author | marino <marino> | 2011-12-17 12:46:51 +0000 |
committer | marino <marino> | 2011-12-17 12:46:51 +0000 |
commit | a455565366c76fe3d1829e7e0adc072715dbb423 (patch) | |
tree | a88d0ef1eeaf077c32e05fbee35aeea95edb33f6 /security | |
parent | 6fa0524c58241be35ae82d30cce2c4ea118b503f (diff) | |
download | pkgsrc-a455565366c76fe3d1829e7e0adc072715dbb423.tar.gz |
security/qca2-ossl: Support OpenSSL 1.0
DragonFly is on OpenSSL 1.0 and this package wasn't building due to the
missing MD5 digest that no longer builds by default on the latest versions
of OpenSSL. FreeBSD already ran into this and patched qca-ossl, and this
ports their fix to pkgsrc.
Diffstat (limited to 'security')
-rw-r--r-- | security/qca2-ossl/Makefile | 4 | ||||
-rw-r--r-- | security/qca2-ossl/distinfo | 4 | ||||
-rw-r--r-- | security/qca2-ossl/patches/patch-aa | 261 |
3 files changed, 262 insertions, 7 deletions
diff --git a/security/qca2-ossl/Makefile b/security/qca2-ossl/Makefile
index 4c7e254b6b9..8cb7ede7166 100644
--- a/security/qca2-ossl/Makefile
+++ b/security/qca2-ossl/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2011/11/01 06:02:30 sbd Exp $
+# $NetBSD: Makefile,v 1.15 2011/12/17 12:46:51 marino Exp $
 
 DISTNAME= qca-ossl-2.0.0-beta3
 PKGNAME= qca2-ossl-${DISTNAME:S/-beta/beta/:C/.*-//}
-PKGREVISION= 12
+PKGREVISION= 13
 CATEGORIES= security
 MASTER_SITES= http://delta.affinix.com/download/qca/2.0/plugins/
 EXTRACT_SUFX= .tar.bz2
diff --git a/security/qca2-ossl/distinfo b/security/qca2-ossl/distinfo
index 9305d91a2f0..e8e1b010292 100644
--- a/security/qca2-ossl/distinfo
+++ b/security/qca2-ossl/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.2 2008/12/30 15:13:28 stacktic Exp $
+$NetBSD: distinfo,v 1.3 2011/12/17 12:46:51 marino Exp $
 
 SHA1 (qca-ossl-2.0.0-beta3.tar.bz2) = dd925e8732ff76f24f9f90f4094abaf2f0ac27bf
 RMD160 (qca-ossl-2.0.0-beta3.tar.bz2) = c979c3c3427eb45e8866e28746f83966e8bcf3c2
 Size (qca-ossl-2.0.0-beta3.tar.bz2) = 49188 bytes
-SHA1 (patch-aa) = 30059ab5aa0a71382da68159fc7779a7a2663c7d
+SHA1 (patch-aa) = 56daba9dd5ea2c545c63b9971fa78941d3d6ec12
diff --git a/security/qca2-ossl/patches/patch-aa b/security/qca2-ossl/patches/patch-aa
index 494c5d97954..5fd408e50c8 100644
--- a/security/qca2-ossl/patches/patch-aa
+++ b/security/qca2-ossl/patches/patch-aa
@@ -1,8 +1,157 @@
-$NetBSD: patch-aa,v 1.1 2008/12/30 15:13:28 stacktic Exp $
+$NetBSD: patch-aa,v 1.2 2011/12/17 12:46:51 marino Exp $
 
 --- qca-ossl.cpp.orig 2007-12-11 07:34:57.000000000 +0100
 +++ qca-ossl.cpp
-@@ -6597,9 +6597,11 @@ static QStringList all_hash_types()
+@@ -42,6 +42,15 @@
+ #define OSSL_097
+ #endif
+ 
++#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
++// OpenSSL 1.0.0 makes a few changes that aren't very C++ friendly...
++// Among other things, CHECKED_PTR_OF returns a void*, but is used in
++// contexts requiring STACK pointers.
++#undef CHECKED_PTR_OF
++#define CHECKED_PTR_OF(type, p) \
++ ((_STACK*) (1 ? p : (type*)0))
++#endif
++
+ using namespace QCA;
+ 
+ namespace opensslQCAPlugin {
+@@ -327,7 +336,7 @@
+ X509V3_CTX ctx;
+ X509V3_set_ctx_nodb(&ctx);
+ X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0);
+- X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
++ X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char *)"hash");
+ return ex;
+ }
+ 
+@@ -1182,6 +1191,7 @@
+ {
+ pkey = from.pkey;
+ CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
++ raw_type = false;
+ state = Idle;
+ }
+ 
+@@ -1226,6 +1236,7 @@
+ }
+ else
+ {
++ raw_type = false;
+ EVP_MD_CTX_init(&mdctx);
+ if(!EVP_VerifyInit_ex(&mdctx, type, NULL))
+ state = VerifyError;
+@@ -1771,8 +1782,10 @@
+ md = EVP_sha1();
+ else if(alg == EMSA3_MD5)
+ md = EVP_md5();
++#ifdef HAVE_OPENSSL_MD2
+ else if(alg == EMSA3_MD2)
+ md = EVP_md2();
++#endif
+ else if(alg == EMSA3_RIPEMD160)
+ md = EVP_ripemd160();
+ else if(alg == EMSA3_Raw)
+@@ -1789,8 +1802,10 @@
+ md = EVP_sha1();
+ else if(alg == EMSA3_MD5)
+ md = EVP_md5();
++#ifdef HAVE_OPENSSL_MD2
+ else if(alg == EMSA3_MD2)
+ md = EVP_md2();
++#endif
+ else if(alg == EMSA3_RIPEMD160)
+ md = EVP_ripemd160();
+ else if(alg == EMSA3_Raw)
+@@ -3385,9 +3400,11 @@
+ case NID_md5WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD5;
+ break;
++#ifdef HAVE_OPENSSL_MD2
+ case NID_md2WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD2;
+ break;
++#endif
+ case NID_ripemd160WithRSA:
+ p.sigalgo = QCA::EMSA3_RIPEMD160;
+ break;
+@@ -3871,9 +3888,11 @@
+ case NID_md5WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD5;
+ break;
++#ifdef HAVE_OPENSSL_MD2
+ case NID_md2WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD2;
+ break;
++#endif
+ case NID_ripemd160WithRSA:
+ p.sigalgo = QCA::EMSA3_RIPEMD160;
+ break;
+@@ -4061,9 +4080,11 @@
+ case NID_md5WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD5;
+ break;
++#ifdef HAVE_OPENSSL_MD2
+ case NID_md2WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_MD2;
+ break;
++#endif
+ case NID_ripemd160WithRSA:
+ p.sigalgo = QCA::EMSA3_RIPEMD160;
+ break;
+@@ -5128,6 +5149,16 @@
+ v_eof = false;
+ }
+ 
++ // dummy verification function for SSL_set_verify()
++ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
++ {
++ Q_UNUSED(preverify_ok);
++ Q_UNUSED(x509_ctx);
++
++ // don't terminate handshake in case of verification failure
++ return 1;
++ }
++
+ virtual QStringList supportedCipherSuites(const TLS::Version &version) const
+ {
+ OpenSSL_add_ssl_algorithms();
+@@ -5692,6 +5723,14 @@
+ }
+ }
+ 
++ // request a certificate from the client, if in server mode
++ if(serv)
++ {
++ SSL_set_verify(ssl,
++ SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
++ ssl_verify_callback);
++ }
++
+ return true;
+ }
+ 
+@@ -6155,6 +6194,7 @@
+ i2d_PKCS7_bio(bo, p7);
+ //PEM_write_bio_PKCS7(bo, p7);
+ out = bio2ba(bo);
++ PKCS7_free(p7);
+ }
+ else
+ {
+@@ -6582,7 +6622,9 @@
+ list += "sha1";
+ list += "sha0";
+ list += "ripemd160";
++#ifdef HAVE_OPENSSL_MD2
+ list += "md2";
++#endif
+ list += "md4";
+ list += "md5";
+ #ifdef SHA224_DIGEST_LENGTH
+@@ -6597,9 +6639,11 @@
 #ifdef SHA512_DIGEST_LENGTH
 list += "sha512";
 #endif
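Review bot: `ssl_verify_callback` ignores `preverify_ok` and returns 1 unconditionally, so once `SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, ssl_verify_callback)` is installed in server mode a client certificate that fails chain validation still completes the handshake; that is only acceptable if the verification outcome is evaluated by the caller afterwards (OpenSSL keeps it available through `SSL_get_verify_result()`), and nothing in this hunk shows that check. The comment `// dummy verification function for SSL_set_verify()` should state that contract instead of calling the function a dummy, e.g. `// Accept every peer certificate during the handshake; chain-validation failures are not fatal here and must be evaluated by the caller afterwards (SSL_get_verify_result).`. The `#undef CHECKED_PTR_OF` block near the top overrides an OpenSSL-internal macro for every version from 1.0.0 upwards with no upper bound, which looks fragile and would at least merit a comment naming the OpenSSL headers it was checked against. The class holding `ssl_verify_callback` and the function that calls `SSL_set_verify` both start outside the hunk.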
@@ -14,7 +163,107 @@ $NetBSD: patch-aa,v 1.1 2008/12/30 15:13:28 stacktic Exp $
 return list;
 }
 
-@@ -6810,10 +6812,12 @@ public:
+@@ -6671,7 +6715,7 @@
+ {
+ }
+ 
+- Context *clone() const
++ Provider::Context *clone() const
+ {
+ return new opensslInfoContext(*this);
+ }
+@@ -6692,6 +6736,34 @@
+ }
+ };
+ 
++class opensslRandomContext : public RandomContext
++{
++public:
++ opensslRandomContext(QCA::Provider *p) : RandomContext(p)
++ {
++ }
++
++ Context *clone() const
++ {
++ return new opensslRandomContext(*this);
++ }
++
++ QCA::SecureArray nextBytes(int size)
++ {
++ QCA::SecureArray buf(size);
++ int r;
++ // FIXME: loop while we don't have enough random bytes.
++ while (true) {
++ r = RAND_bytes((unsigned char*)(buf.data()), size);
++ if (r == 1) break; // success
++ r = RAND_pseudo_bytes((unsigned char*)(buf.data()),
++ size);
++ if (r >= 0) break; // accept insecure random numbers
++ }
++ return buf;
++ }
++};
++
+ }
+ 
+ using namespace opensslQCAPlugin;
+@@ -6711,11 +6783,14 @@
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+ 
+- srand(time(NULL));
+- char buf[128];
+- for(int n = 0; n < 128; ++n)
+- buf[n] = rand();
+- RAND_seed(buf, 128);
++ // seed the RNG if it's not seeded yet
++ if (RAND_status() == 0) {
++ qsrand(time(NULL));
++ char buf[128];
++ for(int n = 0; n < 128; ++n)
++ buf[n] = qrand();
++ RAND_seed(buf, 128);
++ }
+ 
+ openssl_initted = true;
+ }
+@@ -6754,10 +6829,13 @@
+ QStringList features() const
+ {
+ QStringList list;
++ list += "random";
+ list += all_hash_types();
+ list += all_mac_types();
+ list += all_cipher_types();
++#ifdef HAVE_OPENSSL_MD2
+ list += "pbkdf1(md2)";
++#endif
+ list += "pbkdf1(sha1)";
+ list += "pbkdf2(sha1)";
+ list += "pkey";
+@@ -6780,7 +6858,9 @@
+ Context *createContext(const QString &type)
+ {
+ //OpenSSL_add_all_digests();
+- if ( type == "info" )
++ if ( type == "random" )
++ return new opensslRandomContext(this);
++ else if ( type == "info" )
+ return new opensslInfoContext(this);
+ else if ( type == "sha1" )
+ return new opensslHashContext( EVP_sha1(), this, type);
+@@ -6788,8 +6868,10 @@
+ return new opensslHashContext( EVP_sha(), this, type);
+ else if ( type == "ripemd160" )
+ return new opensslHashContext( EVP_ripemd160(), this, type);
++#ifdef HAVE_OPENSSL_MD2
+ else if ( type == "md2" )
+ return new opensslHashContext( EVP_md2(), this, type);
++#endif
+ else if ( type == "md4" )
+ return new opensslHashContext( EVP_md4(), this, type);
+ else if ( type == "md5" )
+@@ -6810,14 +6892,18 @@
 else if ( type == "sha512" )
 return new opensslHashContext( EVP_sha512(), this, type);
 #endif
@@ -26,4 +275,10 @@ $NetBSD: patch-aa,v 1.1 2008/12/30 15:13:28 stacktic Exp $
 +*/
 else if ( type == "pbkdf1(sha1)" )
 return new opensslPbkdf1Context( EVP_sha1(), this, type );
++#ifdef HAVE_OPENSSL_MD2
 else if ( type == "pbkdf1(md2)" )
+ return new opensslPbkdf1Context( EVP_md2(), this, type );
++#endif
+ else if ( type == "pbkdf2(sha1)" )
+ return new opensslPbkdf2Context( this, type );
+ else if ( type == "hmac(md5)" )
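Review bot: `opensslRandomContext::nextBytes` falls back to `RAND_pseudo_bytes()` and returns its output whenever `r >= 0`, so when `RAND_bytes()` fails the caller receives bytes OpenSSL does not guarantee to be unpredictable, wrapped in a `SecureArray` that looks like CSPRNG output; the `// FIXME: loop while we don't have enough random bytes.` comment also no longer describes what the loop does. Since the `RandomContext` interface shows no error channel within the hunk, the safer shape is to drop the fallback and return an empty array on failure, with a TODO to confirm how callers treat that. The RNG seeding further down has a related weakness: when `RAND_status()` is 0 the only material fed to `RAND_seed` is 128 bytes of `qrand()` output seeded from `time(NULL)`, which makes `RAND_status()` report seeded without adding real entropy, so a comment there should mark it as a last-resort fallback for platforms with no OS entropy source. `nextBytes` lies fully within the hunk; the function doing the seeding starts outside it.
```cpp
	QCA::SecureArray nextBytes(int size)
	{
		QCA::SecureArray buf(size);
		// Only RAND_bytes() promises cryptographically strong output; do not
		// degrade to RAND_pseudo_bytes(), whose bytes may be predictable.
		if (RAND_bytes((unsigned char*)(buf.data()), size) != 1) {
			// TODO(review): confirm how RandomContext callers handle an empty
			// result; an empty array is preferable to silently handing out
			// predictable bytes as if they were random.
			return QCA::SecureArray();
		}
		return buf;
	}
```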