Release LuaSec 1.3.2

reset block timeout at send or receive
Addressing #159 and #160
2025-04-20 15:36:46 +02:00 · 2023-08-31 17:09:53 -03:00 · 2023-08-31 10:51:50 -03:00 · 2023-07-12 21:41:40 -03:00 · 2023-07-05 13:21:49 +02:00 · 2023-05-09 10:25:21 -03:00
49 changed files with 1672 additions and 382 deletions
--- a/125
+++ b/125
@ -1,3 +1,128 @@
 --------------------------------------------------------------------------------
 LuaSec 1.3.2
 ---------------
 This version includes:
 * Fix: place EAI_OVERFLOW inside macro, unbreak build on <10.7 (Sergey Fedorov)
 * Fix: Expand workaround for zero errno to OpenSSL 3.0.x (Kim Alvefur)
 * Fix: reset block timeout at send or receive (MartinDahlberg)
 --------------------------------------------------------------------------------
 LuaSec 1.3.1
 ---------------
 This version includes:
 * Fix: check if PSK is available
 --------------------------------------------------------------------------------
 LuaSec 1.3.0
 ---------------
 This version includes:
 * Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
 * Add Pre-Shared Key (PSK) support (@jclab-joseph)
 --------------------------------------------------------------------------------
 LuaSec 1.2.0
 ---------------
 This version includes:
 * Add key material export method
 * Backguard compat for openssl on providers, like LTS linuxes
 --------------------------------------------------------------------------------
 LuaSec 1.1.0
 ---------------
 This version includes:
 * Fix missing DANE flag
 * Remove unused parameter in https.lua
 --------------------------------------------------------------------------------
 LuaSec 1.0.2
 ---------------
 This version includes:
 * Fix handle SSL_send SYSCALL error without errno
 * Fix off by one in cert:validat(notafter)
 * Fix meth_get_{sinagure => signature}_name function name
 * Fix update the Lua state reference on the selected SSL context after SNI
 * Fix ignore SSL_OP_BIT(n) macro and update option.c
 --------------------------------------------------------------------------------
 LuaSec 1.0.1
 ---------------
 This version includes:
 * Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
 --------------------------------------------------------------------------------
 LuaSec 1.0
 ---------------
 This version includes:
 * Add cert:getsignaturename()
 --------------------------------------------------------------------------------
 LuaSec 0.9
 ---------------
 This version includes:
 * Add DNS-based Authentication of Named Entities (DANE) support
 * Add __close() metamethod
 * Fix deprecation warnings with OpenSSL 1.1
 * Fix special case listing of TLS 1.3 EC curves
 * Fix general_name leak in cert:extensions()
 * Fix unexported 'ssl.config' table
 * Replace $(LD) with $(CCLD) variable
 * Remove multiple definitions of 'ssl_options' variable
 * Use tag in git format: v0.9
 --------------------------------------------------------------------------------
 LuaSec 0.8.2
 ---------------
 This version includes:
 * Fix unexported 'ssl.config' table (backported)
 --------------------------------------------------------------------------------
 LuaSec 0.8.1
 ---------------
 This version includes:
 * Fix general_name leak in cert:extensions() (backported)
 --------------------------------------------------------------------------------
 LuaSec 0.8
 ---------------
 This version includes:
 * Add support to ALPN
 * Add support to TLS 1.3
 * Add support to multiple certificates
 * Add timeout to https module (https.TIMEOUT)
 * Drop support to SSL 3.0
 * Drop support to TLS 1.0 from https module
 * Fix invalid reference to Lua state
 * Fix memory leak when get certficate extensions
 --------------------------------------------------------------------------------
 LuaSec 0.7.2
 ---------------
 This version includes:
 * Fix unexported 'ssl.config' table (backported)
 --------------------------------------------------------------------------------
 LuaSec 0.7.1
 ---------------
 This version includes:
 * Fix general_name leak in cert:extensions() (backported)
 --------------------------------------------------------------------------------
 LuaSec 0.7
 ---------------
--- a/6
+++ b/6
@ -1,14 +1,14 @@
-LuaSec 0.7
+LuaSec 1.3.2
 ------------
 * OpenSSL options:
-    By default, LuaSec 0.7 includes options for OpenSSL 1.1.0f.
+    By default, this version includes options for OpenSSL 3.0.8
    If you need to generate the options for a different version of OpenSSL:
      $ cd src
-      $ lua options.lua -g /usr/include/openssl/ssl.h > options.h
+      $ lua options.lua -g /usr/include/openssl/ssl.h > options.c
 --------------------------------------------------------------------------------
--- a/4
+++ b/4
@ -1,5 +1,5 @@
-LuaSec 0.7 license
+LuaSec 1.3.2 license
-Copyright (C) 2006-2018 Bruno Silvestre, UFG
+Copyright (C) 2006-2023 Bruno Silvestre, UFG
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-LuaSec 0.7
+LuaSec 1.3.2
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
--- a/luasec-1.3.2-1.rockspec
+++ b/luasec-1.3.2-1.rockspec
@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "0.7-1"
+version = "1.3.2-1"
 source = {
-   url = "https://github.com/brunoos/luasec/archive/luasec-0.7.tar.gz",
+  url = "git+https://github.com/brunoos/luasec",
-   dir = "luasec-luasec-0.7"
+  tag = "v1.3.2",
 }
 description = {
   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@ -58,7 +58,7 @@ build = {
                  "ssl", "crypto"
               },
               sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                  "src/x509.c", "src/context.c", "src/ssl.c", 
                  "src/luasocket/buffer.c", "src/luasocket/io.c",
                  "src/luasocket/timeout.c", "src/luasocket/usocket.c"
@ -87,13 +87,13 @@ build = {
                  "$(OPENSSL_BINDIR)",
               },
               libraries = {
-                  "libssl32MD", "libcrypto32MD", "ws2_32"
+                  "libssl", "libcrypto", "ws2_32"
               },
               incdirs = {
                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
               },
               sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                  "src/x509.c", "src/context.c", "src/ssl.c", 
                  "src/luasocket/buffer.c", "src/luasocket/io.c",
                  "src/luasocket/timeout.c", "src/luasocket/wsocket.c"
--- a/luasec.vcxproj
+++ b/luasec.vcxproj
@ -61,7 +61,7 @@
      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <OutputFile>$(OutDir)ssl.dll</OutputFile>
      <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <GenerateDebugInformation>true</GenerateDebugInformation>
@ -85,7 +85,7 @@
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>ws2_32.lib;libssl32MD.lib;libcrypto32MD.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
      <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <GenerateDebugInformation>true</GenerateDebugInformation>
@ -107,6 +107,7 @@
    <ClCompile Include="src\luasocket\io.c" />
    <ClCompile Include="src\luasocket\timeout.c" />
    <ClCompile Include="src\luasocket\wsocket.c" />
    <ClCompile Include="src\options.c" />
    <ClCompile Include="src\ssl.c" />
    <ClCompile Include="src\x509.c" />
  </ItemGroup>
--- a/samples/README
+++ b/samples/README
@ -1,5 +1,8 @@
 Directories: 
 ------------
 * alpn
 Test ALPN (Application-Layer Protocol Negotiation) support.
 * certs
 Contains scripts to generate the certificates used by the examples.
 Generate Root CA 'A' and 'B' first, then the servers and clients.
@ -7,6 +10,9 @@ Directories:
 * chain
 Example of certificate chain in handshake.
 * curve-negotiation
 Elliptic curve negotiation.
 * dhparam
 DH parameters for handshake.
@ -30,20 +36,32 @@ Directories:
 Same of above,  but the connection is not  explicit closed, the gabage
 collector is encharge of that.
 * luaossl
 Integration with luaossl.
 * multicert
 Support to multiple certificate for dual RSA/ECDSA.
 * oneshot
 A simple connection example.
 * psk
 PSK(Pre Shared Key) support.
 * sni
 Support to SNI (Server Name Indication).
 * verification
 Retrieve the certificate verification errors from the handshake.
 * verify
 Ignore handshake errors and proceed.
 * want
 Test want() method.
 * wantread
 Test timeout in handshake() and receive().
 * wantwrite
 Test timeout in send().
 * want
 Test want() method.
--- a/samples/alpn/client.lua
+++ b/samples/alpn/client.lua
@ -0,0 +1,27 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 local params = {
   mode = "client",
   protocol = "tlsv1_2",
   key = "../certs/clientAkey.pem",
   certificate = "../certs/clientA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
   --alpn = {"foo","bar","baz"}
   alpn = "foo"
 }
 local peer = socket.tcp()
 peer:connect("127.0.0.1", 8888)
 peer = assert( ssl.wrap(peer, params) )
 assert(peer:dohandshake())
 print("ALPN", peer:getalpn())
 peer:close()
--- a/samples/alpn/server.lua
+++ b/samples/alpn/server.lua
@ -0,0 +1,77 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 --
 -- Callback that selects one protocol from client's list.
 --
 local function alpncb01(protocols)
   print("--- ALPN protocols from client")
   for k, v in ipairs(protocols) do
      print(k, v)
   end
   print("--- Selecting:", protocols[1])
   return protocols[1]
 end
 --
 -- Callback that returns a fixed list, ignoring the client's list.
 --
 local function alpncb02(protocols)
   print("--- ALPN protocols from client")
   for k, v in ipairs(protocols) do
      print(k, v)
   end
   print("--- Returning a fixed list") 
   return {"bar", "foo"}
 end
 --
 -- Callback that generates a list as it whishes.
 --
 local function alpncb03(protocols)
   local resp = {}
   print("--- ALPN protocols from client")
   for k, v in ipairs(protocols) do
      print(k, v)
      if k%2 ~= 0 then resp[#resp+1] = v end
   end
   print("--- Returning an odd list")
   return resp
 end
 local params = {
   mode = "server",
   protocol = "any",
   key = "../certs/serverAkey.pem",
   certificate = "../certs/serverA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
   --alpn = alpncb01,
   --alpn = alpncb02,
   --alpn = alpncb03,
   alpn = {"bar", "baz", "foo"},
 }
 -- [[ SSL context
 local ctx = assert(ssl.newcontext(params))
 --]]
 local server = socket.tcp()
 server:setoption('reuseaddr', true)
 assert( server:bind("127.0.0.1", 8888) )
 server:listen()
 local peer = server:accept()
 peer = assert( ssl.wrap(peer, ctx) )
 assert( peer:dohandshake() )
 print("ALPN", peer:getalpn())
 peer:close()
 server:close()
--- a/samples/certs/all.sh
+++ b/samples/certs/all.sh
@ -0,0 +1,7 @@
 #!/bin/sh
 ./rootA.sh
 ./rootB.sh
 ./clientA.sh
 ./clientB.sh
 ./serverA.sh
 ./serverB.sh
--- a/samples/certs/clientA.sh
+++ b/samples/certs/clientA.sh
@ -1,9 +1,9 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
  -nodes -config ./clientA.cnf -days 365 -batch
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
  -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
  -out clientAcert.pem -days 365
--- a/samples/certs/clientB.sh
+++ b/samples/certs/clientB.sh
@ -1,9 +1,9 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
  -nodes -config ./clientB.cnf -days 365 -batch
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
  -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
  -out clientBcert.pem -days 365
--- a/samples/certs/rootA.sh
+++ b/samples/certs/rootA.sh
@ -1,7 +1,7 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 openssl x509 -subject -issuer -noout -in rootA.pem
--- a/samples/certs/rootB.sh
+++ b/samples/certs/rootB.sh
@ -1,7 +1,7 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 openssl x509 -subject -issuer -noout -in rootB.pem
--- a/samples/certs/serverA.cnf
+++ b/samples/certs/serverA.cnf
@ -118,7 +118,7 @@ x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 # so use this option with caution!
