Release LuaSec 0.7.2

Avoid duplicating variable 'ssl_options'.

CHANGELOG

@@ -1,16 +1,16 @@
 --------------------------------------------------------------------------------
-LuaSec 0.8
+LuaSec 0.7.2
 ---------------
 This version includes:
 
-* Add support to ALPN
+* Fix unexported 'ssl.config' table
-* Add support to TLS 1.3
+
-* Add support to multiple certificates
+--------------------------------------------------------------------------------
-* Add timeout to https module (https.TIMEOUT)
+LuaSec 0.7.1
-* Drop support to SSL 3.0
+---------------
-* Drop support to TLS 1.0 from https module
+This version includes:
-* Fix invalid reference to Lua state
+
-* Fix memory leak when get certficate extensions
+* Fix general_name leak in cert:extensions()
 
 --------------------------------------------------------------------------------
 LuaSec 0.7

INSTALL

@@ -1,14 +1,14 @@
-LuaSec 0.8
+LuaSec 0.7.2
 ------------
 
 * OpenSSL options:
 
-    By default, LuaSec 0.8 includes options for OpenSSL 1.1.0g.
+    By default, this version includes options for OpenSSL 1.1.1.
 
     If you need to generate the options for a different version of OpenSSL:
 
       $ cd src
-      $ lua options.lua -g /usr/include/openssl/ssl.h > options.h
+      $ lua options.lua -g /usr/include/openssl/ssl.h > options.c
 
 --------------------------------------------------------------------------------
 

LICENSE

@@ -1,4 +1,4 @@
-LuaSec 0.8 license
+LuaSec 0.7.2 license
 Copyright (C) 2006-2019 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining

README.md

@@ -1,9 +1,6 @@
-LuaSec 0.8
+LuaSec 0.7.2
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
 
-Important: This version requires at least OpenSSL 1.0.2.
-           For old versions of OpenSSL, use LuaSec 0.7.
-
 Documentation: https://github.com/brunoos/luasec/wiki

luasec-0.7.2-1.rockspec

@@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "0.8-1"
+version = "0.7.2-1"
 source = {
-   url = "https://github.com/brunoos/luasec/archive/luasec-0.8.tar.gz",
+   url = "https://github.com/brunoos/luasec/archive/luasec-0.7.2.tar.gz",
-   dir = "luasec-luasec-0.8"
+   dir = "luasec-luasec-0.7.2"
 }
 description = {
    summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@@ -58,7 +58,7 @@ build = {
                   "ssl", "crypto"
                },
                sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                   "src/x509.c", "src/context.c", "src/ssl.c", 
                   "src/luasocket/buffer.c", "src/luasocket/io.c",
                   "src/luasocket/timeout.c", "src/luasocket/usocket.c"
@@ -93,7 +93,7 @@ build = {
                   "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
                },
                sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                   "src/x509.c", "src/context.c", "src/ssl.c", 
                   "src/luasocket/buffer.c", "src/luasocket/io.c",
                   "src/luasocket/timeout.c", "src/luasocket/wsocket.c"

luasec.vcxproj

@@ -107,6 +107,7 @@
     <ClCompile Include="src\luasocket\io.c" />
     <ClCompile Include="src\luasocket\timeout.c" />
     <ClCompile Include="src\luasocket\wsocket.c" />
+    <ClCompile Include="src\options.c" />
     <ClCompile Include="src\ssl.c" />
     <ClCompile Include="src\x509.c" />
   </ItemGroup>
@@ -127,4 +128,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

samples/README

@@ -1,8 +1,5 @@
 Directories: 
 ------------
-* alpn
- Test ALPN (Application-Layer Protocol Negotiation) support.
-
 * certs
  Contains scripts to generate the certificates used by the examples.
  Generate Root CA 'A' and 'B' first, then the servers and clients.
@@ -10,9 +7,6 @@ Directories:
 * chain
  Example of certificate chain in handshake.
 
-* curve-negotiation
- Elliptic curve negotiation.
-
 * dhparam
  DH parameters for handshake.
 
@@ -36,29 +30,20 @@ Directories:
  Same of above,  but the connection is not  explicit closed, the gabage
  collector is encharge of that.
 
-* luaossl
- Integration with luaossl.
-
-* multicert
- Support to multiple certificate for dual RSA/ECDSA.
-
 * oneshot
  A simple connection example.
 
-* sni
- Support to SNI (Server Name Indication).
-
 * verification
  Retrieve the certificate verification errors from the handshake.
 
 * verify
  Ignore handshake errors and proceed.
 
-* want
- Test want() method.
-
 * wantread
  Test timeout in handshake() and receive().
 
 * wantwrite
  Test timeout in send().
+
+* want
+ Test want() method.

