dany/luasec
1
0
Fork 0
mirror of https://github.com/brunoos/luasec.git synced 2025-07-16 05:49:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: dany:luasec-0.6
Branches Tags
dany:master dany:shutdown-method dany:dev dany:ocsp dany:luasec-dev-0.8 dany:luasec-dev-0.7 dany:luasec-dev-0.5
dany:v1.3.2 dany:v1.3.1 dany:v1.3.0 dany:v1.2.0 dany:v1.1.0 dany:v1.0.2 dany:v1.0.1 dany:v1.0 dany:v0.9 dany:luasec-0.8.2 dany:luasec-0.7.2 dany:luasec-0.8.1 dany:luasec-0.7.1 dany:luasec-0.8 dany:luasec-0.7 dany:luasec-0.6 dany:luasec-0.5.1 dany:luasec-0.5 dany:luasec-0.4.1 dany:luasec-0.4 dany:luasec-0.3.3 dany:luasec-0.3.2 dany:luasec-0.3.1 dany:luasec-0.3 dany:luasec-0.2
..
compare: dany:luasec-dev-0.5
Branches Tags
dany:master dany:shutdown-method dany:dev dany:ocsp dany:luasec-dev-0.8 dany:luasec-dev-0.7 dany:luasec-dev-0.5
dany:v1.3.2 dany:v1.3.1 dany:v1.3.0 dany:v1.2.0 dany:v1.1.0 dany:v1.0.2 dany:v1.0.1 dany:v1.0 dany:v0.9 dany:luasec-0.8.2 dany:luasec-0.7.2 dany:luasec-0.8.1 dany:luasec-0.7.1 dany:luasec-0.8 dany:luasec-0.7 dany:luasec-0.6 dany:luasec-0.5.1 dany:luasec-0.5 dany:luasec-0.4.1 dany:luasec-0.4 dany:luasec-0.3.3 dany:luasec-0.3.2 dany:luasec-0.3.1 dany:luasec-0.3 dany:luasec-0.2

5 Commits
luasec-0.6 ... luasec-dev

Author SHA1 Message Date
Bruno Silvestre
47cc914e69 Update version number. 2015-11-20 19:39:32 -02:00
Bruno Silvestre
90d4f2d95c typo: intall -> install. 
update MacOSX version -> 10.11.
 2015-11-20 19:20:07 -02:00
Bruno Silvestre
172d324243 Fix push_asn1_string(). 2015-11-20 19:16:16 -02:00
Bruno Silvestre
6cc8e951d4 Update samples. 2015-11-20 19:12:19 -02:00
Bruno Silvestre
d36e156fac Guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3. 
Use TLS_method() instead of SSLv32_method(), when it is the case.
 2015-11-20 18:54:57 -02:00
50 changed files with 241 additions and 847 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,3 +0,0 @@
/src/*.o
/src/luasocket/*.o
/*.dll

36
CHANGELOG
View File

@ -1,36 +1,10 @@
--------------------------------------------------------------------------------
LuaSec 0.6
LuaSec 0.5.1
------------
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.
Documentation: https://github.com/brunoos/luasec/wiki
This version includes:
* Lua 5.2 and 5.3 compatibility
* Context module:
- Add ctx:checkkey()
* SSL module:
- Add conn:sni() and conn:getsniname()
* Context options:
- Add "any" protocol ("sslv23" is deprecated)
* HTTPS module:
- Using "any" protocol without SSLv2/SSLv3, by default
* X509 module:
- Human readable IP address
- Add cert:issued()
- Add cert:pubkey()
* Some bug fixes
=> Thanks to everyone who collaborate with LuaSec <=
- Check if SSLv3 protocol is available.
- Fix push_asn1_string().
- Update samples to use 'sslv23' and 'tlsv1_2'.
- Update MACOSX_VERSION to 10.11 on Makefile.
--------------------------------------------------------------------------------
LuaSec 0.5

4
INSTALL
View File

@ -1,9 +1,9 @@
LuaSec 0.6
LuaSec 0.5.1
------------
* OpenSSL options:
By default, LuaSec 0.6 includes options for OpenSSL 1.0.2f.
By default, LuaSec 0.5.1 includes options for OpenSSL 1.0.1e.
If you need to generate the options for a different version of OpenSSL:

2
LICENSE
View File

@ -1,4 +1,4 @@
LuaSec 0.6 license
LuaSec 0.5.1 license
Copyright (C) 2006-2015 Bruno Silvestre, UFG
Permission is hereby granted, free of charge, to any person obtaining

18
Makefile
View File

@ -1,22 +1,22 @@
# Inform the location to install the modules
LUAPATH ?= /usr/share/lua/5.1
LUACPATH ?= /usr/lib/lua/5.1
LUAPATH ?= /usr/share/lua/5.1
LUACPATH ?= /usr/lib/lua/5.1
# Compile with build-in LuaSocket's help files.
# Comment this lines if you will link with non-internal LuaSocket's help files
# and edit INCDIR and LIBDIR properly.
EXTRA = luasocket
DEFS = -DWITH_LUASOCKET
EXTRA = luasocket
DEFS = -DWITH_LUASOCKET
# Edit the lines below to inform new path, if necessary.
# Path below points to internal LuaSocket's help files.
INC_PATH ?= -I/usr/include
LIB_PATH ?= -L/usr/lib
INCDIR = -I. $(INC_PATH)
LIBDIR = -L./luasocket $(LIB_PATH)
INC_PATH ?= -I/usr/include
LIB_PATH ?= -L/usr/lib
INCDIR = -I. $(INC_PATH)
LIBDIR = -L./luasocket $(LIB_PATH)
# For Mac OS X: set the system version
MACOSX_VERSION=10.11
MACOSX_VERSION?=10.11
#----------------------
# Do not edit this part

