summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/GNUmakefile134
-rw-r--r--src/compat52.h168
-rw-r--r--src/openssl.c575
-rw-r--r--src/openssl.ssl.context.lua14
-rw-r--r--src/openssl.ssl.lua20
5 files changed, 559 insertions, 352 deletions
diff --git a/src/GNUmakefile b/src/GNUmakefile
index 9e4fde4..e257ba6 100644
--- a/src/GNUmakefile
+++ b/src/GNUmakefile
@@ -16,66 +16,46 @@ include $(d)/../GNUmakefile
16# 16#
17# C O M P I L A T I O N F L A G S 17# C O M P I L A T I O N F L A G S
18# 18#
19OS_$(d) = $(shell $(d)/../mk/vendor.os) 19CPPFLAGS_$(d) = $(ALL_CPPFLAGS) -DHAVE_CONFIG_H -DCOMPAT53_PREFIX=luaossl
20CC_$(d) = $(shell env CC="$(CC) "$(d)/../mk/vendor.cc) 20CFLAGS_$(d) = $(ALL_CFLAGS)
21LUAPATH_$(d) = $(shell env CC="$(CC)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(<D)/../mk/luapath -krxm3 -I$(DESTDIR)$(includedir) -I/usr/include -I/usr/local/include -P$(DESTDIR)$(bindir) -P$(bindir) -L$(DESTDIR)$(libdir) -L$(libdir) -v$(1) $(2)) 21SOFLAGS_$(d) = $(ALL_SOFLAGS)
22 22LDFLAGS_$(d) = $(ALL_LDFLAGS)
23CPPFLAGS_$(d) = $(CPPFLAGS_$(abspath $(@D)/../..)) -DHAVE_CONFIG_H 23LIBS_$(d) = $(ALL_LIBS)
24CFLAGS_$(d) = $(CFLAGS_$(abspath $(@D)/../..))
25LDFLAGS_$(d) = $(LDFLAGS_$(abspath $(@D)/../..))
26SOFLAGS_$(d) = $(SOFLAGS_$(abspath $(@D)/../..))
27
28ifeq ($(CC_$(d)), sunpro)
29CPPFLAGS_$(d) += -DOPENSSL_NO_EC
30endif
31
32LDFLAGS_$(d) += -lssl -lcrypto -lpthread -lm
33
34# NetBSD, FreeBSD, OpenBSD (and presumably descendants) lack any libdl;
35# dlopen, et al are part of libc.
36ifneq ($(patsubst %BSD,BSD,$(OS_$(d))), BSD)
37LDFLAGS_$(d) += -ldl
38endif
39
40 24
41# 25#
42# C O M P I L A T I O N R U L E S 26# C O M P I L A T I O N R U L E S
43# 27#
28OBJS_$(d) = openssl.o ../vendor/compat53/c-api/compat-5.3.o
29
44$(d)/config.h: $(abspath $(d)/..)/config.h 30$(d)/config.h: $(abspath $(d)/..)/config.h
45 $(CP) $< $@ 31 $(CP) $< $@
46 32
47define BUILD_$(d) 33define BUILD_$(d)
48 34
49.SECONDARY: liblua$(1)-openssl openssl$(1) 35$$(d)/$(1)/openssl.so: $$(addprefix $$(d)/$(1)/, $$(OBJS_$(d)))
36 $$(CC) -o $$@ $$^ $$(SOFLAGS_$$(abspath $$(@D)/..)) $$(LDFLAGS_$$(abspath $$(@D)/..)) $$(LIBS_$$(abspath $$(@D)/..))
50 37
51$$(d)/$(1)/openssl.so: $$(d)/$(1)/openssl.o 38$$(d)/$(1)/%.o: $$(d)/%.c $$(d)/../vendor/compat53/c-api/compat-5.3.h $$(d)/config.h
52 $$(CC) -o $$@ $$^ $$(SOFLAGS_$$(abspath $$(@D)/..)) $$(SOFLAGS) $$(LDFLAGS_$$(abspath $$(@D)/..)) $$(LDFLAGS)
53
54$$(d)/$(1)/openssl.o: $$(d)/openssl.c $$(d)/compat52.h $$(d)/config.h
55 test "$$(notdir $$(@D))" = "$$(call LUAPATH_$$(<D), $$(notdir $$(@D)), version)"
56 $$(MKDIR) -p $$(@D) 39 $$(MKDIR) -p $$(@D)
57 $$(CC) $$(CFLAGS_$$(<D)) $$(CFLAGS) $$(call LUAPATH_$$(<D), $$(notdir $$(@D)), cppflags) $$(CPPFLAGS_$$(<D)) $$(CPPFLAGS) -c -o $$@ $$< 40 $$(CC) $$(CFLAGS_$$(<D)) $$(ALL_LUA$(subst .,,$(1))_CPPFLAGS) $$(CPPFLAGS_$$(<D)) -c -o $$@ $$<
41
42.SECONDARY: liblua$(1)-openssl openssl$(1) openssl
58 43
59liblua$(1)-openssl openssl$(1): $$(d)/$(1)/openssl.so 44liblua$(1)-openssl openssl$(1) openssl: $$(d)/$(1)/openssl.so
60 45
61endef # BUILD_$(d) 46endef # BUILD_$(d)
62 47
63$(eval $(call BUILD_$(d),5.1)) 48$(eval $(call BUILD_$(d),5.1))
64
65$(eval $(call BUILD_$(d),5.2)) 49$(eval $(call BUILD_$(d),5.2))
66
67$(eval $(call BUILD_$(d),5.3)) 50$(eval $(call BUILD_$(d),5.3))
68 51
69ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" "" 52ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" ""
70.SECONDARY: all5.1 all5.2 all 53.SECONDARY: all all5.1 all5.2 all5.3
71 54
72all5.1: liblua5.1-openssl 55all5.1: liblua5.1-openssl
73
74all5.2: liblua5.2-openssl 56all5.2: liblua5.2-openssl
75
76all5.3: liblua5.3-openssl 57all5.3: liblua5.3-openssl
77 58all: $(foreach API,$(strip $(LUA_APIS)),all$(API))
78all: all5.1 all5.2
79 59
80endif 60endif
81 61
@@ -85,8 +65,6 @@ endif
85# 65#
86define INSTALL_$(d) 66define INSTALL_$(d)
87 67
88LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true)
89
90MODS$(1)_$(d) = \ 68MODS$(1)_$(d) = \
91 $$(DESTDIR)$(2)/_openssl.so \ 69 $$(DESTDIR)$(2)/_openssl.so \
92 $$(DESTDIR)$(3)/openssl.lua \ 70 $$(DESTDIR)$(3)/openssl.lua \
@@ -116,42 +94,34 @@ MODS$(1)_$(d) = \
116 94
117.SECONDARY: liblua$(1)-openssl-install openssl$(1)-install 95.SECONDARY: liblua$(1)-openssl-install openssl$(1)-install
118 96
119$$(DESTDIR)$(2)/_openssl.so: $$(d)/$(1)/openssl.so 97liblua$(1)-openssl-install openssl$(1)-install: $$(MODS$(1)_$$(d))
120 $$(MKDIR) -p $$(@D)
121 $$(CP) -fp $$< $$@
122 98
123$$(DESTDIR)$(3)/openssl.lua: $$(d)/openssl.lua 99$$(DESTDIR)$(2)/_openssl.so: $$(d)/$(1)/openssl.so
124 $$(LUAC$(1)_$(d)) -p $$<
125 $$(MKDIR) -p $$(@D) 100 $$(MKDIR) -p $$(@D)
126 $$(CP) -p $$< $$@ 101 $$(CP) -p $$< $$@
127 102
128$$(DESTDIR)$(3)/openssl/%.lua: $$(d)/openssl.%.lua 103$$(DESTDIR)$(3)/%.lua: $$(d)/%.lua
129 $$(LUAC$(1)_$(d)) -p $$< 104 $$(LUAC$(subst .,,$(1))) -p $$<
130 $$(MKDIR) -p $$(@D) 105 $$(MKDIR) -p $$(@D)
131 $$(CP) -p $$< $$@ 106 $$(CP) -p $$< $$@
132 107
133# pubkey.lua used to be symbolic link to pkey.lua, but that caused packaging 108$$(DESTDIR)$(3)/openssl/%.lua: $$(d)/openssl.%.lua
134# headaches. Now it's a stub, but the cp -p in the inference rule will copy 109 $$(LUAC$(subst .,,$(1))) -p $$<
135# to the target of the symbolic link, so we need a special install rule to
136# clean up the mess.
