aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-10-31 07:33:01 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-11-07 16:46:12 +0000
commit1071e5913bb4650500a86baefbeb660976085127 (patch)
treeab74f7ac2bc6c7a9c6388ff1029518cdeab65410
parenta5bbe2b19caadf886ae754aa2369ef02d0937f81 (diff)
downloadaports-1071e5913bb4650500a86baefbeb660976085127.tar.gz
aports-1071e5913bb4650500a86baefbeb660976085127.tar.bz2
aports-1071e5913bb4650500a86baefbeb660976085127.tar.xz
main/pound: rebuild against openssl-1.1
patch taken from https://github.com/graygnuorg/pound
-rw-r--r--main/pound/APKBUILD10
-rw-r--r--main/pound/openssl-1.1.patch345
2 files changed, 351 insertions, 4 deletions
diff --git a/main/pound/APKBUILD b/main/pound/APKBUILD
index f918fff117..8b03bbb7c7 100644
--- a/main/pound/APKBUILD
+++ b/main/pound/APKBUILD
@@ -1,15 +1,16 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pound
-pkgver=2.7
-pkgrel=5
+pkgver=2.8
+pkgrel=0
pkgdesc="A reverse proxy, load balancer, and SSL wrapper"
url="http://www.apsis.ch/pound/index_html"
arch="all"
license="GPL"
depends=
-makedepends="pcre-dev libressl-dev"
+makedepends="pcre-dev openssl-dev"
subpackages="$pkgname-doc"
source="http://www.apsis.ch/$pkgname/Pound-$pkgver.tgz
+ openssl-1.1.patch
pound.cfg
$pkgname.initd"
@@ -39,6 +40,7 @@ package() {
install -Dm644 "$srcdir"/pound.cfg "$pkgdir"/etc/pound.cfg
}
-sha512sums="3edfb948715ff7e38b7665cc083eb5619daf4c2ddda4efcffffa2bcf5d8c1ee158fa5275b16bbaea4cf51bf3f8c022ba2197d5f67d57732404a448ae00e62aa1 Pound-2.7.tgz
+sha512sums="cf0b865b17d3628e273626e07733f1320e4768702c0f64c8ef0f78d46667f770b223bdc7dca88016a95e5ebd23ae646f95a9b2f4a54a5a80001a10047f07eacc Pound-2.8.tgz
+bc1ba9b6cca1e0cddc95ba519fb2ef11c8252e6585582d0ee26d083d360edc8e8baf52c2708c77895aa2c1453297180f80b9e2aa2a9f8c3c2cafd188447603b1 openssl-1.1.patch
9471e5abe3e0ee83165ed01a7081a4d14075c6c21b9f9d7c3fb239aa78c38eae74394a7c7e7e7753d218a7ce5cae388823570d19b702a829baa93e949a8946b8 pound.cfg
cd014677ef7e724d5bd0a101436d0269d2fc18b4cd90ff71eaa690967754d3e4bfe5d0a439099967487b6256121ccc734b01880d96dff50d28242829715e7776 pound.initd"
diff --git a/main/pound/openssl-1.1.patch b/main/pound/openssl-1.1.patch
new file mode 100644
index 0000000000..d16b5ef733
--- /dev/null
+++ b/main/pound/openssl-1.1.patch
@@ -0,0 +1,345 @@
+From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 28 Feb 2018 13:44:01 +0000
+Subject: [PATCH] Support for Openssl 1.1
+
+---
+ .gitignore | 15 ++++++++
+ config.c | 17 +++++++--
+ http.c | 12 ++++++-
+ pound.h | 4 ++-
+ svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++----------
+ 5 files changed, 125 insertions(+), 24 deletions(-)
+ create mode 100644 .gitignore
+
+diff --git a/.gitignore b/.gitignore
+new file mode 100644
+index 0000000..1afa3b2
+--- /dev/null
++++ b/.gitignore
+@@ -0,0 +1,15 @@
++Makefile
++*.orig
++*.rej
++core
++config.h
++config.log
++config.status
++stamp-h1
++.emacs*
++*.o
++*~
++dh2048.h
++dh512.h
++pound
++poundctl
+diff --git a/config.c b/config.c
+index d41a3ee..e8fec0f 100644
+--- a/config.c
++++ b/config.c
+@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
+ }
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define general_name_string(n) \
++ strndup(ASN1_STRING_get0_data(n->d.dNSName), \
++ ASN1_STRING_length(n->d.dNSName) + 1)
++#else
++# define general_name_string(n) \
++ strndup(ASN1_STRING_data(n->d.dNSName), \
++ ASN1_STRING_length(n->d.dNSName) + 1)
++#endif
++
+ unsigned char **
+ get_subjectaltnames(X509 *x509, unsigned int *count)
+ {
+@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
+ name = sk_GENERAL_NAME_pop(san_stack);
+ switch(name->type) {
+ case GEN_DNS:
+- temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
+- + 1);
++ temp[local_count] = general_name_string(name);
+ if(temp[local_count] == NULL)
+ conf_err("out of memory");
+ local_count++;
+@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
+ pthread_mutex_init(&res->mut, NULL);
+ if(svc_name)
+ strncpy(res->name, svc_name, KEY_SIZE);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
+ #else
+ if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
+diff --git a/http.c b/http.c
+index dd211e4..c8e756a 100644
+--- a/http.c
++++ b/http.c
+@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
+
+ /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define clear_error()
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
++# define clear_error() \
++ if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
++#else
++# define clear_error() \
++ if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
++#endif
++
+ #define clean_all() { \
+ if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
+ if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
+ if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
+ if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
+- if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
++ clear_error(); \
+ }
+
+ /*
+diff --git a/pound.h b/pound.h
+index fa22c36..9603b91 100644
+--- a/pound.h
++++ b/pound.h
+@@ -344,7 +344,9 @@ typedef struct _tn {
+ /* maximal session key size */
+ #define KEY_SIZE 127
