- /*-
- * Copyright 2016 Vsevolod Stakhov
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
- /***
- * @module rspamd_cryptobox
- * Rspamd cryptobox is a module that operates with digital signatures and
- * hashes.
- * @example
- * local hash = require "rspamd_cryptobox_hash"
- *
- * local h = hash.create()
- * h:update('hello world')
- * print(h:hex())
- */
-
-
- #include "lua_common.h"
- #include "libcryptobox/cryptobox.h"
- #include "libcryptobox/keypair.h"
- #include "libcryptobox/keypair_private.h"
- #include "unix-std.h"
- #include "contrib/libottery/ottery.h"
- #include "libutil/ref.h"
-
- #include <stdalign.h>
- #include <openssl/hmac.h>
-
-
- enum lua_cryptobox_hash_type {
- LUA_CRYPTOBOX_HASH_BLAKE2 = 0,
- LUA_CRYPTOBOX_HASH_SSL,
- LUA_CRYPTOBOX_HASH_HMAC,
- LUA_CRYPTOBOX_HASH_XXHASH64,
- LUA_CRYPTOBOX_HASH_XXHASH32,
- LUA_CRYPTOBOX_HASH_MUM,
- LUA_CRYPTOBOX_HASH_T1HA,
- };
-
- struct rspamd_lua_cryptobox_hash {
- union {
- rspamd_cryptobox_hash_state_t *h;
- EVP_MD_CTX *c;
- HMAC_CTX *hmac_c;
- rspamd_cryptobox_fast_hash_state_t *fh;
- } content;
-
- unsigned char out[rspamd_cryptobox_HASHBYTES];
-
- uint8_t type;
- uint8_t out_len;
- uint8_t is_finished;
-
- ref_entry_t ref;
- };
-
- LUA_FUNCTION_DEF (cryptobox_pubkey, load);
- LUA_FUNCTION_DEF (cryptobox_pubkey, create);
- LUA_FUNCTION_DEF (cryptobox_pubkey, gc);
- LUA_FUNCTION_DEF (cryptobox_keypair, load);
- LUA_FUNCTION_DEF (cryptobox_keypair, create);
- LUA_FUNCTION_DEF (cryptobox_keypair, gc);
- LUA_FUNCTION_DEF (cryptobox_keypair, totable);
- LUA_FUNCTION_DEF (cryptobox_keypair, get_type);
- LUA_FUNCTION_DEF (cryptobox_keypair, get_alg);
- LUA_FUNCTION_DEF (cryptobox_keypair, get_pk);
- LUA_FUNCTION_DEF (cryptobox_signature, create);
- LUA_FUNCTION_DEF (cryptobox_signature, load);
- LUA_FUNCTION_DEF (cryptobox_signature, save);
- LUA_FUNCTION_DEF (cryptobox_signature, gc);
- LUA_FUNCTION_DEF (cryptobox_signature, hex);
- LUA_FUNCTION_DEF (cryptobox_signature, base32);
- LUA_FUNCTION_DEF (cryptobox_signature, base64);
- LUA_FUNCTION_DEF (cryptobox_signature, bin);
- LUA_FUNCTION_DEF (cryptobox_hash, create);
- LUA_FUNCTION_DEF (cryptobox_hash, create_specific);
- LUA_FUNCTION_DEF (cryptobox_hash, create_specific_keyed);
- LUA_FUNCTION_DEF (cryptobox_hash, create_keyed);
- LUA_FUNCTION_DEF (cryptobox_hash, update);
- LUA_FUNCTION_DEF (cryptobox_hash, reset);
- LUA_FUNCTION_DEF (cryptobox_hash, hex);
- LUA_FUNCTION_DEF (cryptobox_hash, base32);
- LUA_FUNCTION_DEF (cryptobox_hash, base64);
- LUA_FUNCTION_DEF (cryptobox_hash, bin);
- LUA_FUNCTION_DEF (cryptobox_hash, gc);
- LUA_FUNCTION_DEF (cryptobox, verify_memory);
- LUA_FUNCTION_DEF (cryptobox, verify_file);
- LUA_FUNCTION_DEF (cryptobox, sign_file);
- LUA_FUNCTION_DEF (cryptobox, sign_memory);
- LUA_FUNCTION_DEF (cryptobox, encrypt_memory);
- LUA_FUNCTION_DEF (cryptobox, encrypt_file);
- LUA_FUNCTION_DEF (cryptobox, decrypt_memory);
- LUA_FUNCTION_DEF (cryptobox, decrypt_file);
- LUA_FUNCTION_DEF (cryptobox, encrypt_cookie);
- LUA_FUNCTION_DEF (cryptobox, decrypt_cookie);
- LUA_FUNCTION_DEF (cryptobox, pbkdf);
- LUA_FUNCTION_DEF (cryptobox, gen_dkim_keypair);
-
- /* Secretbox API: uses libsodium secretbox and blake2b for key derivation */
- LUA_FUNCTION_DEF (cryptobox_secretbox, create);
- LUA_FUNCTION_DEF (cryptobox_secretbox, encrypt);
- LUA_FUNCTION_DEF (cryptobox_secretbox, decrypt);
- LUA_FUNCTION_DEF (cryptobox_secretbox, gc);
-
- static const struct luaL_reg cryptoboxlib_f[] = {
- LUA_INTERFACE_DEF (cryptobox, verify_memory),
- LUA_INTERFACE_DEF (cryptobox, verify_file),
- LUA_INTERFACE_DEF (cryptobox, sign_memory),
- LUA_INTERFACE_DEF (cryptobox, sign_file),
- LUA_INTERFACE_DEF (cryptobox, encrypt_memory),
- LUA_INTERFACE_DEF (cryptobox, encrypt_file),
- LUA_INTERFACE_DEF (cryptobox, decrypt_memory),
- LUA_INTERFACE_DEF (cryptobox, decrypt_file),
- LUA_INTERFACE_DEF (cryptobox, encrypt_cookie),
- LUA_INTERFACE_DEF (cryptobox, decrypt_cookie),
- LUA_INTERFACE_DEF (cryptobox, pbkdf),
- LUA_INTERFACE_DEF (cryptobox, gen_dkim_keypair),
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxpubkeylib_f[] = {
- LUA_INTERFACE_DEF (cryptobox_pubkey, load),
- LUA_INTERFACE_DEF (cryptobox_pubkey, create),
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxpubkeylib_m[] = {
- {"__tostring", rspamd_lua_class_tostring},
- {"__gc", lua_cryptobox_pubkey_gc},
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxkeypairlib_f[] = {
- LUA_INTERFACE_DEF (cryptobox_keypair, load),
- LUA_INTERFACE_DEF (cryptobox_keypair, create),
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxkeypairlib_m[] = {
- {"__tostring", rspamd_lua_class_tostring},
- {"totable", lua_cryptobox_keypair_totable},
- {"get_type", lua_cryptobox_keypair_get_type},
- {"get_alg", lua_cryptobox_keypair_get_alg},
- {"type", lua_cryptobox_keypair_get_type},
- {"alg", lua_cryptobox_keypair_get_alg},
- {"pk", lua_cryptobox_keypair_get_pk},
- {"pubkey", lua_cryptobox_keypair_get_pk},
- {"__gc", lua_cryptobox_keypair_gc},
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxsignlib_f[] = {
- LUA_INTERFACE_DEF (cryptobox_signature, load),
- LUA_INTERFACE_DEF (cryptobox_signature, create),
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxsignlib_m[] = {
- LUA_INTERFACE_DEF (cryptobox_signature, save),
- LUA_INTERFACE_DEF (cryptobox_signature, hex),
- LUA_INTERFACE_DEF (cryptobox_signature, base32),
- LUA_INTERFACE_DEF (cryptobox_signature, base64),
- LUA_INTERFACE_DEF (cryptobox_signature, bin),
- {"__tostring", rspamd_lua_class_tostring},
- {"__gc", lua_cryptobox_signature_gc},
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxhashlib_f[] = {
- LUA_INTERFACE_DEF (cryptobox_hash, create),
- LUA_INTERFACE_DEF (cryptobox_hash, create_keyed),
- LUA_INTERFACE_DEF (cryptobox_hash, create_specific),
- LUA_INTERFACE_DEF (cryptobox_hash, create_specific_keyed),
- {NULL, NULL}
- };
-
- static const struct luaL_reg cryptoboxhashlib_m[] = {
- LUA_INTERFACE_DEF (cryptobox_hash, update),
- LUA_INTERFACE_DEF (cryptobox_hash, reset),
- LUA_INTERFACE_DEF (cryptobox_hash, hex),
- LUA_INTERFACE_DEF (cryptobox_hash, base32),
- LUA_INTERFACE_DEF (cryptobox_hash, base64),
- LUA_INTERFACE_DEF (cryptobox_hash, bin),
- {"__tostring", rspamd_lua_class_tostring},
- {"__gc", lua_cryptobox_hash_gc},
- {NULL, NULL}
- };
-
-
- static const struct luaL_reg cryptoboxsecretboxlib_f[] = {
- LUA_INTERFACE_DEF (cryptobox_secretbox, create),
- {NULL, NULL},
- };
-
- static const struct luaL_reg cryptoboxsecretboxlib_m[] = {
- LUA_INTERFACE_DEF (cryptobox_secretbox, encrypt),
- LUA_INTERFACE_DEF (cryptobox_secretbox, decrypt),
- {"__gc", lua_cryptobox_secretbox_gc},
- {NULL, NULL},
- };
-
- struct rspamd_lua_cryptobox_secretbox {
- guchar sk[crypto_secretbox_KEYBYTES];
- };
-
- static struct rspamd_cryptobox_pubkey *
- lua_check_cryptobox_pubkey (lua_State * L, int pos)
- {
- void *ud = rspamd_lua_check_udata (L, pos, "rspamd{cryptobox_pubkey}");
-
- luaL_argcheck (L, ud != NULL, 1, "'cryptobox_pubkey' expected");
- return ud ? *((struct rspamd_cryptobox_pubkey **)ud) : NULL;
- }
-
- static struct rspamd_cryptobox_keypair *
- lua_check_cryptobox_keypair (lua_State * L, int pos)
- {
- void *ud = rspamd_lua_check_udata (L, pos, "rspamd{cryptobox_keypair}");
-
- luaL_argcheck (L, ud != NULL, 1, "'cryptobox_keypair' expected");
- return ud ? *((struct rspamd_cryptobox_keypair **)ud) : NULL;
- }
-
- static rspamd_fstring_t *
- lua_check_cryptobox_sign (lua_State * L, int pos)
- {
- void *ud = rspamd_lua_check_udata (L, pos, "rspamd{cryptobox_signature}");
-
- luaL_argcheck (L, ud != NULL, 1, "'cryptobox_signature' expected");
- return ud ? *((rspamd_fstring_t **)ud) : NULL;
- }
-
- struct rspamd_lua_cryptobox_hash *
- lua_check_cryptobox_hash (lua_State * L, int pos)
- {
- void *ud = rspamd_lua_check_udata (L, pos, "rspamd{cryptobox_hash}");
-
- luaL_argcheck (L, ud != NULL, 1, "'cryptobox_hash' expected");
- return ud ? *((struct rspamd_lua_cryptobox_hash **)ud) : NULL;
- }
-
- static struct rspamd_lua_cryptobox_secretbox *
- lua_check_cryptobox_secretbox (lua_State * L, int pos)
- {
- void *ud = rspamd_lua_check_udata (L, pos, "rspamd{cryptobox_secretbox}");
-
- luaL_argcheck (L, ud != NULL, 1, "'cryptobox_secretbox' expected");
- return ud ? *((struct rspamd_lua_cryptobox_secretbox **)ud) : NULL;
- }
-
- /***
- * @function rspamd_cryptobox_pubkey.load(file[, type[, alg]])
- * Loads public key from base32 encoded file
- * @param {string} file filename to load
- * @param {string} type optional 'sign' or 'kex' for signing and encryption
- * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys
- * @return {cryptobox_pubkey} new public key
- */
- static gint
- lua_cryptobox_pubkey_load (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_pubkey *pkey = NULL, **ppkey;
- const gchar *filename, *arg;
- gint type = RSPAMD_KEYPAIR_SIGN;
- gint alg = RSPAMD_CRYPTOBOX_MODE_25519;
- guchar *map;
- gsize len;
-
- filename = luaL_checkstring (L, 1);
- if (filename != NULL) {
- map = rspamd_file_xmap (filename, PROT_READ, &len, TRUE);
-
- if (map == NULL) {
- msg_err ("cannot open pubkey from file: %s, %s",
- filename,
- strerror (errno));
- lua_pushnil (L);
- }
- else {