 string_mask = nombstr
-# req_extensions = v3_req # The extensions to add to a certificate request
+# req_extensions = v3_ext # The extensions to add to a certificate request
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
-# subjectAltName=email:move
+subjectAltName=DNS:foo.bar.example
 # Copy subject details
 # issuerAltName=issuer:copy
--- a/samples/certs/serverA.sh
+++ b/samples/certs/serverA.sh
@ -1,9 +1,9 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
   -config ./serverA.cnf -nodes -days 365 -batch
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out serverAcert.pem -days 365
--- a/samples/certs/serverB.cnf
+++ b/samples/certs/serverB.cnf
@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-# subjectAltName=email:copy
+subjectAltName=DNS:fnord.bar.example
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move
--- a/samples/certs/serverB.sh
+++ b/samples/certs/serverB.sh
@ -1,9 +1,9 @@
 #!/bin/sh
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
   -config ./serverB.cnf -nodes -days 365 -batch
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out serverBcert.pem -days 365
--- a/samples/chain/server.lua
+++ b/samples/chain/server.lua
@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )
 print("----------------------------------------------------------------------")
-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
 local peerchain = conn:getpeerchain()
 assert(#peerchain == #expectedpeerchain)
 for k, cert in ipairs( peerchain ) do
  util.show(cert)
  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
 end
 local expectedlocalchain = { "../certs/serverAcert.pem" }
 local localchain = assert(conn:getlocalchain())
 assert(#localchain == #expectedlocalchain)
 for k, cert in ipairs( localchain ) do
  util.show(cert)
  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
  if k == 1 then
    assert(cert:pem() == conn:getlocalcertificate():pem())
  end
 end
 local f = io.open(params.certificate)
--- a/samples/dane/client.lua
+++ b/samples/dane/client.lua
@ -0,0 +1,40 @@
 local socket = require "socket";
 local ssl = require "ssl";
 local dns = require "lunbound".new();
 local cfg = {
 	protocol = "tlsv1_2",
 	mode = "client",
 	ciphers = "DEFAULT",
 	capath = "/etc/ssl/certs",
 	verify = "peer",
 	dane = true,
 };
 local function daneconnect(host, port)
   port = port or "443";
 	local conn = ssl.wrap(socket.connect(host, port), cfg);
 	local tlsa = dns:resolve("_" .. port .. "._tcp." .. host, 52);
 	assert(tlsa.secure, "Insecure DNS");
 	assert(conn:setdane(host));
 	for i = 1, tlsa.n do
 		local usage, selector, mtype = tlsa[i] :byte(1, 3);
 		assert(conn:settlsa(usage, selector, mtype, tlsa[i] :sub(4, - 1)));
 	end
 	assert(conn:dohandshake());
 	return conn;
 end
 if not ... then
   print("Usage: client.lua example.com [port]");
   return os.exit(1);
 end
 local conn = daneconnect(...);
 print(conn:getpeerverification());
--- a/samples/dhparam/client.lua
+++ b/samples/dhparam/client.lua
@ -6,12 +6,13 @@ local ssl    = require("ssl")
 local params = {
   mode = "client",
-   protocol = "tlsv1_2",
+   protocol = "any",
   key = "../certs/clientAkey.pem",
   certificate = "../certs/clientA.pem",
   cafile = "../certs/rootA.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
   ciphers = "EDH+AESGCM"
 }
 local peer = socket.tcp()
--- a/samples/dhparam/params.sh
+++ b/samples/dhparam/params.sh
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 openssl dhparam -2 -out dh-512.pem  -outform PEM 512
 openssl dhparam -2 -out dh-1024.pem -outform PEM 1024
--- a/samples/dhparam/server.lua
+++ b/samples/dhparam/server.lua
@ -38,6 +38,7 @@ local params = {
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
   dhparam = dhparam_cb,
   ciphers = "EDH+AESGCM"
 }
--- a/samples/key/genkey.sh
+++ b/samples/key/genkey.sh
@ -1,3 +1,3 @@
-#!/bin/sh
+#!/usr/bin/env sh
 openssl genrsa -des3 -out key.pem -passout pass:foobar 2048
--- a/samples/loop/client.lua
+++ b/samples/loop/client.lua
@ -23,6 +23,8 @@ while true do
   assert( peer:dohandshake() )
   --]]
   peer:getpeercertificate():extensions()
   print(peer:receive("*l"))
   peer:close()
 end
--- a/samples/multicert/client-ecdsa.lua
+++ b/samples/multicert/client-ecdsa.lua
@ -0,0 +1,29 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 local params = {
   mode        = "client",
   protocol    = "tlsv1_2",
   key         = "certs/clientECDSAkey.pem",
   certificate = "certs/clientECDSA.pem",
   verify      = "none",
   options     = "all",
   ciphers     = "ALL:!aRSA"
 }
 local peer = socket.tcp()
 peer:connect("127.0.0.1", 8888)
 -- [[ SSL wrapper
 peer = assert( ssl.wrap(peer, params) )
 assert(peer:dohandshake())
 --]]
 local i = peer:info()
 for k, v in pairs(i) do print(k, v) end
 print(peer:receive("*l"))
 peer:close()
--- a/samples/multicert/client-rsa.lua
+++ b/samples/multicert/client-rsa.lua
@ -0,0 +1,29 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 local params = {
   mode        = "client",
   protocol    = "tlsv1_2",
   key         = "certs/clientRSAkey.pem",
   certificate = "certs/clientRSA.pem",
   verify      = "none",
   options     = "all",
   ciphers     = "ALL:!ECDSA"
 }
 local peer = socket.tcp()
 peer:connect("127.0.0.1", 8888)
 -- [[ SSL wrapper
 peer = assert( ssl.wrap(peer, params) )
 assert(peer:dohandshake())
 --]]
 local i = peer:info()
 for k, v in pairs(i) do print(k, v) end
 print(peer:receive("*l"))
 peer:close()
--- a/samples/multicert/gencerts.sh
+++ b/samples/multicert/gencerts.sh
@ -0,0 +1,13 @@
 #!/usr/bin/env sh
 mkdir -p certs
 openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
 openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
 openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
 openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
 openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
 openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch
--- a/samples/multicert/server.lua
+++ b/samples/multicert/server.lua
@ -0,0 +1,38 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 local params = {
   mode         = "server",
   protocol     = "any",
   certificates = { 
      -- Comment line below and 'client-rsa' stop working
      { certificate = "certs/serverRSA.pem",   key = "certs/serverRSAkey.pem"   },
      -- Comment line below and 'client-ecdsa' stop working
      { certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
   },
   verify  = "none",
   options = "all"
 }
 -- [[ SSL context
 local ctx = assert(ssl.newcontext(params))
 --]]
 local server = socket.tcp()
 server:setoption('reuseaddr', true)
 assert( server:bind("127.0.0.1", 8888) )
 server:listen()
 local peer = server:accept()
 -- [[ SSL wrapper
 peer = assert( ssl.wrap(peer, ctx) )
 assert( peer:dohandshake() )
 --]]
 peer:send("oneshot test\n")
 peer:close()
--- a/samples/psk/client.lua
+++ b/samples/psk/client.lua
@ -0,0 +1,41 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 if not ssl.config.capabilities.psk then
   print("[ERRO] PSK not available")
   os.exit(1)
 end
 -- @param hint (nil | string)
 -- @param max_identity_len (number)
 -- @param max_psk_len (number)
 -- @return identity (string)
 -- @return PSK (string)
 local function pskcb(hint, max_identity_len, max_psk_len)
   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
   return "abcd", "1234"
 end
 local params = {
   mode = "client",
   protocol = "tlsv1_2",
   psk = pskcb,
 }
 local peer = socket.tcp()
 peer:connect("127.0.0.1", 8888)
 peer = assert( ssl.wrap(peer, params) )
 assert(peer:dohandshake())
 print("--- INFO ---")
 local info = peer:info()
 for k, v in pairs(info) do
   print(k, v)
 end
 print("---")
 peer:close()
--- a/samples/psk/server.lua
+++ b/samples/psk/server.lua
@ -0,0 +1,60 @@
 --
 -- Public domain
 --
 local socket = require("socket")
 local ssl    = require("ssl")
 if not ssl.config.capabilities.psk then
   print("[ERRO] PSK not available")
   os.exit(1)
 end
 -- @param identity (string)
 -- @param max_psk_len (number)
 -- @return psk (string)
 local function pskcb(identity, max_psk_len)
   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
   if identity == "abcd" then
     return "1234"
  end
  return nil
 end
 local params = {
   mode = "server",
   protocol = "any",
   options = "all",
 -- PSK with just a callback
   psk = pskcb,
 -- PSK with identity hint
 --   psk = {
 --      hint = "hintpsksample",
 --      callback = pskcb,
 --   },
 }
 -- [[ SSL context
 local ctx = assert(ssl.newcontext(params))
 --]]
 local server = socket.tcp()
 server:setoption('reuseaddr', true)
 assert( server:bind("127.0.0.1", 8888) )
 server:listen()
 local peer = server:accept()
 peer = assert( ssl.wrap(peer, ctx) )
 assert( peer:dohandshake() )
 print("--- INFO ---")
 local info = peer:info()
 for k, v in pairs(info) do
   print(k, v)
 end
 print("---")
 peer:close()
 server:close()
--- a/src/Makefile
+++ b/src/Makefile
@ -2,6 +2,7 @@ CMOD=ssl.so
 LMOD=ssl.lua
 OBJS= \
 options.o \
 x509.o    \
 context.o \
 ssl.o     \
@ -24,7 +25,7 @@ MAC_LDFLAGS=-bundle -undefined dynamic_lookup $(LIBDIR)
 INSTALL  = install
 CC      ?= cc
-LD      ?= $(MYENV) cc
+CCLD      ?= $(MYENV) $(CC)
 CFLAGS  += $(MYCFLAGS)
 LDFLAGS += $(MYLDFLAGS)
@ -51,14 +52,15 @@ luasocket:
 	@cd luasocket && $(MAKE)
 $(CMOD): $(EXTRA) $(OBJS)
-	$(LD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+	$(CCLD) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
 clean:
 	cd luasocket && $(MAKE) clean
 	rm -f $(OBJS) $(CMOD)
 options.o: options.h options.c
 ec.o: ec.c ec.h
 x509.o: x509.c x509.h compat.h
-context.o: context.c context.h ec.h compat.h
+context.o: context.c context.h ec.h compat.h options.h
 ssl.o: ssl.c ssl.h context.h x509.h compat.h
 config.o: config.c ec.h options.h compat.h
--- a/src/compat.h
+++ b/src/compat.h
@ -1,19 +1,25 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
 #ifndef LSEC_COMPAT_H
 #define LSEC_COMPAT_H
 #include <openssl/ssl.h>
 //------------------------------------------------------------------------------
 #if defined(_WIN32)
 #define LSEC_API __declspec(dllexport) 
 #else
 #define LSEC_API extern
 #endif
 //------------------------------------------------------------------------------
 #if (LUA_VERSION_NUM == 501)
 #define luaL_testudata(L, ud, tname)  lsec_testudata(L, ud, tname)
@ -28,4 +34,30 @@
 #define setfuncs(L, R) luaL_setfuncs(L, R, 0)
 #endif
 //------------------------------------------------------------------------------
 #if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
 #define LSEC_ENABLE_DANE
 #endif
 //------------------------------------------------------------------------------
 #if !((defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
 #define LSEC_API_OPENSSL_1_1_0
 #endif
 //------------------------------------------------------------------------------
 #if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L || (OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x30000000L)
 #define LSEC_OPENSSL_ERRNO_BUG
 #endif
 //------------------------------------------------------------------------------
 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
 #define LSEC_ENABLE_PSK
 #endif
 //------------------------------------------------------------------------------
 #endif
--- a/src/config.c
+++ b/src/config.c
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre.
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
@ -14,14 +14,14 @@
 */
 LSEC_API int luaopen_ssl_config(lua_State *L)
 {
-  ssl_option_t *opt;
+  lsec_ssl_option_t *opt;
  lua_newtable(L);
  // Options
  lua_pushstring(L, "options");
  lua_newtable(L);
-  for (opt = ssl_options; opt->name; opt++) {
+  for (opt = lsec_get_ssl_options(); opt->name; opt++) {
    lua_pushstring(L, opt->name);
    lua_pushboolean(L, 1);
    lua_rawset(L, -3);
@ -32,22 +32,21 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
  lua_pushstring(L, "protocols");
  lua_newtable(L);
 #ifndef OPENSSL_NO_SSL3
  lua_pushstring(L, "sslv3");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #endif
  lua_pushstring(L, "tlsv1");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
  lua_pushstring(L, "tlsv1_1");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
  lua_pushstring(L, "tlsv1_2");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #ifdef TLS1_3_VERSION
  lua_pushstring(L, "tlsv1_3");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #endif
  lua_rawset(L, -3);
  // Algorithms
@ -70,17 +69,38 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
  lua_pushstring(L, "capabilities");
  lua_newtable(L);
  // ALPN
  lua_pushstring(L, "alpn");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #ifdef LSEC_ENABLE_PSK
  lua_pushstring(L, "psk");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #endif
 #ifdef LSEC_ENABLE_DANE
  // DANE
  lua_pushstring(L, "dane");
 #ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
  lua_createtable(L, 0, 1);
  lua_pushstring(L, "no_ee_namechecks");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #else
  lua_pushboolean(L, 1);
 #endif
  lua_rawset(L, -3);
 #endif
 #ifndef OPENSSL_NO_EC
 #if defined(SSL_CTRL_SET_ECDH_AUTO) || defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list)
  lua_pushstring(L, "curves_list");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #ifdef SSL_CTRL_SET_ECDH_AUTO
  lua_pushstring(L, "ecdh_auto");
  lua_pushboolean(L, 1);
  lua_rawset(L, -3);
 #endif
 #endif
 #endif
  lua_rawset(L, -3);
--- a/src/context.c
+++ b/src/context.c
@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
- *                         Matthew Wild.
