librewolf/bunkerized-nginx
4
0
Fork 1
mirror of https://github.com/bunkerity/bunkerized-nginx synced 2023-12-13 21:30:18 +01:00
Code Issues Projects Releases Wiki Activity

Merge commit 'c473aa40807f32438ffe34bdfe07f8f0485a6aa4' into dev

Browse source
This commit is contained in:
Théophile Diot 2023-11-16 16:55:26 +00:00
commit 576cb81979
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
52 changed files with 626 additions and 1534 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/deps/src/lua-resty-openssl/.chglog/config.yml vendored
View file

@ -19,7 +19,7 @@ options:
perf: Performance Improvements
refactor: Code Refactoring
header:
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?\\s(.*)$"
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?:?\\s(.*)$"
pattern_maps:
- Type
- Scope

159
src/deps/src/lua-resty-openssl/.github/workflows/tests.yml vendored
View file

@ -20,7 +20,7 @@ concurrency:
jobs:
tests:
name: Tests
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
strategy:
fail-fast: false
@ -29,69 +29,43 @@ jobs:
# TODO: arm64
# latest and one version older for valgrind and perf test
- nginx: "1.19.9"
openssl: "1.0.2u"
openssl: "1.1.1w"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "1.1.1t"
openssl: "3.1.4"
openssl_fips: "3.0.8"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "3.0.8"
extras: "valgrind"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "1.0.2u"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
openssl: "1.1.1t"
openssl: "1.1.1w"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
- nginx: "1.21.4"
openssl: "3.0.8"
openssl: "3.0.12"
openssl_fips: "3.0.8"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "3.1.0"
openssl: "3.1.4"
openssl_fips: "3.0.8"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
# latest version with EOL 1.1.0
- nginx: "1.21.4"
openssl: "1.1.0l"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
# version that kong uses, for fips
- nginx: "1.21.4"
openssl: "1.0.2u"
fips2: "2.0.16"
openssl_opts: "fips --with-fipsdir=/home/runner/work/cache/ssl/fips"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808
openssl: "3.2.0-alpha1"
openssl_fips: "3.0.8"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
env:
JOBS: 3
@ -121,7 +95,7 @@ jobs:
with:
path: |
/home/runner/work/cache
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-${{ matrix.fips2 }}-boringssl-${{ matrix.boringssl }}
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}
- name: Setup tools
run: |
@ -149,57 +123,31 @@ jobs:
- name: Build OpenSSL
if: matrix.boringssl == ''
run: |
mkdir -p $OPENSSL_PREFIX
# fips doesn't seem to support to build parallelly
if [ "X${{ matrix.fips2 }}" != "X" ]; then wget https://www.openssl.org/source/old/fips/openssl-fips-${{ matrix.fips2 }}.tar.gz -qO - | tar zxf - ; pushd openssl-fips-${{ matrix.fips2 }}/; FIPSDIR=$OPENSSL_PREFIX/fips ./config; make; make install; popd; fi
T=$OPENSSL_PREFIX
mkdir -p $T
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
if [ ! -e $OPENSSL_PREFIX/include ]; then ./config shared -d --prefix=$OPENSSL_PREFIX -DPURIFY ${{ matrix.openssl_opts }} > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/include ]; then sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
if [ -e $OPENSSL_LIB/libcrypto.so.3 ] && [ ! -e $OPENSSL_LIB/ossl-modules/fips.so ]; then mkdir -p $OPENSSL_PREFIX/ssl; sudo make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/lib64 ]; then sudo cp -r $OPENSSL_PREFIX/lib $OPENSSL_PREFIX/lib64; fi
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/
- name: Build BoringSSL
if: matrix.boringssl != ''
- name: Build OpenSSL FIPS module
if: matrix.openssl_fips != ''
run: |
mkdir -p $OPENSSL_PREFIX
if [ ! -e $OPENSSL_PREFIX/include ]; then
# libtinfo5 is a dependency of clang7 on ubuntu20.04
sudo apt-get install -qq -y cmake libtinfo5 unzip libunwind-dev libgcc-9-dev libstdc++-9-dev
wget https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz -qO - |tar Jxf -
export HOME="$PWD"
printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
export PATH="$PWD/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
clang --version
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz -qO - |tar zxf -
export GOPATH="$PWD/gopath"
export GOROOT="$PWD/go"
export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
go version
wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip -q
unzip -o ninja-linux.zip
export PATH="$PWD:$PATH"
ninja --version
wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-${{ matrix.boringssl }}.tar.xz -qO - | tar Jxf -; pushd boringssl
if [ "${{ matrix.boringssl }}" == "ae223d6138807a13006342edfeef32e813246b39" ]; then
patch -p1 < ../t/fixtures/boringssl_fips.patch
fi
rm -rf build; mkdir build; pushd build
cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. > build.log 2>&1 || (cat build.log && exit 1)
ninja > build.log 2>&1 || (cat build.log && exit 1)
./tool/bssl isfips
popd; rm -rf $OPENSSL_INC; cp -r include $OPENSSL_INC
mkdir -p $OPENSSL_LIB; cp -r build/*/*.so $OPENSSL_LIB
fi
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
T=${OPENSSL_PREFIX}.fips
mkdir -p $T
wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
# don't activate by default
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
- name: Build LuaJIT
env:
@ -274,34 +222,16 @@ jobs:
- name: Run FIPS Test
run: |
# openssl 3.0
if [ -e $OPENSSL_LIB/libcrypto.so.3 ]; then
if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
echo "FIPS for OpenSSL 3.0"
cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
pushd openssl-${{ matrix.openssl }}/;
# LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
# don't activate by default
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
popd
export TEST_NGINX_FIPS=1
fi
# openssl 1.0.2 with fips module
if [ "X${{ matrix.fips2 }}" != "X" ]; then
echo "FIPS for OpenSSL 1.0.2"
export TEST_NGINX_FIPS=1
fi
# BoringSSL
if [ "X${{ matrix.boringssl }}" != "X" ]; then
echo "FIPS for BoringSSL ${{ matrix.boringssl }}"
export TEST_NGINX_FIPS=1
fi
if [ "X$TEST_NGINX_FIPS" != "X" ]; then
echo "Running FIPS tests"
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
@ -309,6 +239,7 @@ jobs:
TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
else
echo "FIPS tests are skipped"
fi

43
src/deps/src/lua-resty-openssl/CHANGELOG.md vendored
View file

@ -2,6 +2,41 @@
## [Unreleased]
<a name="1.0.1"></a>
## [1.0.1] - 2023-11-07
### bug fixes
- **jwk:** return error if exporting private key from public key ([#128](https://github.com/fffonion/lua-resty-openssl/issues/128)) [3a1bc27](https://github.com/fffonion/lua-resty-openssl/commit/3a1bc273e2a3f41faa7eb68f2939fd1fc25cdecb)
<a name="1.0.0"></a>
## [1.0.0] - 2023-11-03
### code refactoring
- **\*:** remove unused cdefs [84abc0a](https://github.com/fffonion/lua-resty-openssl/commit/84abc0ab99b3d649c7fe4575cf13867cf96a94ef)
- **\*:** BREAKING: drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support [99b493e](https://github.com/fffonion/lua-resty-openssl/commit/99b493e671886e68c07b1b9c9472075c22ce38e9)
### features
- **fips:** add get_fips_version_text [935227b](https://github.com/fffonion/lua-resty-openssl/commit/935227b348ba4416f2f4d671dd94f7910cbf9e61)
<a name="0.8.26"></a>
## [0.8.26] - 2023-10-30
### bug fixes
- **version:** add support for all 3.x versions [1516b4d](https://github.com/fffonion/lua-resty-openssl/commit/1516b4d94ac4621a1b243c14b5133ded81515d28)
- **x509.csr:** remove extension before adding it [d6ed964](https://github.com/fffonion/lua-resty-openssl/commit/d6ed9648e39f46f7519413489baf021092ccbc49)
<a name="0.8.25"></a>
## [0.8.25] - 2023-09-05
### bug fixes
- **pkey:** clear error stack when verification fails ([#121](https://github.com/fffonion/lua-resty-openssl/issues/121)) [6e58b28](https://github.com/fffonion/lua-resty-openssl/commit/6e58b28c3d42560631e0c8351befa1434b6fc542)
<a name="0.8.24"></a>
## [0.8.24] - 2023-08-07
### bug fixes
- **ssl:** support ngx_lua 10025 [abaa66e](https://github.com/fffonion/lua-resty-openssl/commit/abaa66ee07ce734580fd29ec6032157c998f6346)
<a name="0.8.23"></a>
## [0.8.23] - 2023-06-20
### bug fixes
@ -9,6 +44,7 @@
### features
- **tests:** add performance test ([#112](https://github.com/fffonion/lua-resty-openssl/issues/112)) [100b4e4](https://github.com/fffonion/lua-resty-openssl/commit/100b4e43843a597327be6e5356c64b5ce621fa56)
- **x509.store:** add store:check_revocation and add flag to skip check CRL for store:add ([#1](https://github.com/fffonion/lua-resty-openssl/issues/1)) [1a5a4c8](https://github.com/fffonion/lua-resty-openssl/commit/1a5a4c881128ffb65d6eaf47bb3961417ef23f0b)
<a name="0.8.22"></a>
@ -506,7 +542,12 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...HEAD
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.1...HEAD
[1.0.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.0...1.0.1
[1.0.0]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.26...1.0.0
[0.8.26]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.25...0.8.26
[0.8.25]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.24...0.8.25
[0.8.24]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...0.8.24
[0.8.23]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.22...0.8.23
[0.8.22]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.21...0.8.22
[0.8.21]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.20...0.8.21

90
src/deps/src/lua-resty-openssl/README.md vendored
View file

@ -1,8 +1,8 @@
# lua-resty-openssl
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.1, 3.0, 1.1 and 1.0.2 series.
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.x, 1.1 series.
BoringSSL is also supported.
OpenSSL 1.1.0, 1.0.2 and BoringSSL support has been dropped, but are still available at the [0.x branch](https://github.com/fffonion/lua-resty-openssl/tree/0.x).
![Build Status](https://github.com/fffonion/lua-resty-openssl/workflows/Tests/badge.svg) ![luarocks](https://img.shields.io/luarocks/v/fffonion/lua-resty-openssl?color=%232c3e67) ![opm](https://img.shields.io/opm/v/fffonion/lua-resty-openssl?color=%23599059)
@ -20,6 +20,7 @@ Table of Contents
+ [openssl.resty_hmac_compat](#opensslresty_hmac_compat)
+ [openssl.get_fips_mode](#opensslget_fips_mode)
+ [openssl.set_fips_mode](#opensslset_fips_mode)
+ [openssl.get_fips_version_text](#opensslget_fips_version_text)
+ [openssl.set_default_properties](#opensslset_default_properties)
+ [openssl.list_cipher_algorithms](#openssllist_cipher_algorithms)
+ [openssl.list_digest_algorithms](#openssllist_digest_algorithms)
@ -35,8 +36,7 @@ Table of Contents
+ [version.version](#versionversion)
+ [version.info](#versioninfo)
+ [version.OPENSSL_3X](#versionOPENSSL_3X)
+ [version.OPENSSL_11](#versionopenssl_11)
+ [version.OPENSSL_10](#versionopenssl_10)
+ [version.OPENSSL_111](#versionopenssl_111)
* [resty.openssl.provider](#restyopensslprovider)
+ [provider.load](#providerload)
+ [provider.istype](#provideristype)
@ -295,10 +295,7 @@ Description
===========
`lua-resty-openssl` is a FFI-based OpenSSL binding library, currently
supports OpenSSL `3.1.x`, `3.0.x`, `1.1.1`, `1.1.0` and `1.0.2` series.
**Note: when using with OpenSSL 1.0.2, it's recommanded to not use this library with other FFI-based OpenSSL binding libraries to avoid potential mismatch of `cdef`.**
supports OpenSSL `3.x` and `1.1.1` series.
[Back to TOC](#table-of-contents)
@ -321,9 +318,6 @@ using `error()` but instead return as last parameter.