- if (lua_type (L, 2) == LUA_TSTRING) {
- /* keypair type */
- arg = lua_tostring (L, 2);
-
- if (strcmp (arg, "sign") == 0) {
- type = RSPAMD_KEYPAIR_SIGN;
- }
- else if (strcmp (arg, "kex") == 0) {
- type = RSPAMD_KEYPAIR_KEX;
- }
- }
- if (lua_type (L, 3) == LUA_TSTRING) {
- /* algorithm */
- arg = lua_tostring (L, 3);
-
- if (strcmp (arg, "default") == 0 || strcmp (arg, "curve25519") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else if (strcmp (arg, "nist") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- }
-
- pkey = rspamd_pubkey_from_base32 (map, len, type, alg);
-
- if (pkey == NULL) {
- msg_err ("cannot open pubkey from file: %s", filename);
- munmap (map, len);
- lua_pushnil (L);
- }
- else {
- munmap (map, len);
- ppkey = lua_newuserdata (L, sizeof (void *));
- rspamd_lua_setclass (L, "rspamd{cryptobox_pubkey}", -1);
- *ppkey = pkey;
- }
- }
- }
- else {
- return luaL_error (L, "bad input arguments");
- }
-
- return 1;
- }
-
-
- /***
- * @function rspamd_cryptobox_pubkey.create(data[, type[, alg]])
- * Loads public key from base32 encoded string
- * @param {base32 string} base32 string with the key
- * @param {string} type optional 'sign' or 'kex' for signing and encryption
- * @param {string} alg optional 'default' or 'nist' for curve25519/nistp256 keys
- * @return {cryptobox_pubkey} new public key
- */
- static gint
- lua_cryptobox_pubkey_create (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_pubkey *pkey = NULL, **ppkey;
- const gchar *buf, *arg;
- gsize len;
- gint type = RSPAMD_KEYPAIR_SIGN;
- gint alg = RSPAMD_CRYPTOBOX_MODE_25519;
-
- buf = luaL_checklstring (L, 1, &len);
- if (buf != NULL) {
- if (lua_type (L, 2) == LUA_TSTRING) {
- /* keypair type */
- arg = lua_tostring (L, 2);
-
- if (strcmp (arg, "sign") == 0) {
- type = RSPAMD_KEYPAIR_SIGN;
- }
- else if (strcmp (arg, "kex") == 0) {
- type = RSPAMD_KEYPAIR_KEX;
- }
- }
- if (lua_type (L, 3) == LUA_TSTRING) {
- /* algorithm */
- arg = lua_tostring (L, 3);
-
- if (strcmp (arg, "default") == 0 || strcmp (arg, "curve25519") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else if (strcmp (arg, "nist") == 0) {
- type = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- }
-
- pkey = rspamd_pubkey_from_base32 (buf, len, type, alg);
-
- if (pkey == NULL) {
- msg_err ("cannot load pubkey from string");
- lua_pushnil (L);
- }
- else {
- ppkey = lua_newuserdata (L, sizeof (void *));
- rspamd_lua_setclass (L, "rspamd{cryptobox_pubkey}", -1);
- *ppkey = pkey;
- }
-
- }
- else {
- return luaL_error (L, "bad input arguments");
- }
-
- return 1;
- }
-
- static gint
- lua_cryptobox_pubkey_gc (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_pubkey *pkey = lua_check_cryptobox_pubkey (L, 1);
-
- if (pkey != NULL) {
- rspamd_pubkey_unref (pkey);
- }
-
- return 0;
- }
-
- /***
- * @function rspamd_cryptobox_keypair.load(file|table)
- * Loads public key from UCL file or directly from Lua
- * @param {string} file filename to load
- * @return {cryptobox_keypair} new keypair
- */
- static gint
- lua_cryptobox_keypair_load (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp, **pkp;
- const gchar *buf;
- gsize len;
- struct ucl_parser *parser;
- ucl_object_t *obj;
-
- if (lua_type (L, 1) == LUA_TSTRING) {
- buf = luaL_checklstring (L, 1, &len);
- if (buf != NULL) {
- parser = ucl_parser_new (0);
-
- if (!ucl_parser_add_chunk (parser, buf, len)) {
- msg_err ("cannot open keypair from data: %s",
- ucl_parser_get_error (parser));
- ucl_parser_free (parser);
- lua_pushnil (L);
- }
- else {
- obj = ucl_parser_get_object (parser);
- kp = rspamd_keypair_from_ucl (obj);
- ucl_parser_free (parser);
-
- if (kp == NULL) {
- msg_err ("cannot load keypair from data");
- ucl_object_unref (obj);
- lua_pushnil (L);
- }
- else {
- pkp = lua_newuserdata (L, sizeof (gpointer));
- *pkp = kp;
- rspamd_lua_setclass (L, "rspamd{cryptobox_keypair}", -1);
- ucl_object_unref (obj);
- }
- }
- }
- else {
- luaL_error (L, "bad input arguments");
- }
- }
- else {
- /* Directly import from lua */
- obj = ucl_object_lua_import (L, 1);
- kp = rspamd_keypair_from_ucl (obj);
-
- if (kp == NULL) {
- msg_err ("cannot load keypair from data");
- ucl_object_unref (obj);
- lua_pushnil (L);
- }
- else {
- pkp = lua_newuserdata (L, sizeof (gpointer));
- *pkp = kp;
- rspamd_lua_setclass (L, "rspamd{cryptobox_keypair}", -1);
- ucl_object_unref (obj);
- }
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_keypair.create([type='encryption'[, alg='curve25519']])
- * Generates new keypair
- * @param {string} type type of keypair: 'encryption' (default) or 'sign'
- * @param {string} alg algorithm of keypair: 'curve25519' (default) or 'nist'
- * @return {cryptobox_keypair} new keypair
- */
- static gint
- lua_cryptobox_keypair_create (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp, **pkp;
- enum rspamd_cryptobox_keypair_type type = RSPAMD_KEYPAIR_KEX;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
-
- if (lua_isstring (L, 1)) {
- const gchar *str = lua_tostring (L, 1);
-
- if (strcmp (str, "sign") == 0) {
- type = RSPAMD_KEYPAIR_SIGN;
- }
- else if (strcmp (str, "encryption") == 0) {
- type = RSPAMD_KEYPAIR_KEX;
- }
- else {
- return luaL_error (L, "invalid keypair type: %s", str);
- }
- }
-
- if (lua_isstring (L, 2)) {
- const gchar *str = lua_tostring (L, 2);
-
- if (strcmp (str, "nist") == 0 || strcmp (str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp (str, "curve25519") == 0 || strcmp (str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error (L, "invalid keypair algorithm: %s", str);
- }
- }
-
- kp = rspamd_keypair_new (type, alg);
-
- pkp = lua_newuserdata (L, sizeof (gpointer));
- *pkp = kp;
- rspamd_lua_setclass (L, "rspamd{cryptobox_keypair}", -1);
-
- return 1;
- }
-
- static gint
- lua_cryptobox_keypair_gc (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair (L, 1);
-
- if (kp != NULL) {
- rspamd_keypair_unref (kp);
- }
-
- return 0;
- }
-
- /***
- * @method keypair:totable([hex=false]])
- * Converts keypair to table (not very safe due to memory leftovers)
- */
- static gint
- lua_cryptobox_keypair_totable (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair (L, 1);
- ucl_object_t *obj;
- gboolean hex = FALSE;
- gint ret = 1;
-
- if (kp != NULL) {
-
- if (lua_isboolean (L, 2)) {
- hex = lua_toboolean (L, 2);
- }
-
- obj = rspamd_keypair_to_ucl (kp, hex);
-
- ret = ucl_object_push_lua (L, obj, true);
- ucl_object_unref (obj);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return ret;
- }
- /***
- * @method keypair:type()
- * Returns type of keypair as a string: 'encryption' or 'sign'
- * @return {string} type of keypair as a string
- */
- static gint
- lua_cryptobox_keypair_get_type (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair (L, 1);
-
- if (kp) {
- if (kp->type == RSPAMD_KEYPAIR_KEX) {
- lua_pushstring (L, "encryption");
- }
- else {
- lua_pushstring (L, "sign");
- }
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method keypair:alg()
- * Returns algorithm of keypair as a string: 'encryption' or 'sign'
- * @return {string} type of keypair as a string
- */
- static gint
- lua_cryptobox_keypair_get_alg (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair (L, 1);
-
- if (kp) {
- if (kp->alg == RSPAMD_CRYPTOBOX_MODE_25519) {
- lua_pushstring (L, "curve25519");
- }
- else {
- lua_pushstring (L, "nist");
- }
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method keypair:pk()
- * Returns pubkey for a specific keypair
- * @return {rspamd_pubkey} pubkey for a keypair
- */
- static gint
- lua_cryptobox_keypair_get_pk (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = lua_check_cryptobox_keypair (L, 1);
- struct rspamd_cryptobox_pubkey *pk, **ppk;
- const guchar *data;
- guint dlen;
-
- if (kp) {
- data = rspamd_keypair_component (kp, RSPAMD_KEYPAIR_COMPONENT_PK, &dlen);
- pk = rspamd_pubkey_from_bin (data, dlen, kp->type, kp->alg);
-
- if (pk == NULL) {
- return luaL_error (L, "invalid keypair");
- }
-
- ppk = lua_newuserdata (L, sizeof (*ppk));
- *ppk = pk;
- rspamd_lua_setclass (L, "rspamd{cryptobox_pubkey}", -1);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_signature.load(file, [alg = 'curve25519'])
- * Loads signature from raw file
- * @param {string} file filename to load
- * @return {cryptobox_signature} new signature
- */
- static gint
- lua_cryptobox_signature_load (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig, **psig;
- const gchar *filename;
- gpointer data;
- int fd;
- struct stat st;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
-
- filename = luaL_checkstring (L, 1);
- if (filename != NULL) {
- fd = open (filename, O_RDONLY);
- if (fd == -1) {
- msg_err ("cannot open signature file: %s, %s", filename,
- strerror (errno));
- lua_pushnil (L);
- }
- else {
- if (fstat (fd, &st) == -1 ||
- (data =
- mmap (NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0))
- == MAP_FAILED) {
- msg_err ("cannot mmap file %s: %s", filename, strerror (errno));
- lua_pushnil (L);
- }
- else {
- if (lua_isstring (L, 2)) {
- const gchar *str = lua_tostring (L, 2);
-
- if (strcmp (str, "nist") == 0 || strcmp (str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp (str, "curve25519") == 0 || strcmp (str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error (L, "invalid keypair algorithm: %s", str);
