git: 08beae7b9617 - main - security/libpki: Runtime fix
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 20 Feb 2024 11:53:47 UTC
The branch main has been updated by bofh:
URL: https://cgit.FreeBSD.org/ports/commit/?id=08beae7b9617a07ffff47c118a5cfd5ae798fd4e
commit 08beae7b9617a07ffff47c118a5cfd5ae798fd4e
Author: Bruno Damour <bruno@ruomad.net>
AuthorDate: 2024-02-20 11:52:22 +0000
Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2024-02-20 11:53:40 +0000
security/libpki: Runtime fix
The previous patch did build on FreeBSD 14.0 but the OCSP responder was
segfaulting.
This fixes the previous incorrect patch through backporting changes from
upstream.
OCSP responder (openca-ocspd) now works on FreeBSD 14.0.
PR: 276951
Approved by: submitter is maintainer
---
security/libpki/Makefile | 5 +-
security/libpki/distinfo | 4 +-
security/libpki/files/patch-acinclude.m4 | 16 ----
security/libpki/files/patch-configure.ac | 34 --------
.../files/patch-src-drivers-engine-engine_hsm.c | 12 ---
.../patch-src-drivers-openssl-openssl_hsm_pkey.c | 59 --------------
.../libpki/files/patch-src-libpki-prqp-prqp_asn1.h | 53 -------------
.../libpki/files/patch-src-openssl-pki_ocsp_resp.c | 14 ----
.../libpki/files/patch-src-openssl-pki_x509_cert.c | 26 ------
.../libpki/files/patch-src-openssl-pki_x509_req.c | 14 ----
security/libpki/files/patch-src-pki_init.c | 13 ---
security/libpki/files/patch-src-pki_x509.c | 92 ----------------------
12 files changed, 6 insertions(+), 336 deletions(-)
diff --git a/security/libpki/Makefile b/security/libpki/Makefile
index f131efdd1a52..f09f9d9ef067 100644
--- a/security/libpki/Makefile
+++ b/security/libpki/Makefile
@@ -1,11 +1,12 @@
PORTNAME= libpki
DISTVERSIONPREFIX= v
DISTVERSION= 0.9.2
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= security
PATCH_SITES= https://github.com/openca/libpki/commit/
-PATCHFILES= d7617046e9da97473a140c02582fa571f6359ae3.patch:-p1
+PATCHFILES= d7617046e9da97473a140c02582fa571f6359ae3.patch:-p1 \
+ 9c4865ad476a75c34d89e0bd663c280f544590c0.patch:-p1
MAINTAINER= bruno@ruomad.net
COMMENT= OpenCA PKI library (libpki) and tools
diff --git a/security/libpki/distinfo b/security/libpki/distinfo
index a345f02fc034..d89d00d30956 100644
--- a/security/libpki/distinfo
+++ b/security/libpki/distinfo
@@ -1,5 +1,7 @@
-TIMESTAMP = 1687900936
+TIMESTAMP = 1708348718
SHA256 (openca-libpki-v0.9.2_GH0.tar.gz) = 4352a77457579a498837e33fbc0092f67a1c5d93eee6eb73bc889ad8b8f747fb
SIZE (openca-libpki-v0.9.2_GH0.tar.gz) = 1184928
SHA256 (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 05818f983047b399958f523e79de001d995947ec92366dca2c9f7aac52fed7c7
SIZE (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 1251
+SHA256 (9c4865ad476a75c34d89e0bd663c280f544590c0.patch) = bbc836316c30c8d3488ef63688bc94cfd6219a9ea265b3003663cc10d15d488d
+SIZE (9c4865ad476a75c34d89e0bd663c280f544590c0.patch) = 15103
diff --git a/security/libpki/files/patch-acinclude.m4 b/security/libpki/files/patch-acinclude.m4
deleted file mode 100644
index fcb98b4cf827..000000000000
--- a/security/libpki/files/patch-acinclude.m4
+++ /dev/null
@@ -1,16 +0,0 @@
---- acinclude.m4.orig 2023-06-27 08:58:28.460201000 +0200
-+++ acinclude.m4 2023-06-27 13:17:52.671338000 +0200
-@@ -116,7 +116,12 @@
-
- AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]);
- ver=`grep "^ *# *define *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
-- detected_v=`echo $((ver))`
-+ if [[ "x$ver" == "x" ]] ; then
-+ pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
-+ bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes" | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
-+ ver="$bver$pver"
-+ fi
-+ detected_v=`echo $((ver))`
- required_v=`echo $(($_version))`
-
- dnl ver=`grep "^ *# *define *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`;
diff --git a/security/libpki/files/patch-configure.ac b/security/libpki/files/patch-configure.ac
deleted file mode 100644
index 3950cc7afc45..000000000000
--- a/security/libpki/files/patch-configure.ac
+++ /dev/null
@@ -1,34 +0,0 @@
---- configure.ac.orig 2023-02-21 00:50:13.111304000 +0100
-+++ configure.ac 2023-02-21 00:56:17.195099000 +0100
-@@ -23,7 +23,7 @@
- mybits_install=""
- is_sparc="no"
- is_aix="no"
--my_arch=`uname -m`
-+my_arch=`uname -p`
-
- case "$my_arch" in
- *i686)
-@@ -40,7 +40,13 @@
- mybits="64"
- mybits_install="64"
- ;;
-- *aarch64)
-+ *arm|*armv?)
