Sun, 05 Dec 2010 23:45:57 -0800
Clean up the ex_data callers
The best explanation I can come up with here is that I totally missed the existence of SSL_[gs]et_ex_data...
0 | 1 | /*-------------------------------------------------------------------------- |
2 | * LuaSec 0.4 | |
3 | * Copyright (C) 2006-2009 Bruno Silvestre | |
4 | * | |
5 | *--------------------------------------------------------------------------*/ | |
6 | ||
7 | #include <string.h> | |
8 | #include <openssl/ssl.h> | |
9 | #include <openssl/err.h> | |
10 | ||
11 | #include <lua.h> | |
12 | #include <lauxlib.h> | |
13 | ||
14 | #include "context.h" | |
15 | ||
struct ssl_option_s {
  const char *name;    /* option name matched (strcmp) by set_option_flag() */
  unsigned long code;  /* SSL_OP_* bit OR'ed into the flag word on a match */
};
typedef struct ssl_option_s ssl_option_t;
21 | ||
/* index into the SSL storage where the context is.
 * see SSL_CTX_get_ex_data().
 * Registered lazily in create(); -1 means "not registered yet" and is also
 * what SSL_CTX_get_ex_new_index() returns on failure, so a failed
 * registration is simply retried by the next create().
 */
static int luasec_sslctx_idx = -1;

/* The export DH key */
/* 512-bit group returned by dh_param_cb() only for is_export requests with
 * keylength == 512.  Built on first use; nothing in the visible code frees it. */
static DH *dh_512 = NULL;
/* The larger key (builtin is 2048, caller may specify larger) */
/* Built from dh2048_p on first use by dh_param_cb(); load_dhparams() frees
 * and replaces it with parameters read from a file. */
static DH *dh_larger = NULL;

/* Generated via "openssl dhparam -2 -noout -C 512 2>/dev/null" */
/* Big-endian prime p only; the generator g = 2 is supplied by get_dh(). */
static unsigned char dh512_p[] = {
  0xE4,0x3F,0x75,0x82,0xAD,0x0B,0x28,0xC7,0xEF,0xCE,0xBC,0x3B,
  0x14,0xBB,0xA6,0xF4,0xA2,0xE9,0xA6,0x59,0xCF,0x97,0x1C,0x86,
  0x43,0x3B,0x92,0x4A,0x6B,0x15,0x4B,0x0C,0xAC,0x8F,0xFA,0x43,
  0xE2,0xA8,0xC3,0x3B,0x7B,0x51,0x1B,0x46,0x21,0xBF,0x8C,0x06,
  0x6C,0xB1,0x49,0x75,0xC7,0xAC,0x47,0x1D,0x9D,0x64,0xD5,0x99,
  0x33,0x86,0xAD,0xEB,
};

/* Generated via "openssl dhparam -2 -noout -C 2048 2>/dev/null" */
/* Big-endian prime p only (256 bytes); g = 2 is supplied by get_dh(). */
static unsigned char dh2048_p[] = {
  0x9B,0xF4,0xC5,0x57,0x81,0x8F,0xCF,0x31,0x78,0x95,0x04,0xCD,
  0xEA,0xCC,0x30,0xEA,0xF7,0xCA,0x76,0xC8,0x8F,0x91,0xEA,0x0E,
  0x44,0x8D,0xE2,0x63,0x19,0x3B,0x4D,0x04,0xC8,0x7D,0x0D,0xFF,
  0x3D,0x52,0x76,0x02,0xF3,0xCA,0x1C,0x44,0xAF,0x0E,0xA9,0x59,
  0x02,0x40,0x75,0xD6,0xED,0x35,0x4D,0x11,0x5B,0x2B,0x73,0x23,
  0xE5,0x53,0x0B,0x1F,0xB0,0x47,0xC4,0x7F,0x95,0x5D,0xB0,0xD5,
  0xF3,0xD3,0xAB,0x5F,0x28,0x2B,0xEC,0x2C,0x15,0x0B,0x1B,0x0C,
  0xD4,0xBE,0x24,0x2F,0xC5,0x07,0x3C,0xE4,0xC5,0xE6,0x16,0x42,
  0x4C,0x31,0x04,0xBB,0x80,0x96,0xFF,0x64,0x50,0xA4,0xA5,0xB5,
  0xF5,0x3A,0xBA,0x57,0xE4,0xE6,0xC2,0x23,0x0A,0xB6,0x27,0xC4,
  0x06,0x01,0x1E,0x98,0x20,0x09,0xC8,0xB7,0x90,0x09,0x86,0x06,
  0xAA,0x85,0xE7,0x02,0xC8,0xC6,0xD9,0x1D,0xAB,0x17,0xEE,0x78,
  0x73,0x78,0x88,0x7F,0xA7,0xF2,0x34,0xA7,0xDD,0x02,0x16,0x36,
  0x0D,0x77,0x16,0x3E,0x95,0xAE,0x02,0xEE,0x36,0x37,0xD5,0x61,
  0x5D,0xFE,0xC6,0x0B,0xDF,0xCE,0xB9,0x26,0x31,0x6F,0x34,0x92,
  0xBB,0xBB,0x91,0x29,0x77,0x62,0x1D,0x75,0xA0,0x51,0x8D,0x31,
  0x4C,0x64,0x4E,0xBF,0xDC,0xE8,0x67,0x17,0x90,0x6A,0x80,0xE9,
  0xD7,0xD8,0x56,0x4E,0x85,0x21,0x9C,0xFB,0xE6,0x1B,0xD8,0x05,
  0xFD,0x13,0x77,0x00,0x96,0x2D,0x0C,0x2A,0x95,0x1A,0x08,0x82,
  0x2E,0xB3,0xE2,0xFC,0xE8,0xA6,0xF1,0x16,0x37,0x57,0x82,0xD6,
  0xF5,0xAB,0xA9,0x43,0x8F,0x33,0xB0,0x57,0x38,0x6E,0x61,0xD4,
  0xDD,0xE0,0x1C,0xCB,
};
0 | 67 | |
/* Name -> SSL_OP_* lookup table scanned by set_option_flag(); the trailing
 * {NULL, 0L} entry is the end marker.  The #if-guarded entries exist only
 * when the OpenSSL headers being compiled against define that option. */
static ssl_option_t ssl_options[] = {
  /* OpenSSL 0.9.7 and 0.9.8 */
  {"all", SSL_OP_ALL},
  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
  {"no_session_resumption_on_renegotiation",
    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
  {"no_sslv2", SSL_OP_NO_SSLv2},
  {"no_sslv3", SSL_OP_NO_SSLv3},
  {"no_tlsv1", SSL_OP_NO_TLSv1},
  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
  /* OpenSSL 0.9.8 only */
#if OPENSSL_VERSION_NUMBER > 0x00908000L
  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
#endif
  /* OpenSSL 0.9.8f and above */
#if defined(SSL_OP_NO_TICKET)
  {"no_ticket", SSL_OP_NO_TICKET},
#endif
#if defined(SSL_OP_NO_COMPRESSION)
  {"no_compression", SSL_OP_NO_COMPRESSION},
#endif
  {NULL, 0L}
};
109 | ||
110 | /*--------------------------- Auxiliary Functions ----------------------------*/ | |
111 | ||
/**
 * Return the context.
 *
 * Fetches the userdata at stack slot `idx` and checks that it carries the
 * "SSL:Context" metatable.  luaL_checkudata raises a Lua error on any
 * mismatch, so a successful return is never NULL.
 */
p_context checkctx(lua_State *L, int idx)
{
  void *udata = luaL_checkudata(L, idx, "SSL:Context");
  return udata;
}
119 | ||
/**
 * Prepare the SSL options flag.
 *
 * Looks `opt` up in ssl_options and ORs the matching SSL_OP_* code into
 * *flag.  Returns 1 on a match; an unknown name returns 0 and leaves
 * *flag untouched.
 */
static int set_option_flag(const char *opt, unsigned long *flag)
{
  size_t i;

  for (i = 0; ssl_options[i].name != NULL; i++) {
    if (strcmp(opt, ssl_options[i].name) != 0)
      continue;
    *flag |= ssl_options[i].code;
    return 1;
  }
  return 0;
}
134 | ||
/**
 * Find the protocol.
 *
 * Maps the Lua-facing protocol name to an OpenSSL method table.  Only
 * "sslv3", "tlsv1" and "sslv23" are recognised; anything else yields NULL,
 * which create() reports as "invalid protocol".  "sslv23" is OpenSSL's
 * version-flexible method, so the versions it will actually negotiate are
 * governed by whatever SSL_OP_NO_* options are later set on the context.
 */
static SSL_METHOD* str2method(const char *method)
{
  static const struct {
    const char *name;
    SSL_METHOD *(*get)(void);
  } table[] = {
    {"sslv3",  SSLv3_method},
    {"tlsv1",  TLSv1_method},
    {"sslv23", SSLv23_method},
  };
  size_t i;

  for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
    if (strcmp(method, table[i].name) == 0)
      return table[i].get();
  }
  return NULL;
}
145 | ||
/**
 * Prepare the SSL handshake verify flag.
 *
 * ORs the SSL_VERIFY_* bit named by `str` into *flag and returns 1; an
 * unknown name leaves *flag untouched and returns 0.  Because
 * SSL_VERIFY_NONE is 0, "none" never cancels a "peer" that was OR'ed in
 * earlier -- a caller that wants no verification must not combine the two.
 */
static int set_verify_flag(const char *str, int *flag)
{
  static const struct {
    const char *name;
    int code;
  } modes[] = {
    {"none",                 SSL_VERIFY_NONE},
    {"peer",                 SSL_VERIFY_PEER},
    {"client_once",          SSL_VERIFY_CLIENT_ONCE},
    {"fail_if_no_peer_cert", SSL_VERIFY_FAIL_IF_NO_PEER_CERT},
  };
  size_t i;

  for (i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
    if (strcmp(str, modes[i].name) == 0) {
      *flag |= modes[i].code;
      return 1;
    }
  }
  return 0;
}
169 | ||
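/**
 * Password callback for reading the private key.
 *
 * Installed by load_key() with the lua_State as userdata; stack slot 3 of
 * that state holds either the password string or a function that returns
 * it.  Copies at most size-1 bytes of the password into buf, always
 * NUL-terminates, and returns the number of bytes copied.  Returns 0 (no
 * password) when the buffer cannot hold a terminator, when the callback
 * function does not return a string, or when slot 3 is neither a string
 * nor a function.
 *
 * NOTE(review): a Lua error raised by the callback function propagates out
 * of lua_call() and unwinds the OpenSSL frames above this callback.
 */
static int passwd_cb(char *buf, int size, int flag, void *udata)
{
  lua_State *L = (lua_State *)udata;
  const char *passwd;
  size_t len;

  (void)flag;  /* OpenSSL's rwflag; the password is only ever used to read a key */

  /* size <= 0 would make buf[size-1] an out-of-bounds write. */
  if (size <= 0)
    return 0;

  switch (lua_type(L, 3)) {
  case LUA_TFUNCTION:
    lua_pushvalue(L, 3);
    lua_call(L, 0, 1);
    if (lua_type(L, -1) != LUA_TSTRING) {
      lua_pop(L, 1);
      return 0;
    }
    break;
  case LUA_TSTRING:
    /* Copy slot 3 to the top so the string is read from a known position
     * no matter how many extra arguments the Lua caller supplied. */
    lua_pushvalue(L, 3);
    break;
  default:
    return 0;
  }

  /* Bounded copy up to the first NUL, like strncpy, but with a guaranteed
   * terminator and no zero-padding of the remainder of buf. */
  passwd = lua_tostring(L, -1);
  len = strlen(passwd);
  if (len > (size_t)size - 1)
    len = (size_t)size - 1;
  memcpy(buf, passwd, len);
  buf[len] = '\0';
  lua_pop(L, 1);
  return (int)len;
}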
190 | ||
/**
 * Build a DH object from a raw big-endian prime `p` of `len` bytes and the
 * fixed generator g = 2.
 *
 * Returns NULL if OpenSSL cannot allocate the DH or either BIGNUM; on that
 * path DH_free() releases whichever of p/g was already set, so nothing
 * leaks.  The parameters are not validated here -- the callers pass the
 * built-in constants dh512_p / dh2048_p.
 */
static DH *get_dh(const unsigned char *p, int len)
{
  static unsigned char g[] = { 0x02 };
  DH *dh = DH_new();

  if (dh == NULL)
    return NULL;

  dh->p = BN_bin2bn(p, len, NULL);
  dh->g = BN_bin2bn(g, sizeof(g), NULL);
  if (dh->p != NULL && dh->g != NULL)
    return dh;

  DH_free(dh);
  return NULL;
}
/**
 * DH parameter callback
 *
 * Installed on every SSL_CTX by create().  Export-grade requests
 * (is_export with a 512-bit key length) get the built-in 512-bit group;
 * everything else gets dh_larger, i.e. the built-in 2048-bit group or
 * whatever load_dhparams() installed.  Both groups are materialised on
 * first use and cached in file-scope globals with no locking.  If get_dh()
 * fails the cached pointer stays NULL and NULL is handed back to OpenSSL.
 *
 * NOTE(review): the 512-bit group is export-grade and far below current
 * minimums; OpenSSL presumably only asks for it when an export cipher
 * suite has been enabled on the context.
 */
static DH *dh_param_cb(SSL *ssl, int is_export, int keylength)
{
  (void)ssl;  /* the choice depends only on the requested key size */

  /* Logic in postfix and dovecot, but we're using a 2048-bit group... */
  if (is_export && keylength == 512) {
    if (dh_512 == NULL)
      dh_512 = get_dh(dh512_p, sizeof(dh512_p));
    return dh_512;
  }

  if (dh_larger == NULL)
    dh_larger = get_dh(dh2048_p, sizeof(dh2048_p));
  return dh_larger;
}
0 | 223 | /*------------------------------ Lua Functions -------------------------------*/ |
224 | ||
/**
 * Create a SSL context.
 *
 * Takes the protocol name as Lua argument 1.  Allocates the SSL:Context
 * userdata and the SSL_CTX behind it, and links the two through ex_data so
 * that OpenSSL callbacks which only receive an SSL_CTX can find the Lua-side
 * p_context again.  Session caching is switched off and the ephemeral DH
 * callback is installed unconditionally.  Returns the userdata, or nil plus
 * an error message.
 */
static int create(lua_State *L)
{
  SSL_METHOD *proto;
  p_context ctx;

  /* Register the ex_data slot on first use.  -1 is both the "unset" marker
   * and OpenSSL's failure return, so a failed registration is retried on
   * the next call. */
  if (luasec_sslctx_idx < 0) {
    luasec_sslctx_idx = SSL_CTX_get_ex_new_index(0, "luasec sslctx context", NULL, NULL, NULL);
    if (luasec_sslctx_idx < 0) {
      lua_pushnil(L);
      lua_pushstring(L, "error creating luasec SSL index");
      return 2;
    }
  }

  proto = str2method(luaL_checkstring(L, 1));
  if (proto == NULL) {
    lua_pushnil(L);
    lua_pushstring(L, "invalid protocol");
    return 2;
  }

  ctx = lua_newuserdata(L, sizeof(t_context));
  if (ctx == NULL) {
    lua_pushnil(L);
    lua_pushstring(L, "error creating context");
    return 2;
  }

  ctx->context = SSL_CTX_new(proto);
  if (ctx->context == NULL) {
    /* The userdata is left on the stack below the two results; it has no
     * metatable yet, so no finalizer from "SSL:Context" can run on it. */
    lua_pushnil(L);
    lua_pushstring(L, "error creating context");
    return 2;
  }
  ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE;
  ctx->mode = MD_CTX_INVALID;

  /* No session support */
  SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF);

  /*
   * Support ephemeral diffie-hellman key exchange. This is only needed
   * for server mode, but clearer to put it here rather than set_mode.
   */
  SSL_CTX_set_tmp_dh_callback(ctx->context, dh_param_cb);

  /* Back-pointer from the SSL_CTX to this userdata; see verify_cb(). */
  SSL_CTX_set_ex_data(ctx->context, luasec_sslctx_idx, ctx);

  luaL_getmetatable(L, "SSL:Context");
  lua_setmetatable(L, -2);
  return 1;
}
274 | ||
/**
 * Load the trusting certificates.
 *
 * Lua arguments 2 and 3 are an optional CA bundle file and an optional CA
 * directory; both are passed to SSL_CTX_load_verify_locations() as given
 * (NULL when absent).  Returns true, or false plus the OpenSSL reason string.
 */
static int load_locations(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *cafile = luaL_optstring(L, 2, NULL);
  const char *capath = luaL_optstring(L, 3, NULL);
  int ok = SSL_CTX_load_verify_locations(ctx, cafile, capath) == 1;

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error loading CA locations (%s)",
    ERR_reason_error_string(ERR_get_error()));
  return 2;
}
292 | ||
/**
 * Load the certificate file.
 *
 * Lua argument 2 names a PEM file holding the certificate chain, which is
 * installed with SSL_CTX_use_certificate_chain_file().  Returns true, or
 * false plus the OpenSSL reason string.
 */
static int load_cert(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *filename = luaL_checkstring(L, 2);
  int ok = SSL_CTX_use_certificate_chain_file(ctx, filename) == 1;

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error loading certificate (%s)",
    ERR_reason_error_string(ERR_get_error()));
  return 2;
}
309 | ||
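/**
 * Load the key file -- only in PEM format.
 *
 * Lua argument 3 selects how an encrypted key is unlocked: a string is used
 * as the password, a function is called (without arguments) to produce it,
 * and nil or a missing argument means the key is expected to be
 * unencrypted.  Any other type raises "invalid callback value".  Returns
 * true, or false plus the OpenSSL reason string.
 */
static int load_key(lua_State *L)
{
  int ret = 1;
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *filename = luaL_checkstring(L, 2);
  switch (lua_type(L, 3)) {
  case LUA_TSTRING:
  case LUA_TFUNCTION:
    /* passwd_cb reads stack slot 3 of this very state, so the callback is
     * only meaningful for the duration of the call below. */
    SSL_CTX_set_default_passwd_cb(ctx, passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, L);
    /* fallthrough */
  case LUA_TNONE:  /* a missing argument is treated like an explicit nil */
  case LUA_TNIL:
    if (SSL_CTX_use_PrivateKey_file(ctx, filename, SSL_FILETYPE_PEM) == 1) {
      lua_pushboolean(L, 1);
    } else {
      ret = 2;
      lua_pushboolean(L, 0);
      lua_pushfstring(L, "error loading private key (%s)",
        ERR_reason_error_string(ERR_get_error()));
    }
    /* Always detach the callback again so the lua_State pointer does not
     * stay registered on the context.  NOTE(review): if a Lua password
     * function raises, lua_call() inside passwd_cb unwinds past this point
     * and the callback remains installed. */
    SSL_CTX_set_default_passwd_cb(ctx, NULL);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, NULL);
    break;
  default:
    lua_pushstring(L, "invalid callback value");
    lua_error(L);
  }
  return ret;
}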
342 | ||
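/**
 * Load a DH params files. This is a global LuaSec thing.
 *
 * Reads PEM-encoded DH parameters from the file named by Lua argument 1 and
 * installs them as the group dh_param_cb() serves for non-export
 * handshakes, freeing whatever dh_larger held before (including the
 * built-in 2048-bit group).  Returns true, or false plus a message carrying
 * strerror() for an fopen failure or the OpenSSL reason string for a parse
 * failure.
 *
 * NOTE(review): the parameters are installed as read; nothing here checks
 * that p is prime or that g is a suitable generator, so the file must come
 * from a trusted source.
 */
static int load_dhparams(lua_State *L)
{
  const char *filename = luaL_checkstring(L, 1);
  FILE *paramfile;
  DH *dh;

  paramfile = fopen(filename, "r");
  if (!paramfile) {
    /* Capture errno before any Lua call has a chance to overwrite it. */
    int saved_errno = errno;
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error reading dh param file %s: %s", filename,
      strerror(saved_errno));
    return 2;
  }

  dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
  fclose(paramfile);
  if (!dh) {
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error loading dh param file %s: %s", filename,
      ERR_reason_error_string(ERR_get_error()));
    return 2;
  }

  /* DH_free(NULL) is a no-op, so the first-call case needs no guard. */
  DH_free(dh_larger);
  dh_larger = dh;

  lua_pushboolean(L, 1);
  return 1;
}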
/**
 * Set the cipher list.
 *
 * Lua argument 2 is an OpenSSL cipher-list string handed verbatim to
 * SSL_CTX_set_cipher_list().  Returns true, or false plus the OpenSSL
 * reason string when no cipher in the list could be selected.
 */
static int set_cipher(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *list = luaL_checkstring(L, 2);
  int ok = SSL_CTX_set_cipher_list(ctx, list) == 1;

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error setting cipher list (%s)",
    ERR_reason_error_string(ERR_get_error()));
  return 2;
}
394 | ||
/**
 * Set the depth for certificate checking.
 *
 * Lua argument 2 (an integer, checked by luaL_checkint) becomes the
 * maximum chain depth for SSL_CTX_set_verify_depth().  Always returns true.
 */
static int set_depth(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  int depth = luaL_checkint(L, 2);

  SSL_CTX_set_verify_depth(ctx, depth);
  lua_pushboolean(L, 1);
  return 1;
}
405 | ||
406 | int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
407 | { |
408 | SSL_CTX *context; |
409 | SSL *ssl; |
410 | p_context l_ctx; |
411 | |
412 | /* Short-circuit optimization */ |
413 | if (preverify_ok) |
414 | return 1; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
415 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
416 | ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
38
4ecd7b0e67ea
Clean up the ex_data callers
Paul Aurich <paul@darkrain42.org>
parents:
36
diff
changeset
|
417 | context = ssl->ctx; |
4ecd7b0e67ea
Clean up the ex_data callers
Paul Aurich <paul@darkrain42.org>
parents:
36
diff
changeset
|
418 | l_ctx = SSL_CTX_get_ex_data(context, luasec_sslctx_idx); |
34
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
419 | |
38
4ecd7b0e67ea
Clean up the ex_data callers
Paul Aurich <paul@darkrain42.org>
parents:
36
diff
changeset
|
420 | if (l_ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { |
34
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
421 | int err, depth; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
422 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
423 | err = X509_STORE_CTX_get_error(x509_ctx); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
424 | depth = X509_STORE_CTX_get_error_depth(x509_ctx); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
425 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
426 | if (depth == 0 && err == X509_V_ERR_INVALID_PURPOSE) { |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
427 | /* You see nothing! */ |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
428 | X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
429 | preverify_ok = 1; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
430 | } |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
431 | } |
38
4ecd7b0e67ea
Clean up the ex_data callers
Paul Aurich <paul@darkrain42.org>
parents:
36
diff
changeset
|
432 | return (l_ctx->verify_flags & LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE ? 1 : preverify_ok); |
30
36ed99e1ce1e
ssl.core, context: Add ability to verify and continue, retrieve verification result
Paul Aurich <paul@darkrain42.org>
parents:
28
diff
changeset
|
433 | } |
434 | |
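/**
 * Set the handshake verify options.
 *
 * Lua: setverify(ctx, opt1, opt2, ...) -> true | false, errmsg
 *
 * Options handled here:
 *   "continue"        -- keep the handshake going even when peer
 *                        verification fails (see verify_cb); the peer is
 *                        then NOT authenticated by the handshake itself.
 *   "ignore_purpose"  -- mask X509_V_ERR_INVALID_PURPOSE on the end cert.
 *   "crl_check"       -- enable X509_V_FLAG_CRL_CHECK on the cert store.
 *   "crl_check_chain" -- enable X509_V_FLAG_CRL_CHECK_ALL on the cert store.
 * Any other name is resolved by set_verify_flag() into the SSL_VERIFY_*
 * mode passed to SSL_CTX_set_verify(); an unknown name fails the call.
 *
 * Every option is validated before the context is modified, so a failed
 * call leaves ctx->verify_flags and the SSL_CTX unchanged (previously the
 * flags were overwritten incrementally, which could leave verify_flags
 * describing a callback that was never installed).  Without options the
 * call changes nothing and returns true.  Note that X509_STORE_set_flags()
 * adds to the store's flags, so CRL checking once enabled is not cleared
 * by a later setverify() call that omits it.
 */
static int set_verify(lua_State *L)
{
  int i;
  int flag = 0;
  unsigned long vflag = 0;
  int verify_flags = LUASEC_VERIFY_FLAGS_NONE;
  p_context ctx = checkctx(L, 1);
  int max = lua_gettop(L);

  /* any flag? */
  if (max <= 1) {
    lua_pushboolean(L, 1);
    return 1;
  }

  for (i = 2; i <= max; i++) {
    const char *s = luaL_checkstring(L, i);
    if (!strcmp(s, "continue")) {
      verify_flags |= LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE;
    } else if (!strcmp(s, "ignore_purpose")) {
      verify_flags |= LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE;
    } else if (!strcmp(s, "crl_check")) {
      vflag |= X509_V_FLAG_CRL_CHECK;
    } else if (!strcmp(s, "crl_check_chain")) {
      vflag |= X509_V_FLAG_CRL_CHECK_ALL;
    } else if (!set_verify_flag(s, &flag)) {
      lua_pushboolean(L, 0);
      lua_pushstring(L, "invalid verify option");
      return 2;
    }
  }

  /* Commit only after all options parsed.  The callback is installed only
   * when a LuaSec-specific flag needs it; otherwise OpenSSL's default
   * verification applies. */
  ctx->verify_flags = verify_flags;
  SSL_CTX_set_verify(ctx->context, flag, ctx->verify_flags ? verify_cb : NULL);
  if (vflag) {
    X509_STORE *store = SSL_CTX_get_cert_store(ctx->context);
    X509_STORE_set_flags(store, vflag);
  }
  lua_pushboolean(L, 1);
  return 1;
}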
475 | ||
/**
 * Set the protocol options.
 *
 * Lua: setoptions(ctx, name1, name2, ...) -> true | false, errmsg
 * Each name is resolved by set_option_flag() into the option mask; an
 * unknown name fails the call before anything is applied.  The mask is
 * passed to SSL_CTX_set_options(), which ORs it into the options already
 * present on the context, so options set earlier are never cleared here.
 * Without names the call changes nothing and returns true.
 */
static int set_options(lua_State *L)
{
  unsigned long mask = 0L;
  SSL_CTX *ssl_ctx = ctx_getcontext(L, 1);
  int nargs = lua_gettop(L);
  int i;

  /* Loop body runs zero times when no option was given. */
  for (i = 2; i <= nargs; i++) {
    if (!set_option_flag(luaL_checkstring(L, i), &mask)) {
      lua_pushboolean(L, 0);
      lua_pushstring(L, "invalid option");
      return 2;
    }
  }
  if (nargs > 1)
    SSL_CTX_set_options(ssl_ctx, mask);

  lua_pushboolean(L, 1);
  return 1;
}
499 | ||
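/**
 * Set the context mode.
 *
 * Lua: setmode(ctx, "server" | "client") -> true | false, errmsg
 * Any other string fails and leaves ctx->mode untouched.  On failure two
 * values are returned, matching set_verify()/set_options(); the original
 * returned only the boolean, so the error message never reached the caller.
 */
static int set_mode(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  const char *str = luaL_checkstring(L, 2);

  if (!strcmp("server", str)) {
    ctx->mode = MD_CTX_SERVER;
  } else if (!strcmp("client", str)) {
    ctx->mode = MD_CTX_CLIENT;
  } else {
    lua_pushboolean(L, 0);
    lua_pushstring(L, "invalid mode");
    return 2;
  }
  lua_pushboolean(L, 1);
  return 1;
}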
521 | ||
/**
 * Return a pointer to SSL_CTX structure.
 *
 * Lua: rawcontext(ctx) -> lightuserdata
 * The SSL_CTX remains owned by the context userdata and is released by its
 * __gc metamethod (meth_destroy); holders of the light userdata must not
 * free it or use it after the context has been collected.
 */
static int raw_ctx(lua_State *L)
{
  SSL_CTX *raw = ctx_getcontext(L, 1);
  lua_pushlightuserdata(L, raw);
  return 1;
}
531 | ||
/**
 * Package functions: Lua name -> C implementation, registered into the
 * "ssl.context" table by luaopen_ssl_context().
 */
static luaL_Reg funcs[] = {
  {"create", create},
  {"locations", load_locations},
  {"loadcert", load_cert},
  {"loadkey", load_key},
  {"setcipher", set_cipher},
  {"setdepth", set_depth},
  {"setverify", set_verify},
  {"setoptions", set_options},
  {"setmode", set_mode},
  {"rawcontext", raw_ctx},          /* exposes the SSL_CTX* as light userdata */
  {"loaddhparams", load_dhparams},
  {NULL, NULL}                      /* sentinel required by luaL_register */
};
549 | ||
550 | /*-------------------------------- Metamethods -------------------------------*/ | |
551 | ||
/**
 * Collect SSL context -- GC metamethod.
 *
 * Frees the underlying SSL_CTX exactly once: the pointer is cleared so a
 * repeated invocation is a no-op.  Raw pointers previously handed out by
 * rawcontext() are dangling after this.
 */
static int meth_destroy(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  SSL_CTX *raw = ctx->context;

  if (raw == NULL)
    return 0;

  ctx->context = NULL;
  SSL_CTX_free(raw);
  return 0;
}
564 | ||
/**
 * Object information -- tostring metamethod.
 *
 * Produces "SSL context: <address>" from the userdata pointer, the same
 * kind of representation Lua itself uses for userdata.  The address is a
 * process heap address made visible to Lua code.
 */
static int meth_tostring(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  void *addr = (void *)ctx;

  lua_pushfstring(L, "SSL context: %p", addr);
  return 1;
}
574 | ||
/**
 * Context metamethods, set on the "SSL:Context" metatable.
 */
static luaL_Reg meta[] = {
  {"__gc", meth_destroy},           /* frees the SSL_CTX on collection */
  {"__tostring", meth_tostring},
  {NULL, NULL}                      /* sentinel required by luaL_register */
};
583 | ||
584 | ||
585 | /*----------------------------- Public Functions ---------------------------*/ | |
586 | ||
/**
 * Retrieve the SSL context from the Lua stack.
 *
 * Validates that the value at idx is a context userdata (checkctx raises a
 * Lua error otherwise) and returns its SSL_CTX, which stays owned by the
 * userdata.  May be NULL after meth_destroy() has run.
 */
SSL_CTX* ctx_getcontext(lua_State *L, int idx)
{
  return checkctx(L, idx)->context;
}
595 | ||
/**
 * Retrieve the mode from the context in the Lua stack.
 *
 * Returns the mode byte stored by set_mode() (MD_CTX_SERVER or
 * MD_CTX_CLIENT once set); checkctx raises a Lua error if the value at idx
 * is not a context userdata.
 */
char ctx_getmode(lua_State *L, int idx)
{
  return checkctx(L, idx)->mode;
}
604 | ||
605 | /*------------------------------ Initialization ------------------------------*/ | |
606 | ||
/**
 * Register the module.
 *
 * Creates the "SSL:Context" metatable with the metamethods in meta[], then
 * registers the package functions in funcs[] as "ssl.context".  The order
 * matters: luaL_register() leaves the module table on the stack, which is
 * the single value returned to Lua.
 */
int luaopen_ssl_context(lua_State *L)
{
  luaL_newmetatable(L, "SSL:Context");
  luaL_register(L, NULL, meta);
  luaL_register(L, "ssl.context", funcs);
  return 1;
}