Update version number

Remove Windows libraries sufix
2025-07-16 22:09:45 +02:00 · 2023-03-14 10:43:47 -03:00 · 2023-03-14 10:42:51 -03:00 · 2023-03-14 10:37:42 -03:00 · 2023-03-14 09:36:06 -03:00 · 2023-02-20 09:57:04 -03:00
32 changed files with 448 additions and 62 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+--------------------------------------------------------------------------------
+LuaSec 1.3.0
+---------------
+This version includes:
+
+* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
+* Add Pre-Shared Key (PSK) support (@jclab-joseph)
+
 --------------------------------------------------------------------------------
 LuaSec 1.2.0
 ---------------
--- a/4
+++ b/4
@ -1,9 +1,9 @@
-LuaSec 1.2.0
+LuaSec 1.3.0
 ------------

 * OpenSSL options:

-    By default, this version includes options for OpenSSL 3.0.0 beta2
+    By default, this version includes options for OpenSSL 3.0.8

    If you need to generate the options for a different version of OpenSSL:

--- a/4
+++ b/4
@ -1,5 +1,5 @@
-LuaSec 1.2.0 license
-Copyright (C) 2006-2022 Bruno Silvestre, UFG
+LuaSec 1.3.0 license
+Copyright (C) 2006-2023 Bruno Silvestre, UFG

 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-LuaSec 1.2.0
+LuaSec 1.3.0
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.
--- a/luasec-1.3.0-1.rockspec
+++ b/luasec-1.3.0-1.rockspec
@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "1.2.0-1"
+version = "1.3.0-1"
 source = {
  url = "git+https://github.com/brunoos/luasec",
-  tag = "v1.2.0",
+  tag = "v1.3.0",
 }
 description = {
   summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@ -87,7 +87,7 @@ build = {
                  "$(OPENSSL_BINDIR)",
               },
               libraries = {
-                  "libssl32MD", "libcrypto32MD", "ws2_32"
+                  "libssl", "libcrypto", "ws2_32"
               },
               incdirs = {
                  "$(OPENSSL_INCDIR)", "src/", "src/luasocket"
--- a/luasec.vcxproj
+++ b/luasec.vcxproj
@ -61,7 +61,7 @@
      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <OutputFile>$(OutDir)ssl.dll</OutputFile>
      <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <GenerateDebugInformation>true</GenerateDebugInformation>
@ -85,7 +85,7 @@
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>ws2_32.lib;libssl32MD.lib;libcrypto32MD.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
      <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <GenerateDebugInformation>true</GenerateDebugInformation>
--- a/samples/README
+++ b/samples/README
@ -45,6 +45,9 @@ Directories:
 * oneshot
 A simple connection example.

+* psk
+ PSK(Pre Shared Key) support.
+
 * sni
 Support to SNI (Server Name Indication).

--- a/samples/certs/all.sh
+++ b/samples/certs/all.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
 ./rootA.sh
 ./rootB.sh
 ./clientA.sh
--- a/samples/certs/clientA.sh
+++ b/samples/certs/clientA.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
  -nodes -config ./clientA.cnf -days 365 -batch
--- a/samples/certs/clientB.sh
+++ b/samples/certs/clientB.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
  -nodes -config ./clientB.cnf -days 365 -batch
--- a/samples/certs/rootA.sh
+++ b/samples/certs/rootA.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch

--- a/samples/certs/rootB.sh
+++ b/samples/certs/rootB.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh

 openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch

--- a/samples/certs/serverA.sh
+++ b/samples/certs/serverA.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh

-openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
   -config ./serverA.cnf -nodes -days 365 -batch

 openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
--- a/samples/certs/serverB.sh
+++ b/samples/certs/serverB.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh

-openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
   -config ./serverB.cnf -nodes -days 365 -batch

 openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
--- a/samples/chain/server.lua
+++ b/samples/chain/server.lua
@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )

 print("----------------------------------------------------------------------")

