From: Remi Tricot-Le Breton
Date: Thu, 10 Jun 2021 16:10:32 +0000 (+0200)
Subject: BUILD: ssl: Fix compilation with BoringSSL
X-Git-Tag: v2.5-dev1~159
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3faf0cbba67225e86a51a0ce6e516c51392f990e;p=thirdparty%2Fhaproxy.git
BUILD: ssl: Fix compilation with BoringSSL
The ifdefs surrounding the "show ssl ocsp-response" functionality that were supposed to disable the code with BoringSSL were built the wrong way. It does not need to be backported.
---
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 88a8a3f7fc..9978abc08d 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -122,7 +122,7 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
 void ssl_free_global_issuers(void);
 int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
 int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out);
 int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out);
 #endif
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 67eae099b1..1ca18843d7 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1478,7 +1478,7 @@ end:
 return 0;
 }
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
 * Build the OCSP tree entry's key for a given ckch_store.
 * Returns a negative value in case of error.
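Review bot: The corrected test `((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)` is still written out in full at every site: once around the two prototypes in include/haproxy/ssl_sock.h, three times in src/ssl_ckch.c and five times in src/ssl_sock.c. Because the declaration, the definitions and the call sites must agree exactly, a future edit that misses one copy would presumably either break the build or leave a caller using a function with no prototype in scope. Evaluating the condition once in a shared header and testing a single feature macro everywhere else would remove that risk, for example `#define HAVE_SSL_OCSP_CLI 1` (name illustrative) under the condition and `#ifdef HAVE_SSL_OCSP_CLI` at each site. The outer parentheses are also redundant now that all three terms are joined by `&&`.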
@@ -1534,7 +1534,7 @@ end:
 */
 static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 unsigned int key_length = 0;
 int i;
@@ -1603,7 +1603,7 @@ yield:
 /* IO handler of the details "show ssl cert " */
 static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 struct stream_interface *si = appctx->owner;
 struct ckch_store *ckchs = appctx->ctx.cli.p0;
 struct buffer *out = alloc_trash_chunk();
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 13e6155451..9fb91f2d87 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6930,14 +6930,14 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 }
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 static int cli_io_handler_show_ocspresponse_detail(struct appctx *appctx);
 #endif
 /* parsing function for 'show ssl ocsp-response [id]' */
 static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 if (*args[3]) {
 struct certificate_ocsp *ocsp = NULL;
 char *key = NULL;
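Review bot: None of the four functions whose guard sits directly after the opening brace says what it does when the guard is false, and the `#else`/`#endif` side lies outside every hunk shown. On a BoringSSL build the bodies of `ckch_store_show_ocsp_certid`, `cli_io_handler_show_cert_ocsp_detail` and `cli_parse_show_ocspresponse` here, and of `cli_io_handler_show_ocspresponse` further down in src/ssl_sock.c, now compile out. If the fallback returns silently, an operator checking stapling state with 'show ssl ocsp-response' cannot tell "no response loaded" from "not compiled in", so it is worth confirming that path reports the feature as unsupported. A short comment above each function would document the behaviour, e.g. `/* Body is compiled out without OCSP support or when built against BoringSSL. */`.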
@@ -6973,7 +6973,7 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
 }
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
 * This function dumps the details of an OCSP_CERTID. It is based on
 * ocsp_certid_print in OpenSSL.
@@ -7006,7 +7006,7 @@ static inline int ocsp_certid_print(BIO *bp, OCSP_CERTID *certid, int indent)
 */
 static int cli_io_handler_show_ocspresponse(struct appctx *appctx)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 struct buffer *trash = alloc_trash_chunk();
 struct buffer *tmp = NULL;
 struct ebmb_node *node;
@@ -7091,7 +7091,7 @@ yield:
 }
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
 * Dump the details about an OCSP response in DER format stored in
 * into buffer .