diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 477d1ca4..eb00808b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -28,11 +28,6 @@ jobs: include: # TODO: arm64 # latest and one version older for valgrind and perf test - - nginx: "1.19.9" - openssl: "1.0.2u" - extras: "valgrind" - lua_nginx_module: "v0.10.20" - lua_resty_core: "v0.1.22" - nginx: "1.19.9" openssl: "1.1.1w" extras: "valgrind" @@ -45,11 +40,6 @@ jobs: lua_nginx_module: "v0.10.20" lua_resty_core: "v0.1.22" nginx_cc_opts: "-Wno-error" - - nginx: "1.21.4" - openssl: "1.0.2u" - extras: "valgrind" - lua_nginx_module: "v0.10.25" - lua_resty_core: "v0.1.27" - nginx: "1.21.4" openssl: "1.1.1w" extras: "valgrind perf" @@ -76,23 +66,6 @@ jobs: lua_nginx_module: "v0.10.25" lua_resty_core: "v0.1.27" nginx_cc_opts: "-Wno-error" - # - # latest version with EOL 1.1.0 - - nginx: "1.21.4" - openssl: "1.1.0l" - lua_nginx_module: "v0.10.25" - lua_resty_core: "v0.1.27" - # version that kong uses, for fips - - nginx: "1.21.4" - boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808 - extras: "valgrind perf" - lua_nginx_module: "v0.10.25" - lua_resty_core: "v0.1.27" - - nginx: "1.21.4" - boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet - extras: "valgrind perf" - lua_nginx_module: "v0.10.25" - lua_resty_core: "v0.1.27" env: JOBS: 3 @@ -122,7 +95,7 @@ jobs: with: path: | /home/runner/work/cache - key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-${{ matrix.fips2 }}-boringssl-${{ matrix.boringssl }} + key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }} - name: Setup tools run: | @@ -152,8 +125,6 @@ jobs: run: | T=$OPENSSL_PREFIX mkdir -p $T - # fips doesn't seem to support to build parallelly - if [ "X${{ matrix.fips2 }}" != "X" ]; then wget https://www.openssl.org/source/old/fips/openssl-fips-${{ matrix.fips2 }}.tar.gz -qO - | tar zxf - ; pushd openssl-fips-${{ matrix.fips2 }}/; FIPSDIR=$T/fips ./config; make; make install; popd; fi if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi @@ -178,47 +149,6 @@ jobs: # don't activate by default sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf - - - name: Build BoringSSL - if: matrix.boringssl != '' - run: | - mkdir -p $OPENSSL_PREFIX - if [ ! -e $OPENSSL_PREFIX/include ]; then - # libtinfo5 is a dependency of clang7 on ubuntu20.04 - sudo apt-get install -qq -y cmake libtinfo5 unzip libunwind-dev libgcc-9-dev libstdc++-9-dev - - wget https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz -qO - |tar Jxf - - export HOME="$PWD" - printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain - export PATH="$PWD/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH" - clang --version - - wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz -qO - |tar zxf - - export GOPATH="$PWD/gopath" - export GOROOT="$PWD/go" - export PATH="$GOPATH/bin:$GOROOT/bin:$PATH" - go version - - wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip -q - unzip -o ninja-linux.zip - export PATH="$PWD:$PATH" - ninja --version - - wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-${{ matrix.boringssl }}.tar.xz -qO - | tar Jxf -; pushd boringssl - if [ "${{ matrix.boringssl }}" == "ae223d6138807a13006342edfeef32e813246b39" ]; then - patch -p1 < ../t/fixtures/boringssl_fips.patch - fi - rm -rf build; mkdir build; pushd build - cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. > build.log 2>&1 || (cat build.log && exit 1) - ninja > build.log 2>&1 || (cat build.log && exit 1) - - ./tool/bssl isfips - - popd; rm -rf $OPENSSL_INC; cp -r include $OPENSSL_INC - mkdir -p $OPENSSL_LIB; cp -r build/*/*.so $OPENSSL_LIB - fi - mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/ - - name: Build LuaJIT env: LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }} @@ -305,18 +235,6 @@ jobs: export TEST_NGINX_FIPS=1 fi - # openssl 1.0.2 with fips module - if [ "X${{ matrix.fips2 }}" != "X" ]; then - echo "FIPS for OpenSSL 1.0.2" - export TEST_NGINX_FIPS=1 - fi - - # BoringSSL - if [ "X${{ matrix.boringssl }}" != "X" ]; then - echo "FIPS for BoringSSL ${{ matrix.boringssl }}" - export TEST_NGINX_FIPS=1 - fi - if [ "X$TEST_NGINX_FIPS" != "X" ]; then echo "Running FIPS tests" diff --git a/README.md b/README.md index 4c005a9b..a0819961 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # lua-resty-openssl -FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.1, 3.0, 1.1 and 1.0.2 series. +FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.x, 1.1 series. -BoringSSL is also supported. +OpenSSL 1.1.0, 1.0.2 and BoringSSL support has been dropped, but are still available at the [0.x branch](https://github.com/fffonion/lua-resty-openssl/tree/0.x). ![Build Status](https://github.com/fffonion/lua-resty-openssl/workflows/Tests/badge.svg) ![luarocks](https://img.shields.io/luarocks/v/fffonion/lua-resty-openssl?color=%232c3e67) ![opm](https://img.shields.io/opm/v/fffonion/lua-resty-openssl?color=%23599059) @@ -35,8 +35,7 @@ Table of Contents + [version.version](#versionversion) + [version.info](#versioninfo) + [version.OPENSSL_3X](#versionOPENSSL_3X) - + [version.OPENSSL_11](#versionopenssl_11) - + [version.OPENSSL_10](#versionopenssl_10) + + [version.OPENSSL_111](#versionopenssl_111) * [resty.openssl.provider](#restyopensslprovider) + [provider.load](#providerload) + [provider.istype](#provideristype) @@ -295,10 +294,7 @@ Description =========== `lua-resty-openssl` is a FFI-based OpenSSL binding library, currently -supports OpenSSL `3.1.x`, `3.0.x`, `1.1.1`, `1.1.0` and `1.0.2` series. - -**Note: when using with OpenSSL 1.0.2, it's recommanded to not use this library with other FFI-based OpenSSL binding libraries to avoid potential mismatch of `cdef`.** - +supports OpenSSL `3.x` and `1.1.1` series. [Back to TOC](#table-of-contents) @@ -321,9 +317,6 @@ using `error()` but instead return as last parameter. Each Lua table returned by `new()` contains a cdata object `ctx`. User are not supposed to manully setting `ffi.gc` or calling corresponding destructor of the `ctx` struct (like `*_free` functions). -BoringSSL removes some algorithms and not all functionalities below is supported by BoringSSL. Please -consul its manual for differences between OpenSSL API. - [Back to TOC](#table-of-contents) ## resty.openssl @@ -443,7 +436,6 @@ print(c:get_provider_name()) -- prints "fips" Compile the module per [security policy](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf) Check if FIPS is acticated by running `assert(openssl.set_fips_mode(true))`. -BoringSSL doesn't support "turn FIPS mode off" once it's compiled. [Back to TOC](#table-of-contents) @@ -596,11 +588,6 @@ Returns various OpenSSL version information. Available values for `types` are: MODULES_DIR CPU_INFO -For OpenSSL prior to 1.1.x, only `VERSION`, `CFLAGS`, `BUILT_ON`, `PLATFORM` -and `DIR` are supported. Please refer to -[OPENSSL_VERSION_NUMBER(3)](https://www.openssl.org/docs/manmaster/man3/OPENSSL_VERSION_NUMBER.html) -for explanation of each type. - ```lua local version = require("resty.openssl.version") ngx.say(string.format("%x", version.version_num)) @@ -647,23 +634,9 @@ A boolean indicates whether the linked OpenSSL is 3.x series. [Back to TOC](#table-of-contents) -### version.OPENSSL_30 - -Deprecated: use `version.OPENSSL_3X` is encouraged. - -A boolean indicates whether the linked OpenSSL is 3.0 series. - -[Back to TOC](#table-of-contents) - -### version.OPENSSL_11 +### version.OPENSSL_111 -A boolean indicates whether the linked OpenSSL is 1.1 series. - -[Back to TOC](#table-of-contents) - -### version.OPENSSL_10 - -A boolean indicates whether the linked OpenSSL is 1.0 series. +A boolean indicates whether the linked OpenSSL is 1.1.1 series. [Back to TOC](#table-of-contents) @@ -767,10 +740,6 @@ X25519 | Y | Y | | | Y (ECDH) | Ed448 | Y | Y | | Y (PureEdDSA) | | X448 | Y | Y | | | Y (ECDH) | -`Ed25519`, `X25519`, `Ed448` and `X448` keys are only supported since OpenSSL 1.1.0. - -Note BoringSSL doesn't support `Ed448` and `X448` keys. - Direct support of encryption and decryption for EC and ECX does not exist, but processes like ECIES is possible with [pkey:derive](#pkeyderive), [kdf](#restyopensslkdf) and [cipher](#restyopensslcipher) @@ -1067,8 +1036,7 @@ This mode only supports RSA and EC keys. When passing a string as first parameter, `md_alg` parameter will specify the name to use when signing. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256 by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA signing, -no message digest should be specified and will not be used. BoringSSL doesn't have default -digest thus `md_alg` must be specified. +no message digest should be specified and will not be used. `opts` is a table that accepts additional parameters. @@ -1083,8 +1051,7 @@ obsolete MD5 hash algorithm and will return error on this combination. See for a list of algorithms and associated public key algorithms. Normally, the ECDSA signature is encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with a true value, a binary with just the concatenation of binary representation `pr` and `ps` is returned. -This is useful for example to send the signature as JWS. This feature -is only supported on OpenSSL 1.1.0 or later. +This is useful for example to send the signature as JWS. [Back to TOC](#table-of-contents) @@ -1106,8 +1073,7 @@ This mode only supports RSA and EC keys. When passing a string as second parameter, `md_alg` parameter will specify the name to use when verifying. When `md_alg` is undefined, for RSA and EC keys, this function does SHA256 by default. For Ed25519 or Ed448 keys, this function does a PureEdDSA verification, -no message digest should be specified and will not be used. BoringSSL doesn't have default -digest thus `md_alg` must be specified. +no message digest should be specified and will not be used. `opts` is a table that accepts additional parameters. @@ -1118,8 +1084,7 @@ possible to specify PSS salt length by setting `opts.pss_saltlen`. For EC key, this function does a ECDSA verification. Normally, the ECDSA signature should be encoded in ASN.1 DER format. If the `opts` table contains a `ecdsa_use_raw` field with a true value, this library treat `signature` as concatenation of binary representation `pr` and `ps`. -This is useful for example to verify the signature as JWS. This feature -is only supported on OpenSSL 1.1.0 or later. +This is useful for example to verify the signature as JWS. ```lua -- RSA and EC keys @@ -1313,8 +1278,7 @@ Creates a `bn` instance from binary string. Exports the BIGNUM value in binary string. `bn:to_binary` accepts an optional number argument `padto` that can be -used to pad leading zeros to the output to a specific length. This feature -is only supported on OpenSSL 1.1.0 or later. +used to pad leading zeros to the output to a specific length. ```lua local b, err = require("resty.openssl.bn").from_binary(ngx.decode_base64("WyU=")) @@ -2030,8 +1994,7 @@ instead. Derive a key from given material. Various KDFs are supported based on OpenSSL version: -- On OpenSSL 1.0.2 and later, `PBKDF2`([RFC 2898], [NIST SP 800-132]) is available. -- On OpenSSL 1.1.0 and later, `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available. +`PBKDF2`([RFC 2898], [NIST SP 800-132]), `HKDF`([RFC 5869]), `TLS1-PRF`([RFC 2246], [RFC 5246] and [NIST SP 800-135 r1]) and `scrypt`([RFC 7914]) is available. `options` is a table that contains: @@ -2047,7 +2010,7 @@ Derive a key from given material. Various KDFs are supported based on OpenSSL ve to explictly select provider to fetch algorithms. | | | pbkdf2_iter | number | PBKDF2 iteration count. RFC 2898 suggests an iteration count of at least 1000. Any value less than 1 is treated as a single iteration. | `1` | | hkdf_key | string | HKDF key | **required** | -| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. This is only effective with OpenSSL >= 1.1.1. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`| +| hkdf_mode | number | HKDF mode to use, one of `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`, `kdf.HKDEF_MODE_EXTRACT_ONLY` or `kdf.HKDEF_MODE_EXPAND_ONLY`. To learn about mode, please refer to [EVP_PKEY_CTX_set1_hkdf_key(3)](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set1_hkdf_key.html). Note with `kdf.HKDEF_MODE_EXTRACT_ONLY`, `outlen` is ignored and the output will be fixed size of `HMAC-`. | `kdf.HKDEF_MODE_EXTRACT_AND_EXPAND`| | hkdf_info | string | HKDF info value | (empty string) | | tls1_prf_secret | string | TLS1-PRF secret | **required** | | tls1_prf_seed | string | TLS1-PRF seed | **required** | @@ -2592,8 +2555,6 @@ Sign the certificate using the private key specified by `pkey`, which must be a parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance. Returns a boolean indicating if signing is successful and error if any. -In BoringSSL when `digest` is not set it's fallback to `SHA256`. - [Back to TOC](#table-of-contents) ### x509:verify @@ -2804,8 +2765,6 @@ Sign the certificate request using the private key specified by `pkey`, which mu parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance. Returns a boolean indicating if signing is successful and error if any. -In BoringSSL when `digest` is not set it's fallback to `SHA256`. - [Back to TOC](#table-of-contents) ### csr:verify @@ -3020,8 +2979,6 @@ Sign the CRL using the private key specified by `pkey`, which must be a parameter to set digest method, whichmust be a [resty.openssl.digest](#restyopenssldigest) instance. Returns a boolean indicating if signing is successful and error if any. -In BoringSSL when `digest` is not set it's fallback to `SHA256`. - [Back to TOC](#table-of-contents) ### crl:verify @@ -3973,8 +3930,6 @@ to explictly select provider to fetch algorithms. Returns `true` when the certificate isn't revoked, otherwise returns `nil` and error explaining the reason. -Note this function is supported from OpenSSL 1.1.0 and not supported in BoringSSL. - [Back to TOC](#table-of-contents) ## resty.openssl.x509.revoked @@ -4539,7 +4494,7 @@ Copyright and License This module is licensed under the BSD license. -Copyright (C) 2019-2020, by fffonion . +Copyright (C) 2019-2023, by fffonion . All rights reserved. @@ -4557,7 +4512,7 @@ See Also ======== * [luaossl](https://github.com/wahern/luaossl) * [API/ABI changes review for OpenSSL](https://abi-laboratory.pro/index.php?view=timeline&l=openssl) -* [OpenSSL API manual](https://www.openssl.org/docs/man1.1.1/man3/) +* [OpenSSL API manual](https://www.openssl.org/docs/man3.1/man3/) [Back to TOC](#table-of-contents) diff --git a/lib/resty/openssl.lua b/lib/resty/openssl.lua index da2166c9..e33e5a3c 100644 --- a/lib/resty/openssl.lua +++ b/lib/resty/openssl.lua @@ -5,7 +5,7 @@ local ffi_str = ffi.string local format_error = require("resty.openssl.err").format_error -local OPENSSL_3X, BORINGSSL +local OPENSSL_3X local function try_require_modules() package.loaded["resty.openssl.version"] = nil @@ -13,7 +13,6 @@ local function try_require_modules() local pok, lib = pcall(require, "resty.openssl.version") if pok then OPENSSL_3X = lib.OPENSSL_3X - BORINGSSL = lib.BORINGSSL require "resty.openssl.include.crypto" require "resty.openssl.include.objects" @@ -362,10 +361,6 @@ local function list_provided(typ) end function _M.list_cipher_algorithms() - if BORINGSSL then - return nil, "openssl.list_cipher_algorithms is not supported on BoringSSL" - end - require "resty.openssl.include.evp.cipher" local ret = list_legacy("EVP_CIPHER", OPENSSL_3X and C.EVP_CIPHER_get_nid or C.EVP_CIPHER_nid) @@ -381,10 +376,6 @@ function _M.list_cipher_algorithms() end function _M.list_digest_algorithms() - if BORINGSSL then - return nil, "openssl.list_digest_algorithms is not supported on BoringSSL" - end - require "resty.openssl.include.evp.md" local ret = list_legacy("EVP_MD", OPENSSL_3X and C.EVP_MD_get_type or C.EVP_MD_type) diff --git a/lib/resty/openssl/bn.lua b/lib/resty/openssl/bn.lua index d02972d6..3c4fce44 100644 --- a/lib/resty/openssl/bn.lua +++ b/lib/resty/openssl/bn.lua @@ -9,7 +9,6 @@ require "resty.openssl.include.bn" local crypto_macro = require("resty.openssl.include.crypto") local ctypes = require "resty.openssl.auxiliary.ctypes" local format_error = require("resty.openssl.err").format_error -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local _M = {} @@ -55,8 +54,6 @@ function _M:to_binary(pad) if pad then if type(pad) ~= "number" then return nil, "bn:to_binary: expect a number at #1" - elseif OPENSSL_10 then - return nil, "bn:to_binary: padding is only supported on OpenSSL 1.1.0 or later" end end @@ -167,30 +164,18 @@ end -- we only need one per worker local bn_ctx_tmp = C.BN_CTX_new() assert(bn_ctx_tmp ~= nil) -if OPENSSL_10 then - C.BN_CTX_init(bn_ctx_tmp) -end ffi_gc(bn_ctx_tmp, C.BN_CTX_free) _M.bn_ctx_tmp = bn_ctx_tmp -- mathematics -local is_negative -if OPENSSL_10 then - local bn_zero = assert(_M.new(0)).ctx - is_negative = function(ctx) - return C.BN_cmp(ctx, bn_zero) < 0 and 1 or 0 - end -else - is_negative = C.BN_is_negative -end function mt.