authorCem Keylan <cem@ckyln.com>2020-09-16 01:04:44 +0300
committerCem Keylan <cem@ckyln.com>2020-09-16 01:04:44 +0300
commitaf3e24bee26eb0cbbab683c2f37a3f49bf1338ee (patch)
treea5b8dbeab4441f033cca5cf8d48f4ebf7bebb89f /core
parent50e2b1c8a75f78920991761b61fc59d23b6f910a (diff)
downloadrepository-af3e24bee26eb0cbbab683c2f37a3f49bf1338ee.tar.gz
meta: revert to using bearssl by default
Diffstat (limited to 'core')
-rwxr-xr-xcore/bearssl/build29
-rw-r--r--core/bearssl/checksums3
-rw-r--r--core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch25
-rw-r--r--core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch60
-rw-r--r--core/bearssl/sources3
-rw-r--r--core/bearssl/version1
-rwxr-xr-xcore/ca-certificates/build3
-rw-r--r--core/ca-certificates/checksums1
-rwxr-xr-xcore/ca-certificates/files/cert.sh15
-rwxr-xr-xcore/ca-certificates/post-install3
-rw-r--r--core/ca-certificates/sources1
-rw-r--r--core/ca-certificates/version1
-rwxr-xr-xcore/curl/build4
-rw-r--r--core/curl/depends3
-rw-r--r--core/curl/version2
-rw-r--r--core/git/depends2
-rw-r--r--core/git/version2
-rwxr-xr-xcore/libressl/build13
-rw-r--r--core/libressl/checksums2
-rwxr-xr-xcore/libressl/files/update-certdata.sh14
-rwxr-xr-xcore/libressl/post-install3
-rw-r--r--core/libressl/sources2
-rw-r--r--core/libressl/version1
23 files changed, 153 insertions, 40 deletions
diff --git a/core/bearssl/build b/core/bearssl/build
new file mode 100755
index 00000000..21bbd789
--- /dev/null
+++ b/core/bearssl/build
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+for patch in *.patch; do
+ patch -p1 < "$patch"
+done
+
+kinstall() {
+ mkdir -p "${3%/*}"; cp "$2" "$3"
+ chmod "$1" "$3"
+}
+
+make
+
+# Build static binary for bearssl, word splitting on CFLAGS is intentional.
+# shellcheck disable=2086
+"${CC:-cc}" \
+ -static $CFLAGS \
+ -I ./inc \
+ -include tools/brssl.h \
+ tools/*.c \
+ build/libbearssl.a \
+ -o brssl
+
+
+kinstall 755 brssl "$1/usr/bin/brssl"
+kinstall 644 build/libbearssl.a "$1/usr/lib/libbearssl.a"
+kinstall 755 build/libbearssl.so "$1/usr/lib/libbearssl.so"
+
+mv inc "$1/usr/include"
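Review bot: The final `mv inc "$1/usr/include"` moves the source-tree directory instead of installing into it, so the outcome depends on the destination: if `$1/usr/include` already exists, the headers land in `usr/include/inc`. The headers also keep whatever modes the tarball gave them, unlike the three `kinstall` lines above, which set modes explicitly. Assuming the headers sit flat in `inc/`, `mkdir -p "$1/usr/include"` followed by `cp inc/*.h "$1/usr/include/"` makes the result independent of the destination's prior state.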
diff --git a/core/bearssl/checksums b/core/bearssl/checksums
new file mode 100644
index 00000000..cd6661bf
--- /dev/null
+++ b/core/bearssl/checksums
@@ -0,0 +1,3 @@
+6705bba1714961b41a728dfc5debbe348d2966c117649392f8c8139efc83ff14 bearssl-0.6.tar.gz
+ad783bbbbb58bbdad66af299c5a0ea5389474a7d7256391673fe94e88f11fbef 0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+414fd90fc27353ae3ca2478b68891715088de8b6cf6b81927ed8337df63f47e4 0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch b/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
new file mode 100644
index 00000000..421bbc7f
--- /dev/null
+++ b/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
@@ -0,0 +1,25 @@
+From a5c3ea02385205858128e414873a0150cd8bceda Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Fri, 31 Jan 2020 15:11:32 -0800
+Subject: [PATCH] Add missing return in client single EC choose function
+
+Otherwise, static ECDH is never selected.
+---
+ src/ssl/ssl_ccert_single_ec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/ssl/ssl_ccert_single_ec.c b/src/ssl/ssl_ccert_single_ec.c
+index 93ebcde..2e1e54f 100644
+--- a/src/ssl/ssl_ccert_single_ec.c
++++ b/src/ssl/ssl_ccert_single_ec.c
+@@ -69,6 +69,7 @@ cc_choose(const br_ssl_client_certificate_class **pctx,
+ choices->hash_id = -1;
+ choices->chain = zc->chain;
+ choices->chain_len = zc->chain_len;
++ return;
+ }
+ }
+
+--
+2.25.0
+
diff --git a/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch b/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
new file mode 100644
index 00000000..8377da4d
--- /dev/null
+++ b/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
@@ -0,0 +1,60 @@
+From 31fdee5b9d8fc63c850222768dcd097e43da0116 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 26 Mar 2020 14:17:19 -0700
+Subject: [PATCH] Add functions to retrieve certificate validity period from
+ br_x509_decoder.
+
+---
+ inc/bearssl_x509.h | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/inc/bearssl_x509.h b/inc/bearssl_x509.h
+index 49d2fba..9d43e15 100644
+--- a/inc/bearssl_x509.h
++++ b/inc/bearssl_x509.h
+@@ -1045,6 +1045,42 @@ br_x509_decoder_last_error(br_x509_decoder_context *ctx)
+ return 0;
+ }
+
++/**
++ * \brief Get the time when the certificate becomes valid.
++ *
++ * The time is represented the same as in `br_x509_minimal_set_time()`.
++ * These values should not be read before decoding completed successfully.
++ *
++ * \param ctx X.509 decoder context.
++ * \param days receives the days since January 1st, 0 AD.
++ * \param seconds receives the seconds since midnight (0 to 86400).
++ */
++static inline void
++br_x509_decoder_get_notbefore(br_x509_decoder_context *ctx,
++ uint32_t *days, uint32_t *seconds)
++{
++ *days = ctx->notbefore_days;
++ *seconds = ctx->notbefore_seconds;
++}
++
++/**
++ * \brief Get the time when the certificate is no longer valid.
++ *
++ * The time is represented the same as in `br_x509_minimal_set_time()`.
++ * These values should not be read before decoding completed successfully.
++ *
++ * \param ctx X.509 decoder context.
++ * \param days receives the days since January 1st, 0 AD.
++ * \param seconds receives the seconds since midnight (0 to 86400).
++ */
++static inline void
++br_x509_decoder_get_notafter(br_x509_decoder_context *ctx,
++ uint32_t *days, uint32_t *seconds)
++{
++ *days = ctx->notafter_days;
++ *seconds = ctx->notafter_seconds;
++}
++
+ /**
+ * \brief Get the "isCA" flag from an X.509 decoder context.
+ *
+--
+2.26.0
+
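Review bot: Both getters copy `ctx->notbefore_*` and `ctx->notafter_*` out unconditionally, and because they return `void` they cannot signal that decoding failed or has not finished. The only guard is the sentence in the doc comment. Since these values feed certificate validity-window decisions, the comment should name the check to make, e.g. `Call only after br_x509_decoder_last_error() has returned 0.`; that function is the one whose tail is visible in the hunk context just above. The `ctx` parameter is only read, so `const br_x509_decoder_context *ctx` would fit if the neighbouring accessors, which lie outside the hunk, follow the same convention.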
diff --git a/core/bearssl/sources b/core/bearssl/sources
new file mode 100644
index 00000000..3d637087
--- /dev/null
+++ b/core/bearssl/sources
@@ -0,0 +1,3 @@
+https://bearssl.org/bearssl-0.6.tar.gz
+patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/core/bearssl/version b/core/bearssl/version
new file mode 100644
index 00000000..28c26d58
--- /dev/null
+++ b/core/bearssl/version
@@ -0,0 +1 @@
+0.6 2
diff --git a/core/ca-certificates/build b/core/ca-certificates/build
new file mode 100755
index 00000000..0f8263d8
--- /dev/null
+++ b/core/ca-certificates/build
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+install -Dm755 cert.sh "$1/usr/bin/update-certdata"
diff --git a/core/ca-certificates/checksums b/core/ca-certificates/checksums
new file mode 100644
index 00000000..ec462a46
--- /dev/null
+++ b/core/ca-certificates/checksums
@@ -0,0 +1 @@
+556ce672b222179d5a3e0a3c5fcce3126571d3d321701b0017244a0c879e50a4 cert.sh
diff --git a/core/ca-certificates/files/cert.sh b/core/ca-certificates/files/cert.sh
new file mode 100755
index 00000000..8ab33928
--- /dev/null
+++ b/core/ca-certificates/files/cert.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -e
+#
+# update-certdata
+
+DEST="$CPT_ROOT/etc/certificates"
+
+[ -d "$DEST" ] || mkdir -p "$DEST"
+
+[ -w "$DEST" ] || {
+ printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
+ exit 1
+}
+
+wget https://curl.haxx.se/ca/cacert.pem -O "$DEST/cert.pem"
+printf '%s\n' "${0##*/}: updated cert.pem"
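Review bot: `wget ... -O "$DEST/cert.pem"` writes straight into the live trust store, so an interrupted or failed download can leave a truncated or empty `cert.pem`. The removed libressl script fetched `cacert.pem` first and only then ran `mv -f`. Download to a temporary name in the same directory and rename on success: `wget https://curl.haxx.se/ca/cacert.pem -O "$DEST/cert.pem.new"` followed by `mv -f "$DEST/cert.pem.new" "$DEST/cert.pem"`; under `sh -e` a wget failure then exits before the rename. The bundle is also accepted with no integrity check beyond the TLS session wget sets up itself, so comparing it against a pinned checksum or shipping a snapshot in the package is worth considering.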
diff --git a/core/ca-certificates/post-install b/core/ca-certificates/post-install
new file mode 100755
index 00000000..8ee4d0ea
--- /dev/null
+++ b/core/ca-certificates/post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/update-certdata
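Review bot: The hook calls the absolute host path `/usr/bin/update-certdata`, although the script it runs writes under `$CPT_ROOT/etc/certificates` and the removed libressl post-install used `"$CPT_ROOT/etc/ssl/update-certdata.sh"`. When `CPT_ROOT` points at another root, this runs whatever the host has at that path, or nothing, rather than the file this package just installed; `"$CPT_ROOT/usr/bin/update-certdata"` keeps the two consistent. A failed fetch here leaves no `cert.pem` at the path curl is configured with in this same commit, so the failure should be made visible to the user rather than depending on how the package manager treats the hook's exit status.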
diff --git a/core/ca-certificates/sources b/core/ca-certificates/sources
new file mode 100644
index 00000000..198fd03e
--- /dev/null
+++ b/core/ca-certificates/sources
@@ -0,0 +1 @@
+files/cert.sh
diff --git a/core/ca-certificates/version b/core/ca-certificates/version
new file mode 100644
index 00000000..82026115
--- /dev/null
+++ b/core/ca-certificates/version
@@ -0,0 +1 @@
+git 2
diff --git a/core/curl/build b/core/curl/build
index 2ef56a74..f27b1522 100755
--- a/core/curl/build
+++ b/core/curl/build
@@ -16,7 +16,9 @@
--without-libpsl \
--without-zstd \
--with-pic \
- --with-ssl
+ --with-bearssl \
+ --with-ca-bundle=/etc/certificates/cert.pem \
+ --without-ssl
make curl_LDFLAGS=-all-static
make DESTDIR="$1" install
diff --git a/core/curl/depends b/core/curl/depends
index 9ee911ae..cf6ff53d 100644
--- a/core/curl/depends
+++ b/core/curl/depends
@@ -1,2 +1,3 @@
-libressl
+bearssl
+ca-certificates
zlib
diff --git a/core/curl/version b/core/curl/version
index a59a9334..db87252d 100644
--- a/core/curl/version
+++ b/core/curl/version
@@ -1 +1 @@
-7.72.0 3
+7.72.0 2
diff --git a/core/git/depends b/core/git/depends
index 7a3c084e..0a37ab16 100644
--- a/core/git/depends
+++ b/core/git/depends
@@ -1,4 +1,4 @@
+bearssl make
curl make
-libressl make
pkgconf make
zlib make
diff --git a/core/git/version b/core/git/version
index 1ab3a66b..3e2a9c0a 100644
--- a/core/git/version
+++ b/core/git/version
@@ -1 +1 @@
-2.28.0 2
+2.28.0 3
diff --git a/core/libressl/build b/core/libressl/build
deleted file mode 100755
index 86ade623..00000000
--- a/core/libressl/build
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh -e
-
-./configure \
- --prefix=/usr \
- --sysconfdir=/etc
-
-make
-make DESTDIR="$1" install
-
-install -Dm 755 update-certdata.sh "$1/etc/ssl"
-
-# Link ca-certificates to cert.pem
-ln -sfv ../cert.pem "$1/etc/ssl/certs/ca-certificates.crt"
diff --git a/core/libressl/checksums b/core/libressl/checksums
deleted file mode 100644
index fe481445..00000000
--- a/core/libressl/checksums
+++ /dev/null
@@ -1,2 +0,0 @@
-d28db224cfb6d18009b2a7e8cb213cd5c943bbec87550062fef6a38479250315 libressl-3.2.1.tar.gz
-043d2c3d64ecfaa021dbd1e772e42bf261917ef9b8b5b2ea955efd64c0791f00 update-certdata.sh
diff --git a/core/libressl/files/update-certdata.sh b/core/libressl/files/update-certdata.sh
deleted file mode 100755
index 611f944d..00000000
--- a/core/libressl/files/update-certdata.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh -e
-#
-# update-certdata.sh
-
-[ -w "$CPT_ROOT/etc/ssl" ] || {
- printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
- exit 1
-}
-
-cd "$CPT_ROOT/etc/ssl" && {
- wget https://curl.haxx.se/ca/cacert.pem
- mv -f cacert.pem cert.pem
- printf '%s\n' "${0##*/}: updated cert.pem"
-}
diff --git a/core/libressl/post-install b/core/libressl/post-install
deleted file mode 100755
index f39088e7..00000000
--- a/core/libressl/post-install
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-"$CPT_ROOT/etc/ssl/update-certdata.sh"
diff --git a/core/libressl/sources b/core/libressl/sources
deleted file mode 100644
index 1dc98b16..00000000
--- a/core/libressl/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-https://fossies.org/linux/misc/libressl-3.2.1.tar.gz
-files/update-certdata.sh
diff --git a/core/libressl/version b/core/libressl/version
deleted file mode 100644
index b7c90c2c..00000000
--- a/core/libressl/version
+++ /dev/null
@@ -1 +0,0 @@
-3.2.1 1