lunarmodules / luasec Goto Github PK

View Code? Open in Web Editor NEW

357.0 357.0 132.0 932 KB

LuaSec

License: Other

Makefile 2.08% C 87.09% Lua 10.83%

luasec's People

Stargazers

Watchers

Forkers

tst2005 adamac user-none mwild1 iridium77 daurnimator tomasguisasola xnyhps tfar yanjunh plugwisebv pjsr zash krestenkrab xinmingyao chingliu nagyist dialpad kyary asavartsov petr-kk armatys tieske rheastrike comcast-jonm lluixhi enginix dlanan2k ignacio kernelsauce j-shep olesalscheider bartbes fhaoquan danielga hishamhm landy-zhou bluetardis ncisoft mpeterv mengz0 sue602 doyke coronalabs hujinyong vkorehov kekstee thuvh qrsrjm yongke linuxmaniac whiteland92 chenxinxinfosun greatwolf bigjoe01 r-nikhil mhooper gencer antirek limadm depay gtrabal alexander-nesterov tacigar ewestbrook sonoro1234 4aiman clementfumey warlock90000 beamng aicoliu telemaquehq narcistesa shb3618 sabrinaayu qtiuto jvanderzande the-real-molloy quickdudley getcujo gaoxingwang gexiangying unrealwork treahard mynxnightshade happiykj andrewvmail hotarublaze nasrullo fedenunez martindahlberg cujoai flyarong huluxd luainkernel echocolate marcelomata manish364824 kong tomdaniels41

luasec's Issues

Proxy

I know that proxy is not supported in this version, but is there a possible workaround to use one?

LibreSSL compatibility

Hi, this compile error happens when compiling against libressl:

ssl.c: In function 'meth_compression':
ssl.c:404:3: error: unknown type name 'COMP_METHOD'
   const COMP_METHOD *comp;
   ^
<builtin>: recipe for target 'ssl.o' failed

Hi,
I am trying to build Luasec using Lua 5.2 files and I get errors regarding the ssl_st struct. I copied the latest openssl include folder in the Luasec source folder. I am using Visual Studio Express 2013. My output log is:

1>------ Rebuild All started: Project: luasec, Configuration: Release Win32 ------
1>  context.c
1>src\context.c(118): warning C4996: 'strncpy': This function or variable may be unsafe. Consider using strncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>          C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\include\string.h(195) : see declaration of 'strncpy'
1>src\context.c(197): warning C4013: 'DH_free' undefined; assuming extern returning int
1>  buffer.c
1>  io.c
1>  timeout.c
1>  wsocket.c
1>src\luasocket\wsocket.c(311): warning C4996: 'gethostbyaddr': Use getnameinfo() or GetNameInfoW() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings
1>          C:\Program Files (x86)\Windows Kits\8.1\Include\um\winsock2.h(2216) : see declaration of 'gethostbyaddr'
1>src\luasocket\wsocket.c(317): warning C4996: 'gethostbyname': Use getaddrinfo() or GetAddrInfoW() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings
1>          C:\Program Files (x86)\Windows Kits\8.1\Include\um\winsock2.h(2238) : see declaration of 'gethostbyname'
1>  ssl.c
1>src\ssl.c(453): error C2037: left of 'server' specifies undefined struct/union 'ssl_st'
1>src\ssl.c(485): error C2037: left of 'server' specifies undefined struct/union 'ssl_st'
1>  x509.c
1>src\x509.c(215): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
1>src\x509.c(215): warning C4047: 'function' : 'ASN1_OBJECT *' differs in levels of indirection from 'int'
1>src\x509.c(215): warning C4024: 'push_asn1_objname' : different types for formal and actual parameter 2
1>src\x509.c(215): error C2198: 'push_asn1_objname' : too few arguments for call
1>src\x509.c(219): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
1>src\x509.c(219): error C2198: 'push_asn1_objname' : too few arguments for call
1>  Generating Code...
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========

Server hangs / never receives on client requests

Most, or all, of the samples in the repo seems to be based on that the server sends something to the client first on connection.

In my case, I initiate a server, and wait for the client to send a request. However, the server seems to hang on peer:receive(), until I kill the client. On the other hand, if I send something from the server first, the client receives it.