samples/alpn/client.lua

@@ -1,27 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local params = {
-   mode = "client",
-   protocol = "tlsv1_2",
-   key = "../certs/clientAkey.pem",
-   certificate = "../certs/clientA.pem",
-   cafile = "../certs/rootA.pem",
-   verify = {"peer", "fail_if_no_peer_cert"},
-   options = "all",
-   --alpn = {"foo","bar","baz"}
-   alpn = "foo"
-}
-
-local peer = socket.tcp()
-peer:connect("127.0.0.1", 8888)
-
-peer = assert( ssl.wrap(peer, params) )
-assert(peer:dohandshake())
-
-print("ALPN", peer:getalpn())
-
-peer:close()

samples/alpn/server.lua

@@ -1,77 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
---
--- Callback that selects one protocol from client's list.
---
-local function alpncb01(protocols)
-   print("--- ALPN protocols from client")
-   for k, v in ipairs(protocols) do
-      print(k, v)
-   end
-   print("--- Selecting:", protocols[1])
-   return protocols[1]
-end
-
---
--- Callback that returns a fixed list, ignoring the client's list.
---
-local function alpncb02(protocols)
-   print("--- ALPN protocols from client")
-   for k, v in ipairs(protocols) do
-      print(k, v)
-   end
-   print("--- Returning a fixed list") 
-   return {"bar", "foo"}
-end
-
---
--- Callback that generates a list as it whishes.
---
-local function alpncb03(protocols)
-   local resp = {}
-   print("--- ALPN protocols from client")
-   for k, v in ipairs(protocols) do
-      print(k, v)
-      if k%2 ~= 0 then resp[#resp+1] = v end
-   end
-   print("--- Returning an odd list")
-   return resp
-end
-
-
-local params = {
-   mode = "server",
-   protocol = "any",
-   key = "../certs/serverAkey.pem",
-   certificate = "../certs/serverA.pem",
-   cafile = "../certs/rootA.pem",
-   verify = {"peer", "fail_if_no_peer_cert"},
-   options = "all",
-   --alpn = alpncb01,
-   --alpn = alpncb02,
-   --alpn = alpncb03,
-   alpn = {"bar", "baz", "foo"},
-}
-
-
--- [[ SSL context
-local ctx = assert(ssl.newcontext(params))
---]]
-
-local server = socket.tcp()
-server:setoption('reuseaddr', true)
-assert( server:bind("127.0.0.1", 8888) )
-server:listen()
-
-local peer = server:accept()
-peer = assert( ssl.wrap(peer, ctx) )
-assert( peer:dohandshake() )
-
-print("ALPN", peer:getalpn())
-
-peer:close()
-server:close()

samples/certs/all.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-./rootA.sh
-./rootB.sh
-./clientA.sh
-./clientB.sh
-./serverA.sh
-./serverB.sh

samples/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

samples/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

samples/certs/rootA.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/serverA.cnf

@@ -118,7 +118,7 @@ x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 # so use this option with caution!
 string_mask = nombstr
 
-# req_extensions = v3_ext # The extensions to add to a certificate request
+# req_extensions = v3_req # The extensions to add to a certificate request
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
-subjectAltName=DNS:foo.bar.example
+# subjectAltName=email:move
 
 # Copy subject details
 # issuerAltName=issuer:copy

samples/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

samples/certs/serverB.cnf

@@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-subjectAltName=DNS:fnord.bar.example
+# subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move

samples/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

samples/dhparam/client.lua

@@ -6,13 +6,12 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "any",
+   protocol = "tlsv1_2",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    options = "all",
-   ciphers = "EDH+AESGCM"
 }
 
 local peer = socket.tcp()

samples/dhparam/server.lua

@@ -38,7 +38,6 @@ local params = {
    verify = {"peer", "fail_if_no_peer_cert"},
    options = "all",
    dhparam = dhparam_cb,
-   ciphers = "EDH+AESGCM"
 }
 
 

samples/loop/client.lua

@@ -23,8 +23,6 @@ while true do
    assert( peer:dohandshake() )
    --]]
 
-   peer:getpeercertificate():extensions()
-
    print(peer:receive("*l"))
    peer:close()
 end

samples/multicert/client-ecdsa.lua

@@ -1,29 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local params = {
-   mode        = "client",
-   protocol    = "tlsv1_2",
-   key         = "certs/clientECDSAkey.pem",
-   certificate = "certs/clientECDSA.pem",
-   verify      = "none",
-   options     = "all",
-   ciphers     = "ALL:!aRSA"
-}
-
-local peer = socket.tcp()
-peer:connect("127.0.0.1", 8888)
-
--- [[ SSL wrapper
-peer = assert( ssl.wrap(peer, params) )
-assert(peer:dohandshake())
---]]
-
-local i = peer:info()
-for k, v in pairs(i) do print(k, v) end
-
-print(peer:receive("*l"))
-peer:close()

samples/multicert/client-rsa.lua

@@ -1,29 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local params = {
-   mode        = "client",
-   protocol    = "tlsv1_2",
-   key         = "certs/clientRSAkey.pem",
-   certificate = "certs/clientRSA.pem",
-   verify      = "none",
-   options     = "all",
-   ciphers     = "ALL:!ECDSA"
-}
-
-local peer = socket.tcp()
-peer:connect("127.0.0.1", 8888)
-
--- [[ SSL wrapper
-peer = assert( ssl.wrap(peer, params) )
-assert(peer:dohandshake())
---]]
-
-local i = peer:info()
-for k, v in pairs(i) do print(k, v) end
-
-print(peer:receive("*l"))
-peer:close()

samples/multicert/gencerts.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-
-mkdir -p certs
-
-openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
-openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
-
-openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
-openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
-
-openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
-
-openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch

samples/multicert/server.lua

@@ -1,38 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-local params = {
-   mode         = "server",
-   protocol     = "any",
-   certificates = { 
-      -- Comment line below and 'client-rsa' stop working
-      { certificate = "certs/serverRSA.pem",   key = "certs/serverRSAkey.pem"   },
-      -- Comment line below and 'client-ecdsa' stop working
-      { certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
-   },
-   verify  = "none",
-   options = "all"
-}
-
-
--- [[ SSL context
-local ctx = assert(ssl.newcontext(params))
---]]
-
-local server = socket.tcp()
-server:setoption('reuseaddr', true)
-assert( server:bind("127.0.0.1", 8888) )
-server:listen()
-
-local peer = server:accept()
-
--- [[ SSL wrapper
-peer = assert( ssl.wrap(peer, ctx) )
-assert( peer:dohandshake() )
---]]
-
-peer:send("oneshot test\n")
-peer:close()

src/Makefile

@@ -2,6 +2,7 @@ CMOD=ssl.so
 LMOD=ssl.lua
 
 OBJS= \
+ options.o \
  x509.o    \
  context.o \
  ssl.o     \
@@ -57,6 +58,7 @@ clean:
 	cd luasocket && $(MAKE) clean
 	rm -f $(OBJS) $(CMOD)
 
