Sun, 12 Dec 2010 22:21:36 +0000
context.c: Add crl_check and crl_check_chain verify options
0 | 1 | /*-------------------------------------------------------------------------- |
2 | * LuaSec 0.4 | |
3 | * Copyright (C) 2006-2009 Bruno Silvestre | |
4 | * | |
5 | *--------------------------------------------------------------------------*/ | |
6 | ||
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#include <lua.h>
#include <lauxlib.h>

#include "context.h"
15 | ||
/*
 * One entry of the option table consumed by set_option_flag: the name
 * accepted from Lua and the SSL_OP_* bit it ORs into the context's
 * option mask.  The table is terminated by an entry whose name is NULL.
 */
typedef struct ssl_option_s {
  const char *name;     /* option name as given by the Lua caller */
  unsigned long code;   /* SSL_OP_* bit mask for SSL_CTX_set_options */
} ssl_option_t;
21 | ||
22 | int luasec_ssl_idx = -1; |
23 | |
/*
 * Ephemeral DH groups served by dh_param_cb.  Both are module-global:
 * every context created by this file shares them, they are built lazily
 * on first use, and no locking around them is visible here (NOTE(review):
 * confirm all SSL handshakes using this module run on one thread).
 */
/* The export DH key.  512 bits is export-grade and offers no meaningful
 * security today; dh_param_cb only hands it out when OpenSSL asks for an
 * export key (is_export && keylength == 512), i.e. only if the cipher
 * list still admits export suites.  Prefer excluding those suites. */
static DH *dh_512 = NULL;
/* The larger key (builtin is 2048, caller may specify larger).
 * load_dhparams replaces this pointer with the group read from a file. */
static DH *dh_larger = NULL;

/* Generated via "openssl dhparam -2 -noout -C 512 2>/dev/null" */
/* Big-endian prime p of the 512-bit group; the generator is 2 (get_dh). */
static unsigned char dh512_p[] = {
  0xE4,0x3F,0x75,0x82,0xAD,0x0B,0x28,0xC7,0xEF,0xCE,0xBC,0x3B,
  0x14,0xBB,0xA6,0xF4,0xA2,0xE9,0xA6,0x59,0xCF,0x97,0x1C,0x86,
  0x43,0x3B,0x92,0x4A,0x6B,0x15,0x4B,0x0C,0xAC,0x8F,0xFA,0x43,
  0xE2,0xA8,0xC3,0x3B,0x7B,0x51,0x1B,0x46,0x21,0xBF,0x8C,0x06,
  0x6C,0xB1,0x49,0x75,0xC7,0xAC,0x47,0x1D,0x9D,0x64,0xD5,0x99,
  0x33,0x86,0xAD,0xEB,
};

/* Generated via "openssl dhparam -2 -noout -C 2048 2>/dev/null" */
/* Big-endian prime p of the built-in 2048-bit group; generator is 2. */
static unsigned char dh2048_p[] = {
  0x9B,0xF4,0xC5,0x57,0x81,0x8F,0xCF,0x31,0x78,0x95,0x04,0xCD,
  0xEA,0xCC,0x30,0xEA,0xF7,0xCA,0x76,0xC8,0x8F,0x91,0xEA,0x0E,
  0x44,0x8D,0xE2,0x63,0x19,0x3B,0x4D,0x04,0xC8,0x7D,0x0D,0xFF,
  0x3D,0x52,0x76,0x02,0xF3,0xCA,0x1C,0x44,0xAF,0x0E,0xA9,0x59,
  0x02,0x40,0x75,0xD6,0xED,0x35,0x4D,0x11,0x5B,0x2B,0x73,0x23,
  0xE5,0x53,0x0B,0x1F,0xB0,0x47,0xC4,0x7F,0x95,0x5D,0xB0,0xD5,
  0xF3,0xD3,0xAB,0x5F,0x28,0x2B,0xEC,0x2C,0x15,0x0B,0x1B,0x0C,
  0xD4,0xBE,0x24,0x2F,0xC5,0x07,0x3C,0xE4,0xC5,0xE6,0x16,0x42,
  0x4C,0x31,0x04,0xBB,0x80,0x96,0xFF,0x64,0x50,0xA4,0xA5,0xB5,
  0xF5,0x3A,0xBA,0x57,0xE4,0xE6,0xC2,0x23,0x0A,0xB6,0x27,0xC4,
  0x06,0x01,0x1E,0x98,0x20,0x09,0xC8,0xB7,0x90,0x09,0x86,0x06,
  0xAA,0x85,0xE7,0x02,0xC8,0xC6,0xD9,0x1D,0xAB,0x17,0xEE,0x78,
  0x73,0x78,0x88,0x7F,0xA7,0xF2,0x34,0xA7,0xDD,0x02,0x16,0x36,
  0x0D,0x77,0x16,0x3E,0x95,0xAE,0x02,0xEE,0x36,0x37,0xD5,0x61,
  0x5D,0xFE,0xC6,0x0B,0xDF,0xCE,0xB9,0x26,0x31,0x6F,0x34,0x92,
  0xBB,0xBB,0x91,0x29,0x77,0x62,0x1D,0x75,0xA0,0x51,0x8D,0x31,
  0x4C,0x64,0x4E,0xBF,0xDC,0xE8,0x67,0x17,0x90,0x6A,0x80,0xE9,
  0xD7,0xD8,0x56,0x4E,0x85,0x21,0x9C,0xFB,0xE6,0x1B,0xD8,0x05,
  0xFD,0x13,0x77,0x00,0x96,0x2D,0x0C,0x2A,0x95,0x1A,0x08,0x82,
  0x2E,0xB3,0xE2,0xFC,0xE8,0xA6,0xF1,0x16,0x37,0x57,0x82,0xD6,
  0xF5,0xAB,0xA9,0x43,0x8F,0x33,0xB0,0x57,0x38,0x6E,0x61,0xD4,
  0xDD,0xE0,0x1C,0xCB,
};
0 | 64 | |
/*
 * Option names accepted from Lua, mapped to the SSL_OP_* bit they set
 * (see set_option_flag).  Bits are only ever OR'd in; no name clears one.
 *
 * NOTE(review): create() sets no options itself, so protocol exclusions
 * such as "no_sslv2"/"no_sslv3" take effect only when the caller names
 * them explicitly.
 */
static ssl_option_t ssl_options[] = {
  /* OpenSSL 0.9.7 and 0.9.8 */
  {"all", SSL_OP_ALL},
  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
  {"no_session_resumption_on_renegotiation",
    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
  {"no_sslv2", SSL_OP_NO_SSLv2},
  {"no_sslv3", SSL_OP_NO_SSLv3},
  {"no_tlsv1", SSL_OP_NO_TLSv1},
  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
  /* OpenSSL 0.9.8 and later (not available in 0.9.7) */
#if OPENSSL_VERSION_NUMBER > 0x00908000L
  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
#endif
  /* OpenSSL 0.9.8f and above */
#if defined(SSL_OP_NO_TICKET)
  {"no_ticket", SSL_OP_NO_TICKET},
#endif
  /* Only where the library exposes it (TLS compression can be disabled) */
#if defined(SSL_OP_NO_COMPRESSION)
  {"no_compression", SSL_OP_NO_COMPRESSION},
#endif
  {NULL, 0L}   /* terminator required by set_option_flag */
};
106 | ||
107 | /*--------------------------- Auxiliary Functions ----------------------------*/ | |
108 | ||
/**
 * Return the context.
 *
 * Fetches the userdata at stack slot idx, raising a Lua argument error
 * (via luaL_checkudata) unless it carries the "SSL:Context" metatable.
 */
p_context checkctx(lua_State *L, int idx)
{
  void *ud = luaL_checkudata(L, idx, "SSL:Context");
  return (p_context)ud;
}
116 | ||
/**
 * Prepare the SSL options flag.
 *
 * Looks up opt in ssl_options and ORs the matching SSL_OP_* bit into
 * *flag, so successive calls accumulate.  Returns 1 on a match, 0 when
 * the name is unknown (*flag is then left untouched).
 */
static int set_option_flag(const char *opt, unsigned long *flag)
{
  const ssl_option_t *entry = ssl_options;

  while (entry->name != NULL) {
    if (strcmp(entry->name, opt) == 0) {
      *flag |= entry->code;
      return 1;
    }
    entry++;
  }
  return 0;
}
131 | ||
/**
 * Find the protocol.
 *
 * Maps the Lua protocol name to an OpenSSL method: "sslv3", "tlsv1" or
 * "sslv23".  Returns NULL for any other name.
 *
 * NOTE(review): "sslv23" is OpenSSL's version-flexible method; create()
 * applies no options to the new context, so a caller wanting to exclude
 * SSLv2/SSLv3 must still pass the "no_sslv2"/"no_sslv3" options.
 */
static SSL_METHOD* str2method(const char *method)
{
  SSL_METHOD *m = NULL;

  if (strcmp(method, "sslv3") == 0)
    m = SSLv3_method();
  else if (strcmp(method, "tlsv1") == 0)
    m = TLSv1_method();
  else if (strcmp(method, "sslv23") == 0)
    m = SSLv23_method();
  return m;
}
142 | ||
/**
 * Prepare the SSL handshake verify flag.
 *
 * ORs the SSL_VERIFY_* bit named by str into *flag; returns 1 on a known
 * name, 0 otherwise (leaving *flag untouched).  Accepted names: "none",
 * "peer", "client_once", "fail_if_no_peer_cert".
 *
 * NOTE(review): bits are only accumulated here, so "none" cannot undo a
 * "peer" given alongside it; whether SSL_VERIFY_NONE is a zero mask is an
 * OpenSSL detail not visible in this file.
 */
static int set_verify_flag(const char *str, int *flag)
{
  static const struct { const char *name; int code; } names[] = {
    {"none",                 SSL_VERIFY_NONE},
    {"peer",                 SSL_VERIFY_PEER},
    {"client_once",          SSL_VERIFY_CLIENT_ONCE},
    {"fail_if_no_peer_cert", SSL_VERIFY_FAIL_IF_NO_PEER_CERT},
  };
  size_t i;

  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
    if (strcmp(str, names[i].name) == 0) {
      *flag |= names[i].code;
      return 1;
    }
  }
  return 0;
}
166 | ||
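/**
 * Password callback for reading the private key.
 *
 * Installed by load_key for the duration of SSL_CTX_use_PrivateKey_file.
 * udata is the lua_State of the load_key call, whose stack slot 3 holds
 * either the passphrase string or a function returning it.  Copies the
 * passphrase into buf (at most size-1 bytes, NUL-terminated) and returns
 * its length, or 0 when no passphrase is available.
 *
 * Fixes over the previous version:
 *  - the string case reads slot 3 explicitly; reading the stack top (-1)
 *    picked the wrong value, possibly a non-string (lua_tostring -> NULL
 *    -> strncpy crash), whenever the Lua caller passed extra arguments;
 *  - the callback is invoked with lua_pcall: a Lua error must not longjmp
 *    out through OpenSSL's PEM reader, which would leak its state;
 *  - size <= 0 is rejected instead of writing buf[size-1].
 */
static int passwd_cb(char *buf, int size, int flag, void *udata)
{
  lua_State *L = (lua_State*)udata;
  const char *pwd = NULL;
  int pwd_idx = 3;
  size_t len;

  (void)flag;  /* rwflag: keys are only ever read here */
  if (buf == NULL || size <= 0)
    return 0;

  switch (lua_type(L, 3)) {
  case LUA_TFUNCTION:
    lua_pushvalue(L, 3);
    if (lua_pcall(L, 0, 1, 0) != 0 || lua_type(L, -1) != LUA_TSTRING) {
      lua_pop(L, 1);  /* error message or non-string result */
      return 0;
    }
    pwd_idx = -1;     /* the function's result is now on top */
    /* fallthrough */
  case LUA_TSTRING:
    pwd = lua_tostring(L, pwd_idx);
    break;
  default:
    return 0;
  }
  if (pwd == NULL)
    return 0;

  /* Bounded copy; a passphrase longer than the buffer is truncated, which
   * OpenSSL will report as a bad password rather than overflow. */
  len = strlen(pwd);
  if (len >= (size_t)size)
    len = (size_t)size - 1;
  memcpy(buf, pwd, len);
  buf[len] = '\0';
  return (int)len;
}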
187 | ||
/**
 * Build a DH group from a big-endian prime.
 *
 * p/len is the modulus as raw bytes; the generator is fixed at 2, matching
 * the "-2" the built-in primes were generated with.  Returns a new DH the
 * caller owns, or NULL on allocation failure (the partially built object
 * is released with DH_free, which is expected to free p and g as well).
 */
static DH *get_dh(const unsigned char *p, int len)
{
  static unsigned char generator[] = { 0x02 };
  DH *dh = DH_new();

  if (dh == NULL)
    return NULL;

  dh->p = BN_bin2bn(p, len, NULL);
  dh->g = BN_bin2bn(generator, sizeof(generator), NULL);
  if (dh->p != NULL && dh->g != NULL)
    return dh;

  DH_free(dh);
  return NULL;
}
/**
 * DH parameter callback
 *
 * Installed on every context by create(); OpenSSL calls it when a
 * handshake needs ephemeral DH parameters.  An export request for a
 * 512-bit key gets the 512-bit group (weak; only reachable if export
 * cipher suites are enabled), everything else gets dh_larger — the
 * built-in 2048-bit group unless load_dhparams replaced it.  Groups are
 * built on first use and cached in the module-level statics; the return
 * may be NULL if building one failed.
 */
static DH *dh_param_cb(SSL *ssl, int is_export, int keylength)
{
  DH **slot;
  const unsigned char *prime;
  int prime_len;

  (void)ssl;
  /* Logic in postfix and dovecot, but we're using a 2048-bit group... */
  if (is_export && keylength == 512) {
    slot = &dh_512;
    prime = dh512_p;
    prime_len = (int)sizeof(dh512_p);
  } else {
    slot = &dh_larger;
    prime = dh2048_p;
    prime_len = (int)sizeof(dh2048_p);
  }

  if (*slot == NULL)
    *slot = get_dh(prime, prime_len);
  return *slot;
}
8c61b29d87ec
context: support for diffie-hellman key exchange
Paul Aurich <paul@darkrain42.org>
parents:
1
diff
changeset
|
218 | |
8c61b29d87ec
context: support for diffie-hellman key exchange
Paul Aurich <paul@darkrain42.org>
parents:
1
diff
changeset
|
219 | |
0 | 220 | /*------------------------------ Lua Functions -------------------------------*/ |
221 | ||
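/**
 * Create a SSL context.
 *
 * Lua argument 1 is the protocol name understood by str2method.  Returns
 * the new "SSL:Context" userdata, or nil plus an error message.  The
 * context starts with no verify flags, an invalid mode, session caching
 * off and the ephemeral-DH callback installed; no SSL_OP_* options and no
 * verify mode are set here, so those come from later calls (or OpenSSL's
 * defaults when they are never made).
 *
 * Change: the SSL_CTX_new failure now carries OpenSSL's reason string, as
 * the other loaders in this file already do.
 */
static int create(lua_State *L)
{
  p_context ctx;
  SSL_METHOD *method = str2method(luaL_checkstring(L, 1));

  if (method == NULL) {
    lua_pushnil(L);
    lua_pushstring(L, "invalid protocol");
    return 2;
  }
  ctx = (p_context)lua_newuserdata(L, sizeof(t_context));
  if (ctx == NULL) {  /* defensive: lua_newuserdata normally raises instead */
    lua_pushnil(L);
    lua_pushstring(L, "error creating context");
    return 2;
  }
  ctx->context = SSL_CTX_new(method);
  if (ctx->context == NULL) {
    lua_pushnil(L);
    lua_pushfstring(L, "error creating context (%s)",
                    ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  ctx->verify_flags = LUASEC_VERIFY_FLAGS_NONE;
  ctx->mode = MD_CTX_INVALID;
  /* No session support */
  SSL_CTX_set_session_cache_mode(ctx->context, SSL_SESS_CACHE_OFF);
  /*
   * Support ephemeral diffie-hellman key exchange. This is only needed
   * for server mode, but clearer to put it here rather than set_mode.
   */
  SSL_CTX_set_tmp_dh_callback(ctx->context, dh_param_cb);
  luaL_getmetatable(L, "SSL:Context");
  lua_setmetatable(L, -2);
  return 1;
}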
261 | ||
/**
 * Load the trusting certificates.
 *
 * Lua arguments: (1) context, (2) optional CA file, (3) optional CA
 * directory; both locations are passed to SSL_CTX_load_verify_locations
 * as given (NULL when omitted).  Returns true, or false plus OpenSSL's
 * reason string.  Loading trust anchors does not by itself turn on peer
 * verification; that is set_verify's job.
 */
static int load_locations(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *cafile = luaL_optstring(L, 2, NULL);
  const char *capath = luaL_optstring(L, 3, NULL);
  int ok = (SSL_CTX_load_verify_locations(ctx, cafile, capath) == 1);

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error loading CA locations (%s)",
                  ERR_reason_error_string(ERR_get_error()));
  return 2;
}
279 | ||
/**
 * Load the certificate file.
 *
 * Lua arguments: (1) context, (2) path to a PEM file holding the
 * certificate followed by any intermediate chain certificates.  Returns
 * true, or false plus OpenSSL's reason string.
 */
static int load_cert(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *filename = luaL_checkstring(L, 2);
  int ok = (SSL_CTX_use_certificate_chain_file(ctx, filename) == 1);

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error loading certificate (%s)",
                  ERR_reason_error_string(ERR_get_error()));
  return 2;
}
296 | ||
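/**
 * Load the key file -- only in PEM format.
 *
 * Lua arguments: (1) context, (2) PEM file path, (3) passphrase: a string,
 * a function returning the string, or nil.  For a string or function the
 * passwd_cb callback is installed on the context for the duration of the
 * load and removed again afterwards (both on success and failure).  Any
 * other type raises "invalid callback value".  Returns true, or false plus
 * OpenSSL's reason string.
 *
 * Change: an omitted third argument (LUA_TNONE) is now treated like nil
 * instead of raising the "invalid callback value" error.
 *
 * NOTE(review): nothing here checks that the key matches the certificate
 * loaded by load_cert; a mismatch surfaces only at handshake time.
 */
static int load_key(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *filename = luaL_checkstring(L, 2);
  int pwd_type = lua_type(L, 3);
  int nret;

  if (pwd_type == LUA_TNONE)
    pwd_type = LUA_TNIL;
  if (pwd_type != LUA_TNIL && pwd_type != LUA_TSTRING && pwd_type != LUA_TFUNCTION) {
    lua_pushstring(L, "invalid callback value");
    lua_error(L);
  }

  /* String or function: let OpenSSL ask passwd_cb for the passphrase. */
  if (pwd_type != LUA_TNIL) {
    SSL_CTX_set_default_passwd_cb(ctx, passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, L);
  }

  if (SSL_CTX_use_PrivateKey_file(ctx, filename, SSL_FILETYPE_PEM) == 1) {
    lua_pushboolean(L, 1);
    nret = 1;
  } else {
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error loading private key (%s)",
                    ERR_reason_error_string(ERR_get_error()));
    nret = 2;
  }

  /* Never leave a callback pointing at this (soon stale) lua_State. */
  SSL_CTX_set_default_passwd_cb(ctx, NULL);
  SSL_CTX_set_default_passwd_cb_userdata(ctx, NULL);
  return nret;
}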
329 | ||
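/**
 * Load a DH params file. This is a global LuaSec thing: the group read
 * here replaces the built-in 2048-bit group handed out by dh_param_cb for
 * every context created by this module (the 512-bit export group is not
 * affected).
 *
 * Lua argument 1 is the path of a PEM "DH PARAMETERS" file.  Returns true,
 * or false plus an error message (errno text for open failures, OpenSSL's
 * reason for parse failures).
 *
 * Changes: errno is captured before any other call can clobber it, and a
 * group whose modulus is not prime is rejected — such a "group" gives a
 * key exchange with no security, and a file that parses is not evidence
 * that it is sane.  No minimum size is enforced; the caller is expected to
 * supply a group at least as large as the built-in one.
 *
 * NOTE(review): the previous group is freed while dh_param_cb may still
 * hand its pointer to OpenSSL on another thread; confirm handshakes and
 * this call are serialized before relying on that.
 */
static int load_dhparams(lua_State *L)
{
  const char *filename = luaL_checkstring(L, 1);
  FILE *paramfile;
  DH *dh;
  int codes = 0;

  paramfile = fopen(filename, "r");
  if (paramfile == NULL) {
    int saved_errno = errno;
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error reading dh param file %s: %s", filename,
                    strerror(saved_errno));
    return 2;
  }

  dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
  fclose(paramfile);
  if (dh == NULL) {
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error loading dh param file %s: %s", filename,
                    ERR_reason_error_string(ERR_get_error()));
    return 2;
  }

  /* DH_check failing outright (returns 0) is treated like a bad group. */
  if (!DH_check(dh, &codes) || (codes & DH_CHECK_P_NOT_PRIME)) {
    DH_free(dh);
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error loading dh param file %s: %s", filename,
                    "modulus is not prime");
    return 2;
  }

  if (dh_larger)
    DH_free(dh_larger);
  dh_larger = dh;

  lua_pushboolean(L, 1);
  return 1;
}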
/**
 * Set the cipher list.
 *
 * Lua arguments: (1) context, (2) an OpenSSL cipher-list string, handed to
 * SSL_CTX_set_cipher_list verbatim.  Returns true, or false plus OpenSSL's
 * reason string.  Note that OpenSSL reports success as long as the string
 * selects at least one cipher, so a misspelled entry in a longer list is
 * not detected here.
 */
static int set_cipher(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  const char *list = luaL_checkstring(L, 2);
  int ok = (SSL_CTX_set_cipher_list(ctx, list) == 1);

  lua_pushboolean(L, ok);
  if (ok)
    return 1;
  lua_pushfstring(L, "error setting cipher list (%s)",
                  ERR_reason_error_string(ERR_get_error()));
  return 2;
}
381 | ||
/**
 * Set the depth for certificate checking.
 *
 * Lua arguments: (1) context, (2) integer maximum chain depth, passed to
 * SSL_CTX_set_verify_depth unchecked (a negative value is not rejected
 * here).  Always returns true.
 */
static int set_depth(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  int depth = luaL_checkint(L, 2);

  SSL_CTX_set_verify_depth(ctx, depth);
  lua_pushboolean(L, 1);
  return 1;
}
392 | ||
393 | int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
36ed99e1ce1e
ssl.core, context: Add ability to verify and continue, retrieve verification result
Paul Aurich <paul@darkrain42.org>
parents:
28
diff
changeset
|
394 | { |
34
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
395 | SSL *ssl; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
396 | p_context ctx = NULL; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
397 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
398 | /* Short-circuit optimization */ |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
399 | if (preverify_ok) |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
400 | return 1; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
401 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
402 | ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
403 | ctx = SSL_get_ex_data(ssl, luasec_ssl_idx); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
404 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
405 | if (ctx->verify_flags & LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE) { |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
406 | int err, depth; |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
407 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
408 | err = X509_STORE_CTX_get_error(x509_ctx); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
409 | depth = X509_STORE_CTX_get_error_depth(x509_ctx); |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
410 | |
510432315106
verify: Flag to ignore 'invalid purpose' errors on end cert
Paul Aurich <paul@darkrain42.org>
parents:
30
diff
changeset
|
411 | if (depth == 0 && err == X509_V_ERR_INVALID_PURPOSE) { |
412 | /* You see nothing! */ |
413 | X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); |
414 | preverify_ok = 1; |
415 | } |
416 | } |
417 | return (ctx->verify_flags & LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE ? 1 : preverify_ok); |
418 | } |
419 | |
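/**
 * Set the handshake verify options.
 *
 * Lua: ctx:setverify([opt, ...]) -> true | false, errmsg
 *
 * Each extra argument is a string naming one option:
 *   "continue"        -- LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE: verify_cb
 *                        reports success even when OpenSSL's verification
 *                        of a certificate failed.
 *   "ignore_purpose"  -- LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE: verify_cb
 *                        clears X509_V_ERR_INVALID_PURPOSE on the end cert.
 *   "crl_check"       -- X509_V_FLAG_CRL_CHECK on the context's cert store.
 *   "crl_check_chain" -- X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL.
 *   anything else     -- mapped by set_verify_flag() to an SSL_VERIFY_* mode;
 *                        an unknown name returns false, "invalid verify option".
 *
 * The options are collected first and only applied once every one of them
 * has been accepted, so a rejected name leaves the context exactly as it
 * was.  Without extra arguments nothing is changed and true is returned.
 */
static int set_verify(lua_State *L)
{
  int i;
  int flag = 0;                            /* SSL_VERIFY_* mode bits      */
  unsigned long vflag = 0L;                /* X509_V_FLAG_* store bits    */
  int lflags = LUASEC_VERIFY_FLAGS_NONE;   /* LuaSec's own callback flags */
  p_context ctx = checkctx(L, 1);
  int max = lua_gettop(L);
  /* any flag? */
  if (max > 1) {
    for (i = 2; i <= max; i++) {
      const char *s = luaL_checkstring(L, i);
      if (!strcmp(s, "continue")) {
        lflags |= LUASEC_VERIFY_FLAGS_ALWAYS_CONTINUE;
      } else if (!strcmp(s, "ignore_purpose")) {
        lflags |= LUASEC_VERIFY_FLAGS_IGNORE_PURPOSE;
      } else if (!strcmp(s, "crl_check")) {
        vflag |= X509_V_FLAG_CRL_CHECK;
      } else if (!strcmp(s, "crl_check_chain")) {
        /* OpenSSL only consults X509_V_FLAG_CRL_CHECK_ALL when
         * X509_V_FLAG_CRL_CHECK is set as well; without it
         * "crl_check_chain" on its own would silently check no CRL. */
        vflag |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
      } else if (!set_verify_flag(s, &flag)) {
        /* Nothing has been written to ctx yet, so the previous
         * verification settings remain in force. */
        lua_pushboolean(L, 0);
        lua_pushstring(L, "invalid verify option");
        return 2;
      }
    }
    /* Every option was accepted: commit.  verify_cb reads
     * ctx->verify_flags during the handshake, so it is only installed
     * when one of LuaSec's own flags needs it. */
    ctx->verify_flags = lflags;
    SSL_CTX_set_verify(ctx->context, flag, ctx->verify_flags ? verify_cb : NULL);
    if (vflag) {
      /* X509_STORE_set_flags() ORs into the store's flags: CRL checking,
       * once enabled, is not turned off by a later setverify() call that
       * leaves the crl_* options out. */
      X509_STORE *store = SSL_CTX_get_cert_store(ctx->context);
      X509_STORE_set_flags(store, vflag);
    }
  }
  lua_pushboolean(L, 1);
  return 1;
}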
460 | ||
/**
 * Set the protocol options.
 *
 * Lua: ctx:setoptions([opt, ...]) -> true | false, errmsg
 *
 * Every extra argument is a string that set_option_flag() maps to an
 * SSL_OP_* bit.  The bits are ORed together and handed to
 * SSL_CTX_set_options() only after all names have been accepted, so an
 * unknown name (false, "invalid option") leaves the context untouched.
 * SSL_CTX_set_options() adds to the options already set; it never clears
 * any.  With no extra argument nothing is changed and true is returned.
 */
static int set_options(lua_State *L)
{
  SSL_CTX *ctx = ctx_getcontext(L, 1);
  int nargs = lua_gettop(L);
  unsigned long bits = 0L;
  int idx;

  /* no option given: nothing to apply */
  if (nargs <= 1) {
    lua_pushboolean(L, 1);
    return 1;
  }
  for (idx = 2; idx <= nargs; idx++) {
    const char *name = luaL_checkstring(L, idx);
    if (!set_option_flag(name, &bits)) {
      lua_pushboolean(L, 0);
      lua_pushstring(L, "invalid option");
      return 2;
    }
  }
  SSL_CTX_set_options(ctx, bits);
  lua_pushboolean(L, 1);
  return 1;
}
484 | ||
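/**
 * Set the context mode.
 *
 * Lua: ctx:setmode("server" | "client") -> true | false, errmsg
 *
 * Records in ctx->mode whether the context is to be used for the server
 * or the client side of a handshake.  Any other string is rejected with
 * false and the message "invalid mode", both returned to the caller as
 * the other setters do.
 */
static int set_mode(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  const char *str = luaL_checkstring(L, 2);
  if (!strcmp("server", str)) {
    ctx->mode = MD_CTX_SERVER;
    lua_pushboolean(L, 1);
    return 1;
  }
  if (!strcmp("client", str)) {
    ctx->mode = MD_CTX_CLIENT;
    lua_pushboolean(L, 1);
    return 1;
  }
  lua_pushboolean(L, 0);
  lua_pushstring(L, "invalid mode");
  /* Both values are returned; returning 1 here used to drop the message
   * that had just been pushed. */
  return 2;
}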
506 | ||
/**
 * Return a pointer to SSL_CTX structure.
 *
 * Lua: ctx:rawcontext() -> lightuserdata
 *
 * Exposes the underlying SSL_CTX* as a light userdata, i.e. without any
 * ownership: the pointer is only valid while the context object is alive,
 * because meth_destroy frees the SSL_CTX when the object is collected.
 */
static int raw_ctx(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  SSL_CTX *raw = ctx->context;
  lua_pushlightuserdata(L, (void *)raw);
  return 1;
}
516 | ||
/**
 * Package functions
 *
 * Lua name -> C handler, registered into the "ssl.context" table by
 * luaopen_ssl_context().  The {NULL, NULL} entry terminates the list.
 */
static luaL_Reg funcs[] = {
  { "create",       create         },
  { "locations",    load_locations },
  { "loadcert",     load_cert      },
  { "loadkey",      load_key       },
  { "setcipher",    set_cipher     },
  { "setdepth",     set_depth      },
  { "setverify",    set_verify     },
  { "setoptions",   set_options    },
  { "setmode",      set_mode       },
  { "rawcontext",   raw_ctx        },
  { "loaddhparams", load_dhparams  },
  { NULL,           NULL           }
};
534 | ||
535 | /*-------------------------------- Metamethods -------------------------------*/ | |
536 | ||
/**
 * Collect SSL context -- GC metamethod.
 *
 * Releases the SSL_CTX held by the userdata and clears the pointer, so a
 * second call (or a later collection) finds nothing left to free.
 */
static int meth_destroy(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  SSL_CTX *c = ctx->context;
  if (c == NULL) {
    return 0;
  }
  ctx->context = NULL;
  SSL_CTX_free(c);
  return 0;
}
549 | ||
/**
 * Object information -- tostring metamethod.
 *
 * Produces "SSL context: <address>" for the userdata itself.
 */
static int meth_tostring(lua_State *L)
{
  p_context ctx = checkctx(L, 1);
  void *addr = ctx;
  lua_pushfstring(L, "SSL context: %p", addr);
  return 1;
}
559 | ||
/**
 * Context metamethods.
 *
 * Installed on the "SSL:Context" metatable by luaopen_ssl_context().
 */
static luaL_Reg meta[] = {
  { "__gc",       meth_destroy  },
  { "__tostring", meth_tostring },
  { NULL,         NULL          }
};
568 | ||
569 | ||
570 | /*----------------------------- Public Functions ---------------------------*/ | |
571 | ||
/**
 * Retrieve the SSL context from the Lua stack.
 *
 * @param L    Lua state.
 * @param idx  Stack index holding the context userdata (checked by checkctx).
 * @return     The SSL_CTX owned by that userdata.
 */
SSL_CTX* ctx_getcontext(lua_State *L, int idx)
{
  return checkctx(L, idx)->context;
}
580 | ||
/**
 * Retrieve the mode from the context in the Lua stack.
 *
 * @param L    Lua state.
 * @param idx  Stack index holding the context userdata (checked by checkctx).
 * @return     The mode recorded by set_mode (MD_CTX_SERVER / MD_CTX_CLIENT).
 */
char ctx_getmode(lua_State *L, int idx)
{
  return checkctx(L, idx)->mode;
}
589 | ||
590 | /*------------------------------ Initialization ------------------------------*/ | |
591 | ||
/**
 * Register the module.
 *
 * Creates the "SSL:Context" metatable with the metamethods from meta[],
 * then registers the package functions as "ssl.context", which is left
 * on the stack as the single return value.
 */
int luaopen_ssl_context(lua_State *L)
{
  /* metatable for the context userdata */
  luaL_newmetatable(L, "SSL:Context");
  luaL_register(L, NULL, meta);
  /* module table */
  luaL_register(L, "ssl.context", funcs);
  return 1;
}