From 8d164dc5684a9ccf7afa4cf0ef0bbcad290c3222 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 10 May 2019 09:35:00 +0200
Subject: [PATCH] CLEANUP: ssl: never include openssl/*.h outside of openssl-compat.h anymore

Since we're providing a compatibility layer for multiple OpenSSL implementations and their derivatives, it is important that no C file directly includes openssl headers but only passes via openssl-compat instead. As a bonus this also gets rid of redundant complex rules for inclusion of certain files (engines etc).
---
 include/common/openssl-compat.h | 11 ++++++++++-
 include/proto/ssl_sock.h | 2 +-
 include/types/listener.h | 2 +-
 include/types/server.h | 2 +-
 include/types/ssl_sock.h | 1 -
 src/haproxy.c | 1 -
 src/ssl_sock.c | 23 +----------------------
 7 files changed, 14 insertions(+), 28 deletions(-)

diff --git a/include/common/openssl-compat.h b/include/common/openssl-compat.h
index 5ac3abaf8..0ceca0837 100644
--- a/include/common/openssl-compat.h
+++ b/include/common/openssl-compat.h
@@ -1,18 +1,27 @@
 #ifndef _COMMON_OPENSSL_COMPAT_H
 #define _COMMON_OPENSSL_COMPAT_H
+
+#include
 #include
 #include
 #include
 #include
-#include
 #include
 #include
+#include
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 #include
 #endif
 #ifndef OPENSSL_NO_DH
 #include
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
+#include
+#endif
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 9e27bfaee..f3d3ff8f5 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -21,7 +21,7 @@
 #ifndef _PROTO_SSL_SOCK_H
 #define _PROTO_SSL_SOCK_H
-#include
+#include
 #include
 #include
diff --git a/include/types/listener.h b/include/types/listener.h
index 7b4226f81..def48b0db 100644
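Review bot: The conditional includes added at the end of the include list in include/common/openssl-compat.h test `OPENSSL_NO_ENGINE`, `OPENSSL_VERSION_NUMBER` and `OPENSSL_NO_ASYNC`, which are presumably defined by the unconditional OpenSSL headers above them, and nothing in the file records that ordering requirement. An identifier that is not yet defined evaluates to 0 in `#if` without any diagnostic, so a later reordering would silently drop the async header instead of breaking the build. I would add a comment above the first conditional block, such as `/* keep below the unconditional includes: the tests below rely on OPENSSL_VERSION_NUMBER and the OPENSSL_NO_* macros they provide */`. The header names are not visible on this page, so which include supplies these macros should be confirmed; the rest of the header lies outside the hunk.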
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -26,7 +26,7 @@
 #include
 #ifdef USE_OPENSSL
-#include
+#include
 #include
 #endif
diff --git a/include/types/server.h b/include/types/server.h
index dfc753e77..2951cf68f 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -26,7 +26,7 @@
 #include
 #ifdef USE_OPENSSL
-#include
+#include
 #include
 #endif
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 3de01e961..45f89c9b8 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -22,7 +22,6 @@
 #ifndef _TYPES_SSL_SOCK_H
 #define _TYPES_SSL_SOCK_H
-#include
 #include
 #include
diff --git a/src/haproxy.c b/src/haproxy.c
index 8803e6ea7..e085ce2c2 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -128,7 +128,6 @@
 #ifdef USE_OPENSSL
 #include
 #include
-#include
 #endif
 /* array of init calls for older platforms */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f7247f7be..f8b248b33 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -23,6 +23,7 @@
 *
 */
+/* Note: do NOT include openssl/xxx.h here, do it in openssl-compat.h */
 #define _GNU_SOURCE
 #include
 #include
@@ -39,28 +40,6 @@
 #include
 #include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
-#include
-#endif
-#ifndef OPENSSL_NO_DH
-#include
-#endif
-#ifndef OPENSSL_NO_ENGINE
-#include
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
-#include
-#endif
-
 #include
 #include
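Review bot: The comment added at the top of src/ssl_sock.c (first hunk of that file) is the only place the new include rule is written down, although the commit message applies it to every C file; src/haproxy.c loses its direct include in this same patch without any such note. The rule would be better stated once at the top of include/common/openssl-compat.h, for example `/* This is the only file allowed to include openssl/xxx.h; every other file includes this header instead. */`. A later direct include elsewhere would presumably still compile and bypass the compatibility layer for that translation unit, so a simple build-time check for openssl includes outside that header is worth considering.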