main/libtls-standalone: move from testing

needed by busybox

10 files changed, 800 insertions, 0 deletions

diff --git a/main/libtls-standalone/APKBUILD b/main/libtls-standalone/APKBUILD
new file mode 100644
index 0000000000..ea80990b44
--- /dev/null
+++ b/main/libtls-standalone/APKBUILD
@@ -0,0 +1,66 @@
+# Maintainer: William Pitcock <nenolod@dereferenced.org>
+pkgname=libtls-standalone
+pkgver=2.7.4
+_namever=${pkgname}${pkgver%.*}
+pkgrel=4
+pkgdesc="libtls extricated from libressl sources"
+url="http://www.libressl.org/"
+arch="all"
+license="ISC"
+depends=""
+makedepends="libbsd-dev openssl-dev"
+subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc"
+source="https://ftp.openbsd.org/pub/OpenBSD/libressl/libressl-$pkgver.tar.gz
+	Makefile
+	tls_compat.c
+	tls_compat.h
+	test_program.c
+	libtls-ciphers.patch
+	openssl-1.1.0-bio-method.patch
+	openssl-1.1.0-verify-param.patch
+	openssl-1.1.0-asn1-string.patch
+	openssl-1.1.0-x509-object.patch
+	"
+libressl_src="$srcdir/libressl-$pkgver"
+builddir="$srcdir"
+
+prepare() {
+	cd "$builddir"
+	rm -rf "$libressl_src"/include/openssl
+
+	cd "$libressl_src"
+	patch -p1 < "$srcdir"/libtls-ciphers.patch
+	patch -p1 < "$srcdir"/openssl-1.1.0-bio-method.patch
+	patch -p1 < "$srcdir"/openssl-1.1.0-verify-param.patch
+	patch -p1 < "$srcdir"/openssl-1.1.0-asn1-string.patch
+	patch -p1 < "$srcdir"/openssl-1.1.0-x509-object.patch
+}
+
+build() {
+	cd "$builddir"
+
+	make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}"
+}
+
+check() {
+	cd "$builddir"
+	make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" check
+}
+
+package() {
+	cd "$builddir"
+
+	make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" DESTDIR="${pkgdir}" install
+	install -Dm644 "${libressl_src}"/COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
+}
+
+sha512sums="1cd82a1bff4f655251b5feb0c850f4164e0fd548e4b404407370f74dcc75c205f42efc7787a157eecac84cbbe46af48cb63f46b3fef75f4a0a9ea19a5863a691  libressl-2.7.4.tar.gz
+75292dcd0321a3cb00b30715f537cd35f2375922aac3ad5445f3d7b9eff16ab934926b1605f3330032f8455378c89f41bd1ed83f5a027fc967adff7006ed9486  Makefile
+be8216d08a6992ca65a8e3f1e010645833899465090179f269a62de5fcfe2711d463fe1aa57e408492648878fa2ee53377c4509ef48a2aafe3f267cce73e9209  tls_compat.c
+0b8fca899e1f7b51979d69458be23c77c1b7f265ed60de76cf5cfb9eb5742111cf50813bd35384831301523a6a0562a20acf1aec22dc0d9ad653271d45ede915  tls_compat.h
+71d36fe25c95a0a45497e3f699b01dddcaae9053dd1b1e2419df94272c47024cf6516c51c902129201061601b04a72551904b15a332a4cf53358983b5db73618  test_program.c
+8da41dc7f3a3e94c7c26c20b88e649eeaa556064c6b45deb4604fb0b5738109344bf2d9e5c37dc963634db1761370aa5ed4dfe085cae2a21e74535b5b98f4a43  libtls-ciphers.patch
+90244db67d2f5a2b4679cd4b905f6e58105e20e5a4648dd0781dee3f3d1ce87350eee9683f2e6e554949a390ee45d2247e7588e75668e82feb68213178905d3d  openssl-1.1.0-bio-method.patch
+b0c6c0b32d6ea30b7161ae75e36b8102b3c00268723dec15464318bae8f77a386dba9ef0537d47018b385b16f57132b5c893e494b8853d51b638b4d270e1f9d6  openssl-1.1.0-verify-param.patch
