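--- a/security/stunnel/files/patch-libressl-compat
+++ b/security/stunnel/files/patch-libressl-compat
@@ -0,0 +1,363 @@
+--- src/client.c.orig	2021-04-05 21:21:38 UTC
++++ src/client.c
+@@ -742,7 +742,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat
+ NOEXPORT void transfer(CLI *c) {
+     int timeout; /* s_poll_wait timeout in seconds */
+     int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     int has_pending=0, prev_has_pending;
+ #endif
+     int watchdog=0; /* a counter to detect an infinite loop */
+@@ -789,7 +789,7 @@ NOEXPORT void transfer(CLI *c) {
+ 
+         /****************************** wait for an event */
+         pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         /* only attempt to process SSL_has_pending() data once */
+         prev_has_pending=has_pending;
+         has_pending=SSL_has_pending(c->ssl);
+@@ -1194,7 +1194,7 @@ NOEXPORT void transfer(CLI *c) {
+             s_log(LOG_ERR,
+                 "please report the problem to Michal.Trojnara@stunnel.org");
+             stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+             s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+                 SSL_get_version(c->ssl),
+                 SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+--- src/ctx.c.orig	2021-08-16 18:58:06 UTC
++++ src/ctx.c
+@@ -91,7 +91,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry();
+ 
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+     const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -130,7 +130,7 @@ NOEXPORT void sslerror_log(unsigned long, const char *
+ 
+ /**************************************** initialize section->ctx */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef long unsigned SSL_OPTIONS_TYPE;
+ #else
+ typedef long SSL_OPTIONS_TYPE;
+@@ -138,7 +138,7 @@ typedef long SSL_OPTIONS_TYPE;
+ 
+ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+     /* create a new TLS context */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     if(section->option.client)
+         section->ctx=SSL_CTX_new(TLS_client_method());
+     else /* server mode */
+@@ -173,7 +173,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+     }
+     current_section=section; /* setup current section for callbacks */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     /* set the security level */
+     if(section->security_level>=0) {
+         /* set the user-specified value */
+@@ -258,7 +258,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ #endif
+ 
+     /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+         decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -533,7 +533,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+ 
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CONF_CTX *cctx;
+     NAME_LIST *curr;
+     char *cmd, *param;
+@@ -1039,7 +1039,7 @@ NOEXPORT int ui_retry() {
+ 
+ /**************************************** session tickets */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ typedef struct {
+     void *session_authenticated;
+@@ -1532,7 +1532,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
+ 
+     c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
+     if(c) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+         int state=SSL_get_state((SSL *)ssl);
+--- src/options.c.orig	2021-08-05 07:19:52 UTC
++++ src/options.c
+@@ -81,7 +81,7 @@ NOEXPORT char *sni_init(SERVICE_OPTIONS *);
+ NOEXPORT void sni_free(SERVICE_OPTIONS *);
+ #endif /* !defined(OPENSSL_NO_TLSEXT) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int str_to_proto_version(const char *);
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ NOEXPORT char *tls_methods_set(SERVICE_OPTIONS *, const char *);
+@@ -96,7 +96,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *);
+ NOEXPORT void psk_free(PSK_KEYS *);
+ #endif /* !defined(OPENSSL_NO_PSK) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L
++#if OPENSSL_VERSION_NUMBER>=0x10000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT TICKET_KEY *key_read(char *, char *);
+ NOEXPORT TICKET_KEY *key_dup(TICKET_KEY *);
+ NOEXPORT void key_free(TICKET_KEY *);
+@@ -3252,7 +3252,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+         break;
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /* sslVersion */
+     switch(cmd) {
+@@ -3421,7 +3421,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+     }
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L
++#if OPENSSL_VERSION_NUMBER>=0x10000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /* ticketKeySecret */
+     switch(cmd) {
+@@ -3904,7 +3904,7 @@ NOEXPORT void sni_free(SERVICE_OPTIONS *section) {
+ 
+ /**************************************** modern TLS version handling */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ NOEXPORT int str_to_proto_version(const char *name) {
+     if(!strcasecmp(name, "all"))
+@@ -4229,7 +4229,7 @@ NOEXPORT void psk_free(PSK_KEYS *head) {
+ 
+ /**************************************** read ticket key */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L
++#if OPENSSL_VERSION_NUMBER>=0x10000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ NOEXPORT TICKET_KEY *key_read(char *arg, char *option) {
+     char *key_str;
+--- src/prototypes.h.orig	2021-05-30 20:19:44 UTC
++++ src/prototypes.h
+@@ -250,7 +250,7 @@ typedef struct service_options_struct {
+ #if OPENSSL_VERSION_NUMBER>=0x009080dfL
+     long unsigned ssl_options_clear;
+ #endif /* OpenSSL 0.9.8m or later */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     int min_proto_version, max_proto_version;
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+     SSL_METHOD *client_method, *server_method;
+@@ -722,7 +722,7 @@ int getnameinfo(const struct sockaddr *, socklen_t,
+ extern CLI *thread_head;
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -773,7 +773,7 @@ typedef enum {
+ 
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
+--- src/ssl.c.orig	2021-04-05 21:19:15 UTC
++++ src/ssl.c
+@@ -39,12 +39,17 @@
+ #include "prototypes.h"
+ 
+     /* global OpenSSL initialization: compression, engine, entropy */
++#ifdef LIBRESSL_VERSION_NUMBER
++NOEXPORT int cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++        int idx, long argl, void *argp);
++#else
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+         int idx, long argl, void *argp);
+-#if OPENSSL_VERSION_NUMBER>=0x30000000L
++#endif
++#if OPENSSL_VERSION_NUMBER>=0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -83,7 +88,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+ 
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+     OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -143,21 +148,33 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *
+ #endif
+ #endif
+ 
++#ifdef LIBRESSL_VERSION_NUMBER
++NOEXPORT int cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++        int idx, long argl, void *argp) {
++#else
+ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+         int idx, long argl, void *argp) {
++#endif
+     (void)parent; /* squash the unused parameter warning */
+     (void)ptr; /* squash the unused parameter warning */
+     (void)argl; /* squash the unused parameter warning */
+     s_log(LOG_DEBUG, "Initializing application specific data for %s",
+         (char *)argp);
+-    if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
++    if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1))) {
+         sslerror("CRYPTO_set_ex_data");
++#ifdef LIBRESSL_VERSION_NUMBER
++	return 0;
++#endif
++    }
++#ifdef LIBRESSL_VERSION_NUMBER
++    return 1;
++#endif
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x30000000L
++#if OPENSSL_VERSION_NUMBER>=0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void *from_d, int idx, long argl, void *argp) {
+ #else
+@@ -256,7 +273,7 @@ int ssl_configure(GLOBAL_OPTIONS *global) { /* configu
+ 
+ #ifndef OPENSSL_NO_COMP
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ NOEXPORT int COMP_get_type(const COMP_METHOD *meth) {
+     return meth->type;
+@@ -347,7 +364,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
+     const RAND_METHOD *meth=RAND_get_rand_method();
+ 
+     /* skip PRNG initialization when no seeding methods are available */
+-    if(meth->status==NULL || meth->add==NULL) {
++    if(meth==NULL || meth->status==NULL || meth->add==NULL) {
+         s_log(LOG_DEBUG, "No PRNG seeding methods");
+         return 0; /* success */
+     }
+--- src/sthreads.c.orig	2021-02-10 11:39:36 UTC
++++ src/sthreads.c
+@@ -102,14 +102,16 @@ unsigned long stunnel_thread_id(void) {
+ 
+ #endif /* USE_WIN32 */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
++#if (OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L) || \
++    defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
+     CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
+ }
+ #endif
+ 
+ void thread_id_init(void) {
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100000L
++#if (OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100000L) || \
++    defined(LIBRESSL_VERSION_NUMBER)
+     CRYPTO_THREADID_set_callback(threadid_func);
+ #endif
+ #if OPENSSL_VERSION_NUMBER<0x10000000L || !defined(OPENSSL_NO_DEPRECATED)
+@@ -120,7 +122,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+ 
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_PTHREAD
+ 
+@@ -279,7 +281,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+ 
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -387,7 +389,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, 
+ 
+ void locking_init(void) {
+     size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++    (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+     size_t num;
+ 
+     /* initialize the OpenSSL static locking */
+--- src/tls.c.orig	2021-02-10 11:39:36 UTC
++++ src/tls.c
+@@ -41,7 +41,7 @@
+ volatile int tls_initialized=0;
+ 
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+ 
+@@ -52,7 +52,7 @@ void tls_init() {
+     tls_platform_init();
+     tls_initialized=1;
+     ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     CRYPTO_set_mem_functions(str_alloc_detached_debug,
+         str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -184,7 +184,7 @@ TLS_DATA *tls_get() {
+ 
+ /**************************************** OpenSSL allocator hook */
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+     /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+     /* unfortunately, OpenSSL provides no file:line information here */
+--- src/verify.c.orig	2021-08-05 07:19:52 UTC
++++ src/verify.c
+@@ -351,7 +351,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+     cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+     subject=X509_get_subject_name(cert);
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+     /* modern API allows retrieving multiple matching certificates */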
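Review bot: In the src/ctx.c hunk at `@@ -173,7 +173,7 @@`, the extra `!defined(LIBRESSL_VERSION_NUMBER)` compiles the whole "set the security level" block out of LibreSSL builds, and nothing visible in this patch tells the operator that `section->security_level` is then never applied. The block's `#else`/`#endif` and the rest of context_init lie outside the hunk, and the option parser for that setting is not shown here, so this may already be covered; if it is not, a configured level is silently dropped. I would add a LibreSSL branch that logs it, for example `if(section->security_level>=0) s_log(LOG_WARNING, "securityLevel is not supported with LibreSSL, ignoring");`. Separately, every guard in the patch tests only `defined(LIBRESSL_VERSION_NUMBER)` with no version bound, so a comment at each guard naming the API LibreSSL lacks would make it clear when the exclusion can be lifted.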
