Attachment #191810 for bug #226922

View | Details | Raw Unified | Return to bug 226922
Collapse All | Expand All

Lines 1-4 Link Here

(-)www/nghttp2/files/nghttpx.conf.sample (-1 / +1 lines)
1	# $FreeBSD$	1	# $FreeBSD: head/www/nghttp2/files/nghttpx.conf.sample 421805 2016-09-11 07:52:26Z brnrd $
2	# Sample config file for nghttpx in proxy forwarding mode.	2	# Sample config file for nghttpx in proxy forwarding mode.
3		3
4	# See https://nghttp2.org/documentation/nghttpx.1.html for	4	# See https://nghttp2.org/documentation/nghttpx.1.html for

Lines 1-5 Link Here

(-)www/nghttp2/files/nghttpx.in (-1 / +1 lines)
1	#!/bin/sh	1	#!/bin/sh
2	# $FreeBSD$	2	# $FreeBSD: head/www/nghttp2/files/nghttpx.in 421805 2016-09-11 07:52:26Z brnrd $
3		3
4	# PROVIDE: nghttpx	4	# PROVIDE: nghttpx
5	# REQUIRE: LOGIN cleanvar	5	# REQUIRE: LOGIN cleanvar




--- examples/client.c.orig	2018-02-02 12:19:16 UTC
+++ examples/client.c
@@ -375,7 +375,9 @@ static void init_ssl_ctx(SSL_CTX *ssl_ct
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
   /* Set NPN callback */
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
+#endif
 }
 
 static void ssl_handshake(SSL *ssl, int fd) {




--- examples/libevent-client.c.orig	2018-02-02 12:19:16 UTC
+++ examples/libevent-client.c
@@ -335,7 +335,9 @@ static SSL_CTX *create_ssl_ctx(void) {
                       SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                           SSL_OP_NO_COMPRESSION |
                           SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
@@ -504,7 +506,9 @@ static void eventcb(struct bufferevent *
 
     ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
     SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (alpn == NULL) {
       SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);




--- examples/libevent-server.c.orig	2018-02-02 12:19:16 UTC
+++ examples/libevent-server.c
@@ -172,7 +172,9 @@ static SSL_CTX *create_ssl_ctx(const cha
          NGHTTP2_PROTO_VERSION_ID_LEN);
   next_proto_list_len = 1 + NGHTTP2_PROTO_VERSION_ID_LEN;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, NULL);
@@ -690,7 +692,9 @@ static void eventcb(struct bufferevent *
 
     ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
     SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (alpn == NULL) {
       SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);




--- src/HttpServer.cc.orig	2018-02-17 11:15:19 UTC
+++ src/HttpServer.cc
@@ -888,7 +888,9 @@ int Http2Handler::verify_npn_result() {
   const unsigned char *next_proto = nullptr;
   unsigned int next_proto_len;
   // Check the negotiated protocol in NPN or ALPN
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_get0_next_proto_negotiated(ssl_, &next_proto, &next_proto_len);
+#endif
   for (int i = 0; i < 2; ++i) {
     if (next_proto) {
       auto proto = StringRef{next_proto, next_proto_len};
@@ -2205,7 +2207,9 @@ int HttpServer::run() {
 
     next_proto = util::get_default_alpn();
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
     SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, &next_proto);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     // ALPN selection callback
     SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, this);




--- src/asio_common.cc.orig	2018-02-02 12:19:16 UTC
+++ src/asio_common.cc
@@ -177,7 +177,9 @@ bool tls_h2_negotiated(ssl_socket &socke
   const unsigned char *next_proto = nullptr;
   unsigned int next_proto_len = 0;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   if (next_proto == nullptr) {
     SSL_get0_alpn_selected(ssl, &next_proto, &next_proto_len);




--- src/h2load.cc.orig	2018-02-02 12:19:16 UTC
+++ src/h2load.cc
@@ -857,7 +857,9 @@ int Client::connection_made() {
     const unsigned char *next_proto = nullptr;
     unsigned int next_proto_len;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
     SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (next_proto == nullptr) {
       SSL_get0_alpn_selected(ssl, &next_proto, &next_proto_len);
@@ -2399,8 +2401,10 @@ int main(int argc, char **argv) {
     exit(EXIT_FAILURE);
   }
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
                                    nullptr);
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   std::vector<unsigned char> proto_list;