- }
- }
- if (st.st_size > 0) {
- sig = rspamd_fstring_new_init (data, st.st_size);
- psig = lua_newuserdata (L, sizeof (rspamd_fstring_t *));
- rspamd_lua_setclass (L, "rspamd{cryptobox_signature}", -1);
- *psig = sig;
- }
- else {
- msg_err ("size of %s mismatches: %d while %d is expected",
- filename, (int)st.st_size,
- rspamd_cryptobox_signature_bytes (alg));
- lua_pushnil (L);
- }
-
- munmap (data, st.st_size);
- }
- close (fd);
- }
- }
- else {
- luaL_error (L, "bad input arguments");
- }
-
- return 1;
- }
-
- /***
- * @method rspamd_cryptobox_signature:save(file)
- * Stores signature in raw file
- * @param {string} file filename to use
- * @return {boolean} true if signature has been saved
- */
- static gint
- lua_cryptobox_signature_save (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig;
- gint fd, flags;
- const gchar *filename;
- gboolean forced = FALSE, res = TRUE;
-
- sig = lua_check_cryptobox_sign (L, 1);
- filename = luaL_checkstring (L, 2);
-
- if (!sig || !filename) {
- luaL_error (L, "bad input arguments");
- return 1;
- }
-
- if (lua_gettop (L) > 2) {
- forced = lua_toboolean (L, 3);
- }
-
- if (sig != NULL && filename != NULL) {
- flags = O_WRONLY | O_CREAT;
- if (forced) {
- flags |= O_TRUNC;
- }
- else {
- flags |= O_EXCL;
- }
- fd = open (filename, flags, 00644);
- if (fd == -1) {
- msg_err ("cannot create a signature file: %s, %s",
- filename,
- strerror (errno));
- lua_pushboolean (L, FALSE);
- }
- else {
- while (write (fd, sig->str, sig->len) == -1) {
- if (errno == EINTR) {
- continue;
- }
- msg_err ("cannot write to a signature file: %s, %s",
- filename,
- strerror (errno));
- res = FALSE;
- break;
- }
- lua_pushboolean (L, res);
- close (fd);
- }
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_signature.create(data)
- * Creates signature object from raw data
- * @param {data} raw signature data
- * @return {cryptobox_signature} signature object
- */
- static gint
- lua_cryptobox_signature_create (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig, **psig;
- struct rspamd_lua_text *t;
- const gchar *data;
- gsize dlen;
-
- if (lua_isuserdata (L, 1)) {
- t = lua_check_text (L, 1);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- dlen = t->len;
- }
- else {
- data = luaL_checklstring (L, 1, &dlen);
- }
-
- if (data != NULL) {
- if (dlen == rspamd_cryptobox_signature_bytes (RSPAMD_CRYPTOBOX_MODE_25519)) {
- sig = rspamd_fstring_new_init (data, dlen);
- psig = lua_newuserdata (L, sizeof (rspamd_fstring_t *));
- rspamd_lua_setclass (L, "rspamd{cryptobox_signature}", -1);
- *psig = sig;
- }
- }
- else {
- return luaL_error (L, "bad input arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_signature:hex()
- * Return hex encoded signature string
- * @return {string} raw value of signature
- */
- static gint
- lua_cryptobox_signature_hex (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig = lua_check_cryptobox_sign (L, 1);
- gchar *encoded;
-
- if (sig) {
- encoded = rspamd_encode_hex (sig->str, sig->len);
- lua_pushstring (L, encoded);
- g_free (encoded);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_signature:base32([b32type='default'])
- * Return base32 encoded signature string
- * @param {string} b32type base32 type (default, bleach, rfc)
- * @return {string} raw value of signature
- */
- static gint
- lua_cryptobox_signature_base32 (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig = lua_check_cryptobox_sign (L, 1);
- gchar *encoded;
- enum rspamd_base32_type btype = RSPAMD_BASE32_DEFAULT;
-
- if (lua_type (L, 2) == LUA_TSTRING) {
- btype = rspamd_base32_decode_type_from_str (lua_tostring (L, 2));
-
- if (btype == RSPAMD_BASE32_INVALID) {
- return luaL_error (L, "invalid b32 type: %s", lua_tostring (L, 2));
- }
- }
-
- if (sig) {
- encoded = rspamd_encode_base32 (sig->str, sig->len, btype);
- lua_pushstring (L, encoded);
- g_free (encoded);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_signature:base64()
- * Return base64 encoded signature string
- * @return {string} raw value of signature
- */
- static gint
- lua_cryptobox_signature_base64 (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig = lua_check_cryptobox_sign (L, 1);
- gsize dlen;
- gchar *encoded;
-
- if (sig) {
- encoded = rspamd_encode_base64 (sig->str, sig->len, 0, &dlen);
- lua_pushlstring (L, encoded, dlen);
- g_free (encoded);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_signature:bin()
- * Return raw signature string
- * @return {string} raw value of signature
- */
- static gint
- lua_cryptobox_signature_bin (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig = lua_check_cryptobox_sign (L, 1);
-
- if (sig) {
- lua_pushlstring (L, sig->str, sig->len);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- static gint
- lua_cryptobox_signature_gc (lua_State *L)
- {
- LUA_TRACE_POINT;
- rspamd_fstring_t *sig = lua_check_cryptobox_sign (L, 1);
-
- rspamd_fstring_free (sig);
-
- return 0;
- }
-
- static void
- rspamd_lua_hash_update (struct rspamd_lua_cryptobox_hash *h,
- const void *p, gsize len)
- {
- if (h) {
- switch (h->type) {
- case LUA_CRYPTOBOX_HASH_BLAKE2:
- rspamd_cryptobox_hash_update (h->content.h, p, len);
- break;
- case LUA_CRYPTOBOX_HASH_SSL:
- EVP_DigestUpdate (h->content.c, p, len);
- break;
- case LUA_CRYPTOBOX_HASH_HMAC:
- HMAC_Update (h->content.hmac_c, p, len);
- break;
- case LUA_CRYPTOBOX_HASH_XXHASH64:
- case LUA_CRYPTOBOX_HASH_XXHASH32:
- case LUA_CRYPTOBOX_HASH_MUM:
- case LUA_CRYPTOBOX_HASH_T1HA:
- rspamd_cryptobox_fast_hash_update (h->content.fh, p, len);
- break;
- default:
- g_assert_not_reached ();
- }
- }
- }
-
- static void
- lua_cryptobox_hash_dtor (struct rspamd_lua_cryptobox_hash *h)
- {
- if (h->type == LUA_CRYPTOBOX_HASH_SSL) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_MD_CTX_cleanup (h->content.c);
- #else
- EVP_MD_CTX_reset (h->content.c);
- #endif
- EVP_MD_CTX_destroy (h->content.c);
- }
- else if (h->type == LUA_CRYPTOBOX_HASH_HMAC) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- HMAC_CTX_cleanup (h->content.hmac_c);
- g_free (h->content.hmac_c);
- #else
- HMAC_CTX_free (h->content.hmac_c);
- #endif
- }
- else if (h->type == LUA_CRYPTOBOX_HASH_BLAKE2) {
- rspamd_explicit_memzero (h->content.h, sizeof (*h->content.h));
- free (h->content.h); /* Allocated by posix_memalign */
- }
- else {
- g_free (h->content.fh);
- }
-
- g_free (h);
- }
-
- static inline void
- rspamd_lua_hash_init_default (struct rspamd_lua_cryptobox_hash *h,
- const gchar *key, gsize keylen)
- {
- h->type = LUA_CRYPTOBOX_HASH_BLAKE2;
- if (posix_memalign ((void **)&h->content.h,
- _Alignof (rspamd_cryptobox_hash_state_t),
- sizeof (*h->content.h)) != 0) {
- g_assert_not_reached ();
- }
-
- rspamd_cryptobox_hash_init (h->content.h, key, keylen);
- h->out_len = rspamd_cryptobox_HASHBYTES;
- }
-
- static void
- rspamd_lua_ssl_hash_create (struct rspamd_lua_cryptobox_hash *h, const EVP_MD *htype,
- bool insecure)
- {
- h->type = LUA_CRYPTOBOX_HASH_SSL;
- h->content.c = EVP_MD_CTX_create ();
- h->out_len = EVP_MD_size (htype);
-
- if (insecure) {
- /* Should never ever be used for crypto/security purposes! */
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- EVP_MD_CTX_set_flags(h->content.c, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #endif
- }
-
- EVP_DigestInit_ex (h->content.c, htype, NULL);
- }
-
- static void
- rspamd_lua_ssl_hmac_create (struct rspamd_lua_cryptobox_hash *h, const EVP_MD *htype,
- const gchar *key, gsize keylen,
- bool insecure)
- {
- h->type = LUA_CRYPTOBOX_HASH_HMAC;
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- h->content.hmac_c = g_malloc0 (sizeof(*h->content.hmac_c));
- #else
- h->content.hmac_c = HMAC_CTX_new ();
- #endif
- h->out_len = EVP_MD_size (htype);
-
- #if OPENSSL_VERSION_NUMBER > 0x10100000L
- if (insecure) {
- /* Should never ever be used for crypto/security purposes! */
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- HMAC_CTX_set_flags(h->content.hmac_c, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #endif
- }
- #endif
-
- HMAC_Init_ex (h->content.hmac_c, key, keylen, htype, NULL);
- }
-
- static struct rspamd_lua_cryptobox_hash *
- rspamd_lua_hash_create (const gchar *type, const gchar *key, gsize keylen)
- {
- struct rspamd_lua_cryptobox_hash *h;
-
- h = g_malloc0 (sizeof (*h));
- REF_INIT_RETAIN (h, lua_cryptobox_hash_dtor);
-
- if (type) {
- if (g_ascii_strcasecmp (type, "md5") == 0) {
- if (keylen > 0) {
- rspamd_lua_ssl_hmac_create(h, EVP_md5(), key, keylen, true);
- }
- else {
- rspamd_lua_ssl_hash_create(h, EVP_md5(), true);
- }
- }
- else if (g_ascii_strcasecmp (type, "sha1") == 0 ||
- g_ascii_strcasecmp (type, "sha") == 0) {
- if (keylen > 0) {
- rspamd_lua_ssl_hmac_create(h, EVP_sha1(), key, keylen, true);
- }
- else {
- rspamd_lua_ssl_hash_create(h, EVP_sha1(), true);
- }
- }
- else if (g_ascii_strcasecmp (type, "sha256") == 0) {
- if (keylen > 0) {
- rspamd_lua_ssl_hmac_create(h, EVP_sha256(), key, keylen, true);
- }
- else {
- rspamd_lua_ssl_hash_create(h, EVP_sha256(), true);
- }
- }
- else if (g_ascii_strcasecmp (type, "sha512") == 0) {
- if (keylen > 0) {
