On Tue, Oct 24, 2017 at 06:26:26PM +0200, Emmanuel Hocdet wrote:
> okay, patch split in 2 parts :)
>
> 1) support OPENSSL_NO_ASYNC #define
> 2) BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility.
It's indeed more understandable to me now. And it allows me to spot this
which I think is a leftover from another change you may have in your
local tree :
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 94d1290d0..bb1d69156 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -46,6 +46,7 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/hmac.h>
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
#include <openssl/ocsp.h>
#endif
@@ -2055,7 +2056,7 @@ static int ssl_sock_switchctx_cbk(const struct
ssl_early_callback_ctx *ctx)
goto abort;
}
cipher = SSL_get_cipher_by_value(cipher_suite);
- if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
+ if (cipher && SSL_CIPHER_get_auth_nid(cipher) ==
NID_auth_ecdsa) {
has_ecdsa = 1;
break;
}
There's no mention of it in the commit message and it doesn't look much
related to the various #ifdefs. Could you please double-check ?
Otherwise I'm fine with the other changes, they seem totally riskless.
Thanks,
Willy
