CLEANUP: ssl: never include openssl/*.h outside of openssl-compat.h anymore
authorWilly Tarreau <w@1wt.eu>
Fri, 10 May 2019 07:35:00 +0000 (09:35 +0200)
committerWilly Tarreau <w@1wt.eu>
Fri, 10 May 2019 07:36:42 +0000 (09:36 +0200)
Since we're providing a compatibility layer for multiple OpenSSL
implementations and their derivatives, it is important that no C file
directly includes openssl headers but only passes via openssl-compat
instead. As a bonus this also gets rid of redundant complex rules for
inclusion of certain files (engines etc).

include/common/openssl-compat.h
include/proto/ssl_sock.h
include/types/listener.h
include/types/server.h
include/types/ssl_sock.h
src/haproxy.c
src/ssl_sock.c

index 5ac3abaf8a3d96e214b42b9b024c8bf4b9b48027..0ceca08376366b40a0c16fb36423cd1fc98e975c 100644 (file)
@@ -1,18 +1,27 @@
 #ifndef _COMMON_OPENSSL_COMPAT_H
 #define _COMMON_OPENSSL_COMPAT_H
+
+#include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include <openssl/x509.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/hmac.h>
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
+#include <openssl/async.h>
+#endif
 
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
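Review bot: The conditional includes in this hunk depend on include order, and nothing in the header says so. `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` is only defined once `openssl/ssl.h` has been read, and `OPENSSL_VERSION_NUMBER` and the `OPENSSL_NO_*` switches arrive through the unconditional headers above the guards, so if the list is ever sorted or a guarded include is moved up, the OCSP, engine or async guard would evaluate differently with no diagnostic at this spot. Since this file is now the single place every TLS-related unit gets its OpenSSL headers from, I would add a comment above the first `#if`, e.g. `/* keep the unconditional includes above: the guards below test macros they define */`. The LibreSSL comment that closes the hunk continues outside it.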
index 9e27bfaee82f0a0cc3dacdda1aa210971355e951..f3d3ff8f53e21ae2deedc2b1273560ed6ad38849 100644 (file)
@@ -21,7 +21,7 @@
 
 #ifndef _PROTO_SSL_SOCK_H
 #define _PROTO_SSL_SOCK_H
-#include <openssl/ssl.h>
+#include <common/openssl-compat.h>
 
 #include <types/connection.h>
 #include <types/listener.h>
index 7b4226f816e64558fd0c43c0c3cd963652404dca..def48b0db459007d00f605e8b4845d6678064da4 100644 (file)
@@ -26,7 +26,7 @@
 #include <sys/socket.h>
 
 #ifdef USE_OPENSSL
-#include <openssl/ssl.h>
+#include <common/openssl-compat.h>
 #include <types/ssl_sock.h>
 #endif
 
index dfc753e77c37c2d571254c7a3b249494855e2405..2951cf68fe13d157ec9a8902dc6fa1fb54d57dff 100644 (file)
@@ -26,7 +26,7 @@
 #include <arpa/inet.h>
 
 #ifdef USE_OPENSSL
-#include <openssl/ssl.h>
+#include <common/openssl-compat.h>
 #include <types/ssl_sock.h>
 #endif
 
index 3de01e96180be0a0df32b2bf6aa47e4f987c9e28..45f89c9b872e22e31cfc5e4086f1d6c26cc1d306 100644 (file)
@@ -22,7 +22,6 @@
 #ifndef _TYPES_SSL_SOCK_H
 #define _TYPES_SSL_SOCK_H
 
-#include <openssl/ssl.h>
 #include <ebmbtree.h>
 
 #include <common/hathreads.h>
index 8803e6ea769261e78b8458dfb248cca9034a8dd3..e085ce2c21233bf78c4dade6bfed3b2842c00989 100644 (file)
 #ifdef USE_OPENSSL
 #include <common/openssl-compat.h>
 #include <proto/ssl_sock.h>
-#include <openssl/rand.h>
 #endif
 
 /* array of init calls for older platforms */
index f7247f7beb3ac803d0f00a17120f53faae9663db..f8b248b3390791dc7d497d042de7a36e24297aac 100644 (file)
@@ -23,6 +23,7 @@
  *
  */
 
+/* Note: do NOT include openssl/xxx.h here, do it in openssl-compat.h */
 #define _GNU_SOURCE
 #include <ctype.h>
 #include <dirent.h>
 #include <netdb.h>
 #include <netinet/tcp.h>
 
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/hmac.h>
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
-#include <openssl/ocsp.h>
-#endif
-#ifndef OPENSSL_NO_DH
-#include <openssl/dh.h>
-#endif
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
-#include <openssl/async.h>
-#endif
-
 #include <import/lru.h>
 #include <import/xxhash.h>