Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Squashed 'src/deps/src/lua-resty-openssl/' changes from b23c072a4..89195843c

Browse source 
89195843c release: 1.0.1 (#129)
3a1bc273e fix(jwk) return error if exporting private key from public key (#128)
969f3e003 release: 1.0.0 (#127)
7cdcf0d17 chore(tests) cleanup fips tests
935227b34 feat(fips) add get_fips_version_text
f2d015b4b chore(scripts) add script to check unused cdefs
84abc0ab9 refactor(*) remove unused cdefs
99b493e67 refactor(*) BREAKING: drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support
8d12024e4 release: 0.8.26
2ca4d14b1 doc(readme) add notes around :reset usage
74fc033ae chore(tests): bump openssl versions in CI
756e3e638 tests(provider) support OpenSSL 3.x
1516b4d94 fix(version) add support for all 3.x versions
d6ed9648e fix(x509.csr) remove extension before adding it
4f67b295e tests(ci) bump version and refactor fips module build
f9a153288 release: 0.8.25 (#122)
6e58b28c3 fix(pkey) clear error stack when verification fails (#121)
4871f49c3 release: 0.8.24
abaa66ee0 fix(ssl) support ngx_lua 10025
d51ba7909 chore(tests): bump openresty 1.21.4.2
2b99acd36 doc(changelog): include optional colon

git-subtree-dir: src/deps/src/lua-resty-openssl
git-subtree-split: 89195843cfbfac9dcbf071832aa9303a347871b4
This commit is contained in:
Théophile Diot 2023-11-16 16:54:59 +00:00
parent a280059882
commit c473aa4080
65 changed files with 702 additions and 1841 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.chglog/config.yml
View file

@ -19,7 +19,7 @@ options:
perf: Performance Improvements
refactor: Code Refactoring
header:
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?\\s(.*)$"
pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s\\/]*)\\))?:?\\s(.*)$"
pattern_maps:
- Type
- Scope

159
.github/workflows/tests.yml vendored
View file

@ -20,7 +20,7 @@ concurrency:
jobs:
tests:
name: Tests
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
strategy:
fail-fast: false
@ -29,69 +29,43 @@ jobs:
# TODO: arm64
# latest and one version older for valgrind and perf test
- nginx: "1.19.9"
openssl: "1.0.2u"
openssl: "1.1.1w"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "1.1.1t"
openssl: "3.1.4"
openssl_fips: "3.0.8"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "3.0.8"
extras: "valgrind"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "1.0.2u"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
openssl: "1.1.1t"
openssl: "1.1.1w"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
- nginx: "1.21.4"
openssl: "3.0.8"
openssl: "3.0.12"
openssl_fips: "3.0.8"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "3.1.0"
openssl: "3.1.4"
openssl_fips: "3.0.8"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
# latest version with EOL 1.1.0
- nginx: "1.21.4"
openssl: "1.1.0l"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
# version that kong uses, for fips
- nginx: "1.21.4"
openssl: "1.0.2u"
fips2: "2.0.16"
openssl_opts: "fips --with-fipsdir=/home/runner/work/cache/ssl/fips"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808
openssl: "3.2.0-alpha1"
openssl_fips: "3.0.8"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
lua_nginx_module: "v0.10.25"
lua_resty_core: "v0.1.27"
nginx_cc_opts: "-Wno-error"
env:
JOBS: 3
@ -121,7 +95,7 @@ jobs:
with:
path: |
/home/runner/work/cache
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-${{ matrix.fips2 }}-boringssl-${{ matrix.boringssl }}
key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}
- name: Setup tools
run: |
@ -149,57 +123,31 @@ jobs:
- name: Build OpenSSL
if: matrix.boringssl == ''
run: |
mkdir -p $OPENSSL_PREFIX
# fips doesn't seem to support to build parallelly
if [ "X${{ matrix.fips2 }}" != "X" ]; then wget https://www.openssl.org/source/old/fips/openssl-fips-${{ matrix.fips2 }}.tar.gz -qO - | tar zxf - ; pushd openssl-fips-${{ matrix.fips2 }}/; FIPSDIR=$OPENSSL_PREFIX/fips ./config; make; make install; popd; fi
T=$OPENSSL_PREFIX
mkdir -p $T
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
if [ ! -e $OPENSSL_PREFIX/include ]; then ./config shared -d --prefix=$OPENSSL_PREFIX -DPURIFY ${{ matrix.openssl_opts }} > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/include ]; then sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
if [ -e $OPENSSL_LIB/libcrypto.so.3 ] && [ ! -e $OPENSSL_LIB/ossl-modules/fips.so ]; then mkdir -p $OPENSSL_PREFIX/ssl; sudo make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $OPENSSL_PREFIX/lib64 ]; then sudo cp -r $OPENSSL_PREFIX/lib $OPENSSL_PREFIX/lib64; fi
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/lib64 ]; then sudo cp -r $T/lib $T/lib64; fi
mkdir -p $T/certs/ && sudo cp -r /etc/ssl/certs/* $T/certs/
- name: Build BoringSSL
if: matrix.boringssl != ''
- name: Build OpenSSL FIPS module
if: matrix.openssl_fips != ''
run: |
mkdir -p $OPENSSL_PREFIX
if [ ! -e $OPENSSL_PREFIX/include ]; then
# libtinfo5 is a dependency of clang7 on ubuntu20.04
sudo apt-get install -qq -y cmake libtinfo5 unzip libunwind-dev libgcc-9-dev libstdc++-9-dev
wget https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz -qO - |tar Jxf -
export HOME="$PWD"
printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
export PATH="$PWD/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
clang --version
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz -qO - |tar zxf -
export GOPATH="$PWD/gopath"
export GOROOT="$PWD/go"
export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
go version
wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip -q
unzip -o ninja-linux.zip
export PATH="$PWD:$PATH"
ninja --version
wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-${{ matrix.boringssl }}.tar.xz -qO - | tar Jxf -; pushd boringssl
if [ "${{ matrix.boringssl }}" == "ae223d6138807a13006342edfeef32e813246b39" ]; then
patch -p1 < ../t/fixtures/boringssl_fips.patch
fi
rm -rf build; mkdir build; pushd build
cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. > build.log 2>&1 || (cat build.log && exit 1)
ninja > build.log 2>&1 || (cat build.log && exit 1)
./tool/bssl isfips
popd; rm -rf $OPENSSL_INC; cp -r include $OPENSSL_INC
mkdir -p $OPENSSL_LIB; cp -r build/*/*.so $OPENSSL_LIB
fi
mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
T=${OPENSSL_PREFIX}.fips
mkdir -p $T
wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
make PATH=$PATH install_fips > build.log 2>&1 || (cat build.log && exit 1)
cp $T/lib64/ossl-modules/fips.so $OPENSSL_PREFIX/lib64/ossl-modules/fips.so
mkdir -p $OPENSSL_PREFIX/ssl && cp $T/ssl/fipsmodule.cnf $OPENSSL_PREFIX/ssl/fipsmodule.cnf
# don't activate by default
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
- name: Build LuaJIT
env:
@ -274,34 +222,16 @@ jobs:
- name: Run FIPS Test
run: |
# openssl 3.0
if [ -e $OPENSSL_LIB/libcrypto.so.3 ]; then
if [ -e $OPENSSL_LIB/ossl-modules/fips.so ]; then
echo "FIPS for OpenSSL 3.0"
cp t/fixtures/openssl_fips.cnf $OPENSSL_PREFIX/openssl-fips.cnf
pushd openssl-${{ matrix.openssl }}/;
# LD_LIBRARY_PATH=$OPENSSL_LIB $OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/fipsmodule.cnf -module $OPENSSL_LIB/ossl-modules/fips.so
# don't activate by default
sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
cat $OPENSSL_PREFIX/ssl/fipsmodule.cnf >> $OPENSSL_PREFIX/openssl-fips.cnf
export OPENSSL_CONF=$OPENSSL_PREFIX/openssl-fips.cnf
popd
export TEST_NGINX_FIPS=1
fi
# openssl 1.0.2 with fips module
if [ "X${{ matrix.fips2 }}" != "X" ]; then
echo "FIPS for OpenSSL 1.0.2"
export TEST_NGINX_FIPS=1
fi
# BoringSSL
if [ "X${{ matrix.boringssl }}" != "X" ]; then
echo "FIPS for BoringSSL ${{ matrix.boringssl }}"
export TEST_NGINX_FIPS=1
fi
if [ "X$TEST_NGINX_FIPS" != "X" ]; then
echo "Running FIPS tests"
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
@ -309,6 +239,7 @@ jobs:
TEST_NGINX_FIPS=1 TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
TEST_NGINX_TIMEOUT=20 prove -j$JOBS -r t/ 2>&1
else
echo "FIPS tests are skipped"
fi

43
CHANGELOG.md
View file

@ -2,6 +2,41 @@
## [Unreleased]
<a name="1.0.1"></a>
## [1.0.1] - 2023-11-07
### bug fixes
- **jwk:** return error if exporting private key from public key ([#128](https://github.com/fffonion/lua-resty-openssl/issues/128)) [3a1bc27](https://github.com/fffonion/lua-resty-openssl/commit/3a1bc273e2a3f41faa7eb68f2939fd1fc25cdecb)
<a name="1.0.0"></a>
## [1.0.0] - 2023-11-03
### code refactoring
- **\*:** remove unused cdefs [84abc0a](https://github.com/fffonion/lua-resty-openssl/commit/84abc0ab99b3d649c7fe4575cf13867cf96a94ef)
- **\*:** BREAKING: drop OpenSSL 1.0.2, 1.1.0 and BoringSSL support [99b493e](https://github.com/fffonion/lua-resty-openssl/commit/99b493e671886e68c07b1b9c9472075c22ce38e9)
### features
- **fips:** add get_fips_version_text [935227b](https://github.com/fffonion/lua-resty-openssl/commit/935227b348ba4416f2f4d671dd94f7910cbf9e61)
<a name="0.8.26"></a>
## [0.8.26] - 2023-10-30
### bug fixes
- **version:** add support for all 3.x versions [1516b4d](https://github.com/fffonion/lua-resty-openssl/commit/1516b4d94ac4621a1b243c14b5133ded81515d28)
- **x509.csr:** remove extension before adding it [d6ed964](https://github.com/fffonion/lua-resty-openssl/commit/d6ed9648e39f46f7519413489baf021092ccbc49)
<a name="0.8.25"></a>
## [0.8.25] - 2023-09-05
### bug fixes
- **pkey:** clear error stack when verification fails ([#121](https://github.com/fffonion/lua-resty-openssl/issues/121)) [6e58b28](https://github.com/fffonion/lua-resty-openssl/commit/6e58b28c3d42560631e0c8351befa1434b6fc542)
<a name="0.8.24"></a>
## [0.8.24] - 2023-08-07
### bug fixes
- **ssl:** support ngx_lua 10025 [abaa66e](https://github.com/fffonion/lua-resty-openssl/commit/abaa66ee07ce734580fd29ec6032157c998f6346)
<a name="0.8.23"></a>
## [0.8.23] - 2023-06-20
### bug fixes
@ -9,6 +44,7 @@
### features
- **tests:** add performance test ([#112](https://github.com/fffonion/lua-resty-openssl/issues/112)) [100b4e4](https://github.com/fffonion/lua-resty-openssl/commit/100b4e43843a597327be6e5356c64b5ce621fa56)
- **x509.store:** add store:check_revocation and add flag to skip check CRL for store:add ([#1](https://github.com/fffonion/lua-resty-openssl/issues/1)) [1a5a4c8](https://github.com/fffonion/lua-resty-openssl/commit/1a5a4c881128ffb65d6eaf47bb3961417ef23f0b)
<a name="0.8.22"></a>
@ -506,7 +542,12 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...HEAD
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.1...HEAD
[1.0.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.0...1.0.1
[1.0.0]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.26...1.0.0
[0.8.26]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.25...0.8.26
[0.8.25]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.24...0.8.25
[0.8.24]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...0.8.24
[0.8.23]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.22...0.8.23
[0.8.22]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.21...0.8.22
[0.8.21]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.20...0.8.21

90
README.md
View file

@ -1,8 +1,8 @@
# lua-resty-openssl
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.1, 3.0, 1.1 and 1.0.2 series.
FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.x, 1.1 series.
BoringSSL is also supported.
OpenSSL 1.1.0, 1.0.2 and BoringSSL support has been dropped, but are still available at the [0.x branch](https://github.com/fffonion/lua-resty-openssl/tree/0.x).
![Build Status](https://github.com/fffonion/lua-resty-openssl/workflows/Tests/badge.svg) ![luarocks](https://img.shields.io/luarocks/v/fffonion/lua-resty-openssl?color=%232c3e67) ![opm](https://img.shields.io/opm/v/fffonion/lua-resty-openssl?color=%23599059)
@ -20,6 +20,7 @@ Table of Contents
+ [openssl.resty_hmac_compat](#opensslresty_hmac_compat)
+ [openssl.get_fips_mode](#opensslget_fips_mode)
+ [openssl.set_fips_mode](#opensslset_fips_mode)
+ [openssl.get_fips_version_text](#opensslget_fips_version_text)
+ [openssl.set_default_properties](#opensslset_default_properties)
+ [openssl.list_cipher_algorithms](#openssllist_cipher_algorithms)
+ [openssl.list_digest_algorithms](#openssllist_digest_algorithms)
@ -35,8 +36,7 @@ Table of Contents
+ [version.version](#versionversion)
+ [version.info](#versioninfo)
+ [version.OPENSSL_3X](#versionOPENSSL_3X)
+ [version.OPENSSL_11](#versionopenssl_11)
+ [version.OPENSSL_10](#versionopenssl_10)
+ [version.OPENSSL_111](#versionopenssl_111)
* [resty.openssl.provider](#restyopensslprovider)
+ [provider.load](#providerload)
+ [provider.istype](#provideristype)
@ -295,10 +295,7 @@ Description
===========
`lua-resty-openssl` is a FFI-based OpenSSL binding library, currently
supports OpenSSL `3.1.x`, `3.0.x`, `1.1.1`, `1.1.0` and `1.0.2` series.
**Note: when using with OpenSSL 1.0.2, it's recommanded to not use this library with other FFI-based OpenSSL binding libraries to avoid potential mismatch of `cdef`.**
supports OpenSSL `3.x` and `1.1.1` series.
[Back to TOC](#table-of-contents)
@ -321,9 +318,6 @@ using `error()` but instead return as last parameter.
Each Lua table returned by `new()` contains a cdata object `ctx`. User are not supposed to manully setting
`ffi.gc` or calling corresponding destructor of the `ctx` struct (like `*_free` functions).
BoringSSL removes some algorithms and not all functionalities below is supported by BoringSSL. Please
consul its manual for differences between OpenSSL API.
[Back to TOC](#table-of-contents)
## resty.openssl
@ -443,7 +437,14 @@ print(c:get_provider_name()) -- prints "fips"
Compile the module per [security policy](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf)
Check if FIPS is acticated by running `assert(openssl.set_fips_mode(true))`.
BoringSSL doesn't support "turn FIPS mode off" once it's compiled.
[Back to TOC](#table-of-contents)
### openssl.get_fips_version_text
**syntax**: *text, err = openssl.get_fips_version_text()*
Returns the version text of the FIPS module, only available on OpenSSL 3.x.
[Back to TOC](#table-of-contents)
@ -596,11 +597,6 @@ Returns various OpenSSL version information. Available values for `types` are:
MODULES_DIR
CPU_INFO
For OpenSSL prior to 1.1.x, only `VERSION`, `CFLAGS`, `BUILT_ON`, `PLATFORM`
and `DIR` are supported. Please refer to
[OPENSSL_VERSION_NUMBER(3)](https://www.openssl.org/docs/manmaster/man3/OPENSSL_VERSION_NUMBER.html)
for explanation of each type.
