diff --git a/src/common.h b/src/common.h index f7d38b0..6b81341 100644 --- a/src/common.h +++ b/src/common.h @@ -448,7 +448,7 @@ extern char *sys_errlist[]; #define OPENSSL_NO_TLS1_2 #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) #ifndef OPENSSL_NO_SSL2 #define OPENSSL_NO_SSL2 #endif /* !defined(OPENSSL_NO_SSL2) */ @@ -474,7 +474,7 @@ extern char *sys_errlist[]; #include #ifndef OPENSSL_NO_DH #include -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); #endif /* OpenSSL older than 1.1.0 */ #endif /* !defined(OPENSSL_NO_DH) */ diff --git a/src/ctx.c b/src/ctx.c index 5b282e9..7984f32 100644 --- a/src/ctx.c +++ b/src/ctx.c @@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { /**************************************** initialize OpenSSL CONF */ NOEXPORT int conf_init(SERVICE_OPTIONS *section) { -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) SSL_CONF_CTX *cctx; NAME_LIST *curr; char *cmd, *param; diff --git a/src/options.c b/src/options.c index 6727226..d1bae90 100644 --- a/src/options.c +++ b/src/options.c @@ -1291,7 +1291,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; } -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) /* checkEmail */ switch(cmd) { @@ -1428,7 +1428,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, break; } -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) /* config */ switch(cmd) { @@ -2617,7 +2617,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, /* sslVersion */ switch(cmd) { case CMD_BEGIN: -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) section->client_method=(SSL_METHOD *)TLS_client_method(); section->server_method=(SSL_METHOD *)TLS_server_method(); #else @@ -2629,7 +2629,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, if(strcasecmp(opt, "sslVersion")) break; if(!strcasecmp(arg, "all")) { -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) section->client_method=(SSL_METHOD *)TLS_client_method(); section->server_method=(SSL_METHOD *)TLS_server_method(); #else diff --git a/src/prototypes.h b/src/prototypes.h index 182c764..d57aff2 100644 --- a/src/prototypes.h +++ b/src/prototypes.h @@ -206,7 +206,7 @@ typedef struct service_options_struct { char *ocsp_url; unsigned long ocsp_flags; #endif /* !defined(OPENSSL_NO_OCSP) */ -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */ NAME_LIST *config; /* OpenSSL CONF options */ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ @@ -650,13 +650,13 @@ typedef enum { #endif /* OPENSSL_NO_DH */ STUNNEL_LOCKS /* number of locks */ } LOCK_TYPE; -#if OPENSSL_VERSION_NUMBER < 0x10100004L +#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER) typedef int STUNNEL_RWLOCK; #else typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK; #endif extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER>=0x10100004L +#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type) #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type) #else diff --git a/src/ssl.c b/src/ssl.c index ba30d75..29c423d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *); int index_cli, index_opt, index_redirect, index_addr; int ssl_init(void) { /* init SSL before parsing configuration file */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #else @@ -83,7 +83,7 @@ int ssl_init(void) { /* init SSL before parsing configuration file */ } #ifndef OPENSSL_NO_DH -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0 * to be linked against the older versions */ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { @@ -118,7 +118,7 @@ int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */ if(FIPS_mode()!=global->option.fips) { RAND_set_rand_method(NULL); /* reset RAND methods */ if(!FIPS_mode_set(global->option.fips)) { -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #else ERR_load_crypto_strings(); @@ -177,7 +177,7 @@ NOEXPORT int compression_init(GLOBAL_OPTIONS *global) { if(global->compression==COMP_ZLIB) { /* 224 - within the private range (193 to 255) */ COMP_METHOD *meth=COMP_zlib(); -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) if(!meth || COMP_get_type(meth)==NID_undef) { #else if(!meth || meth->type==NID_undef) { diff --git a/src/sthreads.c b/src/sthreads.c index 4e4e0e9..f61f230 100644 --- a/src/sthreads.c +++ b/src/sthreads.c @@ -45,7 +45,7 @@ STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid() #endif @@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { #ifdef USE_PTHREAD -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) struct CRYPTO_dynlock_value { pthread_rwlock_t rwlock; @@ -263,7 +263,8 @@ unsigned long stunnel_thread_id(void) { #endif } -#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER>=0x10000000L && \ + (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)) NOEXPORT void threadid_func(CRYPTO_THREADID *tid) { CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id()); } @@ -272,7 +273,7 @@ NOEXPORT void threadid_func(CRYPTO_THREADID *tid) { int sthreads_init(void) { int i; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) /* initialize the OpenSSL dynamic locking */ CRYPTO_set_dynlock_create_callback(dyn_create_function); CRYPTO_set_dynlock_lock_callback(dyn_lock_function); @@ -345,7 +346,7 @@ int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { * but it is unsupported on Windows XP (and earlier versions of Windows): * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */ -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) struct CRYPTO_dynlock_value { CRITICAL_SECTION mutex; @@ -398,7 +399,7 @@ unsigned long stunnel_thread_id(void) { int sthreads_init(void) { int i; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) /* initialize the OpenSSL dynamic locking */ CRYPTO_set_dynlock_create_callback(dyn_create_function); CRYPTO_set_dynlock_lock_callback(dyn_lock_function); diff --git a/src/verify.c b/src/verify.c index 9fc0ff9..5c7ff26 100644 --- a/src/verify.c +++ b/src/verify.c @@ -51,7 +51,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *); NOEXPORT int verify_callback(int, X509_STORE_CTX *); NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int); -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ NOEXPORT int cert_check_local(X509_STORE_CTX *); @@ -120,7 +120,7 @@ NOEXPORT int crl_init(SERVICE_OPTIONS *section) { return 1; /* FAILED */ } if(section->crl_dir) { -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* do not cache CRLs (only required with OpenSSL version < 1.0.0) */ store->cache=0; #endif @@ -178,7 +178,7 @@ NOEXPORT void auth_warnings(SERVICE_OPTIONS *section) { if(section->option.verify_peer) /* verify_peer does not depend on PKI */ return; if(section->option.verify_chain) { -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) if(section->check_email || section->check_host || section->check_ip) return; #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ @@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, } if(depth==0) { /* additional peer certificate checks */ -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) if(!cert_check_subject(c, callback_ctx)) return 0; /* reject */ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ @@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, return 1; /* accept */ } -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); NAME_LIST *ptr; @@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { STACK_OF(X509) *sk; int i; #endif -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) X509_OBJECT obj; int success; #endif @@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { subject=X509_get_subject_name(cert); #if OPENSSL_VERSION_NUMBER>=0x10000000L -#if OPENSSL_VERSION_NUMBER<0x10100006L +#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs #endif /* modern API allows retrieving multiple matching certificates */ @@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { } #endif -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* pre-1.0.0 API only returns a single matching certificate */ /* we also invoke it for other OpenSSL versions before 1.1.0 */ memset((char *)&obj, 0, sizeof obj);