Release LuaSec 1.3.2

Addressing #159 and #160

.gitignore

@@ -0,0 +1,3 @@
+/src/*.o
+/src/luasocket/*.o
+/*.dll

CHANGELOG

@@ -1,3 +1,232 @@
+--------------------------------------------------------------------------------
+LuaSec 1.3.2
+---------------
+This version includes:
+
+* Fix: place EAI_OVERFLOW inside macro, unbreak build on <10.7 (Sergey Fedorov)
+* Fix: Expand workaround for zero errno to OpenSSL 3.0.x (Kim Alvefur)
+* Fix: reset block timeout at send or receive (MartinDahlberg)
+
+--------------------------------------------------------------------------------
+LuaSec 1.3.1
+---------------
+This version includes:
+
+* Fix: check if PSK is available
+
+--------------------------------------------------------------------------------
+LuaSec 1.3.0
+---------------
+This version includes:
+
+* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
+* Add Pre-Shared Key (PSK) support (@jclab-joseph)
+
+--------------------------------------------------------------------------------
+LuaSec 1.2.0
+---------------
+This version includes:
+
+* Add key material export method
+* Backguard compat for openssl on providers, like LTS linuxes
+
+--------------------------------------------------------------------------------
+LuaSec 1.1.0
+---------------
+This version includes:
+
+* Fix missing DANE flag
+* Remove unused parameter in https.lua
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.2
+---------------
+This version includes:
+
+* Fix handle SSL_send SYSCALL error without errno
+* Fix off by one in cert:validat(notafter)
+* Fix meth_get_{sinagure => signature}_name function name
+* Fix update the Lua state reference on the selected SSL context after SNI
+* Fix ignore SSL_OP_BIT(n) macro and update option.c
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.1
+---------------
+This version includes:
+
+
+* Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
+
+--------------------------------------------------------------------------------
+LuaSec 1.0
+---------------
+This version includes:
+
+
+* Add cert:getsignaturename()
+
+--------------------------------------------------------------------------------
+LuaSec 0.9
+---------------
+This version includes:
+
+
+* Add DNS-based Authentication of Named Entities (DANE) support
+* Add __close() metamethod
+* Fix deprecation warnings with OpenSSL 1.1
+* Fix special case listing of TLS 1.3 EC curves
+* Fix general_name leak in cert:extensions()
+* Fix unexported 'ssl.config' table
+* Replace $(LD) with $(CCLD) variable
+* Remove multiple definitions of 'ssl_options' variable
+* Use tag in git format: v0.9
+
+--------------------------------------------------------------------------------
+LuaSec 0.8.2
+---------------
+This version includes:
+
+* Fix unexported 'ssl.config' table (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.8.1
+---------------
+This version includes:
+
+* Fix general_name leak in cert:extensions() (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.8
+---------------
+This version includes:
+
+* Add support to ALPN
+* Add support to TLS 1.3
+* Add support to multiple certificates
+* Add timeout to https module (https.TIMEOUT)
+* Drop support to SSL 3.0
+* Drop support to TLS 1.0 from https module
+* Fix invalid reference to Lua state
+* Fix memory leak when get certficate extensions
+
+--------------------------------------------------------------------------------
+LuaSec 0.7.2
+---------------
+This version includes:
+
+* Fix unexported 'ssl.config' table (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.7.1
+---------------
+This version includes:
+
+* Fix general_name leak in cert:extensions() (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.7
+---------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+Documentation: https://github.com/brunoos/luasec/wiki
+
+This version includes:
+
+* Add support to OpenSSL 1.1.0
+* Add support to elliptic curves list
+* Add ssl.config that exports some OpenSSL information
+* Add integration with luaossl
+
+--------------------------------------------------------------------------------
+LuaSec 0.6
+------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+Documentation: https://github.com/brunoos/luasec/wiki
+
+This version includes:
+
+* Lua 5.2 and 5.3 compatibility
+
+* Context module:
+  - Add ctx:checkkey()
+
+* SSL module:
+  - Add conn:sni() and conn:getsniname()
+
+* Context options:
+  - Add "any" protocol ("sslv23" is deprecated)
+
+* HTTPS module:
+  - Using "any" protocol without SSLv2/SSLv3, by default
+
+* X509 module:
+  - Human readable IP address
+  - Add cert:issued()
+  - Add cert:pubkey()
+
+* Some bug fixes
+
+
+=> Thanks to everyone who collaborate with LuaSec <=
+
+--------------------------------------------------------------------------------
+LuaSec 0.5
+------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+This  version  includes:
+
+  * A new certificate (X509) API, which supports:
+    - Reading  the subject  (identity) and  issuer of the certificate.
+    - Reading  various X509  extensions, including email  and dnsName.
+    - Converting  certificates  to and  from  the  standard ASCII  PEM
+      format.
+    - Generating the fingerprint/digest of a certificate  (using SHA1,
+      SHA256 or SHA512).
+    - Reading the  certificate's expiration, serial number,  and other
+      info.
+
+  * The ability  to get more  detailed information from  OpenSSL about
+    why a certificate failed verification, for each certificate in the
+    chain.
+  
+  * Flags to  force acceptance of invalid certificates,  e.g. to allow
+    the use of self-signed certificates in a Trust On First Use model.
+
+  * Flags to control checking CRLs for certificate revocation status.
+  
+  * Support for ECDH cipher suites.
+  
+  * An API  to get the TLS  'finished' messages used  for SASL channel
+    binding (e.g. the SCRAM PLUS mechanisms).
+
+The work in  this release was undertaken by  Kim Alvefur, Paul Aurich,
+Tobias Markmann, Bruno Silvestre and Matthew Wild.
+
+--------------------------------------------------------------------------------
+LuaSec 0.4.1
+------------
+- SSL options updated --- based on OpenSSL 1.0.0d.
+- Activate SSL_MODE_RELEASE_BUFFERS by default if it is available.
+  (thanks Prosody project)
+
+---------------------------------------------------------------------------------
+LuaSec 0.4
+------------
+- Add option 'no_ticket' (included in OpenSSL 0.9.8f).
+- Add HTTPS module. (thanks Tomas Guisasola and Pablo Musa)
+
+--------------------------------------------------------------------------------
+LuaSec 0.3.3
+------------
+- BUG: Clear the error queue before call I/O functions (see SSL_get_error 
+  manual).
+  (thanks Matthew Wild)
+
 --------------------------------------------------------------------------------
 LuaSec 0.3.2
 ------------
@@ -19,7 +248,7 @@ LuaSec 0.3
 --------------------------------------------------------------------------------
 LuaSec 0.2.1
 ------------
-- 'key' and 'certificate' configurations become optional. (thanks Ren<EFBFBD> Rebe)
+- 'key' and 'certificate' configurations become optional. (thanks René Rebe)
 - Add '_VERSION' variable to module.
 
 --------------------------------------------------------------------------------

INSTALL

@@ -1,10 +1,22 @@
-LuaSec 0.3.2
+LuaSec 1.3.2
 ------------
 
+* OpenSSL options:
+
+    By default, this version includes options for OpenSSL 3.0.8
+
+    If you need to generate the options for a different version of OpenSSL:
+
+      $ cd src
+      $ lua options.lua -g /usr/include/openssl/ssl.h > options.c
+
+--------------------------------------------------------------------------------
+
 * On Linux, BSD, and Mac OS X:
 
   - Edit 'Makefile'
-    * Inform the path to install the modules.
+    * Inform the path to where install the Lua modules (LUAPATH) and binaries 
+      modules (LUACPATH)
     * If Lua or OpenSSL are not in the default path, set the 
       variables INCDIR and LIBDIR.
     * For Mac OS X, set the variable MACOSX_VERSION.
@@ -14,6 +26,8 @@ LuaSec 0.3.2
 
   - Use 'make install' to install the modules.
 
+--------------------------------------------------------------------------------
+
 * On Windows:
   
   - Use the Visual C++ project to compile the library.
@@ -21,3 +35,5 @@ LuaSec 0.3.2
   - Copy the 'ssl.lua' file to some place in your LUA_PATH.
 
   - Copy the 'ssl.dll' file to some place in your LUA_CPATH.
+
+  - Create a directory 'ssl' in your LUA_PATH and copy 'https.lua' to it.

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 0.3.2 license
-Copyright (C) 2006-2009 Bruno Silvestre
+LuaSec 1.3.2 license
+Copyright (C) 2006-2023 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the
@@ -19,27 +19,3 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-----------------------------------------------------------------------
-
-LuaSocket 2.0.2 license
-Copyright <20> 2004-2007 Diego Nehab
-
-Permission is hereby granted, free  of charge, to any person obtaining
-a  copy  of this  software  and  associated documentation  files  (the
-"Software"), to  deal in  the Software without  restriction, including
-without limitation  the rights to  use, copy, modify,  merge, publish,
-distribute, sublicense,  and/or sell  copies of  the Software,  and to
-permit persons to whom the Software  is furnished to do so, subject to
-the following conditions:
-
-The  above  copyright  notice  and this  permission  notice  shall  be
-included in all copies or substantial portions of the Software.
-
-THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
-EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT  SHALL THE AUTHORS OR COPYRIGHT HOLDERS  BE LIABLE FOR ANY
-CLAIM, DAMAGES OR  OTHER LIABILITY, WHETHER IN AN  ACTION OF CONTRACT,
-TORT OR  OTHERWISE, ARISING  FROM, OUT  OF OR  IN CONNECTION  WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Makefile

@@ -1,16 +1,22 @@
-# Inform the location to intall the modules
-LUAPATH=/usr/local/share/lua/5.1
-CPATH=/usr/local/lib/lua/5.1
+# Inform the location to install the modules
+LUAPATH  ?= /usr/share/lua/5.1
+LUACPATH ?= /usr/lib/lua/5.1
 
-# Edit the lines below to inform new path, if necessary
-#
-#INCDIR=-I/usr/local/lua-5.1/include -I/usr/local/openssl-0.9.8/include
-#LIBDIR=-L/usr/local/openssl-0.9.8/lib -R/usr/local/openssl-0.9.8/lib
+# Compile with build-in LuaSocket's help files.
+# Comment this lines if you will link with non-internal LuaSocket's help files
+#  and edit INCDIR and LIBDIR properly.
+EXTRA = luasocket
+DEFS  = -DWITH_LUASOCKET
+
+# Edit the lines below to inform new path, if necessary.
+# Path below points to internal LuaSocket's help files.
+INC_PATH ?= -I/usr/include
+LIB_PATH ?= -L/usr/lib
+INCDIR    = -I. $(INC_PATH)
+LIBDIR    = -L./luasocket $(LIB_PATH)
 
 # For Mac OS X: set the system version
-MACOSX_VERSION=10.4
-
-DEFS=-DBUFFER_DEBUG
+MACOSX_VERSION=10.11
 
 #----------------------
 # Do not edit this part
@@ -26,25 +32,25 @@ none:
 	@echo "  * macosx"
 
 install:
-	@cd src ; $(MAKE) CPATH="$(CPATH)" LUAPATH="$(LUAPATH)" install
+	@cd src && $(MAKE) LUACPATH="$(LUACPATH)" LUAPATH="$(LUAPATH)" install
 
 linux:
 	@echo "---------------------"
 	@echo "** Build for Linux **"
 	@echo "---------------------"
-	@cd src ; $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" $@
+	@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
 
 bsd:
 	@echo "-------------------"
 	@echo "** Build for BSD **"
 	@echo "-------------------"
-	@cd src ; $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" $@
+	@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
 
 macosx:
 	@echo "------------------------------"
 	@echo "** Build for Mac OS X $(MACOSX_VERSION) **"
 	@echo "------------------------------"
-	@cd src ; $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" DEFS="$(DEFS)" MACVER="$(MACOSX_VERSION)" $@
+	@cd src && $(MAKE) INCDIR="$(INCDIR)" LIBDIR="$(LIBDIR)" MACVER="$(MACOSX_VERSION)" DEFS="$(DEFS)" EXTRA="$(EXTRA)" $@
 
 clean:
-	@cd src ; $(MAKE) clean
+	@cd src && $(MAKE) clean

README.md

@@ -1,4 +1,6 @@
-luasec
-======
+LuaSec 1.3.2
+===============
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
 
