mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
Merge commit 'c473aa40807f32438ffe34bdfe07f8f0485a6aa4' into dev
This commit is contained in:
commit
576cb81979
52 changed files with 626 additions and 1534 deletions
|
@ -19,7 +19,7 @@ options:
|
|||
perf: Performance Improvements
|
||||
refactor: Code Refactoring
|
||||
header:
|
||||
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?\\s(.*)$"
|
||||
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?:?\\s(.*)$"
|
||||
pattern_maps:
|
||||
- Type
|
||||
- Scope
|
||||
|
|
|
@ -20,7 +20,7 @@ concurrency:
|
|||
jobs:
|
||||
tests:
|
||||
name: Tests
|
||||
runs-on: ubuntu-22.04
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
@ -29,69 +29,43 @@ jobs:
|
|||
# TODO: arm64
|
||||
# latest and one version older for valgrind and perf test
|
||||
- nginx: "1.19.9"
|
||||
openssl: "1.0.2u"
|
||||
openssl: "1.1.1w"
|
||||
extras: "valgrind"
|
||||
lua_nginx_module: "v0.10.20"
|
||||
lua_resty_core: "v0.1.22"
|
||||
- nginx: "1.19.9"
|
||||
openssl: "1.1.1t"
|
||||
openssl: "3.1.4"
|
||||
openssl_fips: "3.0.8"
|
||||
extras: "valgrind"
|
||||
lua_nginx_module: "v0.10.20"
|
||||
lua_resty_core: "v0.1.22"
|
||||
- nginx: "1.19.9"
|
||||
openssl: "3.0.8"
|
||||
extras: "valgrind"
|
||||
openssl_opts: "enable-fips"
|
||||
lua_nginx_module: "v0.10.20"
|
||||
lua_resty_core: "v0.1.22"
|
||||
nginx_cc_opts: "-Wno-error"
|
||||
- nginx: "1.21.4"
|
||||
openssl: "1.0.2u"
|
||||
extras: "valgrind"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
- nginx: "1.21.4"
|
||||
openssl: "1.1.1t"
|
||||
openssl: "1.1.1w"
|
||||
extras: "valgrind perf"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
lua_nginx_module: "v0.10.25"
|
||||
lua_resty_core: "v0.1.27"
|
||||
- nginx: "1.21.4"
|
||||
openssl: "3.0.8"
|
||||
openssl: "3.0.12"
|
||||
openssl_fips: "3.0.8"
|
||||
extras: "valgrind perf"
|
||||
openssl_opts: "enable-fips"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
lua_nginx_module: "v0.10.25"
|
||||
lua_resty_core: "v0.1.27"
|
||||
nginx_cc_opts: "-Wno-error"
|
||||
- nginx: "1.21.4"
|
||||
openssl: "3.1.0"
|
||||
openssl: "3.1.4"
|
||||
openssl_fips: "3.0.8"
|
||||
extras: "valgrind perf"
|
||||
openssl_opts: "enable-fips"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
lua_nginx_module: "v0.10.25"
|
||||
lua_resty_core: "v0.1.27"
|
||||
nginx_cc_opts: "-Wno-error"
|
||||
# latest version with EOL 1.1.0
|
||||
- nginx: "1.21.4"
|
||||
openssl: "1.1.0l"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
# version that kong uses, for fips
|
||||
- nginx: "1.21.4"
|
||||
openssl: "1.0.2u"
|
||||
fips2: "2.0.16"
|
||||
openssl_opts: "fips --with-fipsdir=/home/runner/work/cache/ssl/fips"
|
||||
extras: "valgrind"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
- nginx: "1.21.4"
|
||||
boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808
|
||||
openssl: "3.2.0-alpha1"
|
||||
openssl_fips: "3.0.8"
|
||||
extras: "valgrind perf"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
- nginx: "1.21.4"
|
||||
boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet
|
||||
extras: "valgrind perf"
|
||||
lua_nginx_module: "v0.10.21"
|
||||
lua_resty_core: "v0.1.23"
|
||||
lua_nginx_module: "v0.10.25"
|
||||
lua_resty_core: "v0.1.27"
|
||||
nginx_cc_opts: "-Wno-error"
|
||||
|
||||
env:
|
||||
JOBS: 3
|
||||
|
@ -121,7 +95,7 @@ jobs:
|
|||
with:
|
||||
path: |
|
||||
/home/runner/work/cache
|
||||
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-${{ matrix.fips2 }}-boringssl-${{ matrix.boringssl }}
|
||||
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}
|
||||
|
||||
- name: Setup tools
|
||||
run: |
|
||||
|
@ -149,57 +123,31 @@ jobs:
|
|||
- name: Build OpenSSL
|
||||
if: matrix.boringssl == ''
|
||||
run: |
|
||||
mkdir -p $OPENSSL_PREFIX
|
||||
# fips doesn't seem to support to build parallelly
|
||||
if [ "X${{ matrix.fips2 }}" != "X" ]; then wget https://www.openssl.org/source/old/fips/openssl-fips-${{ matrix.fips2 }}.tar.gz -qO - | tar zxf - ; pushd openssl-fips-${{ matrix.fips2 }}/; FIPSDIR=$OPENSSL_PREFIX/fips ./config; make; make install; popd; fi
|
||||
T=$OPENSSL_PREFIX
|
||||
mkdir -p $T
|
||||
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
|
||||
if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
|
||||
if [ ! -e $OPENSSL_PREFIX/include ]; then ./config shared -d --prefix=$OPENSSL_PREFIX -DPURIFY ${{ matrix.openssl_opts }} > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $OPENSSL_PREFIX/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $OPENSSL_PREFIX/include ]; then sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ -e $OPENSSL_LIB/libcrypto.so.3 ] && [ ! -e $OPENSSL_LIB/ossl-modules/fips.so ]; then mkdir -p $OPENSSL_PREFIX/ssl; sudo make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $OPENSSL_PREFIX/lib64 ]; then sudo cp -r $OPENSSL_PREFIX/lib $OPENSSL_PREFIX/lib64; fi
|
||||
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
|
||||
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
|
||||
if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
|
||||
mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/
|
||||
|
||||
- name: Build BoringSSL
|
||||
if: matrix.boringssl != ''
|
||||
- name: Build OpenSSL FIPS module
|
||||
if: matrix.openssl_fips != ''
|
||||
run: |
|
||||
mkdir -p $OPENSSL_PREFIX
|
||||
if [ ! -e $OPENSSL_PREFIX/include ]; then
|
||||
# libtinfo5 is a dependency of clang7 on ubuntu20.04
|
||||
sudo apt-get install -qq -y cmake libtinfo5 unzip libunwind-dev libgcc-9-dev libstdc++-9-dev
|
||||
|
||||
wget https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz -qO - |tar Jxf -
|
||||
export HOME="$PWD"
|
||||
printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
|
||||
export PATH="$PWD/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
|
||||
clang --version
|
||||
|
||||
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz -qO - |tar zxf -
|
||||
export GOPATH="$PWD/gopath"
|
||||
export GOROOT="$PWD/go"
|
||||
export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
|
||||
go version
|
||||
|
||||
wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip -q
|
||||
unzip -o ninja-linux.zip
|
||||
export PATH="$PWD:$PATH"
|
||||
ninja --version
|
||||
|
||||
wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-${{ matrix.boringssl }}.tar.xz -qO - | tar Jxf -; pushd boringssl
|
||||
if [ "${{ matrix.boringssl }}" == "ae223d6138807a13006342edfeef32e813246b39" ]; then
|
||||
patch -p1 < ../t/fixtures/boringssl_fips.patch
|
||||
fi
|
||||
rm -rf build; mkdir build; pushd build
|
||||
cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. > build.log 2>&1 || (cat build.log && exit 1)
|
||||
ninja > build.log 2>&1 || (cat build.log && exit 1)
|
||||
|
||||
./tool/bssl isfips
|
||||
|
||||
popd; rm -rf $OPENSSL_INC; cp -r include $OPENSSL_INC
|
||||
mkdir -p $OPENSSL_LIB; cp -r build/*/*.so $OPENSSL_LIB
|
||||
fi
|
||||
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
|
||||
T=${OPENSSL_PREFIX}.fips
|
||||
mkdir -p $T
|
||||
wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
|
||||
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
|
||||
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
|
||||
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
|
||||
make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
|
||||
make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
|
||||
cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
|
||||
mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
|
||||
# don't activate by default
|
||||
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
|
||||
|
||||
- name: Build LuaJIT
|
||||
env:
|
||||
|
@ -274,34 +222,16 @@ jobs:
|
|||
- name: Run FIPS Test
|
||||
run: |
|
||||
# openssl 3.0
|
||||
if [ -e $OPENSSL_LIB/libcrypto.so.3 ]; then
|
||||
if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
|
||||
echo "FIPS for OpenSSL 3.0"
|
||||
cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
|
||||
|
||||
pushd openssl-${{ matrix.openssl }}/;
|
||||
# LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
|
||||
# don't activate by default
|
||||
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
|
||||
cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
|
||||
export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
|
||||
popd
|
||||
|
||||
export TEST_NGINX_FIPS=1
|
||||
fi
|
||||
|
||||
# openssl 1.0.2 with fips module
|
||||
if [ "X${{ matrix.fips2 }}" != "X" ]; then
|
||||
echo "FIPS for OpenSSL 1.0.2"
|
||||
export TEST_NGINX_FIPS=1
|
||||
fi
|
||||
|
||||
# BoringSSL
|
||||
if [ "X${{ matrix.boringssl }}" != "X" ]; then
|
||||
echo "FIPS for BoringSSL ${{ matrix.boringssl }}"
|
||||
export TEST_NGINX_FIPS=1
|
||||
fi
|
||||
|
||||
if [ "X$TEST_NGINX_FIPS" != "X" ]; then
|
||||
echo "Running FIPS tests"
|
||||
|
||||
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
|
||||
|
@ -309,6 +239,7 @@ jobs:
|
|||
|
||||
TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
|
||||
|
||||
TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
|
||||
else
|
||||
echo "FIPS tests are skipped"
|
||||
fi
|
||||
|
||||
|
|
43
src/deps/src/lua-resty-openssl/CHANGELOG.md
vendored
43
src/deps/src/lua-resty-openssl/CHANGELOG.md
vendored
|
@ -2,6 +2,41 @@
|
|||
## [Unreleased]
|
||||
|
||||
|
||||
<a name="1.0.1"></a>
|
||||
## [1.0.1] - 2023-11-07
|
||||
### bug fixes
|
||||
- **jwk:** return error if exporting private key from public key ([#128](https://github.com/fffonion/lua-resty-openssl/issues/128)) [3a1bc27](https://github.com/fffonion/lua-resty-openssl/commit/3a1bc273e2a3f41faa7eb68f2939fd1fc25cdecb)
|
||||
|
||||
|
||||
<a name="1.0.0"></a>
|
||||
## [1.0.0] - 2023-11-03
|
||||
### code refactoring
|
||||
- **\*:** remove unused cdefs [84abc0a](https://github.com/fffonion/lua-resty-openssl/commit/84abc0ab99b3d649c7fe4575cf13867cf96a94ef)
|
||||
- **\*:** BREAKING: drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support [99b493e](https://github.com/fffonion/lua-resty-openssl/commit/99b493e671886e68c07b1b9c9472075c22ce38e9)
|
||||
|
||||
### features
|
||||
- **fips:** add get_fips_version_text [935227b](https://github.com/fffonion/lua-resty-openssl/commit/935227b348ba4416f2f4d671dd94f7910cbf9e61)
|
||||
|
||||
|
||||
<a name="0.8.26"></a>
|
||||
## [0.8.26] - 2023-10-30
|
||||
### bug fixes
|
||||
- **version:** add support for all 3.x versions [1516b4d](https://github.com/fffonion/lua-resty-openssl/commit/1516b4d94ac4621a1b243c14b5133ded81515d28)
|
||||
- **x509.csr:** remove extension before adding it [d6ed964](https://github.com/fffonion/lua-resty-openssl/commit/d6ed9648e39f46f7519413489baf021092ccbc49)
|
||||
|
||||
|
||||
<a name="0.8.25"></a>
|
||||
## [0.8.25] - 2023-09-05
|
||||
### bug fixes
|
||||
- **pkey:** clear error stack when verification fails ([#121](https://github.com/fffonion/lua-resty-openssl/issues/121)) [6e58b28](https://github.com/fffonion/lua-resty-openssl/commit/6e58b28c3d42560631e0c8351befa1434b6fc542)
|
||||
|
||||
|
||||
<a name="0.8.24"></a>
|
||||
## [0.8.24] - 2023-08-07
|
||||
### bug fixes
|
||||
- **ssl:** support ngx_lua 10025 [abaa66e](https://github.com/fffonion/lua-resty-openssl/commit/abaa66ee07ce734580fd29ec6032157c998f6346)
|
||||
|
||||
|
||||
<a name="0.8.23"></a>
|
||||
## [0.8.23] - 2023-06-20
|
||||
### bug fixes
|
||||
|
@ -9,6 +44,7 @@
|
|||
|
||||
### features
|
||||
- **tests:** add performance test ([#112](https://github.com/fffonion/lua-resty-openssl/issues/112)) [100b4e4](https://github.com/fffonion/lua-resty-openssl/commit/100b4e43843a597327be6e5356c64b5ce621fa56)
|
||||
- **x509.store:** add store:check_revocation and add flag to skip check CRL for store:add ([#1](https://github.com/fffonion/lua-resty-openssl/issues/1)) [1a5a4c8](https://github.com/fffonion/lua-resty-openssl/commit/1a5a4c881128ffb65d6eaf47bb3961417ef23f0b)
|
||||
|
||||
|
||||
<a name="0.8.22"></a>
|
||||
|
@ -506,7 +542,12 @@
|
|||
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
|
||||
|
||||
|
||||
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...HEAD
|
||||
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.1...HEAD
|
||||
[1.0.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.0...1.0.1
|
||||
[1.0.0]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.26...1.0.0
|
||||
[0.8.26]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.25...0.8.26
|
||||
[0.8.25]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.24...0.8.25
|
||||
[0.8.24]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...0.8.24
|
||||
[0.8.23]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.22...0.8.23
|
||||
[0.8.22]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.21...0.8.22
|
||||
[0.8.21]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.20...0.8.21
|
||||
|
|
90
src/deps/src/lua-resty-openssl/README.md
vendored
90
src/deps/src/lua-resty-openssl/README.md
vendored
|
@ -1,8 +1,8 @@
|
|||
# lua-resty-openssl
|
||||
|
||||
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.1, 3.0, 1.1 and 1.0.2 series.
|
||||
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.x, 1.1 series.
|
||||
|
||||
BoringSSL is also supported.
|
||||
OpenSSL 1.1.0, 1.0.2 and BoringSSL support has been dropped, but are still available at the [0.x branch](https://github.com/fffonion/lua-resty-openssl/tree/0.x).
|
||||
|
||||
![Build Status](https://github.com/fffonion/lua-resty-openssl/workflows/Tests/badge.svg) ![luarocks](https://img.shields.io/luarocks/v/fffonion/lua-resty-openssl?color=%232c3e67) ![opm](https://img.shields.io/opm/v/fffonion/lua-resty-openssl?color=%23599059)
|
||||
|
||||
|
@ -20,6 +20,7 @@ Table of Contents
|
|||
+ [openssl.resty_hmac_compat](#opensslresty_hmac_compat)
|
||||
+ [openssl.get_fips_mode](#opensslget_fips_mode)
|
||||
+ [openssl.set_fips_mode](#opensslset_fips_mode)
|
||||
+ [openssl.get_fips_version_text](#opensslget_fips_version_text)
|
||||
+ [openssl.set_default_properties](#opensslset_default_properties)
|
||||
+ [openssl.list_cipher_algorithms](#openssllist_cipher_algorithms)
|
||||
+ [openssl.list_digest_algorithms](#openssllist_digest_algorithms)
|
||||
|
@ -35,8 +36,7 @@ Table of Contents
|
|||
+ [version.version](#versionversion)
|
||||
+ [version.info](#versioninfo)
|
||||
+ [version.OPENSSL_3X](#versionOPENSSL_3X)
|
||||
+ [version.OPENSSL_11](#versionopenssl_11)
|
||||
+ [version.OPENSSL_10](#versionopenssl_10)
|
||||
+ [version.OPENSSL_111](#versionopenssl_111)
|
||||
* [resty.openssl.provider](#restyopensslprovider)
|
||||
+ [provider.load](#providerload)
|
||||
+ [provider.istype](#provideristype)
|
||||
|
@ -295,10 +295,7 @@ Description
|
|||
===========
|
||||
|
||||
`lua-resty-openssl` is a FFI-based OpenSSL binding library, currently
|
||||
supports OpenSSL `3.1.x`, `3.0.x`, `1.1.1`, `1.1.0` and `1.0.2` series.
|
||||
|
||||
**Note: when using with OpenSSL 1.0.2, it's recommanded to not use this library with other FFI-based OpenSSL binding libraries to avoid potential mismatch of `cdef`.**
|
||||
|
||||
supports OpenSSL `3.x` and `1.1.1` series.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
|
@ -321,9 +318,6 @@ using `error()` but instead return as last parameter.
|
|||
Each Lua table returned by `new()` contains a cdata object `ctx`. User are not supposed to manully setting
|
||||
`ffi.gc` or calling corresponding destructor of the `ctx` struct (like `*_free` functions).
|
||||
|
||||
BoringSSL removes some algorithms and not all functionalities below is supported by BoringSSL. Please
|
||||
consul its manual for differences between OpenSSL API.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
## resty.openssl
|
||||
|
@ -443,7 +437,14 @@ print(c:get_provider_name()) -- prints "fips"
|
|||
Compile the module per [security policy](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf)
|
||||
|
||||
Check if FIPS is acticated by running `assert(openssl.set_fips_mode(true))`.
|
||||
BoringSSL doesn't support "turn FIPS mode off" once it's compiled.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### openssl.get_fips_version_text
|
||||
|
||||
**syntax**: *text, err = openssl.get_fips_version_text()*
|
||||
|
||||
Returns the version text of the FIPS module, only available on OpenSSL 3.x.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
|
@ -596,11 +597,6 @@ Returns various OpenSSL version information. Available values for `types` are:
|
|||
MODULES_DIR
|
||||
CPU_INFO
|
||||
|
||||
For OpenSSL prior to 1.1.x, only `VERSION`, `CFLAGS`, `BUILT_ON`, `PLATFORM`
|
||||
and `DIR` are supported. Please refer to
|
||||
[OPENSSL_VERSION_NUMBER(3)](https://www.openssl.org/docs/manmaster/man3/OPENSSL_VERSION_NUMBER.html)
|
||||
for explanation of each type.
|
||||
|
||||
```lua
|
||||
local version = require("resty.openssl.version")
|
||||
ngx.say(string.format("%x", version.version_num))
|
||||
|
@ -647,23 +643,9 @@ A boolean indicates whether the linked OpenSSL is 3.x series.
|
|||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### version.OPENSSL_30
|
||||
### version.OPENSSL_111
|
||||
|
||||
Deprecated: use `version.OPENSSL_3X` is encouraged.
|
||||
|
||||
A boolean indicates whether the linked OpenSSL is 3.0 series.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### version.OPENSSL_11
|
||||
|
||||
A boolean indicates whether the linked OpenSSL is 1.1 series.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### version.OPENSSL_10
|
||||
|
||||
A boolean indicates whether the linked OpenSSL is 1.0 series.
|
||||
A boolean indicates whether the linked OpenSSL is 1.1.1 series.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
|
@ -767,10 +749,6 @@ X25519 | Y | Y | | | Y (ECDH) |
|
|||
Ed448 | Y | Y | | Y (PureEdDSA) | |
|
||||
X448 | Y | Y | | | Y (ECDH) |
|
||||
|
||||
`Ed25519`, `X25519`, `Ed448` and `X448` keys are only supported since OpenSSL 1.1.0.
|
||||
|
||||
Note BoringSSL doesn't support `Ed448` and `X448` keys.
|
||||
|
||||
Direct support of encryption and decryption for EC and ECX does not exist, but
|
||||
processes like ECIES is possible with [pkey:derive](#pkeyderive),
|
||||
[kdf](#restyopensslkdf) and [cipher](#restyopensslcipher)
|
||||
|
@ -1067,8 +1045,7 @@ This mode only supports RSA and EC keys.
|
|||
When passing a string as first parameter, `md_alg` parameter will specify the name
|
||||
to use when signing. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
|
||||
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA signing,
|
||||
no message digest should be specified and will not be used. BoringSSL doesn't have default
|
||||
digest thus `md_alg` must be specified.
|
||||
no message digest should be specified and will not be used.
|
||||
|
||||
`opts` is a table that accepts additional parameters.
|
||||
|
||||
|
@ -1083,8 +1060,7 @@ obsolete MD5 hash algorithm and will return error on this combination. See
|
|||
for a list of algorithms and associated public key algorithms. Normally, the ECDSA signature
|
||||
is encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
|
||||
a true value, a binary with just the concatenation of binary representation `pr` and `ps` is returned.
|
||||
This is useful for example to send the signature as JWS. This feature
|
||||
is only supported on OpenSSL 1.1.0 or later.
|
||||
This is useful for example to send the signature as JWS.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
|
@ -1106,8 +1082,7 @@ This mode only supports RSA and EC keys.
|
|||
When passing a string as second parameter, `md_alg` parameter will specify the name
|
||||
to use when verifying. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
|
||||
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA verification,
|
||||
no message digest should be specified and will not be used. BoringSSL doesn't have default
|
||||
digest thus `md_alg` must be specified.
|
||||
no message digest should be specified and will not be used.
|
||||
|
||||
`opts` is a table that accepts additional parameters.
|
||||
|
||||
|
@ -1118,8 +1093,7 @@ possible to specify PSS salt length by setting `opts.pss_saltlen`.
|
|||
For EC key, this function does a ECDSA verification. Normally, the ECDSA signature
|
||||
should be encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
|
||||
a true value, this library treat `signature` as concatenation of binary representation `pr` and `ps`.
|
||||
This is useful for example to verify the signature as JWS. This feature
|
||||
is only supported on OpenSSL 1.1.0 or later.
|
||||
This is useful for example to verify the signature as JWS.
|
||||
|
||||
```lua
|
||||
-- RSA and EC keys
|
||||
|
@ -1313,8 +1287,7 @@ Creates a `bn` instance from binary string.
|
|||
Exports the BIGNUM value in binary string.
|
||||
|
||||
`bn:to_binary` accepts an optional number argument `padto` that can be
|
||||
used to pad leading zeros to the output to a specific length. This feature
|
||||
is only supported on OpenSSL 1.1.0 or later.
|
||||
used to pad leading zeros to the output to a specific length.
|
||||
|
||||
```lua
|
||||
local b, err = require("resty.openssl.bn").from_binary(ngx.decode_base64("WyU="))
|
||||
|
@ -1860,6 +1833,8 @@ Reset the internal state of `digest` instance as it's just created by [digest.ne
|
|||
It calls [EVP_DigestInit_ex](https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit_ex.html) under
|
||||
the hood.
|
||||
|
||||
User must call this before reusing the same `digest` instance.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
## resty.openssl.hmac
|
||||
|
@ -1929,6 +1904,8 @@ Reset the internal state of `hmac` instance as it's just created by [hmac.new](#
|
|||
It calls [HMAC_Init_ex](https://www.openssl.org/docs/manmaster/man3/HMAC_Init_ex.html) under
|
||||
the hood.
|
||||
|
||||
User must call this before reusing the same `hmac` instance.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
## resty.openssl.mac
|
||||
|
@ -2026,8 +2003,7 @@ instead.
|
|||
|
||||
Derive a key from given material. Various KDFs are supported based on OpenSSL version:
|
||||
|
||||
- On OpenSSL 1.0.2 and later, `PBKDF2`([RFC 2898], [NIST SP 800-132]) is available.
|
||||
- On OpenSSL 1.1.0 and later, `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
|
||||
`PBKDF2`([RFC 2898], [NIST SP 800-132]), `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
|
||||
|
||||
|
||||
`options` is a table that contains:
|
||||
|
@ -2043,7 +2019,7 @@ Derive a key from given material. Various KDFs are supported based on OpenSSL ve
|
|||
to explictly select provider to fetch algorithms. | |
|
||||
| pbkdf2_iter | number | PBKDF2 iteration count. RFC 2898 suggests an iteration count of at least 1000. Any value less than 1 is treated as a single iteration. | `1` |
|
||||
| hkdf_key | string | HKDF key | **required** |
|
||||
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. This is only effective with OpenSSL >= 1.1.1. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
|
||||
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
|
||||
| hkdf_info | string | HKDF info value | (empty string) |
|
||||
| tls1_prf_secret | string | TLS1-PRF secret | **required** |
|
||||
| tls1_prf_seed | string | TLS1-PRF seed | **required** |
|
||||
|
@ -2182,6 +2158,8 @@ This function is available since OpenSSL 3.0.
|
|||
|
||||
Reset the internal state of `kdf` instance as it's just created by [kdf.new](#kdfnew).
|
||||
|
||||
User must call this before reusing the same `kdf` instance.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
## resty.openssl.objects
|
||||
|
@ -2586,8 +2564,6 @@ Sign the certificate using the private key specified by `pkey`, which must be a
|
|||
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
|
||||
Returns a boolean indicating if signing is successful and error if any.
|
||||
|
||||
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### x509:verify
|
||||
|
@ -2798,8 +2774,6 @@ Sign the certificate request using the private key specified by `pkey`, which mu
|
|||
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
|
||||
Returns a boolean indicating if signing is successful and error if any.
|
||||
|
||||
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### csr:verify
|
||||
|
@ -3014,8 +2988,6 @@ Sign the CRL using the private key specified by `pkey`, which must be a
|
|||
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
|
||||
Returns a boolean indicating if signing is successful and error if any.
|
||||
|
||||
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
### crl:verify
|
||||
|
@ -3967,8 +3939,6 @@ to explictly select provider to fetch algorithms.
|
|||
Returns `true` when the certificate isn't revoked,
|
||||
otherwise returns `nil` and error explaining the reason.
|
||||
|
||||
Note this function is supported from OpenSSL 1.1.0 and not supported in BoringSSL.
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
## resty.openssl.x509.revoked
|
||||
|
@ -4533,7 +4503,7 @@ Copyright and License
|
|||
|
||||
This module is licensed under the BSD license.
|
||||
|
||||
Copyright (C) 2019-2020, by fffonion <fffonion@gmail.com>.
|
||||
Copyright (C) 2019-2023, by fffonion <fffonion@gmail.com>.
|
||||
|
||||
All rights reserved.
|
||||
|
||||
|
@ -4551,7 +4521,7 @@ See Also
|
|||
========
|
||||
* [luaossl](https://github.com/wahern/luaossl)
|
||||
* [API/ABI changes review for OpenSSL](https://abi-laboratory.pro/index.php?view=timeline&l=openssl)
|
||||
* [OpenSSL API manual](https://www.openssl.org/docs/man1.1.1/man3/)
|
||||
* [OpenSSL API manual](https://www.openssl.org/docs/man3.1/man3/)
|
||||
|
||||
[Back to TOC](#table-of-contents)
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ local ffi_str = ffi.string
|
|||
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local OPENSSL_3X, BORINGSSL
|
||||
local OPENSSL_3X
|
||||
|
||||
local function try_require_modules()
|
||||
package.loaded["resty.openssl.version"] = nil
|
||||
|
@ -13,7 +13,6 @@ local function try_require_modules()
|
|||
local pok, lib = pcall(require, "resty.openssl.version")
|
||||
if pok then
|
||||
OPENSSL_3X = lib.OPENSSL_3X
|
||||
BORINGSSL = lib.BORINGSSL
|
||||
|
||||
require "resty.openssl.include.crypto"
|
||||
require "resty.openssl.include.objects"
|
||||
|
@ -25,7 +24,7 @@ try_require_modules()
|
|||
|
||||
|
||||
local _M = {
|
||||
_VERSION = '0.8.23',
|
||||
_VERSION = '1.0.1',
|
||||
}
|
||||
|
||||
local libcrypto_name
|
||||
|
@ -286,6 +285,14 @@ if OPENSSL_3X then
|
|||
return C.EVP_default_properties_is_fips_enabled(ctx_lib.get_libctx()) == 1
|
||||
end
|
||||
|
||||
function _M.get_fips_version_text()
|
||||
if not fips_provider_ctx then
|
||||
return false, "FIPS mode is not enabled"
|
||||
end
|
||||
|
||||
return fips_provider_ctx:get_params("version")
|
||||
end
|
||||
|
||||
else
|
||||
function _M.set_fips_mode(enable)
|
||||
if (not not enable) == _M.get_fips_mode() then
|
||||
|
@ -302,6 +309,10 @@ else
|
|||
function _M.get_fips_mode()
|
||||
return C.FIPS_mode() == 1
|
||||
end
|
||||
|
||||
function _M.get_fips_version_text()
|
||||
return nil, "openssl.get_fips_version_text not supported on OpenSSL 1.1.1"
|
||||
end
|
||||
end
|
||||
|
||||
function _M.set_default_properties(props)
|
||||
|
@ -362,10 +373,6 @@ local function list_provided(typ)
|
|||
end
|
||||
|
||||
function _M.list_cipher_algorithms()
|
||||
if BORINGSSL then
|
||||
return nil, "openssl.list_cipher_algorithms is not supported on BoringSSL"
|
||||
end
|
||||
|
||||
require "resty.openssl.include.evp.cipher"
|
||||
local ret = list_legacy("EVP_CIPHER",
|
||||
OPENSSL_3X and C.EVP_CIPHER_get_nid or C.EVP_CIPHER_nid)
|
||||
|
@ -381,10 +388,6 @@ function _M.list_cipher_algorithms()
|
|||
end
|
||||
|
||||
function _M.list_digest_algorithms()
|
||||
if BORINGSSL then
|
||||
return nil, "openssl.list_digest_algorithms is not supported on BoringSSL"
|
||||
end
|
||||
|
||||
require "resty.openssl.include.evp.md"
|
||||
local ret = list_legacy("EVP_MD",
|
||||
OPENSSL_3X and C.EVP_MD_get_type or C.EVP_MD_type)
|
||||
|
|
|
@ -202,6 +202,10 @@ end
|
|||
|
||||
function _M.dump_jwk(pkey, is_priv)
|
||||
local jwk
|
||||
if is_priv and not pkey:is_private() then
|
||||
return nil, "jwk.dump_jwk: could not dump public key as private key"
|
||||
end
|
||||
|
||||
if pkey.key_type == evp_macro.EVP_PKEY_RSA then
|
||||
local param_keys = { "n" , "e" }
|
||||
if is_priv then
|
||||
|
|
|
@ -168,6 +168,7 @@ else
|
|||
return ssl.session_ctx
|
||||
end
|
||||
|
||||
-- https://github.com/openresty/stream-lua-nginx-module/blob/master/src/ngx_stream_lua_socket_tcp.h
|
||||
ffi.cdef[[
|
||||
typedef struct ngx_http_lua_socket_tcp_upstream_s
|
||||
ngx_http_lua_socket_tcp_upstream_t;
|
||||
|
@ -213,7 +214,7 @@ else
|
|||
ngx.config.ngx_lua_version and
|
||||
ngx.config.ngx_lua_version
|
||||
|
||||
if ngx_lua_version >= 10019 and ngx_lua_version <= 10021 then
|
||||
if ngx_lua_version >= 10019 and ngx_lua_version <= 10025 then
|
||||
-- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
|
||||
ffi.cdef[[
|
||||
typedef struct {
|
||||
|
|
|
@ -9,7 +9,6 @@ require "resty.openssl.include.bn"
|
|||
local crypto_macro = require("resty.openssl.include.crypto")
|
||||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
local _M = {}
|
||||
|
@ -55,8 +54,6 @@ function _M:to_binary(pad)
|
|||
if pad then
|
||||
if type(pad) ~= "number" then
|
||||
return nil, "bn:to_binary: expect a number at #1"
|
||||
elseif OPENSSL_10 then
|
||||
return nil, "bn:to_binary: padding is only supported on OpenSSL 1.1.0 or later"
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -167,30 +164,18 @@ end
|
|||
-- we only need one per worker
|
||||
local bn_ctx_tmp = C.BN_CTX_new()
|
||||
assert(bn_ctx_tmp ~= nil)
|
||||
if OPENSSL_10 then
|
||||
C.BN_CTX_init(bn_ctx_tmp)
|
||||
end
|
||||
ffi_gc(bn_ctx_tmp, C.BN_CTX_free)
|
||||
|
||||
_M.bn_ctx_tmp = bn_ctx_tmp
|
||||
|
||||
-- mathematics
|
||||
|
||||
local is_negative
|
||||
if OPENSSL_10 then
|
||||
local bn_zero = assert(_M.new(0)).ctx
|
||||
is_negative = function(ctx)
|
||||
return C.BN_cmp(ctx, bn_zero) < 0 and 1 or 0
|
||||
end
|
||||
else
|
||||
is_negative = C.BN_is_negative
|
||||
end
|
||||
function mt.__unm(a)
|
||||
local b = _M.dup(a.ctx)
|
||||
if b == nil then
|
||||
error("BN_dup() failed")
|
||||
end
|
||||
local sign = is_negative(b.ctx)
|
||||
local sign = C.BN_is_negative(b.ctx)
|
||||
C.BN_set_negative(b.ctx, 1-sign)
|
||||
return b
|
||||
end
|
||||
|
@ -366,37 +351,6 @@ function mt.__le(a, b)
|
|||
return C.BN_cmp(a.ctx, b.ctx) <= 0
|
||||
end
|
||||
|
||||
if OPENSSL_10 then
|
||||
-- in openssl 1.0.x those functions are implemented as macros
|
||||
-- don't want to copy paste all structs here
|
||||
-- the followings are definitely slower, but works
|
||||
local bn_zero = assert(_M.new(0)).ctx
|
||||
local bn_one = assert(_M.new(1)).ctx
|
||||
|
||||
function _M:is_zero()
|
||||
return C.BN_cmp(self.ctx, bn_zero) == 0
|
||||
end
|
||||
|
||||
function _M:is_one()
|
||||
return C.BN_cmp(self.ctx, bn_one) == 0
|
||||
end
|
||||
|
||||
function _M:is_word(n)
|
||||
local ctx = C.BN_new()
|
||||
ffi_gc(ctx, C.BN_free)
|
||||
if ctx == nil then
|
||||
return nil, "bn:is_word: BN_new() failed"
|
