From nobody Mon Jun 26 13:05:43 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QqSkw1Jwjz4k8t6; Mon, 26 Jun 2023 13:05:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QqSkw0v5yz3Ckc; Mon, 26 Jun 2023 13:05:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687784744; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PiRQNIVbKa0E2VkdQVkHJLpy5BFyG94MMX/J2un4TZs=; b=rMTq1q3S6or09LYc/3qP+aoz4Wxe6cvwllK2IINp+RMotgw/RaTCT1iFEJILrQbFLK9e8D LDClPy/rvVHF1KBoSHmc9X2JGLhdzUCs599QvGCKWti5MNUgBGWGhyjkFyP1J7AzFS+6wO 4+rslIw+bJwnjuCplsgEnzQCCsU591EtxFm7lawQCItrAKKYG/0gSSlUyRYyinISNS/BWe 2G5SZCf2+ac5ddxvELV8HuYDJHya/2obpRbjgnC1pItvKjzGDDuzSL0nVzlG2l1E45o7Fe KzVnzTFDv9i1DhuuDZWC+dNmXXo3u4+z6R5f7TH5OikdUXH46j+5uJH27Bfofw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687784744; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=PiRQNIVbKa0E2VkdQVkHJLpy5BFyG94MMX/J2un4TZs=; b=itXwR8bw8V8GeyNTZBgUVUlEMwDZ9KZZRksNAR0csWjhl1qV/rJp6/Ft4hhNU6PjoKpIJ5 hwNX9TQh0xsZJnq0GyygEXFX4FCYklu+4Dk/VOSQDkZi7xxbbBdtjIkWWNmS6h66iUAPR4 drwAWzoQiZ4XUehAiNPM3Z3/QlDZEKOh/XLPbV4xwrYlZfR6sFB02gU2B0f4vQqQH5W1k3 M5Lw7rs5/Dz0igFzRB8UMax6YKlXn4yudZwfVKPuZjg0l2PN8WulxlyprLASJW8aSxmvkH PcHGAmWnckiBbgW4FL4HabccLQM3X0OqjXVYTDp9O2cRjp/MtQWpP9b1KFLd1w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1687784744; a=rsa-sha256; cv=none; b=VEqzrsSeO0WS/wHqeLuISgUhWLEO9B0RHE4Apl1sJQx6DgPejq8ocZQDnu07wtwaVAzp9l FRlmzQvnTuf7o5zDgq4ipq91J6mJsSx/xJ6xFcjEYgn4oxAwXHBo9C06bDScSrud9g0rMP uXvTSoEv+vjUAmBFR3e+MIfldCBZj5MLp8b00C3ROXpdCeeh+706G0/nUmVVt1OGyCNlfD T/krAET+bXfkAdM32Mf0XonOFqrI/HMoIjMUYlFlnQ2EV84IsR72H18uUiKGKZykIQ0GIW mfEHD/gfpVjNW5A+8D+as21wnubyzQvPxL3xVffn4BM4YRF5JOJwKq+joa+0Yw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QqSkv74xLz19s4; Mon, 26 Jun 2023 13:05:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 35QD5h97083636; Mon, 26 Jun 2023 13:05:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 35QD5hvI083635; Mon, 26 Jun 2023 13:05:43 GMT (envelope-from git) Date: Mon, 26 Jun 2023 13:05:43 GMT Message-Id: <202306261305.35QD5hvI083635@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Baptiste Daroussin Subject: git: b0b7fc161d2d - main - pkg: fix signing with openssl3 List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bapt X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b0b7fc161d2deaa5a500a752e89375ec56bc8fe0 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by bapt: URL: https://cgit.FreeBSD.org/ports/commit/?id=b0b7fc161d2deaa5a500a752e89375ec56bc8fe0 commit b0b7fc161d2deaa5a500a752e89375ec56bc8fe0 Author: Baptiste Daroussin AuthorDate: 2023-06-26 13:04:07 +0000 Commit: Baptiste Daroussin CommitDate: 2023-06-26 13:05:13 +0000 pkg: fix signing with openssl3 --- ports-mgmt/pkg-devel/Makefile | 1 + ports-mgmt/pkg-devel/files/patch-openssl3 | 98 +++++++++++++++++++++++++++++++ ports-mgmt/pkg/Makefile | 2 +- ports-mgmt/pkg/files/patch-openssl3 | 98 +++++++++++++++++++++++++++++++ 4 files changed, 198 insertions(+), 1 deletion(-) diff --git a/ports-mgmt/pkg-devel/Makefile b/ports-mgmt/pkg-devel/Makefile index 83f5df1802c5..a4b9ce544941 100644 --- a/ports-mgmt/pkg-devel/Makefile +++ b/ports-mgmt/pkg-devel/Makefile @@ -1,6 +1,7 @@ PORTNAME= pkg DISTVERSION= 1.19.99.2 _PKG_VERSION= ${DISTVERSION} +PORTREVISION= 1 CATEGORIES= ports-mgmt PKGNAMESUFFIX= -devel diff --git a/ports-mgmt/pkg-devel/files/patch-openssl3 b/ports-mgmt/pkg-devel/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg-devel/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); + diff --git a/ports-mgmt/pkg/Makefile b/ports-mgmt/pkg/Makefile index 7b6b20de0ead..fde39894a485 100644 --- a/ports-mgmt/pkg/Makefile +++ b/ports-mgmt/pkg/Makefile @@ -1,6 +1,6 @@ PORTNAME= pkg DISTVERSION= 1.19.1 -PORTREVISION= 1 +PORTREVISION= 2 _PKG_VERSION= ${DISTVERSION} CATEGORIES= ports-mgmt diff --git a/ports-mgmt/pkg/files/patch-openssl3 b/ports-mgmt/pkg/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); +