From: Ilya Shipitsin
Date: Tue, 3 Nov 2020 19:39:07 +0000 (+0500)
Subject: BUILD: ssl: use feature macros for detecting ec curves manipulation support
X-Git-Tag: v2.3.0~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0aa8c29460fddfc588226e2e1b56005973dca694;p=thirdparty%2Fhaproxy.git
BUILD: ssl: use feature macros for detecting ec curves manipulation support
Let us use SSL_CTX_set1_curves_list, defined by OpenSSL, as well as in openssl-compat when SSL_CTRL_SET_CURVES_LIST is present (BoringSSL), for feature detection instead of versions.
---
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index c8c8616ea4..58faebe1f6 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -274,7 +274,7 @@ struct global_ssl {
 	char *listen_default_ciphersuites;
 	char *connect_default_ciphersuites;
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 	char *listen_default_curves;
 #endif
 	int listen_default_ssloptions;
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index fcf2b163aa..d24b85a551 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -229,7 +229,7 @@ static int ssl_parse_global_ciphersuites(char **args, int section_type, struct p
 }
 #endif
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 /*
  * parse the "ssl-default-bind-curves" keyword in a global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
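Review bot: The new `#if defined(SSL_CTX_set1_curves_list)` guard around `listen_default_curves` in struct global_ssl is only true when the SSL library exposes that name as a preprocessor macro, so a library that exports it as a plain function (the commit text covers OpenSSL, LibreSSL and the openssl-compat shim for BoringSSL, nothing else) would silently drop the member and every curves keyword, where the old version test would at least have failed loudly at compile or link time. Because the condition now decides a struct member, every translation unit that includes ssl_sock-t.h must see the same openssl/openssl-compat headers beforehand or sizeof(struct global_ssl) will differ between objects. I would document both constraints on the `#if` line: `/* macro in OpenSSL/LibreSSL, supplied by openssl-compat.h for BoringSSL; a library exporting this as a real function fails this test and silently disables curve configuration, and the SSL headers must be included before this one in every TU */`. struct global_ssl begins and ends outside the hunk.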
@@ -703,7 +703,7 @@ static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struc
 /* parse the "curves" bind keyword keyword */
 static int ssl_bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 	if (!*args[cur_arg + 1]) {
 		memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
 		return ERR_ALERT | ERR_FATAL;
@@ -1045,7 +1045,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 	if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
 		conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
 
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 	if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
 		conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
 #endif
@@ -1877,7 +1877,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #endif
 	{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
 	{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 	{ CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
 #endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 57e5f5afe5..6f73a31754 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
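Review bot: In ssl_bind_parse_curves the new `#if defined(SSL_CTX_set1_curves_list)` now also selects which path runs when the macro is absent, and that `#else` branch lies outside the hunk; it must keep returning an error for the `curves` keyword rather than 0, otherwise a bind line with `curves` would be accepted and the restriction silently not applied, which is the worst failure mode for a crypto policy setting. Worth re-checking, since the guard condition changed even though the branch bodies did not. While touching the function, the header comment on the first context line repeats a word; `/* parse the "curves" bind keyword */` reads better. The rest of ssl_bind_parse_curves continues past the hunk.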
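Review bot: In the bind_parse_ssl hunk, `conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);` is not checked, so when strdup fails the bind keeps a NULL curves list and the later SSL_CTX_set1_curves_list call is skipped, meaning an operator's ssl-default-bind-curves restriction is dropped and the library default group list is used with no error reported; the ciphers line two lines above has the same fail-open behaviour. Assuming bind_parse_ssl takes the usual `char **err` (its signature is truncated in the hunk header and the function starts outside the hunk), I would add after the copy: `if (!conf->ssl_conf.curves) { memprintf(err, "'%s' : out of memory", args[cur_arg]); return ERR_ALERT | ERR_FATAL; }`, and give the ciphers copy the same treatment so the two stay consistent.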
@@ -4177,7 +4177,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 	if (ssl_conf_cur)
 		SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, ssl_conf_cur);
 #endif
-#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(SSL_CTX_set1_curves_list)
 	conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
 	if (conf_curves) {
 		if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
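Review bot: The guarded call `SSL_CTX_set1_curves_list(ctx, conf_curves)` deserves a comment now that the guard is the macro itself, because on OpenSSL 1.1.1 and later that macro is, to my knowledge, an alias of SSL_CTX_set1_groups_list and the configured string then also selects the TLS 1.3 key-share groups (X25519/X448 and, on newer releases, FFDHE groups), not only the ECDHE curves the keyword name and commit title suggest; operators restricting "curves" for policy reasons should know it covers key exchange as a whole. A one-line note on the `#if` would do: `/* on OpenSSL >= 1.1.1 this maps to SSL_CTX_set1_groups_list and also governs TLS 1.3 key-share groups */`. The return value is checked on the last visible line, but the error branch and the remainder of ssl_sock_prepare_ctx lie outside the hunk.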