authorLeo <thinkabit.ukim@gmail.com>2019-06-16 00:56:09 -0300
committerLeo <thinkabit.ukim@gmail.com>2019-06-16 13:49:10 -0300
commit73141bd36be63dd76321f821978e8812ba1e0e8f (patch)
tree6f0a3ad67e691f10d2d389c1cb562c8e084b3a69
parentb4da27a91ad46de7323d0c699276ccbdebc9e399 (diff)
downloadaports-73141bd36be63dd76321f821978e8812ba1e0e8f.tar.gz
aports-73141bd36be63dd76321f821978e8812ba1e0e8f.tar.bz2
aports-73141bd36be63dd76321f821978e8812ba1e0e8f.tar.xz
testing/shellinabox: fix license, switch to OpenSSL
-rw-r--r--testing/shellinabox/APKBUILD13
-rw-r--r--testing/shellinabox/openssl-1.1.patch360
2 files changed, 368 insertions, 5 deletions
diff --git a/testing/shellinabox/APKBUILD b/testing/shellinabox/APKBUILD
index ae7a4ed3d3..1d97aee538 100644
--- a/testing/shellinabox/APKBUILD
+++ b/testing/shellinabox/APKBUILD
@@ -3,19 +3,21 @@
pkgname=shellinabox
_daemonname=${pkgname}d
pkgver=2.21
-pkgrel=0
+pkgrel=1
pkgdesc="Implementation of a web server that can export arbitrary command line tools to a web based terminal emulator"
url="https://github.com/shellinabox/shellinabox"
arch="all"
-license="GPL-2.0"
-makedepends="autoconf automake m4 libtool libressl-dev zlib-dev"
+license="GPL-2.0-or-later"
+makedepends="autoconf automake m4 libtool openssl-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-openrc"
pkgusers="$_daemonname"
pkggroups="$_daemonname"
install="$pkgname.pre-install"
source="http://slackware.co.nz/raspbian/raspbian/pool/main/s/$pkgname/${pkgname}_${pkgver}.tar.xz
$pkgname.initd
- $pkgname.confd"
+ $pkgname.confd
+ openssl-1.1.patch
+ "
builddir="$srcdir/$pkgname"
prepare() {
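Review bot: Switching `makedepends` to `openssl-dev` covers the build, but the new patch (registered in `source=` here) adds runtime dlopen() of `libssl.so.<SHLIB_VERSION_NUMBER>`, and a library that is dlopen()ed rather than linked is not picked up by abuild's automatic dependency tracing. If build() (outside this hunk) keeps upstream's runtime-loading default, the package should either add an explicit `depends=` on the OpenSSL runtime library or pass `--disable-runtime-loading` to configure so the dependency becomes a link-time one; worth confirming against build().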
@@ -50,4 +52,5 @@ package() {
sha512sums="284ce2d76daa6a3c57060e380a777befd69870e5fce52311e8dcf4e55ac57fb265662d9194915aeed7c842d2e9f10f9ab5bf4e9ae0afebee6c7650219459cc2b shellinabox_2.21.tar.xz
47206ce991f642e474387c5c00ee4fd8cae0c71da6075e3c62381bb75b46085c35767e817932da64a112b58535516fc620d089434e478c844b4cd7c62bdae654 shellinabox.initd
-2e0ef340d88cd62cac4c7c073bdcb79e2e88c77aab7e310daa4ae8b27c297b6138262762dae1f054928f02b38d4a8185dd9b357fd3f59a635c04697fd620cfef shellinabox.confd"
+2e0ef340d88cd62cac4c7c073bdcb79e2e88c77aab7e310daa4ae8b27c297b6138262762dae1f054928f02b38d4a8185dd9b357fd3f59a635c04697fd620cfef shellinabox.confd
+b3dfc8642408b65f0b271a49500950480fcce6cb173009694882096a352d0db52f7beb4f82f886a5c5ce0c00bac23744939a8965312bfff74b6127e288846e7d openssl-1.1.patch"
diff --git a/testing/shellinabox/openssl-1.1.patch b/testing/shellinabox/openssl-1.1.patch
new file mode 100644
index 0000000000..0e68d7b4be
--- /dev/null
+++ b/testing/shellinabox/openssl-1.1.patch
@@ -0,0 +1,360 @@
+From c32f3d365a0848eb6b3350ec521fcd4d1d098295 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Sun, 2 Sep 2018 19:01:28 -0300
+Subject: [PATCH] openssl 1.1 runtime-loading support, misc changes
+
+Added openssl 1.1.x support for runtime-loading.
+Some of the calls were renamed in openssl 1.1.0, so the table that
+handles runtime loading needed some adjustments to support them.
+
+Added option to prefer ChaCha20-Poly1305 over AES-256-GCM.
+This is important especially for SoC systems where CPU does not have
+AES-NI instructions.
+
+Added ECDSA suites to the ciphersuite ordering list.
+
+Added version to default soname when loading libssl & libcrypto. The
+unversioned lib{ssl,crypto}.so are not present in some distros, while the
+versioned file always have to be there. Besides, when compiled with
+openssl 1.0.x, shellinabox will not run with 1.1.x and vice-versa, and
+the system may have more than one version installed.
+Adding the version to the file avoids picking out the wrong one.
+Allow the name to be defined at compile-time as well.
+
+Allowed automatic EC curve choice for openssl >= 1.1.0, instead of
+always setting P-256.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+---
+ configure.ac | 11 +++++++++
+ libhttp/ssl.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++---
+ libhttp/ssl.h | 34 ++++++++++++++++++++++++++++
+ 3 files changed, 104 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 05ab1bb..5fa918d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -138,6 +138,17 @@ AC_ARG_ENABLE(runtime-loading,
+ these libraries into the binary, thus making them a
+ hard dependency, then disable runtime-loading.])
+
++dnl This changes the order of the top ciphersuites
++AC_ARG_ENABLE(prefer-chacha,
++ [ --enable-prefer-chacha Prefer ChaCha20-Poly1305 ciphersuites over
++ AES256-GCM. For processors without AES-NI or
++ similar capabilities, ChaCha20-Poly1305 is 3 times
++ faster than AES, with an equivalent strength.])
++if test "x$enable_prefer_chacha" == xyes; then
++ AC_DEFINE(SHELLINABOX_USE_CHACHA_FIRST, 1,
++ Set if you want to prefer Chacha20-Poly1305 over AES-GCM)
++fi
++
+ dnl This is feature is not suported in some standard C libs. So users can use
+ dnl this switch to avoid compile and runtime problems. Note that utmp must
+ dnl disabled on systems with musl libc.
+diff --git a/libhttp/ssl.c b/libhttp/ssl.c
+index 6d09035..609d4e5 100644
+--- a/libhttp/ssl.c
++++ b/libhttp/ssl.c
+@@ -117,6 +117,9 @@ SSL_CTX * (*SSL_CTX_new)(SSL_METHOD *);
+ int (*SSL_CTX_set_cipher_list)(SSL_CTX *, const char *);
+ void (*SSL_CTX_set_info_callback)(SSL_CTX *,
+ void (*)(const SSL *, int, int));
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++unsigned long (*SSL_CTX_set_options)(SSL_CTX *, unsigned long);
++#endif
+ int (*SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int);
+ int (*SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *,
+ const unsigned char *, long);
+@@ -130,7 +133,9 @@ void * (*SSL_get_ex_data)(const SSL *, int);
+ BIO * (*SSL_get_rbio)(const SSL *);
+ const char * (*SSL_get_servername)(const SSL *, int);
+ BIO * (*SSL_get_wbio)(const SSL *);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ int (*SSL_library_init)(void);
++#endif
+ SSL * (*SSL_new)(SSL_CTX *);
+ int (*SSL_read)(SSL *, void *, int);
+ SSL_CTX * (*SSL_set_SSL_CTX)(SSL *, SSL_CTX *);
+@@ -139,10 +144,16 @@ void (*SSL_set_bio)(SSL *, BIO *, BIO *);
+ int (*SSL_set_ex_data)(SSL *, int, void *);
+ int (*SSL_shutdown)(SSL *);
+ int (*SSL_write)(SSL *, const void *, int);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_METHOD * (*SSLv23_server_method)(void);
++#else
++SSL_METHOD * (*TLS_server_method)(void);
++#endif
+ X509 * (*d2i_X509)(X509 **px, const unsigned char **in, int len);
+ void (*X509_free)(X509 *a);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ void (*x_sk_zero)(void *st);
++#endif
+ void * (*x_SSL_COMP_get_compression_methods)(void);
+ #endif
+
+@@ -208,7 +219,7 @@ static int maybeLoadCrypto(void) {
+ // The feature is currently disabled.
+ const char* path_libcrypto = NULL; // getenv ("SHELLINABOX_LIBCRYPTO_SO");
+ if (path_libcrypto == NULL)
+- path_libcrypto = "libcrypto.so";
++ path_libcrypto = DEFAULT_LIBCRYPTO_SO;
+
+ if (!crypto++) {
+ #ifdef RTLD_NOLOAD
+@@ -267,8 +278,8 @@ static void loadSSL(void) {
+ // The feature is currently disabled.
+ const char* path_libssl = NULL; // = getenv ("SHELLINABOX_LIBSSL_SO");
+ if (path_libssl == NULL)
+- path_libssl = "libssl.so";
+- check(!SSL_library_init);
++ path_libssl = DEFAULT_LIBSSL_SO;
++ check(!SSL_CTX_new);
+ struct {
+ union {
+ void *avoid_gcc_warning_about_type_punning;
+@@ -299,6 +310,9 @@ static void loadSSL(void) {
+ { { &SSL_CTX_new }, "SSL_CTX_new" },
+ { { &SSL_CTX_set_cipher_list }, "SSL_CTX_set_cipher_list" },
+ { { &SSL_CTX_set_info_callback }, "SSL_CTX_set_info_callback" },
++#if OPENSSL_VERSION_NUMBER > 0x10100000L
++ { { &SSL_CTX_set_options }, "SSL_CTX_set_options" },
++#endif
+ { { &SSL_CTX_use_PrivateKey_file }, "SSL_CTX_use_PrivateKey_file" },
+ { { &SSL_CTX_use_PrivateKey_ASN1 }, "SSL_CTX_use_PrivateKey_ASN1" },
+ { { &SSL_CTX_use_certificate_file },"SSL_CTX_use_certificate_file"},
+@@ -312,7 +326,9 @@ static void loadSSL(void) {
+ { { &SSL_get_servername }, "SSL_get_servername" },
+ #endif
+ { { &SSL_get_wbio }, "SSL_get_wbio" },
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ { { &SSL_library_init }, "SSL_library_init" },
++#endif
+ { { &SSL_new }, "SSL_new" },
+ { { &SSL_read }, "SSL_read" },
+ #ifdef HAVE_TLSEXT
+@@ -323,10 +339,16 @@ static void loadSSL(void) {
+ { { &SSL_set_ex_data }, "SSL_set_ex_data" },
+ { { &SSL_shutdown }, "SSL_shutdown" },
+ { { &SSL_write }, "SSL_write" },
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ { { &SSLv23_server_method }, "SSLv23_server_method" },
++#else
++ { { &TLS_server_method }, "TLS_server_method" },
++#endif
+ { { &d2i_X509 }, "d2i_X509" },
+ { { &X509_free }, "X509_free" },
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ { { &x_sk_zero }, "sk_zero" }
++#endif
+ };
+ for (unsigned i = 0; i < sizeof(symbols)/sizeof(symbols[0]); i++) {
+ if (!(*symbols[i].var = loadSymbol(path_libssl, symbols[i].fn))) {
+@@ -343,7 +365,9 @@ static void loadSSL(void) {
+ // ends
+
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
++#endif
+ dcheck(!ERR_peek_error());
+ debug("[ssl] Loaded SSL suppport...");
+ }
+@@ -351,7 +375,11 @@ static void loadSSL(void) {
+
+ int serverSupportsSSL(void) {
+ #if defined(HAVE_OPENSSL) && !defined(HAVE_DLOPEN)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ return SSL_library_init();
++#else
++ return 1;
++#endif
+ #else
+ #if defined(HAVE_OPENSSL)
+ // We want to call loadSSL() exactly once. For single-threaded applications,
+@@ -372,7 +400,11 @@ int serverSupportsSSL(void) {
+ loadSSL();
+ }
+ }
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ return !!SSL_library_init;
++#else
++ return 1;
++#endif
+ #else
+ return 0;
+ #endif
+@@ -623,7 +655,11 @@ static void sslInfoCallback(const SSL *sslHndl, int type, int val) {
+ static SSL_CTX *sslMakeContext(void) {
+
+ SSL_CTX *context;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ check(context = SSL_CTX_new(SSLv23_server_method()));
++#else
++ check(context = SSL_CTX_new(TLS_server_method()));
++#endif
+
+ long options = SSL_OP_ALL;
+ options |= SSL_OP_NO_SSLv2;
+@@ -641,6 +677,7 @@ static SSL_CTX *sslMakeContext(void) {
+ // Set default SSL options.
+ SSL_CTX_set_options(context, options);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ // Workaround for SSL_OP_NO_COMPRESSION with older OpenSSL versions.
+ #ifdef HAVE_DLOPEN
+ if (SSL_COMP_get_compression_methods) {
+@@ -648,6 +685,7 @@ static SSL_CTX *sslMakeContext(void) {
+ }
+ #elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++#endif
+ #endif
+
+ // For Perfect Forward Secrecy (PFS) support we need to enable some additional
+@@ -657,21 +695,39 @@ static SSL_CTX *sslMakeContext(void) {
+ SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L /* openssl 1.1 does this automatically */
+ EC_KEY *ecKey;
+ check(ecKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ SSL_CTX_set_tmp_ecdh(context, ecKey);
+ EC_KEY_free(ecKey);
++#endif
+
+ debug("[ssl] Support for PFS enabled...");
+ #endif
+
+ check(SSL_CTX_set_cipher_list(context,
++#ifdef SHELLINABOX_USE_CHACHA_FIRST
++ "ECDHE-ECDSA-CHACHA20-POLY1305:"
++ "ECDHE-RSA-CHACHA20-POLY1305:"
++ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
++#else
++ "ECDHE-ECDSA-AES256-GCM-SHA384:"
++ "ECDHE-RSA-AES256-GCM-SHA384:"
++ "ECDHE-ECDSA-CHACHA20-POLY1305:"
++ "ECDHE-RSA-CHACHA20-POLY1305:"
++#endif
++ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
++ "ECDHE-ECDSA-AES256-SHA384:"
+ "ECDHE-RSA-AES256-SHA384:"
++ "ECDHE-ECDSA-AES128-SHA256:"
+ "ECDHE-RSA-AES128-SHA256:"
++ "ECDHE-ECDSA-AES256-SHA:"
+ "ECDHE-RSA-AES256-SHA:"
++ "ECDHE-ECDSA-AES128-SHA:"
+ "ECDHE-RSA-AES128-SHA:"
++ "ECDHE-ECDSA-DES-CBC3-SHA:"
+ "ECDHE-RSA-DES-CBC3-SHA:"
+ "HIGH:MEDIUM:!RC4:!aNULL:!MD5"));
+
+diff --git a/libhttp/ssl.h b/libhttp/ssl.h
+index 9fbac63..7c3a23d 100644
+--- a/libhttp/ssl.h
++++ b/libhttp/ssl.h
+@@ -57,6 +57,7 @@
+ #include <openssl/bio.h>
+ #include <openssl/err.h>
+ #include <openssl/ssl.h>
++#include <openssl/safestack.h>
+ #else
+ #undef HAVE_OPENSSL
+ typedef struct BIO BIO;
+@@ -77,6 +78,17 @@ typedef struct X509 X509;
+ #endif
+
+ #if defined(HAVE_DLOPEN)
++#if !defined(DEFAULT_LIBCRYPTO_SO) || !defined(DEFAULT_LIBSSL_SO)
++#undef DEFAULT_LIBCRYPTO_SO
++#undef DEFAULT_LIBSSL_SO
++#ifdef SHLIB_VERSION_NUMBER
++#define DEFAULT_LIBCRYPTO_SO "libcrypto.so." SHLIB_VERSION_NUMBER
++#define DEFAULT_LIBSSL_SO "libssl.so." SHLIB_VERSION_NUMBER
++#else
++#define DEFAULT_LIBCRYPTO_SO "libcrypto.so"
++#define DEFAULT_LIBSSL_SO "libssl.so"
++#endif
++#endif
+ extern long (*x_BIO_ctrl)(BIO *, int, long, void *);
+ extern BIO_METHOD *(*x_BIO_f_buffer)(void);
+ extern void (*x_BIO_free_all)(BIO *);
+@@ -99,6 +111,9 @@ extern SSL_CTX*(*x_SSL_CTX_new)(SSL_METHOD *);
+ extern int (*x_SSL_CTX_set_cipher_list)(SSL_CTX *, const char *);
+ extern void (*x_SSL_CTX_set_info_callback)(SSL_CTX *,
+ void (*)(const SSL *, int, int));
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++extern unsigned long (*x_SSL_CTX_set_options)(SSL_CTX *, unsigned long);
++#endif
+ extern int (*x_SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int);
+ extern int (*x_SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *,
+ const unsigned char *, long);
+@@ -112,7 +127,9 @@ extern void *(*x_SSL_get_ex_data)(const SSL *, int);
+ extern BIO *(*x_SSL_get_rbio)(const SSL *);
+ extern const char *(*x_SSL_get_servername)(const SSL *, int);
+ extern BIO *(*x_SSL_get_wbio)(const SSL *);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ extern int (*x_SSL_library_init)(void);
++#endif
+ extern SSL *(*x_SSL_new)(SSL_CTX *);
+ extern int (*x_SSL_read)(SSL *, void *, int);
+ extern SSL_CTX*(*x_SSL_set_SSL_CTX)(SSL *, SSL_CTX *);
+@@ -121,10 +138,16 @@ extern void (*x_SSL_set_bio)(SSL *, BIO *, BIO *);
+ extern int (*x_SSL_set_ex_data)(SSL *, int, void *);
+ extern int (*x_SSL_shutdown)(SSL *);
+ extern int (*x_SSL_write)(SSL *, const void *, int);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ extern SSL_METHOD *(*x_SSLv23_server_method)(void);
++#else
++extern SSL_METHOD *(*x_TLS_server_method)(void);
++#endif
+ extern X509 * (*x_d2i_X509)(X509 **px, const unsigned char **in, int len);
+ extern void (*x_X509_free)(X509 *a);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ extern void (*x_sk_zero)(void *st);
++#endif
+ extern void *(*x_SSL_COMP_get_compression_methods)(void);
+
+ #define BIO_ctrl x_BIO_ctrl
+@@ -146,6 +169,9 @@ extern void *(*x_SSL_COMP_get_compression_methods)(void);
+ #define SSL_CTX_new x_SSL_CTX_new
+ #define SSL_CTX_set_cipher_list x_SSL_CTX_set_cipher_list
+ #define SSL_CTX_set_info_callback x_SSL_CTX_set_info_callback
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#define SSL_CTX_set_options x_SSL_CTX_set_options
++#endif
+ #define SSL_CTX_use_PrivateKey_file x_SSL_CTX_use_PrivateKey_file
+ #define SSL_CTX_use_PrivateKey_ASN1 x_SSL_CTX_use_PrivateKey_ASN1
+ #define SSL_CTX_use_certificate_file x_SSL_CTX_use_certificate_file
+@@ -157,7 +183,9 @@ extern void *(*x_SSL_COMP_get_compression_methods)(void);
+ #define SSL_get_rbio x_SSL_get_rbio
+ #define SSL_get_servername x_SSL_get_servername
+ #define SSL_get_wbio x_SSL_get_wbio
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define SSL_library_init x_SSL_library_init
++#endif
+ #define SSL_new x_SSL_new
+ #define SSL_read x_SSL_read
+ #define SSL_set_SSL_CTX x_SSL_set_SSL_CTX
+@@ -166,10 +194,16 @@ extern void *(*x_SSL_COMP_get_compression_methods)(void);
+ #define SSL_set_ex_data x_SSL_set_ex_data
+ #define SSL_shutdown x_SSL_shutdown
+ #define SSL_write x_SSL_write
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define SSLv23_server_method x_SSLv23_server_method
++#else
++#define TLS_server_method x_TLS_server_method
++#endif
+ #define d2i_X509 x_d2i_X509
+ #define X509_free x_X509_free
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define sk_zero x_sk_zero
++#endif
+ #define SSL_COMP_get_compression_methods x_SSL_COMP_get_compression_methods
+
+ #undef BIO_set_buffer_read_data
+
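Review bot: The loader-table entry for `SSL_CTX_set_options` is guarded by `#if OPENSSL_VERSION_NUMBER > 0x10100000L` while its declaration in ssl.c, the `extern` in ssl.h and the `#define SSL_CTX_set_options x_SSL_CTX_set_options` all use `>= 0x10100000L`; on a build where the value is exactly 0x10100000L the macro would alias to a pointer that is never loaded and the unconditional `SSL_CTX_set_options(context, options)` in sslMakeContext would call NULL. That only bites a pre-release 1.1.0 header, but the fix is free: `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` on the table entry. Separately, the reworked cipher list adds `ECDHE-ECDSA-DES-CBC3-SHA` next to the pre-existing `ECDHE-RSA-DES-CBC3-SHA`; 64-bit block ciphers are disabled by current TLS guidance, so both suites could be dropped (or the list could end with `:!3DES`) while it is being touched. Since this is a vendored upstream commit, either change is best carried upstream or as a separate delta rather than by editing this patch file in place.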