From fb7b46d267af0b21e59eaddaca13e64f9d19c4e4 Mon Sep 17 00:00:00 2001
From: Valentine Krasnobaeva
Date: Tue, 28 May 2024 11:01:11 +0200
Subject: [PATCH] CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
Due to the support of different TLS/SSL libraries and its different versions, sometimes we are forced to use different internal typedefs and callback functions. We strive to avoid this, but time to time "#ifdef... #endif" become inevitable. In particular, in ssl_sock_load_ocsp() we define a 'callback' variable, which will contain a function pointer to our OCSP stapling callback, assigned further via SSL_CTX_set_tlsext_status_cb() to the intenal SSL context struct in a linked crypto library. If this linked crypto library is OpenSSL 1.x.x/3.x.x, for setting and getting this callback we have the following API signatures (see doc/man3/SSL_CTX_set_tlsext_status_cb.pod): long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *)); long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *)); If we are using WolfSSL, same APIs expect tlsextStatusCb function prototype, provided via the typedef below (see wolfssl/wolfssl/ssl.h): typedef int(*tlsextStatusCb)(WOLFSSL* ssl, void*); WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb); WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb); It seems, that in OpenSSL < 1.0.0, there was no support for OCSP extention, so no need to set this callback. Let's avoid #ifndef... #endif for this 'callback' variable definition to keep things clear. #ifndef... #endif are usually less readable, than straightforward "#ifdef... #endif".
---
 src/ssl_sock.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b2d643c51..81affd1d3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1115,14 +1115,12 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
 	struct certificate_ocsp *ocsp = NULL, *iocsp;
 	char *warn = NULL;
 	unsigned char *p;
-#ifndef USE_OPENSSL_WOLFSSL
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-	int (*callback) (SSL *, void *);
+#ifdef USE_OPENSSL_WOLFSSL
+	tlsextStatusCb callback;
+#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+	int (*callback) (SSL *, void *);
 #else
 	void (*callback) (void);
-#endif
-#else
-	tlsextStatusCb callback;
 #endif
 	struct buffer *ocsp_uri = get_trash_chunk();
 	char *err = NULL;
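Review bot: The retained `#else` fallback `void (*callback) (void);` has a prototype that matches neither setter quoted in the description (`int (*)(SSL *, void *)` for OpenSSL, `tlsextStatusCb` for WolfSSL), so this declaration is only safe if every later use of `callback` in ssl_sock_load_ocsp is guarded by the same three-way condition; those uses are outside the hunk, so that is worth confirming rather than assumed. The description motivates the fallback with "OpenSSL < 1.0.0", but the guard in the hunk is `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L` (1.1.1), so the branch actually covers 1.0.x and 1.1.0 builds as well; a one-line comment above the `#ifdef` would make that explicit, e.g. `/* OCSP status callback type per TLS library: WolfSSL typedef, OpenSSL >= 1.1.1 prototype, else a placeholder for builds that never set the callback */`. The body of ssl_sock_load_ocsp continues beyond the hunk.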