diff options
| author | daurnimator <quae@daurnimator.com> | 2016-12-19 02:19:04 +1100 |
|---|---|---|
| committer | daurnimator <quae@daurnimator.com> | 2016-12-20 22:41:45 +1100 |
| commit | 55c385971e421c9eed9d5f3e43c8ad768c3cecab (patch) | |
| tree | c08bb81893270321a53e5c131c3a67a80142003b | |
| parent | b4bf06dcb61dbd735b328f47d8a36afb856d5d16 (diff) | |
| download | luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.tar.gz luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.tar.bz2 luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.zip | |
OCSP functions required for basic client validation
| -rw-r--r-- | src/openssl.c | 245 |
1 files changed, 245 insertions, 0 deletions
diff --git a/src/openssl.c b/src/openssl.c index fa7dd79..59bcf1e 100644 --- a/src/openssl.c +++ b/src/openssl.c | |||
| @@ -69,6 +69,7 @@ | |||
| 69 | #include <openssl/hmac.h> | 69 | #include <openssl/hmac.h> |
| 70 | #include <openssl/rand.h> | 70 | #include <openssl/rand.h> |
| 71 | #include <openssl/des.h> | 71 | #include <openssl/des.h> |
| 72 | #include <openssl/ocsp.h> | ||
| 72 | 73 | ||
| 73 | #include <lua.h> | 74 | #include <lua.h> |
| 74 | #include <lualib.h> | 75 | #include <lualib.h> |
| @@ -274,6 +275,14 @@ | |||
| 274 | #define HAVE_SSL_CTX_CERT_STORE (!OPENSSL_PREREQ(1,1,0)) | 275 | #define HAVE_SSL_CTX_CERT_STORE (!OPENSSL_PREREQ(1,1,0)) |
| 275 | #endif | 276 | #endif |
| 276 | 277 | ||
| 278 | #ifndef HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE | ||
| 279 | #define HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0) | ||
| 280 | #endif | ||
| 281 | |||
| 282 | #ifndef HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE | ||
| 283 | #define HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0) | ||
| 284 | #endif | ||
| 285 | |||
| 277 | #ifndef HAVE_SSL_GET0_ALPN_SELECTED | 286 | #ifndef HAVE_SSL_GET0_ALPN_SELECTED |
| 278 | #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS | 287 | #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS |
| 279 | #endif | 288 | #endif |
| @@ -290,6 +299,10 @@ | |||
| 290 | #define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) | 299 | #define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) |
| 291 | #endif | 300 | #endif |
| 292 | 301 | ||
| 302 | #ifndef HAVE_SSL_GET_TLSEXT_STATUS_TYPE | ||
| 303 | #define HAVE_SSL_GET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0) | ||
| 304 | #endif | ||
| 305 | |||
| 293 | #ifndef HAVE_SSL_UP_REF | 306 | #ifndef HAVE_SSL_UP_REF |
| 294 | #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) | 307 | #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) |
| 295 | #endif | 308 | #endif |
| @@ -380,6 +393,8 @@ | |||
| 380 | #define DIGEST_CLASS "EVP_MD_CTX*" | 393 | #define DIGEST_CLASS "EVP_MD_CTX*" |
