[WIP] Move to BearSSL

.travis.yml

@@ -18,7 +18,7 @@ env:
 
 install:
  - docker pull "$IMG"
- - docker run -v "$PWD":/tmp/build-dir -w "/tmp/build-dir" "$IMG" /bin/sh -c "xbps-install -Syu xbps && xbps-install -yu && xbps-install -y $DEPS make pkgconf kyua zlib-devel libarchive-devel atf-devel && CC=$CC ./configure --enable-tests && make -j$(nproc) && make check"
+ - docker run -v "$PWD":/tmp/build-dir -w "/tmp/build-dir" "$IMG" /bin/sh -c "xbps-install -Syu xbps && xbps-install -yu && xbps-install -y $DEPS make pkgconf kyua zlib-devel libarchive-devel atf-devel bearssl-devel && CC=$CC ./configure --enable-tests && make -j$(nproc) && make check"
 
 script:
  - echo BUILDS PASSED

bin/xbps-fetch/main.c

@@ -31,8 +31,6 @@
 #include <unistd.h>
 #include <getopt.h>
 
-#include <openssl/sha.h>
-
 #include <xbps.h>
 #include "../xbps-install/defs.h"
 
@@ -175,7 +173,7 @@ main(int argc, char **argv)
 			rv = 0;
 		}
 		if (shasum) {
-			print_digest(digest, SHA256_DIGEST_LENGTH);
+			print_digest(digest, XBPS_SHA256_DIGEST_SIZE);
 			printf("  %s\n", filename);
 		}
 	}

configure

@@ -700,6 +700,12 @@ else
 		>>$CONFIG_MK
 fi
 
+#
+# bearssl doesn't ship pkg-config files
+#
+echo "LDFLAGS += -lbearssl" >>$CONFIG_MK
+echo "STATIC_LIBS += -lbearssl -static" >>$CONFIG_MK
+
 #
 # libssl with pkg-config support is required.
 #

lib/download.c

@@ -42,7 +42,7 @@
 #include <sys/wait.h>
 #include <libgen.h>
 
-#include <openssl/sha.h>
+#include <bearssl.h>
 
 #include "xbps_api_impl.h"
 #include "fetch.h"
@@ -106,7 +106,7 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 	char fetch_flags[8];
 	int fd = -1, rv = 0;
 	bool refetch = false, restart = false;
-	SHA256_CTX sha256;
+	br_sha256_context sha256;
 
 	assert(xhp);
 	assert(uri);
@@ -117,7 +117,7 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 			errno = ENOBUFS;
 			return -1;
 		}
-		SHA256_Init(&sha256);
+		br_sha256_init(&sha256);
 	}
 
 	/* Extern vars declared in libfetch */
@@ -232,7 +232,7 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 	if (restart) {
 		if (digest) {
 			while ((bytes_read = read(fd, buf, sizeof(buf))) > 0) {
-				SHA256_Update(&sha256, buf, bytes_read);
+				br_sha256_update(&sha256, buf, bytes_read);
 			}
 			if (bytes_read == -1) {
 				xbps_dbg_printf(xhp, "IO error while reading %s: %s\n",
@@ -257,7 +257,7 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 	 */
 	while ((bytes_read = fetchIO_read(fio, buf, sizeof(buf))) > 0) {
 		if (digest)
-			SHA256_Update(&sha256, buf, bytes_read);
+			br_sha256_update(&sha256, buf, bytes_read);
 		bytes_written = write(fd, buf, (size_t)bytes_read);
 		if (bytes_written != bytes_read) {
 			xbps_dbg_printf(xhp,
@@ -319,7 +319,7 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 	rv = 1;
 
 	if (digest)
-		SHA256_Final(digest, &sha256);
+		br_sha256_out(&sha256, digest);
 
 fetch_file_out:
 	if (fio != NULL)

lib/repo.c

@@ -31,12 +31,6 @@
 #include <libgen.h>
 #include <fcntl.h>
 
-#include <openssl/err.h>
-#include <openssl/sha.h>
-#include <openssl/rsa.h>
-#include <openssl/ssl.h>
-#include <openssl/pem.h>
-
 #include "xbps_api_impl.h"
 
 /**

lib/util_hash.c

@@ -31,7 +31,7 @@
 #include <fcntl.h>
 #include <limits.h>
 
-#include <openssl/sha.h>
+#include <bearssl.h>
 
 #include "xbps_api_impl.h"
 
