[PATCH] SSL: let it build against LibreSSL

Piotr Sikora piotr at cloudflare.com
Tue Jul 29 23:20:20 UTC 2014 

# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1406575677 25200
#      Mon Jul 28 12:27:57 2014 -0700
# Node ID c1abbfee85b3185c28a279c7935d0bb871933ed8
# Parent  e3086fd5e59335f4f3f165ee74c094a7aca2aeb3
SSL: let it build against LibreSSL.

LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
necessary, but support for the export cipher suites has been removed
from LibreSSL, so they clearly mark the unsupported feature.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r e3086fd5e593 -r c1abbfee85b3 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
@@ -50,7 +50,7 @@ static int ngx_ssl_session_ticket_key_ca
     HMAC_CTX *hctx, int enc);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
 #endif
 
@@ -656,7 +656,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn
 }
 
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
 
 RSA *
 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
@@ -2747,7 +2747,7 @@ ngx_ssl_check_host(ngx_connection_t *c, 
         return NGX_ERROR;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
+#if (OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined LIBRESSL_VERSION_NUMBER)
 
     /* X509_check_host() is only available in OpenSSL 1.0.2+ */
 
@@ -2864,7 +2864,7 @@ found:
 }
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
 
 static ngx_int_t
 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
diff -r e3086fd5e593 -r c1abbfee85b3 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.h	Mon Jul 28 12:27:57 2014 -0700
@@ -133,7 +133,7 @@ ngx_int_t ngx_ssl_stapling(ngx_conf_t *c
     ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
     int key_length);
 #endif
diff -r e3086fd5e593 -r c1abbfee85b3 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
@@ -715,7 +715,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
     /* a temporary 512-bit RSA key is required for export versions of MSIE */
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
 #endif
diff -r e3086fd5e593 -r c1abbfee85b3 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
@@ -334,7 +334,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
 #endif

More information about the nginx-devel mailing list