Some minor adjusts in parameters and script

Merge pull request #192 from mwild1/conn-local-cert-methods
ssl: Add :getlocalchain() + :getlocalcertificate() to mirror peer methods
2025-07-20 16:00:07 +02:00 · 2022-12-12 18:19:37 -03:00 · 2022-10-06 16:48:57 -03:00 · 2022-09-21 18:40:10 +01:00 · 2022-07-30 08:42:53 -03:00 · 2022-07-30 08:41:46 -03:00
27 changed files with 189 additions and 33 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+--------------------------------------------------------------------------------
+LuaSec 1.2.0
+---------------
+This version includes:
+
+* Add key material export method
+* Backguard compat for openssl on providers, like LTS linuxes
+
 --------------------------------------------------------------------------------
 LuaSec 1.1.0
 ---------------
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-LuaSec 1.1.0
+LuaSec 1.2.0
 ------------

 * OpenSSL options:
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-LuaSec 1.1.0 license
+LuaSec 1.2.0 license
 Copyright (C) 2006-2022 Bruno Silvestre, UFG

 Permission is hereby granted, free  of charge, to any person obtaining
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-LuaSec 1.1.0
+LuaSec 1.2.0
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
--- a/luasec-1.2.0-1.rockspec
+++ b/luasec-1.2.0-1.rockspec
@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "1.1.0-1"
+version = "1.2.0-1"
 source = {
  url = "git+https://github.com/brunoos/luasec",
-  tag = "v1.1.0",
+  tag = "v1.2.0",
 }
 description = {
   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
--- a/samples/certs/all.sh
+++ b/samples/certs/all.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 ./rootA.sh
 ./rootB.sh
 ./clientA.sh
--- a/samples/certs/clientA.sh
+++ b/samples/certs/clientA.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
  -nodes -config ./clientA.cnf -days 365 -batch
--- a/samples/certs/clientB.sh
+++ b/samples/certs/clientB.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
  -nodes -config ./clientB.cnf -days 365 -batch
--- a/samples/certs/rootA.sh
+++ b/samples/certs/rootA.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch

--- a/samples/certs/rootB.sh
+++ b/samples/certs/rootB.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch

--- a/samples/certs/serverA.sh
+++ b/samples/certs/serverA.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh

-openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
   -config ./serverA.cnf -nodes -days 365 -batch

 openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
--- a/samples/certs/serverB.sh
+++ b/samples/certs/serverB.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh

-openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
   -config ./serverB.cnf -nodes -days 365 -batch

 openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
--- a/samples/chain/server.lua
+++ b/samples/chain/server.lua
@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )

 print("----------------------------------------------------------------------")

-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
  util.show(cert)
+  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+  if k == 1 then
+    assert(cert:pem() == conn:getlocalcertificate():pem())
+  end
 end

 local f = io.open(params.certificate)
--- a/src/compat.h
+++ b/src/compat.h
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/config.c
+++ b/src/config.c
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre.
 *
--- a/src/context.c
+++ b/src/context.c
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
 *                         Matthew Wild.
--- a/src/context.h
+++ b/src/context.h
@ -2,7 +2,7 @@
 #define LSEC_CONTEXT_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/ec.h
+++ b/src/ec.h
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/https.lua
+++ b/src/https.lua
@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-- LuaSec 1.1.0
+-- LuaSec 1.2.0
 -- Copyright (C) 2009-2022 PUC-Rio
 --
 -- Author: Pablo Musa
@ -18,8 +18,8 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "1.1.0",
-  _COPYRIGHT = "LuaSec 1.1.0 - Copyright (C) 2009-2022 PUC-Rio",
+  _VERSION   = "1.2.0",
+  _COPYRIGHT = "LuaSec 1.2.0 - Copyright (C) 2009-2022 PUC-Rio",
  PORT       = 443,
  TIMEOUT    = 60
 }
--- a/src/options.c
+++ b/src/options.c
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/options.h
+++ b/src/options.h
@ -2,7 +2,7 @@
 #define LSEC_OPTIONS_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/options.lua
+++ b/src/options.lua
@ -18,7 +18,7 @@ end
 local function generate(options, version)
  print([[
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
 *                         Matthew Wild.
@ -530,6 +530,58 @@ static int meth_getpeercertificate(lua_State *L)
  return 1;
 }

