According to INSTALL file, OpenSSL 1.0.1d is still supported by HAProxy,
however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build:

  $ make V=1 TARGET=linux-glibc USE_NS= USE_OPENSSL=1
  ..
  cc -Iinclude  -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv  
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers   -Wtype-limits           -DUSE_EPOLL  
-DUSE_NETFILTER     -DUSE_POLL  -DUSE_THREAD  -DUSE_BACKTRACE   -DUSE_TPROXY 
-DUSE_LINUX_TPROXY -DUSE_LINUX_SPLICE -DUSE_LIBCRYPT -DUSE_CRYPT_H 
-DUSE_GETADDRINFO -DUSE_OPENSSL  -DUSE_FUTEX -DUSE_ACCEPT4    
-DUSE_CPU_AFFINITY -DUSE_TFO  -DUSE_DL -DUSE_RT      -DUSE_PRCTL 
-DUSE_THREAD_DUMP      -DCONFIG_HAPROXY_VERSION=\"2.4-dev5-37286a-78\" 
-DCONFIG_HAPROXY_DATE=\"2021/01/21\" -c -o src/sample.o src/sample.c
src/sample.c: In function 'sample_conv_secure_memcmp':
src/sample.c:3130:2: warning: implicit declaration of function 'CRYPTO_memcmp'
  ..
  cc  -g -o haproxy src/ev_poll.o src/ev_epoll.o src/ssl_sample.o 
src/ssl_sock.o src/ssl_crtlist.o src/ssl_ckch.o src/ssl_utils.o 
src/cfgparse-ssl.o src/mux_h2.o src/mux_fcgi.o src/http_ana.o src/stream.o 
src/mux_h1.o src/stats.o src/flt_spoe.o src/backend.o src/tcpcheck.o 
src/server.o src/tools.o src/cli.o src/cfgparse.o src/log.o 
src/cfgparse-listen.o src/check.o src/stick_table.o src/peers.o src/dns.o 
src/stream_interface.o src/sample.o src/http_htx.o src/haproxy.o src/http_act.o 
src/proxy.o src/pattern.o src/listener.o src/cache.o src/http_fetch.o 
src/session.o src/connection.o src/sink.o src/task.o src/filters.o 
src/fcgi-app.o src/tcp_rules.o src/payload.o src/mux_pt.o src/flt_http_comp.o 
src/cfgparse-global.o src/vars.o src/map.o src/debug.o src/queue.o src/h1_htx.o 
src/compression.o src/mworker.o src/flt_trace.o src/acl.o src/trace.o 
src/proto_sockpair.o src/proto_tcp.o src/lb_chash.o src/htx.o 
src/xprt_handshake.o src/h1.o src/sock.o src/ring.o src/extcheck.o 
src/tcp_sample.o src/frontend.o src/h2.o src/channel.o src/applet.o 
src/tcp_act.o src/http_rules.o src/fd.o src/raw_sock.o src/pool.o src/mailers.o 
src/http_conv.o src/lb_fwrr.o src/proto_uxst.o src/http.o src/lb_fwlc.o 
src/lb_fas.o src/activity.o src/sock_unix.o src/protocol.o src/mworker-prog.o 
src/signal.o src/proto_udp.o src/lb_map.o src/sock_inet.o src/ev_select.o 
src/cfgparse-tcp.o src/action.o src/thread.o src/sha1.o src/ebmbtree.o 
src/cfgparse-unix.o src/dict.o src/time.o src/hpack-dec.o src/arg.o 
src/hpack-tbl.o src/eb64tree.o src/chunk.o src/shctx.o src/regex.o src/fcgi.o 
src/eb32tree.o src/eb32sctree.o src/dynbuf.o src/pipe.o src/lru.o 
src/ebimtree.o src/uri_auth.o src/freq_ctr.o src/ebsttree.o src/ebistree.o 
src/auth.o src/wdt.o src/http_acl.o src/hpack-enc.o src/hpack-huff.o 
src/ebtree.o src/base64.o src/hash.o src/dgram.o src/version.o src/fix.o 
src/mqtt.o   -lcrypt -ldl -lrt -lpthread -Wl,--export-dynamic  -lssl -lcrypto 
-ldl
  src/sample.o: In function `sample_conv_secure_memcmp':
  src/sample.c:3130: undefined reference to `CRYPTO_memcmp'
  collect2: ld returned 1 exit status
  make: *** [haproxy] Error 1

See: 
https://git.openssl.org/?p=openssl.git;a=commit;h=2ee798880a246d648ecddadc5b91367bee4a5d98

  $ git describe --contains 2ee798880a246d648ecddadc5b91367bee4a5d98
  OpenSSL_1_0_1d~26

Since secure_memcmp is meant to be used in timing-sensitive environments
(it must run in constant time), this commit removes the converter when the
OpenSSL version does not meet that requirement. Related documentation is
adjusted accordingly, pointing the user to strcmp instead.

Cc: Emeric Brun <[email protected]>
Cc: William Lallemand <[email protected]>
Cc: Tim Düsterhus <[email protected]>
Cc: Илья Шипицин <[email protected]>
---
 doc/configuration.txt | 2 +-
 src/sample.c          | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 899bdf553a85..4c9d75dbc9a9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -15996,7 +15996,7 @@ secure_memcmp(<var>)
   performed in constant time.
 
   Please note that this converter is only available when haproxy has been
-  compiled with USE_OPENSSL.
+  compiled with USE_OPENSSL. Requires at least OpenSSL 1.0.1d.
 
   Example :
 
diff --git a/src/sample.c b/src/sample.c
index bf2de2a2522d..22246abf8dd7 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -3100,7 +3100,7 @@ static int sample_conv_strcmp(const struct arg *arg_p, 
struct sample *smp, void
        return 1;
 }
 
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1010104fL
 /* Compares bytestring with a variable containing a bytestring. Return value
  * is `true` if both bytestrings are bytewise identical and `false` otherwise.
  *
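Review bot: The threshold in the new `#if` guarding `sample_conv_secure_memcmp` is `0x1010104fL`, which in OpenSSL's MNNFFPPS encoding is 1.1.1d, not the 1.0.1d named by the commit message's `git describe` output and by the doc change in this same patch; 1.0.1d encodes as `0x1000104fL`. As written the guard also compiles the converter out on 1.0.2 and 1.1.0 builds, which do ship CRYPTO_memcmp, so the line should read `#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL`. Separately, `HA_OPENSSL_VERSION_NUMBER` is not defined in this hunk; if it is not in scope in sample.c the preprocessor evaluates it as 0 and the converter silently disappears for every OpenSSL version, so it is worth confirming the compat header that defines it is included here. The function body continues past the end of the hunk.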
@@ -3422,7 +3422,7 @@ static int smp_check_strcmp(struct arg *args, struct 
sample_conv *conv,
        return 0;
 }
 
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1010104fL
 /* This function checks the "secure_memcmp" converter's arguments and extracts 
the
  * variable name and its scope.
  */
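Review bot: The same three-term condition is now written out verbatim on three guards in this file (this one, the converter definition and the keyword table), so any correction to the version threshold must be repeated in three places and the sites can drift apart. Defining it once near the top of the file, e.g. `#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1000104fL` / `#define HAVE_SECURE_MEMCMP` / `#endif`, and testing `#ifdef HAVE_SECURE_MEMCMP` at each site keeps the definition, the argument checker and the registration in step. The body of `smp_check_secure_memcmp` continues outside the hunk.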
@@ -3988,7 +3988,7 @@ static struct sample_conv_kw_list sample_conv_kws = {ILH, 
{
 #endif
        { "concat", sample_conv_concat,    ARG3(1,STR,STR,STR), 
smp_check_concat, SMP_T_STR,  SMP_T_STR },
        { "strcmp", sample_conv_strcmp,    ARG1(1,STR), smp_check_strcmp, 
SMP_T_STR,  SMP_T_SINT },
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1010104fL
        { "secure_memcmp", sample_conv_secure_memcmp,    ARG1(1,STR), 
smp_check_secure_memcmp, SMP_T_BIN,  SMP_T_BOOL },
 #endif
 
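Review bot: Removing `secure_memcmp` from `sample_conv_kws` on older OpenSSL presumably makes a configuration that references it fail to load as an unknown converter, and the commit message says the documentation then sends users to `strcmp`; `strcmp` returns at the first differing byte, so that substitute reintroduces exactly the timing side channel this converter exists to close. The doc hunk in this patch only adds a version requirement and never says so, so I would add to the `secure_memcmp` description something like `When built against an OpenSSL without CRYPTO_memcmp() this converter is absent; strcmp is not a constant-time replacement and must not be used to compare secrets.` A lower-impact alternative to dropping the feature is to keep the registration unconditional under USE_OPENSSL and supply a local constant-time compare (a fixed-length loop OR-ing `a[i] ^ b[i]` into an accumulator) when CRYPTO_memcmp is unavailable.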
