BUILD: quic: Fix build error when building QUIC against libressl.

The previous commit was not sufficient to completely fix the build issue
related to the TLS stack 0-RTT support. LibreSSL was the last TLS
stack to fail to compile, because of an undefined QUIC-specific function
for 0-RTT: SSL_set_quic_early_data_enabled().

To get rid of such compilation issues, define HA_OPENSSL_HAVE_0RTT_SUPPORT
only when building against TLS stack with 0-RTT support.

No need to backport.
Frederic Lecaille 2024-01-24 15:37:40 +01:00
parent 40f9902388
commit ab75d89e07
2 changed files with 8 additions and 5 deletions


@ -48,6 +48,11 @@
#include <haproxy/quic_openssl_compat.h>
#endif
/* At this time, wolfssl, libressl and the openssl QUIC compatibility do not support 0-RTT */
#if !defined(USE_QUIC_OPENSSL_COMPAT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_OPENSSL_WOLFSSL)
#define HA_OPENSSL_HAVE_0RTT_SUPPORT
#endif
#if defined(LIBRESSL_VERSION_NUMBER)
/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
* systematically breaking when some code is written for a specific version
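Review bot: HA_OPENSSL_HAVE_0RTT_SUPPORT is defined by exclusion, so every TLS stack not caught by the three `!defined(...)` tests is assumed to provide the QUIC 0-RTT API, and the comment above it does not say which API that is. A new stack or compatibility layer that lacks it would hit the same build failure until someone extends the list. I would make the comment state the contract, e.g. `/* Defined only when the TLS stack provides SSL_set_quic_early_data_enabled(); add any stack lacking it to the exclusions below. */`. The `#if defined(LIBRESSL_VERSION_NUMBER)` block that follows continues outside the hunk.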


@ -735,7 +735,7 @@ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl)
return ret;
}
#if !defined(USE_QUIC_OPENSSL_COMPAT) && !defined(USE_OPENSSL_WOLFSSL)
#ifdef HA_OPENSSL_HAVE_0RTT_SUPPORT
/* Enable early data for <ssl> QUIC TLS session.
* Return 1 if succeeded, 0 if not.
@ -770,7 +770,7 @@ static int qc_set_quic_early_data_enabled(struct quic_conn *qc, SSL *ssl)
return 1;
}
#endif // USE_QUIC_OPENSSL_COMPAT
#endif // HA_OPENSSL_HAVE_0RTT_SUPPORT
/* Allocate the ssl_sock_ctx from connection <qc>. This creates the tasklet
* used to process <qc> received packets. The allocated context is stored in
@ -807,12 +807,10 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc)
if (qc_is_listener(qc)) {
if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl) == -1)
goto err;
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
#if !defined(USE_QUIC_OPENSSL_COMPAT) && !defined(USE_OPENSSL_WOLFSSL)
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HA_OPENSSL_HAVE_0RTT_SUPPORT)
/* Enabling 0-RTT */
if (bc->ssl_conf.early_data && !qc_set_quic_early_data_enabled(qc, ctx->ssl))
goto err;
#endif
#endif
SSL_set_accept_state(ctx->ssl);
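Review bot: The definition of qc_set_quic_early_data_enabled() is now guarded by `#ifdef HA_OPENSSL_HAVE_0RTT_SUPPORT` alone, while its only visible call, in qc_alloc_ssl_sock_ctx(), also requires `HA_OPENSSL_VERSION_NUMBER >= 0x10101000L`. If a build can define the macro with an older version number, the static function is compiled but never called, which gives an unused-function warning (an error under -Werror). Using the same condition in both places, `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HA_OPENSSL_HAVE_0RTT_SUPPORT)`, or dropping the version test at the call site if it is redundant, keeps the two in step. Separately, when the macro is undefined a configured `bc->ssl_conf.early_data` is compiled out here with no diagnostic in these lines; that fails safe, since no replayable early data is accepted, but it is worth confirming the operator is warned elsewhere. Both function bodies continue outside the hunks.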