+ * Copyright (C) 2006-2023 Bruno Silvestre
 * Copyright (C) 2006-2018 Bruno Silvestre.
 *
 *--------------------------------------------------------------------------*/
@ -17,10 +16,13 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/dh.h>
 #include <lua.h>
 #include <lauxlib.h>
 #include "compat.h"
 #include "context.h"
 #include "options.h"
@ -29,12 +31,6 @@
 #include "ec.h"
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
 typedef const SSL_METHOD LSEC_SSL_METHOD;
 #else
 typedef       SSL_METHOD LSEC_SSL_METHOD;
 #endif
 /*--------------------------- Auxiliary Functions ----------------------------*/
 /**
@ -55,8 +51,8 @@ static p_context testctx(lua_State *L, int idx)
 */
 static int set_option_flag(const char *opt, unsigned long *flag)
 {
-  ssl_option_t *p;
+  lsec_ssl_option_t *p;
-  for (p = ssl_options; p->name; p++) {
+  for (p = lsec_get_ssl_options(); p->name; p++) {
    if (!strcmp(opt, p->name)) {
      *flag |= p->code;
      return 1;
@ -65,23 +61,59 @@ static int set_option_flag(const char *opt, unsigned long *flag)
  return 0;
 }
 #ifndef LSEC_API_OPENSSL_1_1_0
 /**
 * Find the protocol.
 */
-static LSEC_SSL_METHOD* str2method(const char *method)
+static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
 {
  (void)vmin;
  (void)vmax;
  if (!strcmp(method, "any"))     return SSLv23_method();
  if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
 #ifndef OPENSSL_NO_SSL3
  if (!strcmp(method, "sslv3"))   return SSLv3_method();
 #endif
  if (!strcmp(method, "tlsv1"))   return TLSv1_method();
 #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
  if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
  if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
  return NULL;
 }
 #else
 /**
 * Find the protocol.
 */
 static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
 {
  if (!strcmp(method, "any") || !strcmp(method, "sslv23")) { // 'sslv23' is deprecated
    *vmin = 0;
    *vmax = 0;
    return TLS_method();
  }
  else if (!strcmp(method, "tlsv1")) {
    *vmin = TLS1_VERSION;
    *vmax = TLS1_VERSION;
    return TLS_method();
  }
  else if (!strcmp(method, "tlsv1_1")) {
    *vmin = TLS1_1_VERSION;
    *vmax = TLS1_1_VERSION;
    return TLS_method();
  }
  else if (!strcmp(method, "tlsv1_2")) {
    *vmin = TLS1_2_VERSION;
    *vmax = TLS1_2_VERSION;
    return TLS_method();
  }
 #if defined(TLS1_3_VERSION)
  else if (!strcmp(method, "tlsv1_3")) {
    *vmin = TLS1_3_VERSION;
    *vmax = TLS1_3_VERSION;
    return TLS_method();
  }
 #endif
  return NULL;
 }
 #endif
 /**
 * Prepare the SSL handshake verify flag.
@ -168,7 +200,6 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
 {
  BIO *bio;
  lua_State *L;
  DH *dh_tmp = NULL;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
@ -189,24 +220,15 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
    lua_pop(L, 2);  /* Remove values from stack */
    return NULL;
  }
-  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
+
-    lua_rawlen(L, -1));
+  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), lua_rawlen(L, -1));
  if (bio) {
-    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    pctx->dh_param = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    BIO_free(bio);
  }
  /*
   * OpenSSL exepcts the callback to maintain a reference to the DH*.  So,
   * cache it here, and clean up the previous set of parameters.  Any remaining
   * set is cleaned up when destroying the LuaSec context.
   */
  if (pctx->dh_param)
    DH_free(pctx->dh_param);
  pctx->dh_param = dh_tmp;
  lua_pop(L, 2);    /* Remove values from stack */
-  return dh_tmp;
+  return pctx->dh_param;
 }
 /**
@ -287,10 +309,11 @@ static int create(lua_State *L)
 {
  p_context ctx;
  const char *str_method;
-  LSEC_SSL_METHOD *method;
+  const SSL_METHOD *method;
  int vmin, vmax;
  str_method = luaL_checkstring(L, 1);
-  method = str2method(str_method);
+  method = str2method(str_method, &vmin, &vmax);
  if (!method) {
    lua_pushnil(L);
    lua_pushfstring(L, "invalid protocol (%s)", str_method);
@ -310,6 +333,10 @@ static int create(lua_State *L)
      ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
 #ifdef LSEC_API_OPENSSL_1_1_0
  SSL_CTX_set_min_proto_version(ctx->context, vmin);
  SSL_CTX_set_max_proto_version(ctx->context, vmax);
 #endif
  ctx->mode = LSEC_MODE_INVALID;
  ctx->L = L;
  luaL_getmetatable(L, "SSL:Context");
@ -411,14 +438,31 @@ static int set_cipher(lua_State *L)
  const char *list = luaL_checkstring(L, 2);
  if (SSL_CTX_set_cipher_list(ctx, list) != 1) {
    lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting cipher list (%s)",
+    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
      ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  lua_pushboolean(L, 1);
  return 1;
 }
 /**
 * Set the cipher suites.
 */
 static int set_ciphersuites(lua_State *L)
 {
 #if defined(TLS1_3_VERSION)
  SSL_CTX *ctx = lsec_checkcontext(L, 1);
  const char *list = luaL_checkstring(L, 2);
  if (SSL_CTX_set_ciphersuites(ctx, list) != 1) {
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
 #endif
  lua_pushboolean(L, 1);
  return 1;
 }
 /**
 * Set the depth for certificate checking.
 */
@ -467,12 +511,6 @@ static int set_options(lua_State *L)
  if (max > 1) {
    for (i = 2; i <= max; i++) {
      str = luaL_checkstring(L, i);
 #if !defined(SSL_OP_NO_COMPRESSION) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
      /* Version 0.9.8 has a different way to disable compression */
      if (!strcmp(str, "no_compression"))
        ctx->comp_methods = NULL;
      else
 #endif
      if (!set_option_flag(str, &flag)) {
        lua_pushboolean(L, 0);
        lua_pushfstring(L, "invalid option (%s)", str);
@ -531,12 +569,13 @@ static int set_dhparam(lua_State *L)
 static int set_curve(lua_State *L)
 {
  long ret;
  EC_KEY *key = NULL;
  SSL_CTX *ctx = lsec_checkcontext(L, 1);
  const char *str = luaL_checkstring(L, 2);
  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-  EC_KEY *key = lsec_find_ec_key(L, str);
+  key = lsec_find_ec_key(L, str);
  if (!key) {
    lua_pushboolean(L, 0);
@ -558,9 +597,7 @@ static int set_curve(lua_State *L)
  lua_pushboolean(L, 1);
  return 1;
 }
 #endif
 #if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
 /**
 * Set elliptic curves list.
 */
@ -577,8 +614,8 @@ static int set_curves_list(lua_State *L)
    return 2;
  }
-#ifdef SSL_CTRL_SET_ECDH_AUTO
+#if defined(LIBRESSL_VERSION_NUMBER) || !defined(LSEC_API_OPENSSL_1_1_0)
-  SSL_CTX_set_ecdh_auto(ctx, 1);
+  (void)SSL_CTX_set_ecdh_auto(ctx, 1);
 #endif
  lua_pushboolean(L, 1);
@ -586,30 +623,291 @@ static int set_curves_list(lua_State *L)
 }
 #endif
 /**
 * Set the protocols a client should send for ALPN.
 */
 static int set_alpn(lua_State *L)
 {
  long ret;
  size_t len;
  p_context ctx = checkctx(L, 1);
  const char *str = luaL_checklstring(L, 2, &len);
  ret = SSL_CTX_set_alpn_protos(ctx->context, (const unsigned char*)str, len);
  if (ret) {
    lua_pushboolean(L, 0);
    lua_pushfstring(L, "error setting ALPN (%s)", ERR_reason_error_string(ERR_get_error()));
    return 2;
  }
  lua_pushboolean(L, 1);
  return 1;
 }
 /**
 * This standard callback calls the server's callback in Lua sapce.
 * The server has to return a list in wire-format strings.
 * This function uses a helper function to match server and client lists.
 */
 static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
                   const unsigned char *in, unsigned int inlen, void *arg)
 {
  int ret;
  size_t server_len;
  const char *server;
  p_context ctx = (p_context)arg;
  lua_State *L = ctx->L;
  luaL_getmetatable(L, "SSL:ALPN:Registry");
  lua_pushlightuserdata(L, (void*)ctx->context);
  lua_gettable(L, -2);
  lua_pushlstring(L, (const char*)in, inlen);
  lua_call(L, 1, 1);
  if (!lua_isstring(L, -1)) {
    lua_pop(L, 2);
    return SSL_TLSEXT_ERR_NOACK;
  }
  // Protocol list from server in wire-format string
  server = luaL_checklstring(L, -1, &server_len);
  ret  = SSL_select_next_proto((unsigned char**)out, outlen, (const unsigned char*)server,
                               server_len, in, inlen);
  if (ret != OPENSSL_NPN_NEGOTIATED) {
    lua_pop(L, 2);
    return SSL_TLSEXT_ERR_NOACK;
  } 
  // Copy the result because lua_pop() can collect the pointer
  ctx->alpn = malloc(*outlen);
  memcpy(ctx->alpn, (void*)*out, *outlen);
  *out = (const unsigned char*)ctx->alpn;
  lua_pop(L, 2);
  return SSL_TLSEXT_ERR_OK;
 }
 /**
 * Set a callback a server can use to select the next protocol with ALPN.
 */
 static int set_alpn_cb(lua_State *L)
 {
  p_context ctx = checkctx(L, 1);
  luaL_getmetatable(L, "SSL:ALPN:Registry");
  lua_pushlightuserdata(L, (void*)ctx->context);
  lua_pushvalue(L, 2);
  lua_settable(L, -3);
  SSL_CTX_set_alpn_select_cb(ctx->context, alpn_cb, ctx);
  lua_pushboolean(L, 1);
  return 1;
 }
 #if defined(LSEC_ENABLE_PSK)
 /**
 * Callback to select the PSK.
 */
 static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
  unsigned int max_psk_len)
 {
  size_t psk_len;
  const char *ret_psk;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
  lua_State *L = pctx->L;
  luaL_getmetatable(L, "SSL:PSK:Registry");
  lua_pushlightuserdata(L, (void*)pctx->context);
  lua_gettable(L, -2);
  lua_pushstring(L, identity);
  lua_pushinteger(L, max_psk_len);
  lua_call(L, 2, 1);
  if (!lua_isstring(L, -1)) {
    lua_pop(L, 2);
    return 0;
  }
  ret_psk = lua_tolstring(L, -1, &psk_len);
  if (psk_len == 0 || psk_len > max_psk_len)
    psk_len = 0;
  else
    memcpy(psk, ret_psk, psk_len);
  lua_pop(L, 2);
  return psk_len;
 }
 /**
 * Set a PSK callback for server.
 */
 static int set_server_psk_cb(lua_State *L)
 {
  p_context ctx = checkctx(L, 1);
  luaL_getmetatable(L, "SSL:PSK:Registry");
  lua_pushlightuserdata(L, (void*)ctx->context);
  lua_pushvalue(L, 2);
  lua_settable(L, -3);
  SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
  lua_pushboolean(L, 1);
  return 1;
 }
 /*
 * Set the PSK indentity hint.
 */
 static int set_psk_identity_hint(lua_State *L)
 {
  p_context ctx = checkctx(L, 1);
  const char *hint = luaL_checkstring(L, 2);
  int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
  lua_pushboolean(L, ret);
  return 1;
 }
 /*
 * Client callback to PSK.
