Re: [PATCH] unveil the power of BoringSSL by setting its own version back to 1.1.1

2020-11-24 Thread William Lallemand
On Sat, Nov 21, 2020 at 11:23:32PM +0500, Илья Шипицин wrote:
> hopefully final BoringSSL patches this week.
> 
> Ilya


Thanks, all merged!

-- 
William Lallemand



[PATCH] unveil the power of BoringSSL by setting its own version back to 1.1.1

2020-11-21 Thread Илья Шипицин
hopefully final BoringSSL patches this week.

Ilya
From bebe09e8e1aaf89f12394322fa6a0387d4232f0a Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 21 Nov 2020 23:10:04 +0500
Subject: [PATCH 1/3] CLEANUP: remove unused function "ssl_sock_is_ckch_valid"

"ssl_sock_is_ckch_valid" is not used anymore; let us remove it.
---
 include/haproxy/ssl_ckch.h | 8 
 1 file changed, 8 deletions(-)

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index f8184b62a..87c69ec19 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -36,14 +36,6 @@ int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, stru
 int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct cert_key_and_chain *ckch, char **err);
 int ssl_sock_load_issuer_file_into_ckch(const char *path, char *buf, struct cert_key_and_chain *ckch, char **err);
 
-/* checks if a key and cert exists in the ckch */
-#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
-static inline int ssl_sock_is_ckch_valid(struct cert_key_and_chain *ckch)
-{
-	return (ckch->cert != NULL && ckch->key != NULL);
-}
-#endif
-
 /* ckch_store functions */
 struct ckch_store *ckchs_load_cert_file(char *path, char **err);
 struct ckch_store *ckchs_lookup(char *path);
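Review bot: Since the removed helper was a `static inline` in a shared header, a stale caller would only surface as a compile error in its own translation unit, so a tree-wide `git grep ssl_sock_is_ckch_valid` across src/ and include/ before merging is the check that backs the "not used anymore" claim. Dropping the enclosing `#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL` / `#endif` pair along with it is correct, as the hunk shows nothing else lived inside that block.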
-- 
2.28.0

From d17be858cb9c4d8af095e7c9049c08189df1a869 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 21 Nov 2020 23:10:53 +0500
Subject: [PATCH 2/3] BUILD: SSL: add BoringSSL guarding to
 "RAND_keep_random_devices_open"

"RAND_keep_random_devices_open" is OpenSSL specific and is not present
in other OpenSSL variants like LibreSSL or BoringSSL. BoringSSL recently
"updated" its internal OpenSSL version to 1.1.1; we temporarily set it
back to 1.1.0. As we are going to remove that hack, let us add proper
guarding.
---
 src/haproxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/haproxy.c b/src/haproxy.c
index cdc11a4e5..c9059f8ba 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -780,7 +780,7 @@ void mworker_reload()
 		if (fdtab)
 			deinit_pollers();
 	}
-#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
 	/* close random device FDs */
 	RAND_keep_random_devices_open(0);
 #endif
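Review bot: The commit message names LibreSSL as also lacking this function, yet the new condition only excludes BoringSSL; LibreSSL stays out solely because openssl-compat.h remaps its HA_OPENSSL_VERSION_NUMBER to 0x1000107fL, below the 0x10101000L threshold tested here. That coupling is easy to lose, and the header comment in openssl-compat.h (visible in the context of the third patch) asks for extra features to be expressed "with ORs and not with AND NOT", which `&& !defined(OPENSSL_IS_BORINGSSL)` goes against. Consider defining a single feature macro in openssl-compat.h next to the version mapping (e.g. a hypothetical `HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN`) and testing only that in src/haproxy.c, so the exclusion list for this call lives in one place; the `/* close random device FDs */` comment remains accurate either way.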
-- 
2.28.0

From 7d4bf7975ee57dbb914763cb72971c2849adb3c4 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sat, 21 Nov 2020 23:13:41 +0500
Subject: [PATCH 3/3] BUILD: SSL: do not "update" BoringSSL version equivalent
 anymore

We have added all the required fine guarding; there is no need to reduce the
BoringSSL version back to 1.1.0 anymore, as we do not depend on it.
---
 include/haproxy/openssl-compat.h | 6 --
 1 file changed, 6 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 6b5a489e1..42349d7c1 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -31,12 +31,6 @@
  * extra features with ORs and not with AND NOT.
  */
 #define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
-#elif defined(OPENSSL_IS_BORINGSSL)
-/*
- * in 49e9f67d8b7cbeb3953b5548ad1009d15947a523 BoringSSL has changed its version to 1.1.1
- * Let's switch it back to 1.1.0
- */
-#define HA_OPENSSL_VERSION_NUMBER 0x1010007f
 #else /* this is for a real OpenSSL or a truly compatible derivative */
 #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
 #endif
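Review bot: Removing this `#elif` makes BoringSSL fall through to `HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER`, so every `>= 0x10101000L` check in the tree becomes true for BoringSSL at once; this patch is therefore only safe to apply after the `!defined(OPENSSL_IS_BORINGSSL)` guards it relies on (patch 2/3 of this series and whatever earlier guarding the message alludes to) are in, and the commit message should state that ordering explicitly instead of the bare "we have added all required fine guarding". A BoringSSL CI build of the series is the check that proves nothing was missed. The comment being deleted is also the only place recording BoringSSL commit 49e9f67d8b7cbeb3953b5548ad1009d15947a523 as the origin of the 1.1.1 bump; carrying that reference into the commit message would keep it findable for future readers.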
-- 
2.28.0