initial import

qt-base/CVE-2024-39936.patch

@@ -0,0 +1,109 @@
+--- a/src/network/access/qhttp2protocolhandler.cpp
++++ b/src/network/access/qhttp2protocolhandler.cpp
+@@ -371,12 +371,12 @@ bool QHttp2ProtocolHandler::sendRequest(
+         }
+     }
+ 
+-    if (!prefaceSent && !sendClientPreface())
+-        return false;
+-
+     if (!requests.size())
+         return true;
+ 
++    if (!prefaceSent && !sendClientPreface())
++        return false;
++
+     m_channel->state = QHttpNetworkConnectionChannel::WritingState;
+     // Check what was promised/pushed, maybe we do not have to send a request
+     // and have a response already?
+--- a/src/network/access/qhttpnetworkconnectionchannel.cpp	2020-10-27 09:02:11.000000000 +0100
++++ b/src/network/access/qhttpnetworkconnectionchannel.cpp	2024-08-16 22:36:07.819945304 +0200
+@@ -255,6 +255,10 @@
+ bool QHttpNetworkConnectionChannel::sendRequest()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeSendRequest = true;
++        return false; // this return value is unused
++    }
+     return protocolHandler->sendRequest();
+ }
+ 
+@@ -270,18 +274,27 @@
+         Q_ASSERT(!protocolHandler.isNull());
+         if (reply)
+             protocolHandler->sendRequest();
++            sendRequest();
+     }, Qt::ConnectionType::QueuedConnection);
+ }
+ 
+ void QHttpNetworkConnectionChannel::_q_receiveReply()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeReceiveReply = true;
++        return;
++    }
+     protocolHandler->_q_receiveReply();
+ }
+ 
+ void QHttpNetworkConnectionChannel::_q_readyRead()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeReadyRead = true;
++        return;
++    }
+     protocolHandler->_q_readyRead();
+ }
+ 
+@@ -1299,6 +1312,27 @@
+     }
+ }
+ 
++void QHttpNetworkConnectionChannel::checkAndResumeCommunication()
++{
++    Q_ASSERT(connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2
++             || connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2Direct);
++
++    // Because HTTP/2 requires that we send a SETTINGS frame as the first thing we do, and respond
++    // to a SETTINGS frame with an ACK, we need to delay any handling until we can ensure that any
++    // effects from emitting encrypted() have been processed.
++    // This function is called after encrypted() was emitted, so check for changes.
++
++    if (!reply && spdyRequestsToSend.isEmpty())
++        abort();
++    waitingForPotentialAbort = false;
++    if (needInvokeReadyRead)
++        _q_readyRead();
++    if (needInvokeReceiveReply)
++        _q_receiveReply();
++    if (needInvokeSendRequest)
++        sendRequest();
++}
++
+ void QHttpNetworkConnectionChannel::requeueSpdyRequests()
+ {
+     QList<HttpMessagePair> spdyPairs = spdyRequestsToSend.values();
+--- a/src/network/access/qhttpnetworkconnectionchannel_p.h	2020-10-27 09:02:11.000000000 +0100
++++ b/src/network/access/qhttpnetworkconnectionchannel_p.h	2024-08-16 22:40:50.519943219 +0200
+@@ -107,6 +107,10 @@
+     QAbstractSocket *socket;
+     bool ssl;
+     bool isInitialized;
++    bool waitingForPotentialAbort = false;
++    bool needInvokeReceiveReply = false;
++    bool needInvokeReadyRead = false;
++    bool needInvokeSendRequest = false;
+     ChannelState state;
+     QHttpNetworkRequest request; // current request, only used for HTTP
+     QHttpNetworkReply *reply; // current reply for this request, only used for HTTP
+@@ -187,6 +191,8 @@
+     void closeAndResendCurrentRequest();
+     void resendCurrentRequest();
+ 
++    void checkAndResumeCommunication();
++
+     bool isSocketBusy() const;
+     bool isSocketWriting() const;
+     bool isSocketWaiting() const;

qt-base/PKGBUILD

@@ -0,0 +1,152 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+pkgbase=qt-base
+pkgname=(qt-base qt-xcb-private-headers)
+_qtver=5.15.2
+pkgver=${_qtver/-/}
+_debver=$pkgver
+_debrel=9
+pkgrel=9
+arch=('i686' 'x86_64')
+url='https://www.qt.io'
+license=('LGPL-3')
+pkgdesc="A cross-platform application and UI framework"
+depends=('libjpeg-turbo' 'xcb-util-keysyms' 'xcb-util-renderutil' 'mesa-libgl' 'fontconfig' 'xdg-utils'
+         'shared-mime-info' 'xcb-util-wm' 'libxrender' 'libxi' 'sqlite' 'xcb-util-image' 'mesa'
+         'tslib' 'libxkbcommon-x11' 'libproxy' 'libcups' 'md4c' 'pcre2' 'harfbuzz')
+makedepends=('sqlite' 'unixodbc' 'postgresql-libs' 'alsa-lib' 'gst-plugins-base-libs'
+             'gtk' 'cups' 'quilt')
+optdepends=('qt-svg: to use SVG icon themes'
+            'postgresql-libs: PostgreSQL driver'
+            'unixodbc: ODBC driver'
+            'gtk: GTK platform plugin'
+            'perl: for fixqt4headers and syncqt')
+replaces=('qt5-base')
+conflicts=('qt5-base' 'qtchooser')
+provides=('qt5-base')
+groups=('qt')
+_pkgfqn="${pkgbase/-/}-everywhere-src-${_qtver}"
+source=("https://download.qt.io/official_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
+        "https://deb.debian.org/debian/pool/main/q/qtbase-opensource-src/qtbase-opensource-src_${_debver}+dfsg-${_debrel}+deb11u1.debian.tar.xz"
+        "qt-base-cflags.patch"
+        "kdebug-428095.patch"
+        "qtnetwork-5.15.0-libressl.patch"
+        "CVE-2024-39936.patch")
+sha512sums=('a549bfaf867d746ff744ab224eb65ac1bdcdac7e8457dfa379941b2b225a90442fcfc1e1175b9afb1f169468f8130b7ab917c67be67156520a4bfb5c92d304f9'
+            'e4d4210b222b6722c3b97d7139c6ddf812e8022454a20d677e1df60d1ec472079dfc0fc5805c81059b1bdb26e323b358ec7ec57fb24b972d2ce84e55d40b936e'
+            'fa3dddfe42b7f0ade45bd0530badfc3a3800adbd3798bd814597527713c9fe360a242f7cf39312f4cc3c88e9bd7aba233bd6674c0fc78e694a1fd868474c4240'
+            'afc8c44cb2fdb1b07b8e88bda102791d4f807a00acc60aad98114b5a5b78336b4e6aeff59fa2795f3f83f196635d034c571859dab7c7c0443a913012944a45a7'
+            '1f249256ab94f72d667bc703ae668e0e7c0671ebd464a3800c9dd2121637438de7c2cd9a72a45610ab4ad584103c7261e237facc114b142dcec0c38930ce8975'
+            '51f378c6751ec6b24c5afac4eaa9a6f9b54680b53610e3db14d42c931034382e875316e9c25a8b04d0e36d08deef614fd2c8dc4cabac5de9d718cf0255e3020c')
+
+prepare() {
+  cd ${_pkgfqn}
+
+  if [[ ${pkgver%.*} = ${_debver%.*} ]]; then
+    # Debian patches
+    export QUILT_PATCHES=debian/patches
+    export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
+    export QUILT_DIFF_ARGS='--no-timestamps'
+
+    mv "$srcdir"/debian .