My client code is written in C#, while my server code basically looks like this. Certs + handshake etc works just fine, until peer:receive() hangs.

local socket = require("socket")
local ssl    = require("ssl")

local params = {
   mode = "server",
   protocol = "tlsv1_2",
   key = "C:\\ .... \\serverkey.pem",
   certificate  = "C:\\ .... \\server.pem",
   cafile = "C:\\ .... \\root.pem",
   verify = {"peer", "fail_if_no_peer_cert"},
   options = "all",
}

local server = socket.tcp()
local ctx = assert(ssl.newcontext(params))
server:setoption('reuseaddr', true)
assert( server:bind("10.20.2.92", 2000) )
server:listen()

local peer = server:accept()
peer = assert( ssl.wrap(peer, ctx) )
peer:dohandshake()
data = peer:receive()
print("receieved: " .. data)
peer:send("Pong!\n")
peer:close()

Broken link on luarocks.org

On https://luarocks.org/modules/brunoos/luasec there's homepage http://luasec.luaforge.net/ which goes to 404.

Luasec failed to install on debian stretch.

Following the INSTALL instruction & successfully install the OpenSSL 1.0.2f version as mentioned.
I come across the following error.

user@ux31a:/usr/src/luasec-master# luarocks install luasec OPENSSL_DIR=/usr/local/ssl
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/x509.c -o src/x509.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/context.c -o src/context.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/ssl.c -o src/ssl.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/buffer.c -o src/luasocket/buffer.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/io.c -o src/luasocket/io.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/timeout.c -o src/luasocket/timeout.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/usocket.c -o src/luasocket/usocket.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -shared -o ssl.so -L/usr/local/lib src/x509.o src/context.o src/ssl.o src/luasocket/buffer.o src/luasocket/io.o src/luasocket/timeout.o src/luasocket/usocket.o -L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib: -lssl -lcrypto
/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s3_srvr.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status

Error: Build error: Failed compiling module ssl.so

I've been searching for the solution but so far haven't come across with working solution yet.

Remain (partially) ABI Compatible

The changes to t_context will break other projects that try and interoperate with luasec.

E.g. https://github.com/chatid/fend/blob/master/ssl.lua#L10

If the ABI must change, ensure there is some (dlsym-able) way to check which version you're interoperating with.

proper socket invalidation

See line https://github.com/brunoos/luasec/blob/master/src/ssl.lua#L123

it sets the value to -1 which is proper for unix (but still a magical value), but not for Windows. I don't know where (if any) else it is used, but I think the proper way is to expose the constant to Lua, and set that value.

Same as (unreleased) LuaSocket does https://github.com/diegonehab/luasocket/blob/be67f63f4e11e53690bf1431a236f86b484c9bf0/src/select.c#L44-L46

luasec should export it's feature-set to the user

By now, there are some features of luasec which depend on build options rather than on the luasec version and are thus hard to detect for the user. However, luasec throws hard errors and cannot tell the user exactly why an operation failed.

Prosody for example is forced by this to either not use ECDH by default or have no SSL on platforms without ECDH (RedHat and derivates).

Conclusively, one should think about a way to export luasecs feature set to the user.

Problem with https.request

Hi,
I am having trouble with the following piece of code:

local https = require("ssl.https")
https.request("https://de.wiktionary.org/wiki/%26")

luajit test.lua
PANIC: unprotected error in call to Lua API (?)

Some info:

luasec
   0.5-2 (installed) - /usr/local/lib/luarocks/rocks-5.1

luajit -v
LuaJIT 2.0.4 -- Copyright (C) 2005-2015 Mike Pall. http://luajit.org/

openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015

uname -a
FreeBSD x230 10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #0: Tue Feb 24 19:00:21 UTC 2015     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

Is 0.6 compatible with LuaJIT 2.0.4?

Lua 5.2 and 5.3 compatibility

LuaJIT is compatible with Lua 5.1, so does LuaSec works on LuaJIT?

Cannot install through Luarocks on Debian Jessie

I've installed Lua 5.3 and Luarocks from source, and luasocket worked nicely. However, trying to install luasec doesn't work

Warning: falling back to curl - install luasec to get native HTTPS support
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Checking connectivity... done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

gcc -O2 -fPIC -I/usr/local/include -c src/x509.c -o src/x509.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/context.c -o src/context.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/ssl.c -o src/ssl.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/buffer.c -o src/luasocket/buffer.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/io.c -o src/luasocket/io.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/timeout.c -o src/luasocket/timeout.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/usocket.c -o src/luasocket/usocket.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -shared -o ssl.so -L/usr/local/lib src/x509.o src/context.o src/ssl.o src/luasocket/buffer.o src/luasocket/io.o src/luasocket/timeout.o src/luasocket/usocket.o -L/usr/lib -Wl,-rpath,/usr/lib: -lssl -lcrypto
/usr/bin/ld: /usr/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status

