Release LuaSec 0.8.2

Avoid duplicating variable 'ssl_options'.

CHANGELOG

@@ -1,3 +1,31 @@
+--------------------------------------------------------------------------------
+LuaSec 0.8.2
+---------------
+This version includes:
+
+* Fix unexported 'ssl.config' table
+
+--------------------------------------------------------------------------------
+LuaSec 0.8.1
+---------------
+This version includes:
+
+* Fix another memory leak when get certficate extensions
+
+--------------------------------------------------------------------------------
+LuaSec 0.8
+---------------
+This version includes:
+
+* Add support to ALPN
+* Add support to TLS 1.3
+* Add support to multiple certificates
+* Add timeout to https module (https.TIMEOUT)
+* Drop support to SSL 3.0
+* Drop support to TLS 1.0 from https module
+* Fix invalid reference to Lua state
+* Fix memory leak when get certficate extensions
+
 --------------------------------------------------------------------------------
 LuaSec 0.7
 ---------------

INSTALL

@@ -1,14 +1,14 @@
-LuaSec 0.7
+LuaSec 0.8.2
 ------------
 
 * OpenSSL options:
 
-    By default, LuaSec 0.7 includes options for OpenSSL 1.1.0f.
+    By default, this version includes options for OpenSSL 1.1.1.
 
     If you need to generate the options for a different version of OpenSSL:
 
       $ cd src
-      $ lua options.lua -g /usr/include/openssl/ssl.h > options.h
+      $ lua options.lua -g /usr/include/openssl/ssl.h > options.c
 
 --------------------------------------------------------------------------------
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 0.7 license
+LuaSec 0.8.2 license
-Copyright (C) 2006-2018 Bruno Silvestre, UFG
+Copyright (C) 2006-2019 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

README.md

@@ -1,6 +1,9 @@
-LuaSec 0.7
+LuaSec 0.8.2
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
 
+Important: This version requires at least OpenSSL 1.0.2.
+           For old versions of OpenSSL, use LuaSec 0.7.
+
 Documentation: https://github.com/brunoos/luasec/wiki

luasec-0.8.2-1.rockspec

@@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "0.7-1"
+version = "0.8.2-1"
 source = {
-   url = "https://github.com/brunoos/luasec/archive/luasec-0.7.tar.gz",
+   url = "https://github.com/brunoos/luasec/archive/luasec-0.8.2.tar.gz",
-   dir = "luasec-luasec-0.7"
+   dir = "luasec-luasec-0.8.2"
 }
 description = {
    summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@@ -58,7 +58,7 @@ build = {
                   "ssl", "crypto"
                },
                sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                   "src/x509.c", "src/context.c", "src/ssl.c", 
                   "src/luasocket/buffer.c", "src/luasocket/io.c",
                   "src/luasocket/timeout.c", "src/luasocket/usocket.c"
@@ -93,7 +93,7 @@ build = {
                   "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
                },
                sources = {
-                  "src/config.c", "src/ec.c", 
+                  "src/options.c", "src/config.c", "src/ec.c", 
                   "src/x509.c", "src/context.c", "src/ssl.c", 
                   "src/luasocket/buffer.c", "src/luasocket/io.c",
                   "src/luasocket/timeout.c", "src/luasocket/wsocket.c"

luasec.vcxproj

@@ -107,6 +107,7 @@
     <ClCompile Include="src\luasocket\io.c" />
     <ClCompile Include="src\luasocket\timeout.c" />
     <ClCompile Include="src\luasocket\wsocket.c" />
+    <ClCompile Include="src\options.c" />
     <ClCompile Include="src\ssl.c" />
     <ClCompile Include="src\x509.c" />
   </ItemGroup>
@@ -127,4 +128,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

samples/README

@@ -1,5 +1,8 @@
 Directories: 
 ------------
+* alpn
+ Test ALPN (Application-Layer Protocol Negotiation) support.
+
 * certs
  Contains scripts to generate the certificates used by the examples.
  Generate Root CA 'A' and 'B' first, then the servers and clients.
@@ -7,6 +10,9 @@ Directories:
 * chain
  Example of certificate chain in handshake.
 
+* curve-negotiation
+ Elliptic curve negotiation.
+
 * dhparam
  DH parameters for handshake.
 
@@ -30,20 +36,29 @@ Directories:
  Same of above,  but the connection is not  explicit closed, the gabage
  collector is encharge of that.
 
+* luaossl
+ Integration with luaossl.
+
+* multicert
+ Support to multiple certificate for dual RSA/ECDSA.
+
 * oneshot
  A simple connection example.
 
+* sni
+ Support to SNI (Server Name Indication).
+
 * verification
  Retrieve the certificate verification errors from the handshake.
 
 * verify
  Ignore handshake errors and proceed.
 
+* want
+ Test want() method.
+
 * wantread
  Test timeout in handshake() and receive().
 
