aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorbrnrd <brnrd@FreeBSD.org>2017-03-26 18:40:48 +0800
committerKoop Mast <kwm@rainbow-runner.nl>2017-04-09 20:56:05 +0800
commit76aa61d0be8048ee620fc780545db2b91b5852f0 (patch)
treec88ab768b9f1f594332ac2f5ecf015f46b663571 /security
parentf4ccc74348b870b63725ab4f12b93d10fa2b928e (diff)
downloadfreebsd-ports-gnome-76aa61d0be8048ee620fc780545db2b91b5852f0.tar.gz
freebsd-ports-gnome-76aa61d0be8048ee620fc780545db2b91b5852f0.tar.zst
freebsd-ports-gnome-76aa61d0be8048ee620fc780545db2b91b5852f0.zip
security/certificate-transparency: Fix build issues with LibreSSL
- Fix OPENSSL_VERSION_NUMBER checks - Fix LibreSSL detection - Modify CMS disabling to BoringSSL and LibreSSL PR: 217013 Obtained from: https://github.com/google/certificate-transparency/pull/1364
Diffstat (limited to 'security')
-rw-r--r--security/certificate-transparency/files/patch-Makefile.am27
-rw-r--r--security/certificate-transparency/files/patch-configure.ac26
-rw-r--r--security/certificate-transparency/files/patch-cpp-client-ct.cc58
-rw-r--r--security/certificate-transparency/files/patch-cpp_client_ssl__client.cc11
-rw-r--r--security/certificate-transparency/files/patch-cpp_log_cert.cc20
5 files changed, 94 insertions, 48 deletions
diff --git a/security/certificate-transparency/files/patch-Makefile.am b/security/certificate-transparency/files/patch-Makefile.am
index aa2136fe60c8..7282675debe6 100644
--- a/security/certificate-transparency/files/patch-Makefile.am
+++ b/security/certificate-transparency/files/patch-Makefile.am
@@ -9,6 +9,15 @@
cpp/monitoring/prometheus/metrics.pb.cc \
cpp/monitoring/prometheus/metrics.pb.h \
proto/ct.pb.cc \
+@@ -112,7 +110,7 @@ TESTS = \
+ cpp/util/sync_task_test \
+ cpp/util/task_test
+
+-if !OPENSSL_IS_BORINGSSL
++if !OPENSSL_NO_CMS
+ TESTS += cpp/log/cms_verifier_test
+ endif
+
@@ -131,9 +129,6 @@ endif
cpp/gtest-all.cc: $(GTEST_DIR)/src/gtest-all.cc
$(AM_V_at)cp $^ $@
@@ -19,6 +28,15 @@
test/testdata/urlfetcher_test_certs/localhost-key.pem: test/create_url_fetcher_test_certs.sh
$(AM_V_GEN)test/create_url_fetcher_test_certs.sh
+@@ -217,7 +212,7 @@ cpp_libcore_a_SOURCES = \
+ proto/ct.pb.cc \
+ proto/ct.pb.h
+
+-if !OPENSSL_IS_BORINGSSL
++if !OPENSSL_NO_CMS
+ cpp_libcore_a_SOURCES += cpp/log/cms_verifier.cc
+ endif
+
@@ -226,8 +221,6 @@ cpp_libtest_a_CPPFLAGS = \
-I$(GTEST_DIR) \
$(AM_CPPFLAGS)
@@ -28,3 +46,12 @@
cpp/util/testing.cc
cpp_server_ct_mirror_LDADD = \
+@@ -907,7 +900,7 @@ cpp_log_cert_test_SOURCES = \
+ cpp/log/cert_test.cc \
+ cpp/util/util.cc
+
+-if !OPENSSL_IS_BORINGSSL
++if !OPENSSL_NO_CMS
+ cpp_log_cms_verifier_test_LDADD = \
+ cpp/libcore.a \
+ cpp/libtest.a \
diff --git a/security/certificate-transparency/files/patch-configure.ac b/security/certificate-transparency/files/patch-configure.ac
index 919648849ca5..80963aff929e 100644
--- a/security/certificate-transparency/files/patch-configure.ac
+++ b/security/certificate-transparency/files/patch-configure.ac
@@ -29,3 +29,29 @@
save_LIBS="$LIBS"
AS_UNSET([LIBS])
AC_SEARCH_LIBS([snappy_compress], [snappy],,, [$save_LIBS])
+@@ -146,6 +147,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#in
+ [AC_MSG_RESULT([yes]); openssl_is_boringssl=1],
+ [AC_MSG_RESULT([no])])
+
++AC_MSG_CHECKING([for LibreSSL])
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <openssl/opensslv.h>]],
++ [[
++ #ifndef LIBRESSL_VERSION_NUMBER
++ # error not LibreSSL
++ #endif
++ ]])
++ ],
++ [AC_MSG_RESULT([yes]); openssl_is_libressl=1],
++ [AC_MSG_RESULT([no])])
++
+ save_LIBS="$LIBS"
+ AS_UNSET([LIBS])
+ AC_SEARCH_LIBS([event_base_dispatch], [event],, [missing_libevent=1],
+@@ -212,6 +224,7 @@ AM_CONDITIONAL([HAVE_ANT], [test -n "$AN
+ AM_CONDITIONAL([HAVE_LDNS], [test -z "$missing_ldns"])
+ AM_CONDITIONAL([HAVE_OBJECTHASH], [test -z "$missing_objecthash"])
+ AM_CONDITIONAL([OPENSSL_IS_BORINGSSL], [test -n "$openssl_is_boringssl"])
++AM_CONDITIONAL([OPENSSL_NO_CMS], [test -z "$openssl_is_boringssl" -o -z "$openssl_is_boringssl"])
+ AC_DEFINE_UNQUOTED([TEST_SRCDIR], ["$srcdir"], [Top of the source directory, for tests.])
