diff options
Diffstat (limited to 'libs/luci-lib-nixio/src/tls-context.c')
-rw-r--r-- | libs/luci-lib-nixio/src/tls-context.c | 248 |
1 files changed, 248 insertions, 0 deletions
diff --git a/libs/luci-lib-nixio/src/tls-context.c b/libs/luci-lib-nixio/src/tls-context.c new file mode 100644 index 0000000000..e9a833f590 --- /dev/null +++ b/libs/luci-lib-nixio/src/tls-context.c @@ -0,0 +1,248 @@ +/* + * nixio - Linux I/O library for lua + * + * Copyright (C) 2009 Steven Barth <steven@midlink.org> + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "nixio-tls.h" +#include <string.h> + +static SSL_CTX* nixio__checktlsctx(lua_State *L) { + SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META); + luaL_argcheck(L, *ctx, 1, "invalid context"); + return *ctx; +} + +static int nixio__tls_perror(lua_State *L, int code) { + lua_pushnil(L); + lua_pushinteger(L, code); + return 2; +} + +static int nixio__tls_pstatus(lua_State *L, int code) { + if (code == 1) { + lua_pushboolean(L, 1); + return 1; + } else { + return nixio__tls_perror(L, code); + } +} + +static int nixio_tls_ctx(lua_State * L) { + const char *method = luaL_optlstring(L, 1, "client", NULL); + + luaL_getmetatable(L, NIXIO_TLS_CTX_META); + SSL_CTX **ctx = lua_newuserdata(L, sizeof(SSL_CTX *)); + if (!ctx) { + return luaL_error(L, "out of memory"); + } + + /* create userdata */ + lua_pushvalue(L, -2); + lua_setmetatable(L, -2); + + if (!strcmp(method, "client")) { + *ctx = SSL_CTX_new(TLSv1_client_method()); + } else if (!strcmp(method, "server")) { + *ctx = SSL_CTX_new(TLSv1_server_method()); + } else { + return luaL_argerror(L, 1, "supported values: client, server"); + } + + if (!(*ctx)) { + return luaL_error(L, "unable to create TLS context"); + } + +#ifdef WITH_CYASSL + SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL); +#endif + + return 1; +} + +static int nixio_tls_ctx_create(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + int fd = nixio__checkfd(L, 2); + + lua_createtable(L, 0, 3); + nixio_tls_sock *sock = lua_newuserdata(L, sizeof(nixio_tls_sock)); + if (!sock) { + return luaL_error(L, "out of memory"); + } + memset(sock, 0, sizeof(nixio_tls_sock)); + + /* create userdata */ + luaL_getmetatable(L, NIXIO_TLS_SOCK_META); + lua_pushvalue(L, -1); + lua_setmetatable(L, -3); + + sock->socket = SSL_new(ctx); + if (!sock->socket) { + return nixio__tls_perror(L, 0); + } + + if (SSL_set_fd(sock->socket, fd) != 1) { + return nixio__tls_perror(L, 0); + } + + /* save context and socket to prevent GC from collecting them */ + lua_setmetatable(L, -3); + lua_setfield(L, -2, "connection"); + + lua_pushvalue(L, 1); + lua_setfield(L, -2, "context"); + + lua_pushvalue(L, 2); + lua_setfield(L, -2, "socket"); + + return 1; +} + +static int nixio_tls_ctx_set_cert(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + const char *cert = luaL_checkstring(L, 2); + const char *type = luaL_optstring(L, 3, "chain"); + int ktype; + + if (!strcmp(type, "chain")) { + return nixio__tls_pstatus(L, + SSL_CTX_use_certificate_chain_file(ctx, cert)); + } else if (!strcmp(type, "pem")) { + ktype = SSL_FILETYPE_PEM; + } else if (!strcmp(type, "asn1")) { + ktype = SSL_FILETYPE_ASN1; + } else { + return luaL_argerror(L, 3, "supported values: chain, pem, asn1"); + } + + return