shrdlu68 / cl-tls Goto Github PK
View Code? Open in Web Editor NEWAn implementation of TLS and related specifications in Common Lisp
License: BSD 3-Clause "New" or "Revised" License
cl-tls's People
Contributors
Stargazers
Watchers
cl-tls's Issues
Implement https://tools.ietf.org/html/rfc7366 in response to https://tools.ietf.org/html/rfc7457#section-2.4
This requires creating modified versions of the functions #'encrypt-and-send and #'ciphertext-to-compressed that handle mac-then-encrypt rather than encrypt-then mac.
In addition, add mechanisms to the hello messages to facilitate negotiating this extension.
How to generate public key base64-string?
Hi,
if i have N and E with RSA, how to generate public key? is this library can do that?
(cl-tls:create-asn-sequence
(list '(1 2 840 113549 1 1 1) :oid)
(list n :integer)
(list e :integer))
and result is correct oct-vector, can you help me?
ironclad::|sha256-regs-a| when loading from quicklisp
Implementation: sbcl
Steps to reproduce: (ql:quickload "cl-tls")
Backtrace:
0: ("undefined function" #(1779033703 3144134277 1013904242 2773480762 1359893119 2600822924 ...))
1: (ironclad::update-sha256-block # #)
2: (ironclad::mdx-updater #S(ironclad:sha256 :amount 32 :buffer #(0 0 0 0 0 0 ...) :buffer-index 32 :regs #(1779033703 3144134277 1013904242 2773480762 1359893119 2600822924 ...) :block #(0 0 0 0 0 0 .....
3: ((sb-pcl::emf ironclad:update-digest) # # #S(ironclad:sha256 :amount 32 :buffer #(0 0 0 0 0 0 ...) :buffer-index 32 :regs #(1779033703 3144134277 1013904242 277348076..
4: ((:method ironclad:prng-reseed (t ironclad:fortuna-generator)) #(239 187 46 22 44 160 ...) #<ironclad:fortuna-generator {100592CED3}>) [fast-method]
5: ((:method ironclad:prng-reseed (t ironclad:fortuna-prng)) #(239 187 46 22 44 160 ...) #<ironclad:fortuna-prng {1005929093}>) [fast-method]
6: ((:method ironclad:make-prng :around (t)) :fortuna :seed :urandom) [fast-method]
7: ((lambda (sb-pcl::.pv. sb-pcl::.next-method-call. sb-pcl::.arg0. sb-int:&more sb-pcl::.dfun-more-context. sb-pcl::.dfun-more-count.) :in "/home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gav..
8: ((sb-c::top-level-form (setq package (sb-int:find-undeleted-package-or-lose "CL-TLS")))) [toplevel]
9: (sb-fasl::load-fasl-group #S(sb-fasl::fasl-input :stream #<sb-sys:fd-stream for "file /home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gavinok/.local/share/roswell/lisp/quicklisp/dists/quick..
10: ((lambda nil :in sb-fasl::load-as-fasl))
11: (sb-impl::call-with-loader-package-names #<function (lambda nil :in sb-fasl::load-as-fasl) {100591A33B}>)
12: (sb-fasl::load-as-fasl #<sb-sys:fd-stream for "file /home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gavinok/.local/share/roswell/lisp/quicklisp/dists/quicklisp/software/cl-tls-20221106-git/..
13: ((labels sb-fasl::load-stream-1 :in load) #<sb-sys:fd-stream for "file /home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gavinok/.local/share/roswell/lisp/quicklisp/dists/quicklisp/software/c..
14: (sb-fasl::call-with-load-bindings #<function (labels sb-fasl::load-stream-1 :in load) {7F235F0BC8AB}> #<sb-sys:fd-stream for "file /home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gavinok/.l..
15: (load #P"/home/gavinok/.cache/common-lisp/sbcl-2.2.9-linux-x64/home/gavinok/.local/share/roswell/lisp/quicklisp/dists/quicklisp/software/cl-tls-20221106-git/src/utils.fasl" :verbose nil :print nil :if..
