diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/GNUmakefile | 134 | ||||
| -rw-r--r-- | src/compat52.h | 168 | ||||
| -rw-r--r-- | src/openssl.c | 575 | ||||
| -rw-r--r-- | src/openssl.ssl.context.lua | 14 | ||||
| -rw-r--r-- | src/openssl.ssl.lua | 20 |
5 files changed, 559 insertions, 352 deletions
diff --git a/src/GNUmakefile b/src/GNUmakefile index 9e4fde4..e257ba6 100644 --- a/src/GNUmakefile +++ b/src/GNUmakefile @@ -16,66 +16,46 @@ include $(d)/../GNUmakefile # # C O M P I L A T I O N F L A G S # -OS_$(d) = $(shell $(d)/../mk/vendor.os) -CC_$(d) = $(shell env CC="$(CC) "$(d)/../mk/vendor.cc) -LUAPATH_$(d) = $(shell env CC="$(CC)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(<D)/../mk/luapath -krxm3 -I$(DESTDIR)$(includedir) -I/usr/include -I/usr/local/include -P$(DESTDIR)$(bindir) -P$(bindir) -L$(DESTDIR)$(libdir) -L$(libdir) -v$(1) $(2)) - -CPPFLAGS_$(d) = $(CPPFLAGS_$(abspath $(@D)/../..)) -DHAVE_CONFIG_H -CFLAGS_$(d) = $(CFLAGS_$(abspath $(@D)/../..)) -LDFLAGS_$(d) = $(LDFLAGS_$(abspath $(@D)/../..)) -SOFLAGS_$(d) = $(SOFLAGS_$(abspath $(@D)/../..)) - -ifeq ($(CC_$(d)), sunpro) -CPPFLAGS_$(d) += -DOPENSSL_NO_EC -endif - -LDFLAGS_$(d) += -lssl -lcrypto -lpthread -lm - -# NetBSD, FreeBSD, OpenBSD (and presumably descendants) lack any libdl; -# dlopen, et al are part of libc. -ifneq ($(patsubst %BSD,BSD,$(OS_$(d))), BSD) -LDFLAGS_$(d) += -ldl -endif - +CPPFLAGS_$(d) = $(ALL_CPPFLAGS) -DHAVE_CONFIG_H -DCOMPAT53_PREFIX=luaossl +CFLAGS_$(d) = $(ALL_CFLAGS) +SOFLAGS_$(d) = $(ALL_SOFLAGS) +LDFLAGS_$(d) = $(ALL_LDFLAGS) +LIBS_$(d) = $(ALL_LIBS) # # C O M P I L A T I O N R U L E S # +OBJS_$(d) = openssl.o ../vendor/compat53/c-api/compat-5.3.o + $(d)/config.h: $(abspath $(d)/..)/config.h $(CP) $< $@ define BUILD_$(d) -.SECONDARY: liblua$(1)-openssl openssl$(1) +$$(d)/$(1)/openssl.so: $$(addprefix $$(d)/$(1)/, $$(OBJS_$(d))) + $$(CC) -o $$@ $$^ $$(SOFLAGS_$$(abspath $$(@D)/..)) $$(LDFLAGS_$$(abspath $$(@D)/..)) $$(LIBS_$$(abspath $$(@D)/..)) -$$(d)/$(1)/openssl.so: $$(d)/$(1)/openssl.o - $$(CC) -o $$@ $$^ $$(SOFLAGS_$$(abspath $$(@D)/..)) $$(SOFLAGS) $$(LDFLAGS_$$(abspath $$(@D)/..)) $$(LDFLAGS) - -$$(d)/$(1)/openssl.o: $$(d)/openssl.c $$(d)/compat52.h $$(d)/config.h - test "$$(notdir $$(@D))" = "$$(call LUAPATH_$$(<D), $$(notdir $$(@D)), version)" +$$(d)/$(1)/%.o: $$(d)/%.c $$(d)/../vendor/compat53/c-api/compat-5.3.h $$(d)/config.h $$(MKDIR) -p $$(@D) - $$(CC) $$(CFLAGS_$$(<D)) $$(CFLAGS) $$(call LUAPATH_$$(<D), $$(notdir $$(@D)), cppflags) $$(CPPFLAGS_$$(<D)) $$(CPPFLAGS) -c -o $$@ $$< + $$(CC) $$(CFLAGS_$$(<D)) $$(ALL_LUA$(subst .,,$(1))_CPPFLAGS) $$(CPPFLAGS_$$(<D)) -c -o $$@ $$< + +.SECONDARY: liblua$(1)-openssl openssl$(1) openssl -liblua$(1)-openssl openssl$(1): $$(d)/$(1)/openssl.so +liblua$(1)-openssl openssl$(1) openssl: $$(d)/$(1)/openssl.so endef # BUILD_$(d) $(eval $(call BUILD_$(d),5.1)) - $(eval $(call BUILD_$(d),5.2)) - $(eval $(call BUILD_$(d),5.3)) ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" "" -.SECONDARY: all5.1 all5.2 all +.SECONDARY: all all5.1 all5.2 all5.3 all5.1: liblua5.1-openssl - all5.2: liblua5.2-openssl - all5.3: liblua5.3-openssl - -all: all5.1 all5.2 +all: $(foreach API,$(strip $(LUA_APIS)),all$(API)) endif @@ -85,8 +65,6 @@ endif # define INSTALL_$(d) -LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true) - MODS$(1)_$(d) = \ $$(DESTDIR)$(2)/_openssl.so \ $$(DESTDIR)$(3)/openssl.lua \ @@ -116,42 +94,34 @@ MODS$(1)_$(d) = \ .SECONDARY: liblua$(1)-openssl-install openssl$(1)-install -$$(DESTDIR)$(2)/_openssl.so: $$(d)/$(1)/openssl.so - $$(MKDIR) -p $$(@D) - $$(CP) -fp $$< $$@ +liblua$(1)-openssl-install openssl$(1)-install: $$(MODS$(1)_$$(d)) -$$(DESTDIR)$(3)/openssl.lua: $$(d)/openssl.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(2)/_openssl.so: $$(d)/$(1)/openssl.so $$(MKDIR) -p $$(@D) $$(CP) -p $$< $$@ -$$(DESTDIR)$(3)/openssl/%.lua: $$(d)/openssl.%.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(3)/%.lua: $$(d)/%.lua + $$(LUAC$(subst .,,$(1))) -p $$< $$(MKDIR) -p $$(@D) $$(CP) -p $$< $$@ -# pubkey.lua used to be symbolic link to pkey.lua, but that caused packaging -# headaches. Now it's a stub, but the cp -p in the inference rule will copy -# to the target of the symbolic link, so we need a special install rule to -# clean up the mess. -$$(DESTDIR)$(3)/openssl/pubkey.lua: $$(d)/openssl.pubkey.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(3)/openssl/%.lua: $$(d)/openssl.%.lua + $$(LUAC$(subst .,,$(1))) -p $$< $$(MKDIR) -p $$(@D) - $$(RM) -f $$@ $$(CP) -p $$< $$@ -$$(DESTDIR)$(3)/openssl/x509/%.lua: $$(d)/openssl.x509.%.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(3)/openssl/ocsp/%.lua: $$(d)/ocsp.%.lua + $$(LUAC$(subst .,,$(1))) -p $$< $$(MKDIR) -p $$(@D) $$(CP) -p $$< $$@ -$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/openssl.ssl.%.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(3)/openssl/x509/%.lua: $$(d)/x509.%.lua + $$(LUAC$(subst .,,$(1))) -p $$< $$(MKDIR) -p $$(@D) $$(CP) -p $$< $$@ -$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/openssl.ssl.%.lua - $$(LUAC$(1)_$(d)) -p $$< +$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/ssl.