From: William Lallemand Date: Fri, 2 Sep 2022 13:27:32 +0000 (+0200) Subject: BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb X-Git-Tag: v2.7-dev6~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=844009d77ac42182ab4d5cf3efaaf227318505a1;p=thirdparty%2Fhaproxy.git BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb When building HAProxy with USE_QUIC and libressl 3.6.0, the ssl_sock_switchtx_cbk symbol is not found because libressl does not implement the client_hello_cb. A ssl_sock_switchtx_cbk version for the servername callback is available but wasn't exported correctly.
---
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 8d1ce50b7e..d7cc33075a 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -104,13 +104,16 @@ void ssl_free_engines(void);
 #ifdef HAVE_SSL_PROVIDERS
 void ssl_unload_providers(void);
 #endif
+
 #ifdef HAVE_SSL_CLIENT_HELLO_CB
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
-#ifdef OPENSSL_IS_BORINGSSL
+# ifdef OPENSSL_IS_BORINGSSL
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
-#else
+# else /* ! OPENSSL_IS_BORINGSSL */
 int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg);
-#endif
+# endif
+#else /* ! HAVE_SSL_CLIENT_HELLO_CB */
+int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv);
 #endif
 SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index caf41eb9a0..5af91d1b84 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2945,7 +2945,7 @@ allow_early:
 * warning when no match is found, which implies the default (first) cert
 * will keep being used.
 */
-static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
+int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 {
 const char *servername;
 const char *wildp = NULL;
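Review bot: In include/haproxy/ssl_sock.h the new `#else /* ! HAVE_SSL_CLIENT_HELLO_CB */` prototype has exactly the same type as the non-BoringSSL client-hello one (`SSL *, int *, void *`), so the compiler cannot tell a caller outside ssl_sock.c which kind of callback it is holding. The two kinds are registered through different OpenSSL setters (`SSL_CTX_set_client_hello_cb()` vs `SSL_CTX_set_tlsext_servername_callback()`) and use different return-code families (`SSL_CLIENT_HELLO_*` vs `SSL_TLSEXT_ERR_*`), so a registration site that does not repeat the same `#ifdef` would build cleanly and misread the outcome of certificate selection. The callers are not visible here, so this is a documentation request rather than a reported bug: add `/* servername-callback variant: register with SSL_CTX_set_tlsext_servername_callback() */` above the new prototype and a matching client-hello remark on the other two. The src/ssl_sock.c hunk that drops `static` exposes the definition this refers to; its body continues outside that hunk.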