- rspamd_lua_ssl_hmac_create(h, EVP_sha512(), key, keylen, true);
- }
- else {
- rspamd_lua_ssl_hash_create(h, EVP_sha512(), true);
- }
- }
- else if (g_ascii_strcasecmp (type, "sha384") == 0) {
- if (keylen > 0) {
- rspamd_lua_ssl_hmac_create(h, EVP_sha384(), key, keylen, true);
- }
- else {
- rspamd_lua_ssl_hash_create(h, EVP_sha384(), true);
- }
- }
- else if (g_ascii_strcasecmp (type, "xxh64") == 0) {
- h->type = LUA_CRYPTOBOX_HASH_XXHASH64;
- h->content.fh = g_malloc0 (sizeof (*h->content.fh));
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_XXHASH64, 0);
- h->out_len = sizeof (guint64);
- }
- else if (g_ascii_strcasecmp (type, "xxh32") == 0) {
- h->type = LUA_CRYPTOBOX_HASH_XXHASH32;
- h->content.fh = g_malloc0 (sizeof (*h->content.fh));
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_XXHASH32, 0);
- h->out_len = sizeof (guint32);
- }
- else if (g_ascii_strcasecmp (type, "mum") == 0) {
- h->type = LUA_CRYPTOBOX_HASH_MUM;
- h->content.fh = g_malloc0 (sizeof (*h->content.fh));
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_MUMHASH, 0);
- h->out_len = sizeof (guint64);
- }
- else if (g_ascii_strcasecmp (type, "t1ha") == 0) {
- h->type = LUA_CRYPTOBOX_HASH_T1HA;
- h->content.fh = g_malloc0 (sizeof (*h->content.fh));
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_T1HA, 0);
- h->out_len = sizeof (guint64);
- }
- else if (g_ascii_strcasecmp (type, "blake2") == 0) {
- rspamd_lua_hash_init_default (h, key, keylen);
- }
- else {
- g_free (h);
-
- return NULL;
- }
- }
- else {
- /* Default hash type */
- rspamd_lua_hash_init_default (h, key, keylen);
- }
-
- return h;
- }
-
- /***
- * @function rspamd_cryptobox_hash.create([string])
- * Creates new hash context
- * @param {string} data optional string to hash
- * @return {cryptobox_hash} hash object
- */
- static gint
- lua_cryptobox_hash_create (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h, **ph;
- const gchar *s = NULL;
- struct rspamd_lua_text *t;
- gsize len = 0;
-
- h = rspamd_lua_hash_create (NULL, NULL, 0);
-
- if (lua_type (L, 1) == LUA_TSTRING) {
- s = lua_tolstring (L, 1, &len);
- }
- else if (lua_type (L, 1) == LUA_TUSERDATA) {
- t = lua_check_text (L, 1);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- s = t->start;
- len = t->len;
- }
-
- if (s) {
- rspamd_lua_hash_update (h, s, len);
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_hash.create_specific(type, [string])
- * Creates new hash context
- * @param {string} type type of hash (blake2, sha256, md5, sha512, mum, xxh64, xxh32, t1ha)
- * @param {string} string initial data
- * @return {cryptobox_hash} hash object
- */
- static gint
- lua_cryptobox_hash_create_specific (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h, **ph;
- const gchar *s = NULL, *type = luaL_checkstring (L, 1);
- gsize len = 0;
- struct rspamd_lua_text *t;
-
- if (!type) {
- return luaL_error (L, "invalid arguments");
- }
-
- h = rspamd_lua_hash_create (type, NULL, 0);
-
- if (h == NULL) {
- return luaL_error (L, "invalid hash type: %s", type);
- }
-
- if (lua_type (L, 2) == LUA_TSTRING) {
- s = lua_tolstring (L, 2, &len);
- }
- else if (lua_type (L, 2) == LUA_TUSERDATA) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- s = t->start;
- len = t->len;
- }
-
- if (s) {
- rspamd_lua_hash_update (h, s, len);
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_hash.create_keyed(key, [string])
- * Creates new hash context with specified key
- * @param {string} key key
- * @return {cryptobox_hash} hash object
- */
- static gint
- lua_cryptobox_hash_create_keyed (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h, **ph;
- const gchar *key, *s = NULL;
- struct rspamd_lua_text *t;
- gsize len = 0;
- gsize keylen;
-
- key = luaL_checklstring (L, 1, &keylen);
-
- if (key != NULL) {
- h = rspamd_lua_hash_create (NULL, key, keylen);
-
- if (lua_type (L, 2) == LUA_TSTRING) {
- s = lua_tolstring (L, 2, &len);
- }
- else if (lua_type (L, 2) == LUA_TUSERDATA) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- s = t->start;
- len = t->len;
- }
-
- if (s) {
- rspamd_lua_hash_update (h, s, len);
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox_hash.create_specific_keyed(key, type, [string])
- * Creates new hash context with specified key
- * @param {string} key key
- * @return {cryptobox_hash} hash object
- */
- static gint
- lua_cryptobox_hash_create_specific_keyed (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h, **ph;
- const gchar *key, *s = NULL, *type = luaL_checkstring (L, 2);
- struct rspamd_lua_text *t;
- gsize len = 0;
- gsize keylen;
-
- key = luaL_checklstring (L, 1, &keylen);
-
- if (key != NULL && type != NULL) {
- h = rspamd_lua_hash_create (type, key, keylen);
-
- if (lua_type (L, 3) == LUA_TSTRING) {
- s = lua_tolstring (L, 3, &len);
- }
- else if (lua_type (L, 3) == LUA_TUSERDATA) {
- t = lua_check_text (L, 3);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- s = t->start;
- len = t->len;
- }
-
- if (s) {
- rspamd_lua_hash_update (h, s, len);
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_hash:update(data)
- * Updates hash with the specified data (hash should not be finalized using `hex` or `bin` methods)
- * @param {string} data data to hash
- */
- static gint
- lua_cryptobox_hash_update (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1), **ph;
- const gchar *data;
- struct rspamd_lua_text *t;
- gsize len;
-
- if (lua_isuserdata (L, 2)) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- len = t->len;
- }
- else {
- data = luaL_checklstring (L, 2, &len);
- }
-
- if (lua_isnumber (L, 3)) {
- gsize nlen = lua_tonumber (L, 3);
-
- if (nlen > len) {
- return luaL_error (L, "invalid length: %d while %d is available",
- (int)nlen, (int)len);
- }
-
- len = nlen;
- }
-
- if (h && data) {
- if (!h->is_finished) {
- rspamd_lua_hash_update (h, data, len);
- }
- else {
- return luaL_error (L, "hash is already finalized");
- }
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- REF_RETAIN (h);
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
-
- return 1;
- }
-
- /***
- * @method cryptobox_hash:reset()
- * Resets hash to the initial state
- */
- static gint
- lua_cryptobox_hash_reset (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1), **ph;
-
- if (h) {
- switch (h->type) {
- case LUA_CRYPTOBOX_HASH_BLAKE2:
- memset (h->content.h, 0, sizeof (*h->content.h));
- rspamd_cryptobox_hash_init (h->content.h, NULL, 0);
- break;
- case LUA_CRYPTOBOX_HASH_SSL:
- EVP_DigestInit (h->content.c, EVP_MD_CTX_md (h->content.c));
- break;
- case LUA_CRYPTOBOX_HASH_HMAC:
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* Old openssl is awesome... */
- HMAC_Init_ex (h->content.hmac_c, NULL, 0, h->content.hmac_c->md, NULL);
- #else
- HMAC_CTX_reset (h->content.hmac_c);
- #endif
- break;
- case LUA_CRYPTOBOX_HASH_XXHASH64:
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_XXHASH64, 0);
- break;
- case LUA_CRYPTOBOX_HASH_XXHASH32:
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_XXHASH32, 0);
- break;
- case LUA_CRYPTOBOX_HASH_MUM:
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_MUMHASH, 0);
- break;
- case LUA_CRYPTOBOX_HASH_T1HA:
- rspamd_cryptobox_fast_hash_init_specific (h->content.fh,
- RSPAMD_CRYPTOBOX_T1HA, 0);
- break;
- default:
- g_assert_not_reached ();
- }
- h->is_finished = FALSE;
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- ph = lua_newuserdata (L, sizeof (void *));
- *ph = h;
- REF_RETAIN (h);
- rspamd_lua_setclass (L, "rspamd{cryptobox_hash}", -1);
-
- return 1;
- }
-
- static void
- lua_cryptobox_hash_finish (struct rspamd_lua_cryptobox_hash *h)
- {
- guint64 ll;
- guchar out[rspamd_cryptobox_HASHBYTES];
- guint ssl_outlen = sizeof (out);
-
- switch (h->type) {
- case LUA_CRYPTOBOX_HASH_BLAKE2:
- rspamd_cryptobox_hash_final (h->content.h, out);
- memcpy (h->out, out, sizeof (out));
- break;
- case LUA_CRYPTOBOX_HASH_SSL:
- EVP_DigestFinal_ex (h->content.c, out, &ssl_outlen);
- h->out_len = ssl_outlen;
- g_assert (ssl_outlen <= sizeof (h->out));
- memcpy (h->out, out, ssl_outlen);
- break;
- case LUA_CRYPTOBOX_HASH_HMAC:
- HMAC_Final (h->content.hmac_c, out, &ssl_outlen);
- h->out_len = ssl_outlen;
- g_assert (ssl_outlen <= sizeof (h->out));
- memcpy (h->out, out, ssl_outlen);
- break;
- case LUA_CRYPTOBOX_HASH_XXHASH64:
- case LUA_CRYPTOBOX_HASH_XXHASH32:
- case LUA_CRYPTOBOX_HASH_MUM:
- case LUA_CRYPTOBOX_HASH_T1HA:
- ll = rspamd_cryptobox_fast_hash_final (h->content.fh);
- memcpy (h->out, &ll, sizeof (ll));
- break;
- default:
- g_assert_not_reached ();
- }
-
- h->is_finished = TRUE;
- }
-
- /***
- * @method cryptobox_hash:hex()
- * Finalizes hash and return it as hex string
- * @return {string} hex value of hash
- */
- static gint
- lua_cryptobox_hash_hex (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1);
- guchar out_hex[rspamd_cryptobox_HASHBYTES * 2 + 1], *r;
- guint dlen;
-
- if (h) {
- if (!h->is_finished) {
- lua_cryptobox_hash_finish (h);
- }
-
- memset (out_hex, 0, sizeof (out_hex));
- r = h->out;
- dlen = h->out_len;
-
- if (lua_isnumber (L, 2)) {
- guint lim = lua_tonumber (L, 2);
-
- if (lim < dlen) {
- r += dlen - lim;
- dlen = lim;
- }
- }
-
- rspamd_encode_hex_buf (r, dlen, out_hex, sizeof (out_hex));
