dany/luasec
1
0
Fork 0
mirror of https://github.com/brunoos/luasec.git synced 2025-07-16 13:59:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: dany:dev
Branches Tags
dany:master dany:shutdown-method dany:dev dany:ocsp dany:luasec-dev-0.8 dany:luasec-dev-0.7 dany:luasec-dev-0.5
dany:v1.3.2 dany:v1.3.1 dany:v1.3.0 dany:v1.2.0 dany:v1.1.0 dany:v1.0.2 dany:v1.0.1 dany:v1.0 dany:v0.9 dany:luasec-0.8.2 dany:luasec-0.7.2 dany:luasec-0.8.1 dany:luasec-0.7.1 dany:luasec-0.8 dany:luasec-0.7 dany:luasec-0.6 dany:luasec-0.5.1 dany:luasec-0.5 dany:luasec-0.4.1 dany:luasec-0.4 dany:luasec-0.3.3 dany:luasec-0.3.2 dany:luasec-0.3.1 dany:luasec-0.3 dany:luasec-0.2
..
compare: dany:ocsp
Branches Tags
dany:master dany:shutdown-method dany:dev dany:ocsp dany:luasec-dev-0.8 dany:luasec-dev-0.7 dany:luasec-dev-0.5
dany:v1.3.2 dany:v1.3.1 dany:v1.3.0 dany:v1.2.0 dany:v1.1.0 dany:v1.0.2 dany:v1.0.1 dany:v1.0 dany:v0.9 dany:luasec-0.8.2 dany:luasec-0.7.2 dany:luasec-0.8.1 dany:luasec-0.7.1 dany:luasec-0.8 dany:luasec-0.7 dany:luasec-0.6 dany:luasec-0.5.1 dany:luasec-0.5 dany:luasec-0.4.1 dany:luasec-0.4 dany:luasec-0.3.3 dany:luasec-0.3.2 dany:luasec-0.3.1 dany:luasec-0.3 dany:luasec-0.2

2 Commits
dev ... ocsp

Author SHA1 Message Date
Bruno Silvestre
7ce63ad392 Return nil instead boolean 2021-06-25 19:59:22 -03:00
Bruno Silvestre
a3e74db781 Some work with OCSP 2021-06-25 19:50:47 -03:00
32 changed files with 448 additions and 524 deletions
Expand all files Collapse all files

27
CHANGELOG
View File

@ -1,30 +1,3 @@
--------------------------------------------------------------------------------
LuaSec 1.2.0
---------------
This version includes:
* Add key material export method
* Backguard compat for openssl on providers, like LTS linuxes
--------------------------------------------------------------------------------
LuaSec 1.1.0
---------------
This version includes:
* Fix missing DANE flag
* Remove unused parameter in https.lua
--------------------------------------------------------------------------------
LuaSec 1.0.2
---------------
This version includes:
* Fix handle SSL_send SYSCALL error without errno
* Fix off by one in cert:validat(notafter)
* Fix meth_get_{sinagure => signature}_name function name
* Fix update the Lua state reference on the selected SSL context after SNI
* Fix ignore SSL_OP_BIT(n) macro and update option.c
--------------------------------------------------------------------------------
LuaSec 1.0.1
---------------

4
INSTALL
View File

@ -1,9 +1,9 @@
LuaSec 1.2.0
LuaSec 1.0.1
------------
* OpenSSL options:
By default, this version includes options for OpenSSL 3.0.0 beta2
By default, this version includes options for OpenSSL 1.1.1.
If you need to generate the options for a different version of OpenSSL:

4
LICENSE
View File

@ -1,5 +1,5 @@
LuaSec 1.2.0 license
Copyright (C) 2006-2022 Bruno Silvestre, UFG
LuaSec 1.0.1 license
Copyright (C) 2006-2021 Bruno Silvestre, UFG
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the

2
README.md
View File

@ -1,4 +1,4 @@
LuaSec 1.2.0
LuaSec 1.0.1
===============
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.

6
luasec-1.2.0-1.rockspec → luasec-1.0.1-1.rockspec
View File

@ -1,8 +1,8 @@
package = "LuaSec"
version = "1.2.0-1"
version = "1.0.1-1"
source = {
url = "git+https://github.com/brunoos/luasec",
tag = "v1.2.0",
url = "git://github.com/brunoos/luasec",
tag = "v1.0.1",
}
description = {
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",

3
samples/README
View File

@ -45,9 +45,6 @@ Directories:
* oneshot
A simple connection example.
* psk
PSK(Pre Shared Key) support.
* sni
Support to SNI (Server Name Indication).

