From: Willy Tarreau Date: Thu, 9 May 2019 12:13:35 +0000 (+0200) Subject: CLEANUP: ssl: remove 57 occurrences of useless tests on LIBRESSL_VERSION_NUMBER X-Git-Tag: v2.0-dev3~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5db847ab6530eb2da7ba246243d1a9ac791417e3;p=thirdparty%2Fhaproxy.git CLEANUP: ssl: remove 57 occurrences of useless tests on LIBRESSL_VERSION_NUMBER They were all check to comply with the advertised openssl version. Now that libressl doesn't pretend to be a more recent openssl anymore, we can simply rely on the regular openssl version tests without having to deal with exceptions for libressl. --- diff --git a/src/backend.c b/src/backend.c index ed3c459c2e..b7894f8a25 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1582,8 +1582,7 @@ int connect_server(struct stream *s) } -#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || \ - ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER))) +#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)) if (!reuse && cli_conn && srv && (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) && diff --git a/src/cli.c b/src/cli.c index eb93079200..fe50d9d176 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx) (fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" : (fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" : #ifdef USE_OPENSSL -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" : (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" : #endif diff --git a/src/haproxy.c b/src/haproxy.c index ea85da3f95..2dec3f1549 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -590,7 +590,7 @@ void mworker_reload() ptdf->fct(); if (fdtab) deinit_pollers(); -#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) +#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (global.ssl_used_frontend || global.ssl_used_backend) /* close random device FDs */ RAND_keep_random_devices_open(0); diff --git a/src/server.c b/src/server.c index e77d3bcdfd..b88ab30dfa 100644 --- a/src/server.c +++ b/src/server.c @@ -1544,7 +1544,7 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src) srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host); if (src->ssl_ctx.ciphers != NULL) srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (src->ssl_ctx.ciphersuites != NULL) srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites); #endif diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b2cbd1be83..794b6c9c48 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -190,7 +190,7 @@ static struct { char *listen_default_ciphers; char *connect_default_ciphers; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) char *listen_default_ciphersuites; char *connect_default_ciphersuites; #endif @@ -212,7 +212,7 @@ static struct { #ifdef CONNECT_DEFAULT_CIPHERS .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) #ifdef LISTEN_DEFAULT_CIPHERSUITES .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES, #endif @@ -348,7 +348,7 @@ static int ha_ssl_free(BIO *data) } -#if defined(USE_THREAD) && ((HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)) +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) static HA_RWLOCK_T *ssl_rwlocks; @@ -575,7 +575,7 @@ fail_get: } #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* * openssl async fd handler */ @@ -1442,7 +1442,7 @@ static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_p } #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) #define CT_EXTENSION_TYPE 18 @@ -1893,7 +1893,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL int key_type; /* Get the private key of the default certificate and use it */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10002000L) pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx); #else tmp_ssl = SSL_new(bind_conf->default_ctx); @@ -2297,7 +2297,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) SSL_set_SSL_CTX(ssl, ctx); } -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER) +#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) { @@ -2948,7 +2948,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b /* The following code is used for loading multiple crt files into * SSL_CTX's based on CN/SAN */ -#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER) +#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL /* This is used to preload the certifcate, private key * and Cert Chain of a file passed in via the crt * argument @@ -3603,7 +3603,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf ssl_sock_set_ocsp_response_from_file(ctx, path); #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) if (sctl_ex_index >= 0) { ret = ssl_sock_load_sctl(ctx, path); if (ret < 0) { @@ -3764,7 +3764,7 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf) conf->crl_file = NULL; free(conf->ciphers); conf->ciphers = NULL; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) free(conf->ciphersuites); conf->ciphersuites = NULL; #endif @@ -4029,7 +4029,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) SSL_CTX_set_options(ctx, options); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) if (global_ssl.async) mode |= SSL_MODE_ASYNC; #endif @@ -4041,7 +4041,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) #ifdef OPENSSL_IS_BORINGSSL SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); -#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) +#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (bind_conf->ssl_conf.early_data) { SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); @@ -4311,7 +4311,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ int verify = SSL_VERIFY_NONE; struct ssl_bind_conf __maybe_unused *ssl_conf_cur; const char *conf_ciphers; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) const char *conf_ciphersuites; #endif const char *conf_curves = NULL; @@ -4413,7 +4413,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ cfgerr++; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; if (conf_ciphersuites && !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) { @@ -4817,7 +4817,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) options |= SSL_OP_NO_TICKET; SSL_CTX_set_options(ctx, options); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) if (global_ssl.async) mode |= SSL_MODE_ASYNC; #endif @@ -4907,7 +4907,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) cfgerr++; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (srv->ssl_ctx.ciphersuites && !