a94bfd8012
- OPENSSL_VERSION_NUMBER patch needed for new use of SSL_CTX_set_num_tickets
$OpenBSD: patch-src_main_tls_c,v 1.7 2019/02/28 18:46:49 sthen Exp $
Index: src/main/tls.c
|
|
--- src/main/tls.c.orig
|
|
+++ src/main/tls.c
|
|
@@ -1579,7 +1579,8 @@ done:
|
|
return 0;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
|
|
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2080000fL)
|
|
static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy)
|
|
#else
|
|
static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy)
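Review bot: The added `#if` encodes the LibreSSL cut-over as the bare constant `0x2080000fL` with nothing saying what changed at that release, and the same constant is repeated by hand in the cbtls_verify hunk at -2129. A short comment beside the condition would spare the next maintainer a changelog hunt, e.g. `/* LibreSSL >= 2.8.0 uses the OpenSSL 1.1 const-qualified prototype */`, or better a single shared `#define` for the threshold so the two sites cannot drift apart. cbtls_get_session's body lies outside the hunk, so whether `data` is ever written through in the non-const branch cannot be checked here.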
|
|
@@ -2129,7 +2130,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
|
|
char cn_str[1024];
|
|
char buf[64];
|
|
X509 *client_cert;
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
|
+ (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2080000fL)
|
|
const STACK_OF(X509_EXTENSION) *ext_list;
|
|
#else
|
|
STACK_OF(X509_EXTENSION) *ext_list;
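Review bot: The added condition declares `ext_list` const only for `LIBRESSL_VERSION_NUMBER >= 0x2080000fL`, but the hunk at -2328 that assigns it from `X509_get0_extensions()` switches at `0x2070000fL`. For LibreSSL 2.7.x that leaves `ext_list` declared as the non-const `STACK_OF(X509_EXTENSION) *` while the 1.1-style call is taken; if LibreSSL 2.7's `X509_get0_extensions()` already returns a `const` pointer, as OpenSSL 1.1's does, the assignment discards a qualifier and will be diagnosed (fatal under -Werror). Either both sites should use the same constant, or the reason the two versions differ deserves a comment at the second site. cbtls_verify begins and ends outside this hunk.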
|
|
@@ -2328,7 +2330,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
|
|
}
|
|
|
|
if (lookup == 0) {
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
|
+ (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
|
|
ext_list = X509_get0_extensions(client_cert);
|
|
#else
|
|
X509_CINF *client_inf;
|
|
@@ -3167,7 +3170,7 @@ post_ca:
|
|
#ifdef SSL_OP_NO_TLSv1
|
|
if (conf->disable_tlsv1) {
|
|
ctx_options |= SSL_OP_NO_TLSv1;
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
|
|
WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1");
|
|
#endif
|
|
}
|
|
@@ -3177,7 +3180,7 @@ post_ca:
|
|
#ifdef SSL_OP_NO_TLSv1_1
|
|
if (conf->disable_tlsv1_1) {
|
|
ctx_options |= SSL_OP_NO_TLSv1_1;
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
|
|
WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_2");
|
|
#endif
|
|
}
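Review bot: The WARN() that the added `#if` now guards sits in the `disable_tlsv1_1` branch yet reads `instead of disable_tlsv1_2`, presumably copied from the branch below; an operator following it would be told to drop the wrong option. The message is a context line here, so the port patch leaves it untouched, but since this hunk already reaches into the branch it would be cheap to make it `WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_1");`. The enclosing function continues outside the hunk.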
|
|
@@ -3188,7 +3191,7 @@ post_ca:
|
|
|
|
if (conf->disable_tlsv1_2) {
|
|
ctx_options |= SSL_OP_NO_TLSv1_2;
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ok for libressl */
|
|
WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_2");
|
|
#endif
|
|
}
|
|
@@ -3379,14 +3382,14 @@ post_ca:
|
|
*/
|
|
SSL_CTX_sess_set_cache_size(ctx, conf->session_cache_size);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
SSL_CTX_set_num_tickets(ctx, 1);
|
|
#endif
|
|
|
|
} else {
|
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
/*
|
|
* This controls the number of stateful or stateless tickets
|
|
* generated with TLS 1.3. In OpenSSL 1.1.1 it's also
|