```lua
local version = require("resty.openssl.version")
ngx.say(string.format("%x", version.version_num))
@ -647,23 +643,9 @@ A boolean indicates whether the linked OpenSSL is 3.x series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_30
### version.OPENSSL_111
Deprecated: use `version.OPENSSL_3X` is encouraged.
A boolean indicates whether the linked OpenSSL is 3.0 series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_11
A boolean indicates whether the linked OpenSSL is 1.1 series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_10
A boolean indicates whether the linked OpenSSL is 1.0 series.
A boolean indicates whether the linked OpenSSL is 1.1.1 series.
[Back to TOC](#table-of-contents)
@ -767,10 +749,6 @@ X25519 | Y | Y | | | Y (ECDH) |
Ed448 | Y | Y | | Y (PureEdDSA) | |
X448 | Y | Y | | | Y (ECDH) |
`Ed25519`, `X25519`, `Ed448` and `X448` keys are only supported since OpenSSL 1.1.0.
Note BoringSSL doesn't support `Ed448` and `X448` keys.
Direct support of encryption and decryption for EC and ECX does not exist, but
processes like ECIES is possible with [pkey:derive](#pkeyderive),
[kdf](#restyopensslkdf) and [cipher](#restyopensslcipher)
@ -1067,8 +1045,7 @@ This mode only supports RSA and EC keys.
When passing a string as first parameter, `md_alg` parameter will specify the name
to use when signing. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA signing,
no message digest should be specified and will not be used. BoringSSL doesn't have default
digest thus `md_alg` must be specified.
no message digest should be specified and will not be used.
`opts` is a table that accepts additional parameters.
@ -1083,8 +1060,7 @@ obsolete MD5 hash algorithm and will return error on this combination. See
for a list of algorithms and associated public key algorithms. Normally, the ECDSA signature
is encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
a true value, a binary with just the concatenation of binary representation `pr` and `ps` is returned.
This is useful for example to send the signature as JWS. This feature
is only supported on OpenSSL 1.1.0 or later.
This is useful for example to send the signature as JWS.
[Back to TOC](#table-of-contents)
@ -1106,8 +1082,7 @@ This mode only supports RSA and EC keys.
When passing a string as second parameter, `md_alg` parameter will specify the name
to use when verifying. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256
by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA verification,
no message digest should be specified and will not be used. BoringSSL doesn't have default
digest thus `md_alg` must be specified.
no message digest should be specified and will not be used.
`opts` is a table that accepts additional parameters.
@ -1118,8 +1093,7 @@ possible to specify PSS salt length by setting `opts.pss_saltlen`.
For EC key, this function does a ECDSA verification. Normally, the ECDSA signature
should be encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with
a true value, this library treat `signature` as concatenation of binary representation `pr` and `ps`.
This is useful for example to verify the signature as JWS. This feature
is only supported on OpenSSL 1.1.0 or later.
This is useful for example to verify the signature as JWS.
```lua
-- RSA and EC keys
@ -1313,8 +1287,7 @@ Creates a `bn` instance from binary string.
Exports the BIGNUM value in binary string.
`bn:to_binary` accepts an optional number argument `padto` that can be
used to pad leading zeros to the output to a specific length. This feature
is only supported on OpenSSL 1.1.0 or later.
used to pad leading zeros to the output to a specific length.
```lua
local b, err = require("resty.openssl.bn").from_binary(ngx.decode_base64("WyU="))
@ -1860,6 +1833,8 @@ Reset the internal state of `digest` instance as it's just created by [digest.ne
It calls [EVP_DigestInit_ex](https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit_ex.html) under
the hood.
User must call this before reusing the same `digest` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.hmac
@ -1929,6 +1904,8 @@ Reset the internal state of `hmac` instance as it's just created by [hmac.new](#
It calls [HMAC_Init_ex](https://www.openssl.org/docs/manmaster/man3/HMAC_Init_ex.html) under
the hood.
User must call this before reusing the same `hmac` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.mac
@ -2026,8 +2003,7 @@ instead.
Derive a key from given material. Various KDFs are supported based on OpenSSL version:
- On OpenSSL 1.0.2 and later, `PBKDF2`([RFC 2898], [NIST SP 800-132]) is available.
- On OpenSSL 1.1.0 and later, `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
`PBKDF2`([RFC 2898], [NIST SP 800-132]), `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available.
`options` is a table that contains:
@ -2043,7 +2019,7 @@ Derive a key from given material. Various KDFs are supported based on OpenSSL ve
to explictly select provider to fetch algorithms. | |
| pbkdf2_iter | number | PBKDF2 iteration count. RFC 2898 suggests an iteration count of at least 1000. Any value less than 1 is treated as a single iteration. | `1` |
| hkdf_key | string | HKDF key | **required** |
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. This is only effective with OpenSSL >= 1.1.1. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-<md>`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`|
| hkdf_info | string | HKDF info value | (empty string) |
| tls1_prf_secret | string | TLS1-PRF secret | **required** |
| tls1_prf_seed | string | TLS1-PRF seed | **required** |
@ -2182,6 +2158,8 @@ This function is available since OpenSSL 3.0.
Reset the internal state of `kdf` instance as it's just created by [kdf.new](#kdfnew).
User must call this before reusing the same `kdf` instance.
[Back to TOC](#table-of-contents)
## resty.openssl.objects
@ -2586,8 +2564,6 @@ Sign the certificate using the private key specified by `pkey`, which must be a
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### x509:verify
@ -2798,8 +2774,6 @@ Sign the certificate request using the private key specified by `pkey`, which mu
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### csr:verify
@ -3014,8 +2988,6 @@ Sign the CRL using the private key specified by `pkey`, which must be a
parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance.
Returns a boolean indicating if signing is successful and error if any.
In BoringSSL when `digest` is not set it's fallback to `SHA256`.
[Back to TOC](#table-of-contents)
### crl:verify
@ -3967,8 +3939,6 @@ to explictly select provider to fetch algorithms.
Returns `true` when the certificate isn't revoked,
otherwise returns `nil` and error explaining the reason.
Note this function is supported from OpenSSL 1.1.0 and not supported in BoringSSL.
[Back to TOC](#table-of-contents)
## resty.openssl.x509.revoked
@ -4533,7 +4503,7 @@ Copyright and License
This module is licensed under the BSD license.
Copyright (C) 2019-2020, by fffonion <fffonion@gmail.com>.
Copyright (C) 2019-2023, by fffonion <fffonion@gmail.com>.
All rights reserved.
@ -4551,7 +4521,7 @@ See Also
========
* [luaossl](https://github.com/wahern/luaossl)
* [API/ABI changes review for OpenSSL](https://abi-laboratory.pro/index.php?view=timeline&l=openssl)
* [OpenSSL API manual](https://www.openssl.org/docs/man1.1.1/man3/)
* [OpenSSL API manual](https://www.openssl.org/docs/man3.1/man3/)
[Back to TOC](#table-of-contents)

25
lib/resty/openssl.lua
View file

@ -5,7 +5,7 @@ local ffi_str = ffi.string
local format_error = require("resty.openssl.err").format_error
local OPENSSL_3X, BORINGSSL
local OPENSSL_3X
local function try_require_modules()
package.loaded["resty.openssl.version"] = nil
@ -13,7 +13,6 @@ local function try_require_modules()
local pok, lib = pcall(require, "resty.openssl.version")
if pok then
OPENSSL_3X = lib.OPENSSL_3X
BORINGSSL = lib.BORINGSSL
require "resty.openssl.include.crypto"
require "resty.openssl.include.objects"
@ -25,7 +24,7 @@ try_require_modules()
local _M = {
_VERSION = '0.8.23',
_VERSION = '1.0.1',
}
local libcrypto_name
@ -286,6 +285,14 @@ if OPENSSL_3X then
return C.EVP_default_properties_is_fips_enabled(ctx_lib.get_libctx()) == 1
end
function _M.get_fips_version_text()
if not fips_provider_ctx then
return false, "FIPS mode is not enabled"
end
return fips_provider_ctx:get_params("version")
end
else
function _M.set_fips_mode(enable)
if (not not enable) == _M.get_fips_mode() then
@ -302,6 +309,10 @@ else
function _M.get_fips_mode()
return C.FIPS_mode() == 1
end
function _M.get_fips_version_text()
return nil, "openssl.get_fips_version_text not supported on OpenSSL 1.1.1"
end
end
function _M.set_default_properties(props)
@ -362,10 +373,6 @@ local function list_provided(typ)
end
function _M.list_cipher_algorithms()
if BORINGSSL then
return nil, "openssl.list_cipher_algorithms is not supported on BoringSSL"
end
require "resty.openssl.include.evp.cipher"
local ret = list_legacy("EVP_CIPHER",
OPENSSL_3X and C.EVP_CIPHER_get_nid or C.EVP_CIPHER_nid)
@ -381,10 +388,6 @@ function _M.list_cipher_algorithms()
end
function _M.list_digest_algorithms()
if BORINGSSL then
return nil, "openssl.list_digest_algorithms is not supported on BoringSSL"
end
require "resty.openssl.include.evp.md"
local ret = list_legacy("EVP_MD",
OPENSSL_3X and C.EVP_MD_get_type or C.EVP_MD_type)

4
lib/resty/openssl/auxiliary/jwk.lua
View file

@ -202,6 +202,10 @@ end
function _M.dump_jwk(pkey, is_priv)
local jwk
if is_priv and not pkey:is_private() then
return nil, "jwk.dump_jwk: could not dump public key as private key"
end
if pkey.key_type == evp_macro.EVP_PKEY_RSA then
local param_keys = { "n" , "e" }
if is_priv then

3
lib/resty/openssl/auxiliary/nginx.lua
View file

@ -168,6 +168,7 @@ else
return ssl.session_ctx
end
-- https://github.com/openresty/stream-lua-nginx-module/blob/master/src/ngx_stream_lua_socket_tcp.h
ffi.cdef[[
typedef struct ngx_http_lua_socket_tcp_upstream_s
ngx_http_lua_socket_tcp_upstream_t;
@ -213,7 +214,7 @@ else
ngx.config.ngx_lua_version and
ngx.config.ngx_lua_version
if ngx_lua_version >= 10019 and ngx_lua_version <= 10021 then
if ngx_lua_version >= 10019 and ngx_lua_version <= 10025 then
-- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
ffi.cdef[[
typedef struct {

71
lib/resty/openssl/bn.lua
View file

@ -9,7 +9,6 @@ require "resty.openssl.include.bn"
local crypto_macro = require("resty.openssl.include.crypto")
local ctypes = require "resty.openssl.auxiliary.ctypes"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -55,8 +54,6 @@ function _M:to_binary(pad)
if pad then
if type(pad) ~= "number" then
return nil, "bn:to_binary: expect a number at #1"
elseif OPENSSL_10 then
return nil, "bn:to_binary: padding is only supported on OpenSSL 1.1.0 or later"
end
end
@ -167,30 +164,18 @@ end
-- we only need one per worker
local bn_ctx_tmp = C.BN_CTX_new()
assert(bn_ctx_tmp ~= nil)
if OPENSSL_10 then
C.BN_CTX_init(bn_ctx_tmp)
end
ffi_gc(bn_ctx_tmp, C.BN_CTX_free)
_M.bn_ctx_tmp = bn_ctx_tmp
-- mathematics
local is_negative
if OPENSSL_10 then
local bn_zero = assert(_M.new(0)).ctx
is_negative = function(ctx)
return C.BN_cmp(ctx, bn_zero) < 0 and 1 or 0
end
else
is_negative = C.BN_is_negative
end
function mt.__unm(a)
local b = _M.dup(a.ctx)
if b == nil then
error("BN_dup() failed")
end
local sign = is_negative(b.ctx)
local sign = C.BN_is_negative(b.ctx)
C.BN_set_negative(b.ctx, 1-sign)
return b
end
@ -366,52 +351,20 @@ function mt.__le(a, b)
return C.BN_cmp(a.ctx, b.ctx) <= 0
end
if OPENSSL_10 then
-- in openssl 1.0.x those functions are implemented as macros
-- don't want to copy paste all structs here
-- the followings are definitely slower, but works
local bn_zero = assert(_M.new(0)).ctx
local bn_one = assert(_M.new(1)).ctx
function _M:is_zero()
return C.BN_is_zero(self.ctx) == 1
end
function _M:is_zero()
return C.BN_cmp(self.ctx, bn_zero) == 0
end
function _M:is_one()
return C.BN_is_one(self.ctx) == 1
end
function _M:is_one()
return C.BN_cmp(self.ctx, bn_one) == 0
end
function _M:is_word(n)
return C.BN_is_word(self.ctx, n) == 1
end
function _M:is_word(n)
local ctx = C.BN_new()
ffi_gc(ctx, C.BN_free)
if ctx == nil then
return nil, "bn:is_word: BN_new() failed"
end
if C.BN_set_word(ctx, n) ~= 1 then
return nil, "bn:is_word: BN_set_word() failed"
end
return C.BN_cmp(self.ctx, ctx) == 0
end
function _M:is_odd()
return self:to_number() % 2 == 1
end
else
function _M:is_zero()
return C.BN_is_zero(self.ctx) == 1
end
function _M:is_one()
return C.BN_is_one(self.ctx) == 1
end
function _M:is_word(n)
return C.BN_is_word(self.ctx, n) == 1
end
function _M:is_odd()
return C.BN_is_odd(self.ctx) == 1
end
function _M:is_odd()
return C.BN_is_odd(self.ctx) == 1
end
function _M:is_prime(nchecks)

13
lib/resty/openssl/cipher.lua
View file

@ -9,8 +9,6 @@ local evp_macro = require "resty.openssl.include.evp"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local uchar_array = ctypes.uchar_array
@ -32,18 +30,11 @@ function _M.new(typ, properties)
return nil, "cipher.new: expect type to be defined"
end
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_CIPHER_CTX_new()
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
elseif OPENSSL_10 then
ctx = ffi.new('EVP_CIPHER_CTX')
C.EVP_CIPHER_CTX_init(ctx)
ffi_gc(ctx, C.EVP_CIPHER_CTX_cleanup)
end
local ctx = C.EVP_CIPHER_CTX_new()
if ctx == nil then
return nil, "cipher.new: failed to create EVP_CIPHER_CTX"
end
ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
local ctyp
if OPENSSL_3X then

86
lib/resty/openssl/dh.lua
View file

@ -4,8 +4,6 @@ local C = ffi.C
require "resty.openssl.include.dh"
local bn_lib = require "resty.openssl.bn"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,45 +16,23 @@ function _M.get_parameters(dh_st)
return setmetatable(empty_table, {
__index = function(_, k)
local ptr, ret
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
ptr = bn_ptrptr_ct()
if k == 'p' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, ptr, nil, nil)
end
C.DH_get0_pqg(dh_st, ptr, nil, nil)
elseif k == 'q' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, nil, ptr, nil)
end
C.DH_get0_pqg(dh_st, nil, ptr, nil)
elseif k == 'g' then
if OPENSSL_11_OR_LATER then
C.DH_get0_pqg(dh_st, nil, nil, ptr)
end
C.DH_get0_pqg(dh_st, nil, nil, ptr)
elseif k == 'public' then
if OPENSSL_11_OR_LATER then
C.DH_get0_key(dh_st, ptr, nil)
end
k = "pub_key"
C.DH_get0_key(dh_st, ptr, nil)
elseif k == 'private' then
if OPENSSL_11_OR_LATER then
C.DH_get0_key(dh_st, nil, ptr)
end
k = "priv_key"
C.DH_get0_key(dh_st, nil, ptr)
else
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
end
if OPENSSL_11_OR_LATER then
ret = ptr[0]
elseif OPENSSL_10 then
ret = dh_st[k]
end
ret = ptr[0]
if ret == nil then
return nil
@ -85,52 +61,44 @@ function _M.set_parameters(dh_st, opts)
local cleanup_from_idx = 1
-- dup input
local do_set_key, do_set_pqg
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
goto cleanup_with_error
while true do -- luacheck: ignore
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
-- luacheck: ignore
err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
break
end
if k == "private" or k == "public" then
do_set_key = true
elseif k == "p" or k == "q" or k == "g" then
do_set_pqg = true
end
end
if k == "private" or k == "public" then
do_set_key = true
elseif k == "p" or k == "q" or k == "g" then
do_set_pqg = true
end
end
if OPENSSL_11_OR_LATER then
local code
if do_set_key then
code = C.DH_set0_key(dh_st, opts_bn["public"], opts_bn["private"])
if code == 0 then
err = format_error("dh.set_parameters: DH_set0_key")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 2
if do_set_pqg then
code = C.DH_set0_pqg(dh_st, opts_bn["p"], opts_bn["q"], opts_bn["g"])
if code == 0 then
err = format_error("dh.set_parameters: DH_set0_pqg")
goto cleanup_with_error
break
end
end
return true
elseif OPENSSL_10 then
for k, v in pairs(opts_bn) do
if k == "public" then
k = "pub_key"
elseif k == "private" then
k = "priv_key"
end
if dh_st[k] ~= nil then
C.BN_free(dh_st[k])
end
dh_st[k]= v
end
return true
end
::cleanup_with_error::
for i, k in pairs(_M.params) do
if i >= cleanup_from_idx then
