wahern / luaossl Goto Github PK

When used in a C program that also uses OpenSSL (or another library that uses OpenSSL), re-initializing OpenSSL like initall() does will cause issues.

There should be a way to tell the library that OpenSSL is already initialized before calling any luaopen_ function.

The luaossl CRL module doesn't expose any way to check if a given cert/serial is in it.

Use case:

When using cqueues's :starttls, I want a way to check against the listed CRL.
I'm not sure how this would look; my first guess is the flow would be something like:

• Do SSL negotation via :starttls
• Once complete get the SSL object via :checktls
• Get the x509 cert via ssl:getPeerCertificate() (perhaps need to do following steps for the whole chain?)
• Get CRL URL from the certificate (work needed here. related to #12?)
• Fetch CRL (this step would be outside of luaossl)
• Create luaossl CRL object
• Check if x509 cert is on the CRL (function needed here)

Example code:

local w = require "cqueues.socket".connect("wikipedia.org", "443")
assert(w:starttls())
local ssl = w:checktls()
local cert = ssl:getPeerCertificate()
local crl_ext = cert:getExtension("2.5.29.31") -- or crlDistributionPoints
local crl_url = decode_crl_extension(crl_ext:getData()) -- need this function!
local crl do
    local request = require "http.request"
    local r = assert(request.new_from_uri(crl_url))
    local h, s = assert(r:go())
    local b = assert(s:get_body_as_string())
    crl = require "openssl.x509.crl".new(b, "DER")
end
local is_revoked = crl:contains(cert:getSerial()) -- need this function!

I'd like to block sha1-signed certificates. To do so requires finding out the signature algorithm. Preliminary research suggests the code would be: OBJ_nid2sn(X509_get_signature_nid(cert))

This will allow serving different certificates per host

• SSL_CTX_set_tlsext_servername_callback

From the callback, we need to be able to change the ssl object's parameters.
The easiest thing to have to call would be

• SSL_set_SSL_CTX
  This lets you swap out the current SSL_CTX for a different one.

Alternatively (or perhaps: in addition), most of the ssl context functions should be made available on ssl objects:

• setCertificate (SSL_use_certificate)
• setPrivateKey (SSL_use_PrivateKey)
• setEphemeralKey
• setVerify (SSL_set_verify)
• getVerify (SSL_get_verify_mode)

Current the bignum bitops are not bound
https://www.openssl.org/docs/crypto/BN_set_bit.html

Lua5.3 has bitwise operators+metamethods we can use.
For other luas, make them available as methods (might as well do with other operations too)

Hi,

This is the code that I am using: http://pastebin.com/VfMNztgw. The two files I'm decrypting can be found as shown below.

• The file that decrypts successfully: http://cryptopals.com/static/challenge-data/7.txt
• The file that gives bad decrypt exception: http://cryptopals.com/static/challenge-data/10.txt

The full error message is: evp_enc.c:539:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

As you can see in code, both are base64 encoded ciphers of the same length, 2880 bytes. The key difference between the two is that 7.txt (successful one) results in an ASCII string after decryption whereas 10.txt results in non-ASCII byte string after decryption. Also, I decrypted both the files using openssl command line tool. The decryption worked fine for both 7.txt and 10.txt.

Is there a parameter that I didn't set correctly?

Lua version: 5.3.1
OpenSSL version: 1.0.1f

• Way to read OCSP url from cert (related to #12)

To implement an OCSP validating client

• Way to call SSL_set_tlsext_status_type(mySSL, TLSEXT_STATUSTYPE_ocsp) on an SSL object before handshake is started
• Binding to SSL_get_tlsext_status_ocsp_resp

To implement OCSP stapling on a server:

• Binding to SSL_CTX_set_tlsext_status_cb
• Binding to SSL_set_tlsext_status_ocsp_resp

To implement an OCSP responder:

Functions for OCSP responders. OCSP_request_onereq_count(), OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() extract information from a certificate request. OCSP_response_create() creates a response and optionally adds a basic response structure. OCSP_basic_add1_status() adds a complete single response to a basic response and returns the OCSP_SINGLERESP structure just added (to allow extensions to be included for example). OCSP_basic_add1_cert() adds a certificate to a basic response and OCSP_basic_sign() signs a basic response with various flags.