+e0b7ce674269714cd63f628c332ed3420086c973f6e763a9a5d57991738370759d437b59edff5349ce4213725588f58e196c479b372a702833fcae75da9d71a1  openssl-1.1.0-asn1-string.patch
+7d88088240f78dc3656e71d67f2222b4562bbcfacfaac77e7d8d3ace50ae7f02fac15cea0df2d9990b8d30f6cfd0b4ffd92ea97191181f0b00b1d34c050ef130  openssl-1.1.0-x509-object.patch"
diff --git a/main/libtls-standalone/Makefile b/main/libtls-standalone/Makefile
new file mode 100644
index 0000000000..781a15a7d1
--- /dev/null
+++ b/main/libtls-standalone/Makefile
@@ -0,0 +1,86 @@
+PREFIX = /usr/local
+EXEC_PREFIX = ${PREFIX}
+LIBDIR = ${PREFIX}/lib
+INCLUDEDIR = ${PREFIX}/include
+
+LIBRESSL_VERSION = 1.0
+LIBTLS_SOVERSION = 1
+LIBTLS_FULLVERSION = 1.0.0
+
+OPENSSL_CFLAGS = $(shell pkgconf openssl --cflags)
+OPENSSL_LIBS = $(shell pkgconf openssl --libs)
+
+CFLAGS = -Wall -Wno-pointer-sign -fPIC -DPIC -shared -include tls_compat.h -isystem ${LIBRESSL_SRCDIR}/include/compat ${OPENSSL_CFLAGS} -I ${LIBRESSL_SRCDIR}/include \
+	-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=
+LDFLAGS = -fPIC -DPIC -shared -Wl,-soname,libtls-standalone.so.${LIBTLS_SOVERSION} ${OPENSSL_LIBS}
+
+SOURCES = \
+	tls_compat.c				\
+	${LIBRESSL_SRCDIR}/tls/tls.c		\
+	${LIBRESSL_SRCDIR}/tls/tls_bio_cb.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_client.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_config.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_conninfo.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_keypair.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_ocsp.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_peer.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_server.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_util.c	\
+	${LIBRESSL_SRCDIR}/tls/tls_verify.c	\
+	${LIBRESSL_SRCDIR}/crypto/compat/arc4random.c		\
+	${LIBRESSL_SRCDIR}/crypto/compat/arc4random_uniform.c	\
+	${LIBRESSL_SRCDIR}/crypto/compat/freezero.c		\
+	${LIBRESSL_SRCDIR}/crypto/compat/reallocarray.c		\
+	${LIBRESSL_SRCDIR}/crypto/compat/timingsafe_memcmp.c
+
+OBJECTS = ${SOURCES:.c=.o}
+
+all: dumpconfig libtls-standalone.so.${LIBTLS_FULLVERSION} libtls-standalone.so.${LIBTLS_SOVERSION} libtls-standalone.pc
+
+dumpconfig:
+	@echo "Building with:"
+	@echo "  LIBRESSL_SRCDIR = ${LIBRESSL_SRCDIR}"
+	@echo "  OPENSSL_CFLAGS  = ${OPENSSL_CFLAGS}"
+	@echo "  OPENSSL_LIBS    = ${OPENSSL_LIBS}"
+
+.c.o:
+	${CC} ${CFLAGS} -o $@ -c $<
+
+libtls-standalone.so.${LIBTLS_SOVERSION}: libtls-standalone.so.${LIBTLS_FULLVERSION}
+	ln -s $< $@
+
+libtls-standalone.so.${LIBTLS_FULLVERSION}: ${OBJECTS}
+	${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJECTS} ${OPENSSL_LIBS}
+
+check: test_program
+	LD_LIBRARY_PATH=$$PWD ./test_program
+
+test_program: test_program.c
+	${CC} -I${LIBRESSL_SRCDIR}/include -o $@ test_program.c ./libtls-standalone.so.${LIBTLS_FULLVERSION}
+
+clean:
+	rm -f ${OBJECTS}
+	rm -f libtls-standalone.so.${LIBTLS_FULLVERSION} libtls-standalone.so.${LIBTLS_SOVERSION}
+	rm -f test_program
+
+install:
+	install -D -m755 libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so.${LIBTLS_FULLVERSION}
+	ln -sf libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so.${LIBTLS_SOVERSION}
+	ln -sf libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so
+
+	install -D -m644 ${LIBRESSL_SRCDIR}/include/tls.h ${DESTDIR}${PREFIX}/include/libtls-standalone/tls.h
+
+	install -D -m644 libtls-standalone.pc ${DESTDIR}${PREFIX}/lib/pkgconfig/libtls-standalone.pc
+
+libtls-standalone.pc: ${LIBRESSL_SRCDIR}/libtls.pc.in
+	sed -e s:@prefix@:${PREFIX}:g \
+	    -e s:@exec_prefix@:${EXEC_PREFIX}:g \
+	    -e s:@libdir@:${LIBDIR}:g \
+	    -e s:@includedir@:${INCLUDEDIR}/libtls-standalone:g \
+	    -e s:@LIBS@:-ltls-standalone:g \
+	    -e s:@PLATFORM_LDADD@::g \
+	    -e s:@VERSION@:${LIBRESSL_VERSION}:g \
+	    -e /^Libs:/s:-ltls:-ltls-standalone:g \
+	    $< > libtls-standalone.pc
+
+.DUMMY: check dumpconfig clean install
diff --git a/main/libtls-standalone/libtls-ciphers.patch b/main/libtls-standalone/libtls-ciphers.patch
new file mode 100644
index 0000000000..7b5843b28c
--- /dev/null
+++ b/main/libtls-standalone/libtls-ciphers.patch
@@ -0,0 +1,17 @@
+--- libressl-2.7.4.orig/tls/tls_internal.h
++++ libressl-2.7.4/tls/tls_internal.h
+@@ -30,12 +30,12 @@
+ #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
+ #endif
+ 
+-#define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+ #define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
+ #define TLS_CIPHERS_LEGACY	"HIGH:MEDIUM:!aNULL"
+ #define TLS_CIPHERS_ALL		"ALL:!aNULL:!eNULL"
++#define TLS_CIPHERS_DEFAULT	TLS_CIPHERS_COMPAT
+ 
+-#define TLS_ECDHE_CURVES	"X25519,P-256,P-384"
++#define TLS_ECDHE_CURVES	"P-256,P-384"
+ 
+ union tls_addr {
+ 	struct in_addr ip4;
diff --git a/main/libtls-standalone/openssl-1.1.0-asn1-string.patch b/main/libtls-standalone/openssl-1.1.0-asn1-string.patch
new file mode 100644
index 0000000000..258ba60a5d
--- /dev/null
+++ b/main/libtls-standalone/openssl-1.1.0-asn1-string.patch
@@ -0,0 +1,31 @@
+--- libressl-2.7.4.orig/tls/tls_verify.c
++++ libressl-2.7.4/tls/tls_verify.c
+@@ -126,12 +126,12 @@
+ 			continue;
+ 
+ 		if (type == GEN_DNS) {
+-			unsigned char	*data;
++			const unsigned char	*data;
+ 			int		 format, len;
+ 
+ 			format = ASN1_STRING_type(altname->d.dNSName);
+ 			if (format == V_ASN1_IA5STRING) {
+-				data = ASN1_STRING_data(altname->d.dNSName);
++				data = ASN1_STRING_get0_data(altname->d.dNSName);
+ 				len = ASN1_STRING_length(altname->d.dNSName);
+ 
+ 				if (len < 0 || (size_t)len != strlen(data)) {
+@@ -171,11 +171,11 @@
+ 			}
+ 
+ 		} else if (type == GEN_IPADD) {
+-			unsigned char	*data;
++			const unsigned char	*data;
+ 			int		 datalen;
+ 
+ 			datalen = ASN1_STRING_length(altname->d.iPAddress);
+-			data = ASN1_STRING_data(altname->d.iPAddress);
++			data = ASN1_STRING_get0_data(altname->d.iPAddress);
+ 
+ 			if (datalen < 0) {
+ 				tls_set_errorx(ctx,
diff --git a/main/libtls-standalone/openssl-1.1.0-bio-method.patch b/main/libtls-standalone/openssl-1.1.0-bio-method.patch
new file mode 100644
index 0000000000..4f4290c3ce
--- /dev/null
+++ b/main/libtls-standalone/openssl-1.1.0-bio-method.patch
@@ -0,0 +1,107 @@
+--- libressl-2.7.4.orig/tls/tls_bio_cb.c
