Update version number and rock file.

Method for checking if one certificate issued another

.gitignore

@@ -0,0 +1,3 @@
+/src/*.o
+/src/luasocket/*.o
+/*.dll

CHANGELOG

@@ -1,3 +1,37 @@
+--------------------------------------------------------------------------------
+LuaSec 0.6
+------------
+LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
+easy to add secure connections to any Lua applications or scripts.
+
+Documentation: https://github.com/brunoos/luasec/wiki
+
+This version includes:
+
+* Lua 5.2 and 5.3 compatibility
+
+* Context module:
+  - Add ctx:checkkey()
+
+* SSL module:
+  - Add conn:sni() and conn:getsniname()
+
+* Context options:
+  - Add "any" protocol ("sslv23" is deprecated)
+
+* HTTPS module:
+  - Using "any" protocol without SSLv2/SSLv3, by default
+
+* X509 module:
+  - Human readable IP address
+  - Add cert:issued()
+  - Add cert:pubkey()
+
+* Some bug fixes
+
+
+=> Thanks to everyone who collaborate with LuaSec <=
+
 --------------------------------------------------------------------------------
 LuaSec 0.5
 ------------

INSTALL

@@ -1,9 +1,9 @@
-LuaSec 0.5
+LuaSec 0.6
 ------------
 
 * OpenSSL options:
 
-    By default, LuaSec 0.5 includes options for OpenSSL 1.0.1e.
+    By default, LuaSec 0.6 includes options for OpenSSL 1.0.2f.
 
     If you need to generate the options for a different version of OpenSSL:
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 0.5 license
+LuaSec 0.6 license
-Copyright (C) 2006-2013 Bruno Silvestre, UFG
+Copyright (C) 2006-2015 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

Makefile

@@ -1,22 +1,22 @@
-# Inform the location to intall the modules
+# Inform the location to install the modules
-LUAPATH		?= /usr/share/lua/5.1
+LUAPATH  ?= /usr/share/lua/5.1
-LUACPATH	?= /usr/lib/lua/5.1
+LUACPATH ?= /usr/lib/lua/5.1
 
 # Compile with build-in LuaSocket's help files.
 # Comment this lines if you will link with non-internal LuaSocket's help files
 #  and edit INCDIR and LIBDIR properly.
-EXTRA		 = luasocket
+EXTRA = luasocket
-DEFS		 = -DWITH_LUASOCKET
+DEFS  = -DWITH_LUASOCKET
 
 # Edit the lines below to inform new path, if necessary.
 # Path below points to internal LuaSocket's help files.
-INC_PATH	?= -I/usr/include
+INC_PATH ?= -I/usr/include
-LIB_PATH	?= -L/usr/lib
+LIB_PATH ?= -L/usr/lib
-INCDIR		 = -I. $(INC_PATH)
+INCDIR    = -I. $(INC_PATH)
-LIBDIR		 = -L./luasocket $(LIB_PATH)
+LIBDIR    = -L./luasocket $(LIB_PATH)
 
 # For Mac OS X: set the system version
-MACOSX_VERSION=10.4
+MACOSX_VERSION=10.11
 
 #----------------------
 # Do not edit this part

README.md

@@ -1,34 +1,36 @@
-LuaSec 0.5
+LuaSec 0.6
 ==========
-
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
 
-This  version  includes:
+Documentation: https://github.com/brunoos/luasec/wiki
 
-  * A new certificate (X509) API, which supports:
+This version includes:
-    - Reading  the subject  (identity) and  issuer of the certificate.
-    - Reading  various X509  extensions, including email  and dnsName.
-    - Converting  certificates  to and  from  the  standard ASCII  PEM
-      format.
-    - Generating the fingerprint/digest of a certificate  (using SHA1,
-      SHA256 or SHA512).
-    - Reading the  certificate's expiration, serial number,  and other
-      info.
 
-  * The ability  to get more  detailed information from  OpenSSL about
+* Lua 5.2 and 5.3 compatibility
-    why a certificate failed verification, for each certificate in the
-    chain.
-  
-  * Flags to  force acceptance of invalid certificates,  e.g. to allow
-    the use of self-signed certificates in a Trust On First Use model.
 
-  * Flags to control checking CRLs for certificate revocation status.
+* Context module:
- 
+  - Add ctx:checkkey()
-  * Support for ECDH cipher suites.
- 
-  * An API  to get the TLS  'finished' messages used  for SASL channel
-    binding (e.g. the SCRAM PLUS mechanisms).
 
-The work in  this release was undertaken by  Kim Alvefur, Paul Aurich,
+* SSL module:
-Tobias Markmann, Bruno Silvestre and Matthew Wild.
+  - Add conn:sni() and conn:getsniname()
+
+* Context options:
+  - Add "any" protocol ("sslv23" is deprecated)
+
+* HTTPS module:
+  - Using "any" protocol without SSLv2/SSLv3, by default
+
+* X509 module:
+  - Human readable IP address
+  - Add cert:issued()
+  - Add cert:pubkey()
+
+* Some bug fixes
+
+
+********************************************************************************
+
+PS: 10th anniversary! Thanks to everyone who collaborate with LuaSec.
+
+********************************************************************************