||||
end
|
||||
if C.BN_set_word(ctx, n) ~= 1 then
|
||||
return nil, "bn:is_word: BN_set_word() failed"
|
||||
end
|
||||
return C.BN_cmp(self.ctx, ctx) == 0
|
||||
end
|
||||
|
||||
function _M:is_odd()
|
||||
return self:to_number() % 2 == 1
|
||||
end
|
||||
else
|
||||
function _M:is_zero()
|
||||
return C.BN_is_zero(self.ctx) == 1
|
||||
end
|
||||
|
@ -412,7 +366,6 @@ else
|
|||
function _M:is_odd()
|
||||
return C.BN_is_odd(self.ctx) == 1
|
||||
end
|
||||
end
|
||||
|
||||
function _M:is_prime(nchecks)
|
||||
if nchecks and type(nchecks) ~= "number" then
|
||||
|
|
|
@ -9,8 +9,6 @@ local evp_macro = require "resty.openssl.include.evp"
|
|||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
local uchar_array = ctypes.uchar_array
|
||||
|
@ -32,18 +30,11 @@ function _M.new(typ, properties)
|
|||
return nil, "cipher.new: expect type to be defined"
|
||||
end
|
||||
|
||||
local ctx
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ctx = C.EVP_CIPHER_CTX_new()
|
||||
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
|
||||
elseif OPENSSL_10 then
|
||||
ctx = ffi.new('EVP_CIPHER_CTX')
|
||||
C.EVP_CIPHER_CTX_init(ctx)
|
||||
ffi_gc(ctx, C.EVP_CIPHER_CTX_cleanup)
|
||||
end
|
||||
local ctx = C.EVP_CIPHER_CTX_new()
|
||||
if ctx == nil then
|
||||
return nil, "cipher.new: failed to create EVP_CIPHER_CTX"
|
||||
end
|
||||
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
|
||||
|
||||
local ctyp
|
||||
if OPENSSL_3X then
|
||||
|
|
|
@ -4,8 +4,6 @@ local C = ffi.C
|
|||
require "resty.openssl.include.dh"
|
||||
local bn_lib = require "resty.openssl.bn"
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local _M = {}
|
||||
|
@ -18,45 +16,23 @@ function _M.get_parameters(dh_st)
|
|||
return setmetatable(empty_table, {
|
||||
__index = function(_, k)
|
||||
local ptr, ret
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ptr = bn_ptrptr_ct()
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ptr = bn_ptrptr_ct()
|
||||
end
|
||||
|
||||
if k == 'p' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.DH_get0_pqg(dh_st, ptr, nil, nil)
|
||||
end
|
||||
elseif k == 'q' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.DH_get0_pqg(dh_st, nil, ptr, nil)
|
||||
end
|
||||
elseif k == 'g' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.DH_get0_pqg(dh_st, nil, nil, ptr)
|
||||
end
|
||||
elseif k == 'public' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.DH_get0_key(dh_st, ptr, nil)
|
||||
end
|
||||
k = "pub_key"
|
||||
elseif k == 'private' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.DH_get0_key(dh_st, nil, ptr)
|
||||
end
|
||||
k = "priv_key"
|
||||
else
|
||||
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ret = ptr[0]
|
||||
elseif OPENSSL_10 then
|
||||
ret = dh_st[k]
|
||||
end
|
||||
|
||||
if ret == nil then
|
||||
return nil
|
||||
|
@ -85,52 +61,44 @@ function _M.set_parameters(dh_st, opts)
|
|||
local cleanup_from_idx = 1
|
||||
-- dup input
|
||||
local do_set_key, do_set_pqg
|
||||
|
||||
while true do -- luacheck: ignore
|
||||
for k, v in pairs(opts) do
|
||||
opts_bn[k], err = dup_bn_value(v)
|
||||
if err then
|
||||
-- luacheck: ignore
|
||||
err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
|
||||
if k == "private" or k == "public" then
|
||||
do_set_key = true
|
||||
elseif k == "p" or k == "q" or k == "g" then
|
||||
do_set_pqg = true
|
||||
end
|
||||
end
|
||||
if OPENSSL_11_OR_LATER then
|
||||
|
||||
local code
|
||||
if do_set_key then
|
||||
code = C.DH_set0_key(dh_st, opts_bn["public"], opts_bn["private"])
|
||||
if code == 0 then
|
||||
err = format_error("dh.set_parameters: DH_set0_key")
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
cleanup_from_idx = cleanup_from_idx + 2
|
||||
if do_set_pqg then
|
||||
code = C.DH_set0_pqg(dh_st, opts_bn["p"], opts_bn["q"], opts_bn["g"])
|
||||
if code == 0 then
|
||||
err = format_error("dh.set_parameters: DH_set0_pqg")
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
end
|
||||
return true
|
||||
elseif OPENSSL_10 then
|
||||
for k, v in pairs(opts_bn) do
|
||||
if k == "public" then
|
||||
k = "pub_key"
|
||||
elseif k == "private" then
|
||||
k = "priv_key"
|
||||
end
|
||||
if dh_st[k] ~= nil then
|
||||
C.BN_free(dh_st[k])
|
||||
end
|
||||
dh_st[k]= v
|
||||
end
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
::cleanup_with_error::
|
||||
for i, k in pairs(_M.params) do
|
||||
if i >= cleanup_from_idx then
|
||||
C.BN_free(opts_bn[k])
|
||||
|
|
|
@ -7,8 +7,6 @@ require "resty.openssl.include.evp.md"
|
|||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
local _M = {}
|
||||
|
@ -17,17 +15,11 @@ local mt = {__index = _M}
|
|||
local md_ctx_ptr_ct = ffi.typeof('EVP_MD_CTX*')
|
||||
|
||||
function _M.new(typ, properties)
|
||||
local ctx
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ctx = C.EVP_MD_CTX_new()
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_free)
|
||||
elseif OPENSSL_10 then
|
||||
ctx = C.EVP_MD_CTX_create()
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
|
||||
end
|
||||
local ctx = C.EVP_MD_CTX_new()
|
||||
if ctx == nil then
|
||||
return nil, "digest.new: failed to create EVP_MD_CTX"
|
||||
end
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_free)
|
||||
|
||||
local err_new = string.format("digest.new: invalid digest type \"%s\"", typ)
|
||||
|
||||
|
@ -37,6 +29,7 @@ function _M.new(typ, properties)
|
|||
else
|
||||
if OPENSSL_3X then
|
||||
algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), typ or 'sha1', properties)
|
||||
ffi_gc(algo, C.EVP_MD_free)
|
||||
else
|
||||
algo = C.EVP_get_digestbyname(typ or 'sha1')
|
||||
end
|
||||
|
|
|
@ -5,11 +5,8 @@ local ffi_gc = ffi.gc
|
|||
require "resty.openssl.include.ec"
|
||||
local bn_lib = require "resty.openssl.bn"
|
||||
local objects_lib = require "resty.openssl.objects"
|
||||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
|
||||
local version_num = require("resty.openssl.version").version_num
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local _M = {}
|
||||
|
||||
|
@ -38,27 +35,12 @@ function _M.get_parameters(ec_key_st)
|
|||
if point_form == nil then
|
||||
return nil, format_error("ec.get_parameters: EC_KEY_get_conv_form")
|
||||
end
|
||||
if BORINGSSL then
|
||||
local sz = tonumber(C.EC_POINT_point2oct(group, pub_point, point_form, nil, 0, bn_lib.bn_ctx_tmp))
|
||||
if sz <= 0 then
|
||||
return nil, format_error("ec.get_parameters: EC_POINT_point2oct")
|
||||
end
|
||||
local buf = ctypes.uchar_array(sz)
|
||||
C.EC_POINT_point2oct(group, pub_point, point_form, buf, sz, bn_lib.bn_ctx_tmp)
|
||||
buf = ffi.string(buf, sz)
|
||||
local err
|
||||
bn, err = bn_lib.from_binary(buf)
|
||||
if bn == nil then
|
||||
return nil, "ec.get_parameters: bn_lib.from_binary: " .. err
|
||||
end
|
||||
return bn
|
||||
else
|
||||
|
||||
bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
|
||||
if bn == nil then
|
||||
return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
|
||||
end
|
||||
ffi_gc(bn, C.BN_free)
|
||||
end
|
||||
elseif k == 'private' or k == "priv_key" then
|
||||
-- get0, don't GC
|
||||
bn = C.EC_KEY_get0_private_key(ec_key_st)
|
||||
|
@ -72,17 +54,12 @@ function _M.get_parameters(ec_key_st)
|
|||
return nil, "ec.get_parameters: BN_new() failed"
|
||||
end
|
||||
ffi_gc(bn, C.BN_free)
|
||||
local f
|
||||
if version_num >= 0x10101000 then
|
||||
f = C.EC_POINT_get_affine_coordinates
|
||||
else
|
||||
f = C.EC_POINT_get_affine_coordinates_GFp
|
||||
end
|
||||
|
||||
local code
|
||||
if k == 'x' then
|
||||
code = f(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
|
||||
code = C.EC_POINT_get_affine_coordinates(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
|
||||
else
|
||||
code = f(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
|
||||
code = C.EC_POINT_get_affine_coordinates(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
|
||||
end
|
||||
if code ~= 1 then
|
||||
return nil, format_error("ec.get_parameters: EC_POINT_get_affine_coordinates")
|
||||
|
|
|
@ -7,8 +7,6 @@ require "resty.openssl.include.hmac"
|
|||
require "resty.openssl.include.evp.md"
|
||||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
local _M = {}
|
||||
|
@ -20,18 +18,11 @@ local hmac_ctx_ptr_ct = ffi.typeof('HMAC_CTX*')
|
|||
-- Replace with EVP_MAC_* functions for OpenSSL 3.0
|
||||
|
||||
function _M.new(key, typ)
|
||||
local ctx
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ctx = C.HMAC_CTX_new()
|
||||
ffi_gc(ctx, C.HMAC_CTX_free)
|
||||
elseif OPENSSL_10 then
|
||||
ctx = ffi.new('HMAC_CTX')
|
||||
C.HMAC_CTX_init(ctx)
|
||||
ffi_gc(ctx, C.HMAC_CTX_cleanup)
|
||||
end
|
||||
local ctx = C.HMAC_CTX_new()
|
||||
if ctx == nil then
|
||||
return nil, "hmac.new: failed to create HMAC_CTX"
|
||||
end
|
||||
ffi_gc(ctx, C.HMAC_CTX_free)
|
||||
|
||||
local algo = C.EVP_get_digestbyname(typ or 'sha1')
|
||||
if algo == nil then
|
||||
|
|
|
@ -54,38 +54,10 @@ declare_asn1_functions("ASN1_OBJECT")
|
|||
declare_asn1_functions("ASN1_STRING")
|
||||
declare_asn1_functions("ASN1_ENUMERATED")
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
|
||||
|
||||
local ASN1_STRING_get0_data
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef[[
|
||||
const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
|
||||
]]
|
||||
ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef[[
|
||||
unsigned char *ASN1_STRING_data(ASN1_STRING *x);
|
||||
typedef struct ASN1_ENCODING_st {
|
||||
unsigned char *enc; /* DER encoding */
|
||||
long len; /* Length of encoding */
|
||||
int modified; /* set to 1 if 'enc' is invalid */
|
||||
} ASN1_ENCODING;
|
||||
]]
|
||||
ASN1_STRING_get0_data = C.ASN1_STRING_data
|
||||
end
|
||||
|
||||
if BORINGSSL_110 then
|
||||
ffi.cdef [[
|
||||
// required by resty/openssl/include/x509/crl.lua
|
||||
typedef struct ASN1_ENCODING_st {
|
||||
unsigned char *enc; /* DER encoding */
|
||||
long len; /* Length of encoding */
|
||||
int modified; /* set to 1 if 'enc' is invalid */
|
||||
} ASN1_ENCODING;
|
||||
]]
|
||||
end
|
||||
local ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
|
||||
|
||||
return {
|
||||
ASN1_STRING_get0_data = ASN1_STRING_get0_data,
|
||||
|
|
|
@ -9,5 +9,5 @@ ffi.cdef [[
|
|||
BIO *BIO_new(const BIO_METHOD *type);
|
||||
int BIO_free(BIO *a);
|
||||
const BIO_METHOD *BIO_s_mem(void);
|
||||
int BIO_read(BIO *b, void *data, int dlen);
|
||||
// int BIO_read(BIO *b, void *data, int dlen);
|
||||
]]
|
||||
|
|
|
@ -16,7 +16,7 @@ ffi.cdef(
|
|||
void BN_free(BIGNUM *a);
|
||||
|
||||
BN_CTX *BN_CTX_new(void);
|
||||
void BN_CTX_init(BN_CTX *c);
|
||||
// void BN_CTX_init(BN_CTX *c);
|
||||
void BN_CTX_free(BN_CTX *c);
|
||||
|
||||
BIGNUM *BN_dup(const BIGNUM *a);
|
||||
|
|
|
@ -1,37 +1,19 @@
|
|||
local ffi = require "ffi"
|
||||
local C = ffi.C
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local OPENSSL_free
|
||||
if OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
void CRYPTO_free(void *ptr);
|
||||
]]
|
||||
OPENSSL_free = C.CRYPTO_free
|
||||
elseif BORINGSSL then
|
||||
ffi.cdef [[
|
||||
void OPENSSL_free(void *ptr);
|
||||
]]
|
||||
OPENSSL_free = C.OPENSSL_free
|
||||
elseif OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
void CRYPTO_free(void *ptr, const char *file, int line);
|
||||
]]
|
||||
OPENSSL_free = function(ptr)
|
||||
-- file and line is for debuggin only, since we can't know the c file info
|
||||
-- the macro is expanded, just ignore this
|
||||
C.CRYPTO_free(ptr, "", 0)
|
||||
end
|
||||
end
|
||||
|
||||
ffi.cdef [[
|
||||
int FIPS_mode(void);
|
||||
int FIPS_mode_set(int ONOFF);
|
||||
void CRYPTO_free(void *ptr, const char *file, int line);
|
||||
]]
|
||||
|
||||
local OPENSSL_free = function(ptr)
|
||||
-- file and line is for debuggin only, since we can't know the c file info
|
||||
-- the macro is expanded, just ignore this
|
||||
C.CRYPTO_free(ptr, "", 0)
|
||||
end
|
||||
|
||||
|
||||
return {
|
||||
OPENSSL_free = OPENSSL_free,
|
||||
}
|
||||
|
|
|
@ -3,10 +3,7 @@ local C = ffi.C
|
|||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
require "resty.openssl.include.objects"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
void DH_get0_pqg(const DH *dh,
|
||||
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
|
||||
|
@ -14,39 +11,7 @@ if OPENSSL_11_OR_LATER then
|
|||
void DH_get0_key(const DH *dh,
|
||||
const BIGNUM **pub_key, const BIGNUM **priv_key);
|
||||
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
struct dh_st {
|
||||
/*
|
||||
* This first argument is used to pick up errors when a DH is passed
|
||||
* instead of a EVP_PKEY
|
||||
*/
|
||||
int pad;
|
||||
int version;
|
||||
BIGNUM *p;
|
||||
BIGNUM *g;
|
||||
long length; /* optional */
|
||||
BIGNUM *pub_key; /* g^x */
|
||||
BIGNUM *priv_key; /* x */
|
||||
int flags;
|
||||
/*BN_MONT_CTX*/ void *method_mont_p;
|
||||
/* Place holders if we want to do X9.42 DH */
|
||||
BIGNUM *q;
|
||||
BIGNUM *j;
|
||||
unsigned char *seed;
|
||||
int seedlen;
|
||||
BIGNUM *counter;
|
||||
int references;
|
||||
/* trimmer */
|
||||
// CRYPTO_EX_DATA ex_data;
|
||||
// const DH_METHOD *meth;
|
||||
// ENGINE *engine;
|
||||
};
|
||||
]]
|
||||
end
|
||||
|
||||
ffi.cdef [[
|
||||
DH *DH_get_1024_160(void);
|
||||
DH *DH_get_2048_224(void);
|
||||
DH *DH_get_2048_256(void);
|
||||
|
|
|
@ -23,23 +23,13 @@ ffi.cdef [[
|
|||
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
|
||||
void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
|
||||
point_conversion_form_t form);
|
||||
void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
|
||||
// void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
|
||||
int EC_GROUP_get_curve_name(const EC_GROUP *group);
|
||||
|
||||
|
||||
void EC_GROUP_free(EC_GROUP *group);
|
||||
|
||||
BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
|
||||
point_conversion_form_t form, BIGNUM *, BN_CTX *);
|
||||
// for BoringSSL
|
||||
size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
|
||||
point_conversion_form_t form,
|
||||
unsigned char *buf, size_t len, BN_CTX *ctx);
|
||||
// OpenSSL < 1.1.1
|
||||
int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
|
||||
const EC_POINT *p,
|
||||
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
|
||||
// OpenSSL >= 1.1.1
|
||||
int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
|
||||
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
|
||||
EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn,
|
||||
|
|
|
@ -6,21 +6,7 @@ require "resty.openssl.include.ossl_typ"
|
|||
require "resty.openssl.include.err"
|
||||
require "resty.openssl.include.objects"
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
if BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
|
||||
const uint8_t *salt, size_t salt_len,
|
||||
unsigned iterations, const EVP_MD *digest,
|
||||
size_t key_len, uint8_t *out_key);
|
||||
int EVP_PBE_scrypt(const char *password, size_t password_len,
|
||||
const uint8_t *salt, size_t salt_len,
|
||||
uint64_t N, uint64_t r, uint64_t p,
|
||||
size_t max_mem, uint8_t *out_key,
|
||||
size_t key_len);
|
||||
]]
|
||||
else
|
||||
ffi.cdef [[
|
||||
/* KDF */
|
||||
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
|
||||
|
@ -32,7 +18,6 @@ else
|
|||
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
|
||||
unsigned char *key, size_t keylen);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_3X then
|
||||
require "resty.openssl.include.provider"
|
||||
|
|
|
@ -1,25 +1,22 @@
|
|||
local ffi = require "ffi"
|
||||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
ffi.cdef [[
|
||||
// openssl < 3.0
|
||||
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
|
||||
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
|
||||
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
|
||||
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
|
||||
// int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
|
||||
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