Docs

• https://www.openssl.org/docs/manmaster/man3/SSL_set_tlsext_status_type.html

Hi,

When I try to do "luarocks install luaossl" the build is failing on a centos:7 Docker container.
Just started happening with the new release of luaossl.

There are four errors of the same type in openssl.c...
src/openssl.c:784:2: error: 'for' loop initial declarations are only allowed in C99 mode

For now I'm installing the previous version to get around the error with the new version...
luarocks install luaossl 20151221-1

Please bind X509_STORE_add_crl.
This will allow delaying #42 for a little longer.

If you give store:add(path) the path to a file without any CA certs in it then it throws oops: no OpenSSL errors set.

(e.g. if it's an empty file)

OpenSSL does not check the references member of X509_STORE objects when destroying them. Bumping the reference count when using SSL_CTX_set_cert_store will have no effect.

Solution: Ruby's SSL bindings install a user-data handler on the SSL_CTX object, which will conditionally set to NULL the store member so that it's not freed. This is hack works because of the [presumably unintentional] order of finalization--SSL_CTX external data free handler is called before destroying the store member. But it seems to work for them.

The solution depends on the Issue #15 exdata branch, which implements a framework for initializing and using the external data API.

Should also make the issue known to upstream OpenSSL and libressl.

TLS False Start allows for less round trips to start an SSL connection
http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_FALSE_START
It's supported by all major browsers as long as ALPN is used.

On some openssl forks it is enabled by the option SSL_MODE_HANDSHAKE_CUTTHROUGH. But this doesn't seem to exist in the main openssl repo. I'm not sure if there's another name for it.

Interesting link: https://www.imperialviolet.org/2012/04/11/falsestart.html

gcc -O2 -fPIC -DHAVE_SYS_SYSCTL_H=0 -I/usr/include/lua5.2 -I/usr/include -c src/openssl.c -o src/openssl.o -D_REENTRANT -D_THREAD_SAFE -D_GNU_SOURCE -DLUA_COMPAT_APIINTCASTS -I/usr/include -I/usr/include
src/openssl.c: In function 'randL_stir':
src/openssl.c:7008:16: error: 'CTL_KERN' undeclared (first use in this function)
  int mib[] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
                ^
src/openssl.c:7008:16: note: each undeclared identifier is reported only once for each function it appears in
src/openssl.c:7008:26: error: 'KERN_RANDOM' undeclared (first use in this function)
  int mib[] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
                          ^
src/openssl.c:7008:39: error: 'RANDOM_UUID' undeclared (first use in this function)
  int mib[] = { CTL_KERN, KERN_RANDOM, RANDOM_UUID };
                                       ^
src/openssl.c:7018:12: warning: implicit declaration of function 'sysctl' [-Wimplicit-function-declaration]
   if (0 != sysctl(mib, countof(mib), data, &n, (void *)0, 0))
            ^

sysctl() is deprecated and not supported in musl.

18:45 <~daurnimator> LadyAlissa: file a bug against luaossl. reference the fact that sysctl is deprecated.
18:45 <~daurnimator> (musl chooses not to have it)

From the Debian man 2 sysctl page:

DESCRIPTION
Do not use this system call! See NOTES.

NOTES
Glibc does not provide a wrapper for this system call; call it using syscall(2). Or rather... don't call it: use of this system call has long been discouraged, and it is so unloved
that it is likely to disappear in a future kernel version. Since Linux 2.6.24, uses of this system call result in warnings in the kernel log. Remove it from your programs now; use
the /proc/sys interface instead.
This system call is available only if the kernel was configured with the CONFIG_SYSCTL_SYSCALL option.

Could you please extend your makefile to support LuaJIT?

There should be a way to extract private key parameters.

(I need to convert one to "JWK" format)

print(require"openssl.pkey".new():toPEM("private", "public"))
prints the private key twice then the public key.

