build with libressl

libressl defines SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 as 0x0
  (thx Christian Heckendorf)

libressl matches ERR_remove_thread_state() signature from openssl 1.0.2
  (libressl pretends that libressl is openssl version 2.0.0,
   but openssl 1.1.0 changes signature of ERR_remove_thread_state())

libressl does not yet provide compatibility interfaces for the new
  prototypes introduced in openssl 1.1.0, including
  DH_set0_pqg() and DH_set_length()

remove OPENSSL_NO_KRB5 from build config (added in 5fab991b in 2005)
  (define USE_OPENSSL_KERBEROS if required)
  (Note: OPENSSL_NO_KRB5 removed in openssl 1.1.0)

README.FreeBSD

@@ -46,6 +46,3 @@ Configure:
 
 To help autotools find libraries and headers:
 CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure ...
-
-With ssl the compiler might warn about OPENSSL_NO_KRB5 redefinitions, just
-configure "--with-kerberos5" for now.

configure.ac

@@ -346,8 +346,8 @@ AC_ARG_WITH(kerberos5,
 )
 
 if test "x$use_openssl" = "xyes"; then
-    if test "x$use_kerberos" != "xyes"; then
-        CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_KRB5"
+    if test "x$use_kerberos" = "xyes"; then
+        AC_DEFINE([USE_OPENSSL_KERBEROS], [1], [with kerberos])
     fi
 
     AC_CHECK_HEADERS([openssl/ssl.h])

src/CMakeLists.txt

@@ -225,7 +225,6 @@ if(WITH_OPENSSL)
 	if(HAVE_OPENSSL_SSL_H)
 		check_library_exists(crypto BIO_f_base64 "" HAVE_LIBCRYPTO)
 		if(HAVE_LIBCRYPTO)
-			set(OPENSSL_NO_KRB5 1)
 			check_library_exists(ssl SSL_new "" HAVE_LIBSSL)
 		endif()
 	endif()

src/SConscript

@@ -120,7 +120,7 @@ if env['with_memcached']:
 if env['with_lua']:
 	modules['mod_magnet'] = { 'src' : [ 'mod_magnet.c', 'mod_magnet_cache.c' ], 'lib' : [ env['LIBLUA'] ] }
 
-staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC', '-DOPENSSL_NO_KRB5'])
+staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC' ])
 
 ## all the core-sources + the modules
 staticsrc = src + common_src

src/base.h

@@ -30,6 +30,12 @@
 
 #if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
 # define USE_OPENSSL
+# include <openssl/opensslconf.h>
+#  ifndef USE_OPENSSL_KERBEROS
+#   ifndef OPENSSL_NO_KRB5
+#   define OPENSSL_NO_KRB5
+#   endif
+#  endif
 # include <openssl/ssl.h>
 # if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
 #  define OPENSSL_NO_TLSEXT

src/config.h.cmake

@@ -40,7 +40,6 @@
 /* OpenSSL */
 #cmakedefine  HAVE_OPENSSL_SSL_H
 #cmakedefine  HAVE_LIBCRYPTO
-#cmakedefine  OPENSSL_NO_KRB5
 #cmakedefine  HAVE_LIBSSL
 
 /* BZip */

src/network.c

@@ -780,7 +780,7 @@ int network_init(server *srv) {
 
 		if (!s->ssl_use_sslv2) {
 			/* disable SSLv2 */
-			if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+			if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) {
 				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 						ERR_error_string(ERR_get_error(), NULL));
 				return -1;
@@ -789,7 +789,7 @@ int network_init(server *srv) {
 
 		if (!s->ssl_use_sslv3) {
 			/* disable SSLv3 */
-			if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
+			if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) {
 				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 						ERR_error_string(ERR_get_error(), NULL));
 				return -1;
@@ -839,7 +839,8 @@ int network_init(server *srv) {
 				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
 				return -1;
 			}
-		      #if OPENSSL_VERSION_NUMBER < 0x10100000L
+		      #if OPENSSL_VERSION_NUMBER < 0x10100000L \
+			|| defined(LIBRESSL_VERSION_NUMBER)
 			dh->p = dh_p;
 			dh->g = dh_g;
 			dh->length = 160;

src/server.c

@@ -387,7 +387,8 @@ static void server_free(server *srv) {
 	if (srv->ssl_is_init) {
 		CRYPTO_cleanup_all_ex_data();
 		ERR_free_strings();
-	      #if   OPENSSL_VERSION_NUMBER >= 0x10100000L
+	      #if   OPENSSL_VERSION_NUMBER >= 0x10100000L \
+		&& !defined(LIBRESSL_VERSION_NUMBER)
 		ERR_remove_thread_state();
 	      #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
 		ERR_remove_thread_state(NULL);