%.lua + $$(LUAC$(subst .,,$(1))) -p $$< $$(MKDIR) -p $$(@D) $$(CP) -p $$< $$@ @@ -161,6 +131,7 @@ liblua$(1)-openssl-install openssl$(1)-install: $$(MODS$(1)_$$(d)) liblua$(1)-openssl-uninstall openssl$(1)-uninstall: $$(RM) -f $$(MODS$(1)_$(d)) + -$$(RMDIR) $$(DESTDIR)$(3)/openssl/ocsp -$$(RMDIR) $$(DESTDIR)$(3)/openssl/x509 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/ssl -$$(RMDIR) $$(DESTDIR)$(3)/openssl @@ -168,31 +139,24 @@ liblua$(1)-openssl-uninstall openssl$(1)-uninstall: endef # INSTALL_$(d) $(eval $(call INSTALL_$(d),5.1,$$(lua51cpath),$$(lua51path))) - $(eval $(call INSTALL_$(d),5.2,$$(lua52cpath),$$(lua52path))) - $(eval $(call INSTALL_$(d),5.3,$$(lua53cpath),$$(lua53path))) ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" "" + .SECONDARY: install5.1 install5.2 install5.3 install install5.1: liblua5.1-openssl-install - install5.2: liblua5.2-openssl-install - install5.3: liblua5.3-openssl-install - -install: install5.1 install5.2 +install: $(foreach API,$(strip $(LUA_APIS)),install$(API)) .PHONY: uninstall5.1 uninstall5.2 uninstall5.3 uninstall uninstall5.1: liblua5.1-openssl-uninstall - uninstall5.2: liblua5.2-openssl-uninstall - uninstall5.3: liblua5.3-openssl-uninstall - -uninstall: uninstall5.1 uninstall5.2 +uninstall: $(foreach API,$(strip $(LUA_APIS)),uninstall$(API)) endif @@ -203,7 +167,7 @@ endif .PHONY: $(d)/clean $(d)/clean~ clean clean~ $(d)/clean: - $(RM) -fr $(@D)/*.so $(@D)/*.o $(@D)/*.dSYM $(@D)/5.1 $(@D)/5.2 $(@D)/5.3 + $(RM) -fr $(@D)/config.h $(@D)/*.dSYM $(@D)/5.1 $(@D)/5.2 $(@D)/5.3 $(d)/clean~: $(d)/clean $(RM) -f $(@D)/*~ @@ -220,27 +184,27 @@ clean~: $(d)/clean~ $(d)/help: @echo - @echo "ext/ targets:" + @echo "src/ targets:" @echo "" - @echo " all - build all binary targets" - @echo "openssl - invokes openssl5.1 and openssl5.2" - @echo "openssl5.1 - build 5.1/openssl.so" - @echo "openssl5.2 - build 5.2/openssl.so" - @echo "openssl5.3 - build 5.3/openssl.so" - @echo "install - invokes install5.1 and install5.2" - @echo "install5.1 - install openssl Lua 5.1 modules" - @echo "install5.2 - install openssl Lua 5.2 modules" - @echo "install5.3 - install openssl Lua 5.3 modules" - @echo "uninstall - invokes uninstall5.1 and uninstall5.2" + @echo " all - build all API targets" + @echo " all5.1 - build 5.1/openssl.so" + @echo " all5.2 - build 5.2/openssl.so" + @echo " all5.3 - build 5.3/openssl.so" + @echo " install - install all API targets" + @echo " install5.1 - install openssl Lua 5.1 modules" + @echo " install5.2 - install openssl Lua 5.2 modules" + @echo " install5.3 - install openssl Lua 5.3 modules" + @echo " uninstall - uninstall all API targets" @echo "uninstall5.1 - uninstall openssl Lua 5.1 modules" @echo "uninstall5.2 - uninstall openssl Lua 5.2 modules" @echo "uninstall5.3 - uninstall openssl Lua 5.3 modules" - @echo " clean - rm binary targets, object files, debugging symbols, etc" - @echo " clean~ - clean + rm *~" - @echo " help - echo this help message" + @echo " clean - rm binary targets, object files, debugging symbols, etc" + @echo " clean~ - clean + rm *~" + @echo " help - echo this help message" @echo "" @echo "Some important Make variables:" @echo "" + @echo ' LUA_APIS - default Lua APIs to target ($(LUA_APIS))' @echo " prefix - path to install root ($(value prefix))" @echo ' lua51path - install path for Lua 5.1 modules ($(value lua51path))' @echo 'lua51cpath - install path for Lua 5.1 C modules ($(value lua51cpath))' @@ -249,6 +213,10 @@ $(d)/help: @echo ' lua53path - install path for Lua 5.3 modules ($(value lua53path))' @echo 'lua53cpath - install path for Lua 5.3 C modules ($(value lua53cpath))' @echo "" + @echo 'LUA51_CPPFLAGS - cpp flags for Lua 5.1 headers ($(LUA51_CPPFLAGS))' + @echo 'LUA52_CPPFLAGS - cpp flags for Lua 5.2 headers ($(LUA52_CPPFLAGS))' + @echo 'LUA53_CPPFLAGS - cpp flags for Lua 5.3 headers ($(LUA53_CPPFLAGS))' + @echo "" @echo "(NOTE: all the common GNU-style paths are supported, including" @echo "prefix, bindir, libdir, datadir, includedir, and DESTDIR.)" @echo "" diff --git a/src/compat52.h b/src/compat52.h deleted file mode 100644 index 163aecb..0000000 --- a/src/compat52.h +++ /dev/null @@ -1,168 +0,0 @@ -/* ========================================================================== - * compat52.h - Routines for Lua 5.2 compatibility - * -------------------------------------------------------------------------- - * Copyright (c) 2012 William Ahern - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to permit - * persons to whom the Software is furnished to do so, subject to the - * following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN - * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, - * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR - * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE - * USE OR OTHER DEALINGS IN THE SOFTWARE. - * ========================================================================== - */ - - -#if LUA_VERSION_NUM < 503 - -#define lua_getfield(L, i, f) (lua_getfield(L, (i), (f)), lua_type(L, -1)) - -#endif - -#if LUA_VERSION_NUM < 502 - -#define LUA_OK 0 - - -static void luaL_setmetatable(lua_State *L, const char *tname) { - luaL_getmetatable(L, tname); - lua_setmetatable(L, -2); -} /* luaL_setmetatable() */ - - -static int lua_absindex(lua_State *L, int idx) { - return (idx > 0 || idx <= LUA_REGISTRYINDEX)? idx : lua_gettop(L) + idx + 1; -} /* lua_absindex() */ - - -static void *luaL_testudata(lua_State *L, int arg, const char *tname) { - void *p = lua_touserdata(L, arg); - int eq; - - if (!p || !lua_getmetatable(L, arg)) - return 0; - - luaL_getmetatable(L, tname); - eq = lua_rawequal(L, -2, -1); - lua_pop(L, 