-+ mybits="32"
-+ ;;
-+ *powerpc)
-+ mybits="32"
-+ ;;
-+ *aarch64|*arm64)
- mybits="64"
- mybits_install="64"
- ;;
-@@ -57,7 +63,6 @@
- *powerpc*)
- mybits="64"
- mybits_install="64"
-- is_aix="yes"
- ;;
- *)
- AC_MSG_ERROR([Not supported arch ($my_arch)])
diff --git a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
deleted file mode 100644
index 4770da3e5ad4..000000000000
--- a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- src/drivers/engine/engine_hsm.c.orig 2023-06-27 08:58:28.477634000 +0200
-+++ src/drivers/engine/engine_hsm.c 2023-06-27 13:17:52.663862000 +0200
-@@ -204,7 +204,9 @@
- char *engine_id = NULL;
-
- ENGINE_load_builtin_engines();
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
- ERR_load_ENGINE_strings();
-+#endif
-
- hsm = (HSM *) PKI_Malloc ( sizeof( HSM ));
- memcpy( hsm, &engine_hsm, sizeof( HSM ));
diff --git a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
deleted file mode 100644
index 309bad12d747..000000000000
--- a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
+++ /dev/null
@@ -1,59 +0,0 @@
---- src/drivers/openssl/openssl_hsm_pkey.c.orig 2023-06-27 08:58:28.478388000 +0200
-+++ src/drivers/openssl/openssl_hsm_pkey.c 2023-06-27 13:17:52.668464000 +0200
-@@ -443,8 +443,11 @@
- } break;
- #ifdef ENABLE_ECDSA
- case EVP_PKEY_EC: {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
- ret = PEM_write_bio_ECPrivateKey(bp,
-+ EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
-+ ret = PEM_write_bio_ECPrivateKey(bp,
- x->pkey.ec, enc, (unsigned char *) kstr, klen, cb, u);
- # else
- ret = PEM_write_bio_ECPrivateKey(bp,
-@@ -480,7 +483,9 @@
-
- case EVP_PKEY_RSA: {
- RSA *rsa = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if (((rsa = EVP_PKEY_get1_RSA(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if (((rsa = EVP_PKEY_get0_RSA(kVal)) == NULL) ||
- #else
- if (((rsa = (RSA *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -492,7 +497,9 @@
-
- case EVP_PKEY_DH: {
- DH *dh = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if ( ((dh = EVP_PKEY_get1_DH(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if ( ((dh = EVP_PKEY_get0_DH(kVal)) == NULL) ||
- #else
- if ( ((dh = (DH *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -505,7 +512,9 @@
- #ifdef ENABLE_ECDSA
- case EVP_PKEY_EC: {
- EC_KEY * ec = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if (((ec = EVP_PKEY_get1_EC_KEY(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if (((ec = EVP_PKEY_get0_EC_KEY(kVal)) == NULL) ||
- #else
- if (((ec = (EC_KEY *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -519,7 +528,9 @@
- #ifdef ENABLE_DSA
- case EVP_PKEY_DSA: {
- DSA *dsa = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if ( ((dsa = EVP_PKEY_get1_DSA(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if ( ((dsa = EVP_PKEY_get0_DSA(kVal)) == NULL) ||
- #else
- if ( ((dsa = (DSA *)EVP_PKEY_get0(kVal)) == NULL) ||
diff --git a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
deleted file mode 100644
index fe215c4e57d1..000000000000
--- a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
+++ /dev/null
@@ -1,53 +0,0 @@
---- src/libpki/prqp/prqp_asn1.h.orig 2023-06-27 08:58:28.483798000 +0200
-+++ src/libpki/prqp/prqp_asn1.h 2023-06-27 13:17:52.673161000 +0200
-@@ -73,8 +73,13 @@
- // DECLARE_ASN1_SET_OF(CERT_IDENTIFIER)
-
- DECLARE_ASN1_FUNCTIONS(CERT_IDENTIFIER)
