Replace OpenSSL 1.1.0 with upstream ones

The patches from bug 228902 and added in r481850 are not entirely compatible
with older OpenSSL versions, to the point that the qca-ossl plugin refuses to
load at all on FreeBSD 11.2, for example (see bug 232784 and its duplicates).

Fix it by replacing our patches with backports from upstream the same way
OpenSUSE does it (the OpenSSL 1.1.0 upstream patch was authored by SUSE):

* Revert an upstream commit made only to the 2.1 branch disabling a few ciphers
  in the unit tests.
* Backport a change to the master branch that never made it to the 2.1 branch
  disabling the ciphers mentioned above as well as a few other ones, so that we
  can backport the actual change adding support for OpenSSL 1.1.0 more cleanly.
* Backport the actual OpenSSL 1.1.0 support commit, with a few conflicts
  resolved due to the lack of a commit adding support for AES GCM and AES CCM in
  the 2.1 branch. The patch was actually obtained from OpenSUSE's repositories,
  since they had to resolve the same conflict as well.

The port built fine on 11.2-i386, an old 12-CURRENT snapshot on amd64 as well
as 13-CURRENT on amd64, and all unit tests are passing except for some PGP ones
that are unrelated. With the patches we have in the tree, a lot of unit tests
failed on 11.2 due to the qca-ossl plugin failing to load.

PR:		228902
PR:		232784
Reviewed by:	tcberner
Differential Revision:	https://reviews.freebsd.org/D19347
Raphael Kubo da Costa 2019-02-27 19:22:15 +00:00
parent e79925a0a7
commit 5f0a11c80b
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=494079
6 changed files with 610 additions and 698 deletions

@ -3,7 +3,7 @@
PORTNAME= qca
PORTVERSION= 2.1.3
PORTREVISION= 5
PORTREVISION= 6
CATEGORIES= devel
MASTER_SITES= KDE/stable/qca/${PORTVERSION}/src
PKGNAMESUFFIX= -${FLAVOR}
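Review bot: the PORTREVISION bump from 5 to 6 is warranted here, since swapping the patch set changes the installed qca-ossl plugin binary, and because the port is flavored (PKGNAMESUFFIX= -${FLAVOR}) the single bump rebuilds every flavor's package; nothing else to flag in this hunk.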

@ -0,0 +1,44 @@
Revert a change to the 2.1 branch that conflicts with a more extensive one from
the master branch (159e144abf, "Disable missed openssl cipher suites"). That
one is more extensive and is necessary for a clean backport of the upstream
change adding support for OpenSSL 1.1.0.
---
From ecec3886ac73a5cfc8eb1f5929171afb89b204c3 Mon Sep 17 00:00:00 2001
From: Raphael Kubo da Costa <rakuco@FreeBSD.org>
Date: Mon, 25 Feb 2019 13:31:51 +0100
Subject: [PATCH 1/2] Revert "tlsunittest: disable some ciphers"
This reverts commit 89800d4341a3346cee53bc28e18d9a3972e33378.
---
unittest/tls/tlsunittest.cpp | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/unittest/tls/tlsunittest.cpp b/unittest/tls/tlsunittest.cpp
index fb8fa10..74c0b18 100644
--- unittest/tls/tlsunittest.cpp
+++ unittest/tls/tlsunittest.cpp
@@ -69,9 +69,7 @@ void TLSUnitTest::testCipherList()
QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("TLS_RSA_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_SHA") );
-
- // Fedora 22 has no TLS_RSA_WITH_RC4_128_MD5
- // QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_MD5") );
+ QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_MD5") );
// Fedora 20 openssl has no this cipher suites.
// I just believe that F20 has the most strict patent rules
@@ -98,9 +96,7 @@ void TLSUnitTest::testCipherList()
QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_SHA") );
-
- // Fedora 22 has no SSL_RSA_WITH_RC4_128_MD5
- // QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_MD5") );
+ QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_MD5") );
// QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_DES_CBC_SHA") );
// QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_DES_CBC_SHA") );
--
2.20.1
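Review bot: this revert restores unconditional QVERIFY checks on TLS_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_MD5, the suites the removed comments say are absent on some OpenSSL builds, so the unit test would fail on such builds unless the companion [PATCH 2/2] is applied afterwards; the ports framework applies files/patch-* in sorted filename order, so the two new patch files must be named so that this one sorts first (the file names are not visible on this page, so please double-check). The `--- unittest/tls/tlsunittest.cpp` / `+++ unittest/tls/tlsunittest.cpp` headers carry no a/ b/ prefix, which matches the framework's default -p0 strip level.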

@ -0,0 +1,47 @@
This change is part of the master branch but was never integrated into the 2.1
branch, which only has a similar but less extensive commit mentioning Fedora 22.
This backport is necessary for a clean cherry-pick of the change adding support
for OpenSSL 1.1.0 upstream.
---
From 802180b9611e816b12b58c279824106514941d53 Mon Sep 17 00:00:00 2001
From: Ivan Romanov <drizt@land.ru>
Date: Sat, 30 Sep 2017 15:45:59 +0500
Subject: [PATCH 2/2] Disable missed openssl cipher suites
Fedora 26 has no them.
---
unittest/tls/tlsunittest.cpp | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/unittest/tls/tlsunittest.cpp b/unittest/tls/tlsunittest.cpp
index 74c0b18..38caf2d 100644
--- unittest/tls/tlsunittest.cpp
+++ unittest/tls/tlsunittest.cpp
@@ -68,8 +68,12 @@ void TLSUnitTest::testCipherList()
QVERIFY( cipherList.contains("TLS_DHE_RSA_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("TLS_RSA_WITH_AES_128_CBC_SHA") );
- QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_SHA") );
- QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_MD5") );
+
+ // Fedora 26 openssl has no this cipher suites.
+ // QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_SHA") );
+ // QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_MD5") );
+ // QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_SHA") );
+ // QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_MD5") );
// Fedora 20 openssl has no this cipher suites.
// I just believe that F20 has the most strict patent rules
@@ -95,8 +99,6 @@ void TLSUnitTest::testCipherList()
QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_128_CBC_SHA") );
QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_128_CBC_SHA") );
- QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_SHA") );
- QVERIFY( cipherList.contains("SSL_RSA_WITH_RC4_128_MD5") );
// QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_DES_CBC_SHA") );
// QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_DES_CBC_SHA") );
--
2.20.1
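Review bot: commenting out the four RC4 QVERIFY lines in the first inner hunk drops the assertion entirely instead of making it conditional, so the test no longer says anything about RC4 suites on builds that still ship them; a guard on OPENSSL_NO_RC4, or a negative check that the RC4 suites are absent, would keep the test meaningful on both kinds of build. In the second inner hunk (-95,8 +99,6) the two SSL_RSA_WITH_RC4_128_* checks are removed outright while their commented-out twins are placed under the "Fedora 26" comment in the TLS block above, which reads oddly next to the commented SSL_DHE_* lines that stay in the SSL block. Both points are against upstream's commit rather than this port change, so keeping the backport byte-identical for a clean cherry-pick is acceptable as long as they are raised upstream.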

@ -1,414 +0,0 @@
--- plugins/qca-ossl/libcrypto-compat.c.orig 2018-10-07 18:32:46 UTC
+++ plugins/qca-ossl/libcrypto-compat.c
@@ -0,0 +1,411 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+#include <string.h>
+#include <openssl/engine.h>
+
+static void *OPENSSL_zalloc(size_t num)
+{
+ void *ret = OPENSSL_malloc(num);
+
+ if (ret != NULL)
+ memset(ret, 0, num);
+ return ret;
+}
+
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+ /* If the fields n and e in r are NULL, the corresponding input
+ * parameters MUST be non-NULL for n and e. d may be
+ * left NULL (in case only the public key is used).
+ */
+ if ((r->n == NULL && n == NULL)
+ || (r->e == NULL && e == NULL))
+ return 0;
+
+ if (n != NULL) {
+ BN_free(r->n);
+ r->n = n;
+ }
+ if (e != NULL) {
+ BN_free(r->e);
+ r->e = e;
+ }
+ if (d != NULL) {
+ BN_free(r->d);
+ r->d = d;
+ }
+
+ return 1;
+}
+
+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
+{
+ /* If the fields p and q in r are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((r->p == NULL && p == NULL)
+ || (r->q == NULL && q == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(r->p);
+ r->p = p;
+ }
+ if (q != NULL) {
+ BN_free(r->q);
+ r->q = q;
+ }
+
+ return 1;
+}
+
+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
+{
+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((r->dmp1 == NULL && dmp1 == NULL)
+ || (r->dmq1 == NULL && dmq1 == NULL)
+ || (r->iqmp == NULL && iqmp == NULL))
+ return 0;
+
+ if (dmp1 != NULL) {
+ BN_free(r->dmp1);
+ r->dmp1 = dmp1;
+ }
+ if (dmq1 != NULL) {
+ BN_free(r->dmq1);
+ r->dmq1 = dmq1;
+ }
+ if (iqmp != NULL) {
+ BN_free(r->iqmp);
+ r->iqmp = iqmp;
+ }
+
+ return 1;
+}
+
+void RSA_get0_key(const RSA *r,
+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = r->n;
+ if (e != NULL)
+ *e = r->e;
+ if (d != NULL)
+ *d = r->d;
+}
+
+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
+{
+ if (p != NULL)
+ *p = r->p;
+ if (q != NULL)
+ *q = r->q;
+}
+
+void RSA_get0_crt_params(const RSA *r,
+ const BIGNUM **dmp1, const BIGNUM **dmq1,
+ const BIGNUM **iqmp)
+{
+ if (dmp1 != NULL)
+ *dmp1 = r->dmp1;
+ if (dmq1 != NULL)
+ *dmq1 = r->dmq1;
+ if (iqmp != NULL)
+ *iqmp = r->iqmp;
+}
+
+void DSA_get0_pqg(const DSA *d,
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = d->p;
+ if (q != NULL)
+ *q = d->q;
+ if (g != NULL)
+ *g = d->g;
+}
+
+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p, q and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL.
+ */
+ if ((d->p == NULL && p == NULL)
+ || (d->q == NULL && q == NULL)
+ || (d->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(d->p);
+ d->p = p;
+ }
+ if (q != NULL) {
+ BN_free(d->q);
+ d->q = q;
+ }
+ if (g != NULL) {
+ BN_free(d->g);
+ d->g = g;
+ }
+
+ return 1;
+}
+
+void DSA_get0_key(const DSA *d,
+ const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = d->pub_key;
+ if (priv_key != NULL)
+ *priv_key = d->priv_key;
+}
+
+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+ /* If the field pub_key in d is NULL, the corresponding input
+ * parameters MUST be non-NULL. The priv_key field may
+ * be left NULL.
+ */
+ if (d->pub_key == NULL && pub_key == NULL)
+ return 0;
+
+ if (pub_key != NULL) {
+ BN_free(d->pub_key);
+ d->pub_key = pub_key;
+ }
+ if (priv_key != NULL) {
+ BN_free(d->priv_key);
+ d->priv_key = priv_key;
+ }
+
+ return 1;
+}
+
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+{
+ if (pr != NULL)
+ *pr = sig->r;
+ if (ps != NULL)
+ *ps = sig->s;
+}
+
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+ if (r == NULL || s == NULL)
+ return 0;
+ BN_clear_free(sig->r);
+ BN_clear_free(sig->s);
+ sig->r = r;
+ sig->s = s;
+ return 1;
+}
+
+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+{
+ if (pr != NULL)
+ *pr = sig->r;
+ if (ps != NULL)
+ *ps = sig->s;
+}
+
+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+ if (r == NULL || s == NULL)
+ return 0;
+ BN_clear_free(sig->r);
+ BN_clear_free(sig->s);
+ sig->r = r;
+ sig->s = s;
+ return 1;
+}
+
+void DH_get0_pqg(const DH *dh,
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = dh->p;
+ if (q != NULL)
+ *q = dh->q;
+ if (g != NULL)
+ *g = dh->g;
+}
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+ /* If the field pub_key in dh is NULL, the corresponding input
+ * parameters MUST be non-NULL. The priv_key field may
+ * be left NULL.
+ */
+ if (dh->pub_key == NULL && pub_key == NULL)
+ return 0;
+
+ if (pub_key != NULL) {
+ BN_free(dh->pub_key);
+ dh->pub_key = pub_key;
+ }
+ if (priv_key != NULL) {
+ BN_free(dh->priv_key);
+ dh->priv_key = priv_key;
+ }
+
+ return 1;
+}
+
+int DH_set_length(DH *dh, long length)
+{
+ dh->length = length;
+ return 1;
+}
+
+const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx)
+{
+ return ctx->iv;
+}
+
+unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)
+{
+ return ctx->iv;
+}
+
+EVP_MD_CTX *EVP_MD_CTX_new(void)
+{
+ return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
+}
+
+void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+ EVP_MD_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+}
+
+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
+{
+ RSA_METHOD *ret;
+
+ ret = OPENSSL_malloc(sizeof(RSA_METHOD));
+
+ if (ret != NULL) {
+ memcpy(ret, meth, sizeof(*meth));
+ ret->name = OPENSSL_strdup(meth->name);
+ if (ret->name == NULL) {
+ OPENSSL_free(ret);
+ return NULL;
+ }
+ }
+
+ return ret;
+}
+
+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
+{
+ char *tmpname;
+
+ tmpname = OPENSSL_strdup(name);
+ if (tmpname == NULL) {
+ return 0;
+ }
+
+ OPENSSL_free((char *)meth->name);
+ meth->name = tmpname;
+
+ return 1;
+}
+
+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
+ int (*priv_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ meth->rsa_priv_enc = priv_enc;
+ return 1;
+}
+
+int RSA_meth_set_priv_dec(RSA_METHOD *meth,
+ int (*priv_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ meth->rsa_priv_dec = priv_dec;
+ return 1;
+}
+
+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
+{
+ meth->finish = finish;
+ return 1;
+}
+
+void RSA_meth_free(RSA_METHOD *meth)
+{
+ if (meth != NULL) {
+ OPENSSL_free((char *)meth->name);
+ OPENSSL_free(meth);
+ }
+}
+
+int RSA_bits(const RSA *r)
+{
+ return (BN_num_bits(r->n));
+}
+
+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_RSA) {
+ return NULL;
+ }
+ return pkey->pkey.rsa;
+}
+
+
+#endif /* OPENSSL_VERSION_NUMBER */
+
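Review bot: the replacement for this compat layer is not among the hunks shown here (the page counts 6 changed files but only five are visible), so this diff alone cannot confirm that every function deleted in this hunk (RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, the DSA_/DH_/ECDSA_SIG_ accessors, EVP_MD_CTX_new/free, RSA_meth_dup and friends, RSA_bits, EVP_PKEY_get0_RSA) has a counterpart in the backported upstream change; a grep of the remaining qca-ossl sources for these names before merge would close that gap. Two observations on the code being removed, relevant to whatever replaces it: all of these were defined as external (non-static) symbols carrying the exact OpenSSL 1.1 API names, guarded only by OPENSSL_VERSION_NUMBER, so a replacement shim should keep such definitions static or hidden; and EVP_MD_CTX_free() called EVP_MD_CTX_cleanup(ctx) without a NULL check, whereas the real 1.1 API tolerates a NULL argument.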

@ -1,61 +0,0 @@
--- plugins/qca-ossl/libcrypto-compat.h.orig 2018-10-07 18:34:21 UTC
+++ plugins/qca-ossl/libcrypto-compat.h
@@ -0,0 +1,58 @@
+#ifndef LIBCRYPTO_COMPAT_H
+#define LIBCRYPTO_COMPAT_H
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/ecdsa.h>
+#include <openssl/dh.h>
+#include <openssl/evp.h>
+
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
+
+void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key);
+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
+
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+
+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+
+void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+int DH_set_length(DH *dh, long length);
+
+const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx);
+unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx);
+EVP_MD_CTX *EVP_MD_CTX_new(void);
+void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size
+#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data
+
+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
+#define RSA_meth_get_finish(meth) meth->finish
+int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa));
+void RSA_meth_free(RSA_METHOD *meth);
+
+int RSA_bits(const RSA *r);
+
+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+
+#endif /* OPENSSL_VERSION_NUMBER */
+
+#endif /* LIBCRYPTO_COMPAT_H */
+
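Review bot: the removed header evaluates `#if OPENSSL_VERSION_NUMBER < 0x10100000L` before any OpenSSL header is included (the <openssl/*.h> includes sit inside the #if), so in a translation unit that did not already pull in an OpenSSL header the macro is undefined, evaluates to 0 in the preprocessor, and the compat declarations are emitted even against OpenSSL 1.1.0; any replacement header should `#include <openssl/opensslv.h>` ahead of the version test. A smaller style point: the macros EVP_CIPHER_impl_ctx_size(e), EVP_CIPHER_CTX_get_cipher_data(ctx) and RSA_meth_get_finish(meth) expand their argument unparenthesized, which works for the plain identifiers used here but breaks for any non-trivial expression.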