From 1d158ab12dc15ab7afaa00530a5ee31cdb8ba2d8 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 9 May 2019 13:41:45 +0200 Subject: [PATCH] BUILD: ssl: make libressl use its own version numbers LibreSSL causes lots of build issues by pretending to be OpenSSL 2.0.0, and it requires lots of care for each #if added to cover any specific OpenSSL features. This commit addresses the problem by making LibreSSL only advertise the version it forked from (1.0.1g) and by starting to use tests based on its real version to enable features instead of working by exclusion.
---
 include/proto/openssl-compat.h | 14 +++++++++++---
 src/ssl_sock.c | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index b6bf503c1..1f28b52cb 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -14,8 +14,16 @@
 #include
 #endif
-/* This is intended to reflect the ORIGINAL openssl version */
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
+ * systematically breaking when some code is written for a specific version
+ * of OpenSSL. Let's make it appear like what it really is and deal with
+ * extra features with ORs and not with AND NOT.
+ */
+#define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
+#else /* this is for a real OpenSSL or a truly compatible derivative */
 #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+#endif
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
@@ -92,7 +100,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL))
+#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 /*
 * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0
 */
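Review bot: The new test `(HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)` drops the `defined()` guard the removed line had, so on a real OpenSSL build it gives the right answer only because an undefined identifier counts as 0 inside `#if`. That is valid C, but it trips `-Wundef` and hides the intent in a header that decides which TLS compatibility shims get compiled in. Writing it as `#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (!defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL))` gives the same result on both libraries. The `__OPENSSL_110_CONST__` hunk has the same implicit-zero reliance and would read better as `|| (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x2070200fL))`. The shim block this `#if` opens continues outside the hunk.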
@@ -149,7 +157,7 @@ static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
 #define __OPENSSL_110_CONST__ const
 #else
 #define __OPENSSL_110_CONST__
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 795d66999..b2cbd1be8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -9890,7 +9890,7 @@ static void ssl_register_build_options()
 OPENSSL_VERSION_TEXT
 "\nRunning on OpenSSL version : %s%s",
 OpenSSL_version(OPENSSL_VERSION),
- ((HA_OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
+ ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
 #endif
 memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
 #if HA_OPENSSL_VERSION_NUMBER < 0x00907000L
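Review bot: The LibreSSL threshold added to the `__OPENSSL_110_CONST__` test is `0x2070200fL`, while the accessor shims earlier in the same header are gated on `0x2070000fL`, and nothing in the hunk says whether the gap is intended. If it is, a one-line comment above the `#if`, for example `/* LibreSSL: const prototypes from 2.7.2, accessors from 2.7.0 */`, would stop a later cleanup from aligning the two constants. If it is not, one of the two values is a typo and builds against the versions in between would get mismatched prototypes.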
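Review bot: The changed argument now uses raw `OPENSSL_VERSION_NUMBER` while the `#if` a few lines below still uses `HA_OPENSSL_VERSION_NUMBER`, and no comment explains why this one site differs. The reason appears to be that `OpenSSL_version_num()` returns the library's own advertised number, so comparing it with the remapped 1.0.1g value would always report a difference on LibreSSL. A comment such as `/* raw OPENSSL_VERSION_NUMBER on purpose: it must match what OpenSSL_version_num() reports */` would keep a later search-and-replace from undoing the change. If LibreSSL keeps advertising a fixed 2.0.0, as the commit message describes, this check cannot flag a LibreSSL build/runtime mismatch, so its silence should not be read as proof that the running library matches the build. The `memprintf` call and its enclosing `#if` start outside the hunk.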