2 * nixio - Linux I/O library for lua
4 * Copyright (C) 2009 Steven Barth <steven@midlink.org>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
19 #include "nixio-tls.h"
22 static SSL_CTX* nixio__checktlsctx(lua_State *L) {
23 SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META);
24 luaL_argcheck(L, *ctx, 1, "invalid context");
28 static int nixio__tls_perror(lua_State *L, int code) {
30 lua_pushinteger(L, code);
34 static int nixio__tls_pstatus(lua_State *L, int code) {
36 lua_pushboolean(L, 1);
39 return nixio__tls_perror(L, code);
43 static int nixio_tls_ctx(lua_State * L) {
44 const char *method = luaL_optlstring(L, 1, "tlsv1", NULL);
46 luaL_getmetatable(L, NIXIO_TLS_CTX_META);
47 SSL_CTX **ctx = lua_newuserdata(L, sizeof(SSL_CTX *));
49 return luaL_error(L, "out of memory");
54 lua_setmetatable(L, -2);
55 lua_getfield(L, -1, "tls_defaultkey");
57 if (!strcmp(method, "tlsv1")) {
58 *ctx = SSL_CTX_new(TLSv1_method());
59 } else if (!strcmp(method, "sslv23")) {
60 *ctx = SSL_CTX_new(SSLv23_method());
62 return luaL_argerror(L, 1, "supported values: tlsv1, sslv23");
66 return luaL_error(L, "unable to create TLS context");
69 const char *autoload = lua_tostring(L, -1);
71 SSL_CTX_use_PrivateKey_file(*ctx, autoload, SSL_FILETYPE_PEM);
75 SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
80 static int nixio_tls_ctx_create(lua_State *L) {
81 SSL_CTX *ctx = nixio__checktlsctx(L);
82 int fd = nixio__checkfd(L, 2);
84 lua_createtable(L, 0, 3);
85 nixio_tls_sock *sock = lua_newuserdata(L, sizeof(nixio_tls_sock));
87 return luaL_error(L, "out of memory");
89 memset(sock, 0, sizeof(nixio_tls_sock));
92 luaL_getmetatable(L, NIXIO_TLS_SOCK_META);
94 lua_setmetatable(L, -3);
96 sock->socket = SSL_new(ctx);
98 return nixio__tls_perror(L, 0);
101 if (SSL_set_fd(sock->socket, fd) != 1) {
102 return nixio__tls_perror(L, 0);
105 /* save context and socket to prevent GC from collecting them */
106 lua_setmetatable(L, -3);
107 lua_setfield(L, -2, "connection");
110 lua_setfield(L, -2, "context");
113 lua_setfield(L, -2, "socket");
118 static int nixio_tls_ctx_set_cert(lua_State *L) {
119 SSL_CTX *ctx = nixio__checktlsctx(L);
120 const char *cert = luaL_checkstring(L, 2);
121 return nixio__tls_pstatus(L, SSL_CTX_use_certificate_chain_file(ctx, cert));
124 static int nixio_tls_ctx_set_key(lua_State *L) {
125 SSL_CTX *ctx = nixio__checktlsctx(L);
126 const char *cert = luaL_checkstring(L, 2);
127 const int ktype = SSL_FILETYPE_PEM;
128 return nixio__tls_pstatus(L, SSL_CTX_use_PrivateKey_file(ctx, cert, ktype));
131 static int nixio_tls_ctx_set_ciphers(lua_State *L) {
132 SSL_CTX *ctx = nixio__checktlsctx(L);
134 const char *ciphers = luaL_checklstring(L, 2, &len);
135 luaL_argcheck(L, len < 255, 2, "cipher string too long");
136 return nixio__tls_pstatus(L, SSL_CTX_set_cipher_list(ctx, ciphers));
139 static int nixio_tls_ctx_set_verify_depth(lua_State *L) {
140 SSL_CTX *ctx = nixio__checktlsctx(L);
141 const int depth = luaL_checkinteger(L, 2);
142 SSL_CTX_set_verify_depth(ctx, depth);
146 static int nixio_tls_ctx_set_verify(lua_State *L) {
147 SSL_CTX *ctx = nixio__checktlsctx(L);
148 const int j = lua_gettop(L);
150 for (int i=2; i<=j; i++) {
151 const char *flag = luaL_checkstring(L, i);
152 if (!strcmp(flag, "none")) {
153 flags |= SSL_VERIFY_NONE;
154 } else if (!strcmp(flag, "peer")) {
155 flags |= SSL_VERIFY_PEER;
156 } else if (!strcmp(flag, "verify_fail_if_no_peer_cert")) {
157 flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
158 } else if (!strcmp(flag, "client_once")) {
159 flags |= SSL_VERIFY_CLIENT_ONCE;
161 return luaL_argerror(L, i, "supported values: none, peer, "
162 "verify_fail_if_no_peer_cert, client_once");
165 SSL_CTX_set_verify(ctx, flags, NULL);
169 static int nixio_tls_ctx__gc(lua_State *L) {
170 SSL_CTX **ctx = (SSL_CTX **)luaL_checkudata(L, 1, NIXIO_TLS_CTX_META);
178 static int nixio_tls_ctx__tostring(lua_State *L) {
179 SSL_CTX *ctx = nixio__checktlsctx(L);
180 lua_pushfstring(L, "nixio TLS context: %p", ctx);
185 static const luaL_reg R[] = {
186 {"tls", nixio_tls_ctx},
190 /* ctx function table */
191 static const luaL_reg CTX_M[] = {
192 {"set_cert", nixio_tls_ctx_set_cert},
193 {"set_key", nixio_tls_ctx_set_key},
194 {"set_ciphers", nixio_tls_ctx_set_ciphers},
195 {"set_verify_depth", nixio_tls_ctx_set_verify_depth},
196 {"set_verify", nixio_tls_ctx_set_verify},
197 {"create", nixio_tls_ctx_create},
198 {"__gc", nixio_tls_ctx__gc},
199 {"__tostring", nixio_tls_ctx__tostring},
204 void nixio_open_tls_context(lua_State *L) {
205 /* initialize tls library */
206 SSL_load_error_strings();
209 /* register module functions */
210 luaL_register(L, NULL, R);
213 lua_pushliteral(L, "openssl");
215 lua_pushliteral(L, "axtls");
217 lua_setfield(L, -2, "tls_provider");
219 /* create context metatable */
220 luaL_newmetatable(L, NIXIO_TLS_CTX_META);
221 lua_pushvalue(L, -1);
222 lua_setfield(L, -2, "__index");
223 luaL_register(L, NULL, CTX_M);
225 lua_pushliteral(L, "/etc/private.rsa");
226 lua_setfield(L, -2, "tls_defaultkey");
228 lua_setfield(L, -2, "meta_tls_context");