-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
  util.show(cert)
+  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
+  util.show(cert)
+  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+  if k == 1 then
+    assert(cert:pem() == conn:getlocalcertificate():pem())
+  end
 end

 local f = io.open(params.certificate)
--- a/samples/psk/client.lua
+++ b/samples/psk/client.lua
@ -0,0 +1,36 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+-- @param hint (nil | string)
+-- @param max_identity_len (number)
+-- @param max_psk_len (number)
+-- @return identity (string)
+-- @return PSK (string)
+local function pskcb(hint, max_identity_len, max_psk_len)
+   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
+   return "abcd", "1234"
+end
+
+local params = {
+   mode = "client",
+   protocol = "tlsv1_2",
+   psk = pskcb,
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()
--- a/samples/psk/server.lua
+++ b/samples/psk/server.lua
@ -0,0 +1,55 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+-- @param identity (string)
+-- @param max_psk_len (number)
+-- @return psk (string)
+local function pskcb(identity, max_psk_len)
+   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
+   if identity == "abcd" then
+     return "1234"
+  end
+  return nil
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   options = "all",
+
+-- PSK with just a callback
+   psk = pskcb,
+
+-- PSK with identity hint
+--   psk = {
+--      hint = "hintpsksample",
+--      callback = pskcb,
+--   },
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+   print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()
--- a/src/compat.h
+++ b/src/compat.h
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/config.c
+++ b/src/config.c
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/context.c
+++ b/src/context.c
@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                         Matthew Wild.
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

@ -708,6 +707,141 @@ static int set_alpn_cb(lua_State *L)
  return 1;
 }

+/**
+ * Callback to select the PSK.
+ */
+static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
+  unsigned int max_psk_len)
+{
+  size_t psk_len;
+  const char *ret_psk;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  lua_pushstring(L, identity);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 2, 1);
+
+  if (!lua_isstring(L, -1)) {
+    lua_pop(L, 2);
+    return 0;
+  }
+
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (psk_len == 0 || psk_len > max_psk_len)
+    psk_len = 0;
+  else
+    memcpy(psk, ret_psk, psk_len);
+
+  lua_pop(L, 2);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for server.
+ */
+static int set_server_psk_cb(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
+/*
+ * Set the PSK indentity hint.
+ */
+static int set_psk_identity_hint(lua_State *L)
+{
+  p_context ctx = checkctx(L, 1);
+  const char *hint = luaL_checkstring(L, 2);
+  int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
+  lua_pushboolean(L, ret);
+  return 1;
+}
+
+/*
+ * Client callback to PSK.
+ */
+static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
+  unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+{
+  size_t psk_len;
+  size_t identity_len;
+  const char *ret_psk;
+  const char *ret_identity;
+  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  lua_State *L = pctx->L;
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)pctx->context);
+  lua_gettable(L, -2);
+
+  if (hint)
+    lua_pushstring(L, hint);
+  else
+    lua_pushnil(L);
+
+  // Leave space to '\0'
+  lua_pushinteger(L, max_identity_len-1);
+  lua_pushinteger(L, max_psk_len);
+
+  lua_call(L, 3, 2);
+
+  if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
+    lua_pop(L, 3);
+    return 0;
+  }
+
+  ret_identity = lua_tolstring(L, -2, &identity_len);
+  ret_psk = lua_tolstring(L, -1, &psk_len);
+
+  if (identity_len >= max_identity_len || psk_len > max_psk_len)
+    psk_len = 0;
+  else {
+    memcpy(identity, ret_identity, identity_len);
+    identity[identity_len] = 0;
+    memcpy(psk, ret_psk, psk_len);
+  }
+
+  lua_pop(L, 3);
+
+  return psk_len;
+}
+
+/**
+ * Set a PSK callback for client.
+ */
+static int set_client_psk_cb(lua_State *L) {
+  p_context ctx = checkctx(L, 1);
+
+  luaL_getmetatable(L, "SSL:PSK:Registry");
+  lua_pushlightuserdata(L, (void*)ctx->context);
+  lua_pushvalue(L, 2);
+  lua_settable(L, -3);
+
+  SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
+
+  lua_pushboolean(L, 1);
+  return 1;
+}
+
 #if defined(LSEC_ENABLE_DANE)
 /*
 * DANE
@ -759,6 +893,9 @@ static luaL_Reg funcs[] = {
  {"setdhparam",      set_dhparam},
  {"setverify",       set_verify},
  {"setoptions",      set_options},
+  {"setpskhint",      set_psk_identity_hint},
+  {"setserverpskcb",  set_server_psk_cb},
+  {"setclientpskcb",  set_client_psk_cb},
  {"setmode",         set_mode},
 #if !defined(OPENSSL_NO_EC)
  {"setcurve",        set_curve},
@ -792,6 +929,10 @@ static int meth_destroy(lua_State *L)
    lua_pushlightuserdata(L, (void*)ctx->context);
    lua_pushnil(L);
    lua_settable(L, -3);
+    luaL_getmetatable(L, "SSL:PSK:Registry");
+    lua_pushlightuserdata(L, (void*)ctx->context);
+    lua_pushnil(L);
+    lua_settable(L, -3);