Error: Build error: Failed compiling module ssl.so

Installing from the github repository does not work either:

---------------------
** Build for Linux **
---------------------
make[1]: Entering directory '/home/candunc/luasec/src'
make[2]: Entering directory '/home/candunc/luasec/src'
make[3]: Entering directory '/home/candunc/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o io.o io.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o buffer.o buffer.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o timeout.o timeout.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o usocket.o usocket.c
ar rcu libluasocket.a io.o buffer.o timeout.o usocket.o
ranlib libluasocket.a
make[3]: Leaving directory '/home/candunc/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET   -c -o x509.o x509.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET   -c -o context.o context.c
context.c: In function 'str2method':
context.c:96:60: warning: C++ style comments are not allowed in ISO C90
   if (!strcmp(method, "sslv23"))  return SSLv23_method();  // deprecated
                                                            ^
context.c:96:60: warning: (this will be reported only once per input file)
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET   -c -o ssl.o ssl.c
cc -O -fPIC -shared -L./luasocket -L/usr/lib -o ssl.so x509.o context.o ssl.o -lssl -lcrypto -lluasocket
/usr/bin/ld: /usr/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:52: recipe for target 'ssl.so' failed
make[2]: *** [ssl.so] Error 1
make[2]: Leaving directory '/home/candunc/luasec/src'
Makefile:40: recipe for target 'linux' failed
make[1]: *** [linux] Error 2
make[1]: Leaving directory '/home/candunc/luasec/src'
Makefile:38: recipe for target 'linux' failed
make: *** [linux] Error 2

Is there something I've configured wrong on my end, or is this a bug?

Error: Failed applying patch luarocks_vs_compiler.patch

I'm trying to use this with luarocks and I'm getting this error.

luarocks install luasec OPENSSL_DIR=C:\Build-OpenSSL-VC-32
Installing http://luarocks.org/repositories/rocks/luasec-0.6-1.rockspec...
Cloning into 'luasec'...
remote: Counting objects: 872, done.
remote: Total 872 (delta 0), reused 0 (delta 0), pack-reused 872
Receiving objects: 100% (872/872), 689.99 KiB | 0 bytes/s, done.
Resolving deltas: 100% (523/523), done.
Checking connectivity... done.
Applying patch luarocks_vs_compiler.patch...
source/target file does not exist
--- src/ssl.c.orig

+++ C:\Users\Username\AppData\Local\Temp\luarocks_luasec-0.6-1-6833\luasec/src/ssl.c


Error: Failed applying patch luarocks_vs_compiler.patch

I see that the .rockspec file has this in it but I'm not sure what the issue is, exactly.

         patches = {
            ["luarocks_vs_compiler.patch"] = [[
--- a/src/ssl.c.orig
+++ b/src/ssl.c
@@ -844,3 +844,8 @@ LSEC_API int luaopen_ssl_core(lua_State *L)

   return 1;
 }
+
+#if defined(_MSC_VER)
+/* Empty implementation to allow building with LuaRocks and MS compilers */
+LSEC_API int luaopen_ssl(lua_State *L) { return 0; }
+#endif
]]
         }

Any ideas?

compile error in x509.c (rockspec 0.6-1 and openssl 1.1.0e)

Compilation failed with two errors in src/x509.c:

In function 'meth_extensions':
src/x509.c:296:35: error: dereferencing pointer to incomplete type 'X509_EXTENSION {aka struct X509_extension_st}'
push_asn1_objname(L, extension->object, 1);
^~
src/x509.c: In function 'meth_pubkey':
src/x509.c:407:32: error: dereferencing pointer to incomplete type 'EVP_PKEY {aka struct evp_pkey_st}'
switch(EVP_PKEY_type(pkey->type)) {
^~

Error: Build error: Failed compiling object src/x509.o

I don't know for sure if that is strictly a luasec issue, or if the fault lies with the openssl includes that I use, but I'd be glad for help in any case...

