authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-09-02 15:21:36 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-09-18 17:09:10 +0300
commitaa689f8ff293eb3715b96cd392647bf6e4dee5e1 (patch)
tree734a21b917a9055aa41500fef33c3dcdcd72f127 /main/libressl
parent60bc67873b49547112a3935e927feee225c57f6e (diff)
downloadaports-aa689f8ff293eb3715b96cd392647bf6e4dee5e1.tar.bz2
aports-aa689f8ff293eb3715b96cd392647bf6e4dee5e1.tar.xz
main/libressl: port '-starttls ldap' from OpenSSL
Diffstat (limited to 'main/libressl')
-rw-r--r--main/libressl/APKBUILD9
-rw-r--r--main/libressl/starttls-ldap.patch198
2 files changed, 204 insertions, 3 deletions
diff --git a/main/libressl/APKBUILD b/main/libressl/APKBUILD
index 166eeedabb..17bae94f3a 100644
--- a/main/libressl/APKBUILD
+++ b/main/libressl/APKBUILD
@@ -9,7 +9,7 @@
pkgname=libressl
pkgver=2.5.5
_namever=${pkgname}${pkgver%.*}
-pkgrel=0
+pkgrel=1
pkgdesc="Version of the TLS/crypto stack forked from OpenSSL"
url="http://www.libressl.org/"
arch="all"
@@ -21,7 +21,9 @@ makedepends="$makedepends_host"
replaces="openssl"
subpackages="$pkgname-dbg $_namever-libcrypto:_libs $_namever-libssl:_libs
$_namever-libtls:_libs $pkgname-dev $pkgname-doc"
-source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz"
+source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz
+ starttls-ldap.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
build() {
@@ -62,4 +64,5 @@ _libs() {
done
}
-sha512sums="3f576e74ddea17bd72e1bfbe0b57b94e1a2a9e6fa56cee50624cd8d18f0a8674273086225669e6ece56e6b859d2376e36e2c140d37acb52d4cd79374c4ba7096 libressl-2.5.5.tar.gz"
+sha512sums="3f576e74ddea17bd72e1bfbe0b57b94e1a2a9e6fa56cee50624cd8d18f0a8674273086225669e6ece56e6b859d2376e36e2c140d37acb52d4cd79374c4ba7096 libressl-2.5.5.tar.gz
+18fe5f83aa5944d644a67e4a294deaf772c42d0696ff38e075f7265070269b09dc001a9bf2bab3fb8200f8ce66346d189d48884859727c7d5ad30398ed76a948 starttls-ldap.patch"
diff --git a/main/libressl/starttls-ldap.patch b/main/libressl/starttls-ldap.patch
new file mode 100644
index 0000000000..55319ed04c
--- /dev/null
+++ b/main/libressl/starttls-ldap.patch
@@ -0,0 +1,198 @@
+--- libressl-2.5.5/apps/openssl/s_client.c
++++ libressl-2.5.5.ldap/apps/openssl/s_client.c
+@@ -184,6 +184,7 @@
+ static void sc_usage(void);
+ static void print_stuff(BIO * berr, SSL * con, int full);
+ static int ocsp_resp_cb(SSL * s, void *arg);
++static int ldap_ExtendedResponse_parse(const char *buf, long rem);
+ static BIO *bio_c_out = NULL;
+ static int c_quiet = 0;
+ static int c_ign_eof = 0;
+@@ -234,7 +235,7 @@
+ BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
+ BIO_printf(bio_err, " for those protocols that support it, where\n");
+ BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n");
+- BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
++ BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"ldap\"\n");
+ BIO_printf(bio_err, " are supported.\n");
+ BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n");
+ BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
+@@ -315,7 +316,8 @@
+ PROTO_POP3,
+ PROTO_IMAP,
+ PROTO_FTP,
+- PROTO_XMPP
++ PROTO_XMPP,
++ PROTO_LDAP
+ };
+
+ int
+@@ -575,6 +577,8 @@
+ starttls_proto = PROTO_FTP;
+ else if (strcmp(*argv, "xmpp") == 0)
+ starttls_proto = PROTO_XMPP;
++ else if (strcmp(*argv, "ldap") == 0)
++ starttls_proto = PROTO_LDAP;
+ else
+ goto bad;
+ }
+@@ -978,6 +982,72 @@
+ if (!strstr(sbuf, "<proceed"))
+ goto shut;
+ mbuf[0] = 0;
++ } else if (starttls_proto == PROTO_LDAP) {
++ /* StartTLS Operation according to RFC 4511 */
++ static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