+/**
+ * Return the nth certificate of the chain sent to our peer.
+ */
+static int meth_getlocalcertificate(lua_State *L)
+{
+  int n;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  /* Default to the first cert */
+  n = (int)luaL_optinteger(L, 2, 1);
+  /* This function is 1-based, but OpenSSL is 0-based */
+  --n;
+  if (n < 0) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "invalid certificate index");
+    return 2;
+  }
+  if (n == 0) {
+    cert = SSL_get_certificate(ssl->ssl);
+    if (cert)
+      lsec_pushx509(L, cert);
+    else
+      lua_pushnil(L);
+    return 1;
+  }
+  /* In a server-context, the stack doesn't contain the peer cert,
+   * so adjust accordingly.
+   */
+  if (SSL_is_server(ssl->ssl))
+    --n;
+  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
+    lua_pushnil(L);
+  } else {
+    if (n >= sk_X509_num(certs)) {
+      lua_pushnil(L);
+      return 1;
+    }
+    cert = sk_X509_value(certs, n);
+    /* Increment the reference counting of the object. */
+    /* See SSL_get_peer_certificate() source code.     */
+    X509_up_ref(cert);
+    lsec_pushx509(L, cert);
+  }
+  return 1;
+}
+
 /**
 * Return the chain of certificate of the peer.
 */
@ -564,6 +616,41 @@ static int meth_getpeerchain(lua_State *L)
  return 1;
 }

+/**
+ * Return the chain of certificates sent to the peer.
+ */
+static int meth_getlocalchain(lua_State *L)
+{
+  int i;
+  int idx = 1;
+  int n_certs;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  lua_newtable(L);
+  if (SSL_is_server(ssl->ssl)) {
+    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
+    lua_rawseti(L, -2, idx++);
+  }
+  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
+    n_certs = sk_X509_num(certs);
+    for (i = 0; i < n_certs; i++) {
+      cert = sk_X509_value(certs, i);
+      /* Increment the reference counting of the object. */
+      /* See SSL_get_peer_certificate() source code.     */
+      X509_up_ref(cert);
+      lsec_pushx509(L, cert);
+      lua_rawseti(L, -2, idx++);
+    }
+  }
+  return 1;
+}
+
 /**
 * Copy the table src to the table dst.
 */
@ -671,6 +758,41 @@ static int meth_getpeerfinished(lua_State *L)
  return 1;
 }

+/**
+ * Get some shared keying material
+ */
+static int meth_exportkeyingmaterial(lua_State *L)
+{
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+
+  if(ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 0;
+  }
+
+  size_t llen = 0;
+  size_t contextlen = 0;
+  const unsigned char *context = NULL;
+  const char *label = (const char*)luaL_checklstring(L, 2, &llen);
+  size_t olen = (size_t)luaL_checkinteger(L, 3);
+
+  if (!lua_isnoneornil(L, 4))
+    context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
+
+  /* Temporary buffer memory-managed by Lua itself */
+  unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
+
+  if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
+    lua_pushnil(L);
+    lua_pushstring(L, "error exporting keying material");
+    return 2;
+  }
+
+  lua_pushlstring(L, (char*)out, olen);
+  return 1;
+}
+
 /**
 * Object information -- tostring metamethod
 */
@ -826,7 +948,7 @@ static int meth_getalpn(lua_State *L)

 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 1.1.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.2.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                    "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@ -873,9 +995,12 @@ static luaL_Reg methods[] = {
  {"getfd",               meth_getfd},
  {"getfinished",         meth_getfinished},
  {"getpeercertificate",  meth_getpeercertificate},
+  {"getlocalcertificate", meth_getlocalcertificate},
  {"getpeerchain",        meth_getpeerchain},
+  {"getlocalchain",       meth_getlocalchain},
  {"getpeerverification", meth_getpeerverification},
  {"getpeerfinished",     meth_getpeerfinished},
+  {"exportkeyingmaterial",meth_exportkeyingmaterial},
  {"getsniname",          meth_getsniname},
  {"getstats",            meth_getstats},
  {"setstats",            meth_setstats},
--- a/src/ssl.h
+++ b/src/ssl.h
@ -2,7 +2,7 @@
 #define LSEC_SSL_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2006-2022 Bruno Silvestre
 *
--- a/src/ssl.lua
+++ b/src/ssl.lua
@ -1,5 +1,5 @@
 ------------------------------------------------------------------------------
-- LuaSec 1.1.0
+-- LuaSec 1.2.0
 --
 -- Copyright (C) 2006-2022 Bruno Silvestre
 --
@ -275,7 +275,7 @@ core.setmethod("info", info)
 --

