security/libp11: Fix build with LibreSSL

  - Fix-up OPENSSL_VERSION_NUMBER checks

PR:		217006
Approved by:	maintainer timeout

9 files changed, 359 insertions, 0 deletions

diff --git a/security/libp11/files/patch-examples_auth.c b/security/libp11/files/patch-examples_auth.c
new file mode 100644
index 000000000000..92903995c5e2
--- /dev/null
+++ b/security/libp11/files/patch-examples_auth.c
@@ -0,0 +1,11 @@
+--- examples/auth.c.orig	2017-01-26 21:19:45 UTC
++++ examples/auth.c
+@@ -212,7 +212,7 @@ int main(int argc, char *argv[])
+ 
+ 	/* now verify the result */
+ 	rc = RSA_verify(NID_sha1, random, RANDOM_SIZE,
+-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
++#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER)
+ 			signature, siglen, EVP_PKEY_get0_RSA(pubkey));
+ #else
+ 			signature, siglen, pubkey->pkey.rsa);
diff --git a/security/libp11/files/patch-examples_decrypt.c b/security/libp11/files/patch-examples_decrypt.c
new file mode 100644
index 000000000000..df9601bd7da1
--- /dev/null
+++ b/security/libp11/files/patch-examples_decrypt.c
@@ -0,0 +1,29 @@
+--- examples/decrypt.c.orig	2017-01-26 21:19:45 UTC
++++ examples/decrypt.c
+@@ -131,7 +131,7 @@ int main(int argc, char *argv[])
+ 	}
+ 
+ 	/* allocate destination buffer */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
++#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	encrypted = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pubkey)));
+ #else
+ 	encrypted = OPENSSL_malloc(RSA_size(pubkey->pkey.rsa));
+@@ -143,7 +143,7 @@ int main(int argc, char *argv[])
+ 
+ 	/* use public key for encryption */
+ 	len = RSA_public_encrypt(RANDOM_SIZE, random, encrypted,
+-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
++#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER)
+ 			EVP_PKEY_get0_RSA(pubkey),
+ #else
+ 			pubkey->pkey.rsa,
+@@ -200,7 +200,7 @@ loggedin:
+ 	}
+ 
+ 	/* allocate space for decrypted data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
++#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	decrypted = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pubkey)));
+ #else
+ 	decrypted = OPENSSL_malloc(RSA_size(pubkey->pkey.rsa));
diff --git a/security/libp11/files/patch-src_eng__back.c b/security/libp11/files/patch-src_eng__back.c
new file mode 100644
index 000000000000..e8245dc48698
--- /dev/null
+++ b/security/libp11/files/patch-src_eng__back.c
@@ -0,0 +1,56 @@
+--- src/eng_back.c.orig	2017-01-26 21:19:45 UTC
++++ src/eng_back.c
+@@ -49,7 +49,7 @@ struct st_engine_ctx {
+ 	char *init_args;
+ 
+ 	/* Engine initialization mutex */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	CRYPTO_RWLOCK *rwlock;
+ #else
+ 	int rwlock;
+@@ -206,7 +206,7 @@ ENGINE_CTX *ctx_new()
+ #endif
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	ctx->rwlock = CRYPTO_THREAD_lock_new();
+ #else
+ 	ctx->rwlock = CRYPTO_get_dynlock_create_callback() ?
