| # based on upstream commit from: |
| # https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc |
| # this should be included in the next release (2.4.34?) |
| |
| diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c |
| index 66682eaf4d..8f0def2805 100644 |
| --- a/modules/md/md_crypt.c |
| +++ b/modules/md/md_crypt.c |
| @@ -190,7 +190,7 @@ static int pem_passwd(char *buf, int size, int rwflag, void *baton) |
| */ |
| static apr_time_t md_asn1_time_get(const ASN1_TIME* time) |
| { |
| -#ifdef LIBRESSL_VERSION_NUMBER |
| +#ifdef LIBRESSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
| /* courtesy: https://stackoverflow.com/questions/10975542/asn1-time-to-time-t-conversion#11263731 |
| * all bugs are mine */ |
| apr_time_exp_t t; |
| @@ -471,7 +471,7 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec) |
| } |
| } |
| |
| -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f) |
| |
| #ifndef NID_tlsfeature |
| #define NID_tlsfeature 1020 |
| diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c |
| index 48d64cb624..2392019aed 100644 |
| --- a/modules/ssl/mod_ssl.c |
| +++ b/modules/ssl/mod_ssl.c |
| @@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, |
| /* We must register the library in full, to ensure our configuration |
| * code can successfully test the SSL environment. |
| */ |
| -#if MODSSL_USE_OPENSSL_PRE_1_1_API |
| +#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER) |
| (void)CRYPTO_malloc_init(); |
| #else |
| OPENSSL_malloc_init(); |
| diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
| index a3a74f474c..88c0939cab 100644 |
| --- a/modules/ssl/ssl_engine_init.c |
| +++ b/modules/ssl/ssl_engine_init.c |
| @@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
| char *cp; |
| int protocol = mctx->protocol; |
| SSLSrvConfigRec *sc = mySrvConfig(s); |
| -#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| +#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ |
| + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L) |
| int prot; |
| #endif |
| |
| @@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
| |
| SSL_CTX_set_options(ctx, SSL_OP_ALL); |
| |
| -#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ |
| + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L) |
| /* always disable SSLv2, as per RFC 6176 */ |
| SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); |
| |
| diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h |
| index a39569cbf7..e0e1b37087 100644 |
| --- a/modules/ssl/ssl_private.h |
| +++ b/modules/ssl/ssl_private.h |
| @@ -132,13 +132,14 @@ |
| SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) |
| #define SSL_CTX_set_max_proto_version(ctx, version) \ |
| SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) |
| -#endif |
| -/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most |
| - * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so |
| - * we have to work around this... |
| +#elif LIBRESSL_VERSION_NUMBER < 0x2070000f |
| +/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not |
| + * include most changes from OpenSSL >= 1.1 (new functions, macros, |
| + * deprecations, ...), so we have to work around this... |
| */ |
| #define MODSSL_USE_OPENSSL_PRE_1_1_API (1) |
| -#else |
| +#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ |
| +#else /* defined(LIBRESSL_VERSION_NUMBER) */ |
| #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) |
| #endif |
| |
| @@ -238,7 +239,8 @@ void init_bio_methods(void); |
| void free_bio_methods(void); |
| #endif |
| |
| -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
| +#if OPENSSL_VERSION_NUMBER < 0x10002000L || \ |
| + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f) |
| #define X509_STORE_CTX_get0_store(x) (x->ctx) |
| #endif |
| |