comparison: src/context.c
src/context.c
- changeset 34
- 510432315106
- parent 30
- 36ed99e1ce1e
- child 36
- 96f23601ce7a
equal
deleted
inserted
replaced
| 33:cc36229b3be1 | 34:510432315106 |
|---|---|
| 16 struct ssl_option_s { | 16 struct ssl_option_s { |
| 17 const char *name; | 17 const char *name; |
| 18 unsigned long code; | 18 unsigned long code; |
| 19 }; | 19 }; |
| 20 typedef struct ssl_option_s ssl_option_t; | 20 typedef struct ssl_option_s ssl_option_t; |
| 21 | |
| 22 int luasec_ssl_idx = -1; | |
| 21 | 23 |
| 22 /* The export DH key */ | 24 /* The export DH key */ |
| 23 static DH *dh_512 = NULL; | 25 static DH *dh_512 = NULL; |
| 24 /* The larger key (builtin is 2048, caller may specify larger) */ | 26 /* The larger key (builtin is 2048, caller may specify larger) */ |
| 25 static DH *dh_larger = NULL; | 27 static DH *dh_larger = NULL; |
| 105 /*--------------------------- Auxiliary Functions ----------------------------*/ | 107 /*--------------------------- Auxiliary Functions ----------------------------*/ |
| 106 | 108 |
| 107 /** | 109 /** |
| 108 * Return the context. | 110 * Return the context. |
| 109 */ | 111 */ |
| 110 static p_context checkctx(lua_State *L, int idx) | 112 p_context checkctx(lua_State *L, int idx) |
| 111 { | 113 { |
| 112 return (p_context)luaL_checkudata(L, idx, "SSL:Context"); | 114 return (p_context)luaL_checkudata(L, idx, "SSL:Context"); |
| 113 } | 115 } |
| 114 | 116 |
| 115 /** | 117 /** |
| 241 if (!ctx->context) { | 243 if (!ctx->context) { |
| 242 lua_pushnil(L); | 244 lua_pushnil(L); |
| 243 lua_pushstring(L, "error creating context"); | 245 lua_pushstring(L, "error creating context"); |
| 244 return 2; | 246 return 2; |
| 245 } | 247 } |
| 248 ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE; | |
| 246 ctx->mode = MD_CTX_INVALID; | 249 ctx->mode = MD_CTX_INVALID; |
| 247 /* No session support */ | 250 /* No session support */ |
| 248 SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF); | 251 SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF); |
| 249 /* | 252 /* |
| 250 * Support ephemeral diffie-hellman key exchange. This is only needed | 253 * Support ephemeral diffie-hellman key exchange. This is only needed |
| 387 return 1; | 390 return 1; |
| 388 } | 391 } |
| 389 | 392 |
| 390 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) | 393 int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
| 391 { | 394 { |
| 392 return 1; | 395 SSL *ssl; |
| 396 p_context ctx = NULL; | |
| 397 | |
| 398 /* Short-circuit optimization */ | |
| 399 if (preverify_ok) | |
| 400 return 1; | |
| 401 | |
| 402 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); | |
| 403 ctx = SSL_get_ex_data(ssl, luasec_ssl_idx); | |
| 404 | |
| 405 if (ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { | |
| 406 int err, depth; | |
| 407 | |
| 408 err = X509_STORE_CTX_get_error(x509_ctx); | |
| 409 depth = X509_STORE_CTX_get_error_depth(x509_ctx); | |
| 410 | |
| 411 if (depth == 0 && err == X509_V_ERR_INVALID_PURPOSE) { | |
| 412 /* You see nothing! */ | |
| 413 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); | |
| 414 preverify_ok = 1; | |
| 415 } | |
| 416 } | |
| 417 return (ctx->verify_flags & LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE ? 1 : preverify_ok); | |
| 393 } | 418 } |
| 394 | 419 |
| 395 /** | 420 /** |
| 396 * Set the handshake verify options. | 421 * Set the handshake verify options. |
| 397 */ | 422 */ |
| 398 static int set_verify(lua_State *L) | 423 static int set_verify(lua_State *L) |
| 399 { | 424 { |
| 400 int i; | 425 int i; |
| 401 int flag = 0; | 426 int flag = 0; |
| 402 int ignore_errors = 0; | 427 int ignore_errors = 0; |
| 403 SSL_CTX *ctx = ctx_getcontext(L, 1); | 428 p_context ctx = checkctx(L, 1); |
| 404 int max = lua_gettop(L); | 429 int max = lua_gettop(L); |
| 405 /* any flag? */ | 430 /* any flag? */ |
| 406 if (max > 1) { | 431 if (max > 1) { |
| 432 ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE; | |
| 407 for (i = 2; i <= max; i++) { | 433 for (i = 2; i <= max; i++) { |
| 408 const char *s = luaL_checkstring(L, i); | 434 const char *s = luaL_checkstring(L, i); |
| 409 if (!strcmp(s, "continue")) { | 435 if (!strcmp(s, "continue")) { |
| 436 ctx->verify_flags |= LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE; | |
| 410 ignore_errors = 1; | 437 ignore_errors = 1; |
| 438 } else if (!strcmp(s, "ignore_purpose")) { | |
| 439 ctx->verify_flags |= LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE; | |
| 411 } else if (!set_verify_flag(s, &flag)) { | 440 } else if (!set_verify_flag(s, &flag)) { |
| 412 lua_pushboolean(L, 0); | 441 lua_pushboolean(L, 0); |
| 413 lua_pushstring(L, "invalid verify option"); | 442 lua_pushstring(L, "invalid verify option"); |
| 414 return 2; | 443 return 2; |
| 415 } | 444 } |
| 416 } | 445 } |
| 417 SSL_CTX_set_verify(ctx, flag, ignore_errors ? verify_cb : NULL); | 446 SSL_CTX_set_verify(ctx->context, flag, ctx->verify_flags ? verify_cb : NULL); |
| 418 } | 447 } |
| 419 lua_pushboolean(L, 1); | 448 lua_pushboolean(L, 1); |
| 420 return 1; | 449 return 1; |
| 421 } | 450 } |
| 422 | 451 |
