[PATCH] SSL: let it build against LibreSSL

Piotr Sikora
July 29, 2014 07:22PM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1406575677 25200
# Mon Jul 28 12:27:57 2014 -0700
# Node ID c1abbfee85b3185c28a279c7935d0bb871933ed8
# Parent e3086fd5e59335f4f3f165ee74c094a7aca2aeb3
SSL: let it build against LibreSSL.

LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
necessary, but support for the export cipher suites has been removed
from LibreSSL, so they clearly mark the unsupported feature.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r e3086fd5e593 -r c1abbfee85b3 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.c Mon Jul 28 12:27:57 2014 -0700
@@ -50,7 +50,7 @@ static int ngx_ssl_session_ticket_key_ca
HMAC_CTX *hctx, int enc);
#endif

-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
#endif
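Review bot: The guard on the `ngx_ssl_check_name()` prototype has to stay the exact complement of the guard that selects the `X509_check_host()` path in `ngx_ssl_check_host()`, and after this change that relationship is written out by hand in three places: this prototype, the `>= 0x10002002L && !defined LIBRESSL_VERSION_NUMBER` test, and the guard around the function definition. If one of them drifts the most likely result is a build failure, but because this selects the certificate name-checking code it is worth making it a single decision. I would define one macro under the combined condition, for example `#define NGX_SSL_HAVE_X509_CHECK_HOST 1` (name illustrative), and test it at all three sites. The other two hunks carrying this condition share the issue and are not commented separately.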

@@ -656,7 +656,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn
}


-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)

RSA *
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
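Review bot: The condition `(!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)` is now repeated verbatim in four places: around the definition of `ngx_ssl_rsa512_key_callback()`, around its prototype in ngx_event_openssl.h, and around both `SSL_CTX_set_tmp_rsa_callback()` call sites in the http and mail modules. Every further library that drops export cipher suites would need the same four edits, and missing one leaves a reference to an undeclared function. Consider a single feature macro defined once in ngx_event_openssl.h and tested in all four places. The body of the callback continues past the end of this hunk, so it is not reviewed here.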
@@ -2747,7 +2747,7 @@ ngx_ssl_check_host(ngx_connection_t *c,
return NGX_ERROR;
}

-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
+#if (OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined LIBRESSL_VERSION_NUMBER)

/* X509_check_host() is only available in OpenSSL 1.0.2+ */
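Review bot: The comment `/* X509_check_host() is only available in OpenSSL 1.0.2+ */` no longer describes the condition above it, which now also excludes LibreSSL whatever version number it reports. I would reword it along the lines of `/* X509_check_host() is only available in OpenSSL 1.0.2+, and not in LibreSSL */`. Keying on `LIBRESSL_VERSION_NUMBER` being defined also means that a LibreSSL release which later provides `X509_check_host()` would still get nginx's own `ngx_ssl_check_name()` matcher. Testing a macro that ships together with the API, such as `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT`, may age better, though that needs confirming against the headers of each supported library. The rest of `ngx_ssl_check_host()` lies outside the hunk.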

@@ -2864,7 +2864,7 @@ found:
}


-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if (OPENSSL_VERSION_NUMBER < 0x10002002L || defined LIBRESSL_VERSION_NUMBER)

static ngx_int_t
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
diff -r e3086fd5e593 -r c1abbfee85b3 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.h Mon Jul 28 12:27:57 2014 -0700
@@ -133,7 +133,7 @@ ngx_int_t ngx_ssl_stapling(ngx_conf_t *c
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length);
#endif
diff -r e3086fd5e593 -r c1abbfee85b3 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
@@ -715,7 +715,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif
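Review bot: The comment `/* a temporary 512-bit RSA key is required for export versions of MSIE */` explains why the callback is registered but not why it is skipped for two libraries. The commit message's reason would be useful next to the guard, e.g. `/* export cipher suites are not available in LibreSSL */`, and the matching hunk in ngx_mail_ssl_module.c has no comment at all and could carry the same one. Separately, a 512-bit RSA key is export-grade by design and builds against stock OpenSSL still register it here; removing that is outside the scope of a build fix but worth a follow-up. `ngx_http_ssl_merge_srv_conf()` starts and ends outside the hunk.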
diff -r e3086fd5e593 -r c1abbfee85b3 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
@@ -334,7 +334,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

-#ifndef OPENSSL_IS_BORINGSSL
+#if (!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
#endif


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel