From 019f9b10ef4e99d2ddd017f75d5e2050cf593678 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Mon, 2 Oct 2017 17:12:06 +0200
Subject: [PATCH] MINOR: ssl: build with recent BoringSSL library

BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility.
Fix BoringSSL call and openssl-compat.h/#define occordingly.
This will not break openssl/libressl compat.
---
 include/proto/openssl-compat.h | 21 ++++++++++++++-------
 src/ssl_sock.c | 9 +++++----
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index 8fe1c183c4..b6fe1d2c1d 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -89,9 +89,9 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
 /*
- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+ * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
  */
 static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)
@@ -107,6 +107,11 @@ static inline int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
 return 1;
 }
+static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
+{
+ return x->cert_info->signature;
+}
+
 #if (!defined OPENSSL_NO_OCSP)
 static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
 {
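Review bot: The `#if` at the top of the -89 hunk now routes BoringSSL into this compat block even though, per the commit message, BoringSSL reports OPENSSL_VERSION_NUMBER as 1.1.0, and the header comment does not say why; a reader seeing the version check alone will assume BoringSSL is excluded. I would extend the comment to `* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL` followed by `* (BoringSSL reports OPENSSL_VERSION_NUMBER 1.1.0 but does not provide these)`. The block split off in the -114 hunk has the same gap in the other direction: its comment `Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL` should state that BoringSSL already provides these, since that is the only reason the two groups are now separate. Both `#if` blocks continue outside their hunks.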
@@ -114,6 +119,13 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
 }
 #endif
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+ */
+
 static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
 {
 return ctx->default_passwd_callback;
@@ -139,11 +151,6 @@ static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
 return x->data;
 }
-static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
-{
- return x->cert_info->signature;
-}
-
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 94d1290d0b..bb1d691564 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 #include
 #endif
@@ -1843,7 +1844,7 @@ ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_con
 #define SSL_MODE_SMALL_BUFFERS 0
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
@@ -2055,7 +2056,7 @@ static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
 goto abort;
 }
 cipher = SSL_get_cipher_by_value(cipher_suite);
- if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
+ if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
 has_ecdsa = 1;
 break;
 }
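Review bot: Dropping `&& !defined(OPENSSL_IS_BORINGSSL)` in the -1843 hunk makes the legacy ctx_set_SSLv3_func / force-xxx path depend solely on BoringSSL reporting OPENSSL_VERSION_NUMBER >= 1.1.0; a BoringSSL checkout older than the one this commit targets still reports a 1.0.x number and would now take the branch this guard used to keep it out of, with no diagnostic. The same relaxed condition is used in the -3606 and -4106 hunks of ssl_sock.c. Since the commit title says "recent BoringSSL" is a requirement, a single build-time check in openssl-compat.h would make the unsupported combination fail loudly: `#if defined(OPENSSL_IS_BORINGSSL) && (OPENSSL_VERSION_NUMBER < 0x1010000fL)` / `#error "BoringSSL must report OPENSSL_VERSION_NUMBER >= 1.1.0; update BoringSSL"` / `#endif`. The `#if` block and ctx_set_SSLv3_func continue outside the hunk, so I cannot see whether anything else inside it is also BoringSSL-hostile.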
@@ -3606,7 +3607,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 conf_ssl_methods->min = min;
 conf_ssl_methods->max = max;
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /* Keep force-xxx implementation as it is in older haproxy. It's a precautionary measure to avoid any suprise with older openssl version. */
 if (min == max)
@@ -4106,7 +4107,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 cfgerr += 1;
 }
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /* Keep force-xxx implementation as it is in older haproxy. It's a precautionary measure to avoid any suprise with older openssl version. */
 if (min == max)
-- 
2.39.5