aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/luaossl.pdfbin182545 -> 182982 bytes
-rw-r--r--doc/luaossl.tex27
-rw-r--r--src/openssl.c94
-rw-r--r--src/openssl.ssl.context.lua30
-rw-r--r--src/openssl.ssl.lua30
5 files changed, 107 insertions, 74 deletions
diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf
index fb5679d..b7a09dc 100644
--- a/doc/luaossl.pdf
+++ b/doc/luaossl.pdf
Binary files differ
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index c371dbd..efc6422 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -1089,23 +1089,24 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne
Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}.
-\subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}}
-
-Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}.
-
-\emph{Only supported since OpenSSL 1.0.2.}
-
\subsubsection[\fn{context:setCipherSuites}]{\fn{context:setCipherSuites($string$ [, ...])}}
Sets the supported TLS 1.3 cipher suites. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}.
\emph{Only supported since OpenSSL 1.1.1.}
+\subsubsection[\fn{context:setGroups}]{\fn{context:setGroups($string$ [, ...])}}
+
+Sets the supported groups. The string format is a list of colon separated group names similar to \texttt{ctx:setCipherList(...)}.
+A list of supported EC groups can be found by running \texttt{openssl ecparam -list\_curves}.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
\subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}}
Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key.
-\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.}
+\emph{In older version of OpenSSL, in order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. For OpenSSL versions >= 1.0.2, see \fn{context:setGroups} instead. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.}
\emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.}
@@ -1357,18 +1358,18 @@ Returns the SSL/TLS version supported by the client, which should be greater tha
Sets the allowed public key and private key algorithm(s). See \fn{openssl.ssl.context:setCipherList}.
-\subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}}
-
-Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}.
-
-\emph{Only supported since OpenSSL 1.0.2.}
-
\subsubsection[\fn{ssl:setCipherSuites}]{\fn{ssl:setCipherSuites($string$ [, ...])}}
Sets the supported TLS 1.3 cipher suites for this SSL connection instance. See \fn{openssl.ssl.context:setCipherSuites}.
\emph{Only supported since OpenSSL 1.1.1.}
+\subsubsection[\fn{ssl:setGroups}]{\fn{ssl:setGroups($string$ [, ...])}}
+
+Sets the supported groups for this SSL connection instance. See \fn{openssl.ssl.context:setGroups}.
+
+\emph{Only supported since OpenSSL 1.0.2.}
+
\subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}}
Returns the negotiated ALPN protocol as a string.
diff --git a/src/openssl.c b/src/openssl.c
index 790b153..620ef4e 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -355,6 +355,21 @@
#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
#endif
+#ifndef HAVE_SSL_CTX_SET_GROUPS_LIST
+#if OPENSSL_PREREQ(1,1,1)
+#define HAVE_SSL_CTX_SET_GROUPS_LIST 1
+#elif HAVE_SSL_CTX_SET_CURVES_LIST
+#define SSL_CTX_set1_groups_list SSL_CTX_set1_curves_list
+#define HAVE_SSL_CTX_SET_GROUPS_LIST 1
+#else
+#define HAVE_SSL_CTX_SET_GROUPS_LIST 0
+#endif
+#endif
+
+#ifndef HAVE_SSL_CTX_SET_GROUPS_LIST
+#define HAVE_SSL_CTX_SET_GROUPS_LIST OPENSSL_PREREQ(1,1,1)
+#endif
+
#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO
#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2))
#endif
@@ -455,6 +470,17 @@
#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
#endif
+#ifndef HAVE_SSL_SET_GROUPS_LIST
+#if OPENSSL_PREREQ(1,1,1)
+#define HAVE_SSL_SET_GROUPS_LIST 1
+#elif HAVE_SSL_SET_CURVES_LIST
+#define SSL_set1_groups_list SSL_set1_curves_list
+#define HAVE_SSL_SET_GROUPS_LIST 1
+#else
+#define HAVE_SSL_SET_GROUPS_LIST 0
+#endif
+#endif
+
#ifndef HAVE_SSL_SET1_CHAIN
#define HAVE_SSL_SET1_CHAIN OPENSSL_PREREQ(1,0,2)
#endif
@@ -9521,21 +9547,6 @@ static int sx_setCipherList(lua_State *L) {
} /* sx_setCipherList() */
-#if HAVE_SSL_CTX_SET_CURVES_LIST
-static int sx_setCurvesList(lua_State *L) {
- SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
- const char *curves = luaL_checkstring(L, 2);
-
- if (!SSL_CTX_set1_curves_list(ctx, curves))
- return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList");
-
- lua_pushboolean(L, 1);
-
- return 1;
-} /* sx_setCurvesList() */
-#endif
-
-
#if HAVE_SSL_CTX_SET_CIPHERSUITES
static int sx_setCipherSuites(lua_State *L) {
SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
@@ -9596,6 +9607,21 @@ static int sx_setEphemeralKey(lua_State *L) {
} /* sx_setEphemeralKey() */
+#if HAVE_SSL_CTX_SET_GROUPS_LIST
+static int sx_setGroups(lua_State *L) {
+ SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+ const char *list = luaL_checkstring(L, 2);
+
+ if (!SSL_CTX_set1_groups_list(ctx, list))
+ return auxL_error(L, auxL_EOPENSSL, "ssl.context:setGroups");
+
+ lua_pushboolean(L, 1);
+
+ return 1;
+} /* sx_setGroups() */
+#endif
+
+
#if HAVE_SSL_CTX_SET_ALPN_PROTOS
static int sx_setAlpnProtos(lua_State *L) {
SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
@@ -10262,13 +10288,14 @@ static const auxL_Reg sx_methods[] = {
#endif
{ "setPrivateKey", &sx_setPrivateKey },
{ "setCipherList", &sx_setCipherList },
-#if HAVE_SSL_CTX_SET_CURVES_LIST
- { "setCurvesList", &sx_setCurvesList },
-#endif
#if HAVE_SSL_CTX_SET_CIPHERSUITES
{ "setCipherSuites", &sx_setCipherSuites },
#endif
{ "setEphemeralKey", &sx_setEphemeralKey },
+#if HAVE_SSL_CTX_SET_GROUPS_LIST
+ { "setCurvesList", &sx_setGroups }, /* old alias */
+ { "setGroups", &sx_setGroups },
+#endif
#if HAVE_SSL_CTX_SET_ALPN_PROTOS
{ "setAlpnProtos", &sx_setAlpnProtos },
#endif
@@ -10869,33 +10896,33 @@ static int ssl_setCipherList(lua_State *L) {
} /* ssl_setCipherList() */
-#if HAVE_SSL_SET_CURVES_LIST
-static int ssl_setCurvesList(lua_State *L) {
+#if HAVE_SSL_SET_CIPHERSUITES
+static int ssl_setCipherSuites(lua_State *L) {
SSL *ssl = checksimple(L, 1, SSL_CLASS);
- const char *curves = luaL_checkstring(L, 2);
+ const char *ciphers = luaL_checkstring(L, 2);
- if (!SSL_set1_curves_list(ssl, curves))
- return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList");
+ if (!SSL_set_ciphersuites(ssl, ciphers))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites");
lua_pushboolean(L, 1);
return 1;
-} /* ssl_setCurvesList() */
+} /* ssl_setCipherSuites() */
#endif
-#if HAVE_SSL_SET_CIPHERSUITES
-static int ssl_setCipherSuites(lua_State *L) {
+#if HAVE_SSL_SET_GROUPS_LIST
+static int ssl_setGroups(lua_State *L) {
SSL *ssl = checksimple(L, 1, SSL_CLASS);
- const char *ciphers = luaL_checkstring(L, 2);
+ const char *list = luaL_checkstring(L, 2);
- if (!SSL_set_ciphersuites(ssl, ciphers))
- return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites");
+ if (!SSL_set1_groups_list(ssl, list))
+ return auxL_error(L, auxL_EOPENSSL, "ssl:setGroups");
