From: William Lallemand
Date: Fri, 14 Jun 2024 08:01:46 +0000 (+0200)
Subject: BUILD: ssl: disable deprecated functions for AWS-LC 1.29.0
X-Git-Tag: v3.1-dev1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee5aa4e5e6acf541a42c0dce739aaf6c11e75806;p=thirdparty%2Fhaproxy.git

BUILD: ssl: disable deprecated functions for AWS-LC 1.29.0

AWS-LC have a lot of functions that does nothing, which are now deprecated and emits some warning. This patch disables the following useless functions that emits a warning: SSL_CTX_get_security_level(), SSL_CTX_set_tmp_dh_callback(), ERR_load_SSL_strings(), RAND_keep_random_devices_open() The list of deprecated functions is here: https://github.com/aws/aws-lc/blob/main/docs/porting/functionality-differences.md
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 66c30ff091..e4e5261eb0 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -48,6 +48,10 @@
 #include
 #endif
+#if defined(USE_OPENSSL_AWSLC)
+#define OPENSSL_NO_DH
+#endif
+
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
@@ -70,7 +74,7 @@
 #define HAVE_SSL_EXTRACT_RANDOM
 #endif
-#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER))
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) && !defined(USE_OPENSSL_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER))
 #define HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN
 #endif
@@ -119,7 +123,7 @@
 #endif
-#if defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL
+#if (defined(SSL_CTX_set_security_level) || HA_OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(USE_OPENSSL_AWSLC)
 #define HAVE_SSL_SET_SECURITY_LEVEL
 #endif
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e5eb746cf5..acfa15b266 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
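Review bot: The new `#define OPENSSL_NO_DH` block in the first openssl-compat.h hunk takes over a macro that is normally owned by the library's own configuration header, and nothing in the hunk says why HAProxy is setting it for a library that still exports DH symbols; a reader will take it for a build misconfiguration. Add `/* AWS-LC's DH entry points are deprecated no-ops: define OPENSSL_NO_DH ourselves so the DH code paths are compiled out. */` above the block, and consider `#ifndef OPENSSL_NO_DH` around the define so a future AWS-LC release that defines it in its own headers with a different replacement list does not produce a redefinition warning. The two following hunks apply the same `!defined(USE_OPENSSL_AWSLC)` exclusion to HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN and HAVE_SSL_SET_SECURITY_LEVEL; since those feature macros are what the rest of the tree checks, any configuration keyword that depends on them presumably becomes a silent no-op under AWS-LC rather than a rejected option, which deserves a line in the commit message or a config-time warning where the keyword is parsed.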
@@ -2560,10 +2560,12 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct ckch_data *data,
 }
 }
 else {
+#ifndef OPENSSL_NO_DH
 #if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
 #else
 ssl_sock_set_tmp_dh_from_pkey(ctx, data ? data->key : NULL);
+#endif
 #endif
 }
 }
@@ -6945,7 +6947,7 @@ static void __ssl_sock_init(void)
 #ifdef HAVE_SSL_PROVIDERS
 hap_register_post_deinit(ssl_unload_providers);
 #endif
-#if HA_OPENSSL_VERSION_NUMBER < 0x3000000fL
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) && !defined(USE_OPENSSL_AWSLC)
 /* Load SSL string for the verbose & debug mode. */
 ERR_load_SSL_strings();
 #endif
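Review bot: With OPENSSL_NO_DH now defined for AWS-LC, the `else` branch in the first hunk compiles down to an empty block, but the two callees it referenced, `ssl_get_tmp_dh_cbk` and `ssl_sock_set_tmp_dh_from_pkey`, are defined outside the hunk; if they do not already sit inside an `#ifndef OPENSSL_NO_DH` region of their own they become unused static functions and trip -Wunused-function, undoing the warning cleanup this commit is after, so both definitions are worth checking. Separately, whatever DH material ends up in `data->key` is now accepted and silently dropped on this library rather than rejected or reported; a one-line warning at the point where the DH configuration is loaded would make that visible to the operator. ssl_sock_load_dh_params starts before the hunk and continues after it.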
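Review bot: The `!defined(USE_OPENSSL_AWSLC)` test added to the `ERR_load_SSL_strings()` guard in the second hunk is a library-identity check written inline in ssl_sock.c, whereas the rest of this commit expresses library differences as HAVE_ feature macros in openssl-compat.h (HAVE_SSL_RAND_KEEP_RANDOM_DEVICES_OPEN, HAVE_SSL_SET_SECURITY_LEVEL). For consistency, and so that the next library fork needing the same exception touches only the compat header, gate this call on a compat-header macro instead, for example a `HAVE_SSL_ERR_LOAD_STRINGS` defined there under the same condition and tested here with `#ifdef HAVE_SSL_ERR_LOAD_STRINGS`. The existing comment `/* Load SSL string for the verbose & debug mode. */` could also say that AWS-LC carries its error strings built in, which is presumably why the call is skipped; __ssl_sock_init continues on both sides of the hunk.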