 */
 static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
  unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
 {
  size_t psk_len;
  size_t identity_len;
  const char *ret_psk;
  const char *ret_identity;
  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
  lua_State *L = pctx->L;
  luaL_getmetatable(L, "SSL:PSK:Registry");
  lua_pushlightuserdata(L, (void*)pctx->context);
  lua_gettable(L, -2);
  if (hint)
    lua_pushstring(L, hint);
  else
    lua_pushnil(L);
  // Leave space to '\0'
  lua_pushinteger(L, max_identity_len-1);
  lua_pushinteger(L, max_psk_len);
  lua_call(L, 3, 2);
  if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
    lua_pop(L, 3);
    return 0;
  }
  ret_identity = lua_tolstring(L, -2, &identity_len);
  ret_psk = lua_tolstring(L, -1, &psk_len);
  if (identity_len >= max_identity_len || psk_len > max_psk_len)
    psk_len = 0;
  else {
    memcpy(identity, ret_identity, identity_len);
    identity[identity_len] = 0;
    memcpy(psk, ret_psk, psk_len);
  }
  lua_pop(L, 3);
  return psk_len;
 }
 /**
 * Set a PSK callback for client.
 */
 static int set_client_psk_cb(lua_State *L) {
  p_context ctx = checkctx(L, 1);
  luaL_getmetatable(L, "SSL:PSK:Registry");
  lua_pushlightuserdata(L, (void*)ctx->context);
  lua_pushvalue(L, 2);
  lua_settable(L, -3);
  SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
  lua_pushboolean(L, 1);
  return 1;
 }
 #endif
 #if defined(LSEC_ENABLE_DANE)
 /*
 * DANE
 */
 static int dane_options[] = {
  /* TODO move into options.c
   * however this symbol is not from openssl/ssl.h but rather from
   * openssl/x509_vfy.h
   * */
 #ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
  DANE_FLAG_NO_DANE_EE_NAMECHECKS,
 #endif
  0
 };
 static const char *dane_option_names[] = {
 #ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
  "no_ee_namechecks",
 #endif
  NULL
 };
 static int set_dane(lua_State *L)
 {
  int ret, i;
  SSL_CTX *ctx = lsec_checkcontext(L, 1);
  ret = SSL_CTX_dane_enable(ctx);
  for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
    ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
  }
  lua_pushboolean(L, (ret > 0));
  return 1;
 }
 #endif
 /**
 * Package functions
 */
 static luaL_Reg funcs[] = {
-  {"create",       create},
+  {"create",          create},
-  {"locations",    load_locations},
+  {"locations",       load_locations},
-  {"loadcert",     load_cert},
+  {"loadcert",        load_cert},
-  {"loadkey",      load_key},
+  {"loadkey",         load_key},
-  {"checkkey",     check_key},
+  {"checkkey",        check_key},
-  {"setcipher",    set_cipher},
+  {"setalpn",         set_alpn},
-  {"setdepth",     set_depth},
+  {"setalpncb",       set_alpn_cb},
-  {"setdhparam",   set_dhparam},
+  {"setcipher",       set_cipher},
-  {"setverify",    set_verify},
+  {"setciphersuites", set_ciphersuites},
-  {"setoptions",   set_options},
+  {"setdepth",        set_depth},
-  {"setmode",      set_mode},
+  {"setdhparam",      set_dhparam},
-
+  {"setverify",       set_verify},
  {"setoptions",      set_options},
 #if defined(LSEC_ENABLE_PSK)
  {"setpskhint",      set_psk_identity_hint},
  {"setserverpskcb",  set_server_psk_cb},
  {"setclientpskcb",  set_client_psk_cb},
 #endif
  {"setmode",         set_mode},
 #if !defined(OPENSSL_NO_EC)
-  {"setcurve",     set_curve},
+  {"setcurve",        set_curve},
  {"setcurveslist",   set_curves_list},
 #endif
-
+#if defined(LSEC_ENABLE_DANE)
-#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
+  {"setdane",         set_dane},
  {"setcurveslist", set_curves_list},
 #endif
  {NULL, NULL}
 };
@ -631,15 +929,18 @@ static int meth_destroy(lua_State *L)
    lua_pushlightuserdata(L, (void*)ctx->context);
    lua_pushnil(L);
    lua_settable(L, -3);
    luaL_getmetatable(L, "SSL:ALPN:Registry");
    lua_pushlightuserdata(L, (void*)ctx->context);
    lua_pushnil(L);
    lua_settable(L, -3);
    luaL_getmetatable(L, "SSL:PSK:Registry");
    lua_pushlightuserdata(L, (void*)ctx->context);
    lua_pushnil(L);
    lua_settable(L, -3);
    SSL_CTX_free(ctx->context);
    ctx->context = NULL;
  }
  if (ctx->dh_param) {
    DH_free(ctx->dh_param);
    ctx->dh_param = NULL;
  }
  return 0;
 }
@ -711,6 +1012,7 @@ static int meth_set_verify_ext(lua_State *L)
 * Context metamethods.
 */
 static luaL_Reg meta[] = {
  {"__close",    meth_destroy},
  {"__gc",       meth_destroy},
  {"__tostring", meth_tostring},
  {NULL, NULL}
@ -777,8 +1079,10 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
 */
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
+  luaL_newmetatable(L, "SSL:DH:Registry");        /* Keep all DH callbacks   */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
+  luaL_newmetatable(L, "SSL:ALPN:Registry");      /* Keep all ALPN callbacks */
  luaL_newmetatable(L, "SSL:PSK:Registry");       /* Keep all PSK callbacks */
  luaL_newmetatable(L, "SSL:Verify:Registry");    /* Keep all verify flags   */
  luaL_newmetatable(L, "SSL:Context");
  setfuncs(L, meta);
--- a/src/context.h
+++ b/src/context.h
@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2017 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
@ -24,6 +24,7 @@ typedef struct t_context_ {
  SSL_CTX *context;
  lua_State *L;
  DH *dh_param;
  void *alpn;
  int mode;
 } t_context;
 typedef t_context* p_context;
--- a/src/ec.c
+++ b/src/ec.c
@ -1,8 +1,15 @@
 /*--------------------------------------------------------------------------
 * LuaSec 1.3.2
 *
 * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
 #include <openssl/objects.h>
 #include "ec.h"
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
 {
@ -56,25 +63,24 @@ void lsec_load_curves(lua_State *L)
        lua_pushnumber(L, curves[i].nid);
        lua_rawset(L, -3);
        break;
 #ifdef NID_X25519
     case NID_X25519:
        lua_pushstring(L, "X25519");
        lua_pushnumber(L, curves[i].nid);
        lua_rawset(L, -3);
        break;
 #endif
 #ifdef NID_X448
     case NID_X448:
        lua_pushstring(L, "X448");
        lua_pushnumber(L, curves[i].nid);
        lua_rawset(L, -3);
        break;
 #endif
      }
    }
    free(curves);
  }
  /* These are special so are manually added here */
 #ifdef NID_X25519
  lua_pushstring(L, "X25519");
  lua_pushnumber(L, NID_X25519);
  lua_rawset(L, -3);
 #endif
 #ifdef NID_X448
  lua_pushstring(L, "X448");
  lua_pushnumber(L, NID_X448);
  lua_rawset(L, -3);
 #endif
  lua_rawset(L,  LUA_REGISTRYINDEX);
 }
--- a/src/ec.h
+++ b/src/ec.h
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
@ -10,7 +10,7 @@
 #include <lua.h>
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
 #include <openssl/ec.h>
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);
--- a/src/https.lua
+++ b/src/https.lua
@ -1,6 +1,7 @@
 ----------------------------------------------------------------------------
-- LuaSec 0.7
+-- LuaSec 1.3.2
-- Copyright (C) 2009-2018 PUC-Rio
+--
 -- Copyright (C) 2009-2023 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@ -18,15 +19,16 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "0.7",
+  _VERSION   = "1.3.2",
-  _COPYRIGHT = "LuaSec 0.7 - Copyright (C) 2009-2018 PUC-Rio",
+  _COPYRIGHT = "LuaSec 1.3.2 - Copyright (C) 2009-2023 PUC-Rio",
  PORT       = 443,
  TIMEOUT    = 60
 }
 -- TLS configuration
 local cfg = {
  protocol = "any",
-  options  = {"all", "no_sslv2", "no_sslv3"},
+  options  = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
  verify   = "none",
 }
@ -83,15 +85,16 @@ local function tcp(params)
      conn.sock = try(socket.tcp())
      local st = getmetatable(conn.sock).__index.settimeout
      function conn:settimeout(...)
-         return st(self.sock, ...)
+         return st(self.sock, _M.TIMEOUT)
      end
      -- Replace TCP's connection function
      function conn:connect(host, port)
         try(self.sock:connect(host, port))
         self.sock = try(ssl.wrap(self.sock, params))
         self.sock:sni(host)
         self.sock:settimeout(_M.TIMEOUT)
         try(self.sock:dohandshake())
-         reg(self, getmetatable(self.sock))
+         reg(self)
         return 1
      end
      return conn
@ -139,5 +142,6 @@ end
 --
 _M.request = request
 _M.tcp = tcp
 return _M
--- a/src/luasocket/buffer.c
+++ b/src/luasocket/buffer.c
@ -78,9 +78,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
    const char *data = luaL_checklstring(L, 2, &size);
    long start = (long) luaL_optnumber(L, 3, 1);
    long end = (long) luaL_optnumber(L, 4, -1);
-#ifdef LUASOCKET_DEBUG
+    timeout_markstart(buf->tm);
    p_timeout tm = timeout_markstart(buf->tm);
 #endif
    if (start < 0) start = (long) (size+start+1);
    if (end < 0) end = (long) (size+end+1);
    if (start < 1) start = (long) 1;
@ -98,7 +96,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
    }
 #ifdef LUASOCKET_DEBUG
    /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
    return lua_gettop(L) - top;
 }
@ -107,13 +105,17 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
 * object:receive() interface
 \*-------------------------------------------------------------------------*/
 int buffer_meth_receive(lua_State *L, p_buffer buf) {
    int err = IO_DONE, top = lua_gettop(L);
    luaL_Buffer b;
    size_t size;
-    const char *part = luaL_optlstring(L, 3, "", &size);
+    const char *part;
-#ifdef LUASOCKET_DEBUG
+    int err = IO_DONE;
-    p_timeout tm = timeout_markstart(buf->tm);
+    int top = lua_gettop(L);
-#endif
+    if (top < 3) {
        lua_settop(L, 3);
        top = 3;
    }
    part = luaL_optlstring(L, 3, "", &size);
    timeout_markstart(buf->tm);
    /* initialize buffer with optional extra prefix 
     * (useful for concatenating previous partial results) */
    luaL_buffinit(L, &b);
@ -149,7 +151,7 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
    }
 #ifdef LUASOCKET_DEBUG
    /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
    return lua_gettop(L) - top;
 }
--- a/src/luasocket/usocket.c
+++ b/src/luasocket/usocket.c
@ -426,7 +426,9 @@ const char *socket_gaistrerror(int err) {
        case EAI_MEMORY: return "memory allocation failure";
        case EAI_NONAME: 
            return "host or service not provided, or not known";
 #ifdef EAI_OVERFLOW
        case EAI_OVERFLOW: return "argument buffer overflow";
 #endif
 #ifdef EAI_PROTOCOL
        case EAI_PROTOCOL: return "resolved protocol is unknown";
 #endif
--- a/src/options.c
+++ b/src/options.c
@ -0,0 +1,185 @@
 /*--------------------------------------------------------------------------
 * LuaSec 1.3.2
 *
 * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
 #include <openssl/ssl.h>
 #include "options.h"
 /* If you need to generate these options again, see options.lua */
 /* 
  OpenSSL version: OpenSSL 3.0.8
 */
 static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_ALL)
  {"all", SSL_OP_ALL},
 #endif
 #if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
  {"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_ALLOW_NO_DHE_KEX)
  {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
 #endif
 #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
 #endif
 #if defined(SSL_OP_CISCO_ANYCONNECT)
  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
 #endif
 #if defined(SSL_OP_CLEANSE_PLAINTEXT)
  {"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
 #endif
 #if defined(SSL_OP_COOKIE_EXCHANGE)
  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
 #endif
 #if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
 #endif
 #if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
  {"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
 #endif
 #if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
 #endif
 #if defined(SSL_OP_ENABLE_KTLS)
  {"enable_ktls", SSL_OP_ENABLE_KTLS},
 #endif
 #if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
  {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
 #endif
 #if defined(SSL_OP_EPHEMERAL_RSA)
  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
 #endif
 #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
  {"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
 #endif
 #if defined(SSL_OP_LEGACY_SERVER_CONNECT)
  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
 #endif
 #if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
 #endif
 #if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
 #endif
 #if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
 #endif
 #if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
 #endif
 #if defined(SSL_OP_NO_ANTI_REPLAY)
