BUILD: ssl: use feature macros for detecting ec curves manipulation support
authorIlya Shipitsin <chipitsine@gmail.com>
Tue, 3 Nov 2020 19:39:07 +0000 (00:39 +0500)
committerWilly Tarreau <w@1wt.eu>
Thu, 5 Nov 2020 14:08:41 +0000 (15:08 +0100)
Use SSL_CTX_set1_curves_list — defined by OpenSSL, and by openssl-compat
when SSL_CTRL_SET_CURVES_LIST is present (BoringSSL) — for feature
detection instead of version numbers.

include/haproxy/ssl_sock-t.h
src/cfgparse-ssl.c
src/ssl_sock.c

index c8c8616ea4f30599c96466ebab37e73e8af6c732..58faebe1f6de92c91ef5e9ad2dff7485c3c89b01 100644 (file)
@@ -274,7 +274,7 @@ struct global_ssl {
        char *listen_default_ciphersuites;
        char *connect_default_ciphersuites;
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
        char *listen_default_curves;
 #endif
        int listen_default_ssloptions;
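Review bot: The `#if defined(SSL_CTX_set1_curves_list)` guard only detects the feature when the library spells that name as a preprocessor macro and the TLS headers (plus openssl-compat.h, which per the commit message supplies the name for BoringSSL) are already included when this header is processed; if either condition is not met, `listen_default_curves` silently drops out of `struct global_ssl` and every block guarded the same way compiles away, so an include-order mistake or a future library that exports the function as a real symbol would disable curve configuration without any build error, whereas the old version test failed loudly. The same guard is repeated at the hunks for `ssl_parse_global_curves`, `ssl_bind_parse_curves`, `bind_parse_ssl`, `cfg_kws` and `ssl_sock_prepare_ctx`. A one-line comment above the guard would make the dependency visible to the next maintainer: `/* SSL_CTX_set1_curves_list is a macro in OpenSSL >= 1.0.2 / LibreSSL; openssl-compat.h defines it from SSL_CTRL_SET_CURVES_LIST for libraries that export it as a function (BoringSSL) */`. Whether the OpenSSL headers are included ahead of this point in ssl_sock-t.h is not visible from the hunk and should be confirmed.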
index fcf2b163aa0a576caaa9c0ba55cdcbaa28464067..d24b85a5516efcde443402f9f9ba373b2ea66bf4 100644 (file)
@@ -229,7 +229,7 @@ static int ssl_parse_global_ciphersuites(char **args, int section_type, struct p
 }
 #endif
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 /*
  * parse the "ssl-default-bind-curves" keyword in a global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
@@ -703,7 +703,7 @@ static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struc
 /* parse the "curves" bind keyword keyword */
 static int ssl_bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
        if (!*args[cur_arg + 1]) {
                memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
                return ERR_ALERT | ERR_FATAL;
@@ -1045,7 +1045,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 
        if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
                conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
        if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
                conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
 #endif
@@ -1877,7 +1877,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #endif
        { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
        { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
        { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
 #endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
index 57e5f5afe5512501a91eb785a738ac1baa7dabe3..6f73a3175470ddf0d6e814350b629f3542bacfe1 100644 (file)
@@ -4177,7 +4177,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
        if (ssl_conf_cur)
                SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, ssl_conf_cur);
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
        conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
        if (conf_curves) {
                if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {