authorMichael Forney <mforney@mforney.org>2022-02-18 02:32:44 -0800
committerMichael Forney <mforney@mforney.org>2022-02-18 02:58:00 -0800
commit2a1b8ab63fa49462529a7a86fc0e3b88e535dcaa (patch)
tree9de527f41f57284350120328ff01b3dfe3e9d4cb /pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch
parent131aab560632f3b8ce9fe1833050e6a31c9531fd (diff)
openbsd: Update to 7.0
Diffstat (limited to 'pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch')
-rw-r--r--pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch124
1 files changed, 60 insertions, 64 deletions
diff --git a/pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch b/pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch
index 40753483..3672dbda 100644
--- a/pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch
+++ b/pkg/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch
@@ -1,4 +1,4 @@
-From 7a7651831514493537b25975ab9c6866d15050d7 Mon Sep 17 00:00:00 2001
+From f2c85cb223c434e6cbfbe40af689a0d5e39edf87 Mon Sep 17 00:00:00 2001
From: Michael Forney <mforney@mforney.org>
Date: Fri, 23 Apr 2021 23:14:16 -0700
Subject: [PATCH] acme-client: Port to BearSSL
@@ -8,12 +8,12 @@ Subject: [PATCH] acme-client: Port to BearSSL
usr.sbin/acme-client/certproc.c | 5 -
usr.sbin/acme-client/key.c | 342 ++++++++++++++++++++++++------
usr.sbin/acme-client/key.h | 22 +-
- usr.sbin/acme-client/keyproc.c | 198 ++++++-----------
+ usr.sbin/acme-client/keyproc.c | 195 +++++------------
usr.sbin/acme-client/revokeproc.c | 280 ++++++++++--------------
- 6 files changed, 560 insertions(+), 592 deletions(-)
+ 6 files changed, 558 insertions(+), 591 deletions(-)
diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c
-index d01efa848d6..24a31ed19ad 100644
+index d16680235de..372159d0b45 100644
--- a/usr.sbin/acme-client/acctproc.c
+++ b/usr.sbin/acme-client/acctproc.c
@@ -18,72 +18,30 @@
@@ -116,9 +116,9 @@ index d01efa848d6..24a31ed19ad 100644
- warnx("BN_new");
- else if ((Y = BN_new()) == NULL)
- warnx("BN_new");
-- else if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec),
+- else if (!EC_POINT_get_affine_coordinates(EC_KEY_get0_group(ec),
- EC_KEY_get0_public_key(ec), X, Y, NULL))
-- warnx("EC_POINT_get_affine_coordinates_GFp");
+- warnx("EC_POINT_get_affine_coordinates");
- else if ((x = bn2string(X)) == NULL)
- warnx("bn2string");
- else if ((y = bn2string(Y)) == NULL)
@@ -262,9 +262,9 @@ index d01efa848d6..24a31ed19ad 100644
- warnx("BN_new");
- else if ((Y = BN_new()) == NULL)
- warnx("BN_new");
-- else if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec),
+- else if (!EC_POINT_get_affine_coordinates(EC_KEY_get0_group(ec),
- EC_KEY_get0_public_key(ec), X, Y, NULL))
-- warnx("EC_POINT_get_affine_coordinates_GFp");
+- warnx("EC_POINT_get_affine_coordinates");
- else if ((x = bn2string(X)) == NULL)
- warnx("bn2string");
- else if ((y = bn2string(Y)) == NULL)
@@ -982,7 +982,7 @@ index 272d36eb09a..12abdec813c 100644
#endif /* ! KEY_H */
diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
-index 157e4947667..93c758fdc56 100644
+index 5fba077b7e4..25e676e7829 100644
--- a/usr.sbin/acme-client/keyproc.c
+++ b/usr.sbin/acme-client/keyproc.c
@@ -18,55 +18,18 @@
@@ -1086,7 +1086,7 @@ index 157e4947667..93c758fdc56 100644
if (pledge("stdio", NULL) == -1) {
warn("pledge");
goto out;
-@@ -145,101 +108,64 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+@@ -145,99 +108,61 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
* Then set it as the X509 requester's key.
*/
@@ -1131,7 +1131,6 @@ index 157e4947667..93c758fdc56 100644
+ dn.rdn_len = 1;
+ req.subject.enc = x509cert_dn_encoder;
+ req.subject.val = &dn;
-+ req.alts_len = 0;
- /*
- * Now add the SAN extensions.
@@ -1142,68 +1141,65 @@ index 157e4947667..93c758fdc56 100644
- */
+ /* Now add the SAN extension. */
- if (altsz > 1) {
-- nid = NID_subject_alt_name;
-- if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
-- warnx("sk_X509_EXTENSION_new_null");
-+ req.alts_len = altsz;
-+ req.alts = calloc(altsz, sizeof(req.alts[0]));
-+ if (req.alts == NULL) {
-+ warn("calloc");
- goto out;
- }
-- /* Initialise to empty string. */
-- if ((sans = strdup("")) == NULL) {
-- warn("strdup");
-- goto out;
-- }
-- sansz = strlen(sans) + 1;
+- nid = NID_subject_alt_name;
+- if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
+- warnx("sk_X509_EXTENSION_new_null");
++ req.alts_len = altsz;
++ req.alts = calloc(altsz, sizeof(req.alts[0]));
++ if (req.alts == NULL) {
++ warn("calloc");
+ goto out;
+ }
+- /* Initialise to empty string. */
+- if ((sans = strdup("")) == NULL) {
+- warn("strdup");
+- goto out;
+- }
+- sansz = strlen(sans) + 1;
-- /*
-- * For each SAN entry, append it to the string.
-- * We need a single SAN entry for all of the SAN
-- * domains: NOT an entry per domain!
-- */
--
-- for (i = 1; i < altsz; i++) {
-- cc = asprintf(&san, "%sDNS:%s",
-- i > 1 ? "," : "", alts[i]);
-- if (cc == -1) {
-- warn("asprintf");
-- goto out;
-- }
-- pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
-- if (pp == NULL) {
-- warn("recallocarray");
-- goto out;
-- }
-- sans = pp;
-- sansz += strlen(san);
-- strlcat(sans, san, sansz);
-- free(san);
-- san = NULL;
-- }
-+ /* Add a dNSName SAN entry for each alternate name. */
+- /*
+- * For each SAN entry, append it to the string.
+- * We need a single SAN entry for all of the SAN
+- * domains: NOT an entry per domain!
+- */
++ /* Add a dNSName SAN entry for each alternate name. */
-- if (!add_ext(exts, nid, sans)) {
-- warnx("add_ext");
+ for (i = 0; i < altsz; i++) {
+- cc = asprintf(&san, "%sDNS:%s",
+- i ? "," : "", alts[i]);
+- if (cc == -1) {
+- warn("asprintf");
- goto out;
-- } else if (!X509_REQ_add_extensions(x, exts)) {
-- warnx("X509_REQ_add_extensions");
+- }
+- pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
+- if (pp == NULL) {
+- warn("recallocarray");
- goto out;
-+ for (i = 0; i < altsz; i++) {
-+ req.alts[i].tag = X509CERT_SAN_DNSNAME;
-+ req.alts[i].val = alts[i];
-+ req.alts[i].len = strlen(alts[i]);
- }
-- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+- }
+- sans = pp;
+- sansz += strlen(san);
+- strlcat(sans, san, sansz);
+- free(san);
+- san = NULL;
+- }
+-
+- if (!add_ext(exts, nid, sans)) {
+- warnx("add_ext");
+- goto out;
+- } else if (!X509_REQ_add_extensions(x, exts)) {
+- warnx("X509_REQ_add_extensions");
+- goto out;
- }
+- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
-
- /* Sign the X509 request using SHA256. */
-
- if (!X509_REQ_sign(x, pkey, EVP_sha256())) {
- warnx("X509_sign");
- goto out;
++ req.alts[i].tag = X509CERT_SAN_DNSNAME;
++ req.alts[i].val = alts[i];
++ req.alts[i].len = strlen(alts[i]);
}
- /* Now, serialise to DER, then base64. */
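Review bot: In the refreshed keyproc.c hunk, `req.alts = calloc(altsz, sizeof(req.alts[0]))` now runs for every value of altsz, because the `if (altsz > 1)` guard and the earlier `req.alts_len = 0;` default are both dropped; with a zero count, calloc's result is implementation-defined and a NULL return would be reported as `warn("calloc")`. Whether altsz can be 0 is not visible here; the old loop started at `i = 1`, which suggests alts[0] is always the primary domain, and if that is the invariant it should be stated next to the allocation, e.g. `/* altsz >= 1: alts[0] is the primary domain and is now also emitted as a dNSName */`. `req.alts_len` is also assigned before the NULL check, so after a failed calloc the request holds a non-zero length with a NULL array; assigning the length after the check (`req.alts_len = altsz;` moved below the `if`) keeps the two fields consistent for anything on the `out:` path that reads them. keyproc() begins and ends outside this hunk, so whether `req.alts` is released at `out:` cannot be confirmed from the lines shown.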
@@ -1228,7 +1224,7 @@ index 157e4947667..93c758fdc56 100644
goto out;
} else if ((der64 = base64buf_url(der, len)) == NULL) {
warnx("base64buf_url");
-@@ -264,12 +190,8 @@ out:
+@@ -262,12 +187,8 @@ out:
fclose(f);
free(der);
free(der64);
@@ -1615,5 +1611,5 @@ index 6b32205b31b..122dcda0620 100644
return rc;
}
--
-2.31.1
+2.34.1