- lua_pushstring (L, out_hex);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_hash:base32([b32type])
- * Finalizes hash and return it as zbase32 (by default) string
- * @param {string} b32type base32 type (default, bleach, rfc)
- * @return {string} base32 value of hash
- */
- static gint
- lua_cryptobox_hash_base32 (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1);
- guchar out_b32[rspamd_cryptobox_HASHBYTES * 2], *r;
- guint dlen;
-
- if (h) {
- enum rspamd_base32_type btype = RSPAMD_BASE32_DEFAULT;
-
- if (lua_type (L, 2) == LUA_TSTRING) {
- btype = rspamd_base32_decode_type_from_str (lua_tostring (L, 2));
-
- if (btype == RSPAMD_BASE32_INVALID) {
- return luaL_error (L, "invalid b32 type: %s", lua_tostring (L, 2));
- }
- }
-
- if (!h->is_finished) {
- lua_cryptobox_hash_finish (h);
- }
-
- memset (out_b32, 0, sizeof (out_b32));
- r = h->out;
- dlen = h->out_len;
-
- if (lua_isnumber (L, 2)) {
- guint lim = lua_tonumber (L, 2);
-
- if (lim < dlen) {
- r += dlen - lim;
- dlen = lim;
- }
- }
-
- rspamd_encode_base32_buf (r, dlen, out_b32, sizeof (out_b32), btype);
- lua_pushstring (L, out_b32);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_hash:base64()
- * Finalizes hash and return it as base64 string
- * @return {string} base64 value of hash
- */
- static gint
- lua_cryptobox_hash_base64 (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1);
- guchar *b64, *r;
- gsize len;
- guint dlen;
-
- if (h) {
- if (!h->is_finished) {
- lua_cryptobox_hash_finish (h);
- }
-
- r = h->out;
- dlen = h->out_len;
-
- if (lua_isnumber (L, 2)) {
- guint lim = lua_tonumber (L, 2);
-
- if (lim < dlen) {
- r += dlen - lim;
- dlen = lim;
- }
- }
-
- b64 = rspamd_encode_base64 (r, dlen, 0, &len);
- lua_pushlstring (L, b64, len);
- g_free (b64);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @method cryptobox_hash:bin()
- * Finalizes hash and return it as raw string
- * @return {string} raw value of hash
- */
- static gint
- lua_cryptobox_hash_bin (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1);
- guchar *r;
- guint dlen;
-
- if (h) {
- if (!h->is_finished) {
- lua_cryptobox_hash_finish (h);
- }
-
- r = h->out;
- dlen = h->out_len;
-
- if (lua_isnumber (L, 2)) {
- guint lim = lua_tonumber (L, 2);
-
- if (lim < dlen) {
- r += dlen - lim;
- dlen = lim;
- }
- }
-
- lua_pushlstring (L, r, dlen);
- h->is_finished = TRUE;
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- static gint
- lua_cryptobox_hash_gc (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_lua_cryptobox_hash *h = lua_check_cryptobox_hash (L, 1);
-
- REF_RELEASE (h);
-
- return 0;
- }
-
- /***
- * @function rspamd_cryptobox.verify_memory(pk, sig, data, [alg = 'curve25519'])
- * Check memory using specified cryptobox key and signature
- * @param {pubkey} pk public key to verify
- * @param {sig} signature to check
- * @param {string} data data to check signature against
- * @return {boolean} `true` - if string matches cryptobox signature
- */
- static gint
- lua_cryptobox_verify_memory (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_pubkey *pk;
- rspamd_fstring_t *signature;
- struct rspamd_lua_text *t;
- const gchar *data;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
- gsize len;
- gint ret;
-
- pk = lua_check_cryptobox_pubkey (L, 1);
- signature = lua_check_cryptobox_sign (L, 2);
-
- if (lua_isuserdata (L, 3)) {
- t = lua_check_text (L, 3);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- len = t->len;
- }
- else {
- data = luaL_checklstring (L, 3, &len);
- }
-
- if (lua_isstring (L, 4)) {
- const gchar *str = lua_tostring (L, 4);
-
- if (strcmp (str, "nist") == 0 || strcmp (str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp (str, "curve25519") == 0 || strcmp (str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error (L, "invalid algorithm: %s", str);
- }
- }
-
- if (pk != NULL && signature != NULL && data != NULL) {
- ret = rspamd_cryptobox_verify (signature->str, signature->len, data, len,
- rspamd_pubkey_get_pk (pk, NULL), alg);
-
- if (ret) {
- lua_pushboolean (L, 1);
- }
- else {
- lua_pushboolean (L, 0);
- }
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.verify_file(pk, sig, file, [alg = 'curve25519'])
- * Check file using specified cryptobox key and signature
- * @param {pubkey} pk public key to verify
- * @param {sig} signature to check
- * @param {string} file to load data from
- * @return {boolean} `true` - if string matches cryptobox signature
- */
- static gint
- lua_cryptobox_verify_file (lua_State *L)
- {
- LUA_TRACE_POINT;
- const gchar *fname;
- struct rspamd_cryptobox_pubkey *pk;
- rspamd_fstring_t *signature;
- guchar *map = NULL;
- enum rspamd_cryptobox_mode alg = RSPAMD_CRYPTOBOX_MODE_25519;
- gsize len;
- gint ret;
-
- pk = lua_check_cryptobox_pubkey (L, 1);
- signature = lua_check_cryptobox_sign (L, 2);
- fname = luaL_checkstring (L, 3);
-
- if (lua_isstring (L, 4)) {
- const gchar *str = lua_tostring (L, 4);
-
- if (strcmp (str, "nist") == 0 || strcmp (str, "openssl") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_NIST;
- }
- else if (strcmp (str, "curve25519") == 0 || strcmp (str, "default") == 0) {
- alg = RSPAMD_CRYPTOBOX_MODE_25519;
- }
- else {
- return luaL_error (L, "invalid algorithm: %s", str);
- }
- }
-
- map = rspamd_file_xmap (fname, PROT_READ, &len, TRUE);
-
- if (map != NULL && pk != NULL && signature != NULL) {
- ret = rspamd_cryptobox_verify (signature->str, signature->len,
- map, len,
- rspamd_pubkey_get_pk (pk, NULL), alg);
-
- if (ret) {
- lua_pushboolean (L, 1);
- }
- else {
- lua_pushboolean (L, 0);
- }
- }
- else {
- if (map != NULL) {
- munmap (map, len);
- }
-
- return luaL_error (L, "invalid arguments");
- }
-
- if (map != NULL) {
- munmap (map, len);
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.sign_memory(kp, data)
- * Sign data using specified keypair
- * @param {keypair} kp keypair to sign
- * @param {string} data
- * @return {cryptobox_signature} signature object
- */
- static gint
- lua_cryptobox_sign_memory (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp;
- const gchar *data;
- struct rspamd_lua_text *t;
- gsize len = 0;
- rspamd_fstring_t *sig, **psig;
-
- kp = lua_check_cryptobox_keypair (L, 1);
-
- if (lua_isuserdata (L, 2)) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- len = t->len;
- }
- else {
- data = luaL_checklstring (L, 2, &len);
- }
-
-
- if (!kp || !data || kp->type == RSPAMD_KEYPAIR_KEX) {
- return luaL_error (L, "invalid arguments");
- }
-
- sig = rspamd_fstring_sized_new (rspamd_cryptobox_signature_bytes (
- rspamd_keypair_alg (kp)));
-
- unsigned long long siglen = sig->len;
- rspamd_cryptobox_sign (sig->str, &siglen, data,
- len, rspamd_keypair_component (kp, RSPAMD_KEYPAIR_COMPONENT_SK,
- NULL), rspamd_keypair_alg (kp));
-
- sig->len = siglen;
- psig = lua_newuserdata (L, sizeof (void *));
- *psig = sig;
- rspamd_lua_setclass (L, "rspamd{cryptobox_signature}", -1);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.sign_file(kp, file)
- * Sign file using specified keypair
- * @param {keypair} kp keypair to sign
- * @param {string} filename
- * @return {cryptobox_signature} signature object
- */
- static gint
- lua_cryptobox_sign_file (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp;
- const gchar *filename;
- gchar *data;
- gsize len = 0;
- rspamd_fstring_t *sig, **psig;
-
- kp = lua_check_cryptobox_keypair (L, 1);
- filename = luaL_checkstring (L, 2);
-
- if (!kp || !filename) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = rspamd_file_xmap (filename, PROT_READ, &len, TRUE);
-
- if (data == NULL) {
- msg_err ("cannot mmap file %s: %s", filename, strerror (errno));
- lua_pushnil (L);
- }
- else {
- sig = rspamd_fstring_sized_new (rspamd_cryptobox_signature_bytes (
- rspamd_keypair_alg (kp)));
-
- unsigned long long siglen = sig->len;
-
- rspamd_cryptobox_sign (sig->str, &siglen, data,
- len, rspamd_keypair_component (kp, RSPAMD_KEYPAIR_COMPONENT_SK,
- NULL), rspamd_keypair_alg (kp));
-
- sig->len = siglen;
- psig = lua_newuserdata (L, sizeof (void *));
- *psig = sig;
- rspamd_lua_setclass (L, "rspamd{cryptobox_signature}", -1);
- munmap (data, len);
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.encrypt_memory(kp, data[, nist=false])
- * Encrypt data using specified keypair/pubkey
- * @param {keypair|string} kp keypair or pubkey in base32 to use
- * @param {string|text} data
- * @return {rspamd_text} encrypted text
- */
- static gint
- lua_cryptobox_encrypt_memory (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = NULL;
- struct rspamd_cryptobox_pubkey *pk = NULL;
- const gchar *data;
- guchar *out = NULL;
- struct rspamd_lua_text *t, *res;
- gsize len = 0, outlen = 0;
- GError *err = NULL;
-
- if (lua_type (L, 1) == LUA_TUSERDATA) {
- if (rspamd_lua_check_udata_maybe (L, 1, "rspamd{cryptobox_keypair}")) {
- kp = lua_check_cryptobox_keypair (L, 1);
- }
- else if (rspamd_lua_check_udata_maybe (L, 1, "rspamd{cryptobox_pubkey}")) {
- pk = lua_check_cryptobox_pubkey (L, 1);
- }
- }
- else if (lua_type (L, 1) == LUA_TSTRING) {
- const gchar *b32;
- gsize blen;
-
- b32 = lua_tolstring (L, 1, &blen);
- pk = rspamd_pubkey_from_base32 (b32, blen, RSPAMD_KEYPAIR_KEX,
- lua_toboolean (L, 3) ?
- RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519);
- }
-
- if (lua_isuserdata (L, 2)) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- len = t->len;
- }
- else {
- data = luaL_checklstring (L, 2, &len);
- }
-
-
- if (!(kp || pk) || !data) {
- return luaL_error (L, "invalid arguments");
- }
-
- if (kp) {
- if (!rspamd_keypair_encrypt (kp, data, len, &out, &outlen, &err)) {
- gint ret = luaL_error (L, "cannot encrypt data: %s", err->message);
- g_error_free (err);
-
- return ret;
- }
- }
- else if (pk) {
- if (!rspamd_pubkey_encrypt (pk, data, len, &out, &outlen, &err)) {
- gint ret = luaL_error (L, "cannot encrypt data: %s", err->message);
- g_error_free (err);
-
- return ret;
- }
- }
-
- res = lua_newuserdata (L, sizeof (*res));
- res->flags = RSPAMD_TEXT_FLAG_OWN;
- res->start = out;
- res->len = outlen;
- rspamd_lua_setclass (L, "rspamd{text}", -1);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.encrypt_file(kp|pk_string, filename[, nist=false])
- * Encrypt data using specified keypair/pubkey
- * @param {keypair|string} kp keypair or pubkey in base32 to use
- * @param {string} filename
- * @return {rspamd_text} encrypted text
- */
- static gint
- lua_cryptobox_encrypt_file (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp = NULL;
- struct rspamd_cryptobox_pubkey *pk = NULL;
- const gchar *filename;
- gchar *data;
- guchar *out = NULL;
- struct rspamd_lua_text *res;
- gsize len = 0, outlen = 0;
- GError *err = NULL;
-
- if (lua_type (L, 1) == LUA_TUSERDATA) {
- if (rspamd_lua_check_udata_maybe (L, 1, "rspamd{cryptobox_keypair}")) {
- kp = lua_check_cryptobox_keypair (L, 1);
- }
- else if (rspamd_lua_check_udata_maybe (L, 1, "rspamd{cryptobox_pubkey}")) {
- pk = lua_check_cryptobox_pubkey (L, 1);
- }
- }
- else if (lua_type (L, 1) == LUA_TSTRING) {
- const gchar *b32;
- gsize blen;
-
- b32 = lua_tolstring (L, 1, &blen);
- pk = rspamd_pubkey_from_base32 (b32, blen, RSPAMD_KEYPAIR_KEX,
- lua_toboolean (L, 3) ?
- RSPAMD_CRYPTOBOX_MODE_NIST : RSPAMD_CRYPTOBOX_MODE_25519);
- }
-
- filename = luaL_checkstring (L, 2);
- data = rspamd_file_xmap (filename, PROT_READ, &len, TRUE);
-
- if (!(kp || pk) || !data) {
- return luaL_error (L, "invalid arguments");
- }
-
- if (kp) {
- if (!rspamd_keypair_encrypt (kp, data, len, &out, &outlen, &err)) {
- gint ret = luaL_error (L, "cannot encrypt file %s: %s", filename,
- err->message);
- g_error_free (err);
- munmap (data, len);
-
- return ret;
- }
- }
- else if (pk) {
- if (!rspamd_pubkey_encrypt (pk, data, len, &out, &outlen, &err)) {
- gint ret = luaL_error (L, "cannot encrypt file %s: %s", filename,
- err->message);
- g_error_free (err);
- munmap (data, len);
-
- return ret;
- }
- }
-
- res = lua_newuserdata (L, sizeof (*res));
- res->flags = RSPAMD_TEXT_FLAG_OWN;
- res->start = out;
- res->len = outlen;
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- munmap (data, len);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.decrypt_memory(kp, data[, nist = false])
- * Encrypt data using specified keypair
- * @param {keypair} kp keypair to use
- * @param {string} data
- * @return status,{rspamd_text}|error status is boolean variable followed by either unencrypted data or an error message
- */
- static gint
- lua_cryptobox_decrypt_memory (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp;
- const gchar *data;
- guchar *out;
- struct rspamd_lua_text *t, *res;
- gsize len = 0, outlen;
- GError *err = NULL;
-
- kp = lua_check_cryptobox_keypair (L, 1);
-
- if (lua_isuserdata (L, 2)) {
- t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments");
- }
-
- data = t->start;
- len = t->len;
- }
- else {
- data = luaL_checklstring (L, 2, &len);
- }
-
-
- if (!kp || !data) {
- return luaL_error (L, "invalid arguments");
- }
-
- if (!rspamd_keypair_decrypt (kp, data, len, &out, &outlen, &err)) {
- lua_pushboolean (L, false);
- lua_pushstring (L, err->message);
- g_error_free (err);
- }
- else {
- lua_pushboolean (L, true);
- res = lua_newuserdata (L, sizeof (*res));
- res->flags = RSPAMD_TEXT_FLAG_OWN;
- res->start = out;
- res->len = outlen;
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- }
-
- return 2;
- }
-
- /***
- * @function rspamd_cryptobox.decrypt_file(kp, filename)
- * Encrypt data using specified keypair
- * @param {keypair} kp keypair to use
- * @param {string} filename
- * @return status,{rspamd_text}|error status is boolean variable followed by either unencrypted data or an error message
- */
- static gint
- lua_cryptobox_decrypt_file (lua_State *L)
- {
- LUA_TRACE_POINT;
- struct rspamd_cryptobox_keypair *kp;
- const gchar *filename;
- gchar *data;
- guchar *out;
- struct rspamd_lua_text *res;
- gsize len = 0, outlen;
- GError *err = NULL;
-
- kp = lua_check_cryptobox_keypair (L, 1);
- filename = luaL_checkstring (L, 2);
- data = rspamd_file_xmap (filename, PROT_READ, &len, TRUE);
-
-
- if (!kp || !data) {
- return luaL_error (L, "invalid arguments");
- }
-
- if (!rspamd_keypair_decrypt (kp, data, len, &out, &outlen, &err)) {
- lua_pushboolean (L, false);
- lua_pushstring (L, err->message);
- g_error_free (err);
- }
- else {
- lua_pushboolean (L, true);
- res = lua_newuserdata (L, sizeof (*res));
- res->flags = RSPAMD_TEXT_FLAG_OWN;
- res->start = out;
- res->len = outlen;
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- }
-
- munmap (data, len);
-
- return 2;
- }
-
- #define RSPAMD_CRYPTOBOX_AES_BLOCKSIZE 16
- #define RSPAMD_CRYPTOBOX_AES_KEYSIZE 16
-
- /***
- * @function rspamd_cryptobox.encrypt_cookie(secret_key, secret_cookie)
- * Specialised function that performs AES-CTR encryption of the provided cookie
- * ```
- * e := base64(nonce||aesencrypt(nonce, secret_cookie))
- * nonce := uint32_le(unix_timestamp)||random_64bit
- * aesencrypt := aes_ctr(nonce, secret_key) ^ pad(secret_cookie)
- * pad := secret_cookie || 0^(32-len(secret_cookie))
- * ```
- * @param {string} secret_key secret key as a hex string (must be 16 bytes in raw or 32 in hex)
- * @param {string} secret_cookie secret cookie as a string for up to 31 character
- * @return {string} e function value for this sk and cookie
- */
- static gint
- lua_cryptobox_encrypt_cookie (lua_State *L)
- {
- guchar aes_block[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE], *blk;
- guchar padded_cookie[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE];
- guchar nonce[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE];
- guchar aes_key[RSPAMD_CRYPTOBOX_AES_KEYSIZE];
- guchar result[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE * 2];
- guint32 ts;
-
- const gchar *sk, *cookie;
- gsize sklen, cookie_len;
- gint bklen;
-
- sk = lua_tolstring (L, 1, &sklen);
- cookie = lua_tolstring (L, 2, &cookie_len);
-
- if (sk && cookie) {
- if (sklen == 32) {
- /* Hex */
- rspamd_decode_hex_buf (sk, sklen, aes_key, sizeof (aes_key));
- }
- else if (sklen == RSPAMD_CRYPTOBOX_AES_KEYSIZE) {
- /* Raw */
- memcpy (aes_key, sk, sizeof (aes_key));
- }
- else {
- return luaL_error (L, "invalid keysize %d", (gint)sklen);
- }
-
- if (cookie_len > sizeof (padded_cookie) - 1) {
- return luaL_error (L, "cookie is too long %d", (gint)cookie_len);
- }
-
- /* Fill nonce */
- ottery_rand_bytes (nonce, sizeof (guint64) + sizeof (guint32));
- ts = (guint32)rspamd_get_calendar_ticks ();
- ts = GUINT32_TO_LE (ts);
- memcpy (nonce + sizeof (guint64) + sizeof (guint32), &ts, sizeof (ts));
-
- /* Prepare padded cookie */
- memset (padded_cookie, 0, sizeof (padded_cookie));
- memcpy (padded_cookie, cookie, cookie_len);
-
- /* Perform AES CTR via AES ECB on nonce */
- EVP_CIPHER_CTX *ctx;
- ctx = EVP_CIPHER_CTX_new ();
- EVP_EncryptInit_ex (ctx, EVP_aes_128_ecb (), NULL, aes_key, NULL);
- EVP_CIPHER_CTX_set_padding (ctx, 0);
-
- bklen = sizeof (aes_block);
- blk = aes_block;
- g_assert (EVP_EncryptUpdate (ctx, blk, &bklen, nonce, sizeof (nonce)));
- blk += bklen;
- g_assert (EVP_EncryptFinal_ex(ctx, blk, &bklen));
- EVP_CIPHER_CTX_free (ctx);
-
- /* Encode result */
- memcpy (result, nonce, sizeof (nonce));
- for (guint i = 0; i < sizeof (aes_block); i ++) {
- result[i + sizeof (nonce)] = padded_cookie[i] ^ aes_block[i];
- }
-
- gsize rlen;
- gchar *res = rspamd_encode_base64 (result, sizeof (result),
- 0, &rlen);
-
- lua_pushlstring (L, res, rlen);
- g_free (res);
- rspamd_explicit_memzero (aes_key, sizeof (aes_key));
- rspamd_explicit_memzero (aes_block, sizeof (aes_block));
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.decrypt_cookie(secret_key, encrypted_cookie)
