initial import

2025-06-22 20:39:04 -05:00
commit f8a70886f0
3428 changed files with 302546 additions and 0 deletions
--- a/postfix/libressl.patch
+++ b/postfix/libressl.patch
@@ -0,0 +1,233 @@
+diff --git a/src/global/mail_params.h b/src/global/mail_params.h
+index a6119f1b..e437b9cd 100644
+--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
+@@ -19,7 +19,7 @@ typedef int bool;
+ #ifdef USE_TLS
+ #include <openssl/opensslv.h>		/* OPENSSL_VERSION_NUMBER */
+ #include <openssl/objects.h>		/* SN_* and NID_* macros */
+-#if OPENSSL_VERSION_NUMBER < 0x1000200fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010101fUL && !defined(LIBRESSL_VERSION_NUMBER)
+ #error "OpenSSL releases prior to 1.0.2 are no longer supported"
+ #endif
+ #endif
+diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
+index c142d43f..ee894327 100644
+--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
+@@ -1673,7 +1673,8 @@ static int finger(STATE *state)
+     return (0);
+ }
+ 
+-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(USE_TLS) && \
+    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+ 
+ /* ssl_cleanup - free memory allocated in the OpenSSL library */
+ 
+@@ -2156,7 +2157,8 @@ int     main(int argc, char *argv[])
+     cleanup(&state);
+ 
+     /* OpenSSL 1.1.0 and later (de)initialization is implicit */
+-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(USE_TLS) && \
+    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+     ssl_cleanup();
+ #endif
+ 
+diff --git a/src/tls/tls.h b/src/tls/tls.h
+index 2a8cc119..4c8dff11 100644
+--- a/src/tls/tls.h
+++ b/src/tls/tls.h
+@@ -84,12 +84,12 @@ extern const char *str_tls_level(int);
+ #define ssl_cipher_stack_t STACK_OF(SSL_CIPHER)
+ #define ssl_comp_stack_t STACK_OF(SSL_COMP)
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1000200fUL)
+#if (OPENSSL_VERSION_NUMBER < 0x1000200fUL && !defined(LIBRESSL_VERSION_NUMBER))
+ #error "OpenSSL releases prior to 1.0.2 are no longer supported"
+ #endif
+ 
+  /* Backwards compatibility with OpenSSL < 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define OpenSSL_version_num SSLeay
+ #define OpenSSL_version SSLeay_version
+ #define OPENSSL_VERSION SSLEAY_VERSION
+@@ -106,13 +106,16 @@ extern const char *str_tls_level(int);
+ #define ASN1_STRING_get0_data ASN1_STRING_data
+ #define X509_getm_notBefore X509_get_notBefore
+ #define X509_getm_notAfter X509_get_notAfter
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define TLS_method SSLv23_method
+ #define TLS_client_method SSLv23_client_method
+ #define TLS_server_method SSLv23_server_method
+ #endif
+ 
+  /* Backwards compatibility with OpenSSL < 1.1.1 */
+-#if OPENSSL_VERSION_NUMBER < 0x1010100fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010100fUL || defined(LIBRESSL_VERSION_NUMBER)
+ #define SSL_CTX_set_num_tickets(ctx, num) ((void)0)
+ #endif
+ 
+@@ -124,7 +127,7 @@ extern const char *str_tls_level(int);
+   * SSL_get_peer_tmp_key(), with the original name left behind as an alias.  We
+   * use the new name when available.
