From 1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sat, 7 May 2016 12:41:05 -0400
Subject: build with libressl

libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0 (thx Christian Heckendorf)

libressl matches ERR_remove_thread_state() signature from openssl 1.0.2 (libressl pretends that libressl is openssl version 2.0.0, but openssl 1.1.0 changes signature of ERR_remove_thread_state())

libressl does not yet provide compatibility interfaces for the new prototypes introduced in openssl 1.1.0, including DH_set0_pqg() and DH_set_length()

remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005) (define USE_OPENSSL_KERBEROS if required) (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)
---
 README.FreeBSD | 3 ---
 configure.ac | 4 ++--
 src/CMakeLists.txt | 1 -
 src/SConscript | 2 +-
 src/base.h | 6 ++++++
 src/config.h.cmake | 1 -
 src/network.c | 7 ++++---
 src/server.c | 3 ++-
 8 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/README.FreeBSD b/README.FreeBSD
index d7c34655..29da0a37 100644
--- a/README.FreeBSD
+++ b/README.FreeBSD
@@ -46,6 +46,3 @@ Configure:
 To help autotools find libraries and headers:
 CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure ...
-
-With ssl the compiler might warn about OPENSSL_NO_KRB5 redefinitions, just
-configure "--with-kerberos5" for now.
diff --git a/configure.ac b/configure.ac
index b7a0a67a..6fe4b044 100644
--- a/configure.ac
+++ b/configure.ac
@@ -346,8 +346,8 @@ AC_ARG_WITH(kerberos5,
 )
 if test "x$use_openssl" = "xyes"; then
-if test "x$use_kerberos" != "xyes"; then
-CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_KRB5"
+if test "x$use_kerberos" = "xyes"; then
+AC_DEFINE([USE_OPENSSL_KERBEROS], [1], [with kerberos])
 fi
 AC_CHECK_HEADERS([openssl/ssl.h])
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9094b0bc..502815e3 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
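Review bot: The autotools path now defines USE_OPENSSL_KERBEROS through AC_DEFINE when --with-kerberos5 is given, but the CMake and SCons hunks only drop the old OPENSSL_NO_KRB5 definition and add no counterpart: src/config.h.cmake loses `#cmakedefine OPENSSL_NO_KRB5` without gaining `#cmakedefine USE_OPENSSL_KERBEROS`, and the staticenv CPPFLAGS in src/SConscript gain nothing either. Since src/base.h defines OPENSSL_NO_KRB5 whenever USE_OPENSSL_KERBEROS is unset, those two builds can presumably never select the OpenSSL Kerberos path after this change. If that is intended, a comment next to the AC_DEFINE such as `dnl USE_OPENSSL_KERBEROS is wired up for autotools only; CMake/SCons builds always get OPENSSL_NO_KRB5 (see src/base.h)` would record it; otherwise the CMake/SCons equivalents belong in this commit. The enclosing `if test "x$use_openssl" = "xyes"` block is not closed within the hunk.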
@@ -225,7 +225,6 @@ if(WITH_OPENSSL)
 if(HAVE_OPENSSL_SSL_H)
 check_library_exists(crypto BIO_f_base64 "" HAVE_LIBCRYPTO)
 if(HAVE_LIBCRYPTO)
-set(OPENSSL_NO_KRB5 1)
 check_library_exists(ssl SSL_new "" HAVE_LIBSSL)
 endif()
 endif()
diff --git a/src/SConscript b/src/SConscript
index 524b090a..1decfda1 100644
--- a/src/SConscript
+++ b/src/SConscript
@@ -120,7 +120,7 @@ if env['with_memcached']:
 if env['with_lua']:
 modules['mod_magnet'] = { 'src' : [ 'mod_magnet.c', 'mod_magnet_cache.c' ], 'lib' : [ env['LIBLUA'] ] }
-staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC', '-DOPENSSL_NO_KRB5'])
+staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC' ])
 ## all the core-sources + the modules
 staticsrc = src + common_src
diff --git a/src/base.h b/src/base.h
index 1111d769..f02b56a5 100644
--- a/src/base.h
+++ b/src/base.h
@@ -30,6 +30,12 @@
 #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
 # define USE_OPENSSL
+# include
+# ifndef USE_OPENSSL_KERBEROS
+# ifndef OPENSSL_NO_KRB5
+# define OPENSSL_NO_KRB5
+# endif
+# endif
 # include
 # if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
 # define OPENSSL_NO_TLSEXT
diff --git a/src/config.h.cmake b/src/config.h.cmake
index 19c8843b..8b1f4636 100644
--- a/src/config.h.cmake
+++ b/src/config.h.cmake
@@ -40,7 +40,6 @@
 /* OpenSSL */
 #cmakedefine HAVE_OPENSSL_SSL_H
 #cmakedefine HAVE_LIBCRYPTO
-#cmakedefine OPENSSL_NO_KRB5
 #cmakedefine HAVE_LIBSSL
 /* BZip */
diff --git a/src/network.c b/src/network.c
index 5b64cdc0..46b4be8e 100644
--- a/src/network.c
+++ b/src/network.c
@@ -780,7 +780,7 @@ int network_init(server *srv) {
 if (!s->ssl_use_sslv2) {
 /* disable SSLv2 */
-if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) {
 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL));
 return -1;
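Review bot: The new guard block in src/base.h carries no comment saying why OPENSSL_NO_KRB5 is now defined in a header instead of by the build system, so the reasoning that is spread across the commit message and the removed README text (redefinition warnings, and OpenSSL 1.1.0 no longer knowing the macro) is lost to a reader of the header. A comment above `# ifndef USE_OPENSSL_KERBEROS` along the lines of `/* build without OpenSSL Kerberos support unless requested at configure time; the inner #ifndef avoids a redefinition warning where the OpenSSL config header already defines it, and OpenSSL >= 1.1.0 ignores the macro */` would keep that knowledge next to the code. The target of the first added `# include` appears to have been stripped from this copy of the patch, so that line cannot be judged as shown; presumably it is the OpenSSL configuration header that has to be read before OPENSSL_NO_KRB5 is defined. The enclosing `#if defined HAVE_LIBSSL` block is not closed within the hunk.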
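Review bot: The rewritten comparison `!= SSL_OP_NO_SSLv2` is correct only because of a property the code does not state: per the commit message the macro expands to 0x0 under libressl, so the old `!(0 & ...)` test was always true and network_init() failed at startup, whereas the new form turns the branch into a no-op. That reasoning lives only in the commit message; a comment on the changed line, e.g. `/* compare against the option bit itself: SSL_OP_NO_SSLv2 is 0x0 where SSLv2 is compiled out (libressl), and the former !(...) test then always failed */`, would protect the next reader from "simplifying" it back. The same applies to the SSLv3 hunk at -789 in this file. Note also that when the macro is 0x0 the `ssl_use_sslv2` setting is silently ignored, which is the safe direction but worth stating in the option's documentation. network_init() begins and ends outside this hunk.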
@@ -789,7 +789,7 @@ int network_init(server *srv) {
 if (!s->ssl_use_sslv3) {
 /* disable SSLv3 */
-if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
+if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) {
 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", ERR_error_string(ERR_get_error(), NULL));
 return -1;
@@ -839,7 +839,8 @@ int network_init(server *srv) {
 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
 return -1;
 }
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L \
+ || defined(LIBRESSL_VERSION_NUMBER)
 dh->p = dh_p;
 dh->g = dh_g;
 dh->length = 160;
diff --git a/src/server.c b/src/server.c
index 1f3a57d4..aee01db8 100644
--- a/src/server.c
+++ b/src/server.c
@@ -387,7 +387,8 @@ static void server_free(server *srv) {
 if (srv->ssl_is_init) {
 CRYPTO_cleanup_all_ex_data();
 ERR_free_strings();
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+ && !defined(LIBRESSL_VERSION_NUMBER)
 ERR_remove_thread_state();
 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
 ERR_remove_thread_state(NULL);
-- 
cgit v1.2.1
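Review bot: The `|| defined(LIBRESSL_VERSION_NUMBER)` clause added to the preprocessor condition here and its mirror `&& !defined(LIBRESSL_VERSION_NUMBER)` in src/server.c encode the same fact — the OpenSSL 1.1.0 accessor API is not available — in two places and in opposite polarities, which is easy to get out of sync once a libressl release does provide DH_set0_pqg()/DH_set_length() (the commit message says it does not "yet"). Defining one feature macro once in src/base.h next to the new OPENSSL_NO_KRB5 block, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` guarding a single `# define` (name of your choosing), and testing that macro in both .c files would leave exactly one place to adjust. The direct struct writes that follow (`dh->p`, `dh->g`, `dh->length`) are now reached on libressl, and a short comment such as `/* libressl lacks DH_set0_pqg()/DH_set_length() despite reporting an OpenSSL 2.0.0 version number */` would record why. The enclosing function network_init() and the #else branch of this conditional lie outside the hunk.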