Commit b8e97808 authored by Ariadne Conill's avatar Ariadne Conill

testing/libtls-standalone: new aport

libtls extricated from libressl, built against openssl.
also, probably one of the ugliest hacks i have ever done.
parent af1db7f2
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=libtls-standalone
pkgver=2.7.4
_namever=${pkgname}${pkgver%.*}
pkgrel=0
pkgdesc="libtls extricated from libressl sources"
url="http://www.libressl.org/"
arch="all"
license="ISC"
depends=""
makedepends="libbsd-dev openssl-dev"
replaces="libressl-libtls libressl2.7-libtls"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc"
source="https://ftp.openbsd.org/pub/OpenBSD/libressl/libressl-$pkgver.tar.gz
Makefile
tls_compat.c
tls_compat.h
test_program.c
libtls-ciphers.patch
"
libressl_src="$srcdir/libressl-$pkgver"
builddir="$srcdir"
prepare() {
cd "$builddir"
rm -rf "$libressl_src"/include/openssl
cd "$libressl_src"
patch -p1 < "$srcdir"/libtls-ciphers.patch
}
build() {
cd "$builddir"
make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}"
}
check() {
cd "$builddir"
make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" check
}
package() {
cd "$builddir"
make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" DESTDIR="${pkgdir}" install
install -Dm644 "${libressl_src}"/COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
sha512sums="1cd82a1bff4f655251b5feb0c850f4164e0fd548e4b404407370f74dcc75c205f42efc7787a157eecac84cbbe46af48cb63f46b3fef75f4a0a9ea19a5863a691 libressl-2.7.4.tar.gz
28e08af50fbcb286d413a2df2b063ee90675561c1501d24d33e17c142b85f404a27c4954644d65e367c925981e514dcaad6d311c768162cd02f3eea0db15d14d Makefile
b08c24948c18ba85472693f429dc8c7732aeebdea447e9e57a5be19b8c37d18dec0775159236b8b07bd1e40b57e9dc632b838c5d40d96d631f24d713ccd1ae1f tls_compat.c
c73352962a76ca5cba571f4b8b4decaff86849c737893523198b696ab808934a10df9dc42c4cece7640e007dcc1b4f5778cdf04b498fec5c058a4c9a2206c749 tls_compat.h
71d36fe25c95a0a45497e3f699b01dddcaae9053dd1b1e2419df94272c47024cf6516c51c902129201061601b04a72551904b15a332a4cf53358983b5db73618 test_program.c
21a0f62eb76bb7737ebc3fe96de844831a237e09ff46886267c3d1ec4612a5a5de4534e84b2548c640b0f6d19c414d22d6c495b03bee6b437cfa171aa82c3198 libtls-ciphers.patch"
PREFIX = /usr/local
EXEC_PREFIX = ${PREFIX}
LIBDIR = ${PREFIX}/lib
INCLUDEDIR = ${PREFIX}/include
LIBRESSL_VERSION = 1.0
LIBTLS_SOVERSION = 17
LIBTLS_FULLVERSION = 17.0.1
OPENSSL_CFLAGS = $(shell pkgconf openssl --cflags)
OPENSSL_LIBS = $(shell pkgconf openssl --libs)
CFLAGS = -Wall -Wno-pointer-sign -fPIC -DPIC -shared -include tls_compat.h -isystem ${LIBRESSL_SRCDIR}/include/compat ${OPENSSL_CFLAGS} -I ${LIBRESSL_SRCDIR}/include \
-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=
LDFLAGS = -fPIC -DPIC -shared -Wl,-soname,libtls.so.${LIBTLS_SOVERSION} ${OPENSSL_LIBS}
SOURCES = \
tls_compat.c \
${LIBRESSL_SRCDIR}/tls/tls.c \
${LIBRESSL_SRCDIR}/tls/tls_bio_cb.c \
${LIBRESSL_SRCDIR}/tls/tls_client.c \
${LIBRESSL_SRCDIR}/tls/tls_config.c \
${LIBRESSL_SRCDIR}/tls/tls_conninfo.c \
${LIBRESSL_SRCDIR}/tls/tls_keypair.c \
${LIBRESSL_SRCDIR}/tls/tls_ocsp.c \
${LIBRESSL_SRCDIR}/tls/tls_peer.c \
${LIBRESSL_SRCDIR}/tls/tls_server.c \
${LIBRESSL_SRCDIR}/tls/tls_util.c \
${LIBRESSL_SRCDIR}/tls/tls_verify.c \
${LIBRESSL_SRCDIR}/crypto/compat/arc4random.c \
${LIBRESSL_SRCDIR}/crypto/compat/arc4random_uniform.c \
${LIBRESSL_SRCDIR}/crypto/compat/freezero.c \
${LIBRESSL_SRCDIR}/crypto/compat/reallocarray.c \
${LIBRESSL_SRCDIR}/crypto/compat/timingsafe_memcmp.c
OBJECTS = ${SOURCES:.c=.o}
all: dumpconfig libtls.so.${LIBTLS_FULLVERSION} libtls.pc
dumpconfig:
@echo "Building with:"
@echo " LIBRESSL_SRCDIR = ${LIBRESSL_SRCDIR}"
@echo " OPENSSL_CFLAGS = ${OPENSSL_CFLAGS}"
@echo " OPENSSL_LIBS = ${OPENSSL_LIBS}"
.c.o:
${CC} ${CFLAGS} -o $@ -c $<
libtls.so.${LIBTLS_FULLVERSION}: ${OBJECTS}
${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJECTS} ${OPENSSL_LIBS}
check: test_program