C.BN_free(opts_bn[k])

13
lib/resty/openssl/digest.lua
View file

@ -7,8 +7,6 @@ require "resty.openssl.include.evp.md"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -17,17 +15,11 @@ local mt = {__index = _M}
local md_ctx_ptr_ct = ffi.typeof('EVP_MD_CTX*')
function _M.new(typ, properties)
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_MD_CTX_new()
ffi_gc(ctx, C.EVP_MD_CTX_free)
elseif OPENSSL_10 then
ctx = C.EVP_MD_CTX_create()
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
end
local ctx = C.EVP_MD_CTX_new()
if ctx == nil then
return nil, "digest.new: failed to create EVP_MD_CTX"
end
ffi_gc(ctx, C.EVP_MD_CTX_free)
local err_new = string.format("digest.new: invalid digest type \"%s\"", typ)
@ -37,6 +29,7 @@ function _M.new(typ, properties)
else
if OPENSSL_3X then
algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), typ or 'sha1', properties)
ffi_gc(algo, C.EVP_MD_free)
else
algo = C.EVP_get_digestbyname(typ or 'sha1')
end

39
lib/resty/openssl/ec.lua
View file

@ -5,11 +5,8 @@ local ffi_gc = ffi.gc
require "resty.openssl.include.ec"
local bn_lib = require "resty.openssl.bn"
local objects_lib = require "resty.openssl.objects"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local version_num = require("resty.openssl.version").version_num
local format_error = require("resty.openssl.err").format_error
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
@ -38,27 +35,12 @@ function _M.get_parameters(ec_key_st)
if point_form == nil then
return nil, format_error("ec.get_parameters: EC_KEY_get_conv_form")
end
if BORINGSSL then
local sz = tonumber(C.EC_POINT_point2oct(group, pub_point, point_form, nil, 0, bn_lib.bn_ctx_tmp))
if sz <= 0 then
return nil, format_error("ec.get_parameters: EC_POINT_point2oct")
end
local buf = ctypes.uchar_array(sz)
C.EC_POINT_point2oct(group, pub_point, point_form, buf, sz, bn_lib.bn_ctx_tmp)
buf = ffi.string(buf, sz)
local err
bn, err = bn_lib.from_binary(buf)
if bn == nil then
return nil, "ec.get_parameters: bn_lib.from_binary: " .. err
end
return bn
else
bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
if bn == nil then
return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
end
ffi_gc(bn, C.BN_free)
bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp)
if bn == nil then
return nil, format_error("ec.get_parameters: EC_POINT_point2bn")
end
ffi_gc(bn, C.BN_free)
elseif k == 'private' or k == "priv_key" then
-- get0, don't GC
bn = C.EC_KEY_get0_private_key(ec_key_st)
@ -72,17 +54,12 @@ function _M.get_parameters(ec_key_st)
return nil, "ec.get_parameters: BN_new() failed"
end
ffi_gc(bn, C.BN_free)
local f
if version_num >= 0x10101000 then
f = C.EC_POINT_get_affine_coordinates
else
f = C.EC_POINT_get_affine_coordinates_GFp
end
local code
if k == 'x' then
code = f(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
code = C.EC_POINT_get_affine_coordinates(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp)
else
code = f(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
code = C.EC_POINT_get_affine_coordinates(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp)
end
if code ~= 1 then
return nil, format_error("ec.get_parameters: EC_POINT_get_affine_coordinates")

13
lib/resty/openssl/hmac.lua
View file

@ -7,8 +7,6 @@ require "resty.openssl.include.hmac"
require "resty.openssl.include.evp.md"
local ctypes = require "resty.openssl.auxiliary.ctypes"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local _M = {}
@ -20,18 +18,11 @@ local hmac_ctx_ptr_ct = ffi.typeof('HMAC_CTX*')
-- Replace with EVP_MAC_* functions for OpenSSL 3.0
function _M.new(key, typ)
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.HMAC_CTX_new()
ffi_gc(ctx, C.HMAC_CTX_free)
elseif OPENSSL_10 then
ctx = ffi.new('HMAC_CTX')
C.HMAC_CTX_init(ctx)
ffi_gc(ctx, C.HMAC_CTX_cleanup)
end
local ctx = C.HMAC_CTX_new()
if ctx == nil then
return nil, "hmac.new: failed to create HMAC_CTX"
end
ffi_gc(ctx, C.HMAC_CTX_free)
local algo = C.EVP_get_digestbyname(typ or 'sha1')
if algo == nil then

36
lib/resty/openssl/include/asn1.lua
View file

@ -54,38 +54,10 @@ declare_asn1_functions("ASN1_OBJECT")
declare_asn1_functions("ASN1_STRING")
declare_asn1_functions("ASN1_ENUMERATED")
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
local ASN1_STRING_get0_data
if OPENSSL_11_OR_LATER then
ffi.cdef[[
const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
]]
ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
elseif OPENSSL_10 then
ffi.cdef[[
unsigned char *ASN1_STRING_data(ASN1_STRING *x);
typedef struct ASN1_ENCODING_st {
unsigned char *enc; /* DER encoding */
long len; /* Length of encoding */
int modified; /* set to 1 if 'enc' is invalid */
} ASN1_ENCODING;
]]
ASN1_STRING_get0_data = C.ASN1_STRING_data
end
if BORINGSSL_110 then
ffi.cdef [[
// required by resty/openssl/include/x509/crl.lua
typedef struct ASN1_ENCODING_st {
unsigned char *enc; /* DER encoding */
long len; /* Length of encoding */
int modified; /* set to 1 if 'enc' is invalid */
} ASN1_ENCODING;
]]
end
ffi.cdef[[
const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
]]
local ASN1_STRING_get0_data = C.ASN1_STRING_get0_data
return {
ASN1_STRING_get0_data = ASN1_STRING_get0_data,

2
lib/resty/openssl/include/bio.lua
View file

@ -9,5 +9,5 @@ ffi.cdef [[
BIO *BIO_new(const BIO_METHOD *type);
int BIO_free(BIO *a);
const BIO_METHOD *BIO_s_mem(void);
int BIO_read(BIO *b, void *data, int dlen);
// int BIO_read(BIO *b, void *data, int dlen);
]]

2
lib/resty/openssl/include/bn.lua
View file

@ -16,7 +16,7 @@ ffi.cdef(
void BN_free(BIGNUM *a);
BN_CTX *BN_CTX_new(void);
void BN_CTX_init(BN_CTX *c);
// void BN_CTX_init(BN_CTX *c);
void BN_CTX_free(BN_CTX *c);
BIGNUM *BN_dup(const BIGNUM *a);

34
lib/resty/openssl/include/crypto.lua
View file

@ -1,37 +1,19 @@
local ffi = require "ffi"
local C = ffi.C
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local OPENSSL_free
if OPENSSL_10 then
ffi.cdef [[
void CRYPTO_free(void *ptr);
]]
OPENSSL_free = C.CRYPTO_free
elseif BORINGSSL then
ffi.cdef [[
void OPENSSL_free(void *ptr);
]]
OPENSSL_free = C.OPENSSL_free
elseif OPENSSL_11_OR_LATER then
ffi.cdef [[
void CRYPTO_free(void *ptr, const char *file, int line);
]]
OPENSSL_free = function(ptr)
-- file and line is for debuggin only, since we can't know the c file info
-- the macro is expanded, just ignore this
C.CRYPTO_free(ptr, "", 0)
end
end
ffi.cdef [[
int FIPS_mode(void);
int FIPS_mode_set(int ONOFF);
void CRYPTO_free(void *ptr, const char *file, int line);
]]
local OPENSSL_free = function(ptr)
-- file and line is for debuggin only, since we can't know the c file info
-- the macro is expanded, just ignore this
C.CRYPTO_free(ptr, "", 0)
end
return {
OPENSSL_free = OPENSSL_free,
}

49
lib/resty/openssl/include/dh.lua
View file

@ -3,50 +3,15 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.objects"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
if OPENSSL_11_OR_LATER then
ffi.cdef [[
void DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
void DH_get0_key(const DH *dh,
const BIGNUM **pub_key, const BIGNUM **priv_key);
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
]]
elseif OPENSSL_10 then
ffi.cdef [[
struct dh_st {
/*
* This first argument is used to pick up errors when a DH is passed
* instead of a EVP_PKEY
*/
int pad;
int version;
BIGNUM *p;
BIGNUM *g;
long length; /* optional */
BIGNUM *pub_key; /* g^x */
BIGNUM *priv_key; /* x */
int flags;
/*BN_MONT_CTX*/ void *method_mont_p;
/* Place holders if we want to do X9.42 DH */
BIGNUM *q;
BIGNUM *j;
unsigned char *seed;
int seedlen;
BIGNUM *counter;
int references;
/* trimmer */
// CRYPTO_EX_DATA ex_data;
// const DH_METHOD *meth;
// ENGINE *engine;
};
]]
end
ffi.cdef [[
void DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
void DH_get0_key(const DH *dh,
const BIGNUM **pub_key, const BIGNUM **priv_key);
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
DH *DH_get_1024_160(void);
DH *DH_get_2048_224(void);
DH *DH_get_2048_256(void);

12
lib/resty/openssl/include/ec.lua
View file

@ -23,23 +23,13 @@ ffi.cdef [[
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
point_conversion_form_t form);
void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
// void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
int EC_GROUP_get_curve_name(const EC_GROUP *group);
void EC_GROUP_free(EC_GROUP *group);
BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
point_conversion_form_t form, BIGNUM *, BN_CTX *);
// for BoringSSL
size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
point_conversion_form_t form,
unsigned char *buf, size_t len, BN_CTX *ctx);
// OpenSSL < 1.1.1
int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
const EC_POINT *p,
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
// OpenSSL >= 1.1.1
int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn,

35
lib/resty/openssl/include/evp.lua
View file

@ -6,33 +6,18 @@ require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.err"
require "resty.openssl.include.objects"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
unsigned iterations, const EVP_MD *digest,
size_t key_len, uint8_t *out_key);
int EVP_PBE_scrypt(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
uint64_t N, uint64_t r, uint64_t p,
size_t max_mem, uint8_t *out_key,
size_t key_len);
]]
else
ffi.cdef [[
/* KDF */
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
const unsigned char *salt, int saltlen, int iter,
const EVP_MD *digest, int keylen, unsigned char *out);
ffi.cdef [[
/* KDF */
int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
const unsigned char *salt, int saltlen, int iter,
const EVP_MD *digest, int keylen, unsigned char *out);
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen);
]]
end
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen);
]]
if OPENSSL_3X then
require "resty.openssl.include.provider"

88
lib/resty/openssl/include/evp/cipher.lua
View file

@ -1,25 +1,22 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
// openssl < 3.0
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
// int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
// int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
// int *outl, const unsigned char *in, int inl);
// int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
// int *outl, const unsigned char *in, int inl);
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,
@ -38,24 +35,14 @@ ffi.cdef [[
void EVP_CIPHER_do_all_sorted(void (*fn)
(const EVP_CIPHER *ciph, const char *from,
const char *to, void *x), void *arg);
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const unsigned char *salt,
const unsigned char *data, int datal, int count,
unsigned char *key, unsigned char *iv);
]]
if BORINGSSL then
ffi.cdef [[
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const uint8_t *salt, const uint8_t *data,
size_t data_len, unsigned count, uint8_t *key,
uint8_t *iv);
]]
else
ffi.cdef [[
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const unsigned char *salt,
const unsigned char *data, int datal, int count,
unsigned char *key, unsigned char *iv);
]]
end
if OPENSSL_3X then
require "resty.openssl.include.provider"
@ -75,8 +62,8 @@ if OPENSSL_3X then
void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_cipher_provided_list_fn*,
void *arg);
int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
void EVP_CIPHER_free(EVP_CIPHER *cipher);
// int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
// void EVP_CIPHER_free(EVP_CIPHER *cipher);
const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher);
@ -85,39 +72,12 @@ if OPENSSL_3X then
int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
]]
else
ffi.cdef [[
int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
]]
end
if OPENSSL_11_OR_LATER then
ffi.cdef [[
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c);
]]
elseif OPENSSL_10 then
ffi.cdef [[
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
// # define EVP_MAX_IV_LENGTH 16
// # define EVP_MAX_BLOCK_LENGTH 32
struct evp_cipher_ctx_st {
const EVP_CIPHER *cipher;
ENGINE *engine; /* functional reference if 'cipher' is
* ENGINE-provided */
int encrypt; /* encrypt or decrypt */
int buf_len; /* number we have left */
unsigned char oiv[16]; /* original iv EVP_MAX_IV_LENGTH */
unsigned char iv[16]; /* working iv EVP_MAX_IV_LENGTH */
unsigned char buf[32]; /* saved partial block EVP_MAX_BLOCK_LENGTH */
int num; /* used by cfb/ofb/ctr mode */
void *app_data; /* application stuff */
int key_len; /* May change for variable length cipher */
unsigned long flags; /* Various flags */
void *cipher_data; /* per EVP data */
int final_used;
int block_mask;
unsigned char final[32]; /* possible final block EVP_MAX_BLOCK_LENGTH */
} /* EVP_CIPHER_CTX */ ;
]]
end

7
lib/resty/openssl/include/evp/kdf.lua
View file

@ -7,7 +7,6 @@ require "resty.openssl.include.evp.md"
local evp = require("resty.openssl.include.evp")
local ctypes = require "resty.openssl.auxiliary.ctypes"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local void_ptr = ctypes.void_ptr
@ -27,7 +26,7 @@ if OPENSSL_3X then
void EVP_KDF_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_kdf_provided_list_fn*,
void *arg);
int EVP_KDF_up_ref(EVP_KDF *kdf);
// int EVP_KDF_up_ref(EVP_KDF *kdf);
void EVP_KDF_free(EVP_KDF *kdf);
const char *EVP_KDF_get0_name(const EVP_KDF *kdf);
@ -46,11 +45,7 @@ if OPENSSL_3X then
int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]);
const OSSL_PARAM *EVP_KDF_CTX_gettable_params(const EVP_KDF_CTX *ctx);
const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF_CTX *ctx);
]]
end
if OPENSSL_3X or BORINGSSL then
ffi.cdef [[
int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx,
const unsigned char *sec, int seclen);

2
lib/resty/openssl/include/evp/mac.lua
View file

@ -26,7 +26,7 @@ ffi.cdef [[
void EVP_MAC_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_mac_provided_list_fn*,
void *arg);
int EVP_MAC_up_ref(EVP_MAC *mac);
// int EVP_MAC_up_ref(EVP_MAC *mac);
void EVP_MAC_free(EVP_MAC *mac);
const char *EVP_MAC_get0_name(const EVP_MAC *mac);

43
lib/resty/openssl/include/evp/md.lua
View file

@ -1,8 +1,6 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
ffi.cdef [[
@ -19,9 +17,9 @@ ffi.cdef [[
unsigned int *s);
const EVP_MD *EVP_md_null(void);
// openssl < 3.0
int EVP_MD_size(const EVP_MD *md);
int EVP_MD_type(const EVP_MD *md);
EVP_MD_CTX *EVP_MD_CTX_new(void);
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
typedef void* fake_openssl_md_list_fn(const EVP_MD *ciph, const char *from,
const char *to, void *x);
@ -45,7 +43,7 @@ if OPENSSL_3X then
void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
fake_openssl_md_provided_list_fn*,
void *arg);
int EVP_MD_up_ref(EVP_MD *md);
// int EVP_MD_up_ref(EVP_MD *md);
void EVP_MD_free(EVP_MD *md);
const char *EVP_MD_get0_name(const EVP_MD *md);
@ -55,32 +53,9 @@ if OPENSSL_3X then
int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx);
]]
else
ffi.cdef [[
int EVP_MD_size(const EVP_MD *md);
int EVP_MD_type(const EVP_MD *md);
]]
end
if OPENSSL_11_OR_LATER then
ffi.cdef [[
EVP_MD_CTX *EVP_MD_CTX_new(void);
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
]]
elseif OPENSSL_10 then
ffi.cdef [[
EVP_MD_CTX *EVP_MD_CTX_create(void);
void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
// crypto/evp/evp.h
// only needed for openssl 1.0.x where initializer for HMAC_CTX is not avaiable
// HACK: renamed from env_md_ctx_st to evp_md_ctx_st to match typedef (lazily)
// it's an internal struct thus name is not exported so we will be fine
struct evp_md_ctx_st {
const EVP_MD *digest;
ENGINE *engine; /* functional reference if 'digest' is
* ENGINE-provided */
unsigned long flags;
void *md_data;
/* Public key context for sign/verify */
EVP_PKEY_CTX *pctx;
/* Update function: usually copied from EVP_MD */
int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
} /* EVP_MD_CTX */ ;
]]
end

66
lib/resty/openssl/include/evp/pkey.lua
View file

@ -4,9 +4,7 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.evp.md"
local evp = require("resty.openssl.include.evp")
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