-LuaSec
+Documentation: https://github.com/brunoos/luasec/wiki

luasec-1.3.2-1.rockspec

@@ -0,0 +1,105 @@
+package = "LuaSec"
+version = "1.3.2-1"
+source = {
+  url = "git+https://github.com/brunoos/luasec",
+  tag = "v1.3.2",
+}
+description = {
+   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
+   detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
+   homepage = "https://github.com/brunoos/luasec/wiki",
+   license = "MIT"
+}
+dependencies = {
+   "lua >= 5.1", "luasocket"
+}
+external_dependencies = {
+   platforms = {
+      unix = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+            library = "ssl"
+         }
+      },
+      windows = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+         }
+      },
+   }
+}
+build = {
+   type = "builtin",
+   copy_directories = {
+      "samples"
+   },
+   platforms = {
+      unix = {
+         install = {
+            lib = {
+               "ssl.so"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               defines = {
+                  "WITH_LUASOCKET", "LUASOCKET_DEBUG",
+               },
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket",
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)"
+               },
+               libraries = {
+                  "ssl", "crypto"
+               },
+               sources = {
+                  "src/options.c", "src/config.c", "src/ec.c", 
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/usocket.c"
+               }
+            }
+         }
+      },
+      windows = {
+         install = {
+            lib = {
+               "ssl.dll"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               defines = {
+                  "WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
+                  "WITH_LUASOCKET", "LUASOCKET_DEBUG",
+                  "LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)",
+                  "$(OPENSSL_BINDIR)",
+               },
+               libraries = {
+                  "libssl", "libcrypto", "ws2_32"
+               },
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
+               },
+               sources = {
+                  "src/options.c", "src/config.c", "src/ec.c", 
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/wsocket.c"
+               }
+            }
+         }
+      }
+   }
+}

luasec.sln

@@ -1,6 +1,6 @@
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "luasec", "luasec.vcproj", "{A629932F-8819-4C0B-8835-CBF1FEED6376}"
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "luasec", "luasec.vcxproj", "{A629932F-8819-4C0B-8835-CBF1FEED6376}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

luasec.vcproj

@@ -1,253 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9,00"
-	Name="luasec"
-	ProjectGUID="{A629932F-8819-4C0B-8835-CBF1FEED6376}"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="131072"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="Debug"
-			IntermediateDirectory="Debug"
-			ConfigurationType="2"
-			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
-			CharacterSet="2"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				AdditionalIncludeDirectories="C:\devel\openssl\include;C:\devel\lua-dll9\include"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				AdditionalDependencies="ws2_32.lib  libeay32MDd.lib ssleay32MDd.lib lua5.1.lib"
-				OutputFile="$(OutDir)/ssl.dll"
-				LinkIncremental="2"
-				AdditionalLibraryDirectories="C:\devel\openssl\lib\VC;C:\devel\lua-dll9"
-				GenerateDebugInformation="true"
-				ProgramDatabaseFile="$(OutDir)/luasec.pdb"
-				SubSystem="2"
-				RandomizedBaseAddress="1"
-				DataExecutionPrevention="0"
-				ImportLibrary="$(OutDir)/ssl.lib"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="Release"
-			IntermediateDirectory="Release"
-			ConfigurationType="2"
-			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
-			CharacterSet="2"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				AdditionalIncludeDirectories="C:\devel\openssl\include;C:\devel\lua-dll9\include"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;BUFFER_DEBUG;LUASEC_API=__declspec(dllexport)"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				AdditionalDependencies="ws2_32.lib libeay32MD.lib ssleay32MD.lib lua5.1.lib"
-				OutputFile="$(OutDir)/ssl.dll"
-				LinkIncremental="1"
-				AdditionalLibraryDirectories="C:\devel\openssl\lib\VC;C:\devel\lua-dll9"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				RandomizedBaseAddress="1"
-				DataExecutionPrevention="0"
-				ImportLibrary="$(OutDir)/ssl.lib"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\src\buffer.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\context.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\io.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\ssl.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\timeout.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\wsocket.c"
-				>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
-			>
-			<File
-				RelativePath=".\src\buffer.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\context.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\io.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\socket.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\ssl.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\timeout.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\wsocket.h"
-				>
-			</File>
-		</Filter>
-		<Filter
-			Name="Resource Files"
-			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx"
-			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
-			>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>

luasec.vcxproj

@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A629932F-8819-4C0B-8835-CBF1FEED6376}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Debug\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Debug\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Release\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Release\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <TargetName Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">ssl</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <OutputFile>$(OutDir)ssl.dll</OutputFile>
+      <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)luasec.pdb</ProgramDatabaseFile>
+      <SubSystem>Windows</SubSystem>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)ssl.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <AdditionalIncludeDirectories>C:\devel\openssl-1.1.0\include;C:\devel\lua-5.1\include;.\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_WIN32;NDEBUG;_WINDOWS;_USRDLL;LUASOCKET_DEBUG;WITH_LUASOCKET;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)ssl.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="src\config.c" />
+    <ClCompile Include="src\context.c" />
+    <ClCompile Include="src\ec.c" />
+    <ClCompile Include="src\luasocket\buffer.c" />
+    <ClCompile Include="src\luasocket\io.c" />
+    <ClCompile Include="src\luasocket\timeout.c" />
+    <ClCompile Include="src\luasocket\wsocket.c" />
+    <ClCompile Include="src\options.c" />
+    <ClCompile Include="src\ssl.c" />
+    <ClCompile Include="src\x509.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\compat.h" />
+    <ClInclude Include="src\config.h" />
+    <ClInclude Include="src\context.h" />
+    <ClInclude Include="src\ec.h" />
+    <ClInclude Include="src\luasocket\buffer.h" />
+    <ClInclude Include="src\luasocket\io.h" />
+    <ClInclude Include="src\luasocket\socket.h" />
+    <ClInclude Include="src\luasocket\timeout.h" />
+    <ClInclude Include="src\luasocket\wsocket.h" />
+    <ClInclude Include="src\options.h" />
+    <ClInclude Include="src\ssl.h" />
+    <ClInclude Include="src\x509.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

samples/README

@@ -1,17 +1,32 @@
-In all examples, the SSL/TLS  layer can be disable just commenting the
-wrap  section.   In this  case,  the  examples  work with  normal  TCP
-communication.
-
 Directories: 
 ------------
-* certs
- It  contains a set of  certificates used in the examples.  You can use
- the  scrits  to  recreate  them  if  necessary  (due  to  certificates
- expiration  date,  for example).  First,  generate the Root CA 'A' and 
- 'B', then the servers and clients.
+* alpn
+ Test ALPN (Application-Layer Protocol Negotiation) support.
 
-* oneshot
- A simple connection example.
+* certs
+ Contains scripts to generate the certificates used by the examples.
+ Generate Root CA 'A' and 'B' first, then the servers and clients.
+
+* chain
+ Example of certificate chain in handshake.
+
+* curve-negotiation
+ Elliptic curve negotiation.
+
+* dhparam
+ DH parameters for handshake.
+
+* digest
+ Certificate digest.
+
+* ecdh
+ Elliptic curve cipher.
+
+* info
+ Information about the connection.
+
+* key
+ Test encrypted private key.
 
 * loop
  Test successive connections between the server and the client 
@@ -19,16 +34,34 @@ Directories:
 
 * loop-gc
  Same of above,  but the connection is not  explicit closed, the gabage
- collector is encharge of it.
+ collector is encharge of that.
+
+* luaossl
+ Integration with luaossl.
+
+* multicert
+ Support to multiple certificate for dual RSA/ECDSA.
+
+* oneshot
+ A simple connection example.
+
+* psk
+ PSK(Pre Shared Key) support.
+
+* sni
+ Support to SNI (Server Name Indication).
+
+* verification
+ Retrieve the certificate verification errors from the handshake.
+
+* verify
+ Ignore handshake errors and proceed.
+
+* want
+ Test want() method.
 
 * wantread
  Test timeout in handshake() and receive().
 
 * wantwrite
  Test timeout in send().
-
-* want
- Test want().
-
-* key
- Test encrypted private key.

samples/alpn/client.lua

@@ -0,0 +1,27 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = {"foo","bar","baz"}
+   alpn = "foo"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("ALPN", peer:getalpn())
+
+peer:close()

samples/alpn/server.lua

@@ -0,0 +1,77 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+--
+-- Callback that selects one protocol from client's list.
+--
+local function alpncb01(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Selecting:", protocols[1])
+   return protocols[1]
+end
+
+--
+-- Callback that returns a fixed list, ignoring the client's list.
+--
+local function alpncb02(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Returning a fixed list") 
+   return {"bar", "foo"}
+end
+
+--
+-- Callback that generates a list as it whishes.
+--
+local function alpncb03(protocols)
+   local resp = {}
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+      if k%2 ~= 0 then resp[#resp+1] = v end
+   end
+   print("--- Returning an odd list")
+   return resp
+end
+
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = alpncb01,
+   --alpn = alpncb02,
+   --alpn = alpncb03,
+   alpn = {"bar", "baz", "foo"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("ALPN", peer:getalpn())
+
+peer:close()
+server:close()

samples/certs/all.bat

@@ -0,0 +1,14 @@
+REM make sure the 'openssl.exe' commandline tool is in your path before starting!
+REM set the path below;
+set opensslpath=c:\program files (x86)\openssl-win32\bin
+
+
+
+setlocal
+set path=%opensslpath%;%path%
+call roota.bat
+call rootb.bat
+call servera.bat
+call serverb.bat
+call clienta.bat
+call clientb.bat

samples/certs/all.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+./rootA.sh
+./rootB.sh
+./clientA.sh
+./clientB.sh
+./serverA.sh
+./serverB.sh

samples/certs/clientA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+
+copy clientAcert.pem + rootA.pem clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem

samples/certs/clientA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

samples/certs/clientB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+
+copy clientBcert.pem + rootB.pem clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem

samples/certs/clientB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

samples/certs/rootA.bat

@@ -0,0 +1,7 @@
+REM #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/rootA.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootB.bat

@@ -0,0 +1,7 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/rootB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/serverA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+
+copy serverAcert.pem + rootA.pem serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem

samples/certs/serverA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -118,7 +118,7 @@ x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # so use this option with caution!
 string_mask = nombstr
 
-# req_extensions = v3_req # The extensions to add to a certificate request
+# req_extensions = v3_ext # The extensions to add to a certificate request
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@@ -172,7 +172,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.
 
 # This is OK for an SSL server.
-# nsCertType			= server
+nsCertType			= server
 
 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
-# subjectAltName=email:move
+subjectAltName=DNS:foo.bar.example
 
 # Copy subject details
 # issuerAltName=issuer:copy

samples/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

samples/certs/serverB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+
+copy serverBcert.pem + rootB.pem serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem

samples/certs/serverB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -172,7 +172,7 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.
 
