5 Commits

Author SHA1 Message Date
47cc914e69 Update version number. 2015-11-20 19:39:32 -02:00
90d4f2d95c typo: intall -> install.
update MacOSX version -> 10.11.
2015-11-20 19:20:07 -02:00
172d324243 Fix push_asn1_string(). 2015-11-20 19:16:16 -02:00
6cc8e951d4 Update samples. 2015-11-20 19:12:19 -02:00
d36e156fac Guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3.
Use TLS_method() instead of SSLv32_method(), when it is the case.
2015-11-20 18:54:57 -02:00
50 changed files with 241 additions and 847 deletions

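--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +0,0 @@
-/src/*.o
-/src/luasocket/*.o
-/*.dll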


@ -1,36 +1,10 @@
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
LuaSec 0.6 LuaSec 0.5.1
------------ ------------
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it - Check if SSLv3 protocol is available.
easy to add secure connections to any Lua applications or scripts. - Fix push_asn1_string().
- Update samples to use 'sslv23' and 'tlsv1_2'.
Documentation: https://github.com/brunoos/luasec/wiki - Update MACOSX_VERSION to 10.11 on Makefile.
This version includes:
* Lua 5.2 and 5.3 compatibility
* Context module:
- Add ctx:checkkey()
* SSL module:
- Add conn:sni() and conn:getsniname()
* Context options:
- Add "any" protocol ("sslv23" is deprecated)
* HTTPS module:
- Using "any" protocol without SSLv2/SSLv3, by default
* X509 module:
- Human readable IP address
- Add cert:issued()
- Add cert:pubkey()
* Some bug fixes
=> Thanks to everyone who collaborate with LuaSec <=
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
LuaSec 0.5 LuaSec 0.5


@ -1,9 +1,9 @@
LuaSec 0.6 LuaSec 0.5.1
------------ ------------
* OpenSSL options: * OpenSSL options:
By default, LuaSec 0.6 includes options for OpenSSL 1.0.2f. By default, LuaSec 0.5.1 includes options for OpenSSL 1.0.1e.
If you need to generate the options for a different version of OpenSSL: If you need to generate the options for a different version of OpenSSL:


@ -1,4 +1,4 @@
LuaSec 0.6 license LuaSec 0.5.1 license
Copyright (C) 2006-2015 Bruno Silvestre, UFG Copyright (C) 2006-2015 Bruno Silvestre, UFG
Permission is hereby granted, free of charge, to any person obtaining Permission is hereby granted, free of charge, to any person obtaining


@ -1,22 +1,22 @@
# Inform the location to install the modules # Inform the location to install the modules
LUAPATH ?= /usr/share/lua/5.1 LUAPATH ?= /usr/share/lua/5.1
LUACPATH ?= /usr/lib/lua/5.1 LUACPATH ?= /usr/lib/lua/5.1
# Compile with build-in LuaSocket's help files. # Compile with build-in LuaSocket's help files.
# Comment this lines if you will link with non-internal LuaSocket's help files # Comment this lines if you will link with non-internal LuaSocket's help files
# and edit INCDIR and LIBDIR properly. # and edit INCDIR and LIBDIR properly.
EXTRA = luasocket EXTRA = luasocket
DEFS = -DWITH_LUASOCKET DEFS = -DWITH_LUASOCKET
# Edit the lines below to inform new path, if necessary. # Edit the lines below to inform new path, if necessary.
# Path below points to internal LuaSocket's help files. # Path below points to internal LuaSocket's help files.
INC_PATH ?= -I/usr/include INC_PATH ?= -I/usr/include
LIB_PATH ?= -L/usr/lib LIB_PATH ?= -L/usr/lib
INCDIR = -I. $(INC_PATH) INCDIR = -I. $(INC_PATH)
LIBDIR = -L./luasocket $(LIB_PATH) LIBDIR = -L./luasocket $(LIB_PATH)
# For Mac OS X: set the system version # For Mac OS X: set the system version
MACOSX_VERSION=10.11 MACOSX_VERSION?=10.11
#---------------------- #----------------------
# Do not edit this part # Do not edit this part


@ -1,36 +1,41 @@
LuaSec 0.6 LuaSec 0.5.1
============
- Check if SSLv3 protocol is available.
- Fix push_asn1_string().
- Update samples to use 'sslv23' and 'tlsv1_2'.
- Update MACOSX_VERSION to 10.11 on Makefile.
LuaSec 0.5
========== ==========
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts. easy to add secure connections to any Lua applications or scripts.
Documentation: https://github.com/brunoos/luasec/wiki This version includes:
This version includes: * A new certificate (X509) API, which supports:
- Reading the subject (identity) and issuer of the certificate.
- Reading various X509 extensions, including email and dnsName.
- Converting certificates to and from the standard ASCII PEM
format.
- Generating the fingerprint/digest of a certificate (using SHA1,
SHA256 or SHA512).
- Reading the certificate's expiration, serial number, and other
info.
* Lua 5.2 and 5.3 compatibility * The ability to get more detailed information from OpenSSL about
why a certificate failed verification, for each certificate in the
chain.
* Flags to force acceptance of invalid certificates, e.g. to allow
the use of self-signed certificates in a Trust On First Use model.
* Context module: * Flags to control checking CRLs for certificate revocation status.
- Add ctx:checkkey()
* Support for ECDH cipher suites.
* An API to get the TLS 'finished' messages used for SASL channel
binding (e.g. the SCRAM PLUS mechanisms).
* SSL module: The work in this release was undertaken by Kim Alvefur, Paul Aurich,
- Add conn:sni() and conn:getsniname() Tobias Markmann, Bruno Silvestre and Matthew Wild.
* Context options:
- Add "any" protocol ("sslv23" is deprecated)
* HTTPS module:
- Using "any" protocol without SSLv2/SSLv3, by default
* X509 module:
- Human readable IP address
- Add cert:issued()
- Add cert:pubkey()
* Some bug fixes
********************************************************************************
PS: 10th anniversary! Thanks to everyone who collaborate with LuaSec.
********************************************************************************


@ -1,114 +0,0 @@
package = "LuaSec"
version = "0.6-1"
source = {
url = "git://github.com/brunoos/luasec.git",
tag = "luasec-0.6"
}
description = {
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
detailed = "This version delegates to LuaSocket the TCP connection establishment between the client and server. Then LuaSec uses this connection to start a secure TLS/SSL session.",
homepage = "https://github.com/brunoos/luasec/wiki",
license = "MIT"
}
dependencies = {
"lua >= 5.1", "luasocket"
}
external_dependencies = {
platforms = {
unix = {
OPENSSL = {
header = "openssl/ssl.h",
library = "ssl"
}
},
windows = {
OPENSSL = {
header = "openssl/ssl.h",
}
},
}
}
build = {
type = "builtin",
copy_directories = {
"samples"
},
platforms = {
unix = {
install = {
lib = {
"ssl.so"
},
lua = {
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
}
},
modules = {
ssl = {
incdirs = {
"$(OPENSSL_INCDIR)", "src/", "src/luasocket",
},
libdirs = {
"$(OPENSSL_LIBDIR)"
},
libraries = {
"ssl", "crypto"
},
sources = {
"src/x509.c", "src/context.c", "src/ssl.c",
"src/luasocket/buffer.c", "src/luasocket/io.c",
"src/luasocket/timeout.c", "src/luasocket/usocket.c"
}
}
}
},
windows = {
install = {
lib = {
"ssl.dll"
},
lua = {
"src/ssl.lua", ['ssl.https'] = "src/https.lua"
}
},
modules = {
ssl = {
defines = {
"WIN32", "NDEBUG", "_WINDOWS", "_USRDLL", "LSEC_EXPORTS", "BUFFER_DEBUG", "LSEC_API=__declspec(dllexport)",
"LUASEC_INET_NTOP", "WINVER=0x0501", "_WIN32_WINNT=0x0501", "NTDDI_VERSION=0x05010300"
},
libdirs = {
"$(OPENSSL_LIBDIR)",
"$(OPENSSL_BINDIR)",
},
libraries = {
"libeay32", "ssleay32", "ws2_32"
},
incdirs = {
"$(OPENSSL_INCDIR)", "src/", "src/luasocket"
},
sources = {
"src/x509.c", "src/context.c", "src/ssl.c",
"src/luasocket/buffer.c", "src/luasocket/io.c",
"src/luasocket/timeout.c", "src/luasocket/wsocket.c"
}
}
},
patches = {
["luarocks_vs_compiler.patch"] = [[
--- a/src/ssl.c.orig
+++ b/src/ssl.c
@@ -844,3 +844,8 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
return 1;
}
+
+#if defined(_MSC_VER)
+/* Empty implementation to allow building with LuaRocks and MS compilers */
+LSEC_API int luaopen_ssl(lua_State *L) { return 0; }
+#endif
]]
}
}
}
}


@ -49,7 +49,7 @@
<ClCompile> <ClCompile>
<Optimization>Disabled</Optimization> <Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> <AdditionalIncludeDirectories>C:\devel\openssl\include;C:\devel\lua-dll9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;LUASEC_INET_NTOP;WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010300;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LUASEC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild> <MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks> <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary> <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@ -122,4 +122,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">
</ImportGroup> </ImportGroup>
</Project> </Project>


@ -1,14 +0,0 @@
REM make sure the 'openssl.exe' commandline tool is in your path before starting!
REM set the path below;
set opensslpath=c:\program files (x86)\openssl-win32\bin
setlocal
set path=%opensslpath%;%path%
call roota.bat
call rootb.bat
call servera.bat
call serverb.bat
call clienta.bat
call clientb.bat


@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
copy clientAcert.pem + rootA.pem clientA.pem
openssl x509 -subject -issuer -noout -in clientA.pem


@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
copy clientBcert.pem + rootB.pem clientB.pem
openssl x509 -subject -issuer -noout -in clientB.pem


@ -1,7 +0,0 @@
REM #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
openssl x509 -subject -issuer -noout -in rootA.pem


@ -1,7 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
openssl x509 -subject -issuer -noout -in rootB.pem


@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
copy serverAcert.pem + rootA.pem serverA.pem
openssl x509 -subject -issuer -noout -in serverA.pem


@ -1,9 +0,0 @@
rem #!/bin/sh
openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
copy serverBcert.pem + rootB.pem serverB.pem
openssl x509 -subject -issuer -noout -in serverB.pem


@ -7,7 +7,7 @@ local util = require("util")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",
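Review bot: `protocol = "sslv23"` on the new side selects `SSLv23_method()`, which negotiates every protocol version the OpenSSL build carries, SSLv3 included when `OPENSSL_NO_SSL3` is unset; whether this sample excludes it depends on the `options` field, which lies outside the hunk. If the 0.5.1 option parser accepts a list (the left-hand `https.lua` on this page passes `{"all", "no_sslv2", "no_sslv3"}`), the sample should set `options = {"all", "no_sslv2", "no_sslv3"},` beside the protocol line, or at least carry a comment stating that the version floor is left to OpenSSL. The same applies to every other sample section on this page that switches `protocol` to `"sslv23"`, including the `verification` servers that previously pinned `"tlsv1"`. The enclosing `params` table closes outside this hunk.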


@ -31,7 +31,7 @@ end
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -5,7 +5,7 @@ local ssl = require("ssl")
local pass = "foobar" local pass = "foobar"
local cfg = { local cfg = {
protocol = "tlsv1", protocol = "tlsv1_2",
mode = "client", mode = "client",
key = "key.pem", key = "key.pem",
} }


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -1,35 +0,0 @@
local socket = require("socket")
local ssl = require("ssl")
local params = {
mode = "client",
protocol = "tlsv1_2",
key = "../certs/clientAkey.pem",
certificate = "../certs/clientA.pem",
cafile = "../certs/rootA.pem",
verify = "peer",
options = "all",
}
local conn = socket.tcp()
conn:connect("127.0.0.1", 8888)
-- TLS/SSL initialization
conn = ssl.wrap(conn, params)
-- Comment the lines to not send a name
--conn:sni("servera.br")
--conn:sni("serveraa.br")
conn:sni("serverb.br")
assert(conn:dohandshake())
--
local cert = conn:getpeercertificate()
for k, v in pairs(cert:subject()) do
for i, j in pairs(v) do
print(i, j)
end
end
--
print(conn:receive("*l"))
conn:close()


@ -1,52 +0,0 @@
local socket = require("socket")
local ssl = require("ssl")
local params01 = {
mode = "server",
protocol = "any",
key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem",
verify = "none",
options = "all",
ciphers = "ALL:!ADH:@STRENGTH",
}
local params02 = {
mode = "server",
protocol = "any",
key = "../certs/serverAAkey.pem",
certificate = "../certs/serverAA.pem",
cafile = "../certs/rootA.pem",
verify = "none",
options = "all",
ciphers = "ALL:!ADH:@STRENGTH",
}
--
local ctx01 = ssl.newcontext(params01)
local ctx02 = ssl.newcontext(params02)
--
local server = socket.tcp()
server:setoption('reuseaddr', true)
server:bind("127.0.0.1", 8888)
server:listen()
local conn = server:accept()
--
-- Default context (when client does not send a name) is ctx01
conn = ssl.wrap(conn, ctx01)
-- Configure the name map
local sni_map = {
["servera.br"] = ctx01,
["serveraa.br"] = ctx02,
}
conn:sni(sni_map, true)
assert(conn:dohandshake())
--
conn:send("one line\n")
conn:close()


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "client", mode = "client",
protocol = "tlsv1", protocol = "tlsv1_2",
key = "../../certs/clientBkey.pem", key = "../../certs/clientBkey.pem",
certificate = "../../certs/clientB.pem", certificate = "../../certs/clientB.pem",
cafile = "../../certs/rootB.pem", cafile = "../../certs/rootB.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "tlsv1", protocol = "sslv23",
key = "../../certs/serverAkey.pem", key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem", certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem", cafile = "../../certs/rootA.pem",


@ -6,12 +6,12 @@ local ssl = require("ssl")
local params = { local params = {
mode = "client", mode = "client",
protocol = "tlsv1", protocol = "tlsv1_2",
key = "../../certs/clientBkey.pem", key = "../../certs/clientBkey.pem",
certificate = "../../certs/clientB.pem", certificate = "../../certs/clientB.pem",
cafile = "../../certs/rootB.pem", cafile = "../../certs/rootB.pem",
verify = {"peer", "fail_if_no_peer_cert"}, verify = {"peer", "fail_if_no_peer_cert"},
options = "all", options = "all", ,
verifyext = "lsec_continue", verifyext = "lsec_continue",
} }
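Review bot: As rendered, the new side of the `options` line reads `options = "all", ,` with a second comma, which Lua's table constructor does not accept (two consecutive field separators are a syntax error), so the sample would fail to load. If that is not a rendering artifact the line should simply be `options = "all",`. The `params` table opens at the top of the hunk and closes on its last line, so nothing else in the constructor is affected.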


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "tlsv1", protocol = "sslv23",
key = "../../certs/serverAkey.pem", key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem", certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem", cafile = "../../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "client", mode = "client",
protocol = "tlsv1", protocol = "tlsv1_2",
key = "../../certs/clientAkey.pem", key = "../../certs/clientAkey.pem",
certificate = "../../certs/clientA.pem", certificate = "../../certs/clientA.pem",
cafile = "../../certs/rootA.pem", cafile = "../../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "tlsv1", protocol = "sslv23",
key = "../../certs/serverAkey.pem", key = "../../certs/serverAkey.pem",
certificate = "../../certs/serverA.pem", certificate = "../../certs/serverA.pem",
cafile = "../../certs/rootA.pem", cafile = "../../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -6,7 +6,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -8,7 +8,7 @@ local ssl = require("ssl")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -8,7 +8,7 @@ print("Use Ctrl+S and Ctrl+Q to suspend and resume the server.")
local params = { local params = {
mode = "server", mode = "server",
protocol = "any", protocol = "sslv23",
key = "../certs/serverAkey.pem", key = "../certs/serverAkey.pem",
certificate = "../certs/serverA.pem", certificate = "../certs/serverA.pem",
cafile = "../certs/rootA.pem", cafile = "../certs/rootA.pem",


@ -20,21 +20,22 @@ MAC_ENV=env MACOSX_DEPLOYMENT_TARGET='$(MACVER)'
MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS) MAC_CFLAGS=-O2 -fno-common $(WARN) $(INCDIR) $(DEFS)
MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR) MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
INSTALL = install INSTALL ?= install
CC = cc CC ?= cc
LD = $(MYENV) cc LD ?= $(MYENV) cc
CFLAGS += $(MYCFLAGS) CFLAGS += $(MYCFLAGS)
LDFLAGS += $(MYLDFLAGS) LDFLAGS += $(MYLDFLAGS)
DESTDIR ?= /
.PHONY: all clean install none linux bsd macosx luasocket .PHONY: all clean install none linux bsd macosx luasocket
all: all:
install: $(CMOD) $(LMOD) install: $(CMOD) $(LMOD)
$(INSTALL) -d $(LUAPATH)/ssl $(LUACPATH) $(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH)
$(INSTALL) $(CMOD) $(LUACPATH) $(INSTALL) -D $(CMOD) $(DESTDIR)$(LUACPATH)
$(INSTALL) -m644 $(LMOD) $(LUAPATH) $(INSTALL) -m644 -D $(LMOD) $(DESTDIR)$(LUAPATH)
$(INSTALL) -m644 https.lua $(LUAPATH)/ssl $(INSTALL) -m644 -D https.lua $(DESTDIR)$(LUAPATH)/ssl
linux: linux:
@$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)" @$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"
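Review bot: The `-D` flag added to the three `$(INSTALL)` lines of the `install` target is a GNU coreutils extension; the BSD `install` shipped on macOS, which the `macosx` target in this same Makefile builds for, presumably rejects it, so `make install` there would fail unless `INSTALL` is overridden. Because the preceding `$(INSTALL) -d` already creates both destination directories, `-D` adds nothing and can be dropped, e.g. `$(INSTALL) $(CMOD) $(DESTDIR)$(LUACPATH)`. `DESTDIR ?= /` also yields paths such as `//usr/share/lua/5.1`; a leading `//` has implementation-defined meaning in POSIX, and the conventional default is an empty `DESTDIR ?=`.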


@ -1,6 +1,6 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
@ -14,11 +14,7 @@
#endif #endif
#if (LUA_VERSION_NUM == 501) #if (LUA_VERSION_NUM == 501)
#define setfuncs(L, R) luaL_register(L, NULL, R) #define lua_rawlen(L, i) lua_objlen(L, i)
#define lua_rawlen(L, i) lua_objlen(L, i)
#define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
#else
#define setfuncs(L, R) luaL_setfuncs(L, R, 0)
#endif #endif
#endif #endif


@ -1,9 +1,9 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* *
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann, * Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild. * Matthew Wild.
* Copyright (C) 2006-2016 Bruno Silvestre. * Copyright (C) 2006-2015 Bruno Silvestre.
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
@ -39,28 +39,6 @@ typedef SSL_METHOD LSEC_SSL_METHOD;
#define SSLv23_method() TLS_method() #define SSLv23_method() TLS_method()
#endif #endif
/*-- Compat - Lua 5.1 --------------------------------------------------------*/
#if (LUA_VERSION_NUM == 501)
#define luaL_testudata(L, ud, tname) testudata(L, ud, tname)
static void *testudata (lua_State *L, int ud, const char *tname) {
void *p = lua_touserdata(L, ud);
if (p != NULL) { /* value is a userdata? */
if (lua_getmetatable(L, ud)) { /* does it have a metatable? */
luaL_getmetatable(L, tname); /* get correct metatable */
if (!lua_rawequal(L, -1, -2)) /* not the same? */
p = NULL; /* value is a userdata with wrong metatable */
lua_pop(L, 2); /* remove both metatables */
return p;
}
}
return NULL; /* value is not a userdata with a metatable */
}
#endif
/*--------------------------- Auxiliary Functions ----------------------------*/ /*--------------------------- Auxiliary Functions ----------------------------*/
/** /**
@ -71,11 +49,6 @@ static p_context checkctx(lua_State *L, int idx)
return (p_context)luaL_checkudata(L, idx, "SSL:Context"); return (p_context)luaL_checkudata(L, idx, "SSL:Context");
} }
static p_context testctx(lua_State *L, int idx)
{
return (p_context)luaL_testudata(L, idx, "SSL:Context");
}
/** /**
* Prepare the SSL options flag. * Prepare the SSL options flag.
*/ */
@ -96,8 +69,7 @@ static int set_option_flag(const char *opt, unsigned long *flag)
*/ */
static LSEC_SSL_METHOD* str2method(const char *method) static LSEC_SSL_METHOD* str2method(const char *method)
{ {
if (!strcmp(method, "any")) return SSLv23_method(); if (!strcmp(method, "sslv23")) return SSLv23_method();
if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated
#ifndef OPENSSL_NO_SSL3 #ifndef OPENSSL_NO_SSL3
if (!strcmp(method, "sslv3")) return SSLv3_method(); if (!strcmp(method, "sslv3")) return SSLv3_method();
#endif #endif
@ -429,17 +401,6 @@ static int load_key(lua_State *L)
return ret; return ret;
} }
/**
* Check that the certificate public key matches the private key
*/
static int check_key(lua_State *L)
{
SSL_CTX *ctx = lsec_checkcontext(L, 1);
lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
return 1;
}
/** /**
* Set the cipher list. * Set the cipher list.
*/ */
@ -463,7 +424,7 @@ static int set_cipher(lua_State *L)
static int set_depth(lua_State *L) static int set_depth(lua_State *L)
{ {
SSL_CTX *ctx = lsec_checkcontext(L, 1); SSL_CTX *ctx = lsec_checkcontext(L, 1);
SSL_CTX_set_verify_depth(ctx, (int)luaL_checkinteger(L, 2)); SSL_CTX_set_verify_depth(ctx, luaL_checkint(L, 2));
lua_pushboolean(L, 1); lua_pushboolean(L, 1);
return 1; return 1;
} }
@ -609,7 +570,6 @@ static luaL_Reg funcs[] = {
{"locations", load_locations}, {"locations", load_locations},
{"loadcert", load_cert}, {"loadcert", load_cert},
{"loadkey", load_key}, {"loadkey", load_key},
{"checkkey", check_key},
{"setcipher", set_cipher}, {"setcipher", set_cipher},
{"setdepth", set_depth}, {"setdepth", set_depth},
{"setdhparam", set_dhparam}, {"setdhparam", set_dhparam},
@ -743,12 +703,6 @@ SSL_CTX* lsec_checkcontext(lua_State *L, int idx)
return ctx->context; return ctx->context;
} }
SSL_CTX* lsec_testcontext(lua_State *L, int idx)
{
p_context ctx = testctx(L, idx);
return (ctx) ? ctx->context : NULL;
}
/** /**
* Retrieve the mode from the context in the Lua stack. * Retrieve the mode from the context in the Lua stack.
*/ */
@ -763,19 +717,39 @@ int lsec_getmode(lua_State *L, int idx)
/** /**
* Registre the module. * Registre the module.
*/ */
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_context(lua_State *L) LSEC_API int luaopen_ssl_context(lua_State *L)
{ {
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */ luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */ luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:Context"); luaL_newmetatable(L, "SSL:Context");
setfuncs(L, meta); luaL_register(L, NULL, meta);
/* Create __index metamethods for context */ /* Create __index metamethods for context */
luaL_newlib(L, meta_index); lua_newtable(L);
luaL_register(L, NULL, meta_index);
lua_setfield(L, -2, "__index");
/* Register the module */
luaL_register(L, "ssl.context", funcs);
return 1;
}
#else
LSEC_API int luaopen_ssl_context(lua_State *L)
{
luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:Context");
luaL_setfuncs(L, meta, 0);
/* Create __index metamethods for context */
lua_newtable(L);
luaL_setfuncs(L, meta_index, 0);
lua_setfield(L, -2, "__index"); lua_setfield(L, -2, "__index");
/* Return the module */ /* Return the module */
luaL_newlib(L, funcs); lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
return 1; return 1;
} }
#endif
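Review bot: In the `str2method` hunk (`@ -96,8 +69,7`), the new side maps `"sslv23"` to `SSLv23_method()` and nothing in the function masks the legacy versions, so whether SSLv2/SSLv3 can be negotiated is decided entirely by the caller's options (`SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3`, surfaced to Lua as `no_sslv2`/`no_sslv3`); a comment on that return would make the contract explicit: `/* negotiates any version OpenSSL was built with, SSLv3 included; callers exclude versions via SSL_OP_NO_* options */`. The `#ifndef OPENSSL_NO_SSL3` guard only matters for builds that compiled SSLv3 out and does not restrict a default build. In the `set_depth` hunk, `luaL_checkint` is a deprecated macro that Lua 5.3 provides only under its compatibility defines, whereas `(int)luaL_checkinteger(L, 2)` works on every version. The two `luaopen_ssl_context` bodies in the last hunk differ only in the registration calls, which invites the copies drifting apart when a metatable is added to one of them.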


@ -2,8 +2,8 @@
#define LSEC_CONTEXT_H #define LSEC_CONTEXT_H
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
@ -29,7 +29,6 @@ typedef t_context* p_context;
/* Retrieve the SSL context from the Lua stack */ /* Retrieve the SSL context from the Lua stack */
SSL_CTX *lsec_checkcontext(lua_State *L, int idx); SSL_CTX *lsec_checkcontext(lua_State *L, int idx);
SSL_CTX *lsec_testcontext(lua_State *L, int idx);
/* Retrieve the mode from the context in the Lua stack */ /* Retrieve the mode from the context in the Lua stack */
int lsec_getmode(lua_State *L, int idx); int lsec_getmode(lua_State *L, int idx);


@ -1,6 +1,6 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/


@ -1,6 +1,6 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
-- LuaSec 0.6 -- LuaSec 0.5.1
-- Copyright (C) 2009-2016 PUC-Rio -- Copyright (C) 2009-2015 PUC-Rio
-- --
-- Author: Pablo Musa -- Author: Pablo Musa
-- Author: Tomas Guisasola -- Author: Tomas Guisasola
@ -12,21 +12,25 @@ local ltn12 = require("ltn12")
local http = require("socket.http") local http = require("socket.http")
local url = require("socket.url") local url = require("socket.url")
local try = socket.try local table = require("table")
local string = require("string")
-- local try = socket.try
-- Module local type = type
-- local pairs = pairs
local _M = { local getmetatable = getmetatable
_VERSION = "0.6",
_COPYRIGHT = "LuaSec 0.6 - Copyright (C) 2009-2016 PUC-Rio", module("ssl.https")
PORT = 443,
} _VERSION = "0.5.1"
_COPYRIGHT = "LuaSec 0.5.1 - Copyright (C) 2009-2015 PUC-Rio"
-- Default settings
PORT = 443
-- TLS configuration
local cfg = { local cfg = {
protocol = "any", protocol = "tlsv1",
options = {"all", "no_sslv2", "no_sslv3"}, options = "all",
verify = "none", verify = "none",
} }
@ -36,7 +40,7 @@ local cfg = {
-- Insert default HTTPS port. -- Insert default HTTPS port.
local function default_https_port(u) local function default_https_port(u)
return url.build(url.parse(u, {port = _M.PORT})) return url.build(url.parse(u, {port = PORT}))
end end
-- Convert an URL to a table according to Luasocket needs. -- Convert an URL to a table according to Luasocket needs.
@ -109,7 +113,7 @@ end
-- @param body optional (string) -- @param body optional (string)
-- @return (string if url == string or 1), code, headers, status -- @return (string if url == string or 1), code, headers, status
-- --
local function request(url, body) function request(url, body)
local result_table = {} local result_table = {}
local stringrequest = type(url) == "string" local stringrequest = type(url) == "string"
if stringrequest then if stringrequest then
@ -132,11 +136,3 @@ local function request(url, body)
end end
return res, code, headers, status return res, code, headers, status
end end
--------------------------------------------------------------------------------
-- Export module
--
_M.request = request
return _M


@ -6,7 +6,7 @@ OBJS= \
CC ?= cc CC ?= cc
CFLAGS += $(MYCFLAGS) -DLUASOCKET_DEBUG CFLAGS += $(MYCFLAGS) -DLUASOCKET_DEBUG
AR ?= ar AR := ar rcu
RANLIB ?= ranlib RANLIB ?= ranlib
.PHONY: all clean .PHONY: all clean
@ -14,7 +14,7 @@ RANLIB ?= ranlib
all: libluasocket.a all: libluasocket.a
libluasocket.a: $(OBJS) libluasocket.a: $(OBJS)
$(AR) rcu $@ $(OBJS) $(AR) $@ $(OBJS)
$(RANLIB) $@ $(RANLIB) $@
clean: clean:
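Review bot: `AR := ar rcu` is a simple assignment, so an `AR` supplied by the environment or the command line (a cross toolchain's archiver, for instance) is silently discarded, unlike the `CC ?= cc` and `RANLIB ?= ranlib` lines right next to it; it also folds the archive flags into the tool name. Keeping tool and flags apart, `AR ?= ar` and `ARFLAGS ?= rcu`, with the recipe reading `$(AR) $(ARFLAGS) $@ $(OBJS)`, preserves the override and matches the surrounding style. The variable block and the `clean` rule continue outside the hunks shown here.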


@ -2,8 +2,8 @@
#define LSEC_OPTIONS_H #define LSEC_OPTIONS_H
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
@ -12,7 +12,7 @@
/* If you need to generate these options again, see options.lua */ /* If you need to generate these options again, see options.lua */
/* /*
OpenSSL version: OpenSSL 1.0.2f OpenSSL version: OpenSSL 1.0.1e 2013-06-12
*/ */
struct ssl_option_s { struct ssl_option_s {
@ -73,21 +73,12 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_NO_COMPRESSION) #if defined(SSL_OP_NO_COMPRESSION)
{"no_compression", SSL_OP_NO_COMPRESSION}, {"no_compression", SSL_OP_NO_COMPRESSION},
#endif #endif
#if defined(SSL_OP_NO_DTLSv1)
{"no_dtlsv1", SSL_OP_NO_DTLSv1},
#endif
#if defined(SSL_OP_NO_DTLSv1_2)
{"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
#endif
#if defined(SSL_OP_NO_QUERY_MTU) #if defined(SSL_OP_NO_QUERY_MTU)
{"no_query_mtu", SSL_OP_NO_QUERY_MTU}, {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
#endif #endif
#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION) #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
{"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION}, {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
#endif #endif
#if defined(SSL_OP_NO_SSL_MASK)
{"no_ssl_mask", SSL_OP_NO_SSL_MASK},
#endif
#if defined(SSL_OP_NO_SSLv2) #if defined(SSL_OP_NO_SSLv2)
{"no_sslv2", SSL_OP_NO_SSLv2}, {"no_sslv2", SSL_OP_NO_SSLv2},
#endif #endif
@ -112,9 +103,6 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_PKCS1_CHECK_2) #if defined(SSL_OP_PKCS1_CHECK_2)
{"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2}, {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
#endif #endif
#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
{"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
#endif
#if defined(SSL_OP_SINGLE_DH_USE) #if defined(SSL_OP_SINGLE_DH_USE)
{"single_dh_use", SSL_OP_SINGLE_DH_USE}, {"single_dh_use", SSL_OP_SINGLE_DH_USE},
#endif #endif
@ -127,9 +115,6 @@ static ssl_option_t ssl_options[] = {
#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) #if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
{"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG}, {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
#endif #endif
#if defined(SSL_OP_TLSEXT_PADDING)
{"tlsext_padding", SSL_OP_TLSEXT_PADDING},
#endif
#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) #if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
{"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG}, {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
#endif #endif


@ -21,8 +21,8 @@ local function generate(options, version)
#define LSEC_OPTIONS_H #define LSEC_OPTIONS_H
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/

164
src/ssl.c

@ -1,9 +1,9 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* *
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann, * Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild. * Matthew Wild.
* Copyright (C) 2006-2016 Bruno Silvestre. * Copyright (C) 2006-2014 Bruno Silvestre.
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
@ -28,7 +28,6 @@
#include <luasocket/socket.h> #include <luasocket/socket.h>
#include "x509.h" #include "x509.h"
#include "context.h"
#include "ssl.h" #include "ssl.h"
/** /**
@ -81,15 +80,11 @@ static int meth_destroy(lua_State *L)
} }
ssl->state = LSEC_STATE_CLOSED; ssl->state = LSEC_STATE_CLOSED;
if (ssl->ssl) { if (ssl->ssl) {
/* Clear the registries */ /* Clear the registry */
luaL_getmetatable(L, "SSL:Verify:Registry"); luaL_getmetatable(L, "SSL:Verify:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl); lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_pushnil(L); lua_pushnil(L);
lua_settable(L, -3); lua_settable(L, -3);
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_pushnil(L);
lua_settable(L, -3);
/* Destroy the object */ /* Destroy the object */
SSL_free(ssl->ssl); SSL_free(ssl->ssl);
ssl->ssl = NULL; ssl->ssl = NULL;
@ -330,7 +325,7 @@ static int meth_setfd(lua_State *L)
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection"); p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_NEW) if (ssl->state != LSEC_STATE_NEW)
luaL_argerror(L, 1, "invalid SSL object state"); luaL_argerror(L, 1, "invalid SSL object state");
ssl->sock = (t_socket)luaL_checkinteger(L, 2); ssl->sock = luaL_checkint(L, 2);
socket_setnonblocking(&ssl->sock); socket_setnonblocking(&ssl->sock);
SSL_set_fd(ssl->ssl, (int)ssl->sock); SSL_set_fd(ssl->ssl, (int)ssl->sock);
return 0; return 0;
@ -400,30 +395,24 @@ static int meth_want(lua_State *L)
} }
return 1; return 1;
} }
/** /**
* Return the compression method used. * Return the compression method used.
*/ */
static int meth_compression(lua_State *L) static int meth_compression(lua_State *L)
{ {
#if !defined(OPENSSL_NO_COMP)
const COMP_METHOD *comp; const COMP_METHOD *comp;
#endif
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection"); p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_CONNECTED) { if (ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L); lua_pushnil(L);
lua_pushstring(L, "closed"); lua_pushstring(L, "closed");
return 2; return 2;
} }
#if !defined(OPENSSL_NO_COMP)
comp = SSL_get_current_compression(ssl->ssl); comp = SSL_get_current_compression(ssl->ssl);
if (comp) if (comp)
lua_pushstring(L, SSL_COMP_get_name(comp)); lua_pushstring(L, SSL_COMP_get_name(comp));
else else
lua_pushnil(L); lua_pushnil(L);
#else
lua_pushnil(L);
#endif
return 1; return 1;
} }
@ -442,7 +431,7 @@ static int meth_getpeercertificate(lua_State *L)
return 2; return 2;
} }
/* Default to the first cert */ /* Default to the first cert */
n = (int)luaL_optinteger(L, 2, 1); n = luaL_optint(L, 2, 1);
/* This function is 1-based, but OpenSSL is 0-based */ /* This function is 1-based, but OpenSSL is 0-based */
--n; --n;
if (n < 0) { if (n < 0) {
@ -664,100 +653,9 @@ static int meth_info(lua_State *L)
return 4; return 4;
} }
static int sni_cb(SSL *ssl, int *ad, void *arg)
{
int strict;
SSL_CTX *newctx = NULL;
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
lua_State *L = ((p_context)SSL_CTX_get_app_data(ctx))->L;
const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
/* No name, use default context */
if (!name)
return SSL_TLSEXT_ERR_NOACK;
/* Retrieve struct from registry */
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl);
lua_gettable(L, -2);
/* Strict search? */
lua_pushstring(L, "strict");
lua_gettable(L, -2);
strict = lua_toboolean(L, -1);
lua_pop(L, 1);
/* Search for the name in the map */
lua_pushstring(L, "map");
lua_gettable(L, -2);
lua_pushstring(L, name);
lua_gettable(L, -2);
if (lua_isuserdata(L, -1))
newctx = lsec_checkcontext(L, -1);
lua_pop(L, 4);
/* Found, use this context */
if (newctx) {
SSL_set_SSL_CTX(ssl, newctx);
return SSL_TLSEXT_ERR_OK;
}
/* Not found, but use initial context */
if (!strict)
return SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
static int meth_sni(lua_State *L)
{
int strict;
SSL_CTX *aux;
const char *name;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
SSL_CTX *ctx = SSL_get_SSL_CTX(ssl->ssl);
p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
if (pctx->mode == LSEC_MODE_CLIENT) {
name = luaL_checkstring(L, 2);
SSL_set_tlsext_host_name(ssl->ssl, name);
return 0;
} else if (pctx->mode == LSEC_MODE_SERVER) {
luaL_checktype(L, 2, LUA_TTABLE);
strict = lua_toboolean(L, 3);
/* Check if the table contains only (string -> context) */
lua_pushnil(L);
while (lua_next(L, 2)) {
luaL_checkstring(L, -2);
aux = lsec_checkcontext(L, -1);
/* Set callback in every context */
SSL_CTX_set_tlsext_servername_callback(aux, sni_cb);
/* leave the next key on the stack */
lua_pop(L, 1);
}
/* Save table in the register */
luaL_getmetatable(L, "SSL:SNI:Registry");
lua_pushlightuserdata(L, (void*)ssl->ssl);
lua_newtable(L);
lua_pushstring(L, "map");
lua_pushvalue(L, 2);
lua_settable(L, -3);
lua_pushstring(L, "strict");
lua_pushboolean(L, strict);
lua_settable(L, -3);
lua_settable(L, -3);
/* Set callback in the default context */
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
}
return 0;
}
static int meth_getsniname(lua_State *L)
{
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
const char *name = SSL_get_servername(ssl->ssl, TLSEXT_NAMETYPE_host_name);
if (name)
lua_pushstring(L, name);
else
lua_pushnil(L);
return 1;
}
static int meth_copyright(lua_State *L) static int meth_copyright(lua_State *L)
{ {
lua_pushstring(L, "LuaSec 0.6 - Copyright (C) 2006-2016 Bruno Silvestre, UFG" lua_pushstring(L, "LuaSec 0.5.1 - Copyright (C) 2006-2015 Bruno Silvestre"
#if defined(WITH_LUASOCKET) #if defined(WITH_LUASOCKET)
"\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab" "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
#endif #endif
@ -778,7 +676,6 @@ static luaL_Reg methods[] = {
{"getpeerchain", meth_getpeerchain}, {"getpeerchain", meth_getpeerchain},
{"getpeerverification", meth_getpeerverification}, {"getpeerverification", meth_getpeerverification},
{"getpeerfinished", meth_getpeerfinished}, {"getpeerfinished", meth_getpeerfinished},
{"getsniname", meth_getsniname},
{"getstats", meth_getstats}, {"getstats", meth_getstats},
{"setstats", meth_setstats}, {"setstats", meth_setstats},
{"dirty", meth_dirty}, {"dirty", meth_dirty},
@ -786,7 +683,6 @@ static luaL_Reg methods[] = {
{"receive", meth_receive}, {"receive", meth_receive},
{"send", meth_send}, {"send", meth_send},
{"settimeout", meth_settimeout}, {"settimeout", meth_settimeout},
{"sni", meth_sni},
{"want", meth_want}, {"want", meth_want},
{NULL, NULL} {NULL, NULL}
}; };
@ -816,6 +712,37 @@ static luaL_Reg funcs[] = {
/** /**
* Initialize modules. * Initialize modules.
*/ */
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_core(lua_State *L)
{
/* Initialize SSL */
if (!SSL_library_init()) {
lua_pushstring(L, "unable to initialize SSL library");
lua_error(L);
}
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
#if defined(WITH_LUASOCKET)
/* Initialize internal library */
socket_open();
#endif
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Connection");
luaL_register(L, NULL, meta);
lua_newtable(L);
luaL_register(L, NULL, methods);
lua_setfield(L, -2, "__index");
luaL_register(L, "ssl.core", funcs);
lua_pushnumber(L, SOCKET_INVALID);
lua_setfield(L, -2, "invalidfd");
return 1;
}
#else
LSEC_API int luaopen_ssl_core(lua_State *L) LSEC_API int luaopen_ssl_core(lua_State *L)
{ {
/* Initialize SSL */ /* Initialize SSL */
@ -831,16 +758,19 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
socket_open(); socket_open();
#endif #endif
luaL_newmetatable(L, "SSL:SNI:Registry");
/* Register the functions and tables */ /* Register the functions and tables */
luaL_newmetatable(L, "SSL:Connection"); luaL_newmetatable(L, "SSL:Connection");
setfuncs(L, meta); luaL_setfuncs(L, meta, 0);
luaL_newlib(L, methods); lua_newtable(L);
luaL_setfuncs(L, methods, 0);
lua_setfield(L, -2, "__index"); lua_setfield(L, -2, "__index");
luaL_newlib(L, funcs); lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
lua_pushnumber(L, SOCKET_INVALID);
lua_setfield(L, -2, "invalidfd");
return 1; return 1;
} }
#endif
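Review bot: `ssl->sock = luaL_checkint(L, 2);` in `meth_setfd` narrows the descriptor to `int` before storing it in a `t_socket`, while the module publishes the invalid-descriptor sentinel as a floating-point value with `lua_pushnumber(L, SOCKET_INVALID)` in both `luaopen_ssl_core` variants; on a platform where `t_socket` is wider than `int` (not visible from here), `sock:setfd(core.invalidfd)` may not hand back the exact sentinel the C side later compares against, so the conversion is worth confirming against luasocket's `t_socket` and `SOCKET_INVALID` definitions. Separately, the Lua 5.1 and 5.2 `luaopen_ssl_core` definitions duplicate the whole OpenSSL and luasocket initialisation and differ only in how the tables are registered; narrowing the `#if (LUA_VERSION_NUM == 501)` to the registration lines keeps the setup in one place, with a comment such as `/* Lua 5.1 registers via luaL_register, 5.2+ via luaL_setfuncs */` explaining the split. The `meth_setfd` body and the 5.2 `luaopen_ssl_core` body start or end outside the hunks shown here.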


@ -2,8 +2,8 @@
#define LSEC_SSL_H #define LSEC_SSL_H
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* Copyright (C) 2006-2016 Bruno Silvestre * Copyright (C) 2006-2015 Bruno Silvestre
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/


@ -1,6 +1,6 @@
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
-- LuaSec 0.6 -- LuaSec 0.5.1
-- Copyright (C) 2006-2016 Bruno Silvestre -- Copyright (C) 2006-2015 Bruno Silvestre
-- --
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
@ -8,7 +8,13 @@ local core = require("ssl.core")
local context = require("ssl.context") local context = require("ssl.context")
local x509 = require("ssl.x509") local x509 = require("ssl.x509")
local unpack = table.unpack or unpack module("ssl", package.seeall)
_VERSION = "0.5.1"
_COPYRIGHT = core.copyright()
-- Export
loadcertificate = x509.load
-- We must prevent the contexts to be collected before the connections, -- We must prevent the contexts to be collected before the connections,
-- otherwise the C registry will be cleared. -- otherwise the C registry will be cleared.
@ -31,7 +37,7 @@ end
-- --
-- --
-- --
local function newcontext(cfg) function newcontext(cfg)
local succ, msg, ctx local succ, msg, ctx
-- Create the context -- Create the context
ctx, msg = context.create(cfg.protocol) ctx, msg = context.create(cfg.protocol)
@ -52,12 +58,8 @@ local function newcontext(cfg)
end end
-- Load the certificate -- Load the certificate
if cfg.certificate then if cfg.certificate then
succ, msg = context.loadcert(ctx, cfg.certificate) succ, msg = context.loadcert(ctx, cfg.certificate)
if not succ then return nil, msg end if not succ then return nil, msg end
if cfg.key and context.checkkey then
succ = context.checkkey(ctx)
if not succ then return nil, "private key does not match public key" end
end
end end
-- Load the CA certificates -- Load the CA certificates
if cfg.cafile or cfg.capath then if cfg.cafile or cfg.capath then
@ -109,7 +111,7 @@ end
-- --
-- --
-- --
local function wrap(sock, cfg) function wrap(sock, cfg)
local ctx, msg local ctx, msg
if type(cfg) == "table" then if type(cfg) == "table" then
ctx, msg = newcontext(cfg) ctx, msg = newcontext(cfg)
@ -120,7 +122,7 @@ local function wrap(sock, cfg)
local s, msg = core.create(ctx) local s, msg = core.create(ctx)
if s then if s then
core.setfd(s, sock:getfd()) core.setfd(s, sock:getfd())
sock:setfd(-1) sock:setfd(core.invalidfd)
registry[s] = ctx registry[s] = ctx
return s return s
end end
@ -164,16 +166,3 @@ end
-- --
core.setmethod("info", info) core.setmethod("info", info)
--------------------------------------------------------------------------------
-- Export module
--
local _M = {
_VERSION = "0.6",
_COPYRIGHT = core.copyright(),
loadcertificate = x509.load,
newcontext = newcontext,
wrap = wrap,
}
return _M
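Review bot: `module("ssl", package.seeall)` sets the module table's `__index` to the global environment, so every global becomes reachable through the module (`ssl.os`, `ssl.io`, and so on) and a lookup of a misspelled export resolves to a global instead of `nil`; the `module` function itself is also absent by default from Lua 5.2 onward. Since the exports are only `_VERSION`, `_COPYRIGHT`, `loadcertificate`, `newcontext` and `wrap`, building a local table with those five fields and ending the file with `return` of that table avoids both problems without changing the public interface. The `newcontext` and `wrap` bodies start and end outside the hunks shown here.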


@ -1,22 +1,15 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* *
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann * Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre. * Matthew Wild, Bruno Silvestre.
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/
#include <stdio.h>
#include <string.h> #include <string.h>
#if defined(WIN32) #if defined(WIN32)
#include <ws2tcpip.h>
#include <windows.h> #include <windows.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif #endif
#include <openssl/ssl.h> #include <openssl/ssl.h>
@ -64,51 +57,6 @@ p_x509 lsec_checkp_x509(lua_State* L, int idx)
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
#if defined(LUASEC_INET_NTOP)
/*
* For WinXP (SP3), set the following preprocessor macros:
* LUASEC_INET_NTOP
* WINVER=0x0501
* _WIN32_WINNT=0x0501
* NTDDI_VERSION=0x05010300
*
* For IPv6 addresses, you need to add IPv6 Protocol to your interface.
*
*/
static const char *inet_ntop(int af, const char *src, char *dst, socklen_t size)
{
int addrsize;
struct sockaddr *addr;
struct sockaddr_in addr4;
struct sockaddr_in6 addr6;
switch (af) {
case AF_INET:
memset((void*)&addr4, 0, sizeof(addr4));
addr4.sin_family = AF_INET;
memcpy((void*)&addr4.sin_addr, src, sizeof(struct in_addr));
addr = (struct sockaddr*)&addr4;
addrsize = sizeof(struct sockaddr_in);
break;
case AF_INET6:
memset((void*)&addr6, 0, sizeof(addr6));
addr6.sin6_family = AF_INET6;
memcpy((void*)&addr6.sin6_addr, src, sizeof(struct in6_addr));
addr = (struct sockaddr*)&addr6;
addrsize = sizeof(struct sockaddr_in6);
break;
default:
return NULL;
}
if(getnameinfo(addr, addrsize, dst, size, NULL, 0, NI_NUMERICHOST) != 0)
return NULL;
return dst;
}
#endif
/*---------------------------------------------------------------------------*/
/** /**
* Convert the buffer 'in' to hexadecimal. * Convert the buffer 'in' to hexadecimal.
*/ */
@ -138,7 +86,7 @@ static void push_asn1_objname(lua_State* L, ASN1_OBJECT *object, int no_name)
*/ */
static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode) static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
{ {
int len; int len;
unsigned char *data; unsigned char *data;
if (!string) { if (!string) {
lua_pushnil(L); lua_pushnil(L);
@ -175,31 +123,6 @@ static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm)
return 1; return 1;
} }
/**
* Return a human readable IP address.
*/
static void push_asn1_ip(lua_State *L, ASN1_STRING *string)
{
int af;
char dst[INET6_ADDRSTRLEN];
unsigned char *ip = ASN1_STRING_data(string);
switch(ASN1_STRING_length(string)) {
case 4:
af = AF_INET;
break;
case 16:
af = AF_INET6;
break;
default:
lua_pushnil(L);
return;
}
if(inet_ntop(af, ip, dst, INET6_ADDRSTRLEN))
lua_pushstring(L, dst);
else
lua_pushnil(L);
}
/** /**
* *
*/ */
@ -317,7 +240,7 @@ int meth_extensions(lua_State* L)
break; break;
case GEN_DNS: case GEN_DNS:
lua_pushstring(L, "dNSName"); lua_pushstring(L, "dNSName");
push_subtable(L, -2); push_subtable(L, -2);
push_asn1_string(L, general_name->d.dNSName, px->encode); push_asn1_string(L, general_name->d.dNSName, px->encode);
lua_rawseti(L, -2, lua_rawlen(L, -2) + 1); lua_rawseti(L, -2, lua_rawlen(L, -2) + 1);
lua_pop(L, 1); lua_pop(L, 1);
@ -339,7 +262,7 @@ int meth_extensions(lua_State* L)
case GEN_IPADD: case GEN_IPADD:
lua_pushstring(L, "iPAddress"); lua_pushstring(L, "iPAddress");
push_subtable(L, -2); push_subtable(L, -2);
push_asn1_ip(L, general_name->d.iPAddress); push_asn1_string(L, general_name->d.iPAddress, px->encode);
lua_rawseti(L, -2, lua_rawlen(L, -2)+1); lua_rawseti(L, -2, lua_rawlen(L, -2)+1);
lua_pop(L, 1); lua_pop(L, 1);
break; break;
@ -389,52 +312,6 @@ static int meth_pem(lua_State* L)
return 1; return 1;
} }
/**
* Extract public key in PEM format.
*/
static int meth_pubkey(lua_State* L)
{
char* data;
long bytes;
int ret = 1;
X509* cert = lsec_checkx509(L, 1);
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = X509_get_pubkey(cert);
if(PEM_write_bio_PUBKEY(bio, pkey)) {
bytes = BIO_get_mem_data(bio, &data);
if (bytes > 0) {
lua_pushlstring(L, data, bytes);
switch(EVP_PKEY_type(pkey->type)) {
case EVP_PKEY_RSA:
lua_pushstring(L, "RSA");
break;
case EVP_PKEY_DSA:
lua_pushstring(L, "DSA");
break;
case EVP_PKEY_DH:
lua_pushstring(L, "DH");
break;
case EVP_PKEY_EC:
lua_pushstring(L, "EC");
break;
default:
lua_pushstring(L, "Unknown");
break;
}
lua_pushinteger(L, EVP_PKEY_bits(pkey));
ret = 3;
}
else
lua_pushnil(L);
}
else
lua_pushnil(L);
/* Cleanup */
BIO_free(bio);
EVP_PKEY_free(pkey);
return ret;
}
/** /**
* Compute the fingerprint. * Compute the fingerprint.
*/ */
@ -520,91 +397,6 @@ static int meth_notafter(lua_State *L)
return push_asn1_time(L, X509_get_notAfter(cert)); return push_asn1_time(L, X509_get_notAfter(cert));
} }
/**
* Check if this certificate issued some other certificate
*/
static int meth_issued(lua_State* L)
{
int ret, i, len;
X509_STORE_CTX* ctx = NULL;
X509_STORE* root = NULL;
STACK_OF(X509)* chain = NULL;
X509* issuer = lsec_checkx509(L, 1);
X509* subject = lsec_checkx509(L, 2);
X509* cert = NULL;
len = lua_gettop(L);
/* Check that all arguments are certificates */
for (i = 3; i <= len; i++) {
lsec_checkx509(L, i);
}
/* Before allocating things that require freeing afterwards */
chain = sk_X509_new_null();
ctx = X509_STORE_CTX_new();
root = X509_STORE_new();
if (ctx == NULL || root == NULL) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_new() or X509_STORE_CTX_new() error");
ret = 2;
goto cleanup;
}
ret = X509_STORE_add_cert(root, issuer);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_add_cert() error");
ret = 2;
goto cleanup;
}
for (i = 3; i <= len && lua_isuserdata(L, i); i++) {
cert = lsec_checkx509(L, i);
sk_X509_push(chain, cert);
}
ret = X509_STORE_CTX_init(ctx, root, subject, chain);
if(!ret) {
lua_pushnil(L);
lua_pushstring(L, "X509_STORE_CTX_init() error");
ret = 2;
goto cleanup;
}
/* Actual verification */
if (X509_verify_cert(ctx) <= 0) {
ret = X509_STORE_CTX_get_error(ctx);
lua_pushnil(L);
lua_pushstring(L, X509_verify_cert_error_string(ret));
ret = 2;
} else {
lua_pushboolean(L, 1);
ret = 1;
}
cleanup:
if (ctx != NULL) {
X509_STORE_CTX_free(ctx);
}
if (chain != NULL) {
X509_STORE_free(root);
}
sk_X509_free(chain);
return ret;
}
/** /**
* Collect X509 objects. * Collect X509 objects.
*/ */
@ -671,9 +463,7 @@ static luaL_Reg methods[] = {
{"issuer", meth_issuer}, {"issuer", meth_issuer},
{"notbefore", meth_notbefore}, {"notbefore", meth_notbefore},
{"notafter", meth_notafter}, {"notafter", meth_notafter},
{"issued", meth_issued},
{"pem", meth_pem}, {"pem", meth_pem},
{"pubkey", meth_pubkey},
{"serial", meth_serial}, {"serial", meth_serial},
{"subject", meth_subject}, {"subject", meth_subject},
{"validat", meth_valid_at}, {"validat", meth_valid_at},
@ -699,16 +489,39 @@ static luaL_Reg funcs[] = {
/*--------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------*/
#if (LUA_VERSION_NUM == 501)
LSEC_API int luaopen_ssl_x509(lua_State *L) LSEC_API int luaopen_ssl_x509(lua_State *L)
{ {
/* Register the functions and tables */ /* Register the functions and tables */
luaL_newmetatable(L, "SSL:Certificate"); luaL_newmetatable(L, "SSL:Certificate");
setfuncs(L, meta); luaL_register(L, NULL, meta);
luaL_newlib(L, methods); lua_newtable(L);
luaL_register(L, NULL, methods);
lua_setfield(L, -2, "__index"); lua_setfield(L, -2, "__index");
luaL_newlib(L, funcs); luaL_register(L, "ssl.x509", funcs);
return 1; return 1;
} }
#else
LSEC_API int luaopen_ssl_x509(lua_State *L)
{
/* Register the functions and tables */
luaL_newmetatable(L, "SSL:Certificate");
luaL_setfuncs(L, meta, 0);
lua_newtable(L);
luaL_setfuncs(L, methods, 0);
lua_setfield(L, -2, "__index");
lua_newtable(L);
luaL_setfuncs(L, funcs, 0);
return 1;
}
#endif
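Review bot: In `meth_extensions`, the `GEN_IPADD` branch pushes `general_name->d.iPAddress` through `push_asn1_string`, but that field is an OCTET STRING holding the raw 4-byte or 16-byte address rather than text, so the `iPAddress` entry carries the raw address octets (possibly transformed by whatever `px->encode` selects) rather than a dotted-quad or colon-separated form, and any caller matching a peer address against the SAN list has to know this. Either convert the octet string to its numeric text form before pushing (a small helper around `inet_ntop` that pushes `nil` for any length other than 4 or 16), or state the encoding in the function's doc comment, e.g. `/* iPAddress entries hold the raw SAN octets (4 or 16 bytes) */`. The `meth_extensions` body and the `push_asn1_string` body begin and end outside the hunks shown here.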


@ -1,7 +1,7 @@
/*-------------------------------------------------------------------------- /*--------------------------------------------------------------------------
* LuaSec 0.6 * LuaSec 0.5.1
* *
* Copyright (C) 2014-2016 Kim Alvefur, Paul Aurich, Tobias Markmann * Copyright (C) 2014-2015 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre. * Matthew Wild, Bruno Silvestre.
* *
*--------------------------------------------------------------------------*/ *--------------------------------------------------------------------------*/