--CERT_IDENTIFIER *CERT_IDENTIFIER_dup( CERT_IDENTIFIER *cid );
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( const CERT_IDENTIFIER *cid );
-+#else
-+CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( CERT_IDENTIFIER *cid );
-+#endif
-+
- /* ResourceIdentifier ::= SEQUENCE {
- * resourceId OBJECT IDENTIFIER,
- * version [0] INTEGER OPTIONAL }
-@@ -128,7 +133,11 @@
-
- DECLARE_ASN1_FUNCTIONS(PKI_PRQP_REQ)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( const PKI_PRQP_REQ *x );
-+#else
- PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( PKI_PRQP_REQ *x );
-+#endif
-
- /* PKIStatus ::= INTEGER {
- * ok {0},
-@@ -207,7 +216,11 @@
- DECLARE_ASN1_FUNCTIONS(RESOURCE_RESPONSE_TOKEN)
- DECLARE_STACK_OF(RESOURCE_RESPONSE_TOKEN)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( const RESOURCE_RESPONSE_TOKEN * p );
-+#else
- RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( RESOURCE_RESPONSE_TOKEN * p );
-+#endif
-
- /* TBSRespData ::= {
- * version INTEGER { v(1) },
-@@ -239,7 +252,11 @@
-
- DECLARE_ASN1_FUNCTIONS(PKI_PRQP_RESP)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( const PKI_PRQP_RESP *x );
-+#else
- PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( PKI_PRQP_RESP *x );
-+#endif
-
- /* Crypto Functionality */
- /*
diff --git a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
deleted file mode 100644
index e0b2dd89bf74..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/openssl/pki_ocsp_resp.c.orig 2023-06-27 08:58:28.486438000 +0200
-+++ src/openssl/pki_ocsp_resp.c 2023-06-27 13:17:52.661387000 +0200
-@@ -701,7 +701,10 @@
- PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL );
- break;
- }
--#if OPENSSL_VERSION_NUMBER > 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
-+ &(mem->data), (ASN1_ITEM *) OCSP_RESPDATA_it );
-+#elif OPENSSL_VERSION_NUMBER > 0x1010000fL
- mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
- &(mem->data), &OCSP_RESPDATA_it );
- #else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_cert.c b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
deleted file mode 100644
index 0052f92b89fa..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_x509_cert.c
+++ /dev/null
@@ -1,26 +0,0 @@
---- src/openssl/pki_x509_cert.c.orig 2023-06-27 08:58:28.486733000 +0200
-+++ src/openssl/pki_x509_cert.c 2023-06-27 13:17:52.669080000 +0200
-@@ -433,7 +433,10 @@
- case PKI_SCHEME_ECDSA:
- if ( (int) kParams->ec.form > 0 )
- {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
-+ (point_conversion_form_t) kParams->ec.form);
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
- EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
- (point_conversion_form_t) kParams->ec.form);
- # else
-@@ -443,7 +446,10 @@
- }
- if ( kParams->ec.asn1flags > -1 )
- {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_asn1_flag(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
-+ kParams->ec.asn1flags );
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
- EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
- kParams->ec.asn1flags );
- # else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_req.c b/security/libpki/files/patch-src-openssl-pki_x509_req.c
deleted file mode 100644
index 7cac927752bd..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_x509_req.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/openssl/pki_x509_req.c.orig 2023-06-27 08:58:28.487713000 +0200
