aports/community/lua-turbo/openssl-1.1.patch
Natanael Copa 3b642ff071 community/lua-turbo: rebuild with openssl 1.1
The OpenSSL FFI binding is broken, both for LibreSSL/OpenSSL 1.0 and for
OpenSSL 1.1: certificate verification against https://release-monitoring.org
fails with a hostname mismatch, for reasons not yet understood.

So we disable the ffi and use luasocket and luasec by default. To use
the FFI you need to explicitly set `__TURBO_USE_LUASOCKET__=false`
2020-01-09 12:09:25 +00:00


diff --git a/turbo/cdef.lua b/turbo/cdef.lua
index 62895de..62830e7 100755
--- a/turbo/cdef.lua
+++ b/turbo/cdef.lua
@@ -611,6 +611,7 @@ if _G.TURBO_SSL then
typedef void ASN1_STRING;
typedef unsigned int SHA_LONG;
typedef void EVP_MD;
+ typedef void OPENSSL_INIT_SETTINGS;
typedef struct SHAstate_st{
SHA_LONG h0,h1,h2,h3,h4;
SHA_LONG Nl,Nh;
@@ -618,11 +619,9 @@ if _G.TURBO_SSL then
unsigned int num;
} SHA_CTX;
- const SSL_METHOD *SSLv3_server_method(void);
- const SSL_METHOD *SSLv3_client_method(void);
- const SSL_METHOD *SSLv23_method(void);
- const SSL_METHOD *SSLv23_server_method(void);
- const SSL_METHOD *SSLv23_client_method(void);
+ const SSL_METHOD *TLS_method(void);
+ const SSL_METHOD *TLS_server_method(void);
+ const SSL_METHOD *TLS_client_method(void);
const SSL_METHOD *TLSv1_method(void);
const SSL_METHOD *TLSv1_server_method(void);
const SSL_METHOD *TLSv1_client_method(void);
@@ -632,10 +631,8 @@ if _G.TURBO_SSL then
const SSL_METHOD *TLSv1_2_method(void);
const SSL_METHOD *TLSv1_2_server_method(void);
const SSL_METHOD *TLSv1_2_client_method(void);
- void OPENSSL_add_all_algorithms_noconf(void);
- void SSL_load_error_strings(void);
void ERR_free_strings(void);
- int SSL_library_init(void);
+ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
void EVP_cleanup(void);
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
@@ -656,8 +653,13 @@ if _G.TURBO_SSL then
const char *CApath);
int SSL_CTX_check_private_key(const SSL_CTX *ctx);
SSL *SSL_new(SSL_CTX *ctx);
+ int SSL_set1_host(SSL *s, const char *hostname);
+ int SSL_add1_host(SSL *s, const char *hostname);
+ void SSL_set_hostflags(SSL *s, unsigned int flags);
+ const char *SSL_get0_peername(SSL *s);
void SSL_set_connect_state(SSL *s);
void SSL_set_accept_state(SSL *s);
+ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
int SSL_do_handshake(SSL *s);
int SSL_set_fd(SSL *s, int fd);
int SSL_accept(SSL *ssl);
diff --git a/turbo/crypto_linux.lua b/turbo/crypto_linux.lua
index 1473022..54c07a9 100644
--- a/turbo/crypto_linux.lua
+++ b/turbo/crypto_linux.lua
@@ -23,7 +23,7 @@ require "turbo.cdef"
local crypto = {} -- crypto namespace
-local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "ssl")
+local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "/usr/lib/libssl.so.1.1")
local libtffi = util.load_libtffi()
local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
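Review bot: The fallback on the `ffi.load` line now pins an absolute path, `/usr/lib/libssl.so.1.1`, so the binding breaks on any layout where libssl lives elsewhere (a `/usr/lib64` multilib tree, a non-default prefix) and again on the next OpenSSL soname bump, even though dlopen would locate the library by soname alone. Keeping the soname but dropping the directory, `local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "libssl.so.1.1")`, still avoids the dependency on the unversioned `libssl.so` dev symlink that presumably motivated the change while honouring the loader search path. The `TURBO_LIBSSL` override remains the escape hatch either way.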
@@ -32,6 +32,7 @@ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
crypto.X509_FILETYPE_PEM = 1
crypto.X509_FILETYPE_ASN1 = 2
crypto.X509_FILETYPE_DEFAULT = 3
+crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4
crypto.SSL_FILETYPE_ASN1 = crypto.X509_FILETYPE_ASN1
crypto.SSL_FILETYPE_PEM = crypto.X509_FILETYPE_PEM
crypto.SSL_ERROR_NONE = 0
@@ -77,9 +78,7 @@ end
function crypto.ssl_init()
if not _G._TURBO_SSL_INITED then
_TURBO_SSL_INITED = true
- lssl.SSL_load_error_strings()
- lssl.SSL_library_init()
- lssl.OPENSSL_add_all_algorithms_noconf()
+ lssl.OPENSSL_init_ssl(0, nil)
end
end
if _G.TURBO_SSL then
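Review bot: The return value of `lssl.OPENSSL_init_ssl(0, nil)` is discarded, so an initialisation failure leaves `_TURBO_SSL_INITED` already set to true and every later context creation fails with an unrelated-looking error. OpenSSL documents the call as returning 1 on success and 0 on error; check it before marking the library initialised, e.g. `if lssl.OPENSSL_init_ssl(0, nil) ~= 1 then error("OPENSSL_init_ssl failed") end` and only then set the flag. The flag write `_TURBO_SSL_INITED = true` is also a bare global while the test reads `_G._TURBO_SSL_INITED`; that predates this patch, but `_G._TURBO_SSL_INITED = true` would make the intent explicit and keep luacheck quiet.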
@@ -107,7 +106,7 @@ function crypto.ssl_create_client_context(
-- Use standardish path to ca-certificates if not specified by user.
-- May not be present on all Unix systems.
ca_cert_path = ca_cert_path or "/etc/ssl/certs/ca-certificates.crt"
- meth = sslv or lssl.SSLv23_client_method()
+ meth = sslv or lssl.TLS_client_method()
if meth == nil then
err = lssl.ERR_peek_error()
lssl.ERR_clear_error()
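Review bot: `TLS_client_method()` on the `meth =` line negotiates whatever the library build permits, which on OpenSSL 1.1 still includes TLS 1.0 and 1.1 unless a floor is set, so callers that relied on the default context to refuse old protocols get no such guarantee from this change alone. A minimum version should be applied to the context once `SSL_CTX_new` has returned, e.g. `lssl.SSL_CTX_ctrl(ctx, 123, 0x0303, nil)` (`SSL_CTRL_SET_MIN_PROTO_VERSION` with `TLS1_2_VERSION`), which requires `SSL_CTX_ctrl` to be declared in cdef.lua; the patch adds `SSL_ctrl` but no `SSL_CTX_ctrl` declaration is visible, so that may need adding too. `ssl_create_client_context` starts before this hunk and the `SSL_CTX_new` call is outside it.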
@@ -142,7 +141,7 @@ function crypto.ssl_create_client_context(
end
if verify == true then
if lssl.SSL_CTX_load_verify_locations(ctx,
- ca_cert_path, nil) ~= 1 then
+ ca_cert_path, "/etc/ssl/certs/") ~= 1 then
err = lssl.ERR_peek_error()
lssl.ERR_clear_error()
return err, crypto.ERR_error_string(err)
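Review bot: Passing `"/etc/ssl/certs/"` as `CApath` on the `SSL_CTX_load_verify_locations` line applies even when the caller supplied its own `ca_cert_path`, so a context meant to trust only a private CA now also trusts every hashed certificate in the system directory, silently widening the trust set. Since the earlier hunk folds the default file into `ca_cert_path` before this point, record whether the default was used (`local use_system_dir = ca_cert_path == nil` ahead of the `or` assignment) and pass `use_system_dir and "/etc/ssl/certs/" or nil` here. Alternatively, when no path was given at all, `SSL_CTX_set_default_verify_paths(ctx)` picks up the distribution's configured locations without hard-coding either the file or the directory. The enclosing function starts before this hunk.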
@@ -172,7 +171,7 @@ function crypto.ssl_create_server_context(cert_file, prv_file, ca_cert_path, ssl
elseif not prv_file then
return -1, "No priv file given in arguments";
end
- meth = sslv or lssl.SSLv23_server_method()
+ meth = sslv or lssl.TLS_server_method()
if meth == nil then
err = lssl.ERR_peek_error()
lssl.ERR_clear_error()
@@ -249,6 +248,18 @@ function crypto.ssl_do_handshake(SSLIOStream)
-- EINPROGRESS or equaivalent on prior calls. The OpenSSL
-- documentation states that SSL_do_handshake should be called again
-- when its needs are satisfied.
+ if SSLIOStream._ssl_verify then
+ lssl.SSL_set_hostflags(ssl, crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
+ if lssl.SSL_set1_host(ssl, SSLIOStream._ssl_hostname) <= 0 then
+ err = crypto.lib.ERR_peek_error()
+ crypto.lib.ERR_clear_error()
+ error(string.format(
+ "Could not do SSL handshake. \
+ Failed to set SSL hostname: %s",
+ crypto.ERR_error_string(err)))
+ end
+ print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)
+ end
rc = crypto.lib.SSL_do_handshake(ssl)
if rc <= 0 then
if client and SSLIOStream._ssl_verify then
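Review bot: The `print("DEBUG!!!: ...")` line writes the target hostname to stdout on every pass through `ssl_do_handshake`, and the comment above the new block says this function is re-entered until the handshake completes, so it should be removed before this ships. The `SSL_set1_host` guard also does not reject a nil `SSLIOStream._ssl_hostname`: OpenSSL treats a NULL host as "clear the reference identifiers" and returns 1, so a verifying stream created without a hostname gets whatever chain validation the context's verify mode enforces but no name check, a case the removed `validate_hostname` step would most likely have failed; add `if not SSLIOStream._ssl_hostname then error("SSL verification requested without a hostname") end` before the call. The new branch is gated on `_ssl_verify` alone whereas the error path below it checks `client` as well, so a verifying server-side stream would also get a host reference set, which looks unintended but depends on how `_ssl_verify` is populated outside this hunk. Both `ssl` and `err` are assigned before the hunk and the function continues past it.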
@@ -308,14 +319,6 @@ function crypto.ssl_do_handshake(SSLIOStream)
"Could not do SSL handshake. SSL_do_hanshake returned %d",
err))
end
- else
- if client and SSLIOStream._ssl_verify then
- rc = libtffi.validate_hostname(SSLIOStream._ssl_hostname, ssl)
- if rc ~= crypto.validate.MatchFound then
- error("SSL certficate hostname validation failed, rc " ..
- tonumber(rc))
- end
- end
end
return true
end