--- src/nghttp.cc.orig	2018-03-25 12:28:55 UTC
+++ src/nghttp.cc
@@ -680,9 +680,9 @@ int HttpClient::initiate_connection() {
       const auto &host_string =
           config.host_override.empty() ? host : config.host_override;
 
-#if (!defined(LIBRESSL_VERSION_NUMBER) &&                                      \
+#if (!(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) && \
      OPENSSL_VERSION_NUMBER >= 0x10002000L) ||                                 \
-    defined(OPENSSL_IS_BORINGSSL)
+     defined(OPENSSL_IS_BORINGSSL)
       auto param = SSL_get0_param(ssl);
       X509_VERIFY_PARAM_set_hostflags(param, 0);
       X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),




--- src/shrpx_client_handler.cc.orig	2018-02-02 12:19:16 UTC
+++ src/shrpx_client_handler.cc
@@ -549,7 +549,9 @@ int ClientHandler::validate_next_proto()
   // First set callback for catch all cases
   on_read_ = &ClientHandler::upstream_read;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   if (next_proto == nullptr) {
     SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);




--- src/shrpx_config.cc.orig	2018-02-27 12:18:50 UTC
+++ src/shrpx_config.cc
@@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &
     auto param = StringRef{first, end};
 
     if (util::istarts_with_l(param, "sct-dir=")) {
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
       auto sct_dir =
           StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
       if (sct_dir.empty()) {
@@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &
         return -1;
       }
       out.sct_dir = sct_dir;
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
       LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
     } else if (!param.empty()) {
       LOG(ERROR) << "subcert: " << param << ": unknown keyword";
       return -1;
@@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<ui
 }
 } // namespace
 
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_1_0_API
 namespace {
 // Reads PSK secrets from path, and parses each line.  The result is
 // directly stored into config->tls.psk_secrets.  This function
@@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, co
   return 0;
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !LIBRESSL_1_0_API
 
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_1_0_API
 namespace {
 // Reads PSK secrets from path, and parses each line.  The result is
 // directly stored into config->tls.client.psk.  This function returns
@@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *con
   return 0;
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !LIBRESSL_1_0_API
 
 // generated by gennghttpxfun.py
 int option_lookup_token(const char *name, size_t namelen) {
@@ -3454,19 +3454,19 @@ int parse_config(Config *config, int opt
     return parse_uint_with_unit(
         &config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
   case SHRPX_OPTID_ECDH_CURVES:
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
     config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
     LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
     return 0;
   case SHRPX_OPTID_TLS_SCT_DIR:
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
     return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
     LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
     return 0;
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
   case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
     return parse_duration(&config->dns.timeout.cache, opt, optarg);
   case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
@@ -3489,23 +3489,23 @@ int parse_config(Config *config, int opt
     return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
                           optarg);
   case SHRPX_OPTID_PSK_SECRETS:
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_1_0_API
     return parse_psk_secrets(config, optarg);
-#else  // LIBRESSL_IN_USE
+#else  // LIBRESSL_1_0_API
     LOG(WARN)
         << opt
         << ": ignored because underlying TLS library does not support PSK";
     return 0;
-#endif // LIBRESSL_IN_USE
+#endif // LIBRESSL_1_0_API
   case SHRPX_OPTID_CLIENT_PSK_SECRETS:
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_1_0_API
     return parse_client_psk_secrets(config, optarg);
-#else  // LIBRESSL_IN_USE
+#else  // LIBRESSL_1_0_API
     LOG(WARN)
         << opt
         << ": ignored because underlying TLS library does not support PSK";
     return 0;
-#endif // LIBRESSL_IN_USE
+#endif // LIBRESSL_1_0_API
   case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
     config->tls.client.no_http2_cipher_black_list =
         util::strieq_l("yes", optarg);