+
+    # Doesn't apply
+    rm -v debian/patches/armv4.diff || true
+    rm -v debian/patches/gnukfreebsd.diff || true
+    rm -v debian/patches/gnukfreebsd_linker_warnings.diff || true
+
+    quilt push -av
+  fi
+
+  patch -p1 -i ${srcdir}/qt-base-cflags.patch # Use system CFLAGS
+  patch -p1 -i ${srcdir}/kdebug-428095.patch # Fix black border on some menus with Breeze
+  patch -p1 -i ${srcdir}/qtnetwork-5.15.0-libressl.patch # Add LibreSSL support
+  patch -p1 -i ${srcdir}/CVE-2024-39936.patch # Fix CVE-2024-39936
+}
+
+build() {
+  cd ${_pkgfqn}
+
+  # Work around SSLv3_{client,server}_method missing in LibreSSL
+  CFLAGS+=" -DOPENSSL_NO_PSK -DOPENSSL_NO_NEXTPROTONEG"
+  CXXFLAGS+=" -Wno-deprecated-declarations -Wno-class-memaccess -Wno-packed-not-aligned"
+
+  OPENSSL_LIBS='-lssl -lcrypto'
+
+  [[ "${CARCH}" = "i686" ]] && SSE2="-no-sse2"
+
+  ./configure -confirm-license -opensource -v \
+    -prefix /usr \
+    -docdir /usr/share/doc/qt \
+    -headerdir /usr/include/qt \
+    -archdatadir /usr/lib/qt \
+    -datadir /usr/share/qt \
+    -sysconfdir /etc/xdg \
+    -examplesdir /usr/share/doc/qt/examples \
+    -plugin-sql-{psql,sqlite} \
+    -system-sqlite \
+    -openssl-linked \
+    -no-dtls \
+    -nomake examples \
+    -no-rpath \
+    -no-dbus \
+    -system-harfbuzz \
+    -syslog \
+    -no-mimetype-database \
+    -no-use-gold-linker \
+    -reduce-relocations \
+    -no-strip ${SSE2} \
+    -no-egl \
+    -no-angle \
+    -no-zstd \
+    -opengl desktop \
+    -no-vulkan \
+    -qt-doubleconversion \
+    -system-libpng \
+    -system-libmd4c \
+    -system-libjpeg \
+    -system-pcre \
+    -system-zlib \
+    -system-freetype
+  make
+}
+
+package_qt-base() {
+  pkgdesc='A cross-platform application and UI framework'
+
+  cd ${_pkgfqn}
+  make INSTALL_ROOT="${pkgdir}" install
+
+  # Install license
+  install -D -m644 "${srcdir}"/${_pkgfqn}/LICENSE.LGPL3 "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE.LGPL3
+
+  # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
+  find "${pkgdir}/usr/lib" -type f -name '*.prl' \
+    -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
+
+  # Fix wrong qmake path in pri file
+  sed -i "s|${srcdir}/${_pkgfqn}|/usr|" \
+    "${pkgdir}"/usr/lib/qt/mkspecs/modules/qt_lib_bootstrap_private.pri
+
+  # Symlinks for backwards compatibility
+  for b in "${pkgdir}"/usr/bin/*; do
+    ln -s $(basename $b) "${pkgdir}"/usr/bin/$(basename $b)-qt5
+  done
+}
+
+package_qt-xcb-private-headers() {
+  pkgdesc='Private headers for Qt Xcb'
+  depends=("qt-base=$pkgver")
+  optdepends=()
+  groups=()
+  replaces=('qt5-xcb-private-headers')
+  conflicts=('qt5-xcb-private-headers')
+  provides=('qt5-xcb-private-headers')
+
+  cd ${_pkgfqn}
+  install -d -m755 "$pkgdir"/usr/include/qtxcb-private
+  cp -r src/plugins/platforms/xcb/*.h "$pkgdir"/usr/include/qtxcb-private/
+
+  # Install license
+  install -D -m644 "${srcdir}"/${_pkgfqn}/LICENSE.LGPL3 "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE.LGPL3
+}

qt-base/kdebug-428095.patch

@@ -0,0 +1,45 @@
+From c5336057301d6a62160bc672dd0ab081b3c26725 Mon Sep 17 00:00:00 2001
+From: David Redondo <qt@david-redondo.de>
+Date: Tue, 3 Nov 2020 11:04:56 +0100
+Subject: Ensure that QMenu is polished before setting the screen in popup()
+
+Some styles alter the widget that will influence the underlying platform
+window. An example is when a style would want to draw the menu with some
+transparency and sets the Qt::WA_TranslucentBackground attribute. This
+needs to happen before the platform window is created. However calling
+QWidgetPrivate::setScreen will end up creating the window and the
+surface format will be fixed at this point.
