commit: f58eb8616d064d5b47fc8cb1384334139645c87f
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Tue Jul 22 14:40:45 2025 +0000
Commit: orbea <orbea <AT> riseup <DOT> net>
CommitDate: Tue Jul 22 14:40:45 2025 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=f58eb861
net-misc/stunnel: add 5.74, 5.75
Signed-off-by: orbea <orbea <AT> riseup.net>
net-misc/stunnel/Manifest | 2 +
net-misc/stunnel/files/stunnel-5.74-libressl.patch | 348 ++++++++++++++++++++
net-misc/stunnel/files/stunnel-5.75-libressl.patch | 364 +++++++++++++++++++++
net-misc/stunnel/stunnel-5.74.ebuild | 127 +++++++
net-misc/stunnel/stunnel-5.75.ebuild | 127 +++++++
5 files changed, 968 insertions(+)
diff --git a/net-misc/stunnel/Manifest b/net-misc/stunnel/Manifest
index ed1de84..d3cddbf 100644
--- a/net-misc/stunnel/Manifest
+++ b/net-misc/stunnel/Manifest
@@ -1 +1,3 @@
DIST stunnel-5.71.tar.gz 895646 BLAKE2B
d323363c7bfdd6c0b7931b84a6069cf9a8337e967c31e14d15976d7932f0c0d6f40f7a1cbf5abbdff0e9edc52176cdcead4f848653088193b2debf4e77443b42
SHA512
c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
+DIST stunnel-5.74.tar.gz 904360 BLAKE2B
84fc84c1b63e9219ee80f0f9d2b8f08e0a44899196968d5a00a73dc8c6b0b50bea7625f1ba7d900216c8fefe08d2b8d3de546fa03cbacd8dad0f5e473528b0f6
SHA512
b0581916c3979c8edb2dc31a3a5e9d26c565328a4314eecc4fcf3bc4eab12df019a6e3650304deec44ade630871ab5aad001839152b2e88cb226fa19744f8056
+DIST stunnel-5.75.tar.gz 921591 BLAKE2B
2a48440afde0ddc34df1603591c43674f97a6ba66ecfc98a3d87f1bbb4f310d6a363c82b2f1a8da461efc4d7e912f6fa6b25d00f8ab65c205c1d69c997eeb9ed
SHA512
ce1d7d1c1534389ae39f2aa838c10b5631c36e88ce1bafc3249fee30130eeb86937808a22c3886dd6598fccf8c63bf965a64b60600a1287aef42b87bd19e7ee7
diff --git a/net-misc/stunnel/files/stunnel-5.74-libressl.patch
b/net-misc/stunnel/files/stunnel-5.74-libressl.patch
new file mode 100644
index 0000000..d869ace
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-5.74-libressl.patch
@@ -0,0 +1,348 @@
+Rebased from an OpenBSD patch.
+
+--- a/src/client.c
++++ b/src/client.c
+@@ -794,7 +794,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiated
cipher */
+ NOEXPORT void transfer(CLI *c) {
+ int timeout; /* s_poll_wait timeout in seconds */
+ int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ int has_pending=0, prev_has_pending;
+ #endif
+ int watchdog=0; /* a counter to detect an infinite loop */
+@@ -841,7 +841,7 @@ NOEXPORT void transfer(CLI *c) {
+
+ /****************************** wait for an event */
+ pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* only attempt to process SSL_has_pending() data once */
+ prev_has_pending=has_pending;
+ has_pending=SSL_has_pending(c->ssl);
+@@ -1264,7 +1264,7 @@ NOEXPORT void transfer(CLI *c) {
+ s_log(LOG_ERR,
+ "please report the problem to [email protected]");
+ stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+ SSL_get_version(c->ssl),
+ SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+--- a/src/common.h
++++ b/src/common.h
+@@ -467,7 +467,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -513,7 +513,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ /* not defined in public headers before OpenSSL 0.9.8 */
+ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+ #endif /* !defined(OPENSSL_NO_COMP) */
+-#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/storeerr.h>
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -94,7 +94,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry(void);
+
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+ const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -109,7 +109,7 @@ NOEXPORT int ssl_tlsext_ticket_key_cb(SSL *, unsigned char
*,
+ NOEXPORT int sess_new_cb(SSL *, SSL_SESSION *);
+ NOEXPORT void new_chain(CLI *);
+ NOEXPORT void session_cache_save(CLI *, SSL_SESSION *);
