aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/openssl.c142
1 files changed, 104 insertions, 38 deletions
diff --git a/src/openssl.c b/src/openssl.c
index 3b75e63..63c3985 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -76,12 +76,18 @@
#include "compat52.h"
#endif
+#define OPENSSL_PREREQ(M, m, p) \
+ (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER)
+
+#define LIBRESSL_PREREQ(M, m, p) \
+ (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
+
#ifndef HAVE_DLADDR
#define HAVE_DLADDR (!defined _AIX) /* TODO: https://root.cern.ch/drupal/content/aix-and-dladdr */
#endif
#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
-#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined LIBRESSL_VERSION_NUMBER)
+#define HAVE_SSL_CTX_SET_ALPN_PROTOS OPENSSL_PREREQ(1, 0, 2)
#endif
#ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@@ -96,6 +102,30 @@
#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
#endif
+#ifndef HAVE_DTLSV1_CLIENT_METHOD
+#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)
+#endif
+
+#ifndef HAVE_DTLSV1_SERVER_METHOD
+#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
+#endif
+
+#ifndef HAVE_DTLS_CLIENT_METHOD
+#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1, 0, 2) && !defined OPENSSL_NO_DTLS1)
+#endif
+
+#ifndef HAVE_DTLS_SERVER_METHOD
+#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
+#endif
+
+#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
+#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1, 0, 2) && !defined OPENSSL_NO_DTLS1)
+#endif
+
+#ifndef HAVE_DTLSV1_2_SERVER_METHOD
+#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
+#endif
+
#ifndef STRERROR_R_CHAR_P
#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600)))
#endif
@@ -279,7 +309,13 @@ static void addclass(lua_State *L, const char *name, const luaL_Reg *methods, co
} /* addclass() */
-static int checkoption(struct lua_State *L, int index, const char *def, const char *const opts[]) {
+static int badoption(lua_State *L, int index, const char *opt) {
+ opt = (opt)? opt : luaL_checkstring(L, index);
+
+ return luaL_argerror(L, index, lua_pushfstring(L, "invalid option %s", opt));
+} /* badoption() */
+
+static int checkoption(lua_State *L, int index, const char *def, const char *const opts[]) {
const char *opt = (def)? luaL_optstring(L, index, def) : luaL_checkstring(L, index);
int i;
@@ -288,7 +324,7 @@ static int checkoption(struct lua_State *L, int index, const char *def, const ch
return i;
}
- return luaL_argerror(L, index, lua_pushfstring(L, "invalid option %s", opt));
+ return badoption(L, index, opt);
} /* checkoption() */
@@ -820,7 +856,6 @@ static void compat_init_X509_STORE_onfree(void *store, void *data NOTUSED, CRYPT
static int compat_init(void) {
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
static int store_index = -1, ssl_ctx_index = -1, done;
- X509_STORE *store;
int error = 0;
if ((error = pthread_mutex_lock(&mutex)))
@@ -1615,7 +1650,6 @@ static int bn__mul(lua_State *L) {
static int bn__div(lua_State *L) {
BIGNUM *r, *a, *b;
- BN_CTX *ctx;
bn_prepops(L, &r, &a, &b, 0);
@@ -1628,7 +1662,6 @@ static int bn__div(lua_State *L) {
static int bn__mod(lua_State *L) {
BIGNUM *r, *a, *b;
- BN_CTX *ctx;
bn_prepops(L, &r, &a, &b, 0);
@@ -1641,7 +1674,6 @@ static int bn__mod(lua_State *L) {
static int bn__pow(lua_State *L) {
BIGNUM *r, *a, *b;
- BN_CTX *ctx;
bn_prepops(L, &r, &a, &b, 0);
@@ -2291,7 +2323,6 @@ static int pk__tostring(lua_State *L) {
BIO *bio = getbio(L);
char *data;
long len;
- int ok = 0;
switch (type) {
case X509_PEM:
@@ -2845,7 +2876,6 @@ static int xe_new(lua_State *L) {
ASN1_STRING *oct = NULL;
CONF *conf = NULL;
X509V3_CTX cbuf = { 0 }, *ctx = NULL;
- X509_EXTENSION *ext = NULL;
if (!lua_isnil(L, 3)) {
size_t len;
@@ -3199,7 +3229,6 @@ static double timeutc(ASN1_TIME *time) {
char buf[32] = "", *cp;
struct tm tm = { 0 };
int gmtoff = 0, year, i;
- double ts;
if (!ASN1_TIME_check(time))
return 0;
@@ -3297,7 +3326,6 @@ static int xc_getLifetime(lua_State *L) {
static int xc_setLifetime(lua_State *L) {
X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
- ASN1_TIME *time;
double ut;
const char *dt;
@@ -3757,6 +3785,25 @@ static int xc_setPublicKey(lua_State *L) {
} /* xc_setPublicKey() */
+static int xc_getPublicKeyDigest(lua_State *L) {
+ ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(checksimple(L, 1, X509_CERT_CLASS));
+ const char *id = luaL_optstring(L, 2, "sha1");
