HBSD: www/tomcat-native: Fix build with LibreSSL

- Remove IGNORE for LibreSSL - Add patches for OPENSSL_VERSION_CHECKS - Add compat macro and function Signed-off-by: Bernard Spil <bernard.spil@hardenedbsd.org>
HardenedBSD · Dec 10, 2016 · 5ec2147 · 5ec2147
1 parent d6e2e95
commit 5ec2147
Show file tree

Hide file tree

Showing 6 changed files with 253 additions and 5 deletions.
diff --git a/www/tomcat-native/Makefile b/www/tomcat-native/Makefile
@@ -1,5 +1,5 @@
 # Created by: Alex Dupre <ale@FreeBSD.org>
-# $FreeBSD$
+# $FreeBSD: head/www/tomcat-native/Makefile 422874 2016-09-28 13:47:53Z mat $
 
 PORTNAME=	tomcat-native
 PORTVERSION=	1.2.7
@@ -40,8 +40,4 @@ IGNORE_FreeBSD_9=	Requires OpenSSL 1.0.2 (set DEFAULT_VERSIONS+=ssl=openssl)
 IGNORE_FreeBSD_10=	Requires OpenSSL 1.0.2 (set DEFAULT_VERSIONS+=ssl=openssl)
 .endif
 
-.if ${SSL_DEFAULT:Mlibressl*}
-IGNORE=	Detected LibreSSL (missing numerous symbols during linking)
-.endif
-
 .include <bsd.port.post.mk>
diff --git a/www/tomcat-native/files/patch-include_ssl__private.h b/www/tomcat-native/files/patch-include_ssl__private.h
@@ -0,0 +1,32 @@
+--- include/ssl_private.h.orig	2016-04-19 10:08:10 UTC
++++ include/ssl_private.h
+@@ -49,6 +49,9 @@
+ /* Avoid tripping over an engine build installed globally and detected
+  * when the user points at an explicit non-engine flavor of OpenSSL
+  */
++#ifdef LIBRESSL_VERSION_NUMBER
++#define OPENSSL_NO_ENGINE
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+ #endif
+@@ -204,7 +207,7 @@
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+
+ /* OpenSSL 1.0.2 compatibility */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100001L || defined(LIBRESSL_VERSION_NUMBER)
+ #define OpenSSL_version                  SSLeay_version
+ #define OpenSSL_version_num              SSLeay
+ #define OPENSSL_VERSION                  SSLEAY_VERSION
+@@ -231,6 +234,10 @@
+ #define TLS_server_method                SSLv23_server_method
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
++#ifdef LIBRESSL_VERSION_NUMBER
++#define SSL_CTX_add0_chain_cert          SSL_CTX_add_extra_chain_cert
++#endif
++
+ #define MAX_ALPN_NPN_PROTO_SIZE 65535
+ #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
+
diff --git a/www/tomcat-native/files/patch-src_ssl.c b/www/tomcat-native/files/patch-src_ssl.c
@@ -0,0 +1,110 @@
+--- src/ssl.c.orig	2016-04-19 10:08:10 UTC
++++ src/ssl.c
+@@ -34,7 +34,7 @@ tcn_pass_cb_t tcn_password_callback;
+ static jclass byteArrayClass;
+ static jclass stringClass;
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Global reference to the pool used by the dynamic mutexes */
+ static apr_pool_t *dynlockpool = NULL;
+
+@@ -193,7 +193,7 @@ static const jint supported_ssl_opts = 0
+ #endif
+      | 0;
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL Pre-1.1.0 compatibility */
+ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+@@ -295,7 +295,7 @@ DH *SSL_get_dh_params(unsigned keylen)
+     return NULL; /* impossible to reach. */
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ static void init_bio_methods(void);
+ static void free_bio_methods(void);
+ #endif
+@@ -330,7 +330,7 @@ static apr_status_t ssl_init_cleanup(voi
+                          tcn_password_callback.cb.obj);
+     }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     free_bio_methods();
+ #endif
+     free_dh_params();
+@@ -349,7 +349,7 @@ static apr_status_t ssl_init_cleanup(voi
+     ENGINE_cleanup();
+ #endif
+     CRYPTO_cleanup_all_ex_data();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     ERR_remove_thread_state(NULL);
+ #else
+     ERR_remove_thread_state();
+@@ -387,7 +387,7 @@ static ENGINE *ssl_try_load_engine(const
+  * To ensure thread-safetyness in OpenSSL
+  */
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static apr_thread_mutex_t **ssl_lock_cs;
+ static int                  ssl_lock_num_locks;
+
+@@ -427,7 +427,7 @@ static unsigned long ssl_thread_id(void)
+ #endif
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static void ssl_set_thread_id(CRYPTO_THREADID *id)
+ {
+     CRYPTO_THREADID_set_numeric(id, ssl_thread_id());
+@@ -720,7 +720,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
+ #endif
+     OPENSSL_load_builtin_modules();
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* Initialize thread support */
+     ssl_thread_setup(tcn_global_pool);
+ #endif
+@@ -766,7 +766,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
