From: Emmanuel Hocdet
Date: Mon, 20 Mar 2017 10:11:49 +0000 (+0100)
Subject: BUILD: ssl: simplify SSL_CTX_set_ecdh_auto compatibility
X-Git-Tag: v1.8-dev1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a52bb15cc78ecf07f2c4be3f6e5aba417dafd098;p=thirdparty%2Fhaproxy.git
BUILD: ssl: simplify SSL_CTX_set_ecdh_auto compatibility
SSL_CTX_set_ecdh_auto is declared (when present) with #define. A simple #ifdef avoid to list all cases of ssllibs. It's a placebo in new ssllibs. It's ok with openssl 1.0.1, 1.0.2, 1.1.0, libressl and boringssl. Thanks to Piotr Kubaj for postponing and testing with libressl.
---
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index f9ecc9955e..c56619951f 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -182,10 +182,4 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey)
 #define RAND_pseudo_bytes(x,y) RAND_bytes(x,y)
 #endif
 
-/* This function does nothing in 1.1.0 and doesn't exist in boringssl */
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
-#undef SSL_CTX_set_ecdh_auto
-#define SSL_CTX_set_ecdh_auto(ctx, onoff)
-#endif
-
 #endif /* _PROTO_OPENSSL_COMPAT_H */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f947c9965e..1e63c5703a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3402,8 +3402,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
 cfgerr++;
 }
- else
- SSL_CTX_set_ecdh_auto(ctx, 1);
+#if defined(SSL_CTX_set_ecdh_auto)
+ (void)SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif
 }
 #endif
 #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
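Review bot: The result of `SSL_CTX_set_ecdh_auto(ctx, 1)` in the src/ssl_sock.c hunk is discarded with a `(void)` cast, so on a library where the macro does real work a failure to enable automatic ECDH curve selection would go unreported, and the listener could come up without the ECDHE setup the configured curves imply. The branch just above it ends in `cfgerr++`, so the same convention could apply here, e.g. `if (!SSL_CTX_set_ecdh_auto(ctx, 1)) cfgerr++;` inside the `#if`, assuming the macro returns non-zero on success in every supported library. With the `else` dropped, the call now also runs after that error branch has fired; that looks harmless if a non-zero `cfgerr` aborts startup, but a comment such as `/* called unconditionally: no-op on newer ssllibs, cfgerr already records a curves failure */` would show it is intentional. The guard `#if defined(SSL_CTX_set_ecdh_auto)` also silently compiles the call out on any library that exposes it as a plain function rather than a macro, which is worth stating in a comment next to the guard. The body of ssl_sock_prepare_ctx starts and ends outside the hunk.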