summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/openssl.c142
1 files changed, 104 insertions, 38 deletions
diff --git a/src/openssl.c b/src/openssl.c
index 3b75e63..63c3985 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -76,12 +76,18 @@
76#include "compat52.h" 76#include "compat52.h"
77#endif 77#endif
78 78
79#define OPENSSL_PREREQ(M, m, p) \
80 (OPENSSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)) && !defined LIBRESSL_VERSION_NUMBER)
81
82#define LIBRESSL_PREREQ(M, m, p) \
83 (LIBRESSL_VERSION_NUMBER >= (((M) << 28) | ((m) << 20) | ((p) << 12)))
84
79#ifndef HAVE_DLADDR 85#ifndef HAVE_DLADDR
80#define HAVE_DLADDR (!defined _AIX) /* TODO: https://root.cern.ch/drupal/content/aix-and-dladdr */ 86#define HAVE_DLADDR (!defined _AIX) /* TODO: https://root.cern.ch/drupal/content/aix-and-dladdr */
81#endif 87#endif
82 88
83#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS 89#ifndef HAVE_SSL_CTX_SET_ALPN_PROTOS
84#define HAVE_SSL_CTX_SET_ALPN_PROTOS (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined LIBRESSL_VERSION_NUMBER) 90#define HAVE_SSL_CTX_SET_ALPN_PROTOS OPENSSL_PREREQ(1, 0, 2)
85#endif 91#endif
86 92
87#ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB 93#ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@@ -96,6 +102,30 @@
96#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS 102#define HAVE_SSL_GET0_ALPN_SELECTED HAVE_SSL_CTX_SET_ALPN_PROTOS
97#endif 103#endif
98 104
105#ifndef HAVE_DTLSV1_CLIENT_METHOD
106#define HAVE_DTLSV1_CLIENT_METHOD (!defined OPENSSL_NO_DTLS1)
107#endif
108
109#ifndef HAVE_DTLSV1_SERVER_METHOD
110#define HAVE_DTLSV1_SERVER_METHOD HAVE_DTLSV1_CLIENT_METHOD
111#endif
112
113#ifndef HAVE_DTLS_CLIENT_METHOD
114#define HAVE_DTLS_CLIENT_METHOD (OPENSSL_PREREQ(1, 0, 2) && !defined OPENSSL_NO_DTLS1)
115#endif
116
117#ifndef HAVE_DTLS_SERVER_METHOD
118#define HAVE_DTLS_SERVER_METHOD HAVE_DTLS_CLIENT_METHOD
119#endif
120
121#ifndef HAVE_DTLSV1_2_CLIENT_METHOD
122#define HAVE_DTLSV1_2_CLIENT_METHOD (OPENSSL_PREREQ(1, 0, 2) && !defined OPENSSL_NO_DTLS1)
123#endif
124
125#ifndef HAVE_DTLSV1_2_SERVER_METHOD
126#define HAVE_DTLSV1_2_SERVER_METHOD HAVE_DTLSV1_2_CLIENT_METHOD
127#endif
128
99#ifndef STRERROR_R_CHAR_P 129#ifndef STRERROR_R_CHAR_P
100#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600))) 130#define STRERROR_R_CHAR_P (defined __GLIBC__ && (_GNU_SOURCE || !(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600)))
101#endif 131#endif
@@ -279,7 +309,13 @@ static void addclass(lua_State *L, const char *name, const luaL_Reg *methods, co
279} /* addclass() */ 309} /* addclass() */
280 310
281 311
282static int checkoption(struct lua_State *L, int index, const char *def, const char *const opts[]) { 312static int badoption(lua_State *L, int index, const char *opt) {
313 opt = (opt)? opt : luaL_checkstring(L, index);
314
315 return luaL_argerror(L, index, lua_pushfstring(L, "invalid option %s", opt));
316} /* badoption() */
317
318static int checkoption(lua_State *L, int index, const char *def, const char *const opts[]) {
283 const char *opt = (def)? luaL_optstring(L, index, def) : luaL_checkstring(L, index); 319 const char *opt = (def)? luaL_optstring(L, index, def) : luaL_checkstring(L, index);
284 int i; 320 int i;
285 321
@@ -288,7 +324,7 @@ static int checkoption(struct lua_State *L, int index, const char *def, const ch
288 return i; 324 return i;
289 } 325 }
290 326
291 return luaL_argerror(L, index, lua_pushfstring(L, "invalid option %s", opt)); 327 return badoption(L, index, opt);
292} /* checkoption() */ 328} /* checkoption() */
293 329
294 330
@@ -820,7 +856,6 @@ static void compat_init_X509_STORE_onfree(void *store, void *data NOTUSED, CRYPT
820static int compat_init(void) { 856static int compat_init(void) {
821 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; 857 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
822 static int store_index = -1, ssl_ctx_index = -1, done; 858 static int store_index = -1, ssl_ctx_index = -1, done;
823 X509_STORE *store;
824 int error = 0; 859 int error = 0;
825 860
826 if ((error = pthread_mutex_lock(&mutex))) 861 if ((error = pthread_mutex_lock(&mutex)))
@@ -1615,7 +1650,6 @@ static int bn__mul(lua_State *L) {
1615 1650
1616static int bn__div(lua_State *L) { 1651static int bn__div(lua_State *L) {
1617 BIGNUM *r, *a, *b; 1652 BIGNUM *r, *a, *b;
1618 BN_CTX *ctx;
1619 1653
1620 bn_prepops(L, &r, &a, &b, 0); 1654 bn_prepops(L, &r, &a, &b, 0);
1621 1655
@@ -1628,7 +1662,6 @@ static int bn__div(lua_State *L) {
1628 1662
1629static int bn__mod(lua_State *L) { 1663static int bn__mod(lua_State *L) {
1630 BIGNUM *r, *a, *b; 1664 BIGNUM *r, *a, *b;
1631 BN_CTX *ctx;
1632 1665
1633 bn_prepops(L, &r, &a, &b, 0); 1666 bn_prepops(L, &r, &a, &b, 0);
1634 1667
@@ -1641,7 +1674,6 @@ static int bn__mod(lua_State *L) {
1641 1674
1642static int bn__pow(lua_State *L) { 1675static int bn__pow(lua_State *L) {
1643 BIGNUM *r, *a, *b; 1676 BIGNUM *r, *a, *b;
1644 BN_CTX *ctx;
1645 1677
1646 bn_prepops(L, &r, &a, &b, 0); 1678 bn_prepops(L, &r, &a, &b, 0);
1647 1679
@@ -2291,7 +2323,6 @@ static int pk__tostring(lua_State *L) {
2291 BIO *bio = getbio(L); 2323 BIO *bio = getbio(L);
2292 char *data; 2324 char *data;
2293 long len; 2325 long len;
2294 int ok = 0;
2295 2326
2296 switch (type) { 2327 switch (type) {
2297 case X509_PEM: 2328 case X509_PEM:
@@ -2845,7 +2876,6 @@ static int xe_new(lua_State *L) {
2845 ASN1_STRING *oct = NULL; 2876 ASN1_STRING *oct = NULL;
2846 CONF *conf = NULL; 2877 CONF *conf = NULL;
2847 X509V3_CTX cbuf = { 0 }, *ctx = NULL; 2878 X509V3_CTX cbuf = { 0 }, *ctx = NULL;
2848 X509_EXTENSION *ext = NULL;
2849 2879
2850 if (!lua_isnil(L, 3)) { 2880 if (!lua_isnil(L, 3)) {
2851 size_t len; 2881 size_t len;
@@ -3199,7 +3229,6 @@ static double timeutc(ASN1_TIME *time) {
3199 char buf[32] = "", *cp; 3229 char buf[32] = "", *cp;
3200 struct tm tm = { 0 }; 3230 struct tm tm = { 0 };
3201 int gmtoff = 0, year, i; 3231 int gmtoff = 0, year, i;
3202 double ts;
3203 3232
3204 if (!ASN1_TIME_check(time)) 3233 if (!ASN1_TIME_check(time))
3205 return 0; 3234 return 0;
@@ -3297,7 +3326,6 @@ static int xc_getLifetime(lua_State *L) {
3297 3326
3298static int xc_setLifetime(lua_State *L) { 3327static int xc_setLifetime(lua_State *L) {
3299 X509 *crt = checksimple(L, 1, X509_CERT_CLASS); 3328 X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
3300 ASN1_TIME *time;
3301 double ut; 3329 double ut;
3302 const char *dt; 3330 const char *dt;
3303 3331
@@ -3757,6 +3785,25 @@ static int xc_setPublicKey(lua_State *L) {
3757} /* xc_setPublicKey() */ 3785} /* xc_setPublicKey() */
3758 3786
3759 3787
3788static int xc_getPublicKeyDigest(lua_State *L) {
3789 ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(checksimple(L, 1, X509_CERT_CLASS));
3790 const char *id = luaL_optstring(L, 2, "sha1");
3791 const EVP_MD *md;
3792 unsigned char digest[EVP_MAX_MD_SIZE];
