diff --git a/ports-mgmt/pkg-devel/Makefile b/ports-mgmt/pkg-devel/Makefile index 83f5df1802c5..a4b9ce544941 100644 --- a/ports-mgmt/pkg-devel/Makefile +++ b/ports-mgmt/pkg-devel/Makefile @@ -1,78 +1,79 @@ PORTNAME= pkg DISTVERSION= 1.19.99.2 _PKG_VERSION= ${DISTVERSION} +PORTREVISION= 1 CATEGORIES= ports-mgmt PKGNAMESUFFIX= -devel MAINTAINER= pkg@FreeBSD.org COMMENT= Package manager WWW= https://github.com/freebsd/pkg LICENSE= BSD2CLAUSE USE_GITHUB= yes GH_ACCOUNT= freebsd GH_TAGNAME= e6a95323 CFLAGS+= -O0 -g -Wno-error USE_LDCONFIG= ${PREFIX}/lib/compat/pkg HAS_CONFIGURE= yes PORTDOCS= NEWS PORTSCOUT= ignore:1 CONFIGURE_ARGS= --mandir=${PREFIX}/man --prefix="${PREFIX}" CONFIGURE_ENV= CC_FOR_BUILD="${CC}" # Use a submake as 'deinstall install' needs to reevaluate PKG_REGISTER # so that pkg-static is used from the wrkdir USE_SUBMAKE= yes OPTIONS_DEFINE= DOCS SAN SAN_DESC= Enable sanitizers (ASAN and UBSAN) .if !exists(/usr/include/jail.h) EXTRA_PATCHES= ${FILESDIR}/extra-patch-docs_pkg.8 .endif .include .if ${PORT_OPTIONS:MSAN} CONFIGURE_ARGS+= --with-asan --with-ubsan .endif # TODO: activate in april 2021 #.if ${OPSYS} == FreeBSD && ${OSVERSION} > 1400000 #CONFIGURE_ARGS+= --default-format=tzst #.endif .if defined(WITH_PKG) .if ${WITH_PKG} != devel . if !defined(PACKAGE_BUILDING) IGNORE= WITH_PKG is not defined to 'devel', this version is the devel one . endif .else PKGNAMESUFFIX= #define PKG_DEPENDS to nothing to avoid infinite loop looking for pkg :) PKG_DEPENDS= .endif .endif .undef INSTALLS_DEPENDS .if !exists(${LOCALBASE}/sbin/pkg) && !defined(CROSS_TOOLCHAIN) PKG_BIN= ${WRKSRC}/src/pkg-static .endif .if ${PORT_OPTIONS:MSAN} post-build: @(cd ${WRKSRC}/src && \ ${LN} -fs pkg pkg-static) .endif post-install: @${MKDIR} ${STAGEDIR}${PREFIX}/lib/compat/pkg @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/NEWS ${STAGEDIR}${DOCSDIR}/NEWS .if ${PORT_OPTIONS:MSAN} @${CP} ${STAGEDIR}${PREFIX}/sbin/pkg ${STAGEDIR}${PREFIX}/sbin/pkg-static .endif .include diff --git a/ports-mgmt/pkg-devel/files/patch-openssl3 b/ports-mgmt/pkg-devel/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg-devel/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); + diff --git a/ports-mgmt/pkg/Makefile b/ports-mgmt/pkg/Makefile index 7b6b20de0ead..fde39894a485 100644 --- a/ports-mgmt/pkg/Makefile +++ b/ports-mgmt/pkg/Makefile @@ -1,88 +1,88 @@ PORTNAME= pkg DISTVERSION= 1.19.1 -PORTREVISION= 1 +PORTREVISION= 2 _PKG_VERSION= ${DISTVERSION} CATEGORIES= ports-mgmt MAINTAINER= pkg@FreeBSD.org COMMENT= Package manager WWW= https://github.com/freebsd/pkg LICENSE= BSD2CLAUSE USE_GITHUB= yes GH_ACCOUNT= freebsd USE_LDCONFIG= ${PREFIX}/lib/compat/pkg HAS_CONFIGURE= yes PORTDOCS= NEWS PORTSCOUT= ignore:1 CONFIGURE_ARGS= --mandir=${PREFIX}/man --prefix="${PREFIX}" CONFIGURE_ENV= CC_FOR_BUILD="${CC}" # Use a submake as 'deinstall install' needs to reevaluate PKG_REGISTER # so that pkg-static is used from the wrkdir USE_SUBMAKE= yes CFLAGS+= -Wno-error CFLAGS_powerpc64le= -DSQLITE_BYTEORDER=1234 OPTIONS_DEFINE= DOCS .if !exists(/usr/include/jail.h) EXTRA_PATCHES= ${FILESDIR}/extra-patch-docs_pkg.8 .endif .include .if defined(WITH_DEBUG) MAKE_ARGS+= DEBUG_FLAGS="${DEBUG_FLAGS}" .endif .if defined(WITH_PKG) .if ${WITH_PKG} == devel IGNORE= WITH_PKG is defined to 'devel', this version is the stable one .endif .if exists(${LOCALBASE}/sbin/pkg_info) || exists(/usr/sbin/pkg_info) NB_OLDPKGS!= pkg_info 2>/dev/null | wc -l .if exists(${PKG_BIN}) NB_NEWPKGS!= ${PKG_INFO} -aq | wc -l .else NB_NEWPKGS= 0 .endif # Only show the pre-everything notice if they have not already # converted any packages .if ${NB_OLDPKGS} > 0 && ${NB_NEWPKGS} == 0 && !defined(UPGRADEPKG) pre-everything:: @${ECHO_CMD} "You are about to convert your system to pkg while you have ports/packages"; \ ${ECHO_CMD} "installed with the old pkg_install tools."; \ ${ECHO_CMD} ""; \ ${ECHO_CMD} "To switch to pkg:"; \ ${ECHO_CMD} " 1) Install ports-mgmt/pkg"; \ ${ECHO_CMD} " cd ports-mgmt/pkg && make UPGRADEPKG=1 install clean"; \ ${ECHO_CMD} " 2) Convert your package database by running pkg2ng"; \ ${ECHO_CMD} ""; \ exit 1 .endif .endif .endif #define PKG_DEPENDS to nothing to avoid infinite loop looking for pkg :) PKG_DEPENDS= .undef INSTALLS_DEPENDS # Use the internal pkg instead, generally, unless this is a cross-build, # in which case that won't work. Hope for the best then. .if !defined(CROSS_TOOLCHAIN) PKG_BIN= ${WRKSRC}/src/pkg-static .endif post-install: @${MKDIR} ${STAGEDIR}${PREFIX}/lib/compat/pkg post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/NEWS ${STAGEDIR}${DOCSDIR}/NEWS .include diff --git a/ports-mgmt/pkg/files/patch-openssl3 b/ports-mgmt/pkg/files/patch-openssl3 new file mode 100644 index 000000000000..d04226e68c50 --- /dev/null +++ b/ports-mgmt/pkg/files/patch-openssl3 @@ -0,0 +1,98 @@ +diff --git libpkg/rsa.c libpkg/rsa.c +index 41a12466..eea6e0bb 100644 +--- libpkg/rsa.c ++++ libpkg/rsa.c +@@ -37,31 +37,6 @@ + #include "private/event.h" + #include "private/pkg.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +-/* +- * This matches the historical usage for pkg. Older versions sign the hex +- * encoding of the SHA256 checksum. If we ever deprecated RSA, this can go +- * away. +- */ +-static EVP_MD *md_pkg_sha1; +- +-static EVP_MD * +-EVP_md_pkg_sha1(void) +-{ +- +- if (md_pkg_sha1 != NULL) +- return (md_pkg_sha1); +- +- md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1()); +- if (md_pkg_sha1 == NULL) +- return (NULL); +- +- EVP_MD_meth_set_result_size(md_pkg_sha1, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); +- return (md_pkg_sha1); +-} +-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ +- + struct pkg_key { + pkg_password_cb *pw_cb; + char *path; +@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen, + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + ++ + ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata); + if (need_close) + close(fd); +@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud) + char errbuf[1024]; + EVP_PKEY *pkey = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + #else + RSA *rsa; +@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud) + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + free(sha256); +@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud) + } + + ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(pkey); + +@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + char errbuf[1024]; + int max_len = 0, ret; + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ const EVP_MD *md; + EVP_PKEY_CTX *ctx; + size_t siglen; + #else +@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret, + return (EPKG_FATAL); + } + +- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) { ++ md = EVP_sha1(); ++ if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { + EVP_PKEY_CTX_free(ctx); + free(sha256); + return (EPKG_FATAL); + } +- + siglen = max_len; + ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256, +- pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX)); ++ EVP_MD_size(md)); + #else + rsa = EVP_PKEY_get1_RSA(keyinfo->key); +