Return nil instead boolean

CHANGELOG

@@ -1,54 +1,3 @@
---------------------------------------------------------------------------------
-LuaSec 1.3.2
----------------
-This version includes:
-
-* Fix: place EAI_OVERFLOW inside macro, unbreak build on <10.7 (Sergey Fedorov)
-* Fix: Expand workaround for zero errno to OpenSSL 3.0.x (Kim Alvefur)
-* Fix: reset block timeout at send or receive (MartinDahlberg)
-
---------------------------------------------------------------------------------
-LuaSec 1.3.1
----------------
-This version includes:
-
-* Fix: check if PSK is available
-
---------------------------------------------------------------------------------
-LuaSec 1.3.0
----------------
-This version includes:
-
-* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
-* Add Pre-Shared Key (PSK) support (@jclab-joseph)
-
---------------------------------------------------------------------------------
-LuaSec 1.2.0
----------------
-This version includes:
-
-* Add key material export method
-* Backguard compat for openssl on providers, like LTS linuxes
-
---------------------------------------------------------------------------------
-LuaSec 1.1.0
----------------
-This version includes:
-
-* Fix missing DANE flag
-* Remove unused parameter in https.lua
-
---------------------------------------------------------------------------------
-LuaSec 1.0.2
----------------
-This version includes:
-
-* Fix handle SSL_send SYSCALL error without errno
-* Fix off by one in cert:validat(notafter)
-* Fix meth_get_{sinagure => signature}_name function name
-* Fix update the Lua state reference on the selected SSL context after SNI
-* Fix ignore SSL_OP_BIT(n) macro and update option.c
-
 --------------------------------------------------------------------------------
 LuaSec 1.0.1
 ---------------

INSTALL

@@ -1,9 +1,9 @@
-LuaSec 1.3.2
+LuaSec 1.0.1
 ------------
 
 * OpenSSL options:
 
-    By default, this version includes options for OpenSSL 3.0.8
+    By default, this version includes options for OpenSSL 1.1.1.
 
     If you need to generate the options for a different version of OpenSSL:
 

LICENSE

@@ -1,5 +1,5 @@
-LuaSec 1.3.2 license
+LuaSec 1.0.1 license
-Copyright (C) 2006-2023 Bruno Silvestre, UFG
+Copyright (C) 2006-2021 Bruno Silvestre, UFG
 
 Permission is hereby granted, free  of charge, to any person obtaining
 a  copy  of this  software  and  associated  documentation files  (the

README.md

@@ -1,4 +1,4 @@
-LuaSec 1.3.2
+LuaSec 1.0.1
 ===============
 LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
 easy to add secure connections to any Lua applications or scripts.

luasec-1.0.1-1.rockspec

@@ -1,8 +1,8 @@
 package = "LuaSec"
-version = "1.3.2-1"
+version = "1.0.1-1"
 source = {
-  url = "git+https://github.com/brunoos/luasec",
+  url = "git://github.com/brunoos/luasec",
-  tag = "v1.3.2",
+  tag = "v1.0.1",
 }
 description = {
    summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@@ -87,7 +87,7 @@ build = {
                   "$(OPENSSL_BINDIR)",
                },
                libraries = {
-                  "libssl", "libcrypto", "ws2_32"
+                  "libssl32MD", "libcrypto32MD", "ws2_32"
                },
                incdirs = {
                   "$(OPENSSL_INCDIR)", "src/", "src/luasocket"

luasec.vcxproj

@@ -61,7 +61,7 @@
       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)ssl.dll</OutputFile>
       <AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>
@@ -85,7 +85,7 @@
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>ws2_32.lib;libssl32MD.lib;libcrypto32MD.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
       <AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>true</GenerateDebugInformation>

samples/README

@@ -45,9 +45,6 @@ Directories:
 * oneshot
  A simple connection example.
 
-* psk
- PSK(Pre Shared Key) support.
-
 * sni
  Support to SNI (Server Name Indication).
 

samples/certs/all.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 ./rootA.sh
 ./rootB.sh
 ./clientA.sh

samples/certs/clientA.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch

samples/certs/clientB.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch

samples/certs/rootA.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 

samples/certs/rootB.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 

samples/certs/serverA.sh

@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
 openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \

samples/certs/serverB.sh

@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
-openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
 openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \

samples/chain/server.lua

@@ -31,27 +31,8 @@ util.show( conn:getpeercertificate() )
 
 print("----------------------------------------------------------------------")
 
-local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+for k, cert in ipairs( conn:getpeerchain() ) do
-
-local peerchain = conn:getpeerchain()
-assert(#peerchain == #expectedpeerchain)
-for k, cert in ipairs( peerchain ) do
   util.show(cert)
-  local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
-  assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
-end
-
-local expectedlocalchain = { "../certs/serverAcert.pem" }
-
-local localchain = assert(conn:getlocalchain())
-assert(#localchain == #expectedlocalchain)
-for k, cert in ipairs( localchain ) do
-  util.show(cert)
-  local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
-  assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
-  if k == 1 then
-    assert(cert:pem() == conn:getlocalcertificate():pem())
-  end
 end
 
 local f = io.open(params.certificate)

