diff options
| author | daurnimator <quae@daurnimator.com> | 2017-08-30 23:12:22 +1000 |
|---|---|---|
| committer | daurnimator <quae@daurnimator.com> | 2017-08-31 01:09:50 +1000 |
| commit | 6679ba855465ea1ff751301ecc16fc7fe3f9cbe9 (patch) | |
| tree | e8a2bcfc430a22d32a7c2f2ef008aa0b61a3c9bb | |
| parent | 52b637bb43c7fbe5ae0d67f939acdaed5e7426f0 (diff) | |
| download | luaossl-6679ba855465ea1ff751301ecc16fc7fe3f9cbe9.tar.gz luaossl-6679ba855465ea1ff751301ecc16fc7fe3f9cbe9.tar.bz2 luaossl-6679ba855465ea1ff751301ecc16fc7fe3f9cbe9.zip | |
Use single method constructor and disable unwanted protocols via options
- In OpenSSL 1.1.0 the individual constructors are deprecated
- The removal of __typeof__ fixes an issue with MSVC
| -rw-r--r-- | src/openssl.c | 92 |
1 files changed, 61 insertions, 31 deletions
diff --git a/src/openssl.c b/src/openssl.c index 2cfad4a..8500815 100644 --- a/src/openssl.c +++ b/src/openssl.c | |||
| @@ -325,12 +325,12 @@ | |||
| 325 | #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) | 325 | #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) |
| 326 | #endif | 326 | #endif |
| 327 | 327 | ||
| 328 | #ifndef HAVE_SSLV2_CLIENT_METHOD | 328 | #ifndef HAVE_SSL_OP_NO_SSL_MASK |
| 329 | #define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) | 329 | #define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2) |
| 330 | #endif | 330 | #endif |
| 331 | 331 | ||
| 332 | #ifndef HAVE_SSLV2_SERVER_METHOD | 332 | #ifndef HAVE_SSL_OP_NO_DTLS_MASK |
| 333 | #define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) | 333 | #define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0) |
| 334 | #endif | 334 | #endif |
| 335 | 335 | ||
| 336 | #ifndef HAVE_STACK_OPENSSL_STRING_FUNCS | 336 | #ifndef HAVE_STACK_OPENSSL_STRING_FUNCS |
| @@ -1686,6 +1686,22 @@ static int compat_SSL_up_ref(SSL *ssl) { | |||
| 1686 | } /* compat_SSL_up_ref() */ | 1686 | } /* compat_SSL_up_ref() */ |
| 1687 | #endif | 1687 | #endif |
| 1688 | 1688 | ||
| 1689 | #if !HAVE_SSL_OP_NO_SSL_MASK | ||
| 1690 | /* SSL_OP_NO_SSL_MASK was introduced in 1.0.2 | ||
| 1691 | 1.0.1 had up to TLSv1_2 | ||
| 1692 | 0.9.8-1.0.0 had up to TLSv1 | ||
| 1693 | */ | ||
| 1694 | #ifdef SSL_OP_NO_TLSv1_2 | ||
| 1695 | #define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2) | ||
| 1696 | #else | ||
| 1697 | #define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1) | ||
| 1698 | #endif | ||
| 1699 | #endif | ||
| 1700 | |||
| 1701 | #if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD | ||
| 1702 | #define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2) | ||
| 1703 | #endif | ||
| 1704 | |||
| 1689 | #if !HAVE_SSL_CTX_GET0_PARAM | 1705 | #if !HAVE_SSL_CTX_GET0_PARAM |
| 1690 | #define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx)) | 1706 | #define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx)) |
| 1691 | 1707 | ||
| @@ -7751,11 +7767,6 @@ int luaopen__openssl_pkcs12(lua_State *L) { | |||
| 7751 | * | 7767 | * |
| 7752 | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ | 7768 | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ |
| 7753 | 7769 | ||
| 7754 | /* | ||
| 7755 | * NOTE: TLS methods and flags were added in tandem. For example, if the | ||
