Add shutdown example

This allows applications to separate ending the TLS session from closing the
underlying socket. In particular, it enables us to avoid needing to set the
socket to blocking mode during close().

CHANGELOG

@@ -1,3 +1,62 @@
+--------------------------------------------------------------------------------
+LuaSec 1.3.2
+---------------
+This version includes:
+
+* Fix: place EAI_OVERFLOW inside macro, unbreak build on <10.7 (Sergey Fedorov)
+* Fix: Expand workaround for zero errno to OpenSSL 3.0.x (Kim Alvefur)
+* Fix: reset block timeout at send or receive (MartinDahlberg)
+
+--------------------------------------------------------------------------------
+LuaSec 1.3.1
+---------------
+This version includes:
+
+* Fix: check if PSK is available
+
+--------------------------------------------------------------------------------
+LuaSec 1.3.0
+---------------
+This version includes:
+
+* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
+* Add Pre-Shared Key (PSK) support (@jclab-joseph)
+
+--------------------------------------------------------------------------------
+LuaSec 1.2.0
+---------------
+This version includes:
+
+* Add key material export method
+* Backguard compat for openssl on providers, like LTS linuxes
+
+--------------------------------------------------------------------------------
+LuaSec 1.1.0
+---------------
+This version includes:
+
+* Fix missing DANE flag
+* Remove unused parameter in https.lua
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.2
+---------------
+This version includes:
+
+* Fix handle SSL_send SYSCALL error without errno
+* Fix off by one in cert:validat(notafter)
+* Fix meth_get_{sinagure => signature}_name function name
+* Fix update the Lua state reference on the selected SSL context after SNI
+* Fix ignore SSL_OP_BIT(n) macro and update option.c
+
+--------------------------------------------------------------------------------
+LuaSec 1.0.1
+---------------
+This version includes:
+
+
+* Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
+
 --------------------------------------------------------------------------------
 LuaSec 1.0
 ---------------

INSTALL

@@ -1,9 +1,9 @@
-LuaSec 1.0
+LuaSec 1.3.2
 ------------
 
 * OpenSSL options:
 
-    By default, this version includes options for OpenSSL 1.1.1.
+    By default, this version includes options for OpenSSL 3.0.8
 
     If you need to generate the options for a different version of OpenSSL:
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 1.0 license
-Copyright (C) 2006-2021 Bruno Silvestre, UFG
+LuaSec 1.3.2 license
+Copyright (C) 2006-2023 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

README.md

@@ -1,4 +1,4 @@
-LuaSec 1.0
+LuaSec 1.3.2
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.

luasec-1.3.2-1.rockspec

@@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "1.0-1"
+version = "1.3.2-1"
 source = {
-  url = "git://github.com/brunoos/luasec",
-  tag = "v1.0",
+  url = "git+https://github.com/brunoos/luasec",
+  tag = "v1.3.2",
 }
 description = {
    summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@@ -87,7 +87,7 @@ build = {
                   "$(OPENSSL_BINDIR)",
                },
                libraries = {
-                  "libssl32MD", "libcrypto32MD", "ws2_32"
+                  "libssl", "libcrypto", "ws2_32"
                },
                incdirs = {
                   "$(OPENSSL_INCDIR)", "src/", "src/luasocket"

luasec.vcxproj

@@ -61,7 +61,7 @@
       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)ssl.dll</OutputFile>
       <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>
@@ -85,7 +85,7 @@
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libssl32MD.lib;libcrypto32MD.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>

samples/README

@@ -45,6 +45,9 @@ Directories:
 * oneshot
  A simple connection example.
 