LD_PRELOAD=./libtls.so.${LIBTLS_FULLVERSION} ./test_program
test_program: test_program.c
${CC} -I${LIBRESSL_SRCDIR}/include -o $@ test_program.c ./libtls.so.${LIBTLS_FULLVERSION}
clean:
rm -f ${OBJECTS}
rm -f libtls.so.${LIBTLS_FULLVERSION}
rm -f test_program
install:
install -D -m755 libtls.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls.so.${LIBTLS_FULLVERSION}
ln -sf libtls.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls.so.${LIBTLS_SOVERSION}
install -D -m644 ${LIBRESSL_SRCDIR}/include/tls.h ${DESTDIR}${PREFIX}/include/tls.h
install -D -m644 libtls.pc ${DESTDIR}${PREFIX}/lib/pkgconfig/libtls.pc
libtls.pc: ${LIBRESSL_SRCDIR}/libtls.pc.in
sed -e s:@prefix@:${PREFIX}:g \
-e s:@exec_prefix@:${EXEC_PREFIX}:g \
-e s:@libdir@:${LIBDIR}:g \
-e s:@includedir@:${INCLUDEDIR}:g \
-e s:@LIBS@:-ltls:g \
-e s:@PLATFORM_LDADD@::g \
-e s:@VERSION@:${LIBRESSL_VERSION}:g \
${LIBRESSL_SRCDIR}/libtls.pc.in > libtls.pc
.DUMMY: check dumpconfig clean install
--- libressl-2.7.4.orig/tls/tls_internal.h
+++ libressl-2.7.4/tls/tls_internal.h
@@ -30,10 +30,10 @@
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
#endif
-#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
#define TLS_CIPHERS_COMPAT "HIGH:!aNULL"
#define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL"
#define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
+#define TLS_CIPHERS_DEFAULT TLS_CIPHERS_COMPAT
#define TLS_ECDHE_CURVES "X25519,P-256,P-384"
--- libressl-2.7.4.orig/tls/tls_internal.h
+++ libressl-2.7.4/tls/tls_internal.h
@@ -35,7 +35,7 @@
#define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
#define TLS_CIPHERS_DEFAULT TLS_CIPHERS_COMPAT
-#define TLS_ECDHE_CURVES "X25519,P-256,P-384"
+#define TLS_ECDHE_CURVES "P-256,P-384"
union tls_addr {
struct in_addr ip4;
#include <stdlib.h>
#include <assert.h>
#include <tls.h>
int
main(int argc, const char *argv[])
{
assert(tls_init() == 0);
return EXIT_SUCCESS;
}
/*
* Copyright (c) 2016 Tai Chi Minh Ralph Eastwood <tcmreastwood@gmail.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <openssl/opensslv.h>
#include <openssl/x509_vfy.h>
#include <openssl/ssl.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <ctype.h>
int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
{
char fname[] = "/tmp/libtlscompatXXXXXX";
int rc;
int fd;
fd = mkstemp(fname);
if (fd < 0)
return -1;
do {
ssize_t wrote = write(fd, buf, len);
if(wrote == -1) {
break;
} else {
buf = (char *)buf + wrote;
len -= wrote;
}
} while(len);
close(fd);
rc = SSL_CTX_load_verify_locations(ctx, fname, NULL);
remove(fname);
return rc;
}
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
int
SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, char *buf, off_t len)
{
int ret;
BIO*in;
X509*x;
X509*ca;
unsigned long err;
ret = 0;
x = ca = NULL;
if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
goto end;
}
if ((x = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata)) == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto end;
}
if (!SSL_CTX_use_certificate(ctx, x) || ERR_peek_error() != 0)
goto end;
/* If we could set up our certificate, now proceed to
* the CA certificates.
*/
if (ctx->extra_certs != NULL) {
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
while ((ca = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata)) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
goto end;
}
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
ERR_clear_error();
else
goto end;
ret = 1;
end:
if (ca != NULL)
X509_free(ca);
if (x != NULL)
X509_free(x);
if (in != NULL)
BIO_free(in);
return (ret);
}
/*
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Parse an RFC 5280 format ASN.1 time string.
*
* mode must be:
* 0 if we expect to parse a time as specified in RFC 5280 from an X509 object.
* V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time.
* V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time.
*
* Returns:
* -1 if the string was invalid.
