summaryrefslogtreecommitdiff
path: root/src/openssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openssl.c')
-rw-r--r--src/openssl.c575
1 files changed, 476 insertions, 99 deletions
diff --git a/src/openssl.c b/src/openssl.c
index 9fc5b97..1b11207 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -75,7 +75,7 @@
75#include <lualib.h> 75#include <lualib.h>
76#include <lauxlib.h> 76#include <lauxlib.h>
77 77
78#include "compat52.h" 78#include "../vendor/compat53/c-api/compat-5.3.h"
79 79
80#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p)) 80#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p))
81#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p))) 81#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p)))
@@ -83,11 +83,16 @@
83#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p)) 83#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p))
84#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p))) 84#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p)))
85 85
86#define OPENSSL_PREREQ(M, m, p) \ 86#ifdef LIBRESSL_VERSION_NUMBER
87 (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER) 87#define OPENSSL_PREREQ(M, m, p) (0)
88
89#define LIBRESSL_PREREQ(M, m, p) \ 88#define LIBRESSL_PREREQ(M, m, p) \
90 (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12))) 89 (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
90#else
91#define OPENSSL_PREREQ(M, m, p) \
92 (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
93#define LIBRESSL_PREREQ(M, m, p) (0)
94#endif
95
91 96
92#ifndef __has_builtin 97#ifndef __has_builtin
93#define __has_builtin(x) 0 98#define __has_builtin(x) 0
@@ -146,7 +151,11 @@
146#endif 151#endif
147 152
148#ifndef HAVE_DTLSV1_CLIENT_METHOD 153#ifndef HAVE_DTLSV1_CLIENT_METHOD
149#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1) 154#ifdef OPENSSL_NO_DTLS1
155#define HAVE_DTLSV1_CLIENT_METHOD (0)
156#else
157#define HAVE_DTLSV1_CLIENT_METHOD (1)
158#endif
150#endif 159#endif
151 160
152#ifndef HAVE_DTLSV1_SERVER_METHOD 161#ifndef HAVE_DTLSV1_SERVER_METHOD
@@ -154,7 +163,11 @@
154#endif 163#endif
155 164
156#ifndef HAVE_DTLS_CLIENT_METHOD 165#ifndef HAVE_DTLS_CLIENT_METHOD
157#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) 166#ifdef OPENSSL_NO_DTLS1
167#define HAVE_DTLS_CLIENT_METHOD (0)
168#else
169#define HAVE_DTLS_CLIENT_METHOD OPENSSL_PREREQ(1,0,2)
170#endif
158#endif 171#endif
159 172
160#ifndef HAVE_DTLS_SERVER_METHOD 173#ifndef HAVE_DTLS_SERVER_METHOD
@@ -162,7 +175,11 @@
162#endif 175#endif
163 176
164#ifndef HAVE_DTLSV1_2_CLIENT_METHOD 177#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
165#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) 178#ifdef OPENSSL_NO_DTLS1
179#define HAVE_DTLSV1_2_CLIENT_METHOD (0)
180#else
181#define HAVE_DTLSV1_2_CLIENT_METHOD OPENSSL_PREREQ(1,0,2)
182#endif
166#endif 183#endif
167 184
168#ifndef HAVE_DTLSV1_2_SERVER_METHOD 185#ifndef HAVE_DTLSV1_2_SERVER_METHOD
@@ -229,10 +246,6 @@
229#define HAVE_RSA_GET0_KEY OPENSSL_PREREQ(1,1,0) 246#define HAVE_RSA_GET0_KEY OPENSSL_PREREQ(1,1,0)
230#endif 247#endif
231 248
232#ifndef HAVE_RSA_PKCS1_PSS_PADDING
233#define HAVE_RSA_PKCS1_PSS_PADDING (defined RSA_PKCS1_PSS_PADDING || OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0))
234#endif
235
236#ifndef HAVE_RSA_SET0_CRT_PARAMS 249#ifndef HAVE_RSA_SET0_CRT_PARAMS
237#define HAVE_RSA_SET0_CRT_PARAMS OPENSSL_PREREQ(1,1,0) 250#define HAVE_RSA_SET0_CRT_PARAMS OPENSSL_PREREQ(1,1,0)
238#endif 251#endif
@@ -253,6 +266,14 @@
253#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2) 266#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2)
254#endif 267#endif
255 268
269#ifndef HAVE_SSL_CTX_SET_CURVES_LIST
270#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
271#endif
272
273#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO
274#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2))
275#endif
276
256#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS 277#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
257#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3)) 278#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3))
258#endif 279#endif
@@ -261,6 +282,10 @@
261#define HAVE_SSL_CTX_SET_ALPN_SELECT_CB HAVE_SSL_CTX_SET_ALPN_PROTOS 282#define HAVE_SSL_CTX_SET_ALPN_SELECT_CB HAVE_SSL_CTX_SET_ALPN_PROTOS
262#endif 283#endif
263 284
285#ifndef HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
286#define HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK OPENSSL_PREREQ(1,0,0)
287#endif
288
264#ifndef HAVE_SSL_CTX_SET1_CERT_STORE 289#ifndef HAVE_SSL_CTX_SET1_CERT_STORE
265#define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */ 290#define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */
266#endif 291#endif
@@ -293,6 +318,10 @@
293#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS 318#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS
294#endif 319#endif
295 320
321#ifndef HAVE_SSL_SET_CURVES_LIST
322#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
323#endif
324
296#ifndef HAVE_SSL_SET1_PARAM 325#ifndef HAVE_SSL_SET1_PARAM
297#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) 326#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2)
298#endif 327#endif
@@ -309,12 +338,32 @@
309#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) 338#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
310#endif 339#endif
311 340
312#ifndef HAVE_SSLV2_CLIENT_METHOD 341#ifndef HAVE_SSL_OP_NO_SSL_MASK
313#define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) 342#define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2)
314#endif 343#endif
315 344
316#ifndef HAVE_SSLV2_SERVER_METHOD 345#ifndef HAVE_SSL_OP_NO_DTLS_MASK
317#define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) 346#define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0)