| 7756 | * macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also | ||
| 7757 | * declared and defined. | ||
| 7758 | */ | ||
| 7759 | static int sx_new(lua_State *L) { | 7770 | static int sx_new(lua_State *L) { |
| 7760 | static const char *const opts[] = { | 7771 | static const char *const opts[] = { |
| 7761 | [0] = "SSL", | 7772 | [0] = "SSL", |
| @@ -7771,77 +7782,96 @@ static int sx_new(lua_State *L) { | |||
| 7771 | [14] = "DTLSv1_2", [15] = "DTLSv1.2", | 7782 | [14] = "DTLSv1_2", [15] = "DTLSv1.2", |
| 7772 | NULL | 7783 | NULL |
| 7773 | }; | 7784 | }; |
| 7774 | /* later versions of SSL declare a const qualifier on the return type */ | 7785 | int method_enum; |
| 7775 | __typeof__(&TLSv1_client_method) method = &TLSv1_client_method; | ||
| 7776 | _Bool srv; | 7786 | _Bool srv; |
| 7777 | SSL_CTX **ud; | 7787 | SSL_CTX **ud; |
| 7778 | int options = 0; | 7788 | int options = 0; |
| 7779 | 7789 | ||
| 7780 | lua_settop(L, 2); | 7790 | lua_settop(L, 2); |
| 7791 | method_enum = auxL_checkoption(L, 1, "TLS", opts, 1); | ||
| 7781 | srv = lua_toboolean(L, 2); | 7792 | srv = lua_toboolean(L, 2); |
| 7782 | 7793 | ||
| 7783 | switch (auxL_checkoption(L, 1, "TLS", opts, 1)) { | 7794 | switch (method_enum) { |
| 7784 | case 0: /* SSL */ | 7795 | case 0: /* SSL */ |
| 7785 | method = (srv)? &SSLv23_server_method : &SSLv23_client_method; | ||
| 7786 | options = SSL_OP_NO_SSLv2; | 7796 | options = SSL_OP_NO_SSLv2; |
| 7787 | break; | 7797 | break; |
| 7788 | case 1: /* TLS */ | 7798 | case 1: /* TLS */ |
| 7789 | method = (srv)? &SSLv23_server_method : &SSLv23_client_method; | ||
| 7790 | options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; | 7799 | options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; |
| 7791 | break; | 7800 | break; |
| 7792 | #if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD | ||
| 7793 | case 2: /* SSLv2 */ | 7801 | case 2: /* SSLv2 */ |
| 7794 | method = (srv)? &SSLv2_server_method : &SSLv2_client_method; | 7802 | options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2; |
| 7795 | break; | 7803 | break; |
| 7796 | #endif | ||
| 7797 | #ifndef OPENSSL_NO_SSL3 | ||
| 7798 | case 3: /* SSLv3 */ | 7804 | case 3: /* SSLv3 */ |
| 7799 | method = (srv)? &SSLv3_server_method : &SSLv3_client_method; | 7805 | options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3; |
| 7800 | break; | 7806 | break; |
| 7801 | #endif | ||
| 7802 | case 4: /* SSLv23 */ | 7807 | case 4: /* SSLv23 */ |
| 7803 | method = (srv)? &SSLv23_server_method : &SSLv23_client_method; | ||
| 7804 | break; | 7808 | break; |
| 7805 | case 5: /* TLSv1 */ | 7809 | case 5: /* TLSv1 */ |
| 7806 | case 6: /* TLSv1.0 */ | 7810 | case 6: /* TLSv1.0 */ |
| 7807 | method = (srv)? &TLSv1_server_method : &TLSv1_client_method; | 7811 | options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1; |
| 7808 | break; | 7812 | break; |
| 7809 | #if defined SSL_OP_NO_TLSv1_1 | 7813 | #if defined SSL_OP_NO_TLSv1_1 |
| 7810 | case 7: /* TLSv1_1 */ | 7814 | case 7: /* TLSv1_1 */ |
| 7811 | case 8: /* TLSv1.1 */ | 7815 | case 8: /* TLSv1.1 */ |
| 7812 | method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method; | 7816 | options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1; |