+* psk
+ PSK(Pre Shared Key) support.
+
 * sni
  Support to SNI (Server Name Indication).
 

samples/certs/all.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 ./rootA.sh
 ./rootB.sh
 ./clientA.sh

samples/certs/clientA.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch

samples/certs/clientB.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch

samples/certs/rootA.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 

samples/certs/rootB.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 

samples/certs/serverA.sh

@@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
-openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
 openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \

samples/certs/serverB.sh

@@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
-openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
 openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \

samples/chain/server.lua

@@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )
 
 print("----------------------------------------------------------------------")
 
-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
   util.show(cert)
+  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+  if k == 1 then
+    assert(cert:pem() == conn:getlocalcertificate():pem())
+  end
 end
 
 local f = io.open(params.certificate)

samples/psk/client.lua

@@ -0,0 +1,41 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+if not ssl.config.capabilities.psk then
+   print("[ERRO] PSK not available")
+   os.exit(1)
+end
+
+-- @param hint (nil | string)
+-- @param max_identity_len (number)
+-- @param max_psk_len (number)
+-- @return identity (string)
+-- @return PSK (string)
+local function pskcb(hint, max_identity_len, max_psk_len)
+   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
+   return "abcd", "1234"
+end
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   psk = pskcb,
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()

samples/psk/server.lua

@@ -0,0 +1,60 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+if not ssl.config.capabilities.psk then
+   print("[ERRO] PSK not available")
+   os.exit(1)
+end
+
+-- @param identity (string)
+-- @param max_psk_len (number)
+-- @return psk (string)
+local function pskcb(identity, max_psk_len)
+   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
+   if identity == "abcd" then
+     return "1234"
+  end
+  return nil
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   options = "all",
+
+-- PSK with just a callback
+   psk = pskcb,
+
+-- PSK with identity hint
+--   psk = {
+--      hint = "hintpsksample",
+--      callback = pskcb,
+--   },
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()

samples/shutdown/client.lua

@@ -0,0 +1,85 @@
+--
+-- Test the conn:shutdown() function
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   key = "../certs/clientAkey.pem",
+   certificate = "../certs/clientA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+-- Wait until socket is ready (for reading or writing)
+local function wait(peer)
+   -- What event blocked us?
+   local err = peer:want()
+   print("Want? ", err)
+
+   if err == "read" then
+      socket.select({peer}, nil)
+   elseif err == "write" then
+      socket.select(nil, {peer})
+   elseif err == "nothing" then
+      return
+   else
+      peer:close()
+      os.exit(1)
+   end
+end
+
+-- Send data
+local function send(peer, data)
+   local offset = 1
+   while true do
+      local succ, msg, part = peer:send(data, offset)
+      if succ then break end
+      if part then
+         offset = offset + part
+         wait(peer)
+      end
+  end
+end
+
+-- Start the TCP connection
+local peer = socket.tcp()
+peer:setoption('tcp-nodelay', true)
+
+assert(peer:connect("127.0.0.1", 8888))
+
+peer = assert(ssl.wrap(peer, params))
+local ctx = assert(ssl.newcontext(params))
+
+peer:settimeout(0.3)
+
+print("*** Handshake")
+
+while true do
+   local succ, msg = peer:dohandshake()
+   if succ then break end
+   wait(peer)
+end
+
+print("*** Send data")
+for i = 1, 10 do
+  send(peer, string.rep('1', 8192))
+end
+
+print("*** Shutdown")
+while true do
+   local succ, msg = peer:shutdown()
+   if succ then break end
+   print(succ, msg)
+   if msg ~= "inprogress" then
+      wait(peer)
+   end
+end
+
+print("*** Done")
+peer:close()

samples/shutdown/server.lua

@@ -0,0 +1,47 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "../certs/serverAkey.pem",
+   certificate = "../certs/serverA.pem",
+   cafile = "../certs/rootA.pem",
+   verify = {"peer", "fail_if_no_peer_cert"},
+   options = "all",
+}
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+
+assert(server:bind("127.0.0.1", 8888))
+server:listen()
+
+while true do
+  local peer = server:accept()
+  peer:setoption('tcp-nodelay', true)
+
+  print("*** New connection")
+
+  peer = assert( ssl.wrap(peer, ctx) )
+
+  print("*** Handshake")
+  assert( peer:dohandshake() )
+
+  print("*** Receive")
+  while true do
+    local str = peer:receive(1024)
+    if not str then break end
+    socket.sleep(0.1)
+  end
+
+  print("*** Done")
+  peer:close()
+end
+
+server:close()

