Commit: ec12a84c5374a56a0b4011f7c26ffc40298b0b27
Parent: 5a44e942acde1b141a75aaceb8b249ef34402bee
Author: Michael Forney
Date: Tue, 14 Apr 2026 23:42:58 -0700
libtls-bearssl: Update to latest git
Diffstat:
5 files changed, 34 insertions(+), 77 deletions(-)
diff --git a/pkg/libtls-bearssl/gen.lua b/pkg/libtls-bearssl/gen.lua
@@ -1,9 +1,10 @@
-cflags({
+cflags{
'-std=c11', '-Wall', '-Wpedantic',
'-D _DEFAULT_SOURCE',
+ '-D LIBRESSL_INTERNAL',
'-I $srcdir',
'-isystem $builddir/pkg/bearssl/include',
-})
+}
pkg.hdrs = copy('$outdir/include', '$srcdir', {'tls.h'})
pkg.deps = {
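Review bot: The added `'-D LIBRESSL_INTERNAL'` entry in the cflags list carries no comment saying which part of the updated sources needs it. A define like this presumably changes which declarations or code paths get compiled, so without a note a later update cannot tell whether it is still required or can be dropped. A one-line comment above it would record that, for example `-- required by the updated libtls-bearssl sources; name the header or file that tests it`. The `pkg.deps` table that starts on the hunk's last line continues outside the hunk.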
diff --git a/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-flag-to-force-CertificateRequest.patch b/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-flag-to-force-CertificateRequest.patch
@@ -0,0 +1,30 @@
+From 430580cf1df1fe85f7401ebf3e0005b9f72bfac7 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 13 May 2021 22:17:56 -0700
+Subject: [PATCH] Use patched bearssl flag to force CertificateRequest
+
+---
+ tls_server.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/tls_server.c b/tls_server.c
+index 87bf4f4..f03d326 100644
+--- a/tls_server.c
++++ b/tls_server.c
+@@ -332,12 +332,7 @@ tls_accept_common(struct tls *ctx)
+ if (tls_configure_x509(conn_ctx) != 0)
+ goto err;
+
+- if (ctx->config->ca_len == 0) {
+- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+- "cannot verify client without trust anchors");
+- goto err;
+- }
+-
++ flags |= BR_OPT_REQUEST_CLIENT_CERT;
+ br_ssl_server_set_trust_anchor_names_alt(&conn_ctx->conn->u.server,
+ ctx->config->ca, ctx->config->ca_len);
+
+--
+2.49.0
+
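Review bot: Nothing in this patch file documents why it is safe to drop the `ca_len == 0` guard in tls_accept_common. With the guard gone, a server that asks for client verification with no trust anchors no longer fails at this point. It sets `BR_OPT_REQUEST_CLIENT_CERT` and calls `br_ssl_server_set_trust_anchor_names_alt` with an empty list instead. Whether a presented client certificate is still rejected then depends on the X.509 engine installed by `tls_configure_x509` and on the patched BearSSL flag, neither of which is visible here, and the embedded commit message has no body. I would add a comment above the new line, such as `/* request a client cert even with no CA names; validation is still enforced by the engine set in tls_configure_x509() */`, once that has been confirmed for the mandatory-verification case. The enclosing condition and the rest of tls_accept_common lie outside the hunk.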
diff --git a/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch b/pkg/libtls-bearssl/patch/0001-Use-patched-bearssl-method-to-retrieve-validity-peri.patch
@@ -1,45 +0,0 @@
-From 7701b90a015c4e4c2b6af6e8b53315dce1f6c780 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Sun, 29 Mar 2020 13:07:39 -0700
-Subject: [PATCH] Use patched bearssl method to retrieve validity period
-
----
- tls_conninfo.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/tls_conninfo.c b/tls_conninfo.c
-index ccce70d..1e9b57e 100644
---- a/tls_conninfo.c
-+++ b/tls_conninfo.c
-@@ -162,10 +162,24 @@ static int
- tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
- time_t *notafter)
- {
-- /* XXX: BearSSL has no way to get certificate notBefore and
-- * notAfter */
-- *notbefore = -1;
-- *notafter = -1;
-+ br_x509_decoder_context xc;
-+ uint32_t notbefore_days, notbefore_seconds;
-+ uint32_t notafter_days, notafter_seconds;
-+ int err;
-+
-+ br_x509_decoder_init(&xc, NULL, NULL);
-+ br_x509_decoder_push(&xc, ctx->peer_chain[0].data, ctx->peer_chain[0].data_len);
-+
-+ if ((err = br_x509_decoder_last_error(&xc)) != 0) {
-+ tls_set_errorx(ctx, "%s", bearssl_strerror(err));
-+ return (-1);
-+ }
-+
-+ br_x509_decoder_get_notbefore(&xc, ¬before_days, ¬before_seconds);
-+ br_x509_decoder_get_notafter(&xc, ¬after_days, ¬after_seconds);
-+
-+ *notbefore = 86400LL * (notbefore_days - 719528) + notbefore_seconds;
-+ *notafter = 86400LL * (notafter_days - 719528) + notafter_seconds;
-
- return (0);
- }
---
-2.31.1
-
diff --git a/pkg/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch b/pkg/libtls-bearssl/patch/0002-Use-patched-bearssl-flag-to-force-CertificateRequest.patch
@@ -1,29 +0,0 @@
-From ce2e99a74f9216fa5783a6bc943c228788fd469c Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Thu, 13 May 2021 22:17:56 -0700
-Subject: [PATCH] Use patched bearssl flag to force CertificateRequest
-
----
- tls_server.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/tls_server.c b/tls_server.c
-index 2436036..7f578b8 100644
---- a/tls_server.c
-+++ b/tls_server.c
-@@ -339,11 +339,7 @@ tls_accept_common(struct tls *ctx)
- if (tls_configure_x509(conn_ctx) != 0)
- goto err;
-
-- if (ctx->config->ca_len == 0) {
-- tls_set_errorx(ctx, "cannot verify client without trust anchors");
-- goto err;
-- }
--
-+ flags |= BR_OPT_REQUEST_CLIENT_CERT;
- br_ssl_server_set_trust_anchor_names_alt(&conn_ctx->conn->u.server,
- ctx->config->ca, ctx->config->ca_len);
-
---
-2.31.1
-
diff --git a/pkg/libtls-bearssl/ver b/pkg/libtls-bearssl/ver
@@ -1 +1 @@
-0.5 r3
+0.5-147-g0d2b6e2aa5