zhaozg / lua-openssl / 25780119971

/***

ssl modules to create SSL/TLS server or client, send and recv data over SSL channels.

@module ssl

@usage

  ssl = require('openssl').ssl

*/

#include <openssl/dh.h>

#include <openssl/ec.h>

#include <openssl/rsa.h>

#include <openssl/ssl.h>

#include "openssl.h"

#include "private.h"

#include "ssl_options.h"

#include <stdint.h>

#if OPENSSL_VERSION_NUMBER > 0x30000000

#ifndef SSL_get_peer_certificate

#define SSL_get_peer_certificate SSL_get1_peer_certificate

#endif

#ifndef SSL_DEFAULT_CIPHER_LIST

#define SSL_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()

#endif

#endif

/***

create ssl_ctx object, which mapping to SSL_CTX in openssl.

@function ctx_new

@tparam string protocol support 'SSLv3', 'SSLv23', 'SSLv2', 'TSLv1', 'TSLv1_1','TSLv1_2','TLS',

'DTLSv1','DTLSv1_2', and can be follow by '_server' or '_client', in general you should use 'TLS' to

negotiate highest available SSL/TLS version

@tparam[opt] string support_ciphers, if not given, default of openssl will be used

@treturn openssl.ssl_ctx

*/

#if OPENSSL_VERSION_NUMBER > 0x10100000L

#define TLS_PROTOCOL_TIPS                                                                          \

  "only support TLS, DTLS to negotiate highest available SSL/TLS or DTLS "                         \

  "version above openssl v1.1.0\n"                                                                 \

  "optional followed by _client or _server\n"                                                      \

  "default is TLS\n"

#define DEFAULT_PROTOCOL "TLS"

#else

#define TLS_PROTOCOL_TIPS                                                                          \

  "SSLv23, TLSv1_2, TLSv1_1, TLSv1, DTLSv1_2 or DTLSv1, optional followed by _client or _server\n" \

  "optional followed by _client or _server\n"                                                      \

  "default is SSLv23 to negotiate highest available SSL/TLS\n"

#define DEFAULT_PROTOCOL "SSLv23"

#endif

typedef enum

{

  SSL_CTX_SESSION_ADD = 0,

  SSL_CTX_SESSION_GET,

  SSL_CTX_SESSION_DEL,

#if OPENSSL_VERSION_NUMBER < 0x10100000L

  SSL_CTX_TEMP_DH,

  SSL_CTX_TEMP_RSA,

  SSL_CTX_TEMP_ECDH,

#endif

  SSL_CTX_MAX_IDX

} SSL_CTX_INDEX;

/***

create a new SSL context object

@function new

@tparam[opt="TLS"] string method SSL/TLS protocol method ("TLS", "SSLv23", "TLSv1", "TLSv1_1", "TLSv1_2", etc.)

@treturn openssl.ssl_ctx SSL context object

*/

static int

{

#if OPENSSL_VERSION_NUMBER >= 0x01000000L

  const

#endif

    = NULL;

  const char *ciphers;

  SSL_CTX    *ctx;

#if OPENSSL_VERSION_NUMBER > 0x10100000L

#endif

#if !defined(OPENSSL_NO_DEPRECATED) && !defined(OPENSSL_NO_DTLS1_2_METHOD) && \

  OPENSSL_VERSION_NUMBER < 0x10100000L

    method = DTLSv1_2_method();

    method = DTLSv1_2_server_method();

#endif

#if !defined(OPENSSL_NO_DEPRECATED) && !defined(OPENSSL_NO_DTLS1_METHOD) && \

  OPENSSL_VERSION_NUMBER < 0x10100000L

    method = DTLSv1_method();

    method = DTLSv1_server_method();

#endif

#if !defined(OPENSSL_NO_DEPRECATED) && !defined(OPENSSL_NO_TLS1_2_METHOD) && \

  OPENSSL_VERSION_NUMBER < 0x10100000L

    method = TLSv1_2_method();

    method = TLSv1_2_server_method();

