Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-27 Thread Willy Tarreau
Hi Manu,

On Wed, Jul 25, 2018 at 10:34:46AM +0200, Emmanuel Hocdet wrote:
> It's ok because this function is inserted further up in the patch.
> 
> As said, it's only a revert from 019f9b10 patches for openssl-compat.h.
> From:
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / 
> BoringSSL
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
> To:
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL

OK thanks for the explanation, I've just merged your latest version.

Willy



Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
On 25 Jul 2018, at 10:34, Emmanuel Hocdet wrote:
> Hi Willy
>
>> On 24 Jul 2018, at 18:59, Willy Tarreau wrote:
>>
>> Hi Manu,
>>
>> On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
>>> Hi Willy,
>>>
>>> This patch is necessary to build with current BoringSSL (SSL_SESSION is now opaque).
>>> BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
>>> The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
>>> This will not break openssl/libressl compat.
>>
>> OK, but the chunk here seems to contradict this assertion :
>>
>> @@ -119,13 +114,6 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *}#endif-#endif--#if (OPENSSL_VERSION_NUMBER < 0x101fL) || defined(LIBRESSL_VERSION_NUMBER)-/*- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL- */-static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx){	return ctx->default_passwd_callback;
>>
>> I'm seeing that libressl will use a different code that is common
>> with openssl while you seem to have targeted boringssl only. Maybe
>> this part escaped from a larger patch that you used during development ?
>
> It’s ok because this function is inserted further up in the patch.
>
> As said, it's only a revert from 019f9b10 patches for openssl-compat.h.
> From:
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
> To:
> # Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL

This patch is easier to read out of context:

0001-MINOR-ssl-BoringSSL-matches-OpenSSL-1.1.0.patch
Description: Binary data


Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-25 Thread Emmanuel Hocdet
Hi Willy

> On 24 Jul 2018, at 18:59, Willy Tarreau wrote:
> 
> Hi Manu,
> 
> On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy,
>> 
>> This patch is necessary to build with current BoringSSL (SSL_SESSION is now 
>> opaque).
>> BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
>> The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
>> This will not break openssl/libressl compat.
> 
> OK, but the chunk here seems to contradict this assertion :
> 
> 
> @@ -119,13 +114,6 @@ static inline const OCSP_CERTID 
> *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
> }
> #endif
> 
> -#endif
> -
> -#if (OPENSSL_VERSION_NUMBER < 0x101fL) || 
> defined(LIBRESSL_VERSION_NUMBER)
> -/*
> - * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
> - */
> -
> static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
> {
>   return ctx->default_passwd_callback;
> 
> I'm seeing that libressl will use a different code that is common
> with openssl while you seem to have targeted boringssl only. Maybe 
> this part escaped from a larger patch that you used during development ?
> 

It’s ok because this function is inserted further up in the patch.

As said, it's only a revert from 019f9b10 patches for openssl-compat.h.
From:
# Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / 
BoringSSL
# Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
To:
# Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL

++
Manu




Re: [PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-24 Thread Willy Tarreau
Hi Manu,

On Mon, Jul 23, 2018 at 06:12:34PM +0200, Emmanuel Hocdet wrote:
> Hi Willy,
> 
> This patch is necessary to build with current BoringSSL (SSL_SESSION is now 
> opaque).
> BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
> The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
> This will not break openssl/libressl compat.

OK, but the chunk here seems to contradict this assertion :


@@ -119,13 +114,6 @@ static inline const OCSP_CERTID 
*OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
 }
 #endif
 
-#endif
-
-#if (OPENSSL_VERSION_NUMBER < 0x101fL) || defined(LIBRESSL_VERSION_NUMBER)
-/*
- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
- */
-
 static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
 {
return ctx->default_passwd_callback;
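
Review bot: the condition that now governs SSL_CTX_get_default_passwd_cb() is not visible in this hunk. With the "#endif" and the "#if (OPENSSL_VERSION_NUMBER < 0x101fL) || defined(LIBRESSL_VERSION_NUMBER)" lines removed just above it, the accessor that reads ctx->default_passwd_callback directly moves into the outer block that the removed "#endif" used to close. Please confirm that the enclosing condition still selects LibreSSL and pre-1.1.0 OpenSSL and leaves out BoringSSL, because a direct member access only compiles where SSL_CTX is not opaque. The removed comment was the only statement in these lines of which libraries the fallback is for, so keep an equivalent comment at the guard that now covers this function.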

I'm seeing that libressl will use a different code that is common
with openssl while you seem to have targeted boringssl only. Maybe 
this part escaped from a larger patch that you used during development ?

Thanks,
Willy



[PATCH] MINOR: ssl: BoringSSL matches OpenSSL 1.1.0

2018-07-23 Thread Emmanuel Hocdet
Hi Willy,

This patch is necessary to build with current BoringSSL (SSL_SESSION is now 
opaque).
BoringSSL correctly matches OpenSSL 1.1.0 since 3b2ff028 for haproxy needs.
The patch reverts part of haproxy 019f9b10 (openssl-compat.h).
This will not break openssl/libressl compat.

Can you consider it for 1.9?
Thanks.

Manu



0001-MINOR-ssl-BoringSSL-matches-OpenSSL-1.1.0.patch
Description: Binary data