authorNatanael Copa <ncopa@alpinelinux.org>2020-01-09 12:09:25 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2020-01-09 12:09:25 +0000
commit3b642ff071d86d2aeeb5532445d2ff518cc3c05b (patch)
tree10264e83568c1fbf0de07352886fc64ea76567a3 /community/lua-turbo/openssl-1.1.patch
parentd9804f64ac623053b3ecb65c9a0f39603141873d (diff)
community/lua-turbo: rebuild with openssl 1.1
The openssl ffi binding is broken, both for libressl/openssl 1.0 and for openssl 1.1: certificate verification against https://release-monitoring.org fails with a hostname mismatch for some reason. So we disable the ffi and use luasocket and luasec by default. To use the FFI you need to explicitly set `__TURBO_USE_LUASOCKET__=false`.
Diffstat (limited to 'community/lua-turbo/openssl-1.1.patch')
-rw-r--r--community/lua-turbo/openssl-1.1.patch146
1 files changed, 146 insertions, 0 deletions
diff --git a/community/lua-turbo/openssl-1.1.patch b/community/lua-turbo/openssl-1.1.patch
new file mode 100644
index 0000000000..1b33ea8bcd
--- /dev/null
+++ b/community/lua-turbo/openssl-1.1.patch
@@ -0,0 +1,146 @@
+diff --git a/turbo/cdef.lua b/turbo/cdef.lua
+index 62895de..62830e7 100755
+--- a/turbo/cdef.lua
++++ b/turbo/cdef.lua
+@@ -611,6 +611,7 @@ if _G.TURBO_SSL then
+ typedef void ASN1_STRING;
+ typedef unsigned int SHA_LONG;
+ typedef void EVP_MD;
++ typedef void OPENSSL_INIT_SETTINGS;
+ typedef struct SHAstate_st{
+ SHA_LONG h0,h1,h2,h3,h4;
+ SHA_LONG Nl,Nh;
+@@ -618,11 +619,9 @@ if _G.TURBO_SSL then
+ unsigned int num;
+ } SHA_CTX;
+
+- const SSL_METHOD *SSLv3_server_method(void);
+- const SSL_METHOD *SSLv3_client_method(void);
+- const SSL_METHOD *SSLv23_method(void);
+- const SSL_METHOD *SSLv23_server_method(void);
+- const SSL_METHOD *SSLv23_client_method(void);
++ const SSL_METHOD *TLS_method(void);
++ const SSL_METHOD *TLS_server_method(void);
++ const SSL_METHOD *TLS_client_method(void);
+ const SSL_METHOD *TLSv1_method(void);
+ const SSL_METHOD *TLSv1_server_method(void);
+ const SSL_METHOD *TLSv1_client_method(void);
+@@ -632,10 +631,8 @@ if _G.TURBO_SSL then
+ const SSL_METHOD *TLSv1_2_method(void);
+ const SSL_METHOD *TLSv1_2_server_method(void);
+ const SSL_METHOD *TLSv1_2_client_method(void);
+- void OPENSSL_add_all_algorithms_noconf(void);
+- void SSL_load_error_strings(void);
+ void ERR_free_strings(void);
+- int SSL_library_init(void);
++ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+ void EVP_cleanup(void);
+ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
+ void SSL_CTX_free(SSL_CTX *);
+@@ -656,8 +653,13 @@ if _G.TURBO_SSL then
+ const char *CApath);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+ SSL *SSL_new(SSL_CTX *ctx);
++ int SSL_set1_host(SSL *s, const char *hostname);
++ int SSL_add1_host(SSL *s, const char *hostname);
++ void SSL_set_hostflags(SSL *s, unsigned int flags);
++ const char *SSL_get0_peername(SSL *s);
+ void SSL_set_connect_state(SSL *s);
+ void SSL_set_accept_state(SSL *s);
++ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
+ int SSL_do_handshake(SSL *s);
+ int SSL_set_fd(SSL *s, int fd);
+ int SSL_accept(SSL *ssl);
+diff --git a/turbo/crypto_linux.lua b/turbo/crypto_linux.lua
+index 1473022..54c07a9 100644
+--- a/turbo/crypto_linux.lua
++++ b/turbo/crypto_linux.lua
+@@ -23,7 +23,7 @@ require "turbo.cdef"
+
+ local crypto = {} -- crypto namespace
+
+-local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "ssl")
++local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "/usr/lib/libssl.so.1.1")
+ local libtffi = util.load_libtffi()
+
+ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
+@@ -32,6 +32,7 @@ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
+ crypto.X509_FILETYPE_PEM = 1
+ crypto.X509_FILETYPE_ASN1 = 2
+ crypto.X509_FILETYPE_DEFAULT = 3
++crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4
+ crypto.SSL_FILETYPE_ASN1 = crypto.X509_FILETYPE_ASN1
+ crypto.SSL_FILETYPE_PEM = crypto.X509_FILETYPE_PEM
+ crypto.SSL_ERROR_NONE = 0
+@@ -77,9 +78,7 @@ end
+ function crypto.ssl_init()
+ if not _G._TURBO_SSL_INITED then
+ _TURBO_SSL_INITED = true
+- lssl.SSL_load_error_strings()
+- lssl.SSL_library_init()
+- lssl.OPENSSL_add_all_algorithms_noconf()
++ lssl.OPENSSL_init_ssl(0, nil)
+ end
+ end
+ if _G.TURBO_SSL then
+@@ -107,7 +106,7 @@ function crypto.ssl_create_client_context(
+ -- Use standardish path to ca-certificates if not specified by user.
+ -- May not be present on all Unix systems.
+ ca_cert_path = ca_cert_path or "/etc/ssl/certs/ca-certificates.crt"
+- meth = sslv or lssl.SSLv23_client_method()
++ meth = sslv or lssl.TLS_client_method()
+ if meth == nil then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+@@ -142,7 +141,7 @@ function crypto.ssl_create_client_context(
+ end
+ if verify == true then
+ if lssl.SSL_CTX_load_verify_locations(ctx,
+- ca_cert_path, nil) ~= 1 then
++ ca_cert_path, "/etc/ssl/certs/") ~= 1 then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+ return err, crypto.ERR_error_string(err)
+@@ -172,7 +171,7 @@ function crypto.ssl_create_server_context(cert_file, prv_file, ca_cert_path, ssl
+ elseif not prv_file then
+ return -1, "No priv file given in arguments";
+ end
+- meth = sslv or lssl.SSLv23_server_method()
++ meth = sslv or lssl.TLS_server_method()
+ if meth == nil then
+ err = lssl.ERR_peek_error()
+ lssl.ERR_clear_error()
+@@ -249,6 +248,18 @@ function crypto.ssl_do_handshake(SSLIOStream)
+ -- EINPROGRESS or equaivalent on prior calls. The OpenSSL
+ -- documentation states that SSL_do_handshake should be called again
+ -- when its needs are satisfied.
++ if SSLIOStream._ssl_verify then
++ lssl.SSL_set_hostflags(ssl, crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
++ if lssl.SSL_set1_host(ssl, SSLIOStream._ssl_hostname) <= 0 then
++ err = crypto.lib.ERR_peek_error()
++ crypto.lib.ERR_clear_error()
++ error(string.format(
++ "Could not do SSL handshake. \
++ Failed to set SSL hostname: %s",
++ crypto.ERR_error_string(err)))
++ end
++ print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)
++ end
+ rc = crypto.lib.SSL_do_handshake(ssl)
+ if rc <= 0 then
+ if client and SSLIOStream._ssl_verify then
+@@ -308,14 +319,6 @@ function crypto.ssl_do_handshake(SSLIOStream)
+ "Could not do SSL handshake. SSL_do_hanshake returned %d",
+ err))
+ end
+- else
+- if client and SSLIOStream._ssl_verify then
+- rc = libtffi.validate_hostname(SSLIOStream._ssl_hostname, ssl)
+- if rc ~= crypto.validate.MatchFound then
+- error("SSL certficate hostname validation failed, rc " ..
+- tonumber(rc))
+- end
+- end
+ end
+ return true
+ end
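Review bot: The embedded crypto_linux.lua hunk at @@ -249,6 +248,18 @@ leaves a debug statement in the handshake path, `print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)`, which writes to stdout on every call of crypto.ssl_do_handshake (the surrounding comment says the function is re-entered until the handshake completes), so it should be dropped before this patch ships. The same block also loosens the guard the removed post-handshake check had: the old code ran hostname validation only under `if client and SSLIOStream._ssl_verify then`, while the new SSL_set1_host call runs under `if SSLIOStream._ssl_verify then`, so a server-side stream with _ssl_verify set now has SSL_set1_host called with whatever _ssl_hostname holds; restoring `if client and SSLIOStream._ssl_verify then` keeps the previous semantics. Whether SSL_set1_host actually makes a mismatch fatal depends on the verify mode set on the context, which is outside this hunk, so that is worth confirming rather than assuming the removed libtffi.validate_hostname check is fully replaced. The fallback `ffi.load(os.getenv("TURBO_LIBSSL") or "/usr/lib/libssl.so.1.1")` pins the soname; a short comment such as `-- Alpine: pin to the 1.1 soname so the FFI does not pick up a mismatched libssl` would explain why the generic "ssl" lookup was replaced. The enclosing crypto.ssl_do_handshake function starts and ends outside the embedded hunks.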