ping

Tue, 19 Jan 2021 at 23:24, Илья Шипицин <[email protected]> wrote:
> Any update on this? > > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин <[email protected]> wrote: > >> we can do a nasty thing. >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in >> openssl-compat.h) check whether BoringSSL is used and define that macro. >> >> I'm not sure it is a good thing. >> >> if you think it is, please modify the patch when applying. I'm ok with such >> a change. >> >> Mon, 18 Jan 2021 at 15:53, Илья Шипицин <[email protected]> wrote: >> >>> >>> >>> Mon, 18 Jan 2021 at 15:09, William Lallemand <[email protected]> wrote: >>> >>>> Hello, >>>> >>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote: >>>> > Hello, >>>> > >>>> > next openssl guarding patch >>>> > >>>> > Ilya >>>> >>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001 >>>> > From: Ilya Shipitsin <[email protected]> >>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500 >>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with >>>> > SSL_CLIENT_HELLO_CB macro instead of openssl version >>>> > >>>> > --- >>>> > include/haproxy/ssl_sock.h | 2 +- >>>> > src/ssl_sock.c | 2 +- >>>> > 2 files changed, 2 insertions(+), 2 deletions(-) >>>> > >>>> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h >>>> > index ebfdb19ab..bde75b632 100644 >>>> > --- a/include/haproxy/ssl_sock.h >>>> > +++ b/include/haproxy/ssl_sock.h >>>> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const >>>> char *filename); >>>> > void ssl_free_dh(void); >>>> > #endif >>>> > void ssl_free_engines(void); >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >>>> defined(OPENSSL_IS_BORINGSSL)) >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); >>>> > #ifdef OPENSSL_IS_BORINGSSL >>>> > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); >>>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c >>>> > index 5ac81d36a..3e133d423 100644
>>>> > --- a/src/ssl_sock.c >>>> > +++ b/src/ssl_sock.c >>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, >>>> SSL_CTX *ctx) >>>> > SSL_set_SSL_CTX(ssl, ctx); >>>> > } >>>> > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || >>>> defined(OPENSSL_IS_BORINGSSL)) >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) >>>> > >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) >>>> > { >>>> >>>> We probably want to remove the defined(IS_BORINGSSL) from the >>>> ssl_sock.c too. >>>> Why don't you define a macro constant with the feature name in >>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was done >>>> for various functions. >>>> >>> >>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future >>> improvement. >>> >>> this particular guard is used 2 times only (in *.h and *.c files), >>> readability is good. >>> >>> >>> >>>> >>>> Regards, >>>> >>>> -- >>>> William Lallemand >>>> >>>
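Review bot: in the include/haproxy/ssl_sock.h hunk, the new guard `#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))` is only true when the TLS library's headers have already been pulled in above this point, and nothing in the hunk shows or documents that. If the include order ever changes, the test quietly evaluates to false and the prototypes inside the block, starting with ssl_sock_switchctx_err_cbk(), are dropped with no diagnostic at this line. A one-line comment above the `#if` naming the header that supplies SSL_CLIENT_HELLO_CB would make the dependency explicit.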
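Review bot: the guard in the src/ssl_sock.c hunk repeats the condition from include/haproxy/ssl_sock.h character for character, so the prototype and the definition of ssl_sock_switchctx_err_cbk() stay matched only as long as both copies are edited together. The subject line says the guard replaces the OpenSSL version test with a feature test, yet `defined(OPENSSL_IS_BORINGSSL)` is still part of the expression, so it remains half a library-identity check. Defining one feature constant in openssl-compat.h (set when SSL_CLIENT_HELLO_CB is defined or BoringSSL is detected) and testing only that constant in both files would remove the duplication and the leftover library check.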