- * Specialised function that performs AES-CTR decryption of the provided cookie in form
- * ```
- * e := base64(nonce||aesencrypt(nonce, secret_cookie))
- * nonce := int32_le(unix_timestamp)||random_96bit
- * aesencrypt := aes_ctr(nonce, secret_key) ^ pad(secret_cookie)
- * pad := secret_cookie || 0^(32-len(secret_cookie))
- * ```
- * @param {string} secret_key secret key as a hex string (must be 16 bytes in raw or 32 in hex)
- * @param {string} encrypted_cookie encrypted cookie as a base64 encoded string
- * @return {string+number} decrypted value of the cookie and the cookie timestamp
- */
- static gint
- lua_cryptobox_decrypt_cookie (lua_State *L)
- {
- guchar *blk;
- guchar nonce[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE];
- guchar aes_key[RSPAMD_CRYPTOBOX_AES_KEYSIZE];
- guchar *src;
- guint32 ts;
-
- const gchar *sk, *cookie;
- gsize sklen, cookie_len;
- gint bklen;
-
- sk = lua_tolstring (L, 1, &sklen);
- cookie = lua_tolstring (L, 2, &cookie_len);
-
- if (sk && cookie) {
- if (sklen == 32) {
- /* Hex */
- rspamd_decode_hex_buf (sk, sklen, aes_key, sizeof (aes_key));
- }
- else if (sklen == RSPAMD_CRYPTOBOX_AES_KEYSIZE) {
- /* Raw */
- memcpy (aes_key, sk, sizeof (aes_key));
- }
- else {
- return luaL_error (L, "invalid keysize %d", (gint)sklen);
- }
-
- src = g_malloc (cookie_len);
-
- rspamd_cryptobox_base64_decode (cookie, cookie_len, src, &cookie_len);
-
- if (cookie_len != RSPAMD_CRYPTOBOX_AES_BLOCKSIZE * 2) {
- g_free (src);
- lua_pushnil (L);
-
- return 1;
- }
-
- /* Perform AES CTR via AES ECB on nonce */
- EVP_CIPHER_CTX *ctx;
- ctx = EVP_CIPHER_CTX_new ();
- /* As per CTR definition, we use encrypt for both encrypt and decrypt */
- EVP_EncryptInit_ex (ctx, EVP_aes_128_ecb (), NULL, aes_key, NULL);
- EVP_CIPHER_CTX_set_padding (ctx, 0);
-
- /* Copy time */
- memcpy (&ts, src + sizeof (guint64) + sizeof (guint32), sizeof (ts));
- ts = GUINT32_FROM_LE (ts);
- bklen = sizeof (nonce);
- blk = nonce;
- g_assert (EVP_EncryptUpdate (ctx, blk, &bklen, src,
- RSPAMD_CRYPTOBOX_AES_BLOCKSIZE));
- blk += bklen;
- g_assert (EVP_EncryptFinal_ex (ctx, blk, &bklen));
- EVP_CIPHER_CTX_free (ctx);
-
- /* Decode result */
- for (guint i = 0; i < RSPAMD_CRYPTOBOX_AES_BLOCKSIZE; i ++) {
- src[i + sizeof (nonce)] ^= nonce[i];
- }
-
- if (src[RSPAMD_CRYPTOBOX_AES_BLOCKSIZE * 2 - 1] != '\0') {
- /* Bad cookie */
- lua_pushnil (L);
- lua_pushnil (L);
- }
- else {
- lua_pushstring (L, src + sizeof (nonce));
- lua_pushnumber (L, ts);
- }
-
- rspamd_explicit_memzero (src, RSPAMD_CRYPTOBOX_AES_BLOCKSIZE * 2);
- g_free (src);
- rspamd_explicit_memzero (aes_key, sizeof (aes_key));
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 2;
- }
-
- /***
- * @function rspamd_cryptobox.pbkdf([password, [kdf_alg]])
- * Function that encrypts password using PBKDF function.
- * This function either reads password from STDIN or accepts prepared password as
- * an argument
- * @param {string} password optional password string
- * @param {string} kdf_alg algorithm to use (catena or pbkdf2)
- * @return {string} encrypted password or nil if error occurs
- */
- static gint
- lua_cryptobox_pbkdf (lua_State *L)
- {
- const struct rspamd_controller_pbkdf *pbkdf = NULL;
- const gchar *pbkdf_str = "catena";
- gchar *password;
- gsize pwlen;
-
- if (lua_type (L, 2) == LUA_TSTRING) {
- pbkdf_str = lua_tostring (L, 2);
- }
-
- for (guint i = 0; i < RSPAMD_PBKDF_ID_MAX - 1; i ++) {
- pbkdf = &pbkdf_list[i];
-
- if (g_ascii_strcasecmp (pbkdf_str, pbkdf->alias) == 0) {
- break;
- }
- if (g_ascii_strcasecmp (pbkdf_str, pbkdf->name) == 0) {
- break;
- }
-
- pbkdf = NULL;
- }
-
- if (pbkdf == NULL) {
- return luaL_error (L, "invalid pbkdf algorithm: %s", pbkdf_str);
- }
-
- if (lua_type (L, 1) == LUA_TSTRING) {
- password = g_strdup (lua_tolstring (L, 1, &pwlen));
- }
- else {
- pwlen = 8192;
- password = g_malloc0 (pwlen);
- pwlen = rspamd_read_passphrase (password, pwlen, 0, NULL);
- }
-
- if (pwlen == 0) {
- lua_pushnil (L);
-
- return 1;
- }
-
- guchar *salt, *key;
- gchar *encoded_salt, *encoded_key;
- GString *result;
-
- salt = g_alloca (pbkdf->salt_len);
- key = g_alloca (pbkdf->key_len);
- ottery_rand_bytes (salt, pbkdf->salt_len);
- /* Derive key */
- rspamd_cryptobox_pbkdf (password, pwlen,
- salt, pbkdf->salt_len, key, pbkdf->key_len, pbkdf->complexity,
- pbkdf->type);
-
- encoded_salt = rspamd_encode_base32 (salt, pbkdf->salt_len, RSPAMD_BASE32_DEFAULT);
- encoded_key = rspamd_encode_base32 (key, pbkdf->key_len, RSPAMD_BASE32_DEFAULT);
-
- result = g_string_new ("");
- rspamd_printf_gstring (result, "$%d$%s$%s", pbkdf->id, encoded_salt,
- encoded_key);
-
- g_free (encoded_salt);
- g_free (encoded_key);
- rspamd_explicit_memzero (password, pwlen);
- g_free (password);
- lua_pushlstring (L, result->str, result->len);
- g_string_free (result, TRUE);
-
- return 1;
- }
-
- /***
- * @function rspamd_cryptobox.gen_dkim_keypair([alg, [nbits]])
- * Generates DKIM keypair. Returns 2 base64 strings as rspamd_text: privkey and pubkey
- * @param {string} alg optional algorithm (rsa default, can be ed25519)
- * @param {number} nbits optional number of bits for rsa (default 1024)
- * @return {rspamd_text,rspamd_text} private key and public key as base64 encoded strings
- */
- static gint
- lua_cryptobox_gen_dkim_keypair (lua_State *L)
- {
- const gchar *alg_str = "rsa";
- guint nbits = 1024;
- struct rspamd_lua_text *priv_out, *pub_out;
-
- if (lua_type (L, 1) == LUA_TSTRING) {
- alg_str = lua_tostring (L, 1);
- }
-
- if (lua_type (L, 2) == LUA_TNUMBER) {
- nbits = lua_tointeger (L, 2);
- }
-
- if (strcmp (alg_str, "rsa") == 0) {
- BIGNUM *e;
- RSA *r;
- EVP_PKEY *pk;
-
- e = BN_new ();
- r = RSA_new ();
- pk = EVP_PKEY_new ();
-
- if (BN_set_word (e, RSA_F4) != 1) {
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
-
- return luaL_error (L, "BN_set_word failed");
- }
-
- if (RSA_generate_key_ex (r, nbits, e, NULL) != 1) {
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
-
- return luaL_error (L, "RSA_generate_key_ex failed");
- }
-
- if (EVP_PKEY_set1_RSA (pk, r) != 1) {
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
-
- return luaL_error (L, "EVP_PKEY_set1_RSA failed");
- }
-
- BIO *mbio;
- gint rc, len;
- guchar *data;
- gchar *b64_data;
- gsize b64_len;
-
- mbio = BIO_new (BIO_s_mem ());
-
- /* Process private key */
- rc = i2d_RSAPrivateKey_bio (mbio, r);
-
- if (rc == 0) {
- BIO_free (mbio);
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
-
- return luaL_error (L, "i2d_RSAPrivateKey_bio failed");
- }
-
- len = BIO_get_mem_data (mbio, &data);
-
- b64_data = rspamd_encode_base64 (data, len, -1, &b64_len);
-
- priv_out = lua_newuserdata (L, sizeof (*priv_out));
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- priv_out->start = b64_data;
- priv_out->len = b64_len;
- priv_out->flags = RSPAMD_TEXT_FLAG_OWN|RSPAMD_TEXT_FLAG_WIPE;
-
- /* Process public key */
- BIO_reset (mbio);
- rc = i2d_RSA_PUBKEY_bio (mbio, r);
-
- if (rc == 0) {
- BIO_free (mbio);
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
-
- return luaL_error (L, "i2d_RSA_PUBKEY_bio failed");
- }
-
- len = BIO_get_mem_data (mbio, &data);
-
- b64_data = rspamd_encode_base64 (data, len, -1, &b64_len);
-
- pub_out = lua_newuserdata (L, sizeof (*pub_out));
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- pub_out->start = b64_data;
- pub_out->len = b64_len;
- pub_out->flags = RSPAMD_TEXT_FLAG_OWN;
-
- BN_free (e);
- RSA_free (r);
- EVP_PKEY_free (pk);
- BIO_free (mbio);
- }
- else if (strcmp (alg_str, "ed25519") == 0) {
- rspamd_sig_pk_t pk;
- rspamd_sig_sk_t sk;
- gchar *b64_data;
- gsize b64_len;
-
- rspamd_cryptobox_keypair_sig (pk, sk, RSPAMD_CRYPTOBOX_MODE_25519);
-
- /* Process private key */
- b64_data = rspamd_encode_base64 (sk,
- rspamd_cryptobox_sk_sig_bytes (RSPAMD_CRYPTOBOX_MODE_25519),
- -1, &b64_len);
-
- priv_out = lua_newuserdata (L, sizeof (*priv_out));
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- priv_out->start = b64_data;
- priv_out->len = b64_len;
- priv_out->flags = RSPAMD_TEXT_FLAG_OWN|RSPAMD_TEXT_FLAG_WIPE;
-
- /* Process public key */
- b64_data = rspamd_encode_base64 (pk,
- rspamd_cryptobox_pk_sig_bytes (RSPAMD_CRYPTOBOX_MODE_25519),
- -1, &b64_len);
-
- pub_out = lua_newuserdata (L, sizeof (*pub_out));
- rspamd_lua_setclass (L, "rspamd{text}", -1);
- pub_out->start = b64_data;
- pub_out->len = b64_len;
- pub_out->flags = RSPAMD_TEXT_FLAG_OWN;
-
- rspamd_explicit_memzero (pk, sizeof (pk));
