Hi,

I sent this patch a few months ago. Now, here's an updated version for dev3. It
still introduces another warning, but works just fine on FreeBSD 11.1-STABLE and
LibreSSL 2.6.2. Since it only introduces changes for LibreSSL (against which
Haproxy doesn't even build right now), this patch is also fine for OpenSSL
users.

--
_________________________________________ / "I'd love to go out with you, but there \
| are important world issues that need    |
\ worrying about."                        /
----------------------------------------- \ ^__^
        \  (oo)\_______
           (__)\       )\/\
               ||----w |
               ||     ||
--- src/ssl_sock.c.orig 2017-10-22 08:13:45 UTC
+++ src/ssl_sock.c
@@ -56,7 +56,7 @@
 #include <openssl/engine.h>
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
 #include <openssl/async.h>
 #endif
 
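Review bot: The new guard `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)` is pasted verbatim into nine places (this hunk and the ones at L29, L65, L74, L83, L92, L101 and L110), and it mixes the bare `!defined LIBRESSL_VERSION_NUMBER` form with the parenthesised `defined(...)` form used at L57; any drift between the copies would leave `ssl_async_process_fds` defined under one condition and called under another. Define the condition once next to this include block, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)` / `#define SSL_SOCK_HAVE_ASYNC 1` / `#endif` (constructed name), and test `#ifdef SSL_SOCK_HAVE_ASYNC` at each site. A comment at that definition should say why LibreSSL is excluded — presumably it reports an OPENSSL_VERSION_NUMBER that satisfies the 1.1.0 test while not shipping `<openssl/async.h>`, which is inferred from the cover letter rather than visible in the hunk. The configuration code that sets `global_ssl.async` is outside this patch; if it is guarded only by the version number it will now accept the async keyword on LibreSSL builds while the mode is never enabled, so it should share the same guard or emit a warning.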
@@ -362,7 +362,7 @@ fail_get:
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
 /*
  * openssl async fd handler
  */
@@ -1044,8 +1044,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
                ocsp = NULL;
 
 #ifndef SSL_CTX_get_tlsext_status_cb
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
+#endif
 # define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-       *cb = (void (*) (void))ctx->tlsext_status_cb;
+       *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void 
(**)(void))cb)
 #endif
        SSL_CTX_get_tlsext_status_cb(ctx, &callback);
 
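Review bot: The replacement macro at L47 assigns the return value of `SSL_CTX_ctrl()` to `*cb`: the ctrl call stores the callback through its last argument and the assignment then overwrites it with the `long` status (1 on success), so `callback` at L50 ends up holding an integer converted to a function pointer — very likely the extra compiler warning mentioned in the cover letter, and any later `if (callback)` test will see a bogus non-NULL value. Drop the assignment: `# define SSL_CTX_get_tlsext_status_cb(ctx, cb) SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void *)(cb))`, which is the shape of OpenSSL's own definition. The fallback value 128 for `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` matches OpenSSL's header, but if the library's `SSL_CTX_ctrl` does not implement that command it returns without writing `*cb`, so `callback` (declared above the hunk, in ssl_sock_load_ocsp which starts outside it) should be initialised to NULL before the call or the ctrl return checked. The macro line is also wrapped by the mail client across L47–L48; make sure the applied patch keeps it on one line.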
@@ -1073,7 +1076,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
                int key_type;
                EVP_PKEY *pkey;
 
-#ifdef SSL_CTX_get_tlsext_status_arg
+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
                SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, 
&cb_arg);
 #else
                cb_arg = ctx->tlsext_status_arg;
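Review bot: The `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)` call at L61 now runs on every LibreSSL version with a locally supplied command number 129, but its return value is ignored; if the library does not handle that command the call leaves `cb_arg` untouched and the code below the hunk would use whatever `cb_arg` held before. Initialise `cb_arg = NULL;` before the call and, if it is still NULL afterwards, take the same error path the surrounding function already uses for a missing callback (ssl_sock_load_ocsp starts above the hunk, so I cannot see which one). Defining `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` (and `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` at L42–L44) inside a function body is also unusual; hoist both fallback definitions to the include section at the top of the file with a comment noting they mirror OpenSSL's control codes for libraries whose headers lack the accessor macros. Note the hunk's call line is wrapped across L61–L62 by the mail client.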
@@ -3627,7 +3633,7 @@ ssl_sock_initial_ctx(struct bind_conf *b
                options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
        SSL_CTX_set_options(ctx, options);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
        if (global_ssl.async)
                mode |= SSL_MODE_ASYNC;
 #endif
@@ -4125,7 +4131,7 @@ int ssl_sock_prepare_srv_ctx(struct serv
                options |= SSL_OP_NO_TICKET;
        SSL_CTX_set_options(ctx, options);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
        if (global_ssl.async)
                mode |= SSL_MODE_ASYNC;
 #endif
@@ -4638,7 +4644,7 @@ int ssl_sock_handshake(struct connection
                                fd_cant_recv(conn->handle.fd);
                                return 0;
                        }
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
                        else if (ret == SSL_ERROR_WANT_ASYNC) {
                                ssl_async_process_fds(conn, conn->xprt_ctx);
                                return 0;
@@ -4722,7 +4728,7 @@ int ssl_sock_handshake(struct connection
                        fd_cant_recv(conn->handle.fd);
                        return 0;
                }
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
                else if (ret == SSL_ERROR_WANT_ASYNC) {
                        ssl_async_process_fds(conn, conn->xprt_ctx);
                        return 0;
@@ -4784,7 +4790,7 @@ int ssl_sock_handshake(struct connection
 
 reneg_ok:
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
        /* ASYNC engine API doesn't support moving read/write
         * buffers. So we disable ASYNC mode right after
         * the handshake to avoid buffer oveflows.
@@ -4908,7 +4914,7 @@ static int ssl_sock_to_buf(struct connec
                                /* handshake is running, and it needs to enable 
write */
                                conn->flags |= CO_FL_SSL_WAIT_HS;
                                __conn_sock_want_send(conn);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
                                /* Async mode can be re-enabled, because we're 
leaving data state.*/
                                if (global_ssl.async)
                                        SSL_set_mode(conn->xprt_ctx, 
SSL_MODE_ASYNC);