luasec-0.6-1.rockspec

@@ -0,0 +1,114 @@
+package = "LuaSec"
+version = "0.6-1"
+source = {
+   url = "git://github.com/brunoos/luasec.git",
+   tag = "luasec-0.6"
+}
+description = {
+   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
+   detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
+   homepage = "https://github.com/brunoos/luasec/wiki",
+   license = "MIT"
+}
+dependencies = {
+   "lua >= 5.1", "luasocket"
+}
+external_dependencies = {
+   platforms = {
+      unix = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+            library = "ssl"
+         }
+      },
+      windows = {
+         OPENSSL = {
+            header = "openssl/ssl.h",
+         }
+      },
+   }
+}
+build = {
+   type = "builtin",
+   copy_directories = {
+      "samples"
+   },
+   platforms = {
+      unix = {
+         install = {
+            lib = {
+               "ssl.so"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket",
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)"
+               },
+               libraries = {
+                  "ssl", "crypto"
+               },
+               sources = {
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/usocket.c"
+               }
+            }
+         }
+      },
+      windows = {
+         install = {
+            lib = {
+               "ssl.dll"
+            },
+            lua = {
+               "src/ssl.lua", ['ssl.https'] = "src/https.lua"
+            }
+         },
+         modules = {
+            ssl = {
+               defines = {
+                  "WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
+                  "LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
+               },
+               libdirs = {
+                  "$(OPENSSL_LIBDIR)",
+                  "$(OPENSSL_BINDIR)",
+               },
+               libraries = {
+                  "libeay32", "ssleay32", "ws2_32"
+               },
+               incdirs = {
+                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
+               },
+               sources = {
+                  "src/x509.c", "src/context.c", "src/ssl.c", 
+                  "src/luasocket/buffer.c", "src/luasocket/io.c",
+                  "src/luasocket/timeout.c", "src/luasocket/wsocket.c"
+               }
+            }
+         },
+         patches = {
+            ["luarocks_vs_compiler.patch"] = [[
+--- a/src/ssl.c.orig
++++ b/src/ssl.c
+@@ -844,3 +844,8 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
+
+   return 1;
+ }
++
++#if defined(_MSC_VER)
++/* Empty implementation to allow building with LuaRocks and MS compilers */
++LSEC_API int luaopen_ssl(lua_State *L) { return 0; }
++#endif
+]]
+         }
+      }
+   }
+}

luasec.vcxproj

@@ -49,7 +49,7 @@
     <ClCompile>
       <Optimization>Disabled</Optimization>
       <AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -122,4 +122,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

samples/certs/all.bat

@@ -0,0 +1,14 @@
+REM make sure the 'openssl.exe' commandline tool is in your path before starting!
+REM set the path below;
+set opensslpath=c:\program files (x86)\openssl-win32\bin
+
+
+
+setlocal
+set path=%opensslpath%;%path%
+call roota.bat
+call rootb.bat
+call servera.bat
+call serverb.bat
+call clienta.bat
+call clientb.bat

samples/certs/clientA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+
+copy clientAcert.pem + rootA.pem clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem

samples/certs/clientB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+
+copy clientBcert.pem + rootB.pem clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem

samples/certs/rootA.bat

@@ -0,0 +1,7 @@
+REM #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootB.bat

@@ -0,0 +1,7 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/serverA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+
+copy serverAcert.pem + rootA.pem serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem

samples/certs/serverB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+
+copy serverBcert.pem + rootB.pem serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem

samples/chain/client.lua

@@ -7,12 +7,12 @@ local util   = require("util")
 
 local params = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local conn = socket.tcp()

samples/chain/server.lua

@@ -7,12 +7,12 @@ local util   = require("util")
 
 local params = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local ctx = assert(ssl.newcontext(params))

samples/dhparam/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/dhparam/server.lua

@@ -31,12 +31,12 @@ end
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    dhparam = dhparam_cb,
 }
 

samples/digest/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/digest/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/ecdh/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    --
    curve = "secp384r1",
 }

samples/ecdh/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    --
    curve = "secp384r1",
 }

samples/info/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/info/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/loop-gc/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do

samples/loop-gc/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/loop/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 while true do

samples/loop/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context 

samples/oneshot/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/oneshot/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/sni/client.lua

@@ -0,0 +1,35 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+  mode = "client",
+  protocol = "tlsv1_2",
+  key = "../certs/clientAkey.pem",
+  certificate = "../certs/clientA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "peer",
+  options = "all",
+}
+
+local conn = socket.tcp()
+conn:connect("127.0.0.1", 8888)
+
+-- TLS/SSL initialization
+conn = ssl.wrap(conn, params)
+
+-- Comment the lines to not send a name
+--conn:sni("servera.br")
+--conn:sni("serveraa.br")
+conn:sni("serverb.br")
+
+assert(conn:dohandshake())
+--
+local cert = conn:getpeercertificate()
+for k, v in pairs(cert:subject()) do
+  for i, j in pairs(v) do
+    print(i, j)
+  end
+end
+--
+print(conn:receive("*l"))
+conn:close()

samples/sni/server.lua

@@ -0,0 +1,52 @@
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params01 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAkey.pem",
+  certificate = "../certs/serverA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+local params02 = {
+  mode = "server",
+  protocol = "any",
+  key = "../certs/serverAAkey.pem",
+  certificate = "../certs/serverAA.pem",
+  cafile = "../certs/rootA.pem",
+  verify = "none",
+  options = "all",
+  ciphers = "ALL:!ADH:@STRENGTH",
+}
+
+--
+local ctx01 = ssl.newcontext(params01)
+local ctx02 = ssl.newcontext(params02)
+
+--
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+server:bind("127.0.0.1", 8888)
+server:listen()
+local conn = server:accept()
+--
+
+-- Default context (when client does not send a name) is ctx01
+conn = ssl.wrap(conn, ctx01)
+
+-- Configure the name map
+local sni_map = {
+  ["servera.br"]  = ctx01,
+  ["serveraa.br"] = ctx02,
+}
+
+conn:sni(sni_map, true)
+
+assert(conn:dohandshake())
+--
+conn:send("one line\n")
+conn:close()

samples/verification/fail-string/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientBkey.pem",
    certificate = "../../certs/clientB.pem",
    cafile = "../../certs/rootB.pem",
-   verify = {"none"},
+   verify = "none",
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/verification/fail-string/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
-   verify = {"none"},
+   verify = "none",
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/verification/fail-table/client.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientBkey.pem",
    certificate = "../../certs/clientB.pem",
    cafile = "../../certs/rootB.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
-   verifyext = {"lsec_continue"},
+   verifyext = "lsec_continue",
 }
 
 -- [[ SSL context

samples/verification/fail-table/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
    verifyext = {"lsec_continue", "crl_check", "crl_check_chain"},
 }
 

samples/verification/success/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/clientAkey.pem",
    certificate = "../../certs/clientA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local peer = socket.tcp()

samples/verification/success/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "tlsv1",
    key = "../../certs/serverAkey.pem",
    certificate = "../../certs/serverA.pem",
    cafile = "../../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/verify/client.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "tlsv1_2",
    key = "../certs/serverBkey.pem",
    certificate = "../certs/serverB.pem",
    cafile = "../certs/rootB.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    verifyext = {"lsec_continue", "lsec_ignore_purpose"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local ctx = assert(ssl.newcontext(params))

samples/verify/server.lua

@@ -6,13 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    verifyext = {"lsec_continue", "lsec_ignore_purpose"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/want/client.lua

@@ -8,12 +8,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- Wait until socket is ready (for reading or writing)

samples/want/server.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantread/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

samples/wantread/server.lua

@@ -8,12 +8,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 -- [[ SSL context

samples/wantwrite/client.lua

@@ -6,12 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "sslv3",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 local function wait(peer, err)

samples/wantwrite/server.lua

@@ -8,12 +8,12 @@ print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
 
 local params = {
    mode = "server",
-   protocol = "sslv3",
+   protocol = "any",
    key = "../certs/serverAkey.pem",
    certificate = "../certs/serverA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
+   options = "all",
 }
 
 

src/Makefile

@@ -20,22 +20,21 @@ MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
 MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
 MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
 
-INSTALL	?= install
+INSTALL  = install
-CC	?= cc
+CC       = cc
-LD	?= $(MYENV) cc
+LD       = $(MYENV) cc
-CFLAGS	+= $(MYCFLAGS)
+CFLAGS  += $(MYCFLAGS)
-LDFLAGS	+= $(MYLDFLAGS)
+LDFLAGS += $(MYLDFLAGS)
-DESTDIR	?= /
 
 .PHONY: all clean install none linux bsd macosx luasocket
 
 all:
 
 install: $(CMOD) $(LMOD)
-	$(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
+	$(INSTALL) -d $(LUAPATH)/ssl $(LUACPATH)
-	$(INSTALL) -D $(CMOD) $(DESTDIR)$(LUACPATH)
+	$(INSTALL) $(CMOD) $(LUACPATH)
-	$(INSTALL) -m644 -D $(LMOD) $(DESTDIR)$(LUAPATH)
+	$(INSTALL) -m644 $(LMOD) $(LUAPATH)
-	$(INSTALL) -m644 -D https.lua $(DESTDIR)$(LUAPATH)/ssl
+	$(INSTALL) -m644 https.lua $(LUAPATH)/ssl
 
 linux:
 	@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"

src/config.h

@@ -1,6 +1,6 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -14,7 +14,11 @@
 #endif
 
 #if (LUA_VERSION_NUM == 501)
-#define lua_rawlen(L, i) lua_objlen(L, i)
+#define setfuncs(L, R)    luaL_register(L, NULL, R)
+#define lua_rawlen(L, i)  lua_objlen(L, i)
+#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
+#else
+#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
 #endif
 
 #endif

src/context.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                    Matthew Wild.
+ *                         Matthew Wild.
- * Copyright (C) 2006-2014 Bruno Silvestre.
+ * Copyright (C) 2006-2016 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -35,6 +35,32 @@ typedef const SSL_METHOD LSEC_SSL_METHOD;
 typedef       SSL_METHOD LSEC_SSL_METHOD;
 #endif
 
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define SSLv23_method() TLS_method()
+#endif
+
+/*-- Compat - Lua 5.1 --------------------------------------------------------*/
+
+#if (LUA_VERSION_NUM == 501)
+
+#define luaL_testudata(L, ud, tname)  testudata(L, ud, tname)
+
+static void *testudata (lua_State *L, int ud, const char *tname) {
+  void *p = lua_touserdata(L, ud);
+  if (p != NULL) {  /* value is a userdata? */
+    if (lua_getmetatable(L, ud)) {  /* does it have a metatable? */
+      luaL_getmetatable(L, tname);  /* get correct metatable */
+      if (!lua_rawequal(L, -1, -2))  /* not the same? */
+        p = NULL;  /* value is a userdata with wrong metatable */
+      lua_pop(L, 2);  /* remove both metatables */
+      return p;
+    }
+  }
+  return NULL;  /* value is not a userdata with a metatable */
+}
+
+#endif
+
 /*--------------------------- Auxiliary Functions ----------------------------*/
 
 /**
@@ -45,6 +71,11 @@ static p_context checkctx(lua_State *L, int idx)
   return (p_context)luaL_checkudata(L, idx, "SSL:Context");
 }
 
+static p_context testctx(lua_State *L, int idx)
+{
+  return (p_context)luaL_testudata(L, idx, "SSL:Context");
+}
+
 /**
  * Prepare the SSL options flag.
  */
@@ -65,8 +96,11 @@ static int set_option_flag(const char *opt, unsigned long *flag)
  */
 static LSEC_SSL_METHOD* str2method(const char *method)
 {
-  if (!strcmp(method, "sslv23"))  return SSLv23_method();
+  if (!strcmp(method, "any"))     return SSLv23_method();
+  if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
+#ifndef OPENSSL_NO_SSL3
   if (!strcmp(method, "sslv3"))   return SSLv3_method();
+#endif
   if (!strcmp(method, "tlsv1"))   return TLSv1_method();
 #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
@@ -395,6 +429,17 @@ static int load_key(lua_State *L)
   return ret;
 }
 
+/**
+ * Check that the certificate public key matches the private key
+ */
+
+static int check_key(lua_State *L)
+{
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
+  return 1;
+}
+
 /**
  * Set the cipher list.
  */
@@ -418,7 +463,7 @@ static int set_cipher(lua_State *L)
 static int set_depth(lua_State *L)
 {
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
-  SSL_CTX_set_verify_depth(ctx, luaL_checkint(L, 2));
+  SSL_CTX_set_verify_depth(ctx, (int)luaL_checkinteger(L, 2));
   lua_pushboolean(L, 1);
   return 1;
 }
@@ -564,6 +609,7 @@ static luaL_Reg funcs[] = {
   {"locations",    load_locations},
   {"loadcert",     load_cert},
   {"loadkey",      load_key},
+  {"checkkey",     check_key},
   {"setcipher",    set_cipher},
   {"setdepth",     set_depth},
   {"setdhparam",   set_dhparam},
@@ -697,6 +743,12 @@ SSL_CTX* lsec_checkcontext(lua_State *L, int idx)
   return ctx->context;
 }
 
+SSL_CTX* lsec_testcontext(lua_State *L, int idx)
+{
+  p_context ctx = testctx(L, idx);
+  return (ctx) ? ctx->context : NULL;
+}
+
 /**
  * Retrieve the mode from the context in the Lua stack.
  */
@@ -711,39 +763,19 @@ int lsec_getmode(lua_State *L, int idx)
 /**
  * Registre the module.
  */
-#if (LUA_VERSION_NUM == 501)
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
   luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
   luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
   luaL_newmetatable(L, "SSL:Context");
-  luaL_register(L, NULL, meta);
+  setfuncs(L, meta);
 
   /* Create __index metamethods for context */
-  lua_newtable(L);
+  luaL_newlib(L, meta_index);
-  luaL_register(L, NULL, meta_index);
-  lua_setfield(L, -2, "__index");
-
-  /* Register the module */
-  luaL_register(L, "ssl.context", funcs);
-  return 1;
-}
-#else
-LSEC_API int luaopen_ssl_context(lua_State *L)
-{
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
-  luaL_newmetatable(L, "SSL:Context");
-  luaL_setfuncs(L, meta, 0);
-
-  /* Create __index metamethods for context */
-  lua_newtable(L);
-  luaL_setfuncs(L, meta_index, 0);
   lua_setfield(L, -2, "__index");
 
   /* Return the module */
-  lua_newtable(L);
+  luaL_newlib(L, funcs);
-  luaL_setfuncs(L, funcs, 0);
+
   return 1;
 }
-#endif

src/context.h

@@ -2,8 +2,8 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -29,6 +29,7 @@ typedef t_context* p_context;
 
 /* Retrieve the SSL context from the Lua stack */
 SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
+SSL_CTX *lsec_testcontext(lua_State *L, int idx);
 
 /* Retrieve the mode from the context in the Lua stack */
 int lsec_getmode(lua_State *L, int idx);

src/ec.h

@@ -1,6 +1,6 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/https.lua

@@ -1,6 +1,6 @@
 ----------------------------------------------------------------------------
--- LuaSec 0.5
+-- LuaSec 0.6
--- Copyright (C) 2009-2014 PUC-Rio
+-- Copyright (C) 2009-2016 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -12,25 +12,21 @@ local ltn12  = require("ltn12")
 local http   = require("socket.http")
 local url    = require("socket.url")
 
-local table  = require("table")
+local try    = socket.try
-local string = require("string")
 
-local try          = socket.try
+--
-local type         = type
+-- Module
-local pairs        = pairs
+--
-local getmetatable = getmetatable
+local _M = {
-
+  _VERSION   = "0.6",
-module("ssl.https")
+  _COPYRIGHT = "LuaSec 0.6 - Copyright (C) 2009-2016 PUC-Rio",
-
+  PORT       = 443,
-_VERSION   = "0.5"
+}
-_COPYRIGHT = "LuaSec 0.5 - Copyright (C) 2009-2014 PUC-Rio"
-
--- Default settings
-PORT = 443
 
+-- TLS configuration
 local cfg = {
-  protocol = "tlsv1",
+  protocol = "any",
-  options  = "all",
+  options  = {"all", "no_sslv2", "no_sslv3"},
   verify   = "none",
 }
 
@@ -40,7 +36,7 @@ local cfg = {
 
 -- Insert default HTTPS port.
 local function default_https_port(u)
-   return url.build(url.parse(u, {port = PORT}))
+   return url.build(url.parse(u, {port = _M.PORT}))
 end
 
 -- Convert an URL to a table according to Luasocket needs.
@@ -113,7 +109,7 @@ end
 -- @param body optional (string)
 -- @return (string if url == string or 1), code, headers, status
 --
-function request(url, body)
+local function request(url, body)
   local result_table = {}
   local stringrequest = type(url) == "string"
   if stringrequest then
@@ -136,3 +132,11 @@ function request(url, body)
   end
   return res, code, headers, status
 end
+
+--------------------------------------------------------------------------------
+-- Export module
+--
+
+_M.request = request
+
+return _M

src/luasocket/Makefile

@@ -6,7 +6,7 @@ OBJS= \
 
 CC	?= cc
 CFLAGS	+= $(MYCFLAGS) -DLUASOCKET_DEBUG
-AR	:= ar rcu
+AR	?= ar
 RANLIB	?= ranlib
 
 .PHONY: all clean
@@ -14,7 +14,7 @@ RANLIB	?= ranlib
 all: libluasocket.a
 
 libluasocket.a: $(OBJS)
-	$(AR) $@ $(OBJS)
+	$(AR) rcu $@ $(OBJS)
 	$(RANLIB) $@
 
 clean:

src/options.h

@@ -2,8 +2,8 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -12,7 +12,7 @@
 /* If you need to generate these options again, see options.lua */
 