2
samples/certs/all.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env sh
./rootA.sh
./rootB.sh
./clientA.sh

2
samples/certs/clientA.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
-nodes -config ./clientA.cnf -days 365 -batch

2
samples/certs/clientB.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
-nodes -config ./clientB.cnf -days 365 -batch

2
samples/certs/rootA.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch

2
samples/certs/rootB.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch

4
samples/certs/serverA.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
-config ./serverA.cnf -nodes -days 365 -batch
openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \

4
samples/certs/serverB.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh
#!/usr/bin/env sh
openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
-config ./serverB.cnf -nodes -days 365 -batch
openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \

21
samples/chain/server.lua
View File

@ -31,27 +31,8 @@ util.show( conn:getpeercertificate() )
print("----------------------------------------------------------------------")
local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
local peerchain = conn:getpeerchain()
assert(#peerchain == #expectedpeerchain)
for k, cert in ipairs( peerchain ) do
for k, cert in ipairs( conn:getpeerchain() ) do
util.show(cert)
local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
end
local expectedlocalchain = { "../certs/serverAcert.pem" }
local localchain = assert(conn:getlocalchain())
assert(#localchain == #expectedlocalchain)
for k, cert in ipairs( localchain ) do
util.show(cert)
local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
if k == 1 then
assert(cert:pem() == conn:getlocalcertificate():pem())
end
end
local f = io.open(params.certificate)

54
samples/ocsp/client.lua Normal file
View File

@ -0,0 +1,54 @@
--
-- Public domain
--
local socket = require("socket")
local ssl = require("ssl")
local ocsp = ssl.ocsp
-- Parameters
-- * status:
-- * nil (no status was sent by server)
-- * ocsp.status.successful
-- * ocsp.status.malformedrequest
-- * ocsp.status.internalerror
-- * ocsp.status.trylater
-- * ocsp.status.sigrequired
-- * ocsp.status.unauthorized
--
-- Returns
-- * nil: on error
-- * true: status was accepted (continue the handshake)
-- * false: status not accepted (handshake stops with error)
--
local callback = function(status)
print("Status: ", status)
print("---")
if status == nil then
print("[WARN] No OCSP response")
return true
end
return (status == ocsp.status.successful)
end
local params = {
mode = "client",
protocol = "tlsv1_2",
verify = "none",
options = "all",
ocsp = callback,
}
while true do
local peer = socket.tcp()
peer:connect("127.0.0.1", 8443)
peer = assert(ssl.wrap(peer, params))
assert(peer:dohandshake())
print(peer:receive())
print("------------")
peer:close()
end

89
samples/ocsp/server.lua Normal file
View File

@ -0,0 +1,89 @@
--
-- Public domain
--
local socket = require("socket")
local ssl = require("ssl")
local mime = require("mime")
local ltn12 = require("ltn12")
local http = require("socket.http")
local ocsp = ssl.ocsp
--------------------------------------------------------------------------------
local response
function loadresponse(certfile, cafile)
local f = io.open(cafile)
local ca = f:read("*a")
ca = ssl.loadcertificate(ca)
f:close()
f = io.open(certfile)
local cert = f:read("*a")
cert = ssl.loadcertificate(cert)
f:close()
local res = {}
local req = ocsp.buildrequest(cert, ca)
req = mime.b64(req)
local a, b = http.request {
url = "http://zerossl.ocsp.sectigo.com/" .. req,
method = "GET",
sink = ltn12.sink.table(res),
header = {
["Content-Type"] = "application/ocsp-request",
["Host"] = "zerossl.ocsp.sectigo.com",
},
}
response = table.concat(res)
local thisupd, nextupd = ocsp.responsetime(response)
print("This update: ", thisupd)
print("Next update: ", nextupd)
end
--------------------------------------------------------------------------------
local cafile = "ca.pem"
local certfile = "server.pem"
-- Remember to update 'response' before 'next update'
local callback = function()
if not response then
loadresponse(certfile, cafile)
end
return response
end
local params = {
mode = "server",
protocol = "any",
key = "server.key",
certificate = certfile,
verify = "none",
options = "all",
ocsp = callback,
}
--------------------------------------------------------------------------------
local ctx = assert(ssl.newcontext(params))
local server = socket.tcp()
server:setoption('reuseaddr', true)
assert(server:bind("127.0.0.1", 8443))
server:listen()
while true do
local peer = server:accept()
peer = assert(ssl.wrap(peer, ctx))
local succ = peer:dohandshake()
if succ then
peer:send("OCSP test\n")
peer:close()
end
end

