Support min/max version in LibreSSL

Their implementations of the accessors don't behave expected with no
bounds, so we ignore those bits of the tests.

6 files changed, 97 insertions, 48 deletions

diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml
index 1153dd5a..3b76c416 100644
--- a/openssl-sys/Cargo.toml
+++ b/openssl-sys/Cargo.toml
@@ -9,6 +9,7 @@ repository = "https://github.com/sfackler/rust-openssl"
 readme = "README.md"
 categories = ["cryptography", "external-ffi-bindings"]
 links = "openssl"
+build = "build/main.rs"
 
 [dependencies]
 libc = "0.2"
diff --git a/openssl-sys/build/cfgs.rs b/openssl-sys/build/cfgs.rs
new file mode 100644
index 00000000..3e063aa3
--- /dev/null
+++ b/openssl-sys/build/cfgs.rs
@@ -0,0 +1,45 @@
+pub fn get(openssl_version: Option<u64>, libressl_version: Option<u64>) -> Vec<&'static str> {
+    let mut cfgs = vec![];
+
+    if let Some(libressl_version) = libressl_version {
+        cfgs.push("libressl");
+
+        if libressl_version >= 0x2_05_01_00_0 {
+            cfgs.push("libressl251");
+        }
+
+        if libressl_version >= 0x2_06_01_00_0 {
+            cfgs.push("libressl261");
+        }
+
+        if libressl_version >= 0x2_07_00_00_0 {
+            cfgs.push("libressl270");
+        }
+    } else {
+        let openssl_version = openssl_version.unwrap();
+
+        if openssl_version >= 0x1_00_02_08_0 {
+            cfgs.push("ossl102h");
+        }
+
+        if openssl_version >= 0x1_01_00_07_0 {
+            cfgs.push("ossl110g");
+        }
+
+        if openssl_version >= 0x1_01_01_00_0 {
+            cfgs.push("ossl111");
+            cfgs.push("ossl110");
+        } else if openssl_version >= 0x1_01_00_06_0 {
+            cfgs.push("ossl110");
+            cfgs.push("ossl110f");
+        } else if openssl_version >= 0x1_01_00_00_0 {
+            cfgs.push("ossl110");
+        } else if openssl_version >= 0x1_00_02_00_0 {
+            cfgs.push("ossl102");
+        } else if openssl_version >= 0x1_00_01_00_0 {
+            cfgs.push("ossl101");
+        }
+    }
+
+    cfgs
+}
diff --git a/openssl-sys/build.rs b/openssl-sys/build/main.rs
index c5630556..e2b3108c 100644
--- a/openssl-sys/build.rs
+++ b/openssl-sys/build/main.rs
@@ -11,6 +11,8 @@ use std::io::{BufWriter, Write};
 use std::path::{Path, PathBuf};
 use std::process::Command;
 
+mod cfgs;
+
 // The set of `OPENSSL_NO_<FOO>`s that we care about.
 const DEFINES: &'static [&'static str] = &[
     "OPENSSL_NO_BUF_FREELISTS",
@@ -114,7 +116,7 @@ fn find_openssl_dir(target: &str) -> OsString {
         if homebrew.exists() {
             return homebrew.to_path_buf().into();
         }
-        // Calling `brew --prefix <package>` command usually slow and 
+        // Calling `brew --prefix <package>` command usually slow and
         // takes seconds, and will be used only as a last resort.
         let output = execute_command_and_get_output("brew", &["--prefix", "[email protected]"]);
         if let Some(ref output) = output {
@@ -427,6 +429,10 @@ See rust-openssl README for more information:
     }
     println!("cargo:conf={}", enabled.join(","));
 
+    for cfg in cfgs::get(openssl_version, libressl_version) {
+        println!("cargo:rustc-cfg={}", cfg);
+    }
+
     if let Some(libressl_version) = libressl_version {
         println!("cargo:libressl_version_number={:x}", libressl_version);
 