+     SSL_init_app_data2_3_idx();
+
+     init_dh_params();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     init_bio_methods();
+ #endif
+
+@@ -928,7 +928,7 @@ static int jbs_new(BIO *bi)
+     j->refcount  = 1;
+     BIO_set_shutdown(bi, 1);
+     BIO_set_init(bi, 0);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* No setter method for OpenSSL 1.1.0 available,
+      * but I can't find any functional use of the
+      * "num" field there either.
+@@ -1064,7 +1064,7 @@ static long jbs_ctrl(BIO *b, int cmd, lo
+     return ret;
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static BIO_METHOD jbs_methods = {
+     BIO_TYPE_FILE,
+     "Java Callback",
+@@ -1100,7 +1100,7 @@ static void free_bio_methods(void)
+
+ static BIO_METHOD *BIO_jbs()
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     return(&jbs_methods);
+ #else
+     return jbs_methods;
diff --git a/www/tomcat-native/files/patch-src_sslcontext.c b/www/tomcat-native/files/patch-src_sslcontext.c
@@ -0,0 +1,83 @@
+--- src/sslcontext.c.orig	2016-04-18 09:49:28 UTC
++++ src/sslcontext.c
+@@ -139,7 +139,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+     tcn_ssl_ctxt_t *c = NULL;
+     SSL_CTX *ctx = NULL;
+     jclass clazz;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     jint prot;
+ #endif
+
+@@ -224,7 +224,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* always disable SSLv2, as per RFC 6176 */
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+     if (!(protocol & SSL_PROTOCOL_SSLV3))
+@@ -240,7 +240,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
+ #endif
+
+-#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+     /* We first determine the maximum protocol version we should provide */
+     if (protocol & SSL_PROTOCOL_TLSV1_2) {
+         prot = TLS1_2_VERSION;
+@@ -269,7 +269,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+         prot = SSL3_VERSION;
+     }
+     SSL_CTX_set_min_proto_version(ctx, prot);
+-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+ 
+     /*
+      * Configure additional context ingredients
+@@ -1577,7 +1577,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, set
+ }
+ 
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /*
+  * Adapted from OpenSSL:
+@@ -1677,7 +1677,7 @@ static const char* SSL_CIPHER_authentica
+     if (cipher == NULL) {
+         return "UNKNOWN";
+     }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     kx = cipher->algorithm_mkey;
+     auth = cipher->algorithm_auth;
+ #else
+@@ -1689,7 +1689,7 @@ static const char* SSL_CIPHER_authentica
+         {
+     case TCN_SSL_kRSA:
+         return SSL_TXT_RSA;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     case TCN_SSL_kDHr:
+         return SSL_TXT_DH "_" SSL_TXT_RSA;
+     case TCN_SSL_kDHd:
+@@ -1707,7 +1707,7 @@ static const char* SSL_CIPHER_authentica
+         default:
+             return "UNKNOWN";
+             }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     case TCN_SSL_kKRB5:
+         return SSL_TXT_KRB5;
+     case TCN_SSL_kECDHr:
+@@ -1733,7 +1733,7 @@ static const char* SSL_CIPHER_authentica
+ }
+ 
+ static const char* SSL_authentication_method(const SSL* ssl) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+    return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher);
+ #else
+     /* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */
diff --git a/www/tomcat-native/files/patch-src_sslinfo.c b/www/tomcat-native/files/patch-src_sslinfo.c
@@ -0,0 +1,16 @@
+--- src/sslinfo.c.orig	2016-03-23 18:06:39 UTC
++++ src/sslinfo.c
+@@ -25,6 +25,13 @@
+ #ifdef HAVE_OPENSSL
+ #include "ssl_private.h"
+
++#ifdef LIBRESSL_VERSION_NUMBER
++int X509_get_signature_nid(const X509 *x)
++{
++    return OBJ_obj2nid(x->sig_alg->algorithm);
++}
++#endif
++
+ static const char *hex_basis = "0123456789ABCDEF";
+
+ static char *convert_to_hex(const void *buf, size_t len)
diff --git a/www/tomcat-native/files/patch-src_sslutils.c b/www/tomcat-native/files/patch-src_sslutils.c
@@ -0,0 +1,11 @@
+--- src/sslutils.c.orig	2016-04-19 09:15:43 UTC
++++ src/sslutils.c
+@@ -504,7 +504,7 @@ static int ssl_verify_OCSP(int ok, X509_
+          * may yield NULL. Return early, but leave the ctx error as is. */
+         return OCSP_STATUS_UNKNOWN;
+     }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ #else
+     /* No need to check cert->valid, because ssl_verify_OCSP() only