+options.o: options.h options.c
 ec.o: ec.c ec.h
 x509.o: x509.c x509.h compat.h
 context.o: context.c context.h ec.h compat.h

src/compat.h

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *

src/config.c

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre.
  *
@@ -14,14 +14,14 @@
  */
 LSEC_API int luaopen_ssl_config(lua_State *L)
 {
-  ssl_option_t *opt;
+  lsec_ssl_option_t *opt;
 
   lua_newtable(L);
 
   // Options
   lua_pushstring(L, "options");
   lua_newtable(L);
-  for (opt = ssl_options; opt->name; opt++) {
+  for (opt = lsec_get_ssl_options(); opt->name; opt++) {
     lua_pushstring(L, opt->name);
     lua_pushboolean(L, 1);
     lua_rawset(L, -3);
@@ -32,21 +32,22 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushstring(L, "protocols");
   lua_newtable(L);
 
+#ifndef OPENSSL_NO_SSL3
+  lua_pushstring(L, "sslv3");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
   lua_pushstring(L, "tlsv1");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
+#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   lua_pushstring(L, "tlsv1_1");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
   lua_pushstring(L, "tlsv1_2");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#if defined(TLS1_3_VERSION)
-  lua_pushstring(L, "tlsv1_3");
-  lua_pushboolean(L, 1);
-  lua_rawset(L, -3);
 #endif
-
   lua_rawset(L, -3);
 
   // Algorithms
@@ -69,18 +70,17 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushstring(L, "capabilities");
   lua_newtable(L);
 
-  // ALPN
-  lua_pushstring(L, "alpn");
-  lua_pushboolean(L, 1);
-  lua_rawset(L, -3);
-
 #ifndef OPENSSL_NO_EC
+#if defined(SSL_CTRL_SET_ECDH_AUTO) || defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list)
   lua_pushstring(L, "curves_list");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
+#ifdef SSL_CTRL_SET_ECDH_AUTO
   lua_pushstring(L, "ecdh_auto");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
+#endif
+#endif
 #endif
   lua_rawset(L, -3);
 

src/context.c

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
@@ -29,6 +29,12 @@
 #include "ec.h"
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+typedef const SSL_METHOD LSEC_SSL_METHOD;
+#else
+typedef       SSL_METHOD LSEC_SSL_METHOD;
+#endif
+
 /*--------------------------- Auxiliary Functions ----------------------------*/
 
 /**
@@ -49,8 +55,8 @@ static p_context testctx(lua_State *L, int idx)
  */
 static int set_option_flag(const char *opt, unsigned long *flag)
 {
-  ssl_option_t *p;
+  lsec_ssl_option_t *p;
-  for (p = ssl_options; p->name; p++) {
+  for (p = lsec_get_ssl_options(); p->name; p++) {
     if (!strcmp(opt, p->name)) {
       *flag |= p->code;
       return 1;
@@ -59,59 +65,23 @@ static int set_option_flag(const char *opt, unsigned long *flag)
   return 0;
 }
 
-#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /**
  * Find the protocol.
  */
-static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
+static LSEC_SSL_METHOD* str2method(const char *method)
 {
-  (void)vmin;
-  (void)vmax;
   if (!strcmp(method, "any"))     return SSLv23_method();
   if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
+#ifndef OPENSSL_NO_SSL3
+  if (!strcmp(method, "sslv3"))   return SSLv3_method();
+#endif
   if (!strcmp(method, "tlsv1"))   return TLSv1_method();
+#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
   if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
-  return NULL;
-}
-
-#else
-
-/**
- * Find the protocol.
- */
-static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
-{
-  if (!strcmp(method, "any") || !strcmp(method, "sslv23")) { // 'sslv23' is deprecated
-    *vmin = 0;
-    *vmax = 0;
-    return TLS_method();
-  }
-  else if (!strcmp(method, "tlsv1")) {
-    *vmin = TLS1_VERSION;
-    *vmax = TLS1_VERSION;
-    return TLS_method();
-  }
-  else if (!strcmp(method, "tlsv1_1")) {
-    *vmin = TLS1_1_VERSION;
-    *vmax = TLS1_1_VERSION;
-    return TLS_method();
-  }
-  else if (!strcmp(method, "tlsv1_2")) {
-    *vmin = TLS1_2_VERSION;
-    *vmax = TLS1_2_VERSION;
-    return TLS_method();
-  }
-#if defined(TLS1_3_VERSION)
-  else if (!strcmp(method, "tlsv1_3")) {
-    *vmin = TLS1_3_VERSION;
-    *vmax = TLS1_3_VERSION;
-    return TLS_method();
-  }
 #endif
   return NULL;
 }
-#endif
 