 # This is OK for an SSL server.
-# nsCertType			= server
+nsCertType			= server
 
 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-# subjectAltName=email:copy
+subjectAltName=DNS:fnord.bar.example
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move

samples/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

samples/chain/client.lua

@@ -0,0 +1,36 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+local util   = require("util") 
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local conn = socket.tcp()
+conn:connect("127.0.0.1", 8888)
+
+conn = assert( ssl.wrap(conn, params) )
+assert(conn:dohandshake())
+
+util.show( conn:getpeercertificate() )
+
+print("----------------------------------------------------------------------")
+
+for k, cert in ipairs( conn:getpeerchain() ) do
+  util.show(cert)
+end
+
+local cert = conn:getpeercertificate()
+print( cert )
+print( cert:pem() )
+
+conn:close()

samples/chain/server.lua

@@ -0,0 +1,72 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+local util   = require("util")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local conn = server:accept()
+
+conn = assert( ssl.wrap(conn, ctx) )
+assert( conn:dohandshake() )
+
+util.show( conn:getpeercertificate() )
+
+print("----------------------------------------------------------------------")
+
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+  if k == 1 then
+    assert(cert:pem() == conn:getlocalcertificate():pem())
+  end
+end
+
+local f = io.open(params.certificate)
+local str = f:read("*a")
+f:close()
+
+util.show( ssl.loadcertificate(str) )
+
+print("----------------------------------------------------------------------")
+local cert = conn:getpeercertificate()
+print( cert )
+print( cert:digest() )
+print( cert:digest("sha1") )
+print( cert:digest("sha256") )
+print( cert:digest("sha512") )
+
+conn:close()
+server:close()

samples/chain/util.lua

@@ -0,0 +1,22 @@
+local print  = print
+local ipairs = ipairs
+
+local _ENV = {}
+
+function _ENV.show(cert)
+  print("Serial:", cert:serial())
+  print("NotBefore:", cert:notbefore())
+  print("NotAfter:", cert:notafter())
+  print("--- Issuer ---")
+  for k, v in ipairs(cert:issuer()) do
+    print(v.name .. " = " .. v.value)
+  end
+
+  print("--- Subject ---")
+  for k, v in ipairs(cert:subject()) do
+    print(v.name .. " = " .. v.value)
+  end
+  print("----------------------------------------------------------------------")
+end
+
+return _ENV

samples/curve-negotiation/client.lua

@@ -0,0 +1,28 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "any",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all"},
+   --
+   curve = "P-256:P-384",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/curve-negotiation/server.lua

@@ -0,0 +1,37 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all"},
+   --
+   curve = "P-384:P-256:P-521",
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot with curve negotiation test\n")
+peer:close()

samples/dane/client.lua

@@ -0,0 +1,40 @@
+
+local socket = require "socket";
+local ssl = require "ssl";
+
+local dns = require "lunbound".new();
+
+
+local cfg = {
+	protocol = "tlsv1_2",
+	mode = "client",
+	ciphers = "DEFAULT",
+	capath = "/etc/ssl/certs",
+	verify = "peer",
+	dane = true,
+};
+
+local function daneconnect(host, port)
+   port = port or "443";
+	local conn = ssl.wrap(socket.connect(host, port), cfg);
+
+	local tlsa = dns:resolve("_" .. port .. "._tcp." .. host, 52);
+	assert(tlsa.secure, "Insecure DNS");
+
+	assert(conn:setdane(host));
+	for i = 1, tlsa.n do
+		local usage, selector, mtype = tlsa[i] :byte(1, 3);
+		assert(conn:settlsa(usage, selector, mtype, tlsa[i] :sub(4, - 1)));
+	end
+
+	assert(conn:dohandshake());
+	return conn;
+end
+
+if not ... then
+   print("Usage: client.lua example.com [port]");
+   return os.exit(1);
+end
+local conn = daneconnect(...);
+
+print(conn:getpeerverification());

samples/dhparam/client.lua

@@ -0,0 +1,27 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "any",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   ciphers = "EDH+AESGCM"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/dhparam/params.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+openssl dhparam -2 -out dh-512.pem  -outform PEM 512
+openssl dhparam -2 -out dh-1024.pem -outform PEM 1024

samples/dhparam/server.lua

@@ -0,0 +1,62 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local function readfile(filename)
+  local fd = assert(io.open(filename))
+  local dh = fd:read("*a")
+  fd:close()
+  return dh
+end
+
+local function dhparam_cb(export, keylength)
+  print("---")
+  print("DH Callback")
+  print("Export", export)
+  print("Key length", keylength)
+  print("---")
+  local filename
+  if keylength == 512 then
+    filename = "dh-512.pem"
+  elseif keylength == 1024 then
+    filename = "dh-1024.pem"
+  else
+    -- No key
+    return nil
+  end
+  return readfile(filename)
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   dhparam = dhparam_cb,
+   ciphers = "EDH+AESGCM"
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot test\n")
+peer:close()

samples/digest/client.lua

@@ -0,0 +1,26 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/digest/server.lua

@@ -0,0 +1,44 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local cert = peer:getpeercertificate()
+local sha1   = cert:digest("sha1")
+local sha256 = cert:digest("sha256")
+local sha512 = cert:digest("sha512")
+
+print("SHA1",   sha1)
+print("SHA256", sha256)
+print("SHA512", sha512)
+
+peer:send("oneshot test\n")
+peer:close()

samples/ecdh/client.lua

@@ -0,0 +1,33 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --
+   curve = "secp384r1",
+}
+
+--------------------------------------------------------------------------------
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO  ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()

samples/ecdh/server.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --
+   curve = "secp384r1",
+}
+
+------------------------------------------------------------------------------
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

samples/info/client.lua

@@ -0,0 +1,26 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/info/server.lua

@@ -0,0 +1,48 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+
+-- Before handshake: nil
+print( peer:info() )
+
+assert( peer:dohandshake() )
+--]]
+
+print("---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+
+print("---")
+print("-> Compression", peer:info("compression"))
+
+peer:send("oneshot test\n")
+peer:close()

samples/key/genkey.sh

@@ -1,3 +1,3 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl genrsa -des3 -out key.pem -passout pass:foobar 2048

samples/key/loadkey.lua

@@ -1,7 +1,7 @@
 --
 -- Public domain
 --
-require("ssl")
+local ssl = require("ssl")
 
 local pass = "foobar"
 local cfg = {

samples/loop-gc/client.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do

samples/loop-gc/server.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/loop/client.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do
@@ -23,6 +23,8 @@ while true do
    assert( peer:dohandshake() )
    --]]
 
+   peer:getpeercertificate():extensions()
+
    print(peer:receive("*l"))
    peer:close()
 end

samples/loop/server.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/luaossl/client.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local pkey = require "openssl.pkey"
+local ssl_context = require "openssl.ssl.context"
+local x509 = require "openssl.x509"
+local x509_store = require "openssl.x509.store"
+
+local function read_file(path)
+	local file, err, errno = io.open(path, "rb")
+	if not file then
+		return nil, err, errno
+	end
+	local contents
+	contents, err, errno = file:read "*a"
+	file:close()
+	return contents, err, errno
+end
+
+local ctx = ssl_context.new("TLSv1_2", false)
+ctx:setPrivateKey(pkey.new(assert(read_file("../certs/clientAkey.pem"))))
+ctx:setCertificate(x509.new(assert(read_file("../certs/clientA.pem"))))
+local store = x509_store.new()
+store:add("../certs/rootA.pem")
+ctx:setStore(store)
+ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/luaossl/server.lua

@@ -0,0 +1,58 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local pkey = require "openssl.pkey"
+local ssl_context = require "openssl.ssl.context"
+local x509 = require "openssl.x509"
+local x509_store = require "openssl.x509.store"
+
+local function read_file(path)
+	local file, err, errno = io.open(path, "rb")
+	if not file then
+		return nil, err, errno
+	end
+	local contents
+	contents, err, errno = file:read "*a"
+	file:close()
+	return contents, err, errno
+end
+
+local ctx = ssl_context.new("TLSv1_2", true)
+ctx:setPrivateKey(pkey.new(assert(read_file("../certs/serverAkey.pem"))))
+ctx:setCertificate(x509.new(assert(read_file("../certs/serverA.pem"))))
+local store = x509_store.new()
+store:add("../certs/rootA.pem")
+ctx:setStore(store)
+ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
+
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+
+-- Before handshake: nil
+print( peer:info() )
+
+assert( peer:dohandshake() )
+--]]
+
+print("---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+
+print("---")
+print("-> Compression", peer:info("compression"))
+
+peer:send("oneshot test\n")
+peer:close()

samples/multicert/client-ecdsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientECDSAkey.pem",
+   certificate = "certs/clientECDSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!aRSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/client-rsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientRSAkey.pem",
+   certificate = "certs/clientRSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!ECDSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/gencerts.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+mkdir -p certs
+
+openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
+openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
+
+openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
+openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
+
+openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
+
+openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch

samples/multicert/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode         = "server",
+   protocol     = "any",
+   certificates = { 
+      -- Comment line below and 'client-rsa' stop working
+      { certificate = "certs/serverRSA.pem",   key = "certs/serverRSAkey.pem"   },
+      -- Comment line below and 'client-ecdsa' stop working
+      { certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
+   },
+   verify  = "none",
+   options = "all"
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot test\n")
+peer:close()

samples/oneshot/client.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/oneshot/server.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/psk/client.lua

@@ -0,0 +1,41 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+if not ssl.config.capabilities.psk then
+   print("[ERRO] PSK not available")
+   os.exit(1)
+end
+
+-- @param hint (nil | string)
+-- @param max_identity_len (number)
+-- @param max_psk_len (number)
+-- @return identity (string)
+-- @return PSK (string)
+local function pskcb(hint, max_identity_len, max_psk_len)
+   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
+   return "abcd", "1234"
+end
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   psk = pskcb,
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()

samples/psk/server.lua

@@ -0,0 +1,60 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+if not ssl.config.capabilities.psk then
+   print("[ERRO] PSK not available")
+   os.exit(1)
+end
+
+-- @param identity (string)
+-- @param max_psk_len (number)
+-- @return psk (string)
+local function pskcb(identity, max_psk_len)
+   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
+   if identity == "abcd" then
+     return "1234"
+  end
+  return nil
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   options = "all",
+
+-- PSK with just a callback
+   psk = pskcb,
+
+-- PSK with identity hint
+--   psk = {
+--      hint = "hintpsksample",
+--      callback = pskcb,
+--   },
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

samples/sni/client.lua

@@ -0,0 +1,35 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+  mode = "client",
+  protocol = "tlsv1_2",
+  key = "../certs/clientAkey.pem",
+  certificate = "../certs/clientA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "peer",
+  options = "all",
+}
+
+local conn = socket.tcp()
+conn:connect("127.0.0.1", 8888)
+
+-- TLS/SSL initialization
+conn = ssl.wrap(conn, params)
+
+-- Comment the lines to not send a name
+--conn:sni("servera.br")
+--conn:sni("serveraa.br")
+conn:sni("serverb.br")
+
+assert(conn:dohandshake())
+--
+local cert = conn:getpeercertificate()
+for k, v in pairs(cert:subject()) do
+  for i, j in pairs(v) do
+    print(i, j)
+  end
+end
+--
+print(conn:receive("*l"))
+conn:close()

samples/sni/server.lua

@@ -0,0 +1,52 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params01 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAkey.pem",
+  certificate = "../certs/serverA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+local params02 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAAkey.pem",
+  certificate = "../certs/serverAA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+--
+local ctx01 = ssl.newcontext(params01)
+local ctx02 = ssl.newcontext(params02)
+
+--
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+server:bind("127.0.0.1", 8888)
+server:listen()
+local conn = server:accept()
+--
+
+-- Default context (when client does not send a name) is ctx01
+conn = ssl.wrap(conn, ctx01)
+
+-- Configure the name map
+local sni_map = {
+  ["servera.br"]  = ctx01,
+  ["serveraa.br"] = ctx02,
+}
+
+conn:sni(sni_map, true)
+
+assert(conn:dohandshake())
+--
+conn:send("one line\n")
+conn:close()

samples/verification/fail-string/client.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1",
+   key = "../../certs/clientBkey.pem",
+   certificate = "../../certs/clientB.pem",
+   cafile = "../../certs/rootB.pem",
+   verify = "none",
+   options = "all",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/fail-string/server.lua