 * wantwrite
  Test timeout in send().
-
-* want
- Test want() method.

samples/alpn/client.lua

@@ -0,0 +1,27 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = {"foo","bar","baz"}
+   alpn = "foo"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("ALPN", peer:getalpn())
+
+peer:close()

samples/alpn/server.lua

@@ -0,0 +1,77 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+--
+-- Callback that selects one protocol from client's list.
+--
+local function alpncb01(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Selecting:", protocols[1])
+   return protocols[1]
+end
+
+--
+-- Callback that returns a fixed list, ignoring the client's list.
+--
+local function alpncb02(protocols)
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+   end
+   print("--- Returning a fixed list") 
+   return {"bar", "foo"}
+end
+
+--
+-- Callback that generates a list as it whishes.
+--
+local function alpncb03(protocols)
+   local resp = {}
+   print("--- ALPN protocols from client")
+   for k, v in ipairs(protocols) do
+      print(k, v)
+      if k%2 ~= 0 then resp[#resp+1] = v end
+   end
+   print("--- Returning an odd list")
+   return resp
+end
+
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+   --alpn = alpncb01,
+   --alpn = alpncb02,
+   --alpn = alpncb03,
+   alpn = {"bar", "baz", "foo"},
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("ALPN", peer:getalpn())
+
+peer:close()
+server:close()

samples/certs/all.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+./rootA.sh
+./rootB.sh
+./clientA.sh
+./clientB.sh
+./serverA.sh
+./serverB.sh

samples/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

samples/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

samples/certs/rootA.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

samples/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

samples/certs/serverA.cnf

@@ -118,7 +118,7 @@ x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 # so use this option with caution!
 string_mask = nombstr
 
-# req_extensions = v3_req # The extensions to add to a certificate request
+# req_extensions = v3_ext # The extensions to add to a certificate request
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
-# subjectAltName=email:move
+subjectAltName=DNS:foo.bar.example
 
 # Copy subject details
 # issuerAltName=issuer:copy

samples/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

samples/certs/serverB.cnf

@@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-# subjectAltName=email:copy
+subjectAltName=DNS:fnord.bar.example
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move

samples/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

samples/dhparam/client.lua

@@ -6,12 +6,13 @@ local ssl    = require("ssl")
 
 local params = {
    mode = "client",
-   protocol = "tlsv1_2",
+   protocol = "any",
    key = "../certs/clientAkey.pem",
    certificate = "../certs/clientA.pem",
    cafile = "../certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
    options = "all",
+   ciphers = "EDH+AESGCM"
 }
 
 local peer = socket.tcp()

samples/dhparam/server.lua

@@ -38,6 +38,7 @@ local params = {
    verify = {"peer", "fail_if_no_peer_cert"},
    options = "all",
    dhparam = dhparam_cb,
+   ciphers = "EDH+AESGCM"
 }
 
 

samples/loop/client.lua

@@ -23,6 +23,8 @@ while true do
    assert( peer:dohandshake() )
    --]]
 
+   peer:getpeercertificate():extensions()
+
    print(peer:receive("*l"))
    peer:close()
 end

samples/multicert/client-ecdsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientECDSAkey.pem",
+   certificate = "certs/clientECDSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!aRSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/client-rsa.lua

@@ -0,0 +1,29 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode        = "client",
+   protocol    = "tlsv1_2",
+   key         = "certs/clientRSAkey.pem",
+   certificate = "certs/clientRSA.pem",
+   verify      = "none",
+   options     = "all",
+   ciphers     = "ALL:!ECDSA"
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+--]]
+
+local i = peer:info()
+for k, v in pairs(i) do print(k, v) end
+
+print(peer:receive("*l"))
+peer:close()

samples/multicert/gencerts.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+mkdir -p certs
+
+openssl ecparam -name secp256r1 -genkey -out certs/serverECDSAkey.pem
+openssl req -new -config ../certs/serverA.cnf -extensions usr_cert -x509 -key certs/serverECDSAkey.pem -out certs/serverECDSA.pem -days 360 -batch
+
+openssl ecparam -name secp256r1 -genkey -out certs/clientECDSAkey.pem
+openssl req -config ../certs/clientA.cnf -extensions usr_cert -x509 -new -key certs/clientECDSAkey.pem -out certs/clientECDSA.pem -days 360 -batch
+
+openssl req -config ../certs/serverB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/serverRSAkey.pem -out certs/serverRSA.pem -nodes -days 365 -batch
+
+openssl req -config ../certs/clientB.cnf -extensions usr_cert -x509 -new -newkey rsa:2048 -keyout certs/clientRSAkey.pem -out certs/clientRSA.pem -nodes -days 365 -batch

samples/multicert/server.lua

@@ -0,0 +1,38 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode         = "server",
+   protocol     = "any",
+   certificates = { 
+      -- Comment line below and 'client-rsa' stop working
+      { certificate = "certs/serverRSA.pem",   key = "certs/serverRSAkey.pem"   },
+      -- Comment line below and 'client-ecdsa' stop working
+      { certificate = "certs/serverECDSA.pem", key = "certs/serverECDSAkey.pem" }
+   },
+   verify  = "none",
+   options = "all"
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+
+-- [[ SSL wrapper
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+--]]
+
+peer:send("oneshot test\n")
+peer:close()

src/Makefile

@@ -2,6 +2,7 @@ CMOD=ssl.so
 LMOD=ssl.lua
 
 OBJS= \
+ options.o \
  x509.o    \
  context.o \
  ssl.o     \
@@ -57,6 +58,7 @@ clean:
 	cd luasocket && $(MAKE) clean
 	rm -f $(OBJS) $(CMOD)
 
+options.o: options.c options.h
 ec.o: ec.c ec.h
 x509.o: x509.c x509.h compat.h
 context.o: context.c context.h ec.h compat.h

src/compat.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/config.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre.
+ * Copyright (C) 2006-2019 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -14,14 +14,14 @@
  */
 LSEC_API int luaopen_ssl_config(lua_State *L)
 {
-  ssl_option_t *opt;
+  lsec_ssl_option_t *opt;
 
   lua_newtable(L);
 
   // Options
   lua_pushstring(L, "options");
   lua_newtable(L);
-  for (opt = ssl_options; opt->name; opt++) {
+  for (opt = lsec_get_ssl_options(); opt->name; opt++) {
     lua_pushstring(L, opt->name);
     lua_pushboolean(L, 1);
     lua_rawset(L, -3);
@@ -32,22 +32,21 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushstring(L, "protocols");
   lua_newtable(L);
 
-#ifndef OPENSSL_NO_SSL3
-  lua_pushstring(L, "sslv3");
-  lua_pushboolean(L, 1);
-  lua_rawset(L, -3);
-#endif
   lua_pushstring(L, "tlsv1");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   lua_pushstring(L, "tlsv1_1");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
   lua_pushstring(L, "tlsv1_2");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
+#if defined(TLS1_3_VERSION)
+  lua_pushstring(L, "tlsv1_3");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
 #endif
+
   lua_rawset(L, -3);
 
   // Algorithms
@@ -70,17 +69,18 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushstring(L, "capabilities");
   lua_newtable(L);
 
+  // ALPN
+  lua_pushstring(L, "alpn");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+
 #ifndef OPENSSL_NO_EC
-#if defined(SSL_CTRL_SET_ECDH_AUTO) || defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list)
   lua_pushstring(L, "curves_list");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#ifdef SSL_CTRL_SET_ECDH_AUTO
   lua_pushstring(L, "ecdh_auto");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#endif
-#endif
 #endif
   lua_rawset(L, -3);
 

src/context.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
- * Copyright (C) 2006-2018 Bruno Silvestre.
+ * Copyright (C) 2006-2019 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -29,12 +29,6 @@
 #include "ec.h"
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
-typedef const SSL_METHOD LSEC_SSL_METHOD;
-#else
-typedef       SSL_METHOD LSEC_SSL_METHOD;
-#endif
-
 /*--------------------------- Auxiliary Functions ----------------------------*/
 
 /**
@@ -55,8 +49,8 @@ static p_context testctx(lua_State *L, int idx)
  */
 static int set_option_flag(const char *opt, unsigned long *flag)
 {
-  ssl_option_t *p;
+  lsec_ssl_option_t *p;
-  for (p = ssl_options; p->name; p++) {
+  for (p = lsec_get_ssl_options(); p->name; p++) {
     if (!strcmp(opt, p->name)) {
       *flag |= p->code;
       return 1;
@@ -65,23 +59,59 @@ static int set_option_flag(const char *opt, unsigned long *flag)
   return 0;
 }
 
+#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /**
  * Find the protocol.
  */
-static LSEC_SSL_METHOD* str2method(const char *method)
+static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
 {
+  (void)vmin;
+  (void)vmax;
   if (!strcmp(method, "any"))     return SSLv23_method();
   if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
-#ifndef OPENSSL_NO_SSL3
-  if (!strcmp(method, "sslv3"))   return SSLv3_method();
-#endif
   if (!strcmp(method, "tlsv1"))   return TLSv1_method();
-#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
   if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
   if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
+  return NULL;
+}
+
+#else
+
+/**
+ * Find the protocol.
+ */
+static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax)
+{
+  if (!strcmp(method, "any") || !strcmp(method, "sslv23")) { // 'sslv23' is deprecated
+    *vmin = 0;
+    *vmax = 0;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1")) {
+    *vmin = TLS1_VERSION;
+    *vmax = TLS1_VERSION;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1_1")) {
+    *vmin = TLS1_1_VERSION;
+    *vmax = TLS1_1_VERSION;
+    return TLS_method();
+  }
+  else if (!strcmp(method, "tlsv1_2")) {
+    *vmin = TLS1_2_VERSION;
+    *vmax = TLS1_2_VERSION;
+    return TLS_method();
+  }
+#if defined(TLS1_3_VERSION)
+  else if (!strcmp(method, "tlsv1_3")) {
+    *vmin = TLS1_3_VERSION;
+    *vmax = TLS1_3_VERSION;
+    return TLS_method();
+  }
 #endif
   return NULL;
 }
+#endif
 
 /**
  * Prepare the SSL handshake verify flag.
@@ -168,7 +198,6 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
 {
   BIO *bio;
   lua_State *L;
-  DH *dh_tmp = NULL;
   SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
   p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
 
@@ -189,24 +218,15 @@ static DH *dhparam_cb(SSL *ssl, int is_export, int keylength)
     lua_pop(L, 2);  /* Remove values from stack */
     return NULL;
   }
-  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), 
+
-    lua_rawlen(L, -1));
+  bio = BIO_new_mem_buf((void*)lua_tostring(L, -1), lua_rawlen(L, -1));
   if (bio) {
-    dh_tmp = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+    pctx->dh_param = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
   }
 
-  /*
-   * OpenSSL exepcts the callback to maintain a reference to the DH*.  So,
-   * cache it here, and clean up the previous set of parameters.  Any remaining
-   * set is cleaned up when destroying the LuaSec context.
-   */
-  if (pctx->dh_param)
-    DH_free(pctx->dh_param);
-  pctx->dh_param = dh_tmp;
-
   lua_pop(L, 2);    /* Remove values from stack */
-  return dh_tmp;
+  return pctx->dh_param;
 }
 
 /**
@@ -287,10 +307,11 @@ static int create(lua_State *L)
 {
   p_context ctx;
   const char *str_method;
-  LSEC_SSL_METHOD *method;
+  const SSL_METHOD *method;
+  int vmin, vmax;
 
   str_method = luaL_checkstring(L, 1);
-  method = str2method(str_method);
+  method = str2method(str_method, &vmin, &vmax);
   if (!method) {
     lua_pushnil(L);
     lua_pushfstring(L, "invalid protocol (%s)", str_method);
@@ -310,6 +331,10 @@ static int create(lua_State *L)
       ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
+#if ! ((defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
+  SSL_CTX_set_min_proto_version(ctx->context, vmin);
+  SSL_CTX_set_max_proto_version(ctx->context, vmax);
+#endif
   ctx->mode = LSEC_MODE_INVALID;
   ctx->L = L;
   luaL_getmetatable(L, "SSL:Context");
@@ -411,14 +436,31 @@ static int set_cipher(lua_State *L)
   const char *list = luaL_checkstring(L, 2);
   if (SSL_CTX_set_cipher_list(ctx, list) != 1) {
     lua_pushboolean(L, 0);
-    lua_pushfstring(L, "error setting cipher list (%s)",
+    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
-      ERR_reason_error_string(ERR_get_error()));
     return 2;
   }
   lua_pushboolean(L, 1);
   return 1;
 }
 
+/**
+ * Set the cipher suites.
+ */
+static int set_ciphersuites(lua_State *L)
+{
+#if defined(TLS1_3_VERSION)
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  const char *list = luaL_checkstring(L, 2);
+  if (SSL_CTX_set_ciphersuites(ctx, list) != 1) {
+    lua_pushboolean(L, 0);
+    lua_pushfstring(L, "error setting cipher list (%s)", ERR_reason_error_string(ERR_get_error()));
+    return 2;
+  }
+#endif
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
 /**
  * Set the depth for certificate checking.
  */
@@ -467,12 +509,6 @@ static int set_options(lua_State *L)
   if (max > 1) {
     for (i = 2; i <= max; i++) {
       str = luaL_checkstring(L, i);
-#if !defined(SSL_OP_NO_COMPRESSION) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-      /* Version 0.9.8 has a different way to disable compression */
-      if (!strcmp(str, "no_compression"))
-        ctx->comp_methods = NULL;
-      else
-#endif
       if (!set_option_flag(str, &flag)) {
         lua_pushboolean(L, 0);
         lua_pushfstring(L, "invalid option (%s)", str);
@@ -531,12 +567,13 @@ static int set_dhparam(lua_State *L)
 static int set_curve(lua_State *L)
 {
   long ret;
+  EC_KEY *key = NULL;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   const char *str = luaL_checkstring(L, 2);
 
   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
 
-  EC_KEY *key = lsec_find_ec_key(L, str);
+  key = lsec_find_ec_key(L, str);
 
   if (!key) {
     lua_pushboolean(L, 0);
@@ -558,9 +595,7 @@ static int set_curve(lua_State *L)
   lua_pushboolean(L, 1);
   return 1;
 }
-#endif
 
-#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
 /**
  * Set elliptic curves list.
  */
@@ -577,36 +612,119 @@ static int set_curves_list(lua_State *L)
     return 2;
   }
 
-#ifdef SSL_CTRL_SET_ECDH_AUTO
+  (void)SSL_CTX_set_ecdh_auto(ctx, 1);
-  SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif
 
   lua_pushboolean(L, 1);
   return 1;
 }
 #endif
 
+/**
+ * Set the protocols a client should send for ALPN.
+ */
+static int set_alpn(lua_State *L)
+{
+  long ret;
+  size_t len;
+  p_context ctx = checkctx(L, 1);
+  const char *str = luaL_checklstring(L, 2, &len);
+
+  ret = SSL_CTX_set_alpn_protos(ctx->context, (const unsigned char*)str, len);
+  if (ret) {
+    lua_pushboolean(L, 0);
+    lua_pushfstring(L, "error setting ALPN (%s)", ERR_reason_error_string(ERR_get_error()));
+    return 2;
+  }
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/**
+ * This standard callback calls the server's callback in Lua sapce.
+ * The server has to return a list in wire-format strings.
+ * This function uses a helper function to match server and client lists.
+ */
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+                   const unsigned char *in, unsigned int inlen, void *arg)
+{
+  int ret;
+  size_t server_len;
+  const char *server;
+  p_context ctx = (p_context)arg;
+  lua_State *L = ctx->L;
+
+  luaL_getmetatable(L, "SSL:ALPN:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_gettable(L, -2);
+
+  lua_pushlstring(L, (const char*)in, inlen);
+
+  lua_call(L, 1, 1);
+
+  if (!lua_isstring(L, -1)) {
+    lua_pop(L, 2);
+    return SSL_TLSEXT_ERR_NOACK;
+  }
+
+  // Protocol list from server in wire-format string
+  server = luaL_checklstring(L, -1, &server_len);
+  ret  = SSL_select_next_proto((unsigned char**)out, outlen, (const unsigned char*)server,
+                               server_len, in, inlen);
+  if (ret != OPENSSL_NPN_NEGOTIATED) {
+    lua_pop(L, 2);
+    return SSL_TLSEXT_ERR_NOACK;
+  } 
+
+  // Copy the result because lua_pop() can collect the pointer
+  ctx->alpn = malloc(*outlen);
+  memcpy(ctx->alpn, (void*)*out, *outlen);
+  *out = (const unsigned char*)ctx->alpn;
+
+  lua_pop(L, 2);
+
+  return SSL_TLSEXT_ERR_OK;
+}
+
+/**
+ * Set a callback a server can use to select the next protocol with ALPN.
+ */
+static int set_alpn_cb(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:ALPN:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_alpn_select_cb(ctx->context, alpn_cb, ctx);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+
 /**
  * Package functions
  */
 static luaL_Reg funcs[] = {
-  {"create",       create},
+  {"create",          create},
-  {"locations",    load_locations},
+  {"locations",       load_locations},
-  {"loadcert",     load_cert},
+  {"loadcert",        load_cert},
-  {"loadkey",      load_key},
+  {"loadkey",         load_key},
-  {"checkkey",     check_key},
+  {"checkkey",        check_key},
-  {"setcipher",    set_cipher},
+  {"setalpn",         set_alpn},
-  {"setdepth",     set_depth},
+  {"setalpncb",       set_alpn_cb},
-  {"setdhparam",   set_dhparam},
+  {"setcipher",       set_cipher},
-  {"setverify",    set_verify},
+  {"setciphersuites", set_ciphersuites},
-  {"setoptions",   set_options},
+  {"setdepth",        set_depth},
-  {"setmode",      set_mode},
+  {"setdhparam",      set_dhparam},
+  {"setverify",       set_verify},
+  {"setoptions",      set_options},
+  {"setmode",         set_mode},
 
 #if !defined(OPENSSL_NO_EC)
-  {"setcurve",     set_curve},
+  {"setcurve",      set_curve},
-#endif
-
-#if !defined(OPENSSL_NO_EC) && (defined(SSL_CTRL_SET_CURVES_LIST) || defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_ECDH_AUTO))
   {"setcurveslist", set_curves_list},
 #endif
 
@@ -631,15 +749,14 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:ALPN:Registry");
+    lua_pushlightuserdata(L, (void*)ctx->context);
+    lua_pushnil(L);
+    lua_settable(L, -3);
 
     SSL_CTX_free(ctx->context);
     ctx->context = NULL;
   }
-  if (ctx->dh_param) {
-    DH_free(ctx->dh_param);
-    ctx->dh_param = NULL;
-  }
-
   return 0;
 }
 
@@ -777,8 +894,9 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
  */
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks */
+  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks   */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags */
+  luaL_newmetatable(L, "SSL:ALPN:Registry");    /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags   */
   luaL_newmetatable(L, "SSL:Context");
   setfuncs(L, meta);
 

src/context.h

@@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2017 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -24,6 +24,7 @@ typedef struct t_context_ {
   SSL_CTX *context;
   lua_State *L;
   DH *dh_param;
+  void *alpn;
   int mode;
 } t_context;
 typedef t_context* p_context;

src/ec.c

@@ -2,7 +2,7 @@
 
 #include "ec.h"
 
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
 
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str)
 {

src/ec.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -10,7 +10,7 @@
 
 #include <lua.h>
 
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
 #include <openssl/ec.h>
 
 EC_KEY *lsec_find_ec_key(lua_State *L, const char *str);

src/https.lua

@@ -1,6 +1,6 @@
 ----------------------------------------------------------------------------
--- LuaSec 0.7
+-- LuaSec 0.8.2
--- Copyright (C) 2009-2018 PUC-Rio
+-- Copyright (C) 2009-2019 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -18,15 +18,16 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "0.7",
+  _VERSION   = "0.8.2",
-  _COPYRIGHT = "LuaSec 0.7 - Copyright (C) 2009-2018 PUC-Rio",
+  _COPYRIGHT = "LuaSec 0.8.2 - Copyright (C) 2009-2019 PUC-Rio",
   PORT       = 443,
+  TIMEOUT    = 60
 }
 
 -- TLS configuration
 local cfg = {
   protocol = "any",
-  options  = {"all", "no_sslv2", "no_sslv3"},
+  options  = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   verify   = "none",
 }
 
@@ -83,13 +84,14 @@ local function tcp(params)
       conn.sock = try(socket.tcp())
       local st = getmetatable(conn.sock).__index.settimeout
       function conn:settimeout(...)
-         return st(self.sock, ...)
+         return st(self.sock, _M.TIMEOUT)
       end
       -- Replace TCP's connection function
       function conn:connect(host, port)
          try(self.sock:connect(host, port))
          self.sock = try(ssl.wrap(self.sock, params))
          self.sock:sni(host)
+         self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
          reg(self, getmetatable(self.sock))
          return 1
@@ -139,5 +141,6 @@ end
 --
 
 _M.request = request
+_M.tcp = tcp
 
 return _M

src/options.c

@@ -0,0 +1,167 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 0.8.2
+ *
+ * Copyright (C) 2006-2019 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
+#include <openssl/ssl.h>
+
+#include "options.h"
+
+/* If you need to generate these options again, see options.lua */
+
+
+/* 
+  OpenSSL version: OpenSSL 1.1.1
+*/
+
+static lsec_ssl_option_t ssl_options[] = {
+#if defined(SSL_OP_ALL)
+  {"all", SSL_OP_ALL},
+#endif
+#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
+  {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
+#endif
+#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
+  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
+#endif
+#if defined(SSL_OP_CISCO_ANYCONNECT)
+  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
+#endif
+#if defined(SSL_OP_COOKIE_EXCHANGE)
+  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
+#endif
+#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
+  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
+#endif
+#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
+  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
+#endif
+#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
+  {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
+#endif
+#if defined(SSL_OP_EPHEMERAL_RSA)
+  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
+#endif
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
+#endif
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
+#endif
+#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
+  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
+#endif
+#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
+  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
+#endif
+#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
+  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
+  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
+  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
+  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
+#endif
+#if defined(SSL_OP_NO_ANTI_REPLAY)
+  {"no_anti_replay", SSL_OP_NO_ANTI_REPLAY},
+#endif
+#if defined(SSL_OP_NO_COMPRESSION)
+  {"no_compression", SSL_OP_NO_COMPRESSION},
+#endif
+#if defined(SSL_OP_NO_DTLS_MASK)
+  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
+#endif
+#if defined(SSL_OP_NO_DTLSv1)
+  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
+#endif
+#if defined(SSL_OP_NO_DTLSv1_2)
+  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
+#endif
+#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
+  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
+#endif
+#if defined(SSL_OP_NO_QUERY_MTU)
+  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
+#endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
+  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
+#endif
+#if defined(SSL_OP_NO_SSL_MASK)
+  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
+#endif
+#if defined(SSL_OP_NO_SSLv2)
+  {"no_sslv2", SSL_OP_NO_SSLv2},
+#endif
+#if defined(SSL_OP_NO_SSLv3)
+  {"no_sslv3", SSL_OP_NO_SSLv3},
+#endif
+#if defined(SSL_OP_NO_TICKET)
+  {"no_ticket", SSL_OP_NO_TICKET},
+#endif
+#if defined(SSL_OP_NO_TLSv1)
+  {"no_tlsv1", SSL_OP_NO_TLSv1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_1)
+  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
+#endif
+#if defined(SSL_OP_NO_TLSv1_2)
+  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+  {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_1)
+  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
+#endif
+#if defined(SSL_OP_PKCS1_CHECK_2)
+  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
+#endif
+#if defined(SSL_OP_PRIORITIZE_CHACHA)
+  {"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA},
+#endif
+#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
+#endif
+#if defined(SSL_OP_SINGLE_DH_USE)
+  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
+#endif
+#if defined(SSL_OP_SINGLE_ECDH_USE)
+  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
+#endif
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
+  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
+#endif
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
+  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
+#endif
+#if defined(SSL_OP_TLSEXT_PADDING)
+  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
+#endif
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
+  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
+#endif
+#if defined(SSL_OP_TLS_D5_BUG)
+  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
+#endif
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
+  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
+#endif
+  {NULL, 0L}
+};
+
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
+

src/options.h

@@ -2,155 +2,21 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
-#include <openssl/ssl.h>
+#include "compat.h"
 
-/* If you need to generate these options again, see options.lua */
+struct lsec_ssl_option_s {
-
-/* 
-  OpenSSL version: OpenSSL 1.1.0h
-*/
-
-struct ssl_option_s {
   const char *name;
   unsigned long code;
 };
-typedef struct ssl_option_s ssl_option_t;
 
-static ssl_option_t ssl_options[] = {
+typedef struct lsec_ssl_option_s lsec_ssl_option_t;
-#if defined(SSL_OP_ALL)
+
-  {"all", SSL_OP_ALL},
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options();
-#endif
-#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-  {"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
-  {"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE},
-#endif
-#if defined(SSL_OP_CISCO_ANYCONNECT)
-  {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
-#endif
-#if defined(SSL_OP_COOKIE_EXCHANGE)
-  {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
-#endif
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-  {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
-#endif
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-  {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
-#endif
-#if defined(SSL_OP_EPHEMERAL_RSA)
-  {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
-#endif
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
-  {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
-#endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-  {"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
-#endif
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
-  {"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG},
-#endif
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
-  {"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING},
-#endif
-#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
-  {"netscape_ca_dn_bug", SSL_OP_NETSCAPE_CA_DN_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
-  {"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
-  {"netscape_demo_cipher_change_bug", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-  {"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
-#endif
-#if defined(SSL_OP_NO_COMPRESSION)
-  {"no_compression", SSL_OP_NO_COMPRESSION},
-#endif
-#if defined(SSL_OP_NO_DTLS_MASK)
-  {"no_dtls_mask", SSL_OP_NO_DTLS_MASK},
-#endif
-#if defined(SSL_OP_NO_DTLSv1)
-  {"no_dtlsv1", SSL_OP_NO_DTLSv1},
-#endif
-#if defined(SSL_OP_NO_DTLSv1_2)
-  {"no_dtlsv1_2", SSL_OP_NO_DTLSv1_2},
-#endif
-#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
-  {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
-#endif
-#if defined(SSL_OP_NO_QUERY_MTU)
-  {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
-#endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
-  {"no_renegotiation", SSL_OP_NO_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
-  {"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
-#endif
-#if defined(SSL_OP_NO_SSL_MASK)
-  {"no_ssl_mask", SSL_OP_NO_SSL_MASK},
-#endif
-#if defined(SSL_OP_NO_SSLv2)
-  {"no_sslv2", SSL_OP_NO_SSLv2},
-#endif
-#if defined(SSL_OP_NO_SSLv3)
-  {"no_sslv3", SSL_OP_NO_SSLv3},
-#endif
-#if defined(SSL_OP_NO_TICKET)
-  {"no_ticket", SSL_OP_NO_TICKET},
-#endif
-#if defined(SSL_OP_NO_TLSv1)
-  {"no_tlsv1", SSL_OP_NO_TLSv1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_1)
-  {"no_tlsv1_1", SSL_OP_NO_TLSv1_1},
-#endif
-#if defined(SSL_OP_NO_TLSv1_2)
-  {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_1)
-  {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
-#endif
-#if defined(SSL_OP_PKCS1_CHECK_2)
-  {"pkcs1_check_2", SSL_OP_PKCS1_CHECK_2},
-#endif
-#if defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-  {"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG},
-#endif
-#if defined(SSL_OP_SINGLE_DH_USE)
-  {"single_dh_use", SSL_OP_SINGLE_DH_USE},
-#endif
-#if defined(SSL_OP_SINGLE_ECDH_USE)
-  {"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE},
-#endif
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
-  {"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
-#endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-  {"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
-#endif
-#if defined(SSL_OP_TLSEXT_PADDING)
-  {"tlsext_padding", SSL_OP_TLSEXT_PADDING},
-#endif
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
-  {"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG},
-#endif
-#if defined(SSL_OP_TLS_D5_BUG)
-  {"tls_d5_bug", SSL_OP_TLS_D5_BUG},
-#endif
-#if defined(SSL_OP_TLS_ROLLBACK_BUG)
-  {"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG},
-#endif
-  {NULL, 0L}
-};
 
