diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index b6fe1d2..551cae2 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) || defined(OPENSSL_IS_BORINGSSL)
 /*
  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
  */
@@ -121,7 +121,7 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
 /*
  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
  */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c2b5bf6..ebde76d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,14 @@
 #include
 #endif
+#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ASYNC)
+#define OPENSSL_NO_ASYNC
+#endif
+
+#if defined(SSL_READ_EARLY_DATA_ERROR) && defined(SSL_READ_EARLY_DATA_SUCCESS)
+#define HAVE_SSL_READ_EARLY
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
 #include
 #endif
@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 SSL_set_SSL_CTX(ssl, ctx);
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
 static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) {
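Review bot: The context comment under the changed guard in the first openssl-compat.h hunk (-89) still says the functions are "not yet present in LibreSSL / BoringSSL", but the new condition compiles the block for LibreSSL only when LIBRESSL_VERSION_NUMBER is below 0x20700000L. The comment should state the cutoff, for example `* Functions introduced in OpenSSL 1.1.0 and not present in LibreSSL before 0x20700000L / BoringSSL`. The comment in the second hunk of this file (-121) needs the same update. Both guarded blocks continue outside the hunks.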
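Review bot: In the ssl_sock.c hunk at -56, `#define HAVE_SSL_READ_EARLY` gives the macro an empty replacement list, while the later hunks in ssl_sock_handshake() (-5052 and -5252) test it with `#if HAVE_SSL_READ_EARLY`. When the macro is defined, that expands to an `#if` with no expression and fails to preprocess, on exactly the builds where early data is detected. Either give it a value, `#define HAVE_SSL_READ_EARLY 1`, or test it with `#ifdef HAVE_SSL_READ_EARLY` at each use. The detection also assumes SSL_READ_EARLY_DATA_ERROR and SSL_READ_EARLY_DATA_SUCCESS are preprocessor macros already visible at this point; the include that would provide them is outside the hunk, so a one-line comment naming the expected header would help.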
@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 #ifdef OPENSSL_IS_BORINGSSL
 SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #else
@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 if (!conn->xprt_ctx) goto out_error;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if HAVE_SSL_READ_EARLY
 /*
  * Check if we have early data. If we do, we have to read them
  * before SSL_do_handshake() is called, And there's no way to
@@ -5252,7 +5260,7 @@ check_error:
 goto out_error;
 }
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_READ_EARLY
 else {
 /*
  * If the server refused the early data, we have to send a
@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
 continue;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if OPENSSL_READ_EARLY
 if (conn->flags & CO_FL_EARLY_SSL_HS) {
 size_t read_length;
@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
  * in which case we accept to do it once again.
  */
 while (buf->o) {
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
 size_t written_data;
 #endif
@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
 conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
 if (!SSL_is_init_finished(conn->xprt_ctx)) {
 unsigned int max_early;
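Review bot: The new guard `#if OPENSSL_READ_EARLY` in ssl_sock_to_buf() (-5375) tests a name that nothing visible in this patch defines; the macro added near the top of the file is HAVE_SSL_READ_EARLY. An undefined identifier in `#if` evaluates to 0, so the CO_FL_EARLY_SSL_HS read branch would be compiled out on every library, including the OpenSSL versions that built it before this change. The two guards in ssl_sock_from_buf() (-5512 and -5531) have the same problem with `#if HAVE_SSL_EARLY_DATA`. Unless those names are defined outside the visible hunks, all three should use the one detection macro, `#ifdef HAVE_SSL_READ_EARLY`, so that the handshake, read and write paths agree on whether early data is handled; building with `-Wundef` would flag this kind of mismatch. The enclosing function bodies continue outside the hunks.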