src/compat.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -48,4 +48,16 @@
 
 //------------------------------------------------------------------------------
 
+#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L || (OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x30000000L)
+#define LSEC_OPENSSL_ERRNO_BUG
+#endif
+
+//------------------------------------------------------------------------------
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
+#define LSEC_ENABLE_PSK
+#endif
+
+//------------------------------------------------------------------------------
+
 #endif

src/config.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -74,11 +74,24 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
 
+#ifdef LSEC_ENABLE_PSK
+  lua_pushstring(L, "psk");
+  lua_pushboolean(L, 1);
+  lua_rawset(L, -3);
+#endif
+
 #ifdef LSEC_ENABLE_DANE
   // DANE
   lua_pushstring(L, "dane");
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  lua_createtable(L, 0, 1);
+  lua_pushstring(L, "no_ee_namechecks");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
+#else
+  lua_pushboolean(L, 1);
+#endif
+  lua_rawset(L, -3);
 #endif
 
 #ifndef OPENSSL_NO_EC

src/context.c

@@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                         Matthew Wild.
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -17,6 +16,7 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
 #include <openssl/dh.h>
 
 #include <lua.h>
@@ -707,15 +707,172 @@ static int set_alpn_cb(lua_State *L)
   return 1;
 }
 
+#if defined(LSEC_ENABLE_PSK)
+/**
+ * Callback to select the PSK.
+ */
+static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
+  unsigned int max_psk_len)
+{
+  size_t psk_len;
+  const char *ret_psk;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  lua_pushstring(L, identity);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 2, 1);
+
+  if (!lua_isstring(L, -1)) {
+    lua_pop(L, 2);
+    return 0;
+  }
+
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (psk_len == 0 || psk_len > max_psk_len)
+    psk_len = 0;
+  else
+    memcpy(psk, ret_psk, psk_len);
+
+  lua_pop(L, 2);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for server.
+ */
+static int set_server_psk_cb(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/*
+ * Set the PSK indentity hint.
+ */
+static int set_psk_identity_hint(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+  const char *hint = luaL_checkstring(L, 2);
+  int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
+  lua_pushboolean(L, ret);
+  return 1;
+}
+
+/*
+ * Client callback to PSK.
+ */
+static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
+  unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+{
+  size_t psk_len;
+  size_t identity_len;
+  const char *ret_psk;
+  const char *ret_identity;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  if (hint)
+    lua_pushstring(L, hint);
+  else
+    lua_pushnil(L);
+
+  // Leave space to '\0'
+  lua_pushinteger(L, max_identity_len-1);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 3, 2);
+
+  if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
+    lua_pop(L, 3);
+    return 0;
+  }
+
+  ret_identity = lua_tolstring(L, -2, &identity_len);
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (identity_len >= max_identity_len || psk_len > max_psk_len)
+    psk_len = 0;
+  else {
+    memcpy(identity, ret_identity, identity_len);
+    identity[identity_len] = 0;
+    memcpy(psk, ret_psk, psk_len);
+  }
+
+  lua_pop(L, 3);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for client.
+ */
+static int set_client_psk_cb(lua_State *L) {
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+#endif
+
 #if defined(LSEC_ENABLE_DANE)
 /*
  * DANE
  */
+static int dane_options[] = {
+  /* TODO move into options.c
+   * however this symbol is not from openssl/ssl.h but rather from
+   * openssl/x509_vfy.h
+   * */
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  DANE_FLAG_NO_DANE_EE_NAMECHECKS,
+#endif
+  0
+};
+static const char *dane_option_names[] = {
+#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
+  "no_ee_namechecks",
+#endif
+  NULL
+};
+
 static int set_dane(lua_State *L)
 {
-  int ret;
+  int ret, i;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   ret = SSL_CTX_dane_enable(ctx);
+  for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
+    ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
+  }
   lua_pushboolean(L, (ret > 0));
   return 1;
 }
@@ -738,6 +895,11 @@ static luaL_Reg funcs[] = {
   {"setdhparam",      set_dhparam},
   {"setverify",       set_verify},
   {"setoptions",      set_options},
+#if defined(LSEC_ENABLE_PSK)
+  {"setpskhint",      set_psk_identity_hint},
+  {"setserverpskcb",  set_server_psk_cb},
+  {"setclientpskcb",  set_client_psk_cb},
+#endif
   {"setmode",         set_mode},
 #if !defined(OPENSSL_NO_EC)
   {"setcurve",        set_curve},
@@ -771,6 +933,10 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:PSK:Registry");
+    lua_pushlightuserdata(L, (void*)ctx->context);
+    lua_pushnil(L);
+    lua_settable(L, -3);
 
     SSL_CTX_free(ctx->context);
     ctx->context = NULL;
@@ -913,9 +1079,10 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
  */
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
-  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks   */
-  luaL_newmetatable(L, "SSL:ALPN:Registry");    /* Keep all ALPN callbacks */
-  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags   */
+  luaL_newmetatable(L, "SSL:DH:Registry");        /* Keep all DH callbacks   */
+  luaL_newmetatable(L, "SSL:ALPN:Registry");      /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:PSK:Registry");       /* Keep all PSK callbacks */
+  luaL_newmetatable(L, "SSL:Verify:Registry");    /* Keep all verify flags   */
   luaL_newmetatable(L, "SSL:Context");
   setfuncs(L, meta);
 

src/context.h

@@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ec.c

@@ -1,3 +1,10 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.2
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
 #include <openssl/objects.h>
 
 #include "ec.h"

src/ec.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/https.lua

@@ -1,6 +1,7 @@
 ----------------------------------------------------------------------------
--- LuaSec 1.0
--- Copyright (C) 2009-2021 PUC-Rio
+-- LuaSec 1.3.2
+--
+-- Copyright (C) 2009-2023 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -18,8 +19,8 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "1.0",
-  _COPYRIGHT = "LuaSec 1.0 - Copyright (C) 2009-2021 PUC-Rio",
+  _VERSION   = "1.3.2",
+  _COPYRIGHT = "LuaSec 1.3.2 - Copyright (C) 2009-2023 PUC-Rio",
   PORT       = 443,
   TIMEOUT    = 60
 }
@@ -93,7 +94,7 @@ local function tcp(params)
          self.sock:sni(host)
          self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
-         reg(self, getmetatable(self.sock))
+         reg(self)
          return 1
       end
       return conn

src/luasocket/buffer.c

@@ -78,9 +78,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     const char *data = luaL_checklstring(L, 2, &size);
     long start = (long) luaL_optnumber(L, 3, 1);
     long end = (long) luaL_optnumber(L, 4, -1);
-#ifdef LUASOCKET_DEBUG
-    p_timeout tm = timeout_markstart(buf->tm);
-#endif
+    timeout_markstart(buf->tm);
     if (start < 0) start = (long) (size+start+1);
     if (end < 0) end = (long) (size+end+1);
     if (start < 1) start = (long) 1;
@@ -98,7 +96,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     }
 #ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
     return lua_gettop(L) - top;
 }
@@ -107,13 +105,17 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
 * object:receive() interface
 \*-------------------------------------------------------------------------*/
 int buffer_meth_receive(lua_State *L, p_buffer buf) {
-    int err = IO_DONE, top = lua_gettop(L);
     luaL_Buffer b;
     size_t size;
-    const char *part = luaL_optlstring(L, 3, "", &size);
-#ifdef LUASOCKET_DEBUG
-    p_timeout tm = timeout_markstart(buf->tm);
-#endif
+    const char *part;
+    int err = IO_DONE;
+    int top = lua_gettop(L);
+    if (top < 3) {
+        lua_settop(L, 3);
+        top = 3;
+    }
+    part = luaL_optlstring(L, 3, "", &size);
+    timeout_markstart(buf->tm);
     /* initialize buffer with optional extra prefix 
      * (useful for concatenating previous partial results) */
     luaL_buffinit(L, &b);
@@ -149,7 +151,7 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
     }
 #ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
 #endif
     return lua_gettop(L) - top;
 }

src/luasocket/usocket.c

@@ -82,7 +82,6 @@ int socket_close(void) {
 \*-------------------------------------------------------------------------*/
 void socket_destroy(p_socket ps) {
     if (*ps != SOCKET_INVALID) {
-        socket_setblocking(ps);
         close(*ps);
         *ps = SOCKET_INVALID;
     }
@@ -426,7 +425,9 @@ const char *socket_gaistrerror(int err) {
         case EAI_MEMORY: return "memory allocation failure";
         case EAI_NONAME: 
             return "host or service not provided, or not known";
+#ifdef EAI_OVERFLOW
         case EAI_OVERFLOW: return "argument buffer overflow";
+#endif
 #ifdef EAI_PROTOCOL
         case EAI_PROTOCOL: return "resolved protocol is unknown";
 #endif

src/options.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -13,13 +13,16 @@
 
 
 /* 
-  OpenSSL version: OpenSSL 1.1.1
+  OpenSSL version: OpenSSL 3.0.8
 */
 
 static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_ALL)
   {"all", SSL_OP_ALL},
 #endif
+#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
+  {"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
+#endif
 #if defined(SSL_OP_ALLOW_NO_DHE_KEX)
   {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
 #endif
@@ -32,21 +35,33 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_CISCO_ANYCONNECT)
   {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
 #endif
+#if defined(SSL_OP_CLEANSE_PLAINTEXT)
+  {"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
+#endif
 #if defined(SSL_OP_COOKIE_EXCHANGE)
   {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
 #endif
 #if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
   {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
 #endif
+#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
+  {"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
+#endif
 #if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
   {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
 #endif
+#if defined(SSL_OP_ENABLE_KTLS)
+  {"enable_ktls", SSL_OP_ENABLE_KTLS},
+#endif
 #if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
   {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
 #endif
 #if defined(SSL_OP_EPHEMERAL_RSA)
   {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+  {"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
+#endif
 #if defined(SSL_OP_LEGACY_SERVER_CONNECT)
   {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
 #endif
@@ -89,6 +104,9 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
   {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
 #endif
+#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
+  {"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
+#endif
 #if defined(SSL_OP_NO_QUERY_MTU)
   {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif

src/options.h

@@ -2,9 +2,9 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/options.lua

@@ -4,7 +4,7 @@ local function usage()
   print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
   print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -18,9 +18,9 @@ end
 local function generate(options, version)
   print([[
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -60,9 +60,12 @@ local function loadoptions(file)
   local options = {}
   local f = assert(io.open(file, "r"))
   for line in f:lines() do
-    local op = string.match(line, "define%s+(SSL_OP_%S+)")
-    if op then
-      table.insert(options, op)
+    local op = string.match(line, "define%s+(SSL_OP_BIT%()")
+    if not op then
+      op = string.match(line, "define%s+(SSL_OP_%S+)")
+      if op then
+        table.insert(options, op)
+      end
     end
   end
   table.sort(options, function(a,b) return a<b end)

src/ssl.c

@@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                         Matthew Wild.
- * Copyright (C) 2006-2021 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -12,6 +11,9 @@
 
