--- httpd-2.4.26/modules/ssl/mod_ssl.c +++ httpd-2.4.26.libressl/modules/ssl/mod_ssl.c @@ -337,12 +337,12 @@ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_cleanup(); #endif -#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP) SSL_COMP_free_compression_methods(); #endif /* Usually needed per thread, but this parent process is single-threaded */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #if OPENSSL_VERSION_NUMBER >= 0x1000000fL ERR_remove_thread_state(NULL); #else @@ -383,14 +383,14 @@ /* Some OpenSSL internals are allocated per-thread, make sure they * are associated to the/our same thread-id until cleaned up. */ -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L +#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ssl_util_thread_id_setup(pconf); #endif /* We must register the library in full, to ensure our configuration * code can successfully test the SSL environment. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_malloc_init(); #else OPENSSL_malloc_init(); --- httpd-2.4.26/modules/ssl/ssl_engine_init.c +++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_init.c @@ -47,7 +47,7 @@ #define KEYTYPES "RSA or DSA" #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL Pre-1.1.0 compatibility */ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) @@ -257,7 +257,7 @@ #endif } -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L +#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) ssl_util_thread_setup(p); #endif @@ -380,7 +380,7 @@ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ init_dh_params(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) init_bio_methods(); #endif @@ -1301,7 +1301,7 @@ * or configure NIST P-256 (required to enable ECDHE for earlier versions) * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList */ -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) else { #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); @@ -2011,7 +2011,7 @@ } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) free_bio_methods(); #endif free_dh_params(); --- httpd-2.4.26/modules/ssl/ssl_engine_io.c +++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_io.c @@ -164,7 +164,7 @@ { BIO_set_shutdown(bio, 1); BIO_set_init(bio, 1); -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* No setter method for OpenSSL 1.1.0 available, * but I can't find any functional use of the * "num" field there either. @@ -549,7 +549,7 @@ return -1; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static BIO_METHOD bio_filter_out_method = { BIO_TYPE_MEM, @@ -2024,7 +2024,7 @@ filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); #else filter_ctx->pbioRead = BIO_new(bio_filter_in_method); @@ -2059,7 +2059,7 @@ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, filter_ctx, r, c); -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); #else filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); --- httpd-2.4.26/modules/ssl/ssl_engine_kernel.c +++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_kernel.c @@ -1733,7 +1733,7 @@ * so we need to increment here to prevent them from * being freed. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define modssl_set_cert_info(info, cert, pkey) \ *cert = info->x509; \ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ --- httpd-2.4.26/modules/ssl/ssl_engine_vars.c +++ httpd-2.4.26.libressl/modules/ssl/ssl_engine_vars.c @@ -529,7 +529,7 @@ resdup = FALSE; } else if (strcEQ(var, "A_SIG")) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); #else const ASN1_OBJECT *paobj; --- httpd-2.4.26/modules/ssl/ssl_private.h +++ httpd-2.4.26.libressl/modules/ssl/ssl_private.h @@ -123,6 +123,16 @@ #define MODSSL_SSL_METHOD_CONST #endif +#if defined(LIBRESSL_VERSION_NUMBER) +/* Missing from LibreSSL */ +#define SSL_CTRL_SET_MIN_PROTO_VERSION 123 +#define SSL_CTRL_SET_MAX_PROTO_VERSION 124 +#define SSL_CTX_set_min_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +#endif + #if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif @@ -136,7 +146,7 @@ #endif /* session id constness */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define IDCONST #else #define IDCONST const @@ -199,7 +209,7 @@ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 @@ -219,7 +229,7 @@ void free_bio_methods(void); #endif -#if OPENSSL_VERSION_NUMBER < 0x10002000L +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) #define X509_STORE_CTX_get0_store(x) (x->ctx) #endif @@ -934,7 +944,7 @@ const char * const *); BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); #if APR_HAS_THREADS -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) void ssl_util_thread_setup(apr_pool_t *); #endif void ssl_util_thread_id_setup(apr_pool_t *); --- httpd-2.4.26/modules/ssl/ssl_util.c +++ httpd-2.4.26.libressl/modules/ssl/ssl_util.c @@ -247,7 +247,7 @@ } #if APR_HAS_THREADS -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * To ensure thread-safetyness in OpenSSL - work in progress */ --- httpd-2.4.26/modules/ssl/ssl_util_ssl.h +++ httpd-2.4.26.libressl/modules/ssl/ssl_util_ssl.h @@ -41,7 +41,7 @@ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER #define MODSSL_LIBRARY_NAME "OpenSSL" #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) #else #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) --- httpd-2.4.26/support/ab.c +++ httpd-2.4.26.libressl/support/ab.c @@ -197,6 +197,14 @@ #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) #define HAVE_TLSEXT #endif +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f +# define SSL_CTRL_SET_MIN_PROTO_VERSION 123 +# define SSL_CTRL_SET_MAX_PROTO_VERSION 124 +#define SSL_CTX_set_min_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) +#define SSL_CTX_set_max_proto_version(ctx, version) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) +#endif #endif #include