--- www/tomcat-native/Makefile (revision 428108)
+++ www/tomcat-native/Makefile (working copy)
@@ -40,8 +40,4 @@
 IGNORE_FreeBSD_10= Requires OpenSSL 1.0.2 (set DEFAULT_VERSIONS+=ssl=openssl)
 .endif
-.if ${SSL_DEFAULT:Mlibressl*}
-IGNORE= Detected LibreSSL (missing numerous symbols during linking)
-.endif
-
 .include
--- www/tomcat-native/files/patch-include_ssl__private.h (nonexistent)
+++ www/tomcat-native/files/patch-include_ssl__private.h (working copy)
@@ -0,0 +1,32 @@
+--- include/ssl_private.h.orig 2016-04-19 10:08:10 UTC
++++ include/ssl_private.h
+@@ -49,6 +49,9 @@
+ /* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
+ */
++#ifdef LIBRESSL_VERSION_NUMBER
++#define OPENSSL_NO_ENGINE
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ #include
+ #endif
+@@ -204,7 +207,7 @@
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+
+ /* OpenSSL 1.0.2 compatibility */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100001L || defined(LIBRESSL_VERSION_NUMBER)
+ #define OpenSSL_version SSLeay_version
+ #define OpenSSL_version_num SSLeay
+ #define OPENSSL_VERSION SSLEAY_VERSION
+@@ -231,6 +234,10 @@
+ #define TLS_server_method SSLv23_server_method
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
++#ifdef LIBRESSL_VERSION_NUMBER
++#define SSL_CTX_add0_chain_cert SSL_CTX_add_extra_chain_cert
++#endif
++
+ #define MAX_ALPN_NPN_PROTO_SIZE 65535
+ #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1
+
--- www/tomcat-native/files/patch-src_ssl.c (nonexistent)
+++ www/tomcat-native/files/patch-src_ssl.c (working copy)
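Review bot: The rewritten guard on the `OpenSSL 1.0.2 compatibility` block in patch-include_ssl__private.h compares against `0x10100001L`, while the closing `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` comment in the same file and every other guard this change touches in src/ssl.c, src/sslcontext.c and src/sslutils.c use `0x10100000L`. Headers that report exactly `0x10100000L` would get the `SSLeay_*` aliases here but take the 1.1.0 code paths everywhere else, which looks unintended. If the bump is not deliberate, keep the original constant and only add the LibreSSL term: `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. If it is deliberate, a one-line comment saying why, plus a matching update of the `#endif` comment, would keep the next reader from "fixing" it.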
@@ -0,0 +1,110 @@
+--- src/ssl.c.orig 2016-04-19 10:08:10 UTC
++++ src/ssl.c
+@@ -34,7 +34,7 @@ tcn_pass_cb_t tcn_password_callback;
+ static jclass byteArrayClass;
+ static jclass stringClass;
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Global reference to the pool used by the dynamic mutexes */
+ static apr_pool_t *dynlockpool = NULL;
+
+@@ -193,7 +193,7 @@ static const jint supported_ssl_opts = 0
+ #endif
+ | 0;
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL Pre-1.1.0 compatibility */
+ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+@@ -295,7 +295,7 @@ DH *SSL_get_dh_params(unsigned keylen)
+ return NULL; /* impossible to reach. */
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ static void init_bio_methods(void);
+ static void free_bio_methods(void);
+ #endif
+@@ -330,7 +330,7 @@ static apr_status_t ssl_init_cleanup(voi
+ tcn_password_callback.cb.obj);
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ free_bio_methods();
+ #endif
+ free_dh_params();
+@@ -349,7 +349,7 @@ static apr_status_t ssl_init_cleanup(voi
+ ENGINE_cleanup();
+ #endif
+ CRYPTO_cleanup_all_ex_data();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_remove_thread_state(NULL);
+ #else
+ ERR_remove_thread_state();
+@@ -387,7 +387,7 @@ static ENGINE *ssl_try_load_engine(const
+ * To ensure thread-safetyness in OpenSSL
+ */
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static apr_thread_mutex_t **ssl_lock_cs;
+ static int ssl_lock_num_locks;
+
+@@ -427,7 +427,7 @@ static unsigned long ssl_thread_id(void)
+ #endif
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static void ssl_set_thread_id(CRYPTO_THREADID *id)
+ {
+ CRYPTO_THREADID_set_numeric(id, ssl_thread_id());
+@@ -720,7 +720,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
+ #endif
+ OPENSSL_load_builtin_modules();
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Initialize thread support */
+ ssl_thread_setup(tcn_global_pool);
+ #endif
+@@ -766,7 +766,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize
+ SSL_init_app_data2_3_idx();
+
+ init_dh_params();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ init_bio_methods();
+ #endif
+
+@@ -928,7 +928,7 @@ static int jbs_new(BIO *bi)
+ j->refcount = 1;
+ BIO_set_shutdown(bi, 1);
+ BIO_set_init(bi, 0);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* No setter method for OpenSSL 1.1.0 available,
+ * but I can't find any functional use of the
+ * "num" field there either.
+@@ -1064,7 +1064,7 @@ static long jbs_ctrl(BIO *b, int cmd, lo
+ return ret;
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ static BIO_METHOD jbs_methods = {
+ BIO_TYPE_FILE,
+ "Java Callback",
+@@ -1100,7 +1100,7 @@ static void free_bio_methods(void)
+
+ static BIO_METHOD *BIO_jbs()
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ return(&jbs_methods);
+ #else
+ return jbs_methods;
--- www/tomcat-native/files/patch-src_sslcontext.c (nonexistent)
+++ www/tomcat-native/files/patch-src_sslcontext.c (working copy)
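Review bot: The same two-part condition is spelled out by hand at all twelve guards in patch-src_ssl.c and again in patch-src_sslcontext.c and patch-src_sslutils.c, so any guard the patch does not reach keeps the plain version test. Given that every guard here needs the extra LibreSSL term, such a guard would presumably select the 1.1.0 branch on LibreSSL; for the one around `ssl_thread_setup(tcn_global_pool)` that would mean the locking callbacks are never registered. Defining the decision once in include/ssl_private.h and testing that name everywhere makes a missed site much easier to spot, for example `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` / `#define TCN_LEGACY_OPENSSL_API 1` / `#endif` (the macro name is only a suggestion). Most of the enclosing functions start or end outside the quoted context, so I could not check whether other version guards remain in their bodies.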
@@ -0,0 +1,83 @@
+--- src/sslcontext.c.orig 2016-04-18 09:49:28 UTC
++++ src/sslcontext.c
+@@ -139,7 +139,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+ tcn_ssl_ctxt_t *c = NULL;
+ SSL_CTX *ctx = NULL;
+ jclass clazz;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ jint prot;
+ #endif
+
+@@ -224,7 +224,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+ BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+ SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* always disable SSLv2, as per RFC 6176 */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ if (!(protocol & SSL_PROTOCOL_SSLV3))
+@@ -240,7 +240,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
+ #endif
+
+-#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+ /* We first determine the maximum protocol version we should provide */
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+@@ -269,7 +269,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
+ prot = SSL3_VERSION;
+ }
+ SSL_CTX_set_min_proto_version(ctx, prot);
+-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+
+ /*
+ * Configure additional context ingredients
+@@ -1577,7 +1577,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, set
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ /*
+ * Adapted from OpenSSL:
+@@ -1677,7 +1677,7 @@ static const char* SSL_CIPHER_authentica
+ if (cipher == NULL) {
+ return "UNKNOWN";
+ }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ kx = cipher->algorithm_mkey;
+ auth = cipher->algorithm_auth;
+ #else
+@@ -1689,7 +1689,7 @@ static const char* SSL_CIPHER_authentica
+ {
+ case TCN_SSL_kRSA:
+ return SSL_TXT_RSA;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ case TCN_SSL_kDHr:
+ return SSL_TXT_DH "_" SSL_TXT_RSA;
+ case TCN_SSL_kDHd:
+@@ -1707,7 +1707,7 @@ static const char* SSL_CIPHER_authentica
+ default:
+ return "UNKNOWN";
+ }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ case TCN_SSL_kKRB5:
+ return SSL_TXT_KRB5;
+ case TCN_SSL_kECDHr:
+@@ -1733,7 +1733,7 @@ static const char* SSL_CIPHER_authentica
+ }
+
+ static const char* SSL_authentication_method(const SSL* ssl) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher);
+ #else
+ /* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */
--- www/tomcat-native/files/patch-src_sslinfo.c (nonexistent)
+++ www/tomcat-native/files/patch-src_sslinfo.c (working copy)
@@ -0,0 +1,16 @@
+--- src/sslinfo.c.orig 2016-03-23 18:06:39 UTC
++++ src/sslinfo.c
+@@ -25,6 +25,13 @@
+ #ifdef HAVE_OPENSSL
+ #include "ssl_private.h"
+
++#ifdef LIBRESSL_VERSION_NUMBER
++int X509_get_signature_nid(const X509 *x)
++{
++ return OBJ_obj2nid(x->sig_alg->algorithm);
++}
++#endif
++
+ static const char *hex_basis = "0123456789ABCDEF";
+
+ static char *convert_to_hex(const void *buf, size_t len)
--- www/tomcat-native/files/patch-src_sslutils.c (nonexistent)
+++ www/tomcat-native/files/patch-src_sslutils.c (working copy)
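Review bot: The LibreSSL build now compiles the branches that read library internals directly, and nothing in the patch records that dependency. These are `cipher->algorithm_mkey` / `cipher->algorithm_auth` and `ssl->s3->tmp.new_cipher` in patch-src_sslcontext.c, `x->sig_alg->algorithm` in patch-src_sslinfo.c and `cert->valid` in patch-src_sslutils.c. They build only while the installed LibreSSL headers keep those structs public, and the `cert->valid` read sits inside `ssl_verify_OCSP()`, where a behavioural difference between the two libraries would affect certificate checking. I would add a comment at `SSL_authentication_method`, such as `/* LibreSSL: relies on non-opaque SSL and SSL_CIPHER structs; re-check on every LibreSSL update */`, and confirm that OCSP verification gives the same results on both libraries. The functions involved start and end outside the quoted context, so this is based only on the lines shown.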
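Review bot: The `X509_get_signature_nid` added in patch-src_sslinfo.c has external linkage, uses the crypto library's own name, and is gated only on a bare `#ifdef LIBRESSL_VERSION_NUMBER`. If the LibreSSL the port links against declares or exports that function, this becomes a conflicting or duplicate definition; until then the JNI library exports a symbol in the crypto library's namespace that other loaded code could bind to. Keeping it file-local avoids the export, `static int X509_get_signature_nid(const X509 *x)`, and bounding the `#ifdef` with a LibreSSL version comparison would let it drop out once the library provides the function (I cannot tell from the hunk which releases the port targets). The helper also dereferences `x` and `x->sig_alg` without a NULL check; the caller is outside the hunk, so whether that can happen is not visible here.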
@@ -0,0 +1,11 @@
+--- src/sslutils.c.orig 2016-04-19 09:15:43 UTC
++++ src/sslutils.c
+@@ -504,7 +504,7 @@ static int ssl_verify_OCSP(int ok, X509_
+ * may yield NULL. Return early, but leave the ctx error as is. */
+ return OCSP_STATUS_UNKNOWN;
+ }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ #else
+ /* No need to check cert->valid, because ssl_verify_OCSP() only