samples/ocsp/client.lua

@@ -0,0 +1,54 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local ocsp   = ssl.ocsp
+
+-- Parameters
+--   * status:
+--     * nil                          (no status was sent by server)
+--     * ocsp.status.successful
+--     * ocsp.status.malformedrequest
+--     * ocsp.status.internalerror
+--     * ocsp.status.trylater
+--     * ocsp.status.sigrequired
+--     * ocsp.status.unauthorized
+--
+-- Returns
+--   * nil: on error
+--   * true: status was accepted (continue the handshake)
+--   * false: status not accepted (handshake stops with error)
+--
+local callback = function(status)
+  print("Status: ", status)
+  print("---")
+
+  if status == nil then
+    print("[WARN] No OCSP response")
+    return true
+  end
+
+  return (status == ocsp.status.successful)
+end
+
+local params = {
+   mode     = "client",
+   protocol = "tlsv1_2",
+   verify   = "none",
+   options  = "all",
+   ocsp     = callback,
+}
+
+while true do
+  local peer = socket.tcp()
+  peer:connect("127.0.0.1", 8443)
+  
+  peer = assert(ssl.wrap(peer, params))
+  assert(peer:dohandshake())
+  
+  print(peer:receive())
+  print("------------")
+  peer:close()
+end

samples/ocsp/server.lua

@@ -0,0 +1,89 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local mime   = require("mime")
+local ltn12  = require("ltn12")
+local http   = require("socket.http")
+
+local ocsp   = ssl.ocsp
+
+--------------------------------------------------------------------------------
+
+local response
+
+function loadresponse(certfile, cafile)
+  local f = io.open(cafile)
+  local ca = f:read("*a")
+  ca = ssl.loadcertificate(ca)
+  f:close()
+ 
+  f = io.open(certfile)
+  local cert = f:read("*a")
+  cert = ssl.loadcertificate(cert)
+  f:close()
+ 
+  local res = {}
+  local req = ocsp.buildrequest(cert, ca)
+  req = mime.b64(req)
+ 
+  local a, b = http.request {
+    url = "http://zerossl.ocsp.sectigo.com/" .. req,
+    method = "GET",
+    sink = ltn12.sink.table(res),
+    header = {
+      ["Content-Type"] = "application/ocsp-request",
+      ["Host"] = "zerossl.ocsp.sectigo.com",
+    },
+  }
+ 
+  response = table.concat(res)
+
+  local thisupd, nextupd = ocsp.responsetime(response)
+  print("This update: ", thisupd)
+  print("Next update: ", nextupd)
+end
+
+--------------------------------------------------------------------------------
+
+local cafile = "ca.pem"
+local certfile = "server.pem"
+
+-- Remember to update 'response' before 'next update'
+local callback = function()
+  if not response then
+    loadresponse(certfile, cafile)
+  end
+  return response
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "server.key",
+   certificate = certfile,
+   verify = "none",
+   options = "all",
+   ocsp = callback,
+}
+
+--------------------------------------------------------------------------------
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert(server:bind("127.0.0.1", 8443))
+server:listen()
+
+while true do
+  local peer = server:accept()
+  peer = assert(ssl.wrap(peer, ctx))
+  local succ = peer:dohandshake()
+  if succ then
+    peer:send("OCSP test\n")
+    peer:close()
+  end
+end

samples/psk/client.lua

@@ -1,41 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-if not ssl.config.capabilities.psk then
-   print("[ERRO] PSK not available")
-   os.exit(1)
-end
-
--- @param hint (nil | string)
--- @param max_identity_len (number)
--- @param max_psk_len (number)
--- @return identity (string)
--- @return PSK (string)
-local function pskcb(hint, max_identity_len, max_psk_len)
-   print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
-   return "abcd", "1234"
-end
-
-local params = {
-   mode = "client",
-   protocol = "tlsv1_2",
-   psk = pskcb,
-}
-
-local peer = socket.tcp()
-peer:connect("127.0.0.1", 8888)
-
-peer = assert( ssl.wrap(peer, params) )
-assert(peer:dohandshake())
-
-print("--- INFO ---")
-local info = peer:info()
-for k, v in pairs(info) do
-   print(k, v)
-end
-print("---")
-
-peer:close()

samples/psk/server.lua

@@ -1,60 +0,0 @@
---
--- Public domain
---
-local socket = require("socket")
-local ssl    = require("ssl")
-
-if not ssl.config.capabilities.psk then
-   print("[ERRO] PSK not available")
-   os.exit(1)
-end
-
--- @param identity (string)
--- @param max_psk_len (number)
--- @return psk (string)
-local function pskcb(identity, max_psk_len)
-   print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
-   if identity == "abcd" then
-     return "1234"
-  end
-  return nil
-end
-
-local params = {
-   mode = "server",
-   protocol = "any",
-   options = "all",
-
--- PSK with just a callback
-   psk = pskcb,
-
--- PSK with identity hint
---   psk = {
---      hint = "hintpsksample",
---      callback = pskcb,
---   },
-}
-
-
--- [[ SSL context
-local ctx = assert(ssl.newcontext(params))
---]]
-
-local server = socket.tcp()
-server:setoption('reuseaddr', true)
-assert( server:bind("127.0.0.1", 8888) )
-server:listen()
-
-local peer = server:accept()
-peer = assert( ssl.wrap(peer, ctx) )
-assert( peer:dohandshake() )
-
-print("--- INFO ---")
-local info = peer:info()
-for k, v in pairs(info) do
-   print(k, v)
-end
-print("---")
-
-peer:close()
-server:close()

src/compat.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -48,14 +48,8 @@
 
 //------------------------------------------------------------------------------
 
-#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L || (OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x30000000L)
+#if !defined(LIBRESSL_VERSION_NUMBER) && ((OPENSSL_VERSION_NUMBER & 0xFFFFF000L) == 0x10101000L)
-#define LSEC_OPENSSL_ERRNO_BUG
+#define LSEC_OPENSSL_1_1_1
-#endif
-
-//------------------------------------------------------------------------------
-
-#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
-#define LSEC_ENABLE_PSK
 #endif
 
 //------------------------------------------------------------------------------

src/config.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -74,24 +74,18 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
 
-#ifdef LSEC_ENABLE_PSK
+#ifdef LSEC_ENABLE_DANE
-  lua_pushstring(L, "psk");
+  // DANE
+  lua_pushstring(L, "dane");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
 #endif
 
