git: 2ed62c75d123 - main - devel/tcltls: adapt to OpenSSL-3.0, upgrade, fix tests.

From: Mikhail Teterin <mi_at_FreeBSD.org>
Date: Mon, 20 Nov 2023 03:41:04 UTC
The branch main has been updated by mi:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2ed62c75d1230bbe8268a1a3c54de2972d50dcf8

commit 2ed62c75d1230bbe8268a1a3c54de2972d50dcf8
Author:     Mikhail Teterin <mi@FreeBSD.org>
AuthorDate: 2023-11-20 03:38:38 +0000
Commit:     Mikhail Teterin <mi@FreeBSD.org>
CommitDate: 2023-11-20 03:40:58 +0000

    devel/tcltls: adapt to OpenSSL-3.0, upgrade, fix tests.
    
    PR:     275160
---
 devel/tcltls/Makefile                              | 11 ++++++-
 devel/tcltls/distinfo                              |  6 ++--
 devel/tcltls/files/dh_params.h                     | 28 ++++++++++++++++
 devel/tcltls/files/patch-gen_dh_params             | 27 ---------------
 devel/tcltls/files/patch-ssl_ignore_unexpected_eof | 14 ++++++++
 devel/tcltls/files/patch-tests                     | 38 ++++++++++++++++++++++
 devel/tcltls/files/patch-warnings                  | 30 +++++++++++++++++
 7 files changed, 123 insertions(+), 31 deletions(-)

diff --git a/devel/tcltls/Makefile b/devel/tcltls/Makefile
index 0480c0772178..d370430fad53 100644
--- a/devel/tcltls/Makefile
+++ b/devel/tcltls/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	tcltls
-PORTVERSION=	1.7.18
+PORTVERSION=	1.7.22
 CATEGORIES=	devel security tcl
 MASTER_SITES=	http://core.tcl.tk/tcltls/uv/ \
 		http://tcltls.rkeene.org/uv/
@@ -38,6 +38,15 @@ CFLAGS+=       -Wno-error=int-conversion
 
 post-patch:
 	${MV} ${WRKSRC}/tests/ciphers.test ${WRKSRC}/tests/ciphers.test.broken
+	${CP} ${FILESDIR}/dh_params.h ${WRKSRC}/
+
+# Newer openssl-dhparam has no "-C" option, we emulate it here :-/
+post-configure:
+	${OPENSSLBASE}/bin/openssl dhparam -text 2048 | \
+	    ${SED} -E -e '/^---/,/^---/d' \
+		-e '/(DH|prime|generator)/d' \
+		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g' \
+		-e w${WRKSRC}/generateddh.txt
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
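Review bot: In the new `post-configure` target a failure of `openssl dhparam` goes unnoticed, because the exit status of the pipeline is that of `sed`; an empty or truncated `generateddh.txt` would then be included into `dhp_2048` in dh_params.h without stopping the build. Writing the parameters to a file first and filtering it in a second recipe line lets make see the failure, for example `${OPENSSLBASE}/bin/openssl dhparam -text -noout -out ${WRKSRC}/dhparam.txt 2048` followed by the `${SED}` command reading that file. The hex class `[0-9a-h]` is presumably meant to be `[0-9a-f]`. The line filter also relies on the words `DH`, `prime` and `generator` appearing in the `-text` output, which is worth confirming against every OpenSSL version the port builds with.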
diff --git a/devel/tcltls/distinfo b/devel/tcltls/distinfo
index d0704b78bc7d..4602cf7c8969 100644
--- a/devel/tcltls/distinfo
+++ b/devel/tcltls/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1556815670
-SHA256 (tcltls-1.7.18.tar.gz) = 6b21e7a4343bf8ae87358f933e98c61ea9c22162b916f35c9433e053a8f19b49
-SIZE (tcltls-1.7.18.tar.gz) = 163473
+TIMESTAMP = 1700353727
+SHA256 (tcltls-1.7.22.tar.gz) = e84e2b7a275ec82c4aaa9d1b1f9786dbe4358c815e917539ffe7f667ff4bc3b4
+SIZE (tcltls-1.7.22.tar.gz) = 165206
diff --git a/devel/tcltls/files/dh_params.h b/devel/tcltls/files/dh_params.h
new file mode 100644
index 000000000000..21512fb11235
--- /dev/null
+++ b/devel/tcltls/files/dh_params.h
@@ -0,0 +1,28 @@
+/*
+ * OpenSSL no longer offers the "-C" option for its dhparam
+ * subcommand, so we keep our own C-code here...
+ */
+
+static DH * get_dhParams(void) {
+	static unsigned char dhp_2048[] = {
+#include "generateddh.txt"
+	};
+	static unsigned char dhg_2048[] = {
+		0x02
+	};
+	DH	       *dh = DH_new();
+	BIGNUM	       *p, *g;
+
+	if (dh == NULL)
+		return NULL;
+	p = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL);
+	g = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL);
+	if (p == NULL || g == NULL
+	    || !DH_set0_pqg(dh, p, NULL, g)) {
+		DH_free(dh);
+		BN_free(p);
+		BN_free(g);
+		return NULL;
+	}
+	return dh;
+}
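Review bot: `get_dhParams()` accepts whatever `generateddh.txt` contains, so a short or empty file left by the build step is not rejected here and the resulting group can be smaller than the 2048 bits the array name promises. A check right after the `BN_bin2bn()` calls, such as `if (p != NULL && BN_num_bits(p) < 2048) { BN_free(p); p = NULL; }`, lets the existing failure branch handle it. The header comment should also say that `generateddh.txt` is written by the port's `post-configure` target, and that `dhg_2048` is fixed at 2 because `openssl dhparam` is invoked there with its default generator. Both arrays are only read and could be declared `static const unsigned char`.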
diff --git a/devel/tcltls/files/patch-gen_dh_params b/devel/tcltls/files/patch-gen_dh_params
deleted file mode 100644
index 4179d9dd5884..000000000000
--- a/devel/tcltls/files/patch-gen_dh_params
+++ /dev/null
@@ -1,27 +0,0 @@
---- gen_dh_params	2017-05-01 10:45:59.000000000 -0400
-+++ gen_dh_params	2017-05-16 18:19:20.703957000 -0400
-@@ -12,11 +12,8 @@
- 
- openssl_dhparam() {
--	if [ -x "`which openssl 2>/dev/null`" ]; then
--		o_output="`openssl dhparam -C "$@" 2>/dev/null`" || return 1
--		o_output="`echo "${o_output}" | sed 's/get_dh[0-9][0-9]*/get_dhParams/'`" || return 1
--		o_output="`echo "${o_output}" | sed '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'`" || return 1
--
--		echo "${o_output}"
--
-+	if openssl dhparam -C "$@" | sed	\
-+	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
-+	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
-+	then
- 		return 0
- 	fi
-@@ -273,6 +270,6 @@
- echo "*****************************" >&2
- gen_dh_params_openssl && exit 0
--gen_dh_params_remote && exit 0
--gen_dh_params_fallback && exit 0
-+# gen_dh_params_remote && exit 0
-+# gen_dh_params_fallback && exit 0
- 
- echo "Unable to generate parameters for DH of ${bits} bits" >&2
diff --git a/devel/tcltls/files/patch-ssl_ignore_unexpected_eof b/devel/tcltls/files/patch-ssl_ignore_unexpected_eof
new file mode 100644
index 000000000000..6f588ed2e00d
--- /dev/null
+++ b/devel/tcltls/files/patch-ssl_ignore_unexpected_eof
@@ -0,0 +1,14 @@
+See bug-report:
+
+	https://core.tcl-lang.org/tcltls/tktview/88c0c84969
+
+--- tls.c	2020-10-12 16:39:22.000000000 -0400
++++ tls.c	2023-11-19 21:44:39.676318000 -0500
+@@ -1215,4 +1214,7 @@
+     SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
+     SSL_CTX_set_options( ctx, off);	/* all SSL bug workarounds */
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++    SSL_CTX_set_options( ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
++#endif
+     SSL_CTX_sess_set_cache_size( ctx, 128);
+ 
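Review bot: Setting `SSL_OP_IGNORE_UNEXPECTED_EOF` on every context makes a connection that ends without a close_notify alert look like a normal end of stream, so scripts using this package can no longer tell a truncated TLS stream from a complete one. OpenSSL's documentation recommends the option only when the protocol above TLS detects truncation itself, which this library cannot know about its callers. If the option stays on by default, a comment at the call should say so, e.g. `/* EOF without close_notify is reported as a clean close; callers must detect truncation themselves */`, and an opt-out (a build option or a per-channel switch) would let protocols without their own length framing keep the check. The enclosing function begins and ends outside this hunk.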
diff --git a/devel/tcltls/files/patch-tests b/devel/tcltls/files/patch-tests
new file mode 100644
index 000000000000..f5870aa09486
--- /dev/null
+++ b/devel/tcltls/files/patch-tests
@@ -0,0 +1,38 @@
+See bug-reports:
+
+	https://core.tcl-lang.org/tcltls/tktview/bb7085cfdc
+	https://core.tcl-lang.org/tcltls/tktview/c6b35cf0e3
+	https://core.tcl-lang.org/tcltls/tktview/64cdb76212
+
+--- tests/tlsIO.test	2020-10-12 16:39:22.000000000 -0400
++++ tests/tlsIO.test	2023-11-19 21:03:22.658062000 -0500
+@@ -1106,4 +1106,5 @@
+     # need update to complete TLS handshake in-process
+     update
++    fconfigure $s1 -blocking 1
+     set z [gets $s1]
+     close $s
+@@ -2027,5 +2028,5 @@
+ } {{} 0 {} 0 {}}
+ 
+-test tls-bug58-1.0 {test protocol negotiation failure} {socket} {
++test tls-bug58-1.0 {test protocol negotiation failure} -constraints {socket} -body {
+     # Following code is based on what was reported in bug #58. Prior
+     # to fix the program would crash with a segfault.
+@@ -2062,5 +2063,5 @@
+     }
+     set ::done
+-} {handshake failed: wrong version number}
++} -result {handshake failed: *} -match glob
+ 
+ # cleanup
+--- tests/all.tcl	2020-10-12 16:39:22.000000000 -0400
++++ tests/all.tcl	2023-11-19 21:19:34.128221000 -0500
+@@ -55,5 +55,5 @@
+ # cleanup
+ puts stdout "\nTests ended at [eval $timeCmd]"
++set failCount [llength $::tcltest::failFiles]
+ ::tcltest::cleanupTests 1
+-return
+-
++exit [expr $failCount > 0]
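Review bot: The new expectation for `tls-bug58-1.0`, `-result {handshake failed: *} -match glob`, passes on any handshake error, so the test no longer shows that the failure is the protocol-version mismatch it sets up. A pattern restricted to the version-related messages of the supported OpenSSL releases would keep that check; the exact strings need to be taken from the linked reports or from a test run. In `tests/all.tcl` the exit expression should be braced, `exit [expr {$failCount > 0}]`.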
diff --git a/devel/tcltls/files/patch-warnings b/devel/tcltls/files/patch-warnings
new file mode 100644
index 000000000000..783d462e014b
--- /dev/null
+++ b/devel/tcltls/files/patch-warnings
@@ -0,0 +1,30 @@
+See bug-report:
+
+	https://core.tcl-lang.org/tcltls/tktview/539d25f105
+
+--- tls.c	2020-10-12 16:39:22.000000000 -0400
++++ tls.c	2023-11-19 21:30:03.357601000 -0500
+@@ -62,5 +62,5 @@
+ 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
+ 
+-static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
++static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key,
+ 			char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
+ 			int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
+@@ -897,5 +897,5 @@
+ 	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
+     } else {
+-	if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key,
++	if ((ctx = CTX_Init(statePtr, proto, keyfile, certfile, key,
+     cert, key_len, cert_len, CAdir, CAfile, ciphers,
+     DHparams)) == (SSL_CTX*)0) {
+@@ -1067,8 +1067,7 @@
+ 
+ static SSL_CTX *
+-CTX_Init(statePtr, isServer, proto, keyfile, certfile, key, cert,
++CTX_Init(statePtr, proto, keyfile, certfile, key, cert,
+          key_len, cert_len, CAdir, CAfile, ciphers, DHparams)
+     State *statePtr;
+-    int isServer;
+     int proto;
+     char *keyfile;