Merge commit '411cd2df5a5f4e0e7dccea3f367a6dd39ede1ae3' into 1.6

bunkerity · Jul 24, 2024 · 7897c35 · 7897c35
2 parents d5c24a5 + 411cd2d
commit 7897c35
Show file tree

Hide file tree

Showing 21 changed files with 310 additions and 430 deletions.
diff --git a/src/deps/src/lua-resty-openssl/.github/workflows/tests.yml b/src/deps/src/lua-resty-openssl/.github/workflows/tests.yml
@@ -209,7 +209,8 @@ jobs:
       if: contains(matrix.extras, 'valgrind')
       run: |
         export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
-        export TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
+        export TEST_NGINX_USE_VALGRIND=1 TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
+        export TEST_NGINX_INIT_BY_LUA="debug.sethook(function () collectgarbage() end, 'l') jit.off()"
         export PATH=$BASE_PATH/work/nginx/sbin:$PATH
         stdbuf -o 0 -e 0 prove -j$JOBS -r t/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
         if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi

diff --git a/src/deps/src/lua-resty-openssl/CHANGELOG.md b/src/deps/src/lua-resty-openssl/CHANGELOG.md
@@ -2,6 +2,21 @@
 ## [Unreleased]
 
 
+<a name="1.5.0"></a>
+## [1.5.0] - 2024-07-23
+### bug fixes
+- **asn1:** correct time_t to be 64 bits type ([#171](https://github.com/fffonion/lua-resty-openssl/issues/171)) [7d6d8b5](https://github.com/fffonion/lua-resty-openssl/commit/7d6d8b5d241374427da2231612e1e4552ff4cf1d)
+- **bn:** fix potential use-after-free in bn.new ([#177](https://github.com/fffonion/lua-resty-openssl/issues/177)) [224fae6](https://github.com/fffonion/lua-resty-openssl/commit/224fae68ca8716fbd97a2a94d194237aaa2eaa58)
+- **objects:** fix a buffer overflow issue in find_sigid_algs. ([#175](https://github.com/fffonion/lua-resty-openssl/issues/175)) [d94064c](https://github.com/fffonion/lua-resty-openssl/commit/d94064cc7754c744b325fcd2908bfce26915b76e)
+- **param:** fix issue when gettable schema may be overwritten by settable schema [7669555](https://github.com/fffonion/lua-resty-openssl/commit/766955521cee5c7ed6a7e64a1439e3ca38c2f958)
+- **param:** save converted value to prevent potential use-after-free [8c366c2](https://github.com/fffonion/lua-resty-openssl/commit/8c366c22c796b0b44bc49d4953084a09bcba4e6c)
+- **pkey:** fix potential use-after-free in pkey.paramgen ([#176](https://github.com/fffonion/lua-resty-openssl/issues/176)) [e924ee0](https://github.com/fffonion/lua-resty-openssl/commit/e924ee0454e1d95b63f62b660d6c0090bfeabb26)
+- **x509.\*:** fix potential use-after-free when get or set subject_alt_name, info_access and dist_points [407d31e](https://github.com/fffonion/lua-resty-openssl/commit/407d31ec31f2fe8cb968b1d7d140f717ef620290)
+- **x509.csr:** fix potential use-after-free in set_extension and add_extension [a0711de](https://github.com/fffonion/lua-resty-openssl/commit/a0711de99cf57e6d8fa62f03abba46e02360063d)
+- **x509.store:** fix potential use-after-free in store:verify and store:check_revocation [b16f759](https://github.com/fffonion/lua-resty-openssl/commit/b16f759c28ed9929d53516af34804d39f49661bf)
+- **x509.store:** fix the string is not NUL terminated in set_purpose ([#174](https://github.com/fffonion/lua-resty-openssl/issues/174)) [a88f1ba](https://github.com/fffonion/lua-resty-openssl/commit/a88f1ba30761e91cc1c2ec1dda3a82f8f4898422)
+
+
 <a name="1.4.0"></a>
 ## [1.4.0] - 2024-05-27
 ### bug fixes
@@ -601,7 +616,8 @@
 - **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
 
 
-[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.4.0...HEAD
+[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.5.0...HEAD
+[1.5.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.4.0...1.5.0
 [1.4.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...1.3.0

diff --git a/src/deps/src/lua-resty-openssl/examples/raw-sign-and-recover.lua b/src/deps/src/lua-resty-openssl/examples/raw-sign-and-recover.lua
@@ -1,5 +1,7 @@
 local pkey = require("resty.openssl.pkey")
 
+-- sign_raw and verify_recover for RSA keys
+
 local priv = assert(pkey.new())
 local pub = assert(pkey.new(priv:to_PEM("public")))
 
@@ -17,6 +19,8 @@ local recovered = assert(pub:verify_recover(signed))
 print("Recovered message: " .. recovered)
 