Looks like only the public key codepath has a BIO_reset call on it.

bn_sqr passes a NULL pointer as the second operand index to bn_prepops, but bn_prepops expects non-NULL.

Found with clang static analyzer.

$ lua -e 'ssl = require "openssl"'
lua: error loading module '_openssl' from file '/usr/local/lib/lua/5.2/_openssl.so':
    dlopen(/usr/local/lib/lua/5.2/_openssl.so, 6): Symbol not found: _DTLS_client_method
  Referenced from: /usr/local/lib/lua/5.2/_openssl.so
  Expected in: flat namespace
 in /usr/local/lib/lua/5.2/_openssl.so
stack traceback:
    [C]: in ?
    [C]: in function 'require'
    /usr/local/share/lua/5.2/openssl.lua:1: in main chunk
    [C]: in function 'require'
    (command line):1: in main chunk
    [C]: in ?

I'm using the latest version (20151221-0) compiled from luarocks for lua 5.2.4_3 on OS X 10.11.1.

Hi,

Would it be possible to tag a new release? Release tags makes it much easier when making distro packages.

I am interested in the DER support.

Thanks!

Not sure whether to file this under cqueues or here....

Does cqueues transparently support SSL session resumption? Either with or without tickets. I assume not... If I'm wrong on this, do you have an example somewhere?

For normal session resumption, it means binding these functions: https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_get_cb.html

For tickets; this means adding support for SSL_CTX_set_tlsext_ticket_key_cb that somehow works across threads (see https://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html )

I was playing with using OCSP validation, but found that I had no way to read the OCSP url outside of cert:text()

Please add support for reading x509v3 extensions.

It's required by some specs/protocols, e.g. from http2:

A deployment of HTTP/2 over TLS 1.2 MUST disable renegotiation. An endpoint MUST treat a TLS renegotiation as a connection error (Section 5.4.1) of type PROTOCOL_ERROR. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.

http://25thandclement.com/~william/projects/luaossl.html says "Lua OpenSSL" (in title)
The require string prefix is "openssl"
The repository name is "luaossl".

We need to be more consistent. I recommend using "luaossl" exclusively. This prevents any confusion with https://github.com/zhaozg/lua-openssl (which also uses the "openssl" require prefix; among others)

I was reminded by http://hisham.hm/2015/04/18/a-small-practical-example-where-luas-behavior-is-better-than-cs/ that lua has slightly different behavior for modulo (%) than C.
luaossl's __mod uses BN_mod directly, which has also has the undesirable behaviour:

$ lua -e 'for i = -50, 100 do print(i, require"openssl.bignum".new(i)%30, i%30) end'
-50 -20 10
-49 -19 11
-48 -18 12
-47 -17 13
-46 -16 14
-45 -15 15
-44 -14 16
-43 -13 17
-42 -12 18
-41 -11 19
-40 -10 20
-39 -9  21
-38 -8  22
-37 -7  23
-36 -6  24
-35 -5  25
-34 -4  26
-33 -3  27
-32 -2  28
-31 -1  29
-30 0   0
-29 -29 1
-28 -28 2
-27 -27 3
-26 -26 4
-25 -25 5
-24 -24 6
-23 -23 7
-22 -22 8
-21 -21 9
-20 -20 10
-19 -19 11
-18 -18 12
-17 -17 13
-16 -16 14
-15 -15 15
-14 -14 16
-13 -13 17
-12 -12 18
-11 -11 19
-10 -10 20
-9  -9  21
-8  -8  22
-7  -7  23
-6  -6  24
-5  -5  25
-4  -4  26
-3  -3  27
-2  -2  28
-1  -1  29
0   0   0
1   1   1
2   2   2
3   3   3
4   4   4
5   5   5
6   6   6
7   7   7
8   8   8
9   9   9
10  10  10
11  11  11
12  12  12
13  13  13
14  14  14
15  15  15
16  16  16
17  17  17
18  18  18
19  19  19
20  20  20
21  21  21
22  22  22
23  23  23
24  24  24
25  25  25
26  26  26
27  27  27
28  28  28
29  29  29
30  0   0
31  1   1
32  2   2
33  3   3
34  4   4
35  5   5
36  6   6
37  7   7
38  8   8
39  9   9
40  10  10
41  11  11
42  12  12
43  13  13
44  14  14
45  15  15
46  16  16
47  17  17
48  18  18
49  19  19
50  20  20
51  21  21
52  22  22
53  23  23
54  24  24
55  25  25
56  26  26
57  27  27
58  28  28
59  29  29
60  0   0
61  1   1
62  2   2
63  3   3
64  4   4
65  5   5
66  6   6
67  7   7
68  8   8
69  9   9
70  10  10
71  11  11
72  12  12
73  13  13
74  14  14
75  15  15
76  16  16
77  17  17
78  18  18
79  19  19
80  20  20
81  21  21
82  22  22
83  23  23
84  24  24
85  25  25
86  26  26
87  27  27
88  28  28
89  29  29
90  0   0
91  1   1
92  2   2
93  3   3
94  4   4
95  5   5
96  6   6
97  7   7
98  8   8
99  9   9
100 10  10

