yep :)

CI: Github Actions: temporarily disable BoringSSL builds ·
haproxy/haproxy@30ee296
<https://github.com/haproxy/haproxy/commit/30ee2965b66f20a2649323ca36029bf2440e34b9>

I had a look, I found the same as you (no easy fix).

Let us open a GitHub issue for tracking this.


Tue, 7 Sep 2021 at 22:58, Zakharychev, Bob <[email protected]>:

> BoringSSL commit dddb60e, "Make most of crypto/x509 opaque.", breaks
> compilation of HAProxy with the following errors (log from compiling
> HAProxy 2.4.4 with BoringSSL master branch commit a03c34c, but I suppose
> all other versions are equally affected):
>
>
> …
>
>   CC      src/ssl_sample.o
> In file included from include/haproxy/listener-t.h:37,
>                  from include/haproxy/server-t.h:36,
>                  from include/haproxy/lb_map-t.h:26,
>                  from include/haproxy/backend-t.h:30,
>                  from include/haproxy/proxy-t.h:35,
>                  from include/haproxy/applet-t.h:31,
>                  from include/haproxy/obj_type.h:26,
>                  from src/ssl_sample.c:27:
> include/haproxy/openssl-compat.h: In function ‘X509_OBJECT_get0_X509_CRL’:
> include/haproxy/openssl-compat.h:182:23: error: dereferencing pointer to incomplete type ‘X509_OBJECT’ {aka ‘const struct x509_object_st’}
>      if (a == NULL || a->type != X509_LU_CRL) {
>                        ^~
> src/ssl_sample.c: In function ‘smp_fetch_ssl_x_key_alg’:
> include/haproxy/openssl-compat.h:122:37: error: dereferencing pointer to incomplete type ‘X509’ {aka ‘struct x509_st’}
> #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
>                                      ^~
> src/ssl_sample.c:716:55: note: in expansion of macro ‘X509_get_X509_PUBKEY’
>   X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(crt));
>                                                        ^~~~~~~~~~~~~~~~~~~~
> make: *** [Makefile:945: src/ssl_sample.o] Error 1
>
> Indeed, BoringSSL commit dddb60e “unexported” these structs “aligning with
> OpenSSL” and directs to “Use the accessor APIs instead”. I couldn't figure
> out an easy fix to this - simply removing the two macros conditional on
> OPENSSL_IS_BORINGSSL in affected places doesn't fully help because while
> X509_get_X509_PUBKEY() accessor is now defined, X509_OBJECT_get0_X509_CRL()
> is still missing in BoringSSL. Therefore I defer the fix to HAProxy SSL
> experts - maybe it's actually BoringSSL that needs to be fixed by adding
> the missing accessor, or maybe the single loop in ssl_set_cert_crl_file()
> over all X509 store objects needs to be broken into two loops: one over
> certs returned by X509_STORE_get1_certs() and another over CRLs returned by
> X509_STORE_get1_crls().
>
> Thanks in advance for taking a stab at this,
>   Bob