@@ -445,8 +451,6 @@ See rust-openssl README for more information:
             _ => version_error(),
         };
 
-        println!("cargo:rustc-cfg=libressl");
-        println!("cargo:rustc-cfg=libressl2{}{}", minor, fix);
         println!("cargo:libressl=true");
         println!("cargo:libressl_version=2{}{}", minor, fix);
         println!("cargo:version=101");
@@ -455,37 +459,22 @@ See rust-openssl README for more information:
         let openssl_version = openssl_version.unwrap();
         println!("cargo:version_number={:x}", openssl_version);
 
-        if openssl_version >= 0x1_00_02_08_0 {
-            println!("cargo:rustc-cfg=ossl102h");
-        }
-
-        if openssl_version >= 0x1_01_00_07_0 {
-            println!("cargo:rustc-cfg=ossl110g");
-        }
-
         if openssl_version >= 0x1_01_02_00_0 {
             version_error()
         } else if openssl_version >= 0x1_01_01_00_0 {
-            println!("cargo:rustc-cfg=ossl111");
-            println!("cargo:rustc-cfg=ossl110");
             println!("cargo:version=111");
             Version::Openssl11x
         } else if openssl_version >= 0x1_01_00_06_0 {
-            println!("cargo:rustc-cfg=ossl110");
-            println!("cargo:rustc-cfg=ossl110f");
             println!("cargo:version=110");
             println!("cargo:patch=f");
             Version::Openssl11x
         } else if openssl_version >= 0x1_01_00_00_0 {
-            println!("cargo:rustc-cfg=ossl110");
             println!("cargo:version=110");
             Version::Openssl11x
         } else if openssl_version >= 0x1_00_02_00_0 {
-            println!("cargo:rustc-cfg=ossl102");
             println!("cargo:version=102");
             Version::Openssl10x
         } else if openssl_version >= 0x1_00_01_00_0 {
-            println!("cargo:rustc-cfg=ossl101");
             println!("cargo:version=101");
             Version::Openssl10x
         } else {
@@ -542,10 +531,12 @@ fn determine_mode(libdir: &Path, libs: &[&str]) -> &'static str {
         .map(|e| e.file_name())
         .filter_map(|e| e.into_string().ok())
         .collect::<HashSet<_>>();
-    let can_static = libs.iter()
+    let can_static = libs
+        .iter()
         .all(|l| files.contains(&format!("lib{}.a", l)) || files.contains(&format!("{}.lib", l)));
     let can_dylib = libs.iter().all(|l| {
-        files.contains(&format!("lib{}.so", l)) || files.contains(&format!("{}.dll", l))
+        files.contains(&format!("lib{}.so", l))
+            || files.contains(&format!("{}.dll", l))
             || files.contains(&format!("lib{}.dylib", l))
     });
     match (can_static, can_dylib) {
@@ -567,8 +558,6 @@ fn determine_mode(libdir: &Path, libs: &[&str]) -> &'static str {
     "dylib"
 }
 
-
-
 fn execute_command_and_get_output(cmd: &str, args: &[&str]) -> Option<String> {
     let out = Command::new(cmd).args(args).output();
     if let Ok(ref r1) = out {
@@ -576,9 +565,8 @@ fn execute_command_and_get_output(cmd: &str, args: &[&str]) -> Option<String> {
             let r2 = String::from_utf8(r1.stdout.clone());
             if let Ok(r3) = r2 {
                 return Some(r3.trim().to_string());
-            } 
+            }
         }
     }
     return None;
 }
-
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 61e087d0..e78c24f4 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -236,8 +236,10 @@ pub const EVP_PKEY_OP_VERIFYCTX: c_int = 1 << 7;
 pub const EVP_PKEY_OP_ENCRYPT: c_int = 1 << 8;
 pub const EVP_PKEY_OP_DECRYPT: c_int = 1 << 9;
 
-pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY
-    | EVP_PKEY_OP_VERIFYRECOVER | EVP_PKEY_OP_SIGNCTX
+pub const EVP_PKEY_OP_TYPE_SIG: c_int = EVP_PKEY_OP_SIGN
+    | EVP_PKEY_OP_VERIFY
+    | EVP_PKEY_OP_VERIFYRECOVER
+    | EVP_PKEY_OP_SIGNCTX
     | EVP_PKEY_OP_VERIFYCTX;
 
 pub const EVP_PKEY_OP_TYPE_CRYPT: c_int = EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT;
@@ -1259,21 +1261,23 @@ pub const SSL_VERIFY_NONE: c_int = 0;
 pub const SSL_VERIFY_PEER: c_int = 1;
 pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2;
 
-#[cfg(not(any(libressl261, libressl262, libressl26x, libressl27x, ossl101)))]
+#[cfg(not(any(libressl261, ossl101)))]
 pub const SSL_OP_TLSEXT_PADDING: c_ulong = 0x00000010;
-#[cfg(any(libressl261, libressl262, libressl26x, libressl27x))]
+#[cfg(libressl261)]
 pub const SSL_OP_TLSEXT_PADDING: c_ulong = 0x0;
 pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: c_ulong = 0x00000800;
-#[cfg(not(any(libressl261, libressl262, libressl26x, libressl27x)))]
+#[cfg(not(libressl261))]
 pub const SSL_OP_CRYPTOPRO_TLSEXT_BUG: c_ulong = 0x80000000;
-#[cfg(any(libressl261, libressl262, libressl26x, libressl27x))]
+#[cfg(libressl261)]
 pub const SSL_OP_CRYPTOPRO_TLSEXT_BUG: c_ulong = 0x0;
 pub const SSL_OP_LEGACY_SERVER_CONNECT: c_ulong = 0x00000004;
 #[cfg(not(any(libressl, ossl110f, ossl111)))]
 pub const SSL_OP_ALL: c_ulong = 0x80000BFF;
 #[cfg(any(ossl110f, ossl111))]
-pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-    | SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_TLSEXT_PADDING
+pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG
+    | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+    | SSL_OP_LEGACY_SERVER_CONNECT
+    | SSL_OP_TLSEXT_PADDING
     | SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
 pub const SSL_OP_NO_QUERY_MTU: c_ulong = 0x00001000;
 pub const SSL_OP_COOKIE_EXCHANGE: c_ulong = 0x00002000;
@@ -1289,8 +1293,11 @@ pub const SSL_OP_NO_TLSv1_2: c_ulong = 0x08000000;
 pub const SSL_OP_NO_SSL_MASK: c_ulong =
     SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 #[cfg(ossl111)]
-pub const SSL_OP_NO_SSL_MASK: c_ulong = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1
-    | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
+pub const SSL_OP_NO_SSL_MASK: c_ulong = SSL_OP_NO_SSLv2
+    | SSL_OP_NO_SSLv3
+    | SSL_OP_NO_TLSv1
+    | SSL_OP_NO_TLSv1_1
+    | SSL_OP_NO_TLSv1_2
     | SSL_OP_NO_TLSv1_3;
 
 pub const SSL_FILETYPE_PEM: c_int = X509_FILETYPE_PEM;
diff --git a/openssl-sys/src/libressl/mod.rs b/openssl-sys/src/libressl/mod.rs
index 366d9502..5ae205bc 100644
--- a/openssl-sys/src/libressl/mod.rs
+++ b/openssl-sys/src/libressl/mod.rs
@@ -1,19 +1,18 @@
+use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t};
 use std::mem;
 use std::ptr;
 use std::sync::{Mutex, MutexGuard};
 use std::sync::{Once, ONCE_INIT};
 