- rspamd_explicit_memzero (sk, sizeof (sk));
- }
- else {
- return luaL_error (L, "invalid algorithm %s", alg_str);
- }
-
- return 2;
- }
-
- /*
- * Secretbox API
- */
- /* Ensure that KDF output is suitable for crypto_secretbox_KEYBYTES */
- #ifdef crypto_generichash_BYTES_MIN
- G_STATIC_ASSERT(crypto_secretbox_KEYBYTES >= crypto_generichash_BYTES_MIN);
- #endif
-
- /***
- * @function rspamd_cryptobox_secretbox.create(secret_string, [params])
- * Generates a secretbox state by expanding secret string
- * @param {string/text} secret_string secret string (should have high enough entropy)
- * @param {table} params optional parameters - NYI
- * @return {rspamd_cryptobox_secretbox} opaque object with the key expanded
- */
- static gint
- lua_cryptobox_secretbox_create (lua_State *L)
- {
- const gchar *in;
- gsize inlen;
-
-
- if (lua_isstring (L, 1)) {
- in = lua_tolstring (L, 1, &inlen);
- }
- else if (lua_isuserdata (L, 1)) {
- struct rspamd_lua_text *t = lua_check_text (L, 1);
-
- if (!t) {
- return luaL_error (L, "invalid arguments; userdata is not text");
- }
-
- in = t->start;
- inlen = t->len;
- }
- else {
- return luaL_error (L, "invalid arguments; userdata or string are expected");
- }
-
- if (in == NULL || inlen == 0) {
- return luaL_error (L, "invalid arguments; non empty secret expected");
- }
-
- struct rspamd_lua_cryptobox_secretbox *sbox, **psbox;
-
- sbox = g_malloc0 (sizeof (*sbox));
- crypto_generichash (sbox->sk, sizeof (sbox->sk), in, inlen, NULL, 0);
- psbox = lua_newuserdata (L, sizeof (*psbox));
- *psbox = sbox;
- rspamd_lua_setclass (L, "rspamd{cryptobox_secretbox}", -1);
-
- return 1;
- }
-
-
- static gint
- lua_cryptobox_secretbox_gc (lua_State *L)
- {
- struct rspamd_lua_cryptobox_secretbox *sbox =
- lua_check_cryptobox_secretbox (L, 1);
-
- if (sbox != NULL) {
- sodium_memzero (sbox->sk, sizeof (sbox->sk));
- g_free (sbox);
- }
- else {
- return luaL_error (L, "invalid arguments");
- }
-
- return 0;
- }
-
- /***
- * @method rspamd_cryptobox_secretbox:encrypt(input, [nonce])
- * Encrypts data using secretbox. MAC is prepended to the message
- * @param {string/text} input input to encrypt
- * @param {string/text} nonce optional nonce (must be 1 - 192 bits length)
- * @param {table} params optional parameters - NYI
- * @return {rspamd_text},{rspamd_text} output with mac + nonce or just output if nonce is there
- */
- static gint
- lua_cryptobox_secretbox_encrypt (lua_State *L)
- {
- const gchar *in, *nonce;
- gsize inlen, nlen;
- struct rspamd_lua_cryptobox_secretbox *sbox =
- lua_check_cryptobox_secretbox (L, 1);
- struct rspamd_lua_text *out;
-
- if (sbox == NULL) {
- return luaL_error (L, "invalid arguments");
- }
-
- if (lua_isstring (L, 2)) {
- in = lua_tolstring (L, 2, &inlen);
- }
- else if (lua_isuserdata (L, 2)) {
- struct rspamd_lua_text *t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments; userdata is not text");
- }
-
- in = t->start;
- inlen = t->len;
- }
- else {
- return luaL_error (L, "invalid arguments; userdata or string are expected");
- }
-
- /* Nonce part */
- if (!lua_isnoneornil (L, 3)) {
- if (lua_isstring (L, 3)) {
- nonce = lua_tolstring (L, 3, &nlen);
- }
- else if (lua_isuserdata (L, 3)) {
- struct rspamd_lua_text *t = lua_check_text (L, 3);
-
- if (!t) {
- return luaL_error (L, "invalid arguments; userdata is not text");
- }
-
- nonce = t->start;
- nlen = t->len;
- }
- else {
- return luaL_error (L, "invalid arguments; userdata or string are expected");
- }
-
- if (nlen < 1 || nlen > crypto_secretbox_NONCEBYTES) {
- return luaL_error (L, "bad nonce");
- }
-
- guchar real_nonce[crypto_secretbox_NONCEBYTES];
-
- memset (real_nonce, 0, sizeof (real_nonce));
- memcpy (real_nonce, nonce, nlen);
-
- out = lua_new_text (L, NULL, inlen + crypto_secretbox_MACBYTES,
- TRUE);
- crypto_secretbox_easy ((guchar *)out->start, in, inlen,
- nonce, sbox->sk);
-
- return 1;
- }
- else {
- /* Random nonce */
- struct rspamd_lua_text *random_nonce;
-
- out = lua_new_text (L, NULL, inlen + crypto_secretbox_MACBYTES,
- TRUE);
- random_nonce = lua_new_text (L, NULL, crypto_secretbox_NONCEBYTES, TRUE);
-
- randombytes_buf ((guchar *)random_nonce->start, random_nonce->len);
- crypto_secretbox_easy ((guchar *)out->start, in, inlen,
- random_nonce->start, sbox->sk);
-
- return 2; /* output + random nonce */
- }
- }
-
- /***
- * @method rspamd_cryptobox_secretbox:decrypt(input, nonce)
- * Decrypts data using secretbox
- * @param {string/text} nonce nonce used to encrypt
- * @param {string/text} input input to decrypt
- * @param {table} params optional parameters - NYI
- * @return {boolean},{rspamd_text} decryption result + decrypted text
- */
- static gint
- lua_cryptobox_secretbox_decrypt (lua_State *L)
- {
- const gchar *in, *nonce;
- gsize inlen, nlen;
- struct rspamd_lua_cryptobox_secretbox *sbox =
- lua_check_cryptobox_secretbox (L, 1);
- struct rspamd_lua_text *out;
-
- if (sbox == NULL) {
- return luaL_error (L, "invalid arguments");
- }
-
- /* Input argument */
- if (lua_isstring (L, 2)) {
- in = lua_tolstring (L, 2, &inlen);
- }
- else if (lua_isuserdata (L, 2)) {
- struct rspamd_lua_text *t = lua_check_text (L, 2);
-
- if (!t) {
- return luaL_error (L, "invalid arguments; userdata is not text");
- }
-
- in = t->start;
- inlen = t->len;
- }
- else {
- return luaL_error (L, "invalid arguments; userdata or string are expected");
- }
-
- /* Nonce argument */
- if (lua_isstring (L, 3)) {
- nonce = lua_tolstring (L, 3, &nlen);
- }
- else if (lua_isuserdata (L, 3)) {
- struct rspamd_lua_text *t = lua_check_text (L, 3);
-
- if (!t) {
- return luaL_error (L, "invalid arguments; userdata is not text");
- }
-
- nonce = t->start;
- nlen = t->len;
- }
- else {
- return luaL_error (L, "invalid arguments; userdata or string are expected");
- }
-
-
- if (nlen < 1 || nlen > crypto_secretbox_NONCEBYTES) {
- lua_pushboolean (L, false);
- lua_pushstring (L, "invalid nonce");
- return 2;
- }
-
- if (inlen < crypto_secretbox_MACBYTES) {
- lua_pushboolean (L, false);
- lua_pushstring (L, "too short");
- return 2;
- }
-
- guchar real_nonce[crypto_secretbox_NONCEBYTES];
-
- memset (real_nonce, 0, sizeof (real_nonce));
- memcpy (real_nonce, nonce, nlen);
-
- out = lua_new_text (L, NULL, inlen - crypto_secretbox_MACBYTES,
- TRUE);
- gint text_pos = lua_gettop (L);
-
- if (crypto_secretbox_open_easy ((guchar *)out->start, in, inlen,
- nonce, sbox->sk) == 0) {
- lua_pushboolean (L, true);
- lua_pushvalue (L, text_pos); /* Prevent gc by copying in stack */
- }
- else {
- lua_pushboolean (L, false);
- lua_pushstring (L, "authentication error");
- }
-
- /* This causes gc method if decryption has failed */
- lua_remove (L, text_pos);
-
- return 2;
- }
-
- static gint
- lua_load_pubkey (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxpubkeylib_f);
-
- return 1;
- }
-
- static gint
- lua_load_keypair (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxkeypairlib_f);
-
- return 1;
- }
-
- static gint
- lua_load_signature (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxsignlib_f);
-
- return 1;
- }
-
- static gint
- lua_load_hash (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxhashlib_f);
-
- return 1;
- }
-
- static gint
- lua_load_cryptobox_secretbox (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxsecretboxlib_f);
-
- return 1;
- }
-
- static gint
- lua_load_cryptobox (lua_State * L)
- {
- lua_newtable (L);
- luaL_register (L, NULL, cryptoboxlib_f);
-
- return 1;
- }
-
- void
- luaopen_cryptobox (lua_State * L)
- {
- rspamd_lua_new_class (L, "rspamd{cryptobox_pubkey}", cryptoboxpubkeylib_m);
- lua_pop (L, 1);
- rspamd_lua_add_preload (L, "rspamd_cryptobox_pubkey", lua_load_pubkey);
-
- rspamd_lua_new_class (L, "rspamd{cryptobox_keypair}", cryptoboxkeypairlib_m);
- lua_pop (L, 1);
- rspamd_lua_add_preload (L, "rspamd_cryptobox_keypair", lua_load_keypair);
-
- rspamd_lua_new_class (L, "rspamd{cryptobox_signature}", cryptoboxsignlib_m);
- lua_pop (L, 1);
- rspamd_lua_add_preload (L, "rspamd_cryptobox_signature", lua_load_signature);
-
- rspamd_lua_new_class (L, "rspamd{cryptobox_hash}", cryptoboxhashlib_m);
- lua_pop (L, 1);
- rspamd_lua_add_preload (L, "rspamd_cryptobox_hash", lua_load_hash);
-
- rspamd_lua_new_class (L, "rspamd{cryptobox_secretbox}",
- cryptoboxsecretboxlib_m);
- lua_pop (L, 1);
- rspamd_lua_add_preload (L, "rspamd_cryptobox_secretbox",
- lua_load_cryptobox_secretbox);
-
- rspamd_lua_add_preload (L, "rspamd_cryptobox", lua_load_cryptobox);
-
- lua_settop (L, 0);
- }
|