-#ifdef LSEC_ENABLE_DANE
+#ifndef OPENSSL_NO_OCSP
-  // DANE
+  // OCSP
-  lua_pushstring(L, "dane");
+  lua_pushstring(L, "ocsp");
-#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
-  lua_createtable(L, 0, 1);
-  lua_pushstring(L, "no_ee_namechecks");
   lua_pushboolean(L, 1);
   lua_rawset(L, -3);
-#else
-  lua_pushboolean(L, 1);
-#endif
-  lua_rawset(L, -3);
 #endif
 
 #ifndef OPENSSL_NO_EC

src/context.c

@@ -1,8 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- * Copyright (C) 2006-2023 Bruno Silvestre
+ *                         Matthew Wild.
+ * Copyright (C) 2006-2021 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -16,15 +17,19 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
 #include <openssl/dh.h>
 
+#ifndef OPENSSL_NO_OCSP
+#include <openssl/ocsp.h>
+#endif
+
 #include <lua.h>
 #include <lauxlib.h>
 
 #include "compat.h"
 #include "context.h"
 #include "options.h"
+#include "x509.h"
 
 #ifndef OPENSSL_NO_EC
 #include <openssl/ec.h>
@@ -707,172 +712,207 @@ static int set_alpn_cb(lua_State *L)
   return 1;
 }
 
-#if defined(LSEC_ENABLE_PSK)
+#ifndef OPENSSL_NO_OCSP
-/**
+static int ocsp_server_cb(SSL *ssl, void *arg)
- * Callback to select the PSK.
- */
-static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
-  unsigned int max_psk_len)
 {
-  size_t psk_len;
+  int len;
-  const char *ret_psk;
+  BIO *bio;
-  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+  const char *data;
-  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+  unsigned char *r = NULL;
-  lua_State *L = pctx->L;
+  OCSP_RESPONSE *resp = NULL;
+  p_context ctx = (p_context)arg;
+  lua_State *L = ctx->L;
 
-  luaL_getmetatable(L, "SSL:PSK:Registry");
+  // Retrieve the callback
-  lua_pushlightuserdata(L, (void*)pctx->context);
+  luaL_getmetatable(L, "SSL:OCSP:Registry");
-  lua_gettable(L, -2);
+  lua_pushlightuserdata(L, ctx->context);
+  lua_rawget(L, -2);
 
-  lua_pushstring(L, identity);
+  lua_call(L, 0, 1);
-  lua_pushinteger(L, max_psk_len);
+  if (lua_type(L, -1) != LUA_TSTRING) {
-
+    return SSL_TLSEXT_ERR_NOACK;
-  lua_call(L, 2, 1);
-
-  if (!lua_isstring(L, -1)) {
-    lua_pop(L, 2);
-    return 0;
   }
 
-  ret_psk = lua_tolstring(L, -1, &psk_len);
+  data = lua_tostring(L, -1);
+  len  = (int)lua_rawlen(L, -1);
 
-  if (psk_len == 0 || psk_len > max_psk_len)
+  bio = BIO_new_mem_buf(data, len);
-    psk_len = 0;
+  if (bio == NULL)
-  else
+    return SSL_TLSEXT_ERR_NOACK;
-    memcpy(psk, ret_psk, psk_len);
 
-  lua_pop(L, 2);
+  resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
+  BIO_free(bio);
+  if (resp == NULL)
+    return SSL_TLSEXT_ERR_NOACK;
 
-  return psk_len;
+  len = i2d_OCSP_RESPONSE(resp, &r);
+  if (len <= 0) {
+    OCSP_RESPONSE_free(resp);
+    return SSL_TLSEXT_ERR_NOACK;
+  }
+
+  SSL_set_tlsext_status_ocsp_resp(ssl, r, len);
+  OCSP_RESPONSE_free(resp);
+  return SSL_TLSEXT_ERR_OK;
 }
 
-/**
+static int ocsp_client_cb(SSL *ssl, void *arg)
- * Set a PSK callback for server.
- */
-static int set_server_psk_cb(lua_State *L)
 {
-  p_context ctx = checkctx(L, 1);
+  long len;
+  const unsigned char *b;
+  OCSP_RESPONSE *ocsp = NULL;
+  p_context ctx = (p_context)arg;
+  lua_State *L = ctx->L;
 
-  luaL_getmetatable(L, "SSL:PSK:Registry");
+  // Retrieve the callback
-  lua_pushlightuserdata(L, (void*)ctx->context);
+  luaL_getmetatable(L, "SSL:OCSP:Registry");
-  lua_pushvalue(L, 2);
+  lua_pushlightuserdata(L, ctx->context);
-  lua_settable(L, -3);
+  lua_rawget(L, -2);
 
-  SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
+  len = SSL_get_tlsext_status_ocsp_resp(ssl, &b);
-
+  if (len == -1)
-  lua_pushboolean(L, 1);
-  return 1;
-}
-
-/*
- * Set the PSK indentity hint.
- */
-static int set_psk_identity_hint(lua_State *L)
-{
-  p_context ctx = checkctx(L, 1);
-  const char *hint = luaL_checkstring(L, 2);
-  int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
-  lua_pushboolean(L, ret);
-  return 1;
-}
-
-/*
- * Client callback to PSK.
- */
-static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
-  unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
-{
-  size_t psk_len;
-  size_t identity_len;
-  const char *ret_psk;
-  const char *ret_identity;
-  SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-  p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
-  lua_State *L = pctx->L;
-
-  luaL_getmetatable(L, "SSL:PSK:Registry");
-  lua_pushlightuserdata(L, (void*)pctx->context);
-  lua_gettable(L, -2);
-
-  if (hint)
-    lua_pushstring(L, hint);
-  else
     lua_pushnil(L);
-
-  // Leave space to '\0'
-  lua_pushinteger(L, max_identity_len-1);
-  lua_pushinteger(L, max_psk_len);
-
-  lua_call(L, 3, 2);
-
-  if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
-    lua_pop(L, 3);
-    return 0;
-  }
-
-  ret_identity = lua_tolstring(L, -2, &identity_len);
-  ret_psk = lua_tolstring(L, -1, &psk_len);
-
-  if (identity_len >= max_identity_len || psk_len > max_psk_len)
-    psk_len = 0;
   else {
-    memcpy(identity, ret_identity, identity_len);
+    ocsp = d2i_OCSP_RESPONSE(NULL, &b, len);
-    identity[identity_len] = 0;
+    lua_pushinteger(L, OCSP_response_status(ocsp));
-    memcpy(psk, ret_psk, psk_len);
+    OCSP_RESPONSE_free(ocsp);
   }
 
