kerberos5: build with LibreSSL #19799

14 changes: 14 additions & 0 deletions net/kerberos5/Portfile
Expand Up @@ -67,6 +67,20 @@ configure.args --with-system-et \
--without-system-ss \
ac_cv_prog_AWK=/usr/bin/awk

# kerberos5 can be built with LibreSSL again, if we can provide "explicit_bzero", see #66601
# However, this needs 'libbsd' and we use 'libbsd-devel' until new version from upstream.
variant libressl description {Build with LibreSSL} {

depends_lib-delete path:lib/libssl.dylib:openssl
depends_lib-append port:libressl \
port:libbsd-devel

patchfiles-append patch-plugins_preauth_pkinit_pkinit__crypto__openssl.c.diff

configure.optflags-append -DLIBBSD_OVERLAY -isystem ${prefix}/include/bsd -L${prefix}/lib -lbsd
configure.optflags is for optimization flags, which none of these are.


}

# Needs LIBRARY_PATH support
compiler.blacklist-append {clang <= 318.0.61}
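Review bot: The comment introducing the variant says libbsd is needed for explicit_bzero, but it does not say that `-DLIBBSD_OVERLAY -isystem ${prefix}/include/bsd` places libbsd's overlay headers ahead of the system headers for every translation unit of the build, not only for the pkinit plugin that the added patchfile touches; whether anything beyond explicit_bzero is shadowed cannot be told from this hunk. That build-wide scope is worth recording for the next maintainer, e.g. after the existing two comment lines: `# LIBBSD_OVERLAY makes libbsd's drop-in headers shadow the system headers for the whole build, not just pkinit.` The variant body closes at the `}` inside the hunk; the surrounding Portfile options are outside it.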

@@ -0,0 +1,48 @@
# This patch was derived from [1] in verbatim form for the MacPorts port.
# The patch itself was part of commit [2] of @cschuber at FreeBSD.
# [1] https://github.com/freebsd/freebsd-ports/blob/main/security/krb5-121/files/patch-plugins_preauth_pkinit_pkinit__crypto__openssl.c
# [2] https://github.com/freebsd/freebsd-ports/commit/49e70b32f3d1610c7a398e8f82343935362d6466
#
--- plugins/preauth/pkinit/pkinit_crypto_openssl.c.orig 2022-10-17 09:52:43 UTC
+++ plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -184,6 +184,17 @@ pkcs11err(int err);
(*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
#endif

+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+/*
+ * 1.1 adds DHX support, which uses the RFC 3279 DomainParameters encoding we
+ * need for PKINIT. For 1.0 we must use the original DH type when creating
+ * EVP_PKEY objects.
+ */
+#define EVP_PKEY_DHX EVP_PKEY_DH
+#define d2i_DHxparams d2i_DHparams
+#endif
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L

/* 1.1 standardizes constructor and destructor names, renaming
@@ -193,13 +204,6 @@ pkcs11err(int err);
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#define ASN1_STRING_get0_data ASN1_STRING_data

-/*
- * 1.1 adds DHX support, which uses the RFC 3279 DomainParameters encoding we
- * need for PKINIT. For 1.0 we must use the original DH type when creating
- * EVP_PKEY objects.
- */
-#define EVP_PKEY_DHX EVP_PKEY_DH
-
/* 1.1 makes many handle types opaque and adds accessors. Add compatibility
* versions of the new accessors we use for pre-1.1. */

@@ -588,7 +592,7 @@ set_padded_derivation(EVP_PKEY_CTX *ctx)
{
EVP_PKEY_CTX_set_dh_pad(ctx, 1);
}
-#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
+#elif OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
static void
set_padded_derivation(EVP_PKEY_CTX *ctx)
{
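Review bot: In the hunk at line 184, LibreSSL is routed through the pre-1.1 compatibility path: `EVP_PKEY_DHX` is mapped to `EVP_PKEY_DH` and `d2i_DHxparams` to `d2i_DHparams`, so under LibreSSL the DH parameters are decoded and the EVP_PKEY created with the plain DH type rather than the DHX type the surrounding comment says PKINIT needs, a behavioural difference from OpenSSL 1.1+ that the patch header (the five `#` lines at the top) does not mention. Since the file is carried verbatim from FreeBSD, the place to record it is the header, e.g. `# Note: LibreSSL takes the pre-1.1 DH (not DHX) compatibility path; PKINIT DH parameter interoperability with LibreSSL builds should be verified.` The `#elif` change at line 592 excludes LibreSSL from the `EVP_PKEY_CTX_set_dh_pad` form of set_padded_derivation, and the branch LibreSSL then falls into is outside this hunk, so whether padded derivation is still applied cannot be confirmed here. The set_padded_derivation body that opens on the last hunk line continues past the hunk.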