 /**
  * Prepare the SSL handshake verify flag.
@@ -198,6 +168,7 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
 {
   BIO *bio;
   lua_State *L;
+  DH *dh_tmp = NULL;
   SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
   p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
 
@@ -218,15 +189,24 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
     lua_pop(L, 2);  /* Remove values from stack */
     return NULL;
   }
-
+  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
-  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), lua_rawlen(L, -1));
+    lua_rawlen(L, -1));
   if (bio) {
-    pctx->dh_param = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
   }
 
+  /*
+   * OpenSSL exepcts the callback to maintain a reference to the DH*.  So,
+   * cache it here, and clean up the previous set of parameters.  Any remaining
+   * set is cleaned up when destroying the LuaSec context.
+   */
+  if (pctx->dh_param)
+    DH_free(pctx->dh_param);
+  pctx->dh_param = dh_tmp;
+
   lua_pop(L, 2);    /* Remove values from stack */
-  return pctx->dh_param;
+  return dh_tmp;
 }
 
 /**
@@ -307,11 +287,10 @@ static int create(lua_State *L)
 {
   p_context ctx;
   const char *str_method;
-  const SSL_METHOD *method;
+  LSEC_SSL_METHOD *method;
-  int vmin, vmax;
 
   str_method = luaL_checkstring(L, 1);
-  method = str2method(str_method, &vmin, &vmax);
+  method = str2method(str_method);
   if (!method) {
     lua_pushnil(L);
     lua_pushfstring(L, "invalid protocol (%s)", str_method);
@@ -331,10 +310,6 @@ static int create(lua_State *L)
       ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
-#if ! ((defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
-  SSL_CTX_set_min_proto_version(ctx->context, vmin);
-  SSL_CTX_set_max_proto_version(ctx->context, vmax);
-#endif
   ctx->mode = LSEC_MODE_INVALID;
   ctx->L = L;
   luaL_getmetatable(L, "SSL:Context");
@@ -436,31 +411,14 @@ static int set_cipher(lua_State *L)
   const char *list = luaL_checkstring(L, 2);
   if (SSL_CTX_set_cipher_list(ctx, list) != 1) {
     lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
+    lua_pushfstring(L, "error setting cipher list (%s)",
+      ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
   lua_pushboolean(L, 1);
   return 1;
 }
 
-/**
- * Set the cipher suites.
- */
-static int set_ciphersuites(lua_State *L)
-{
-#if defined(TLS1_3_VERSION)
-  SSL_CTX *ctx = lsec_checkcontext(L, 1);
-  const char *list = luaL_checkstring(L, 2);
-  if (SSL_CTX_set_ciphersuites(ctx, list) != 1) {
-    lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
-    return 2;
-  }
-#endif
-  lua_pushboolean(L, 1);
-  return 1;
-}
-
 /**
  * Set the depth for certificate checking.
  */
@@ -509,6 +467,12 @@ static int set_options(lua_State *L)
   if (max > 1) {
     for (i = 2; i <= max; i++) {
       str = luaL_checkstring(L, i);
+#if !defined(SSL_OP_NO_COMPRESSION) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+      /* Version 0.9.8 has a different way to disable compression */
+      if (!strcmp(str, "no_compression"))
+        ctx->comp_methods = NULL;
+      else
+#endif
       if (!set_option_flag(str, &flag)) {
         lua_pushboolean(L, 0);
         lua_pushfstring(L, "invalid option (%s)", str);
@@ -567,13 +531,12 @@ static int set_dhparam(lua_State *L)
 static int set_curve(lua_State *L)
 {
   long ret;
-  EC_KEY *key = NULL;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   const char *str = luaL_checkstring(L, 2);
 
   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
 
-  key = lsec_find_ec_key(L, str);
+  EC_KEY *key = lsec_find_ec_key(L, str);
 
   if (!key) {
     lua_pushboolean(L, 0);
@@ -595,7 +558,9 @@ static int set_curve(lua_State *L)
   lua_pushboolean(L, 1);
   return 1;
 }
+#endif
 
+#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
 /**
  * Set elliptic curves list.
  */
@@ -612,119 +577,36 @@ static int set_curves_list(lua_State *L)
     return 2;
   }
 
-  (void)SSL_CTX_set_ecdh_auto(ctx, 1);
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+  SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif
 
