X509_STORE_CTX is opaque, fixup store:verify

author: William Ahern <william@25thandclement.com> 2016-10-29 15:06:17 -0700
committer: William Ahern <william@25thandclement.com> 2016-10-29 15:06:17 -0700
commit: d554b2ffccd22b5c345e8efe881811acfa644d27 (patch)
tree: 3b8b0f7398f4f752cd5c3bf67c2299e18afed96d
parent: 1f22a801dc65ec03c543695115fcba4cc0e39ef7 (diff)
download: luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.tar.gz
luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.tar.bz2
luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.zip
1 files changed, 80 insertions, 45 deletions
diff --git a/src/openssl.c b/src/openssl.c
index b95fccf..f05b57a 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -119,6 +119,30 @@
 #define HAVE_DSA_SET0_PQG OPENSSL_PREREQ(1,1,0)
 #endif
+#ifndef HAVE_DTLSV1_CLIENT_METHOD
+#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)
+#endif
+#ifndef HAVE_DTLSV1_SERVER_METHOD
+#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
+#endif
+#ifndef HAVE_DTLS_CLIENT_METHOD
+#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
+#endif
+#ifndef HAVE_DTLS_SERVER_METHOD
+#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
+#endif
+#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
+#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
+#endif
+#ifndef HAVE_DTLSV1_2_SERVER_METHOD
+#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
+#endif
 #ifndef HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID
 #define HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID OPENSSL_PREREQ(0,9,9)
 #endif
@@ -195,34 +219,18 @@
 #define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
 #endif
-#ifndef HAVE_DTLSV1_CLIENT_METHOD
+#ifndef HAVE_SSL_UP_REF
-#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)
+#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
-#endif
-#ifndef HAVE_DTLSV1_SERVER_METHOD
-#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
-#endif
-#ifndef HAVE_DTLS_CLIENT_METHOD
-#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
-#endif
-#ifndef HAVE_DTLS_SERVER_METHOD
-#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
-#endif
-#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
-#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
-#endif
-#ifndef HAVE_DTLSV1_2_SERVER_METHOD
-#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
 #endif
 #ifndef HAVE_X509_STORE_REFERENCES
 #define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
 #endif
+#ifndef HAVE_X509_UP_REF
+#define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)
+#endif
 #ifndef STRERROR_R_CHAR_P
 #define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600)))
 #endif
@@ -1435,6 +1443,18 @@ static void compat_RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
 } /* compat_RSA_set0_key() */
 #endif
+#if !HAVE_SSL_UP_REF
+#define SSL_up_ref(...) compat_SSL_up_ref(__VA_ARGS__)
+static int compat_SSL_up_ref(SSL *ssl) {
+        /* our caller should already have had a proper reference */
+        if (CRYPTO_add(&ssl->references, 1, CRYPTO_LOCK_SSL) < 2)
+                return 0; /* fail */
+        return 1;
+} /* compat_SSL_up_ref() */
+#endif
 #if !HAVE_X509_GET0_EXT
 #define X509_get0_ext(crt, i) X509_get_ext((crt), (i))
 #endif
@@ -1531,6 +1551,18 @@ static void compat_init_X509_STORE_onfree(void *store, void *data NOTUSED, CRYPT
        compat.tmp.store = NULL;
 } /* compat_init_X509_STORE_onfree() */
+#if !HAVE_X509_UP_REF
+#define X509_up_ref(...) compat_X509_up_ref(__VA_ARGS__)
+static int compat_X509_up_ref(X509 *crt) {
+        /* our caller should already have had a proper reference */
+        if (CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509) < 2)
+                return 0; /* fail */
+        return 1;
+} /* compat_X509_up_ref() */
+#endif
 static int compat_init(void) {
        static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
        static int store_index = -1, ssl_ctx_index = -1, done;
@@ -6523,7 +6555,7 @@ static void xl_dup(lua_State *L, STACK_OF(X509) *src, _Bool copy) {
                for (i = 0; i < n; i++) {
                        if (!(crt = sk_X509_value(*dst, i)))
                                continue;