EVP_PKEY *EVP_PKEY_new(void);
@ -28,8 +26,8 @@ ffi.cdef [[
int cmd, int p1, void *p2);
// TODO replace EVP_PKEY_CTX_ctrl with EVP_PKEY_CTX_ctrl_str to reduce
// some hardcoded macros
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
const char *value);
// int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
// const char *value);
int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
@ -85,6 +83,8 @@ ffi.cdef [[
int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
]]
local _M = {}
if OPENSSL_3X then
require "resty.openssl.include.provider"
@ -94,55 +94,6 @@ if OPENSSL_3X then
int EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_get_size(const EVP_PKEY *pkey);
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
]]
end
if OPENSSL_10 then
ffi.cdef [[
// crypto/evp/evp.h
// only needed for openssl 1.0.x where getters are not available
// needed to get key to extract parameters
// Note: this struct is trimmed
struct evp_pkey_st {
int type;
int save_type;
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *engine;
ENGINE *pmeth_engine;
union {
void *ptr;
struct rsa_st *rsa;
struct dsa_st *dsa;
struct dh_st *dh;
struct ec_key_st *ec;
} pkey;
// trimmed
// CRYPTO_REF_COUNT references;
// CRYPTO_RWLOCK *lock;
// STACK_OF(X509_ATTRIBUTE) *attributes;
// int save_parameters;
// struct {
// EVP_KEYMGMT *keymgmt;
// void *provkey;
// } pkeys[10];
// size_t dirty_cnt_copy;
};
]]
end
local _M = {}
if OPENSSL_3X or BORINGSSL then
ffi.cdef [[
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
@ -153,7 +104,16 @@ if OPENSSL_3X or BORINGSSL then
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits);
const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
// const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey);
int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]);
int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx);
]]
_M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid)
return C.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid)
end

43
lib/resty/openssl/include/hmac.lua
View file

@ -2,47 +2,16 @@ local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.evp"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl);
]]
else
ffi.cdef [[
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
const EVP_MD *md, ENGINE *impl);
]]
end
ffi.cdef [[
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
const EVP_MD *md, ENGINE *impl);
int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
size_t len);
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
unsigned int *len);
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
]]
elseif OPENSSL_10 then
ffi.cdef [[
// # define HMAC_MAX_MD_CBLOCK 128/* largest known is SHA512 */
struct hmac_ctx_st {
const EVP_MD *md;
EVP_MD_CTX md_ctx;
EVP_MD_CTX i_ctx;
EVP_MD_CTX o_ctx;
unsigned int key_length;
unsigned char key[128];
};
void HMAC_CTX_init(HMAC_CTX *ctx);
void HMAC_CTX_cleanup(HMAC_CTX *ctx);
]]
end

2
lib/resty/openssl/include/param.lua
View file

@ -15,7 +15,7 @@ ffi.cdef [[
OSSL_PARAM OSSL_PARAM_construct_uint(const char *key, unsigned int *buf);
OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
size_t bsize);
OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
// OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf);
OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf,
size_t bsize);
OSSL_PARAM OSSL_PARAM_construct_octet_string(const char *key, void *buf,

8
lib/resty/openssl/include/rand.lua
View file

@ -2,14 +2,8 @@ local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
if BORINGSSL then
ffi.cdef [[
int RAND_bytes(uint8_t *buf, size_t num);
int RAND_priv_bytes(uint8_t *buf, size_t num);
]]
elseif OPENSSL_3X then
if OPENSSL_3X then
ffi.cdef [[
int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num,
unsigned int strength);

63
lib/resty/openssl/include/rsa.lua
View file

@ -1,63 +1,24 @@
local ffi = require "ffi"
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
ffi.cdef [[
RSA *RSA_new(void);
void RSA_free(RSA *r);
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
void RSA_get0_crt_params(const RSA *r,
const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp);
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
struct rsa_st;
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
void RSA_get0_crt_params(const RSA *r,
const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp);
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
struct rsa_st;
]]
elseif OPENSSL_10 then
ffi.cdef [[
// crypto/rsa/rsa_locl.h
// needed to extract parameters
// Note: this struct is trimmed
struct rsa_st {
int pad;
// the following has been changed in OpenSSL 1.1.x to int32_t
long version;
const RSA_METHOD *meth;
ENGINE *engine;
BIGNUM *n;
BIGNUM *e;
BIGNUM *d;
BIGNUM *p;
BIGNUM *q;
BIGNUM *dmp1;
BIGNUM *dmq1;
BIGNUM *iqmp;
// trimmed
// CRYPTO_EX_DATA ex_data;
// int references;
// int flags;
// BN_MONT_CTX *_method_mod_n;
// BN_MONT_CTX *_method_mod_p;
// BN_MONT_CTX *_method_mod_q;
// char *bignum_data;
// BN_BLINDING *blinding;
// BN_BLINDING *mt_blinding;
};
]]
end
return {
paddings = {
RSA_PKCS1_PADDING = 1,

34
lib/resty/openssl/include/ssl.lua
View file

@ -4,12 +4,11 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.stack"
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
ffi.cdef [[
// SSL_METHOD
typedef struct ssl_method_st SSL_METHOD;
const SSL_METHOD *TLS_method(void);
// const SSL_METHOD *TLS_method(void);
const SSL_METHOD *TLS_server_method(void);
// SSL_CIPHER
@ -53,7 +52,7 @@ ffi.cdef [[
long SSL_get_options(SSL *ssl);
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_get_ciphers(const SSL *ssl);
/*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
// /*STACK_OF(SSL_CIPHER)*/ OPENSSL_STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
OPENSSL_STACK *SSL_get_peer_cert_chain(const SSL *ssl);
typedef int (*verify_callback)(int preverify_ok, X509_STORE_CTX *x509_ctx);
@ -75,36 +74,15 @@ else
]]
end
if BORINGSSL then
ffi.cdef [[
int SSL_set_min_proto_version(SSL *ssl, int version);
int SSL_set_max_proto_version(SSL *ssl, int version);
]]
end
local SSL_CTRL_SET_MIN_PROTO_VERSION = 123
local SSL_CTRL_SET_MAX_PROTO_VERSION = 124
local SSL_set_min_proto_version
if BORINGSSL then
SSL_set_min_proto_version = function(ctx, version)
return C.SSL_set_min_proto_version(ctx, version)
end
else
SSL_set_min_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil)
end
local SSL_set_min_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil)
end
local SSL_set_max_proto_version
if BORINGSSL then
SSL_set_max_proto_version = function(ctx, version)
return C.SSL_set_max_proto_version(ctx, version)
end
else
SSL_set_max_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil)
end
local SSL_set_max_proto_version = function(ctx, version)
return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil)
end
return {

97
lib/resty/openssl/include/stack.lua
View file

@ -6,90 +6,25 @@
]]
local ffi = require "ffi"
local C = ffi.C
require "resty.openssl.include.ossl_typ"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
ffi.cdef [[
typedef char *OPENSSL_STRING;
typedef struct stack_st OPENSSL_STACK;
OPENSSL_STACK *OPENSSL_sk_new_null(void);
int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data);
void OPENSSL_sk_pop_free(OPENSSL_STACK *st, void (*func) (void *));
int OPENSSL_sk_num(const OPENSSL_STACK *);
void *OPENSSL_sk_value(const OPENSSL_STACK *, int);
OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
void OPENSSL_sk_free(OPENSSL_STACK *);
// void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
typedef void (*OPENSSL_sk_freefunc)(void *);
typedef void *(*OPENSSL_sk_copyfunc)(const void *);
OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *,
OPENSSL_sk_copyfunc c,
OPENSSL_sk_freefunc f);
]]
if OPENSSL_11_OR_LATER and not BORINGSSL then
ffi.cdef [[
typedef struct stack_st OPENSSL_STACK;
OPENSSL_STACK *OPENSSL_sk_new_null(void);
int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data);
void OPENSSL_sk_pop_free(OPENSSL_STACK *st, void (*func) (void *));
int OPENSSL_sk_num(const OPENSSL_STACK *);
void *OPENSSL_sk_value(const OPENSSL_STACK *, int);
OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
void OPENSSL_sk_free(OPENSSL_STACK *);
void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc);
typedef void (*OPENSSL_sk_freefunc)(void *);
typedef void *(*OPENSSL_sk_copyfunc)(const void *);
OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *,
OPENSSL_sk_copyfunc c,
OPENSSL_sk_freefunc f);
]]
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
_M.OPENSSL_sk_new_null = C.OPENSSL_sk_new_null
_M.OPENSSL_sk_push = C.OPENSSL_sk_push
_M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free
_M.OPENSSL_sk_num = C.OPENSSL_sk_num
_M.OPENSSL_sk_value = C.OPENSSL_sk_value
_M.OPENSSL_sk_dup = C.OPENSSL_sk_dup
_M.OPENSSL_sk_delete = C.OPENSSL_sk_delete
_M.OPENSSL_sk_free = C.OPENSSL_sk_free
_M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy
elseif OPENSSL_10 or BORINGSSL then
ffi.cdef [[
typedef struct stack_st _STACK;
// i made this up
typedef struct stack_st OPENSSL_STACK;
_STACK *sk_new_null(void);
void sk_pop_free(_STACK *st, void (*func) (void *));
_STACK *sk_dup(_STACK *st);
void sk_free(_STACK *st);
_STACK *sk_deep_copy(_STACK *, void *(*)(void *), void (*)(void *));
]]
if BORINGSSL then -- indices are using size_t instead of int
ffi.cdef [[
size_t sk_push(_STACK *st, void *data);
size_t sk_num(const _STACK *);
void *sk_value(const _STACK *, size_t);
void *sk_delete(_STACK *st, size_t loc);
]]
else -- normal OpenSSL 1.0
ffi.cdef [[
int sk_push(_STACK *st, void *data);
int sk_num(const _STACK *);
void *sk_value(const _STACK *, int);
void *sk_delete(_STACK *st, int loc);
]]
end
_M.OPENSSL_sk_pop_free = C.sk_pop_free
_M.OPENSSL_sk_new_null = C.sk_new_null
_M.OPENSSL_sk_push = function(...) return tonumber(C.sk_push(...)) end
_M.OPENSSL_sk_pop_free = C.sk_pop_free
_M.OPENSSL_sk_num = function(...) return tonumber(C.sk_num(...)) end
_M.OPENSSL_sk_value = C.sk_value
_M.OPENSSL_sk_delete = C.sk_delete
_M.OPENSSL_sk_dup = C.sk_dup
_M.OPENSSL_sk_free = C.sk_free
_M.OPENSSL_sk_deep_copy = C.sk_deep_copy
end
return _M

59
lib/resty/openssl/include/x509/crl.lua
View file

@ -8,10 +8,6 @@ require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509_CRL", asn1_macro.has_new_ex)
ffi.cdef [[
@ -22,7 +18,7 @@ ffi.cdef [[
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
// void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
@ -35,52 +31,21 @@ ffi.cdef [[
int X509_CRL_get0_by_serial(X509_CRL *crl,
X509_REVOKED **ret, ASN1_INTEGER *serial);
int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
// int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
//STACK_OF(X509_REVOKED)
OPENSSL_STACK *X509_CRL_get_REVOKED(X509_CRL *crl);
int X509_CRL_get0_by_serial(X509_CRL *crl,
X509_REVOKED **ret, ASN1_INTEGER *serial);
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
/*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
/*const*/ ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
long X509_CRL_get_version(const X509_CRL *crl);
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
int X509_CRL_get_signature_nid(const X509_CRL *crl);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
/*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
/*const*/ ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
long X509_CRL_get_version(const X509_CRL *crl);
X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
int X509_CRL_get_signature_nid(const X509_CRL *crl);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
ffi.cdef [[
typedef struct X509_crl_info_st {
ASN1_INTEGER *version;
X509_ALGOR *sig_alg;
X509_NAME *issuer;
ASN1_TIME *lastUpdate;
ASN1_TIME *nextUpdate;
// STACK_OF(X509_REVOKED)
OPENSSL_STACK *revoked;
// STACK_OF(X509_EXTENSION)
OPENSSL_STACK /* [0] */ *extensions;
ASN1_ENCODING enc;
} X509_CRL_INFO;
// Note: this struct is trimmed
struct X509_crl_st {
/* actual signature */
X509_CRL_INFO *crl;
// trimmed
} /* X509_CRL */ ;
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
]]
end

49
lib/resty/openssl/include/x509/csr.lua
View file

@ -8,10 +8,7 @@ require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509_REQ", asn1_macro.has_new_ex)
@ -23,18 +20,17 @@ ffi.cdef [[
int X509_REQ_set_version(X509_REQ *x, long version);
int X509_REQ_get_attr_count(const X509_REQ *req);
int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
// int X509_REQ_get_attr_count(const X509_REQ *req);
// int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
int *X509_REQ_get_extension_nids(void);
// int *X509_REQ_get_extension_nids(void);
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@ -48,41 +44,16 @@ ffi.cdef [[
int X509_REQ_add_extensions(X509_REQ *req, OPENSSL_STACK *exts);
int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
long X509_REQ_get_version(const X509_REQ *req);
int X509_REQ_get_signature_nid(const X509_REQ *crl);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
long X509_REQ_get_version(const X509_REQ *req);
int X509_REQ_get_signature_nid(const X509_REQ *crl);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
ffi.cdef [[
typedef struct X509_req_info_st {
ASN1_ENCODING enc;
ASN1_INTEGER *version;
X509_NAME *subject;
/*X509_PUBKEY*/ void *pubkey;
/* d=2 hl=2 l= 0 cons: cont: 00 */
/*STACK_OF(X509_ATTRIBUTE)*/ OPENSSL_STACK *attributes; /* [ 0 ] */
} X509_REQ_INFO;
// Note: this struct is trimmed
typedef struct X509_req_st {
X509_REQ_INFO *req_info;
X509_ALGOR *sig_alg;
// trimmed
//ASN1_BIT_STRING *signature;
//int references;
} X509_REQ;
]]
end
if OPENSSL_3X then
ffi.cdef [[
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
const char *propq);
// int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
// const char *propq);
]]
end

85
lib/resty/openssl/include/x509/init.lua
View file

@ -6,10 +6,6 @@ require "resty.openssl.include.pem"
require "resty.openssl.include.stack"
local asn1_macro = require "resty.openssl.include.asn1"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
asn1_macro.declare_asn1_functions("X509", asn1_macro.has_new_ex)
ffi.cdef [[
@ -65,74 +61,17 @@ ffi.cdef [[
int X509_get_signature_nid(const X509 *x);
unsigned char *X509_alias_get0(X509 *x, int *len);
unsigned char *X509_keyid_get0(X509 *x, int *len);
// unsigned char *X509_keyid_get0(X509 *x, int *len);
int X509_check_private_key(X509 *x, EVP_PKEY *k);
int X509_up_ref(X509 *a);
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
/*const*/ ASN1_TIME *X509_get0_notBefore(const X509 *x);
/*const*/ ASN1_TIME *X509_get0_notAfter(const X509 *x);
long X509_get_version(const X509 *x);
const ASN1_INTEGER *X509_get0_serialNumber(X509 *x);
X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
]]
if OPENSSL_11_OR_LATER then
ffi.cdef [[
int X509_up_ref(X509 *a);
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
/*const*/ ASN1_TIME *X509_get0_notBefore(const X509 *x);
/*const*/ ASN1_TIME *X509_get0_notAfter(const X509 *x);
long X509_get_version(const X509 *x);
const ASN1_INTEGER *X509_get0_serialNumber(X509 *x);
X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
]]
elseif OPENSSL_10 then
ffi.cdef [[
// STACK_OF(X509_EXTENSION)
X509_EXTENSION *X509v3_delete_ext(OPENSSL_STACK *x, int loc);
]]
end
if OPENSSL_10 or BORINGSSL_110 then
-- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros)
ffi.cdef [[
// crypto/x509/x509.h
typedef struct X509_val_st {
ASN1_TIME *notBefore;
ASN1_TIME *notAfter;
} X509_VAL;
typedef struct X509_algor_st {
ASN1_OBJECT *algorithm;
ASN1_TYPE *parameter;
} X509_ALGOR;
// Note: this struct is trimmed
typedef struct x509_cinf_st {
/*ASN1_INTEGER*/ void *version;
/*ASN1_INTEGER*/ void *serialNumber;
X509_ALGOR *signature;
X509_NAME *issuer;
X509_VAL *validity;
X509_NAME *subject;
/*X509_PUBKEY*/ void *key;
/*ASN1_BIT_STRING*/ void *issuerUID; /* [ 1 ] optional in v2 */
/*ASN1_BIT_STRING*/ void *subjectUID; /* [ 2 ] optional in v2 */
/*STACK_OF(X509_EXTENSION)*/ OPENSSL_STACK *extensions; /* [ 3 ] optional in v3 */
// trimmed
// ASN1_ENCODING enc;
} X509_CINF;
// Note: this struct is trimmed
struct x509_st {
X509_CINF *cert_info;