  {"no_anti_replay", SSL_OP_NO_ANTI_REPLAY},
 #endif
 #if defined(SSL_OP_NO_COMPRESSION)
  {"no_compression", SSL_OP_NO_COMPRESSION},
 #endif
 #if defined(SSL_OP_NO_DTLS_MASK)
  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
 #endif
 #if defined(SSL_OP_NO_DTLSv1)
  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
 #endif
 #if defined(SSL_OP_NO_DTLSv1_2)
  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
 #endif
 #if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
 #endif
 #if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
  {"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
 #endif
 #if defined(SSL_OP_NO_QUERY_MTU)
  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif
 #if defined(SSL_OP_NO_RENEGOTIATION)
  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_NO_SSL_MASK)
  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
 #endif
 #if defined(SSL_OP_NO_SSLv2)
  {"no_sslv2", SSL_OP_NO_SSLv2},
 #endif
 #if defined(SSL_OP_NO_SSLv3)
  {"no_sslv3", SSL_OP_NO_SSLv3},
 #endif
 #if defined(SSL_OP_NO_TICKET)
  {"no_ticket", SSL_OP_NO_TICKET},
 #endif
 #if defined(SSL_OP_NO_TLSv1)
  {"no_tlsv1", SSL_OP_NO_TLSv1},
 #endif
 #if defined(SSL_OP_NO_TLSv1_1)
  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
 #endif
 #if defined(SSL_OP_NO_TLSv1_3)
  {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
 #endif
 #if defined(SSL_OP_PKCS1_CHECK_1)
  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
 #endif
 #if defined(SSL_OP_PKCS1_CHECK_2)
  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
 #endif
 #if defined(SSL_OP_PRIORITIZE_CHACHA)
  {"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA},
 #endif
 #if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
 #endif
 #if defined(SSL_OP_SINGLE_DH_USE)
  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
 #endif
 #if defined(SSL_OP_SINGLE_ECDH_USE)
  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
 #endif
 #if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
 #endif
 #if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
 #endif
 #if defined(SSL_OP_TLSEXT_PADDING)
  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
 #endif
 #if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
 #endif
 #if defined(SSL_OP_TLS_D5_BUG)
  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
 #endif
 #if defined(SSL_OP_TLS_ROLLBACK_BUG)
  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
 #endif
  {NULL, 0L}
 };
 LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
  return ssl_options;
 }
--- a/src/options.h
+++ b/src/options.h
@ -2,155 +2,21 @@
 #define LSEC_OPTIONS_H
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
-#include <openssl/ssl.h>
+#include "compat.h"
-/* If you need to generate these options again, see options.lua */
+struct lsec_ssl_option_s {
 /* 
  OpenSSL version: OpenSSL 1.1.0h
 */
 struct ssl_option_s {
  const char *name;
  unsigned long code;
 };
 typedef struct ssl_option_s ssl_option_t;
-static ssl_option_t ssl_options[] = {
+typedef struct lsec_ssl_option_s lsec_ssl_option_t;
-#if defined(SSL_OP_ALL)
+
-  {"all", SSL_OP_ALL},
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options();
 #endif
 #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
 #endif
 #if defined(SSL_OP_CISCO_ANYCONNECT)
  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
 #endif
 #if defined(SSL_OP_COOKIE_EXCHANGE)
  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
 #endif
 #if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
 #endif
 #if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
 #endif
 #if defined(SSL_OP_EPHEMERAL_RSA)
  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
 #endif
 #if defined(SSL_OP_LEGACY_SERVER_CONNECT)
  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
 #endif
 #if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
 #endif
 #if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
 #endif
 #if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
 #endif
 #if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
 #endif
 #if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
 #endif
 #if defined(SSL_OP_NO_COMPRESSION)
  {"no_compression", SSL_OP_NO_COMPRESSION},
 #endif
 #if defined(SSL_OP_NO_DTLS_MASK)
  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
 #endif
 #if defined(SSL_OP_NO_DTLSv1)
  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
 #endif
 #if defined(SSL_OP_NO_DTLSv1_2)
  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
 #endif
 #if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
 #endif
 #if defined(SSL_OP_NO_QUERY_MTU)
  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif
 #if defined(SSL_OP_NO_RENEGOTIATION)
  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
 #endif
 #if defined(SSL_OP_NO_SSL_MASK)
  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
 #endif
 #if defined(SSL_OP_NO_SSLv2)
  {"no_sslv2", SSL_OP_NO_SSLv2},
 #endif
 #if defined(SSL_OP_NO_SSLv3)
  {"no_sslv3", SSL_OP_NO_SSLv3},
 #endif
 #if defined(SSL_OP_NO_TICKET)
  {"no_ticket", SSL_OP_NO_TICKET},
 #endif
 #if defined(SSL_OP_NO_TLSv1)
  {"no_tlsv1", SSL_OP_NO_TLSv1},
 #endif
 #if defined(SSL_OP_NO_TLSv1_1)
  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
 #endif
 #if defined(SSL_OP_PKCS1_CHECK_1)
  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
 #endif
 #if defined(SSL_OP_PKCS1_CHECK_2)
  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
 #endif
 #if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
 #endif
 #if defined(SSL_OP_SINGLE_DH_USE)
  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
 #endif
 #if defined(SSL_OP_SINGLE_ECDH_USE)
  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
 #endif
 #if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
 #endif
 #if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
 #endif
 #if defined(SSL_OP_TLSEXT_PADDING)
  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
 #endif
 #if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
 #endif
 #if defined(SSL_OP_TLS_D5_BUG)
  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
 #endif
 #if defined(SSL_OP_TLS_ROLLBACK_BUG)
  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
 #endif
  {NULL, 0L}
 };
 #endif
--- a/src/options.lua
+++ b/src/options.lua
@ -1,10 +1,10 @@
 local function usage()
  print("Usage:")
  print("* Generate options of your system:")
-  print("  lua options.lua -g /path/to/ssl.h [version] > options.h")
+  print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
  print("* Examples:")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
  print("* List options of your system:")
  print("  lua options.lua -l /path/to/ssl.h\n")
@ -17,34 +17,28 @@ end
 local function generate(options, version)
  print([[
 #ifndef LSEC_OPTIONS_H
 #define LSEC_OPTIONS_H
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
 #include <openssl/ssl.h>
 #include "options.h"
 /* If you need to generate these options again, see options.lua */
 ]])
  printf([[
 /* 
  OpenSSL version: %s
 */
 ]], version)
  print([[
 struct ssl_option_s {
  const char *name;
  unsigned long code;
 };
 typedef struct ssl_option_s ssl_option_t;
 ]])
-  print([[static ssl_option_t ssl_options[] = {]])
+  print([[static lsec_ssl_option_t ssl_options[] = {]])
  for k, option in ipairs(options) do
    local name = string.lower(string.sub(option, 8))
@ -56,7 +50,9 @@ typedef struct ssl_option_s ssl_option_t;
  print([[
 };
-#endif
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
  return ssl_options;
 }
 ]])
 end
@ -64,9 +60,12 @@ local function loadoptions(file)
  local options = {}
  local f = assert(io.open(file, "r"))
  for line in f:lines() do
-    local op = string.match(line, "define%s+(SSL_OP_%S+)")
+    local op = string.match(line, "define%s+(SSL_OP_BIT%()")
-    if op then
+    if not op then
-      table.insert(options, op)
+      op = string.match(line, "define%s+(SSL_OP_%S+)")
      if op then
        table.insert(options, op)
      end
    end
  end
  table.sort(options, function(a,b) return a<b end)
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
- *                         Matthew Wild.
+ * Copyright (C) 2006-2023 Bruno Silvestre
 * Copyright (C) 2006-2018 Bruno Silvestre.
 *
 *--------------------------------------------------------------------------*/
@ -11,13 +10,14 @@
 #include <string.h>
 #if defined(WIN32)
-#include <Winsock2.h>
+#include <winsock2.h>
 #endif
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/err.h>
 #include <openssl/dh.h>
 #include <lua.h>
 #include <lauxlib.h>
@ -32,7 +32,7 @@
 #include "ssl.h"
-#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER<0x10100000L
+#ifndef LSEC_API_OPENSSL_1_1_0
 #define SSL_is_server(s) (s->server)
 #define SSL_up_ref(ssl)  CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL)
 #define X509_up_ref(c)   CRYPTO_add(&c->references, 1, CRYPTO_LOCK_X509)
@ -47,6 +47,11 @@ static int lsec_socket_error()
 #if defined(WIN32)
  return WSAGetLastError();
 #else
 #if defined(LSEC_OPENSSL_ERRNO_BUG)
  // Bug in OpenSSL
  if (errno == 0)
    return LSEC_IO_SSL;
 #endif
  return errno;
 #endif
 }
@ -302,9 +307,7 @@ static int meth_create(lua_State *L)
  SSL_set_fd(ssl->ssl, (int)SOCKET_INVALID);
  SSL_set_mode(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | 
    SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #if defined(SSL_MODE_RELEASE_BUFFERS)
  SSL_set_mode(ssl->ssl, SSL_MODE_RELEASE_BUFFERS);
 #endif
  if (mode == LSEC_MODE_SERVER)
    SSL_set_accept_state(ssl->ssl);
  else
@ -382,8 +385,19 @@ static int meth_setfd(lua_State *L)
 */
 static int meth_handshake(lua_State *L)
 {
  int err;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  int err = handshake(ssl);
+  p_context ctx = (p_context)SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl->ssl));
  ctx->L = L;
  err = handshake(ssl);
  if (ctx->dh_param) {
    DH_free(ctx->dh_param);
    ctx->dh_param = NULL;
  }
  if (ctx->alpn) {
    free(ctx->alpn);
    ctx->alpn = NULL;
  }
  if (err == IO_DONE) {
    lua_pushboolean(L, 1);
    return 1;
@ -515,6 +529,58 @@ static int meth_getpeercertificate(lua_State *L)
  return 1;
 }
 /**
 * Return the nth certificate of the chain sent to our peer.
 */
 static int meth_getlocalcertificate(lua_State *L)
 {
  int n;
  X509 *cert;
  STACK_OF(X509) *certs;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  if (ssl->state != LSEC_STATE_CONNECTED) {
    lua_pushnil(L);
    lua_pushstring(L, "closed");
    return 2;
  }
  /* Default to the first cert */
  n = (int)luaL_optinteger(L, 2, 1);
  /* This function is 1-based, but OpenSSL is 0-based */
  --n;
  if (n < 0) {
    lua_pushnil(L);
    lua_pushliteral(L, "invalid certificate index");
    return 2;
  }
  if (n == 0) {
    cert = SSL_get_certificate(ssl->ssl);
    if (cert)
      lsec_pushx509(L, cert);
    else
      lua_pushnil(L);
    return 1;
  }
  /* In a server-context, the stack doesn't contain the peer cert,
   * so adjust accordingly.
   */
  if (SSL_is_server(ssl->ssl))
    --n;
  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
    lua_pushnil(L);
  } else {
    if (n >= sk_X509_num(certs)) {
      lua_pushnil(L);
      return 1;
    }
    cert = sk_X509_value(certs, n);
    /* Increment the reference counting of the object. */
    /* See SSL_get_peer_certificate() source code.     */
    X509_up_ref(cert);
    lsec_pushx509(L, cert);
  }
  return 1;
 }
 /**
 * Return the chain of certificate of the peer.
 */
@ -549,6 +615,41 @@ static int meth_getpeerchain(lua_State *L)
  return 1;
 }
 /**
 * Return the chain of certificates sent to the peer.
 */
 static int meth_getlocalchain(lua_State *L)
 {
  int i;
  int idx = 1;
  int n_certs;
  X509 *cert;
  STACK_OF(X509) *certs;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  if (ssl->state != LSEC_STATE_CONNECTED) {
    lua_pushnil(L);
    lua_pushstring(L, "closed");
    return 2;
  }
  lua_newtable(L);
  if (SSL_is_server(ssl->ssl)) {
    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
    lua_rawseti(L, -2, idx++);
  }
  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
    n_certs = sk_X509_num(certs);
    for (i = 0; i < n_certs; i++) {
      cert = sk_X509_value(certs, i);
      /* Increment the reference counting of the object. */
      /* See SSL_get_peer_certificate() source code.     */
      X509_up_ref(cert);
      lsec_pushx509(L, cert);
      lua_rawseti(L, -2, idx++);
    }
  }
  return 1;
 }
 /**
 * Copy the table src to the table dst.