    SSL_CTX_free(ctx->context);
    ctx->context = NULL;
@ -936,6 +1077,7 @@ LSEC_API int luaopen_ssl_context(lua_State *L)
 {
  luaL_newmetatable(L, "SSL:DH:Registry");        /* Keep all DH callbacks   */
  luaL_newmetatable(L, "SSL:ALPN:Registry");      /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:PSK:Registry");       /* Keep all PSK callbacks */
  luaL_newmetatable(L, "SSL:Verify:Registry");    /* Keep all verify flags   */
  luaL_newmetatable(L, "SSL:Context");
  setfuncs(L, meta);
--- a/src/context.h
+++ b/src/context.h
@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/ec.c
+++ b/src/ec.c
@ -1,3 +1,10 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.0
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
 #include <openssl/objects.h>

 #include "ec.h"
--- a/src/ec.h
+++ b/src/ec.h
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/https.lua
+++ b/src/https.lua
@ -1,6 +1,7 @@
 ----------------------------------------------------------------------------
-- LuaSec 1.2.0
-- Copyright (C) 2009-2022 PUC-Rio
+-- LuaSec 1.3.0
+--
+-- Copyright (C) 2009-2023 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@ -18,8 +19,8 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "1.2.0",
-  _COPYRIGHT = "LuaSec 1.2.0 - Copyright (C) 2009-2022 PUC-Rio",
+  _VERSION   = "1.3.0",
+  _COPYRIGHT = "LuaSec 1.3.0 - Copyright (C) 2009-2023 PUC-Rio",
  PORT       = 443,
  TIMEOUT    = 60
 }
--- a/src/options.c
+++ b/src/options.c
@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

@ -13,7 +13,7 @@


 /* 
-  OpenSSL version: OpenSSL 3.0.0-beta2
+  OpenSSL version: OpenSSL 3.0.8
 */

 static lsec_ssl_option_t ssl_options[] = {
--- a/src/options.h
+++ b/src/options.h
@ -2,9 +2,9 @@
 #define LSEC_OPTIONS_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/options.lua
+++ b/src/options.lua
@ -18,9 +18,9 @@ end
 local function generate(options, version)
  print([[
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/ssl.c
+++ b/src/ssl.c
@ -1,9 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- *                         Matthew Wild.
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

@ -530,6 +529,58 @@ static int meth_getpeercertificate(lua_State *L)
  return 1;
 }

