From: Willy Tarreau Date: Thu, 19 Jan 2017 16:10:54 +0000 (+0100) Subject: BUILD: ssl: eliminate warning with OpenSSL 1.1.0 regarding RAND_pseudo_bytes() X-Git-Tag: v1.8-dev1~151 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77d88da7e1be29ff1ba5cd4634e2997060d30b2b;p=thirdparty%2Fhaproxy.git BUILD: ssl: eliminate warning with OpenSSL 1.1.0 regarding RAND_pseudo_bytes() This function was deprecated in 1.1.0 causing this warning : src/ssl_sock.c:551:3: warning: 'RAND_pseudo_bytes' is deprecated (declared at /opt/openssl-1.1.0/include/openssl/rand.h:47) [-Wdeprecated-declarations] The man suggests to use RAND_bytes() instead. While the return codes differ, it turns out that the function was already misused and was relying on RAND_bytes() return code instead. The patch was tested on 0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0. This fix must be backported to 1.7 and the return code check should be backported to earlier versions if relevant. --- diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h index 0194eaa670..c56619951f 100644 --- a/include/proto/openssl-compat.h +++ b/include/proto/openssl-compat.h @@ -171,4 +171,15 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey) #define ERR_remove_state(x) #endif + +/* RAND_pseudo_bytes() is deprecated in 1.1.0 in favor of RAND_bytes(). Note + * that the return codes differ, but it happens that the only use case (ticket + * key update) was already wrong, considering a non-cryptographic random as a + * failure. + */ +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) +#undef RAND_pseudo_bytes +#define RAND_pseudo_bytes(x,y) RAND_bytes(x,y) +#endif + #endif /* _PROTO_OPENSSL_COMPAT_H */
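Review bot: The `#define RAND_pseudo_bytes(x,y) RAND_bytes(x,y)` added at the end of include/proto/openssl-compat.h keeps the deprecated name at the call site while changing its return-code contract only when `OPENSSL_VERSION_NUMBER >= 0x1010000fL`, so the same caller is checked against two different contracts depending on the OpenSSL version it is built with. The new comment says the only user (ticket key update) already treats a non-cryptographic result as a failure, which means it already expects RAND_bytes() semantics. It would be clearer to call RAND_bytes() directly in that caller on every version and drop the macro. If the macro stays, the comment should state which return value callers must test for (1 on success), so that a later use of RAND_pseudo_bytes() elsewhere does not get written against the old meaning and silently accept or reject the wrong result on 1.1.0 builds.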