build ttyd with client cert patch

client cert doesn't work as intended, so added a patch for that, and then
made it build during the build

in addition, fixed the bug in the client cert reading logic as well (actually
the alias isn't set in the p12, so we need to enumerate and get the first one).
BTW, this logic will be removed very soon, replaced by logic which generates
the key on the fly

Bug: 363235314
Test: run ttyd and check if client cert works well
Change-Id: I5d08f3d11cf4846677f19137e860236c42b9c9d8
diff --git a/build/debian/ttyd/client_cert.patch b/build/debian/ttyd/client_cert.patch
new file mode 100644
index 0000000..93b8aed
--- /dev/null
+++ b/build/debian/ttyd/client_cert.patch
@@ -0,0 +1,41 @@
+diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c
+index efd7fc8b..ca5ebc15 100644
+--- a/lib/tls/mbedtls/mbedtls-server.c
++++ b/lib/tls/mbedtls/mbedtls-server.c
+@@ -39,7 +39,7 @@ lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
+ 	}
+ 
+ 	if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+-		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
++		verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ 
+ 	lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
+ 		    verify_options);
+diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+index 3879e977..e47d4c13 100755
+--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
++++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+@@ -255,9 +255,9 @@ static int ssl_pm_reload_crt(SSL *ssl)
+     struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+     struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+ 
+-    if (ssl->verify_mode == SSL_VERIFY_PEER)
++    if ((ssl->verify_mode & SSL_VERIFY_PEER) > 0)
+         mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+-    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
++    else if ((ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) > 0)
+         mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+     else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+         mode = MBEDTLS_SSL_VERIFY_UNSET;
+@@ -980,9 +980,9 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
+ 
+ #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
+ 
+-	if (ctx->verify_mode == SSL_VERIFY_PEER)
++	if ((ctx->verify_mode & SSL_VERIFY_PEER) > 0)
+ 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+-	else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
++	else if ((ctx->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) > 0)
+ 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ 	else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+ 		mode = MBEDTLS_SSL_VERIFY_UNSET;
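Review bot: In the `ssl_pm_reload_crt` hunk the `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` branch still selects `MBEDTLS_SSL_VERIFY_OPTIONAL`, while the same branch in `SSL_set_SSL_CTX` selects `MBEDTLS_SSL_VERIFY_REQUIRED`. Under OPTIONAL, mbedTLS lets the handshake complete even when the peer certificate is missing or fails verification, so a verify_mode carrying only that flag would not enforce the client cert on this path. Whether that can happen depends on how `verify_options` is initialised above the first hunk, which is not visible here; if it does not always include `SSL_VERIFY_PEER`, the branch should read `mode = MBEDTLS_SSL_VERIFY_REQUIRED;`. The `== SSL_VERIFY_CLIENT_ONCE` tests in both functions remain equality checks next to the new mask tests, and `!= 0` is the more conventional mask test than `> 0`. All three function bodies continue outside their hunks.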