+   */
+-#if OPENSSL_VERSION_NUMBER < 0x1010101fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010101fUL || defined(LIBRESSL_VERSION_NUMBER)
+ #undef SSL_get_signature_nid
+ #define SSL_get_signature_nid(ssl, pnid) (NID_undef)
+ #define tls_get_peer_dh_pubkey SSL_get_server_tmp_key
+diff --git a/src/tls/tls_certkey.c b/src/tls/tls_certkey.c
+index be8d4700..27a039c0 100644
+--- a/src/tls/tls_certkey.c
+++ b/src/tls/tls_certkey.c
+@@ -149,7 +149,7 @@ static void init_pem_load_state(pem_load_state_t *st, SSL_CTX *ctx, SSL *ssl,
+ 
+ /* use_chain - load cert, key and chain into ctx or ssl */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && !defined(LIBRESSL_VERSION_NUMBER)
+ static int use_chain(pem_load_state_t *st)
+ {
+     int     ret;
+@@ -697,7 +697,7 @@ int     main(int argc, char *argv[])
+     char   *key_file = 0;
+     SSL_CTX *ctx;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * Initialize the OpenSSL library by the book! To start with, we must
+diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
+index 135cea4b..955c5340 100644
+--- a/src/tls/tls_client.c
+++ b/src/tls/tls_client.c
+@@ -333,7 +333,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
+      */
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * Initialize the OpenSSL library by the book! To start with, we must
+@@ -410,7 +410,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
+     SSL_CTX_set_options(client_ctx, off);
+ 
+     /* Enable all supported protocols */
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CTX_set_min_proto_version(client_ctx, 0);
+ #endif
+ 
+@@ -473,7 +473,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * According to the OpenSSL documentation, temporary RSA key is needed
+diff --git a/src/tls/tls_dane.c b/src/tls/tls_dane.c
+index 013426b1..5cbb74e3 100644
+--- a/src/tls/tls_dane.c
+++ b/src/tls/tls_dane.c
+@@ -2006,7 +2006,7 @@ static SSL_CTX *ctx_init(const char *CAfile)
+     tls_param_init();
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     SSL_load_error_strings();
+     SSL_library_init();
+ #endif
+diff --git a/src/tls/tls_dh.c b/src/tls/tls_dh.c
+index 70db8e9d..727e3a80 100644
+--- a/src/tls/tls_dh.c
+++ b/src/tls/tls_dh.c
+@@ -314,7 +314,7 @@ void    tls_auto_eecdh_curves(SSL_CTX *ctx, const char *configured)
+      * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
+      * auto-negotiated.
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL || defined(LIBRESSL_VERSION_NUMBER)
+     if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0) {
+ 	msg_warn("failed to enable automatic ECDHE curve selection");
+ 	tls_print_errors();
+diff --git a/src/tls/tls_rsa.c b/src/tls/tls_rsa.c
+index 67f2a2ee..c6a759e8 100644
+--- a/src/tls/tls_rsa.c
+++ b/src/tls/tls_rsa.c
+@@ -57,7 +57,7 @@
+  /*
+   * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+   */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */
+ 
+@@ -103,7 +103,7 @@ int     main(int unused_argc, char *const argv[])
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     RSA    *rsa;
+ 
+     msg_vstream_init(argv[0], VSTREAM_ERR);
+diff --git a/src/tls/tls_server.c b/src/tls/tls_server.c
+index 25d85ec7..b134d50d 100644
+--- a/src/tls/tls_server.c
+++ b/src/tls/tls_server.c
+@@ -167,7 +167,7 @@ static const char server_session_id_context[] = "Postfix/TLS";
+ #define GET_SID(s, v, lptr)	((v) = SSL_SESSION_get_id((s), (lptr)))
+ 
+  /* OpenSSL 1.1.0 bitrot */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef const unsigned char *session_id_t;
+ 
+ #else
+@@ -370,7 +370,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
+      */
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * Initialize the OpenSSL library by the book! To start with, we must
+@@ -487,7 +487,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
+      * incomplete.
+      */
+ #ifdef SSL_OP_NO_TICKET
+-#ifndef OPENSSL_NO_TLSEXT
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x0090808fL && !defined(LIBRESSL_VERSION_NUMBER)
+     ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
+ 		  && !(off & SSL_OP_NO_TICKET));
+     if (ticketable) {
+@@ -528,7 +528,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
+     SSL_CTX_set_options(server_ctx, off);
+ 
+     /* Enable all supported protocols */
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CTX_set_min_proto_version(server_ctx, 0);
+     SSL_CTX_set_min_proto_version(sni_ctx, 0);
+ #endif
+@@ -616,7 +616,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * According to OpenSSL documentation, a temporary RSA key is needed when