* limitations under the License.
*/
-#include "nixio.h"
-#include "string.h"
-
-#ifndef WITHOUT_OPENSSL
-#include <openssl/ssl.h>
-#endif
+#include "nixio-tls.h"
+#include <string.h>
static SSL_CTX* nixio__checktlsctx(lua_State *L) {
SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META);
}
static int nixio_tls_ctx(lua_State * L) {
- const char *method = luaL_optlstring(L, 1, "tlsv1", NULL);
+ const char *method = luaL_optlstring(L, 1, "client", NULL);
+ luaL_getmetatable(L, NIXIO_TLS_CTX_META);
SSL_CTX **ctx = lua_newuserdata(L, sizeof(SSL_CTX *));
if (!ctx) {
return luaL_error(L, "out of memory");
}
/* create userdata */
- luaL_getmetatable(L, NIXIO_TLS_CTX_META);
+ lua_pushvalue(L, -2);
lua_setmetatable(L, -2);
- if (!strcmp(method, "tlsv1")) {
- *ctx = SSL_CTX_new(TLSv1_method());
- } else if (!strcmp(method, "sslv23")) {
- *ctx = SSL_CTX_new(SSLv23_method());
+ if (!strcmp(method, "client")) {
+ *ctx = SSL_CTX_new(TLSv1_client_method());
+ } else if (!strcmp(method, "server")) {
+ *ctx = SSL_CTX_new(TLSv1_server_method());
} else {
- return luaL_argerror(L, 1, "supported values: tlsv1, sslv23");
+ return luaL_argerror(L, 1, "supported values: client, server");
}
-
- SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-
if (!(*ctx)) {
return luaL_error(L, "unable to create TLS context");
}
+#ifdef WITH_CYASSL
+ SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return 1;
}
SSL_CTX *ctx = nixio__checktlsctx(L);
int fd = nixio__checkfd(L, 2);
- SSL **sock = lua_newuserdata(L, sizeof(SSL *));
+ lua_createtable(L, 0, 3);
+ nixio_tls_sock *sock = lua_newuserdata(L, sizeof(nixio_tls_sock));
if (!sock) {
return luaL_error(L, "out of memory");
}
+ memset(sock, 0, sizeof(nixio_tls_sock));
/* create userdata */
luaL_getmetatable(L, NIXIO_TLS_SOCK_META);
- lua_setmetatable(L, -2);
+ lua_pushvalue(L, -1);
+ lua_setmetatable(L, -3);
- *sock = SSL_new(ctx);
- if (!(*sock)) {
+ sock->socket = SSL_new(ctx);
+ if (!sock->socket) {
return nixio__tls_perror(L, 0);
}
- if (SSL_set_fd(*sock, fd) != 1) {
+ if (SSL_set_fd(sock->socket, fd) != 1) {
return nixio__tls_perror(L, 0);
}
+ /* save context and socket to prevent GC from collecting them */
+ lua_setmetatable(L, -3);
+ lua_setfield(L, -2, "connection");
+
+ lua_pushvalue(L, 1);
+ lua_setfield(L, -2, "context");
+
+ lua_pushvalue(L, 2);
+ lua_setfield(L, -2, "socket");
+
return 1;
}
static int nixio_tls_ctx_set_cert(lua_State *L) {
SSL_CTX *ctx = nixio__checktlsctx(L);
const char *cert = luaL_checkstring(L, 2);
- return nixio__tls_pstatus(L, SSL_CTX_use_certificate_chain_file(ctx, cert));
+ const char *type = luaL_optstring(L, 3, "chain");
+ int ktype;
+
+ if (!strcmp(type, "chain")) {
+ return nixio__tls_pstatus(L,
+ SSL_CTX_use_certificate_chain_file(ctx, cert));
+ } else if (!strcmp(type, "pem")) {
+ ktype = SSL_FILETYPE_PEM;
+ } else if (!strcmp(type, "asn1")) {
+ ktype = SSL_FILETYPE_ASN1;
+ } else {
+ return luaL_argerror(L, 3, "supported values: chain, pem, asn1");
+ }
+
+ return nixio__tls_pstatus(L,
+ SSL_CTX_use_certificate_file(ctx, cert, ktype));
+}
+
+static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
+ SSL_CTX *ctx = nixio__checktlsctx(L);
+ const char *CAfile = luaL_optstring(L, 2, NULL);
+ const char *CApath = luaL_optstring(L, 3, NULL);
+ return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx,
+ CAfile, CApath));
}
static int nixio_tls_ctx_set_key(lua_State *L) {
SSL_CTX *ctx = nixio__checktlsctx(L);
const char *cert = luaL_checkstring(L, 2);
- const int ktype = SSL_FILETYPE_PEM;
+ const char *type = luaL_optstring(L, 3, "pem");
+ int ktype;
+
+ if (!strcmp(type, "pem")) {
+ ktype = SSL_FILETYPE_PEM;
+ } else if (!strcmp(type, "asn1")) {
+ ktype = SSL_FILETYPE_ASN1;
+ } else {
+ return luaL_argerror(L, 3, "supported values: pem, asn1");
+ }
+
return nixio__tls_pstatus(L, SSL_CTX_use_PrivateKey_file(ctx, cert, ktype));
}
return nixio__tls_pstatus(L, SSL_CTX_set_cipher_list(ctx, ciphers));
}
-static int nixio_tls_ctx_set_verify_depth(lua_State *L) {
- SSL_CTX *ctx = nixio__checktlsctx(L);
- const int depth = luaL_checkinteger(L, 2);
- SSL_CTX_set_verify_depth(ctx, depth);
- return 0;
-}
-
static int nixio_tls_ctx_set_verify(lua_State *L) {
SSL_CTX *ctx = nixio__checktlsctx(L);
const int j = lua_gettop(L);
/* ctx function table */
static const luaL_reg CTX_M[] = {
{"set_cert", nixio_tls_ctx_set_cert},
+ {"set_verify_locations", nixio_tls_ctx_set_verify_locations},
{"set_key", nixio_tls_ctx_set_key},
{"set_ciphers", nixio_tls_ctx_set_ciphers},
- {"set_verify_depth", nixio_tls_ctx_set_verify_depth},
{"set_verify", nixio_tls_ctx_set_verify},
{"create", nixio_tls_ctx_create},
{"__gc", nixio_tls_ctx__gc},
/* register module functions */
luaL_register(L, NULL, R);
+#if defined (WITH_AXTLS)
+ lua_pushliteral(L, "axtls");
+#elif defined (WITH_CYASSL)
+ lua_pushliteral(L, "cyassl");
+#else
+ lua_pushliteral(L, "openssl");
+#endif
+ lua_setfield(L, -2, "tls_provider");
+
/* create context metatable */
luaL_newmetatable(L, NIXIO_TLS_CTX_META);
lua_pushvalue(L, -1);
lua_setfield(L, -2, "__index");
luaL_register(L, NULL, CTX_M);
- lua_pop(L, 1);
+ lua_setfield(L, -2, "meta_tls_context");
}