Commit Graph

136 Commits

Author SHA1 Message Date
Bruno Silvestre
9f6d623ccb proper socket invalidation #70 2017-03-31 14:32:35 -03:00
W-Mark Kubacki
622ef3d6a6
Enable curve negotiation with #ifdef SSL_CTX_set1_curves_list
One of currently three definitions in the wild that indicate support for
SSL_CTX_set1_curves_list().
2017-02-26 00:16:25 +01:00
Mark Kubacki
231563682a
Add support for the new curve selection API.
Signed-off-by: W-Mark Kubacki <wmark@hurrikane.de>
2017-02-26 00:16:24 +01:00
Greatwolf
77b88e0b0d Fix for sni host issue #88 and #44. Thanks to @TomasB 2016-12-15 16:46:59 -08:00
Bruno Silvestre
4889830d53 Compatibility with OpenSSL 1.1.0
Defining macros X509_up_ref() and SSL_is_server to use the same
API of OpenSSL 1.1.0.
2016-09-14 17:47:09 -03:00
Bruno Silvestre
80a527d630 Use EVP_PKEY_base_id() to recover the key's type 2016-09-13 13:30:44 -03:00
Bruno Silvestre
53db804b9d Use X509_EXTENSION_get_object() to get the 'object' field from extension 2016-09-13 13:22:25 -03:00
Bruno Silvestre
22e6652d88 ASN1_STRING_data() is deprecated in OpenSSL 1.1.0
ASN1_STRING_get0_data() must be used instead.
2016-09-13 13:09:18 -03:00
Alexander Scheuermann
6bb007b75f Make CC and LD configurable 2016-08-13 23:24:11 +02:00
Bruno Silvestre
3cfdb878dd Merge pull request #76 from msva/patch-1
Return of DESTDIR support
2016-08-03 15:10:06 -03:00
Bruno Silvestre
4101af103e Return the number of data read and remove a useless line. 2016-08-03 14:56:07 -03:00
Vadim A. Misbakh-Soloviov
4aa9ec3b60 Return of DESTDIR support 2016-07-24 02:01:21 +07:00
klemens
d45c03a1ad spelling fixes, as seen on lintian.debian.org 2016-07-11 21:57:50 +02:00
Perry Clarke
5a98bb6adb Fix crash related to incorrect buffer size
The number of bytes received by ssl_recv() is being passed to luaL_addlstring() (in recvall()) but it was being left either uninitialized or being set to an error code.  The crashing case I found was when the state was not LSEC_STATE_CONNECTED (e.g. when dohandshake() has failed) and ssl_recv() returned immediately without setting "got".
2016-05-03 16:37:47 -07:00
Bruno Silvestre
20443861eb Update version number and rock file. 2016-03-03 16:11:46 -03:00
Bruno Silvestre
3b5f4b0dc1 Options from OpenSSL 1.0.2f 2016-02-16 10:48:19 -02:00
Bruno Silvestre
407ff6133c Use "any" protocol, but SSL. 2016-02-16 09:35:47 -02:00
Bruno Silvestre
72e159149b Merge pull request #20 from Zash/zash/checkissued
Method for checking if one certificate issued another
2016-02-16 09:34:31 -02:00
Gleydson
27fbd70424 tweak OPENSSL_NO_COMP 2015-11-20 13:22:00 -03:00
Bruno Silvestre
6a7a6f7f67 Keep 'sslv23' for compability, but deprected. (it will be removed in the next version) 2015-11-19 12:33:06 -02:00
Gleydson Soares
63f7d46d00 for consistency and readability, rename "sslv23" to "any" since that it is related to {TLS, SSLv23}methods that handles all supported protocols. 2015-11-17 20:05:06 -03:00
Gleydson Soares
ef28f7d20d add TLS_method(). for now, keep SSLv23_method() for compatibility. 2015-11-17 19:36:58 -03:00
Bruno Silvestre
49ea6b8ba6 Merge pull request #55 from gleydsonsoares/ifndef-OPENSSL_NO_SSL3
guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3
2015-11-12 18:47:56 -02:00
Bruno Silvestre
96401bdf67 Add lsec_testcontext(). 2015-10-28 00:05:30 -02:00
Gleydson Soares
67f0867277 guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3 2015-10-12 08:35:35 -03:00
Bruno Silvestre
d1fb889547 Version number -> 0.6 alpha 2015-08-21 11:21:16 -03:00
Bruno Silvestre
24e5ec13f3 Merge pull request #46 from olesalscheider/master
Do not hardcode ar
2015-08-03 20:37:00 -03:00
Bruno Silvestre
8e9910cb15 Format. 2015-08-01 01:14:16 -03:00
Bruno Silvestre
2c2c9cf16f Alternative implementation to inet_ntop() for old versions of Windows. 2015-08-01 01:07:04 -03:00
Niels Ole Salscheider
580d9b7ed8 Do not hardcode ar
On Exherbo, ar is prefixed by the target triple.
2015-05-23 19:51:58 +02:00
Kim Alvefur
4e59c719df Perform all validation before allocating structures
Check that all arguments are certificates before allocating OpenSSL
structures that require cleanup afterwards.

