HBSD: www/tomcat-native: Fix build with LibreSSL
- Remove IGNORE for LibreSSL
- Add patches for OPENSSL_VERSION_CHECKS
- Add compat macro and function

Signed-off-by: Bernard Spil <bernard.spil@hardenedbsd.org>
Showing 6 changed files with 253 additions and 5 deletions.
@@ -0,0 +1,32 @@ | ||
--- include/ssl_private.h.orig 2016-04-19 10:08:10 UTC | ||
+++ include/ssl_private.h | ||
@@ -49,6 +49,9 @@ | ||
/* Avoid tripping over an engine build installed globally and detected | ||
* when the user points at an explicit non-engine flavor of OpenSSL | ||
*/ | ||
+#ifdef LIBRESSL_VERSION_NUMBER | ||
+#define OPENSSL_NO_ENGINE | ||
+#endif | ||
#ifndef OPENSSL_NO_ENGINE | ||
#include <openssl/engine.h> | ||
#endif | ||
@@ -204,7 +207,7 @@ | ||
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ | ||
|
||
/* OpenSSL 1.0.2 compatibility */ | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100001L || defined(LIBRESSL_VERSION_NUMBER) | ||
#define OpenSSL_version SSLeay_version | ||
#define OpenSSL_version_num SSLeay | ||
#define OPENSSL_VERSION SSLEAY_VERSION | ||
@@ -231,6 +234,10 @@ | ||
#define TLS_server_method SSLv23_server_method | ||
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ | ||
|
||
+#ifdef LIBRESSL_VERSION_NUMBER | ||
+#define SSL_CTX_add0_chain_cert SSL_CTX_add_extra_chain_cert | ||
+#endif | ||
+ | ||
#define MAX_ALPN_NPN_PROTO_SIZE 65535 | ||
#define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 | ||
|
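Review bot: The threshold on the `#if` guarding the OpenSSL_version/SSLeay_version compat block is changed to `0x10100001L`, while every other check in this commit, and the closing `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` a few lines below it, uses `0x10100000L`; this looks like a typo, and it quietly pulls the 1.1.0 development version into the pre-1.1.0 branch. Suggest `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` so the open and close of the block agree. The `SSL_CTX_add0_chain_cert` to `SSL_CTX_add_extra_chain_cert` macro is not a drop-in replacement: add0_chain_cert attaches the chain to the currently selected certificate, whereas add_extra_chain_cert installs one context-wide chain shared by every certificate, so a context carrying more than one certificate would serve the wrong chain under LibreSSL; a comment such as `/* LibreSSL: no per-certificate chains; the extra chain is shared by all certs in this ctx */` belongs next to the define. The unconditional `#define OPENSSL_NO_ENGINE` under LibreSSL also deserves its own one-line comment, since it now sits directly under the existing comment about the "engine build installed globally" workaround and reads as part of it.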
@@ -0,0 +1,110 @@ | ||
--- src/ssl.c.orig 2016-04-19 10:08:10 UTC | ||
+++ src/ssl.c | ||
@@ -34,7 +34,7 @@ tcn_pass_cb_t tcn_password_callback; | ||
static jclass byteArrayClass; | ||
static jclass stringClass; | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* Global reference to the pool used by the dynamic mutexes */ | ||
static apr_pool_t *dynlockpool = NULL; | ||
|
||
@@ -193,7 +193,7 @@ static const jint supported_ssl_opts = 0 | ||
#endif | ||
| 0; | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* OpenSSL Pre-1.1.0 compatibility */ | ||
/* Taken from OpenSSL 1.1.0 snapshot 20160410 */ | ||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) | ||
@@ -295,7 +295,7 @@ DH *SSL_get_dh_params(unsigned keylen) | ||
return NULL; /* impossible to reach. */ | ||
} | ||
|
||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
static void init_bio_methods(void); | ||
static void free_bio_methods(void); | ||
#endif | ||
@@ -330,7 +330,7 @@ static apr_status_t ssl_init_cleanup(voi | ||
tcn_password_callback.cb.obj); | ||
} | ||
|
||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
free_bio_methods(); | ||
#endif | ||
free_dh_params(); | ||
@@ -349,7 +349,7 @@ static apr_status_t ssl_init_cleanup(voi | ||
ENGINE_cleanup(); | ||
#endif | ||
CRYPTO_cleanup_all_ex_data(); | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
ERR_remove_thread_state(NULL); | ||
#else | ||
ERR_remove_thread_state(); | ||
@@ -387,7 +387,7 @@ static ENGINE *ssl_try_load_engine(const | ||
* To ensure thread-safetyness in OpenSSL | ||
*/ | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
static apr_thread_mutex_t **ssl_lock_cs; | ||
static int ssl_lock_num_locks; | ||
|
||
@@ -427,7 +427,7 @@ static unsigned long ssl_thread_id(void) | ||
#endif | ||
} | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
static void ssl_set_thread_id(CRYPTO_THREADID *id) | ||
{ | ||
CRYPTO_THREADID_set_numeric(id, ssl_thread_id()); | ||
@@ -720,7 +720,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize | ||
#endif | ||
OPENSSL_load_builtin_modules(); | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* Initialize thread support */ | ||
ssl_thread_setup(tcn_global_pool); | ||
#endif | ||
@@ -766,7 +766,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize | ||
SSL_init_app_data2_3_idx(); | ||
|
||
init_dh_params(); | ||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
init_bio_methods(); | ||
#endif | ||
|
||
@@ -928,7 +928,7 @@ static int jbs_new(BIO *bi) | ||
j->refcount = 1; | ||
BIO_set_shutdown(bi, 1); | ||
BIO_set_init(bi, 0); | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* No setter method for OpenSSL 1.1.0 available, | ||
* but I can't find any functional use of the | ||
* "num" field there either. | ||
@@ -1064,7 +1064,7 @@ static long jbs_ctrl(BIO *b, int cmd, lo | ||
return ret; | ||
} | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
static BIO_METHOD jbs_methods = { | ||
BIO_TYPE_FILE, | ||
"Java Callback", | ||
@@ -1100,7 +1100,7 @@ static void free_bio_methods(void) | ||
|
||
static BIO_METHOD *BIO_jbs() | ||
{ | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
return(&jbs_methods); | ||
#else | ||
return jbs_methods; |
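Review bot: The same `|| defined(LIBRESSL_VERSION_NUMBER)` / `&& !defined(LIBRESSL_VERSION_NUMBER)` clause is appended by hand to every version check in this file, and again in sslcontext.c and sslutils.c, and the first file in this commit already shows the pattern drifting (a `0x10100001L` threshold in ssl_private.h). A single feature macro defined once in ssl_private.h, for example (name illustrative) `#define TCN_OPENSSL_LEGACY_API (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))` with each site becoming `#if TCN_OPENSSL_LEGACY_API` or `#if !TCN_OPENSSL_LEGACY_API`, would keep the two directions in sync and make a future LibreSSL version cut-off a one-line change. The legacy branch here also relies on `BIO_METHOD` being a non-opaque struct (the `static BIO_METHOD jbs_methods = { BIO_TYPE_FILE, ... }` initializer); that presumably holds for the LibreSSL this commit targets but not for a release that makes `BIO_METHOD` opaque, so a comment recording that assumption next to the definition would help. `BIO_jbs` and the other enclosing functions start or end outside these hunks.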
@@ -0,0 +1,83 @@ | ||
--- src/sslcontext.c.orig 2016-04-18 09:49:28 UTC | ||
+++ src/sslcontext.c | ||
@@ -139,7 +139,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma | ||
tcn_ssl_ctxt_t *c = NULL; | ||
SSL_CTX *ctx = NULL; | ||
jclass clazz; | ||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
jint prot; | ||
#endif | ||
|
||
@@ -224,7 +224,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma | ||
BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); | ||
SSL_CTX_set_options(c->ctx, SSL_OP_ALL); | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* always disable SSLv2, as per RFC 6176 */ | ||
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); | ||
if (!(protocol & SSL_PROTOCOL_SSLV3)) | ||
@@ -240,7 +240,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma | ||
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2); | ||
#endif | ||
|
||
-#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ | ||
+#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ | ||
/* We first determine the maximum protocol version we should provide */ | ||
if (protocol & SSL_PROTOCOL_TLSV1_2) { | ||
prot = TLS1_2_VERSION; | ||
@@ -269,7 +269,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma | ||
prot = SSL3_VERSION; | ||
} | ||
SSL_CTX_set_min_proto_version(ctx, prot); | ||
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ | ||
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ | ||
/* | ||
* Configure additional context ingredients | ||
@@ -1577,7 +1577,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, set | ||
} | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
/* | ||
* Adapted from OpenSSL: | ||
@@ -1677,7 +1677,7 @@ static const char* SSL_CIPHER_authentica | ||
if (cipher == NULL) { | ||
return "UNKNOWN"; | ||
} | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
kx = cipher->algorithm_mkey; | ||
auth = cipher->algorithm_auth; | ||
#else | ||
@@ -1689,7 +1689,7 @@ static const char* SSL_CIPHER_authentica | ||
{ | ||
case TCN_SSL_kRSA: | ||
return SSL_TXT_RSA; | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
case TCN_SSL_kDHr: | ||
return SSL_TXT_DH "_" SSL_TXT_RSA; | ||
case TCN_SSL_kDHd: | ||
@@ -1707,7 +1707,7 @@ static const char* SSL_CIPHER_authentica | ||
default: | ||
return "UNKNOWN"; | ||
} | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
case TCN_SSL_kKRB5: | ||
return SSL_TXT_KRB5; | ||
case TCN_SSL_kECDHr: | ||
@@ -1733,7 +1733,7 @@ static const char* SSL_CIPHER_authentica | ||
} | ||
static const char* SSL_authentication_method(const SSL* ssl) { | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher); | ||
#else | ||
/* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */ |
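Review bot: Routing LibreSSL through the pre-1.1.0 branch makes the port depend on LibreSSL keeping `SSL_CIPHER` (`cipher->algorithm_mkey`, `cipher->algorithm_auth`) and `SSL` (`ssl->s3->tmp.new_cipher`) as public structs, and the sslutils.c hunk does the same with `cert->valid` on `X509`; nothing in the patch records that this struct visibility, rather than a missing function, is why LibreSSL is grouped with old OpenSSL. A short comment at the first such site, e.g. `/* LibreSSL still exposes the pre-1.1.0 struct layout, so it takes the legacy path here */`, would tell the next maintainer what to re-check when LibreSSL makes these types opaque. The protocol-selection hunk likewise sends LibreSSL down the `SSL_OP_NO_*` path instead of `SSL_CTX_set_min_proto_version`; if the LibreSSL being targeted provides the min/max proto version setters, the `&& !defined(LIBRESSL_VERSION_NUMBER)` on that branch (and on the matching `jint prot;` declaration) could be dropped, and if it was kept only for uniformity that is worth stating in the comment. All of these hunks sit inside functions whose start and end are outside the view.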
@@ -0,0 +1,16 @@ | ||
--- src/sslinfo.c.orig 2016-03-23 18:06:39 UTC | ||
+++ src/sslinfo.c | ||
@@ -25,6 +25,13 @@ | ||
#ifdef HAVE_OPENSSL | ||
#include "ssl_private.h" | ||
|
||
+#ifdef LIBRESSL_VERSION_NUMBER | ||
+int X509_get_signature_nid(const X509 *x) | ||
+{ | ||
+ return OBJ_obj2nid(x->sig_alg->algorithm); | ||
+} | ||
+#endif | ||
+ | ||
static const char *hex_basis = "0123456789ABCDEF"; | ||
|
||
static char *convert_to_hex(const void *buf, size_t len) |
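Review bot: The LibreSSL fallback defines a non-static `X509_get_signature_nid` with external linkage, guarded only by `#ifdef LIBRESSL_VERSION_NUMBER`; any LibreSSL release that ships its own `X509_get_signature_nid` will then fail with a conflicting declaration or a duplicate symbol at link time, and the reliance on `x->sig_alg` being a visible struct member has the same lifetime. Narrow the guard to the versions that actually lack it, `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <first LibreSSL version that provides X509_get_signature_nid>`, and add a one-line comment noting that the body appears to mirror OpenSSL 1.0.2's own implementation (`OBJ_obj2nid(x->sig_alg->algorithm)`) so the two stay comparable. Marking the function `static` is not a substitute, since a later header prototype would then conflict with a static definition.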
@@ -0,0 +1,11 @@ | ||
--- src/sslutils.c.orig 2016-04-19 09:15:43 UTC | ||
+++ src/sslutils.c | ||
@@ -504,7 +504,7 @@ static int ssl_verify_OCSP(int ok, X509_ | ||
* may yield NULL. Return early, but leave the ctx error as is. */ | ||
return OCSP_STATUS_UNKNOWN; | ||
} | ||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | ||
else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { | ||
#else | ||
/* No need to check cert->valid, because ssl_verify_OCSP() only |