Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 8ea1f5f6cd4fda36748dd5b7178957c0779e9a58^! / .
commit8ea1f5f6cd4fda36748dd5b7178957c0779e9a58[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Tue Feb 08 17:45:58 2022 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Feb 09 12:11:31 2022 +0100
tree0250ce78c5d7cd6cb4528974f6001f426516644a
parent3f269bb3709c3c4bc83c35bd1719a6bbea6506e5 [diff]
MINOR: ssl: Remove call to SSL_CTX_set_tlsext_ticket_key_cb with OpenSSLv3

SSL_CTX_set_tlsext_ticket_key_cb was deprecated on OpenSSLv3 because it
uses an HMAC_pointer which is deprecated as well. According to the v3's
manpage it should be replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb
which uses a EVP_MAC_CTX pointer.
This new callback was introduced in OpenSSLv3 so we need to keep the two
calls in the source base and to split the usage depending on the OpenSSL
version.

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index d34a22e..10a4fa6 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h

@@ -24,6 +24,10 @@
 #include <openssl/async.h>
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#include <openssl/core_names.h>
+#endif
+
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
  * systematically breaking when some code is written for a specific version
@@ -79,6 +83,14 @@
 #define HAVE_SSL_KEYLOG
 #endif
 
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#define HAVE_OSSL_PARAM
+#define MAC_CTX EVP_MAC_CTX
+#else
+#define MAC_CTX HMAC_CTX
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
@@ -298,6 +310,12 @@
 }
 #endif
 
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
+#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB)
+#define SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_tlsext_ticket_key_cb
+#endif
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
 #define __OPENSSL_110_CONST__ const
 #else

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1bfb186..815a34c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -1051,7 +1051,8 @@
 #endif
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
-static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
+
+static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
 {
 	struct tls_keys_ref *ref;
 	union tls_sess_key *keys;
@@ -4596,7 +4597,7 @@
 	}
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 	if(bind_conf->keys_ref) {
-		if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
+		if (!SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_tlsext_ticket_key_cb)) {
 			memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
 			          err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
 			cfgerr |= ERR_ALERT | ERR_FATAL;