@@ -0,0 +1,37 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "tlsv1",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = "none",
+   options = "all",
+}
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+peer:send("oneshot test\n")
+peer:close()

samples/verification/fail-table/client.lua

@@ -0,0 +1,39 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1",
+   key = "../../certs/clientBkey.pem",
+   certificate = "../../certs/clientB.pem",
+   cafile = "../../certs/rootB.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   verifyext = "lsec_continue",
+}
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+--]]
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/fail-table/server.lua

@@ -0,0 +1,43 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "tlsv1",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   verifyext = {"lsec_continue", "crl_check", "crl_check_chain"},
+}
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+peer:send("oneshot test\n")
+peer:close()

samples/verification/success/client.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1",
+   key = "../../certs/clientAkey.pem",
+   certificate = "../../certs/clientA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+print(peer:receive("*l"))
+peer:close()

samples/verification/success/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "tlsv1",
+   key = "../../certs/serverAkey.pem",
+   certificate = "../../certs/serverA.pem",
+   cafile = "../../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+local err, msg = peer:getpeerverification()
+print(err, msg)
+
+peer:send("oneshot test\n")
+peer:close()

samples/verify/client.lua

@@ -0,0 +1,35 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/serverBkey.pem",
+   certificate = "../certs/serverB.pem",
+   cafile = "../certs/rootB.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   verifyext = {"lsec_continue", "lsec_ignore_purpose"},
+   options = "all",
+}
+
+local ctx = assert(ssl.newcontext(params))
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+print(peer:receive("*l"))
+peer:close()

samples/verify/server.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   verifyext = {"lsec_continue", "lsec_ignore_purpose"},
+   options = "all",
+}
+
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+local succ, errs = peer:getpeerverification()
+print(succ, errs)
+for i, err in pairs(errs) do
+  for j, msg in ipairs(err) do
+    print("depth = " .. i, "error = " .. msg)
+  end
+end
+
+peer:send("oneshot test\n")
+peer:close()

samples/want/client.lua

@@ -3,17 +3,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- Wait until socket is ready (for reading or writing)

samples/want/server.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantread/client.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/wantread/server.lua

@@ -3,17 +3,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantwrite/client.lua

@@ -1,17 +1,17 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local function wait(peer, err)

samples/wantwrite/server.lua

@@ -1,19 +1,19 @@
 --
 -- Public domain
 --
-require("socket")
-require("ssl")
+local socket = require("socket")
+local ssl    = require("ssl")
 
 print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

src/Makefile

@@ -2,60 +2,65 @@ CMOD=ssl.so
 LMOD=ssl.lua
 
 OBJS= \
- timeout.o \
- buffer.o \
- io.o \
- usocket.o \
+ options.o \
+ x509.o    \
  context.o \
- ssl.o
+ ssl.o     \
+ config.o  \
+ ec.o
 
-LIBS=-lssl -lcrypto
+LIBS=-lssl -lcrypto -lluasocket
 
 WARN=-Wall -pedantic
 
-BSD_CFLAGS=-O2 -fpic $(WARN) $(INCDIR) $(DEFS)
-BSD_LDFLAGS=-O -shared -fpic $(LIBDIR)
+BSD_CFLAGS=-O2 -fPIC $(WARN) $(INCDIR) $(DEFS)
+BSD_LDFLAGS=-O -fPIC -shared $(LIBDIR)
 
-LNX_CFLAGS=-O2 -fpic $(WARN) $(INCDIR) $(DEFS)
-LNX_LDFLAGS=-O -shared -fpic $(LIBDIR)
+LNX_CFLAGS=-O2 -fPIC $(WARN) $(INCDIR) $(DEFS)
+LNX_LDFLAGS=-O -fPIC -shared $(LIBDIR)
 
 MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
 MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
 MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
 
-CP=cp
-CC=gcc
-LD=$(MYENV) gcc
-CFLAGS=$(MYCFLAGS)
-LDFLAGS=$(MYLDFLAGS)
+INSTALL  = install
+CC      ?= cc
+CCLD      ?= $(MYENV) $(CC)
+CFLAGS  += $(MYCFLAGS)
+LDFLAGS += $(MYLDFLAGS)
 
-.PHONY: all clean install none linux bsd macosx
+.PHONY: all clean install none linux bsd macosx luasocket
 
 all:
 
 install: $(CMOD) $(LMOD)
-	$(CP) $(CMOD) $(CPATH)
-	$(CP) $(LMOD) $(LUAPATH)
+	$(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
+	$(INSTALL) $(CMOD) $(DESTDIR)$(LUACPATH)
+	$(INSTALL) -m644 $(LMOD) $(DESTDIR)$(LUAPATH)
+	$(INSTALL) -m644 https.lua $(DESTDIR)$(LUAPATH)/ssl
 
 linux:
-	@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)"
+	@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"
 
 bsd:
-	@$(MAKE) $(CMOD) MYCFLAGS="$(BSD_CFLAGS)" MYLDFLAGS="$(BSD_LDFLAGS)"
+	@$(MAKE) $(CMOD) MYCFLAGS="$(BSD_CFLAGS)" MYLDFLAGS="$(BSD_LDFLAGS)" EXTRA="$(EXTRA)"
 
 macosx:
-	@$(MAKE) $(CMOD) MYCFLAGS="$(MAC_CFLAGS)" MYLDFLAGS="$(MAC_LDFLAGS)" MYENV="$(MAC_ENV)"
+	@$(MAKE) $(CMOD) MYCFLAGS="$(MAC_CFLAGS)" MYLDFLAGS="$(MAC_LDFLAGS)" MYENV="$(MAC_ENV)" EXTRA="$(EXTRA)"
 
+luasocket:
+	@cd luasocket && $(MAKE)
 
-$(CMOD): $(OBJS)
-	$(LD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+$(CMOD): $(EXTRA) $(OBJS)
+	$(CCLD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
 
 clean:
+	cd luasocket && $(MAKE) clean
 	rm -f $(OBJS) $(CMOD)
 
-buffer.o: buffer.c buffer.h io.h timeout.h
-io.o: io.c io.h timeout.h
-timeout.o: timeout.c timeout.h
-usocket.o: usocket.c socket.h io.h timeout.h usocket.h
-context.o: context.c context.h
-ssl.o: ssl.c socket.h io.h timeout.h usocket.h buffer.h context.h context.c
+options.o: options.h options.c
+ec.o: ec.c ec.h
+x509.o: x509.c x509.h compat.h
+context.o: context.c context.h ec.h compat.h options.h
+ssl.o: ssl.c ssl.h context.h x509.h compat.h
+config.o: config.c ec.h options.h compat.h

src/compat.h

@@ -0,0 +1,63 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#ifndef LSEC_COMPAT_H
+#define LSEC_COMPAT_H
+
+#include <openssl/ssl.h>
+
+//------------------------------------------------------------------------------
+
+#if defined(_WIN32)
+#define LSEC_API __declspec(dllexport) 
+#else
+#define LSEC_API extern
+#endif
+
+//------------------------------------------------------------------------------
+
+#if (LUA_VERSION_NUM == 501)
+
+#define luaL_testudata(L, ud, tname)  lsec_testudata(L, ud, tname)
+#define setfuncs(L, R)    luaL_register(L, NULL, R)
+#define lua_rawlen(L, i)  lua_objlen(L, i)
+
+#ifndef luaL_newlib
+#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
+#endif
+
+#else
+#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
+#endif
+
+//------------------------------------------------------------------------------
+
+#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
+#define LSEC_ENABLE_DANE
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !((defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
+#define LSEC_API_OPENSSL_1_1_0
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L || (OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x30000000L)
+#define LSEC_OPENSSL_ERRNO_BUG
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
+#define LSEC_ENABLE_PSK
+#endif
+
+//------------------------------------------------------------------------------
+
+#endif

src/config.c

@@ -0,0 +1,108 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include "compat.h"
+#include "options.h"
+#include "ec.h"
+
+/**
+ * Registre the module.
+ */
+LSEC_API int luaopen_ssl_config(lua_State *L)
+{
+  lsec_ssl_option_t *opt;
+
+  lua_newtable(L);
+
+  // Options
+  lua_pushstring(L, "options");
+  lua_newtable(L);
+  for (opt = lsec_get_ssl_options(); opt->name; opt++) {
+    lua_pushstring(L, opt->name);
+    lua_pushboolean(L, 1);
+    lua_rawset(L, -3);
+  }
+  lua_rawset(L, -3);
+
+  // Protocols
+  lua_pushstring(L, "protocols");
+  lua_newtable(L);
+
+  lua_pushstring(L, "tlsv1");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "tlsv1_1");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "tlsv1_2");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#ifdef TLS1_3_VERSION
+  lua_pushstring(L, "tlsv1_3");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+
+  lua_rawset(L, -3);
+
+  // Algorithms
+  lua_pushstring(L, "algorithms");
+  lua_newtable(L);
+
+#ifndef OPENSSL_NO_EC
+  lua_pushstring(L, "ec");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+  lua_rawset(L, -3);
+ 
+  // Curves
+  lua_pushstring(L, "curves");
+  lsec_get_curves(L);
+  lua_rawset(L, -3);
+
+  // Capabilities
+  lua_pushstring(L, "capabilities");
+  lua_newtable(L);
+
+  // ALPN
+  lua_pushstring(L, "alpn");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+
+#ifdef LSEC_ENABLE_PSK
+  lua_pushstring(L, "psk");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+
+#ifdef LSEC_ENABLE_DANE
+  // DANE
+  lua_pushstring(L, "dane");
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  lua_createtable(L, 0, 1);
+  lua_pushstring(L, "no_ee_namechecks");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#else
+  lua_pushboolean(L, 1);
+#endif
+  lua_rawset(L, -3);
+#endif
+
+#ifndef OPENSSL_NO_EC
+  lua_pushstring(L, "curves_list");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "ecdh_auto");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+  lua_rawset(L, -3);
+
+  return 1;
+}

src/context.h

@@ -1,35 +1,47 @@
-#ifndef __CONTEXT_H__
-#define __CONTEXT_H__
+#ifndef LSEC_CONTEXT_H
+#define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.3.2
- * Copyright (C) 2006-2009 Bruno Silvestre
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
 #include <lua.h>
 #include <openssl/ssl.h>
 
-#ifndef LUASEC_API
-#define LUASEC_API extern
-#endif
+#include "compat.h"
 
-#define MD_CTX_INVALID 0
-#define MD_CTX_SERVER 1
-#define MD_CTX_CLIENT 2
+#define LSEC_MODE_INVALID 0
+#define LSEC_MODE_SERVER  1
+#define LSEC_MODE_CLIENT  2
+
+#define LSEC_VERIFY_CONTINUE        1
+#define LSEC_VERIFY_IGNORE_PURPOSE  2
 
 typedef struct t_context_ {
   SSL_CTX *context;
-  char mode;
+  lua_State *L;
+  DH *dh_param;
+  void *alpn;
+  int mode;
 } t_context;
 typedef t_context* p_context;
 
 /* Retrieve the SSL context from the Lua stack */
-SSL_CTX *ctx_getcontext(lua_State *L, int idx);
+SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
+SSL_CTX *lsec_testcontext(lua_State *L, int idx);
+
 /* Retrieve the mode from the context in the Lua stack */
-char ctx_getmode(lua_State *L, int idx);
+int lsec_getmode(lua_State *L, int idx);
 
 /* Registre the module. */
-LUASEC_API int luaopen_ssl_context(lua_State *L);
+LSEC_API int luaopen_ssl_context(lua_State *L);
+
+/* Compat - Lua 5.1 */
+#if (LUA_VERSION_NUM == 501)
+void *lsec_testudata (lua_State *L, int ud, const char *tname);
+#endif
 
 #endif

src/ec.c

@@ -0,0 +1,116 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include <openssl/objects.h>
+
+#include "ec.h"
+
+#ifndef OPENSSL_NO_EC
+
+EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
+{
+  int nid;
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_rawget(L, LUA_REGISTRYINDEX);
+  lua_pushstring(L, str);
+  lua_rawget(L, -2);
+
+  if (!lua_isnumber(L, -1))
+    return NULL;
+
+  nid = (int)lua_tonumber(L, -1);
+  return EC_KEY_new_by_curve_name(nid);
+}
+
+void lsec_load_curves(lua_State *L)
+{
+  size_t i;
+  size_t size;
+  const char *name;
+  EC_builtin_curve *curves = NULL;
+
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_newtable(L);
+
+  size = EC_get_builtin_curves(NULL, 0);
+  if (size > 0) {
+    curves = (EC_builtin_curve*)malloc(sizeof(EC_builtin_curve) * size);
+    EC_get_builtin_curves(curves, size);
+    for (i = 0; i < size; i++) {
+      name = OBJ_nid2sn(curves[i].nid);
+      if (name != NULL) {
+        lua_pushstring(L, name);
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+      }
+      switch (curves[i].nid) {
+      case NID_X9_62_prime256v1:
+        lua_pushstring(L, "P-256");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      case NID_secp384r1:
+        lua_pushstring(L, "P-384");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      case NID_secp521r1:
+        lua_pushstring(L, "P-521");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      }
+    }
+    free(curves);
+  }
+
+  /* These are special so are manually added here */
+#ifdef NID_X25519
+  lua_pushstring(L, "X25519");
+  lua_pushnumber(L, NID_X25519);
+  lua_rawset(L, -3);
+#endif
+
+#ifdef NID_X448
+  lua_pushstring(L, "X448");
+  lua_pushnumber(L, NID_X448);
+  lua_rawset(L, -3);
+#endif
+
+  lua_rawset(L,  LUA_REGISTRYINDEX);
+}
+
+void lsec_get_curves(lua_State *L)
+{
+  lua_newtable(L);
+
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_rawget(L, LUA_REGISTRYINDEX);
+
+  lua_pushnil(L);
+  while (lua_next(L, -2) != 0) {
+    lua_pop(L, 1);
+    lua_pushvalue(L, -1);
+    lua_pushboolean(L, 1);
+    lua_rawset(L, -5);
+  }
+  lua_pop(L, 1);
+}
+
+#else
+
+void lsec_load_curves(lua_State *L)
+{
+  // do nothing
+}
+
+void lsec_get_curves(lua_State *L)
+{
+  lua_newtable(L);
+}
+
+#endif

src/ec.h

@@ -0,0 +1,22 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#ifndef LSEC_EC_H
+#define LSEC_EC_H
+
+#include <lua.h>
+
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+
+EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);
+#endif
+
+void lsec_get_curves(lua_State *L);
+void lsec_load_curves(lua_State *L);
+
+#endif

src/https.lua

@@ -0,0 +1,147 @@
+----------------------------------------------------------------------------
+-- LuaSec 1.3.2
+--
+-- Copyright (C) 2009-2023 PUC-Rio
+--
+-- Author: Pablo Musa
+-- Author: Tomas Guisasola
+---------------------------------------------------------------------------
+
+local socket = require("socket")
+local ssl    = require("ssl")
+local ltn12  = require("ltn12")
+local http   = require("socket.http")
+local url    = require("socket.url")
+
+local try    = socket.try
+
+--
+-- Module
+--
+local _M = {
+  _VERSION   = "1.3.2",
+  _COPYRIGHT = "LuaSec 1.3.2 - Copyright (C) 2009-2023 PUC-Rio",
+  PORT       = 443,
+  TIMEOUT    = 60
+}
+
+-- TLS configuration
+local cfg = {
+  protocol = "any",
+  options  = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  verify   = "none",
+}
+
+--------------------------------------------------------------------
+-- Auxiliar Functions
+--------------------------------------------------------------------
+
+-- Insert default HTTPS port.
+local function default_https_port(u)
+   return url.build(url.parse(u, {port = _M.PORT}))
+end
+
+-- Convert an URL to a table according to Luasocket needs.
+local function urlstring_totable(url, body, result_table)
+   url = {
+      url = default_https_port(url),
+      method = body and "POST" or "GET",
+      sink = ltn12.sink.table(result_table)
+   }
+   if body then
+      url.source = ltn12.source.string(body)
+      url.headers = {
+         ["content-length"] = #body,
+         ["content-type"] = "application/x-www-form-urlencoded",
+      }
+   end
+   return url
+end
+
+-- Forward calls to the real connection object.
+local function reg(conn)
+   local mt = getmetatable(conn.sock).__index
+   for name, method in pairs(mt) do
+      if type(method) == "function" then
+         conn[name] = function (self, ...)
+                         return method(self.sock, ...)
+                      end
+      end
+   end
+end
+
+-- Return a function which performs the SSL/TLS connection.
+local function tcp(params)
+   params = params or {}
+   -- Default settings
+   for k, v in pairs(cfg) do 
+      params[k] = params[k] or v
+   end
+   -- Force client mode
+   params.mode = "client"
+   -- 'create' function for LuaSocket
+   return function ()
+      local conn = {}
+      conn.sock = try(socket.tcp())
+      local st = getmetatable(conn.sock).__index.settimeout
+      function conn:settimeout(...)
+         return st(self.sock, _M.TIMEOUT)
+      end
+      -- Replace TCP's connection function
+      function conn:connect(host, port)
+         try(self.sock:connect(host, port))
+         self.sock = try(ssl.wrap(self.sock, params))
+         self.sock:sni(host)
+         self.sock:settimeout(_M.TIMEOUT)
+         try(self.sock:dohandshake())
+         reg(self)
+         return 1
+      end
+      return conn
+  end
+end
+
+--------------------------------------------------------------------
+-- Main Function
+--------------------------------------------------------------------
+
+-- Make a HTTP request over secure connection.  This function receives
+--  the same parameters of LuaSocket's HTTP module (except 'proxy' and
+--  'redirect') plus LuaSec parameters.
+--
+-- @param url mandatory (string or table)
+-- @param body optional (string)
+-- @return (string if url == string or 1), code, headers, status
+--
+local function request(url, body)
+  local result_table = {}
+  local stringrequest = type(url) == "string"
+  if stringrequest then
+    url = urlstring_totable(url, body, result_table)
+  else
+    url.url = default_https_port(url.url)
+  end
+  if http.PROXY or url.proxy then
+    return nil, "proxy not supported"
+  elseif url.redirect then
+    return nil, "redirect not supported"
+  elseif url.create then
+    return nil, "create function not permitted"
+  end
+  -- New 'create' function to establish a secure connection
+  url.create = tcp(url)
+  local res, code, headers, status = http.request(url)
+  if res and stringrequest then
+    return table.concat(result_table), code, headers, status
+  end
+  return res, code, headers, status
+end
+
+--------------------------------------------------------------------------------
+-- Export module
+--
+
+_M.request = request
+_M.tcp = tcp
+
+return _M

src/luasocket/LICENSE

@@ -0,0 +1,21 @@
+LuaSocket 3.0-RC1 license
+Copyright (C) 2004-2013 Diego Nehab
+
+Permission is hereby granted, free  of charge, to any person obtaining
+a  copy  of this  software  and  associated documentation  files  (the
+"Software"), to  deal in  the Software without  restriction, including
+without limitation  the rights to  use, copy, modify,  merge, publish,
+distribute, sublicense,  and/or sell  copies of  the Software,  and to
+permit persons to whom the Software  is furnished to do so, subject to
+the following conditions:
+
+The  above  copyright  notice  and this  permission  notice  shall  be
+included in all copies or substantial portions of the Software.
+
+THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT  SHALL THE AUTHORS OR COPYRIGHT HOLDERS  BE LIABLE FOR ANY
+CLAIM, DAMAGES OR  OTHER LIABILITY, WHETHER IN AN  ACTION OF CONTRACT,
+TORT OR  OTHERWISE, ARISING  FROM, OUT  OF OR  IN CONNECTION  WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

src/luasocket/Makefile

@@ -0,0 +1,26 @@
+OBJS= \
+ io.o \
+ buffer.o \
+ timeout.o \
+ usocket.o
+
+CC	?= cc
+CFLAGS	+= $(MYCFLAGS) -DLUASOCKET_DEBUG
+AR	?= ar
+RANLIB	?= ranlib
+
+.PHONY: all clean
+
+all: libluasocket.a
+
+libluasocket.a: $(OBJS)
+	$(AR) rcu $@ $(OBJS)
+	$(RANLIB) $@
+
+clean:
+	rm -f $(OBJS) libluasocket.a
+
+buffer.o: buffer.c buffer.h io.h timeout.h
+io.o: io.c io.h timeout.h
+timeout.o: timeout.c timeout.h
+usocket.o: usocket.c socket.h io.h timeout.h usocket.h

src/luasocket/buffer.c

@@ -1,10 +1,6 @@
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Input/Output interface for Lua programs
-*
-* RCS ID: $Id: buffer.c,v 1.28 2007/06/11 23:44:54 diego Exp $
+* LuaSocket toolkit
 \*=========================================================================*/
 #include "lua.h"
 #include "lauxlib.h"
@@ -32,6 +28,14 @@ static int sendraw(p_buffer buf, const char *data, size_t count, size_t *sent);
 /*=========================================================================*\
 * Exported functions
 \*=========================================================================*/
+/*-------------------------------------------------------------------------*\
+* Initializes module
+\*-------------------------------------------------------------------------*/
+int buffer_open(lua_State *L) {
+    (void) L;
+    return 0;
+}
+
 /*-------------------------------------------------------------------------*\
 * Initializes C structure 
 \*-------------------------------------------------------------------------*/
@@ -39,6 +43,29 @@ void buffer_init(p_buffer buf, p_io io, p_timeout tm) {
     buf->first = buf->last = 0;
     buf->io = io;
     buf->tm = tm;
+    buf->received = buf->sent = 0;
+    buf->birthday = timeout_gettime();
+}
+
+/*-------------------------------------------------------------------------*\
+* object:getstats() interface
+\*-------------------------------------------------------------------------*/
+int buffer_meth_getstats(lua_State *L, p_buffer buf) {
+    lua_pushnumber(L, (lua_Number) buf->received);
+    lua_pushnumber(L, (lua_Number) buf->sent);
+    lua_pushnumber(L, timeout_gettime() - buf->birthday);
+    return 3;
+}
+
+/*-------------------------------------------------------------------------*\
+* object:setstats() interface
+\*-------------------------------------------------------------------------*/
+int buffer_meth_setstats(lua_State *L, p_buffer buf) {
+    buf->received = (long) luaL_optnumber(L, 2, (lua_Number) buf->received); 
+    buf->sent = (long) luaL_optnumber(L, 3, (lua_Number) buf->sent); 
+    if (lua_isnumber(L, 4)) buf->birthday = timeout_gettime() - lua_tonumber(L, 4);
+    lua_pushnumber(L, 1);
+    return 1;
 }
 