2); - - return (eq)? p : 0; -} /* luaL_testudate() */ - - -static void luaL_setfuncs(lua_State *L, const luaL_Reg *l, int nup) { - int i, t = lua_absindex(L, -1 - nup); - - for (; l->name; l++) { - for (i = 0; i < nup; i++) - lua_pushvalue(L, -nup); - lua_pushcclosure(L, l->func, nup); - lua_setfield(L, t, l->name); - } - - lua_pop(L, nup); -} /* luaL_setfuncs() */ - - -#define luaL_newlibtable(L, l) \ - lua_createtable(L, 0, (sizeof (l) / sizeof *(l)) - 1) - -#define luaL_newlib(L, l) \ - (luaL_newlibtable((L), (l)), luaL_setfuncs((L), (l), 0)) - - -static void luaL_requiref(lua_State *L, const char *modname, lua_CFunction openf, int glb) { - lua_pushcfunction(L, openf); - lua_pushstring(L, modname); - lua_call(L, 1, 1); - - lua_getglobal(L, "package"); - lua_getfield(L, -1, "loaded"); - lua_pushvalue(L, -3); - lua_setfield(L, -2, modname); - - lua_pop(L, 2); - - if (glb) { - lua_pushvalue(L, -1); - lua_setglobal(L, modname); - } -} /* luaL_requiref() */ - - -#define lua_resume(L, from, nargs) lua_resume((L), (nargs)) - - -static void lua_rawgetp(lua_State *L, int index, const void *p) { - index = lua_absindex(L, index); - lua_pushlightuserdata(L, (void *)p); - lua_rawget(L, index); -} /* lua_rawgetp() */ - -static void lua_rawsetp(lua_State *L, int index, const void *p) { - index = lua_absindex(L, index); - lua_pushlightuserdata(L, (void *)p); - lua_pushvalue(L, -2); - lua_rawset(L, index); - lua_pop(L, 1); -} /* lua_rawsetp() */ - - -#ifndef LUA_UNSIGNED -#define LUA_UNSIGNED unsigned -#endif - -typedef LUA_UNSIGNED lua_Unsigned; - - -static void lua_pushunsigned(lua_State *L, lua_Unsigned n) { - lua_pushnumber(L, (lua_Number)n); -} /* lua_pushunsigned() */ - -static lua_Unsigned luaL_checkunsigned(lua_State *L, int arg) { - return (lua_Unsigned)luaL_checknumber(L, arg); -} /* luaL_checkunsigned() */ - - -static lua_Unsigned luaL_optunsigned(lua_State *L, int arg, lua_Unsigned def) { - return (lua_Unsigned)luaL_optnumber(L, arg, (lua_Number)def); -} /* luaL_optunsigned() */ - - -#ifndef LUA_FILEHANDLE /* Not defined by earlier LuaJIT releases */ -#define LUA_FILEHANDLE "FILE*" -#endif - -/* - * Lua 5.1 userdata is a simple FILE *, while LuaJIT is a struct with the - * first member a FILE *, similar to Lua 5.2. - */ -typedef struct luaL_Stream { - FILE *f; -} luaL_Stream; - - -#define lua_rawlen(...) lua_objlen(__VA_ARGS__) - - -#define lua_pushstring(...) lua52_pushstring(__VA_ARGS__) - -static const char *lua52_pushstring(lua_State *L, const char *s) { - (lua_pushstring)(L, s); - return lua_tostring(L, -1); -} /* lua52_pushstring() */ - - -#endif /* LUA_VERSION_NUM < 502 */ diff --git a/src/openssl.c b/src/openssl.c index 9fc5b97..1b11207 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -75,7 +75,7 @@ #include <lualib.h> #include <lauxlib.h> -#include "compat52.h" +#include "../vendor/compat53/c-api/compat-5.3.h" #define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p)) #define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p))) @@ -83,11 +83,16 @@ #define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p)) #define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p))) -#define OPENSSL_PREREQ(M, m, p) \ - (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER) - +#ifdef LIBRESSL_VERSION_NUMBER +#define OPENSSL_PREREQ(M, m, p) (0) #define LIBRESSL_PREREQ(M, m, p) \ (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12))) +#else +#define OPENSSL_PREREQ(M, m, p) \ + (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12))) +#define LIBRESSL_PREREQ(M, m, p) (0) +#endif + #ifndef __has_builtin #define __has_builtin(x) 0 @@ -146,7 +151,11 @@ #endif #ifndef HAVE_DTLSV1_CLIENT_METHOD -#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1) +#ifdef OPENSSL_NO_DTLS1 +#define HAVE_DTLSV1_CLIENT_METHOD (0) +#else +#define HAVE_DTLSV1_CLIENT_METHOD (1) +#endif #endif #ifndef HAVE_DTLSV1_SERVER_METHOD @@ -154,7 +163,11 @@ #endif #ifndef HAVE_DTLS_CLIENT_METHOD -#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) +#ifdef OPENSSL_NO_DTLS1 +#define HAVE_DTLS_CLIENT_METHOD (0) +#else +#define HAVE_DTLS_CLIENT_METHOD OPENSSL_PREREQ(1,0,2) +#endif #endif #ifndef HAVE_DTLS_SERVER_METHOD @@ -162,7 +175,11 @@ #endif #ifndef HAVE_DTLSV1_2_CLIENT_METHOD -#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) +#ifdef OPENSSL_NO_DTLS1 +#define HAVE_DTLSV1_2_CLIENT_METHOD (0) +#else +#define HAVE_DTLSV1_2_CLIENT_METHOD OPENSSL_PREREQ(1,0,2) +#endif #endif #ifndef HAVE_DTLSV1_2_SERVER_METHOD @@ -229,10 +246,6 @@ #define HAVE_RSA_GET0_KEY OPENSSL_PREREQ(1,1,0) #endif -#ifndef HAVE_RSA_PKCS1_PSS_PADDING -#define HAVE_RSA_PKCS1_PSS_PADDING (defined RSA_PKCS1_PSS_PADDING || OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0)) -#endif - #ifndef HAVE_RSA_SET0_CRT_PARAMS #define HAVE_RSA_SET0_CRT_PARAMS OPENSSL_PREREQ(1,1,0) #endif @@ -253,6 +266,14 @@ #define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2) #endif +#ifndef HAVE_SSL_CTX_SET_CURVES_LIST +#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) +#endif + +#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO +#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2)) +#endif + #ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS #define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3)) #endif @@ -261,6 +282,10 @@ #define HAVE_SSL_CTX_SET_ALPN_SELECT_CB HAVE_SSL_CTX_SET_ALPN_PROTOS #endif +#ifndef HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK +#define HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK OPENSSL_PREREQ(1,0,0) +#endif + #ifndef HAVE_SSL_CTX_SET1_CERT_STORE #define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */ #endif @@ -293,6 +318,10 @@ #define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS #endif +#ifndef HAVE_SSL_SET_CURVES_LIST +#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1)) +#endif + #ifndef HAVE_SSL_SET1_PARAM #define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) #endif @@ -309,12 +338,32 @@ #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) #endif -#ifndef HAVE_SSLV2_CLIENT_METHOD -#define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) +#ifndef HAVE_SSL_OP_NO_SSL_MASK +#define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2) #endif -#ifndef HAVE_SSLV2_SERVER_METHOD -#define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) +#ifndef HAVE_SSL_OP_NO_DTLS_MASK +#define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0) +#endif + +#ifndef HAVE_STACK_OPENSSL_STRING_FUNCS +#define HAVE_STACK_OPENSSL_STRING_FUNCS (OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0)) +#endif + +#ifndef HAVE_X509_CRL_GET0_LASTUPDATE +#define HAVE_X509_CRL_GET0_LASTUPDATE OPENSSL_PREREQ(1,1,0) +#endif + +#ifndef HAVE_X509_CRL_GET0_NEXTUPDATE +#define HAVE_X509_CRL_GET0_NEXTUPDATE OPENSSL_PREREQ(1,1,0) +#endif + +#ifndef HAVE_X509_CRL_SET1_LASTUPDATE +#define HAVE_X509_CRL_SET1_LASTUPDATE OPENSSL_PREREQ(1,1,0) +#endif + +#ifndef HAVE_X509_CRL_SET1_NEXTUPDATE +#define HAVE_X509_CRL_SET1_NEXTUPDATE OPENSSL_PREREQ(1,1,0) #endif #ifndef HAVE_X509_GET_SIGNATURE_NID @@ -358,7 +407,11 @@ #endif #ifndef STRERROR_R_CHAR_P -#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))) +#ifdef __GLIBC__ +#define STRERROR_R_CHAR_P (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600)) +#else +#define STRERROR_R_CHAR_P (0) +#endif #endif #ifndef LIST_HEAD @@ -678,6 +731,44 @@ static void *loadfield_udata(lua_State *L, int index, const char *k, const char } /* loadfield_udata() */ +/* Forward declaration */ +static SSL *ssl_push(lua_State *, SSL *); + +/* push an ssl object into lua in a way that is safe from OOM + * Lua 5.1 does not support normally returning values from lua_cpcall + * to return a value, we instead return it via an error object + */ +static int ssl_pushsafe_helper(lua_State *L) { + ssl_push(L, lua_touserdata(L, 1)); +#if LUA_VERSION_NUM <= 501 + return lua_error(L); +#else + return 1; +#endif +} + +static int ssl_pushsafe(lua_State *L, SSL *ssl) { + int status; +#if LUA_VERSION_NUM <= 501 + status = lua_cpcall(L, ssl_pushsafe_helper, ssl); + if (status == LUA_ERRRUN) + status = LUA_OK; + else if (status == LUA_OK) + /* this should be impossible */ + status = LUA_ERRRUN; + else + lua_pop(L, 1); +#else + lua_pushcfunction(L, ssl_pushsafe_helper); + lua_pushlightuserdata(L, ssl); + status = lua_pcall(L, 1, 1, 0); + if (status != LUA_OK) + lua_pop(L, 1); +#endif + return status; +} + + /* * Auxiliary C routines * @@ -1623,6 +1714,22 @@ static int compat_SSL_up_ref(SSL *ssl) { } /* compat_SSL_up_ref() */ #endif +#if !HAVE_SSL_OP_NO_SSL_MASK +/* SSL_OP_NO_SSL_MASK was introduced in 1.0.2 + 1.0.1 had up to TLSv1_2 + 0.9.8-1.0.0 had up to TLSv1 +*/ +#ifdef SSL_OP_NO_TLSv1_2 +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2) +#else +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1) +#endif +#endif + +#if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD +#define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2) +#endif + #if !HAVE_SSL_CTX_GET0_PARAM #define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx)) @@ -1639,6 +1746,12 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) { } /* compat_SSL_CTX_set1_param() */ #endif +#if !HAVE_STACK_OPENSSL_STRING_FUNCS +#define sk_OPENSSL_STRING_num(s) sk_num(s) +#define sk_OPENSSL_STRING_value(s, i) sk_value((s), (i)) +#define sk_OPENSSL_STRING_free(s) X509_email_free(s) +#endif + #if !HAVE_X509_GET0_EXT #define X509_get0_ext(crt, i) X509_get_ext((crt), (i)) #endif @@ -1651,6 +1764,22 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) { #define X509_CRL_get0_ext(crt, i) X509_CRL_get_ext((crt), (i)) #endif +#if !HAVE_X509_CRL_GET0_LASTUPDATE +#define X509_CRL_get0_lastUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_lastUpdate(crl)) +#endif + +#if !HAVE_X509_CRL_GET0_NEXTUPDATE +#define X509_CRL_get0_nextUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_nextUpdate(crl)) +#endif + +#if !HAVE_X509_CRL_SET1_LASTUPDATE +#define X509_CRL_set1_lastUpdate(crl, s) X509_CRL_set_lastUpdate((crl), (ASN1_TIME*)(s)) +#endif + +#if !HAVE_X509_CRL_SET1_NEXTUPDATE +#define X509_CRL_set1_nextUpdate(crl, s) X509_CRL_set_nextUpdate((crl), (ASN1_TIME*)(s)) +#endif + #if !HAVE_X509_EXTENSION_GET0_OBJECT #define X509_EXTENSION_get0_object(ext) X509_EXTENSION_get_object((ext)) #endif @@ -1784,6 +1913,7 @@ static int compat_init(void) { if (done) goto epilog; +#if defined compat_X509_STORE_free /* * We need to unconditionally install at least one external * application data callback. Because these can never be @@ -1792,7 +1922,6 @@ static int compat_init(void) { if ((error = dl_anchor())) goto epilog; -#if defined compat_X509_STORE_free /* * Test if X509_STORE_free obeys reference counts by installing an * onfree callback. @@ -1929,6 +2058,7 @@ struct ex_data { enum { EX_SSL_CTX_ALPN_SELECT_CB, + EX_SSL_CTX_TLSEXT_SERVERNAME_CB, }; static