__unm(a) local b = _M.dup(a.ctx) if b == nil then error("BN_dup() failed") end - local sign = is_negative(b.ctx) + local sign = C.BN_is_negative(b.ctx) C.BN_set_negative(b.ctx, 1-sign) return b end @@ -366,52 +351,20 @@ function mt.__le(a, b) return C.BN_cmp(a.ctx, b.ctx) <= 0 end -if OPENSSL_10 then - -- in openssl 1.0.x those functions are implemented as macros - -- don't want to copy paste all structs here - -- the followings are definitely slower, but works - local bn_zero = assert(_M.new(0)).ctx - local bn_one = assert(_M.new(1)).ctx - - function _M:is_zero() - return C.BN_cmp(self.ctx, bn_zero) == 0 - end - - function _M:is_one() - return C.BN_cmp(self.ctx, bn_one) == 0 - end - - function _M:is_word(n) - local ctx = C.BN_new() - ffi_gc(ctx, C.BN_free) - if ctx == nil then - return nil, "bn:is_word: BN_new() failed" - end - if C.BN_set_word(ctx, n) ~= 1 then - return nil, "bn:is_word: BN_set_word() failed" - end - return C.BN_cmp(self.ctx, ctx) == 0 - end - - function _M:is_odd() - return self:to_number() % 2 == 1 - end -else - function _M:is_zero() - return C.BN_is_zero(self.ctx) == 1 - end +function _M:is_zero() + return C.BN_is_zero(self.ctx) == 1 +end - function _M:is_one() - return C.BN_is_one(self.ctx) == 1 - end +function _M:is_one() + return C.BN_is_one(self.ctx) == 1 +end - function _M:is_word(n) - return C.BN_is_word(self.ctx, n) == 1 - end +function _M:is_word(n) + return C.BN_is_word(self.ctx, n) == 1 +end - function _M:is_odd() - return C.BN_is_odd(self.ctx) == 1 - end +function _M:is_odd() + return C.BN_is_odd(self.ctx) == 1 end function _M:is_prime(nchecks) diff --git a/lib/resty/openssl/cipher.lua b/lib/resty/openssl/cipher.lua index 693ac096..f247ed9a 100644 --- a/lib/resty/openssl/cipher.lua +++ b/lib/resty/openssl/cipher.lua @@ -9,8 +9,6 @@ local evp_macro = require "resty.openssl.include.evp" local ctypes = require "resty.openssl.auxiliary.ctypes" local ctx_lib = require "resty.openssl.ctx" local format_error = require("resty.openssl.err").format_error -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local uchar_array = ctypes.uchar_array @@ -32,18 +30,11 @@ function _M.new(typ, properties) return nil, "cipher.new: expect type to be defined" end - local ctx - if OPENSSL_11_OR_LATER then - ctx = C.EVP_CIPHER_CTX_new() - ffi_gc(ctx, C.EVP_CIPHER_CTX_free) - elseif OPENSSL_10 then - ctx = ffi.new('EVP_CIPHER_CTX') - C.EVP_CIPHER_CTX_init(ctx) - ffi_gc(ctx, C.EVP_CIPHER_CTX_cleanup) - end + local ctx = C.EVP_CIPHER_CTX_new() if ctx == nil then return nil, "cipher.new: failed to create EVP_CIPHER_CTX" end + ffi_gc(ctx, C.EVP_CIPHER_CTX_free) local ctyp if OPENSSL_3X then diff --git a/lib/resty/openssl/dh.lua b/lib/resty/openssl/dh.lua index 93e4941a..cc0f6eb0 100644 --- a/lib/resty/openssl/dh.lua +++ b/lib/resty/openssl/dh.lua @@ -4,8 +4,6 @@ local C = ffi.C require "resty.openssl.include.dh" local bn_lib = require "resty.openssl.bn" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local format_error = require("resty.openssl.err").format_error local _M = {} @@ -18,45 +16,23 @@ function _M.get_parameters(dh_st) return setmetatable(empty_table, { __index = function(_, k) local ptr, ret - if OPENSSL_11_OR_LATER then - ptr = bn_ptrptr_ct() - end - - if OPENSSL_11_OR_LATER then - ptr = bn_ptrptr_ct() - end + ptr = bn_ptrptr_ct() if k == 'p' then - if OPENSSL_11_OR_LATER then - C.DH_get0_pqg(dh_st, ptr, nil, nil) - end + C.DH_get0_pqg(dh_st, ptr, nil, nil) elseif k == 'q' then - if OPENSSL_11_OR_LATER then - C.DH_get0_pqg(dh_st, nil, ptr, nil) - end + C.DH_get0_pqg(dh_st, nil, ptr, nil) elseif k == 'g' then - if OPENSSL_11_OR_LATER then - C.DH_get0_pqg(dh_st, nil, nil, ptr) - end + C.DH_get0_pqg(dh_st, nil, nil, ptr) elseif k == 'public' then - if OPENSSL_11_OR_LATER then - C.DH_get0_key(dh_st, ptr, nil) - end - k = "pub_key" + C.DH_get0_key(dh_st, ptr, nil) elseif k == 'private' then - if OPENSSL_11_OR_LATER then - C.DH_get0_key(dh_st, nil, ptr) - end - k = "priv_key" + C.DH_get0_key(dh_st, nil, ptr) else return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key" end - if OPENSSL_11_OR_LATER then - ret = ptr[0] - elseif OPENSSL_10 then - ret = dh_st[k] - end + ret = ptr[0] if ret == nil then return nil @@ -85,52 +61,44 @@ function _M.set_parameters(dh_st, opts) local cleanup_from_idx = 1 -- dup input local do_set_key, do_set_pqg - for k, v in pairs(opts) do - opts_bn[k], err = dup_bn_value(v) - if err then - err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err - goto cleanup_with_error - end - if k == "private" or k == "public" then - do_set_key = true - elseif k == "p" or k == "q" or k == "g" then - do_set_pqg = true + + while true do -- luacheck: ignore + for k, v in pairs(opts) do + opts_bn[k], err = dup_bn_value(v) + if err then + -- luacheck: ignore + err = "dh.set_parameters: cannot process parameter \"" .. k .. "\":" .. err + break + end + + if k == "private" or k == "public" then + do_set_key = true + elseif k == "p" or k == "q" or k == "g" then + do_set_pqg = true + end end - end - if OPENSSL_11_OR_LATER then + local code if do_set_key then code = C.DH_set0_key(dh_st, opts_bn["public"], opts_bn["private"]) if code == 0 then err = format_error("dh.set_parameters: DH_set0_key") - goto cleanup_with_error + break end end + cleanup_from_idx = cleanup_from_idx + 2 if do_set_pqg then code = C.DH_set0_pqg(dh_st, opts_bn["p"], opts_bn["q"], opts_bn["g"]) if code == 0 then err = format_error("dh.set_parameters: DH_set0_pqg") - goto cleanup_with_error - end - end - return true - elseif OPENSSL_10 then - for k, v in pairs(opts_bn) do - if k == "public" then - k = "pub_key" - elseif k == "private" then - k = "priv_key" + break end - if dh_st[k] ~= nil then - C.BN_free(dh_st[k]) - end - dh_st[k]= v end + return true end -::cleanup_with_error:: for i, k in pairs(_M.params) do if i >= cleanup_from_idx then C.BN_free(opts_bn[k]) diff --git a/lib/resty/openssl/digest.lua b/lib/resty/openssl/digest.lua index cfef9aee..e0389cad 100644 --- a/lib/resty/openssl/digest.lua +++ b/lib/resty/openssl/digest.lua @@ -7,8 +7,6 @@ require "resty.openssl.include.evp.md" local ctypes = require "resty.openssl.auxiliary.ctypes" local ctx_lib = require "resty.openssl.ctx" local format_error = require("resty.openssl.err").format_error -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local _M = {} @@ -17,17 +15,11 @@ local mt = {__index = _M} local md_ctx_ptr_ct = ffi.typeof('EVP_MD_CTX*') function _M.new(typ, properties) - local ctx - if OPENSSL_11_OR_LATER then - ctx = C.EVP_MD_CTX_new() - ffi_gc(ctx, C.EVP_MD_CTX_free) - elseif OPENSSL_10 then - ctx = C.EVP_MD_CTX_create() - ffi_gc(ctx, C.EVP_MD_CTX_destroy) - end + local ctx = C.EVP_MD_CTX_new() if ctx == nil then return nil, "digest.new: failed to create EVP_MD_CTX" end + ffi_gc(ctx, C.EVP_MD_CTX_free) local err_new = string.format("digest.new: invalid digest type \"%s\"", typ) diff --git a/lib/resty/openssl/ec.lua b/lib/resty/openssl/ec.lua index 2d0dd022..817c9df9 100644 --- a/lib/resty/openssl/ec.lua +++ b/lib/resty/openssl/ec.lua @@ -5,11 +5,8 @@ local ffi_gc = ffi.gc require "resty.openssl.include.ec" local bn_lib = require "resty.openssl.bn" local objects_lib = require "resty.openssl.objects" -local ctypes = require "resty.openssl.auxiliary.ctypes" -local version_num = require("resty.openssl.version").version_num local format_error = require("resty.openssl.err").format_error -local BORINGSSL = require("resty.openssl.version").BORINGSSL local _M = {} @@ -38,27 +35,12 @@ function _M.get_parameters(ec_key_st) if point_form == nil then return nil, format_error("ec.get_parameters: EC_KEY_get_conv_form") end - if BORINGSSL then - local sz = tonumber(C.EC_POINT_point2oct(group, pub_point, point_form, nil, 0, bn_lib.bn_ctx_tmp)) - if sz <= 0 then - return nil, format_error("ec.get_parameters: EC_POINT_point2oct") - end - local buf = ctypes.uchar_array(sz) - C.EC_POINT_point2oct(group, pub_point, point_form, buf, sz, bn_lib.bn_ctx_tmp) - buf = ffi.string(buf, sz) - local err - bn, err = bn_lib.from_binary(buf) - if bn == nil then - return nil, "ec.get_parameters: bn_lib.from_binary: " .. err - end - return bn - else - bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp) - if bn == nil then - return nil, format_error("ec.get_parameters: EC_POINT_point2bn") - end - ffi_gc(bn, C.BN_free) + + bn = C.EC_POINT_point2bn(group, pub_point, point_form, nil, bn_lib.bn_ctx_tmp) + if bn == nil then + return nil, format_error("ec.get_parameters: EC_POINT_point2bn") end + ffi_gc(bn, C.BN_free) elseif k == 'private' or k == "priv_key" then -- get0, don't GC bn = C.EC_KEY_get0_private_key(ec_key_st) @@ -72,17 +54,12 @@ function _M.get_parameters(ec_key_st) return nil, "ec.get_parameters: BN_new() failed" end ffi_gc(bn, C.BN_free) - local f - if version_num >= 0x10101000 then - f = C.EC_POINT_get_affine_coordinates - else - f = C.EC_POINT_get_affine_coordinates_GFp - end + local code if k == 'x' then - code = f(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp) + code = C.EC_POINT_get_affine_coordinates(group, pub_point, bn, nil, bn_lib.bn_ctx_tmp) else - code = f(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp) + code = C.EC_POINT_get_affine_coordinates(group, pub_point, nil, bn, bn_lib.bn_ctx_tmp) end if code ~= 1 then return nil, format_error("ec.get_parameters: EC_POINT_get_affine_coordinates") diff --git a/lib/resty/openssl/hmac.lua b/lib/resty/openssl/hmac.lua index fe18d2f7..9704ca38 100644 --- a/lib/resty/openssl/hmac.lua +++ b/lib/resty/openssl/hmac.lua @@ -7,8 +7,6 @@ require "resty.openssl.include.hmac" require "resty.openssl.include.evp.md" local ctypes = require "resty.openssl.auxiliary.ctypes" local format_error = require("resty.openssl.err").format_error -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local _M = {} @@ -20,18 +18,11 @@ local hmac_ctx_ptr_ct = ffi.typeof('HMAC_CTX*') -- Replace with EVP_MAC_* functions for OpenSSL 3.0 function _M.new(key, typ) - local ctx - if OPENSSL_11_OR_LATER then - ctx = C.HMAC_CTX_new() - ffi_gc(ctx, C.HMAC_CTX_free) - elseif OPENSSL_10 then - ctx = ffi.new('HMAC_CTX') - C.HMAC_CTX_init(ctx) - ffi_gc(ctx, C.HMAC_CTX_cleanup) - end + local ctx = C.HMAC_CTX_new() if ctx == nil then return nil, "hmac.new: failed to create HMAC_CTX" end + ffi_gc(ctx, C.HMAC_CTX_free) local algo = C.EVP_get_digestbyname(typ or 'sha1') if algo == nil then diff --git a/lib/resty/openssl/include/asn1.lua b/lib/resty/openssl/include/asn1.lua index ba59ebc3..a2e8f864 100644 --- a/lib/resty/openssl/include/asn1.lua +++ b/lib/resty/openssl/include/asn1.lua @@ -54,38 +54,10 @@ declare_asn1_functions("ASN1_OBJECT") declare_asn1_functions("ASN1_STRING") declare_asn1_functions("ASN1_ENUMERATED") -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110 - -local ASN1_STRING_get0_data -if OPENSSL_11_OR_LATER then - ffi.cdef[[ - const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); - ]] - ASN1_STRING_get0_data = C.ASN1_STRING_get0_data -elseif OPENSSL_10 then - ffi.cdef[[ - unsigned char *ASN1_STRING_data(ASN1_STRING *x); - typedef struct ASN1_ENCODING_st { - unsigned char *enc; /* DER encoding */ - long len; /* Length of encoding */ - int modified; /* set to 1 if 'enc' is invalid */ - } ASN1_ENCODING; - ]] - ASN1_STRING_get0_data = C.ASN1_STRING_data -end - -if BORINGSSL_110 then - ffi.cdef [[ - // required by resty/openssl/include/x509/crl.lua - typedef struct ASN1_ENCODING_st { - unsigned char *enc; /* DER encoding */ - long len; /* Length of encoding */ - int modified; /* set to 1 if 'enc' is invalid */ - } ASN1_ENCODING; - ]] -end +ffi.cdef[[ + const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); +]] +local ASN1_STRING_get0_data = C.ASN1_STRING_get0_data return { ASN1_STRING_get0_data = ASN1_STRING_get0_data, diff --git a/lib/resty/openssl/include/crypto.lua b/lib/resty/openssl/include/crypto.lua index 29a6a227..59711d05 100644 --- a/lib/resty/openssl/include/crypto.lua +++ b/lib/resty/openssl/include/crypto.lua @@ -1,37 +1,19 @@ local ffi = require "ffi" local C = ffi.C -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL = require("resty.openssl.version").BORINGSSL - -local OPENSSL_free -if OPENSSL_10 then - ffi.cdef [[ - void CRYPTO_free(void *ptr); - ]] - OPENSSL_free = C.CRYPTO_free -elseif BORINGSSL then - ffi.cdef [[ - void OPENSSL_free(void *ptr); - ]] - OPENSSL_free = C.OPENSSL_free -elseif OPENSSL_11_OR_LATER then - ffi.cdef [[ - void CRYPTO_free(void *ptr, const char *file, int line); - ]] - OPENSSL_free = function(ptr) - -- file and line is for debuggin only, since we can't know the c file info - -- the macro is expanded, just ignore this - C.CRYPTO_free(ptr, "", 0) - end -end - ffi.cdef [[ int FIPS_mode(void); int FIPS_mode_set(int ONOFF); + void CRYPTO_free(void *ptr, const char *file, int line); ]] +local OPENSSL_free = function(ptr) + -- file and line is for debuggin only, since we can't know the c file info + -- the macro is expanded, just ignore this + C.CRYPTO_free(ptr, "", 0) +end + + return { OPENSSL_free = OPENSSL_free, } diff --git a/lib/resty/openssl/include/dh.lua b/lib/resty/openssl/include/dh.lua index 504879da..dc4a96f0 100644 --- a/lib/resty/openssl/include/dh.lua +++ b/lib/resty/openssl/include/dh.lua @@ -3,50 +3,15 @@ local C = ffi.C require "resty.openssl.include.ossl_typ" require "resty.openssl.include.objects" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER - -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - void DH_get0_pqg(const DH *dh, - const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); - int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); - void DH_get0_key(const DH *dh, - const BIGNUM **pub_key, const BIGNUM **priv_key); - int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); - ]] -elseif OPENSSL_10 then - ffi.cdef [[ - struct dh_st { - /* - * This first argument is used to pick up errors when a DH is passed - * instead of a EVP_PKEY - */ - int pad; - int version; - BIGNUM *p; - BIGNUM *g; - long length; /* optional */ - BIGNUM *pub_key; /* g^x */ - BIGNUM *priv_key; /* x */ - int flags; - /*BN_MONT_CTX*/ void *method_mont_p; - /* Place holders if we want to do X9.42 DH */ - BIGNUM *q; - BIGNUM *j; - unsigned char *seed; - int seedlen; - BIGNUM *counter; - int references; - /* trimmer */ - // CRYPTO_EX_DATA ex_data; - // const DH_METHOD *meth; - // ENGINE *engine; - }; - ]] -end ffi.cdef [[ + void DH_get0_pqg(const DH *dh, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); + void DH_get0_key(const DH *dh, + const BIGNUM **pub_key, const BIGNUM **priv_key); + int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); + DH *DH_get_1024_160(void); DH *DH_get_2048_224(void); DH *DH_get_2048_256(void); diff --git a/lib/resty/openssl/include/ec.lua b/lib/resty/openssl/include/ec.lua index 674ef426..8e51e450 100644 --- a/lib/resty/openssl/include/ec.lua +++ b/lib/resty/openssl/include/ec.lua @@ -31,15 +31,6 @@ ffi.cdef [[ BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form, BIGNUM *, BN_CTX *); - // for BoringSSL - size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *ctx); - // OpenSSL < 1.1.1 - int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *p, - BIGNUM *x, BIGNUM *y, BN_CTX *ctx); - // OpenSSL >= 1.1.1 int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn, diff --git a/lib/resty/openssl/include/evp.lua b/lib/resty/openssl/include/evp.lua index beeaf911..48c6ad77 100644 --- a/lib/resty/openssl/include/evp.lua +++ b/lib/resty/openssl/include/evp.lua @@ -6,33 +6,18 @@ require "resty.openssl.include.ossl_typ" require "resty.openssl.include.err" require "resty.openssl.include.objects" local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL -if BORINGSSL then - ffi.cdef [[ - int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, - const uint8_t *salt, size_t salt_len, - unsigned iterations, const EVP_MD *digest, - size_t key_len, uint8_t *out_key); - int EVP_PBE_scrypt(const char *password, size_t password_len, - const uint8_t *salt, size_t salt_len, - uint64_t N, uint64_t r, uint64_t p, - size_t max_mem, uint8_t *out_key, - size_t key_len); - ]] -else - ffi.cdef [[ - /* KDF */ - int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, - const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, int keylen, unsigned char *out); - - int EVP_PBE_scrypt(const char *pass, size_t passlen, - const unsigned char *salt, size_t saltlen, - uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, - unsigned char *key, size_t keylen); - ]] -end +ffi.cdef [[ + /* KDF */ + int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, + const EVP_MD *digest, int keylen, unsigned char *out); + + int EVP_PBE_scrypt(const char *pass, size_t passlen, + const unsigned char *salt, size_t saltlen, + uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, + unsigned char *key, size_t keylen); +]] if OPENSSL_3X then require "resty.openssl.include.provider" diff --git a/lib/resty/openssl/include/evp/cipher.lua b/lib/resty/openssl/include/evp/cipher.lua index c8037661..30f6432a 100644 --- a/lib/resty/openssl/include/evp/cipher.lua +++ b/lib/resty/openssl/include/evp/cipher.lua @@ -1,16 +1,13 @@ local ffi = require "ffi" require "resty.openssl.include.ossl_typ" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL ffi.cdef [[ - // openssl < 3.0 - int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); - int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); - int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); + EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); + int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); + void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c); + int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); @@ -38,24 +35,14 @@ ffi.cdef [[ void EVP_CIPHER_do_all_sorted(void (*fn) (const EVP_CIPHER *ciph, const char *from, const char *to, void *x), void *arg); - int EVP_CIPHER_nid(const EVP_CIPHER *cipher); + + int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, + const unsigned char *salt, + const unsigned char *data, int datal, int count, + unsigned char *key, unsigned char *iv); + ]] -if BORINGSSL then - ffi.cdef [[ - int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, - const uint8_t *salt, const uint8_t *data, - size_t data_len, unsigned count, uint8_t *key, - uint8_t *iv); - ]] -else - ffi.cdef [[ - int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, - const unsigned char *salt, - const unsigned char *data, int datal, int count, - unsigned char *key, unsigned char *iv); - ]] -end if OPENSSL_3X then require "resty.openssl.include.provider" @@ -85,39 +72,12 @@ if OPENSSL_3X then int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]); const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx); ]] -end - -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); - int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); - void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c); - ]] -elseif OPENSSL_10 then +else ffi.cdef [[ - void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); - int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); - - // # define EVP_MAX_IV_LENGTH 16 - // # define EVP_MAX_BLOCK_LENGTH 32 - - struct evp_cipher_ctx_st { - const EVP_CIPHER *cipher; - ENGINE *engine; /* functional reference if 'cipher' is - * ENGINE-provided */ - int encrypt; /* encrypt or decrypt */ - int buf_len; /* number we have left */ - unsigned char oiv[16]; /* original iv EVP_MAX_IV_LENGTH */ - unsigned char iv[16]; /* working iv EVP_MAX_IV_LENGTH */ - unsigned char buf[32]; /* saved partial block EVP_MAX_BLOCK_LENGTH */ - int num; /* used by cfb/ofb/ctr mode */ - void *app_data; /* application stuff */ - int key_len; /* May change for variable length cipher */ - unsigned long flags; /* Various flags */ - void *cipher_data; /* per EVP data */ - int final_used; - int block_mask; - unsigned char final[32]; /* possible final block EVP_MAX_BLOCK_LENGTH */ - } /* EVP_CIPHER_CTX */ ; + int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); + int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); + int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); + + int EVP_CIPHER_nid(const EVP_CIPHER *cipher); ]] -end \ No newline at end of file +end diff --git a/lib/resty/openssl/include/evp/kdf.lua b/lib/resty/openssl/include/evp/kdf.lua index 1fd408f5..839cc1d9 100644 --- a/lib/resty/openssl/include/evp/kdf.lua +++ b/lib/resty/openssl/include/evp/kdf.lua @@ -7,7 +7,6 @@ require "resty.openssl.include.evp.md" local evp = require("resty.openssl.include.evp") local ctypes = require "resty.openssl.auxiliary.ctypes" local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL local void_ptr = ctypes.void_ptr @@ -46,11 +45,7 @@ if OPENSSL_3X then int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]); const OSSL_PARAM *EVP_KDF_CTX_gettable_params(const EVP_KDF_CTX *ctx); const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF_CTX *ctx); - ]] -end -if OPENSSL_3X or BORINGSSL then - ffi.cdef [[ int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx, const unsigned char *sec, int seclen); diff --git a/lib/resty/openssl/include/evp/md.lua b/lib/resty/openssl/include/evp/md.lua index 1794ce18..908bb1a2 100644 --- a/lib/resty/openssl/include/evp/md.lua +++ b/lib/resty/openssl/include/evp/md.lua @@ -1,8 +1,6 @@ local ffi = require "ffi" require "resty.openssl.include.ossl_typ" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X ffi.cdef [[ @@ -19,9 +17,9 @@ ffi.cdef [[ unsigned int *s); const EVP_MD *EVP_md_null(void); - // openssl < 3.0 - int EVP_MD_size(const EVP_MD *md); - int EVP_MD_type(const EVP_MD *md); + + EVP_MD_CTX *EVP_MD_CTX_new(void); + void EVP_MD_CTX_free(EVP_MD_CTX *ctx); typedef void* fake_openssl_md_list_fn(const EVP_MD *ciph, const char *from, const char *to, void *x); @@ -55,32 +53,9 @@ if OPENSSL_3X then int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[]); const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx); ]] -end - -if OPENSSL_11_OR_LATER then +else ffi.cdef [[ - EVP_MD_CTX *EVP_MD_CTX_new(void); - void EVP_MD_CTX_free(EVP_MD_CTX *ctx); + int EVP_MD_size(const EVP_MD *md); + int EVP_MD_type(const EVP_MD *md); ]] -elseif OPENSSL_10 then - ffi.cdef [[ - EVP_MD_CTX *EVP_MD_CTX_create(void); - void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); - - // crypto/evp/evp.h - // only needed for openssl 1.0.x where initializer for HMAC_CTX is not avaiable - // HACK: renamed from env_md_ctx_st to evp_md_ctx_st to match typedef (lazily) - // it's an internal struct thus name is not exported so we will be fine - struct evp_md_ctx_st { - const EVP_MD *digest; - ENGINE *engine; /* functional reference if 'digest' is - * ENGINE-provided */ - unsigned long flags; - void *md_data; - /* Public key context for sign/verify */ - EVP_PKEY_CTX *pctx; - /* Update function: usually copied from EVP_MD */ - int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); - } /* EVP_MD_CTX */ ; - ]] -end \ No newline at end of file +end diff --git a/lib/resty/openssl/include/evp/pkey.lua b/lib/resty/openssl/include/evp/pkey.lua index ee1a213d..f9361968 100644 --- a/lib/resty/openssl/include/evp/pkey.lua +++ b/lib/resty/openssl/include/evp/pkey.lua @@ -4,9 +4,7 @@ local C = ffi.C require "resty.openssl.include.ossl_typ" require "resty.openssl.include.evp.md" local evp = require("resty.openssl.include.evp") -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL ffi.cdef [[ EVP_PKEY *EVP_PKEY_new(void); @@ -85,6 +83,8 @@ ffi.cdef [[ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); ]] +local _M = {} + if OPENSSL_3X then require "resty.openssl.include.provider" @@ -94,55 +94,6 @@ if OPENSSL_3X then int EVP_PKEY_get_base_id(const EVP_PKEY *pkey); int EVP_PKEY_get_size(const EVP_PKEY *pkey); - const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key); - const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx); - - const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey); - int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]); - int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]); - const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx); - ]] -end - -if OPENSSL_10 then - ffi.cdef [[ - // crypto/evp/evp.h - // only needed for openssl 1.0.x where getters are not available - // needed to get key to extract parameters - // Note: this struct is trimmed - struct evp_pkey_st { - int type; - int save_type; - const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *engine; - ENGINE *pmeth_engine; - union { - void *ptr; - struct rsa_st *rsa; - struct dsa_st *dsa; - struct dh_st *dh; - struct ec_key_st *ec; - } pkey; - // trimmed - - // CRYPTO_REF_COUNT references; - // CRYPTO_RWLOCK *lock; - // STACK_OF(X509_ATTRIBUTE) *attributes; - // int save_parameters; - - // struct { - // EVP_KEYMGMT *keymgmt; - // void *provkey; - // } pkeys[10]; - // size_t dirty_cnt_copy; - }; - ]] -end - -local _M = {} - -if OPENSSL_3X or BORINGSSL then - ffi.cdef [[ int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc); @@ -153,7 +104,16 @@ if OPENSSL_3X or BORINGSSL then int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len); int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits); + + const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key); + const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx); + + const OSSL_PARAM *EVP_PKEY_settable_params(const EVP_PKEY *pkey); + int EVP_PKEY_set_params(EVP_PKEY *pkey, OSSL_PARAM params[]); + int EVP_PKEY_get_params(EVP_PKEY *ctx, OSSL_PARAM params[]); + const OSSL_PARAM *EVP_PKEY_gettable_params(EVP_PKEY *ctx); ]] + _M.EVP_PKEY_CTX_set_ec_paramgen_curve_nid = function(pctx, nid) return C.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) end diff --git a/lib/resty/openssl/include/hmac.lua b/lib/resty/openssl/include/hmac.lua index e08f0311..ccc983c0 100644 --- a/lib/resty/openssl/include/hmac.lua +++ b/lib/resty/openssl/include/hmac.lua @@ -2,47 +2,16 @@ local ffi = require "ffi" require "resty.openssl.include.ossl_typ" require "resty.openssl.include.evp" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL = require("resty.openssl.version").BORINGSSL - -if BORINGSSL then - ffi.cdef [[ - int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len, - const EVP_MD *md, ENGINE *impl); - ]] -else - ffi.cdef [[ - int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, - const EVP_MD *md, ENGINE *impl); - ]] -end ffi.cdef [[ + int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, + const EVP_MD *md, ENGINE *impl); + int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len); int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); -]] -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - HMAC_CTX *HMAC_CTX_new(void); - void HMAC_CTX_free(HMAC_CTX *ctx); - ]] -elseif OPENSSL_10 then - ffi.cdef [[ - // # define HMAC_MAX_MD_CBLOCK 128/* largest known is SHA512 */ - struct hmac_ctx_st { - const EVP_MD *md; - EVP_MD_CTX md_ctx; - EVP_MD_CTX i_ctx; - EVP_MD_CTX o_ctx; - unsigned int key_length; - unsigned char key[128]; - }; - - void HMAC_CTX_init(HMAC_CTX *ctx); - void HMAC_CTX_cleanup(HMAC_CTX *ctx); - ]] -end \ No newline at end of file + HMAC_CTX *HMAC_CTX_new(void); + void HMAC_CTX_free(HMAC_CTX *ctx); +]] diff --git a/lib/resty/openssl/include/rand.lua b/lib/resty/openssl/include/rand.lua index 90f44c1c..5d23256c 100644 --- a/lib/resty/openssl/include/rand.lua +++ b/lib/resty/openssl/include/rand.lua @@ -2,14 +2,8 @@ local ffi = require "ffi" require "resty.openssl.include.ossl_typ" local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL -if BORINGSSL then - ffi.cdef [[ - int RAND_bytes(uint8_t *buf, size_t num); - int RAND_priv_bytes(uint8_t *buf, size_t num); - ]] -elseif OPENSSL_3X then +if OPENSSL_3X then ffi.cdef [[ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, unsigned int strength); diff --git a/lib/resty/openssl/include/rsa.lua b/lib/resty/openssl/include/rsa.lua index d7de5f4d..cbd1f9af 100644 --- a/lib/resty/openssl/include/rsa.lua +++ b/lib/resty/openssl/include/rsa.lua @@ -1,62 +1,23 @@ local ffi = require "ffi" require "resty.openssl.include.ossl_typ" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER ffi.cdef [[ RSA *RSA_new(void); void RSA_free(RSA *r); -]] - -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - void RSA_get0_key(const RSA *r, - const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); - void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); - void RSA_get0_crt_params(const RSA *r, - const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp); - int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); - int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); - int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); - struct rsa_st; - ]] -elseif OPENSSL_10 then - ffi.cdef [[ - // crypto/rsa/rsa_locl.h - // needed to extract parameters - // Note: this struct is trimmed - struct rsa_st { - int pad; - // the following has been changed in OpenSSL 1.1.x to int32_t - long version; - const RSA_METHOD *meth; - ENGINE *engine; - BIGNUM *n; - BIGNUM *e; - BIGNUM *d; - BIGNUM *p; - BIGNUM *q; - BIGNUM *dmp1; - BIGNUM *dmq1; - BIGNUM *iqmp; - // trimmed + void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); + void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); + void RSA_get0_crt_params(const RSA *r, + const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp); - // CRYPTO_EX_DATA ex_data; - // int references; - // int flags; - // BN_MONT_CTX *_method_mod_n; - // BN_MONT_CTX *_method_mod_p; - // BN_MONT_CTX *_method_mod_q; - - // char *bignum_data; - // BN_BLINDING *blinding; - // BN_BLINDING *mt_blinding; - }; - ]] -end + int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); + int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); + int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); + struct rsa_st; +]] return { paddings = { diff --git a/lib/resty/openssl/include/ssl.lua b/lib/resty/openssl/include/ssl.lua index 1219ac36..507024a6 100644 --- a/lib/resty/openssl/include/ssl.lua +++ b/lib/resty/openssl/include/ssl.lua @@ -4,7 +4,6 @@ local C = ffi.C require "resty.openssl.include.ossl_typ" require "resty.openssl.include.stack" local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL ffi.cdef [[ // SSL_METHOD @@ -75,36 +74,15 @@ else ]] end -if BORINGSSL then - ffi.cdef [[ - int SSL_set_min_proto_version(SSL *ssl, int version); - int SSL_set_max_proto_version(SSL *ssl, int version); - ]] -end - local SSL_CTRL_SET_MIN_PROTO_VERSION = 123 local SSL_CTRL_SET_MAX_PROTO_VERSION = 124 -local SSL_set_min_proto_version -if BORINGSSL then - SSL_set_min_proto_version = function(ctx, version) - return C.SSL_set_min_proto_version(ctx, version) - end -else - SSL_set_min_proto_version = function(ctx, version) - return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil) - end +local SSL_set_min_proto_version = function(ctx, version) + return C.SSL_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, nil) end -local SSL_set_max_proto_version -if BORINGSSL then - SSL_set_max_proto_version = function(ctx, version) - return C.SSL_set_max_proto_version(ctx, version) - end -else - SSL_set_max_proto_version = function(ctx, version) - return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil) - end +local SSL_set_max_proto_version = function(ctx, version) + return C.SSL_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, nil) end return { diff --git a/lib/resty/openssl/include/stack.lua b/lib/resty/openssl/include/stack.lua index 5732608e..1dc95656 100644 --- a/lib/resty/openssl/include/stack.lua +++ b/lib/resty/openssl/include/stack.lua @@ -6,90 +6,25 @@ ]] local ffi = require "ffi" -local C = ffi.C require "resty.openssl.include.ossl_typ" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL = require("resty.openssl.version").BORINGSSL - -local _M = {} ffi.cdef [[ typedef char *OPENSSL_STRING; + typedef struct stack_st OPENSSL_STACK; + + OPENSSL_STACK *OPENSSL_sk_new_null(void); + int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data); + void OPENSSL_sk_pop_free(OPENSSL_STACK *st, void (*func) (void *)); + int OPENSSL_sk_num(const OPENSSL_STACK *); + void *OPENSSL_sk_value(const OPENSSL_STACK *, int); + OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st); + void OPENSSL_sk_free(OPENSSL_STACK *); + void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc); + + typedef void (*OPENSSL_sk_freefunc)(void *); + typedef void *(*OPENSSL_sk_copyfunc)(const void *); + OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *, + OPENSSL_sk_copyfunc c, + OPENSSL_sk_freefunc f); ]] - -if OPENSSL_11_OR_LATER and not BORINGSSL then - ffi.cdef [[ - typedef struct stack_st OPENSSL_STACK; - - OPENSSL_STACK *OPENSSL_sk_new_null(void); - int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data); - void OPENSSL_sk_pop_free(OPENSSL_STACK *st, void (*func) (void *)); - int OPENSSL_sk_num(const OPENSSL_STACK *); - void *OPENSSL_sk_value(const OPENSSL_STACK *, int); - OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st); - void OPENSSL_sk_free(OPENSSL_STACK *); - void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc); - - typedef void (*OPENSSL_sk_freefunc)(void *); - typedef void *(*OPENSSL_sk_copyfunc)(const void *); - OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *, - OPENSSL_sk_copyfunc c, - OPENSSL_sk_freefunc f); - ]] - _M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free - - _M.OPENSSL_sk_new_null = C.OPENSSL_sk_new_null - _M.OPENSSL_sk_push = C.OPENSSL_sk_push - _M.OPENSSL_sk_pop_free = C.OPENSSL_sk_pop_free - _M.OPENSSL_sk_num = C.OPENSSL_sk_num - _M.OPENSSL_sk_value = C.OPENSSL_sk_value - _M.OPENSSL_sk_dup = C.OPENSSL_sk_dup - _M.OPENSSL_sk_delete = C.OPENSSL_sk_delete - _M.OPENSSL_sk_free = C.OPENSSL_sk_free - _M.OPENSSL_sk_deep_copy = C.OPENSSL_sk_deep_copy -elseif OPENSSL_10 or BORINGSSL then - ffi.cdef [[ - typedef struct stack_st _STACK; - // i made this up - typedef struct stack_st OPENSSL_STACK; - - _STACK *sk_new_null(void); - void sk_pop_free(_STACK *st, void (*func) (void *)); - _STACK *sk_dup(_STACK *st); - void sk_free(_STACK *st); - - _STACK *sk_deep_copy(_STACK *, void *(*)(void *), void (*)(void *)); - ]] - - if BORINGSSL then -- indices are using size_t instead of int - ffi.cdef [[ - size_t sk_push(_STACK *st, void *data); - size_t sk_num(const _STACK *); - void *sk_value(const _STACK *, size_t); - void *sk_delete(_STACK *st, size_t loc); - ]] - else -- normal OpenSSL 1.0 - ffi.cdef [[ - int sk_push(_STACK *st, void *data); - int sk_num(const _STACK *); - void *sk_value(const _STACK *, int); - void *sk_delete(_STACK *st, int loc); - ]] - end - - _M.OPENSSL_sk_pop_free = C.sk_pop_free - - _M.OPENSSL_sk_new_null = C.sk_new_null - _M.OPENSSL_sk_push = function(...) return tonumber(C.sk_push(...)) end - _M.OPENSSL_sk_pop_free = C.sk_pop_free - _M.OPENSSL_sk_num = function(...) return tonumber(C.sk_num(...)) end - _M.OPENSSL_sk_value = C.sk_value - _M.OPENSSL_sk_delete = C.sk_delete - _M.OPENSSL_sk_dup = C.sk_dup - _M.OPENSSL_sk_free = C.sk_free - _M.OPENSSL_sk_deep_copy = C.sk_deep_copy -end - -return _M diff --git a/lib/resty/openssl/include/x509/crl.lua b/lib/resty/openssl/include/x509/crl.lua index 7870cd3e..de15a4dc 100644 --- a/lib/resty/openssl/include/x509/crl.lua +++ b/lib/resty/openssl/include/x509/crl.lua @@ -8,10 +8,6 @@ require "resty.openssl.include.stack" local asn1_macro = require "resty.openssl.include.asn1" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110 - asn1_macro.declare_asn1_functions("X509_CRL", asn1_macro.has_new_ex) ffi.cdef [[ @@ -42,45 +38,14 @@ ffi.cdef [[ int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial); -]] - -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); - int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); - /*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); - /*const*/ ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); - long X509_CRL_get_version(const X509_CRL *crl); - X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); + int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); + int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); + /*const*/ ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); + /*const*/ ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); + long X509_CRL_get_version(const X509_CRL *crl); - int X509_CRL_get_signature_nid(const X509_CRL *crl); - ]] -end -if OPENSSL_10 or BORINGSSL_110 then - -- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros) - ffi.cdef [[ - typedef struct X509_crl_info_st { - ASN1_INTEGER *version; - X509_ALGOR *sig_alg; - X509_NAME *issuer; - ASN1_TIME *lastUpdate; - ASN1_TIME *nextUpdate; - // STACK_OF(X509_REVOKED) - OPENSSL_STACK *revoked; - // STACK_OF(X509_EXTENSION) - OPENSSL_STACK /* [0] */ *extensions; - ASN1_ENCODING enc; - } X509_CRL_INFO; + X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); - // Note: this struct is trimmed - struct X509_crl_st { - /* actual signature */ - X509_CRL_INFO *crl; - // trimmed - } /* X509_CRL */ ; - - int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); - int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); - ]] -end + int X509_CRL_get_signature_nid(const X509_CRL *crl); +]] diff --git a/lib/resty/openssl/include/x509/csr.lua b/lib/resty/openssl/include/x509/csr.lua index 44c48019..eb94264e 100644 --- a/lib/resty/openssl/include/x509/csr.lua +++ b/lib/resty/openssl/include/x509/csr.lua @@ -8,10 +8,7 @@ require "resty.openssl.include.stack" local asn1_macro = require "resty.openssl.include.asn1" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110 asn1_macro.declare_asn1_functions("X509_REQ", asn1_macro.has_new_ex) @@ -48,37 +45,12 @@ ffi.cdef [[ int X509_REQ_add_extensions(X509_REQ *req, OPENSSL_STACK *exts); int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k); -]] -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); - long X509_REQ_get_version(const X509_REQ *req); + X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); + long X509_REQ_get_version(const X509_REQ *req); - int X509_REQ_get_signature_nid(const X509_REQ *crl); - ]] -end -if OPENSSL_10 or BORINGSSL_110 then - ffi.cdef [[ - typedef struct X509_req_info_st { - ASN1_ENCODING enc; - ASN1_INTEGER *version; - X509_NAME *subject; - /*X509_PUBKEY*/ void *pubkey; - /* d=2 hl=2 l= 0 cons: cont: 00 */ - /*STACK_OF(X509_ATTRIBUTE)*/ OPENSSL_STACK *attributes; /* [ 0 ] */ - } X509_REQ_INFO; - - // Note: this struct is trimmed - typedef struct X509_req_st { - X509_REQ_INFO *req_info; - X509_ALGOR *sig_alg; - // trimmed - //ASN1_BIT_STRING *signature; - //int references; - } X509_REQ; - ]] -end + int X509_REQ_get_signature_nid(const X509_REQ *crl); +]] if OPENSSL_3X then ffi.cdef [[ diff --git a/lib/resty/openssl/include/x509/init.lua b/lib/resty/openssl/include/x509/init.lua index ec104ef6..4760fb8b 100644 --- a/lib/resty/openssl/include/x509/init.lua +++ b/lib/resty/openssl/include/x509/init.lua @@ -6,10 +6,6 @@ require "resty.openssl.include.pem" require "resty.openssl.include.stack" local asn1_macro = require "resty.openssl.include.asn1" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110 - asn1_macro.declare_asn1_functions("X509", asn1_macro.has_new_ex) ffi.cdef [[ @@ -67,72 +63,15 @@ ffi.cdef [[ unsigned char *X509_alias_get0(X509 *x, int *len); unsigned char *X509_keyid_get0(X509 *x, int *len); int X509_check_private_key(X509 *x, EVP_PKEY *k); -]] -if OPENSSL_11_OR_LATER then - ffi.cdef [[ - int X509_up_ref(X509 *a); - - int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); - int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); - /*const*/ ASN1_TIME *X509_get0_notBefore(const X509 *x); - /*const*/ ASN1_TIME *X509_get0_notAfter(const X509 *x); - long X509_get_version(const X509 *x); - const ASN1_INTEGER *X509_get0_serialNumber(X509 *x); - - X509_EXTENSION *X509_delete_ext(X509 *x, int loc); - ]] -elseif OPENSSL_10 then - ffi.cdef [[ - // STACK_OF(X509_EXTENSION) - X509_EXTENSION *X509v3_delete_ext(OPENSSL_STACK *x, int loc); - ]] -end - -if OPENSSL_10 or BORINGSSL_110 then - -- in openssl 1.0.x some getters are direct accessor to struct members (defiend by macros) - ffi.cdef [[ - // crypto/x509/x509.h - typedef struct X509_val_st { - ASN1_TIME *notBefore; - ASN1_TIME *notAfter; - } X509_VAL; - - typedef struct X509_algor_st { - ASN1_OBJECT *algorithm; - ASN1_TYPE *parameter; - } X509_ALGOR; - - // Note: this struct is trimmed - typedef struct x509_cinf_st { - /*ASN1_INTEGER*/ void *version; - /*ASN1_INTEGER*/ void *serialNumber; - X509_ALGOR *signature; - X509_NAME *issuer; - X509_VAL *validity; - X509_NAME *subject; - /*X509_PUBKEY*/ void *key; - /*ASN1_BIT_STRING*/ void *issuerUID; /* [ 1 ] optional in v2 */ - /*ASN1_BIT_STRING*/ void *subjectUID; /* [ 2 ] optional in v2 */ - /*STACK_OF(X509_EXTENSION)*/ OPENSSL_STACK *extensions; /* [ 3 ] optional in v3 */ - // trimmed - // ASN1_ENCODING enc; - } X509_CINF; - // Note: this struct is trimmed - struct x509_st { - X509_CINF *cert_info; - // trimmed - } X509; - - int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); - int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); - ASN1_INTEGER *X509_get_serialNumber(X509 *x); - ]] -end - -if BORINGSSL_110 then - ffi.cdef [[ - ASN1_TIME *X509_get_notBefore(const X509 *x); - ASN1_TIME *X509_get_notAfter(const X509 *x); - ]] -end + int X509_up_ref(X509 *a); + + int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); + int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); + /*const*/ ASN1_TIME *X509_get0_notBefore(const X509 *x); + /*const*/ ASN1_TIME *X509_get0_notAfter(const X509 *x); + long X509_get_version(const X509 *x); + const ASN1_INTEGER *X509_get0_serialNumber(X509 *x); + + X509_EXTENSION *X509_delete_ext(X509 *x, int loc); +]] diff --git a/lib/resty/openssl/include/x509_vfy.lua b/lib/resty/openssl/include/x509_vfy.lua index 54317f60..60c8969f 100644 --- a/lib/resty/openssl/include/x509_vfy.lua +++ b/lib/resty/openssl/include/x509_vfy.lua @@ -3,11 +3,7 @@ local C = ffi.C require "resty.openssl.include.ossl_typ" require "resty.openssl.include.stack" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL -local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110 ffi.cdef [[ X509_STORE *X509_STORE_new(void); @@ -47,6 +43,17 @@ ffi.cdef [[ int X509_PURPOSE_get_by_sname(char *sname); X509_PURPOSE *X509_PURPOSE_get0(int idx); int X509_PURPOSE_get_id(const X509_PURPOSE *xp); + + // STACK_OF(X509) + OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); + typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); + // STACK_OF(X509) + void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk); + + typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); + X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx); + // STACK_OF(X509) + void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk); ]] local _M = { @@ -76,35 +83,6 @@ local _M = { }, } -if OPENSSL_10 or BORINGSSL_110 then - ffi.cdef [[ - // STACK_OF(X509) - OPENSSL_STACK *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); - ]]; - _M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get_chain -elseif OPENSSL_11_OR_LATER then - ffi.cdef [[ - // STACK_OF(X509) - OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); - typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); - // STACK_OF(X509) - void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk); - ]]; - _M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get0_chain -end - --- these two apis are supported from 1.1.0 but not supported by boringssl -if not BORINGSSL then - if OPENSSL_11_OR_LATER then - ffi.cdef [[ - typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); - X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx); - // STACK_OF(X509) - void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk); - ]]; - end -end - if OPENSSL_3X then ffi.cdef [[ X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq); diff --git a/lib/resty/openssl/kdf.lua b/lib/resty/openssl/kdf.lua index 62188bcf..e5df1dc2 100644 --- a/lib/resty/openssl/kdf.lua +++ b/lib/resty/openssl/kdf.lua @@ -10,9 +10,7 @@ require("resty.openssl.include.evp.pkey") local kdf_macro = require "resty.openssl.include.evp.kdf" local ctx_lib = require "resty.openssl.ctx" local format_error = require("resty.openssl.err").format_error -local version_num = require("resty.openssl.version").version_num local version_text = require("resty.openssl.version").version_text -local BORINGSSL = require("resty.openssl.version").BORINGSSL local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local ctypes = require "resty.openssl.auxiliary.ctypes" @@ -26,23 +24,17 @@ OpenSSL 3.0 additionally provides Single Step KDF, SSH KDF, PBKDF2, Scrypt, HKDF From OpenSSL 3.0 the recommended way of performing key derivation is to use the EVP_KDF functions. If compatibility with OpenSSL 1.1.1 is required then a limited set of KDFs can be used via EVP_PKEY_derive. ]] -local NID_id_pbkdf2 = -1 -local NID_id_scrypt = -2 -local NID_tls1_prf = -3 -local NID_hkdf = -4 -if version_num >= 0x10002000 then - NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2") - assert(NID_id_pbkdf2 > 0) -end -if version_num >= 0x10100000 and not BORINGSSL then - NID_hkdf = C.OBJ_txt2nid("HKDF") - assert(NID_hkdf > 0) - NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF") - assert(NID_tls1_prf > 0) - -- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0 - NID_id_scrypt = C.OBJ_txt2nid("id-scrypt") - assert(NID_id_scrypt > 0) -end +local NID_id_pbkdf2 = C.OBJ_txt2nid("PBKDF2") +assert(NID_id_pbkdf2 > 0) + +local NID_hkdf = C.OBJ_txt2nid("HKDF") +assert(NID_hkdf > 0) + +local NID_tls1_prf = C.OBJ_txt2nid("TLS1-PRF") +assert(NID_tls1_prf > 0) +-- we use EVP_PBE_scrypt to do scrypt, so this is supported >= 1.1.0 +local NID_id_scrypt = C.OBJ_txt2nid("id-scrypt") +assert(NID_id_scrypt > 0) local _M = { HKDEF_MODE_EXTRACT_AND_EXPAND = kdf_macro.EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND, @@ -93,7 +85,7 @@ end local function check_hkdf_options(opt) local mode = opt.hkdf_mode - if not mode or version_num < 0x10101000 then + if not mode then mode = _M.HKDEF_MODE_EXTRACT_AND_EXPAND end @@ -184,11 +176,6 @@ function _M.derive(options) -- begin legacay low level routines local code if typ == NID_id_pbkdf2 then - -- make openssl 1.0.2 happy - if version_num < 0x10100000 and not options.pass then - options.pass = "" - pass_len = 0 - end -- https://www.openssl.org/docs/man1.1.0/man3/PKCS5_PBKDF2_HMAC.html local iter = options.pbkdf2_iter if iter < 1 then @@ -257,22 +244,18 @@ function _M.derive(options) return nil, format_error("kdf.derive: EVP_PKEY_CTX_add1_hkdf_info") end if options.hkdf_mode then - if version_num >= 0x10101000 then - if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then - return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode") - end - if options.hkdf_mode == _M.HKDEF_MODE_EXTRACT_ONLY then - local md_size = OPENSSL_3X and C.EVP_MD_get_size(md) or C.EVP_MD_size(md) - if options.outlen ~= md_size then - options.outlen = md_size - ngx.log(ngx.WARN, "hkdf_mode EXTRACT_ONLY outputs fixed length of ", md_size, - " key, ignoring options.outlen") - end - outlen[0] = md_size - buf = ctypes.uchar_array(md_size) + if kdf_macro.EVP_PKEY_CTX_set_hkdf_mode(ctx, options.hkdf_mode) ~= 1 then + return nil, format_error("kdf.derive: EVP_PKEY_CTX_set_hkdf_mode") + end + if options.hkdf_mode == _M.HKDEF_MODE_EXTRACT_ONLY then + local md_size = OPENSSL_3X and C.EVP_MD_get_size(md) or C.EVP_MD_size(md) + if options.outlen ~= md_size then + options.outlen = md_size + ngx.log(ngx.WARN, "hkdf_mode EXTRACT_ONLY outputs fixed length of ", md_size, + " key, ignoring options.outlen") end - else - ngx.log(ngx.WARN, "hkdf_mode is not effective in ", version_text) + outlen[0] = md_size + buf = ctypes.uchar_array(md_size) end end else diff --git a/lib/resty/openssl/pkcs12.lua b/lib/resty/openssl/pkcs12.lua index 222bce2d..05c9c5d0 100644 --- a/lib/resty/openssl/pkcs12.lua +++ b/lib/resty/openssl/pkcs12.lua @@ -5,15 +5,14 @@ local ffi_str = ffi.string require "resty.openssl.include.pkcs12" require "resty.openssl.include.bio" +require "resty.openssl.include.stack" local bio_util = require "resty.openssl.auxiliary.bio" local format_error = require("resty.openssl.err").format_error local pkey_lib = require "resty.openssl.pkey" local x509_lib = require "resty.openssl.x509" -local stack_macro = require "resty.openssl.include.stack" local stack_lib = require "resty.openssl.stack" local objects_lib = require "resty.openssl.objects" local ctx_lib = require "resty.openssl.ctx" -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X local stack_of_x509_new = stack_lib.new_of("X509") @@ -54,7 +53,7 @@ local function decode(p12, passphrase) end local cacerts - local n = stack_macro.OPENSSL_sk_num(stack) + local n = C.OPENSSL_sk_num(stack) if n > 0 then cacerts = {} local iter = stack_of_x509_iter({ ctx = stack }) @@ -123,23 +122,14 @@ local function encode(opts, passphrase, properties) -- stack lib handles gc x509stack = stack_of_x509_new() for _, c in ipairs(cacerts) do - if not OPENSSL_10 then - if C.X509_up_ref(c.ctx) ~= 1 then - return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed" - end + if C.X509_up_ref(c.ctx) ~= 1 then + return nil, "pkcs12.encode: failed to add cacerts: X509_up_ref failed" end local ok, err = stack_of_x509_add(x509stack, c.ctx) if not ok then return nil, "pkcs12.encode: failed to add cacerts: " .. err end end - if OPENSSL_10 then - -- OpenSSL 1.0.2 doesn't have X509_up_ref - -- shallow copy the stack, up_ref for each element - x509stack = C.X509_chain_up_ref(x509stack) - -- use the shallow gc - ffi_gc(x509stack, stack_macro.OPENSSL_sk_free) - end end end diff --git a/lib/resty/openssl/pkey.lua b/lib/resty/openssl/pkey.lua index dc0426fa..8dba4dd5 100644 --- a/lib/resty/openssl/pkey.lua +++ b/lib/resty/openssl/pkey.lua @@ -27,10 +27,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes" local ecdsa_util = require "resty.openssl.auxiliary.ecdsa" local format_error = require("resty.openssl.err").format_error -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER -local OPENSSL_111_OR_LATER = require("resty.openssl.version").OPENSSL_111_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL local ptr_of_uint = ctypes.ptr_of_uint local ptr_of_size_t = ctypes.ptr_of_size_t @@ -40,20 +37,11 @@ local null = ctypes.null local load_pem_args = { null, null, null } local load_der_args = { null } -local get_pkey_key -if OPENSSL_11_OR_LATER then - get_pkey_key = { - [evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end, - [evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end, - [evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end - } -else - get_pkey_key = { - [evp_macro.EVP_PKEY_RSA] = function(ctx) return ctx.pkey and ctx.pkey.rsa end, - [evp_macro.EVP_PKEY_EC] = function(ctx) return ctx.pkey and ctx.pkey.ec end, - [evp_macro.EVP_PKEY_DH] = function(ctx) return ctx.pkey and ctx.pkey.dh end, - } -end +local get_pkey_key = { + [evp_macro.EVP_PKEY_RSA] = function(ctx) return C.EVP_PKEY_get0_RSA(ctx) end, + [evp_macro.EVP_PKEY_EC] = function(ctx) return C.EVP_PKEY_get0_EC_KEY(ctx) end, + [evp_macro.EVP_PKEY_DH] = function(ctx) return C.EVP_PKEY_get0_DH(ctx) end +} local load_rsa_key_funcs @@ -212,17 +200,18 @@ local function generate_param(key_type, config) if nid == 0 then return nil, "unknown curve " .. curve end + if pkey_macro.EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0 then return nil, format_error("EVP_PKEY_CTX_ctrl: EC: curve_nid") end - if not BORINGSSL then - -- use the named-curve encoding for best backward-compatibilty - -- and for playing well with go:crypto/x509 - -- # define OPENSSL_EC_NAMED_CURVE 0x001 - if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then - return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc") - end + + -- use the named-curve encoding for best backward-compatibilty + -- and for playing well with go:crypto/x509 + -- # define OPENSSL_EC_NAMED_CURVE 0x001 + if pkey_macro.EVP_PKEY_CTX_set_ec_param_enc(pctx, 1) <= 0 then + return nil, format_error("EVP_PKEY_CTX_ctrl: EC: param_enc") end + elseif key_type == evp_macro.EVP_PKEY_DH then local bits = config.bits if not config.param and not bits then @@ -530,10 +519,6 @@ function _M:get_key_type() end function _M:get_default_digest_type() - if BORINGSSL then - return nil, "BoringSSL doesn't have default digest for pkey" - end - local nid = ptr_of_int() local code = C.EVP_PKEY_get_default_digest_nid(self.ctx, nid) if code == -2 then @@ -788,14 +773,6 @@ function _M:sign(digest, md_alg, padding, opts) end ret = ffi_str(self.buf, length[0]) elseif type(digest) == "string" then - if not OPENSSL_111_OR_LATER and not BORINGSSL then - -- we can still support earilier version with *Update and *Final - -- but we choose to not relying on the legacy interface for simplicity - return nil, "pkey:sign: new-style sign only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later" - elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then - return nil, "pkey:sign: BoringSSL doesn't provide default digest, md_alg must be specified" - end - local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestSignInit, md_alg, padding, opts) if err then return nil, err @@ -811,10 +788,6 @@ function _M:sign(digest, md_alg, padding, opts) end if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then - if not OPENSSL_11_OR_LATER then - return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later" - end - local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx) ret, err = ecdsa_util.sig_der2raw(ret, ec_key) @@ -833,10 +806,6 @@ function _M:verify(signature, digest, md_alg, padding, opts) local err if self.key_type == evp_macro.EVP_PKEY_EC and opts and opts.ecdsa_use_raw then - if not OPENSSL_11_OR_LATER then - return nil, "pkey:sign: opts.ecdsa_use_raw is only supported on OpenSSL 1.1.0 or later" - end - local ec_key = get_pkey_key[evp_macro.EVP_PKEY_EC](self.ctx) signature, err = ecdsa_util.sig_raw2der(signature, ec_key) @@ -849,14 +818,6 @@ function _M:verify(signature, digest, md_alg, padding, opts) if digest_lib.istype(digest) then code = C.EVP_VerifyFinal(digest.ctx, signature, #signature, self.ctx) elseif type(digest) == "string" then - if not OPENSSL_111_OR_LATER and not BORINGSSL then - -- we can still support earilier version with *Update and *Final - -- but we choose to not relying on the legacy interface for simplicity - return nil, "pkey:verify: new-style verify only available in OpenSSL 1.1.1 (or BoringSSL 1.1.0) or later" - elseif BORINGSSL and not md_alg and not self.key_type_is_ecx then - return nil, "pkey:verify: BoringSSL doesn't provide default digest, md_alg must be specified" - end - local md_ctx, err = sign_verify_prepare(self, C.EVP_DigestVerifyInit, md_alg, padding, opts) if err then return nil, err diff --git a/lib/resty/openssl/rsa.lua b/lib/resty/openssl/rsa.lua index f3af3943..98773989 100644 --- a/lib/resty/openssl/rsa.lua +++ b/lib/resty/openssl/rsa.lua @@ -2,9 +2,6 @@ local ffi = require "ffi" local C = ffi.C local bn_lib = require "resty.openssl.bn" - -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local format_error = require("resty.openssl.err").format_error local _M = {} @@ -18,51 +15,29 @@ function _M.get_parameters(rsa_st) return setmetatable(empty_table, { __index = function(_, k) local ptr, ret - if OPENSSL_11_OR_LATER then - ptr = bn_ptrptr_ct() - end + ptr = bn_ptrptr_ct() if k == 'n' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_key(rsa_st, ptr, nil, nil) - end + C.RSA_get0_key(rsa_st, ptr, nil, nil) elseif k == 'e' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_key(rsa_st, nil, ptr, nil) - end + C.RSA_get0_key(rsa_st, nil, ptr, nil) elseif k == 'd' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_key(rsa_st, nil, nil, ptr) - end + C.RSA_get0_key(rsa_st, nil, nil, ptr) elseif k == 'p' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_factors(rsa_st, ptr, nil) - end + C.RSA_get0_factors(rsa_st, ptr, nil) elseif k == 'q' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_factors(rsa_st, nil, ptr) - end + C.RSA_get0_factors(rsa_st, nil, ptr) elseif k == 'dmp1' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_crt_params(rsa_st, ptr, nil, nil) - end + C.RSA_get0_crt_params(rsa_st, ptr, nil, nil) elseif k == 'dmq1' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_crt_params(rsa_st, nil, ptr, nil) - end + C.RSA_get0_crt_params(rsa_st, nil, ptr, nil) elseif k == 'iqmp' then - if OPENSSL_11_OR_LATER then - C.RSA_get0_crt_params(rsa_st, nil, nil, ptr) - end + C.RSA_get0_crt_params(rsa_st, nil, nil, ptr) else return nil, "rsa.get_parameters: unknown parameter \"" .. k .. "\" for RSA key" end - if OPENSSL_11_OR_LATER then - ret = ptr[0] - elseif OPENSSL_10 then - ret = rsa_st[k] - end + ret = ptr[0] if ret == nil then return nil @@ -91,21 +66,24 @@ function _M.set_parameters(rsa_st, opts) local cleanup_from_idx = 1 -- dup input local do_set_key, do_set_factors, do_set_crt_params - for k, v in pairs(opts) do - opts_bn[k], err = dup_bn_value(v) - if err then - err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err - goto cleanup_with_error - end - if k == "n" or k == "e" or k == "d" then - do_set_key = true - elseif k == "p" or k == "q" then - do_set_factors = true - elseif k == "dmp1" or k == "dmq1" or k == "iqmp" then - do_set_crt_params = true + + while true do -- luacheck: ignore + for k, v in pairs(opts) do + opts_bn[k], err = dup_bn_value(v) + if err then + -- luacheck: ignore + err = "rsa.set_parameters: cannot process parameter \"" .. k .. "\":" .. err + break + end + if k == "n" or k == "e" or k == "d" then + do_set_key = true + elseif k == "p" or k == "q" then + do_set_factors = true + elseif k == "dmp1" or k == "dmq1" or k == "iqmp" then + do_set_crt_params = true + end end - end - if OPENSSL_11_OR_LATER then + -- "The values n and e must be non-NULL the first time this function is called on a given RSA object." -- thus we force to set them together local code @@ -113,37 +91,31 @@ function _M.set_parameters(rsa_st, opts) code = C.RSA_set0_key(rsa_st, opts_bn["n"], opts_bn["e"], opts_bn["d"]) if code == 0 then err = format_error("rsa.set_parameters: RSA_set0_key") - goto cleanup_with_error + break end end + cleanup_from_idx = cleanup_from_idx + 3 if do_set_factors then code = C.RSA_set0_factors(rsa_st, opts_bn["p"], opts_bn["q"]) if code == 0 then err = format_error("rsa.set_parameters: RSA_set0_factors") - goto cleanup_with_error + break end end + cleanup_from_idx = cleanup_from_idx + 2 if do_set_crt_params then code = C.RSA_set0_crt_params(rsa_st, opts_bn["dmp1"], opts_bn["dmq1"], opts_bn["iqmp"]) if code == 0 then err = format_error("rsa.set_parameters: RSA_set0_crt_params") - goto cleanup_with_error + break end end - return true - elseif OPENSSL_10 then - for k, v in pairs(opts_bn) do - if rsa_st[k] ~= nil then - C.BN_free(rsa_st[k]) - end - rsa_st[k]= v - end + return true end -::cleanup_with_error:: for i, k in pairs(_M.params) do if i >= cleanup_from_idx then C.BN_free(opts_bn[k]) diff --git a/lib/resty/openssl/ssl.lua b/lib/resty/openssl/ssl.lua index d3eee907..2dcfcc7d 100644 --- a/lib/resty/openssl/ssl.lua +++ b/lib/resty/openssl/ssl.lua @@ -10,7 +10,6 @@ local x509_lib = require("resty.openssl.x509") local chain_lib = require("resty.openssl.x509.chain") local stack_lib = require("resty.openssl.stack") local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10 local format_error = require("resty.openssl.err").format_error local _M = { @@ -265,22 +264,13 @@ function _M:set_options(...) bitmask = bit.bor(bitmask, opt) end - if OPENSSL_10 then - bitmask = C.SSL_ctrl(self.ctx, 32, bitmask, nil) -- SSL_CTRL_OPTIONS - else - bitmask = C.SSL_set_options(self.ctx, bitmask) - end + bitmask = C.SSL_set_options(self.ctx, bitmask) return tonumber(bitmask) end function _M:get_options(readable) - local bitmask - if OPENSSL_10 then - bitmask = C.SSL_ctrl(self.ctx, 32, 0, nil) -- SSL_CTRL_OPTIONS - else - bitmask = C.SSL_get_options(self.ctx) - end + local bitmask = C.SSL_get_options(self.ctx) if not readable then return tonumber(bitmask) @@ -303,11 +293,7 @@ function _M:clear_options(...) bitmask = bit.bor(bitmask, opt) end - if OPENSSL_10 then - bitmask = C.SSL_ctrl(self.ctx, 77, bitmask, nil) -- SSL_CTRL_CLEAR_OPTIONS - else - bitmask = C.SSL_clear_options(self.ctx, bitmask) - end + bitmask = C.SSL_clear_options(self.ctx, bitmask) return tonumber(bitmask) end @@ -336,18 +322,10 @@ function _M:set_protocols(...) end -- first disable all protocols - if OPENSSL_10 then - C.SSL_ctrl(self.ctx, 32, ops.SSL_OP_NO_SSL_MASK, nil) -- SSL_CTRL_OPTIONS - else - C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK) - end + C.SSL_set_options(self.ctx, ops.SSL_OP_NO_SSL_MASK) -- then enable selected protocols - if OPENSSL_10 then - return tonumber(C.SSL_clear_options(self.ctx, bitmask)) - else - return tonumber(C.SSL_ctrl(self.ctx, 77, bitmask, nil)) -- SSL_CTRL_CLEAR_OPTIONS) - end + return tonumber(C.SSL_clear_options(self.ctx, bitmask)) end return _M \ No newline at end of file diff --git a/lib/resty/openssl/stack.lua b/lib/resty/openssl/stack.lua index 9bdc3772..b4570e6f 100644 --- a/lib/resty/openssl/stack.lua +++ b/lib/resty/openssl/stack.lua @@ -10,7 +10,7 @@ local C = ffi.C local ffi_cast = ffi.cast local ffi_gc = ffi.gc -local stack_macro = require "resty.openssl.include.stack" +require "resty.openssl.include.stack" local format_error = require("resty.openssl.err").format_error local _M = {} @@ -18,7 +18,7 @@ local _M = {} local function gc_of(typ) local f = C[typ .. "_free"] return function (st) - stack_macro.OPENSSL_sk_pop_free(st, f) + C.OPENSSL_sk_pop_free(st, f) end end @@ -35,7 +35,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc) -- starts from 0 local function value_at(ctx, i) - local elem = stack_macro.OPENSSL_sk_value(ctx, i) + local elem = C.OPENSSL_sk_value(ctx, i) if elem == nil then error(format_error("OPENSSL_sk_value")) end @@ -49,7 +49,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc) local function iter(tbl) if not tbl then error("instance is nil") end local i = 0 - local n = tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx)) + local n = tonumber(C.OPENSSL_sk_num(tbl.ctx)) return function() i = i + 1 if i <= n then @@ -63,7 +63,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc) __ipairs = iter, __len = function(tbl) if not tbl then error("instance is nil") end - return tonumber(stack_macro.OPENSSL_sk_num(tbl.ctx)) + return tonumber(C.OPENSSL_sk_num(tbl.ctx)) end, __index = function(tbl, k) if not tbl then error("instance is nil") end @@ -71,7 +71,7 @@ _M.mt_of = function(typ, convert, index_tbl, no_gc) if not i then return index_tbl[k] end - local n = stack_macro.OPENSSL_sk_num(tbl.ctx) + local n = C.OPENSSL_sk_num(tbl.ctx) if i <= 0 or i > n then return nil end @@ -88,7 +88,7 @@ end _M.new_of = function(typ) local gc = gc_of(typ) return function() - local raw = stack_macro.OPENSSL_sk_new_null() + local raw = C.OPENSSL_sk_new_null() if raw == nil then return nil, "stack.new_of: OPENSSL_sk_new_null() failed" end @@ -104,7 +104,7 @@ _M.add_of = function(typ) if ctx == nil or not ffi.istype(ptr, ctx) then return false, "stack.add_of: expect a " .. typ .. "* at #1" end - local code = stack_macro.OPENSSL_sk_push(stack, ctx) + local code = C.OPENSSL_sk_push(stack, ctx) if code == 0 then return false, "stack.add_of: OPENSSL_sk_push() failed" end @@ -118,13 +118,13 @@ _M.dup_of = function(_) if ctx == nil or not ffi.istype(stack_ptr_ct, ctx) then return nil, "stack.dup_of: expect a stack ctx at #1" end - local ctx = stack_macro.OPENSSL_sk_dup(ctx) + local ctx = C.OPENSSL_sk_dup(ctx) if ctx == nil then return nil, "stack.dup_of: OPENSSL_sk_dup() failed" end -- if the stack is duplicated: since we don't copy the elements -- then we only control gc of the stack itself here - ffi_gc(ctx, stack_macro.OPENSSL_sk_free) + ffi_gc(ctx, C.OPENSSL_sk_free) return ctx end end @@ -152,7 +152,7 @@ _M.deep_copy_of = function(typ) local free = C[typ .. "_free"] return function(ctx) - return stack_macro.OPENSSL_sk_deep_copy(ctx, dup, free) + return C.OPENSSL_sk_deep_copy(ctx, dup, free) end end diff --git a/lib/resty/openssl/version.lua b/lib/resty/openssl/version.lua index 0ed731a5..b13777d6 100644 --- a/lib/resty/openssl/version.lua +++ b/lib/resty/openssl/version.lua @@ -12,8 +12,6 @@ ffi.cdef[[ const char *OpenSSL_version(int t); // >= 3.0 const char *OPENSSL_info(int t); - // BoringSSL - int BORINGSSL_self_test(void); ]] local version_func, info_func @@ -88,12 +86,6 @@ else end end -local BORINGSSL = false -pcall(function() - local _ = C.BORINGSSL_self_test - BORINGSSL = true -end) - return setmetatable({ version_num = tonumber(version_num), version_text = ffi_str(version_func(0)), @@ -105,14 +97,7 @@ return setmetatable({ end, -- the following has implict upper bound of 4.x OPENSSL_3X = version_num >= 0x30000000 and version_num < 0x40000000, - OPENSSL_30 = version_num >= 0x30000000 and version_num < 0x30100000, -- for backward compat, deprecated - OPENSSL_11 = version_num >= 0x10100000 and version_num < 0x10200000, OPENSSL_111 = version_num >= 0x10101000 and version_num < 0x10200000, - OPENSSL_11_OR_LATER = version_num >= 0x10100000 and version_num < 0x40000000, - OPENSSL_111_OR_LATER = version_num >= 0x10101000 and version_num < 0x40000000, - OPENSSL_10 = version_num < 0x10100000 and version_num > 0x10000000, - BORINGSSL = BORINGSSL, - BORINGSSL_110 = BORINGSSL and version_num >= 0x10100000 and version_num < 0x10101000 }, { __index = types_table, }) diff --git a/lib/resty/openssl/x509/crl.lua b/lib/resty/openssl/x509/crl.lua index 3ee45019..b4ab264f 100644 --- a/lib/resty/openssl/x509/crl.lua +++ b/lib/resty/openssl/x509/crl.lua @@ -18,65 +18,21 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs local format_error = require("resty.openssl.err").format_error local version = require("resty.openssl.version") -local OPENSSL_10 = version.OPENSSL_10 -local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER local OPENSSL_3X = version.OPENSSL_3X -local BORINGSSL = version.BORINGSSL -local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808 local accessors = {} accessors.set_issuer_name = C.X509_CRL_set_issuer_name accessors.set_version = C.X509_CRL_set_version - -if OPENSSL_11_OR_LATER and not BORINGSSL_110 then - accessors.get_last_update = C.X509_CRL_get0_lastUpdate - accessors.set_last_update = C.X509_CRL_set1_lastUpdate - accessors.get_next_update = C.X509_CRL_get0_nextUpdate - accessors.set_next_update = C.X509_CRL_set1_nextUpdate - accessors.get_version = C.X509_CRL_get_version - accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr - accessors.get_signature_nid = C.X509_CRL_get_signature_nid - -- BORINGSSL_110 exports X509_CRL_get_signature_nid, but just ignored for simplicity - accessors.get_revoked = C.X509_CRL_get_REVOKED -elseif OPENSSL_10 or BORINGSSL_110 then - accessors.get_last_update = function(crl) - if crl == nil or crl.crl == nil then - return nil - end - return crl.crl.lastUpdate - end - accessors.set_last_update = C.X509_CRL_set_lastUpdate - accessors.get_next_update = function(crl) - if crl == nil or crl.crl == nil then - return nil - end - return crl.crl.nextUpdate - end - accessors.set_next_update = C.X509_CRL_set_nextUpdate - accessors.get_version = function(crl) - if crl == nil or crl.crl == nil then - return nil - end - return C.ASN1_INTEGER_get(crl.crl.version) - end - accessors.get_issuer_name = function(crl) - if crl == nil or crl.crl == nil then - return nil - end - return crl.crl.issuer - end - accessors.get_signature_nid = function(crl) - if crl == nil or crl.crl == nil or crl.crl.sig_alg == nil then - return nil - end - return C.OBJ_obj2nid(crl.crl.sig_alg.algorithm) - end - accessors.get_revoked = function(crl) - return crl.crl.revoked - end -end +accessors.get_last_update = C.X509_CRL_get0_lastUpdate +accessors.set_last_update = C.X509_CRL_set1_lastUpdate +accessors.get_next_update = C.X509_CRL_get0_nextUpdate +accessors.set_next_update = C.X509_CRL_set1_nextUpdate +accessors.get_version = C.X509_CRL_get_version +accessors.get_issuer_name = C.X509_CRL_get_issuer -- returns internal ptr +accessors.get_signature_nid = C.X509_CRL_get_signature_nid +accessors.get_revoked = C.X509_CRL_get_REVOKED local function __tostring(self, fmt) if not fmt or fmt == 'PEM' then @@ -183,10 +139,6 @@ function _M:text() end local function revoked_decode(ctx) - if OPENSSL_10 then - error("x509.crl:revoked_decode: not supported on OpenSSL 1.0") - end - local ret = {} local serial = C.X509_REVOKED_get0_serialNumber(ctx) if serial ~= nil then @@ -330,8 +282,6 @@ function _M:sign(pkey, digest) return false, "x509.crl:sign: expect a digest instance to have algo member" end digest_algo = digest.algo - elseif BORINGSSL then - digest_algo = C.EVP_get_digestbyname('sha256') end -- returns size of signature if success @@ -404,19 +354,6 @@ function _M:get_extension(nid_txt, last_pos) return ext, pos+1 end -local X509_CRL_delete_ext -if OPENSSL_11_OR_LATER then - X509_CRL_delete_ext = C.X509_CRL_delete_ext -elseif OPENSSL_10 then - X509_CRL_delete_ext = function(ctx, pos) - return C.X509v3_delete_ext(ctx.crl.extensions, pos) - end -else - X509_CRL_delete_ext = function(...) - error("X509_CRL_delete_ext undefined") - end -end - -- AUTO GENERATED function _M:set_extension(extension, last_pos) if not extension_lib.istype(extension) then @@ -429,7 +366,7 @@ function _M:set_extension(extension, last_pos) local pos = C.X509_CRL_get_ext_by_NID(self.ctx, nid, last_pos) -- pos may be -1, which means not found, it's fine, we will add new one instead of replace - local removed = X509_CRL_delete_ext(self.ctx, pos) + local removed = C.X509_CRL_delete_ext(self.ctx, pos) C.X509_EXTENSION_free(removed) if C.X509_CRL_add_ext(self.ctx, extension.ctx, pos) == nil then diff --git a/lib/resty/openssl/x509/csr.lua b/lib/resty/openssl/x509/csr.lua index d7795a95..93263df0 100644 --- a/lib/resty/openssl/x509/csr.lua +++ b/lib/resty/openssl/x509/csr.lua @@ -7,7 +7,7 @@ require "resty.openssl.include.pem" require "resty.openssl.include.x509v3" require "resty.openssl.include.x509.csr" require "resty.openssl.include.asn1" -local stack_macro = require "resty.openssl.include.stack" +require "resty.openssl.include.stack" local stack_lib = require "resty.openssl.stack" local pkey_lib = require "resty.openssl.pkey" local digest_lib = require("resty.openssl.digest") @@ -20,11 +20,7 @@ local txtnid2nid = require("resty.openssl.objects").txtnid2nid local find_sigid_algs = require("resty.openssl.objects").find_sigid_algs local format_error = require("resty.openssl.err").format_error local version = require("resty.openssl.version") -local OPENSSL_10 = version.OPENSSL_10 -local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER local OPENSSL_3X = version.OPENSSL_3X -local BORINGSSL = version.BORINGSSL -local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808 local accessors = {} @@ -32,35 +28,9 @@ accessors.set_subject_name = C.X509_REQ_set_subject_name accessors.get_pubkey = C.X509_REQ_get_pubkey accessors.set_pubkey = C.X509_REQ_set_pubkey accessors.set_version = C.X509_REQ_set_version - -if OPENSSL_11_OR_LATER or BORINGSSL_110 then - accessors.get_signature_nid = C.X509_REQ_get_signature_nid -elseif OPENSSL_10 then - accessors.get_signature_nid = function(csr) - if csr == nil or csr.sig_alg == nil then - return nil - end - return C.OBJ_obj2nid(csr.sig_alg.algorithm) - end -end - -if OPENSSL_11_OR_LATER and not BORINGSSL_110 then - accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr - accessors.get_version = C.X509_REQ_get_version -elseif OPENSSL_10 or BORINGSSL_110 then - accessors.get_subject_name = function(csr) - if csr == nil or csr.req_info == nil then - return nil - end - return csr.req_info.subject - end - accessors.get_version = function(csr) - if csr == nil or csr.req_info == nil then - return nil - end - return C.ASN1_INTEGER_get(csr.req_info.version) - end -end +accessors.get_signature_nid = C.X509_REQ_get_signature_nid +accessors.get_subject_name = C.X509_REQ_get_subject_name -- returns internal ptr +accessors.get_version = C.X509_REQ_get_version local function __tostring(self, fmt) if not fmt or fmt == 'PEM' then @@ -226,7 +196,7 @@ local function modify_extension(replace, ctx, nid, toset, crit) -- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a -- introduces a change that a empty stack instead of NULL will be returned in no extension -- is found. so we need to double check the number if it's not NULL. - stack_macro.OPENSSL_sk_num(extensions_ptr[0]) > 0 + C.OPENSSL_sk_num(extensions_ptr[0]) > 0 local flag if replace then @@ -260,11 +230,7 @@ local function modify_extension(replace, ctx, nid, toset, crit) end -- mark encoded form as invalid so next time it will be re-encoded - if OPENSSL_11_OR_LATER then - C.i2d_re_X509_REQ_tbs(ctx, nil) - else - ctx.req_info.enc.modified = 1 - end + C.i2d_re_X509_REQ_tbs(ctx, nil) return true end @@ -339,8 +305,6 @@ function _M:sign(pkey, digest) return false, "x509.csr:sign: expect a digest instance to have algo member" end digest_algo = digest.algo - elseif BORINGSSL then - digest_algo = C.EVP_get_digestbyname('sha256') end -- returns size of signature if success diff --git a/lib/resty/openssl/x509/extension.lua b/lib/resty/openssl/x509/extension.lua index ca231588..f0bcd88e 100644 --- a/lib/resty/openssl/x509/extension.lua +++ b/lib/resty/openssl/x509/extension.lua @@ -16,7 +16,6 @@ local stack_lib = require("resty.openssl.stack") local bio_util = require "resty.openssl.auxiliary.bio" local format_error = require("resty.openssl.err").format_error local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL local _M = {} local mt = { __index = _M } @@ -34,22 +33,15 @@ if OPENSSL_3X then extension_types["issuer_pkey"] = "resty.openssl.pkey" end -local nconf_load -if BORINGSSL then - nconf_load = function() - return nil, "NCONF_load_bio not exported in BoringSSL" +local nconf_load = function(conf, str) + local bio = C.BIO_new_mem_buf(str, #str) + if bio == nil then + return format_error("BIO_new_mem_buf") end -else - nconf_load = function(conf, str) - local bio = C.BIO_new_mem_buf(str, #str) - if bio == nil then - return format_error("BIO_new_mem_buf") - end - ffi_gc(bio, C.BIO_free) + ffi_gc(bio, C.BIO_free) - if C.NCONF_load_bio(conf, bio, nil) ~= 1 then - return format_error("NCONF_load_bio") - end + if C.NCONF_load_bio(conf, bio, nil) ~= 1 then + return format_error("NCONF_load_bio") end end diff --git a/lib/resty/openssl/x509/init.lua b/lib/resty/openssl/x509/init.lua index 5c259c8d..77bebbce 100644 --- a/lib/resty/openssl/x509/init.lua +++ b/lib/resty/openssl/x509/init.lua @@ -8,7 +8,7 @@ require "resty.openssl.include.x509" require "resty.openssl.include.x509v3" require "resty.openssl.include.evp" require "resty.openssl.include.objects" -local stack_macro = require("resty.openssl.include.stack") +require "resty.openssl.include.stack" local stack_lib = require("resty.openssl.stack") local asn1_lib = require("resty.openssl.asn1") local digest_lib = require("resty.openssl.digest") @@ -21,11 +21,7 @@ local ctypes = require "resty.openssl.auxiliary.ctypes" local ctx_lib = require "resty.openssl.ctx" local format_error = require("resty.openssl.err").format_error local version = require("resty.openssl.version") -local OPENSSL_10 = version.OPENSSL_10 -local OPENSSL_11_OR_LATER = version.OPENSSL_11_OR_LATER local OPENSSL_3X = version.OPENSSL_3X -local BORINGSSL = version.BORINGSSL -local BORINGSSL_110 = version.BORINGSSL_110 -- used in boringssl-fips-20190808 -- accessors provides an openssl version neutral interface to lua layer -- it doesn't handle any error, expect that to be implemented in @@ -48,49 +44,12 @@ accessors.get_signature_nid = C.X509_get_signature_nid -- parent struct is freed. -- otherwise, use get0, which returns an internal pointer, we don't need to free it up. -- it will be gone together with the parent struct. - -if BORINGSSL_110 then - accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number - accessors.set_not_before = C.X509_set_notBefore - accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number - accessors.set_not_after = C.X509_set_notAfter - accessors.get_version = function(x509) - if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then - return nil - end - return C.ASN1_INTEGER_get(x509.cert_info.version) - end - accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn -elseif OPENSSL_11_OR_LATER then - accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number - accessors.set_not_before = C.X509_set1_notBefore - accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number - accessors.set_not_after = C.X509_set1_notAfter - accessors.get_version = C.X509_get_version -- returns int - accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn -elseif OPENSSL_10 then - accessors.get_not_before = function(x509) - if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then - return nil - end - return x509.cert_info.validity.notBefore - end - accessors.set_not_before = C.X509_set_notBefore - accessors.get_not_after = function(x509) - if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then - return nil - end - return x509.cert_info.validity.notAfter - end - accessors.set_not_after = C.X509_set_notAfter - accessors.get_version = function(x509) - if x509 == nil or x509.cert_info == nil or x509.cert_info.validity == nil then - return nil - end - return C.ASN1_INTEGER_get(x509.cert_info.version) - end - accessors.get_serial_number = C.X509_get_serialNumber -- returns internal ptr, we convert to bn -end +accessors.get_not_before = C.X509_get0_notBefore -- returns internal ptr, we convert to number +accessors.set_not_before = C.X509_set1_notBefore +accessors.get_not_after = C.X509_get0_notAfter -- returns internal ptr, we convert to number +accessors.set_not_after = C.X509_set1_notAfter +accessors.get_version = C.X509_get_version -- returns int +accessors.get_serial_number = C.X509_get0_serialNumber -- returns internal ptr, we convert to bn local function __tostring(self, fmt) if not fmt or fmt == 'PEM' then @@ -241,7 +200,7 @@ end -- note: index is 0 based local OPENSSL_STRING_value_at = function(ctx, i) - local ct = ffi_cast("OPENSSL_STRING", stack_macro.OPENSSL_sk_value(ctx, i)) + local ct = ffi_cast("OPENSSL_STRING", C.OPENSSL_sk_value(ctx, i)) if ct == nil then return nil end @@ -251,7 +210,7 @@ end function _M:get_ocsp_url(return_all) local st = C.X509_get1_ocsp(self.ctx) - local count = stack_macro.OPENSSL_sk_num(st) + local count = C.OPENSSL_sk_num(st) if count == 0 then return end @@ -324,17 +283,11 @@ local digest_length = ctypes.ptr_of_uint() local digest_buf, digest_buf_size local function digest(self, cfunc, typ, properties) -- TODO: dedup the following with resty.openssl.digest - local ctx - if OPENSSL_11_OR_LATER then - ctx = C.EVP_MD_CTX_new() - ffi_gc(ctx, C.EVP_MD_CTX_free) - elseif OPENSSL_10 then - ctx = C.EVP_MD_CTX_create() - ffi_gc(ctx, C.EVP_MD_CTX_destroy) - end + local ctx = C.EVP_MD_CTX_new() if ctx == nil then return nil, "x509:digest: failed to create EVP_MD_CTX" end + ffi_gc(ctx, C.EVP_MD_CTX_free) local algo if OPENSSL_3X then @@ -398,8 +351,6 @@ function _M:sign(pkey, digest) return false, "x509:sign: expect a digest instance to have algo member" end digest_algo = digest.algo - elseif BORINGSSL then - digest_algo = C.EVP_get_digestbyname('sha256') end -- returns size of signature if success @@ -472,19 +423,6 @@ function _M:get_extension(nid_txt, last_pos) return ext, pos+1 end -local X509_delete_ext -if OPENSSL_11_OR_LATER then - X509_delete_ext = C.X509_delete_ext -elseif OPENSSL_10 then - X509_delete_ext = function(ctx, pos) - return C.X509v3_delete_ext(ctx.cert_info.extensions, pos) - end -else - X509_delete_ext = function(...) - error("X509_delete_ext undefined") - end -end - -- AUTO GENERATED function _M:set_extension(extension, last_pos) if not extension_lib.istype(extension) then @@ -497,7 +435,7 @@ function _M:set_extension(extension, last_pos) local pos = C.X509_get_ext_by_NID(self.ctx, nid, last_pos) -- pos may be -1, which means not found, it's fine, we will add new one instead of replace - local removed = X509_delete_ext(self.ctx, pos) + local removed = C.X509_delete_ext(self.ctx, pos) C.X509_EXTENSION_free(removed) if C.X509_add_ext(self.ctx, extension.ctx, pos) == nil then diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua index 3a0bffb3..6161a741 100644 --- a/lib/resty/openssl/x509/store.lua +++ b/lib/resty/openssl/x509/store.lua @@ -11,9 +11,7 @@ local crl_lib = require "resty.openssl.x509.crl" local ctx_lib = require "resty.openssl.ctx" local format_all_error = require("resty.openssl.err").format_all_error local format_error = require("resty.openssl.err").format_error -local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X -local BORINGSSL = require("resty.openssl.version").BORINGSSL local _M = {} local mt = { __index = _M } @@ -218,7 +216,7 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags) if not return_chain then return true, nil end - local ret_chain_ctx = x509_vfy_macro.X509_STORE_CTX_get0_chain(ctx) + local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx) return chain_lib.dup(ret_chain_ctx) elseif code == 0 then -- unverified local vfy_code = C.X509_STORE_CTX_get_error(ctx) @@ -232,14 +230,6 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags) end function _M:check_revocation(verified_chain, properties) - if BORINGSSL then - return nil, "x509.store:check_revocation: this API is not supported in BoringSSL" - end - - if not OPENSSL_11_OR_LATER then - return nil, "x509.store:check_revocation: this API is supported from OpenSSL 1.1.0" - end - if not verified_chain or not chain_lib.istype(verified_chain) then return nil, "x509.store:check_revocation: expect a x509.chain instance at #1" end diff --git a/scripts/templates/x509_functions.j2 b/scripts/templates/x509_functions.j2 index 4f2fee3e..dace9cd8 100644 --- a/scripts/templates/x509_functions.j2 +++ b/scripts/templates/x509_functions.j2 @@ -13,8 +13,6 @@ function _M:sign(pkey, digest) return false, "{{modname}}:sign: expect a digest instance to have algo member" end digest_algo = digest.algo - elseif BORINGSSL then - digest_algo = C.EVP_get_digestbyname('sha256') end -- returns size of signature if success @@ -89,19 +87,6 @@ function _M:get_extension(nid_txt, last_pos) return ext, pos+1 end -local {{ module.type }}_delete_ext -if OPENSSL_11_OR_LATER then - {{ module.type }}_delete_ext = C.{{ module.type }}_delete_ext -elseif OPENSSL_10 then - {{ module.type }}_delete_ext = function(ctx, pos) - return C.X509v3_delete_ext(ctx.{{ module.extensions_in_struct }}, pos) - end -else - {{ module.type }}_delete_ext = function(...) - error("{{ module.type }}_delete_ext undefined") - end -end - -- AUTO GENERATED function _M:set_extension(extension, last_pos) if not extension_lib.istype(extension) then @@ -114,7 +99,7 @@ function _M:set_extension(extension, last_pos) local pos = C.{{ module.type }}_get_ext_by_NID(self.ctx, nid, last_pos) -- pos may be -1, which means not found, it's fine, we will add new one instead of replace - local removed = {{ module.type }}_delete_ext(self.ctx, pos) + local removed = C.{{ module.type }}_delete_ext(self.ctx, pos) C.X509_EXTENSION_free(removed) if C.{{ module.type }}_add_ext(self.ctx, extension.ctx, pos) == nil then diff --git a/t/fips.t b/t/fips.t index 29c61de3..0e361f4e 100644 --- a/t/fips.t +++ b/t/fips.t @@ -35,14 +35,6 @@ __DATA__ ngx.exit(200) end local openssl = require("resty.openssl") - if require("resty.openssl.version").BORINGSSL then - if openssl.get_fips_mode() then - ngx.say("false\ntrue\nfalse") - else - ngx.say("BORINGSSL should have fips turned on but actually not") - end - ngx.exit(200) - end ngx.say(openssl.get_fips_mode()) myassert(openssl.set_fips_mode(true)) ngx.say(openssl.get_fips_mode()) @@ -90,8 +82,7 @@ fips --- config location =/t { content_by_lua_block { - -- BORINGSSL doesn't seem to remove non-fips compliant algorithms? - if not _G.fips or require("resty.openssl.version").BORINGSSL then + if not _G.fips then ngx.say("true\ntrue") ngx.say("invalid cipher type \"chacha20\": unsupported") ngx.say("invalid digest type \"md5\": unsupported") diff --git a/t/fixtures/boringssl_fips.patch b/t/fixtures/boringssl_fips.patch deleted file mode 100644 index 37247dc2..00000000 --- a/t/fixtures/boringssl_fips.patch +++ /dev/null @@ -1,18 +0,0 @@ -# Fix FIPS build (from BoringSSL commit 4ca15d5dcbe6e8051a4654df7c971ea8307abfe0). -# -# The modulewrapper is not a part of the FIPS module, so it can be patched without -# concern about breaking the FIPS validation. ---- boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc -+++ boringssl/util/fipstools/acvp/modulewrapper/modulewrapper.cc -@@ -12,9 +12,11 @@ - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -+#include - #include - - #include -+#include - #include - #include - #include diff --git a/t/openssl.t b/t/openssl.t index 554f80b8..978f61af 100644 --- a/t/openssl.t +++ b/t/openssl.t @@ -69,14 +69,9 @@ false --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL then - ngx.say("[\"AES\"]") - ngx.say("[\"AES-256-GCM @ default\"]") - ngx.exit(0) - end local openssl = require("resty.openssl") ngx.say(require("cjson").encode(openssl.list_cipher_algorithms())) + local version = require("resty.openssl.version") if not version.OPENSSL_3X then ngx.say("[\"AES-256-GCM @ default\"]") ngx.exit(0) @@ -97,14 +92,9 @@ false --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL then - ngx.say("[\"SHA\"]") - ngx.say("[\"SHA2-256 @ default\"]") - ngx.exit(0) - end local openssl = require("resty.openssl") ngx.say(require("cjson").encode(openssl.list_digest_algorithms())) + local version = require("resty.openssl.version") if not version.OPENSSL_3X then ngx.say("[\"SHA2-256 @ default\"]") ngx.exit(0) @@ -167,15 +157,6 @@ false --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.OPENSSL_10 or (version.OPENSSL_11 and not version.OPENSSL_111) then - ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA") - ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA") - ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA") - ngx.say("ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA") - ngx.exit(0) - end - local version = require("resty.openssl.version") local openssl = require("resty.openssl") ngx.say(openssl.list_ssl_ciphers()) ngx.say(openssl.list_ssl_ciphers("ECDHE-ECDSA-AES128-SHA")) diff --git a/t/openssl/aux/jwk.t b/t/openssl/aux/jwk.t index efc8e587..63346fe5 100644 --- a/t/openssl/aux/jwk.t +++ b/t/openssl/aux/jwk.t @@ -177,10 +177,6 @@ true --- config location =/t { content_by_lua_block { - if not require("resty.openssl.version").OPENSSL_111_OR_LATER then - ngx.say('pkey.new:load_key: failed to construct OKP key from JWK: at least "x" or "d" parameter is required') - ngx.exit(0) - end local jwk = require("cjson").encode({ kty = "OKP", crv = "Ed25519", diff --git a/t/openssl/bn.t b/t/openssl/bn.t index 1a36f9fd..9a1dc369 100644 --- a/t/openssl/bn.t +++ b/t/openssl/bn.t @@ -122,10 +122,6 @@ bn:to_binary failed end ngx.print(ngx.encode_base64(b)) - if not require("resty.openssl.version").OPENSSL_11_OR_LATER then - ngx.print("AAAAAAAAAABbJQ=="); ngx.exit(0) - end - local b, err = bn:to_binary(10) if err then ngx.log(ngx.ERR, err) diff --git a/t/openssl/helper.lua b/t/openssl/helper.lua index f59cad03..42e1ef28 100644 --- a/t/openssl/helper.lua +++ b/t/openssl/helper.lua @@ -4,7 +4,6 @@ local name = require "resty.openssl.x509.name" local extension = require "resty.openssl.x509.extension" local bn = require "resty.openssl.bn" local digest = require "resty.openssl.digest" -local BORINGSSL = require "resty.openssl.version".BORINGSSL local OPENSSL_3X = require "resty.openssl.version".OPENSSL_3X local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_name) @@ -41,10 +40,7 @@ local function create_self_signed(key_opts, names, is_ca, signing_key, issuing_n })))) end - local dgst - if BORINGSSL then - dgst = digest.new("SHA256") - end + local dgst = digest.new("SHA256") assert(cert:sign(signing_key or key, dgst)) return cert, key diff --git a/t/openssl/kdf.t b/t/openssl/kdf.t index 1abb65be..51676834 100644 --- a/t/openssl/kdf.t +++ b/t/openssl/kdf.t @@ -119,11 +119,6 @@ kdf.derive: unknown type 19823718236128632 --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then - ngx.print("aqRd+gO5Ok3YneDEormTcg==") - ngx.exit(0) - end local kdf = require("resty.openssl.kdf") local key = myassert(kdf.derive({ type = kdf.HKDF, @@ -151,13 +146,6 @@ kdf.derive: unknown type 19823718236128632 --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then - ngx.say("aggdq4eoqRiP0Z3GbpxCjg==") - ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=") - ngx.exit(0) - end - local version_num = version.version_num local kdf = require("resty.openssl.kdf") local key = myassert(kdf.derive({ type = kdf.HKDF, @@ -169,10 +157,6 @@ kdf.derive: unknown type 19823718236128632 ngx.say(ngx.encode_base64(key)) - if not version.OPENSSL_111_or_LATER then - ngx.say("W/tSxFnNsHIYwXa13eybYhW9W3Y=") - ngx.exit(0) - end local key = myassert(kdf.derive({ type = kdf.HKDF, outlen = 16, @@ -199,11 +183,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y= --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then - ngx.print("0xr8qthU+ypv2xRC90la8g==") - ngx.exit(0) - end local kdf = require("resty.openssl.kdf") local key = myassert(kdf.derive({ type = kdf.TLS1_PRF, @@ -229,11 +208,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y= --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then - ngx.print("XVVDK9/puTqBOsyTKt8PKQ==") - ngx.exit(0) - end local kdf = require("resty.openssl.kdf") local key = myassert(kdf.derive({ type = kdf.TLS1_PRF, @@ -258,11 +232,6 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y= --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_11_OR_LATER then - ngx.print("9giFtxace5sESmRb8qxuOw==") - ngx.exit(0) - end local kdf = require("resty.openssl.kdf") local key = myassert(kdf.derive({ type = kdf.SCRYPT, @@ -292,6 +261,7 @@ W/tSxFnNsHIYwXa13eybYhW9W3Y= ngx.say('mac.new: invalid mac type "UNKNOWNKDF": blah') ngx.exit(0) end + local kdf = require("resty.openssl.kdf") myassert(kdf.new("PBKDF2")) local ok, err = kdf.new("UNKNOWNKDF") diff --git a/t/openssl/pkcs12.t b/t/openssl/pkcs12.t index 8afba27e..4acedef5 100644 --- a/t/openssl/pkcs12.t +++ b/t/openssl/pkcs12.t @@ -227,11 +227,6 @@ pkcs12.decode.+(mac verify failure|INCORRECT_PASSWORD) --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("2333") - ngx.exit(0) - end - -- don't load the legacy provider for this test -- by default nid_key is RC2 and is moved to legacy provider in 3.0 diff --git a/t/openssl/pkey.t b/t/openssl/pkey.t index 76cf9078..5c425b8d 100644 --- a/t/openssl/pkey.t +++ b/t/openssl/pkey.t @@ -94,9 +94,6 @@ true" --- config location =/t { content_by_lua_block { - if not require("resty.openssl.version").OPENSSL_111_OR_LATER then - ngx.say("-----BEGIN PRIVATE KEY-----\nyayaa\ntrue"); ngx.exit(0) - end local pkey = require("resty.openssl.pkey") local p = myassert(pkey.new({ type = 'Ed25519', @@ -120,11 +117,6 @@ true" --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if version.BORINGSSL or not version.OPENSSL_111_OR_LATER then - ngx.say("-----BEGIN PRIVATE KEY-----\nsad\ntrue") - ngx.exit(0) - end local pkey = require("resty.openssl.pkey") local p = myassert(pkey.new({ type = 'DH', @@ -150,10 +142,6 @@ true" --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("-----BEGIN PRIVATE KEY-----\nsad\ntrue") - ngx.exit(0) - end local pkey = require("resty.openssl.pkey") local p = myassert(pkey.new({ type = 'DH', @@ -405,11 +393,6 @@ nil --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER then - ngx.say("32\n32\nfake") - ngx.exit(0) - end local p = myassert(require("resty.openssl.pkey").new({ type = "Ed25519", })) @@ -434,12 +417,6 @@ nil --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371") - ngx.say("A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5") - ngx.say("1\n2") - ngx.exit(0) - end local p = myassert(require("resty.openssl.pkey").new({ type = "DH", group = "dh_1024_160", @@ -525,12 +502,6 @@ true --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER and not version.BORINGSSL then - ngx.say("64\ntrue\n256\ntrue") - ngx.exit(0) - end - -- pureeddsa local p = myassert(require("resty.openssl.pkey").new({ type = "Ed25519" @@ -542,20 +513,15 @@ true local v = myassert(p:verify(s, digest)) ngx.say(v) - local md - if version.BORINGSSL then - md = "SHA256" - end - -- uses default md type local p = myassert(require("resty.openssl.pkey").new({ type = "RSA" })) local digest = "23333" - local s = myassert(p:sign(digest, md)) + local s = myassert(p:sign(digest)) ngx.say(#s) - local v = myassert(p:verify(s, digest, md)) + local v = myassert(p:verify(s, digest)) ngx.say(v) } } @@ -602,16 +568,7 @@ pkey:verify: expect a string at #1 --- config location =/t { content_by_lua_block { - local version_num = require("resty.openssl.version").version_num - local BORINGSSL = require("resty.openssl.version").BORINGSSL - local expected = { 32, 32, 56 } for i, t in ipairs({"EC", "X25519", "X448"}) do - if (version_num < 0x10101000 and i == 3) or - (version_num < 0x10100000 and i == 2) or - (BORINGSSL and i > 2) then - ngx.say(expected[i]) - goto next - end local p = myassert(require("resty.openssl.pkey").new({ type = t, curve = t == "EC" and "prime256v1" or nil, @@ -680,12 +637,6 @@ true --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER or version.BORINGSSL then - ngx.say("true\ntrue\ntrue\ntrue") - ngx.exit(0) - end - local p = myassert(require("resty.openssl.pkey").new()) local pec = myassert(require("resty.openssl.pkey").new({ type = "EC", @@ -741,11 +692,6 @@ true --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("-----BEGIN DH PARAMETERS-----\nsad\n-----BEGIN EC PARAMETERS-----") - ngx.exit(0) - end - local pkey = require("resty.openssl.pkey") ngx.say(myassert(pkey.paramgen({ type = 'DH', @@ -773,14 +719,6 @@ true --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371") - ngx.say("A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5") - ngx.say(string.rep("1", 256)) - ngx.say(string.rep("1", 256)) - ngx.exit(0) - end - local p = myassert(require("resty.openssl.pkey").new({ type = "DH", group = "dh_1024_160", @@ -826,12 +764,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say("B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371") - ngx.say("415") - ngx.exit(0) - end - local pem = myassert(require("resty.openssl.pkey").paramgen({ type = "DH", group = "dh_1024_160", @@ -879,10 +811,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B { type = 'DH', group = "dh_1024_160",}, } for _, opt in ipairs(opts) do - if require("resty.openssl.version").BORINGSSL and opt.type == "DH" then - goto next_loop - end - local priv = myassert(require("resty.openssl.pkey").new(opt)) local ok, err = priv:is_private() @@ -898,7 +826,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B if ok then ngx.say(opt.type .. ": should not be a private key, but returns true: ".. (err or "nil")) end - ::next_loop:: end } } @@ -914,10 +841,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER then - ngx.exit(0) - end local opts = { { type = 'Ed25519'}, } @@ -952,11 +875,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER then - ngx.say("256\ntrue\nfalse\nfalse") - ngx.exit(0) - end -- uses default md type local p = myassert(require("resty.openssl.pkey").new({ type = "RSA" @@ -969,7 +887,6 @@ A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B ngx.say(ok) -- use wrong md type, should not pass - local md = version.BORINGSSL and "sha256" or nil local ok, e = p:verify(s, digest, "sha256") ngx.say(ok) local ok, e = p:verify(s, digest, "md5") @@ -992,13 +909,8 @@ false --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER then - ngx.say("256\ntrue\nfalse\nfalse") - ngx.exit(0) - end - -- uses default md type, boringssl must have md_alg - local md = version.BORINGSSL and "sha256" or nil + -- uses default md type + local p = myassert(require("resty.openssl.pkey").new({ type = "RSA" })) @@ -1010,9 +922,9 @@ false ngx.say(ok) -- use wrong padding scheme, should not pass - local ok, e = p:verify(s, digest, md) + local ok, e = p:verify(s, digest, nil) if ok ~= false then ngx.say(e) else ngx.say(ok) end - local ok, e = p:verify(s, digest, md, p.PADDINGS.RSA_PKCS1_PADDING) + local ok, e = p:verify(s, digest, nil, p.PADDINGS.RSA_PKCS1_PADDING) if ok ~= false then ngx.say(e) else ngx.say(ok) end } } @@ -1032,23 +944,16 @@ false --- config location =/t { content_by_lua_block { - local version = require("resty.openssl.version") - if not version.OPENSSL_111_OR_LATER then - ngx.say("256\ntrue") - ngx.exit(0) - end - -- uses default md type, boringssl must have md_alg - local md = version.BORINGSSL and "sha256" or nil local p = myassert(require("resty.openssl.pkey").new({ type = "RSA" })) local digest = "23333" - local s = myassert(p:sign(digest, md, p.PADDINGS.RSA_PKCS1_PSS_PADDING, { + local s = myassert(p:sign(digest, nil, p.PADDINGS.RSA_PKCS1_PSS_PADDING, { pss_saltlen = 64, })) ngx.say(#s) - local ok = myassert(p:verify(s, digest, md, p.PADDINGS.RSA_PKCS1_PSS_PADDING, { + local ok = myassert(p:verify(s, digest, nil, p.PADDINGS.RSA_PKCS1_PSS_PADDING, { pss_saltlen = 64, })) ngx.say(ok) @@ -1213,11 +1118,6 @@ default --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say('BROKEN sha256 BROKEN') - ngx.exit(0) - end - local pkey = require("resty.openssl.pkey") local p = myassert(pkey.new({ type = "EC" })) local algo = myassert(p:get_default_digest_type()) @@ -1284,12 +1184,6 @@ true --- config location =/t { content_by_lua_block { - if not require("resty.openssl.version").OPENSSL_11_OR_LATER then - ngx.say("64\ntrue\ntrue\ntruenil\nfalsenil") - ngx.say("nilpkey:sign: ecdsa.sig_raw2der: invalid signature length, expect 64 but got 72") - ngx.exit(0) - end - local opts = { ecdsa_use_raw = true } local p = myassert(require("resty.openssl.pkey").new({ type = "EC", @@ -1332,10 +1226,6 @@ nilpkey:sign: ecdsa.sig_raw2der: invalid signature length, expect 64 but got \\d --- config location =/t { content_by_lua_block { - if not require("resty.openssl.version").OPENSSL_11_OR_LATER then - ngx.say("132\n96\ntrue\ntrue") - ngx.exit(0) - end local opts = { ecdsa_use_raw = true } local p_521 = myassert(require("resty.openssl.pkey").new({ type = "EC", diff --git a/t/openssl/x509/crl.t b/t/openssl/x509/crl.t index ed61a333..c5c77442 100644 --- a/t/openssl/x509/crl.t +++ b/t/openssl/x509/crl.t @@ -200,11 +200,6 @@ __DATA__ --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").OPENSSL_10 then - ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\n2, 2") - ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n04D2, 1511122233") - ngx.exit(0) - end local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a") local c = myassert(require("resty.openssl.x509.crl").new(f)) local s = myassert(c:index(1)) @@ -239,11 +234,6 @@ __DATA__ --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").OPENSSL_10 then - ngx.say("09159859CAC0C90203BB34C5A012C2A3, 1577753344\n09159859CAC0C90203BB34C5A012C2A3, 1577753344\ntruetrue") - ngx.exit(0) - end - local f = io.open("t/fixtures/TrustAsiaEVTLSProCAG2.crl"):read("*a") local c = myassert(require("resty.openssl.x509.crl").new(f)) local s = myassert(c:get_by_serial("09159859CAC0C90203BB34C5A012C2A3")) diff --git a/t/openssl/x509/extension.t b/t/openssl/x509/extension.t index 71643227..a4e8c43c 100644 --- a/t/openssl/x509/extension.t +++ b/t/openssl/x509/extension.t @@ -293,22 +293,6 @@ DNS:test.com, DNS:test2.com --- config location =/t { content_by_lua_block { - if require("resty.openssl.version").BORINGSSL then - ngx.say([[ -{"id":"2.5.29.32","ln":"X509v3 Certificate Policies","nid":89,"sn":"certificatePolicies"} -Policy: 1.2.3.4 -Policy: 1.5.6.7.8 -Policy: 1.3.5.8 - CPS: http://my.host.name/ - CPS: http://my.your.name/ - User Notice: - Organization: Organisation Name - Numbers: 1, 2, 3, 4 - Explicit Text: Explicit Text Here - ]]) - ngx.exit(0) - end - local extension = require("resty.openssl.x509.extension") local c = myassert(extension.new("certificatePolicies", "ia5org,1.2.3.4,1.5.6.7.8,@polsect", [[ diff --git a/t/openssl/x509/store.t b/t/openssl/x509/store.t index 8f440cc6..16fd74c1 100644 --- a/t/openssl/x509/store.t +++ b/t/openssl/x509/store.t @@ -297,8 +297,6 @@ truenil -- in openssl < 1.1.0, depth are counted 1 more than later versions -- we set it to be one less than enough to be prune to that case myassert(s:set_depth(1)) - -- openssl 1.0.2 will emit "unable to get local issuer certificate" - -- instead of "certificate chain too long" ngx.say(s:verify(certs[#certs], ch)) } } @@ -306,7 +304,7 @@ truenil GET /t --- response_body_like eval "truenil -nil(?:certificate chain too long|unable to get local issuer certificate) +nilcertificate chain too long " --- no_error_log [error] @@ -463,67 +461,10 @@ truenil --- request GET /t --- response_body_like eval -"nil(?:x509\.store:check_revocation: expect a x509\.chain instance at #1|x509\.store:check_revocation: this API is not supported in BoringSSL) -(?:truenil|nilx509\.store:check_revocation: this API is not supported in BoringSSL) -nil(?:certificate revoked|x509\.store:check_revocation: this API is not supported in BoringSSL) +"nilx509\.store:check_revocation: expect a x509\.chain instance at #1 +truenil +nilcertificate revoked " --- no_error_log [error] ---- skip_openssl -3: < 1.1.0 - -=== TEST 15: Check revocation only supported from OpenSSL 1.1.0 ---- http_config eval: $::HttpConfig ---- config - location =/t { - content_by_lua_block { - local x509 = require("resty.openssl.x509") - local crl = require("resty.openssl.x509.crl") - local store = require("resty.openssl.x509.store") - - local s1 = myassert(store.new()) - - local f = io.open("t/fixtures/crl/rootca.cert.pem"):read("*a") - local rootca = myassert(x509.new(f)) - local f = io.open("t/fixtures/crl/subca.cert.pem"):read("*a") - local subca = myassert(x509.new(f)) - - local f = io.open("t/fixtures/crl/valid.cert.pem"):read("*a") - local valid_cert = myassert(x509.new(f)) - local f = io.open("t/fixtures/crl/revoked.cert.pem"):read("*a") - local revoked_cert = myassert(x509.new(f)) - - local f = io.open("t/fixtures/crl/crl.pem"):read("*a") - local c = myassert(crl.new(f)) - - myassert(s1:add(rootca)) - myassert(s1:add(subca)) - -- add crl to store, but skip setting the flag - myassert(s1:add(c, true)) - - -- to get the verified_chain first - local chain1 = myassert(s1:verify(valid_cert, nil, true)) - local chain2 = myassert(s1:verify(revoked_cert, nil, true)) - - local ok, err = s1:check_revocation() - ngx.say(ok, err) - - local ok, err = s1:check_revocation(chain1) - ngx.say(ok, err) - - local ok, err = s1:check_revocation(chain2) - ngx.say(ok, err) - } - } ---- request - GET /t ---- response_body_like eval -"nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL) -nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL) -nil(?:x509\.store:check_revocation: this API is supported from OpenSSL 1\.1\.0|x509\.store:check_revocation: this API is not supported in BoringSSL) -" ---- no_error_log -[error] ---- skip_openssl -3: >= 1.1.0