16 struct ssl_option_s { |
16 struct ssl_option_s { |
17 const char *name; |
17 const char *name; |
18 unsigned long code; |
18 unsigned long code; |
19 }; |
19 }; |
20 typedef struct ssl_option_s ssl_option_t; |
20 typedef struct ssl_option_s ssl_option_t; |
|
21 |
|
22 int luasec_ssl_idx = -1; |
21 |
23 |
22 /* The export DH key */ |
24 /* The export DH key */ |
23 static DH *dh_512 = NULL; |
25 static DH *dh_512 = NULL; |
24 /* The larger key (builtin is 2048, caller may specify larger) */ |
26 /* The larger key (builtin is 2048, caller may specify larger) */ |
25 static DH *dh_larger = NULL; |
27 static DH *dh_larger = NULL; |
105 /*--------------------------- Auxiliary Functions ----------------------------*/ |
107 /*--------------------------- Auxiliary Functions ----------------------------*/ |
106 |
108 |
107 /** |
109 /** |
108 * Return the context. |
110 * Return the context. |
109 */ |
111 */ |
110 static p_context checkctx(lua_State *L, int idx) |
112 p_context checkctx(lua_State *L, int idx) |
111 { |
113 { |
112 return (p_context)luaL_checkudata(L, idx, "SSL:Context"); |
114 return (p_context)luaL_checkudata(L, idx, "SSL:Context"); |
113 } |
115 } |
114 |
116 |
115 /** |
117 /** |
241 if (!ctx->context) { |
243 if (!ctx->context) { |
242 lua_pushnil(L); |
244 lua_pushnil(L); |
243 lua_pushstring(L, "error creating context"); |
245 lua_pushstring(L, "error creating context"); |
244 return 2; |
246 return 2; |
245 } |
247 } |
|
248 ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE; |
246 ctx->mode = MD_CTX_INVALID; |
249 ctx->mode = MD_CTX_INVALID; |
247 /* No session support */ |
250 /* No session support */ |
248 SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF); |
251 SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF); |
249 /* |
252 /* |
250 * Support ephemeral diffie-hellman key exchange. This is only needed |
253 * Support ephemeral diffie-hellman key exchange. This is only needed |
387 return 1; |
390 return 1; |
388 } |
391 } |
389 |
392 |
390 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
393 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
391 { |
394 { |
392 return 1; |
395 SSL *ssl; |
|
396 p_context ctx = NULL; |
|
397 |
|
398 /* Short-circuit optimization */ |
|
399 if (preverify_ok) |
|
400 return 1; |
|
401 |
|
402 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
|
403 ctx = SSL_get_ex_data(ssl, luasec_ssl_idx); |
|
404 |
|
405 if (ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { |
|
406 int err, depth; |
|
407 |
|
408 err = X509_STORE_CTX_get_error(x509_ctx); |
|
409 depth = X509_STORE_CTX_get_error_depth(x509_ctx); |
|
410 |
|
411 if (depth == 0 && err == X509_V_ERR_INVALID_PURPOSE) { |
|
412 /* You see nothing! */ |
|
413 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); |
|
414 preverify_ok = 1; |
|
415 } |
|
416 } |
|
417 return (ctx->verify_flags & LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE ? 1 : preverify_ok); |
393 } |
418 } |
394 |
419 |
395 /** |
420 /** |
396 * Set the handshake verify options. |
421 * Set the handshake verify options. |
397 */ |
422 */ |
398 static int set_verify(lua_State *L) |
423 static int set_verify(lua_State *L) |
399 { |
424 { |
400 int i; |
425 int i; |
401 int flag = 0; |
426 int flag = 0; |
402 int ignore_errors = 0; |
427 int ignore_errors = 0; |
403 SSL_CTX *ctx = ctx_getcontext(L, 1); |
428 p_context ctx = checkctx(L, 1); |
404 int max = lua_gettop(L); |
429 int max = lua_gettop(L); |
405 /* any flag? */ |
430 /* any flag? */ |
406 if (max > 1) { |
431 if (max > 1) { |
|
432 ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE; |
407 for (i = 2; i <= max; i++) { |
433 for (i = 2; i <= max; i++) { |
408 const char *s = luaL_checkstring(L, i); |
434 const char *s = luaL_checkstring(L, i); |
409 if (!strcmp(s, "continue")) { |
435 if (!strcmp(s, "continue")) { |
|
436 ctx->verify_flags |= LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE; |
410 ignore_errors = 1; |
437 ignore_errors = 1; |
|
438 } else if (!strcmp(s, "ignore_purpose")) { |
|
439 ctx->verify_flags |= LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE; |
411 } else if (!set_verify_flag(s, &flag)) { |
440 } else if (!set_verify_flag(s, &flag)) { |
412 lua_pushboolean(L, 0); |
441 lua_pushboolean(L, 0); |
413 lua_pushstring(L, "invalid verify option"); |
442 lua_pushstring(L, "invalid verify option"); |
414 return 2; |
443 return 2; |
415 } |
444 } |
416 } |
445 } |
417 SSL_CTX_set_verify(ctx, flag, ignore_errors ? verify_cb : NULL); |
446 SSL_CTX_set_verify(ctx->context, flag, ctx->verify_flags ? verify_cb : NULL); |
418 } |
447 } |
419 lua_pushboolean(L, 1); |
448 lua_pushboolean(L, 1); |
420 return 1; |
449 return 1; |
421 } |
450 } |
422 |
451 |
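Review bot: In verify_cb the pointer returned by `SSL_get_ex_data(ssl, luasec_ssl_idx)` (new line 403) is dereferenced on line 405 with no NULL check, so an SSL object that never had the context attached (luasec_ssl_idx starts at -1 on new line 22 and the code that sets it is not in this hunk) would crash in the middle of the handshake; add `if (!ctx) return preverify_ok;` right after the lookup, and treat a NULL `ssl` from line 402 the same way, since the store context may not be tied to an SSL connection. Separately, `ignore_errors` (new line 437) is now assigned but never read and can be dropped. When set_verify returns "invalid verify option" it has already reset and partially rewritten `ctx->verify_flags` without calling SSL_CTX_set_verify, so a previously installed verify_cb presumably keeps running with the half-applied flags — accumulate into a local and store it only after the loop succeeds. The `ignore_purpose` branch also deserves a comment such as `/* deliberately accepts a leaf cert whose (extended) key usage does not match the expected purpose */`, since it disables a check callers may rely on.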