// trimmed
} X509;
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
ASN1_INTEGER *X509_get_serialNumber(X509 *x);
]]
end
if BORINGSSL_110 then
ffi.cdef [[
ASN1_TIME *X509_get_notBefore(const X509 *x);
ASN1_TIME *X509_get_notAfter(const X509 *x);
]]
end

64
lib/resty/openssl/include/x509_vfy.lua
View file

@ -3,20 +3,16 @@ local C = ffi.C
require "resty.openssl.include.ossl_typ"
require "resty.openssl.include.stack"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
ffi.cdef [[
X509_STORE *X509_STORE_new(void);
void X509_STORE_free(X509_STORE *v);
/* int X509_STORE_lock(X509_STORE *ctx);
int X509_STORE_unlock(X509_STORE *ctx);
int X509_STORE_up_ref(X509_STORE *v);
// int X509_STORE_lock(X509_STORE *ctx);
// int X509_STORE_unlock(X509_STORE *ctx);
// int X509_STORE_up_ref(X509_STORE *v);
// STACK_OF(X509_OBJECT)
OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);*/
// OPENSSL_STACK *X509_STORE_get0_objects(X509_STORE *v);
int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
@ -39,14 +35,25 @@ ffi.cdef [[
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
// int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
// STACK_OF(X509_CRL)
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
// void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
int X509_PURPOSE_get_by_sname(char *sname);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
int X509_PURPOSE_get_id(const X509_PURPOSE *xp);
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]]
local _M = {
@ -76,45 +83,16 @@ local _M = {
},
}
if OPENSSL_10 or BORINGSSL_110 then
ffi.cdef [[
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
]];
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get_chain
elseif OPENSSL_11_OR_LATER then
ffi.cdef [[
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get0_chain
end
-- these two apis are supported from 1.1.0 but not supported by boringssl
if not BORINGSSL then
if OPENSSL_11_OR_LATER then
ffi.cdef [[
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
end
end
if OPENSSL_3X then
ffi.cdef [[
X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
const char *propq);
/* int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
OSSL_LIB_CTX *libctx, const char *propq); */
// int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
// OSSL_LIB_CTX *libctx, const char *propq);
// int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
// OSSL_LIB_CTX *libctx, const char *propq);
int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
const char *dir, OSSL_LIB_CTX *libctx,
const char *propq);

4
lib/resty/openssl/include/x509v3.lua
View file

@ -61,8 +61,8 @@ ffi.cdef [[
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
const char *value);
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
const char *value);
// X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
// const char *value);
int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
int indent);

64
lib/resty/openssl/kdf.lua
View file

@ -10,9 +10,7 @@ require("resty.openssl.include.evp.pkey")
local kdf_macro = require "resty.openssl.include.evp.kdf"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local version_num = require("resty.openssl.version").version_num
local version_text = require("resty.openssl.version").version_text
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local ctypes = require "resty.openssl.auxiliary.ctypes"
@ -26,23 +24,17 @@ OpenSSL 3.0 additionally provides Single Step KDF, SSH KDF, PBKDF2, Scrypt, HKDF
From OpenSSL 3.0 the recommended way of performing key derivation is to use the EVP_KDF functions. If compatibility with OpenSSL 1.1.1 is required then a limited set of KDFs can be used via EVP_PKEY_derive.
]]
local NID_id_pbkdf2 = -1
local NID_id_scrypt = -2
local NID_tls1_prf = -3
local NID_hkdf = -4
if version_num >= 0x10002000 then
NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
assert(NID_id_pbkdf2 > 0)
end
if version_num >= 0x10100000 and not BORINGSSL then
NID_hkdf = C.OBJ_txt2nid("HKDF")
assert(NID_hkdf > 0)
NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
assert(NID_tls1_prf > 0)
-- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0
NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
assert(NID_id_scrypt > 0)
end
local NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2")
assert(NID_id_pbkdf2 > 0)
local NID_hkdf = C.OBJ_txt2nid("HKDF")
assert(NID_hkdf > 0)
local NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF")
assert(NID_tls1_prf > 0)
-- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0
local NID_id_scrypt = C.OBJ_txt2nid("id-scrypt")
assert(NID_id_scrypt > 0)
local _M = {
HKDEF_MODE_EXTRACT_AND_EXPAND = kdf_macro.EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND,
@ -93,7 +85,7 @@ end
local function check_hkdf_options(opt)
local mode = opt.hkdf_mode
if not mode or version_num < 0x10101000 then
if not mode then
mode = _M.HKDEF_MODE_EXTRACT_AND_EXPAND
end
@ -184,11 +176,6 @@ function _M.derive(options)
-- begin legacay low level routines
local code
if typ == NID_id_pbkdf2 then
-- make openssl 1.0.2 happy
if version_num < 0x10100000 and not options.pass then
options.pass = ""
pass_len = 0
end
-- https://www.openssl.org/docs/man1.1.0/man3/PKCS5_PBKDF2_HMAC.html
local iter = options.pbkdf2_iter
if iter < 1 then
@ -257,22 +244,18 @@ function _M.derive(options)
return nil, format_error("kdf.derive: EVP_PKEY_CTX_add1_hkdf_info")
end
if options.hkdf_mode then
if version_num >= 0x10101000 then
if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then
return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode")
if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then
return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode")
end
if options.hkdf_mode == _M.HKDEF_MODE_EXTRACT_ONLY then
local md_size = OPENSSL_3X and C.EVP_MD_get_size(md) or C.EVP_MD_size(md)
if options.outlen ~= md_size then
options.outlen = md_size
ngx.log(ngx.WARN, "hkdf_mode EXTRACT_ONLY outputs fixed length of ", md_size,
" key, ignoring options.outlen")
end
if options.hkdf_mode == _M.HKDEF_MODE_EXTRACT_ONLY then
local md_size = OPENSSL_3X and C.EVP_MD_get_size(md) or C.EVP_MD_size(md)
if options.outlen ~= md_size then
options.outlen = md_size
ngx.log(ngx.WARN, "hkdf_mode EXTRACT_ONLY outputs fixed length of ", md_size,
" key, ignoring options.outlen")
end
outlen[0] = md_size
buf = ctypes.uchar_array(md_size)
end
else
ngx.log(ngx.WARN, "hkdf_mode is not effective in ", version_text)
outlen[0] = md_size
buf = ctypes.uchar_array(md_size)
end
end
else
@ -307,6 +290,7 @@ function _M.new(typ, properties)
if algo == nil then
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
end
ffi_gc(algo, C.EVP_KDF_free)
local ctx = C.EVP_KDF_CTX_new(algo)
if ctx == nil then

1
lib/resty/openssl/mac.lua
View file

@ -29,6 +29,7 @@ function _M.new(key, typ, cipher, digest, properties)
if algo == nil then
return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
end
ffi_gc(algo, C.EVP_MAC_free)
local ctx = C.EVP_MAC_CTX_new(algo)
if ctx == nil then

18
lib/resty/openssl/pkcs12.lua
View file

@ -5,15 +5,14 @@ local ffi_str = ffi.string
require "resty.openssl.include.pkcs12"
require "resty.openssl.include.bio"
require "resty.openssl.include.stack"
local bio_util = require "resty.openssl.auxiliary.bio"
local format_error = require("resty.openssl.err").format_error
local pkey_lib = require "resty.openssl.pkey"
local x509_lib = require "resty.openssl.x509"
local stack_macro = require "resty.openssl.include.stack"
local stack_lib = require "resty.openssl.stack"
local objects_lib = require "resty.openssl.objects"
local ctx_lib = require "resty.openssl.ctx"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local stack_of_x509_new = stack_lib.new_of("X509")
@ -54,7 +53,7 @@ local function decode(p12, passphrase)
end
local cacerts
local n = stack_macro.OPENSSL_sk_num(stack)
local n = C.OPENSSL_sk_num(stack)
if n > 0 then
cacerts = {}
local iter = stack_of_x509_iter({ ctx = stack })
@ -123,23 +122,14 @@ local function encode(opts, passphrase, properties)
-- stack lib handles gc
x509stack = stack_of_x509_new()
for _, c in ipairs(cacerts) do
if not OPENSSL_10 then
if C.X509_up_ref(c.ctx) ~= 1 then
return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed"
end
if C.X509_up_ref(c.ctx) ~= 1 then
return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed"
end
local ok, err = stack_of_x509_add(x509stack, c.ctx)
if not ok then
return nil, "pkcs12.encode: failed to add cacerts: " .. err
end
end
if OPENSSL_10 then
-- OpenSSL 1.0.2 doesn't have X509_up_ref
-- shallow copy the stack, up_ref for each element
x509stack = C.X509_chain_up_ref(x509stack)
-- use the shallow gc
ffi_gc(x509stack, stack_macro.OPENSSL_sk_free)
end
end
end

67
lib/resty/openssl/pkey.lua
View file

@ -27,10 +27,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
local ecdsa_util = require "resty.openssl.auxiliary.ecdsa"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_111_OR_LATER = require("resty.openssl.version").OPENSSL_111_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local ptr_of_uint = ctypes.ptr_of_uint
local ptr_of_size_t = ctypes.ptr_of_size_t
@ -40,20 +37,11 @@ local null = ctypes.null
local load_pem_args = { null, null, null }
local load_der_args = { null }
local get_pkey_key
if OPENSSL_11_OR_LATER then
get_pkey_key = {
[evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end,
[evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end,
[evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end
}
else
get_pkey_key = {
[evp_macro.EVP_PKEY_RSA] = function(ctx) return ctx.pkey and ctx.pkey.rsa end,
[evp_macro.EVP_PKEY_EC] = function(ctx) return ctx.pkey and ctx.pkey.ec end,
[evp_macro.EVP_PKEY_DH] = function(ctx) return ctx.pkey and ctx.pkey.dh end,
}
end
local get_pkey_key = {
[evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end,
[evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end,
[evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end
}
local load_rsa_key_funcs
@ -212,17 +200,18 @@ local function generate_param(key_type, config)
if nid == 0 then
return nil, "unknown curve " .. curve
end
if pkey_macro.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 then
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: curve_nid")
end
if not BORINGSSL then
-- use the named-curve encoding for best backward-compatibilty
-- and for playing well with go:crypto/x509
-- # define OPENSSL_EC_NAMED_CURVE 0x001
if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
end
-- use the named-curve encoding for best backward-compatibilty
-- and for playing well with go:crypto/x509
-- # define OPENSSL_EC_NAMED_CURVE 0x001
if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then
return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc")
end
elseif key_type == evp_macro.EVP_PKEY_DH then
local bits = config.bits
if not config.param and not bits then
@ -530,10 +519,6 @@ function _M:get_key_type()
end
function _M:get_default_digest_type()
if BORINGSSL then
return nil, "BoringSSL doesn't have default digest for pkey"
end
local nid = ptr_of_int()
local code = C.EVP_PKEY_get_default_digest_nid(self.ctx, nid)
if code == -2 then
@ -788,14 +773,6 @@ function _M:sign(digest, md_alg, padding, opts)
end
ret = ffi_str(self.buf, length[0])
elseif type(digest) == "string" then
if not OPENSSL_111_OR_LATER and not BORINGSSL then
-- we can still support earilier version with *Update and *Final
-- but we choose to not relying on the legacy interface for simplicity
return nil, "pkey:sign: new-style sign only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
return nil, "pkey:sign: BoringSSL doesn't provide default digest, md_alg must be specified"
end
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestSignInit, md_alg, padding, opts)
if err then
return nil, err
@ -811,10 +788,6 @@ function _M:sign(digest, md_alg, padding, opts)
end
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
if not OPENSSL_11_OR_LATER then
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
end
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
ret, err = ecdsa_util.sig_der2raw(ret, ec_key)
@ -833,10 +806,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
local err
if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then
if not OPENSSL_11_OR_LATER then
return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later"
end
local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx)
signature, err = ecdsa_util.sig_raw2der(signature, ec_key)
@ -849,14 +818,6 @@ function _M:verify(signature, digest, md_alg, padding, opts)
if digest_lib.istype(digest) then
code = C.EVP_VerifyFinal(digest.ctx, signature, #signature, self.ctx)
elseif type(digest) == "string" then
if not OPENSSL_111_OR_LATER and not BORINGSSL then
-- we can still support earilier version with *Update and *Final
-- but we choose to not relying on the legacy interface for simplicity
return nil, "pkey:verify: new-style verify only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later"
elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then
return nil, "pkey:verify: BoringSSL doesn't provide default digest, md_alg must be specified"
end
local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestVerifyInit, md_alg, padding, opts)
if err then
return nil, err
@ -868,7 +829,7 @@ function _M:verify(signature, digest, md_alg, padding, opts)
end
if code == 0 then
return false, nil
return false, format_error("pkey:verify")
elseif code == 1 then
return true, nil
end

94
lib/resty/openssl/rsa.lua
View file

@ -2,9 +2,6 @@ local ffi = require "ffi"
local C = ffi.C
local bn_lib = require "resty.openssl.bn"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,51 +15,29 @@ function _M.get_parameters(rsa_st)
return setmetatable(empty_table, {
__index = function(_, k)
local ptr, ret
if OPENSSL_11_OR_LATER then
ptr = bn_ptrptr_ct()
end
ptr = bn_ptrptr_ct()
if k == 'n' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, ptr, nil, nil)
end
C.RSA_get0_key(rsa_st, ptr, nil, nil)
elseif k == 'e' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, nil, ptr, nil)
end
C.RSA_get0_key(rsa_st, nil, ptr, nil)
elseif k == 'd' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_key(rsa_st, nil, nil, ptr)
end
C.RSA_get0_key(rsa_st, nil, nil, ptr)
elseif k == 'p' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_factors(rsa_st, ptr, nil)
end
C.RSA_get0_factors(rsa_st, ptr, nil)
elseif k == 'q' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_factors(rsa_st, nil, ptr)
end
C.RSA_get0_factors(rsa_st, nil, ptr)
elseif k == 'dmp1' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, ptr, nil, nil)
end
C.RSA_get0_crt_params(rsa_st, ptr, nil, nil)
elseif k == 'dmq1' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, nil, ptr, nil)
end
C.RSA_get0_crt_params(rsa_st, nil, ptr, nil)
elseif k == 'iqmp' then
if OPENSSL_11_OR_LATER then
C.RSA_get0_crt_params(rsa_st, nil, nil, ptr)
end
C.RSA_get0_crt_params(rsa_st, nil, nil, ptr)
else
return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key"
end
if OPENSSL_11_OR_LATER then
ret = ptr[0]
elseif OPENSSL_10 then
ret = rsa_st[k]
end
ret = ptr[0]
if ret == nil then
return nil
@ -91,21 +66,24 @@ function _M.set_parameters(rsa_st, opts)
local cleanup_from_idx = 1
-- dup input
local do_set_key, do_set_factors, do_set_crt_params
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
goto cleanup_with_error
while true do -- luacheck: ignore
for k, v in pairs(opts) do
opts_bn[k], err = dup_bn_value(v)
if err then
-- luacheck: ignore
err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err
break
end
if k == "n" or k == "e" or k == "d" then
do_set_key = true
elseif k == "p" or k == "q" then
do_set_factors = true
elseif k == "dmp1" or k == "dmq1" or k == "iqmp" then
do_set_crt_params = true
end
end
if k == "n" or k == "e" or k == "d" then
do_set_key = true
elseif k == "p" or k == "q" then
do_set_factors = true
elseif k == "dmp1" or k == "dmq1" or k == "iqmp" then
do_set_crt_params = true
end
end
if OPENSSL_11_OR_LATER then
-- "The values n and e must be non-NULL the first time this function is called on a given RSA object."
