
bounty's Issues

Replacing OpenSSL implementation in nginx

Hi, in the absence of a better place to write about this and get feedback, I figured I'd post here. Whether or not this is eligible for a bounty, I think it would probably be a good thing for the ecosystem and wanted to try to make progress on it.

I looked last night at the feasibility of replacing the OpenSSL implementation in nginx. My initial idea was to use mesalink - github.com/mesalock-linux/mesalink - since this would allow you to compile in rustls without needing to change the nginx source code at all. If I got it working, I could put together a prototype, benchmark it, test it in our development environment and then write up instructions on how to build it.

Unfortunately nginx uses the SSL_CTX_set_options OpenSSL API, which is not currently supported by mesalink, and it doesn't look like the mesalink library has momentum, see mesalock-linux/mesalink#51 for details.

I guess my options right now would be

  • Try to add support for SSL_CTX_set_options in mesalink
  • Look for a different drop-in OpenSSL replacement. I'm not sure this exists; searching GitHub for SSL_CTX_set_options in Rust source code mostly reveals things that let you call OpenSSL or BoringSSL - the C sources - from Rust, which doesn't seem like what we want.
  • Edit the nginx sources to add a TLS compatibility layer, and then add a new TLS backend, similar to the approach here: curl/curl@246399a. I am probably not proficient enough to be able to do this.

Mainly I am looking for advice at this point - I am good at fighting build systems and getting stuff to compile and less good at understanding what's currently possible to do in the crypto ecosystem, and at writing C code - I've probably written under 2,000 lines of C in my life.

Memory safe TLS in git

Git uses libcurl for http:// and https:// fetches. If you are using a curl older than 7.34, then git will use OpenSSL to do IMAP fetches.

The recent change to add a rustls backend for curl - documented here: https://daniel.haxx.se/blog/2021/02/09/curl-supports-rustls/ - means that Git should use Rust for TLS as long as you are compiling in a libcurl that has been compiled with TLS, which should be possible on tip, or in version 7.76.0.

To do SSH transfers Git executes the "ssh" binary - it doesn't compile SSH in. The ssh binary on most machines is typically OpenSSH. I'm not sure if there is a Rust replacement for everything OpenSSH does.

Keep a trail of breadcrumbs for people wanting to get started.

Keep a list of useful getting-started points for people who're interested in doing this kind of work.

Flying off the tails of the suricata ssh-decoder that was just submitted, here's a pointer to a demo of how to do wireshark protocol-dissectors in Rust.

https://github.com/sevagh/wireshark-dissector-rs

This has been one of the most common ways to attack wireshark over the years. [Which usually runs with an unusual amount of network access, on a privileged machine, by a user who should know better than to run his process as root....]

Memory safe TLS in Node.js

Node ships with its own vendored OpenSSL in deps/openssl. Still you can try to compile in your own with the --shared-openssl, --shared-openssl-include and --shared-openssl-libpath flags. I tried compiling in mesalink in place of OpenSSL and got this error:

In file included from ../src/node.cc:45:
In file included from ../src/node_crypto.h:31:
In file included from ../src/crypto/crypto_aes.h:6:
In file included from ../src/crypto/crypto_cipher.h:6:
In file included from ../src/crypto/crypto_keys.h:6:
../src/crypto/crypto_util.h:17:10: fatal error: 'openssl/ec.h' file not found
#include <openssl/ec.h>
         ^~~~~~~~~~~~~~
1 error generated.
make[1]: *** [libnode.target.mk:467: /Users/kevin/src/github.com/nodejs/node/out/Release/obj.target/libnode/src/node.o] Error 1
rm ccd3dc533142c730cad81819404fde1dda793e8d.intermediate
make: *** [Makefile:104: node] Error 2

The interface to OpenSSL is contained entirely in src/crypto which has this nice README: https://github.com/nodejs/node/tree/master/src/crypto#nodejs-srccrypto-documentation

There is a note in there about how the Electron distribution ships with BoringSSL, so in terms of replacing OpenSSL that might be the first place to look, in terms of how they made it more portable.

This might be a good place to start in src/crypto/crypto_x509.cc, trying to replace SSL_get_certificate with a safer parser.

// Node's X509Certificate::Verify (src/crypto/crypto_x509.cc): the parsed
// certificate and the public key are handed straight to OpenSSL's X509_verify.
void X509Certificate::Verify(const FunctionCallbackInfo<Value>& args) {
  X509Certificate* cert;
  ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());  // the X509 behind this JS object

  CHECK(args[0]->IsObject());
  KeyObjectHandle* key;
  ASSIGN_OR_RETURN_UNWRAP(&key, args[0]);
  CHECK_EQ(key->Data()->GetKeyType(), kKeyTypePublic);  // only public keys verify

  args.GetReturnValue().Set(
      X509_verify(  // OpenSSL signature check; > 0 means the signature is valid
          cert->get(),
          key->Data()->GetAsymmetricKey().get()) > 0);
}
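As an added example that is not part of this issue, nor code from node, nginx or mesalink: a small audit script that lists the openssl/ headers and OpenSSL API names a C/C++ tree uses and checks them against a candidate replacement's include directory, so gaps like the missing ec.h above or an undeclared SSL_CTX_set_options show up before a full build is attempted. The sample source tree and replacement header are constructed inline, and the set of API-name prefixes it looks for is an assumption.

```python
# Added example: audit the OpenSSL surface a C/C++ tree uses against what a
# drop-in replacement's include dir provides. The sample tree is constructed.
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"](openssl/[^>"]+)[>"]', re.M)
# OpenSSL-style API uses such as SSL_CTX_set_options( or X509_verify( (assumed prefixes).
CALL_RE = re.compile(r'\b((?:SSL|X509|EVP|BIO|BN|RSA|EC)_[A-Za-z0-9_]+)\s*\(')

def read_sources(root, exts):
    """Yield the text of every file under root whose name ends in exts."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                with open(os.path.join(dirpath, name), errors='replace') as f:
                    yield f.read()

def scan_tree(root):
    """Return (openssl/ headers included, OpenSSL API names called)."""
    headers, calls = set(), set()
    for text in read_sources(root, ('.c', '.cc', '.cpp', '.h', '.hpp')):
        headers.update(INCLUDE_RE.findall(text))
        calls.update(CALL_RE.findall(text))
    return headers, calls

def check_replacement(include_dir, headers, calls):
    """Headers absent from include_dir, and API names none of its .h files declare."""
    missing_headers = sorted(h for h in headers
                             if not os.path.isfile(os.path.join(include_dir, h)))
    declared = ''.join(read_sources(include_dir, ('.h',)))  # functions or macros
    missing_calls = sorted(c for c in calls
                           if not re.search(r'\b%s\s*\(' % re.escape(c), declared))
    return missing_headers, missing_calls

def demo():
    """Constructed sample: an app using ssl.h and ec.h like nginx/node, and a
    replacement shipping ssl.h without SSL_CTX_set_options and no ec.h at all."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'app'))
        os.makedirs(os.path.join(root, 'repl', 'openssl'))
        with open(os.path.join(root, 'app', 'tls.c'), 'w') as f:
            f.write('#include <openssl/ssl.h>\n#include <openssl/ec.h>\n'
                    'void init(SSL_CTX *ctx) { SSL_CTX_set_options(ctx, 0); }\n'
                    'SSL_CTX *mk(void) { return SSL_CTX_new(TLS_method()); }\n')
        with open(os.path.join(root, 'repl', 'openssl', 'ssl.h'), 'w') as f:
            f.write('SSL_CTX *SSL_CTX_new(const SSL_METHOD *m);\n')
        headers, calls = scan_tree(os.path.join(root, 'app'))
        return check_replacement(os.path.join(root, 'repl'), headers, calls)
```

Pointing scan_tree at a real src/crypto or src/event/ngx_event_openssl.c directory gives the full list a replacement has to cover; a function-like macro in the replacement's headers counts as declared.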

Status and/or receptivity of replacing OpenSSL in various projects

Hi,
Thanks for taking on this project, this is super valuable and I appreciate your efforts here. I saw this post this morning and got really excited about it: https://daniel.haxx.se/blog/2021/02/09/curl-supports-rustls/

I was starting to think about all of the other tools I use that use OpenSSL as the TLS backend by default (nginx, git, ruby, node come to mind) and how to go about porting those. It would be nice if there was a list of like, here are some popular projects that compile a C TLS library in by default, the maintainers are definitely open to this, the maintainers are not open to this at all. I figure instead of starting from scratch I could at least contact folks and ask about this.

Googling for "ruby custom TLS backend" did not really return any results. At the very least, a GitHub issue titled "Memory safe TLS backend for Ruby" might rank really highly, and then you could explain the benefits, and people interested in this issue would have a place where they could coordinate with other folks interested in it.