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *);
+ #endif
+ NOEXPORT SSL_SESSION *sess_get_cb(SSL *,
+@@ -138,7 +138,7 @@ NOEXPORT char *get_tls13_cipher_list(STACK_OF(SSL_CIPHER)
*);
+
+ /**************************************** initialize section->ctx */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef long unsigned SSL_OPTIONS_TYPE;
+ #else
+ typedef long SSL_OPTIONS_TYPE;
+@@ -191,7 +191,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS
context */
+ }
+ current_section=section; /* setup current section for callbacks */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* set the security level */
+ if(section->security_level>=0) {
+ /* set the user-specified value */
+@@ -292,7 +292,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS
context */
+ #endif
+
+ /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+ decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -591,7 +591,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CONF_CTX *cctx;
+ NAME_LIST *curr;
+ char *cmd, *param;
+@@ -1112,7 +1112,7 @@ NOEXPORT int ui_retry(void) {
+
+ /**************************************** session tickets */
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ typedef struct {
+ void *session_authenticated;
+@@ -1393,7 +1393,7 @@ NOEXPORT void session_cache_save(CLI *c, SSL_SESSION
*sess) {
+ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SESSION]);
+ }
+
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) {
+ int der_len;
+ unsigned char *der_data;
+@@ -1622,7 +1622,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
int ret) {
+ CLI *c;
+ SSL_CTX *ctx;
+ const char *state_string;
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+ int state=SSL_get_state((SSL *)ssl);
+@@ -1671,7 +1671,10 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
int ret) {
+ if(state==TLS_ST_SR_CLNT_HELLO) {
+ #else
+ if(state==SSL3_ST_SR_CLNT_HELLO_A
+- || state==SSL23_ST_SR_CLNT_HELLO_A) {
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x4000000fL
++ || state==SSL23_ST_SR_CLNT_HELLO_A
++#endif
++ ) {
+ #endif
+ /* client hello received after initial handshake,
+ * this means renegotiation -> mark it */
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -72,7 +72,7 @@ typedef struct servername_list_struct SERVERNAME_LIST;
+ typedef HANDLE THREAD_ID;
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -804,7 +804,7 @@ extern CLI *thread_head;
+
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -38,7 +38,7 @@
+ #include "prototypes.h"
+
+ /* global OpenSSL initialization: compression, engine, entropy */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ #else /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+@@ -48,7 +48,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -108,7 +108,7 @@ int fips_available(void) { /* either FIPS provider or
container is available */
+
+ /* initialize libcrypto before invoking API functions that require it */
+ void crypto_init(void) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_INIT_SETTINGS *conf;
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+ #ifdef USE_WIN32
+@@ -151,7 +151,7 @@ void crypto_init(void) {
+ #endif /* USE_WIN32 */
+
+ /* initialize OpenSSL */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+ stunnel_dir=tstr2str(stunnel_exe_path);
+@@ -237,7 +237,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+ #endif
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp) {
+ #else /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+@@ -251,7 +251,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ (char *)argp);
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
+ sslerror("CRYPTO_set_ex_data");
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ return 1; /* success */
+ #endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ }
+@@ -259,7 +259,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+--- a/src/sthreads.c
++++ b/src/sthreads.c
+@@ -123,7 +123,7 @@ NOEXPORT void thread_id_init(void) {
+ /**************************************** locking */
+
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_PTHREAD
+
+@@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount,
CRYPTO_RWLOCK *lock) {
+
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret,
CRYPTO_RWLOCK *lock) {
+
+ NOEXPORT void locking_init(void) {
+ size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+ size_t num;
+
+ /* initialize the OpenSSL static locking */
+--- a/src/str.c
++++ b/src/str.c
+@@ -98,7 +98,7 @@ NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
+ *leak_results[LEAK_TABLE_SIZE];
+ NOEXPORT int leak_result_num=0;
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ DEFINE_STACK_OF(LEAK_ENTRY)
+ #endif /* OpenSSL version >= 1.1.1 */
+
+@@ -112,7 +112,7 @@ NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char
*, int);
+ NOEXPORT void str_leak_debug(const ALLOC_LIST *, int);
+
+ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *);
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int leak_cmp(const LEAK_ENTRY *const *, const LEAK_ENTRY *const *);
+ #endif /* OpenSSL version >= 1.1.1 */
+ NOEXPORT void leak_report(void);
+@@ -563,7 +563,7 @@ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST
*alloc_list) {
+ void leak_table_utilization(void) {
+ int i, utilization=0;
+ int64_t grand_total=0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ STACK_OF(LEAK_ENTRY) *stats;
+ #endif /* OpenSSL version >= 1.1.1 */
+
+@@ -580,7 +580,7 @@ void leak_table_utilization(void) {
+ s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d (%05.2f%%)",
+ utilization, LEAK_TABLE_SIZE, 100.0*utilization/LEAK_TABLE_SIZE);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* log up to 5 most frequently used heap allocations */
+ stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization);
+ for(i=0; i<LEAK_TABLE_SIZE; ++i)
+@@ -597,7 +597,7 @@ void leak_table_utilization(void) {
+ #endif /* OpenSSL version >= 1.1.1 */
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b)
{
+ int64_t d = (*a)->total - (*b)->total;
+ if(d>0)
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -40,7 +40,7 @@
+ volatile int tls_initialized=0;
+
+ NOEXPORT void tls_platform_init(void);
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || (defined(LIBRESSL_VERSION_NUMBER)
&& LIBRESSL_VERSION_NUMBER<0x4010000fL)
+ NOEXPORT void free_function(void *);
+ #endif
+
+@@ -51,7 +51,7 @@ void tls_init(void) {
+ tls_platform_init();
+ tls_initialized=1;
+ ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER)
|| LIBRESSL_VERSION_NUMBER>=0x4010000fL)
+ CRYPTO_set_mem_functions(str_alloc_detached_debug,
+ str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -184,7 +184,7 @@ TLS_DATA *tls_get(void) {
+
+ /**************************************** OpenSSL allocator hook */
+
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || (defined(LIBRESSL_VERSION_NUMBER)
&& LIBRESSL_VERSION_NUMBER<0x4010000fL)
+ NOEXPORT void free_function(void *ptr) {
+ /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+ /* unfortunately, OpenSSL provides no file:line information here */
+--- a/src/verify.c
++++ b/src/verify.c
+@@ -382,7 +382,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX
*callback_ctx) {
+ cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+ subject=X509_get_subject_name(cert);
+
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
diff --git a/net-misc/stunnel/files/stunnel-5.75-libressl.patch
b/net-misc/stunnel/files/stunnel-5.75-libressl.patch
new file mode 100644
index 0000000..20e086d
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-5.75-libressl.patch
@@ -0,0 +1,364 @@
+Rebased from an OpenBSD patch.
