Update version number

ssl: Add :getlocalchain() + :getlocalcertificate() to mirror peer methods

.gitignore

@@ -0,0 +1,3 @@
+/src/*.o
+/src/luasocket/*.o
+/*.dll

CHANGELOG

@@ -1,7 +1,164 @@
+--------------------------------------------------------------------------------
+LuaSec 1.3.0
+---------------
+This version includes:
+
+* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
+* Add Pre-Shared Key (PSK) support (@jclab-joseph)
+
+--------------------------------------------------------------------------------
+LuaSec 1.2.0
+---------------
+This version includes:
+
+* Add key material export method
+* Backguard compat for openssl on providers, like LTS linuxes
+
+--------------------------------------------------------------------------------
+LuaSec 1.1.0
+---------------
+This version includes:
+
+* Fix missing DANE flag
+* Remove unused parameter in https.lua
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.2
+---------------
+This version includes:
+
+* Fix handle SSL_send SYSCALL error without errno
+* Fix off by one in cert:validat(notafter)
+* Fix meth_get_{sinagure => signature}_name function name
+* Fix update the Lua state reference on the selected SSL context after SNI
+* Fix ignore SSL_OP_BIT(n) macro and update option.c
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.1
+---------------
+This version includes:
+
+
+* Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
+
+--------------------------------------------------------------------------------
+LuaSec 1.0
+---------------
+This version includes:
+
+
+* Add cert:getsignaturename()
+
+--------------------------------------------------------------------------------
+LuaSec 0.9
+---------------
+This version includes:
+
+
+* Add DNS-based Authentication of Named Entities (DANE) support
+* Add __close() metamethod
+* Fix deprecation warnings with OpenSSL 1.1
+* Fix special case listing of TLS 1.3 EC curves
+* Fix general_name leak in cert:extensions()
+* Fix unexported 'ssl.config' table
+* Replace $(LD) with $(CCLD) variable
+* Remove multiple definitions of 'ssl_options' variable
+* Use tag in git format: v0.9
+
+--------------------------------------------------------------------------------
+LuaSec 0.8.2
+---------------
+This version includes:
+
+* Fix unexported 'ssl.config' table (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.8.1
+---------------
+This version includes:
+
+* Fix general_name leak in cert:extensions() (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.8
+---------------
+This version includes:
+
+* Add support to ALPN
+* Add support to TLS 1.3
+* Add support to multiple certificates
+* Add timeout to https module (https.TIMEOUT)
+* Drop support to SSL 3.0
+* Drop support to TLS 1.0 from https module
+* Fix invalid reference to Lua state
+* Fix memory leak when get certficate extensions
+
+--------------------------------------------------------------------------------
+LuaSec 0.7.2
+---------------
+This version includes:
+
+* Fix unexported 'ssl.config' table (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.7.1
+---------------
+This version includes:
+
+* Fix general_name leak in cert:extensions() (backported)
+
+--------------------------------------------------------------------------------
+LuaSec 0.7
+---------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+Documentation: https://github.com/brunoos/luasec/wiki
+
+This version includes:
+
+* Add support to OpenSSL 1.1.0
+* Add support to elliptic curves list
+* Add ssl.config that exports some OpenSSL information
+* Add integration with luaossl
+
+--------------------------------------------------------------------------------
+LuaSec 0.6
+------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+Documentation: https://github.com/brunoos/luasec/wiki
+
+This version includes:
+
+* Lua 5.2 and 5.3 compatibility
+
+* Context module:
+  - Add ctx:checkkey()
+
+* SSL module:
+  - Add conn:sni() and conn:getsniname()
+
+* Context options:
+  - Add "any" protocol ("sslv23" is deprecated)
+
+* HTTPS module:
+  - Using "any" protocol without SSLv2/SSLv3, by default
+
+* X509 module:
+  - Human readable IP address
+  - Add cert:issued()
+  - Add cert:pubkey()
+
+* Some bug fixes
+
+
+=> Thanks to everyone who collaborate with LuaSec <=
+
 --------------------------------------------------------------------------------
 LuaSec 0.5
 ------------
-
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
 
@@ -75,7 +232,7 @@ LuaSec 0.3
 --------------------------------------------------------------------------------
 LuaSec 0.2.1
 ------------
-- 'key' and 'certificate' configurations become optional. (thanks Ren<EFBFBD> Rebe)
+- 'key' and 'certificate' configurations become optional. (thanks René Rebe)
 - Add '_VERSION' variable to module.
 
 --------------------------------------------------------------------------------

INSTALL

@@ -1,14 +1,14 @@
-LuaSec 0.5
+LuaSec 1.3.0
 ------------
 
 * OpenSSL options:
 
-    By default, LuaSec 0.5 includes options for OpenSSL 1.0.1e.
+    By default, this version includes options for OpenSSL 3.0.8
 
     If you need to generate the options for a different version of OpenSSL:
 
       $ cd src
-      $ lua options.lua -g /usr/include/openssl/ssl.h > options.h
+      $ lua options.lua -g /usr/include/openssl/ssl.h > options.c
 
 --------------------------------------------------------------------------------
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 0.5 license
-Copyright (C) 2006-2013 Bruno Silvestre, UFG
+LuaSec 1.3.0 license
+Copyright (C) 2006-2023 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

Makefile

@@ -1,4 +1,4 @@
-# Inform the location to intall the modules
+# Inform the location to install the modules
 LUAPATH  ?= /usr/share/lua/5.1
 LUACPATH ?= /usr/lib/lua/5.1
 
@@ -16,7 +16,7 @@ INCDIR		 = -I. $(INC_PATH)
 LIBDIR    = -L./luasocket $(LIB_PATH)
 
 # For Mac OS X: set the system version
-MACOSX_VERSION=10.4
+MACOSX_VERSION=10.11
 
 #----------------------
 # Do not edit this part

README.md

@@ -1,34 +1,6 @@
-LuaSec 0.5
-==========
-
+LuaSec 1.3.0
+===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
 
-This  version  includes:
-
-  * A new certificate (X509) API, which supports:
-    - Reading  the subject  (identity) and  issuer of the certificate.
-    - Reading  various X509  extensions, including email  and dnsName.
-    - Converting  certificates  to and  from  the  standard ASCII  PEM
-      format.
-    - Generating the fingerprint/digest of a certificate  (using SHA1,
-      SHA256 or SHA512).
-    - Reading the  certificate's expiration, serial number,  and other
-      info.
-
-  * The ability  to get more  detailed information from  OpenSSL about
-    why a certificate failed verification, for each certificate in the
-    chain.
-  
-  * Flags to  force acceptance of invalid certificates,  e.g. to allow
-    the use of self-signed certificates in a Trust On First Use model.
-
-  * Flags to control checking CRLs for certificate revocation status.
- 
-  * Support for ECDH cipher suites.
- 
-  * An API  to get the TLS  'finished' messages used  for SASL channel
-    binding (e.g. the SCRAM PLUS mechanisms).
-
-The work in  this release was undertaken by  Kim Alvefur, Paul Aurich,
-Tobias Markmann, Bruno Silvestre and Matthew Wild.
+Documentation: https://github.com/brunoos/luasec/wiki

luasec-1.3.0-1.rockspec

@@ -0,0 +1,105 @@
+package = "LuaSec"
+version = "1.3.0-1"
+source = {
+  url = "git+https://github.com/brunoos/luasec",
+  tag = "v1.3.0",
+}
+description = {
+   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
+   detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
+   homepage = "https://github.com/brunoos/luasec/wiki",
+   license = "MIT"
+}
+dependencies = {
+   "lua >= 5.1", "luasocket"
+}
+external_dependencies = {
+   platforms = {
+      unix = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+            library = "ssl"
+         }
+      },
+      windows = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+         }
+      },
+   }
+}
+build = {
+   type = "builtin",
+   copy_directories = {
+      "samples"
+   },
+   platforms = {
+      unix = {
+         install = {
+            lib = {
+               "ssl.so"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               defines = {
+                  "WITH_LUASOCKET", "LUASOCKET_DEBUG",
+               },
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket",
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)"
+               },
+               libraries = {
+                  "ssl", "crypto"
+               },
+               sources = {
+                  "src/options.c", "src/config.c", "src/ec.c", 
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/usocket.c"
+               }
+            }
+         }
+      },
+      windows = {
+         install = {
+            lib = {
+               "ssl.dll"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               defines = {
+                  "WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
+                  "WITH_LUASOCKET", "LUASOCKET_DEBUG",
+                  "LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)",
+                  "$(OPENSSL_BINDIR)",
+               },
+               libraries = {
+                  "libssl", "libcrypto", "ws2_32"
+               },
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
+               },
+               sources = {
+                  "src/options.c", "src/config.c", "src/ec.c", 
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/wsocket.c"
+               }
+            }
+         }
+      }
+   }
+}

luasec.vcproj

@@ -1,253 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9,00"
-	Name="luasec"
-	ProjectGUID="{A629932F-8819-4C0B-8835-CBF1FEED6376}"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="131072"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="Debug"
-			IntermediateDirectory="Debug"
-			ConfigurationType="2"
-			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
-			CharacterSet="2"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				AdditionalIncludeDirectories="C:\devel\openssl\include;C:\devel\lua-dll9\include"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				AdditionalDependencies="ws2_32.lib  libeay32MDd.lib ssleay32MDd.lib lua5.1.lib"
-				OutputFile="$(OutDir)/ssl.dll"
-				LinkIncremental="2"
-				AdditionalLibraryDirectories="C:\devel\openssl\lib\VC;C:\devel\lua-dll9"
-				GenerateDebugInformation="true"
-				ProgramDatabaseFile="$(OutDir)/luasec.pdb"
-				SubSystem="2"
-				RandomizedBaseAddress="1"
-				DataExecutionPrevention="0"
-				ImportLibrary="$(OutDir)/ssl.lib"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="Release"
-			IntermediateDirectory="Release"
-			ConfigurationType="2"
-			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
-			CharacterSet="2"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				AdditionalIncludeDirectories="C:\devel\openssl\include;C:\devel\lua-dll9\include"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;BUFFER_DEBUG"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				AdditionalDependencies="ws2_32.lib libeay32MD.lib ssleay32MD.lib lua5.1.lib"
-				OutputFile="$(OutDir)/ssl.dll"
-				LinkIncremental="1"
-				AdditionalLibraryDirectories="C:\devel\openssl\lib\VC;C:\devel\lua-dll9\lib"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				RandomizedBaseAddress="1"
-				DataExecutionPrevention="0"
-				ImportLibrary="$(OutDir)/ssl.lib"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\src\buffer.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\context.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\io.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\ssl.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\timeout.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\wsocket.c"
-				>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
-			>
-			<File
-				RelativePath=".\src\buffer.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\context.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\io.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\socket.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\ssl.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\timeout.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\wsocket.h"
-				>
-			</File>
-		</Filter>
-		<Filter
-			Name="Resource Files"
-			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx"
-			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
-			>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>

luasec.vcxproj

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -18,10 +18,12 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140</PlatformToolset>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140</PlatformToolset>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -49,7 +51,7 @@
     <ClCompile>
       <Optimization>Disabled</Optimization>
       <AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -59,7 +61,7 @@
       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)ssl.dll</OutputFile>
       <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>
@@ -74,7 +76,7 @@
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <ClCompile>
-      <AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua5.2\include;.\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>C:\devel\openssl-1.1.0\include;C:\devel\lua-5.1\include;.\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WIN32;_WIN32;NDEBUG;_WINDOWS;_USRDLL;LUASOCKET_DEBUG;WITH_LUASOCKET;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <PrecompiledHeader>
@@ -83,9 +85,9 @@
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libeay32MD.lib;ssleay32MD.lib;lua52.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua5.2\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <SubSystem>Windows</SubSystem>
       <OptimizeReferences>true</OptimizeReferences>
@@ -98,15 +100,19 @@
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="src\config.c" />
     <ClCompile Include="src\context.c" />
+    <ClCompile Include="src\ec.c" />
     <ClCompile Include="src\luasocket\buffer.c" />
     <ClCompile Include="src\luasocket\io.c" />
     <ClCompile Include="src\luasocket\timeout.c" />
     <ClCompile Include="src\luasocket\wsocket.c" />
+    <ClCompile Include="src\options.c" />
     <ClCompile Include="src\ssl.c" />
     <ClCompile Include="src\x509.c" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="src\compat.h" />
     <ClInclude Include="src\config.h" />
     <ClInclude Include="src\context.h" />
     <ClInclude Include="src\ec.h" />

luasec.vcxproj.filters

@@ -1,75 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Header Files">
-      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
-      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
-    </Filter>
-    <Filter Include="Resource Files">
-      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
-      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="src\x509.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\context.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\ssl.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\luasocket\wsocket.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\luasocket\buffer.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\luasocket\io.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\luasocket\timeout.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="src\x509.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\config.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\context.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\ec.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\options.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\ssl.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\luasocket\wsocket.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\luasocket\buffer.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\luasocket\io.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\luasocket\socket.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\luasocket\timeout.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-  </ItemGroup>
-</Project>

samples/README

@@ -1,5 +1,8 @@
 Directories: 
 ------------
+* alpn
+ Test ALPN (Application-Layer Protocol Negotiation) support.
+
 * certs
  Contains scripts to generate the certificates used by the examples.
  Generate Root CA 'A' and 'B' first, then the servers and clients.
@@ -7,6 +10,9 @@ Directories:
 * chain
  Example of certificate chain in handshake.
 