+
+Change-Id: I707cf1de5c1614382cffbea1aae8cdb01f7de44a
+Reviewed-by: Nate Graham
+Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
+(cherry picked from commit 36b1d37cef09769eea22f78d77440ac4c5d008d8)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/widgets/widgets/qmenu.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/widgets/widgets/qmenu.cpp b/src/widgets/widgets/qmenu.cpp
+index ab933c987f..a23d8b790d 100644
+--- a/src/widgets/widgets/qmenu.cpp
++++ b/src/widgets/widgets/qmenu.cpp
+@@ -2368,6 +2368,8 @@ void QMenuPrivate::popup(const QPoint &p, QAction *atAction, PositionFunction po
+     doChildEffects = true;
+     updateLayoutDirection();
+ 
++    q->ensurePolished(); // Get the right font
++
+     // Ensure that we get correct sizeHints by placing this window on the correct screen.
+     // However if the QMenu was constructed with a QDesktopScreenWidget as its parent,
+     // then initialScreenIndex was set, so we should respect that for the lifetime of this menu.
+@@ -2405,7 +2407,6 @@ void QMenuPrivate::popup(const QPoint &p, QAction *atAction, PositionFunction po
+     q->setAttribute(Qt::WA_X11NetWmWindowTypeDropDownMenu, qobject_cast<QMenuBar *>(topCausedWidget()) != nullptr);
+ #endif
+ 
+-    q->ensurePolished(); // Get the right font
+     emit q->aboutToShow();
+     const bool actionListChanged = itemsDirty;
+ 
+-- 
+cgit v1.2.1
+

qt-base/qt-base-cflags.patch

@@ -0,0 +1,46 @@
+diff --git a/mkspecs/common/g++-unix.conf b/mkspecs/common/g++-unix.conf
+index a493cd5984..41342f5020 100644
+--- a/mkspecs/common/g++-unix.conf
++++ b/mkspecs/common/g++-unix.conf
+@@ -10,5 +10,6 @@
+ 
+ include(g++-base.conf)
+ 
+-QMAKE_LFLAGS_RELEASE   += -Wl,-O1
++SYSTEM_LDFLAGS = $$(LDFLAGS)
++!isEmpty(SYSTEM_LDFLAGS) { eval(QMAKE_LFLAGS_RELEASE += $$(LDFLAGS)) } else { QMAKE_LFLAGS_RELEASE   += -Wl,-O1 }
+ QMAKE_LFLAGS_NOUNDEF   += -Wl,--no-undefined
+diff --git a/mkspecs/common/gcc-base.conf b/mkspecs/common/gcc-base.conf
+index 1f919d270a..7ef6046326 100644
+--- a/mkspecs/common/gcc-base.conf
++++ b/mkspecs/common/gcc-base.conf
+@@ -40,9 +40,11 @@ QMAKE_CFLAGS_OPTIMIZE_SIZE = -Os
+ QMAKE_CFLAGS_DEPS          += -M
+ QMAKE_CFLAGS_WARN_ON       += -Wall -Wextra
+ QMAKE_CFLAGS_WARN_OFF      += -w
+-QMAKE_CFLAGS_RELEASE       += $$QMAKE_CFLAGS_OPTIMIZE
+-QMAKE_CFLAGS_RELEASE_WITH_DEBUGINFO += $$QMAKE_CFLAGS_OPTIMIZE -g
+-QMAKE_CFLAGS_DEBUG         += -g
++SYSTEM_CFLAGS = $$(CFLAGS)
++SYSTEM_DEBUG_CFLAGS = $$(DEBUG_CFLAGS)
++!isEmpty(SYSTEM_CFLAGS) { eval(QMAKE_CFLAGS_RELEASE += $$(CPPFLAGS) $$(CFLAGS)) } else { QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE }
++!isEmpty(SYSTEM_CFLAGS) { eval(QMAKE_CFLAGS_RELEASE_WITH_DEBUGINFO += $$(CPPFLAGS) -g $$(CFLAGS)) } else { QMAKE_CFLAGS_RELEASE_WITH_DEBUGINFO += $$QMAKE_CFLAGS_OPTIMIZE -g }
++!isEmpty(SYSTEM_DEBUG_CFLAGS) { eval(QMAKE_CFLAGS_DEBUG += $$(DEBUG_CFLAGS)) } else { QMAKE_CFLAGS_DEBUG += -g }
+ QMAKE_CFLAGS_SHLIB         += $$QMAKE_CFLAGS_PIC
+ QMAKE_CFLAGS_STATIC_LIB    += $$QMAKE_CFLAGS_PIC
+ QMAKE_CFLAGS_APP           += $$QMAKE_CFLAGS_PIC
+@@ -59,9 +61,11 @@ QMAKE_CXXFLAGS            += $$QMAKE_CFLAGS
+ QMAKE_CXXFLAGS_DEPS       += $$QMAKE_CFLAGS_DEPS
+ QMAKE_CXXFLAGS_WARN_ON    += $$QMAKE_CFLAGS_WARN_ON
+ QMAKE_CXXFLAGS_WARN_OFF   += $$QMAKE_CFLAGS_WARN_OFF
+-QMAKE_CXXFLAGS_RELEASE    += $$QMAKE_CFLAGS_RELEASE
+-QMAKE_CXXFLAGS_RELEASE_WITH_DEBUGINFO += $$QMAKE_CFLAGS_RELEASE_WITH_DEBUGINFO
+-QMAKE_CXXFLAGS_DEBUG      += $$QMAKE_CFLAGS_DEBUG
++SYSTEM_CXXFLAGS = $$(CXXFLAGS)
++SYSTEM_DEBUG_CXXFLAGS = $$(DEBUG_CXXFLAGS)
++!isEmpty(SYSTEM_CXXFLAGS) { eval(QMAKE_CXXFLAGS_RELEASE += $$(CPPFLAGS) $$(CXXFLAGS)) } else { QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE }
++!isEmpty(SYSTEM_CXXFLAGS) { eval(QMAKE_CXXFLAGS_RELEASE_WITH_DEBUGINFO += $$(CPPFLAGS) -g $$(CXXFLAGS)) } else { QMAKE_CXXFLAGS_RELEASE_WITH_DEBUGINFO += $$QMAKE_CFLAGS_OPTIMIZE -g }
++!isEmpty(SYSTEM_DEBUG_CXXFLAGS) { eval(QMAKE_CXXFLAGS_DEBUG += $$(DEBUG_CXXFLAGS)) } else { QMAKE_CXXFLAGS_DEBUG += -g }
+ QMAKE_CXXFLAGS_SHLIB      += $$QMAKE_CFLAGS_SHLIB
+ QMAKE_CXXFLAGS_STATIC_LIB += $$QMAKE_CFLAGS_STATIC_LIB
+ QMAKE_CXXFLAGS_APP        += $$QMAKE_CFLAGS_APP

qt-base/qtnetwork-5.15.0-libressl.patch

@@ -0,0 +1,590 @@
+diff --git a/src/network/ssl/qdtls_openssl.cpp b/src/network/ssl/qdtls_openssl.cpp
+index 25a6c5f4..b688e9e2 100644
+--- a/src/network/ssl/qdtls_openssl.cpp
++++ b/src/network/ssl/qdtls_openssl.cpp
+@@ -713,7 +713,11 @@ bool DtlsState::initCtxAndConnection(QDtlsBasePrivate *dtlsBase)
+ 
+     if (dtlsBase->mode == QSslSocket::SslServerMode) {
+         if (dtlsBase->dtlsConfiguration.dtlsCookieEnabled)
++#ifndef LIBRESSL_VERSION_NUMBER
+             q_SSL_set_options(newConnection.data(), SSL_OP_COOKIE_EXCHANGE);
++#else
++            q_SSL_ctrl(newConnection.data(), SSL_CTRL_OPTIONS, SSL_OP_COOKIE_EXCHANGE, NULL);
++#endif
+         q_SSL_set_psk_server_callback(newConnection.data(), dtlscallbacks::q_PSK_server_callback);
+     } else {
+         q_SSL_set_psk_client_callback(newConnection.data(), dtlscallbacks::q_PSK_client_callback);
+@@ -786,7 +790,11 @@ void DtlsState::setLinkMtu(QDtlsBasePrivate *dtlsBase)
+     }
+ 
+     // For now, we disable this option.
++#ifndef LIBRESSL_VERSION_NUMBER
+     q_SSL_set_options(tlsConnection.data(), SSL_OP_NO_QUERY_MTU);
++#else
++    q_SSL_ctrl(tlsConnection.data(), SSL_CTRL_OPTIONS, SSL_OP_NO_QUERY_MTU, NULL);
++#endif
+ 
+     q_DTLS_set_link_mtu(tlsConnection.data(), mtu);
+ }
+diff --git a/src/network/ssl/qsslcertificate_openssl.cpp b/src/network/ssl/qsslcertificate_openssl.cpp
+index ca9d61cc..19774432 100644
+--- a/src/network/ssl/qsslcertificate_openssl.cpp
++++ b/src/network/ssl/qsslcertificate_openssl.cpp
+@@ -661,7 +661,7 @@ static QMultiMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name)
+         unsigned char *data = nullptr;
+         int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e));
+         info.insert(name, QString::fromUtf8((char*)data, size));
+-#if QT_CONFIG(opensslv11)
++#if QT_CONFIG(opensslv11) && !defined(LIBRESSL_VERSION_NUMBER)
+         q_CRYPTO_free(data, nullptr, 0);
+ #else
+         q_CRYPTO_free(data);
+diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
+index c9f202f5..714add6b 100644
+--- a/src/network/ssl/qsslcontext_openssl.cpp
++++ b/src/network/ssl/qsslcontext_openssl.cpp
+@@ -351,9 +351,11 @@ init_context:
+         return;
+     }
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+     // A nasty hacked OpenSSL using a level that will make our auto-tests fail:
+     if (q_SSL_CTX_get_security_level(sslContext->ctx) > 1 && *forceSecurityLevel())
+         q_SSL_CTX_set_security_level(sslContext->ctx, 1);
++#endif
+ 
+     const long anyVersion =
+ #if QT_CONFIG(dtls)
+@@ -408,16 +410,28 @@ init_context:
+         maxVersion = DTLS1_VERSION;
+         break;
+     case QSsl::DtlsV1_0OrLater:
++#ifdef DTLS_MAX_VERSION
+         minVersion = DTLS1_VERSION;
+         maxVersion = DTLS_MAX_VERSION;
++#else
++        Q_UNREACHABLE();
++#endif // DTLS_MAX_VERSION
+         break;
+     case QSsl::DtlsV1_2:
++#ifdef DTLS1_2_VERSION
+         minVersion = DTLS1_2_VERSION;
+         maxVersion = DTLS1_2_VERSION;
++#else
++        Q_UNREACHABLE();
++#endif // DTLS1_2_VERSION
+         break;
+     case QSsl::DtlsV1_2OrLater:
++#if defined(DTLS1_2_VERSION) && defined(DTLS_MAX_VERSION)
+         minVersion = DTLS1_2_VERSION;
+         maxVersion = DTLS_MAX_VERSION;
++#else
++        Q_UNREACHABLE();
++#endif // DTLS1_2_VERSION && DTLS_MAX_VERSION
+         break;
+     case QSsl::TlsV1_3OrLater:
+ #ifdef TLS1_3_VERSION
+@@ -456,7 +470,11 @@ init_context:
+ 
+     // Enable bug workarounds.