61
README.md
View File

@ -1,36 +1,41 @@
LuaSec 0.6
LuaSec 0.5.1
============
- Check if SSLv3 protocol is available.
- Fix push_asn1_string().
- Update samples to use 'sslv23' and 'tlsv1_2'.
- Update MACOSX_VERSION to 10.11 on Makefile.
LuaSec 0.5
==========
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.
Documentation: https://github.com/brunoos/luasec/wiki
This version includes:
This version includes:
* A new certificate (X509) API, which supports:
- Reading the subject (identity) and issuer of the certificate.
- Reading various X509 extensions, including email and dnsName.
- Converting certificates to and from the standard ASCII PEM
format.
- Generating the fingerprint/digest of a certificate (using SHA1,
SHA256 or SHA512).
- Reading the certificate's expiration, serial number, and other
info.
* Lua 5.2 and 5.3 compatibility
* The ability to get more detailed information from OpenSSL about
why a certificate failed verification, for each certificate in the
chain.
* Flags to force acceptance of invalid certificates, e.g. to allow
the use of self-signed certificates in a Trust On First Use model.
* Context module:
- Add ctx:checkkey()
* Flags to control checking CRLs for certificate revocation status.
* Support for ECDH cipher suites.
* An API to get the TLS 'finished' messages used for SASL channel
binding (e.g. the SCRAM PLUS mechanisms).
* SSL module:
- Add conn:sni() and conn:getsniname()
* Context options:
- Add "any" protocol ("sslv23" is deprecated)
* HTTPS module:
- Using "any" protocol without SSLv2/SSLv3, by default
* X509 module:
- Human readable IP address
- Add cert:issued()
- Add cert:pubkey()
* Some bug fixes
********************************************************************************
PS: 10th anniversary! Thanks to everyone who collaborate with LuaSec.
********************************************************************************
The work in this release was undertaken by Kim Alvefur, Paul Aurich,
Tobias Markmann, Bruno Silvestre and Matthew Wild.

114
luasec-0.6-1.rockspec
View File

@ -1,114 +0,0 @@
package = "LuaSec"
version = "0.6-1"
source = {
url = "git://github.com/brunoos/luasec.git",
tag = "luasec-0.6"
}
description = {
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
homepage = "https://github.com/brunoos/luasec/wiki",
license = "MIT"
}
dependencies = {
"lua >= 5.1", "luasocket"
}
external_dependencies = {
platforms = {
unix = {
OPENSSL = {
header = "openssl/ssl.h",
library = "ssl"
}
},
windows = {
OPENSSL = {
header = "openssl/ssl.h",
}
},
}
}
build = {
type = "builtin",
copy_directories = {
"samples"
},
platforms = {
unix = {
install = {
lib = {
"ssl.so"
},
lua = {
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
}
},
modules = {
ssl = {
incdirs = {
"$(OPENSSL_INCDIR)", "src/", "src/luasocket",
},
libdirs = {
"$(OPENSSL_LIBDIR)"
},
libraries = {
"ssl", "crypto"
},
sources = {
"src/x509.c", "src/context.c", "src/ssl.c",
"src/luasocket/buffer.c", "src/luasocket/io.c",
"src/luasocket/timeout.c", "src/luasocket/usocket.c"
}
}
}
},
windows = {
install = {
lib = {
"ssl.dll"
},
lua = {
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
}
},
modules = {
ssl = {
defines = {
"WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
"LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
},
libdirs = {
"$(OPENSSL_LIBDIR)",
"$(OPENSSL_BINDIR)",
},
libraries = {
"libeay32", "ssleay32", "ws2_32"
},
incdirs = {
"$(OPENSSL_INCDIR)", "src/", "src/luasocket"
},
sources = {
"src/x509.c", "src/context.c", "src/ssl.c",
"src/luasocket/buffer.c", "src/luasocket/io.c",
"src/luasocket/timeout.c", "src/luasocket/wsocket.c"
}
}
},
patches = {
["luarocks_vs_compiler.patch"] = [[
--- a/src/ssl.c.orig
+++ b/src/ssl.c
@@ -844,3 +844,8 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
return 1;
}
+
+#if defined(_MSC_VER)
+/* Empty implementation to allow building with LuaRocks and MS compilers */
+LSEC_API int luaopen_ssl(lua_State *L) { return 0; }
+#endif
]]
}
}
}
}

4
luasec.vcxproj
View File

@ -49,7 +49,7 @@
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@ -122,4 +122,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>

14
samples/certs/all.bat
View File

@ -1,14 +0,0 @@
REM make sure the 'openssl.exe' commandline tool is in your path before starting!
REM set the path below;
set opensslpath=c:\program files (x86)\openssl-win32\bin
setlocal
set path=%opensslpath%;%path%
call roota.bat
call rootb.bat
call servera.bat
call serverb.bat
call clienta.bat
call clientb.bat

9
samples/certs/clientA.bat
View File

@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
copy clientAcert.pem + rootA.pem clientA.pem
openssl x509 -subject -issuer -noout -in clientA.pem

9
samples/certs/clientB.bat
View File

@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
copy clientBcert.pem + rootB.pem clientB.pem
openssl x509 -subject -issuer -noout -in clientB.pem

