On Tue, Jan 27, 2015 at 05:57:41PM +0100, Alessandro Ghedini wrote:
> On mar, gen 27, 2015 at 04:17:40 +0000, Joe Mason wrote:
> > > From: curl-library [[email protected]] on behalf of Alessandro Ghedini [[email protected]]
> > >
> > > It looks good to me, but note that the OpenSSL developers are planning to remove the OPENSSL_NO_TLSEXT option (see [0]), so this will probably fail to build at some point in the future.
> >
> > I don't think that will cause a problem unless a version of openssl ships that doesn't have OCSP support but doesn't define OPENSSL_NO_TLSEXT. I assume that's not what they're doing - if they remove the definition, it would mean that all versions shipped after that point always support TLSEXT (and therefore OCSP).
>
> Right, I have no idea why I wrote that it would fail to build, go figure...
>
> > However it might be a good idea to define an OPENSSL_HAVE_OCSP macro, so that we don't have to repeat this test several times, and only have to update the macro definition if we find other configurations that need OCSP disabled.
>
> Yes, it may also check for the OpenSSL version, although it's probably old enough that a check isn't really needed. I'll write a patch if no one beats me to it.
Patch attached. I put in the version check too, since I noticed that there are other version checks below for even older OpenSSL versions.

Cheers
From 5c4ad0c1892a2a71e246d93f0f5c837707b9fcd0 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Tue, 27 Jan 2015 17:43:38 +0100 Subject: [PATCH] openssl: use a single HAVE_OCSP define instead of repeating the checks --- lib/vtls/openssl.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index e514e32..e39b304 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -64,15 +64,21 @@ #include <openssl/md5.h> #include <openssl/conf.h> #include <openssl/bn.h> -#ifndef HAVE_BORINGSSL -#include <openssl/ocsp.h> -#endif #else #include <rand.h> #include <x509v3.h> #include <md5.h> #endif +#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x0090807fL) && \ + !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT) +#define HAVE_OCSP +#endif + +#ifdef HAVE_OCSP +#include <openssl/ocsp.h> +#endif + #include "warnless.h" #include "curl_memory.h" #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */ @@ -1323,7 +1329,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) return result; } -#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT) +#ifdef HAVE_OCSP static CURLcode verifystatus(struct connectdata *conn, struct ssl_connect_data *connssl) { @@ -1446,7 +1452,7 @@ end: return result; } -#endif /* HAVE_BORINGSSL */ +#endif /* HAVE_OCSP */ #endif /* USE_SSLEAY */ @@ -2060,7 +2066,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) return CURLE_OUT_OF_MEMORY; } -#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT) +#ifdef HAVE_OCSP if(data->set.ssl.verifystatus) SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp); #endif 
@@ -2748,7 +2754,7 @@ static CURLcode servercert(struct connectdata *conn, infof(data, "\t SSL certificate verify ok.\n"); } -#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT) +#ifdef HAVE_OCSP if(data->set.ssl.verifystatus) { result = verifystatus(conn, connssl); if(result) { @@ -3202,7 +3208,7 @@ void Curl_ossl_md5sum(unsigned char *tmp, /* input */ bool Curl_ossl_cert_status_request(void) { -#if !defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT) +#ifdef HAVE_OCSP return TRUE; #else return FALSE; -- 2.1.4
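Review bot: the new `#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x0090807fL) && \` block in the first hunk adds a version gate that none of the replaced `!defined(HAVE_BORINGSSL) && !defined(OPENSSL_NO_TLSEXT)` conditions had, so the change is behavioural as well as a consolidation; the subject "use a single HAVE_OCSP define instead of repeating the checks" should say so, and a one-line comment above `#define HAVE_OCSP` naming the release that 0x0090807fL encodes would save the next reader from decoding it. Since this define now also controls the `#include <openssl/ocsp.h>` and every call site (verifystatus(), SSL_set_tlsext_status_type(), Curl_ossl_cert_status_request()), it is the one place to exclude OpenSSL builds configured without OCSP, i.e. adding `&& !defined(OPENSSL_NO_OCSP)` to the condition.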
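As an added illustration (not code from the patch or from curl), the helpers below decode the MNNFFPPS layout of OPENSSL_VERSION_NUMBER so the 0x0090807fL threshold in the new HAVE_OCSP condition can be checked against a release name, and mirror the patch's preprocessor test at run time; the struct and function names are assumed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not code from the curl patch. OPENSSL_VERSION_NUMBER
 * packs a release as MNNFFPPS: major nibble, minor byte, fix byte, patch
 * byte (1 = 'a'), status nibble (0 = dev, 1..0xe = beta, 0xf = release). */
struct ossl_version { unsigned major, minor, fix, patch, status; };

static struct ossl_version ossl_decode(unsigned long v)
{
  struct ossl_version r;
  r.major  = (v >> 28) & 0xf;
  r.minor  = (v >> 20) & 0xff;
  r.fix    = (v >> 12) & 0xff;
  r.patch  = (v >> 4)  & 0xff;
  r.status = v & 0xf;
  return r;
}

/* Render e.g. 0x0090807fUL as "0.9.8g". Patch letters past 'z' are written
 * numerically ("p27"); this helper does not model OpenSSL's "za" scheme. */
static void ossl_format(unsigned long v, char *buf, size_t len)
{
  struct ossl_version r = ossl_decode(v);
  size_t n = (size_t)snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
  if(n >= len) return;
  if(r.patch >= 1 && r.patch <= 26)
    n += (size_t)snprintf(buf + n, len - n, "%c", 'a' + (int)r.patch - 1);
  else if(r.patch)
    n += (size_t)snprintf(buf + n, len - n, "p%u", r.patch);
  if(n >= len) return;
  if(r.status == 0)
    snprintf(buf + n, len - n, "-dev");
  else if(r.status < 0xf)
    snprintf(buf + n, len - n, "-beta%u", r.status);
}

/* True when version number v renders as the given release name. */
static int ossl_is(unsigned long v, const char *name)
{
  char buf[32];
  ossl_format(v, buf, sizeof buf);
  return strcmp(buf, name) == 0;
}

/* Hypothetical run-time mirror of the patch's HAVE_OCSP preprocessor test. */
static int have_ocsp(unsigned long v, int boringssl, int no_tlsext)
{
  return v >= 0x0090807fUL && !boringssl && !no_tlsext;
}
```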
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
