130 lines
4.3 KiB
Diff
130 lines
4.3 KiB
Diff
diff -ru a/include/proto/openssl-compat.h include/proto/openssl-compat.h
|
|
--- a/include/proto/openssl-compat.h 2019-02-11 08:16:19.000000000 -0500
|
|
+++ include/proto/openssl-compat.h 2019-04-14 11:41:09.820848231 -0400
|
|
@@ -89,7 +89,7 @@
|
|
}
|
|
#endif
|
|
|
|
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) || defined(OPENSSL_IS_BORINGSSL)
|
|
/*
|
|
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
|
|
*/
|
|
@@ -121,7 +121,7 @@
|
|
|
|
#endif
|
|
|
|
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
|
|
/*
|
|
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
|
|
*/
|
|
diff -ru a/src/ssl_sock.c src/ssl_sock.c
|
|
--- a/src/ssl_sock.c 2019-02-11 08:16:19.000000000 -0500
|
|
+++ src/ssl_sock.c 2019-04-14 11:58:25.820742830 -0400
|
|
@@ -56,6 +56,14 @@
|
|
#include <openssl/engine.h>
|
|
#endif
|
|
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ASYNC)
|
|
+#define OPENSSL_NO_ASYNC
|
|
+#endif
|
|
+
|
|
+#if defined(SSL_READ_EARLY_DATA_ERROR) && defined(SSL_READ_EARLY_DATA_SUCCESS)
|
|
+#define HAVE_SSL_READ_EARLY
|
|
+#endif
|
|
+
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
|
#include <openssl/async.h>
|
|
#endif
|
|
@@ -2093,7 +2101,7 @@
|
|
SSL_set_SSL_CTX(ssl, ctx);
|
|
}
|
|
|
|
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
|
|
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
|
|
|
|
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
|
|
{
|
|
@@ -3830,7 +3838,7 @@
|
|
#ifdef OPENSSL_IS_BORINGSSL
|
|
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
|
|
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
|
if (bind_conf->ssl_conf.early_data) {
|
|
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
|
|
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
|
|
@@ -5081,7 +5089,7 @@
|
|
|
|
/* leave init state and start handshake */
|
|
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
|
|
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
|
|
conn->flags |= CO_FL_EARLY_SSL_HS;
|
|
#endif
|
|
|
|
@@ -5111,7 +5119,7 @@
|
|
if (!conn->xprt_ctx)
|
|
goto out_error;
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
+#if HAVE_SSL_READ_EARLY
|
|
/*
|
|
* Check if we have early data. If we do, we have to read them
|
|
* before SSL_do_handshake() is called, And there's no way to
|
|
@@ -5187,7 +5195,7 @@
|
|
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
|
|
empty_handshake = state == TLS_ST_BEFORE;
|
|
#else
|
|
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
|
|
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
|
|
#endif
|
|
if (empty_handshake) {
|
|
if (!errno) {
|
|
@@ -5271,7 +5279,7 @@
|
|
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
|
|
empty_handshake = state == TLS_ST_BEFORE;
|
|
#else
|
|
- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
|
|
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
|
|
#endif
|
|
if (empty_handshake) {
|
|
if (!errno) {
|
|
@@ -5311,7 +5319,7 @@
|
|
goto out_error;
|
|
}
|
|
}
|
|
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+#if HAVE_SSL_READ_EARLY
|
|
else {
|
|
/*
|
|
* If the server refused the early data, we have to send a
|
|
@@ -5434,7 +5442,7 @@
|
|
continue;
|
|
}
|
|
|
|
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+#if HAVE_SSL_READ_EARLY
|
|
if (conn->flags & CO_FL_EARLY_SSL_HS) {
|
|
size_t read_length;
|
|
|
|
@@ -5571,7 +5579,7 @@
|
|
* in which case we accept to do it once again.
|
|
*/
|
|
while (buf->o) {
|
|
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+#if HAVE_SSL_EARLY_DATA
|
|
size_t written_data;
|
|
#endif
|
|
|
|
@@ -5590,7 +5598,7 @@
|
|
conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
|
|
}
|
|
|
|
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+#if HAVE_SSL_EARLY_DATA
|
|
if (!SSL_is_init_finished(conn->xprt_ctx)) {
|
|
unsigned int max_early;
|
|
|