Wed, 4 Nov 2020 at 20:14, Willy Tarreau <[email protected]>:

> Hi Ilya,
>
> On Wed, Nov 04, 2020 at 12:43:44AM +0500, Ilya Shipitsin wrote:
> > Hi,
> >
> > let us use macros instead of openssl versions.
> >
> > Cheers,
> > Ilya
>
> > From 278857e7d21e593e1b5a05a05605c89bdb08581d Mon Sep 17 00:00:00 2001
> > From: Ilya Shipitsin <[email protected]>
> > Date: Wed, 4 Nov 2020 00:39:07 +0500
> > Subject: [PATCH 1/2] BUILD: ssl: use feature macros for detecting ec curves
> >  manipulation support
> >
> > let us use SSL_CTX_set1_curves_list (OpenSSL), SSL_CTRL_SET_CURVES_LIST (BoringSSL)
> > for feature detection instead of versions
> > ---
> >  include/haproxy/ssl_sock-t.h | 2 +-
> >  src/cfgparse-ssl.c           | 8 ++++----
> >  src/ssl_sock.c               | 2 +-
> >  3 files changed, 6 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
> > index c8c8616ea..1f9045cb9 100644
> > --- a/include/haproxy/ssl_sock-t.h
> > +++ b/include/haproxy/ssl_sock-t.h
> > @@ -274,7 +274,7 @@ struct global_ssl {
> >       char *listen_default_ciphersuites;
> >       char *connect_default_ciphersuites;
> >  #endif
> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
> defined(LIBRESSL_VERSION_NUMBER))
> > +#if (defined SSL_CTX_set1_curves_list || defined
> SSL_CTRL_SET_CURVES_LIST)
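Review bot: The new `#if` drops the explicit `defined(LIBRESSL_VERSION_NUMBER)` arm of the old condition, so LibreSSL now only enters this block if its headers expose `SSL_CTX_set1_curves_list` or `SSL_CTRL_SET_CURVES_LIST` as a macro; since the review reply states this was not tested on LibreSSL, a LibreSSL build should be confirmed before merging, otherwise curves support silently disappears there. Style: `defined SSL_CTX_set1_curves_list` without parentheses differs from the `defined(...)` form used on the line it replaces; `#if (defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST))` would match the file's existing convention.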
>
> I could run that from 0.9.8 to 1.1.1 and confirm it gives the same
> results (not tested on libressl though). However given that it results
> in yet another "OR" between two variables supposedly identical, I think
> we should remap the boringssl one to the SSL_CTX_set1_curves_list in
> openssl-compat.h, something like this:
>
> #if !defined(SSL_CTX_set1_curves_list) && defined(SSL_CTRL_SET_CURVES_LIST)
> // boringSSL only sets SSL_CTRL_SET_CURVES_LIST; expand the canonical name to
> // itself so defined() is true and calls to the real function stay intact
> #define SSL_CTX_set1_curves_list SSL_CTX_set1_curves_list
> #endif
>
> This way it's cleaner to only test on the canonical name through the
> code (SSL_CTX_set1_curves_list).
>
> Not very important, I'll let William decide, it's just a suggestion,
> because as you've certainly figured by yourself now, this code full
> of #ifdef has become a real mess.
>

Code full of "ifdefs" is not a mess.
The mess is to depend on OPENSSL_VERSION; every fork has its own opinion
on what its own version should be.

As long as we depend on macros, we are safe.


I'm OK with moving that condition to openssl-compat.h if you think it is better.


>
> Cheers,
> Willy
>
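The remap Willy sketches, carried through as an added example (not HAProxy's own openssl-compat.h code): the `SSL_CTX` type, the `SSL_CTRL_SET_CURVES_LIST` macro and the `SSL_CTX_set1_curves_list` function are constructed stand-ins for the BoringSSL shape of `<openssl/ssl.h>`, so it compiles without OpenSSL headers, and `apply_curves` is a hypothetical caller that tests only the canonical name.

```c
#include <string.h>

/* Constructed stand-in for the BoringSSL shape of <openssl/ssl.h>:
 * SSL_CTX_set1_curves_list is a real function (so `defined` is false for it)
 * and only the legacy ctrl name survives as a macro. */
typedef struct ssl_ctx_st {
    char curves[64];   /* last curves list applied */
    int  set_calls;    /* how many times the setter ran */
} SSL_CTX;
#define SSL_CTRL_SET_CURVES_LIST doesnt_exist
int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);

/* The openssl-compat.h remap under discussion. The macro must expand to the
 * function's own name: an empty `#define SSL_CTX_set1_curves_list` would turn
 * every call `SSL_CTX_set1_curves_list(ctx, s)` into the comma expression
 * `(ctx, s)` and silently skip the setter. */
#if !defined(SSL_CTX_set1_curves_list) && defined(SSL_CTRL_SET_CURVES_LIST)
#define SSL_CTX_set1_curves_list SSL_CTX_set1_curves_list
#endif

/* Stand-in setter: copies the list into the context, OpenSSL-style 1/0 result. */
int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves)
{
    size_t n = strlen(curves);
    if (n == 0 || n >= sizeof(ctx->curves))
        return 0;
    memcpy(ctx->curves, curves, n + 1);
    ctx->set_calls++;
    return 1;
}

/* Hypothetical config-parser helper: tests only the canonical name, as the
 * reply suggests. Returns 1 on success, 0 if the library rejected the list,
 * and -1 when this build has no curves support at all. */
int apply_curves(SSL_CTX *ctx, const char *curves)
{
#if defined(SSL_CTX_set1_curves_list)
    return SSL_CTX_set1_curves_list(ctx, curves) ? 1 : 0;
#else
    (void)ctx; (void)curves;
    return -1;
#endif
}
```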