   lua_pushboolean(L, 1);
   return 1;
 }
 #endif
 
-/**
- * Set the protocols a client should send for ALPN.
- */
-static int set_alpn(lua_State *L)
-{
-  long ret;
-  size_t len;
-  p_context ctx = checkctx(L, 1);
-  const char *str = luaL_checklstring(L, 2, &len);
-
-  ret = SSL_CTX_set_alpn_protos(ctx->context, (const unsigned char*)str, len);
-  if (ret) {
-    lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting ALPN (%s)", ERR_reason_error_string(ERR_get_error()));
-    return 2;
-  }
-  lua_pushboolean(L, 1);
-  return 1;
-}
-
-/**
- * This standard callback calls the server's callback in Lua sapce.
- * The server has to return a list in wire-format strings.
- * This function uses a helper function to match server and client lists.
- */
-static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
-                   const unsigned char *in, unsigned int inlen, void *arg)
-{
-  int ret;
-  size_t server_len;
-  const char *server;
-  p_context ctx = (p_context)arg;
-  lua_State *L = ctx->L;
-
-  luaL_getmetatable(L, "SSL:ALPN:Registry");
-  lua_pushlightuserdata(L, (void*)ctx->context);
-  lua_gettable(L, -2);
-
-  lua_pushlstring(L, (const char*)in, inlen);
-
-  lua_call(L, 1, 1);
-
-  if (!lua_isstring(L, -1)) {
-    lua_pop(L, 2);
-    return SSL_TLSEXT_ERR_NOACK;
-  }
-
-  // Protocol list from server in wire-format string
-  server = luaL_checklstring(L, -1, &server_len);
-  ret  = SSL_select_next_proto((unsigned char**)out, outlen, (const unsigned char*)server,
-                               server_len, in, inlen);
-  if (ret != OPENSSL_NPN_NEGOTIATED) {
-    lua_pop(L, 2);
-    return SSL_TLSEXT_ERR_NOACK;
-  } 
-
-  // Copy the result because lua_pop() can collect the pointer
-  ctx->alpn = malloc(*outlen);
-  memcpy(ctx->alpn, (void*)*out, *outlen);
-  *out = (const unsigned char*)ctx->alpn;
-
-  lua_pop(L, 2);
-
-  return SSL_TLSEXT_ERR_OK;
-}
-
-/**
- * Set a callback a server can use to select the next protocol with ALPN.
- */
-static int set_alpn_cb(lua_State *L)
-{
-  p_context ctx = checkctx(L, 1);
-
-  luaL_getmetatable(L, "SSL:ALPN:Registry");
-  lua_pushlightuserdata(L, (void*)ctx->context);
-  lua_pushvalue(L, 2);
-  lua_settable(L, -3);
-
-  SSL_CTX_set_alpn_select_cb(ctx->context, alpn_cb, ctx);
-
-  lua_pushboolean(L, 1);
-  return 1;
-}
-
-
 /**
  * Package functions
  */
 static luaL_Reg funcs[] = {
-  {"create",          create},
+  {"create",       create},
-  {"locations",       load_locations},
+  {"locations",    load_locations},
-  {"loadcert",        load_cert},
+  {"loadcert",     load_cert},
-  {"loadkey",         load_key},
+  {"loadkey",      load_key},
-  {"checkkey",        check_key},
+  {"checkkey",     check_key},
-  {"setalpn",         set_alpn},
+  {"setcipher",    set_cipher},
-  {"setalpncb",       set_alpn_cb},
+  {"setdepth",     set_depth},
-  {"setcipher",       set_cipher},
+  {"setdhparam",   set_dhparam},
-  {"setciphersuites", set_ciphersuites},
+  {"setverify",    set_verify},
-  {"setdepth",        set_depth},
+  {"setoptions",   set_options},
-  {"setdhparam",      set_dhparam},
+  {"setmode",      set_mode},
-  {"setverify",       set_verify},
-  {"setoptions",      set_options},
-  {"setmode",         set_mode},
 
 #if !defined(OPENSSL_NO_EC)
-  {"setcurve",      set_curve},
+  {"setcurve",     set_curve},
+#endif
+
+#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
   {"setcurveslist", set_curves_list},
 #endif
 
@@ -749,14 +631,15 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
-    luaL_getmetatable(L, "SSL:ALPN:Registry");
-    lua_pushlightuserdata(L, (void*)ctx->context);
-    lua_pushnil(L);
-    lua_settable(L, -3);
 
     SSL_CTX_free(ctx->context);
     ctx->context = NULL;
   }
+  if (ctx->dh_param) {
+    DH_free(ctx->dh_param);
+    ctx->dh_param = NULL;
+  }
+
   return 0;
 }
 
@@ -894,9 +777,8 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
  */
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks   */
+  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
-  luaL_newmetatable(L, "SSL:ALPN:Registry");    /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags   */
   luaL_newmetatable(L, "SSL:Context");
   setfuncs(L, meta);
 

src/context.h

@@ -2,7 +2,7 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *
@@ -24,7 +24,6 @@ typedef struct t_context_ {
   SSL_CTX *context;
   lua_State *L;
   DH *dh_param;
-  void *alpn;
   int mode;
 } t_context;
 typedef t_context* p_context;

src/ec.c

@@ -2,7 +2,7 @@
 
 #include "ec.h"
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
 {

src/ec.h

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *
@@ -10,7 +10,7 @@
 
 #include <lua.h>
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 #include <openssl/ec.h>
 
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);

src/https.lua

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
--- LuaSec 0.8
+-- LuaSec 0.7.2
 -- Copyright (C) 2009-2019 PUC-Rio
 --
 -- Author: Pablo Musa
@@ -18,16 +18,15 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "0.8",
+  _VERSION   = "0.7.2",
-  _COPYRIGHT = "LuaSec 0.8 - Copyright (C) 2009-2019 PUC-Rio",
+  _COPYRIGHT = "LuaSec 0.7.2 - Copyright (C) 2009-2019 PUC-Rio",
   PORT       = 443,
-  TIMEOUT    = 60
 }
 
 -- TLS configuration
 local cfg = {
   protocol = "any",
-  options  = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  options  = {"all", "no_sslv2", "no_sslv3"},
   verify   = "none",
 }
 
@@ -84,14 +83,13 @@ local function tcp(params)
       conn.sock = try(socket.tcp())
       local st = getmetatable(conn.sock).__index.settimeout
       function conn:settimeout(...)
-         return st(self.sock, _M.TIMEOUT)
+         return st(self.sock, ...)
       end
       -- Replace TCP's connection function
       function conn:connect(host, port)
          try(self.sock:connect(host, port))
          self.sock = try(ssl.wrap(self.sock, params))
          self.sock:sni(host)
-         self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
          reg(self, getmetatable(self.sock))
          return 1
@@ -141,6 +139,5 @@ end
 --
 
