Update to bro-2.6.1.

2018-12-30 14:14:14 +00:00 · 2018-12-30 14:14:14 +00:00 · 0629fbe56c
commit 0629fbe56c
parent 23ba9b2ca1
20 changed files with 1601 additions and 67 deletions
--- a/net/bro/Makefile
+++ b/net/bro/Makefile
@ -1,11 +1,14 @@
-# $OpenBSD: Makefile,v 1.47 2018/09/04 12:53:16 espie Exp $
+# $OpenBSD: Makefile,v 1.48 2018/12/30 14:14:14 ajacoutot Exp $

 COMMENT=		network analysis and security monitoring framework

-DISTNAME=		bro-2.5.5
-REVISION=		0
+DISTNAME=		bro-2.6.1

-SHARED_LIBS +=  broccoli                  5.1 # 5.1
+SHARED_LIBS +=  broccoli                  6.0 # 5.1
+SHARED_LIBS +=  broker                    0.0 # XXX see patch-aux_broker_CMakeLists_txt
+SHARED_LIBS +=  caf_core                  0.0 # 0.16
+SHARED_LIBS +=  caf_io                    0.0 # 0.16
+SHARED_LIBS +=  caf_openssl               0.0 # 0.16

 CATEGORIES=		net security

@ -16,8 +19,8 @@ MAINTAINER=		Antoine Jacoutot <ajacoutot@openbsd.org>
 # BSD
 PERMIT_PACKAGE_CDROM= 	Yes

-WANTLIB += GeoIP c crypto m pcap pthread ssl z
-WANTLIB += ${MODPY_WANTLIB} lib/libbind/bind ${COMPILER_LIBCXX}
+WANTLIB += c crypto m maxminddb pcap pthread ssl z
+WANTLIB += ${COMPILER_LIBCXX} ${MODPY_WANTLIB} lib/libbind/bind

 MASTER_SITES=		https://www.bro.org/downloads/

@ -36,11 +39,12 @@ BUILD_DEPENDS=		devel/bison \
 			devel/swig

 LIB_DEPENDS=		${MODPY_LIB_DEPENDS} \
-			net/GeoIP \
-			net/libbind
+			net/libbind \
+			net/libmaxminddb

-RUN_DEPENDS=		net/GeoIP,-asn \
-			net/GeoIP,-city
+RUN_DEPENDS=		net/libmaxminddb,-asn \
+			net/libmaxminddb,-city \
+			net/libmaxminddb,-db

 # XXX the bundled sqlite seems to pick up ICU4C if present and will error out if
 # it gets junked during the build; I could not find a proper way to disable it
@ -73,7 +77,9 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} \
 SUBST_VARS=		MODPY_SITEPKG

 pre-configure:
-	${SUBST_CMD} ${WRKSRC}/aux/broctl/BroControl/options.py
+	${SUBST_CMD} ${WRKSRC}/aux/broctl/BroControl/options.py \
+		${WRKSRC}/aux/broker/CMakeLists.txt \
+		${WRKSRC}/aux/broker/3rdparty/caf/libcaf_{core,io,openssl}/CMakeLists.txt

 post-install:
 	${INSTALL_DATA_DIR} ${PREFIX}/share/examples
--- a/net/bro/distinfo
+++ b/net/bro/distinfo
@ -1,2 +1,2 @@
-SHA256 (bro-2.5.5.tar.gz) = GPKusQtNk12FwRWh5Kk0ZLl1C+GbNJl89hlrKRGOc88=
-SIZE (bro-2.5.5.tar.gz) = 18525979
+SHA256 (bro-2.6.1.tar.gz) = 2XGLg/2uDHbupSVKS5RwMExNHTd4aH3ppP4LXf/qUhs=
+SIZE (bro-2.6.1.tar.gz) = 28432762
--- a/net/bro/patches/patch-CMakeLists_txt
+++ b/net/bro/patches/patch-CMakeLists_txt
@ -1,7 +1,9 @@
-$OpenBSD: patch-CMakeLists_txt,v 1.1 2016/08/27 06:39:14 ajacoutot Exp $
--- CMakeLists.txt.orig	Fri Aug 26 13:10:36 2016
-+++ CMakeLists.txt	Fri Aug 26 13:10:42 2016
-@@ -17,7 +17,7 @@ endif ()
+$OpenBSD: patch-CMakeLists_txt,v 1.2 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: CMakeLists.txt
+--- CMakeLists.txt.orig
+++ CMakeLists.txt
+@@ -29,7 +29,7 @@ endif ()
 