 #if defined(WIN32)
 #include <winsock2.h>
+#define LSEC_ERR_INPROGRESS WSAEINPROGRESS
+#else
+#define LSEC_ERR_INPROGRESS EINPROGRESS
 #endif
 
 #include <openssl/ssl.h>
@@ -48,6 +50,11 @@ static int lsec_socket_error()
 #if defined(WIN32)
   return WSAGetLastError();
 #else
+#if defined(LSEC_OPENSSL_ERRNO_BUG)
+  // Bug in OpenSSL
+  if (errno == 0)
+    return LSEC_IO_SSL;
+#endif
   return errno;
 #endif
 }
@@ -148,6 +155,46 @@ static int handshake(p_ssl ssl)
   return IO_UNKNOWN;
 }
 
+/**
+ * Perform the TLS/SSL shutdown
+ */
+static int low_shutdown(p_ssl ssl)
+{
+  int err;
+  p_timeout tm = timeout_markstart(&ssl->tm);
+  if (ssl->state == LSEC_STATE_CLOSED)
+    return IO_CLOSED;
+  for ( ; ; ) {
+    ERR_clear_error();
+    err = SSL_shutdown(ssl->ssl);
+    if (err == 0) return LSEC_ERR_INPROGRESS;
+    if (err == 1) return IO_DONE;
+    ssl->error = SSL_get_error(ssl->ssl, err);
+    switch (ssl->error) {
+    case SSL_ERROR_WANT_READ:
+      err = socket_waitfd(&ssl->sock, WAITFD_R, tm);
+      if (err == IO_TIMEOUT) return LSEC_IO_SSL;
+      if (err != IO_DONE)    return err;
+      break;
+    case SSL_ERROR_WANT_WRITE:
+      err = socket_waitfd(&ssl->sock, WAITFD_W, tm);
+      if (err == IO_TIMEOUT) return LSEC_IO_SSL;
+      if (err != IO_DONE)    return err;
+      break;
+    case SSL_ERROR_SYSCALL:
+      if (ERR_peek_error())  {
+        ssl->error = SSL_ERROR_SSL;
+        return LSEC_IO_SSL;
+      }
+      if (err == 0) return IO_CLOSED;
+      return lsec_socket_error();
+    default:
+      return LSEC_IO_SSL;
+    }
+  }
+  return IO_UNKNOWN;
+}
+
 /**
  * Send data
  */
@@ -403,6 +450,21 @@ static int meth_handshake(lua_State *L)
   return 2;
 }
 
+/**
+ * Lua shutdown function.
+ */
+static int meth_shutdown(lua_State *L) {
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  int err = low_shutdown(ssl);
+  if (err == IO_DONE) {
+    lua_pushboolean(L, 1);
+    return 1;
+  }
+  lua_pushboolean(L, 0);
+  lua_pushstring(L, (err == LSEC_ERR_INPROGRESS) ? "inprogress" : ssl_ioerror((void*)ssl, err));
+  return 2;
+}
+
 /**
  * Close the connection.
  */
@@ -525,6 +587,58 @@ static int meth_getpeercertificate(lua_State *L)
   return 1;
 }
 
+/**
+ * Return the nth certificate of the chain sent to our peer.
+ */
+static int meth_getlocalcertificate(lua_State *L)
+{
+  int n;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  /* Default to the first cert */
+  n = (int)luaL_optinteger(L, 2, 1);
+  /* This function is 1-based, but OpenSSL is 0-based */
+  --n;
+  if (n < 0) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "invalid certificate index");
+    return 2;
+  }
+  if (n == 0) {
+    cert = SSL_get_certificate(ssl->ssl);
+    if (cert)
+      lsec_pushx509(L, cert);
+    else
+      lua_pushnil(L);
+    return 1;
+  }
+  /* In a server-context, the stack doesn't contain the peer cert,
+   * so adjust accordingly.
+   */
+  if (SSL_is_server(ssl->ssl))
+    --n;
+  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
+    lua_pushnil(L);
+  } else {
+    if (n >= sk_X509_num(certs)) {
+      lua_pushnil(L);
+      return 1;
+    }
+    cert = sk_X509_value(certs, n);
+    /* Increment the reference counting of the object. */
+    /* See SSL_get_peer_certificate() source code.     */
+    X509_up_ref(cert);
+    lsec_pushx509(L, cert);
+  }
+  return 1;
+}
+
 /**
  * Return the chain of certificate of the peer.
  */
@@ -559,6 +673,41 @@ static int meth_getpeerchain(lua_State *L)
   return 1;
 }
 
