git: a07283aae1c1 - main - security/libpki: Fix build with openssl3
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 07 Aug 2023 15:25:22 UTC
The branch main has been updated by bofh:
URL: https://cgit.FreeBSD.org/ports/commit/?id=a07283aae1c15d460641ec311f4e5a3c6c122151
commit a07283aae1c15d460641ec311f4e5a3c6c122151
Author: Bruno Damour <bruno@ruomad.net>
AuthorDate: 2023-08-07 14:15:13 +0000
Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2023-08-07 15:24:45 +0000
security/libpki: Fix build with openssl3
Fixes :
- detection of OpenSSL version (a bit hacky IMHO)
- changes breaking compilation
Doesn't cover the replacement of obsoleted functions (specially the move
from engines to providers) which is way above my paygrade.
This patch has been upstream as a PR
(https://github.com/openca/libpki/pull/74).
PR: 272280
Approved by: bruno@ruomad.net (submitter is maintainer)
---
security/libpki/Makefile | 7 +-
security/libpki/distinfo | 2 +-
security/libpki/files/patch-acinclude.m4 | 16 ++++
.../files/patch-src-drivers-engine-engine_hsm.c | 12 +++
.../patch-src-drivers-openssl-openssl_hsm_pkey.c | 59 ++++++++++++++
.../libpki/files/patch-src-libpki-prqp-prqp_asn1.h | 53 +++++++++++++
.../libpki/files/patch-src-openssl-pki_ocsp_resp.c | 14 ++++
.../libpki/files/patch-src-openssl-pki_x509_cert.c | 26 ++++++
.../libpki/files/patch-src-openssl-pki_x509_req.c | 14 ++++
security/libpki/files/patch-src-pki_init.c | 13 +++
security/libpki/files/patch-src-pki_x509.c | 92 ++++++++++++++++++++++
11 files changed, 304 insertions(+), 4 deletions(-)
diff --git a/security/libpki/Makefile b/security/libpki/Makefile
index a39ce22b650b..f131efdd1a52 100644
--- a/security/libpki/Makefile
+++ b/security/libpki/Makefile
@@ -1,7 +1,7 @@
PORTNAME= libpki
DISTVERSIONPREFIX= v
DISTVERSION= 0.9.2
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
PATCH_SITES= https://github.com/openca/libpki/commit/
@@ -15,13 +15,14 @@ LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/COPYING
USES= autoreconf gnome libtool ssl
-BROKEN_SSL= openssl30 openssl31
-BROKEN_SSL_REASON= Fails to detect OpenSSL 3.0 or later
USE_GITHUB= yes
GH_ACCOUNT= openca
+
USE_GNOME= libxml2
USE_LDCONFIG= yes
+PATCH_STRIP= -p0
+
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-dependency-tracking \
--disable-iphone
diff --git a/security/libpki/distinfo b/security/libpki/distinfo
index ff5dbd0e6577..a345f02fc034 100644
--- a/security/libpki/distinfo
+++ b/security/libpki/distinfo
@@ -1,4 +1,4 @@
-TIMESTAMP = 1657661150
+TIMESTAMP = 1687900936
SHA256 (openca-libpki-v0.9.2_GH0.tar.gz) = 4352a77457579a498837e33fbc0092f67a1c5d93eee6eb73bc889ad8b8f747fb
SIZE (openca-libpki-v0.9.2_GH0.tar.gz) = 1184928
SHA256 (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 05818f983047b399958f523e79de001d995947ec92366dca2c9f7aac52fed7c7
diff --git a/security/libpki/files/patch-acinclude.m4 b/security/libpki/files/patch-acinclude.m4
new file mode 100644
index 000000000000..fcb98b4cf827
--- /dev/null
+++ b/security/libpki/files/patch-acinclude.m4
@@ -0,0 +1,16 @@
+--- acinclude.m4.orig 2023-06-27 08:58:28.460201000 +0200
++++ acinclude.m4 2023-06-27 13:17:52.671338000 +0200
+@@ -116,7 +116,12 @@
+
+ AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]);
+ ver=`grep "^ *# *define *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
+- detected_v=`echo $((ver))`
++ if [[ "x$ver" == "x" ]] ; then
++ pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
++ bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes" | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
++ ver="$bver$pver"
++ fi
++ detected_v=`echo $((ver))`
+ required_v=`echo $(($_version))`
+
+ dnl ver=`grep "^ *# *define *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`;
diff --git a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
new file mode 100644
index 000000000000..4770da3e5ad4
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
@@ -0,0 +1,12 @@
+--- src/drivers/engine/engine_hsm.c.orig 2023-06-27 08:58:28.477634000 +0200
++++ src/drivers/engine/engine_hsm.c 2023-06-27 13:17:52.663862000 +0200
+@@ -204,7 +204,9 @@
+ char *engine_id = NULL;
+
+ ENGINE_load_builtin_engines();
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ENGINE_strings();
++#endif
+
+ hsm = (HSM *) PKI_Malloc ( sizeof( HSM ));