36
samples/psk/client.lua
View File

@ -1,36 +0,0 @@
--
-- Public domain
--
local socket = require("socket")
local ssl = require("ssl")
-- @param hint (nil | string)
-- @param max_identity_len (number)
-- @param max_psk_len (number)
-- @return identity (string)
-- @return PSK (string)
local function pskcb(hint, max_identity_len, max_psk_len)
print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
return "abcd", "1234"
end
local params = {
mode = "client",
protocol = "tlsv1_2",
psk = pskcb,
}
local peer = socket.tcp()
peer:connect("127.0.0.1", 8888)
peer = assert( ssl.wrap(peer, params) )
assert(peer:dohandshake())
print("--- INFO ---")
local info = peer:info()
for k, v in pairs(info) do
print(k, v)
end
print("---")
peer:close()

55
samples/psk/server.lua
View File

@ -1,55 +0,0 @@
--
-- Public domain
--
local socket = require("socket")
local ssl = require("ssl")
-- @param identity (string)
-- @param max_psk_len (number)
-- @return psk (string)
local function pskcb(identity, max_psk_len)
print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
if identity == "abcd" then
return "1234"
end
return nil
end
local params = {
mode = "server",
protocol = "any",
options = "all",
-- PSK with just a callback
psk = pskcb,
-- PSK with identity hint
-- psk = {
-- hint = "hintpsksample",
-- callback = pskcb,
-- },
}
-- [[ SSL context
local ctx = assert(ssl.newcontext(params))
--]]
local server = socket.tcp()
server:setoption('reuseaddr', true)
assert( server:bind("127.0.0.1", 8888) )
server:listen()
local peer = server:accept()
peer = assert( ssl.wrap(peer, ctx) )
assert( peer:dohandshake() )
print("--- INFO ---")
local info = peer:info()
for k, v in pairs(info) do
print(k, v)
end
print("---")
peer:close()
server:close()

4
src/compat.h
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

14
src/config.c
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre.
* Copyright (C) 2006-2021 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -77,14 +77,14 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
#ifdef LSEC_ENABLE_DANE
// DANE
lua_pushstring(L, "dane");
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
lua_createtable(L, 0, 1);
lua_pushstring(L, "no_ee_namechecks");
lua_pushboolean(L, 1);
lua_rawset(L, -3);
#else
lua_pushboolean(L, 1);
#endif
#ifndef OPENSSL_NO_OCSP
// OCSP
lua_pushstring(L, "ocsp");
lua_pushboolean(L, 1);
lua_rawset(L, -3);
#endif