#endif

#if !defined(OPENSSL_NO_DEPRECATED) && !defined(OPENSSL_NO_TLS1_1_METHOD) && \

  OPENSSL_VERSION_NUMBER < 0x10100000L

    method = TLSv1_1_method();

    method = TLSv1_1_server_method();

#endif

#if !defined(OPENSSL_NO_DEPRECATED) && !defined(OPENSSL_NO_TLS1_METHOD) && \

  OPENSSL_VERSION_NUMBER < 0x10100000L

    method = TLSv1_method();

    method = TLSv1_server_method();

#endif

#if OPENSSL_VERSION_NUMBER < 0x40000000L && !defined(OPENSSL_NO_SSL3_METHOD)

    method = SSLv3_method();

    method = SSLv3_server_method();

#endif

#ifdef LOAD_SSL_CUSTOM

  LOAD_SSL_CUSTOM

#endif

#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)

#else

#endif

}

/***

get alert_type for ssl state

@function alert_type

@tparam number alert

@tparam[opt=false] boolean long

@treturn string alert type

*/

static int

{

  const char *val;

  else

}

/***

get alert_desc for ssl state

@function alert_desc

@tparam number alert

@tparam[opt=false] boolean long

@treturn string alert type

@treturn string desc string, if long set true will return long info

*/

static int

{

  const char *val;

  else

}

/***

create new SSL session object

@function session_new

@treturn ssl_session new SSL session object

*/

static int

{

}

/***

read SSL session from BIO or string data

@function session_read

@tparam bio|string input BIO object or string containing session data (PEM or DER format)

@treturn ssl_session|nil SSL session object or nil on error

*/

static int

{

  }

  }

}

static luaL_Reg R[] = {

  { "ctx_new",      openssl_ssl_ctx_new      },

  { "alert_type",   openssl_ssl_alert_type   },

  { "alert_desc",   openssl_ssl_alert_desc   },

  { "session_new",  openssl_ssl_session_new  },

  { "session_read", openssl_ssl_session_read },

  { NULL,           NULL                     }

};

/* SSL CTX object */

/***

openssl.ssl_ctx object

@type ssl_ctx

*/

/***

tell ssl_ctx use private key and certificate, and check private key

@function use

@tparam openssl.evp_pkey pkey

@tparam openssl.x509 cert

@treturn boolean result return true for ok, or nil followed by errmsg and errval

*/

static int

{

  int       ret;

  } else {

  }

    }

  }

}

/***

add client ca cert and option extra chain cert

@function add

@tparam openssl.x509 clientca

@tparam[opt] table extra_chain_cert_array

@treturn boolean result

*/

static int

{

    size_t i;

    }

  }

}

static int

{

}

/***

get timeout

@function timeout

@return number

*/

/***

set timeout

@function timeout

@tparam number timeout

@treturn number previous timeout

*/

static int

{

  long     t;

  }

}

static const int iMode_options[] = { SSL_MODE_ENABLE_PARTIAL_WRITE,

                                     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,

                                     SSL_MODE_AUTO_RETRY,

                                     SSL_MODE_NO_AUTO_CHAIN,

#ifdef SSL_MODE_RELEASE_BUFFERS

                                     SSL_MODE_RELEASE_BUFFERS,

#endif

                                     0 };

static const char *sMode_options[] = { "enable_partial_write",

                                       "accept_moving_write_buffer",

                                       "auto_retry",

                                       "no_auto_chain",

#ifdef SSL_MODE_RELEASE_BUFFERS

                                       "release_buffers",

#endif

                                       NULL };

/***

clean given mode

mode support

'enable_partial_write','accept_moving_write_buffer','auto_retry','no_auto_chain','release_buffers'

@function mode

@tparam boolean clear must be true

@tparam string mode

@param[opt] ...

@treturn string

@treturn ...