+     long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);
++#ifndef LIBRESSL_VERSION_NUMBER
+     q_SSL_CTX_set_options(sslContext->ctx, options);
++#else
++    q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_OPTIONS, options, NULL);
++#endif
+ 
+     // Tell OpenSSL to release memory early
+     // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
+@@ -722,6 +740,7 @@ void QSslContext::applyBackendConfig(QSslContext *sslContext)
+     }
+ #endif // ocsp
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+     QSharedPointer<SSL_CONF_CTX> cctx(q_SSL_CONF_CTX_new(), &q_SSL_CONF_CTX_free);
+     if (cctx) {
+         q_SSL_CONF_CTX_set_ssl_ctx(cctx.data(), sslContext->ctx);
+@@ -768,7 +787,9 @@ void QSslContext::applyBackendConfig(QSslContext *sslContext)
+             sslContext->errorStr = msgErrorSettingBackendConfig(QSslSocket::tr("SSL_CONF_finish() failed"));
+             sslContext->errorCode = QSslError::UnspecifiedError;
+         }
+-    } else {
++    } else
++#endif // LIBRESSL_VERSION_NUMBER
++    {
+         sslContext->errorStr = msgErrorSettingBackendConfig(QSslSocket::tr("SSL_CONF_CTX_new() failed"));
+         sslContext->errorCode = QSslError::UnspecifiedError;
+     }
+diff --git a/src/network/ssl/qsslcontext_openssl_p.h b/src/network/ssl/qsslcontext_openssl_p.h
+index 70cb97aa..01a61cf5 100644
+--- a/src/network/ssl/qsslcontext_openssl_p.h
++++ b/src/network/ssl/qsslcontext_openssl_p.h
+@@ -61,6 +61,13 @@
+ 
+ QT_BEGIN_NAMESPACE
+ 
++#ifndef DTLS_ANY_VERSION
++#define DTLS_ANY_VERSION 0x1FFFF
++#endif
++#ifndef TLS_ANY_VERSION
++#define TLS_ANY_VERSION 0x10000
++#endif
++
+ #ifndef QT_NO_SSL
+ 
+ class QSslContextPrivate;
+diff --git a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
+index aaf87411..a33ebc63 100644
+--- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
++++ b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
+@@ -141,7 +141,11 @@ static bool isSafeDH(DH *dh)
+     const BIGNUM *g = nullptr;
+     q_DH_get0_pqg(dh, &p, &q, &g);
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+     if (q_BN_is_word(const_cast<BIGNUM *>(g), DH_GENERATOR_2)) {
++#else
++    if (BN_is_word(const_cast<BIGNUM *>(g), DH_GENERATOR_2)) {
++#endif
+         const unsigned long residue = q_BN_mod_word(p, 24);
+         if (residue == 11 || residue == 23)
+             status &= ~DH_NOT_SUITABLE_GENERATOR;
+diff --git a/src/network/ssl/qsslkey_openssl.cpp b/src/network/ssl/qsslkey_openssl.cpp
+index 43cb8c6d..a27336aa 100644
+--- a/src/network/ssl/qsslkey_openssl.cpp
++++ b/src/network/ssl/qsslkey_openssl.cpp
+@@ -360,7 +360,7 @@ static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data,
+     q_EVP_CipherUpdate(ctx,
+         reinterpret_cast<unsigned char *>(output.data()), &len,
+         reinterpret_cast<const unsigned char *>(data.constData()), data.size());
+-    q_EVP_CipherFinal(ctx,
++    q_EVP_CipherFinal_ex(ctx,
+         reinterpret_cast<unsigned char *>(output.data()) + len, &i);
+     len += i;
+ 
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index 277037e5..026c69a4 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -653,7 +653,7 @@ bool QSslSocketBackendPrivate::initSslContext()
+     else if (mode == QSslSocket::SslServerMode)
+         q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101006L
++#if OPENSSL_VERSION_NUMBER >= 0x10101006L && !defined(LIBRESSL_VERSION_NUMBER)
+     // Set the client callback for TLSv1.3 PSK
+     if (mode == QSslSocket::SslClientMode
+         && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
+@@ -704,7 +704,11 @@ bool QSslSocketBackendPrivate::initSslContext()
+ void QSslSocketBackendPrivate::destroySslContext()
+ {
+     if (ssl) {
++#ifndef LIBRESSL_VERSION_NUMBER
+         if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
++#else
++        if (!SSL_in_init(ssl) && !systemOrSslErrorDetected) {
++#endif
+             // We do not send a shutdown alert here. Just mark the session as
+             // resumable for qhttpnetworkconnection's "optimization", otherwise
+             // OpenSSL won't start a session resumption.
+@@ -1841,7 +1845,11 @@ bool QSslSocketBackendPrivate::checkOcspStatus()
+ void QSslSocketBackendPrivate::disconnectFromHost()
+ {
+     if (ssl) {
++#ifndef LIBRESSL_VERSION_NUMBER
+         if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
++#else
++        if (!shutdown && !SSL_in_init(ssl) && !systemOrSslErrorDetected) {
++#endif
+             if (q_SSL_shutdown(ssl) != 1) {
+                 // Some error may be queued, clear it.
+                 const auto errors = getErrorsFromOpenSsl();
+@@ -1910,7 +1918,11 @@ void QSslSocketBackendPrivate::continueHandshake()
+     if (readBufferMaxSize)
+         plainSocket->setReadBufferSize(readBufferMaxSize);
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+     if (q_SSL_session_reused(ssl))
++#else
++    if (q_SSL_ctrl(ssl, SSL_CTRL_GET_SESSION_REUSED, 0, NULL))
++#endif
+         configuration.peerSessionShared = true;
+ 
+ #ifdef QT_DECRYPT_SSL_TRAFFIC
+diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+index ed80fc14..5003db41 100644
+--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+@@ -142,14 +142,19 @@ DEFINEFUNC2(int, OPENSSL_init_ssl, uint64_t opts, opts, const OPENSSL_INIT_SETTI
+ DEFINEFUNC2(int, OPENSSL_init_crypto, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return)
+ DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return nullptr, return)
+ DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return nullptr, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return)
++#endif
+ DEFINEFUNC(int, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX *c, c, return 0, return)
+ DEFINEFUNC(int, EVP_PKEY_up_ref, EVP_PKEY *a, a, return 0, return)
+ DEFINEFUNC2(EVP_PKEY_CTX *, EVP_PKEY_CTX_new, EVP_PKEY *pkey, pkey, ENGINE *e, e, return nullptr, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(int, EVP_PKEY_param_check, EVP_PKEY_CTX *ctx, ctx, return 0, return)
