Hello, Here's a proposed diff to build sqlcipher against OpenSSL 3.5 for EVP_MAC API support. I was working through an update for net/flare-messenger, and a recent change there brings in a vendored BoringSSL version. The vendored copy of sqlcipher in libsqlite3-sys wants to compile against an OpenSSL that supports EVP_MAC, which conflicts with BoringSSL when linking.
Following FreeBSD's approach, libsqlite3-sys/presage/rusqlite can use an external version of sqlcipher which allows the flare update to build and link as expected. The column metadata and unlock notify extensions are also required for the flare update. Thoughts? Thanks, Lucas
diff refs/heads/master refs/heads/sqlcipher
commit - 659a7907c02ba41794f66c9916169435e1147ecd
commit + d9d0ee1f0761bd7bf721db8d01275bd9d10157d6
blob - dab6e29e7c9b8bf15c9979a3d470bdbc330051a4
blob + 3b4f746b03054cc8e2d4a8d76c1df46d11cb2c6c
--- databases/sqlcipher/Makefile
+++ databases/sqlcipher/Makefile
@@ -3,8 +3,9 @@ COMMENT= encrypted SQLite database
 GH_ACCOUNT= sqlcipher
 GH_PROJECT= sqlcipher
 GH_TAGNAME= v4.16.0
+REVISION = 0
-SHARED_LIBS += sqlcipher 3.3
+SHARED_LIBS += sqlcipher 4.0
 CATEGORIES= databases
@@ -13,8 +14,14 @@ HOMEPAGE= https://www.zetetic.net/sqlcipher/
 # PD and BSD
 PERMIT_PACKAGE= Yes
-WANTLIB += c crypto curses m pthread readline z
+OPENSSL_VSN = 3.5
+EOPENSSL_VSN = eopenssl${OPENSSL_VSN:C/\.//}
+EOPENSSL_LIB = ${LOCALBASE}/lib/${EOPENSSL_VSN}
+EOPENSSL_INC = ${LOCALBASE}/include/${EOPENSSL_VSN}
+WANTLIB += c curses m pthread readline z
+WANTLIB += lib/${EOPENSSL_VSN}/crypto
+
 DEBUG_PACKAGES= ${BUILD_PACKAGES}
 MODULES= lang/tcl
@@ -22,6 +29,8 @@ MODTCL_VERSION= 8.6
 BUILD_DEPENDS= ${MODTCL_BUILD_DEPENDS}
+LIB_DEPENDS = security/openssl/${OPENSSL_VSN}
+
 CONFIGURE_STYLE= simple
 CONFIGURE_ARGS= --soname=${LIBsqlcipher_VERSION} \
@@ -32,15 +41,19 @@ CONFIGURE_ARGS= --soname=${LIBsqlcipher_VERSION} \
 CONFIGURE_ENV= CCACHE=None \
 CFLAGS='${CFLAGS}' \
- LDFLAGS='${LDFLAGS}' \
+ LDFLAGS='${LDFLAGS} ${LIBS}' \
 autosetup_tclsh=${MODTCL_BIN}
 CFLAGS+= -DOMIT_MEMLOCK \
 -DSQLITE_EXTRA_INIT=sqlcipher_extra_init \
 -DSQLITE_EXTRA_SHUTDOWN=sqlcipher_extra_shutdown \
- -DSQLITE_HAS_CODEC
+ -DSQLITE_HAS_CODEC \
+ -DSQLITE_ENABLE_COLUMN_METADATA \
+ -DSQLITE_ENABLE_UNLOCK_NOTIFY \
+ -I${EOPENSSL_INC}
-LDFLAGS+= -lcrypto
+LDFLAGS+= -L${EOPENSSL_LIB} -lcrypto
+LIBS+= -Wl,-rpath -Wl,${EOPENSSL_LIB}
 post-install:
 mv ${PREFIX}/bin/{sqlite3,sqlcipher}
blob - 6745e2d1cf8d2b21696d41b19fb56e2f9d5b82fc (mode 644)
blob + /dev/null
--- databases/sqlcipher/patches/patch-src_crypto_openssl_c
+++ /dev/null
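Review bot: The `WANTLIB += lib/${EOPENSSL_VSN}/crypto` line in the second Makefile hunk makes libsqlcipher depend on the ports OpenSSL libcrypto instead of the base one, and nothing in the Makefile records why. The deleted patches/patch-src_crypto_openssl_c carried that explanation, so a comment above `OPENSSL_VSN = 3.5` such as `# upstream uses the OpenSSL 3 EVP_MAC API, which LibreSSL does not provide` would keep it. It is also worth confirming that no existing consumer of libsqlcipher loads the base libcrypto as well, since two libcrypto copies with overlapping symbol names in one process would presumably be resolved by load order; the hunk cannot show who links against this library.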
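Review bot: The rpath added at the end of the last Makefile hunk reaches the linker only through the new `LIBS` variable, which the visible lines expand nowhere except inside `LDFLAGS='${LDFLAGS} ${LIBS}'`. Unless something outside the hunk reads `LIBS`, keeping it on the existing line is simpler, `LDFLAGS+= -L${EOPENSSL_LIB} -Wl,-rpath,${EOPENSSL_LIB} -lcrypto`, and leaves CONFIGURE_ENV untouched. The earlier contents of `${LDFLAGS}` are not visible here, so an earlier `-L` could still select a different libcrypto than the headers from `-I${EOPENSSL_INC}`. Checking the built library's NEEDED and RPATH/RUNPATH entries with `readelf -d` would confirm that headers and library come from the same eopenssl install.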
@@ -1,94 +0,0 @@
-LibreSSL does not support the OpenSSL 3 EVP_MAC API
-
-Partial revert of
-https://github.com/sqlcipher/sqlcipher/commit/801b81a8d0c42c13f66de89805c3bfa0d1d450aa
-
-Index: src/crypto_openssl.c
---- src/crypto_openssl.c.orig
-+++ src/crypto_openssl.c
-@@ -156,6 +156,76 @@ static int sqlcipher_openssl_hmac(
- ) {
- int rc = 0;
-
-+#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L)
-+ unsigned int outlen;
-+ HMAC_CTX* hctx = NULL;
-+
-+ if(in == NULL) goto error;
-+
-+ hctx = HMAC_CTX_new();
-+ if(hctx == NULL) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_CTX_new() failed");
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+
-+ switch(algorithm) {
-+ case SQLCIPHER_HMAC_SHA1:
-+ if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha1() returned %d", key_sz, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+ break;
-+ case SQLCIPHER_HMAC_SHA256:
-+ if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha256(), NULL))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha256() returned %d", key_sz, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+ break;
-+ case SQLCIPHER_HMAC_SHA512:
-+ if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha512(), NULL))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha512() returned %d", key_sz, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+ break;
-+ default:
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: invalid algorithm %d", algorithm);
-+ goto error;
-+ }
-+
-+ if(!(rc = HMAC_Update(hctx, in, in_sz))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Update() on 1st input buffer of %d bytes using algorithm %d returned %d", in_sz, algorithm, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+
-+ if(in2 != NULL) {
-+ if(!(rc = HMAC_Update(hctx, in2, in2_sz))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Update() on 2nd input buffer of %d bytes using algorithm %d returned %d", in2_sz, algorithm, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+ }
-+
-+ if(!(rc = HMAC_Final(hctx, out, &outlen))) {
-+ sqlcipher_log(SQLCIPHER_LOG_ERROR, SQLCIPHER_LOG_PROVIDER, "sqlcipher_openssl_hmac: HMAC_Final() using algorithm %d returned %d", algorithm, rc);
-+ sqlcipher_openssl_log_errors();
-+ goto error;
-+ }
-+
-+ rc = SQLITE_OK;
-+ goto cleanup;
-+
-+error:
-+ rc = SQLITE_ERROR;
-+
-+cleanup:
-+ if(hctx) HMAC_CTX_free(hctx);
-+
-+#else
- size_t outlen;
- EVP_MAC *mac = NULL;
- EVP_MAC_CTX *hctx = NULL;
-@@ -241,6 +311,8 @@ error:
- cleanup:
- if(hctx) EVP_MAC_CTX_free(hctx);
- if(mac) EVP_MAC_free(mac);
-+
-+#endif
-
- return rc;
- }