+* curve-negotiation
+ Elliptic curve negotiation.
+
 * dhparam
  DH parameters for handshake.
 
@@ -17,7 +23,7 @@ Directories:
  Elliptic curve cipher.
 
 * info
- Informations about the connection.
+ Information about the connection.
 
 * key
  Test encrypted private key.
@@ -30,20 +36,32 @@ Directories:
  Same of above,  but the connection is not  explicit closed, the gabage
  collector is encharge of that.
 
+* luaossl
+ Integration with luaossl.
+
+* multicert
+ Support to multiple certificate for dual RSA/ECDSA.
+
 * oneshot
  A simple connection example.
 
+* psk
+ PSK(Pre Shared Key) support.
+
+* sni
+ Support to SNI (Server Name Indication).
+
 * verification
  Retrieve the certificate verification errors from the handshake.
 
 * verify
  Ignore handshake errors and proceed.
 
+* want
+ Test want() method.
+
 * wantread
  Test timeout in handshake() and receive().
 
 * wantwrite
  Test timeout in send().
-
-* want
- Test want() method.

samples/alpn/client.lua

@@ -0,0 +1,27 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = {"foo","bar","baz"}
+   alpn = "foo"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("ALPN", peer:getalpn())
+
+peer:close()

samples/alpn/server.lua

@@ -0,0 +1,77 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+--
+-- Callback that selects one protocol from client's list.
+--
+local function alpncb01(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Selecting:", protocols[1])
+   return protocols[1]
+end
+
+--
+-- Callback that returns a fixed list, ignoring the client's list.
+--
+local function alpncb02(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Returning a fixed list") 
+   return {"bar", "foo"}
+end
+
+--
+-- Callback that generates a list as it whishes.
+--
+local function alpncb03(protocols)
+   local resp = {}
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+      if k%2 ~= 0 then resp[#resp+1] = v end
+   end
+   print("--- Returning an odd list")
+   return resp
+end
+
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = alpncb01,
+   --alpn = alpncb02,
+   --alpn = alpncb03,
+   alpn = {"bar", "baz", "foo"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("ALPN", peer:getalpn())
+
+peer:close()
+server:close()

samples/certs/all.bat

@@ -0,0 +1,14 @@
+REM make sure the 'openssl.exe' commandline tool is in your path before starting!
+REM set the path below;
+set opensslpath=c:\program files (x86)\openssl-win32\bin
+
+
+
+setlocal
+set path=%opensslpath%;%path%
+call roota.bat
+call rootb.bat
+call servera.bat
+call serverb.bat
+call clienta.bat
+call clientb.bat

samples/certs/all.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+./rootA.sh
+./rootB.sh
+./clientA.sh
+./clientB.sh
+./serverA.sh
+./serverB.sh

samples/certs/clientA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+
+copy clientAcert.pem + rootA.pem clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem

samples/certs/clientA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

samples/certs/clientB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+
+copy clientBcert.pem + rootB.pem clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem

samples/certs/clientB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

samples/certs/rootA.bat

@@ -0,0 +1,7 @@
+REM #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/rootA.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootB.bat

@@ -0,0 +1,7 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/rootB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

samples/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/serverA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+
+copy serverAcert.pem + rootA.pem serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem

samples/certs/serverA.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -118,7 +118,7 @@ x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # so use this option with caution!
 string_mask = nombstr
 
-# req_extensions = v3_req # The extensions to add to a certificate request
+# req_extensions = v3_ext # The extensions to add to a certificate request
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
-# subjectAltName=email:move
+subjectAltName=DNS:foo.bar.example
 
 # Copy subject details
 # issuerAltName=issuer:copy

samples/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

samples/certs/serverB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+
+copy serverBcert.pem + rootB.pem serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem

samples/certs/serverB.cnf

@@ -50,7 +50,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -102,7 +102,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-# subjectAltName=email:copy
+subjectAltName=DNS:fnord.bar.example
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move

samples/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

samples/chain/client.lua

@@ -7,12 +7,12 @@ local util   = require("util")
 
 local params = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local conn = socket.tcp()

samples/chain/server.lua

@@ -7,12 +7,12 @@ local util   = require("util")
 
 local params = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local ctx = assert(ssl.newcontext(params))
@@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )
 
 print("----------------------------------------------------------------------")
 
-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
   util.show(cert)
+  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+  if k == 1 then
+    assert(cert:pem() == conn:getlocalcertificate():pem())
+  end
 end
 
 local f = io.open(params.certificate)

samples/curve-negotiation/client.lua

@@ -0,0 +1,28 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "any",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all"},
+   --
+   curve = "P-256:P-384",
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/curve-negotiation/server.lua

@@ -0,0 +1,37 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = {"all"},
+   --
+   curve = "P-384:P-256:P-521",
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot with curve negotiation test\n")
+peer:close()

samples/dane/client.lua

@@ -0,0 +1,40 @@
+
+local socket = require "socket";
+local ssl = require "ssl";
+
+local dns = require "lunbound".new();
+
+
+local cfg = {
+	protocol = "tlsv1_2",
+	mode = "client",
+	ciphers = "DEFAULT",
+	capath = "/etc/ssl/certs",
+	verify = "peer",
+	dane = true,
+};
+
+local function daneconnect(host, port)
+   port = port or "443";
+	local conn = ssl.wrap(socket.connect(host, port), cfg);
+
+	local tlsa = dns:resolve("_" .. port .. "._tcp." .. host, 52);
+	assert(tlsa.secure, "Insecure DNS");
+
+	assert(conn:setdane(host));
+	for i = 1, tlsa.n do
+		local usage, selector, mtype = tlsa[i] :byte(1, 3);
+		assert(conn:settlsa(usage, selector, mtype, tlsa[i] :sub(4, - 1)));
+	end
+
+	assert(conn:dohandshake());
+	return conn;
+end
+
+if not ... then
+   print("Usage: client.lua example.com [port]");
+   return os.exit(1);
+end
+local conn = daneconnect(...);
+
+print(conn:getpeerverification());

samples/dhparam/client.lua

@@ -6,12 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
+   ciphers = "EDH+AESGCM"
 }
 
 local peer = socket.tcp()

samples/dhparam/params.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl dhparam -2 -out dh-512.pem  -outform PEM 512
 openssl dhparam -2 -out dh-1024.pem -outform PEM 1024

samples/dhparam/server.lua

@@ -31,13 +31,14 @@ end
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    dhparam = dhparam_cb,
+   ciphers = "EDH+AESGCM"
 }
 
 

samples/digest/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/digest/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/ecdh/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    --
    curve = "secp384r1",
 }

samples/ecdh/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    --
    curve = "secp384r1",
 }

samples/info/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/info/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/key/genkey.sh

@@ -1,3 +1,3 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl genrsa -des3 -out key.pem -passout pass:foobar 2048

samples/loop-gc/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do

samples/loop-gc/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/loop/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do
@@ -23,6 +23,8 @@ while true do
    assert( peer:dohandshake() )
    --]]
 
+   peer:getpeercertificate():extensions()
+
    print(peer:receive("*l"))
    peer:close()
 end

samples/loop/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/luaossl/client.lua

@@ -0,0 +1,40 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local pkey = require "openssl.pkey"
+local ssl_context = require "openssl.ssl.context"
+local x509 = require "openssl.x509"
+local x509_store = require "openssl.x509.store"
+
+local function read_file(path)
+	local file, err, errno = io.open(path, "rb")
+	if not file then
+		return nil, err, errno
+	end
+	local contents
+	contents, err, errno = file:read "*a"
+	file:close()
+	return contents, err, errno
+end
+
+local ctx = ssl_context.new("TLSv1_2", false)
+ctx:setPrivateKey(pkey.new(assert(read_file("../certs/clientAkey.pem"))))
+ctx:setCertificate(x509.new(assert(read_file("../certs/clientA.pem"))))
+local store = x509_store.new()
+store:add("../certs/rootA.pem")
+ctx:setStore(store)
+ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert(peer:dohandshake())
+--]]
+
+print(peer:receive("*l"))
+peer:close()

samples/luaossl/server.lua

@@ -0,0 +1,58 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local pkey = require "openssl.pkey"
+local ssl_context = require "openssl.ssl.context"
+local x509 = require "openssl.x509"
+local x509_store = require "openssl.x509.store"
+
+local function read_file(path)
+	local file, err, errno = io.open(path, "rb")
+	if not file then
+		return nil, err, errno
+	end
+	local contents
+	contents, err, errno = file:read "*a"
+	file:close()
+	return contents, err, errno
+end
+
+local ctx = ssl_context.new("TLSv1_2", true)
+ctx:setPrivateKey(pkey.new(assert(read_file("../certs/serverAkey.pem"))))
+ctx:setCertificate(x509.new(assert(read_file("../certs/serverA.pem"))))
+local store = x509_store.new()
+store:add("../certs/rootA.pem")
+ctx:setStore(store)
+ctx:setVerify(ssl_context.VERIFY_FAIL_IF_NO_PEER_CERT)
+
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+
+-- Before handshake: nil
+print( peer:info() )
+
+assert( peer:dohandshake() )
+--]]
+
+print("---")
+local info = peer:info()
+for k, v in pairs(info) do
+  print(k, v)
+end
+
+print("---")
+print("-> Compression", peer:info("compression"))
+
+peer:send("oneshot test\n")
+peer:close()

samples/multicert/client-ecdsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientECDSAkey.pem",
+   certificate = "certs/clientECDSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!aRSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/client-rsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientRSAkey.pem",
+   certificate = "certs/clientRSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!ECDSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/gencerts.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+mkdir -p certs
+
+openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
+openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
+
+openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
+openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
+
+openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
+
+openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch

samples/multicert/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode         = "server",
+   protocol     = "any",
+   certificates = { 
+      -- Comment line below and 'client-rsa' stop working
+      { certificate = "certs/serverRSA.pem",   key = "certs/serverRSAkey.pem"   },
+      -- Comment line below and 'client-ecdsa' stop working
+      { certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
+   },
+   verify  = "none",
+   options = "all"
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot test\n")
+peer:close()

samples/oneshot/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/oneshot/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/psk/client.lua

@@ -0,0 +1,36 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+-- @param hint (nil | string)
+-- @param max_identity_len (number)
+-- @param max_psk_len (number)
+-- @return identity (string)
+-- @return PSK (string)
+local function pskcb(hint, max_identity_len, max_psk_len)
+   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
+   return "abcd", "1234"
+end
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   psk = pskcb,
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()

samples/psk/server.lua

@@ -0,0 +1,55 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+-- @param identity (string)
+-- @param max_psk_len (number)
+-- @return psk (string)
+local function pskcb(identity, max_psk_len)
+   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
+   if identity == "abcd" then
+     return "1234"
+  end
+  return nil
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   options = "all",
+
+-- PSK with just a callback
+   psk = pskcb,
+
+-- PSK with identity hint
+--   psk = {
+--      hint = "hintpsksample",
+--      callback = pskcb,
+--   },
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

samples/sni/client.lua

@@ -0,0 +1,35 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+  mode = "client",
+  protocol = "tlsv1_2",
+  key = "../certs/clientAkey.pem",
+  certificate = "../certs/clientA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "peer",
+  options = "all",
+}
+
+local conn = socket.tcp()
+conn:connect("127.0.0.1", 8888)
+
+-- TLS/SSL initialization
+conn = ssl.wrap(conn, params)
+
+-- Comment the lines to not send a name
+--conn:sni("servera.br")
+--conn:sni("serveraa.br")
+conn:sni("serverb.br")
+
+assert(conn:dohandshake())
+--
+local cert = conn:getpeercertificate()
+for k, v in pairs(cert:subject()) do
+  for i, j in pairs(v) do
+    print(i, j)
+  end
+end
+--
+print(conn:receive("*l"))
+conn:close()

samples/sni/server.lua

@@ -0,0 +1,52 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params01 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAkey.pem",
+  certificate = "../certs/serverA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+local params02 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAAkey.pem",
+  certificate = "../certs/serverAA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+--
+local ctx01 = ssl.newcontext(params01)
+local ctx02 = ssl.newcontext(params02)
+
+--
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+server:bind("127.0.0.1", 8888)
+server:listen()
+local conn = server:accept()
+--
+
+-- Default context (when client does not send a name) is ctx01
+conn = ssl.wrap(conn, ctx01)
+
+-- Configure the name map
+local sni_map = {
+  ["servera.br"]  = ctx01,
+  ["serveraa.br"] = ctx02,
+}
+
+conn:sni(sni_map, true)
+
+assert(conn:dohandshake())
+--
+conn:send("one line\n")
+conn:close()

samples/verification/fail-string/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientBkey.pem",
    certificate = "../../certs/clientB.pem",
    cafile = "../../certs/rootB.pem",
-   verify = {"none"},
-   options = {"all", "no_sslv2"},
+   verify = "none",
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/verification/fail-string/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
-   verify = {"none"},
-   options = {"all", "no_sslv2"},
+   verify = "none",
+   options = "all",
 }
 
 -- [[ SSL context

samples/verification/fail-table/client.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientBkey.pem",
    certificate = "../../certs/clientB.pem",
    cafile = "../../certs/rootB.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
-   verifyext = {"lsec_continue"},
+   options = "all",
+   verifyext = "lsec_continue",
 }
 
 -- [[ SSL context

samples/verification/fail-table/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    verifyext = {"lsec_continue", "crl_check", "crl_check_chain"},
 }
 

samples/verification/success/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientAkey.pem",
    certificate = "../../certs/clientA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/verification/success/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/verify/client.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "tlsv1_2",
    key = "../certs/serverBkey.pem",
    certificate = "../certs/serverB.pem",
    cafile = "../certs/rootB.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    verifyext = {"lsec_continue", "lsec_ignore_purpose"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local ctx = assert(ssl.newcontext(params))

samples/verify/server.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    verifyext = {"lsec_continue", "lsec_ignore_purpose"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/want/client.lua

@@ -8,12 +8,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- Wait until socket is ready (for reading or writing)

samples/want/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantread/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/wantread/server.lua

@@ -8,12 +8,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantwrite/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local function wait(peer, err)

samples/wantwrite/server.lua

@@ -8,12 +8,12 @@ print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

src/Makefile

@@ -2,9 +2,12 @@ CMOD=ssl.so
 LMOD=ssl.lua
 
 OBJS= \
+ options.o \
  x509.o    \
  context.o \
- ssl.o
+ ssl.o     \
+ config.o  \
+ ec.o
 
 LIBS=-lssl -lcrypto -lluasocket
 
@@ -20,12 +23,11 @@ MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
 MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
 MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
 
-INSTALL	?= install
+INSTALL  = install
 CC      ?= cc
-LD	?= $(MYENV) cc
+CCLD      ?= $(MYENV) $(CC)
 CFLAGS  += $(MYCFLAGS)
 LDFLAGS += $(MYLDFLAGS)
-DESTDIR	?= /
 
 .PHONY: all clean install none linux bsd macosx luasocket
 
@@ -33,9 +35,9 @@ all:
 
 install: $(CMOD) $(LMOD)
 	$(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
-	$(INSTALL) -D $(CMOD) $(DESTDIR)$(LUACPATH)
-	$(INSTALL) -m644 -D $(LMOD) $(DESTDIR)$(LUAPATH)
-	$(INSTALL) -m644 -D https.lua $(DESTDIR)$(LUAPATH)/ssl
+	$(INSTALL) $(CMOD) $(DESTDIR)$(LUACPATH)
+	$(INSTALL) -m644 $(LMOD) $(DESTDIR)$(LUAPATH)
+	$(INSTALL) -m644 https.lua $(DESTDIR)$(LUAPATH)/ssl
 
 linux:
 	@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"
@@ -50,12 +52,15 @@ luasocket:
 	@cd luasocket && $(MAKE)
 
 $(CMOD): $(EXTRA) $(OBJS)
-	$(LD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+	$(CCLD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
 
 clean:
 	cd luasocket && $(MAKE) clean
 	rm -f $(OBJS) $(CMOD)
 
-x509.o: x509.c x509.h config.h
-context.o: context.c context.h ec.h config.h
-ssl.o: ssl.c ssl.h context.h x509.h config.h
+options.o: options.h options.c
+ec.o: ec.c ec.h
+x509.o: x509.c x509.h compat.h
+context.o: context.c context.h ec.h compat.h options.h
+ssl.o: ssl.c ssl.h context.h x509.h compat.h
+config.o: config.c ec.h options.h compat.h

src/compat.h

@@ -0,0 +1,57 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#ifndef LSEC_COMPAT_H
+#define LSEC_COMPAT_H
+
+#include <openssl/ssl.h>
+
+//------------------------------------------------------------------------------
+
+#if defined(_WIN32)
+#define LSEC_API __declspec(dllexport) 
+#else
+#define LSEC_API extern
+#endif
+
+//------------------------------------------------------------------------------
+
+#if (LUA_VERSION_NUM == 501)
+
+#define luaL_testudata(L, ud, tname)  lsec_testudata(L, ud, tname)
+#define setfuncs(L, R)    luaL_register(L, NULL, R)
+#define lua_rawlen(L, i)  lua_objlen(L, i)
+
+#ifndef luaL_newlib
+#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
+#endif
+
+#else
+#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
+#endif
+
+//------------------------------------------------------------------------------
+
+#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
+#define LSEC_ENABLE_DANE
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !((defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
+#define LSEC_API_OPENSSL_1_1_0
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L)
+#define LSEC_OPENSSL_1_1_1
+#endif
+
+//------------------------------------------------------------------------------
+
+#endif

src/config.c

@@ -0,0 +1,102 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include "compat.h"
+#include "options.h"
+#include "ec.h"
+
+/**
+ * Registre the module.
+ */
+LSEC_API int luaopen_ssl_config(lua_State *L)
+{
+  lsec_ssl_option_t *opt;
+
+  lua_newtable(L);
+
+  // Options
+  lua_pushstring(L, "options");
+  lua_newtable(L);
+  for (opt = lsec_get_ssl_options(); opt->name; opt++) {
+    lua_pushstring(L, opt->name);
+    lua_pushboolean(L, 1);
+    lua_rawset(L, -3);
+  }
+  lua_rawset(L, -3);
+
+  // Protocols
+  lua_pushstring(L, "protocols");
+  lua_newtable(L);
+
+  lua_pushstring(L, "tlsv1");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "tlsv1_1");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "tlsv1_2");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#ifdef TLS1_3_VERSION
+  lua_pushstring(L, "tlsv1_3");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+
+  lua_rawset(L, -3);
+
+  // Algorithms
+  lua_pushstring(L, "algorithms");
+  lua_newtable(L);
+
+#ifndef OPENSSL_NO_EC
+  lua_pushstring(L, "ec");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+  lua_rawset(L, -3);
+ 
+  // Curves
+  lua_pushstring(L, "curves");
+  lsec_get_curves(L);
+  lua_rawset(L, -3);
+
+  // Capabilities
+  lua_pushstring(L, "capabilities");
+  lua_newtable(L);
+
+  // ALPN
+  lua_pushstring(L, "alpn");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+
+#ifdef LSEC_ENABLE_DANE
+  // DANE
+  lua_pushstring(L, "dane");
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  lua_createtable(L, 0, 1);
+  lua_pushstring(L, "no_ee_namechecks");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#else
+  lua_pushboolean(L, 1);
+#endif
+  lua_rawset(L, -3);
+#endif
+
+#ifndef OPENSSL_NO_EC
+  lua_pushstring(L, "curves_list");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+  lua_pushstring(L, "ecdh_auto");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+  lua_rawset(L, -3);
+
+  return 1;
+}

src/config.h

@@ -1,20 +0,0 @@
-/*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
- *
- *--------------------------------------------------------------------------*/
-
-#ifndef LSEC_CONFIG_H
-#define LSEC_CONFIG_H
-
-#if defined(_WIN32)
-#define LSEC_API __declspec(dllexport) 
-#else
-#define LSEC_API extern
-#endif
-
-#if (LUA_VERSION_NUM == 501)
-#define lua_rawlen(L, i) lua_objlen(L, i)
-#endif
-
-#endif

src/context.c

@@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 1.3.0
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                    Matthew Wild.
- * Copyright (C) 2006-2014 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -17,24 +16,21 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/dh.h>
 
 #include <lua.h>
 #include <lauxlib.h>
 
+#include "compat.h"
 #include "context.h"
 #include "options.h"
 
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
 #include <openssl/ec.h>
 #include "ec.h"
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
-typedef const SSL_METHOD LSEC_SSL_METHOD;
-#else
-typedef       SSL_METHOD LSEC_SSL_METHOD;
-#endif
-
 /*--------------------------- Auxiliary Functions ----------------------------*/
 
 /**
@@ -45,13 +41,18 @@ static p_context checkctx(lua_State *L, int idx)
   return (p_context)luaL_checkudata(L, idx, "SSL:Context");
 }
 
+static p_context testctx(lua_State *L, int idx)
+{
+  return (p_context)luaL_testudata(L, idx, "SSL:Context");
+}
+
 /**
  * Prepare the SSL options flag.
  */
 static int set_option_flag(const char *opt, unsigned long *flag)
 {
-  ssl_option_t *p;
-  for (p = ssl_options; p->name; p++) {
+  lsec_ssl_option_t *p;
+  for (p = lsec_get_ssl_options(); p->name; p++) {
     if (!strcmp(opt, p->name)) {
       *flag |= p->code;
       return 1;
@@ -60,20 +61,59 @@ static int set_option_flag(const char *opt, unsigned long *flag)
   return 0;
 }
 
+#ifndef LSEC_API_OPENSSL_1_1_0
 /**
  * Find the protocol.
  */
-static LSEC_SSL_METHOD* str2method(const char *method)
+static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
 {
-  if (!strcmp(method, "sslv23"))  return SSLv23_method();
-  if (!strcmp(method, "sslv3"))   return SSLv3_method();
+  (void)vmin;
+  (void)vmax;
+  if (!strcmp(method, "any"))     return SSLv23_method();
+  if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
   if (!strcmp(method, "tlsv1"))   return TLSv1_method();
-#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
   if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
+  return NULL;
+}
+
+#else
+
+/**
+ * Find the protocol.
+ */
+static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
+{
+  if (!strcmp(method, "any") || !strcmp(method, "sslv23")) { // 'sslv23' is deprecated
+    *vmin = 0;
+    *vmax = 0;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1")) {
+    *vmin = TLS1_VERSION;
+    *vmax = TLS1_VERSION;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1_1")) {
+    *vmin = TLS1_1_VERSION;
+    *vmax = TLS1_1_VERSION;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1_2")) {
+    *vmin = TLS1_2_VERSION;
+    *vmax = TLS1_2_VERSION;
+    return TLS_method();
+  }
+#if defined(TLS1_3_VERSION)
+  else if (!strcmp(method, "tlsv1_3")) {
+    *vmin = TLS1_3_VERSION;
+    *vmax = TLS1_3_VERSION;
+    return TLS_method();
+  }
 #endif
   return NULL;
 }
+#endif
 
 /**
  * Prepare the SSL handshake verify flag.
@@ -160,7 +200,6 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
 {
   BIO *bio;
   lua_State *L;
-  DH *dh_tmp = NULL;
   SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
   p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
 
@@ -181,24 +220,15 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
     lua_pop(L, 2);  /* Remove values from stack */
     return NULL;
   }
-  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
-    lua_rawlen(L, -1));
+
+  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), lua_rawlen(L, -1));
   if (bio) {
-    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    pctx->dh_param = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
   }
 
-  /*
-   * OpenSSL exepcts the callback to maintain a reference to the DH*.  So,
-   * cache it here, and clean up the previous set of parameters.  Any remaining
-   * set is cleaned up when destroying the LuaSec context.
-   */
-  if (pctx->dh_param)
-    DH_free(pctx->dh_param);
-  pctx->dh_param = dh_tmp;
-
   lua_pop(L, 2);    /* Remove values from stack */
-  return dh_tmp;
+  return pctx->dh_param;
 }
 
 /**
@@ -270,18 +300,6 @@ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
   return (verify & LSEC_VERIFY_CONTINUE ? 1 : preverify_ok);
 }
 
-#ifndef OPENSSL_NO_ECDH
-static EC_KEY *find_ec_key(const char *str)
-{
-  p_ec ptr;
-  for (ptr = curves; ptr->name; ptr++) {
-    if (!strcmp(str, ptr->name))
-      return EC_KEY_new_by_curve_name(ptr->nid);
-  }
-  return NULL;
-}
-#endif
-
 /*------------------------------ Lua Functions -------------------------------*/
 
