Diffstat (limited to 'main/libtls-standalone')
-rw-r--r-- | main/libtls-standalone/APKBUILD | 66 | ||||
-rw-r--r-- | main/libtls-standalone/Makefile | 86 | ||||
-rw-r--r-- | main/libtls-standalone/libtls-ciphers.patch | 17 | ||||
-rw-r--r-- | main/libtls-standalone/openssl-1.1.0-asn1-string.patch | 31 | ||||
-rw-r--r-- | main/libtls-standalone/openssl-1.1.0-bio-method.patch | 107 | ||||
-rw-r--r-- | main/libtls-standalone/openssl-1.1.0-verify-param.patch | 50 | ||||
-rw-r--r-- | main/libtls-standalone/openssl-1.1.0-x509-object.patch | 40 | ||||
-rw-r--r-- | main/libtls-standalone/test_program.c | 11 | ||||
-rw-r--r-- | main/libtls-standalone/tls_compat.c | 369 | ||||
-rw-r--r-- | main/libtls-standalone/tls_compat.h | 23 |
10 files changed, 800 insertions, 0 deletions
diff --git a/main/libtls-standalone/APKBUILD b/main/libtls-standalone/APKBUILD new file mode 100644 index 0000000000..ea80990b44 --- /dev/null +++ b/main/libtls-standalone/APKBUILD 
@@ -0,0 +1,66 @@ +# Maintainer: William Pitcock <nenolod@dereferenced.org> +pkgname=libtls-standalone +pkgver=2.7.4 +_namever=${pkgname}${pkgver%.*} +pkgrel=4 +pkgdesc="libtls extricated from libressl sources" +url="http://www.libressl.org/" +arch="all" +license="ISC" +depends="" +makedepends="libbsd-dev openssl-dev" +subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc" +source="https://ftp.openbsd.org/pub/OpenBSD/libressl/libressl-$pkgver.tar.gz + Makefile + tls_compat.c + tls_compat.h + test_program.c + libtls-ciphers.patch + openssl-1.1.0-bio-method.patch + openssl-1.1.0-verify-param.patch + openssl-1.1.0-asn1-string.patch + openssl-1.1.0-x509-object.patch + " +libressl_src="$srcdir/libressl-$pkgver" +builddir="$srcdir" + +prepare() { + cd "$builddir" + rm -rf "$libressl_src"/include/openssl + + cd "$libressl_src" + patch -p1 < "$srcdir"/libtls-ciphers.patch + patch -p1 < "$srcdir"/openssl-1.1.0-bio-method.patch + patch -p1 < "$srcdir"/openssl-1.1.0-verify-param.patch + patch -p1 < "$srcdir"/openssl-1.1.0-asn1-string.patch + patch -p1 < "$srcdir"/openssl-1.1.0-x509-object.patch +} + +build() { + cd "$builddir" + + make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" +} + +check() { + cd "$builddir" + make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" check +} + +package() { + cd "$builddir" + + make PREFIX=/usr LIBRESSL_SRCDIR="${libressl_src}" LIBRESSL_VERSION="${pkgver}" DESTDIR="${pkgdir}" install + install -Dm644 "${libressl_src}"/COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING +} + +sha512sums="1cd82a1bff4f655251b5feb0c850f4164e0fd548e4b404407370f74dcc75c205f42efc7787a157eecac84cbbe46af48cb63f46b3fef75f4a0a9ea19a5863a691 libressl-2.7.4.tar.gz +75292dcd0321a3cb00b30715f537cd35f2375922aac3ad5445f3d7b9eff16ab934926b1605f3330032f8455378c89f41bd1ed83f5a027fc967adff7006ed9486 Makefile 
+be8216d08a6992ca65a8e3f1e010645833899465090179f269a62de5fcfe2711d463fe1aa57e408492648878fa2ee53377c4509ef48a2aafe3f267cce73e9209 tls_compat.c +0b8fca899e1f7b51979d69458be23c77c1b7f265ed60de76cf5cfb9eb5742111cf50813bd35384831301523a6a0562a20acf1aec22dc0d9ad653271d45ede915 tls_compat.h +71d36fe25c95a0a45497e3f699b01dddcaae9053dd1b1e2419df94272c47024cf6516c51c902129201061601b04a72551904b15a332a4cf53358983b5db73618 test_program.c +8da41dc7f3a3e94c7c26c20b88e649eeaa556064c6b45deb4604fb0b5738109344bf2d9e5c37dc963634db1761370aa5ed4dfe085cae2a21e74535b5b98f4a43 libtls-ciphers.patch +90244db67d2f5a2b4679cd4b905f6e58105e20e5a4648dd0781dee3f3d1ce87350eee9683f2e6e554949a390ee45d2247e7588e75668e82feb68213178905d3d openssl-1.1.0-bio-method.patch +b0c6c0b32d6ea30b7161ae75e36b8102b3c00268723dec15464318bae8f77a386dba9ef0537d47018b385b16f57132b5c893e494b8853d51b638b4d270e1f9d6 openssl-1.1.0-verify-param.patch +e0b7ce674269714cd63f628c332ed3420086c973f6e763a9a5d57991738370759d437b59edff5349ce4213725588f58e196c479b372a702833fcae75da9d71a1 openssl-1.1.0-asn1-string.patch +7d88088240f78dc3656e71d67f2222b4562bbcfacfaac77e7d8d3ace50ae7f02fac15cea0df2d9990b8d30f6cfd0b4ffd92ea97191181f0b00b1d34c050ef130 openssl-1.1.0-x509-object.patch" diff --git a/main/libtls-standalone/Makefile b/main/libtls-standalone/Makefile new file mode 100644 index 0000000000..781a15a7d1 --- /dev/null +++ b/main/libtls-standalone/Makefile 
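Review bot: `rm -rf "$libressl_src"/include/openssl` in prepare() is the step that makes this whole package compile LibreSSL's libtls against the system OpenSSL headers rather than the vendored ones, and nothing in the APKBUILD says so; a one-line comment such as `# drop LibreSSL's own <openssl/*.h> so the system openssl-dev headers win` would keep a future maintainer from "fixing" it. The `url=` field still uses plain http while the tarball itself is fetched over https and pinned by sha512; libressl.org is served over https, so `url="https://www.libressl.org/"` should match. The patches are applied by hand in prepare(); that relies on abuild aborting on a failed `patch`, which I believe it does, but `default_prepare` with the patches listed in `source=` gets the same effect without relying on it.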
@@ -0,0 +1,86 @@ +PREFIX = /usr/local +EXEC_PREFIX = ${PREFIX} +LIBDIR = ${PREFIX}/lib +INCLUDEDIR = ${PREFIX}/include + +LIBRESSL_VERSION = 1.0 +LIBTLS_SOVERSION = 1 +LIBTLS_FULLVERSION = 1.0.0 + +OPENSSL_CFLAGS = $(shell pkgconf openssl --cflags) +OPENSSL_LIBS = $(shell pkgconf openssl --libs) + +CFLAGS = -Wall -Wno-pointer-sign -fPIC -DPIC -shared -include tls_compat.h -isystem ${LIBRESSL_SRCDIR}/include/compat ${OPENSSL_CFLAGS} -I ${LIBRESSL_SRCDIR}/include \ + -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= +LDFLAGS = -fPIC -DPIC -shared -Wl,-soname,libtls-standalone.so.${LIBTLS_SOVERSION} ${OPENSSL_LIBS} + +SOURCES = \ + tls_compat.c \ + ${LIBRESSL_SRCDIR}/tls/tls.c \ + ${LIBRESSL_SRCDIR}/tls/tls_bio_cb.c \ + ${LIBRESSL_SRCDIR}/tls/tls_client.c \ + ${LIBRESSL_SRCDIR}/tls/tls_config.c \ + ${LIBRESSL_SRCDIR}/tls/tls_conninfo.c \ + ${LIBRESSL_SRCDIR}/tls/tls_keypair.c \ + ${LIBRESSL_SRCDIR}/tls/tls_ocsp.c \ + ${LIBRESSL_SRCDIR}/tls/tls_peer.c \ + ${LIBRESSL_SRCDIR}/tls/tls_server.c \ + ${LIBRESSL_SRCDIR}/tls/tls_util.c \ + ${LIBRESSL_SRCDIR}/tls/tls_verify.c \ + ${LIBRESSL_SRCDIR}/crypto/compat/arc4random.c \ + ${LIBRESSL_SRCDIR}/crypto/compat/arc4random_uniform.c \ + ${LIBRESSL_SRCDIR}/crypto/compat/freezero.c \ + ${LIBRESSL_SRCDIR}/crypto/compat/reallocarray.c \ + ${LIBRESSL_SRCDIR}/crypto/compat/timingsafe_memcmp.c + +OBJECTS = ${SOURCES:.c=.o} + +all: dumpconfig libtls-standalone.so.${LIBTLS_FULLVERSION} libtls-standalone.so.${LIBTLS_SOVERSION} libtls-standalone.pc + +dumpconfig: + @echo "Building with:" + @echo " LIBRESSL_SRCDIR = ${LIBRESSL_SRCDIR}" + @echo " OPENSSL_CFLAGS = ${OPENSSL_CFLAGS}" + @echo " OPENSSL_LIBS = ${OPENSSL_LIBS}" + +.c.o: + ${CC} ${CFLAGS} -o $@ -c $< + +libtls-standalone.so.${LIBTLS_SOVERSION}: libtls-standalone.so.${LIBTLS_FULLVERSION} + ln -s $< $@ + +libtls-standalone.so.${LIBTLS_FULLVERSION}: ${OBJECTS} + ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJECTS} ${OPENSSL_LIBS} + +check: test_program + LD_LIBRARY_PATH=$$PWD ./test_program + 
+test_program: test_program.c + ${CC} -I${LIBRESSL_SRCDIR}/include -o $@ test_program.c ./libtls-standalone.so.${LIBTLS_FULLVERSION} + +clean: + rm -f ${OBJECTS} + rm -f libtls-standalone.so.${LIBTLS_FULLVERSION} libtls-standalone.so.${LIBTLS_SOVERSION} + rm -f test_program + +install: + install -D -m755 libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so.${LIBTLS_FULLVERSION} + ln -sf libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so.${LIBTLS_SOVERSION} + ln -sf libtls-standalone.so.${LIBTLS_FULLVERSION} ${DESTDIR}${PREFIX}/lib/libtls-standalone.so + + install -D -m644 ${LIBRESSL_SRCDIR}/include/tls.h ${DESTDIR}${PREFIX}/include/libtls-standalone/tls.h + + install -D -m644 libtls-standalone.pc ${DESTDIR}${PREFIX}/lib/pkgconfig/libtls-standalone.pc + +libtls-standalone.pc: ${LIBRESSL_SRCDIR}/libtls.pc.in + sed -e s:@prefix@:${PREFIX}:g \ + -e s:@exec_prefix@:${EXEC_PREFIX}:g \ + -e s:@libdir@:${LIBDIR}:g \ + -e s:@includedir@:${INCLUDEDIR}/libtls-standalone:g \ + -e s:@LIBS@:-ltls-standalone:g \ + -e s:@PLATFORM_LDADD@::g \ + -e s:@VERSION@:${LIBRESSL_VERSION}:g \ + -e /^Libs:/s:-ltls:-ltls-standalone:g \ + $< > libtls-standalone.pc + +.DUMMY: check dumpconfig clean install diff --git a/main/libtls-standalone/libtls-ciphers.patch b/main/libtls-standalone/libtls-ciphers.patch new file mode 100644 index 0000000000..7b5843b28c --- /dev/null +++ b/main/libtls-standalone/libtls-ciphers.patch 
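Review bot: `.DUMMY: check dumpconfig clean install` on the last line is not a make special target, so those four rules are ordinary file targets: a stray file named `check` or `install` in the build directory makes `make check` report "up to date" and skip the test entirely. The intended spelling is `.PHONY: all check dumpconfig clean install`. Also the soname link rule uses `ln -s $< $@` without `-f`, so a rebuild in a dirty tree fails on the existing link; `ln -sf $< $@` matches what the install rule already does.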
@@ -0,0 +1,17 @@ +--- libressl-2.7.4.orig/tls/tls_internal.h ++++ libressl-2.7.4/tls/tls_internal.h +@@ -30,12 +30,12 @@ + #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" + #endif + +-#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" + #define TLS_CIPHERS_COMPAT "HIGH:!aNULL" + #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" + #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" ++#define TLS_CIPHERS_DEFAULT TLS_CIPHERS_COMPAT + +-#define TLS_ECDHE_CURVES "X25519,P-256,P-384" ++#define TLS_ECDHE_CURVES "P-256,P-384" + + union tls_addr { + struct in_addr ip4; diff --git a/main/libtls-standalone/openssl-1.1.0-asn1-string.patch b/main/libtls-standalone/openssl-1.1.0-asn1-string.patch new file mode 100644 index 0000000000..258ba60a5d --- /dev/null +++ b/main/libtls-standalone/openssl-1.1.0-asn1-string.patch @@ -0,0 +1,31 @@ +--- libressl-2.7.4.orig/tls/tls_verify.c ++++ libressl-2.7.4/tls/tls_verify.c +@@ -126,12 +126,12 @@ + continue; + + if (type == GEN_DNS) { +- unsigned char *data; ++ const unsigned char *data; + int format, len; + + format = ASN1_STRING_type(altname->d.dNSName); + if (format == V_ASN1_IA5STRING) { +- data = ASN1_STRING_data(altname->d.dNSName); ++ data = ASN1_STRING_get0_data(altname->d.dNSName); + len = ASN1_STRING_length(altname->d.dNSName); + + if (len < 0 || (size_t)len != strlen(data)) { +@@ -171,11 +171,11 @@ + } + + } else if (type == GEN_IPADD) { +- unsigned char *data; ++ const unsigned char *data; + int datalen; + + datalen = ASN1_STRING_length(altname->d.iPAddress); +- data = ASN1_STRING_data(altname->d.iPAddress); ++ data = ASN1_STRING_get0_data(altname->d.iPAddress); + + if (datalen < 0) { + tls_set_errorx(ctx, diff --git a/main/libtls-standalone/openssl-1.1.0-bio-method.patch b/main/libtls-standalone/openssl-1.1.0-bio-method.patch new file mode 100644 index 0000000000..4f4290c3ce --- /dev/null +++ b/main/libtls-standalone/openssl-1.1.0-bio-method.patch 
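Review bot: Redefining `TLS_CIPHERS_DEFAULT` as `TLS_CIPHERS_COMPAT` ("HIGH:!aNULL") silently weakens every libtls consumer on this build: the upstream default is forward-secret AEAD only, whereas HIGH admits CBC-mode suites and static-RSA key exchange, and nothing in the patch records that this is a deliberate downgrade. OpenSSL's cipher-string grammar has no `AEAD` keyword (presumably why the upstream string was dropped), but the same policy can be spelled in OpenSSL terms: `#define TLS_CIPHERS_DEFAULT "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"`. The removal of X25519 from `TLS_ECDHE_CURVES` is likewise unexplained; OpenSSL 1.1.0 negotiates X25519 itself, so if the drop works around a group-name lookup in libtls's config code (not visible here) the patch should say so, otherwise `"X25519,P-256,P-384"` should be kept.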
@@ -0,0 +1,107 @@ +--- libressl-2.7.4.orig/tls/tls_bio_cb.c ++++ libressl-2.7.4/tls/tls_bio_cb.c +@@ -18,6 +18,7 @@ + #include <fcntl.h> + #include <stdlib.h> + #include <unistd.h> ++#include <assert.h> + + #include <openssl/bio.h> + +@@ -29,19 +30,36 @@ + static int bio_cb_puts(BIO *bio, const char *str); + static long bio_cb_ctrl(BIO *bio, int cmd, long num, void *ptr); + +-static BIO_METHOD bio_cb_method = { +- .type = BIO_TYPE_MEM, +- .name = "libtls_callbacks", +- .bwrite = bio_cb_write, +- .bread = bio_cb_read, +- .bputs = bio_cb_puts, +- .ctrl = bio_cb_ctrl, +-}; ++static pthread_once_t bio_cb_init_once = PTHREAD_ONCE_INIT; + ++static BIO_METHOD *bio_cb_method = NULL; ++ ++static void ++bio_s_cb_init(void) ++{ ++ BIO_METHOD *method; ++ ++ method = BIO_meth_new(BIO_TYPE_MEM, "libtls_callbacks"); ++ assert(method != NULL); ++ ++ BIO_meth_set_read(method, bio_cb_read); ++ BIO_meth_set_write(method, bio_cb_write); ++ BIO_meth_set_puts(method, bio_cb_puts); ++ BIO_meth_set_ctrl(method, bio_cb_ctrl); ++ ++ bio_cb_method = method; ++} ++ + static BIO_METHOD * + bio_s_cb(void) + { +- return (&bio_cb_method); ++ if (bio_cb_method != NULL) { ++ return bio_cb_method; ++ } ++ ++ (void) pthread_once(&bio_cb_init_once, bio_s_cb_init); ++ ++ return bio_cb_method; + } + + static int +@@ -57,10 +75,10 @@ + + switch (cmd) { + case BIO_CTRL_GET_CLOSE: +- ret = (long)bio->shutdown; ++ ret = (long) BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: +- bio->shutdown = (int)num; ++ BIO_set_shutdown(bio, (int) num); + break; + case BIO_CTRL_DUP: + case BIO_CTRL_FLUSH: +@@ -69,7 +87,7 @@ + case BIO_CTRL_GET: + case BIO_CTRL_SET: + default: +- ret = BIO_ctrl(bio->next_bio, cmd, num, ptr); ++ ret = BIO_ctrl(BIO_next(bio), cmd, num, ptr); + } + + return (ret); +@@ -78,7 +96,7 @@ + static int + bio_cb_write(BIO *bio, const char *buf, int num) + { +- struct tls *ctx = bio->ptr; ++ struct tls *ctx = BIO_get_data(bio); + int rv; + + BIO_clear_retry_flags(bio); +@@ -96,7 +114,7 @@ + 
static int + bio_cb_read(BIO *bio, char *buf, int size) + { +- struct tls *ctx = bio->ptr; ++ struct tls *ctx = BIO_get_data(bio); + int rv; + + BIO_clear_retry_flags(bio); +@@ -131,8 +149,8 @@ + tls_set_errorx(ctx, "failed to create callback i/o"); + goto err; + } +- bio->ptr = ctx; +- bio->init = 1; ++ BIO_set_data(bio, ctx); ++ BIO_set_init(bio, 1); + + SSL_set_bio(ctx->ssl_conn, bio, bio); + diff --git a/main/libtls-standalone/openssl-1.1.0-verify-param.patch b/main/libtls-standalone/openssl-1.1.0-verify-param.patch new file mode 100644 index 0000000000..ef3f948e02 --- /dev/null +++ b/main/libtls-standalone/openssl-1.1.0-verify-param.patch @@ -0,0 +1,50 @@ +--- libressl-2.7.4.orig/tls/tls.c ++++ libressl-2.7.4/tls/tls.c +@@ -438,8 +438,16 @@ + } + + if (ctx->config->verify_time == 0) { +- X509_VERIFY_PARAM_set_flags(ssl_ctx->param, +- X509_V_FLAG_NO_CHECK_TIME); ++ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); ++ ++ if (param == NULL) { ++ goto err; ++ } ++ ++ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME); ++ SSL_CTX_set1_param(ssl_ctx, param); ++ ++ X509_VERIFY_PARAM_free(param); + } + + /* Disable any form of session caching by default */ +@@ -487,6 +495,7 @@ + STACK_OF(X509_INFO) *xis = NULL; + X509_STORE *store; + X509_INFO *xi; ++ X509_VERIFY_PARAM *param; + BIO *bio = NULL; + int rv = -1; + int i; +@@ -548,8 +557,19 @@ + } + xi->crl = NULL; + } +- X509_VERIFY_PARAM_set_flags(store->param, ++ ++ param = X509_VERIFY_PARAM_new(); ++ ++ if (param == NULL) { ++ goto err; ++ } ++ ++ X509_VERIFY_PARAM_set_flags(param, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); ++ ++ X509_STORE_set1_param(store, param); ++ ++ X509_VERIFY_PARAM_free(param); + } + + done: diff --git a/main/libtls-standalone/openssl-1.1.0-x509-object.patch b/main/libtls-standalone/openssl-1.1.0-x509-object.patch new file mode 100644 index 0000000000..e90903252f --- /dev/null +++ b/main/libtls-standalone/openssl-1.1.0-x509-object.patch 
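Review bot: `assert(method != NULL)` in the new `bio_s_cb_init` is the only handling of a failed `BIO_meth_new()`; with `NDEBUG` the NULL goes straight into `BIO_meth_set_read`, and without it an allocation failure inside a library aborts the host process. The hunk also introduces `pthread_once_t`/`pthread_once` while adding only `<assert.h>`, so it builds only if `tls_internal.h` happens to pull in `<pthread.h>`, and the unsynchronised `bio_cb_method != NULL` pre-check in `bio_s_cb` is a data race that `pthread_once` already makes unnecessary. I would have the init function leave `bio_cb_method` NULL on failure and let the call site (the `BIO_new(bio_s_cb())` line just above the "failed to create callback i/o" context, outside the quoted hunk) check for NULL before calling `BIO_new`, since `BIO_new(NULL)` would itself dereference the method.
```c
#include <pthread.h>
/* … unchanged: other includes, prototypes, bio_cb_init_once, bio_cb_method … */

static void
bio_s_cb_init(void)
{
	BIO_METHOD *method;

	/* Leave bio_cb_method NULL on failure; the caller must check
	 * bio_s_cb() for NULL before handing it to BIO_new(). */
	if ((method = BIO_meth_new(BIO_TYPE_MEM, "libtls_callbacks")) == NULL)
		return;

	BIO_meth_set_read(method, bio_cb_read);
	BIO_meth_set_write(method, bio_cb_write);
	BIO_meth_set_puts(method, bio_cb_puts);
	BIO_meth_set_ctrl(method, bio_cb_ctrl);

	bio_cb_method = method;
}

static BIO_METHOD *
bio_s_cb(void)
{
	/* pthread_once has its own completed fast path; no racy pre-check. */
	(void)pthread_once(&bio_cb_init_once, bio_s_cb_init);
	return bio_cb_method;
}
```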
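Review bot: The return values of `SSL_CTX_set1_param` and `X509_STORE_set1_param` are ignored in both new blocks, so an allocation failure inside them leaves the flags unset while the function still reports success; for the second block that means CRL checking is silently disabled even though a CRL was configured. The detour through a freshly allocated `X509_VERIFY_PARAM` is also unnecessary: OpenSSL 1.1.0 exposes the contexts' own parameter objects, so both sites can remain in-place mutations with no failure path, `X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ssl_ctx), X509_V_FLAG_NO_CHECK_TIME);` and `X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);`. The `err` labels the new `goto`s target belong to the enclosing functions, which lie outside the quoted hunks.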
@@ -0,0 +1,40 @@ +--- libressl-2.7.4.orig/tls/tls_ocsp.c ++++ libressl-2.7.4/tls/tls_ocsp.c +@@ -127,8 +127,8 @@ + { + X509_NAME *issuer_name; + X509 *issuer; +- X509_STORE_CTX storectx; +- X509_OBJECT tmpobj; ++ X509_STORE_CTX *storectx; ++ X509_OBJECT *tmpobj; + OCSP_CERTID *cid = NULL; + X509_STORE *store; + +@@ -143,14 +143,20 @@ + + if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL) + return NULL; +- if (X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs) != 1) ++ if ((storectx = X509_STORE_CTX_new()) == NULL) + return NULL; +- if (X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name, +- &tmpobj) == 1) { +- cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509); +- X509_OBJECT_free_contents(&tmpobj); ++ if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1) ++ goto err; ++ if ((tmpobj = X509_OBJECT_new()) == NULL) ++ goto err; ++ if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name, ++ tmpobj) == 1) { ++ cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj)); ++ X509_OBJECT_free(tmpobj); + } +- X509_STORE_CTX_cleanup(&storectx); ++ ++ err: ++ X509_STORE_CTX_cleanup(storectx); + return cid; + } + diff --git a/main/libtls-standalone/test_program.c b/main/libtls-standalone/test_program.c new file mode 100644 index 0000000000..f8d7332d72 --- /dev/null +++ b/main/libtls-standalone/test_program.c @@ -0,0 +1,11 @@ +#include <stdlib.h> +#include <assert.h> +#include <tls.h> + +int +main(int argc, const char *argv[]) +{ + assert(tls_init() == 0); + + return EXIT_SUCCESS; +} diff --git a/main/libtls-standalone/tls_compat.c b/main/libtls-standalone/tls_compat.c new file mode 100644 index 0000000000..2d184e4020 --- /dev/null +++ b/main/libtls-standalone/tls_compat.c 
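Review bot: `storectx` is now allocated with `X509_STORE_CTX_new()` but the exit path still only calls `X509_STORE_CTX_cleanup(storectx)`, so the context object itself leaks on every OCSP cert-id computation; it needs `X509_STORE_CTX_free`, which performs the cleanup too. `tmpobj` leaks as well whenever `X509_STORE_get_by_subject` does not return 1, because the only `X509_OBJECT_free` sits inside the success branch, and it is uninitialised on the `goto err` taken when `X509_STORE_CTX_init` fails. Initialising both pointers to NULL and freeing them unconditionally at `err` (both free functions accept NULL in 1.1.0) closes all three paths; the function's signature is just above the quoted inner hunk.
```c
	X509_STORE_CTX *storectx = NULL;
	X509_OBJECT *tmpobj = NULL;
	/* … unchanged: issuer lookup, X509_STORE_CTX_new/init, X509_OBJECT_new … */
	if (X509_STORE_get_by_subject(storectx, X509_LU_X509, issuer_name,
	    tmpobj) == 1)
		cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj));

 err:
	X509_OBJECT_free(tmpobj);	/* NULL-safe */
	X509_STORE_CTX_free(storectx);	/* runs cleanup and releases the ctx */
	return cid;
```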
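Review bot: `assert(tls_init() == 0)` is the whole test, and `assert` expands to nothing under `NDEBUG`, so a build with that flag would make `make check` pass without ever calling `tls_init()`; the Makefile's `test_program` rule passes no CFLAGS today, but that is one edit away from changing. Make the check unconditional: `if (tls_init() != 0) return EXIT_FAILURE;`, and since `argc`/`argv` are unused, `int main(void)` avoids the unused-parameter warnings.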
@@ -0,0 +1,369 @@ +/* + * Copyright (c) 2016 Tai Chi Minh Ralph Eastwood <tcmreastwood@gmail.com> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <openssl/opensslv.h> +#include <openssl/x509_vfy.h> +#include <openssl/ssl.h> +#include <stdlib.h> +#include <string.h> +#include <fcntl.h> +#include <unistd.h> +#include <sys/stat.h> +#include <ctype.h> + +int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) +{ + char fname[] = "/tmp/libtlscompatXXXXXX"; + int rc; + int fd; + + fd = mkstemp(fname); + + if (fd < 0) + return -1; + do { + ssize_t wrote = write(fd, buf, len); + if(wrote == -1) { + break; + } else { + buf = (char *)buf + wrote; + len -= wrote; + } + } while(len); + close(fd); + rc = SSL_CTX_load_verify_locations(ctx, fname, NULL); + remove(fname); + return rc; +} + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. 
The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include <sys/types.h> + +#include <unistd.h> +#include <stdio.h> + +#include <openssl/err.h> +#include <openssl/bio.h> +#include <openssl/objects.h> +#include <openssl/evp.h> +#include <openssl/x509.h> +#include <openssl/pem.h> +#include <openssl/ssl.h> + +int +SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, char *buf, off_t len) +{ + int ret; + BIO*in; + X509*x; + X509*ca; + unsigned long err; + + ret = 0; + x = ca = NULL; + + if ((in = BIO_new_mem_buf(buf, len)) == NULL) { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); + goto end; + } + + if ((x = PEM_read_bio_X509(in, NULL, + SSL_CTX_get_default_passwd_cb(ctx), + SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB); + goto end; + } + + if (!SSL_CTX_use_certificate(ctx, x) || ERR_peek_error() != 0) + goto end; + + /* If we could set up our certificate, now proceed to + * the CA certificates. + */ + SSL_CTX_clear_extra_chain_certs(ctx); + + while ((ca = PEM_read_bio_X509(in, NULL, + SSL_CTX_get_default_passwd_cb(ctx), + SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) { + + if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) + goto end; + } + + err = ERR_peek_last_error(); + if (ERR_GET_LIB(err) == ERR_LIB_PEM && + ERR_GET_REASON(err) == PEM_R_NO_START_LINE) + ERR_clear_error(); + else + goto end; + + ret = 1; +end: + if (ca != NULL) + X509_free(ca); + if (x != NULL) + X509_free(x); + if (in != NULL) + BIO_free(in); + return (ret); +} + +/* + * Copyright (c) 2015 Bob Beck <beck@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Parse an RFC 5280 format ASN.1 time string. + * + * mode must be: + * 0 if we expect to parse a time as specified in RFC 5280 from an X509 object. + * V_ASN1_UTCTIME if we wish to parse on RFC5280 format UTC time. + * V_ASN1_GENERALIZEDTIME if we wish to parse an RFC5280 format Generalized time. + * + * Returns: + * -1 if the string was invalid. + * V_ASN1_UTCTIME if the string validated as a UTC time string. + * V_ASN1_GENERALIZEDTIME if the string validated as a Generalized time string. + * + * Fills in *tm with the corresponding time if tm is non NULL. + */ + +#define GENTIME_LENGTH 15 +#define UTCTIME_LENGTH 13 + +#define ATOI2(ar) ((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0')) +int +ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode) +{ + size_t i; + int type = 0; + struct tm ltm; + struct tm *lt; + const char *p; + + if (bytes == NULL) + return (-1); + + /* Constrain to valid lengths. */ + if (len != UTCTIME_LENGTH && len != GENTIME_LENGTH) + return (-1); + + lt = tm; + if (lt == NULL) { + memset(<m, 0, sizeof(ltm)); + lt = <m; + } + + /* Timezone is required and must be GMT (Zulu). */ + if (bytes[len - 1] != 'Z') + return (-1); + + /* Make sure everything else is digits. 
*/ + for (i = 0; i < len - 1; i++) { + if (isdigit((unsigned char)bytes[i])) + continue; + return (-1); + } + + /* + * Validate and convert the time + */ + p = bytes; + switch (len) { + case GENTIME_LENGTH: + if (mode == V_ASN1_UTCTIME) + return (-1); + lt->tm_year = (ATOI2(p) * 100) - 1900; /* cc */ + type = V_ASN1_GENERALIZEDTIME; + /* FALLTHROUGH */ + case UTCTIME_LENGTH: + if (type == 0) { + if (mode == V_ASN1_GENERALIZEDTIME) + return (-1); + type = V_ASN1_UTCTIME; + } + lt->tm_year += ATOI2(p); /* yy */ + if (type == V_ASN1_UTCTIME) { + if (lt->tm_year < 50) + lt->tm_year += 100; + } + lt->tm_mon = ATOI2(p) - 1; /* mm */ + if (lt->tm_mon < 0 || lt->tm_mon > 11) + return (-1); + lt->tm_mday = ATOI2(p); /* dd */ + if (lt->tm_mday < 1 || lt->tm_mday > 31) + return (-1); + lt->tm_hour = ATOI2(p); /* HH */ + if (lt->tm_hour < 0 || lt->tm_hour > 23) + return (-1); + lt->tm_min = ATOI2(p); /* MM */ + if (lt->tm_min < 0 || lt->tm_min > 59) + return (-1); + lt->tm_sec = ATOI2(p); /* SS */ + /* Leap second 60 is not accepted. Reconsider later? */ + if (lt->tm_sec < 0 || lt->tm_sec > 59) + return (-1); + break; + default: + return (-1); + } + + return (type); +} + +/* $OpenBSD: a_time_tm.c,v 1.14 2017/08/28 17:42:47 jsing Exp $ */ +/* + * Copyright (c) 2015 Bob Beck <beck@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#include <ctype.h> +#include <limits.h> +#include <stdio.h> +#include <string.h> +#include <time.h> + +#include <openssl/asn1t.h> +#include <openssl/err.h> + +#define RFC5280 0 +#define GENTIME_LENGTH 15 +#define UTCTIME_LENGTH 13 + +int +ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2) +{ + if (tm1->tm_year < tm2->tm_year) + return (-1); + if (tm1->tm_year > tm2->tm_year) + return (1); + if (tm1->tm_mon < tm2->tm_mon) + return (-1); + if (tm1->tm_mon > tm2->tm_mon) + return (1); + if (tm1->tm_mday < tm2->tm_mday) + return (-1); + if (tm1->tm_mday > tm2->tm_mday) + return (1); + if (tm1->tm_hour < tm2->tm_hour) + return (-1); + if (tm1->tm_hour > tm2->tm_hour) + return (1); + if (tm1->tm_min < tm2->tm_min) + return (-1); + if (tm1->tm_min > tm2->tm_min) + return (1); + if (tm1->tm_sec < tm2->tm_sec) + return (-1); + if (tm1->tm_sec > tm2->tm_sec) + return (1); + return 0; +} + +int +ASN1_time_tm_clamp_notafter(struct tm *tm) +{ + if (sizeof(time_t) < 8) { + struct tm broken_os_epoch_tm; + time_t broken_os_epoch_time = INT_MAX; + + if (gmtime_r(&broken_os_epoch_time, &broken_os_epoch_tm) == NULL) + return 0; + + if (ASN1_time_tm_cmp(tm, &broken_os_epoch_tm) == 1) + memcpy(tm, &broken_os_epoch_tm, sizeof(*tm)); + } + + return 1; +} diff --git a/main/libtls-standalone/tls_compat.h b/main/libtls-standalone/tls_compat.h new file mode 100644 index 0000000000..8e4629e35a --- /dev/null +++ b/main/libtls-standalone/tls_compat.h 
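Review bot: `SSL_CTX_load_verify_mem` round-trips the in-memory CA bundle through `/tmp/libtlscompatXXXXXX`, and its write loop `break`s on a failed `write()` yet still hands the path to `SSL_CTX_load_verify_locations` and returns that loader's result, so a short write can produce a truncated trust store that is reported as success; the `close()` result is unchecked as well, and the function fails outright on a read-only or missing `/tmp`. The filesystem detour is avoidable: parse the buffer with `PEM_X509_INFO_read_bio` over a memory BIO and add the objects to `SSL_CTX_get_cert_store(ctx)`, which is how LibreSSL's own implementation works and leaves nothing on disk; the `<openssl/pem.h>`/`<openssl/x509.h>` includes that this file currently pulls in further down would have to precede the function. The sketch below returns 1 only if at least one object was added, mirroring the file loader it replaces. Separately, `memset(<m, …)` and `lt = <m` in `ASN1_time_parse` look like `&ltm` mangled by HTML escaping in this rendering rather than in the committed file.
```c
int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
{
	STACK_OF(X509_INFO) *xis = NULL;
	X509_STORE *store;
	BIO *in = NULL;
	int i, count = 0;

	if ((store = SSL_CTX_get_cert_store(ctx)) == NULL)
		return 0;
	if ((in = BIO_new_mem_buf(buf, len)) == NULL)
		goto done;
	if ((xis = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
		goto done;

	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		X509_INFO *xi = sk_X509_INFO_value(xis, i);

		/* Count what was added, like X509_load_cert_crl_file() does. */
		if (xi->x509 != NULL && X509_STORE_add_cert(store, xi->x509))
			count++;
		if (xi->crl != NULL && X509_STORE_add_crl(store, xi->crl))
			count++;
	}
done:
	sk_X509_INFO_pop_free(xis, X509_INFO_free);
	BIO_free(in);
	return count > 0 ? 1 : 0;
}
```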
@@ -0,0 +1,23 @@ +#include <string.h> + +#include <openssl/opensslv.h> +#include <openssl/x509_vfy.h> + +#ifndef LIBTLS_TLS_COMPAT_H +#define LIBTLS_TLS_COMPAT_H + +#ifndef X509_V_FLAG_NO_CHECK_TIME +#define X509_V_FLAG_NO_CHECK_TIME 0 +#endif + +#ifndef SSL_OP_NO_CLIENT_RENEGOTIATION +#define SSL_OP_NO_CLIENT_RENEGOTIATION 0 +#endif + +int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len); + +int ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode); + +int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, char *buf, off_t); + +#endif |
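Review bot: Defining `SSL_OP_NO_CLIENT_RENEGOTIATION` as 0 when OpenSSL lacks it turns the option into a no-op, so wherever the libtls sources OR it into `SSL_CTX_set_options` (presumably the server path; not visible here) this build silently stops rejecting client-initiated renegotiation, with no compile-time or runtime indication. The `X509_V_FLAG_NO_CHECK_TIME` shim has the same shape, where `tls_config_insecure_noverifytime()` would become a silent no-op; that direction at least fails closed. Both fallbacks deserve a comment stating the behavioural loss, and the renegotiation one should map to OpenSSL's own knob when the headers offer it: `#if !defined(SSL_OP_NO_CLIENT_RENEGOTIATION) && defined(SSL_OP_NO_RENEGOTIATION)` / `#define SSL_OP_NO_CLIENT_RENEGOTIATION SSL_OP_NO_RENEGOTIATION` / `#endif` ahead of the `0` fallback. As far as I recall `SSL_OP_NO_RENEGOTIATION` only arrived in 1.1.1, so against the 1.1.0 headers this patch set targets the fallback still applies and the comment is what carries the warning.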