7
samples/certs/rootA.bat
View File

@ -1,7 +0,0 @@
REM #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
openssl x509 -subject -issuer -noout -in rootA.pem

7
samples/certs/rootB.bat
View File

@ -1,7 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
openssl x509 -subject -issuer -noout -in rootB.pem

9
samples/certs/serverA.bat
View File

@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
copy serverAcert.pem + rootA.pem serverA.pem
openssl x509 -subject -issuer -noout -in serverA.pem

9
samples/certs/serverB.bat
View File

@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
copy serverBcert.pem + rootB.pem serverB.pem
openssl x509 -subject -issuer -noout -in serverB.pem

2
samples/chain/server.lua
View File

@ -7,7 +7,7 @@ local util = require("util")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/dhparam/server.lua
View File

@ -31,7 +31,7 @@ end
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/digest/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/ecdh/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/info/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/key/loadkey.lua
View File

@ -5,7 +5,7 @@ local ssl = require("ssl")
local pass = "foobar"
local cfg = {
protocol = "tlsv1",
protocol = "tlsv1_2",
mode = "client",
key = "key.pem",
}

2
samples/loop-gc/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/loop/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/oneshot/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

35
samples/sni/client.lua
View File

@ -1,35 +0,0 @@
local socket = require("socket")
local ssl = require("ssl")
local params = {
mode = "client",
protocol = "tlsv1_2",
key = "../certs/clientAkey.pem",
certificate = "../certs/clientA.pem",
cafile = "../certs/rootA.pem",
verify = "peer",
options = "all",
}
local conn = socket.tcp()
conn:connect("127.0.0.1", 8888)
-- TLS/SSL initialization
conn = ssl.wrap(conn, params)
-- Comment the lines to not send a name
--conn:sni("servera.br")
--conn:sni("serveraa.br")
conn:sni("serverb.br")
assert(conn:dohandshake())
--
local cert = conn:getpeercertificate()
for k, v in pairs(cert:subject()) do
for i, j in pairs(v) do
print(i, j)
end
end
--
print(conn:receive("*l"))
conn:close()

52
samples/sni/server.lua
View File

@ -1,52 +0,0 @@
local socket = require("socket")
local ssl = require("ssl")
local params01 = {
mode = "server",
protocol = "any",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",
verify = "none",
options = "all",
ciphers = "ALL:!ADH:@STRENGTH",
}
local params02 = {
mode = "server",
protocol = "any",
key = "../certs/serverAAkey.pem",
certificate = "../certs/serverAA.pem",
cafile = "../certs/rootA.pem",
verify = "none",
options = "all",
ciphers = "ALL:!ADH:@STRENGTH",
}
--
local ctx01 = ssl.newcontext(params01)
local ctx02 = ssl.newcontext(params02)
--
local server = socket.tcp()
server:setoption('reuseaddr', true)
server:bind("127.0.0.1", 8888)
server:listen()
local conn = server:accept()
--
-- Default context (when client does not send a name) is ctx01
conn = ssl.wrap(conn, ctx01)
-- Configure the name map
local sni_map = {
["servera.br"] = ctx01,
["serveraa.br"] = ctx02,
}
conn:sni(sni_map, true)
assert(conn:dohandshake())
--
conn:send("one line\n")
conn:close()

2
samples/verification/fail-string/client.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "client",
protocol = "tlsv1",
protocol = "tlsv1_2",
key = "../../certs/clientBkey.pem",
certificate = "../../certs/clientB.pem",
cafile = "../../certs/rootB.pem",

2
samples/verification/fail-string/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "tlsv1",
protocol = "sslv23",
key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem",

4
samples/verification/fail-table/client.lua
View File

@ -6,12 +6,12 @@ local ssl = require("ssl")
local params = {
mode = "client",
protocol = "tlsv1",
protocol = "tlsv1_2",
key = "../../certs/clientBkey.pem",
certificate = "../../certs/clientB.pem",
cafile = "../../certs/rootB.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = "all",
options = "all", ,
verifyext = "lsec_continue",
}

2
samples/verification/fail-table/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "tlsv1",
protocol = "sslv23",
key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem",

2
samples/verification/success/client.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "client",
protocol = "tlsv1",
protocol = "tlsv1_2",
key = "../../certs/clientAkey.pem",
certificate = "../../certs/clientA.pem",
cafile = "../../certs/rootA.pem",

2
samples/verification/success/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "tlsv1",
protocol = "sslv23",
key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem",

2
samples/verify/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/want/server.lua
View File

@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/wantread/server.lua
View File

@ -8,7 +8,7 @@ local ssl = require("ssl")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

2
samples/wantwrite/server.lua
View File

@ -8,7 +8,7 @@ print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
local params = {
mode = "server",
protocol = "any",
protocol = "sslv23",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",

19
src/Makefile
View File

@ -20,21 +20,22 @@ MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
INSTALL = install
CC = cc
LD = $(MYENV) cc
CFLAGS += $(MYCFLAGS)
LDFLAGS += $(MYLDFLAGS)
INSTALL ?= install
CC ?= cc
LD ?= $(MYENV) cc
CFLAGS += $(MYCFLAGS)
LDFLAGS += $(MYLDFLAGS)
DESTDIR ?= /
.PHONY: all clean install none linux bsd macosx luasocket
all:
install: $(CMOD) $(LMOD)
$(INSTALL) -d $(LUAPATH)/ssl $(LUACPATH)
$(INSTALL) $(CMOD) $(LUACPATH)
$(INSTALL) -m644 $(LMOD) $(LUAPATH)
$(INSTALL) -m644 https.lua $(LUAPATH)/ssl
$(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
$(INSTALL) -D $(CMOD) $(DESTDIR)$(LUACPATH)
$(INSTALL) -m644 -D $(LMOD) $(DESTDIR)$(LUAPATH)
$(INSTALL) -m644 -D https.lua $(DESTDIR)$(LUAPATH)/ssl
linux:
@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"