-  lua_pop(L, 3);
+  lua_call(L, 1, 1);
-
+  return (lua_type(L, -1) != LUA_TBOOLEAN) ? -1 : (int)lua_toboolean(L, -1);
-  return psk_len;
 }
 
-/**
+static int set_ocsp_cb(lua_State *L)
- * Set a PSK callback for client.
+{
- */
+  int ret;
-static int set_client_psk_cb(lua_State *L) {
   p_context ctx = checkctx(L, 1);
 
-  luaL_getmetatable(L, "SSL:PSK:Registry");
+  luaL_getmetatable(L, "SSL:OCSP:Registry");
   lua_pushlightuserdata(L, (void*)ctx->context);
   lua_pushvalue(L, 2);
   lua_settable(L, -3);
 
-  SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
+  ret = (int)SSL_CTX_set_tlsext_status_type(ctx->context, TLSEXT_STATUSTYPE_ocsp);
+  if (ret == 0) {
+    lua_pushboolean(L, 0);
+    return 1;
+  }
 
-  lua_pushboolean(L, 1);
+  if (ctx->mode == LSEC_MODE_CLIENT)
+    ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_client_cb);
+  else
+    ret = (int)SSL_CTX_set_tlsext_status_cb(ctx->context, ocsp_server_cb);
+
+  if (ret == 0) {
+    lua_pushboolean(L, 0);
+    return 1;
+  }
+
+  ret = (int)SSL_CTX_set_tlsext_status_arg(ctx->context, ctx);
+  lua_pushboolean(L, ret == 1);
   return 1;
 }
+
+static int ocsp_build_request(lua_State *L)
+{
+  long len;
+  BIO *bio;
+  X509 *cert;
+  X509 *issuer;
+  OCSP_CERTID *cid;
+  OCSP_REQUEST *req;
+  char *buf;
+
+  cert = lsec_checkx509(L, 1);
+  issuer = lsec_checkx509(L, 2);
+
+  req = OCSP_REQUEST_new();
+  if (req == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+
+  cid = OCSP_cert_to_id(NULL, cert, issuer);
+  if (cid == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+
+  if (OCSP_request_add0_id(req, cid) == NULL) {
+    lua_pushnil(L);
+    return 1;
+  }
+
+  bio = BIO_new(BIO_s_mem());
+  i2d_OCSP_REQUEST_bio(bio, req);
+  len = BIO_get_mem_data(bio, &buf);
+  lua_pushlstring(L, buf, len);
+
+  BIO_free(bio);
+  OCSP_REQUEST_free(req);
+
+  return 1;
+}
+
+static int ocsp_response_time(lua_State *L)
+{
+  long len;
+  BIO *bio;
+  char *buf;
+  int reason;
+  OCSP_BASICRESP *bs;
+  OCSP_SINGLERESP *sr;
+  OCSP_RESPONSE *res;
+  ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
+
+  buf = (char*)lua_tostring(L, 1);
+  len = (long)lua_rawlen(L, 1);
+
+  res = d2i_OCSP_RESPONSE(NULL, (const unsigned char**)&buf, (int)len);
+  if (res == NULL) {
+    lua_pushnil(L);
+    lua_pushnil(L);
+    return 2;
+  }
+
+  bs = OCSP_response_get1_basic(res);
+  if (bs == NULL) {
+    lua_pushnil(L);
+    lua_pushnil(L);
+    return 2;
+  }
+
+  sr = OCSP_resp_get0(bs, 0);
+  OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
+
+  bio = BIO_new(BIO_s_mem());
+  ASN1_GENERALIZEDTIME_print(bio, thisupd);
+  len = BIO_get_mem_data(bio, &buf);
+  lua_pushlstring(L, buf, len);
+  BIO_free(bio);
+
+  bio = BIO_new(BIO_s_mem());
+  ASN1_GENERALIZEDTIME_print(bio, nextupd);
+  len = BIO_get_mem_data(bio, &buf);
+  lua_pushlstring(L, buf, len);
+  BIO_free(bio);
+
+  OCSP_BASICRESP_free(bs);
+  OCSP_RESPONSE_free(res);
+
+  return 2;
+}
 #endif
 