137$$(DESTDIR)$(3)/openssl/pubkey.lua: $$(d)/openssl.pubkey.lua
138 $$(LUAC$(1)_$(d)) -p $$<
139 $$(MKDIR) -p $$(@D) 110 $$(MKDIR) -p $$(@D)
140 $$(RM) -f $$@
141 $$(CP) -p $$< $$@ 111 $$(CP) -p $$< $$@
142 112
143$$(DESTDIR)$(3)/openssl/x509/%.lua: $$(d)/openssl.x509.%.lua 113$$(DESTDIR)$(3)/openssl/ocsp/%.lua: $$(d)/ocsp.%.lua
144 $$(LUAC$(1)_$(d)) -p $$< 114 $$(LUAC$(subst .,,$(1))) -p $$<
145 $$(MKDIR) -p $$(@D) 115 $$(MKDIR) -p $$(@D)
146 $$(CP) -p $$< $$@ 116 $$(CP) -p $$< $$@
147 117
148$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/openssl.ssl.%.lua 118$$(DESTDIR)$(3)/openssl/x509/%.lua: $$(d)/x509.%.lua
149 $$(LUAC$(1)_$(d)) -p $$< 119 $$(LUAC$(subst .,,$(1))) -p $$<
150 $$(MKDIR) -p $$(@D) 120 $$(MKDIR) -p $$(@D)
151 $$(CP) -p $$< $$@ 121 $$(CP) -p $$< $$@
152 122
153$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/openssl.ssl.%.lua 123$$(DESTDIR)$(3)/openssl/ssl/%.lua: $$(d)/ssl.%.lua
154 $$(LUAC$(1)_$(d)) -p $$< 124 $$(LUAC$(subst .,,$(1))) -p $$<
155 $$(MKDIR) -p $$(@D) 125 $$(MKDIR) -p $$(@D)
156 $$(CP) -p $$< $$@ 126 $$(CP) -p $$< $$@
157 127
@@ -161,6 +131,7 @@ liblua$(1)-openssl-install openssl$(1)-install: $$(MODS$(1)_$$(d))
161 131
162liblua$(1)-openssl-uninstall openssl$(1)-uninstall: 132liblua$(1)-openssl-uninstall openssl$(1)-uninstall:
163 $$(RM) -f $$(MODS$(1)_$(d)) 133 $$(RM) -f $$(MODS$(1)_$(d))
134 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/ocsp
164 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/x509 135 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/x509
165 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/ssl 136 -$$(RMDIR) $$(DESTDIR)$(3)/openssl/ssl
166 -$$(RMDIR) $$(DESTDIR)$(3)/openssl 137 -$$(RMDIR) $$(DESTDIR)$(3)/openssl
@@ -168,31 +139,24 @@ liblua$(1)-openssl-uninstall openssl$(1)-uninstall:
168endef # INSTALL_$(d) 139endef # INSTALL_$(d)
169 140
170$(eval $(call INSTALL_$(d),5.1,$$(lua51cpath),$$(lua51path))) 141$(eval $(call INSTALL_$(d),5.1,$$(lua51cpath),$$(lua51path)))
171
172$(eval $(call INSTALL_$(d),5.2,$$(lua52cpath),$$(lua52path))) 142$(eval $(call INSTALL_$(d),5.2,$$(lua52cpath),$$(lua52path)))
173
174$(eval $(call INSTALL_$(d),5.3,$$(lua53cpath),$$(lua53path))) 143$(eval $(call INSTALL_$(d),5.3,$$(lua53cpath),$$(lua53path)))
175 144
176ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" "" 145ifneq "$(filter $(abspath $(d)/..)/%, $(abspath $(firstword $(MAKEFILE_LIST))))" ""
146
177.SECONDARY: install5.1 install5.2 install5.3 install 147.SECONDARY: install5.1 install5.2 install5.3 install
178 148
179install5.1: liblua5.1-openssl-install 149install5.1: liblua5.1-openssl-install
180
181install5.2: liblua5.2-openssl-install 150install5.2: liblua5.2-openssl-install
182
183install5.3: liblua5.3-openssl-install 151install5.3: liblua5.3-openssl-install
184 152install: $(foreach API,$(strip $(LUA_APIS)),install$(API))
185install: install5.1 install5.2
186 153
187.PHONY: uninstall5.1 uninstall5.2 uninstall5.3 uninstall 154.PHONY: uninstall5.1 uninstall5.2 uninstall5.3 uninstall
188 155
189uninstall5.1: liblua5.1-openssl-uninstall 156uninstall5.1: liblua5.1-openssl-uninstall
190
191uninstall5.2: liblua5.2-openssl-uninstall 157uninstall5.2: liblua5.2-openssl-uninstall
192
193uninstall5.3: liblua5.3-openssl-uninstall 158uninstall5.3: liblua5.3-openssl-uninstall
194 159uninstall: $(foreach API,$(strip $(LUA_APIS)),uninstall$(API))
195uninstall: uninstall5.1 uninstall5.2
196 160
197endif 161endif
198 162
@@ -203,7 +167,7 @@ endif
203.PHONY: $(d)/clean $(d)/clean~ clean clean~ 167.PHONY: $(d)/clean $(d)/clean~ clean clean~
204 168
205$(d)/clean: 169$(d)/clean:
206 $(RM) -fr $(@D)/*.so $(@D)/*.o $(@D)/*.dSYM $(@D)/5.1 $(@D)/5.2 $(@D)/5.3 170 $(RM) -fr $(@D)/config.h $(@D)/*.dSYM $(@D)/5.1 $(@D)/5.2 $(@D)/5.3
207 171
208$(d)/clean~: $(d)/clean 172$(d)/clean~: $(d)/clean
209 $(RM) -f $(@D)/*~ 173 $(RM) -f $(@D)/*~
@@ -220,27 +184,27 @@ clean~: $(d)/clean~
220 184
221$(d)/help: 185$(d)/help:
222 @echo 186 @echo
223 @echo "ext/ targets:" 187 @echo "src/ targets:"
224 @echo "" 188 @echo ""
225 @echo " all - build all binary targets" 189 @echo " all - build all API targets"
226 @echo "openssl - invokes openssl5.1 and openssl5.2" 190 @echo " all5.1 - build 5.1/openssl.so"
227 @echo "openssl5.1 - build 5.1/openssl.so" 191 @echo " all5.2 - build 5.2/openssl.so"
228 @echo "openssl5.2 - build 5.2/openssl.so" 192 @echo " all5.3 - build 5.3/openssl.so"
229 @echo "openssl5.3 - build 5.3/openssl.so" 193 @echo " install - install all API targets"
230 @echo "install - invokes install5.1 and install5.2" 194 @echo " install5.1 - install openssl Lua 5.1 modules"
231 @echo "install5.1 - install openssl Lua 5.1 modules" 195 @echo " install5.2 - install openssl Lua 5.2 modules"
232 @echo "install5.2 - install openssl Lua 5.2 modules" 196 @echo " install5.3 - install openssl Lua 5.3 modules"
233 @echo "install5.3 - install openssl Lua 5.3 modules" 197 @echo " uninstall - uninstall all API targets"
234 @echo "uninstall - invokes uninstall5.1 and uninstall5.2"
235 @echo "uninstall5.1 - uninstall openssl Lua 5.1 modules" 198 @echo "uninstall5.1 - uninstall openssl Lua 5.1 modules"
236 @echo "uninstall5.2 - uninstall openssl Lua 5.2 modules" 199 @echo "uninstall5.2 - uninstall openssl Lua 5.2 modules"
237 @echo "uninstall5.3 - uninstall openssl Lua 5.3 modules" 200 @echo "uninstall5.3 - uninstall openssl Lua 5.3 modules"
238 @echo " clean - rm binary targets, object files, debugging symbols, etc" 201 @echo " clean - rm binary targets, object files, debugging symbols, etc"
239 @echo " clean~ - clean + rm *~" 202 @echo " clean~ - clean + rm *~"
240 @echo " help - echo this help message" 203 @echo " help - echo this help message"
241 @echo "" 204 @echo ""
242 @echo "Some important Make variables:" 205 @echo "Some important Make variables:"
243 @echo "" 206 @echo ""
207 @echo ' LUA_APIS - default Lua APIs to target ($(LUA_APIS))'
244 @echo " prefix - path to install root ($(value prefix))" 208 @echo " prefix - path to install root ($(value prefix))"
245 @echo ' lua51path - install path for Lua 5.1 modules ($(value lua51path))' 209 @echo ' lua51path - install path for Lua 5.1 modules ($(value lua51path))'
246 @echo 'lua51cpath - install path for Lua 5.1 C modules ($(value lua51cpath))' 210 @echo 'lua51cpath - install path for Lua 5.1 C modules ($(value lua51cpath))'
@@ -249,6 +213,10 @@ $(d)/help:
249 @echo ' lua53path - install path for Lua 5.3 modules ($(value lua53path))' 213 @echo ' lua53path - install path for Lua 5.3 modules ($(value lua53path))'
250 @echo 'lua53cpath - install path for Lua 5.3 C modules ($(value lua53cpath))' 214 @echo 'lua53cpath - install path for Lua 5.3 C modules ($(value lua53cpath))'
251 @echo "" 215 @echo ""
216 @echo 'LUA51_CPPFLAGS - cpp flags for Lua 5.1 headers ($(LUA51_CPPFLAGS))'
217 @echo 'LUA52_CPPFLAGS - cpp flags for Lua 5.2 headers ($(LUA52_CPPFLAGS))'
218 @echo 'LUA53_CPPFLAGS - cpp flags for Lua 5.3 headers ($(LUA53_CPPFLAGS))'
219 @echo ""
252 @echo "(NOTE: all the common GNU-style paths are supported, including" 220 @echo "(NOTE: all the common GNU-style paths are supported, including"
253 @echo "prefix, bindir, libdir, datadir, includedir, and DESTDIR.)" 221 @echo "prefix, bindir, libdir, datadir, includedir, and DESTDIR.)"
254 @echo "" 222 @echo ""
diff --git a/src/compat52.h b/src/compat52.h
deleted file mode 100644
index 163aecb..0000000
--- a/src/compat52.h
+++ /dev/null
@@ -1,168 +0,0 @@
1/* ==========================================================================
2 * compat52.h - Routines for Lua 5.2 compatibility
3 * --------------------------------------------------------------------------
4 * Copyright (c) 2012 William Ahern
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a
7 * copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to permit
11 * persons to whom the Software is furnished to do so, subject to the
12 * following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included
15 * in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
18 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
20 * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
21 * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
22 * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
23 * USE OR OTHER DEALINGS IN THE SOFTWARE.