To be hooked in via SSL_CTX_get0_param and SSL_CTX_set1_param

X509_VERIFY_PARAM was added in OpenSSL 0.9.8 (released 5 Jul 2005)

At the moment, the makefile creates a symlink for openssl.pubkey to openssl.pkey.
For various reasons, this is difficult to deal with in build systems, in addition to not being obvious from the source.
Please consider having a stub file instead, openssl.pubkey.lua:

return require "openssl.pkey"

In multiple cases I've tried to chase down apparent bugs, only to realize that the version of OpenSSL loaded at runtime was different than the module what was compiled against. For examle, a recent upgrade to an AIX system, caused the linker to preferentially load a 1.0.1 release of OpenSSL, even though the system OpenSSL headers were 0.9.8.

Need to figure out how to query the loaded OpenSSL version so that, at a minimum, regression tests can warn on library and header mismatches.

e.g. in xs_verify:

		lua_pushstring(L, X509_verify_cert_error_string(why));
		nr = 2;

		break;
	default:
		goto eossl;
	}

	X509_STORE_CTX_free(ctx);

If the lua_pushstring longjmp'd out due to low memory then the ctx is never freed

Would be nice if ctx:setCipherList took an array of strings or a vararg

extensions currently do not have a __tostring metamethod.
Add one that uses X509V3_EXT_print.

These 2 context option descriptions are around the wrong way:

OP_NO TLSv1_2 Do not use the TLSv1.1 protocol.
OP_NO_TLSv1_1 Do not use the TLSv1.2 protocol.

In openssl 1.1.0 the behaviour when the alpn callback returns SSL_TLSEXT_ERR_NOACK was changed to send an error to the peer.

To get the old behaviour back we should coerce nil in an ALPN callback to something else.

Related link: openssl/openssl#891

ctx:setStore is not in the docs

I had a go at this tonight on a branch over here: https://github.com/daurnimator/luaossl/tree/windows-support.

With 568a076 if you comment out the lines in _openssl.c that use inet_pton and inet_ntop then I could cross compile with:

x86_64-w64-mingw32-gcc -O2 -fPIC -Wall -Wextra -Wno-missing-field-initializers -c src/openssl.c -o src/openssl.o -D_REENTRANT -D_THREAD_SAFE -DLUA_COMPAT_APIINTCASTS -D_WIN32_WINNT=0x0600
x86_64-w64-mingw32-gcc -shared -o _openssl.dll src/openssl.o -lssl -lcrypto -lpthread -lm -llua

The resulting dll seems to work, and the basic examples work (only tested in wine though).

The sign bit is not included in the returned binary string from bignum:tobin(), which may cause it to be given the wrong sign when something else attempts to parse it unless you manually prepend a NUL or \128 byte, or otherwise preserve this bit somewhere.

local bignum = require "openssl.bignum";
local n = bignum.new(123);
assert(n:tobin() ~= (-n):tobin(), "The sign bit was lost");

The result of BN_bn2dec (currently used in bn__tostring) should be freed with OPENSSL_free.

luaossl also FTBFS with OpenSSL 1.1.0, from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835786

OpenSSL 1.1.0 is about to released. During a rebuild of all
packages using OpenSSL this package fail to build. A log of that
build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-08-26/failed/lua-openssl_20151221-2_amd64-2016-08-26T19%3A13%3A40Z

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see
various of the reasons why it might fail. There are also updated
man pages at https://www.openssl.org/docs/manmaster/ that should
contain useful information.