Each Lua table returned by `new()` contains a cdata object `ctx`. User are not supposed to manully setting
`ffi.gc` or calling corresponding destructor of the `ctx` struct (like `*_free` functions).
BoringSSL removes some algorithms and not all functionalities below is supported by BoringSSL. Please
consul its manual for differences between OpenSSL API.
[Back to TOC](#table-of-contents)
## resty.openssl
@ -443,7 +437,14 @@ print(c:get_provider_name()) -- prints "fips"
Compile the module per [security policy](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf)
Check if FIPS is acticated by running `assert(openssl.set_fips_mode(true))`.
BoringSSL doesn't support "turn FIPS mode off" once it's compiled.
[Back to TOC](#table-of-contents)
### openssl.get_fips_version_text
**syntax**: *text, err = openssl.get_fips_version_text()*
Returns the version text of the FIPS module, only available on OpenSSL 3.x.
[Back to TOC](#table-of-contents)
@ -596,11 +597,6 @@ Returns various OpenSSL version information. Available values for `types` are:
MODULES_DIR
CPU_INFO
For OpenSSL prior to 1.1.x, only `VERSION`, `CFLAGS`, `BUILT_ON`, `PLATFORM`
and `DIR` are supported. Please refer to
[OPENSSL_VERSION_NUMBER(3)](https://www.openssl.org/docs/manmaster/man3/OPENSSL_VERSION_NUMBER.html)
for explanation of each type.
```lua
local version = require("resty.openssl.version")
ngx.say(string.format("%x", version.version_num))
@ -647,23 +643,9 @@ A boolean indicates whether the linked OpenSSL is 3.x series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_30
### version.OPENSSL_111
Deprecated: use `version.OPENSSL_3X` is encouraged.
A boolean indicates whether the linked OpenSSL is 3.0 series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_11
A boolean indicates whether the linked OpenSSL is 1.1 series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_10
A boolean indicates whether the linked OpenSSL is 1.0 series.
A boolean indicates whether the linked OpenSSL is 1.1.1 series.
[Back to TOC](#table-of-contents)
@ -767,10 +749,6 @@ X25519 | Y | Y | | | Y (ECDH) |
Ed448 | Y | Y | | Y (PureEdDSA) | |
X448 | Y | Y | | | Y (ECDH) |
`Ed25519`, `X25519`, `Ed448` and `X448` keys are only supported since OpenSSL 1.1.0.
Note BoringSSL doesn't support `Ed448` and `X448` keys.
Direct support of encryption and decryption for EC and ECX does not exist, but
processes like ECIES is possible with [pkey:derive](#pkeyderive),
[kdf](#restyopensslkdf) and [cipher](#restyopensslcipher)
@ -1067,8 +1045,7 @@ This mode only supports RSA and EC keys.
When passing a string as first parameter, `md_alg` parameter will specify the name
to use when signing. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA signing,
no message digest should be specified and will not be used. BoringSSL doesn't have default
digest thus `md_alg` must be specified.
no message digest should be specified and will not be used.
`opts` is a table that accepts additional parameters.
@ -1083,8 +1060,7 @@ obsolete MD5 hash algorithm and will return error on this combination. See
for a list of algorithms and associated public key algorithms. Normally, the ECDSA signature
is encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
a true value, a binary with just the concatenation of binary representation `pr` and `ps` is returned.
This is useful for example to send the signature as JWS. This feature
is only supported on OpenSSL 1.1.0 or later.
This is useful for example to send the signature as JWS.
[Back to TOC](#table-of-contents)
@ -1106,8 +1082,7 @@ This mode only supports RSA and EC keys.
When passing a string as second parameter, `md_alg` parameter will specify the name
to use when verifying. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA verification,
no message digest should be specified and will not be used. BoringSSL doesn't have default
digest thus `md_alg` must be specified.
no message digest should be specified and will not be used.
`opts` is a table that accepts additional parameters.
@ -1118,8 +1093,7 @@ possible to specify PSS salt length by setting `opts.pss_saltlen`.
For EC key, this function does a ECDSA verification. Normally, the ECDSA signature
should be encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
a true value, this library treat `signature` as concatenation of binary representation `pr` and `ps`.
This is useful for example to verify the signature as JWS. This feature
is only supported on OpenSSL 1.1.0 or later.
This is useful for example to verify the signature as JWS.
```lua
-- RSA and EC keys
@ -1313,8 +1287,7 @@ Creates a `bn` instance from binary string.
Exports the BIGNUM value in binary string.
`bn:to_binary` accepts an optional number argument `padto` that can be
used to pad leading zeros to the output to a specific length. This feature
is only supported on OpenSSL 1.1.0 or later.
used to pad leading zeros to the output to a specific length.
```lua
local b, err = require("resty.openssl.bn").from_binary(ngx.decode_base64("WyU="))
@ -1860,6 +1833,8 @@ Reset the internal state of `digest` instance as it's just created by [digest.ne
It calls [EVP_DigestInit_ex](https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit_ex.html) under
the hood.
User must call this before reusing the same `digest` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.hmac
@ -1929,6 +1904,8 @@ Reset the internal state of `hmac` instance as it's just created by [hmac.new](#
It calls [HMAC_Init_ex](https://www.openssl.org/docs/manmaster/man3/HMAC_Init_ex.html) under
the hood.
User must call this before reusing the same `hmac` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.mac
@ -2026,8 +2003,7 @@ instead.
Derive a key from given material. Various KDFs are supported based on OpenSSL version:
- On OpenSSL 1.0.2 and later, `PBKDF2`([RFC 2898], [NIST SP 800-132]) is available.
- On OpenSSL 1.1.0 and later, `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
`PBKDF2`([RFC 2898], [NIST SP 800-132]), `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
`options` is a table that contains:
@ -2043,7 +2019,7 @@ Derive a key from given material. Various KDFs are supported based on OpenSSL ve
to explictly select provider to fetch algorithms. | |
| pbkdf2_iter | number | PBKDF2 iteration count. RFC 2898 suggests an iteration count of at least 1000. Any value less than 1 is treated as a single iteration. | `1` |
| hkdf_key | string | HKDF key | **required** |
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. This is only effective with OpenSSL >= 1.1.1. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
| hkdf_info | string | HKDF info value | (empty string) |
| tls1_prf_secret | string | TLS1-PRF secret | **required** |
| tls1_prf_seed | string | TLS1-PRF seed | **required** |
@ -2182,6 +2158,8 @@ This function is available since OpenSSL 3.0.
Reset the internal state of `kdf` instance as it's just created by [kdf.new](#kdfnew).
User must call this before reusing the same `kdf` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.objects
@ -2586,8 +2564,6 @@ Sign the certificate using the private key specified by `pkey`, which must be a
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### x509:verify
@ -2798,8 +2774,6 @@ Sign the certificate request using the private key specified by `pkey`, which mu
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### csr:verify
@ -3014,8 +2988,6 @@ Sign the CRL using the private key specified by `pkey`, which must be a
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### crl:verify
@ -3967,8 +3939,6 @@ to explictly select provider to fetch algorithms.
Returns `true` when the certificate isn't revoked,
otherwise returns `nil` and error explaining the reason.
Note this function is supported from OpenSSL 1.1.0 and not supported in BoringSSL.
[Back to TOC](#table-of-contents)
## resty.openssl.x509.revoked
@ -4533,7 +4503,7 @@ Copyright and License
This module is licensed under the BSD license.
Copyright (C) 2019-2020, by fffonion <fffonion@gmail.com>.
Copyright (C) 2019-2023, by fffonion <fffonion@gmail.com>.
All rights reserved.
@ -4551,7 +4521,7 @@ See Also
========
* [luaossl](https://github.com/wahern/luaossl)
* [API/ABI changes review for OpenSSL](https://abi-laboratory.pro/index.php?view=timeline&l=openssl)
* [OpenSSL API manual](https://www.openssl.org/docs/man1.1.1/man3/)
* [OpenSSL API manual](https://www.openssl.org/docs/man3.1/man3/)
[Back to TOC](#table-of-contents)

25
src/deps/src/lua-resty-openssl/lib/resty/openssl.lua vendored
View file

@ -5,7 +5,7 @@ local ffi_str = ffi.string
local format_error = require("resty.openssl.err").format_error
local OPENSSL_3X, BORINGSSL
local OPENSSL_3X
local function try_require_modules()
package.loaded["resty.openssl.version"] = nil
@ -13,7 +13,6 @@ local function try_require_modules()
local pok, lib = pcall(require, "resty.openssl.version")
if pok then
OPENSSL_3X = lib.OPENSSL_3X
BORINGSSL = lib.BORINGSSL
require "resty.openssl.include.crypto"
require "resty.openssl.include.objects"
@ -25,7 +24,7 @@ try_require_modules()
local _M = {
_VERSION = '0.8.23',
_VERSION = '1.0.1',
}
local libcrypto_name
@ -286,6 +285,14 @@ if OPENSSL_3X then
return C.EVP_default_properties_is_fips_enabled(ctx_lib.get_libctx()) == 1
end
function _M.get_fips_version_text()
if not fips_provider_ctx then
return false, "FIPS mode is not enabled"
end
return fips_provider_ctx:get_params("version")
end
else
function _M.set_fips_mode(enable)
if (not not enable) == _M.get_fips_mode() then
@ -302,6 +309,10 @@ else
function _M.get_fips_mode()
return C.FIPS_mode() == 1
end
function _M.get_fips_version_text()
return nil, "openssl.get_fips_version_text not supported on OpenSSL 1.1.1"
end
end
function _M.set_default_properties(props)
@ -362,10 +373,6 @@ local function list_provided(typ)
end
function _M.list_cipher_algorithms()
if BORINGSSL then
return nil, "openssl.list_cipher_algorithms is not supported on BoringSSL"
end
require "resty.openssl.include.evp.cipher"
local ret = list_legacy("EVP_CIPHER",
OPENSSL_3X and C.EVP_CIPHER_get_nid or C.EVP_CIPHER_nid)
@ -381,10 +388,6 @@ function _M.list_cipher_algorithms()
end
function _M.list_digest_algorithms()
if BORINGSSL then
return nil, "openssl.list_digest_algorithms is not supported on BoringSSL"
end
require "resty.openssl.include.evp.md"
local ret = list_legacy("EVP_MD",
OPENSSL_3X and C.EVP_MD_get_type or C.EVP_MD_type)

4
src/deps/src/lua-resty-openssl/lib/resty/openssl/auxiliary/jwk.lua vendored
View file

@ -202,6 +202,10 @@ end
function _M.dump_jwk(pkey, is_priv)
local jwk
if is_priv and not pkey:is_private() then
return nil, "jwk.dump_jwk: could not dump public key as private key"
end
if pkey.key_type == evp_macro.EVP_PKEY_RSA then
local param_keys = { "n" , "e" }
if is_priv then

3
src/deps/src/lua-resty-openssl/lib/resty/openssl/auxiliary/nginx.lua vendored
View file

@ -168,6 +168,7 @@ else
return ssl.session_ctx
end
-- https://github.com/openresty/stream-lua-nginx-module/blob/master/src/ngx_stream_lua_socket_tcp.h
ffi.cdef[[
typedef struct ngx_http_lua_socket_tcp_upstream_s
ngx_http_lua_socket_tcp_upstream_t;
@ -213,7 +214,7 @@ else
ngx.config.ngx_lua_version and
ngx.config.ngx_lua_version
if ngx_lua_version >= 10019 and ngx_lua_version <= 10021 then
if ngx_lua_version >= 10019 and ngx_lua_version <= 10025 then
-- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
ffi.cdef[[
typedef struct {

49
src/deps/src/lua-resty-openssl/lib/resty/openssl/bn.lua vendored
View file

@ -9,7 +9,6 @@ require "resty.openssl.include.bn"
local crypto_macro = require("resty.openssl.include.crypto")
local ctypes = require "resty.openssl.auxiliary.ctypes"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -55,8 +54,6 @@ function _M:to_binary(pad)
if pad then
if type(pad) ~= "number" then
return nil, "bn:to_binary: expect a number at #1"
elseif OPENSSL_10 then
return nil, "bn:to_binary: padding is only supported on OpenSSL 1.1.0 or later"
end
end
@ -167,30 +164,18 @@ end
-- we only need one per worker
local bn_ctx_tmp = C.BN_CTX_new()
assert(bn_ctx_tmp ~= nil)
if OPENSSL_10 then
C.BN_CTX_init(bn_ctx_tmp)
end
ffi_gc(bn_ctx_tmp, C.BN_CTX_free)
_M.bn_ctx_tmp = bn_ctx_tmp
-- mathematics
local is_negative
if OPENSSL_10 then
local bn_zero = assert(_M.new(0)).ctx
is_negative = function(ctx)
return C.BN_cmp(ctx, bn_zero) < 0 and 1 or 0
end
else
is_negative = C.BN_is_negative
end
function mt.__unm(a)
local b = _M.dup(a.ctx)
if b == nil then
error("BN_dup() failed")
end
local sign = is_negative(b.ctx)
local sign = C.BN_is_negative(b.ctx)
C.BN_set_negative(b.ctx, 1-sign)
return b
end
@ -366,37 +351,6 @@ function mt.__le(a, b)
return C.BN_cmp(a.ctx, b.ctx) <= 0
end
if OPENSSL_10 then
-- in openssl 1.0.x those functions are implemented as macros
-- don't want to copy paste all structs here
-- the followings are definitely slower, but works
local bn_zero = assert(_M.new(0)).ctx
local bn_one = assert(_M.new(1)).ctx
function _M:is_zero()
return C.BN_cmp(self.ctx, bn_zero) == 0
end
function _M:is_one()
return C.BN_cmp(self.ctx, bn_one) == 0
end
function _M:is_word(n)
local ctx = C.BN_new()
ffi_gc(ctx, C.BN_free)
if ctx == nil then
return nil, "bn:is_word: BN_new() failed"
end
if C.BN_set_word(ctx, n) ~= 1 then
return nil, "bn:is_word: BN_set_word() failed"
end
return C.BN_cmp(self.ctx, ctx) == 0
end
function _M:is_odd()
return self:to_number() % 2 == 1
end
else
function _M:is_zero()
return C.BN_is_zero(self.ctx) == 1
end
@ -412,7 +366,6 @@ else
function _M:is_odd()
return C.BN_is_odd(self.ctx) == 1
end
end
function _M:is_prime(nchecks)
if nchecks and type(nchecks) ~= "number" then

13
src/deps/src/lua-resty-openssl/lib/resty/openssl/cipher.lua vendored
View file

@ -9,8 +9,6 @@ local evp_macro = require "resty.openssl.include.evp"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local uchar_array = ctypes.uchar_array
@ -32,18 +30,11 @@ function _M.new(typ, properties)
return nil, "cipher.new: expect type to be defined"
end
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_CIPHER_CTX_new()
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
elseif OPENSSL_10 then
ctx = ffi.new('EVP_CIPHER_CTX')
C.EVP_CIPHER_CTX_init(ctx)
ffi_gc(ctx, C.EVP_CIPHER_CTX_cleanup)
end
local ctx = C.EVP_CIPHER_CTX_new()
if ctx == nil then
return nil, "cipher.new: failed to create EVP_CIPHER_CTX"
end
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
local ctyp
if OPENSSL_3X then

52
src/deps/src/lua-resty-openssl/lib/resty/openssl/dh.lua vendored
View file

@ -4,8 +4,6 @@ local C = ffi.C
require "resty.openssl.include.dh"
local bn_lib = require "resty.openssl.bn"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,45 +16,23 @@ function _M.get_parameters(dh_st)
return setmetatable(empty_table, {
__index = function(_, k)
local ptr, ret
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
if k == 'p' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, ptr, nil, nil)
end
elseif k == 'q' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, nil, ptr, nil)
end
elseif k == 'g' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, nil, nil, ptr)
end
elseif k == 'public' then
if OPENSSL_11_OR_LATER then
C.DH_get0_key(dh_st, ptr, nil)
end
k = "pub_key"
elseif k == 'private' then
if OPENSSL_11_OR_LATER then
C.DH_get0_key(dh_st, nil, ptr)
end
k = "priv_key"
else
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
end
if OPENSSL_11_OR_LATER then
ret = ptr[0]
elseif OPENSSL_10 then
ret = dh_st[k]
end
if ret == nil then
return nil
@ -85,52 +61,44 @@ function _M.set_parameters(dh_st, opts)
local cleanup_from_idx = 1
-- dup input
local do_set_key, do_set_pqg
while true do -- luacheck: ignore
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
-- luacheck: ignore
err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
goto cleanup_with_error
break
end
if k == "private" or k == "public" then
do_set_key = true
elseif k == "p" or k == "q" or k == "g" then
do_set_pqg = true
end
end
if OPENSSL_11_OR_LATER then
local code
if do_set_key then
code = C.DH_set0_key(dh_st, opts_bn["public"], opts_bn["private"])
if code == 0 then
err = format_error("dh.set_parameters: DH_set0_key")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 2
if do_set_pqg then
code = C.DH_set0_pqg(dh_st, opts_bn["p"], opts_bn["q"], opts_bn["g"])
if code == 0 then
err = format_error("dh.set_parameters: DH_set0_pqg")
goto cleanup_with_error
break
end
end
return true
elseif OPENSSL_10 then
for k, v in pairs(opts_bn) do
if k == "public" then
k = "pub_key"
elseif k == "private" then
k = "priv_key"
end
if dh_st[k] ~= nil then
C.BN_free(dh_st[k])
end
dh_st[k]= v
end
return true
end
::cleanup_with_error::
for i, k in pairs(_M.params) do
if i >= cleanup_from_idx then
C.BN_free(opts_bn[k])

13
src/deps/src/lua-resty-openssl/lib/resty/openssl/digest.lua vendored
View file

@ -7,8 +7,6 @@ require "resty.openssl.include.evp.md"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -17,17 +15,11 @@ local mt = {__index = _M}
local md_ctx_ptr_ct = ffi.typeof('EVP_MD_CTX*')
function _M.new(typ, properties)
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_MD_CTX_new()
ffi_gc(ctx, C.EVP_MD_CTX_free)
elseif OPENSSL_10 then
ctx = C.EVP_MD_CTX_create()
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
end
local ctx = C.EVP_MD_CTX_new()
if ctx == nil then
return nil, "digest.new: failed to create EVP_MD_CTX"
end
ffi_gc(ctx, C.EVP_MD_CTX_free)
local err_new = string.format("digest.new: invalid digest type \"%s\"", typ)
@ -37,6 +29,7 @@ function _M.new(typ, properties)
else
if OPENSSL_3X then
algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), typ or 'sha1', properties)
ffi_gc(algo, C.EVP_MD_free)
else
algo = C.EVP_get_digestbyname(typ or 'sha1')
end

31
src/deps/src/lua-resty-openssl/lib/resty/openssl/ec.lua vendored
View file

@ -5,11 +5,8 @@ local ffi_gc = ffi.gc
require "resty.openssl.include.ec"
local bn_lib = require "resty.openssl.bn"
local objects_lib = require "resty.openssl.objects"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local version_num = require("resty.openssl.version").version_num
local format_error = require("resty.openssl.err").format_error
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
@ -38,27 +35,12 @@ function _M.get_parameters(ec_key_st)
if point_form == nil then
return nil, format_error("ec.get_parameters: EC_KEY_get_conv_form")
end
if BORINGSSL then
local sz = tonumber(C.EC_POINT_point2oct(group, pub_point, point_form, nil, 0, bn_lib.bn_ctx_tmp))
if sz <= 0 then
return nil, format_error("ec.get_parameters: EC_POINT_point2oct")
end
local buf = ctypes.uchar_array(sz)
C.EC_POINT_point2oct(group, pub_point, point_form, buf, sz, bn_lib.bn_ctx_tmp)
buf = ffi.string(buf, sz)
local err
bn, err = bn_lib.from_binary(buf)
if bn == nil then
return nil, "ec.get_parameters: bn_lib.from_binary: " .. err
end
return bn
else
bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
if bn == nil then
return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
end
ffi_gc(bn, C.BN_free)
end
elseif k == 'private' or k == "priv_key" then
-- get0, don't GC
bn = C.EC_KEY_get0_private_key(ec_key_st)
@ -72,17 +54,12 @@ function _M.get_parameters(ec_key_st)
return nil, "ec.get_parameters: BN_new() failed"
end
ffi_gc(bn, C.BN_free)
local f
if version_num >= 0x10101000 then
f = C.EC_POINT_get_affine_coordinates
else
f = C.EC_POINT_get_affine_coordinates_GFp
end
local code
if k == 'x' then
code = f(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
code = C.EC_POINT_get_affine_coordinates(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
else
code = f(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
code = C.EC_POINT_get_affine_coordinates(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
end
if code ~= 1 then
return nil, format_error("ec.get_parameters: EC_POINT_get_affine_coordinates")

13
src/deps/src/lua-resty-openssl/lib/resty/openssl/hmac.lua vendored
View file

@ -7,8 +7,6 @@ require "resty.openssl.include.hmac"
require "resty.openssl.include.evp.md"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -20,18 +18,11 @@ local hmac_ctx_ptr_ct = ffi.typeof('HMAC_CTX*')
-- Replace with EVP_MAC_* functions for OpenSSL 3.0
function _M.new(key, typ)
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.HMAC_CTX_new()
ffi_gc(ctx, C.HMAC_CTX_free)
elseif OPENSSL_10 then
ctx = ffi.new('HMAC_CTX')
C.HMAC_CTX_init(ctx)
ffi_gc(ctx, C.HMAC_CTX_cleanup)
end
local ctx = C.HMAC_CTX_new()
if ctx == nil then
return nil, "hmac.new: failed to create HMAC_CTX"
end
ffi_gc(ctx, C.HMAC_CTX_free)
local algo = C.EVP_get_digestbyname(typ or 'sha1')
if algo == nil then

30
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/asn1.lua vendored
View file

@ -54,38 +54,10 @@ declare_asn1_functions("ASN1_OBJECT")
declare_asn1_functions("ASN1_STRING")
declare_asn1_functions("ASN1_ENUMERATED")
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
local ASN1_STRING_get0_data
if OPENSSL_11_OR_LATER then
ffi.cdef[[
const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
]]
ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
elseif OPENSSL_10 then
ffi.cdef[[
unsigned char *ASN1_STRING_data(ASN1_STRING *x);
typedef struct ASN1_ENCODING_st {
unsigned char *enc; /* DER encoding */
long len; /* Length of encoding */
int modified; /* set to 1 if 'enc' is invalid */
} ASN1_ENCODING;
]]
ASN1_STRING_get0_data = C.ASN1_STRING_data
end
if BORINGSSL_110 then
ffi.cdef [[
// required by resty/openssl/include/x509/crl.lua
typedef struct ASN1_ENCODING_st {
unsigned char *enc; /* DER encoding */
long len; /* Length of encoding */
int modified; /* set to 1 if 'enc' is invalid */
} ASN1_ENCODING;
]]
end
local ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
return {
ASN1_STRING_get0_data = ASN1_STRING_get0_data,

2
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/bio.lua vendored
View file

@ -9,5 +9,5 @@ ffi.cdef [[
BIO *BIO_new(const BIO_METHOD *type);
int BIO_free(BIO *a);
const BIO_METHOD *BIO_s_mem(void);
int BIO_read(BIO *b, void *data, int dlen);
// int BIO_read(BIO *b, void *data, int dlen);
]]

2
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/bn.lua vendored
View file

@ -16,7 +16,7 @@ ffi.cdef(
void BN_free(BIGNUM *a);
BN_CTX *BN_CTX_new(void);
void BN_CTX_init(BN_CTX *c);
// void BN_CTX_init(BN_CTX *c);
void BN_CTX_free(BN_CTX *c);
BIGNUM *BN_dup(const BIGNUM *a);

34
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/crypto.lua vendored
View file

@ -1,37 +1,19 @@
local ffi = require "ffi"
local C = ffi.C
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local OPENSSL_free
if OPENSSL_10 then
ffi.cdef [[
void CRYPTO_free(void *ptr);
]]
OPENSSL_free = C.CRYPTO_free
elseif BORINGSSL then
ffi.cdef [[
void OPENSSL_free(void *ptr);
]]
OPENSSL_free = C.OPENSSL_free
elseif OPENSSL_11_OR_LATER then
ffi.cdef [[
void CRYPTO_free(void *ptr, const char *file, int line);
]]
OPENSSL_free = function(ptr)
-- file and line is for debuggin only, since we can't know the c file info
-- the macro is expanded, just ignore this
C.CRYPTO_free(ptr, "", 0)
end
end
ffi.cdef [[
int FIPS_mode(void);
int FIPS_mode_set(int ONOFF);
void CRYPTO_free(void *ptr, const char *file, int line);
]]
local OPENSSL_free = function(ptr)
-- file and line is for debuggin only, since we can't know the c file info
-- the macro is expanded, just ignore this
C.CRYPTO_free(ptr, "", 0)
end
return {
OPENSSL_free = OPENSSL_free,
}

35
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/dh.lua vendored
View file

@ -3,10 +3,7 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.objects"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
if OPENSSL_11_OR_LATER then
ffi.cdef [[
void DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
@ -14,39 +11,7 @@ if OPENSSL_11_OR_LATER then
void DH_get0_key(const DH *dh,
const BIGNUM **pub_key, const BIGNUM **priv_key);
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
]]
elseif OPENSSL_10 then
ffi.cdef [[
struct dh_st {
/*
* This first argument is used to pick up errors when a DH is passed
* instead of a EVP_PKEY
*/
int pad;
int version;
BIGNUM *p;
BIGNUM *g;
long length; /* optional */
BIGNUM *pub_key; /* g^x */
BIGNUM *priv_key; /* x */
int flags;
/*BN_MONT_CTX*/ void *method_mont_p;
/* Place holders if we want to do X9.42 DH */
BIGNUM *q;
BIGNUM *j;
unsigned char *seed;
int seedlen;
BIGNUM *counter;
int references;
/* trimmer */
// CRYPTO_EX_DATA ex_data;
// const DH_METHOD *meth;
// ENGINE *engine;
};
]]
end
ffi.cdef [[
DH *DH_get_1024_160(void);
DH *DH_get_2048_224(void);
DH *DH_get_2048_256(void);

12
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/ec.lua vendored
View file

@ -23,23 +23,13 @@ ffi.cdef [[
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
point_conversion_form_t form);
void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
// void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
int EC_GROUP_get_curve_name(const EC_GROUP *group);
void EC_GROUP_free(EC_GROUP *group);
BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
point_conversion_form_t form, BIGNUM *, BN_CTX *);
// for BoringSSL
size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
point_conversion_form_t form,
unsigned char *buf, size_t len, BN_CTX *ctx);
// OpenSSL < 1.1.1
int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
const EC_POINT *p,
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
// OpenSSL >= 1.1.1
int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn,

15
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp.lua vendored
View file

@ -6,21 +6,7 @@ require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.err"
require "resty.openssl.include.objects"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
unsigned iterations, const EVP_MD *digest,
size_t key_len, uint8_t *out_key);
int EVP_PBE_scrypt(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
uint64_t N, uint64_t r, uint64_t p,
size_t max_mem, uint8_t *out_key,
size_t key_len);
]]
else
ffi.cdef [[
/* KDF */
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
@ -32,7 +18,6 @@ else
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen);
]]
end
if OPENSSL_3X then
require "resty.openssl.include.provider"

74
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp/cipher.lua vendored
View file

@ -1,25 +1,22 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
// openssl < 3.0
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
// int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
// int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
// int *outl, const unsigned char *in, int inl);
// int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
// int *outl, const unsigned char *in, int inl);
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,
@ -38,24 +35,14 @@ ffi.cdef [[
void EVP_CIPHER_do_all_sorted(void (*fn)
(const EVP_CIPHER *ciph, const char *from,
const char *to, void *x), void *arg);
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
]]
if BORINGSSL then
ffi.cdef [[
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const uint8_t *salt, const uint8_t *data,
size_t data_len, unsigned count, uint8_t *key,
uint8_t *iv);
]]
else
ffi.cdef [[
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const unsigned char *salt,
const unsigned char *data, int datal, int count,
unsigned char *key, unsigned char *iv);
]]
end
if OPENSSL_3X then
require "resty.openssl.include.provider"
@ -75,8 +62,8 @@ if OPENSSL_3X then
void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_cipher_provided_list_fn*,
void *arg);
int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
void EVP_CIPHER_free(EVP_CIPHER *cipher);
// int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
// void EVP_CIPHER_free(EVP_CIPHER *cipher);
const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher);
@ -85,39 +72,12 @@ if OPENSSL_3X then
int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
]]
end
if OPENSSL_11_OR_LATER then
else
ffi.cdef [[
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
]]
elseif OPENSSL_10 then
ffi.cdef [[
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
// # define EVP_MAX_IV_LENGTH 16
// # define EVP_MAX_BLOCK_LENGTH 32
struct evp_cipher_ctx_st {
const EVP_CIPHER *cipher;
ENGINE *engine; /* functional reference if 'cipher' is
* ENGINE-provided */
int encrypt; /* encrypt or decrypt */
int buf_len; /* number we have left */
unsigned char oiv[16]; /* original iv EVP_MAX_IV_LENGTH */
unsigned char iv[16]; /* working iv EVP_MAX_IV_LENGTH */
unsigned char buf[32]; /* saved partial block EVP_MAX_BLOCK_LENGTH */
int num; /* used by cfb/ofb/ctr mode */
void *app_data; /* application stuff */
int key_len; /* May change for variable length cipher */
unsigned long flags; /* Various flags */
void *cipher_data; /* per EVP data */
int final_used;
int block_mask;
unsigned char final[32]; /* possible final block EVP_MAX_BLOCK_LENGTH */
} /* EVP_CIPHER_CTX */ ;
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
]]
end

7
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp/kdf.lua vendored
View file

@ -7,7 +7,6 @@ require "resty.openssl.include.evp.md"
local evp = require("resty.openssl.include.evp")
local ctypes = require "resty.openssl.auxiliary.ctypes"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local void_ptr = ctypes.void_ptr
@ -27,7 +26,7 @@ if OPENSSL_3X then
void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_kdf_provided_list_fn*,
void *arg);
int EVP_KDF_up_ref(EVP_KDF *kdf);
// int EVP_KDF_up_ref(EVP_KDF *kdf);
void EVP_KDF_free(EVP_KDF *kdf);
const char *EVP_KDF_get0_name(const EVP_KDF *kdf);
@ -46,11 +45,7 @@ if OPENSSL_3X then
int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]);
const OSSL_PARAM *EVP_KDF_CTX_gettable_params(const EVP_KDF_CTX *ctx);
const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF_CTX *ctx);
]]
end
if OPENSSL_3X or BORINGSSL then
ffi.cdef [[
int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx,
const unsigned char *sec, int seclen);

2
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp/mac.lua vendored
View file

@ -26,7 +26,7 @@ ffi.cdef [[
void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_mac_provided_list_fn*,
void *arg);
int EVP_MAC_up_ref(EVP_MAC *mac);
// int EVP_MAC_up_ref(EVP_MAC *mac);
void EVP_MAC_free(EVP_MAC *mac);
const char *EVP_MAC_get0_name(const EVP_MAC *mac);

39
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp/md.lua vendored
View file

@ -1,8 +1,6 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
ffi.cdef [[
@ -19,9 +17,9 @@ ffi.cdef [[
unsigned int *s);
const EVP_MD *EVP_md_null(void);
// openssl < 3.0
int EVP_MD_size(const EVP_MD *md);
int EVP_MD_type(const EVP_MD *md);
EVP_MD_CTX *EVP_MD_CTX_new(void);
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
typedef void* fake_openssl_md_list_fn(const EVP_MD *ciph, const char *from,
const char *to, void *x);
@ -45,7 +43,7 @@ if OPENSSL_3X then
void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_md_provided_list_fn*,
void *arg);
int EVP_MD_up_ref(EVP_MD *md);
// int EVP_MD_up_ref(EVP_MD *md);
void EVP_MD_free(EVP_MD *md);
const char *EVP_MD_get0_name(const EVP_MD *md);
@ -55,32 +53,9 @@ if OPENSSL_3X then
int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx);
]]
end
if OPENSSL_11_OR_LATER then
else
ffi.cdef [[
EVP_MD_CTX *EVP_MD_CTX_new(void);
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
]]
elseif OPENSSL_10 then
ffi.cdef [[
EVP_MD_CTX *EVP_MD_CTX_create(void);
void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
// crypto/evp/evp.h
// only needed for openssl 1.0.x where initializer for HMAC_CTX is not avaiable
// HACK: renamed from env_md_ctx_st to evp_md_ctx_st to match typedef (lazily)
// it's an internal struct thus name is not exported so we will be fine
struct evp_md_ctx_st {
const EVP_MD *digest;
ENGINE *engine; /* functional reference if 'digest' is
* ENGINE-provided */
unsigned long flags;
void *md_data;
/* Public key context for sign/verify */
EVP_PKEY_CTX *pctx;
/* Update function: usually copied from EVP_MD */
int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
} /* EVP_MD_CTX */ ;
int EVP_MD_size(const EVP_MD *md);
int EVP_MD_type(const EVP_MD *md);
]]
end

66
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/evp/pkey.lua vendored
View file

@ -4,9 +4,7 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.evp.md"
local evp = require("resty.openssl.include.evp")
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
EVP_PKEY *EVP_PKEY_new(void);
@ -28,8 +26,8 @@ ffi.cdef [[
int cmd, int p1, void *p2);
// TODO replace EVP_PKEY_CTX_ctrl with EVP_PKEY_CTX_ctrl_str to reduce
// some hardcoded macros
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
const char *value);
// int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
// const char *value);
int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
@ -85,6 +83,8 @@ ffi.cdef [[
int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
]]
local _M = {}
if OPENSSL_3X then
require "resty.openssl.include.provider"
@ -94,55 +94,6 @@ if OPENSSL_3X then
int EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_get_size(const EVP_PKEY *pkey);
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
]]
end
if OPENSSL_10 then
ffi.cdef [[
// crypto/evp/evp.h
// only needed for openssl 1.0.x where getters are not available
// needed to get key to extract parameters
// Note: this struct is trimmed
struct evp_pkey_st {
int type;
int save_type;
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *engine;
ENGINE *pmeth_engine;
union {
void *ptr;
struct rsa_st *rsa;
struct dsa_st *dsa;
struct dh_st *dh;
struct ec_key_st *ec;
} pkey;
// trimmed
// CRYPTO_REF_COUNT references;
// CRYPTO_RWLOCK *lock;
// STACK_OF(X509_ATTRIBUTE) *attributes;
// int save_parameters;
// struct {
// EVP_KEYMGMT *keymgmt;
// void *provkey;
// } pkeys[10];
// size_t dirty_cnt_copy;
};
]]
end
local _M = {}
if OPENSSL_3X or BORINGSSL then
ffi.cdef [[
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
@ -153,7 +104,16 @@ if OPENSSL_3X or BORINGSSL then
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits);
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
// const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
]]
_M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid)
return C.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid)
end

31
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/hmac.lua vendored
View file

@ -2,47 +2,16 @@ local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.evp"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl);
]]
else
ffi.cdef [[
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
const EVP_MD *md, ENGINE *impl);
]]
end
ffi.cdef [[
int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
size_t len);
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
unsigned int *len);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
]]
elseif OPENSSL_10 then
ffi.cdef [[
// # define HMAC_MAX_MD_CBLOCK 128/* largest known is SHA512 */
struct hmac_ctx_st {
const EVP_MD *md;
EVP_MD_CTX md_ctx;
EVP_MD_CTX i_ctx;
EVP_MD_CTX o_ctx;
unsigned int key_length;
unsigned char key[128];
};
void HMAC_CTX_init(HMAC_CTX *ctx);
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
]]
end

2
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/param.lua vendored
View file

@ -15,7 +15,7 @@ ffi.cdef [[
OSSL_PARAM OSSL_PARAM_construct_uint(const char *key, unsigned int *buf);
OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
size_t bsize);
OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
// OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf,
size_t bsize);
OSSL_PARAM OSSL_PARAM_construct_octet_string(const char *key, void *buf,

8
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/rand.lua vendored
View file

@ -2,14 +2,8 @@ local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int RAND_bytes(uint8_t *buf, size_t num);
int RAND_priv_bytes(uint8_t *buf, size_t num);
]]
elseif OPENSSL_3X then
if OPENSSL_3X then
ffi.cdef [[
int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num,
unsigned int strength);

39
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/rsa.lua vendored
View file

@ -1,16 +1,11 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
ffi.cdef [[
RSA *RSA_new(void);
void RSA_free(RSA *r);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
@ -23,40 +18,6 @@ if OPENSSL_11_OR_LATER then
int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
struct rsa_st;
]]
elseif OPENSSL_10 then
ffi.cdef [[
// crypto/rsa/rsa_locl.h
// needed to extract parameters
// Note: this struct is trimmed
struct rsa_st {
int pad;
// the following has been changed in OpenSSL 1.1.x to int32_t
long version;
const RSA_METHOD *meth;
ENGINE *engine;
BIGNUM *n;
BIGNUM *e;
BIGNUM *d;
BIGNUM *p;
BIGNUM *q;
BIGNUM *dmp1;
BIGNUM *dmq1;
BIGNUM *iqmp;
// trimmed
// CRYPTO_EX_DATA ex_data;
// int references;
// int flags;
// BN_MONT_CTX *_method_mod_n;
// BN_MONT_CTX *_method_mod_p;
// BN_MONT_CTX *_method_mod_q;
// char *bignum_data;
// BN_BLINDING *blinding;
// BN_BLINDING *mt_blinding;
};
]]
end
return {
paddings = {

30
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/ssl.lua vendored
View file

@ -4,12 +4,11 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.stack"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
// SSL_METHOD
typedef struct ssl_method_st SSL_METHOD;
const SSL_METHOD *TLS_method(void);
// const SSL_METHOD *TLS_method(void);
const SSL_METHOD *TLS_server_method(void);
// SSL_CIPHER
@ -53,7 +52,7 @@ ffi.cdef [[
long SSL_get_options(SSL *ssl);
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_get_ciphers(const SSL *ssl);
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
// /*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
OPENSSL_STACK *SSL_get_peer_cert_chain(const SSL *ssl);
typedef int (*verify_callback)(int preverify_ok, X509_STORE_CTX *x509_ctx);
@ -75,37 +74,16 @@ else
]]
end
if BORINGSSL then
ffi.cdef [[
int SSL_set_min_proto_version(SSL *ssl, int version);
int SSL_set_max_proto_version(SSL *ssl, int version);
]]
end
local SSL_CTRL_SET_MIN_PROTO_VERSION = 123
local SSL_CTRL_SET_MAX_PROTO_VERSION = 124
local SSL_set_min_proto_version
if BORINGSSL then
SSL_set_min_proto_version = function(ctx, version)
return C.SSL_set_min_proto_version(ctx, version)
end
else
SSL_set_min_proto_version = function(ctx, version)
local SSL_set_min_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil)
end
end
local SSL_set_max_proto_version
if BORINGSSL then
SSL_set_max_proto_version = function(ctx, version)
return C.SSL_set_max_proto_version(ctx, version)
end
else
SSL_set_max_proto_version = function(ctx, version)
local SSL_set_max_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil)
end
end
return {
SSL_set_min_proto_version = SSL_set_min_proto_version,

67
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/stack.lua vendored
View file

@ -6,21 +6,11 @@
]]
local ffi = require "ffi"
local C = ffi.C
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
ffi.cdef [[
typedef char *OPENSSL_STRING;
]]
if OPENSSL_11_OR_LATER and not BORINGSSL then
ffi.cdef [[
typedef struct stack_st OPENSSL_STACK;
OPENSSL_STACK *OPENSSL_sk_new_null(void);
@ -30,7 +20,7 @@ if OPENSSL_11_OR_LATER and not BORINGSSL then
void *OPENSSL_sk_value(const OPENSSL_STACK *, int);
OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
void OPENSSL_sk_free(OPENSSL_STACK *);
void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
// void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
typedef void (*OPENSSL_sk_freefunc)(void *);
typedef void *(*OPENSSL_sk_copyfunc)(const void *);
@ -38,58 +28,3 @@ if OPENSSL_11_OR_LATER and not BORINGSSL then
OPENSSL_sk_copyfunc c,
OPENSSL_sk_freefunc f);
]]
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
_M.OPENSSL_sk_new_null = C.OPENSSL_sk_new_null
_M.OPENSSL_sk_push = C.OPENSSL_sk_push
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
_M.OPENSSL_sk_num = C.OPENSSL_sk_num
_M.OPENSSL_sk_value = C.OPENSSL_sk_value
_M.OPENSSL_sk_dup = C.OPENSSL_sk_dup
_M.OPENSSL_sk_delete = C.OPENSSL_sk_delete
_M.OPENSSL_sk_free = C.OPENSSL_sk_free
_M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy
elseif OPENSSL_10 or BORINGSSL then
ffi.cdef [[
typedef struct stack_st _STACK;
// i made this up
typedef struct stack_st OPENSSL_STACK;
_STACK *sk_new_null(void);
void sk_pop_free(_STACK *st, void (*func) (void *));
_STACK *sk_dup(_STACK *st);
void sk_free(_STACK *st);
_STACK *sk_deep_copy(_STACK *, void *(*)(void *), void (*)(void *));
]]
if BORINGSSL then -- indices are using size_t instead of int
ffi.cdef [[
size_t sk_push(_STACK *st, void *data);
size_t sk_num(const _STACK *);
void *sk_value(const _STACK *, size_t);
void *sk_delete(_STACK *st, size_t loc);
]]
else -- normal OpenSSL 1.0
ffi.cdef [[
int sk_push(_STACK *st, void *data);
int sk_num(const _STACK *);
void *sk_value(const _STACK *, int);
void *sk_delete(_STACK *st, int loc);
]]
end
_M.OPENSSL_sk_pop_free = C.sk_pop_free
_M.OPENSSL_sk_new_null = C.sk_new_null
_M.OPENSSL_sk_push = function(...) return tonumber(C.sk_push(...)) end
_M.OPENSSL_sk_pop_free = C.sk_pop_free
_M.OPENSSL_sk_num = function(...) return tonumber(C.sk_num(...)) end
_M.OPENSSL_sk_value = C.sk_value
_M.OPENSSL_sk_delete = C.sk_delete
_M.OPENSSL_sk_dup = C.sk_dup
_M.OPENSSL_sk_free = C.sk_free
_M.OPENSSL_sk_deep_copy = C.sk_deep_copy
end
return _M

39
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/x509/crl.lua vendored
View file

@ -8,10 +8,6 @@ require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509_CRL", asn1_macro.has_new_ex)
ffi.cdef [[
@ -22,7 +18,7 @@ ffi.cdef [[
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
// void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
@ -35,17 +31,14 @@ ffi.cdef [[
int X509_CRL_get0_by_serial(X509_CRL *crl,
X509_REVOKED **ret, ASN1_INTEGER *serial);
int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
// int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
//STACK_OF(X509_REVOKED)
OPENSSL_STACK *X509_CRL_get_REVOKED(X509_CRL *crl);
int X509_CRL_get0_by_serial(X509_CRL *crl,
X509_REVOKED **ret, ASN1_INTEGER *serial);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
/*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
@ -56,31 +49,3 @@ if OPENSSL_11_OR_LATER then
int X509_CRL_get_signature_nid(const X509_CRL *crl);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
ffi.cdef [[
typedef struct X509_crl_info_st {
ASN1_INTEGER *version;
X509_ALGOR *sig_alg;
X509_NAME *issuer;
ASN1_TIME *lastUpdate;
ASN1_TIME *nextUpdate;
// STACK_OF(X509_REVOKED)
OPENSSL_STACK *revoked;
// STACK_OF(X509_EXTENSION)
OPENSSL_STACK /* [0] */ *extensions;
ASN1_ENCODING enc;
} X509_CRL_INFO;
// Note: this struct is trimmed
struct X509_crl_st {
/* actual signature */
X509_CRL_INFO *crl;
// trimmed
} /* X509_CRL */ ;
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
]]
end

39
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/x509/csr.lua vendored
View file

@ -8,10 +8,7 @@ require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509_REQ", asn1_macro.has_new_ex)
@ -23,18 +20,17 @@ ffi.cdef [[
int X509_REQ_set_version(X509_REQ *x, long version);
int X509_REQ_get_attr_count(const X509_REQ *req);
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
// int X509_REQ_get_attr_count(const X509_REQ *req);
// int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
int *X509_REQ_get_extension_nids(void);
// int *X509_REQ_get_extension_nids(void);
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@ -48,41 +44,16 @@ ffi.cdef [[
int X509_REQ_add_extensions(X509_REQ *req, OPENSSL_STACK *exts);
int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
long X509_REQ_get_version(const X509_REQ *req);
int X509_REQ_get_signature_nid(const X509_REQ *crl);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
ffi.cdef [[
typedef struct X509_req_info_st {
ASN1_ENCODING enc;
ASN1_INTEGER *version;
X509_NAME *subject;
/*X509_PUBKEY*/ void *pubkey;
/* d=2 hl=2 l= 0 cons: cont: 00 */
/*STACK_OF(X509_ATTRIBUTE)*/ OPENSSL_STACK *attributes; /* [ 0 ] */
} X509_REQ_INFO;
// Note: this struct is trimmed
typedef struct X509_req_st {
X509_REQ_INFO *req_info;
X509_ALGOR *sig_alg;
// trimmed
//ASN1_BIT_STRING *signature;
//int references;
} X509_REQ;
]]
end
if OPENSSL_3X then
ffi.cdef [[
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
const char *propq);
// int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
// const char *propq);
]]
end

63
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/x509/init.lua vendored
View file

@ -6,10 +6,6 @@ require "resty.openssl.include.pem"
require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509", asn1_macro.has_new_ex)
ffi.cdef [[
@ -65,12 +61,9 @@ ffi.cdef [[
int X509_get_signature_nid(const X509 *x);
unsigned char *X509_alias_get0(X509 *x, int *len);
unsigned char *X509_keyid_get0(X509 *x, int *len);
// unsigned char *X509_keyid_get0(X509 *x, int *len);
int X509_check_private_key(X509 *x, EVP_PKEY *k);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
int X509_up_ref(X509 *a);
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
@ -82,57 +75,3 @@ if OPENSSL_11_OR_LATER then
X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
]]
elseif OPENSSL_10 then
ffi.cdef [[
// STACK_OF(X509_EXTENSION)
X509_EXTENSION *X509v3_delete_ext(OPENSSL_STACK *x, int loc);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
ffi.cdef [[
// crypto/x509/x509.h
typedef struct X509_val_st {
ASN1_TIME *notBefore;
ASN1_TIME *notAfter;
} X509_VAL;
typedef struct X509_algor_st {
ASN1_OBJECT *algorithm;
ASN1_TYPE *parameter;
} X509_ALGOR;
// Note: this struct is trimmed
typedef struct x509_cinf_st {
/*ASN1_INTEGER*/ void *version;
/*ASN1_INTEGER*/ void *serialNumber;
X509_ALGOR *signature;
X509_NAME *issuer;
X509_VAL *validity;
X509_NAME *subject;
/*X509_PUBKEY*/ void *key;
/*ASN1_BIT_STRING*/ void *issuerUID; /* [ 1 ] optional in v2 */
/*ASN1_BIT_STRING*/ void *subjectUID; /* [ 2 ] optional in v2 */
/*STACK_OF(X509_EXTENSION)*/ OPENSSL_STACK *extensions; /* [ 3 ] optional in v3 */
// trimmed
// ASN1_ENCODING enc;
} X509_CINF;
// Note: this struct is trimmed
struct x509_st {
X509_CINF *cert_info;
// trimmed
} X509;
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
ASN1_INTEGER *X509_get_serialNumber(X509 *x);
]]
end
if BORINGSSL_110 then
ffi.cdef [[
ASN1_TIME *X509_get_notBefore(const X509 *x);
ASN1_TIME *X509_get_notAfter(const X509 *x);
]]
end

64
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/x509_vfy.lua vendored
View file

@ -3,20 +3,16 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.stack"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
ffi.cdef [[
X509_STORE *X509_STORE_new(void);
void X509_STORE_free(X509_STORE *v);
/* int X509_STORE_lock(X509_STORE *ctx);
int X509_STORE_unlock(X509_STORE *ctx);
int X509_STORE_up_ref(X509_STORE *v);
// int X509_STORE_lock(X509_STORE *ctx);
// int X509_STORE_unlock(X509_STORE *ctx);
// int X509_STORE_up_ref(X509_STORE *v);
// STACK_OF(X509_OBJECT)
OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);*/
// OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
@ -39,14 +35,25 @@ ffi.cdef [[
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
// int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
// STACK_OF(X509_CRL)
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
// void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
int X509_PURPOSE_get_by_sname(char *sname);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
int X509_PURPOSE_get_id(const X509_PURPOSE *xp);
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]]
local _M = {
@ -76,45 +83,16 @@ local _M = {
},
}
if OPENSSL_10 or BORINGSSL_110 then
ffi.cdef [[
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
]];
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get_chain
elseif OPENSSL_11_OR_LATER then
ffi.cdef [[
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get0_chain
end
-- these two apis are supported from 1.1.0 but not supported by boringssl
if not BORINGSSL then
if OPENSSL_11_OR_LATER then
ffi.cdef [[
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
end
end
if OPENSSL_3X then
ffi.cdef [[
X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
const char *propq);
/* int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
OSSL_LIB_CTX *libctx, const char *propq); */
// int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
// OSSL_LIB_CTX *libctx, const char *propq);
// int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
// OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
const char *dir, OSSL_LIB_CTX *libctx,
const char *propq);

4
src/deps/src/lua-resty-openssl/lib/resty/openssl/include/x509v3.lua vendored
View file

@ -61,8 +61,8 @@ ffi.cdef [[
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
const char *value);
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
const char *value);
// X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
// const char *value);
int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
int indent);

32
src/deps/src/lua-resty-openssl/lib/resty/openssl/kdf.lua vendored
View file

@ -10,9 +10,7 @@ require("resty.openssl.include.evp.pkey")
local kdf_macro = require "resty.openssl.include.evp.kdf"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local version_num = require("resty.openssl.version").version_num
local version_text = require("resty.openssl.version").version_text
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local ctypes = require "resty.openssl.auxiliary.ctypes"
@ -26,23 +24,17 @@ OpenSSL 3.0 additionally provides Single Step KDF, SSH KDF, PBKDF2, Scrypt, HKDF
From OpenSSL 3.0 the recommended way of performing key derivation is to use the EVP_KDF functions. If compatibility with OpenSSL 1.1.1 is required then a limited set of KDFs can be used via EVP_PKEY_derive.