 */
@ -656,6 +757,41 @@ static int meth_getpeerfinished(lua_State *L)
  return 1;
 }
 /**
 * Get some shared keying material
 */
 static int meth_exportkeyingmaterial(lua_State *L)
 {
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  if(ssl->state != LSEC_STATE_CONNECTED) {
    lua_pushnil(L);
    lua_pushstring(L, "closed");
    return 0;
  }
  size_t llen = 0;
  size_t contextlen = 0;
  const unsigned char *context = NULL;
  const char *label = (const char*)luaL_checklstring(L, 2, &llen);
  size_t olen = (size_t)luaL_checkinteger(L, 3);
  if (!lua_isnoneornil(L, 4))
    context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
  /* Temporary buffer memory-managed by Lua itself */
  unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
  if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
    lua_pushnil(L);
    lua_pushstring(L, "error exporting keying material");
    return 2;
  }
  lua_pushlstring(L, (char*)out, olen);
  return 1;
 }
 /**
 * Object information -- tostring metamethod
 */
@ -732,6 +868,8 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
  lua_pop(L, 4);
  /* Found, use this context */
  if (newctx) {
    p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
    pctx->L = L;
    SSL_set_SSL_CTX(ssl, newctx);
    return SSL_TLSEXT_ERR_OK;
  }
@ -794,9 +932,22 @@ static int meth_getsniname(lua_State *L)
  return 1;
 }
 static int meth_getalpn(lua_State *L)
 {
  unsigned len;
  const unsigned char *data;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  SSL_get0_alpn_selected(ssl->ssl, &data, &len);
  if (data == NULL && len == 0)
    lua_pushnil(L);
  else
    lua_pushlstring(L, (const char*)data, len);
  return 1;
 }
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 0.7 - Copyright (C) 2006-2018 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.3.2 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                    "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@ -804,6 +955,34 @@ static int meth_copyright(lua_State *L)
  return 1;
 }
 #if defined(LSEC_ENABLE_DANE)
 static int meth_dane(lua_State *L)
 {
  int ret;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  ret = SSL_dane_enable(ssl->ssl, luaL_checkstring(L, 2));
  lua_pushboolean(L, (ret > 0));
  return 1;
 }
 static int meth_tlsa(lua_State *L)
 {
  int ret;
  size_t len;
  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
  uint8_t usage = (uint8_t)luaL_checkinteger(L, 2);
  uint8_t selector = (uint8_t)luaL_checkinteger(L, 3);
  uint8_t mtype = (uint8_t)luaL_checkinteger(L, 4);
  unsigned char *data = (unsigned char*)luaL_checklstring(L, 5, &len);
  ERR_clear_error();
  ret = SSL_dane_tlsa_add(ssl->ssl, usage, selector, mtype, data, len);
  lua_pushboolean(L, (ret > 0));
  return 1;
 }
 #endif
 /*---------------------------------------------------------------------------*/
 /**
@ -811,12 +990,16 @@ static int meth_copyright(lua_State *L)
 */
 static luaL_Reg methods[] = {
  {"close",               meth_close},
  {"getalpn",             meth_getalpn},
  {"getfd",               meth_getfd},
  {"getfinished",         meth_getfinished},
  {"getpeercertificate",  meth_getpeercertificate},
  {"getlocalcertificate", meth_getlocalcertificate},
  {"getpeerchain",        meth_getpeerchain},
  {"getlocalchain",       meth_getlocalchain},
  {"getpeerverification", meth_getpeerverification},
  {"getpeerfinished",     meth_getpeerfinished},
  {"exportkeyingmaterial",meth_exportkeyingmaterial},
  {"getsniname",          meth_getsniname},
  {"getstats",            meth_getstats},
  {"setstats",            meth_setstats},
@ -827,6 +1010,10 @@ static luaL_Reg methods[] = {
  {"settimeout",          meth_settimeout},
  {"sni",                 meth_sni},
  {"want",                meth_want},
 #if defined(LSEC_ENABLE_DANE)
  {"setdane",             meth_dane},
  {"settlsa",             meth_tlsa},
 #endif
  {NULL,                  NULL}
 };
@ -834,6 +1021,7 @@ static luaL_Reg methods[] = {
 * SSL metamethods.
 */
 static luaL_Reg meta[] = {
  {"__close",    meth_destroy},
  {"__gc",       meth_destroy},
  {"__tostring", meth_tostring},
  {NULL, NULL}
@ -857,6 +1045,7 @@ static luaL_Reg funcs[] = {
 */
 LSEC_API int luaopen_ssl_core(lua_State *L)
 {
 #ifndef LSEC_API_OPENSSL_1_1_0
  /* Initialize SSL */
  if (!SSL_library_init()) {
    lua_pushstring(L, "unable to initialize SSL library");
@ -864,6 +1053,7 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
  }
  OpenSSL_add_all_algorithms();
  SSL_load_error_strings();
 #endif
 #if defined(WITH_LUASOCKET)
  /* Initialize internal library */
@ -882,7 +1072,7 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
  luaL_newlib(L, funcs);
  lua_pushstring(L, "SOCKET_INVALID");
-  lua_pushnumber(L, SOCKET_INVALID);
+  lua_pushinteger(L, SOCKET_INVALID);
  lua_rawset(L, -3);
  return 1;
--- a/src/ssl.h
+++ b/src/ssl.h
@ -2,9 +2,9 @@
 #define LSEC_SSL_H
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
--- a/src/ssl.lua
+++ b/src/ssl.lua
@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
-- LuaSec 0.7
+-- LuaSec 1.3.2
 --
-- Copyright (C) 2006-2018 Bruno Silvestre
+-- Copyright (C) 2006-2023 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
@ -30,6 +30,39 @@ local function optexec(func, param, ctx)
  return true
 end
 --
 -- Convert an array of strings to wire-format
 --
 local function array2wireformat(array)
   local str = ""
   for k, v in ipairs(array) do
      if type(v) ~= "string" then return nil end
      local len = #v
      if len == 0 then
        return nil, "invalid ALPN name (empty string)"
      elseif len > 255 then
        return nil, "invalid ALPN name (length > 255)"
      end
      str = str .. string.char(len) .. v
   end
   if str == "" then return nil, "invalid ALPN list (empty)" end
   return str
 end
 --
 -- Convert wire-string format to array
 --
 local function wireformat2array(str)
   local i = 1
   local array = {}
   while i < #str do
      local len = str:byte(i)
      array[#array + 1] = str:sub(i + 1, i + len)
      i = i + len + 1
   end
   return array
 end
 --
 --
 --
@ -41,25 +74,33 @@ local function newcontext(cfg)
   -- Mode
   succ, msg = context.setmode(ctx, cfg.mode)
   if not succ then return nil, msg end
-   -- Load the key
+   local certificates = cfg.certificates
-   if cfg.key then
+   if not certificates then
-      if cfg.password and
+      certificates = {
-         type(cfg.password) ~= "function" and
+         { certificate = cfg.certificate, key = cfg.key, password = cfg.password }
-         type(cfg.password) ~= "string"
+      }
      then
         return nil, "invalid password type"
      end
      succ, msg = context.loadkey(ctx, cfg.key, cfg.password)
      if not succ then return nil, msg end
   end
-   -- Load the certificate
+   for _, certificate in ipairs(certificates) do
-   if cfg.certificate then
+      -- Load the key
-     succ, msg = context.loadcert(ctx, cfg.certificate)
+      if certificate.key then
-     if not succ then return nil, msg end
+         if certificate.password and
-     if cfg.key and context.checkkey then
+            type(certificate.password) ~= "function" and
-       succ = context.checkkey(ctx)
+            type(certificate.password) ~= "string"
-       if not succ then return nil, "private key does not match public key" end
+         then
-     end
+            return nil, "invalid password type"
         end
         succ, msg = context.loadkey(ctx, certificate.key, certificate.password)
         if not succ then return nil, msg end
      end
      -- Load the certificate(s)
      if certificate.certificate then
        succ, msg = context.loadcert(ctx, certificate.certificate)
        if not succ then return nil, msg end
        if certificate.key and context.checkkey then
          succ = context.checkkey(ctx)
          if not succ then return nil, "private key does not match public key" end
        end
      end
   end
   -- Load the CA certificates
   if cfg.cafile or cfg.capath then
@ -71,7 +112,12 @@ local function newcontext(cfg)
      succ, msg = context.setcipher(ctx, cfg.ciphers)
      if not succ then return nil, msg end
   end
-   -- Set the verification options
+   -- Set SSL cipher suites
   if cfg.ciphersuites then
      succ, msg = context.setciphersuites(ctx, cfg.ciphersuites)
      if not succ then return nil, msg end
   end
    -- Set the verification options
   succ, msg = optexec(context.setverify, cfg.verify, ctx)
   if not succ then return nil, msg end
   -- Set SSL options
@ -113,6 +159,83 @@ local function newcontext(cfg)
      if not succ then return nil, msg end
   end
   -- ALPN
   if cfg.mode == "server" and cfg.alpn then
      if type(cfg.alpn) == "function" then
         local alpncb = cfg.alpn
         -- This callback function has to return one value only
         succ, msg = context.setalpncb(ctx, function(str)
            local protocols = alpncb(wireformat2array(str))
            if type(protocols) == "string" then
               protocols = { protocols }
            elseif type(protocols) ~= "table" then
               return nil
            end
            return (array2wireformat(protocols))    -- use "()" to drop error message
         end)
         if not succ then return nil, msg end
      elseif type(cfg.alpn) == "table" then
         local protocols = cfg.alpn
         -- check if array is valid before use it
         succ, msg = array2wireformat(protocols)
         if not succ then return nil, msg end
         -- This callback function has to return one value only
         succ, msg = context.setalpncb(ctx, function()
            return (array2wireformat(protocols))    -- use "()" to drop error message
         end)
         if not succ then return nil, msg end
      else
         return nil, "invalid ALPN parameter"
      end
   elseif cfg.mode == "client" and cfg.alpn then
      local alpn
      if type(cfg.alpn) == "string" then
         alpn, msg = array2wireformat({ cfg.alpn })
      elseif type(cfg.alpn) == "table" then
         alpn, msg = array2wireformat(cfg.alpn)
      else
         return nil, "invalid ALPN parameter"
      end
      if not alpn then return nil, msg end
      succ, msg = context.setalpn(ctx, alpn)
      if not succ then return nil, msg end
   end
   -- PSK
   if config.capabilities.psk and cfg.psk then
      if cfg.mode == "client" then
         if type(cfg.psk) ~= "function" then
            return nil, "invalid PSK configuration"
         end
         succ = context.setclientpskcb(ctx, cfg.psk)
         if not succ then return nil, msg end
      elseif cfg.mode == "server" then
         if type(cfg.psk) == "function" then
            succ, msg = context.setserverpskcb(ctx, cfg.psk)
            if not succ then return nil, msg end
         elseif type(cfg.psk) == "table" then
            if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
               succ, msg = context.setpskhint(ctx, cfg.psk.hint)
               if not succ then return succ, msg end
               succ = context.setserverpskcb(ctx, cfg.psk.callback)
               if not succ then return succ, msg end
            else
               return nil, "invalid PSK configuration"
            end
         else
            return nil, "invalid PSK configuration"
         end
      end
   end
   if config.capabilities.dane and cfg.dane then
      if type(cfg.dane) == "table" then
         context.setdane(ctx, unpack(cfg.dane))
      else
         context.setdane(ctx)
      end
   end
   return ctx
 end
@ -179,8 +302,9 @@ core.setmethod("info", info)
 --
 local _M = {
-  _VERSION        = "0.7",
+  _VERSION        = "1.3.2",
  _COPYRIGHT      = core.copyright(),
  config          = config,
  loadcertificate = x509.load,
  newcontext      = newcontext,
  wrap            = wrap,
--- a/src/x509.c
+++ b/src/x509.c
@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
@ -33,16 +33,12 @@
 #include "x509.h"
-/*
+#ifndef LSEC_API_OPENSSL_1_1_0
- * ASN1_STRING_data is deprecated in OpenSSL 1.1.0
+#define X509_get0_notBefore   X509_get_notBefore
- */
+#define X509_get0_notAfter    X509_get_notAfter
-#if OPENSSL_VERSION_NUMBER>=0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+#define ASN1_STRING_get0_data ASN1_STRING_data
 #define LSEC_ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
 #else
 #define LSEC_ASN1_STRING_data(x) ASN1_STRING_data(x)
 #endif
 static const char* hex_tab = "0123456789abcdef";
 /**
@ -157,8 +153,7 @@ static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
  }
  switch (encode) {
  case LSEC_AI5_STRING:
-    lua_pushlstring(L, (char*)LSEC_ASN1_STRING_data(string),
+    lua_pushlstring(L, (char*)ASN1_STRING_get0_data(string), ASN1_STRING_length(string));
                       ASN1_STRING_length(string));
    break;
  case LSEC_UTF8_STRING:
    len = ASN1_STRING_to_UTF8(&data, string);
@ -174,7 +169,7 @@ static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode)
 /**
 * Return a human readable time.