16: (uiop/utility:call-with-muffled-conditions #<function (lambda nil :in uiop/lisp-build:load*) {1005915BDB}> ("Overwriting already existing readtable ~S." #(#:finalizers-off-warning :asdf-finalizers)))
17: ((sb-pcl::emf asdf/action:perform) # # #<asdf/lisp-action:load-op > #<asdf/lisp-action:cl-source-file "cl-tls" "src" "utils">)
18: ((lambda nil :in asdf/action:call-while-visiting-action))
19: ((:method asdf/action:perform-with-restarts (asdf/lisp-action:load-op asdf/lisp-action:cl-source-file)) #<asdf/lisp-action:load-op > #<asdf/lisp-action:cl-source-file "cl-tls" "src" "utils">) [fast-me..
20: ((:method asdf/action:perform-with-restarts :around (t t)) #<asdf/lisp-action:load-op > #<asdf/lisp-action:cl-source-file "cl-tls" "src" "utils">) [fast-method]
21: ((:method asdf/plan:perform-plan (t)) #<asdf/plan:sequential-plan {10027F6CE3}>) [fast-method]
22: ((flet sb-c::with-it :in sb-c::%with-compilation-unit))
23: ((:method asdf/plan:perform-plan :around (t)) #<asdf/plan:sequential-plan {10027F6CE3}>) [fast-method]
24: ((:method asdf/operate:operate (asdf/operation:operation asdf/component:component)) #<asdf/lisp-action:load-op > #<asdf/system:system "cl-tls"> :plan-class nil :plan-options nil) [fast-method]
25: ((sb-pcl::emf asdf/operate:operate) # # #<asdf/lisp-action:load-op > #<asdf/system:system "cl-tls"> :verbose nil)
26: ((lambda nil :in asdf/operate:operate))
27: ((:method asdf/operate:operate :around (t t)) #<asdf/lisp-action:load-op > #<asdf/system:system "cl-tls"> :verbose nil) [fast-method]
28: ((sb-pcl::emf asdf/operate:operate) # # asdf/lisp-action:load-op "cl-tls" :verbose nil)
29: ((lambda nil :in asdf/operate:operate))
30: ((:method asdf/operate:operate :around (t t)) asdf/lisp-action:load-op "cl-tls" :verbose nil) [fast-method]
31: (asdf/session:call-with-asdf-session #<function (lambda nil :in asdf/operate:operate) {10027ECCDB}> :override t :key nil :override-cache t :override-forcing nil)
32: ((lambda nil :in asdf/operate:operate))
33: (asdf/session:call-with-asdf-session #<function (lambda nil :in asdf/operate:operate) {10027E1FEB}> :override nil :key nil :override-cache nil :override-forcing nil)
34: ((:method asdf/operate:operate :around (t t)) asdf/lisp-action:load-op "cl-tls" :verbose nil) [fast-method]
35: (asdf/operate:load-system "cl-tls" :verbose nil)
36: (quicklisp-client::call-with-macroexpand-progress #<function (lambda nil :in quicklisp-client::apply-load-strategy) {10027E1F5B}>)
37: (quicklisp-client::autoload-system-and-dependencies "cl-tls" :prompt nil)
38: ((:method ql-impl-util::%call-with-quiet-compilation (t t)) # #<function (flet quicklisp-client::ql :in quicklisp-client:quickload) {10027CB8DB}>) [fast-method]
39: ((:method ql-impl-util::%call-with-quiet-compilation :around (ql-impl:sbcl t)) #<ql-impl:sbcl {100523C1D3}> #<function (flet quicklisp-client::ql :in quicklisp-client:quickload) {10027CB8DB}>) [fast-m..