| 381 | #define HMAC_CLASS "HMAC_CTX*" | 394 | #define HMAC_CLASS "HMAC_CTX*" |
| 382 | #define CIPHER_CLASS "EVP_CIPHER_CTX*" | 395 | #define CIPHER_CLASS "EVP_CIPHER_CTX*" |
| 396 | #define OCSP_RESPONSE_CLASS "OCSP_RESPONSE*" | ||
| 397 | #define OCSP_BASICRESP_CLASS "OCSP_BASICRESP*" | ||
| 383 | 398 | ||
| 384 | 399 | ||
| 385 | #if __GNUC__ | 400 | #if __GNUC__ |
| @@ -7916,6 +7931,48 @@ static int sx_setAlpnSelect(lua_State *L) { | |||
| 7916 | #endif | 7931 | #endif |
| 7917 | 7932 | ||
| 7918 | 7933 | ||
| 7934 | int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp }; | ||
| 7935 | const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL }; | ||
| 7936 | #define checkTLSEXT_STATUSTYPE(L, idx) \ | ||
| 7937 | (TLSEXT_STATUSTYPEs[luaL_checkoption((L), (idx), NULL, TLSEXT_STATUSTYPEs_names)]) | ||
| 7938 | |||
| 7939 | |||
| 7940 | #if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE | ||
| 7941 | static int sx_setTLSextStatusType(lua_State *L) { | ||
| 7942 | SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); | ||
| 7943 | int type = checkTLSEXT_STATUSTYPE(L, 2); | ||
| 7944 | |||
| 7945 | if(!SSL_CTX_set_tlsext_status_type(ctx, type)) | ||
| 7946 | return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType"); | ||
| 7947 | |||
| 7948 | lua_pushboolean(L, 1); | ||
| 7949 | |||
| 7950 | return 1; | ||
| 7951 | } /* sx_setTLSextStatusType() */ | ||
| 7952 | #endif | ||
| 7953 | |||
| 7954 | |||
| 7955 | #if HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE | ||
| 7956 | static int sx_getTLSextStatusType(lua_State *L) { | ||
| 7957 | SSL_CTX *ctx = checksimple(L, 1, SSL_CLASS); | ||
| 7958 | |||
| 7959 | int type = SSL_CTX_get_tlsext_status_type(ctx); | ||
| 7960 | switch(type) { | ||
| 7961 | case -1: | ||
| 7962 | lua_pushnil(L); | ||
| 7963 | break; | ||
| 7964 | case TLSEXT_STATUSTYPE_ocsp: | ||
| 7965 | lua_pushliteral(L, "ocsp"); | ||
| 7966 | break; | ||
| 7967 | default: | ||
| 7968 | luaL_error(L, "unknown TLS extension %d", type); | ||
| 7969 | } | ||
| 7970 | |||
| 7971 | return 1; | ||
| 7972 | } /* sx_getTLSextStatusType() */ | ||
| 7973 | #endif | ||
| 7974 | |||
| 7975 | |||
| 7919 | static int sx__gc(lua_State *L) { | 7976 | static int sx__gc(lua_State *L) { |
| 7920 | SSL_CTX **ud = luaL_checkudata(L, 1, SSL_CTX_CLASS); | 7977 | SSL_CTX **ud = luaL_checkudata(L, 1, SSL_CTX_CLASS); |
| 7921 | 7978 | ||
| @@ -7948,6 +8005,12 @@ static const auxL_Reg sx_methods[] = { | |||
| 7948 | #if HAVE_SSL_CTX_SET_ALPN_SELECT_CB | 8005 | #if HAVE_SSL_CTX_SET_ALPN_SELECT_CB |
| 7949 | { "setAlpnSelect", &sx_setAlpnSelect }, | 8006 | { "setAlpnSelect", &sx_setAlpnSelect }, |
| 7950 | #endif | 8007 | #endif |
| 8008 | #if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE | ||
| 8009 | { "setTLSextStatusType", &sx_setTLSextStatusType }, | ||
| 8010 | #endif | ||
| 8011 | #if HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE | ||
| 8012 | { "getTLSextStatusType", &sx_getTLSextStatusType }, | ||
| 8013 | #endif | ||
| 7951 | { NULL, NULL }, | 8014 | { NULL, NULL }, |
| 7952 | }; | 8015 | }; |
| 7953 | 8016 | ||
| @@ -8300,6 +8363,63 @@ static int ssl_setAlpnProtos(lua_State *L) { | |||
| 8300 | #endif | 8363 | #endif |
| 8301 | 8364 | ||
| 8302 | 8365 | ||
| 8366 | static int ssl_setTLSextStatusType(lua_State *L) { | ||
| 8367 | SSL *ssl = checksimple(L, 1, SSL_CLASS); | ||
| 8368 | int type = checkTLSEXT_STATUSTYPE(L, 2); | ||
| 8369 | |||
| 8370 | if(!SSL_set_tlsext_status_type(ssl, type)) | ||
| 8371 | return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType"); | ||
| 8372 | |||
| 8373 | lua_pushboolean(L, 1); | ||
| 8374 | |||
| 8375 | return 1; | ||
| 8376 | } /* ssl_setTLSextStatusType() */ | ||
| 8377 | |||
| 8378 | |||
| 8379 | #if HAVE_SSL_GET_TLSEXT_STATUS_TYPE | ||
| 8380 | static int ssl_getTLSextStatusType(lua_State *L) { | ||
| 8381 | SSL *ssl = checksimple(L, 1, SSL_CLASS); | ||
| 8382 | |||
| 8383 | int type = SSL_get_tlsext_status_type(ssl); | ||
| 8384 | switch(type) { | ||
| 8385 | case -1: | ||
| 8386 | lua_pushnil(L); | ||
| 8387 | break; | ||
| 8388 | case TLSEXT_STATUSTYPE_ocsp: | ||
| 8389 | lua_pushliteral(L, "ocsp"); | ||
| 8390 | break; | ||
| 8391 | default: | ||
| 8392 | luaL_error(L, "unknown TLS extension %d", type); | ||
| 8393 | } | ||
| 8394 | |||
| 8395 | return 1; | ||
| 8396 | } /* ssl_getTLSextStatusType() */ | ||
| 8397 | #endif | ||
| 8398 | |||
| 8399 | |||
| 8400 | static int ssl_getTLSextStatusOCSPResp(lua_State *L) { | ||
| 8401 | SSL *ssl = checksimple(L, 1, SSL_CLASS); | ||
| 8402 | |||
| 8403 | OCSP_RESPONSE **ud = prepsimple(L, OCSP_RESPONSE_CLASS); | ||
| 8404 | const unsigned char *resp; | ||
| 8405 | long resp_len; | ||
| 8406 | |||
| 8407 | resp_len = SSL_get_tlsext_status_ocsp_resp(ssl, &resp); | ||
| 8408 | if (resp == NULL) { | ||
| 8409 | lua_pushnil(L); | ||
| 8410 | return 1; | ||
| 8411 | } | ||
| 8412 | if (resp_len == -1) | ||
| 8413 | return auxL_error(L, auxL_EOPENSSL, "ssl:getTLSextStatusOCSPResp"); | ||
| 8414 | |||
| 8415 | *ud = d2i_OCSP_RESPONSE(NULL, &resp, resp_len); | ||
| 8416 | if(*ud == NULL) | ||
| 8417 | return auxL_error(L, auxL_EOPENSSL, "ssl:getTLSextStatusOCSPResp"); | ||
| 8418 | |||
| 8419 | return 1; | ||
| 8420 | } /* ssl_getTLSextStatusOCSPResp() */ | ||
| 8421 | |||
| 8422 | |||
| 8303 | static int ssl__gc(lua_State *L) { | 8423 | static int ssl__gc(lua_State *L) { |
| 8304 | SSL **ud = luaL_checkudata(L, 1, SSL_CLASS); | 8424 | SSL **ud = luaL_checkudata(L, 1, SSL_CLASS); |
| 8305 | 8425 | ||
| @@ -8332,6 +8452,11 @@ static const auxL_Reg ssl_methods[] = { | |||
| 8332 | #if HAVE_SSL_SET_ALPN_PROTOS | 8452 | #if HAVE_SSL_SET_ALPN_PROTOS |
