1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
From fbb0cc3b65a2ead522019fb461ae520371cc3ede Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@blackhole.sk>
Date: Mon, 6 Jun 2016 18:41:30 +0200
Subject: [PATCH] Support compiling with LibreSSL 2.4.0
This patch checks for macros OPENSSL_NO_COMP, OPENSSL_NO_EGD, and
if disables those features if they are.
Also add ifdef for HAVE_SSLv3_{client/server}_method in sslcls.c,
since these were removed from LibreSSL 2.4.0.
---
sslcls.c | 8 +++++++-
sslcls.h | 4 +++-
xio-openssl.c | 24 ++++++++++++++++++------
xio-openssl.h | 4 +++-
xioopts.c | 8 ++++++--
xioopts.h | 4 +++-
6 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/sslcls.c b/sslcls.c
index ea4c303..5011ef2 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) {
}
#endif
+#if HAVE_SSLv3_client_method
const SSL_METHOD *sycSSLv3_client_method(void) {
const SSL_METHOD *result;
Debug("SSLv3_client_method()");
@@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) {
Debug1("SSLv3_client_method() -> %p", result);
return result;
}
+#endif
+#if HAVE_SSLv3_server_method
const SSL_METHOD *sycSSLv3_server_method(void) {
const SSL_METHOD *result;
Debug("SSLv3_server_method()");
@@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) {
Debug1("SSLv3_server_method() -> %p", result);
return result;
}
+#endif
const SSL_METHOD *sycSSLv23_client_method(void) {
const SSL_METHOD *result;
@@ -347,6 +351,7 @@ void sycSSL_free(SSL *ssl) {
return;
}
+#ifndef OPENSSL_NO_EGD
int sycRAND_egd(const char *path) {
int result;
Debug1("RAND_egd(\"%s\")", path);
@@ -354,6 +359,7 @@ int sycRAND_egd(const char *path) {
Debug1("RAND_egd() -> %d", result);
return result;
}
+#endif
DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
DH *result;
@@ -391,7 +397,7 @@ int sycFIPS_mode_set(int onoff) {
}
#endif /* WITH_FIPS */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl) {
const COMP_METHOD *result;
Debug1("SSL_get_current_compression(%p)", ssl);
diff --git a/sslcls.h b/sslcls.h
index 152fe5b..9fd8ef2 100644
--- a/sslcls.h
+++ b/sslcls.h
@@ -49,7 +49,9 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl);
int sycSSL_shutdown(SSL *ssl);
void sycSSL_CTX_free(SSL_CTX *ctx);
void sycSSL_free(SSL *ssl);
+#ifndef OPENSSL_NO_EGD
int sycRAND_egd(const char *path);
+#endif
DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
@@ -57,7 +59,7 @@ BIO *sycBIO_new_file(const char *filename, const char *mode);
int sycFIPS_mode_set(int onoff);
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);
const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl);
const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
diff --git a/xio-openssl.c b/xio-openssl.c
index c7f283c..38dc20d 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -181,9 +181,11 @@ const struct optdesc opt_openssl_key = { "openssl-key", "key",
const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+#ifndef OPENSSL_NO_EGD
const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+#endif
const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
const struct optdesc opt_openssl_compress = { "openssl-compress", "compress", OPT_OPENSSL_COMPRESS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
#endif
#if WITH_FIPS
@@ -220,7 +222,7 @@ int xio_reset_fips_mode(void) {
static void openssl_conn_loginfo(SSL *ssl) {
Notice1("SSL connection using %s", SSL_get_cipher(ssl));
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
{
const COMP_METHOD *comp, *expansion;
@@ -786,7 +788,7 @@ int _xioopen_openssl_listen(struct single *xfd,
#endif /* WITH_LISTEN */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
/* In OpenSSL 0.9.7 compression methods could be added using
* SSL_COMP_add_compression_method(3), but the implemntation is not compatible
* with the standard (RFC3749).
