updated patch attached

Fri, 22 Jan 2021 at 19:16, William Lallemand <wlallem...@haproxy.com>:
> You could define a HAVE_SSL_* macro like it's done elsewhere in the > code, for example "HAVE_SSL_CLIENT_HELLO_CB". > > > On Fri, Jan 22, 2021 at 06:59:58PM +0500, Илья Шипицин wrote: > > ping > > > > Tue, 19 Jan 2021 at 23:24, Илья Шипицин <chipits...@gmail.com>: > > > > > Any update on this? > > > > > > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин <chipits...@gmail.com> > wrote: > > > > > >> we can do a nasty thing. > > >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in > > >> openssl-compat.h) check whether BoringSSL is used and define that > macro. > > >> > > >> I'm not sure it is a good thing. > > >> > > >> if you think it is, please modify patch when applying. I'm ok with > such > > >> change. > > >> > > >> Mon, 18 Jan 2021 at 15:53, Илья Шипицин <chipits...@gmail.com>: > > >> > > >>> > > >>> > > >>> Mon, 18 Jan 2021 at 15:09, William Lallemand < > wlallem...@haproxy.com>: > > >>> > > >>>> Hello, > > >>>> > > >>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote: > > >>>> > Hello, > > >>>> > > > >>>> > next openssl guarding patch > > >>>> > > > >>>> > Ilya > > >>>> > > >>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 > 2001 > > >>>> > From: Ilya Shipitsin <chipits...@gmail.com> > > >>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500 > > >>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with > > >>>> > SSL_CLIENT_HELLO_CB macro instead of openssl version > > >>>> > > > >>>> > --- > > >>>> > include/haproxy/ssl_sock.h | 2 +- > > >>>> > src/ssl_sock.c | 2 +- > > >>>> > 2 files changed, 2 insertions(+), 2 deletions(-) > > >>>> > > > >>>> > diff --git a/include/haproxy/ssl_sock.h > b/include/haproxy/ssl_sock.h > > >>>> > index ebfdb19ab..bde75b632 100644 > > >>>> > --- a/include/haproxy/ssl_sock.h > > >>>> > +++ b/include/haproxy/ssl_sock.h
> > >>>> > @@ -92,7 +92,7 @@ int > ssl_sock_load_global_dh_param_from_file(const > > >>>> char *filename); > > >>>> > void ssl_free_dh(void); > > >>>> > #endif > > >>>> > void ssl_free_engines(void); > > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > > >>>> defined(OPENSSL_IS_BORINGSSL)) > > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || > defined(OPENSSL_IS_BORINGSSL)) > > >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); > > >>>> > #ifdef OPENSSL_IS_BORINGSSL > > >>>> > int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx > *ctx); > > >>>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > > >>>> > index 5ac81d36a..3e133d423 100644 > > >>>> > --- a/src/ssl_sock.c > > >>>> > +++ b/src/ssl_sock.c > > >>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, > > >>>> SSL_CTX *ctx) > > >>>> > SSL_set_SSL_CTX(ssl, ctx); > > >>>> > } > > >>>> > > > >>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || > > >>>> defined(OPENSSL_IS_BORINGSSL)) > > >>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || > defined(OPENSSL_IS_BORINGSSL)) > > >>>> > > > >>>> > int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) > > >>>> > { > > >>>> > > >>>> We probably want to remove the defined(IS_BORINGSSL) from the > > >>>> ssl_sock.c too. > > >>>> Why don't you define a macro constant with the feature name in > > >>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was > done > > >>>> for various functions. > > >>>> > > >>> > > >>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future > > >>> improvement. > > >>> > > >>> this particular guard is used 2 times only (in *.h and *.c files), > > >>> readability is good. > > >>> > > >>> > > >>> > > >>>> > > >>>> Regards, > > >>>> > > >>>> -- > > >>>> William Lallemand > > >>>> > > >>> > > -- > William Lallemand >
From c733754941556b30bbc3e4ad4f8f917d5a885282 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin <chipits...@gmail.com> Date: Sat, 23 Jan 2021 00:09:14 +0500 Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with HAVE_SSL_CLIENT_HELLO_CB macro instead of openssl version let us introduce new macro HAVE_SSL_CLIENT_HELLO_CB and guard callback functions with it --- include/haproxy/openssl-compat.h | 4 ++++ include/haproxy/ssl_sock.h | 2 +- src/ssl_sock.c | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index 3cba3627f..b4af429cf 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -45,6 +45,10 @@ #define HAVE_SSL_CTX_SET_CIPHERSUITES #endif +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL)) +#define HAVE_SSL_CLIENT_HELLO_CB +#endif + #if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) #define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT #endif diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h index ebfdb19ab..c52d99144 100644 --- a/include/haproxy/ssl_sock.h +++ b/include/haproxy/ssl_sock.h @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char *filename); void ssl_free_dh(void); #endif void ssl_free_engines(void); -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) +#ifdef HAVE_SSL_CLIENT_HELLO_CB int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv); #ifdef OPENSSL_IS_BORINGSSL int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx); diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 611ecce4d..24a38e47d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
@@ -2291,7 +2291,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) SSL_set_SSL_CTX(ssl, ctx); } -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) +#ifdef HAVE_SSL_CLIENT_HELLO_CB int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) { -- 2.29.2
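Review bot: in the openssl-compat.h hunk, the new block `#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))` / `#define HAVE_SSL_CLIENT_HELLO_CB` keeps the BoringSSL special case that the thread discussed removing, only now centralised in one place; a one-line comment above it saying why BoringSSL counts as providing the feature (it does not define SSL_CLIENT_HELLO_CB and uses its own ssl_early_callback_ctx entry point, as the ssl_sock.h context shows) would save the next reader from re-deriving that. Please also confirm that the OpenSSL header which defines SSL_CLIENT_HELLO_CB is already included at this point in openssl-compat.h: if it is not, defined(SSL_CLIENT_HELLO_CB) is silently false and the callbacks compile out with no error.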
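Review bot: in the ssl_sock.h hunk, replacing `#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))` with `#ifdef HAVE_SSL_CLIENT_HELLO_CB` is a behaviour change for any library build where the version number and the feature macro disagree: a build whose HA_OPENSSL_VERSION_NUMBER is at or above 0x10101000L but which does not define SSL_CLIENT_HELLO_CB now loses the callback declarations, and one that defines SSL_CLIENT_HELLO_CB below that version gains them. The commit message only says the guard was switched; it should state which supported libraries this was build-tested against so the change can be traced later. The nested `#ifdef OPENSSL_IS_BORINGSSL` choosing the ssl_early_callback_ctx prototype is untouched and remains consistent with the new outer guard.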
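Review bot: in the ssl_sock.c hunk, `#ifdef HAVE_SSL_CLIENT_HELLO_CB` now depends on openssl-compat.h having been included before line 2291, and an `#ifdef` on a macro that has not been defined yet silently drops the definitions instead of failing, so the declarations guarded in ssl_sock.h and the definitions guarded here could diverge without a compile error if the include order of the two files ever differs. Please confirm ssl_sock.c picks up openssl-compat.h (directly or through ssl_sock.h) ahead of this point, and, since the region's closing `#endif` lies outside the hunk, that no `#else` branch in that region still refers to the old version test.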