 /*-------------------------------------------------------------------------*\
@@ -51,7 +78,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     const char *data = luaL_checklstring(L, 2, &size);
     long start = (long) luaL_optnumber(L, 3, 1);
     long end = (long) luaL_optnumber(L, 4, -1);
-    p_timeout tm = timeout_markstart(buf->tm);
+    timeout_markstart(buf->tm);
     if (start < 0) start = (long) (size+start+1);
     if (end < 0) end = (long) (size+end+1);
     if (start < 1) start = (long) 1;
@@ -61,15 +88,15 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     if (err != IO_DONE) {
         lua_pushnil(L);
         lua_pushstring(L, buf->io->error(buf->io->ctx, err)); 
-        lua_pushnumber(L, sent+start-1);
+        lua_pushnumber(L, (lua_Number) (sent+start-1));
     } else {
-        lua_pushnumber(L, sent+start-1);
+        lua_pushnumber(L, (lua_Number) (sent+start-1));
         lua_pushnil(L);
         lua_pushnil(L);
     }
-#ifdef BUFFER_DEBUG
+#ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
     return lua_gettop(L) - top;
 }
@@ -78,11 +105,17 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
 * object:receive() interface
 \*-------------------------------------------------------------------------*/
 int buffer_meth_receive(lua_State *L, p_buffer buf) {
-    int err = IO_DONE, top = lua_gettop(L);
     luaL_Buffer b;
     size_t size;
-    const char *part = luaL_optlstring(L, 3, "", &size);
-    p_timeout tm = timeout_markstart(buf->tm);
+    const char *part;
+    int err = IO_DONE;
+    int top = lua_gettop(L);
+    if (top < 3) {
+        lua_settop(L, 3);
+        top = 3;
+    }
+    part = luaL_optlstring(L, 3, "", &size);
+    timeout_markstart(buf->tm);
     /* initialize buffer with optional extra prefix 
      * (useful for concatenating previous partial results) */
     luaL_buffinit(L, &b);
@@ -93,12 +126,18 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
         if (p[0] == '*' && p[1] == 'l') err = recvline(buf, &b);
         else if (p[0] == '*' && p[1] == 'a') err = recvall(buf, &b); 
         else luaL_argcheck(L, 0, 2, "invalid receive pattern");
-        /* get a fixed number of bytes (minus what was already partially 
-         * received) */
-    } else err = recvraw(buf, (size_t) lua_tonumber(L, 2)-size, &b);
+    /* get a fixed number of bytes (minus what was already partially 
+     * received) */
+    } else {
+        double n = lua_tonumber(L, 2); 
+        size_t wanted = (size_t) n;
+        luaL_argcheck(L, n >= 0, 2, "invalid receive pattern");
+        if (size == 0 || wanted > size)
+            err = recvraw(buf, wanted-size, &b);
+    }
     /* check if there was an error */
     if (err != IO_DONE) {
-        /* we can't push anyting in the stack before pushing the
+        /* we can't push anything in the stack before pushing the
          * contents of the buffer. this is the reason for the complication */
         luaL_pushresult(&b);
         lua_pushstring(L, buf->io->error(buf->io->ctx, err)); 
@@ -110,9 +149,9 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
         lua_pushnil(L);
         lua_pushnil(L);
     }
-#ifdef BUFFER_DEBUG 
+#ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
     return lua_gettop(L) - top;
 }
@@ -137,12 +176,13 @@ static int sendraw(p_buffer buf, const char *data, size_t count, size_t *sent) {
     size_t total = 0;
     int err = IO_DONE;
     while (total < count && err == IO_DONE) {
-        size_t done;
+        size_t done = 0;
         size_t step = (count-total <= STEPSIZE)? count-total: STEPSIZE;
         err = io->send(io->ctx, data+total, step, &done, tm);
         total += done;
     }
     *sent = total;
+    buf->sent += total;
     return err;
 }
 
@@ -195,7 +235,7 @@ static int recvline(p_buffer buf, luaL_Buffer *b) {
         pos = 0;
         while (pos < count && data[pos] != '\n') {
             /* we ignore all \r's */
-            if (data[pos] != '\r') luaL_putchar(b, data[pos]);
+            if (data[pos] != '\r') luaL_addchar(b, data[pos]);
             pos++;
         }
         if (pos < count) { /* found '\n' */
@@ -212,6 +252,7 @@ static int recvline(p_buffer buf, luaL_Buffer *b) {
 * transport layer
 \*-------------------------------------------------------------------------*/
 static void buffer_skip(p_buffer buf, size_t count) {
+    buf->received += count;
     buf->first += count;
     if (buffer_isempty(buf)) 
         buf->first = buf->last = 0;

src/luasocket/buffer.h

@@ -1,10 +1,8 @@
 #ifndef BUF_H
 #define BUF_H 
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Input/Output interface for Lua programs
+* LuaSocket toolkit
 *
 * Line patterns require buffering. Reading one character at a time involves
 * too many system calls and is very slow. This module implements the
@@ -16,11 +14,8 @@
 *
 * The module is built on top of the I/O abstraction defined in io.h and the
 * timeout management is done with the timeout.h interface.
-*
-*
-* RCS ID: $Id: buffer.h,v 1.12 2005/10/07 04:40:59 diego Exp $
 \*=========================================================================*/
-#include <lua.h>
+#include "lua.h"
 
 #include "io.h"
 #include "timeout.h"
@@ -30,6 +25,8 @@
 
 /* buffer control structure */
 typedef struct t_buffer_ {
+    double birthday;        /* throttle support info: creation time, */
+    size_t sent, received;  /* bytes sent, and bytes received */
     p_io io;                /* IO driver used for this buffer */
     p_timeout tm;           /* timeout management for this buffer */
     size_t first, last;     /* index of first and last bytes of stored data */
@@ -37,9 +34,12 @@ typedef struct t_buffer_ {
 } t_buffer;
 typedef t_buffer *p_buffer;
 
+int buffer_open(lua_State *L);
 void buffer_init(p_buffer buf, p_io io, p_timeout tm);
 int buffer_meth_send(lua_State *L, p_buffer buf);
 int buffer_meth_receive(lua_State *L, p_buffer buf);
+int buffer_meth_getstats(lua_State *L, p_buffer buf);
+int buffer_meth_setstats(lua_State *L, p_buffer buf);
 int buffer_isempty(p_buffer buf);
 
 #endif /* BUF_H */

src/luasocket/io.c

@@ -1,10 +1,6 @@
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-* 
 * Input/Output abstraction
-*
-* RCS ID: $Id: io.c 2 2006-04-30 19:30:47Z brunoos $
+* LuaSocket toolkit
 \*=========================================================================*/
 #include "io.h"
 

src/luasocket/io.h

@@ -1,10 +1,8 @@
 #ifndef IO_H
 #define IO_H
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Input/Output abstraction
+* LuaSocket toolkit
 *
 * This module defines the interface that LuaSocket expects from the
 * transport layer for streamed input/output. The idea is that if any
@@ -13,21 +11,18 @@
 *
 * The module socket.h implements this interface, and thus the module tcp.h
 * is very simple.
-*
-* RCS ID: $Id: io.h 6 2006-04-30 20:33:05Z brunoos $
 \*=========================================================================*/
 #include <stdio.h>
-#include <lua.h>
+#include "lua.h"
 
 #include "timeout.h"
 
 /* IO error codes */
 enum {
-    IO_DONE = 0,      /* operation completed successfully */
-    IO_TIMEOUT = -1,  /* operation timed out */
-    IO_CLOSED = -2,   /* the connection has been closed */
-    IO_UNKNOWN = -3,  /* Unknown error */
-    IO_SSL = -4       /* SSL error */
+    IO_DONE = 0,        /* operation completed successfully */
+    IO_TIMEOUT = -1,    /* operation timed out */
+    IO_CLOSED = -2,     /* the connection has been closed */
+	IO_UNKNOWN = -3     
 };
 
 /* interface to error message function */
@@ -48,7 +43,7 @@ typedef int (*p_send) (
 /* interface to recv function */
 typedef int (*p_recv) (
     void *ctx,          /* context needed by recv */
-    char *data,         /* pointer to buffer where data will be writen */
+    char *data,         /* pointer to buffer where data will be written */
     size_t count,       /* number of bytes to receive into buffer */
     size_t *got,        /* number of bytes received uppon return */
     p_timeout tm        /* timeout control */

src/luasocket/socket.h

@@ -1,17 +1,13 @@
 #ifndef SOCKET_H
 #define SOCKET_H
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Socket compatibilization module
+* LuaSocket toolkit
 *
 * BSD Sockets and WinSock are similar, but there are a few irritating
 * differences. Also, not all *nix platforms behave the same. This module
 * (and the associated usocket.h and wsocket.h) factor these differences and
 * creates a interface compatible with the io.h module.
-*
-* RCS ID: $Id: socket.h 2 2006-04-30 19:30:47Z brunoos $
 \*=========================================================================*/
 #include "io.h"
 
@@ -32,17 +28,51 @@
 \*=========================================================================*/
 #include "timeout.h"
 
+/* we are lazy... */
+typedef struct sockaddr SA;
+
 /*=========================================================================*\
-* Functions bellow implement a comfortable platform independent 
+* Functions below implement a comfortable platform independent 
 * interface to sockets
 \*=========================================================================*/
 int socket_open(void);
 int socket_close(void);
 void socket_destroy(p_socket ps);
+void socket_shutdown(p_socket ps, int how); 
+int socket_sendto(p_socket ps, const char *data, size_t count, 
+        size_t *sent, SA *addr, socklen_t addr_len, p_timeout tm);
+int socket_recvfrom(p_socket ps, char *data, size_t count, 
+        size_t *got, SA *addr, socklen_t *addr_len, p_timeout tm);
+
 void socket_setnonblocking(p_socket ps);
 void socket_setblocking(p_socket ps);
+
 int socket_waitfd(p_socket ps, int sw, p_timeout tm);
+int socket_select(t_socket n, fd_set *rfds, fd_set *wfds, fd_set *efds, 
+        p_timeout tm);
+
+int socket_connect(p_socket ps, SA *addr, socklen_t addr_len, p_timeout tm); 
+int socket_create(p_socket ps, int domain, int type, int protocol);
+int socket_bind(p_socket ps, SA *addr, socklen_t addr_len); 
+int socket_listen(p_socket ps, int backlog);
+int socket_accept(p_socket ps, p_socket pa, SA *addr, 
+        socklen_t *addr_len, p_timeout tm);
+
+const char *socket_hoststrerror(int err);
+const char *socket_gaistrerror(int err);
 const char *socket_strerror(int err);
-int socket_error();
+
+/* these are perfect to use with the io abstraction module 
+   and the buffered input module */
+int socket_send(p_socket ps, const char *data, size_t count, 
+        size_t *sent, p_timeout tm);
+int socket_recv(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm);
+int socket_write(p_socket ps, const char *data, size_t count, 
+        size_t *sent, p_timeout tm);
+int socket_read(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm);
+const char *socket_ioerror(p_socket ps, int err);
+
+int socket_gethostbyaddr(const char *addr, socklen_t len, struct hostent **hp);
+int socket_gethostbyname(const char *addr, struct hostent **hp);
 