nixio__tls_pstatus(L, + SSL_CTX_use_certificate_file(ctx, cert, ktype)); +} + +static int nixio_tls_ctx_set_verify_locations(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + const char *CAfile = luaL_optstring(L, 2, NULL); + const char *CApath = luaL_optstring(L, 3, NULL); + return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx, + CAfile, CApath)); +} + +static int nixio_tls_ctx_set_key(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + const char *cert = luaL_checkstring(L, 2); + const char *type = luaL_optstring(L, 3, "pem"); + int ktype; + + if (!strcmp(type, "pem")) { + ktype = SSL_FILETYPE_PEM; + } else if (!strcmp(type, "asn1")) { + ktype = SSL_FILETYPE_ASN1; + } else { + return luaL_argerror(L, 3, "supported values: pem, asn1"); + } + + return nixio__tls_pstatus(L, SSL_CTX_use_PrivateKey_file(ctx, cert, ktype)); +} + +static int nixio_tls_ctx_set_ciphers(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + size_t len; + const char *ciphers = luaL_checklstring(L, 2, &len); + luaL_argcheck(L, len < 255, 2, "cipher string too long"); + return nixio__tls_pstatus(L, SSL_CTX_set_cipher_list(ctx, ciphers)); +} + +static int nixio_tls_ctx_set_verify(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + const int j = lua_gettop(L); + int flags = 0; + for (int i=2; i<=j; i++) { + const char *flag = luaL_checkstring(L, i); + if (!strcmp(flag, "none")) { + flags |= SSL_VERIFY_NONE; + } else if (!strcmp(flag, "peer")) { + flags |= SSL_VERIFY_PEER; + } else if (!strcmp(flag, "verify_fail_if_no_peer_cert")) { + flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + } else if (!strcmp(flag, "client_once")) { + flags |= SSL_VERIFY_CLIENT_ONCE; + } else { + return luaL_argerror(L, i, "supported values: none, peer, " + "verify_fail_if_no_peer_cert, client_once"); + } + } + SSL_CTX_set_verify(ctx, flags, NULL); + return 0; +} + +static int nixio_tls_ctx__gc(lua_State *L) { + SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META); + if (*ctx) { + SSL_CTX_free(*ctx); + *ctx = NULL; + } + return 0; +} + +static int nixio_tls_ctx__tostring(lua_State *L) { + SSL_CTX *ctx = nixio__checktlsctx(L); + lua_pushfstring(L, "nixio TLS context: %p", ctx); + return 1; +} + +/* module table */ +static const luaL_reg R[] = { + {"tls", nixio_tls_ctx}, + {NULL, NULL} +}; + +/* ctx function table */ +static const luaL_reg CTX_M[] = { + {"set_cert", nixio_tls_ctx_set_cert}, + {"set_verify_locations", nixio_tls_ctx_set_verify_locations}, + {"set_key", nixio_tls_ctx_set_key}, + {"set_ciphers", nixio_tls_ctx_set_ciphers}, + {"set_verify", nixio_tls_ctx_set_verify}, + {"create", nixio_tls_ctx_create}, + {"__gc", nixio_tls_ctx__gc}, + {"__tostring", nixio_tls_ctx__tostring}, + {NULL, NULL} +}; + + +void nixio_open_tls_context(lua_State *L) { + /* initialize tls library */ + SSL_load_error_strings(); + SSL_library_init(); + + /* register module functions */ + luaL_register(L, NULL, R); + +#if defined (WITH_AXTLS) + lua_pushliteral(L, "axtls"); +#elif defined (WITH_CYASSL) + lua_pushliteral(L, "cyassl"); +#else + lua_pushliteral(L, "openssl"); +#endif + lua_setfield(L, -2, "tls_provider"); + + /* create context metatable */ + luaL_newmetatable(L, NIXIO_TLS_CTX_META); + lua_pushvalue(L, -1); + lua_setfield(L, -2, "__index"); + luaL_register(L, NULL, CTX_M); + lua_setfield(L, -2, "meta_tls_context"); +} |