BoringSSL decided to report itself as 1.1.1 on 16 Sep 2020, so version-number checks now select 1.1.1-only code paths (TLS 1.3 ciphersuites, early data) that BoringSSL does not actually provide; nobody was prepared for it: https://boringssl.googlesource.com/boringssl/+/49e9f67d8b7cbeb3953b5548ad1009d15947a523%5E%21/include/openssl/base.h
we missed it because our CI was running openssl instead of boringssl (it is fixed now). boringssl fixes will be released next few days. вс, 11 окт. 2020 г. в 23:50, Илья Шипицин <[email protected]>: > for master branch (I sent travis-ci patch): > > > > sr/include -DCONFIG_HAPROXY_VERSION=\"2.3-dev6\" > -DCONFIG_HAPROXY_DATE=\"2020/10/10\" -c -o src/ssl_crtlist.o > src/ssl_crtlist.c > src/ssl_crtlist.c: In function ‘ssl_sock_free_ssl_conf’: > src/ssl_crtlist.c:54:12: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 54 | free(conf->ciphersuites); > | ^~ > src/ssl_crtlist.c:55:7: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 55 | conf->ciphersuites = NULL; > | ^~ > src/ssl_crtlist.c: In function ‘crtlist_dup_ssl_conf’: > src/ssl_crtlist.c:113:9: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 113 | if (src->ciphersuites) { > | ^~ > src/ssl_crtlist.c:114:6: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 114 | dst->ciphersuites = strdup(src->ciphersuites); > | ^~ > src/ssl_crtlist.c:114:33: error: ‘struct ssl_bind_conf’ has no member > named ‘ciphersuites’ > 114 | dst->ciphersuites = strdup(src->ciphersuites); > | ^~ > src/ssl_crtlist.c:115:11: error: ‘struct ssl_bind_conf’ has no member > named ‘ciphersuites’ > 115 | if (!dst->ciphersuites) > | ^~ > src/ssl_sock.c:1288:39: error: ‘struct certificate_ocsp’ declared inside > parameter list will not be visible outside of this definition or > declaration [-Werror] > 1288 | static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) > | ^~~~~~~~~~~~~~~~ > src/ssl_sock.c: In function ‘ssl_sock_free_ocsp’: > src/ssl_sock.c:1293:6: error: invalid use of undefined type ‘struct > certificate_ocsp’ > 1293 | ocsp->refcount--; > | ^~ > src/ssl_sock.c:1294:10: error: invalid use of undefined type ‘struct > certificate_ocsp’ > 1294 | if (ocsp->refcount <= 0) { > | ^~ > src/ssl_sock.c:1295:20: error: invalid use of undefined type ‘struct > 
certificate_ocsp’ > 1295 | ebmb_delete(&ocsp->key); > | ^~ > src/ssl_sock.c:1296:22: error: invalid use of undefined type ‘struct > certificate_ocsp’ > 1296 | chunk_destroy(&ocsp->response); > | ^~ > make: *** [Makefile:889: src/ssl_crtlist.o] Error 1 > make: *** Waiting for unfinished jobs.... > src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’: > src/ssl_sock.c:4116:43: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 4116 | conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? > ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; > | ^~ > src/ssl_sock.c:4116:69: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 4116 | conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? > ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; > | > ^~ > src/ssl_sock.c:4116:105: error: ‘struct ssl_bind_conf’ has no member named > ‘ciphersuites’ > 4116 | conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? > ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; > | > ^ > src/ssl_sock.c:4118:7: error: implicit declaration of function > ‘SSL_CTX_set_ciphersuites’; did you mean ‘SSL_CTX_set_cipher_list’? 