-- thus we force to set them together
local code
@ -113,37 +91,31 @@ function _M.set_parameters(rsa_st, opts)
code = C.RSA_set0_key(rsa_st, opts_bn["n"], opts_bn["e"], opts_bn["d"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_key")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 3
if do_set_factors then
code = C.RSA_set0_factors(rsa_st, opts_bn["p"], opts_bn["q"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_factors")
goto cleanup_with_error
break
end
end
cleanup_from_idx = cleanup_from_idx + 2
if do_set_crt_params then
code = C.RSA_set0_crt_params(rsa_st, opts_bn["dmp1"], opts_bn["dmq1"], opts_bn["iqmp"])
if code == 0 then
err = format_error("rsa.set_parameters: RSA_set0_crt_params")
goto cleanup_with_error
break
end
end
return true
elseif OPENSSL_10 then
for k, v in pairs(opts_bn) do
if rsa_st[k] ~= nil then
C.BN_free(rsa_st[k])
end
rsa_st[k]= v
end
return true
end
::cleanup_with_error::
for i, k in pairs(_M.params) do
if i >= cleanup_from_idx then
C.BN_free(opts_bn[k])

32
lib/resty/openssl/ssl.lua
View file

@ -10,7 +10,6 @@ local x509_lib = require("resty.openssl.x509")
local chain_lib = require("resty.openssl.x509.chain")
local stack_lib = require("resty.openssl.stack")
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local format_error = require("resty.openssl.err").format_error
local _M = {
@ -265,22 +264,13 @@ function _M:set_options(...)
bitmask = bit.bor(bitmask, opt)
end
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 32, bitmask, nil) -- SSL_CTRL_OPTIONS
else
bitmask = C.SSL_set_options(self.ctx, bitmask)
end
bitmask = C.SSL_set_options(self.ctx, bitmask)
return tonumber(bitmask)
end
function _M:get_options(readable)
local bitmask
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 32, 0, nil) -- SSL_CTRL_OPTIONS
else
bitmask = C.SSL_get_options(self.ctx)
end
local bitmask = C.SSL_get_options(self.ctx)
if not readable then
return tonumber(bitmask)
@ -303,11 +293,7 @@ function _M:clear_options(...)
bitmask = bit.bor(bitmask, opt)
end
if OPENSSL_10 then
bitmask = C.SSL_ctrl(self.ctx, 77, bitmask, nil) -- SSL_CTRL_CLEAR_OPTIONS
else
bitmask = C.SSL_clear_options(self.ctx, bitmask)
end
bitmask = C.SSL_clear_options(self.ctx, bitmask)
return tonumber(bitmask)
end
@ -336,18 +322,10 @@ function _M:set_protocols(...)
end
-- first disable all protocols
if OPENSSL_10 then
C.SSL_ctrl(self.ctx, 32, ops.SSL_OP_NO_SSL_MASK, nil) -- SSL_CTRL_OPTIONS
else
C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK)
end
C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK)
-- then enable selected protocols
if OPENSSL_10 then
return tonumber(C.SSL_clear_options(self.ctx, bitmask))
else
return tonumber(C.SSL_ctrl(self.ctx, 77, bitmask, nil)) -- SSL_CTRL_CLEAR_OPTIONS)
end
return tonumber(C.SSL_clear_options(self.ctx, bitmask))
end
return _M

22
lib/resty/openssl/stack.lua
View file

@ -10,7 +10,7 @@ local C = ffi.C
local ffi_cast = ffi.cast
local ffi_gc = ffi.gc
local stack_macro = require "resty.openssl.include.stack"
require "resty.openssl.include.stack"
local format_error = require("resty.openssl.err").format_error
local _M = {}
@ -18,7 +18,7 @@ local _M = {}
local function gc_of(typ)
local f = C[typ .. "_free"]
return function (st)
stack_macro.OPENSSL_sk_pop_free(st, f)
C.OPENSSL_sk_pop_free(st, f)
end
end
@ -35,7 +35,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
-- starts from 0
local function value_at(ctx, i)
local elem = stack_macro.OPENSSL_sk_value(ctx, i)
local elem = C.OPENSSL_sk_value(ctx, i)
if elem == nil then
error(format_error("OPENSSL_sk_value"))
end
@ -49,7 +49,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
local function iter(tbl)
if not tbl then error("instance is nil") end
local i = 0
local n = tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
local n = tonumber(C.OPENSSL_sk_num(tbl.ctx))
return function()
i = i + 1
if i <= n then
@ -63,7 +63,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
__ipairs = iter,
__len = function(tbl)
if not tbl then error("instance is nil") end
return tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx))
return tonumber(C.OPENSSL_sk_num(tbl.ctx))
end,
__index = function(tbl, k)
if not tbl then error("instance is nil") end
@ -71,7 +71,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc)
if not i then
return index_tbl[k]
end
local n = stack_macro.OPENSSL_sk_num(tbl.ctx)
local n = C.OPENSSL_sk_num(tbl.ctx)
if i <= 0 or i > n then
return nil
end
@ -88,7 +88,7 @@ end
_M.new_of = function(typ)
local gc = gc_of(typ)
return function()
local raw = stack_macro.OPENSSL_sk_new_null()
local raw = C.OPENSSL_sk_new_null()
if raw == nil then
return nil, "stack.new_of: OPENSSL_sk_new_null() failed"
end
@ -104,7 +104,7 @@ _M.add_of = function(typ)
if ctx == nil or not ffi.istype(ptr, ctx) then
return false, "stack.add_of: expect a " .. typ .. "* at #1"
end
local code = stack_macro.OPENSSL_sk_push(stack, ctx)
local code = C.OPENSSL_sk_push(stack, ctx)
if code == 0 then
return false, "stack.add_of: OPENSSL_sk_push() failed"
end
@ -118,13 +118,13 @@ _M.dup_of = function(_)
if ctx == nil or not ffi.istype(stack_ptr_ct, ctx) then
return nil, "stack.dup_of: expect a stack ctx at #1"
end
local ctx = stack_macro.OPENSSL_sk_dup(ctx)
local ctx = C.OPENSSL_sk_dup(ctx)
if ctx == nil then
return nil, "stack.dup_of: OPENSSL_sk_dup() failed"
end
-- if the stack is duplicated: since we don't copy the elements
-- then we only control gc of the stack itself here
ffi_gc(ctx, stack_macro.OPENSSL_sk_free)
ffi_gc(ctx, C.OPENSSL_sk_free)
return ctx
end
end
@ -152,7 +152,7 @@ _M.deep_copy_of = function(typ)
local free = C[typ .. "_free"]
return function(ctx)
return stack_macro.OPENSSL_sk_deep_copy(ctx, dup, free)
return C.OPENSSL_sk_deep_copy(ctx, dup, free)
end
end

20
lib/resty/openssl/version.lua
View file

@ -12,8 +12,6 @@ ffi.cdef[[
const char *OpenSSL_version(int t);
// >= 3.0
const char *OPENSSL_info(int t);
// BoringSSL
int BORINGSSL_self_test(void);
]]
local version_func, info_func
@ -88,12 +86,6 @@ else
end
end
local BORINGSSL = false
pcall(function()
local _ = C.BORINGSSL_self_test
BORINGSSL = true
end)
return setmetatable({
version_num = tonumber(version_num),
version_text = ffi_str(version_func(0)),
@ -103,15 +95,9 @@ return setmetatable({
info = function(t)
return ffi_str(info_func(t))
end,
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x30200000,
OPENSSL_30 = version_num >= 0x30000000 and version_num < 0x30100000, -- for backward compat, deprecated
OPENSSL_11 = version_num >= 0x10100000 and version_num < 0x10200000,
-- the following has implict upper bound of 4.x
OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x40000000,
OPENSSL_111 = version_num >= 0x10101000 and version_num < 0x10200000,
OPENSSL_11_OR_LATER = version_num >= 0x10100000 and version_num < 0x30200000,
OPENSSL_111_OR_LATER = version_num >= 0x10101000 and version_num < 0x30200000,
OPENSSL_10 = version_num < 0x10100000 and version_num > 0x10000000,
BORINGSSL = BORINGSSL,
BORINGSSL_110 = BORINGSSL and version_num >= 0x10100000 and version_num < 0x10101000
}, {
__index = types_table,
})
})

81
lib/resty/openssl/x509/crl.lua
View file

@ -18,65 +18,21 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
local accessors = {}
accessors.set_issuer_name = C.X509_CRL_set_issuer_name
accessors.set_version = C.X509_CRL_set_version
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
accessors.get_last_update = C.X509_CRL_get0_lastUpdate
accessors.set_last_update = C.X509_CRL_set1_lastUpdate
accessors.get_next_update = C.X509_CRL_get0_nextUpdate
accessors.set_next_update = C.X509_CRL_set1_nextUpdate
accessors.get_version = C.X509_CRL_get_version
accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
accessors.get_signature_nid = C.X509_CRL_get_signature_nid
-- BORINGSSL_110 exports X509_CRL_get_signature_nid, but just ignored for simplicity
accessors.get_revoked = C.X509_CRL_get_REVOKED
elseif OPENSSL_10 or BORINGSSL_110 then
accessors.get_last_update = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.lastUpdate
end
accessors.set_last_update = C.X509_CRL_set_lastUpdate
accessors.get_next_update = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.nextUpdate
end
accessors.set_next_update = C.X509_CRL_set_nextUpdate
accessors.get_version = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return C.ASN1_INTEGER_get(crl.crl.version)
end
accessors.get_issuer_name = function(crl)
if crl == nil or crl.crl == nil then
return nil
end
return crl.crl.issuer
end
accessors.get_signature_nid = function(crl)
if crl == nil or crl.crl == nil or crl.crl.sig_alg == nil then
return nil
end
return C.OBJ_obj2nid(crl.crl.sig_alg.algorithm)
end
accessors.get_revoked = function(crl)
return crl.crl.revoked
end
end
accessors.get_last_update = C.X509_CRL_get0_lastUpdate
accessors.set_last_update = C.X509_CRL_set1_lastUpdate
accessors.get_next_update = C.X509_CRL_get0_nextUpdate
accessors.set_next_update = C.X509_CRL_set1_nextUpdate
accessors.get_version = C.X509_CRL_get_version
accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr
accessors.get_signature_nid = C.X509_CRL_get_signature_nid
accessors.get_revoked = C.X509_CRL_get_REVOKED
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -183,10 +139,6 @@ function _M:text()
end
local function revoked_decode(ctx)
if OPENSSL_10 then
error("x509.crl:revoked_decode: not supported on OpenSSL 1.0")
end
local ret = {}
local serial = C.X509_REVOKED_get0_serialNumber(ctx)
if serial ~= nil then
@ -330,8 +282,6 @@ function _M:sign(pkey, digest)
return false, "x509.crl:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -404,19 +354,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local X509_CRL_delete_ext
if OPENSSL_11_OR_LATER then
X509_CRL_delete_ext = C.X509_CRL_delete_ext
elseif OPENSSL_10 then
X509_CRL_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.crl.extensions, pos)
end
else
X509_CRL_delete_ext = function(...)
error("X509_CRL_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -429,7 +366,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.X509_CRL_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = X509_CRL_delete_ext(self.ctx, pos)
local removed = C.X509_CRL_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.X509_CRL_add_ext(self.ctx, extension.ctx, pos) == nil then

58
lib/resty/openssl/x509/csr.lua
View file

@ -7,7 +7,7 @@ require "resty.openssl.include.pem"
require "resty.openssl.include.x509v3"
require "resty.openssl.include.x509.csr"
require "resty.openssl.include.asn1"
local stack_macro = require "resty.openssl.include.stack"
require "resty.openssl.include.stack"
local stack_lib = require "resty.openssl.stack"
local pkey_lib = require "resty.openssl.pkey"
local digest_lib = require("resty.openssl.digest")
@ -20,11 +20,7 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid
local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
local accessors = {}
@ -32,35 +28,9 @@ accessors.set_subject_name = C.X509_REQ_set_subject_name
accessors.get_pubkey = C.X509_REQ_get_pubkey
accessors.set_pubkey = C.X509_REQ_set_pubkey
accessors.set_version = C.X509_REQ_set_version
if OPENSSL_11_OR_LATER or BORINGSSL_110 then
accessors.get_signature_nid = C.X509_REQ_get_signature_nid
elseif OPENSSL_10 then
accessors.get_signature_nid = function(csr)
if csr == nil or csr.sig_alg == nil then
return nil
end
return C.OBJ_obj2nid(csr.sig_alg.algorithm)
end
end
if OPENSSL_11_OR_LATER and not BORINGSSL_110 then
accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr
accessors.get_version = C.X509_REQ_get_version
elseif OPENSSL_10 or BORINGSSL_110 then
accessors.get_subject_name = function(csr)
if csr == nil or csr.req_info == nil then
return nil
end
return csr.req_info.subject
end
accessors.get_version = function(csr)
if csr == nil or csr.req_info == nil then
return nil
end
return C.ASN1_INTEGER_get(csr.req_info.version)
end
end
accessors.get_signature_nid = C.X509_REQ_get_signature_nid
accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr
accessors.get_version = C.X509_REQ_get_version
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -226,7 +196,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
-- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
-- introduces a change that a empty stack instead of NULL will be returned in no extension
-- is found. so we need to double check the number if it's not NULL.
stack_macro.OPENSSL_sk_num(extensions_ptr[0]) > 0
C.OPENSSL_sk_num(extensions_ptr[0]) > 0
local flag
if replace then
@ -245,11 +215,6 @@ local function modify_extension(replace, ctx, nid, toset, crit)
return false, format_error("X509V3_add1_i2d", code)
end
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
if code ~= 1 then
return false, format_error("X509_REQ_add_extensions", code)
end
if need_cleanup then
-- cleanup old attributes
-- delete the first only, why?
