curl - libressl-2.7 patches

4 files changed, 121 insertions, 0 deletions

diff --git a/ftp/curl/HISTORY b/ftp/curl/HISTORY
index 871c5238ae..babaf62397 100644
--- a/ftp/curl/HISTORY
+++ b/ftp/curl/HISTORY
@@ -1,3 +1,6 @@
+2018-04-05 Treeve Jelbert <treeve@sourcemage.org>
+	* PRE_BUILD patches/*: apply upstream patches for libressl-2.7
+
 2018-03-24 Treeve Jelbert <treeve@sourcemage.org>
 	* DEPENDS: add brotli
 
diff --git a/ftp/curl/PRE_BUILD b/ftp/curl/PRE_BUILD
new file mode 100755
index 0000000000..922c0ab256
--- /dev/null
+++ b/ftp/curl/PRE_BUILD
@@ -0,0 +1,3 @@
+default_pre_build    &&
+cd $SOURCE_DIRECTORY &&
+apply_patch_dir patches
diff --git a/ftp/curl/patches/0001-openssl-fix-build-with-LibreSSL-2.7.patch b/ftp/curl/patches/0001-openssl-fix-build-with-LibreSSL-2.7.patch
new file mode 100644
index 0000000000..d1277e75f0
--- /dev/null
+++ b/ftp/curl/patches/0001-openssl-fix-build-with-LibreSSL-2.7.patch
@@ -0,0 +1,73 @@
+From 7c90c93c0b061da81f69fabdd57125b2783c15fb Mon Sep 17 00:00:00 2001
+From: Bernard Spil <brnrd@FreeBSD.org>
+Date: Mon, 2 Apr 2018 19:04:06 +0200
+Subject: [PATCH 1/3] openssl: fix build with LibreSSL 2.7
+
+ - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API
+
+Fixes #2319
+Closes #2447
+Closes #2448
+
+Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
+---
+ lib/vtls/openssl.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 2a6b3cf..bbb8ec7 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -104,7 +104,8 @@
+ #endif
+ 
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
+-  !defined(LIBRESSL_VERSION_NUMBER)
++    !(defined(LIBRESSL_VERSION_NUMBER) && \
++      LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+ #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
+ #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
+@@ -128,7 +129,8 @@ static unsigned long OpenSSL_version_num(void)
+ #endif
+ 
+ #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
+-  !defined(LIBRESSL_VERSION_NUMBER)
++    !(defined(LIBRESSL_VERSION_NUMBER) && \
++      LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ #define HAVE_X509_GET0_SIGNATURE 1
+ #endif
+ 
+@@ -147,7 +149,7 @@ static unsigned long OpenSSL_version_num(void)
+  * Whether SSL_CTX_set_keylog_callback is available.
+  * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
+  * BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
+- * LibreSSL: unsupported in at least 2.5.1 (explicitly check for it since it
++ * LibreSSL: unsupported in at least 2.7.2 (explicitly check for it since it
+  *           lies and pretends to be OpenSSL 2.0.0).
+  */
+ #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
+@@ -259,7 +261,9 @@ static void tap_ssl_key(const SSL *ssl, ssl_tap_state_t *state)
+   if(!session || !keylog_file_fp)
+     return;
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
++    !(defined(LIBRESSL_VERSION_NUMBER) && \
++      LIBRESSL_VERSION_NUMBER < 0x20700000L)
+   /* ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that
+    * we have a valid SSL context if we have a non-NULL session. */
+   SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
+@@ -2082,8 +2086,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+   case CURL_SSLVERSION_TLSv1_2:
+   case CURL_SSLVERSION_TLSv1_3:
+     /* it will be handled later with the context options */
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+-    !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+     req_method = TLS_client_method();
+ #else
+     req_method = SSLv23_client_method();
+-- 
+2.17.0
+
diff --git a/ftp/curl/patches/0002-openssl-provide-defines-for-argument-typecasts-to-bu.patch b/ftp/curl/patches/0002-openssl-provide-defines-for-argument-typecasts-to-bu.patch
new file mode 100644
index 0000000000..953bc706a3
--- /dev/null
+++ b/ftp/curl/patches/0002-openssl-provide-defines-for-argument-typecasts-to-bu.patch
@@ -0,0 +1,42 @@
+From 256b80fe81ad6de63e7fcffbef5e2ce554319ae8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 4 Apr 2018 10:55:56 +0200
+Subject: [PATCH 2/3] openssl: provide defines for argument typecasts to build
+ warning-free
+
+... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
+---
+ lib/vtls/openssl.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index bbb8ec7..fc9ad47 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -112,6 +112,14 @@
+ #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
+ #define CONST_EXTS const
+ #define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
++
++/* funny typecast define due to difference in API */
++#ifdef LIBRESSL_VERSION_NUMBER
++#define ARG2_X509_signature_print (X509_ALGOR *)
++#else
++#define ARG2_X509_signature_print
++#endif
++
+ #else
+ /* For OpenSSL before 1.1.0 */
+ #define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
+@@ -2802,7 +2810,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
+       ASN1_STRING *a = ASN1_STRING_new();
+       if(a) {
+         X509_get0_signature(&psig, &palg, x);
+-        X509_signature_print(mem, palg, a);
++        X509_signature_print(mem, ARG2_X509_signature_print palg, a);
+         ASN1_STRING_free(a);
+ 
+         if(palg) {
+-- 
+2.17.0
+