Date:      Mon, 12 Sep 2016 01:19:35 +0000 (UTC)
From:      John Marino <marino@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r421891 - in head/security/stunnel: . files
Message-ID:  <201609120119.u8C1JZK7069098@repo.freebsd.org>

Author: marino
Date: Mon Sep 12 01:19:35 2016
New Revision: 421891
URL: https://svnweb.freebsd.org/changeset/ports/421891

Log:
  security/stunnel: Support building with LibreSSL
  
  Approved by:	SSL blanket

Added:
  head/security/stunnel/files/patch-src_common.h   (contents, props changed)
  head/security/stunnel/files/patch-src_ctx.c   (contents, props changed)
  head/security/stunnel/files/patch-src_prototypes.h   (contents, props changed)
  head/security/stunnel/files/patch-src_ssl.c   (contents, props changed)
  head/security/stunnel/files/patch-src_sthreads.c   (contents, props changed)
  head/security/stunnel/files/patch-src_verify.c   (contents, props changed)
Modified:
  head/security/stunnel/Makefile

Modified: head/security/stunnel/Makefile
==============================================================================
--- head/security/stunnel/Makefile	Mon Sep 12 00:54:03 2016	(r421890)
+++ head/security/stunnel/Makefile	Mon Sep 12 01:19:35 2016	(r421891)
@@ -28,10 +28,9 @@ COMMENT=	SSL encryption wrapper for stan
 LICENSE=	GPLv2 GPLv3
 LICENSE_COMB=	dual
 
-USES=		cpe libtool perl5 shebangfix
+USES=		cpe libtool perl5 shebangfix ssl
 USE_PERL5=	build
 USE_LDCONFIG=	yes
-USE_OPENSSL=	yes
 USE_RC_SUBR=	stunnel
 
 GNU_CONFIGURE=	yes

Added: head/security/stunnel/files/patch-src_common.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_common.h	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,20 @@
+--- src/common.h.orig	2016-06-27 07:29:32 UTC
++++ src/common.h
+@@ -448,7 +448,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -474,7 +474,7 @@ extern char *sys_errlist[];
+ #include <openssl/des.h>
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ #endif /* OpenSSL older than 1.1.0 */
+ #endif /* !defined(OPENSSL_NO_DH) */
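Review bot: The trailing `#endif` comment on the second hunk, `#endif /* OpenSSL older than 1.1.0 */`, no longer describes the condition now that the `#if` also admits LibreSSL; a reader checking the guard against its closing comment will conclude the LibreSSL branch is a mistake. I would update it to `#endif /* OpenSSL older than 1.1.0 || LibreSSL */`. The same stale-comment pattern recurs in patch-src_verify.c (`/* OPENSSL_VERSION_NUMBER>=0x10002000L */` and `/* OPENSSL_VERSION_NUMBER<0x10002000L */`), and the two new nested `#endif` lines added in patch-src_sthreads.c carry no comment at all, where `#endif /* OPENSSL_VERSION_NUMBER>=0x10000000L */` would keep the nesting readable.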

Added: head/security/stunnel/files/patch-src_ctx.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_ctx.c	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,11 @@
+--- src/ctx.c.orig	2016-06-21 15:06:14 UTC
++++ src/ctx.c
+@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *
+ /**************************************** initialize OpenSSL CONF */
+ 
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CONF_CTX *cctx;
+     NAME_LIST *curr;
+     char *cmd, *param;

Added: head/security/stunnel/files/patch-src_prototypes.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_prototypes.h	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,18 @@
+--- src/prototypes.h.orig	2016-07-05 21:27:57 UTC
++++ src/prototypes.h
+@@ -650,13 +650,13 @@ typedef enum {
+ #endif /* OPENSSL_NO_DH */
+     STUNNEL_LOCKS                           /* number of locks */
+ } LOCK_TYPE;
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ typedef int STUNNEL_RWLOCK;
+ #else
+ typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
+ #endif
+ extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+-#if OPENSSL_VERSION_NUMBER>=0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
+ #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
+ #else

Added: head/security/stunnel/files/patch-src_ssl.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_ssl.c	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,11 @@
+--- src/ssl.c.orig	2016-06-02 13:43:49 UTC
++++ src/ssl.c
+@@ -78,7 +78,7 @@ int ssl_init(void) { /* init SSL before 
+ }
+ 
+ #ifndef OPENSSL_NO_DH
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
+  * to be linked against the older versions */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {

Added: head/security/stunnel/files/patch-src_sthreads.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_sthreads.c	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,59 @@
+--- src/sthreads.c.orig	2016-05-03 18:35:03 UTC
++++ src/sthreads.c
+@@ -45,7 +45,7 @@
+ 
+ STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
+ #endif
+ 
+@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, C
+ 
+ #ifdef USE_PTHREAD
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ struct CRYPTO_dynlock_value {
+     pthread_rwlock_t rwlock;
+@@ -263,16 +263,18 @@ unsigned long stunnel_thread_id(void) {
+ #endif
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10000000L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
+     CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
+ }
+ #endif
++#endif
+ 
+ int sthreads_init(void) {
+     int i;
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+     /* initialize the OpenSSL dynamic locking */
+     CRYPTO_set_dynlock_create_callback(dyn_create_function);
+     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
+@@ -345,7 +347,7 @@ int create_client(SOCKET ls, SOCKET s, C
+  * but it is unsupported on Windows XP (and earlier versions of Windows):
+  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ struct CRYPTO_dynlock_value {
+     CRITICAL_SECTION mutex;
+@@ -398,7 +400,7 @@ unsigned long stunnel_thread_id(void) {
+ int sthreads_init(void) {
+     int i;
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+     /* initialize the OpenSSL dynamic locking */
+     CRYPTO_set_dynlock_create_callback(dyn_create_function);
+     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);

Added: head/security/stunnel/files/patch-src_verify.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/stunnel/files/patch-src_verify.c	Mon Sep 12 01:19:35 2016	(r421891)
@@ -0,0 +1,64 @@
+--- src/verify.c.orig	2016-07-05 21:27:57 UTC
++++ src/verify.c
+@@ -178,14 +178,14 @@ NOEXPORT void auth_warnings(SERVICE_OPTI
+     if(section->option.verify_peer) /* verify_peer does not depend on PKI */
+         return;
+     if(section->option.verify_chain) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+         if(section->check_email || section->check_host || section->check_ip)
+             return;
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+         s_log(LOG_WARNING,
+             "Service [%s] uses \"verify = 2\" without subject checks",
+             section->servname);
+-#if OPENSSL_VERSION_NUMBER<0x10002000L
++#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+         s_log(LOG_WARNING,
+             "Rebuild your stunnel against OpenSSL version 1.0.2 or higher");
+ #endif /* OPENSSL_VERSION_NUMBER<0x10002000L */
+@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
+     }
+ 
+     if(depth==0) { /* additional peer certificate checks */
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+         if(!cert_check_subject(c, callback_ctx))
+             return 0; /* reject */
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
+     return 1; /* accept */
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
+     X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+     NAME_LIST *ptr;
+@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE
+     STACK_OF(X509) *sk;
+     int i;
+ #endif
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     X509_OBJECT obj;
+     int success;
+ #endif
+@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE
+     subject=X509_get_subject_name(cert);
+ 
+ #if OPENSSL_VERSION_NUMBER>=0x10000000L
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+     /* modern API allows retrieving multiple matching certificates */
+@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE
+     }
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* pre-1.0.0 API only returns a single matching certificate */
+     /* we also invoke it for other OpenSSL versions before 1.1.0 */
+     memset((char *)&obj, 0, sizeof obj);
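Review bot: Adding `!defined(LIBRESSL_VERSION_NUMBER)` to the guards around the `check_email || check_host || check_ip` early return, the `cert_check_subject` call in `cert_check`, and the `cert_check_subject` definition itself compiles the subject checks out of every LibreSSL build, so a `verify = 2` service with checkHost/checkEmail/checkIP configured silently verifies chain only and never matches the peer's identity. At the same time the `OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)` guard makes such a build log "Rebuild your stunnel against OpenSSL version 1.0.2 or higher", which a LibreSSL user cannot act on and which does not name the real limitation. If LibreSSL provides the X509 host/email/IP checking API that `cert_check_subject` relies on (its body is outside this hunk, so I cannot confirm which calls it uses), the guard should be narrowed to keep the checks; if it does not, the warning text should say that subject checks are unavailable with this LibreSSL build, and the port's description should mention that limitation. Either way the change is worth a comment next to the first guard, e.g. `/* LibreSSL: subject checks unavailable, see cert_check_subject */`, so the behavioural difference between the two TLS backends is visible at the call site.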