 if (NOT BRO_MAN_INSTALL_PATH)
     # set the default Bro man page installation path (user did not specify one)
--- a/net/bro/patches/patch-aux_broccoli_test_broccoli-v6addrs_c
+++ b/net/bro/patches/patch-aux_broccoli_test_broccoli-v6addrs_c
@ -1,4 +1,5 @@
-$OpenBSD: patch-aux_broccoli_test_broccoli-v6addrs_c,v 1.1 2016/09/06 16:12:57 ajacoutot Exp $
+$OpenBSD: patch-aux_broccoli_test_broccoli-v6addrs_c,v 1.2 2018/12/30 14:14:14 ajacoutot Exp $
+
 --- aux/broccoli/test/broccoli-v6addrs.c.orig	Tue Sep  6 17:53:46 2016
 +++ aux/broccoli/test/broccoli-v6addrs.c	Tue Sep  6 17:53:36 2016
@@ -3,6 +3,7 @@
--- a/net/bro/patches/patch-aux_broccoli_test_broccoli-vectors_c
+++ b/net/bro/patches/patch-aux_broccoli_test_broccoli-vectors_c
@ -1,4 +1,5 @@
-$OpenBSD: patch-aux_broccoli_test_broccoli-vectors_c,v 1.1 2016/08/27 06:39:14 ajacoutot Exp $
+$OpenBSD: patch-aux_broccoli_test_broccoli-vectors_c,v 1.2 2018/12/30 14:14:14 ajacoutot Exp $
+
 --- aux/broccoli/test/broccoli-vectors.c.orig	Fri Aug 26 16:41:55 2016
 +++ aux/broccoli/test/broccoli-vectors.c	Fri Aug 26 16:42:28 2016
@@ -3,6 +3,7 @@
--- a/net/bro/patches/patch-aux_broctl_BroControl_options_py
+++ b/net/bro/patches/patch-aux_broctl_BroControl_options_py
@ -1,8 +1,9 @@
-$OpenBSD: patch-aux_broctl_BroControl_options_py,v 1.4 2017/06/28 09:56:09 ajacoutot Exp $
+$OpenBSD: patch-aux_broctl_BroControl_options_py,v 1.5 2018/12/30 14:14:14 ajacoutot Exp $
+
 Index: aux/broctl/BroControl/options.py
 --- aux/broctl/BroControl/options.py.orig
 +++ aux/broctl/BroControl/options.py
-@@ -187,7 +187,7 @@ options = [
+@@ -170,7 +170,7 @@ options = [
 