--- src/shrpx_connection.cc.orig	2018-02-02 12:19:16 UTC
+++ src/shrpx_connection.cc
@@ -523,7 +523,9 @@ int Connection::check_http2_requirement(
   const unsigned char *next_proto = nullptr;
   unsigned int next_proto_len;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_get0_next_proto_negotiated(tls.ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   if (next_proto == nullptr) {
     SSL_get0_alpn_selected(tls.ssl, &next_proto, &next_proto_len);




--- src/shrpx_http2_session.cc.orig	2018-02-02 12:19:16 UTC
+++ src/shrpx_http2_session.cc
@@ -1649,7 +1649,9 @@ int Http2Session::connection_made() {
     const unsigned char *next_proto = nullptr;
     unsigned int next_proto_len = 0;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
     SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (!next_proto) {
       SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);




--- src/shrpx_live_check.cc.orig	2018-02-02 12:19:16 UTC
+++ src/shrpx_live_check.cc
@@ -406,7 +406,9 @@ int LiveCheck::tls_handshake() {
   const unsigned char *next_proto = nullptr;
   unsigned int next_proto_len = 0;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
   SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
   if (next_proto == nullptr) {
     SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);




--- src/shrpx_tls.cc.orig	2018-03-25 12:28:55 UTC
+++ src/shrpx_tls.cc
@@ -360,7 +360,7 @@ int tls_session_new_cb(SSL *ssl, SSL_SES
 
 namespace {
 SSL_SESSION *tls_session_get_cb(SSL *ssl,
-#if OPENSSL_1_1_API
+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
                                 const unsigned char *id,
 #else  // !OPENSSL_1_1_API
                                 unsigned char *id,
@@ -563,7 +563,7 @@ int alpn_select_proto_cb(SSL *ssl, const
 } // namespace
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
 
 #ifndef TLSEXT_TYPE_signed_certificate_timestamp
 #define TLSEXT_TYPE_signed_certificate_timestamp 18
@@ -653,9 +653,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsign
 } // namespace
 
 #endif // !OPENSSL_1_1_1_API
-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
 
-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
 namespace {
 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
                            unsigned int max_psk_len) {
@@ -679,9 +679,9 @@ unsigned int psk_server_cb(SSL *ssl, con
   return static_cast<unsigned int>(secret.size());
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK
 
-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
 namespace {
 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
                            unsigned int max_identity_len, unsigned char *psk,
@@ -714,7 +714,7 @@ unsigned int psk_client_cb(SSL *ssl, con
   return static_cast<unsigned int>(secret.size());
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK
 
 struct TLSProtocol {
   StringRef name;
@@ -792,7 +792,7 @@ SSL_CTX *create_ssl_context(const char *
   }
 
 #ifndef OPENSSL_NO_EC
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
   if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
     LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
                << " failed";
@@ -803,7 +803,7 @@ SSL_CTX *create_ssl_context(const char *
   // function was deprecated in OpenSSL 1.1.0 and BoringSSL.
   SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
 #endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
-#else  // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
+#else  // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
   // Use P-256, which is sufficiently secure at the time of this
   // writing.
   auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -814,7 +814,7 @@ SSL_CTX *create_ssl_context(const char *
   }
   SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
   EC_KEY_free(ecdh);
-#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
+#endif // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
 #endif // OPENSSL_NO_EC
 
   if (!tlsconf.dh_param_file.empty()) {
@@ -931,7 +931,7 @@ SSL_CTX *create_ssl_context(const char *
   SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
   // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
   // returns 1, which means OpenSSL internally handles it.  But
   // OpenSSL handles signed_certificate_timestamp extension specially,
@@ -962,11 +962,11 @@ SSL_CTX *create_ssl_context(const char *
     }
 #endif // !OPENSSL_1_1_1_API
   }
-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
 
-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
   SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK
 
   auto tls_ctx_data = new TLSContextData();
   tls_ctx_data->cert_file = cert_file;
@@ -1114,9 +1114,9 @@ SSL_CTX *create_ssl_client_context(
 #endif // HAVE_NEVERBLEED
   }
 
-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
   SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK
 
   // NPN selection callback.  This is required to set SSL_CTX because
   // OpenSSL does not offer SSL_set_next_proto_select_cb.
@@ -1553,15 +1553,15 @@ int cert_lookup_tree_add_ssl_ctx(
     SSL_CTX *ssl_ctx) {
   std::array<uint8_t, NI_MAXHOST> buf;
 