Using luarocks-2.4.2-win32 and luasec-0.6-1 rockspeck. compiler is mingw-w64-i868-gcc (6.3.0-2) from msys2 (I edited luarocks/lua/luarocks/cfg.lua to remove the "mingw-" prefix so the compiler would be found).
both lua (5.3) and openssl (1.1.0e) were built from within msys-mingw32.

full output:

PS C:\luarocks> ./luarocks.bat install luasec OPENSSL_DIR=C:\openssl32

C:\luarocks>SET "PATH=C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Windows\system32;C:\Windows
;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\In
tel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Compo
nents\IPT;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\GnuPG\pub;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\S
ystem32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Skype\Phone\;C:\Program Fi
les\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Users\lordhelmchen\AppData\Local\Microsoft\WindowsApps;C:\Program Files\cmdline-tools;C:\lu
a32\bin;C:\msys64\mingw32\bin;C:\msys64\usr\bin"
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
Receiving objects:  81% (94/116)   remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

Applying patch luarocks_vs_compiler.patch...
successfully patched C:\Users\LORDHE~1\AppData\Local\Temp/luarocks_luasec-0.6-1-4001/luasec/src/ssl.c
gcc -O2 -c -o src/x509.o -IC:/lua32/include src/x509.c -DWIN32 -DNDEBUG -D_WINDOWS -D_USRDLL -DLSEC_EXPORTS -DBUFFER_DEBUG -DLSEC_API=__declspec(dllexport) -DLUASEC_I
NET_NTOP -DWINVER=0x0501 -D_WIN32_WINNT=0x0501 -DNTDDI_VERSION=0x05010300 -IC:\openssl32/include -Isrc/ -Isrc/luasocket
src/x509.c: In function 'push_asn1_string':
src/x509.c:149:5: warning: 'ASN1_STRING_data' is deprecated [-Wdeprecated-declarations]
     lua_pushlstring(L, (char*)ASN1_STRING_data(string),
     ^~~~~~~~~~~~~~~
In file included from C:\openssl32/include/openssl/bn.h:31:0,
                 from C:\openssl32/include/openssl/asn1.h:24,
                 from C:\openssl32/include/openssl/objects.h:916,
                 from C:\openssl32/include/openssl/evp.h:27,
                 from C:\openssl32/include/openssl/x509.h:23,
                 from C:\openssl32/include/openssl/ssl.h:50,
                 from src/x509.c:22:
C:\openssl32/include/openssl/asn1.h:553:35: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
                                   ^
C:\openssl32/include/openssl/opensslconf.h:105:35: note: in definition of macro 'DECLARE_DEPRECATED'
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
C:\openssl32/include/openssl/asn1.h:553:1: note: in expansion of macro 'DEPRECATEDIN_1_1_0'
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
src/x509.c: In function 'push_asn1_ip':
src/x509.c:185:3: warning: 'ASN1_STRING_data' is deprecated [-Wdeprecated-declarations]
   unsigned char *ip = ASN1_STRING_data(string);
   ^~~~~~~~
In file included from C:\openssl32/include/openssl/bn.h:31:0,
                 from C:\openssl32/include/openssl/asn1.h:24,
                 from C:\openssl32/include/openssl/objects.h:916,
                 from C:\openssl32/include/openssl/evp.h:27,
                 from C:\openssl32/include/openssl/x509.h:23,
                 from C:\openssl32/include/openssl/ssl.h:50,
                 from src/x509.c:22:
C:\openssl32/include/openssl/asn1.h:553:35: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
                                   ^
C:\openssl32/include/openssl/opensslconf.h:105:35: note: in definition of macro 'DECLARE_DEPRECATED'
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
C:\openssl32/include/openssl/asn1.h:553:1: note: in expansion of macro 'DEPRECATEDIN_1_1_0'
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
src/x509.c: In function 'meth_extensions':
src/x509.c:296:35: error: dereferencing pointer to incomplete type 'X509_EXTENSION {aka struct X509_extension_st}'
     push_asn1_objname(L, extension->object, 1);
                                   ^~
src/x509.c: In function 'meth_pubkey':
src/x509.c:407:32: error: dereferencing pointer to incomplete type 'EVP_PKEY {aka struct evp_pkey_st}'
       switch(EVP_PKEY_type(pkey->type)) {
                                ^~

Error: Build error: Failed compiling object src/x509.o
PS C:\luarocks>

http redirects are silently allowed

See these lines; https://github.com/brunoos/luasec/blob/1ab6fac9197b194ea94166dff7ad81579f6113ed/src/https.lua#L122-L123

LuaSocket http module blocks redirects only if url.redirect is explicitly set to false. Hence the test here, allows nil to pass and makes LuaSocket execute the redirect.