++#endif
+ DEFINEFUNC(void, EVP_PKEY_CTX_free, EVP_PKEY_CTX *ctx, ctx, return, return)
+ DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
+ DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return)
+ DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return)
+ DEFINEFUNC2(void, OPENSSL_sk_pop_free, OPENSSL_STACK *a, a, void (*b)(void*), b, return, DUMMYARG)
+@@ -157,10 +162,20 @@ DEFINEFUNC(OPENSSL_STACK *, OPENSSL_sk_new_null, DUMMYARG, DUMMYARG, return null
+ DEFINEFUNC2(void, OPENSSL_sk_push, OPENSSL_STACK *a, a, void *b, b, return, DUMMYARG)
+ DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG)
+ DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return)
++#else
++DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return)
++DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG)
++DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return nullptr, return)
++DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG)
++DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG)
++DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return nullptr, return)
++#endif // LIBRESSL_VERSION_NUMBER
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return)
+ DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
+ DEFINEFUNC(int, SSL_CTX_get_security_level, const SSL_CTX *ctx, ctx, return -1, return)
+ DEFINEFUNC2(void, SSL_CTX_set_security_level, SSL_CTX *ctx, ctx, int level, level, return, return)
++#endif
+ #ifdef TLS1_3_VERSION
+ DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
+ DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
+@@ -170,7 +185,9 @@ DEFINEFUNC(int, SSL_SESSION_is_resumable, const SSL_SESSION *s, s, return 0, ret
+ DEFINEFUNC3(size_t, SSL_get_client_random, SSL *a, a, unsigned char *out, out, size_t outlen, outlen, return 0, return)
+ DEFINEFUNC3(size_t, SSL_SESSION_get_master_key, const SSL_SESSION *ses, ses, unsigned char *out, out, size_t outlen, outlen, return 0, return)
+ DEFINEFUNC6(int, CRYPTO_get_ex_new_index, int class_index, class_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC2(unsigned long, SSL_set_options, SSL *ssl, ssl, unsigned long op, op, return 0, return)
++#endif
+ 
+ DEFINEFUNC(const SSL_METHOD *, TLS_method, DUMMYARG, DUMMYARG, return nullptr, return)
+ DEFINEFUNC(const SSL_METHOD *, TLS_client_method, DUMMYARG, DUMMYARG, return nullptr, return)
+@@ -184,7 +201,11 @@ DEFINEFUNC2(void, X509_STORE_set_verify_cb, X509_STORE *a, a, X509_STORE_CTX_ver
+ DEFINEFUNC3(int, X509_STORE_set_ex_data, X509_STORE *a, a, int idx, idx, void *data, data, return 0, return)
+ DEFINEFUNC2(void *, X509_STORE_get_ex_data, X509_STORE *r, r, int idx, idx, return nullptr, return)
+ DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get0_chain, X509_STORE_CTX *a, a, return nullptr, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC3(void, CRYPTO_free, void *str, str, const char *file, file, int line, line, return, DUMMYARG)
++#else
++DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG)
++#endif
+ DEFINEFUNC(long, OpenSSL_version_num, void, DUMMYARG, return 0, return)
+ DEFINEFUNC(const char *, OpenSSL_version, int a, a, return nullptr, return)
+ DEFINEFUNC(unsigned long, SSL_SESSION_get_ticket_lifetime_hint, const SSL_SESSION *session, session, return 0, return)
+@@ -224,7 +245,9 @@ DEFINEFUNC5(int, OCSP_id_get0_info, ASN1_OCTET_STRING **piNameHash, piNameHash,
+             ASN1_OCTET_STRING **piKeyHash, piKeyHash, ASN1_INTEGER **pserial, pserial, OCSP_CERTID *cid, cid,
+             return 0, return)
+ DEFINEFUNC2(OCSP_RESPONSE *, OCSP_response_create, int status, status, OCSP_BASICRESP *bs, bs, return nullptr, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(const STACK_OF(X509) *, OCSP_resp_get0_certs, const OCSP_BASICRESP *bs, bs, return nullptr, return)
++#endif
+ DEFINEFUNC2(int, OCSP_id_cmp, OCSP_CERTID *a, a, OCSP_CERTID *b, b, return -1, return)
+ DEFINEFUNC7(OCSP_SINGLERESP *, OCSP_basic_add1_status, OCSP_BASICRESP *r, r, OCSP_CERTID *c, c, int s, s,
+             int re, re, ASN1_TIME *rt, rt, ASN1_TIME *t, t, ASN1_TIME *n, n, return nullptr, return)
+@@ -269,7 +292,7 @@ DEFINEFUNC2(int, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX *ctx, ctx, int ke
+ DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return)
+ DEFINEFUNC6(int, EVP_CipherInit_ex, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *cipher, cipher, ENGINE *impl, impl, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return)
+ DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return)
+-DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return)
++DEFINEFUNC3(int, EVP_CipherFinal_ex, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return)
+ DEFINEFUNC(const EVP_MD *, EVP_get_digestbyname, const char *name, name, return nullptr, return)
+ #ifndef OPENSSL_NO_DES
+ DEFINEFUNC(const EVP_CIPHER *, EVP_des_cbc, DUMMYARG, DUMMYARG, return nullptr, return)
+@@ -356,12 +379,14 @@ DEFINEFUNC2(int, SSL_CTX_use_PrivateKey, SSL_CTX *a, a, EVP_PKEY *b, b, return -
+ DEFINEFUNC2(int, SSL_CTX_use_RSAPrivateKey, SSL_CTX *a, a, RSA *b, b, return -1, return)
+ DEFINEFUNC3(int, SSL_CTX_use_PrivateKey_file, SSL_CTX *a, a, const char *b, b, int c, c, return -1, return)
+ DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return nullptr, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(SSL_CONF_CTX *, SSL_CONF_CTX_new, DUMMYARG, DUMMYARG, return nullptr, return);
+ DEFINEFUNC(void, SSL_CONF_CTX_free, SSL_CONF_CTX *a, a, return ,return);
+ DEFINEFUNC2(void, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX *a, a, SSL_CTX *b, b, return, return);
+ DEFINEFUNC2(unsigned int, SSL_CONF_CTX_set_flags, SSL_CONF_CTX *a, a, unsigned int b, b, return 0, return);
+ DEFINEFUNC(int, SSL_CONF_CTX_finish, SSL_CONF_CTX *a, a, return 0, return);