 _M.request = request
-_M.tcp = tcp
 
 return _M

src/options.c

@@ -0,0 +1,167 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 0.7.2
+ *
+ * Copyright (C) 2006-2019 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include <openssl/ssl.h>
+
+#include "options.h"
+
+/* If you need to generate these options again, see options.lua */
+
+
+/* 
+  OpenSSL version: OpenSSL 1.1.1
+*/
+
+static lsec_ssl_option_t ssl_options[] = {
+#if defined(SSL_OP_ALL)
+  {"all", SSL_OP_ALL},
+#endif
+#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
+  {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
+#endif
+#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
+  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
+#endif
+#if defined(SSL_OP_CISCO_ANYCONNECT)
+  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
+#endif
+#if defined(SSL_OP_COOKIE_EXCHANGE)
+  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
+#endif
+#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
+  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
+#endif
+#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
+#endif
+#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
+  {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
+#endif
+#if defined(SSL_OP_EPHEMERAL_RSA)
+  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
+#endif
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
+#endif
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
+#endif
+#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
+  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
+#endif
+#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
+  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
+#endif
+#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
+  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
+  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
+  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
+  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NO_ANTI_REPLAY)
+  {"no_anti_replay", SSL_OP_NO_ANTI_REPLAY},
+#endif
+#if defined(SSL_OP_NO_COMPRESSION)
+  {"no_compression", SSL_OP_NO_COMPRESSION},
+#endif
+#if defined(SSL_OP_NO_DTLS_MASK)
+  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
+#endif
+#if defined(SSL_OP_NO_DTLSv1)
+  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
+#endif
+#if defined(SSL_OP_NO_DTLSv1_2)
+  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
+#endif
+#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
+  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
+#endif
+#if defined(SSL_OP_NO_QUERY_MTU)
+  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
+#endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
+  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SSL_MASK)
+  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
+#endif
+#if defined(SSL_OP_NO_SSLv2)
+  {"no_sslv2", SSL_OP_NO_SSLv2},
+#endif
+#if defined(SSL_OP_NO_SSLv3)
+  {"no_sslv3", SSL_OP_NO_SSLv3},
+#endif
+#if defined(SSL_OP_NO_TICKET)
+  {"no_ticket", SSL_OP_NO_TICKET},
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+  {"no_tlsv1", SSL_OP_NO_TLSv1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+  {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_1)
+  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_2)
+  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
+#endif
+#if defined(SSL_OP_PRIORITIZE_CHACHA)
+  {"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA},
+#endif
+#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
+#endif
+#if defined(SSL_OP_SINGLE_DH_USE)
+  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
+#endif
+#if defined(SSL_OP_SINGLE_ECDH_USE)
+  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
+#endif
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
+  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
+#endif
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
+  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
+#endif
+#if defined(SSL_OP_TLSEXT_PADDING)
+  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
+#endif
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
+  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
+#endif
+#if defined(SSL_OP_TLS_D5_BUG)
+  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
+#endif
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
+  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
+#endif
+  {NULL, 0L}
+};
+
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
+

src/options.h

@@ -2,170 +2,21 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
-#include <openssl/ssl.h>
+#include "compat.h"
 
-/* If you need to generate these options again, see options.lua */
+struct lsec_ssl_option_s {
-
-/* 
-  OpenSSL version: OpenSSL 1.1.1b
-*/
-
-struct ssl_option_s {
   const char *name;
   unsigned long code;
 };
-typedef struct ssl_option_s ssl_option_t;
 
-static ssl_option_t ssl_options[] = {
+typedef struct lsec_ssl_option_s lsec_ssl_option_t;
-#if defined(SSL_OP_ALL)
+
-  {"all", SSL_OP_ALL},
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options();
-#endif
-#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
-  {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
-#endif
-#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
-  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
-#endif
-#if defined(SSL_OP_CISCO_ANYCONNECT)
-  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
-#endif
-#if defined(SSL_OP_COOKIE_EXCHANGE)
-  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
-#endif
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
-#endif
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
-#endif
-#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
-  {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
-#endif
-#if defined(SSL_OP_EPHEMERAL_RSA)
-  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
-#endif
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
-  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
-#endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
-#endif
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
-  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
-#endif
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
-  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
-#endif
-#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
-  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
-  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
-  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NO_ANTI_REPLAY)
-  {"no_anti_replay", SSL_OP_NO_ANTI_REPLAY},
-#endif
-#if defined(SSL_OP_NO_COMPRESSION)
-  {"no_compression", SSL_OP_NO_COMPRESSION},
-#endif
-#if defined(SSL_OP_NO_DTLS_MASK)
-  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
-#endif
-#if defined(SSL_OP_NO_DTLSv1)
-  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
-#endif
-#if defined(SSL_OP_NO_DTLSv1_2)
-  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
-#endif
-#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
-  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
-#endif
-#if defined(SSL_OP_NO_QUERY_MTU)
-  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
-#endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
-  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
-  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_NO_SSL_MASK)
-  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
-#endif
-#if defined(SSL_OP_NO_SSLv2)
-  {"no_sslv2", SSL_OP_NO_SSLv2},
-#endif
-#if defined(SSL_OP_NO_SSLv3)
-  {"no_sslv3", SSL_OP_NO_SSLv3},
-#endif
-#if defined(SSL_OP_NO_TICKET)
-  {"no_ticket", SSL_OP_NO_TICKET},
-#endif
-#if defined(SSL_OP_NO_TLSv1)
-  {"no_tlsv1", SSL_OP_NO_TLSv1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_1)
-  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_2)
-  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
-#endif
-#if defined(SSL_OP_NO_TLSv1_3)
-  {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_1)
-  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_2)
-  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
-#endif
-#if defined(SSL_OP_PRIORITIZE_CHACHA)
-  {"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA},
-#endif
-#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
-#endif
-#if defined(SSL_OP_SINGLE_DH_USE)
-  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
-#endif
-#if defined(SSL_OP_SINGLE_ECDH_USE)
-  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
-#endif
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
-  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
-#endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
-#endif
-#if defined(SSL_OP_TLSEXT_PADDING)
-  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
-#endif
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
-  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
-#endif
-#if defined(SSL_OP_TLS_D5_BUG)
-  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
-#endif
-#if defined(SSL_OP_TLS_ROLLBACK_BUG)
-  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
-#endif
-  {NULL, 0L}
-};
 
