API reference + checkhostname + symbol visibility fix

.gitignore

@@ -0,0 +1,5 @@
+.*.swp
+*.o
+*.a
+*.so
+*.html

.vimrc

@@ -0,0 +1 @@
+set expandtab tabstop=2 shiftwidth=2 softtabstop=2

doc/cert.md

@@ -0,0 +1,138 @@
+Functions
+---------
+
+### cert.load ###
+
+    cert = cert.load(string)
+
+Loads a PEM-formatted x509 certificate from a string. Returns nil on failure.
+See `cert:pem`.
+
+Methods
+-------
+
+### cert:digest ###
+
+    digest = cert:digest([format])
+
+Obtain the certificate fingerprint in the specified format. Can fail, in which
+case it returns nil, followed by an error message.
+
+Format can be one of:
+
+ - `sha1` (default)
+ - `sha256`
+ - `sha512`
+
+### cert:setencode ###
+
+    succes = cert:setencode(encoding)
+
+Set the string encoding used for this certificate.
+
+Encoding can be one of:
+
+ - `ai5`
+ - `utf8`
+
+### cert:extensions ###
+
+    extensions = cert:extensions()
+
+    -- extensions is of the format
+
+    extensions = {
+      [oid] = {
+        name = name,
+        -- the following are all optional
+        dNSName = { dNSName, ... },
+        rfc822Name = { rfc822Name, ... },
+        uniformResourceIdentifier = { uri, ... },
+        iPAddress = { iPAddress, ... },
+        [type] = {
+          name = typeName,
+          value, ...
+        },
+      },
+      ...
+    }
+
+Get the extensions supported by this certificate.
+
+### cert:issuer ###
+
+    issuer = cert:issuer()
+
+Return the subject of the issuer of this certificate. See `cert:subject`.
+Returned as an x509 name, see the Names section.
+
+### cert:notbefore ###
+
+    time = cert:notbefore()
+
+Get the notBefore date from the certificate, which specifies the time this
+certificate becomes valid at (until notAfter). See `cert:notafter`. The time is
+specified as a human-readable string.
+
+### cert:notafter ###
+
+    time = cert:notafter()
+
+Get the notAfter date from the certificate, which specifies the time this
+certificate ceases to be valid at. See `cert:notbefore`. The time is specified
+as a human-readable string.
+
+### cert:pem ###
+
+    pem = cert:pem()
+
+Return the certificate as PEM-formatted string. See `cert.load`.
+
+### cert:pubkey ###
+
+    pem, type, bits = cert:pubkey()
+
+Return the public key as PEM-formatted string. See `cert:pem`. Also returns the
+type and the amount of bits used.
+
+Type can be one of:
+
+ - `RSA`: Rivest-Shamir-Adleman
+ - `DSA`: Digital Signature Algorithm
+ - `DH`: Diffie-Hellman
+ - `EC`: Elliptic Curved
+ - `Unknown`
+
+### cert:serial ###
+
+    serial = cert:digest()
+
+Returns the certificates serial number as a hex-formatted string.
+
+### cert:subject ###
+
+    subject = cert:subject()
+
+Returns the subject of the certificate, that which the certificate is valid for.
+Returned as an x509 name, see the Names section.
+
+### cert:validat ###
+
+    valid = cert:validat(timestamp)
+
+Returns true if the certificate is valid at the given timestamp.
+
+Names
+-----
+
+x509 names are represented as a table in luasec. This table is a list of
+entries, where every entry is of the following format:
+
+    {
+      oid = objectIdAsString,
+      name = name,
+      value = valueAsString,
+    }
+
+One common (no pun intended) entry is the `commonName`, usually corresponding to
+the hostname this certificate was given to.

