
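--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	apache24
-PORTVERSION=	2.4.27
+PORTVERSION=	2.4.28
-PORTREVISION=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}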
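--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1499686775
+TIMESTAMP = 1507272082
-SHA256 (apache24/httpd-2.4.27.tar.bz2) = 71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a
+SHA256 (apache24/httpd-2.4.28.tar.bz2) = c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666
-SIZE (apache24/httpd-2.4.27.tar.bz2) = 6527394
+SIZE (apache24/httpd-2.4.28.tar.bz2) = 6553163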
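--- a/www/apache24/files/patch-CVE-2017-9798
+++ b/www/apache24/files/patch-CVE-2017-9798
@@ -1,15 +0,0 @@
---- server/core.c	2017/08/16 16:50:29	1805223
-+++ server/core.c	2017/09/08 13:13:11	1807754
-@@ -2266,6 +2266,12 @@
-             /* method has not been registered yet, but resource restriction
-              * is always checked before method handling, so register it.
-              */
-+            if (cmd->pool == cmd->temp_pool) {
-+                /* In .htaccess, we can't globally register new methods. */
-+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+                                   "for %s from .htaccess configuration",
-+                                    method, cmd->cmd->name);
-+            }
-             methnum = ap_method_register(cmd->pool,
-                                          apr_pstrdup(cmd->pool, method));
-         }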
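--- a/www/apache24/files/patch-modules_ssl_mod__ssl.c
+++ b/www/apache24/files/patch-modules_ssl_mod__ssl.c
@@ -1,34 +0,0 @@
---- modules/ssl/mod_ssl.c.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/mod_ssl.c
-@@ -337,12 +337,12 @@ static apr_status_t ssl_cleanup_pre_conf
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
-     ENGINE_cleanup();
- #endif
--#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP)
-     SSL_COMP_free_compression_methods();
- #endif
- 
-     /* Usually needed per thread, but this parent process is single-threaded */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
-     ERR_remove_thread_state(NULL);
- #else
-@@ -383,14 +383,14 @@ static int ssl_hook_pre_config(apr_pool_
-     /* Some OpenSSL internals are allocated per-thread, make sure they
-      * are associated to the/our same thread-id until cleaned up.
-      */
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     ssl_util_thread_id_setup(pconf);
- #endif
- 
-     /* We must register the library in full, to ensure our configuration
-      * code can successfully test the SSL environment.
-      */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     CRYPTO_malloc_init();
- #else
-     OPENSSL_malloc_init();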
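--- a/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__init.c
@@ -1,47 +0,0 @@
---- modules/ssl/ssl_engine_init.c.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_engine_init.c
-@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
- #define KEYTYPES "RSA or DSA"
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL Pre-1.1.0 compatibility */
- /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
- static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-@@ -257,7 +257,7 @@ apr_status_t ssl_init_Module(apr_pool_t 
- #endif
-     }
- 
--#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
-     ssl_util_thread_setup(p);
- #endif
- 
-@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t 
-     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
- 
-     init_dh_params();
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-     init_bio_methods();
- #endif
- 
-@@ -1301,7 +1301,7 @@ static apr_status_t ssl_init_server_cert
-      * or configure NIST P-256 (required to enable ECDHE for earlier versions)
-      * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
-      */
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-     else {
- #if defined(SSL_CTX_set_ecdh_auto)
-         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
-@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *d
- 
-     }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-     free_bio_methods();
- #endif
-     free_dh_params();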
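--- a/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__io.c
@@ -1,38 +0,0 @@
---- modules/ssl/ssl_engine_io.c.orig	2017-05-30 12:26:05 UTC
-+++ modules/ssl/ssl_engine_io.c
-@@ -164,7 +164,7 @@ static int bio_filter_create(BIO *bio)
- {
-     BIO_set_shutdown(bio, 1);
-     BIO_set_init(bio, 1);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     /* No setter method for OpenSSL 1.1.0 available,
-      * but I can't find any functional use of the
-      * "num" field there either.
-@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio,
-     return -1;
- }
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-         
- static BIO_METHOD bio_filter_out_method = {
-     BIO_TYPE_MEM,
-@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_
- 
-     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
- #else
-     filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
-@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, req
-     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
-                                                        filter_ctx, r, c);
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
- #else
-     filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);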
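--- a/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_kernel.c.orig	2017-05-02 11:01:17 UTC
-+++ modules/ssl/ssl_engine_kernel.c
-@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_r
-  * so we need to increment here to prevent them from
-  * being freed.
-  */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define modssl_set_cert_info(info, cert, pkey) \
-     *cert = info->x509; \
-     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \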
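--- a/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_engine_vars.c.orig	2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_engine_vars.c
-@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr
-         resdup = FALSE;
-     }
-     else if (strcEQ(var, "A_SIG")) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
- #else
-         const ASN1_OBJECT *paobj;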
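--- a/www/apache24/files/patch-modules_ssl_ssl__private.h
+++ b/www/apache24/files/patch-modules_ssl_ssl__private.h
@@ -1,55 +0,0 @@
---- modules/ssl/ssl_private.h.orig	2017-04-03 11:39:20 UTC
-+++ modules/ssl/ssl_private.h
-@@ -123,6 +123,16 @@
- #define MODSSL_SSL_METHOD_CONST
- #endif
- 
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+/* Missing from LibreSSL */
-+#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
-+#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
-+#define SSL_CTX_set_min_proto_version(ctx, version) \
-+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
-+#define SSL_CTX_set_max_proto_version(ctx, version) \
-+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-+#endif
-+
- #if defined(OPENSSL_FIPS)
- #define HAVE_FIPS
- #endif
-@@ -136,7 +146,7 @@
- #endif
- 
- /* session id constness */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define IDCONST
- #else
- #define IDCONST const
-@@ -199,7 +209,7 @@
- 
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
- #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
- #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
-@@ -219,7 +229,7 @@ void init_bio_methods(void);
- void free_bio_methods(void);
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
- #define X509_STORE_CTX_get0_store(x) (x->ctx)
- #endif
- 
-@@ -934,7 +944,7 @@ char        *ssl_util_readfilter(server_
-                                  const char * const *);
- BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- void         ssl_util_thread_setup(apr_pool_t *);
- #endif
- void         ssl_util_thread_id_setup(apr_pool_t *);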
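--- a/www/apache24/files/patch-modules_ssl_ssl__util.c
+++ b/www/apache24/files/patch-modules_ssl_ssl__util.c
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util.c.orig	2017-03-24 13:31:03 UTC
-+++ modules/ssl/ssl_util.c
-@@ -247,7 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *ta
- }
- 
- #if APR_HAS_THREADS
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- /*
-  * To ensure thread-safetyness in OpenSSL - work in progress
-  */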
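--- a/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
+++ b/www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
@@ -1,11 +0,0 @@
---- modules/ssl/ssl_util_ssl.h.orig	2017-03-20 12:01:16 UTC
-+++ modules/ssl/ssl_util_ssl.h
-@@ -41,7 +41,7 @@
- #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
- #define MODSSL_LIBRARY_NAME    "OpenSSL"
- #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
- #else
- #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)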
