Thanks for the feedback. Could you keep me in CC? I'm not subscribed to the 
list.

> I don't understand much, your e-mail talks about openssl and you're changing
> a line affecting boringssl. You need to provide a bit of description about
> what your patch does and tries to solve, that we'll use as the commit message.

Those lines affect BoringSSL and any OpenSSL-like library with 
OPENSSL_VERSION_NUMBER >= 0x1010000fL. LibreSSL has OPENSSL_VERSION_NUMBER >= 
0x1010000fL but version 2.5.1 actually has SSL_CTX_set_ecdh_auto(), so it needs 
to be excluded from the check.

> Here this 128 looks a bit magic and will very likely break sooner or
> later, so if this is an internal value used by libressl, it's better
> to mention it next to it.

> Same here.

It's taken from 
https://git.openssl.org/?p=openssl.git;a=blob;f=include/openssl/ssl.h;h=f2b6198972736676c39de3799d0901f9ccd467ae;hb=refs/heads/master
Haproxy uses macros defined in OpenSSL, but not defined in LibreSSL (although 
the functions themselves work). This patch defines those values.
       
> Be careful not to introduce useless space changes in your patch like this.
       
Corrected in the new patch (attached).

-- 
 _______________________________________ 
/ What scoundrel stole the cork from my \
| lunch?                                |
|                                       |
\ -- J. D. Farley                       /
 --------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
--- src/ssl_sock.c.orig	2017-02-08 18:08:38 UTC
+++ src/ssl_sock.c
@@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 		ocsp = NULL;
 
 #ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-	*cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
 #endif
-	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+        *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+#endif
+        SSL_CTX_get_tlsext_status_cb(ctx, &callback);
 
 	if (!callback) {
 		struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
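Review bot: the replacement macro body `*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)` passes `cb` to the ctrl as the output pointer and then overwrites `*cb` with the ctrl's return value (a `long` status, not a function pointer), so after `SSL_CTX_get_tlsext_status_cb(ctx, &callback);` the `if (!callback)` test runs on the ctrl's status instead of on the callback that was just fetched; drop the `*cb =` assignment and let the `SSL_CTX_ctrl(...)` call be the whole macro body, which is also what the removed `*cb = (void (*) (void))ctx->tlsext_status_cb;` stored. The `128` still carries no comment saying which OpenSSL value it mirrors, which the earlier review asked for. The re-added `SSL_CTX_get_tlsext_status_cb(ctx, &callback);` line only changes its leading tab to spaces (and the new macro line is space-indented where the file uses tabs), which is the kind of whitespace-only change the review asked to avoid.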
@@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 		int key_type;
 		EVP_PKEY *pkey;
 
-#ifdef SSL_CTX_get_tlsext_status_arg
-		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >= 0x2050100fL)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
+ 		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
 #else
		cb_arg = ctx->tlsext_status_arg;
 #endif
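Review bot: `#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >= 0x2050100fL)` evaluates `LIBRESSL_VERSION_NUMBER` on OpenSSL and BoringSSL builds where that macro is never defined; the preprocessor substitutes 0 so it happens to work, but it warns under `-Wundef` and hides the fact that the second branch is LibreSSL-only, so write it as `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2050100fL)`. The re-added `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);` line gained a leading space before its tabs, another whitespace-only change to an otherwise identical line. `129` needs the same comment as `128` explaining which OpenSSL constant it copies, and the two fallbacks are not consistent with each other: this hunk gates the ctrl on the LibreSSL version, while the first hunk issues ctrl 128 for every library that lacks `SSL_CTX_get_tlsext_status_cb`, so it is worth stating in the commit message which libraries each path is meant for.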

Attachment: signature.asc
Description: PGP signature