 /**
@@ -291,10 +309,11 @@ static int create(lua_State *L)
 {
   p_context ctx;
   const char *str_method;
-  LSEC_SSL_METHOD *method;
+  const SSL_METHOD *method;
+  int vmin, vmax;
 
   str_method = luaL_checkstring(L, 1);
-  method = str2method(str_method);
+  method = str2method(str_method, &vmin, &vmax);
   if (!method) {
     lua_pushnil(L);
     lua_pushfstring(L, "invalid protocol (%s)", str_method);
@@ -314,6 +333,10 @@ static int create(lua_State *L)
       ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
+#ifdef LSEC_API_OPENSSL_1_1_0
+  SSL_CTX_set_min_proto_version(ctx->context, vmin);
+  SSL_CTX_set_max_proto_version(ctx->context, vmax);
+#endif
   ctx->mode = LSEC_MODE_INVALID;
   ctx->L = L;
   luaL_getmetatable(L, "SSL:Context");
@@ -395,6 +418,17 @@ static int load_key(lua_State *L)
   return ret;
 }
 
+/**
+ * Check that the certificate public key matches the private key
+ */
+
+static int check_key(lua_State *L)
+{
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
+  return 1;
+}
+
 /**
  * Set the cipher list.
  */
@@ -404,21 +438,38 @@ static int set_cipher(lua_State *L)
   const char *list = luaL_checkstring(L, 2);
   if (SSL_CTX_set_cipher_list(ctx, list) != 1) {
     lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting cipher list (%s)",
-      ERR_reason_error_string(ERR_get_error()));
+    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
   lua_pushboolean(L, 1);
   return 1;
 }
 
+/**
+ * Set the cipher suites.
+ */
+static int set_ciphersuites(lua_State *L)
+{
+#if defined(TLS1_3_VERSION)
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  const char *list = luaL_checkstring(L, 2);
+  if (SSL_CTX_set_ciphersuites(ctx, list) != 1) {
+    lua_pushboolean(L, 0);
+    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
+    return 2;
+  }
+#endif
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
 /**
  * Set the depth for certificate checking.
  */
 static int set_depth(lua_State *L)
 {
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
-  SSL_CTX_set_verify_depth(ctx, luaL_checkint(L, 2));
+  SSL_CTX_set_verify_depth(ctx, (int)luaL_checkinteger(L, 2));
   lua_pushboolean(L, 1);
   return 1;
 }
@@ -460,12 +511,6 @@ static int set_options(lua_State *L)
   if (max > 1) {
     for (i = 2; i <= max; i++) {
       str = luaL_checkstring(L, i);
-#if !defined(SSL_OP_NO_COMPRESSION) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-      /* Version 0.9.8 has a different way to disable compression */
-      if (!strcmp(str, "no_compression"))
-        ctx->comp_methods = NULL;
-      else
-#endif
       if (!set_option_flag(str, &flag)) {
         lua_pushboolean(L, 0);
         lua_pushfstring(L, "invalid option (%s)", str);
@@ -517,27 +562,24 @@ static int set_dhparam(lua_State *L)
   return 0;
 }
 
+#if !defined(OPENSSL_NO_EC)
 /**
  * Set elliptic curve.
  */
-#ifdef OPENSSL_NO_ECDH
-static int set_curve(lua_State *L)
-{
-  lua_pushboolean(L, 0);
-  lua_pushstring(L, "OpenSSL does not support ECDH");
-  return 2;
-}
-#else
 static int set_curve(lua_State *L)
 {
   long ret;
+  EC_KEY *key = NULL;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   const char *str = luaL_checkstring(L, 2);
-  EC_KEY *key = find_ec_key(str);
+
+  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+
+  key = lsec_find_ec_key(L, str);
 
   if (!key) {
     lua_pushboolean(L, 0);
-    lua_pushfstring(L, "elliptic curve %s not supported", str);
+    lua_pushfstring(L, "elliptic curve '%s' not supported", str);
     return 2;
   }
 
@@ -551,9 +593,287 @@ static int set_curve(lua_State *L)
       ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
+
   lua_pushboolean(L, 1);
   return 1;
 }
+
+/**
+ * Set elliptic curves list.
+ */
+static int set_curves_list(lua_State *L)
+{
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  const char *str = luaL_checkstring(L, 2);
+
+  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+
+  if (SSL_CTX_set1_curves_list(ctx, str) != 1) {
+    lua_pushboolean(L, 0);
+    lua_pushfstring(L, "unknown elliptic curve in \"%s\"", str);
+    return 2;
+  }
+
+#if defined(LIBRESSL_VERSION_NUMBER) || !defined(LSEC_API_OPENSSL_1_1_0)
+  (void)SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+#endif
+
+/**
+ * Set the protocols a client should send for ALPN.
+ */
+static int set_alpn(lua_State *L)
+{
+  long ret;
+  size_t len;
+  p_context ctx = checkctx(L, 1);
+  const char *str = luaL_checklstring(L, 2, &len);
+
+  ret = SSL_CTX_set_alpn_protos(ctx->context, (const unsigned char*)str, len);
+  if (ret) {
+    lua_pushboolean(L, 0);
+    lua_pushfstring(L, "error setting ALPN (%s)", ERR_reason_error_string(ERR_get_error()));
+    return 2;
+  }
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/**
+ * This standard callback calls the server's callback in Lua sapce.
+ * The server has to return a list in wire-format strings.
+ * This function uses a helper function to match server and client lists.
+ */
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+                   const unsigned char *in, unsigned int inlen, void *arg)
+{
+  int ret;
+  size_t server_len;
+  const char *server;
+  p_context ctx = (p_context)arg;
+  lua_State *L = ctx->L;
+
+  luaL_getmetatable(L, "SSL:ALPN:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_gettable(L, -2);
+
+  lua_pushlstring(L, (const char*)in, inlen);
+
+  lua_call(L, 1, 1);
+
+  if (!lua_isstring(L, -1)) {
+    lua_pop(L, 2);
+    return SSL_TLSEXT_ERR_NOACK;
+  }
+
+  // Protocol list from server in wire-format string
+  server = luaL_checklstring(L, -1, &server_len);
+  ret  = SSL_select_next_proto((unsigned char**)out, outlen, (const unsigned char*)server,
+                               server_len, in, inlen);
+  if (ret != OPENSSL_NPN_NEGOTIATED) {
+    lua_pop(L, 2);
+    return SSL_TLSEXT_ERR_NOACK;
+  } 
+
+  // Copy the result because lua_pop() can collect the pointer
+  ctx->alpn = malloc(*outlen);
+  memcpy(ctx->alpn, (void*)*out, *outlen);
+  *out = (const unsigned char*)ctx->alpn;
+
+  lua_pop(L, 2);
+
+  return SSL_TLSEXT_ERR_OK;
+}
+
+/**
+ * Set a callback a server can use to select the next protocol with ALPN.
+ */
+static int set_alpn_cb(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:ALPN:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_alpn_select_cb(ctx->context, alpn_cb, ctx);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/**
+ * Callback to select the PSK.
+ */
+static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
+  unsigned int max_psk_len)
+{
+  size_t psk_len;
+  const char *ret_psk;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  lua_pushstring(L, identity);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 2, 1);
+
+  if (!lua_isstring(L, -1)) {
+    lua_pop(L, 2);
+    return 0;
+  }
+
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (psk_len == 0 || psk_len > max_psk_len)
+    psk_len = 0;
+  else
+    memcpy(psk, ret_psk, psk_len);
+
+  lua_pop(L, 2);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for server.
+ */
+static int set_server_psk_cb(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/*
+ * Set the PSK indentity hint.
+ */
+static int set_psk_identity_hint(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+  const char *hint = luaL_checkstring(L, 2);
+  int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
+  lua_pushboolean(L, ret);
+  return 1;
+}
+
+/*
+ * Client callback to PSK.
+ */
+static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
+  unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+{
+  size_t psk_len;
+  size_t identity_len;
+  const char *ret_psk;
+  const char *ret_identity;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  if (hint)
+    lua_pushstring(L, hint);
+  else
+    lua_pushnil(L);
+
+  // Leave space to '\0'
+  lua_pushinteger(L, max_identity_len-1);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 3, 2);
+
+  if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
+    lua_pop(L, 3);
+    return 0;
+  }
+
+  ret_identity = lua_tolstring(L, -2, &identity_len);
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (identity_len >= max_identity_len || psk_len > max_psk_len)
+    psk_len = 0;
+  else {
+    memcpy(identity, ret_identity, identity_len);
+    identity[identity_len] = 0;
+    memcpy(psk, ret_psk, psk_len);
+  }
+
+  lua_pop(L, 3);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for client.
+ */
+static int set_client_psk_cb(lua_State *L) {
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+#if defined(LSEC_ENABLE_DANE)
+/*
+ * DANE
+ */
+static int dane_options[] = {
+  /* TODO move into options.c
+   * however this symbol is not from openssl/ssl.h but rather from
+   * openssl/x509_vfy.h
+   * */
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  DANE_FLAG_NO_DANE_EE_NAMECHECKS,
+#endif
+  0
+};
+static const char *dane_option_names[] = {
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  "no_ee_namechecks",
+#endif
+  NULL
+};
+
+static int set_dane(lua_State *L)
+{
+  int ret, i;
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  ret = SSL_CTX_dane_enable(ctx);
+  for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
+    ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
+  }
+  lua_pushboolean(L, (ret > 0));
+  return 1;
+}
 #endif
 
 /**
@@ -564,13 +884,26 @@ static luaL_Reg funcs[] = {
   {"locations",       load_locations},
   {"loadcert",        load_cert},
   {"loadkey",         load_key},
+  {"checkkey",        check_key},
+  {"setalpn",         set_alpn},
+  {"setalpncb",       set_alpn_cb},
   {"setcipher",       set_cipher},
+  {"setciphersuites", set_ciphersuites},
   {"setdepth",        set_depth},
   {"setdhparam",      set_dhparam},
-  {"setcurve",     set_curve},
   {"setverify",       set_verify},
   {"setoptions",      set_options},
+  {"setpskhint",      set_psk_identity_hint},
+  {"setserverpskcb",  set_server_psk_cb},
+  {"setclientpskcb",  set_client_psk_cb},
   {"setmode",         set_mode},
+#if !defined(OPENSSL_NO_EC)
+  {"setcurve",        set_curve},
+  {"setcurveslist",   set_curves_list},
+#endif
+#if defined(LSEC_ENABLE_DANE)
+  {"setdane",         set_dane},
+#endif
   {NULL, NULL}
 };
 
@@ -592,15 +925,18 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:ALPN:Registry");
+    lua_pushlightuserdata(L, (void*)ctx->context);
+    lua_pushnil(L);
+    lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:PSK:Registry");
+    lua_pushlightuserdata(L, (void*)ctx->context);
+    lua_pushnil(L);
+    lua_settable(L, -3);
 
     SSL_CTX_free(ctx->context);
     ctx->context = NULL;
   }
-  if (ctx->dh_param) {
-    DH_free(ctx->dh_param);
-    ctx->dh_param = NULL;
-  }
-
   return 0;
 }
 
@@ -672,6 +1008,7 @@ static int meth_set_verify_ext(lua_State *L)
  * Context metamethods.
  */
 static luaL_Reg meta[] = {
+  {"__close",    meth_destroy},
   {"__gc",       meth_destroy},
   {"__tostring", meth_tostring},
   {NULL, NULL}
@@ -697,6 +1034,12 @@ SSL_CTX* lsec_checkcontext(lua_State *L, int idx)
   return ctx->context;
 }
 
+SSL_CTX* lsec_testcontext(lua_State *L, int idx)
+{
+  p_context ctx = testctx(L, idx);
+  return (ctx) ? ctx->context : NULL;
+}
+
 /**
  * Retrieve the mode from the context in the Lua stack.
  */
@@ -706,44 +1049,47 @@ int lsec_getmode(lua_State *L, int idx)
   return ctx->mode;
 }
 
+/*-- Compat - Lua 5.1 --*/
+#if (LUA_VERSION_NUM == 501)
+
+void *lsec_testudata (lua_State *L, int ud, const char *tname) {
+  void *p = lua_touserdata(L, ud);
+  if (p != NULL) {  /* value is a userdata? */
+    if (lua_getmetatable(L, ud)) {  /* does it have a metatable? */
+      luaL_getmetatable(L, tname);  /* get correct metatable */
+      if (!lua_rawequal(L, -1, -2))  /* not the same? */
+        p = NULL;  /* value is a userdata with wrong metatable */
+      lua_pop(L, 2);  /* remove both metatables */
+      return p;
+    }
+  }
+  return NULL;  /* value is not a userdata with a metatable */
+}
+
+#endif
+
 /*------------------------------ Initialization ------------------------------*/
 
 /**
  * Registre the module.
  */
-#if (LUA_VERSION_NUM == 501)
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
   luaL_newmetatable(L, "SSL:DH:Registry");        /* Keep all DH callbacks   */
+  luaL_newmetatable(L, "SSL:ALPN:Registry");      /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:PSK:Registry");       /* Keep all PSK callbacks */
   luaL_newmetatable(L, "SSL:Verify:Registry");    /* Keep all verify flags   */
   luaL_newmetatable(L, "SSL:Context");
-  luaL_register(L, NULL, meta);
+  setfuncs(L, meta);
 
