Please try the corrected patches. Before, Haproxy was kind of unstable; now it seems to work fine. I also changed the tests for "defined LIBRESSL_VERSION_NUMBER" to tests against the LibreSSL version number, to keep the older versions working.
On 17-02-10 13:48:20, Piotr Kubaj wrote:
> I'm attaching two patches:
> a) patch-src_ssl__sock.c - it makes it possible to build Haproxy against
> LibreSSL 2.5.1 at all,
> b) patch-include_proto_openssl-compat.h - since "auto" ECDHE API doesn't work
> OOTB, this patch is also needed
>
> They are against the latest 20170209 snapshot. Please consider merging a) to
> stable branches.
>
> --
> ______________________________________
> / The things that interest people most \
> \ are usually none of their business. /
> --------------------------------------
> \ ^__^
> \ (oo)\_______
> (__)\ )\/\
> ||----w |
> || ||
> --- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
> +++ include/proto/openssl-compat.h
> @@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
> #endif
>
> /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
> -#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> +#if !defined(LIBRESSL_VERSION_NUMBER) && (defined(OPENSSL_IS_BORINGSSL) ||
> (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
> #undef SSL_CTX_set_ecdh_auto
> #define SSL_CTX_set_ecdh_auto(ctx, onoff)
> #endif
> --- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
> +++ src/ssl_sock.c
> @@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> ocsp = NULL;
>
> #ifndef SSL_CTX_get_tlsext_status_cb
> -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> - *cb = (void (*) (void))ctx->tlsext_status_cb;
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> #endif
> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void
> (**)(void))cb)
> +#endif
> + SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> if (!callback) {
> struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
> @@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> int key_type;
> EVP_PKEY *pkey;
>
> -#ifdef SSL_CTX_get_tlsext_status_arg
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0,
> &cb_arg);
> +#if defined(SSL_CTX_get_tlsext_status_arg) ||
> defined(LIBRESSL_VERSION_NUMBER)
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> +#endif
> + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0,
> &cb_arg);
> #else
> - cb_arg = ctx->tlsext_status_arg;
> + cb_arg = ctx->tlsext_status_arg;
> #endif
>
> /*
> @@ -1842,7 +1848,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX
> /* The following code is used for loading multiple crt files into
> * SSL_CTX's based on CN/SAN
> */
> -#if OPENSSL_VERSION_NUMBER >= 0x1000200fL &&
> !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined
> LIBRESSL_VERSION_NUMBER)
> /* This is used to preload the certifcate, private key
> * and Cert Chain of a file passed in via the crt
> * argument
> @@ -3789,7 +3795,7 @@ int ssl_sock_handshake(struct connection
> conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> int empty_handshake;
> -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&
> !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> OSSL_HANDSHAKE_STATE state =
> SSL_get_state((SSL *)conn->xprt_ctx);
> empty_handshake = state ==
> TLS_ST_BEFORE;
> #else
> @@ -3867,7 +3873,7 @@ int ssl_sock_handshake(struct connection
> conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> int empty_handshake;
> -#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&
> !defined(LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL
> *)conn->xprt_ctx);
> empty_handshake = state == TLS_ST_BEFORE;
> #else
> @@ -6978,7 +6984,7 @@ static struct xprt_ops ssl_sock = {
> .name = "SSL",
> };
>
> -#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT &&
> !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
> +#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT &&
> !defined OPENSSL_IS_BORINGSSL)
>
> static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA
> *ad, int idx, long argl, void *argp)
> {
--
_______________________________________
/ I ain't got no quarrel with them Viet \
| Congs. |
| |
\ -- Muhammad Ali /
---------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
--- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
+++ include/proto/openssl-compat.h
@@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
 #endif
 /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
 #undef SSL_CTX_set_ecdh_auto
 #define SSL_CTX_set_ecdh_auto(ctx, onoff)
 #endif
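Review bot: The new condition `#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) && ...` relies on an undefined LIBRESSL_VERSION_NUMBER being evaluated as 0 inside `#if` on plain OpenSSL and BoringSSL builds; that is standard-conforming but trips `-Wundef` and reads as if the macro were always defined. Spelling the intent out keeps the same truth table: `#if (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2050100fL) && (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))`. The same undefined-as-0 pattern is used in the `@@ -858` hunk of src/ssl_sock.c, where it happens to select the `#else` branch on non-LibreSSL builds. The comment above the block should also record why LibreSSL is split at 2.5.1, e.g. `/* No-op in 1.1.0 and absent in boringssl; LibreSSL >= 2.5.1 keeps the real call */`. It is worth confirming that the real SSL_CTX_set_ecdh_auto on those LibreSSL versions actually enables automatic curve selection, because the stubbed form silently discards the request and the ECDHE curve choice then depends on whatever the library defaults to.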
--- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
+++ src/ssl_sock.c
@@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
ocsp = NULL;
#ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
- *cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
#endif
- SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+#endif
+ SSL_CTX_get_tlsext_status_cb(ctx, &callback);
if (!callback) {
struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
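Review bot: The new macro `*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)` stores the `long` return value of SSL_CTX_ctrl into the callback pointer, so `callback` ends up holding the ctrl's status code (typically 1 on success) rather than the registered callback, and any pointer the ctrl wrote through `cb` is overwritten in the same statement. Because the next line tests `if (!callback)`, a non-zero status makes the code believe a status callback is already installed and skip registering its own, which would leave OCSP stapling silently unconfigured on the affected builds (the rest of ssl_sock_load_ocsp lies outside the hunk, so this follows only from the visible check). OpenSSL's own 1.0.2 form of this macro is the bare ctrl call: `#define SSL_CTX_get_tlsext_status_cb(ctx, cb) SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)`. The same line appears in the earlier quoted revision of this hunk. Hard-coding the ctrl number as 128 here (and 129 in the next hunk) when the library header does not define it means a library that numbers its ctrls differently would typically return 0 and write nothing; preferring the library's own definition and failing the build when it is absent is safer than guessing.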
@@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
int key_type;
EVP_PKEY *pkey;
-#ifdef SSL_CTX_get_tlsext_status_arg
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >= 0x2050100fL)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
+ SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
#else
- cb_arg = ctx->tlsext_status_arg;
+ cb_arg = ctx->tlsext_status_arg;
#endif
/*
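Review bot: The return value of `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);` is still ignored, and this path is now taken on LibreSSL >= 2.5.1 with a ctrl number that may be the locally guessed 129 rather than one the library defines; if the library does not recognise the ctrl it typically returns 0 without writing through `&cb_arg`, and whatever `cb_arg` held before (its declaration is outside the hunk) is then used as the callback argument. A guard such as `if (!SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)) cb_arg = NULL;` keeps the failure visible to the code that follows, assuming that code already tolerates a NULL argument. The `-`/`+` pair for `cb_arg = ctx->tlsext_status_arg;` appears to be a whitespace-only change and could be dropped to keep the patch minimal.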