368
src/context.c
View File

@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2022 Bruno Silvestre.
* Copyright (C) 2006-2021 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -17,15 +17,19 @@
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/dh.h>
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif
#include <lua.h>
#include <lauxlib.h>
#include "compat.h"
#include "context.h"
#include "options.h"
#include "x509.h"
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
@ -708,170 +712,207 @@ static int set_alpn_cb(lua_State *L)
return 1;
}
/**
* Callback to select the PSK.
*/
static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
unsigned int max_psk_len)
#ifndef OPENSSL_NO_OCSP
static int ocsp_server_cb(SSL *ssl, void *arg)
{
size_t psk_len;
const char *ret_psk;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
lua_State *L = pctx->L;
int len;
BIO *bio;
const char *data;
unsigned char *r = NULL;
OCSP_RESPONSE *resp = NULL;
p_context ctx = (p_context)arg;
lua_State *L = ctx->L;
luaL_getmetatable(L, "SSL:PSK:Registry");
lua_pushlightuserdata(L, (void*)pctx->context);
lua_gettable(L, -2);
// Retrieve the callback
luaL_getmetatable(L, "SSL:OCSP:Registry");
lua_pushlightuserdata(L, ctx->context);
lua_rawget(L, -2);
lua_pushstring(L, identity);
lua_pushinteger(L, max_psk_len);
lua_call(L, 2, 1);
if (!lua_isstring(L, -1)) {
lua_pop(L, 2);
return 0;
lua_call(L, 0, 1);
if (lua_type(L, -1) != LUA_TSTRING) {
return SSL_TLSEXT_ERR_NOACK;
}
ret_psk = lua_tolstring(L, -1, &psk_len);
data = lua_tostring(L, -1);
len = (int)lua_rawlen(L, -1);
if (psk_len == 0 || psk_len > max_psk_len)
psk_len = 0;
else
memcpy(psk, ret_psk, psk_len);
bio = BIO_new_mem_buf(data, len);
if (bio == NULL)
return SSL_TLSEXT_ERR_NOACK;
lua_pop(L, 2);
resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
BIO_free(bio);
if (resp == NULL)
return SSL_TLSEXT_ERR_NOACK;
return psk_len;
len = i2d_OCSP_RESPONSE(resp, &r);
if (len <= 0) {
OCSP_RESPONSE_free(resp);
return SSL_TLSEXT_ERR_NOACK;
}
SSL_set_tlsext_status_ocsp_resp(ssl, r, len);
OCSP_RESPONSE_free(resp);
return SSL_TLSEXT_ERR_OK;
}
/**
* Set a PSK callback for server.
*/
static int set_server_psk_cb(lua_State *L)
static int ocsp_client_cb(SSL *ssl, void *arg)
{
p_context ctx = checkctx(L, 1);
long len;
const unsigned char *b;
OCSP_RESPONSE *ocsp = NULL;
p_context ctx = (p_context)arg;
lua_State *L = ctx->L;
luaL_getmetatable(L, "SSL:PSK:Registry");
lua_pushlightuserdata(L, (void*)ctx->context);
lua_pushvalue(L, 2);
lua_settable(L, -3);
// Retrieve the callback
luaL_getmetatable(L, "SSL:OCSP:Registry");
lua_pushlightuserdata(L, ctx->context);
lua_rawget(L, -2);
SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
lua_pushboolean(L, 1);
return 1;
}
/*
* Set the PSK indentity hint.
*/
static int set_psk_identity_hint(lua_State *L)
{
p_context ctx = checkctx(L, 1);
const char *hint = luaL_checkstring(L, 2);
int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
lua_pushboolean(L, ret);
return 1;
}
/*
* Client callback to PSK.
*/
static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
{
size_t psk_len;
size_t identity_len;
const char *ret_psk;
const char *ret_identity;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
lua_State *L = pctx->L;
luaL_getmetatable(L, "SSL:PSK:Registry");
lua_pushlightuserdata(L, (void*)pctx->context);
lua_gettable(L, -2);
if (hint)
lua_pushstring(L, hint);
else
len = SSL_get_tlsext_status_ocsp_resp(ssl, &b);
if (len == -1)
lua_pushnil(L);
// Leave space to '\0'
lua_pushinteger(L, max_identity_len-1);
lua_pushinteger(L, max_psk_len);
lua_call(L, 3, 2);
if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
lua_pop(L, 3);
return 0;
}
ret_identity = lua_tolstring(L, -2, &identity_len);
ret_psk = lua_tolstring(L, -1, &psk_len);
if (identity_len >= max_identity_len || psk_len > max_psk_len)
psk_len = 0;
else {
memcpy(identity, ret_identity, identity_len);
identity[identity_len] = 0;
memcpy(psk, ret_psk, psk_len);
ocsp = d2i_OCSP_RESPONSE(NULL, &b, len);
lua_pushinteger(L, OCSP_response_status(ocsp));
OCSP_RESPONSE_free(ocsp);
}
lua_pop(L, 3);
return psk_len;
lua_call(L, 1, 1);
return (lua_type(L, -1) != LUA_TBOOLEAN) ? -1 : (int)lua_toboolean(L, -1);
}
/**
* Set a PSK callback for client.
*/
static int set_client_psk_cb(lua_State *L) {
static int set_ocsp_cb(lua_State *L)
{
int ret;
p_context ctx = checkctx(L, 1);
luaL_getmetatable(L, "SSL:PSK:Registry");
luaL_getmetatable(L, "SSL:OCSP:Registry");
lua_pushlightuserdata(L, (void*)ctx->context);
lua_pushvalue(L, 2);
lua_settable(L, -3);
SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
ret = (int)SSL_CTX_set_tlsext_status_type(ctx->context, TLSEXT_STATUSTYPE_ocsp);
if (ret == 0) {
lua_pushboolean(L, 0);
return 1;
}
lua_pushboolean(L, 1);
if (ctx->mode == LSEC_MODE_CLIENT)
ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_client_cb);
else
ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_server_cb);
if (ret == 0) {
