- add haproxy-1.6.0-ssl-098.patch:

fix building on openssl 0.9.8 OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=120
2015-10-19 16:16:21 +00:00 · 2015-10-19 16:16:21 +00:00 · 4ee640c9c5
commit 4ee640c9c5
parent e8450b8cfb
3 changed files with 60 additions and 0 deletions
--- a/haproxy-1.6.0-ssl-098.patch
+++ b/haproxy-1.6.0-ssl-098.patch
@ -0,0 +1,52 @@
+From 76e79a8c8a98474f3caf701b75370f50729516b2 Mon Sep 17 00:00:00 2001
+From: Christopher Faulet <cfaulet@qualys.com>
+Date: Mon, 19 Oct 2015 13:59:24 +0200
+Subject: [PATCH 2/2] BUILD: ssl: fix build error introduced in commit 7969a3
+ with OpenSSL < 1.0.0
+
+The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL
+1.0.0. So for older version of OpenSSL, compiled with the SNI support, the
+HAProxy compilation fails with the following error:
+
+src/ssl_sock.c: In function 'ssl_sock_do_create_cert':
+src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid'
+   if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
+[...]
+src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid'
+collect2: error: ld returned 1 exit status
+Makefile:760: recipe for target 'haproxy' failed
+make: *** [haproxy] Error 1
+
+So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this
+function. It is used to get default signature digest associated to the private
+key used to sign generated X509 certificates. It is called when the private key
+differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for
+most of cases.
+---
+ src/ssl_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 35a3edf..7c82464 100644
+--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
+@@ -1091,12 +1091,16 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial,
+ 	else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC)
+ 		digest = EVP_sha256();
+ 	else {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+ 		int nid;
+ 
+ 		if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
+ 			goto mkcert_error;
+ 		if (!(digest = EVP_get_digestbynid(nid)))
+ 			goto mkcert_error;
+#else
+		goto mkcert_error;
+#endif
+ 	}
+ 
+ 	if (!(X509_sign(newcrt, capkey, digest)))
+-- 
+2.4.3
+
--- a/haproxy.changes
+++ b/haproxy.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 19 16:15:57 UTC 2015 - mrueckert@suse.de
+
+- add haproxy-1.6.0-ssl-098.patch:
+  fix building on openssl 0.9.8
+
 -------------------------------------------------------------------
 Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de

--- a/haproxy.spec
+++ b/haproxy.spec
@ -72,6 +72,7 @@ Patch1:         haproxy-1.6.0_config_haproxy_user.patch
 Patch2:         haproxy-1.6.0-makefile_lib.patch
 Patch3:         haproxy-1.6.0-sec-options.patch
 Patch4:         haproxy-1.6.0-ssl.crash.patch
+Patch5:         haproxy-1.6.0-ssl-098.patch
 #
 Source99:       haproxy-rpmlintrc
 #
@ -106,6 +107,7 @@ the most work done from every CPU cycle.
 %patch2
 %patch3
 %patch4 -p1
+%patch5 -p1

 %build
 %{__make} \