From 4da94eb5c92dc5ac7c86bb047a927a014e6bc760 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Wed, 31 Oct 2018 15:30:24 +1100
Subject: Add ssl:setCipherSuites() and context:setCipherSuites()

---
 doc/luaossl.tex | 12 ++++++++++++
 src/openssl.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 src/openssl.ssl.context.lua | 14 ++++++++++++++
 src/openssl.ssl.lua | 14 ++++++++++++++
 4 files changed, 84 insertions(+)

diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 45c2602..b5ae2f6 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -981,6 +981,12 @@ Sets the supported curves. The string format is a list of colon separated curve
 
 \emph{Only supported since OpenSSL 1.0.2.}
 
+\subsubsection[\fn{context:setCipherSuites}]{\fn{context:setCipherSuites($string$ [, ...])}}
+
+Sets the supported TLS 1.3 cipher suites. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}.
+
+\emph{Only supported since OpenSSL 1.1.1.}
+
 \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}}
 
 Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key.
@@ -1225,6 +1231,12 @@ Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.
 
 \emph{Only supported since OpenSSL 1.0.2.}
 
+\subsubsection[\fn{ssl:setCipherSuites}]{\fn{ssl:setCipherSuites($string$ [, ...])}}
+
+Sets the supported TLS 1.3 cipher suites for this SSL connection instance. See \fn{openssl.ssl.context:setCipherSuites}.
+
+\emph{Only supported since OpenSSL 1.1.1.}
+
 \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}}
 
 Returns the negotiated ALPN protocol as a string.
diff --git a/src/openssl.c b/src/openssl.c
index 7a5031b..e49c0e7 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -287,6 +287,10 @@
 #define HAVE_SSL_CTX_GET0_CERTIFICATE (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,7,0))
 #endif
 
+#ifndef HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_SSL_CTX_SET_CIPHERSUITES OPENSSL_PREREQ(1,1,1)
+#endif
+
 #ifndef HAVE_SSL_CTX_SET_CURVES_LIST
 #define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
@@ -375,6 +379,10 @@
 #define HAVE_SSL_SET1_VERIFY_CERT_STORE OPENSSL_PREREQ(1,0,2)
 #endif
 
+#ifndef HAVE_SSL_SET_CIPHERSUITES
+#define HAVE_SSL_SET_CIPHERSUITES OPENSSL_PREREQ(1,1,1)
+#endif
+
 #ifndef HAVE_SSL_SET_CURVES_LIST
 #define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
 #endif
@@ -8781,6 +8789,21 @@ static int sx_setCurvesList(lua_State *L) {
 #endif
 
 
+#if HAVE_SSL_CTX_SET_CIPHERSUITES
+static int sx_setCipherSuites(lua_State *L) {
+	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+	const char *ciphers = luaL_checkstring(L, 2);
+
+	if (!SSL_CTX_set_ciphersuites(ctx, ciphers))
+		return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCipherSuites");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* sx_setCipherSuites() */
+#endif
+
+
 static int sx_setEphemeralKey(lua_State *L) {
 	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
 	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -9462,6 +9485,9 @@ static const auxL_Reg sx_methods[] = {
 	{ "setCipherList", &sx_setCipherList },
 #if HAVE_SSL_CTX_SET_CURVES_LIST
 	{ "setCurvesList", &sx_setCurvesList },
+#endif
+#if HAVE_SSL_CTX_SET_CIPHERSUITES
+	{ "setCipherSuites", &sx_setCipherSuites },
 #endif
 	{ "setEphemeralKey", &sx_setEphemeralKey },
 #if HAVE_SSL_CTX_SET_ALPN_PROTOS
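Review bot: sx_setCipherSuites hands the caller's string to SSL_CTX_set_ciphersuites and reports success purely from that return value, and as far as I recall of OpenSSL 1.1.1 the call accepts an empty string (leaving no TLS 1.3 suite enabled) and silently drops unrecognised names as long as at least one name in the list matches, so the Lua caller sees `true` in both cases. Because this list governs only TLS 1.3 while setCipherList still governs TLS 1.2 and below, a header comment would keep callers from hardening just one of the two, e.g. `/* TLS 1.3 suites only; <= TLS 1.2 is still governed by setCipherList. OpenSSL accepts an empty list, which leaves no TLS 1.3 suite enabled. */`. The sibling luaossl.tex hunk describes the argument as "colon separated curve names", apparently carried over from setCurvesList; it should read cipher suite names.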
@@ -10015,6 +10041,21 @@ static int ssl_setCurvesList(lua_State *L) {
 #endif
 
 
+#if HAVE_SSL_SET_CIPHERSUITES
+static int ssl_setCipherSuites(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+	const char *ciphers = luaL_checkstring(L, 2);
+
+	if (!SSL_set_ciphersuites(ssl, ciphers))
+		return auxL_error(L, auxL_EOPENSSL, "ssl:setCipherSuites");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* ssl_setCipherSuites() */
+#endif
+
+
 static int ssl_getHostName(lua_State *L) {
 	SSL *ssl = checksimple(L, 1, SSL_CLASS);
 	const char *host;
@@ -10305,6 +10346,9 @@ static const auxL_Reg ssl_methods[] = {
 	{ "getCipherInfo", &ssl_getCipherInfo },
 #if HAVE_SSL_SET_CURVES_LIST
 	{ "setCurvesList", &ssl_setCurvesList },
+#endif
+#if HAVE_SSL_SET_CIPHERSUITES
+	{ "setCipherSuites", &ssl_setCipherSuites },
 #endif
 	{ "getHostName", &ssl_getHostName },
 	{ "setHostName", &ssl_setHostName },
diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua
index 3263fb1..54cbad7 100644
--- a/src/openssl.ssl.context.lua
+++ b/src/openssl.ssl.context.lua
@@ -27,4 +27,18 @@ if setCurvesList then
 	end)
 end
 
+-- Allow passing a vararg of ciphersuites, or an array
+local setCipherSuites = ctx.interpose("setCipherSuites", nil)
+if setCipherSuites then
+	ctx.interpose("setCipherSuites", function (self, ciphers, ...)
+		if (...) then
+			local ciphers_t = pack(ciphers, ...)
+			ciphers = table.concat(ciphers_t, ":", 1, ciphers_t.n)
+		elseif type(ciphers) == "table" then
+			ciphers = table.concat(ciphers, ":")
+		end
+		return setCipherSuites(self, ciphers)
+	end)
+end
+
 return ctx
diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua
index 2a18024..4f9f82b 100644
--- a/src/openssl.ssl.lua
+++ b/src/openssl.ssl.lua
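Review bot: ssl_setCipherSuites is a copy of sx_setCipherSuites with the handle type swapped, which matches how the file pairs the setCurvesList variants, but it carries no comment on what the per-connection call does relative to the context: I believe SSL_set_ciphersuites replaces the TLS 1.3 list the SSL object took over from its SSL_CTX and, like the context variant, leaves the <= TLS 1.2 cipher list untouched. A one-line comment above the function, `/* Per-connection override of the TLS 1.3 suite list; TLS 1.2 and below stay under setCipherList */`, would make that explicit for callers that only harden one side. Whether the call still has any effect once the handshake has begun is not checked by the binding, so if OpenSSL ignores it at that point the caller still receives `true`.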
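Review bot: The `elseif type(ciphers) == "table"` branch turns an empty array into the empty string (`table.concat({}, ":")` yields `""`) and forwards it unchanged, so `ctx:setCipherSuites({})` does not leave the list alone; if OpenSSL accepts an empty suite list as I believe it does, it removes every TLS 1.3 suite and the wrapper still returns true, which lets a config-driven caller disable TLS 1.3 without noticing. Either reject it up front, `if ciphers == "" then error("setCipherSuites: empty cipher suite list", 2) end` before the final return, or state in the comment above the interpose that an empty list clears the TLS 1.3 suites. `pack` is used but not defined in the hunk; presumably it is the local the setCurvesList wrapper above (outside the hunk) already relies on.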
@@ -22,4 +22,18 @@ if setCurvesList then
 	end)
 end
 
+-- Allow passing a vararg of ciphersuites, or an array
+local setCipherSuites = ssl.interpose("setCipherSuites", nil)
+if setCipherSuites then
+	ssl.interpose("setCipherSuites", function (self, ciphers, ...)
+		if (...) then
+			local ciphers_t = pack(ciphers, ...)
+			ciphers = table.concat(ciphers_t, ":", 1, ciphers_t.n)
+		elseif type(ciphers) == "table" then
+			ciphers = table.concat(ciphers, ":")
+		end
+		return setCipherSuites(self, ciphers)
+	end)
+end
+
 return ssl
-- cgit v1.2.3-59-g8ed1b
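Review bot: `if (...) then` inspects only the first extra argument, so `ssl:setCipherSuites("TLS_AES_256_GCM_SHA384", nil, "TLS_CHACHA20_POLY1305_SHA256")` takes the elseif path and quietly sends just the first name, while a table first argument followed by extra strings reaches `pack` and makes `table.concat` raise on the table element. Testing the real count, `if select("#", ...) > 0 then`, turns the first case into a loud `table.concat` error instead of a silently shortened suite list; the table-plus-vararg case deserves either an explicit error or a line in the comment above. This wrapper is identical to the one added to openssl.ssl.context.lua; if the two modules share a helper file, a single `concat_list(first, ...)` would keep that edge-case handling in one place.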