From e7db21693ff02da0466ae691f78d3f110cc7876d Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 19 Oct 2015 13:59:24 +0200
Subject: [PATCH] BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0 The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL 1.0.0. So for older version of OpenSSL, compiled with the SNI support, the HAProxy compilation fails with the following error: src/ssl_sock.c: In function 'ssl_sock_do_create_cert': src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid' if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0) [...] src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid' collect2: error: ld returned 1 exit status Makefile:760: recipe for target 'haproxy' failed make: *** [haproxy] Error 1 So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this function. It is used to get default signature digest associated to the private key used to sign generated X509 certificates. It is called when the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for most of cases.
---
 src/ssl_sock.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7616a7e58..3f66af1c5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1089,12 +1089,16 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial,
 else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC)
 digest = EVP_sha256();
 else {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
 int nid;
 if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
 goto mkcert_error;
 if (!(digest = EVP_get_digestbynid(nid)))
 goto mkcert_error;
+#else
+ goto mkcert_error;
+#endif
 }
 if (!(X509_sign(newcrt, capkey, digest)))
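Review bot: The new `#else` branch is a bare `goto mkcert_error;`, so on OpenSSL < 1.0.0 certificate generation fails for every CA key that is not one of the types handled by the earlier branches, and nothing at that line says the failure is deliberate. Failing closed is the right choice here, since guessing a hard-coded digest for an unknown key type could produce an unverifiable or weakly signed certificate, but it deserves a comment such as `/* OpenSSL < 1.0.0 cannot report the key's default digest: refuse to sign rather than guess one */`. On the `#if` side the digest is whatever `EVP_PKEY_get_default_digest_nid()` reports, with no minimum-strength check visible in the hunk; if weak defaults are a concern for unusual key types, that would be the place to reject them. The body of `ssl_sock_do_create_cert` starts and ends outside the hunk, so whether `mkcert_error` logs anything for the operator cannot be confirmed from here.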