+
+--- a/src/client.c
++++ b/src/client.c
+@@ -795,7 +795,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiated
cipher */
+ NOEXPORT void transfer(CLI *c) {
+ int timeout; /* s_poll_wait timeout in seconds */
+ int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ int has_pending=0, prev_has_pending;
+ #endif
+ int watchdog=0; /* a counter to detect an infinite loop */
+@@ -842,7 +842,7 @@ NOEXPORT void transfer(CLI *c) {
+
+ /****************************** wait for an event */
+ pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* only attempt to process SSL_has_pending() data once */
+ prev_has_pending=has_pending;
+ has_pending=SSL_has_pending(c->ssl);
+@@ -1265,7 +1265,7 @@ NOEXPORT void transfer(CLI *c) {
+ s_log(LOG_ERR,
+ "please report the problem to [email protected]");
+ stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+ SSL_get_version(c->ssl),
+ SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+--- a/src/common.h
++++ b/src/common.h
+@@ -467,7 +467,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -514,7 +514,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ /* not defined in public headers before OpenSSL 0.9.8 */
+ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+ #endif /* !defined(OPENSSL_NO_COMP) */
+-#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/store.h>
+ #include <openssl/storeerr.h>
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -46,7 +46,7 @@
+
+ SERVICE_OPTIONS *current_section=NULL;
+
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* try an empty passphrase first */
+ static char cached_passwd[PEM_BUFSIZE]="";
+ static int cached_len=0;
+@@ -90,7 +90,7 @@ NOEXPORT unsigned psk_server_callback(SSL *, const char *,
+ unsigned char *, unsigned);
+ #endif /* !defined(OPENSSL_NO_PSK) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int load_objects(SERVICE_OPTIONS *, int, int);
+ NOEXPORT int load_objects_from_store(SSL_CTX *, const char *, int, int);
+ #else /* OpenSSL 1.1.1 or later */
+@@ -111,7 +111,7 @@ NOEXPORT int load_key_engine(SERVICE_OPTIONS *);
+ NOEXPORT int ui_retry(void);
+
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+ const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -126,7 +126,7 @@ NOEXPORT int ssl_tlsext_ticket_key_cb(SSL *, unsigned char
*,
+ NOEXPORT int sess_new_cb(SSL *, SSL_SESSION *);
+ NOEXPORT void new_chain(CLI *);
+ NOEXPORT void session_cache_save(CLI *, SSL_SESSION *);
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *);
+ #endif
+ NOEXPORT SSL_SESSION *sess_get_cb(SSL *,
+@@ -155,7 +155,7 @@ NOEXPORT char *get_tls13_cipher_list(STACK_OF(SSL_CIPHER)
*);
+
+ /**************************************** initialize section->ctx */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef long unsigned SSL_OPTIONS_TYPE;
+ #else
+ typedef long SSL_OPTIONS_TYPE;
+@@ -208,7 +208,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS
context */
+ }
+ current_section=section; /* setup current section for callbacks */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* set the security level */
+ if(section->security_level>=0) {
+ /* set the user-specified value */
+@@ -309,7 +309,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS
context */
+ #endif
+
+ /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+ decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -608,7 +608,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CONF_CTX *cctx;
+ NAME_LIST *curr;
+ char *cmd, *param;
+@@ -713,7 +713,7 @@ NOEXPORT int auth_init(SERVICE_OPTIONS *section) {
+ key_needed=load_key_engine(section);
+ }
+ #endif
+-#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if(load_objects(section, cert_needed, key_needed))
+ return 1; /* FAILED */
+ #else /* OpenSSL 1.1.1 or later */
+@@ -840,7 +840,7 @@ PSK_KEYS *psk_find(const PSK_TABLE *table, const char
*identity) {
+
+ #endif /* !defined(OPENSSL_NO_PSK) */
+
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ NOEXPORT int pkcs12_extension(const char *filename) {
+ const char *ext=strrchr(filename, '.');
+@@ -1121,7 +1121,7 @@ NOEXPORT int load_key_engine(SERVICE_OPTIONS *section) {
+