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ DEFINE_LHASH_OF(TABNODE);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ DECLARE_LHASH_OF(TABNODE);
+ #endif
+
+diff --git a/svc.c b/svc.c
+index 60ba488..063b92c 100644
+--- a/svc.c
++++ b/svc.c
+@@ -27,10 +27,17 @@
+
+ #include "pound.h"
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
++# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
++#else
+ #ifndef LHASH_OF
+ #define LHASH_OF(x) LHASH
+ #define CHECKED_LHASH_OF(type, h) h
+ #endif
++# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
++# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
++#endif
+
+ /*
+ * Add a new key/content pair to a hash table
+@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
+ }
+ memcpy(t->content, content, cont_len);
+ t->last_acc = time(NULL);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((old = lh_TABNODE_insert(tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
+ #else
+ if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
+@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
+ TABNODE t, *res;
+
+ t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
+ #else
+ if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
+@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
+ TABNODE t, *res;
+
+ t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
+ #else
+ if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
+@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
+ TABNODE *res;
+
+ if(t->last_acc < a->lim)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
+ #else
+ if((res = lh_delete(a->tab, t)) != NULL) {
+@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
++#endif
++
+ /*
+ * Expire all old nodes
+ */
+@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
+
+ a.tab = tab;
+ a.lim = lim;
+- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ down_load = TABNODE_GET_DOWN_LOAD(tab);
++ TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
+ #else
+ lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
+ #endif
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
++ TABNODE_SET_DOWN_LOAD(tab, down_load);
+ return;
+ }
+
+@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
+ TABNODE *res;
+
+ if(memcmp(t->content, arg->content, arg->cont_len) == 0)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
+ #else
+ if((res = lh_delete(arg->tab, t)) != NULL) {
+@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
+ a.tab = tab;
+ a.content = content;
+ a.cont_len = cont_len;
+- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ down_load = TABNODE_GET_DOWN_LOAD(tab);
++ TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
+ #else
+ lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
+ #endif
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
+- return;
++ TABNODE_SET_DOWN_LOAD(tab, down_load);
+ }
+
+ /*
+@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
+ return res;
+ }
+
++static int
++generate_key(RSA **ret_rsa, unsigned long bits)
++{
++#if OPENSSL_VERSION_NUMBER > 0x00908000L
++ int rc = 0;
++ RSA *rsa;
++
++ rsa = RSA_new();
++ if (rsa) {
++ BIGNUM *bne = BN_new();
++ if (BN_set_word(bne, RSA_F4))
++ rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
++ BN_free(bne);
++ if (rc)
++ *ret_rsa = rsa;
++ else
++ RSA_free(rsa);
++ }
++ return rc;
++#else
++ *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
++ return *ret_rsa != NULL;
++#endif
++}
++
+ /*
+ * Periodically regenerate ephemeral RSA keys
+ * runs every T_RSA_KEYS seconds
+@@ -1274,8 +1323,9 @@ do_RSAgen(void)
+ RSA *t_RSA1024_keys[N_RSA_KEYS];
+
+ for(n = 0; n < N_RSA_KEYS; n++) {
+- t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
+- t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
++ /* FIXME: Error handling */
++ generate_key(&t_RSA512_keys[n], 512);
++ generate_key(&t_RSA1024_keys[n], 1024);
+ }
+ if(ret_val = pthread_mutex_lock(&RSA_mut))
+ logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
+@@ -1329,11 +1379,11 @@ init_timer(void)
+ * Pre-generate ephemeral RSA keys
+ */
+ for(n = 0; n < N_RSA_KEYS; n++) {
+- if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
++ if(!generate_key(&RSA512_keys[n], 512)) {
+ logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
+ return;
+ }
+- if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
++ if(!generate_key(&RSA1024_keys[n], 1024)) {
+ logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
+ return;
+ }
+@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
++#endif
++
+ /*
+ * write sessions to the control socket
+ */
+@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
+
+ a.control_sock = control_sock;
+ a.backends = backends;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
+ #else
+ lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
+@@ -1664,6 +1720,13 @@ thr_control(void *arg)
+ }
+ }
+
++#ifndef SSL3_ST_SR_CLNT_HELLO_A
++# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
++#endif
++#ifndef SSL23_ST_SR_CLNT_HELLO_A
++# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
++#endif
++
+ void
+ SSLINFO_callback(const SSL *ssl, int where, int rc)
+ {