API of issued() changes (again) to root:issued(cert, [chain]*)
2015-03-31 17:48:44 +02:00
Kim Alvefur
aa0c7ea1e5 Validate signatures too.
API changes to root:issued([intermediate]*, cert)
2015-03-20 16:36:05 +01:00
Bruno Silvestre
3862e76df9 Fix inet_ntop() on Windows. 2015-03-12 17:05:53 -03:00
Bruno Silvestre
1ab6fac919 Don't set globals from C. 2015-02-12 16:32:54 -02:00
Bruno Silvestre
91d378a86e Fix unpack(). 2015-02-12 16:29:02 -02:00
Bruno Silvestre
356e03a64d Stop using module(). 2015-02-06 18:07:29 -02:00
Bruno Silvestre
97b1974039 Change to luaL_newlib(). 2015-02-06 17:44:08 -02:00
Bruno Silvestre
9cb5220759 Remove luaL_optint() and luaL_checkint(). 2015-02-06 16:53:34 -02:00
Bruno Silvestre
acbf575420 BSD headers. 2015-01-28 16:38:00 -02:00
Bruno Silvestre
a9b81b1c10 Merge pull request #21 from Zash/zash/iPAddress-fix
iPAddress encoding
2015-01-28 16:24:02 -02:00
Bruno Silvestre
ab42d4ec86 Stop if we don't have a string. 2015-01-28 16:19:19 -02:00
Lluixhi Scura
5240c02f3d Changed for strict compiles. 2015-01-16 09:12:14 -08:00
Lluixhi Scura
4c7339cace Fix for LibreSSL/OPENSSL_NO_COMP 2015-01-16 08:55:22 -08:00
Bruno Silvestre
f514e9fb1b Problem on Win64, since double does not represent SOCKET_INVALID exactly. 2014-09-10 14:41:09 -03:00
Bruno Silvestre
84cb83b92f - Add a parameter to server:sni(), so that we can accept an unknown name, using the initial context.
- Add the method :getsniname() to retrieve the SNI hostname used.
2014-09-09 21:48:26 -03:00
Kim Alvefur
f13aee5dac Encode iPAddress fields in human readable form 2014-06-08 13:20:47 +02:00
Kim Alvefur
b83d2c6a91 Don't try to encode IP addresses as UTF-8 2014-06-08 12:47:58 +02:00
Kim Alvefur
c276e9ff60 Return early if ASN1 string is invalid 2014-06-08 12:41:20 +02:00
Kim Alvefur
1ade1542d7 Push nil if unable to encode ASN1 string as UTF-8 2014-06-08 12:38:52 +02:00
Kim Alvefur
97e836696b Return human readable error message from cert:issued() 2014-04-22 01:17:34 +02:00
Bruno Silvestre
903efaf3b1 SNI support. 2014-04-21 13:20:17 -03:00
brunoos
77637e9d3c Merge pull request #17 from Zash/zash/checkkey
Verify that certificate and key belong together
2014-04-21 13:07:38 -03:00
brunoos
a481015217 Merge pull request #19 from Zash/zash/pubkey
Zash/pubkey
2014-04-21 11:52:40 -03:00
Kim Alvefur
11eaec6520 Add cert:pubkey() to methods registry 2014-04-19 23:11:32 +02:00
Kim Alvefur
d2c87d71f7 Add cert:issued(leafcert) for checking chains 2014-04-19 22:58:28 +02:00
Bruno Silvestre
8fd31f3ad2 Wrong type. 2014-04-18 22:50:40 -03:00
Kim Alvefur
55d45f0542 Check if private key matches cert only if both key and cert are set 2014-02-05 16:51:30 +01:00
Kim Alvefur
8e5bcefbb6 Check that certificate matches private key 2014-02-05 01:48:58 +01:00
Kim Alvefur
eb8cb33160 Add method for extracting public key, type and size from x509 objects 2014-02-05 01:39:30 +01:00
Bruno Silvestre
21aefcf67d Version number -> 0.5. 2014-01-29 18:43:33 -02:00
Bruno Silvestre
46d6078e82 Merge branch 'master' of https://github.com/brunoos/luasec 2013-10-23 13:53:43 -02:00
Bruno Silvestre
ce504d3554 Add x509:setencode() function to change the encode of ASN.1 string. 2013-10-23 13:42:34 -02:00
brunoos
4a95102cc8 Merge pull request #8 from xnyhps/protocol_version
Report the actual TLS version used, not the version the cipher belongs to.
2013-09-16 09:25:39 -07:00
Paul Aurich
1d920fc13c context: Don't leak DH* in dhparam_cb
==1429== 336 (144 direct, 192 indirect) bytes in 1 blocks are definitely lost in loss record 567 of 611
...
==1429==    by 0x5ECCBC7: PEM_ASN1_read_bio (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==1429==    by 0x4E39D8F: dhparam_cb (context.c:184)
==1429==    by 0x5B679D3: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==1429==    by 0x5B6A6EE: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==1429==    by 0x4E3C00D: meth_handshake (ssl.c:103)
...
2013-09-11 21:55:25 -07:00
Paul Aurich
0dab860770 context: Link SSL_CTX to p_context (not lua_State)
This is needed because the p_context is going to cache DH (and eventually
EC_KEY) objects, to plug a leak in the dhparam callback.
2013-09-11 21:55:25 -07:00
Paul Aurich
8cf7eb2d78 context: for dhparam_cb, pass is_export as boolean
The integer value that's actually returned for this flag is 2, which is fine
for C (it is defined as true), but it's sufficiently surprising (because it's
not 1), that this is worth fixing -- even if export ciphers aren't common.