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L
   auto cert = SSL_CTX_get0_certificate(ssl_ctx);
-#else  // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
+#else  // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
   // 0x10002000L
   auto tls_ctx_data =
       static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
   auto cert = load_certificate(tls_ctx_data->cert_file);
   auto cert_deleter = defer(X509_free, cert);
-#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
+#endif // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
        // 0x10002000L
 
   auto altnames = static_cast<GENERAL_NAMES *>(
@@ -1977,7 +1977,7 @@ StringRef get_x509_issuer_name(BlockAllo
 #endif /* !WORDS_BIGENDIAN */
 
 StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
-#if OPENSSL_1_1_API
+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
   auto sn = X509_get0_serialNumber(x);
   uint64_t r;
   if (ASN1_INTEGER_get_uint64(&r, sn) != 1) {




--- src/ssl_compat.h.orig	2018-02-27 12:18:50 UTC
+++ src/ssl_compat.h
@@ -26,16 +26,22 @@
 
 #include <openssl/opensslv.h>
 
-#if defined(LIBRESSL_VERSION_NUMBER)
-#define LIBRESSL_IN_USE 1
-#else // !defined(LIBRESSL_VERSION_NUMBER)
-#define LIBRESSL_IN_USE 0
-#endif // !defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
+#define LIBRESSL_1_0_API 1
+#define LIBRESSL_1_1_API 0
+#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20700000L
+#define LIBRESSL_1_0_API 0
+#define LIBRESSL_1_1_API 1
+#else // !defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
+#define LIBRESSL_1_0_API 0
+#define LIBRESSL_1_1_API 0
+#endif // !defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
 
 #define OPENSSL_1_1_API                                                        \
-  (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+  (!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 
 #define OPENSSL_1_1_1_API                                                      \
-  (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
+  (!LIBRESSL_1_0_API && !LIBRESSL_1_1_API &&                                   \
+   OPENSSL_VERSION_NUMBER >= 0x10101000L)
 
 #endif // OPENSSL_COMPAT_H

Return to bug 226922

Line 0 Link Here

(-)www/nghttp2/files/patch-examples_client.c (+12 lines)
	1	--- examples/client.c.orig 2018-02-02 12:19:16 UTC
	2	+++ examples/client.c
	3	@@ -375,7 +375,9 @@ static void init_ssl_ctx(SSL_CTX *ssl_ct
	4	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
	5	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
	6	/* Set NPN callback */
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
	9	+#endif
	10	}
	11
	12	static void ssl_handshake(SSL *ssl, int fd) {

Line 0 Link Here

(-)www/nghttp2/files/patch-examples_libevent-client.c (+22 lines)
	1	--- examples/libevent-client.c.orig 2018-02-02 12:19:16 UTC
	2	+++ examples/libevent-client.c
	3	@@ -335,7 +335,9 @@ static SSL_CTX *create_ssl_ctx(void) {
	4	SSL_OP_ALL \| SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3 \|
	5	SSL_OP_NO_COMPRESSION \|
	6	SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
	9	+#endif
	10
	11	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	12	SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
	13	@@ -504,7 +506,9 @@ static void eventcb(struct bufferevent *
	14
	15	ssl = bufferevent_openssl_get_ssl(session_data->bev);
	16
	17	+#ifndef OPENSSL_NO_NEXTPROTONEG
	18	SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
	19	+#endif
	20	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	21	if (alpn == NULL) {
	22	SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);