   /* Create __index metamethods for context */
-  lua_newtable(L);
-  luaL_register(L, NULL, meta_index);
+  luaL_newlib(L, meta_index);
   lua_setfield(L, -2, "__index");
 
-  /* Register the module */
-  luaL_register(L, "ssl.context", funcs);
-  return 1;
-}
-#else
-LSEC_API int luaopen_ssl_context(lua_State *L)
-{
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
-  luaL_newmetatable(L, "SSL:Context");
-  luaL_setfuncs(L, meta, 0);
-
-  /* Create __index metamethods for context */
-  lua_newtable(L);
-  luaL_setfuncs(L, meta_index, 0);
-  lua_setfield(L, -2, "__index");
+  lsec_load_curves(L);
 
   /* Return the module */
-  lua_newtable(L);
-  luaL_setfuncs(L, funcs, 0);
+  luaL_newlib(L, funcs);
+
   return 1;
 }
-#endif

src/context.h

@@ -2,15 +2,16 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
 #include <lua.h>
 #include <openssl/ssl.h>
 
-#include "config.h"
+#include "compat.h"
 
 #define LSEC_MODE_INVALID 0
 #define LSEC_MODE_SERVER  1
@@ -23,12 +24,14 @@ typedef struct t_context_ {
   SSL_CTX *context;
   lua_State *L;
   DH *dh_param;
+  void *alpn;
   int mode;
 } t_context;
 typedef t_context* p_context;
 
 /* Retrieve the SSL context from the Lua stack */
 SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
+SSL_CTX *lsec_testcontext(lua_State *L, int idx);
 
 /* Retrieve the mode from the context in the Lua stack */
 int lsec_getmode(lua_State *L, int idx);
@@ -36,4 +39,9 @@ int lsec_getmode(lua_State *L, int idx);
 /* Registre the module. */
 LSEC_API int luaopen_ssl_context(lua_State *L);
 
+/* Compat - Lua 5.1 */
+#if (LUA_VERSION_NUM == 501)
+void *lsec_testudata (lua_State *L, int ud, const char *tname);
+#endif
+
 #endif

src/ec.c

@@ -0,0 +1,116 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include <openssl/objects.h>
+
+#include "ec.h"
+
+#ifndef OPENSSL_NO_EC
+
+EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
+{
+  int nid;
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_rawget(L, LUA_REGISTRYINDEX);
+  lua_pushstring(L, str);
+  lua_rawget(L, -2);
+
+  if (!lua_isnumber(L, -1))
+    return NULL;
+
+  nid = (int)lua_tonumber(L, -1);
+  return EC_KEY_new_by_curve_name(nid);
+}
+
+void lsec_load_curves(lua_State *L)
+{
+  size_t i;
+  size_t size;
+  const char *name;
+  EC_builtin_curve *curves = NULL;
+
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_newtable(L);
+
+  size = EC_get_builtin_curves(NULL, 0);
+  if (size > 0) {
+    curves = (EC_builtin_curve*)malloc(sizeof(EC_builtin_curve) * size);
+    EC_get_builtin_curves(curves, size);
+    for (i = 0; i < size; i++) {
+      name = OBJ_nid2sn(curves[i].nid);
+      if (name != NULL) {
+        lua_pushstring(L, name);
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+      }
+      switch (curves[i].nid) {
+      case NID_X9_62_prime256v1:
+        lua_pushstring(L, "P-256");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      case NID_secp384r1:
+        lua_pushstring(L, "P-384");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      case NID_secp521r1:
+        lua_pushstring(L, "P-521");
+        lua_pushnumber(L, curves[i].nid);
+        lua_rawset(L, -3);
+        break;
+      }
+    }
+    free(curves);
+  }
+
+  /* These are special so are manually added here */
+#ifdef NID_X25519
+  lua_pushstring(L, "X25519");
+  lua_pushnumber(L, NID_X25519);
+  lua_rawset(L, -3);
+#endif
+
+#ifdef NID_X448
+  lua_pushstring(L, "X448");
+  lua_pushnumber(L, NID_X448);
+  lua_rawset(L, -3);
+#endif
+
+  lua_rawset(L,  LUA_REGISTRYINDEX);
+}
+
+void lsec_get_curves(lua_State *L)
+{
+  lua_newtable(L);
+
+  lua_pushstring(L, "SSL:EC:CURVES");
+  lua_rawget(L, LUA_REGISTRYINDEX);
+
+  lua_pushnil(L);
+  while (lua_next(L, -2) != 0) {
+    lua_pop(L, 1);
+    lua_pushvalue(L, -1);
+    lua_pushboolean(L, 1);
+    lua_rawset(L, -5);
+  }
+  lua_pop(L, 1);
+}
+
+#else
+
+void lsec_load_curves(lua_State *L)
+{
+  // do nothing
+}
+
+void lsec_get_curves(lua_State *L)
+{
+  lua_newtable(L);
+}
+
+#endif

src/ec.h

@@ -1,64 +1,22 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
 #ifndef LSEC_EC_H
 #define LSEC_EC_H
 
-#include <openssl/objects.h>
+#include <lua.h>
 
-typedef struct t_ec_ {
-  char *name;
-  int nid;
-} t_ec;
-typedef t_ec* p_ec;
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
 
-/* Elliptic curves supported */
-static t_ec curves[] = {
-  /* SECG */
-  {"secp112r1", NID_secp112r1},
-  {"secp112r2", NID_secp112r2},
-  {"secp128r1", NID_secp128r1},
-  {"secp128r2", NID_secp128r2},
-  {"secp160k1", NID_secp160k1},
-  {"secp160r1", NID_secp160r1},
-  {"secp160r2", NID_secp160r2},
-  {"secp192k1", NID_secp192k1},
-  {"secp224k1", NID_secp224k1},
-  {"secp224r1", NID_secp224r1},
-  {"secp256k1", NID_secp256k1},
-  {"secp384r1", NID_secp384r1},
-  {"secp521r1", NID_secp521r1},
-  {"sect113r1", NID_sect113r1},
-  {"sect113r2", NID_sect113r2},
-  {"sect131r1", NID_sect131r1},
-  {"sect131r2", NID_sect131r2},
-  {"sect163k1", NID_sect163k1},
-  {"sect163r1", NID_sect163r1},
-  {"sect163r2", NID_sect163r2},
-  {"sect193r1", NID_sect193r1},
-  {"sect193r2", NID_sect193r2},
-  {"sect233k1", NID_sect233k1},
-  {"sect233r1", NID_sect233r1},
-  {"sect239k1", NID_sect239k1},
-  {"sect283k1", NID_sect283k1},
-  {"sect283r1", NID_sect283r1},
-  {"sect409k1", NID_sect409k1},
-  {"sect409r1", NID_sect409r1},
-  {"sect571k1", NID_sect571k1},
-  {"sect571r1", NID_sect571r1},
-  /* ANSI X9.62 */
-  {"prime192v1", NID_X9_62_prime192v1},
-  {"prime192v2", NID_X9_62_prime192v2},
-  {"prime192v3", NID_X9_62_prime192v3},
-  {"prime239v1", NID_X9_62_prime239v1},
-  {"prime239v2", NID_X9_62_prime239v2},
-  {"prime239v3", NID_X9_62_prime239v3},
-  {"prime256v1", NID_X9_62_prime256v1},
-  /* End */
-  {NULL,        0U}
-};
+EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);
+#endif
+
+void lsec_get_curves(lua_State *L);
+void lsec_load_curves(lua_State *L);
 
 #endif

src/https.lua

@@ -1,6 +1,7 @@
 ----------------------------------------------------------------------------
--- LuaSec 0.5
--- Copyright (C) 2009-2014 PUC-Rio
+-- LuaSec 1.3.0
+--
+-- Copyright (C) 2009-2023 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -12,25 +13,22 @@ local ltn12  = require("ltn12")
 local http   = require("socket.http")
 local url    = require("socket.url")
 
-local table  = require("table")
-local string = require("string")
-
 local try    = socket.try
-local type         = type
-local pairs        = pairs
-local getmetatable = getmetatable
 
-module("ssl.https")
-
-_VERSION   = "0.5"
-_COPYRIGHT = "LuaSec 0.5 - Copyright (C) 2009-2014 PUC-Rio"
-
--- Default settings
-PORT = 443
+--
+-- Module
+--
+local _M = {
+  _VERSION   = "1.3.0",
+  _COPYRIGHT = "LuaSec 1.3.0 - Copyright (C) 2009-2023 PUC-Rio",
+  PORT       = 443,
+  TIMEOUT    = 60
+}
 
+-- TLS configuration
 local cfg = {
-  protocol = "tlsv1",
-  options  = "all",
+  protocol = "any",
+  options  = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   verify   = "none",
 }
 
@@ -40,7 +38,7 @@ local cfg = {
 
 -- Insert default HTTPS port.
 local function default_https_port(u)
-   return url.build(url.parse(u, {port = PORT}))
+   return url.build(url.parse(u, {port = _M.PORT}))
 end
 
 -- Convert an URL to a table according to Luasocket needs.
@@ -87,14 +85,16 @@ local function tcp(params)
       conn.sock = try(socket.tcp())
       local st = getmetatable(conn.sock).__index.settimeout
       function conn:settimeout(...)
-         return st(self.sock, ...)
+         return st(self.sock, _M.TIMEOUT)
       end
       -- Replace TCP's connection function
       function conn:connect(host, port)
          try(self.sock:connect(host, port))
          self.sock = try(ssl.wrap(self.sock, params))
+         self.sock:sni(host)
+         self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
-         reg(self, getmetatable(self.sock))
+         reg(self)
          return 1
       end
       return conn
@@ -113,7 +113,7 @@ end
 -- @param body optional (string)
 -- @return (string if url == string or 1), code, headers, status
 --
-function request(url, body)
+local function request(url, body)
   local result_table = {}
   local stringrequest = type(url) == "string"
   if stringrequest then
@@ -136,3 +136,12 @@ function request(url, body)
   end
   return res, code, headers, status
 end
+
+--------------------------------------------------------------------------------
+-- Export module
+--
+
+_M.request = request
+_M.tcp = tcp
+
+return _M

src/luasocket/Makefile

@@ -6,7 +6,7 @@ OBJS= \
 
 CC	?= cc
 CFLAGS	+= $(MYCFLAGS) -DLUASOCKET_DEBUG
-AR	:= ar rcu
+AR	?= ar
 RANLIB	?= ranlib
 
 .PHONY: all clean
@@ -14,7 +14,7 @@ RANLIB	?= ranlib
 all: libluasocket.a
 
 libluasocket.a: $(OBJS)
-	$(AR) $@ $(OBJS)
+	$(AR) rcu $@ $(OBJS)
 	$(RANLIB) $@
 
 clean:

src/luasocket/buffer.c

@@ -107,10 +107,16 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
 * object:receive() interface
 \*-------------------------------------------------------------------------*/
 int buffer_meth_receive(lua_State *L, p_buffer buf) {
-    int err = IO_DONE, top = lua_gettop(L);
     luaL_Buffer b;
     size_t size;
-    const char *part = luaL_optlstring(L, 3, "", &size);
+    const char *part;
+    int err = IO_DONE;
+    int top = lua_gettop(L);
+    if (top < 3) {
+        lua_settop(L, 3);
+        top = 3;
+    }
+    part = luaL_optlstring(L, 3, "", &size);
 #ifdef LUASOCKET_DEBUG
     p_timeout tm = timeout_markstart(buf->tm);
 #endif
@@ -135,7 +141,7 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
     }
     /* check if there was an error */
     if (err != IO_DONE) {
-        /* we can't push anyting in the stack before pushing the
+        /* we can't push anything in the stack before pushing the
          * contents of the buffer. this is the reason for the complication */
         luaL_pushresult(&b);
         lua_pushstring(L, buf->io->error(buf->io->ctx, err)); 

src/luasocket/io.h

@@ -43,7 +43,7 @@ typedef int (*p_send) (
 /* interface to recv function */
 typedef int (*p_recv) (
     void *ctx,          /* context needed by recv */
-    char *data,         /* pointer to buffer where data will be writen */
+    char *data,         /* pointer to buffer where data will be written */
     size_t count,       /* number of bytes to receive into buffer */
     size_t *got,        /* number of bytes received uppon return */
     p_timeout tm        /* timeout control */

src/luasocket/socket.h

@@ -32,7 +32,7 @@
 typedef struct sockaddr SA;
 
 /*=========================================================================*\
-* Functions bellow implement a comfortable platform independent 
+* Functions below implement a comfortable platform independent 
 * interface to sockets
 \*=========================================================================*/
 int socket_open(void);

src/luasocket/timeout.h

@@ -9,7 +9,7 @@
 /* timeout control structure */
 typedef struct t_timeout_ {
     double block;          /* maximum time for blocking calls */
-    double total;          /* total number of miliseconds for operation */
+    double total;          /* total number of milliseconds for operation */
     double start;          /* time of start of operation */
 } t_timeout;
 typedef t_timeout *p_timeout;

src/luasocket/usocket.c

@@ -40,7 +40,7 @@ int socket_waitfd(p_socket ps, int sw, p_timeout tm) {
     if (*ps >= FD_SETSIZE) return EINVAL;
     if (timeout_iszero(tm)) return IO_TIMEOUT;  /* optimize timeout == 0 case */
     do {
-        /* must set bits within loop, because select may have modifed them */
+        /* must set bits within loop, because select may have modified them */
         rp = wp = NULL;
         if (sw & WAITFD_R) { FD_ZERO(&rfds); FD_SET(*ps, &rfds); rp = &rfds; }
         if (sw & WAITFD_W) { FD_ZERO(&wfds); FD_SET(*ps, &wfds); wp = &wfds; }

src/options.c

@@ -0,0 +1,185 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include <openssl/ssl.h>
+
+#include "options.h"
+
+/* If you need to generate these options again, see options.lua */
+
+
+/* 
+  OpenSSL version: OpenSSL 3.0.8
+*/
+
+static lsec_ssl_option_t ssl_options[] = {
+#if defined(SSL_OP_ALL)
+  {"all", SSL_OP_ALL},
+#endif
+#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
+  {"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
+  {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
+#endif
+#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
+  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
+#endif
+#if defined(SSL_OP_CISCO_ANYCONNECT)
+  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
+#endif
+#if defined(SSL_OP_CLEANSE_PLAINTEXT)
+  {"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
+#endif
+#if defined(SSL_OP_COOKIE_EXCHANGE)
+  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
+#endif
+#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
+  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
+#endif
+#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
+  {"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
+#endif
+#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
+#endif
+#if defined(SSL_OP_ENABLE_KTLS)
+  {"enable_ktls", SSL_OP_ENABLE_KTLS},
+#endif
+#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
+  {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
+#endif
+#if defined(SSL_OP_EPHEMERAL_RSA)
+  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
+#endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+  {"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
+#endif
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
+#endif
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
+#endif
+#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
+  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
+#endif
+#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
+  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
+#endif
+#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
+  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
+  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
+  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
+  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NO_ANTI_REPLAY)
+  {"no_anti_replay", SSL_OP_NO_ANTI_REPLAY},
+#endif
+#if defined(SSL_OP_NO_COMPRESSION)
+  {"no_compression", SSL_OP_NO_COMPRESSION},
+#endif
+#if defined(SSL_OP_NO_DTLS_MASK)
+  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
+#endif
+#if defined(SSL_OP_NO_DTLSv1)
+  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
+#endif
+#if defined(SSL_OP_NO_DTLSv1_2)
+  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
+#endif
+#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
+  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
+#endif
+#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
+  {"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
+#endif
+#if defined(SSL_OP_NO_QUERY_MTU)
+  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
+#endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
+  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SSL_MASK)
+  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
+#endif
+#if defined(SSL_OP_NO_SSLv2)
+  {"no_sslv2", SSL_OP_NO_SSLv2},
+#endif
+#if defined(SSL_OP_NO_SSLv3)
+  {"no_sslv3", SSL_OP_NO_SSLv3},
+#endif
+#if defined(SSL_OP_NO_TICKET)
+  {"no_ticket", SSL_OP_NO_TICKET},
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+  {"no_tlsv1", SSL_OP_NO_TLSv1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+  {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_1)
+  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_2)
+  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
+#endif
+#if defined(SSL_OP_PRIORITIZE_CHACHA)
+  {"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA},
+#endif
+#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
+#endif
+#if defined(SSL_OP_SINGLE_DH_USE)
+  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
+#endif
+#if defined(SSL_OP_SINGLE_ECDH_USE)
+  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
+#endif
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
+  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
+#endif
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
+  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
+#endif
+#if defined(SSL_OP_TLSEXT_PADDING)
+  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
+#endif
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
+  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
+#endif
+#if defined(SSL_OP_TLS_D5_BUG)
+  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
+#endif
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
+  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
+#endif
+  {NULL, 0L}
+};
+
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
+

src/options.h

@@ -2,130 +2,21 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
-#include <openssl/ssl.h>
+#include "compat.h"
 
-/* If you need to generate these options again, see options.lua */
-
-/* 
-  OpenSSL version: OpenSSL 1.0.1e 2013-06-12
-*/
-
-struct ssl_option_s {
+struct lsec_ssl_option_s {
   const char *name;
   unsigned long code;
 };
-typedef struct ssl_option_s ssl_option_t;
 
-static ssl_option_t ssl_options[] = {
-#if defined(SSL_OP_ALL)
-  {"all", SSL_OP_ALL},
-#endif
-#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
-  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
-#endif
-#if defined(SSL_OP_CISCO_ANYCONNECT)
-  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
-#endif
-#if defined(SSL_OP_COOKIE_EXCHANGE)
-  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
-#endif
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
-#endif
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
-#endif
-#if defined(SSL_OP_EPHEMERAL_RSA)
-  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
-#endif
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
-  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
-#endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
-#endif
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
-  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
-#endif
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
-  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
-#endif
-#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
-  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
-  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
-  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NO_COMPRESSION)
-  {"no_compression", SSL_OP_NO_COMPRESSION},
-#endif
-#if defined(SSL_OP_NO_QUERY_MTU)
-  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
-#endif
-#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
-  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_NO_SSLv2)
-  {"no_sslv2", SSL_OP_NO_SSLv2},
-#endif
-#if defined(SSL_OP_NO_SSLv3)
-  {"no_sslv3", SSL_OP_NO_SSLv3},
-#endif
-#if defined(SSL_OP_NO_TICKET)
-  {"no_ticket", SSL_OP_NO_TICKET},
-#endif
-#if defined(SSL_OP_NO_TLSv1)
-  {"no_tlsv1", SSL_OP_NO_TLSv1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_1)
-  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_2)
-  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_1)
-  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_2)
-  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
-#endif
-#if defined(SSL_OP_SINGLE_DH_USE)
-  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
-#endif
-#if defined(SSL_OP_SINGLE_ECDH_USE)
-  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
-#endif
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
-  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
-#endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
-#endif
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
-  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
-#endif
-#if defined(SSL_OP_TLS_D5_BUG)
-  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
-#endif
-#if defined(SSL_OP_TLS_ROLLBACK_BUG)
-  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
-#endif
-  {NULL, 0L}
-};
+typedef struct lsec_ssl_option_s lsec_ssl_option_t;
+
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options();
 
 #endif
-

src/options.lua

@@ -1,10 +1,10 @@
 local function usage()
   print("Usage:")
   print("* Generate options of your system:")
-  print("  lua options.lua -g /path/to/ssl.h [verion] > options.h")
+  print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.h\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -17,33 +17,28 @@ end
 
 local function generate(options, version)
   print([[
-#ifndef LSEC_OPTIONS_H
-#define LSEC_OPTIONS_H
-
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
 #include <openssl/ssl.h>
 
+#include "options.h"
+
 /* If you need to generate these options again, see options.lua */
+
 ]])
+
   printf([[
 /* 
   OpenSSL version: %s
 */
 ]], version)
-  print([[
-struct ssl_option_s {
-  const char *name;
-  unsigned long code;
-};
-typedef struct ssl_option_s ssl_option_t;
-]])
 
-  print([[static ssl_option_t ssl_options[] = {]])
+  print([[static lsec_ssl_option_t ssl_options[] = {]])
 
   for k, option in ipairs(options) do
     local name = string.lower(string.sub(option, 8))
@@ -55,7 +50,9 @@ typedef struct ssl_option_s ssl_option_t;
   print([[
 };
 
-#endif
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
 ]])
 end
 
@@ -63,11 +60,14 @@ local function loadoptions(file)
   local options = {}
   local f = assert(io.open(file, "r"))
   for line in f:lines() do
-    local op = string.match(line, "define%s+(SSL_OP_%S+)")
+    local op = string.match(line, "define%s+(SSL_OP_BIT%()")
+    if not op then
+      op = string.match(line, "define%s+(SSL_OP_%S+)")
       if op then
         table.insert(options, op)
       end
     end
+  end
   table.sort(options, function(a,b) return a<b end)
   return options
 end

src/ssl.c

@@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 1.3.0
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                    Matthew Wild.
- * Copyright (C) 2006-2014 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -11,13 +10,14 @@
 #include <string.h>
 
 #if defined(WIN32)
-#include <Winsock2.h>
+#include <winsock2.h>
 #endif
 
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/err.h>
+#include <openssl/dh.h>
 
 #include <lua.h>
 #include <lauxlib.h>
@@ -28,8 +28,17 @@
 #include <luasocket/socket.h>
 
 #include "x509.h"
+#include "context.h"
 #include "ssl.h"
 
+
+#ifndef LSEC_API_OPENSSL_1_1_0
+#define SSL_is_server(s) (s->server)
+#define SSL_up_ref(ssl)  CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL)
+#define X509_up_ref(c)   CRYPTO_add(&c->references, 1, CRYPTO_LOCK_X509)
+#endif
+
+
 /**
  * Underline socket error.
  */
@@ -38,6 +47,11 @@ static int lsec_socket_error()
 #if defined(WIN32)
   return WSAGetLastError();
 #else
+#if defined(LSEC_OPENSSL_1_1_1)
+  // Bug in OpenSSL 1.1.1
+  if (errno == 0)
+    return LSEC_IO_SSL;
+#endif
   return errno;
 #endif
 }
@@ -80,11 +94,15 @@ static int meth_destroy(lua_State *L)
   }
   ssl->state = LSEC_STATE_CLOSED;
   if (ssl->ssl) {
-    /* Clear the registry */
+    /* Clear the registries */
     luaL_getmetatable(L, "SSL:Verify:Registry");
     lua_pushlightuserdata(L, (void*)ssl->ssl);
     lua_pushnil(L);
     lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:SNI:Registry");
+    lua_pushlightuserdata(L, (void*)ssl->ssl);
+    lua_pushnil(L);
+    lua_settable(L, -3);
     /* Destroy the object */
     SSL_free(ssl->ssl);
     ssl->ssl = NULL;
@@ -186,9 +204,9 @@ static int ssl_recv(void *ctx, char *data, size_t count, size_t *got,
 {
   int err;
   p_ssl ssl = (p_ssl)ctx;
+  *got = 0;
   if (ssl->state != LSEC_STATE_CONNECTED)
     return IO_CLOSED;
-  *got = 0;
   for ( ; ; ) {
     ERR_clear_error();
     err = SSL_read(ssl->ssl, data, (int)count);
@@ -198,7 +216,6 @@ static int ssl_recv(void *ctx, char *data, size_t count, size_t *got,
       *got = err;
       return IO_DONE;
     case SSL_ERROR_ZERO_RETURN:
-      *got = err;
       return IO_CLOSED;
     case SSL_ERROR_WANT_READ:
       err = socket_waitfd(&ssl->sock, WAITFD_R, tm);
@@ -225,26 +242,45 @@ static int ssl_recv(void *ctx, char *data, size_t count, size_t *got,
   return IO_UNKNOWN;
 }
 
+static SSL_CTX* luaossl_testcontext(lua_State *L, int arg) {
+  SSL_CTX **ctx = luaL_testudata(L, arg, "SSL_CTX*");
+  if (ctx)
+    return *ctx;
+  return NULL;
+}
+
+static SSL* luaossl_testssl(lua_State *L, int arg) {
+  SSL **ssl = luaL_testudata(L, arg, "SSL*");
+  if (ssl)
+    return *ssl;
+  return NULL;
+}
+
 /**
  * Create a new TLS/SSL object and mark it as new.
  */
 static int meth_create(lua_State *L)
 {
   p_ssl ssl;
-  int mode = lsec_getmode(L, 1);
-  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  int mode;
+  SSL_CTX *ctx;
+
+  lua_settop(L, 1);
 
