Fix building haproxy-1.7.5 with LibreSSL

Posted by Bernard Spil
April 19, 2017 09:00PM

Hi,

haproxy 1.7.5 fails to build with LibreSSL 2.5.3.

Like OpenSSL, LibreSSL is making structs opaque. Direct access to the
members thus leads to build failures. This has been addressed by OpenBSD
for 1.6, see
cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/haproxy/patches/patch-src_ssl_sock_c.

In making the structs opaque, OpenSSL (and LibreSSL) must make sure they
provide getters and setters for struct members that should be
accessible. OpenSSL has done that in 1.1. Haproxy started
using/emulating some of these new methods used in 1.7.5 but the
implementation is not complete. This causes build failures with
LibreSSL.
The relevant commit in OpenSSL 1.1 is
https://github.com/openssl/openssl/commit/fddfc0afc84728f8a5140685163e66ce6471742d
The haproxy code adds the defines for the methods yet fails to also add
the defines for the constants SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB and
SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG.

The patch adds fixes for the 1.7 added methods as well as the OpenBSD
fixes.

- --- src/ssl_sock.c.orig 2017-04-03 08:28:32 UTC
+++ src/ssl_sock.c
@@ -794,8 +795,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
ocsp = NULL;

#ifndef SSL_CTX_get_tlsext_status_cb
- -# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
- - *cb = (void (*) (void))ctx->tlsext_status_cb;
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
+#endif
+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void
(**)(void))cb)
#endif
SSL_CTX_get_tlsext_status_cb(ctx, &callback);

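Review bot: the fallback macro at the top of this hunk assigns the return value of SSL_CTX_ctrl() to *cb, but with SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB the library already writes the callback through the pointer argument and returns a long status code, so the pointer just retrieved is immediately overwritten by that status, and the long-to-function-pointer assignment is an integer-to-pointer conversion compilers warn about. The removed lines assigned straight from the struct member, which explains why the `*cb =` survived, but the OpenSSL 1.1 macro in the commit linked above does not assign; drop the prefix: `#define SSL_CTX_get_tlsext_status_cb(ctx, cb) SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB, 0, (void (**)(void))cb)`. Also, hard-coding 128 as a fallback only helps when the linked library actually handles that control number; when it does not, SSL_CTX_ctrl() returns 0 and leaves `callback` untouched, so `callback` must be initialised to NULL before the call at the end of this hunk and the return value checked.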
@@ -823,7 +827,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
int key_type;
EVP_PKEY *pkey;

- -#ifdef SSL_CTX_get_tlsext_status_arg
+#if defined(SSL_CTX_get_tlsext_status_arg) ||
defined(LIBRESSL_VERSION_NUMBER)
+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
+#endif
SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
#else
cb_arg = ctx->tlsext_status_arg;
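Review bot: the guard `defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)` routes every LibreSSL build through SSL_CTX_ctrl() whether or not that LibreSSL version implements control 129; if it does not, the call returns 0 and `cb_arg` keeps whatever it held before. Check the return value, e.g. `if (!SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg)) cb_arg = NULL;`, and use the same criterion as the previous hunk for both accessors (either test for the library's own macro or define the fallback for every build) instead of a different rule for the callback and for its argument.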
@@ -3539,7 +3546,7 @@ int ssl_sock_handshake(struct connection
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) ==
SSL_ST_BEFORE;
#endif

if (empty_handshake) {
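Review bot: `SSL_state(...) == SSL_ST_BEFORE` is an exact comparison, but in the pre-1.1 API SSL_ST_BEFORE is a flag bit that the library combines with SSL_ST_ACCEPT or SSL_ST_CONNECT in the state word, so the equality can be false for a connection on which nothing has happened yet and `empty_handshake` would then be 0 exactly when it should be 1; use the mask test that the SSL_in_before() macro provides: `empty_handshake = SSL_in_before((SSL *)conn->xprt_ctx);`. Note also that this is a behavioural change, not only a compile fix: the removed `packet_length` test asked whether any record bytes had been received, while the state test asks whether the handshake state machine has advanced, so the error reporting that depends on `empty_handshake` should be re-checked against a client that connects and sends nothing.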
@@ -3617,7 +3624,7 @@ int ssl_sock_handshake(struct connection
state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
- - empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
#endif
if (empty_handshake) {
if (!errno) {
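Review bot: same concern as the previous hunk (exact comparison against SSL_ST_BEFORE instead of a mask test), and the two #if/#else blocks are now identical; factor them into one static helper, e.g. `static int ssl_sock_empty_handshake(SSL *ssl)`, so the version-specific test lives in one place and the next compatibility fix does not have to be applied twice.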