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) { ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n", @@ -5336,8 +5336,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) /* leave init state and start handshake */ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || \ - defined(OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) conn->flags |= CO_FL_EARLY_SSL_HS; #endif @@ -5371,7 +5370,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) if (!conn->xprt_ctx) goto out_error; -#if HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER) +#if HA_OPENSSL_VERSION_NUMBER >= 0x10101000L /* * Check if we have early data. If we do, we have to read them * before SSL_do_handshake() is called, And there's no way to @@ -5428,7 +5427,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) fd_cant_recv(conn->handle.fd); return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) else if (ret == SSL_ERROR_WANT_ASYNC) { ssl_async_process_fds(conn, ctx->ssl); return 0; @@ -5443,7 +5442,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) conn->err_code = CO_ER_SSL_HANDSHAKE; #else int empty_handshake; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl); empty_handshake = state == TLS_ST_BEFORE; #else @@ -5512,7 +5511,7 @@ check_error: fd_cant_recv(conn->handle.fd); return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) else if (ret == SSL_ERROR_WANT_ASYNC) { ssl_async_process_fds(conn, ctx->ssl); return 0; @@ -5527,7 +5526,7 @@ check_error: conn->err_code = CO_ER_SSL_HANDSHAKE; #else int empty_handshake; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl); empty_handshake = state == TLS_ST_BEFORE; #else @@ -5571,7 +5570,7 @@ check_error: goto out_error; } } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) else { /* * If the server refused the early data, we have to send a @@ -5590,7 +5589,7 @@ check_error: reneg_ok: -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* ASYNC engine API doesn't support moving read/write * buffers. So we disable ASYNC mode right after * the handshake to avoid buffer oveflows. @@ -5699,7 +5698,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu continue; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (conn->flags & CO_FL_EARLY_SSL_HS) { size_t read_length; @@ -5751,7 +5750,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu /* handshake is running, and it needs to enable write */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_send(conn); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5763,7 +5762,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu /* handshake is running, and it may need to re-enable read */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_recv(conn); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5840,7 +5839,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s * in which case we accept to do it once again. */ while (count) { -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) size_t written_data; #endif @@ -5861,7 +5860,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) { unsigned int max_early; @@ -5913,7 +5912,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s /* handshake is running, and it may need to re-enable write */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_send(conn); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5928,7 +5927,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s /* handshake is running, and it needs to enable read */ conn->flags |= CO_FL_SSL_WAIT_HS; __conn_sock_want_recv(conn); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) /* Async mode can be re-enabled, because we're leaving data state.*/ if (global_ssl.async) SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); @@ -5956,7 +5955,7 @@ static void ssl_sock_close(struct connection *conn, void *xprt_ctx) { struct ssl_sock_ctx *ctx = xprt_ctx; if (ctx) { -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) if (global_ssl.async) { OSSL_ASYNC_FD all_fd[32], afd; size_t num_all_fds = 0; @@ -7413,7 +7412,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char static int smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private) { -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) struct buffer *data; int i; @@ -7655,7 +7654,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err); } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) /* parse the "ciphersuites" bind keyword */ static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err) { @@ -8065,7 +8064,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers) conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites) conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites); #endif @@ -8428,7 +8427,7 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru newsrv->check.use_ssl = 1; if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); #endif @@ -8455,7 +8454,7 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) /* parse the "ciphersuites" server keyword */ static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -8611,7 +8610,7 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser newsrv->use_ssl = 1; if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); #endif @@ -8766,7 +8765,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox struct proxy *defpx, const char *file, int line, char **err) { -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) global_ssl.async = 1; global.ssl_used_async_engines = nb_engines; return 0; @@ -8854,7 +8853,7 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) /* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords * in global section. Returns <0 on alert, >0 on warning, 0 on success. */ @@ -9581,7 +9580,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = { { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */ { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */ { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ #endif { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ @@ -9605,7 +9604,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, { { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */ { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */ { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ #endif { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ @@ -9655,7 +9654,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */ { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */ { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */ #endif { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */ @@ -9716,7 +9715,7 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites }, { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites }, #endif @@ -9788,7 +9787,7 @@ static struct action_kw_list http_req_actions = {ILH, { INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) { @@ -9813,7 +9812,7 @@ static void __ssl_sock_init(void) global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers); if (global_ssl.connect_default_ciphers) global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) if (global_ssl.listen_default_ciphersuites) global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites); if (global_ssl.connect_default_ciphersuites) @@ -9826,10 +9825,10 @@ static void __ssl_sock_init(void) #endif cm = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(cm); -#if defined(USE_THREAD) && ((HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)) +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) ssl_locking_init(); #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func); #endif ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); @@ -9969,14 +9968,14 @@ static void __ssl_sock_deinit(void) } #endif -#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) ERR_remove_state(0); ERR_free_strings(); EVP_cleanup(); #endif -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x00907000L) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)) || defined(LIBRESSL_VERSION_NUMBER) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x00907000L) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) CRYPTO_cleanup_all_ex_data(); #endif #if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)