pkg: revert openssl3 support

This change makes pkg generate a signature that is incompatible with previous keys, it is better to have pkg broken for openssl3 and die instead of having a backward incompatibility
author: Baptiste Daroussin <bapt@FreeBSD.org> 2023-06-27 11:52:01 +0200
committer: Baptiste Daroussin <bapt@FreeBSD.org> 2023-06-27 11:52:01 +0200
commit: f23812a6dad55f203800721af9378320e52c4f22 (patch)
tree: 9d193e995e3f36ca6d98801cacdb71e4e4bf4f7c /ports-mgmt
parent: devel/py-pytz: Update to 2023.3 (diff)
4 files changed, 2 insertions, 198 deletions
diff --git a/ports-mgmt/pkg-devel/Makefile b/ports-mgmt/pkg-devel/Makefile
index a4b9ce544941..7b634b2e356a 100644
--- a/ports-mgmt/pkg-devel/Makefile
+++ b/ports-mgmt/pkg-devel/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	pkg
 DISTVERSION=	1.19.99.2
 _PKG_VERSION=	${DISTVERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	ports-mgmt
 PKGNAMESUFFIX=	-devel
 
diff --git a/ports-mgmt/pkg-devel/files/patch-openssl3 b/ports-mgmt/pkg-devel/files/patch-openssl3
deleted file mode 100644
index d04226e68c50..000000000000
--- a/ports-mgmt/pkg-devel/files/patch-openssl3
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git libpkg/rsa.c libpkg/rsa.c
-index 41a12466..eea6e0bb 100644
---- libpkg/rsa.c
-+++ libpkg/rsa.c
-@@ -37,31 +37,6 @@
- #include "private/event.h"
- #include "private/pkg.h"
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--/*
-- * This matches the historical usage for pkg.  Older versions sign the hex
-- * encoding of the SHA256 checksum.  If we ever deprecated RSA, this can go
-- * away.
-- */
--static EVP_MD *md_pkg_sha1;
--
--static EVP_MD *
--EVP_md_pkg_sha1(void)
--{
--
--	if (md_pkg_sha1 != NULL)
--		return (md_pkg_sha1);
--
--	md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1());
--	if (md_pkg_sha1 == NULL)
--		return (NULL);
--
--	EVP_MD_meth_set_result_size(md_pkg_sha1,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
--	return (md_pkg_sha1);
--}
--#endif	/* OPENSSL_VERSION_NUMBER >= 0x10100000L */
--
- struct pkg_key {
- 	pkg_password_cb *pw_cb;
- 	char *path;
-@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen,
- 	OpenSSL_add_all_algorithms();
- 	OpenSSL_add_all_ciphers();
- 
-+
- 	ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata);
- 	if (need_close)
- 		close(fd);
-@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud)
- 	char errbuf[1024];
- 	EVP_PKEY *pkey = NULL;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	const EVP_MD *md;
- 	EVP_PKEY_CTX *ctx;
- #else
- 	RSA *rsa;
-@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud)
- 		return (EPKG_FATAL);
- 	}
- 
--	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
-+	md = EVP_sha1();
-+	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
- 		EVP_PKEY_CTX_free(ctx);
- 		EVP_PKEY_free(pkey);
- 		free(sha256);
-@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud)
- 	}
- 
- 	ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
-+	    EVP_MD_size(md));
- #else
- 	rsa = EVP_PKEY_get1_RSA(pkey);
- 
-@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
- 	char errbuf[1024];
- 	int max_len = 0, ret;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	const EVP_MD *md;
- 	EVP_PKEY_CTX *ctx;
- 	size_t siglen;
- #else
-@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
- 		return (EPKG_FATAL);
- 	}
- 
--	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
-+	md = EVP_sha1();
-+	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
- 		EVP_PKEY_CTX_free(ctx);
- 		free(sha256);
- 		return (EPKG_FATAL);
- 	}
--
- 	siglen = max_len;
- 	ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
-+	    EVP_MD_size(md));
- #else
- 	rsa = EVP_PKEY_get1_RSA(keyinfo->key);
- 
diff --git a/ports-mgmt/pkg/Makefile b/ports-mgmt/pkg/Makefile
index fde39894a485..9dd8690d94c6 100644
--- a/ports-mgmt/pkg/Makefile
+++ b/ports-mgmt/pkg/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	pkg
 DISTVERSION=	1.19.1
-PORTREVISION=	2
+PORTREVISION=	3
 _PKG_VERSION=	${DISTVERSION}
 CATEGORIES=	ports-mgmt
 
