Hi, another series of removing HA_OPENSSL_VERSION
Ilya
From 13b0f8e575021b4d3c10fd3a2066ff83b26588bc Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <[email protected]>
Date: Thu, 7 Jan 2021 11:55:45 +0500
Subject: [PATCH 1/3] BUILD: SSL: guard TLS13 ciphersuites with HAVE_SSL_CTX_SET_CIPHERSUITES accidently src/server.c still used earlier guarding
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/server.c b/src/server.c
index 9463882fe..1c4ad7aaf 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1553,7 +1553,7 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
 if (src->ssl_ctx.methods.max)
 srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (src->ssl_ctx.ciphersuites != NULL)
 srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
 #endif
--
2.29.2
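Review bot: The new `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES` guard in srv_ssl_settings_cpy() evaluates to false without any diagnostic if the macro's definition is not visible in src/server.c, and the hunk does not show where it is defined. In that case the `ciphersuites` value would not be inherited from `src`, so the server would presumably negotiate TLS 1.3 with the library's default suites instead of the configured restriction. I would add a comment above the guard such as `/* feature macro: if it is not visible here, the configured TLS 1.3 ciphersuites are silently not inherited */` and confirm that the `ciphersuites` field, if it is guarded as well, uses the same condition. The unchecked `strdup()` on the context line below has the same silent-fallback effect on allocation failure, although it predates this change. The function body starts and ends outside the hunk.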
From 5bc44a8a35b5234a57e63325317175e33af9a924 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <[email protected]>
Date: Thu, 7 Jan 2021 11:57:42 +0500
Subject: [PATCH 2/3] BUILD: ssl: guard EVP_PKEY_get_default_digest_nid with ASN1_PKEY_CTRL_DEFAULT_MD_NID let us switch to openssl specific macro instead of versions
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 830dc3e69..587140f1b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2001,7 +2001,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 else if (key_type == EVP_PKEY_EC)
 digest = EVP_sha256();
 else {
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#ifdef ASN1_PKEY_CTRL_DEFAULT_MD_NID
 int nid;
 if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
--
2.29.2
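Review bot: `ASN1_PKEY_CTRL_DEFAULT_MD_NID` is a control-command constant, not a statement that `EVP_PKEY_get_default_digest_nid()` exists, so the new guard in ssl_sock_do_create_cert() is only an indirect availability test. The old condition excluded BoringSSL explicitly; whether every supported library that defines the constant also provides the function, and the reverse, is not visible here and should be confirmed. A false result silently selects whatever alternative the rest of the conditional provides for choosing the signing digest of the generated certificate. A short comment would record the intent, e.g. `/* ASN1_PKEY_CTRL_DEFAULT_MD_NID stands in for EVP_PKEY_get_default_digest_nid() availability */`. The `else {` block and the end of the conditional lie outside the hunk.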
From c3971d1290d0bf460ce167a94ece0a99f16d34fd Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin <[email protected]> Date: Thu, 7 Jan 2021 11:59:58 +0500 Subject: [PATCH 3/3] BUILD: ssl: guard openssl specific with SSL_READ_EARLY_DATA_SUCCESS let us switch to SSL_READ_EARLY_DATA_SUCCESS instead of openssl versions --- src/ssl_sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 587140f1b..5ac81d36a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5630,7 +5630,7 @@ static struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned short goto leave; } } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) +#ifdef SSL_READ_EARLY_DATA_SUCCESS /* If we have early data and somebody wants to receive, let them */ else if (b_data(&ctx->early_buf) && ctx->subs && ctx->subs->events & SUB_RETRY_RECV) { @@ -5669,7 +5669,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu if (!ctx) goto out_error; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) +#ifdef SSL_READ_EARLY_DATA_SUCCESS if (b_data(&ctx->early_buf)) { try = b_contig_space(buf); if (try > b_data(&ctx->early_buf)) -- 2.29.2
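Review bot: Both guards changed here, in ssl_sock_io_cb() and in ssl_sock_to_buf(), protect code that drains `ctx->early_buf`, so they have to stay identical to the condition around the code that fills that buffer and around the field itself, neither of which is in these hunks. If any of those sites still tests `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` while these two test `SSL_READ_EARLY_DATA_SUCCESS`, a library on which the two conditions disagree would either fail to build or buffer early data that is never handed to the receiver. Early data is replayable, so the pairing deserves a comment at each guard, e.g. `/* TLS 1.3 early data: keep this guard identical to the one on the code that fills ctx->early_buf */`. Both function bodies start and end outside the hunks.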

