Hi Ilya,

On Wed, Nov 04, 2020 at 12:43:44AM +0500, ???? ??????? wrote:
> Hi,
> 
> let us use macros instead of openssl versions.
> 
> Cheers,
> Ilya

> From 278857e7d21e593e1b5a05a05605c89bdb08581d Mon Sep 17 00:00:00 2001
> From: Ilya Shipitsin <chipits...@gmail.com>
> Date: Wed, 4 Nov 2020 00:39:07 +0500
> Subject: [PATCH 1/2] BUILD: ssl: use feature macros for detecting ec curves
>  manipulation support
> 
> let us use SSL_CTX_set1_curves_list (OpenSSL), SSL_CTRL_SET_CURVES_LIST 
> (BoringSSL)
> for feature detection instead of versions
> ---
>  include/haproxy/ssl_sock-t.h | 2 +-
>  src/cfgparse-ssl.c           | 8 ++++----
>  src/ssl_sock.c               | 2 +-
>  3 files changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
> index c8c8616ea..1f9045cb9 100644
> --- a/include/haproxy/ssl_sock-t.h
> +++ b/include/haproxy/ssl_sock-t.h
> @@ -274,7 +274,7 @@ struct global_ssl {
>       char *listen_default_ciphersuites;
>       char *connect_default_ciphersuites;
>  #endif
> -#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || 
> defined(LIBRESSL_VERSION_NUMBER))
> +#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
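Review bot: the LibreSSL case is no longer covered explicitly at the `#if` line. The removed condition enabled the block for every LibreSSL version via `defined(LIBRESSL_VERSION_NUMBER)`, while the new one relies on LibreSSL's headers defining `SSL_CTX_set1_curves_list` or `SSL_CTRL_SET_CURVES_LIST` as macros, and the commit message does not say this was checked on a LibreSSL build. Suggest confirming it there before merging, or keeping `|| defined(LIBRESSL_VERSION_NUMBER)` until it is confirmed. Minor style point on the same line: the removed line and the rest of this header use `defined(NAME)` with parentheses, so `defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST)` would match the surrounding code.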

I could run that from 0.9.8 to 1.1.1 and confirm it gives the same
results (not tested on libressl though). However given that it results
in yet another "OR" between two variables supposedly identical, I think
we should remap the boringssl one to the SSL_CTX_set1_curves_list in
openssl-compat.h, something like this:

#if !defined(SSL_CTX_set1_curves_list) && defined(SSL_CTRL_SET_CURVES_LIST)
/* boringSSL only sets SSL_CTRL_SET_CURVES_LIST; it provides
 * SSL_CTX_set1_curves_list as a real function, not a macro. Defining the
 * macro as its own name makes defined() true while calls still reach the
 * function (an empty #define would expand calls into a no-op comma expression).
 */
#define SSL_CTX_set1_curves_list SSL_CTX_set1_curves_list
#endif

This way it's cleaner to only test on the canonical name through the
code (SSL_CTX_set1_curves_list).

Not very important, I'll let William decide, it's just a suggestion,
because as you've certainly figured by yourself now, this code full
of #ifdef has become a real mess.

Cheers,
Willy
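The remap idea from the reply, and the reason an empty #define would be the wrong way to do it, as an added example that is not part of this thread and not HAProxy's or any TLS library's code. It uses a constructed stand-in library with hypothetical names (lib_set1_curves_list, LIB_CTRL_SET_CURVES_LIST, struct lib_ctx) that, like BoringSSL, exposes the ctrl constant as a macro but the setter as a real function. The shim makes the canonical name visible to defined() without hiding the function, and the stringified expansions show why an empty object-like macro silently turns the call into a comma expression that configures nothing.

```c
#include <string.h>

/* Constructed stand-in for a TLS library header. The names are hypothetical
 * (not OpenSSL or BoringSSL symbols). Like BoringSSL, the library defines the
 * ctrl constant as a macro but provides the curve-list setter as a real
 * function, so "#if defined(lib_set1_curves_list)" alone would be false even
 * though the call is available. */
#define LIB_CTRL_SET_CURVES_LIST 94

struct lib_ctx {
    char curves[64];            /* configured curve list; empty until set */
};

static int lib_set1_curves_list(struct lib_ctx *ctx, const char *list)
{
    if (strlen(list) >= sizeof(ctx->curves))
        return 0;
    strcpy(ctx->curves, list);
    return 1;
}

/* Compat shim in the spirit of the reply. The macro expands to its own name,
 * so defined() is true while every call still reaches the real function. */
#if !defined(lib_set1_curves_list) && defined(LIB_CTRL_SET_CURVES_LIST)
#define lib_set1_curves_list lib_set1_curves_list
#endif

/* The hazard of an empty object-like macro, kept here for comparison:
 * broken_set1_curves_list(ctx, list) expands to (ctx, list), a comma
 * expression that compiles and configures nothing. */
#define broken_set1_curves_list

/* Helpers that show what the preprocessor turns a call into. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Application code tests a single canonical name. */
int curves_api_detected(void)
{
#if defined(lib_set1_curves_list)
    return 1;
#else
    return 0;
#endif
}

int apply_curves(struct lib_ctx *ctx, const char *list)
{
#if defined(lib_set1_curves_list)
    return lib_set1_curves_list(ctx, list);
#else
    (void)ctx; (void)list;
    return -1;                  /* feature absent: refuse the "curves" option */
#endif
}

/* Round trip: configure a constructed list and read it back. */
int roundtrip_ok(void)
{
    struct lib_ctx ctx = { { 0 } };
    if (apply_curves(&ctx, "X25519:P-256") != 1)
        return 0;
    return strcmp(ctx.curves, "X25519:P-256") == 0;
}

/* Source text of each call after macro expansion. */
const char *expanded_good_call(void)
{
    return STR(lib_set1_curves_list(ctx, list));
}

const char *expanded_broken_call(void)
{
    return STR(broken_set1_curves_list(ctx, list));
}
```

The self-referential define is the standard way to make a real function discoverable with defined(); the preprocessor does not re-expand a macro inside its own expansion, so the call site is left untouched.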