347#endif
348
349#ifndef HAVE_STACK_OPENSSL_STRING_FUNCS
350#define HAVE_STACK_OPENSSL_STRING_FUNCS (OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0))
351#endif
352
353#ifndef HAVE_X509_CRL_GET0_LASTUPDATE
354#define HAVE_X509_CRL_GET0_LASTUPDATE OPENSSL_PREREQ(1,1,0)
355#endif
356
357#ifndef HAVE_X509_CRL_GET0_NEXTUPDATE
358#define HAVE_X509_CRL_GET0_NEXTUPDATE OPENSSL_PREREQ(1,1,0)
359#endif
360
361#ifndef HAVE_X509_CRL_SET1_LASTUPDATE
362#define HAVE_X509_CRL_SET1_LASTUPDATE OPENSSL_PREREQ(1,1,0)
363#endif
364
365#ifndef HAVE_X509_CRL_SET1_NEXTUPDATE
366#define HAVE_X509_CRL_SET1_NEXTUPDATE OPENSSL_PREREQ(1,1,0)
318#endif 367#endif
319 368
320#ifndef HAVE_X509_GET_SIGNATURE_NID 369#ifndef HAVE_X509_GET_SIGNATURE_NID
@@ -358,7 +407,11 @@
358#endif 407#endif
359 408
360#ifndef STRERROR_R_CHAR_P 409#ifndef STRERROR_R_CHAR_P
361#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))) 410#ifdef __GLIBC__
411#define STRERROR_R_CHAR_P (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))
412#else
413#define STRERROR_R_CHAR_P (0)
414#endif
362#endif 415#endif
363 416
364#ifndef LIST_HEAD 417#ifndef LIST_HEAD
@@ -678,6 +731,44 @@ static void *loadfield_udata(lua_State *L, int index, const char *k, const char
678} /* loadfield_udata() */ 731} /* loadfield_udata() */
679 732
680 733
734/* Forward declaration */
735static SSL *ssl_push(lua_State *, SSL *);
736
737/* push an ssl object into lua in a way that is safe from OOM
738 * Lua 5.1 does not support normally returning values from lua_cpcall
739 * to return a value, we instead return it via an error object
740 */
741static int ssl_pushsafe_helper(lua_State *L) {
742 ssl_push(L, lua_touserdata(L, 1));
743#if LUA_VERSION_NUM <= 501
744 return lua_error(L);
745#else
746 return 1;
747#endif
748}
749
750static int ssl_pushsafe(lua_State *L, SSL *ssl) {
751 int status;
752#if LUA_VERSION_NUM <= 501
753 status = lua_cpcall(L, ssl_pushsafe_helper, ssl);
754 if (status == LUA_ERRRUN)
755 status = LUA_OK;
756 else if (status == LUA_OK)
757 /* this should be impossible */
758 status = LUA_ERRRUN;
759 else
760 lua_pop(L, 1);
761#else
762 lua_pushcfunction(L, ssl_pushsafe_helper);
763 lua_pushlightuserdata(L, ssl);
764 status = lua_pcall(L, 1, 1, 0);
765 if (status != LUA_OK)
766 lua_pop(L, 1);
767#endif
768 return status;
769}
770
771
681/* 772/*
682 * Auxiliary C routines 773 * Auxiliary C routines
683 * 774 *
@@ -1623,6 +1714,22 @@ static int compat_SSL_up_ref(SSL *ssl) {
1623} /* compat_SSL_up_ref() */ 1714} /* compat_SSL_up_ref() */
1624#endif 1715#endif
1625 1716
1717#if !HAVE_SSL_OP_NO_SSL_MASK
1718/* SSL_OP_NO_SSL_MASK was introduced in 1.0.2
1719 1.0.1 had up to TLSv1_2
1720 0.9.8-1.0.0 had up to TLSv1
1721*/
1722#ifdef SSL_OP_NO_TLSv1_2
1723#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
1724#else
1725#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1)
1726#endif
1727#endif
1728
1729#if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD
1730#define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
1731#endif
1732
1626#if !HAVE_SSL_CTX_GET0_PARAM 1733#if !HAVE_SSL_CTX_GET0_PARAM
1627#define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx)) 1734#define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx))
1628 1735
@@ -1639,6 +1746,12 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
1639} /* compat_SSL_CTX_set1_param() */ 1746} /* compat_SSL_CTX_set1_param() */
1640#endif 1747#endif
1641 1748
1749#if !HAVE_STACK_OPENSSL_STRING_FUNCS
1750#define sk_OPENSSL_STRING_num(s) sk_num(s)
1751#define sk_OPENSSL_STRING_value(s, i) sk_value((s), (i))
1752#define sk_OPENSSL_STRING_free(s) X509_email_free(s)
1753#endif
1754
1642#if !HAVE_X509_GET0_EXT 1755#if !HAVE_X509_GET0_EXT
1643#define X509_get0_ext(crt, i) X509_get_ext((crt), (i)) 1756#define X509_get0_ext(crt, i) X509_get_ext((crt), (i))
1644#endif 1757#endif
@@ -1651,6 +1764,22 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
1651#define X509_CRL_get0_ext(crt, i) X509_CRL_get_ext((crt), (i)) 1764#define X509_CRL_get0_ext(crt, i) X509_CRL_get_ext((crt), (i))
1652#endif 1765#endif
1653 1766
1767#if !HAVE_X509_CRL_GET0_LASTUPDATE
1768#define X509_CRL_get0_lastUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_lastUpdate(crl))
1769#endif
1770
1771#if !HAVE_X509_CRL_GET0_NEXTUPDATE
1772#define X509_CRL_get0_nextUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_nextUpdate(crl))
1773#endif
1774
1775#if !HAVE_X509_CRL_SET1_LASTUPDATE
1776#define X509_CRL_set1_lastUpdate(crl, s) X509_CRL_set_lastUpdate((crl), (ASN1_TIME*)(s))
1777#endif
1778
1779#if !HAVE_X509_CRL_SET1_NEXTUPDATE
1780#define X509_CRL_set1_nextUpdate(crl, s) X509_CRL_set_nextUpdate((crl), (ASN1_TIME*)(s))
1781#endif
1782
1654#if !HAVE_X509_EXTENSION_GET0_OBJECT 1783#if !HAVE_X509_EXTENSION_GET0_OBJECT
1655#define X509_EXTENSION_get0_object(ext) X509_EXTENSION_get_object((ext)) 1784#define X509_EXTENSION_get0_object(ext) X509_EXTENSION_get_object((ext))
1656#endif 1785#endif
@@ -1784,6 +1913,7 @@ static int compat_init(void) {
1784 if (done) 1913 if (done)
1785 goto epilog; 1914 goto epilog;
1786 1915
1916#if defined compat_X509_STORE_free
1787 /* 1917 /*
1788 * We need to unconditionally install at least one external 1918 * We need to unconditionally install at least one external
1789 * application data callback. Because these can never be 1919 * application data callback. Because these can never be
@@ -1792,7 +1922,6 @@ static int compat_init(void) {
1792 if ((error = dl_anchor())) 1922 if ((error = dl_anchor()))
1793 goto epilog; 1923 goto epilog;
1794 1924
1795#if defined compat_X509_STORE_free
1796 /* 1925 /*
1797 * Test if X509_STORE_free obeys reference counts by installing an 1926 * Test if X509_STORE_free obeys reference counts by installing an
1798 * onfree callback. 1927 * onfree callback.
