From: Michał Kępień Date: Wed, 22 Dec 2021 17:17:26 +0000 (+0100) Subject: Check for SSL_CTX_set_keylog_callback() support X-Git-Tag: v9.17.22~27^2~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7983d5fa7c0fd1a5410791461fb221d385d24ed4;p=thirdparty%2Fbind9.git Check for SSL_CTX_set_keylog_callback() support The SSL_CTX_set_keylog_callback() function is a fairly recent OpenSSL addition, having first appeared in version 1.1.1. Add a configure.ac check for the availability of that function to prevent build errors on older platforms. Sort similar checks alphabetically. This makes the SSLKEYLOGFILE mechanism a silent no-op on unsupported platforms, which is considered acceptable for a debugging feature.
---
diff --git a/configure.ac b/configure.ac
index e4eace9f274..38e8b927ee3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -624,16 +624,17 @@ AC_COMPILE_IFELSE(
 # Check for functions added in OpenSSL or LibreSSL
 #
-AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
+AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
 AC_CHECK_FUNCS([CRYPTO_zalloc])
-AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
+AC_CHECK_FUNCS([ERR_get_error_all])
 AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
 AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md])
-AC_CHECK_FUNCS([ERR_get_error_all])
-AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
-AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
+AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
+AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
+AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
 AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
+AC_CHECK_FUNCS([SSL_CTX_up_ref])
+AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
 #
 # Check for algorithm support in OpenSSL
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index f3129d2ab2b..7515d833cf6 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -176,6 +176,7 @@ isc_tlsctx_free(isc_tlsctx_t **ctxp) {
 SSL_CTX_free(ctx);
 }
+#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
 /*
 * Callback invoked by the SSL library whenever a new TLS pre-master secret
 * needs to be logged.
@@ -199,6 +200,9 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) {
 SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
 }
 }
+#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
+#define sslkeylogfile_init(ctx)
+#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
 isc_result_t
 isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
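Review bot: The fallback `#define sslkeylogfile_init(ctx)` in the `#else` branch expands to nothing, so every call collapses to a bare `;` and its argument is never evaluated. Writing it as `#define sslkeylogfile_init(ctx) ((void)(ctx))` keeps the call a well-formed expression statement and avoids empty-body or unused-variable warnings if a caller ever places it under an unbraced `if`. Because this branch turns SSLKEYLOGFILE into a silent no-op, a comment above the macro would save the next maintainer a search, for example `/* SSL_CTX_set_keylog_callback() is unavailable: SSLKEYLOGFILE is ignored and no TLS secrets are written. */`. The body of sslkeylogfile_init() and its call sites lie outside the hunk, so how the macro is used there could not be checked.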