lua_pushboolean(L, 1);
return 1;
-} /* ssl_setCipherSuites() */
+} /* ssl_setGroups() */
#endif
@@ -11194,12 +11221,13 @@ static const auxL_Reg ssl_methods[] = {
{ "getPeerChain", &ssl_getPeerChain },
{ "getCipherInfo", &ssl_getCipherInfo },
{ "setCipherList", &ssl_setCipherList },
-#if HAVE_SSL_SET_CURVES_LIST
- { "setCurvesList", &ssl_setCurvesList },
-#endif
#if HAVE_SSL_SET_CIPHERSUITES
{ "setCipherSuites", &ssl_setCipherSuites },
#endif
+#if HAVE_SSL_SET_GROUPS_LIST
+ { "setCurvesList", &ssl_setGroups }, /* old alias */
+ { "setGroups", &ssl_setGroups },
+#endif
{ "getHostName", &ssl_getHostName },
{ "setHostName", &ssl_setHostName },
{ "getVersion", &ssl_getVersion },
diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua
index 54cbad7..db1e704 100644
--- a/src/openssl.ssl.context.lua
+++ b/src/openssl.ssl.context.lua
@@ -13,20 +13,6 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se
return setCipherList(self, ciphers)
end)
--- Allow passing a vararg of curves, or an array
-local setCurvesList = ctx.interpose("setCurvesList", nil)
-if setCurvesList then
- ctx.interpose("setCurvesList", function (self, curves, ...)
- if (...) then
- local curves_t = pack(curves, ...)
- curves = table.concat(curves_t, ":", 1, curves_t.n)
- elseif type(curves) == "table" then
- curves = table.concat(curves, ":")
- end
- return setCurvesList(self, curves)
- end)
-end
-
-- Allow passing a vararg of ciphersuites, or an array
local setCipherSuites = ctx.interpose("setCipherSuites", nil)
if setCipherSuites then
@@ -41,4 +27,20 @@ if setCipherSuites then
end)
end
+-- Allow passing a vararg of curves, or an array
+local setGroups = ctx.interpose("setGroups", nil)
+if setGroups then
+ local function varargSetGroups(self, group, ...)
+ if (...) then
+ local group_t = pack(group, ...)
+ group = table.concat(group_t, ":", 1, group_t.n)
+ elseif type(group) == "table" then
+ group = table.concat(group, ":")
+ end
+ return setGroups(self, group)
+ end
+ ctx.interpose("setGroups", varargSetGroups)
+ ctx.interpose("setCurvesList", varargSetGroups)
+end
+
return ctx
diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua
index 22311cd..aa0ad81 100644
--- a/src/openssl.ssl.lua
+++ b/src/openssl.ssl.lua
@@ -19,20 +19,6 @@ local setCipherList; setCipherList = ssl.interpose("setCipherList", function (se
return setCipherList(self, ciphers)
end)
--- Allow passing a vararg of curves, or an array
-local setCurvesList = ssl.interpose("setCurvesList", nil)
-if setCurvesList then
- ssl.interpose("setCurvesList", function (self, curves, ...)
- if (...) then
- local curves_t = pack(curves, ...)
- curves = table.concat(curves_t, ":", 1, curves_t.n)
- elseif type(curves) == "table" then
- curves = table.concat(curves, ":")
- end
- return setCurvesList(self, curves)
- end)
-end
-
-- Allow passing a vararg of ciphersuites, or an array
local setCipherSuites = ssl.interpose("setCipherSuites", nil)
if setCipherSuites then
@@ -47,4 +33,20 @@ if setCipherSuites then
end)
end
+-- Allow passing a vararg of curves, or an array
+local setGroups = ssl.interpose("setGroups", nil)
+if setGroups then
+ local function varargSetGroups(self, group, ...)
+ if (...) then
+ local group_t = pack(group, ...)
+ group = table.concat(group_t, ":", 1, group_t.n)
+ elseif type(group) == "table" then
+ group = table.concat(group, ":")
+ end
+ return setGroups(self, group)
+ end
+ ssl.interpose("setGroups", varargSetGroups)
+ ssl.interpose("setCurvesList", varargSetGroups)
+end
+
return ssl