Re: [PATCH] introduce guard for SCTL openssl specific functions
On Thu, Feb 18, 2021 at 07:06:14PM +0500, Илья Шипицин wrote:
> ping :)
>
> On Sat, Feb 13, 2021, 11:48 AM Илья Шипицин wrote:
>
> > I changed macro name, new patch attached
> >

Merged, thanks.

--
William Lallemand
Re: [PATCH] introduce guard for SCTL openssl specific functions
ping :)

On Sat, Feb 13, 2021, 11:48 AM Илья Шипицин wrote:

> I changed macro name, new patch attached
>
> Sat, 13 Feb 2021 at 03:41, William Lallemand:
>
>> On Sat, Feb 13, 2021 at 12:21:56AM +0500, Илья Шипицин wrote:
>> > Hello,
>> >
>> > let us switch to feature macro instead of HA_OPENSSL_VERSION.
>> >
>> > Ilya
>>
>> Hello Ilya,
>>
>> For more consistency with the other macros I'd rather use
>> "HAVE_SSL_SCTL" instead of "HAVE_OPENSSL_SCTL".
>>
>> Regards,
>>
>> --
>> William Lallemand
>>
>
Re: [PATCH] introduce guard for SCTL openssl specific functions
I changed macro name, new patch attached

Sat, 13 Feb 2021 at 03:41, William Lallemand:

> On Sat, Feb 13, 2021 at 12:21:56AM +0500, Илья Шипицин wrote:
> > Hello,
> >
> > let us switch to feature macro instead of HA_OPENSSL_VERSION.
> >
> > Ilya
>
> Hello Ilya,
>
> For more consistency with the other macros I'd rather use
> "HAVE_SSL_SCTL" instead of "HAVE_OPENSSL_SCTL".
>
> Regards,
>
> --
> William Lallemand
>

From 48fda0400d94c354f3eee937896eae5c22e67705 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Sat, 13 Feb 2021 11:45:33 +0500 Subject: [PATCH] BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions SCTL (signed certificate timestamp list) specified in RFC6962 was implemented in c74ce24cd22e8c683ba0e5353c0762f8616e597d, let us introduce macro HAVE_SSL_SCTL for the HAVE_SSL_SCTL sake, which in turn is based on SN_ct_cert_scts, which comes in the same commit --- include/haproxy/openssl-compat.h | 4 src/ssl_ckch.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index 3fe58be40..b5f05d1ae 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -57,6 +57,10 @@ #define HAVE_SSL_CTX_get0_privatekey #endif +#if (defined(SN_ct_cert_scts) && !defined(OPENSSL_NO_TLSEXT)) +#define HAVE_SSL_SCTL +#endif + #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) /* Functions present in OpenSSL 0.9.8, older not tested */ static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length) diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index f654b4b52..8aa29bd22 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c
@@ -320,7 +320,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c goto end; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_SSL_SCTL /* try to load the sctl file */ if (global_ssl.extra_files & SSL_GF_SCTL) { struct stat st; @@ -939,7 +939,7 @@ enum { CERT_TYPE_OCSP, #endif CERT_TYPE_ISSUER, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_SSL_SCTL CERT_TYPE_SCTL, #endif CERT_TYPE_MAX, @@ -956,7 +956,7 @@ struct { #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) [CERT_TYPE_OCSP] = { "ocsp",CERT_TYPE_OCSP, _sock_load_ocsp_response_from_file }, #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_SSL_SCTL [CERT_TYPE_SCTL] = { "sctl",CERT_TYPE_SCTL, _sock_load_sctl_from_file }, #endif [CERT_TYPE_ISSUER] = { "issuer", CERT_TYPE_ISSUER, _sock_load_issuer_file_into_ckch }, -- 2.29.2
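Review bot: in the include/haproxy/openssl-compat.h hunk, the new HAVE_SSL_SCTL condition tests only "defined(SN_ct_cert_scts) && !defined(OPENSSL_NO_TLSEXT)", while all three guards it replaces in src/ssl_ckch.c also required "!defined OPENSSL_IS_BORINGSSL", so the BoringSSL exclusion is dropped without the commit message saying so. If a BoringSSL build exposes SN_ct_cert_scts, the "try to load the sctl file" block, CERT_TYPE_SCTL and its "sctl" table entry would now be compiled there. Either keep "&& !defined(OPENSSL_IS_BORINGSSL)" in the macro definition, or state in the commit message that enabling SCTL loading for BoringSSL is intended and has been built.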
Re: [PATCH] introduce guard for SCTL openssl specific functions
On Sat, Feb 13, 2021 at 12:21:56AM +0500, Илья Шипицин wrote:
> Hello,
>
> let us switch to feature macro instead of HA_OPENSSL_VERSION.
>
> Ilya

Hello Ilya,

For more consistency with the other macros I'd rather use
"HAVE_SSL_SCTL" instead of "HAVE_OPENSSL_SCTL".

Regards,

--
William Lallemand
[PATCH] introduce guard for SCTL openssl specific functions
Hello,

let us switch to feature macro instead of HA_OPENSSL_VERSION.

Ilya

From ddae23ca3503f29416cb04dc5689282be67df087 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Sat, 13 Feb 2021 00:16:58 +0500 Subject: [PATCH] BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions SCTL (signed certificate timestamp list) specified in RFC6962 was implemented in c74ce24cd22e8c683ba0e5353c0762f8616e597d, let us introduce macro HAVE_OPENSSL_SCTL for the HAVE_OPENSSL_SCTL sake, which in turn is based on SN_ct_cert_scts, which comes in the same commit --- include/haproxy/openssl-compat.h | 4 src/ssl_ckch.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index 3fe58be40..f3044228a 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -57,6 +57,10 @@ #define HAVE_SSL_CTX_get0_privatekey #endif +#if (defined(SN_ct_cert_scts) && !defined(OPENSSL_NO_TLSEXT)) +#define HAVE_OPENSSL_SCTL +#endif + #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) /* Functions present in OpenSSL 0.9.8, older not tested */ static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length) diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index f654b4b52..d0cc562c0 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -320,7 +320,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c goto end; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_OPENSSL_SCTL /* try to load the sctl file */ if (global_ssl.extra_files & SSL_GF_SCTL) { struct stat st; @@ -939,7 +939,7 @@ enum { CERT_TYPE_OCSP, #endif CERT_TYPE_ISSUER, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_OPENSSL_SCTL CERT_TYPE_SCTL, #endif CERT_TYPE_MAX,
@@ -956,7 +956,7 @@ struct { #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) [CERT_TYPE_OCSP] = { "ocsp",CERT_TYPE_OCSP, _sock_load_ocsp_response_from_file }, #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_OPENSSL_SCTL [CERT_TYPE_SCTL] = { "sctl",CERT_TYPE_SCTL, _sock_load_sctl_from_file }, #endif [CERT_TYPE_ISSUER] = { "issuer", CERT_TYPE_ISSUER, _sock_load_issuer_file_into_ckch }, -- 2.29.2
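Review bot: the "#define HAVE_OPENSSL_SCTL" block added in the include/haproxy/openssl-compat.h hunk has no comment saying why SN_ct_cert_scts is the detection symbol or what the macro gates; that rationale exists only in the commit message. A one-line comment above the "#if" would keep it next to the definition, so that someone later adjusting the condition can see it stands in for the explicit version, OPENSSL_NO_TLSEXT and OPENSSL_IS_BORINGSSL tests removed from the three guards in src/ssl_ckch.c. The commit message phrase "introduce macro HAVE_OPENSSL_SCTL for the HAVE_OPENSSL_SCTL sake" is circular; naming what the macro guards (the sctl file loading and the CERT_TYPE_SCTL entries) would be clearer.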