> [-Werror=implicit-function-declaration] > 4118 | !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) { > | ^~~~~~~~~~~~~~~~~~~~~~~~ > | SSL_CTX_set_cipher_list > src/ssl_sock.c: In function ‘ssl_sock_prepare_srv_ctx’: > src/ssl_sock.c:4573:18: error: ‘struct <anonymous>’ has no member named > ‘ciphersuites’ > 4573 | if (srv->ssl_ctx.ciphersuites && > | ^ > src/ssl_sock.c:4574:59: error: ‘struct <anonymous>’ has no member named > ‘ciphersuites’ > 4574 | !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, > srv->ssl_ctx.ciphersuites)) { > | ^ > src/ssl_sock.c:4577:49: error: ‘struct <anonymous>’ has no member named > ‘ciphersuites’ > 4577 | srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites); > | ^ > src/ssl_sock.c: In function ‘ssl_sock_init’: > src/ssl_sock.c:5036:4: error: implicit declaration of function > ‘SSL_set_max_early_data’; did you mean ‘SSL_in_early_data’? > [-Werror=implicit-function-declaration] > 5036 | SSL_set_max_early_data(ctx->ssl, > | ^~~~~~~~~~~~~~~~~~~~~~ > | SSL_in_early_data > src/ssl_sock.c: In function ‘ssl_sock_handshake’: > src/ssl_sock.c:5097:10: error: implicit declaration of function > ‘SSL_read_early_data’; did you mean ‘SSL_in_early_data’? > [-Werror=implicit-function-declaration] > 5097 | ret = SSL_read_early_data(ctx->ssl, > | ^~~~~~~~~~~~~~~~~~~ > | SSL_in_early_data > src/ssl_sock.c:5100:15: error: ‘SSL_READ_EARLY_DATA_ERROR’ undeclared > (first use in this function); did you mean ‘SSL_AD_DECRYPT_ERROR’? 
> 5100 | if (ret == SSL_READ_EARLY_DATA_ERROR) > | ^~~~~~~~~~~~~~~~~~~~~~~~~ > | SSL_AD_DECRYPT_ERROR > src/ssl_sock.c:5100:15: note: each undeclared identifier is reported only > once for each function it appears in > src/ssl_sock.c:5106:15: error: ‘SSL_READ_EARLY_DATA_FINISH’ undeclared > (first use in this function) > 5106 | if (ret == SSL_READ_EARLY_DATA_FINISH) { > | ^~~~~~~~~~~~~~~~~~~~~~~~~~ > src/ssl_sock.c:5302:8: error: implicit declaration of function > ‘SSL_get_early_data_status’; did you mean ‘SSL_get_early_data_reason’? > [-Werror=implicit-function-declaration] > 5302 | if (SSL_get_early_data_status(ctx->ssl) == > SSL_EARLY_DATA_REJECTED) { > | ^~~~~~~~~~~~~~~~~~~~~~~~~ > | SSL_get_early_data_reason > src/ssl_sock.c:5302:47: error: ‘SSL_EARLY_DATA_REJECTED’ undeclared (first > use in this function); did you mean ‘SSL_ERROR_EARLY_DATA_REJECTED’? > 5302 | if (SSL_get_early_data_status(ctx->ssl) == > SSL_EARLY_DATA_REJECTED) { > | > ^~~~~~~~~~~~~~~~~~~~~~~ > | > SSL_ERROR_EARLY_DATA_REJECTED > src/ssl_sock.c: In function ‘ssl_sock_from_buf’: > src/ssl_sock.c:5714:17: error: implicit declaration of function > ‘SSL_get_max_early_data’; did you mean ‘SSL_in_early_data’? > [-Werror=implicit-function-declaration] > 5714 | max_early = SSL_get_max_early_data(ctx->ssl); > | ^~~~~~~~~~~~~~~~~~~~~~ > | SSL_in_early_data > src/ssl_sock.c:5717:18: error: implicit declaration of function > ‘SSL_SESSION_get_max_early_data’; did you mean ‘SSL_SESSION_get_ex_data’? > [-Werror=implicit-function-declaration] > 5717 | max_early = > SSL_SESSION_get_max_early_data(SSL_get0_session(ctx->ssl)); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > | SSL_SESSION_get_ex_data > src/ssl_sock.c:5730:10: error: implicit declaration of function > ‘SSL_write_early_data’; did you mean ‘SSL_in_early_data’? 