| 7813 | break; | 7817 | break; |
| 7814 | #endif | 7818 | #endif |
| 7815 | #if defined SSL_OP_NO_TLSv1_2 | 7819 | #if defined SSL_OP_NO_TLSv1_2 |
| 7816 | case 9: /* TLSv1_2 */ | 7820 | case 9: /* TLSv1_2 */ |
| 7817 | case 10: /* TLSv1.2 */ | 7821 | case 10: /* TLSv1.2 */ |
| 7818 | method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method; | 7822 | options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2; |
| 7819 | break; | 7823 | break; |
| 7820 | #endif | 7824 | #endif |
| 7821 | #if HAVE_DTLS_CLIENT_METHOD | 7825 | #if HAVE_DTLS_CLIENT_METHOD |
| 7822 | case 11: /* DTLS */ | 7826 | case 11: /* DTLS */ |
| 7823 | method = (srv)? &DTLS_server_method : &DTLS_client_method; | ||
| 7824 | break; | 7827 | break; |
| 7825 | #endif | 7828 | #ifdef SSL_OP_NO_DTLSv1 |
| 7826 | #if HAVE_DTLSV1_CLIENT_METHOD | ||
| 7827 | case 12: /* DTLSv1 */ | 7829 | case 12: /* DTLSv1 */ |
| 7828 | case 13: /* DTLSv1.0 */ | 7830 | case 13: /* DTLSv1.0 */ |
| 7829 | method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; | 7831 | options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1; |
| 7830 | break; | 7832 | break; |
| 7831 | #endif | 7833 | #endif |
| 7832 | #if HAVE_DTLSV1_2_CLIENT_METHOD | 7834 | #ifdef SSL_OP_NO_DTLSv1_2 |
| 7833 | case 14: /* DTLSv1_2 */ | 7835 | case 14: /* DTLSv1_2 */ |
| 7834 | case 15: /* DTLSv1.2 */ | 7836 | case 15: /* DTLSv1.2 */ |
| 7835 | method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; | 7837 | options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2; |
| 7836 | break; | 7838 | break; |
| 7837 | #endif | 7839 | #endif |
| 7840 | #endif | ||
| 7838 | default: | 7841 | default: |
| 7839 | return luaL_argerror(L, 1, "invalid option"); | 7842 | return luaL_argerror(L, 1, "invalid option"); |
| 7840 | } | 7843 | } |
| 7841 | 7844 | ||
| 7842 | ud = prepsimple(L, SSL_CTX_CLASS); | 7845 | ud = prepsimple(L, SSL_CTX_CLASS); |
| 7843 | 7846 | ||
| 7844 | if (!(*ud = SSL_CTX_new(method()))) | 7847 | switch (method_enum) { |
| 7848 | case 0: /* SSL */ | ||
| 7849 | case 1: /* TLS */ | ||
| 7850 | case 2: /* SSLv2 */ | ||
| 7851 | case 3: /* SSLv3 */ | ||
| 7852 | case 4: /* SSLv23 */ | ||
| 7853 | case 5: /* TLSv1 */ | ||
| 7854 | case 6: /* TLSv1.0 */ | ||
| 7855 | case 7: /* TLSv1_1 */ | ||
| 7856 | case 8: /* TLSv1.1 */ | ||
| 7857 | case 9: /* TLSv1_2 */ | ||
| 7858 | case 10: /* TLSv1.2 */ | ||
| 7859 | *ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method()); | ||
| 7860 | break; | ||
| 7861 | #if HAVE_DTLS_CLIENT_METHOD | ||
| 7862 | case 11: /* DTLS */ | ||
| 7863 | case 12: /* DTLSv1 */ | ||
| 7864 | case 13: /* DTLSv1.0 */ | ||
| 7865 | case 14: /* DTLSv1_2 */ | ||
| 7866 | case 15: /* DTLSv1.2 */ | ||
| 7867 | *ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method()); | ||
| 7868 | break; | ||
| 7869 | #endif | ||
| 7870 | default: | ||
| 7871 | NOTREACHED; | ||
| 7872 | } | ||
| 7873 | |||
| 7874 | if (!*ud) | ||
| 7845 | return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); | 7875 | return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); |
| 7846 | 7876 | ||
| 7847 | SSL_CTX_set_options(*ud, options); | 7877 | SSL_CTX_set_options(*ud, options); |