projects / project / luci.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
NIXIO: TLS-Support, bugfixes
[project/luci.git] / libs / nixio / src / tls-context.c
1 /*
2 * nixio - Linux I/O library for lua
3 *
4 * Copyright (C) 2009 Steven Barth <steven@midlink.org>
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
18
19 #include "nixio.h"
20 #include "string.h"
21
22 #ifndef WITHOUT_OPENSSL
23 #include <openssl/ssl.h>
24 #endif
25
26 static SSL_CTX* nixio__checktlsctx(lua_State *L) {
27 SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META);
28 luaL_argcheck(L, *ctx, 1, "invalid context");
29 return *ctx;
30 }
31
32 static int nixio__tls_perror(lua_State *L, int code) {
33 lua_pushnil(L);
34 lua_pushinteger(L, code);
35 return 2;
36 }
37
38 static int nixio__tls_pstatus(lua_State *L, int code) {
39 if (code == 1) {
40 lua_pushboolean(L, 1);
41 return 1;
42 } else {
43 return nixio__tls_perror(L, code);
44 }
45 }
46
47 static int nixio_tls_ctx(lua_State * L) {
48 const char *method = luaL_optlstring(L, 1, "tlsv1", NULL);
49
50 SSL_CTX **ctx = lua_newuserdata(L, sizeof(SSL_CTX *));
51 if (!ctx) {
52 return luaL_error(L, "out of memory");
53 }
54
55 /* create userdata */
56 luaL_getmetatable(L, NIXIO_TLS_CTX_META);
57 lua_setmetatable(L, -2);
58
59 if (!strcmp(method, "tlsv1")) {
60 *ctx = SSL_CTX_new(TLSv1_method());
61 } else if (!strcmp(method, "sslv23")) {
62 *ctx = SSL_CTX_new(SSLv23_method());
63 } else {
64 return luaL_argerror(L, 1, "supported values: tlsv1, sslv23");
65 }
66
67
68 SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
69
70 if (!(*ctx)) {
71 return luaL_error(L, "unable to create TLS context");
72 }
73
74 return 1;
75 }
76
77 static int nixio_tls_ctx_create(lua_State *L) {
78 SSL_CTX *ctx = nixio__checktlsctx(L);
79 int fd = nixio__checkfd(L, 2);
80
81 SSL **sock = lua_newuserdata(L, sizeof(SSL *));
82 if (!sock) {
83 return luaL_error(L, "out of memory");
84 }
85
86 /* create userdata */
87 luaL_getmetatable(L, NIXIO_TLS_SOCK_META);
88 lua_setmetatable(L, -2);
89
90 *sock = SSL_new(ctx);
91 if (!(*sock)) {
92 return nixio__tls_perror(L, 0);
93 }
94
95 if (SSL_set_fd(*sock, fd) != 1) {
96 return nixio__tls_perror(L, 0);
97 }
98
99 return 1;
100 }
101
102 static int nixio_tls_ctx_set_cert(lua_State *L) {
103 SSL_CTX *ctx = nixio__checktlsctx(L);
104 const char *cert = luaL_checkstring(L, 2);
105 return nixio__tls_pstatus(L, SSL_CTX_use_certificate_chain_file(ctx, cert));
106 }
107
108 static int nixio_tls_ctx_set_key(lua_State *L) {
109 SSL_CTX *ctx = nixio__checktlsctx(L);
110 const char *cert = luaL_checkstring(L, 2);
111 const int ktype = SSL_FILETYPE_PEM;
112 return nixio__tls_pstatus(L, SSL_CTX_use_PrivateKey_file(ctx, cert, ktype));
113 }
114
115 static int nixio_tls_ctx_set_ciphers(lua_State *L) {
116 SSL_CTX *ctx = nixio__checktlsctx(L);
117 size_t len;
118 const char *ciphers = luaL_checklstring(L, 2, &len);
119 luaL_argcheck(L, len < 255, 2, "cipher string too long");
120 return nixio__tls_pstatus(L, SSL_CTX_set_cipher_list(ctx, ciphers));
121 }
122
123 static int nixio_tls_ctx_set_verify_depth(lua_State *L) {
124 SSL_CTX *ctx = nixio__checktlsctx(L);
125 const int depth = luaL_checkinteger(L, 2);
126 SSL_CTX_set_verify_depth(ctx, depth);
127 return 0;
128 }
129
130 static int nixio_tls_ctx_set_verify(lua_State *L) {
131 SSL_CTX *ctx = nixio__checktlsctx(L);
132 const int j = lua_gettop(L);
133 int flags = 0;
134 for (int i=2; i<=j; i++) {
135 const char *flag = luaL_checkstring(L, i);
136 if (!strcmp(flag, "none")) {
137 flags |= SSL_VERIFY_NONE;
138 } else if (!strcmp(flag, "peer")) {
139 flags |= SSL_VERIFY_PEER;
140 } else if (!strcmp(flag, "verify_fail_if_no_peer_cert")) {
141 flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
142 } else if (!strcmp(flag, "client_once")) {
143 flags |= SSL_VERIFY_CLIENT_ONCE;
144 } else {
145 return luaL_argerror(L, i, "supported values: none, peer, "
146 "verify_fail_if_no_peer_cert, client_once");
147 }
148 }
149 SSL_CTX_set_verify(ctx, flags, NULL);
150 return 0;
151 }
152
153 static int nixio_tls_ctx__gc(lua_State *L) {
154 SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META);
155 if (*ctx) {
156 SSL_CTX_free(*ctx);
157 *ctx = NULL;
158 }
159 return 0;
160 }
161
162 static int nixio_tls_ctx__tostring(lua_State *L) {
163 SSL_CTX *ctx = nixio__checktlsctx(L);
164 lua_pushfstring(L, "nixio TLS context: %p", ctx);
165 return 1;
166 }
167
168 /* module table */
169 static const luaL_reg R[] = {
170 {"tls", nixio_tls_ctx},
171 {NULL, NULL}
172 };
173
174 /* ctx function table */
175 static const luaL_reg CTX_M[] = {
176 {"set_cert", nixio_tls_ctx_set_cert},
177 {"set_key", nixio_tls_ctx_set_key},
178 {"set_ciphers", nixio_tls_ctx_set_ciphers},
179 {"set_verify_depth", nixio_tls_ctx_set_verify_depth},
180 {"set_verify", nixio_tls_ctx_set_verify},
181 {"create", nixio_tls_ctx_create},
182 {"__gc", nixio_tls_ctx__gc},
183 {"__tostring", nixio_tls_ctx__tostring},
184 {NULL, NULL}
185 };
186
187
188 void nixio_open_tls_context(lua_State *L) {
189 /* initialize tls library */
190 SSL_load_error_strings();
191 SSL_library_init();
192
193 /* register module functions */
194 luaL_register(L, NULL, R);
195
196 /* create context metatable */
197 luaL_newmetatable(L, NIXIO_TLS_CTX_META);
198 lua_pushvalue(L, -1);
199 lua_setfield(L, -2, "__index");
200 luaL_register(L, NULL, CTX_M);
201 lua_pop(L, 1);
202 }
Lua Configuration Interface (mirror)