 */
-static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm)
+static int push_asn1_time(lua_State *L, const ASN1_UTCTIME *tm)
 {
  char *tmp;
  long size;
@ -193,7 +188,7 @@ static void push_asn1_ip(lua_State *L, ASN1_STRING *string)
 {
  int af;
  char dst[INET6_ADDRSTRLEN];
-  unsigned char *ip = (unsigned char*)LSEC_ASN1_STRING_data(string);
+  unsigned char *ip = (unsigned char*)ASN1_STRING_get0_data(string);
  switch(ASN1_STRING_length(string)) {
  case 4:
    af = AF_INET;
@ -371,7 +366,9 @@ int meth_extensions(lua_State* L)
        /* not supported */
        break;
      }
      GENERAL_NAME_free(general_name);
    }
    sk_GENERAL_NAME_free(values);
    lua_pop(L, 1); /* ret[oid] */
    i++;           /* Next extension */
  }
@ -488,10 +485,13 @@ static int meth_digest(lua_State* L)
 */
 static int meth_valid_at(lua_State* L)
 {
  int nb, na;
  X509* cert = lsec_checkx509(L, 1);
  time_t time = luaL_checkinteger(L, 2);
-  lua_pushboolean(L, (X509_cmp_time(X509_get_notAfter(cert), &time)     >= 0
+  nb = X509_cmp_time(X509_get0_notBefore(cert), &time);
-                      && X509_cmp_time(X509_get_notBefore(cert), &time) <= 0));
+  time -= 1;
  na = X509_cmp_time(X509_get0_notAfter(cert),  &time);
  lua_pushboolean(L, nb == -1 && na == 1);
  return 1;
 }
@ -519,7 +519,7 @@ static int meth_serial(lua_State *L)
 static int meth_notbefore(lua_State *L)
 {
  X509* cert = lsec_checkx509(L, 1);
-  return push_asn1_time(L, X509_get_notBefore(cert));
+  return push_asn1_time(L, X509_get0_notBefore(cert));
 }
 /**
@ -528,7 +528,7 @@ static int meth_notbefore(lua_State *L)
 static int meth_notafter(lua_State *L)
 {
  X509* cert = lsec_checkx509(L, 1);
-  return push_asn1_time(L, X509_get_notAfter(cert));
+  return push_asn1_time(L, X509_get0_notAfter(cert));
 }
 /**
@ -621,7 +621,11 @@ cleanup:
 */
 static int meth_destroy(lua_State* L)
 {
-  X509_free(lsec_checkx509(L, 1));
+  p_x509 px = lsec_checkp_x509(L, 1);
  if (px->cert) {
    X509_free(px->cert);
    px->cert = NULL;
  }
  return 0;
 }
@ -651,6 +655,23 @@ static int meth_set_encode(lua_State* L)
  return 1;
 }
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 /**
 * Get signature name.
 */
 static int meth_get_signature_name(lua_State* L)
 {
  p_x509 px = lsec_checkp_x509(L, 1);
  int nid = X509_get_signature_nid(px->cert);
  const char *name = OBJ_nid2sn(nid);
  if (!name)
    lua_pushnil(L);
  else
    lua_pushstring(L, name);
  return 1;
 }
 #endif
 /*---------------------------------------------------------------------------*/
 static int load_cert(lua_State* L)
@ -679,6 +700,9 @@ static luaL_Reg methods[] = {
  {"digest",     meth_digest},
  {"setencode",  meth_set_encode},
  {"extensions", meth_extensions},
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
  {"getsignaturename", meth_get_signature_name},
 #endif
  {"issuer",     meth_issuer},
  {"notbefore",  meth_notbefore},
  {"notafter",   meth_notafter},
@ -695,6 +719,7 @@ static luaL_Reg methods[] = {
 * X509 metamethods.
 */
 static luaL_Reg meta[] = {
  {"__close",    meth_destroy},
  {"__gc",       meth_destroy},
  {"__tostring", meth_tostring},
  {NULL, NULL}
--- a/src/x509.h
+++ b/src/x509.h
@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 1.3.2
 *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2013-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
Author	SHA1	Message	Date
Bruno Silvestre	4c06287052	Release LuaSec 1.3.2	2023-08-31 17:09:53 -03:00
Bruno Silvestre	5f4799d8cf	reset block timeout at send or receive Addressing #159 and #160	2023-08-31 10:51:50 -03:00
Bruno Silvestre	5787d51bb8	Merge pull request #197 from Zash/errno-bug-again Expand workaround for zero errno to OpenSSL 3.0.x	2023-07-12 21:41:40 -03:00
Kim Alvefur	a2b211f847	Expand workaround for zero errno to OpenSSL 3.0.x Encountered the bug in #172 after upgrading to OpenSSL 3.0.9, so it appears to still be present. Occurs when writing to a connection that has been closed by the remote.	2023-07-05 13:21:49 +02:00
Bruno Silvestre	769ac528e2	Merge pull request #196 from barracuda156/darwin usocket.c: place EAI_OVERFLOW inside macro, unbreak build on <10.7	2023-05-09 10:25:21 -03:00
Sergey Fedorov	0f0e07eb41	usocket.c: place EAI_OVERFLOW inside macro, unbreak build on <10.7	2023-04-09 20:20:36 +08:00
Bruno Silvestre	fddde111f7	Release 1.3.1	2023-03-19 11:55:08 -03:00
Bruno Silvestre	6405645155	Check if PSK is available	2023-03-19 11:48:56 -03:00
Bruno Silvestre	e01c6e63cd	Fix: check if PSK is available	2023-03-19 11:43:09 -03:00
Bruno Silvestre	c297c5204c	Update version number	2023-03-14 10:43:47 -03:00
Bruno Silvestre	e42bc358e2	Remove Windows libraries sufix	2023-03-14 10:42:51 -03:00
Bruno Silvestre	f72457bbf9	Remove Windows libraries sufix	2023-03-14 10:37:42 -03:00
Bruno Silvestre	361813c0da	Update options to OpenSSL 3.0.8	2023-03-14 09:36:06 -03:00
Bruno Silvestre	e53caaad73	Merge branch 'tls-psk' into dev	2023-02-20 09:57:04 -03:00
Bruno Silvestre	0e669f6c82	Add identity hint to PSK	2023-02-19 08:56:24 -03:00
Bruno Silvestre	c3f12b8c4d	Use lua_tolstring instead luaL_checklstring	2023-02-16 22:07:55 -03:00
Bruno Silvestre	38bb3edfb4	Fix checklstring, pop(3), identity_len	2023-02-16 11:27:52 -03:00
Bruno Silvestre	50431ed511	Fix identity indexing	2023-02-16 10:53:41 -03:00
Bruno Silvestre	b321ba8fab	Fix PSK samples	2023-02-16 10:52:05 -03:00
Bruno Silvestre	6708ccc381	Do not wrap the PSK callbacks	2023-02-16 10:37:59 -03:00
Bruno Silvestre	4f28db9f53	Format	2023-02-16 10:31:06 -03:00
Bruno Silvestre	dd8ba1fc92	Fix PSK client callback	2023-02-16 10:28:34 -03:00
Bruno Silvestre	9b09c93249	Return '0' from callback on size error	2023-02-16 10:13:54 -03:00
Bruno Silvestre	0f793b73c0	Format	2023-02-16 09:43:44 -03:00
Bruno Silvestre	7b60dc4794	Fix psk_len type, do not check string again	2023-02-16 09:41:35 -03:00
Bruno Silvestre	4f6aec07f6	Return the value from Lua's callback, fixes	2023-02-16 09:37:09 -03:00
Bruno Silvestre	c87fe7d5ea	Do not need two PSK registry	2023-02-16 09:33:29 -03:00
unknown	842380caf6	feat: tls-psk	2023-02-16 09:52:18 +09:00
Bruno Silvestre	b47bfff382	Some minor adjusts in parameters and script	2022-12-12 18:19:37 -03:00
Bruno Silvestre	480aef1626	Merge pull request #192 from mwild1/conn-local-cert-methods ssl: Add :getlocalchain() + :getlocalcertificate() to mirror peer methods	2022-10-06 16:48:57 -03:00
Matthew Wild	4cecbb2783	ssl: Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods These methods mirror the existing methods that fetch the peer certificate and chain. Due to various factors (SNI, multiple key types, etc.) it is not always trivial for an application to determine what certificate was presented to the client. However there are various use-cases where this is needed, such as tls-server-end-point channel binding and OCSP stapling. Requires OpenSSL 1.0.2+ (note: SSL_get_certificate() has existed for a very long time, but was lacking documentation until OpenSSL 3.0).	2022-09-21 18:40:10 +01:00
Bruno Silvestre	d9215ee00f	Update rockspec	2022-07-30 08:42:53 -03:00
Bruno Silvestre	03e03140cd	Update version number	2022-07-30 08:41:46 -03:00
Bruno Silvestre	8b3b2318d2	Merge pull request #188 from mckaygerhard/patch-1 backguard compat for openssl on providers, like LTS linuxes	2022-07-29 11:42:21 -03:00
Bruno Silvestre	2c248947df	Adjust some types and casts	2022-07-20 17:52:01 -03:00
Bruno Silvestre	f22b3ea609	Code format	2022-07-20 17:39:20 -03:00
Bruno Silvestre	c9539bca86	Fix variable shadowing	2022-07-20 17:36:27 -03:00
Bruno Silvestre	afb2d44b0e	Merge pull request #187 from Zash/exporter Add key material export method	2022-07-20 17:32:02 -03:00
Герхард PICCORO Lenz McKAY	f9afada3d1	backguard compat for openssl on providers, like LTS linuxes * The commit `de393417b7` introduces high dependency due raices requirement to openssl 1.1.0l+ * The X509_REQ_get0_signature(), X509_REQ_get_signature_nid(), X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were added in OpenSSL 1.1.0. * This patch makes luasec runs on all kind of embebed systems that cannot be upgraded due vendors limitations	2022-06-24 01:09:44 -04:00
Kim Alvefur	371abcf718	Add key material export method	2022-06-01 16:26:35 +02:00
Bruno Silvestre	df27c62f4c	Update source protocol on rockspec	2022-04-13 10:46:36 -03:00
Bruno Silvestre	09691fe782	Update rockspec	2022-04-13 10:38:18 -03:00
Bruno Silvestre	3a71559e13	Update version number	2022-04-13 10:35:06 -03:00
Bruno Silvestre	3f04fd7529	Removing useless code	2022-04-04 15:48:22 -03:00
Bruno Silvestre	d7161ca026	Merge pull request #179 from Zash/dane_no_hostname Support passing DANE flags	2022-01-05 09:35:10 -03:00
Kim Alvefur	65ee83275b	Support passing DANE flags The only flag at the moment is one that disables name checks, which is needed for certain protocols such as XMPP.	2022-01-01 19:42:09 +01:00
Bruno Silvestre	ef14b27a2c	Update CHANGELOG	2021-08-14 10:28:09 -03:00
Bruno Silvestre	316bea078c	Update version to LuaSec 1.0.2	2021-08-14 10:16:35 -03:00
Bruno Silvestre	79bbc0bc3e	Ignore SSL_OP_BIT(n) macro and update option.c #178	2021-08-02 17:02:44 -03:00
Bruno Silvestre	8cba350f37	Update the Lua state reference on the selected SSL context after SNI Thanks Kim Alvefur	2021-08-02 16:13:12 -03:00
Bruno Silvestre	eedebb2477	Merge pull request #176 from linusg/fix-method-name Fix meth_get_{sinagure => signature}_name function name	2021-07-14 13:05:09 -03:00
Linus Groh	c1e28e9132	Fix meth_get_{sinagure => signature}_name function name	2021-07-10 12:47:53 +01:00
Bruno Silvestre	cdcf5fdb30	Off by one in cert:validat(notafter) #173	2021-06-23 13:35:49 -03:00
Bruno Silvestre	bdbc67b188	Move the fix of SSL_get_error() in OpenSSL 1.1.1 Moving to lsec_socket_error() coverts better 'errno == 0' with SSL_ERROR_SYSCALL.	2021-05-29 10:11:02 -03:00
Bruno Silvestre	359151144b	Merge pull request #172 from edzius/master Handle SSL_send SYSCALL error without errno https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html	2021-05-29 09:38:29 -03:00