@@ -1929,6 +2058,7 @@ struct ex_data {
1929 2058
1930enum { 2059enum {
1931 EX_SSL_CTX_ALPN_SELECT_CB, 2060 EX_SSL_CTX_ALPN_SELECT_CB,
2061 EX_SSL_CTX_TLSEXT_SERVERNAME_CB,
1932}; 2062};
1933 2063
1934static struct ex_type { 2064static struct ex_type {
@@ -1938,6 +2068,7 @@ static struct ex_type {
1938 int (*set_ex_data)(); 2068 int (*set_ex_data)();
1939} ex_type[] = { 2069} ex_type[] = {
1940 [EX_SSL_CTX_ALPN_SELECT_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data }, 2070 [EX_SSL_CTX_ALPN_SELECT_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data },
2071 [EX_SSL_CTX_TLSEXT_SERVERNAME_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data },
1941}; 2072};
1942 2073
1943#if OPENSSL_PREREQ(1,1,0) 2074#if OPENSSL_PREREQ(1,1,0)
@@ -3081,7 +3212,8 @@ static int pk_new(lua_State *L) {
3081 if (lua_istable(L, 1) || lua_isnil(L, 1)) { 3212 if (lua_istable(L, 1) || lua_isnil(L, 1)) {
3082 int type = EVP_PKEY_RSA; 3213 int type = EVP_PKEY_RSA;
3083 unsigned bits = 1024; 3214 unsigned bits = 1024;
3084 unsigned exp = 65537; 3215 BIGNUM *exp = NULL;
3216 int generator = 2;
3085 int curve = NID_X9_62_prime192v1; 3217 int curve = NID_X9_62_prime192v1;
3086 const char *id; 3218 const char *id;
3087 const char *dhparam = NULL; 3219 const char *dhparam = NULL;
@@ -3111,23 +3243,46 @@ static int pk_new(lua_State *L) {
3111 luaL_argcheck(L, type != NID_undef, 1, lua_pushfstring(L, "%s: invalid key type", id)); 3243 luaL_argcheck(L, type != NID_undef, 1, lua_pushfstring(L, "%s: invalid key type", id));
3112 } 3244 }
3113 3245
3114 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) { 3246 switch(type) {
3115 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n)); 3247 case EVP_PKEY_RSA:
3116 bits = (unsigned)n; 3248 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) {
3117 } 3249 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n));
3250 bits = (unsigned)n;
3251 }
3118 3252
3119 if (loadfield(L, 1, "exp", LUA_TNUMBER, &n)) { 3253 if (!getfield(L, 1, "exp")) {
3120 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n)); 3254 exp = checkbig(L, -1);
3121 exp = (unsigned)n; 3255 } else {
3122 } 3256 /* default to 65537 */
3257 exp = bn_push(L);
3258 if (!BN_add_word(exp, 65537))
3259 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3260 }
3261 break;
3262 case EVP_PKEY_DH:
3263 /* dhparam field can contain a PEM encoded string.
