CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp

Due to the support of different TLS/SSL libraries and its different versions,
sometimes we are forced to use different internal typedefs and callback
functions. We strive to avoid this, but time to time "#ifdef... #endif"
become inevitable.

In particular, in ssl_sock_load_ocsp() we define a 'callback' variable, which
will contain a function pointer to our OCSP stapling callback, assigned
further via SSL_CTX_set_tlsext_status_cb() to the intenal SSL context
struct in a linked crypto library.

If this linked crypto library is OpenSSL 1.x.x/3.x.x, for setting and
getting this callback we have the following API signatures
(see doc/man3/SSL_CTX_set_tlsext_status_cb.pod):

  long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));
  long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));

If we are using WolfSSL, same APIs expect tlsextStatusCb function prototype,
provided via the typedef below (see wolfssl/wolfssl/ssl.h):

  typedef int(*tlsextStatusCb)(WOLFSSL* ssl, void*);
  WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb);
  WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb);

It seems, that in OpenSSL < 1.0.0, there was no support for OCSP extention, so
no need to set this callback.

Let's avoid #ifndef... #endif for this 'callback' variable definition to keep
things clear. #ifndef... #endif are usually less readable, than
straightforward "#ifdef... #endif".
This commit is contained in:
Valentine Krasnobaeva 2024-05-28 11:01:11 +02:00 committed by William Lallemand
parent f9740230fc
commit fb7b46d267

View File

@ -1115,14 +1115,12 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
struct certificate_ocsp *ocsp = NULL, *iocsp;
char *warn = NULL;
unsigned char *p;
#ifndef USE_OPENSSL_WOLFSSL
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
int (*callback) (SSL *, void *);
#ifdef USE_OPENSSL_WOLFSSL
tlsextStatusCb callback;
#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
int (*callback) (SSL *, void *);
#else
void (*callback) (void);
#endif
#else
tlsextStatusCb callback;
#endif
struct buffer *ocsp_uri = get_trash_chunk();
char *err = NULL;