On Wed Jul 09, 2025 at 10:42:09AM +0200, Theo Buehler wrote:
> messagelib only does DKIM verification and uses OPENSSL_DECODER_CTX
> for deserializing an RSA public key and another bit of trivially
> replaceable API to get the RSA e.
>
> The below diff replaces this with "legacy" API, bumps the major of
> KPim6MessageViewer and links it against libcrypto - no ssl in sight
> here.
>
> It's slightly more intrusive than I would like it to be, but so be it.
> I disabled the test but it could be patched in a similar way.
Will do it.
>
> I'll of course happily help if this gets in the way of updates.
>
> I only build tested this, but I did verify that the code successfully
> parses the test key in an equivalent C program.
Tested with a pile of KDE PAM apps without any issues. I'm not sure if I've hit this exact use-case but it doesn't make the PAM situation any better or worse. Thanks a lot, OK rsadowski
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/x11/kde-applications/messagelib/Makefile,v
> diff -u -p -r1.31 Makefile
> --- Makefile 13 Mar 2025 16:15:21 -0000 1.31
> +++ Makefile 9 Jul 2025 08:06:57 -0000
> @@ -2,10 +2,12 @@ COMMENT = KDE PIM messaging library
> DISTNAME = messagelib-${VERSION}
> CATEGORIES = devel
>
> +REVISION = 0
> +
> SHARED_LIBS += KPim6MessageComposer 2.0 # 0.0
> SHARED_LIBS += KPim6MessageCore 2.0 # 0.0
> SHARED_LIBS += KPim6MessageList 2.0 # 0.0
> -SHARED_LIBS += KPim6MessageViewer 2.0 # 0.0
> +SHARED_LIBS += KPim6MessageViewer 3.0 # 0.0
> SHARED_LIBS += KPim6MimeTreeParser 2.0 # 0.0
> SHARED_LIBS += KPim6TemplateParser 1.0 # 0.0
> SHARED_LIBS += KPim6WebEngineViewer 2.0 # 0.0
> @@ -29,10 +31,9 @@ WANTLIB += KPim6Mime KPim6PimCommon KPim
> WANTLIB += Qt6Core Qt6DBus Qt6Gui Qt6Network Qt6OpenGL Qt6Positioning
> WANTLIB += Qt6PrintSupport Qt6Qml Qt6QmlMeta Qt6QmlModels Qt6QmlWorkerScript
> WANTLIB += Qt6Quick Qt6WebChannel Qt6WebEngineCore Qt6WebEngineWidgets
> -WANTLIB += Qt6Widgets Qt6Xml assuan gpgme gpgmepp m qgpgmeqt6
> +WANTLIB += Qt6Widgets Qt6Xml assuan crypto gpgme gpgmepp m qgpgmeqt6
>
> WANTLIB += lib/inotify/inotify
> -WANTLIB += lib/eopenssl33/crypto lib/eopenssl33/ssl
>
> MODKDE_TRANSLATIONS = yes
> MODKF5_L10N_CONFLICT = yes
> @@ -91,13 +92,8 @@ LIB_DEPENDS = devel/kf6/karchive \
> x11/qt6/qtwebchannel \
> x11/qt6/qtwebengine
>
> -LIB_DEPENDS += security/openssl/3.3
> -
> TEST_IS_INTERACTIVE = X11
>
> -CONFIGURE_ENV = OPENSSL_ROOT_DIR=${LOCALBASE}/lib/eopenssl33
> -
> -CXXFLAGS = -I${LOCALBASE}/include/inotify/
> -I${LOCALBASE}/include/eopenssl33
> -LDFLAGS = -L${LOCALBASE}/lib/eopenssl33
> -Wl,-rpath,${LOCALBASE}/lib/eopenssl33
> +CXXFLAGS = -I${LOCALBASE}/include/inotify/
>
> .include <bsd.port.mk>
> Index: patches/patch-messageviewer_src_CMakeLists_txt
> ===================================================================
> RCS file: patches/patch-messageviewer_src_CMakeLists_txt
> diff -N patches/patch-messageviewer_src_CMakeLists_txt
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-messageviewer_src_CMakeLists_txt 9 Jul 2025 07:55:10
> -0000
> @@ -0,0 +1,12 @@
> +Index: messageviewer/src/CMakeLists.txt
> +--- messageviewer/src/CMakeLists.txt.orig
> ++++ messageviewer/src/CMakeLists.txt
> +@@ -425,7 +425,7 @@ target_link_libraries(KPim6MessageViewer
> + Qt::PrintSupport
> + KF6::Notifications
> + KF6::TextAddonsWidgets
> +- OpenSSL::SSL
> ++ crypto
> + )
> +
> + if(TARGET KF6::TextEditTextToSpeech)
> Index: patches/patch-messageviewer_src_dkim-verify_CMakeLists_txt
> ===================================================================
> RCS file: patches/patch-messageviewer_src_dkim-verify_CMakeLists_txt
> diff -N patches/patch-messageviewer_src_dkim-verify_CMakeLists_txt
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-messageviewer_src_dkim-verify_CMakeLists_txt 9 Jul
> 2025 07:21:49 -0000
> @@ -0,0 +1,10 @@
> +Index: messageviewer/src/dkim-verify/CMakeLists.txt
> +--- messageviewer/src/dkim-verify/CMakeLists.txt.orig
> ++++ messageviewer/src/dkim-verify/CMakeLists.txt
> +@@ -1,5 +1,5 @@
> + # SPDX-License-Identifier: CC0-1.0
> + # SPDX-FileCopyrightText: none
> + if(BUILD_TESTING)
> +- add_subdirectory(autotests)
> ++ #add_subdirectory(autotests)
> + endif()
> Index: patches/patch-messageviewer_src_dkim-verify_dkimchecksignaturejob_cpp
> ===================================================================
> RCS file:
> patches/patch-messageviewer_src_dkim-verify_dkimchecksignaturejob_cpp
> diff -N patches/patch-messageviewer_src_dkim-verify_dkimchecksignaturejob_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-messageviewer_src_dkim-verify_dkimchecksignaturejob_cpp
> 9 Jul 2025 08:33:43 -0000
> @@ -0,0 +1,58 @@
> +Index: messageviewer/src/dkim-verify/dkimchecksignaturejob.cpp
> +--- messageviewer/src/dkim-verify/dkimchecksignaturejob.cpp.orig
> ++++ messageviewer/src/dkim-verify/dkimchecksignaturejob.cpp
> +@@ -19,8 +19,12 @@
> + #include <QRegularExpression>
> +
> + #include <openssl/bn.h>
> ++#ifdef LIBRESSL_VERSION_NUMBER
> ++#include <openssl/x509.h>
> ++#else
> + #include <openssl/core_names.h>
> + #include <openssl/decoder.h>
> ++#endif
> + #include <openssl/err.h>
> + #include <openssl/evp.h>
> + #include <openssl/rsa.h>
> +@@ -510,6 +514,7 @@ using EVPPKeyPtr = std::unique_ptr<EVP_PKEY, decltype(
> + EVPPKeyPtr loadRSAPublicKey(const QByteArray &der)
> + {
> + EVP_PKEY *pubKey = nullptr;
> ++#ifndef LIBRESSL_VERSION_NUMBER
> + std::unique_ptr<OSSL_DECODER_CTX, decltype(&OSSL_DECODER_CTX_free)>
> decoderCtx(
> + OSSL_DECODER_CTX_new_for_pkey(&pubKey, "DER", nullptr, "RSA",
> EVP_PKEY_PUBLIC_KEY, nullptr, nullptr),
> + OSSL_DECODER_CTX_free);
> +@@ -517,10 +522,16 @@ EVPPKeyPtr loadRSAPublicKey(const QByteArray &der)
> + qCWarning(MESSAGEVIEWER_DKIMCHECKER_LOG) << "Failed to create
> OSSL_DECODER_CTX";
> + return {nullptr, EVP_PKEY_free};
> + }
> ++#endif
> +
> + const auto rawDer = QByteArray::fromBase64(der);
> ++#ifdef LIBRESSL_VERSION_NUMBER
> ++ const unsigned char *p = reinterpret_cast<const unsigned char
> *>(rawDer.constData());
> ++ if ((pubKey = d2i_PUBKEY(nullptr, &p, rawDer.size())) == nullptr) {
> ++#else
> + std::unique_ptr<BIO, decltype(&BIO_free)>
> pubKeyBio(BIO_new_mem_buf(rawDer.constData(), rawDer.size()), BIO_free);
> + if (!OSSL_DECODER_from_bio(decoderCtx.get(), pubKeyBio.get())) {
> ++#endif
> + // No need to free pubKey, it's initialized by this function only
> on success
> + qCWarning(MESSAGEVIEWER_DKIMCHECKER_LOG) << "Failed to decode
> public key:" << ERR_error_string(ERR_get_error(), nullptr);
> + return {nullptr, EVP_PKEY_free};
> +@@ -575,11 +586,16 @@ std::optional<bool> doVerifySignature(EVP_PKEY *key, c
> +
> +
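Review bot: The LibreSSL branch of loadRSAPublicKey (hunk `@@ -517,10 +522,16 @@`) no longer restricts the decoded key to RSA: `d2i_PUBKEY` accepts any SubjectPublicKeyInfo algorithm, whereas the OpenSSL branch passes `"RSA"` to `OSSL_DECODER_CTX_new_for_pkey`. The base64 blob presumably comes from the signer's published DKIM key record (the caller is not in the hunk), so a non-RSA key should be rejected once decoding has succeeded, e.g. `if (EVP_PKEY_id(pubKey) != EVP_PKEY_RSA) { EVP_PKEY_free(pubKey); return {nullptr, EVP_PKEY_free}; }`. It would also be worth checking that `p` ended at `rawDer.constData() + rawDer.size()`, so bytes trailing the key are not silently accepted. The function continues past the end of the hunk, so a type check further down cannot be ruled out from here.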
uint64_t getKeyE(EVP_PKEY *key)
> + {
> ++#ifdef LIBRESSL_VERSION_NUMBER
> ++ const RSA *rsa = EVP_PKEY_get0_RSA(key);
> ++ return BN_get_word(RSA_get0_e(rsa));
> ++#else
> + BIGNUM *bne = nullptr;
> + EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_RSA_E, &bne);
> + const uint64_t size = BN_get_word(bne);
> + BN_free(bne);
> + return size;
> ++#endif
> + }
> +
> + void DKIMCheckSignatureJob::verifyRSASignature()
>
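Review bot: In the LibreSSL branch of getKeyE the result of `EVP_PKEY_get0_RSA(key)` is handed to `RSA_get0_e` unchecked; it is NULL whenever `key` does not hold an RSA key, which turns an unexpected key type into a null-pointer dereference. A guard such as `if (rsa == nullptr) return 0;` before the `return` would avoid that, assuming the caller (outside this hunk) treats 0 as an unacceptable exponent, which needs confirming. `BN_get_word` also returns an all-ones value when the exponent does not fit in an unsigned long, so a comment like `// BN_get_word returns all ones if e is too large; callers must treat that as invalid` would document the second sentinel.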