 #if defined(LSEC_ENABLE_DANE)
 /*
  * DANE
  */
-static int dane_options[] = {
-  /* TODO move into options.c
-   * however this symbol is not from openssl/ssl.h but rather from
-   * openssl/x509_vfy.h
-   * */
-#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
-  DANE_FLAG_NO_DANE_EE_NAMECHECKS,
-#endif
-  0
-};
-static const char *dane_option_names[] = {
-#ifdef DANE_FLAG_NO_DANE_EE_NAMECHECKS
-  "no_ee_namechecks",
-#endif
-  NULL
-};
-
 static int set_dane(lua_State *L)
 {
-  int ret, i;
+  int ret;
   SSL_CTX *ctx = lsec_checkcontext(L, 1);
   ret = SSL_CTX_dane_enable(ctx);
-  for (i = 2; ret > 0 && i <= lua_gettop(L); i++) {
-    ret = SSL_CTX_dane_set_flags(ctx, dane_options[luaL_checkoption(L, i, NULL, dane_option_names)]);
-  }
   lua_pushboolean(L, (ret > 0));
   return 1;
 }
@@ -895,11 +935,6 @@ static luaL_Reg funcs[] = {
   {"setdhparam",      set_dhparam},
   {"setverify",       set_verify},
   {"setoptions",      set_options},
-#if defined(LSEC_ENABLE_PSK)
-  {"setpskhint",      set_psk_identity_hint},
-  {"setserverpskcb",  set_server_psk_cb},
-  {"setclientpskcb",  set_client_psk_cb},
-#endif
   {"setmode",         set_mode},
 #if !defined(OPENSSL_NO_EC)
   {"setcurve",        set_curve},
@@ -907,6 +942,9 @@ static luaL_Reg funcs[] = {
 #endif
 #if defined(LSEC_ENABLE_DANE)
   {"setdane",         set_dane},
+#endif
+#if !defined(OPENSSL_NO_OCSP)
+  {"setocspcb",       set_ocsp_cb},
 #endif
   {NULL, NULL}
 };
@@ -933,7 +971,7 @@ static int meth_destroy(lua_State *L)
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
-    luaL_getmetatable(L, "SSL:PSK:Registry");
+    luaL_getmetatable(L, "SSL:OCSP:Registry");
     lua_pushlightuserdata(L, (void*)ctx->context);
     lua_pushnil(L);
     lua_settable(L, -3);
@@ -1074,15 +1112,64 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
 
 /*------------------------------ Initialization ------------------------------*/
 
+#ifndef OPENSSL_NO_OCSP
+struct ocsp_status_response_s {
+  const char *name;
+  int value;
+};
+
+typedef struct ocsp_status_response_s ocsp_status_response_t;
+
+static ocsp_status_response_t status_response[] = {
+  {"successful",       OCSP_RESPONSE_STATUS_SUCCESSFUL},
+  {"malformedrequest", OCSP_RESPONSE_STATUS_MALFORMEDREQUEST},
+  {"internalerror",    OCSP_RESPONSE_STATUS_INTERNALERROR},
+  {"trylater",         OCSP_RESPONSE_STATUS_TRYLATER},
+  {"sigrequired",      OCSP_RESPONSE_STATUS_SIGREQUIRED},
+  {"unauthorized",     OCSP_RESPONSE_STATUS_UNAUTHORIZED},
+  {NULL, 0}
+};
+
+static luaL_Reg ocsp_funcs[] = {
+  {"buildrequest", ocsp_build_request},
+  {"responsetime", ocsp_response_time},
+  {NULL, NULL}
+};
+
+
+/**
+ * OCSP module
+ */
+LSEC_API int luaopen_ssl_context_ocsp(lua_State *L)
+{
+  ocsp_status_response_t *ptr;
+
+  luaL_newlib(L, ocsp_funcs);
+
+  lua_pushstring(L, "status");
+  lua_newtable(L);
+  for (ptr = status_response; ptr->name; ptr++) {
+    lua_pushstring(L, ptr->name);
+    lua_pushinteger(L, ptr->value);
+    lua_rawset(L, -3);
+  }
+  lua_rawset(L, -3);
+
+  return 1;
+}
+#endif
+
+//------------------------------------------------------------------------------
+
 /**
  * Registre the module.
  */
 LSEC_API int luaopen_ssl_context(lua_State *L)
 {
-  luaL_newmetatable(L, "SSL:DH:Registry");        /* Keep all DH callbacks   */
+  luaL_newmetatable(L, "SSL:DH:Registry");      /* Keep all DH callbacks   */
-  luaL_newmetatable(L, "SSL:ALPN:Registry");      /* Keep all ALPN callbacks */
+  luaL_newmetatable(L, "SSL:ALPN:Registry");    /* Keep all ALPN callbacks */
-  luaL_newmetatable(L, "SSL:PSK:Registry");       /* Keep all PSK callbacks */
+  luaL_newmetatable(L, "SSL:Verify:Registry");  /* Keep all verify flags   */
-  luaL_newmetatable(L, "SSL:Verify:Registry");    /* Keep all verify flags   */
+  luaL_newmetatable(L, "SSL:OCSP:Registry");    /* Keep all OCSP callbacks */
   luaL_newmetatable(L, "SSL:Context");
   setfuncs(L, meta);
 

src/context.h

@@ -2,9 +2,9 @@
 #define LSEC_CONTEXT_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ec.c

@@ -1,10 +1,3 @@
-/*--------------------------------------------------------------------------
- * LuaSec 1.3.2
- *
- * Copyright (C) 2006-2023 Bruno Silvestre
- *
- *--------------------------------------------------------------------------*/
-
 #include <openssl/objects.h>
 
