Hi,

let us use macros instead of openssl versions.

Cheers,
Ilya
From 278857e7d21e593e1b5a05a05605c89bdb08581d Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <[email protected]>
Date: Wed, 4 Nov 2020 00:39:07 +0500
Subject: [PATCH 1/2] BUILD: ssl: use feature macros for detecting ec curves
 manipulation support

Use SSL_CTX_set1_curves_list (OpenSSL) and SSL_CTRL_SET_CURVES_LIST (BoringSSL)
for feature detection instead of version checks.
---
 include/haproxy/ssl_sock-t.h | 2 +-
 src/cfgparse-ssl.c           | 8 ++++----
 src/ssl_sock.c               | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index c8c8616ea..1f9045cb9 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -274,7 +274,7 @@ struct global_ssl {
 	char *listen_default_ciphersuites;
 	char *connect_default_ciphersuites;
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 	char *listen_default_curves;
 #endif
 	int listen_default_ssloptions;
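Review bot: The guard `#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)` is copied verbatim into six places (here, four times in src/cfgparse-ssl.c and once in src/ssl_sock.c), and none of them says why two names are tested. Defining one feature macro once, beside the project's other OpenSSL compatibility definitions (not visible in this patch), and testing that everywhere would keep the struct member, the keyword table and the context setup from drifting apart on a later edit. If the condition stays inline, a comment such as `/* SSL_CTX_set1_curves_list: OpenSSL, SSL_CTRL_SET_CURVES_LIST: BoringSSL */` would record the reasoning from the commit message. Writing `defined(X)` with parentheses would also match the form used by the removed line.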
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index fcf2b163a..178cd3fd1 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -229,7 +229,7 @@ static int ssl_parse_global_ciphersuites(char **args, int section_type, struct p
 }
 #endif
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 /*
  * parse the "ssl-default-bind-curves" keyword in a global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
@@ -703,7 +703,7 @@ static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struc
 /* parse the "curves" bind keyword keyword */
 static int ssl_bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 	if (!*args[cur_arg + 1]) {
 		memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
 		return ERR_ALERT | ERR_FATAL;
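Review bot: Support for the `curves` bind keyword now depends on the TLS library exposing one of two preprocessor names, so a library that offers the call only as a plain function would have this branch compiled out even though the API exists. LibreSSL builds, which the removed condition enabled unconditionally via `defined(LIBRESSL_VERSION_NUMBER)`, now get the feature only if LibreSSL's headers define one of these names, which deserves a build check. The fallback branch of `ssl_bind_parse_curves` lies outside this hunk. It should be confirmed that it fails with `ERR_ALERT | ERR_FATAL` rather than a warning, so a configured curve restriction cannot be dropped silently when the matching block in src/ssl_sock.c is compiled out too.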
@@ -1045,7 +1045,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 
 	if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
 		conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 	if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
 		conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
 #endif
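Review bot: The `strdup()` result stored in `conf->ssl_conf.curves` is not checked, and neither is the ciphers copy just above it. On allocation failure the field stays NULL and, as far as this hunk shows, the bind line would proceed without the global default curves, leaving the listener on the library's defaults. Checking the result inside that `if` and returning `ERR_ALERT | ERR_FATAL` when it is NULL would make the failure visible at configuration time. These are context lines that predate the commit, and `bind_parse_ssl` continues outside the hunk, so a later check may already cover this.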
@@ -1877,7 +1877,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #endif
 	{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
 	{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 	{ CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
 #endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 57e5f5afe..a9a575fd7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4177,7 +4177,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 	if (ssl_conf_cur)
 		SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, ssl_conf_cur);
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
 	conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
 	if (conf_curves) {
 		if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
-- 
2.28.0