 #endif /* SOCKET_H */

src/luasocket/timeout.c

@@ -1,12 +1,15 @@
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Timeout management functions
-*
-* RCS ID: $Id: timeout.c,v 1.30 2005/10/07 04:40:59 diego Exp $
+* LuaSocket toolkit
 \*=========================================================================*/
 #include <stdio.h>
+#include <limits.h>
+#include <float.h>
+
+#include "lua.h"
+#include "lauxlib.h"
+
+#include "timeout.h"
 
 #ifdef _WIN32
 #include <windows.h>
@@ -15,11 +18,6 @@
 #include <sys/time.h>
 #endif
 
-#include <lua.h>
-#include <lauxlib.h>
-
-#include "timeout.h"
-
 /* min and max macros */
 #ifndef MIN
 #define MIN(x, y) ((x) < (y) ? x : y)
@@ -28,6 +26,18 @@
 #define MAX(x, y) ((x) > (y) ? x : y)
 #endif
 
+/*=========================================================================*\
+* Internal function prototypes
+\*=========================================================================*/
+static int timeout_lua_gettime(lua_State *L);
+static int timeout_lua_sleep(lua_State *L);
+
+static luaL_Reg func[] = {
+    { "gettime", timeout_lua_gettime },
+    { "sleep", timeout_lua_sleep },
+    { NULL, NULL }
+};
+
 /*=========================================================================*\
 * Exported functions.
 \*=========================================================================*/
@@ -129,6 +139,18 @@ double timeout_gettime(void) {
 }
 #endif
 
+/*-------------------------------------------------------------------------*\
+* Initializes module
+\*-------------------------------------------------------------------------*/
+int timeout_open(lua_State *L) {
+#if LUA_VERSION_NUM > 501 && !defined(LUA_COMPAT_MODULE)
+    luaL_setfuncs(L, func, 0);
+#else
+    luaL_openlib(L, NULL, func, 0);
+#endif
+    return 0;
+}
+
 /*-------------------------------------------------------------------------*\
 * Sets timeout values for IO operations
 * Lua Input: base, time [, mode]
@@ -153,3 +175,46 @@ int timeout_meth_settimeout(lua_State *L, p_timeout tm) {
     return 1;
 }
 
+/*=========================================================================*\
+* Test support functions
+\*=========================================================================*/
+/*-------------------------------------------------------------------------*\
+* Returns the time the system has been up, in secconds.
+\*-------------------------------------------------------------------------*/
+static int timeout_lua_gettime(lua_State *L)
+{
+    lua_pushnumber(L, timeout_gettime());
+    return 1;
+}
+
+/*-------------------------------------------------------------------------*\
+* Sleep for n seconds.
+\*-------------------------------------------------------------------------*/
+#ifdef _WIN32
+int timeout_lua_sleep(lua_State *L)
+{
+    double n = luaL_checknumber(L, 1);
+    if (n < 0.0) n = 0.0;
+    if (n < DBL_MAX/1000.0) n *= 1000.0;
+    if (n > INT_MAX) n = INT_MAX;
+    Sleep((int)n);
+    return 0;
+}
+#else
+int timeout_lua_sleep(lua_State *L)
+{
+    double n = luaL_checknumber(L, 1);
+    struct timespec t, r;
+    if (n < 0.0) n = 0.0;
+    if (n > INT_MAX) n = INT_MAX;
+    t.tv_sec = (int) n;
+    n -= t.tv_sec;
+    t.tv_nsec = (int) (n * 1000000000);
+    if (t.tv_nsec >= 1000000000) t.tv_nsec = 999999999;
+    while (nanosleep(&t, &r) != 0) {
+        t.tv_sec = r.tv_sec;
+        t.tv_nsec = r.tv_nsec;
+    }
+    return 0;
+}
+#endif

src/luasocket/timeout.h

@@ -1,19 +1,15 @@
 #ifndef TIMEOUT_H
 #define TIMEOUT_H
 /*=========================================================================*\
-* LuaSocket 2.0.2
-* Copyright (C) 2004-2007 Diego Nehab
-*
 * Timeout management functions
-*
-* RCS ID: $Id: timeout.h 2 2006-04-30 19:30:47Z brunoos $
+* LuaSocket toolkit
 \*=========================================================================*/
-#include <lua.h>
+#include "lua.h"
 
 /* timeout control structure */
 typedef struct t_timeout_ {
     double block;          /* maximum time for blocking calls */
-    double total;          /* total number of miliseconds for operation */
+    double total;          /* total number of milliseconds for operation */
     double start;          /* time of start of operation */
 } t_timeout;
 typedef t_timeout *p_timeout;

