linux-qubasis
linux oasis port as a qubes template
commit 5a8789a892902935ca3f181bc53a670a9e48ac60 parent a7e35a05b11e407bdaf53dfb4423e1076798b960 Author: Jul <jul@9o.is> Date: Thu, 27 Nov 2025 10:03:31 -0500 add libtls-bearssl Diffstat:
| M | .gitmodules | | | 4 | ++++ |
| M | pkg/gen.sh | | | 1 | + |
| A | pkg/libtls-bearssl/gen.sh | | | 29 | +++++++++++++++++++++++++++++ |
| A | pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch | | | 45 | +++++++++++++++++++++++++++++++++++++++++++++ |
| A | pkg/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch | | | 29 | +++++++++++++++++++++++++++++ |
5 files changed, 108 insertions(+), 0 deletions(-)
diff --git a/.gitmodules b/.gitmodules
@@ -38,6 +38,10 @@
 path = pkg/libpng/src
 url = https://github.com/glennrp/libpng
 ignore = all
+[submodule "libtls-bearssl"]
+ path = pkg/libtls-bearssl/src
+ url = https://git.sr.ht/~mcf/libtls-bearssl
+ ignore = all
 [submodule "netbsd-curses"]
 path = pkg/netbsd-curses/src
 url = https://github.com/oasislinux/netbsd-curses.git
diff --git a/pkg/gen.sh b/pkg/gen.sh
@@ -25,6 +25,7 @@
 pkg fzy
 pkg less
 pkg libpng
 pkg libtermkey
+pkg libtls-bearssl
 pkg linux-headers
 pkg lpeg
 pkg lua
diff --git a/pkg/libtls-bearssl/gen.sh b/pkg/libtls-bearssl/gen.sh
@@ -0,0 +1,29 @@
+git 28db202
+
+cflags "
+ -std=c11
+ -D_DEFAULT_SOURCE
+ -I$srcdir
+ -isystem $pkgdir/bearssl/include
+ -Wno-unused-parameter
+"
+
+dep bearssl/headers
+include tls.h
+
+lib libtls.a "
+ bearssl.c
+ tls.c
+ tls_bio_cb.c
+ tls_client.c
+ tls_config.c
+ tls_conninfo.c
+ tls_keypair.c
+ tls_ocsp.c
+ tls_peer.c
+ tls_server.c
+ tls_util.c
+ tls_verify.c
+ $pkgdir/bearssl/libbearssl.a
+ $pkgdir/openbsd/libbsd.a
+"
diff --git a/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch b/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch
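Review bot: The upstream pin in pkg/libtls-bearssl/gen.sh is the 7-hex-digit abbreviation `git 28db202`, which fixes only 28 bits of the commit id; anyone who can push to git.sr.ht/~mcf/libtls-bearssl can mint a commit with the same prefix in roughly 2^28 tries and either make the ref ambiguous or substitute content, so pin the full 40-character id if the `git` helper accepts it. The diffstat above lists no gitlink for pkg/libtls-bearssl/src, so unless that listing simply omits submodule entries this line is the only thing fixing the source revision. The two patches under pkg/libtls-bearssl/patch/ are not referenced in the recipe; presumably the build helper applies patch/*.patch on its own, but a comment such as `# needs the bearssl package built with the notbefore/notafter and BR_OPT_REQUEST_CLIENT_CERT patches` would record that this package only compiles against the patched bearssl in this tree, which `dep bearssl/headers` does not express.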
@@ -0,0 +1,45 @@
+From 7701b90a015c4e4c2b6af6e8b53315dce1f6c780 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sun, 29 Mar 2020 13:07:39 -0700
+Subject: [PATCH] Use patched bearssl method to retrieve validity period
+
+---
+ tls_conninfo.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/tls_conninfo.c b/tls_conninfo.c
+index ccce70d..1e9b57e 100644
+--- a/tls_conninfo.c
++++ b/tls_conninfo.c
+@@ -162,10 +162,24 @@ static int
+ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
+ time_t *notafter)
+ {
+- /* XXX: BearSSL has no way to get certificate notBefore and
+- * notAfter */
+- *notbefore = -1;
+- *notafter = -1;
++ br_x509_decoder_context xc;
++ uint32_t notbefore_days, notbefore_seconds;
++ uint32_t notafter_days, notafter_seconds;
++ int err;
++
++ br_x509_decoder_init(&xc, NULL, NULL);
++ br_x509_decoder_push(&xc, ctx->peer_chain[0].data, ctx->peer_chain[0].data_len);
++
++ if ((err = br_x509_decoder_last_error(&xc)) != 0) {
++ tls_set_errorx(ctx, "%s", bearssl_strerror(err));
++ return (-1);
++ }
++
++ br_x509_decoder_get_notbefore(&xc, ¬before_days, ¬before_seconds);
++ br_x509_decoder_get_notafter(&xc, ¬after_days, ¬after_seconds);
++
++ *notbefore = 86400LL * (notbefore_days - 719528) + notbefore_seconds;
++ *notafter = 86400LL * (notafter_days - 719528) + notafter_seconds;
+ 
+ return (0);
+ }
+--
+2.31.1
+
diff --git a/pkg/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch b/pkg/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch
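Review bot: The epoch conversion on the last two added lines subtracts 719528 from a `uint32_t` before widening, so a notBefore (or notAfter) earlier than 1970-01-01 wraps to a value near 2^32 and comes out as a large positive time instead of a negative one; widen first with `*notbefore = 86400LL * ((long long)notbefore_days - 719528) + notbefore_seconds;` and likewise for `*notafter`. The result is then stored into `time_t`, which on targets with a 32-bit time_t silently truncates far-future notAfter values; whether that matters depends on the callers of these accessors, which are outside this hunk. `ctx->peer_chain[0]` is read without a visible check that a peer chain exists; presumably the caller only reaches this function once a peer certificate has been received, but that guard is outside the hunk and worth confirming. The `¬before_days` / `¬after_days` arguments as shown on this page look like `&notbefore_days` / `&notafter_days` with the `&not` HTML entity decoded by the renderer, so the patch file itself should be checked to carry the `&`, since the line cannot compile otherwise.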
@@ -0,0 +1,29 @@
+From ce2e99a74f9216fa5783a6bc943c228788fd469c Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 13 May 2021 22:17:56 -0700
+Subject: [PATCH] Use patched bearssl flag to force CertificateRequest
+
+---
+ tls_server.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/tls_server.c b/tls_server.c
+index 2436036..7f578b8 100644
+--- a/tls_server.c
++++ b/tls_server.c
+@@ -339,11 +339,7 @@ tls_accept_common(struct tls *ctx)
+ if (tls_configure_x509(conn_ctx) != 0)
+ goto err;
+ 
+- if (ctx->config->ca_len == 0) {
+- tls_set_errorx(ctx, "cannot verify client without trust anchors");
+- goto err;
+- }
+-
++ flags |= BR_OPT_REQUEST_CLIENT_CERT;
+ br_ssl_server_set_trust_anchor_names_alt(&conn_ctx->conn->u.server,
+ ctx->config->ca, ctx->config->ca_len);
+ 
+--
+2.31.1
+
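Review bot: Dropping the `ca_len == 0` guard removes the only fail-closed check visible here for a server that verifies clients but has no trust anchors, and the new line gives no hint of why an empty anchor set is now acceptable; add a comment above it, e.g. `/* Force a CertificateRequest even with no trust anchors; the presented chain is still judged by the X.509 engine installed by tls_configure_x509(). */`, or keep the guard for the non-optional verify_client case if the engine does not reject in that situation. Whether a client certificate presented against zero anchors is actually rejected depends on what tls_configure_x509() installs, which is outside this hunk, so that needs confirming rather than assuming. `flags |= BR_OPT_REQUEST_CLIENT_CERT` only takes effect if `flags` is applied to the engine after this point; its declaration and the call that applies it are not in the hunk. Per the subject line `BR_OPT_REQUEST_CLIENT_CERT` comes from the patched bearssl, so tls_server.c now fails to build against unpatched BearSSL headers, which the patch should state. tls_accept_common() begins and ends outside the hunk.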