 #endif
-

src/options.lua

@@ -1,10 +1,10 @@
 local function usage()
   print("Usage:")
   print("* Generate options of your system:")
-  print("  lua options.lua -g /path/to/ssl.h [version] > options.h")
+  print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -17,11 +17,8 @@ end
 
 local function generate(options, version)
   print([[
-#ifndef LSEC_OPTIONS_H
-#define LSEC_OPTIONS_H
-
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *
@@ -29,22 +26,19 @@ local function generate(options, version)
 
 #include <openssl/ssl.h>
 
+#include "options.h"
+
 /* If you need to generate these options again, see options.lua */
+
 ]])
+
   printf([[
 /* 
   OpenSSL version: %s
 */
 ]], version)
-  print([[
-struct ssl_option_s {
-  const char *name;
-  unsigned long code;
-};
-typedef struct ssl_option_s ssl_option_t;
-]])
 
-  print([[static ssl_option_t ssl_options[] = {]])
+  print([[static lsec_ssl_option_t ssl_options[] = {]])
 
   for k, option in ipairs(options) do
     local name = string.lower(string.sub(option, 8))
@@ -56,7 +50,9 @@ typedef struct ssl_option_s ssl_option_t;
   print([[
 };
 
-#endif
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
 ]])
 end
 

src/ssl.c

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
@@ -11,7 +11,7 @@
 #include <string.h>
 
 #if defined(WIN32)
-#include <winsock2.h>
+#include <Winsock2.h>
 #endif
 
 #include <openssl/ssl.h>
@@ -32,7 +32,7 @@
 #include "ssl.h"
 
 
-#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER<0x10100000L
 #define SSL_is_server(s) (s->server)
 #define SSL_up_ref(ssl)  CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL)
 #define X509_up_ref(c)   CRYPTO_add(&c->references, 1, CRYPTO_LOCK_X509)
@@ -302,7 +302,9 @@ static int meth_create(lua_State *L)
   SSL_set_fd(ssl->ssl, (int)SOCKET_INVALID);
   SSL_set_mode(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | 
     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+#if defined(SSL_MODE_RELEASE_BUFFERS)
   SSL_set_mode(ssl->ssl, SSL_MODE_RELEASE_BUFFERS);
+#endif
   if (mode == LSEC_MODE_SERVER)
     SSL_set_accept_state(ssl->ssl);
   else
@@ -380,19 +382,8 @@ static int meth_setfd(lua_State *L)
  */
 static int meth_handshake(lua_State *L)
 {
-  int err;
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  p_context ctx = (p_context)SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl->ssl));
+  int err = handshake(ssl);
-  ctx->L = L;
-  err = handshake(ssl);
-  if (ctx->dh_param) {
-    DH_free(ctx->dh_param);
-    ctx->dh_param = NULL;
-  }
-  if (ctx->alpn) {
-    free(ctx->alpn);
-    ctx->alpn = NULL;
-  }
   if (err == IO_DONE) {
     lua_pushboolean(L, 1);
     return 1;
@@ -803,22 +794,9 @@ static int meth_getsniname(lua_State *L)
   return 1;
 }
 
-static int meth_getalpn(lua_State *L)
-{
-  unsigned len;
-  const unsigned char *data;
-  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  SSL_get0_alpn_selected(ssl->ssl, &data, &len);
-  if (data == NULL && len == 0)
-    lua_pushnil(L);
-  else
-    lua_pushlstring(L, (const char*)data, len);
-  return 1;
-}
-
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 0.8 - Copyright (C) 2006-2019 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 0.7.2 - Copyright (C) 2006-2019 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -833,7 +811,6 @@ static int meth_copyright(lua_State *L)
  */
 static luaL_Reg methods[] = {
   {"close",               meth_close},
-  {"getalpn",             meth_getalpn},
   {"getfd",               meth_getfd},
   {"getfinished",         meth_getfinished},
   {"getpeercertificate",  meth_getpeercertificate},

src/ssl.h

@@ -2,7 +2,7 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2006-2019 Bruno Silvestre
  *

src/ssl.lua

@@ -1,5 +1,5 @@
 ------------------------------------------------------------------------------
--- LuaSec 0.8
+-- LuaSec 0.7.2
 --
 -- Copyright (C) 2006-2019 Bruno Silvestre
 --
@@ -30,39 +30,6 @@ local function optexec(func, param, ctx)
   return true
 end
 