@ -259,13 +224,14 @@ local function modify_extension(replace, ctx, nid, toset, crit)
end
end
-- mark encoded form as invalid so next time it will be re-encoded
if OPENSSL_11_OR_LATER then
C.i2d_re_X509_REQ_tbs(ctx, nil)
else
ctx.req_info.enc.modified = 1
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
if code ~= 1 then
return false, format_error("X509_REQ_add_extensions", code)
end
-- mark encoded form as invalid so next time it will be re-encoded
C.i2d_re_X509_REQ_tbs(ctx, nil)
return true
end
@ -339,8 +305,6 @@ function _M:sign(pkey, digest)
return false, "x509.csr:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success

22
lib/resty/openssl/x509/extension.lua
View file

@ -16,7 +16,6 @@ local stack_lib = require("resty.openssl.stack")
local bio_util = require "resty.openssl.auxiliary.bio"
local format_error = require("resty.openssl.err").format_error
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
local mt = { __index = _M }
@ -34,22 +33,15 @@ if OPENSSL_3X then
extension_types["issuer_pkey"] = "resty.openssl.pkey"
end
local nconf_load
if BORINGSSL then
nconf_load = function()
return nil, "NCONF_load_bio not exported in BoringSSL"
local nconf_load = function(conf, str)
local bio = C.BIO_new_mem_buf(str, #str)
if bio == nil then
return format_error("BIO_new_mem_buf")
end
else
nconf_load = function(conf, str)
local bio = C.BIO_new_mem_buf(str, #str)
if bio == nil then
return format_error("BIO_new_mem_buf")
end
ffi_gc(bio, C.BIO_free)
ffi_gc(bio, C.BIO_free)
if C.NCONF_load_bio(conf, bio, nil) ~= 1 then
return format_error("NCONF_load_bio")
end
if C.NCONF_load_bio(conf, bio, nil) ~= 1 then
return format_error("NCONF_load_bio")
end
end

86
lib/resty/openssl/x509/init.lua
View file

@ -8,7 +8,7 @@ require "resty.openssl.include.x509"
require "resty.openssl.include.x509v3"
require "resty.openssl.include.evp"
require "resty.openssl.include.objects"
local stack_macro = require("resty.openssl.include.stack")
require "resty.openssl.include.stack"
local stack_lib = require("resty.openssl.stack")
local asn1_lib = require("resty.openssl.asn1")
local digest_lib = require("resty.openssl.digest")
@ -21,11 +21,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_error
local version = require("resty.openssl.version")
local OPENSSL_10 = version.OPENSSL_10
local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER
local OPENSSL_3X = version.OPENSSL_3X
local BORINGSSL = version.BORINGSSL
local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808
-- accessors provides an openssl version neutral interface to lua layer
-- it doesn't handle any error, expect that to be implemented in
@ -48,49 +44,12 @@ accessors.get_signature_nid = C.X509_get_signature_nid
-- parent struct is freed.
-- otherwise, use get0, which returns an internal pointer, we don't need to free it up.
-- it will be gone together with the parent struct.
if BORINGSSL_110 then
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
accessors.set_not_before = C.X509_set_notBefore
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
accessors.set_not_after = C.X509_set_notAfter
accessors.get_version = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return C.ASN1_INTEGER_get(x509.cert_info.version)
end
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
elseif OPENSSL_11_OR_LATER then
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
accessors.set_not_before = C.X509_set1_notBefore
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
accessors.set_not_after = C.X509_set1_notAfter
accessors.get_version = C.X509_get_version -- returns int
accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn
elseif OPENSSL_10 then
accessors.get_not_before = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return x509.cert_info.validity.notBefore
end
accessors.set_not_before = C.X509_set_notBefore
accessors.get_not_after = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return x509.cert_info.validity.notAfter
end
accessors.set_not_after = C.X509_set_notAfter
accessors.get_version = function(x509)
if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then
return nil
end
return C.ASN1_INTEGER_get(x509.cert_info.version)
end
accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn
end
accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number
accessors.set_not_before = C.X509_set1_notBefore
accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number
accessors.set_not_after = C.X509_set1_notAfter
accessors.get_version = C.X509_get_version -- returns int
accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn
local function __tostring(self, fmt)
if not fmt or fmt == 'PEM' then
@ -241,7 +200,7 @@ end
-- note: index is 0 based
local OPENSSL_STRING_value_at = function(ctx, i)
local ct = ffi_cast("OPENSSL_STRING", stack_macro.OPENSSL_sk_value(ctx, i))
local ct = ffi_cast("OPENSSL_STRING", C.OPENSSL_sk_value(ctx, i))
if ct == nil then
return nil
end
@ -251,7 +210,7 @@ end
function _M:get_ocsp_url(return_all)
local st = C.X509_get1_ocsp(self.ctx)
local count = stack_macro.OPENSSL_sk_num(st)
local count = C.OPENSSL_sk_num(st)
if count == 0 then
return
end
@ -324,17 +283,11 @@ local digest_length = ctypes.ptr_of_uint()
local digest_buf, digest_buf_size
local function digest(self, cfunc, typ, properties)
-- TODO: dedup the following with resty.openssl.digest
local ctx
if OPENSSL_11_OR_LATER then
ctx = C.EVP_MD_CTX_new()
ffi_gc(ctx, C.EVP_MD_CTX_free)
elseif OPENSSL_10 then
ctx = C.EVP_MD_CTX_create()
ffi_gc(ctx, C.EVP_MD_CTX_destroy)
end
local ctx = C.EVP_MD_CTX_new()
if ctx == nil then
return nil, "x509:digest: failed to create EVP_MD_CTX"
end
ffi_gc(ctx, C.EVP_MD_CTX_free)
local algo
if OPENSSL_3X then
@ -398,8 +351,6 @@ function _M:sign(pkey, digest)
return false, "x509:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -472,19 +423,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local X509_delete_ext
if OPENSSL_11_OR_LATER then
X509_delete_ext = C.X509_delete_ext
elseif OPENSSL_10 then
X509_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.cert_info.extensions, pos)
end
else
X509_delete_ext = function(...)
error("X509_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -497,7 +435,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.X509_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = X509_delete_ext(self.ctx, pos)
local removed = C.X509_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.X509_add_ext(self.ctx, extension.ctx, pos) == nil then

12
lib/resty/openssl/x509/store.lua
View file

@ -11,9 +11,7 @@ local crl_lib = require "resty.openssl.x509.crl"
local ctx_lib = require "resty.openssl.ctx"
local format_all_error = require("resty.openssl.err").format_all_error
local format_error = require("resty.openssl.err").format_error
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
local mt = { __index = _M }
@ -218,7 +216,7 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
if not return_chain then
return true, nil
end
local ret_chain_ctx = x509_vfy_macro.X509_STORE_CTX_get0_chain(ctx)
local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
return chain_lib.dup(ret_chain_ctx)
elseif code == 0 then -- unverified
local vfy_code = C.X509_STORE_CTX_get_error(ctx)
@ -232,14 +230,6 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
end
function _M:check_revocation(verified_chain, properties)
if BORINGSSL then
return nil, "x509.store:check_revocation: this API is not supported in BoringSSL"
end
if not OPENSSL_11_OR_LATER then
return nil, "x509.store:check_revocation: this API is supported from OpenSSL 1.1.0"
end
if not verified_chain or not chain_lib.istype(verified_chain) then
return nil, "x509.store:check_revocation: expect a x509.chain instance at #1"
end

4
lua-resty-openssl-0.8.23-1.rockspec → lua-resty-openssl-1.0.1-1.rockspec
View file

@ -1,8 +1,8 @@
package = "lua-resty-openssl"
version = "0.8.23-1"
version = "1.0.1-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
tag = "0.8.23"
tag = "1.0.1"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",

117
scripts/find_unused_cdef.py Normal file
View file

@ -0,0 +1,117 @@
#!/usr/bin/env python3
import os
import re
import sys
current_script_path = os.path.abspath(sys.argv[0])
def load_files(path):
file_contents = {}
for root, _, files in os.walk(path):
for file in files:
if file.endswith(".lua"):
p = os.path.join(root.replace(path, ""), file).lstrip("/")
with open(os.path.join(root, file)) as f:
file_contents[p] = f.readlines()
return file_contents
token = "[a-zA-Z0-9_]"
def find_cdefs(files):
cdefs = {
"funcs": {},
"types": {},
}
for path, lines in files.items():
start = False
for i in range(len(lines)):
line = lines[i]
if "ffi.cdef" in line:
start = True
elif "]]" in line and start:
start = False
if start:
if re.findall("^\s*//", line): # comment
continue
func = re.findall(f"{token}+[\s\*]+({token}+)\(", line)
if func:
cdefs["funcs"][func[0]] = f"{path}:{i}"
type_ = re.findall(f"typedef.*?({token}+);", line)
if type_:
cdefs["types"][type_[0]] = f"{path}:{i}"
type_ = re.findall(f"}}\s*({token}+);", line)
if type_:
cdefs["types"][type_[0]] = f"{path}:{i}"
return cdefs
# those are dynamically called
ignore_list = [
"OSSL_PARAM_(?:set|get)_",
"PEM_read_bio_",
"fake_openssl_",
"(?:d2i|i2d)_(?:PUBKEY|PrivateKey)_bio",
"_(?:gettable|settable)_params",
"_(?:get|set)_params",
"_do_all_(?:sorted|provided)",
"_get0_name",
]
def check_cdefs(files, cdef):
unused = {
"funcs": {},
"types": {},
}
undefined = {
"funcs": {},
"types": {},
}
patterns = {
"funcs": "C.%s[^a-zA-Z0-9_]",
"types": "%s[^a-zA-Z0-9_]",
}
ignore_regex = "(?:%s)" % "|".join(ignore_list)
for name, regex_pattern in patterns.items():
for token, path in cdef[name].items():
found = False
for _, lines in files.items():
full_content = "".join(lines)
if re.findall(regex_pattern % token, full_content):
found = True
break
if not found and not re.findall(ignore_regex, token):
unused[name][token] = path
# TODO: find undefined
return unused, undefined
def display(unused, undefined):
for name, tokens in unused.items():
if len(tokens) == 0:
continue
print(f"Unused {name} ({len(tokens)}):")
for token, path in tokens.items():
print(f" {token} on {path}")
for name, tokens in undefined.items():
if len(tokens) == 0:
continue
print(f"Undefined {name} ({len(tokens)}):")
for token, path in tokens.items():
print(f" {token} on {path}")
if __name__ == '__main__':
files = load_files(os.path.join(os.path.dirname(current_script_path), "..", "lib"))
cdefs = find_cdefs(files)
display(*check_cdefs(files, cdefs))

17
scripts/templates/x509_functions.j2
View file

@ -13,8 +13,6 @@ function _M:sign(pkey, digest)
return false, "{{modname}}:sign: expect a digest instance to have algo member"
end
digest_algo = digest.algo
elseif BORINGSSL then
digest_algo = C.EVP_get_digestbyname('sha256')
end
-- returns size of signature if success
@ -89,19 +87,6 @@ function _M:get_extension(nid_txt, last_pos)
return ext, pos+1
end
local {{ module.type }}_delete_ext
if OPENSSL_11_OR_LATER then
{{ module.type }}_delete_ext = C.{{ module.type }}_delete_ext
elseif OPENSSL_10 then
{{ module.type }}_delete_ext = function(ctx, pos)
return C.X509v3_delete_ext(ctx.{{ module.extensions_in_struct }}, pos)
end
else
{{ module.type }}_delete_ext = function(...)
error("{{ module.type }}_delete_ext undefined")
end
end
-- AUTO GENERATED
function _M:set_extension(extension, last_pos)
if not extension_lib.istype(extension) then
@ -114,7 +99,7 @@ function _M:set_extension(extension, last_pos)
local pos = C.{{ module.type }}_get_ext_by_NID(self.ctx, nid, last_pos)
-- pos may be -1, which means not found, it's fine, we will add new one instead of replace
local removed = {{ module.type }}_delete_ext(self.ctx, pos)
local removed = C.{{ module.type }}_delete_ext(self.ctx, pos)
C.X509_EXTENSION_free(removed)
if C.{{ module.type }}_add_ext(self.ctx, extension.ctx, pos) == nil then

33
t/fips.t
View file

@ -35,14 +35,6 @@ __DATA__
ngx.exit(200)
end
local openssl = require("resty.openssl")
if require("resty.openssl.version").BORINGSSL then
if openssl.get_fips_mode() then
ngx.say("false\ntrue\nfalse")
else
ngx.say("BORINGSSL should have fips turned on but actually not")
end
ngx.exit(200)
end
ngx.say(openssl.get_fips_mode())
myassert(openssl.set_fips_mode(true))
ngx.say(openssl.get_fips_mode())
@ -90,8 +82,7 @@ fips
--- config
location =/t {
content_by_lua_block {
-- BORINGSSL doesn't seem to remove non-fips compliant algorithms?
if not _G.fips or require("resty.openssl.version").BORINGSSL then
if not _G.fips then
ngx.say("true\ntrue")
ngx.say("invalid cipher type \"chacha20\": unsupported")
ngx.say("invalid digest type \"md5\": unsupported")
@ -130,3 +121,25 @@ true
.*invalid digest type "md5".+(?:unsupported|disabled for fips).*
--- no_error_log
[error]
=== TEST 4: Get FIPS version text
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
if not _G.fips then
ngx.say("3.0.8")
ngx.exit(200)
end
local openssl = require("resty.openssl")
myassert(openssl.set_fips_mode(true))
ngx.say(myassert(openssl.get_fips_version_text()))
}
}
--- request
GET /t
--- response_body_like
3\.\d+\.\d+
--- no_error_log
[error]

18
t/fixtures/boringssl_fips.patch
View file

@ -1,18 +0,0 @@
# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0).
