diff options
| -rw-r--r-- | main/libressl/APKBUILD | 9 | ||||
| -rw-r--r-- | main/libressl/starttls-ldap.patch | 198 |
2 files changed, 204 insertions, 3 deletions
diff --git a/main/libressl/APKBUILD b/main/libressl/APKBUILD index 166eeedabb..17bae94f3a 100644 --- a/main/libressl/APKBUILD +++ b/main/libressl/APKBUILD @@ -9,7 +9,7 @@ pkgname=libressl pkgver=2.5.5 _namever=${pkgname}${pkgver%.*} -pkgrel=0 +pkgrel=1 pkgdesc="Version of the TLS/crypto stack forked from OpenSSL" url="http://www.libressl.org/" arch="all" @@ -21,7 +21,9 @@ makedepends="$makedepends_host" replaces="openssl" subpackages="$pkgname-dbg $_namever-libcrypto:_libs $_namever-libssl:_libs $_namever-libtls:_libs $pkgname-dev $pkgname-doc" -source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz" +source="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$pkgname-$pkgver.tar.gz + starttls-ldap.patch + " builddir="$srcdir/$pkgname-$pkgver" build() { @@ -62,4 +64,5 @@ _libs() { done } -sha512sums="3f576e74ddea17bd72e1bfbe0b57b94e1a2a9e6fa56cee50624cd8d18f0a8674273086225669e6ece56e6b859d2376e36e2c140d37acb52d4cd79374c4ba7096 libressl-2.5.5.tar.gz" +sha512sums="3f576e74ddea17bd72e1bfbe0b57b94e1a2a9e6fa56cee50624cd8d18f0a8674273086225669e6ece56e6b859d2376e36e2c140d37acb52d4cd79374c4ba7096 libressl-2.5.5.tar.gz +18fe5f83aa5944d644a67e4a294deaf772c42d0696ff38e075f7265070269b09dc001a9bf2bab3fb8200f8ce66346d189d48884859727c7d5ad30398ed76a948 starttls-ldap.patch" diff --git a/main/libressl/starttls-ldap.patch b/main/libressl/starttls-ldap.patch new file mode 100644 index 0000000000..55319ed04c --- /dev/null +++ b/main/libressl/starttls-ldap.patch @@ -0,0 +1,198 @@ +--- libressl-2.5.5/apps/openssl/s_client.c ++++ libressl-2.5.5.ldap/apps/openssl/s_client.c +@@ -184,6 +184,7 @@ + static void sc_usage(void); + static void print_stuff(BIO * berr, SSL * con, int full); + static int ocsp_resp_cb(SSL * s, void *arg); ++static int ldap_ExtendedResponse_parse(const char *buf, long rem); + static BIO *bio_c_out = NULL; + static int c_quiet = 0; + static int c_ign_eof = 0; +@@ -234,7 +235,7 @@ + BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n"); + BIO_printf(bio_err, " for those protocols that support it, where\n"); + BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n"); +- BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); ++ BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"ldap\"\n"); + BIO_printf(bio_err, " are supported.\n"); + BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n"); + BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n"); +@@ -315,7 +316,8 @@ + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP, +- PROTO_XMPP ++ PROTO_XMPP, ++ PROTO_LDAP + }; + + int +@@ -575,6 +577,8 @@ + starttls_proto = PROTO_FTP; + else if (strcmp(*argv, "xmpp") == 0) + starttls_proto = PROTO_XMPP; ++ else if (strcmp(*argv, "ldap") == 0) ++ starttls_proto = PROTO_LDAP; + else + goto bad; + } +@@ -978,6 +982,72 @@ + if (!strstr(sbuf, "<proceed")) + goto shut; + mbuf[0] = 0; ++ } else if (starttls_proto == PROTO_LDAP) { ++ /* StartTLS Operation according to RFC 4511 */ ++ static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n" ++ "[LDAPMessage]\n" ++ "messageID=INTEGER:1\n" ++ "extendedReq=EXPLICIT:23A,IMPLICIT:0C," ++ "FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n"; ++ long errline = -1; ++ char *genstr = NULL; ++ int result = -1; ++ ASN1_TYPE *atyp = NULL; ++ BIO *ldapbio = BIO_new(BIO_s_mem()); ++ CONF *cnf = NCONF_new(NULL); ++ ++ if (cnf == NULL) { ++ BIO_free(ldapbio); ++ goto end; ++ } ++ BIO_puts(ldapbio, ldap_tls_genconf); ++ if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) { ++ BIO_free(ldapbio); ++ NCONF_free(cnf); ++ if (errline <= 0) { ++ BIO_printf(bio_err, "NCONF_load_bio failed\n"); ++ goto end; ++ } else { ++ BIO_printf(bio_err, "Error on line %ld\n", errline); ++ goto end; ++ } ++ } ++ BIO_free(ldapbio); ++ genstr = NCONF_get_string(cnf, "default", "asn1"); ++ if (genstr == NULL) { ++ NCONF_free(cnf); ++ BIO_printf(bio_err, "NCONF_get_string failed\n"); ++ goto end; ++ } ++ atyp = ASN1_generate_nconf(genstr, cnf); ++ if (atyp == NULL) { ++ NCONF_free(cnf); ++ BIO_printf(bio_err, "ASN1_generate_nconf failed\n"); ++ goto end; ++ } ++ NCONF_free(cnf); ++ ++ /* Send SSLRequest packet */ ++ BIO_write(sbio, atyp->value.sequence->data, ++ atyp->value.sequence->length); ++ (void)BIO_flush(sbio); ++ ASN1_TYPE_free(atyp); ++ ++ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); ++ if (mbuf_len < 0) { ++ BIO_printf(bio_err, "BIO_read failed\n"); ++ goto end; ++ } ++ result = ldap_ExtendedResponse_parse(mbuf, mbuf_len); ++ if (result < 0) { ++ BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n"); ++ goto shut; ++ } else if (result > 0) { ++ BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n", ++ result); ++ goto shut; ++ } ++ mbuf_len = 0; + } else if (proxy != NULL) { + BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect); + mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); +@@ -1499,3 +1569,86 @@ + return 1; + } + ++static int ldap_ExtendedResponse_parse(const char *buf, long rem) ++{ ++ const unsigned char *cur, *end; ++ long len; ++ int tag, xclass, inf, ret = -1; ++ ++ cur = (const unsigned char *)buf; ++ end = cur + rem; ++ ++ /* ++ * From RFC 4511: ++ * ++ * LDAPMessage ::= SEQUENCE { ++ * messageID MessageID, ++ * protocolOp CHOICE { ++ * ... ++ * extendedResp ExtendedResponse, ++ * ... }, ++ * controls [0] Controls OPTIONAL } ++ * ++ * ExtendedResponse ::= [APPLICATION 24] SEQUENCE { ++ * COMPONENTS OF LDAPResult, ++ * responseName [10] LDAPOID OPTIONAL, ++ * responseValue [11] OCTET STRING OPTIONAL } ++ * ++ * LDAPResult ::= SEQUENCE { ++ * resultCode ENUMERATED { ++ * success (0), ++ * ... ++ * other (80), ++ * ... }, ++ * matchedDN LDAPDN, ++ * diagnosticMessage LDAPString, ++ * referral [3] Referral OPTIONAL } ++ */ ++ ++ /* pull SEQUENCE */ ++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem); ++ if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE || ++ (rem = end - cur, len > rem)) { ++ BIO_printf(bio_err, "Unexpected LDAP response\n"); ++ goto end; ++ } ++ ++ rem = len; /* ensure that we don't overstep the SEQUENCE */ ++ ++ /* pull MessageID */ ++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem); ++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER || ++ (rem = end - cur, len > rem)) { ++ BIO_printf(bio_err, "No MessageID\n"); ++ goto end; ++ } ++ ++ cur += len; /* shall we check for MessageId match or just skip? */ ++ ++ /* pull [APPLICATION 24] */ ++ rem = end - cur; ++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem); ++ if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION || ++ tag != 24) { ++ BIO_printf(bio_err, "Not ExtendedResponse\n"); ++ goto end; ++ } ++ ++ /* pull resultCode */ ++ rem = end - cur; ++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem); ++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 || ++ (rem = end - cur, len > rem)) { ++ BIO_printf(bio_err, "Not LDAPResult\n"); ++ goto end; ++ } ++ ++ /* len should always be one, but just in case... */ ++ for (ret = 0, inf = 0; inf < len; inf++) { ++ ret <<= 8; ++ ret |= cur[inf]; ++ } ++ /* There is more data, but we don't care... */ ++ end: ++ return ret; ++} |