I'm attaching two patches: a) patch-src_ssl__sock.c - it makes it possible to build HAProxy against LibreSSL 2.5.1 at all, b) patch-include_proto_openssl-compat.h - since the "auto" ECDHE API doesn't work out of the box, this patch is also needed
They are against the latest 20170209 snapshot. Please consider merging a) to stable branches. -- ______________________________________ / The things that interest people most \ \ are usually none of their business. / -------------------------------------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || ||
--- include/proto/openssl-compat.h.orig	2017-02-10 12:38:04 UTC
+++ include/proto/openssl-compat.h
@@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
 #endif
 /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if !defined(LIBRESSL_VERSION_NUMBER) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
 #undef SSL_CTX_set_ecdh_auto
 #define SSL_CTX_set_ecdh_auto(ctx, onoff)
 #endif
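Review bot: The comment above the changed `#if` still says only "does nothing in 1.1.0 and doesn't exist in boringssl", so nothing explains why LibreSSL is now carved out of a test that LibreSSL appears to satisfy (it defines OPENSSL_VERSION_NUMBER as 0x20000000L for every release), and a later cleanup could easily reinstate the old condition. The failure mode is silent: when this block is entered, SSL_CTX_set_ecdh_auto() becomes an empty macro and the ECDHE curve selection haproxy asks for is dropped with no build or runtime error, which is presumably what the cover letter means by the "auto" ECDHE API not working on LibreSSL. I would extend the comment to: `/* This function does nothing in 1.1.0 and doesn't exist in boringssl. LibreSSL reports an OPENSSL_VERSION_NUMBER above 1.1.0 but still needs the real SSL_CTX_set_ecdh_auto(); stubbing it there would silently disable ECDHE curve selection. */`.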
--- src/ssl_sock.c.orig	2017-02-08 18:08:38 UTC
+++ src/ssl_sock.c
@@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 	ocsp = NULL;
 #ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-	*cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
 #endif
-	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+	*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+#endif
+	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
 	if (!callback) {
 		struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
@@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 	int key_type;
 	EVP_PKEY *pkey;
-#ifdef SSL_CTX_get_tlsext_status_arg
-	SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
+	SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
 #else
-	cb_arg = ctx->tlsext_status_arg;
+	cb_arg = ctx->tlsext_status_arg;
 #endif
 	/*
@@ -1842,7 +1848,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX
 /* The following code is used for loading multiple crt files into
  * SSL_CTX's based on CN/SAN
  */
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined LIBRESSL_VERSION_NUMBER)
 /* This is used to preload the certifcate, private key
  * and Cert Chain of a file passed in via the crt
  * argument
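Review bot: The fallback macro in the first hunk assigns the return value of SSL_CTX_ctrl() to `*cb`, but as I read OpenSSL's handling of SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB the ctrl already stores the callback through its pointer argument and returns a status of 1, so the assignment immediately overwrites the fetched callback with that status (an integer stored into a function pointer, which most compilers will at least warn about). `callback` then reads as non-NULL even when no OCSP status callback was registered, the `if (!callback)` branch that installs haproxy's own callback is skipped, and the argument-pointer ctrl further down runs on a context that may never have had one. OpenSSL's own definition is the bare call, so the macro should read `#define SSL_CTX_get_tlsext_status_cb(ctx, cb) SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)`, with `callback` initialised to NULL and the ctrl result checked so a library that rejects the opcode is detected rather than mistaken for "no callback". Hard-coding 128 here (and 129 in the next hunk) under a plain `#ifndef` also assumes the library dispatches those numbers exactly as OpenSSL does; that is worth confirming against LibreSSL 2.5.1 or restricting with `defined(LIBRESSL_VERSION_NUMBER)`. ssl_sock_load_ocsp() starts and ends outside the hunk.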
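Review bot: In the second hunk the result of `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)` is still ignored, and the new condition now routes every LibreSSL build through it, including builds that may not recognise the hard-coded opcode 129; if the ctrl returns 0, `cb_arg` keeps whatever value it held before the call (its declaration is outside the hunk) and the code below treats it as a valid struct ocsp_cbk_arg. I would write `if (SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg) != 1 || !cb_arg)` and take the function's existing error return there. The `-`/`+` pair on `cb_arg = ctx->tlsext_status_arg;` is whitespace-only and unrelated; dropping it keeps the change minimal for the stable backport the cover letter asks for.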
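Review bot: The third hunk (`@@ -1842`) only wraps the condition in parentheses and drops the ones around LIBRESSL_VERSION_NUMBER; it is a semantic no-op and has nothing to do with building on LibreSSL. It should be left out of a patch proposed for stable branches, and if the aim is to match the style of the guard at `@@ -6978` that belongs in a separate cleanup commit.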
@@ -3789,7 +3795,7 @@ int ssl_sock_handshake(struct connection
 	conn->err_code = CO_ER_SSL_HANDSHAKE;
 #else
 	int empty_handshake;
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 	OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
 	empty_handshake = state == TLS_ST_BEFORE;
 #else
@@ -3867,7 +3873,7 @@ int ssl_sock_handshake(struct connection
 	conn->err_code = CO_ER_SSL_HANDSHAKE;
 #else
 	int empty_handshake;
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 	OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
 	empty_handshake = state == TLS_ST_BEFORE;
 #else
@@ -6978,7 +6984,7 @@ static struct xprt_ops ssl_sock = {
 	.name = "SSL",
 };
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
 static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
 {
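Review bot: Dropping `!defined(LIBRESSL_VERSION_NUMBER)` from the `>= 0x1010000fL` test at `@@ -3789` (and identically at `@@ -3867`) leaves a guard based only on OPENSSL_VERSION_NUMBER, which LibreSSL defines as 0x20000000L for every release, so all LibreSSL versions now take the OSSL_HANDSHAKE_STATE / SSL_get_state() / TLS_ST_BEFORE path, not just the 2.5.1 the cover letter targets. If those names appeared in LibreSSL only recently (I have not checked older headers), builds against earlier LibreSSL releases now fail here instead of using the fallback branch that follows. Gate on the LibreSSL version explicitly, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2050100fL)`, with the threshold confirmed against the first LibreSSL that provides TLS_ST_BEFORE. The same applies to the guard at `@@ -6978`, which now compiles the SCT custom-extension code for every LibreSSL release; the ssl_sock_sctl_free_func() it opens continues past the hunk, and ssl_sock_handshake() starts and ends outside the first two hunks.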