@usage

 modes = { ssl_ctx:mode('enable_partial_write','accept_moving_write_buffer','auto_retry') },

  for  i, v in ipairs(modes)

    print(v)

 end

 --output 'enable_partial_write','accept_moving_write_buffer','auto_retry'

*/

static int

{

  int      ret;

  int      i;

    } else

    }

    else

  } else

    }

  }

};

/***

get options

@function options

@treturn table string list of current options

*/

/***

set options

@function options

@tparam string option, support "microsoft_sess_id_bug", "netscape_challenge_bug",

"netscape_reuse_cipher_change_bug", "sslref2_reuse_cert_type_bug", "microsoft_big_sslv3_buffer",

"msie_sslv3_rsa_padding","ssleay_080_client_dh_bug",

"tls_d5_bug","tls_block_padding_bug","dont_insert_empty_fragments","all", please to see

ssl_options.h

@treturn table string list of current options after set new option

*/

/***

clear options

@function options

@tparam boolean clear set true to clear options

@tparam string option, support "microsoft_sess_id_bug", "netscape_challenge_bug",

"netscape_reuse_cipher_change_bug", "sslref2_reuse_cert_type_bug", "microsoft_big_sslv3_buffer",

"msie_sslv3_rsa_padding","ssleay_080_client_dh_bug",

"tls_d5_bug","tls_block_padding_bug","dont_insert_empty_fragments","all",  please to see

ssl_options.h

@treturn table string list of current options after clear some option

*/

static int

{

  int      ret;

  int      i;

    } else

      else {

        int         j;

          }

        }

      }

    }

    else

  } else

    }

  }

}

/***

get min_proto_version and max_proto_version

@function version

@treturn[1] integer min_proto_version

@treturn[2] integer man_proto_version

*/

/***

set min_proto_version and max_proto_version

@function options

@tparam integer min

@tparam integer max

@treturn boolean result or fail

*/

#if OPENSSL_VERSION_NUMBER > 0x10100000L

static int

{

  int      ret;

    lua_pushinteger(L, minv);

    lua_pushinteger(L, maxv);

    return 2;

  }

  }

  return openssl_pushresult(L, ret);

}

#endif

/***

get quit_shutdown is set or not

Normally when a SSL connection is finished, the parties must send out

"close notify" alert messages using ***SSL:shutdown"*** for a clean shutdown.

@function quiet_shutdown

@treturn boolean result

*/

/***

set quiet_shutdown

@function quiet_shutdown

@tparam boolean quiet

When setting the "quiet shutdown" flag to 1, ***SSL:shutdown*** will set the internal flags

to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN. ***SSL:shutdown*** then behaves like

***SSL:set_shutdown*** called with SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.

The session is thus considered to be shutdown, but no "close notify" alert

is sent to the peer. This behaviour violates the TLS standard.

The default is normal shutdown behaviour as described by the TLS standard.

@treturn boolean result

*/

static int

{

  } else {

  }

};

/***

set verify locations with cafile and capath

ssl_ctx:verify_locations specifies the locations for *ctx*, at

which CA certificates for verification purposes are located. The certificates

available via *CAfile* and *CApath* are trusted.

@function verify_locations

@tparam string cafile

@tparam string capath

@treturn boolean result

*/

static int

{

#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)

#else

#endif

}

/***

get certificate verification store of ssl_ctx

@function cert_store

@treturn x509_store store

*/

/***

set or replaces then certificate verification store of ssl_ctx

@function cert_store

@tparam x509_store store

@treturn x509_store store

*/

static int

{

#if OPENSSL_VERSION_NUMBER > 0x10002000L

  } else {

  }

#else

  luaL_error(L, "NYI, openssl below 1.0.2 not fully support this feature");

  return 0;

#endif

}

#ifndef OPENSSL_NO_ENGINE

/***

set client certificate engine for SSL context

@function set_engine

@tparam openssl.engine eng engine object to use for client certificates

@treturn boolean result true for success

*/

static int

{

}

#endif

/* ssl functions */

/***

create SSL object from SSL context

This function creates a new SSL object from an SSL context. It supports two modes:

