Hi, I tested the following patch on LibreSSL-2.7.5, 2.8.3, 2.9.1
thanks! Ilya Shipitcin
From 12c3a7b0eac4bab73864869bf8fcb365c9ba06ef Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin <[email protected]> Date: Sun, 28 Apr 2019 00:00:16 +0500 Subject: [PATCH] BUILD: add defines to support LibreSSL tested on LibreSSL-2.7.5, 2.8.3, 2.9.1 --- include/proto/openssl-compat.h | 2 +- include/proto/ssl_sock.h | 2 +- src/cli.c | 2 +- src/ssl_sock.c | 44 +++++++++++++++++----------------- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h index ffee2e40..47d7bbd2 100644 --- a/include/proto/openssl-compat.h +++ b/include/proto/openssl-compat.h @@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha } #endif -#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) +#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL) /* * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL */ diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h index ce52fb74..586ebb90 100644 --- a/include/proto/ssl_sock.h +++ b/include/proto/ssl_sock.h @@ -85,7 +85,7 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_co int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf); unsigned int ssl_sock_generated_cert_key(const void *data, size_t len); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) void ssl_async_fd_handler(int fd); void ssl_async_fd_free(int fd); #endif diff --git a/src/cli.c b/src/cli.c index 9581369c..508d70e9 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx) (fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" : (fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" : #ifdef USE_OPENSSL -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" : (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" : #endif diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 015943ee..e2b98a0b 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -57,7 +57,7 @@ #include <openssl/engine.h> #endif -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) #include <openssl/async.h> #endif @@ -573,7 +573,7 @@ fail_get: } #endif -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* * openssl async fd handler */ @@ -2295,7 +2295,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) SSL_set_SSL_CTX(ssl, ctx); } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) +#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER) static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) { @@ -4027,7 +4027,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) SSL_CTX_set_options(ctx, options); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) if (global_ssl.async) mode |= SSL_MODE_ASYNC; #endif @@ -4039,7 +4039,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) #ifdef OPENSSL_IS_BORINGSSL SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) if (bind_conf->ssl_conf.early_data) { SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); @@ -4815,7 +4815,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) options |= SSL_OP_NO_TICKET; SSL_CTX_set_options(ctx, options); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) if (global_ssl.async) mode |= SSL_MODE_ASYNC; #endif @@ -5368,7 +5368,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) if (!conn->xprt_ctx) goto out_error; -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER) /* * Check if we have early data. If we do, we have to read them * before SSL_do_handshake() is called, And there's no way to @@ -5425,7 +5425,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) fd_cant_recv(conn->handle.fd); return 0; } -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) else if (ret == SSL_ERROR_WANT_ASYNC) { ssl_async_process_fds(conn, ctx->ssl); return 0; @@ -5444,7 +5444,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl); empty_handshake = state == TLS_ST_BEFORE; #else - empty_handshake = !ctx->ssl->packet_length; + empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE; #endif if (empty_handshake) { if (!errno) { @@ -5509,7 +5509,7 @@ check_error: fd_cant_recv(conn->handle.fd); return 0; } -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) else if (ret == SSL_ERROR_WANT_ASYNC) { ssl_async_process_fds(conn, ctx->ssl); return 0; @@ -5528,7 +5528,7 @@ check_error: OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl); empty_handshake = state == TLS_ST_BEFORE; #else - empty_handshake = !ctx->ssl->packet_length; + empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE; #endif if (empty_handshake) { if (!errno) { @@ -5568,7 +5568,7 @@ check_error: goto out_error; } } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) else { /* * If the server refused the early data, we have to send a @@ -5587,7 +5587,7 @@ check_error: reneg_ok: -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* ASYNC engine API doesn't support moving read/write * buffers. So we disable ASYNC mode right after * the handshake to avoid buffer oveflows. @@ -5696,7 +5696,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu continue; } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) if (conn->flags & CO_FL_EARLY_SSL_HS) { size_t read_length; @@ -5748,7 +5748,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu /* handshake is running, and it needs to enable write */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_send(conn); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5760,7 +5760,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu /* handshake is running, and it may need to re-enable read */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_recv(conn); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5837,7 +5837,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s * in which case we accept to do it once again. */ while (count) { -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER) size_t written_data; #endif @@ -5858,7 +5858,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED; } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER) if (!SSL_is_init_finished(ctx->ssl)) { unsigned int max_early; @@ -5913,7 +5913,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s /* handshake is running, and it may need to re-enable write */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_send(conn); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5928,7 +5928,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s /* handshake is running, and it needs to enable read */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_recv(conn); -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5956,7 +5956,7 @@ static void ssl_sock_close(struct connection *conn, void *xprt_ctx) { struct ssl_sock_ctx *ctx = xprt_ctx; if (ctx) { -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) if (global_ssl.async) { OSSL_ASYNC_FD all_fd[32], afd; size_t num_all_fds = 0; @@ -8766,7 +8766,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox struct proxy *defpx, const char *file, int line, char **err) { -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) global_ssl.async = 1; global.ssl_used_async_engines = nb_engines; return 0; -- 2.20.1
