From a48a5c0e26139f43a9899882529589ce4b69ca49 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Tue, 20 Nov 2018 18:55:59 -0800 Subject: [PATCH] luasec: Update to 0.7 Switched to codeload to keep a sane source name. Backported a few useful patches. Signed-off-by: Rosen Penev --- lang/luasec/Makefile | 9 +- .../patches/010-Using-const-SSL_METHOD.patch | 49 +++++ .../010-openssl-1.1-compatibility.patch | 180 ------------------ .../patches/020-Removing-SSLv3-support.patch | 43 +++++ ...cated-methods-to-select-the-protocol.patch | 98 ++++++++++ .../patches/040-openssl-deprecated.patch | 89 +++++++++ lang/luasec/patches/100-fix-compilation.patch | 19 ++ 7 files changed, 303 insertions(+), 184 deletions(-) create mode 100644 lang/luasec/patches/010-Using-const-SSL_METHOD.patch delete mode 100644 lang/luasec/patches/010-openssl-1.1-compatibility.patch create mode 100644 lang/luasec/patches/020-Removing-SSLv3-support.patch create mode 100644 lang/luasec/patches/030-Removing-deprecated-methods-to-select-the-protocol.patch create mode 100644 lang/luasec/patches/040-openssl-deprecated.patch create mode 100644 lang/luasec/patches/100-fix-compilation.patch diff --git a/lang/luasec/Makefile b/lang/luasec/Makefile index 307624d69..4690ddd4b 100644 --- a/lang/luasec/Makefile +++ b/lang/luasec/Makefile @@ -8,18 +8,19 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luasec -PKG_VERSION:=0.6 -PKG_RELEASE:=2 +PKG_VERSION:=0.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/brunoos/luasec/archive/ -PKG_HASH:=cef3a35c18beb8a54d9c8ce6260a4cabbd9a386de8711320d084daffad0aed5d +PKG_SOURCE_URL:=https://codeload.github.com/brunoos/luasec/tar.gz/luasec-$(PKG_VERSION)? +PKG_HASH:=2176e95b1d2a72a3235ede5d2aa9838050feee55dade8fdbde4be7fdc66f3a31 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION) MAINTAINER:=W. Michael Petullo PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE +PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 include $(INCLUDE_DIR)/package.mk 
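Review bot: The trailing `?` on the new `PKG_SOURCE_URL` is unexplained, and a reader who tidies it away would break the fetch. It looks like the usual trick of turning the file name that the download step appends into a query string, so that codeload serves the tag archive. A comment above the line would cover it, for example `# trailing '?': the appended file name becomes a query string`. Since the archive now comes from an endpoint that generates it on request, `PKG_HASH` is the only thing tying the build to specific bytes, so it is worth recording in the commit message how the new hash was checked.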
diff --git a/lang/luasec/patches/010-Using-const-SSL_METHOD.patch b/lang/luasec/patches/010-Using-const-SSL_METHOD.patch new file mode 100644 index 000000000..ddf4d9a53 --- /dev/null +++ b/lang/luasec/patches/010-Using-const-SSL_METHOD.patch @@ -0,0 +1,49 @@ +From 8212b89f1a04023b431d2fc9bc12aca02394698f Mon Sep 17 00:00:00 2001 +From: Bruno Silvestre +Date: Fri, 29 Jun 2018 14:02:39 -0300 +Subject: [PATCH 1/3] Using 'const SSL_METHOD*' + +This change was introduced in OpenSSL 1.0.0. +Start droping 0.9.8 code. +--- + src/context.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/src/context.c b/src/context.c +index a2b5ae5..b9e8cda 100644 +--- a/src/context.c ++++ b/src/context.c +@@ -29,12 +29,6 @@ + #include "ec.h" + #endif + +-#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL) +-typedef const SSL_METHOD LSEC_SSL_METHOD; +-#else +-typedef SSL_METHOD LSEC_SSL_METHOD; +-#endif +- + /*--------------------------- Auxiliary Functions ----------------------------*/ + + /** +@@ -68,7 +62,7 @@ static int set_option_flag(const char *opt, unsigned long *flag) + /** + * Find the protocol. + */ +-static LSEC_SSL_METHOD* str2method(const char *method) ++static const SSL_METHOD* str2method(const char *method) + { + if (!strcmp(method, "any")) return SSLv23_method(); + if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated +@@ -287,7 +281,7 @@ static int create(lua_State *L) + { + p_context ctx; + const char *str_method; +- LSEC_SSL_METHOD *method; ++ const SSL_METHOD *method; + + str_method = luaL_checkstring(L, 1); + method = str2method(str_method); +-- +2.19.1 + diff --git a/lang/luasec/patches/010-openssl-1.1-compatibility.patch b/lang/luasec/patches/010-openssl-1.1-compatibility.patch deleted file mode 100644 index 39681dd10..000000000 --- a/lang/luasec/patches/010-openssl-1.1-compatibility.patch +++ /dev/null 
@@ -1,180 +0,0 @@ ---- a/src/context.c -+++ b/src/context.c -@@ -24,7 +24,7 @@ - #include "context.h" - #include "options.h" - --#ifndef OPENSSL_NO_ECDH -+#ifndef OPENSSL_NO_EC - #include - #include "ec.h" - #endif -@@ -35,10 +35,6 @@ typedef const SSL_METHOD LSEC_SSL_METHOD - typedef SSL_METHOD LSEC_SSL_METHOD; - #endif - --#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) --#define SSLv23_method() TLS_method() --#endif -- - /*-- Compat - Lua 5.1 --------------------------------------------------------*/ - - #if (LUA_VERSION_NUM == 501) -@@ -304,7 +300,7 @@ static int verify_cb(int preverify_ok, X - return (verify & LSEC_VERIFY_CONTINUE ? 1 : preverify_ok); - } - --#ifndef OPENSSL_NO_ECDH -+#ifndef OPENSSL_NO_EC - static EC_KEY *find_ec_key(const char *str) - { - p_ec ptr; -@@ -565,7 +561,7 @@ static int set_dhparam(lua_State *L) - /** - * Set elliptic curve. - */ --#ifdef OPENSSL_NO_ECDH -+#ifdef OPENSSL_NO_EC - static int set_curve(lua_State *L) - { - lua_pushboolean(L, 0); ---- a/src/ssl.c -+++ b/src/ssl.c -@@ -31,6 +31,13 @@ - #include "context.h" - #include "ssl.h" - -+ -+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER<0x10100000L -+#define SSL_is_server(s) (s->server) -+#define X509_up_ref(c) CRYPTO_add(&c->references, 1, CRYPTO_LOCK_X509) -+#endif -+ -+ - /** - * Underline socket error. 
- */ -@@ -406,7 +413,9 @@ static int meth_want(lua_State *L) - */ - static int meth_compression(lua_State *L) - { --#if !defined(OPENSSL_NO_COMP) -+#ifdef OPENSSL_NO_COMP -+ const void *comp; -+#else - const COMP_METHOD *comp; - #endif - p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection"); -@@ -415,15 +424,11 @@ static int meth_compression(lua_State *L - lua_pushstring(L, "closed"); - return 2; - } --#if !defined(OPENSSL_NO_COMP) - comp = SSL_get_current_compression(ssl->ssl); - if (comp) - lua_pushstring(L, SSL_COMP_get_name(comp)); - else - lua_pushnil(L); --#else -- lua_pushnil(L); --#endif - return 1; - } - -@@ -461,7 +466,7 @@ static int meth_getpeercertificate(lua_S - /* In a server-context, the stack doesn't contain the peer cert, - * so adjust accordingly. - */ -- if (ssl->ssl->server) -+ if (SSL_is_server(ssl->ssl)) - --n; - certs = SSL_get_peer_cert_chain(ssl->ssl); - if (n >= sk_X509_num(certs)) { -@@ -471,7 +476,7 @@ static int meth_getpeercertificate(lua_S - cert = sk_X509_value(certs, n); - /* Increment the reference counting of the object. */ - /* See SSL_get_peer_certificate() source code. */ -- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); -+ X509_up_ref(cert); - lsec_pushx509(L, cert); - return 1; - } -@@ -493,7 +498,7 @@ static int meth_getpeerchain(lua_State * - return 2; - } - lua_newtable(L); -- if (ssl->ssl->server) { -+ if (SSL_is_server(ssl->ssl)) { - lsec_pushx509(L, SSL_get_peer_certificate(ssl->ssl)); - lua_rawseti(L, -2, idx++); - } -@@ -503,7 +508,7 @@ static int meth_getpeerchain(lua_State * - cert = sk_X509_value(certs, i); - /* Increment the reference counting of the object. */ - /* See SSL_get_peer_certificate() source code. 
*/ -- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); -+ X509_up_ref(cert); - lsec_pushx509(L, cert); - lua_rawseti(L, -2, idx++); - } ---- a/src/x509.c -+++ b/src/x509.c -@@ -32,6 +32,17 @@ - - #include "x509.h" - -+ -+/* -+ * ASN1_STRING_data is deprecated in OpenSSL 1.1.0 -+ */ -+#if OPENSSL_VERSION_NUMBER>=0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER) -+#define LSEC_ASN1_STRING_data(x) ASN1_STRING_get0_data(x) -+#else -+#define LSEC_ASN1_STRING_data(x) ASN1_STRING_data(x) -+#endif -+ -+ - static const char* hex_tab = "0123456789abcdef"; - - /** -@@ -146,7 +157,7 @@ static void push_asn1_string(lua_State* - } - switch (encode) { - case LSEC_AI5_STRING: -- lua_pushlstring(L, (char*)ASN1_STRING_data(string), -+ lua_pushlstring(L, (char*)LSEC_ASN1_STRING_data(string), - ASN1_STRING_length(string)); - break; - case LSEC_UTF8_STRING: -@@ -182,7 +193,7 @@ static void push_asn1_ip(lua_State *L, A - { - int af; - char dst[INET6_ADDRSTRLEN]; -- unsigned char *ip = ASN1_STRING_data(string); -+ unsigned char *ip = (unsigned char*)LSEC_ASN1_STRING_data(string); - switch(ASN1_STRING_length(string)) { - case 4: - af = AF_INET; -@@ -293,11 +304,11 @@ int meth_extensions(lua_State* L) - break; - - /* Push ret[oid] */ -- push_asn1_objname(L, extension->object, 1); -+ push_asn1_objname(L, X509_EXTENSION_get_object(extension), 1); - push_subtable(L, -2); - - /* Set ret[oid].name = name */ -- push_asn1_objname(L, extension->object, 0); -+ push_asn1_objname(L, X509_EXTENSION_get_object(extension), 0); - lua_setfield(L, -2, "name"); - - n_general_names = sk_GENERAL_NAME_num(values); -@@ -404,7 +415,7 @@ static int meth_pubkey(lua_State* L) - bytes = BIO_get_mem_data(bio, &data); - if (bytes > 0) { - lua_pushlstring(L, data, bytes); -- switch(EVP_PKEY_type(pkey->type)) { -+ switch(EVP_PKEY_base_id(pkey)) { - case EVP_PKEY_RSA: - lua_pushstring(L, "RSA"); - break; 
diff --git a/lang/luasec/patches/020-Removing-SSLv3-support.patch b/lang/luasec/patches/020-Removing-SSLv3-support.patch new file mode 100644 index 000000000..ef3dc05f2 --- /dev/null +++ b/lang/luasec/patches/020-Removing-SSLv3-support.patch @@ -0,0 +1,43 @@ +From 89bdc6148cd8cffb1483f4fc0aa14d636f8f5b4f Mon Sep 17 00:00:00 2001 +From: Bruno Silvestre +Date: Fri, 29 Jun 2018 14:06:51 -0300 +Subject: [PATCH 2/3] Removing SSLv3 support + +--- + src/config.c | 5 ----- + src/context.c | 3 --- + 2 files changed, 8 deletions(-) + +diff --git a/src/config.c b/src/config.c +index ce74997..6939fca 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -32,11 +32,6 @@ LSEC_API int luaopen_ssl_config(lua_State *L) + lua_pushstring(L, "protocols"); + lua_newtable(L); + +-#ifndef OPENSSL_NO_SSL3 +- lua_pushstring(L, "sslv3"); +- lua_pushboolean(L, 1); +- lua_rawset(L, -3); +-#endif + lua_pushstring(L, "tlsv1"); + lua_pushboolean(L, 1); + lua_rawset(L, -3); +diff --git a/src/context.c b/src/context.c +index b9e8cda..d8fc8b6 100644 +--- a/src/context.c ++++ b/src/context.c +@@ -66,9 +66,6 @@ static const SSL_METHOD* str2method(const char *method) + { + if (!strcmp(method, "any")) return SSLv23_method(); + if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated +-#ifndef OPENSSL_NO_SSL3 +- if (!strcmp(method, "sslv3")) return SSLv3_method(); +-#endif + if (!strcmp(method, "tlsv1")) return TLSv1_method(); + #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL) + if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method(); +-- +2.19.1 + diff --git a/lang/luasec/patches/030-Removing-deprecated-methods-to-select-the-protocol.patch b/lang/luasec/patches/030-Removing-deprecated-methods-to-select-the-protocol.patch new file mode 100644 index 000000000..64c4501f3 --- /dev/null +++ b/lang/luasec/patches/030-Removing-deprecated-methods-to-select-the-protocol.patch 
@@ -0,0 +1,98 @@ +From 28e247dbc53b95acf9cb716f99f13aadc4d38651 Mon Sep 17 00:00:00 2001 +From: Bruno Silvestre +Date: Mon, 2 Jul 2018 10:31:45 -0300 +Subject: [PATCH 3/3] Removing deprecated methods to select the protocol + +Using TLS_method(), SSL_set_min_proto_version() and +SSL_set_max_proto_version(). +--- + src/context.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 44 insertions(+), 2 deletions(-) + +diff --git a/src/context.c b/src/context.c +index d8fc8b6..d1377f1 100644 +--- a/src/context.c ++++ b/src/context.c +@@ -59,11 +59,46 @@ static int set_option_flag(const char *opt, unsigned long *flag) + return 0; + } + ++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) ++ + /** + * Find the protocol. + */ +-static const SSL_METHOD* str2method(const char *method) ++static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax) + { ++ if (!strcmp(method, "any") || !strcmp(method, "sslv23")) { ++ *vmin = TLS1_VERSION; ++ *vmax = TLS1_2_VERSION; ++ return TLS_method(); ++ } ++ else if (!strcmp(method, "tlsv1")) { ++ *vmin = TLS1_VERSION; ++ *vmax = TLS1_VERSION; ++ return TLS_method(); ++ } ++ else if (!strcmp(method, "tlsv1_1")) { ++ *vmin = TLS1_1_VERSION; ++ *vmax = TLS1_1_VERSION; ++ return TLS_method(); ++ } ++ else if (!strcmp(method, "tlsv1_2")) { ++ *vmin = TLS1_2_VERSION; ++ *vmax = TLS1_2_VERSION; ++ return TLS_method(); ++ } ++ ++ return NULL; ++} ++ ++#else ++ ++/** ++ * Find the protocol. ++ */ ++static const SSL_METHOD* str2method(const char *method, int *vmin, int *vmax) ++{ ++ (void)vmin; ++ (void)vmax; + if (!strcmp(method, "any")) return SSLv23_method(); + if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated + if (!strcmp(method, "tlsv1")) return TLSv1_method(); +@@ -74,6 +109,8 @@ static const SSL_METHOD* str2method(const char *method) + return NULL; + } + ++#endif ++ + /** + * Prepare the SSL handshake verify flag. 
+ */ +@@ -279,9 +316,10 @@ static int create(lua_State *L) + p_context ctx; + const char *str_method; + const SSL_METHOD *method; ++ int vmin, vmax; + + str_method = luaL_checkstring(L, 1); +- method = str2method(str_method); ++ method = str2method(str_method, &vmin, &vmax); + if (!method) { + lua_pushnil(L); + lua_pushfstring(L, "invalid protocol (%s)", str_method); +@@ -301,6 +339,10 @@ static int create(lua_State *L) + ERR_reason_error_string(ERR_get_error())); + return 2; + } ++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) ++ SSL_CTX_set_min_proto_version(ctx->context, vmin); ++ SSL_CTX_set_max_proto_version(ctx->context, vmax); ++#endif + ctx->mode = LSEC_MODE_INVALID; + ctx->L = L; + luaL_getmetatable(L, "SSL:Context"); +-- +2.19.1 + diff --git a/lang/luasec/patches/040-openssl-deprecated.patch b/lang/luasec/patches/040-openssl-deprecated.patch new file mode 100644 index 000000000..5709b213b --- /dev/null +++ b/lang/luasec/patches/040-openssl-deprecated.patch 
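Review bot: In `create()` the results of `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()` are ignored, so if either call fails the context keeps the library's default version range and a caller that asked for, say, `tlsv1_2` gets no error. Both return 1 on success and 0 on failure, so they should be checked and should fail the same way as the `SSL_CTX_new` error path just above. The metatable is attached only after this point, so the sketch below frees the `SSL_CTX` itself; `create()` begins and ends outside the hunk, so confirm that against the rest of the function. Separately, `str2method()` maps `any`/`sslv23` to a floor of `TLS1_VERSION` and a ceiling of `TLS1_2_VERSION`, which still admits TLS 1.0 and would keep TLS 1.3 from being negotiated on a library that offers it. Passing 0 as the maximum leaves the ceiling to the library.

```c
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
  /* Both setters return 1 on success and 0 on failure. */
  if (!SSL_CTX_set_min_proto_version(ctx->context, vmin) ||
      !SSL_CTX_set_max_proto_version(ctx->context, vmax)) {
    SSL_CTX_free(ctx->context);
    ctx->context = NULL;
    lua_pushnil(L);
    lua_pushfstring(L, "error setting protocol range (%s)", str_method);
    return 2;
  }
#endif
  /* … unchanged: ctx->mode, ctx->L, metatable setup … */
```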
@@ -0,0 +1,89 @@ +--- a/src/context.c ++++ b/src/context.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -819,7 +820,9 @@ LSEC_API int luaopen_ssl_context(lua_State *L) + luaL_newlib(L, meta_index); + lua_setfield(L, -2, "__index"); + ++#ifndef OPENSSL_NO_EC + lsec_load_curves(L); ++#endif + + /* Return the module */ + luaL_newlib(L, funcs); +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -857,6 +857,7 @@ static luaL_Reg funcs[] = { + */ + LSEC_API int luaopen_ssl_core(lua_State *L) + { ++#if OPENSSL_VERSION_NUMBER<0x10100000L + /* Initialize SSL */ + if (!SSL_library_init()) { + lua_pushstring(L, "unable to initialize SSL library"); +@@ -864,6 +865,7 @@ LSEC_API int luaopen_ssl_core(lua_State *L) + } + OpenSSL_add_all_algorithms(); + SSL_load_error_strings(); ++#endif + + #if defined(WITH_LUASOCKET) + /* Initialize internal library */ +--- a/src/x509.c ++++ b/src/x509.c +@@ -42,6 +42,10 @@ + #define LSEC_ASN1_STRING_data(x) ASN1_STRING_data(x) + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define X509_get0_notBefore X509_get_notBefore ++#define X509_get0_notAfter X509_get_notAfter ++#endif + + static const char* hex_tab = "0123456789abcdef"; + +@@ -174,7 +178,7 @@ static void push_asn1_string(lua_State* L, ASN1_STRING *string, int encode) + /** + * Return a human readable time. 
+ */ +-static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm) ++static int push_asn1_time(lua_State *L, const ASN1_UTCTIME *tm) + { + char *tmp; + long size; +@@ -490,8 +494,8 @@ static int meth_valid_at(lua_State* L) + { + X509* cert = lsec_checkx509(L, 1); + time_t time = luaL_checkinteger(L, 2); +- lua_pushboolean(L, (X509_cmp_time(X509_get_notAfter(cert), &time) >= 0 +- && X509_cmp_time(X509_get_notBefore(cert), &time) <= 0)); ++ lua_pushboolean(L, (X509_cmp_time(X509_get0_notAfter(cert), &time) >= 0 ++ && X509_cmp_time(X509_get0_notBefore(cert), &time) <= 0)); + return 1; + } + +@@ -519,7 +523,7 @@ static int meth_serial(lua_State *L) + static int meth_notbefore(lua_State *L) + { + X509* cert = lsec_checkx509(L, 1); +- return push_asn1_time(L, X509_get_notBefore(cert)); ++ return push_asn1_time(L, X509_get0_notBefore(cert)); + } + + /** +@@ -528,7 +532,7 @@ static int meth_notbefore(lua_State *L) + static int meth_notafter(lua_State *L) + { + X509* cert = lsec_checkx509(L, 1); +- return push_asn1_time(L, X509_get_notAfter(cert)); ++ return push_asn1_time(L, X509_get0_notAfter(cert)); + } + + /** diff --git a/lang/luasec/patches/100-fix-compilation.patch b/lang/luasec/patches/100-fix-compilation.patch new file mode 100644 index 000000000..fbd6ab3b6 --- /dev/null +++ b/lang/luasec/patches/100-fix-compilation.patch 
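Review bot: The new `#if OPENSSL_VERSION_NUMBER<0x10100000L` around `SSL_library_init()` in `luaopen_ssl_core()` tests the version number alone, whereas the compatibility patch this commit deletes paired such tests with `defined(LIBRESSL_VERSION_NUMBER)`. LibreSSL reports a higher `OPENSSL_VERSION_NUMBER`, so on a LibreSSL build the explicit initialisation would be compiled out and the `X509_get0_notBefore`/`X509_get0_notAfter` fallbacks in `x509.c` would not be defined. Whether that matters depends on the LibreSSL release and on whether it is still a supported target. If it is, the guards could read `#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER<0x10100000L`. The patch file also lacks the description header that the 010–030 backports carry, so its origin is not recorded.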
@@ -0,0 +1,19 @@ +diff --git a/src/Makefile b/src/Makefile +index 9be2f14..93d1dc4 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -33,10 +33,10 @@ LDFLAGS += $(MYLDFLAGS) + all: + + install: $(CMOD) $(LMOD) +- $(INSTALL) -d $(DESTDIR)$(LUAPATH)/ssl $(DESTDIR)$(LUACPATH) +- $(INSTALL) $(CMOD) $(DESTDIR)$(LUACPATH) +- $(INSTALL) -m644 $(LMOD) $(DESTDIR)$(LUAPATH) +- $(INSTALL) -m644 https.lua $(DESTDIR)$(LUAPATH)/ssl ++ $(INSTALL) -d $(LUAPATH)/ssl $(LUACPATH) ++ $(INSTALL) $(CMOD) $(LUACPATH) ++ $(INSTALL) -m644 $(LMOD) $(LUAPATH) ++ $(INSTALL) -m644 https.lua $(LUAPATH)/ssl + + linux: + @$(MAKE) $(CMOD) MYCFLAGS="$(LNX_CFLAGS)" MYLDFLAGS="$(LNX_LDFLAGS)" EXTRA="$(EXTRA)"
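Review bot: With `$(DESTDIR)` removed from all four `install` commands, the destination is whatever `LUAPATH` and `LUACPATH` expand to, so the staging prefix has to arrive through those variables. The package Makefile's install invocation is not part of this diff; if it does not pass them, `make install` would write into the build host's own Lua directories. The patch carries no description, and its name says "fix-compilation" although it only changes install paths. A header line such as `Install paths already include the staging prefix; drop DESTDIR to avoid doubling it` (if that is the reason) would record the intent.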