| 8333 | { "setAlpnProtos", &ssl_setAlpnProtos }, | 8453 | { "setAlpnProtos", &ssl_setAlpnProtos }, |
| 8334 | #endif | 8454 | #endif |
| 8455 | { "setTLSextStatusType", &ssl_setTLSextStatusType }, | ||
| 8456 | #if HAVE_SSL_GET_TLSEXT_STATUS_TYPE | ||
| 8457 | { "getTLSextStatusType", &ssl_getTLSextStatusType }, | ||
| 8458 | #endif | ||
| 8459 | { "getTLSextStatusOCSPResp", &ssl_getTLSextStatusOCSPResp }, | ||
| 8335 | { NULL, NULL }, | 8460 | { NULL, NULL }, |
| 8336 | }; | 8461 | }; |
| 8337 | 8462 | ||
| @@ -9069,6 +9194,124 @@ int luaopen__openssl_cipher(lua_State *L) { | |||
| 9069 | 9194 | ||
| 9070 | 9195 | ||
| 9071 | /* | 9196 | /* |
| 9197 | * OCSP | ||
| 9198 | * | ||
| 9199 | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ | ||
| 9200 | |||
| 9201 | |||
| 9202 | static int or_tostring(lua_State *L) { | ||
| 9203 | OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS); | ||
| 9204 | BIO *bio = getbio(L); | ||
| 9205 | size_t len; | ||
| 9206 | char *bytes; | ||
| 9207 | |||
| 9208 | if (!OCSP_RESPONSE_print(bio, resp, 0)) | ||
| 9209 | return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:tostring"); | ||
| 9210 | |||
| 9211 | len = BIO_get_mem_data(bio, &bytes); | ||
| 9212 | lua_pushlstring(L, bytes, len); | ||
| 9213 | |||
| 9214 | return 1; | ||
| 9215 | } /* or__tostring() */ | ||
| 9216 | |||
| 9217 | |||
| 9218 | static int or_toPEM(lua_State *L) { | ||
| 9219 | OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS); | ||
| 9220 | BIO *bio = getbio(L); | ||
| 9221 | size_t len; | ||
| 9222 | char *bytes; | ||
| 9223 | |||
| 9224 | if (!PEM_write_bio_OCSP_RESPONSE(bio, resp)) | ||
| 9225 | return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:toPEM"); | ||
| 9226 | |||
| 9227 | len = BIO_get_mem_data(bio, &bytes); | ||
| 9228 | lua_pushlstring(L, bytes, len); | ||
| 9229 | |||
| 9230 | return 1; | ||
| 9231 | } /* or_toPEM() */ | ||
| 9232 | |||
| 9233 | |||
| 9234 | static int or_getBasic(lua_State *L) { | ||
| 9235 | OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS); | ||
| 9236 | |||
| 9237 | OCSP_BASICRESP **basic = prepsimple(L, OCSP_BASICRESP_CLASS); | ||
| 9238 | |||
| 9239 | *basic = OCSP_response_get1_basic(resp); | ||
| 9240 | if (!*basic) | ||
| 9241 | return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:getBasic"); | ||
| 9242 | |||
| 9243 | return 1; | ||
| 9244 | } /* or_getBasic() */ | ||
| 9245 | |||
| 9246 | |||
| 9247 | static int or__gc(lua_State *L) { | ||
| 9248 | OCSP_RESPONSE **ud = luaL_checkudata(L, 1, OCSP_RESPONSE_CLASS); | ||
| 9249 | |||
| 9250 | if (*ud) { | ||
| 9251 | OCSP_RESPONSE_free(*ud); | ||
| 9252 | *ud = NULL; | ||
| 9253 | } | ||
| 9254 | |||
| 9255 | return 0; | ||
| 9256 | } /* or__gc() */ | ||
| 9257 | |||
| 9258 | static const auxL_Reg or_methods[] = { | ||
