On Fri, Feb 10, 2017 at 04:21:06PM +0100, Piotr Kubaj wrote:
> Please try the corrected patches. Before Haproxy was kind of unstable. Now it
> seems to work fine. I also changed tests for defined LIBRESSL_VERSION_NUMBER
> to testing LibreSSL version to keep the older versions working.
(...)
>
> --- include/proto/openssl-compat.h.orig 2017-02-10 12:38:04 UTC
> +++ include/proto/openssl-compat.h
> @@ -183,7 +183,7 @@ static inline int EVP_PKEY_base_id(EVP_P
> #endif
>
> /* This function does nothing in 1.1.0 and doesn't exist in boringssl */
> -#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> +#if (LIBRESSL_VERSION_NUMBER < 0x2050100fL) &&
> (defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL))
> #undef SSL_CTX_set_ecdh_auto
> #define SSL_CTX_set_ecdh_auto(ctx, onoff)
> #endif
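Review bot: the new condition relies on LIBRESSL_VERSION_NUMBER being undefined on OpenSSL and BoringSSL builds, where the preprocessor silently evaluates it as 0 so that `0 < 0x2050100fL` keeps the shim enabled; spell that out as `!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2050100fL` so the intent is readable and `-Wundef` builds stay quiet. The `#if` also arrives split over two lines with no trailing backslash after `&&`, which would not preprocess, so make sure the committed version is on one line or continued with `\`. The comment above it still says only "does nothing in 1.1.0 and doesn't exist in boringssl" and should now mention LibreSSL 2.5.1+ as well.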
I don't understand much, your e-mail talks about openssl and you're changing
a line affecting boringssl. You need to provide a bit of description about
what your patch does and tries to solve, that we'll use as the commit message.
> --- src/ssl_sock.c.orig 2017-02-08 18:08:38 UTC
> +++ src/ssl_sock.c
> @@ -829,10 +829,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> ocsp = NULL;
>
> #ifndef SSL_CTX_get_tlsext_status_cb
> -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> - *cb = (void (*) (void))ctx->tlsext_status_cb;
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> #endif
Here this 128 looks a bit magic and will very likely break sooner or
later, so if this is an internal value used by libressl, it's better
to mention it next to it.
> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
> +#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> + *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void
> (**)(void))cb)
> +#endif
> + SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> if (!callback) {
> struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
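Review bot: `*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)` is wrong: the ctrl call stores the callback through its fourth argument and returns a long status, so the assignment immediately overwrites the fetched pointer with that return value, `callback` is then never NULL and the `if (!callback)` branch below will not run. Drop the assignment and call `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)` for its side effect only. Separately, the old `*cb = (void (*) (void))ctx->tlsext_status_cb;` fallback is removed for every library that lacks the getter, not only LibreSSL >= 2.5.1; a library whose SSL_CTX_ctrl() does not implement command 128 will leave `callback` untouched, so keep the struct-access path and guard the ctrl-based one with the same LibreSSL version test the third hunk uses. The macro body is also line-wrapped after `(void` as quoted here; check the committed form has the continuation intact.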
> @@ -858,10 +861,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
> int key_type;
> EVP_PKEY *pkey;
>
> -#ifdef SSL_CTX_get_tlsext_status_arg
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0,
> &cb_arg);
> +#if defined(SSL_CTX_get_tlsext_status_arg) || (LIBRESSL_VERSION_NUMBER >=
> 0x2050100fL)
> +#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> +#endif
Same here.
> + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0,
> &cb_arg);
> #else
> - cb_arg = ctx->tlsext_status_arg;
> + cb_arg = ctx->tlsext_status_arg;
Be careful not to introduce useless space changes in your patch like this.
> #endif
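Review bot: SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 is defined in the middle of ssl_sock_load_ocsp() while the other library shims, including the one in the first hunk, live in include/proto/openssl-compat.h; move both the 128 and 129 definitions there, next to a comment saying where the values come from, so each is defined once. The 0x2050100fL threshold is likewise repeated as a bare literal in two files; a single named macro in openssl-compat.h would stop the two from drifting apart. As in the other hunks, the `#if` and the SSL_CTX_ctrl() call are wrapped across lines here, which only works if that is mail wrapping and not the patch itself.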
Thanks,
Willy