+ DEFINEFUNC3(int, SSL_CONF_cmd, SSL_CONF_CTX *a, a, const char *b, b, const char *c, c, return 0, return);
++#endif
+ DEFINEFUNC(void, SSL_free, SSL *a, a, return, DUMMYARG)
+ DEFINEFUNC(STACK_OF(SSL_CIPHER) *, SSL_get_ciphers, const SSL *a, a, return nullptr, return)
+ DEFINEFUNC(const SSL_CIPHER *, SSL_get_current_cipher, SSL *a, a, return nullptr, return)
+@@ -378,7 +403,9 @@ DEFINEFUNC3(void, SSL_set_bio, SSL *a, a, BIO *b, b, BIO *c, c, return, DUMMYARG
+ DEFINEFUNC(void, SSL_set_accept_state, SSL *a, a, return, DUMMYARG)
+ DEFINEFUNC(void, SSL_set_connect_state, SSL *a, a, return, DUMMYARG)
+ DEFINEFUNC(int, SSL_shutdown, SSL *a, a, return -1, return)
++#ifndef LIBRESSL_VERSION_NUMBER
+ DEFINEFUNC(int, SSL_in_init, const SSL *a, a, return 0, return)
++#endif
+ DEFINEFUNC(int, SSL_get_shutdown, const SSL *ssl, ssl, return 0, return)
+ DEFINEFUNC2(int, SSL_set_session, SSL* to, to, SSL_SESSION *session, session, return -1, return)
+ DEFINEFUNC(void, SSL_SESSION_free, SSL_SESSION *ses, ses, return, DUMMYARG)
+@@ -846,20 +873,26 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(EVP_CIPHER_CTX_reset)
+     RESOLVEFUNC(EVP_PKEY_up_ref)
+     RESOLVEFUNC(EVP_PKEY_CTX_new)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(EVP_PKEY_param_check)
++#endif
+     RESOLVEFUNC(EVP_PKEY_CTX_free)
+     RESOLVEFUNC(EVP_PKEY_base_id)
+     RESOLVEFUNC(RSA_bits)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(OPENSSL_sk_new_null)
+     RESOLVEFUNC(OPENSSL_sk_push)
+     RESOLVEFUNC(OPENSSL_sk_free)
+     RESOLVEFUNC(OPENSSL_sk_num)
+     RESOLVEFUNC(OPENSSL_sk_pop_free)
+     RESOLVEFUNC(OPENSSL_sk_value)
++#endif
+     RESOLVEFUNC(DH_get0_pqg)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(SSL_CTX_set_options)
+     RESOLVEFUNC(SSL_CTX_get_security_level)
+     RESOLVEFUNC(SSL_CTX_set_security_level)
++#endif
+ #ifdef TLS1_3_VERSION
+     RESOLVEFUNC(SSL_CTX_set_ciphersuites)
+     RESOLVEFUNC(SSL_set_psk_use_session_callback)
+@@ -869,9 +902,13 @@ bool q_resolveOpenSslSymbols()
+ 
+     RESOLVEFUNC(SSL_get_client_random)
+     RESOLVEFUNC(SSL_SESSION_get_master_key)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(SSL_session_reused)
++#endif
+     RESOLVEFUNC(SSL_get_session)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(SSL_set_options)
++#endif
+     RESOLVEFUNC(CRYPTO_get_ex_new_index)
+     RESOLVEFUNC(TLS_method)
+     RESOLVEFUNC(TLS_client_method)
+@@ -898,7 +935,9 @@ bool q_resolveOpenSslSymbols()
+ 
+     RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint)
+     RESOLVEFUNC(DH_bits)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(DSA_bits)
++#endif
+ 
+ #if QT_CONFIG(dtls)
+     RESOLVEFUNC(DTLSv1_listen)
+@@ -928,7 +967,9 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(OCSP_check_validity)
+     RESOLVEFUNC(OCSP_cert_to_id)
+     RESOLVEFUNC(OCSP_id_get0_info)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(OCSP_resp_get0_certs)
++#endif
+     RESOLVEFUNC(OCSP_basic_sign)
+     RESOLVEFUNC(OCSP_response_create)
+     RESOLVEFUNC(i2d_OCSP_RESPONSE)
+@@ -965,7 +1006,9 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(EC_GROUP_get_degree)
+ #endif
+     RESOLVEFUNC(BN_num_bits)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(BN_is_word)
++#endif
+     RESOLVEFUNC(BN_mod_word)
+     RESOLVEFUNC(DSA_new)
+     RESOLVEFUNC(DSA_free)
+@@ -979,7 +1022,7 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(EVP_CipherInit)
+     RESOLVEFUNC(EVP_CipherInit_ex)
+     RESOLVEFUNC(EVP_CipherUpdate)
+-    RESOLVEFUNC(EVP_CipherFinal)
++    RESOLVEFUNC(EVP_CipherFinal_ex)
+     RESOLVEFUNC(EVP_get_digestbyname)
+ #ifndef OPENSSL_NO_DES
+     RESOLVEFUNC(EVP_des_cbc)
+@@ -1058,12 +1101,14 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(SSL_CTX_use_RSAPrivateKey)
+     RESOLVEFUNC(SSL_CTX_use_PrivateKey_file)
+     RESOLVEFUNC(SSL_CTX_get_cert_store);
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(SSL_CONF_CTX_new);
+     RESOLVEFUNC(SSL_CONF_CTX_free);
+     RESOLVEFUNC(SSL_CONF_CTX_set_ssl_ctx);
+     RESOLVEFUNC(SSL_CONF_CTX_set_flags);
+     RESOLVEFUNC(SSL_CONF_CTX_finish);
+     RESOLVEFUNC(SSL_CONF_cmd);
++#endif
+     RESOLVEFUNC(SSL_accept)
+     RESOLVEFUNC(SSL_clear)
+     RESOLVEFUNC(SSL_connect)
+@@ -1083,7 +1128,9 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(SSL_set_bio)
+     RESOLVEFUNC(SSL_set_connect_state)
+     RESOLVEFUNC(SSL_shutdown)
++#ifndef LIBRESSL_VERSION_NUMBER
+     RESOLVEFUNC(SSL_in_init)
++#endif
+     RESOLVEFUNC(SSL_get_shutdown)
+     RESOLVEFUNC(SSL_set_session)
+     RESOLVEFUNC(SSL_SESSION_free)
+diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+index c46afcf5..4daba4ac 100644
+--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
++++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+@@ -80,6 +80,13 @@ QT_BEGIN_NAMESPACE
+ 
+ #define DUMMYARG
+ 
++#ifdef LIBRESSL_VERSION_NUMBER
++typedef _STACK STACK;
++typedef STACK OPENSSL_STACK;
++typedef void OPENSSL_INIT_SETTINGS;
++typedef int (*X509_STORE_CTX_verify_cb)(int ok,X509_STORE_CTX *ctx);
++#endif
++
+ #if !defined QT_LINKED_OPENSSL
+ // **************** Shared declarations ******************
+ // ret func(arg)
+@@ -230,7 +237,11 @@ const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x);
+ Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a);
+ Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem();
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ int q_DSA_bits(DSA *a);
++#else
++#define q_DSA_bits(dsa) q_BN_num_bits((dsa)->p)
++#endif
+ int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c);
+ Q_AUTOTEST_EXPORT int q_EVP_PKEY_up_ref(EVP_PKEY *a);
+ EVP_PKEY_CTX *q_EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
+@@ -238,14 +249,33 @@ void q_EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
+ int q_EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
+ int q_EVP_PKEY_base_id(EVP_PKEY *a);
+ int q_RSA_bits(RSA *a);
++