doc/context.md

@@ -0,0 +1,192 @@
+Functions
+---------
+
+### context.create ###
+
+    ctxt = context.create(method)
+
+Creates a new context. Can fail, in which case it returns nil, followed by an
+error.
+
+### context.locations ###
+
+    success, error = context.locations(ctxt, [cafile], [capath])
+
+Set the location of either the CA certificate file, or the directory which
+contains said file(s).
+
+### context.loadcert ###
+
+    success, error = context.loadcert(ctxt, filename)
+
+Load a certificate from a file into this context.
+
+### context.loadkey ###
+
+    success, error = context.loadkey(ctxt, filename)
+    success, error = context.loadkey(ctxt, filename, string)
+    success, error = context.loadkey(ctxt, filename, function() -> string)
+
+Loads a private key from a PEM-format file. The third argument can be either a
+string, or a function returning a string producing the password for the key.
+
+### context.checkkey ###
+
+    success = context.checkkey(ctxt)
+
+Returns true if the certificate loaded matches the key loaded.
+
+### context.setcipher ###
+
+    success, error = context.setcipher(ctxt, cipherlist)
+
+Sets the ciphers used when negotiation. For the format of the string
+`cipherlist`, see the openssl documentation, and in particular the `openssl
+ciphers` command line tool.
+
+### context.setdepth ###
+
+    success = context.setdepth(ctxt)
+
+Set the maximum verification depth for checking certificate chains.
+
+### context.setdhparam ###
+
+    context.setdhparam(ctxt, function(isExport, keyLength) -> params)
+
+Sets a callback to obtain Diffie-Hellman parameters on this context. Once these
+parameters are required, the callback gets called with a flag (`isExport`)
+indicating whether export-level security is used, and a key length
+(`keyLength`). It is then expected to produce a string containg parameters.
+
+For the format of the parameters string, see the openssl documentation.
+
+### context.setcurve ###
+
+    success, error = context.setcurve(ctxt, curve)
+
+Set the curve to use for Elliptic Curve cryptography.
+
+The curve can be one of:
+
+  - `secp112r1`
+  - `secp112r2`
+  - `secp128r1`
+  - `secp128r2`
+  - `secp160k1`
+  - `secp160r1`
+  - `secp160r2`
+  - `secp192k1`
+  - `secp224k1`
+  - `secp224r1`
+  - `secp256k1`
+  - `secp384r1`
+  - `secp521r1`
+  - `sect113r1`
+  - `sect113r2`
+  - `sect131r1`
+  - `sect131r2`
+  - `sect163k1`
+  - `sect163r1`
+  - `sect163r2`
+  - `sect193r1`
+  - `sect193r2`
+  - `sect233k1`
+  - `sect233r1`
+  - `sect239k1`
+  - `sect283k1`
+  - `sect283r1`
+  - `sect409k1`
+  - `sect409r1`
+  - `sect571k1`
+  - `sect571r1`
+  - `prime192v1`
+  - `prime192v2`
+  - `prime192v3`
+  - `prime239v1`
+  - `prime239v2`
+  - `prime239v3`
+  - `prime256v1`
+
+### context.setverify ###
+
+    success, error = context.setverify(ctxt, options...)
+
+Sets verification options for this context.
+
+The following options are valid:
+
+ - `none`
+ - `peer`
+ - `client_once`
+ - `fail_if_no_peer_cert`
+
+### context.setoptions ###
+
+    success, error = context.setoptions(ctxt, options...)
+
+Set generic context options for this context.
+
+The following options are valid:
+
+ - `all`
+ - `allow_unsafe_legacy_renegotiation`
+ - `cipher_server_preference`
+ - `cisco_anyconnect`
+ - `cookie_exchange`
+ - `cryptopro_tlsext_bug`
+ - `dont_insert_empty_fragments`
+ - `ephemeral_rsa`
+ - `legacy_server_connect`
+ - `microsoft_big_sslv3_buffer`
+ - `microsoft_sess_id_bug`
+ - `msie_sslv2_rsa_padding`
+ - `netscape_ca_dn_bug`
+ - `netscape_challenge_bug`
+ - `netscape_demo_cipher_change_bug`
+ - `netscape_reuse_cipher_change_bug`
+ - `no_compression`
+ - `no_query_mtu`
+ - `no_session_resumption_on_renegotiation`
+ - `no_sslv2`
+ - `no_sslv3`
+ - `no_ticket`
+ - `no_tlsv1`
+ - `no_tlsv1_1`
+ - `no_tlsv1_2`
+ - `pkcs1_check_1`
+ - `pkcs1_check_2`
+ - `single_dh_use`
+ - `single_ecdh_use`
+ - `ssleay_080_client_dh_bug`
+ - `sslref2_reuse_cert_type_bug`
+ - `tls_block_padding_bug`
+ - `tls_d5_bug`
+ - `tls_rollback_bug`
+
+### context.setmode ###
+
+    success = context.setmode(ctxt, mode)
+
+Set the mode for this context.
+
+Mode can be one of:
+
+ - `client`
+ - `server`
+
+Methods
+-------
+
+### ctxt:setverifyext ###
+
+    success, error = ctxt:setverifyext(flags...)
+
+Set which extra verification steps to use.
+
+The following flags are valid:
+
+ - `lsec_continue`: Continue with verification errors
+ - `lsec_ignore_purpose`: Ignore this certificate's purpose (like server/client)
+ - `crl_check`: Check Certification Revocation Lists
+ - `crl_check_chain`: Check CRLs for the entire chain

doc/core.md

@@ -0,0 +1,44 @@
+Functions
+---------
+
+### core.compression ###
+
+    compression = core.compression(conn)
+
+Returns the compression method used in a particular `conn` object. Can fail,
+in which case it returns nil, followed by an error message.
+
+### core.create ###
+
+    conn = core.create(context)
+
+Creates a new core connection object from a context. Use of `ssl.wrap` is
+encouraged.
+
+### core.info ###
+
+    buffer, numbits, processedbits, version = core.info(conn)
+
+Returns the information associated with a `conn` object.
+
+### core.setfd ###
+
+    core.setfd(conn, fd)
+
+Set the `conn` object to use the given file descriptor. Usually done by
+`ssl.wrap`.
+
+### core.setmethod ###
+
+    core.setmethod(name, value)
+
+Set the the name and value as method/member on `conn` objects. Similar to the
+following snippet:
+
+    debug.getmetatable(conn).__index[name] = value
+
+### core.copyright ###
+
+    copyright = core.copyright()
+
+Return copyright information for luasec.

doc/https.md

@@ -0,0 +1,14 @@
+Functions
+---------
+
+### https.request ###
+
+    res, code, headers, status = https.request(url, [body])
+
+See the luasocket documentation for `http.request`. In the url table, apart
+from the usual luasocket flags, luasec flags can be specified. Note that
+`proxy` and `redirect` are not supported.
+
+**WARNING**: Peer verification is off by default. It is highly recommended to
+specify either a `capath` or a `cafile` in the flags, and turn peer
+verification on.