SNI not working

It seems like the client is not supporting SNI during the handshake when making a request to an https endpoint. I am using the following code:

local https = require "ssl.https"

https.request{
  url = "https://server:443/",
  mode = "client",
  protocol = "tlsv1",
  options = "all"
}

Is SNI supported?

Windows build broken

#21 broke the Windows build by using unix only code.

Add support for new curve selection API in OpenSSL

Currently LuaSec only allows you to select a single curve for ECDH, due to the limitations of the OpenSSL API.

OpenSSL 1.0.2 (released 22 Jan 2015) added a bunch of new functions for managing what curves are used: https://www.openssl.org/docs/ssl/SSL_CTX_set1_curves.html

At a minimum we should call SSL_CTX_set_ecdh_auto().

0.5 tarball has non-standard layout

Hey there.

I'm trying to package the 0.5 release here. If I extract that, I get a folder called luasec-luasec-0.5 while I would expect luasec-0.5 (no repetition), just like with 0.4.

Was that an intentional change? Will you keep that naming convention? In that case I'd work around it, but it would be nicer if the 0.4 (and arguably: standard) layout would just work.

Error loading module ssl.core

I compiled luasec 0.6alpha-2 with openssl 1.0.2f using luarocks and compilation was succesfull.
I tried also 1.0.1r and 1.0.1e with no luck.

After requiring it using
local https = require('ssl.https')
I'm getting error

lua: error loading module 'ssl.core' from file 'c:\work\apps\lua\bin\..\lib\lua\5.3\ssl.dll':
    The specified module could not be found.


stack traceback:
    [C]: in ?
    [C]: in function 'require'
    c:\work\apps\lua\bin\..\share\lua\5.3\ssl.lua:7: in main chunk
    [C]: in function 'require'
    c:\work\apps\lua\bin\..\share\lua\5.3\ssl\https.lua:10: in main chunk
    [C]: in function 'require'
    C:\work\lua\test.lua:4: in main chunk
    [C]: in ?
[Finished in 0.1s]

OS win10
mingw32
cmake 3.4.3
lua 5.3.2
luarocks 2.3.0

ssl.dll looks pretty small ... 107kb

Please could you help me?

Support OpenSSL 1.1.X

I try build LuaSec 0.6 (using LuaRocks) and got

c:/luarocks/x64/external/include\openssl/lhash.h(198): warning C4090: 'function': different 'const' qualifiers
src/x509.c(296): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
src/x509.c(296): warning C4047: 'function': 'ASN1_OBJECT *' differs in levels of indirection from 'int'
src/x509.c(296): warning C4024: 'push_asn1_objname': different types for formal and actual parameter 2
src/x509.c(296): error C2198: 'push_asn1_objname': too few arguments for call
src/x509.c(300): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
src/x509.c(300): error C2198: 'push_asn1_objname': too few arguments for call
src/x509.c(407): error C2037: left of 'type' specifies undefined struct/union 'evp_pkey_st'
src/x509.c(407): error C2198: 'EVP_PKEY_type': too few arguments for call

Seems openssl removes defenition of X509_extension_st and leave only declaration in public API.

dohandshake() result values

the documentation states that dohandshake() can return nil followed by "wantread" or "wantwrite" to indicate that the handshake was not finished yet.
The source code reveals that it will return false in these cases. It will never return nil.

openssl not thread safe without special effort

Per https://www.openssl.org/docs/manmaster/crypto/threads.html openssl isn't thread safe by default, but it can be made to be. Can reentrancy safety be added? see also maybe http://stackoverflow.com/questions/3919420/tutorial-on-using-openssl-with-pthreads and/or wahern/luaossl@331bc57

Issuing HTTPS request with POST method

I can't seem to figure out how to issue an POST request with the HTTPS library. Would be nice to have this documented somewhere.

Invalid core.invalidfd in Win64

core.invalidfd is implemented as lua number
It works in linux32/64 where SOCKET_INVALID (-1)
but in windows SOCKET_INVALID = (SOCKET)(~0)
win32 it is 0xFFFFFFFF
but in win64 is not possible to set 0xFFFFFFFFFFFFFFFF into lua number

I temporairy disable line sock:setfd(core.invalidfd) in ssl.lua and https in win64 works for me.

Has anyone got this to work with Lua 5.2

I tried installing a rockspec via https and luarocks complained that I should install Luasec to get this supported.