24 * ==========================================================================
25 */
26
27
28#if LUA_VERSION_NUM < 503
29
30#define lua_getfield(L, i, f) (lua_getfield(L, (i), (f)), lua_type(L, -1))
31
32#endif
33
34#if LUA_VERSION_NUM < 502
35
36#define LUA_OK 0
37
38
39static void luaL_setmetatable(lua_State *L, const char *tname) {
40 luaL_getmetatable(L, tname);
41 lua_setmetatable(L, -2);
42} /* luaL_setmetatable() */
43
44
45static int lua_absindex(lua_State *L, int idx) {
46 return (idx > 0 || idx <= LUA_REGISTRYINDEX)? idx : lua_gettop(L) + idx + 1;
47} /* lua_absindex() */
48
49
50static void *luaL_testudata(lua_State *L, int arg, const char *tname) {
51 void *p = lua_touserdata(L, arg);
52 int eq;
53
54 if (!p || !lua_getmetatable(L, arg))
55 return 0;
56
57 luaL_getmetatable(L, tname);
58 eq = lua_rawequal(L, -2, -1);
59 lua_pop(L, 2);
60
61 return (eq)? p : 0;
62} /* luaL_testudate() */
63
64
65static void luaL_setfuncs(lua_State *L, const luaL_Reg *l, int nup) {
66 int i, t = lua_absindex(L, -1 - nup);
67
68 for (; l->name; l++) {
69 for (i = 0; i < nup; i++)
70 lua_pushvalue(L, -nup);
71 lua_pushcclosure(L, l->func, nup);
72 lua_setfield(L, t, l->name);
73 }
74
75 lua_pop(L, nup);
76} /* luaL_setfuncs() */
77
78
79#define luaL_newlibtable(L, l) \
80 lua_createtable(L, 0, (sizeof (l) / sizeof *(l)) - 1)
81
82#define luaL_newlib(L, l) \
83 (luaL_newlibtable((L), (l)), luaL_setfuncs((L), (l), 0))
84
85
86static void luaL_requiref(lua_State *L, const char *modname, lua_CFunction openf, int glb) {
87 lua_pushcfunction(L, openf);
88 lua_pushstring(L, modname);
89 lua_call(L, 1, 1);
90
91 lua_getglobal(L, "package");
92 lua_getfield(L, -1, "loaded");
93 lua_pushvalue(L, -3);
94 lua_setfield(L, -2, modname);
95
96 lua_pop(L, 2);
97
98 if (glb) {
99 lua_pushvalue(L, -1);
100 lua_setglobal(L, modname);
101 }
102} /* luaL_requiref() */
103
104
105#define lua_resume(L, from, nargs) lua_resume((L), (nargs))
106
107
108static void lua_rawgetp(lua_State *L, int index, const void *p) {
109 index = lua_absindex(L, index);
110 lua_pushlightuserdata(L, (void *)p);
111 lua_rawget(L, index);
112} /* lua_rawgetp() */
113
114static void lua_rawsetp(lua_State *L, int index, const void *p) {
115 index = lua_absindex(L, index);
116 lua_pushlightuserdata(L, (void *)p);
117 lua_pushvalue(L, -2);
118 lua_rawset(L, index);
119 lua_pop(L, 1);
120} /* lua_rawsetp() */
121
122
123#ifndef LUA_UNSIGNED
124#define LUA_UNSIGNED unsigned
125#endif
126
127typedef LUA_UNSIGNED lua_Unsigned;
128
129
130static void lua_pushunsigned(lua_State *L, lua_Unsigned n) {
131 lua_pushnumber(L, (lua_Number)n);
132} /* lua_pushunsigned() */
133
134static lua_Unsigned luaL_checkunsigned(lua_State *L, int arg) {
135 return (lua_Unsigned)luaL_checknumber(L, arg);
136} /* luaL_checkunsigned() */
137
138
139static lua_Unsigned luaL_optunsigned(lua_State *L, int arg, lua_Unsigned def) {
140 return (lua_Unsigned)luaL_optnumber(L, arg, (lua_Number)def);
141} /* luaL_optunsigned() */
142
143
144#ifndef LUA_FILEHANDLE /* Not defined by earlier LuaJIT releases */
145#define LUA_FILEHANDLE "FILE*"
146#endif
147
148/*
149 * Lua 5.1 userdata is a simple FILE *, while LuaJIT is a struct with the
150 * first member a FILE *, similar to Lua 5.2.
151 */
152typedef struct luaL_Stream {
153 FILE *f;
154} luaL_Stream;
155
156
157#define lua_rawlen(...) lua_objlen(__VA_ARGS__)
158
159
160#define lua_pushstring(...) lua52_pushstring(__VA_ARGS__)
161
162static const char *lua52_pushstring(lua_State *L, const char *s) {
163 (lua_pushstring)(L, s);
164 return lua_tostring(L, -1);
165} /* lua52_pushstring() */
166
167
168#endif /* LUA_VERSION_NUM < 502 */
diff --git a/src/openssl.c b/src/openssl.c
index 9fc5b97..1b11207 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -75,7 +75,7 @@
75#include <lualib.h> 75#include <lualib.h>
76#include <lauxlib.h> 76#include <lauxlib.h>
77 77
78#include "compat52.h" 78#include "../vendor/compat53/c-api/compat-5.3.h"
79 79
80#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p)) 80#define GNUC_2VER(M, m, p) (((M) * 10000) + ((m) * 100) + (p))
81#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p))) 81#define GNUC_PREREQ(M, m, p) (__GNUC__ > 0 && GNUC_2VER(__GNUC__, __GNUC_MINOR__, __GNUC_PATCHLEVEL__) >= GNUC_2VER((M), (m), (p)))
@@ -83,11 +83,16 @@
83#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p)) 83#define MSC_2VER(M, m, p) ((((M) + 6) * 10000000) + ((m) * 1000000) + (p))
84#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p))) 84#define MSC_PREREQ(M, m, p) (_MSC_FULL_VER > 0 && _MSC_FULL_VER >= MSC_2VER((M), (m), (p)))
85 85
86#define OPENSSL_PREREQ(M, m, p) \ 86#ifdef LIBRESSL_VERSION_NUMBER
87 (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER) 87#define OPENSSL_PREREQ(M, m, p) (0)
88
89#define LIBRESSL_PREREQ(M, m, p) \ 88#define LIBRESSL_PREREQ(M, m, p) \
90 (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12))) 89 (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
90#else
91#define OPENSSL_PREREQ(M, m, p) \
92 (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
93#define LIBRESSL_PREREQ(M, m, p) (0)
94#endif
95
91 96
92#ifndef __has_builtin 97#ifndef __has_builtin
93#define __has_builtin(x) 0 98#define __has_builtin(x) 0
@@ -146,7 +151,11 @@
146#endif 151#endif
147 152
148#ifndef HAVE_DTLSV1_CLIENT_METHOD 153#ifndef HAVE_DTLSV1_CLIENT_METHOD
149#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1) 154#ifdef OPENSSL_NO_DTLS1
155#define HAVE_DTLSV1_CLIENT_METHOD (0)
156#else
157#define HAVE_DTLSV1_CLIENT_METHOD (1)
158#endif
150#endif 159#endif
151 160
152#ifndef HAVE_DTLSV1_SERVER_METHOD 161#ifndef HAVE_DTLSV1_SERVER_METHOD
@@ -154,7 +163,11 @@
154#endif 163#endif
155 164
156#ifndef HAVE_DTLS_CLIENT_METHOD 165#ifndef HAVE_DTLS_CLIENT_METHOD
157#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) 166#ifdef OPENSSL_NO_DTLS1
167#define HAVE_DTLS_CLIENT_METHOD (0)
168#else
169#define HAVE_DTLS_CLIENT_METHOD OPENSSL_PREREQ(1,0,2)
170#endif
158#endif 171#endif
159 172
160#ifndef HAVE_DTLS_SERVER_METHOD 173#ifndef HAVE_DTLS_SERVER_METHOD
@@ -162,7 +175,11 @@
162#endif 175#endif
163 176
164#ifndef HAVE_DTLSV1_2_CLIENT_METHOD 177#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
165#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1,0,2) && !defined OPENSSL_NO_DTLS1) 178#ifdef OPENSSL_NO_DTLS1
179#define HAVE_DTLSV1_2_CLIENT_METHOD (0)
180#else
181#define HAVE_DTLSV1_2_CLIENT_METHOD OPENSSL_PREREQ(1,0,2)
182#endif
166#endif 183#endif
167 184
168#ifndef HAVE_DTLSV1_2_SERVER_METHOD 185#ifndef HAVE_DTLSV1_2_SERVER_METHOD
@@ -229,10 +246,6 @@
229#define HAVE_RSA_GET0_KEY OPENSSL_PREREQ(1,1,0) 246#define HAVE_RSA_GET0_KEY OPENSSL_PREREQ(1,1,0)
230#endif 247#endif
231 248
232#ifndef HAVE_RSA_PKCS1_PSS_PADDING
233#define HAVE_RSA_PKCS1_PSS_PADDING (defined RSA_PKCS1_PSS_PADDING || OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0))
234#endif
235
236#ifndef HAVE_RSA_SET0_CRT_PARAMS 249#ifndef HAVE_RSA_SET0_CRT_PARAMS
237#define HAVE_RSA_SET0_CRT_PARAMS OPENSSL_PREREQ(1,1,0) 250#define HAVE_RSA_SET0_CRT_PARAMS OPENSSL_PREREQ(1,1,0)
238#endif 251#endif
@@ -253,6 +266,14 @@
253#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2) 266#define HAVE_SSL_CTX_GET0_PARAM OPENSSL_PREREQ(1,0,2)
254#endif 267#endif
255 268
269#ifndef HAVE_SSL_CTX_SET_CURVES_LIST
270#define HAVE_SSL_CTX_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
271#endif
272
273#ifndef HAVE_SSL_CTX_SET_ECDH_AUTO
274#define HAVE_SSL_CTX_SET_ECDH_AUTO ((OPENSSL_PREREQ(1,0,2) && !OPENSSL_PREREQ(1,1,0)) || LIBRESSL_PREREQ(2,1,2))
275#endif
276
256#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS 277#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
257#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3)) 278#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,1,3))
258#endif 279#endif
@@ -261,6 +282,10 @@
261#define HAVE_SSL_CTX_SET_ALPN_SELECT_CB HAVE_SSL_CTX_SET_ALPN_PROTOS 282#define HAVE_SSL_CTX_SET_ALPN_SELECT_CB HAVE_SSL_CTX_SET_ALPN_PROTOS
262#endif 283#endif
263 284
285#ifndef HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
286#define HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK OPENSSL_PREREQ(1,0,0)
287#endif
288
264#ifndef HAVE_SSL_CTX_SET1_CERT_STORE 289#ifndef HAVE_SSL_CTX_SET1_CERT_STORE
265#define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */ 290#define HAVE_SSL_CTX_SET1_CERT_STORE (HAVE_SSL_CTX_set1_cert_store || 0) /* backwards compatible with old macro name */
266#endif 291#endif
@@ -293,6 +318,10 @@
293#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS 318#define HAVE_SSL_SET_ALPN_PROTOS HAVE_SSL_CTX_SET_ALPN_PROTOS
294#endif 319#endif
295 320
321#ifndef HAVE_SSL_SET_CURVES_LIST
322#define HAVE_SSL_SET_CURVES_LIST (OPENSSL_PREREQ(1,0,2) || LIBRESSL_PREREQ(2,5,1))
323#endif
324
296#ifndef HAVE_SSL_SET1_PARAM 325#ifndef HAVE_SSL_SET1_PARAM
297#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2) 326#define HAVE_SSL_SET1_PARAM OPENSSL_PREREQ(1,0,2)
298#endif 327#endif
@@ -309,12 +338,32 @@
309#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0) 338#define HAVE_SSL_UP_REF OPENSSL_PREREQ(1,1,0)
310#endif 339#endif
311 340
312#ifndef HAVE_SSLV2_CLIENT_METHOD 341#ifndef HAVE_SSL_OP_NO_SSL_MASK
313#define HAVE_SSLV2_CLIENT_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) 342#define HAVE_SSL_OP_NO_SSL_MASK OPENSSL_PREREQ(1,0,2)
314#endif 343#endif
315 344
316#ifndef HAVE_SSLV2_SERVER_METHOD 345#ifndef HAVE_SSL_OP_NO_DTLS_MASK
317#define HAVE_SSLV2_SERVER_METHOD (!OPENSSL_PREREQ(1,1,0) && !defined OPENSSL_NO_SSL2) 346#define HAVE_SSL_OP_NO_DTLS_MASK OPENSSL_PREREQ(1,1,0)
347#endif
348
349#ifndef HAVE_STACK_OPENSSL_STRING_FUNCS
350#define HAVE_STACK_OPENSSL_STRING_FUNCS (OPENSSL_PREREQ(1,0,0) || LIBRESSL_PREREQ(2,0,0))
351#endif
352
353#ifndef HAVE_X509_CRL_GET0_LASTUPDATE
354#define HAVE_X509_CRL_GET0_LASTUPDATE OPENSSL_PREREQ(1,1,0)
355#endif
356
357#ifndef HAVE_X509_CRL_GET0_NEXTUPDATE
358#define HAVE_X509_CRL_GET0_NEXTUPDATE OPENSSL_PREREQ(1,1,0)
359#endif
360
361#ifndef HAVE_X509_CRL_SET1_LASTUPDATE
362#define HAVE_X509_CRL_SET1_LASTUPDATE OPENSSL_PREREQ(1,1,0)
363#endif
364
365#ifndef HAVE_X509_CRL_SET1_NEXTUPDATE
366#define HAVE_X509_CRL_SET1_NEXTUPDATE OPENSSL_PREREQ(1,1,0)
318#endif 367#endif
319 368
320#ifndef HAVE_X509_GET_SIGNATURE_NID 369#ifndef HAVE_X509_GET_SIGNATURE_NID
@@ -358,7 +407,11 @@
358#endif 407#endif
359 408
360#ifndef STRERROR_R_CHAR_P 409#ifndef STRERROR_R_CHAR_P
361#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))) 410#ifdef __GLIBC__
411#define STRERROR_R_CHAR_P (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))
412#else
413#define STRERROR_R_CHAR_P (0)
414#endif
362#endif 415#endif
363 416
364#ifndef LIST_HEAD 417#ifndef LIST_HEAD
@@ -678,6 +731,44 @@ static void *loadfield_udata(lua_State *L, int index, const char *k, const char
678} /* loadfield_udata() */ 731} /* loadfield_udata() */
679 732
680 733
734/* Forward declaration */
735static SSL *ssl_push(lua_State *, SSL *);
736
737/* push an ssl object into lua in a way that is safe from OOM
738 * Lua 5.1 does not support normally returning values from lua_cpcall
739 * to return a value, we instead return it via an error object
740 */
741static int ssl_pushsafe_helper(lua_State *L) {
742 ssl_push(L, lua_touserdata(L, 1));
743#if LUA_VERSION_NUM <= 501
744 return lua_error(L);
745#else
746 return 1;
747#endif
748}
749
750static int ssl_pushsafe(lua_State *L, SSL *ssl) {
751 int status;
752#if LUA_VERSION_NUM <= 501
753 status = lua_cpcall(L, ssl_pushsafe_helper, ssl);
754 if (status == LUA_ERRRUN)
755 status = LUA_OK;
756 else if (status == LUA_OK)
757 /* this should be impossible */
758 status = LUA_ERRRUN;
759 else
760 lua_pop(L, 1);
761#else
762 lua_pushcfunction(L, ssl_pushsafe_helper);
763 lua_pushlightuserdata(L, ssl);
764 status = lua_pcall(L, 1, 1, 0);
765 if (status != LUA_OK)
766 lua_pop(L, 1);
767#endif
768 return status;
769}
770
771
681/* 772/*
682 * Auxiliary C routines 773 * Auxiliary C routines
683 * 774 *
@@ -1623,6 +1714,22 @@ static int compat_SSL_up_ref(SSL *ssl) {
1623} /* compat_SSL_up_ref() */ 1714} /* compat_SSL_up_ref() */
1624#endif 1715#endif
1625 1716
1717#if !HAVE_SSL_OP_NO_SSL_MASK
1718/* SSL_OP_NO_SSL_MASK was introduced in 1.0.2
1719 1.0.1 had up to TLSv1_2
1720 0.9.8-1.0.0 had up to TLSv1
1721*/
1722#ifdef SSL_OP_NO_TLSv1_2
1723#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
1724#else
1725#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1)
1726#endif
1727#endif
1728
1729#if !HAVE_SSL_OP_NO_DTLS_MASK && HAVE_DTLS_CLIENT_METHOD
1730#define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
1731#endif
1732
1626#if !HAVE_SSL_CTX_GET0_PARAM 1733#if !HAVE_SSL_CTX_GET0_PARAM
1627#define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx)) 1734#define SSL_CTX_get0_param(ctx) compat_SSL_CTX_get0_param((ctx))
1628 1735
@@ -1639,6 +1746,12 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
1639} /* compat_SSL_CTX_set1_param() */ 1746} /* compat_SSL_CTX_set1_param() */
1640#endif 1747#endif
1641 1748
1749#if !HAVE_STACK_OPENSSL_STRING_FUNCS
1750#define sk_OPENSSL_STRING_num(s) sk_num(s)
1751#define sk_OPENSSL_STRING_value(s, i) sk_value((s), (i))
1752#define sk_OPENSSL_STRING_free(s) X509_email_free(s)
1753#endif
1754
1642#if !HAVE_X509_GET0_EXT 1755#if !HAVE_X509_GET0_EXT
1643#define X509_get0_ext(crt, i) X509_get_ext((crt), (i)) 1756#define X509_get0_ext(crt, i) X509_get_ext((crt), (i))
1644#endif 1757#endif
@@ -1651,6 +1764,22 @@ static int compat_SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) {
1651#define X509_CRL_get0_ext(crt, i) X509_CRL_get_ext((crt), (i)) 1764#define X509_CRL_get0_ext(crt, i) X509_CRL_get_ext((crt), (i))
1652#endif 1765#endif
1653 1766
1767#if !HAVE_X509_CRL_GET0_LASTUPDATE
1768#define X509_CRL_get0_lastUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_lastUpdate(crl))
1769#endif
1770
1771#if !HAVE_X509_CRL_GET0_NEXTUPDATE
1772#define X509_CRL_get0_nextUpdate(crl) ((const ASN1_TIME*)X509_CRL_get_nextUpdate(crl))
1773#endif
1774
1775#if !HAVE_X509_CRL_SET1_LASTUPDATE
1776#define X509_CRL_set1_lastUpdate(crl, s) X509_CRL_set_lastUpdate((crl), (ASN1_TIME*)(s))
1777#endif
1778
1779#if !HAVE_X509_CRL_SET1_NEXTUPDATE
1780#define X509_CRL_set1_nextUpdate(crl, s) X509_CRL_set_nextUpdate((crl), (ASN1_TIME*)(s))
1781#endif
1782
1654#if !HAVE_X509_EXTENSION_GET0_OBJECT 1783#if !HAVE_X509_EXTENSION_GET0_OBJECT
1655#define X509_EXTENSION_get0_object(ext) X509_EXTENSION_get_object((ext)) 1784#define X509_EXTENSION_get0_object(ext) X509_EXTENSION_get_object((ext))
1656#endif 1785#endif
@@ -1784,6 +1913,7 @@ static int compat_init(void) {
1784 if (done) 1913 if (done)
1785 goto epilog; 1914 goto epilog;
1786 1915
1916#if defined compat_X509_STORE_free
1787 /* 1917 /*
1788 * We need to unconditionally install at least one external 1918 * We need to unconditionally install at least one external
1789 * application data callback. Because these can never be 1919 * application data callback. Because these can never be
@@ -1792,7 +1922,6 @@ static int compat_init(void) {
1792 if ((error = dl_anchor())) 1922 if ((error = dl_anchor()))
1793 goto epilog; 1923 goto epilog;
1794 1924
1795#if defined compat_X509_STORE_free
1796 /* 1925 /*
1797 * Test if X509_STORE_free obeys reference counts by installing an 1926 * Test if X509_STORE_free obeys reference counts by installing an
1798 * onfree callback. 1927 * onfree callback.