]]
local NID_id_pbkdf2 = -1
local NID_id_scrypt = -2
local NID_tls1_prf = -3
local NID_hkdf = -4
if version_num >= 0x10002000 then
NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
local NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
assert(NID_id_pbkdf2 > 0)
end
if version_num >= 0x10100000 and not BORINGSSL then
NID_hkdf = C.OBJ_txt2nid("HKDF")
local NID_hkdf = C.OBJ_txt2nid("HKDF")
assert(NID_hkdf > 0)
NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
local NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
assert(NID_tls1_prf > 0)
-- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0
NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
local NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
assert(NID_id_scrypt > 0)
end
local _M = {
HKDEF_MODE_EXTRACT_AND_EXPAND = kdf_macro.EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND,
@ -93,7 +85,7 @@ end
local function check_hkdf_options(opt)
local mode = opt.hkdf_mode
if not mode or version_num < 0x10101000 then
if not mode then
mode = _M.HKDEF_MODE_EXTRACT_AND_EXPAND
end
@ -184,11 +176,6 @@ function _M.derive(options)
-- begin legacay low level routines
local code
if typ == NID_id_pbkdf2 then
-- make openssl 1.0.2 happy
if version_num < 0x10100000 and not options.pass then
options.pass = ""
pass_len = 0
end
-- https://www.openssl.org/docs/man1.1.0/man3/PKCS5_PBKDF2_HMAC.html
local iter = options.pbkdf2_iter
if iter < 1 then
@ -257,7 +244,6 @@ function _M.derive(options)
return nil, format_error("kdf.derive: EVP_PKEY_CTX_add1_hkdf_info")
end
if options.hkdf_mode then
if version_num >= 0x10101000 then
if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then
return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode")
end
@ -271,9 +257,6 @@ function _M.derive(options)
outlen[0] = md_size
buf = ctypes.uchar_array(md_size)
end
else
ngx.log(ngx.WARN, "hkdf_mode is not effective in ", version_text)
end
end
else
return nil, string.format("kdf.derive: unknown type %d", typ)
@ -307,6 +290,7 @@ function _M.new(typ, properties)
if algo == nil then
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
end
ffi_gc(algo, C.EVP_KDF_free)
local ctx = C.EVP_KDF_CTX_new(algo)
if ctx == nil then

1
src/deps/src/lua-resty-openssl/lib/resty/openssl/mac.lua vendored
View file

@ -29,6 +29,7 @@ function _M.new(key, typ, cipher, digest, properties)
if algo == nil then
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
end
ffi_gc(algo, C.EVP_MAC_free)
local ctx = C.EVP_MAC_CTX_new(algo)
if ctx == nil then

14
src/deps/src/lua-resty-openssl/lib/resty/openssl/pkcs12.lua vendored
View file

@ -5,15 +5,14 @@ local ffi_str = ffi.string
require "resty.openssl.include.pkcs12"
require "resty.openssl.include.bio"
require "resty.openssl.include.stack"
local bio_util = require "resty.openssl.auxiliary.bio"
local format_error = require("resty.openssl.err").format_error
local pkey_lib = require "resty.openssl.pkey"
local x509_lib = require "resty.openssl.x509"
local stack_macro = require "resty.openssl.include.stack"
local stack_lib = require "resty.openssl.stack"
local objects_lib = require "resty.openssl.objects"
local ctx_lib = require "resty.openssl.ctx"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local stack_of_x509_new = stack_lib.new_of("X509")
@ -54,7 +53,7 @@ local function decode(p12, passphrase)
end
local cacerts
local n = stack_macro.OPENSSL_sk_num(stack)
local n = C.OPENSSL_sk_num(stack)
if n > 0 then
cacerts = {}
local iter = stack_of_x509_iter({ ctx = stack })
@ -123,23 +122,14 @@ local function encode(opts, passphrase, properties)
-- stack lib handles gc
x509stack = stack_of_x509_new()
for _, c in ipairs(cacerts) do
if not OPENSSL_10 then
if C.X509_up_ref(c.ctx) ~= 1 then
return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed"
end
end
local ok, err = stack_of_x509_add(x509stack, c.ctx)
if not ok then
return nil, "pkcs12.encode: failed to add cacerts: " .. err
end
end
if OPENSSL_10 then
-- OpenSSL 1.0.2 doesn't have X509_up_ref
-- shallow copy the stack, up_ref for each element
x509stack = C.X509_chain_up_ref(x509stack)
-- use the shallow gc
ffi_gc(x509stack, stack_macro.OPENSSL_sk_free)
end
end
end

49
src/deps/src/lua-resty-openssl/lib/resty/openssl/pkey.lua vendored
View file

@ -27,10 +27,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
local ecdsa_util = require "resty.openssl.auxiliary.ecdsa"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_111_OR_LATER = require("resty.openssl.version").OPENSSL_111_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local ptr_of_uint = ctypes.ptr_of_uint
local ptr_of_size_t = ctypes.ptr_of_size_t
@ -40,20 +37,11 @@ local null = ctypes.null
local load_pem_args = { null, null, null }
local load_der_args = { null }
local get_pkey_key
if OPENSSL_11_OR_LATER then
get_pkey_key = {
local get_pkey_key = {
[evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end,
[evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end,
[evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end
}
else
get_pkey_key = {
[evp_macro.EVP_PKEY_RSA] = function(ctx) return ctx.pkey and ctx.pkey.rsa end,
[evp_macro.EVP_PKEY_EC] = function(ctx) return ctx.pkey and ctx.pkey.ec end,
[evp_macro.EVP_PKEY_DH] = function(ctx) return ctx.pkey and ctx.pkey.dh end,
}
end
local load_rsa_key_funcs
@ -212,17 +200,18 @@ local function generate_param(key_type, config)
if nid == 0 then
return nil, "unknown curve " .. curve
end
if pkey_macro.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 then
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: curve_nid")
end
if not BORINGSSL then
-- use the named-curve encoding for best backward-compatibilty
-- and for playing well with go:crypto/x509
-- # define OPENSSL_EC_NAMED_CURVE 0x001
if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
end
end
elseif key_type == evp_macro.EVP_PKEY_DH then
local bits = config.bits
if not config.param and not bits then
@ -530,10 +519,6 @@ function _M:get_key_type()
end
function _M:get_default_digest_type()
if BORINGSSL then
return nil, "BoringSSL doesn't have default digest for pkey"
end
local nid = ptr_of_int()
local code = C.EVP_PKEY_get_default_digest_nid(self.ctx, nid)
if code == -2 then
@ -788,14 +773,6 @@ function _M:sign(digest, md_alg, padding, opts)
end
ret = ffi_str(self.buf, length[0])
elseif type(digest) == "string" then
if not OPENSSL_111_OR_LATER and not BORINGSSL then
-- we can still support earilier version with *Update and *Final
-- but we choose to not relying on the legacy interface for simplicity
return nil, "pkey:sign: new-style sign only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
return nil, "pkey:sign: BoringSSL doesn't provide default digest, md_alg must be specified"
end
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestSignInit, md_alg, padding, opts)
if err then
return nil, err
@ -811,10 +788,6 @@ function _M:sign(digest, md_alg, padding, opts)
end
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
if not OPENSSL_11_OR_LATER then
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
end
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
ret, err = ecdsa_util.sig_der2raw(ret, ec_key)
@ -833,10 +806,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
local err
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
if not OPENSSL_11_OR_LATER then
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
end
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
signature, err = ecdsa_util.sig_raw2der(signature, ec_key)
@ -849,14 +818,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
if digest_lib.istype(digest) then
code = C.EVP_VerifyFinal(digest.ctx, signature, #signature, self.ctx)
elseif type(digest) == "string" then
if not OPENSSL_111_OR_LATER and not BORINGSSL then
-- we can still support earilier version with *Update and *Final
-- but we choose to not relying on the legacy interface for simplicity
return nil, "pkey:verify: new-style verify only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
return nil, "pkey:verify: BoringSSL doesn't provide default digest, md_alg must be specified"
end
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestVerifyInit, md_alg, padding, opts)
if err then
return nil, err
@ -868,7 +829,7 @@ function _M:verify(signature, digest, md_alg, padding, opts)
end
if code == 0 then
return false, nil
return false, format_error("pkey:verify")
elseif code == 1 then
return true, nil
end

50
src/deps/src/lua-resty-openssl/lib/resty/openssl/rsa.lua vendored
View file

@ -2,9 +2,6 @@ local ffi = require "ffi"
local C = ffi.C
local bn_lib = require "resty.openssl.bn"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,51 +15,29 @@ function _M.get_parameters(rsa_st)
return setmetatable(empty_table, {
__index = function(_, k)
local ptr, ret
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
if k == 'n' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, ptr, nil, nil)
end
elseif k == 'e' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, nil, ptr, nil)
end
elseif k == 'd' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, nil, nil, ptr)
end
elseif k == 'p' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_factors(rsa_st, ptr, nil)
end
elseif k == 'q' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_factors(rsa_st, nil, ptr)
end
elseif k == 'dmp1' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, ptr, nil, nil)
end
elseif k == 'dmq1' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, nil, ptr, nil)
end
elseif k == 'iqmp' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, nil, nil, ptr)
end
else
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
end
if OPENSSL_11_OR_LATER then
ret = ptr[0]
elseif OPENSSL_10 then
ret = rsa_st[k]
end
if ret == nil then
return nil
@ -91,11 +66,14 @@ function _M.set_parameters(rsa_st, opts)
local cleanup_from_idx = 1
-- dup input
local do_set_key, do_set_factors, do_set_crt_params
while true do -- luacheck: ignore
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
-- luacheck: ignore
err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
goto cleanup_with_error
break
end
if k == "n" or k == "e" or k == "d" then
do_set_key = true
@ -105,7 +83,7 @@ function _M.set_parameters(rsa_st, opts)
do_set_crt_params = true
end
end
if OPENSSL_11_OR_LATER then
-- "The values n and e must be non-NULL the first time this function is called on a given RSA object."