Line 0 Link Here

(-)www/nghttp2/files/patch-examples_libevent-server.c (+22 lines)
	1	--- examples/libevent-server.c.orig 2018-02-02 12:19:16 UTC
	2	+++ examples/libevent-server.c
	3	@@ -172,7 +172,9 @@ static SSL_CTX *create_ssl_ctx(const cha
	4	NGHTTP2_PROTO_VERSION_ID_LEN);
	5	next_proto_list_len = 1 + NGHTTP2_PROTO_VERSION_ID_LEN;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
	9	+#endif
	10
	11	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	12	SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, NULL);
	13	@@ -690,7 +692,9 @@ static void eventcb(struct bufferevent *
	14
	15	ssl = bufferevent_openssl_get_ssl(session_data->bev);
	16
	17	+#ifndef OPENSSL_NO_NEXTPROTONEG
	18	SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
	19	+#endif
	20	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	21	if (alpn == NULL) {
	22	SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_HttpServer.cc (+22 lines)
	1	--- src/HttpServer.cc.orig 2018-02-17 11:15:19 UTC
	2	+++ src/HttpServer.cc
	3	@@ -888,7 +888,9 @@ int Http2Handler::verify_npn_result() {
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len;
	6	// Check the negotiated protocol in NPN or ALPN
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(ssl_, &next_proto, &next_proto_len);
	9	+#endif
	10	for (int i = 0; i < 2; ++i) {
	11	if (next_proto) {
	12	auto proto = StringRef{next_proto, next_proto_len};
	13	@@ -2205,7 +2207,9 @@ int HttpServer::run() {
	14
	15	next_proto = util::get_default_alpn();
	16
	17	+#ifndef OPENSSL_NO_NEXTPROTONEG
	18	SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, &next_proto);
	19	+#endif
	20	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	21	// ALPN selection callback
	22	SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, this);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_asio__common.cc (+12 lines)
	1	--- src/asio_common.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/asio_common.cc
	3	@@ -177,7 +177,9 @@ bool tls_h2_negotiated(ssl_socket &socke
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len = 0;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (next_proto == nullptr) {
	12	SSL_get0_alpn_selected(ssl, &next_proto, &next_proto_len);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_h2load.cc (+23 lines)
	1	--- src/h2load.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/h2load.cc
	3	@@ -857,7 +857,9 @@ int Client::connection_made() {
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (next_proto == nullptr) {
	12	SSL_get0_alpn_selected(ssl, &next_proto, &next_proto_len);
	13	@@ -2399,8 +2401,10 @@ int main(int argc, char **argv) {
	14	exit(EXIT_FAILURE);
	15	}
	16
	17	+#ifndef OPENSSL_NO_NEXTPROTONEG
	18	SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
	19	nullptr);
	20	+#endif
	21
	22	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	23	std::vector<unsigned char> proto_list;

