authorBruno Damour <bruno@ruomad.net>2024-02-20 11:52:22 +0000
committerMuhammad Moinur Rahman <bofh@FreeBSD.org>2024-02-20 11:53:40 +0000
commit08beae7b9617a07ffff47c118a5cfd5ae798fd4e (patch)
tree9f1cd7b3da28b51f017f76573d8857b3264749b9
parent427cb03fab5df35a86bdacf4bb8438b9ab4ed346 (diff)
downloadports-08beae7b9617a07ffff47c118a5cfd5ae798fd4e.tar.gz
ports-08beae7b9617a07ffff47c118a5cfd5ae798fd4e.zip
security/libpki: Runtime fix
The previous patch built on FreeBSD 14.0, but the OCSP responder was segfaulting. This replaces that incorrect patch by backporting changes from upstream. The OCSP responder (openca-ocspd) now works on FreeBSD 14.0. PR: 276951 Approved by: submitter is maintainer
-rw-r--r--security/libpki/Makefile5
-rw-r--r--security/libpki/distinfo4
-rw-r--r--security/libpki/files/patch-acinclude.m416
-rw-r--r--security/libpki/files/patch-configure.ac34
-rw-r--r--security/libpki/files/patch-src-drivers-engine-engine_hsm.c12
-rw-r--r--security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c59
-rw-r--r--security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h53
-rw-r--r--security/libpki/files/patch-src-openssl-pki_ocsp_resp.c14
-rw-r--r--security/libpki/files/patch-src-openssl-pki_x509_cert.c26
-rw-r--r--security/libpki/files/patch-src-openssl-pki_x509_req.c14
-rw-r--r--security/libpki/files/patch-src-pki_init.c13
-rw-r--r--security/libpki/files/patch-src-pki_x509.c92
12 files changed, 6 insertions, 336 deletions
diff --git a/security/libpki/Makefile b/security/libpki/Makefile
index f131efdd1a52..f09f9d9ef067 100644
--- a/security/libpki/Makefile
+++ b/security/libpki/Makefile
@@ -1,11 +1,12 @@
PORTNAME= libpki
DISTVERSIONPREFIX= v
DISTVERSION= 0.9.2
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= security
PATCH_SITES= https://github.com/openca/libpki/commit/
-PATCHFILES= d7617046e9da97473a140c02582fa571f6359ae3.patch:-p1
+PATCHFILES= d7617046e9da97473a140c02582fa571f6359ae3.patch:-p1 \
+ 9c4865ad476a75c34d89e0bd663c280f544590c0.patch:-p1
MAINTAINER= bruno@ruomad.net
COMMENT= OpenCA PKI library (libpki) and tools
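Review bot: The new `PATCHFILES` entry is fetched from GitHub's auto-generated commit-patch endpoint, whose output is not guaranteed to stay byte-stable, so the SHA256 pinned in distinfo can stop matching later without any upstream change. The usual ports convention for such URLs is to request full index lines, e.g. `9c4865ad476a75c34d89e0bd663c280f544590c0.patch?full_index=1:-p1`, and regenerate distinfo; the existing `d7617046…` entry would benefit from the same treatment. Separately, this commit deletes `patch-configure.ac`, which carried changes unrelated to OpenSSL 3 (`uname -p`, the 32-bit `*arm|*armv?` and `*powerpc` cases, `*arm64`). Whether the fetched upstream commit covers those is not visible here, so a build check on a non-amd64 architecture is worth doing before relying on it.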
diff --git a/security/libpki/distinfo b/security/libpki/distinfo
index a345f02fc034..d89d00d30956 100644
--- a/security/libpki/distinfo
+++ b/security/libpki/distinfo
@@ -1,5 +1,7 @@
-TIMESTAMP = 1687900936
+TIMESTAMP = 1708348718
SHA256 (openca-libpki-v0.9.2_GH0.tar.gz) = 4352a77457579a498837e33fbc0092f67a1c5d93eee6eb73bc889ad8b8f747fb
SIZE (openca-libpki-v0.9.2_GH0.tar.gz) = 1184928
SHA256 (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 05818f983047b399958f523e79de001d995947ec92366dca2c9f7aac52fed7c7
SIZE (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 1251
+SHA256 (9c4865ad476a75c34d89e0bd663c280f544590c0.patch) = bbc836316c30c8d3488ef63688bc94cfd6219a9ea265b3003663cc10d15d488d
+SIZE (9c4865ad476a75c34d89e0bd663c280f544590c0.patch) = 15103
diff --git a/security/libpki/files/patch-acinclude.m4 b/security/libpki/files/patch-acinclude.m4
deleted file mode 100644
index fcb98b4cf827..000000000000
--- a/security/libpki/files/patch-acinclude.m4
+++ /dev/null
@@ -1,16 +0,0 @@
---- acinclude.m4.orig 2023-06-27 08:58:28.460201000 +0200
-+++ acinclude.m4 2023-06-27 13:17:52.671338000 +0200
-@@ -116,7 +116,12 @@
-
- AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]);
- ver=`grep "^ *# *define *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
-- detected_v=`echo $((ver))`
-+ if [[ "x$ver" == "x" ]] ; then
-+ pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
-+ bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes" | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
-+ ver="$bver$pver"
-+ fi
-+ detected_v=`echo $((ver))`
- required_v=`echo $(($_version))`
-
- dnl ver=`grep "^ *# *define *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`;
diff --git a/security/libpki/files/patch-configure.ac b/security/libpki/files/patch-configure.ac
deleted file mode 100644
index 3950cc7afc45..000000000000
--- a/security/libpki/files/patch-configure.ac
+++ /dev/null
@@ -1,34 +0,0 @@
---- configure.ac.orig 2023-02-21 00:50:13.111304000 +0100
-+++ configure.ac 2023-02-21 00:56:17.195099000 +0100
-@@ -23,7 +23,7 @@
- mybits_install=""
- is_sparc="no"
- is_aix="no"
--my_arch=`uname -m`
-+my_arch=`uname -p`
-
- case "$my_arch" in
- *i686)
-@@ -40,7 +40,13 @@
- mybits="64"
- mybits_install="64"
- ;;
-- *aarch64)
-+ *arm|*armv?)
-+ mybits="32"
-+ ;;
-+ *powerpc)
-+ mybits="32"
-+ ;;
-+ *aarch64|*arm64)
- mybits="64"
- mybits_install="64"
- ;;
-@@ -57,7 +63,6 @@
- *powerpc*)
- mybits="64"
- mybits_install="64"
-- is_aix="yes"
- ;;
- *)
- AC_MSG_ERROR([Not supported arch ($my_arch)])
diff --git a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
deleted file mode 100644
index 4770da3e5ad4..000000000000
--- a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- src/drivers/engine/engine_hsm.c.orig 2023-06-27 08:58:28.477634000 +0200
-+++ src/drivers/engine/engine_hsm.c 2023-06-27 13:17:52.663862000 +0200
-@@ -204,7 +204,9 @@
- char *engine_id = NULL;
-
- ENGINE_load_builtin_engines();
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
- ERR_load_ENGINE_strings();
-+#endif
-
- hsm = (HSM *) PKI_Malloc ( sizeof( HSM ));
- memcpy( hsm, &engine_hsm, sizeof( HSM ));
diff --git a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
deleted file mode 100644
index 309bad12d747..000000000000
--- a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
+++ /dev/null
@@ -1,59 +0,0 @@
---- src/drivers/openssl/openssl_hsm_pkey.c.orig 2023-06-27 08:58:28.478388000 +0200
-+++ src/drivers/openssl/openssl_hsm_pkey.c 2023-06-27 13:17:52.668464000 +0200
-@@ -443,8 +443,11 @@
- } break;
- #ifdef ENABLE_ECDSA
- case EVP_PKEY_EC: {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
- ret = PEM_write_bio_ECPrivateKey(bp,
-+ EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
-+ ret = PEM_write_bio_ECPrivateKey(bp,
- x->pkey.ec, enc, (unsigned char *) kstr, klen, cb, u);
- # else
- ret = PEM_write_bio_ECPrivateKey(bp,
-@@ -480,7 +483,9 @@
-
- case EVP_PKEY_RSA: {
- RSA *rsa = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if (((rsa = EVP_PKEY_get1_RSA(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if (((rsa = EVP_PKEY_get0_RSA(kVal)) == NULL) ||
- #else
- if (((rsa = (RSA *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -492,7 +497,9 @@
-
- case EVP_PKEY_DH: {
- DH *dh = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if ( ((dh = EVP_PKEY_get1_DH(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if ( ((dh = EVP_PKEY_get0_DH(kVal)) == NULL) ||
- #else
- if ( ((dh = (DH *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -505,7 +512,9 @@
- #ifdef ENABLE_ECDSA
- case EVP_PKEY_EC: {
- EC_KEY * ec = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if (((ec = EVP_PKEY_get1_EC_KEY(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if (((ec = EVP_PKEY_get0_EC_KEY(kVal)) == NULL) ||
- #else
- if (((ec = (EC_KEY *)EVP_PKEY_get0(kVal)) == NULL) ||
-@@ -519,7 +528,9 @@
- #ifdef ENABLE_DSA
- case EVP_PKEY_DSA: {
- DSA *dsa = NULL;
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ if ( ((dsa = EVP_PKEY_get1_DSA(kVal)) == NULL) ||
-+#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
- if ( ((dsa = EVP_PKEY_get0_DSA(kVal)) == NULL) ||
- #else
- if ( ((dsa = (DSA *)EVP_PKEY_get0(kVal)) == NULL) ||
diff --git a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
deleted file mode 100644
index fe215c4e57d1..000000000000
--- a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
+++ /dev/null
@@ -1,53 +0,0 @@
---- src/libpki/prqp/prqp_asn1.h.orig 2023-06-27 08:58:28.483798000 +0200
-+++ src/libpki/prqp/prqp_asn1.h 2023-06-27 13:17:52.673161000 +0200
-@@ -73,8 +73,13 @@
- // DECLARE_ASN1_SET_OF(CERT_IDENTIFIER)
-
- DECLARE_ASN1_FUNCTIONS(CERT_IDENTIFIER)
--CERT_IDENTIFIER *CERT_IDENTIFIER_dup( CERT_IDENTIFIER *cid );
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( const CERT_IDENTIFIER *cid );
-+#else
-+CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( CERT_IDENTIFIER *cid );
-+#endif
-+
- /* ResourceIdentifier ::= SEQUENCE {
- * resourceId OBJECT IDENTIFIER,
- * version [0] INTEGER OPTIONAL }
-@@ -128,7 +133,11 @@
-
- DECLARE_ASN1_FUNCTIONS(PKI_PRQP_REQ)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( const PKI_PRQP_REQ *x );
-+#else
- PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( PKI_PRQP_REQ *x );
-+#endif
-
- /* PKIStatus ::= INTEGER {
- * ok {0},
-@@ -207,7 +216,11 @@
- DECLARE_ASN1_FUNCTIONS(RESOURCE_RESPONSE_TOKEN)
- DECLARE_STACK_OF(RESOURCE_RESPONSE_TOKEN)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( const RESOURCE_RESPONSE_TOKEN * p );
-+#else
- RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( RESOURCE_RESPONSE_TOKEN * p );
-+#endif
-
- /* TBSRespData ::= {
- * version INTEGER { v(1) },
-@@ -239,7 +252,11 @@
-
- DECLARE_ASN1_FUNCTIONS(PKI_PRQP_RESP)
-
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( const PKI_PRQP_RESP *x );
-+#else
- PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( PKI_PRQP_RESP *x );
-+#endif
-
- /* Crypto Functionality */
- /*
diff --git a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
deleted file mode 100644
index e0b2dd89bf74..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/openssl/pki_ocsp_resp.c.orig 2023-06-27 08:58:28.486438000 +0200
-+++ src/openssl/pki_ocsp_resp.c 2023-06-27 13:17:52.661387000 +0200
-@@ -701,7 +701,10 @@
- PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL );
- break;
- }
--#if OPENSSL_VERSION_NUMBER > 0x1010000fL
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
-+ &(mem->data), (ASN1_ITEM *) OCSP_RESPDATA_it );
-+#elif OPENSSL_VERSION_NUMBER > 0x1010000fL
- mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
- &(mem->data), &OCSP_RESPDATA_it );
- #else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_cert.c b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
deleted file mode 100644
index 0052f92b89fa..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_x509_cert.c
+++ /dev/null
@@ -1,26 +0,0 @@
---- src/openssl/pki_x509_cert.c.orig 2023-06-27 08:58:28.486733000 +0200
-+++ src/openssl/pki_x509_cert.c 2023-06-27 13:17:52.669080000 +0200
-@@ -433,7 +433,10 @@
- case PKI_SCHEME_ECDSA:
- if ( (int) kParams->ec.form > 0 )
- {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
-+ (point_conversion_form_t) kParams->ec.form);
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
- EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
- (point_conversion_form_t) kParams->ec.form);
- # else
-@@ -443,7 +446,10 @@
- }
- if ( kParams->ec.asn1flags > -1 )
- {
--# if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_asn1_flag(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
-+ kParams->ec.asn1flags );
-+# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
- EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
- kParams->ec.asn1flags );
- # else
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_req.c b/security/libpki/files/patch-src-openssl-pki_x509_req.c
deleted file mode 100644
index 7cac927752bd..000000000000
--- a/security/libpki/files/patch-src-openssl-pki_x509_req.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/openssl/pki_x509_req.c.orig 2023-06-27 08:58:28.487713000 +0200
-+++ src/openssl/pki_x509_req.c 2023-06-27 13:17:52.669477000 +0200
-@@ -166,7 +166,10 @@
- #ifdef ENABLE_ECDSA
- case PKI_SCHEME_ECDSA:
- if ( kParams->ec.form != PKI_EC_KEY_FORM_UNKNOWN ) {
--# if OPENSSL_VERSION_NUMBER > 0x1010000fL
-+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal),
-+ (point_conversion_form_t)kParams->ec.form);
-+# elif OPENSSL_VERSION_NUMBER > 0x1010000fL
- EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(kVal),
- (point_conversion_form_t)kParams->ec.form);
- # else
diff --git a/security/libpki/files/patch-src-pki_init.c b/security/libpki/files/patch-src-pki_init.c
deleted file mode 100644
index 117fb69acd93..000000000000
--- a/security/libpki/files/patch-src-pki_init.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- src/pki_init.c.orig 2023-06-27 08:58:28.488119000 +0200
-+++ src/pki_init.c 2023-06-27 13:17:52.664235000 +0200
-@@ -159,8 +159,10 @@
- OpenSSL_add_all_ciphers();
- OpenSSL_pthread_init();
-
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
- ERR_load_ERR_strings();
- ERR_load_crypto_strings();
-+#endif
-
- PRQP_init_all_services();
- PKI_X509_SCEP_init();
diff --git a/security/libpki/files/patch-src-pki_x509.c b/security/libpki/files/patch-src-pki_x509.c
deleted file mode 100644
index d9f25c82ee0b..000000000000
--- a/security/libpki/files/patch-src-pki_x509.c
+++ /dev/null
@@ -1,92 +0,0 @@
---- src/pki_x509.c.orig 2023-06-27 08:58:28.488591000 +0200
-+++ src/pki_x509.c 2023-06-27 13:17:52.661803000 +0200
-@@ -44,7 +44,11 @@
- switch (type) {
-
- case PKI_DATATYPE_X509_CERT : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_CINF_it;
-+#else
- it = &X509_CINF_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((LIBPKI_X509_CERT *)v)->cert_info);
- #else
-@@ -53,7 +57,11 @@
- } break;
-
- case PKI_DATATYPE_X509_CRL : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_CRL_INFO_it;
-+#else
- it = &X509_CRL_INFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_X509_CRL_VALUE *)v)->crl);
- #else
-@@ -62,7 +70,11 @@
- } break;
-
- case PKI_DATATYPE_X509_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) X509_REQ_INFO_it;
-+#else
- it = &X509_REQ_INFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((LIBPKI_X509_REQ *)v)->req_info);
- #else
-@@ -71,7 +83,11 @@
- } break;
-
- case PKI_DATATYPE_X509_OCSP_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) OCSP_REQINFO_it;
-+#else
- it = &OCSP_REQINFO_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_X509_OCSP_REQ_VALUE *)v)->tbsRequest);
- #else
-@@ -80,7 +96,11 @@
- } break;
-
- case PKI_DATATYPE_X509_OCSP_RESP : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) OCSP_RESPDATA_it;
-+#else
- it = &OCSP_RESPDATA_it;
-+#endif
- #if OPENSSL_VERSION_NUMBER > 0x1010000fL
- p = &(((PKI_OCSP_RESP *)v)->bs->tbsResponseData);
- #else
-@@ -89,17 +109,29 @@
- } break;
-
- case PKI_DATATYPE_X509_PRQP_REQ : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) PKI_PRQP_REQ_it;
-+#else
- it = &PKI_PRQP_REQ_it;
-+#endif
- p = ((PKI_X509_PRQP_REQ_VALUE *)v)->requestData;
- } break;
-
- case PKI_DATATYPE_X509_PRQP_RESP : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) PKI_PRQP_RESP_it;
-+#else
- it = &PKI_PRQP_RESP_it;
-+#endif
- p = ((PKI_X509_PRQP_RESP_VALUE *)v)->respData;
- } break;
-
- case PKI_DATATYPE_X509_CMS : {
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+ it = (ASN1_ITEM *) CMS_ContentInfo_it;
-+#else
- it = &CMS_ContentInfo_it;
-+#endif
- p = NULL;
- }
-