17 const char *name; |
17 const char *name; |
18 unsigned long code; |
18 unsigned long code; |
19 }; |
19 }; |
20 typedef struct ssl_option_s ssl_option_t; |
20 typedef struct ssl_option_s ssl_option_t; |
21 |
21 |
22 int luasec_ssl_idx = -1; |
22 /* index into the SSL storage where the context is. |
|
23 * see SSL_CTX_get_ex_data(). |
|
24 */ |
|
25 static int luasec_sslctx_idx = -1; |
23 |
26 |
24 /* The export DH key */ |
27 /* The export DH key */ |
25 static DH *dh_512 = NULL; |
28 static DH *dh_512 = NULL; |
26 /* The larger key (builtin is 2048, caller may specify larger) */ |
29 /* The larger key (builtin is 2048, caller may specify larger) */ |
27 static DH *dh_larger = NULL; |
30 static DH *dh_larger = NULL; |
225 static int create(lua_State *L) |
228 static int create(lua_State *L) |
226 { |
229 { |
227 p_context ctx; |
230 p_context ctx; |
228 SSL_METHOD *method; |
231 SSL_METHOD *method; |
229 |
232 |
|
233 if (luasec_sslctx_idx == -1) { |
|
234 luasec_sslctx_idx = SSL_CTX_get_ex_new_index(0, "luasec sslctx context", NULL, NULL, NULL); |
|
235 if (luasec_sslctx_idx == -1) { |
|
236 lua_pushnil(L); |
|
237 lua_pushstring(L, "error creating luasec SSL index"); |
|
238 return 2; |
|
239 } |
|
240 } |
230 method = str2method(luaL_checkstring(L, 1)); |
241 method = str2method(luaL_checkstring(L, 1)); |
231 if (!method) { |
242 if (!method) { |
232 lua_pushnil(L); |
243 lua_pushnil(L); |
233 lua_pushstring(L, "invalid protocol"); |
244 lua_pushstring(L, "invalid protocol"); |
234 return 2; |
245 return 2; |
252 /* |
263 /* |
253 * Support ephemeral diffie-hellman key exchange. This is only needed |
264 * Support ephemeral diffie-hellman key exchange. This is only needed |
254 * for server mode, but clearer to put it here rather than set_mode. |
265 * for server mode, but clearer to put it here rather than set_mode. |
255 */ |
266 */ |
256 SSL_CTX_set_tmp_dh_callback(ctx->context, dh_param_cb); |
267 SSL_CTX_set_tmp_dh_callback(ctx->context, dh_param_cb); |
|
268 SSL_CTX_set_ex_data(ctx->context, luasec_sslctx_idx, ctx); |
|
269 |
257 luaL_getmetatable(L, "SSL:Context"); |
270 luaL_getmetatable(L, "SSL:Context"); |
258 lua_setmetatable(L, -2); |
271 lua_setmetatable(L, -2); |
259 return 1; |
272 return 1; |
260 } |
273 } |
261 |
274 |
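Review bot: The return value of SSL_CTX_set_ex_data() on new line 268 is ignored; it returns 0 on failure, and the new verify_cb code (new lines 418–420 further down this file) dereferences the pointer from SSL_CTX_get_ex_data(context, luasec_sslctx_idx) without a NULL check, so a failed store surfaces as a NULL dereference during certificate verification rather than as an error at context creation. Since the other failure paths in create() already return `nil, "<message>"`, the same shape fits here: `if (!SSL_CTX_set_ex_data(ctx->context, luasec_sslctx_idx, ctx)) { lua_pushnil(L); lua_pushstring(L, "error storing luasec context"); return 2; }`, releasing ctx->context first if nothing else owns it at that point (its allocation sits between the hunks, so I cannot see whether the metatable or __gc would already cover it). A second point worth a comment on line 268 is lifetime: ctx is a Lua userdata stored as a raw pointer in the SSL_CTX, and SSL_CTX objects are reference-counted by the SSL objects created from them, so it should be confirmed that the context's __gc cannot run while an SSL object (and thus verify_cb) can still reach this pointer; something like `/* ctx must outlive every SSL created from ctx->context: verify_cb reads it back via ex_data */` would record the invariant. The body of create() between new lines 245 and 263 is outside the visible hunks.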
390 return 1; |
403 return 1; |
391 } |
404 } |
392 |
405 |
393 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
406 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
394 { |
407 { |
|
408 SSL_CTX *context; |
395 SSL *ssl; |
409 SSL *ssl; |
396 p_context ctx = NULL; |
410 p_context l_ctx; |
397 |
411 |
398 /* Short-circuit optimization */ |
412 /* Short-circuit optimization */ |
399 if (preverify_ok) |
413 if (preverify_ok) |
400 return 1; |
414 return 1; |
401 |
415 |
402 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
416 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
403 ctx = SSL_get_ex_data(ssl, luasec_ssl_idx); |
417 context = ssl->ctx; |
404 |
418 l_ctx = SSL_CTX_get_ex_data(context, luasec_sslctx_idx); |
405 if (ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { |
419 |
|
420 if (l_ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { |
406 int err, depth; |
421 int err, depth; |
407 |
422 |
408 err = X509_STORE_CTX_get_error(x509_ctx); |
423 err = X509_STORE_CTX_get_error(x509_ctx); |
409 depth = X509_STORE_CTX_get_error_depth(x509_ctx); |
424 depth = X509_STORE_CTX_get_error_depth(x509_ctx); |
410 |
425 |