git: b0b7fc161d2d - main - pkg: fix signing with openssl3
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 26 Jun 2023 13:05:43 UTC
The branch main has been updated by bapt: URL: https://cgit.FreeBSD.org/ports/commit/?id=b0b7fc161d2deaa5a500a752e89375ec56bc8fe0 commit b0b7fc161d2deaa5a500a752e89375ec56bc8fe0 Author: Baptiste Daroussin <bapt@FreeBSD.org> AuthorDate: 2023-06-26 13:04:07 +0000 Commit: Baptiste Daroussin <bapt@FreeBSD.org> CommitDate: 2023-06-26 13:05:13 +0000 pkg: fix signing with openssl3 --- ports-mgmt/pkg-devel/Makefile | 1 + ports-mgmt/pkg-devel/files/patch-openssl3 | 98 +++++++++++++++++++++++++++++++ ports-mgmt/pkg/Makefile | 2 +- ports-mgmt/pkg/files/patch-openssl3 | 98 +++++++++++++++++++++++++++++++ 4 files changed, 198 insertions(+), 1 deletion(-) diff --git a/ports-mgmt/pkg-devel/Makefile b/ports-mgmt/pkg-devel/Makefile index 83f5df1802c5..a4b9ce544941 100644 --- a/ports-mgmt/pkg-devel/Makefile +++ b/ports-mgmt/pkg-devel/Makefile @@ -1,6 +1,7 @@ PORTNAME= pkg DISTVERSION= 1.19.99.2 _PKG_VERSION= ${DISTVERSION} +PORTREVISION= 1 CATEGORIES= ports-mgmt PKGNAMESUFFIX= -devel diff --git a/ports-mgmt/pkg-devel/files/patch-openssl3 b/ports-mgmt/pkg-devel/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg-devel/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); + diff --git a/ports-mgmt/pkg/Makefile b/ports-mgmt/pkg/Makefile index 7b6b20de0ead..fde39894a485 100644 --- a/ports-mgmt/pkg/Makefile +++ b/ports-mgmt/pkg/Makefile @@ -1,6 +1,6 @@ PORTNAME= pkg DISTVERSION= 1.19.1 -PORTREVISION= 1 +PORTREVISION= 2 _PKG_VERSION= ${DISTVERSION} CATEGORIES= ports-mgmt diff --git a/ports-mgmt/pkg/files/patch-openssl3 b/ports-mgmt/pkg/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); +