New Upstream Release - lua-sec
Summary
Merged new upstream version: 1.3.1 (was: 1.2.0).
Resulting package
Built on 2023-06-07T22:39 (took 5m43s)
Diff
diff --git a/CHANGELOG b/CHANGELOG
index b94f4ae..13bb421 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,18 @@
+--------------------------------------------------------------------------------
+LuaSec 1.3.1
+---------------
+This version includes:
+
+* Fix: check if PSK is available
+
+--------------------------------------------------------------------------------
+LuaSec 1.3.0
+---------------
+This version includes:
+
+* Add :getlocalchain() + :getlocalcertificate() to mirror the peer methods (@mwild1)
+* Add Pre-Shared Key (PSK) support (@jclab-joseph)
+
--------------------------------------------------------------------------------
LuaSec 1.2.0
---------------
diff --git a/INSTALL b/INSTALL
index 7dfbe52..90dfb72 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,9 +1,9 @@
-LuaSec 1.2.0
+LuaSec 1.3.1
------------
* OpenSSL options:
- By default, this version includes options for OpenSSL 3.0.0 beta2
+ By default, this version includes options for OpenSSL 3.0.8
If you need to generate the options for a different version of OpenSSL:
diff --git a/LICENSE b/LICENSE
index 96c5ce6..a28162f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,5 @@
-LuaSec 1.2.0 license
-Copyright (C) 2006-2022 Bruno Silvestre, UFG
+LuaSec 1.3.1 license
+Copyright (C) 2006-2023 Bruno Silvestre, UFG
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
diff --git a/README.md b/README.md
index e8da71a..7c801de 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-LuaSec 1.2.0
+LuaSec 1.3.1
===============
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.
diff --git a/debian/changelog b/debian/changelog
index 0509664..a53649e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lua-sec (1.3.1-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Debian Janitor <janitor@jelmer.uk> Wed, 07 Jun 2023 22:34:40 -0000
+
lua-sec (1.2.0-2) unstable; urgency=medium
[ Debian Janitor ]
diff --git a/debian/patches/0001-test.patch b/debian/patches/0001-test.patch
index 1216730..a0bcc4b 100644
--- a/debian/patches/0001-test.patch
+++ b/debian/patches/0001-test.patch
@@ -9,19 +9,17 @@ Subject: test
create mode 100644 test.lua
create mode 100644 test.sh
-diff --git a/test.lua b/test.lua
-new file mode 100644
-index 0000000..7681667
+Index: lua-sec.git/test.lua
+===================================================================
--- /dev/null
-+++ b/test.lua
++++ lua-sec.git/test.lua
@@ -0,0 +1,2 @@
+rc=os.execute("sh test.sh " .. arg[1])
+if rc == true then os.exit(0) elseif rc== 0 then os.exit(0) else os.exit(1); end
-diff --git a/test.sh b/test.sh
-new file mode 100644
-index 0000000..dbb2e1c
+Index: lua-sec.git/test.sh
+===================================================================
--- /dev/null
-+++ b/test.sh
++++ lua-sec.git/test.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
diff --git a/debian/patches/0002-lua-sec.h.patch b/debian/patches/0002-lua-sec.h.patch
index d723e3d..cc22bda 100644
--- a/debian/patches/0002-lua-sec.h.patch
+++ b/debian/patches/0002-lua-sec.h.patch
@@ -7,11 +7,10 @@ Subject: lua-sec.h
1 file changed, 9 insertions(+)
create mode 100644 lua-sec.h
-diff --git a/lua-sec.h b/lua-sec.h
-new file mode 100644
-index 0000000..35281bf
+Index: lua-sec.git/lua-sec.h
+===================================================================
--- /dev/null
-+++ b/lua-sec.h
++++ lua-sec.git/lua-sec.h
@@ -0,0 +1,9 @@
+/* This file has been added in the Debian package */
+
diff --git a/debian/patches/0003-oneshot-let-the-OS-choose-a-free-port.patch b/debian/patches/0003-oneshot-let-the-OS-choose-a-free-port.patch
index ddb3af8..44b1d90 100644
--- a/debian/patches/0003-oneshot-let-the-OS-choose-a-free-port.patch
+++ b/debian/patches/0003-oneshot-let-the-OS-choose-a-free-port.patch
@@ -8,10 +8,10 @@ Subject: oneshot: let the OS choose a free port
test.sh | 9 ++++++---
3 files changed, 12 insertions(+), 5 deletions(-)
-diff --git a/samples/oneshot/client.lua b/samples/oneshot/client.lua
-index 48bc0bb..b652698 100644
---- a/samples/oneshot/client.lua
-+++ b/samples/oneshot/client.lua
+Index: lua-sec.git/samples/oneshot/client.lua
+===================================================================
+--- lua-sec.git.orig/samples/oneshot/client.lua
++++ lua-sec.git/samples/oneshot/client.lua
@@ -15,7 +15,9 @@ local params = {
}
@@ -23,11 +23,11 @@ index 48bc0bb..b652698 100644
-- [[ SSL wrapper
peer = assert( ssl.wrap(peer, params) )
-diff --git a/samples/oneshot/server.lua b/samples/oneshot/server.lua
-index b3bcd8d..0952986 100644
---- a/samples/oneshot/server.lua
-+++ b/samples/oneshot/server.lua
-@@ -21,7 +21,9 @@ local ctx = assert(ssl.newcontext(params))
+Index: lua-sec.git/samples/oneshot/server.lua
+===================================================================
+--- lua-sec.git.orig/samples/oneshot/server.lua
++++ lua-sec.git/samples/oneshot/server.lua
+@@ -21,7 +21,9 @@ local ctx = assert(ssl.newcontext(params
local server = socket.tcp()
server:setoption('reuseaddr', true)
@@ -38,10 +38,10 @@ index b3bcd8d..0952986 100644
server:listen()
local peer = server:accept()
-diff --git a/test.sh b/test.sh
-index dbb2e1c..b6b5d43 100644
---- a/test.sh
-+++ b/test.sh
+Index: lua-sec.git/test.sh
+===================================================================
+--- lua-sec.git.orig/test.sh
++++ lua-sec.git/test.sh
@@ -5,10 +5,13 @@ set -x
set -m
diff --git a/luasec-1.2.0-1.rockspec b/luasec-1.3.1-1.rockspec
similarity index 96%
rename from luasec-1.2.0-1.rockspec
rename to luasec-1.3.1-1.rockspec
index 584e985..5862c63 100644
--- a/luasec-1.2.0-1.rockspec
+++ b/luasec-1.3.1-1.rockspec
@@ -1,8 +1,8 @@
package = "LuaSec"
-version = "1.2.0-1"
+version = "1.3.1-1"
source = {
url = "git+https://github.com/brunoos/luasec",
- tag = "v1.2.0",
+ tag = "v1.3.1",
}
description = {
summary = "A binding for OpenSSL library to provide TLS/SSL communication over LuaSocket.",
@@ -87,7 +87,7 @@ build = {
"$(OPENSSL_BINDIR)",
},
libraries = {
- "libssl32MD", "libcrypto32MD", "ws2_32"
+ "libssl", "libcrypto", "ws2_32"
},
incdirs = {
"$(OPENSSL_INCDIR)", "src/", "src/luasocket"
diff --git a/luasec.vcxproj b/luasec.vcxproj
index 10b936a..39b71e3 100644
--- a/luasec.vcxproj
+++ b/luasec.vcxproj
@@ -61,7 +61,7 @@
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
- <AdditionalDependencies>ws2_32.lib;libeay32MDd.lib;ssleay32MDd.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)ssl.dll</OutputFile>
<AdditionalLibraryDirectories>C:\devel\openssl\lib\VC;C:\devel\lua-dll9;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateDebugInformation>true</GenerateDebugInformation>
@@ -85,7 +85,7 @@
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
- <AdditionalDependencies>ws2_32.lib;libssl32MD.lib;libcrypto32MD.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>ws2_32.lib;libssl.lib;libcrypto.lib;lua5.1.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>C:\devel\openssl-1.1.0\lib\VC;C:\devel\lua-5.1\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateDebugInformation>true</GenerateDebugInformation>
diff --git a/samples/README b/samples/README
index 517eefe..bd983d4 100644
--- a/samples/README
+++ b/samples/README
@@ -45,6 +45,9 @@ Directories:
* oneshot
A simple connection example.
+* psk
+ PSK(Pre Shared Key) support.
+
* sni
Support to SNI (Server Name Indication).
diff --git a/samples/certs/all.sh b/samples/certs/all.sh
index 8c842dc..7e1aa98 100755
--- a/samples/certs/all.sh
+++ b/samples/certs/all.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
./rootA.sh
./rootB.sh
./clientA.sh
diff --git a/samples/certs/clientA.sh b/samples/certs/clientA.sh
index 0f0657d..118e186 100755
--- a/samples/certs/clientA.sh
+++ b/samples/certs/clientA.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
-nodes -config ./clientA.cnf -days 365 -batch
diff --git a/samples/certs/clientB.sh b/samples/certs/clientB.sh
index 8718468..a39ae83 100755
--- a/samples/certs/clientB.sh
+++ b/samples/certs/clientB.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
-nodes -config ./clientB.cnf -days 365 -batch
diff --git a/samples/certs/rootA.sh b/samples/certs/rootA.sh
index 6d29126..fcfcd73 100755
--- a/samples/certs/rootA.sh
+++ b/samples/certs/rootA.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
diff --git a/samples/certs/rootB.sh b/samples/certs/rootB.sh
index fabc3a5..07b53a4 100755
--- a/samples/certs/rootB.sh
+++ b/samples/certs/rootB.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/sh
openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
diff --git a/samples/certs/serverA.sh b/samples/certs/serverA.sh
index 66e8441..9fcf5dc 100755
--- a/samples/certs/serverA.sh
+++ b/samples/certs/serverA.sh
@@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh
-openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverAkey.pem -out serverAreq.pem \
-config ./serverA.cnf -nodes -days 365 -batch
openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
diff --git a/samples/certs/serverB.sh b/samples/certs/serverB.sh
index ee127ea..f184b1c 100755
--- a/samples/certs/serverB.sh
+++ b/samples/certs/serverB.sh
@@ -1,6 +1,6 @@
-#!/usr/bin/env sh
+#!/bin/sh
-openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout serverBkey.pem -out serverBreq.pem \
-config ./serverB.cnf -nodes -days 365 -batch
openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
diff --git a/samples/chain/server.lua b/samples/chain/server.lua
index a560fbe..8bf3d36 100644
--- a/samples/chain/server.lua
+++ b/samples/chain/server.lua
@@ -31,8 +31,27 @@ util.show( conn:getpeercertificate() )
print("----------------------------------------------------------------------")
-for k, cert in ipairs( conn:getpeerchain() ) do
+local expectedpeerchain = { "../certs/clientAcert.pem", "../certs/rootA.pem" }
+
+local peerchain = conn:getpeerchain()
+assert(#peerchain == #expectedpeerchain)
+for k, cert in ipairs( peerchain ) do
+ util.show(cert)
+ local expectedpem = assert(io.open(expectedpeerchain[k])):read("*a")
+ assert(cert:pem() == expectedpem, "peer chain mismatch @ "..tostring(k))
+end
+
+local expectedlocalchain = { "../certs/serverAcert.pem" }
+
+local localchain = assert(conn:getlocalchain())
+assert(#localchain == #expectedlocalchain)
+for k, cert in ipairs( localchain ) do
util.show(cert)
+ local expectedpem = assert(io.open(expectedlocalchain[k])):read("*a")
+ assert(cert:pem() == expectedpem, "local chain mismatch @ "..tostring(k))
+ if k == 1 then
+ assert(cert:pem() == conn:getlocalcertificate():pem())
+ end
end
local f = io.open(params.certificate)
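Review bot: `assert(io.open(expectedpeerchain[k])):read("*a")`, and the same idiom in the local-chain loop a few lines below, never closes the file handle it opens; the descriptor is released only when the collector eventually finalizes it. Spelling it out as `local f = assert(io.open(expectedpeerchain[k]))`, `local expectedpem = f:read("*a")`, `f:close()` releases it deterministically. It matters little for a sample, but samples are what readers copy into real code.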
diff --git a/samples/psk/client.lua b/samples/psk/client.lua
new file mode 100644
index 0000000..0308463
--- /dev/null
+++ b/samples/psk/client.lua
@@ -0,0 +1,41 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl = require("ssl")
+
+if not ssl.config.capabilities.psk then
+ print("[ERRO] PSK not available")
+ os.exit(1)
+end
+
+-- @param hint (nil | string)
+-- @param max_identity_len (number)
+-- @param max_psk_len (number)
+-- @return identity (string)
+-- @return PSK (string)
+local function pskcb(hint, max_identity_len, max_psk_len)
+ print(string.format("PSK Callback: hint=%q, max_identity_len=%d, max_psk_len=%d", hint, max_identity_len, max_psk_len))
+ return "abcd", "1234"
+end
+
+local params = {
+ mode = "client",
+ protocol = "tlsv1_2",
+ psk = pskcb,
+}
+
+local peer = socket.tcp()
+peer:connect("127.0.0.1", 8888)
+
+peer = assert( ssl.wrap(peer, params) )
+assert(peer:dohandshake())
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+ print(k, v)
+end
+print("---")
+
+peer:close()
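Review bot: `pskcb` formats `hint` with `%q`, but the client callback on the C side passes nil when the server sends no identity hint, which is exactly what `samples/psk/server.lua` does in its default "just a callback" configuration; on Lua 5.1–5.3 `string.format("%q", nil)` raises "string expected, got nil", so the sample aborts in the middle of the handshake. `hint=%s` together with `tostring(hint)` prints the same information on every Lua version. The `peer:connect("127.0.0.1", 8888)` call also discards its result; `assert(peer:connect("127.0.0.1", 8888))` would report a refused connection at the point it happens rather than as a later, less obvious handshake failure.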
diff --git a/samples/psk/server.lua b/samples/psk/server.lua
new file mode 100644
index 0000000..1f19d9f
--- /dev/null
+++ b/samples/psk/server.lua
@@ -0,0 +1,60 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl = require("ssl")
+
+if not ssl.config.capabilities.psk then
+ print("[ERRO] PSK not available")
+ os.exit(1)
+end
+
+-- @param identity (string)
+-- @param max_psk_len (number)
+-- @return psk (string)
+local function pskcb(identity, max_psk_len)
+ print(string.format("PSK Callback: identity=%q, max_psk_len=%d", identity, max_psk_len))
+ if identity == "abcd" then
+ return "1234"
+ end
+ return nil
+end
+
+local params = {
+ mode = "server",
+ protocol = "any",
+ options = "all",
+
+-- PSK with just a callback
+ psk = pskcb,
+
+-- PSK with identity hint
+-- psk = {
+-- hint = "hintpsksample",
+-- callback = pskcb,
+-- },
+}
+
+
+-- [[ SSL context
+local ctx = assert(ssl.newcontext(params))
+--]]
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert( server:bind("127.0.0.1", 8888) )
+server:listen()
+
+local peer = server:accept()
+peer = assert( ssl.wrap(peer, ctx) )
+assert( peer:dohandshake() )
+
+print("--- INFO ---")
+local info = peer:info()
+for k, v in pairs(info) do
+ print(k, v)
+end
+print("---")
+
+peer:close()
+server:close()
diff --git a/src/compat.h b/src/compat.h
index cb3ac8e..32e1966 100644
--- a/src/compat.h
+++ b/src/compat.h
@@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@@ -54,4 +54,10 @@
//------------------------------------------------------------------------------
+#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_PSK)
+#define LSEC_ENABLE_PSK
+#endif
+
+//------------------------------------------------------------------------------
+
#endif
diff --git a/src/config.c b/src/config.c
index ef1c04f..3ac06d6 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@@ -74,6 +74,12 @@ LSEC_API int luaopen_ssl_config(lua_State *L)
lua_pushboolean(L, 1);
lua_rawset(L, -3);
+#ifdef LSEC_ENABLE_PSK
+ lua_pushstring(L, "psk");
+ lua_pushboolean(L, 1);
+ lua_rawset(L, -3);
+#endif
+
#ifdef LSEC_ENABLE_DANE
// DANE
lua_pushstring(L, "dane");
diff --git a/src/context.c b/src/context.c
index 0bb4826..ad3bd9b 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1,9 +1,8 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
- * Matthew Wild.
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@@ -708,6 +707,143 @@ static int set_alpn_cb(lua_State *L)
return 1;
}
+#if defined(LSEC_ENABLE_PSK)
+/**
+ * Callback to select the PSK.
+ */
+static unsigned int server_psk_cb(SSL *ssl, const char *identity, unsigned char *psk,
+ unsigned int max_psk_len)
+{
+ size_t psk_len;
+ const char *ret_psk;
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+ lua_State *L = pctx->L;
+
+ luaL_getmetatable(L, "SSL:PSK:Registry");
+ lua_pushlightuserdata(L, (void*)pctx->context);
+ lua_gettable(L, -2);
+
+ lua_pushstring(L, identity);
+ lua_pushinteger(L, max_psk_len);
+
+ lua_call(L, 2, 1);
+
+ if (!lua_isstring(L, -1)) {
+ lua_pop(L, 2);
+ return 0;
+ }
+
+ ret_psk = lua_tolstring(L, -1, &psk_len);
+
+ if (psk_len == 0 || psk_len > max_psk_len)
+ psk_len = 0;
+ else
+ memcpy(psk, ret_psk, psk_len);
+
+ lua_pop(L, 2);
+
+ return psk_len;
+}
+
+/**
+ * Set a PSK callback for server.
+ */
+static int set_server_psk_cb(lua_State *L)
+{
+ p_context ctx = checkctx(L, 1);
+
+ luaL_getmetatable(L, "SSL:PSK:Registry");
+ lua_pushlightuserdata(L, (void*)ctx->context);
+ lua_pushvalue(L, 2);
+ lua_settable(L, -3);
+
+ SSL_CTX_set_psk_server_callback(ctx->context, server_psk_cb);
+
+ lua_pushboolean(L, 1);
+ return 1;
+}
+
+/*
+ * Set the PSK indentity hint.
+ */
+static int set_psk_identity_hint(lua_State *L)
+{
+ p_context ctx = checkctx(L, 1);
+ const char *hint = luaL_checkstring(L, 2);
+ int ret = SSL_CTX_use_psk_identity_hint(ctx->context, hint);
+ lua_pushboolean(L, ret);
+ return 1;
+}
+
+/*
+ * Client callback to PSK.
+ */
+static unsigned int client_psk_cb(SSL *ssl, const char *hint, char *identity,
+ unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+{
+ size_t psk_len;
+ size_t identity_len;
+ const char *ret_psk;
+ const char *ret_identity;
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ p_context pctx = (p_context)SSL_CTX_get_app_data(ctx);
+ lua_State *L = pctx->L;
+
+ luaL_getmetatable(L, "SSL:PSK:Registry");
+ lua_pushlightuserdata(L, (void*)pctx->context);
+ lua_gettable(L, -2);
+
+ if (hint)
+ lua_pushstring(L, hint);
+ else
+ lua_pushnil(L);
+
+ // Leave space to '\0'
+ lua_pushinteger(L, max_identity_len-1);
+ lua_pushinteger(L, max_psk_len);
+
+ lua_call(L, 3, 2);
+
+ if (!lua_isstring(L, -1) || !lua_isstring(L, -2)) {
+ lua_pop(L, 3);
+ return 0;
+ }
+
+ ret_identity = lua_tolstring(L, -2, &identity_len);
+ ret_psk = lua_tolstring(L, -1, &psk_len);
+
+ if (identity_len >= max_identity_len || psk_len > max_psk_len)
+ psk_len = 0;
+ else {
+ memcpy(identity, ret_identity, identity_len);
+ identity[identity_len] = 0;
+ memcpy(psk, ret_psk, psk_len);
+ }
+
+ lua_pop(L, 3);
+
+ return psk_len;
+}
+
+/**
+ * Set a PSK callback for client.
+ */
+static int set_client_psk_cb(lua_State *L) {
+ p_context ctx = checkctx(L, 1);
+
+ luaL_getmetatable(L, "SSL:PSK:Registry");
+ lua_pushlightuserdata(L, (void*)ctx->context);
+ lua_pushvalue(L, 2);
+ lua_settable(L, -3);
+
+ SSL_CTX_set_psk_client_callback(ctx->context, client_psk_cb);
+
+ lua_pushboolean(L, 1);
+ return 1;
+}
+#endif
+
#if defined(LSEC_ENABLE_DANE)
/*
* DANE
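Review bot: `server_psk_cb` and `client_psk_cb` run the user-supplied Lua function with an unprotected `lua_call`, so any runtime error inside it (a nil index, a failed lookup) longjmps straight through OpenSSL's handshake frames instead of failing the handshake in a controlled way. A protected call that treats failure as "no PSK", `if (lua_pcall(L, 2, 1, 0) != 0) { lua_pop(L, 2); return 0; }` in the server callback and the `lua_pcall(L, 3, 2, 0)` equivalent in the client one, keeps the error on the Lua side and lets OpenSSL abort the handshake itself; the stack at that point holds the registry table plus the error object, hence the pop of two. If the existing DH and ALPN registry callbacks, which are outside this hunk, use `lua_call` as well, this is a pre-existing pattern rather than a regression, but the PSK path is the one where a failure means no key material at all. The comment above `set_psk_identity_hint` also misspells "identity" as "indentity".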
@@ -759,6 +895,11 @@ static luaL_Reg funcs[] = {
{"setdhparam", set_dhparam},
{"setverify", set_verify},
{"setoptions", set_options},
+#if defined(LSEC_ENABLE_PSK)
+ {"setpskhint", set_psk_identity_hint},
+ {"setserverpskcb", set_server_psk_cb},
+ {"setclientpskcb", set_client_psk_cb},
+#endif
{"setmode", set_mode},
#if !defined(OPENSSL_NO_EC)
{"setcurve", set_curve},
@@ -792,6 +933,10 @@ static int meth_destroy(lua_State *L)
lua_pushlightuserdata(L, (void*)ctx->context);
lua_pushnil(L);
lua_settable(L, -3);
+ luaL_getmetatable(L, "SSL:PSK:Registry");
+ lua_pushlightuserdata(L, (void*)ctx->context);
+ lua_pushnil(L);
+ lua_settable(L, -3);
SSL_CTX_free(ctx->context);
ctx->context = NULL;
@@ -934,9 +1079,10 @@ void *lsec_testudata (lua_State *L, int ud, const char *tname) {
*/
LSEC_API int luaopen_ssl_context(lua_State *L)
{
- luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
- luaL_newmetatable(L, "SSL:ALPN:Registry"); /* Keep all ALPN callbacks */
- luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
+ luaL_newmetatable(L, "SSL:DH:Registry"); /* Keep all DH callbacks */
+ luaL_newmetatable(L, "SSL:ALPN:Registry"); /* Keep all ALPN callbacks */
+ luaL_newmetatable(L, "SSL:PSK:Registry"); /* Keep all PSK callbacks */
+ luaL_newmetatable(L, "SSL:Verify:Registry"); /* Keep all verify flags */
luaL_newmetatable(L, "SSL:Context");
setfuncs(L, meta);
diff --git a/src/context.h b/src/context.h
index a2dd7db..30933b9 100644
--- a/src/context.h
+++ b/src/context.h
@@ -2,9 +2,9 @@
#define LSEC_CONTEXT_H
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/ec.c b/src/ec.c
index 73b09d7..55b5da9 100644
--- a/src/ec.c
+++ b/src/ec.c
@@ -1,3 +1,10 @@
+/*--------------------------------------------------------------------------
+ * LuaSec 1.3.1
+ *
+ * Copyright (C) 2006-2023 Bruno Silvestre
+ *
+ *--------------------------------------------------------------------------*/
+
#include <openssl/objects.h>
#include "ec.h"
diff --git a/src/ec.h b/src/ec.h
index 7bf700d..da7f964 100644
--- a/src/ec.h
+++ b/src/ec.h
@@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/https.lua b/src/https.lua
index 1d7ec7b..8709772 100644
--- a/src/https.lua
+++ b/src/https.lua
@@ -1,6 +1,7 @@
----------------------------------------------------------------------------
--- LuaSec 1.2.0
--- Copyright (C) 2009-2022 PUC-Rio
+-- LuaSec 1.3.1
+--
+-- Copyright (C) 2009-2023 PUC-Rio
--
-- Author: Pablo Musa
-- Author: Tomas Guisasola
@@ -18,8 +19,8 @@ local try = socket.try
-- Module
--
local _M = {
- _VERSION = "1.2.0",
- _COPYRIGHT = "LuaSec 1.2.0 - Copyright (C) 2009-2022 PUC-Rio",
+ _VERSION = "1.3.1",
+ _COPYRIGHT = "LuaSec 1.3.1 - Copyright (C) 2009-2023 PUC-Rio",
PORT = 443,
TIMEOUT = 60
}
diff --git a/src/options.c b/src/options.c
index 2037c2e..643e0cf 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1,7 +1,7 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@@ -13,7 +13,7 @@
/*
- OpenSSL version: OpenSSL 3.0.0-beta2
+ OpenSSL version: OpenSSL 3.0.8
*/
static lsec_ssl_option_t ssl_options[] = {
diff --git a/src/options.h b/src/options.h
index 7f4ce0a..ee6d92e 100644
--- a/src/options.h
+++ b/src/options.h
@@ -2,9 +2,9 @@
#define LSEC_OPTIONS_H
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/options.lua b/src/options.lua
index 8899ed2..3f03041 100644
--- a/src/options.lua
+++ b/src/options.lua
@@ -18,9 +18,9 @@ end
local function generate(options, version)
print([[
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/ssl.c b/src/ssl.c
index c546a87..af94137 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1,9 +1,8 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann,
- * Matthew Wild.
- * Copyright (C) 2006-2022 Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
@@ -530,6 +529,58 @@ static int meth_getpeercertificate(lua_State *L)
return 1;
}
+/**
+ * Return the nth certificate of the chain sent to our peer.
+ */
+static int meth_getlocalcertificate(lua_State *L)
+{
+ int n;
+ X509 *cert;
+ STACK_OF(X509) *certs;
+ p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+ if (ssl->state != LSEC_STATE_CONNECTED) {
+ lua_pushnil(L);
+ lua_pushstring(L, "closed");
+ return 2;
+ }
+ /* Default to the first cert */
+ n = (int)luaL_optinteger(L, 2, 1);
+ /* This function is 1-based, but OpenSSL is 0-based */
+ --n;
+ if (n < 0) {
+ lua_pushnil(L);
+ lua_pushliteral(L, "invalid certificate index");
+ return 2;
+ }
+ if (n == 0) {
+ cert = SSL_get_certificate(ssl->ssl);
+ if (cert)
+ lsec_pushx509(L, cert);
+ else
+ lua_pushnil(L);
+ return 1;
+ }
+ /* In a server-context, the stack doesn't contain the peer cert,
+ * so adjust accordingly.
+ */
+ if (SSL_is_server(ssl->ssl))
+ --n;
+ if(SSL_get0_chain_certs(ssl->ssl, &certs) != 1) {
+ lua_pushnil(L);
+ } else {
+ if (n >= sk_X509_num(certs)) {
+ lua_pushnil(L);
+ return 1;
+ }
+ cert = sk_X509_value(certs, n);
+ /* Increment the reference counting of the object. */
+ /* See SSL_get_peer_certificate() source code. */
+ X509_up_ref(cert);
+ lsec_pushx509(L, cert);
+ }
+ return 1;
+}
+
/**
* Return the chain of certificate of the peer.
*/
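Review bot: In `meth_getlocalcertificate` the `n == 0` branch pushes the result of `SSL_get_certificate()` with `lsec_pushx509` without taking a reference, while the chain branch at the end of the same function calls `X509_up_ref(cert)` first. `SSL_get_certificate()` returns a pointer to OpenSSL's internal certificate, not a new reference, so if the Lua wrapper frees its X509 when collected (which the up_ref on the chain path suggests) the leaf certificate is released behind OpenSSL's back. Adding `X509_up_ref(cert);` before `lsec_pushx509(L, cert);` inside the `if (cert)` branch makes both paths consistent. The server-side push in the `meth_getlocalchain` hunk that follows has the same omission.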
@@ -564,6 +615,41 @@ static int meth_getpeerchain(lua_State *L)
return 1;
}
+/**
+ * Return the chain of certificates sent to the peer.
+ */
+static int meth_getlocalchain(lua_State *L)
+{
+ int i;
+ int idx = 1;
+ int n_certs;
+ X509 *cert;
+ STACK_OF(X509) *certs;
+ p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
+ if (ssl->state != LSEC_STATE_CONNECTED) {
+ lua_pushnil(L);
+ lua_pushstring(L, "closed");
+ return 2;
+ }
+ lua_newtable(L);
+ if (SSL_is_server(ssl->ssl)) {
+ lsec_pushx509(L, SSL_get_certificate(ssl->ssl));
+ lua_rawseti(L, -2, idx++);
+ }
+ if(SSL_get0_chain_certs(ssl->ssl, &certs)) {
+ n_certs = sk_X509_num(certs);
+ for (i = 0; i < n_certs; i++) {
+ cert = sk_X509_value(certs, i);
+ /* Increment the reference counting of the object. */
+ /* See SSL_get_peer_certificate() source code. */
+ X509_up_ref(cert);
+ lsec_pushx509(L, cert);
+ lua_rawseti(L, -2, idx++);
+ }
+ }
+ return 1;
+}
+
/**
* Copy the table src to the table dst.
*/
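Review bot: `meth_getlocalchain` passes `SSL_get_certificate(ssl->ssl)` straight to `lsec_pushx509` in the server branch, although `meth_getlocalcertificate` earlier in this file tests that same call for NULL before pushing, so a server context whose certificate is unset would hand a NULL pointer to the wrapper here. The branch also skips the `X509_up_ref` that the chain loop directly below performs for every other certificate it pushes, so the leaf is presumably the only entry the wrapper does not own. The rewritten branch below guards the pointer and takes the reference; the chain loop is unchanged.
```c
  lua_newtable(L);
  if (SSL_is_server(ssl->ssl)) {
    cert = SSL_get_certificate(ssl->ssl);
    if (cert) {
      /* Own a reference, as the chain loop below does. */
      X509_up_ref(cert);
      lsec_pushx509(L, cert);
      lua_rawseti(L, -2, idx++);
    }
  }
  /* … unchanged: SSL_get0_chain_certs loop … */
```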
@@ -861,7 +947,7 @@ static int meth_getalpn(lua_State *L)
static int meth_copyright(lua_State *L)
{
- lua_pushstring(L, "LuaSec 1.2.0 - Copyright (C) 2006-2022 Bruno Silvestre, UFG"
+ lua_pushstring(L, "LuaSec 1.3.1 - Copyright (C) 2006-2023 Bruno Silvestre, UFG"
#if defined(WITH_LUASOCKET)
"\nLuaSocket 3.0-RC1 - Copyright (C) 2004-2013 Diego Nehab"
#endif
@@ -908,7 +994,9 @@ static luaL_Reg methods[] = {
{"getfd", meth_getfd},
{"getfinished", meth_getfinished},
{"getpeercertificate", meth_getpeercertificate},
+ {"getlocalcertificate", meth_getlocalcertificate},
{"getpeerchain", meth_getpeerchain},
+ {"getlocalchain", meth_getlocalchain},
{"getpeerverification", meth_getpeerverification},
{"getpeerfinished", meth_getpeerfinished},
{"exportkeyingmaterial",meth_exportkeyingmaterial},
diff --git a/src/ssl.h b/src/ssl.h
index 69b010f..3ca82e1 100644
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -2,9 +2,9 @@
#define LSEC_SSL_H
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2006-2022 Bruno Silvestre
+ * Copyright (C) 2006-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/ssl.lua b/src/ssl.lua
index f49b172..c3dafb0 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
@@ -1,7 +1,7 @@
------------------------------------------------------------------------------
--- LuaSec 1.2.0
+-- LuaSec 1.3.1
--
--- Copyright (C) 2006-2022 Bruno Silvestre
+-- Copyright (C) 2006-2023 Bruno Silvestre
--
------------------------------------------------------------------------------
@@ -201,6 +201,33 @@ local function newcontext(cfg)
if not succ then return nil, msg end
end
+ -- PSK
+ if config.capabilities.psk and cfg.psk then
+ if cfg.mode == "client" then
+ if type(cfg.psk) ~= "function" then
+ return nil, "invalid PSK configuration"
+ end
+ succ = context.setclientpskcb(ctx, cfg.psk)
+ if not succ then return nil, msg end
+ elseif cfg.mode == "server" then
+ if type(cfg.psk) == "function" then
+ succ, msg = context.setserverpskcb(ctx, cfg.psk)
+ if not succ then return nil, msg end
+ elseif type(cfg.psk) == "table" then
+ if type(cfg.psk.hint) == "string" and type(cfg.psk.callback) == "function" then
+ succ, msg = context.setpskhint(ctx, cfg.psk.hint)
+ if not succ then return succ, msg end
+ succ = context.setserverpskcb(ctx, cfg.psk.callback)
+ if not succ then return succ, msg end
+ else
+ return nil, "invalid PSK configuration"
+ end
+ else
+ return nil, "invalid PSK configuration"
+ end
+ end
+ end
+
if config.capabilities.dane and cfg.dane then
if type(cfg.dane) == "table" then
context.setdane(ctx, unpack(cfg.dane))
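Review bot: The PSK block is entered only when `config.capabilities.psk and cfg.psk` holds, so a caller who configures `psk` against a build without PSK support gets a context that silently ignores the setting rather than an error; a guard such as `if cfg.psk and not config.capabilities.psk then return nil, "PSK not available" end` ahead of the block turns that into an explicit failure, matching the capability check the new samples perform themselves. Within the block, `succ = context.setclientpskcb(ctx, cfg.psk)` and `succ = context.setserverpskcb(ctx, cfg.psk.callback)` never assign `msg`, so the `return nil, msg` that follows would report whatever the earlier steps left in `msg`, and `context.setpskhint` returns a single boolean, so `return succ, msg` yields `false, nil` with no diagnostic and departs from the `nil, msg` convention used on the other failure paths in this function. The enclosing `newcontext` starts before this hunk.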
@@ -275,7 +302,7 @@ core.setmethod("info", info)
--
local _M = {
- _VERSION = "1.2.0",
+ _VERSION = "1.3.1",
_COPYRIGHT = core.copyright(),
config = config,
loadcertificate = x509.load,
diff --git a/src/x509.c b/src/x509.c
index 9bb5e57..6c5a571 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -1,8 +1,8 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
- * Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2014-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
diff --git a/src/x509.h b/src/x509.h
index f47b87e..8b766f4 100644
--- a/src/x509.h
+++ b/src/x509.h
@@ -1,8 +1,8 @@
/*--------------------------------------------------------------------------
- * LuaSec 1.2.0
+ * LuaSec 1.3.1
*
- * Copyright (C) 2014-2022 Kim Alvefur, Paul Aurich, Tobias Markmann
- * Matthew Wild, Bruno Silvestre.
+ * Copyright (C) 2014-2023 Kim Alvefur, Paul Aurich, Tobias Markmann, Matthew Wild
+ * Copyright (C) 2013-2023 Bruno Silvestre
*
*--------------------------------------------------------------------------*/
Debdiff
[The following lists of changes regard files as different if they have different names, permissions or owners.]
Files in second set of .debs but not in first
-rw-r--r-- root/root /usr/lib/debug/.build-id/0f/3e645ef22fb9038099892ae2437690a3550fdc.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/2a/6bb0704a570c1fef8234c0fbbd8255dafb1472.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f5/4c664e55d8981f046f29517f7f698318328908.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/f7/78948b6c8b72f15e23a6d1a5de7281a29f1669.debug -rw-r--r-- root/root /usr/share/doc/lua-sec-dev/samples/psk/client.lua -rw-r--r-- root/root /usr/share/doc/lua-sec-dev/samples/psk/server.lua
Files in first set of .debs but not in second
-rw-r--r-- root/root /usr/lib/debug/.build-id/29/d79a017046b0a6f08c0ec9b855e17dda494933.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/34/e7f9ebf070f955d1dd44f2fa2fb9db2b907720.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/6b/235c3d4a6457e18733873cf57290aebfb37f2a.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/88/e95df6836569a5f2d97171263ec121d7823035.debug
Control files of package lua-sec: lines which differ (wdiff format)
Depends: lua-socket (>= 3.1.0), libc6 (>= 2.4), 2.14), libssl3 (>= 3.0.0)
Control files of package lua-sec-dbgsym: lines which differ (wdiff format)
Build-Ids: 29d79a017046b0a6f08c0ec9b855e17dda494933 34e7f9ebf070f955d1dd44f2fa2fb9db2b907720 6b235c3d4a6457e18733873cf57290aebfb37f2a 88e95df6836569a5f2d97171263ec121d7823035 0f3e645ef22fb9038099892ae2437690a3550fdc 2a6bb0704a570c1fef8234c0fbbd8255dafb1472 f54c664e55d8981f046f29517f7f698318328908 f778948b6c8b72f15e23a6d1a5de7281a29f1669
No differences were encountered between the control files of package lua-sec-dev