From 6e0c39d7ac3282bc255f742da36402434af0db77 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 15 May 2023 12:05:55 +0200
Subject: [PATCH] BUILD: ssl: ssl_c_r_dn fetches uses functiosn only available since 1.1.1

Fix the openssl build with older openssl version by disabling the new ssl_c_r_dn fetch.
This also disable the ssl_client_samples.vtc file for OpenSSL version older than 1.1.1
---
 include/haproxy/openssl-compat.h | 1 +
 reg-tests/ssl/ssl_client_samples.vtc | 4 ++--
 src/ssl_sample.c | 4 ++++
 src/ssl_utils.c | 2 ++
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index b857e108c..6a8a62a03 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -90,6 +90,7 @@
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 #define HAVE_SSL_KEYLOG
+#define HAVE_SSL_get0_verified_chain
 #endif
diff --git a/reg-tests/ssl/ssl_client_samples.vtc b/reg-tests/ssl/ssl_client_samples.vtc
index 62956f1f7..5a84e4b25 100644
--- a/reg-tests/ssl/ssl_client_samples.vtc
+++ b/reg-tests/ssl/ssl_client_samples.vtc
@@ -1,8 +1,8 @@
 #REGTEST_TYPE=devel
 varnishtest "Test the ssl_c_* sample fetches"
-#REQUIRE_VERSION=2.2
-#REQUIRE_OPTIONS=OPENSSL
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.8-dev11)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && openssl_version_atleast(1.1.1)'"
 feature ignore_unknown_macro
 server s1 -repeat 3 {
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 582b7134c..5aec97fef 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -541,6 +541,7 @@ smp_fetch_ssl_fc_has_crt(const struct arg *args, struct sample *smp, const char
 /* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of the
 * client certificate's root CA.
 */
+#ifdef HAVE_SSL_get0_verified_chain
 static int
 smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
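Review bot: The new `HAVE_SSL_get0_verified_chain` define carries no hint of which API it stands for or what it gates, so the next reader has to grep for it; a comment on the line above it such as `/* SSL_get0_verified_chain() appeared in OpenSSL 1.1.1; gates ssl_c_r_dn and ssl_sock_get_verified_chain_root() */` would make the feature test self-describing. The test keys only on HA_OPENSSL_VERSION_NUMBER; if that number is synthesised for non-OpenSSL libraries elsewhere in this compat header (not visible in the hunk), it is worth confirming each of them actually exports SSL_get0_verified_chain() at that level rather than relying on the version number alone.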
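Review bot: Once the `#ifdef HAVE_SSL_get0_verified_chain` guard is in place, a build on an older OpenSSL drops ssl_c_r_dn from the keyword table entirely (the matching guard is in the hunk at line 2198), so a configuration using it is rejected as an unknown sample fetch with no indication that an OpenSSL older than 1.1.1 is the cause. A comment on the guard would at least record that for the maintainer, e.g. `#ifdef HAVE_SSL_get0_verified_chain /* ssl_c_r_dn needs SSL_get0_verified_chain(), OpenSSL >= 1.1.1 */`. If the keyword is described in the configuration manual, the same requirement belongs there, since this commit does not touch the documentation. smp_fetch_ssl_r_dn's body continues past the end of this hunk.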
@@ -593,6 +594,7 @@ smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, v
 out:
 return ret;
 }
+#endif
 /* binary, returns a certificate in a binary chunk (der/raw).
 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
@@ -2198,7 +2200,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 { "ssl_c_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_c_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_c_notbefore", smp_fetch_ssl_x_notbefore, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
+#ifdef HAVE_SSL_get0_verified_chain
 { "ssl_c_r_dn", smp_fetch_ssl_r_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
+#endif
 { "ssl_c_sig_alg", smp_fetch_ssl_x_sig_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_c_s_dn", smp_fetch_ssl_x_s_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_c_serial", smp_fetch_ssl_x_serial, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
diff --git a/src/ssl_utils.c b/src/ssl_utils.c
index 03d43410a..4a85b8918 100644
--- a/src/ssl_utils.c
+++ b/src/ssl_utils.c
@@ -324,6 +324,7 @@ X509* ssl_sock_get_peer_certificate(SSL *ssl)
 *
 * Returns NULL in case of failure.
 */
+#ifdef HAVE_SSL_get0_verified_chain
 X509* ssl_sock_get_verified_chain_root(SSL *ssl)
 {
 STACK_OF(X509) *chain = NULL;
@@ -343,6 +344,7 @@ X509* ssl_sock_get_verified_chain_root(SSL *ssl)
 return crt;
 }
+#endif
 /*
 * Take an OpenSSL version in text format and return a numeric openssl version
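Review bot: The `#endif` added after smp_fetch_ssl_r_dn's closing brace sits roughly fifty lines below its `#ifdef`, and the `#endif` in the src/ssl_utils.c hunk at line 343 is in the same situation; both should name their condition, `#endif /* HAVE_SSL_get0_verified_chain */`, so the pairing can be checked without scrolling back. The two-line guard around the ssl_c_r_dn table entry in the hunk at line 2198 is short enough to leave as is.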
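Review bot: The `#ifdef HAVE_SSL_get0_verified_chain` is inserted between ssl_sock_get_verified_chain_root's doc comment and its definition, so the comment that ends with `Returns NULL in case of failure.` is now separated from the function it describes and says nothing about the function being conditional. Either move the guard above the comment block or add a sentence to the comment such as `Only compiled when SSL_get0_verified_chain() is available (HAVE_SSL_get0_verified_chain).`. The prototype presumably lives in a header this patch does not touch; if it stays unconditional, a caller built without the macro fails only at link time, which is worth a quick check. The function body continues past the end of this hunk.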