|
||||
|
||||
int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
|
||||
|
||||
const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
|
||||
const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
|
||||
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
|
||||
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
int *outl, const unsigned char *in, int inl);
|
||||
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
int *outl, const unsigned char *in, int inl);
|
||||
// int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
// int *outl, const unsigned char *in, int inl);
|
||||
// int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
// int *outl, const unsigned char *in, int inl);
|
||||
|
||||
|
||||
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,
|
||||
|
@ -38,24 +35,14 @@ ffi.cdef [[
|
|||
void EVP_CIPHER_do_all_sorted(void (*fn)
|
||||
(const EVP_CIPHER *ciph, const char *from,
|
||||
const char *to, void *x), void *arg);
|
||||
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
|
||||
]]
|
||||
|
||||
if BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
||||
const uint8_t *salt, const uint8_t *data,
|
||||
size_t data_len, unsigned count, uint8_t *key,
|
||||
uint8_t *iv);
|
||||
]]
|
||||
else
|
||||
ffi.cdef [[
|
||||
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
||||
const unsigned char *salt,
|
||||
const unsigned char *data, int datal, int count,
|
||||
unsigned char *key, unsigned char *iv);
|
||||
|
||||
]]
|
||||
end
|
||||
|
||||
|
||||
if OPENSSL_3X then
|
||||
require "resty.openssl.include.provider"
|
||||
|
@ -75,8 +62,8 @@ if OPENSSL_3X then
|
|||
void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
fake_openssl_cipher_provided_list_fn*,
|
||||
void *arg);
|
||||
int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
|
||||
void EVP_CIPHER_free(EVP_CIPHER *cipher);
|
||||
// int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
|
||||
// void EVP_CIPHER_free(EVP_CIPHER *cipher);
|
||||
|
||||
const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher);
|
||||
|
||||
|
@ -85,39 +72,12 @@ if OPENSSL_3X then
|
|||
int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
|
||||
const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
else
|
||||
ffi.cdef [[
|
||||
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
|
||||
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
|
||||
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
|
||||
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
|
||||
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
|
||||
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
|
||||
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
|
||||
|
||||
// # define EVP_MAX_IV_LENGTH 16
|
||||
// # define EVP_MAX_BLOCK_LENGTH 32
|
||||
|
||||
struct evp_cipher_ctx_st {
|
||||
const EVP_CIPHER *cipher;
|
||||
ENGINE *engine; /* functional reference if 'cipher' is
|
||||
* ENGINE-provided */
|
||||
int encrypt; /* encrypt or decrypt */
|
||||
int buf_len; /* number we have left */
|
||||
unsigned char oiv[16]; /* original iv EVP_MAX_IV_LENGTH */
|
||||
unsigned char iv[16]; /* working iv EVP_MAX_IV_LENGTH */
|
||||
unsigned char buf[32]; /* saved partial block EVP_MAX_BLOCK_LENGTH */
|
||||
int num; /* used by cfb/ofb/ctr mode */
|
||||
void *app_data; /* application stuff */
|
||||
int key_len; /* May change for variable length cipher */
|
||||
unsigned long flags; /* Various flags */
|
||||
void *cipher_data; /* per EVP data */
|
||||
int final_used;
|
||||
int block_mask;
|
||||
unsigned char final[32]; /* possible final block EVP_MAX_BLOCK_LENGTH */
|
||||
} /* EVP_CIPHER_CTX */ ;
|
||||
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
|
||||
]]
|
||||
end
|
|
@ -7,7 +7,6 @@ require "resty.openssl.include.evp.md"
|
|||
local evp = require("resty.openssl.include.evp")
|
||||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local void_ptr = ctypes.void_ptr
|
||||
|
||||
|
@ -27,7 +26,7 @@ if OPENSSL_3X then
|
|||
void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
fake_openssl_kdf_provided_list_fn*,
|
||||
void *arg);
|
||||
int EVP_KDF_up_ref(EVP_KDF *kdf);
|
||||
// int EVP_KDF_up_ref(EVP_KDF *kdf);
|
||||
void EVP_KDF_free(EVP_KDF *kdf);
|
||||
|
||||
const char *EVP_KDF_get0_name(const EVP_KDF *kdf);
|
||||
|
@ -46,11 +45,7 @@ if OPENSSL_3X then
|
|||
int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]);
|
||||
const OSSL_PARAM *EVP_KDF_CTX_gettable_params(const EVP_KDF_CTX *ctx);
|
||||
const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF_CTX *ctx);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_3X or BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx,
|
||||
const unsigned char *sec, int seclen);
|
||||
|
|
|
@ -26,7 +26,7 @@ ffi.cdef [[
|
|||
void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
fake_openssl_mac_provided_list_fn*,
|
||||
void *arg);
|
||||
int EVP_MAC_up_ref(EVP_MAC *mac);
|
||||
// int EVP_MAC_up_ref(EVP_MAC *mac);
|
||||
void EVP_MAC_free(EVP_MAC *mac);
|
||||
|
||||
const char *EVP_MAC_get0_name(const EVP_MAC *mac);
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
local ffi = require "ffi"
|
||||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
ffi.cdef [[
|
||||
|
@ -19,9 +17,9 @@ ffi.cdef [[
|
|||
unsigned int *s);
|
||||
|
||||
const EVP_MD *EVP_md_null(void);
|
||||
// openssl < 3.0
|
||||
int EVP_MD_size(const EVP_MD *md);
|
||||
int EVP_MD_type(const EVP_MD *md);
|
||||
|
||||
EVP_MD_CTX *EVP_MD_CTX_new(void);
|
||||
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
|
||||
|
||||
typedef void* fake_openssl_md_list_fn(const EVP_MD *ciph, const char *from,
|
||||
const char *to, void *x);
|
||||
|
@ -45,7 +43,7 @@ if OPENSSL_3X then
|
|||
void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
fake_openssl_md_provided_list_fn*,
|
||||
void *arg);
|
||||
int EVP_MD_up_ref(EVP_MD *md);
|
||||
// int EVP_MD_up_ref(EVP_MD *md);
|
||||
void EVP_MD_free(EVP_MD *md);
|
||||
|
||||
const char *EVP_MD_get0_name(const EVP_MD *md);
|
||||
|
@ -55,32 +53,9 @@ if OPENSSL_3X then
|
|||
int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]);
|
||||
const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
else
|
||||
ffi.cdef [[
|
||||
EVP_MD_CTX *EVP_MD_CTX_new(void);
|
||||
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
EVP_MD_CTX *EVP_MD_CTX_create(void);
|
||||
void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
|
||||
|
||||
// crypto/evp/evp.h
|
||||
// only needed for openssl 1.0.x where initializer for HMAC_CTX is not avaiable
|
||||
// HACK: renamed from env_md_ctx_st to evp_md_ctx_st to match typedef (lazily)
|
||||
// it's an internal struct thus name is not exported so we will be fine
|
||||
struct evp_md_ctx_st {
|
||||
const EVP_MD *digest;
|
||||
ENGINE *engine; /* functional reference if 'digest' is
|
||||
* ENGINE-provided */
|
||||
unsigned long flags;
|
||||
void *md_data;
|
||||
/* Public key context for sign/verify */
|
||||
EVP_PKEY_CTX *pctx;
|
||||
/* Update function: usually copied from EVP_MD */
|
||||
int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
|
||||
} /* EVP_MD_CTX */ ;
|
||||
int EVP_MD_size(const EVP_MD *md);
|
||||
int EVP_MD_type(const EVP_MD *md);
|
||||
]]
|
||||
end
|
|
@ -4,9 +4,7 @@ local C = ffi.C
|
|||
require "resty.openssl.include.ossl_typ"
|
||||
require "resty.openssl.include.evp.md"
|
||||
local evp = require("resty.openssl.include.evp")
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
ffi.cdef [[
|
||||
EVP_PKEY *EVP_PKEY_new(void);
|
||||
|
@ -28,8 +26,8 @@ ffi.cdef [[
|
|||
int cmd, int p1, void *p2);
|
||||
// TODO replace EVP_PKEY_CTX_ctrl with EVP_PKEY_CTX_ctrl_str to reduce
|
||||
// some hardcoded macros
|
||||
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
|
||||
const char *value);
|
||||
// int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
|
||||
// const char *value);
|
||||
int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
|
||||
int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
|
||||
unsigned char *out, size_t *outlen,
|
||||
|
@ -85,6 +83,8 @@ ffi.cdef [[
|
|||
int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
|
||||
]]
|
||||
|
||||
local _M = {}
|
||||
|
||||
if OPENSSL_3X then
|
||||
require "resty.openssl.include.provider"
|
||||
|
||||
|
@ -94,55 +94,6 @@ if OPENSSL_3X then
|
|||
int EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
|
||||
int EVP_PKEY_get_size(const EVP_PKEY *pkey);
|
||||
|
||||
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
|
||||
const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
|
||||
|
||||
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
|
||||
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
|
||||
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
|
||||
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
// crypto/evp/evp.h
|
||||
// only needed for openssl 1.0.x where getters are not available
|
||||
// needed to get key to extract parameters
|
||||
// Note: this struct is trimmed
|
||||
struct evp_pkey_st {
|
||||
int type;
|
||||
int save_type;
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ENGINE *engine;
|
||||
ENGINE *pmeth_engine;
|
||||
union {
|
||||
void *ptr;
|
||||
struct rsa_st *rsa;
|
||||
struct dsa_st *dsa;
|
||||
struct dh_st *dh;
|
||||
struct ec_key_st *ec;
|
||||
} pkey;
|
||||
// trimmed
|
||||
|
||||
// CRYPTO_REF_COUNT references;
|
||||
// CRYPTO_RWLOCK *lock;
|
||||
// STACK_OF(X509_ATTRIBUTE) *attributes;
|
||||
// int save_parameters;
|
||||
|
||||
// struct {
|
||||
// EVP_KEYMGMT *keymgmt;
|
||||
// void *provkey;
|
||||
// } pkeys[10];
|
||||
// size_t dirty_cnt_copy;
|
||||
};
|
||||
]]
|
||||
end
|
||||
|
||||
local _M = {}
|
||||
|
||||
if OPENSSL_3X or BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
|
||||
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
|
||||
|
||||
|
@ -153,7 +104,16 @@ if OPENSSL_3X or BORINGSSL then
|
|||
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
|
||||
|
||||
int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits);
|
||||
|
||||
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
|
||||
// const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
|
||||
|
||||
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
|
||||
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
|
||||
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
|
||||
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
|
||||
]]
|
||||
|
||||
_M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid)
|
||||
return C.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid)
|
||||
end
|
||||
|
|
|
@ -2,47 +2,16 @@ local ffi = require "ffi"
|
|||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
require "resty.openssl.include.evp"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
if BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
|
||||
const EVP_MD *md, ENGINE *impl);
|
||||
]]
|
||||
else
|
||||
ffi.cdef [[
|
||||
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
|
||||
const EVP_MD *md, ENGINE *impl);
|
||||
]]
|
||||
end
|
||||
|
||||
ffi.cdef [[
|
||||
int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
|
||||
size_t len);
|
||||
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
|
||||
unsigned int *len);
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
HMAC_CTX *HMAC_CTX_new(void);
|
||||
void HMAC_CTX_free(HMAC_CTX *ctx);
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
// # define HMAC_MAX_MD_CBLOCK 128/* largest known is SHA512 */
|
||||
struct hmac_ctx_st {
|
||||
const EVP_MD *md;
|
||||
EVP_MD_CTX md_ctx;
|
||||
EVP_MD_CTX i_ctx;
|
||||
EVP_MD_CTX o_ctx;
|
||||
unsigned int key_length;
|
||||
unsigned char key[128];
|
||||
};
|
||||
|
||||
void HMAC_CTX_init(HMAC_CTX *ctx);
|
||||
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
|
||||
]]
|
||||
end
|
|
@ -15,7 +15,7 @@ ffi.cdef [[
|
|||
OSSL_PARAM OSSL_PARAM_construct_uint(const char *key, unsigned int *buf);
|
||||
OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
|
||||
size_t bsize);
|
||||
OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
|
||||
// OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
|
||||
OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf,
|
||||
size_t bsize);
|
||||
OSSL_PARAM OSSL_PARAM_construct_octet_string(const char *key, void *buf,
|
||||
|
|
|
@ -2,14 +2,8 @@ local ffi = require "ffi"
|
|||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
if BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int RAND_bytes(uint8_t *buf, size_t num);
|
||||
int RAND_priv_bytes(uint8_t *buf, size_t num);
|
||||
]]
|
||||
elseif OPENSSL_3X then
|
||||
if OPENSSL_3X then
|
||||
ffi.cdef [[
|
||||
int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num,
|
||||
unsigned int strength);
|
||||
|
|
|
@ -1,16 +1,11 @@
|
|||
local ffi = require "ffi"
|
||||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
|
||||
ffi.cdef [[
|
||||
RSA *RSA_new(void);
|
||||
void RSA_free(RSA *r);
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
void RSA_get0_key(const RSA *r,
|
||||
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
|
||||
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
|
||||
|
@ -23,40 +18,6 @@ if OPENSSL_11_OR_LATER then
|
|||
int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
|
||||
struct rsa_st;
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
// crypto/rsa/rsa_locl.h
|
||||
// needed to extract parameters
|
||||
// Note: this struct is trimmed
|
||||
struct rsa_st {
|
||||
int pad;
|
||||
// the following has been changed in OpenSSL 1.1.x to int32_t
|
||||
long version;
|
||||
const RSA_METHOD *meth;
|
||||
ENGINE *engine;
|
||||
BIGNUM *n;
|
||||
BIGNUM *e;
|
||||
BIGNUM *d;
|
||||
BIGNUM *p;
|
||||
BIGNUM *q;
|
||||
BIGNUM *dmp1;
|
||||
BIGNUM *dmq1;
|
||||
BIGNUM *iqmp;
|
||||
// trimmed
|
||||
|
||||
// CRYPTO_EX_DATA ex_data;
|
||||
// int references;
|
||||
// int flags;
|
||||
// BN_MONT_CTX *_method_mod_n;
|
||||
// BN_MONT_CTX *_method_mod_p;
|
||||
// BN_MONT_CTX *_method_mod_q;
|
||||
|
||||
// char *bignum_data;
|
||||
// BN_BLINDING *blinding;
|
||||
// BN_BLINDING *mt_blinding;
|
||||
};
|
||||
]]
|
||||
end
|
||||
|
||||
return {
|
||||
paddings = {
|
||||
|
|
|
@ -4,12 +4,11 @@ local C = ffi.C
|
|||
require "resty.openssl.include.ossl_typ"
|
||||
require "resty.openssl.include.stack"
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
ffi.cdef [[
|
||||
// SSL_METHOD
|
||||
typedef struct ssl_method_st SSL_METHOD;
|
||||
const SSL_METHOD *TLS_method(void);
|
||||
// const SSL_METHOD *TLS_method(void);
|
||||
const SSL_METHOD *TLS_server_method(void);
|
||||
|
||||
// SSL_CIPHER
|
||||
|
@ -53,7 +52,7 @@ ffi.cdef [[
|
|||
long SSL_get_options(SSL *ssl);
|
||||
|
||||
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_get_ciphers(const SSL *ssl);
|
||||
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
|
||||
// /*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
|
||||
OPENSSL_STACK *SSL_get_peer_cert_chain(const SSL *ssl);
|
||||
|
||||
typedef int (*verify_callback)(int preverify_ok, X509_STORE_CTX *x509_ctx);
|
||||
|
@ -75,37 +74,16 @@ else
|
|||
]]
|
||||
end
|
||||
|
||||
if BORINGSSL then
|
||||
ffi.cdef [[
|
||||
int SSL_set_min_proto_version(SSL *ssl, int version);
|
||||
int SSL_set_max_proto_version(SSL *ssl, int version);
|
||||
]]
|
||||
end
|
||||
|
||||
local SSL_CTRL_SET_MIN_PROTO_VERSION = 123
|
||||
local SSL_CTRL_SET_MAX_PROTO_VERSION = 124
|
||||
|
||||
local SSL_set_min_proto_version
|
||||
if BORINGSSL then
|
||||
SSL_set_min_proto_version = function(ctx, version)
|
||||
return C.SSL_set_min_proto_version(ctx, version)
|
||||
end
|
||||
else
|
||||
SSL_set_min_proto_version = function(ctx, version)
|
||||
local SSL_set_min_proto_version = function(ctx, version)
|
||||
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil)
|
||||
end
|
||||
end
|
||||
|
||||
local SSL_set_max_proto_version
|
