Mon, 18 Jan 2021 at 15:09, William Lallemand <[email protected]>:
> Hello,
>
> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
> > Hello,
> >
> > next openssl guarding patch
> >
> > Ilya
>
> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001 > > From: Ilya Shipitsin <[email protected]> > > Date: Sat, 16 Jan 2021 23:15:12 +0500 > > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with > > SSL_CLIENT_HELLO_CB macro instead of openssl version > > > > --- > > include/haproxy/ssl_sock.h | 2 +- > > src/ssl_sock.c | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h > > index ebfdb19ab..bde75b632 100644 > > --- a/include/haproxy/ssl_sock.h > > +++ b/include/haproxy/ssl_sock.h > > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char > *filename); > > void ssl_free_dh(void); > > #endif > > void ssl_free_engines(void); > > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > defined(OPENSSL_IS_BORINGSSL)) > > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) > > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); > > #ifdef OPENSSL_IS_BORINGSSL > > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); > > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > > index 5ac81d36a..3e133d423 100644 > > --- a/src/ssl_sock.c > > +++ b/src/ssl_sock.c 
> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, > SSL_CTX *ctx) > > SSL_set_SSL_CTX(ssl, ctx); > > } > > > > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > defined(OPENSSL_IS_BORINGSSL)) > > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) > > > > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) > > {
>
> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c too.
> Why don't you define a macro constant with the feature name in
> openssl-compat.h and test this constant in ssl_sock.c? Like it was done
> for various functions.

It depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future improvement. This particular guard is used 2 times only (in *.h and *.c files), readability is good.

> Regards,
>
> --
> William Lallemand
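Review bot: the new guard in the include/haproxy/ssl_sock.h hunk, `#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))`, is repeated verbatim in src/ssl_sock.c, so the declaration and the definition can drift apart if only one copy is edited later. Consider defining one feature macro in openssl-compat.h (for example a hypothetical HAVE_SSL_CLIENT_HELLO_CB) and testing only that in both files, as suggested in the reply above. The commit message also has no body; one sentence on why a feature test is preferred over the HA_OPENSSL_VERSION_NUMBER comparison would help later readers.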
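Review bot: in the src/ssl_sock.c hunk at line 2290, only the opening `#if` before ssl_sock_switchctx_err_cbk() changes, and the diffstat shows a single changed line in that file. Any other block in ssl_sock.c that registers or references these callbacks has to sit under the same condition. If one still tests `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L`, a library that reports that version without defining SSL_CLIENT_HELLO_CB would reference a function that is no longer compiled. Please confirm no such guard remains, or convert it in the same patch.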

