mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-24 04:11:02 +01:00
BUILD: make tune.ssl.keylog available again
Since commit 04a5a44 ("BUILD: ssl: use HAVE_OPENSSL_KEYLOG instead of
OpenSSL versions") the "tune.ssl.keylog" feature is broken because
HAVE_OPENSSL_KEYLOG does not exist.
Replace this by a HAVE_SSL_KEYLOG which is defined in openssl-compat.h.
Also add an error when not built with the right openssl version.
Must be backported as far as 2.3.
This commit is contained in:
William Lallemand
parent
871ef2ffbc
commit
722180aca8
@ -74,6 +74,10 @@
|
||||
#define HAVE_SSL_SCTL
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||
#define HAVE_SSL_KEYLOG
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
|
||||
/* Functions present in OpenSSL 0.9.8, older not tested */
|
||||
static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
|
||||
|
||||
@ -206,7 +206,7 @@ struct ssl_capture {
|
||||
char ciphersuite[VAR_ARRAY];
|
||||
};
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
#define SSL_KEYLOG_MAX_SECRET_SIZE 129
|
||||
|
||||
struct ssl_keylog {
|
||||
|
||||
@ -319,7 +319,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
|
||||
}
|
||||
|
||||
/* init the SSLKEYLOGFILE pool */
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
|
||||
const struct proxy *defpx, const char *file, int line,
|
||||
char **err)
|
||||
@ -354,6 +354,14 @@ static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *
|
||||
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
|
||||
const struct proxy *defpx, const char *file, int line,
|
||||
char **err)
|
||||
{
|
||||
memprintf(err, "'%s' requires at least OpenSSL 1.1.1.", args[0]);
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* parse "ssl.force-private-cache".
|
||||
@ -1878,9 +1886,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
|
||||
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
|
||||
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
|
||||
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
|
||||
#endif
|
||||
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
|
||||
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
|
||||
#if defined(SSL_CTX_set1_curves_list)
|
||||
|
||||
@ -1189,7 +1189,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
|
||||
}
|
||||
|
||||
/* Dump the SSL keylog, it only works with "tune.ssl.keylog 1" */
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn;
|
||||
@ -1520,7 +1520,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
|
||||
{ "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
{ "ssl_fc_client_early_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
|
||||
{ "ssl_fc_client_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
|
||||
{ "ssl_fc_server_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
|
||||
|
||||
@ -127,7 +127,7 @@ struct global_ssl global_ssl = {
|
||||
.capture_cipherlist = 0,
|
||||
.extra_files = SSL_GF_ALL,
|
||||
.extra_files_noext = 0,
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
.keylog = 0
|
||||
#endif
|
||||
};
|
||||
@ -437,7 +437,7 @@ struct pool_head *pool_head_ssl_capture __read_mostly = NULL;
|
||||
int ssl_capture_ptr_index = -1;
|
||||
int ssl_app_data_index = -1;
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
int ssl_keylog_index = -1;
|
||||
struct pool_head *pool_head_ssl_keylog __read_mostly = NULL;
|
||||
struct pool_head *pool_head_ssl_keylog_str __read_mostly = NULL;
|
||||
@ -513,7 +513,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
|
||||
int content_type, const void *buf, size_t len,
|
||||
SSL *ssl);
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
static void ssl_init_keylog(struct connection *conn, int write_p, int version,
|
||||
int content_type, const void *buf, size_t len,
|
||||
SSL *ssl);
|
||||
@ -558,7 +558,7 @@ static int ssl_sock_register_msg_callbacks(void)
|
||||
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
|
||||
return ERR_ABORT;
|
||||
}
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
if (global_ssl.keylog > 0) {
|
||||
if (!ssl_sock_register_msg_callback(ssl_init_keylog))
|
||||
return ERR_ABORT;
|
||||
@ -1737,7 +1737,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
|
||||
}
|
||||
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
static void ssl_init_keylog(struct connection *conn, int write_p, int version,
|
||||
int content_type, const void *buf, size_t len,
|
||||
SSL *ssl)
|
||||
@ -4147,7 +4147,7 @@ void ssl_set_shctx(SSL_CTX *ctx)
|
||||
* We only need to copy the secret as there is a sample fetch for the ClientRandom
|
||||
*/
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
void SSL_CTX_keylog(const SSL *ssl, const char *line)
|
||||
{
|
||||
struct ssl_keylog *keylog;
|
||||
@ -4383,7 +4383,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
|
||||
#ifdef SSL_CTRL_SET_MSG_CALLBACK
|
||||
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
|
||||
#endif
|
||||
|
||||
@ -7037,7 +7037,7 @@ static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *
|
||||
pool_free(pool_head_ssl_capture, ptr);
|
||||
}
|
||||
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
static void ssl_sock_keylog_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
|
||||
{
|
||||
struct ssl_keylog *keylog;
|
||||
@ -7104,7 +7104,7 @@ static void __ssl_sock_init(void)
|
||||
|
||||
ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
||||
ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func);
|
||||
#ifdef HAVE_OPENSSL_KEYLOG
|
||||
#ifdef HAVE_SSL_KEYLOG
|
||||
ssl_keylog_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_keylog_free_func);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user