 #endif
-

src/options.lua

@@ -1,10 +1,10 @@
 local function usage()
   print("Usage:")
   print("* Generate options of your system:")
-  print("  lua options.lua -g /path/to/ssl.h [version] > options.h")
+  print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.h\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -17,34 +17,28 @@ end
 
 local function generate(options, version)
   print([[
-#ifndef LSEC_OPTIONS_H
-#define LSEC_OPTIONS_H
-
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
 #include <openssl/ssl.h>
 
+#include "options.h"
+
 /* If you need to generate these options again, see options.lua */
+
 ]])
+
   printf([[
 /* 
   OpenSSL version: %s
 */
 ]], version)
-  print([[
-struct ssl_option_s {
-  const char *name;
-  unsigned long code;
-};
-typedef struct ssl_option_s ssl_option_t;
-]])
 
-  print([[static ssl_option_t ssl_options[] = {]])
+  print([[static lsec_ssl_option_t ssl_options[] = {]])
 
   for k, option in ipairs(options) do
     local name = string.lower(string.sub(option, 8))
@@ -56,7 +50,9 @@ typedef struct ssl_option_s ssl_option_t;
   print([[
 };
 
-#endif
+LSEC_API lsec_ssl_option_t* lsec_get_ssl_options() {
+  return ssl_options;
+}
 ]])
 end
 

src/ssl.c

@@ -1,9 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann, 
+ * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann, 
  *                         Matthew Wild.
- * Copyright (C) 2006-2018 Bruno Silvestre.
+ * Copyright (C) 2006-2019 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -11,7 +11,7 @@
 #include <string.h>
 
 #if defined(WIN32)
-#include <Winsock2.h>
+#include <winsock2.h>
 #endif
 
 #include <openssl/ssl.h>
@@ -32,7 +32,7 @@
 #include "ssl.h"
 
 
-#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER<0x10100000L
+#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 #define SSL_is_server(s) (s->server)
 #define SSL_up_ref(ssl)  CRYPTO_add(&(ssl)->references, 1, CRYPTO_LOCK_SSL)
 #define X509_up_ref(c)   CRYPTO_add(&c->references, 1, CRYPTO_LOCK_X509)
@@ -302,9 +302,7 @@ static int meth_create(lua_State *L)
   SSL_set_fd(ssl->ssl, (int)SOCKET_INVALID);
   SSL_set_mode(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | 
     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-#if defined(SSL_MODE_RELEASE_BUFFERS)
   SSL_set_mode(ssl->ssl, SSL_MODE_RELEASE_BUFFERS);
-#endif
   if (mode == LSEC_MODE_SERVER)
     SSL_set_accept_state(ssl->ssl);
   else
@@ -382,8 +380,19 @@ static int meth_setfd(lua_State *L)
  */
 static int meth_handshake(lua_State *L)
 {
+  int err;
   p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  int err = handshake(ssl);
+  p_context ctx = (p_context)SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl->ssl));
+  ctx->L = L;
+  err = handshake(ssl);
+  if (ctx->dh_param) {
+    DH_free(ctx->dh_param);
+    ctx->dh_param = NULL;
+  }
+  if (ctx->alpn) {
+    free(ctx->alpn);
+    ctx->alpn = NULL;
+  }
   if (err == IO_DONE) {
     lua_pushboolean(L, 1);
     return 1;
@@ -794,9 +803,22 @@ static int meth_getsniname(lua_State *L)
   return 1;
 }
 
+static int meth_getalpn(lua_State *L)
+{
+  unsigned len;
+  const unsigned char *data;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  SSL_get0_alpn_selected(ssl->ssl, &data, &len);
+  if (data == NULL && len == 0)
+    lua_pushnil(L);
+  else
+    lua_pushlstring(L, (const char*)data, len);
+  return 1;
+}
+
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 0.7 - Copyright (C) 2006-2018 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 0.8.2 - Copyright (C) 2006-2019 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -811,6 +833,7 @@ static int meth_copyright(lua_State *L)
  */
 static luaL_Reg methods[] = {
   {"close",               meth_close},
+  {"getalpn",             meth_getalpn},
   {"getfd",               meth_getfd},
   {"getfinished",         meth_getfinished},
   {"getpeercertificate",  meth_getpeercertificate},

src/ssl.h

@@ -2,9 +2,9 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2006-2018 Bruno Silvestre
+ * Copyright (C) 2006-2019 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.lua

@@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
--- LuaSec 0.7
+-- LuaSec 0.8.2
 --
--- Copyright (C) 2006-2018 Bruno Silvestre
+-- Copyright (C) 2006-2019 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
@@ -30,6 +30,39 @@ local function optexec(func, param, ctx)
   return true
 end
 