1. Using a file descriptor (fd)

2. Using BIO objects for input/output

@function ssl

@tparam openssl.ssl_ctx ctx SSL context object

@tparam number|openssl.bio fd_or_input File descriptor or input BIO

@tparam[opt=false] boolean|openssl.bio server_or_output Server mode flag or output BIO

@treturn[1] openssl.ssl SSL object on success

@treturn[2] nil on error

@treturn[2] string error message

-- @see OpenSSL function: SSL_new

-- @see OpenSSL function: SSL_set_fd

-- @see OpenSSL function: SSL_set_bio

@usage

  -- Create SSL object from file descriptor

  local ssl_ctx = require('openssl').ssl.ctx_new('TLS')

  local fd = 5  -- Assume fd 5 is a connected socket

  local ssl = ssl_ctx:ssl(fd)

  -- Create SSL server object from BIO

  local bio_in = require('openssl').bio.new('mem')

  local bio_out = require('openssl').bio.new('mem')

  local ssl = ssl_ctx:ssl(bio_in, bio_out, true)  -- true for server mode

*/

static int

{

    /* avoid bi be gc */

    } else

    /* avoid bo be gc */

#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)

#else

#endif

  }

  }

    else

    /* ref to ctx */

  } else {

  }

}

/***

create bio object

@function bio

@tparam string host_addr format like 'host:port'

@tparam[opt=false] boolean server, true listen at host_addr,false connect to host_addr

@tparam[opt=true] boolean autoretry ssl operation autoretry mode

@treturn openssl.bio bio object

*/

static int

{

    }

    } else {

    }

    } else

  } else {

  }

}

/***

get verify depth when cert chain veirition

@function verify_depth

@treturn number depth

*/

/***

set verify depth when cert chain veirition

@function verify_depth

@tparam number depth

@treturn number depth

*/

static int

{

  int      depth;

  }

}

static const int iVerifyMode_Options[] = { SSL_VERIFY_NONE,

                                           SSL_VERIFY_PEER,

                                           SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

                                           SSL_VERIFY_CLIENT_ONCE,

                                           0 };

static const char *sVerifyMode_Options[] = { "none",

                                             "peer",

                                             "fail", /* fail_if_no_peer_cert */

                                             "once",

                                             NULL };

/***

get verify_mode, return number mode and all string modes list

@function verify_mode

@treturn number mode_code

@return ...

  none: not verify client cert

  peer: verify client cert

  fail: if client not have cert, will failure

  once: verify client only once.

@usage

  mode = {ctx:verify_mode()}

  print('integer mode',mode[1])

  for i=2, #mode then

    print('string mode:'..mode[i])

  end

*/

/***

set ssl verify mode and callback

@function verify_mode

@tparam number mode, mode set to ctx, must be ssl.none or ssl.peer, and ssl.peer support combine

with ssl.fail or ssl.once

@tparam[opt=nil] function ssl verify callback in lua function, not give will use default openssl

callback, when mode is 'none', will be ignore this verify_cb must be boolean function(verifyarg)

prototype, return true to continue or false to end ssl handshake verifyarg has field 'error',

'error_string','error_depth','current_cert', and 'preverify_ok'

@treturn boolean result

*/

static int

{

      L,

      mode == SSL_VERIFY_NONE

        || (mode & ~(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE))

             == 0,

      2,

      "must be none or peer(combined with fail, once or none");

    } else {

    }

  } else {

    } else {

        }

        }

      }

    }

  }

}

/***

set certificate verify callback function

@function set_cert_verify

@tparam[opt] function cert_verify_cb with boolean function(verifyargs) prototype, if nil or none

will use openssl default callback verifyargs has field 'error',

'error_string','error_depth','current_cert'

@treturn various return value

*/