From 139959cec3352563713e55753215cb1c7598440f Mon Sep 17 00:00:00 2001
From: Doan Tran Cong Danh
Date: Wed, 2 Oct 2019 10:39:34 +0700
Subject: [PATCH] ykpivmgr: update to 1.7.0.

Patch is submited upstream at https://github.com/Yubico/yubico-piv-tool/pull/212
---
 srcpkgs/ykpivmgr/patches/libressl.patch | 158 --------------------
 srcpkgs/ykpivmgr/patches/ssl_obsolete.patch | 22 +++
 srcpkgs/ykpivmgr/template | 9 +-
 3 files changed, 27 insertions(+), 162 deletions(-)
 delete mode 100644 srcpkgs/ykpivmgr/patches/libressl.patch
 create mode 100644 srcpkgs/ykpivmgr/patches/ssl_obsolete.patch

diff --git a/srcpkgs/ykpivmgr/patches/libressl.patch b/srcpkgs/ykpivmgr/patches/libressl.patch
deleted file mode 100644
index 4c48300e932..00000000000
--- a/srcpkgs/ykpivmgr/patches/libressl.patch
+++ /dev/null
@@ -1,158 +0,0 @@ ---- tool/openssl-compat.c -+++ tool/openssl-compat.c -@@ -71,6 +71,10 @@ - *iqmp = r->iqmp; - } - -+#endif /* OPENSSL_VERSION_NUMBER */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ - void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, - ASN1_OCTET_STRING **pdigest) - { -@@ -80,4 +84,4 @@ - *pdigest = sig->digest; - } - --#endif /* OPENSSL_VERSION_NUMBER */ -+#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */ - ---- tool/openssl-compat.h -+++ tool/openssl-compat.h -@@ -20,7 +20,6 @@ - #include - #include - #include --#include - - int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); - void RSA_get0_key(const RSA *r, -@@ -29,9 +28,15 @@ - void RSA_get0_crt_params(const RSA *r, - const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp); -+#endif /* OPENSSL_VERSION_NUMBER */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ -+#include -+ - void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, - ASN1_OCTET_STRING **pdigest); - -+#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */ - #endif /* _WINDOWS */ --#endif /* OPENSSL_VERSION_NUMBER */ - #endif /* LIBCRYPTO_COMPAT_H */ - ---- tool/yubico-piv-tool.c -+++ tool/yubico-piv-tool.c -@@ -124,7 +124,7 @@ - return false; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)) - static int ec_key_ex_data_idx = -1; - - struct internal_key { -@@ -688,7 +688,7 @@ - goto request_out; - } - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - memcpy(digest, oid, oid_len); - /* XXX: this should probably use X509_REQ_digest() but that's buggy */ - if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), md, req->req_info, -@@ -721,7 +721,7 @@ - fprintf(stderr, "Failed signing request.\n"); - goto request_out; - } -- 
M_ASN1_BIT_STRING_set(req->signature, signature, sig_len); -+ ASN1_BIT_STRING_set(req->signature, signature, sig_len); - /* mark that all bits should be used. */ - req->signature->flags = ASN1_STRING_FLAG_BITS_LEFT; - } -@@ -751,7 +751,7 @@ - EVP_PKEY_free(public_key); - } - if(req) { --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - if(req->sig_alg->parameter) { - req->sig_alg->parameter = NULL; - } -@@ -884,7 +884,7 @@ - if(nid == 0) { - goto selfsign_out; - } --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - if(YKPIV_IS_RSA(algorithm)) { - signinput = digest; - len = oid_len + md_len; -@@ -912,7 +912,7 @@ - fprintf(stderr, "Failed signing certificate.\n"); - goto selfsign_out; - } -- M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len); -+ ASN1_BIT_STRING_set(x509->signature, signature, sig_len); - /* setting flags to ASN1_STRING_FLAG_BITS_LEFT here marks that no bits - * should be subtracted from the bit string, thus making sure that the - * certificate can be validated. */ -@@ -941,7 +941,7 @@ - fclose(output_file); - } - if(x509) { --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - if(x509->sig_alg->parameter) { - x509->sig_alg->parameter = NULL; - x509->cert_info->signature->parameter = NULL; - -diff --git ykcs11/openssl_utils.c ykcs11/openssl_utils.c -index 68fb29a..5a7f85d 100644 ---- ykcs11/openssl_utils.c -+++ ykcs11/openssl_utils.c -@@ -165,7 +165,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - --#if OPENSSL_VERSION_NUMBER < 10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - // Manually set the signature algorithms. 
- // OpenSSL 1.0.1i complains about empty DER fields - // 8 => md5WithRsaEncryption -diff --git ykcs11/tests/ykcs11_tests.c ykcs11/tests/ykcs11_tests.c -index 9fb51da..257c938 100644 ---- ykcs11/tests/ykcs11_tests.c -+++ ykcs11/tests/ykcs11_tests.c -@@ -274,7 +274,7 @@ static void test_login() { - - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)) - static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, const RSA *rsa) { - sigret = malloc(1); -@@ -385,7 +385,7 @@ static void test_import_and_sign_all_10() { - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - cert->sig_alg->algorithm = OBJ_nid2obj(8); - cert->cert_info->signature->algorithm = OBJ_nid2obj(8); - -@@ -583,7 +583,7 @@ static void test_import_and_sign_all_10_RSA() { - X509_set_notBefore(cert, tm); - X509_set_notAfter(cert, tm); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - /* putting bogus data to signature to make some checks happy */ - cert->sig_alg->algorithm = OBJ_nid2obj(8); - cert->cert_info->signature->algorithm = OBJ_nid2obj(8); diff --git a/srcpkgs/ykpivmgr/patches/ssl_obsolete.patch b/srcpkgs/ykpivmgr/patches/ssl_obsolete.patch new file mode 100644 index 00000000000..e842806e821 --- /dev/null +++ b/srcpkgs/ykpivmgr/patches/ssl_obsolete.patch 
@@ -0,0 +1,22 @@
+diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
+index d7e11d5..7cd15e3 100644
+--- a/tool/yubico-piv-tool.c
++++ b/tool/yubico-piv-tool.c
+@@ -751,7 +751,7 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for
+ fprintf(stderr, "Failed signing request.\n");
+ goto request_out;
+ }
+- M_ASN1_BIT_STRING_set(req->signature, signature, sig_len);
++ ASN1_STRING_set(req->signature, signature, sig_len);
+ /* mark that all bits should be used. */
+ req->signature->flags = ASN1_STRING_FLAG_BITS_LEFT;
+ }
+@@ -1007,7 +1007,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
+ fprintf(stderr, "Failed signing certificate.\n");
+ goto selfsign_out;
+ }
+- M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
++ ASN1_STRING_set(x509->signature, signature, sig_len);
+ /* setting flags to ASN1_STRING_FLAG_BITS_LEFT here marks that no bits
+ * should be subtracted from the bit string, thus making sure that the
+ * certificate can be validated. */
diff --git a/srcpkgs/ykpivmgr/template b/srcpkgs/ykpivmgr/template
index 7e72bcc15f5..1e4a78e0e4a 100644
--- a/srcpkgs/ykpivmgr/template
+++ b/srcpkgs/ykpivmgr/template
@@ -6,8 +6,8 @@ _libykcs_name="libykcs11"
 _libykcs_desc="Yubikey PIV pkcs11 library"
 pkgname=ykpivmgr
-version=1.5.0
-revision=5
+version=1.7.0
+revision=1
 wrksrc="${_real_name}-${version}"
 build_style=gnu-configure
 configure_args="--enable-doxygen-man --program-transform-name='s/^yubico-piv-tool$/ykpivmgr/'"
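Review bot: The two `ASN1_STRING_set()` calls that ssl_obsolete.patch puts into `request_certificate` and `selfsign_certificate` discard the return value, so a failed copy would leave `req->signature` / `x509->signature` without the freshly computed signature while the code still goes on to set the flags. `ASN1_STRING_set` returns 0 on failure, so each call could be guarded, e.g. `if(!ASN1_STRING_set(req->signature, signature, sig_len)) goto request_out;`, and likewise with `x509->signature` and `selfsign_out`. Both functions begin and end outside these hunks, so whether those cleanup labels report failure to the caller should be confirmed against the full file. A one-line comment that `ASN1_BIT_STRING` shares its underlying type with `ASN1_STRING` would also explain why the generic setter can replace the removed `M_ASN1_BIT_STRING_set` macro.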
@@ -15,10 +15,11 @@ hostmakedepends="automake libtool gengetopt pkg-config doxygen perl"
 makedepends="libressl-devel check-devel pcsclite-devel"
 short_desc="Yubikey PIV management tool"
 maintainer="Aloz1 "
-license="BSD"
+license="BSD-2-Clause"
 homepage="https://developers.yubico.com/${_real_name}"
 distfiles="https://developers.yubico.com/${_real_name}/Releases/${_real_name}-${version}.tar.gz"
-checksum=c18375179ba25bf9d61365b3903f033f112897bbd54ca63c62fa153f2d05aaab
+checksum=b428527e4031453a637128077983e782e9fea25df98e95e0fc27819b2e82fd7f
+patch_args="-Np1"
 post_extract() {
 sed -i '/^yubico-piv-tool.1/,$d' tool/Makefile.am