From: Remi Tricot-Le Breton
Date: Tue, 8 Feb 2022 16:45:58 +0000 (+0100)
Subject: MINOR: ssl: Remove call to SSL_CTX_set_tlsext_ticket_key_cb with OpenSSLv3
X-Git-Tag: v2.6-dev2~191
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ea1f5f6cd4fda36748dd5b7178957c0779e9a58;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Remove call to SSL_CTX_set_tlsext_ticket_key_cb with OpenSSLv3

SSL_CTX_set_tlsext_ticket_key_cb was deprecated on OpenSSLv3 because it uses an HMAC_pointer which is deprecated as well. According to the v3's manpage it should be replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb which uses a EVP_MAC_CTX pointer. This new callback was introduced in OpenSSLv3 so we need to keep the two calls in the source base and to split the usage depending on the OpenSSL version.
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index d34a22efcd..10a4fa60fd 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -24,6 +24,10 @@
 #include
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#include
+#endif
+
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
 * systematically breaking when some code is written for a specific version
@@ -79,6 +83,14 @@
 #define HAVE_SSL_KEYLOG
 #endif
 
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#define HAVE_OSSL_PARAM
+#define MAC_CTX EVP_MAC_CTX
+#else
+#define MAC_CTX HMAC_CTX
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
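Review bot: The new guard at the top of openssl-compat.h tests the raw `OPENSSL_VERSION_NUMBER`, while every other version test in this file, including the `MAC_CTX` block added further down, goes through `HA_OPENSSL_VERSION_NUMBER`. Presumably that is because the `HA_` macro is only defined after the LibreSSL block that follows this hunk, but nothing says so, and a later reader may "harmonize" it and break the include order. A one-line comment would pin the intent: `/* raw OPENSSL_VERSION_NUMBER on purpose: HA_OPENSSL_VERSION_NUMBER is defined further down */`. The name of the header included inside the new block is not visible in this rendering, so the include itself cannot be checked here.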
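Review bot: `MAC_CTX` is introduced as an unprefixed, project-wide macro in a header that every SSL-using translation unit includes, whereas the rest of this file prefixes its own names (`HA_OPENSSL_VERSION_NUMBER`, `__OPENSSL_110_CONST__`); a clash with a third-party or future OpenSSL identifier of the same name would be silently resolved by the preprocessor. `HAVE_OSSL_PARAM` is also defined here but nothing in this diff tests it, so a short comment stating what the two macros stand for would help the next maintainer: `/* OpenSSL >= 3.0: OSSL_PARAM/EVP_MAC API available; MAC_CTX is the MAC context type handed to the TLS ticket key callback (HMAC_CTX before 3.0) */`.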
@@ -298,6 +310,12 @@ static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
 }
 #endif
 
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
+#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB)
+#define SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_tlsext_ticket_key_cb
+#endif
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
 #define __OPENSSL_110_CONST__ const
 #else
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1bfb186898..815a34cf37 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1051,7 +1051,8 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
 #endif
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
+
+static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
 {
 struct tls_keys_ref *ref;
 union tls_sess_key *keys;
@@ -4596,7 +4597,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 }
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 if(bind_conf->keys_ref) {
-if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
+if (!SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_tlsext_ticket_key_cb)) {
 memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
 err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
 cfgerr |= ERR_ALERT | ERR_FATAL;
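Review bot: The compatibility alias that maps `SSL_CTX_set_tlsext_ticket_key_evp_cb` onto `SSL_CTX_set_tlsext_ticket_key_cb` for OpenSSL below 3.0 carries no comment, so a reader of ssl_sock.c who looks the `_evp_cb` name up in a pre-3.0 manpage will not find it and will not know why the build still links. A short comment above the outer `#if` would close that gap: `/* Before 3.0 the EVP_MAC ticket callback does not exist; map the new name onto the HMAC_CTX variant so callers use a single spelling. */`. The alias is correctly limited to builds where `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` is defined, which matches the guard ssl_sock.c already uses around its callback.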
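Review bot: The only change to ssl_tlsext_ticket_key_cb in this hunk is the `hctx` parameter type, now `MAC_CTX *`, which expands to `EVP_MAC_CTX *` on OpenSSL 3.0; the body that sets up that context begins after the end of the hunk and is not touched by the commit. If that body still drives `hctx` through the `HMAC_CTX` API (an `HMAC_Init_ex` call or similar), a 3.0 build would hand an `EVP_MAC_CTX` pointer to a function expecting `HMAC_CTX`, so either the body is updated in the same series or the commit message should say that the callback body follows in a later patch. Since this callback protects the session ticket MAC, a type-mismatched context here is worth confirming before merge rather than leaving to compiler warnings. The added empty `+` line between the `#if` guard and the function definition also reads as a stray blank; dropping it keeps the guard visually attached to the function it protects. The function's body continues outside the hunk.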