BUILD: SSL: guard TLS13 ciphersuites with HAVE_SSL_CTX_SET_CIPHERSUITES

HAVE_SSL_CTX_SET_CIPHERSUITES is newly defined macro set in openssl-compat.h,
which helps to identify ssl libs (currently OpenSSL-1.1.1 only) that supports
TLS13 cipersuites manipulation on TLS13 context

diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 77a3eb055515fd5d2ad336ca6d35b06931fc808a..ec57f8867afe2644b7501a2da2c6e22b916ca7fa 100644 (file)
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -136,7 +136,7 @@ struct ssl_bind_conf {
        char *ca_verify_file;      /* CAverify file to use on verify only */
        char *crl_file;            /* CRLfile to use on verify */
        char *ciphers;             /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        char *ciphersuites;        /* TLS 1.3 cipher suite to use if non-null */
 #endif
        char *curves;              /* curves suite to use for ECDHE */

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 0bc9ac07af73a1ff8d6c680a1767c5587687e246..6b5a489e1c0a46acda074e05c183c56fdae23813 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -47,6 +47,10 @@
 #define OpenSSL_version_num     SSLeay
 #endif
 
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)

diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index 694cc3d9665a78191b3a61866c5b598c9ac6bb74..0e66be693f8ee0d49ea7083f9bc510a5b7262d8d 100644 (file)
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -309,7 +309,7 @@ struct server {
                        int allocated_size;
                } * reused_sess;
                char *ciphers;                  /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
                char *ciphersuites;                     /* TLS 1.3 cipher suite to use if non-null */
 #endif
                int options;                    /* ssl options */

diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 58faebe1f6de92c91ef5e9ad2dff7485c3c89b01..c0f47cbb678a977e77344733b3782d09e316ce0d 100644 (file)
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -270,7 +270,7 @@ struct global_ssl {
 
        char *listen_default_ciphers;
        char *connect_default_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        char *listen_default_ciphersuites;
        char *connect_default_ciphersuites;
 #endif

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0d7c7c368fdd5c1753ed3f3f45a59c954a5091c8..47e05929755c2e69ff1fae18b5e6da719c1b1872 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -203,7 +203,7 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
        return 0;
 }
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
  * in global section. Returns <0 on alert, >0 on warning, 0 on success.
  */
@@ -613,7 +613,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
        return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
 }
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ciphersuites" bind keyword */
 static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
@@ -1049,7 +1049,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
        if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
                conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
                conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
 #endif
@@ -1362,7 +1362,7 @@ static void ssl_sock_init_srv(struct server *s)
 {
        if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
                s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites)
                s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
 #endif
@@ -1397,7 +1397,7 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
        return 0;
 }
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ciphersuites" server keyword */
 static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -1733,7 +1733,7 @@ struct ssl_bind_kw ssl_bind_kws[] = {
        { "ca-file",               ssl_bind_parse_ca_file,          1 }, /* set CAfile to process ca-names and verify on client cert */
        { "ca-verify-file",        ssl_bind_parse_ca_verify_file,   1 }, /* set CAverify file to process verify on client cert */
        { "ciphers",               ssl_bind_parse_ciphers,          1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        { "ciphersuites",          ssl_bind_parse_ciphersuites,     1 }, /* set TLS 1.3 cipher suite */
 #endif
        { "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificate revocation list file use on client cert verify */
@@ -1758,7 +1758,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
        { "ca-sign-file",          bind_parse_ca_sign_file,       1 }, /* set CAFile used to generate and sign server certs */
        { "ca-sign-pass",          bind_parse_ca_sign_pass,       1 }, /* set CAKey passphrase */
        { "ciphers",               bind_parse_ciphers,            1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        { "ciphersuites",          bind_parse_ciphersuites,       1 }, /* set TLS 1.3 cipher suite */
 #endif
        { "crl-file",              bind_parse_crl_file,           1 }, /* set certificate revocation list file use on client cert verify */
@@ -1808,7 +1808,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "check-sni",               srv_parse_check_sni,          1, 1 }, /* set SNI */
        { "check-ssl",               srv_parse_check_ssl,          0, 1 }, /* enable SSL for health checks */
        { "ciphers",                 srv_parse_ciphers,            1, 1 }, /* select the cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        { "ciphersuites",            srv_parse_ciphersuites,       1, 1 }, /* select the cipher suite */
 #endif
        { "crl-file",                srv_parse_crl_file,           1, 1 }, /* set certificate revocation list file use on server cert verify */
@@ -1877,7 +1877,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #if defined(SSL_CTX_set1_curves_list)
        { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
        { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
 #endif

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f72f60ea924a6403a891e27a7d9762a10a5b27a7..ba097999784f614edc9a35f8f8022a5bb0c133e4 100644 (file)
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -50,7 +50,7 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
                conf->crl_file = NULL;
                free(conf->ciphers);
                conf->ciphers = NULL;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
                free(conf->ciphersuites);
                conf->ciphersuites = NULL;
 #endif
@@ -109,7 +109,7 @@ struct ssl_bind_conf *crtlist_dup_ssl_conf(struct ssl_bind_conf *src)
                if (!dst->ciphers)
                        goto error;
        }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (src->ciphersuites) {
                dst->ciphersuites = strdup(src->ciphersuites);
                if (!dst->ciphersuites)
@@ -832,7 +832,7 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
                chunk_appendf(buf, "ciphers %s", conf->ciphers);
                space++;
        }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (conf->ciphersuites) {
                if (space) chunk_appendf(buf, " ");
                chunk_appendf(buf, "ciphersuites %s", conf->ciphersuites);

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5a0cd2b3d5bbf6036a17ba0d1d812c42e230c886..b7d3b92b435d4023c76b12723f3c4854ae662fa4 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -104,13 +104,9 @@ struct global_ssl global_ssl = {
 #ifdef CONNECT_DEFAULT_CIPHERS
        .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-#ifdef LISTEN_DEFAULT_CIPHERSUITES
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERSUITES
        .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
-#endif
 #endif
        .listen_default_ssloptions = BC_SSL_O_NONE,
        .connect_default_ssloptions = SRV_SSL_O_NONE,
@@ -4054,7 +4050,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
        int verify = SSL_VERIFY_NONE;
        struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
        const char *conf_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        const char *conf_ciphersuites;
 #endif
        const char *conf_curves = NULL;
@@ -4162,7 +4158,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
                cfgerr |= ERR_ALERT | ERR_FATAL;
        }
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
        if (conf_ciphersuites &&
            !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
@@ -4619,7 +4615,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
                cfgerr++;
        }
 
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (srv->ssl_ctx.ciphersuites &&
                !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
                ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
@@ -6721,7 +6717,7 @@ static void __ssl_sock_init(void)
                global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
        if (global_ssl.connect_default_ciphers)
                global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        if (global_ssl.listen_default_ciphersuites)
                global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
        if (global_ssl.connect_default_ciphersuites)