author | daurnimator <quae@daurnimator.com> | 2016-12-19 02:19:04 +1100 |
---|---|---|
committer | daurnimator <quae@daurnimator.com> | 2016-12-20 22:41:45 +1100 |
commit | 55c385971e421c9eed9d5f3e43c8ad768c3cecab (patch) | |
tree | c08bb81893270321a53e5c131c3a67a80142003b | |
parent | b4bf06dcb61dbd735b328f47d8a36afb856d5d16 (diff) | |
download | luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.tar.gz luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.tar.bz2 luaossl-55c385971e421c9eed9d5f3e43c8ad768c3cecab.zip |
OCSP functions required for basic client validation
-rw-r--r-- | src/openssl.c | 245 |
1 files changed, 245 insertions, 0 deletions
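diff --git a/src/openssl.c b/src/openssl.c
index fa7dd79..59bcf1e 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -69,6 +69,7 @@
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/des.h>
+#include <openssl/ocsp.h>
 
 #include <lua.h>
 #include <lualib.h>
@@ -274,6 +275,14 @@
 #define HAVE_SSL_CTX_CERT_STORE (!OPENSSL_PREREQ(1,1,0))
 #endif
 
+#ifndef HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE
+#define HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0)
+#endif
+
+#ifndef HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE
+#define HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0)
+#endif
+
 #ifndef HAVE_SSL_GET0_ALPN_SELECTED
 #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
 #endif
@@ -290,6 +299,10 @@
 #define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2)
 #endif
 
+#ifndef HAVE_SSL_GET_TLSEXT_STATUS_TYPE
+#define HAVE_SSL_GET_TLSEXT_STATUS_TYPE OPENSSL_PREREQ(1,1,0)
+#endif
+
 #ifndef HAVE_SSL_UP_REF
 #define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
 #endif
@@ -380,6 +393,8 @@
 #define DIGEST_CLASS "EVP_MD_CTX*"
 #define HMAC_CLASS "HMAC_CTX*"
 #define CIPHER_CLASS "EVP_CIPHER_CTX*"
+#define OCSP_RESPONSE_CLASS "OCSP_RESPONSE*"
+#define OCSP_BASICRESP_CLASS "OCSP_BASICRESP*"
 
 
 #if __GNUC__
@@ -7916,6 +7931,48 @@ static int sx_setAlpnSelect(lua_State *L) {
 #endif
 
 
+int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp };
+const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL };
+#define checkTLSEXT_STATUSTYPE(L, idx) \
+	(TLSEXT_STATUSTYPEs[luaL_checkoption((L), (idx), NULL, TLSEXT_STATUSTYPEs_names)])
+
+
+#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE
+static int sx_setTLSextStatusType(lua_State *L) {
+	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
+	int type = checkTLSEXT_STATUSTYPE(L, 2);
+
+	if(!SSL_CTX_set_tlsext_status_type(ctx, type))
+		return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* sx_setTLSextStatusType() */
+#endif
+
+
+#if HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE
+static int sx_getTLSextStatusType(lua_State *L) {
+	SSL_CTX *ctx = checksimple(L, 1, SSL_CLASS);
+
+	int type = SSL_CTX_get_tlsext_status_type(ctx);
+	switch(type) {
+	case -1:
+		lua_pushnil(L);
+		break;
+	case TLSEXT_STATUSTYPE_ocsp:
+		lua_pushliteral(L, "ocsp");
+		break;
+	default:
+		luaL_error(L, "unknown TLS extension %d", type);
+	}
+
+	return 1;
+} /* sx_getTLSextStatusType() */
+#endif
+
+
 static int sx__gc(lua_State *L) {
 	SSL_CTX **ud = luaL_checkudata(L, 1, SSL_CTX_CLASS);
 
@@ -7948,6 +8005,12 @@ static const auxL_Reg sx_methods[] = {
 #if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
 	{ "setAlpnSelect", &sx_setAlpnSelect },
 #endif
+#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE
+	{ "setTLSextStatusType", &sx_setTLSextStatusType },
+#endif
+#if HAVE_SSL_CTX_GET_TLSEXT_STATUS_TYPE
+	{ "getTLSextStatusType", &sx_getTLSextStatusType },
+#endif
 	{ NULL, NULL },
 };
 
@@ -8300,6 +8363,63 @@ static int ssl_setAlpnProtos(lua_State *L) {
 #endif
 
 
+static int ssl_setTLSextStatusType(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+	int type = checkTLSEXT_STATUSTYPE(L, 2);
+
+	if(!SSL_set_tlsext_status_type(ssl, type))
+		return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType");
+
+	lua_pushboolean(L, 1);
+
+	return 1;
+} /* ssl_setTLSextStatusType() */
+
+
+#if HAVE_SSL_GET_TLSEXT_STATUS_TYPE
+static int ssl_getTLSextStatusType(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+
+	int type = SSL_get_tlsext_status_type(ssl);
+	switch(type) {
+	case -1:
+		lua_pushnil(L);
+		break;
+	case TLSEXT_STATUSTYPE_ocsp:
+		lua_pushliteral(L, "ocsp");
+		break;
+	default:
+		luaL_error(L, "unknown TLS extension %d", type);
+	}
+
+	return 1;
+} /* ssl_getTLSextStatusType() */
+#endif
+
+
+static int ssl_getTLSextStatusOCSPResp(lua_State *L) {
+	SSL *ssl = checksimple(L, 1, SSL_CLASS);
+
+	OCSP_RESPONSE **ud = prepsimple(L, OCSP_RESPONSE_CLASS);
+	const unsigned char *resp;
+	long resp_len;
+
+	resp_len = SSL_get_tlsext_status_ocsp_resp(ssl, &resp);
+	if (resp == NULL) {
+		lua_pushnil(L);
+		return 1;
+	}
+	if (resp_len == -1)
+		return auxL_error(L, auxL_EOPENSSL, "ssl:getTLSextStatusOCSPResp");
+
+	*ud = d2i_OCSP_RESPONSE(NULL, &resp, resp_len);
+	if(*ud == NULL)
+		return auxL_error(L, auxL_EOPENSSL, "ssl:getTLSextStatusOCSPResp");
+
+	return 1;
+} /* ssl_getTLSextStatusOCSPResp() */
+
+
 static int ssl__gc(lua_State *L) {
 	SSL **ud = luaL_checkudata(L, 1, SSL_CLASS);
 
@@ -8332,6 +8452,11 @@ static const auxL_Reg ssl_methods[] = {
 #if HAVE_SSL_SET_ALPN_PROTOS
 	{ "setAlpnProtos", &ssl_setAlpnProtos },
 #endif
+	{ "setTLSextStatusType", &ssl_setTLSextStatusType },
+#if HAVE_SSL_GET_TLSEXT_STATUS_TYPE
+	{ "getTLSextStatusType", &ssl_getTLSextStatusType },
+#endif
+	{ "getTLSextStatusOCSPResp", &ssl_getTLSextStatusOCSPResp },
 	{ NULL, NULL },
 };
 
@@ -9069,6 +9194,124 @@ int luaopen__openssl_cipher(lua_State *L) {
 
 
 /*
+ * OCSP
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+
+static int or_tostring(lua_State *L) {
+	OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS);
+	BIO *bio = getbio(L);
+	size_t len;
+	char *bytes;
+
+	if (!OCSP_RESPONSE_print(bio, resp, 0))
+		return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:tostring");
+
+	len = BIO_get_mem_data(bio, &bytes);
+	lua_pushlstring(L, bytes, len);
+
+	return 1;
+} /* or__tostring() */
+
+
+static int or_toPEM(lua_State *L) {
+	OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS);
+	BIO *bio = getbio(L);
+	size_t len;
+	char *bytes;
+
+	if (!PEM_write_bio_OCSP_RESPONSE(bio, resp))
+		return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:toPEM");
+
+	len = BIO_get_mem_data(bio, &bytes);
+	lua_pushlstring(L, bytes, len);
+
+	return 1;
+} /* or_toPEM() */
+
+
+static int or_getBasic(lua_State *L) {
+	OCSP_RESPONSE *resp = checksimple(L, 1, OCSP_RESPONSE_CLASS);
+
+	OCSP_BASICRESP **basic = prepsimple(L, OCSP_BASICRESP_CLASS);
+
+	*basic = OCSP_response_get1_basic(resp);
+	if (!*basic)
+		return auxL_error(L, auxL_EOPENSSL, "OCSP_RESPONSE:getBasic");
+
+	return 1;
+} /* or_getBasic() */
+
+
+static int or__gc(lua_State *L) {
+	OCSP_RESPONSE **ud = luaL_checkudata(L, 1, OCSP_RESPONSE_CLASS);
+
+	if (*ud) {
+		OCSP_RESPONSE_free(*ud);
+		*ud = NULL;
+	}
+
+	return 0;
+} /* or__gc() */
+
+static const auxL_Reg or_methods[] = {
+	{ "tostring", &or_tostring },
+	{ "toPEM", &or_toPEM },
+	{ "getBasic", &or_getBasic },
+	{ NULL, NULL },
+};
+
+static const auxL_Reg or_metatable[] = {
+	{ "__tostring", &or_tostring },
+	{ "__gc", &or__gc },
+	{ NULL, NULL },
+};
+
+
+static int ob_verify(lua_State *L) {
+	OCSP_BASICRESP *basic = checksimple(L, 1, OCSP_BASICRESP_CLASS);
+	STACK_OF(X509) *certs = testsimple(L, 2, X509_CHAIN_CLASS);
+	X509_STORE *store = testsimple(L, 3, X509_STORE_CLASS);
+	unsigned long flags = luaL_optinteger(L, 4, 0);
+
+	int res = OCSP_basic_verify(basic, certs, store, flags);
+	if (res == -1)
+		return auxL_error(L, auxL_EOPENSSL, "OCSP_BASICRESP:verify");
+
+	lua_pushboolean(L, res);
+	if (res) {
+		return 1;
+	} else {
+		auxL_pusherror(L, auxL_EOPENSSL, NULL);
+		return 2;
+	}
+} /* ob_verify() */
+
+
+static int ob__gc(lua_State *L) {
+	OCSP_BASICRESP **ud = luaL_checkudata(L, 1, OCSP_BASICRESP_CLASS);
+
+	if (*ud) {
+		OCSP_BASICRESP_free(*ud);
+		*ud = NULL;
+	}
+
+	return 0;
+} /* or__gc() */
+
+
+static const auxL_Reg ob_methods[] = {
+	{ "verify", &ob_verify },
+	{ NULL, NULL },
+};
+
+static const auxL_Reg ob_metatable[] = {
+	{ "__gc", &ob__gc },
+	{ NULL, NULL },
+};
+
+/*
  * Rand - openssl.rand
  *
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@@ -9633,5 +9876,7 @@ static void initall(lua_State *L) {
 	auxL_addclass(L, DIGEST_CLASS, md_methods, md_metatable, 0);
 	auxL_addclass(L, HMAC_CLASS, hmac_methods, hmac_metatable, 0);
 	auxL_addclass(L, CIPHER_CLASS, cipher_methods, cipher_metatable, 0);
+	auxL_addclass(L, OCSP_RESPONSE_CLASS, or_methods, or_metatable, 0);
+	auxL_addclass(L, OCSP_BASICRESP_CLASS, ob_methods, ob_metatable, 0);
 } /* initall() */
 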
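Review bot: sx_getTLSextStatusType (new line 7957) checks its first argument against SSL_CLASS while storing it in an `SSL_CTX *` and handing it to SSL_CTX_get_tlsext_status_type(), so a Lua caller passing the SSL_CTX the method is registered on gets a type error and one passing an SSL object has its SSL* reinterpreted as an SSL_CTX*; the sibling sx_setTLSextStatusType uses SSL_CTX_CLASS and this line should read `SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);`. The lookup tables at new lines 7934-7935 are the only non-static file-scope objects in the change and are never written, so `static const int TLSEXT_STATUSTYPEs[]` and `static const char *const TLSEXT_STATUSTYPEs_names[]` would keep them out of the exported symbol table like the rest of the file and still match luaL_checkoption's parameter type. Minor: the closing comments on or_tostring (`/* or__tostring() */`) and ob__gc (`/* or__gc() */`) name the wrong functions. In ob_verify the certs and store arguments come from testsimple() and so are NULL when absent or of another type; since whether OCSP_basic_verify() accepts a NULL store without OCSP_NOVERIFY is not established by the visible code, a short comment on that function stating which argument combinations are supported would help callers.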