Initial commit
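--- /dev/null
+++ b/package/libs/ustream-ssl/Makefile
@@ -0,0 +1,72 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ustream-ssl
+PKG_RELEASE:=2
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git
+PKG_SOURCE_DATE:=2018-07-30
+PKG_SOURCE_VERSION:=23a3f2830341acd1db149175baf7315a33bd0edb
+PKG_MIRROR_HASH:=289bef5dac684015b6a40cfd72cf1c8c297bb77cf2efd54e562b628ba3afd83d
+CMAKE_INSTALL:=1
+
+PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
+
+PKG_LICENSE:=ISC
+PKG_LICENSE_FILES:=
+
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libustream/default
+SECTION:=libs
+CATEGORY:=Libraries
+TITLE:=ustream SSL Library
+DEPENDS:=+libubox
+ABI_VERSION:=$(PKG_VERSION)
+endef
+
+define Package/libustream-openssl
+$(Package/libustream/default)
+TITLE += (openssl)
+DEPENDS += +PACKAGE_libustream-openssl:libopenssl
+VARIANT:=openssl
+endef
+
+define Package/libustream-wolfssl
+$(Package/libustream/default)
+TITLE += (wolfssl)
+DEPENDS += +PACKAGE_libustream-wolfssl:libwolfssl
+VARIANT:=wolfssl
+endef
+
+define Package/libustream-mbedtls
+$(Package/libustream/default)
+TITLE += (mbedtls)
+DEPENDS += +libmbedtls
+VARIANT:=mbedtls
+DEFAULT_VARIANT:=1
+endef
+
+ifeq ($(BUILD_VARIANT),wolfssl)
+TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/cyassl -DHAVE_SNI
+CMAKE_OPTIONS += -DCYASSL=on
+endif
+ifeq ($(BUILD_VARIANT),mbedtls)
+CMAKE_OPTIONS += -DMBEDTLS=on
+endif
+
+define Package/libustream/default/install
+$(INSTALL_DIR) $(1)/lib/
+$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libustream-ssl.so $(1)/lib/
+endef
+
+Package/libustream-openssl/install = $(Package/libustream/default/install)
+Package/libustream-wolfssl/install = $(Package/libustream/default/install)
+Package/libustream-mbedtls/install = $(Package/libustream/default/install)
+
+$(eval $(call BuildPackage,libustream-mbedtls))
+$(eval $(call BuildPackage,libustream-wolfssl))
+$(eval $(call BuildPackage,libustream-openssl))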
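Review bot: `PKG_LICENSE_FILES:=` is left empty right after `PKG_LICENSE:=ISC`, so the package declares a license without pointing at the file that proves it, which leaves the license metadata incomplete for anyone auditing what ships on the image. If the pinned upstream tree carries a license or README file with the ISC text, name it here; if it does not, drop the empty assignment rather than keeping a variable that asserts nothing. The wolfssl branch also sets `-DHAVE_SNI` and the legacy `cyassl` include path by hand while mbedtls only passes `-DMBEDTLS=on`; a one-line comment above the `ifeq ($(BUILD_VARIANT),wolfssl)` block such as `# wolfssl ships its headers under the cyassl compatibility path and does not define HAVE_SNI itself` would save the next maintainer from "cleaning up" flags that are presumably needed for SNI to work on that variant.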
@@ -0,0 +1,56 @@
|
||||
From c9b6668215a27f2346d5eedd6f29cc720985b448 Mon Sep 17 00:00:00 2001
|
||||
From: Jo-Philipp Wich <jo@mein.io>
|
||||
Date: Wed, 11 Sep 2019 21:09:59 +0200
|
||||
Subject: [PATCH] ustream-ssl: skip writing pending data if .eof is true after
|
||||
connect
|
||||
|
||||
Check the .eof member of the underlying ustream after the call to
|
||||
__ustream_ssl_connect() since existing users of the library appear
|
||||
to set the eof flag as a way to signal connection termination upon
|
||||
failing certificate verification.
|
||||
|
||||
This is a stop-gap measure to address TALOS-2019-0893 but a proper
|
||||
API redesign is required to give applications proper control over
|
||||
whether certificate failures are to be ignored or not and the default
|
||||
implementation without custom callbacks should always terminate on
|
||||
verification failures.
|
||||
|
||||
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
||||
---
|
||||
ustream-ssl.c | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/ustream-ssl.c b/ustream-ssl.c
|
||||
index e6b084b..47f66d6 100644
|
||||
--- a/ustream-ssl.c
|
||||
+++ b/ustream-ssl.c
|
||||
@@ -40,6 +40,26 @@ static void ustream_ssl_check_conn(struct ustream_ssl *us)
|
||||
return;
|
||||
|
||||
if (__ustream_ssl_connect(us) == U_SSL_OK) {
|
||||
+
|
||||
+ /* __ustream_ssl_connect() will also return U_SSL_OK when certificate
|
||||
+ * verification failed!
|
||||
+ *
|
||||
+ * Applications may register a custom .notify_verify_error callback in the
|
||||
+ * struct ustream_ssl which is called upon verification failures, but there
|
||||
+ * is no straight forward way for the callback to terminate the connection
|
||||
+ * initiation right away, e.g. through a true or false return value.
|
||||
+ *
|
||||
+ * Instead, existing implementations appear to set .eof field of the underlying
|
||||
+ * ustream in the hope that this inhibits further operations on the stream.
|
||||
+ *
|
||||
+ * Declare this informal behaviour "official" and check for the state of the
|
||||
+ * .eof member after __ustream_ssl_connect() returned, and do not write the
|
||||
+ * pending data if it is set to true.
|
||||
+ */
|
||||
+
|
||||
+ if (us->stream.eof)
|
||||
+ return;
|
||||
+
|
||||
us->connected = true;
|
||||
if (us->notify_connected)
|
||||
us->notify_connected(us);
|
||||
--
|
||||
2.20.1
|
||||
|
||||
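Review bot: The added `if (us->stream.eof) return;` makes the connection outcome depend entirely on the application having set `.eof` from its `.notify_verify_error` callback: when that happens the function silently returns with `us->connected` still false, without notifying the application that the handshake was abandoned, and when no callback is registered the verification failure is still accepted, exactly as before the patch. The commit message already names the second gap as a stop-gap, so the point worth raising is the first: the early return should go through the library's error notification rather than returning silently, presumably `us->notify_error` (confirm its signature against ustream-ssl.h before wiring it in), so that a caller which relied on eof alone still learns that the stream is dead. The large comment block could also be cut to the two sentences that matter, e.g. `/* __ustream_ssl_connect() returns U_SSL_OK even when certificate verification failed; callers signal a failed verification by setting .eof on the underlying ustream, so honour that before announcing the connection. */`. `ustream_ssl_check_conn` starts before and continues past this hunk, and the name of the patch file this hunk belongs to is not visible in this section.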