zhaozg / lua-openssl

Openssl binding for Lua

Home Page: https://zhaozg.github.io/lua-openssl/index.html

License: Other

Makefile 0.98% Lua 31.76% C 66.73% CMake 0.53%
c openssl crypto lua luajit ssl openssl-binding lua-openssl cipher


lua-openssl's Issues

Example Request for Sign and Verify

Hello,

An example request showing sign and verify would be useful. I am not making much progress working with pkey.read which returns nil every time I pass in a private key.

`ssl_ctx:options` inconsistent with doc

The doc says options(bool, string) or options(string, string),
but as far as I can see it is options(bool, number) or options(number).
Also, because of that, there is a bug in ssl.lua:

    if params.options then
        local args = {}
        for i=1,#params.options do
            table.insert(arg,params.options[i]) -- !!! note you use `arg` instead of `args`
        end
        ctx:options(unpack(args))
    end

lua and luajit crash on OpenSUSE 12.1 (i386/32bit)

Hello there!

I'm experiencing weird errors on my laptop while trying to use lua-openssl. Lua and/or luajit interpreters crash immediately.

My environment:

$ uname -a
Linux k2 3.2.9-12-desktop #1 SMP PREEMPT Thu Mar 1 17:31:01 UTC 2012 (ba1cb50) i686 i686 i386 GNU/Linux
$ lsb_release -a
LSB Version:    core-2.0-noarch:core-3.2-noarch:core-4.0-noarch:core-2.0-ia32:core-3.2-ia32:core-4.0-ia32:desktop-4.0-ia32:desktop-4.0-noarch:graphics-2.0-ia32:graphics-2.0-noarch:graphics-3.2-ia32:graphics-3.2-noarch:graphics-4.0-ia32:graphics-4.0-noarch
Distributor ID: SUSE LINUX
Description:    openSUSE 12.1 (i586)
Release:        12.1
Codename:       Asparagus

OpenSSL:

$ openssl version
OpenSSL 1.0.0e 6 Sep 2011

I compiled lua and luajit myself, because I thought that something was wrong with the packages provided by the distribution.

$ lua -v
Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio

$ luajit -v
LuaJIT 2.0.0-beta9 -- Copyright (C) 2005-2011 Mike Pall. http://luajit.org/

System environment:

$ cc --version
cc (SUSE Linux) 4.6.2
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ ld --version
GNU ld (GNU Binutils; openSUSE 12.1) 2.21.1
Copyright 2011 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) a later version.
This program has absolutely no warranty.

$ /lib/libc.so.6 
GNU C Library stable release version 2.14.1 (20111007), by Roland McGrath et al.
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Configured for i686-suse-linux.
Compiled by GNU CC version 4.6.2.
Compiled on a Linux 3.1.0 system on 2012-01-09.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        NoVersion patch for broken glibc 2.0 binaries
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>

Code that crashes:

local openssl = require('openssl')

secret_key = "secret"
cipher = openssl.get_cipher("RC4")

num = 10000000
i = 1
while i <= num do
        i = i+1
        id = "something"
        encrypted = cipher:encrypt(id, secret_key);
end

Lua error:


$ lua a.lua
lua: malloc.c:3096: sYSMALLOc: Assertion (old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted (core dumped)


Stack trace:

#0 0xb754e8c5 in raise () from /lib/libc.so.6
#1 0xb75501d5 in abort () from /lib/libc.so.6
#2 0xb758f294 in __malloc_assert () from /lib/libc.so.6
#3 0xb75921ec in _int_malloc () from /lib/libc.so.6
#4 0xb7593cdc in malloc () from /lib/libc.so.6
#5 0xb739b2bc in ?? () from /lib/libcrypto.so.1.0.0
#6 0xb739b94c in CRYPTO_malloc () from /lib/libcrypto.so.1.0.0
#7 0xb740d13c in lh_new () from /lib/libcrypto.so.1.0.0
#8 0xb739e99c in OBJ_NAME_init () from /lib/libcrypto.so.1.0.0
#9 0xb739ed05 in OBJ_NAME_add () from /lib/libcrypto.so.1.0.0
#10 0xb74177e8 in EVP_add_cipher () from /lib/libcrypto.so.1.0.0
#11 0xb741cb93 in OpenSSL_add_all_ciphers () from /lib/libcrypto.so.1.0.0
#12 0xb750f71d in luaopen_openssl () from ./openssl.so
#13 0x0804f76e in luaD_precall ()
#14 0x0804fb38 in luaD_call ()
#15 0x0804d4d7 in lua_call ()
#16 0x08065a08 in ll_require ()
#17 0x0804f76e in luaD_precall ()
#18 0x08058605 in luaV_execute ()
#19 0x0804fb88 in luaD_call ()
#20 0x0804c0e0 in f_call ()
#21 0x0804eeb2 in luaD_rawrunprotected ()
#22 0x0804fd20 in luaD_pcall ()
#23 0x0804d572 in lua_pcall ()
#24 0x0804b5f6 in docall ()
#25 0x0804be8c in pmain ()
#26 0x0804f76e in luaD_precall ()
#27 0x0804fb38 in luaD_call ()
#28 0x0804c0a8 in f_Ccall ()
#29 0x0804eeb2 in luaD_rawrunprotected ()
#30 0x0804fd20 in luaD_pcall ()
#31 0x0804d601 in lua_cpcall ()
#32 0x0804b22c in main ()


LuaJIT error

$ luajit a.lua
luajit: malloc.c:3096: sYSMALLOc: Assertion (old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted (core dumped)


Stack trace:

#0 0xb75798c5 in raise () from /lib/libc.so.6
#1 0xb757b1d5 in abort () from /lib/libc.so.6
#2 0xb75ba294 in __malloc_assert () from /lib/libc.so.6
#3 0xb75bd1ec in _int_malloc () from /lib/libc.so.6
#4 0xb75becdc in malloc () from /lib/libc.so.6
#5 0xb73a22bc in ?? () from /lib/libcrypto.so.1.0.0
#6 0xb73a294c in CRYPTO_malloc () from /lib/libcrypto.so.1.0.0
#7 0xb741413c in lh_new () from /lib/libcrypto.so.1.0.0
#8 0xb73a599c in OBJ_NAME_init () from /lib/libcrypto.so.1.0.0
#9 0xb73a5d05 in OBJ_NAME_add () from /lib/libcrypto.so.1.0.0
#10 0xb741e7e8 in EVP_add_cipher () from /lib/libcrypto.so.1.0.0
#11 0xb7423b93 in OpenSSL_add_all_ciphers () from /lib/libcrypto.so.1.0.0
#12 0xb753971d in luaopen_openssl () from ./openssl.so
#13 0x080633c7 in ?? ()
#14 0x0808d9a8 in ?? ()
#15 0x080633c7 in ?? ()
#16 0x080528ad in lua_pcall ()
#17 0x0804ba46 in _start ()


The same code runs fine on Ubuntu 12.04 LTS beta x86_64 (64bit, openssl 1.0.1)... Is there any possibility that something is wrong on 32bit system?

Explicit close/cleanup methods

Could you please add explicit close methods to objects?

E.g. I use a Cipher context, and after I call ctx:final() I no longer need this object and could close it rather than waiting for the GC. Is it valid at all to use the ctx object after the final method? In my use case it gives me wrong results (the GNTP server cannot decode such data). So to encrypt/decrypt parts of a message I use a new->update->final sequence for each part.

A close method for cipher/hash could work as final+cleanup (of course a decode error in final should not prevent closing the context).

Compile error on Fedora 20

gcc -g -fPIC -Wall -fPIC -I/usr/local/openresty/luajit/include/lua5.1 -DPTHREADS -I/usr/local/openresty/luajit/include/lua5.1 -c -o src/ssl.o src/ssl.c
In file included from src/ssl.c:1:0:
src/openssl.h:30:0: 警告:“lua_objlen”重定义 [默认启用]
#define lua_objlen lua_rawlen
^
In file included from /usr/include/lua.h:16:0,
from src/openssl.h:25,
from src/ssl.c:1:
/usr/include/luaconf.h:301:0: 附注:这是先前定义的位置
#define lua_objlen(L,i) lua_rawlen(L, (i))
^
src/ssl.c: 在函数‘openssl_ssl_ctx_new’中:
src/ssl.c:12:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv3_method(); /* SSLv3 */
^
src/ssl.c:14:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv3_server_method(); /* SSLv3 */
^
src/ssl.c:16:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv3_client_method(); /* SSLv3 */
^
src/ssl.c:18:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv23_method(); /* SSLv3 but can rollback to v2 */
^
src/ssl.c:20:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */
^
src/ssl.c:22:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */
^
src/ssl.c:24:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = TLSv1_method(); /* TLSv1.0 */
^
src/ssl.c:26:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = TLSv1_server_method(); /* TLSv1.0 */
^
src/ssl.c:28:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = TLSv1_client_method(); /* TLSv1.0 */
^
src/ssl.c:30:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = DTLSv1_method(); /* DTLSv1.0 */
^
src/ssl.c:32:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = DTLSv1_server_method(); /* DTLSv1.0 */
^
src/ssl.c:34:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = DTLSv1_client_method(); /* DTLSv1.0 */
^
src/ssl.c:37:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv2_method(); /* SSLv2 */
^
src/ssl.c:39:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv2_server_method(); /* SSLv2 */
^
src/ssl.c:41:10: 警告:assignment discards ‘const’ qualifier from pointer target type [默认启用]
method = SSLv2_client_method();
^
src/ssl.c:10:6: 警告:未使用的变量‘ret’ [-Wunused-variable]
int ret = 0;
^
src/ssl.c: 在函数‘openssl_ssl_ctx_sessions’中:
src/ssl.c:159:3: 警告:传递‘SSL_CTX_set_session_id_context’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
int ret = SSL_CTX_set_session_id_context(ctx, sid_ctx, s);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1754:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
^
src/ssl.c: 在函数‘openssl_ssl_ctx_use_RSAPrivateKey’中:
src/ssl.c:204:3: 警告:传递‘SSL_CTX_use_RSAPrivateKey_ASN1’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
ret = SSL_CTX_use_RSAPrivateKey_ASN1(ctx, d, size);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1741:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
^
src/ssl.c: 在函数‘openssl_ssl_ctx_use_PrivateKey’中:
src/ssl.c:220:3: 警告:传递‘SSL_CTX_use_PrivateKey_ASN1’的第 3 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
ret = SSL_CTX_use_PrivateKey_ASN1(pk, ctx, d, size);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1743:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
^
src/ssl.c: 在函数‘openssl_ssl_ctx_use_certificate’中:
src/ssl.c:235:3: 警告:传递‘SSL_CTX_use_certificate_ASN1’的第 3 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
ret = SSL_CTX_use_certificate_ASN1(ctx, size, d);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1746:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
^
src/ssl.c: 在文件作用域:
src/ssl.c:376:2: 警告:“/*”出现在注释中 [-Wcomment]
/* These are the ones being used, the ones in SSL_SESSION are
^
src/ssl.c: 在函数‘openssl_ssl_session_id’中:
src/ssl.c:452:3: 警告:传递‘lua_pushlstring’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
lua_pushlstring(L, id, len);
^
In file included from src/openssl.h:25:0,
from src/ssl.c:1:
/usr/include/lua.h:209:22: 附注:需要类型‘const char *’,但实参的类型为‘const unsigned char *’
LUA_API const char *(lua_pushlstring) (lua_State *L, const char *s, size_t l);
^
src/ssl.c:458:3: 警告:传递‘SSL_SESSION_set1_id_context’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
int ret = SSL_SESSION_set1_id_context(session, id, len);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1700:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
^
src/ssl.c: 在函数‘openssl_ssl_current_cipher’中:
src/ssl.c:566:47: 错误:‘luaL_Buffer’没有名为‘buffer’的成员
lua_pushstring(L, SSL_CIPHER_description(c, B.buffer, sizeof(B.buffer)));
^
src/ssl.c:566:64: 错误:‘luaL_Buffer’没有名为‘buffer’的成员
lua_pushstring(L, SSL_CIPHER_description(c, B.buffer, sizeof(B.buffer)));
^
src/ssl.c:548:14: 警告:变量‘B’被设定但未被使用 [-Wunused-but-set-variable]
luaL_Buffer B = {0};
^
src/ssl.c: 在函数‘openssl_ssl_fd’中:
src/ssl.c:575:6: 警告:未使用的变量‘ret’ [-Wunused-variable]
int ret = 1;
^
src/ssl.c: 在函数‘openssl_ssl_shared_ciphers’中:
src/ssl.c:640:49: 错误:‘luaL_Buffer’没有名为‘buffer’的成员
lua_pushstring(L, SSL_get_shared_ciphers(s, buf.buffer, sizeof(buf.buffer)));
^
src/ssl.c:640:68: 错误:‘luaL_Buffer’没有名为‘buffer’的成员
lua_pushstring(L, SSL_get_shared_ciphers(s, buf.buffer, sizeof(buf.buffer)));
^
src/ssl.c:639:14: 警告:变量‘buf’被设定但未被使用 [-Wunused-but-set-variable]
luaL_Buffer buf = {0};
^
src/ssl.c: 在函数‘openssl_ssl_use_PrivateKey’中:
src/ssl.c:698:3: 警告:传递‘SSL_use_PrivateKey_ASN1’的第 3 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
ret = SSL_use_PrivateKey_ASN1(pk, s, d, size);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1665:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
^
src/ssl.c: 在函数‘openssl_ssl_use_certificate’中:
src/ssl.c:713:3: 警告:传递‘SSL_use_certificate_ASN1’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
ret = SSL_use_certificate_ASN1(s, d, (int)size);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1667:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
^
src/ssl.c: 在函数‘openssl_ssl_ctrl’中:
src/ssl.c:824:7: 警告:未使用的变量‘s’ [-Wunused-variable]
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
^
src/ssl.c: 在函数‘openssl_ssl_alert_type_string’中:
src/ssl.c:1017:7: 警告:未使用的变量‘s’ [-Wunused-variable]
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
^
src/ssl.c: 在函数‘openssl_ssl_alert_desc_string’中:
src/ssl.c:1030:7: 警告:未使用的变量‘s’ [-Wunused-variable]
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
^
src/ssl.c: 在函数‘openssl_ssl_session’中:
src/ssl.c:1055:4: 警告:传递‘SSL_set_session_id_context’的第 2 个参数给指针时,目标与指针符号不一致 [-Wpointer-sign]
int ret = SSL_set_session_id_context(s, sid_ctx, sz);
^
In file included from src/ssl.c:2:0:
/usr/include/openssl/ssl.h:1758:5: 附注:需要类型‘const unsigned char *’,但实参的类型为‘const char *’
int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
^
src/ssl.c: 在文件作用域:
src/ssl.c:439:12: 警告:‘openssl_ssl_session_peer’定义后未使用 [-Wunused-function]
static int openssl_ssl_session_peer(lua_State *L){
^
src/ssl.c:766:12: 警告:‘openssl_ssl_set_purpose’定义后未使用 [-Wunused-function]
static int openssl_ssl_set_purpose(lua_State *L){
^
src/ssl.c:774:12: 警告:‘openssl_ssl_set_trust’定义后未使用 [-Wunused-function]
static int openssl_ssl_set_trust(lua_State *L){
^
src/ssl.c:945:12: 警告:‘openssl_ssl_verify_result’定义后未使用 [-Wunused-function]
static int openssl_ssl_verify_result(lua_State *L){
^
make: *** [src/ssl.o] 错误 1

Build on Windows

You mark exported functions as LUA_API,
but by default that is just extern.
You need to define /DLUA_BUILD_AS_DLL /DLUA_LIB in the Makefile.

differentiating lua-openssl from LuaCrypto

I've updated http://lua-users.org/wiki/CryptographyStuff to include lua-openssl.

As seen, there are a number of other projects that bind to various parts of OpenSSL:

OpenSSL SSL/TLS sockets: see LuaSec (synchronous) and ratchet (coroutine asynchronous). Both use OpenSSL.
OpenSSL crypto: see LuaCrypto (crypto binding), lua-openssl (without TLS/SSL), lmd5 (small MDx/SHAx digest binding)

Two of these apparently aim to be general purpose crypto (non-TLS/SSL) bindings: LuaCrypto and lua-openssl. As seen in the introduction ( http://luacrypto.luaforge.net/manual.html ), I think LuaCrypto may be less extensive than lua-openssl.

I think it's worth adding in your README that lua-openssl does not do SSL/TLS (I think) and some notes about why it differs from LuaCrypto. Could LuaCrypto and lua-openssl be merged? or are the designs too different?

`openssl.stack_of_XXX` 1-based indexing

I think it is more the Lua way to start the index from 1:

peer, stack = ssl_ctx:peer()
-- Currently
for i = 1, #stack do local cert = stack:get(i-1) ... end
-- 
for i = 1, #stack do local cert = stack:get(i) ... end
-- or even
for i = 1, #stack do local cert = stack[i] ... end

Build issues

Hello

I cannot build the project:

Package lua was not found in the pkg-config search path.
Perhaps you should add the directory containing `lua.pc'
to the PKG_CONFIG_PATH environment variable
No package 'lua' found
Package lua was not found in the pkg-config search path.
Perhaps you should add the directory containing `lua.pc'
to the PKG_CONFIG_PATH environment variable
No package 'lua' found
gcc -g -fPIC -Wall -fPIC -Wno-unused-value    -DPTHREADS  -Wall -fPIC -Wno-unused-value    -DPTHREADS  -c -o src/asn1.o src/asn1.c
In file included from src/asn1.c:7:0:
src/openssl.h:10:17: fatal error: lua.h: No such file or directory
compilation terminated.
make: *** [src/asn1.o] Error 1

What configuration file are we supposed to change? The only one I see is config.win and I am on a linux box.

How to create RSA public key from `e` and `n` values as big num instances.

I'm loading ssh public keys from github and want to convert them to openssl public keys to verify some signatures I'm creating.

I've parsed the ssh format and have the raw e and n values using bn.text() and some custom parsing code I wrote.
I can't figure out how to go from this to an instance of the openssl public key format.

Do you have any tips or docs on this matter?

Update test with new version of LuaUnit

The last version does not export the module to global space, so the tests fail.
I do not know more about this or how stable the current status of LuaUnit is.
So maybe for now just use the luaunit.lua file from the test directory and do not update it
while installing on Travis.

pkey.read format='auto' needs some improvements

The auto format detection of pkey.read is limited to RSA keys only. EC keys in the format of DER are not auto detected. This is due to the limitation of the detection => bio_is_der.

if (len == sizeof(head) && head[0] == 0x30 && head[1] == 0x82)

EC keys have a different second byte. If I'm not wrong, the second byte is the length of the ASN.1 sequence.
To get a clearer view on the problem run the following command for EC keys:

openssl ecparam -list_curves|fgrep :|tr -d ' '|cut -d: -f1|xargs -I{} sh -c "openssl ecparam -name {} -genkey -noout -outform DER|od -tx1|fgrep 0000000"

The same problem happens as well with small RSA keys:

seq 5 12|xargs -I{} sh -c 'openssl genrsa $(dc -e "2 {} ^ p") 2>/dev/null|openssl rsa -inform pem -outform der 2>/dev/null|od -tx1|fgrep 0000000'
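The limitation described above is easiest to see by decoding the DER length octets instead of matching a fixed second byte. What follows is an added Python example, not lua-openssl's code: it parses a DER tag/length header in short and long form, runs both the naive `0x30 0x82` test from the issue and a length-aware test over constructed sample headers (key bodies replaced by zero padding of the declared length), and additionally requires the declared length to account for the whole input, a safeguard the issue itself does not mention.

```python
"""Added example, not lua-openssl code: length-aware DER SEQUENCE detection.

bio_is_der, as quoted in the issue, accepts only 0x30 0x82 ..., i.e. a SEQUENCE
whose length uses the two-octet long form (256..65535 content bytes). DER
lengths under 128 use a single short-form octet and lengths 128..255 use 0x81
plus one octet, so EC keys and small RSA keys are never recognised.
"""


def der_header(data: bytes):
    """Parse a DER tag/length header.

    Returns (tag, content_length, header_length), or None when the header is
    truncated, uses the indefinite form (forbidden in DER), or is not minimal.
    """
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: one octet, 0..127
        return tag, first, 2
    n = first & 0x7F                      # long form: number of length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # indefinite form or unreasonable size
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        return None                       # DER requires the minimal encoding
    return tag, length, 2 + n


def naive_is_der(data: bytes) -> bool:
    """The check from the issue: SEQUENCE with exactly two length octets."""
    head = data[:4]
    return len(head) == 4 and head[0] == 0x30 and head[1] == 0x82


def is_der_sequence(data: bytes) -> bool:
    """Length-aware check: a DER SEQUENCE whose declared length fills the input.

    Requiring the length to match the whole input is an added safeguard against
    truncated or trailing-garbage blobs; it is not part of the original check.
    """
    hdr = der_header(data)
    if hdr is None:
        return False
    tag, length, hlen = hdr
    return tag == 0x30 and hlen + length == len(data)


def _blob(header_hex: str) -> bytes:
    """Constructed sample: the given header followed by zero padding of the
    declared content length (the real key body is omitted)."""
    header = bytes.fromhex(header_hex)
    _, length, _ = der_header(header)
    return header + bytes(length)


# Constructed samples: only the headers are realistic, bodies are padding.
SAMPLES = {
    "rsa2048_pkcs1": _blob("308204a4"),  # two length octets: naive check passes
    "rsa_small":     _blob("3081a6"),    # one long-form octet: naive check fails
    "ec_p256":       _blob("3077"),      # short form (P-256 ECPrivateKey): fails
}
# Constructed, deliberately truncated PEM text: must be rejected by both checks.
PEM_TEXT = b"-----BEGIN EC PRIVATE KEY-----\n"


def classify(data: bytes) -> dict:
    """Run both detectors over one input and report their verdicts."""
    return {"naive": naive_is_der(data), "length_aware": is_der_sequence(data)}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
    print("pem", classify(PEM_TEXT))
    print("truncated", classify(SAMPLES["rsa2048_pkcs1"][:100]))
```

Running the script shows the naive test accepting only the 2048-bit RSA header while the length-aware test accepts all three key headers and rejects the PEM text and the truncated blob; the same `der_header` routine also rejects the non-minimal and indefinite length forms that DER forbids.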

Does not build with MinGW 4.7.2

Does not build with MinGW 4.7.2, but builds with 4.6.1; openssl-1.0.1c builds with 4.7.2.

>make

gcc -g -fPIC -Wall -fPIC -I../lua-5.1.5/src -I"../openssl-1.0.1c/include"  -L../openssl-1.0.1c -L../lua-5.1.5/src -L./ -I../lua-5.1.5/src -I"../openssl-1.0.1c/include"  -L../openssl-1.0.1c -L../lua-5.1.5/src -L./ -c -o src/auxiliar.o src/auxiliar.c
src/auxiliar.c:1:0: warning: -fPIC ignored for target (all code is position independent) [enabled by default]
gcc -g -fPIC -Wall -fPIC -I../lua-5.1.5/src -I"../openssl-1.0.1c/include"  -L../openssl-1.0.1c -L../lua-5.1.5/src -L./ -I../lua-5.1.5/src -I"../openssl-1.0.1c/include"  -L../openssl-1.0.1c -L../lua-5.1.5/src -L./ -c -o src/bio.o src/bio.c
src/bio.c:1:0: warning: -fPIC ignored for target (all code is position independent) [enabled by default]
In file included from src/openssl.h:46:0,
                 from src/bio.c:23:
../openssl-1.0.1c/include/openssl/ssl.h:1284:2: error: expected specifier-qualifier-list before '(' token
In file included from src/bio.c:23:0:
src/openssl.h:93:0: warning: "strcasecmp" redefined [enabled by default]
In file included from d:\mingw\bin\../lib/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/include/guiddef.h:139:0,
                 from d:\mingw\bin\../lib/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/include/winnt.h:461,
                 from d:\mingw\bin\../lib/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/include/windef.h:139,
                 from d:\mingw\bin\../lib/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/include/windows.h:69,
                 from ../openssl-1.0.1c/include/openssl/rand.h:67,
                 from src/openssl.h:44,
                 from src/bio.c:23:
d:\mingw\bin\../lib/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/include/string.h:106:0: note: this is the location of the previous definition
In file included from src/bio.c:23:0:
src/openssl.h:308:59: error: expected declaration specifiers or '...' before '(' token
makefile:11: recipe for target `src/bio.o' failed
make: *** [src/bio.o] Error 1

Test error

When I run the tests I get one error:

>>> TestX509Name.testAll failed
1.x509_name.lua:60: Error, substring "utf8" was not found in string "bmp:ι"

If I comment out assertStrContains(tostring(v),'utf8') then I get this error:

>>> TestX509Name.testAll failed
1.x509_name.lua:62: expected: "utf8:эЧФэЫОыз¦"
actual: "bmp:-Lг+¦·"

PS. this error exists at least at e99b949

project has no copyright statement, and is an unattributed derivation of php's openssl support

There is no copyright statement on lua-openssl, so under most legal jurisdictions, it is copyright the author, all rights reserved, and cannot be legally used without some kind of agreement with the author. This probably isn't what you intended by putting the source on github.

Also, this project looks like it was started from a copy of PHP's openssl support. That's OK, except this isn't acknowledged anywhere that I can see, and the original authors' copyright statements have been stripped from the code. The PHP copyright explicitly prohibits that:

http://www.php.net/license/3_01.txt:

Redistribution and use in source and binary forms, with or without
modification, is permitted provided that the following conditions
are met:

  1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
    ....

return table

Hi!

Excellent project, many thanks! Wonder if you could make it not go to _G and return table of functions? Or, if this is incompatible, to do both.

TIA,
--Vladimir

EC evp_pkey:parse().ec:parse() should return a table with curve parameters

While writing a test for EC pkeys I came across an inconsistency.

local pkey = require'openssl'.pkey
local unpack = unpack or table.unpack
local inspect = require 'inspect'

local nec =  {'ec','prime256v1'}
local ec_key = pkey.new(unpack(nec))
local curve_params = ec_key:parse().ec:parse()
print(inspect(curve_params))
curve_params.alg = 'ec'
pkey.new(curve_params)
Expected result:
----------------
{
  ec_name = 415,
  x = <userdata 1>,
  y = <userdata 2>,
  d =  <userdata 3>
}
Actual result:
--------------
{
  conv_form = 4,
  enc_flag = 0,
  group = <userdata 1>,
  priv_key = <userdata 2>,
  pub_key = <userdata 3>
}

The expected behavior is to return a table with the curve parameters, to make the behavior comparable to RSA and DSA keys.

My proposal is to extend the openssl.ec_key key with a group parameter. openssl.ec_key.parse() would return the expected table.

memory leak using cipher:

The following code leaks memory really badly (2G in 7 seconds):

require "openssl"

secret_key = "secret"
cipher = openssl.get_cipher("RC4")

num = 10000000
i = 1
while i <= num do
        i = i+1

        id = "something"

        encrypted = cipher:encrypt(id, secret_key);
end

Lua environment:

$ uname -a
Linux pipi.dev.interseek.com 3.2.0-8-generic #14-Ubuntu SMP Fri Jan 6 01:56:48 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ lua -v
Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio

$ luajit-2.0.0-beta9 -v
LuaJIT 2.0.0-beta9 -- Copyright (C) 2005-2011 Mike Pall. http://luajit.org/

$ openssl version
OpenSSL 1.0.0g 18 Jan 2012

Latest lua-openssl master

API design

Currently the API is not consistent or intuitive at all.
E.g. context:set_verify() can be used to get information.
So I suggest making a name/semantic convention.
E.g. we can use one function to get/set, just like context:options(), or use
the prefix set_ for setters.

Segmentation fault on crl.parse

Windows XP/OpenSSL 1.0.1c
The problem is that on line crl.c:533 revoked->reason is -1:

    X509_REVOKED *revoked = sk_X509_REVOKED_value(crl->crl->revoked, i);
    lua_newtable(L);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
    AUXILIAR_SET(L, -1, "CRLReason", reason_flags[revoked->reason].lname, string);
#else

If I remove the #if block and use the variant based on X509_REVOKED_get_ext_d2i it works and I get the result Unused.

Binding request for SSL_CTX_use_certificate_chain

The alternative for ctx:verify_locations(params.cafile,params.capath) would be SSL_CTX_use_certificate_chain within the API. This would allow applications to programmatically set the certificate chain to verify against.

Small refactor for certificate verification

This section of code [1] that caches the verify_cert is used here [2] within the getpeerverification function. Problem is, I have my own verify callback that returns '1', and I want to perform late verification within the luvit stack. The verify_cert table isn't setup within the context of getpeerverification. I believe a good fix would be to create a function to push the error table from [1], and call it in both verify_cb and getpeerverification, and not rely on the cache.

  1. https://github.com/zhaozg/lua-openssl/blob/master/src/ssl.c#L474-492
  2. https://github.com/zhaozg/lua-openssl/blob/master/src/ssl.c#L511-512

`PUSH_ASN1_INTEGER` push negative value

With my cert I get cert->cert_info->serialNumber as negative integer (V_ASN1_NEG_INTEGER)
(This is certificate from Avast Free Antivirus).
So I get error when call PUSH_ASN1_INTEGER(L, cert->cert_info->serialNumber);
So I think it is valid to update openssl_push_asn1 as:

int openssl_push_asn1(lua_State* L, ASN1_STRING* string, int type, int utf8)
{
  if(type && (
    (string->type != type) && (string->type != (type|V_ASN1_NEG))
  ))
  {
    luaL_error(L, "need %s asn1, but get %s",asn1_typestring(type),asn1_typestring(string->type));
    return 0;
  }

  switch(string->type){
  case V_ASN1_INTEGER:
  case V_ASN1_NEG_INTEGER:

If needed I can create a PR tomorrow.
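Why the serial number comes back as V_ASN1_NEG_INTEGER: DER INTEGER content is big-endian two's complement, so a serial whose first content octet has its high bit set decodes as negative unless the encoder prepends a 0x00 octet. The following is an added Python example, not lua-openssl's code: it decodes and encodes INTEGER content with the sign rule applied, and reports whether a serial is negative, which RFC 5280 forbids conforming CAs from issuing but tells certificate users to handle gracefully. The sample serial is constructed.

```python
"""Added example, not lua-openssl code: DER INTEGER sign handling.

DER encodes INTEGER as big-endian two's complement in the minimal number of
octets. A positive value whose top bit is set therefore needs a leading 0x00
octet; an encoder that omits it produces what OpenSSL parses as a negative
integer (V_ASN1_NEG_INTEGER), which is what the issue observed in a
certificate serial number.
"""


def _is_redundant_sign_octet(out: bytes) -> bool:
    """True when the first octet only repeats the sign bit of the second."""
    return len(out) > 1 and (
        (out[0] == 0x00 and out[1] < 0x80) or (out[0] == 0xFF and out[1] >= 0x80)
    )


def decode_der_integer(content: bytes) -> int:
    """Decode DER INTEGER content octets as a signed (two's complement) value.

    Rejects empty content and non-minimal encodings, as DER requires.
    """
    if not content:
        raise ValueError("empty INTEGER content")
    if _is_redundant_sign_octet(content):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def encode_der_integer(value: int) -> bytes:
    """Encode an int as minimal DER INTEGER content octets."""
    nbytes = max(1, (value.bit_length() + 8) // 8)   # +8 leaves room for the sign bit
    out = value.to_bytes(nbytes, "big", signed=True)
    while _is_redundant_sign_octet(out):             # strip redundant sign octets
        out = out[1:]
    return out


def describe_serial(content: bytes) -> dict:
    """Interpret INTEGER content as a certificate serial number.

    Returns the signed value OpenSSL would see, the value an unsigned reading
    gives (what most certificate viewers display), and a negativity flag.
    """
    signed = decode_der_integer(content)
    return {
        "signed": signed,
        "unsigned": int.from_bytes(content, "big"),
        "negative": signed < 0,          # OpenSSL type V_ASN1_NEG_INTEGER
        "hex": content.hex(),
    }


# Constructed sample: a 3-octet serial whose first octet has the high bit set.
# A conforming encoder emits 00 85 12 34; this one dropped the leading 00.
BAD_SERIAL = bytes.fromhex("851234")
GOOD_SERIAL = encode_der_integer(0x851234)


if __name__ == "__main__":
    print("as issued :", describe_serial(BAD_SERIAL))
    print("conforming:", describe_serial(GOOD_SERIAL))
```

For the constructed serial, `describe_serial(BAD_SERIAL)` reports a negative signed value while the unsigned reading is 0x851234; re-encoding that value yields the conforming `00 85 12 34`, which is why a binding that only accepts V_ASN1_INTEGER rejects the issued certificate while still being able to round-trip the corrected form.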

Better error reporting.

At first I did not know whether it is possible at all, but recently I tried to figure out why I could not connect to some server using an SSL connection. The reason was that the server replied with a TLSv1.0 HELLO when I used TLSv1.2. The error code from ssl:handshake() is just SSL_ERROR, but on the server everything was OK.
I could figure out the reason only with Wireshark.
So maybe there is a way to have more detailed error messages for the ssl functions.

Windows/Linux endings are mixed

The source files have no common line ending format. Some files have Linux line endings, the rest have Windows style CRLF line endings.

I recommend converting all Windows style line endings to Linux.
Use this CLI command to find all Windows style files: find -type f -name *.c -exec file {} \;|fgrep CRLF

./src/misc.c: C source, ASCII text, with CRLF line terminators
./src/x509.c: C source, ASCII text, with CRLF line terminators
./src/digest.c: C source, ASCII text, with CRLF line terminators
./src/openssl.c: C source, ASCII text, with CRLF line terminators
./src/crl.c: C source, ASCII text, with CRLF line terminators
./src/ots.c: C source, ASCII text, with CRLF line terminators
./src/pkey.c: C source, ASCII text, with CRLF line terminators
./src/cipher.c: C source, ASCII text, with CRLF line terminators
./src/auxiliar.c: C source, ASCII text, with CRLF line terminators
./src/pkcs12.c: C source, ASCII text, with CRLF line terminators
./src/bio.c: C source, ASCII text, with CRLF line terminators
./src/csr.c: C source, ASCII text, with CRLF line terminators
./src/pkcs7.c: C source, ASCII text, with CRLF line terminators

Double Free in X509.xstore

There is a double free with an SSL_CTX and an X509_STORE. The current code will cause the GC to free the cert_store, and SSL_CTX_free will call free on the cert store as well.

#0  0x00000001001e629d in X509_STORE_free ()
#1  0x00000001001043b6 in SSL_CTX_free ()
#2  0x00000001000d38d9 in openssl_ssl_ctx_gc ()
#3  0x00000001000a962b in lj_BC_FUNCC ()

self.context is an ssl.context:

function Credential:addRootCerts()
  local store = openssl.x509.store:new()
  for _, v in pairs(_root_ca.roots) do
    store:add(assert(openssl.x509.read(v)))
  end
  self.context:cert_store(store)
end

x509_store_free bad access

lua-openssl is compiled against master (e54ba29).

Backtrace:

(gdb) bt
#0  0x00000001001ce78c in sk_value ()
#1  0x00000001001d8ada in X509_STORE_free ()
#2  0x00000001000f6d46 in SSL_CTX_free ()
#3  0x00000001000c67b9 in openssl_ssl_ctx_gc ()
#4  0x00000001000a9d5b in lj_BC_FUNCC ()

Steps to reproduce:

git clone --branch luvi-up --recursive https://github.com/virgo-agent-toolkit/virgo-base
make
make test or gdb ./base

Link errors in update

I updated to the latest version of lua-openssl for luvi and now I'm getting link errors:

liblua_openssl.a(ssl.c.o): In function `openssl_ssl_ctx_set_cert_verify':
ssl.c:(.text+0x2a3b): undefined reference to `openssl_cert_verify_cb'
liblua_openssl.a(ssl.c.o): In function `openssl_ssl_ctx_set_verify':
ssl.c:(.text+0x2cdb): undefined reference to `openssl_verify_cb'

This is on an up-to-date archlinux with openssl version: OpenSSL 1.0.1j 15 Oct 2014

The update also breaks my travis builds which are using an ubuntu userspace. https://travis-ci.org/luvit/luvi/jobs/44259383#L416-L420

verify signatures

It would be extremely useful for the signature verification function pubkey:verify() to support update and then final separately. Currently, all the data needs to be read into a lua buffer and then passed to the verify function. The update and final approach would allow the data to be streamed through.

Compilation Problems on Linux x86_64

We receive lots of compiler warnings when compiling on
Linux montesa.opag.ch 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Some of them are due to missing standard include files.
(Wrong declaration of predefined string functions can lead to a crash on x86_64)
(I will supply a patch for these)

Remaining warnings are:

  • Lots of warnings like ots.c:411: warning: value computed is not used
    seem to come from a set of macros named ADD_ASSOC_*
  • Heavier are the following two warnings:

ots.c: In function ‘tsa_serial_cb’:

ots.c:34: warning: cast from pointer to integer of different size
ots.c: In function ‘openssl_ts_resp_ctx_new’:
ots.c:223: warning: cast from pointer to integer of different size

The latter is an attempt to cast a pointer (64-Bit) to an integer (32-Bit)
which almost certainly leads to a SEGV on 64-Bit platforms.

library version

Please add openssl.version and write the version at the beginning of the README.

Compile issues

version: 9b64f62

issues:

src/cms.c: In function ‘memdup’:
src/cms.c:252:13: error: ‘FALSE’ undeclared (first use in this function)
src/cms.c:252:13: note: each undeclared identifier is reported only once for each function it appears in
src/cms.c:260:11: error: ‘TRUE’ undeclared (first use in this function)

src/x509.c: In function ‘sk_x509_free’:
src/x509.c:367:1: error: pasting ")" and "X509" does not give a valid preprocessing token

how to apply a certificate to a SSL context

RT, I have a certificate whose parent CA's certificate doesn't exist on the client system, so I need to set a certificate chain on an SSL context. I see there is a function, openssl.x509.sk_x509_read, which reads all certificates of a pem string, but I can't find a way to apply it to a context.

I see there an openssl API not exported to Lua: SSL_CTX_use_certificate_chain_file.