||||
if BORINGSSL then
|
||||
SSL_set_max_proto_version = function(ctx, version)
|
||||
return C.SSL_set_max_proto_version(ctx, version)
|
||||
end
|
||||
else
|
||||
SSL_set_max_proto_version = function(ctx, version)
|
||||
local SSL_set_max_proto_version = function(ctx, version)
|
||||
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil)
|
||||
end
|
||||
end
|
||||
|
||||
return {
|
||||
SSL_set_min_proto_version = SSL_set_min_proto_version,
|
||||
|
|
|
@ -6,21 +6,11 @@
|
|||
]]
|
||||
|
||||
local ffi = require "ffi"
|
||||
local C = ffi.C
|
||||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local _M = {}
|
||||
|
||||
ffi.cdef [[
|
||||
typedef char *OPENSSL_STRING;
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER and not BORINGSSL then
|
||||
ffi.cdef [[
|
||||
typedef struct stack_st OPENSSL_STACK;
|
||||
|
||||
OPENSSL_STACK *OPENSSL_sk_new_null(void);
|
||||
|
@ -30,7 +20,7 @@ if OPENSSL_11_OR_LATER and not BORINGSSL then
|
|||
void *OPENSSL_sk_value(const OPENSSL_STACK *, int);
|
||||
OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
|
||||
void OPENSSL_sk_free(OPENSSL_STACK *);
|
||||
void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
|
||||
// void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
|
||||
|
||||
typedef void (*OPENSSL_sk_freefunc)(void *);
|
||||
typedef void *(*OPENSSL_sk_copyfunc)(const void *);
|
||||
|
@ -38,58 +28,3 @@ if OPENSSL_11_OR_LATER and not BORINGSSL then
|
|||
OPENSSL_sk_copyfunc c,
|
||||
OPENSSL_sk_freefunc f);
|
||||
]]
|
||||
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
|
||||
|
||||
_M.OPENSSL_sk_new_null = C.OPENSSL_sk_new_null
|
||||
_M.OPENSSL_sk_push = C.OPENSSL_sk_push
|
||||
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
|
||||
_M.OPENSSL_sk_num = C.OPENSSL_sk_num
|
||||
_M.OPENSSL_sk_value = C.OPENSSL_sk_value
|
||||
_M.OPENSSL_sk_dup = C.OPENSSL_sk_dup
|
||||
_M.OPENSSL_sk_delete = C.OPENSSL_sk_delete
|
||||
_M.OPENSSL_sk_free = C.OPENSSL_sk_free
|
||||
_M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy
|
||||
elseif OPENSSL_10 or BORINGSSL then
|
||||
ffi.cdef [[
|
||||
typedef struct stack_st _STACK;
|
||||
// i made this up
|
||||
typedef struct stack_st OPENSSL_STACK;
|
||||
|
||||
_STACK *sk_new_null(void);
|
||||
void sk_pop_free(_STACK *st, void (*func) (void *));
|
||||
_STACK *sk_dup(_STACK *st);
|
||||
void sk_free(_STACK *st);
|
||||
|
||||
_STACK *sk_deep_copy(_STACK *, void *(*)(void *), void (*)(void *));
|
||||
]]
|
||||
|
||||
if BORINGSSL then -- indices are using size_t instead of int
|
||||
ffi.cdef [[
|
||||
size_t sk_push(_STACK *st, void *data);
|
||||
size_t sk_num(const _STACK *);
|
||||
void *sk_value(const _STACK *, size_t);
|
||||
void *sk_delete(_STACK *st, size_t loc);
|
||||
]]
|
||||
else -- normal OpenSSL 1.0
|
||||
ffi.cdef [[
|
||||
int sk_push(_STACK *st, void *data);
|
||||
int sk_num(const _STACK *);
|
||||
void *sk_value(const _STACK *, int);
|
||||
void *sk_delete(_STACK *st, int loc);
|
||||
]]
|
||||
end
|
||||
|
||||
_M.OPENSSL_sk_pop_free = C.sk_pop_free
|
||||
|
||||
_M.OPENSSL_sk_new_null = C.sk_new_null
|
||||
_M.OPENSSL_sk_push = function(...) return tonumber(C.sk_push(...)) end
|
||||
_M.OPENSSL_sk_pop_free = C.sk_pop_free
|
||||
_M.OPENSSL_sk_num = function(...) return tonumber(C.sk_num(...)) end
|
||||
_M.OPENSSL_sk_value = C.sk_value
|
||||
_M.OPENSSL_sk_delete = C.sk_delete
|
||||
_M.OPENSSL_sk_dup = C.sk_dup
|
||||
_M.OPENSSL_sk_free = C.sk_free
|
||||
_M.OPENSSL_sk_deep_copy = C.sk_deep_copy
|
||||
end
|
||||
|
||||
return _M
|
||||
|
|
|
@ -8,10 +8,6 @@ require "resty.openssl.include.stack"
|
|||
|
||||
local asn1_macro = require "resty.openssl.include.asn1"
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
|
||||
|
||||
asn1_macro.declare_asn1_functions("X509_CRL", asn1_macro.has_new_ex)
|
||||
|
||||
ffi.cdef [[
|
||||
|
@ -22,7 +18,7 @@ ffi.cdef [[
|
|||
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
|
||||
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
|
||||
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
|
||||
void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
|
||||
// void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
|
||||
|
||||
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
|
||||
|
@ -35,17 +31,14 @@ ffi.cdef [[
|
|||
|
||||
int X509_CRL_get0_by_serial(X509_CRL *crl,
|
||||
X509_REVOKED **ret, ASN1_INTEGER *serial);
|
||||
int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
|
||||
// int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
|
||||
|
||||
//STACK_OF(X509_REVOKED)
|
||||
OPENSSL_STACK *X509_CRL_get_REVOKED(X509_CRL *crl);
|
||||
|
||||
int X509_CRL_get0_by_serial(X509_CRL *crl,
|
||||
X509_REVOKED **ret, ASN1_INTEGER *serial);
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
|
||||
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
|
||||
/*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
|
||||
|
@ -56,31 +49,3 @@ if OPENSSL_11_OR_LATER then
|
|||
|
||||
int X509_CRL_get_signature_nid(const X509_CRL *crl);
|
||||
]]
|
||||
end
|
||||
if OPENSSL_10 or BORINGSSL_110 then
|
||||
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
|
||||
ffi.cdef [[
|
||||
typedef struct X509_crl_info_st {
|
||||
ASN1_INTEGER *version;
|
||||
X509_ALGOR *sig_alg;
|
||||
X509_NAME *issuer;
|
||||
ASN1_TIME *lastUpdate;
|
||||
ASN1_TIME *nextUpdate;
|
||||
// STACK_OF(X509_REVOKED)
|
||||
OPENSSL_STACK *revoked;
|
||||
// STACK_OF(X509_EXTENSION)
|
||||
OPENSSL_STACK /* [0] */ *extensions;
|
||||
ASN1_ENCODING enc;
|
||||
} X509_CRL_INFO;
|
||||
|
||||
// Note: this struct is trimmed
|
||||
struct X509_crl_st {
|
||||
/* actual signature */
|
||||
X509_CRL_INFO *crl;
|
||||
// trimmed
|
||||
} /* X509_CRL */ ;
|
||||
|
||||
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
|
||||
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
|
||||
]]
|
||||
end
|
||||
|
|
|
@ -8,10 +8,7 @@ require "resty.openssl.include.stack"
|
|||
|
||||
local asn1_macro = require "resty.openssl.include.asn1"
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
|
||||
|
||||
asn1_macro.declare_asn1_functions("X509_REQ", asn1_macro.has_new_ex)
|
||||
|
||||
|
@ -23,18 +20,17 @@ ffi.cdef [[
|
|||
|
||||
int X509_REQ_set_version(X509_REQ *x, long version);
|
||||
|
||||
int X509_REQ_get_attr_count(const X509_REQ *req);
|
||||
|
||||
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
|
||||
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
|
||||
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
|
||||
|
||||
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
|
||||
void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
|
||||
int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
|
||||
// int X509_REQ_get_attr_count(const X509_REQ *req);
|
||||
// int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
|
||||
X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
|
||||
|
||||
int *X509_REQ_get_extension_nids(void);
|
||||
// int *X509_REQ_get_extension_nids(void);
|
||||
|
||||
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
|
||||
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
|
||||
|
@ -48,41 +44,16 @@ ffi.cdef [[
|
|||
int X509_REQ_add_extensions(X509_REQ *req, OPENSSL_STACK *exts);
|
||||
|
||||
int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
|
||||
long X509_REQ_get_version(const X509_REQ *req);
|
||||
|
||||
int X509_REQ_get_signature_nid(const X509_REQ *crl);
|
||||
]]
|
||||
end
|
||||
if OPENSSL_10 or BORINGSSL_110 then
|
||||
ffi.cdef [[
|
||||
typedef struct X509_req_info_st {
|
||||
ASN1_ENCODING enc;
|
||||
ASN1_INTEGER *version;
|
||||
X509_NAME *subject;
|
||||
/*X509_PUBKEY*/ void *pubkey;
|
||||
/* d=2 hl=2 l= 0 cons: cont: 00 */
|
||||
/*STACK_OF(X509_ATTRIBUTE)*/ OPENSSL_STACK *attributes; /* [ 0 ] */
|
||||
} X509_REQ_INFO;
|
||||
|
||||
// Note: this struct is trimmed
|
||||
typedef struct X509_req_st {
|
||||
X509_REQ_INFO *req_info;
|
||||
X509_ALGOR *sig_alg;
|
||||
// trimmed
|
||||
//ASN1_BIT_STRING *signature;
|
||||
//int references;
|
||||
} X509_REQ;
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_3X then
|
||||
ffi.cdef [[
|
||||
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
|
||||
const char *propq);
|
||||
// int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
|
||||
// const char *propq);
|
||||
]]
|
||||
end
|
||||
|
|
|
@ -6,10 +6,6 @@ require "resty.openssl.include.pem"
|
|||
require "resty.openssl.include.stack"
|
||||
local asn1_macro = require "resty.openssl.include.asn1"
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
|
||||
|
||||
asn1_macro.declare_asn1_functions("X509", asn1_macro.has_new_ex)
|
||||
|
||||
ffi.cdef [[
|
||||
|
@ -65,12 +61,9 @@ ffi.cdef [[
|
|||
int X509_get_signature_nid(const X509 *x);
|
||||
|
||||
unsigned char *X509_alias_get0(X509 *x, int *len);
|
||||
unsigned char *X509_keyid_get0(X509 *x, int *len);
|
||||
// unsigned char *X509_keyid_get0(X509 *x, int *len);
|
||||
int X509_check_private_key(X509 *x, EVP_PKEY *k);
|
||||
]]
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
int X509_up_ref(X509 *a);
|
||||
|
||||
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
|
||||
|
@ -82,57 +75,3 @@ if OPENSSL_11_OR_LATER then
|
|||
|
||||
X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
|
||||
]]
|
||||
elseif OPENSSL_10 then
|
||||
ffi.cdef [[
|
||||
// STACK_OF(X509_EXTENSION)
|
||||
X509_EXTENSION *X509v3_delete_ext(OPENSSL_STACK *x, int loc);
|
||||
]]
|
||||
end
|
||||
|
||||
if OPENSSL_10 or BORINGSSL_110 then
|
||||
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
|
||||
ffi.cdef [[
|
||||
// crypto/x509/x509.h
|
||||
typedef struct X509_val_st {
|
||||
ASN1_TIME *notBefore;
|
||||
ASN1_TIME *notAfter;
|
||||
} X509_VAL;
|
||||
|
||||
typedef struct X509_algor_st {
|
||||
ASN1_OBJECT *algorithm;
|
||||
ASN1_TYPE *parameter;
|
||||
} X509_ALGOR;
|
||||
|
||||
// Note: this struct is trimmed
|
||||
typedef struct x509_cinf_st {
|
||||
/*ASN1_INTEGER*/ void *version;
|
||||
/*ASN1_INTEGER*/ void *serialNumber;
|
||||
X509_ALGOR *signature;
|
||||
X509_NAME *issuer;
|
||||
X509_VAL *validity;
|
||||
X509_NAME *subject;
|
||||
/*X509_PUBKEY*/ void *key;
|
||||
/*ASN1_BIT_STRING*/ void *issuerUID; /* [ 1 ] optional in v2 */
|
||||
/*ASN1_BIT_STRING*/ void *subjectUID; /* [ 2 ] optional in v2 */
|
||||
/*STACK_OF(X509_EXTENSION)*/ OPENSSL_STACK *extensions; /* [ 3 ] optional in v3 */
|
||||
// trimmed
|
||||
// ASN1_ENCODING enc;
|
||||
} X509_CINF;
|
||||
// Note: this struct is trimmed
|
||||
struct x509_st {
|
||||
X509_CINF *cert_info;
|
||||
// trimmed
|
||||
} X509;
|
||||
|
||||
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
|
||||
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
|
||||
ASN1_INTEGER *X509_get_serialNumber(X509 *x);
|
||||
]]
|
||||
end
|
||||
|
||||
if BORINGSSL_110 then
|
||||
ffi.cdef [[
|
||||
ASN1_TIME *X509_get_notBefore(const X509 *x);
|
||||
ASN1_TIME *X509_get_notAfter(const X509 *x);
|
||||
]]
|
||||
end
|
||||
|
|
|
@ -3,20 +3,16 @@ local C = ffi.C
|
|||
|
||||
require "resty.openssl.include.ossl_typ"
|
||||
require "resty.openssl.include.stack"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
|
||||
|
||||
ffi.cdef [[
|
||||
X509_STORE *X509_STORE_new(void);
|
||||
void X509_STORE_free(X509_STORE *v);
|
||||
/* int X509_STORE_lock(X509_STORE *ctx);
|
||||
int X509_STORE_unlock(X509_STORE *ctx);
|
||||
int X509_STORE_up_ref(X509_STORE *v);
|
||||
// int X509_STORE_lock(X509_STORE *ctx);
|
||||
// int X509_STORE_unlock(X509_STORE *ctx);
|
||||
// int X509_STORE_up_ref(X509_STORE *v);
|
||||
// STACK_OF(X509_OBJECT)
|
||||
OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);*/
|
||||
// OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);
|
||||
|
||||
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
|
||||
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
|
||||
|
@ -39,14 +35,25 @@ ffi.cdef [[
|
|||
|
||||
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
|
||||
|
||||
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
|
||||
// int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
|
||||
|
||||
// STACK_OF(X509_CRL)
|
||||
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
|
||||
// void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
|
||||
|
||||
int X509_PURPOSE_get_by_sname(char *sname);
|
||||
X509_PURPOSE *X509_PURPOSE_get0(int idx);
|
||||
int X509_PURPOSE_get_id(const X509_PURPOSE *xp);
|
||||
|
||||
// STACK_OF(X509)
|
||||
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
|
||||
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
|
||||
// STACK_OF(X509)
|
||||
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
|
||||
|
||||
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
|
||||
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
|
||||
// STACK_OF(X509)
|
||||
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
|
||||
]]
|
||||
|
||||
local _M = {
|
||||
|
@ -76,45 +83,16 @@ local _M = {
|
|||
},
|
||||
}
|
||||
|
||||
if OPENSSL_10 or BORINGSSL_110 then
|
||||
ffi.cdef [[
|
||||
// STACK_OF(X509)
|
||||
OPENSSL_STACK *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
|
||||
]];
|
||||
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get_chain
|
||||
elseif OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
// STACK_OF(X509)
|
||||
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
|
||||
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
|
||||
// STACK_OF(X509)
|
||||
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
|
||||
]];
|
||||
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get0_chain
|
||||
end
|
||||
|
||||
-- these two apis are supported from 1.1.0 but not supported by boringssl
|
||||
if not BORINGSSL then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ffi.cdef [[
|
||||
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
|
||||
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
|
||||
// STACK_OF(X509)
|
||||
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
|
||||
]];
|
||||
end
|
||||
end
|
||||
|
||||
if OPENSSL_3X then
|
||||
ffi.cdef [[
|
||||
X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
|
||||
|
||||
int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
|
||||
const char *propq);
|
||||
/* int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
|
||||
OSSL_LIB_CTX *libctx, const char *propq); */
|
||||
// int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
|
||||
// OSSL_LIB_CTX *libctx, const char *propq);
|
||||
// int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
|
||||
// OSSL_LIB_CTX *libctx, const char *propq);
|
||||
int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
|
||||
const char *dir, OSSL_LIB_CTX *libctx,
|
||||
const char *propq);
|
||||
|
|
|
@ -61,8 +61,8 @@ ffi.cdef [[
|
|||
|
||||
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
|
||||
const char *value);
|
||||
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
|
||||
const char *value);
|
||||
// X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
|
||||
// const char *value);
|
||||
int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
|
||||
int indent);
|
||||
|
||||
|
|
|
@ -10,9 +10,7 @@ require("resty.openssl.include.evp.pkey")
|
|||
local kdf_macro = require "resty.openssl.include.evp.kdf"
|
||||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local version_num = require("resty.openssl.version").version_num
|
||||
local version_text = require("resty.openssl.version").version_text
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local ctypes = require "resty.openssl.auxiliary.ctypes"
|
||||
|
||||
|
@ -26,23 +24,17 @@ OpenSSL 3.0 additionally provides Single Step KDF, SSH KDF, PBKDF2, Scrypt, HKDF
|
|||
From OpenSSL 3.0 the recommended way of performing key derivation is to use the EVP_KDF functions. If compatibility with OpenSSL 1.1.1 is required then a limited set of KDFs can be used via EVP_PKEY_derive.