lua_pushboolean(L, 0);
return 1;
}
ret = (int)SSL_CTX_set_tlsext_status_arg(ctx->context, ctx);
lua_pushboolean(L, ret == 1);
return 1;
}
static int ocsp_build_request(lua_State *L)
{
long len;
BIO *bio;
X509 *cert;
X509 *issuer;
OCSP_CERTID *cid;
OCSP_REQUEST *req;
char *buf;
cert = lsec_checkx509(L, 1);
issuer = lsec_checkx509(L, 2);
req = OCSP_REQUEST_new();
if (req == NULL) {
lua_pushnil(L);
return 1;
}
cid = OCSP_cert_to_id(NULL, cert, issuer);
if (cid == NULL) {
lua_pushnil(L);
return 1;
}
if (OCSP_request_add0_id(req, cid) == NULL) {
lua_pushnil(L);
return 1;
}
bio = BIO_new(BIO_s_mem());
i2d_OCSP_REQUEST_bio(bio, req);
len = BIO_get_mem_data(bio, &buf);
lua_pushlstring(L, buf, len);
BIO_free(bio);
OCSP_REQUEST_free(req);
return 1;
}
static int ocsp_response_time(lua_State *L)
{
long len;
BIO *bio;
char *buf;
int reason;
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *sr;
OCSP_RESPONSE *res;
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
buf = (char*)lua_tostring(L, 1);
len = (long)lua_rawlen(L, 1);
res = d2i_OCSP_RESPONSE(NULL, (const unsigned char**)&buf, (int)len);
if (res == NULL) {
lua_pushnil(L);
lua_pushnil(L);
return 2;
}
bs = OCSP_response_get1_basic(res);
if (bs == NULL) {
lua_pushnil(L);
lua_pushnil(L);
return 2;
}
sr = OCSP_resp_get0(bs, 0);
OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
bio = BIO_new(BIO_s_mem());
ASN1_GENERALIZEDTIME_print(bio, thisupd);
len = BIO_get_mem_data(bio, &buf);
lua_pushlstring(L, buf, len);
BIO_free(bio);
bio = BIO_new(BIO_s_mem());
ASN1_GENERALIZEDTIME_print(bio, nextupd);
len = BIO_get_mem_data(bio, &buf);
lua_pushlstring(L, buf, len);
BIO_free(bio);
OCSP_BASICRESP_free(bs);
OCSP_RESPONSE_free(res);
return 2;
}
#endif
#if defined(LSEC_ENABLE_DANE)
/*
* DANE
*/
static int dane_options[] = {
/* TODO move into options.c
* however this symbol is not from openssl/ssl.h but rather from
* openssl/x509_vfy.h
* */
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
DANE_FLAG_NO_DANE_EE_NAMECHECKS,
#endif
0
};
static const char *dane_option_names[] = {
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
"no_ee_namechecks",
#endif
NULL
};
static int set_dane(lua_State *L)
{
int ret, i;
int ret;
SSL_CTX *ctx = lsec_checkcontext(L, 1);
ret = SSL_CTX_dane_enable(ctx);
for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
}
lua_pushboolean(L, (ret > 0));
return 1;
}
@ -894,9 +935,6 @@ static luaL_Reg funcs[] = {
{"setdhparam", set_dhparam},
{"setverify", set_verify},
{"setoptions", set_options},
{"setpskhint", set_psk_identity_hint},
{"setserverpskcb", set_server_psk_cb},
{"setclientpskcb", set_client_psk_cb},
{"setmode", set_mode},
#if !defined(OPENSSL_NO_EC)
{"setcurve", set_curve},
@ -904,6 +942,9 @@ static luaL_Reg funcs[] = {
#endif
#if defined(LSEC_ENABLE_DANE)
{"setdane", set_dane},
#endif
#if !defined(OPENSSL_NO_OCSP)
{"setocspcb", set_ocsp_cb},
#endif
{NULL, NULL}
};
@ -930,7 +971,7 @@ static int meth_destroy(lua_State *L)
lua_pushlightuserdata(L, (void*)ctx->context);
lua_pushnil(L);
lua_settable(L, -3);
luaL_getmetatable(L, "SSL:PSK:Registry");
luaL_getmetatable(L, "SSL:OCSP:Registry");
lua_pushlightuserdata(L, (void*)ctx->context);
lua_pushnil(L);
lua_settable(L, -3);
@ -1071,15 +1112,64 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
/*------------------------------ Initialization ------------------------------*/
#ifndef OPENSSL_NO_OCSP
struct ocsp_status_response_s {
const char *name;
int value;
};
typedef struct ocsp_status_response_s ocsp_status_response_t;
static ocsp_status_response_t status_response[] = {
{"successful", OCSP_RESPONSE_STATUS_SUCCESSFUL},
{"malformedrequest", OCSP_RESPONSE_STATUS_MALFORMEDREQUEST},
{"internalerror", OCSP_RESPONSE_STATUS_INTERNALERROR},
{"trylater", OCSP_RESPONSE_STATUS_TRYLATER},
{"sigrequired", OCSP_RESPONSE_STATUS_SIGREQUIRED},
{"unauthorized", OCSP_RESPONSE_STATUS_UNAUTHORIZED},
{NULL, 0}
};
static luaL_Reg ocsp_funcs[] = {
{"buildrequest", ocsp_build_request},
{"responsetime", ocsp_response_time},
{NULL, NULL}
};
/**
* OCSP module
*/
LSEC_API int luaopen_ssl_context_ocsp(lua_State *L)
{
ocsp_status_response_t *ptr;
luaL_newlib(L, ocsp_funcs);
lua_pushstring(L, "status");
lua_newtable(L);
for (ptr = status_response; ptr->name; ptr++) {
lua_pushstring(L, ptr->name);
lua_pushinteger(L, ptr->value);
lua_rawset(L, -3);
}
lua_rawset(L, -3);
return 1;
}
#endif
//------------------------------------------------------------------------------
/**
* Registre the module.
*/
LSEC_API int luaopen_ssl_context(lua_State *L)
{
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:ALPN:Registry"); /* Keep all ALPN callbacks */
luaL_newmetatable(L, "SSL:PSK:Registry"); /* Keep all PSK callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:ALPN:Registry"); /* Keep all ALPN callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:OCSP:Registry"); /* Keep all OCSP callbacks */
luaL_newmetatable(L, "SSL:Context");
setfuncs(L, meta);