src/luasocket/usocket.c

@@ -0,0 +1,441 @@
+/*=========================================================================*\
+* Socket compatibilization module for Unix
+* LuaSocket toolkit
+*
+* The code is now interrupt-safe.
+* The penalty of calling select to avoid busy-wait is only paid when
+* the I/O call fail in the first place. 
+\*=========================================================================*/
+#include <string.h> 
+#include <signal.h>
+
+#include "socket.h"
+
+/*-------------------------------------------------------------------------*\
+* Wait for readable/writable/connected socket with timeout
+\*-------------------------------------------------------------------------*/
+#ifndef SOCKET_SELECT
+int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
+    int ret;
+    struct pollfd pfd;
+    pfd.fd = *ps;
+    pfd.events = sw;
+    pfd.revents = 0;
+    if (timeout_iszero(tm)) return IO_TIMEOUT;  /* optimize timeout == 0 case */
+    do {
+        int t = (int)(timeout_getretry(tm)*1e3);
+        ret = poll(&pfd, 1, t >= 0? t: -1);
+    } while (ret == -1 && errno == EINTR);
+    if (ret == -1) return errno;
+    if (ret == 0) return IO_TIMEOUT;
+    if (sw == WAITFD_C && (pfd.revents & (POLLIN|POLLERR))) return IO_CLOSED;
+    return IO_DONE;
+}
+#else
+int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
+    int ret;
+    fd_set rfds, wfds, *rp, *wp;
+    struct timeval tv, *tp;
+    double t;
+    if (*ps >= FD_SETSIZE) return EINVAL;
+    if (timeout_iszero(tm)) return IO_TIMEOUT;  /* optimize timeout == 0 case */
+    do {
+        /* must set bits within loop, because select may have modified them */
+        rp = wp = NULL;
+        if (sw & WAITFD_R) { FD_ZERO(&rfds); FD_SET(*ps, &rfds); rp = &rfds; }
+        if (sw & WAITFD_W) { FD_ZERO(&wfds); FD_SET(*ps, &wfds); wp = &wfds; }
+        t = timeout_getretry(tm);
+        tp = NULL;
+        if (t >= 0.0) {
+            tv.tv_sec = (int)t;
+            tv.tv_usec = (int)((t-tv.tv_sec)*1.0e6);
+            tp = &tv;
+        }
+        ret = select(*ps+1, rp, wp, NULL, tp);
+    } while (ret == -1 && errno == EINTR);
+    if (ret == -1) return errno;
+    if (ret == 0) return IO_TIMEOUT;
+    if (sw == WAITFD_C && FD_ISSET(*ps, &rfds)) return IO_CLOSED;
+    return IO_DONE;
+}
+#endif
+
+
+/*-------------------------------------------------------------------------*\
+* Initializes module 
+\*-------------------------------------------------------------------------*/
+int socket_open(void) {
+    /* instals a handler to ignore sigpipe or it will crash us */
+    signal(SIGPIPE, SIG_IGN);
+    return 1;
+}
+
+/*-------------------------------------------------------------------------*\
+* Close module 
+\*-------------------------------------------------------------------------*/
+int socket_close(void) {
+    return 1;
+}
+
+/*-------------------------------------------------------------------------*\
+* Close and inutilize socket
+\*-------------------------------------------------------------------------*/
+void socket_destroy(p_socket ps) {
+    if (*ps != SOCKET_INVALID) {
+        socket_setblocking(ps);
+        close(*ps);
+        *ps = SOCKET_INVALID;
+    }
+}
+
+/*-------------------------------------------------------------------------*\
+* Select with timeout control
+\*-------------------------------------------------------------------------*/
+int socket_select(t_socket n, fd_set *rfds, fd_set *wfds, fd_set *efds, 
+        p_timeout tm) {
+    int ret;
+    do {
+        struct timeval tv;
+        double t = timeout_getretry(tm);
+        tv.tv_sec = (int) t;
+        tv.tv_usec = (int) ((t - tv.tv_sec) * 1.0e6);
+        /* timeout = 0 means no wait */
+        ret = select(n, rfds, wfds, efds, t >= 0.0 ? &tv: NULL);
+    } while (ret < 0 && errno == EINTR);
+    return ret;
+}
+
+/*-------------------------------------------------------------------------*\
+* Creates and sets up a socket
+\*-------------------------------------------------------------------------*/
+int socket_create(p_socket ps, int domain, int type, int protocol) {
+    *ps = socket(domain, type, protocol);
+    if (*ps != SOCKET_INVALID) return IO_DONE; 
+    else return errno; 
+}
+
+/*-------------------------------------------------------------------------*\
+* Binds or returns error message
+\*-------------------------------------------------------------------------*/
+int socket_bind(p_socket ps, SA *addr, socklen_t len) {
+    int err = IO_DONE;
+    socket_setblocking(ps);
+    if (bind(*ps, addr, len) < 0) err = errno; 
+    socket_setnonblocking(ps);
+    return err;
+}
+
+/*-------------------------------------------------------------------------*\
+* 
+\*-------------------------------------------------------------------------*/
+int socket_listen(p_socket ps, int backlog) {
+    int err = IO_DONE; 
+    socket_setblocking(ps);
+    if (listen(*ps, backlog)) err = errno; 
+    socket_setnonblocking(ps);
+    return err;
+}
+
+/*-------------------------------------------------------------------------*\
+* 
+\*-------------------------------------------------------------------------*/
+void socket_shutdown(p_socket ps, int how) {
+    socket_setblocking(ps);
+    shutdown(*ps, how);
+    socket_setnonblocking(ps);
+}
+
+/*-------------------------------------------------------------------------*\
+* Connects or returns error message
+\*-------------------------------------------------------------------------*/
+int socket_connect(p_socket ps, SA *addr, socklen_t len, p_timeout tm) {
+    int err;
+    /* avoid calling on closed sockets */
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    /* call connect until done or failed without being interrupted */
+    do if (connect(*ps, addr, len) == 0) return IO_DONE;
+    while ((err = errno) == EINTR);
+    /* if connection failed immediately, return error code */
+    if (err != EINPROGRESS && err != EAGAIN) return err; 
+    /* zero timeout case optimization */
+    if (timeout_iszero(tm)) return IO_TIMEOUT;
+    /* wait until we have the result of the connection attempt or timeout */
+    err = socket_waitfd(ps, WAITFD_C, tm);
+    if (err == IO_CLOSED) {
+        if (recv(*ps, (char *) &err, 0, 0) == 0) return IO_DONE;
+        else return errno;
+    } else return err;
+}
+
+/*-------------------------------------------------------------------------*\
+* Accept with timeout
+\*-------------------------------------------------------------------------*/
+int socket_accept(p_socket ps, p_socket pa, SA *addr, socklen_t *len, p_timeout tm) {
+    if (*ps == SOCKET_INVALID) return IO_CLOSED; 
+    for ( ;; ) {
+        int err;
+        if ((*pa = accept(*ps, addr, len)) != SOCKET_INVALID) return IO_DONE;
+        err = errno;
+        if (err == EINTR) continue;
+        if (err != EAGAIN && err != ECONNABORTED) return err;
+        if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err;
+    }
+    /* can't reach here */
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Send with timeout
+\*-------------------------------------------------------------------------*/
+int socket_send(p_socket ps, const char *data, size_t count, 
+        size_t *sent, p_timeout tm)
+{
+    int err;
+    *sent = 0;
+    /* avoid making system calls on closed sockets */
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    /* loop until we send something or we give up on error */
+    for ( ;; ) {
+        long put = (long) send(*ps, data, count, 0);
+        /* if we sent anything, we are done */
+        if (put >= 0) {
+            *sent = put;
+            return IO_DONE;
+        }
+        err = errno;
+        /* EPIPE means the connection was closed */
+        if (err == EPIPE) return IO_CLOSED;
+        /* we call was interrupted, just try again */
+        if (err == EINTR) continue;
+        /* if failed fatal reason, report error */
+        if (err != EAGAIN) return err;
+        /* wait until we can send something or we timeout */
+        if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
+    }
+    /* can't reach here */
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Sendto with timeout
+\*-------------------------------------------------------------------------*/
+int socket_sendto(p_socket ps, const char *data, size_t count, size_t *sent, 
+        SA *addr, socklen_t len, p_timeout tm)
+{
+    int err;
+    *sent = 0;
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    for ( ;; ) {
+        long put = (long) sendto(*ps, data, count, 0, addr, len);  
+        if (put >= 0) {
+            *sent = put;
+            return IO_DONE;
+        }
+        err = errno;
+        if (err == EPIPE) return IO_CLOSED;
+        if (err == EINTR) continue;
+        if (err != EAGAIN) return err;
+        if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
+    }
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Receive with timeout
+\*-------------------------------------------------------------------------*/
+int socket_recv(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm) {
+    int err;
+    *got = 0;
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    for ( ;; ) {
+        long taken = (long) recv(*ps, data, count, 0);
+        if (taken > 0) {
+            *got = taken;
+            return IO_DONE;
+        }
+        err = errno;
+        if (taken == 0) return IO_CLOSED;
+        if (err == EINTR) continue;
+        if (err != EAGAIN) return err; 
+        if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err; 
+    }
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Recvfrom with timeout
+\*-------------------------------------------------------------------------*/
+int socket_recvfrom(p_socket ps, char *data, size_t count, size_t *got, 
+        SA *addr, socklen_t *len, p_timeout tm) {
+    int err;
+    *got = 0;
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    for ( ;; ) {
+        long taken = (long) recvfrom(*ps, data, count, 0, addr, len);
+        if (taken > 0) {
+            *got = taken;
+            return IO_DONE;
+        }
+        err = errno;
+        if (taken == 0) return IO_CLOSED;
+        if (err == EINTR) continue;
+        if (err != EAGAIN) return err; 
+        if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err; 
+    }
+    return IO_UNKNOWN;
+}
+
+
+/*-------------------------------------------------------------------------*\
+* Write with timeout
+*
+* socket_read and socket_write are cut-n-paste of socket_send and socket_recv,
+* with send/recv replaced with write/read. We can't just use write/read
+* in the socket version, because behaviour when size is zero is different.
+\*-------------------------------------------------------------------------*/
+int socket_write(p_socket ps, const char *data, size_t count, 
+        size_t *sent, p_timeout tm)
+{
+    int err;
+    *sent = 0;
+    /* avoid making system calls on closed sockets */
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    /* loop until we send something or we give up on error */
+    for ( ;; ) {
+        long put = (long) write(*ps, data, count);
+        /* if we sent anything, we are done */
+        if (put >= 0) {
+            *sent = put;
+            return IO_DONE;
+        }
+        err = errno;
+        /* EPIPE means the connection was closed */
+        if (err == EPIPE) return IO_CLOSED;
+        /* we call was interrupted, just try again */
+        if (err == EINTR) continue;
+        /* if failed fatal reason, report error */
+        if (err != EAGAIN) return err;
+        /* wait until we can send something or we timeout */
+        if ((err = socket_waitfd(ps, WAITFD_W, tm)) != IO_DONE) return err;
+    }
+    /* can't reach here */
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Read with timeout
+* See note for socket_write
+\*-------------------------------------------------------------------------*/
+int socket_read(p_socket ps, char *data, size_t count, size_t *got, p_timeout tm) {
+    int err;
+    *got = 0;
+    if (*ps == SOCKET_INVALID) return IO_CLOSED;
+    for ( ;; ) {
+        long taken = (long) read(*ps, data, count);
+        if (taken > 0) {
+            *got = taken;
+            return IO_DONE;
+        }
+        err = errno;
+        if (taken == 0) return IO_CLOSED;
+        if (err == EINTR) continue;
+        if (err != EAGAIN) return err; 
+        if ((err = socket_waitfd(ps, WAITFD_R, tm)) != IO_DONE) return err; 
+    }
+    return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Put socket into blocking mode
+\*-------------------------------------------------------------------------*/
+void socket_setblocking(p_socket ps) {
+    int flags = fcntl(*ps, F_GETFL, 0);
+    flags &= (~(O_NONBLOCK));
+    fcntl(*ps, F_SETFL, flags);
+}
+
+/*-------------------------------------------------------------------------*\
+* Put socket into non-blocking mode
+\*-------------------------------------------------------------------------*/
+void socket_setnonblocking(p_socket ps) {
+    int flags = fcntl(*ps, F_GETFL, 0);
+    flags |= O_NONBLOCK;
+    fcntl(*ps, F_SETFL, flags);
+}
+
+/*-------------------------------------------------------------------------*\
+* DNS helpers 
+\*-------------------------------------------------------------------------*/
+int socket_gethostbyaddr(const char *addr, socklen_t len, struct hostent **hp) {
+    *hp = gethostbyaddr(addr, len, AF_INET);
+    if (*hp) return IO_DONE;
+    else if (h_errno) return h_errno;
+    else if (errno) return errno;
+    else return IO_UNKNOWN;
+}
+
+int socket_gethostbyname(const char *addr, struct hostent **hp) {
+    *hp = gethostbyname(addr);
+    if (*hp) return IO_DONE;
+    else if (h_errno) return h_errno;
+    else if (errno) return errno;
+    else return IO_UNKNOWN;
+}
+
+/*-------------------------------------------------------------------------*\
+* Error translation functions
+* Make sure important error messages are standard
+\*-------------------------------------------------------------------------*/
+const char *socket_hoststrerror(int err) {
+    if (err <= 0) return io_strerror(err);
+    switch (err) {
+        case HOST_NOT_FOUND: return "host not found";
+        default: return hstrerror(err);
+    }
+}
+
+const char *socket_strerror(int err) {
+    if (err <= 0) return io_strerror(err);
+    switch (err) {
+        case EADDRINUSE: return "address already in use";
+        case EISCONN: return "already connected";
+        case EACCES: return "permission denied";
+        case ECONNREFUSED: return "connection refused";
+        case ECONNABORTED: return "closed";
+        case ECONNRESET: return "closed";
+        case ETIMEDOUT: return "timeout";
+        default: return strerror(err);
+    }
+}
+
+const char *socket_ioerror(p_socket ps, int err) {
+    (void) ps;
+    return socket_strerror(err);
+} 
+
+const char *socket_gaistrerror(int err) {
+    if (err == 0) return NULL; 
+    switch (err) {
+        case EAI_AGAIN: return "temporary failure in name resolution";
+        case EAI_BADFLAGS: return "invalid value for ai_flags";
+#ifdef EAI_BADHINTS
+        case EAI_BADHINTS: return "invalid value for hints";
+#endif
+        case EAI_FAIL: return "non-recoverable failure in name resolution";
+        case EAI_FAMILY: return "ai_family not supported";
+        case EAI_MEMORY: return "memory allocation failure";
+        case EAI_NONAME: 
+            return "host or service not provided, or not known";
+#ifdef EAI_OVERFLOW
+        case EAI_OVERFLOW: return "argument buffer overflow";
+#endif
+#ifdef EAI_PROTOCOL
+        case EAI_PROTOCOL: return "resolved protocol is unknown";
+#endif
+        case EAI_SERVICE: return "service not supported for socket type";
+        case EAI_SOCKTYPE: return "ai_socktype not supported";
+        case EAI_SYSTEM: return strerror(errno); 
+        default: return gai_strerror(err);
+    }
+}
+

src/luasocket/usocket.h

@@ -0,0 +1,70 @@
+#ifndef USOCKET_H
+#define USOCKET_H
+/*=========================================================================*\
+* Socket compatibilization module for Unix
+* LuaSocket toolkit
+\*=========================================================================*/
+
+/*=========================================================================*\
+* BSD include files
+\*=========================================================================*/
+/* error codes */
+#include <errno.h>
+/* close function */
+#include <unistd.h>
+/* fnctnl function and associated constants */
+#include <fcntl.h>
+/* struct sockaddr */
+#include <sys/types.h>
+/* socket function */
+#include <sys/socket.h>
+/* struct timeval */
+#include <sys/time.h>
+/* gethostbyname and gethostbyaddr functions */
+#include <netdb.h>
+/* sigpipe handling */
+#include <signal.h>
+/* IP stuff*/
+#include <netinet/in.h>
+#include <arpa/inet.h>
+/* TCP options (nagle algorithm disable) */
+#include <netinet/tcp.h>
+#include <net/if.h>
+
+#ifndef SOCKET_SELECT
+#include <sys/poll.h>
+#define WAITFD_R        POLLIN
+#define WAITFD_W        POLLOUT
+#define WAITFD_C        (POLLIN|POLLOUT)
+#else
+#define WAITFD_R        1
+#define WAITFD_W        2
+#define WAITFD_C        (WAITFD_R|WAITFD_W)
+#endif
+
+#ifndef SO_REUSEPORT
+#define SO_REUSEPORT SO_REUSEADDR
+#endif
+
+/* Some platforms use IPV6_JOIN_GROUP instead if
+ * IPV6_ADD_MEMBERSHIP. The semantics are same, though. */
+#ifndef IPV6_ADD_MEMBERSHIP
+#ifdef IPV6_JOIN_GROUP
+#define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
+#endif /* IPV6_JOIN_GROUP */
+#endif /* !IPV6_ADD_MEMBERSHIP */
+
+/* Same with IPV6_DROP_MEMBERSHIP / IPV6_LEAVE_GROUP. */
+#ifndef IPV6_DROP_MEMBERSHIP
+#ifdef IPV6_LEAVE_GROUP
+#define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
+#endif /* IPV6_LEAVE_GROUP */
+#endif /* !IPV6_DROP_MEMBERSHIP */
+
+typedef int t_socket;
+typedef t_socket *p_socket;
+typedef struct sockaddr_storage t_sockaddr_storage;
+
+#define SOCKET_INVALID (-1)
+
+#endif /* USOCKET_H */