+ #endif /* !defined(OPENSSL_NO_ENGINE) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ NOEXPORT int load_objects(SERVICE_OPTIONS *section, int cert_needed, int
key_needed) {
+
+@@ -1374,7 +1374,7 @@ NOEXPORT int ui_retry(void) {
+
+ /**************************************** session tickets */
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ typedef struct {
+ void *session_authenticated;
+@@ -1655,7 +1655,7 @@ NOEXPORT void session_cache_save(CLI *c, SSL_SESSION
*sess) {
+ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SESSION]);
+ }
+
+-#if OPENSSL_VERSION_NUMBER<0x10101000L
++#if OPENSSL_VERSION_NUMBER<0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) {
+ int der_len;
+ unsigned char *der_data;
+@@ -1884,7 +1884,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
int ret) {
+ CLI *c;
+ SSL_CTX *ctx;
+ const char *state_string;
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+ int state=SSL_get_state((SSL *)ssl);
+@@ -1933,7 +1933,10 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
int ret) {
+ if(state==TLS_ST_SR_CLNT_HELLO) {
+ #else
+ if(state==SSL3_ST_SR_CLNT_HELLO_A
+- || state==SSL23_ST_SR_CLNT_HELLO_A) {
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x4000000fL
++ || state==SSL23_ST_SR_CLNT_HELLO_A
++#endif
++ ) {
+ #endif
+ /* client hello received after initial handshake,
+ * this means renegotiation -> mark it */
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -72,7 +72,7 @@ typedef struct servername_list_struct SERVERNAME_LIST;
+ typedef HANDLE THREAD_ID;
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -810,7 +810,7 @@ extern CLI *thread_head;
+
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -38,7 +38,7 @@
+ #include "prototypes.h"
+
+ /* global OpenSSL initialization: compression, engine, entropy */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ #else /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+@@ -48,7 +48,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -108,7 +108,7 @@ int fips_available(void) { /* either FIPS provider or
container is available */
+
+ /* initialize libcrypto before invoking API functions that require it */
+ void crypto_init(void) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_INIT_SETTINGS *conf;
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+ #ifdef USE_WIN32
+@@ -158,7 +158,7 @@ void crypto_init(void) {
+ #endif /* USE_WIN32 */
+
+ /* initialize OpenSSL */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+ path=str_printf("%s\\config\\openssl.cnf", stunnel_dir);
+@@ -241,7 +241,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+ #endif
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp) {
+ #else /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+@@ -255,7 +255,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ (char *)argp);
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
+ sslerror("CRYPTO_set_ex_data");
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ return 1; /* success */
+ #endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ }
+@@ -263,7 +263,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr,
CRYPTO_EX_DATA *ad,
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+--- a/src/sthreads.c
++++ b/src/sthreads.c
+@@ -123,7 +123,7 @@ NOEXPORT void thread_id_init(void) {
+ /**************************************** locking */
+
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_PTHREAD
+
+@@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount,
CRYPTO_RWLOCK *lock) {
+
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret,
CRYPTO_RWLOCK *lock) {
+
+ NOEXPORT void locking_init(void) {
+ size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+ size_t num;
+
+ /* initialize the OpenSSL static locking */
+--- a/src/str.c
++++ b/src/str.c
+@@ -98,7 +98,7 @@ NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
+ *leak_results[LEAK_TABLE_SIZE];
+ NOEXPORT int leak_result_num=0;
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ DEFINE_STACK_OF(LEAK_ENTRY)
+ #endif /* OpenSSL version >= 1.1.1 */
+
+@@ -112,7 +112,7 @@ NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char
*, int);
