From af3e24bee26eb0cbbab683c2f37a3f49bf1338ee Mon Sep 17 00:00:00 2001 
From: Cem Keylan Date: Wed, 16 Sep 2020 01:04:44 +0300 Subject: meta: revert to using bearssl by default --- core/bearssl/build | 29 +++++++++++ core/bearssl/checksums | 3 ++ ...-return-in-client-single-EC-choose-functi.patch | 25 +++++++++ ...ns-to-retrieve-certificate-validity-perio.patch | 60 ++++++++++++++++++++++ core/bearssl/sources | 3 ++ core/bearssl/version | 1 + core/ca-certificates/build | 3 ++ core/ca-certificates/checksums | 1 + core/ca-certificates/files/cert.sh | 15 ++++++ core/ca-certificates/post-install | 3 ++ core/ca-certificates/sources | 1 + core/ca-certificates/version | 1 + core/curl/build | 4 +- core/curl/depends | 3 +- core/curl/version | 2 +- core/git/depends | 2 +- core/git/version | 2 +- core/libressl/build | 13 ----- core/libressl/checksums | 2 - core/libressl/files/update-certdata.sh | 14 ----- core/libressl/post-install | 3 -- core/libressl/sources | 2 - core/libressl/version | 1 - extra/bearssl/build | 29 ----------- extra/bearssl/checksums | 3 -- ...-return-in-client-single-EC-choose-functi.patch | 25 --------- ...ns-to-retrieve-certificate-validity-perio.patch | 60 ---------------------- extra/bearssl/sources | 3 -- extra/bearssl/version | 1 - extra/libressl/build | 13 +++++ extra/libressl/checksums | 2 + extra/libressl/files/update-certdata.sh | 14 +++++ extra/libressl/post-install | 3 ++ extra/libressl/sources | 2 + extra/libressl/version | 1 + 35 files changed, 188 insertions(+), 161 deletions(-) create mode 100755 core/bearssl/build create mode 100644 core/bearssl/checksums create mode 100644 core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch create mode 100644 core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch create mode 100644 core/bearssl/sources create mode 100644 core/bearssl/version create mode 100755 core/ca-certificates/build create mode 100644 core/ca-certificates/checksums create mode 100755 core/ca-certificates/files/cert.sh create mode 100755 
core/ca-certificates/post-install create mode 100644 core/ca-certificates/sources create mode 100644 core/ca-certificates/version delete mode 100755 core/libressl/build delete mode 100644 core/libressl/checksums delete mode 100755 core/libressl/files/update-certdata.sh delete mode 100755 core/libressl/post-install delete mode 100644 core/libressl/sources delete mode 100644 core/libressl/version delete mode 100755 extra/bearssl/build delete mode 100644 extra/bearssl/checksums delete mode 100644 extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch delete mode 100644 extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch delete mode 100644 extra/bearssl/sources delete mode 100644 extra/bearssl/version create mode 100755 extra/libressl/build create mode 100644 extra/libressl/checksums create mode 100755 extra/libressl/files/update-certdata.sh create mode 100755 extra/libressl/post-install create mode 100644 extra/libressl/sources create mode 100644 extra/libressl/version
diff --git a/core/bearssl/build b/core/bearssl/build
new file mode 100755
index 00000000..21bbd789
--- /dev/null
+++ b/core/bearssl/build
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+for patch in *.patch; do
+ patch -p1 < "$patch"
+done
+
+kinstall() {
+ mkdir -p "${3%/*}"; cp "$2" "$3"
+ chmod "$1" "$3"
+}
+
+make
+
+# Build static binary for bearssl, word splitting on CFLAGS is intentional.
+# shellcheck disable=2086
+"${CC:-cc}" \
+ -static $CFLAGS \
+ -I ./inc \
+ -include tools/brssl.h \
+ tools/*.c \
+ build/libbearssl.a \
+ -o brssl
+
+
+kinstall 755 brssl "$1/usr/bin/brssl"
+kinstall 644 build/libbearssl.a "$1/usr/lib/libbearssl.a"
+kinstall 755 build/libbearssl.so "$1/usr/lib/libbearssl.so"
+
+mv inc "$1/usr/include"
diff --git a/core/bearssl/checksums b/core/bearssl/checksums
new file mode 100644
index 00000000..cd6661bf
--- /dev/null
+++ b/core/bearssl/checksums
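Review bot: The static `brssl` link passes `$CFLAGS` but never `$LDFLAGS`, so any linker hardening the build environment sets (relro, stack-protector runtime, etc.) is silently dropped for this binary; the link line should read `-static $CFLAGS $LDFLAGS \`. The bare `make` before it also forwards nothing, and as far as I recall BearSSL's conf/Unix.mk assigns its own CFLAGS, which would mean libbearssl.a/.so are built without the environment's flags either — worth confirming and, if so, passing `make CFLAGS="$CFLAGS -fPIC"` or the equivalent. The `for patch in *.patch` loop relies on the sources file always listing at least one patch; with `sh -e` an unmatched glob would hand the literal `*.patch` to `patch` and abort the build, which is acceptable but deserves a one-line comment so nobody trims the patch list and is surprised.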
@@ -0,0 +1,3 @@
+6705bba1714961b41a728dfc5debbe348d2966c117649392f8c8139efc83ff14 bearssl-0.6.tar.gz
+ad783bbbbb58bbdad66af299c5a0ea5389474a7d7256391673fe94e88f11fbef 0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+414fd90fc27353ae3ca2478b68891715088de8b6cf6b81927ed8337df63f47e4 0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch b/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
new file mode 100644
index 00000000..421bbc7f
--- /dev/null
+++ b/core/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
@@ -0,0 +1,25 @@
+From a5c3ea02385205858128e414873a0150cd8bceda Mon Sep 17 00:00:00 2001
+From: Michael Forney
+Date: Fri, 31 Jan 2020 15:11:32 -0800
+Subject: [PATCH] Add missing return in client single EC choose function
+
+Otherwise, static ECDH is never selected.
+---
+ src/ssl/ssl_ccert_single_ec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/ssl/ssl_ccert_single_ec.c b/src/ssl/ssl_ccert_single_ec.c
+index 93ebcde..2e1e54f 100644
+--- a/src/ssl/ssl_ccert_single_ec.c
++++ b/src/ssl/ssl_ccert_single_ec.c
+@@ -69,6 +69,7 @@ cc_choose(const br_ssl_client_certificate_class **pctx,
+ choices->hash_id = -1;
+ choices->chain = zc->chain;
+ choices->chain_len = zc->chain_len;
++ return;
+ }
+ }
+
+--
+2.25.0
+
diff --git a/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch b/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
new file mode 100644
index 00000000..8377da4d
--- /dev/null
+++ b/core/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
@@ -0,0 +1,60 @@
+From 31fdee5b9d8fc63c850222768dcd097e43da0116 Mon Sep 17 00:00:00 2001
+From: Michael Forney
+Date: Thu, 26 Mar 2020 14:17:19 -0700
+Subject: [PATCH] Add functions to retrieve certificate validity period from
+ br_x509_decoder.
+
+---
+ inc/bearssl_x509.h | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/inc/bearssl_x509.h b/inc/bearssl_x509.h
+index 49d2fba..9d43e15 100644
+--- a/inc/bearssl_x509.h
++++ b/inc/bearssl_x509.h
+@@ -1045,6 +1045,42 @@ br_x509_decoder_last_error(br_x509_decoder_context *ctx)
+ return 0;
+ }
+
++/**
++ * \brief Get the time when the certificate becomes valid.
++ *
++ * The time is represented the same as in `br_x509_minimal_set_time()`.
++ * These values should not be read before decoding completed successfully.
++ *
++ * \param ctx X.509 decoder context.
++ * \param days receives the days since January 1st, 0 AD.
++ * \param seconds receives the seconds since midnight (0 to 86400).
++ */
++static inline void
++br_x509_decoder_get_notbefore(br_x509_decoder_context *ctx,
++ uint32_t *days, uint32_t *seconds)
++{
++ *days = ctx->notbefore_days;
++ *seconds = ctx->notbefore_seconds;
++}
++
++/**
++ * \brief Get the time when the certificate is no longer valid.
++ *
++ * The time is represented the same as in `br_x509_minimal_set_time()`.
++ * These values should not be read before decoding completed successfully.
++ *
++ * \param ctx X.509 decoder context.
++ * \param days receives the days since January 1st, 0 AD.
++ * \param seconds receives the seconds since midnight (0 to 86400).
++ */
++static inline void
++br_x509_decoder_get_notafter(br_x509_decoder_context *ctx,
++ uint32_t *days, uint32_t *seconds)
++{
++ *days = ctx->notafter_days;
++ *seconds = ctx->notafter_seconds;
++}
++
+ /**
+ * \brief Get the "isCA" flag from an X.509 decoder context.
+ *
+--
+2.26.0
+
diff --git a/core/bearssl/sources b/core/bearssl/sources
new file mode 100644
index 00000000..3d637087
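Review bot: The two new accessors copy `ctx->notbefore_*` and `ctx->notafter_*` out unconditionally, and the only guard against a caller reading them from a failed or incomplete decode is the sentence "These values should not be read before decoding completed successfully." A caller that uses these to decide whether a certificate is currently valid is making a security decision, so the comment should name the check rather than describe it: `Callers must confirm br_x509_decoder_last_error(ctx) == 0 before reading these; after a failed decode the fields are unspecified.` Whether BearSSL zeroes or leaves those fields stale on a decode error is not visible in this hunk, which is why the wording above hedges it. Since this is a local addition applied on top of the 0.6 tarball rather than part of a BearSSL release, a note in the patch header that it is carried downstream would help whoever rebases to the next upstream version.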
--- /dev/null
+++ b/core/bearssl/sources
@@ -0,0 +1,3 @@
+https://bearssl.org/bearssl-0.6.tar.gz
+patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/core/bearssl/version b/core/bearssl/version
new file mode 100644
index 00000000..28c26d58
--- /dev/null
+++ b/core/bearssl/version
@@ -0,0 +1 @@
+0.6 2
diff --git a/core/ca-certificates/build b/core/ca-certificates/build
new file mode 100755
index 00000000..0f8263d8
--- /dev/null
+++ b/core/ca-certificates/build
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+install -Dm755 cert.sh "$1/usr/bin/update-certdata"
diff --git a/core/ca-certificates/checksums b/core/ca-certificates/checksums
new file mode 100644
index 00000000..ec462a46
--- /dev/null
+++ b/core/ca-certificates/checksums
@@ -0,0 +1 @@
+556ce672b222179d5a3e0a3c5fcce3126571d3d321701b0017244a0c879e50a4 cert.sh
diff --git a/core/ca-certificates/files/cert.sh b/core/ca-certificates/files/cert.sh
new file mode 100755
index 00000000..8ab33928
--- /dev/null
+++ b/core/ca-certificates/files/cert.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -e
+#
+# update-certdata
+
+DEST="$CPT_ROOT/etc/certificates"
+
+[ -d "$DEST" ] || mkdir -p "$DEST"
+
+[ -w "$DEST" ] || {
+ printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
+ exit 1
+}
+
+wget https://curl.haxx.se/ca/cacert.pem -O "$DEST/cert.pem"
+printf '%s\n' "${0##*/}: updated cert.pem"
diff --git a/core/ca-certificates/post-install b/core/ca-certificates/post-install
new file mode 100755
index 00000000..8ee4d0ea
--- /dev/null
+++ b/core/ca-certificates/post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/update-certdata
diff --git a/core/ca-certificates/sources b/core/ca-certificates/sources
new file mode 100644
index 00000000..198fd03e
--- /dev/null
+++ b/core/ca-certificates/sources
@@ -0,0 +1 @@
+files/cert.sh
diff --git a/core/ca-certificates/version b/core/ca-certificates/version
new file mode 100644
index 00000000..82026115
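Review bot: `wget https://curl.haxx.se/ca/cacert.pem -O "$DEST/cert.pem"` truncates the existing bundle before the transfer has succeeded, so an interrupted or failed download leaves an empty or partial cert.pem and every TLS client reading it fails until the script is re-run; the libressl script this replaces downloaded to `cacert.pem` and then `mv -f`'d it into place, and that should be kept. The larger issue is that this fetch provisions the system's trust anchors and cannot itself be verified against them: on a first install `$DEST/cert.pem` does not exist yet, and whether the `wget` on the path checks the server certificate at all depends on which implementation and which trust store it finds, neither of which this script controls. Pinning the expected SHA-256 of cacert.pem in the package (it already carries a checksums file) or shipping the bundle as a checked source would close that gap; at minimum the download should go through a temp file as below.
```shell
tmp="$DEST/cert.pem.tmp"
trap 'rm -f "$tmp"' EXIT
wget https://curl.haxx.se/ca/cacert.pem -O "$tmp"
# … a pinned-digest check of "$tmp" belongs here before it is installed …
mv -f "$tmp" "$DEST/cert.pem"
printf '%s\n' "${0##*/}: updated cert.pem"
```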
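Review bot: `/usr/bin/update-certdata` is called by absolute host path rather than `"$CPT_ROOT/usr/bin/update-certdata"`, so when the package is installed into an alternate root the host's copy of the script runs (or the hook fails if the host has none) even though the script itself writes under `$CPT_ROOT`; the libressl hook this replaces used `"$CPT_ROOT/etc/ssl/update-certdata.sh"`, and the same prefix should be used here. The hook's exit status is just the fetch's exit status, and what the package manager does with a failing post-install is not visible in this diff; if it is ignored, a machine with no network at install time ends up with curl pointing at a bundle that does not exist. A line such as `/usr/bin/update-certdata || printf '%s\n' "ca-certificates: fetch failed, run update-certdata manually" >&2` makes that state visible to the user either way.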
--- /dev/null
+++ b/core/ca-certificates/version
@@ -0,0 +1 @@
+git 2
diff --git a/core/curl/build b/core/curl/build
index 2ef56a74..f27b1522 100755
--- a/core/curl/build
+++ b/core/curl/build
@@ -16,7 +16,9 @@
 --without-libpsl \
 --without-zstd \
 --with-pic \
- --with-ssl
+ --with-bearssl \
+ --with-ca-bundle=/etc/certificates/cert.pem \
+ --without-ssl

 make curl_LDFLAGS=-all-static
 make DESTDIR="$1" install
diff --git a/core/curl/depends b/core/curl/depends
index 9ee911ae..cf6ff53d 100644
--- a/core/curl/depends
+++ b/core/curl/depends
@@ -1,2 +1,3 @@
-libressl
+bearssl
+ca-certificates
 zlib
diff --git a/core/curl/version b/core/curl/version
index a59a9334..db87252d 100644
--- a/core/curl/version
+++ b/core/curl/version
@@ -1 +1 @@
-7.72.0 3
+7.72.0 2
diff --git a/core/git/depends b/core/git/depends
index 7a3c084e..0a37ab16 100644
--- a/core/git/depends
+++ b/core/git/depends
@@ -1,4 +1,4 @@
+bearssl make
 curl make
-libressl make
 pkgconf make
 zlib make
diff --git a/core/git/version b/core/git/version
index 1ab3a66b..3e2a9c0a 100644
--- a/core/git/version
+++ b/core/git/version
@@ -1 +1 @@
-2.28.0 2
+2.28.0 3
diff --git a/core/libressl/build b/core/libressl/build
deleted file mode 100755
index 86ade623..00000000
--- a/core/libressl/build
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh -e
-
-./configure \
- --prefix=/usr \
- --sysconfdir=/etc
-
-make
-make DESTDIR="$1" install
-
-install -Dm 755 update-certdata.sh "$1/etc/ssl"
-
-# Link ca-certificates to cert.pem
-ln -sfv ../cert.pem "$1/etc/ssl/certs/ca-certificates.crt"
diff --git a/core/libressl/checksums b/core/libressl/checksums
deleted file mode 100644
index fe481445..00000000
--- a/core/libressl/checksums
+++ /dev/null
@@ -1,2 +0,0 @@
-d28db224cfb6d18009b2a7e8cb213cd5c943bbec87550062fef6a38479250315 libressl-3.2.1.tar.gz
-043d2c3d64ecfaa021dbd1e772e42bf261917ef9b8b5b2ea955efd64c0791f00 update-certdata.sh
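Review bot: Switching the backend with `--with-bearssl` caps this curl at TLS 1.2, since BearSSL 0.6 implements no TLS 1.3; that is a reasonable trade for a small static build but it is a security-relevant property of the core HTTP client and deserves a comment next to the flag, e.g. `# BearSSL backend: TLS 1.2 at most, no TLS 1.3 until upstream adds it`. As far as I recall the BearSSL backend was still new in 7.72 and lacked several features of the OpenSSL-family backends (CRL files among them), so anything in core that relied on those should be rechecked rather than assumed to carry over. The hard-coded `--with-ca-bundle=/etc/certificates/cert.pem` is the only place the new ca-certificates layout is referenced by curl, so the two packages must change together; the `ca-certificates` entry added to depends covers that. Separately, the sibling core/curl/version hunk lowers the release from `7.72.0 3` to `7.72.0 2`; depending on how the package manager compares versions, a release number that goes backwards can leave hosts already on release 3 without the rebuilt package, so bumping to 4 would be safer than reverting.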
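Review bot: `libressl make` is removed and `bearssl make` added, but git's own Makefile links OpenSSL-compatible libraries for imap-send and its optional SHA implementations unless `NO_OPENSSL=1` is set, and core/git/build is not part of this diff; confirm it passes `NO_OPENSSL=1` (or equivalent), otherwise the build either fails or silently picks up whatever libressl is still on the host. BearSSL exposes no OpenSSL-compatible API, so the new entry presumably exists only because the static libcurl.a now needs libbearssl.a at link time; a one-line comment in the build file saying so would stop the next maintainer from "cleaning up" an apparently unused dependency.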
diff --git a/core/libressl/files/update-certdata.sh b/core/libressl/files/update-certdata.sh
deleted file mode 100755
index 611f944d..00000000
--- a/core/libressl/files/update-certdata.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh -e
-#
-# update-certdata.sh
-
-[ -w "$CPT_ROOT/etc/ssl" ] || {
- printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
- exit 1
-}
-
-cd "$CPT_ROOT/etc/ssl" && {
- wget https://curl.haxx.se/ca/cacert.pem
- mv -f cacert.pem cert.pem
- printf '%s\n' "${0##*/}: updated cert.pem"
-}
diff --git a/core/libressl/post-install b/core/libressl/post-install
deleted file mode 100755
index f39088e7..00000000
--- a/core/libressl/post-install
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-"$CPT_ROOT/etc/ssl/update-certdata.sh"
diff --git a/core/libressl/sources b/core/libressl/sources
deleted file mode 100644
index 1dc98b16..00000000
--- a/core/libressl/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-https://fossies.org/linux/misc/libressl-3.2.1.tar.gz
-files/update-certdata.sh
diff --git a/core/libressl/version b/core/libressl/version
deleted file mode 100644
index b7c90c2c..00000000
--- a/core/libressl/version
+++ /dev/null
@@ -1 +0,0 @@
-3.2.1 1
diff --git a/extra/bearssl/build b/extra/bearssl/build
deleted file mode 100755
index 21bbd789..00000000
--- a/extra/bearssl/build
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh -e
-
-for patch in *.patch; do
- patch -p1 < "$patch"
-done
-
-kinstall() {
- mkdir -p "${3%/*}"; cp "$2" "$3"
- chmod "$1" "$3"
-}
-
-make
-
-# Build static binary for bearssl, word splitting on CFLAGS is intentional.
-# shellcheck disable=2086
-"${CC:-cc}" \
- -static $CFLAGS \
- -I ./inc \
- -include tools/brssl.h \
- tools/*.c \
- build/libbearssl.a \
- -o brssl
-
-
-kinstall 755 brssl "$1/usr/bin/brssl"
-kinstall 644 build/libbearssl.a "$1/usr/lib/libbearssl.a"
-kinstall 755 build/libbearssl.so "$1/usr/lib/libbearssl.so"
-
-mv inc "$1/usr/include"
diff --git a/extra/bearssl/checksums b/extra/bearssl/checksums
deleted file mode 100644
index cd6661bf..00000000
--- a/extra/bearssl/checksums
+++ /dev/null
@@ -1,3 +0,0 @@
-6705bba1714961b41a728dfc5debbe348d2966c117649392f8c8139efc83ff14 bearssl-0.6.tar.gz
-ad783bbbbb58bbdad66af299c5a0ea5389474a7d7256391673fe94e88f11fbef 0001-Add-missing-return-in-client-single-EC-choose-functi.patch
-414fd90fc27353ae3ca2478b68891715088de8b6cf6b81927ed8337df63f47e4 0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch b/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
deleted file mode 100644
index 421bbc7f..00000000
--- a/extra/bearssl/patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a5c3ea02385205858128e414873a0150cd8bceda Mon Sep 17 00:00:00 2001
-From: Michael Forney
-Date: Fri, 31 Jan 2020 15:11:32 -0800
-Subject: [PATCH] Add missing return in client single EC choose function
-
-Otherwise, static ECDH is never selected.
---- 
- src/ssl/ssl_ccert_single_ec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/ssl/ssl_ccert_single_ec.c b/src/ssl/ssl_ccert_single_ec.c
-index 93ebcde..2e1e54f 100644
---- a/src/ssl/ssl_ccert_single_ec.c
-+++ b/src/ssl/ssl_ccert_single_ec.c
-@@ -69,6 +69,7 @@ cc_choose(const br_ssl_client_certificate_class **pctx,
- choices->hash_id = -1;
- choices->chain = zc->chain;
- choices->chain_len = zc->chain_len;
-+ return;
- }
- }
-
---
-2.25.0
-
diff --git a/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch b/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
deleted file mode 100644
index 8377da4d..00000000
--- a/extra/bearssl/patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 31fdee5b9d8fc63c850222768dcd097e43da0116 Mon Sep 17 00:00:00 2001
-From: Michael Forney
-Date: Thu, 26 Mar 2020 14:17:19 -0700
-Subject: [PATCH] Add functions to retrieve certificate validity period from
- br_x509_decoder.
-
----
- inc/bearssl_x509.h | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/inc/bearssl_x509.h b/inc/bearssl_x509.h
-index 49d2fba..9d43e15 100644
---- a/inc/bearssl_x509.h
-+++ b/inc/bearssl_x509.h
-@@ -1045,6 +1045,42 @@ br_x509_decoder_last_error(br_x509_decoder_context *ctx)
- return 0;
- }
-
-+/**
-+ * \brief Get the time when the certificate becomes valid.
-+ *
-+ * The time is represented the same as in `br_x509_minimal_set_time()`.
-+ * These values should not be read before decoding completed successfully.
-+ *
-+ * \param ctx X.509 decoder context.
-+ * \param days receives the days since January 1st, 0 AD.
-+ * \param seconds receives the seconds since midnight (0 to 86400).
-+ */
-+static inline void
-+br_x509_decoder_get_notbefore(br_x509_decoder_context *ctx,
-+ uint32_t *days, uint32_t *seconds)
-+{
-+ *days = ctx->notbefore_days;
-+ *seconds = ctx->notbefore_seconds;
-+}
-+
-+/**
-+ * \brief Get the time when the certificate is no longer valid.
-+ *
-+ * The time is represented the same as in `br_x509_minimal_set_time()`.
-+ * These values should not be read before decoding completed successfully.
-+ *
-+ * \param ctx X.509 decoder context.
-+ * \param days receives the days since January 1st, 0 AD.
-+ * \param seconds receives the seconds since midnight (0 to 86400).
-+ */
-+static inline void
-+br_x509_decoder_get_notafter(br_x509_decoder_context *ctx,
-+ uint32_t *days, uint32_t *seconds)
-+{
-+ *days = ctx->notafter_days;
-+ *seconds = ctx->notafter_seconds;
-+}
-+
- /**
- * \brief Get the "isCA" flag from an X.509 decoder context.
- *
---
-2.26.0
-
diff --git a/extra/bearssl/sources b/extra/bearssl/sources
deleted file mode 100644
index 3d637087..00000000
--- a/extra/bearssl/sources
+++ /dev/null
@@ -1,3 +0,0 @@
-https://bearssl.org/bearssl-0.6.tar.gz
-patches/0001-Add-missing-return-in-client-single-EC-choose-functi.patch
-patches/0002-Add-functions-to-retrieve-certificate-validity-perio.patch
diff --git a/extra/bearssl/version b/extra/bearssl/version
deleted file mode 100644
index 28c26d58..00000000
--- a/extra/bearssl/version
+++ /dev/null
@@ -1 +0,0 @@
-0.6 2
diff --git a/extra/libressl/build b/extra/libressl/build
new file mode 100755
index 00000000..86ade623
--- /dev/null
+++ b/extra/libressl/build
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc
+
+make
+make DESTDIR="$1" install
+
+install -Dm 755 update-certdata.sh "$1/etc/ssl"
+
+# Link ca-certificates to cert.pem
+ln -sfv ../cert.pem "$1/etc/ssl/certs/ca-certificates.crt"
diff --git a/extra/libressl/checksums b/extra/libressl/checksums
new file mode 100644
index 00000000..fe481445
--- /dev/null
+++ b/extra/libressl/checksums
@@ -0,0 +1,2 @@
+d28db224cfb6d18009b2a7e8cb213cd5c943bbec87550062fef6a38479250315 libressl-3.2.1.tar.gz
+043d2c3d64ecfaa021dbd1e772e42bf261917ef9b8b5b2ea955efd64c0791f00 update-certdata.sh
diff --git a/extra/libressl/files/update-certdata.sh b/extra/libressl/files/update-certdata.sh
new file mode 100755
index 00000000..611f944d
--- /dev/null
+++ b/extra/libressl/files/update-certdata.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -e
+#
+# update-certdata.sh
+
+[ -w "$CPT_ROOT/etc/ssl" ] || {
+ printf '%s\n' "${0##*/}: root required to update CA certificates." >&2
+ exit 1
+}
+
+cd "$CPT_ROOT/etc/ssl" && {
+ wget https://curl.haxx.se/ca/cacert.pem
+ mv -f cacert.pem cert.pem
+ printf '%s\n' "${0##*/}: updated cert.pem"
+}
diff --git a/extra/libressl/post-install b/extra/libressl/post-install
new file mode 100755
index 00000000..f39088e7
--- /dev/null
+++ b/extra/libressl/post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+"$CPT_ROOT/etc/ssl/update-certdata.sh"
diff --git a/extra/libressl/sources b/extra/libressl/sources
new file mode 100644
index 00000000..1dc98b16
--- /dev/null
+++ b/extra/libressl/sources
@@ -0,0 +1,2 @@
+https://fossies.org/linux/misc/libressl-3.2.1.tar.gz
+files/update-certdata.sh
diff --git a/extra/libressl/version b/extra/libressl/version
new file mode 100644
index 00000000..b7c90c2c
--- /dev/null
+++ b/extra/libressl/version
@@ -0,0 +1 @@
+3.2.1 1
--
cgit v1.2.3