3264 The "dhparam" field takes precedence over "bits" */
3265 if (loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam))
3266 break;
3123 3267
3124 if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) { 3268 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) {
3125 if (!auxS_txt2nid(&curve, id)) 3269 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n));
3126 luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id)); 3270 bits = (unsigned)n;
3127 } 3271 }
3128 3272
3129 /* dhparam field can contain a PEM encoded string. */ 3273 /* compat: DH used to use the 'exp' field for the generator */
3130 loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam); 3274 if (loadfield(L, 1, "generator", LUA_TNUMBER, &n) || loadfield(L, 1, "exp", LUA_TNUMBER, &n)) {
3275 luaL_argcheck(L, n > 0 && n <= INT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n));
3276 generator = (int)n;
3277 }
3278 break;
3279 case EVP_PKEY_EC:
3280 if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) {
3281 if (!auxS_txt2nid(&curve, id))
3282 luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id));
3283 }
3284 break;
3285 }
3131 3286
3132creat: 3287creat:
3133 if (!(*ud = EVP_PKEY_new())) 3288 if (!(*ud = EVP_PKEY_new()))
@@ -3137,9 +3292,14 @@ creat:
3137 case EVP_PKEY_RSA: { 3292 case EVP_PKEY_RSA: {
3138 RSA *rsa; 3293 RSA *rsa;
3139 3294
3140 if (!(rsa = RSA_generate_key(bits, exp, 0, 0))) 3295 if (!(rsa = RSA_new()))
3141 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3296 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3142 3297
3298 if (!RSA_generate_key_ex(rsa, bits, exp, 0)) {
3299 RSA_free(rsa);
3300 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3301 }
3302
3143 EVP_PKEY_set1_RSA(*ud, rsa); 3303 EVP_PKEY_set1_RSA(*ud, rsa);
3144 3304
3145 RSA_free(rsa); 3305 RSA_free(rsa);
@@ -3149,9 +3309,14 @@ creat:
3149 case EVP_PKEY_DSA: { 3309 case EVP_PKEY_DSA: {
3150 DSA *dsa; 3310 DSA *dsa;
3151 3311
3152 if (!(dsa = DSA_generate_parameters(bits, 0, 0, 0, 0, 0, 0))) 3312 if (!(dsa = DSA_new()))
3153 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3313 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3154 3314
3315 if (!DSA_generate_parameters_ex(dsa, bits, 0, 0, 0, 0, 0)) {
3316 DSA_free(dsa);
3317 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3318 }
3319
3155 if (!DSA_generate_key(dsa)) { 3320 if (!DSA_generate_key(dsa)) {
3156 DSA_free(dsa); 3321 DSA_free(dsa);
3157 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3322 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
@@ -3179,8 +3344,15 @@ creat:
3179 BIO_free(bio); 3344 BIO_free(bio);
3180 if (!dh) 3345 if (!dh)
3181 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3346 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3182 } else if (!(dh = DH_generate_parameters(bits, exp, 0, 0))) 3347 } else {
3183 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3348 if (!(dh = DH_new()))
3349 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3350
3351 if (!DH_generate_parameters_ex(dh, bits, generator, 0)) {
3352 DH_free(dh);
3353 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3354 }
3355 }
3184 3356
3185 3357
3186 if (!DH_generate_key(dh)) { 3358 if (!DH_generate_key(dh)) {
@@ -4319,7 +4491,7 @@ static const auxL_IntegerReg pk_rsa_pad_opts[] = {
4319 { "RSA_NO_PADDING", RSA_NO_PADDING }, // no padding 4491 { "RSA_NO_PADDING", RSA_NO_PADDING }, // no padding
4320 { "RSA_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING }, // OAEP padding (encrypt and decrypt only) 4492 { "RSA_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING }, // OAEP padding (encrypt and decrypt only)
4321 { "RSA_X931_PADDING", RSA_X931_PADDING }, // (signature operations only) 4493 { "RSA_X931_PADDING", RSA_X931_PADDING }, // (signature operations only)
4322#if HAVE_RSA_PKCS1_PSS_PADDING 4494#if RSA_PKCS1_PSS_PADDING
4323 { "RSA_PKCS1_PSS_PADDING", RSA_PKCS1_PSS_PADDING }, // (sign and verify only) 4495 { "RSA_PKCS1_PSS_PADDING", RSA_PKCS1_PSS_PADDING }, // (sign and verify only)
4324#endif 4496#endif
4325 { NULL, 0 }, 4497 { NULL, 0 },
@@ -5523,17 +5695,17 @@ static _Bool scan(int *i, char **cp, int n, int signok) {
5523} /* scan() */ 5695} /* scan() */
5524 5696
5525 5697
5526static double timeutc(ASN1_TIME *time) { 5698static double timeutc(const ASN1_TIME *time) {
5527 char buf[32] = "", *cp; 5699 char buf[32] = "", *cp;
5528 struct tm tm = { 0 }; 5700 struct tm tm = { 0 };
5529 int gmtoff = 0, year, i; 5701 int gmtoff = 0, year, i;
5530 5702
5531 if (!ASN1_TIME_check(time)) 5703 if (!ASN1_TIME_check((ASN1_STRING *)time))
5532 return 0; 5704 return 0;
5533 5705
5534 cp = strncpy(buf, (const char *)ASN1_STRING_get0_data((ASN1_STRING *)time), sizeof buf - 1); 5706 cp = strncpy(buf, (const char *)ASN1_STRING_get0_data((ASN1_STRING *)time), sizeof buf - 1);
5535 5707
5536 if (ASN1_STRING_type(time) == V_ASN1_GENERALIZEDTIME) { 5708 if (ASN1_STRING_type((ASN1_STRING *)time) == V_ASN1_GENERALIZEDTIME) {
5537 if (!scan(&year, &cp, 4, 1)) 5709 if (!scan(&year, &cp, 4, 1))
5538 goto badfmt; 5710 goto badfmt;
5539 } else { 5711 } else {
@@ -5595,7 +5767,7 @@ badfmt:
5595static int xc_getLifetime(lua_State *L) { 5767static int xc_getLifetime(lua_State *L) {
5596 X509 *crt = checksimple(L, 1, X509_CERT_CLASS); 5768 X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
5597 double begin = INFINITY, end = INFINITY; 5769 double begin = INFINITY, end = INFINITY;
5598 ASN1_TIME *time; 5770 const ASN1_TIME *time;
5599 5771
5600 if ((time = X509_get_notBefore(crt))) 5772 if ((time = X509_get_notBefore(crt)))
5601 begin = timeutc(time); 5773 begin = timeutc(time);
@@ -6684,10 +6856,21 @@ static int xx_new(lua_State *L) {
6684 if (!ok) 6856 if (!ok)
6685 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); 6857 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6686 } else { 6858 } else {
6859 ASN1_TIME *tm;
6860
6687 if (!(*ud = X509_CRL_new())) 6861 if (!(*ud = X509_CRL_new()))
6688 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); 6862 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6689 6863
6690 X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0); 6864 /* initialize last updated time to now */
6865 if (!(tm = ASN1_TIME_set(NULL, time(NULL))))
6866 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6867
6868 if (!X509_CRL_set1_lastUpdate(*ud, tm)) {
6869 ASN1_TIME_free(tm);
6870 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6871 }
6872
6873 ASN1_TIME_free(tm);
6691 } 6874 }
6692 6875
6693 return 1; 6876 return 1;
@@ -6724,9 +6907,9 @@ static int xx_setVersion(lua_State *L) {
6724static int xx_getLastUpdate(lua_State *L) { 6907static int xx_getLastUpdate(lua_State *L) {
6725 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6908 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6726 double updated = INFINITY; 6909 double updated = INFINITY;
6727 ASN1_TIME *time; 6910 const ASN1_TIME *time;
6728 6911
6729 if ((time = X509_CRL_get_lastUpdate(crl))) 6912 if ((time = X509_CRL_get0_lastUpdate(crl)))
6730 updated = timeutc(time); 6913 updated = timeutc(time);
6731 6914
6732 if (isfinite(updated)) 6915 if (isfinite(updated))
@@ -6741,23 +6924,30 @@ static int xx_getLastUpdate(lua_State *L) {
6741static int xx_setLastUpdate(lua_State *L) { 6924static int xx_setLastUpdate(lua_State *L) {
6742 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6925 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6743 double updated = luaL_checknumber(L, 2); 6926 double updated = luaL_checknumber(L, 2);
6927 ASN1_TIME *time;
6744 6928
6745 /* lastUpdate always present */ 6929 if (!(time = ASN1_TIME_set(NULL, updated)))
6746 if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated)) 6930 goto error;
6747 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate"); 6931
6932 if (!X509_CRL_set1_lastUpdate(crl, time))
6933 goto error;
6748 6934
6749 lua_pushboolean(L, 1); 6935 lua_pushboolean(L, 1);
6750 6936
6751 return 1; 6937 return 1;
6938error:
6939 ASN1_TIME_free(time);
6940
6941 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate");
6752} /* xx_setLastUpdate() */ 6942} /* xx_setLastUpdate() */
6753 6943
6754 6944
6755static int xx_getNextUpdate(lua_State *L) { 6945static int xx_getNextUpdate(lua_State *L) {
6756 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6946 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6757 double updateby = INFINITY; 6947 double updateby = INFINITY;
6758 ASN1_TIME *time; 6948 const ASN1_TIME *time;
6759 6949
6760 if ((time = X509_CRL_get_nextUpdate(crl))) 6950 if ((time = X509_CRL_get0_nextUpdate(crl)))
6761 updateby = timeutc(time); 6951 updateby = timeutc(time);
6762 6952
6763 if (isfinite(updateby)) 6953 if (isfinite(updateby))
@@ -6772,30 +6962,19 @@ static int xx_getNextUpdate(lua_State *L) {
6772static int xx_setNextUpdate(lua_State *L) { 6962static int xx_setNextUpdate(lua_State *L) {
6773 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6963 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6774 double updateby = luaL_checknumber(L, 2); 6964 double updateby = luaL_checknumber(L, 2);
6775 ASN1_TIME *time = NULL; 6965 ASN1_TIME *time;
6776
6777 if (X509_CRL_get_nextUpdate(crl)) {
6778 if (!ASN1_TIME_set(X509_CRL_get_nextUpdate(crl), updateby))
6779 goto error;
6780 } else {
6781 if (!(time = ASN1_TIME_new()))
6782 goto error;
6783
6784 if (!(ASN1_TIME_set(time, updateby)))
6785 goto error;
6786 6966
6787 if (!X509_CRL_set_nextUpdate(crl, time)) 6967 if (!(time = ASN1_TIME_set(NULL, updateby)))
6788 goto error; 6968 goto error;
6789 6969
6790 time = NULL; 6970 if (!X509_CRL_set1_nextUpdate(crl, time))
6791 } 6971 goto error;
6792 6972
6793 lua_pushboolean(L, 1); 6973 lua_pushboolean(L, 1);
6794 6974
6795 return 1; 6975 return 1;
6796error: 6976error:
6797 if (time) 6977 ASN1_TIME_free(time);
6798 ASN1_TIME_free(time);
6799 6978
6800 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setNextUpdate"); 6979 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setNextUpdate");
6801} /* xx_setNextUpdate() */ 6980} /* xx_setNextUpdate() */
@@ -7670,11 +7849,6 @@ int luaopen__openssl_pkcs12(lua_State *L) {
7670 * 7849 *
7671 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 7850 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
7672 7851
7673/*
7674 * NOTE: TLS methods and flags were added in tandem. For example, if the
7675 * macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also
7676 * declared and defined.
7677 */
7678static int sx_new(lua_State *L) { 7852static int sx_new(lua_State *L) {
7679 static const char *const opts[] = { 7853 static const char *const opts[] = {
7680 [0] = "SSL", 7854 [0] = "SSL",
@@ -7690,81 +7864,109 @@ static int sx_new(lua_State *L) {
7690 [14] = "DTLSv1_2", [15] = "DTLSv1.2", 7864 [14] = "DTLSv1_2", [15] = "DTLSv1.2",
7691 NULL 7865 NULL
7692 }; 7866 };
7693 /* later versions of SSL declare a const qualifier on the return type */ 7867 int method_enum;
7694 __typeof__(&TLSv1_client_method) method = &TLSv1_client_method;
7695 _Bool srv; 7868 _Bool srv;
7696 SSL_CTX **ud; 7869 SSL_CTX **ud;
7697 int options = 0; 7870 int options = 0;
7698 7871
7699 lua_settop(L, 2); 7872 lua_settop(L, 2);
7873 method_enum = auxL_checkoption(L, 1, "TLS", opts, 1);
7700 srv = lua_toboolean(L, 2); 7874 srv = lua_toboolean(L, 2);
7701 7875
7702 switch (auxL_checkoption(L, 1, "TLS", opts, 1)) { 7876 switch (method_enum) {
7703 case 0: /* SSL */ 7877 case 0: /* SSL */
7704 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7705 options = SSL_OP_NO_SSLv2; 7878 options = SSL_OP_NO_SSLv2;
7706 break; 7879 break;
7707 case 1: /* TLS */ 7880 case 1: /* TLS */
7708 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7709 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; 7881 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
7710 break; 7882 break;
7711#if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD
7712 case 2: /* SSLv2 */ 7883 case 2: /* SSLv2 */
7713 method = (srv)? &SSLv2_server_method : &SSLv2_client_method; 7884 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2;
7714 break; 7885 break;
7715#endif
7716#ifndef OPENSSL_NO_SSL3
7717 case 3: /* SSLv3 */ 7886 case 3: /* SSLv3 */
7718 method = (srv)? &SSLv3_server_method : &SSLv3_client_method; 7887 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
7719 break; 7888 break;
7720#endif
7721 case 4: /* SSLv23 */ 7889 case 4: /* SSLv23 */
7722 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7723 break; 7890 break;
7724 case 5: /* TLSv1 */ 7891 case 5: /* TLSv1 */
7725 case 6: /* TLSv1.0 */ 7892 case 6: /* TLSv1.0 */
7726 method = (srv)? &TLSv1_server_method : &TLSv1_client_method; 7893 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
7727 break; 7894 break;
7728#if defined SSL_OP_NO_TLSv1_1 7895#if defined SSL_OP_NO_TLSv1_1
7729 case 7: /* TLSv1_1 */ 7896 case 7: /* TLSv1_1 */
7730 case 8: /* TLSv1.1 */ 7897 case 8: /* TLSv1.1 */
7731 method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method; 7898 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1;
7732 break; 7899 break;
7733#endif 7900#endif
7734#if defined SSL_OP_NO_TLSv1_2 7901#if defined SSL_OP_NO_TLSv1_2
7735 case 9: /* TLSv1_2 */ 7902 case 9: /* TLSv1_2 */
7736 case 10: /* TLSv1.2 */ 7903 case 10: /* TLSv1.2 */
7737 method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method; 7904 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2;
7738 break; 7905 break;
7739#endif 7906#endif
7740#if HAVE_DTLS_CLIENT_METHOD 7907#if HAVE_DTLS_CLIENT_METHOD
7741 case 11: /* DTLS */ 7908 case 11: /* DTLS */
7742 method = (srv)? &DTLS_server_method : &DTLS_client_method;
7743 break; 7909 break;
7744#endif 7910#ifdef SSL_OP_NO_DTLSv1
7745#if HAVE_DTLSV1_CLIENT_METHOD
7746 case 12: /* DTLSv1 */ 7911 case 12: /* DTLSv1 */
7747 case 13: /* DTLSv1.0 */ 7912 case 13: /* DTLSv1.0 */
7748 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; 7913 options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1;
7749 break; 7914 break;
7750#endif 7915#endif
7751#if HAVE_DTLSV1_2_CLIENT_METHOD 7916#ifdef SSL_OP_NO_DTLSv1_2
7752 case 14: /* DTLSv1_2 */ 7917 case 14: /* DTLSv1_2 */
7753 case 15: /* DTLSv1.2 */ 7918 case 15: /* DTLSv1.2 */
7754 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; 7919 options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2;
7755 break; 7920 break;
7756#endif 7921#endif
7922#endif
7757 default: 7923 default:
7758 return luaL_argerror(L, 1, "invalid option"); 7924 return luaL_argerror(L, 1, "invalid option");
7759 } 7925 }
7760 7926
7761 ud = prepsimple(L, SSL_CTX_CLASS); 7927 ud = prepsimple(L, SSL_CTX_CLASS);
7762 7928
7763 if (!(*ud = SSL_CTX_new(method()))) 7929 switch (method_enum) {
7930 case 0: /* SSL */
7931 case 1: /* TLS */
7932 case 2: /* SSLv2 */
7933 case 3: /* SSLv3 */
7934 case 4: /* SSLv23 */
7935 case 5: /* TLSv1 */
7936 case 6: /* TLSv1.0 */
7937 case 7: /* TLSv1_1 */
7938 case 8: /* TLSv1.1 */
7939 case 9: /* TLSv1_2 */
7940 case 10: /* TLSv1.2 */
7941 *ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method());
7942 break;
7943#if HAVE_DTLS_CLIENT_METHOD
7944 case 11: /* DTLS */
7945 case 12: /* DTLSv1 */
7946 case 13: /* DTLSv1.0 */
7947 case 14: /* DTLSv1_2 */
7948 case 15: /* DTLSv1.2 */
7949 *ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method());
7950 break;
7951#endif
7952 default:
7953 NOTREACHED;
7954 }
7955
7956 if (!*ud)
7764 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); 7957 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
7765 7958
7766 SSL_CTX_set_options(*ud, options); 7959 SSL_CTX_set_options(*ud, options);
7767 7960
7961#if HAVE_SSL_CTX_SET_ECDH_AUTO
7962 /* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select
7963 * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL
7964 * 1.1.0, the functionality was turned on permanently and the option
7965 * removed. */
7966 if (!SSL_CTX_set_ecdh_auto(*ud, 1))
7967 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
7968#endif
7969
7768 return 1; 7970 return 1;
7769} /* sx_new() */ 7971} /* sx_new() */
7770 7972
@@ -7940,6 +8142,21 @@ static int sx_setCipherList(lua_State *L) {
7940} /* sx_setCipherList() */ 8142} /* sx_setCipherList() */
7941 8143
7942 8144
8145#if HAVE_SSL_CTX_SET_CURVES_LIST
8146static int sx_setCurvesList(lua_State *L) {
8147 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
8148 const char *curves = luaL_checkstring(L, 2);
8149
8150 if (!SSL_CTX_set1_curves_list(ctx, curves))
8151 return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList");
8152
8153 lua_pushboolean(L, 1);
8154
8155 return 1;
8156} /* sx_setCurvesList() */
8157#endif
8158
8159
