BoringSSL commit dddb60e, "Make most of crypto/x509 opaque.", breaks 
compilation of HAProxy with the following errors (log from compiling HAProxy 
2.4.4 with BoringSSL master branch commit a03c34c, but I suppose all other 
versions are equally affected):

...
  CC      src/ssl_sample.o
In file included from include/haproxy/listener-t.h:37,
                 from include/haproxy/server-t.h:36,
                 from include/haproxy/lb_map-t.h:26,
                 from include/haproxy/backend-t.h:30,
                 from include/haproxy/proxy-t.h:35,
                 from include/haproxy/applet-t.h:31,
                 from include/haproxy/obj_type.h:26,
                 from src/ssl_sample.c:27:
include/haproxy/openssl-compat.h: In function 'X509_OBJECT_get0_X509_CRL':
include/haproxy/openssl-compat.h:182:23: error: dereferencing pointer to 
incomplete type 'X509_OBJECT' {aka 'const struct x509_object_st'}
     if (a == NULL || a->type != X509_LU_CRL) {
                       ^~
src/ssl_sample.c: In function 'smp_fetch_ssl_x_key_alg':
include/haproxy/openssl-compat.h:122:37: error: dereferencing pointer to 
incomplete type 'X509' {aka 'struct x509_st'}
#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
                                     ^~
src/ssl_sample.c:716:55: note: in expansion of macro 'X509_get_X509_PUBKEY'
  X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, 
X509_get_X509_PUBKEY(crt));
                                                       ^~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:945: src/ssl_sample.o] Error 1

Indeed, BoringSSL commit dddb60e "unexported" these structs "aligning with 
OpenSSL" and directs to "Use the accessor APIs instead". I couldn't figure out 
an easy fix to this - simply removing the two macros conditional on 
OPENSSL_IS_BORINGSSL in affected places doesn't fully help because while 
X509_get_X509_PUBKEY() accessor is now defined, X509_OBJECT_get0_X509_CRL() is 
still missing in BoringSSL. Therefore I defer the fix to HAProxy SSL experts - 
maybe it's actually BoringSSL that needs to be fixed by adding the missing 
accessor, or maybe the single loop in ssl_set_cert_crl_file() over all X509 
store objects needs to be broken into two loops: one over certs returned by 
X509_STORE_get1_certs() and another over CRLs returned by 
X509_STORE_get1_crls().

Thanks in advance for taking a stab at this,
  Bob