Switch open62541 crypto library from Mbed TLS to LibreSSL. Use

newer OpenSSL API that LibreSSL also provides. Use X509_check_issued instead of missing API until LibreSSL developers implement a more compatible solution. OK tb@
2022-11-30 18:01:22 +00:00 · 2022-11-30 18:01:22 +00:00 · 744abf77d8
parent 9d17f4c8fc
commit 744abf77d8
4 changed files with 49 additions and 6 deletions
--- a/misc/open62541/Makefile
+++ b/misc/open62541/Makefile
@ -1,10 +1,11 @@
 COMMENT =	library implementation of OPC UA

 VERSION =	1.3.4
+REVISION =	0
 DISTNAME =	open62541-${VERSION}
 PKGNAME =	open62541-${VERSION}

-SHARED_LIBS =	open62541	2.1
+SHARED_LIBS =	open62541	3.0

 CATEGORIES =	misc

@ -15,7 +16,7 @@ MAINTAINER =		Alexander Bluhm <bluhm@openbsd.org>
 # Mozilla Public License v2.0
 PERMIT_PACKAGE =	Yes

-WANTLIB =		c m mbedcrypto mbedtls mbedx509 pthread
+WANTLIB =		c crypto m pthread ssl tls

 MASTER_SITES =		https://github.com/open62541/open62541/
 MASTER_SITES0 =		https://github.com/OPCFoundation/UA-Nodeset/archive/
@ -32,13 +33,11 @@ BUILD_DEPENDS =		devel/check \
 			print/texlive/texmf,-full \
 			textproc/py-sphinx,python3 \
 			textproc/py-sphinx_rtd_theme,python3
-# needed to build with encryption
-LIB_DEPENDS =		security/polarssl

 CONFIGURE_ARGS =	-DCMAKE_BUILD_TYPE=RelWithDebInfo \
 			-DOPEN62541_VERSION=v${VERSION} \
 			-DBUILD_SHARED_LIBS=ON \
-			-DUA_ENABLE_ENCRYPTION=ON \
+			-DUA_ENABLE_ENCRYPTION=LIBRESSL \
 			-DUA_ENABLE_AMALGAMATION=OFF \
 			-DUA_PACK_DEBIAN=ON \
 			-DUA_BUILD_TOOLS=ON \
--- a/misc/open62541/patches/patch-plugins_crypto_openssl_ua_openssl_version_abstraction_h
+++ b/misc/open62541/patches/patch-plugins_crypto_openssl_ua_openssl_version_abstraction_h
@ -0,0 +1,21 @@
+Index: plugins/crypto/openssl/ua_openssl_version_abstraction.h
+--- plugins/crypto/openssl/ua_openssl_version_abstraction.h.orig
+++ plugins/crypto/openssl/ua_openssl_version_abstraction.h
+@@ -17,15 +17,11 @@
+ #error "OPENSSL_VERSION_NUMBER is not defined."
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define X509_STORE_CTX_set0_trusted_stack(STORE_CTX, CTX_SKTRUSTED) X509_STORE_CTX_trusted_stack(STORE_CTX, CTX_SKTRUSTED)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
+-#define X509_STORE_CTX_get_check_issued(STORE_CTX) STORE_CTX->check_issued
+-#endif
+-
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+ #define get_pkey_rsa(evp) ((evp)->pkey.rsa)
+ #else
+ #define get_pkey_rsa(evp) EVP_PKEY_get0_RSA(evp)
--- a/misc/open62541/patches/patch-plugins_crypto_openssl_ua_pki_openssl_c
+++ b/misc/open62541/patches/patch-plugins_crypto_openssl_ua_pki_openssl_c
@ -0,0 +1,24 @@
+Replace X509_STORE_CTX_get_check_issued with X509_check_issued.
+https://github.com/libressl-portable/portable/issues/748
+
+Index: plugins/crypto/openssl/ua_pki_openssl.c
+--- plugins/crypto/openssl/ua_pki_openssl.c.orig
+++ plugins/crypto/openssl/ua_pki_openssl.c
+@@ -485,7 +485,7 @@ UA_CertificateVerification_Verify (void *             
+     /* Set flag to check if the certificate has an invalid signature */
+     X509_STORE_CTX_set_flags (storeCtx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+ 
+-    if (X509_STORE_CTX_get_check_issued(storeCtx) (storeCtx,certificateX509, certificateX509) != 1) {
+    if (X509_check_issued (certificateX509, certificateX509) != X509_V_OK) {
+         X509_STORE_CTX_set_flags (storeCtx, X509_V_FLAG_CRL_CHECK);
+     }
+ 
+@@ -505,7 +505,7 @@ UA_CertificateVerification_Verify (void *             
+         /* Check if the not trusted certificate has a CRL file. If there is no CRL file available for the corresponding
+          * parent certificate then return status code UA_STATUSCODE_BADCERTIFICATEISSUERREVOCATIONUNKNOWN. Refer the test
+          * case CTT/Security/Security Certificate Validation/002.js */
+-        if (X509_STORE_CTX_get_check_issued (storeCtx) (storeCtx,certificateX509, certificateX509) != 1) {
+        if (X509_check_issued (certificateX509, certificateX509) != X509_V_OK) {
+             /* Free X509_STORE_CTX and reuse it for certification verification */
+             if (storeCtx != NULL) {
+                X509_STORE_CTX_free(storeCtx);
--- a/misc/open62541/pkg/PLIST
+++ b/misc/open62541/pkg/PLIST
@ -40,7 +40,6 @@ include/open62541/util.h
@comment include/ziptree.h
 lib/cmake/
 lib/cmake/open62541/
-lib/cmake/open62541/FindMbedTLS.cmake
 lib/cmake/open62541/open62541Config.cmake
 lib/cmake/open62541/open62541ConfigVersion.cmake
 lib/cmake/open62541/open62541Macros.cmake