-  if (mode == LSEC_MODE_INVALID) {
-    lua_pushnil(L);
-    lua_pushstring(L, "invalid mode");
-    return 2;
-  }
   ssl = (p_ssl)lua_newuserdata(L, sizeof(t_ssl));
   if (!ssl) {
     lua_pushnil(L);
     lua_pushstring(L, "error creating SSL object");
     return 2;
   }
+
+  if ((ctx = lsec_testcontext(L, 1))) {
+    mode = lsec_getmode(L, 1);
+    if (mode == LSEC_MODE_INVALID) {
+      lua_pushnil(L);
+      lua_pushstring(L, "invalid mode");
+      return 2;
+    }
     ssl->ssl = SSL_new(ctx);
     if (!ssl->ssl) {
       lua_pushnil(L);
@@ -252,13 +288,26 @@ static int meth_create(lua_State *L)
         ERR_reason_error_string(ERR_get_error()));
       return 2;
     }
+  } else if ((ctx = luaossl_testcontext(L, 1))) {
+    ssl->ssl = SSL_new(ctx);
+    if (!ssl->ssl) {
+      lua_pushnil(L);
+      lua_pushfstring(L, "error creating SSL object (%s)",
+        ERR_reason_error_string(ERR_get_error()));
+      return 2;
+    }
+    mode = SSL_is_server(ssl->ssl) ? LSEC_MODE_SERVER : LSEC_MODE_CLIENT;
+  } else if ((ssl->ssl = luaossl_testssl(L, 1))) {
+    SSL_up_ref(ssl->ssl);
+    mode = SSL_is_server(ssl->ssl) ? LSEC_MODE_SERVER : LSEC_MODE_CLIENT;
+  } else {
+    return luaL_argerror(L, 1, "invalid context");
+  }
   ssl->state = LSEC_STATE_NEW;
   SSL_set_fd(ssl->ssl, (int)SOCKET_INVALID);
   SSL_set_mode(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | 
     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-#if defined(SSL_MODE_RELEASE_BUFFERS)
   SSL_set_mode(ssl->ssl, SSL_MODE_RELEASE_BUFFERS);
-#endif
   if (mode == LSEC_MODE_SERVER)
     SSL_set_accept_state(ssl->ssl);
   else
@@ -325,7 +374,7 @@ static int meth_setfd(lua_State *L)
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
   if (ssl->state != LSEC_STATE_NEW)
     luaL_argerror(L, 1, "invalid SSL object state");
-  ssl->sock = luaL_checkint(L, 2);
+  ssl->sock = (t_socket)luaL_checkinteger(L, 2);
   socket_setnonblocking(&ssl->sock);
   SSL_set_fd(ssl->ssl, (int)ssl->sock);
   return 0;
@@ -336,8 +385,19 @@ static int meth_setfd(lua_State *L)
  */
 static int meth_handshake(lua_State *L)
 {
+  int err;
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  int err = handshake(ssl);
+  p_context ctx = (p_context)SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl->ssl));
+  ctx->L = L;
+  err = handshake(ssl);
+  if (ctx->dh_param) {
+    DH_free(ctx->dh_param);
+    ctx->dh_param = NULL;
+  }
+  if (ctx->alpn) {
+    free(ctx->alpn);
+    ctx->alpn = NULL;
+  }
   if (err == IO_DONE) {
     lua_pushboolean(L, 1);
     return 1;
@@ -401,7 +461,11 @@ static int meth_want(lua_State *L)
  */
 static int meth_compression(lua_State *L)
 {
+#ifdef OPENSSL_NO_COMP
+  const void *comp;
+#else
   const COMP_METHOD *comp;
+#endif
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
   if (ssl->state != LSEC_STATE_CONNECTED) {
     lua_pushnil(L);
@@ -431,7 +495,7 @@ static int meth_getpeercertificate(lua_State *L)
     return 2;
   }
   /* Default to the first cert */ 
-  n = luaL_optint(L, 2, 1);                           
+  n = (int)luaL_optinteger(L, 2, 1);                           
   /* This function is 1-based, but OpenSSL is 0-based */
   --n;
   if (n < 0) {
@@ -450,7 +514,7 @@ static int meth_getpeercertificate(lua_State *L)
   /* In a server-context, the stack doesn't contain the peer cert,
    * so adjust accordingly.
    */
-  if (ssl->ssl->server)
+  if (SSL_is_server(ssl->ssl))
     --n;
   certs = SSL_get_peer_cert_chain(ssl->ssl);
   if (n >= sk_X509_num(certs)) {
@@ -460,11 +524,63 @@ static int meth_getpeercertificate(lua_State *L)
   cert = sk_X509_value(certs, n);
   /* Increment the reference counting of the object. */
   /* See SSL_get_peer_certificate() source code.     */
-  CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+  X509_up_ref(cert);
   lsec_pushx509(L, cert);
   return 1;
 }
 
+/**
+ * Return the nth certificate of the chain sent to our peer.
+ */
+static int meth_getlocalcertificate(lua_State *L)
+{
+  int n;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  /* Default to the first cert */
+  n = (int)luaL_optinteger(L, 2, 1);
+  /* This function is 1-based, but OpenSSL is 0-based */
+  --n;
+  if (n < 0) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "invalid certificate index");
+    return 2;
+  }
+  if (n == 0) {
+    cert = SSL_get_certificate(ssl->ssl);
+    if (cert)
+      lsec_pushx509(L, cert);
+    else
+      lua_pushnil(L);
+    return 1;
+  }
+  /* In a server-context, the stack doesn't contain the peer cert,
+   * so adjust accordingly.
+   */
+  if (SSL_is_server(ssl->ssl))
+    --n;
+  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
+    lua_pushnil(L);
+  } else {
+    if (n >= sk_X509_num(certs)) {
+      lua_pushnil(L);
+      return 1;
+    }
+    cert = sk_X509_value(certs, n);
+    /* Increment the reference counting of the object. */
+    /* See SSL_get_peer_certificate() source code.     */
+    X509_up_ref(cert);
+    lsec_pushx509(L, cert);
+  }
+  return 1;
+}
+
 /**
  * Return the chain of certificate of the peer.
  */
@@ -482,7 +598,7 @@ static int meth_getpeerchain(lua_State *L)
     return 2;
   }
   lua_newtable(L);
-  if (ssl->ssl->server) {
+  if (SSL_is_server(ssl->ssl)) {
     lsec_pushx509(L, SSL_get_peer_certificate(ssl->ssl));
     lua_rawseti(L, -2, idx++);
   }
@@ -492,13 +608,48 @@ static int meth_getpeerchain(lua_State *L)
     cert = sk_X509_value(certs, i);
     /* Increment the reference counting of the object. */
     /* See SSL_get_peer_certificate() source code.     */
-    CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(cert);
     lsec_pushx509(L, cert);
     lua_rawseti(L, -2, idx++);
   }
   return 1;
 }
 
+/**
+ * Return the chain of certificates sent to the peer.
+ */
+static int meth_getlocalchain(lua_State *L)
+{
+  int i;
+  int idx = 1;
+  int n_certs;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  lua_newtable(L);
+  if (SSL_is_server(ssl->ssl)) {
+    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
+    lua_rawseti(L, -2, idx++);
+  }
+  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
+    n_certs = sk_X509_num(certs);
+    for (i = 0; i < n_certs; i++) {
+      cert = sk_X509_value(certs, i);
+      /* Increment the reference counting of the object. */
+      /* See SSL_get_peer_certificate() source code.     */
+      X509_up_ref(cert);
+      lsec_pushx509(L, cert);
+      lua_rawseti(L, -2, idx++);
+    }
+  }
+  return 1;
+}
+
 /**
  * Copy the table src to the table dst.
  */
@@ -606,6 +757,41 @@ static int meth_getpeerfinished(lua_State *L)
   return 1;
 }
 
+/**
+ * Get some shared keying material
+ */
+static int meth_exportkeyingmaterial(lua_State *L)
+{
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+
+  if(ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 0;
+  }
+
+  size_t llen = 0;
+  size_t contextlen = 0;
+  const unsigned char *context = NULL;
+  const char *label = (const char*)luaL_checklstring(L, 2, &llen);
+  size_t olen = (size_t)luaL_checkinteger(L, 3);
+
+  if (!lua_isnoneornil(L, 4))
+    context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
+
+  /* Temporary buffer memory-managed by Lua itself */
+  unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
+
+  if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
+    lua_pushnil(L);
+    lua_pushstring(L, "error exporting keying material");
+    return 2;
+  }
+
+  lua_pushlstring(L, (char*)out, olen);
+  return 1;
+}
+
 /**
  * Object information -- tostring metamethod
  */
@@ -653,9 +839,115 @@ static int meth_info(lua_State *L)
   return 4;
 }
 
+static int sni_cb(SSL *ssl, int *ad, void *arg)
+{
+  int strict;
+  SSL_CTX *newctx = NULL;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  lua_State *L = ((p_context)SSL_CTX_get_app_data(ctx))->L;
+  const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+  /* No name, use default context */
+  if (!name)
+    return SSL_TLSEXT_ERR_NOACK;
+  /* Retrieve struct from registry */
+  luaL_getmetatable(L, "SSL:SNI:Registry");
+  lua_pushlightuserdata(L, (void*)ssl);
+  lua_gettable(L, -2);
+  /* Strict search? */
+  lua_pushstring(L, "strict");
+  lua_gettable(L, -2);
+  strict = lua_toboolean(L, -1);
+  lua_pop(L, 1);
+  /* Search for the name in the map */
+  lua_pushstring(L, "map");
+  lua_gettable(L, -2);
+  lua_pushstring(L, name);
+  lua_gettable(L, -2);
+  if (lua_isuserdata(L, -1))
+    newctx = lsec_checkcontext(L, -1);
+  lua_pop(L, 4);
+  /* Found, use this context */
+  if (newctx) {
+    p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
+    pctx->L = L;
+    SSL_set_SSL_CTX(ssl, newctx);
+    return SSL_TLSEXT_ERR_OK;
+  }
+  /* Not found, but use initial context */
+  if (!strict)
+    return SSL_TLSEXT_ERR_OK;
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
+static int meth_sni(lua_State *L)
+{
+  int strict;
+  SSL_CTX *aux;
+  const char *name;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  if (pctx->mode == LSEC_MODE_CLIENT) {
+    name = luaL_checkstring(L, 2);
+    SSL_set_tlsext_host_name(ssl->ssl, name);
+    return 0;
+  } else if (pctx->mode == LSEC_MODE_SERVER) {
+    luaL_checktype(L, 2, LUA_TTABLE);
+    strict = lua_toboolean(L, 3);
+    /* Check if the table contains only (string -> context) */
+    lua_pushnil(L);
+    while (lua_next(L, 2)) {
+      luaL_checkstring(L, -2);
+      aux = lsec_checkcontext(L, -1);
+      /* Set callback in every context */
+      SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
+      /* leave the next key on the stack */
+      lua_pop(L, 1);
+    }
+    /* Save table in the register */
+    luaL_getmetatable(L, "SSL:SNI:Registry");
+    lua_pushlightuserdata(L, (void*)ssl->ssl);
+    lua_newtable(L);
+    lua_pushstring(L, "map");
+    lua_pushvalue(L, 2);
+    lua_settable(L, -3);
+    lua_pushstring(L, "strict");
+    lua_pushboolean(L, strict);
+    lua_settable(L, -3);
+    lua_settable(L, -3);
+    /* Set callback in the default context */
+    SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
+  }
+  return 0;
+}
+
+static int meth_getsniname(lua_State *L)
+{
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  const char *name = SSL_get_servername(ssl->ssl, TLSEXT_NAMETYPE_host_name);
+  if (name)
+    lua_pushstring(L, name);
+  else
+    lua_pushnil(L);
+  return 1;
+}
+
+static int meth_getalpn(lua_State *L)
+{
+  unsigned len;
+  const unsigned char *data;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  SSL_get0_alpn_selected(ssl->ssl, &data, &len);
+  if (data == NULL && len == 0)
+    lua_pushnil(L);
+  else
+    lua_pushlstring(L, (const char*)data, len);
+  return 1;
+}
+
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 0.5 - Copyright (C) 2006-2011 Bruno Silvestre"
+  lua_pushstring(L, "LuaSec 1.3.0 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -663,6 +955,34 @@ static int meth_copyright(lua_State *L)
   return 1;
 }
 
+#if defined(LSEC_ENABLE_DANE)
+static int meth_dane(lua_State *L)
+{
+  int ret;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  ret = SSL_dane_enable(ssl->ssl, luaL_checkstring(L, 2));
+  lua_pushboolean(L, (ret > 0));
+  return 1;
+}
+
+static int meth_tlsa(lua_State *L)
+{
+  int ret;
+  size_t len;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  uint8_t usage = (uint8_t)luaL_checkinteger(L, 2);
+  uint8_t selector = (uint8_t)luaL_checkinteger(L, 3);
+  uint8_t mtype = (uint8_t)luaL_checkinteger(L, 4);
+  unsigned char *data = (unsigned char*)luaL_checklstring(L, 5, &len);
+
+  ERR_clear_error();
+  ret = SSL_dane_tlsa_add(ssl->ssl, usage, selector, mtype, data, len);
+  lua_pushboolean(L, (ret > 0));
+
+  return 1;
+}
+#endif
+
 /*---------------------------------------------------------------------------*/
 