---
--- Convert an array of strings to wire-format
---
-local function array2wireformat(array)
-   local str = ""
-   for k, v in ipairs(array) do
-      if type(v) ~= "string" then return nil end
-      local len = #v
-      if len == 0 then
-        return nil, "invalid ALPN name (empty string)"
-      elseif len > 255 then
-        return nil, "invalid ALPN name (length > 255)"
-      end
-      str = str .. string.char(len) .. v
-   end
-   if str == "" then return nil, "invalid ALPN list (empty)" end
-   return str
-end
-
---
--- Convert wire-string format to array
---
-local function wireformat2array(str)
-   local i = 1
-   local array = {}
-   while i < #str do
-      local len = str:byte(i)
-      array[#array + 1] = str:sub(i + 1, i + len)
-      i = i + len + 1
-   end
-   return array
-end
-
 --
 --
 --
@@ -74,33 +41,25 @@ local function newcontext(cfg)
    -- Mode
    succ, msg = context.setmode(ctx, cfg.mode)
    if not succ then return nil, msg end
-   local certificates = cfg.certificates
+   -- Load the key
-   if not certificates then
+   if cfg.key then
-      certificates = {
+      if cfg.password and
-         { certificate = cfg.certificate, key = cfg.key, password = cfg.password }
+         type(cfg.password) ~= "function" and
-      }
+         type(cfg.password) ~= "string"
+      then
+         return nil, "invalid password type"
+      end
+      succ, msg = context.loadkey(ctx, cfg.key, cfg.password)
+      if not succ then return nil, msg end
    end
-   for _, certificate in ipairs(certificates) do
+   -- Load the certificate
-      -- Load the key
+   if cfg.certificate then
-      if certificate.key then
+     succ, msg = context.loadcert(ctx, cfg.certificate)
-         if certificate.password and
+     if not succ then return nil, msg end
-            type(certificate.password) ~= "function" and
+     if cfg.key and context.checkkey then
-            type(certificate.password) ~= "string"
+       succ = context.checkkey(ctx)
-         then
+       if not succ then return nil, "private key does not match public key" end
-            return nil, "invalid password type"
+     end
-         end
-         succ, msg = context.loadkey(ctx, certificate.key, certificate.password)
-         if not succ then return nil, msg end
-      end
-      -- Load the certificate(s)
-      if certificate.certificate then
-        succ, msg = context.loadcert(ctx, certificate.certificate)
-        if not succ then return nil, msg end
-        if certificate.key and context.checkkey then
-          succ = context.checkkey(ctx)
-          if not succ then return nil, "private key does not match public key" end
-        end
-      end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then
@@ -112,12 +71,7 @@ local function newcontext(cfg)
       succ, msg = context.setcipher(ctx, cfg.ciphers)
       if not succ then return nil, msg end
    end
-   -- Set SSL cipher suites
+   -- Set the verification options
-   if cfg.ciphersuites then
-      succ, msg = context.setciphersuites(ctx, cfg.ciphersuites)
-      if not succ then return nil, msg end
-   end
-    -- Set the verification options
    succ, msg = optexec(context.setverify, cfg.verify, ctx)
    if not succ then return nil, msg end
    -- Set SSL options
@@ -159,48 +113,6 @@ local function newcontext(cfg)
       if not succ then return nil, msg end
    end
 
-   -- ALPN
-   if cfg.mode == "server" and cfg.alpn then
-      if type(cfg.alpn) == "function" then
-         local alpncb = cfg.alpn
-         -- This callback function has to return one value only
-         succ, msg = context.setalpncb(ctx, function(str)
-            local protocols = alpncb(wireformat2array(str))
-            if type(protocols) == "string" then
-               protocols = { protocols }
-            elseif type(protocols) ~= "table" then
-               return nil
-            end
-            return (array2wireformat(protocols))    -- use "()" to drop error message
-         end)
-         if not succ then return nil, msg end
-      elseif type(cfg.alpn) == "table" then
-         local protocols = cfg.alpn
-         -- check if array is valid before use it
-         succ, msg = array2wireformat(protocols)
-         if not succ then return nil, msg end
-         -- This callback function has to return one value only
-         succ, msg = context.setalpncb(ctx, function()
-            return (array2wireformat(protocols))    -- use "()" to drop error message
-         end)
-         if not succ then return nil, msg end
-      else
-         return nil, "invalid ALPN parameter"
-      end
-   elseif cfg.mode == "client" and cfg.alpn then
-      local alpn
-      if type(cfg.alpn) == "string" then
-         alpn, msg = array2wireformat({ cfg.alpn })
-      elseif type(cfg.alpn) == "table" then
-         alpn, msg = array2wireformat(cfg.alpn)
-      else
-         return nil, "invalid ALPN parameter"
-      end
-      if not alpn then return nil, msg end
-      succ, msg = context.setalpn(ctx, alpn)
-      if not succ then return nil, msg end
-   end
-
    return ctx
 end
 
@@ -267,8 +179,9 @@ core.setmethod("info", info)
 --
 
 local _M = {
-  _VERSION        = "0.8",
+  _VERSION        = "0.7.2",
   _COPYRIGHT      = core.copyright(),
+  config          = config,
   loadcertificate = x509.load,
   newcontext      = newcontext,
   wrap            = wrap,

src/x509.c

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.
@@ -371,6 +371,7 @@ int meth_extensions(lua_State* L)
         /* not supported */
         break;
       }
+      GENERAL_NAME_free(general_name);
     }
     sk_GENERAL_NAME_free(values);
     lua_pop(L, 1); /* ret[oid] */

src/x509.h

@@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.8
+ * LuaSec 0.7.2
  *
  * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.