-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
haproxy 1.7.5 fails to build with LibreSSL 2.5.3. Like OpenSSL, LibreSSL is making structs opaque. Direct access to the members thus leads to build failures. This has been addressed by OpenBSD for 1.6, see cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/haproxy/patches/patch-src_ssl_sock_c . In making the structs opaque, OpenSSL (and LibreSSL) must make sure they provide getters and setters for struct members that should be accessible. OpenSSL has done that in 1.1. Haproxy started using/emulating some of these new methods used in 1.7.5 but the implementation is not complete. This causes build failures with LibreSSL. The relevant commit in OpenSSL 1.1 is https://github.com/openssl/openssl/commit/fddfc0afc84728f8a5140685163e66ce6471742d The haproxy code adds the defines for the methods yet fails to also add the defines for the constants SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB and SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG The patch adds fixes for the 1.7 added methods aswell as the OpenBSD fixes.
- --- src/ssl_sock.c.orig 2017-04-03 08:28:32 UTC
+++ src/ssl_sock.c
@@ -794,8 +795,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 ocsp = NULL;
 #ifndef SSL_CTX_get_tlsext_status_cb
- -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
- - *cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
+#endif
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
 #endif
 SSL_CTX_get_tlsext_status_cb(ctx, &callback);
@@ -823,7 +827,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
 int key_type;
 EVP_PKEY *pkey;
- -#ifdef SSL_CTX_get_tlsext_status_arg
+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
 #else
 cb_arg = ctx->tlsext_status_arg;
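Review bot: The replacement `SSL_CTX_get_tlsext_status_cb` macro assigns the return value of `SSL_CTX_ctrl()` to `*cb`, which overwrites the callback pointer the ctrl presumably stores through the `(void (**)(void))cb` argument with an integer status, and converts a `long` to a function pointer without a cast. OpenSSL 1.1's definition, which this emulates, is the bare call: `SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)` with no `*cb =` in front. Since the ctrl's status is then discarded, a library whose `SSL_CTX_ctrl` does not recognise control 128 would leave `*cb` untouched, so `callback` should be initialised to NULL before the call if it is not already; ssl_sock_load_ocsp starts and ends outside this hunk, so that cannot be checked here. The fallback value 128 also deserves a comment such as `/* value of SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB in OpenSSL 1.1 ssl.h */` so the origin of the hard-coded number is recorded.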
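Review bot: The `SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)` call that this hunk now selects for every LibreSSL build ignores the ctrl's return value, so on a LibreSSL release whose `SSL_CTX_ctrl` does not handle control 129 the call returns without writing `cb_arg` and the code continues with whatever `cb_arg` held before; whether 2.5.3 implements it is not visible from the patch. Initialising `cb_arg = NULL` before the call (if that is not already done above the hunk) and treating a return other than 1 as "no argument", e.g. `if (SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg) != 1) cb_arg = NULL;`, would make an unsupported ctrl explicit instead of silent. The fallback value 129 should carry the same one-line comment as 128, noting it mirrors the OpenSSL 1.1 header. ssl_sock_load_ocsp continues outside this hunk.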
@@ -3539,7 +3546,7 @@ int ssl_sock_handshake(struct connection
 OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
 empty_handshake = state == TLS_ST_BEFORE;
 #else
- - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
 #endif
 if (empty_handshake) {
@@ -3617,7 +3624,7 @@ int ssl_sock_handshake(struct connection
 state = SSL_get_state((SSL *)conn->xprt_ctx);
 empty_handshake = state == TLS_ST_BEFORE;
 #else
- - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
 #endif
 if (empty_handshake) {
 if (!errno) {
-----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJY97C7AAoJEHT7/r+FArC0Vx0P/04wVZ1nsyNdeh/JLNpcKVeP rza/wB8iQjIBLx/KiyVPppJdIPeplU9Gjtkdh68xNyRkH3sZmG6VZIM94YbGtZex +TF4tGAHOjpi6E2oN8X9V51MYfVUoaaQfe3K7bG6yRDQG3whyRLKNXd5dZfAFoZn D6TSAwoTdBtICdcKTonCVrw3avT31hTcW5ykv4fe29WIblW5QNKEJH+3h0c7W5sE Uk1c1joy62MvxdrnO6KgmyatYkABAWb3AV8yMX6uNbeITwMbSKsq3UwGXNfIjhaL bM+XHTyntXZZMSnT0N84edNOERWTL2SJW0BHzUfMpRAhEfl+fZgMDTpsPfmZXa/f yk4XSrJ1VBySPazF17mOYbl/5LQJnO10CEvnDcczXMNWvi5bFfjsO/uDohGsZw9o u2JUYinSDJtb6mj6Qykn+oDrWH6vKY13HroDboury+K6eGimHOGomad3HgRp6TrY lSYDHm7L2tVNtVYbYd008Ch7nMoM88tGXyARKpBveUU1u7zS1J3gRps+HSc0mwYW pSOnCQ1p5MxxmrAYRCU+IOT9plxM41sRxREk9aXMrJJAWAY/B5SDohfaLA+Xa7DF OH6XoBtyzJtpciY4W0F8vqZqIrzPSaqC/K6fiSKA7uOpiL4qV2CLxG8DmgedMIuU LxQ7aj9KS58LJ2nCbsKW =8/pm -----END PGP SIGNATURE-----
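Review bot: The new `#else` branch swaps the `packet_length` test for `SSL_state(...) == SSL_ST_BEFORE` for every library that lacks `OSSL_HANDSHAKE_STATE`, not only LibreSSL, and the two tests do not look equivalent: `packet_length` is zero whenever nothing has been received, whereas, as far as I recall OpenSSL 1.0.x's accept state machine, the state leaves `SSL_ST_BEFORE` as soon as `SSL_do_handshake()` starts and before any bytes are read, so `empty_handshake` may turn false on OpenSSL 1.0.x builds where it used to be true, changing which error is logged for a connection closed before any client data arrives. If the goal is only to build against opaque structs, confine the new test to the opaque library: change the `#else` to `#elif defined(LIBRESSL_VERSION_NUMBER)`, keep the `SSL_state` line under it, and add `#else` followed by the original `empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;` before the `#endif`. The same applies to the second hunk at `@@ -3617,7 +3624,7 @@`, which makes the identical replacement. Both hunks sit inside ssl_sock_handshake, which starts and ends outside them, so the surrounding error-classification logic cannot be checked here.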