MINOR: ssl: build with recent BoringSSL library

BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2025-08-07 23:56:57 +02:00 · 2017-10-02 17:12:06 +02:00 · 2017-10-02 17:12:06 +02:00 · 019f9b10ef
commit 019f9b10ef
parent e966e4e451
2 changed files with 19 additions and 11 deletions
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@ -89,9 +89,9 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
 /*
- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+ * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
 */
 static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)
@ -107,6 +107,11 @@ static inline int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
 	return 1;
 }
 static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 {
 	return x->cert_info->signature;
 }
 #if (!defined OPENSSL_NO_OCSP)
 static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
 {
@ -114,6 +119,13 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
 }
 #endif
 #endif
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
 /*
 * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
 */
 static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
 {
 	return ctx->default_passwd_callback;
@ -139,11 +151,6 @@ static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
 	return x->data;
 }
 static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 {
 	return x->cert_info->signature;
 }
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -46,6 +46,7 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/hmac.h>
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif
@ -1843,7 +1844,7 @@ ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_con
 #define SSL_MODE_SMALL_BUFFERS 0
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
@ -2055,7 +2056,7 @@ static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
 				goto abort;
 			}
 			cipher = SSL_get_cipher_by_value(cipher_suite);
-			if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
+			if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
 				has_ecdsa = 1;
 				break;
 			}
@ -3606,7 +3607,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 	conf_ssl_methods->min = min;
 	conf_ssl_methods->max = max;
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 	/* Keep force-xxx implementation as it is in older haproxy. It's a
 	   precautionary measure to avoid any suprise with older openssl version. */
 	if (min == max)
@ -4106,7 +4107,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 		cfgerr += 1;
 	}
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
 	/* Keep force-xxx implementation as it is in older haproxy. It's a
 	   precautionary measure to avoid any suprise with older openssl version. */
 	if (min == max)