18 Commits
v1.0 ... v1.1.0

df27c62f4c Update source protocol on rockspec 2022-04-13 10:46:36 -03:00
09691fe782 Update rockspec 2022-04-13 10:38:18 -03:00
3a71559e13 Update version number 2022-04-13 10:35:06 -03:00
3f04fd7529 Removing useless code 2022-04-04 15:48:22 -03:00
d7161ca026 Merge pull request #179 from Zash/dane_no_hostname
Support passing DANE flags
2022-01-05 09:35:10 -03:00
65ee83275b Support passing DANE flags
The only flag at the moment is one that disables name checks, which is
needed for certain protocols such as XMPP.
2022-01-01 19:42:09 +01:00
ef14b27a2c Update CHANGELOG 2021-08-14 10:28:09 -03:00
316bea078c Update version to LuaSec 1.0.2 2021-08-14 10:16:35 -03:00
79bbc0bc3e Ignore SSL_OP_BIT(n) macro and update option.c #178 2021-08-02 17:02:44 -03:00
8cba350f37 Update the Lua state reference on the selected SSL context after SNI
Thanks Kim Alvefur
2021-08-02 16:13:12 -03:00
eedebb2477 Merge pull request #176 from linusg/fix-method-name
Fix meth_get_{sinagure => signature}_name function name
2021-07-14 13:05:09 -03:00
c1e28e9132 Fix meth_get_{sinagure => signature}_name function name 2021-07-10 12:47:53 +01:00
cdcf5fdb30 Off by one in cert:validat(notafter) #173 2021-06-23 13:35:49 -03:00
bdbc67b188 Move the fix of SSL_get_error() in OpenSSL 1.1.1
Moving to lsec_socket_error() coverts better 'errno == 0' with SSL_ERROR_SYSCALL.
2021-05-29 10:11:02 -03:00
359151144b Merge pull request #172 from edzius/master
Handle SSL_send SYSCALL error without errno
https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html
2021-05-29 09:38:29 -03:00
d6b2fd7d35 Handle SSL_send SYSCALL error without errno
Either intentionaly or due to bug in openssl in some marginal
cases SSL_send reports SYSCALL error whilst errno is set to 0.
This either could mean that SSL_send did not made any system
call or errno were prematurely reset with consequent syscalls.
And in consequence sendraw() is not propagate correct errno
ends up in infinite loop trying to send same data.

Such behaviour was usually observed after third consequential
failed SSL send attempt which application was not aware of.
First send failed with syscall errno 32 (Broken pipe) second
one with SSL error 0x1409e10f (bad length) and lastly next
send attemt results with SYSCALL error and errno 0.

Tested using:
* OpenSSL v1.1.1
* musl v1.1.20 (c50985d5c8e316c5c464f352e79eeebfed1121a9)
* Linux 4.4.60+yocto armv7l
2021-05-21 21:20:19 +03:00
d5df315617 Update version and rockspec 2021-04-26 09:16:05 -03:00
34252fb10a Set parameter 2 and 3 to none before luaL_buffinit() 2021-04-26 08:37:09 -03:00
20 changed files with 158 additions and 56 deletions


@ -1,3 +1,30 @@
--------------------------------------------------------------------------------
LuaSec 1.1.0
---------------
This version includes:
* Fix missing DANE flag
* Remove unused parameter in https.lua
--------------------------------------------------------------------------------
LuaSec 1.0.2
---------------
This version includes:
* Fix handle SSL_send SYSCALL error without errno
* Fix off by one in cert:validat(notafter)
* Fix meth_get_{sinagure => signature}_name function name
* Fix update the Lua state reference on the selected SSL context after SNI
* Fix ignore SSL_OP_BIT(n) macro and update option.c
--------------------------------------------------------------------------------
LuaSec 1.0.1
---------------
This version includes:
* Fix luaL_buffinit() can use the stack and broke buffer_meth_receive()
--------------------------------------------------------------------------------
LuaSec 1.0
---------------


@ -1,9 +1,9 @@
LuaSec 1.0
LuaSec 1.1.0
------------
* OpenSSL options:
By default, this version includes options for OpenSSL 1.1.1.
By default, this version includes options for OpenSSL 3.0.0 beta2
If you need to generate the options for a different version of OpenSSL:


@ -1,5 +1,5 @@
LuaSec 1.0 license
Copyright (C) 2006-2021 Bruno Silvestre, UFG
LuaSec 1.1.0 license
Copyright (C) 2006-2022 Bruno Silvestre, UFG
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the


@ -1,4 +1,4 @@
LuaSec 1.0
LuaSec 1.1.0
===============
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.


@ -1,8 +1,8 @@
package = "LuaSec"
version = "1.0-1"
version = "1.1.0-1"
source = {
url = "git://github.com/brunoos/luasec",
tag = "v1.0",
url = "git+https://github.com/brunoos/luasec",
tag = "v1.1.0",
}
description = {
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -48,4 +48,10 @@
//------------------------------------------------------------------------------
#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L)
#define LSEC_OPENSSL_1_1_1
#endif
//------------------------------------------------------------------------------
#endif


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre.
* Copyright (C) 2006-2022 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -77,8 +77,15 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
#ifdef LSEC_ENABLE_DANE
// DANE
lua_pushstring(L, "dane");
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
lua_createtable(L, 0, 1);
lua_pushstring(L, "no_ee_namechecks");
lua_pushboolean(L, 1);
lua_rawset(L, -3);
#else
lua_pushboolean(L, 1);
#endif
lua_rawset(L, -3);
#endif
#ifndef OPENSSL_NO_EC
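Review bot: The value published under `capabilities.dane` changes shape here: it is a table of supported flag names when DANE_FLAG_NO_DANE_EE_NAMECHECKS is available and a plain `true` otherwise, and nothing in the hunk records that for the Lua side, which now branches on `type(cfg.dane) == "table"` elsewhere. A comment above the `#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS` line such as `// capabilities.dane: table of accepted flag names, or true when the build supports none` would make the contract visible to readers of both sides. The stack discipline looks right to me (the inner `lua_rawset(L, -3)` fills the flags table, the outer one stores it under "dane"). The body of luaopen_ssl_config starts outside the hunk.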


@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2021 Bruno Silvestre.
* Copyright (C) 2006-2022 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -17,6 +17,7 @@
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/dh.h>
#include <lua.h>
@ -711,11 +712,31 @@ static int set_alpn_cb(lua_State *L)
/*
* DANE
*/
static int dane_options[] = {
/* TODO move into options.c
* however this symbol is not from openssl/ssl.h but rather from
* openssl/x509_vfy.h
* */
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
DANE_FLAG_NO_DANE_EE_NAMECHECKS,
#endif
0
};
static const char *dane_option_names[] = {
#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
"no_ee_namechecks",
#endif
NULL
};
static int set_dane(lua_State *L)
{
int ret;
int ret, i;
SSL_CTX *ctx = lsec_checkcontext(L, 1);
ret = SSL_CTX_dane_enable(ctx);
for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
}
lua_pushboolean(L, (ret > 0));
return 1;
}
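Review bot: The loop in set_dane treats the return of `SSL_CTX_dane_set_flags()` as a success indicator, but as far as I recall that function returns the flags that were previously in effect, so the first call on a context with no prior flags yields 0, the loop stops, and set_dane reports `false` even though the flag was applied; keeping `ret` as the result of `SSL_CTX_dane_enable()` and calling `SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);` as a statement avoids that. The flags argument of that API is an `unsigned long`, so `static unsigned long dane_options[]` would match it rather than `int`. When the build lacks the flag, `dane_option_names` is just `{NULL}` and `luaL_checkoption` raises for any name passed, which is the right fail-closed behaviour; a one-line comment on the table saying so would save the next reader the lookup.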


@ -2,9 +2,9 @@
#define LSEC_CONTEXT_H
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/


@ -1,6 +1,6 @@
----------------------------------------------------------------------------
-- LuaSec 1.0
-- Copyright (C) 2009-2021 PUC-Rio
-- LuaSec 1.1.0
-- Copyright (C) 2009-2022 PUC-Rio
--
-- Author: Pablo Musa
-- Author: Tomas Guisasola
@ -18,8 +18,8 @@ local try = socket.try
-- Module
--
local _M = {
_VERSION = "1.0",
_COPYRIGHT = "LuaSec 1.0 - Copyright (C) 2009-2021 PUC-Rio",
_VERSION = "1.1.0",
_COPYRIGHT = "LuaSec 1.1.0 - Copyright (C) 2009-2022 PUC-Rio",
PORT = 443,
TIMEOUT = 60
}
@ -93,7 +93,7 @@ local function tcp(params)
self.sock:sni(host)
self.sock:settimeout(_M.TIMEOUT)
try(self.sock:dohandshake())
reg(self, getmetatable(self.sock))
reg(self)
return 1
end
return conn


@ -107,10 +107,16 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
* object:receive() interface
\*-------------------------------------------------------------------------*/
int buffer_meth_receive(lua_State *L, p_buffer buf) {
int err = IO_DONE, top = lua_gettop(L);
luaL_Buffer b;
size_t size;
const char *part = luaL_optlstring(L, 3, "", &size);
const char *part;
int err = IO_DONE;
int top = lua_gettop(L);
if (top < 3) {
lua_settop(L, 3);
top = 3;
}
part = luaL_optlstring(L, 3, "", &size);
#ifdef LUASOCKET_DEBUG
p_timeout tm = timeout_markstart(buf->tm);
#endif
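Review bot: The `if (top < 3) { lua_settop(L, 3); top = 3; }` block has no comment saying why the stack is padded, and the reason is only recoverable from the commit title and the changelog entry about luaL_buffinit() using the stack. A why-comment above it, `/* luaL_buffinit() may use stack slots; make sure arguments 2 and 3 exist before the buffer is created */`, keeps the next maintainer from "simplifying" it away. Reading `part` via `luaL_optlstring(L, 3, "", &size)` after the padding still yields the default "" for a missing argument, so behaviour for callers is unchanged. The rest of buffer_meth_receive continues outside the hunk.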


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -13,13 +13,16 @@
/*
OpenSSL version: OpenSSL 1.1.1
OpenSSL version: OpenSSL 3.0.0-beta2
*/
static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_ALL)
{"all", SSL_OP_ALL},
#endif
#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
{"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
#endif
#if defined(SSL_OP_ALLOW_NO_DHE_KEX)
{"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
#endif
@ -32,21 +35,33 @@ static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_CISCO_ANYCONNECT)
{"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
#endif
#if defined(SSL_OP_CLEANSE_PLAINTEXT)
{"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
#endif
#if defined(SSL_OP_COOKIE_EXCHANGE)
{"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
#endif
#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
{"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
#endif
#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
{"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
#endif
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
{"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
#endif
#if defined(SSL_OP_ENABLE_KTLS)
{"enable_ktls", SSL_OP_ENABLE_KTLS},
#endif
#if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
{"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
#endif
#if defined(SSL_OP_EPHEMERAL_RSA)
{"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
#endif
#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
{"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
#endif
#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
{"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
#endif
@ -89,6 +104,9 @@ static lsec_ssl_option_t ssl_options[] = {
#if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
{"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
#endif
#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
{"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
#endif
#if defined(SSL_OP_NO_QUERY_MTU)
{"no_query_mtu", SSL_OP_NO_QUERY_MTU},
#endif


@ -2,9 +2,9 @@
#define LSEC_OPTIONS_H
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/


@ -4,7 +4,7 @@ local function usage()
print(" lua options.lua -g /path/to/ssl.h [version] > options.c")
print("* Examples:")
print(" lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
print(" lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
print(" lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
print("* List options of your system:")
print(" lua options.lua -l /path/to/ssl.h\n")
@ -18,9 +18,9 @@ end
local function generate(options, version)
print([[
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@ -60,9 +60,12 @@ local function loadoptions(file)
local options = {}
local f = assert(io.open(file, "r"))
for line in f:lines() do
local op = string.match(line, "define%s+(SSL_OP_%S+)")
if op then
table.insert(options, op)
local op = string.match(line, "define%s+(SSL_OP_BIT%()")
if not op then
op = string.match(line, "define%s+(SSL_OP_%S+)")
if op then
table.insert(options, op)
end
end
end
table.sort(options, function(a,b) return a<b end)
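Review bot: In loadoptions the local `op` is reused for two unrelated matches (first the `SSL_OP_BIT(` macro marker, then the real option name), which makes the nested `if not op then ... if op then` harder to read than the intent of "skip the SSL_OP_BIT definition line, collect everything else". A guard with a separate test reads more directly: `if not string.find(line, "define%s+SSL_OP_BIT%(") then` followed by `local op = string.match(line, "define%s+(SSL_OP_%S+)")` and the existing `if op then table.insert(options, op) end`. This only changes the shape of the code, not which lines are kept. The remainder of loadoptions lies outside the hunk.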


@ -1,9 +1,9 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
* Matthew Wild.
* Copyright (C) 2006-2021 Bruno Silvestre.
* Copyright (C) 2006-2022 Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -48,6 +48,11 @@ static int lsec_socket_error()
#if defined(WIN32)
return WSAGetLastError();
#else
#if defined(LSEC_OPENSSL_1_1_1)
// Bug in OpenSSL 1.1.1
if (errno == 0)
return LSEC_IO_SSL;
#endif
return errno;
#endif
}
@ -742,6 +747,8 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
lua_pop(L, 4);
/* Found, use this context */
if (newctx) {
p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
pctx->L = L;
SSL_set_SSL_CTX(ssl, newctx);
return SSL_TLSEXT_ERR_OK;
}
@ -819,7 +826,7 @@ static int meth_getalpn(lua_State *L)
static int meth_copyright(lua_State *L)
{
lua_pushstring(L, "LuaSec 1.0 - Copyright (C) 2006-2021 Bruno Silvestre, UFG"
lua_pushstring(L, "LuaSec 1.1.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
#if defined(WITH_LUASOCKET)
"\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
#endif
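Review bot: In sni_cb the new lines dereference `SSL_CTX_get_app_data(newctx)` without checking for NULL before writing `pctx->L = L;`. If every SSL_CTX that can be found here is created by this module with its app data set, the check is redundant, but that invariant is not visible in the hunk and a missing app-data pointer would crash inside the TLS handshake; `if (pctx) pctx->L = L;` is cheap insurance, or a comment stating the invariant if it is guaranteed. Separately, the `// Bug in OpenSSL 1.1.1` line in lsec_socket_error is terse for a workaround; a comment noting that SSL_ERROR_SYSCALL may arrive with errno == 0 and that mapping it to LSEC_IO_SSL stops the caller from retrying forever (the situation the commit message describes) would explain the branch. Both enclosing functions start outside the hunk.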


@ -2,9 +2,9 @@
#define LSEC_SSL_H
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2006-2021 Bruno Silvestre
* Copyright (C) 2006-2022 Bruno Silvestre
*
*--------------------------------------------------------------------------*/


@ -1,7 +1,7 @@
------------------------------------------------------------------------------
-- LuaSec 1.0
-- LuaSec 1.1.0
--
-- Copyright (C) 2006-2021 Bruno Silvestre
-- Copyright (C) 2006-2022 Bruno Silvestre
--
------------------------------------------------------------------------------
@ -202,7 +202,11 @@ local function newcontext(cfg)
end
if config.capabilities.dane and cfg.dane then
context.setdane(ctx)
if type(cfg.dane) == "table" then
context.setdane(ctx, unpack(cfg.dane))
else
context.setdane(ctx)
end
end
return ctx
@ -271,7 +275,7 @@ core.setmethod("info", info)
--
local _M = {
_VERSION = "1.0",
_VERSION = "1.1.0",
_COPYRIGHT = core.copyright(),
config = config,
loadcertificate = x509.load,
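Review bot: `context.setdane(ctx, unpack(cfg.dane))` in newcontext relies on a global `unpack`, which exists in Lua 5.1 but was moved to `table.unpack` in 5.2 and later, so on those interpreters this line raises "attempt to call a nil value" unless the module already defines a compatibility alias outside the hunk. If no such alias exists, `local unpack = table.unpack or unpack` near the top of the module, or `(table.unpack or unpack)(cfg.dane)` at the call site, covers both. A non-string entry in `cfg.dane` will be rejected by the C side's option lookup, which is the right failure mode, but a short comment that `cfg.dane` is either `true` or a list of flag names would document the accepted shapes. The rest of newcontext is outside the hunk.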


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/
@ -485,10 +485,13 @@ static int meth_digest(lua_State* L)
*/
static int meth_valid_at(lua_State* L)
{
int nb, na;
X509* cert = lsec_checkx509(L, 1);
time_t time = luaL_checkinteger(L, 2);
lua_pushboolean(L, (X509_cmp_time(X509_get0_notAfter(cert), &time) >= 0
&& X509_cmp_time(X509_get0_notBefore(cert), &time) <= 0));
nb = X509_cmp_time(X509_get0_notBefore(cert), &time);
time -= 1;
na = X509_cmp_time(X509_get0_notAfter(cert), &time);
lua_pushboolean(L, nb == -1 && na == 1);
return 1;
}
@ -655,7 +658,7 @@ static int meth_set_encode(lua_State* L)
/**
* Get signature name.
*/
static int meth_get_sinagure_name(lua_State* L)
static int meth_get_signature_name(lua_State* L)
{
p_x509 px = lsec_checkp_x509(L, 1);
int nid = X509_get_signature_nid(px->cert);
@ -695,7 +698,7 @@ static luaL_Reg methods[] = {
{"digest", meth_digest},
{"setencode", meth_set_encode},
{"extensions", meth_extensions},
{"getsignaturename", meth_get_sinagure_name},
{"getsignaturename", meth_get_signature_name},
{"issuer", meth_issuer},
{"notbefore", meth_notbefore},
{"notafter", meth_notafter},
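Review bot: The `time -= 1;` before the notAfter comparison in meth_valid_at is the whole point of the fix but carries no explanation, so it reads like a stray adjustment. If I read X509_cmp_time() correctly it never reports equality, so comparing notAfter against `time - 1` is what makes a certificate that expires exactly at `time` still count as valid; a comment such as `/* X509_cmp_time() has no "equal" result: compare notAfter with time-1 so notAfter == time is still valid; 0 (error) from either call fails closed */` above that line would record both the trick and the safe handling of the error return. The check `nb == -1 && na == 1` indeed treats the 0 error result as invalid, which is the conservative choice. The function is fully inside the hunk.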


@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
* LuaSec 1.0
* LuaSec 1.1.0
*
* Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
* Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
* Matthew Wild, Bruno Silvestre.
*
*--------------------------------------------------------------------------*/