     Option("LibDir", "${BroBase}/lib", "string", Option.AUTOMATIC, False,
            "Directory for library files."),
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_core_CMakeLists_txt
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_core_CMakeLists_txt
@ -0,0 +1,16 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_core_CMakeLists_txt,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_core/CMakeLists.txt
+--- aux/broker/3rdparty/caf/libcaf_core/CMakeLists.txt.orig
+++ aux/broker/3rdparty/caf/libcaf_core/CMakeLists.txt
+@@ -152,8 +152,8 @@ if (NOT CAF_BUILD_STATIC_ONLY)
+   )
+   set_target_properties(libcaf_core_shared
+     PROPERTIES
+-    SOVERSION ${CAF_VERSION}
+-    VERSION ${CAF_VERSION}
+    SOVERSION ${LIBcaf_core_VERSION}
+    VERSION ${LIBcaf_core_VERSION}
+     OUTPUT_NAME caf_core
+   )
+   install(TARGETS libcaf_core_shared
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_core_caf_config_hpp
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_core_caf_config_hpp
@ -0,0 +1,14 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_core_caf_config_hpp,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_core/caf/config.hpp
+--- aux/broker/3rdparty/caf/libcaf_core/caf/config.hpp.orig
+++ aux/broker/3rdparty/caf/libcaf_core/caf/config.hpp
+@@ -207,7 +207,7 @@
+ #  if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,16)
+ #    define CAF_POLL_IMPL
+ #  endif
+-#elif defined(__FreeBSD__)
+#elif defined(__FreeBSD__) || defined(__OpenBSD__)
+ #  define CAF_BSD
+ #elif defined(__CYGWIN__)
+ #  define CAF_CYGWIN
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_CMakeLists_txt
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_CMakeLists_txt
@ -0,0 +1,16 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_io_CMakeLists_txt,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_io/CMakeLists.txt
+--- aux/broker/3rdparty/caf/libcaf_io/CMakeLists.txt.orig
+++ aux/broker/3rdparty/caf/libcaf_io/CMakeLists.txt
+@@ -61,8 +61,8 @@ if (NOT CAF_BUILD_STATIC_ONLY)
+   )
+   set_target_properties(libcaf_io_shared
+                         PROPERTIES
+-                        SOVERSION ${CAF_VERSION}
+-                        VERSION ${CAF_VERSION}
+                        SOVERSION ${LIBcaf_io_VERSION}
+                        VERSION ${LIBcaf_io_VERSION}
+                         OUTPUT_NAME caf_io)
+   install(TARGETS libcaf_io_shared
+           RUNTIME DESTINATION bin
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_src_interfaces_cpp
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_src_interfaces_cpp
@ -0,0 +1,16 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_io_src_interfaces_cpp,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_io/src/interfaces.cpp
+--- aux/broker/3rdparty/caf/libcaf_io/src/interfaces.cpp.orig
+++ aux/broker/3rdparty/caf/libcaf_io/src/interfaces.cpp
+@@ -51,6 +51,10 @@
+ #include "caf/io/network/ip_endpoint.hpp"
+ #include "caf/raise_error.hpp"
+ 
+#ifndef AI_V4MAPPED
+# define AI_V4MAPPED 0
+#endif
+
+ namespace caf {
+ namespace io {
+ namespace network {
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_src_native_socket_cpp
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_io_src_native_socket_cpp
@ -0,0 +1,14 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_io_src_native_socket_cpp,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_io/src/native_socket.cpp
+--- aux/broker/3rdparty/caf/libcaf_io/src/native_socket.cpp.orig
+++ aux/broker/3rdparty/caf/libcaf_io/src/native_socket.cpp
+@@ -93,7 +93,7 @@ namespace network {
+ #endif
+ 
+ // platform-dependent SIGPIPE setup
+-#if defined(CAF_MACOS) || defined(CAF_IOS) || defined(CAF_BSD)
+#if defined(CAF_MACOS) || defined(CAF_IOS)
+   // Use the socket option but no flags to recv/send on macOS/iOS/BSD.
+   const int no_sigpipe_socket_flag = SO_NOSIGPIPE;
+   const int no_sigpipe_io_flag = 0;
--- a/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_openssl_CMakeLists_txt
+++ b/net/bro/patches/patch-aux_broker_3rdparty_caf_libcaf_openssl_CMakeLists_txt
@ -0,0 +1,16 @@
+$OpenBSD: patch-aux_broker_3rdparty_caf_libcaf_openssl_CMakeLists_txt,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: aux/broker/3rdparty/caf/libcaf_openssl/CMakeLists.txt
+--- aux/broker/3rdparty/caf/libcaf_openssl/CMakeLists.txt.orig
+++ aux/broker/3rdparty/caf/libcaf_openssl/CMakeLists.txt
+@@ -32,8 +32,8 @@ if (NOT CAF_BUILD_STATIC_ONLY)
+ 
+   set_target_properties(libcaf_openssl_shared
+                         PROPERTIES
+-                        SOVERSION ${CAF_VERSION}
+-                        VERSION ${CAF_VERSION}
+                        SOVERSION ${LIBcaf_openssl_VERSION}
+                        VERSION ${LIBcaf_openssl_VERSION}
+                         OUTPUT_NAME caf_openssl)
+   if (CYGWIN)
+     install(TARGETS libcaf_openssl_shared RUNTIME DESTINATION bin)
--- a/net/bro/patches/patch-aux_broker_CMakeLists_txt
+++ b/net/bro/patches/patch-aux_broker_CMakeLists_txt
@ -0,0 +1,19 @@
+$OpenBSD: patch-aux_broker_CMakeLists_txt,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+XXX BROKER_VERSION_MAJOR and BROKER_VERSION_MINOR are undefined
+(build ends up creating libbroker.so..)
+
+Index: aux/broker/CMakeLists.txt
+--- aux/broker/CMakeLists.txt.orig
+++ aux/broker/CMakeLists.txt
+@@ -383,8 +383,8 @@ endif ()
+ if (ENABLE_SHARED)
+   add_library(broker SHARED ${BROKER_SRC})
+   set_target_properties(broker PROPERTIES
+-                        SOVERSION ${BROKER_SOVERSION}
+-                        VERSION ${BROKER_VERSION_MAJOR}.${BROKER_VERSION_MINOR}
+                        SOVERSION ${LIBbroker_VERSION}
+                        VERSION ${LIBbroker_VERSION}
+                         MACOSX_RPATH true
+                         OUTPUT_NAME broker)
+   target_link_libraries(broker ${LINK_LIBS})
--- a/net/bro/patches/patch-configure
+++ b/net/bro/patches/patch-configure
@ -1,7 +1,9 @@
-$OpenBSD: patch-configure,v 1.2 2016/11/19 12:02:37 ajacoutot Exp $
--- configure.orig	Wed Nov 16 23:53:44 2016
-+++ configure	Thu Nov 17 07:43:54 2016
-@@ -32,6 +32,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
+$OpenBSD: patch-configure,v 1.3 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: configure
+--- configure.orig
+++ configure
+@@ -42,6 +42,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --logdir=PATH          when using BroControl, path to store log file
                            [PREFIX/logs]
     --conf-files-dir=PATH  config files installation directory [PREFIX/etc]
@ -10,8 +12,8 @@ $OpenBSD: patch-configure,v 1.2 2016/11/19 12:02:37 ajacoutot Exp $
 +                           [PREFIX/lib/broctl]
 
