MINOR: ssl: Remove call to SSL_CTX_set_tlsext_ticket_key_cb with OpenSSLv3
SSL_CTX_set_tlsext_ticket_key_cb was deprecated in OpenSSL 3 because it takes an HMAC_CTX pointer, which is deprecated as well. According to the OpenSSL 3 manpage it should be replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb, which takes an EVP_MAC_CTX pointer. This new callback was only introduced in OpenSSL 3, so we need to keep both calls in the code base and select between them depending on the OpenSSL version.
parent
3f269bb370
commit
8ea1f5f6cd
@ -24,6 +24,10 @@
|
||||
#include <openssl/async.h>
|
||||
#endif
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
|
||||
#include <openssl/core_names.h>
|
||||
#endif
|
||||
|
||||
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||
/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
|
||||
* systematically breaking when some code is written for a specific version
|
||||
@ -79,6 +83,14 @@
|
||||
#define HAVE_SSL_KEYLOG
|
||||
#endif
|
||||
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
|
||||
#define HAVE_OSSL_PARAM
|
||||
#define MAC_CTX EVP_MAC_CTX
|
||||
#else
|
||||
#define MAC_CTX HMAC_CTX
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
|
||||
/* Functions present in OpenSSL 0.9.8, older not tested */
|
||||
static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
|
||||
@ -298,6 +310,12 @@ static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
|
||||
#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB)
|
||||
#define SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_tlsext_ticket_key_cb
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
|
||||
#define __OPENSSL_110_CONST__ const
|
||||
#else
|
||||
|
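Review bot: `MAC_CTX` is an unprefixed, very generic macro name introduced into a compat header that every SSL-related file includes, so any future OpenSSL or LibreSSL header that happens to define its own `MAC_CTX` would silently redefine it; the neighbouring compat names carry a `HA_`/`HAVE_` prefix, and `HA_MAC_CTX` would fit that convention better. The same block defines `HAVE_OSSL_PARAM` without a visible user in these hunks, and the `core_names.h` include is guarded by `OPENSSL_VERSION_NUMBER` while the rest of the file tests `HA_OPENSSL_VERSION_NUMBER` — presumably because the HA_ macro is only defined further down, after the LibreSSL block, but that is worth stating. I would add above the `MAC_CTX` definitions: `/* OpenSSL 3 replaced the HMAC_CTX argument of the ticket key callback with an EVP_MAC_CTX; MAC_CTX names whichever type the installed version uses. */`, and above the `core_names.h` include: `/* plain OPENSSL_VERSION_NUMBER: HA_OPENSSL_VERSION_NUMBER is not defined yet at this point */`.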
@ -1051,7 +1051,8 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
|
||||
#endif
|
||||
|
||||
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
|
||||
static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
|
||||
|
||||
static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
|
||||
{
|
||||
struct tls_keys_ref *ref;
|
||||
union tls_sess_key *keys;
|
||||
@ -4596,7 +4597,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
|
||||
}
|
||||
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
|
||||
if(bind_conf->keys_ref) {
|
||||
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
|
||||
if (!SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_tlsext_ticket_key_cb)) {
|
||||
memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
|
||||
err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
||||
cfgerr |= ERR_ALERT | ERR_FATAL;
|
||||
|
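Review bot: The new `ssl_tlsext_ticket_key_cb` signature takes `MAC_CTX *hctx`, which is an `EVP_MAC_CTX` on OpenSSL 3 and an `HMAC_CTX` before, but nothing at the definition says so, and the body (which continues outside this hunk) is where the two MAC APIs must diverge: under the evp callback the context has to be set up through `EVP_MAC_init()` with the digest passed as an `OSSL_PARAM` rather than `HMAC_Init_ex()`, and a wrong digest there would make every ticket fail to validate at runtime rather than fail to build. I would add a comment above the definition: `/* hctx is an HMAC_CTX before OpenSSL 3 and an EVP_MAC_CTX from 3.0 on (see MAC_CTX in openssl-compat.h); the init calls in the body must follow the same split. */`. Note also that on pre-3.0 builds the `SSL_CTX_set_tlsext_ticket_key_evp_cb` call in `ssl_sock_prepare_ctx` is only an alias for the legacy setter supplied by the compat header, which the error message on failure does not hint at; `ssl_sock_prepare_ctx` starts and ends outside the hunk.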