++ "[LDAPMessage]\n"
++ "messageID=INTEGER:1\n"
++ "extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
++ "FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
++ long errline = -1;
++ char *genstr = NULL;
++ int result = -1;
++ ASN1_TYPE *atyp = NULL;
++ BIO *ldapbio = BIO_new(BIO_s_mem());
++ CONF *cnf = NCONF_new(NULL);
++
++ if (cnf == NULL) {
++ BIO_free(ldapbio);
++ goto end;
++ }
++ BIO_puts(ldapbio, ldap_tls_genconf);
++ if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
++ BIO_free(ldapbio);
++ NCONF_free(cnf);
++ if (errline <= 0) {
++ BIO_printf(bio_err, "NCONF_load_bio failed\n");
++ goto end;
++ } else {
++ BIO_printf(bio_err, "Error on line %ld\n", errline);
++ goto end;
++ }
++ }
++ BIO_free(ldapbio);
++ genstr = NCONF_get_string(cnf, "default", "asn1");
++ if (genstr == NULL) {
++ NCONF_free(cnf);
++ BIO_printf(bio_err, "NCONF_get_string failed\n");
++ goto end;
++ }
++ atyp = ASN1_generate_nconf(genstr, cnf);
++ if (atyp == NULL) {
++ NCONF_free(cnf);
++ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
++ goto end;
++ }
++ NCONF_free(cnf);
++
++ /* Send SSLRequest packet */
++ BIO_write(sbio, atyp->value.sequence->data,
++ atyp->value.sequence->length);
++ (void)BIO_flush(sbio);
++ ASN1_TYPE_free(atyp);
++
++ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (mbuf_len < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
++ result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
++ if (result < 0) {
++ BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
++ goto shut;
++ } else if (result > 0) {
++ BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
++ result);
++ goto shut;
++ }
++ mbuf_len = 0;
+ } else if (proxy != NULL) {
+ BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect);
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+@@ -1499,3 +1569,86 @@
+ return 1;
+ }
+
++static int ldap_ExtendedResponse_parse(const char *buf, long rem)
++{
++ const unsigned char *cur, *end;
++ long len;
++ int tag, xclass, inf, ret = -1;
++
++ cur = (const unsigned char *)buf;
++ end = cur + rem;
++
++ /*
++ * From RFC 4511:
++ *
++ * LDAPMessage ::= SEQUENCE {
++ * messageID MessageID,
++ * protocolOp CHOICE {
++ * ...
++ * extendedResp ExtendedResponse,
++ * ... },
++ * controls [0] Controls OPTIONAL }
++ *
++ * ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
++ * COMPONENTS OF LDAPResult,
++ * responseName [10] LDAPOID OPTIONAL,
++ * responseValue [11] OCTET STRING OPTIONAL }
++ *
++ * LDAPResult ::= SEQUENCE {
++ * resultCode ENUMERATED {
++ * success (0),
++ * ...
++ * other (80),
++ * ... },
++ * matchedDN LDAPDN,
++ * diagnosticMessage LDAPString,
++ * referral [3] Referral OPTIONAL }
++ */
++
++ /* pull SEQUENCE */
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "Unexpected LDAP response\n");
++ goto end;
++ }
++
++ rem = len; /* ensure that we don't overstep the SEQUENCE */
++
++ /* pull MessageID */
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "No MessageID\n");
++ goto end;
++ }
++
++ cur += len; /* shall we check for MessageId match or just skip? */
++
++ /* pull [APPLICATION 24] */
++ rem = end - cur;
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
++ tag != 24) {
++ BIO_printf(bio_err, "Not ExtendedResponse\n");
++ goto end;
++ }
++
++ /* pull resultCode */
++ rem = end - cur;
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "Not LDAPResult\n");
++ goto end;
++ }
++
++ /* len should always be one, but just in case... */
++ for (ret = 0, inf = 0; inf < len; inf++) {
++ ret <<= 8;
++ ret |= cur[inf];
++ }
++ /* There is more data, but we don't care... */
++ end:
++ return ret;
++}