LuaSec 20120616 (unofficial) + patches

samples/certs/serverA.cnf

@@ -172,7 +172,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.
 
 # This is OK for an SSL server.
-# nsCertType			= server
+nsCertType			= server
 
 # For an object signing certificate this would be used.
 # nsCertType = objsign

samples/certs/serverB.cnf

@@ -172,7 +172,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.
 
 # This is OK for an SSL server.
-# nsCertType			= server
+nsCertType			= server
 
 # For an object signing certificate this would be used.
 # nsCertType = objsign

samples/chain/client.lua

@@ -0,0 +1,36 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+local util   = require("util") 
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local conn = socket.tcp()
+conn:connect("127.0.0.1", 8888)
+
+conn = assert( ssl.wrap(conn, params) )
+assert(conn:dohandshake())
+
+util.show( conn:getpeercertificate() )
+
+print("----------------------------------------------------------------------")
+
+for k, cert in ipairs( conn:getpeerchain() ) do
+  util.show(cert)
+end
+
+local cert = conn:getpeercertificate()
+print( cert )
+print( cert:pem() )
+
+conn:close()

samples/chain/server.lua

@@ -0,0 +1,53 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+local util   = require("util")
+
+local params = {
+   mode = "server",
+   protocol = "tlsv1",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local conn = server:accept()
+
+conn = assert( ssl.wrap(conn, ctx) )
+assert( conn:dohandshake() )
+
+util.show( conn:getpeercertificate() )
+
+print("----------------------------------------------------------------------")
+
+for k, cert in ipairs( conn:getpeerchain() ) do
+  util.show(cert)
+end
+
+local f = io.open(params.certificate)
+local str = f:read("*a")
+f:close()
+
+util.show( ssl.loadcertificate(str) )
+
+print("----------------------------------------------------------------------")
+local cert = conn:getpeercertificate()
+print( cert )
+print( cert:digest() )
+print( cert:digest("sha1") )
+print( cert:digest("sha256") )
+print( cert:digest("sha512") )
+
+conn:close()
+server:close()

samples/chain/util.lua

@@ -0,0 +1,22 @@
+local print  = print
+local ipairs = ipairs
+
+local _ENV = {}
+
+function _ENV.show(cert)
+  print("Serial:", cert:serial())
+  print("NotBefore:", cert:notbefore())
+  print("NotAfter:", cert:notafter())
+  print("--- Issuer ---")
+  for k, v in ipairs(cert:issuer()) do
+    print(v.name .. " = " .. v.value)
+  end
+
+  print("--- Subject ---")
+  for k, v in ipairs(cert:subject()) do
+    print(v.name .. " = " .. v.value)
+  end
+  print("----------------------------------------------------------------------")
+end
+
+return _ENV

samples/dhparam/client.lua

@@ -0,0 +1,26 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/dhparam/params.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl dhparam -2 -out dh-512.pem  -outform PEM 512
+openssl dhparam -2 -out dh-1024.pem -outform PEM 1024

samples/dhparam/server.lua

@@ -0,0 +1,61 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local function readfile(filename)
+  local fd = assert(io.open(filename))
+  local dh = fd:read("*a")
+  fd:close()
+  return dh
+end
+
+local function dhparam_cb(export, keylength)
+  print("---")
+  print("DH Callback")
+  print("Export", export)
+  print("Key length", keylength)
+  print("---")
+  local filename
+  if keylength == 512 then
+    filename = "dh-512.pem"
+  elseif keylength == 1024 then
+    filename = "dh-1024.pem"
+  else
+    -- No key
+    return nil
+  end
+  return readfile(filename)
+end
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+   dhparam = dhparam_cb,
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot test\n")
+peer:close()

samples/digest/client.lua

@@ -0,0 +1,26 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/digest/server.lua

@@ -0,0 +1,44 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local cert = peer:getpeercertificate()
+local sha1   = cert:digest("sha1")
+local sha256 = cert:digest("sha256")
+local sha512 = cert:digest("sha512")
+
+print("SHA1",   sha1)
+print("SHA256", sha256)
+print("SHA512", sha512)
+
+peer:send("oneshot test\n")
+peer:close()

samples/ecdh/client.lua

@@ -0,0 +1,33 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+   --
+   curve = "secp384r1",
+}
+
+--------------------------------------------------------------------------------
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO  ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()

samples/ecdh/server.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+   --
+   curve = "secp384r1",
+}
+
+------------------------------------------------------------------------------
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

samples/info/client.lua

@@ -0,0 +1,26 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/info/server.lua

@@ -0,0 +1,48 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+
+-- Before handshake: nil
+print( peer:info() )
+
+assert( peer:dohandshake() )
+--]]
+
+print("---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+
+print("---")
+print("-> Compression", peer:info("compression"))
+
+peer:send("oneshot test\n")
+peer:close()

samples/key/loadkey.lua

@@ -1,7 +1,7 @@
 --
 -- Public domain
 --
-require("ssl")
+local ssl = require("ssl")
 
 local pass = "foobar"
 local cfg = {

samples/loop-gc/client.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/loop-gc/server.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",

samples/loop/client.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/loop/server.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",

samples/oneshot/client.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/oneshot/server.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",

samples/verification/fail-string/client.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../../certs/clientBkey.pem",
+   certificate = "../../certs/clientB.pem",
+   cafile = "../../certs/rootB.pem",
+   verify = {"none"},
+   options = {"all", "no_sslv2"},
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/fail-string/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"none"},
+   options = {"all", "no_sslv2"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+peer:send("oneshot test\n")
+peer:close()

samples/verification/fail-table/client.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../../certs/clientBkey.pem",
+   certificate = "../../certs/clientB.pem",
+   cafile = "../../certs/rootB.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+ctx:setverifyext("lsec_continue")
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+--]]
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/fail-table/server.lua

@@ -0,0 +1,45 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+ctx:setverifyext("lsec_continue", "crl_check", "crl_check_chain")
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+peer:send("oneshot test\n")
+peer:close()

samples/verification/success/client.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "sslv3",
+   key = "../../certs/clientAkey.pem",
+   certificate = "../../certs/clientA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/success/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "sslv3",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+peer:send("oneshot test\n")
+peer:close()

samples/verify/client.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1",
+   key = "../certs/serverBkey.pem",
+   certificate = "../certs/serverB.pem",
+   cafile = "../certs/rootB.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+local ctx = assert(ssl.newcontext(params))
+
+-- [[ Ignore error on certificate verification
+ctx:setverifyext("lsec_continue")
+--ctx:setverifyext("lsec_ignore_purpose")
+--ctx:setverifyext();                           -- Clear all flags set
+--]]
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+print(peer:receive("*l"))
+peer:close()

samples/verify/server.lua

@@ -0,0 +1,45 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "tlsv1",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all", "no_sslv2"},
+}
+
+
+local ctx = assert(ssl.newcontext(params))
+
+-- [[ Ignore error on certificate verification
+ctx:setverifyext("lsec_continue")
+--ctx:setverifyext("lsec_ignore_purpose")
+--ctx:setverifyext();                           -- Clear all flags set
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+peer:send("oneshot test\n")
+peer:close()

samples/want/client.lua

@@ -3,8 +3,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/want/server.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",

samples/wantread/client.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/wantread/server.lua

@@ -3,8 +3,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",

samples/wantwrite/client.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",

samples/wantwrite/server.lua

@@ -1,8 +1,8 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")