 #include "ec.h"

src/ec.h

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/https.lua

@@ -1,7 +1,6 @@
 ----------------------------------------------------------------------------
--- LuaSec 1.3.2
+-- LuaSec 1.0.1
---
+-- Copyright (C) 2009-2021 PUC-Rio
--- Copyright (C) 2009-2023 PUC-Rio
 --
 -- Author: Pablo Musa
 -- Author: Tomas Guisasola
@@ -19,8 +18,8 @@ local try    = socket.try
 -- Module
 --
 local _M = {
-  _VERSION   = "1.3.2",
+  _VERSION   = "1.0.1",
-  _COPYRIGHT = "LuaSec 1.3.2 - Copyright (C) 2009-2023 PUC-Rio",
+  _COPYRIGHT = "LuaSec 1.0.1 - Copyright (C) 2009-2021 PUC-Rio",
   PORT       = 443,
   TIMEOUT    = 60
 }
@@ -94,7 +93,7 @@ local function tcp(params)
          self.sock:sni(host)
          self.sock:settimeout(_M.TIMEOUT)
          try(self.sock:dohandshake())
-         reg(self)
+         reg(self, getmetatable(self.sock))
          return 1
       end
       return conn

src/luasocket/buffer.c

@@ -78,7 +78,9 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     const char *data = luaL_checklstring(L, 2, &size);
     long start = (long) luaL_optnumber(L, 3, 1);
     long end = (long) luaL_optnumber(L, 4, -1);
-    timeout_markstart(buf->tm);
+#ifdef LUASOCKET_DEBUG
+    p_timeout tm = timeout_markstart(buf->tm);
+#endif
     if (start < 0) start = (long) (size+start+1);
     if (end < 0) end = (long) (size+end+1);
     if (start < 1) start = (long) 1;
@@ -96,7 +98,7 @@ int buffer_meth_send(lua_State *L, p_buffer buf) {
     }
 #ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
 #endif
     return lua_gettop(L) - top;
 }
@@ -115,7 +117,9 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
         top = 3;
     }
     part = luaL_optlstring(L, 3, "", &size);
-    timeout_markstart(buf->tm);
+#ifdef LUASOCKET_DEBUG
+    p_timeout tm = timeout_markstart(buf->tm);
+#endif
     /* initialize buffer with optional extra prefix 
      * (useful for concatenating previous partial results) */
     luaL_buffinit(L, &b);
@@ -151,7 +155,7 @@ int buffer_meth_receive(lua_State *L, p_buffer buf) {
     }
 #ifdef LUASOCKET_DEBUG
     /* push time elapsed during operation as the last return value */
-    lua_pushnumber(L, timeout_gettime() - timeout_getstart(buf->tm));
+    lua_pushnumber(L, timeout_gettime() - timeout_getstart(tm));
 #endif
     return lua_gettop(L) - top;
 }

src/luasocket/usocket.c

@@ -426,9 +426,7 @@ const char *socket_gaistrerror(int err) {
         case EAI_MEMORY: return "memory allocation failure";
         case EAI_NONAME: 
             return "host or service not provided, or not known";
-#ifdef EAI_OVERFLOW
         case EAI_OVERFLOW: return "argument buffer overflow";
-#endif
 #ifdef EAI_PROTOCOL
         case EAI_PROTOCOL: return "resolved protocol is unknown";
 #endif

src/options.c

@@ -1,7 +1,7 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -13,16 +13,13 @@
 
 
 /* 
-  OpenSSL version: OpenSSL 3.0.8
+  OpenSSL version: OpenSSL 1.1.1
 */
 
 static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_ALL)
   {"all", SSL_OP_ALL},
 #endif
-#if defined(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
-  {"allow_client_renegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION},
-#endif
 #if defined(SSL_OP_ALLOW_NO_DHE_KEX)
   {"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX},
 #endif
@@ -35,33 +32,21 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_CISCO_ANYCONNECT)
   {"cisco_anyconnect", SSL_OP_CISCO_ANYCONNECT},
 #endif
-#if defined(SSL_OP_CLEANSE_PLAINTEXT)
-  {"cleanse_plaintext", SSL_OP_CLEANSE_PLAINTEXT},
-#endif
 #if defined(SSL_OP_COOKIE_EXCHANGE)
   {"cookie_exchange", SSL_OP_COOKIE_EXCHANGE},
 #endif
 #if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
   {"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
 #endif
-#if defined(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
-  {"disable_tlsext_ca_names", SSL_OP_DISABLE_TLSEXT_CA_NAMES},
-#endif
 #if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
   {"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
 #endif
-#if defined(SSL_OP_ENABLE_KTLS)
-  {"enable_ktls", SSL_OP_ENABLE_KTLS},
-#endif
 #if defined(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
   {"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT},
 #endif
 #if defined(SSL_OP_EPHEMERAL_RSA)
   {"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA},
 #endif
-#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
-  {"ignore_unexpected_eof", SSL_OP_IGNORE_UNEXPECTED_EOF},
-#endif
 #if defined(SSL_OP_LEGACY_SERVER_CONNECT)
   {"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT},
 #endif
@@ -104,9 +89,6 @@ static lsec_ssl_option_t ssl_options[] = {
 #if defined(SSL_OP_NO_ENCRYPT_THEN_MAC)
   {"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC},
 #endif
-#if defined(SSL_OP_NO_EXTENDED_MASTER_SECRET)
-  {"no_extended_master_secret", SSL_OP_NO_EXTENDED_MASTER_SECRET},
-#endif
 #if defined(SSL_OP_NO_QUERY_MTU)
   {"no_query_mtu", SSL_OP_NO_QUERY_MTU},
 #endif

src/options.h

@@ -2,9 +2,9 @@
 #define LSEC_OPTIONS_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/options.lua