#
# The modulewrapper is not a part of the FIPS module, so it can be patched without
# concern about breaking the FIPS validation.
--- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -12,9 +12,11 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#include <string>
#include <vector>
#include <assert.h>
+#include <errno.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>

23
t/openssl.t
View file

@ -69,14 +69,9 @@ false
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL then
ngx.say("[\"AES\"]")
ngx.say("[\"AES-256-GCM @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_cipher_algorithms()))
local version = require("resty.openssl.version")
if not version.OPENSSL_3X then
ngx.say("[\"AES-256-GCM @ default\"]")
ngx.exit(0)
@ -97,14 +92,9 @@ false
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL then
ngx.say("[\"SHA\"]")
ngx.say("[\"SHA2-256 @ default\"]")
ngx.exit(0)
end
local openssl = require("resty.openssl")
ngx.say(require("cjson").encode(openssl.list_digest_algorithms()))
local version = require("resty.openssl.version")
if not version.OPENSSL_3X then
ngx.say("[\"SHA2-256 @ default\"]")
ngx.exit(0)
@ -167,15 +157,6 @@ false
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA")
ngx.exit(0)
end
local version = require("resty.openssl.version")
local openssl = require("resty.openssl")
ngx.say(openssl.list_ssl_ciphers())
ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA"))

41
t/openssl/aux/jwk.t
View file

@ -177,10 +177,6 @@ true
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required')
ngx.exit(0)
end
local jwk = require("cjson").encode({
kty = "OKP",
crv = "Ed25519",
@ -229,4 +225,39 @@ true
'pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required
'
--- no_error_log
[error]
[error]
=== TEST 4: Errors if tries to export privkey using pubkey
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local privkey, err = require("resty.openssl.pkey").new({ type = 'EC', curve = 'prime256v1'})
if err then
ngx.log(ngx.ERR, err)
return
end
local pem, err = privkey:tostring("public")
if err then
ngx.log(ngx.ERR, err)
return
end
local pubkey, err = require("resty.openssl.pkey").new(pem)
if err then
ngx.log(ngx.ERR, err)
return
end
local _, err = pubkey:tostring("private", "JWK")
ngx.say(err)
}
}
--- request
GET /t
--- response_body eval
'jwk.dump_jwk: could not dump public key as private key
'
--- no_error_log
[error]

4
t/openssl/bn.t
View file

@ -122,10 +122,6 @@ bn:to_binary failed
end
ngx.print(ngx.encode_base64(b))
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0)
end
local b, err = bn:to_binary(10)
if err then
ngx.log(ngx.ERR, err)

6
t/openssl/helper.lua
View file

@ -4,7 +4,6 @@ local name = require "resty.openssl.x509.name"
local extension = require "resty.openssl.x509.extension"
local bn = require "resty.openssl.bn"
local digest = require "resty.openssl.digest"
local BORINGSSL = require "resty.openssl.version".BORINGSSL
local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X
local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name)
@ -41,10 +40,7 @@ local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_n
}))))
end
local dgst
if BORINGSSL then
dgst = digest.new("SHA256")
end
local dgst = digest.new("SHA256")
assert(cert:sign(signing_key or key, dgst))
return cert, key

32
t/openssl/kdf.t
View file

@ -119,11 +119,6 @@ kdf.derive: unknown type 19823718236128632
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("aqRd+gO5Ok3YneDEormTcg==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.HKDF,
@ -151,13 +146,6 @@ kdf.derive: unknown type 19823718236128632
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.say("aggdq4eoqRiP0Z3GbpxCjg==")
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
ngx.exit(0)
end
local version_num = version.version_num
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.HKDF,
@ -169,10 +157,6 @@ kdf.derive: unknown type 19823718236128632
ngx.say(ngx.encode_base64(key))
if not version.OPENSSL_111_or_LATER then
ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=")
ngx.exit(0)
end
local key = myassert(kdf.derive({
type = kdf.HKDF,
outlen = 16,
@ -199,11 +183,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y=
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("0xr8qthU+ypv2xRC90la8g==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.TLS1_PRF,
@ -229,11 +208,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y=
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("XVVDK9/puTqBOsyTKt8PKQ==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.TLS1_PRF,
@ -258,11 +232,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y=
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then
ngx.print("9giFtxace5sESmRb8qxuOw==")
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
local key = myassert(kdf.derive({
type = kdf.SCRYPT,
@ -292,6 +261,7 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y=
ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah')
ngx.exit(0)
end
local kdf = require("resty.openssl.kdf")
myassert(kdf.new("PBKDF2"))
local ok, err = kdf.new("UNKNOWNKDF")

5
t/openssl/pkcs12.t
View file

@ -227,11 +227,6 @@ pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD)
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("2333")
ngx.exit(0)
end
-- don't load the legacy provider for this test
-- by default nid_key is RC2 and is moved to legacy provider in 3.0

126
t/openssl/pkey.t
View file

@ -94,9 +94,6 @@ true"
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_111_OR_LATER then
ngx.say("-----BEGIN PRIVATE KEY-----\nyayaa\ntrue"); ngx.exit(0)
end
local pkey = require("resty.openssl.pkey")
local p = myassert(pkey.new({
type = 'Ed25519',
@ -120,11 +117,6 @@ true"
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if version.BORINGSSL or not version.OPENSSL_111_OR_LATER then
ngx.say("-----BEGIN PRIVATE KEY-----\nsad\ntrue")
ngx.exit(0)
end
local pkey = require("resty.openssl.pkey")
local p = myassert(pkey.new({
type = 'DH',
@ -150,10 +142,6 @@ true"
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("-----BEGIN PRIVATE KEY-----\nsad\ntrue")
ngx.exit(0)
end
local pkey = require("resty.openssl.pkey")
local p = myassert(pkey.new({
type = 'DH',
@ -405,11 +393,6 @@ nil
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER then
ngx.say("32\n32\nfake")
ngx.exit(0)
end
local p = myassert(require("resty.openssl.pkey").new({
type = "Ed25519",
}))
@ -434,12 +417,6 @@ nil
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371")
ngx.say("A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5")
ngx.say("1\n2")
ngx.exit(0)
end
local p = myassert(require("resty.openssl.pkey").new({
type = "DH",
group = "dh_1024_160",
@ -525,12 +502,6 @@ true
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER and not version.BORINGSSL then
ngx.say("64\ntrue\n256\ntrue")
ngx.exit(0)
end
-- pureeddsa
local p = myassert(require("resty.openssl.pkey").new({
type = "Ed25519"
@ -542,20 +513,15 @@ true
local v = myassert(p:verify(s, digest))
ngx.say(v)
local md
if version.BORINGSSL then
md = "SHA256"
end
-- uses default md type
local p = myassert(require("resty.openssl.pkey").new({
type = "RSA"
}))
local digest = "23333"
local s = myassert(p:sign(digest, md))
local s = myassert(p:sign(digest))
ngx.say(#s)
local v = myassert(p:verify(s, digest, md))
local v = myassert(p:verify(s, digest))
ngx.say(v)
}
}
@ -602,16 +568,7 @@ pkey:verify: expect a string at #1
--- config
location =/t {
content_by_lua_block {
local version_num = require("resty.openssl.version").version_num
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local expected = { 32, 32, 56 }
for i, t in ipairs({"EC", "X25519", "X448"}) do
if (version_num < 0x10101000 and i == 3) or
(version_num < 0x10100000 and i == 2) or
(BORINGSSL and i > 2) then
ngx.say(expected[i])
goto next
end
local p = myassert(require("resty.openssl.pkey").new({
type = t,
curve = t == "EC" and "prime256v1" or nil,
@ -680,12 +637,6 @@ true
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER or version.BORINGSSL then
ngx.say("true\ntrue\ntrue\ntrue")
ngx.exit(0)
end
local p = myassert(require("resty.openssl.pkey").new())
local pec = myassert(require("resty.openssl.pkey").new({
type = "EC",
@ -741,11 +692,6 @@ true
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("-----BEGIN DH PARAMETERS-----\nsad\n-----BEGIN EC PARAMETERS-----")
ngx.exit(0)
end
local pkey = require("resty.openssl.pkey")
ngx.say(myassert(pkey.paramgen({
type = 'DH',
@ -773,14 +719,6 @@ true
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371")
ngx.say("A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5")
ngx.say(string.rep("1", 256))
ngx.say(string.rep("1", 256))
ngx.exit(0)
end
local p = myassert(require("resty.openssl.pkey").new({
type = "DH",
group = "dh_1024_160",
@ -826,12 +764,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371")
ngx.say("415")
ngx.exit(0)
end
local pem = myassert(require("resty.openssl.pkey").paramgen({
type = "DH",
group = "dh_1024_160",
@ -879,10 +811,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
{ type = 'DH', group = "dh_1024_160",},
}
for _, opt in ipairs(opts) do
if require("resty.openssl.version").BORINGSSL and opt.type == "DH" then
goto next_loop
end
local priv = myassert(require("resty.openssl.pkey").new(opt))
local ok, err = priv:is_private()
@ -898,7 +826,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
if ok then
ngx.say(opt.type .. ": should not be a private key, but returns true: ".. (err or "nil"))
end
::next_loop::
end
}
}
@ -914,10 +841,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER then
ngx.exit(0)
end
local opts = {
{ type = 'Ed25519'},
}
@ -952,11 +875,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER then
ngx.say("256\ntrue\nfalse\nfalse")
ngx.exit(0)
end
-- uses default md type
local p = myassert(require("resty.openssl.pkey").new({
type = "RSA"
@ -969,7 +887,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B
ngx.say(ok)
-- use wrong md type, should not pass
local md = version.BORINGSSL and "sha256" or nil
local ok, e = p:verify(s, digest, "sha256")
ngx.say(ok)
local ok, e = p:verify(s, digest, "md5")
@ -992,13 +909,8 @@ false
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER then
ngx.say("256\ntrue\nfalse\nfalse")
ngx.exit(0)
end
-- uses default md type, boringssl must have md_alg
local md = version.BORINGSSL and "sha256" or nil
-- uses default md type
local p = myassert(require("resty.openssl.pkey").new({
type = "RSA"
}))
@ -1010,9 +922,9 @@ false
ngx.say(ok)
-- use wrong padding scheme, should not pass
local ok, e = p:verify(s, digest, md)
local ok, e = p:verify(s, digest, nil)
if ok ~= false then ngx.say(e) else ngx.say(ok) end
local ok, e = p:verify(s, digest, md, p.PADDINGS.RSA_PKCS1_PADDING)
local ok, e = p:verify(s, digest, nil, p.PADDINGS.RSA_PKCS1_PADDING)
if ok ~= false then ngx.say(e) else ngx.say(ok) end
}
}
@ -1032,23 +944,16 @@ false
--- config
location =/t {
content_by_lua_block {
local version = require("resty.openssl.version")
if not version.OPENSSL_111_OR_LATER then
ngx.say("256\ntrue")
ngx.exit(0)
end
-- uses default md type, boringssl must have md_alg
local md = version.BORINGSSL and "sha256" or nil
local p = myassert(require("resty.openssl.pkey").new({
type = "RSA"
}))
local digest = "23333"
local s = myassert(p:sign(digest, md, p.PADDINGS.RSA_PKCS1_PSS_PADDING, {
local s = myassert(p:sign(digest, nil, p.PADDINGS.RSA_PKCS1_PSS_PADDING, {
pss_saltlen = 64,
}))
ngx.say(#s)
local ok = myassert(p:verify(s, digest, md, p.PADDINGS.RSA_PKCS1_PSS_PADDING, {
local ok = myassert(p:verify(s, digest, nil, p.PADDINGS.RSA_PKCS1_PSS_PADDING, {
pss_saltlen = 64,
}))
ngx.say(ok)
@ -1213,11 +1118,6 @@ default
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say('BROKEN sha256 BROKEN')
ngx.exit(0)
end
local pkey = require("resty.openssl.pkey")
local p = myassert(pkey.new({ type = "EC" }))
local algo = myassert(p:get_default_digest_type())
@ -1284,12 +1184,6 @@ true
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
ngx.say("64\ntrue\ntrue\ntruenil\nfalsenil")
ngx.say("nilpkey:sign: ecdsa.sig_raw2der: invalid signature length, expect 64 but got 72")
ngx.exit(0)
end
local opts = { ecdsa_use_raw = true }
local p = myassert(require("resty.openssl.pkey").new({
type = "EC",
@ -1332,10 +1226,6 @@ nilpkey:sign: ecdsa.sig_raw2der: invalid signature length, expect 64 but got \\d
--- config
location =/t {
content_by_lua_block {
if not require("resty.openssl.version").OPENSSL_11_OR_LATER then
ngx.say("132\n96\ntrue\ntrue")
ngx.exit(0)
end
local opts = { ecdsa_use_raw = true }
local p_521 = myassert(require("resty.openssl.pkey").new({
type = "EC",

2
t/openssl/provider.t
View file

@ -112,7 +112,7 @@ true
GET /t
--- response_body_like
true
.+(?:init fail|common libcrypto routines::reason\(524325\))
.+(?:init fail|common libcrypto routines::reason\(\d+\))
--- no_error_log
[error]

10
t/openssl/x509/crl.t
View file

@ -200,11 +200,6 @@ __DATA__
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_10 then
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2")
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233")
ngx.exit(0)
end
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local s = myassert(c:index(1))
@ -239,11 +234,6 @@ __DATA__
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").OPENSSL_10 then
ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue")
ngx.exit(0)
end
local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a")
local c = myassert(require("resty.openssl.x509.crl").new(f))
local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3"))

16
t/openssl/x509/extension.t
View file

@ -293,22 +293,6 @@ DNS:test.com, DNS:test2.com
--- config
location =/t {
content_by_lua_block {
if require("resty.openssl.version").BORINGSSL then
ngx.say([[
{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"}
Policy: 1.2.3.4
Policy: 1.5.6.7.8
Policy: 1.3.5.8
CPS: http://my.host.name/
CPS: http://my.your.name/
User Notice:
Organization: Organisation Name
Numbers: 1, 2, 3, 4
Explicit Text: Explicit Text Here
]])
ngx.exit(0)
end
local extension = require("resty.openssl.x509.extension")
local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect",
[[

67
t/openssl/x509/store.t
View file

@ -297,8 +297,6 @@ truenil
-- in openssl < 1.1.0, depth are counted 1 more than later versions
-- we set it to be one less than enough to be prune to that case
myassert(s:set_depth(1))
-- openssl 1.0.2 will emit "unable to get local issuer certificate"
-- instead of "certificate chain too long"
ngx.say(s:verify(certs[#certs], ch))
}
}
@ -306,7 +304,7 @@ truenil
GET /t
--- response_body_like eval
"truenil
nil(?:certificate chain too long|unable to get local issuer certificate)
nilcertificate chain too long
"
--- no_error_log
[error]
@ -463,67 +461,10 @@ truenil
--- request
GET /t
--- response_body_like eval
"nil(?:x509\.store:check_revocation: expect a x509\.chain instance at #1|x509\.store:check_revocation: this API is not supported in BoringSSL)
(?:truenil|nilx509\.store:check_revocation: this API is not supported in BoringSSL)
nil(?:certificate revoked|x509\.store:check_revocation: this API is not supported in BoringSSL)
"nilx509\.store:check_revocation: expect a x509\.chain instance at #1
truenil
nilcertificate revoked
"
--- no_error_log
[error]
--- skip_openssl
3: < 1.1.0
=== TEST 15: Check revocation only supported from OpenSSL 1.1.0
--- http_config eval: $::HttpConfig
--- config
location =/t {
content_by_lua_block {
local x509 = require("resty.openssl.x509")
local crl = require("resty.openssl.x509.crl")
local store = require("resty.openssl.x509.store")
local s1 = myassert(store.new())
local f = io.open("t/fixtures/crl/rootca.cert.pem"):read("*a")
local rootca = myassert(x509.new(f))
local f = io.open("t/fixtures/crl/subca.cert.pem"):read("*a")
local subca = myassert(x509.new(f))
local f = io.open("t/fixtures/crl/valid.cert.pem"):read("*a")
local valid_cert = myassert(x509.new(f))
local f = io.open("t/fixtures/crl/revoked.cert.pem"):read("*a")
local revoked_cert = myassert(x509.new(f))
local f = io.open("t/fixtures/crl/crl.pem"):read("*a")
local c = myassert(crl.new(f))
myassert(s1:add(rootca))
myassert(s1:add(subca))
-- add crl to store, but skip setting the flag
myassert(s1:add(c, true))
-- to get the verified_chain first
local chain1 = myassert(s1:verify(valid_cert, nil, true))
local chain2 = myassert(s1:verify(revoked_cert, nil, true))
local ok, err = s1:check_revocation()
ngx.say(ok, err)
local ok, err = s1:check_revocation(chain1)
ngx.say(ok, err)
local ok, err = s1:check_revocation(chain2)
ngx.say(ok, err)
}
}
--- request
GET /t
--- response_body_like eval
"nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL)
"
--- no_error_log
[error]
--- skip_openssl
3: >= 1.1.0