++++ libressl-2.7.4/tls/tls_bio_cb.c
+@@ -18,6 +18,7 @@
+ #include <fcntl.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <assert.h>
+ 
+ #include <openssl/bio.h>
+ 
+@@ -29,19 +30,36 @@
+ static int bio_cb_puts(BIO *bio, const char *str);
+ static long bio_cb_ctrl(BIO *bio, int cmd, long num, void *ptr);
+ 
+-static BIO_METHOD bio_cb_method = {
+-	.type = BIO_TYPE_MEM,
+-	.name = "libtls_callbacks",
+-	.bwrite = bio_cb_write,
+-	.bread = bio_cb_read,
+-	.bputs = bio_cb_puts,
+-	.ctrl = bio_cb_ctrl,
+-};
++static pthread_once_t bio_cb_init_once = PTHREAD_ONCE_INIT;
+ 
++static BIO_METHOD *bio_cb_method = NULL;
++
++static void
++bio_s_cb_init(void)
++{
++	BIO_METHOD *method;
++
++	method = BIO_meth_new(BIO_TYPE_MEM, "libtls_callbacks");
++	assert(method != NULL);
++
++	BIO_meth_set_read(method, bio_cb_read);
++	BIO_meth_set_write(method, bio_cb_write);
++	BIO_meth_set_puts(method, bio_cb_puts);
++	BIO_meth_set_ctrl(method, bio_cb_ctrl);
++
++	bio_cb_method = method;
++}
++
+ static BIO_METHOD *
+ bio_s_cb(void)
+ {
+-	return (&bio_cb_method);
++	if (bio_cb_method != NULL) {
++		return bio_cb_method;
++	}
++
++	(void) pthread_once(&bio_cb_init_once, bio_s_cb_init);
++
++	return bio_cb_method;
+ }
+ 
+ static int
+@@ -57,10 +75,10 @@
+ 
+ 	switch (cmd) {
+ 	case BIO_CTRL_GET_CLOSE:
+-		ret = (long)bio->shutdown;
++		ret = (long) BIO_get_shutdown(bio);
+ 		break;
+ 	case BIO_CTRL_SET_CLOSE:
+-		bio->shutdown = (int)num;
++		BIO_set_shutdown(bio, (int) num);
+ 		break;
+ 	case BIO_CTRL_DUP:
+ 	case BIO_CTRL_FLUSH:
+@@ -69,7 +87,7 @@
+ 	case BIO_CTRL_GET:
+ 	case BIO_CTRL_SET:
+ 	default:
+-		ret = BIO_ctrl(bio->next_bio, cmd, num, ptr);
++		ret = BIO_ctrl(BIO_next(bio), cmd, num, ptr);
+ 	}
+ 
+ 	return (ret);
+@@ -78,7 +96,7 @@
+ static int
+ bio_cb_write(BIO *bio, const char *buf, int num)
+ {
+-	struct tls *ctx = bio->ptr;
++	struct tls *ctx = BIO_get_data(bio);
+ 	int rv;
+ 
+ 	BIO_clear_retry_flags(bio);
+@@ -96,7 +114,7 @@
+ static int
+ bio_cb_read(BIO *bio, char *buf, int size)
+ {
+-	struct tls *ctx = bio->ptr;
++	struct tls *ctx = BIO_get_data(bio);
+ 	int rv;
+ 
+ 	BIO_clear_retry_flags(bio);
+@@ -131,8 +149,8 @@
+ 		tls_set_errorx(ctx, "failed to create callback i/o");
+ 		goto err;
+ 	}
+-	bio->ptr = ctx;
+-	bio->init = 1;
++	BIO_set_data(bio, ctx);
++	BIO_set_init(bio, 1);
+ 
+ 	SSL_set_bio(ctx->ssl_conn, bio, bio);
+ 
diff --git a/main/libtls-standalone/openssl-1.1.0-verify-param.patch b/main/libtls-standalone/openssl-1.1.0-verify-param.patch
new file mode 100644
index 0000000000..ef3f948e02
--- /dev/null
+++ b/main/libtls-standalone/openssl-1.1.0-verify-param.patch
@@ -0,0 +1,50 @@
+--- libressl-2.7.4.orig/tls/tls.c
++++ libressl-2.7.4/tls/tls.c
+@@ -438,8 +438,16 @@
+ 	}
+ 
+ 	if (ctx->config->verify_time == 0) {
+-		X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
+-		    X509_V_FLAG_NO_CHECK_TIME);
++		X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
++
++		if (param == NULL) {
++			goto err;
++		}
++
++		X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
++		SSL_CTX_set1_param(ssl_ctx, param);
