We can do a nasty thing. SSL_CLIENT_HELLO_CB is not defined for BoringSSL; we can (in openssl-compat.h) check whether BoringSSL is used and define that macro.
I'm not sure it is a good thing. If you think it is, please modify the patch when applying. I'm OK with such a change.

Mon, 18 Jan 2021 at 15:53, Илья Шипицин <[email protected]>: > > > Mon, 18 Jan 2021 at 15:09, William Lallemand <[email protected]>: > >> Hello, >> >> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote: >> > Hello, >> > >> > next openssl guarding patch >> > >> > Ilya >> >> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001 >> > From: Ilya Shipitsin <[email protected]> >> > Date: Sat, 16 Jan 2021 23:15:12 +0500 >> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with >> > SSL_CLIENT_HELLO_CB macro instead of openssl version >> > >> > --- >> > include/haproxy/ssl_sock.h | 2 +- >> > src/ssl_sock.c | 2 +- >> > 2 files changed, 2 insertions(+), 2 deletions(-) >> > >> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h >> > index ebfdb19ab..bde75b632 100644 >> > --- a/include/haproxy/ssl_sock.h >> > +++ b/include/haproxy/ssl_sock.h >> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const >> char *filename); >> > void ssl_free_dh(void); >> > #endif >> > void ssl_free_engines(void); >> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >> defined(OPENSSL_IS_BORINGSSL)) >> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); >> > #ifdef OPENSSL_IS_BORINGSSL >> > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); >> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c >> > index 5ac81d36a..3e133d423 100644 >> > --- a/src/ssl_sock.c >> > +++ b/src/ssl_sock.c
>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, >> SSL_CTX *ctx) >> > SSL_set_SSL_CTX(ssl, ctx); >> > } >> > >> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >> defined(OPENSSL_IS_BORINGSSL)) >> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >> > >> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) >> > { >> >> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c >> too. >> Why don't you define a macro constant with the feature name in >> openssl-compat.h and test this constant in ssl_sock.c? Like it was done >> for various functions. >> > > It depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future > improvement. > > This particular guard is used 2 times only (in *.h and *.c files), > readability is good. > > > >> >> Regards, >> >> -- >> William Lallemand >> >
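Review bot: In the include/haproxy/ssl_sock.h hunk, the new guard tests SSL_CLIENT_HELLO_CB, but nothing in this patch defines that name (the diffstat touches only ssl_sock.h and ssl_sock.c) and the commit message has no body saying which header is expected to provide it. If a library that passed the old `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` test does not define SSL_CLIENT_HELLO_CB, the ssl_sock_switchctx_err_cbk prototype is dropped silently instead of failing visibly. Please state in the commit message where the macro comes from, or define a HAProxy-owned feature macro in openssl-compat.h and test that one here.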
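Review bot: The guard in the src/ssl_sock.c hunk repeats the header's condition verbatim, so the two `#if` expressions must be edited in lockstep; if they ever diverge, the prototype and the definition of ssl_sock_switchctx_err_cbk are compiled under different conditions. The `|| defined(OPENSSL_IS_BORINGSSL)` term also has to stay in both places, since the thread states that SSL_CLIENT_HELLO_CB is not defined for BoringSSL. Folding the whole condition into one feature macro defined once in openssl-compat.h would leave a single place to maintain and would let both call sites test just that name.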