Line 0 Link Here

(-)www/nghttp2/files/patch-src_nghttp.cc (+14 lines)
	1	--- src/nghttp.cc.orig 2018-03-25 12:28:55 UTC
	2	+++ src/nghttp.cc
	3	@@ -680,9 +680,9 @@ int HttpClient::initiate_connection() {
	4	const auto &host_string =
	5	config.host_override.empty() ? host : config.host_override;
	6
	7	-#if (!defined(LIBRESSL_VERSION_NUMBER) && \
	8	+#if (!(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) && \
	9	OPENSSL_VERSION_NUMBER >= 0x10002000L) \|\| \
	10	- defined(OPENSSL_IS_BORINGSSL)
	11	+ defined(OPENSSL_IS_BORINGSSL)
	12	auto param = SSL_get0_param(ssl);
	13	X509_VERIFY_PARAM_set_hostflags(param, 0);
	14	X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__client__handler.cc (+12 lines)
	1	--- src/shrpx_client_handler.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/shrpx_client_handler.cc
	3	@@ -549,7 +549,9 @@ int ClientHandler::validate_next_proto()
	4	// First set callback for catch all cases
	5	on_read_ = &ClientHandler::upstream_read;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (next_proto == nullptr) {
	12	SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__config.cc (+109 lines)
		1	--- src/shrpx_config.cc.orig 2018-02-27 12:18:50 UTC
		2	+++ src/shrpx_config.cc
		3	@@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &
		4	auto param = StringRef{first, end};
		5
		6	if (util::istarts_with_l(param, "sct-dir=")) {
		7	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
		8	+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
		9	auto sct_dir =
		10	StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
		11	if (sct_dir.empty()) {
		12	@@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &
		13	return -1;
		14	}
		15	out.sct_dir = sct_dir;
		16	-#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		17	+#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		18	LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
		19	-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		20	+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		21	} else if (!param.empty()) {
		22	LOG(ERROR) << "subcert: " << param << ": unknown keyword";
		23	return -1;
		24	@@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<ui
		25	}
		26	} // namespace
		27
		28	-#if !LIBRESSL_IN_USE
		29	+#if !LIBRESSL_1_0_API
		30	namespace {
		31	// Reads PSK secrets from path, and parses each line. The result is
		32	// directly stored into config->tls.psk_secrets. This function
		33	@@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, co
		34	return 0;
		35	}
		36	} // namespace
		37	-#endif // !LIBRESSL_IN_USE
		38	+#endif // !LIBRESSL_1_0_API
		39
		40	-#if !LIBRESSL_IN_USE
		41	+#if !LIBRESSL_1_0_API
		42	namespace {
		43	// Reads PSK secrets from path, and parses each line. The result is
		44	// directly stored into config->tls.client.psk. This function returns
		45	@@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *con
		46	return 0;
		47	}
		48	} // namespace
		49	-#endif // !LIBRESSL_IN_USE
		50	+#endif // !LIBRESSL_1_0_API
		51
		52	// generated by gennghttpxfun.py
		53	int option_lookup_token(const char *name, size_t namelen) {
		54	@@ -3454,19 +3454,19 @@ int parse_config(Config *config, int opt
		55	return parse_uint_with_unit(
		56	&config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
		57	case SHRPX_OPTID_ECDH_CURVES:
		58	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
		59	+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
		60	config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
		61	-#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		62	+#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
		63	LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
		64	-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
65	+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
66	return 0;
67	case SHRPX_OPTID_TLS_SCT_DIR:
68	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
69	+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
70	return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
71	-#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
72	+#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
73	LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
74	return 0;
75	-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
76	+#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
77	case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
78	return parse_duration(&config->dns.timeout.cache, opt, optarg);
79	case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
80	@@ -3489,23 +3489,23 @@ int parse_config(Config *config, int opt
81	return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
82	optarg);
83	case SHRPX_OPTID_PSK_SECRETS:
84	-#if !LIBRESSL_IN_USE
85	+#if !LIBRESSL_1_0_API
86	return parse_psk_secrets(config, optarg);
87	-#else // LIBRESSL_IN_USE
88	+#else // LIBRESSL_1_0_API
89	LOG(WARN)
90	<< opt
91	<< ": ignored because underlying TLS library does not support PSK";
92	return 0;
93	-#endif // LIBRESSL_IN_USE
94	+#endif // LIBRESSL_1_0_API
95	case SHRPX_OPTID_CLIENT_PSK_SECRETS:
96	-#if !LIBRESSL_IN_USE
97	+#if !LIBRESSL_1_0_API
98	return parse_client_psk_secrets(config, optarg);
99	-#else // LIBRESSL_IN_USE
100	+#else // LIBRESSL_1_0_API
101	LOG(WARN)
102	<< opt
103	<< ": ignored because underlying TLS library does not support PSK";
104	return 0;
105	-#endif // LIBRESSL_IN_USE
106	+#endif // LIBRESSL_1_0_API
107	case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
108	config->tls.client.no_http2_cipher_black_list =
109	util::strieq_l("yes", optarg);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__connection.cc (+12 lines)
	1	--- src/shrpx_connection.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/shrpx_connection.cc
	3	@@ -523,7 +523,9 @@ int Connection::check_http2_requirement(
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(tls.ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (next_proto == nullptr) {
	12	SSL_get0_alpn_selected(tls.ssl, &next_proto, &next_proto_len);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__http2__session.cc (+12 lines)
	1	--- src/shrpx_http2_session.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/shrpx_http2_session.cc
	3	@@ -1649,7 +1649,9 @@ int Http2Session::connection_made() {
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len = 0;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (!next_proto) {
	12	SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__live__check.cc (+12 lines)
	1	--- src/shrpx_live_check.cc.orig 2018-02-02 12:19:16 UTC
	2	+++ src/shrpx_live_check.cc
	3	@@ -406,7 +406,9 @@ int LiveCheck::tls_handshake() {
	4	const unsigned char *next_proto = nullptr;
	5	unsigned int next_proto_len = 0;
	6
	7	+#ifndef OPENSSL_NO_NEXTPROTONEG
	8	SSL_get0_next_proto_negotiated(conn_.tls.ssl, &next_proto, &next_proto_len);
	9	+#endif
	10	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
	11	if (next_proto == nullptr) {
	12	SSL_get0_alpn_selected(conn_.tls.ssl, &next_proto, &next_proto_len);

