Hello, small fix for OPENSSL_NO_DH and weekly CI job.
Ilya
From 8ccbc7a3fdad681bbdad17d337ba6b86fa038b43 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sat, 12 Feb 2022 21:28:49 +0500
Subject: [PATCH 2/2] CI: github actions: add weekly build with OPENSSL_NO_DH set
---
 ...nodeprecated.yml => openssl-nondefault.yml} | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
 rename .github/workflows/{openssl-nodeprecated.yml => openssl-nondefault.yml} (62%)
diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nondefault.yml
similarity index 62%
rename from .github/workflows/openssl-nodeprecated.yml
rename to .github/workflows/openssl-nondefault.yml
index e423f58dd..e3dfef520 100644
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nondefault.yml
@@ -1,5 +1,5 @@
 #
-# special purpose CI: test against OpenSSL built in "no-deprecated" mode
+# special purpose CI: test against OpenSSL built in non default mode
 # let us run those builds weekly
 #
 # for example, OpenWRT uses such OpenSSL builds (those builds are smaller)
@@ -18,7 +18,7 @@ permissions:
 contents: read
 jobs:
- test:
+ OPENSSL_NO_DEPRECATED:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -31,3 +31,17 @@ jobs:
 - name: Run VTest
 run: |
 make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
+
+ OPENSSL_NO_DH:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install VTest
+ run: |
+ scripts/build-vtest.sh
+ - name: Compile HAProxy
+ run: |
+ make DEFINE="-DOPENSSL_NO_DH=1" -j3 CC=gcc ERR=1 TARGET=linux-glibc USE_OPENSSL=1
+ - name: Run VTest
+ run: |
+ make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
--
2.34.1
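Review bot: The new OPENSSL_NO_DH job in the last hunk forces the macro on HAProxy's side only, via `make DEFINE="-DOPENSSL_NO_DH=1"`, while linking against the runner's stock OpenSSL, which still provides DH; so it proves that the `#ifndef OPENSSL_NO_DH` guards compile and the reg-tests still pass, not that HAProxy works against an OpenSSL actually built without DH as the rewritten file header (`test against OpenSSL built in non default mode`) suggests. If the sibling OPENSSL_NO_DEPRECATED job builds its own OpenSSL (its steps are outside the hunks), this job should either do the same with `no-dh` or say what it covers, e.g. a comment above the job: `# compile/regtest coverage for the OPENSSL_NO_DH guards; the macro is forced on the HAProxy side, the system OpenSSL still has DH`. Separately, both jobs reference `actions/checkout@v2` by mutable tag; pinning third-party actions to a commit SHA would reduce the supply-chain exposure of a scheduled workflow that runs `scripts/build-vtest.sh` and `make` on every weekly trigger.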
From 2fe1fe47296c2931c8e87c9a2783dbc1efd3fb1b Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sat, 12 Feb 2022 21:15:13 +0500
Subject: [PATCH 1/2] BUILD: SSL: fix guarding when OpenSSL is built with OPENSSL_NO_DH
some parts of the code support OPENSSL_NO_DH macro, but other do not. let us add wherever appropriate
---
 src/ssl_ckch.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 192ad6c66..75e6d2351 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -499,7 +499,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 X509 *ca;
 X509 *cert = NULL;
 EVP_PKEY *key = NULL;
+#ifndef OPENSSL_NO_DH
 DH *dh = NULL;
+#endif
 STACK_OF(X509) *chain = NULL;
 if (buf) {
@@ -591,7 +593,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 /* no error, fill ckch with new context, old context will be free at end: */
 SWAP(ckch->key, key);
+#ifndef OPENSSL_NO_DH
 SWAP(ckch->dh, dh);
+#endif
 SWAP(ckch->cert, cert);
 SWAP(ckch->chain, chain);
@@ -604,8 +608,10 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 BIO_free(in);
 if (key)
 EVP_PKEY_free(key);
+#ifndef OPENSSL_NO_DH
 if (dh)
 DH_free(dh);
+#endif
 if (cert)
 X509_free(cert);
 if (chain)
@@ -636,9 +642,11 @@ void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
 sk_X509_pop_free(ckch->chain, X509_free);
 ckch->chain = NULL;
+#ifndef OPENSSL_NO_DH
 if (ckch->dh)
 DH_free(ckch->dh);
 ckch->dh = NULL;
+#endif
 if (ckch->sctl) {
 ha_free(&ckch->sctl->area);
@@ -684,10 +692,12 @@ struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_
 dst->chain = X509_chain_up_ref(src->chain);
 }
+#ifndef OPENSSL_NO_DH
 if (src->dh) {
 DH_up_ref(src->dh);
 dst->dh = src->dh;
 }
+#endif
 if (src->sctl) {
 struct buffer *sctl;
--
2.34.1
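Review bot: Wrapping the `DH *dh = NULL;` declaration in the first hunk is only sound if every reference to `dh` in the body of ssl_sock_load_pem_into_ckch between this hunk and the `SWAP(ckch->dh, dh);` hunk (roughly lines 505–590, not part of the patch) already sits inside an `#ifndef OPENSSL_NO_DH` block; the commit message implies the DH-params parsing does, but a single unguarded use would turn an OPENSSL_NO_DH build into an undeclared-identifier error instead of the intended no-op. The weekly job added in patch 2/2 is the right way to confirm this rather than by inspection, since nothing in this patch shows those lines. The function starts before the first hunk and continues past the third.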
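Review bot: The last two hunks guard the code that frees, clears and up-refs `ckch->dh`, but the patch does not touch the declaration of the `dh` member of `struct cert_key_and_chain` (it lives in the header, outside this diff). If that member stays unconditionally declared, an OPENSSL_NO_DH build no longer resets `ckch->dh` to NULL in ssl_sock_free_cert_key_and_chain_contents and never initialises `dst->dh` in ssl_sock_copy_cert_key_and_chain unless `dst` is zero-allocated, which stays harmless only while no other unguarded code reads the field. Either guard the member the same way so that any leftover read fails at compile time, or keep the `ckch->dh = NULL;` assignment outside the `#endif` so the struct is never left with a stale pointer in either configuration. Both functions extend beyond their hunks.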