@@ -111,31 +111,31 @@ xbps_mmap_file(const char *file, void **mmf, size_t *mmflen, size_t *filelen)
 bool
 xbps_file_sha256_raw(unsigned char *dst, size_t dstlen, const char *file)
 {
-	int fd;
-	ssize_t len;
+	FILE *stream;
+	size_t len;
 	char buf[65536];
-	SHA256_CTX sha256;
+	br_sha256_context sha256;
 
 	assert(dstlen >= XBPS_SHA256_DIGEST_SIZE);
 	if (dstlen < XBPS_SHA256_DIGEST_SIZE) {
 		errno = ENOBUFS;
 		return false;
 	}
 
-	if ((fd = open(file, O_RDONLY)) < 0)
+	if ((stream = fopen(file, "rb")) == 0)
 		return false;
 
-	SHA256_Init(&sha256);
-
-	while ((len = read(fd, buf, sizeof(buf))) > 0)
-		SHA256_Update(&sha256, buf, len);
+	br_sha256_init(&sha256);
 
-	(void)close(fd);
+	while ((len = fread(buf, 1, sizeof(buf), stream)) > 0)
+		br_sha256_update(&sha256, buf, len);
 
-	if(len == -1)
+	if (ferror(stream))
 		return false;
 
-	SHA256_Final(dst, &sha256);
+	fclose(stream);
+
+	br_sha256_out(&sha256, dst);
 
 	return true;
 }

lib/verifysig.c

@@ -32,11 +32,10 @@
 #include <sys/stat.h>
 #include <sys/mman.h>
 
-#include <openssl/err.h>
-#include <openssl/sha.h>
 #include <openssl/rsa.h>
-#include <openssl/ssl.h>
 #include <openssl/pem.h>
+#include <openssl/bn.h>
+#include <bearssl.h>
 
 #include "xbps_api_impl.h"
 
@@ -45,30 +44,38 @@ rsa_verify_hash(struct xbps_repo *repo, xbps_data_t pubkey,
 		unsigned char *sig, unsigned int siglen,
 		unsigned char *sha256)
 {
+	int rv;
+	br_rsa_public_key pk;
+	br_rsa_pkcs1_vrfy vrfy;
+	// ssl
+	unsigned char e[3], n[512];
 	BIO *bio;
 	RSA *rsa;
-	int rv;
-
-	ERR_load_crypto_strings();
-	SSL_load_error_strings();
+	const BIGNUM *nrsa = NULL, *ersa = NULL, *drsa = NULL;
 
-	bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)),
-			xbps_data_size(pubkey));
-	assert(bio);
+	(void) repo;
 
+	bio = BIO_new_mem_buf(__UNCONST(xbps_data_data_nocopy(pubkey)), xbps_data_size(pubkey));
 	rsa = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
-	if (rsa == NULL) {
-		xbps_dbg_printf(repo->xhp, "`%s' error reading public key: %s\n",
-		    repo->uri, ERR_error_string(ERR_get_error(), NULL));
-		return false;
-	}
-
-	rv = RSA_verify(NID_sha1, sha256, SHA256_DIGEST_LENGTH, sig, siglen, rsa);
-	RSA_free(rsa);
-	BIO_free(bio);
-	ERR_free_strings();
-
-	return rv ? true : false;
+	RSA_get0_key(rsa, &nrsa, &ersa, &drsa);
+	printf("- n (size %d): ", BN_num_bytes(nrsa));
+	BN_print_fp(stdout, nrsa);
+	printf("\n- e (size %d): ", BN_num_bytes(ersa));
+	BN_print_fp(stdout, ersa);
+	puts("");
+	assert(BN_num_bytes(nrsa) == 512);
+	BN_bn2bin(nrsa, n);
+	BN_bn2bin(ersa, e);
+
+	pk.n = n;
+	pk.nlen = 512;
+	pk.e = e;
+	pk.elen = 3;
+
+	vrfy = br_rsa_pkcs1_vrfy_get_default();
+	rv = vrfy(sig, siglen, BR_HASH_OID_SHA1, 32, &pk, sha256);
+
+	return rv;
 }
 
 bool
@@ -91,7 +98,7 @@ xbps_verify_signature(struct xbps_repo *repo, const char *sigfile,
 	    xbps_dictionary_get(repo->idxmeta, "public-key"));
 	if (hexfp == NULL) {
 		xbps_dbg_printf(repo->xhp, "%s: incomplete signed repo, missing hexfp obj\n", repo->uri);
-		return false;
+		goto out;
 	}
 
 	/*
@@ -121,10 +128,8 @@ xbps_verify_signature(struct xbps_repo *repo, const char *sigfile,
 		val = true;
 
 out:
-	if (hexfp)
-		free(hexfp);
-	if (rkeyfile)
-		free(rkeyfile);
+	free(hexfp);
+	free(rkeyfile);
 	if (sig_buf)
 		(void)munmap(sig_buf, sigbuflen);
 	if (repokeyd)