authordaurnimator <quae@daurnimator.com>2017-08-30 23:12:22 +1000
committerdaurnimator <quae@daurnimator.com>2017-08-31 01:09:50 +1000
commit6679ba855465ea1ff751301ecc16fc7fe3f9cbe9 (patch)
treee8a2bcfc430a22d32a7c2f2ef008aa0b61a3c9bb
parent52b637bb43c7fbe5ae0d67f939acdaed5e7426f0 (diff)
Use single method constructor and disable unwanted protocols via options
- In OpenSSL 1.1.0 the individual constructors are deprecated
- The removal of __typeof__ fixes an issue with MSVC
-rw-r--r--src/openssl.c92
1 files changed, 61 insertions, 31 deletions
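--- a/src/openssl.c
+++ b/src/openssl.c
@@ -325,12 +325,12 @@
 #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
 #endif
 
-#ifndef HAVE_SSLV2_CLIENT_METHOD
-#define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
+#ifndef HAVE_SSL_OP_NO_SSL_MASK
+#define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2)
 #endif
 
-#ifndef HAVE_SSLV2_SERVER_METHOD
-#define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
+#ifndef HAVE_SSL_OP_NO_DTLS_MASK
+#define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0)
 #endif
 
 #ifndef HAVE_STACK_OPENSSL_STRING_FUNCS
@@ -1686,6 +1686,22 @@ static int compat_SSL_up_ref(SSL *ssl) {
 } /* compat_SSL_up_ref() */
 #endif
 
+#if !HAVE_SSL_OP_NO_SSL_MASK
+/* SSL_OP_NO_SSL_MASK was introduced in 1.0.2
+ 1.0.1 had up to TLSv1_2
+ 0.9.8-1.0.0 had up to TLSv1
+*/
+#ifdef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
+#else
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1)
+#endif
+#endif
+
+#if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD
+#define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
+#endif
+
 #if !HAVE_SSL_CTX_GET0_PARAM
 #define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx))
 
@@ -7751,11 +7767,6 @@ int luaopen__openssl_pkcs12(lua_State *L) {
  *
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-/*
- * NOTE: TLS methods and flags were added in tandem. For example, if the
- * macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also
- * declared and defined.
- */
 static int sx_new(lua_State *L) {
  static const char *const opts[] = {
  [0] = "SSL",
@@ -7771,77 +7782,96 @@ static int sx_new(lua_State *L) {
  [14] = "DTLSv1_2", [15] = "DTLSv1.2",
  NULL
  };
- /* later versions of SSL declare a const qualifier on the return type */
- __typeof__(&TLSv1_client_method) method = &TLSv1_client_method;
+ int method_enum;
  _Bool srv;
  SSL_CTX **ud;
  int options = 0;
 
  lua_settop(L, 2);
+ method_enum = auxL_checkoption(L, 1, "TLS", opts, 1);
  srv = lua_toboolean(L, 2);
 
- switch (auxL_checkoption(L, 1, "TLS", opts, 1)) {
+ switch (method_enum) {
  case 0: /* SSL */
- method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
  options = SSL_OP_NO_SSLv2;
  break;
  case 1: /* TLS */
- method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
  options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
  break;
-#if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD
  case 2: /* SSLv2 */
- method = (srv)? &SSLv2_server_method : &SSLv2_client_method;
+ options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2;
  break;
-#endif
-#ifndef OPENSSL_NO_SSL3
  case 3: /* SSLv3 */
- method = (srv)? &SSLv3_server_method : &SSLv3_client_method;
+ options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
  break;
-#endif
  case 4: /* SSLv23 */
- method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
  break;
  case 5: /* TLSv1 */
  case 6: /* TLSv1.0 */
- method = (srv)? &TLSv1_server_method : &TLSv1_client_method;
+ options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
  break;
 #if defined SSL_OP_NO_TLSv1_1
  case 7: /* TLSv1_1 */
  case 8: /* TLSv1.1 */
- method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method;
+ options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1;
  break;
 #endif
 #if defined SSL_OP_NO_TLSv1_2
  case 9: /* TLSv1_2 */
  case 10: /* TLSv1.2 */
- method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method;
+ options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2;
  break;
 #endif
 #if HAVE_DTLS_CLIENT_METHOD
  case 11: /* DTLS */
- method = (srv)? &DTLS_server_method : &DTLS_client_method;
  break;
-#endif
-#if HAVE_DTLSV1_CLIENT_METHOD
+#ifdef SSL_OP_NO_DTLSv1
  case 12: /* DTLSv1 */
  case 13: /* DTLSv1.0 */
- method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
+ options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1;
  break;
 #endif
-#if HAVE_DTLSV1_2_CLIENT_METHOD
+#ifdef SSL_OP_NO_DTLSv1_2
  case 14: /* DTLSv1_2 */
  case 15: /* DTLSv1.2 */
- method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
+ options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2;
  break;
 #endif
+#endif
  default:
  return luaL_argerror(L, 1, "invalid option");
  }
 
  ud = prepsimple(L, SSL_CTX_CLASS);
 
- if (!(*ud = SSL_CTX_new(method())))
+ switch (method_enum) {
+ case 0: /* SSL */
+ case 1: /* TLS */
+ case 2: /* SSLv2 */
+ case 3: /* SSLv3 */
+ case 4: /* SSLv23 */
+ case 5: /* TLSv1 */
+ case 6: /* TLSv1.0 */
+ case 7: /* TLSv1_1 */
+ case 8: /* TLSv1.1 */
+ case 9: /* TLSv1_2 */
+ case 10: /* TLSv1.2 */
+ *ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method());
+ break;
+#if HAVE_DTLS_CLIENT_METHOD
+ case 11: /* DTLS */
+ case 12: /* DTLSv1 */
+ case 13: /* DTLSv1.0 */
+ case 14: /* DTLSv1_2 */
+ case 15: /* DTLSv1.2 */
+ *ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method());
+ break;
+#endif
+ default:
+ NOTREACHED;
+ }
+
+ if (!*ud)
  return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
 
  SSL_CTX_set_options(*ud, options);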
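Review bot: The `case 2: /* SSLv2 */` and `case 3: /* SSLv3 */` labels in the first switch of sx_new are now compiled unconditionally, so a library built without those protocols (OPENSSL_NO_SSL2/OPENSSL_NO_SSL3, or 1.1.0 where, as far as I recall, SSL_OP_NO_SSLv2 is defined as 0) accepts the name at construction and then masks out every protocol, turning a clear "invalid option" error into an opaque handshake failure later. The guards the hunk removes should come back around those labels, e.g. `#if !OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2` before `case 2:` and `#ifndef OPENSSL_NO_SSL3` before `case 3:`, each closed by `#endif` after its `break;`, mirroring how the DTLS labels are still fenced by `#if HAVE_DTLS_CLIENT_METHOD`. The second switch can keep listing cases 2 and 3 unconditionally since they only select SSLv23_*_method. sx_new begins in the preceding hunk and its body continues past this one.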