|
||||
]]
|
||||
|
||||
local NID_id_pbkdf2 = -1
|
||||
local NID_id_scrypt = -2
|
||||
local NID_tls1_prf = -3
|
||||
local NID_hkdf = -4
|
||||
if version_num >= 0x10002000 then
|
||||
NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
|
||||
local NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
|
||||
assert(NID_id_pbkdf2 > 0)
|
||||
end
|
||||
if version_num >= 0x10100000 and not BORINGSSL then
|
||||
NID_hkdf = C.OBJ_txt2nid("HKDF")
|
||||
|
||||
local NID_hkdf = C.OBJ_txt2nid("HKDF")
|
||||
assert(NID_hkdf > 0)
|
||||
NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
|
||||
|
||||
local NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
|
||||
assert(NID_tls1_prf > 0)
|
||||
-- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0
|
||||
NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
|
||||
local NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
|
||||
assert(NID_id_scrypt > 0)
|
||||
end
|
||||
|
||||
local _M = {
|
||||
HKDEF_MODE_EXTRACT_AND_EXPAND = kdf_macro.EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND,
|
||||
|
@ -93,7 +85,7 @@ end
|
|||
|
||||
local function check_hkdf_options(opt)
|
||||
local mode = opt.hkdf_mode
|
||||
if not mode or version_num < 0x10101000 then
|
||||
if not mode then
|
||||
mode = _M.HKDEF_MODE_EXTRACT_AND_EXPAND
|
||||
end
|
||||
|
||||
|
@ -184,11 +176,6 @@ function _M.derive(options)
|
|||
-- begin legacay low level routines
|
||||
local code
|
||||
if typ == NID_id_pbkdf2 then
|
||||
-- make openssl 1.0.2 happy
|
||||
if version_num < 0x10100000 and not options.pass then
|
||||
options.pass = ""
|
||||
pass_len = 0
|
||||
end
|
||||
-- https://www.openssl.org/docs/man1.1.0/man3/PKCS5_PBKDF2_HMAC.html
|
||||
local iter = options.pbkdf2_iter
|
||||
if iter < 1 then
|
||||
|
@ -257,7 +244,6 @@ function _M.derive(options)
|
|||
return nil, format_error("kdf.derive: EVP_PKEY_CTX_add1_hkdf_info")
|
||||
end
|
||||
if options.hkdf_mode then
|
||||
if version_num >= 0x10101000 then
|
||||
if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then
|
||||
return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode")
|
||||
end
|
||||
|
@ -271,9 +257,6 @@ function _M.derive(options)
|
|||
outlen[0] = md_size
|
||||
buf = ctypes.uchar_array(md_size)
|
||||
end
|
||||
else
|
||||
ngx.log(ngx.WARN, "hkdf_mode is not effective in ", version_text)
|
||||
end
|
||||
end
|
||||
else
|
||||
return nil, string.format("kdf.derive: unknown type %d", typ)
|
||||
|
@ -307,6 +290,7 @@ function _M.new(typ, properties)
|
|||
if algo == nil then
|
||||
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
|
||||
end
|
||||
ffi_gc(algo, C.EVP_KDF_free)
|
||||
|
||||
local ctx = C.EVP_KDF_CTX_new(algo)
|
||||
if ctx == nil then
|
||||
|
|
|
@ -29,6 +29,7 @@ function _M.new(key, typ, cipher, digest, properties)
|
|||
if algo == nil then
|
||||
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
|
||||
end
|
||||
ffi_gc(algo, C.EVP_MAC_free)
|
||||
|
||||
local ctx = C.EVP_MAC_CTX_new(algo)
|
||||
if ctx == nil then
|
||||
|
|
|
@ -5,15 +5,14 @@ local ffi_str = ffi.string
|
|||
|
||||
require "resty.openssl.include.pkcs12"
|
||||
require "resty.openssl.include.bio"
|
||||
require "resty.openssl.include.stack"
|
||||
local bio_util = require "resty.openssl.auxiliary.bio"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local pkey_lib = require "resty.openssl.pkey"
|
||||
local x509_lib = require "resty.openssl.x509"
|
||||
local stack_macro = require "resty.openssl.include.stack"
|
||||
local stack_lib = require "resty.openssl.stack"
|
||||
local objects_lib = require "resty.openssl.objects"
|
||||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
|
||||
local stack_of_x509_new = stack_lib.new_of("X509")
|
||||
|
@ -54,7 +53,7 @@ local function decode(p12, passphrase)
|
|||
end
|
||||
|
||||
local cacerts
|
||||
local n = stack_macro.OPENSSL_sk_num(stack)
|
||||
local n = C.OPENSSL_sk_num(stack)
|
||||
if n > 0 then
|
||||
cacerts = {}
|
||||
local iter = stack_of_x509_iter({ ctx = stack })
|
||||
|
@ -123,23 +122,14 @@ local function encode(opts, passphrase, properties)
|
|||
-- stack lib handles gc
|
||||
x509stack = stack_of_x509_new()
|
||||
for _, c in ipairs(cacerts) do
|
||||
if not OPENSSL_10 then
|
||||
if C.X509_up_ref(c.ctx) ~= 1 then
|
||||
return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed"
|
||||
end
|
||||
end
|
||||
local ok, err = stack_of_x509_add(x509stack, c.ctx)
|
||||
if not ok then
|
||||
return nil, "pkcs12.encode: failed to add cacerts: " .. err
|
||||
end
|
||||
end
|
||||
if OPENSSL_10 then
|
||||
-- OpenSSL 1.0.2 doesn't have X509_up_ref
|
||||
-- shallow copy the stack, up_ref for each element
|
||||
x509stack = C.X509_chain_up_ref(x509stack)
|
||||
-- use the shallow gc
|
||||
ffi_gc(x509stack, stack_macro.OPENSSL_sk_free)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -27,10 +27,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
|
|||
local ecdsa_util = require "resty.openssl.auxiliary.ecdsa"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_111_OR_LATER = require("resty.openssl.version").OPENSSL_111_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local ptr_of_uint = ctypes.ptr_of_uint
|
||||
local ptr_of_size_t = ctypes.ptr_of_size_t
|
||||
|
@ -40,20 +37,11 @@ local null = ctypes.null
|
|||
local load_pem_args = { null, null, null }
|
||||
local load_der_args = { null }
|
||||
|
||||
local get_pkey_key
|
||||
if OPENSSL_11_OR_LATER then
|
||||
get_pkey_key = {
|
||||
local get_pkey_key = {
|
||||
[evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end,
|
||||
[evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end,
|
||||
[evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end
|
||||
}
|
||||
else
|
||||
get_pkey_key = {
|
||||
[evp_macro.EVP_PKEY_RSA] = function(ctx) return ctx.pkey and ctx.pkey.rsa end,
|
||||
[evp_macro.EVP_PKEY_EC] = function(ctx) return ctx.pkey and ctx.pkey.ec end,
|
||||
[evp_macro.EVP_PKEY_DH] = function(ctx) return ctx.pkey and ctx.pkey.dh end,
|
||||
}
|
||||
end
|
||||
|
||||
local load_rsa_key_funcs
|
||||
|
||||
|
@ -212,17 +200,18 @@ local function generate_param(key_type, config)
|
|||
if nid == 0 then
|
||||
return nil, "unknown curve " .. curve
|
||||
end
|
||||
|
||||
if pkey_macro.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 then
|
||||
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: curve_nid")
|
||||
end
|
||||
if not BORINGSSL then
|
||||
|
||||
-- use the named-curve encoding for best backward-compatibilty
|
||||
-- and for playing well with go:crypto/x509
|
||||
-- # define OPENSSL_EC_NAMED_CURVE 0x001
|
||||
if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then
|
||||
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
|
||||
end
|
||||
end
|
||||
|
||||
elseif key_type == evp_macro.EVP_PKEY_DH then
|
||||
local bits = config.bits
|
||||
if not config.param and not bits then
|
||||
|
@ -530,10 +519,6 @@ function _M:get_key_type()
|
|||
end
|
||||
|
||||
function _M:get_default_digest_type()
|
||||
if BORINGSSL then
|
||||
return nil, "BoringSSL doesn't have default digest for pkey"
|
||||
end
|
||||
|
||||
local nid = ptr_of_int()
|
||||
local code = C.EVP_PKEY_get_default_digest_nid(self.ctx, nid)
|
||||
if code == -2 then
|
||||
|
@ -788,14 +773,6 @@ function _M:sign(digest, md_alg, padding, opts)
|
|||
end
|
||||
ret = ffi_str(self.buf, length[0])
|
||||
elseif type(digest) == "string" then
|
||||
if not OPENSSL_111_OR_LATER and not BORINGSSL then
|
||||
-- we can still support earilier version with *Update and *Final
|
||||
-- but we choose to not relying on the legacy interface for simplicity
|
||||
return nil, "pkey:sign: new-style sign only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
|
||||
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
|
||||
return nil, "pkey:sign: BoringSSL doesn't provide default digest, md_alg must be specified"
|
||||
end
|
||||
|
||||
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestSignInit, md_alg, padding, opts)
|
||||
if err then
|
||||
return nil, err
|
||||
|
@ -811,10 +788,6 @@ function _M:sign(digest, md_alg, padding, opts)
|
|||
end
|
||||
|
||||
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
|
||||
if not OPENSSL_11_OR_LATER then
|
||||
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
|
||||
end
|
||||
|
||||
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
|
||||
|
||||
ret, err = ecdsa_util.sig_der2raw(ret, ec_key)
|
||||
|
@ -833,10 +806,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
|
|||
local err
|
||||
|
||||
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
|
||||
if not OPENSSL_11_OR_LATER then
|
||||
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
|
||||
end
|
||||
|
||||
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
|
||||
|
||||
signature, err = ecdsa_util.sig_raw2der(signature, ec_key)
|
||||
|
@ -849,14 +818,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
|
|||
if digest_lib.istype(digest) then
|
||||
code = C.EVP_VerifyFinal(digest.ctx, signature, #signature, self.ctx)
|
||||
elseif type(digest) == "string" then
|
||||
if not OPENSSL_111_OR_LATER and not BORINGSSL then
|
||||
-- we can still support earilier version with *Update and *Final
|
||||
-- but we choose to not relying on the legacy interface for simplicity
|
||||
return nil, "pkey:verify: new-style verify only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
|
||||
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
|
||||
return nil, "pkey:verify: BoringSSL doesn't provide default digest, md_alg must be specified"
|
||||
end
|
||||
|
||||
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestVerifyInit, md_alg, padding, opts)
|
||||
if err then
|
||||
return nil, err
|
||||
|
@ -868,7 +829,7 @@ function _M:verify(signature, digest, md_alg, padding, opts)
|
|||
end
|
||||
|
||||
if code == 0 then
|
||||
return false, nil
|
||||
return false, format_error("pkey:verify")
|
||||
elseif code == 1 then
|
||||
return true, nil
|
||||
end
|
||||
|
|
|
@ -2,9 +2,6 @@ local ffi = require "ffi"
|
|||
local C = ffi.C
|
||||
|
||||
local bn_lib = require "resty.openssl.bn"
|
||||
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local _M = {}
|
||||
|
@ -18,51 +15,29 @@ function _M.get_parameters(rsa_st)
|
|||
return setmetatable(empty_table, {
|
||||
__index = function(_, k)
|
||||
local ptr, ret
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ptr = bn_ptrptr_ct()
|
||||
end
|
||||
|
||||
if k == 'n' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_key(rsa_st, ptr, nil, nil)
|
||||
end
|
||||
elseif k == 'e' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_key(rsa_st, nil, ptr, nil)
|
||||
end
|
||||
elseif k == 'd' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_key(rsa_st, nil, nil, ptr)
|
||||
end
|
||||
elseif k == 'p' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_factors(rsa_st, ptr, nil)
|
||||
end
|
||||
elseif k == 'q' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_factors(rsa_st, nil, ptr)
|
||||
end
|
||||
elseif k == 'dmp1' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_crt_params(rsa_st, ptr, nil, nil)
|
||||
end
|
||||
elseif k == 'dmq1' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_crt_params(rsa_st, nil, ptr, nil)
|
||||
end
|
||||
elseif k == 'iqmp' then
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.RSA_get0_crt_params(rsa_st, nil, nil, ptr)
|
||||
end
|
||||
else
|
||||
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ret = ptr[0]
|
||||
elseif OPENSSL_10 then
|
||||
ret = rsa_st[k]
|
||||
end
|
||||
|
||||
if ret == nil then
|
||||
return nil
|
||||
|
@ -91,11 +66,14 @@ function _M.set_parameters(rsa_st, opts)
|
|||
local cleanup_from_idx = 1
|
||||
-- dup input
|
||||
local do_set_key, do_set_factors, do_set_crt_params
|
||||
|
||||
while true do -- luacheck: ignore
|
||||
for k, v in pairs(opts) do
|
||||
opts_bn[k], err = dup_bn_value(v)
|
||||
if err then
|
||||
-- luacheck: ignore
|
||||
err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
if k == "n" or k == "e" or k == "d" then
|
||||
do_set_key = true
|
||||
|
@ -105,7 +83,7 @@ function _M.set_parameters(rsa_st, opts)
|
|||
do_set_crt_params = true
|
||||
end
|
||||
end
|
||||
if OPENSSL_11_OR_LATER then
|
||||
|
||||
-- "The values n and e must be non-NULL the first time this function is called on a given RSA object."
|
||||
-- thus we force to set them together
|
||||
local code
|
||||
|
@ -113,37 +91,31 @@ function _M.set_parameters(rsa_st, opts)
|
|||
code = C.RSA_set0_key(rsa_st, opts_bn["n"], opts_bn["e"], opts_bn["d"])
|
||||
if code == 0 then
|
||||
err = format_error("rsa.set_parameters: RSA_set0_key")
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
cleanup_from_idx = cleanup_from_idx + 3
|
||||
if do_set_factors then
|
||||
code = C.RSA_set0_factors(rsa_st, opts_bn["p"], opts_bn["q"])
|
||||
if code == 0 then
|
||||
err = format_error("rsa.set_parameters: RSA_set0_factors")
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
cleanup_from_idx = cleanup_from_idx + 2
|
||||
if do_set_crt_params then
|
||||
code = C.RSA_set0_crt_params(rsa_st, opts_bn["dmp1"], opts_bn["dmq1"], opts_bn["iqmp"])
|
||||
if code == 0 then
|
||||
err = format_error("rsa.set_parameters: RSA_set0_crt_params")
|
||||
goto cleanup_with_error
|
||||
break
|
||||
end
|
||||
end
|
||||
return true
|
||||
elseif OPENSSL_10 then
|
||||
for k, v in pairs(opts_bn) do
|
||||
if rsa_st[k] ~= nil then
|
||||
C.BN_free(rsa_st[k])
|
||||
end
|
||||
rsa_st[k]= v
|
||||
end
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
::cleanup_with_error::
|
||||
for i, k in pairs(_M.params) do
|
||||
if i >= cleanup_from_idx then
|
||||
C.BN_free(opts_bn[k])
|
||||
|
|
|
@ -10,7 +10,6 @@ local x509_lib = require("resty.openssl.x509")
|
|||
local chain_lib = require("resty.openssl.x509.chain")
|
||||
local stack_lib = require("resty.openssl.stack")
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local _M = {
|
||||
|
@ -265,22 +264,13 @@ function _M:set_options(...)
|
|||
bitmask = bit.bor(bitmask, opt)
|
||||
end
|
||||
|
||||
if OPENSSL_10 then
|
||||
bitmask = C.SSL_ctrl(self.ctx, 32, bitmask, nil) -- SSL_CTRL_OPTIONS
|
||||
else
|
||||
bitmask = C.SSL_set_options(self.ctx, bitmask)
|
||||
end
|
||||
|
||||
return tonumber(bitmask)
|
||||
end
|
||||
|
||||
function _M:get_options(readable)
|
||||
local bitmask
|
||||
if OPENSSL_10 then
|
||||
bitmask = C.SSL_ctrl(self.ctx, 32, 0, nil) -- SSL_CTRL_OPTIONS
|
||||
else
|
||||
bitmask = C.SSL_get_options(self.ctx)
|
||||
end
|
||||
local bitmask = C.SSL_get_options(self.ctx)
|
||||
|
||||
if not readable then
|
||||
return tonumber(bitmask)
|
||||
|
@ -303,11 +293,7 @@ function _M:clear_options(...)
|
|||
bitmask = bit.bor(bitmask, opt)
|
||||
end
|
||||
|
||||
if OPENSSL_10 then
|
||||
bitmask = C.SSL_ctrl(self.ctx, 77, bitmask, nil) -- SSL_CTRL_CLEAR_OPTIONS
|
||||
else
|
||||
bitmask = C.SSL_clear_options(self.ctx, bitmask)
|
||||
end
|
||||
|
||||
return tonumber(bitmask)
|
||||
end
|
||||
|
@ -336,18 +322,10 @@ function _M:set_protocols(...)
|
|||
end
|
||||
|
||||
-- first disable all protocols
|
||||
if OPENSSL_10 then
|
||||
C.SSL_ctrl(self.ctx, 32, ops.SSL_OP_NO_SSL_MASK, nil) -- SSL_CTRL_OPTIONS
|
||||
else
|
||||
C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK)
|
||||
end
|
||||
|
||||
-- then enable selected protocols
|
||||
if OPENSSL_10 then
|
||||
return tonumber(C.SSL_clear_options(self.ctx, bitmask))
|
||||
else
|
||||
return tonumber(C.SSL_ctrl(self.ctx, 77, bitmask, nil)) -- SSL_CTRL_CLEAR_OPTIONS)
|
||||
end
|
||||
end
|
||||
|
||||
return _M
|
|
@ -10,7 +10,7 @@ local C = ffi.C
|
|||
local ffi_cast = ffi.cast
|
||||
local ffi_gc = ffi.gc
|
||||
|
||||
local stack_macro = require "resty.openssl.include.stack"
|
||||
require "resty.openssl.include.stack"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
|
||||
local _M = {}
|
||||
|
@ -18,7 +18,7 @@ local _M = {}
|
|||
local function gc_of(typ)
|
||||
local f = C[typ .. "_free"]
|
||||
return function (st)
|
||||
stack_macro.OPENSSL_sk_pop_free(st, f)
|
||||
C.OPENSSL_sk_pop_free(st, f)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -35,7 +35,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
|
|||
|
||||
-- starts from 0
|
||||
local function value_at(ctx, i)
|
||||
local elem = stack_macro.OPENSSL_sk_value(ctx, i)
|
||||
local elem = C.OPENSSL_sk_value(ctx, i)
|
||||
if elem == nil then
|
||||
error(format_error("OPENSSL_sk_value"))
|
||||
end
|
||||
|
@ -49,7 +49,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
|
|||
local function iter(tbl)
|
||||
if not tbl then error("instance is nil") end
|
||||
local i = 0
|
||||
local n = tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
|
||||
local n = tonumber(C.OPENSSL_sk_num(tbl.ctx))
|
||||
return function()
|
||||
i = i + 1
|
||||
if i <= n then
|
||||
|
@ -63,7 +63,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
|
|||
__ipairs = iter,
|
||||
__len = function(tbl)
|
||||
if not tbl then error("instance is nil") end
|
||||
return tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
|
||||
return tonumber(C.OPENSSL_sk_num(tbl.ctx))
|
||||
end,
|
||||
__index = function(tbl, k)
|
||||
if not tbl then error("instance is nil") end
|
||||
|
@ -71,7 +71,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
|
|||
if not i then
|
||||
return index_tbl[k]
|
||||
end
|
||||
local n = stack_macro.OPENSSL_sk_num(tbl.ctx)
|
||||
local n = C.OPENSSL_sk_num(tbl.ctx)
|
||||
if i <= 0 or i > n then
|
||||
return nil
|
||||
end
|
||||
|
@ -88,7 +88,7 @@ end
|
|||
_M.new_of = function(typ)
|
||||
local gc = gc_of(typ)
|
||||
return function()
|
||||
local raw = stack_macro.OPENSSL_sk_new_null()
|
||||
local raw = C.OPENSSL_sk_new_null()
|
||||
if raw == nil then
|
||||
return nil, "stack.new_of: OPENSSL_sk_new_null() failed"
|
||||
end
|
||||
|
@ -104,7 +104,7 @@ _M.add_of = function(typ)
|
|||
if ctx == nil or not ffi.istype(ptr, ctx) then
|
||||
return false, "stack.add_of: expect a " .. typ .. "* at #1"
|
||||
end
|
||||
local code = stack_macro.OPENSSL_sk_push(stack, ctx)
|
||||
local code = C.OPENSSL_sk_push(stack, ctx)
|
||||
if code == 0 then
|
||||
return false, "stack.add_of: OPENSSL_sk_push() failed"
|
||||
end
|
||||
|
@ -118,13 +118,13 @@ _M.dup_of = function(_)
|
|||
if ctx == nil or not ffi.istype(stack_ptr_ct, ctx) then
|
||||
return nil, "stack.dup_of: expect a stack ctx at #1"
|
||||
end
|
||||
local ctx = stack_macro.OPENSSL_sk_dup(ctx)
|
||||
local ctx = C.OPENSSL_sk_dup(ctx)
|
||||
if ctx == nil then
|
||||
return nil, "stack.dup_of: OPENSSL_sk_dup() failed"
|
||||
end
|
||||
-- if the stack is duplicated: since we don't copy the elements
|
||||
-- then we only control gc of the stack itself here
|
||||
ffi_gc(ctx, stack_macro.OPENSSL_sk_free)
|
||||
ffi_gc(ctx, C.OPENSSL_sk_free)
|
||||
return ctx
|
||||
end
|
||||
end
|
||||
|
@ -152,7 +152,7 @@ _M.deep_copy_of = function(typ)
|
|||
local free = C[typ .. "_free"]
|
||||
|
||||
return function(ctx)
|
||||
return stack_macro.OPENSSL_sk_deep_copy(ctx, dup, free)
|
||||
return C.OPENSSL_sk_deep_copy(ctx, dup, free)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -12,8 +12,6 @@ ffi.cdef[[
|
|||
const char *OpenSSL_version(int t);
|
||||
// >= 3.0
|
||||
const char *OPENSSL_info(int t);
|
||||
// BoringSSL
|
||||
int BORINGSSL_self_test(void);
|
||||
]]
|
||||
|
||||
local version_func, info_func
|
||||
|
@ -88,12 +86,6 @@ else
|
|||
end
|
||||
end
|
||||
|
||||
local BORINGSSL = false
|
||||
pcall(function()
|
||||
local _ = C.BORINGSSL_self_test
|
||||
BORINGSSL = true
|
||||
end)
|
||||
|
||||
return setmetatable({
|
||||
version_num = tonumber(version_num),
|
||||
version_text = ffi_str(version_func(0)),
|
||||
|
@ -103,15 +95,9 @@ return setmetatable({
|
|||
info = function(t)
|
||||
return ffi_str(info_func(t))
|
||||
end,
|
||||
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x30200000,
|
||||
OPENSSL_30 = version_num >= 0x30000000 and version_num < 0x30100000, -- for backward compat, deprecated
|
||||
OPENSSL_11 = version_num >= 0x10100000 and version_num < 0x10200000,
|
||||
-- the following has implict upper bound of 4.x
|
||||
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x40000000,
|
||||
OPENSSL_111 = version_num >= 0x10101000 and version_num < 0x10200000,
|
||||
OPENSSL_11_OR_LATER = version_num >= 0x10100000 and version_num < 0x30200000,
|
||||
OPENSSL_111_OR_LATER = version_num >= 0x10101000 and version_num < 0x30200000,
|
||||
OPENSSL_10 = version_num < 0x10100000 and version_num > 0x10000000,
|
||||
BORINGSSL = BORINGSSL,
|
||||
BORINGSSL_110 = BORINGSSL and version_num >= 0x10100000 and version_num < 0x10101000
|
||||
}, {
|
||||
__index = types_table,
|
||||
})
|
|
@ -18,19 +18,13 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
|
|||
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local version = require("resty.openssl.version")
|
||||
local OPENSSL_10 = version.OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = version.OPENSSL_3X
|
||||
local BORINGSSL = version.BORINGSSL
|
||||
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
|
||||
|
||||
local accessors = {}
|
||||
|
||||
accessors.set_issuer_name = C.X509_CRL_set_issuer_name
|
||||
accessors.set_version = C.X509_CRL_set_version
|
||||
|
||||
|
||||
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
|
||||
accessors.get_last_update = C.X509_CRL_get0_lastUpdate
|
||||
accessors.set_last_update = C.X509_CRL_set1_lastUpdate
|
||||
accessors.get_next_update = C.X509_CRL_get0_nextUpdate
|
||||
|
@ -38,45 +32,7 @@ if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
|
|||
accessors.get_version = C.X509_CRL_get_version
|
||||
accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
|
||||
accessors.get_signature_nid = C.X509_CRL_get_signature_nid
|
||||
-- BORINGSSL_110 exports X509_CRL_get_signature_nid, but just ignored for simplicity
|
||||
accessors.get_revoked = C.X509_CRL_get_REVOKED
|
||||
elseif OPENSSL_10 or BORINGSSL_110 then
|
||||
accessors.get_last_update = function(crl)
|
||||
if crl == nil or crl.crl == nil then
|
||||
return nil
|
||||
end
|
||||
return crl.crl.lastUpdate
|
||||
end
|
||||
accessors.set_last_update = C.X509_CRL_set_lastUpdate
|
||||
accessors.get_next_update = function(crl)
|
||||
if crl == nil or crl.crl == nil then
|
||||
return nil
|
||||
end
|
||||
return crl.crl.nextUpdate
|
||||
end
|
||||
accessors.set_next_update = C.X509_CRL_set_nextUpdate
|
||||
accessors.get_version = function(crl)
|
||||
if crl == nil or crl.crl == nil then
|
||||
return nil
|
||||
end
|
||||
return C.ASN1_INTEGER_get(crl.crl.version)
|
||||
end
|
||||
accessors.get_issuer_name = function(crl)
|
||||
if crl == nil or crl.crl == nil then
|
||||
return nil
|
||||
end
|
||||
return crl.crl.issuer
|
||||
end
|
||||
accessors.get_signature_nid = function(crl)
|
||||
if crl == nil or crl.crl == nil or crl.crl.sig_alg == nil then
|
||||
return nil
|
||||
end
|
||||
return C.OBJ_obj2nid(crl.crl.sig_alg.algorithm)
|
||||
end
|
||||
accessors.get_revoked = function(crl)
|
||||
return crl.crl.revoked
|
||||
end
|
||||
end
|
||||
|
||||
local function __tostring(self, fmt)
|
||||
if not fmt or fmt == 'PEM' then
|
||||
|
@ -183,10 +139,6 @@ function _M:text()
|
|||
end
|
||||
|
||||
local function revoked_decode(ctx)
|
||||
if OPENSSL_10 then
|
||||
error("x509.crl:revoked_decode: not supported on OpenSSL 1.0")
|
||||
end
|
||||
|
||||
local ret = {}
|
||||
local serial = C.X509_REVOKED_get0_serialNumber(ctx)
|
||||
if serial ~= nil then
|
||||
|
@ -330,8 +282,6 @@ function _M:sign(pkey, digest)
|
|||
return false, "x509.crl:sign: expect a digest instance to have algo member"
|
||||
end
|
||||
digest_algo = digest.algo
|
||||
elseif BORINGSSL then
|
||||
digest_algo = C.EVP_get_digestbyname('sha256')
|
||||
end
|
||||
|
||||
-- returns size of signature if success
|
||||
|
@ -404,19 +354,6 @@ function _M:get_extension(nid_txt, last_pos)
|
|||
return ext, pos+1
|
||||
end
|
||||
|
||||
local X509_CRL_delete_ext
|
||||
if OPENSSL_11_OR_LATER then
|
||||
X509_CRL_delete_ext = C.X509_CRL_delete_ext
|
||||
elseif OPENSSL_10 then
|
||||
X509_CRL_delete_ext = function(ctx, pos)
|
||||
return C.X509v3_delete_ext(ctx.crl.extensions, pos)
|
||||
end
|
||||
else
|
||||
X509_CRL_delete_ext = function(...)
|
||||
error("X509_CRL_delete_ext undefined")
|
||||
end
|
||||
end
|
||||
|
||||
-- AUTO GENERATED
|
||||
function _M:set_extension(extension, last_pos)
|
||||
if not extension_lib.istype(extension) then
|
||||
|
@ -429,7 +366,7 @@ function _M:set_extension(extension, last_pos)
|
|||
local pos = C.X509_CRL_get_ext_by_NID(self.ctx, nid, last_pos)
|
||||
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
|
||||
|
||||
local removed = X509_CRL_delete_ext(self.ctx, pos)
|
||||
local removed = C.X509_CRL_delete_ext(self.ctx, pos)
|
||||
C.X509_EXTENSION_free(removed)
|
||||
|
||||
if C.X509_CRL_add_ext(self.ctx, extension.ctx, pos) == nil then
|
||||
|
|
|
@ -7,7 +7,7 @@ require "resty.openssl.include.pem"
|
|||
require "resty.openssl.include.x509v3"
|
||||
require "resty.openssl.include.x509.csr"
|
||||
require "resty.openssl.include.asn1"
|
||||
local stack_macro = require "resty.openssl.include.stack"
|
||||
require "resty.openssl.include.stack"
|
||||
local stack_lib = require "resty.openssl.stack"
|
||||
local pkey_lib = require "resty.openssl.pkey"
|
||||
local digest_lib = require("resty.openssl.digest")
|
||||
|
@ -20,11 +20,7 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
|
|||
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local version = require("resty.openssl.version")
|
||||
local OPENSSL_10 = version.OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = version.OPENSSL_3X
|
||||
local BORINGSSL = version.BORINGSSL
|
||||
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
|
||||
|
||||
local accessors = {}
|
||||
|
||||
|
@ -32,35 +28,9 @@ accessors.set_subject_name = C.X509_REQ_set_subject_name
|
|||
accessors.get_pubkey = C.X509_REQ_get_pubkey
|
||||
accessors.set_pubkey = C.X509_REQ_set_pubkey
|
||||
accessors.set_version = C.X509_REQ_set_version
|
||||
|
||||
if OPENSSL_11_OR_LATER or BORINGSSL_110 then
|
||||
accessors.get_signature_nid = C.X509_REQ_get_signature_nid
|
||||
elseif OPENSSL_10 then
|
||||
accessors.get_signature_nid = function(csr)
|
||||
if csr == nil or csr.sig_alg == nil then
|
||||
return nil
|
||||
end
|
||||
return C.OBJ_obj2nid(csr.sig_alg.algorithm)
|
||||
end
|
||||
end
|
||||
|
||||
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
|
||||
accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr
|
||||
accessors.get_version = C.X509_REQ_get_version
|
||||
elseif OPENSSL_10 or BORINGSSL_110 then
|
||||
accessors.get_subject_name = function(csr)
|
||||
if csr == nil or csr.req_info == nil then
|
||||
return nil
|
||||
end
|
||||
return csr.req_info.subject
|
||||
end
|
||||
accessors.get_version = function(csr)
|
||||
if csr == nil or csr.req_info == nil then
|
||||
return nil
|
||||
end
|
||||
return C.ASN1_INTEGER_get(csr.req_info.version)
|
||||
end
|
||||
end
|
||||
|
||||
local function __tostring(self, fmt)
|
||||
if not fmt or fmt == 'PEM' then
|
||||
|
@ -226,7 +196,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
|
|||
-- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
|
||||
-- introduces a change that a empty stack instead of NULL will be returned in no extension
|
||||
-- is found. so we need to double check the number if it's not NULL.
|
||||
stack_macro.OPENSSL_sk_num(extensions_ptr[0]) > 0
|
||||
C.OPENSSL_sk_num(extensions_ptr[0]) > 0
|
||||
|
||||
local flag
|
||||
if replace then
|
||||
|
@ -245,11 +215,6 @@ local function modify_extension(replace, ctx, nid, toset, crit)
|
|||
return false, format_error("X509V3_add1_i2d", code)
|
||||
end
|
||||
|
||||
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
|
||||
if code ~= 1 then
|
||||
return false, format_error("X509_REQ_add_extensions", code)
|
||||
end
|
||||
|
||||
if need_cleanup then
|
||||
-- cleanup old attributes
|
||||
-- delete the first only, why?
