BUILD: ssl: Fix compilation with BoringSSL

The ifdefs surrounding the "show ssl ocsp-response" functionality that
were supposed to disable the code with BoringSSL were built the wrong
way.

It does not need to be backported.

diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 88a8a3f7fc0296426c6bf3d9001b1737b4500ccd..9978abc08df294ceb828beaade9d93026b5b7512 100644 (file)
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -122,7 +122,7 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
 void ssl_free_global_issuers(void);
 int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
 int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out);
 int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out);
 #endif

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 67eae099b19bd5652377b9c52744afea9e43222f..1ca18843d7db07ad63545777a6c5f1084f0d6544 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1478,7 +1478,7 @@ end:
        return 0;
 }
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
  * Build the OCSP tree entry's key for a given ckch_store.
  * Returns a negative value in case of error.
@@ -1534,7 +1534,7 @@ end:
  */
 static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
        unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
        unsigned int key_length = 0;
        int i;
@@ -1603,7 +1603,7 @@ yield:
 /* IO handler of the details "show ssl cert <filename.ocsp>" */
 static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
        struct stream_interface *si = appctx->owner;
        struct ckch_store *ckchs = appctx->ctx.cli.p0;
        struct buffer *out = alloc_trash_chunk();

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 13e6155451f09c79d85c237dcbb2e138747e7000..9fb91f2d8797ca24f859c461c55fb1979b739034 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6930,14 +6930,14 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 }
 
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 static int cli_io_handler_show_ocspresponse_detail(struct appctx *appctx);
 #endif
 
 /* parsing function for 'show ssl ocsp-response [id]' */
 static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
        if (*args[3]) {
                struct certificate_ocsp *ocsp = NULL;
                char *key = NULL;
@@ -6973,7 +6973,7 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
 }
 
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
  * This function dumps the details of an OCSP_CERTID. It is based on
  * ocsp_certid_print in OpenSSL.
@@ -7006,7 +7006,7 @@ static inline int ocsp_certid_print(BIO *bp, OCSP_CERTID *certid, int indent)
  */
 static int cli_io_handler_show_ocspresponse(struct appctx *appctx)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
        struct buffer *trash = alloc_trash_chunk();
        struct buffer *tmp = NULL;
        struct ebmb_node *node;
@@ -7091,7 +7091,7 @@ yield:
 }
 
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
  * Dump the details about an OCSP response in DER format stored in
  * <ocsp_response> into buffer <out>.