10
src/config.h
View File

@ -1,6 +1,6 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -14,11 +14,7 @@
#endif
#if (LUA_VERSION_NUM == 501)
#define setfuncs(L, R) luaL_register(L, NULL, R)
#define lua_rawlen(L, i) lua_objlen(L, i)
#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
#else
#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
#define lua_rawlen(L, i) lua_objlen(L, i)
#endif
#endif

84
src/context.c
View File

@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* LuaSec 0.5.1
*
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2016 Bruno Silvestre.
* Copyright (C) 2006-2015 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -39,28 +39,6 @@ typedef SSL_METHOD LSEC_SSL_METHOD;
#define SSLv23_method() TLS_method()
#endif
/*-- Compat - Lua 5.1 --------------------------------------------------------*/
#if (LUA_VERSION_NUM == 501)
#define luaL_testudata(L, ud, tname) testudata(L, ud, tname)
static void *testudata (lua_State *L, int ud, const char *tname) {
void *p = lua_touserdata(L, ud);
if (p != NULL) { /* value is a userdata? */
if (lua_getmetatable(L, ud)) { /* does it have a metatable? */
luaL_getmetatable(L, tname); /* get correct metatable */
if (!lua_rawequal(L, -1, -2)) /* not the same? */
p = NULL; /* value is a userdata with wrong metatable */
lua_pop(L, 2); /* remove both metatables */
return p;
}
}
return NULL; /* value is not a userdata with a metatable */
}
#endif
/*--------------------------- Auxiliary Functions ----------------------------*/
/**
@ -71,11 +49,6 @@ static p_context checkctx(lua_State *L, int idx)
return (p_context)luaL_checkudata(L, idx, "SSL:Context");
}
static p_context testctx(lua_State *L, int idx)
{
return (p_context)luaL_testudata(L, idx, "SSL:Context");
}
/**
* Prepare the SSL options flag.
*/
@ -96,8 +69,7 @@ static int set_option_flag(const char *opt, unsigned long *flag)
*/
static LSEC_SSL_METHOD* str2method(const char *method)
{
if (!strcmp(method, "any")) return SSLv23_method();
if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated
if (!strcmp(method, "sslv23")) return SSLv23_method();
#ifndef OPENSSL_NO_SSL3
if (!strcmp(method, "sslv3")) return SSLv3_method();
#endif
@ -429,17 +401,6 @@ static int load_key(lua_State *L)
return ret;
}
/**
* Check that the certificate public key matches the private key
*/
static int check_key(lua_State *L)
{
SSL_CTX *ctx = lsec_checkcontext(L, 1);
lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
return 1;
}
/**
* Set the cipher list.
*/
@ -463,7 +424,7 @@ static int set_cipher(lua_State *L)
static int set_depth(lua_State *L)
{
SSL_CTX *ctx = lsec_checkcontext(L, 1);
SSL_CTX_set_verify_depth(ctx, (int)luaL_checkinteger(L, 2));
SSL_CTX_set_verify_depth(ctx, luaL_checkint(L, 2));
lua_pushboolean(L, 1);
return 1;
}
@ -609,7 +570,6 @@ static luaL_Reg funcs[] = {
{"locations", load_locations},
{"loadcert", load_cert},
{"loadkey", load_key},
{"checkkey", check_key},
{"setcipher", set_cipher},
{"setdepth", set_depth},
{"setdhparam", set_dhparam},
@ -743,12 +703,6 @@ SSL_CTX* lsec_checkcontext(lua_State *L, int idx)
return ctx->context;
}
SSL_CTX* lsec_testcontext(lua_State *L, int idx)
{
p_context ctx = testctx(L, idx);
return (ctx) ? ctx->context : NULL;
}
/**
* Retrieve the mode from the context in the Lua stack.
*/
@ -763,19 +717,39 @@ int lsec_getmode(lua_State *L, int idx)
/**
* Registre the module.
*/
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_context(lua_State *L)
{
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:Context");
setfuncs(L, meta);
luaL_register(L, NULL, meta);
/* Create __index metamethods for context */
luaL_newlib(L, meta_index);
lua_newtable(L);
luaL_register(L, NULL, meta_index);
lua_setfield(L, -2, "__index");
/* Register the module */
luaL_register(L, "ssl.context", funcs);
return 1;
}
#else
LSEC_API int luaopen_ssl_context(lua_State *L)
{
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:Context");
luaL_setfuncs(L, meta, 0);
/* Create __index metamethods for context */
lua_newtable(L);
luaL_setfuncs(L, meta_index, 0);
lua_setfield(L, -2, "__index");
/* Return the module */
luaL_newlib(L, funcs);
lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
return 1;
}
#endif

5
src/context.h
View File

@ -2,8 +2,8 @@
#define LSEC_CONTEXT_H
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -29,7 +29,6 @@ typedef t_context* p_context;
/* Retrieve the SSL context from the Lua stack */
SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
SSL_CTX *lsec_testcontext(lua_State *L, int idx);
/* Retrieve the mode from the context in the Lua stack */
int lsec_getmode(lua_State *L, int idx);

