BUILD: make tune.ssl.keylog available again

Since commit 04a5a44 ("BUILD: ssl: use HAVE_OPENSSL_KEYLOG instead of
OpenSSL versions") the "tune.ssl.keylog" feature is broken because
HAVE_OPENSSL_KEYLOG does not exist.

Replace this by a HAVE_SSL_KEYLOG which is defined in openssl-compat.h.
Also add an error when not built with the right openssl version.

Must be backported as far as 2.3.

(cherry picked from commit 722180aca8757d8807b21cf125a2d68249be5bf8)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit ca5cf0a196ef2e7d1a16ecaeda5f983551604a30)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 78e7c70..f7f6080 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -59,6 +59,10 @@
 #define HAVE_SSL_SCTL
 #endif
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#define HAVE_SSL_KEYLOG
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)

diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 58faebe..2831280 100644 (file)
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -226,7 +226,7 @@ struct ssl_capture {
        char ciphersuite[VAR_ARRAY];
 };
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 #define SSL_KEYLOG_MAX_SECRET_SIZE 129
 
 struct ssl_keylog {

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index b309ef9..24ef092 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -318,7 +318,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
 }
 
 /* init the SSLKEYLOGFILE pool */
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
                                        struct proxy *defpx, const char *file, int line,
                                        char **err)
@@ -353,6 +353,14 @@ static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *
 
        return 0;
 }
+#else
+static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
+                                       const struct proxy *defpx, const char *file, int line,
+                                       char **err)
+{
+       memprintf(err, "'%s' requires at least OpenSSL 1.1.1.", args[0]);
+       return -1;
+}
 #endif
 
 /* parse "ssl.force-private-cache".
@@ -1872,9 +1880,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
        { CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
        { CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
        { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
-#ifdef HAVE_OPENSSL_KEYLOG
        { CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
-#endif
        { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
        { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
 #if defined(SSL_CTX_set1_curves_list)

diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index a67743e..b2acbb8 100644 (file)
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1189,7 +1189,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
 }
 
 /* Dump the SSL keylog, it only works with "tune.ssl.keylog 1" */
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
        struct connection *conn;
@@ -1520,7 +1520,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
        { "ssl_fc_session_key",     smp_fetch_ssl_fc_session_key, 0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
 #endif
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
        { "ssl_fc_client_early_traffic_secret",     smp_fetch_ssl_x_keylog,       0,   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_fc_client_handshake_traffic_secret", smp_fetch_ssl_x_keylog,       0,   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_fc_server_handshake_traffic_secret", smp_fetch_ssl_x_keylog,       0,   NULL,    SMP_T_STR,  SMP_USE_L5CLI },

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1561ddc..77c6d93 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -130,7 +130,7 @@ struct global_ssl global_ssl = {
        .capture_cipherlist = 0,
        .extra_files = SSL_GF_ALL,
        .extra_files_noext = 0,
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
        .keylog = 0
 #endif
 };
@@ -446,7 +446,7 @@ struct pool_head *pool_head_ssl_capture = NULL;
 int ssl_capture_ptr_index = -1;
 static int ssl_app_data_index = -1;
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 int ssl_keylog_index = -1;
 struct pool_head *pool_head_ssl_keylog = NULL;
 struct pool_head *pool_head_ssl_keylog_str = NULL;
@@ -522,7 +522,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
                                        int content_type, const void *buf, size_t len,
                                        SSL *ssl);
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_init_keylog(struct connection *conn, int write_p, int version,
                             int content_type, const void *buf, size_t len,
                             SSL *ssl);
@@ -567,7 +567,7 @@ static int ssl_sock_register_msg_callbacks(void)
                if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
                        return ERR_ABORT;
        }
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
        if (global_ssl.keylog > 0) {
                if (!ssl_sock_register_msg_callback(ssl_init_keylog))
                        return ERR_ABORT;
@@ -1746,7 +1746,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 }
 
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_init_keylog(struct connection *conn, int write_p, int version,
                             int content_type, const void *buf, size_t len,
                             SSL *ssl)
@@ -3945,7 +3945,7 @@ void ssl_set_shctx(SSL_CTX *ctx)
  * We only need to copy the secret as there is a sample fetch for the ClientRandom
  */
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 void SSL_CTX_keylog(const SSL *ssl, const char *line)
 {
        struct ssl_keylog *keylog;
@@ -4181,7 +4181,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 #ifdef SSL_CTRL_SET_MSG_CALLBACK
        SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
 #endif
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
        SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
 #endif
 
@@ -6742,7 +6742,7 @@ static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *
        pool_free(pool_head_ssl_capture, ptr);
 }
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_sock_keylog_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
 {
        struct ssl_keylog *keylog;
@@ -6809,7 +6809,7 @@ static void __ssl_sock_init(void)
 
        ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
        ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func);
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
        ssl_keylog_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_keylog_free_func);
 #endif
 #ifndef OPENSSL_NO_ENGINE