+@@ -224,7 +224,7 @@ int ctx_destroy(ENGINE_CTX *ctx)
+ 		ctx_destroy_pin(ctx);
+ 		OPENSSL_free(ctx->module);
+ 		OPENSSL_free(ctx->init_args);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		CRYPTO_THREAD_lock_free(ctx->rwlock);
+ #else
+ 		if (ctx->rwlock)
+@@ -274,7 +274,7 @@ static void ctx_init_libp11_unlocked(ENG
+ 
+ static int ctx_init_libp11(ENGINE_CTX *ctx)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	CRYPTO_THREAD_write_lock(ctx->rwlock);
+ #else
+ 	if (ctx->rwlock)
+@@ -282,7 +282,7 @@ static int ctx_init_libp11(ENGINE_CTX *c
+ #endif
+ 	if (ctx->pkcs11_ctx == NULL || ctx->slot_list == NULL)
+ 		ctx_init_libp11_unlocked(ctx);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	CRYPTO_THREAD_unlock(ctx->rwlock);
+ #else
+ 	if (ctx->rwlock)
+@@ -302,7 +302,7 @@ int ctx_init(ENGINE_CTX *ctx)
+ 	/* Only attempt initialization when dynamic locks are unavailable.
+ 	 * This likely also indicates a single-threaded application,
+ 	 * so temporarily unlocking CRYPTO_LOCK_ENGINE should be safe. */
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	if (CRYPTO_get_dynlock_create_callback() == NULL ||
+ 			CRYPTO_get_dynlock_lock_callback() == NULL ||
+ 			CRYPTO_get_dynlock_destroy_callback() == NULL) {
diff --git a/security/libp11/files/patch-src_libp11-int.h b/security/libp11/files/patch-src_libp11-int.h
new file mode 100644
index 000000000000..4117b42bc7bb
--- /dev/null
+++ b/security/libp11/files/patch-src_libp11-int.h
@@ -0,0 +1,20 @@
+--- src/libp11-int.h.orig	2017-01-26 21:19:45 UTC
++++ src/libp11-int.h
+@@ -32,7 +32,7 @@
+ extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);
+ extern CK_RV C_UnloadModule(void *module);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ typedef int PKCS11_RWLOCK;
+ #else
+ typedef CRYPTO_RWLOCK *PKCS11_RWLOCK;
+@@ -144,7 +144,7 @@ typedef struct pkcs11_cert_private {
+ #define PKCS11_DUP(s) \
+ 	pkcs11_strdup((char *) s, sizeof(s))
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ int CRYPTO_THREAD_lock_new();
+ void CRYPTO_THREAD_lock_free(int);
diff --git a/security/libp11/files/patch-src_libp11.h b/security/libp11/files/patch-src_libp11.h
new file mode 100644
index 000000000000..741ef6b15aac
--- /dev/null
+++ b/security/libp11/files/patch-src_libp11.h
@@ -0,0 +1,11 @@
+--- src/libp11.h.orig	2017-01-26 21:19:45 UTC
++++ src/libp11.h
+@@ -370,7 +370,7 @@ extern int PKCS11_generate_random(PKCS11
+  */
+ RSA_METHOD *PKCS11_get_rsa_method(void);
+ /* Also define unsupported methods to retain backward compatibility */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100002L
++#if OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)
+ EC_KEY_METHOD *PKCS11_get_ec_key_method(void);
+ void *PKCS11_get_ecdsa_method(void);
+ void *PKCS11_get_ecdh_method(void);
diff --git a/security/libp11/files/patch-src_p11__ec.c b/security/libp11/files/patch-src_p11__ec.c
new file mode 100644
index 000000000000..ac985f600307
--- /dev/null
+++ b/security/libp11/files/patch-src_p11__ec.c
@@ -0,0 +1,109 @@
+--- src/p11_ec.c.orig	2017-01-26 21:19:45 UTC
++++ src/p11_ec.c
+@@ -37,7 +37,7 @@
+ #include <openssl/ecdh.h>
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef int (*compute_key_fn)(unsigned char **, size_t *,
+ 	const EC_POINT *, const EC_KEY *);
+ #else
+@@ -73,7 +73,7 @@ struct ecdsa_method {
+ 
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* Define missing functions */
+ 
+@@ -104,7 +104,7 @@ void ECDSA_METHOD_set_sign(ECDSA_METHOD 
+ 
+ /********** Missing ECDH_METHOD functions for OpenSSL < 1.1.0 */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* ecdh_method maintains unchanged layout between 0.9.8 and 1.0.2 */
+ 
+@@ -156,7 +156,7 @@ static void alloc_ec_ex_index()
+ {
+ 	if (ec_ex_index == 0) {
+ 		while (ec_ex_index == 0) /* Workaround for OpenSSL RT3710 */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100002L
++#if OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)
+ 			ec_ex_index = EC_KEY_get_ex_new_index(0, "libp11 ec_key",
+ 				NULL, NULL, NULL);
+ #else
+@@ -265,7 +265,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(P
+ 	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
+ 
+ 	if (key->isPrivate) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		EC_KEY_set_method(ec, PKCS11_get_ec_key_method());
+ #else
+ 		ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
+@@ -275,7 +275,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(P
+ 	/* TODO: Retrieve the ECDSA private key object attributes instead,
+ 	 * unless the key has the "sensitive" attribute set */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	EC_KEY_set_ex_data(ec, ec_ex_index, key);
+ #else
+ 	ECDSA_set_ex_data(ec, ec_ex_index, key);
+@@ -345,14 +345,14 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(
+ 	(void)kinv; /* Precomputed values are not used for PKCS#11 */
+ 	(void)rp; /* Precomputed values are not used for PKCS#11 */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	key = (PKCS11_KEY *)EC_KEY_get_ex_data(ec, ec_ex_index);
+ #else
+ 	key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
+ #endif
+ 	if (key == NULL) {
+ 		sign_sig_fn orig_sign_sig;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
+ 		EC_KEY_METHOD_get_sign((EC_KEY_METHOD *)meth,
+ 			NULL, NULL, &orig_sign_sig);
+@@ -385,7 +385,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(
+ 	sig = ECDSA_SIG_new();
+ 	if (sig == NULL)
+ 		return NULL;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	ECDSA_SIG_set0(sig, r, s);
+ #else
+ 	BN_free(sig->r);
+@@ -515,7 +515,7 @@ static int pkcs11_ecdh_derive(unsigned c
+ 	return 0;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100004L
++#if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /**
+  * ECDH key derivation method (replaces ossl_ecdh_compute_key)
+@@ -578,7 +578,7 @@ static int pkcs11_ec_ckey(void *out, siz
+ 	size_t buflen;
+ 	int rv;
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
+ #else
+ 	key = (PKCS11_KEY *)ECDSA_get_ex_data((EC_KEY *)ecdh, ec_ex_index);
+@@ -623,7 +623,7 @@ static int pkcs11_ec_ckey(void *out, siz
+ /* New way to allocate an ECDSA_METOD object */
+ /* OpenSSL 1.1 has single method  EC_KEY_METHOD for ECDSA and ECDH */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
+ {
diff --git a/security/libp11/files/patch-src_p11__key.c b/security/libp11/files/patch-src_p11__key.c
new file mode 100644
index 000000000000..c9d65cf061b1
--- /dev/null
+++ b/security/libp11/files/patch-src_p11__key.c
@@ -0,0 +1,47 @@
+--- src/p11_key.c.orig	2017-01-26 21:19:45 UTC
++++ src/p11_key.c
+@@ -138,7 +138,7 @@ int pkcs11_generate_key(PKCS11_TOKEN *to
+ 	EVP_PKEY *pk;
+ 	RSA *rsa;
+ 	BIO *err;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	BIGNUM *exp = NULL;
+ 	BN_GENCB *gencb = NULL;
+ #endif
+@@ -151,7 +151,7 @@ int pkcs11_generate_key(PKCS11_TOKEN *to
+ 
+ 	err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	exp = BN_new();
