From fe1fb0b350f86dab6e9cf0a82afc2640bf0212e5 Mon Sep 17 00:00:00 2001
From: Bruno Silvestre
Date: Fri, 4 Aug 2017 17:00:12 -0300
Subject: [PATCH] Adding 'curveslist' parameter
LuaSec will try to set 'curveslist' parameter first. If the parameter is not present or not supported, LuaSec will try 'curve' parameter.
---
src/context.c | 64 ++++++++++++++++++++++++++++++---------------------
src/ssl.lua | 17 ++++++++++----
2 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/src/context.c b/src/context.c
index 760355e..af996d3 100644
--- a/src/context.c
+++ b/src/context.c
@@ -546,17 +546,10 @@ static int set_dhparam(lua_State *L)
 return 0;
 }
+#if !defined(OPENSSL_NO_EC)
 /**
 * Set elliptic curve.
 */
-#ifdef OPENSSL_NO_EC
-static int set_curve(lua_State *L)
-{
- lua_pushboolean(L, 0);
- lua_pushstring(L, "OpenSSL does not support EC");
- return 2;
-}
-#else
 static int set_curve(lua_State *L)
 {
 long ret;
@@ -565,26 +558,11 @@ static int set_curve(lua_State *L)
 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-#if defined(SSL_CTRL_SET_ECDH_AUTO) || defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list)
- if (SSL_CTX_set1_curves_list(ctx, str) != 1) {
- lua_pushboolean(L, 0);
- lua_pushfstring(L, "unknown elliptic curve in \"%s\"", str);
- return 2;
- }
-
-#ifdef SSL_CTRL_SET_ECDH_AUTO
- SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif
-
- lua_pushboolean(L, 1);
- return 1;
-
-#else /* !defined(SSL_CTRL_SET_CURVES_LIST) */
 EC_KEY *key = lsec_find_ec_key(L, str);
 if (!key) {
 lua_pushboolean(L, 0);
- lua_pushfstring(L, "elliptic curve %s not supported", str);
+ lua_pushfstring(L, "elliptic curve '%s' not supported", str);
 return 2;
 }
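Review bot: Dropping the `OPENSSL_NO_EC` stub of `set_curve` changes the failure mode for code that uses `ssl.context` directly: on an EC-less build `setcurve` is no longer registered at all, so such a call now raises an attempt-to-call-nil error instead of returning `false, "OpenSSL does not support EC"`. The `ssl.lua` hunk guards the library's own path through `config.algorithms.ec`, but the C side should record the new contract in the doc comment, e.g. `/** Set elliptic curve. Compiled and registered in funcs[] only when OpenSSL is built with EC support. */`. The body of set_curve continues outside this hunk.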
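Review bot: The reworded message on the `lua_pushfstring` line wraps the curve name in single quotes, while the sibling `set_curves_list` introduced in the next hunk keeps `\"%s\"` for the same kind of value, so the two functions now report the same class of error in two formats. Picking one form, e.g. `lua_pushfstring(L, "elliptic curve \"%s\" not supported", str);`, keeps the messages consistent for callers that log or match them. Both the start and the end of set_curve lie outside this hunk.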
@@ -598,9 +576,35 @@ static int set_curve(lua_State *L)
 ERR_reason_error_string(ERR_get_error()));
 return 2;
 }
+
+ lua_pushboolean(L, 1);
+ return 1;
+}
+#endif
+
+#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
+/**
+ * Set elliptic curves list.
+ */
+static int set_curves_list(lua_State *L)
+{
+ SSL_CTX *ctx = lsec_checkcontext(L, 1);
+ const char *str = luaL_checkstring(L, 2);
+
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+
+ if (SSL_CTX_set1_curves_list(ctx, str) != 1) {
+ lua_pushboolean(L, 0);
+ lua_pushfstring(L, "unknown elliptic curve in \"%s\"", str);
+ return 2;
+ }
+
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+ SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif
+
 lua_pushboolean(L, 1);
 return 1;
-#endif /* defined(SSL_CTRL_SET_CURVES_LIST) */
 }
 #endif
@@ -616,10 +620,18 @@ static luaL_Reg funcs[] = {
 {"setcipher", set_cipher},
 {"setdepth", set_depth},
 {"setdhparam", set_dhparam},
- {"setcurve", set_curve},
 {"setverify", set_verify},
 {"setoptions", set_options},
 {"setmode", set_mode},
+
+#if !defined(OPENSSL_NO_EC)
+ {"setcurve", set_curve},
+#endif
+
+#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
+ {"setcurveslist", set_curves_list},
+#endif
+
 {NULL, NULL}
 };
diff --git a/src/ssl.lua b/src/ssl.lua
index edc0862..3035b69 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
@@ -7,6 +7,7 @@ local core = require("ssl.core")
 local context = require("ssl.context")
 local x509 = require("ssl.x509")
+local config = require("ssl.config")
 local unpack = table.unpack or unpack
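Review bot: The `#if` that guards `set_curves_list` is satisfied by `defined(SSL_CTRL_SET_ECDH_AUTO)` alone, yet the body unconditionally calls `SSL_CTX_set1_curves_list`, so the condition is looser than what the code needs; the OpenSSL releases I know of define both together, but a header carrying only the ECDH-auto control would fail to compile here instead of simply omitting the function. The same three-way condition is repeated verbatim for the `setcurveslist` entry in the `funcs[]` hunk below, so one file-level macro (say `LSEC_HAVE_CURVES_LIST`, defined once as `!defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list))` and tested in both places) would keep the two in sync and drop the ECDH-auto disjunct. Separately, `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE)` runs before the list is validated, so a rejected list still leaves that option set on the context; moving the call below the `!= 1` check keeps a failed `setcurveslist` free of side effects. The doc comment would also help readers more as `/** Set the elliptic curves list as accepted by SSL_CTX_set1_curves_list; returns true, or false plus a message naming the rejected list. */`.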
@@ -92,11 +93,19 @@ local function newcontext(cfg)
 end
 context.setdhparam(ctx, cfg.dhparam)
 end
- -- Set elliptic curve
- if cfg.curve then
- succ, msg = context.setcurve(ctx, cfg.curve)
- if not succ then return nil, msg end
+
+ -- Set elliptic curves
+ if (not config.algorithms.ec) and (cfg.curve or cfg.curveslist) then
+ return false, "elliptic curves not supported"
 end
+ if config.capabilities.curves_list and cfg.curveslist then
+ succ, msg = context.setcurveslist(ctx, cfg.curveslist)
+ if not succ then return nil, msg end
+ elseif cfg.curve then
+ succ, msg = context.setcurve(ctx, cfg.curve)
+ if not succ then return nil, msg end
+ end
+
 -- Set extra verification options
 if cfg.verifyext and ctx.setverifyext then
 succ, msg = optexec(ctx.setverifyext, cfg.verifyext, ctx)
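Review bot: When `cfg.curveslist` is given but `config.capabilities.curves_list` is false and no `cfg.curve` is set, the new `if`/`elseif` falls through and configures no curve at all, so an operator who pinned a curve list silently gets whatever OpenSSL defaults to; adding `elseif cfg.curveslist then return nil, "elliptic curves list not supported" end` before the closing `end` makes the unsupported request visible instead of quietly weakening the requested configuration. The EC-disabled check just above returns `false, "..."` while every other failure in this function returns `nil, msg`, so callers testing for `nil` would miss it; `return nil, "elliptic curves not supported"` matches the surrounding convention. Both `config.algorithms.ec` and `config.capabilities.curves_list` come from the newly required `ssl.config` module, which is not part of this diff; if that module does not already expose a `capabilities` table, the second check errors on indexing nil rather than disabling the feature. newcontext begins and ends outside this hunk.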