Index: devel/qca/files/patch-plugins_qca-ossl_qca-ossl.cpp
===================================================================
--- devel/qca/files/patch-plugins_qca-ossl_qca-ossl.cpp (revision 553292)
+++ devel/qca/files/patch-plugins_qca-ossl_qca-ossl.cpp (working copy)
@@ -1,58 +1,94 @@ ---- plugins/qca-ossl/qca-ossl.cpp.orig 2020-02-25 09:08:01 UTC +Patch from OpenBSD rsadowski@ + +LibreSSL 3.0.x support from Stefan Strogin + +Index: plugins/qca-ossl/qca-ossl.cpp +--- plugins/qca-ossl/qca-ossl.cpp.orig +++ plugins/qca-ossl/qca-ossl.cpp -@@ -43,6 +43,10 @@ +@@ -41,7 +41,13 @@ + #include + #include - #include - +#ifndef RSA_F_RSA_OSSL_PRIVATE_DECRYPT +#define RSA_F_RSA_OSSL_PRIVATE_DECRYPT RSA_F_RSA_EAY_PRIVATE_DECRYPT +#endif + ++#ifndef LIBRESSL_VERSION_NUMBER + #include ++#endif + using namespace QCA; - namespace opensslQCAPlugin { -@@ -1272,6 +1276,7 @@ class opensslHkdfContext : public HKDFContext (public) - const InitializationVector &info, unsigned int keyLength) override - { - SecureArray out(keyLength); -+#ifdef EVP_PKEY_HKDF - EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, nullptr); - EVP_PKEY_derive_init(pctx); - EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()); -@@ -1281,6 +1286,36 @@ class opensslHkdfContext : public HKDFContext (public) - size_t outlen = out.size(); - EVP_PKEY_derive(pctx, reinterpret_cast(out.data()), &outlen); - EVP_PKEY_CTX_free(pctx); -+#else -+ unsigned char prk[EVP_MAX_MD_SIZE]; -+ unsigned char *ret; -+ unsigned int prk_len; -+ HMAC(EVP_sha256(), salt.data(), salt.size(), reinterpret_cast(secret.data()), secret.size(), prk, &prk_len); -+ HMAC_CTX hmac; -+ unsigned char prev[EVP_MAX_MD_SIZE]; -+ size_t done_len = 0; -+ size_t dig_len = EVP_MD_size(EVP_sha256()); -+ size_t n = out.size() / dig_len; -+ if (out.size() % dig_len) ++n; -+ HMAC_CTX_init(&hmac); -+ HMAC_Init_ex(&hmac, prk, prk_len, EVP_sha256(), nullptr); -+ for (unsigned int i = 1; i <= n; ++i) { -+ const unsigned char ctr = i; -+ if (i > 1) { -+ HMAC_Init_ex(&hmac, nullptr, 0, nullptr, nullptr); -+ HMAC_Update(&hmac, prev, dig_len); -+ } -+ HMAC_Update(&hmac, reinterpret_cast(info.data()), info.size()); -+ HMAC_Update(&hmac, &ctr, 1); -+ HMAC_Final(&hmac, prev, nullptr); -+ size_t copy_len = (done_len + dig_len > out.size()) ? 
-+ out.size() - done_len : dig_len; -+ memcpy(reinterpret_cast(out.data()) + done_len, prev, copy_len); -+ done_len += copy_len; -+ } -+ HMAC_CTX_cleanup(&hmac); -+ OPENSSL_cleanse(prk, sizeof prk); -+#endif +@@ -1262,6 +1268,7 @@ class opensslPbkdf2Context : public KDFContext (public + protected: + }; + ++#ifndef LIBRESSL_VERSION_NUMBER + class opensslHkdfContext : public HKDFContext + { + Q_OBJECT +@@ -1291,6 +1298,7 @@ class opensslHkdfContext : public HKDFContext (public) return out; } }; ++#endif // LIBRESSL_VERSION_NUMBER + + class opensslHMACContext : public MACContext + { +@@ -4990,7 +4998,11 @@ class MyTLSContext : public TLSContext (public) + case TLS::TLS_v1: + ctx = SSL_CTX_new(TLS_client_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); ++#ifdef TLS1_3_VERSION + SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); ++#else ++ SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); ++#endif + break; + case TLS::DTLS_v1: + default: +@@ -5011,7 +5023,11 @@ class MyTLSContext : public TLSContext (public) + QStringList cipherList; + for(int i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { + const SSL_CIPHER *thisCipher = sk_SSL_CIPHER_value(sk, i); ++#ifndef LIBRESSL_VERSION_NUMBER + cipherList += QString::fromLatin1(SSL_CIPHER_standard_name(thisCipher)); ++#else ++ cipherList += QString::fromLatin1(SSL_CIPHER_get_name(thisCipher)); ++#endif + } + sk_SSL_CIPHER_free(sk); + +@@ -5404,7 +5420,11 @@ class MyTLSContext : public TLSContext (public) + sessInfo.version = TLS::TLS_v1; + } + ++#ifndef LIBRESSL_VERSION_NUMBER + sessInfo.cipherSuite = QString::fromLatin1(SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl))); ++#else ++ sessInfo.cipherSuite = QString::fromLatin1(SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); ++#endif + + sessInfo.cipherMaxBits = SSL_get_cipher_bits(ssl, &(sessInfo.cipherBits)); + +@@ -6751,7 +6771,9 @@ class opensslProvider : public Provider (public) + #endif + list += QStringLiteral("pbkdf1(sha1)"); + list += 
QStringLiteral("pbkdf2(sha1)"); ++#ifndef LIBRESSL_VERSION_NUMBER + list += QStringLiteral("hkdf(sha256)"); ++#endif + list += QStringLiteral("pkey"); + list += QStringLiteral("dlgroup"); + list += QStringLiteral("rsa"); +@@ -6820,8 +6842,10 @@ class opensslProvider : public Provider (public) + #endif + else if ( type == QLatin1String("pbkdf2(sha1)") ) + return new opensslPbkdf2Context( this, type ); ++#ifndef LIBRESSL_VERSION_NUMBER + else if ( type == QLatin1String("hkdf(sha256)") ) + return new opensslHkdfContext( this, type ); ++#endif + else if ( type == QLatin1String("hmac(md5)") ) + return new opensslHMACContext( EVP_md5(), this, type ); + else if ( type == QLatin1String("hmac(sha1)") ) Index: ftp/curl/Makefile =================================================================== --- ftp/curl/Makefile (revision 553292) +++ ftp/curl/Makefile (working copy) @@ -143,9 +143,9 @@ CONFIGURE_ARGS+=--with-ca-fallback .endif -.if ((!${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MOPENSSL}) || (${PORT_OPTIONS:MOPENSSL} && ${SSL_DEFAULT:Mlibressl*})) && ${PORT_OPTIONS:MTLS_SRP} -IGNORE= only supports TLS-SRP with either OpenSSL or GnuTLS -.endif +#.if ((!${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MOPENSSL}) || (${PORT_OPTIONS:MOPENSSL} && ${SSL_DEFAULT:Mlibressl*})) && ${PORT_OPTIONS:MTLS_SRP} +#IGNORE= only supports TLS-SRP with either OpenSSL or GnuTLS +#.endif .if ${PORT_OPTIONS:MLDAPS} && !${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MNSS} && !${PORT_OPTIONS:MOPENSSL} && !${PORT_OPTIONS:MWOLFSSL} IGNORE= only supports LDAPS with SSL
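Review bot: The LibreSSL branches that swap `SSL_CIPHER_standard_name()` for `SSL_CIPHER_get_name()` (the cipher-list loop in the hunk at -5011 and `sessInfo.cipherSuite` in the hunk at -5404) change the naming scheme the plugin reports, because the first returns the RFC/IANA suite name and the second the OpenSSL-style short name. Any caller that matches `cipherSuite` or the supported-suite list against an allow-list of standard names would presumably stop matching on LibreSSL builds without any error. I would add a comment at both sites, for example `// LibreSSL build: SSL_CIPHER_get_name() yields OpenSSL-style names, not IANA names`, and confirm that the code which maps names back when a caller sets cipher suites accepts the same form. Separately, guarding HKDF on `LIBRESSL_VERSION_NUMBER` instead of a feature test like the `#ifdef EVP_PKEY_HKDF` the previous patch used keeps `hkdf(sha256)` disabled even if the library later provides the API. The enclosing functions start and end outside these hunks.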
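Review bot: Commenting out the whole `.if` / `IGNORE` / `.endif` block also drops the first half of the condition, so `TLS_SRP` can now be selected when neither `GNUTLS` nor `OPENSSL` is enabled, as well as when `SSL_DEFAULT` matches `libressl*`. As far as I know LibreSSL does not ship the SRP API, so the likely result is a curl built without TLS-SRP (or a configure failure) while the port options say it is enabled. If the intent is only to lift the LibreSSL restriction, I would keep the guard and narrow it to `.if !${PORT_OPTIONS:MGNUTLS} && !${PORT_OPTIONS:MOPENSSL} && ${PORT_OPTIONS:MTLS_SRP}` rather than leaving the old lines behind as comments.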