extra/postfix/libressl.patch

diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index a6119f1b..e437b9cd 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -19,7 +19,7 @@ typedef int bool;
 #ifdef USE_TLS
 #include <openssl/opensslv.h>		/* OPENSSL_VERSION_NUMBER */
 #include <openssl/objects.h>		/* SN_* and NID_* macros */
-#if OPENSSL_VERSION_NUMBER < 0x1000200fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010101fUL && !defined(LIBRESSL_VERSION_NUMBER)
 #error "OpenSSL releases prior to 1.0.2 are no longer supported"
 #endif
 #endif
diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
index c142d43f..ee894327 100644
--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -1673,7 +1673,8 @@ static int finger(STATE *state)
     return (0);
 }
 
-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(USE_TLS) && \
+    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
 
 /* ssl_cleanup - free memory allocated in the OpenSSL library */
 
@@ -2156,7 +2157,8 @@ int     main(int argc, char *argv[])
     cleanup(&state);
 
     /* OpenSSL 1.1.0 and later (de)initialization is implicit */
-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(USE_TLS) && \
+    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
     ssl_cleanup();
 #endif
 
diff --git a/src/tls/tls.h b/src/tls/tls.h
index 2a8cc119..4c8dff11 100644
--- a/src/tls/tls.h
+++ b/src/tls/tls.h
@@ -84,12 +84,12 @@ extern const char *str_tls_level(int);
 #define ssl_cipher_stack_t STACK_OF(SSL_CIPHER)
 #define ssl_comp_stack_t STACK_OF(SSL_COMP)
 
-#if (OPENSSL_VERSION_NUMBER < 0x1000200fUL)
+#if (OPENSSL_VERSION_NUMBER < 0x1000200fUL && !defined(LIBRESSL_VERSION_NUMBER))
 #error "OpenSSL releases prior to 1.0.2 are no longer supported"
 #endif
 
  /* Backwards compatibility with OpenSSL < 1.1.0 */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define OpenSSL_version_num SSLeay
 #define OpenSSL_version SSLeay_version
 #define OPENSSL_VERSION SSLEAY_VERSION
@@ -106,13 +106,16 @@ extern const char *str_tls_level(int);
 #define ASN1_STRING_get0_data ASN1_STRING_data
 #define X509_getm_notBefore X509_get_notBefore
 #define X509_getm_notAfter X509_get_notAfter
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define TLS_method SSLv23_method
 #define TLS_client_method SSLv23_client_method
 #define TLS_server_method SSLv23_server_method
 #endif
 
  /* Backwards compatibility with OpenSSL < 1.1.1 */
-#if OPENSSL_VERSION_NUMBER < 0x1010100fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010100fUL || defined(LIBRESSL_VERSION_NUMBER)
 #define SSL_CTX_set_num_tickets(ctx, num) ((void)0)
 #endif
 
@@ -124,7 +127,7 @@ extern const char *str_tls_level(int);
   * SSL_get_peer_tmp_key(), with the original name left behind as an alias.  We
   * use the new name when available.
   */
-#if OPENSSL_VERSION_NUMBER < 0x1010101fUL
+#if OPENSSL_VERSION_NUMBER < 0x1010101fUL || defined(LIBRESSL_VERSION_NUMBER)
 #undef SSL_get_signature_nid
 #define SSL_get_signature_nid(ssl, pnid) (NID_undef)
 #define tls_get_peer_dh_pubkey SSL_get_server_tmp_key
diff --git a/src/tls/tls_certkey.c b/src/tls/tls_certkey.c
index be8d4700..27a039c0 100644
--- a/src/tls/tls_certkey.c
+++ b/src/tls/tls_certkey.c
@@ -149,7 +149,7 @@ static void init_pem_load_state(pem_load_state_t *st, SSL_CTX *ctx, SSL *ssl,
 
