From: Willy Tarreau Date: Thu, 9 May 2019 11:41:45 +0000 (+0200) Subject: BUILD: ssl: make libressl use its own version numbers X-Git-Tag: v2.0-dev3~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d158ab12dc15ab7afaa00530a5ee31cdb8ba2d8;p=thirdparty%2Fhaproxy.git BUILD: ssl: make libressl use its own version numbers LibreSSL causes lots of build issues by pretending to be OpenSSL 2.0.0, and it requires lots of care for each #if added to cover any specific OpenSSL features. This commit addresses the problem by making LibreSSL only advertise the version it forked from (1.0.1g) and by starting to use tests based on its real version to enable features instead of working by exclusion. --- diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h index b6bf503c1c..1f28b52cba 100644 --- a/include/proto/openssl-compat.h +++ b/include/proto/openssl-compat.h @@ -14,8 +14,16 @@ #include #endif -/* This is intended to reflect the ORIGINAL openssl version */ +#if defined(LIBRESSL_VERSION_NUMBER) +/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus + * systematically breaking when some code is written for a specific version + * of OpenSSL. Let's make it appear like what it really is and deal with + * extra features with ORs and not with AND NOT. + */ +#define HA_OPENSSL_VERSION_NUMBER 0x1000107fL +#else /* this is for a real OpenSSL or a truly compatible derivative */ #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER +#endif #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) /* Functions present in OpenSSL 0.9.8, older not tested */ 
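Review bot: Pinning `HA_OPENSSL_VERSION_NUMBER` to `0x1000107fL` for LibreSSL makes every `HA_OPENSSL_VERSION_NUMBER >= ...` test above 1.0.1g evaluate false on LibreSSL builds, so any protocol or hardening feature gated that way is compiled out unless its `#if` gains an explicit LibreSSL term. This diff adjusts only two such sites in this header; the remaining ones in the tree are not visible here and should be audited in the same series, because a missed one is a silent loss of capability and not a build error. I would extend the new comment with the rule for future sites, for example `/* a feature absent from 1.0.1g needs "|| (LIBRESSL_VERSION_NUMBER >= 0x...)" to be enabled on LibreSSL */`.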
@@ -92,7 +100,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha } #endif -#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) +#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL) /* * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0 */ @@ -149,7 +157,7 @@ static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL) #define __OPENSSL_110_CONST__ const #else #define __OPENSSL_110_CONST__ diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 795d66999d..b2cbd1be83 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -9890,7 +9890,7 @@ static void ssl_register_build_options() OPENSSL_VERSION_TEXT "\nRunning on OpenSSL version : %s%s", OpenSSL_version(OPENSSL_VERSION), - ((HA_OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : ""); + ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : ""); #endif memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : " #if HA_OPENSSL_VERSION_NUMBER < 0x00907000L
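Review bot: The rewritten test `(LIBRESSL_VERSION_NUMBER < 0x2070000fL)` is also evaluated on real OpenSSL builds, where the macro is undefined and the result depends on the preprocessor replacing it with 0. That warns under `-Wundef`, fails with `-Werror`, and hides the intent. Writing it as `#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (!defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL))` gives the same result on both libraries. The next hunk (`__OPENSSL_110_CONST__`) has the same bare use and would take `|| (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x2070200fL))`.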
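Review bot: The LibreSSL threshold for `__OPENSSL_110_CONST__` is `0x2070200fL`, while the compat-function block in the previous hunk uses `0x2070000fL`, and nothing in the header says why they differ. For LibreSSL 2.7.0 and 2.7.1 the compat functions are skipped but `__OPENSSL_110_CONST__` stays empty. If that is deliberate, a one-line comment such as `/* LibreSSL made these prototypes const in 2.7.2, later than the 1.1.0 accessors (2.7.0) */` would stop a later "fix" of the mismatch; that wording is my guess at the reason and needs confirming against the LibreSSL headers.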
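Review bot: With the raw `OPENSSL_VERSION_NUMBER` on one side and `OpenSSL_version_num()` on the other, the `(VERSIONS DIFFER!)` marker cannot catch a LibreSSL build/runtime mismatch if LibreSSL reports the same fixed 2.0.0 number in both places, as the commit message implies. Operators read this line to spot a TLS library swapped underneath the binary, so the limitation deserves a comment above the expression, e.g. `/* on LibreSSL both values are the fixed OpenSSL number; only the version strings above reveal a mismatch */`. `ssl_register_build_options()` starts and ends outside the hunk.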