BUILD: ssl: make libressl use its own version numbers

LibreSSL causes lots of build issues by pretending to be OpenSSL 2.0.0,
and it requires lots of care for each #if added to cover any specific
OpenSSL features.

This commit addresses the problem by making LibreSSL only advertise the
version it forked from (1.0.1g) and by starting to use tests based on
its real version to enable features instead of working by exclusion.

diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index b6bf503c1c1934e976955cd2bc3933af4cfe50c5..1f28b52cbaf4dfc3ed987106e11f025849636107 100644 (file)
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -14,8 +14,16 @@
 #include <openssl/dh.h>
 #endif
 
-/* This is intended to reflect the ORIGINAL openssl version */
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
+ * systematically breaking when some code is written for a specific version
+ * of OpenSSL. Let's make it appear like what it really is and deal with
+ * extra features with ORs and not with AND NOT.
+ */
+#define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
+#else /* this is for a real OpenSSL or a truly compatible derivative */
 #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+#endif
 
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
@@ -92,7 +100,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
 
-#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL))
+#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 /*
  * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0
  */
@@ -149,7 +157,7 @@ static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
 
 #endif
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
 #define __OPENSSL_110_CONST__ const
 #else
 #define __OPENSSL_110_CONST__

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 795d66999d7aad511c7c7fdde17417cae63deb71..b2cbd1be8363657b37117dde91fab691aa093fc3 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -9890,7 +9890,7 @@ static void ssl_register_build_options()
                OPENSSL_VERSION_TEXT
                "\nRunning on OpenSSL version : %s%s",
               OpenSSL_version(OPENSSL_VERSION),
-              ((HA_OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
+              ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
 #endif
        memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
 #if HA_OPENSSL_VERSION_NUMBER < 0x00907000L