 /* 
-  OpenSSL version: OpenSSL 1.0.1e 2013-06-12
+  OpenSSL version: OpenSSL 1.0.2f
 */
 
 struct ssl_option_s {
@@ -73,12 +73,21 @@ static ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_NO_COMPRESSION)
   {"no_compression", SSL_OP_NO_COMPRESSION},
 #endif
+#if defined(SSL_OP_NO_DTLSv1)
+  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
+#endif
+#if defined(SSL_OP_NO_DTLSv1_2)
+  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
+#endif
 #if defined(SSL_OP_NO_QUERY_MTU)
   {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif
 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
   {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
 #endif
+#if defined(SSL_OP_NO_SSL_MASK)
+  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
+#endif
 #if defined(SSL_OP_NO_SSLv2)
   {"no_sslv2", SSL_OP_NO_SSLv2},
 #endif
@@ -103,6 +112,9 @@ static ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_PKCS1_CHECK_2)
   {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
 #endif
+#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
+#endif
 #if defined(SSL_OP_SINGLE_DH_USE)
   {"single_dh_use", SSL_OP_SINGLE_DH_USE},
 #endif
@@ -115,6 +127,9 @@ static ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
   {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
 #endif
+#if defined(SSL_OP_TLSEXT_PADDING)
+  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
+#endif
 #if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
   {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
 #endif

src/options.lua

@@ -21,8 +21,8 @@ local function generate(options, version)
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                    Matthew Wild.
+ *                         Matthew Wild.
- * Copyright (C) 2006-2014 Bruno Silvestre.
+ * Copyright (C) 2006-2016 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -28,6 +28,7 @@
 #include <luasocket/socket.h>
 
 #include "x509.h"
+#include "context.h"
 #include "ssl.h"
 
 /**
@@ -80,11 +81,15 @@ static int meth_destroy(lua_State *L)
   }
   ssl->state = LSEC_STATE_CLOSED;
   if (ssl->ssl) {
-    /* Clear the registry */
+    /* Clear the registries */
     luaL_getmetatable(L, "SSL:Verify:Registry");
     lua_pushlightuserdata(L, (void*)ssl->ssl);
     lua_pushnil(L);
     lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:SNI:Registry");
+    lua_pushlightuserdata(L, (void*)ssl->ssl);
+    lua_pushnil(L);
+    lua_settable(L, -3);
     /* Destroy the object */
     SSL_free(ssl->ssl);
     ssl->ssl = NULL;
@@ -325,7 +330,7 @@ static int meth_setfd(lua_State *L)
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
   if (ssl->state != LSEC_STATE_NEW)
     luaL_argerror(L, 1, "invalid SSL object state");
-  ssl->sock = luaL_checkint(L, 2);
+  ssl->sock = (t_socket)luaL_checkinteger(L, 2);
   socket_setnonblocking(&ssl->sock);
   SSL_set_fd(ssl->ssl, (int)ssl->sock);
   return 0;
@@ -395,24 +400,30 @@ static int meth_want(lua_State *L)
   }
   return 1;
 }
-  
+
 /**
  * Return the compression method used.
  */
 static int meth_compression(lua_State *L)
 {
+#if !defined(OPENSSL_NO_COMP)
   const COMP_METHOD *comp;
+#endif
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
   if (ssl->state != LSEC_STATE_CONNECTED) {
     lua_pushnil(L);
     lua_pushstring(L, "closed");
     return 2;
   }
+#if !defined(OPENSSL_NO_COMP)
   comp = SSL_get_current_compression(ssl->ssl);
   if (comp)
     lua_pushstring(L, SSL_COMP_get_name(comp));
   else
     lua_pushnil(L);
+#else
+  lua_pushnil(L);
+#endif
   return 1;
 }
 
@@ -431,7 +442,7 @@ static int meth_getpeercertificate(lua_State *L)
     return 2;
   }
   /* Default to the first cert */ 
-  n = luaL_optint(L, 2, 1);                           
+  n = (int)luaL_optinteger(L, 2, 1);                           
   /* This function is 1-based, but OpenSSL is 0-based */
   --n;
   if (n < 0) {
@@ -653,9 +664,100 @@ static int meth_info(lua_State *L)
   return 4;
 }
 
+static int sni_cb(SSL *ssl, int *ad, void *arg)
+{
+  int strict;
+  SSL_CTX *newctx = NULL;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  lua_State *L = ((p_context)SSL_CTX_get_app_data(ctx))->L;
+  const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+  /* No name, use default context */
+  if (!name)
+    return SSL_TLSEXT_ERR_NOACK;
+  /* Retrieve struct from registry */
+  luaL_getmetatable(L, "SSL:SNI:Registry");
+  lua_pushlightuserdata(L, (void*)ssl);
+  lua_gettable(L, -2);
+  /* Strict search? */
+  lua_pushstring(L, "strict");
+  lua_gettable(L, -2);
+  strict = lua_toboolean(L, -1);
+  lua_pop(L, 1);
+  /* Search for the name in the map */
+  lua_pushstring(L, "map");
+  lua_gettable(L, -2);
+  lua_pushstring(L, name);
+  lua_gettable(L, -2);
+  if (lua_isuserdata(L, -1))
+    newctx = lsec_checkcontext(L, -1);
+  lua_pop(L, 4);
+  /* Found, use this context */
+  if (newctx) {
+    SSL_set_SSL_CTX(ssl, newctx);
+    return SSL_TLSEXT_ERR_OK;
+  }
+  /* Not found, but use initial context */
+  if (!strict)
+    return SSL_TLSEXT_ERR_OK;
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
+static int meth_sni(lua_State *L)
+{
+  int strict;
+  SSL_CTX *aux;
+  const char *name;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  if (pctx->mode == LSEC_MODE_CLIENT) {
+    name = luaL_checkstring(L, 2);
+    SSL_set_tlsext_host_name(ssl->ssl, name);
+    return 0;
+  } else if (pctx->mode == LSEC_MODE_SERVER) {
+    luaL_checktype(L, 2, LUA_TTABLE);
+    strict = lua_toboolean(L, 3);
+    /* Check if the table contains only (string -> context) */
+    lua_pushnil(L);
+    while (lua_next(L, 2)) {
+      luaL_checkstring(L, -2);
+      aux = lsec_checkcontext(L, -1);
+      /* Set callback in every context */
+      SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
+      /* leave the next key on the stack */
+      lua_pop(L, 1);
+    }
+    /* Save table in the register */
+    luaL_getmetatable(L, "SSL:SNI:Registry");
+    lua_pushlightuserdata(L, (void*)ssl->ssl);
+    lua_newtable(L);
+    lua_pushstring(L, "map");
+    lua_pushvalue(L, 2);
+    lua_settable(L, -3);
+    lua_pushstring(L, "strict");
+    lua_pushboolean(L, strict);
+    lua_settable(L, -3);
+    lua_settable(L, -3);
+    /* Set callback in the default context */
+    SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
+  }
+  return 0;
+}
+
+static int meth_getsniname(lua_State *L)
+{
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  const char *name = SSL_get_servername(ssl->ssl, TLSEXT_NAMETYPE_host_name);
+  if (name)
+    lua_pushstring(L, name);
+  else
+    lua_pushnil(L);
+  return 1;
+}
+
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 0.5 - Copyright (C) 2006-2011 Bruno Silvestre"
+  lua_pushstring(L, "LuaSec 0.6 - Copyright (C) 2006-2016 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -676,6 +778,7 @@ static luaL_Reg methods[] = {
   {"getpeerchain",        meth_getpeerchain},
   {"getpeerverification", meth_getpeerverification},
   {"getpeerfinished",     meth_getpeerfinished},
+  {"getsniname",          meth_getsniname},
   {"getstats",            meth_getstats},
   {"setstats",            meth_setstats},
   {"dirty",               meth_dirty},
@@ -683,6 +786,7 @@ static luaL_Reg methods[] = {
   {"receive",             meth_receive},
   {"send",                meth_send},
   {"settimeout",          meth_settimeout},
+  {"sni",                 meth_sni},
   {"want",                meth_want},
   {NULL,                  NULL}
 };
@@ -712,37 +816,6 @@ static luaL_Reg funcs[] = {
 /**
  * Initialize modules.
  */
-#if (LUA_VERSION_NUM == 501)
-LSEC_API int luaopen_ssl_core(lua_State *L)
-{
-  /* Initialize SSL */
-  if (!SSL_library_init()) {
-    lua_pushstring(L, "unable to initialize SSL library");
-    lua_error(L);
-  }
-  OpenSSL_add_all_algorithms();
-  SSL_load_error_strings();
-
-#if defined(WITH_LUASOCKET)
-  /* Initialize internal library */
-  socket_open();
-#endif
-   
-  /* Register the functions and tables */
-  luaL_newmetatable(L, "SSL:Connection");
-  luaL_register(L, NULL, meta);
-
-  lua_newtable(L);
-  luaL_register(L, NULL, methods);
-  lua_setfield(L, -2, "__index");
-
-  luaL_register(L, "ssl.core", funcs);
-  lua_pushnumber(L, SOCKET_INVALID);
-  lua_setfield(L, -2, "invalidfd");
-
-  return 1;
-}
-#else
 LSEC_API int luaopen_ssl_core(lua_State *L)
 {
   /* Initialize SSL */
@@ -758,19 +831,16 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
   socket_open();
 #endif
 
+  luaL_newmetatable(L, "SSL:SNI:Registry");
+
   /* Register the functions and tables */
   luaL_newmetatable(L, "SSL:Connection");
-  luaL_setfuncs(L, meta, 0);
+  setfuncs(L, meta);
 
-  lua_newtable(L);
+  luaL_newlib(L, methods);
-  luaL_setfuncs(L, methods, 0);
   lua_setfield(L, -2, "__index");
 
-  lua_newtable(L);
+  luaL_newlib(L, funcs);
-  luaL_setfuncs(L, funcs, 0);
-  lua_pushnumber(L, SOCKET_INVALID);
-  lua_setfield(L, -2, "invalidfd");
 
   return 1;
 }
-#endif

src/ssl.h

@@ -2,8 +2,8 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
- * Copyright (C) 2006-2014 Bruno Silvestre
+ * Copyright (C) 2006-2016 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.lua

@@ -1,6 +1,6 @@
 ------------------------------------------------------------------------------
--- LuaSec 0.5
+-- LuaSec 0.6
--- Copyright (C) 2006-2014 Bruno Silvestre
+-- Copyright (C) 2006-2016 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
@@ -8,13 +8,7 @@ local core    = require("ssl.core")
 local context = require("ssl.context")
 local x509    = require("ssl.x509")
 
-module("ssl", package.seeall)
+local unpack  = table.unpack or unpack
-
-_VERSION   = "0.5.PR"
-_COPYRIGHT = core.copyright()
-
--- Export
-loadcertificate = x509.load
 