++#ifndef LIBRESSL_VERSION_NUMBER
+ Q_AUTOTEST_EXPORT int q_OPENSSL_sk_num(OPENSSL_STACK *a);
+ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *));
+ Q_AUTOTEST_EXPORT OPENSSL_STACK *q_OPENSSL_sk_new_null();
+ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data);
+ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_free(OPENSSL_STACK *a);
+ Q_AUTOTEST_EXPORT void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b);
++#else // LIBRESSL_VERSION_NUMBER
++int q_sk_num(STACK *a);
++#define q_OPENSSL_sk_num(a) q_sk_num(a)
++void q_sk_pop_free(STACK *a, void (*b)(void *));
++#define q_OPENSSL_sk_pop_free(a, b) q_sk_pop_free(a, b)
++STACK *q_sk_new_null();
++#define q_OPENSSL_sk_new_null() q_sk_new_null()
++void q_sk_push(STACK *st, void *data);
++#define q_OPENSSL_sk_push(st, data) q_sk_push(st, data)
++void q_sk_free(STACK *a);
++#define q_OPENSSL_sk_free q_sk_free
++void *q_sk_value(STACK *a, int b);
++#define q_OPENSSL_sk_value(a, b) q_sk_value(a, b)
++#endif // LIBRESSL_VERSION_NUMBER
++
++#ifndef LIBRESSL_VERSION_NUMBER
+ int q_SSL_session_reused(SSL *a);
+ unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
++#endif
+ int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+ size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen);
+ size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen);
+@@ -269,8 +299,13 @@ int q_DH_bits(DH *dh);
+ # define q_SSL_load_error_strings() q_OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \
+                                                        | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ #define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_OPENSSL_sk_num)(st)
+ #define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_OPENSSL_sk_value)(st, i)
++#else
++#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st)
++#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i)
++#endif // LIBRESSL_VERSION_NUMBER
+ 
+ #define q_OPENSSL_add_all_algorithms_conf()  q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
+                                                                    | OPENSSL_INIT_ADD_ALL_DIGESTS \
+@@ -279,13 +314,19 @@ int q_DH_bits(DH *dh);
+                                                                     | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)
+ 
+ int q_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
++#ifndef LIBRESSL_VERSION_NUMBER
+ void q_CRYPTO_free(void *str, const char *file, int line);
++#else
++void q_CRYPTO_free(void *a);
++#endif
+ 
+ long q_OpenSSL_version_num();
+ const char *q_OpenSSL_version(int type);
+ 
+ unsigned long q_SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session);
++#ifndef LIBRESSL_VERSION_NUMBER
+ unsigned long q_SSL_set_options(SSL *s, unsigned long op);
++#endif
+ 
+ #ifdef TLS1_3_VERSION
+ int q_SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
+@@ -374,7 +415,9 @@ BIO *q_BIO_new_mem_buf(void *a, int b);
+ int q_BIO_read(BIO *a, void *b, int c);
+ Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c);
+ int q_BN_num_bits(const BIGNUM *a);
++#ifndef LIBRESSL_VERSION_NUMBER
+ int q_BN_is_word(BIGNUM *a, BN_ULONG w);
++#endif
+ BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w);
+ 
+ #ifndef OPENSSL_NO_EC
+@@ -395,7 +438,7 @@ int q_EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
+ int q_EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *key, const unsigned char *iv, int enc);
+ int q_EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
+ int q_EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl);
+-int q_EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
++int q_EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+ const EVP_MD *q_EVP_get_digestbyname(const char *name);
+ 
+ #ifndef OPENSSL_NO_DES
+@@ -497,12 +540,14 @@ int q_SSL_CTX_use_PrivateKey(SSL_CTX *a, EVP_PKEY *b);
+ int q_SSL_CTX_use_RSAPrivateKey(SSL_CTX *a, RSA *b);
+ int q_SSL_CTX_use_PrivateKey_file(SSL_CTX *a, const char *b, int c);
+ X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);
++#ifndef LIBRESSL_VERSION_NUMBER
+ SSL_CONF_CTX *q_SSL_CONF_CTX_new();
+ void q_SSL_CONF_CTX_free(SSL_CONF_CTX *a);
+ void q_SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *a, SSL_CTX *b);
+ unsigned int q_SSL_CONF_CTX_set_flags(SSL_CONF_CTX *a, unsigned int b);
+ int q_SSL_CONF_CTX_finish(SSL_CONF_CTX *a);
+ int q_SSL_CONF_cmd(SSL_CONF_CTX *a, const char *b, const char *c);
++#endif
+ void q_SSL_free(SSL *a);
+ STACK_OF(SSL_CIPHER) *q_SSL_get_ciphers(const SSL *a);
+ const SSL_CIPHER *q_SSL_get_current_cipher(SSL *a);
+@@ -513,13 +558,15 @@ X509 *q_SSL_get_peer_certificate(SSL *a);
+ long q_SSL_get_verify_result(const SSL *a);
+ SSL *q_SSL_new(SSL_CTX *a);
+ SSL_CTX *q_SSL_get_SSL_CTX(SSL *a);
+-long q_SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
++long q_SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
+ int q_SSL_read(SSL *a, void *b, int c);
+ void q_SSL_set_bio(SSL *a, BIO *b, BIO *c);
+ void q_SSL_set_accept_state(SSL *a);
+ void q_SSL_set_connect_state(SSL *a);
+ int q_SSL_shutdown(SSL *a);
++#ifndef LIBRESSL_VERSION_NUMBER
+ int q_SSL_in_init(const SSL *s);
++#endif
+ int q_SSL_get_shutdown(const SSL *ssl);
+ int q_SSL_set_session(SSL *to, SSL_SESSION *session);
+ void q_SSL_SESSION_free(SSL_SESSION *ses);
+@@ -728,7 +775,11 @@ int q_OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *n
+ int q_OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, ASN1_OCTET_STRING **pikeyHash,
+                         ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ const STACK_OF(X509) *q_OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
++#else
++#define q_OCSP_resp_get0_certs(bs) ((bs)->certs)
++#endif
+ Q_AUTOTEST_EXPORT OCSP_CERTID *q_OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
+ Q_AUTOTEST_EXPORT void q_OCSP_CERTID_free(OCSP_CERTID *cid);
+ int q_OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);