++
++		X509_VERIFY_PARAM_free(param);
+ 	}
+ 
+ 	/* Disable any form of session caching by default */
+@@ -487,6 +495,7 @@
+ 	STACK_OF(X509_INFO) *xis = NULL;
+ 	X509_STORE *store;
+ 	X509_INFO *xi;
++	X509_VERIFY_PARAM *param;
+ 	BIO *bio = NULL;
+ 	int rv = -1;
+ 	int i;
+@@ -548,8 +557,19 @@
+ 			}
+ 			xi->crl = NULL;
+ 		}
+-		X509_VERIFY_PARAM_set_flags(store->param,
++
++		param = X509_VERIFY_PARAM_new();
++
++		if (param == NULL) {
++			goto err;
++		}
++		
++		X509_VERIFY_PARAM_set_flags(param,
+ 		    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
++
++		X509_STORE_set1_param(store, param);
++
++		X509_VERIFY_PARAM_free(param);
+ 	}
+ 
+  done:
diff --git a/main/libtls-standalone/openssl-1.1.0-x509-object.patch b/main/libtls-standalone/openssl-1.1.0-x509-object.patch
new file mode 100644
index 0000000000..e90903252f
--- /dev/null
+++ b/main/libtls-standalone/openssl-1.1.0-x509-object.patch
@@ -0,0 +1,40 @@
+--- libressl-2.7.4.orig/tls/tls_ocsp.c
++++ libressl-2.7.4/tls/tls_ocsp.c
+@@ -127,8 +127,8 @@
+ {
+ 	X509_NAME *issuer_name;
+ 	X509 *issuer;
+-	X509_STORE_CTX storectx;
+-	X509_OBJECT tmpobj;
++	X509_STORE_CTX *storectx;
++	X509_OBJECT *tmpobj;
+ 	OCSP_CERTID *cid = NULL;
+ 	X509_STORE *store;
+ 
+@@ -143,14 +143,20 @@
+ 
+ 	if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
+ 		return NULL;
+-	if (X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs) != 1)
++	if ((storectx = X509_STORE_CTX_new()) == NULL)
+ 		return NULL;
+-	if (X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name,
+-		&tmpobj) == 1) {
+-		cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509);
+-		X509_OBJECT_free_contents(&tmpobj);
++	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
++		goto err;
++	if ((tmpobj = X509_OBJECT_new()) == NULL)
++		goto err;
++	if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name,
++		tmpobj) == 1) {
++		cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj));
++		X509_OBJECT_free(tmpobj);
+ 	}
+-	X509_STORE_CTX_cleanup(&storectx);
++
++ err:
++	X509_STORE_CTX_cleanup(storectx);
+ 	return cid;
+ }
+ 
diff --git a/main/libtls-standalone/test_program.c b/main/libtls-standalone/test_program.c
new file mode 100644
index 0000000000..f8d7332d72
--- /dev/null
+++ b/main/libtls-standalone/test_program.c
@@ -0,0 +1,11 @@
+#include <stdlib.h>
+#include <assert.h>
+#include <tls.h>
+
+int
+main(int argc, const char *argv[])
+{
+	assert(tls_init() == 0);
+
+	return EXIT_SUCCESS;
+}
diff --git a/main/libtls-standalone/tls_compat.c b/main/libtls-standalone/tls_compat.c
new file mode 100644
index 0000000000..2d184e4020
--- /dev/null
+++ b/main/libtls-standalone/tls_compat.c
@@ -0,0 +1,369 @@
+/*
+ * Copyright (c) 2016 Tai Chi Minh Ralph Eastwood <tcmreastwood@gmail.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/ssl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <ctype.h>
+
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+    char fname[] = "/tmp/libtlscompatXXXXXX";
+    int rc;
+    int fd;
+
+    fd = mkstemp(fname);
+
+    if (fd < 0)
+        return -1;
+    do {
