diff --git a/turbo/cdef.lua b/turbo/cdef.lua
index 62895de..62830e7 100755
--- a/turbo/cdef.lua
+++ b/turbo/cdef.lua
@@ -611,6 +611,7 @@ if _G.TURBO_SSL then
         typedef void ASN1_STRING;
         typedef unsigned int SHA_LONG;
         typedef void EVP_MD;
+	typedef void OPENSSL_INIT_SETTINGS;
         typedef struct SHAstate_st{
             SHA_LONG h0,h1,h2,h3,h4;
             SHA_LONG Nl,Nh;
@@ -618,11 +619,9 @@ if _G.TURBO_SSL then
             unsigned int num;
         } SHA_CTX;
 
-        const SSL_METHOD *SSLv3_server_method(void);
-        const SSL_METHOD *SSLv3_client_method(void);
-        const SSL_METHOD *SSLv23_method(void);
-        const SSL_METHOD *SSLv23_server_method(void);
-        const SSL_METHOD *SSLv23_client_method(void);
+        const SSL_METHOD *TLS_method(void);
+        const SSL_METHOD *TLS_server_method(void);
+        const SSL_METHOD *TLS_client_method(void);
         const SSL_METHOD *TLSv1_method(void);
         const SSL_METHOD *TLSv1_server_method(void);
         const SSL_METHOD *TLSv1_client_method(void);
@@ -632,10 +631,8 @@ if _G.TURBO_SSL then
         const SSL_METHOD *TLSv1_2_method(void);
         const SSL_METHOD *TLSv1_2_server_method(void);
         const SSL_METHOD *TLSv1_2_client_method(void);
-        void OPENSSL_add_all_algorithms_noconf(void);
-        void SSL_load_error_strings(void);
         void ERR_free_strings(void);
-        int SSL_library_init(void);
+	int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
         void EVP_cleanup(void);
         SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
         void SSL_CTX_free(SSL_CTX *);
@@ -656,8 +653,13 @@ if _G.TURBO_SSL then
             const char *CApath);
         int SSL_CTX_check_private_key(const SSL_CTX *ctx);
         SSL *SSL_new(SSL_CTX *ctx);
+	int SSL_set1_host(SSL *s, const char *hostname);
+	int SSL_add1_host(SSL *s, const char *hostname);
+	void SSL_set_hostflags(SSL *s, unsigned int flags);
+	const char *SSL_get0_peername(SSL *s);
         void SSL_set_connect_state(SSL *s);
         void SSL_set_accept_state(SSL *s);
+	long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
         int SSL_do_handshake(SSL *s);
         int SSL_set_fd(SSL *s, int fd);
         int SSL_accept(SSL *ssl);
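Review bot: `long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);` is declared here but no call site for it appears anywhere in the visible hunks, so it is not clear what the declaration is for. If it is meant to back a macro such as `SSL_set_tlsext_host_name` (which the FFI cannot see, since it is a preprocessor macro over `SSL_ctrl`), add a comment next to the declaration naming the macro it stands in for and note that the numeric `cmd`/`larg` values have to be copied from `ssl.h`; if it is not used, drop it so the binding surface stays minimal. The five added lines are also tab-indented inside an otherwise space-indented declaration string, same as the earlier hunks in this file. The enclosing `if _G.TURBO_SSL then` block starts and ends outside this hunk.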
diff --git a/turbo/crypto_linux.lua b/turbo/crypto_linux.lua
index 1473022..54c07a9 100644
--- a/turbo/crypto_linux.lua
+++ b/turbo/crypto_linux.lua
@@ -23,7 +23,7 @@ require "turbo.cdef"
 
 local crypto = {} -- crypto namespace
 
-local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "ssl")
+local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "/usr/lib/libssl.so.1.1")
 local libtffi = util.load_libtffi()
 
 local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
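Review bot: Replacing the bare library name with the absolute path `/usr/lib/libssl.so.1.1` removes the loader's search-path resolution from the default case: on any layout where libssl does not live in `/usr/lib` (multiarch `/usr/lib/<triplet>`, `/usr/lib64`, `/usr/local/lib`) `ffi.load` will now fail unless `TURBO_LIBSSL` is set. Pinning the 1.1 ABI is reasonable given the cdef declarations in this patch only match OpenSSL 1.1, but the soname alone achieves that without fixing the directory, because `ffi.load` passes a name containing a dot straight to `dlopen`, which consults `ld.so.cache` and the usual library directories: `local lssl = ffi.load(os.getenv("TURBO_LIBSSL") or "libssl.so.1.1")`. A short comment saying why the versioned soname is required (the declarations below assume the 1.1 API) would help whoever next bumps the library.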
@@ -32,6 +32,7 @@ local EWOULDBLOCK, EINPROGRESS, ECONNRESET =
 crypto.X509_FILETYPE_PEM =          1
 crypto.X509_FILETYPE_ASN1 =         2
 crypto.X509_FILETYPE_DEFAULT =      3
+crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4
 crypto.SSL_FILETYPE_ASN1 =          crypto.X509_FILETYPE_ASN1
 crypto.SSL_FILETYPE_PEM =           crypto.X509_FILETYPE_PEM
 crypto.SSL_ERROR_NONE =             0
@@ -77,9 +78,7 @@ end
 function crypto.ssl_init()
     if not _G._TURBO_SSL_INITED then
        _TURBO_SSL_INITED = true
-        lssl.SSL_load_error_strings()
-        lssl.SSL_library_init()
-        lssl.OPENSSL_add_all_algorithms_noconf()
+       lssl.OPENSSL_init_ssl(0, nil)
     end
 end
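Review bot: The return value of `lssl.OPENSSL_init_ssl(0, nil)` is discarded, and `_TURBO_SSL_INITED` is set to `true` before the call, so a failed initialisation (the function returns 0 on error) is never reported and every later `crypto.ssl_init()` call silently skips it. The three removed calls were `void`/always-1 in 1.0, but the new entry point has a real error path, so check it: `if lssl.OPENSSL_init_ssl(0, nil) ~= 1 then _TURBO_SSL_INITED = nil; error("OPENSSL_init_ssl failed") end`, ideally with `_TURBO_SSL_INITED` only set after success. Passing `0` for `opts` relies on the library defaults to load error strings and register ciphers/digests, which is what the removed `SSL_load_error_strings`/`OPENSSL_add_all_algorithms_noconf` calls did explicitly; a one-line comment stating that reliance would save the next reader checking the OpenSSL manual. Note also that the new call is indented seven spaces where the surrounding lines use eight.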
 if _G.TURBO_SSL then
@@ -107,7 +106,7 @@ function crypto.ssl_create_client_context(
     -- Use standardish path to ca-certificates if not specified by user.
     -- May not be present on all Unix systems.
     ca_cert_path = ca_cert_path or "/etc/ssl/certs/ca-certificates.crt"
-    meth = sslv or lssl.SSLv23_client_method()
+    meth = sslv or lssl.TLS_client_method()
     if meth == nil then
         err = lssl.ERR_peek_error()
         lssl.ERR_clear_error()
@@ -142,7 +141,7 @@ function crypto.ssl_create_client_context(
     end
     if verify == true then
         if lssl.SSL_CTX_load_verify_locations(ctx,
-                ca_cert_path, nil) ~= 1 then
+                ca_cert_path, "/etc/ssl/certs/") ~= 1 then
             err = lssl.ERR_peek_error()
             lssl.ERR_clear_error()
             return err, crypto.ERR_error_string(err)
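Review bot: Passing `/etc/ssl/certs/` as `CApath` unconditionally changes what a caller-supplied `ca_cert_path` means: a caller who pins a private CA file now also trusts every certificate in the system hash directory, because `SSL_CTX_load_verify_locations` unions both sources, and the call only fails if neither loads, so a missing or unreadable CA file no longer produces the error it did before. The system directory is a sensible fallback only for the default case, so decide before the default is applied at the top of the function (outside this hunk, where `ca_cert_path = ca_cert_path or "/etc/ssl/certs/ca-certificates.crt"` lives): `local ca_dir = (ca_cert_path == nil) and "/etc/ssl/certs/" or nil`, then pass `ca_dir` instead of the literal here. Document in the function's comment that an explicit `ca_cert_path` is the only trust anchor when supplied. The enclosing `crypto.ssl_create_client_context` starts and ends outside this hunk.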
@@ -172,7 +171,7 @@ function crypto.ssl_create_server_context(cert_file, prv_file, ca_cert_path, ssl
     elseif not prv_file then
         return -1, "No priv file given in arguments";
     end
-    meth = sslv or lssl.SSLv23_server_method()
+    meth = sslv or lssl.TLS_server_method()
     if meth == nil then
         err = lssl.ERR_peek_error()
         lssl.ERR_clear_error()
@@ -249,6 +248,18 @@ function crypto.ssl_do_handshake(SSLIOStream)
     -- EINPROGRESS or equaivalent on prior calls. The OpenSSL
     -- documentation states that SSL_do_handshake should be called again
     -- when its needs are satisfied.
+    if SSLIOStream._ssl_verify then
+        lssl.SSL_set_hostflags(ssl, crypto.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
+	if lssl.SSL_set1_host(ssl, SSLIOStream._ssl_hostname) <= 0 then
+            err = crypto.lib.ERR_peek_error()
+            crypto.lib.ERR_clear_error()
+            error(string.format(
+                "Could not do SSL handshake. \
+                     Failed to set SSL hostname: %s",
+                crypto.ERR_error_string(err)))
+	end
+	print("DEBUG!!!: set ssl hostname", SSLIOStream._ssl_hostname)
+    end
     rc = crypto.lib.SSL_do_handshake(ssl)
     if rc <= 0 then
         if client and SSLIOStream._ssl_verify then
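Review bot: The `print("DEBUG!!!: set ssl hostname", ...)` left in the new block writes the peer hostname to stdout on every handshake attempt and must not ship. Beyond that, the new check does not guard against a missing hostname: `SSL_set1_host(ssl, NULL)` returns 1 and clears the expected-host check, so a stream with `_ssl_verify` set but `_ssl_hostname` `nil` (a server-side stream, or a client connecting by address) silently verifies the chain with no name check, whereas the removed `validate_hostname` path only ran with `client and SSLIOStream._ssl_verify`. Mirror that guard and reject an empty name: `if client and SSLIOStream._ssl_verify then`, followed by `local host = SSLIOStream._ssl_hostname` and `if not host or host == "" then error("Could not do SSL handshake. No hostname to verify against") end` before the `SSL_set1_host` call. If connecting by IP literal is a supported case, it needs a separate IP-address match rather than `SSL_set1_host`; the patch does not show whether that is intended. The block also mixes tab and space indentation, and the enclosing `crypto.ssl_do_handshake` starts and ends outside this hunk.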
@@ -308,14 +319,6 @@ function crypto.ssl_do_handshake(SSLIOStream)
                 "Could not do SSL handshake. SSL_do_hanshake returned %d",
                 err))
         end
-    else
-        if client and SSLIOStream._ssl_verify then
-            rc = libtffi.validate_hostname(SSLIOStream._ssl_hostname, ssl)
-            if rc ~= crypto.validate.MatchFound then
-                error("SSL certficate hostname validation failed, rc " ..
-                tonumber(rc))
-            end
-        end
     end
     return true
 end