@@ -1929,6 +2058,7 @@ struct ex_data {
1929 2058
1930enum { 2059enum {
1931 EX_SSL_CTX_ALPN_SELECT_CB, 2060 EX_SSL_CTX_ALPN_SELECT_CB,
2061 EX_SSL_CTX_TLSEXT_SERVERNAME_CB,
1932}; 2062};
1933 2063
1934static struct ex_type { 2064static struct ex_type {
@@ -1938,6 +2068,7 @@ static struct ex_type {
1938 int (*set_ex_data)(); 2068 int (*set_ex_data)();
1939} ex_type[] = { 2069} ex_type[] = {
1940 [EX_SSL_CTX_ALPN_SELECT_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data }, 2070 [EX_SSL_CTX_ALPN_SELECT_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data },
2071 [EX_SSL_CTX_TLSEXT_SERVERNAME_CB] = { CRYPTO_EX_INDEX_SSL_CTX, -1, &SSL_CTX_get_ex_data, &SSL_CTX_set_ex_data },
1941}; 2072};
1942 2073
1943#if OPENSSL_PREREQ(1,1,0) 2074#if OPENSSL_PREREQ(1,1,0)
@@ -3081,7 +3212,8 @@ static int pk_new(lua_State *L) {
3081 if (lua_istable(L, 1) || lua_isnil(L, 1)) { 3212 if (lua_istable(L, 1) || lua_isnil(L, 1)) {
3082 int type = EVP_PKEY_RSA; 3213 int type = EVP_PKEY_RSA;
3083 unsigned bits = 1024; 3214 unsigned bits = 1024;
3084 unsigned exp = 65537; 3215 BIGNUM *exp = NULL;
3216 int generator = 2;
3085 int curve = NID_X9_62_prime192v1; 3217 int curve = NID_X9_62_prime192v1;
3086 const char *id; 3218 const char *id;
3087 const char *dhparam = NULL; 3219 const char *dhparam = NULL;
@@ -3111,23 +3243,46 @@ static int pk_new(lua_State *L) {
3111 luaL_argcheck(L, type != NID_undef, 1, lua_pushfstring(L, "%s: invalid key type", id)); 3243 luaL_argcheck(L, type != NID_undef, 1, lua_pushfstring(L, "%s: invalid key type", id));
3112 } 3244 }
3113 3245
3114 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) { 3246 switch(type) {
3115 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n)); 3247 case EVP_PKEY_RSA:
3116 bits = (unsigned)n; 3248 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) {
3117 } 3249 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n));
3250 bits = (unsigned)n;
3251 }
3118 3252
3119 if (loadfield(L, 1, "exp", LUA_TNUMBER, &n)) { 3253 if (!getfield(L, 1, "exp")) {
3120 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n)); 3254 exp = checkbig(L, -1);
3121 exp = (unsigned)n; 3255 } else {
3122 } 3256 /* default to 65537 */
3257 exp = bn_push(L);
3258 if (!BN_add_word(exp, 65537))
3259 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3260 }
3261 break;
3262 case EVP_PKEY_DH:
3263 /* dhparam field can contain a PEM encoded string.
3264 The "dhparam" field takes precedence over "bits" */
3265 if (loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam))
3266 break;
3123 3267
3124 if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) { 3268 if (loadfield(L, 1, "bits", LUA_TNUMBER, &n)) {
3125 if (!auxS_txt2nid(&curve, id)) 3269 luaL_argcheck(L, n > 0 && n < UINT_MAX, 1, lua_pushfstring(L, "%f: `bits' invalid", n));
3126 luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id)); 3270 bits = (unsigned)n;
3127 } 3271 }
3128 3272
3129 /* dhparam field can contain a PEM encoded string. */ 3273 /* compat: DH used to use the 'exp' field for the generator */
3130 loadfield(L, 1, "dhparam", LUA_TSTRING, &dhparam); 3274 if (loadfield(L, 1, "generator", LUA_TNUMBER, &n) || loadfield(L, 1, "exp", LUA_TNUMBER, &n)) {
3275 luaL_argcheck(L, n > 0 && n <= INT_MAX, 1, lua_pushfstring(L, "%f: `exp' invalid", n));
3276 generator = (int)n;
3277 }
3278 break;
3279 case EVP_PKEY_EC:
3280 if (loadfield(L, 1, "curve", LUA_TSTRING, &id)) {
3281 if (!auxS_txt2nid(&curve, id))
3282 luaL_argerror(L, 1, lua_pushfstring(L, "%s: invalid curve", id));
3283 }
3284 break;
3285 }
3131 3286
3132creat: 3287creat:
3133 if (!(*ud = EVP_PKEY_new())) 3288 if (!(*ud = EVP_PKEY_new()))
@@ -3137,9 +3292,14 @@ creat:
3137 case EVP_PKEY_RSA: { 3292 case EVP_PKEY_RSA: {
3138 RSA *rsa; 3293 RSA *rsa;
3139 3294
3140 if (!(rsa = RSA_generate_key(bits, exp, 0, 0))) 3295 if (!(rsa = RSA_new()))
3141 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3296 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3142 3297
3298 if (!RSA_generate_key_ex(rsa, bits, exp, 0)) {
3299 RSA_free(rsa);
3300 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3301 }
3302
3143 EVP_PKEY_set1_RSA(*ud, rsa); 3303 EVP_PKEY_set1_RSA(*ud, rsa);
3144 3304
3145 RSA_free(rsa); 3305 RSA_free(rsa);
@@ -3149,9 +3309,14 @@ creat:
3149 case EVP_PKEY_DSA: { 3309 case EVP_PKEY_DSA: {
3150 DSA *dsa; 3310 DSA *dsa;
3151 3311
3152 if (!(dsa = DSA_generate_parameters(bits, 0, 0, 0, 0, 0, 0))) 3312 if (!(dsa = DSA_new()))
3153 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3313 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3154 3314
3315 if (!DSA_generate_parameters_ex(dsa, bits, 0, 0, 0, 0, 0)) {
3316 DSA_free(dsa);
3317 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3318 }
3319
3155 if (!DSA_generate_key(dsa)) { 3320 if (!DSA_generate_key(dsa)) {
3156 DSA_free(dsa); 3321 DSA_free(dsa);
3157 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3322 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
@@ -3179,8 +3344,15 @@ creat:
3179 BIO_free(bio); 3344 BIO_free(bio);
3180 if (!dh) 3345 if (!dh)
3181 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3346 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3182 } else if (!(dh = DH_generate_parameters(bits, exp, 0, 0))) 3347 } else {
3183 return auxL_error(L, auxL_EOPENSSL, "pkey.new"); 3348 if (!(dh = DH_new()))
3349 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3350
3351 if (!DH_generate_parameters_ex(dh, bits, generator, 0)) {
3352 DH_free(dh);
3353 return auxL_error(L, auxL_EOPENSSL, "pkey.new");
3354 }
3355 }
3184 3356
3185 3357
3186 if (!DH_generate_key(dh)) { 3358 if (!DH_generate_key(dh)) {
@@ -4319,7 +4491,7 @@ static const auxL_IntegerReg pk_rsa_pad_opts[] = {
4319 { "RSA_NO_PADDING", RSA_NO_PADDING }, // no padding 4491 { "RSA_NO_PADDING", RSA_NO_PADDING }, // no padding
4320 { "RSA_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING }, // OAEP padding (encrypt and decrypt only) 4492 { "RSA_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING }, // OAEP padding (encrypt and decrypt only)
4321 { "RSA_X931_PADDING", RSA_X931_PADDING }, // (signature operations only) 4493 { "RSA_X931_PADDING", RSA_X931_PADDING }, // (signature operations only)
4322#if HAVE_RSA_PKCS1_PSS_PADDING 4494#if RSA_PKCS1_PSS_PADDING
4323 { "RSA_PKCS1_PSS_PADDING", RSA_PKCS1_PSS_PADDING }, // (sign and verify only) 4495 { "RSA_PKCS1_PSS_PADDING", RSA_PKCS1_PSS_PADDING }, // (sign and verify only)
4324#endif 4496#endif
4325 { NULL, 0 }, 4497 { NULL, 0 },
@@ -5523,17 +5695,17 @@ static _Bool scan(int *i, char **cp, int n, int signok) {
5523} /* scan() */ 5695} /* scan() */
5524 5696
5525 5697
5526static double timeutc(ASN1_TIME *time) { 5698static double timeutc(const ASN1_TIME *time) {
5527 char buf[32] = "", *cp; 5699 char buf[32] = "", *cp;
5528 struct tm tm = { 0 }; 5700 struct tm tm = { 0 };
5529 int gmtoff = 0, year, i; 5701 int gmtoff = 0, year, i;
5530 5702
5531 if (!ASN1_TIME_check(time)) 5703 if (!ASN1_TIME_check((ASN1_STRING *)time))
5532 return 0; 5704 return 0;
5533 5705
5534 cp = strncpy(buf, (const char *)ASN1_STRING_get0_data((ASN1_STRING *)time), sizeof buf - 1); 5706 cp = strncpy(buf, (const char *)ASN1_STRING_get0_data((ASN1_STRING *)time), sizeof buf - 1);
5535 5707
5536 if (ASN1_STRING_type(time) == V_ASN1_GENERALIZEDTIME) { 5708 if (ASN1_STRING_type((ASN1_STRING *)time) == V_ASN1_GENERALIZEDTIME) {
5537 if (!scan(&year, &cp, 4, 1)) 5709 if (!scan(&year, &cp, 4, 1))
5538 goto badfmt; 5710 goto badfmt;
5539 } else { 5711 } else {
@@ -5595,7 +5767,7 @@ badfmt:
5595static int xc_getLifetime(lua_State *L) { 5767static int xc_getLifetime(lua_State *L) {
5596 X509 *crt = checksimple(L, 1, X509_CERT_CLASS); 5768 X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
5597 double begin = INFINITY, end = INFINITY; 5769 double begin = INFINITY, end = INFINITY;
5598 ASN1_TIME *time; 5770 const ASN1_TIME *time;
5599 5771