+        ssize_t wrote = write(fd, buf, len);
+        if(wrote == -1) {
+            break;
+        } else {
+            buf = (char *)buf + wrote;
+            len -= wrote;
+        }
+    } while(len);
+    close(fd);
+	rc = SSL_CTX_load_verify_locations(ctx, fname, NULL);
+    remove(fname);
+    return rc;
+}
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <sys/types.h>
+
+#include <unistd.h>
+#include <stdio.h>
+
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+int
+SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, char *buf, off_t len)
+{
+	int ret;
+	BIO*in;
+	X509*x;
+	X509*ca;
+	unsigned long err;
+
+	ret = 0;
+	x = ca = NULL;
+
+	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
+		goto end;
+	}
+
+	if ((x = PEM_read_bio_X509(in, NULL,
+		    SSL_CTX_get_default_passwd_cb(ctx),
+		    SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
+		goto end;
+	}
+
+	if (!SSL_CTX_use_certificate(ctx, x) || ERR_peek_error() != 0)
+		goto end;
+
+	/* If we could set up our certificate, now proceed to
+	 * the CA certificates.
+	 */
+	SSL_CTX_clear_extra_chain_certs(ctx);
+
+	while ((ca = PEM_read_bio_X509(in, NULL,
+		    SSL_CTX_get_default_passwd_cb(ctx),
+		    SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
+
+		if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
+			goto end;
+	}
+
+	err = ERR_peek_last_error();
+	if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
+	    ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+		ERR_clear_error();
+	else
+		goto end;
+
+	ret = 1;
+end:
+	if (ca != NULL)
+		X509_free(ca);
+	if (x != NULL)
+		X509_free(x);
+	if (in != NULL)
+		BIO_free(in);
+	return (ret);
+}
+
+/*
+ * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Parse an RFC 5280 format ASN.1 time string.
+ *
+ * mode must be:
+ * 0 if we expect to parse a time as specified in RFC 5280 from an X509 object.
+ * V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time.
+ * V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time.
+ *
+ * Returns:
+ * -1 if the string was invalid.
+ * V_ASN1_UTCTIME if the string validated as a UTC time string.
+ * V_ASN1_GENERALIZEDTIME if the string validated as a Generalized time string.
+ *
+ * Fills in *tm with the corresponding time if tm is non NULL.
+ */
+
+#define GENTIME_LENGTH 15
+#define UTCTIME_LENGTH 13
+
+#define	ATOI2(ar)	((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0'))
+int
+ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
+{
+	size_t i;
+	int type = 0;
+	struct tm ltm;
+	struct tm *lt;
+	const char *p;
+
+	if (bytes == NULL)
+		return (-1);
+
+	/* Constrain to valid lengths. */
+	if (len != UTCTIME_LENGTH && len != GENTIME_LENGTH)
+		return (-1);
+
+	lt = tm;
+	if (lt == NULL) {
+		memset(&ltm, 0, sizeof(ltm));
+		lt = &ltm;
+	}
+
+	/* Timezone is required and must be GMT (Zulu). */
+	if (bytes[len - 1] != 'Z')
+		return (-1);
+
+	/* Make sure everything else is digits. */
+	for (i = 0; i < len - 1; i++) {
+		if (isdigit((unsigned char)bytes[i]))
+			continue;
+		return (-1);
+	}
+
+	/*
+	 * Validate and convert the time