4
src/context.h
View File

@ -2,9 +2,9 @@
#define LSEC_CONTEXT_H
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

4
src/ec.h
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

10
src/https.lua
View File

@ -1,6 +1,6 @@
----------------------------------------------------------------------------
-- LuaSec 1.2.0
-- Copyright (C) 2009-2022 PUC-Rio
-- LuaSec 1.0.1
-- Copyright (C) 2009-2021 PUC-Rio
--
-- Author: Pablo Musa
-- Author: Tomas Guisasola
@ -18,8 +18,8 @@ local try = socket.try
-- Module
--
local _M = {
_VERSION = "1.2.0",
_COPYRIGHT = "LuaSec 1.2.0 - Copyright (C) 2009-2022 PUC-Rio",
_VERSION = "1.0.1",
_COPYRIGHT = "LuaSec 1.0.1 - Copyright (C) 2009-2021 PUC-Rio",
PORT = 443,
TIMEOUT = 60
}
@ -93,7 +93,7 @@ local function tcp(params)
self.sock:sni(host)
self.sock:settimeout(_M.TIMEOUT)
try(self.sock:dohandshake())
reg(self)
reg(self, getmetatable(self.sock))
return 1
end
return conn

24
src/options.c
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -13,16 +13,13 @@
/*
OpenSSL version: OpenSSL 3.0.0-beta2
OpenSSL version: OpenSSL 1.1.1
*/
static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_ALL)
{"all", SSL_OP_ALL},
#endif
#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
{"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
#endif
#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
{"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
#endif
@ -35,33 +32,21 @@ static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_CISCO_ANYCONNECT)
{"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
#endif
#if defined(SSL_OP_CLEANSE_PLAINTEXT)
{"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
#endif
#if defined(SSL_OP_COOKIE_EXCHANGE)
{"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
#endif
#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
{"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
#endif
#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
{"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
#endif
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
{"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
#endif
#if defined(SSL_OP_ENABLE_KTLS)
{"enable_ktls", SSL_OP_ENABLE_KTLS},
#endif
#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
{"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
#endif
#if defined(SSL_OP_EPHEMERAL_RSA)
{"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
#endif
#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
{"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
#endif
#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
{"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
#endif
@ -104,9 +89,6 @@ static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
{"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
#endif
#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
{"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
#endif
#if defined(SSL_OP_NO_QUERY_MTU)
{"no_query_mtu", SSL_OP_NO_QUERY_MTU},
#endif

4
src/options.h
View File

@ -2,9 +2,9 @@
#define LSEC_OPTIONS_H
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

