X-Git-Url: https://git.archive.openwrt.org/?a=blobdiff_plain;f=libs%2Fnixio%2Fsrc%2Ftls-context.c;h=e9a833f59065de0c3f3babf66fbebfddc764eb3e;hb=80b5a4b6f88b8ecbcb27bfd062b37e249e78ced9;hp=723f8a85fdfca3610f2cb7c82dd16a10ddce0bbe;hpb=d2b11117f26285186b711271d24733d35e0444a1;p=project%2Fluci.git diff --git a/libs/nixio/src/tls-context.c b/libs/nixio/src/tls-context.c index 723f8a85f..e9a833f59 100644 --- a/libs/nixio/src/tls-context.c +++ b/libs/nixio/src/tls-context.c @@ -16,12 +16,8 @@ * limitations under the License. */ -#include "nixio.h" -#include "string.h" - -#ifndef WITHOUT_OPENSSL -#include -#endif +#include "nixio-tls.h" +#include static SSL_CTX* nixio__checktlsctx(lua_State *L) { SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META); @@ -45,32 +41,34 @@ static int nixio__tls_pstatus(lua_State *L, int code) { } static int nixio_tls_ctx(lua_State * L) { - const char *method = luaL_optlstring(L, 1, "tlsv1", NULL); + const char *method = luaL_optlstring(L, 1, "client", NULL); + luaL_getmetatable(L, NIXIO_TLS_CTX_META); SSL_CTX **ctx = lua_newuserdata(L, sizeof(SSL_CTX *)); if (!ctx) { return luaL_error(L, "out of memory"); } /* create userdata */ - luaL_getmetatable(L, NIXIO_TLS_CTX_META); + lua_pushvalue(L, -2); lua_setmetatable(L, -2); - if (!strcmp(method, "tlsv1")) { - *ctx = SSL_CTX_new(TLSv1_method()); - } else if (!strcmp(method, "sslv23")) { - *ctx = SSL_CTX_new(SSLv23_method()); + if (!strcmp(method, "client")) { + *ctx = SSL_CTX_new(TLSv1_client_method()); + } else if (!strcmp(method, "server")) { + *ctx = SSL_CTX_new(TLSv1_server_method()); } else { - return luaL_argerror(L, 1, "supported values: tlsv1, sslv23"); + return luaL_argerror(L, 1, "supported values: client, server"); } - - SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - if (!(*ctx)) { return luaL_error(L, "unable to create TLS context"); } +#ifdef WITH_CYASSL + SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL); +#endif + return 1; } @@ -78,37 +76,83 @@ static int nixio_tls_ctx_create(lua_State *L) { SSL_CTX *ctx = nixio__checktlsctx(L); int fd = nixio__checkfd(L, 2); - SSL **sock = lua_newuserdata(L, sizeof(SSL *)); + lua_createtable(L, 0, 3); + nixio_tls_sock *sock = lua_newuserdata(L, sizeof(nixio_tls_sock)); if (!sock) { return luaL_error(L, "out of memory"); } + memset(sock, 0, sizeof(nixio_tls_sock)); /* create userdata */ luaL_getmetatable(L, NIXIO_TLS_SOCK_META); - lua_setmetatable(L, -2); + lua_pushvalue(L, -1); + lua_setmetatable(L, -3); - *sock = SSL_new(ctx); - if (!(*sock)) { + sock->socket = SSL_new(ctx); + if (!sock->socket) { return nixio__tls_perror(L, 0); } - if (SSL_set_fd(*sock, fd) != 1) { + if (SSL_set_fd(sock->socket, fd) != 1) { return nixio__tls_perror(L, 0); } + /* save context and socket to prevent GC from collecting them */ + lua_setmetatable(L, -3); + lua_setfield(L, -2, "connection"); + + lua_pushvalue(L, 1); + lua_setfield(L, -2, "context"); + + lua_pushvalue(L, 2); + lua_setfield(L, -2, "socket"); + return 