BUILD: ssl: ssl_c_r_dn fetches uses functiosn only available since 1.1.1

Fix the openssl build with older openssl version by disabling the new ssl_c_r_dn fetch. This also disable the ssl_client_samples.vtc file for OpenSSL version older than 1.1.1
2023-05-15 12:05:55 +02:00 · 2023-05-15 12:05:55 +02:00 · 6e0c39d7ac
parent d38d8c6ccb
commit 6e0c39d7ac
4 changed files with 9 additions and 2 deletions
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@ -90,6 +90,7 @@

 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 #define HAVE_SSL_KEYLOG
+#define HAVE_SSL_get0_verified_chain
 #endif


--- a/reg-tests/ssl/ssl_client_samples.vtc
+++ b/reg-tests/ssl/ssl_client_samples.vtc
@ -1,8 +1,8 @@
 #REGTEST_TYPE=devel

 varnishtest "Test the ssl_c_* sample fetches"
-#REQUIRE_VERSION=2.2
-#REQUIRE_OPTIONS=OPENSSL
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.8-dev11)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && openssl_version_atleast(1.1.1)'"
 feature ignore_unknown_macro

 server s1 -repeat 3 {
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@ -541,6 +541,7 @@ smp_fetch_ssl_fc_has_crt(const struct arg *args, struct sample *smp, const char
 /* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of the
 * client certificate's root CA.
 */
+#ifdef HAVE_SSL_get0_verified_chain
 static int
 smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
@ -593,6 +594,7 @@ smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, v
 out:
 	return ret;
 }
+#endif

 /* binary, returns a certificate in a binary chunk (der/raw).
 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
@ -2198,7 +2200,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_c_key_alg",          smp_fetch_ssl_x_key_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_c_notafter",         smp_fetch_ssl_x_notafter,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_c_notbefore",        smp_fetch_ssl_x_notbefore,    0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
+#ifdef HAVE_SSL_get0_verified_chain
 	{ "ssl_c_r_dn",             smp_fetch_ssl_r_dn,           ARG3(0,STR,SINT,STR),val_dnfmt,    SMP_T_STR,  SMP_USE_L5CLI },
+#endif
 	{ "ssl_c_sig_alg",          smp_fetch_ssl_x_sig_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_c_s_dn",             smp_fetch_ssl_x_s_dn,         ARG3(0,STR,SINT,STR),val_dnfmt,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_c_serial",           smp_fetch_ssl_x_serial,       0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
--- a/src/ssl_utils.c
+++ b/src/ssl_utils.c
@ -324,6 +324,7 @@ X509* ssl_sock_get_peer_certificate(SSL *ssl)
 *
 * Returns NULL in case of failure.
 */
+#ifdef HAVE_SSL_get0_verified_chain
 X509* ssl_sock_get_verified_chain_root(SSL *ssl)
 {
 	STACK_OF(X509) *chain = NULL;
@ -343,6 +344,7 @@ X509* ssl_sock_get_verified_chain_root(SSL *ssl)

 	return crt;
 }
+#endif

 /*
 * Take an OpenSSL version in text format and return a numeric openssl version