From what I see in this repo, there isn't any activity to indicate Lua 5.2 compatibility, so this is why I am asking.

Support for Server Name Indication (SNI)

This allows a server to present the correct certificate depending on what hostname the client is connecting to, without requiring separate IPs or ports.

OCSP Stapling

Please implement OCSP Stapling.
This is especially useful to 1. reduce load of OCSP servers and 2. prevent privacy leaks of who is connecting to your host towards the OCSP server.

Unable to compile on centos 6.4

uname -a

Linux b2bc5f371fab 3.10-2-amd64 #1 SMP Debian 3.10.7-1 (2013-08-17) x86_64 x86_64 x86_64 GNU/Linux

gcc -v

Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)

lua -v

Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio

Build output:

---------------------
** Build for Linux **
---------------------
make[1]: Entering directory `/home/kitchen/luasec/src'
make[2]: Entering directory `/home/kitchen/luasec/src'
make[3]: Entering directory `/home/kitchen/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o io.o io.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o buffer.o buffer.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o timeout.o timeout.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG   -c -o usocket.o usocket.c
ar rcu libluasocket.a io.o buffer.o timeout.o usocket.o
ranlib libluasocket.a
make[3]: Leaving directory `/home/kitchen/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET   -c -o x509.o x509.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET   -c -o context.o context.c
context.c: In function ‘str2method’:
context.c:65: warning: return discards qualifiers from pointer target type
context.c:66: warning: return discards qualifiers from pointer target type
context.c:67: warning: return discards qualifiers from pointer target type
context.c: At top level:
context.c:255: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
make[2]: *** [context.o] Error 1
make[2]: Leaving directory `/home/kitchen/luasec/src'
make[1]: *** [linux] Error 2
make[1]: Leaving directory `/home/kitchen/luasec/src'
make: *** [linux] Error 2

Strange protocol issue

Hello,

I have strange problem using luasec for site https://www.sk-nic.sk

Site returns code:
"tlsv1 alert protocol version"

For other protocols returns:
"invalid protocol"

Correct reply code should be 301 (there is a redirect)

Lua code is here:
https://gist.github.com/is73/d50fa12718812e0f0c76c991030b8583

Using by ex. Go, Tcl, PHP (even with simple file_get_contents() request) everything works fine.

Build Issues in VS 2015?

Hi, not a dev, but can poke.
I am having build issues - first wa build failure as /opensll/sll.h was missing along with ./lua.h and ./luaconf.h

Once i found these I got the project to start building but hit 91 errors and 25 warnings.

Should this build in VS 2015?

alex

Server with multiple certificates

OpenSSL makes it possible to add multiple different certificates for the sever to use. For example, a (EC)DSA and a RSA cert, where the selected cipher determines which certificate to use. With the SHA1 deprecation coming up, the recommended setup to maintain compatibility is a RSA cert signed using SHA1 and a ECDSA cert signed using SHA256.

LuaSec's API does not make it easy to add multiple certificates. Calling loadcert and loadkey manually after creating a new context is possible, but annoying.

I propose to make it possible to specify cert and key as lists when calling newcontext. They must be of equal length and added one by one.

Missing OpenSSL even when present

Hi Bruno,

I am running the kaixhin/torch image on Docker, and luarocks install for luasec keeps failing. I already have openssl installed.

LuaSec for x64?

I have managed to run Luasec under x86 (32-bit) but I could not build it to run under x64, SSL.dll is not found, could you please provide a build?

lua 5.3 out, it is compatible?

For information: http://www.lua.org/versions.html#5.3

wrong version number

Hi !
I want to download a file (here the google index) but it fails.

require("socket")
local https = require("ssl.https")
print(https.request("https://www.google.com"))
-- nil  wrong version number    nil nil

require("socket")
local https = require("ssl.https")
local one, code, headers, status = https.request({
  url = "https://www.google.com",
  protocol="sslv3",
  options="all",
  verify="none"})
print(one, code, headers, status)
-- nil  wrong version number    nil nil

This might be related to #34 and #38 ... If I'm not able to download a simple file, well it's bad.
What do I do ?

wantread/wantwrite

The wiki says (under dohandshake);

"wantread" indicates that the operation was not finished because a timeout in the underline TCP connection prevents it of sending data.

