Update to libdigidocpp 3.14.10
Trade all local patches for their rebased PRs. Old/current qdigidoc4 keeps working against new libdigidocpp.
parent
b74f154ad9
commit
b7e9b666b8
@ -1,8 +1,7 @@
|
||||
COMMENT = library for creating DigiDoc signature files
|
||||
|
||||
V = 3.14.8
|
||||
V = 3.14.10
|
||||
DISTNAME = libdigidocpp-${V}
|
||||
REVISION = 2
|
||||
CATEGORIES = security
|
||||
|
||||
SHARED_LIBS = digidocpp 0.0 # 0.0
|
||||
@ -16,12 +15,23 @@ PERMIT_PACKAGE = Yes
|
||||
HOMEPAGE = https://www.id.ee/
|
||||
MASTER_SITES = https://github.com/open-eid/libdigidocpp/releases/download/v${V}/
|
||||
|
||||
DIST_SUBDIR = libdigidocpp
|
||||
MASTER_SITES0 = https://github.com/open-eid/libdigidocpp/
|
||||
# merged but after 3.14.10 release
|
||||
PATCHFILES += pkcs11-path-{pull/}473.patch:0
|
||||
# still pending (but approved)
|
||||
PATCHFILES += iconv-{pull/}470.patch:0
|
||||
PATCHFILES += libressl-{pull/}482.patch:0
|
||||
PATCHFILES += minizip--{pull/}485.patch:0
|
||||
|
||||
PATCH_DIST_STRIP = -p1
|
||||
|
||||
# ${WRKSRC}/etc/schema/.../*.xsd.orig
|
||||
PATCHORIG = .pat.orig
|
||||
|
||||
MAINTAINER = Klemens Nanni <kn@openbsd.org>
|
||||
|
||||
# C++11
|
||||
# -std=gnu++17
|
||||
COMPILER = base-clang ports-gcc
|
||||
|
||||
WANTLIB += ${COMPILER_LIBCXX} c crypto iconv m ssl xalan-c
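Review bot: The `PATCHFILES` entries for pulls 470, 482 and 485 fetch `pull/N.patch` from pull requests that the comment above them marks as still pending, so the bytes served upstream can change whenever one of those branches is pushed or rebased. The SHA256 lines added for these patches elsewhere in this commit turn such a change into a checksum failure rather than a silently different build, which is the right failure mode, but the port then stops fetching until someone re-reads the patch. A comment next to the block such as `# pull/*.patch is mutable upstream; re-review the patch content before regenerating checksums` would keep the next updater from refreshing the hashes blindly. Pull 473 is already merged and could be pinned to its immutable commit now, in the form `pkcs11-path-{commit/}<commit-hash>.patch:0` (placeholder hash), and the others likewise once they land.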
|
||||
|
@ -1,2 +1,10 @@
|
||||
SHA256 (libdigidocpp-3.14.8.tar.gz) = U5i5IAyJF4359q6M6mQemEuG7+inPYIXqLy8GHv4dkg=
|
||||
SIZE (libdigidocpp-3.14.8.tar.gz) = 2666986
|
||||
SHA256 (libdigidocpp/iconv-470.patch) = YIu3H8XFJWCBFiqQG5bBNBthU9ckH//gq6g8545VzJ8=
|
||||
SHA256 (libdigidocpp/libdigidocpp-3.14.10.tar.gz) = n/+R4ho1Qcft3YSKE12oxZjbFHAsUDwoLFNuk5GXf5c=
|
||||
SHA256 (libdigidocpp/libressl-482.patch) = BQigiPPdBJAnAiUJPIdWGtbBs3gh9h1IMplrlMrz/gw=
|
||||
SHA256 (libdigidocpp/minizip--485.patch) = 4JE5m3IVBwCd6HQmLrp9N6GmGzvggwNpHSMEXMF0AdA=
|
||||
SHA256 (libdigidocpp/pkcs11-path-473.patch) = GdZIdn9fzQ7ajOYFjhqUPCqXIZpj7HCM0VARamzVieY=
|
||||
SIZE (libdigidocpp/iconv-470.patch) = 1406
|
||||
SIZE (libdigidocpp/libdigidocpp-3.14.10.tar.gz) = 2653851
|
||||
SIZE (libdigidocpp/libressl-482.patch) = 7492
|
||||
SIZE (libdigidocpp/minizip--485.patch) = 2006
|
||||
SIZE (libdigidocpp/pkcs11-path-473.patch) = 1360
|
||||
|
@ -1,23 +0,0 @@
|
||||
- Use bundled zlib minizip instead of incompatible minizip-ng from ports
|
||||
https://github.com/open-eid/libdigidocpp/pull/485
|
||||
- Require iconv for libdigidocpp
|
||||
https://github.com/open-eid/libdigidocpp/pull/470
|
||||
|
||||
Index: CMakeLists.txt
|
||||
--- CMakeLists.txt.orig
|
||||
+++ CMakeLists.txt
|
||||
@@ -51,11 +51,12 @@ find_package(Threads)
|
||||
find_package(XmlSecurityC REQUIRED)
|
||||
find_package(XSD 4.0 REQUIRED)
|
||||
find_package(ZLIB REQUIRED)
|
||||
-find_package(MiniZip QUIET)
|
||||
+find_package(MiniZip 0...<2.0.0 QUIET)
|
||||
if(UNIX AND NOT APPLE)
|
||||
find_package(PkgConfig)
|
||||
- pkg_check_modules(MINIZIP minizip IMPORTED_TARGET)
|
||||
+ pkg_check_modules(MINIZIP minizip IMPORTED_TARGET minizip<2.0.0)
|
||||
endif()
|
||||
+find_package(Iconv REQUIRED)
|
||||
find_package(SWIG)
|
||||
find_package(JNI)
|
||||
|
@ -1,19 +0,0 @@
|
||||
Link digidocpp against iconv to unbreak src/digidoc-tool and tests/TSLTests
|
||||
build:
|
||||
|
||||
ld: error: undefined symbol: libiconv_open
|
||||
|
||||
https://github.com/open-eid/libdigidocpp/pull/470
|
||||
|
||||
Index: src/CMakeLists.txt
|
||||
--- src/CMakeLists.txt.orig
|
||||
+++ src/CMakeLists.txt
|
||||
@@ -227,7 +227,7 @@ set_target_properties(digidocpp PROPERTIES
|
||||
|
||||
target_link_libraries(digidocpp
|
||||
PRIVATE ${CMAKE_DL_LIBS} minizip
|
||||
- PUBLIC digidocpp_priv
|
||||
+ PUBLIC digidocpp_priv Iconv::Iconv
|
||||
)
|
||||
|
||||
if( BUILD_TOOLS )
|
@ -1,32 +0,0 @@
|
||||
LibreSSL doesn't support sha3.
|
||||
|
||||
Index: src/crypto/Digest.cpp
|
||||
--- src/crypto/Digest.cpp.orig
|
||||
+++ src/crypto/Digest.cpp
|
||||
@@ -128,7 +128,7 @@ void Digest::reset(const string &uri)
|
||||
case NID_sha256: result = EVP_DigestInit(d->ctx, EVP_sha256()); break;
|
||||
case NID_sha384: result = EVP_DigestInit(d->ctx, EVP_sha384()); break;
|
||||
case NID_sha512: result = EVP_DigestInit(d->ctx, EVP_sha512()); break;
|
||||
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
|
||||
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
case NID_sha3_224: result = EVP_DigestInit(d->ctx, EVP_sha3_224()); break;
|
||||
case NID_sha3_256: result = EVP_DigestInit(d->ctx, EVP_sha3_256()); break;
|
||||
case NID_sha3_384: result = EVP_DigestInit(d->ctx, EVP_sha3_384()); break;
|
||||
@@ -167,7 +167,7 @@ int Digest::toMethod(const string &uri)
|
||||
if(uri == URI_SHA256 || uri == URI_RSA_SHA256 || uri == URI_RSA_PSS_SHA256 || uri == URI_ECDSA_SHA256) return NID_sha256;
|
||||
if(uri == URI_SHA384 || uri == URI_RSA_SHA384 || uri == URI_RSA_PSS_SHA384 || uri == URI_ECDSA_SHA384) return NID_sha384;
|
||||
if(uri == URI_SHA512 || uri == URI_RSA_SHA512 || uri == URI_RSA_PSS_SHA512 || uri == URI_ECDSA_SHA512) return NID_sha512;
|
||||
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
|
||||
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if(uri == URI_SHA3_224 || uri == URI_RSA_PSS_SHA3_224) return NID_sha3_224;
|
||||
if(uri == URI_SHA3_256 || uri == URI_RSA_PSS_SHA3_256) return NID_sha3_256;
|
||||
if(uri == URI_SHA3_384 || uri == URI_RSA_PSS_SHA3_384) return NID_sha3_384;
|
||||
@@ -238,7 +238,7 @@ std::string Digest::toUri(int nid)
|
||||
case NID_sha256: return URI_SHA256;
|
||||
case NID_sha384: return URI_SHA384;
|
||||
case NID_sha512: return URI_SHA512;
|
||||
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
|
||||
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
case NID_sha3_224: return URI_SHA3_224;
|
||||
case NID_sha3_256: return URI_SHA3_256;
|
||||
case NID_sha3_384: return URI_SHA3_384;
|
@ -1,18 +0,0 @@
|
||||
LibreSSL doesn't have BIO_ADDR support, so this exception cannot be hit.
|
||||
|
||||
Index: src/crypto/OpenSSLHelpers.h
|
||||
--- src/crypto/OpenSSLHelpers.h.orig
|
||||
+++ src/crypto/OpenSSLHelpers.h
|
||||
@@ -118,10 +118,12 @@ class OpenSSLException : public Exception
|
||||
while((error = ERR_get_error()) != 0)
|
||||
{
|
||||
Exception e(ERR_lib_error_string(error), 0, ERR_error_string(error, nullptr));
|
||||
+#ifndef LIBRESSL_VERSION_NUMBER
|
||||
if(ERR_GET_LIB(error) == ERR_R_BIO_LIB &&
|
||||
ERR_GET_FUNC(error) == BIO_F_BIO_LOOKUP_EX &&
|
||||
ERR_GET_REASON(error) == ERR_R_SYS_LIB)
|
||||
e.setCode(ExceptionCode::HostNotFound);
|
||||
+#endif
|
||||
addCause(e);
|
||||
}
|
||||
}
|
@ -1,55 +0,0 @@
|
||||
Provide OPENSSL_memdup() and TS accessors for LibreSSL
|
||||
|
||||
"Upgrade openssl 1.1.1m and fix crash with new openssl version (#453)"
|
||||
https://github.com/open-eid/libdigidocpp/commit/42a8cfd
|
||||
|
||||
Index: src/crypto/TS.cpp
|
||||
--- src/crypto/TS.cpp.orig
|
||||
+++ src/crypto/TS.cpp
|
||||
@@ -40,7 +40,22 @@
|
||||
using namespace digidoc;
|
||||
using namespace std;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+#if defined(LIBRESSL_VERSION_NUMBER)
|
||||
+void *OPENSSL_memdup(const void *data, size_t size)
|
||||
+{
|
||||
+ void *copy;
|
||||
+
|
||||
+ if (data == NULL || size >= INT_MAX)
|
||||
+ return NULL;
|
||||
+
|
||||
+ if ((copy = malloc(size)) == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return memcpy(copy, data, size);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
static void TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f)
|
||||
{
|
||||
ctx->flags = unsigned(f);
|
||||
@@ -48,6 +63,7 @@ static void TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx
|
||||
|
||||
static void TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *hexstr, long len)
|
||||
{
|
||||
+ OPENSSL_free(ctx->imprint);
|
||||
ctx->imprint = hexstr;
|
||||
ctx->imprint_len = unsigned(len);
|
||||
}
|
||||
@@ -257,11 +273,10 @@ void TS::verify(const Digest &digest)
|
||||
{
|
||||
SCOPE(TS_VERIFY_CTX, ctx, TS_VERIFY_CTX_new());
|
||||
TS_VERIFY_CTX_set_flags(ctx.get(), TS_VFY_IMPRINT|TS_VFY_VERSION|TS_VFY_SIGNATURE);
|
||||
- TS_VERIFY_CTX_set_imprint(ctx.get(), data.data(), long(data.size()));
|
||||
+ TS_VERIFY_CTX_set_imprint(ctx.get(),
|
||||
+ (unsigned char*)OPENSSL_memdup(data.data(), data.size()), long(data.size()));
|
||||
TS_VERIFY_CTX_set_store(ctx.get(), store.release());
|
||||
- int err = TS_RESP_verify_token(ctx.get(), d.get());
|
||||
- TS_VERIFY_CTX_set_imprint(ctx.get(), nullptr, 0); //Avoid CRYPTO_free
|
||||
- if(err != 1)
|
||||
+ if(TS_RESP_verify_token(ctx.get(), d.get()) != 1)
|
||||
{
|
||||
unsigned long err = ERR_get_error();
|
||||
if(ERR_GET_LIB(err) == ERR_LIB_TS && ERR_GET_REASON(err) == TS_R_CERTIFICATE_VERIFY_ERROR)
|
@ -1,14 +0,0 @@
|
||||
Use old-style STACK_OF stuff for LibreSSL
|
||||
|
||||
Index: src/crypto/X509Cert.cpp
|
||||
--- src/crypto/X509Cert.cpp.orig
|
||||
+++ src/crypto/X509Cert.cpp
|
||||
@@ -86,7 +86,7 @@ DECLARE_ASN1_FUNCTIONS(QCStatement)
|
||||
* QCStatements ::= SEQUENCE OF QCStatement
|
||||
*/
|
||||
using QCStatements = STACK_OF(QCStatement);
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10010000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10010000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
#include <openssl/safestack.h>
|
||||
#define sk_QCStatement_num(st) sk_num((_STACK*)st)
|
||||
#define sk_QCStatement_value(st, i) (QCStatement*)sk_value((_STACK*)st, i)
|
@ -1,14 +0,0 @@
|
||||
LibreSSL provides d2i_ESS_ISSUER_SERIAL()
|
||||
|
||||
Index: src/crypto/X509Crypto.cpp
|
||||
--- src/crypto/X509Crypto.cpp.orig
|
||||
+++ src/crypto/X509Crypto.cpp
|
||||
@@ -37,7 +37,7 @@
|
||||
using namespace digidoc;
|
||||
using namespace std;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
/*-
|
||||
* IssuerSerial ::= SEQUENCE {
|
||||
* issuer GeneralNames,
|
@ -1,15 +0,0 @@
|
||||
Set correct OpenSC PKCS11 module path
|
||||
https://github.com/open-eid/libdigidocpp/pull/473
|
||||
|
||||
Index: src/digidoc-tool.1.cmake
|
||||
--- src/digidoc-tool.1.cmake.orig
|
||||
+++ src/digidoc-tool.1.cmake
|
||||
@@ -55,7 +55,7 @@ Command sign:
|
||||
--postalCode= - postalCode of production place
|
||||
--country= - country of production place
|
||||
--role= - option can occur multiple times. Signer role(s)
|
||||
- --pkcs11[=] - default is /Library/OpenSC/lib/opensc-pkcs11.so. Path of PKCS11 driver.
|
||||
+ --pkcs11[=] - default is ${PKCS11_MODULE}. Path of PKCS11 driver.
|
||||
--pkcs12= - pkcs12 signer certificate (use --pin for password)
|
||||
--pin= - default asks pin from prompt
|
||||
--sha(224,256,384,512) - set default digest method (default sha256)
|