diff --git a/ports-mgmt/pkg/files/patch-openssl3 b/ports-mgmt/pkg/files/patch-openssl3
deleted file mode 100644
index d04226e68c50..000000000000
--- a/ports-mgmt/pkg/files/patch-openssl3
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git libpkg/rsa.c libpkg/rsa.c
-index 41a12466..eea6e0bb 100644
---- libpkg/rsa.c
-+++ libpkg/rsa.c
-@@ -37,31 +37,6 @@
- #include "private/event.h"
- #include "private/pkg.h"
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--/*
-- * This matches the historical usage for pkg.  Older versions sign the hex
-- * encoding of the SHA256 checksum.  If we ever deprecated RSA, this can go
-- * away.
-- */
--static EVP_MD *md_pkg_sha1;
--
--static EVP_MD *
--EVP_md_pkg_sha1(void)
--{
--
--	if (md_pkg_sha1 != NULL)
--		return (md_pkg_sha1);
--
--	md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1());
--	if (md_pkg_sha1 == NULL)
--		return (NULL);
--
--	EVP_MD_meth_set_result_size(md_pkg_sha1,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
--	return (md_pkg_sha1);
--}
--#endif	/* OPENSSL_VERSION_NUMBER >= 0x10100000L */
--
- struct pkg_key {
- 	pkg_password_cb *pw_cb;
- 	char *path;
-@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen,
- 	OpenSSL_add_all_algorithms();
- 	OpenSSL_add_all_ciphers();
- 
-+
- 	ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata);
- 	if (need_close)
- 		close(fd);
-@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud)
- 	char errbuf[1024];
- 	EVP_PKEY *pkey = NULL;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	const EVP_MD *md;
- 	EVP_PKEY_CTX *ctx;
- #else
- 	RSA *rsa;
-@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud)
- 		return (EPKG_FATAL);
- 	}
- 
--	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
-+	md = EVP_sha1();
-+	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
- 		EVP_PKEY_CTX_free(ctx);
- 		EVP_PKEY_free(pkey);
- 		free(sha256);
-@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud)
- 	}
- 
- 	ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
-+	    EVP_MD_size(md));
- #else
- 	rsa = EVP_PKEY_get1_RSA(pkey);
- 
-@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
- 	char errbuf[1024];
- 	int max_len = 0, ret;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+	const EVP_MD *md;
- 	EVP_PKEY_CTX *ctx;
- 	size_t siglen;
- #else
-@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
- 		return (EPKG_FATAL);
- 	}
- 
--	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
-+	md = EVP_sha1();
-+	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
- 		EVP_PKEY_CTX_free(ctx);
- 		free(sha256);
- 		return (EPKG_FATAL);
- 	}
--
- 	siglen = max_len;
- 	ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256,
--	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
-+	    EVP_MD_size(md));
- #else
- 	rsa = EVP_PKEY_get1_RSA(keyinfo->key);
-
author	Baptiste Daroussin <bapt@FreeBSD.org>	2023-06-27 11:52:01 +0200
committer	Baptiste Daroussin <bapt@FreeBSD.org>	2023-06-27 11:52:01 +0200
commit	f23812a6dad55f203800721af9378320e52c4f22 (patch)
tree	9d193e995e3f36ca6d98801cacdb71e4e4bf4f7c /ports-mgmt
parent	devel/py-pytz: Update to 2023.3 (diff)