author | Glenn Strauss <gstrauss@gluelogic.com> | 2016-05-07 12:41:05 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2016-05-07 12:50:41 -0400 |
commit | 1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1 (patch) | |
tree | f2909dafbfbf144494132e6c67a57fe1245be991 | |
parent | 873eaf3f4ad9b56150d2c370c4a3ab98e5b7ce90 (diff) | |
download | lighttpd-git-1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1.tar.gz |
build with libressl
libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0
(thx Christian Heckendorf)
libressl matches ERR_remove_thread_state() signature from openssl 1.0.2
(libressl pretends that libressl is openssl version 2.0.0,
but openssl 1.1.0 changes signature of ERR_remove_thread_state())
libressl does not yet provide compatibility interfaces for the new
prototypes introduced in openssl 1.1.0, including
DH_set0_pqg() and DH_set_length()
remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005)
(define USE_OPENSSL_KERBEROS if required)
(Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
-rw-r--r-- | README.FreeBSD | 3 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | src/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/SConscript | 2 | ||||
-rw-r--r-- | src/base.h | 6 | ||||
-rw-r--r-- | src/config.h.cmake | 1 | ||||
-rw-r--r-- | src/network.c | 7 | ||||
-rw-r--r-- | src/server.c | 3 |
8 files changed, 15 insertions, 12 deletions
diff --git a/README.FreeBSD b/README.FreeBSD index d7c34655..29da0a37 100644 --- a/README.FreeBSD +++ b/README.FreeBSD @@ -46,6 +46,3 @@ Configure: To help autotools find libraries and headers: CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure ... - -With ssl the compiler might warn about OPENSSL_NO_KRB5 redefinitions, just -configure "--with-kerberos5" for now. diff --git a/configure.ac b/configure.ac index b7a0a67a..6fe4b044 100644 --- a/configure.ac +++ b/configure.ac @@ -346,8 +346,8 @@ AC_ARG_WITH(kerberos5, ) if test "x$use_openssl" = "xyes"; then - if test "x$use_kerberos" != "xyes"; then - CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_KRB5" + if test "x$use_kerberos" = "xyes"; then + AC_DEFINE([USE_OPENSSL_KERBEROS], [1], [with kerberos]) fi AC_CHECK_HEADERS([openssl/ssl.h]) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 9094b0bc..502815e3 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -225,7 +225,6 @@ if(WITH_OPENSSL) if(HAVE_OPENSSL_SSL_H) check_library_exists(crypto BIO_f_base64 "" HAVE_LIBCRYPTO) if(HAVE_LIBCRYPTO) - set(OPENSSL_NO_KRB5 1) check_library_exists(ssl SSL_new "" HAVE_LIBSSL) endif() endif() diff --git a/src/SConscript b/src/SConscript index 524b090a..1decfda1 100644 --- a/src/SConscript +++ b/src/SConscript @@ -120,7 +120,7 @@ if env['with_memcached']: if env['with_lua']: modules['mod_magnet'] = { 'src' : [ 'mod_magnet.c', 'mod_magnet_cache.c' ], 'lib' : [ env['LIBLUA'] ] } -staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC', '-DOPENSSL_NO_KRB5']) +staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC' ]) ## all the core-sources + the modules staticsrc = src + common_src 
@@ -30,6 +30,12 @@ #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H # define USE_OPENSSL +# include <openssl/opensslconf.h> +# ifndef USE_OPENSSL_KERBEROS +# ifndef OPENSSL_NO_KRB5 +# define OPENSSL_NO_KRB5 +# endif +# endif # include <openssl/ssl.h> # if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME # define OPENSSL_NO_TLSEXT diff --git a/src/config.h.cmake b/src/config.h.cmake index 19c8843b..8b1f4636 100644 --- a/src/config.h.cmake +++ b/src/config.h.cmake @@ -40,7 +40,6 @@ /* OpenSSL */ #cmakedefine HAVE_OPENSSL_SSL_H #cmakedefine HAVE_LIBCRYPTO -#cmakedefine OPENSSL_NO_KRB5 #cmakedefine HAVE_LIBSSL /* BZip */ diff --git a/src/network.c b/src/network.c index 5b64cdc0..46b4be8e 100644 --- a/src/network.c +++ b/src/network.c @@ -780,7 +780,7 @@ int network_init(server *srv) { if (!s->ssl_use_sslv2) { /* disable SSLv2 */ - if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { + if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); return -1; @@ -789,7 +789,7 @@ int network_init(server *srv) { if (!s->ssl_use_sslv3) { /* disable SSLv3 */ - if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) { + if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL)); return -1; @@ -839,7 +839,8 @@ int network_init(server *srv) { log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed"); return -1; } - #if OPENSSL_VERSION_NUMBER < 0x10100000L + #if OPENSSL_VERSION_NUMBER < 0x10100000L \ + || defined(LIBRESSL_VERSION_NUMBER) dh->p = dh_p; dh->g = dh_g; dh->length = 160; diff --git a/src/server.c b/src/server.c index 1f3a57d4..aee01db8 100644 --- a/src/server.c +++ b/src/server.c 
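Review bot: The new guard in src/base.h has no comment saying why OPENSSL_NO_KRB5 is forced here or why `<openssl/opensslconf.h>` has to be included first. Judging from the README text this commit removes, the order appears to be there so that a library already configured without Kerberos does not cause a redefinition warning. I would add `/* define OPENSSL_NO_KRB5 before <openssl/ssl.h> unless USE_OPENSSL_KERBEROS is set; opensslconf.h may already define it */` above the `# ifndef USE_OPENSSL_KERBEROS` line. The guard only works if USE_OPENSSL_KERBEROS from the generated config header is visible before base.h is processed, which is worth stating in the same comment. The enclosing `#if defined HAVE_LIBSSL` block continues past the hunk.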
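Review bot: The rewritten check `(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(...)) != SSL_OP_NO_SSLv2` in network_init() is vacuously satisfied when the macro is 0, which the commit description says is the case with libressl; the same applies to the SSL_OP_NO_SSLv3 check in the next hunk. In such a build the "disable" branch neither sets an option nor verifies anything, so the code depends on the library itself no longer offering the protocol. That assumption should be recorded next to the check, e.g. `/* SSL_OP_NO_SSLv2 may be 0 where the library no longer implements SSLv2; the test then passes without setting an option */`. These hunks do not show what happens when ssl_use_sslv2 or ssl_use_sslv3 is enabled against such a library; a startup warning in that case would keep the configuration honest. network_init() starts and ends outside the hunk.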
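Review bot: The `|| defined(LIBRESSL_VERSION_NUMBER)` added to the DH guard in network_init() has no upper bound, so every later libressl release keeps writing `dh->p`, `dh->g` and `dh->length` directly; the `&& !defined(LIBRESSL_VERSION_NUMBER)` added in server_free() in src/server.c is unbounded in the same way. The commit description says libressl does not yet provide DH_set0_pqg() and DH_set_length(), so once it does, or once its DH struct becomes opaque, this branch would either bypass the accessors or stop compiling. I would bound the test, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < LIBRESSL_WITH_DH_ACCESSORS /* placeholder: first release providing DH_set0_pqg() */)`, and add a comment that libressl reports itself as openssl 2.0.0. The `#if` block continues outside the hunk.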
@@ -387,7 +387,8 @@ static void server_free(server *srv) {
 if (srv->ssl_is_init) {
 CRYPTO_cleanup_all_ex_data();
 ERR_free_strings();
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+ && !defined(LIBRESSL_VERSION_NUMBER)
 ERR_remove_thread_state();
 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
 ERR_remove_thread_state(NULL); |