+	 */
+	p = bytes;
+	switch (len) {
+	case GENTIME_LENGTH:
+		if (mode == V_ASN1_UTCTIME)
+			return (-1);
+		lt->tm_year = (ATOI2(p) * 100) - 1900;	/* cc */
+		type = V_ASN1_GENERALIZEDTIME;
+		/* FALLTHROUGH */
+	case UTCTIME_LENGTH:
+		if (type == 0) {
+			if (mode == V_ASN1_GENERALIZEDTIME)
+				return (-1);
+			type = V_ASN1_UTCTIME;
+		}
+		lt->tm_year += ATOI2(p);		/* yy */
+		if (type == V_ASN1_UTCTIME) {
+			if (lt->tm_year < 50)
+				lt->tm_year += 100;
+		}
+		lt->tm_mon = ATOI2(p) - 1;		/* mm */
+		if (lt->tm_mon < 0 || lt->tm_mon > 11)
+			return (-1);
+		lt->tm_mday = ATOI2(p);			/* dd */
+		if (lt->tm_mday < 1 || lt->tm_mday > 31)
+			return (-1);
+		lt->tm_hour = ATOI2(p);			/* HH */
+		if (lt->tm_hour < 0 || lt->tm_hour > 23)
+			return (-1);
+		lt->tm_min = ATOI2(p);			/* MM */
+		if (lt->tm_min < 0 || lt->tm_min > 59)
+			return (-1);
+		lt->tm_sec = ATOI2(p);			/* SS */
+		/* Leap second 60 is not accepted. Reconsider later? */
+		if (lt->tm_sec < 0 || lt->tm_sec > 59)
+			return (-1);
+		break;
+	default:
+		return (-1);
+	}
+
+	return (type);
+}
+
+/* $OpenBSD: a_time_tm.c,v 1.14 2017/08/28 17:42:47 jsing Exp $ */
+/*
+ * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/err.h>
+
+#define RFC5280 0
+#define GENTIME_LENGTH 15
+#define UTCTIME_LENGTH 13
+
+int
+ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2)
+{
+	if (tm1->tm_year < tm2->tm_year)
+		return (-1);
+	if (tm1->tm_year > tm2->tm_year)
+		return (1);
+	if (tm1->tm_mon < tm2->tm_mon)
+		return (-1);
+	if (tm1->tm_mon > tm2->tm_mon)
+		return (1);
+	if (tm1->tm_mday < tm2->tm_mday)
+		return (-1);
+	if (tm1->tm_mday > tm2->tm_mday)
+		return (1);
+	if (tm1->tm_hour < tm2->tm_hour)
+		return (-1);
+	if (tm1->tm_hour > tm2->tm_hour)
+		return (1);
+	if (tm1->tm_min < tm2->tm_min)
+		return (-1);
+	if (tm1->tm_min > tm2->tm_min)
+		return (1);
+	if (tm1->tm_sec < tm2->tm_sec)
+		return (-1);
+	if (tm1->tm_sec > tm2->tm_sec)
+		return (1);
+	return 0;
+}
+
+int
+ASN1_time_tm_clamp_notafter(struct tm *tm)
+{
+	if (sizeof(time_t) < 8) {
+		struct tm broken_os_epoch_tm;
+		time_t broken_os_epoch_time = INT_MAX;
+
+		if (gmtime_r(&broken_os_epoch_time, &broken_os_epoch_tm) == NULL)
+			return 0;
+
+		if (ASN1_time_tm_cmp(tm, &broken_os_epoch_tm) == 1)
+			memcpy(tm, &broken_os_epoch_tm, sizeof(*tm));
+	}
+
+	return 1;
+}
diff --git a/main/libtls-standalone/tls_compat.h b/main/libtls-standalone/tls_compat.h
new file mode 100644
index 0000000000..8e4629e35a
--- /dev/null
+++ b/main/libtls-standalone/tls_compat.h
@@ -0,0 +1,23 @@
+#include <string.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/x509_vfy.h>
+
+#ifndef LIBTLS_TLS_COMPAT_H
+#define LIBTLS_TLS_COMPAT_H
+
+#ifndef X509_V_FLAG_NO_CHECK_TIME
+#define X509_V_FLAG_NO_CHECK_TIME 0
+#endif
+
+#ifndef SSL_OP_NO_CLIENT_RENEGOTIATION
+#define SSL_OP_NO_CLIENT_RENEGOTIATION 0
+#endif
+
+int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
+
+int ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode);
+
+int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, char *buf, off_t);
+
+#endif