From b32469435c88ea9715b5e101b12756dd7170929c Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 9 Jun 2021 16:46:12 +0200
Subject: [PATCH] BUILD: make tune.ssl.keylog available again

Since commit 04a5a44 ("BUILD: ssl: use HAVE_OPENSSL_KEYLOG instead of OpenSSL versions") the "tune.ssl.keylog" feature is broken because HAVE_OPENSSL_KEYLOG does not exist. Replace this by a HAVE_SSL_KEYLOG which is defined in openssl-compat.h. Also add an error when not built with the right openssl version. Must be backported as far as 2.3.

(cherry picked from commit 722180aca8757d8807b21cf125a2d68249be5bf8)
Signed-off-by: Christopher Faulet
(cherry picked from commit ca5cf0a196ef2e7d1a16ecaeda5f983551604a30)
Signed-off-by: Christopher Faulet
---
 include/haproxy/openssl-compat.h | 4 ++++
 include/haproxy/ssl_sock-t.h | 2 +-
 src/cfgparse-ssl.c | 12 +++++++++---
 src/ssl_sample.c | 4 ++--
 src/ssl_sock.c | 18 +++++++++---------
 5 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 78e7c70..f7f6080 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -59,6 +59,10 @@
 #define HAVE_SSL_SCTL
 #endif
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#define HAVE_SSL_KEYLOG
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 58faebe..2831280 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -226,7 +226,7 @@ struct ssl_capture {
 	char ciphersuite[VAR_ARRAY];
 };
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 #define SSL_KEYLOG_MAX_SECRET_SIZE 129
 
 struct ssl_keylog {
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index b309ef9..24ef092 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
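Review bot: The new `HAVE_SSL_KEYLOG` block in openssl-compat.h gates on a bare version number without saying which API it stands for, so a reader of the header cannot tell why 0x10101000L is the threshold. A one-line comment above the `#if`, `/* SSL_CTX_set_keylog_callback() exists since OpenSSL 1.1.1 */`, would document it; the `ssl_sock_prepare_ctx` hunk in ssl_sock.c is the caller that actually needs that function. If a library variant reports an HA_OPENSSL_VERSION_NUMBER above the threshold but lacks the callback, a feature check would be needed in addition to the version test; how HA_OPENSSL_VERSION_NUMBER is derived for non-OpenSSL libraries is not visible in this hunk.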
@@ -318,7 +318,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
 }
 
 /* init the SSLKEYLOGFILE pool */
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
                                    struct proxy *defpx, const char *file, int line,
                                    char **err)
@@ -353,6 +353,14 @@ static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *
 	return 0;
 }
 
+#else
+static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
+                                   const struct proxy *defpx, const char *file, int line,
+                                   char **err)
+{
+	memprintf(err, "'%s' requires at least OpenSSL 1.1.1.", args[0]);
+	return -1;
+}
 #endif
 
 /* parse "ssl.force-private-cache".
@@ -1872,9 +1880,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 	{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
 	{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
 	{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
-#ifdef HAVE_OPENSSL_KEYLOG
 	{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
-#endif
 	{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
 	{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
 #if defined(SSL_CTX_set1_curves_list)
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index a67743e..b2acbb8 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1189,7 +1189,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
 }
 
 /* Dump the SSL keylog, it only works with "tune.ssl.keylog 1" */
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
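Review bot: The `#else` stub added at @@ -353 declares `defpx` as `const struct proxy *`, while the `HAVE_SSL_KEYLOG` definition at @@ -318 declares it as `struct proxy *`; both are stored in the same `cfg_kws` slot at @@ -1872, so whichever of the two does not match the table's callback type is assigned through an incompatible function pointer, which GCC reports with -Wincompatible-pointer-types and newer GCC releases treat as an error. Since the existing parser is the one known to match this branch's table, the stub should copy its signature: `struct proxy *defpx, const char *file, int line,`. A short comment on the stub, `/* "tune.ssl.keylog" is now always registered; reject it when the keylog callback is unavailable */`, would also help, because the keyword's table entry is no longer conditional.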
@@ -1520,7 +1520,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
 #endif
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 	{ "ssl_fc_client_early_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 	{ "ssl_fc_client_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 	{ "ssl_fc_server_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1561ddc..77c6d93 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -130,7 +130,7 @@ struct global_ssl global_ssl = {
 	.capture_cipherlist = 0,
 	.extra_files = SSL_GF_ALL,
 	.extra_files_noext = 0,
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 	.keylog = 0
 #endif
 };
@@ -446,7 +446,7 @@ struct pool_head *pool_head_ssl_capture = NULL;
 int ssl_capture_ptr_index = -1;
 static int ssl_app_data_index = -1;
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 int ssl_keylog_index = -1;
 struct pool_head *pool_head_ssl_keylog = NULL;
 struct pool_head *pool_head_ssl_keylog_str = NULL;
@@ -522,7 +522,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
                                        int content_type, const void *buf, size_t len,
                                        SSL *ssl);
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_init_keylog(struct connection *conn, int write_p, int version,
                             int content_type, const void *buf, size_t len,
                             SSL *ssl);
@@ -567,7 +567,7 @@ static int ssl_sock_register_msg_callbacks(void)
 		if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
 			return ERR_ABORT;
 	}
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 	if (global_ssl.keylog > 0) {
 		if (!ssl_sock_register_msg_callback(ssl_init_keylog))
 			return ERR_ABORT;
@@ -1746,7 +1746,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 }
 
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_init_keylog(struct connection *conn, int write_p, int version,
                             int content_type, const void *buf, size_t len,
                             SSL *ssl)
@@ -3945,7 +3945,7 @@ void ssl_set_shctx(SSL_CTX *ctx)
  * We only need to copy the secret as there is a sample fetch for the ClientRandom
  */
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 void SSL_CTX_keylog(const SSL *ssl, const char *line)
 {
 	struct ssl_keylog *keylog;
@@ -4181,7 +4181,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 #ifdef SSL_CTRL_SET_MSG_CALLBACK
 	SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
 #endif
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 	SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
 #endif
 
@@ -6742,7 +6742,7 @@ static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *
 	pool_free(pool_head_ssl_capture, ptr);
 }
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 static void ssl_sock_keylog_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
 {
 	struct ssl_keylog *keylog;
@@ -6809,7 +6809,7 @@ static void __ssl_sock_init(void)
 	ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 	ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func);
 
-#ifdef HAVE_OPENSSL_KEYLOG
+#ifdef HAVE_SSL_KEYLOG
 	ssl_keylog_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_keylog_free_func);
 #endif
 #ifndef OPENSSL_NO_ENGINE
-- 
1.7.10.4