3793 unsigned int len;
3794
3795 if (!(md = EVP_get_digestbyname(id)))
3796 return luaL_error(L, "x509.cert:getPublicKeyDigest: %s: invalid digest type", id);
3797
3798 if (!EVP_Digest(pk->data, pk->length, digest, &len, md, NULL))
3799 return auxL_error(L, auxL_EOPENSSL, "x509.cert:getPublicKeyDigest");
3800
3801 lua_pushlstring(L, (char *)digest, len);
3802
3803 return 1;
3804} /* xc_getPublicKeyDigest() */
3805
3806
3760static const EVP_MD *xc_signature(lua_State *L, int index, EVP_PKEY *key) { 3807static const EVP_MD *xc_signature(lua_State *L, int index, EVP_PKEY *key) {
3761 const char *id; 3808 const char *id;
3762 const EVP_MD *md; 3809 const EVP_MD *md;
@@ -3918,6 +3965,7 @@ static const luaL_Reg xc_methods[] = {
3918 { "isIssuedBy", &xc_isIssuedBy }, 3965 { "isIssuedBy", &xc_isIssuedBy },
3919 { "getPublicKey", &xc_getPublicKey }, 3966 { "getPublicKey", &xc_getPublicKey },
3920 { "setPublicKey", &xc_setPublicKey }, 3967 { "setPublicKey", &xc_setPublicKey },
3968 { "getPublicKeyDigest", &xc_getPublicKeyDigest },
3921 { "sign", &xc_sign }, 3969 { "sign", &xc_sign },
3922 { "text", &xc_text }, 3970 { "text", &xc_text },
3923 { "tostring", &xc__tostring }, 3971 { "tostring", &xc__tostring },
@@ -4246,7 +4294,6 @@ static int xx_getLastUpdate(lua_State *L) {
4246static int xx_setLastUpdate(lua_State *L) { 4294static int xx_setLastUpdate(lua_State *L) {
4247 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS); 4295 X509_CRL *crl = checksimple(L, 1, X509_CRL_CLASS);
4248 double updated = luaL_checknumber(L, 2); 4296 double updated = luaL_checknumber(L, 2);
4249 ASN1_TIME *time = NULL;
4250 4297
4251 /* lastUpdate always present */ 4298 /* lastUpdate always present */
4252 if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated)) 4299 if (!ASN1_TIME_set(X509_CRL_get_lastUpdate(crl), updated))
@@ -5027,15 +5074,17 @@ int luaopen__openssl_pkcs12(lua_State *L) {
5027 */ 5074 */
5028static int sx_new(lua_State *L) { 5075static int sx_new(lua_State *L) {
5029 static const char *const opts[] = { 5076 static const char *const opts[] = {
5030 "SSLv2", "SSLv3", "SSLv23", 5077 [0] = "SSL",
5031 "TLSv1", "TLSv1.0", 5078 [1] = "TLS",
5032#if defined SSL_OP_NO_TLSv1_1 5079 [2] = "SSLv2",
5033 "TLSv1_1", "TLSv1.1", 5080 [3] = "SSLv3",
5034#endif 5081 [4] = "SSLv23",
5035#if defined SSL_OP_NO_TLSv1_2 5082 [5] = "TLSv1", [6] = "TLSv1.0",
5036 "TLSv1_2", "TLSv1.2", 5083 [7] = "TLSv1_1", [8] = "TLSv1.1",
5037#endif 5084 [9] = "TLSv1_2", [10] = "TLSv1.2",
5038 "SSL", "TLS", 5085 [11] = "DTLS",
5086 [12] = "DTLSv1", [13] = "DTLSv1.0",
5087 [14] = "DTLSv1_2", [15] = "DTLSv1.2",
5039 NULL 5088 NULL
5040 }; 5089 };
5041 /* later versions of SSL declare a const qualifier on the return type */ 5090 /* later versions of SSL declare a const qualifier on the return type */
@@ -5048,41 +5097,60 @@ static int sx_new(lua_State *L) {
5048 srv = lua_toboolean(L, 2); 5097 srv = lua_toboolean(L, 2);
5049 5098
5050 switch (checkoption(L, 1, "TLS", opts)) { 5099 switch (checkoption(L, 1, "TLS", opts)) {
5100 case 0: /* SSL */
5101 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
5102 options = SSL_OP_NO_SSLv2;
5103 break;
5104 case 1: /* TLS */
5105 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
5106 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
5107 break;
5051#ifndef OPENSSL_NO_SSL2 5108#ifndef OPENSSL_NO_SSL2
5052 case 0: /* SSLv2 */ 5109 case 2: /* SSLv2 */