5600 if ((time = X509_get_notBefore(crt))) 5772 if ((time = X509_get_notBefore(crt)))
5601 begin = timeutc(time); 5773 begin = timeutc(time);
@@ -6684,10 +6856,21 @@ static int xx_new(lua_State *L) {
6684 if (!ok) 6856 if (!ok)
6685 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); 6857 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6686 } else { 6858 } else {
6859 ASN1_TIME *tm;
6860
6687 if (!(*ud = X509_CRL_new())) 6861 if (!(*ud = X509_CRL_new()))
6688 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new"); 6862 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6689 6863
6690 X509_gmtime_adj(X509_CRL_get_lastUpdate(*ud), 0); 6864 /* initialize last updated time to now */
6865 if (!(tm = ASN1_TIME_set(NULL, time(NULL))))
6866 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6867
6868 if (!X509_CRL_set1_lastUpdate(*ud, tm)) {
6869 ASN1_TIME_free(tm);
6870 return auxL_error(L, auxL_EOPENSSL, "x509.crl.new");
6871 }
6872
6873 ASN1_TIME_free(tm);
6691 } 6874 }
6692 6875
6693 return 1; 6876 return 1;
@@ -6724,9 +6907,9 @@ static int xx_setVersion(lua_State *L) {
6724static int xx_getLastUpdate(lua_State *L) { 6907static int xx_getLastUpdate(lua_State *L) {
6725 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6908 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6726 double updated = INFINITY; 6909 double updated = INFINITY;
6727 ASN1_TIME *time; 6910 const ASN1_TIME *time;
6728 6911
6729 if ((time = X509_CRL_get_lastUpdate(crl))) 6912 if ((time = X509_CRL_get0_lastUpdate(crl)))
6730 updated = timeutc(time); 6913 updated = timeutc(time);
6731 6914
6732 if (isfinite(updated)) 6915 if (isfinite(updated))
@@ -6741,23 +6924,30 @@ static int xx_getLastUpdate(lua_State *L) {
6741static int xx_setLastUpdate(lua_State *L) { 6924static int xx_setLastUpdate(lua_State *L) {
6742 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6925 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6743 double updated = luaL_checknumber(L, 2); 6926 double updated = luaL_checknumber(L, 2);
6927 ASN1_TIME *time;
6744 6928
6745 /* lastUpdate always present */ 6929 if (!(time = ASN1_TIME_set(NULL, updated)))
6746 if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated)) 6930 goto error;
6747 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate"); 6931
6932 if (!X509_CRL_set1_lastUpdate(crl, time))
6933 goto error;
6748 6934
6749 lua_pushboolean(L, 1); 6935 lua_pushboolean(L, 1);
6750 6936
6751 return 1; 6937 return 1;
6938error:
6939 ASN1_TIME_free(time);
6940
6941 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setLastUpdate");
6752} /* xx_setLastUpdate() */ 6942} /* xx_setLastUpdate() */
6753 6943
6754 6944
6755static int xx_getNextUpdate(lua_State *L) { 6945static int xx_getNextUpdate(lua_State *L) {
6756 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6946 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6757 double updateby = INFINITY; 6947 double updateby = INFINITY;
6758 ASN1_TIME *time; 6948 const ASN1_TIME *time;
6759 6949
6760 if ((time = X509_CRL_get_nextUpdate(crl))) 6950 if ((time = X509_CRL_get0_nextUpdate(crl)))
6761 updateby = timeutc(time); 6951 updateby = timeutc(time);
6762 6952
6763 if (isfinite(updateby)) 6953 if (isfinite(updateby))
@@ -6772,30 +6962,19 @@ static int xx_getNextUpdate(lua_State *L) {
6772static int xx_setNextUpdate(lua_State *L) { 6962static int xx_setNextUpdate(lua_State *L) {
6773 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 6963 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
6774 double updateby = luaL_checknumber(L, 2); 6964 double updateby = luaL_checknumber(L, 2);
6775 ASN1_TIME *time = NULL; 6965 ASN1_TIME *time;
6776
6777 if (X509_CRL_get_nextUpdate(crl)) {
6778 if (!ASN1_TIME_set(X509_CRL_get_nextUpdate(crl), updateby))
6779 goto error;
6780 } else {
6781 if (!(time = ASN1_TIME_new()))
6782 goto error;
6783
6784 if (!(ASN1_TIME_set(time, updateby)))
6785 goto error;
6786 6966
6787 if (!X509_CRL_set_nextUpdate(crl, time)) 6967 if (!(time = ASN1_TIME_set(NULL, updateby)))
6788 goto error; 6968 goto error;
6789 6969
6790 time = NULL; 6970 if (!X509_CRL_set1_nextUpdate(crl, time))
6791 } 6971 goto error;
6792 6972
6793 lua_pushboolean(L, 1); 6973 lua_pushboolean(L, 1);
6794 6974
6795 return 1; 6975 return 1;
6796error: 6976error:
6797 if (time) 6977 ASN1_TIME_free(time);
6798 ASN1_TIME_free(time);
6799 6978
6800 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setNextUpdate"); 6979 return auxL_error(L, auxL_EOPENSSL, "x509.crl:setNextUpdate");
6801} /* xx_setNextUpdate() */ 6980} /* xx_setNextUpdate() */
@@ -7670,11 +7849,6 @@ int luaopen__openssl_pkcs12(lua_State *L) {
7670 * 7849 *
7671 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 7850 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
7672 7851
7673/*
7674 * NOTE: TLS methods and flags were added in tandem. For example, if the
7675 * macro SSL_OP_NO_TLSv1_1 is defined we know TLSv1_1_server_method is also
7676 * declared and defined.
7677 */
7678static int sx_new(lua_State *L) { 7852static int sx_new(lua_State *L) {
7679 static const char *const opts[] = { 7853 static const char *const opts[] = {
7680 [0] = "SSL", 7854 [0] = "SSL",
@@ -7690,81 +7864,109 @@ static int sx_new(lua_State *L) {
7690 [14] = "DTLSv1_2", [15] = "DTLSv1.2", 7864 [14] = "DTLSv1_2", [15] = "DTLSv1.2",
7691 NULL 7865 NULL
7692 }; 7866 };
7693 /* later versions of SSL declare a const qualifier on the return type */ 7867 int method_enum;
7694 __typeof__(&TLSv1_client_method) method = &TLSv1_client_method;
7695 _Bool srv; 7868 _Bool srv;
7696 SSL_CTX **ud; 7869 SSL_CTX **ud;
7697 int options = 0; 7870 int options = 0;
7698 7871
7699 lua_settop(L, 2); 7872 lua_settop(L, 2);
7873 method_enum = auxL_checkoption(L, 1, "TLS", opts, 1);
7700 srv = lua_toboolean(L, 2); 7874 srv = lua_toboolean(L, 2);
7701 7875
7702 switch (auxL_checkoption(L, 1, "TLS", opts, 1)) { 7876 switch (method_enum) {
7703 case 0: /* SSL */ 7877 case 0: /* SSL */
7704 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7705 options = SSL_OP_NO_SSLv2; 7878 options = SSL_OP_NO_SSLv2;
7706 break; 7879 break;
7707 case 1: /* TLS */ 7880 case 1: /* TLS */
7708 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7709 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; 7881 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
7710 break; 7882 break;
7711#if HAVE_SSLV2_CLIENT_METHOD && HAVE_SSLV2_SERVER_METHOD
7712 case 2: /* SSLv2 */ 7883 case 2: /* SSLv2 */
7713 method = (srv)? &SSLv2_server_method : &SSLv2_client_method; 7884 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv2;
7714 break; 7885 break;
7715#endif
7716#ifndef OPENSSL_NO_SSL3
7717 case 3: /* SSLv3 */ 7886 case 3: /* SSLv3 */
7718 method = (srv)? &SSLv3_server_method : &SSLv3_client_method; 7887 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
7719 break; 7888 break;
7720#endif
7721 case 4: /* SSLv23 */ 7889 case 4: /* SSLv23 */
7722 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
7723 break; 7890 break;
7724 case 5: /* TLSv1 */ 7891 case 5: /* TLSv1 */
7725 case 6: /* TLSv1.0 */ 7892 case 6: /* TLSv1.0 */
7726 method = (srv)? &TLSv1_server_method : &TLSv1_client_method; 7893 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
7727 break; 7894 break;
7728#if defined SSL_OP_NO_TLSv1_1 7895#if defined SSL_OP_NO_TLSv1_1
7729 case 7: /* TLSv1_1 */ 7896 case 7: /* TLSv1_1 */
7730 case 8: /* TLSv1.1 */ 7897 case 8: /* TLSv1.1 */
7731 method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method; 7898 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1;
7732 break; 7899 break;
7733#endif 7900#endif
7734#if defined SSL_OP_NO_TLSv1_2 7901#if defined SSL_OP_NO_TLSv1_2
7735 case 9: /* TLSv1_2 */ 7902 case 9: /* TLSv1_2 */
7736 case 10: /* TLSv1.2 */ 7903 case 10: /* TLSv1.2 */
7737 method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method; 7904 options = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2;
7738 break; 7905 break;
7739#endif 7906#endif
