wahern / luaossl

Most comprehensive OpenSSL module in the Lua universe.
http://25thandclement.com/~william/projects/luaossl.html

OpenSSL 3.0.0 #199

Closed jprjr closed 2 years ago

jprjr commented 2 years ago

Hi there - I took a crack at updating this Lua module to work with OpenSSL 3.0.0 (issue #195), by trying to make the EVP_KDF-emulating functions more closely match the OpenSSL 3.0.0 signatures.

I'm very welcome to feedback on this, there's one area where I'm not sure if I'm doing the right thing or not -

Previously, when using EVP_KDF_ctrl with EVP_KDF_CTRL_SET_MD - that uses some opaque message digest type. It looks like in OpenSSL 3.0.0, if you set the digest they expect a printable string. I'm unsure if mk_checkdigest is just taking a regular printable string and converting it to that custom type?

I'm also not super-stoked about OpenSSL adding this new OSSL_PARAM type and requiring its usage - this resulted in having a whole lot of #if directives in the kdf_derive function. The only other way I see getting around that would be actually defining the OSSL_PARAM type and writing those construct functions, then write a replacement EVP_KDF_CTX_set_params function that iterates through the params and calls EVP_KDF_ctrl with the appropriate arguments.

There's a good number of deprecation warnings, but as far as I can tell it works correctly. But could/should probably get more eyes on it and tested.
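
The alternative described in the comment above (a parameter list walked by a replacement set_params that forwards each entry to a ctrl-style setter), as an added example; it is not code from this PR or from luaossl. Every type and name here (`kdf_ctx`, `compat_param`, `kdf_ctrl`, `compat_set_params`, the `KDF_CTRL_*` values and the key strings) is a hypothetical stand-in so the file builds without OpenSSL headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins so this builds without OpenSSL headers. */
enum { KDF_CTRL_SET_MD = 1, KDF_CTRL_SET_KEY, KDF_CTRL_SET_SALT };
typedef struct { const char *md; const void *key, *salt; size_t keylen, saltlen; } kdf_ctx;

/* Minimal look-alike of a parameter entry: name, payload, payload size. */
typedef struct { const char *key; const void *data; size_t size; } compat_param;

static compat_param param_octets(const char *k, const void *d, size_t n) {
    compat_param p = { k, d, n };
    return p;
}
static compat_param param_utf8(const char *k, const char *s) { return param_octets(k, s, strlen(s)); }
static compat_param param_end(void) { return param_octets(NULL, NULL, 0); }

/* Stand-in for the ctrl-style setter. A real shim would resolve the digest
 * name to the library's digest object here instead of storing the string. */
static int kdf_ctrl(kdf_ctx *c, int cmd, const void *d, size_t n) {
    switch (cmd) {
    case KDF_CTRL_SET_MD:   c->md = d; return 1;
    case KDF_CTRL_SET_KEY:  c->key = d; c->keylen = n; return 1;
    case KDF_CTRL_SET_SALT: c->salt = d; c->saltlen = n; return 1;
    }
    return 0;
}

/* Replacement set_params: map each named parameter to one ctrl call.
 * Unknown names fail the whole call, so a salt or digest is never
 * silently dropped from a derivation. Key strings are illustrative. */
static int compat_set_params(kdf_ctx *c, const compat_param *p) {
    static const struct { const char *key; int cmd; } map[] = {
        { "digest", KDF_CTRL_SET_MD }, { "key", KDF_CTRL_SET_KEY }, { "salt", KDF_CTRL_SET_SALT },
    };
    size_t i, n = sizeof map / sizeof map[0];
    for (; p->key != NULL; p++) {
        for (i = 0; i < n && strcmp(p->key, map[i].key) != 0; i++) {}
        if (i == n || !kdf_ctrl(c, map[i].cmd, p->data, p->size)) return 0;
    }
    return 1;
}

int main(void) {
    kdf_ctx c = { 0 };
    compat_param ps[] = { param_utf8("digest", "sha256"), param_octets("salt", "NaCl", 4), param_end() };
    int ok = compat_set_params(&c, ps);   /* constructed sample input */
    printf("set_params -> %d, digest=%s\n", ok, ok ? c.md : "(unset)");
    return 0;
}
```

Callers on both library generations can then build one parameter list, which confines the version `#if` to the shim rather than the derive function.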

jprjr commented 2 years ago

There's still some deprecation warnings around some low-level object functions (RSA_new, DSA_new) but IMO, that effort could be done in a separate update, it's a bit more involved than changing some function signatures.

jprjr commented 2 years ago

So I've compiled on Ubuntu 22.04 (OpenSSL 3.0.0) and Arch Linux (OpenSSL 1.1.1), and successfully ran the 95-kdf.lua script in the regress directory. I also ran the other scripts in the regress directory, but I figure that 95-kdf.lua script covers what's being updated in this PR.

jfcap commented 2 years ago

Hi @daurnimator, do you plan a new release on luarocks with this fix?

daurnimator commented 2 years ago

I've now tested this on debian jessie (OpenSSL 1.0.1t 3 May 2016) and confirmed it works there; I think that's as old as we need to go these days.

ConiKost commented 2 years ago

Could you do a new release? Thank you!

mimi89999 commented 2 years ago

Would it also be possible to tag a new release on GH so that distros could start packaging the new version?

ConiKost commented 2 years ago

Thank you for providing a new release!