 
+-- sign_raw and verify_raw for non RSA keys
+
 local priv = assert(pkey.new({
     type = "EC",
 }))
@@ -29,7 +33,5 @@ local signed = assert(priv:sign_raw(hashed))
 
 print("Signed message: " .. ngx.encode_base64(signed))
 
--- same as nodejs: crypto.publicDecrypt
---            php: openssl_public_decrypt
 local verified = assert(pub:verify_raw(signed, hashed, md_alg))
-print("Verification result: ", verified)
+print("Verification result: ", verified)
diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl.lua
@@ -24,7 +24,7 @@ try_require_modules()
 
 
 local _M = {
-  _VERSION = '1.4.0',
+  _VERSION = '1.5.0',
 }
 
 function _M.load_modules()

diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/bn.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/bn.lua
@@ -57,6 +57,7 @@ local function set_bn(ctx, s, base)
     if C.BN_set_word(ctx, s) ~= 1 then
       return nil, format_error("set_bn")
     end
+    return ctx
   elseif type(s) == 'string' then
     if not base or base == 10 then
       return set_dec(ctx, s)
@@ -65,22 +66,26 @@ local function set_bn(ctx, s, base)
     elseif base == 2 then
       return set_binary(ctx, s)
     elseif base == 0 then
-      ctx = set_mpi(ctx, s)
+      return set_mpi(ctx, s)
     else
       return nil, "set_bn: unsupported base: " .. base
     end
   elseif s then
     return nil, "set_bn: expect nil, a number or a string at #1"
   end
 
-  return ctx
+  -- fall through
+  return ctx 
 end
 
 function _M.new(some, base)
   local ctx = C.BN_new()
   ffi_gc(ctx, C.BN_free)
 
-  local ctx, err = set_bn(ctx, some, base)
+  -- local ctx, err = set_bn(ctx, some, base)
+  -- The above expression set ctx to a new cdata return by
+  -- set_bn, the origin cdata would be GC at any time.
+  local _, err = set_bn(ctx, some, base)
   if err then
     return nil, "bn.new: " .. err
   end

diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/include/asn1.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/include/asn1.lua
@@ -18,7 +18,7 @@ ffi.cdef [[
   ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai);
   BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
 
-  typedef int time_t;
+  typedef long time_t;
   ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
 
   int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);

diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/kdf.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/kdf.lua
@@ -337,7 +337,7 @@ function _M:derive(outlen, options, options_count)
   end
 
   if self.buf_size and outlen then
-    return nil, string.format("kdf:derive: this KDF has fixed output size %d, ".. 
+    return nil, string.format("kdf:derive: this KDF has fixed output size %d, "..
                               "it can't be set manually", self.buf_size)
   end
 

diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/objects.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/objects.lua
@@ -57,7 +57,7 @@ local function txtnid2nid(txt_nid)
 end
 
 local function find_sigid_algs(nid)
-  local out = ffi.new("int[0]")
+  local out = ffi.new("int[1]")
   if C.OBJ_find_sigid_algs(nid, out, nil) == 0 then
     return 0, "objects.find_sigid_algs: invalid sigid " .. nid
   end
@@ -71,4 +71,4 @@ return {
   txtnid2nid = txtnid2nid,
   find_sigid_algs = find_sigid_algs,
   create = C.OBJ_create,
-}
+}
diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/param.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/param.lua
@@ -20,17 +20,23 @@ local OSSL_PARAM_OCTET_PTR = 7
 
 local alter_type_key = {}
 local buf_param_key = {}
+local buf_anchor_key = {}
 
 local function construct(buf_t, length, types_map, types_size)
   if not length then
     length = nkeys(buf_t)
   end
 
+
   local params = ffi_new("OSSL_PARAM[?]", length + 1)
 
