Commit: 5d60dbe4ae80b7ae4180148fa1d83d61cf164794
Parent: 7a9747498197e7a942beb1aaf765367fb3651a84
Author: Randy Palamar
Date: Wed, 27 Sep 2023 06:32:21 -0600
add libs/libtls-bearssl from oasis and enable nc
Having libtls (the LibreSSL TLS API) implemented on top of BearSSL is very
useful; it will also serve as the TLS backend for curl.
Diffstat:
9 files changed, 115 insertions(+), 5 deletions(-)
diff --git a/.gitmodules b/.gitmodules
@@ -24,6 +24,10 @@
path = pkg/libs/bearssl/src
url = https://www.bearssl.org/git/BearSSL
ignore = all
+[submodule "pkg/libs/libtls-bearssl/src"]
+ path = pkg/libs/libtls-bearssl/src
+ url = https://git.sr.ht/~mcf/libtls-bearssl
+ ignore = all
[submodule "pkg/libs/netbsd-curses/src"]
path = pkg/libs/netbsd-curses/src
url = https://github.com/oasislinux/netbsd-curses.git
diff --git a/pkg/libs/gen.lua b/pkg/libs/gen.lua
@@ -1,4 +1,5 @@
subgen('bearssl')
subgen('libtermkey')
+subgen('libtls-bearssl')
subgen('lpeg')
subgen('netbsd-curses')
diff --git a/pkg/libs/libtls-bearssl/gen.lua b/pkg/libs/libtls-bearssl/gen.lua
@@ -0,0 +1,30 @@
+cflags({
+ '-std=c11', '-Wall', '-Wpedantic',
+ '-D _DEFAULT_SOURCE',
+ '-I $srcdir',
+ '-isystem $builddir/pkg/libs/bearssl/include',
+})
+
+pkg.hdrs = copy('$outdir/include', '$srcdir', {'tls.h'})
+pkg.deps = {
+ 'pkg/libs/bearssl/headers',
+}
+
+lib('libtls.a', {
+ 'tls.c',
+ 'tls_bio_cb.c',
+ 'tls_client.c',
+ 'tls_config.c',
+ 'tls_conninfo.c',
+ 'tls_keypair.c',
+ 'tls_ocsp.c',
+ 'tls_peer.c',
+ 'tls_server.c',
+ 'tls_util.c',
+ 'tls_verify.c',
+ 'bearssl.c',
+ '$builddir/pkg/libs/bearssl/libbearssl.a',
+ '$builddir/pkg/sys/openbsd/libbsd.a',
+})
+
+fetch('git')
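Review bot: Nothing in this gen.lua records that libtls-bearssl only builds against the locally patched BearSSL in `pkg/libs/bearssl`, yet the two patch files added in this commit call `br_x509_decoder_get_notbefore`/`br_x509_decoder_get_notafter` and `BR_OPT_REQUEST_CLIENT_CERT`, which their own subjects describe as "patched bearssl" additions. Anyone bumping the BearSSL submodule without carrying those patches forward will get a build break (or, worse, a silently different TLS behaviour if a flag value is reused). A one-line comment above the `cflags` call would save that surprise: `-- requires the patched BearSSL in pkg/libs/bearssl (validity-period getters, BR_OPT_REQUEST_CLIENT_CERT); see patch/`. The `pkg.deps` list names only `pkg/libs/bearssl/headers` although `libbsd.a` from `pkg/sys/openbsd` is linked in; if this build system tracks archives through the `lib()` inputs that is fine, otherwise a dependency on that package is missing.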
diff --git a/pkg/libs/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch b/pkg/libs/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch
@@ -0,0 +1,45 @@
+From 7701b90a015c4e4c2b6af6e8b53315dce1f6c780 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sun, 29 Mar 2020 13:07:39 -0700
+Subject: [PATCH] Use patched bearssl method to retrieve validity period
+
+---
+ tls_conninfo.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/tls_conninfo.c b/tls_conninfo.c
+index ccce70d..1e9b57e 100644
+--- a/tls_conninfo.c
++++ b/tls_conninfo.c
+@@ -162,10 +162,24 @@ static int
+ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
+ time_t *notafter)
+ {
+- /* XXX: BearSSL has no way to get certificate notBefore and
+- * notAfter */
+- *notbefore = -1;
+- *notafter = -1;
++ br_x509_decoder_context xc;
++ uint32_t notbefore_days, notbefore_seconds;
++ uint32_t notafter_days, notafter_seconds;
++ int err;
++
++ br_x509_decoder_init(&xc, NULL, NULL);
++ br_x509_decoder_push(&xc, ctx->peer_chain[0].data, ctx->peer_chain[0].data_len);
++
++ if ((err = br_x509_decoder_last_error(&xc)) != 0) {
++ tls_set_errorx(ctx, "%s", bearssl_strerror(err));
++ return (-1);
++ }
++
++ br_x509_decoder_get_notbefore(&xc, ¬before_days, ¬before_seconds);
++ br_x509_decoder_get_notafter(&xc, ¬after_days, ¬after_seconds);
++
++ *notbefore = 86400LL * (notbefore_days - 719528) + notbefore_seconds;
++ *notafter = 86400LL * (notafter_days - 719528) + notafter_seconds;
+
+ return (0);
+ }
+--
+2.31.1
+
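Review bot: The epoch conversion in the new `tls_get_peer_cert_times` is done in unsigned arithmetic: `notbefore_days - 719528` subtracts from a `uint32_t`, so for any notBefore earlier than 1970-01-01 (day 719528) the difference wraps to a value near 2^32 before being widened by `86400LL`, and the returned time_t is a large positive date instead of a negative one. Converting first avoids the wrap: `*notbefore = 86400LL * ((long long)notbefore_days - 719528) + notbefore_seconds;` and `*notafter = 86400LL * ((long long)notafter_days - 719528) + notafter_seconds;`. The decoder is also pushed `ctx->peer_chain[0]` without a visible check that a peer chain was actually received; if the caller in tls_conninfo.c does not already guard on the chain length (the struct and caller are outside the hunk) this dereferences an empty or NULL chain. The third argument of the getters appears here as `¬before_days`, presumably `&notbefore_days` mangled in rendering. The function itself is complete within the hunk.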
diff --git a/pkg/libs/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch b/pkg/libs/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch
@@ -0,0 +1,29 @@
+From ce2e99a74f9216fa5783a6bc943c228788fd469c Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 13 May 2021 22:17:56 -0700
+Subject: [PATCH] Use patched bearssl flag to force CertificateRequest
+
+---
+ tls_server.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/tls_server.c b/tls_server.c
+index 2436036..7f578b8 100644
+--- a/tls_server.c
++++ b/tls_server.c
+@@ -339,11 +339,7 @@ tls_accept_common(struct tls *ctx)
+ if (tls_configure_x509(conn_ctx) != 0)
+ goto err;
+
+- if (ctx->config->ca_len == 0) {
+- tls_set_errorx(ctx, "cannot verify client without trust anchors");
+- goto err;
+- }
+-
++ flags |= BR_OPT_REQUEST_CLIENT_CERT;
+ br_ssl_server_set_trust_anchor_names_alt(&conn_ctx->conn->u.server,
+ ctx->config->ca, ctx->config->ca_len);
+
+--
+2.31.1
+
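Review bot: Dropping the `ca_len == 0` guard in `tls_accept_common` removes a fail-closed configuration error and lets the handshake proceed with `br_ssl_server_set_trust_anchor_names_alt` receiving zero names; whether a client certificate presented against an empty anchor list is then rejected depends entirely on the X.509 engine installed by `tls_configure_x509`, which is outside this hunk, as are the declaration of `flags` and the condition enclosing these lines. The commit message does not say why that trade is safe, and the patch subject ("force CertificateRequest") only explains the added flag, not the removed check. A comment on the new line would make the intent auditable: `/* BR_OPT_REQUEST_CLIENT_CERT (local BearSSL patch): send CertificateRequest even with no trust-anchor names; with ca_len == 0 rejecting an untrusted client cert is left to the x509 engine set in tls_configure_x509 */`. If an operator sets verify_client without a CA, consider whether that should still be refused rather than relying on the validator to fail every chain.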
diff --git a/pkg/libs/libtls-bearssl/src b/pkg/libs/libtls-bearssl/src
@@ -0,0 +1 @@
+Subproject commit f35ee486e3aad1d88613a18d9c91e8b7545c2c27
diff --git a/pkg/libs/libtls-bearssl/ver b/pkg/libs/libtls-bearssl/ver
@@ -0,0 +1 @@
+0.5 r3
diff --git a/pkg/sys/openbsd/gen.lua b/pkg/sys/openbsd/gen.lua
@@ -51,19 +51,17 @@ man({'usr.bin/doas/doas.1', 'usr.bin/doas/doas.conf.5'})
file('bin/fmt', '755', exe('fmt', {'usr.bin/fmt/fmt.c', 'libbsd.a'}))
man({'usr.bin/fmt/fmt.1'})
---[[
-- nc
sub('nc.ninja', function()
- cflags({'-isystem $builddir/pkg/libtls-bearssl/include'})
+ cflags({'-isystem $builddir/pkg/libs/libtls-bearssl/include'})
exe('nc', [[
usr.bin/nc/(netcat.c atomicio.c socks.c)
- $builddir/pkg/libtls-bearssl/libtls.a.d
+ $builddir/pkg/libs/libtls-bearssl/libtls.a.d
libbsd.a
- , {'pkg/libtls-bearssl/headers'})
+ ]], {'pkg/libs/libtls-bearssl/headers'})
file('bin/nc', '755', '$outdir/nc')
man({'usr.bin/nc/nc.1'})
end)
---]]
-- m4
yacc('usr.bin/m4/parser', 'usr.bin/m4/parser.y')
diff --git a/sets.lua b/sets.lua
@@ -13,6 +13,7 @@ S.bin = {
}
S.lib = {
+ 'libtls-bearssl',
'netbsd-curses',
}