+ NOEXPORT void str_leak_debug(const ALLOC_LIST *, int);
+
+ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *);
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int leak_cmp(const LEAK_ENTRY *const *, const LEAK_ENTRY *const *);
+ #endif /* OpenSSL version >= 1.1.1 */
+ NOEXPORT void leak_report(void);
+@@ -574,7 +574,7 @@ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST
*alloc_list) {
+ void leak_table_utilization(void) {
+ int i, utilization=0;
+ int64_t grand_total=0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ STACK_OF(LEAK_ENTRY) *stats;
+ #endif /* OpenSSL version >= 1.1.1 */
+
+@@ -591,7 +591,7 @@ void leak_table_utilization(void) {
+ s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d (%05.2f%%)",
+ utilization, LEAK_TABLE_SIZE, 100.0*utilization/LEAK_TABLE_SIZE);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* log up to 5 most frequently used heap allocations */
+ stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization);
+ for(i=0; i<LEAK_TABLE_SIZE; ++i)
+@@ -608,7 +608,7 @@ void leak_table_utilization(void) {
+ #endif /* OpenSSL version >= 1.1.1 */
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b)
{
+ int64_t d = (*a)->total - (*b)->total;
+ if(d>0)
+--- a/src/verify.c
++++ b/src/verify.c
+@@ -392,7 +392,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX
*callback_ctx) {
+ cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+ subject=X509_get_subject_name(cert);
+
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
diff --git a/net-misc/stunnel/stunnel-5.74.ebuild
b/net-misc/stunnel/stunnel-5.74.ebuild
new file mode 100644
index 0000000..44a9a6f
--- /dev/null
+++ b/net-misc/stunnel/stunnel-5.74.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+inherit autotools python-any-r1 ssl-cert systemd tmpfiles
+
+DESCRIPTION="TLS/SSL - Port Wrapper"
+HOMEPAGE="https://www.stunnel.org/index.html";
+SRC_URI="
+ https://www.stunnel.org/downloads/${P}.tar.gz
+ https://www.stunnel.org/stunnel/archive/${PV%%.*}.x/${P}.tar.gz
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86
~amd64-linux ~x86-linux ~ppc-macos"
+IUSE="selinux stunnel3 systemd tcpd test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/openssl:=
+ tcpd? ( sys-apps/tcp-wrappers )
+ systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="
+ ${DEPEND}
+ acct-user/stunnel
+ acct-group/stunnel
+ selinux? ( sec-policy/selinux-stunnel )
+ stunnel3? ( dev-lang/perl )
+"
+# autoconf-archive for F_S patch
+BDEPEND="
+ dev-build/autoconf-archive
+ test? (
+ ${PYTHON_DEPS}
+ $(python_gen_any_dep
'dev-python/cryptography[${PYTHON_USEDEP}]')
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-5.74-libressl.patch
+ "${FILESDIR}"/${PN}-5.71-dont-clobber-fortify-source.patch
+ "${FILESDIR}"/${PN}-5.71-respect-EPYTHON-for-tests.patch
+)
+
+python_check_deps() {
+ python_has_version "dev-python/cryptography[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ # Hack away generation of certificate
+ sed -i -e "s/^install-data-local:/do-not-run-this:/" \
+ tools/Makefile.am || die "sed failed"
+
+ echo "CONFIG_PROTECT=\"/etc/stunnel/stunnel.conf\"" > "${T}"/20stunnel
|| die
+
+ # We pass --disable-fips to configure, so avoid spurious test failures
+ rm tests/plugins/p10_fips.py tests/plugins/p11_fips_cipher.py || die
+
+ # Needed for FORTIFY_SOURCE patch
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --libdir="${EPREFIX}/usr/$(get_libdir)"
+ --with-ssl="${EPREFIX}"/usr
+ --disable-fips
+ $(use_enable tcpd libwrap)
+ $(use_enable systemd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ rm -rf "${ED}"/usr/share/doc/${PN} || die
+ rm -f "${ED}"/etc/stunnel/stunnel.conf-sample \
+ "${ED}"/usr/share/man/man8/stunnel.{fr,pl}.8 || die
+
+ if ! use stunnel3 ; then
+ rm -f "${ED}"/usr/bin/stunnel3 || die
+ fi
+
+ dodoc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
+ docinto html
+ dodoc doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \
+ tools/importCA.html
+
+ insinto /etc/stunnel
+ doins "${FILESDIR}"/stunnel.conf
+ newinitd "${FILESDIR}"/stunnel-r2 stunnel
+
+ doenvd "${T}"/20stunnel
+
+ systemd_dounit "${S}/tools/stunnel.service"
+ newtmpfiles "${FILESDIR}"/stunnel.tmpfiles.conf stunnel.conf
+
+ find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ if [[ ! -f "${EROOT}"/etc/stunnel/stunnel.key ]]; then
+ install_cert /etc/stunnel/stunnel
+ chown stunnel:stunnel
"${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+ chmod 0640 "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+ fi
+
+ tmpfiles_process stunnel.conf
+
+ einfo "If you want to run multiple instances of stunnel, create a new
config"
+ einfo "file ending with .conf in /etc/stunnel/. **Make sure** you
change "
+ einfo "\'pid= \' with a unique filename. For openrc make a symlink
from the"
+ einfo "stunnel init script to \'stunnel.name\' and use that to
start|stop"
+ einfo "your custom instance"
+}
diff --git a/net-misc/stunnel/stunnel-5.75.ebuild
b/net-misc/stunnel/stunnel-5.75.ebuild
new file mode 100644
index 0000000..0de4c20
--- /dev/null
+++ b/net-misc/stunnel/stunnel-5.75.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+inherit autotools python-any-r1 ssl-cert systemd tmpfiles
+
+DESCRIPTION="TLS/SSL - Port Wrapper"
+HOMEPAGE="https://www.stunnel.org/index.html";
+SRC_URI="
+ https://www.stunnel.org/downloads/${P}.tar.gz
+ https://www.stunnel.org/stunnel/archive/${PV%%.*}.x/${P}.tar.gz
+"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~mips ppc ppc64 ~s390 ~sparc x86
~amd64-linux ~x86-linux ~ppc-macos"
+IUSE="selinux stunnel3 systemd tcpd test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/openssl:=
+ tcpd? ( sys-apps/tcp-wrappers )
+ systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="
+ ${DEPEND}
+ acct-user/stunnel
+ acct-group/stunnel
+ selinux? ( sec-policy/selinux-stunnel )
+ stunnel3? ( dev-lang/perl )
+"
+# autoconf-archive for F_S patch
+BDEPEND="
+ dev-build/autoconf-archive
+ test? (
+ ${PYTHON_DEPS}
+ $(python_gen_any_dep
'dev-python/cryptography[${PYTHON_USEDEP}]')
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-5.75-libressl.patch
+ "${FILESDIR}"/${PN}-5.71-dont-clobber-fortify-source.patch
+ "${FILESDIR}"/${PN}-5.71-respect-EPYTHON-for-tests.patch
+)
+
+python_check_deps() {
+ python_has_version "dev-python/cryptography[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ # Hack away generation of certificate
+ sed -i -e "s/^install-data-local:/do-not-run-this:/" \
+ tools/Makefile.am || die "sed failed"
+
+ echo "CONFIG_PROTECT=\"/etc/stunnel/stunnel.conf\"" > "${T}"/20stunnel
|| die
+
+ # We pass --disable-fips to configure, so avoid spurious test failures
+ rm tests/plugins/p10_fips.py tests/plugins/p11_fips_cipher.py || die
+
+ # Needed for FORTIFY_SOURCE patch
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --libdir="${EPREFIX}/usr/$(get_libdir)"
+ --with-ssl="${EPREFIX}"/usr
+ --disable-fips
+ $(use_enable tcpd libwrap)
+ $(use_enable systemd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ rm -rf "${ED}"/usr/share/doc/${PN} || die
+ rm -f "${ED}"/etc/stunnel/stunnel.conf-sample \
+ "${ED}"/usr/share/man/man8/stunnel.{fr,pl}.8 || die
+
+ if ! use stunnel3 ; then
+ rm -f "${ED}"/usr/bin/stunnel3 || die
+ fi
+
+ dodoc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
+ docinto html
+ dodoc doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \
+ tools/importCA.html
+
+ insinto /etc/stunnel
+ doins "${FILESDIR}"/stunnel.conf
+ newinitd "${FILESDIR}"/stunnel-r2 stunnel
+
+ doenvd "${T}"/20stunnel
+
+ systemd_dounit "${S}/tools/stunnel.service"
+ newtmpfiles "${FILESDIR}"/stunnel.tmpfiles.conf stunnel.conf
+
+ find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ if [[ ! -f "${EROOT}"/etc/stunnel/stunnel.key ]]; then
+ install_cert /etc/stunnel/stunnel
+ chown stunnel:stunnel
"${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+ chmod 0640 "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+ fi
+
+ tmpfiles_process stunnel.conf
+
+ einfo "If you want to run multiple instances of stunnel, create a new
config"
+ einfo "file ending with .conf in /etc/stunnel/. **Make sure** you
change "
+ einfo "\'pid= \' with a unique filename. For openrc make a symlink
from the"
+ einfo "stunnel init script to \'stunnel.name\' and use that to
start|stop"
+ einfo "your custom instance"
+}