+ 	rsa = RSA_new();
+ 	gencb = BN_GENCB_new();
+@@ -247,7 +247,7 @@ static int pkcs11_store_key(PKCS11_TOKEN
+ 		pkcs11_addattr_bool(attrs + n++, CKA_VERIFY, TRUE);
+ 		pkcs11_addattr_bool(attrs + n++, CKA_WRAP, TRUE);
+ 	}
+-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
++#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA) {
+ 		RSA *rsa = EVP_PKEY_get1_RSA(pk);
+ #else
+@@ -255,7 +255,7 @@ static int pkcs11_store_key(PKCS11_TOKEN
+ 		RSA *rsa = pk->pkey.rsa;
+ #endif
+ 		pkcs11_addattr_int(attrs + n++, CKA_KEY_TYPE, CKK_RSA);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
+ 		RSA_get0_factors(rsa, &rsa_p, &rsa_q);
+ #else
+@@ -325,7 +325,7 @@ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key
+ 				fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
+ 		}
+ 	}
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	EVP_PKEY_up_ref(key->evp_key);
+ #else
+ 	CRYPTO_add(&key->evp_key->references, 1, CRYPTO_LOCK_EVP_PKEY);
diff --git a/security/libp11/files/patch-src_p11__misc.c b/security/libp11/files/patch-src_p11__misc.c
new file mode 100644
index 000000000000..92bd9e32101d
--- /dev/null
+++ b/security/libp11/files/patch-src_p11__misc.c
@@ -0,0 +1,11 @@
+--- src/p11_misc.c.orig	2017-02-11 19:26:33 UTC
++++ src/p11_misc.c
+@@ -43,7 +43,7 @@ char *pkcs11_strdup(char *mem, size_t si
+  * CRYPTO dynlock wrappers: 0 is an invalid dynamic lock ID
+  */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ int CRYPTO_THREAD_lock_new()
+ {
diff --git a/security/libp11/files/patch-src_p11__rsa.c b/security/libp11/files/patch-src_p11__rsa.c
new file mode 100644
index 000000000000..d3e4867c4918
--- /dev/null
+++ b/security/libp11/files/patch-src_p11__rsa.c
@@ -0,0 +1,65 @@
+--- src/p11_rsa.c.orig	2017-01-26 21:19:45 UTC
++++ src/p11_rsa.c
+@@ -29,7 +29,7 @@
+ 
+ static int rsa_ex_index = 0;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100003L
++#if OPENSSL_VERSION_NUMBER < 0x10100003L || defined(LIBRESSL_VERSION_NUMBER)
+ #define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+ #endif
+ 
+@@ -226,7 +226,7 @@ failure:
+ 	return NULL;
+ 
+ success:
+-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		RSA_set0_key(rsa, rsa_n, rsa_e, NULL);
+ #else
+ 		rsa->n=rsa_n;
+@@ -275,7 +275,7 @@ int pkcs11_get_key_modulus(PKCS11_KEY *k
+ 
+ 	if (rsa == NULL)
+ 		return 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	RSA_get0_key(rsa, &rsa_n, NULL, NULL);
+ #else
+ 	rsa_n=rsa->n;
+@@ -292,7 +292,7 @@ int pkcs11_get_key_exponent(PKCS11_KEY *
+ 
+ 	if (rsa == NULL)
+ 		return 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	RSA_get0_key(rsa, NULL, &rsa_e, NULL);
+ #else
+ 	rsa_e=rsa->e;
+@@ -310,7 +310,7 @@ int pkcs11_get_key_size(PKCS11_KEY *key)
+ 	return RSA_size(rsa);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100005L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
+ 		(int flen, const unsigned char *from,
+@@ -374,7 +374,7 @@ static void alloc_rsa_ex_index()
+ static void free_rsa_ex_index()
+ {
+ 	/* CRYPTO_free_ex_index requires OpenSSL version >= 1.1.0-pre1 */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	if (rsa_ex_index > 0) {
+ 		CRYPTO_free_ex_index(CRYPTO_EX_INDEX_RSA, rsa_ex_index);
+ 		rsa_ex_index = 0;
+@@ -382,7 +382,7 @@ static void free_rsa_ex_index()
+ #endif
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100005L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ static RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
+ {