diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 2eb344dfa..2676fcd18 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -157,7 +157,7 @@ static struct { char *listen_default_ciphers; char *connect_default_ciphers; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) char *listen_default_ciphersuites; char *connect_default_ciphersuites; #endif @@ -179,7 +179,7 @@ static struct { #ifdef CONNECT_DEFAULT_CIPHERS .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) #ifdef LISTEN_DEFAULT_CIPHERSUITES .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES, #endif @@ -3667,7 +3667,7 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf) conf->crl_file = NULL; free(conf->ciphers); conf->ciphers = NULL; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) free(conf->ciphersuites); conf->ciphersuites = NULL; #endif @@ -4214,7 +4214,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ int verify = SSL_VERIFY_NONE; struct ssl_bind_conf __maybe_unused *ssl_conf_cur; const char *conf_ciphers; -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) const char *conf_ciphersuites; #endif const char *conf_curves = NULL; @@ -4316,7 +4316,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ cfgerr++; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; if (conf_ciphersuites && !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) { 
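Review bot: With `!defined OPENSSL_IS_BORINGSSL` dropped from the guard in the `@@ -157` hunk, and identically in every other `0x10101000L` hunk of this patch down to `__ssl_sock_init`, whether a BoringSSL build compiles the `ciphersuites` fields, keywords and the `SSL_CTX_set_ciphersuites()` calls at `@@ -4316` and `@@ -4810` now depends only on the value HA_OPENSSL_VERSION_NUMBER takes for that library, which the patch does not show. If that value is at or above 0x10101000L, the build starts calling an API the old guard kept away from BoringSSL; if it is below, behaviour is unchanged but the reason is no longer readable at the guard. I would test the capability rather than the version, for example a compat macro used as `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES` (name proposed here), or at least put `/* TLS 1.3 ciphersuites API: BoringSSL is in or out depending on the HA_OPENSSL_VERSION_NUMBER assigned to it */` above the first guard. Most of the guarded functions begin or end outside their hunks.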
@@ -4810,7 +4810,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) cfgerr++; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (srv->ssl_ctx.ciphersuites && !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) { ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n", @@ -7194,7 +7194,7 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch #endif -#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL) +#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L static int smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private) { @@ -7555,7 +7555,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err); } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) /* parse the "ciphersuites" bind keyword */ static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err) { @@ -7965,7 +7965,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers) conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites) conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites); #endif 
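Review bot: Removing `|| defined(OPENSSL_IS_BORINGSSL)` in the `@@ -7194` hunk works in the opposite direction to the ciphersuites guards: `smp_fetch_ssl_fc_session_key` used to be built for every BoringSSL build and is now built only when HA_OPENSSL_VERSION_NUMBER is at least 0x10100000L. The keyword-table hunks at `@@ -9394` and `@@ -9443` carry the same guard. If the number assigned to BoringSSL is lower, `ssl_fc_session_key` and `ssl_bc_session_key` are no longer registered and configurations that use them will stop loading, so the assumed value should be stated next to the guard, e.g. `/* BoringSSL is covered through the HA_OPENSSL_VERSION_NUMBER it is assigned */`. The function body lies outside the hunk.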
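Review bot: The result of `strdup()` in `conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);` in the `@@ -7965` hunk is never checked, and the same pattern sits in the context of `@@ -8328`, `@@ -8511` and `@@ -9716`. The lines predate this commit, but the guard change decides which builds compile them. On allocation failure the field stays NULL, so as far as these hunks show the configured default TLS 1.3 suite list would be dropped without any error and the library's own defaults would apply. In the keyword parsers I would fail instead, along the lines of `if (!conf->ssl_conf.ciphersuites) return ERR_ALERT | ERR_FATAL;` with a message set through the parser's error argument, assuming `bind_parse_ssl` takes one like the other parsers shown here. The enclosing functions start and end outside the hunks.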
@@ -8328,7 +8328,7 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru newsrv->check.use_ssl = 1; if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); #endif @@ -8355,7 +8355,7 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) /* parse the "ciphersuites" server keyword */ static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -8511,7 +8511,7 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser newsrv->use_ssl = 1; if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); #endif @@ -8754,7 +8754,7 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy return 0; } -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) /* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords * in global section. Returns <0 on alert, >0 on warning, 0 on success. */ 
@@ -9394,7 +9394,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { #if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL { "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV }, #endif -#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL) +#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L { "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV }, #endif { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI }, @@ -9443,7 +9443,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { #if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL { "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI }, #endif -#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL) +#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L { "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI }, #endif #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME @@ -9481,7 +9481,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = { { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */ { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */ { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ #endif { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ 
@@ -9505,7 +9505,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, { { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */ { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */ { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ #endif { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ @@ -9555,7 +9555,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */ { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */ { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */ -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */ #endif { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */ @@ -9616,7 +9616,7 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites }, { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites }, #endif 
@@ -9716,7 +9716,7 @@ static void __ssl_sock_init(void) global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers); if (global_ssl.connect_default_ciphers) global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) if (global_ssl.listen_default_ciphersuites) global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites); if (global_ssl.connect_default_ciphersuites)