I've made a patch to build HAProxy against LibreSSL 2.5.1. It is based on the OpenBSD patch, but OpenBSD still has 1.6.11, so I've made some additions.
On 17-02-03 14:13:09, Piotr Kubaj wrote:
> I've also tried to build 1.8-dev0-20170131, which fails with the same errors.
>
> On 17-02-02 09:38:19, Piotr Kubaj wrote:
> > Hello,
> >
> > I'm trying to build Haproxy 1.7.2 on FreeBSD 11.0 against LibreSSL 2.5.1.
> > I'm building from FreeBSD ports with:
> > DEFAULT_VERSIONS= ssl=libressl-devel
> > in /etc/make.conf.
> >
> > I could build against 2.5.0, but 2.5.1 has hidden more variables in opaque
> > structures. The errors I'm getting are:
> > cc -Iinclude -Iebtree -Wall -O2 -pipe -fPIE -fPIC -fstack-protector
> > -fno-strict-aliasing -DFREEBSD_PORTS -DTPROXY -DCONFIG_HAP_CRYPT
> > -DUSE_GETADDRINFO -DUSE_ZLIB -DENABLE_POLL -DENABLE_KQUEUE
> > -DUSE_CPU_AFFINITY -DUSE_OPENSSL -DUSE_PCRE -I/usr/local/include
> > -DUSE_PCRE_JIT -DCONFIG_HAPROXY_VERSION=\"1.7.2\"
> > -DCONFIG_HAPROXY_DATE=\"2017/01/13\" -c -o ebtree/ebistree.o
> > ebtree/ebistree.c
> > src/shctx.c:660:31: warning: incompatible pointer types passing
> > 'SSL_SESSION *(SSL *, const unsigned char *, int, int *)' (aka 'struct
> > ssl_session_st *(struct ssl_st *, const unsigned char *, int, int *)') to
> > parameter of type
> > 'SSL_SESSION *(*)(struct ssl_st *, unsigned char *, int, int *)' (aka
> > 'struct ssl_session_st *(*)(struct ssl_st *, unsigned char *, int, int *)')
> > [-Wincompatible-pointer-types]
> > SSL_CTX_sess_set_get_cb(ctx, shctx_get_cb);
> > ^~~~~~~~~~~~
> > /usr/local/include/openssl/ssl.h:742:20: note: passing argument to
> > parameter 'get_session_cb' here
> > SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
> > ^
> > src/ssl_sock.c:798:2: error: no member named 'tlsext_status_cb' in 'struct
> > ssl_ctx_st'
> > SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> > ^ ~~~
> > src/ssl_sock.c:796:30: note: expanded from macro
> > 'SSL_CTX_get_tlsext_status_cb'
> > *cb = (void (*) (void))ctx->tlsext_status_cb;
> > ~~~ ^
> > src/ssl_sock.c:827:17: error: no member named 'tlsext_status_arg' in
> > 'struct ssl_ctx_st'
> > cb_arg = ctx->tlsext_status_arg;
> > ~~~ ^
> > src/ssl_sock.c:3540:50: error: no member named 'packet_length' in 'struct
> > ssl_st'
> > empty_handshake = !((SSL
> > *)conn->xprt_ctx)->packet_length;
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~ ^
> > src/ssl_sock.c:3618:48: error: no member named 'packet_length' in 'struct
> > ssl_st'
> > empty_handshake = !((SSL
> > *)conn->xprt_ctx)->packet_length;
> > ~~~~~~~~~~~~~~~~~~~~~~~ ^
> > src/ssl_sock.c:4698:18: warning: passing 'const ASN1_OBJECT **' (aka 'const
> > struct asn1_object_st **') to parameter of type 'ASN1_OBJECT **' (aka
> > 'struct asn1_object_st **') discards qualifiers in nested pointer types
> > [-Wincompatible-pointer-types-discards-qualifiers]
> > X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
> > ^~~~~~~~~~
> > /usr/local/include/openssl/x509.h:760:36: note: passing argument to
> > parameter 'paobj' here
> > void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
> >
> > --
> > _______________________________________
> > / Ed Sullivan will be around as long as \
> > | someone else has talent. |
> > | |
> > \ -- Fred Allen /
> > ---------------------------------------
> > \ ^__^
> > \ (oo)\_______
> > (__)\ )\/\
> > ||----w |
> > || ||
>
>
>
> --
> ______________________________________
> / The ripest fruit falls first. \
> | |
> \ -- William Shakespeare, "Richard II" /
> --------------------------------------
> \ ^__^
> \ (oo)\_______
> (__)\ )\/\
> ||----w |
> || ||
--
__________________________
< Santa Claus is watching! >
--------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
--- src/ssl_sock.c.orig 2017-01-13 09:03:00 UTC
+++ src/ssl_sock.c
@@ -793,7 +793,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
#ifndef SSL_CTX_get_tlsext_status_cb
# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
- *cb = (void (*) (void))ctx->tlsext_status_cb;
+ *cb = SSL_CTX_ctrl(ctx,128,0, (void (**)(void))cb)
#endif
SSL_CTX_get_tlsext_status_cb(ctx, &callback);
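Review bot: The new `SSL_CTX_get_tlsext_status_cb` fallback macro assigns the `long` returned by `SSL_CTX_ctrl()` to `*cb`, so the callback pointer the ctrl call stored through `cb` is immediately overwritten by a status value converted to a function pointer. With the call site `SSL_CTX_get_tlsext_status_cb(ctx, &callback)`, `callback` no longer holds the registered OCSP status callback, and any later test on it (outside this hunk) would misjudge whether stapling is already configured on this context. Drop the assignment and name the request instead of using the literal: `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)`, kept behind an `#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` if the target headers may not define it. The same bare-number problem applies to `129` in the next hunk, where the removed line already spelled it `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG`.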
@@ -821,11 +821,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
int key_type;
EVP_PKEY *pkey;
-#ifdef SSL_CTX_get_tlsext_status_arg
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
-#else
- cb_arg = ctx->tlsext_status_arg;
-#endif
+ SSL_CTX_ctrl(ctx, 129, 0, &cb_arg);
/*
* The following few lines will convert cb_arg from a single ocsp to multi ocsp
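Review bot: The result of `SSL_CTX_ctrl(ctx, 129, 0, &cb_arg)` is ignored, and with the `#ifdef`/`#else` pair removed there is no other path left that sets `cb_arg`. If the linked library does not implement this request, the call presumably returns 0 without writing through the pointer, and the single-to-multi OCSP conversion announced by the comment below would then operate on whatever `cb_arg` held before; its initialisation is outside this hunk. I would test the return, `if (SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg) <= 0)`, and leave through the function's existing error exit rather than continue with an unset argument.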
@@ -3537,7 +3533,7 @@ int ssl_sock_handshake(struct connection
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
#endif
if (empty_handshake) {
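Review bot: `SSL_state(...) == SSL_ST_BEFORE` is an exact comparison, but in the pre-1.1.0 API the state value normally carries the `SSL_ST_ACCEPT` or `SSL_ST_CONNECT` bit together with `SSL_ST_BEFORE`, so this test may never be true and `empty_handshake` would stay 0. That would send every peer that closes without sending a byte down the non-empty path of the `if (empty_handshake)` branch below, which presumably changes how such connections are classified and logged. A mask test matches the old intent more closely, `empty_handshake = (SSL_state((SSL *)conn->xprt_ctx) & SSL_ST_BEFORE) != 0;`, though it still differs from the removed `!packet_length` check once the state machine has advanced, so it needs testing against a silent client. The change also sits in the plain `#else` branch, so it alters behaviour for every library that takes that branch, not only LibreSSL; the identical line in the following hunk (new line 3614) needs the same treatment.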
@@ -3615,7 +3611,7 @@ int ssl_sock_handshake(struct connection
state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
#endif
if (empty_handshake) {
if (!errno) {