-                        CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);
+                        X509_up_ref(crt);
                }
        }
@@ -6708,8 +6740,8 @@ static int xs_verify(lua_State *L) {
        X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
        X509 *crt = checksimple(L, 2, X509_CERT_CLASS);
        STACK_OF(X509) *chain = NULL, **proof;
-        X509_STORE_CTX ctx;
+        X509_STORE_CTX *ctx = NULL;
-        int ok, why;
+        int nr = 0, ok, why;
        /* pre-allocate space for a successful return */
        lua_settop(L, 3);
@@ -6720,53 +6752,56 @@ static int xs_verify(lua_State *L) {
                int i, n;
                if (!(chain = sk_X509_dup(checksimple(L, 3, X509_CHAIN_CLASS))))
-                        return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
+                        goto eossl;
                n = sk_X509_num(chain);
                for (i = 0; i < n; i++) {
                        if (!(elm = sk_X509_value(chain, i)))
                                continue;
-                        CRYPTO_add(&elm->references, 1, CRYPTO_LOCK_X509);
+                        X509_up_ref(elm);
                }
        }
-        if (!X509_STORE_CTX_init(&ctx, store, crt, chain)) {
+        if (!(ctx = X509_STORE_CTX_new()) || !X509_STORE_CTX_init(ctx, store, crt, chain)) {
                sk_X509_pop_free(chain, X509_free);
-                return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
+                goto eossl;
        }
        ERR_clear_error();
-        ok = X509_verify_cert(&ctx);
+        ok = X509_verify_cert(ctx);
        switch (ok) {
        case 1: /* verified */
-                *proof = X509_STORE_CTX_get1_chain(&ctx);
+                if (!(*proof = X509_STORE_CTX_get1_chain(ctx)))
+                        goto eossl;
-                X509_STORE_CTX_cleanup(&ctx);
-                if (!*proof)
-                        return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
                lua_pushboolean(L, 1);
                lua_pushvalue(L, -2);
+                nr = 2;
-                return 2;
+                break;
        case 0: /* not verified */
-                why = X509_STORE_CTX_get_error(&ctx);
+                why = X509_STORE_CTX_get_error(ctx);
-                X509_STORE_CTX_cleanup(&ctx);
                lua_pushboolean(L, 0);
                lua_pushstring(L, X509_verify_cert_error_string(why));
+                nr = 2;
-                return 2;
+                break;
        default:
-                X509_STORE_CTX_cleanup(&ctx);
+                goto eossl;
-                return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
        }
+        X509_STORE_CTX_free(ctx);
+        return nr;
+eossl:
+        if (ctx)
+                X509_STORE_CTX_free(ctx);
+        return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
 } /* xs_verify() */
@@ -7514,7 +7549,7 @@ int luaopen__openssl_ssl_context(lua_State *L) {
 static SSL *ssl_push(lua_State *L, SSL *ssl) {
        SSL **ud = prepsimple(L, SSL_CLASS);
-        CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL);
+        SSL_up_ref(ssl);
        *ud = ssl;
        return *ud;
author	William Ahern <william@25thandclement.com>	2016-10-29 15:06:17 -0700
committer	William Ahern <william@25thandclement.com>	2016-10-29 15:06:17 -0700
commit	d554b2ffccd22b5c345e8efe881811acfa644d27 (patch)
tree	3b8b0f7398f4f752cd5c3bf67c2299e18afed96d
parent	1f22a801dc65ec03c543695115fcba4cc0e39ef7 (diff)
download	luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.tar.gz luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.tar.bz2 luaossl-d554b2ffccd22b5c345e8efe881811acfa644d27.zip

diff --git a/src/openssl.c b/src/openssl.c index b95fccf..f05b57a 100644 --- a/src/openssl.c +++ b/src/openssl.c
@@ -119,6 +119,30 @@
119	#define HAVE_DSA_SET0_PQG OPENSSL_PREREQ(1,1,0)	119	#define HAVE_DSA_SET0_PQG OPENSSL_PREREQ(1,1,0)
120	#endif	120	#endif
121		121
		122	#ifndef HAVE_DTLSV1_CLIENT_METHOD
		123	#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)
		124	#endif
		125
		126	#ifndef HAVE_DTLSV1_SERVER_METHOD