4
src/ec.h
View File

@ -1,6 +1,6 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

44
src/https.lua
View File

@ -1,6 +1,6 @@
----------------------------------------------------------------------------
-- LuaSec 0.6
-- Copyright (C) 2009-2016 PUC-Rio
-- LuaSec 0.5.1
-- Copyright (C) 2009-2015 PUC-Rio
--
-- Author: Pablo Musa
-- Author: Tomas Guisasola
@ -12,21 +12,25 @@ local ltn12 = require("ltn12")
local http = require("socket.http")
local url = require("socket.url")
local try = socket.try
local table = require("table")
local string = require("string")
--
-- Module
--
local _M = {
_VERSION = "0.6",
_COPYRIGHT = "LuaSec 0.6 - Copyright (C) 2009-2016 PUC-Rio",
PORT = 443,
}
local try = socket.try
local type = type
local pairs = pairs
local getmetatable = getmetatable
module("ssl.https")
_VERSION = "0.5.1"
_COPYRIGHT = "LuaSec 0.5.1 - Copyright (C) 2009-2015 PUC-Rio"
-- Default settings
PORT = 443
-- TLS configuration
local cfg = {
protocol = "any",
options = {"all", "no_sslv2", "no_sslv3"},
protocol = "tlsv1",
options = "all",
verify = "none",
}
@ -36,7 +40,7 @@ local cfg = {
-- Insert default HTTPS port.
local function default_https_port(u)
return url.build(url.parse(u, {port = _M.PORT}))
return url.build(url.parse(u, {port = PORT}))
end
-- Convert an URL to a table according to Luasocket needs.
@ -109,7 +113,7 @@ end
-- @param body optional (string)
-- @return (string if url == string or 1), code, headers, status
--
local function request(url, body)
function request(url, body)
local result_table = {}
local stringrequest = type(url) == "string"
if stringrequest then
@ -132,11 +136,3 @@ local function request(url, body)
end
return res, code, headers, status
end
--------------------------------------------------------------------------------
-- Export module
--
_M.request = request
return _M

4
src/luasocket/Makefile
View File

@ -6,7 +6,7 @@ OBJS= \
CC ?= cc
CFLAGS += $(MYCFLAGS) -DLUASOCKET_DEBUG
AR ?= ar
AR := ar rcu
RANLIB ?= ranlib
.PHONY: all clean
@ -14,7 +14,7 @@ RANLIB ?= ranlib
all: libluasocket.a
libluasocket.a: $(OBJS)
$(AR) rcu $@ $(OBJS)
$(AR) $@ $(OBJS)
$(RANLIB) $@
clean:

21
src/options.h
View File

@ -2,8 +2,8 @@
#define LSEC_OPTIONS_H
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -12,7 +12,7 @@
/* If you need to generate these options again, see options.lua */
/*
OpenSSL version: OpenSSL 1.0.2f
OpenSSL version: OpenSSL 1.0.1e 2013-06-12
*/
struct ssl_option_s {
@ -73,21 +73,12 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_NO_COMPRESSION)
{"no_compression", SSL_OP_NO_COMPRESSION},
#endif
#if defined(SSL_OP_NO_DTLSv1)
{"no_dtlsv1", SSL_OP_NO_DTLSv1},
#endif
#if defined(SSL_OP_NO_DTLSv1_2)
{"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
#endif
#if defined(SSL_OP_NO_QUERY_MTU)
{"no_query_mtu", SSL_OP_NO_QUERY_MTU},
#endif
#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
{"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
#endif
#if defined(SSL_OP_NO_SSL_MASK)
{"no_ssl_mask", SSL_OP_NO_SSL_MASK},
#endif
#if defined(SSL_OP_NO_SSLv2)
{"no_sslv2", SSL_OP_NO_SSLv2},
#endif
@ -112,9 +103,6 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_PKCS1_CHECK_2)
{"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
#endif
#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
{"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
#endif
#if defined(SSL_OP_SINGLE_DH_USE)
{"single_dh_use", SSL_OP_SINGLE_DH_USE},
#endif
@ -127,9 +115,6 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
{"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
#endif
#if defined(SSL_OP_TLSEXT_PADDING)
{"tlsext_padding", SSL_OP_TLSEXT_PADDING},
#endif
#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
{"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
#endif

4
src/options.lua
View File

@ -21,8 +21,8 @@ local function generate(options, version)
#define LSEC_OPTIONS_H
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

164
src/ssl.c
View File

@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* LuaSec 0.5.1
*
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2016 Bruno Silvestre.
* Copyright (C) 2006-2014 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -28,7 +28,6 @@
#include <luasocket/socket.h>
#include "x509.h"
#include "context.h"
#include "ssl.h"
/**
@ -81,15 +80,11 @@ static int meth_destroy(lua_State *L)
}
ssl->state = LSEC_STATE_CLOSED;
if (ssl->ssl) {
/* Clear the registries */
/* Clear the registry */
luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_pushnil(L);
lua_settable(L, -3);
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_pushnil(L);
lua_settable(L, -3);
/* Destroy the object */
SSL_free(ssl->ssl);
ssl->ssl = NULL;
@ -330,7 +325,7 @@ static int meth_setfd(lua_State *L)
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_NEW)
luaL_argerror(L, 1, "invalid SSL object state");
ssl->sock = (t_socket)luaL_checkinteger(L, 2);
ssl->sock = luaL_checkint(L, 2);
socket_setnonblocking(&ssl->sock);
SSL_set_fd(ssl->ssl, (int)ssl->sock);
return 0;
@ -400,30 +395,24 @@ static int meth_want(lua_State *L)
}
return 1;
}
/**
* Return the compression method used.
*/
static int meth_compression(lua_State *L)
{
#if !defined(OPENSSL_NO_COMP)
const COMP_METHOD *comp;
#endif
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L);
lua_pushstring(L, "closed");
return 2;
}
#if !defined(OPENSSL_NO_COMP)
comp = SSL_get_current_compression(ssl->ssl);
if (comp)
lua_pushstring(L, SSL_COMP_get_name(comp));
else
lua_pushnil(L);
#else
lua_pushnil(L);
#endif
return 1;
}
@ -442,7 +431,7 @@ static int meth_getpeercertificate(lua_State *L)
return 2;
}
/* Default to the first cert */
n = (int)luaL_optinteger(L, 2, 1);
n = luaL_optint(L, 2, 1);
/* This function is 1-based, but OpenSSL is 0-based */
--n;
if (n < 0) {
@ -664,100 +653,9 @@ static int meth_info(lua_State *L)
return 4;
}
static int sni_cb(SSL *ssl, int *ad, void *arg)
{
int strict;
SSL_CTX *newctx = NULL;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
lua_State *L = ((p_context)SSL_CTX_get_app_data(ctx))->L;
const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
/* No name, use default context */
if (!name)
return SSL_TLSEXT_ERR_NOACK;
/* Retrieve struct from registry */
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl);
lua_gettable(L, -2);
/* Strict search? */
lua_pushstring(L, "strict");
lua_gettable(L, -2);
strict = lua_toboolean(L, -1);
lua_pop(L, 1);
/* Search for the name in the map */
lua_pushstring(L, "map");
lua_gettable(L, -2);
lua_pushstring(L, name);
lua_gettable(L, -2);
if (lua_isuserdata(L, -1))
newctx = lsec_checkcontext(L, -1);
lua_pop(L, 4);
/* Found, use this context */
if (newctx) {
SSL_set_SSL_CTX(ssl, newctx);
return SSL_TLSEXT_ERR_OK;
}
/* Not found, but use initial context */
if (!strict)
return SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
static int meth_sni(lua_State *L)
{
int strict;
SSL_CTX *aux;
const char *name;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
if (pctx->mode == LSEC_MODE_CLIENT) {
name = luaL_checkstring(L, 2);
SSL_set_tlsext_host_name(ssl->ssl, name);
return 0;
} else if (pctx->mode == LSEC_MODE_SERVER) {
luaL_checktype(L, 2, LUA_TTABLE);
strict = lua_toboolean(L, 3);
/* Check if the table contains only (string -> context) */
lua_pushnil(L);
while (lua_next(L, 2)) {
luaL_checkstring(L, -2);
aux = lsec_checkcontext(L, -1);
/* Set callback in every context */
SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
/* leave the next key on the stack */
lua_pop(L, 1);
}
/* Save table in the register */
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_newtable(L);
lua_pushstring(L, "map");
lua_pushvalue(L, 2);
lua_settable(L, -3);
lua_pushstring(L, "strict");
lua_pushboolean(L, strict);
lua_settable(L, -3);
lua_settable(L, -3);
/* Set callback in the default context */
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
}
return 0;
}
static int meth_getsniname(lua_State *L)
{
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
const char *name = SSL_get_servername(ssl->ssl, TLSEXT_NAMETYPE_host_name);
if (name)
lua_pushstring(L, name);
else
lua_pushnil(L);
return 1;
}
static int meth_copyright(lua_State *L)
{
lua_pushstring(L, "LuaSec 0.6 - Copyright (C) 2006-2016 Bruno Silvestre, UFG"
lua_pushstring(L, "LuaSec 0.5.1 - Copyright (C) 2006-2015 Bruno Silvestre"
#if defined(WITH_LUASOCKET)
"\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
#endif
@ -778,7 +676,6 @@ static luaL_Reg methods[] = {
{"getpeerchain", meth_getpeerchain},
{"getpeerverification", meth_getpeerverification},
{"getpeerfinished", meth_getpeerfinished},
{"getsniname", meth_getsniname},
{"getstats", meth_getstats},
{"setstats", meth_setstats},
{"dirty", meth_dirty},
@ -786,7 +683,6 @@ static luaL_Reg methods[] = {
{"receive", meth_receive},
{"send", meth_send},
{"settimeout", meth_settimeout},
{"sni", meth_sni},
{"want", meth_want},
{NULL, NULL}
};
@ -816,6 +712,37 @@ static luaL_Reg funcs[] = {
/**
* Initialize modules.
*/
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_core(lua_State *L)
{
/* Initialize SSL */
if (!SSL_library_init()) {
lua_pushstring(L, "unable to initialize SSL library");
lua_error(L);
}
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
#if defined(WITH_LUASOCKET)
/* Initialize internal library */
socket_open();
#endif
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Connection");
luaL_register(L, NULL, meta);
lua_newtable(L);
luaL_register(L, NULL, methods);
lua_setfield(L, -2, "__index");
luaL_register(L, "ssl.core", funcs);
lua_pushnumber(L, SOCKET_INVALID);
lua_setfield(L, -2, "invalidfd");
return 1;
}
#else
LSEC_API int luaopen_ssl_core(lua_State *L)
{
/* Initialize SSL */
@ -831,16 +758,19 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
socket_open();
#endif
luaL_newmetatable(L, "SSL:SNI:Registry");
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Connection");
setfuncs(L, meta);
luaL_setfuncs(L, meta, 0);
luaL_newlib(L, methods);
lua_newtable(L);
luaL_setfuncs(L, methods, 0);
lua_setfield(L, -2, "__index");
luaL_newlib(L, funcs);
lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
lua_pushnumber(L, SOCKET_INVALID);
lua_setfield(L, -2, "invalidfd");
return 1;
}
#endif

4
src/ssl.h
View File

@ -2,8 +2,8 @@
#define LSEC_SSL_H
/*--------------------------------------------------------------------------
* LuaSec 0.6
* Copyright (C) 2006-2016 Bruno Silvestre
* LuaSec 0.5.1
* Copyright (C) 2006-2015 Bruno Silvestre
*
*--------------------------------------------------------------------------*/

39
src/ssl.lua
View File

@ -1,6 +1,6 @@
------------------------------------------------------------------------------
-- LuaSec 0.6
-- Copyright (C) 2006-2016 Bruno Silvestre
-- LuaSec 0.5.1
-- Copyright (C) 2006-2015 Bruno Silvestre
--
------------------------------------------------------------------------------
@ -8,7 +8,13 @@ local core = require("ssl.core")
local context = require("ssl.context")
local x509 = require("ssl.x509")
local unpack = table.unpack or unpack
module("ssl", package.seeall)
_VERSION = "0.5.1"
_COPYRIGHT = core.copyright()
-- Export
loadcertificate = x509.load
-- We must prevent the contexts to be collected before the connections,
-- otherwise the C registry will be cleared.
@ -31,7 +37,7 @@ end
--
--
--
local function newcontext(cfg)
function newcontext(cfg)
local succ, msg, ctx
-- Create the context
ctx, msg = context.create(cfg.protocol)
@ -52,12 +58,8 @@ local function newcontext(cfg)
end
-- Load the certificate
if cfg.certificate then
succ, msg = context.loadcert(ctx, cfg.certificate)
if not succ then return nil, msg end
if cfg.key and context.checkkey then
succ = context.checkkey(ctx)
if not succ then return nil, "private key does not match public key" end
end
succ, msg = context.loadcert(ctx, cfg.certificate)
if not succ then return nil, msg end
end
-- Load the CA certificates
if cfg.cafile or cfg.capath then
@ -109,7 +111,7 @@ end
--
--
--
local function wrap(sock, cfg)
function wrap(sock, cfg)
local ctx, msg
if type(cfg) == "table" then
ctx, msg = newcontext(cfg)
@ -120,7 +122,7 @@ local function wrap(sock, cfg)
local s, msg = core.create(ctx)
if s then
core.setfd(s, sock:getfd())
sock:setfd(-1)
sock:setfd(core.invalidfd)
registry[s] = ctx
return s
end
@ -164,16 +166,3 @@ end
--
core.setmethod("info", info)
--------------------------------------------------------------------------------
-- Export module
--
local _M = {
_VERSION = "0.6",
_COPYRIGHT = core.copyright(),
loadcertificate = x509.load,
newcontext = newcontext,
wrap = wrap,
}
return _M