+ memcpy( hsm, &engine_hsm, sizeof( HSM ));
diff --git a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
new file mode 100644
index 000000000000..309bad12d747
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
@@ -0,0 +1,59 @@
+--- src/drivers/openssl/openssl_hsm_pkey.c.orig 2023-06-27 08:58:28.478388000 +0200
++++ src/drivers/openssl/openssl_hsm_pkey.c 2023-06-27 13:17:52.668464000 +0200
+@@ -443,8 +443,11 @@
+ } break;
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ ret = PEM_write_bio_ECPrivateKey(bp,
++ EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
++ ret = PEM_write_bio_ECPrivateKey(bp,
+ x->pkey.ec, enc, (unsigned char *) kstr, klen, cb, u);
+ # else
+ ret = PEM_write_bio_ECPrivateKey(bp,
+@@ -480,7 +483,9 @@
+
+ case EVP_PKEY_RSA: {
+ RSA *rsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((rsa = EVP_PKEY_get1_RSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((rsa = EVP_PKEY_get0_RSA(kVal)) == NULL) ||
+ #else
+ if (((rsa = (RSA *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -492,7 +497,9 @@
+
+ case EVP_PKEY_DH: {
+ DH *dh = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dh = EVP_PKEY_get1_DH(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dh = EVP_PKEY_get0_DH(kVal)) == NULL) ||
+ #else
+ if ( ((dh = (DH *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -505,7 +512,9 @@
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+ EC_KEY * ec = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((ec = EVP_PKEY_get1_EC_KEY(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((ec = EVP_PKEY_get0_EC_KEY(kVal)) == NULL) ||
+ #else
+ if (((ec = (EC_KEY *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -519,7 +528,9 @@
+ #ifdef ENABLE_DSA
+ case EVP_PKEY_DSA: {
+ DSA *dsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dsa = EVP_PKEY_get1_DSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dsa = EVP_PKEY_get0_DSA(kVal)) == NULL) ||
+ #else
+ if ( ((dsa = (DSA *)EVP_PKEY_get0(kVal)) == NULL) ||
diff --git a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
new file mode 100644
index 000000000000..fe215c4e57d1
--- /dev/null
+++ b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
@@ -0,0 +1,53 @@
+--- src/libpki/prqp/prqp_asn1.h.orig 2023-06-27 08:58:28.483798000 +0200
++++ src/libpki/prqp/prqp_asn1.h 2023-06-27 13:17:52.673161000 +0200
+@@ -73,8 +73,13 @@
+ // DECLARE_ASN1_SET_OF(CERT_IDENTIFIER)
+
+ DECLARE_ASN1_FUNCTIONS(CERT_IDENTIFIER)
+-CERT_IDENTIFIER *CERT_IDENTIFIER_dup( CERT_IDENTIFIER *cid );
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( const CERT_IDENTIFIER *cid );
++#else
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( CERT_IDENTIFIER *cid );
++#endif
++
+ /* ResourceIdentifier ::= SEQUENCE {
+ * resourceId OBJECT IDENTIFIER,
+ * version [0] INTEGER OPTIONAL }
+@@ -128,7 +133,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_REQ)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( const PKI_PRQP_REQ *x );
++#else
+ PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( PKI_PRQP_REQ *x );
++#endif
+
+ /* PKIStatus ::= INTEGER {
+ * ok {0},
+@@ -207,7 +216,11 @@
+ DECLARE_ASN1_FUNCTIONS(RESOURCE_RESPONSE_TOKEN)
+ DECLARE_STACK_OF(RESOURCE_RESPONSE_TOKEN)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( const RESOURCE_RESPONSE_TOKEN * p );
++#else
+ RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( RESOURCE_RESPONSE_TOKEN * p );
++#endif
+
+ /* TBSRespData ::= {
+ * version INTEGER { v(1) },
+@@ -239,7 +252,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_RESP)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( const PKI_PRQP_RESP *x );
++#else
+ PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( PKI_PRQP_RESP *x );
++#endif
+
+ /* Crypto Functionality */
+ /*
diff --git a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
new file mode 100644
index 000000000000..e0b2dd89bf74
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_ocsp_resp.c.orig 2023-06-27 08:58:28.486438000 +0200
++++ src/openssl/pki_ocsp_resp.c 2023-06-27 13:17:52.661387000 +0200
+@@ -701,7 +701,10 @@
+ PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL );
+ break;
+ }
+-#if OPENSSL_VERSION_NUMBER > 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
++ &(mem->data), (ASN1_ITEM *) OCSP_RESPDATA_it );
++#elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
+ &(mem->data), &OCSP_RESPDATA_it );
+ #else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_cert.c b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
new file mode 100644
index 000000000000..0052f92b89fa
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
@@ -0,0 +1,26 @@
+--- src/openssl/pki_x509_cert.c.orig 2023-06-27 08:58:28.486733000 +0200
++++ src/openssl/pki_x509_cert.c 2023-06-27 13:17:52.669080000 +0200
+@@ -433,7 +433,10 @@
+ case PKI_SCHEME_ECDSA:
+ if ( (int) kParams->ec.form > 0 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ (point_conversion_form_t) kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
+ (point_conversion_form_t) kParams->ec.form);
+ # else
+@@ -443,7 +446,10 @@
+ }
+ if ( kParams->ec.asn1flags > -1 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_asn1_flag(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ kParams->ec.asn1flags );
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
+ kParams->ec.asn1flags );
+ # else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_req.c b/security/libpki/files/patch-src-openssl-pki_x509_req.c
new file mode 100644
index 000000000000..7cac927752bd
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_req.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_x509_req.c.orig 2023-06-27 08:58:28.487713000 +0200
++++ src/openssl/pki_x509_req.c 2023-06-27 13:17:52.669477000 +0200
+@@ -166,7 +166,10 @@
+ #ifdef ENABLE_ECDSA
+ case PKI_SCHEME_ECDSA:
+ if ( kParams->ec.form != PKI_EC_KEY_FORM_UNKNOWN ) {
+-# if OPENSSL_VERSION_NUMBER > 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal),
++ (point_conversion_form_t)kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(kVal),
+ (point_conversion_form_t)kParams->ec.form);
+ # else
diff --git a/security/libpki/files/patch-src-pki_init.c b/security/libpki/files/patch-src-pki_init.c
new file mode 100644
index 000000000000..117fb69acd93
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_init.c
@@ -0,0 +1,13 @@
+--- src/pki_init.c.orig 2023-06-27 08:58:28.488119000 +0200
++++ src/pki_init.c 2023-06-27 13:17:52.664235000 +0200
+@@ -159,8 +159,10 @@
+ OpenSSL_add_all_ciphers();
+ OpenSSL_pthread_init();
+
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ERR_strings();
+ ERR_load_crypto_strings();
++#endif
+
+ PRQP_init_all_services();
+ PKI_X509_SCEP_init();
diff --git a/security/libpki/files/patch-src-pki_x509.c b/security/libpki/files/patch-src-pki_x509.c
new file mode 100644
index 000000000000..d9f25c82ee0b
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_x509.c
@@ -0,0 +1,92 @@
+--- src/pki_x509.c.orig 2023-06-27 08:58:28.488591000 +0200
++++ src/pki_x509.c 2023-06-27 13:17:52.661803000 +0200
+@@ -44,7 +44,11 @@
+ switch (type) {
+
+ case PKI_DATATYPE_X509_CERT : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CINF_it;
++#else
+ it = &X509_CINF_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_CERT *)v)->cert_info);
+ #else
+@@ -53,7 +57,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_CRL : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CRL_INFO_it;
++#else
+ it = &X509_CRL_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_CRL_VALUE *)v)->crl);
+ #else
+@@ -62,7 +70,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_REQ_INFO_it;
++#else
+ it = &X509_REQ_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_REQ *)v)->req_info);
+ #else
+@@ -71,7 +83,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_REQINFO_it;
++#else
+ it = &OCSP_REQINFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_OCSP_REQ_VALUE *)v)->tbsRequest);
+ #else
+@@ -80,7 +96,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_RESPDATA_it;
++#else
+ it = &OCSP_RESPDATA_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_OCSP_RESP *)v)->bs->tbsResponseData);
+ #else
+@@ -89,17 +109,29 @@
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_REQ_it;
++#else
+ it = &PKI_PRQP_REQ_it;
++#endif
+ p = ((PKI_X509_PRQP_REQ_VALUE *)v)->requestData;
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_RESP_it;
++#else
+ it = &PKI_PRQP_RESP_it;
++#endif
+ p = ((PKI_X509_PRQP_RESP_VALUE *)v)->respData;
+ } break;
+
+ case PKI_DATATYPE_X509_CMS : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) CMS_ContentInfo_it;
++#else
+ it = &CMS_ContentInfo_it;
++#endif
+ p = NULL;
+ }
+