From owner-svn-ports-head@freebsd.org Mon Sep 12 01:19:37 2016
Return-Path:
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A244BD7062; Mon, 12 Sep 2016 01:19:37 +0000 (UTC) (envelope-from marino@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C23308BE; Mon, 12 Sep 2016 01:19:36 +0000 (UTC) (envelope-from marino@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8C1JaLX069105; Mon, 12 Sep 2016 01:19:36 GMT (envelope-from marino@FreeBSD.org)
Received: (from marino@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8C1JZK7069098; Mon, 12 Sep 2016 01:19:35 GMT (envelope-from marino@FreeBSD.org)
Message-Id: <201609120119.u8C1JZK7069098@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: marino set sender to marino@FreeBSD.org using -f
From: John Marino Date: Mon, 12 Sep 2016 01:19:35 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r421891 - in head/security/stunnel: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Sep 2016 01:19:37 -0000 Author: marino Date: Mon Sep 12 01:19:35 2016 New Revision: 421891 URL: https://svnweb.freebsd.org/changeset/ports/421891 Log: security/stunnel: Support building with LibreSSL Approved by: SSL blanket Added: head/security/stunnel/files/patch-src_common.h (contents, props changed) head/security/stunnel/files/patch-src_ctx.c (contents, props changed) head/security/stunnel/files/patch-src_prototypes.h (contents, props changed) head/security/stunnel/files/patch-src_ssl.c (contents, props changed) head/security/stunnel/files/patch-src_sthreads.c (contents, props changed) head/security/stunnel/files/patch-src_verify.c (contents, props changed) Modified: head/security/stunnel/Makefile Modified: head/security/stunnel/Makefile ============================================================================== --- head/security/stunnel/Makefile Mon Sep 12 00:54:03 2016 (r421890) +++ head/security/stunnel/Makefile Mon Sep 12 01:19:35 2016 (r421891) @@ -28,10 +28,9 @@ COMMENT= SSL encryption wrapper for stan LICENSE= GPLv2 GPLv3 LICENSE_COMB= dual -USES= cpe libtool perl5 shebangfix +USES= cpe libtool perl5 shebangfix ssl USE_PERL5= build USE_LDCONFIG= yes -USE_OPENSSL= yes USE_RC_SUBR= stunnel GNU_CONFIGURE= yes Added: head/security/stunnel/files/patch-src_common.h ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_common.h Mon Sep 12 01:19:35 2016 (r421891) @@ -0,0 +1,20 @@ +--- src/common.h.orig 2016-06-27 07:29:32 UTC ++++ src/common.h +@@ -448,7 +448,7 @@ extern char *sys_errlist[]; + #define OPENSSL_NO_TLS1_2 + #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + #ifndef OPENSSL_NO_SSL2 + #define OPENSSL_NO_SSL2 + #endif /* !defined(OPENSSL_NO_SSL2) */ +@@ -474,7 +474,7 @@ extern char *sys_errlist[]; + #include + #ifndef OPENSSL_NO_DH + #include +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); + #endif /* OpenSSL older than 1.1.0 */ + #endif /* !defined(OPENSSL_NO_DH) */ Added: head/security/stunnel/files/patch-src_ctx.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_ctx.c Mon Sep 12 01:19:35 2016 (r421891) @@ -0,0 +1,11 @@ +--- src/ctx.c.orig 2016-06-21 15:06:14 UTC ++++ src/ctx.c +@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS * + /**************************************** initialize OpenSSL CONF */ + + NOEXPORT int conf_init(SERVICE_OPTIONS *section) { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CONF_CTX *cctx; + NAME_LIST *curr; + char *cmd, *param; Added: head/security/stunnel/files/patch-src_prototypes.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_prototypes.h Mon Sep 12 01:19:35 2016 (r421891) 
@@ -0,0 +1,18 @@ +--- src/prototypes.h.orig 2016-07-05 21:27:57 UTC ++++ src/prototypes.h +@@ -650,13 +650,13 @@ typedef enum { + #endif /* OPENSSL_NO_DH */ + STUNNEL_LOCKS /* number of locks */ + } LOCK_TYPE; +-#if OPENSSL_VERSION_NUMBER < 0x10100004L ++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + typedef int STUNNEL_RWLOCK; + #else + typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK; + #endif + extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; +-#if OPENSSL_VERSION_NUMBER>=0x10100004L ++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) + #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type) + #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type) + #else Added: head/security/stunnel/files/patch-src_ssl.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_ssl.c Mon Sep 12 01:19:35 2016 (r421891) @@ -0,0 +1,11 @@ +--- src/ssl.c.orig 2016-06-02 13:43:49 UTC ++++ src/ssl.c +@@ -78,7 +78,7 @@ int ssl_init(void) { /* init SSL before + } + + #ifndef OPENSSL_NO_DH +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0 + * to be linked against the older versions */ + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { Added: head/security/stunnel/files/patch-src_sthreads.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_sthreads.c Mon Sep 12 01:19:35 2016 (r421891) 
@@ -0,0 +1,59 @@ +--- src/sthreads.c.orig 2016-05-03 18:35:03 UTC ++++ src/sthreads.c +@@ -45,7 +45,7 @@ + + STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid() + #endif + +@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, C + + #ifdef USE_PTHREAD + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + struct CRYPTO_dynlock_value { + pthread_rwlock_t rwlock; +@@ -263,16 +263,18 @@ unsigned long stunnel_thread_id(void) { + #endif + } + +-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER>=0x10000000L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT void threadid_func(CRYPTO_THREADID *tid) { + CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id()); + } + #endif ++#endif + + int sthreads_init(void) { + int i; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + /* initialize the OpenSSL dynamic locking */ + CRYPTO_set_dynlock_create_callback(dyn_create_function); + CRYPTO_set_dynlock_lock_callback(dyn_lock_function); +@@ -345,7 +347,7 @@ int create_client(SOCKET ls, SOCKET s, C + * but it is unsupported on Windows XP (and earlier versions of Windows): + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */ + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + struct CRYPTO_dynlock_value { + CRITICAL_SECTION mutex; +@@ -398,7 +400,7 @@ unsigned long stunnel_thread_id(void) { + int sthreads_init(void) { + int i; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + /* initialize the OpenSSL 
dynamic locking */ + CRYPTO_set_dynlock_create_callback(dyn_create_function); + CRYPTO_set_dynlock_lock_callback(dyn_lock_function); Added: head/security/stunnel/files/patch-src_verify.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/stunnel/files/patch-src_verify.c Mon Sep 12 01:19:35 2016 (r421891) 
@@ -0,0 +1,64 @@ +--- src/verify.c.orig 2016-07-05 21:27:57 UTC ++++ src/verify.c +@@ -178,14 +178,14 @@ NOEXPORT void auth_warnings(SERVICE_OPTI + if(section->option.verify_peer) /* verify_peer does not depend on PKI */ + return; + if(section->option.verify_chain) { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + if(section->check_email || section->check_host || section->check_ip) + return; + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ + s_log(LOG_WARNING, + "Service [%s] uses \"verify = 2\" without subject checks", + section->servname); +-#if OPENSSL_VERSION_NUMBER<0x10002000L ++#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER) + s_log(LOG_WARNING, + "Rebuild your stunnel against OpenSSL version 1.0.2 or higher"); + #endif /* OPENSSL_VERSION_NUMBER<0x10002000L */ +@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO + } + + if(depth==0) { /* additional peer certificate checks */ +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + if(!cert_check_subject(c, callback_ctx)) + return 0; /* reject */ + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ +@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO + return 1; /* accept */ + } + +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { + X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); + NAME_LIST *ptr; +@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE + STACK_OF(X509) *sk; + int i; + #endif +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + X509_OBJECT obj; + int success; + #endif +@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE + subject=X509_get_subject_name(cert); + + #if 
OPENSSL_VERSION_NUMBER>=0x10000000L +-#if OPENSSL_VERSION_NUMBER<0x10100006L ++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) + #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs + #endif + /* modern API allows retrieving multiple matching certificates */ +@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE + } + #endif + +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + /* pre-1.0.0 API only returns a single matching certificate */ + /* we also invoke it for other OpenSSL versions before 1.1.0 */ + memset((char *)&obj, 0, sizeof obj);
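Review bot: on the Makefile hunk, the USE_OPENSSL -> USES=ssl swap is the entire build-system side of this change, and because every source patch below is gated on defined(LIBRESSL_VERSION_NUMBER) the default OpenSSL package is byte-for-byte unchanged, which is why no PORTREVISION bump appears here; that rationale deserves a line in the log so the next committer does not add one out of caution.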
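Review bot: in the first common.h hunk, adding `&& !defined(LIBRESSL_VERSION_NUMBER)` to the `>=0x10100000L` test means a LibreSSL build no longer enters the block that forces OPENSSL_NO_SSL2; that is only safe if LibreSSL's own headers already define OPENSSL_NO_SSL2, so please confirm that before landing, otherwise this hunk quietly re-enables the SSLv2 code path on exactly the library it is meant to support. The pattern itself is required because LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so every unqualified `>=0x10100000L` check would otherwise select OpenSSL 1.1 APIs that LibreSSL does not provide. In the second hunk the trailing `#endif /* OpenSSL older than 1.1.0 */` is now stale, since the block is also compiled for every LibreSSL release; suggest `#endif /* OpenSSL older than 1.1.0 || LibreSSL */`.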
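Review bot: the DH_set0_pqg prototype in common.h and its definition in the ssl.c hunk are gated on the identical condition `OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`, which keeps declaration and definition in step, but `defined(LIBRESSL_VERSION_NUMBER)` with no upper bound treats every future LibreSSL release as lacking the function; the first LibreSSL that ships its own DH_set0_pqg will then fail to link against the copy defined here. Consider bounding it on `LIBRESSL_VERSION_NUMBER` once that release exists, and the same remark applies to every other `defined(LIBRESSL_VERSION_NUMBER)` clause in this commit.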
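Review bot: the ctx.c hunk compiles the SSL_CONF_CTX-based conf_init body out for LibreSSL, but the `#else` branch is outside the hunk, so please verify that a configuration which still supplies these commands is rejected with a logged error on a LibreSSL build rather than accepted and silently ignored; a cipher or protocol restriction that the operator believes is in force but that never reaches the library is a security regression for that build.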
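Review bot: across the prototypes.h and sthreads.c hunks the compound condition `OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)` is repeated at every locking site (the STUNNEL_RWLOCK typedef, the unlock macros, the dynlock callbacks, threadid_func and both sthreads_init variants), with its negation spelled out separately in prototypes.h; a single macro such as `STUNNEL_LEGACY_LOCKING` defined once in prototypes.h would keep these from drifting apart, which matters because a mismatch here would leave OpenSSL's locking callbacks uninstalled on a threaded build. In the @@ -263 hunk the new nested `#if`/`#endif` pair could be the single line `#if OPENSSL_VERSION_NUMBER>=0x10000000L && (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))`.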
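Review bot: the verify.c hunks have a security consequence that the log does not mention: with `&& !defined(LIBRESSL_VERSION_NUMBER)` on the `>=0x10002000L` guards, cert_check_subject and its depth-0 call in cert_check are compiled out on LibreSSL, so check_email, check_host and check_ip are never enforced in that build. Two follow-ups: the warning "Rebuild your stunnel against OpenSSL version 1.0.2 or higher" now fires on LibreSSL builds that cannot satisfy it, so the message should state that subject checks are unavailable in this build; and the option parser should refuse those check_* settings when cert_check_subject does not exist, because otherwise a configuration that names an expected host passes verification without that check and nobody is told. Separately, the three `#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */` and `#endif /* OPENSSL_VERSION_NUMBER<0x10002000L */` comments no longer describe the conditions they close and should gain the LibreSSL clause.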