From quick glance to the build log this will require more work due to "opaqueness" of the data structures.

Need to bind at least one of the following options:

• SSL_CTX_set_default_verify_paths (which is the same as SSL_CTX_set_default_verify_file + SSL_CTX_set_default_verify_dir)
• X509_STORE_set_default_paths
• X509_get_default_cert_file and X509_get_default_cert_dir

I'd like to be able create new OIDs, as well as read/write the X509v3
extensions defined by those OIDs. I think this would need exposing X509v3_add_ext, X509v3_get_ext_by_NID, X509v3_delete_ext, X509v3_get_ext amongst the OID creation functions.

This would allow loading a serialized JWK structure back into a usable form.

https://tools.ietf.org/html/rfc7301
Support added in OpenSSL 1.0.2: https://www.openssl.org/news/openssl-1.0.2-notes.html

I noticed you guys are missing a public encrypt and private decrypt option in luaossl for pkeys. Am I missing something or does it need to be added?

It would be nice to be able to load a bignum from the binary representation given by :tobin().

static void randL_checkpid(struct randL_state *st) {
    if (st->pid != getpid())
        (void)randL_stir(st, 16);
} /* randL_checkpid() */

^^ This code is currently used to ensure that a forked process will generate different random numbers.

A determined attacker could use pid overflow/wrapping to get the same random number generated more than once.

Related links:

• https://wiki.openssl.org/index.php/Random_fork-safety
• https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
• https://news.ycombinator.com/item?id=8034273 (linked from above)

SSL_get_verify_result is required to find out why a TLS negotiation failed.

Unlike what the man page suggests, you don't need to have called SSL_get_peer_certificate for this to work.

For example, adding multiple names into a subjectAltName extension would be very useful.

From c6a00de#commitcomment-10810431

I need to either make it optional at runtime to pin the module, or implement
dladdr on AIX. Actually, both should happen eventually.

lua: error loading module '_openssl.hmac' from file '/usr/lib/lua/5.3/_openssl.so':
    /usr/lib/lua/5.3/_openssl.so: undefined symbol: lua_pushunsigned
stack traceback:
    [C]: in ?
    [C]: in function 'require'
    /usr/share/lua/5.3/openssl/hmac.lua:1: in main chunk
    [C]: in function 'require'
    (command line):1: in main chunk
    [C]: in ?

Usage is here:

Use lua_pushinteger instead. (lua_pushunsigned was just that with a cast anyway)

Additionally, I noticed auxL_pushunsigned is declared as NOTUSED, yet it is in ossl_version

Rather than hard-coding a default of SHA-1 as the digest algorithm, use the new EVP_PKEY_get_default_digest_nid API. Or better, just use xc_signature like all the other routines.

SHA-1 is no longer the default digest for OpenSSL 1.0 and OpenSSL 1.1, but instead SHA-256. For EC and DSA keys even the string names have changed across versions. And "SHA-1" or "SHA-anything" is invalid for DSA keys with all versions (IIRC) and for EC keys with 0.9.8. Basically, it's not possible to hardcode anything that will work for all the different key types on all the different versions.

Hi,

When running this code http://pastebin.com/M0wSFBsM I see a segmentation fault. As the code shows, decryption key is not being set as aes:decrypt() method is not invoked at all. Setting the key by calling aes:decrypt() resolves the issue. The cipher file 7.txt can be found here http://cryptopals.com/static/challenge-data/7.txt although its particular contents are not relevant to the problem.

It seems to be coming from the C lib that luaossl ultimately calls into. Let me know if you need any help in replicating it as I can do it on my side.

Lua version: 5.3.1
OpenSSL version: 1.0.1f