You could define a HAVE_SSL_* macro like it's done elsewhere in the code, for example "HAVE_SSL_CLIENT_HELLO_CB".
On Fri, Jan 22, 2021 at 06:59:58PM +0500, Илья Шипицин wrote: > ping > > вт, 19 янв. 2021 г. в 23:24, Илья Шипицин <[email protected]>: > > > Any update on this? > > > > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин <[email protected]> wrote: > > > >> we can do nasty thing. > >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in > >> openssl-compat.h) check whether BoringSSL is used and define that macro. > >> > >> I'm not sure it is good thing. > >> > >> if you thing it is, please modify patch when applying. I'm ok with such > >> change. > >> > >> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин <[email protected]>: > >> > >>> > >>> > >>> пн, 18 янв. 2021 г. в 15:09, William Lallemand <[email protected]>: > >>> > >>>> Hello, > >>>> > >>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote: > >>>> > Hello, > >>>> > > >>>> > next openssl guarding patch > >>>> > > >>>> > Ilya > >>>> > >>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001 > >>>> > From: Ilya Shipitsin <[email protected]> > >>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500 > >>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with > >>>> > SSL_CLIENT_HELLO_CB macro instead of openssl version > >>>> > > >>>> > --- > >>>> > include/haproxy/ssl_sock.h | 2 +- > >>>> > src/ssl_sock.c | 2 +- > >>>> > 2 files changed, 2 insertions(+), 2 deletions(-) > >>>> > > >>>> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h > >>>> > index ebfdb19ab..bde75b632 100644 > >>>> > --- a/include/haproxy/ssl_sock.h > >>>> > +++ b/include/haproxy/ssl_sock.h 
> >>>> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const > >>>> char *filename); > >>>> > void ssl_free_dh(void); > >>>> > #endif > >>>> > void ssl_free_engines(void); > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > >>>> defined(OPENSSL_IS_BORINGSSL)) > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) > >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); > >>>> > #ifdef OPENSSL_IS_BORINGSSL > >>>> > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); > >>>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > >>>> > index 5ac81d36a..3e133d423 100644 > >>>> > --- a/src/ssl_sock.c > >>>> > +++ b/src/ssl_sock.c > >>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, > >>>> SSL_CTX *ctx) > >>>> > SSL_set_SSL_CTX(ssl, ctx); > >>>> > } > >>>> > > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > >>>> defined(OPENSSL_IS_BORINGSSL)) > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) > >>>> > > >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) > >>>> > { > >>>> > >>>> We probably want to remove the defined(IS_BORINGSSL) from the > >>>> ssl_sock.c too. > >>>> Why don't you define a macro constant with the feature name in > >>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was done > >>>> for various fonctions. > >>>> > >>> > >>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future > >>> improvements. > >>> > >>> this particular guard is used 2 times only (in *.h and *.c files), > >>> readability is good. > >>> > >>> > >>> > >>>> > >>>> Regards, > >>>> > >>>> -- > >>>> William Lallemand > >>>> > >>> -- William Lallemand
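Review bot: in the include/haproxy/ssl_sock.h hunk, the new guard tests SSL_CLIENT_HELLO_CB, but nothing in this two-file patch defines that name, so the condition depends entirely on whether the TLS library's own headers expose it as a preprocessor macro. If they do not, the prototypes under the guard drop out on builds that the old HA_OPENSSL_VERSION_NUMBER >= 0x10101000L test enabled, and nothing flags it at this line. Define one feature macro in openssl-compat.h (HAVE_SSL_CLIENT_HELLO_CB, as proposed in the thread) and test only that here. The inner #ifdef OPENSSL_IS_BORINGSSL that selects the ssl_early_callback_ctx prototype can stay as it is.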
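Review bot: in the src/ssl_sock.c hunk, the guard repeats the same two-term condition as the header, so the test around the prototypes and the test around the ssl_sock_switchctx_err_cbk() definition are kept in sync by hand and can drift apart in a later edit. Once a single feature macro exists, fold the BoringSSL case into its definition so that both files carry one identical defined() test and "|| defined(OPENSSL_IS_BORINGSSL)" disappears from this line.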

