authorBruno Damour <bruno@ruomad.net>2023-08-07 14:15:13 +0000
committerMuhammad Moinur Rahman <bofh@FreeBSD.org>2023-08-07 15:24:45 +0000
commita07283aae1c15d460641ec311f4e5a3c6c122151 (patch)
treeae7a5da582f5a55f6e6c1e98e3d59146cda821e6
parentfcd080242c7afe764ec51279adf9da2ae80bfa16 (diff)
security/libpki: Fix build with openssl3
Fixes: - detection of the OpenSSL version (a bit hacky IMHO) - changes breaking compilation. Doesn't cover the replacement of obsoleted functions (especially the move from engines to providers), which is way above my paygrade. This patch has been submitted upstream as a PR (https://github.com/openca/libpki/pull/74). PR: 272280 Approved by: bruno@ruomad.net (submitter is maintainer)
-rw-r--r--security/libpki/Makefile7
-rw-r--r--security/libpki/distinfo2
-rw-r--r--security/libpki/files/patch-acinclude.m416
-rw-r--r--security/libpki/files/patch-src-drivers-engine-engine_hsm.c12
-rw-r--r--security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c59
-rw-r--r--security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h53
-rw-r--r--security/libpki/files/patch-src-openssl-pki_ocsp_resp.c14
-rw-r--r--security/libpki/files/patch-src-openssl-pki_x509_cert.c26
-rw-r--r--security/libpki/files/patch-src-openssl-pki_x509_req.c14
-rw-r--r--security/libpki/files/patch-src-pki_init.c13
-rw-r--r--security/libpki/files/patch-src-pki_x509.c92
11 files changed, 304 insertions, 4 deletions
diff --git a/security/libpki/Makefile b/security/libpki/Makefile
index a39ce22b650b..f131efdd1a52 100644
--- a/security/libpki/Makefile
+++ b/security/libpki/Makefile
@@ -1,7 +1,7 @@
PORTNAME= libpki
DISTVERSIONPREFIX= v
DISTVERSION= 0.9.2
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
PATCH_SITES= https://github.com/openca/libpki/commit/
@@ -15,13 +15,14 @@ LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/COPYING
USES= autoreconf gnome libtool ssl
-BROKEN_SSL= openssl30 openssl31
-BROKEN_SSL_REASON= Fails to detect OpenSSL 3.0 or later
USE_GITHUB= yes
GH_ACCOUNT= openca
+
USE_GNOME= libxml2
USE_LDCONFIG= yes
+PATCH_STRIP= -p0
+
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-dependency-tracking \
--disable-iphone
diff --git a/security/libpki/distinfo b/security/libpki/distinfo
index ff5dbd0e6577..a345f02fc034 100644
--- a/security/libpki/distinfo
+++ b/security/libpki/distinfo
@@ -1,4 +1,4 @@
-TIMESTAMP = 1657661150
+TIMESTAMP = 1687900936
SHA256 (openca-libpki-v0.9.2_GH0.tar.gz) = 4352a77457579a498837e33fbc0092f67a1c5d93eee6eb73bc889ad8b8f747fb
SIZE (openca-libpki-v0.9.2_GH0.tar.gz) = 1184928
SHA256 (d7617046e9da97473a140c02582fa571f6359ae3.patch) = 05818f983047b399958f523e79de001d995947ec92366dca2c9f7aac52fed7c7
diff --git a/security/libpki/files/patch-acinclude.m4 b/security/libpki/files/patch-acinclude.m4
new file mode 100644
index 000000000000..fcb98b4cf827
--- /dev/null
+++ b/security/libpki/files/patch-acinclude.m4
@@ -0,0 +1,16 @@
+--- acinclude.m4.orig 2023-06-27 08:58:28.460201000 +0200
++++ acinclude.m4 2023-06-27 13:17:52.671338000 +0200
+@@ -116,7 +116,12 @@
+
+ AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]);
+ ver=`grep "^ *# *define *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
+- detected_v=`echo $((ver))`
++ if [[ "x$ver" == "x" ]] ; then
++ pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
++ bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes" | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
++ ver="$bver$pver"
++ fi
++ detected_v=`echo $((ver))`
+ required_v=`echo $(($_version))`
+
+ dnl ver=`grep "^ *# *define *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`;
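Review bot: The fallback branch builds `ver` from `OPENSSL_VERSION_STR` with `printf "0x%1x%02X%02X"` and then appends `0L` or `fL`, which for a three-part version string gives six hex digits, not the eight-digit `0xMNN00PPS` layout that the `0x30000000L` comparisons in the C patches assume. The value also reaches `$((ver))` with its trailing `L`, which the first branch appears to strip in its last `sed`; whether the shell's arithmetic accepts that suffix cannot be seen from here. It is worth checking what `detected_v` evaluates to against an OpenSSL 3 header, and padding the format, for example `printf "0x%1x%02X00%02X"` with a suffix of `0` or `f` only. The test is also written as `[[ "x$ver" == "x" ]]` in an m4 file, where square brackets are quote characters; `if test "x$ver" = "x"; then` is the portable form. The enclosing macro starts and ends outside the hunk.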
diff --git a/security/libpki/files/patch-src-drivers-engine-engine_hsm.c b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
new file mode 100644
index 000000000000..4770da3e5ad4
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-engine-engine_hsm.c
@@ -0,0 +1,12 @@
+--- src/drivers/engine/engine_hsm.c.orig 2023-06-27 08:58:28.477634000 +0200
++++ src/drivers/engine/engine_hsm.c 2023-06-27 13:17:52.663862000 +0200
+@@ -204,7 +204,9 @@
+ char *engine_id = NULL;
+
+ ENGINE_load_builtin_engines();
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ENGINE_strings();
++#endif
+
+ hsm = (HSM *) PKI_Malloc ( sizeof( HSM ));
+ memcpy( hsm, &engine_hsm, sizeof( HSM ));
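Review bot: The added guard `#if OPENSSL_VERSION_NUMBER < 0x30000000` is spelled without the `L` suffix, while the other version checks introduced by this commit use `0x30000000L`; `#if OPENSSL_VERSION_NUMBER < 0x30000000L` keeps them uniform and easy to grep when the engine code is later migrated. The same spelling is used in patch-src-pki_init.c. A one-line comment above the guard saying why `ERR_load_ENGINE_strings()` is skipped on 3.x would help the next maintainer. The enclosing function starts and ends outside the hunk.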
diff --git a/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
new file mode 100644
index 000000000000..309bad12d747
--- /dev/null
+++ b/security/libpki/files/patch-src-drivers-openssl-openssl_hsm_pkey.c
@@ -0,0 +1,59 @@
+--- src/drivers/openssl/openssl_hsm_pkey.c.orig 2023-06-27 08:58:28.478388000 +0200
++++ src/drivers/openssl/openssl_hsm_pkey.c 2023-06-27 13:17:52.668464000 +0200
+@@ -443,8 +443,11 @@
+ } break;
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ ret = PEM_write_bio_ECPrivateKey(bp,
++ EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
++ ret = PEM_write_bio_ECPrivateKey(bp,
+ x->pkey.ec, enc, (unsigned char *) kstr, klen, cb, u);
+ # else
+ ret = PEM_write_bio_ECPrivateKey(bp,
+@@ -480,7 +483,9 @@
+
+ case EVP_PKEY_RSA: {
+ RSA *rsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((rsa = EVP_PKEY_get1_RSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((rsa = EVP_PKEY_get0_RSA(kVal)) == NULL) ||
+ #else
+ if (((rsa = (RSA *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -492,7 +497,9 @@
+
+ case EVP_PKEY_DH: {
+ DH *dh = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dh = EVP_PKEY_get1_DH(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dh = EVP_PKEY_get0_DH(kVal)) == NULL) ||
+ #else
+ if ( ((dh = (DH *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -505,7 +512,9 @@
+ #ifdef ENABLE_ECDSA
+ case EVP_PKEY_EC: {
+ EC_KEY * ec = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (((ec = EVP_PKEY_get1_EC_KEY(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if (((ec = EVP_PKEY_get0_EC_KEY(kVal)) == NULL) ||
+ #else
+ if (((ec = (EC_KEY *)EVP_PKEY_get0(kVal)) == NULL) ||
+@@ -519,7 +528,9 @@
+ #ifdef ENABLE_DSA
+ case EVP_PKEY_DSA: {
+ DSA *dsa = NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ( ((dsa = EVP_PKEY_get1_DSA(kVal)) == NULL) ||
++#elif OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ if ( ((dsa = EVP_PKEY_get0_DSA(kVal)) == NULL) ||
+ #else
+ if ( ((dsa = (DSA *)EVP_PKEY_get0(kVal)) == NULL) ||
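Review bot: The OpenSSL 3 branches replace `EVP_PKEY_get0_*` with `EVP_PKEY_get1_*`, which return a new reference that the caller must release, and no matching `RSA_free`/`DH_free`/`EC_KEY_free`/`DSA_free` is visible in these hunks. In the `PEM_write_bio_ECPrivateKey` call the result of `EVP_PKEY_get1_EC_KEY(x)` is passed straight through, so that reference can never be freed and a NULL return is not checked; a private key object that is never released stays in memory for the life of the process. Suggested there: `EC_KEY *ec = EVP_PKEY_get1_EC_KEY(x);`, then `ret = ec ? PEM_write_bio_ECPrivateKey(bp, ec, enc, (unsigned char *) kstr, klen, cb, u) : 0;` and `EC_KEY_free(ec);`. The same unstored `get1` call appears in patch-src-openssl-pki_x509_cert.c and patch-src-openssl-pki_x509_req.c. For the `rsa`/`dh`/`ec`/`dsa` cases the code after the condition lies outside the hunk, so whether a free follows cannot be confirmed from here.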
diff --git a/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
new file mode 100644
index 000000000000..fe215c4e57d1
--- /dev/null
+++ b/security/libpki/files/patch-src-libpki-prqp-prqp_asn1.h
@@ -0,0 +1,53 @@
+--- src/libpki/prqp/prqp_asn1.h.orig 2023-06-27 08:58:28.483798000 +0200
++++ src/libpki/prqp/prqp_asn1.h 2023-06-27 13:17:52.673161000 +0200
+@@ -73,8 +73,13 @@
+ // DECLARE_ASN1_SET_OF(CERT_IDENTIFIER)
+
+ DECLARE_ASN1_FUNCTIONS(CERT_IDENTIFIER)
+-CERT_IDENTIFIER *CERT_IDENTIFIER_dup( CERT_IDENTIFIER *cid );
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( const CERT_IDENTIFIER *cid );
++#else
++CERT_IDENTIFIER *CERT_IDENTIFIER_dup ( CERT_IDENTIFIER *cid );
++#endif
++
+ /* ResourceIdentifier ::= SEQUENCE {
+ * resourceId OBJECT IDENTIFIER,
+ * version [0] INTEGER OPTIONAL }
+@@ -128,7 +133,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_REQ)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( const PKI_PRQP_REQ *x );
++#else
+ PKI_PRQP_REQ * PKI_PRQP_REQ_dup ( PKI_PRQP_REQ *x );
++#endif
+
+ /* PKIStatus ::= INTEGER {
+ * ok {0},
+@@ -207,7 +216,11 @@
+ DECLARE_ASN1_FUNCTIONS(RESOURCE_RESPONSE_TOKEN)
+ DECLARE_STACK_OF(RESOURCE_RESPONSE_TOKEN)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( const RESOURCE_RESPONSE_TOKEN * p );
++#else
+ RESOURCE_RESPONSE_TOKEN * RESOURCE_RESPONSE_TOKEN_dup ( RESOURCE_RESPONSE_TOKEN * p );
++#endif
+
+ /* TBSRespData ::= {
+ * version INTEGER { v(1) },
+@@ -239,7 +252,11 @@
+
+ DECLARE_ASN1_FUNCTIONS(PKI_PRQP_RESP)
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( const PKI_PRQP_RESP *x );
++#else
+ PKI_PRQP_RESP * PKI_PRQP_RESP_dup ( PKI_PRQP_RESP *x );
++#endif
+
+ /* Crypto Functionality */
+ /*
diff --git a/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
new file mode 100644
index 000000000000..e0b2dd89bf74
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_ocsp_resp.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_ocsp_resp.c.orig 2023-06-27 08:58:28.486438000 +0200
++++ src/openssl/pki_ocsp_resp.c 2023-06-27 13:17:52.661387000 +0200
+@@ -701,7 +701,10 @@
+ PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL );
+ break;
+ }
+-#if OPENSSL_VERSION_NUMBER > 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
++ &(mem->data), (ASN1_ITEM *) OCSP_RESPDATA_it );
++#elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ mem->size = (size_t)ASN1_item_i2d((void *)&(tmp_x->tbsResponseData),
+ &(mem->data), &OCSP_RESPDATA_it );
+ #else
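Review bot: `(ASN1_ITEM *) OCSP_RESPDATA_it` casts the symbol itself instead of calling it. In OpenSSL 3 the `*_it` items are declared as functions returning `const ASN1_ITEM *`, so the cast would hand `ASN1_item_i2d` the address of a function as if it were the template, and it also drops `const`. `ASN1_ITEM_rptr(OCSP_RESPDATA)` yields the item pointer in both the function and the variable form, so the argument line could read `&(mem->data), ASN1_ITEM_rptr(OCSP_RESPDATA) );` and the extra 3.0 branch may not be needed. The same cast is added eight times in patch-src-pki_x509.c (`X509_CINF_it` through `CMS_ContentInfo_it`), where `it = ASN1_ITEM_rptr(X509_CINF);` and its siblings would apply if the type of `it` allows it. The enclosing function starts and ends outside the hunk.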
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_cert.c b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
new file mode 100644
index 000000000000..0052f92b89fa
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_cert.c
@@ -0,0 +1,26 @@
+--- src/openssl/pki_x509_cert.c.orig 2023-06-27 08:58:28.486733000 +0200
++++ src/openssl/pki_x509_cert.c 2023-06-27 13:17:52.669080000 +0200
+@@ -433,7 +433,10 @@
+ case PKI_SCHEME_ECDSA:
+ if ( (int) kParams->ec.form > 0 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ (point_conversion_form_t) kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
+ (point_conversion_form_t) kParams->ec.form);
+ # else
+@@ -443,7 +446,10 @@
+ }
+ if ( kParams->ec.asn1flags > -1 )
+ {
+-# if OPENSSL_VERSION_NUMBER < 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_asn1_flag(EVP_PKEY_get1_EC_KEY(certPubKeyVal),
++ kParams->ec.asn1flags );
++# elif OPENSSL_VERSION_NUMBER < 0x1010000fL
+ EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
+ kParams->ec.asn1flags );
+ # else
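Review bot: `EC_KEY_set_conv_form` and `EC_KEY_set_asn1_flag` now act on the object returned by `EVP_PKEY_get1_EC_KEY(certPubKeyVal)`, and on OpenSSL 3 that object may be a cached legacy copy of a provider-held key, so the setting may not reach the key that is encoded into the certificate. It is worth confirming with a test that the requested point form and ASN.1 flag show up in the output. A comment such as `/* OpenSSL 3: setters act on the legacy EC_KEY view; verify they propagate to the EVP_PKEY */` would record the open question. patch-src-openssl-pki_x509_req.c makes the same call, and the enclosing function starts and ends outside the hunk.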
diff --git a/security/libpki/files/patch-src-openssl-pki_x509_req.c b/security/libpki/files/patch-src-openssl-pki_x509_req.c
new file mode 100644
index 000000000000..7cac927752bd
--- /dev/null
+++ b/security/libpki/files/patch-src-openssl-pki_x509_req.c
@@ -0,0 +1,14 @@
+--- src/openssl/pki_x509_req.c.orig 2023-06-27 08:58:28.487713000 +0200
++++ src/openssl/pki_x509_req.c 2023-06-27 13:17:52.669477000 +0200
+@@ -166,7 +166,10 @@
+ #ifdef ENABLE_ECDSA
+ case PKI_SCHEME_ECDSA:
+ if ( kParams->ec.form != PKI_EC_KEY_FORM_UNKNOWN ) {
+-# if OPENSSL_VERSION_NUMBER > 0x1010000fL
++# if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EC_KEY_set_conv_form(EVP_PKEY_get1_EC_KEY(kVal),
++ (point_conversion_form_t)kParams->ec.form);
++# elif OPENSSL_VERSION_NUMBER > 0x1010000fL
+ EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(kVal),
+ (point_conversion_form_t)kParams->ec.form);
+ # else
diff --git a/security/libpki/files/patch-src-pki_init.c b/security/libpki/files/patch-src-pki_init.c
new file mode 100644
index 000000000000..117fb69acd93
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_init.c
@@ -0,0 +1,13 @@
+--- src/pki_init.c.orig 2023-06-27 08:58:28.488119000 +0200
++++ src/pki_init.c 2023-06-27 13:17:52.664235000 +0200
+@@ -159,8 +159,10 @@
+ OpenSSL_add_all_ciphers();
+ OpenSSL_pthread_init();
+
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+ ERR_load_ERR_strings();
+ ERR_load_crypto_strings();
++#endif
+
+ PRQP_init_all_services();
+ PKI_X509_SCEP_init();
diff --git a/security/libpki/files/patch-src-pki_x509.c b/security/libpki/files/patch-src-pki_x509.c
new file mode 100644
index 000000000000..d9f25c82ee0b
--- /dev/null
+++ b/security/libpki/files/patch-src-pki_x509.c
@@ -0,0 +1,92 @@
+--- src/pki_x509.c.orig 2023-06-27 08:58:28.488591000 +0200
++++ src/pki_x509.c 2023-06-27 13:17:52.661803000 +0200
+@@ -44,7 +44,11 @@
+ switch (type) {
+
+ case PKI_DATATYPE_X509_CERT : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CINF_it;
++#else
+ it = &X509_CINF_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_CERT *)v)->cert_info);
+ #else
+@@ -53,7 +57,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_CRL : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_CRL_INFO_it;
++#else
+ it = &X509_CRL_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_CRL_VALUE *)v)->crl);
+ #else
+@@ -62,7 +70,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) X509_REQ_INFO_it;
++#else
+ it = &X509_REQ_INFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((LIBPKI_X509_REQ *)v)->req_info);
+ #else
+@@ -71,7 +83,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_REQINFO_it;
++#else
+ it = &OCSP_REQINFO_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_X509_OCSP_REQ_VALUE *)v)->tbsRequest);
+ #else
+@@ -80,7 +96,11 @@
+ } break;
+
+ case PKI_DATATYPE_X509_OCSP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) OCSP_RESPDATA_it;
++#else
+ it = &OCSP_RESPDATA_it;
++#endif
+ #if OPENSSL_VERSION_NUMBER > 0x1010000fL
+ p = &(((PKI_OCSP_RESP *)v)->bs->tbsResponseData);
+ #else
+@@ -89,17 +109,29 @@
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_REQ : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_REQ_it;
++#else
+ it = &PKI_PRQP_REQ_it;
++#endif
+ p = ((PKI_X509_PRQP_REQ_VALUE *)v)->requestData;
+ } break;
+
+ case PKI_DATATYPE_X509_PRQP_RESP : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) PKI_PRQP_RESP_it;
++#else
+ it = &PKI_PRQP_RESP_it;
++#endif
+ p = ((PKI_X509_PRQP_RESP_VALUE *)v)->respData;
+ } break;
+
+ case PKI_DATATYPE_X509_CMS : {
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ it = (ASN1_ITEM *) CMS_ContentInfo_it;
++#else
+ it = &CMS_ContentInfo_it;
++#endif
+ p = NULL;
+ }
+