+ const EVP_MD *md;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ unsigned int len;
+
+ if (!(md = EVP_get_digestbyname(id)))
+ return luaL_error(L, "x509.cert:getPublicKeyDigest: %s: invalid digest type", id);
+
+ if (!EVP_Digest(pk->data, pk->length, digest, &len, md, NULL))
+ return auxL_error(L, auxL_EOPENSSL, "x509.cert:getPublicKeyDigest");
+
+ lua_pushlstring(L, (char *)digest, len);
+
+ return 1;
+} /* xc_getPublicKeyDigest() */
+
+
static const EVP_MD *xc_signature(lua_State *L, int index, EVP_PKEY *key) {
const char *id;
const EVP_MD *md;
@@ -3918,6 +3965,7 @@ static const luaL_Reg xc_methods[] = {
{ "isIssuedBy", &xc_isIssuedBy },
{ "getPublicKey", &xc_getPublicKey },
{ "setPublicKey", &xc_setPublicKey },
+ { "getPublicKeyDigest", &xc_getPublicKeyDigest },
{ "sign", &xc_sign },
{ "text", &xc_text },
{ "tostring", &xc__tostring },
@@ -4246,7 +4294,6 @@ static int xx_getLastUpdate(lua_State *L) {
static int xx_setLastUpdate(lua_State *L) {
X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
double updated = luaL_checknumber(L, 2);
- ASN1_TIME *time = NULL;
/* lastUpdate always present */
if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated))
@@ -5027,15 +5074,17 @@ int luaopen__openssl_pkcs12(lua_State *L) {
*/
static int sx_new(lua_State *L) {
static const char *const opts[] = {
- "SSLv2", "SSLv3", "SSLv23",
- "TLSv1", "TLSv1.0",
-#if defined SSL_OP_NO_TLSv1_1
- "TLSv1_1", "TLSv1.1",
-#endif
-#if defined SSL_OP_NO_TLSv1_2
- "TLSv1_2", "TLSv1.2",
-#endif
- "SSL", "TLS",
+ [0] = "SSL",
+ [1] = "TLS",
+ [2] = "SSLv2",
+ [3] = "SSLv3",
+ [4] = "SSLv23",
+ [5] = "TLSv1", [6] = "TLSv1.0",
+ [7] = "TLSv1_1", [8] = "TLSv1.1",
+ [9] = "TLSv1_2", [10] = "TLSv1.2",
+ [11] = "DTLS",
+ [12] = "DTLSv1", [13] = "DTLSv1.0",
+ [14] = "DTLSv1_2", [15] = "DTLSv1.2",
NULL
};
/* later versions of SSL declare a const qualifier on the return type */
@@ -5048,41 +5097,60 @@ static int sx_new(lua_State *L) {
srv = lua_toboolean(L, 2);
switch (checkoption(L, 1, "TLS", opts)) {
+ case 0: /* SSL */
+ method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
+ options = SSL_OP_NO_SSLv2;
+ break;
+ case 1: /* TLS */
+ method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
+ options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
+ break;
#ifndef OPENSSL_NO_SSL2
- case 0: /* SSLv2 */
+ case 2: /* SSLv2 */
method = (srv)? &SSLv2_server_method : &SSLv2_client_method;
break;
#endif
- case 1: /* SSLv3 */
+ case 3: /* SSLv3 */
method = (srv)? &SSLv3_server_method : &SSLv3_client_method;
break;
- case 2: /* SSLv23 */
+ case 4: /* SSLv23 */
method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
break;
- case 3: /* TLSv1 */
- case 4: /* TLSv1.0 */
+ case 5: /* TLSv1 */
+ case 6: /* TLSv1.0 */
method = (srv)? &TLSv1_server_method : &TLSv1_client_method;
break;
#if defined SSL_OP_NO_TLSv1_1
- case 5: /* TLSv1_1 */
- case 6: /* TLSv1.1 */
+ case 7: /* TLSv1_1 */
+ case 8: /* TLSv1.1 */
method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method;
break;
#endif
#if defined SSL_OP_NO_TLSv1_2
- case 7: /* TLSv1_2 */
- case 8: /* TLSv1.2 */
+ case 9: /* TLSv1_2 */
+ case 10: /* TLSv1.2 */
method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method;
break;
#endif
- case 9: /* SSL */
- method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
- options = SSL_OP_NO_SSLv2;
+#if HAVE_DTLS_CLIENT_METHOD
+ case 11: /* DTLS */
+ method = (srv)? &DTLS_server_method : &DTLS_client_method;
break;
- case 10: /* TLS */
- method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
- options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
+#endif
+#if HAVE_DTLSV1_CLIENT_METHOD
+ case 12: /* DTLSv1 */
+ case 13: /* DTLSv1.0 */
+ method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
break;
+#endif
+#if HAVE_DTLSV1_2_CLIENT_METHOD
+ case 14: /* DTLSv1_2 */
+ case 15: /* DTLSv1.2 */
+ method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
+ break;
+#endif
+ default:
+ return badoption(L, 1, NULL);
}
ud = prepsimple(L, SSL_CTX_CLASS);
@@ -5364,7 +5432,6 @@ noack:
static int sx_setAlpnSelect(lua_State *L) {
SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
- struct ex_data *data;
int error;
luaL_checktype(L, 2, LUA_TFUNCTION);
@@ -5848,7 +5915,6 @@ static void md_update_(lua_State *L, EVP_MD_CTX *ctx, int from, int to) {
static int md_update(lua_State *L) {
EVP_MD_CTX *ctx = luaL_checkudata(L, 1, DIGEST_CLASS);
- int i;
md_update_(L, ctx, 2, lua_gettop(L));