7740#if HAVE_DTLS_CLIENT_METHOD 7907#if HAVE_DTLS_CLIENT_METHOD
7741 case 11: /* DTLS */ 7908 case 11: /* DTLS */
7742 method = (srv)? &DTLS_server_method : &DTLS_client_method;
7743 break; 7909 break;
7744#endif 7910#ifdef SSL_OP_NO_DTLSv1
7745#if HAVE_DTLSV1_CLIENT_METHOD
7746 case 12: /* DTLSv1 */ 7911 case 12: /* DTLSv1 */
7747 case 13: /* DTLSv1.0 */ 7912 case 13: /* DTLSv1.0 */
7748 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; 7913 options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1;
7749 break; 7914 break;
7750#endif 7915#endif
7751#if HAVE_DTLSV1_2_CLIENT_METHOD 7916#ifdef SSL_OP_NO_DTLSv1_2
7752 case 14: /* DTLSv1_2 */ 7917 case 14: /* DTLSv1_2 */
7753 case 15: /* DTLSv1.2 */ 7918 case 15: /* DTLSv1.2 */
7754 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method; 7919 options = SSL_OP_NO_DTLS_MASK & ~SSL_OP_NO_DTLSv1_2;
7755 break; 7920 break;
7756#endif 7921#endif
7922#endif
7757 default: 7923 default:
7758 return luaL_argerror(L, 1, "invalid option"); 7924 return luaL_argerror(L, 1, "invalid option");
7759 } 7925 }
7760 7926
7761 ud = prepsimple(L, SSL_CTX_CLASS); 7927 ud = prepsimple(L, SSL_CTX_CLASS);
7762 7928
7763 if (!(*ud = SSL_CTX_new(method()))) 7929 switch (method_enum) {
7930 case 0: /* SSL */
7931 case 1: /* TLS */
7932 case 2: /* SSLv2 */
7933 case 3: /* SSLv3 */
7934 case 4: /* SSLv23 */
7935 case 5: /* TLSv1 */
7936 case 6: /* TLSv1.0 */
7937 case 7: /* TLSv1_1 */
7938 case 8: /* TLSv1.1 */
7939 case 9: /* TLSv1_2 */
7940 case 10: /* TLSv1.2 */
7941 *ud = SSL_CTX_new(srv?SSLv23_server_method():SSLv23_client_method());
7942 break;
7943#if HAVE_DTLS_CLIENT_METHOD
7944 case 11: /* DTLS */
7945 case 12: /* DTLSv1 */
7946 case 13: /* DTLSv1.0 */
7947 case 14: /* DTLSv1_2 */
7948 case 15: /* DTLSv1.2 */
7949 *ud = SSL_CTX_new(srv?DTLS_server_method():DTLS_client_method());
7950 break;
7951#endif
7952 default:
7953 NOTREACHED;
7954 }
7955
7956 if (!*ud)
7764 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new"); 7957 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
7765 7958
7766 SSL_CTX_set_options(*ud, options); 7959 SSL_CTX_set_options(*ud, options);
7767 7960
7961#if HAVE_SSL_CTX_SET_ECDH_AUTO
7962 /* OpenSSL 1.0.2 introduced SSL_CTX_set_ecdh_auto to automatically select
7963 * from the curves set via SSL_CTX_set1_curves_list. However as of OpenSSL
7964 * 1.1.0, the functionality was turned on permanently and the option
7965 * removed. */
7966 if (!SSL_CTX_set_ecdh_auto(*ud, 1))
7967 return auxL_error(L, auxL_EOPENSSL, "ssl.context.new");
7968#endif
7969
7768 return 1; 7970 return 1;
7769} /* sx_new() */ 7971} /* sx_new() */
7770 7972
@@ -7940,6 +8142,21 @@ static int sx_setCipherList(lua_State *L) {
7940} /* sx_setCipherList() */ 8142} /* sx_setCipherList() */
7941 8143
7942 8144
8145#if HAVE_SSL_CTX_SET_CURVES_LIST
8146static int sx_setCurvesList(lua_State *L) {
8147 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
8148 const char *curves = luaL_checkstring(L, 2);
8149
8150 if (!SSL_CTX_set1_curves_list(ctx, curves))
8151 return auxL_error(L, auxL_EOPENSSL, "ssl.context:setCurvesList");
8152
8153 lua_pushboolean(L, 1);
8154
8155 return 1;
8156} /* sx_setCurvesList() */
8157#endif
8158
8159
7943static int sx_setEphemeralKey(lua_State *L) { 8160static int sx_setEphemeralKey(lua_State *L) {
7944 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); 8161 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
7945 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS); 8162 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
@@ -8013,9 +8230,8 @@ static int sx_setAlpnProtos(lua_State *L) {
8013} /* sx_setAlpnProtos() */ 8230} /* sx_setAlpnProtos() */
8014#endif 8231#endif
8015 8232
8016#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8017static SSL *ssl_push(lua_State *, SSL *);
8018 8233
8234#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8019static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *_ctx) { 8235static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *_ctx) {
8020 SSL_CTX *ctx = _ctx; 8236 SSL_CTX *ctx = _ctx;
8021 lua_State *L = NULL; 8237 lua_State *L = NULL;
@@ -8033,12 +8249,12 @@ static int sx_setAlpnSelect_cb(SSL *ssl, const unsigned char **out, unsigned cha
8033 8249
8034 otop = lua_gettop(L) - n; 8250 otop = lua_gettop(L) - n;
8035 8251
8036 /* TODO: Install temporary panic handler to catch OOM errors */
8037
8038 /* pass SSL object as 1st argument */ 8252 /* pass SSL object as 1st argument */
8039 ssl_push(L, ssl); 8253 if (ssl_pushsafe(L, ssl))
8254 goto fatal;
8040 lua_insert(L, otop + 3); 8255 lua_insert(L, otop + 3);
8041 8256
8257 /* TODO: Install temporary panic handler to catch OOM errors */
8042 /* pass table of protocol names as 2nd argument */ 8258 /* pass table of protocol names as 2nd argument */
8043 pushprotos(L, in, inlen); 8259 pushprotos(L, in, inlen);
8044 lua_insert(L, otop + 4); 8260 lua_insert(L, otop + 4);
@@ -8110,6 +8326,74 @@ static int sx_setAlpnSelect(lua_State *L) {
8110#endif 8326#endif
8111 8327
8112 8328
8329#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
8330static int sx_setHostNameCallback_cb(SSL *ssl, int *ad, void *_ctx) {
8331 SSL_CTX *ctx = _ctx;
8332 lua_State *L = NULL;
8333 size_t n;
8334 int otop, status, ret = SSL_TLSEXT_ERR_ALERT_FATAL;
8335
8336 *ad = SSL_AD_INTERNAL_ERROR;
8337
8338 /* expect at least one value: closure */
8339 if ((n = ex_getdata(&L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx)) < 1)
8340 return SSL_TLSEXT_ERR_ALERT_FATAL;
8341
8342 otop = lua_gettop(L) - n;
8343
8344 /* pass SSL object as 1st argument */
8345 if (ssl_pushsafe(L, ssl))
8346 goto done;
8347
8348 lua_insert(L, otop + 2);
8349
8350 if (LUA_OK != (status = lua_pcall(L, 1 + (n - 1), 2, 0)))
8351 goto done;
8352
8353 /* callback should return a boolean for OK/NOACK
8354 * or nil + an integer for a controlled error
8355 * everything else will be a fatal internal error
8356 */
8357 if (lua_isboolean(L, -2)) {
8358 ret = lua_toboolean(L, -2) ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
8359 } else {
8360 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
8361 if (lua_isnil(L, -2) && lua_isinteger(L, -1))
8362 *ad = lua_tointeger(L, -1);
8363 }
8364
8365done:
8366 lua_settop(L, otop);
8367
8368 return ret;
8369} /* sx_setHostNameCallback_cb() */
8370
8371
8372static int sx_setHostNameCallback(lua_State *L) {
8373 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
8374 int error;
8375
8376 luaL_checktype(L, 2, LUA_TFUNCTION);
8377
8378 if ((error = ex_setdata(L, EX_SSL_CTX_TLSEXT_SERVERNAME_CB, ctx, lua_gettop(L) - 1))) {
8379 if (error > 0) {
8380 return luaL_error(L, "unable to set hostname selection callback: %s", aux_strerror(error));
8381 } else if (error == auxL_EOPENSSL && !ERR_peek_error()) {
8382 return luaL_error(L, "unable to set hostname selection callback: Unknown internal error");
8383 } else {
8384 return auxL_error(L, error, "ssl.context:setHostNameCallback");
8385 }
8386 }
8387 SSL_CTX_set_tlsext_servername_callback(ctx, sx_setHostNameCallback_cb);
8388 SSL_CTX_set_tlsext_servername_arg(ctx, ctx);
8389
8390 lua_pushboolean(L, 1);
8391
8392 return 1;
8393} /* sx_setHostNameCallback() */
8394#endif
8395
8396
8113int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp }; 8397int TLSEXT_STATUSTYPEs[] = { TLSEXT_STATUSTYPE_ocsp };
8114const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL }; 8398const char *TLSEXT_STATUSTYPEs_names[] = { "ocsp", NULL };
8115#define checkTLSEXT_STATUSTYPE(L, idx) \ 8399#define checkTLSEXT_STATUSTYPE(L, idx) \
@@ -8122,7 +8406,7 @@ static int sx_setTLSextStatusType(lua_State *L) {
8122 int type = checkTLSEXT_STATUSTYPE(L, 2); 8406 int type = checkTLSEXT_STATUSTYPE(L, 2);
8123 8407
8124 if(!SSL_CTX_set_tlsext_status_type(ctx, type)) 8408 if(!SSL_CTX_set_tlsext_status_type(ctx, type))
8125 return auxL_error(L, auxL_EOPENSSL, "ssl:setTLSextStatusType"); 8409 return auxL_error(L, auxL_EOPENSSL, "ssl.context:setTLSextStatusType");
