg of curves, or an array -local setCurvesList = ssl.interpose("setCurvesList", nil) -if setCurvesList then - ssl.interpose("setCurvesList", function (self, curves, ...) - if (...) then - local curves_t = pack(curves, ...) - curves = table.concat(curves_t, ":", 1, curves_t.n) - elseif type(curves) == "table" then - curves = table.concat(curves, ":") - end - return setCurvesList(self, curves) - end) -end - -- Allow passing a vararg of ciphersuites, or an array local setCipherSuites = ssl.interpose("setCipherSuites", nil) if setCipherSuites then @@ -47,4 +33,20 @@ if setCipherSuites then end) end +-- Allow passing a vararg of curves, or an array +local setGroups = ssl.interpose("setGroups", nil) +if setGroups then + local function varargSetGroups(self, group, ...) + if (...) then + local group_t = pack(group, ...) + group = table.concat(group_t, ":", 1, group_t.n) + elseif type(group) == "table" then + group = table.concat(group, ":") + end + return setGroups(self, group) + end + ssl.interpose("setGroups", varargSetGroups) + ssl.interpose("setCurvesList", varargSetGroups) +end + return ssl |