Line 0 Link Here

(-)www/nghttp2/files/patch-src_shrpx__tls.cc (+144 lines)
		1	--- src/shrpx_tls.cc.orig 2018-03-25 12:28:55 UTC
		2	+++ src/shrpx_tls.cc
		3	@@ -360,7 +360,7 @@ int tls_session_new_cb(SSL *ssl, SSL_SES
		4
		5	namespace {
		6	SSL_SESSION tls_session_get_cb(SSL ssl,
		7	-#if OPENSSL_1_1_API
		8	+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
		9	const unsigned char *id,
		10	#else // !OPENSSL_1_1_API
		11	unsigned char *id,
		12	@@ -563,7 +563,7 @@ int alpn_select_proto_cb(SSL *ssl, const
		13	} // namespace
		14	#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
		15
		16	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
		17	+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
		18
		19	#ifndef TLSEXT_TYPE_signed_certificate_timestamp
		20	#define TLSEXT_TYPE_signed_certificate_timestamp 18
		21	@@ -653,9 +653,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsign
		22	} // namespace
		23
		24	#endif // !OPENSSL_1_1_1_API
		25	-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
		26	+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
		27
		28	-#if !LIBRESSL_IN_USE
		29	+#ifndef OPENSSL_NO_PSK
		30	namespace {
		31	unsigned int psk_server_cb(SSL ssl, const char identity, unsigned char *psk,
		32	unsigned int max_psk_len) {
		33	@@ -679,9 +679,9 @@ unsigned int psk_server_cb(SSL *ssl, con
		34	return static_cast<unsigned int>(secret.size());
		35	}
		36	} // namespace
		37	-#endif // !LIBRESSL_IN_USE
		38	+#endif // !OPENSSL_NO_PSK
		39
		40	-#if !LIBRESSL_IN_USE
		41	+#ifndef OPENSSL_NO_PSK
		42	namespace {
		43	unsigned int psk_client_cb(SSL ssl, const char hint, char *identity_out,
		44	unsigned int max_identity_len, unsigned char *psk,
		45	@@ -714,7 +714,7 @@ unsigned int psk_client_cb(SSL *ssl, con
		46	return static_cast<unsigned int>(secret.size());
		47	}
		48	} // namespace
		49	-#endif // !LIBRESSL_IN_USE
		50	+#endif // !OPENSSL_NO_PSK
		51
		52	struct TLSProtocol {
		53	StringRef name;
		54	@@ -792,7 +792,7 @@ SSL_CTX create_ssl_context(const char
		55	}
		56
		57	#ifndef OPENSSL_NO_EC
		58	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
		59	+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
		60	if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
		61	LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
		62	<< " failed";
		63	@@ -803,7 +803,7 @@ SSL_CTX create_ssl_context(const char
		64	// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
65	SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
66	#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
67	-#else // LIBRESSL_IN_USE \|\| OPENSSL_VERSION_NUBMER < 0x10002000L
68	+#else // LIBRESSL_1_0_API \|\| OPENSSL_VERSION_NUBMER < 0x10002000L
69	// Use P-256, which is sufficiently secure at the time of this
70	// writing.
71	auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
72	@@ -814,7 +814,7 @@ SSL_CTX create_ssl_context(const char
73	}
74	SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
75	EC_KEY_free(ecdh);
76	-#endif // LIBRESSL_IN_USE \|\| OPENSSL_VERSION_NUBMER < 0x10002000L
77	+#endif // LIBRESSL_1_0_API \|\| OPENSSL_VERSION_NUBMER < 0x10002000L
78	#endif // OPENSSL_NO_EC
79
80	if (!tlsconf.dh_param_file.empty()) {
81	@@ -931,7 +931,7 @@ SSL_CTX create_ssl_context(const char
82	SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
83	#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
84
85	-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
86	+#if !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
87	// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
88	// returns 1, which means OpenSSL internally handles it. But
89	// OpenSSL handles signed_certificate_timestamp extension specially,
90	@@ -962,11 +962,11 @@ SSL_CTX create_ssl_context(const char
91	}
92	#endif // !OPENSSL_1_1_1_API
93	}
94	-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
95	+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
96
97	-#if !LIBRESSL_IN_USE
98	+#ifndef OPENSSL_NO_PSK
99	SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
100	-#endif // !LIBRESSL_IN_USE
101	+#endif // !OPENSSL_NO_PSK
102
103	auto tls_ctx_data = new TLSContextData();
104	tls_ctx_data->cert_file = cert_file;
105	@@ -1114,9 +1114,9 @@ SSL_CTX *create_ssl_client_context(
106	#endif // HAVE_NEVERBLEED
107	}
108
109	-#if !LIBRESSL_IN_USE
110	+#ifndef OPENSSL_NO_PSK
111	SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
112	-#endif // !LIBRESSL_IN_USE
113	+#endif // !OPENSSL_NO_PSK
114
115	// NPN selection callback. This is required to set SSL_CTX because
116	// OpenSSL does not offer SSL_set_next_proto_select_cb.
117	@@ -1553,15 +1553,15 @@ int cert_lookup_tree_add_ssl_ctx(
118	SSL_CTX *ssl_ctx) {
119	std::array<uint8_t, NI_MAXHOST> buf;
120
121	-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
122	+#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L
123	auto cert = SSL_CTX_get0_certificate(ssl_ctx);
124	-#else // defined(LIBRESSL_VERSION_NUMBER) \|\| OPENSSL_VERSION_NUMBER <
125	+#else // defined(LIBRESSL_1_0_API) \|\| OPENSSL_VERSION_NUMBER <
126	// 0x10002000L
127	auto tls_ctx_data =
128	static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
129	auto cert = load_certificate(tls_ctx_data->cert_file);
130	auto cert_deleter = defer(X509_free, cert);
131	-#endif // defined(LIBRESSL_VERSION_NUMBER) \|\| OPENSSL_VERSION_NUMBER <
132	+#endif // defined(LIBRESSL_1_0_API) \|\| OPENSSL_VERSION_NUMBER <
133	// 0x10002000L
134
135	auto altnames = static_cast<GENERAL_NAMES *>(
136	@@ -1977,7 +1977,7 @@ StringRef get_x509_issuer_name(BlockAllo
137	#endif /* !WORDS_BIGENDIAN */
138
139	StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
140	-#if OPENSSL_1_1_API
141	+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
142	auto sn = X509_get0_serialNumber(x);
143	uint64_t r;
144	if (ASN1_INTEGER_get_uint64(&r, sn) != 1) {

