diff options
| author | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-27 22:20:46 +0200 |
|---|---|---|
| committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-28 00:07:36 +0200 |
| commit | 215d3bd9c652d0fff573a50a616e66af3aa23ca9 (patch) | |
| tree | 0131c2ab578d2fd671c9d6f20a96816612ee1ebc /main/libressl | |
| parent | 4a50fb4c185720f75db4deed293d7550c15494cd (diff) | |
| download | aports-215d3bd9c652d0fff573a50a616e66af3aa23ca9.tar.bz2 aports-215d3bd9c652d0fff573a50a616e66af3aa23ca9.tar.xz | |
main/libressl: add options -verify_{hostname,email,ip} to s_client
Diffstat (limited to 'main/libressl')
| -rw-r--r-- | main/libressl/APKBUILD | 6 | ||||
| -rw-r--r-- | main/libressl/s_client-add-options-verify_.patch | 71 |
2 files changed, 75 insertions, 2 deletions
diff --git a/main/libressl/APKBUILD b/main/libressl/APKBUILD index 222d7f72c9..bbe96d849b 100644 --- a/main/libressl/APKBUILD +++ b/main/libressl/APKBUILD @@ -9,7 +9,7 @@ pkgname=libressl pkgver=2.7.3 _namever=${pkgname}${pkgver%.*} -pkgrel=0 +pkgrel=1 pkgdesc="Version of the TLS/crypto stack forked from OpenSSL" url="http://www.libressl.org/" arch="all" @@ -24,6 +24,7 @@ subpackages="$pkgname-dbg $_namever-libcrypto:_libs $_namever-libssl:_libs source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz starttls-ldap.patch ssl-libcompat.patch + s_client-add-options-verify_.patch " builddir="$srcdir/$pkgname-$pkgver" @@ -83,4 +84,5 @@ _libs() { sha512sums="5fafff32bc4effa98c00278206f0aeca92652c6a8101b2c5da3904a5a3deead2d1e3ce979c644b8dc6060ec216eb878a5069324a0396c0b1d7b6f8169d509e9b libressl-2.7.3.tar.gz 9f1628fbc2a697b6570353920d784b161ca0a122047066d8bee15225bad1e5271aa2ed72b145506bcd4ffe58b35da2caf38c4a048db7e014dabd16b5eba44581 starttls-ldap.patch -ef8150843f5aae577a859198439673591764fb3ab1da03436607328962f084356fd7f793484c3ad5f2294bd9e8dad15644c311b0da811acbc83eed4b71c0145a ssl-libcompat.patch" +ef8150843f5aae577a859198439673591764fb3ab1da03436607328962f084356fd7f793484c3ad5f2294bd9e8dad15644c311b0da811acbc83eed4b71c0145a ssl-libcompat.patch +4c992872addbe4fd612ba9e3f859b5ba69b448aafa7676751ca7ca09bbcfc47a2a1cad468c235f8d1a65c65e8efb38f27c512a32b444346c39ec0d8dcfbcd346 s_client-add-options-verify_.patch" diff --git a/main/libressl/s_client-add-options-verify_.patch b/main/libressl/s_client-add-options-verify_.patch new file mode 100644 index 0000000000..24048cea9e --- /dev/null +++ b/main/libressl/s_client-add-options-verify_.patch @@ -0,0 +1,71 @@ +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Sun, 27 May 2018 22:08:00 +0200 +Subject: [PATCH] s_client: Add options -verify_{hostname,email,ip} + +This code is ported from OpenSSL 1.0.2o. We need it for Busybox wget. + +--- a/apps/openssl/apps.c ++++ b/apps/openssl/apps.c +@@ -1845,6 +1845,9 @@ + char **oldargs = *pargs; + char *arg = **pargs, *argn = (*pargs)[1]; + time_t at_time = 0; ++ char *hostname = NULL; ++ char *email = NULL; ++ char *ipasc = NULL; + const char *errstr = NULL; + + if (!strcmp(arg, "-policy")) { +@@ -1905,6 +1908,21 @@ + at_time = (time_t) timestamp; + } + (*pargs)++; ++ } else if (strcmp(arg, "-verify_hostname") == 0) { ++ if (!argn) ++ *badarg = 1; ++ hostname = argn; ++ (*pargs)++; ++ } else if (strcmp(arg, "-verify_email") == 0) { ++ if (!argn) ++ *badarg = 1; ++ email = argn; ++ (*pargs)++; ++ } else if (strcmp(arg, "-verify_ip") == 0) { ++ if (!argn) ++ *badarg = 1; ++ ipasc = argn; ++ (*pargs)++; + } else if (!strcmp(arg, "-ignore_critical")) + flags |= X509_V_FLAG_IGNORE_CRITICAL; + else if (!strcmp(arg, "-issuer_checks")) +@@ -1958,6 +1976,15 @@ + + if (at_time) + X509_VERIFY_PARAM_set_time(*pm, at_time); ++ ++ if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0)) ++ *badarg = 1; ++ ++ if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0)) ++ *badarg = 1; ++ ++ if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc)) ++ *badarg = 1; + + end: + (*pargs)++; +--- a/apps/openssl/s_client.c ++++ b/apps/openssl/s_client.c +@@ -200,8 +200,12 @@ + BIO_printf(bio_err, " -port port - use -connect instead\n"); + BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR); + BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n"); ++ BIO_printf(bio_err, " -verify_hostname host - check peer certificate matches \"host\"\n"); ++ BIO_printf(bio_err, " -verify_email email - check peer certificate matches \"email\"\n"); ++ BIO_printf(bio_err, " -verify_ip ipaddr - check peer certificate matches \"ipaddr\"\n"); + + BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); ++ BIO_printf(bio_err, " -verify_return_error - return verification errors\n"); + BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n"); + BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); + BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n"); |