git: a07283aae1c1 - main - security/libpki: Fix build with openssl3
Date: Mon, 07 Aug 2023 15:25:22 UTC
The branch main has been updated by bofh: URL: https://cgit.FreeBSD.org/ports/commit/?id=a07283aae1c15d460641ec311f4e5a3c6c122151 commit a07283aae1c15d460641ec311f4e5a3c6c122151 Author: Bruno Damour <bruno@ruomad.net> AuthorDate: 2023-08-07 14:15:13 +0000 Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org> CommitDate: 2023-08-07 15:24:45 +0000 security/libpki: Fix build with openssl3 Fixes : - detection of OpenSSL version (a bit hacky IMHO) - changes breaking compilation Doesn't cover the replacement of obsoleted functions (specially the move from engines to providers) which is way above my paygrade. This patch has been upstream as a PR (https://github.com/openca/libpki/pull/74). PR: 272280 Approved by: bruno@ruomad.net (submitter is maintainer) --- security/libpki/Makefile | 7 +- security/libpki/distinfo | 2 +- security/libpki/files/patch-acinclude.m4 | 16 ++++ .../files/patch-src-drivers-engine-engine_hsm.c | 12 +++ .../patch-src-drivers-openssl-openssl_hsm_pkey.c | 59 ++++++++++++++ .../libpki/files/patch-src-libpki-prqp-prqp_asn1.h | 53 +++++++++++++ .../libpki/files/patch-src-openssl-pki_ocsp_resp.c | 14 ++++ .../libpki/files/patch-src-openssl-pki_x509_cert.c | 26 ++++++ .../libpki/files/patch-src-openssl-pki_x509_req.c | 14 ++++ security/libpki/files/patch-src-pki_init.c | 13 +++ security/libpki/files/patch-src-pki_x509.c | 92 ++++++++++++++++++++++ 11 files changed, 304 insertions(+), 4 deletions(-) diff --git a/security/libpki/Makefile b/security/libpki/Makefile index a39ce22b650b..f131efdd1a52 100644 --- a/security/libpki/Makefile +++ b/security/libpki/Makefile @@ -1,7 +1,7 @@ PORTNAME= libpki DISTVERSIONPREFIX= v DISTVERSION= 0.9.2 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security PATCH_SITES= https://github.com/openca/libpki/commit/ 
@@ -15,13 +15,14 @@ LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/COPYING USES= autoreconf gnome libtool ssl -BROKEN_SSL= openssl30 openssl31 -BROKEN_SSL_REASON= Fails to detect OpenSSL 3.0 or later USE_GITHUB= yes GH_ACCOUNT= openca + USE_GNOME= libxml2 USE_LDCONFIG= yes +PATCH_STRIP= -p0 + GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-dependency-tracking \ --disable-iphone diff --git a/security/libpki/distinfo b/security/libpki/distinfo index ff5dbd0e6577..a345f02fc034 100644 --- a/security/libpki/distinfo +++ b/security/libpki/distinfo @@ -1,4 +1,4 @@ -TIMESTAMP = 1657661150 +TIMESTAMP = 1687900936 SHA256 (openca-libpki-v0.9.2_GH0.tar.gz) = 4352a77457579a498837e33fbc0092f67a1c5d93eee6eb73bc889ad8b8f747fb SIZE (openca-libpki-v0.9.2_GH0.tar.gz) = 1184928 SHA256 (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 05818f983047b399958f523e79de001d995947ec92366dca2c9f7aac52fed7c7 diff --git a/security/libpki/files/patch-acinclude.m4 b/security/libpki/files/patch-acinclude.m4 new file mode 100644 index 000000000000..fcb98b4cf827 --- /dev/null +++ b/security/libpki/files/patch-acinclude.m4 @@ -0,0 +1,16 @@ +--- acinclude.m4.orig 2023-06-27 08:58:28.460201000 +0200 ++++ acinclude.m4 2023-06-27 13:17:52.671338000 +0200 +@@ -116,7 +116,12 @@ + + AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]); + ver=`grep "^ *# *define *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`; +- detected_v=`echo $((ver))` ++ if [[ "x$ver" == "x" ]] ; then ++ pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'` ++ bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes" | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" ` ++ ver="$bver$pver" ++ fi ++ detected_v=`echo $((ver))` + required_v=`echo $(($_version))` + + dnl ver=`grep "^ *# *define *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`; 
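Review bot: The fallback added to patch-acinclude.m4 builds a version string that does not follow OpenSSL's 0xMNN00PP0-style layout. `printf "0x%1x%02X%02X"` on a three-part OPENSSL_VERSION_STR gives five hex digits and `pver` appends one more, so a 3.x header yields a value of the form 0xMNNPPf, two digits shorter than the real OPENSSL_VERSION_NUMBER. Unless `$_version` uses the same shortened form, `detected_v` and `required_v` end up on different scales. The `L` carried in `pver` also reaches `$((ver))`, whereas the existing path appears to strip it with `sed 's|\L||g'`. Consider `printf "0x%1x%02X00%02X"` and appending `0` or `f` without the `L`; the comparison itself lies outside the hunk, so check it against that code.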
diff --git a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
new file mode 100644
index 000000000000..4770da3e5ad4
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
@@ -0,0 +1,12 @@
+--- src/drivers/engine/engine_hsm.c.orig 2023-06-27 08:58:28.477634000 +0200
++++ src/drivers/engine/engine_hsm.c 2023-06-27 13:17:52.663862000 +0200
+@@ -204,7 +204,9 @@
+ char *engine_id = NULL;
+
+ ENGINE_load_builtin_engines();
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ENGINE_strings();
++#endif
+
+ hsm = (HSM *) PKI_Malloc ( sizeof( HSM ));
+ memcpy( hsm, &engine_hsm, sizeof( HSM ));
diff --git a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
new file mode 100644
index 000000000000..309bad12d747
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
@@ -0,0 +1,59 @@
+--- src/drivers/openssl/openssl_hsm_pkey.c.orig 2023-06-27 08:58:28.478388000 +0200
++++ src/drivers/openssl/openssl_hsm_pkey.c 2023-06-27 13:17:52.668464000 +0200
+@@ -443,8 +443,11 @@
+ } break;
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ ret = PEM_write_bio_ECPrivateKey(bp,
++ EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
++ ret = PEM_write_bio_ECPrivateKey(bp,
+ x->pkey.ec, enc, (unsigned char *) kstr, klen, cb, u);
+ # else
+ ret = PEM_write_bio_ECPrivateKey(bp,
+@@ -480,7 +483,9 @@
+
+ case EVP_PKEY_RSA: {
+ RSA *rsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((rsa = EVP_PKEY_get1_RSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((rsa = EVP_PKEY_get0_RSA(kVal)) == NULL) ||
+ #else
+ if (((rsa = (RSA *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -492,7 +497,9 @@
+
+ case EVP_PKEY_DH: {
+ DH *dh = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dh = EVP_PKEY_get1_DH(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dh = EVP_PKEY_get0_DH(kVal)) == NULL) ||
+ #else
+ if ( ((dh = (DH *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -505,7 +512,9 @@
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+ EC_KEY * ec = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((ec = EVP_PKEY_get1_EC_KEY(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((ec = EVP_PKEY_get0_EC_KEY(kVal)) == NULL) ||
+ #else
+ if (((ec = (EC_KEY *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -519,7 +528,9 @@
+ #ifdef ENABLE_DSA
+ case EVP_PKEY_DSA: {
+ DSA *dsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dsa = EVP_PKEY_get1_DSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dsa = EVP_PKEY_get0_DSA(kVal)) == NULL) ||
+ #else
+ if ( ((dsa = (DSA *)EVP_PKEY_get0(kVal)) == NULL) ||
diff --git a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
new file mode 100644
index 000000000000..fe215c4e57d1
--- /dev/null
+++ b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
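Review bot: The OpenSSL 3 branches in openssl_hsm_pkey.c switch from `EVP_PKEY_get0_*` to `EVP_PKEY_get1_RSA`/`_DH`/`_EC_KEY`/`_DSA`, which return a reference the caller owns, and nothing visible in these hunks releases it. In the `PEM_write_bio_ECPrivateKey` call the result of `EVP_PKEY_get1_EC_KEY(x)` is passed directly as an argument, so that reference cannot be freed and each call leaves a private-key object alive. Hold the key in a local and release it after use, e.g. `EC_KEY *ec = EVP_PKEY_get1_EC_KEY(x);` followed by `EC_KEY_free(ec);` once the write returns. The RSA, DH, EC and DSA cases need the matching `*_free` after the checks that follow, which continue outside the hunks. The same unreleased `EVP_PKEY_get1_EC_KEY` pattern appears in patch-src-openssl-pki_x509_cert.c and patch-src-openssl-pki_x509_req.c.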
@@ -0,0 +1,53 @@
+--- src/libpki/prqp/prqp_asn1.h.orig 2023-06-27 08:58:28.483798000 +0200
++++ src/libpki/prqp/prqp_asn1.h 2023-06-27 13:17:52.673161000 +0200
+@@ -73,8 +73,13 @@
+ // DECLARE_ASN1_SET_OF(CERT_IDENTIFIER)
+
+ DECLARE_ASN1_FUNCTIONS(CERT_IDENTIFIER)
+-CERT_IDENTIFIER *CERT_IDENTIFIER_dup( CERT_IDENTIFIER *cid );
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( const CERT_IDENTIFIER *cid );
++#else
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( CERT_IDENTIFIER *cid );
++#endif
++
+ /* ResourceIdentifier ::= SEQUENCE {
+ * resourceId OBJECT IDENTIFIER,
+ * version [0] INTEGER OPTIONAL }
+@@ -128,7 +133,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_REQ)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( const PKI_PRQP_REQ *x );
++#else
+ PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( PKI_PRQP_REQ *x );
++#endif
+
+ /* PKIStatus ::= INTEGER {
+ * ok {0},
+@@ -207,7 +216,11 @@
+ DECLARE_ASN1_FUNCTIONS(RESOURCE_RESPONSE_TOKEN)
+ DECLARE_STACK_OF(RESOURCE_RESPONSE_TOKEN)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( const RESOURCE_RESPONSE_TOKEN * p );
++#else
+ RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( RESOURCE_RESPONSE_TOKEN * p );
++#endif
+
+ /* TBSRespData ::= {
+ * version INTEGER { v(1) },
+@@ -239,7 +252,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_RESP)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( const PKI_PRQP_RESP *x );
++#else
+ PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( PKI_PRQP_RESP *x );
++#endif
+
+ /* Crypto Functionality */
+ /*
diff --git a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
new file mode 100644
index 000000000000..e0b2dd89bf74
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_ocsp_resp.c.orig 2023-06-27 08:58:28.486438000 +0200
++++ src/openssl/pki_ocsp_resp.c 2023-06-27 13:17:52.661387000 +0200
+@@ -701,7 +701,10 @@
+ PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL );
+ break;
+ }
+-#if OPENSSL_VERSION_NUMBER > 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
++ &(mem->data), (ASN1_ITEM *) OCSP_RESPDATA_it );
++#elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
+ &(mem->data), &OCSP_RESPDATA_it );
+ #else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_cert.c b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
new file mode 100644
index 000000000000..0052f92b89fa
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
@@ -0,0 +1,26 @@
+--- src/openssl/pki_x509_cert.c.orig 2023-06-27 08:58:28.486733000 +0200
++++ src/openssl/pki_x509_cert.c 2023-06-27 13:17:52.669080000 +0200
+@@ -433,7 +433,10 @@
+ case PKI_SCHEME_ECDSA:
+ if ( (int) kParams->ec.form > 0 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ (point_conversion_form_t) kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
+ (point_conversion_form_t) kParams->ec.form);
+ # else
+@@ -443,7 +446,10 @@
+ }
+ if ( kParams->ec.asn1flags > -1 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_asn1_flag(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ kParams->ec.asn1flags );
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
+ kParams->ec.asn1flags );
+ # else
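Review bot: In the `>= 0x30000000L` branch of pki_ocsp_resp.c, `(ASN1_ITEM *) OCSP_RESPDATA_it` casts the symbol itself instead of the item it yields. In OpenSSL 3.x the `*_it` names are, as far as I know, declared as functions returning `const ASN1_ITEM *`. If so, this hands `ASN1_item_i2d` a function address where it expects the template, and the explicit cast suppresses the diagnostic that would have flagged it. Use `ASN1_ITEM_rptr(OCSP_RESPDATA)` (or call `OCSP_RESPDATA_it()`) and keep the pointer `const`; the macro should also resolve correctly on the older branches. The same cast is applied to every `it = (ASN1_ITEM *) …_it;` assignment in patch-src-pki_x509.c.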
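Review bot: In pki_x509_cert.c, `EC_KEY_set_conv_form` and `EC_KEY_set_asn1_flag` now act on the object returned by `EVP_PKEY_get1_EC_KEY(certPubKeyVal)`, and under OpenSSL 3 that object may be a cached copy rather than the key held inside the EVP_PKEY. If that is the case here, the point format and ASN.1 flag requested through `kParams` would not reach the certificate's public key, so the build fix could silently change how EC keys are encoded. Confirm with a test that the configured form shows up in the generated certificate, or set it on the EVP_PKEY itself, for example with `EVP_PKEY_set_utf8_string_param` and the point-format parameter. The `EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal), …)` call in patch-src-openssl-pki_x509_req.c raises the same question.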
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_req.c b/security/libpki/files/patch-src-openssl-pki_x509_req.c
new file mode 100644
index 000000000000..7cac927752bd
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_req.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_x509_req.c.orig 2023-06-27 08:58:28.487713000 +0200
++++ src/openssl/pki_x509_req.c 2023-06-27 13:17:52.669477000 +0200
+@@ -166,7 +166,10 @@
+ #ifdef ENABLE_ECDSA
+ case PKI_SCHEME_ECDSA:
+ if ( kParams->ec.form != PKI_EC_KEY_FORM_UNKNOWN ) {
+-# if OPENSSL_VERSION_NUMBER > 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal),
++ (point_conversion_form_t)kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(kVal),
+ (point_conversion_form_t)kParams->ec.form);
+ # else
diff --git a/security/libpki/files/patch-src-pki_init.c b/security/libpki/files/patch-src-pki_init.c
new file mode 100644
index 000000000000..117fb69acd93
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_init.c
@@ -0,0 +1,13 @@
+--- src/pki_init.c.orig 2023-06-27 08:58:28.488119000 +0200
++++ src/pki_init.c 2023-06-27 13:17:52.664235000 +0200
+@@ -159,8 +159,10 @@
+ OpenSSL_add_all_ciphers();
+ OpenSSL_pthread_init();
+
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ERR_strings();
+ ERR_load_crypto_strings();
++#endif
+
+ PRQP_init_all_services();
+ PKI_X509_SCEP_init();
diff --git a/security/libpki/files/patch-src-pki_x509.c b/security/libpki/files/patch-src-pki_x509.c
new file mode 100644
index 000000000000..d9f25c82ee0b
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_x509.c
@@ -0,0 +1,92 @@
+--- src/pki_x509.c.orig 2023-06-27 08:58:28.488591000 +0200
++++ src/pki_x509.c 2023-06-27 13:17:52.661803000 +0200
+@@ -44,7 +44,11 @@
+ switch (type) {
+
+ case PKI_DATATYPE_X509_CERT : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CINF_it;
++#else
+ it = &X509_CINF_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_CERT *)v)->cert_info);
+ #else
+@@ -53,7 +57,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_CRL : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CRL_INFO_it;
++#else
+ it = &X509_CRL_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_CRL_VALUE *)v)->crl);
+ #else
+@@ -62,7 +70,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_REQ_INFO_it;
++#else
+ it = &X509_REQ_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_REQ *)v)->req_info);
+ #else
+@@ -71,7 +83,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_REQINFO_it;
++#else
+ it = &OCSP_REQINFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_OCSP_REQ_VALUE *)v)->tbsRequest);
+ #else
+@@ -80,7 +96,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_RESPDATA_it;
++#else
+ it = &OCSP_RESPDATA_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_OCSP_RESP *)v)->bs->tbsResponseData);
+ #else
+@@ -89,17 +109,29 @@
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_REQ_it;
++#else
+ it = &PKI_PRQP_REQ_it;
++#endif
+ p = ((PKI_X509_PRQP_REQ_VALUE *)v)->requestData;
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_RESP_it;
++#else
+ it = &PKI_PRQP_RESP_it;
++#endif
+ p = ((PKI_X509_PRQP_RESP_VALUE *)v)->respData;
+ } break;
+
+ case PKI_DATATYPE_X509_CMS : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) CMS_ContentInfo_it;
++#else
+ it = &CMS_ContentInfo_it;
++#endif
+ p = NULL;
+ }
+