CRYPTO_memcmp introduced in https://github.com/openssl/openssl/commit/7c770d572a719fa40fa9c82807a0bd3840baf4a0
no good guard candidate :( пт, 22 янв. 2021 г. в 02:26, Илья Шипицин <[email protected]>: > we use openssl-1.0.2u for ci builds: > > https://github.com/haproxy/haproxy/runs/1743866222?check_suite_focus=true > > > not sure about 1.0.2 beta > > пт, 22 янв. 2021 г. в 02:19, Bertrand Jacquin <[email protected]>: > >> According to INSTALL file, OpenSSL 1.0.2 is still supported by HAProxy, >> however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build: >> >> $ make V=1 TARGET=linux-glibc USE_NS= USE_OPENSSL=1 >> .. >> cc -Iinclude -O2 -g -Wall -Wextra -Wdeclaration-after-statement >> -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter >> -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits >> -DUSE_EPOLL -DUSE_NETFILTER -DUSE_POLL -DUSE_THREAD >> -DUSE_BACKTRACE -DUSE_TPROXY -DUSE_LINUX_TPROXY -DUSE_LINUX_SPLICE >> -DUSE_LIBCRYPT -DUSE_CRYPT_H -DUSE_GETADDRINFO -DUSE_OPENSSL -DUSE_FUTEX >> -DUSE_ACCEPT4 -DUSE_CPU_AFFINITY -DUSE_TFO -DUSE_DL -DUSE_RT >> -DUSE_PRCTL -DUSE_THREAD_DUMP >> -DCONFIG_HAPROXY_VERSION=\"2.4-dev5-37286a-78\" >> -DCONFIG_HAPROXY_DATE=\"2021/01/21\" -c -o src/sample.o src/sample.c >> src/sample.c: In function 'sample_conv_secure_memcmp': >> src/sample.c:3130:2: warning: implicit declaration of function >> 'CRYPTO_memcmp' >> .. 
>> cc -g -o haproxy src/ev_poll.o src/ev_epoll.o src/ssl_sample.o >> src/ssl_sock.o src/ssl_crtlist.o src/ssl_ckch.o src/ssl_utils.o >> src/cfgparse-ssl.o src/mux_h2.o src/mux_fcgi.o src/http_ana.o src/stream.o >> src/mux_h1.o src/stats.o src/flt_spoe.o src/backend.o src/tcpcheck.o >> src/server.o src/tools.o src/cli.o src/cfgparse.o src/log.o >> src/cfgparse-listen.o src/check.o src/stick_table.o src/peers.o src/dns.o >> src/stream_interface.o src/sample.o src/http_htx.o src/haproxy.o >> src/http_act.o src/proxy.o src/pattern.o src/listener.o src/cache.o >> src/http_fetch.o src/session.o src/connection.o src/sink.o src/task.o >> src/filters.o src/fcgi-app.o src/tcp_rules.o src/payload.o src/mux_pt.o >> src/flt_http_comp.o src/cfgparse-global.o src/vars.o src/map.o src/debug.o >> src/queue.o src/h1_htx.o src/compression.o src/mworker.o src/flt_trace.o >> src/acl.o src/trace.o src/proto_sockpair.o src/proto_tcp.o src/lb_chash.o >> src/htx.o src/xprt_handshake.o src/h1.o src/sock.o src/ring.o >> src/extcheck.o src/tcp_sample.o src/frontend.o src/h2.o src/channel.o >> src/applet.o src/tcp_act.o src/http_rules.o src/fd.o src/raw_sock.o >> src/pool.o src/mailers.o src/http_conv.o src/lb_fwrr.o src/proto_uxst.o >> src/http.o src/lb_fwlc.o src/lb_fas.o src/activity.o src/sock_unix.o >> src/protocol.o src/mworker-prog.o src/signal.o src/proto_udp.o src/lb_map.o >> src/sock_inet.o src/ev_select.o src/cfgparse-tcp.o src/action.o >> src/thread.o src/sha1.o src/ebmbtree.o src/cfgparse-unix.o src/dict.o >> src/time.o src/hpack-dec.o src/arg.o src/hpack-tbl.o src/eb64tree.o >> src/chunk.o src/shctx.o src/regex.o src/fcgi.o src/eb32tree.o >> src/eb32sctree.o src/dynbuf.o src/pipe.o src/lru.o src/ebimtree.o >> src/uri_auth.o src/freq_ctr.o src/ebsttree.o src/ebistree.o src/auth.o >> src/wdt.o src/http_acl.o src/hpack-enc.o src/hpack-huff.o src/ebtree.o >> src/base64.o src/hash.o src/dgram.o src/version.o src/fix.o src/mqtt.o >> -lcrypt -ldl -lrt -lpthread -Wl,--export-dynamic 
-lssl -lcrypto -ldl >> src/sample.o: In function `sample_conv_secure_memcmp': >> src/sample.c:3130: undefined reference to `CRYPTO_memcmp' >> collect2: ld returned 1 exit status >> make: *** [haproxy] Error 1 >> >> See: >> https://git.openssl.org/?p=openssl.git;a=commitdiff;h=f5cd3561ba9363e6bcc58fcb6b1e94930f81967d >> >> $ git describe --contains f5cd3561ba9363e6bcc58fcb6b1e94930f81967d >> OpenSSL_1_0_2-beta1~439 >> >> Since secure_memcmp is meant to be used in constant time sensible >> environment, this commit removes the converter when the version of >> OpenSSL does not meant the requirement. Adjusting related documentation, >> pointing the user to strcmp instead. >> >> Cc: Emeric Brun <[email protected]> >> Cc: William Lallemand <[email protected]> >> --- >> doc/configuration.txt | 6 +++++- >> src/sample.c | 12 +++++++----- >> 2 files changed, 12 insertions(+), 6 deletions(-) >> >> diff --git a/doc/configuration.txt b/doc/configuration.txt >> index 899bdf553a85..f25da9c1bfa6 100644 >> --- a/doc/configuration.txt >> +++ b/doc/configuration.txt >> @@ -15996,7 +15996,11 @@ secure_memcmp(<var>) >> performed in constant time. >> >> Please note that this converter is only available when haproxy has been >> - compiled with USE_OPENSSL. >> + compiled with USE_OPENSSL. Requires at least OpenSSL 1.0.2. >> + >> + See also the strcmp converter if you need to compare two binary >> + strings without concern related to constant time or if OpenSSL is not >> + enabled. >> >> Example : >> >> diff --git a/src/sample.c b/src/sample.c >> index bf2de2a2522d..bb12789b551f 100644 >> --- a/src/sample.c >> +++ b/src/sample.c 
>> @@ -3100,12 +3100,14 @@ static int sample_conv_strcmp(const struct arg >> *arg_p, struct sample *smp, void >> return 1; >> } >> >> -#ifdef USE_OPENSSL >> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL >> /* Compares bytestring with a variable containing a bytestring. Return >> value >> * is `true` if both bytestrings are bytewise identical and `false` >> otherwise. >> * >> - * Comparison will be performed in constant time if both bytestrings are >> of >> - * the same length. If the lengths differ execution time will not be >> constant. >> + * Comparison will be performed in constant time if the library support >> + * constant time memcmp (starting with OpenSSL 1.0.2) and if both >> + * bytestrings are of the same length. Otherwise execution time will not >> + * be constant. >> */ >> static int sample_conv_secure_memcmp(const struct arg *arg_p, struct >> sample *smp, void *private) >> { >> @@ -3422,7 +3424,7 @@ static int smp_check_strcmp(struct arg *args, >> struct sample_conv *conv, >> return 0; >> } >> >> -#ifdef USE_OPENSSL >> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL >> /* This function checks the "secure_memcmp" converter's arguments and >> extracts the >> * variable name and its scope. >> */ >> @@ -3988,7 +3990,7 @@ static struct sample_conv_kw_list sample_conv_kws = >> {ILH, { >> #endif >> { "concat", sample_conv_concat, ARG3(1,STR,STR,STR), >> smp_check_concat, SMP_T_STR, SMP_T_STR }, >> { "strcmp", sample_conv_strcmp, ARG1(1,STR), smp_check_strcmp, >> SMP_T_STR, SMP_T_SINT }, >> -#ifdef USE_OPENSSL >> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL >> { "secure_memcmp", sample_conv_secure_memcmp, ARG1(1,STR), >> smp_check_secure_memcmp, SMP_T_BIN, SMP_T_BOOL }, >> #endif >> >> >>
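Review bot: The guard `#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL` (the same expression in all three hunks) excludes OpenSSL 1.0.2 itself, whose version number is exactly 0x1000200fL, so secure_memcmp disappears on the very release the documentation hunk names as the minimum; since the `git describe` output in the commit message places CRYPTO_memcmp in 1.0.2-beta1, it should read `HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL` (or `>= 0x10002000L` to admit the 1.0.2 betas too). The rewritten header comment still says execution time "will not be constant" when the library lacks a constant-time memcmp, but under this guard the converter is not compiled at all in that case, so that sentence now describes an impossible path and is misleading for anyone auditing timing behaviour; something like `Comparison is performed in constant time (CRYPTO_memcmp, OpenSSL >= 1.0.2) when both bytestrings have the same length; if the lengths differ, execution time is not constant.` states what actually remains. If HA_OPENSSL_VERSION_NUMBER is remapped for forks such as LibreSSL or BoringSSL to a value below 1.0.2 (its definition is not visible here), those builds would lose the converter even though they ship CRYPTO_memcmp, so a single feature macro defined in the compat header would be more robust than three copies of a version comparison. The body of sample_conv_secure_memcmp continues past the end of the first hunk.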