   Optional Features:
-     --enable-debug         compile in debugging mode
-@@ -178,6 +181,9 @@ while [ $# -ne 0 ]; do
+     --enable-debug         compile in debugging mode (like --build-type=Debug)
+@@ -199,6 +202,9 @@ while [ $# -ne 0 ]; do
             ;;
         --logdir=*)
             append_cache_entry BRO_LOG_DIR  PATH   $optarg
@ -19,5 +21,5 @@ $OpenBSD: patch-configure,v 1.2 2016/11/19 12:02:37 ajacoutot Exp $
 +        --python-install-dir=*)
 +            append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg
             ;;
-         --enable-debug)
-             append_cache_entry ENABLE_DEBUG         BOOL   true
+         --enable-coverage)
+             append_cache_entry ENABLE_COVERAGE         BOOL   true
--- a/net/bro/patches/patch-src_Sessions_cc
+++ b/net/bro/patches/patch-src_Sessions_cc
@ -0,0 +1,15 @@
+$OpenBSD: patch-src_Sessions_cc,v 1.3 2018/12/30 14:14:14 ajacoutot Exp $
+
+warning: '__inet_makeaddr' has C-linkage specified, but returns incomplete type 'struct in_addr' which could be incompatible with C
+
+Index: src/Sessions.cc
+--- src/Sessions.cc.orig
+++ src/Sessions.cc
+@@ -3,6 +3,7 @@
+ 
+ #include "bro-config.h"
+ 
+#include <netinet/in.h>
+ #include <arpa/inet.h>
+ 
+ #include <stdlib.h>
--- a/net/bro/patches/patch-src_analyzer_protocol_dns_DNS_cc
+++ b/net/bro/patches/patch-src_analyzer_protocol_dns_DNS_cc
@ -0,0 +1,15 @@
+$OpenBSD: patch-src_analyzer_protocol_dns_DNS_cc,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+warning: '__inet_makeaddr' has C-linkage specified, but returns incomplete type 'struct in_addr' which could be incompatible with C
+
+Index: src/analyzer/protocol/dns/DNS.cc
+--- src/analyzer/protocol/dns/DNS.cc.orig
+++ src/analyzer/protocol/dns/DNS.cc
+@@ -5,6 +5,7 @@
+ #include <ctype.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+#include <netinet/in.h>
+ #include <arpa/inet.h>
+ 
+ #include "NetVar.h"
--- a/net/bro/patches/patch-src_file_analysis_analyzer_x509_OCSP_cc
+++ b/net/bro/patches/patch-src_file_analysis_analyzer_x509_OCSP_cc
@ -0,0 +1,77 @@
+$OpenBSD: patch-src_file_analysis_analyzer_x509_OCSP_cc,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: src/file_analysis/analyzer/x509/OCSP.cc
+--- src/file_analysis/analyzer/x509/OCSP.cc.orig
+++ src/file_analysis/analyzer/x509/OCSP.cc
+@@ -44,7 +44,7 @@ static Val* get_ocsp_type(RecordVal* args, const char*
+ 
+ static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio)
+ 	{
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	ASN1_OCTET_STRING* key  = nullptr;
+ 	X509_NAME*         name = nullptr;
+ 
+@@ -423,7 +423,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* r
+ 
+ 	uint64 version = 0;
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	if ( req->tbsRequest->version )
+ 		version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version);
+ #else
+@@ -495,7 +495,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 	if ( !basic_resp )
+ 		goto clean_up;
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	resp_data = basic_resp->tbsResponseData;
+ 	if ( !resp_data )
+ 		goto clean_up;
+@@ -506,7 +506,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 	vl->append(resp_val->Ref());
+ 	vl->append(status_val);
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
+ #else
+ 	vl->append(parse_basic_resp_data_version(basic_resp));
+@@ -526,7 +526,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 		}
+ 
+ 	// producedAt
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	produced_at = resp_data->producedAt;
+ #else
+ 	produced_at = OCSP_resp_get0_produced_at(basic_resp);