+/**
+ * Return the nth certificate of the chain sent to our peer.
+ */
+static int meth_getlocalcertificate(lua_State *L)
+{
+  int n;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  /* Default to the first cert */
+  n = (int)luaL_optinteger(L, 2, 1);
+  /* This function is 1-based, but OpenSSL is 0-based */
+  --n;
+  if (n < 0) {
+    lua_pushnil(L);
+    lua_pushliteral(L, "invalid certificate index");
+    return 2;
+  }
+  if (n == 0) {
+    cert = SSL_get_certificate(ssl->ssl);
+    if (cert)
+      lsec_pushx509(L, cert);
+    else
+      lua_pushnil(L);
+    return 1;
+  }
+  /* In a server-context, the stack doesn't contain the peer cert,
+   * so adjust accordingly.
+   */
+  if (SSL_is_server(ssl->ssl))
+    --n;
+  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
+    lua_pushnil(L);
+  } else {
+    if (n >= sk_X509_num(certs)) {
+      lua_pushnil(L);
+      return 1;
+    }
+    cert = sk_X509_value(certs, n);
+    /* Increment the reference counting of the object. */
+    /* See SSL_get_peer_certificate() source code.     */
+    X509_up_ref(cert);
+    lsec_pushx509(L, cert);
+  }
+  return 1;
+}
+
 /**
 * Return the chain of certificate of the peer.
 */
@ -564,6 +615,41 @@ static int meth_getpeerchain(lua_State *L)
  return 1;
 }

+/**
+ * Return the chain of certificates sent to the peer.
+ */
+static int meth_getlocalchain(lua_State *L)
+{
+  int i;
+  int idx = 1;
+  int n_certs;
+  X509 *cert;
+  STACK_OF(X509) *certs;
+  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+  if (ssl->state != LSEC_STATE_CONNECTED) {
+    lua_pushnil(L);
+    lua_pushstring(L, "closed");
+    return 2;
+  }
+  lua_newtable(L);
+  if (SSL_is_server(ssl->ssl)) {
+    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
+    lua_rawseti(L, -2, idx++);
+  }
+  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
+    n_certs = sk_X509_num(certs);
+    for (i = 0; i < n_certs; i++) {
+      cert = sk_X509_value(certs, i);
+      /* Increment the reference counting of the object. */
+      /* See SSL_get_peer_certificate() source code.     */
+      X509_up_ref(cert);
+      lsec_pushx509(L, cert);
+      lua_rawseti(L, -2, idx++);
+    }
+  }
+  return 1;
+}
+
 /**
 * Copy the table src to the table dst.
 */
@ -861,7 +947,7 @@ static int meth_getalpn(lua_State *L)

 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 1.2.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.3.0 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                    "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@ -908,7 +994,9 @@ static luaL_Reg methods[] = {
  {"getfd",               meth_getfd},
  {"getfinished",         meth_getfinished},
  {"getpeercertificate",  meth_getpeercertificate},
+  {"getlocalcertificate", meth_getlocalcertificate},
  {"getpeerchain",        meth_getpeerchain},
+  {"getlocalchain",       meth_getlocalchain},
  {"getpeerverification", meth_getpeerverification},
  {"getpeerfinished",     meth_getpeerfinished},
  {"exportkeyingmaterial",meth_exportkeyingmaterial},
--- a/src/ssl.h
+++ b/src/ssl.h
@ -2,9 +2,9 @@
 #define LSEC_SSL_H

 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/ssl.lua
+++ b/src/ssl.lua
@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
-- LuaSec 1.2.0
+-- LuaSec 1.3.0
 --
-- Copyright (C) 2006-2022 Bruno Silvestre
+-- Copyright (C) 2006-2023 Bruno Silvestre
 --
 ------------------------------------------------------------------------------

@ -201,6 +201,33 @@ local function newcontext(cfg)
      if not succ then return nil, msg end
   end

+   -- PSK
+   if cfg.psk then
+      if cfg.mode == "client" then
+         if type(cfg.psk) ~= "function" then
+            return nil, "invalid PSK configuration"
+         end
+         succ = context.setclientpskcb(ctx, cfg.psk)
+         if not succ then return nil, msg end
+      elseif cfg.mode == "server" then
+         if type(cfg.psk) == "function" then
+            succ, msg = context.setserverpskcb(ctx, cfg.psk)
+            if not succ then return nil, msg end
+         elseif type(cfg.psk) == "table" then
+            if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
+               succ, msg = context.setpskhint(ctx, cfg.psk.hint)
+               if not succ then return succ, msg end
+               succ = context.setserverpskcb(ctx, cfg.psk.callback)
+               if not succ then return succ, msg end
+            else
+               return nil, "invalid PSK configuration"
+            end
+         else
+            return nil, "invalid PSK configuration"
+         end
+      end
+   end
+
   if config.capabilities.dane and cfg.dane then
      if type(cfg.dane) == "table" then
         context.setdane(ctx, unpack(cfg.dane))
@ -275,7 +302,7 @@ core.setmethod("info", info)
 --