|
||||
|
@ -259,13 +224,14 @@ local function modify_extension(replace, ctx, nid, toset, crit)
|
|||
end
|
||||
end
|
||||
|
||||
-- mark encoded form as invalid so next time it will be re-encoded
|
||||
if OPENSSL_11_OR_LATER then
|
||||
C.i2d_re_X509_REQ_tbs(ctx, nil)
|
||||
else
|
||||
ctx.req_info.enc.modified = 1
|
||||
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
|
||||
if code ~= 1 then
|
||||
return false, format_error("X509_REQ_add_extensions", code)
|
||||
end
|
||||
|
||||
-- mark encoded form as invalid so next time it will be re-encoded
|
||||
C.i2d_re_X509_REQ_tbs(ctx, nil)
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
|
@ -339,8 +305,6 @@ function _M:sign(pkey, digest)
|
|||
return false, "x509.csr:sign: expect a digest instance to have algo member"
|
||||
end
|
||||
digest_algo = digest.algo
|
||||
elseif BORINGSSL then
|
||||
digest_algo = C.EVP_get_digestbyname('sha256')
|
||||
end
|
||||
|
||||
-- returns size of signature if success
|
||||
|
|
|
@ -16,7 +16,6 @@ local stack_lib = require("resty.openssl.stack")
|
|||
local bio_util = require "resty.openssl.auxiliary.bio"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local _M = {}
|
||||
local mt = { __index = _M }
|
||||
|
@ -34,13 +33,7 @@ if OPENSSL_3X then
|
|||
extension_types["issuer_pkey"] = "resty.openssl.pkey"
|
||||
end
|
||||
|
||||
local nconf_load
|
||||
if BORINGSSL then
|
||||
nconf_load = function()
|
||||
return nil, "NCONF_load_bio not exported in BoringSSL"
|
||||
end
|
||||
else
|
||||
nconf_load = function(conf, str)
|
||||
local nconf_load = function(conf, str)
|
||||
local bio = C.BIO_new_mem_buf(str, #str)
|
||||
if bio == nil then
|
||||
return format_error("BIO_new_mem_buf")
|
||||
|
@ -51,7 +44,6 @@ else
|
|||
return format_error("NCONF_load_bio")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
function _M.new(txtnid, value, data)
|
||||
local nid, err = objects_lib.txtnid2nid(txtnid)
|
||||
|
|
|
@ -8,7 +8,7 @@ require "resty.openssl.include.x509"
|
|||
require "resty.openssl.include.x509v3"
|
||||
require "resty.openssl.include.evp"
|
||||
require "resty.openssl.include.objects"
|
||||
local stack_macro = require("resty.openssl.include.stack")
|
||||
require "resty.openssl.include.stack"
|
||||
local stack_lib = require("resty.openssl.stack")
|
||||
local asn1_lib = require("resty.openssl.asn1")
|
||||
local digest_lib = require("resty.openssl.digest")
|
||||
|
@ -21,11 +21,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
|
|||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local version = require("resty.openssl.version")
|
||||
local OPENSSL_10 = version.OPENSSL_10
|
||||
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = version.OPENSSL_3X
|
||||
local BORINGSSL = version.BORINGSSL
|
||||
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
|
||||
|
||||
-- accessors provides an openssl version neutral interface to lua layer
|
||||
-- it doesn't handle any error, expect that to be implemented in
|
||||
|
@ -48,49 +44,12 @@ accessors.get_signature_nid = C.X509_get_signature_nid
|
|||
-- parent struct is freed.
|
||||
-- otherwise, use get0, which returns an internal pointer, we don't need to free it up.
|
||||
-- it will be gone together with the parent struct.
|
||||
|
||||
if BORINGSSL_110 then
|
||||
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
|
||||
accessors.set_not_before = C.X509_set_notBefore
|
||||
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
|
||||
accessors.set_not_after = C.X509_set_notAfter
|
||||
accessors.get_version = function(x509)
|
||||
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
|
||||
return nil
|
||||
end
|
||||
return C.ASN1_INTEGER_get(x509.cert_info.version)
|
||||
end
|
||||
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
|
||||
elseif OPENSSL_11_OR_LATER then
|
||||
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
|
||||
accessors.set_not_before = C.X509_set1_notBefore
|
||||
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
|
||||
accessors.set_not_after = C.X509_set1_notAfter
|
||||
accessors.get_version = C.X509_get_version -- returns int
|
||||
accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn
|
||||
elseif OPENSSL_10 then
|
||||
accessors.get_not_before = function(x509)
|
||||
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
|
||||
return nil
|
||||
end
|
||||
return x509.cert_info.validity.notBefore
|
||||
end
|
||||
accessors.set_not_before = C.X509_set_notBefore
|
||||
accessors.get_not_after = function(x509)
|
||||
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
|
||||
return nil
|
||||
end
|
||||
return x509.cert_info.validity.notAfter
|
||||
end
|
||||
accessors.set_not_after = C.X509_set_notAfter
|
||||
accessors.get_version = function(x509)
|
||||
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
|
||||
return nil
|
||||
end
|
||||
return C.ASN1_INTEGER_get(x509.cert_info.version)
|
||||
end
|
||||
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
|
||||
end
|
||||
|
||||
local function __tostring(self, fmt)
|
||||
if not fmt or fmt == 'PEM' then
|
||||
|
@ -241,7 +200,7 @@ end
|
|||
|
||||
-- note: index is 0 based
|
||||
local OPENSSL_STRING_value_at = function(ctx, i)
|
||||
local ct = ffi_cast("OPENSSL_STRING", stack_macro.OPENSSL_sk_value(ctx, i))
|
||||
local ct = ffi_cast("OPENSSL_STRING", C.OPENSSL_sk_value(ctx, i))
|
||||
if ct == nil then
|
||||
return nil
|
||||
end
|
||||
|
@ -251,7 +210,7 @@ end
|
|||
function _M:get_ocsp_url(return_all)
|
||||
local st = C.X509_get1_ocsp(self.ctx)
|
||||
|
||||
local count = stack_macro.OPENSSL_sk_num(st)
|
||||
local count = C.OPENSSL_sk_num(st)
|
||||
if count == 0 then
|
||||
return
|
||||
end
|
||||
|
@ -324,17 +283,11 @@ local digest_length = ctypes.ptr_of_uint()
|
|||
local digest_buf, digest_buf_size
|
||||
local function digest(self, cfunc, typ, properties)
|
||||
-- TODO: dedup the following with resty.openssl.digest
|
||||
local ctx
|
||||
if OPENSSL_11_OR_LATER then
|
||||
ctx = C.EVP_MD_CTX_new()
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_free)
|
||||
elseif OPENSSL_10 then
|
||||
ctx = C.EVP_MD_CTX_create()
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
|
||||
end
|
||||
local ctx = C.EVP_MD_CTX_new()
|
||||
if ctx == nil then
|
||||
return nil, "x509:digest: failed to create EVP_MD_CTX"
|
||||
end
|
||||
ffi_gc(ctx, C.EVP_MD_CTX_free)
|
||||
|
||||
local algo
|
||||
if OPENSSL_3X then
|
||||
|
@ -398,8 +351,6 @@ function _M:sign(pkey, digest)
|
|||
return false, "x509:sign: expect a digest instance to have algo member"
|
||||
end
|
||||
digest_algo = digest.algo
|
||||
elseif BORINGSSL then
|
||||
digest_algo = C.EVP_get_digestbyname('sha256')
|
||||
end
|
||||
|
||||
-- returns size of signature if success
|
||||
|
@ -472,19 +423,6 @@ function _M:get_extension(nid_txt, last_pos)
|
|||
return ext, pos+1
|
||||
end
|
||||
|
||||
local X509_delete_ext
|
||||
if OPENSSL_11_OR_LATER then
|
||||
X509_delete_ext = C.X509_delete_ext
|
||||
elseif OPENSSL_10 then
|
||||
X509_delete_ext = function(ctx, pos)
|
||||
return C.X509v3_delete_ext(ctx.cert_info.extensions, pos)
|
||||
end
|
||||
else
|
||||
X509_delete_ext = function(...)
|
||||
error("X509_delete_ext undefined")
|
||||
end
|
||||
end
|
||||
|
||||
-- AUTO GENERATED
|
||||
function _M:set_extension(extension, last_pos)
|
||||
if not extension_lib.istype(extension) then
|
||||
|
@ -497,7 +435,7 @@ function _M:set_extension(extension, last_pos)
|
|||
local pos = C.X509_get_ext_by_NID(self.ctx, nid, last_pos)
|
||||
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
|
||||
|
||||
local removed = X509_delete_ext(self.ctx, pos)
|
||||
local removed = C.X509_delete_ext(self.ctx, pos)
|
||||
C.X509_EXTENSION_free(removed)
|
||||
|
||||
if C.X509_add_ext(self.ctx, extension.ctx, pos) == nil then
|
||||
|
|
|
@ -11,9 +11,7 @@ local crl_lib = require "resty.openssl.x509.crl"
|
|||
local ctx_lib = require "resty.openssl.ctx"
|
||||
local format_all_error = require("resty.openssl.err").format_all_error
|
||||
local format_error = require("resty.openssl.err").format_error
|
||||
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
|
||||
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
|
||||
local BORINGSSL = require("resty.openssl.version").BORINGSSL
|
||||
|
||||
local _M = {}
|
||||
local mt = { __index = _M }
|
||||
|
@ -218,7 +216,7 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
|
|||
if not return_chain then
|
||||
return true, nil
|
||||
end
|
||||
local ret_chain_ctx = x509_vfy_macro.X509_STORE_CTX_get0_chain(ctx)
|
||||
local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
|
||||
return chain_lib.dup(ret_chain_ctx)
|
||||
elseif code == 0 then -- unverified
|
||||
local vfy_code = C.X509_STORE_CTX_get_error(ctx)
|
||||
|
@ -232,14 +230,6 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
|
|||
end
|
||||
|
||||
function _M:check_revocation(verified_chain, properties)
|
||||
if BORINGSSL then
|
||||
return nil, "x509.store:check_revocation: this API is not supported in BoringSSL"
|
||||
end
|
||||
|
||||
if not OPENSSL_11_OR_LATER then
|
||||
return nil, "x509.store:check_revocation: this API is supported from OpenSSL 1.1.0"
|
||||
end
|
||||
|
||||
if not verified_chain or not chain_lib.istype(verified_chain) then
|
||||
return nil, "x509.store:check_revocation: expect a x509.chain instance at #1"
|
||||
end
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
package = "lua-resty-openssl"
|
||||
version = "0.8.23-1"
|
||||
version = "1.0.1-1"
|
||||
source = {
|
||||
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
|
||||
tag = "0.8.23"
|
||||
tag = "1.0.1"
|
||||
}
|
||||
description = {
|
||||
detailed = "FFI-based OpenSSL binding for LuaJIT.",
|
117
src/deps/src/lua-resty-openssl/scripts/find_unused_cdef.py
vendored
Normal file
117
src/deps/src/lua-resty-openssl/scripts/find_unused_cdef.py
vendored
Normal file
|
@ -0,0 +1,117 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
current_script_path = os.path.abspath(sys.argv[0])
|
||||
|
||||
def load_files(path):
|
||||
file_contents = {}
|
||||
for root, _, files in os.walk(path):
|
||||
for file in files:
|
||||
if file.endswith(".lua"):
|
||||
p = os.path.join(root.replace(path, ""), file).lstrip("/")
|
||||
with open(os.path.join(root, file)) as f:
|
||||
file_contents[p] = f.readlines()
|
||||
|
||||
return file_contents
|
||||
|
||||
token = "[a-zA-Z0-9_]"
|
||||
def find_cdefs(files):
|
||||
cdefs = {
|
||||
"funcs": {},
|
||||
"types": {},
|
||||
}
|
||||
|
||||
for path, lines in files.items():
|
||||
start = False
|
||||
for i in range(len(lines)):
|
||||
line = lines[i]
|
||||
if "ffi.cdef" in line:
|
||||
start = True
|
||||
elif "]]" in line and start:
|
||||
start = False
|
||||
|
||||
if start:
|
||||
if re.findall("^\s*//", line): # comment
|
||||
continue
|
||||
|
||||
func = re.findall(f"{token}+[\s\*]+({token}+)\(", line)
|
||||
if func:
|
||||
cdefs["funcs"][func[0]] = f"{path}:{i}"
|
||||
type_ = re.findall(f"typedef.*?({token}+);", line)
|
||||
if type_:
|
||||
cdefs["types"][type_[0]] = f"{path}:{i}"
|
||||
type_ = re.findall(f"}}\s*({token}+);", line)
|
||||
if type_:
|
||||
cdefs["types"][type_[0]] = f"{path}:{i}"
|
||||
|
||||
return cdefs
|
||||
|
||||
# those are dynamically called
|
||||
ignore_list = [
|
||||
"OSSL_PARAM_(?:set|get)_",
|
||||
"PEM_read_bio_",
|
||||
"fake_openssl_",
|
||||
"(?:d2i|i2d)_(?:PUBKEY|PrivateKey)_bio",
|
||||
"_(?:gettable|settable)_params",
|
||||
"_(?:get|set)_params",
|
||||
"_do_all_(?:sorted|provided)",
|
||||
"_get0_name",
|
||||
]
|
||||
|
||||
def check_cdefs(files, cdef):
|
||||
unused = {
|
||||
"funcs": {},
|
||||
"types": {},
|
||||
}
|
||||
undefined = {
|
||||
"funcs": {},
|
||||
"types": {},
|
||||
}
|
||||
|
||||
patterns = {
|
||||
"funcs": "C.%s[^a-zA-Z0-9_]",
|
||||
"types": "%s[^a-zA-Z0-9_]",
|
||||
}
|
||||
|
||||
ignore_regex = "(?:%s)" % "|".join(ignore_list)
|
||||
|
||||
for name, regex_pattern in patterns.items():
|
||||
for token, path in cdef[name].items():
|
||||
found = False
|
||||
for _, lines in files.items():
|
||||
full_content = "".join(lines)
|
||||
if re.findall(regex_pattern % token, full_content):
|
||||
found = True
|
||||
break
|
||||
if not found and not re.findall(ignore_regex, token):
|
||||
unused[name][token] = path
|
||||
|
||||
# TODO: find undefined
|
||||
|
||||
return unused, undefined
|
||||
|
||||
def display(unused, undefined):
|
||||
for name, tokens in unused.items():
|
||||
if len(tokens) == 0:
|
||||
continue
|
||||
|
||||
print(f"Unused {name} ({len(tokens)}):")
|
||||
for token, path in tokens.items():
|
||||
print(f" {token} on {path}")
|
||||
|
||||
for name, tokens in undefined.items():
|
||||
if len(tokens) == 0:
|
||||
continue
|
||||
|
||||
print(f"Undefined {name} ({len(tokens)}):")
|
||||
for token, path in tokens.items():
|
||||
print(f" {token} on {path}")
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
files = load_files(os.path.join(os.path.dirname(current_script_path), "..", "lib"))
|
||||
cdefs = find_cdefs(files)
|
||||
display(*check_cdefs(files, cdefs))
|
|
@ -13,8 +13,6 @@ function _M:sign(pkey, digest)
|
|||
return false, "{{modname}}:sign: expect a digest instance to have algo member"
|
||||
end
|
||||
digest_algo = digest.algo
|
||||
elseif BORINGSSL then
|
||||
digest_algo = C.EVP_get_digestbyname('sha256')
|
||||
end
|
||||
|
||||
-- returns size of signature if success
|
||||
|
@ -89,19 +87,6 @@ function _M:get_extension(nid_txt, last_pos)
|
|||
return ext, pos+1
|
||||
end
|
||||
|
||||
local {{ module.type }}_delete_ext
|
||||
if OPENSSL_11_OR_LATER then
|
||||
{{ module.type }}_delete_ext = C.{{ module.type }}_delete_ext
|
||||
elseif OPENSSL_10 then
|
||||
{{ module.type }}_delete_ext = function(ctx, pos)
|
||||
return C.X509v3_delete_ext(ctx.{{ module.extensions_in_struct }}, pos)
|
||||
end
|
||||
else
|
||||
{{ module.type }}_delete_ext = function(...)
|
||||
error("{{ module.type }}_delete_ext undefined")
|
||||
end
|
||||
end
|
||||
|
||||
-- AUTO GENERATED
|
||||
function _M:set_extension(extension, last_pos)
|
||||
if not extension_lib.istype(extension) then
|
||||
|
@ -114,7 +99,7 @@ function _M:set_extension(extension, last_pos)
|
|||
local pos = C.{{ module.type }}_get_ext_by_NID(self.ctx, nid, last_pos)
|
||||
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
|
||||
|
||||
local removed = {{ module.type }}_delete_ext(self.ctx, pos)
|
||||
local removed = C.{{ module.type }}_delete_ext(self.ctx, pos)
|
||||
C.X509_EXTENSION_free(removed)
|
||||
|
||||
if C.{{ module.type }}_add_ext(self.ctx, extension.ctx, pos) == nil then
|
||||
|
|
Loading…
Reference in a new issue