Edvinas Stunžėnas	d6b2fd7d35	Handle SSL_send SYSCALL error without errno Either intentionaly or due to bug in openssl in some marginal cases SSL_send reports SYSCALL error whilst errno is set to 0. This either could mean that SSL_send did not made any system call or errno were prematurely reset with consequent syscalls. And in consequence sendraw() is not propagate correct errno ends up in infinite loop trying to send same data. Such behaviour was usually observed after third consequential failed SSL send attempt which application was not aware of. First send failed with syscall errno 32 (Broken pipe) second one with SSL error 0x1409e10f (bad length) and lastly next send attemt results with SYSCALL error and errno 0. Tested using: * OpenSSL v1.1.1 * musl v1.1.20 (c50985d5c8e316c5c464f352e79eeebfed1121a9) * Linux 4.4.60+yocto armv7l	2021-05-21 21:20:19 +03:00
Bruno Silvestre	d5df315617	Update version and rockspec	2021-04-26 09:16:05 -03:00
Bruno Silvestre	34252fb10a	Set parameter 2 and 3 to none before luaL_buffinit()	2021-04-26 08:37:09 -03:00
Bruno Silvestre	711a98b760	Update rockspec	2021-01-30 10:32:28 -03:00
Bruno Silvestre	4894c2f6a4	Update version number	2021-01-30 10:29:53 -03:00
Bruno Silvestre	ae774258c5	Merge pull request #164 from murillopaula/master feature: getsignaturename	2021-01-16 10:13:29 -03:00
Murillo Paula	de393417b7	feature: getsignaturename	2021-01-12 10:49:27 -03:00
Bruno Silvestre	22eadbd20e	Merge pull request #156 from Petr-kk/upstream SOCKET_INVALID pushed as integer, not as number	2020-03-06 13:44:42 -03:00
Petr Kristan	63e35c161f	SOCKET_INVALID pushed as integer, not as number winsock define INVALID_SOCKET as (UINT_PTR)(~0) in win64 it is 0xffffffffffffffff if pushed by lua_pushnumber, then ssl.core.SOCKET_INVALID is 1.84467440737096E19 tested in win32/64, linux32/64 lua5.1 and lua5.3	2020-03-04 17:05:06 +01:00
Bruno Silvestre	c6704919bd	Typo	2019-10-31 11:43:53 -03:00
Bruno Silvestre	d7ccfad97f	Fix source in rockspec	2019-10-31 11:39:37 -03:00
Bruno Silvestre	43feb51c5e	Update 0.8 -> 0.9	2019-10-31 11:34:27 -03:00
Bruno Silvestre	860b2a8b5f	Use a more generic form	2019-10-19 10:22:21 -03:00
Bruno Silvestre	caeaa5ffda	Use a more generic form	2019-10-19 10:12:20 -03:00
Bruno Silvestre	9d84469912	Use a more generic form	2019-10-19 10:04:30 -03:00
Bruno Silvestre	87e51d99ea	Add __close metamethod	2019-10-15 13:25:12 -03:00
Bruno Silvestre	7898bd2043	Remove warning from cast.	2019-10-14 10:00:47 -03:00
Bruno Silvestre	c810df6839	Cleanup of #if expression	2019-10-13 22:21:05 -03:00
Bruno Silvestre	1e2f342006	Using same form to ifdefs	2019-10-13 22:11:55 -03:00
Bruno Silvestre	8ef33e33cf	Some adjusts to OpenSSL 1.1.1 with --api=1.1.0	2019-10-13 22:10:03 -03:00
Bruno Silvestre	3490d8d1c0	Merge pull request #126 from neheb/master Get rid of some deprecation warnings with OpenSSL 1.1	2019-10-13 19:42:19 -03:00
Bruno Silvestre	86c8fa40c9	Merge pull request #134 from neheb/patch-1 use $(CC) for LD definition.	2019-10-13 19:11:48 -03:00
Bruno Silvestre	4903e2f2c1	Export 'config' table (#149 ) Avoid duplicating variable 'ssl_options'.	2019-10-09 14:49:58 -03:00
Bruno Silvestre	2480572bdf	Merge pull request #147 from Zash/issue146 Special case listing of TLS 1.3 EC curves	2019-08-28 11:10:37 -03:00
Kim Alvefur	c26513f4f7	Special case listing of TLS 1.3 EC curves (fixes #146 )	2019-08-21 20:58:01 +02:00
Bruno Silvestre	f64e660de0	Disable DANE for LibreSSL	2019-07-11 11:19:21 -03:00
Bruno Silvestre	8722f83e8f	Fix check for error in DANE functions	2019-07-11 10:20:53 -03:00
Bruno Silvestre	a2dcfffcfa	Enable DANE only for OpenSSL 1.1.0 or higher	2019-07-11 10:09:39 -03:00
Bruno Silvestre	18fa0118be	Merge pull request #122 from Zash/dane DANE support	2019-07-11 09:50:25 -03:00
Bruno Silvestre	9f3a97e397	Merge pull request #144 from Zash/fix-general-name-leak Fix general_name leak in cert:extensions()	2019-07-11 09:42:23 -03:00
Kim Alvefur	daf728fec2	Fix general_name leak in cert:extensions() Thanks to @zeen for identifying and @horazont for providing test environment.	2019-07-07 23:03:54 +02:00
Bruno Silvestre	041a37874b	Inform OpenSSL 1.0.2 dependency	2019-04-22 10:31:32 -03:00
Bruno Silvestre	d6ba8d21da	Update version to 0.8, new rock file	2019-04-16 14:01:52 -03:00
Bruno Silvestre	f8b2968e79	Declare variable "key" before use it.	2019-04-16 10:48:15 -03:00
Rosen Penev	57f2f1363f	Replace LD with CCLD variable When cross compiling, the LD variable typically gets overriden.	2019-04-08 09:45:40 -07:00
Bruno Silvestre	1efa37087e	Add 'ciphersuites' property for TLS 1.3	2019-03-22 11:34:33 -03:00
Bruno Silvestre	1c9401ae54	README for samples updated	2019-02-26 16:06:17 -03:00
Bruno Silvestre	ea8ccc3113	Update sample of multiple certificates	2019-02-26 15:52:02 -03:00
Bruno Silvestre	c0cb85d77f	Do not create 'certificates' on 'cfg' if it does not exist	2019-02-26 15:49:51 -03:00
Bruno Silvestre	1c3bf23551	Merge pull request #133 from quickdudley/multi-certs Enable multiple SSL certificates	2019-02-26 14:42:47 -03:00
Bruno Silvestre	31237195a3	Fix invalid section	2019-02-26 13:37:12 -03:00
Jeremy List	c72dc02ecb	Sample for multiple certificates.	2019-02-26 10:52:53 +13:00
Jeremy List	143ccf1323	PR feedback (Data structure)	2019-02-26 10:51:44 +13:00
Bruno Silvestre	5e2b27fa71	Merge pull request #132 from ewestbrook/prc-expose-tcp Expose tcp() for use by LuaSocket	2019-02-25 15:25:20 -03:00
Jeremy List	ff868e4a06	Enable multiple SSL certificates (issue 27)	2019-02-22 13:42:44 +13:00
Bruno Silvestre	ef342a7cda	Merge pull request #125 from horazont/feature/fix-memleak Fix memory leak in meth_extensions	2019-01-10 10:03:25 -02:00
Bruno Silvestre	569d12dc64	Merge pull request #124 from horazont/feature/modernize-certs Modernize certificate generation	2019-01-10 10:02:22 -02:00
Rosen Penev	79c629956e	Get rid of some deprecation warnings with OpenSSL 1.1	2018-11-20 20:12:39 -08:00
Jonas Schäfer	81c38864d4	Fix memory leak in meth_extensions	2018-11-19 16:00:30 +01:00
Jonas Schäfer	0775d5744f	Make memory leak reproducible in loop sample	2018-11-19 16:00:20 +01:00
Jonas Schäfer	8bcabff0c1	Modernize certificate generation - Use 2048 bit keys (required for modern OpenSSL) - Use SHA256 instead of SHA1 (required for modern OpenSSL) - Add a SubjectAltName to be able to trigger certain edge-cases - Add all.sh to conveniently re-generate certificates	2018-11-19 15:56:42 +01:00
E. Westbrook	3f38f0929c	Expose src/https.lua:tcp() for use by e.g. luasocket redirects	2018-10-13 07:31:38 -06:00
Kim Alvefur	5ffe22e98e	Add sample DANE usage	2018-10-06 19:37:43 +02:00
Kim Alvefur	6359275c5f	Add support for setting DANE TLSA information	2018-09-29 21:38:18 +02:00
Bruno Silvestre	550777a9d6	Merge pull request #120 from narcistesa/update-tls-cfg Disable TLSv1 protocol by default in https module	2018-09-29 10:26:08 -03:00
Narcis Tesa	4c5996a499	Disable TLSv1 to fix received tlsv1 alert protocol version from errors with certain websites	2018-09-19 16:25:39 -04:00
Bruno Silvestre	421c897dd3	Support for TLS 1.3 from OpenSSL 1.1.1 Based on PR #97 from @wmark.	2018-09-12 19:08:19 -03:00
Bruno Silvestre	2ecf239cfe	Suppress warning with OpenSSL 1.1.0 and 1.1.1	2018-09-12 18:43:44 -03:00
Bruno Silvestre	113331fa0c	Assuming that TLS 1.1 and TLS 1.2 are available	2018-09-12 18:27:43 -03:00
Bruno Silvestre	8440bc3d59	Assuming curves list is available if EC is available	2018-09-12 18:26:19 -03:00
Bruno Silvestre	5ece6049e5	Fix constant: OPENSS_NO_ECDH -> OPENSSL_NO_EC	2018-09-12 18:24:12 -03:00
Bruno Silvestre	9883782102	Fix constant: OPENSS_NO_ECDH -> OPENSSL_NO_EC	2018-09-12 18:17:19 -03:00
Bruno Silvestre	661d08e5f3	Removing OpenSSL 0.9.8 code	2018-09-12 18:08:19 -03:00
Bruno Silvestre	5514c4a06e	Assuming that TLS 1.1 and TLS 1.2 are available Fix some #if's also.	2018-09-12 18:03:37 -03:00
Bruno Silvestre	f42c171d55	This mode is available in new versions of OpenSSL, no more check	2018-09-12 17:45:13 -03:00
Bruno Silvestre	706e0f0281	New version of LibreSSL already implement these functions	2018-09-12 17:41:03 -03:00
Bruno Silvestre	d4ea2d12f3	Update reference to Lua state prior to handshake The Lua thread that creates the context is saved to be used for accessing callback related data. However that thread may become garbage and its memory could be overwritten with anything if the handshake happens later, in a different thread. Fixes #75 Thanks @Zash	2018-09-10 10:49:18 -03:00
Bruno Silvestre	dea60edf4f	Add ALPN support based on PR #64 from xnyhps	2018-08-27 15:10:18 -03:00
Bruno Silvestre	fdb2fa5f59	Let the library choose the min and max versions Some protocols can be disable with 'options'.	2018-07-26 11:25:57 -03:00
Bruno Silvestre	93e0e8cc64	Force a cipher that use DH parameter	2018-07-26 11:22:24 -03:00
Bruno Silvestre	d9d0cd620d	Free DH parameter right after handshake	2018-07-26 11:21:54 -03:00
Bruno Silvestre	953a363a59	Add timeout to https module Glocal attribute https.TIMEOUT controls connection tiemout. Sample: https.TIMEOUT = 5 -- seconds https.request()	2018-07-02 10:40:14 -03:00
Bruno Silvestre	28e247dbc5	Removing deprecated methods to select the protocol Using TLS_method(), SSL_set_min_proto_version() and SSL_set_max_proto_version().	2018-07-02 10:31:45 -03:00
Bruno Silvestre	89bdc6148c	Removing SSLv3 support	2018-06-29 14:06:51 -03:00
Bruno Silvestre	8212b89f1a	Using 'const SSL_METHOD*' This change was introduced in OpenSSL 1.0.0. Start droping 0.9.8 code.	2018-06-29 14:02:39 -03:00
Bruno Silvestre	879ba6d4f9	Merge pull request #116 from hishamhm/cross-windows Use lowercase Windows header name	2018-06-29 13:49:01 -03:00
Hisham Muhammad	4d10a5a0c0	Use lowercase Windows header name This is necessary for cross-compilation of Windows binaries on non-Windows platforms (and harmless for Windows).	2018-06-29 10:21:22 -03:00
`@ -1,3 +1,3 @@`
	`#!/bin/sh`	`#!/usr/bin/env sh`

	`openssl genrsa -des3 -out key.pem -passout pass:foobar 2048`	`openssl genrsa -des3 -out key.pem -passout pass:foobar 2048`