 local _M = {
-  _VERSION        = "1.2.0",
+  _VERSION        = "1.3.0",
  _COPYRIGHT      = core.copyright(),
  config          = config,
  loadcertificate = x509.load,
--- a/src/x509.c
+++ b/src/x509.c
@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/

--- a/src/x509.h
+++ b/src/x509.h
@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.0
 *
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
- *                         Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2013-2023 Bruno Silvestre
 *
 *--------------------------------------------------------------------------*/
Author	SHA1	Message	Date
Bruno Silvestre	c297c5204c	Update version number	2023-03-14 10:43:47 -03:00
Bruno Silvestre	e42bc358e2	Remove Windows libraries sufix	2023-03-14 10:42:51 -03:00
Bruno Silvestre	f72457bbf9	Remove Windows libraries sufix	2023-03-14 10:37:42 -03:00
Bruno Silvestre	361813c0da	Update options to OpenSSL 3.0.8	2023-03-14 09:36:06 -03:00
Bruno Silvestre	e53caaad73	Merge branch 'tls-psk' into dev	2023-02-20 09:57:04 -03:00
Bruno Silvestre	0e669f6c82	Add identity hint to PSK	2023-02-19 08:56:24 -03:00
Bruno Silvestre	c3f12b8c4d	Use lua_tolstring instead luaL_checklstring	2023-02-16 22:07:55 -03:00
Bruno Silvestre	38bb3edfb4	Fix checklstring, pop(3), identity_len	2023-02-16 11:27:52 -03:00
Bruno Silvestre	50431ed511	Fix identity indexing	2023-02-16 10:53:41 -03:00
Bruno Silvestre	b321ba8fab	Fix PSK samples	2023-02-16 10:52:05 -03:00
Bruno Silvestre	6708ccc381	Do not wrap the PSK callbacks	2023-02-16 10:37:59 -03:00
Bruno Silvestre	4f28db9f53	Format	2023-02-16 10:31:06 -03:00
Bruno Silvestre	dd8ba1fc92	Fix PSK client callback	2023-02-16 10:28:34 -03:00
Bruno Silvestre	9b09c93249	Return '0' from callback on size error	2023-02-16 10:13:54 -03:00
Bruno Silvestre	0f793b73c0	Format	2023-02-16 09:43:44 -03:00
Bruno Silvestre	7b60dc4794	Fix psk_len type, do not check string again	2023-02-16 09:41:35 -03:00
Bruno Silvestre	4f6aec07f6	Return the value from Lua's callback, fixes	2023-02-16 09:37:09 -03:00
Bruno Silvestre	c87fe7d5ea	Do not need two PSK registry	2023-02-16 09:33:29 -03:00
unknown	842380caf6	feat: tls-psk	2023-02-16 09:52:18 +09:00
Bruno Silvestre	b47bfff382	Some minor adjusts in parameters and script	2022-12-12 18:19:37 -03:00
Bruno Silvestre	480aef1626	Merge pull request #192 from mwild1/conn-local-cert-methods ssl: Add :getlocalchain() + :getlocalcertificate() to mirror peer methods	2022-10-06 16:48:57 -03:00
Matthew Wild	4cecbb2783	ssl: Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods These methods mirror the existing methods that fetch the peer certificate and chain. Due to various factors (SNI, multiple key types, etc.) it is not always trivial for an application to determine what certificate was presented to the client. However there are various use-cases where this is needed, such as tls-server-end-point channel binding and OCSP stapling. Requires OpenSSL 1.0.2+ (note: SSL_get_certificate() has existed for a very long time, but was lacking documentation until OpenSSL 3.0).	2022-09-21 18:40:10 +01:00