BoringSSL commit dddb60e, "Make most of crypto/x509 opaque.", breaks
compilation of HAProxy with the following errors (log from compiling HAProxy
2.4.4 with BoringSSL master branch commit a03c34c, but I suppose all other
versions are equally affected):
...
CC src/ssl_sample.o
In file included from include/haproxy/listener-t.h:37,
from include/haproxy/server-t.h:36,
from include/haproxy/lb_map-t.h:26,
from include/haproxy/backend-t.h:30,
from include/haproxy/proxy-t.h:35,
from include/haproxy/applet-t.h:31,
from include/haproxy/obj_type.h:26,
from src/ssl_sample.c:27:
include/haproxy/openssl-compat.h: In function 'X509_OBJECT_get0_X509_CRL':
include/haproxy/openssl-compat.h:182:23: error: dereferencing pointer to
incomplete type 'X509_OBJECT' {aka 'const struct x509_object_st'}
if (a == NULL || a->type != X509_LU_CRL) {
^~
src/ssl_sample.c: In function 'smp_fetch_ssl_x_key_alg':
include/haproxy/openssl-compat.h:122:37: error: dereferencing pointer to
incomplete type 'X509' {aka 'struct x509_st'}
#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
^~
src/ssl_sample.c:716:55: note: in expansion of macro 'X509_get_X509_PUBKEY'
X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL,
X509_get_X509_PUBKEY(crt));
^~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:945: src/ssl_sample.o] Error 1
Indeed, BoringSSL commit dddb60e "unexported" these structs "aligning with
OpenSSL" and directs to "Use the accessor APIs instead". I couldn't figure out
an easy fix to this - simply removing the two macros conditional on
OPENSSL_IS_BORINGSSL in affected places doesn't fully help because while the
X509_get_X509_PUBKEY() accessor is now defined, X509_OBJECT_get0_X509_CRL() is
still missing in BoringSSL. Therefore I defer the fix to HAProxy SSL experts -
maybe it's actually BoringSSL that needs to be fixed by adding the missing
accessor, or maybe the single loop in ssl_set_cert_crl_file() over all X509
store objects needs to be broken into two loops: one over certs returned by
X509_STORE_get1_certs() and another over CRLs returned by
X509_STORE_get1_crls().
Thanks in advance for taking a stab at this,
Bob