-- thus we force to set them together
local code
@ -113,37 +91,31 @@ function _M.set_parameters(rsa_st, opts)
code = C.RSA_set0_key(rsa_st, opts_bn["n"], opts_bn["e"], opts_bn["d"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_key")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 3
if do_set_factors then
code = C.RSA_set0_factors(rsa_st, opts_bn["p"], opts_bn["q"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_factors")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 2
if do_set_crt_params then
code = C.RSA_set0_crt_params(rsa_st, opts_bn["dmp1"], opts_bn["dmq1"], opts_bn["iqmp"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_crt_params")
goto cleanup_with_error
break
end
end
return true
elseif OPENSSL_10 then
for k, v in pairs(opts_bn) do
if rsa_st[k] ~= nil then
C.BN_free(rsa_st[k])
end
rsa_st[k]= v
end
return true
end
::cleanup_with_error::
for i, k in pairs(_M.params) do
if i >= cleanup_from_idx then
C.BN_free(opts_bn[k])

24
src/deps/src/lua-resty-openssl/lib/resty/openssl/ssl.lua vendored
View file

@ -10,7 +10,6 @@ local x509_lib = require("resty.openssl.x509")
local chain_lib = require("resty.openssl.x509.chain")
local stack_lib = require("resty.openssl.stack")
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local format_error = require("resty.openssl.err").format_error
local _M = {
@ -265,22 +264,13 @@ function _M:set_options(...)
bitmask = bit.bor(bitmask, opt)
end
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 32, bitmask, nil) -- SSL_CTRL_OPTIONS
else
bitmask = C.SSL_set_options(self.ctx, bitmask)
end
return tonumber(bitmask)
end
function _M:get_options(readable)
local bitmask
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 32, 0, nil) -- SSL_CTRL_OPTIONS
else
bitmask = C.SSL_get_options(self.ctx)
end
local bitmask = C.SSL_get_options(self.ctx)
if not readable then
return tonumber(bitmask)
@ -303,11 +293,7 @@ function _M:clear_options(...)
bitmask = bit.bor(bitmask, opt)
end
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 77, bitmask, nil) -- SSL_CTRL_CLEAR_OPTIONS
else
bitmask = C.SSL_clear_options(self.ctx, bitmask)
end
return tonumber(bitmask)
end
@ -336,18 +322,10 @@ function _M:set_protocols(...)
end
-- first disable all protocols
if OPENSSL_10 then
C.SSL_ctrl(self.ctx, 32, ops.SSL_OP_NO_SSL_MASK, nil) -- SSL_CTRL_OPTIONS
else
C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK)
end
-- then enable selected protocols
if OPENSSL_10 then
return tonumber(C.SSL_clear_options(self.ctx, bitmask))
else
return tonumber(C.SSL_ctrl(self.ctx, 77, bitmask, nil)) -- SSL_CTRL_CLEAR_OPTIONS)
end
end
return _M

22
src/deps/src/lua-resty-openssl/lib/resty/openssl/stack.lua vendored
View file

@ -10,7 +10,7 @@ local C = ffi.C
local ffi_cast = ffi.cast
local ffi_gc = ffi.gc
local stack_macro = require "resty.openssl.include.stack"
require "resty.openssl.include.stack"
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,7 +18,7 @@ local _M = {}
local function gc_of(typ)
local f = C[typ .. "_free"]
return function (st)
stack_macro.OPENSSL_sk_pop_free(st, f)
C.OPENSSL_sk_pop_free(st, f)
end
end
@ -35,7 +35,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
-- starts from 0
local function value_at(ctx, i)
local elem = stack_macro.OPENSSL_sk_value(ctx, i)
local elem = C.OPENSSL_sk_value(ctx, i)
if elem == nil then
error(format_error("OPENSSL_sk_value"))
end
@ -49,7 +49,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
local function iter(tbl)
if not tbl then error("instance is nil") end
local i = 0
local n = tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
local n = tonumber(C.OPENSSL_sk_num(tbl.ctx))
return function()
i = i + 1
if i <= n then
@ -63,7 +63,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
__ipairs = iter,
__len = function(tbl)
if not tbl then error("instance is nil") end
return tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
return tonumber(C.OPENSSL_sk_num(tbl.ctx))
end,
__index = function(tbl, k)
if not tbl then error("instance is nil") end
@ -71,7 +71,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
if not i then
return index_tbl[k]
end
local n = stack_macro.OPENSSL_sk_num(tbl.ctx)
local n = C.OPENSSL_sk_num(tbl.ctx)
if i <= 0 or i > n then
return nil
end
@ -88,7 +88,7 @@ end
_M.new_of = function(typ)
local gc = gc_of(typ)
return function()
local raw = stack_macro.OPENSSL_sk_new_null()
local raw = C.OPENSSL_sk_new_null()
if raw == nil then
return nil, "stack.new_of: OPENSSL_sk_new_null() failed"
end
@ -104,7 +104,7 @@ _M.add_of = function(typ)
if ctx == nil or not ffi.istype(ptr, ctx) then
return false, "stack.add_of: expect a " .. typ .. "* at #1"
end
local code = stack_macro.OPENSSL_sk_push(stack, ctx)
local code = C.OPENSSL_sk_push(stack, ctx)
if code == 0 then
return false, "stack.add_of: OPENSSL_sk_push() failed"
end
@ -118,13 +118,13 @@ _M.dup_of = function(_)
if ctx == nil or not ffi.istype(stack_ptr_ct, ctx) then
return nil, "stack.dup_of: expect a stack ctx at #1"
end
local ctx = stack_macro.OPENSSL_sk_dup(ctx)
local ctx = C.OPENSSL_sk_dup(ctx)
if ctx == nil then
return nil, "stack.dup_of: OPENSSL_sk_dup() failed"
end
-- if the stack is duplicated: since we don't copy the elements
-- then we only control gc of the stack itself here
ffi_gc(ctx, stack_macro.OPENSSL_sk_free)
ffi_gc(ctx, C.OPENSSL_sk_free)
return ctx
end
end
@ -152,7 +152,7 @@ _M.deep_copy_of = function(typ)
local free = C[typ .. "_free"]
return function(ctx)
return stack_macro.OPENSSL_sk_deep_copy(ctx, dup, free)
return C.OPENSSL_sk_deep_copy(ctx, dup, free)
end
end

18
src/deps/src/lua-resty-openssl/lib/resty/openssl/version.lua vendored
View file

@ -12,8 +12,6 @@ ffi.cdef[[
const char *OpenSSL_version(int t);
// >= 3.0
const char *OPENSSL_info(int t);
// BoringSSL
int BORINGSSL_self_test(void);
]]
local version_func, info_func
@ -88,12 +86,6 @@ else
end
end
local BORINGSSL = false
pcall(function()
local _ = C.BORINGSSL_self_test
BORINGSSL = true
end)
return setmetatable({
version_num = tonumber(version_num),
version_text = ffi_str(version_func(0)),
@ -103,15 +95,9 @@ return setmetatable({
info = function(t)
return ffi_str(info_func(t))
end,
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x30200000,
OPENSSL_30 = version_num >= 0x30000000 and version_num < 0x30100000, -- for backward compat, deprecated
OPENSSL_11 = version_num >= 0x10100000 and version_num < 0x10200000,
-- the following has implict upper bound of 4.x
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x40000000,
OPENSSL_111 = version_num >= 0x10101000 and version_num < 0x10200000,
OPENSSL_11_OR_LATER = version_num >= 0x10100000 and version_num < 0x30200000,
OPENSSL_111_OR_LATER = version_num >= 0x10101000 and version_num < 0x30200000,
OPENSSL_10 = version_num < 0x10100000 and version_num > 0x10000000,
BORINGSSL = BORINGSSL,
BORINGSSL_110 = BORINGSSL and version_num >= 0x10100000 and version_num < 0x10101000
}, {
__index = types_table,
})

65
src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/crl.lua vendored
View file

@ -18,19 +18,13 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
local accessors = {}
accessors.set_issuer_name = C.X509_CRL_set_issuer_name
accessors.set_version = C.X509_CRL_set_version
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
accessors.get_last_update = C.X509_CRL_get0_lastUpdate
accessors.set_last_update = C.X509_CRL_set1_lastUpdate
accessors.get_next_update = C.X509_CRL_get0_nextUpdate
@ -38,45 +32,7 @@ if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
accessors.get_version = C.X509_CRL_get_version
accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
accessors.get_signature_nid = C.X509_CRL_get_signature_nid
-- BORINGSSL_110 exports X509_CRL_get_signature_nid, but just ignored for simplicity
accessors.get_revoked = C.X509_CRL_get_REVOKED
elseif OPENSSL_10 or BORINGSSL_110 then
accessors.get_last_update = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.lastUpdate
end
accessors.set_last_update = C.X509_CRL_set_lastUpdate
accessors.get_next_update = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.nextUpdate
end
accessors.set_next_update = C.X509_CRL_set_nextUpdate
accessors.get_version = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return C.ASN1_INTEGER_get(crl.crl.version)
end
accessors.get_issuer_name = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.issuer
end
accessors.get_signature_nid = function(crl)
if crl == nil or crl.crl == nil or crl.crl.sig_alg == nil then
return nil
end
return C.OBJ_obj2nid(crl.crl.sig_alg.algorithm)
end
accessors.get_revoked = function(crl)
return crl.crl.revoked
end
end
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -183,10 +139,6 @@ function _M:text()
end
local function revoked_decode(ctx)
if OPENSSL_10 then
error("x509.crl:revoked_decode: not supported on OpenSSL 1.0")
end
local ret = {}
local serial = C.X509_REVOKED_get0_serialNumber(ctx)
if serial ~= nil then
@ -330,8 +282,6 @@ function _M:sign(pkey, digest)
return false, "x509.crl:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -404,19 +354,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local X509_CRL_delete_ext
if OPENSSL_11_OR_LATER then
X509_CRL_delete_ext = C.X509_CRL_delete_ext
elseif OPENSSL_10 then
X509_CRL_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.crl.extensions, pos)
end
else
X509_CRL_delete_ext = function(...)
error("X509_CRL_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -429,7 +366,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.X509_CRL_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = X509_CRL_delete_ext(self.ctx, pos)
local removed = C.X509_CRL_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.X509_CRL_add_ext(self.ctx, extension.ctx, pos) == nil then

52
src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/csr.lua vendored
View file

@ -7,7 +7,7 @@ require "resty.openssl.include.pem"
require "resty.openssl.include.x509v3"
require "resty.openssl.include.x509.csr"
require "resty.openssl.include.asn1"
local stack_macro = require "resty.openssl.include.stack"
require "resty.openssl.include.stack"
local stack_lib = require "resty.openssl.stack"
local pkey_lib = require "resty.openssl.pkey"
local digest_lib = require("resty.openssl.digest")
@ -20,11 +20,7 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
local accessors = {}
@ -32,35 +28,9 @@ accessors.set_subject_name = C.X509_REQ_set_subject_name
accessors.get_pubkey = C.X509_REQ_get_pubkey
accessors.set_pubkey = C.X509_REQ_set_pubkey
accessors.set_version = C.X509_REQ_set_version
if OPENSSL_11_OR_LATER or BORINGSSL_110 then
accessors.get_signature_nid = C.X509_REQ_get_signature_nid
elseif OPENSSL_10 then
accessors.get_signature_nid = function(csr)
if csr == nil or csr.sig_alg == nil then
return nil
end
return C.OBJ_obj2nid(csr.sig_alg.algorithm)
end
end
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr
accessors.get_version = C.X509_REQ_get_version
elseif OPENSSL_10 or BORINGSSL_110 then
accessors.get_subject_name = function(csr)
if csr == nil or csr.req_info == nil then
return nil
end
return csr.req_info.subject
end
accessors.get_version = function(csr)
if csr == nil or csr.req_info == nil then
return nil
end
return C.ASN1_INTEGER_get(csr.req_info.version)
end
end
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -226,7 +196,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
-- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
-- introduces a change that a empty stack instead of NULL will be returned in no extension
-- is found. so we need to double check the number if it's not NULL.
stack_macro.OPENSSL_sk_num(extensions_ptr[0]) > 0
C.OPENSSL_sk_num(extensions_ptr[0]) > 0
local flag
if replace then
@ -245,11 +215,6 @@ local function modify_extension(replace, ctx, nid, toset, crit)
return false, format_error("X509V3_add1_i2d", code)
end
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
if code ~= 1 then
return false, format_error("X509_REQ_add_extensions", code)
end
if need_cleanup then
-- cleanup old attributes
-- delete the first only, why?
