[PATCH] more granular guard for SSL_CTX_add_server_custom_ext

Thu, 26 Nov 2020 13:59:29 -0800 

Hello,

let us continue to improve ssl guarding.

Ilya

From 133c8cc62dea471b306f91cf4e5363b272a80608 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <[email protected]>
Date: Fri, 27 Nov 2020 02:39:48 +0500
Subject: [PATCH] BUILD: SSL: fine guard for SSL_CTX_add_server_custom_ext call

SSL_CTX_add_server_custom_ext is openssl specific function present
since openssl-1.0.2, let us define readable guard for it, not depending
on HA_OPENSSL_VERSION
---
 include/haproxy/openssl-compat.h | 4 ++++
 src/ssl_sock.c                   | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 42349d7c1..564d1ea78 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -45,6 +45,10 @@
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
 #endif
 
+#if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b7d3b92b4..2b0fa5014 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1495,7 +1495,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 #endif
 
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 
 #define CT_EXTENSION_TYPE 18
 
@@ -3168,7 +3168,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 #endif
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 	if (sctl_ex_index >= 0 && ckch->sctl) {
 		if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
 			memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
-- 
2.28.0

Reply via email to