Any update on this?

On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин <[email protected]> wrote:
> we can do a nasty thing.
> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
> openssl-compat.h) check whether BoringSSL is used and define that macro.
>
> I'm not sure it is a good thing.
>
> if you think it is, please modify the patch when applying. I'm ok with such a
> change.
>
> Mon, 18 Jan 2021 at 15:53, Илья Шипицин <[email protected]>:
>
>>
>>
>> Mon, 18 Jan 2021 at 15:09, William Lallemand <[email protected]>:
>>
>>> Hello,
>>>
>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
>>> > Hello,
>>> >
>>> > next openssl guarding patch
>>> >
>>> > Ilya
>>>
>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
>>> > From: Ilya Shipitsin <[email protected]>
>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500
>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
>>> >  SSL_CLIENT_HELLO_CB macro instead of openssl version
>>> >
>>> > ---
>>> >  include/haproxy/ssl_sock.h | 2 +-
>>> >  src/ssl_sock.c             | 2 +-
>>> >  2 files changed, 2 insertions(+), 2 deletions(-)
>>> >
>>> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
>>> > index ebfdb19ab..bde75b632 100644
>>> > --- a/include/haproxy/ssl_sock.h
>>> > +++ b/include/haproxy/ssl_sock.h
>>> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const >>> char *filename); >>> > void ssl_free_dh(void); >>> > #endif >>> > void ssl_free_engines(void); >>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >>> defined(OPENSSL_IS_BORINGSSL)) >>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); >>> > #ifdef OPENSSL_IS_BORINGSSL >>> > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); >>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c >>> > index 5ac81d36a..3e133d423 100644 >>> > --- a/src/ssl_sock.c >>> > +++ b/src/ssl_sock.c
>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, >>> SSL_CTX *ctx) >>> > SSL_set_SSL_CTX(ssl, ctx); >>> > } >>> > >>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >>> defined(OPENSSL_IS_BORINGSSL)) >>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >>> > >>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) >>> > {
>>>
>>> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c
>>> too.
>>> Why don't you define a macro constant with the feature name in
>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was done
>>> for various functions.
>>>
>>
>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
>> improvement.
>>
>> this particular guard is used 2 times only (in *.h and *.c files),
>> readability is good.
>>
>>
>>> Regards,
>>>
>>> --
>>> William Lallemand
>>>
>>
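Review bot: in the include/haproxy/ssl_sock.h hunk, the new `#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))` only behaves as intended if the OpenSSL header that defines SSL_CLIENT_HELLO_CB (or openssl-compat.h) has already been included by the time line 92 of ssl_sock.h is reached; the old `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` test only needed HAProxy's own compat macro. If the include order is wrong, `defined()` on an unknown macro is silently false on OpenSSL and the prototypes for ssl_sock_switchctx_err_cbk and ssl_sock_switchctx_cbk just vanish with no diagnostic until the .c side fails to link or compile. Worth confirming the include order, or, as the reply suggests, defining one feature macro in openssl-compat.h that covers both the OpenSSL and the BoringSSL case and testing only that here. The commit message also has no body; one line stating what the macro test catches that the version comparison did not would help whoever bisects to this commit later.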
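Review bot: the src/ssl_sock.c hunk repeats the exact expression from the header, `#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))`, so the declaration of ssl_sock_switchctx_err_cbk in ssl_sock.h and its definition here are now guarded by two hand-maintained copies of the same condition; if one is edited and the other is not, the function is declared but never defined (or the reverse) on some build configurations. A single named macro defined once in openssl-compat.h (for example HAVE_SSL_CLIENT_HELLO_CB, an illustrative name, not one from the patch) and tested with `#ifdef` in both files would remove that risk and make the BoringSSL special case a one-line change later, which is what the reply in the thread asks for. The patch is consistent as written, so this is a maintainability point rather than a correctness one.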