struct ex_type { @@ -1938,6 +2068,7 @@ static struct ex_type { int (*set_ex_data)(); } ex_type[] = { [EX_SSL_CTX_ALPN_SELECT_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data }, + [EX_SSL_CTX_TLSEXT_SERVERNAME_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data }, }; #if OPENSSL_PREREQ(1,1,0) @@ -3081,7 +3212,8 @@ static int pk_new(lua_State *L) { if (lua_istable(L, 1) || lua_isnil(L, 1)) { int type = EVP_PKEY_RSA; unsigned bits = 1024; - unsigned exp = 65537; + BIGNUM *exp = NULL; + int generator = 2; int curve = NID_X9_62_prime192v1; const char *id; const char *dhparam = NULL; @@ -3111,23 +3243,46 @@ static int pk_new(lua_State *L) { luaL_argcheck(L, type != NID_undef, 1, lua_pushfstring(L, "%s: invalid key type", id)); } - if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) { - luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n)); - bits = (unsigned)n; - } + switch(type) { + case EVP_PKEY_RSA: + if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) { + luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n)); + bits = (unsigned)n; + } - if (loadfield(L, 1, "exp", LUA_TNUMBER, &n)) { - luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n)); - exp = (unsigned)n; - } + if (!getfield(L, 1, "exp")) { + exp = checkbig(L, -1); + } else { + /* default to 65537 */ + exp = bn_push(L); + if (!BN_add_word(exp, 65537)) + return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + } + break; + case EVP_PKEY_DH: + /* dhparam field can contain a PEM encoded string. + The "dhparam" field takes precedence over "bits" */ + if (loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam)) + break; - if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) { - if (!auxS_txt2nid(&curve, id)) - luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id)); - } + if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) { + luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n)); + bits = (unsigned)n; + } - /* dhparam field can contain a PEM encoded string. */ - loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam); + /* compat: DH used to use the 'exp' field for the generator */ + if (loadfield(L, 1, "generator", LUA_TNUMBER, &n) || loadfield(L, 1, "exp", LUA_TNUMBER, &n)) { + luaL_argcheck(L, n > 0 && n <= INT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n)); + generator = (int)n; + } + break; + case EVP_PKEY_EC: + if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) { + if (!auxS_txt2nid(&curve, id)) + luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id)); + } + break; + } creat: if (!(*ud = EVP_PKEY_new())) @@ -3137,9 +3292,14 @@ creat: case EVP_PKEY_RSA: { RSA *rsa; - if (!(rsa = RSA_generate_key(bits, exp, 0, 0))) + if (!(rsa = RSA_new())) return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + if (!RSA_generate_key_ex(rsa, bits, exp, 0)) { + RSA_free(rsa); + return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + } + EVP_PKEY_set1_RSA(*ud, rsa); RSA_free(rsa); @@ -3149,9 +3309,14 @@ creat: case EVP_PKEY_DSA: { DSA *dsa; - if (!(dsa = DSA_generate_parameters(bits, 0, 0, 0, 0, 0, 0))) + if (!(dsa = DSA_new())) return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + if (!DSA_generate_parameters_ex(dsa, bits, 0, 0, 0, 0, 0)) { + DSA_free(dsa); + return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + } + if (!DSA_generate_key(dsa)) { DSA_free(dsa); return auxL_error(L, auxL_EOPENSSL, "pkey.new"); @@ -3179,8 +3344,15 @@ creat: BIO_free(bio); if (!dh) return auxL_error(L, auxL_EOPENSSL, "pkey.new"); - } else if (!(dh = DH_generate_parameters(bits, exp, 0, 0))) - return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + } else { + if (!(dh = DH_new())) + return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + + if (!DH_generate_parameters_ex(dh, bits, generator, 0)) { + DH_free(dh); + return auxL_error(L, auxL_EOPENSSL, "pkey.new"); + } + } if (!DH_generate_key(dh)) { @@ -4319,7 +4491,7 @@ static const auxL_IntegerReg pk_rsa_pad_opts[] = { { "RSA_NO_PADDING", RSA_NO_PADDING }, // no padding { "RSA_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING }, // OAEP padding (encrypt and decrypt only) { "RSA_X931_PADDING", RSA_X931_PADDING }, // (signature operations only) -#if HAVE_RSA_PKCS1_PSS_PADDING +#if RSA_PKCS1_PSS_PADDING { "RSA_PKCS1_PSS_PADDING", RSA_PKCS1_PSS_PADDING }, // (sign and verify only) #endif { NULL, 0 }, @@ -5523,17 +5695,17 @@ static _Bool scan(int *i, char **cp, int n, int signok) { } /* scan() */ -static double timeutc(ASN1_TIME *time) { +static double timeutc(const ASN1_TIME *time) { char buf[32] = "", *cp; struct tm tm = { 0 }; int gmtoff = 0, year, i; - if (!ASN1_TIME_check(time)) + if (!ASN1_TIME_check((ASN1_STRING *)time)) return 0; cp = strncpy(buf, (const char *)ASN1_STRING_get0_data((ASN1_STRING *)time), sizeof buf - 1); - if (ASN1_STRING_type(time) == V_ASN1_GENERALIZEDTIME) { + if (ASN1_STRING_type((ASN1_STRING *)time) == V_ASN1_GENERALIZEDTIME) { if (!scan(&year, &cp, 4, 1)) goto badfmt; } else { @@ -5595,7 +5767,7 @@ badfmt: static int xc_getLifetime(lua_State *L) { X509 *crt = checksimple(L, 1, X509_CERT_CLASS); double begin = INFINITY, end = INFINITY; - ASN1_TIME *time; + const ASN1_TIME *time; if ((time = X509_get_notBefore(crt))) begin = timeutc(time); @@ -6684,10 +6856,21 @@ static int xx_new(lua_State *L) { if (!ok) return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); } else { + ASN1_TIME *tm; + if (!(*ud = X509_CRL_new())) return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); - X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0); + /* initialize last updated time to now */ + if (!(tm = ASN1_TIME_set(NULL, time(NULL)))) + return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); + + if (!X509_CRL_set1_lastUpdate(*ud, tm)) { + ASN1_TIME_free(tm); + return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); + } + + ASN1_TIME_free(tm); } return 1; @@ -6724,9 +6907,9 @@ static int xx_setVersion(lua_State *L) { static int xx_getLastUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); double updated = INFINITY; - ASN1_TIME *time; + const ASN1_TIME *time; - if ((time = X509_CRL_get_lastUpdate(crl))) + if ((time = X509_CRL_get0_lastUpdate(crl))) updated = timeutc(time); if (isfinite(updated)) @@ -6741,23 +6924,30 @@ static int xx_getLastUpdate(lua_State *L) { static int xx_setLastUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); double updated = luaL_checknumber(L, 2); + ASN1_TIME *time; - /* lastUpdate always present */ - if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated)) - return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate"); + if (!(time = ASN1_TIME_set(NULL, updated))) + goto error; + + if (!X509_CRL_set1_lastUpdate(crl, time)) + goto error; lua_pushboolean(L, 1); return 1; +error: + ASN1_TIME_free(time); + + return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate"); } /* xx_setLastUpdate() */ static int xx_getNextUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); double updateby = INFINITY; - ASN1_TIME *time; + const ASN1_TIME *time; - if ((time = X509_CRL_get_nextUpdate(crl))) + if ((time = X509_CRL_get0_nextUpdate(crl))) updateby = timeutc(time); if (isfinite(updateby)) @@ -6772,30 +6962,19 @@ static int xx_getNextUpdate(lua_State *L) { static int xx_setNextUpdate(lua_State *L) { X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); double updateby = luaL_checknumber(L, 2); - ASN1_TIME *time = NULL; - - if (X509_CRL_get_nextUpdate(crl)) { - if (!ASN1_TIME_set(X509_CRL_get_nextUpdate(crl), updateby)) - goto error; - } else { - if (!(time = ASN1_TIME_new())) - goto error; - - if (!(ASN1_TIME_set(time, updateby))) - goto error; + ASN1_TIME *time; - if (!X509_CRL_set_nextUpdate(crl, time)) - goto error; + if (!(time = ASN1_TIME_set(NULL, updateby))) + goto error; - time = NULL; - } + if (!X509_CRL_set1_nextUpdate(crl, time)) + goto error; lua_pushboolean(L, 1); return 1; error: - if (time) - ASN1_TIME_free(time); + ASN1_TIME_free(time); return auxL_error(L, auxL_EOPENSSL, "x509.crl:setNextUpdate"); } /* xx_setNextUpdate() */ @@ -7670,11 +7849,6 @@ int luaopen__openssl_pkcs12(lua_State *L) { * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ -/* - * NOTE: TLS methods and flags were added in tandem. For example, if the - * macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also - * declared and defined. - */ static int sx_new(lua_State *L) { static const char *const opts[] = { [0] = "SSL", @@ -7690,81 +7864,109 @@ static int sx_new(lua_State *L) { [14] = "DTLSv1_2", [15] = "DTLSv1.2", NULL }; - /* later versions of SSL declare a const qualifier on the return type */ - __typeof__(&TLSv1_client_method) method = &TLSv1_client_method; + int method_enum; _Bool srv; SSL_CTX **ud; int options = 0; lua_settop(L, 2); + method_enum = auxL_checkoption(L, 1, "TLS", opts, 1); srv = lua_toboolean(L, 2); - switch (auxL_checkoption(L, 1, "TLS", opts, 1)) { + switch (method_enum) { case 0: /* SSL */ - method = (srv)? &SSLv23_server_method : &SSLv23_client_method; options = SSL_OP_NO_SSLv2; break; case 1: /* TLS */ - method = (srv)? &SSLv23_server_method : &SSLv23_client_method; options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; break; -#if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD case 2: /* SSLv2 */ - method = (srv)? &SSLv2_server_method : &SSLv2_client_method; + options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2; break; -#endif -#ifndef OPENSSL_NO_SSL3 case 3: /* SSLv3 */ - method = (srv)? &SSLv3_server_method : &SSLv3_client_method; + options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3; break; -#endif case 4: /* SSLv23 */ - method = (srv)? &SSLv23_server_method : &SSLv23_client_method; break; case 5: /* TLSv1 */ case 6: /* TLSv1.0 */ - method = (srv)? &TLSv1_server_method : &TLSv1_client_method; + options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1; break; #if defined SSL_OP_NO_TLSv1_1 case 7: /* TLSv1_1 */ case 8: /* TLSv1.1 */ - method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method; + options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1; break; #endif #if defined SSL_OP_NO_TLSv1_2 case 9: /* TLSv1_2 */ case 10: /* TLSv1.2 */ - method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method; + options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2; break; #endif #if HAVE_DTLS_CLIENT_METHOD case 11: /* DTLS */ - method = (srv)? &DTLS_server_method : &DTLS_client_method; break; -#endif -#if HAVE_DTLSV1_CLIENT_METHOD +#ifdef SSL_OP_NO_DTLSv1 case 12: /* DTLSv1 */ case 13: /* DTLSv1.0 */ - method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; + options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1; break; #endif -#if HAVE_DTLSV1_2_CLIENT_METHOD +#ifdef SSL_OP_NO_DTLSv1_2 case 14: /* DTLSv1_2 */ case 15: /* DTLSv1.2 */ - method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; + options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2; break; #endif +#endif default: return luaL_argerror(L, 1, "invalid option"); } ud = prepsimple(L, SSL_CTX_CLASS); - if (!(*ud = SSL_CTX_new(method()))) + switch (method_enum) { + case 0: /* SSL */ + case 1: /* TLS */ + case 2: /* SSLv2 */ + case 3: /* SSLv3 */ + case 4: /* SSLv23 */ + case 5: /* TLSv1 */ + case 6: /* TLSv1.0 */ + case 7: /* TLSv1_1 */ + case 8: /* TLSv1.1 */ + case 9: /* TLSv1_2 */ + case 10: /* TLSv1.2 */ + *ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method()); + break; +#if HAVE_DTLS_CLIENT_METHOD + case 11: /* DTLS */ + case 12: /* DTLSv1 */ + case 13: /* DTLSv1.0 */ + case 14: /* DTLSv1_2 */ + case 15: /* DTLSv1.2 */ + *ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method()); + break; +#endif + default: + NOTREACHED; + } + + if (!*ud) return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); SSL_CTX_set_options(*ud, options); +#if HAVE_SSL_CTX_SET_ECDH_AUTO + /* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select + * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL + * 1.1.0, the functionality was turned on permanently and the option + * removed. */ + if (!SSL_CTX_set_ecdh_auto(*ud, 1)) + return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); +#endif + return 1; } /* sx_new() */ @@ -7940,6 +8142,21 @@ static int sx_setCipherList(lua_State *L) { } /* sx_setCipherList() */ +#if HAVE_SSL_CTX_SET_CURVES_LIST +static int sx_setCurvesList(lua_State *L) { + SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); + const char *curves = luaL_checkstring(L, 2); + + if (!SSL_CTX_set1_curves_list(ctx, curves)) + return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList"); + + lua_pushboolean(L, 1); + + return 1; +} /* sx_setCurvesList() */ +#endif + + static int sx_setEphemeralKey(lua_State *L) { SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); @@ -8013,9 +8230,8 @@ static int sx_setAlpnProtos(lua_State *L) { } /* sx_setAlpnProtos() */ #endif -#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB -static SSL *ssl_push(lua_State *, SSL *); +#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *_ctx) { SSL_CTX *ctx = _ctx; lua_State *L = NULL; @@ -8033,12 +8249,12 @@ static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned cha otop = lua_gettop(L) - n; - /* TODO: Install temporary panic handler to catch OOM errors */ - /* pass SSL object as 1st argument */ - ssl_push(L, ssl); + if (ssl_pushsafe(L, ssl)) + goto fatal; lua_insert(L, otop + 3); + /* TODO: Install temporary panic handler to catch OOM errors */ /* pass table of protocol names as 2nd argument */ pushprotos(L, in, inlen); lua_insert(L, otop + 4); @@ -8110,6 +8326,74 @@ static int sx_setAlpnSelect(lua_State *L) { #endif +#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK +static int sx_setHostNameCallback_cb(SSL *ssl, int *ad, void *_ctx) { + SSL_CTX *ctx = _ctx; + lua_State *L = NULL; + size_t n; + int otop, status, ret = SSL_TLSEXT_ERR_ALERT_FATAL; + + *ad = SSL_AD_INTERNAL_ERROR; + + /* expect at least one value: closure */ + if ((n = ex_getdata(&L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx)) < 1) + return SSL_TLSEXT_ERR_ALERT_FATAL; + + otop = lua_gettop(L) - n; + + /* pass SSL object as 1st argument */ + if (ssl_pushsafe(L, ssl)) + goto done; + + lua_insert(L, otop + 2); + + if (LUA_OK != (status = lua_pcall(L, 1 + (n - 1), 2, 0))) + goto done; + + /* callback should return a boolean for OK/NOACK + * or nil + an integer for a controlled error + * everything else will be a fatal internal error + */ + if (lua_isboolean(L, -2)) { + ret = lua_toboolean(L, -2) ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK; + } else { + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + if (lua_isnil(L, -2) && lua_isinteger(L, -1)) + *ad = lua_tointeger(L, -1); + } + +done: + lua_settop(L, otop); + + return ret; +} /* sx_setHostNameCallback_cb() */ + + +static int sx_setHostNameCallback(lua_State *L) { + SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); + int error; + + luaL_checktype(L, 2, LUA_TFUNCTION); + + if ((error = ex_setdata(L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx, lua_gettop(L) - 1))) { + if (error > 0) { + return luaL_error(L, "unable to set hostname selection callback: %s", aux_strerror(error)); + } else if (error == auxL_EOPENSSL && !ERR_peek_error()) { + return luaL_error(L, "unable to set hostname selection callback: Unknown internal error"); + } else { + return auxL_error(L, error, "ssl.context:setHostNameCallback"); + } + } + SSL_CTX_set_tlsext_servername_callback(ctx, sx_setHostNameCallback_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, ctx); + + lua_pushboolean(L, 1); + + return 1; +} /* sx_setHostNameCallback() */ +#endif + + int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp }; const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL }; #define checkTLSEXT_STATUSTYPE(L, idx) \ @@ -8122,7 +8406,7 @@ static int sx_setTLSextStatusType(lua_State *L) { int type = checkTLSEXT_STATUSTYPE(L, 2); if(!SSL_CTX_set_tlsext_status_type(ctx, type)) - return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType"); + return auxL_error(L, auxL_EOPENSSL, "ssl.context:setTLSextStatusType"); lua_pushboolean(L, 1); @@ -8177,6 +8461,9 @@ static const auxL_Reg sx_methods[] = { { "setCertificate", &sx_setCertificate }, { "setPrivateKey", &sx_setPrivateKey }, { "setCipherList", &sx_setCipherList }, +#if HAVE_SSL_CTX_SET_CURVES_LIST + { "setCurvesList", &sx_setCurvesList }, +#endif { "setEphemeralKey", &sx_setEphemeralKey }, #if HAVE_SSL_CTX_SET_ALPN_PROTOS { "setAlpnProtos", &sx_setAlpnProtos }, @@ -8184,6 +8471,9 @@ static const auxL_Reg sx_methods[] = { #if HAVE_SSL_CTX_SET_ALPN_SELECT_CB { "setAlpnSelect", &sx_setAlpnSelect }, #endif +#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK + { "setHostNameCallback", &sx_setHostNameCallback }, +#endif #if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE { "setTLSextStatusType", &sx_setTLSextStatusType }, #endif @@ -8374,6 +8664,33 @@ static int ssl_getParam(lua_State *L) { } /* ssl_getParam() */ +static int ssl_setVerify(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + int mode = luaL_optinteger(L, 2, -1); + int depth = luaL_optinteger(L, 3, -1); + + if (mode != -1) + SSL_set_verify(ssl, mode, 0); + + if (depth != -1) + SSL_set_verify_depth(ssl, depth); + + lua_pushboolean(L, 1); + + return 1; +} /* ssl_setVerify() */ + + +static int ssl_getVerify(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + + lua_pushinteger(L, SSL_get_verify_mode(ssl)); + lua_pushinteger(L, SSL_get_verify_depth(ssl)); + + return 2; +} /* ssl_getVerify() */ + + static int ssl_getVerifyResult(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); long res = SSL_get_verify_result(ssl); @@ -8383,6 +8700,44 @@ static int ssl_getVerifyResult(lua_State *L) { } /* ssl_getVerifyResult() */ +static int ssl_setCertificate(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + X509 *crt = X509_dup(checksimple(L, 2, X509_CERT_CLASS)); + int ok; + + ok = SSL_use_certificate(ssl, crt); + X509_free(crt); + + if (!ok) + return auxL_error(L, auxL_EOPENSSL, "ssl:setCertificate"); + + lua_pushboolean(L, 1); + + return 1; +} /* ssl_setCertificate() */ + + +static int ssl_setPrivateKey(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); + /* + * NOTE: No easy way to dup the key, but a shared reference should + * be okay as keys are less mutable than certificates. + * + * FIXME: SSL_use_PrivateKey will return true even if the + * EVP_PKEY object has no private key. Instead, we'll just get a + * segfault during the SSL handshake. We need to check that a + * private key is actually defined in the object. + */ + if (!SSL_use_PrivateKey(ssl, key)) + return auxL_error(L, auxL_EOPENSSL, "ssl:setPrivateKey"); + + lua_pushboolean(L, 1); + + return 1; +} /* ssl_setPrivateKey() */ + + static int ssl_getPeerCertificate(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); X509 **x509 = prepsimple(L, X509_CERT_CLASS); @@ -8433,6 +8788,21 @@ static int ssl_getCipherInfo(lua_State *L) { } /* ssl_getCipherInfo() */ +#if HAVE_SSL_SET_CURVES_LIST +static int ssl_setCurvesList(lua_State *L) { + SSL *ssl = checksimple(L, 1, SSL_CLASS); + const char *curves = luaL_checkstring(L, 2); + + if (!SSL_set1_curves_list(ssl, curves)) + return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList"); + + lua_pushboolean(L, 1); + + return 1; +} /* ssl_setCurvesList() */ +#endif + + static int ssl_getHostName(lua_State *L) { SSL *ssl = checksimple(L, 1, SSL_CLASS); const char *host; @@ -8679,10 +9049,17 @@ static const auxL_Reg ssl_methods[] = { { "clearOptions", &ssl_clearOptions }, { "setParam", &ssl_setParam }, { "getParam", &ssl_getParam }, + { "setVerify", &ssl_setVerify }, + { "getVerify", &ssl_getVerify }, { "getVerifyResult", &ssl_getVerifyResult }, + { "setCertificate", &ssl_setCertificate }, + { "setPrivateKey", &ssl_setPrivateKey }, { "getPeerCertificate", &ssl_getPeerCertificate }, { "getPeerChain", &ssl_getPeerChain }, { "getCipherInfo", &ssl_getCipherInfo }, +#if HAVE_SSL_SET_CURVES_LIST + { "setCurvesList", &ssl_setCurvesList }, +#endif { "getHostName", &ssl_getHostName }, { "setHostName", &ssl_setHostName }, { "getVersion", &ssl_getVersion }, diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua index 2098b54..3263fb1 100644 --- a/src/openssl.ssl.context.lua +++ b/src/openssl.ssl.context.lua @@ -13,4 +13,18 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se return setCipherList(self, ciphers) end) +-- Allow passing a vararg of curves, or an array +local setCurvesList = ctx.interpose("setCurvesList", nil) +if setCurvesList then + ctx.interpose("setCurvesList", function (self, curves, ...) + if (...) then + local curves_t = pack(curves, ...) + curves = table.concat(curves_t, ":", 1, curves_t.n) + elseif type(curves) == "table" then + curves = table.concat(curves, ":") + end + return setCurvesList(self, curves) + end) +end + return ctx diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua index 3c348f6..bf90f29 100644 --- a/src/openssl.ssl.lua +++ b/src/openssl.ssl.lua @@ -1,3 +1,19 @@ -local ctx = require"_openssl.ssl" +local ssl = require"_openssl.ssl" -return ctx +local pack = table.pack or function(...) return { n = select("#", ...); ... } end + +-- Allow passing a vararg of curves, or an array +local setCurvesList = ssl.interpose("setCurvesList", nil) +if setCurvesList then + ssl.interpose("setCurvesList", function (self, curves, ...) + if (...) then + local curves_t = pack(curves, ...) + curves = table.concat(curves_t, ":", 1, curves_t.n) + elseif type(curves) == "table" then + curves = table.concat(curves, ":") + end + return setCurvesList(self, curves) + end) +end + +return ssl |