From 2f8b78b8310d887673ce52bb6b8455a11c1ddede Mon Sep 17 00:00:00 2001 From: Nathan Owens Date: Mon, 7 Jan 2019 20:22:46 -0600 Subject: [PATCH] bro: update to 2.6.1 --- common/shlibs | 3 + srcpkgs/bro/patches/libressl.patch | 176 +++++++++++++++++++++++++++++ srcpkgs/bro/template | 8 +- 3 files changed, 183 insertions(+), 4 deletions(-) create mode 100644 srcpkgs/bro/patches/libressl.patch diff --git a/common/shlibs b/common/shlibs index 76488f92f4..f65408ee18 100644 --- a/common/shlibs +++ b/common/shlibs @@ -3377,3 +3377,6 @@ libtexpdf.so.0 libtexpdf-0.9.5_1 libupstart.so.1 libupstart-1.13.3_1 librtas.so.2 librtas-2.0.2_1 librtasevent.so.2 librtas-2.0.2_1 +libbroker.so.0 bro-2.6.1_1 +libcaf_core.so.0.16.2 bro-2.6.1_1 +libcaf_openssl.so.0.16.2 bro-2.6.1_1 diff --git a/srcpkgs/bro/patches/libressl.patch b/srcpkgs/bro/patches/libressl.patch new file mode 100644 index 0000000000..3130862906 --- /dev/null +++ b/srcpkgs/bro/patches/libressl.patch @@ -0,0 +1,176 @@ +From fc43d06955a255bce4162b459be4a6a3a11a178d Mon Sep 17 00:00:00 2001 +From: Jon Siwek +Date: Mon, 7 Jan 2019 11:35:17 -0600 +Subject: [PATCH] GH-227: Improve LibreSSL support + +--- + src/file_analysis/analyzer/x509/OCSP.cc | 16 ++++++++-------- + src/file_analysis/analyzer/x509/X509.cc | 2 +- + src/file_analysis/analyzer/x509/X509.h | 11 ++++++++--- + src/file_analysis/analyzer/x509/functions.bif | 6 +++--- + 4 files changed, 20 insertions(+), 15 deletions(-) + +diff --git src/file_analysis/analyzer/x509/OCSP.cc src/file_analysis/analyzer/x509/OCSP.cc +index bea88fc747..537d194906 100644 +--- src/file_analysis/analyzer/x509/OCSP.cc ++++ src/file_analysis/analyzer/x509/OCSP.cc +@@ -44,7 +44,7 @@ static Val* get_ocsp_type(RecordVal* args, const char* name) + + static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) + { +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + ASN1_OCTET_STRING* key = nullptr; + X509_NAME* name = nullptr; + +@@ -423,7 +423,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) + + uint64 version = 0; + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + if ( req->tbsRequest->version ) + version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version); + #else +@@ -495,7 +495,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + if ( !basic_resp ) + goto clean_up; + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + resp_data = basic_resp->tbsResponseData; + if ( !resp_data ) + goto clean_up; +@@ -506,7 +506,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + vl->append(resp_val->Ref()); + vl->append(status_val); + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + #else + vl->append(parse_basic_resp_data_version(basic_resp)); +@@ -526,7 +526,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + } + + // producedAt +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + produced_at = resp_data->producedAt; + #else + produced_at = OCSP_resp_get0_produced_at(basic_resp); +@@ -551,7 +551,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + // cert id + const OCSP_CERTID* cert_id = nullptr; + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + cert_id = single_resp->certId; + #else + cert_id = OCSP_SINGLERESP_get0_id(single_resp); +@@ -618,7 +618,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + } + } + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); +@@ -635,7 +635,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + vl->append(certs_vector); + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + certs = basic_resp->certs; + #else + certs = OCSP_resp_get0_certs(basic_resp); +diff --git src/file_analysis/analyzer/x509/X509.cc src/file_analysis/analyzer/x509/X509.cc +index 7571915207..600b3adb52 100644 +--- src/file_analysis/analyzer/x509/X509.cc ++++ src/file_analysis/analyzer/x509/X509.cc +@@ -290,7 +290,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) + continue; + } + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + const char* name = (const char*) ASN1_STRING_data(gen->d.ia5); + #else + const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5); +diff --git src/file_analysis/analyzer/x509/X509.h src/file_analysis/analyzer/x509/X509.h +index b808b676fe..91a5a7a5a1 100644 +--- src/file_analysis/analyzer/x509/X509.h ++++ src/file_analysis/analyzer/x509/X509.h +@@ -8,24 +8,27 @@ + #include "Val.h" + #include "X509Common.h" + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) ++#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) || defined(LIBRESSL_VERSION_NUMBER) + + #define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) + + #endif + +-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || LIBRESSL_VERSION_NUMBER) ++#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL ) || defined(LIBRESSL_VERSION_NUMBER) + + #define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) + #define X509_OBJECT_free(a) free(a) + +-#define OCSP_SINGLERESP_get0_id(s) (s)->certId + #define OCSP_resp_get0_certs(x) (x)->certs + + #define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) + #define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) + #define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) + ++#if !defined(LIBRESSL_VERSION_NUMBER) || ( LIBRESSL_VERSION_NUMBER < 0x2070000fL ) ++ ++#define OCSP_SINGLERESP_get0_id(s) (s)->certId ++ + static X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) + { + if ( a == nullptr || a->type != X509_LU_X509 ) +@@ -57,6 +60,8 @@ static void RSA_get0_key(const RSA *r, + + #endif + ++#endif ++ + namespace file_analysis { + + class X509Val; +diff --git src/file_analysis/analyzer/x509/functions.bif src/file_analysis/analyzer/x509/functions.bif +index 0b18feb8fe..ec87a495b3 100644 +--- src/file_analysis/analyzer/x509/functions.bif ++++ src/file_analysis/analyzer/x509/functions.bif +@@ -115,7 +115,7 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, + const ASN1_OCTET_STRING* key = nullptr; + const X509_NAME* name = nullptr; + +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; + + if ( resp_id->type == V_OCSP_RESPID_NAME ) +@@ -348,7 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c + + // Because we actually want to be able to give nice error messages that show why we were + // not able to verify the OCSP response - do our own verification logic first. +-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) ++#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) + signer = x509_get_ocsp_signer(basic->certs, basic); + #else + signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); +@@ -714,7 +714,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa + uint32 cert_length; + if ( precert ) + { +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) ++#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) || defined(LIBRESSL_VERSION_NUMBER) + x->cert_info->enc.modified = 1; + cert_length = i2d_X509_CINF(x->cert_info, &cert_out); + #else diff --git a/srcpkgs/bro/template b/srcpkgs/bro/template index cc228ed973..a5a20a1495 100644 --- a/srcpkgs/bro/template +++ b/srcpkgs/bro/template @@ -1,9 +1,8 @@ # Template file for 'bro' pkgname=bro -version=2.5.5 -revision=2 +version=2.6.1 +revision=1 build_style=cmake -nocross="Needs to build part of itself to run, can't be built separately yet." hostmakedepends="flex pkg-config python3" makedepends="bind-devel geoip-devel libpcap-devel libressl-devel jemalloc-devel" short_desc="Advanced framework for network traffic analysis" @@ -11,7 +10,8 @@ maintainer="Andrew Benson " license="BSD-3-Clause" homepage="https://www.bro.org" distfiles="https://www.bro.org/downloads/bro-${version}.tar.gz" -checksum=18f2aeb10b4d935d85c115a1e4a93464b9750be19b34997cf6196b29118e73cf +checksum=d9718b83fdae0c76eea5254a4b9470304c4d1d3778687de9a4fe0b5dffea521b +nocross="Needs to build part of itself to run, can't be built separately yet." case "$XBPS_TARGET_MACHINE" in *-musl)