7943static int sx_setEphemeralKey(lua_State *L) { 8160static int sx_setEphemeralKey(lua_State *L) {
7944 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); 8161 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
7945 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); 8162 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -8013,9 +8230,8 @@ static int sx_setAlpnProtos(lua_State *L) {
8013} /* sx_setAlpnProtos() */ 8230} /* sx_setAlpnProtos() */
8014#endif 8231#endif
8015 8232
8016#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8017static SSL *ssl_push(lua_State *, SSL *);
8018 8233
8234#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8019static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *_ctx) { 8235static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *_ctx) {
8020 SSL_CTX *ctx = _ctx; 8236 SSL_CTX *ctx = _ctx;
8021 lua_State *L = NULL; 8237 lua_State *L = NULL;
@@ -8033,12 +8249,12 @@ static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned cha
8033 8249
8034 otop = lua_gettop(L) - n; 8250 otop = lua_gettop(L) - n;
8035 8251
8036 /* TODO: Install temporary panic handler to catch OOM errors */
8037
8038 /* pass SSL object as 1st argument */ 8252 /* pass SSL object as 1st argument */
8039 ssl_push(L, ssl); 8253 if (ssl_pushsafe(L, ssl))
8254 goto fatal;
8040 lua_insert(L, otop + 3); 8255 lua_insert(L, otop + 3);
8041 8256
8257 /* TODO: Install temporary panic handler to catch OOM errors */
8042 /* pass table of protocol names as 2nd argument */ 8258 /* pass table of protocol names as 2nd argument */
8043 pushprotos(L, in, inlen); 8259 pushprotos(L, in, inlen);
8044 lua_insert(L, otop + 4); 8260 lua_insert(L, otop + 4);
@@ -8110,6 +8326,74 @@ static int sx_setAlpnSelect(lua_State *L) {
8110#endif 8326#endif
8111 8327
8112 8328
8329#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
8330static int sx_setHostNameCallback_cb(SSL *ssl, int *ad, void *_ctx) {
8331 SSL_CTX *ctx = _ctx;
8332 lua_State *L = NULL;
8333 size_t n;
8334 int otop, status, ret = SSL_TLSEXT_ERR_ALERT_FATAL;
8335
8336 *ad = SSL_AD_INTERNAL_ERROR;
8337
8338 /* expect at least one value: closure */
8339 if ((n = ex_getdata(&L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx)) < 1)
8340 return SSL_TLSEXT_ERR_ALERT_FATAL;
8341
8342 otop = lua_gettop(L) - n;
8343
8344 /* pass SSL object as 1st argument */
8345 if (ssl_pushsafe(L, ssl))
8346 goto done;
8347
8348 lua_insert(L, otop + 2);
8349
8350 if (LUA_OK != (status = lua_pcall(L, 1 + (n - 1), 2, 0)))
8351 goto done;
8352
8353 /* callback should return a boolean for OK/NOACK
8354 * or nil + an integer for a controlled error
8355 * everything else will be a fatal internal error
8356 */
8357 if (lua_isboolean(L, -2)) {
8358 ret = lua_toboolean(L, -2) ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
8359 } else {
8360 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
8361 if (lua_isnil(L, -2) && lua_isinteger(L, -1))
8362 *ad = lua_tointeger(L, -1);
8363 }
8364
8365done:
8366 lua_settop(L, otop);
8367
8368 return ret;
8369} /* sx_setHostNameCallback_cb() */
8370
8371
8372static int sx_setHostNameCallback(lua_State *L) {
8373 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
8374 int error;
8375
8376 luaL_checktype(L, 2, LUA_TFUNCTION);
8377
8378 if ((error = ex_setdata(L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx, lua_gettop(L) - 1))) {
8379 if (error > 0) {
8380 return luaL_error(L, "unable to set hostname selection callback: %s", aux_strerror(error));
8381 } else if (error == auxL_EOPENSSL && !ERR_peek_error()) {
8382 return luaL_error(L, "unable to set hostname selection callback: Unknown internal error");
8383 } else {
8384 return auxL_error(L, error, "ssl.context:setHostNameCallback");
8385 }
8386 }
8387 SSL_CTX_set_tlsext_servername_callback(ctx, sx_setHostNameCallback_cb);
8388 SSL_CTX_set_tlsext_servername_arg(ctx, ctx);
8389
8390 lua_pushboolean(L, 1);
8391
8392 return 1;
8393} /* sx_setHostNameCallback() */
8394#endif
8395
8396
8113int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp }; 8397int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp };
8114const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL }; 8398const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL };
8115#define checkTLSEXT_STATUSTYPE(L, idx) \ 8399#define checkTLSEXT_STATUSTYPE(L, idx) \
@@ -8122,7 +8406,7 @@ static int sx_setTLSextStatusType(lua_State *L) {
8122 int type = checkTLSEXT_STATUSTYPE(L, 2); 8406 int type = checkTLSEXT_STATUSTYPE(L, 2);
8123 8407
8124 if(!SSL_CTX_set_tlsext_status_type(ctx, type)) 8408 if(!SSL_CTX_set_tlsext_status_type(ctx, type))
8125 return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType"); 8409 return auxL_error(L, auxL_EOPENSSL, "ssl.context:setTLSextStatusType");
8126 8410
8127 lua_pushboolean(L, 1); 8411 lua_pushboolean(L, 1);
8128 8412
@@ -8177,6 +8461,9 @@ static const auxL_Reg sx_methods[] = {
8177 { "setCertificate", &sx_setCertificate }, 8461 { "setCertificate", &sx_setCertificate },
8178 { "setPrivateKey", &sx_setPrivateKey }, 8462 { "setPrivateKey", &sx_setPrivateKey },
8179 { "setCipherList", &sx_setCipherList }, 8463 { "setCipherList", &sx_setCipherList },
8464#if HAVE_SSL_CTX_SET_CURVES_LIST
8465 { "setCurvesList", &sx_setCurvesList },
8466#endif
8180 { "setEphemeralKey", &sx_setEphemeralKey }, 8467 { "setEphemeralKey", &sx_setEphemeralKey },
8181#if HAVE_SSL_CTX_SET_ALPN_PROTOS 8468#if HAVE_SSL_CTX_SET_ALPN_PROTOS
8182 { "setAlpnProtos", &sx_setAlpnProtos }, 8469 { "setAlpnProtos", &sx_setAlpnProtos },