 local _M = {
-  _VERSION        = "1.1.0",
+  _VERSION        = "1.2.0",
  _COPYRIGHT      = core.copyright(),
  config          = config,
  loadcertificate = x509.load,
--- a/src/x509.c
+++ b/src/x509.c
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
 *                         Matthew Wild, Bruno Silvestre.
@ -655,6 +655,7 @@ static int meth_set_encode(lua_State* L)
  return 1;
 }

+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 /**
 * Get signature name.
 */
@ -669,6 +670,7 @@ static int meth_get_signature_name(lua_State* L)
    lua_pushstring(L, name);
  return 1;
 }
+#endif

 /*---------------------------------------------------------------------------*/

@ -698,7 +700,9 @@ static luaL_Reg methods[] = {
  {"digest",     meth_digest},
  {"setencode",  meth_set_encode},
  {"extensions", meth_extensions},
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
  {"getsignaturename", meth_get_signature_name},
+#endif
  {"issuer",     meth_issuer},
  {"notbefore",  meth_notbefore},
  {"notafter",   meth_notafter},
--- a/src/x509.h
+++ b/src/x509.h
@ -1,5 +1,5 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.1.0
+ * LuaSec 1.2.0
 *
 * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
 *                         Matthew Wild, Bruno Silvestre.
Author	SHA1	Message	Date
Bruno Silvestre	b47bfff382	Some minor adjusts in parameters and script	2022-12-12 18:19:37 -03:00
Bruno Silvestre	480aef1626	Merge pull request #192 from mwild1/conn-local-cert-methods ssl: Add :getlocalchain() + :getlocalcertificate() to mirror peer methods	2022-10-06 16:48:57 -03:00
Matthew Wild	4cecbb2783	ssl: Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods These methods mirror the existing methods that fetch the peer certificate and chain. Due to various factors (SNI, multiple key types, etc.) it is not always trivial for an application to determine what certificate was presented to the client. However there are various use-cases where this is needed, such as tls-server-end-point channel binding and OCSP stapling. Requires OpenSSL 1.0.2+ (note: SSL_get_certificate() has existed for a very long time, but was lacking documentation until OpenSSL 3.0).	2022-09-21 18:40:10 +01:00
Bruno Silvestre	d9215ee00f	Update rockspec	2022-07-30 08:42:53 -03:00
Bruno Silvestre	03e03140cd	Update version number	2022-07-30 08:41:46 -03:00
Bruno Silvestre	8b3b2318d2	Merge pull request #188 from mckaygerhard/patch-1 backguard compat for openssl on providers, like LTS linuxes	2022-07-29 11:42:21 -03:00
Bruno Silvestre	2c248947df	Adjust some types and casts	2022-07-20 17:52:01 -03:00
Bruno Silvestre	f22b3ea609	Code format	2022-07-20 17:39:20 -03:00
Bruno Silvestre	c9539bca86	Fix variable shadowing	2022-07-20 17:36:27 -03:00
Bruno Silvestre	afb2d44b0e	Merge pull request #187 from Zash/exporter Add key material export method	2022-07-20 17:32:02 -03:00
Герхард PICCORO Lenz McKAY	f9afada3d1	backguard compat for openssl on providers, like LTS linuxes * The commit `de393417b7` introduces high dependency due raices requirement to openssl 1.1.0l+ * The X509_REQ_get0_signature(), X509_REQ_get_signature_nid(), X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were added in OpenSSL 1.1.0. * This patch makes luasec runs on all kind of embebed systems that cannot be upgraded due vendors limitations	2022-06-24 01:09:44 -04:00
Kim Alvefur	371abcf718	Add key material export method	2022-06-01 16:26:35 +02:00