5053 method = (srv)? &SSLv2_server_method : &SSLv2_client_method; 5110 method = (srv)? &SSLv2_server_method : &SSLv2_client_method;
5054 break; 5111 break;
5055#endif 5112#endif
5056 case 1: /* SSLv3 */ 5113 case 3: /* SSLv3 */
5057 method = (srv)? &SSLv3_server_method : &SSLv3_client_method; 5114 method = (srv)? &SSLv3_server_method : &SSLv3_client_method;
5058 break; 5115 break;
5059 case 2: /* SSLv23 */ 5116 case 4: /* SSLv23 */
5060 method = (srv)? &SSLv23_server_method : &SSLv23_client_method; 5117 method = (srv)? &SSLv23_server_method : &SSLv23_client_method;
5061 break; 5118 break;
5062 case 3: /* TLSv1 */ 5119 case 5: /* TLSv1 */
5063 case 4: /* TLSv1.0 */ 5120 case 6: /* TLSv1.0 */
5064 method = (srv)? &TLSv1_server_method : &TLSv1_client_method; 5121 method = (srv)? &TLSv1_server_method : &TLSv1_client_method;
5065 break; 5122 break;
5066#if defined SSL_OP_NO_TLSv1_1 5123#if defined SSL_OP_NO_TLSv1_1
5067 case 5: /* TLSv1_1 */ 5124 case 7: /* TLSv1_1 */
5068 case 6: /* TLSv1.1 */ 5125 case 8: /* TLSv1.1 */
5069 method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method; 5126 method = (srv)? &TLSv1_1_server_method : &TLSv1_1_client_method;
5070 break; 5127 break;
5071#endif 5128#endif
5072#if defined SSL_OP_NO_TLSv1_2 5129#if defined SSL_OP_NO_TLSv1_2
5073 case 7: /* TLSv1_2 */ 5130 case 9: /* TLSv1_2 */
5074 case 8: /* TLSv1.2 */ 5131 case 10: /* TLSv1.2 */
5075 method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method; 5132 method = (srv)? &TLSv1_2_server_method : &TLSv1_2_client_method;
5076 break; 5133 break;
5077#endif 5134#endif
5078 case 9: /* SSL */ 5135#if HAVE_DTLS_CLIENT_METHOD
5079 method = (srv)? &SSLv23_server_method : &SSLv23_client_method; 5136 case 11: /* DTLS */
5080 options = SSL_OP_NO_SSLv2; 5137 method = (srv)? &DTLS_server_method : &DTLS_client_method;
5081 break; 5138 break;
5082 case 10: /* TLS */ 5139#endif
5083 method = (srv)? &SSLv23_server_method : &SSLv23_client_method; 5140#if HAVE_DTLSV1_CLIENT_METHOD
5084 options = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; 5141 case 12: /* DTLSv1 */
5142 case 13: /* DTLSv1.0 */
5143 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
5085 break; 5144 break;
5145#endif
5146#if HAVE_DTLSV1_2_CLIENT_METHOD
5147 case 14: /* DTLSv1_2 */
5148 case 15: /* DTLSv1.2 */
5149 method = (srv)? &DTLSv1_server_method : &DTLSv1_client_method;
5150 break;
5151#endif
5152 default:
5153 return badoption(L, 1, NULL);
5086 } 5154 }
5087 5155
5088 ud = prepsimple(L, SSL_CTX_CLASS); 5156 ud = prepsimple(L, SSL_CTX_CLASS);
@@ -5364,7 +5432,6 @@ noack:
5364 5432
5365static int sx_setAlpnSelect(lua_State *L) { 5433static int sx_setAlpnSelect(lua_State *L) {
5366 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS); 5434 SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
5367 struct ex_data *data;
5368 int error; 5435 int error;
5369 5436
5370 luaL_checktype(L, 2, LUA_TFUNCTION); 5437 luaL_checktype(L, 2, LUA_TFUNCTION);
@@ -5848,7 +5915,6 @@ static void md_update_(lua_State *L, EVP_MD_CTX *ctx, int from, int to) {
5848 5915
5849static int md_update(lua_State *L) { 5916static int md_update(lua_State *L) {
5850 EVP_MD_CTX *ctx = luaL_checkudata(L, 1, DIGEST_CLASS); 5917 EVP_MD_CTX *ctx = luaL_checkudata(L, 1, DIGEST_CLASS);
5851 int i;
5852 5918
5853 md_update_(L, ctx, 2, lua_gettop(L)); 5919 md_update_(L, ctx, 2, lua_gettop(L));
5854 5920
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-14 22:35:43 +0000