15
src/options.lua
View File

@ -4,7 +4,7 @@ local function usage()
print(" lua options.lua -g /path/to/ssl.h [version] > options.c")
print("* Examples:")
print(" lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
print(" lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
print(" lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
print("* List options of your system:")
print(" lua options.lua -l /path/to/ssl.h\n")
@ -18,9 +18,9 @@ end
local function generate(options, version)
print([[
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -60,12 +60,9 @@ local function loadoptions(file)
local options = {}
local f = assert(io.open(file, "r"))
for line in f:lines() do
local op = string.match(line, "define%s+(SSL_OP_BIT%()")
if not op then
op = string.match(line, "define%s+(SSL_OP_%S+)")
if op then
table.insert(options, op)
end
local op = string.match(line, "define%s+(SSL_OP_%S+)")
if op then
table.insert(options, op)
end
end
table.sort(options, function(a,b) return a<b end)

135
src/ssl.c
View File

@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2022 Bruno Silvestre.
* Copyright (C) 2006-2021 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -530,58 +530,6 @@ static int meth_getpeercertificate(lua_State *L)
return 1;
}
/**
* Return the nth certificate of the chain sent to our peer.
*/
static int meth_getlocalcertificate(lua_State *L)
{
int n;
X509 *cert;
STACK_OF(X509) *certs;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L);
lua_pushstring(L, "closed");
return 2;
}
/* Default to the first cert */
n = (int)luaL_optinteger(L, 2, 1);
/* This function is 1-based, but OpenSSL is 0-based */
--n;
if (n < 0) {
lua_pushnil(L);
lua_pushliteral(L, "invalid certificate index");
return 2;
}
if (n == 0) {
cert = SSL_get_certificate(ssl->ssl);
if (cert)
lsec_pushx509(L, cert);
else
lua_pushnil(L);
return 1;
}
/* In a server-context, the stack doesn't contain the peer cert,
* so adjust accordingly.
*/
if (SSL_is_server(ssl->ssl))
--n;
if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
lua_pushnil(L);
} else {
if (n >= sk_X509_num(certs)) {
lua_pushnil(L);
return 1;
}
cert = sk_X509_value(certs, n);
/* Increment the reference counting of the object. */
/* See SSL_get_peer_certificate() source code. */
X509_up_ref(cert);
lsec_pushx509(L, cert);
}
return 1;
}
/**
* Return the chain of certificate of the peer.
*/
@ -616,41 +564,6 @@ static int meth_getpeerchain(lua_State *L)
return 1;
}
/**
* Return the chain of certificates sent to the peer.
*/
static int meth_getlocalchain(lua_State *L)
{
int i;
int idx = 1;
int n_certs;
X509 *cert;
STACK_OF(X509) *certs;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L);
lua_pushstring(L, "closed");
return 2;
}
lua_newtable(L);
if (SSL_is_server(ssl->ssl)) {
lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
lua_rawseti(L, -2, idx++);
}
if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
n_certs = sk_X509_num(certs);
for (i = 0; i < n_certs; i++) {
cert = sk_X509_value(certs, i);
/* Increment the reference counting of the object. */
/* See SSL_get_peer_certificate() source code. */
X509_up_ref(cert);
lsec_pushx509(L, cert);
lua_rawseti(L, -2, idx++);
}
}
return 1;
}
/**
* Copy the table src to the table dst.
*/
@ -758,41 +671,6 @@ static int meth_getpeerfinished(lua_State *L)
return 1;
}
/**
* Get some shared keying material
*/
static int meth_exportkeyingmaterial(lua_State *L)
{
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if(ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L);
lua_pushstring(L, "closed");
return 0;
}
size_t llen = 0;
size_t contextlen = 0;
const unsigned char *context = NULL;
const char *label = (const char*)luaL_checklstring(L, 2, &llen);
size_t olen = (size_t)luaL_checkinteger(L, 3);
if (!lua_isnoneornil(L, 4))
context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
/* Temporary buffer memory-managed by Lua itself */
unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
lua_pushnil(L);
lua_pushstring(L, "error exporting keying material");
return 2;
}
lua_pushlstring(L, (char*)out, olen);
return 1;
}
/**
* Object information -- tostring metamethod
*/
@ -869,8 +747,6 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
lua_pop(L, 4);
/* Found, use this context */
if (newctx) {
p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
pctx->L = L;
SSL_set_SSL_CTX(ssl, newctx);
return SSL_TLSEXT_ERR_OK;
}
@ -948,7 +824,7 @@ static int meth_getalpn(lua_State *L)
static int meth_copyright(lua_State *L)
{
lua_pushstring(L, "LuaSec 1.2.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
lua_pushstring(L, "LuaSec 1.0.1 - Copyright (C) 2006-2021 Bruno Silvestre, UFG"
#if defined(WITH_LUASOCKET)
"\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
#endif
@ -995,12 +871,9 @@ static luaL_Reg methods[] = {
{"getfd", meth_getfd},
{"getfinished", meth_getfinished},
{"getpeercertificate", meth_getpeercertificate},
{"getlocalcertificate", meth_getlocalcertificate},
{"getpeerchain", meth_getpeerchain},
{"getlocalchain", meth_getlocalchain},
{"getpeerverification", meth_getpeerverification},
{"getpeerfinished", meth_getpeerfinished},
{"exportkeyingmaterial",meth_exportkeyingmaterial},
{"getsniname", meth_getsniname},
{"getstats", meth_getstats},
{"setstats", meth_setstats},