> [-Werror=implicit-function-declaration] > 5730 | ret = SSL_write_early_data(ctx->ssl, b_peek(buf, done), try, > &written_data); > | ^~~~~~~~~~~~~~~~~~~~ > | SSL_in_early_data > At top level: > src/ssl_sock.c:1288:13: error: ‘ssl_sock_free_ocsp’ defined but not used > [-Werror=unused-function] > 1288 | static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) > | ^~~~~~~~~~~~~~~~~~ > cc1: all warnings being treated as errors > > вс, 11 окт. 2020 г. в 23:19, Илья Шипицин <[email protected]>: > >> seems, our CI for boringssl is broken. I see "openssl" there >> >> https://travis-ci.com/github/haproxy/haproxy/jobs/397911591#L1102-L1103 >> >> вс, 11 окт. 2020 г. в 15:06, László Soós <[email protected]>: >> >>> Hi Willy, All, >>> >>> Starting from 2.1.9 compilation fails with: >>> >>> src/ssl_sock.c:1231:39: warning: 'struct certificate_ocsp' declared >>> inside parameter list will not be visible outside of this definition or >>> declaration >>> 1231 | static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) >>> | ^~~~~~~~~~~~~~~~ >>> src/ssl_sock.c: In function 'ssl_sock_free_ocsp': >>> src/ssl_sock.c:1236:6: error: dereferencing pointer to incomplete type >>> 'struct certificate_ocsp' >>> 1236 | ocsp->refcount--; >>> | ^~ >>> CC src/mux_fcgi.o >>> CC src/cfgparse-listen.o >>> CC src/http_ana.o >>> At top level: >>> src/ssl_sock.c:1231:13: warning: 'ssl_sock_free_ocsp' defined but not >>> used [-Wunused-function] >>> 1231 | static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) >>> >>> ---- >>> I went and checked source code (for 2.2.4 as it has the same problem) >>> >>> https://git.haproxy.org/?p=haproxy-2.2.git;a=blob;f=src/ssl_sock.c;h=019597ae76f2cb926b7ad42baf6378cf3456c417;hb=HEAD >>> LINE 1290 >>> static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) >>> >>> This is defined in a section: >>> >>> #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined >>> OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) >>> >>> If I go up to LINE 851 
where struct certificate_ocsp is defined, it is >>> inside a section guarded by: >>> >>> #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) >>> >>> >>> So struct certificate_ocsp will not be defined for BoringSSL and >>> compilation fails. >>> >>> My quick solution was (maybe not the best, but it works) to move the >>> struct definition above the wrongly guarded section, like this: >>> #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined >>> OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) >>> /* >>> * struct alignment works here such that the key.key is the same as >>> key_data >>> * Do not change the placement of key_data >>> */ >>> struct certificate_ocsp { >>> struct ebmb_node key; >>> unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH]; >>> struct buffer response; >>> int refcount; >>> long expire; >>> }; >>> #endif >>> >>> Could you consider this a bug and potentially fix it in future >>> releases? >>> >>> >>> For the record, after this 'patch' I get the warnings below with >>> BoringSSL, but I think they are safe to ignore (?): >>> .... 
>>> CC src/hlua_fcn.o >>> CC src/namespace.o >>> src/ssl_sock.c:1292:13: warning: 'ssl_sock_free_ocsp' defined but not >>> used [-Wunused-function] >>> 1292 | static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp) >>> | ^~~~~~~~~~~~~~~~~~ >>> CC src/mux_fcgi.o >>> CC src/mux_h1.o >>> In file included from include/haproxy/pool.h:29, >>> from include/haproxy/chunk.h:31, >>> from include/haproxy/dynbuf.h:33, >>> from include/haproxy/channel.h:27, >>> from src/ssl_crtlist.c:23: >>> src/ssl_crtlist.c: In function 'crtlist_parse_file': >>> include/haproxy/list.h:51:70: warning: potential null pointer >>> dereference [-Wnull-dereference] >>> 51 | #define LIST_ADDQ(lh, el) ({ (el)->p = (lh)->p; (el)->p->n = >>> (lh)->p = (el); (el)->n = (lh); (el); }) >>> | >>> ~~~~~~~~^~~~~~ >>> src/ssl_crtlist.c:425:3: note: in expansion of macro 'LIST_ADDQ' >>> 425 | LIST_ADDQ(&ckchs->crtlist_entry, &entry->by_ckch_store); >>> | ^~~~~~~~~ >>> include/haproxy/list.h:51:44: warning: potential null pointer >>> dereference [-Wnull-dereference] >>> 51 | #define LIST_ADDQ(lh, el) ({ (el)->p = (lh)->p; (el)->p->n = >>> (lh)->p = (el); (el)->n = (lh); (el); }) >>> | ~~~~^~~ >>> src/ssl_crtlist.c:425:3: note: in expansion of macro 'LIST_ADDQ' >>> 425 | LIST_ADDQ(&ckchs->crtlist_entry, &entry->by_ckch_store); >>> | ^~~~~~~~~ >>> CC src/mux_h2.o >>> CC src/backend.o >>> CC src/cfgparse.o >>> .... >>> >>> Thanks, >>> sooslaca >>> >>>