@@ -857,8 +859,10 @@ int
char *opt_dhparam = NULL; /* file name of DH params */
char *opt_cafile = NULL; /* certificate authority file */
char *opt_capath = NULL; /* certificate authority directory */
+#ifndef OPENSSL_NO_EGD
char *opt_egd = NULL; /* entropy gathering daemon socket path */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
char *opt_compress = NULL; /* compression method */
#endif
bool opt_pseudo = false; /* use pseudo entropy if nothing else */
@@ -875,9 +879,11 @@ int
retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath);
retropt_string(opts, OPT_OPENSSL_KEY, &opt_key);
retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam);
+#ifndef OPENSSL_NO_EGD
retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd);
+#endif
retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo);
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress);
#endif
#if WITH_FIPS
@@ -1010,9 +1016,11 @@ int
}
}
+#ifndef OPENSSL_NO_EGD
if (opt_egd) {
sycRAND_egd(opt_egd);
}
+#endif
if (opt_pseudo) {
long int randdata;
@@ -1124,7 +1132,7 @@ int
}
#endif /* !defined(EC_KEY) */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
if (opt_compress) {
int result;
result = openssl_setup_compression(*ctx, opt_compress);
@@ -1238,7 +1246,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
if (e == ((ERR_LIB_RAND<<24)|
(RAND_F_SSLEAY_RAND_BYTES<<12)|
(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
+#ifdef OPENSSL_NO_EGD
+ Error("too few entropy; use option \"pseudo\"");
+#else
Error("too few entropy; use options \"egd\" or \"pseudo\"");
+#endif
stat = STAT_NORETRY;
} else {
Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf));
diff --git a/xio-openssl.h b/xio-openssl.h
index 62586fc..f10ee0c 100644
--- a/xio-openssl.h
+++ b/xio-openssl.h
@@ -21,9 +21,11 @@ extern const struct optdesc opt_openssl_key;
extern const struct optdesc opt_openssl_dhparam;
extern const struct optdesc opt_openssl_cafile;
extern const struct optdesc opt_openssl_capath;
+#ifndef OPENSSL_NO_EGD
extern const struct optdesc opt_openssl_egd;
+#endif
extern const struct optdesc opt_openssl_pseudo;
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
extern const struct optdesc opt_openssl_compress;
#endif
#if WITH_FIPS
diff --git a/xioopts.c b/xioopts.c
index 6c231f4..9a56298 100644
--- a/xioopts.c
+++ b/xioopts.c
@@ -303,7 +303,7 @@ const struct optname optionnames[] = {
#if WITH_EXT2 && defined(EXT2_COMPR_FL)
IF_ANY ("compr", &opt_ext2_compr)
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
IF_OPENSSL("compress", &opt_openssl_compress)
#endif
#ifdef TCP_CONN_ABORT_THRESHOLD /* HP_UX */
@@ -419,7 +419,9 @@ const struct optname optionnames[] = {
#ifdef ECHOPRT
IF_TERMIOS("echoprt", &opt_echoprt)
#endif
+#ifndef OPENSSL_NO_EGD
IF_OPENSSL("egd", &opt_openssl_egd)
+#endif
IF_ANY ("end-close", &opt_end_close)
IF_TERMIOS("eof", &opt_veof)
IF_TERMIOS("eol", &opt_veol)
@@ -1062,11 +1064,13 @@ const struct optname optionnames[] = {
IF_OPENSSL("openssl-certificate", &opt_openssl_certificate)
IF_OPENSSL("openssl-cipherlist", &opt_openssl_cipherlist)
IF_OPENSSL("openssl-commonname", &opt_openssl_commonname)
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
IF_OPENSSL("openssl-compress", &opt_openssl_compress)
#endif
IF_OPENSSL("openssl-dhparam", &opt_openssl_dhparam)
+#ifndef OPENSSL_NO_EGD
IF_OPENSSL("openssl-egd", &opt_openssl_egd)
+#endif
#if WITH_FIPS
IF_OPENSSL("openssl-fips", &opt_openssl_fips)
#endif
diff --git a/xioopts.h b/xioopts.h
index 2a165f5..37d6883 100644
--- a/xioopts.h
+++ b/xioopts.h
@@ -478,11 +478,13 @@ enum e_optcode {
OPT_OPENSSL_CERTIFICATE,
OPT_OPENSSL_CIPHERLIST,
OPT_OPENSSL_COMMONNAME,
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
OPT_OPENSSL_COMPRESS,
#endif
OPT_OPENSSL_DHPARAM,
+#ifndef OPENSSL_NO_EGD
OPT_OPENSSL_EGD,
+#endif
OPT_OPENSSL_FIPS,
OPT_OPENSSL_KEY,
OPT_OPENSSL_METHOD,
--
2.7.3
|