--- a/src/ssl_sock.c.orig +++ b/src/ssl_sock.c @@ -56,6 +56,15 @@ #include #endif + +#ifdef LIBRESSL_VERSION_NUMBER + +#ifndef OPENSSL_NO_ASYNC +#define OPENSSL_NO_ASYNC +#endif + +#endif + #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #include #endif @@ -1126,8 +1135,11 @@ ocsp = NULL; #ifndef SSL_CTX_get_tlsext_status_cb -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \ - *cb = (void (*) (void))ctx->tlsext_status_cb; +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128 +#endif +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \ + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb) #endif SSL_CTX_get_tlsext_status_cb(ctx, &callback); @@ -1155,7 +1167,10 @@ int key_type; EVP_PKEY *pkey; -#ifdef SSL_CTX_get_tlsext_status_arg +#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER) +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 +#endif SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg); #else cb_arg = ctx->tlsext_status_arg; @@ -2066,7 +2081,7 @@ SSL_set_SSL_CTX(ssl, ctx); } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) { @@ -2208,7 +2223,7 @@ #else cipher = SSL_CIPHER_find(ssl, cipher_suites); #endif - if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) { + if (cipher && SSL_CIPHER_is_ECDSA(cipher)) { has_ecdsa = 1; break; } @@ -2306,7 +2321,7 @@ #ifdef OPENSSL_IS_BORINGSSL if (allow_early) SSL_set_early_data_enabled(ssl, 1); -#else +#elif !defined LIBRESSL_VERSION_NUMBER if (!allow_early) SSL_set_max_early_data(ssl, 0); #endif 
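Review bot: The new SSL_CTX_get_tlsext_status_cb macro assigns the `long` returned by SSL_CTX_ctrl() to `*cb`, so the callback the ctrl just stored through `cb` is immediately overwritten with the ctrl's status code (1 on success), leaving `callback` non-NULL even when no OCSP status callback was ever installed; it is also an integer-to-pointer assignment without a cast, which compilers warn on or reject. Drop the assignment and use the same shape as the library's own macro: `#define SSL_CTX_get_tlsext_status_cb(ctx, cb) SSL_CTX_ctrl((ctx), SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))(cb))`. Because the ctrl number is hard-coded as 128, a library that does not implement it returns 0 and leaves `*cb` untouched, so set `callback = NULL;` before the call (its declaration is above the hunk, so I cannot see whether it is already initialised). The enclosing function starts and ends outside the hunk.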
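Review bot: The SSL_CTX_ctrl() call with the hard-coded SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG value 129 is not checked, and the new `|| defined(LIBRESSL_VERSION_NUMBER)` clause admits every LibreSSL release whether or not it implements that ctrl; when the ctrl is unknown the call returns 0 and `cb_arg` keeps whatever it held before. I would write `cb_arg = NULL;` ahead of the call and `if (!SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg) || !cb_arg)` leading to the function's existing error path, since the declaration of `cb_arg` and its later uses are outside the hunk and presumably dereference it. A version floor on LIBRESSL_VERSION_NUMBER would be safer than accepting all of them.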
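Review bot: `!defined LIBRESSL_VERSION_NUMBER` is written without parentheses while `defined(OPENSSL_IS_BORINGSSL)` in the same expression uses them, and the pair `OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER` is then repeated verbatim in at least seven further hunks of this patch. Defining it once near the top, next to the new OPENSSL_NO_ASYNC block, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)` / `#define HAVE_SSL_CLIENT_HELLO_CB 1` / `#endif`, and testing that one macro at each site would keep a future LibreSSL fix from missing a site, which would silently compile OpenSSL-1.1.1-only code against LibreSSL. A one-line comment that LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, which is why the bare version test cannot be trusted, would explain the exclusion to the next reader. The `#if` opens a block that continues past the hunk.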
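Review bot: `SSL_CIPHER_is_ECDSA()` is, as far as I know, a BoringSSL-only API; OpenSSL 1.1.1 provides `SSL_CIPHER_get_auth_nid()` but no such function, and the `#if` guarding this function (changed earlier in the patch) still admits OpenSSL >= 1.1.1, so the replacement trades a LibreSSL problem for a build failure on OpenSSL unless this tree is only ever built against BoringSSL. Since LibreSSL never compiles this block after the earlier change, either leave the line as it was or use the BoringSSL call only under `#ifdef OPENSSL_IS_BORINGSSL` and keep `SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa` in the `#else`. The enclosing loop and function extend beyond the hunk.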
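Review bot: Under LibreSSL the `#elif` now skips `SSL_set_max_early_data(ssl, 0)`, so the `allow_early` gate has no effect there; that is only acceptable because LibreSSL has no 0-RTT/early-data implementation to switch off, and nothing in the hunk records that assumption. I would annotate the `#elif` line with `/* LibreSSL has no early-data support, so there is nothing to disable here */` so that anyone adding a LibreSSL early-data path later knows the gate must be wired in, otherwise early data would be left at the library default instead of disabled. The enclosing function continues outside the hunk.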
@@ -3798,7 +3813,7 @@ #ifdef OPENSSL_IS_BORINGSSL SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); #else @@ -5052,7 +5067,7 @@ if (!conn->xprt_ctx) goto out_error; -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER /* * Check if we have early data. If we do, we have to read them * before SSL_do_handshake() is called, And there's no way to @@ -5128,7 +5143,7 @@ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); empty_handshake = state == TLS_ST_BEFORE; #else - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; #endif if (empty_handshake) { if (!errno) { @@ -5212,7 +5227,7 @@ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); empty_handshake = state == TLS_ST_BEFORE; #else - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; + empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; #endif if (empty_handshake) { if (!errno) { @@ -5252,7 +5267,7 @@ goto out_error; } } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER else { /* * If the server refused the early data, we have to send a @@ -5375,7 +5390,7 @@ continue; } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER if (conn->flags & CO_FL_EARLY_SSL_HS) { size_t read_length; 
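Review bot: `SSL_state(ssl) == SSL_ST_BEFORE` tests for equality with a single flag bit, but on the pre-1.1.0 state machine SSL_set_accept_state() and SSL_set_connect_state() store `SSL_ST_ACCEPT | SSL_ST_BEFORE` (resp. CONNECT), so the comparison is false even for a connection that never delivered a byte and `empty_handshake` would not be set; the visible effect is diagnostic rather than a crash, since the `if (empty_handshake)` classification below degrades to the generic handshake-error branch. The library's own macro tests the bit instead: `empty_handshake = SSL_in_before((SSL *)conn->xprt_ctx);`, and the same replacement appears again in the -5212 hunk. Whether the state is still BEFORE after a failed SSL_do_handshake() is something I cannot confirm from here, and the removed `packet_length` test measured bytes read rather than state-machine position, so this deserves a check with a client that connects and closes without sending. Both enclosing functions extend beyond their hunks.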
@@ -5531,7 +5546,7 @@ conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER if (!SSL_is_init_finished(conn->xprt_ctx)) { unsigned int max_early;