+/**
+ * Return the chain of certificates sent to the peer.
+ */
+static int meth_getlocalchain(lua_State *L)
+{
+  int i;
+  int idx = 1;
+  int n_certs;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  lua_newtable(L);
+  if (SSL_is_server(ssl->ssl)) {
+    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
+    lua_rawseti(L, -2, idx++);
+  }
+  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
+    n_certs = sk_X509_num(certs);
+    for (i = 0; i < n_certs; i++) {
+      cert = sk_X509_value(certs, i);
+      /* Increment the reference counting of the object. */
+      /* See SSL_get_peer_certificate() source code.     */
+      X509_up_ref(cert);
+      lsec_pushx509(L, cert);
+      lua_rawseti(L, -2, idx++);
+    }
+  }
+  return 1;
+}
+
 /**
  * Copy the table src to the table dst.
  */
@@ -666,6 +815,41 @@ static int meth_getpeerfinished(lua_State *L)
   return 1;
 }
 
+/**
+ * Get some shared keying material
+ */
+static int meth_exportkeyingmaterial(lua_State *L)
+{
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+
+  if(ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 0;
+  }
+
+  size_t llen = 0;
+  size_t contextlen = 0;
+  const unsigned char *context = NULL;
+  const char *label = (const char*)luaL_checklstring(L, 2, &llen);
+  size_t olen = (size_t)luaL_checkinteger(L, 3);
+
+  if (!lua_isnoneornil(L, 4))
+    context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
+
+  /* Temporary buffer memory-managed by Lua itself */
+  unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
+
+  if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
+    lua_pushnil(L);
+    lua_pushstring(L, "error exporting keying material");
+    return 2;
+  }
+
+  lua_pushlstring(L, (char*)out, olen);
+  return 1;
+}
+
 /**
  * Object information -- tostring metamethod
  */
@@ -742,6 +926,8 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
   lua_pop(L, 4);
   /* Found, use this context */
   if (newctx) {
+    p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
+    pctx->L = L;
     SSL_set_SSL_CTX(ssl, newctx);
     return SSL_TLSEXT_ERR_OK;
   }
@@ -819,7 +1005,7 @@ static int meth_getalpn(lua_State *L)
 
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 1.0 - Copyright (C) 2006-2021 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.3.2 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -862,13 +1048,17 @@ static int meth_tlsa(lua_State *L)
  */
 static luaL_Reg methods[] = {
   {"close",               meth_close},
+  {"shutdown",            meth_shutdown},
   {"getalpn",             meth_getalpn},
   {"getfd",               meth_getfd},
   {"getfinished",         meth_getfinished},
   {"getpeercertificate",  meth_getpeercertificate},
+  {"getlocalcertificate", meth_getlocalcertificate},
   {"getpeerchain",        meth_getpeerchain},
+  {"getlocalchain",       meth_getlocalchain},
   {"getpeerverification", meth_getpeerverification},
   {"getpeerfinished",     meth_getpeerfinished},
+  {"exportkeyingmaterial",meth_exportkeyingmaterial},
   {"getsniname",          meth_getsniname},
   {"getstats",            meth_getstats},
   {"setstats",            meth_setstats},

src/ssl.h

@@ -2,9 +2,9 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2006-2021 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.lua