+ AC_SUBST([INSTALL_DIR])
+ AC_CONFIG_FILES([Makefile])
diff --git a/security/certificate-transparency/files/patch-cpp-client-ct.cc b/security/certificate-transparency/files/patch-cpp-client-ct.cc
index cf02f5cc3c18..4721a2a6a9e7 100644
--- a/security/certificate-transparency/files/patch-cpp-client-ct.cc
+++ b/security/certificate-transparency/files/patch-cpp-client-ct.cc
@@ -1,49 +1,11 @@
---- cpp/client/ct.cc.orig 2016-10-14 17:11:57 UTC
+--- cpp/client/ct.cc.orig 2017-02-11 20:58:57 UTC
+++ cpp/client/ct.cc
-@@ -451,8 +451,8 @@ static void MakeCert() {
- // (This means the relevant section should be last in the configuration.)
- // 1.2.3.1=DER:[raw encoding of proof]
- static void WriteProofToConfig() {
-- CHECK(!FLAGS_sct_token.empty()) << google::ProgramUsage();
-- CHECK(!FLAGS_extensions_config_out.empty()) << google::ProgramUsage();
-+ CHECK(!FLAGS_sct_token.empty()) << gflags::ProgramUsage();
-+ CHECK(!FLAGS_extensions_config_out.empty()) << gflags::ProgramUsage();
-
- string sct;
-
-@@ -479,8 +479,8 @@ static const char kPEMLabel[] = "SERVERI
- // Wrap the proof in the format expected by the TLS extension,
- // so that we can feed it to OpenSSL.
- static void ProofToExtensionData() {
-- CHECK(!FLAGS_sct_token.empty()) << google::ProgramUsage();
-- CHECK(!FLAGS_tls_extension_data_out.empty()) << google::ProgramUsage();
-+ CHECK(!FLAGS_sct_token.empty()) << gflags::ProgramUsage();
-+ CHECK(!FLAGS_tls_extension_data_out.empty()) << gflags::ProgramUsage();
-
- string serialized_sct;
- PCHECK(util::ReadBinaryFile(FLAGS_sct_token, &serialized_sct))
-@@ -939,13 +939,13 @@ int GetSTH() {
- // Exit code upon abnormal exit (CHECK failures): != 0
- // (on UNIX, 134 is expected)
- int main(int argc, char** argv) {
-- google::SetUsageMessage(argv[0] + string(kUsage));
-+ gflags::SetUsageMessage(argv[0] + string(kUsage));
- util::InitCT(&argc, &argv);
- ConfigureSerializerForV1CT();
-
- const string main_command(argv[0]);
- if (argc < 2) {
-- std::cout << google::ProgramUsage();
-+ std::cout << gflags::ProgramUsage();
- return 1;
- }
-
-@@ -983,7 +983,7 @@ int main(int argc, char** argv) {
- } else if (cmd == "sth") {
- ret = GetSTH();
- } else {
-- std::cout << google::ProgramUsage();
-+ std::cout << gflags::ProgramUsage();
- ret = 1;
- }
-
+@@ -530,7 +530,7 @@ static void ProofToExtensionData() {
+ << " for writing:" << strerror(errno);
+
+ // Work around broken PEM_write() declaration in older OpenSSL versions.
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ PEM_write(out, const_cast<char*>(kPEMLabel), const_cast<char*>(""),
+ const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(
+ extension_data_out.str().data())),
diff --git a/security/certificate-transparency/files/patch-cpp_client_ssl__client.cc b/security/certificate-transparency/files/patch-cpp_client_ssl__client.cc
new file mode 100644
index 000000000000..9ef3de8a5ad3
--- /dev/null
+++ b/security/certificate-transparency/files/patch-cpp_client_ssl__client.cc
@@ -0,0 +1,11 @@
+--- cpp/client/ssl_client.cc.orig 2016-10-14 17:11:57 UTC
++++ cpp/client/ssl_client.cc
+@@ -88,7 +88,7 @@ SSLClient::SSLClient(const string& serve
+
+ SSL_CTX_set_cert_verify_callback(ctx_.get(), &VerifyCallback, &verify_args_);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_add_client_custom_ext(ctx_.get(), CT_EXTENSION_TYPE, NULL, NULL,
+ NULL, ExtensionCallback, &verify_args_);
+ #else
diff --git a/security/certificate-transparency/files/patch-cpp_log_cert.cc b/security/certificate-transparency/files/patch-cpp_log_cert.cc
new file mode 100644
index 000000000000..6629927547c1
--- /dev/null
+++ b/security/certificate-transparency/files/patch-cpp_log_cert.cc
@@ -0,0 +1,20 @@
+--- cpp/log/cert.cc.orig 2016-10-14 17:11:57 UTC
++++ cpp/log/cert.cc
+@@ -31,7 +31,7 @@ using util::StatusOr;
+ using util::error::Code;
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(OPENSSL_IS_BORINGSSL)
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+ // Backport from 1.0.2-beta3.
+ static int i2d_re_X509_tbs(X509* x, unsigned char** pp) {
+ x->cert_info->enc.modified = 1;
+@@ -39,7 +39,7 @@ static int i2d_re_X509_tbs(X509* x, unsi
+ }
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ static int X509_get_signature_nid(const X509* x) {
+ return OBJ_obj2nid(x->sig_alg->algorithm);
+ }