mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitely but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends is LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833598 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
index fac6239cab2e2b88eb86b45cf5861e2de1d73a94..7e3e2e27e16111bd9e41de3de25944dd685bec37 100644 (file)
--- a/modules/md/md_crypt.c
+++ b/modules/md/md_crypt.c
@@ -471,7 +471,8 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec)
     }
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || (defined(LIBRESSL_VERSION_NUMBER) && \
+                                       LIBRESSL_VERSION_NUMBER < 0x2070000f)
 
 #ifndef NID_tlsfeature
 #define NID_tlsfeature          1020

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 496eb19cf17b62b8ee3db6662ce5920bc3c99406..8f34ffdacd71b8ef3b9f8d83f480065544c2783d 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -442,10 +442,13 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
         /* We must register the library in full, to ensure our configuration
          * code can successfully test the SSL environment.
          */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+/* Both undefined (or no-op) with LibreSSL */
+#if !defined(LIBRESSL_VERSION_NUMBER)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         CRYPTO_malloc_init();
 #else
         OPENSSL_malloc_init();
+#endif
 #endif
         ERR_load_crypto_strings();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index e63d42c35090f4e8acf96e0ff66fd3778d0e2edf..c8a3365e0c0905c56e006efe0f52487992327ddb 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -51,7 +51,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
 #define KEYTYPES "RSA or DSA"
 #endif
 
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || \
+                                       LIBRESSL_VERSION_NUMBER < 0x2070000f)
 /* OpenSSL Pre-1.1.0 compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
@@ -543,8 +544,7 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /*
  * Enable/disable SSLProtocol. If the mod_ssl enables protocol
  * which is disabled by default by OpenSSL, show a warning.
@@ -582,8 +582,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     char *cp;
     int protocol = mctx->protocol;
     SSLSrvConfigRec *sc = mySrvConfig(s);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L  && \
-       (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     int prot;
 #endif
 
@@ -663,8 +662,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
     SSL_CTX_set_options(ctx, SSL_OP_ALL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L  || \
-       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 
@@ -685,7 +683,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
                                 protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
 #endif
-#endif
+#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */
 
 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
     /* We first determine the maximum protocol version we should provide */

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index e1c871da4f5093e025cc528f0466c54391ffb58e..1f629a46e355b92dd15e46ba56c40c9b87903204 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -132,13 +132,12 @@
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
 #define SSL_CTX_set_max_proto_version(ctx, version) \
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
  * include most changes from OpenSSL >= 1.1 (new functions, macros, 
  * deprecations, ...), so we have to work around this...
  */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2080000f)
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif