Something has changed: the build is passing now, but the reg-tests fail (they used to work earlier).
I'd apply those patches (and we will fix reg-tests later) вс, 5 мая 2019 г. в 15:51, Willy Tarreau <w...@1wt.eu>: > On Sun, May 05, 2019 at 02:26:11PM +0500, ???? ??????? wrote: > > can we also apply patch from > > https://www.mail-archive.com/haproxy@formilux.org/msg33439.html ? > > it should repair libressl builds > > Ah indeed I remember having noticed this one and postponed it because it > needed to be edited to have a commit message and I didn't have the time > to study it further. Could you please provide a commit message indicating > what problem it fixes, how/when this problem manifests itself and how the > patch fixes it ? > > Thanks! > willy >
From f59ae0892b1ec660ec62e1284048b004d6bc995a Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sun, 5 May 2019 23:27:54 +0500
Subject: [PATCH 3/3] BUILD: enable several LibreSSL hacks, including SSL_SESSION_get0_id_context is introduced in LibreSSL-2.7.0 async operations are not supported by LibreSSL early data is not supported by LibreSSL packet_length is removed from SSL struct in LibreSSL
---
 include/proto/openssl-compat.h | 4 ++--
 include/proto/ssl_sock.h | 2 +-
 src/cli.c | 2 +-
 src/ssl_sock.c | 44 +++++++++++++++++-----------------
 4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ffee2e40..ed5c1ba3 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -89,9 +89,9 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL))
 /*
- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+ * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0
 */
 static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index ce52fb74..586ebb90 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
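Review bot: The new comment `* Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0` in the openssl-compat.h hunk reads as a statement of where the functions exist, while the block it heads is the fallback that is compiled only when they are missing, which the guard just above now spells out as OpenSSL < 1.1.0 or LibreSSL < 2.7.0. A wording that matches the guard would be `* Compatibility shims for functions introduced in OpenSSL 1.1.0 and LibreSSL 2.7.0 (compiled only for older libraries)`. The `#if` block and the SSL_SESSION_get0_id_context body continue past the end of the hunk.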
@@ -85,7 +85,7 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_co
 int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
 unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 void ssl_async_fd_handler(int fd);
 void ssl_async_fd_free(int fd);
 #endif
diff --git a/src/cli.c b/src/cli.c
index 88fbae33..e91e33b3 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx)
 (fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
 (fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
 #ifdef USE_OPENSSL
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
 (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
 #endif
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f2d80e8c..e11ddb53 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -57,7 +57,7 @@
 #include <openssl/engine.h>
 #endif
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/async.h>
 #endif
@@ -575,7 +575,7 @@ fail_get:
 }
 #endif
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /*
 * openssl async fd handler
 */
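Review bot: The async condition `(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)` is now repeated verbatim in ssl_sock.h, cli.c and every async hunk of ssl_sock.c (-57, -575, -4029, -4817, -5427, -5511, -5589, -5750, -5762, -5912, -5927, -5955, -8765), and the early-data variant is spelled both `!defined(LIBRESSL_VERSION_NUMBER)` and `!defined (LIBRESSL_VERSION_NUMBER)` (-5370, -5839, -5860). Because LibreSSL advertises an OPENSSL_VERSION_NUMBER that satisfies every `>= 0x1010...` test, each site has to remember the extra exclusion independently, and one forgotten site compiles a code path against an API the library does not provide. A single feature macro next to the other shims in include/proto/openssl-compat.h, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)` / `#define HAVE_SSL_ASYNC 1` / `#endif` (name illustrative), with the sites reduced to `#ifdef HAVE_SSL_ASYNC`, would keep the rule in one place; the same treatment fits the early-data checks. The enclosing functions of the ssl_sock.c hunks all start and end outside the hunks.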
@@ -2297,7 +2297,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 SSL_set_SSL_CTX(ssl, ctx);
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
 static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 {
@@ -4029,7 +4029,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 SSL_CTX_set_options(ctx, options);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 if (global_ssl.async)
 mode |= SSL_MODE_ASYNC;
 #endif
@@ -4041,7 +4041,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 #ifdef OPENSSL_IS_BORINGSSL
 SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 if (bind_conf->ssl_conf.early_data) {
 SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
 SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
@@ -4817,7 +4817,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 options |= SSL_OP_NO_TICKET;
 SSL_CTX_set_options(ctx, options);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 if (global_ssl.async)
 mode |= SSL_MODE_ASYNC;
 #endif
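Review bot: The `#elif` at -4041 now compiles the whole early-data setup (`SSL_OP_NO_ANTI_REPLAY`, `SSL_CTX_set_max_early_data`) out on LibreSSL, but nothing in the hunk shows what becomes of a configuration that sets `bind_conf->ssl_conf.early_data` on such a build; unless the keyword parser that sets it is guarded by the same condition (not visible here), the setting turns into a silent no-op instead of a configuration error. It is worth checking that the parser rejects or warns under `defined(LIBRESSL_VERSION_NUMBER)`, the way `ssl_parse_global_ssl_async` at -8765 presumably does for async in its `#else` branch. The -2297 guard on `ssl_sock_switchctx_err_cbk` and the use site at -4041 must stay in lock-step for the same reason. `ssl_sock_initial_ctx` and `ssl_sock_prepare_srv_ctx` begin and end outside these hunks.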
@@ -5370,7 +5370,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 if (!conn->xprt_ctx)
 goto out_error;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER)
 /*
 * Check if we have early data. If we do, we have to read them
 * before SSL_do_handshake() is called, And there's no way to
@@ -5427,7 +5427,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 fd_cant_recv(conn->handle.fd);
 return 0;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 else if (ret == SSL_ERROR_WANT_ASYNC) {
 ssl_async_process_fds(conn, ctx->ssl);
 return 0;
@@ -5446,7 +5446,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl);
 empty_handshake = state == TLS_ST_BEFORE;
 #else
- empty_handshake = !ctx->ssl->packet_length;
+ empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE;
 #endif
 if (empty_handshake) {
 if (!errno) {
@@ -5511,7 +5511,7 @@ check_error:
 fd_cant_recv(conn->handle.fd);
 return 0;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 else if (ret == SSL_ERROR_WANT_ASYNC) {
 ssl_async_process_fds(conn, ctx->ssl);
 return 0;
@@ -5530,7 +5530,7 @@ check_error:
 OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl);
 empty_handshake = state == TLS_ST_BEFORE;
 #else
- empty_handshake = !ctx->ssl->packet_length;
+ empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE;
 #endif
 if (empty_handshake) {
 if (!errno) {
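Review bot: In the `#else` branch at -5446 (and again at -5530), `SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE` does not test the same thing as the `!ctx->ssl->packet_length` it replaces: the old expression meant "no bytes of a record were received", the new one means "the handshake state machine has not started", and the result feeds the error classification under `if (empty_handshake)`. If I remember the pre-1.1.0 OpenSSL state encoding correctly, a fresh SSL object holds SSL_ST_BEFORE ORed with SSL_ST_ACCEPT or SSL_ST_CONNECT, so an exact comparison against SSL_ST_BEFORE would be false even on a connection that never sent a byte and `empty_handshake` would never be set on those builds; this should be verified against the headers of the oldest OpenSSL and LibreSSL the project supports. `SSL_in_before()` is the accessor provided for exactly this test on both libraries, so `empty_handshake = SSL_in_before(ctx->ssl);` would be the safer spelling at both sites. `ssl_sock_handshake` begins and ends outside these hunks.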
@@ -5570,7 +5570,7 @@ check_error:
 goto out_error;
 }
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 else {
 /*
 * If the server refused the early data, we have to send a
@@ -5589,7 +5589,7 @@ check_error:
 reneg_ok:
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /* ASYNC engine API doesn't support moving read/write
 * buffers. So we disable ASYNC mode right after
 * the handshake to avoid buffer oveflows.
@@ -5698,7 +5698,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 continue;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 if (conn->flags & CO_FL_EARLY_SSL_HS) {
 size_t read_length;
@@ -5750,7 +5750,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 /* handshake is running, and it needs to enable write */
 conn->flags |= CO_FL_SSL_WAIT_HS;
 __conn_sock_want_send(conn);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /* Async mode can be re-enabled, because we're leaving data state.*/
 if (global_ssl.async)
 SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@@ -5762,7 +5762,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 /* handshake is running, and it may need to re-enable read */
 conn->flags |= CO_FL_SSL_WAIT_HS;
 __conn_sock_want_recv(conn);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /* Async mode can be re-enabled, because we're leaving data state.*/
 if (global_ssl.async)
 SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@@ -5839,7 +5839,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 * in which case we accept to do it once again.
 */
 while (count) {
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
 size_t written_data;
 #endif
@@ -5860,7 +5860,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
 if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
 unsigned int max_early;
@@ -5912,7 +5912,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 /* handshake is running, and it may need to re-enable write */
 conn->flags |= CO_FL_SSL_WAIT_HS;
 __conn_sock_want_send(conn);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /* Async mode can be re-enabled, because we're leaving data state.*/
 if (global_ssl.async)
 SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@@ -5927,7 +5927,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 /* handshake is running, and it needs to enable read */
 conn->flags |= CO_FL_SSL_WAIT_HS;
 __conn_sock_want_recv(conn);
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /* Async mode can be re-enabled, because we're leaving data state.*/
 if (global_ssl.async)
 SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@@ -5955,7 +5955,7 @@ static void ssl_sock_close(struct connection *conn, void *xprt_ctx)
 {
 struct ssl_sock_ctx *ctx = xprt_ctx;
 if (ctx) {
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 if (global_ssl.async) {
 OSSL_ASYNC_FD all_fd[32], afd;
 size_t num_all_fds = 0;
@@ -8765,7 +8765,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
 struct proxy *defpx, const char *file, int line,
 char **err)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 global_ssl.async = 1;
 global.ssl_used_async_engines = nb_engines;
 return 0;
--
2.21.0
From 6bda152d794850d597f68c20338ce9d4f698965e Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sun, 5 May 2019 17:43:37 +0500
Subject: [PATCH 2/3] BUILD: travis-ci: get back to osx without openssl support there's some issue with socket path, after it is resolved, we will enable openssl for osx
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 4dd7e9aa..159e0d05 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -44,7 +44,7 @@ matrix:
 env: TARGET=linux2628 FLAGS=
 - os: osx
 compiler: clang
- env: TARGET=generic FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1b
+ env: TARGET=generic FLAGS=
 install:
 - git clone https://github.com/VTest/VTest.git ../vtest
--
2.21.0
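Review bot: Replacing `FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1b` with `FLAGS=` removes the only TLS-enabled build from the osx matrix entry, so the macOS job no longer compiles or exercises any of the ssl_sock.c code, and the commit message is the only record of why. A comment on the new line in .travis.yml, e.g. `# TODO: restore USE_OPENSSL=1 once the socket path issue on osx is resolved`, keeps that intent visible in the file itself so the coverage gap is not forgotten. The commit message's "there's some issue with socket path" would also be easier to act on with a pointer to the failing test or a tracking reference.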
From 115f35ebb7e641a17c8b8ca3e3da8ff14cf3c958 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sun, 5 May 2019 17:41:12 +0500
Subject: [PATCH 1/3] BUILD: remove "build_libressl" duplicate declaration
---
 scripts/build-ssl.sh | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/scripts/build-ssl.sh b/scripts/build-ssl.sh
index 4898724e..a8863ed3 100755
--- a/scripts/build-ssl.sh
+++ b/scripts/build-ssl.sh
@@ -44,14 +44,6 @@ download_libressl () {
 fi
 }
-build_libressl() {
- (
- cd "libressl-${LIBRESSL_VERSION}/"
- ./configure --prefix="${HOME}/opt"
- make all install
- )
-}
-
 build_libressl () {
 if [ "$(cat ${HOME}/opt/.libressl-version)" != "${LIBRESSL_VERSION}" ]; then
 tar zxf "download-cache/libressl-${LIBRESSL_VERSION}.tar.gz"
--
2.21.0