 /* use_chain - load cert, key and chain into ctx or ssl */
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && !defined(LIBRESSL_VERSION_NUMBER)
 static int use_chain(pem_load_state_t *st)
 {
     int     ret;
@@ -697,7 +697,7 @@ int     main(int argc, char *argv[])
     char   *key_file = 0;
     SSL_CTX *ctx;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
     /*
      * Initialize the OpenSSL library by the book! To start with, we must
diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
index 135cea4b..955c5340 100644
--- a/src/tls/tls_client.c
+++ b/src/tls/tls_client.c
@@ -333,7 +333,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
      */
     tls_check_version();
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
     /*
      * Initialize the OpenSSL library by the book! To start with, we must
@@ -410,7 +410,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
     SSL_CTX_set_options(client_ctx, off);
 
     /* Enable all supported protocols */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL && !defined(LIBRESSL_VERSION_NUMBER)
     SSL_CTX_set_min_proto_version(client_ctx, 0);
 #endif
 
@@ -473,7 +473,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
     /*
      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
     /*
      * According to the OpenSSL documentation, temporary RSA key is needed
diff --git a/src/tls/tls_dane.c b/src/tls/tls_dane.c
index 013426b1..5cbb74e3 100644
--- a/src/tls/tls_dane.c
+++ b/src/tls/tls_dane.c
@@ -2006,7 +2006,7 @@ static SSL_CTX *ctx_init(const char *CAfile)
     tls_param_init();
     tls_check_version();
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     SSL_load_error_strings();
     SSL_library_init();
 #endif
diff --git a/src/tls/tls_dh.c b/src/tls/tls_dh.c
index 70db8e9d..727e3a80 100644
--- a/src/tls/tls_dh.c
+++ b/src/tls/tls_dh.c
@@ -314,7 +314,7 @@ void    tls_auto_eecdh_curves(SSL_CTX *ctx, const char *configured)
      * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
      * auto-negotiated.
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL || defined(LIBRESSL_VERSION_NUMBER)
     if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0) {
 	msg_warn("failed to enable automatic ECDHE curve selection");
 	tls_print_errors();
diff --git a/src/tls/tls_rsa.c b/src/tls/tls_rsa.c
index 67f2a2ee..c6a759e8 100644
--- a/src/tls/tls_rsa.c
+++ b/src/tls/tls_rsa.c
@@ -57,7 +57,7 @@
  /*
   * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
   */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 /* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */
 
@@ -103,7 +103,7 @@ int     main(int unused_argc, char *const argv[])
     /*
      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     RSA    *rsa;
 
     msg_vstream_init(argv[0], VSTREAM_ERR);
diff --git a/src/tls/tls_server.c b/src/tls/tls_server.c
index 25d85ec7..b134d50d 100644
--- a/src/tls/tls_server.c
+++ b/src/tls/tls_server.c
@@ -167,7 +167,7 @@ static const char server_session_id_context[] = "Postfix/TLS";
 #define GET_SID(s, v, lptr)	((v) = SSL_SESSION_get_id((s), (lptr)))
 
  /* OpenSSL 1.1.0 bitrot */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 typedef const unsigned char *session_id_t;
 
 #else
@@ -370,7 +370,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
      */
     tls_check_version();
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
     /*
      * Initialize the OpenSSL library by the book! To start with, we must
@@ -487,7 +487,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
      * incomplete.
      */
 #ifdef SSL_OP_NO_TICKET
-#ifndef OPENSSL_NO_TLSEXT
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x0090808fL && !defined(LIBRESSL_VERSION_NUMBER)
     ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
 		  && !(off & SSL_OP_NO_TICKET));
     if (ticketable) {
@@ -528,7 +528,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     SSL_CTX_set_options(server_ctx, off);
 
     /* Enable all supported protocols */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL && !defined(LIBRESSL_VERSION_NUMBER)
     SSL_CTX_set_min_proto_version(server_ctx, 0);
     SSL_CTX_set_min_proto_version(sni_ctx, 0);
 #endif
@@ -616,7 +616,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     /*
      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
     /*
      * According to OpenSSL documentation, a temporary RSA key is needed when