-+++ src/openssl/pki_x509_req.c 2023-06-27 13:17:52.669477000 +0200
-@@ -166,7 +166,10 @@
- #ifdef ENABLE_ECDSA
- case PKI_SCHEME_ECDSA:
- if ( kParams->ec.form != PKI_EC_KEY_FORM_UNKNOWN ) {
--# if OPENSSL_VERSION_NUMBER > 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal),
-+ (point_conversion_form_t)kParams->ec.form);
-+# elif OPENSSL_VERSION_NUMBER > 0x1010000fL
- EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(kVal),
- (point_conversion_form_t)kParams->ec.form);
- # else
diff --git a/security/libpki/files/patch-src-pki_init.c b/security/libpki/files/patch-src-pki_init.c
deleted file mode 100644
index 117fb69acd93..000000000000
--- a/security/libpki/files/patch-src-pki_init.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- src/pki_init.c.orig 2023-06-27 08:58:28.488119000 +0200
-+++ src/pki_init.c 2023-06-27 13:17:52.664235000 +0200
-@@ -159,8 +159,10 @@
- OpenSSL_add_all_ciphers();
- OpenSSL_pthread_init();
-
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
- ERR_load_ERR_strings();
- ERR_load_crypto_strings();
-+#endif
-
- PRQP_init_all_services();
- PKI_X509_SCEP_init();
diff --git a/security/libpki/files/patch-src-pki_x509.c b/security/libpki/files/patch-src-pki_x509.c
deleted file mode 100644
index d9f25c82ee0b..000000000000
--- a/security/libpki/files/patch-src-pki_x509.c
+++ /dev/null
@@ -1,92 +0,0 @@
---- src/pki_x509.c.orig 2023-06-27 08:58:28.488591000 +0200
-+++ src/pki_x509.c 2023-06-27 13:17:52.661803000 +0200
-@@ -44,7 +44,11 @@
- switch (type) {
-
- case PKI_DATATYPE_X509_CERT : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_CINF_it;
-+#else
- it = &X509_CINF_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((LIBPKI_X509_CERT *)v)->cert_info);
- #else
-@@ -53,7 +57,11 @@
- } break;
-
- case PKI_DATATYPE_X509_CRL : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_CRL_INFO_it;
-+#else
- it = &X509_CRL_INFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_X509_CRL_VALUE *)v)->crl);
- #else
-@@ -62,7 +70,11 @@
- } break;
-
- case PKI_DATATYPE_X509_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_REQ_INFO_it;
-+#else
- it = &X509_REQ_INFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((LIBPKI_X509_REQ *)v)->req_info);
- #else
-@@ -71,7 +83,11 @@
- } break;
-
- case PKI_DATATYPE_X509_OCSP_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) OCSP_REQINFO_it;
-+#else
- it = &OCSP_REQINFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_X509_OCSP_REQ_VALUE *)v)->tbsRequest);
- #else
-@@ -80,7 +96,11 @@
- } break;
-
- case PKI_DATATYPE_X509_OCSP_RESP : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) OCSP_RESPDATA_it;
-+#else
- it = &OCSP_RESPDATA_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_OCSP_RESP *)v)->bs->tbsResponseData);
- #else
-@@ -89,17 +109,29 @@
- } break;
-
- case PKI_DATATYPE_X509_PRQP_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) PKI_PRQP_REQ_it;
-+#else
- it = &PKI_PRQP_REQ_it;
-+#endif
- p = ((PKI_X509_PRQP_REQ_VALUE *)v)->requestData;
- } break;
-
- case PKI_DATATYPE_X509_PRQP_RESP : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) PKI_PRQP_RESP_it;
-+#else
- it = &PKI_PRQP_RESP_it;
-+#endif
- p = ((PKI_X509_PRQP_RESP_VALUE *)v)->respData;
- } break;
-
- case PKI_DATATYPE_X509_CMS : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) CMS_ContentInfo_it;
-+#else
- it = &CMS_ContentInfo_it;
-+#endif
- p = NULL;
- }
-