Re: Fix building haproxy 1.8.5 with LibreSSL 2.6.4

2018-04-07 Thread Andy Postnikov 
Hi Willy,
Alpine migrating to libressl 2.7 and there new patch added
https://github.com/alpinelinux/aports/commit/d32f982f0bbdfe3b902408920923d1d44ab88471
I did not test yet but this patch at least allowed haproxy to build without
errors

2018-04-06 20:12 GMT+03:00 Willy Tarreau <w...@1wt.eu>:

> Hi Andy,
>
> On Sat, Mar 31, 2018 at 05:43:55PM +0300, Andy Postnikov wrote:
> > I used to rework previous patch from Alpinelinux to build with latest
> > stable libressl
> > But found no way to run tests with openssl which is primary library as I
> see
> > Is it possible to accept the patch upstream or get review on it?
>
> It is probably correct, though I remember that some parts that you changed
> used to be tricky with certain openssl versions, thus I'd like that Emeric
> takes a look before merging this. And possibly Manu who uses BoringSSL,
> which comes with its own set of incompatibilities :-)
>
> CCing them now.
>
> Thanks,
> Willy
>



-- 
*Andy Postnikov*, drupal consultant

dgo.to/@andypost
skype:andypost2005

Fix building haproxy 1.8.5 with LibreSSL 2.6.4

2018-03-31 Thread Andy Postnikov 
I used to rework previous patch from Alpinelinux to build with latest
stable libressl
But found no way to run tests with openssl which is primary library as I see
Is it possible to accept the patch upstream or get review on it?
--- a/src/ssl_sock.c.orig
+++ b/src/ssl_sock.c
@@ -56,6 +56,15 @@
 #include 
 #endif
 
+
+#ifdef LIBRESSL_VERSION_NUMBER
+
+#ifndef OPENSSL_NO_ASYNC
+#define OPENSSL_NO_ASYNC
+#endif
+
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
 #include 
 #endif
@@ -1126,8 +1135,11 @@
 		ocsp = NULL;
 
 #ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-	*cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
+#endif
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+	*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
 #endif
 	SSL_CTX_get_tlsext_status_cb(ctx, );
 
@@ -1155,7 +1167,10 @@
 		int key_type;
 		EVP_PKEY *pkey;
 
-#ifdef SSL_CTX_get_tlsext_status_arg
+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
 		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, _arg);
 #else
 		cb_arg = ctx->tlsext_status_arg;
@@ -2066,7 +2081,7 @@
 	SSL_set_SSL_CTX(ssl, ctx);
 }
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
 
 static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 {
@@ -2208,7 +2223,7 @@
 #else
 			cipher = SSL_CIPHER_find(ssl, cipher_suites);
 #endif
-			if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
+			if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
 has_ecdsa = 1;
 break;
 			}
@@ -2306,7 +2321,7 @@
 #ifdef OPENSSL_IS_BORINGSSL
 	if (allow_early)
 		SSL_set_early_data_enabled(ssl, 1);
-#else
+#elif !defined LIBRESSL_VERSION_NUMBER
 	if (!allow_early)
 		SSL_set_max_early_data(ssl, 0);
 #endif
@@ -3798,7 +3813,7 @@
 #ifdef OPENSSL_IS_BORINGSSL
 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #else
@@ -5052,7 +5067,7 @@
 	if (!conn->xprt_ctx)
 		goto out_error;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER
 	/*
 	 * Check if we have early data. If we do, we have to read them
 	 * before SSL_do_handshake() is called, And there's no way to
@@ -5128,7 +5143,7 @@
 	OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
 	empty_handshake = state == TLS_ST_BEFORE;
 #else
-	empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+	empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
 #endif
 	if (empty_handshake) {
 		if (!errno) {
@@ -5212,7 +5227,7 @@
 OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
 empty_handshake = state == TLS_ST_BEFORE;
 #else
-empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
 #endif
 if (empty_handshake) {
 	if (!errno) {
@@ -5252,7 +5267,7 @@
 			goto out_error;
 		}
 	}
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
 	else {
 		/*
 		 * If the server refused the early data, we have to send a
@@ -5375,7 +5390,7 @@
 			continue;
 		}
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
 		if (conn->flags & CO_FL_EARLY_SSL_HS) {
 			size_t read_length;
 
@@ -5531,7 +5546,7 @@
 			conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
 		}
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
 		if (!SSL_is_init_finished(conn->xprt_ctx)) {
 			unsigned int max_early;