@@ -4,7 +4,7 @@ local function usage()
   print("  lua options.lua -g /path/to/ssl.h [version] > options.c")
   print("* Examples:")
   print("  lua options.lua -g /usr/include/openssl/ssl.h > options.c\n")
-  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.1.1f\" > options.c\n")
+  print("  lua options.lua -g /usr/include/openssl/ssl.h \"OpenSSL 1.0.1 14\" > options.c\n")
 
   print("* List options of your system:")
   print("  lua options.lua -l /path/to/ssl.h\n")
@@ -18,9 +18,9 @@ end
 local function generate(options, version)
   print([[
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 
@@ -60,12 +60,9 @@ local function loadoptions(file)
   local options = {}
   local f = assert(io.open(file, "r"))
   for line in f:lines() do
-    local op = string.match(line, "define%s+(SSL_OP_BIT%()")
+    local op = string.match(line, "define%s+(SSL_OP_%S+)")
-    if not op then
+    if op then
-      op = string.match(line, "define%s+(SSL_OP_%S+)")
+      table.insert(options, op)
-      if op then
-        table.insert(options, op)
-      end
     end
   end
   table.sort(options, function(a,b) return a<b end)

src/ssl.c

@@ -1,8 +1,9 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann, 
- * Copyright (C) 2006-2023 Bruno Silvestre
+ *                         Matthew Wild.
+ * Copyright (C) 2006-2021 Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -47,8 +48,8 @@ static int lsec_socket_error()
 #if defined(WIN32)
   return WSAGetLastError();
 #else
-#if defined(LSEC_OPENSSL_ERRNO_BUG)
+#if defined(LSEC_OPENSSL_1_1_1)
-  // Bug in OpenSSL
+  // Bug in OpenSSL 1.1.1
   if (errno == 0)
     return LSEC_IO_SSL;
 #endif
@@ -529,58 +530,6 @@ static int meth_getpeercertificate(lua_State *L)
   return 1;
 }
 
-/**
- * Return the nth certificate of the chain sent to our peer.
- */
-static int meth_getlocalcertificate(lua_State *L)
-{
-  int n;
-  X509 *cert;
-  STACK_OF(X509) *certs;
-  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  if (ssl->state != LSEC_STATE_CONNECTED) {
-    lua_pushnil(L);
-    lua_pushstring(L, "closed");
-    return 2;
-  }
-  /* Default to the first cert */
-  n = (int)luaL_optinteger(L, 2, 1);
-  /* This function is 1-based, but OpenSSL is 0-based */
-  --n;
-  if (n < 0) {
-    lua_pushnil(L);
-    lua_pushliteral(L, "invalid certificate index");
-    return 2;
-  }
-  if (n == 0) {
-    cert = SSL_get_certificate(ssl->ssl);
-    if (cert)
-      lsec_pushx509(L, cert);
-    else
-      lua_pushnil(L);
-    return 1;
-  }
-  /* In a server-context, the stack doesn't contain the peer cert,
-   * so adjust accordingly.
-   */
-  if (SSL_is_server(ssl->ssl))
-    --n;
-  if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
-    lua_pushnil(L);
-  } else {
-    if (n >= sk_X509_num(certs)) {
-      lua_pushnil(L);
-      return 1;
-    }
-    cert = sk_X509_value(certs, n);
-    /* Increment the reference counting of the object. */
-    /* See SSL_get_peer_certificate() source code.     */
-    X509_up_ref(cert);
-    lsec_pushx509(L, cert);
-  }
-  return 1;
-}
-
 /**
  * Return the chain of certificate of the peer.
  */
@@ -615,41 +564,6 @@ static int meth_getpeerchain(lua_State *L)
   return 1;
 }
 
-/**
- * Return the chain of certificates sent to the peer.
- */
-static int meth_getlocalchain(lua_State *L)
-{
-  int i;
-  int idx = 1;
-  int n_certs;
-  X509 *cert;
-  STACK_OF(X509) *certs;
-  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-  if (ssl->state != LSEC_STATE_CONNECTED) {
-    lua_pushnil(L);
-    lua_pushstring(L, "closed");
-    return 2;
-  }
-  lua_newtable(L);
-  if (SSL_is_server(ssl->ssl)) {
-    lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
-    lua_rawseti(L, -2, idx++);
-  }
-  if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
-    n_certs = sk_X509_num(certs);
-    for (i = 0; i < n_certs; i++) {
-      cert = sk_X509_value(certs, i);
-      /* Increment the reference counting of the object. */
-      /* See SSL_get_peer_certificate() source code.     */
-      X509_up_ref(cert);
-      lsec_pushx509(L, cert);
-      lua_rawseti(L, -2, idx++);
-    }
-  }
-  return 1;
-}
-
 /**
  * Copy the table src to the table dst.
  */
@@ -757,41 +671,6 @@ static int meth_getpeerfinished(lua_State *L)
   return 1;
 }
 
-/**
- * Get some shared keying material
- */
-static int meth_exportkeyingmaterial(lua_State *L)
-{
-  p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
-
-  if(ssl->state != LSEC_STATE_CONNECTED) {
-    lua_pushnil(L);
-    lua_pushstring(L, "closed");
-    return 0;
-  }
-
-  size_t llen = 0;
-  size_t contextlen = 0;
-  const unsigned char *context = NULL;
-  const char *label = (const char*)luaL_checklstring(L, 2, &llen);
-  size_t olen = (size_t)luaL_checkinteger(L, 3);
-
-  if (!lua_isnoneornil(L, 4))
-    context = (const unsigned char*)luaL_checklstring(L, 4, &contextlen);
-
-  /* Temporary buffer memory-managed by Lua itself */
-  unsigned char *out = (unsigned char*)lua_newuserdata(L, olen);
-
-  if(SSL_export_keying_material(ssl->ssl, out, olen, label, llen, context, contextlen, context != NULL) != 1) {
-    lua_pushnil(L);
-    lua_pushstring(L, "error exporting keying material");
-    return 2;
-  }
-
-  lua_pushlstring(L, (char*)out, olen);
-  return 1;
-}
-
 /**
  * Object information -- tostring metamethod
  */
@@ -868,8 +747,6 @@ static int sni_cb(SSL *ssl, int *ad, void *arg)
   lua_pop(L, 4);
   /* Found, use this context */
   if (newctx) {
-    p_context pctx = (p_context)SSL_CTX_get_app_data(newctx);
-    pctx->L = L;
     SSL_set_SSL_CTX(ssl, newctx);
     return SSL_TLSEXT_ERR_OK;
   }
@@ -947,7 +824,7 @@ static int meth_getalpn(lua_State *L)
 
