authorCem Keylan <cem@ckyln.com>2020-09-16 01:04:44 +0300
committerCem Keylan <cem@ckyln.com>2020-09-16 01:04:44 +0300
commitaf3e24bee26eb0cbbab683c2f37a3f49bf1338ee (patch)
treea5b8dbeab4441f033cca5cf8d48f4ebf7bebb89f /extra
parent50e2b1c8a75f78920991761b61fc59d23b6f910a (diff)
downloadrepository-af3e24bee26eb0cbbab683c2f37a3f49bf1338ee.tar.gz
meta: revert to using bearssl by default
Diffstat (limited to 'extra')
-rwxr-xr-xextra/bearssl/build29
-rw-r--r--extra/bearssl/checksums3
-rw-r--r--extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch25
-rw-r--r--extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch60
-rw-r--r--extra/bearssl/sources3
-rw-r--r--extra/bearssl/version1
-rwxr-xr-xextra/libressl/build13
-rw-r--r--extra/libressl/checksums2
-rwxr-xr-xextra/libressl/files/update-certdata.sh14
-rwxr-xr-xextra/libressl/post-install3
-rw-r--r--extra/libressl/sources2
-rw-r--r--extra/libressl/version1
12 files changed, 35 insertions, 121 deletions
diff --git a/extra/bearssl/build b/extra/bearssl/build
deleted file mode 100755
index 21bbd789..00000000
--- a/extra/bearssl/build
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh -e
-
-for patch in *.patch; do
- patch -p1 < "$patch"
-done
-
-kinstall() {
- mkdir -p "${3%/*}"; cp "$2" "$3"
- chmod "$1" "$3"
-}
-
-make
-
-# Build static binary for bearssl, word splitting on CFLAGS is intentional.
-# shellcheck disable=2086
-"${CC:-cc}" \
- -static $CFLAGS \
- -I ./inc \
- -include tools/brssl.h \
- tools/*.c \
- build/libbearssl.a \
- -o brssl
-
-
-kinstall 755 brssl "$1/usr/bin/brssl"
-kinstall 644 build/libbearssl.a "$1/usr/lib/libbearssl.a"
-kinstall 755 build/libbearssl.so "$1/usr/lib/libbearssl.so"
-
-mv inc "$1/usr/include"
diff --git a/extra/bearssl/checksums b/extra/bearssl/checksums
deleted file mode 100644
index cd6661bf..00000000
--- a/extra/bearssl/checksums
+++ /dev/null
@@ -1,3 +0,0 @@
-6705bba1714961b41a728dfc5debbe348d2966c117649392f8c8139efc83ff14 bearssl-0.6.tar.gz
-ad783bbbbb58bbdad66af299c5a0ea5389474a7d7256391673fe94e88f11fbef 0001-Add-missing-return-in-client-single-EC-choose-functi.patch
-414fd90fc27353ae3ca2478b68891715088de8b6cf6b81927ed8337df63f47e4 0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch b/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
deleted file mode 100644
index 421bbc7f..00000000
--- a/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a5c3ea02385205858128e414873a0150cd8bceda Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Fri, 31 Jan 2020 15:11:32 -0800
-Subject: [PATCH] Add missing return in client single EC choose function
-
-Otherwise, static ECDH is never selected.
----
- src/ssl/ssl_ccert_single_ec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/ssl/ssl_ccert_single_ec.c b/src/ssl/ssl_ccert_single_ec.c
-index 93ebcde..2e1e54f 100644
---- a/src/ssl/ssl_ccert_single_ec.c
-+++ b/src/ssl/ssl_ccert_single_ec.c
-@@ -69,6 +69,7 @@ cc_choose(const br_ssl_client_certificate_class **pctx,
- choices->hash_id = -1;
- choices->chain = zc->chain;
- choices->chain_len = zc->chain_len;
-+ return;
- }
- }
-
---
-2.25.0
-
diff --git a/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch b/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
deleted file mode 100644
index 8377da4d..00000000
--- a/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 31fdee5b9d8fc63c850222768dcd097e43da0116 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Thu, 26 Mar 2020 14:17:19 -0700
-Subject: [PATCH] Add functions to retrieve certificate validity period from
- br_x509_decoder.
-
----
- inc/bearssl_x509.h | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/inc/bearssl_x509.h b/inc/bearssl_x509.h
-index 49d2fba..9d43e15 100644
---- a/inc/bearssl_x509.h
-+++ b/inc/bearssl_x509.h
-@@ -1045,6 +1045,42 @@ br_x509_decoder_last_error(br_x509_decoder_context *ctx)
- return 0;
- }
-
-+/**
-+ * \brief Get the time when the certificate becomes valid.
-+ *
-+ * The time is represented the same as in `br_x509_minimal_set_time()`.
-+ * These values should not be read before decoding completed successfully.
-+ *
-+ * \param ctx X.509 decoder context.
-+ * \param days receives the days since January 1st, 0 AD.
-+ * \param seconds receives the seconds since midnight (0 to 86400).
-+ */
-+static inline void
-+br_x509_decoder_get_notbefore(br_x509_decoder_context *ctx,
-+ uint32_t *days, uint32_t *seconds)
-+{
-+ *days = ctx->notbefore_days;
-+ *seconds = ctx->notbefore_seconds;
-+}
-+
-+/**
-+ * \brief Get the time when the certificate is no longer valid.
-+ *
-+ * The time is represented the same as in `br_x509_minimal_set_time()`.
-+ * These values should not be read before decoding completed successfully.
-+ *
-+ * \param ctx X.509 decoder context.
-+ * \param days receives the days since January 1st, 0 AD.
-+ * \param seconds receives the seconds since midnight (0 to 86400).
-+ */
-+static inline void
-+br_x509_decoder_get_notafter(br_x509_decoder_context *ctx,
-+ uint32_t *days, uint32_t *seconds)
-+{
-+ *days = ctx->notafter_days;
-+ *seconds = ctx->notafter_seconds;
-+}
-+
- /**
- * \brief Get the "isCA" flag from an X.509 decoder context.
- *
---
-2.26.0
-
diff --git a/extra/bearssl/sources b/extra/bearssl/sources
deleted file mode 100644
index 3d637087..00000000
--- a/extra/bearssl/sources
+++ /dev/null
@@ -1,3 +0,0 @@
-https://bearssl.org/bearssl-0.6.tar.gz
-patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
-patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/extra/bearssl/version b/extra/bearssl/version
deleted file mode 100644
index 28c26d58..00000000
--- a/extra/bearssl/version
+++ /dev/null
@@ -1 +0,0 @@
-0.6 2
diff --git a/extra/libressl/build b/extra/libressl/build
new file mode 100755
index 00000000..86ade623
--- /dev/null
+++ b/extra/libressl/build
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc
+
+make
+make DESTDIR="$1" install
+
+install -Dm 755 update-certdata.sh "$1/etc/ssl"
+
+# Link ca-certificates to cert.pem
+ln -sfv ../cert.pem "$1/etc/ssl/certs/ca-certificates.crt"
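Review bot: `install -Dm 755 update-certdata.sh "$1/etc/ssl"` names a directory as its destination, so it only works because `make DESTDIR="$1" install` has presumably already created `etc/ssl`; if that directory were ever missing, `-D` would install the script as a plain file called `ssl`. Spelling out the target, `install -Dm 755 update-certdata.sh "$1/etc/ssl/update-certdata.sh"`, removes that dependency and matches the path that `post-install` executes. The `ln -sfv` line likewise assumes `etc/ssl/certs` exists; a `mkdir -p "$1/etc/ssl/certs"` before it would make that explicit.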
diff --git a/extra/libressl/checksums b/extra/libressl/checksums
new file mode 100644
index 00000000..fe481445
--- /dev/null
+++ b/extra/libressl/checksums
@@ -0,0 +1,2 @@
+d28db224cfb6d18009b2a7e8cb213cd5c943bbec87550062fef6a38479250315 libressl-3.2.1.tar.gz
+043d2c3d64ecfaa021dbd1e772e42bf261917ef9b8b5b2ea955efd64c0791f00 update-certdata.sh
diff --git a/extra/libressl/files/update-certdata.sh b/extra/libressl/files/update-certdata.sh
new file mode 100755
index 00000000..611f944d
--- /dev/null
+++ b/extra/libressl/files/update-certdata.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -e
+#
+# update-certdata.sh
+
+[ -w "$CPT_ROOT/etc/ssl" ] || {
+ printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
+ exit 1
+}
+
+cd "$CPT_ROOT/etc/ssl" && {
+ wget https://curl.haxx.se/ca/cacert.pem
+ mv -f cacert.pem cert.pem
+ printf '%s\n' "${0##*/}: updated cert.pem"
+}
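Review bot: The downloaded bundle replaces `cert.pem` with no check on what was received: `wget` writes to the fixed name `cacert.pem` and `mv -f` installs it whatever its contents, and this CA bundle is the one input of the package that the `checksums` file does not pin. With a wget that does not overwrite an existing output file (GNU wget saves to `cacert.pem.1` instead), a `cacert.pem` left over from an interrupted run would be the file that gets installed. Whether the HTTPS certificate is verified at all depends on which wget the system provides, which is worth confirming because `post-install` runs this script at install time. I would download to a temporary name with `-O`, refuse an empty or non-PEM result, and only then move it into place.

```sh
cd "$CPT_ROOT/etc/ssl" && {
    # Fixed temporary name: a stale cacert.pem can never be picked up by mistake.
    wget -O cacert.pem.new https://curl.haxx.se/ca/cacert.pem
    # Keep the current trust store if the response is empty or not a PEM bundle.
    grep -q 'BEGIN CERTIFICATE' cacert.pem.new || {
        rm -f cacert.pem.new
        printf '%s\n' "${0##*/}: downloaded bundle looks invalid, keeping cert.pem" >&2
        exit 1
    }
    mv -f cacert.pem.new cert.pem
    # … unchanged: success message …
```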
diff --git a/extra/libressl/post-install b/extra/libressl/post-install
new file mode 100755
index 00000000..f39088e7
--- /dev/null
+++ b/extra/libressl/post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+"$CPT_ROOT/etc/ssl/update-certdata.sh"
diff --git a/extra/libressl/sources b/extra/libressl/sources
new file mode 100644
index 00000000..1dc98b16
--- /dev/null
+++ b/extra/libressl/sources
@@ -0,0 +1,2 @@
+https://fossies.org/linux/misc/libressl-3.2.1.tar.gz
+files/update-certdata.sh
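Review bot: The release tarball is fetched from `fossies.org`, a third-party archive, rather than from the LibreSSL project's own distribution site. The sha256 in `checksums` pins the content, so the mirror cannot change it unnoticed, but nothing on this page shows that the hash was compared with the upstream signed release. A line in the commit message stating where the hash was verified would make that auditable.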
diff --git a/extra/libressl/version b/extra/libressl/version
new file mode 100644
index 00000000..b7c90c2c
--- /dev/null
+++ b/extra/libressl/version
@@ -0,0 +1 @@
+3.2.1 1