		127	#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
		128	#endif
		129
		130	#ifndef HAVE_DTLS_CLIENT_METHOD
		131	#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
		132	#endif
		133
		134	#ifndef HAVE_DTLS_SERVER_METHOD
		135	#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
		136	#endif
		137
		138	#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
		139	#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
		140	#endif
		141
		142	#ifndef HAVE_DTLSV1_2_SERVER_METHOD
		143	#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
		144	#endif
		145
122	#ifndef HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID	146	#ifndef HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID
123	#define HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID OPENSSL_PREREQ(0,9,9)	147	#define HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID OPENSSL_PREREQ(0,9,9)
124	#endif	148	#endif
@@ -195,34 +219,18 @@
195	#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS	219	#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
196	#endif	220	#endif
197		221
198	#ifndef HAVE_DTLSV1_CLIENT_METHOD	222	#ifndef HAVE_SSL_UP_REF
199	#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)	223	#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
200	#endif
201
202	#ifndef HAVE_DTLSV1_SERVER_METHOD
203	#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
204	#endif
205
206	#ifndef HAVE_DTLS_CLIENT_METHOD
207	#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
208	#endif
209
210	#ifndef HAVE_DTLS_SERVER_METHOD
211	#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
212	#endif
213
214	#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
215	#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1)
216	#endif
217
218	#ifndef HAVE_DTLSV1_2_SERVER_METHOD
219	#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
220	#endif	224	#endif
221		225
222	#ifndef HAVE_X509_STORE_REFERENCES	226	#ifndef HAVE_X509_STORE_REFERENCES
223	#define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))	227	#define HAVE_X509_STORE_REFERENCES (!OPENSSL_PREREQ(1,1,0))
224	#endif	228	#endif
225		229
		230	#ifndef HAVE_X509_UP_REF
		231	#define HAVE_X509_UP_REF OPENSSL_PREREQ(1,1,0)
		232	#endif
		233
226	#ifndef STRERROR_R_CHAR_P	234	#ifndef STRERROR_R_CHAR_P
227	#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE \|\| !(_POSIX_C_SOURCE >= 200112L \|\| _XOPEN_SOURCE >= 600)))	235	#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE \|\| !(_POSIX_C_SOURCE >= 200112L \|\| _XOPEN_SOURCE >= 600)))
228	#endif	236	#endif
@@ -1435,6 +1443,18 @@ static void compat_RSA_set0_key(RSA r, BIGNUM n, BIGNUM e, BIGNUM d) {
1435	} /* compat_RSA_set0_key() */	1443	} /* compat_RSA_set0_key() */
1436	#endif	1444	#endif
1437		1445
		1446	#if !HAVE_SSL_UP_REF
		1447	#define SSL_up_ref(...) compat_SSL_up_ref(__VA_ARGS__)
		1448
		1449	static int compat_SSL_up_ref(SSL *ssl) {
		1450	/* our caller should already have had a proper reference */
		1451	if (CRYPTO_add(&ssl->references, 1, CRYPTO_LOCK_SSL) < 2)
		1452	return 0; /* fail */
		1453
		1454	return 1;
		1455	} /* compat_SSL_up_ref() */
		1456	#endif
		1457
1438	#if !HAVE_X509_GET0_EXT	1458	#if !HAVE_X509_GET0_EXT
1439	#define X509_get0_ext(crt, i) X509_get_ext((crt), (i))	1459	#define X509_get0_ext(crt, i) X509_get_ext((crt), (i))
1440	#endif	1460	#endif
@@ -1531,6 +1551,18 @@ static void compat_init_X509_STORE_onfree(void store, void data NOTUSED, CRYPT
1531	compat.tmp.store = NULL;	1551	compat.tmp.store = NULL;
1532	} /* compat_init_X509_STORE_onfree() */	1552	} /* compat_init_X509_STORE_onfree() */
1533		1553
		1554	#if !HAVE_X509_UP_REF
		1555	#define X509_up_ref(...) compat_X509_up_ref(__VA_ARGS__)
		1556
		1557	static int compat_X509_up_ref(X509 *crt) {
		1558	/* our caller should already have had a proper reference */
		1559	if (CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509) < 2)
		1560	return 0; /* fail */
		1561
		1562	return 1;
		1563	} /* compat_X509_up_ref() */
		1564	#endif
		1565
1534	static int compat_init(void) {	1566	static int compat_init(void) {
1535	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;	1567	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
1536	static int store_index = -1, ssl_ctx_index = -1, done;	1568	static int store_index = -1, ssl_ctx_index = -1, done;
@@ -6523,7 +6555,7 @@ static void xl_dup(lua_State L, STACK_OF(X509) src, _Bool copy) {
6523	for (i = 0; i < n; i++) {	6555	for (i = 0; i < n; i++) {
6524	if (!(crt = sk_X509_value(*dst, i)))	6556	if (!(crt = sk_X509_value(*dst, i)))
6525	continue;	6557	continue;
6526	CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);	6558	X509_up_ref(crt);
6527	}	6559	}
6528	}	6560	}
6529		6561
@@ -6708,8 +6740,8 @@ static int xs_verify(lua_State *L) {
6708	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);	6740	X509_STORE *store = checksimple(L, 1, X509_STORE_CLASS);
6709	X509 *crt = checksimple(L, 2, X509_CERT_CLASS);	6741	X509 *crt = checksimple(L, 2, X509_CERT_CLASS);
6710	STACK_OF(X509) chain = NULL, *proof;	6742	STACK_OF(X509) chain = NULL, *proof;
6711	X509_STORE_CTX ctx;	6743	X509_STORE_CTX *ctx = NULL;
6712	int ok, why;	6744	int nr = 0, ok, why;
6713		6745
6714	/* pre-allocate space for a successful return */	6746	/* pre-allocate space for a successful return */
6715	lua_settop(L, 3);	6747	lua_settop(L, 3);
@@ -6720,53 +6752,56 @@ static int xs_verify(lua_State *L) {
6720	int i, n;	6752	int i, n;
6721		6753
6722	if (!(chain = sk_X509_dup(checksimple(L, 3, X509_CHAIN_CLASS))))	6754	if (!(chain = sk_X509_dup(checksimple(L, 3, X509_CHAIN_CLASS))))
6723	return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");	6755	goto eossl;
6724		6756
6725	n = sk_X509_num(chain);	6757	n = sk_X509_num(chain);
6726		6758
6727	for (i = 0; i < n; i++) {	6759	for (i = 0; i < n; i++) {
6728	if (!(elm = sk_X509_value(chain, i)))	6760	if (!(elm = sk_X509_value(chain, i)))
6729	continue;	6761	continue;
6730	CRYPTO_add(&elm->references, 1, CRYPTO_LOCK_X509);	6762	X509_up_ref(elm);
6731	}	6763	}
6732	}	6764	}
6733		6765
6734	if (!X509_STORE_CTX_init(&ctx, store, crt, chain)) {	6766	if (!(ctx = X509_STORE_CTX_new()) \|\| !X509_STORE_CTX_init(ctx, store, crt, chain)) {
6735	sk_X509_pop_free(chain, X509_free);	6767	sk_X509_pop_free(chain, X509_free);
6736	return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");	6768	goto eossl;
6737	}	6769	}
6738		6770
6739	ERR_clear_error();	6771	ERR_clear_error();
6740		6772
6741	ok = X509_verify_cert(&ctx);	6773	ok = X509_verify_cert(ctx);
6742		6774
6743	switch (ok) {	6775	switch (ok) {
6744	case 1: /* verified */	6776	case 1: /* verified */
6745	*proof = X509_STORE_CTX_get1_chain(&ctx);	6777	if (!(*proof = X509_STORE_CTX_get1_chain(ctx)))
6746		6778	goto eossl;
6747	X509_STORE_CTX_cleanup(&ctx);
6748
6749	if (!*proof)
6750	return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
6751		6779
6752	lua_pushboolean(L, 1);	6780	lua_pushboolean(L, 1);
6753	lua_pushvalue(L, -2);	6781	lua_pushvalue(L, -2);
		6782	nr = 2;
6754		6783
6755	return 2;	6784	break;
6756	case 0: /* not verified */	6785	case 0: /* not verified */
6757	why = X509_STORE_CTX_get_error(&ctx);	6786	why = X509_STORE_CTX_get_error(ctx);
6758
6759	X509_STORE_CTX_cleanup(&ctx);
6760		6787
6761	lua_pushboolean(L, 0);	6788	lua_pushboolean(L, 0);
6762	lua_pushstring(L, X509_verify_cert_error_string(why));	6789	lua_pushstring(L, X509_verify_cert_error_string(why));
		6790	nr = 2;
6763		6791
6764	return 2;	6792	break;
6765	default:	6793	default:
6766	X509_STORE_CTX_cleanup(&ctx);	6794	goto eossl;
6767
6768	return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
6769	}	6795	}
		6796
		6797	X509_STORE_CTX_free(ctx);
		6798
		6799	return nr;
		6800	eossl:
		6801	if (ctx)
		6802	X509_STORE_CTX_free(ctx);
		6803
		6804	return auxL_error(L, auxL_EOPENSSL, "x509.store:verify");
6770	} /* xs_verify() */	6805	} /* xs_verify() */
6771		6806
6772		6807
@@ -7514,7 +7549,7 @@ int luaopen__openssl_ssl_context(lua_State *L) {
7514	static SSL ssl_push(lua_State L, SSL *ssl) {	7549	static SSL ssl_push(lua_State L, SSL *ssl) {
7515	SSL **ud = prepsimple(L, SSL_CLASS);	7550	SSL **ud = prepsimple(L, SSL_CLASS);
7516		7551
7517	CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL);	7552	SSL_up_ref(ssl);
7518	*ud = ssl;	7553	*ud = ssl;
7519		7554
7520	return *ud;	7555	return *ud;