| 9259 | { "tostring", &or_tostring }, | ||
| 9260 | { "toPEM", &or_toPEM }, | ||
| 9261 | { "getBasic", &or_getBasic }, | ||
| 9262 | { NULL, NULL }, | ||
| 9263 | }; | ||
| 9264 | |||
| 9265 | static const auxL_Reg or_metatable[] = { | ||
| 9266 | { "__tostring", &or_tostring }, | ||
| 9267 | { "__gc", &or__gc }, | ||
| 9268 | { NULL, NULL }, | ||
| 9269 | }; | ||
| 9270 | |||
| 9271 | |||
| 9272 | static int ob_verify(lua_State *L) { | ||
| 9273 | OCSP_BASICRESP *basic = checksimple(L, 1, OCSP_BASICRESP_CLASS); | ||
| 9274 | STACK_OF(X509) *certs = testsimple(L, 2, X509_CHAIN_CLASS); | ||
| 9275 | X509_STORE *store = testsimple(L, 3, X509_STORE_CLASS); | ||
| 9276 | unsigned long flags = luaL_optinteger(L, 4, 0); | ||
| 9277 | |||
| 9278 | int res = OCSP_basic_verify(basic, certs, store, flags); | ||
| 9279 | if (res == -1) | ||
| 9280 | return auxL_error(L, auxL_EOPENSSL, "OCSP_BASICRESP:verify"); | ||
| 9281 | |||
| 9282 | lua_pushboolean(L, res); | ||
| 9283 | if (res) { | ||
| 9284 | return 1; | ||
| 9285 | } else { | ||
| 9286 | auxL_pusherror(L, auxL_EOPENSSL, NULL); | ||
| 9287 | return 2; | ||
| 9288 | } | ||
| 9289 | } /* ob_verify() */ | ||
| 9290 | |||
| 9291 | |||
| 9292 | static int ob__gc(lua_State *L) { | ||
| 9293 | OCSP_BASICRESP **ud = luaL_checkudata(L, 1, OCSP_BASICRESP_CLASS); | ||
| 9294 | |||
| 9295 | if (*ud) { | ||
| 9296 | OCSP_BASICRESP_free(*ud); | ||
| 9297 | *ud = NULL; | ||
| 9298 | } | ||
| 9299 | |||
| 9300 | return 0; | ||
| 9301 | } /* or__gc() */ | ||
| 9302 | |||
| 9303 | |||
| 9304 | static const auxL_Reg ob_methods[] = { | ||
| 9305 | { "verify", &ob_verify }, | ||
| 9306 | { NULL, NULL }, | ||
| 9307 | }; | ||
| 9308 | |||
| 9309 | static const auxL_Reg ob_metatable[] = { | ||
| 9310 | { "__gc", &ob__gc }, | ||
| 9311 | { NULL, NULL }, | ||
| 9312 | }; | ||
| 9313 | |||
| 9314 | /* | ||
| 9072 | * Rand - openssl.rand | 9315 | * Rand - openssl.rand |
| 9073 | * | 9316 | * |
| 9074 | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ | 9317 | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ |
| @@ -9633,5 +9876,7 @@ static void initall(lua_State *L) { | |||
| 9633 | auxL_addclass(L, DIGEST_CLASS, md_methods, md_metatable, 0); | 9876 | auxL_addclass(L, DIGEST_CLASS, md_methods, md_metatable, 0); |
| 9634 | auxL_addclass(L, HMAC_CLASS, hmac_methods, hmac_metatable, 0); | 9877 | auxL_addclass(L, HMAC_CLASS, hmac_methods, hmac_metatable, 0); |
| 9635 | auxL_addclass(L, CIPHER_CLASS, cipher_methods, cipher_metatable, 0); | 9878 | auxL_addclass(L, CIPHER_CLASS, cipher_methods, cipher_metatable, 0); |
| 9879 | auxL_addclass(L, OCSP_RESPONSE_CLASS, or_methods, or_metatable, 0); | ||
| 9880 | auxL_addclass(L, OCSP_BASICRESP_CLASS, ob_methods, ob_metatable, 0); | ||
| 9636 | } /* initall() */ | 9881 | } /* initall() */ |
| 9637 | 9882 | ||