From: Ilya Shipitsin
Date: Sun, 18 Oct 2020 04:11:50 +0000 (+0500)
Subject: BUG/MINOR: disable dynamic OCSP load with BoringSSL
X-Git-Tag: v2.1.10~22
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=3f8e7d01326e930f1851b532eaa2104ae38563b2;p=haproxy-2.1.git

BUG/MINOR: disable dynamic OCSP load with BoringSSL

it was accidentally enabled on BoringSSL while actually it is not supported

wla: Fix part of the issue mentioned in #895.
It fixes build of boringSSL versions prior to commit
https://boringssl.googlesource.com/boringssl/+/49e9f67d8b7cbeb3953b5548ad1009d15947a523

Could be backported in 2.2, 2.1, 2.0, 1.8. Where the patch fcb69d7
("BUILD: ssl: make BoringSSL use its own version numbers") is also
relevant.

Signed-off-by: William Lallemand
(cherry picked from commit b3201a3e077198b3f75ebe8661aa45589b811552)
Signed-off-by: William Lallemand
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index a40e8b6..0f57517 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1221,7 +1221,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) #endif -#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) +#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) /* @@ -3493,7 +3493,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an } #endif -#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) +#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) /* Load OCSP Info into context */ if (ckch->ocsp_response) { if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
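Review bot: The new guard in the hunk at line 1221 is the same three-term expression that the hunk at line 3493 repeats around the call to ssl_sock_load_ocsp(), so the two copies have to be edited in lockstep every time a library's support changes (the previous form of the condition was also duplicated, which is how both sites carried the same mistake). Define the condition once as a feature macro near the top of the file (a hypothetical name such as HAVE_SSL_OCSP_LOAD) and test that macro at both sites. The outer pair of parentheses in "((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)" is also redundant now that all terms are joined by &&. Finally, the commit message says this fixes the build for BoringSSL versions prior to a specific upstream commit, but the guard excludes every BoringSSL; a one-line comment above the #if stating that the exclusion is intentionally unconditional would keep a later reader from narrowing it to a version check.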
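Review bot: In the ssl_sock_put_ckch_into_ctx() hunk at line 3493, the "Load OCSP Info into context" block is now compiled out on BoringSSL with no #else branch, so if ckch->ocsp_response is populated on such a build it is dropped without any diagnostic and the operator has no indication that the response is not being stapled. Consider adding an #else that emits a warning naming the certificate path when ckch->ocsp_response is non-NULL, or document next to the guard that OCSP responses are ignored when built against BoringSSL. The visible lines do not show whether ckch->ocsp_response can be set on a BoringSSL build at all, so it is worth confirming that first.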