This is rather cryptic, but it says that "I'm sending data, and I want my counterpart to READ; wantread"

The example given does it exactly the other way around;

local succ, msg
conn:settimeout(0)
while not succ do
  succ, msg = conn:dohandshake()
  if msg == "wantread" then
    socket.select({conn}, nil)        --> select for reading!!
  elseif msg == "wantwrite" then
    socket.select(nil, {conn})        --> select for writing!!
  else
    -- other errors
  end
end

This is straightforward, it says "wait to become readable on wantread", and vice versa for write.

The logic from the wiki text, is giving me strange problems with async connections (applying the same logic to receive and send timeouts). So is this wrong? and should I follow the logic from the example?

undefined symbol '__guard_local'

# openssl version                                                                                                               
OpenSSL 1.0.1c 10 May 2012
# lua51
Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio
> require('ssl')
lua51:/usr/local/lib/lua/5.1/ssl.so: undefined symbol '__guard_local'
lua51:/usr/local/lib/lua/5.1/ssl.so: undefined symbol '__guard_local'
<snipped 30 repetitions of the previous line>
error loading module 'ssl.core' from file '/usr/local/lib/lua/5.1/ssl.so':
        Cannot load specified object
stack traceback:
        [C]: ?
        [C]: in function 'require'
        /usr/local/share/lua/5.1/ssl.lua:7: in main chunk
        [C]: in function 'require'
        stdin:1: in main chunk
        [C]: ?
>

I've been getting this error since updating openssl (after the heartbleed issue). The OpenSSL version is the same (AFAIK), but with that issue fixed.

OS is OpenBSD 5.5-current. I've no idea what other information might be useful, but I can provide whatever is necesary.

dhparam_cb not unset on destruction

I was reading through the code, and saw that the callback dhparam_cb is setup via SSL_CTX_set_tmp_dh_callback, but not torn down.
This means if the reference to the ssl context is collected while a DH negotiation is pending, there will be an illegal de-reference (segfault if we're lucky) in dhparam_cb. I don't think this can currently be reached within the confines of luasec, but if a SSL_CTX* or SSL* ever escaped then there would be a problem.
For safety, meth_destroy should unset the dh callback.

SSLv3 removed from Debian

As per version 1.0.2d-2, the SSLv3_* API has been disabled in Debian.
http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.2d-3_changelog
Can you help me choosing the right replacement?

LuaSec doesn't use SSL_CTX_set_default_verify_paths()

Why does LuaSec expect the explicit location of the SSL/TLS trusted certificate stores? Why doesn't it use SSL_CTX_set_default_verify_paths() to let OpenSSL handle it? See also https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ which provides some hints how this should be done, implemented and how fallbacks could work.

Support HTTP(S) redirect

As I see, redirect is not supported. It is possible you support it?

https://github.com/brunoos/luasec/blob/master/src/https.lua#L123

Thanks.

src/ssl.c:404:9: error: unknown type name 'COMP_METHOD'

The following holds for https://luarocks.org/modules/luarocks/luasec,
which is the most downloaded code, and is one year old.

src/ssl.c:404:9: error: unknown type name 'COMP_METHOD'; did you mean 'CONF_METHOD'?
const COMP_METHOD *comp;
^~~~~~~~~~~
CONF_METHOD
/opt/share/libressl/include/openssl/conf.h:86:31: note: 'CONF_METHOD' declared here
typedef struct conf_method_st CONF_METHOD;
^
1 error generated.

Error: Build error: Failed compiling object src/ssl.o

note:

search -cv COMP_METHOD /opt/share/libressl
/opt/share/libressl/include/openssl/comp.h:14:typedef struct comp_method_st {
/opt/share/libressl/include/openssl/comp.h:26:} COMP_METHOD;
/opt/share/libressl/include/openssl/comp.h:29: COMP_METHOD *meth;
/opt/share/libressl/include/openssl/comp.h:39:COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
/opt/share/libressl/include/openssl/comp.h:45:COMP_METHOD *COMP_rle(void );
/opt/share/libressl/include/openssl/comp.h:46:COMP_METHOD *COMP_zlib(void );

Rockspec support static OpenSSL on Windows

Just try build LuaSec with OpenSSL 1.0.2h and got:

   Creating library ssl.lib and object ssl.exp
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_DeregisterEventSource referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_RegisterEventSourceW referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_ReportEventW referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_GetProcessWindowStation referenced in function OPENSSL_isservice
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_GetUserObjectInformationW referenced in function OPENSSL_isservice
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_MessageBoxW referenced in function OPENSSL_showfatal
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_CreateCompatibleBitmap referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_DeleteObject referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDeviceCaps referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDIBits referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetObjectW referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDC referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_ReleaseDC referenced in function readscreen
ssl.dll : fatal error LNK1120: 13 unresolved externals

To resolve this deps need also ling against Advapi32.lib, User32.lib and Gdi32.lib

segfault on client:dohandshake() for http

client:dohandshake() works very well for https://call
but when I use http:// for my test.. my server is crashing with segfault on dohandshake() function.