@@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
--- LuaSec 1.0
+-- LuaSec 1.3.2
 --
--- Copyright (C) 2006-2021 Bruno Silvestre
+-- Copyright (C) 2006-2023 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
@@ -201,8 +201,39 @@ local function newcontext(cfg)
       if not succ then return nil, msg end
    end
 
+   -- PSK
+   if config.capabilities.psk and cfg.psk then
+      if cfg.mode == "client" then
+         if type(cfg.psk) ~= "function" then
+            return nil, "invalid PSK configuration"
+         end
+         succ = context.setclientpskcb(ctx, cfg.psk)
+         if not succ then return nil, msg end
+      elseif cfg.mode == "server" then
+         if type(cfg.psk) == "function" then
+            succ, msg = context.setserverpskcb(ctx, cfg.psk)
+            if not succ then return nil, msg end
+         elseif type(cfg.psk) == "table" then
+            if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
+               succ, msg = context.setpskhint(ctx, cfg.psk.hint)
+               if not succ then return succ, msg end
+               succ = context.setserverpskcb(ctx, cfg.psk.callback)
+               if not succ then return succ, msg end
+            else
+               return nil, "invalid PSK configuration"
+            end
+         else
+            return nil, "invalid PSK configuration"
+         end
+      end
+   end
+
    if config.capabilities.dane and cfg.dane then
-      context.setdane(ctx)
+      if type(cfg.dane) == "table" then
+         context.setdane(ctx, unpack(cfg.dane))
+      else
+         context.setdane(ctx)
+      end
    end
 
    return ctx
@@ -271,7 +302,7 @@ core.setmethod("info", info)
 --
 
 local _M = {
-  _VERSION        = "1.0",
+  _VERSION        = "1.3.2",
   _COPYRIGHT      = core.copyright(),
   config          = config,
   loadcertificate = x509.load,

src/x509.c

@@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -485,10 +485,13 @@ static int meth_digest(lua_State* L)
  */
 static int meth_valid_at(lua_State* L)
 {
+  int nb, na;
   X509* cert = lsec_checkx509(L, 1);
   time_t time = luaL_checkinteger(L, 2);
-  lua_pushboolean(L, (X509_cmp_time(X509_get0_notAfter(cert), &time)     >= 0
-                      && X509_cmp_time(X509_get0_notBefore(cert), &time) <= 0));
+  nb = X509_cmp_time(X509_get0_notBefore(cert), &time);
+  time -= 1;
+  na = X509_cmp_time(X509_get0_notAfter(cert),  &time);
+  lua_pushboolean(L, nb == -1 && na == 1);
   return 1;
 }
 
@@ -652,10 +655,11 @@ static int meth_set_encode(lua_State* L)
   return 1;
 }
 
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 /**
  * Get signature name.
  */
-static int meth_get_sinagure_name(lua_State* L)
+static int meth_get_signature_name(lua_State* L)
 {
   p_x509 px = lsec_checkp_x509(L, 1);
   int nid = X509_get_signature_nid(px->cert);
@@ -666,6 +670,7 @@ static int meth_get_sinagure_name(lua_State* L)
     lua_pushstring(L, name);
   return 1;
 }
+#endif
 
 /*---------------------------------------------------------------------------*/
 
@@ -695,7 +700,9 @@ static luaL_Reg methods[] = {
   {"digest",     meth_digest},
   {"setencode",  meth_set_encode},
   {"extensions", meth_extensions},
-  {"getsignaturename", meth_get_sinagure_name},
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+  {"getsignaturename", meth_get_signature_name},
+#endif
   {"issuer",     meth_issuer},
   {"notbefore",  meth_notbefore},
   {"notafter",   meth_notafter},

src/x509.h

@@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.0
+ * LuaSec 1.3.2
  *
- * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2013-2023 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/