4
src/ssl.h
View File

@ -2,9 +2,9 @@
#define LSEC_SSL_H
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2006-2022 Bruno Silvestre
* Copyright (C) 2006-2021 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

51
src/ssl.lua
View File

@ -1,7 +1,7 @@
------------------------------------------------------------------------------
-- LuaSec 1.2.0
-- LuaSec 1.0.1
--
-- Copyright (C) 2006-2022 Bruno Silvestre
-- Copyright (C) 2006-2021 Bruno Silvestre
--
------------------------------------------------------------------------------
@ -10,6 +10,11 @@ local context = require("ssl.context")
local x509 = require("ssl.x509")
local config = require("ssl.config")
local ocsp
if config.capabilities.ocsp then
ocsp = require("ssl.context.ocsp")
end
local unpack = table.unpack or unpack
-- We must prevent the contexts to be collected before the connections,
@ -201,39 +206,16 @@ local function newcontext(cfg)
if not succ then return nil, msg end
end
-- PSK
if cfg.psk then
if cfg.mode == "client" then
if type(cfg.psk) ~= "function" then
return nil, "invalid PSK configuration"
end
succ = context.setclientpskcb(ctx, cfg.psk)
if not succ then return nil, msg end
elseif cfg.mode == "server" then
if type(cfg.psk) == "function" then
succ, msg = context.setserverpskcb(ctx, cfg.psk)
if not succ then return nil, msg end
elseif type(cfg.psk) == "table" then
if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
succ, msg = context.setpskhint(ctx, cfg.psk.hint)
if not succ then return succ, msg end
succ = context.setserverpskcb(ctx, cfg.psk.callback)
if not succ then return succ, msg end
else
return nil, "invalid PSK configuration"
end
else
return nil, "invalid PSK configuration"
end
end
if config.capabilities.dane and cfg.dane then
context.setdane(ctx)
end
if config.capabilities.dane and cfg.dane then
if type(cfg.dane) == "table" then
context.setdane(ctx, unpack(cfg.dane))
else
context.setdane(ctx)
end
if config.capabilities.ocsp and cfg.ocsp then
msg = "error setting OCSP"
succ = type(cfg.ocsp) == "function"
if not succ then return nil, msg end
succ = context.setocspcb(ctx, cfg.ocsp)
if not succ then return nil, msg end
end
return ctx
@ -302,9 +284,10 @@ core.setmethod("info", info)
--
local _M = {
_VERSION = "1.2.0",
_VERSION = "1.0.1",
_COPYRIGHT = core.copyright(),
config = config,
ocsp = ocsp,
loadcertificate = x509.load,
newcontext = newcontext,
wrap = wrap,

12
src/x509.c
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -655,11 +655,10 @@ static int meth_set_encode(lua_State* L)
return 1;
}
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
/**
* Get signature name.
*/
static int meth_get_signature_name(lua_State* L)
static int meth_get_sinagure_name(lua_State* L)
{
p_x509 px = lsec_checkp_x509(L, 1);
int nid = X509_get_signature_nid(px->cert);
@ -670,7 +669,6 @@ static int meth_get_signature_name(lua_State* L)
lua_pushstring(L, name);
return 1;
}
#endif
/*---------------------------------------------------------------------------*/
@ -700,9 +698,7 @@ static luaL_Reg methods[] = {
{"digest", meth_digest},
{"setencode", meth_set_encode},
{"extensions", meth_extensions},
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
{"getsignaturename", meth_get_signature_name},
#endif
{"getsignaturename", meth_get_sinagure_name},
{"issuer", meth_issuer},
{"notbefore", meth_notbefore},
{"notafter", meth_notafter},

4
src/x509.h
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.2.0
* LuaSec 1.0.1
*
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/