authorNatanael Copa <ncopa@alpinelinux.org>2020-01-09 12:09:25 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2020-01-09 12:09:25 +0000
commit3b642ff071d86d2aeeb5532445d2ff518cc3c05b (patch)
tree10264e83568c1fbf0de07352886fc64ea76567a3
parentd9804f64ac623053b3ecb65c9a0f39603141873d (diff)
community/lua-turbo: rebuild with openssl 1.1
The OpenSSL FFI binding is broken for both libressl/openssl 1.0 and openssl 1.1: certificate verification for https://release-monitoring.org fails with a hostname mismatch, for a reason not yet understood. So we disable the FFI and use luasocket and luasec by default. To use the FFI you need to explicitly set `__TURBO_USE_LUASOCKET__=false`.
-rw-r--r--community/lua-turbo/APKBUILD20
-rw-r--r--community/lua-turbo/default-luasocket.patch14
-rw-r--r--community/lua-turbo/openssl-1.1.patch146
3 files changed, 171 insertions, 9 deletions
diff --git a/community/lua-turbo/APKBUILD b/community/lua-turbo/APKBUILD
index 92031440fd..22656d4d79 100644
--- a/community/lua-turbo/APKBUILD
+++ b/community/lua-turbo/APKBUILD
@@ -4,21 +4,23 @@
pkgname=lua-turbo
_jitver=2.1.0_beta3
pkgver=2.1.3
-pkgrel=2
+pkgrel=3
pkgdesc="a framework built for LuaJIT 2 and Linux"
url="https://github.com/kernelsauce/turbo"
# luajit is not available for disabled arches
arch="all !s390x"
license="Apache-2.0"
-depends="luajit lua5.1-cjson ca-certificates"
+depends="luajit lua5.1-cjson lua5.1-sec ca-certificates"
subpackages="$pkgname-openrc"
# https://github.com/kernelsauce/turbo/issues/343 (libressl-dev)
-makedepends="libressl-dev"
+makedepends="openssl-dev"
options="!check" # bundled tests dont work
source="$pkgname-$pkgver.tar.gz::https://github.com/kernelsauce/turbo/archive/v$pkgver.tar.gz
$pkgname.initd
$pkgname.confd
0001-use-cjson-instead-of-JSON.lua.patch
+ default-luasocket.patch
+ openssl-1.1.patch
"
builddir="$srcdir/turbo-$pkgver"
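Review bot: The comment kept on L37 (`# https://github.com/kernelsauce/turbo/issues/343 (libressl-dev)`) now sits directly above `makedepends="openssl-dev"` and still explains the old libressl choice, so it reads as stale; suggest rewording it to something like `# upstream issue 343 covered libressl; since pkgrel 3 built against openssl-dev, FFI path disabled by default-luasocket.patch`. Separately, the runtime `depends` gains lua5.1-sec but nothing here names libssl for the OpenSSL FFI path, which is still reachable with `__TURBO_USE_LUASOCKET__=false` and is loaded via `ffi.load` (not an ELF NEEDED entry, so abuild's automatic dependency scan will not see it); if that path is meant to keep working, the libssl dependency appears to be satisfied only transitively via lua5.1-sec, which is worth confirming or making explicit.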
@@ -36,12 +38,10 @@ prepare() {
die "cannot locate luajit APKBUILD!"
fi
# we need to fix the loading of libssl.
+ local _soname=$(scanelf --nobanner --soname /usr/lib/libssl.so | awk '{print $2}')
sed -i -e \
- 's|"ssl")$|"/lib/libssl.so.47")|' \
- turbo/hash.lua
- sed -i -e \
- 's|"ssl")$|"/lib/libssl.so.47")|' \
- turbo/crypto_linux.lua
+ "/ffi.load/s|\"ssl\")$|\"/usr/lib/$_soname\")|" \
+ turbo/hash.lua turbo/crypto_linux.lua
}
build() {
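Review bot: `_soname` is used unchecked at L60: if scanelf reports no SONAME (or the `/usr/lib/libssl.so` dev symlink is absent) the variable is empty and the sed rewrites the loader to `ffi.load("/usr/lib/")`, which only fails at runtime, and `local x=$(...)` also discards the pipeline's exit status; add a guard after L53 such as `[ -n "$_soname" ] || die "cannot determine libssl soname"`. Note also that openssl-1.1.patch, added in this same commit, already hardcodes `"/usr/lib/libssl.so.1.1"` in crypto_linux.lua, so once that patch is applied the `"ssl")$` pattern no longer matches that file and only hash.lua receives the detected soname; the two files will disagree on the next libssl soname bump, and keeping `"ssl"` in the patch would let this one sed handle both. The prepare() function starts before this hunk.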
@@ -67,4 +67,6 @@ package() {
sha512sums="c553478f3985d2b462a81a6a9555b911d50dab8fe790aa4185fc1fbc2b4af7e85418dc874d91a85fa38d57f2057acefb7d91996ae250a9a794d0d61055f95326 lua-turbo-2.1.3.tar.gz
2e91d5dda33b4bf09667fd23c80a471e93605125a820c440c2b1b022b8bce6ab065493473b153f1fa1863e9655f6413dbe42dc983260da4ed8bee3b2e3743ec2 lua-turbo.initd
3d2816738a2ee615bb6523b6b0aff12a51062e56ade5dbaa4b1b63afda8dce0a532c099b8a03fe67d589058ac8a7d49434a68fb28d93b167a56c56acc7596fdb lua-turbo.confd
-b3579e2a90dd0a50701f06f07de88e2398145c12df41c07c87a22e78bd159280b7e445b51c3a37f8314695abdcdc6f2045433a84d5c84be795d1bcbbbd6c8f97 0001-use-cjson-instead-of-JSON.lua.patch"
+b3579e2a90dd0a50701f06f07de88e2398145c12df41c07c87a22e78bd159280b7e445b51c3a37f8314695abdcdc6f2045433a84d5c84be795d1bcbbbd6c8f97 0001-use-cjson-instead-of-JSON.lua.patch
+724e78556296e58f4df8e089f782dba7d4387a26e6ab80f5585b65c35b97c460edf3fe2e6b33bc817fdb5eb5923fd0ae39054060c238dbd41a185b52a70b3949 default-luasocket.patch
+6cc7c511f66f5d28b0a0799b22e6545dc2dce975539a446eff56ea0016f28116f6c777536b3d1a9e9c076e6db7b4ed75d7caa8a201efdd467b857a7342a6c2c0 openssl-1.1.patch"
diff --git a/community/lua-turbo/default-luasocket.patch b/community/lua-turbo/default-luasocket.patch
new file mode 100644
index 0000000000..ca5d877397
--- /dev/null
+++ b/community/lua-turbo/default-luasocket.patch
@@ -0,0 +1,14 @@
+diff --git a/turbo.lua b/turbo.lua
+index 543cce4..e03f8ce 100644
+--- a/turbo.lua
++++ b/turbo.lua
+@@ -88,6 +88,9 @@ assert(pcall(require, "bit") or pcall(require, "bit32"),
+ "No bit or compatible library available")
+ turbo.platform = require "turbo.platform"
+ turbo.log = require "turbo.log"
++if _G.__TURBO_USE_LUASOCKET__ == nil then
++ _G.__TURBO_USE_LUASOCKET__ = true
++end
+ if not turbo.platform.__LINUX__ then
+ if not pcall(require, "socket") then
+ turbo.log.error("Could not load LuaSocket. Aborting.")
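Review bot: The inserted default at L86-L88 silently changes which TLS stack turbo uses, and a reader of turbo.lua cannot tell this is an Alpine packaging decision; suggest a comment above the `if`, e.g. `-- Alpine: the OpenSSL FFI binding fails certificate verification, so default to LuaSocket/LuaSec; set _G.__TURBO_USE_LUASOCKET__ = false before requiring turbo to use the FFI`. Whether the LuaSocket/LuaSec code path verifies peer certificates and hostnames as strictly as the FFI path (which this commit patches to use SSL_set1_host) is not visible in this hunk and is worth confirming, since it is now the default for every consumer of the package. The surrounding `if not turbo.platform.__LINUX__` block continues past the end of the hunk.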
diff --git a/community/lua-turbo/openssl-1.1.patch b/community/lua-turbo/openssl-1.1.patch
new file mode 100644
index 0000000000..1b33ea8bcd
--- /dev/null
+++ b/community/lua-turbo/openssl-1.1.patch
@@ -0,0 +1,146 @@
+diff --git a/turbo/cdef.lua b/turbo/cdef.lua
+index 62895de..62830e7 100755
+--- a/turbo/cdef.lua
++++ b/turbo/cdef.lua
+@@ -611,6 +611,7 @@ if _G.TURBO_SSL then
+ typedef void ASN1_STRING;
+ typedef unsigned int SHA_LONG;
+ typedef void EVP_MD;
++ typedef void OPENSSL_INIT_SETTINGS;
+ typedef struct SHAstate_st{
+ SHA_LONG h0,h1,h2,h3,h4;
+ SHA_LONG Nl,Nh;
+@@ -618,11 +619,9 @@ if _G.TURBO_SSL then
+ unsigned int num;
+ } SHA_CTX;
+
+- const SSL_METHOD *SSLv3_server_method(void);
+- const SSL_METHOD *SSLv3_client_method(void);
+- const SSL_METHOD *SSLv23_method(void);
+- const SSL_METHOD *SSLv23_server_method(void);
+- const SSL_METHOD *SSLv23_client_method(void);
++ const SSL_METHOD *TLS_method(void);
++ const SSL_METHOD *TLS_server_method(void);
++ const SSL_METHOD *TLS_client_method(void);
+ const SSL_METHOD *TLSv1_method(void);
+ const SSL_METHOD *TLSv1_server_method(void);
+ const SSL_METHOD *TLSv1_client_method(void);
+@@ -632,10 +631,8 @@ if _G.TURBO_SSL then
+ const SSL_METHOD *TLSv1_2_method(void);
+ const SSL_METHOD *TLSv1_2_server_method(void);
+ const SSL_METHOD *TLSv1_2_client_method(void);
+- void OPENSSL_add_all_algorithms_noconf(void);
+- void SSL_load_error_strings(void);
+ void ERR_free_strings(void);
+- int SSL_library_init(void);
++ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+ void EVP_cleanup(void);
+ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
+ void SSL_CTX_free(SSL_CTX *);
+@@ -656,8 +653,13 @@ if _G.TURBO_SSL then
+ const char *CApath);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+ SSL *SSL_new(SSL_CTX *ctx);
++ int SSL_set1_host(SSL *s, const char *hostname);
++ int SSL_add1_host(SSL *s, const char *hostname);
++ void SSL_set_hostflags(SSL *s, unsigned int flags);
++ const char *SSL_get0_peername(SSL *s);
+ void SSL_set_connect_state(SSL *s);
+ void SSL_set_accept_state(SSL *s);
++ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
+ int SSL_do_handshake(SSL *s);
+ int SSL_set_fd(SSL *s, int fd);
+ int SSL_accept(SSL *ssl);
+diff --git a/turbo/crypto_linux.lua b/turbo/crypto_linux.lua
+index 1473022..54c07a9 100644
+--- a/turbo/crypto_linux.lua
++++ b/turbo/crypto_linux.lua
+@@ -23,7 +23,7 @@ require "turbo.cdef"
+
+ local crypto = {} -- crypto namespace
+
+-local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "ssl")
++local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "/usr/lib/libssl.so.1.1")
+ local libtffi = util.load_libtffi()
+
+ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
+@@ -32,6 +32,7 @@ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
+ crypto.X509_FILETYPE_PEM = 1
+ crypto.X509_FILETYPE_ASN1 = 2
+ crypto.X509_FILETYPE_DEFAULT = 3
++crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4
+ crypto.SSL_FILETYPE_ASN1 = crypto.X509_FILETYPE_ASN1
+ crypto.SSL_FILETYPE_PEM = crypto.X509_FILETYPE_PEM
+ crypto.SSL_ERROR_NONE = 0
+@@ -77,9 +78,7 @@ end
+ function crypto.ssl_init()
+ if not _G._TURBO_SSL_INITED then
+ _TURBO_SSL_INITED = true
+- lssl.SSL_load_error_strings()
+- lssl.SSL_library_init()
+- lssl.OPENSSL_add_all_algorithms_noconf()
++ lssl.OPENSSL_init_ssl(0, nil)
+ end
+ end
+ if _G.TURBO_SSL then
+@@ -107,7 +106,7 @@ function crypto.ssl_create_client_context(
+ -- Use standardish path to ca-certificates if not specified by user.
+ -- May not be present on all Unix systems.
+ ca_cert_path = ca_cert_path or "/etc/ssl/certs/ca-certificates.crt"
+- meth = sslv or lssl.SSLv23_client_method()
++ meth = sslv or lssl.TLS_client_method()
+ if meth == nil then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+@@ -142,7 +141,7 @@ function crypto.ssl_create_client_context(
+ end
+ if verify == true then
+ if lssl.SSL_CTX_load_verify_locations(ctx,
+- ca_cert_path, nil) ~= 1 then
++ ca_cert_path, "/etc/ssl/certs/") ~= 1 then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+ return err, crypto.ERR_error_string(err)
+@@ -172,7 +171,7 @@ function crypto.ssl_create_server_context(cert_file, prv_file, ca_cert_path, ssl
+ elseif not prv_file then
+ return -1, "No priv file given in arguments";
+ end
+- meth = sslv or lssl.SSLv23_server_method()
++ meth = sslv or lssl.TLS_server_method()
+ if meth == nil then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+@@ -249,6 +248,18 @@ function crypto.ssl_do_handshake(SSLIOStream)
+ -- EINPROGRESS or equaivalent on prior calls. The OpenSSL
+ -- documentation states that SSL_do_handshake should be called again
+ -- when its needs are satisfied.
++ if SSLIOStream._ssl_verify then
++ lssl.SSL_set_hostflags(ssl, crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
++ if lssl.SSL_set1_host(ssl, SSLIOStream._ssl_hostname) <= 0 then
++ err = crypto.lib.ERR_peek_error()
++ crypto.lib.ERR_clear_error()
++ error(string.format(
++ "Could not do SSL handshake. \
++ Failed to set SSL hostname: %s",
++ crypto.ERR_error_string(err)))
++ end
++ print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)
++ end
+ rc = crypto.lib.SSL_do_handshake(ssl)
+ if rc <= 0 then
+ if client and SSLIOStream._ssl_verify then
+@@ -308,14 +319,6 @@ function crypto.ssl_do_handshake(SSLIOStream)
+ "Could not do SSL handshake. SSL_do_hanshake returned %d",
+ err))
+ end
+- else
+- if client and SSLIOStream._ssl_verify then
+- rc = libtffi.validate_hostname(SSLIOStream._ssl_hostname, ssl)
+- if rc ~= crypto.validate.MatchFound then
+- error("SSL certficate hostname validation failed, rc " ..
+- tonumber(rc))
+- end
+- end
+ end
+ return true
+ end
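Review bot: `print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)` at L224 is left in the shipped patch and writes the peer hostname to stdout on every handshake attempt (ssl_do_handshake is re-entered on EINPROGRESS according to the comment above it), so that line should be dropped before the package is built. Two smaller points: the return value of `lssl.OPENSSL_init_ssl(0, nil)` at L179 is ignored although it returns 0 on failure, and `SSL_set1_host` only makes the handshake fail on a mismatch when `SSL_VERIFY_PEER` is set on the context, while the explicit post-handshake `validate_hostname` check removed at L233-L240 was the only enforcement visible here, so confirm that `ssl_create_client_context(..., verify=true)` sets the verify mode (not shown in these hunks). The new block also runs whenever `_ssl_verify` is set, no longer gated on `client` as the removed code was, and a nil `_ssl_hostname` on the server side clears the host check rather than erroring, so consider `if client and SSLIOStream._ssl_verify then`. ssl_do_handshake and ssl_create_client_context both start and end outside the hunks shown.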