40: ((:method quicklisp-client:quickload (t)) "cl-tls" :prompt nil :silent nil :verbose nil) [fast-method]
41: (ql-dist::call-with-consistent-dists #<function (lambda nil :in quicklisp-client:quickload) {10027A616B}>)
42: (sb-int:simple-eval-in-lexenv (quicklisp-client:quickload "cl-tls") #)
43: (eval (quicklisp-client:quickload "cl-tls"))
44: ((lambda nil :in slynk-mrepl::mrepl-eval-1))
45: (slynk::call-with-retry-restart "Retry SLY mREPL evaluation request." #<function (lambda nil :in slynk-mrepl::mrepl-eval-1) {10027A566B}>)
46: ((lambda nil :in slynk-mrepl::mrepl-eval-1))
47: ((lambda nil :in slynk::call-with-listener))
48: (slynk::call-with-bindings # #)
49: (slynk-mrepl::mrepl-eval-1 # #)
50: (slynk-mrepl::mrepl-eval #<slynk-mrepl::mrepl mrepl-1-1> #)
51: (slynk:process-requests nil)
52: ((lambda nil :in slynk::spawn-channel-thread))
53: ((lambda nil :in slynk::spawn-channel-thread))
54: (slynk-sbcl::call-with-break-hook # #)
55: ((flet slynk-backend:call-with-debugger-hook :in "/home/gavinok/.emacs.d/elpa/sly-20221108.2234/slynk/backend/sbcl.lisp") # #)
56: ((lambda nil :in slynk::call-with-listener))
57: (slynk::call-with-bindings # #)
58: ((lambda nil :in slynk::spawn-channel-thread))
59: ((flet sb-unix::body :in sb-thread::run))
60: ((flet "WITHOUT-INTERRUPTS-BODY-11" :in sb-thread::run))
61: ((flet sb-unix::body :in sb-thread::run))
62: ((flet "WITHOUT-INTERRUPTS-BODY-4" :in sb-thread::run))
63: (sb-thread::run)
64: ("foreign function: call_into_lisp_")
Please add to quicklisp
Hi my latter-day-paypal library https://github.com/K1D77A/latter-day-paypal depends on this library to verify the integrity of webhooks sent from paypal, so I was wondering if you could either give me permission to ask Xach to add this to QL or if you could ask yourself @ https://github.com/quicklisp/quicklisp-projects/issues
Thanks ๐
Validate received DH parameters to counter MITM as per https://tools.ietf.org/html/rfc7457#section-2.9
Validate parameters as in rfc2631 or ANSI X9.42 to ensure the parameters we receive from the other party are cryptographically secure.
Add support for OCSP stapling
Specified in https://tools.ietf.org/html/rfc6961
OCSP stapling eliminates privacy concerns for OCSP and saves bandwidth for clients by requiring server to query OCSP responders themselves.
#'generate-dh-params in DH/diffie-hellman.lisp does not pass correctness test
The function that implements section 2.2.1.1 of rfc2631 needs to be rewritten.
This is needed because the current implementation does not pass the correctness tests in the specs.
(tls-vulnerability CVE-2011-1473 CVE-2013-0169 CVE-2016-2183)
when i test cl-tls with testssl.sh,
./testssl.sh -e -E -s -f -p -g -S -P -x -c -h -U -H -I -T -R -C -B -O -Z -W -A -L -F -J -D -4 https://127.0.0.1:443/
it shows some item not ok.
please fix these security issues of cl-tls.
| Vulnerabilitie | Severity | Attack | Fix_plan | Refer_to | Status |
|---|---|---|---|---|---|
| CVE-2011-1473 | Medium | Renegotiation Attack | secure renegotiation | RFC 5746 | repairable |
| CVE-2013-0169 | Low | Lucky13 | use aes_gcm | RFC 5288 | |
| CVE-2016-2183 | High | Sweet32 | remove 3des | RFC 8429 | fixed at 1307891 |
| CVE-2011-3389 | Medium | BEAST | use random iv | RFC 5246 | d4b3489 (False positive) |
Line 247 in 2ab4fc3
| mode | mac | way | name |
|---|---|---|---|
| aes-cbc | hmac | mac-then-encrypt | cbc |
| aes-gcm | gmac | encrypt-then-mac | ctr |
The following lisp code may help a little:
Line 447 in 1307891
;; Add tls extensions
(fast-io:fast-write-sequence something-and-empty-renegotiation-info-octets msg)
Line 51 in 2ab4fc3
;; Session close
(defun close-tls-session (session)
nil)
;; Session handshake timeout or active timeout
(defun start-to-check-timeout ()
(loop
nil))
Line 937 in 2ab4fc3
;; Success, connection is now open
(if (eql state :open)
(error "this server disable renegotiation")
(setf state :open))
cl-tls/src/tls/ciphersuites.lisp
Line 314 in 2ab4fc3
;; Remove anon rc4 3des
(member arg
(union
(union +anon-authentication-suites+ +rc4-encryption-suites+)
+3des-encryption-suites+)
:test #'equal)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.