author | daurnimator <quae@daurnimator.com> | 2017-08-30 23:12:22 +1000 |
---|---|---|
committer | daurnimator <quae@daurnimator.com> | 2017-08-31 01:09:50 +1000 |
commit | 6679ba855465ea1ff751301ecc16fc7fe3f9cbe9 (patch) | |
tree | e8a2bcfc430a22d32a7c2f2ef008aa0b61a3c9bb | |
parent | 52b637bb43c7fbe5ae0d67f939acdaed5e7426f0 (diff) | |
Use single method constructor and disable unwanted protocols via options
- In OpenSSL 1.1.0 the individual constructors are deprecated
- The removal of __typeof__ fixes an issue with MSVC
-rw-r--r-- | src/openssl.c | 92 |
1 files changed, 61 insertions, 31 deletions
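--- a/src/openssl.c
+++ b/src/openssl.c
@@ -325,12 +325,12 @@
 #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
 #endif
 
-#ifndef HAVE_SSLV2_CLIENT_METHOD
-#define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
+#ifndef HAVE_SSL_OP_NO_SSL_MASK
+#define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2)
 #endif
 
-#ifndef HAVE_SSLV2_SERVER_METHOD
-#define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2)
+#ifndef HAVE_SSL_OP_NO_DTLS_MASK
+#define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0)
 #endif
 
 #ifndef HAVE_STACK_OPENSSL_STRING_FUNCS
@@ -1686,6 +1686,22 @@ static int compat_SSL_up_ref(SSL *ssl) {
 } /* compat_SSL_up_ref() */
 #endif
 
+#if !HAVE_SSL_OP_NO_SSL_MASK
+/* SSL_OP_NO_SSL_MASK was introduced in 1.0.2
+1.0.1 had up to TLSv1_2
+0.9.8-1.0.0 had up to TLSv1
+*/
+#ifdef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
+#else
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1)
+#endif
+#endif
+
+#if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD
+#define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
+#endif
+
 #if !HAVE_SSL_CTX_GET0_PARAM
 #define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx))
 
@@ -7751,11 +7767,6 @@ int luaopen__openssl_pkcs12(lua_State *L) {
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-/*
-* NOTE: TLS methods and flags were added in tandem. For example, if the
-* macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also
-* declared and defined.
-*/
 static int sx_new(lua_State *L) {
 static const char *const opts[] = {
 [0] = "SSL",
@@ -7771,77 +7782,96 @@ static int sx_new(lua_State *L) {
 [14] = "DTLSv1_2", [15] = "DTLSv1.2",
 NULL
 };
-/* later versions of SSL declare a const qualifier on the return type */
-__typeof__(&TLSv1_client_method) method = &TLSv1_client_method;
+int method_enum;
 _Bool srv;
 SSL_CTX **ud;
 int options = 0;
 
 lua_settop(L, 2);
+method_enum = auxL_checkoption(L, 1, "TLS", opts, 1);
 srv = lua_toboolean(L, 2);
 
-switch (auxL_checkoption(L, 1, "TLS", opts, 1)) {
+switch (method_enum) {
 case 0: /* SSL */
-method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
 options = SSL_OP_NO_SSLv2;
 break;
 case 1: /* TLS */
-method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
 break;
-#if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD
 case 2: /* SSLv2 */
-method = (srv)? &SSLv2_server_method : &SSLv2_client_method;
+options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2;
 break;
-#endif
-#ifndef OPENSSL_NO_SSL3
 case 3: /* SSLv3 */
-method = (srv)? &SSLv3_server_method : &SSLv3_client_method;
+options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
 break;
-#endif
 case 4: /* SSLv23 */
-method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
 break;
 case 5: /* TLSv1 */
 case 6: /* TLSv1.0 */
-method = (srv)? &TLSv1_server_method : &TLSv1_client_method;
+options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
 break;
 #if defined SSL_OP_NO_TLSv1_1
 case 7: /* TLSv1_1 */
 case 8: /* TLSv1.1 */
-method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method;
+options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1;
 break;
 #endif
 #if defined SSL_OP_NO_TLSv1_2
 case 9: /* TLSv1_2 */
 case 10: /* TLSv1.2 */
-method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method;
+options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2;
 break;
 #endif
 #if HAVE_DTLS_CLIENT_METHOD
 case 11: /* DTLS */
-method = (srv)? &DTLS_server_method : &DTLS_client_method;
 break;
-#endif
-#if HAVE_DTLSV1_CLIENT_METHOD
+#ifdef SSL_OP_NO_DTLSv1
 case 12: /* DTLSv1 */
 case 13: /* DTLSv1.0 */
-method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
+options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1;
 break;
 #endif
-#if HAVE_DTLSV1_2_CLIENT_METHOD
+#ifdef SSL_OP_NO_DTLSv1_2
 case 14: /* DTLSv1_2 */
 case 15: /* DTLSv1.2 */
-method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
+options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2;
 break;
 #endif
+#endif
 default:
 return luaL_argerror(L, 1, "invalid option");
 }
 
 ud = prepsimple(L, SSL_CTX_CLASS);
 
-if (!(*ud = SSL_CTX_new(method())))
+switch (method_enum) {
+case 0: /* SSL */
+case 1: /* TLS */
+case 2: /* SSLv2 */
+case 3: /* SSLv3 */
+case 4: /* SSLv23 */
+case 5: /* TLSv1 */
+case 6: /* TLSv1.0 */
+case 7: /* TLSv1_1 */
+case 8: /* TLSv1.1 */
+case 9: /* TLSv1_2 */
+case 10: /* TLSv1.2 */
+*ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method());
+break;
+#if HAVE_DTLS_CLIENT_METHOD
+case 11: /* DTLS */
+case 12: /* DTLSv1 */
+case 13: /* DTLSv1.0 */
+case 14: /* DTLSv1_2 */
+case 15: /* DTLSv1.2 */
+*ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method());
+break;
+#endif
+default:
+NOTREACHED;
+}
+
+if (!*ud)
 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
 
 SSL_CTX_set_options(*ud, options);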
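Review bot: Cases 2 ("SSLv2") and 3 ("SSLv3") in the first switch are now accepted on every OpenSSL build, whereas the removed `HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD` and `OPENSSL_NO_SSL3` guards used to make them fall through to the `"invalid option"` argument error when the library had no such protocol. With the new design the context is created successfully with every other protocol masked out by `SSL_OP_NO_SSL_MASK`, so the caller only learns that the protocol is unavailable at handshake time, as a far less specific OpenSSL error; on 1.1.0 specifically, where I believe `SSL_OP_NO_SSLv2` expands to 0, case 2 disables every protocol the library has. I would keep a compile-time check on those two cases so a build-time absence of SSLv2/SSLv3 still surfaces as an argument error at construction, reusing the same macros the old guards relied on. The body of sx_new continues past the end of this hunk.

```c
	case 2: /* SSLv2 */
#if OPENSSL_PREREQ(1,1,0) || defined OPENSSL_NO_SSL2
		return luaL_argerror(L, 1, "SSLv2 not supported by this OpenSSL");
#else
		options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2;
		break;
#endif
	case 3: /* SSLv3 */
#ifdef OPENSSL_NO_SSL3
		return luaL_argerror(L, 1, "SSLv3 not supported by this OpenSSL");
#else
		options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
		break;
#endif
	/* … unchanged: remaining cases and second switch … */
```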