It should be a boolean anyway.
2013-09-11 21:55:25 -07:00
Paul Aurich
9c7c96f2a0 Add useful context to various error messages 2013-09-11 21:55:25 -07:00
Paul Aurich
9262f9e7de ssl.lua: Comment subtle DH/ECDH ordering caveat 2013-09-11 21:55:25 -07:00
Paul Aurich
3fb33cdc4e context: Don't leak EC_KEY in set_curve()
SSL_CTX_set_tmp_ecdh() takes a reference to the provided key.

==8323== 1,044 (56 direct, 988 indirect) bytes in 1 blocks are definitely lost in loss record 611 of 631
==8323==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
==8323==    by 0x5E05D9F: CRYPTO_malloc (mem.c:308)
==8323==    by 0x5E59859: EC_KEY_new (ec_key.c:75)
==8323==    by 0x5E59974: EC_KEY_new_by_curve_name (ec_key.c:96)
==8323==    by 0x4E395A7: set_curve (context.c:261)
...
2013-09-11 21:55:25 -07:00
Paul Aurich
a344f58b20 context: Wrap find_ec_key in #ifndef OPENSSL_NO_ECDH
"#ifndef OPENSSL_NO_ECDH" is a ridiculous conditional, by the way.
2013-09-11 21:55:25 -07:00
Thijs Alkemade
1a75704ff0 Report the actual TLS version used, not the version the cipher belongs
to.
2013-09-08 15:00:07 +02:00
Bruno Silvestre
063e8a8a5c - using buffer from luasocket 3.0.
- adding getstats() and setstats().
2013-06-20 13:03:58 -03:00
Paul Aurich
7532f3b729 context: Support explicit selection of TLS v1.1 and v1.2 2013-06-12 19:06:16 -07:00
Paul Aurich
2dae14877e options: Remove dead code
The workaround for 'no_compression' on older OpenSSL is handled in context.c;
set_option_flag (which uses ssl_options) is never called, so this shouldn't
exist.
2013-06-12 18:38:44 -07:00
Paul Aurich
4c5ce1b177 context: Incidental cleanup 2013-06-12 18:36:35 -07:00
Paul Aurich
9bda3322fb context: no_compression is options, not verify
The OpenSSL 0.9.8 compat needs to be handled as part of the options, not the
verification flags.
2013-06-12 18:33:19 -07:00
Vadim A. Misbakh-Soloviov
fceef56dce DESTDIR compatibility + *FLAGs/utils configurability + ld -fpic error fix. Also fixes #1
Signed-off-by: Vadim A. Misbakh-Soloviov <mva@mva.name>
2013-05-14 08:13:57 +07:00
Matthew Wild
1b899afd38 Remove duplicate files (now in luasocket/) 2013-03-30 12:49:55 +00:00
Matthew Wild
77ac210283 LuaSec 20120616 (unofficial) + patches 2013-03-30 12:21:40 +00:00
Bruno Silvestre
908fc346d2 LuaSec 0.4.1 2012-09-02 11:40:59 -03:00
Bruno Silvestre
67e5176b6b LuaSec 0.4 2012-09-02 11:32:26 -03:00
Bruno Silvestre
29c6bd65d2 LuaSec 0.3.3 2012-09-02 11:31:22 -03:00
Bruno Silvestre
d28c5e4f9e LuaSec 0.3.2 2012-09-02 11:30:04 -03:00
Bruno Silvestre
affd08cf05 LuaSec 0.3.1 2012-09-02 11:27:04 -03:00
Bruno Silvestre
1c95a077ee LuaSec 0.3 2012-09-02 11:22:22 -03:00
Bruno Silvestre
36e94ee40d LuaSec 0.2 2012-09-02 11:15:49 -03:00