updated patch attached

пт, 22 янв. 2021 г. в 19:16, William Lallemand <wlallem...@haproxy.com>:

> You could define a HAVE_SSL_* macro like it's done elsewhere in the
> code, for example "HAVE_SSL_CLIENT_HELLO_CB".
>
>
> On Fri, Jan 22, 2021 at 06:59:58PM +0500, Илья Шипицин wrote:
> > ping
> >
> > вт, 19 янв. 2021 г. в 23:24, Илья Шипицин <chipits...@gmail.com>:
> >
> > > Any update on this?
> > >
> > > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин <chipits...@gmail.com>
> wrote:
> > >
> > >> We can do a nasty thing:
> > >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, so we can (in
> > >> openssl-compat.h) check whether BoringSSL is used and define that
> macro.
> > >>
> > >> I'm not sure it is a good thing.
> > >>
> > >> If you think it is, please modify the patch when applying. I'm ok with
> such
> > >> a change.
> > >>
> > >> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин <chipits...@gmail.com>:
> > >>
> > >>>
> > >>>
> > >>> пн, 18 янв. 2021 г. в 15:09, William Lallemand <
> wlallem...@haproxy.com>:
> > >>>
> > >>>> Hello,
> > >>>>
> > >>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
> > >>>> > Hello,
> > >>>> >
> > >>>> > next openssl guarding patch
> > >>>> >
> > >>>> > Ilya
> > >>>>
> > >>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00
> 2001
> > >>>> > From: Ilya Shipitsin <chipits...@gmail.com>
> > >>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500
> > >>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
> > >>>> >  SSL_CLIENT_HELLO_CB macro instead of openssl version
> > >>>> >
> > >>>> > ---
> > >>>> >  include/haproxy/ssl_sock.h | 2 +-
> > >>>> >  src/ssl_sock.c             | 2 +-
> > >>>> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > >>>> >
> > >>>> > diff --git a/include/haproxy/ssl_sock.h
> b/include/haproxy/ssl_sock.h
> > >>>> > index ebfdb19ab..bde75b632 100644
> > >>>> > --- a/include/haproxy/ssl_sock.h
> > >>>> > +++ b/include/haproxy/ssl_sock.h
> > >>>> > @@ -92,7 +92,7 @@ int
> ssl_sock_load_global_dh_param_from_file(const
> > >>>> char *filename);
> > >>>> >  void ssl_free_dh(void);
> > >>>> >  #endif
> > >>>> >  void ssl_free_engines(void);
> > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> > >>>> defined(OPENSSL_IS_BORINGSSL))
> > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) ||
> defined(OPENSSL_IS_BORINGSSL))
> > >>>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
> > >>>> >  #ifdef OPENSSL_IS_BORINGSSL
> > >>>> >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx
> *ctx);
> > >>>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> > >>>> > index 5ac81d36a..3e133d423 100644
> > >>>> > --- a/src/ssl_sock.c
> > >>>> > +++ b/src/ssl_sock.c
> > >>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
> > >>>> SSL_CTX *ctx)
> > >>>> >       SSL_set_SSL_CTX(ssl, ctx);
> > >>>> >  }
> > >>>> >
> > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> > >>>> defined(OPENSSL_IS_BORINGSSL))
> > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) ||
> defined(OPENSSL_IS_BORINGSSL))
> > >>>> >
> > >>>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
> > >>>> >  {
> > >>>>
> > >>>> We probably want to remove the defined(IS_BORINGSSL) from the
> > >>>> ssl_sock.c too.
> > >>>> Why don't you define a macro constant with the feature name in
> > >>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was
> done
> > >>>> for various functions.
> > >>>>
> > >>>
> > >>> It depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
> > >>> improvement.
> > >>>
> > >>> This particular guard is used only twice (in the *.h and *.c files),
> > >>> and readability is good.
> > >>>
> > >>>
> > >>>
> > >>>>
> > >>>> Regards,
> > >>>>
> > >>>> --
> > >>>> William Lallemand
> > >>>>
> > >>>
>
> --
> William Lallemand
>
From c733754941556b30bbc3e4ad4f8f917d5a885282 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sat, 23 Jan 2021 00:09:14 +0500
Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
 HAVE_SSL_CLIENT_HELLO_CB macro instead of openssl version

Introduce a new macro, HAVE_SSL_CLIENT_HELLO_CB, and guard the
Client Hello callback functions with it.
---
 include/haproxy/openssl-compat.h | 4 ++++
 include/haproxy/ssl_sock.h       | 2 +-
 src/ssl_sock.c                   | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 3cba3627f..b4af429cf 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -45,6 +45,10 @@
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
 #endif
 
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CLIENT_HELLO_CB
+#endif
+
 #if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 #endif
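Review bot: The `defined(SSL_CLIENT_HELLO_CB)` test in the added `#if` is only meaningful if `<openssl/ssl.h>` has already been included above this point in openssl-compat.h; that include is outside the hunk, and if it is missing or comes later the macro is silently undefined, the code under `#ifdef HAVE_SSL_CLIENT_HELLO_CB` in ssl_sock.c is quietly compiled out on every OpenSSL build, and nothing fails at build time. That silent failure mode is the trade-off of replacing the removed `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` check with a library feature macro, so the include order is worth confirming and the intent deserves a comment, which the bare `#if` does not convey. I would put `/* SSL_CLIENT_HELLO_CB is how OpenSSL (1.1.1+) advertises its ClientHello callback API; BoringSSL does not define it but offers an equivalent early callback, hence the explicit OPENSSL_IS_BORINGSSL case */` above the `#if`. The neighbouring `HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT` guard explicitly excludes BoringSSL, so stating why this one includes it helps the next reader.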
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index ebfdb19ab..c52d99144 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char *filename);
 void ssl_free_dh(void);
 #endif
 void ssl_free_engines(void);
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))
+#ifdef HAVE_SSL_CLIENT_HELLO_CB
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
 #ifdef OPENSSL_IS_BORINGSSL
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
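Review bot: With `#ifdef HAVE_SSL_CLIENT_HELLO_CB` these prototypes now exist only when openssl-compat.h has been included before this header, and a missing or misordered include does not break the build: the declarations simply vanish and callers fall back to implicit declarations, which depending on warning flags is a warning rather than an error. The removed `HA_OPENSSL_VERSION_NUMBER` guard presumably came from the same compat header, so this is not a regression, but since the failure is silent a one-line note is cheap, e.g. `/* HAVE_SSL_CLIENT_HELLO_CB is set in haproxy/openssl-compat.h, which must be included first */`. The nested `#ifdef OPENSSL_IS_BORINGSSL` keeps a differently typed `ssl_sock_switchctx_cbk` (it takes `const struct ssl_early_callback_ctx *`), which is easier to follow with `/* BoringSSL's early callback has its own signature */` on that line. The matching `#endif` and any `#else` branch lie outside the hunk.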
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 611ecce4d..24a38e47d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2291,7 +2291,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 	SSL_set_SSL_CTX(ssl, ctx);
 }
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))
+#ifdef HAVE_SSL_CLIENT_HELLO_CB
 
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 {
-- 
2.29.2