Line 0 Link Here

(-)www/nghttp2/files/patch-src_ssl__compat.h (+32 lines)
	1	--- src/ssl_compat.h.orig 2018-02-27 12:18:50 UTC
	2	+++ src/ssl_compat.h
	3	@@ -26,16 +26,22 @@
	4
	5	#include <openssl/opensslv.h>
	6
	7	-#if defined(LIBRESSL_VERSION_NUMBER)
	8	-#define LIBRESSL_IN_USE 1
	9	-#else // !defined(LIBRESSL_VERSION_NUMBER)
	10	-#define LIBRESSL_IN_USE 0
	11	-#endif // !defined(LIBRESSL_VERSION_NUMBER)
	12	+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
	13	+#define LIBRESSL_1_0_API 1
	14	+#define LIBRESSL_1_1_API 0
	15	+#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20700000L
	16	+#define LIBRESSL_1_0_API 0
	17	+#define LIBRESSL_1_1_API 1
	18	+#else // !defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
	19	+#define LIBRESSL_1_0_API 0
	20	+#define LIBRESSL_1_1_API 0
	21	+#endif // !defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
	22
	23	#define OPENSSL_1_1_API \
	24	- (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
	25	+ (!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
	26
	27	#define OPENSSL_1_1_1_API \
	28	- (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
	29	+ (!LIBRESSL_1_0_API && !LIBRESSL_1_1_API && \
	30	+ OPENSSL_VERSION_NUMBER >= 0x10101000L)
	31
	32	#endif // OPENSSL_COMPAT_H