@@ -8184,6 +8471,9 @@ static const auxL_Reg sx_methods[] = {
8184#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB 8471#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8185 { "setAlpnSelect", &sx_setAlpnSelect }, 8472 { "setAlpnSelect", &sx_setAlpnSelect },
8186#endif 8473#endif
8474#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
8475 { "setHostNameCallback", &sx_setHostNameCallback },
8476#endif
8187#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE 8477#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE
8188 { "setTLSextStatusType", &sx_setTLSextStatusType }, 8478 { "setTLSextStatusType", &sx_setTLSextStatusType },
8189#endif 8479#endif
@@ -8374,6 +8664,33 @@ static int ssl_getParam(lua_State *L) {
8374} /* ssl_getParam() */ 8664} /* ssl_getParam() */
8375 8665
8376 8666
8667static int ssl_setVerify(lua_State *L) {
8668 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8669 int mode = luaL_optinteger(L, 2, -1);
8670 int depth = luaL_optinteger(L, 3, -1);
8671
8672 if (mode != -1)
8673 SSL_set_verify(ssl, mode, 0);
8674
8675 if (depth != -1)
8676 SSL_set_verify_depth(ssl, depth);
8677
8678 lua_pushboolean(L, 1);
8679
8680 return 1;
8681} /* ssl_setVerify() */
8682
8683
8684static int ssl_getVerify(lua_State *L) {
8685 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8686
8687 lua_pushinteger(L, SSL_get_verify_mode(ssl));
8688 lua_pushinteger(L, SSL_get_verify_depth(ssl));
8689
8690 return 2;
8691} /* ssl_getVerify() */
8692
8693
8377static int ssl_getVerifyResult(lua_State *L) { 8694static int ssl_getVerifyResult(lua_State *L) {
8378 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8695 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8379 long res = SSL_get_verify_result(ssl); 8696 long res = SSL_get_verify_result(ssl);
@@ -8383,6 +8700,44 @@ static int ssl_getVerifyResult(lua_State *L) {
8383} /* ssl_getVerifyResult() */ 8700} /* ssl_getVerifyResult() */
8384 8701
8385 8702
8703static int ssl_setCertificate(lua_State *L) {
8704 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8705 X509 *crt = X509_dup(checksimple(L, 2, X509_CERT_CLASS));
8706 int ok;
8707
8708 ok = SSL_use_certificate(ssl, crt);
8709 X509_free(crt);
8710
8711 if (!ok)
8712 return auxL_error(L, auxL_EOPENSSL, "ssl:setCertificate");
8713
8714 lua_pushboolean(L, 1);
8715
8716 return 1;
8717} /* ssl_setCertificate() */
8718
8719
8720static int ssl_setPrivateKey(lua_State *L) {
8721 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8722 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
8723 /*
8724 * NOTE: No easy way to dup the key, but a shared reference should
8725 * be okay as keys are less mutable than certificates.
8726 *
8727 * FIXME: SSL_use_PrivateKey will return true even if the
8728 * EVP_PKEY object has no private key. Instead, we'll just get a
8729 * segfault during the SSL handshake. We need to check that a
8730 * private key is actually defined in the object.
8731 */
8732 if (!SSL_use_PrivateKey(ssl, key))
8733 return auxL_error(L, auxL_EOPENSSL, "ssl:setPrivateKey");
8734
8735 lua_pushboolean(L, 1);
8736
8737 return 1;
8738} /* ssl_setPrivateKey() */
8739
8740
8386static int ssl_getPeerCertificate(lua_State *L) { 8741static int ssl_getPeerCertificate(lua_State *L) {
8387 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8742 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8388 X509 **x509 = prepsimple(L, X509_CERT_CLASS); 8743 X509 **x509 = prepsimple(L, X509_CERT_CLASS);
@@ -8433,6 +8788,21 @@ static int ssl_getCipherInfo(lua_State *L) {
8433} /* ssl_getCipherInfo() */ 8788} /* ssl_getCipherInfo() */
8434 8789
8435 8790
8791#if HAVE_SSL_SET_CURVES_LIST
8792static int ssl_setCurvesList(lua_State *L) {
8793 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8794 const char *curves = luaL_checkstring(L, 2);
8795
8796 if (!SSL_set1_curves_list(ssl, curves))
8797 return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList");
8798
8799 lua_pushboolean(L, 1);
8800
8801 return 1;
8802} /* ssl_setCurvesList() */
8803#endif
8804
8805
8436static int ssl_getHostName(lua_State *L) { 8806static int ssl_getHostName(lua_State *L) {
8437 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8807 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8438 const char *host; 8808 const char *host;
@@ -8679,10 +9049,17 @@ static const auxL_Reg ssl_methods[] = {
8679 { "clearOptions", &ssl_clearOptions }, 9049 { "clearOptions", &ssl_clearOptions },
8680 { "setParam", &ssl_setParam }, 9050 { "setParam", &ssl_setParam },
8681 { "getParam", &ssl_getParam }, 9051 { "getParam", &ssl_getParam },
9052 { "setVerify", &ssl_setVerify },
9053 { "getVerify", &ssl_getVerify },
8682 { "getVerifyResult", &ssl_getVerifyResult }, 9054 { "getVerifyResult", &ssl_getVerifyResult },
9055 { "setCertificate", &ssl_setCertificate },
9056 { "setPrivateKey", &ssl_setPrivateKey },
8683 { "getPeerCertificate", &ssl_getPeerCertificate }, 9057 { "getPeerCertificate", &ssl_getPeerCertificate },
8684 { "getPeerChain", &ssl_getPeerChain }, 9058 { "getPeerChain", &ssl_getPeerChain },
8685 { "getCipherInfo", &ssl_getCipherInfo }, 9059 { "getCipherInfo", &ssl_getCipherInfo },
9060#if HAVE_SSL_SET_CURVES_LIST
9061 { "setCurvesList", &ssl_setCurvesList },
9062#endif
8686 { "getHostName", &ssl_getHostName }, 9063 { "getHostName", &ssl_getHostName },
8687 { "setHostName", &ssl_setHostName }, 9064 { "setHostName", &ssl_setHostName },
8688 { "getVersion", &ssl_getVersion }, 9065 { "getVersion", &ssl_getVersion },
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-04 12:59:00 +0000