Return message I get is false, wrong version number from this function.

How do I avoid this segfault for http:// request?

Thanks in advance.

tlsv1 alert internal error when trying to API query https://bittrex.com

Here's a short code snippet to reproduce the problem:

local req = require 'ssl.https'.request
local resp = {}
local url = 'https://bittrex.com/api/v1.1/public/getmarketsummaries'

print( req { method = "GET", url = url, sink = ltn12.sink.table (resp) } )
print( table.concat(resp) )

For me, this gives the output:

nil tlsv1 alert internal error nil nil

My setup

luajit 2.1.0
luasocket 3.0rc1
luasec 0.6-1
openssl 1.0.1g used when building luasec
mingw 4.9.1

It's important to mention that this problem started happening today. Before today, this use to work just fine which suggests that bittrex might have changed something with their ssl certificate or the cipher suite used. I posted about this problem over on /r/bitcoinmarkets

Another interesting observation, I tested the same get request on curl 7.23.1:

curl -v -k "https://bittrex.com/api/v1.1/public/getmarkethistory?market=BTC-XMR"

giving me this output:

* About to connect() to bittrex.com port 443 (#0)
*   Trying 104.18.56.9... connected
* SSLv3, TLS handshake, Client hello (1):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

However, if I perform the same operation on curl 7.51.0 that works! And of course, testing this in the chrome browser works fine.

Any ideas on what the tlsv1 error means and how to fix it? A search shows this same error message has happened on other languages too like python which likely suggests an error that's emanating from openssl or the way luasec is using openssl.

Crash in dhparam_cb ()

Possibly related to #73 (even running with that change applied). SEGFAULT in the middle of a dohandshake call.

Traceback from a core dump:

(gdb) bt 3 full
#0  0x08054d63 in luaS_newlstr (L=0x9984e88, str=0x372d38 "SSL:DH:Registry", 
    l=15) at lstring.c:82
        o = <optimized out>
        h = 4194570653
        step = <optimized out>
        l1 = <optimized out>
#1  0x0804c96c in lua_getfield (L=0x9984e88, idx=-10000, 
    k=0x372d38 "SSL:DH:Registry") at lapi.c:550
        i_o = 0xbfaf8574
        t = 0x8067288
        key = {value = {gc = 0x0, p = 0x0, n = 5.703924686114652e-311, b = 0}, 
          tt = 1955778}
#2  0x0036d9af in dhparam_cb () from /usr/local/lib/lua/5.1/ssl.so
No symbol table info available.
#3  0x00150fe0 in ssl3_send_server_key_exchange (s=0x99d3308) at s3_srvr.c:1615
#4  0x0015432b in ssl3_accept (s=0x99d3308) at s3_srvr.c:481
#5  0x00179f2a in SSL_accept (s=0x99d3308) at ssl_lib.c:938
#6  0x001630bd in ssl23_get_client_hello (s=0x99d3308) at s23_srvr.c:655
#7  0x001639c2 in ssl23_accept (s=0x99d3308) at s23_srvr.c:212
#8  0x0017945d in SSL_do_handshake (s=0x99d3308) at ssl_lib.c:2587
#9  0x00370ca0 in meth_handshake () from /usr/local/lib/lua/5.1/ssl.so

LuaSec was unfortunately built without debug symbols.

Please fix Lua 5.3 support

I can't find the rockspec in the repo, but all I did to get it to work was add a symbol definition for LUA_COMPAT_5_2. You could duplicate this in both the unix and windows table, or restructure the table so that the platforms overrides are outside the main module definitions.

New luasec release

Please make a new official luasec release in order to push it to distributions.
Thanks.

Is release 0.5 compatible with Lua 5.3?

Hi,

If not, could there be a Lua 5.3 release in the not too distant future? I've read that the trunk code seems to be compatible with Lua 5.3.

lunarmodules / luasec Goto Github PK

luasec's People

Stargazers

Watchers

Forkers

luasec's Issues

Recommend Projects

Recommend Topics

Recommend Org