Diffstat (limited to 'www/tomcat-native2')
-rw-r--r--www/tomcat-native2/Makefile37
-rw-r--r--www/tomcat-native2/distinfo3
-rw-r--r--www/tomcat-native2/files/patch-include_ssl__private.h12
-rw-r--r--www/tomcat-native2/files/patch-src_ssl.c63
-rw-r--r--www/tomcat-native2/files/patch-src_sslutils.c14
-rw-r--r--www/tomcat-native2/pkg-descr3
6 files changed, 132 insertions, 0 deletions
diff --git a/www/tomcat-native2/Makefile b/www/tomcat-native2/Makefile
new file mode 100644
index 000000000000..4cb291adc34c
--- /dev/null
+++ b/www/tomcat-native2/Makefile
@@ -0,0 +1,37 @@
+PORTNAME= tomcat-native
+DISTVERSION= 2.0.7
+CATEGORIES= www java
+MASTER_SITES= https://archive.apache.org/dist/tomcat/tomcat-connectors/native/${PORTVERSION}/source/
+PKGNAMESUFFIX= 2
+DISTNAME= ${PORTNAME}-${PORTVERSION}-src
+
+MAINTAINER= michaelo@apache.org
+COMMENT= Tomcat native library
+WWW= https://tomcat.apache.org/native-doc/
+
+LICENSE= APACHE20
+
+LIB_DEPENDS= libapr-1.so:devel/apr1
+
+USES= libtool ssl
+USE_JAVA= yes
+USE_LDCONFIG= yes
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS= --with-apr=${LOCALBASE} \
+ --with-java-home=${JAVA_HOME} \
+ --with-ssl=${OPENSSLBASE} \
+ --disable-openssl-version-check
+
+WRKSRC= ${WRKDIR}/${DISTNAME}/native
+
+SOVERSION= ${PORTVERSION:E}
+MAJORVERSION= ${PORTVERSION:R:R}
+PLIST_FILES= lib/libtcnative-${MAJORVERSION}.so \
+ lib/libtcnative-${MAJORVERSION}.so.0 \
+ lib/libtcnative-${MAJORVERSION}.so.0.0.${SOVERSION}
+
+post-install:
+ ${RM} ${STAGEDIR}${PREFIX}/lib/libtcnative-${MAJORVERSION}.a
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libtcnative-${MAJORVERSION}.so.0.0.${SOVERSION}
+
+.include <bsd.port.mk>
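Review bot: `--disable-openssl-version-check` in CONFIGURE_ARGS switches off the configure-time OpenSSL version test without a comment saying why, and nothing else in this Makefile constrains which libssl the port links against. The patches under files/ swap the OpenSSL 3.x code paths for older calls (`FIPS_mode()`, `OCSP_parse_url()`), which suggests the port is meant for a pre-3.0 OpenSSL, though the page does not say so. A comment above the flag, for example `# upstream requires OpenSSL 3.0; the files/ patches restore the 1.x API paths`, would record that the flag and the patches belong together and should be removed together.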
diff --git a/www/tomcat-native2/distinfo b/www/tomcat-native2/distinfo
new file mode 100644
index 000000000000..6c7db5104702
--- /dev/null
+++ b/www/tomcat-native2/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1713346420
+SHA256 (tomcat-native-2.0.7-src.tar.gz) = 2c5afc7edc383e47660647e9a7071ad81f58e51c7f765c12f7e7afc9203b2d4d
+SIZE (tomcat-native-2.0.7-src.tar.gz) = 538131
diff --git a/www/tomcat-native2/files/patch-include_ssl__private.h b/www/tomcat-native2/files/patch-include_ssl__private.h
new file mode 100644
index 000000000000..80ff3e5c8cd9
--- /dev/null
+++ b/www/tomcat-native2/files/patch-include_ssl__private.h
@@ -0,0 +1,12 @@
+--- include/ssl_private.h.orig 2024-02-04 19:32:52 UTC
++++ include/ssl_private.h
+@@ -46,9 +46,6 @@
+ #include <openssl/x509v3.h>
+ #include <openssl/dh.h>
+ #include <openssl/bn.h>
+-#ifndef LIBRESSL_VERSION_NUMBER
+-#include <openssl/provider.h>
+-#endif
+ /* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
+ */
diff --git a/www/tomcat-native2/files/patch-src_ssl.c b/www/tomcat-native2/files/patch-src_ssl.c
new file mode 100644
index 000000000000..b3b37819b955
--- /dev/null
+++ b/www/tomcat-native2/files/patch-src_ssl.c
@@ -0,0 +1,63 @@
+--- src/ssl.c.orig 2024-02-04 19:32:52 UTC
++++ src/ssl.c
+@@ -395,30 +395,14 @@ TCN_IMPLEMENT_CALL(void, SSL, randSet)(TCN_STDARGS, js
+
+ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeGet)(TCN_STDARGS)
+ {
+-#if defined(LIBRESSL_VERSION_NUMBER)
+ UNREFERENCED(o);
+- /* LibreSSL doesn't support FIPS */
+- return 0;
++#ifdef OPENSSL_FIPS
++ return FIPS_mode();
+ #else
+- EVP_MD *md;
+- const OSSL_PROVIDER *provider;
+- const char *name;
+- UNREFERENCED(o);
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
+
+- // Maps the OpenSSL 3. x onwards behaviour to theOpenSSL 1.x API
+-
+- // Checks that FIPS is the default provider
+- md = EVP_MD_fetch(NULL, "SHA-512", NULL);
+- provider = EVP_MD_get0_provider(md);
+- name = OSSL_PROVIDER_get0_name(provider);
+- // Clean up
+- EVP_MD_free(md);
+-
+- if (strcmp("fips", name)) {
+- return 0;
+- } else {
+- return 1;
+- }
++ return 0;
+ #endif
+ }
+
+@@ -427,8 +411,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS
+ int r = 0;
+ UNREFERENCED(o);
+
+- /* This method should never be called when using Tomcat Native 2.x onwards */
+- tcn_ThrowException(e, "fipsModeSet is not supported in Tomcat Native 2.x onwards.");
++#ifdef OPENSSL_FIPS
++ if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
++ /* arrange to get a human-readable error message */
++ unsigned long err = SSL_ERR_get();
++ char msg[256];
++
++ /* ERR_load_crypto_strings() already called in initialize() */
++
++ ERR_error_string_n(err, msg, 256);
++
++ tcn_ThrowException(e, msg);
++ }
++#else
++ /* FIPS is unavailable */
++ tcn_ThrowException(e, "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.");
++#endif
+
+ return r;
+ }
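Review bot: The rewritten `fipsModeGet` has no path left that can report an active FIPS provider: the upstream `EVP_MD_fetch`/`OSSL_PROVIDER_get0_name` check is deleted outright, and the `#else` branch now throws as well as returning 0, where the upstream LibreSSL branch returned 0 quietly. If this port is ever linked against OpenSSL 3.x (where `OPENSSL_FIPS` is, as far as I know, not defined), a deployment running the FIPS provider would be told FIPS is unavailable and could not confirm its state through this call. Keeping the upstream branch behind a version test such as `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L` instead of removing it would avoid that; patch-include_ssl__private.h and patch-src_sslutils.c drop their 3.x branches in the same unconditional way. In `fipsModeSet`, whose opening lines are outside the hunk, `ERR_error_string_n(err, msg, 256)` is better written `ERR_error_string_n(err, msg, sizeof(msg))` so the length always follows the buffer.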
diff --git a/www/tomcat-native2/files/patch-src_sslutils.c b/www/tomcat-native2/files/patch-src_sslutils.c
new file mode 100644
index 000000000000..39d22ddc7850
--- /dev/null
+++ b/www/tomcat-native2/files/patch-src_sslutils.c
@@ -0,0 +1,14 @@
+--- src/sslutils.c.orig 2024-02-04 19:32:52 UTC
++++ src/sslutils.c
+@@ -946,11 +946,7 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p,
+ int ok = 0;
+ apr_socket_t *apr_sock = NULL;
+ apr_pool_t *mp;
+-#ifdef LIBRESSL_VERSION_NUMBER
+ if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0)
+-#else
+- if (OSSL_HTTP_parse_url(url, &use_ssl, NULL, &hostname, &c_port, NULL, &path, NULL, NULL) == 0)
+-#endif
+ goto end;
+
+ if (sscanf(c_port, "%d", &port) != 1)
diff --git a/www/tomcat-native2/pkg-descr b/www/tomcat-native2/pkg-descr
new file mode 100644
index 000000000000..35d1f60cfb90
--- /dev/null
+++ b/www/tomcat-native2/pkg-descr
@@ -0,0 +1,3 @@
+The Apache Tomcat Native Library is an optional component for use with Apache
+Tomcat that allows Tomcat to use OpenSSL as a replacement for JSSE to support
+TLS connections.