commit deb3cc400a32c21712b6b748da616ef4a1b0d86a Author: orbea Date: Tue Apr 11 15:13:02 2023 -0700 libressl (From OpenBSD) diff --git a/src/client.c b/src/client.c index ac4a115..dda42c2 100644 --- a/src/client.c +++ b/src/client.c @@ -773,7 +773,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiated cipher */ NOEXPORT void transfer(CLI *c) { int timeout; /* s_poll_wait timeout in seconds */ int pending; /* either processed on unprocessed TLS data */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) int has_pending=0, prev_has_pending; #endif int watchdog=0; /* a counter to detect an infinite loop */ @@ -820,7 +820,7 @@ NOEXPORT void transfer(CLI *c) { /****************************** wait for an event */ pending=SSL_pending(c->ssl); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* only attempt to process SSL_has_pending() data once */ prev_has_pending=has_pending; has_pending=SSL_has_pending(c->ssl); @@ -1225,7 +1225,7 @@ NOEXPORT void transfer(CLI *c) { s_log(LOG_ERR, "please report the problem to Michal.Trojnara@stunnel.org"); stunnel_info(LOG_ERR); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d", SSL_get_version(c->ssl), SSL_pending(c->ssl), SSL_has_pending(c->ssl)); diff --git a/src/common.h b/src/common.h index 8fe50b4..52435d7 100644 --- a/src/common.h +++ b/src/common.h @@ -459,7 +459,7 @@ extern char *sys_errlist[]; #define OPENSSL_NO_TLS1_2 #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) #ifndef OPENSSL_NO_SSL2 #define OPENSSL_NO_SSL2 #endif /* !defined(OPENSSL_NO_SSL2) */ 
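Review bot: Adding `!defined(LIBRESSL_VERSION_NUMBER)` to the `OPENSSL_VERSION_NUMBER>=0x10100000L` block in common.h means a LibreSSL build no longer gets stunnel's own `#define OPENSSL_NO_SSL2` (nor whatever else that block defines; its remainder is outside the hunk). That is only safe if LibreSSL's headers already disable the legacy protocols themselves, and nothing in the hunk records that assumption. Since this block decides which protocol versions the rest of the code considers available, the `#if` deserves a one-line why-comment so the exclusion is not "fixed" later, e.g. `/* LibreSSL is excluded here: its headers disable SSLv2 on their own -- verify for the release being targeted */`.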
@@ -505,7 +505,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); /* not defined in public headers before OpenSSL 0.9.8 */ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); #endif /* !defined(OPENSSL_NO_COMP) */ -#if OPENSSL_VERSION_NUMBER>=0x10101000L +#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) #include #endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */ #if OPENSSL_VERSION_NUMBER>=0x30000000L diff --git a/src/ctx.c b/src/ctx.c index 6a42a6b..90d6273 100644 --- a/src/ctx.c +++ b/src/ctx.c @@ -94,7 +94,7 @@ NOEXPORT void set_prompt(const char *); NOEXPORT int ui_retry(void); /* session tickets */ -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int generate_session_ticket_cb(SSL *, void *); NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *, const unsigned char *, size_t, SSL_TICKET_STATUS, void *); @@ -133,7 +133,7 @@ NOEXPORT void sslerror_log(unsigned long, const char *, int, const char *); /**************************************** initialize section->ctx */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) typedef long unsigned SSL_OPTIONS_TYPE; #else typedef long SSL_OPTIONS_TYPE; @@ -184,7 +184,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ } current_section=section; /* setup current section for callbacks */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* set the security level */ if(section->security_level>=0) { /* set the user-specified value */ 
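Review bot: The `#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */` closing comment in the common.h hunk is now wrong, since the condition it closes also excludes LibreSSL; the same stale trailer appears on several other `#endif`s touched by this commit. Misleading `#endif` comments are worse than none in files with this much nesting, so they should follow the conditions they close, e.g. `#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L && !LIBRESSL */`. Where this commit adds a new `#endif` it is better to write the matching comment immediately than to leave it for a later pass.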
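Review bot: Guarding the security-level block in context_init() with `!defined(LIBRESSL_VERSION_NUMBER)` makes a configured `section->security_level` a silent no-op on LibreSSL builds, which is a security-relevant regression for users who rely on that setting to reject weak keys and ciphers. The block's closing `#endif` lies outside the hunk, so I cannot see whether an `#else` exists; if it does not, one should be added so the operator is told the setting is being ignored, e.g. `#else` / `if(section->security_level>=0) s_log(LOG_WARNING, "Security level is not supported with LibreSSL");`. Rejecting the option at configuration-parse time would be even clearer, but that code is not in this diff.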
@@ -272,7 +272,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ #endif /* setup session tickets */ -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb, decrypt_session_ticket_cb, NULL); #endif /* OpenSSL 1.1.1 or later */ @@ -546,7 +546,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { /**************************************** initialize OpenSSL CONF */ NOEXPORT int conf_init(SERVICE_OPTIONS *section) { -#if OPENSSL_VERSION_NUMBER>=0x10002000L +#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) SSL_CONF_CTX *cctx; NAME_LIST *curr; char *cmd, *param; @@ -1085,7 +1085,7 @@ NOEXPORT int ui_retry() { /**************************************** session tickets */ -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) typedef struct { void *session_authenticated; @@ -1573,7 +1573,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where, int ret) { CLI *c; SSL_CTX *ctx; const char *state_string; -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl); #else int state=SSL_get_state((SSL *)ssl); @@ -1622,8 +1622,11 @@ NOEXPORT void info_callback(const SSL *ssl, int where, int ret) { if(state==TLS_ST_SR_CLNT_HELLO) { #else if(state==SSL3_ST_SR_CLNT_HELLO_A - || state==SSL23_ST_SR_CLNT_HELLO_A) { +#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x4000000fL + || state==SSL23_ST_SR_CLNT_HELLO_A #endif +#endif + ) { /* client hello received after initial handshake, * this means renegotiation -> mark it */ c->reneg_state=RENEG_DETECTED; diff --git a/src/prototypes.h b/src/prototypes.h index 0ecd719..1084ce2 100644 --- a/src/prototypes.h +++ b/src/prototypes.h 
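Review bot: In the info_callback() hunk at line 1622 the new unconditional `) {` line sits after both `#endif`s, so in the branch where the preprocessor keeps `if(state==TLS_ST_SR_CLNT_HELLO) {` the compiler sees that line followed by a stray `) {` and the file no longer parses. The `#if` that selects that branch is above the hunk, so I cannot confirm which condition it tests, but if it still picks the TLS_ST line for OpenSSL 1.1+ (which the unchanged `OSSL_HANDSHAKE_STATE` path at line 1573 suggests), every non-LibreSSL build breaks. The fix is to swap the last two added lines so the `#else` branch closes its own condition: `) {` first, then `#endif`, leaving the inner `SSL23_ST_SR_CLNT_HELLO_A` guard as it is. The rest of the enclosing `if` body continues past the hunk.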
@@ -733,7 +733,7 @@ int getnameinfo(const struct sockaddr *, socklen_t, extern CLI *thread_head; #endif -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) #ifdef USE_OS_THREADS @@ -784,7 +784,7 @@ typedef enum { extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void); int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *); diff --git a/src/ssl.c b/src/ssl.c index 2fd0c77..e465fe1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -43,7 +43,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, #if OPENSSL_VERSION_NUMBER>=0x30000000L NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **from_d, int idx, long argl, void *argp); -#elif OPENSSL_VERSION_NUMBER>=0x10100000L +#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void *from_d, int idx, long argl, void *argp); #else @@ -103,7 +103,7 @@ int fips_available() { /* either FIPS provider or container is available */ /* initialize libcrypto before invoking API functions that require it */ void crypto_init() { -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) OPENSSL_INIT_SETTINGS *conf; #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */ #ifdef USE_WIN32 @@ -146,7 +146,7 @@ void crypto_init() { #endif /* USE_WIN32 */ /* initialize OpenSSL */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) conf=OPENSSL_INIT_new(); #ifdef USE_WIN32 stunnel_dir=tstr2str(stunnel_exe_path); 
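Review bot: The prototypes.h hunks now declare stunnel's emulated `CRYPTO_THREAD_lock_new`, `CRYPTO_THREAD_read_lock`, etc. for every LibreSSL release, because `defined(LIBRESSL_VERSION_NUMBER)` has no version bound. That asserts that no LibreSSL version ever exports the OpenSSL 1.1 locking API; if a targeted release does, these declarations shadow libcrypto's and the definitions in sthreads.c collide at link time. The commit already version-bounds a LibreSSL condition elsewhere (`LIBRESSL_VERSION_NUMBER < 0x4000000fL` in ctx.c), so the same discipline here, e.g. `#if OPENSSL_VERSION_NUMBER<0x10100004L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0xNNNNNNNNL)` with the first version that ships the API, would keep the emulation from outliving its need. The comment "Emulate the OpenSSL 1.1 locking API for older OpenSSL versions" should also mention LibreSSL.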
@@ -246,7 +246,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, #if OPENSSL_VERSION_NUMBER>=0x30000000L NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **from_d, int idx, long argl, void *argp) { -#elif OPENSSL_VERSION_NUMBER>=0x10100000L +#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void *from_d, int idx, long argl, void *argp) { #else diff --git a/src/sthreads.c b/src/sthreads.c index d0104ee..23ca48c 100644 --- a/src/sthreads.c +++ b/src/sthreads.c @@ -123,7 +123,7 @@ NOEXPORT void thread_id_init() { /**************************************** locking */ /* we only need to initialize locking with OpenSSL older than 1.1.0 */ -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) #ifdef USE_PTHREAD @@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO_RWLOCK *lock) { CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) #ifdef USE_OS_THREADS @@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) { NOEXPORT void locking_init() { size_t i; -#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L +#if defined(USE_OS_THREADS) && \ + (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)) size_t num; /* initialize the OpenSSL static locking */ diff --git a/src/str.c b/src/str.c index 5b464a1..9837c49 100644 --- a/src/str.c +++ b/src/str.c @@ -93,7 +93,7 @@ NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE], *leak_results[LEAK_TABLE_SIZE]; NOEXPORT int leak_result_num=0; -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) DEFINE_STACK_OF(LEAK_ENTRY) #endif /* OpenSSL version >= 1.1.1 */ 
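Review bot: The comment above the locking section in sthreads.c, `/* we only need to initialize locking with OpenSSL older than 1.1.0 */`, is now inaccurate because the condition beneath it also selects every LibreSSL build. Since this section installs the static locks that make libcrypto safe to use from stunnel's threads, a reader auditing thread safety should not be told LibreSSL is excluded. Suggested wording: `/* locking must be initialized for OpenSSL older than 1.1.0 and for LibreSSL, which use the legacy static-lock API */`.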
@@ -107,7 +107,9 @@ NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char *, int); NOEXPORT void str_leak_debug(const ALLOC_LIST *, int); NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *); +#if !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int leak_cmp(const LEAK_ENTRY *const *, const LEAK_ENTRY *const *); +#endif /* LIBRESSL_VERSION_NUMBER */ NOEXPORT void leak_report(void); NOEXPORT long leak_threshold(void); @@ -555,7 +557,7 @@ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) { void leak_table_utilization() { int i, utilization=0; int64_t grand_total=0; -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) STACK_OF(LEAK_ENTRY) *stats; #endif /* OpenSSL version >= 1.1.1 */ @@ -572,7 +574,7 @@ void leak_table_utilization() { s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d (%05.2f%%)", utilization, LEAK_TABLE_SIZE, 100.0*utilization/LEAK_TABLE_SIZE); -#if OPENSSL_VERSION_NUMBER >= 0x10101000L +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) /* log up to 5 most frequently used heap allocations */ stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization); for(i=0; i= 1.1.1 */ } +#if !defined(LIBRESSL_VERSION_NUMBER) NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b) { int64_t d = (*a)->total - (*b)->total; if(d>0) @@ -597,6 +600,7 @@ NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b) { return -1; return 0; } +#endif /* LIBRESSL_VERSION_NUMBER */ /* report identified leaks */ NOEXPORT void leak_report() { diff --git a/src/tls.c b/src/tls.c index 691dfa2..bd1b66a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -40,7 +40,7 @@ volatile int tls_initialized=0; NOEXPORT void tls_platform_init(void); -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) NOEXPORT void free_function(void *); #endif 
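Review bot: The new `#if !defined(LIBRESSL_VERSION_NUMBER)` around the `leak_cmp` prototype and definition in str.c does not match the guard on its only caller, which is `OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)`; on OpenSSL older than 1.1.1 the static function is still compiled but unused, and the two conditions will drift further apart. Use the caller's condition for both the prototype and the definition, and fix the closing comment, which currently reads `#endif /* LIBRESSL_VERSION_NUMBER */` for a block that is compiled only when that macro is absent, e.g. `#endif /* OpenSSL >= 1.1.1, not LibreSSL */`.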
@@ -51,7 +51,7 @@ void tls_init() { tls_platform_init(); tls_initialized=1; ui_tls=tls_alloc(NULL, NULL, "ui"); -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) CRYPTO_set_mem_functions(str_alloc_detached_debug, str_realloc_detached_debug, str_free_debug); #else @@ -184,7 +184,7 @@ TLS_DATA *tls_get() { /**************************************** OpenSSL allocator hook */ -#if OPENSSL_VERSION_NUMBER<0x10100000L +#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) NOEXPORT void free_function(void *ptr) { /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */ /* unfortunately, OpenSSL provides no file:line information here */ diff --git a/src/verify.c b/src/verify.c index 4d8c087..9e71e2c 100644 --- a/src/verify.c +++ b/src/verify.c @@ -388,7 +388,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { cert=X509_STORE_CTX_get_current_cert(callback_ctx); subject=X509_get_subject_name(cert); -#if OPENSSL_VERSION_NUMBER<0x10100006L +#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs #endif /* modern API allows retrieving multiple matching certificates */