Re: USE_QUIC=1 support for awslc

[Frederic Lecaille]

On 1/17/24 00:53, Hopkins, Andrew wrote:
> AWS-LC recently plumbed support for ChaChaPoly and AES CCM through the 
> existing EVP_CIPHER API that HAProxy uses in 
> https://github.com/aws/aws-lc/pull/1311 and 
> https://github.com/aws/aws-lc/pull/1373. Do you need support for just the 
> cipher EVP_chacha20? 

Yes, EVP_chacha20 is required to protect the QUIC packet header (so
without AAD and with a longer IV length compared to EVP_chacha20_poly1305.

About TLS_AES_128_CCM_SHA256, I have noticed that it is disabled by
aws-lc during TLS 1.3 QUIC sessions. Even when I set the default
ciphersuites as mentionned in my previous mail. This is done by a call
to SSL_CTX_set_ciphersuites(). I have not found any
TLS_AES_128_CCM_SHA256 strings into aws-lc source code. So, I guess this
is the root cause of this issue.

Re: [PATCH] fix runtime 'FATAL ERROR: invalid code detected -- cannot go further' when building with Buildroot

[Willy Tarreau]

Hello Aleksandr,

On Tue, Jan 16, 2024 at 09:28:57PM +0200, Aleksandr Makarov wrote:
> In buildroot, forcing HAPROXY_CFLAGS on the haproxy build command line 
> overrides CFLAGS
> which were internally set by the package Makefile.
> 
> In such a way, a bunch of flags that were deduced by the package build script
> in *_CFLAGS variables, specifically in SPEC_CFLAGS, are omitted. Compiling and
> running haproxy without SPEC_CFLAGS taken into account results in runtime 
> error:
> 
> $ haproxy
> FATAL ERROR: invalid code detected -- cannot go further, please recompile!
> The source code was miscompiled by the compiler, which usually indicates that
> some of the CFLAGS needed to work around overzealous compiler optimizations
> were overwritten at build time. Please do not force CFLAGS, and read Makefile
> and INSTALL files to decide on the best way to pass your local build options.
> ...

Well, I'm glad that this test proved to be useful!

> This error is produced by haproxy.c [1] source which effectively ensures that 
> INT_MAX+1
> expression wraps around using twos-complement representation. It is only true 
> when -fwrapv
> gcc option is set in SPEC_CFLAGS.

Yep, that's it. Otherwise it may seem to work for a while, until it
randomly breaks.

> --- a/Makefile
> +++ b/Makefile
> @@ -289,7 +289,7 @@ ARCH_FLAGS= $(ARCH_FLAGS.$(ARCH))
>  # These CFLAGS contain general optimization options, CPU-specific 
> optimizations
>  # and debug flags. They may be overridden by some distributions which prefer 
> to
>  # set all of them at once instead of playing with the CPU and DEBUG 
> variables.
> -CFLAGS = $(ARCH_FLAGS) $(CPU_CFLAGS) $(DEBUG_CFLAGS) $(SPEC_CFLAGS)
> +override CFLAGS += $(ARCH_FLAGS) $(CPU_CFLAGS) $(DEBUG_CFLAGS) $(SPEC_CFLAGS)

I'm sorry, but no, this will break every other distro and package which
sets the flags the way they want.

"override" is generally meant to fix conflicting settings between multiple
subprojects included in the same build, but it's almost always a design
error to use it, as it consists in papering over the real problem.

If the problem is that CFLAGS is forced in the distro's build recipe,
then the solution is as simple as fixing it to stop forcing CFLAGS, or
maybe passing it into one of the sub variables that it's assembled from
above.

But just overriding it means "I know we're forcing some bogus settings
but in this fight I want the makefile to win and to silently ignore the
user's choices". That's not the correct way of dealing with packaging
issues, I'm sorry.

I don't know what the buildroot package looks like, but from your
description there's a hard-coded CFLAGS= on its command line that needs
to be dropped or renamed.

Regards,
Willy