   local i = 0
-  local buf_param
+  local buf_param, buf_anchored
   for key, value in pairs(buf_t) do
+    if key == buf_anchor_key then
+      goto continue
+    end
+
     local typ = types_map[key]
     if not typ then
       return nil, "param:construct: unknown key \"" .. key .. "\""
@@ -69,28 +75,38 @@ local function construct(buf_t, length, types_map, types_size)
                       ffi_new("unsigned int[1]")
       param = C.OSSL_PARAM_construct_uint(key, buf)
     elseif typ == OSSL_PARAM_UTF8_STRING then
-      buf = value and ffi_cast("char *", value) or buf
+      buf = value ~= nil and ffi_cast("char *", value) or buf
       param = C.OSSL_PARAM_construct_utf8_string(key, buf, value and #value or size)
     elseif typ == OSSL_PARAM_OCTET_STRING then
-      buf = value and ffi_cast("char *", value) or buf
+      buf = value ~= nil and ffi_cast("char *", value) or buf
       param = C.OSSL_PARAM_construct_octet_string(key, ffi_cast("void*", buf),
                                                   value and #value or size)
-    elseif typ == OSSL_PARAM_UTF8_PTR then
+    elseif typ == OSSL_PARAM_UTF8_PTR then -- out only
       buf = ffi_new("char*[1]")
       param = C.OSSL_PARAM_construct_utf8_ptr(key, buf, 0)
-    elseif typ == OSSL_PARAM_OCTET_PTR then
+    elseif typ == OSSL_PARAM_OCTET_PTR then -- out only
       buf = ffi_new("char*[1]")
       param = C.OSSL_PARAM_construct_octet_ptr(key, ffi_cast("void**", buf), 0)
     else
       error("type " .. typ .. " is not yet implemented")
     end
-    if not value then -- out
+
+    if value == nil then -- out
       buf_t[key] = buf
+    else -- in
+      -- save value as OSSL_PARAM_construct_* doesn't copy the value
+      buf_anchored = buf_anchored or {}
+      buf_anchored[key] = buf
     end
+
     params[i] = param
     i = i + 1
+
+::continue::
   end
 
+  buf_t[buf_anchor_key] = buf_anchored
+
   buf_t[buf_param_key] = buf_param
   params[length] = C.OSSL_PARAM_construct_end()
 
@@ -112,7 +128,8 @@ local function parse(buf_t, length, types_map, types_size)
       if C.OSSL_PARAM_get_BN(param, bn_t) ~= 1 then
         return nil, format_error("param:parse: OSSL_PARAM_get_BN")
       end
-      buf_t[key] = bn_lib.dup(bn_t[0])
+      buf_t[key] = assert(bn_lib.dup(bn_t[0]))
+      C.BN_free(bn_t[0])
     elseif typ == OSSL_PARAM_INTEGER or
         typ == OSSL_PARAM_UNSIGNED_INTEGER then
       buf_t[key] = tonumber(buf[0])
@@ -228,7 +245,7 @@ local function get_params_func(typ, field)
   local cf_set = C[typ .. "_set_params"]
   local set = function(self, params)
     if not param_maps_set[self[field]] then
-      local ok, err = self:settable_params()
+      local ok, err = self:settable_params(true) -- only query raw schema to save memory
       if not ok then
         return false, typ_lower .. ":set_params: " .. err
       end
@@ -249,8 +266,8 @@ local function get_params_func(typ, field)
   local cf_gettable = C[typ .. "_gettable_params"]
   local gettable = function(self, raw)
     local k = self[field]
-    if raw and param_maps_set[k] then
-      return param_maps_set[k]
+    if raw and param_maps_get[k] then
+      return param_maps_get[k]
     end
 
     local param = cf_gettable(self.ctx)
@@ -261,7 +278,7 @@ local function get_params_func(typ, field)
     end
     local schema, schema_reabale = {}, raw and nil or {}
     parse_params_schema(param, schema, schema_reabale)
-    param_maps_set[k] = schema
+    param_maps_get[k] = schema
 
     return raw and schema or schema_reabale
   end
@@ -270,12 +287,12 @@ local function get_params_func(typ, field)
   local get_buffer, get_size_map = {}, {}
   local get = function(self, key, want_size, want_type)
     if not param_maps_get[self[field]] then
-      local ok, err = self:gettable_params()
+      local ok, err = self:gettable_params(true) -- only query raw schema to save memory
       if not ok then
         return false, typ_lower .. ":set_params: " .. err
       end
     end
-    local schema = param_maps_set[self[field]]
+    local schema = param_maps_get[self[field]]
     if schema == nil or not schema[key] then -- nil or null
       return nil, typ_lower .. ":get_param: unknown key \"" .. key .. "\""
     end

diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/pkey.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/pkey.lua
@@ -1060,7 +1060,10 @@ function _M.paramgen(config)
     return nil, format_error("pkey.paramgen: EVP_PKEY_get0_{key}")
   end
 
-  return bio_util.read_wrap(write_func, ctx)
+  -- since ctx is always a internal pointer inside of params (a EVP_PKEY*), thus avoid use tail call
+  -- here to avoid using `ctx` after `params` is GC collected.
+  local res, err = bio_util.read_wrap(write_func, ctx)
+  return res, err
 end
 
 return _M
diff --git a/src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/altname.lua b/src/deps/src/lua-resty-openssl/lib/resty/openssl/x509/altname.lua
@@ -121,7 +121,7 @@ function _M.dup(ctx)
   end
 
   return setmetatable({
-    cast = ffi_cast("GENERAL_NAMES*", dup_ctx),
+    cast = ffi_cast(general_names_ptr_ct, dup_ctx),
     ctx = dup_ctx,
     -- don't let lua gc the original stack to keep its elements
     _dupped_from = ctx,