+--
+-- Convert an array of strings to wire-format
+--
+local function array2wireformat(array)
+   local str = ""
+   for k, v in ipairs(array) do
+      if type(v) ~= "string" then return nil end
+      local len = #v
+      if len == 0 then
+        return nil, "invalid ALPN name (empty string)"
+      elseif len > 255 then
+        return nil, "invalid ALPN name (length > 255)"
+      end
+      str = str .. string.char(len) .. v
+   end
+   if str == "" then return nil, "invalid ALPN list (empty)" end
+   return str
+end
+
+--
+-- Convert wire-string format to array
+--
+local function wireformat2array(str)
+   local i = 1
+   local array = {}
+   while i < #str do
+      local len = str:byte(i)
+      array[#array + 1] = str:sub(i + 1, i + len)
+      i = i + len + 1
+   end
+   return array
+end
+
 --
 --
 --
@@ -41,25 +74,33 @@ local function newcontext(cfg)
    -- Mode
    succ, msg = context.setmode(ctx, cfg.mode)
    if not succ then return nil, msg end
-   -- Load the key
+   local certificates = cfg.certificates
-   if cfg.key then
+   if not certificates then
-      if cfg.password and
+      certificates = {
-         type(cfg.password) ~= "function" and
+         { certificate = cfg.certificate, key = cfg.key, password = cfg.password }
-         type(cfg.password) ~= "string"
+      }
-      then
-         return nil, "invalid password type"
-      end
-      succ, msg = context.loadkey(ctx, cfg.key, cfg.password)
-      if not succ then return nil, msg end
    end
-   -- Load the certificate
+   for _, certificate in ipairs(certificates) do
-   if cfg.certificate then
+      -- Load the key
-     succ, msg = context.loadcert(ctx, cfg.certificate)
+      if certificate.key then
-     if not succ then return nil, msg end
+         if certificate.password and
-     if cfg.key and context.checkkey then
+            type(certificate.password) ~= "function" and
-       succ = context.checkkey(ctx)
+            type(certificate.password) ~= "string"
-       if not succ then return nil, "private key does not match public key" end
+         then
-     end
+            return nil, "invalid password type"
+         end
+         succ, msg = context.loadkey(ctx, certificate.key, certificate.password)
+         if not succ then return nil, msg end
+      end
+      -- Load the certificate(s)
+      if certificate.certificate then
+        succ, msg = context.loadcert(ctx, certificate.certificate)
+        if not succ then return nil, msg end
+        if certificate.key and context.checkkey then
+          succ = context.checkkey(ctx)
+          if not succ then return nil, "private key does not match public key" end
+        end
+      end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then
@@ -71,7 +112,12 @@ local function newcontext(cfg)
       succ, msg = context.setcipher(ctx, cfg.ciphers)
       if not succ then return nil, msg end
    end
-   -- Set the verification options
+   -- Set SSL cipher suites
+   if cfg.ciphersuites then
+      succ, msg = context.setciphersuites(ctx, cfg.ciphersuites)
+      if not succ then return nil, msg end
+   end
+    -- Set the verification options
    succ, msg = optexec(context.setverify, cfg.verify, ctx)
    if not succ then return nil, msg end
    -- Set SSL options
@@ -113,6 +159,48 @@ local function newcontext(cfg)
       if not succ then return nil, msg end
    end
 
+   -- ALPN
+   if cfg.mode == "server" and cfg.alpn then
+      if type(cfg.alpn) == "function" then
+         local alpncb = cfg.alpn
+         -- This callback function has to return one value only
+         succ, msg = context.setalpncb(ctx, function(str)
+            local protocols = alpncb(wireformat2array(str))
+            if type(protocols) == "string" then
+               protocols = { protocols }
+            elseif type(protocols) ~= "table" then
+               return nil
+            end
+            return (array2wireformat(protocols))    -- use "()" to drop error message
+         end)
+         if not succ then return nil, msg end
+      elseif type(cfg.alpn) == "table" then
+         local protocols = cfg.alpn
+         -- check if array is valid before use it
+         succ, msg = array2wireformat(protocols)
+         if not succ then return nil, msg end
+         -- This callback function has to return one value only
+         succ, msg = context.setalpncb(ctx, function()
+            return (array2wireformat(protocols))    -- use "()" to drop error message
+         end)
+         if not succ then return nil, msg end
+      else
+         return nil, "invalid ALPN parameter"
+      end
+   elseif cfg.mode == "client" and cfg.alpn then
+      local alpn
+      if type(cfg.alpn) == "string" then
+         alpn, msg = array2wireformat({ cfg.alpn })
+      elseif type(cfg.alpn) == "table" then
+         alpn, msg = array2wireformat(cfg.alpn)
+      else
+         return nil, "invalid ALPN parameter"
+      end
+      if not alpn then return nil, msg end
+      succ, msg = context.setalpn(ctx, alpn)
+      if not succ then return nil, msg end
+   end
+
    return ctx
 end
 
@@ -179,8 +267,9 @@ core.setmethod("info", info)
 --
 
 local _M = {
-  _VERSION        = "0.7",
+  _VERSION        = "0.8.2",
   _COPYRIGHT      = core.copyright(),
+  config          = config,
   loadcertificate = x509.load,
   newcontext      = newcontext,
   wrap            = wrap,

src/x509.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
@@ -371,7 +371,9 @@ int meth_extensions(lua_State* L)
         /* not supported */
         break;
       }
+      GENERAL_NAME_free(general_name);
     }
+    sk_GENERAL_NAME_free(values);
     lua_pop(L, 1); /* ret[oid] */
     i++;           /* Next extension */
   }

src/x509.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 0.7
+ * LuaSec 0.8.2
  *
- * Copyright (C) 2014-2018 Kim Alvefur, Paul Aurich, Tobias Markmann
+ * Copyright (C) 2014-2019 Kim Alvefur, Paul Aurich, Tobias Markmann
  *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/