1; } static int nixio_tls_ctx_set_cert(lua_State *L) { SSL_CTX *ctx = nixio__checktlsctx(L); const char *cert = luaL_checkstring(L, 2); - return nixio__tls_pstatus(L, SSL_CTX_use_certificate_chain_file(ctx, cert)); + const char *type = luaL_optstring(L, 3, "chain"); + int ktype; + + if (!strcmp(type, "chain")) { + return nixio__tls_pstatus(L, + SSL_CTX_use_certificate_chain_file(ctx, cert)); + } else if (!strcmp(type, "pem")) { + ktype = SSL_FILETYPE_PEM; + } else if (!strcmp(type, "asn1")) { + ktype = SSL_FILETYPE_ASN1; + } else { + return luaL_argerror(L, 3, "supported values: chain, pem, asn1"); + } + + return nixio__tls_pstatus(L, + SSL_CTX_use_certificate_file(ctx, cert, ktype)); +} + +static int nixio_tls_ctx_set_verify_locations(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + const char *CAfile = luaL_optstring(L, 2, NULL); + const char *CApath = luaL_optstring(L, 3, NULL); + return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx, + CAfile, CApath)); } static int nixio_tls_ctx_set_key(lua_State *L) { SSL_CTX *ctx = nixio__checktlsctx(L); const char *cert = luaL_checkstring(L, 2); - const int ktype = SSL_FILETYPE_PEM; + const char *type = luaL_optstring(L, 3, "pem"); + int ktype; + + if (!strcmp(type, "pem")) { + ktype = SSL_FILETYPE_PEM; + } else if (!strcmp(type, "asn1")) { + ktype = SSL_FILETYPE_ASN1; + } else { + return luaL_argerror(L, 3, "supported values: pem, asn1"); + } + return nixio__tls_pstatus(L, SSL_CTX_use_PrivateKey_file(ctx, cert, ktype)); } @@ -120,13 +164,6 @@ static int nixio_tls_ctx_set_ciphers(lua_State *L) { return nixio__tls_pstatus(L, SSL_CTX_set_cipher_list(ctx, ciphers)); } -static int nixio_tls_ctx_set_verify_depth(lua_State *L) { - SSL_CTX *ctx = nixio__checktlsctx(L); - const int depth = luaL_checkinteger(L, 2); - SSL_CTX_set_verify_depth(ctx, depth); - return 0; -} - static int nixio_tls_ctx_set_verify(lua_State *L) { SSL_CTX *ctx = nixio__checktlsctx(L); const int j = lua_gettop(L); @@ -174,9 +211,9 @@ static const luaL_reg R[] = { /* ctx function table */ static const luaL_reg CTX_M[] = { {"set_cert", nixio_tls_ctx_set_cert}, + {"set_verify_locations", nixio_tls_ctx_set_verify_locations}, {"set_key", nixio_tls_ctx_set_key}, {"set_ciphers", nixio_tls_ctx_set_ciphers}, - {"set_verify_depth", nixio_tls_ctx_set_verify_depth}, {"set_verify", nixio_tls_ctx_set_verify}, {"create", nixio_tls_ctx_create}, {"__gc", nixio_tls_ctx__gc}, @@ -193,10 +230,19 @@ void nixio_open_tls_context(lua_State *L) { /* register module functions */ luaL_register(L, NULL, R); +#if defined (WITH_AXTLS) + lua_pushliteral(L, "axtls"); +#elif defined (WITH_CYASSL) + lua_pushliteral(L, "cyassl"); +#else + lua_pushliteral(L, "openssl"); +#endif + lua_setfield(L, -2, "tls_provider"); + /* create context metatable */ luaL_newmetatable(L, NIXIO_TLS_CTX_META); lua_pushvalue(L, -1); lua_setfield(L, -2, "__index"); luaL_register(L, NULL, CTX_M); - lua_pop(L, 1); + lua_setfield(L, -2, "meta_tls_context"); }