8126 8410
8127 lua_pushboolean(L, 1); 8411 lua_pushboolean(L, 1);
8128 8412
@@ -8177,6 +8461,9 @@ static const auxL_Reg sx_methods[] = {
8177 { "setCertificate", &sx_setCertificate }, 8461 { "setCertificate", &sx_setCertificate },
8178 { "setPrivateKey", &sx_setPrivateKey }, 8462 { "setPrivateKey", &sx_setPrivateKey },
8179 { "setCipherList", &sx_setCipherList }, 8463 { "setCipherList", &sx_setCipherList },
8464#if HAVE_SSL_CTX_SET_CURVES_LIST
8465 { "setCurvesList", &sx_setCurvesList },
8466#endif
8180 { "setEphemeralKey", &sx_setEphemeralKey }, 8467 { "setEphemeralKey", &sx_setEphemeralKey },
8181#if HAVE_SSL_CTX_SET_ALPN_PROTOS 8468#if HAVE_SSL_CTX_SET_ALPN_PROTOS
8182 { "setAlpnProtos", &sx_setAlpnProtos }, 8469 { "setAlpnProtos", &sx_setAlpnProtos },
@@ -8184,6 +8471,9 @@ static const auxL_Reg sx_methods[] = {
8184#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB 8471#if HAVE_SSL_CTX_SET_ALPN_SELECT_CB
8185 { "setAlpnSelect", &sx_setAlpnSelect }, 8472 { "setAlpnSelect", &sx_setAlpnSelect },
8186#endif 8473#endif
8474#if HAVE_SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK
8475 { "setHostNameCallback", &sx_setHostNameCallback },
8476#endif
8187#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE 8477#if HAVE_SSL_CTX_SET_TLSEXT_STATUS_TYPE
8188 { "setTLSextStatusType", &sx_setTLSextStatusType }, 8478 { "setTLSextStatusType", &sx_setTLSextStatusType },
8189#endif 8479#endif
@@ -8374,6 +8664,33 @@ static int ssl_getParam(lua_State *L) {
8374} /* ssl_getParam() */ 8664} /* ssl_getParam() */
8375 8665
8376 8666
8667static int ssl_setVerify(lua_State *L) {
8668 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8669 int mode = luaL_optinteger(L, 2, -1);
8670 int depth = luaL_optinteger(L, 3, -1);
8671
8672 if (mode != -1)
8673 SSL_set_verify(ssl, mode, 0);
8674
8675 if (depth != -1)
8676 SSL_set_verify_depth(ssl, depth);
8677
8678 lua_pushboolean(L, 1);
8679
8680 return 1;
8681} /* ssl_setVerify() */
8682
8683
8684static int ssl_getVerify(lua_State *L) {
8685 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8686
8687 lua_pushinteger(L, SSL_get_verify_mode(ssl));
8688 lua_pushinteger(L, SSL_get_verify_depth(ssl));
8689
8690 return 2;
8691} /* ssl_getVerify() */
8692
8693
8377static int ssl_getVerifyResult(lua_State *L) { 8694static int ssl_getVerifyResult(lua_State *L) {
8378 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8695 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8379 long res = SSL_get_verify_result(ssl); 8696 long res = SSL_get_verify_result(ssl);
@@ -8383,6 +8700,44 @@ static int ssl_getVerifyResult(lua_State *L) {
8383} /* ssl_getVerifyResult() */ 8700} /* ssl_getVerifyResult() */
8384 8701
8385 8702
8703static int ssl_setCertificate(lua_State *L) {
8704 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8705 X509 *crt = X509_dup(checksimple(L, 2, X509_CERT_CLASS));
8706 int ok;
8707
8708 ok = SSL_use_certificate(ssl, crt);
8709 X509_free(crt);
8710
8711 if (!ok)
8712 return auxL_error(L, auxL_EOPENSSL, "ssl:setCertificate");
8713
8714 lua_pushboolean(L, 1);
8715
8716 return 1;
8717} /* ssl_setCertificate() */
8718
8719
8720static int ssl_setPrivateKey(lua_State *L) {
8721 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8722 EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
8723 /*
8724 * NOTE: No easy way to dup the key, but a shared reference should
8725 * be okay as keys are less mutable than certificates.
8726 *
8727 * FIXME: SSL_use_PrivateKey will return true even if the
8728 * EVP_PKEY object has no private key. Instead, we'll just get a
8729 * segfault during the SSL handshake. We need to check that a
8730 * private key is actually defined in the object.
8731 */
8732 if (!SSL_use_PrivateKey(ssl, key))
8733 return auxL_error(L, auxL_EOPENSSL, "ssl:setPrivateKey");
8734
8735 lua_pushboolean(L, 1);
8736
8737 return 1;
8738} /* ssl_setPrivateKey() */
8739
8740
8386static int ssl_getPeerCertificate(lua_State *L) { 8741static int ssl_getPeerCertificate(lua_State *L) {
8387 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8742 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8388 X509 **x509 = prepsimple(L, X509_CERT_CLASS); 8743 X509 **x509 = prepsimple(L, X509_CERT_CLASS);
@@ -8433,6 +8788,21 @@ static int ssl_getCipherInfo(lua_State *L) {
8433} /* ssl_getCipherInfo() */ 8788} /* ssl_getCipherInfo() */
8434 8789
8435 8790
8791#if HAVE_SSL_SET_CURVES_LIST
8792static int ssl_setCurvesList(lua_State *L) {
8793 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8794 const char *curves = luaL_checkstring(L, 2);
8795
8796 if (!SSL_set1_curves_list(ssl, curves))
8797 return auxL_error(L, auxL_EOPENSSL, "ssl:setCurvesList");
8798
8799 lua_pushboolean(L, 1);
8800
8801 return 1;
8802} /* ssl_setCurvesList() */
8803#endif
8804
8805
8436static int ssl_getHostName(lua_State *L) { 8806static int ssl_getHostName(lua_State *L) {
8437 SSL *ssl = checksimple(L, 1, SSL_CLASS); 8807 SSL *ssl = checksimple(L, 1, SSL_CLASS);
8438 const char *host; 8808 const char *host;
@@ -8679,10 +9049,17 @@ static const auxL_Reg ssl_methods[] = {
8679 { "clearOptions", &ssl_clearOptions }, 9049 { "clearOptions", &ssl_clearOptions },
8680 { "setParam", &ssl_setParam }, 9050 { "setParam", &ssl_setParam },
8681 { "getParam", &ssl_getParam }, 9051 { "getParam", &ssl_getParam },
9052 { "setVerify", &ssl_setVerify },
9053 { "getVerify", &ssl_getVerify },
8682 { "getVerifyResult", &ssl_getVerifyResult }, 9054 { "getVerifyResult", &ssl_getVerifyResult },
9055 { "setCertificate", &ssl_setCertificate },
9056 { "setPrivateKey", &ssl_setPrivateKey },
8683 { "getPeerCertificate", &ssl_getPeerCertificate }, 9057 { "getPeerCertificate", &ssl_getPeerCertificate },
8684 { "getPeerChain", &ssl_getPeerChain }, 9058 { "getPeerChain", &ssl_getPeerChain },
8685 { "getCipherInfo", &ssl_getCipherInfo }, 9059 { "getCipherInfo", &ssl_getCipherInfo },
9060#if HAVE_SSL_SET_CURVES_LIST
9061 { "setCurvesList", &ssl_setCurvesList },
9062#endif
8686 { "getHostName", &ssl_getHostName }, 9063 { "getHostName", &ssl_getHostName },
8687 { "setHostName", &ssl_setHostName }, 9064 { "setHostName", &ssl_setHostName },
8688 { "getVersion", &ssl_getVersion }, 9065 { "getVersion", &ssl_getVersion },
diff --git a/src/openssl.ssl.context.lua b/src/openssl.ssl.context.lua
index 2098b54..3263fb1 100644
--- a/src/openssl.ssl.context.lua
+++ b/src/openssl.ssl.context.lua
@@ -13,4 +13,18 @@ local setCipherList; setCipherList = ctx.interpose("setCipherList", function (se
13 return setCipherList(self, ciphers) 13 return setCipherList(self, ciphers)
14end) 14end)
15 15
16-- Allow passing a vararg of curves, or an array
17local setCurvesList = ctx.interpose("setCurvesList", nil)
18if setCurvesList then
19 ctx.interpose("setCurvesList", function (self, curves, ...)
20 if (...) then
21 local curves_t = pack(curves, ...)
22 curves = table.concat(curves_t, ":", 1, curves_t.n)
23 elseif type(curves) == "table" then
24 curves = table.concat(curves, ":")
25 end
26 return setCurvesList(self, curves)
27 end)
28end
29
16return ctx 30return ctx
diff --git a/src/openssl.ssl.lua b/src/openssl.ssl.lua
index 3c348f6..bf90f29 100644
--- a/src/openssl.ssl.lua
+++ b/src/openssl.ssl.lua
@@ -1,3 +1,19 @@
1local ctx = require"_openssl.ssl" 1local ssl = require"_openssl.ssl"
2 2
3return ctx 3local pack = table.pack or function(...) return { n = select("#", ...); ... } end
4
5-- Allow passing a vararg of curves, or an array
6local setCurvesList = ssl.interpose("setCurvesList", nil)
7if setCurvesList then
8 ssl.interpose("setCurvesList", function (self, curves, ...)
9 if (...) then
10 local curves_t = pack(curves, ...)
11 curves = table.concat(curves_t, ":", 1, curves_t.n)
12 elseif type(curves) == "table" then
13 curves = table.concat(curves, ":")
14 end
15 return setCurvesList(self, curves)
16 end)
17end
18
19return ssl
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-28 13:22:27 +0000