249
src/x509.c
View File

@ -1,22 +1,15 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* LuaSec 0.5.1
*
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#if defined(WIN32)
#include <ws2tcpip.h>
#include <windows.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include <openssl/ssl.h>
@ -64,51 +57,6 @@ p_x509 lsec_checkp_x509(lua_State* L, int idx)
/*---------------------------------------------------------------------------*/
#if defined(LUASEC_INET_NTOP)
/*
* For WinXP (SP3), set the following preprocessor macros:
* LUASEC_INET_NTOP
* WINVER=0x0501
* _WIN32_WINNT=0x0501
* NTDDI_VERSION=0x05010300
*
* For IPv6 addresses, you need to add IPv6 Protocol to your interface.
*
*/
static const char *inet_ntop(int af, const char *src, char *dst, socklen_t size)
{
int addrsize;
struct sockaddr *addr;
struct sockaddr_in addr4;
struct sockaddr_in6 addr6;
switch (af) {
case AF_INET:
memset((void*)&addr4, 0, sizeof(addr4));
addr4.sin_family = AF_INET;
memcpy((void*)&addr4.sin_addr, src, sizeof(struct in_addr));
addr = (struct sockaddr*)&addr4;
addrsize = sizeof(struct sockaddr_in);
break;
case AF_INET6:
memset((void*)&addr6, 0, sizeof(addr6));
addr6.sin6_family = AF_INET6;
memcpy((void*)&addr6.sin6_addr, src, sizeof(struct in6_addr));
addr = (struct sockaddr*)&addr6;
addrsize = sizeof(struct sockaddr_in6);
break;
default:
return NULL;
}
if(getnameinfo(addr, addrsize, dst, size, NULL, 0, NI_NUMERICHOST) != 0)
return NULL;
return dst;
}
#endif
/*---------------------------------------------------------------------------*/
/**
* Convert the buffer 'in' to hexadecimal.
*/
@ -138,7 +86,7 @@ static void push_asn1_objname(lua_State* L, ASN1_OBJECT *object, int no_name)
*/
static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
{
int len;
int len;
unsigned char *data;
if (!string) {
lua_pushnil(L);
@ -175,31 +123,6 @@ static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm)
return 1;
}
/**
* Return a human readable IP address.
*/
static void push_asn1_ip(lua_State *L, ASN1_STRING *string)
{
int af;
char dst[INET6_ADDRSTRLEN];
unsigned char *ip = ASN1_STRING_data(string);
switch(ASN1_STRING_length(string)) {
case 4:
af = AF_INET;
break;
case 16:
af = AF_INET6;
break;
default:
lua_pushnil(L);
return;
}
if(inet_ntop(af, ip, dst, INET6_ADDRSTRLEN))
lua_pushstring(L, dst);
else
lua_pushnil(L);
}
/**
*
*/
@ -317,7 +240,7 @@ int meth_extensions(lua_State* L)
break;
case GEN_DNS:
lua_pushstring(L, "dNSName");
push_subtable(L, -2);
push_subtable(L, -2);
push_asn1_string(L, general_name->d.dNSName, px->encode);
lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
lua_pop(L, 1);
@ -339,7 +262,7 @@ int meth_extensions(lua_State* L)
case GEN_IPADD:
lua_pushstring(L, "iPAddress");
push_subtable(L, -2);
push_asn1_ip(L, general_name->d.iPAddress);
push_asn1_string(L, general_name->d.iPAddress, px->encode);
lua_rawseti(L, -2, lua_rawlen(L, -2)+1);
lua_pop(L, 1);
break;
@ -389,52 +312,6 @@ static int meth_pem(lua_State* L)
return 1;
}
/**
* Extract public key in PEM format.
*/
static int meth_pubkey(lua_State* L)
{
char* data;
long bytes;
int ret = 1;
X509* cert = lsec_checkx509(L, 1);
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = X509_get_pubkey(cert);
if(PEM_write_bio_PUBKEY(bio, pkey)) {
bytes = BIO_get_mem_data(bio, &data);
if (bytes > 0) {
lua_pushlstring(L, data, bytes);
switch(EVP_PKEY_type(pkey->type)) {
case EVP_PKEY_RSA:
lua_pushstring(L, "RSA");
break;
case EVP_PKEY_DSA:
lua_pushstring(L, "DSA");
break;
case EVP_PKEY_DH:
lua_pushstring(L, "DH");
break;
case EVP_PKEY_EC:
lua_pushstring(L, "EC");
break;
default:
lua_pushstring(L, "Unknown");
break;
}
lua_pushinteger(L, EVP_PKEY_bits(pkey));
ret = 3;
}
else
lua_pushnil(L);
}
else
lua_pushnil(L);
/* Cleanup */
BIO_free(bio);
EVP_PKEY_free(pkey);
return ret;
}
/**
* Compute the fingerprint.
*/
@ -520,91 +397,6 @@ static int meth_notafter(lua_State *L)
return push_asn1_time(L, X509_get_notAfter(cert));
}
/**
* Check if this certificate issued some other certificate
*/
static int meth_issued(lua_State* L)
{
int ret, i, len;
X509_STORE_CTX* ctx = NULL;
X509_STORE* root = NULL;
STACK_OF(X509)* chain = NULL;
X509* issuer = lsec_checkx509(L, 1);
X509* subject = lsec_checkx509(L, 2);
X509* cert = NULL;
len = lua_gettop(L);
/* Check that all arguments are certificates */
for (i = 3; i <= len; i++) {
lsec_checkx509(L, i);
}
/* Before allocating things that require freeing afterwards */
chain = sk_X509_new_null();
ctx = X509_STORE_CTX_new();
root = X509_STORE_new();
if (ctx == NULL || root == NULL) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_new() or X509_STORE_CTX_new() error");
ret = 2;
goto cleanup;
}
ret = X509_STORE_add_cert(root, issuer);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_add_cert() error");
ret = 2;
goto cleanup;
}
for (i = 3; i <= len && lua_isuserdata(L, i); i++) {
cert = lsec_checkx509(L, i);
sk_X509_push(chain, cert);
}
ret = X509_STORE_CTX_init(ctx, root, subject, chain);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_CTX_init() error");
ret = 2;
goto cleanup;
}
/* Actual verification */
if (X509_verify_cert(ctx) <= 0) {
ret = X509_STORE_CTX_get_error(ctx);
lua_pushnil(L);
lua_pushstring(L, X509_verify_cert_error_string(ret));
ret = 2;
} else {
lua_pushboolean(L, 1);
ret = 1;
}
cleanup:
if (ctx != NULL) {
X509_STORE_CTX_free(ctx);
}
if (chain != NULL) {
X509_STORE_free(root);
}
sk_X509_free(chain);
return ret;
}
/**
* Collect X509 objects.
*/
@ -671,9 +463,7 @@ static luaL_Reg methods[] = {
{"issuer", meth_issuer},
{"notbefore", meth_notbefore},
{"notafter", meth_notafter},
{"issued", meth_issued},
{"pem", meth_pem},
{"pubkey", meth_pubkey},
{"serial", meth_serial},
{"subject", meth_subject},
{"validat", meth_valid_at},
@ -699,16 +489,39 @@ static luaL_Reg funcs[] = {
/*--------------------------------------------------------------------------*/
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_x509(lua_State *L)
{
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Certificate");
setfuncs(L, meta);
luaL_register(L, NULL, meta);
luaL_newlib(L, methods);
lua_newtable(L);
luaL_register(L, NULL, methods);
lua_setfield(L, -2, "__index");
luaL_newlib(L, funcs);
luaL_register(L, "ssl.x509", funcs);
return 1;
}
#else
LSEC_API int luaopen_ssl_x509(lua_State *L)
{
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Certificate");
luaL_setfuncs(L, meta, 0);
lua_newtable(L);
luaL_setfuncs(L, methods, 0);
lua_setfield(L, -2, "__index");
lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
return 1;
}
#endif

4
src/x509.h
View File

@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 0.6
* LuaSec 0.5.1
*
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/