Re: [PATCH] improve ssl guarding

2021-02-07 Thread William Lallemand
On Sat, Feb 06, 2021 at 09:18:30PM +0500, Илья Шипицин wrote:
> you are right.
> I've fixed it.
>

Thanks, both pushed in master.

-- 
William Lallemand



Re: [PATCH] improve ssl guarding

2021-02-06 Thread Илья Шипицин
you are right.
I've fixed it.

сб, 23 янв. 2021 г. в 21:41, William Lallemand :

> On Sat, Jan 23, 2021 at 04:50:08PM +0500, Илья Шипицин wrote:
> > Hello,
> >
> > yet another guard improving patch (forgot to fix last time)
> >
> > Ilya
>
> Hello,
>
> > From 5ce5623fac558d85c0ef0ec26dcffca754a87fae Mon Sep 17 00:00:00 2001
> > From: Ilya Shipitsin 
> > Date: Sat, 23 Jan 2021 16:38:33 +0500
> > Subject: [PATCH 1/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with
> >  special macro
> >
> > ---
> >  src/ssl_sock.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> > index 2bda3d765..803af393f 100644
> > --- a/src/ssl_sock.c
> > +++ b/src/ssl_sock.c
> > @@ -6720,7 +6720,7 @@ static struct action_kw_list http_req_actions =
> {ILH, {
> >
> >  INITCALL1(STG_REGISTER, http_req_keywords_register, _req_actions);
> >
> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined
> OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
> > +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
> >
>
> I believe you wanted to write "SSL_CTX" and not "SL_CTX" here?
>
> >  static void ssl_sock_sctl_free_func(void *parent, void *ptr,
> CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
> >  {
> > @@ -6818,7 +6818,7 @@ static void __ssl_sock_init(void)
> >  #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
> >   ssl_locking_init();
> >  #endif
> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined
> OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
> > +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
> >   sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
> ssl_sock_sctl_free_func);
> >  #endif
> >
>
>
> --
> William Lallemand
>
From 5cbc6e7f428756c8cf67d9789f0b8df6b8715a20 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 6 Feb 2021 18:55:27 +0500
Subject: [PATCH 1/2] BUILD: ssl: fix typo in
 HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro

HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT was introduced in ec609098718b9c1cd803ca57442b2b98c9ba4a16,
however it was defined as HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT (missing "S").
Let us fix the typo.
---
 include/haproxy/openssl-compat.h | 2 +-
 src/ssl_sock.c   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index b4af429cf..3fe58be40 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -50,7 +50,7 @@
 #endif
 
 #if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
-#define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
+#define HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
 #endif
 
 #if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) && !defined(LIBRESSL_VERSION_NUMBER))
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ccce57874..f2c8a667c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1497,7 +1497,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 #endif
 
 
-#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
+#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
 
 #define CT_EXTENSION_TYPE 18
 
@@ -3217,7 +3217,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 #endif
 
-#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
+#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
 	if (sctl_ex_index >= 0 && ckch->sctl) {
 		if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
 			memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
-- 
2.29.2

From 8db969c4b7f40865a895f37772d697d6f08e9727 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 6 Feb 2021 18:59:22 +0500
Subject: [PATCH 2/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with 
 special macro

The special guard macro HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT was defined earlier
exactly for guarding SSL_CTX_add_server_custom_ext; let us use it wherever
appropriate.
---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f2c8a667c..310578503 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6922,7 +6922,7 @@ static struct action_kw_list http_req_actions = {ILH, {
 
 INITCALL1(STG_REGISTER, http_req_keywords_register, _req_actions);
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
 
 static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
 {
@@ -7020,7 +7020,7 @@ static void __ssl_sock_init(void)
 #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
 	ssl_locking_init();
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT
 	sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
 #endif
 
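Review bot: The guard removed on the `-` line did not exclude LibreSSL, but HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT as defined in openssl-compat.h in the companion patch carries `!defined(LIBRESSL_VERSION_NUMBER)`, so after this hunk a LibreSSL build no longer registers `sctl_ex_index` (and, per the previous hunk, no longer compiles `ssl_sock_sctl_free_func`). That is consistent with the `ckch->sctl` loader already sitting under the same macro, but it is a behaviour change that the commit message presents as a pure cleanup; I would add `On LibreSSL this also drops the now-unused sctl ex-data registration, matching the guard around ssl_sock_load_sctl.` to the message. It also relies on `sctl_ex_index` being initialised to a negative value so that the `sctl_ex_index >= 0` test at the use site stays false when this block is compiled out; that declaration is outside the hunk and worth confirming. __ssl_sock_init continues past the end of the hunk.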
-- 
2.29.2


Re: [PATCH] improve ssl guarding

2021-01-23 Thread William Lallemand
On Sat, Jan 23, 2021 at 04:50:08PM +0500, Илья Шипицин wrote:
> Hello,
> 
> yet another guard improving patch (forgot to fix last time)
> 
> Ilya

Hello,

> From 5ce5623fac558d85c0ef0ec26dcffca754a87fae Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin 
> Date: Sat, 23 Jan 2021 16:38:33 +0500
> Subject: [PATCH 1/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with
>  special macro
> 
> ---
>  src/ssl_sock.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index 2bda3d765..803af393f 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -6720,7 +6720,7 @@ static struct action_kw_list http_req_actions = {ILH, {
>  
>  INITCALL1(STG_REGISTER, http_req_keywords_register, _req_actions);
>  
> -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT 
> && !defined OPENSSL_IS_BORINGSSL)
> +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
>  

I believe you wanted to write "SSL_CTX" and not "SL_CTX" here?

>  static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA 
> *ad, int idx, long argl, void *argp)
>  {
> @@ -6818,7 +6818,7 @@ static void __ssl_sock_init(void)
>  #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
>   ssl_locking_init();
>  #endif
> -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT 
> && !defined OPENSSL_IS_BORINGSSL)
> +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
>   sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, 
> ssl_sock_sctl_free_func);
>  #endif
>  


-- 
William Lallemand



[PATCH] improve ssl guarding

2021-01-23 Thread Илья Шипицин
Hello,

yet another guard improving patch (forgot to fix last time)

Ilya
From 5ce5623fac558d85c0ef0ec26dcffca754a87fae Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 23 Jan 2021 16:38:33 +0500
Subject: [PATCH 1/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with
 special macro

---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2bda3d765..803af393f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6720,7 +6720,7 @@ static struct action_kw_list http_req_actions = {ILH, {
 
 INITCALL1(STG_REGISTER, http_req_keywords_register, _req_actions);
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 
 static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
 {
@@ -6818,7 +6818,7 @@ static void __ssl_sock_init(void)
 #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
 	ssl_locking_init();
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 	sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
 #endif
 
-- 
2.29.2



Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread William Lallemand
On Sat, Jan 23, 2021 at 12:23:01AM +0500, Илья Шипицин wrote:
> updated patch attached
> 

Thanks, merged.

-- 
William Lallemand



Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread Илья Шипицин
updated patch attached

пт, 22 янв. 2021 г. в 19:16, William Lallemand :

> You could define a HAVE_SSL_* macro like it's done elsewhere in the
> code, for example "HAVE_SSL_CLIENT_HELLO_CB".
>
>
> On Fri, Jan 22, 2021 at 06:59:58PM +0500, Илья Шипицин wrote:
> > ping
> >
> > вт, 19 янв. 2021 г. в 23:24, Илья Шипицин :
> >
> > > Any update on this?
> > >
> > > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин 
> wrote:
> > >
> > >> we can do nasty thing.
> > >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
> > >> openssl-compat.h) check whether BoringSSL is used and define that
> macro.
> > >>
> > >> I'm not sure it is good thing.
> > >>
> > >> if you thing it is, please modify patch when applying. I'm ok with
> such
> > >> change.
> > >>
> > >> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин :
> > >>
> > >>>
> > >>>
> > >>> пн, 18 янв. 2021 г. в 15:09, William Lallemand <
> wlallem...@haproxy.com>:
> > >>>
> >  Hello,
> > 
> >  On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
> >  > Hello,
> >  >
> >  > next openssl guarding patch
> >  >
> >  > Ilya
> > 
> >  > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00
> 2001
> >  > From: Ilya Shipitsin 
> >  > Date: Sat, 16 Jan 2021 23:15:12 +0500
> >  > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
> >  >  SSL_CLIENT_HELLO_CB macro instead of openssl version
> >  >
> >  > ---
> >  >  include/haproxy/ssl_sock.h | 2 +-
> >  >  src/ssl_sock.c | 2 +-
> >  >  2 files changed, 2 insertions(+), 2 deletions(-)
> >  >
> >  > diff --git a/include/haproxy/ssl_sock.h
> b/include/haproxy/ssl_sock.h
> >  > index ebfdb19ab..bde75b632 100644
> >  > --- a/include/haproxy/ssl_sock.h
> >  > +++ b/include/haproxy/ssl_sock.h
> >  > @@ -92,7 +92,7 @@ int
> ssl_sock_load_global_dh_param_from_file(const
> >  char *filename);
> >  >  void ssl_free_dh(void);
> >  >  #endif
> >  >  void ssl_free_engines(void);
> >  > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> >  defined(OPENSSL_IS_BORINGSSL))
> >  > +#if (defined(SSL_CLIENT_HELLO_CB) ||
> defined(OPENSSL_IS_BORINGSSL))
> >  >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
> >  >  #ifdef OPENSSL_IS_BORINGSSL
> >  >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx
> *ctx);
> >  > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> >  > index 5ac81d36a..3e133d423 100644
> >  > --- a/src/ssl_sock.c
> >  > +++ b/src/ssl_sock.c
> >  > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
> >  SSL_CTX *ctx)
> >  >   SSL_set_SSL_CTX(ssl, ctx);
> >  >  }
> >  >
> >  > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> >  defined(OPENSSL_IS_BORINGSSL))
> >  > +#if (defined(SSL_CLIENT_HELLO_CB) ||
> defined(OPENSSL_IS_BORINGSSL))
> >  >
> >  >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
> >  >  {
> > 
> >  We probably want to remove the defined(IS_BORINGSSL) from the
> >  ssl_sock.c too.
> >  Why don't you define a macro constant with the feature name in
> >  openssl-compat.h and test this constant in ssl_sock.c? Like it was
> done
> >  for various fonctions.
> > 
> > >>>
> > >>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
> > >>> improvements.
> > >>>
> > >>> this particular guard is used 2 times only (in *.h and *.c files),
> > >>> readability is good.
> > >>>
> > >>>
> > >>>
> > 
> >  Regards,
> > 
> >  --
> >  William Lallemand
> > 
> > >>>
>
> --
> William Lallemand
>
From c733754941556b30bbc3e4ad4f8f917d5a885282 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 23 Jan 2021 00:09:14 +0500
Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
 HAVE_SSL_CLIENT_HELLO_CB macro instead of openssl version

Let us introduce the new macro HAVE_SSL_CLIENT_HELLO_CB and guard the
callback functions with it.
---
 include/haproxy/openssl-compat.h | 4 
 include/haproxy/ssl_sock.h   | 2 +-
 src/ssl_sock.c   | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 3cba3627f..b4af429cf 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -45,6 +45,10 @@
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
 #endif
 
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CLIENT_HELLO_CB
+#endif
+
 #if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT
 #endif
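Review bot: The new HAVE_SSL_CLIENT_HELLO_CB definition keeps `defined(OPENSSL_IS_BORINGSSL)` as an alternative, so the macro does not mean "SSL_CTX_set_client_hello_cb exists": on BoringSSL the same guard covers a differently-typed callback (the earlier version of this patch shows ssl_sock.h declaring `ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)` under OPENSSL_IS_BORINGSSL), which is why the OPENSSL_IS_BORINGSSL branches in ssl_sock.c cannot go away yet as the reviewer asked. Nothing in the header says this, so a comment above the `#if` would stop the next reader from assuming both libraries share one API, e.g. `/* ClientHello-time context switching: OpenSSL's SSL_CTX_set_client_hello_cb, or BoringSSL's early/select-certificate callback (different prototype; see the OPENSSL_IS_BORINGSSL branches in ssl_sock.c) */`. Whether `SSL_CLIENT_HELLO_CB` is a marker OpenSSL's own headers define is not visible in this thread; if it is, the comment should say so, because an `#ifdef` on a name that is never defined silently compiles the feature out rather than failing the build.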
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index ebfdb19ab..c52d99144 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -92,7 +92,7 @@ int 

Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread William Lallemand
You could define a HAVE_SSL_* macro like it's done elsewhere in the
code, for example "HAVE_SSL_CLIENT_HELLO_CB".


On Fri, Jan 22, 2021 at 06:59:58PM +0500, Илья Шипицин wrote:
> ping
> 
> вт, 19 янв. 2021 г. в 23:24, Илья Шипицин :
> 
> > Any update on this?
> >
> > On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин  wrote:
> >
> >> we can do nasty thing.
> >> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
> >> openssl-compat.h) check whether BoringSSL is used and define that macro.
> >>
> >> I'm not sure it is good thing.
> >>
> >> if you thing it is, please modify patch when applying. I'm ok with such
> >> change.
> >>
> >> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин :
> >>
> >>>
> >>>
> >>> пн, 18 янв. 2021 г. в 15:09, William Lallemand :
> >>>
>  Hello,
> 
>  On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
>  > Hello,
>  >
>  > next openssl guarding patch
>  >
>  > Ilya
> 
>  > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
>  > From: Ilya Shipitsin 
>  > Date: Sat, 16 Jan 2021 23:15:12 +0500
>  > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
>  >  SSL_CLIENT_HELLO_CB macro instead of openssl version
>  >
>  > ---
>  >  include/haproxy/ssl_sock.h | 2 +-
>  >  src/ssl_sock.c | 2 +-
>  >  2 files changed, 2 insertions(+), 2 deletions(-)
>  >
>  > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
>  > index ebfdb19ab..bde75b632 100644
>  > --- a/include/haproxy/ssl_sock.h
>  > +++ b/include/haproxy/ssl_sock.h
>  > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const
>  char *filename);
>  >  void ssl_free_dh(void);
>  >  #endif
>  >  void ssl_free_engines(void);
>  > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>  defined(OPENSSL_IS_BORINGSSL))
>  > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>  >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
>  >  #ifdef OPENSSL_IS_BORINGSSL
>  >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
>  > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>  > index 5ac81d36a..3e133d423 100644
>  > --- a/src/ssl_sock.c
>  > +++ b/src/ssl_sock.c
>  > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
>  SSL_CTX *ctx)
>  >   SSL_set_SSL_CTX(ssl, ctx);
>  >  }
>  >
>  > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>  defined(OPENSSL_IS_BORINGSSL))
>  > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>  >
>  >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
>  >  {
> 
>  We probably want to remove the defined(IS_BORINGSSL) from the
>  ssl_sock.c too.
>  Why don't you define a macro constant with the feature name in
>  openssl-compat.h and test this constant in ssl_sock.c? Like it was done
>  for various fonctions.
> 
> >>>
> >>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
> >>> improvements.
> >>>
> >>> this particular guard is used 2 times only (in *.h and *.c files),
> >>> readability is good.
> >>>
> >>>
> >>>
> 
>  Regards,
> 
>  --
>  William Lallemand
> 
> >>>

-- 
William Lallemand



Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-22 Thread Илья Шипицин
ping

вт, 19 янв. 2021 г. в 23:24, Илья Шипицин :

> Any update on this?
>
> On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин  wrote:
>
>> we can do nasty thing.
>> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
>> openssl-compat.h) check whether BoringSSL is used and define that macro.
>>
>> I'm not sure it is good thing.
>>
>> if you thing it is, please modify patch when applying. I'm ok with such
>> change.
>>
>> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин :
>>
>>>
>>>
>>> пн, 18 янв. 2021 г. в 15:09, William Lallemand :
>>>
 Hello,

 On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
 > Hello,
 >
 > next openssl guarding patch
 >
 > Ilya

 > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
 > From: Ilya Shipitsin 
 > Date: Sat, 16 Jan 2021 23:15:12 +0500
 > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
 >  SSL_CLIENT_HELLO_CB macro instead of openssl version
 >
 > ---
 >  include/haproxy/ssl_sock.h | 2 +-
 >  src/ssl_sock.c | 2 +-
 >  2 files changed, 2 insertions(+), 2 deletions(-)
 >
 > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
 > index ebfdb19ab..bde75b632 100644
 > --- a/include/haproxy/ssl_sock.h
 > +++ b/include/haproxy/ssl_sock.h
 > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const
 char *filename);
 >  void ssl_free_dh(void);
 >  #endif
 >  void ssl_free_engines(void);
 > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
 defined(OPENSSL_IS_BORINGSSL))
 > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
 >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
 >  #ifdef OPENSSL_IS_BORINGSSL
 >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
 > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 > index 5ac81d36a..3e133d423 100644
 > --- a/src/ssl_sock.c
 > +++ b/src/ssl_sock.c
 > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
 SSL_CTX *ctx)
 >   SSL_set_SSL_CTX(ssl, ctx);
 >  }
 >
 > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
 defined(OPENSSL_IS_BORINGSSL))
 > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
 >
 >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 >  {

 We probably want to remove the defined(IS_BORINGSSL) from the
 ssl_sock.c too.
 Why don't you define a macro constant with the feature name in
 openssl-compat.h and test this constant in ssl_sock.c? Like it was done
 for various fonctions.

>>>
>>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
>>> improvements.
>>>
>>> this particular guard is used 2 times only (in *.h and *.c files),
>>> readability is good.
>>>
>>>
>>>

 Regards,

 --
 William Lallemand

>>>


Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-19 Thread Илья Шипицин
Any update on this?

On Mon, Jan 18, 2021, 3:56 PM Илья Шипицин  wrote:

> we can do nasty thing.
> SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
> openssl-compat.h) check whether BoringSSL is used and define that macro.
>
> I'm not sure it is good thing.
>
> if you thing it is, please modify patch when applying. I'm ok with such
> change.
>
> пн, 18 янв. 2021 г. в 15:53, Илья Шипицин :
>
>>
>>
>> пн, 18 янв. 2021 г. в 15:09, William Lallemand :
>>
>>> Hello,
>>>
>>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
>>> > Hello,
>>> >
>>> > next openssl guarding patch
>>> >
>>> > Ilya
>>>
>>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
>>> > From: Ilya Shipitsin 
>>> > Date: Sat, 16 Jan 2021 23:15:12 +0500
>>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
>>> >  SSL_CLIENT_HELLO_CB macro instead of openssl version
>>> >
>>> > ---
>>> >  include/haproxy/ssl_sock.h | 2 +-
>>> >  src/ssl_sock.c | 2 +-
>>> >  2 files changed, 2 insertions(+), 2 deletions(-)
>>> >
>>> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
>>> > index ebfdb19ab..bde75b632 100644
>>> > --- a/include/haproxy/ssl_sock.h
>>> > +++ b/include/haproxy/ssl_sock.h
>>> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const
>>> char *filename);
>>> >  void ssl_free_dh(void);
>>> >  #endif
>>> >  void ssl_free_engines(void);
>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>>> defined(OPENSSL_IS_BORINGSSL))
>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
>>> >  #ifdef OPENSSL_IS_BORINGSSL
>>> >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
>>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>>> > index 5ac81d36a..3e133d423 100644
>>> > --- a/src/ssl_sock.c
>>> > +++ b/src/ssl_sock.c
>>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
>>> SSL_CTX *ctx)
>>> >   SSL_set_SSL_CTX(ssl, ctx);
>>> >  }
>>> >
>>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>>> defined(OPENSSL_IS_BORINGSSL))
>>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>>> >
>>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
>>> >  {
>>>
>>> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c
>>> too.
>>> Why don't you define a macro constant with the feature name in
>>> openssl-compat.h and test this constant in ssl_sock.c? Like it was done
>>> for various fonctions.
>>>
>>
>> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
>> improvements.
>>
>> this particular guard is used 2 times only (in *.h and *.c files),
>> readability is good.
>>
>>
>>
>>>
>>> Regards,
>>>
>>> --
>>> William Lallemand
>>>
>>


Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-18 Thread Илья Шипицин
we can do nasty thing.
SSL_CLIENT_HELLO_CB is not defined for BoringSSL, we can (in
openssl-compat.h) check whether BoringSSL is used and define that macro.

I'm not sure it is good thing.

if you think it is, please modify the patch when applying. I'm ok with such a
change.

пн, 18 янв. 2021 г. в 15:53, Илья Шипицин :

>
>
> пн, 18 янв. 2021 г. в 15:09, William Lallemand :
>
>> Hello,
>>
>> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
>> > Hello,
>> >
>> > next openssl guarding patch
>> >
>> > Ilya
>>
>> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
>> > From: Ilya Shipitsin 
>> > Date: Sat, 16 Jan 2021 23:15:12 +0500
>> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
>> >  SSL_CLIENT_HELLO_CB macro instead of openssl version
>> >
>> > ---
>> >  include/haproxy/ssl_sock.h | 2 +-
>> >  src/ssl_sock.c | 2 +-
>> >  2 files changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
>> > index ebfdb19ab..bde75b632 100644
>> > --- a/include/haproxy/ssl_sock.h
>> > +++ b/include/haproxy/ssl_sock.h
>> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const
>> char *filename);
>> >  void ssl_free_dh(void);
>> >  #endif
>> >  void ssl_free_engines(void);
>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>> defined(OPENSSL_IS_BORINGSSL))
>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
>> >  #ifdef OPENSSL_IS_BORINGSSL
>> >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
>> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> > index 5ac81d36a..3e133d423 100644
>> > --- a/src/ssl_sock.c
>> > +++ b/src/ssl_sock.c
>> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
>> SSL_CTX *ctx)
>> >   SSL_set_SSL_CTX(ssl, ctx);
>> >  }
>> >
>> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
>> defined(OPENSSL_IS_BORINGSSL))
>> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>> >
>> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
>> >  {
>>
>> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c
>> too.
>> Why don't you define a macro constant with the feature name in
>> openssl-compat.h and test this constant in ssl_sock.c? Like it was done
>> for various fonctions.
>>
>
> it depends. I'd consider removing OPENSSL_IS_BORINGSSL as a future
> improvements.
>
> this particular guard is used 2 times only (in *.h and *.c files),
> readability is good.
>
>
>
>>
>> Regards,
>>
>> --
>> William Lallemand
>>
>


Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-18 Thread Илья Шипицин
пн, 18 янв. 2021 г. в 15:09, William Lallemand :

> Hello,
>
> On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
> > Hello,
> >
> > next openssl guarding patch
> >
> > Ilya
>
> > From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
> > From: Ilya Shipitsin 
> > Date: Sat, 16 Jan 2021 23:15:12 +0500
> > Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
> >  SSL_CLIENT_HELLO_CB macro instead of openssl version
> >
> > ---
> >  include/haproxy/ssl_sock.h | 2 +-
> >  src/ssl_sock.c | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
> > index ebfdb19ab..bde75b632 100644
> > --- a/include/haproxy/ssl_sock.h
> > +++ b/include/haproxy/ssl_sock.h
> > @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char
> *filename);
> >  void ssl_free_dh(void);
> >  #endif
> >  void ssl_free_engines(void);
> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> defined(OPENSSL_IS_BORINGSSL))
> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
> >  #ifdef OPENSSL_IS_BORINGSSL
> >  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
> > diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> > index 5ac81d36a..3e133d423 100644
> > --- a/src/ssl_sock.c
> > +++ b/src/ssl_sock.c
> > @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl,
> SSL_CTX *ctx)
> >   SSL_set_SSL_CTX(ssl, ctx);
> >  }
> >
> > -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) ||
> defined(OPENSSL_IS_BORINGSSL))
> > +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
> >
> >  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
> >  {
>
> We probably want to remove the defined(IS_BORINGSSL) from the ssl_sock.c
> too.
> Why don't you define a macro constant with the feature name in
> openssl-compat.h and test this constant in ssl_sock.c? Like it was done
> for various fonctions.
>

It depends. I'd consider removing OPENSSL_IS_BORINGSSL a future
improvement.

this particular guard is used 2 times only (in *.h and *.c files),
readability is good.



>
> Regards,
>
> --
> William Lallemand
>


Re: [PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-18 Thread William Lallemand
Hello,

On Sat, Jan 16, 2021 at 11:25:05PM +0500, Илья Шипицин wrote:
> Hello,
> 
> next openssl guarding patch
> 
> Ilya

> From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin 
> Date: Sat, 16 Jan 2021 23:15:12 +0500
> Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
>  SSL_CLIENT_HELLO_CB macro instead of openssl version
> 
> ---
>  include/haproxy/ssl_sock.h | 2 +-
>  src/ssl_sock.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
> index ebfdb19ab..bde75b632 100644
> --- a/include/haproxy/ssl_sock.h
> +++ b/include/haproxy/ssl_sock.h
> @@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char 
> *filename);
>  void ssl_free_dh(void);
>  #endif
>  void ssl_free_engines(void);
> -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || 
> defined(OPENSSL_IS_BORINGSSL))
> +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
>  #ifdef OPENSSL_IS_BORINGSSL
>  int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index 5ac81d36a..3e133d423 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX 
> *ctx)
>   SSL_set_SSL_CTX(ssl, ctx);
>  }
>  
> -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || 
> defined(OPENSSL_IS_BORINGSSL))
> +#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
>  
>  int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
>  {

We probably want to remove the defined(OPENSSL_IS_BORINGSSL) from ssl_sock.c too.
Why don't you define a macro constant with the feature name in
openssl-compat.h and test this constant in ssl_sock.c? Like it was done
for various functions.

Regards,

-- 
William Lallemand



[PATCH] improve ssl guarding by switching to macro SSL_CLIENT_HELLO_CB instead of openssl version

2021-01-16 Thread Илья Шипицин
Hello,

next openssl guarding patch

Ilya
From b5ff0a9f1e0d2edc84981b39050e7f21d2b08ba8 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 16 Jan 2021 23:15:12 +0500
Subject: [PATCH] BUILD: ssl: guard Client Hello callbacks with
 SSL_CLIENT_HELLO_CB macro instead of openssl version

---
 include/haproxy/ssl_sock.h | 2 +-
 src/ssl_sock.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index ebfdb19ab..bde75b632 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -92,7 +92,7 @@ int ssl_sock_load_global_dh_param_from_file(const char *filename);
 void ssl_free_dh(void);
 #endif
 void ssl_free_engines(void);
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
 #ifdef OPENSSL_IS_BORINGSSL
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5ac81d36a..3e133d423 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2290,7 +2290,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 	SSL_set_SSL_CTX(ssl, ctx);
 }
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))
+#if (defined(SSL_CLIENT_HELLO_CB) || defined(OPENSSL_IS_BORINGSSL))
 
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 {
-- 
2.29.2



Re: [PATCH] improve SSL guarding, use macro instead of openssl version

2021-01-07 Thread William Lallemand
On Thu, Jan 07, 2021 at 12:28:02PM +0500, Илья Шипицин wrote:
> Hi,
> 
> another series of removing HA_OPENSSL_VERSION
> 
> Ilya


Thanks, merged.



-- 
William Lallemand



[PATCH] improve SSL guarding, use macro instead of openssl version

2021-01-06 Thread Илья Шипицин
Hi,

another series of removing HA_OPENSSL_VERSION

Ilya
From 13b0f8e575021b4d3c10fd3a2066ff83b26588bc Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 7 Jan 2021 11:55:45 +0500
Subject: [PATCH 1/3] BUILD: SSL: guard TLS13 ciphersuites with
 HAVE_SSL_CTX_SET_CIPHERSUITES

src/server.c accidentally still used the earlier guard
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 9463882fe..1c4ad7aaf 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1553,7 +1553,7 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
 	if (src->ssl_ctx.methods.max)
 		srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	if (src->ssl_ctx.ciphersuites != NULL)
 		srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
 #endif
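Review bot: The `strdup()` on the line right after the new guard is still unchecked, so an allocation failure leaves `srv->ssl_ctx.ciphersuites` NULL and this server presumably falls back to the library's default TLS 1.3 ciphersuites instead of the configured ones — a silent downgrade rather than an error (the consumer of the field is outside this hunk, so confirm it treats NULL as "unset"). srv_ssl_settings_cpy returns void and starts before this hunk, so the choice is between the project's usual fatal-on-OOM path at configuration time and, at minimum, a comment such as `/* allocation failure here is tolerated: NULL means "use library defaults" */` if that is intended. Separately, the replaced guard excluded BoringSSL explicitly while HAVE_SSL_CTX_SET_CIPHERSUITES is defined in openssl-compat.h under a condition not shown in this thread; if that condition differs from `>= 0x10101000L && !OPENSSL_IS_BORINGSSL`, the `ciphersuites` member's own declaration must be under the same macro or this hunk will not compile on the affected library.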
-- 
2.29.2

From 5bc44a8a35b5234a57e63325317175e33af9a924 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 7 Jan 2021 11:57:42 +0500
Subject: [PATCH 2/3] BUILD: ssl: guard EVP_PKEY_get_default_digest_nid with
 ASN1_PKEY_CTRL_DEFAULT_MD_NID

Let us switch to an OpenSSL-specific macro instead of version checks.
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 830dc3e69..587140f1b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2001,7 +2001,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	else if (key_type == EVP_PKEY_EC)
 		digest = EVP_sha256();
 	else {
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x100fL) && !defined(OPENSSL_IS_BORINGSSL)
+#ifdef ASN1_PKEY_CTRL_DEFAULT_MD_NID
 		int nid;
 
 		if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0)
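Review bot: `ASN1_PKEY_CTRL_DEFAULT_MD_NID` is the ASN1 method control number that `EVP_PKEY_get_default_digest_nid()` issues internally, not a documented feature-test macro for the function, so the new `#ifdef` is a proxy: a library that provides the function but does not expose that ctrl in its public headers would silently take the `#else` branch and sign the generated certificate with whatever fixed digest that branch chooses, instead of failing to compile. Since this series is introducing HAVE_SSL_* names in openssl-compat.h for exactly this purpose, a `HAVE_EVP_PKEY_GET_DEFAULT_DIGEST_NID` defined there with a one-line comment naming the proxy (`/* proxy: the ctrl EVP_PKEY_get_default_digest_nid() is built on */`) would keep the policy in one place, and the `-` line's explicit BoringSSL exclusion would survive in a readable form. The `#else` branch and the rest of ssl_sock_do_create_cert lie outside this hunk, and `(capkey, )` looks like `&nid` lost in the archive rendering rather than in the patch itself.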
-- 
2.29.2

From c3971d1290d0bf460ce167a94ece0a99f16d34fd Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 7 Jan 2021 11:59:58 +0500
Subject: [PATCH 3/3] BUILD: ssl: guard openssl specific with
 SSL_READ_EARLY_DATA_SUCCESS

Let us switch to SSL_READ_EARLY_DATA_SUCCESS instead of OpenSSL version checks.
---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 587140f1b..5ac81d36a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5630,7 +5630,7 @@ static struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned short
 			goto leave;
 		}
 	}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef SSL_READ_EARLY_DATA_SUCCESS
 	/* If we have early data and somebody wants to receive, let them */
 	else if (b_data(>early_buf) && ctx->subs &&
 		 ctx->subs->events & SUB_RETRY_RECV) {
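Review bot: `SSL_READ_EARLY_DATA_SUCCESS` is a return code of `SSL_read_early_data()`, and neither this hunk nor the next one calls that function — they only test `ctx->early_buf` — so the new guard is again a proxy for "early data supported" rather than a check on the API actually used here. It has to match exactly the guard around the `early_buf` member's declaration and every other 0-RTT site (all outside this view): a mismatch in the declaration direction is at least a compile error, but another site left on the old `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` test while this one moves to the macro would compile and simply diverge per library. A single `HAVE_SSL_0RTT_EARLY_DATA`-style macro in openssl-compat.h, defined from `SSL_READ_EARLY_DATA_SUCCESS` with a comment naming the proxy, would let all sites share one definition, consistent with HAVE_SSL_CTX_SET_CIPHERSUITES elsewhere in this series. Both ssl_sock_io_cb here and ssl_sock_to_buf in the next hunk start before their hunks.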
@@ -5669,7 +5669,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 	if (!ctx)
 		goto out_error;
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef SSL_READ_EARLY_DATA_SUCCESS
 	if (b_data(>early_buf)) {
 		try = b_contig_space(buf);
 		if (try > b_data(>early_buf))
-- 
2.29.2