* V_ASN1_UTCTIME if the string validated as a UTC time string.
* V_ASN1_GENERALIZEDTIME if the string validated as a Generalized time string.
*
* Fills in *tm with the corresponding time if tm is non NULL.
*/
#define GENTIME_LENGTH 15
#define UTCTIME_LENGTH 13
#define ATOI2(ar) ((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0'))
int
ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
{
size_t i;
int type = 0;
struct tm ltm;
struct tm *lt;
const char *p;
if (bytes == NULL)
return (-1);
/* Constrain to valid lengths. */
if (len != UTCTIME_LENGTH && len != GENTIME_LENGTH)
return (-1);
lt = tm;
if (lt == NULL) {
memset(&ltm, 0, sizeof(ltm));
lt = &ltm;
}
/* Timezone is required and must be GMT (Zulu). */
if (bytes[len - 1] != 'Z')
return (-1);
/* Make sure everything else is digits. */
for (i = 0; i < len - 1; i++) {
if (isdigit((unsigned char)bytes[i]))
continue;
return (-1);
}
/*
* Validate and convert the time
*/
p = bytes;
switch (len) {
case GENTIME_LENGTH:
if (mode == V_ASN1_UTCTIME)
return (-1);
lt->tm_year = (ATOI2(p) * 100) - 1900; /* cc */
type = V_ASN1_GENERALIZEDTIME;
/* FALLTHROUGH */
case UTCTIME_LENGTH:
if (type == 0) {
if (mode == V_ASN1_GENERALIZEDTIME)
return (-1);
type = V_ASN1_UTCTIME;
}
lt->tm_year += ATOI2(p); /* yy */
if (type == V_ASN1_UTCTIME) {
if (lt->tm_year < 50)
lt->tm_year += 100;
}
lt->tm_mon = ATOI2(p) - 1; /* mm */
if (lt->tm_mon < 0 || lt->tm_mon > 11)
return (-1);
lt->tm_mday = ATOI2(p); /* dd */
if (lt->tm_mday < 1 || lt->tm_mday > 31)
return (-1);
lt->tm_hour = ATOI2(p); /* HH */
if (lt->tm_hour < 0 || lt->tm_hour > 23)
return (-1);
lt->tm_min = ATOI2(p); /* MM */
if (lt->tm_min < 0 || lt->tm_min > 59)
return (-1);
lt->tm_sec = ATOI2(p); /* SS */
/* Leap second 60 is not accepted. Reconsider later? */
if (lt->tm_sec < 0 || lt->tm_sec > 59)
return (-1);
break;
default:
return (-1);
}
return (type);
}
int
SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen)
{
return 1;
}
/* $OpenBSD: a_time_tm.c,v 1.14 2017/08/28 17:42:47 jsing Exp $ */
/*
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <openssl/asn1t.h>
#include <openssl/err.h>
#define RFC5280 0
#define GENTIME_LENGTH 15
#define UTCTIME_LENGTH 13
int
ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2)
{
if (tm1->tm_year < tm2->tm_year)
return (-1);
if (tm1->tm_year > tm2->tm_year)
return (1);
if (tm1->tm_mon < tm2->tm_mon)
return (-1);
if (tm1->tm_mon > tm2->tm_mon)
return (1);
if (tm1->tm_mday < tm2->tm_mday)
return (-1);
if (tm1->tm_mday > tm2->tm_mday)
return (1);
if (tm1->tm_hour < tm2->tm_hour)
return (-1);
if (tm1->tm_hour > tm2->tm_hour)
return (1);
if (tm1->tm_min < tm2->tm_min)
return (-1);
if (tm1->tm_min > tm2->tm_min)
return (1);
if (tm1->tm_sec < tm2->tm_sec)
return (-1);
if (tm1->tm_sec > tm2->tm_sec)
return (1);
return 0;
}
int
ASN1_time_tm_clamp_notafter(struct tm *tm)
{
if (sizeof(time_t) < 8) {
struct tm broken_os_epoch_tm;
time_t broken_os_epoch_time = INT_MAX;
if (gmtime_r(&broken_os_epoch_time, &broken_os_epoch_tm) == NULL)
return 0;
if (ASN1_time_tm_cmp(tm, &broken_os_epoch_tm) == 1)
memcpy(tm, &broken_os_epoch_tm, sizeof(*tm));
}
return 1;
}
#include <openssl/opensslv.h>
#include <openssl/x509_vfy.h>
#ifndef LIBTLS_TLS_COMPAT_H
#define LIBTLS_TLS_COMPAT_H
#ifndef X509_V_FLAG_NO_CHECK_TIME
#define X509_V_FLAG_NO_CHECK_TIME 0
#endif
#ifndef SSL_OP_NO_CLIENT_RENEGOTIATION
#define SSL_OP_NO_CLIENT_RENEGOTIATION 0
#endif
int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
int ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode);
int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, char *buf, off_t);
int SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen);
#define SSL_CTX_set_dh_auto(...)
#endif
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment