From: William Lallemand Date: Fri, 8 Dec 2023 10:33:03 +0000 (+0100) Subject: MINOR: ssl: activate the certificate selection callback for WolfSSL X-Git-Tag: v3.0-dev1~112 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86376f591e3d87365c6da3b0ae91e3ede2ec4943;p=thirdparty%2Fhaproxy.git MINOR: ssl: activate the certificate selection callback for WolfSSL The PR which allows to choose a certificate depending on the ciphers and the signature algorithms was merged in WolfSSL. Let's activate this code. This could be backported in 2.9 only when the next WolfSSL release is available (5.6.5). It will also need a check on the version. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 4dc14df012..986a232869 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2797,7 +2797,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv) #endif /* (!) OPENSSL_IS_BORINGSSL */ #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */ -#if 0 && defined(USE_OPENSSL_WOLFSSL) +#if defined(USE_OPENSSL_WOLFSSL) /* This implement the equivalent of the clientHello Callback but using the cert_cb. * WolfSSL is able to extract the sigalgs and ciphers of the client byt using the API * provided in https://github.com/wolfSSL/wolfssl/pull/6963 @@ -4352,7 +4352,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) # endif /* ! SSL_OP_NO_ANTI_REPLAY */ SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); -# elif 0 && defined(USE_OPENSSL_WOLFSSL) +# elif defined(USE_OPENSSL_WOLFSSL) SSL_CTX_set_cert_cb(ctx, ssl_sock_switchctx_wolfSSL_cbk, bind_conf); # else /* ! OPENSSL_IS_BORINGSSL && ! HAVE_SSL_CLIENT_HELLO_CB */
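Review bot: in the first hunk (around line 2797 of src/ssl_sock.c), dropping the `0 &&` leaves the block guarded only by `#if defined(USE_OPENSSL_WOLFSSL)`, with no check on the wolfSSL version even though the commit message itself says the code depends on the API from wolfSSL PR 6963 and on the not-yet-released 5.6.5. Anyone building against an older wolfSSL will now hit a compile failure (or silently lose cipher/sigalg-based certificate selection) instead of a clear configuration error; suggest combining the guard with wolfSSL's version macro, e.g. `#if defined(USE_OPENSSL_WOLFSSL) && LIBWOLFSSL_VERSION_HEX >= <first release carrying PR 6963>`, so the backport concern in the message is handled in the code rather than in the reviewer's memory. While touching the block, the comment it enables still reads "This implement the equivalent" and "byt using the API"; worth fixing to "This implements" and "by using".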
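Review bot: in the second hunk (ssl_sock_initial_ctx, around line 4352), the `# elif defined(USE_OPENSSL_WOLFSSL)` that registers `SSL_CTX_set_cert_cb(ctx, ssl_sock_switchctx_wolfSSL_cbk, bind_conf)` must stay in lockstep with the `#if` around the callback definition in the first hunk: if a version check is later added to one guard and not the other, this line references an undefined `ssl_sock_switchctx_wolfSSL_cbk` and the build breaks only on some wolfSSL versions. Also visible in the context lines: the OpenSSL branch registers both `SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL)` and `SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk)`, whereas the wolfSSL branch registers only the cert callback. Please confirm, ideally in a comment at this `elif`, that the SNI error path handled by `ssl_sock_switchctx_err_cbk` (a client sending an unknown server name) is covered inside `ssl_sock_switchctx_wolfSSL_cbk`, since a cert callback runs later in the handshake than the ClientHello callback and a missing rejection there would mean falling through to the default certificate instead of failing the handshake.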