+@@ -551,7 +551,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 		// cert id
+ 		const OCSP_CERTID* cert_id = nullptr;
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 		cert_id = single_resp->certId;
+ #else
+ 		cert_id = OCSP_SINGLERESP_get0_id(single_resp);
+@@ -618,7 +618,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 			}
+ 		}
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
+ 	len = BIO_read(bio, buf, sizeof(buf));
+ 	vl->append(new StringVal(len, buf));
+@@ -635,7 +635,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *
+ 	certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+ 	vl->append(certs_vector);
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	certs = basic_resp->certs;
+ #else
+ 	certs = OCSP_resp_get0_certs(basic_resp);
--- a/net/bro/patches/patch-src_file_analysis_analyzer_x509_X509_h
+++ b/net/bro/patches/patch-src_file_analysis_analyzer_x509_X509_h
@ -0,0 +1,28 @@
+$OpenBSD: patch-src_file_analysis_analyzer_x509_X509_h,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: src/file_analysis/analyzer/x509/X509.h
+--- src/file_analysis/analyzer/x509/X509.h.orig
+++ src/file_analysis/analyzer/x509/X509.h
+@@ -8,13 +8,20 @@
+ #include "Val.h"
+ #include "X509Common.h"
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER))
+ 
+ #define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm)
+ 
+/* not implemented in libressl yet */
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define X509_OBJECT_new()   (X509_OBJECT*)malloc(sizeof(X509_OBJECT))
+#define X509_OBJECT_free(a) free(a)
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || LIBRESSL_VERSION_NUMBER)
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || \
+     defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 
+ #define X509_OBJECT_new()   (X509_OBJECT*)malloc(sizeof(X509_OBJECT))
+ #define X509_OBJECT_free(a) free(a)
--- a/net/bro/patches/patch-src_file_analysis_analyzer_x509_functions_bif
+++ b/net/bro/patches/patch-src_file_analysis_analyzer_x509_functions_bif
@ -0,0 +1,44 @@
+$OpenBSD: patch-src_file_analysis_analyzer_x509_functions_bif,v 1.1 2018/12/30 14:14:14 ajacoutot Exp $
+
+Index: src/file_analysis/analyzer/x509/functions.bif
+--- src/file_analysis/analyzer/x509/functions.bif.orig
+++ src/file_analysis/analyzer/x509/functions.bif
+@@ -115,7 +115,7 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs
+ 	const ASN1_OCTET_STRING* key  = nullptr;
+ 	const X509_NAME*         name = nullptr;
+ 
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId;
+ 
+ 	if ( resp_id->type == V_OCSP_RESPID_NAME )
+@@ -348,7 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, 
+ 
+ 	// Because we actually want to be able to give nice error messages that show why we were
+ 	// not able to verify the OCSP response - do our own verification logic first.
+-#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+ 	signer = x509_get_ocsp_signer(basic->certs, basic);
+ #else
+ 	signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic);
+@@ -370,7 +370,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, 
+ 		}
+ 
+ 		{
+#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
+		auto basic_certs = basic->certs;
+#else
+ 		auto basic_certs = OCSP_resp_get0_certs(basic);
+#endif
+ 		if ( basic_certs )
+ 			ocsp_certs = sk_X509_dup(basic_certs);
+ 
+@@ -714,7 +718,7 @@ function sct_verify%(cert: opaque of x509, logid: stri
+ 	uint32 cert_length;
+ 	if ( precert )
+ 		{
+-#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER))
+ 		x->cert_info->enc.modified = 1;
+ 		cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
+ #else
--- a/net/bro/pkg/PLIST
+++ b/net/bro/pkg/PLIST