 /**
@@ -670,12 +990,17 @@ static int meth_copyright(lua_State *L)
  */
 static luaL_Reg methods[] = {
   {"close",               meth_close},
+  {"getalpn",             meth_getalpn},
   {"getfd",               meth_getfd},
   {"getfinished",         meth_getfinished},
   {"getpeercertificate",  meth_getpeercertificate},
+  {"getlocalcertificate", meth_getlocalcertificate},
   {"getpeerchain",        meth_getpeerchain},
+  {"getlocalchain",       meth_getlocalchain},
   {"getpeerverification", meth_getpeerverification},
   {"getpeerfinished",     meth_getpeerfinished},
+  {"exportkeyingmaterial",meth_exportkeyingmaterial},
+  {"getsniname",          meth_getsniname},
   {"getstats",            meth_getstats},
   {"setstats",            meth_setstats},
   {"dirty",               meth_dirty},
@@ -683,7 +1008,12 @@ static luaL_Reg methods[] = {
   {"receive",             meth_receive},
   {"send",                meth_send},
   {"settimeout",          meth_settimeout},
+  {"sni",                 meth_sni},
   {"want",                meth_want},
+#if defined(LSEC_ENABLE_DANE)
+  {"setdane",             meth_dane},
+  {"settlsa",             meth_tlsa},
+#endif
   {NULL,                  NULL}
 };
 
@@ -691,6 +1021,7 @@ static luaL_Reg methods[] = {
  * SSL metamethods.
  */
 static luaL_Reg meta[] = {
+  {"__close",    meth_destroy},
   {"__gc",       meth_destroy},
   {"__tostring", meth_tostring},
   {NULL, NULL}
@@ -712,9 +1043,9 @@ static luaL_Reg funcs[] = {
 /**
  * Initialize modules.
  */
-#if (LUA_VERSION_NUM == 501)
 LSEC_API int luaopen_ssl_core(lua_State *L)
 {
+#ifndef LSEC_API_OPENSSL_1_1_0
   /* Initialize SSL */
   if (!SSL_library_init()) {
     lua_pushstring(L, "unable to initialize SSL library");
@@ -722,55 +1053,40 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
   }
   OpenSSL_add_all_algorithms();
   SSL_load_error_strings();
+#endif
 
 #if defined(WITH_LUASOCKET)
   /* Initialize internal library */
   socket_open();
 #endif
 
+  luaL_newmetatable(L, "SSL:SNI:Registry");
+
   /* Register the functions and tables */
   luaL_newmetatable(L, "SSL:Connection");
-  luaL_register(L, NULL, meta);
+  setfuncs(L, meta);
 
-  lua_newtable(L);
-  luaL_register(L, NULL, methods);
+  luaL_newlib(L, methods);
   lua_setfield(L, -2, "__index");
 
-  luaL_register(L, "ssl.core", funcs);
-  lua_pushnumber(L, SOCKET_INVALID);
-  lua_setfield(L, -2, "invalidfd");
+  luaL_newlib(L, funcs);
+
+  lua_pushstring(L, "SOCKET_INVALID");
+  lua_pushinteger(L, SOCKET_INVALID);
+  lua_rawset(L, -3);
 
   return 1;
 }
-#else
-LSEC_API int luaopen_ssl_core(lua_State *L)
-{
-  /* Initialize SSL */
-  if (!SSL_library_init()) {
-    lua_pushstring(L, "unable to initialize SSL library");
+
+//------------------------------------------------------------------------------
+
+#if defined(_MSC_VER)
+
+/* Empty implementation to allow building with LuaRocks and MS compilers */
+LSEC_API int luaopen_ssl(lua_State *L) {
+  lua_pushstring(L, "you should not call this function");
   lua_error(L);
-  }
-  OpenSSL_add_all_algorithms();
-  SSL_load_error_strings();
-
-#if defined(WITH_LUASOCKET)
-  /* Initialize internal library */
-  socket_open();
-#endif
-
-  /* Register the functions and tables */
-  luaL_newmetatable(L, "SSL:Connection");
-  luaL_setfuncs(L, meta, 0);
-
-  lua_newtable(L);
-  luaL_setfuncs(L, methods, 0);
-  lua_setfield(L, -2, "__index");
-
-  lua_newtable(L);
-  luaL_setfuncs(L, funcs, 0);
-  lua_pushnumber(L, SOCKET_INVALID);
-  lua_setfield(L, -2, "invalidfd");
-
-  return 1;
+  return 0;
 }
+
 #endif

src/ssl.h

@@ -2,8 +2,9 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -15,7 +16,7 @@
 #include <luasocket/timeout.h>
 #include <luasocket/socket.h>
 
-#include "config.h"
+#include "compat.h"
 #include "context.h"
 
 #define LSEC_STATE_NEW       1

src/ssl.lua

@@ -1,20 +1,16 @@
 ------------------------------------------------------------------------------
--- LuaSec 0.5
--- Copyright (C) 2006-2014 Bruno Silvestre
+-- LuaSec 1.3.0
+--
+-- Copyright (C) 2006-2023 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
 local core    = require("ssl.core")
 local context = require("ssl.context")
 local x509    = require("ssl.x509")
+local config  = require("ssl.config")
 
-module("ssl", package.seeall)
-
-_VERSION   = "0.5.PR"
-_COPYRIGHT = core.copyright()
-
--- Export
-loadcertificate = x509.load
+local unpack  = table.unpack or unpack
 
 -- We must prevent the contexts to be collected before the connections,
 -- otherwise the C registry will be cleared.
@@ -35,9 +31,42 @@ local function optexec(func, param, ctx)
 end
 
 --
+-- Convert an array of strings to wire-format
+--
+local function array2wireformat(array)
+   local str = ""
+   for k, v in ipairs(array) do
+      if type(v) ~= "string" then return nil end
+      local len = #v
+      if len == 0 then
+        return nil, "invalid ALPN name (empty string)"
+      elseif len > 255 then
+        return nil, "invalid ALPN name (length > 255)"
+      end
+      str = str .. string.char(len) .. v
+   end
+   if str == "" then return nil, "invalid ALPN list (empty)" end
+   return str
+end
+
+--
+-- Convert wire-string format to array
+--
+local function wireformat2array(str)
+   local i = 1
+   local array = {}
+   while i < #str do
+      local len = str:byte(i)
+      array[#array + 1] = str:sub(i + 1, i + len)
+      i = i + len + 1
+   end
+   return array
+end
+
 --
 --
-function newcontext(cfg)
+--
+local function newcontext(cfg)
    local succ, msg, ctx
    -- Create the context
    ctx, msg = context.create(cfg.protocol)
@@ -45,21 +74,33 @@ function newcontext(cfg)
    -- Mode
    succ, msg = context.setmode(ctx, cfg.mode)
    if not succ then return nil, msg end
+   local certificates = cfg.certificates
+   if not certificates then
+      certificates = {
+         { certificate = cfg.certificate, key = cfg.key, password = cfg.password }
+      }
+   end
+   for _, certificate in ipairs(certificates) do
       -- Load the key
-   if cfg.key then
-      if cfg.password and
-         type(cfg.password) ~= "function" and
-         type(cfg.password) ~= "string"
+      if certificate.key then
+         if certificate.password and
+            type(certificate.password) ~= "function" and
+            type(certificate.password) ~= "string"
          then
             return nil, "invalid password type"
          end
-      succ, msg = context.loadkey(ctx, cfg.key, cfg.password)
+         succ, msg = context.loadkey(ctx, certificate.key, certificate.password)
          if not succ then return nil, msg end
       end
-   -- Load the certificate
-   if cfg.certificate then
-      succ, msg = context.loadcert(ctx, cfg.certificate)
+      -- Load the certificate(s)
+      if certificate.certificate then
+        succ, msg = context.loadcert(ctx, certificate.certificate)
         if not succ then return nil, msg end
+        if certificate.key and context.checkkey then
+          succ = context.checkkey(ctx)
+          if not succ then return nil, "private key does not match public key" end
+        end
+      end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then
@@ -70,6 +111,11 @@ function newcontext(cfg)
    if cfg.ciphers then
       succ, msg = context.setcipher(ctx, cfg.ciphers)
       if not succ then return nil, msg end
+   end
+   -- Set SSL cipher suites
+   if cfg.ciphersuites then
+      succ, msg = context.setciphersuites(ctx, cfg.ciphersuites)
+      if not succ then return nil, msg end
    end
     -- Set the verification options
    succ, msg = optexec(context.setverify, cfg.verify, ctx)
@@ -94,24 +140,109 @@ function newcontext(cfg)
       end
       context.setdhparam(ctx, cfg.dhparam)
    end
-   -- Set elliptic curve
-   if cfg.curve then
+   
+   -- Set elliptic curves
+   if (not config.algorithms.ec) and (cfg.curve or cfg.curveslist) then
+     return false, "elliptic curves not supported"
+   end
+   if config.capabilities.curves_list and cfg.curveslist then
+     succ, msg = context.setcurveslist(ctx, cfg.curveslist)
+     if not succ then return nil, msg end
+   elseif cfg.curve then
      succ, msg = context.setcurve(ctx, cfg.curve)
      if not succ then return nil, msg end
    end
+
    -- Set extra verification options
    if cfg.verifyext and ctx.setverifyext then
       succ, msg = optexec(ctx.setverifyext, cfg.verifyext, ctx)
       if not succ then return nil, msg end
    end
 
+   -- ALPN
+   if cfg.mode == "server" and cfg.alpn then
+      if type(cfg.alpn) == "function" then
+         local alpncb = cfg.alpn
+         -- This callback function has to return one value only
+         succ, msg = context.setalpncb(ctx, function(str)
+            local protocols = alpncb(wireformat2array(str))
+            if type(protocols) == "string" then
+               protocols = { protocols }
+            elseif type(protocols) ~= "table" then
+               return nil
+            end
+            return (array2wireformat(protocols))    -- use "()" to drop error message
+         end)
+         if not succ then return nil, msg end
+      elseif type(cfg.alpn) == "table" then
+         local protocols = cfg.alpn
+         -- check if array is valid before use it
+         succ, msg = array2wireformat(protocols)
+         if not succ then return nil, msg end
+         -- This callback function has to return one value only
+         succ, msg = context.setalpncb(ctx, function()
+            return (array2wireformat(protocols))    -- use "()" to drop error message
+         end)
+         if not succ then return nil, msg end
+      else
+         return nil, "invalid ALPN parameter"
+      end
+   elseif cfg.mode == "client" and cfg.alpn then
+      local alpn
+      if type(cfg.alpn) == "string" then
+         alpn, msg = array2wireformat({ cfg.alpn })
+      elseif type(cfg.alpn) == "table" then
+         alpn, msg = array2wireformat(cfg.alpn)
+      else
+         return nil, "invalid ALPN parameter"
+      end
+      if not alpn then return nil, msg end
+      succ, msg = context.setalpn(ctx, alpn)
+      if not succ then return nil, msg end
+   end
+
+   -- PSK
+   if cfg.psk then
+      if cfg.mode == "client" then
+         if type(cfg.psk) ~= "function" then
+            return nil, "invalid PSK configuration"
+         end
+         succ = context.setclientpskcb(ctx, cfg.psk)
+         if not succ then return nil, msg end
+      elseif cfg.mode == "server" then
+         if type(cfg.psk) == "function" then
+            succ, msg = context.setserverpskcb(ctx, cfg.psk)
+            if not succ then return nil, msg end
+         elseif type(cfg.psk) == "table" then
+            if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
+               succ, msg = context.setpskhint(ctx, cfg.psk.hint)
+               if not succ then return succ, msg end
+               succ = context.setserverpskcb(ctx, cfg.psk.callback)
+               if not succ then return succ, msg end
+            else
+               return nil, "invalid PSK configuration"
+            end
+         else
+            return nil, "invalid PSK configuration"
+         end
+      end
+   end
+
+   if config.capabilities.dane and cfg.dane then
+      if type(cfg.dane) == "table" then
+         context.setdane(ctx, unpack(cfg.dane))
+      else
+         context.setdane(ctx)
+      end
+   end
+
    return ctx
 end
 
 --
 --
 --
-function wrap(sock, cfg)
+local function wrap(sock, cfg)
    local ctx, msg
    if type(cfg) == "table" then
       ctx, msg = newcontext(cfg)
@@ -122,7 +253,7 @@ function wrap(sock, cfg)
    local s, msg = core.create(ctx)
    if s then
       core.setfd(s, sock:getfd())
-      sock:setfd(core.invalidfd)
+      sock:setfd(core.SOCKET_INVALID)
       registry[s] = ctx
       return s
    end
@@ -166,3 +297,17 @@ end
 --
 core.setmethod("info", info)
 
+--------------------------------------------------------------------------------
+-- Export module
+--
+
+local _M = {
+  _VERSION        = "1.3.0",
+  _COPYRIGHT      = core.copyright(),
+  config          = config,
+  loadcertificate = x509.load,
+  newcontext      = newcontext,
+  wrap            = wrap,
+}
+
+return _M