 static int meth_copyright(lua_State *L)
 {
-  lua_pushstring(L, "LuaSec 1.3.2 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
+  lua_pushstring(L, "LuaSec 1.0.1 - Copyright (C) 2006-2021 Bruno Silvestre, UFG"
 #if defined(WITH_LUASOCKET)
                     "\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
 #endif
@@ -994,12 +871,9 @@ static luaL_Reg methods[] = {
   {"getfd",               meth_getfd},
   {"getfinished",         meth_getfinished},
   {"getpeercertificate",  meth_getpeercertificate},
-  {"getlocalcertificate", meth_getlocalcertificate},
   {"getpeerchain",        meth_getpeerchain},
-  {"getlocalchain",       meth_getlocalchain},
   {"getpeerverification", meth_getpeerverification},
   {"getpeerfinished",     meth_getpeerfinished},
-  {"exportkeyingmaterial",meth_exportkeyingmaterial},
   {"getsniname",          meth_getsniname},
   {"getstats",            meth_getstats},
   {"setstats",            meth_setstats},

src/ssl.h

@@ -2,9 +2,9 @@
 #define LSEC_SSL_H
 
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2006-2023 Bruno Silvestre
+ * Copyright (C) 2006-2021 Bruno Silvestre
  *
  *--------------------------------------------------------------------------*/
 

src/ssl.lua

@@ -1,7 +1,7 @@
 ------------------------------------------------------------------------------
--- LuaSec 1.3.2
+-- LuaSec 1.0.1
 --
--- Copyright (C) 2006-2023 Bruno Silvestre
+-- Copyright (C) 2006-2021 Bruno Silvestre
 --
 ------------------------------------------------------------------------------
 
@@ -10,6 +10,11 @@ local context = require("ssl.context")
 local x509    = require("ssl.x509")
 local config  = require("ssl.config")
 
+local ocsp
+if config.capabilities.ocsp then
+  ocsp = require("ssl.context.ocsp")
+end
+
 local unpack  = table.unpack or unpack
 
 -- We must prevent the contexts to be collected before the connections,
@@ -201,39 +206,16 @@ local function newcontext(cfg)
       if not succ then return nil, msg end
    end
 
-   -- PSK
+   if config.capabilities.dane and cfg.dane then
-   if config.capabilities.psk and cfg.psk then
+      context.setdane(ctx)
-      if cfg.mode == "client" then
-         if type(cfg.psk) ~= "function" then
-            return nil, "invalid PSK configuration"
-         end
-         succ = context.setclientpskcb(ctx, cfg.psk)
-         if not succ then return nil, msg end
-      elseif cfg.mode == "server" then
-         if type(cfg.psk) == "function" then
-            succ, msg = context.setserverpskcb(ctx, cfg.psk)
-            if not succ then return nil, msg end
-         elseif type(cfg.psk) == "table" then
-            if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
-               succ, msg = context.setpskhint(ctx, cfg.psk.hint)
-               if not succ then return succ, msg end
-               succ = context.setserverpskcb(ctx, cfg.psk.callback)
-               if not succ then return succ, msg end
-            else
-               return nil, "invalid PSK configuration"
-            end
-         else
-            return nil, "invalid PSK configuration"
-         end
-      end
    end
 
-   if config.capabilities.dane and cfg.dane then
+   if config.capabilities.ocsp and cfg.ocsp then
-      if type(cfg.dane) == "table" then
+      msg  = "error setting OCSP"
-         context.setdane(ctx, unpack(cfg.dane))
+      succ = type(cfg.ocsp) == "function"
-      else
+      if not succ then return nil, msg end
-         context.setdane(ctx)
+      succ = context.setocspcb(ctx, cfg.ocsp)
-      end
+      if not succ then return nil, msg end
    end
 
    return ctx
@@ -302,9 +284,10 @@ core.setmethod("info", info)
 --
 
 local _M = {
-  _VERSION        = "1.3.2",
+  _VERSION        = "1.0.1",
   _COPYRIGHT      = core.copyright(),
   config          = config,
+  ocsp            = ocsp,
   loadcertificate = x509.load,
   newcontext      = newcontext,
   wrap            = wrap,

src/x509.c

@@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
- * Copyright (C) 2014-2023 Bruno Silvestre
+ *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/
 
@@ -655,11 +655,10 @@ static int meth_set_encode(lua_State* L)
   return 1;
 }
 
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 /**
  * Get signature name.
  */
-static int meth_get_signature_name(lua_State* L)
+static int meth_get_sinagure_name(lua_State* L)
 {
   p_x509 px = lsec_checkp_x509(L, 1);
   int nid = X509_get_signature_nid(px->cert);
@@ -670,7 +669,6 @@ static int meth_get_signature_name(lua_State* L)
     lua_pushstring(L, name);
   return 1;
 }
-#endif
 
 /*---------------------------------------------------------------------------*/
 
@@ -700,9 +698,7 @@ static luaL_Reg methods[] = {
   {"digest",     meth_digest},
   {"setencode",  meth_set_encode},
   {"extensions", meth_extensions},
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+  {"getsignaturename", meth_get_sinagure_name},
-  {"getsignaturename", meth_get_signature_name},
-#endif
   {"issuer",     meth_issuer},
   {"notbefore",  meth_notbefore},
   {"notafter",   meth_notafter},

src/x509.h

@@ -1,8 +1,8 @@
 /*--------------------------------------------------------------------------
- * LuaSec 1.3.2
+ * LuaSec 1.0.1
  *
- * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2021 Kim Alvefur, Paul Aurich, Tobias Markmann
- * Copyright (C) 2013-2023 Bruno Silvestre
+ *                         Matthew Wild, Bruno Silvestre.
  *
  *--------------------------------------------------------------------------*/