cc'ing ports to avoid everyone running bulks reporting the same stuff :)

ruby/2.[45] now fail with the recent additions. they have everything
hidden behind a single HAVE_OPAQUE_OPENSSL ifdef. there's a check based
on structure members, but if we change to checking one of the new
functions instead we can get the flag enabled more easily:

Index: patches/patch-ext_openssl_extconf_rb
===================================================================
RCS file: patches/patch-ext_openssl_extconf_rb
diff -N patches/patch-ext_openssl_extconf_rb
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-ext_openssl_extconf_rb        18 Feb 2018 14:29:32 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: ext/openssl/extconf.rb
+--- ext/openssl/extconf.rb.orig
++++ ext/openssl/extconf.rb
+@@ -158,7 +158,7 @@ have_func("SSL_is_server")
+ 
+ # added in 1.1.0
+ have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
+-have_struct_member("SSL", "ctx", "openssl/ssl.h") || 
$defs.push("-DHAVE_OPAQUE_OPENSSL")
++have_func("RSA_set0_key") && $defs.push("-DHAVE_OPAQUE_OPENSSL")
+ have_func("BN_GENCB_new")
+ have_func("BN_GENCB_free")
+ have_func("BN_GENCB_get_arg")
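Review bot: The new `have_func("RSA_set0_key") && $defs.push("-DHAVE_OPAQUE_OPENSSL")` line keys the whole opaque-struct code path on a single function. Any library that provides RSA_set0_key but not every other accessor behind that ifdef will break the build instead of falling back to the old struct access. The patch file also has no explanatory comment under `$OpenBSD$`. A one-line note there saying that the define is now probed via RSA_set0_key rather than the `SSL.ctx` struct member, and why, would make it easier to drop or adjust the patch later. Note also the inverted operator (`||` on a missing member became `&&` on a present function), which is correct for the new probe but easy to misread when updating the patch.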

(patch is for 2.4 but close enough to work with 2.5 as well).

Building with this shows that 2.4 wants the following:

DH_set0_key
DH_get0_engine
DSA_set0_key
EVP_PKEY_get0_EC_KEY
EVP_PKEY_get0_EC_KEY
X509_CRL_get0_lastUpdate
X509_CRL_get0_nextUpdate

2.5 wants the above plus

X509_set1_notBefore
X509_set1_notAfter
X509_CRL_set1_lastUpdate
X509_CRL_set1_nextUpdate

Some of these are already on the radar but probably not all of them
yet.

There are some other LIBRESSL_VERSION_NUMBER checks that should be
removed or changed to a specific version, at least TLS_method in
ext/openssl/ossl_ssl.c and alt chains in ext/openssl/ossl_ocsp.c
aren't needed for recent libressl.