@ -259,13 +224,14 @@ local function modify_extension(replace, ctx, nid, toset, crit)
end
end
-- mark encoded form as invalid so next time it will be re-encoded
if OPENSSL_11_OR_LATER then
C.i2d_re_X509_REQ_tbs(ctx, nil)
else
ctx.req_info.enc.modified = 1
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
if code ~= 1 then
return false, format_error("X509_REQ_add_extensions", code)
end
-- mark encoded form as invalid so next time it will be re-encoded
C.i2d_re_X509_REQ_tbs(ctx, nil)
return true
end
@ -339,8 +305,6 @@ function _M:sign(pkey, digest)
return false, "x509.csr:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success

10
src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/extension.lua vendored
View file

@ -16,7 +16,6 @@ local stack_lib = require("resty.openssl.stack")
local bio_util = require "resty.openssl.auxiliary.bio"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
local mt = { __index = _M }
@ -34,13 +33,7 @@ if OPENSSL_3X then
extension_types["issuer_pkey"] = "resty.openssl.pkey"
end
local nconf_load
if BORINGSSL then
nconf_load = function()
return nil, "NCONF_load_bio not exported in BoringSSL"
end
else
nconf_load = function(conf, str)
local nconf_load = function(conf, str)
local bio = C.BIO_new_mem_buf(str, #str)
if bio == nil then
return format_error("BIO_new_mem_buf")
@ -51,7 +44,6 @@ else
return format_error("NCONF_load_bio")
end
end
end
function _M.new(txtnid, value, data)
local nid, err = objects_lib.txtnid2nid(txtnid)

74
src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/init.lua vendored
View file

@ -8,7 +8,7 @@ require "resty.openssl.include.x509"
require "resty.openssl.include.x509v3"
require "resty.openssl.include.evp"
require "resty.openssl.include.objects"
local stack_macro = require("resty.openssl.include.stack")
require "resty.openssl.include.stack"
local stack_lib = require("resty.openssl.stack")
local asn1_lib = require("resty.openssl.asn1")
local digest_lib = require("resty.openssl.digest")
@ -21,11 +21,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
-- accessors provides an openssl version neutral interface to lua layer
-- it doesn't handle any error, expect that to be implemented in
@ -48,49 +44,12 @@ accessors.get_signature_nid = C.X509_get_signature_nid
-- parent struct is freed.
-- otherwise, use get0, which returns an internal pointer, we don't need to free it up.
-- it will be gone together with the parent struct.
if BORINGSSL_110 then
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
accessors.set_not_before = C.X509_set_notBefore
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
accessors.set_not_after = C.X509_set_notAfter
accessors.get_version = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return C.ASN1_INTEGER_get(x509.cert_info.version)
end
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
elseif OPENSSL_11_OR_LATER then
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
accessors.set_not_before = C.X509_set1_notBefore
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
accessors.set_not_after = C.X509_set1_notAfter
accessors.get_version = C.X509_get_version -- returns int
accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn
elseif OPENSSL_10 then
accessors.get_not_before = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return x509.cert_info.validity.notBefore
end
accessors.set_not_before = C.X509_set_notBefore
accessors.get_not_after = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return x509.cert_info.validity.notAfter
end
accessors.set_not_after = C.X509_set_notAfter
accessors.get_version = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return C.ASN1_INTEGER_get(x509.cert_info.version)
end
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
end
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -241,7 +200,7 @@ end
-- note: index is 0 based
local OPENSSL_STRING_value_at = function(ctx, i)
local ct = ffi_cast("OPENSSL_STRING", stack_macro.OPENSSL_sk_value(ctx, i))
local ct = ffi_cast("OPENSSL_STRING", C.OPENSSL_sk_value(ctx, i))
if ct == nil then
return nil
end
@ -251,7 +210,7 @@ end
function _M:get_ocsp_url(return_all)
local st = C.X509_get1_ocsp(self.ctx)
local count = stack_macro.OPENSSL_sk_num(st)
local count = C.OPENSSL_sk_num(st)
if count == 0 then
return
end
@ -324,17 +283,11 @@ local digest_length = ctypes.ptr_of_uint()
local digest_buf, digest_buf_size
local function digest(self, cfunc, typ, properties)
-- TODO: dedup the following with resty.openssl.digest
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_MD_CTX_new()
ffi_gc(ctx, C.EVP_MD_CTX_free)
elseif OPENSSL_10 then
ctx = C.EVP_MD_CTX_create()
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
end
local ctx = C.EVP_MD_CTX_new()
if ctx == nil then
return nil, "x509:digest: failed to create EVP_MD_CTX"
end
ffi_gc(ctx, C.EVP_MD_CTX_free)
local algo
if OPENSSL_3X then
@ -398,8 +351,6 @@ function _M:sign(pkey, digest)
return false, "x509:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -472,19 +423,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local X509_delete_ext
if OPENSSL_11_OR_LATER then
X509_delete_ext = C.X509_delete_ext
elseif OPENSSL_10 then
X509_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.cert_info.extensions, pos)
end
else
X509_delete_ext = function(...)
error("X509_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -497,7 +435,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.X509_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = X509_delete_ext(self.ctx, pos)
local removed = C.X509_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.X509_add_ext(self.ctx, extension.ctx, pos) == nil then

12
src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/store.lua vendored
View file

@ -11,9 +11,7 @@ local crl_lib = require "resty.openssl.x509.crl"
local ctx_lib = require "resty.openssl.ctx"
local format_all_error = require("resty.openssl.err").format_all_error
local format_error = require("resty.openssl.err").format_error
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
local mt = { __index = _M }
@ -218,7 +216,7 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
if not return_chain then
return true, nil
end
local ret_chain_ctx = x509_vfy_macro.X509_STORE_CTX_get0_chain(ctx)
local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
return chain_lib.dup(ret_chain_ctx)
elseif code == 0 then -- unverified
local vfy_code = C.X509_STORE_CTX_get_error(ctx)
@ -232,14 +230,6 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
end
function _M:check_revocation(verified_chain, properties)
if BORINGSSL then
return nil, "x509.store:check_revocation: this API is not supported in BoringSSL"
end
if not OPENSSL_11_OR_LATER then
return nil, "x509.store:check_revocation: this API is supported from OpenSSL 1.1.0"
end
if not verified_chain or not chain_lib.istype(verified_chain) then
return nil, "x509.store:check_revocation: expect a x509.chain instance at #1"
end

4
src/deps/src/lua-resty-openssl/lua-resty-openssl-0.8.23-1.rockspec → src/deps/src/lua-resty-openssl/lua-resty-openssl-1.0.1-1.rockspec vendored
View file

@ -1,8 +1,8 @@
package = "lua-resty-openssl"
version = "0.8.23-1"
version = "1.0.1-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
tag = "0.8.23"
tag = "1.0.1"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",

117
src/deps/src/lua-resty-openssl/scripts/find_unused_cdef.py vendored Normal file
View file

@ -0,0 +1,117 @@
#!/usr/bin/env python3
import os
import re
import sys
current_script_path = os.path.abspath(sys.argv[0])
def load_files(path):
file_contents = {}
for root, _, files in os.walk(path):
for file in files:
if file.endswith(".lua"):
p = os.path.join(root.replace(path, ""), file).lstrip("/")
with open(os.path.join(root, file)) as f:
file_contents[p] = f.readlines()
return file_contents
token = "[a-zA-Z0-9_]"
def find_cdefs(files):
cdefs = {
"funcs": {},
"types": {},
}
for path, lines in files.items():
start = False
for i in range(len(lines)):
line = lines[i]
if "ffi.cdef" in line:
start = True
elif "]]" in line and start:
start = False
if start:
if re.findall("^\s*//", line): # comment
continue
func = re.findall(f"{token}+[\s\*]+({token}+)\(", line)
if func:
cdefs["funcs"][func[0]] = f"{path}:{i}"
type_ = re.findall(f"typedef.*?({token}+);", line)
if type_:
cdefs["types"][type_[0]] = f"{path}:{i}"
type_ = re.findall(f"}}\s*({token}+);", line)
if type_:
cdefs["types"][type_[0]] = f"{path}:{i}"
return cdefs
# those are dynamically called
ignore_list = [
"OSSL_PARAM_(?:set|get)_",
"PEM_read_bio_",
"fake_openssl_",
"(?:d2i|i2d)_(?:PUBKEY|PrivateKey)_bio",
"_(?:gettable|settable)_params",
"_(?:get|set)_params",
"_do_all_(?:sorted|provided)",
"_get0_name",
]
def check_cdefs(files, cdef):
unused = {
"funcs": {},
"types": {},
}
undefined = {
"funcs": {},
"types": {},
}
patterns = {
"funcs": "C.%s[^a-zA-Z0-9_]",
"types": "%s[^a-zA-Z0-9_]",
}
ignore_regex = "(?:%s)" % "|".join(ignore_list)
for name, regex_pattern in patterns.items():
for token, path in cdef[name].items():
found = False
for _, lines in files.items():
full_content = "".join(lines)
if re.findall(regex_pattern % token, full_content):
found = True
break
if not found and not re.findall(ignore_regex, token):
unused[name][token] = path
# TODO: find undefined
return unused, undefined
def display(unused, undefined):
for name, tokens in unused.items():
if len(tokens) == 0:
continue
print(f"Unused {name} ({len(tokens)}):")
for token, path in tokens.items():
print(f" {token} on {path}")
for name, tokens in undefined.items():
if len(tokens) == 0:
continue
print(f"Undefined {name} ({len(tokens)}):")
for token, path in tokens.items():
print(f" {token} on {path}")
if __name__ == '__main__':
files = load_files(os.path.join(os.path.dirname(current_script_path), "..", "lib"))
cdefs = find_cdefs(files)
display(*check_cdefs(files, cdefs))

17
src/deps/src/lua-resty-openssl/scripts/templates/x509_functions.j2 vendored
View file

@ -13,8 +13,6 @@ function _M:sign(pkey, digest)
return false, "{{modname}}:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -89,19 +87,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local {{ module.type }}_delete_ext
if OPENSSL_11_OR_LATER then
{{ module.type }}_delete_ext = C.{{ module.type }}_delete_ext
elseif OPENSSL_10 then
{{ module.type }}_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.{{ module.extensions_in_struct }}, pos)
end
else
{{ module.type }}_delete_ext = function(...)
error("{{ module.type }}_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -114,7 +99,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.{{ module.type }}_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = {{ module.type }}_delete_ext(self.ctx, pos)
local removed = C.{{ module.type }}_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.{{ module.type }}_add_ext(self.ctx, extension.ctx, pos) == nil then