 -- We must prevent the contexts to be collected before the connections,
 -- otherwise the C registry will be cleared.
@@ -37,7 +31,7 @@ end
 --
 --
 --
-function newcontext(cfg)
+local function newcontext(cfg)
    local succ, msg, ctx
    -- Create the context
    ctx, msg = context.create(cfg.protocol)
@@ -58,8 +52,12 @@ function newcontext(cfg)
    end
    -- Load the certificate
    if cfg.certificate then
-      succ, msg = context.loadcert(ctx, cfg.certificate)
+     succ, msg = context.loadcert(ctx, cfg.certificate)
-      if not succ then return nil, msg end
+     if not succ then return nil, msg end
+     if cfg.key and context.checkkey then
+       succ = context.checkkey(ctx)
+       if not succ then return nil, "private key does not match public key" end
+     end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then
@@ -111,7 +109,7 @@ end
 --
 --
 --
-function wrap(sock, cfg)
+local function wrap(sock, cfg)
    local ctx, msg
    if type(cfg) == "table" then
       ctx, msg = newcontext(cfg)
@@ -122,7 +120,7 @@ function wrap(sock, cfg)
    local s, msg = core.create(ctx)
    if s then
       core.setfd(s, sock:getfd())
-      sock:setfd(core.invalidfd)
+      sock:setfd(-1)
       registry[s] = ctx
       return s
    end
@@ -166,3 +164,16 @@ end
 --
 core.setmethod("info", info)
 
+--------------------------------------------------------------------------------
+-- Export module
+--
+
+local _M = {
+  _VERSION        = "0.6",
+  _COPYRIGHT      = core.copyright(),
+  loadcertificate = x509.load,
+  newcontext      = newcontext,
+  wrap            = wrap,
+}
+
+return _M

src/x509.c

@@ -1,15 +1,22 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                    Matthew Wild, Bruno Silvestre.
+ *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
+#include <stdio.h>
 #include <string.h>
 
 #if defined(WIN32)
+#include <ws2tcpip.h>
 #include <windows.h>
+#else
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 #endif
 
 #include <openssl/ssl.h>
@@ -57,6 +64,51 @@ p_x509 lsec_checkp_x509(lua_State* L, int idx)
 
 /*---------------------------------------------------------------------------*/
 
+#if defined(LUASEC_INET_NTOP)
+/*
+ * For WinXP (SP3), set the following preprocessor macros:
+ *     LUASEC_INET_NTOP
+ *     WINVER=0x0501
+ *     _WIN32_WINNT=0x0501
+ *     NTDDI_VERSION=0x05010300
+ *
+ * For IPv6 addresses, you need to add IPv6 Protocol to your interface.
+ *
+ */
+static const char *inet_ntop(int af, const char *src, char *dst, socklen_t size)
+{
+  int addrsize;
+  struct sockaddr    *addr;
+  struct sockaddr_in  addr4;
+  struct sockaddr_in6 addr6;
+
+  switch (af) {
+  case AF_INET:
+    memset((void*)&addr4, 0, sizeof(addr4));
+    addr4.sin_family = AF_INET;
+    memcpy((void*)&addr4.sin_addr, src, sizeof(struct in_addr));
+    addr = (struct sockaddr*)&addr4;
+    addrsize = sizeof(struct sockaddr_in);
+    break;
+  case AF_INET6:
+    memset((void*)&addr6, 0, sizeof(addr6));
+    addr6.sin6_family = AF_INET6;
+    memcpy((void*)&addr6.sin6_addr, src, sizeof(struct in6_addr));
+    addr = (struct sockaddr*)&addr6;
+    addrsize = sizeof(struct sockaddr_in6);
+    break;
+  default:
+    return NULL;
+  }
+
+  if(getnameinfo(addr, addrsize, dst, size, NULL, 0, NI_NUMERICHOST) != 0)
+    return NULL;
+  return dst;
+}
+#endif
+
+/*---------------------------------------------------------------------------*/
+
 /**
  * Convert the buffer 'in' to hexadecimal.
  */
@@ -86,10 +138,12 @@ static void push_asn1_objname(lua_State* L, ASN1_OBJECT *object, int no_name)
  */
 static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
 {
-  size_t len;
+  int len;
   unsigned char *data;
-  if (!string)
+  if (!string) {
     lua_pushnil(L);
+    return;
+  }
   switch (encode) {
   case LSEC_AI5_STRING:
     lua_pushlstring(L, (char*)ASN1_STRING_data(string),
@@ -101,6 +155,8 @@ static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
       lua_pushlstring(L, (char*)data, len);
       OPENSSL_free(data);
     }
+    else
+      lua_pushnil(L);
   }
 }
 
@@ -119,6 +175,31 @@ static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm)
   return 1;
 }
 
+/**
+ * Return a human readable IP address.
+ */
+static void push_asn1_ip(lua_State *L, ASN1_STRING *string)
+{
+  int af;
+  char dst[INET6_ADDRSTRLEN];
+  unsigned char *ip = ASN1_STRING_data(string);
+  switch(ASN1_STRING_length(string)) {
+  case 4:
+    af = AF_INET;
+    break;
+  case 16:
+    af = AF_INET6;
+    break;
+  default:
+    lua_pushnil(L);
+    return;
+  }
+  if(inet_ntop(af, ip, dst, INET6_ADDRSTRLEN))
+    lua_pushstring(L, dst);
+  else
+    lua_pushnil(L);
+}
+
 /**
  * 
  */
@@ -236,7 +317,7 @@ int meth_extensions(lua_State* L)
         break;
       case GEN_DNS:
         lua_pushstring(L, "dNSName");
-	push_subtable(L, -2);
+        push_subtable(L, -2);
         push_asn1_string(L, general_name->d.dNSName, px->encode);
         lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
         lua_pop(L, 1);
@@ -258,7 +339,7 @@ int meth_extensions(lua_State* L)
       case GEN_IPADD:
         lua_pushstring(L, "iPAddress");
         push_subtable(L, -2);
-        push_asn1_string(L, general_name->d.iPAddress, px->encode);
+        push_asn1_ip(L, general_name->d.iPAddress);
         lua_rawseti(L, -2, lua_rawlen(L, -2)+1);
         lua_pop(L, 1);
         break;
@@ -308,6 +389,52 @@ static int meth_pem(lua_State* L)
   return 1;
 }
 
+/**
+ * Extract public key in PEM format.
+ */
+static int meth_pubkey(lua_State* L)
+{
+  char* data;
+  long bytes;
+  int ret = 1;
+  X509* cert = lsec_checkx509(L, 1);
+  BIO *bio = BIO_new(BIO_s_mem());
+  EVP_PKEY *pkey = X509_get_pubkey(cert);
+  if(PEM_write_bio_PUBKEY(bio, pkey)) {
+    bytes = BIO_get_mem_data(bio, &data);
+    if (bytes > 0) {
+      lua_pushlstring(L, data, bytes);
+      switch(EVP_PKEY_type(pkey->type)) {
+        case EVP_PKEY_RSA:
+          lua_pushstring(L, "RSA");
+          break;
+        case EVP_PKEY_DSA:
+          lua_pushstring(L, "DSA");
+          break;
+        case EVP_PKEY_DH:
+          lua_pushstring(L, "DH");
+          break;
+        case EVP_PKEY_EC:
+          lua_pushstring(L, "EC");
+          break;
+        default:
+          lua_pushstring(L, "Unknown");
+          break;
+      }
+      lua_pushinteger(L, EVP_PKEY_bits(pkey));
+      ret = 3;
+    }
+    else
+      lua_pushnil(L);
+  }
+  else
+    lua_pushnil(L);
+  /* Cleanup */
+  BIO_free(bio);
+  EVP_PKEY_free(pkey);
+  return ret;
+}
+
 /**
  * Compute the fingerprint.
  */
@@ -393,6 +520,91 @@ static int meth_notafter(lua_State *L)
   return push_asn1_time(L, X509_get_notAfter(cert));
 }
 
+/**
+ * Check if this certificate issued some other certificate
+ */
+static int meth_issued(lua_State* L)
+{
+  int ret, i, len;
+
+  X509_STORE_CTX* ctx = NULL;
+  X509_STORE* root = NULL;
+  STACK_OF(X509)* chain = NULL;
+
+  X509* issuer = lsec_checkx509(L, 1);
+  X509* subject = lsec_checkx509(L, 2);
+  X509* cert = NULL;
+
+  len = lua_gettop(L);
+
+  /* Check that all arguments are certificates */
+
+  for (i = 3; i <= len; i++) {
+    lsec_checkx509(L, i);
+  }
+
+  /* Before allocating things that require freeing afterwards */
+
+  chain = sk_X509_new_null();
+  ctx = X509_STORE_CTX_new();
+  root = X509_STORE_new();
+
+  if (ctx == NULL || root == NULL) {
+    lua_pushnil(L);
+    lua_pushstring(L, "X509_STORE_new() or X509_STORE_CTX_new() error");
+    ret = 2;
+    goto cleanup;
+  }
+
+  ret = X509_STORE_add_cert(root, issuer);
+
+  if(!ret) {
+    lua_pushnil(L);
+    lua_pushstring(L, "X509_STORE_add_cert() error");
+    ret = 2;
+    goto cleanup;
+  }
+
+  for (i = 3; i <= len && lua_isuserdata(L, i); i++) {
+    cert = lsec_checkx509(L, i);
+    sk_X509_push(chain, cert);
+  }
+
+  ret = X509_STORE_CTX_init(ctx, root, subject, chain);
+
+  if(!ret) {
+    lua_pushnil(L);
+    lua_pushstring(L, "X509_STORE_CTX_init() error");
+    ret = 2;
+    goto cleanup;
+  }
+
+  /* Actual verification */
+  if (X509_verify_cert(ctx) <= 0) {
+    ret = X509_STORE_CTX_get_error(ctx);
+    lua_pushnil(L);
+    lua_pushstring(L, X509_verify_cert_error_string(ret));
+    ret = 2;
+  } else {
+    lua_pushboolean(L, 1);
+    ret = 1;
+  }
+
+cleanup:
+
+  if (ctx != NULL) {
+    X509_STORE_CTX_free(ctx);
+  }
+
+  if (chain != NULL) {
+    X509_STORE_free(root);
+  }
+
+  sk_X509_free(chain);
+
+  return ret;
+}
+
 /**
  * Collect X509 objects.
  */
@@ -459,7 +671,9 @@ static luaL_Reg methods[] = {
   {"issuer",     meth_issuer},
   {"notbefore",  meth_notbefore},
   {"notafter",   meth_notafter},
+  {"issued",     meth_issued},
   {"pem",        meth_pem},
+  {"pubkey",     meth_pubkey},
   {"serial",     meth_serial},
   {"subject",    meth_subject},
   {"validat",    meth_valid_at},
@@ -485,39 +699,16 @@ static luaL_Reg funcs[] = {
 
 /*--------------------------------------------------------------------------*/
 
-#if (LUA_VERSION_NUM == 501)
-
 LSEC_API int luaopen_ssl_x509(lua_State *L)
 {
   /* Register the functions and tables */
   luaL_newmetatable(L, "SSL:Certificate");
-  luaL_register(L, NULL, meta);
+  setfuncs(L, meta);
 
-  lua_newtable(L);
+  luaL_newlib(L, methods);
-  luaL_register(L, NULL, methods);
   lua_setfield(L, -2, "__index");
 
-  luaL_register(L, "ssl.x509", funcs);
+  luaL_newlib(L, funcs);
 
   return 1;
 }
-
-#else
-
-LSEC_API int luaopen_ssl_x509(lua_State *L)
-{
-  /* Register the functions and tables */
-  luaL_newmetatable(L, "SSL:Certificate");
-  luaL_setfuncs(L, meta, 0);
-
-  lua_newtable(L);
-  luaL_setfuncs(L, methods, 0);
-  lua_setfield(L, -2, "__index");
-
-  lua_newtable(L);
-  luaL_setfuncs(L, funcs, 0);
-
-  return 1;
-}
-
-#endif

src/x509.h

@@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.5
+ * LuaSec 0.6
  *
- * Copyright (C) 2014 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                    Matthew Wild, Bruno Silvestre.
+ *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/