-#[cfg(libressl250)]
+#[cfg(not(libressl251))]
 pub use libressl::v250::*;
-#[cfg(not(libressl250))]
-pub use libressl::v25x::*;
-
-use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t};
+#[cfg(libressl251)]
+pub use libressl::v251::*;
 
-#[cfg(libressl250)]
+#[cfg(not(libressl251))]
 mod v250;
-#[cfg(not(libressl250))]
-mod v25x;
+#[cfg(libressl251)]
+mod v251;
 
 #[repr(C)]
 pub struct stack_st_ASN1_OBJECT {
@@ -337,9 +336,9 @@ pub const SSL_CTRL_OPTIONS: c_int = 32;
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
 pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94;
 
-#[cfg(any(libressl261, libressl262, libressl26x, libressl27x))]
+#[cfg(libressl261)]
 pub const SSL_OP_ALL: c_ulong = 0x4;
-#[cfg(not(any(libressl261, libressl262, libressl26x, libressl27x)))]
+#[cfg(not(libressl261))]
 pub const SSL_OP_ALL: c_ulong = 0x80000014;
 pub const SSL_OP_CISCO_ANYCONNECT: c_ulong = 0x0;
 pub const SSL_OP_NO_COMPRESSION: c_ulong = 0x0;
@@ -352,9 +351,9 @@ pub const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER: c_ulong = 0x0;
 pub const SSL_OP_SSLEAY_080_CLIENT_DH_BUG: c_ulong = 0x0;
 pub const SSL_OP_TLS_D5_BUG: c_ulong = 0x0;
 pub const SSL_OP_TLS_BLOCK_PADDING_BUG: c_ulong = 0x0;
-#[cfg(any(libressl261, libressl262, libressl26x, libressl27x))]
+#[cfg(libressl261)]
 pub const SSL_OP_SINGLE_ECDH_USE: c_ulong = 0x0;
-#[cfg(not(any(libressl261, libressl262, libressl26x, libressl27x)))]
+#[cfg(not(libressl261))]
 pub const SSL_OP_SINGLE_ECDH_USE: c_ulong = 0x00080000;
 pub const SSL_OP_SINGLE_DH_USE: c_ulong = 0x00100000;
 pub const SSL_OP_NO_SSLv2: c_ulong = 0x0;
@@ -540,6 +539,15 @@ extern "C" {
             unsafe extern "C" fn(*mut ::SSL, *mut c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION,
         >,
     );
+    #[cfg(libressl261)]
+    pub fn SSL_CTX_set_min_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int;
+    #[cfg(libressl261)]
+    pub fn SSL_CTX_set_max_proto_version(ctx: *mut ::SSL_CTX, version: u16) -> c_int;
+    #[cfg(libressl270)]
+    pub fn SSL_CTX_get_min_proto_version(ctx: *mut ::SSL_CTX) -> c_int;
+    #[cfg(libressl270)]
+    pub fn SSL_CTX_get_max_proto_version(ctx: *mut ::SSL_CTX) -> c_int;
+
     pub fn X509_get_subject_name(x: *mut ::X509) -> *mut ::X509_NAME;
     pub fn X509_get_issuer_name(x: *mut ::X509) -> *mut ::X509_NAME;
     pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;
diff --git a/openssl-sys/src/libressl/v25x.rs b/openssl-sys/src/libressl/v251.rs
index 7e7023ec..541b61db 100644
--- a/openssl-sys/src/libressl/v25x.rs
+++ b/openssl-sys/src/libressl/v251.rs
@@ -1,4 +1,4 @@
-use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong, time_t};
+use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t, time_t};
 
 use super::*;
 
@@ -84,6 +84,6 @@ pub struct X509_VERIFY_PARAM {
     pub purpose: c_int,
     pub trust: c_int,
     pub depth: c_int,
-    policies: *mut stack_st_ASN1_OBJECT,
+    pub policies: *mut stack_st_ASN1_OBJECT,
     id: *mut c_void,
 }