Hello,

A small fix for OPENSSL_NO_DH builds, plus a weekly CI job exercising it.

Ilya
From 8ccbc7a3fdad681bbdad17d337ba6b86fa038b43 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sat, 12 Feb 2022 21:28:49 +0500
Subject: [PATCH 2/2] CI: github actions: add weekly build with OPENSSL_NO_DH
 set

---
 ...nodeprecated.yml => openssl-nondefault.yml} | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
 rename .github/workflows/{openssl-nodeprecated.yml => openssl-nondefault.yml} (62%)

diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nondefault.yml
similarity index 62%
rename from .github/workflows/openssl-nodeprecated.yml
rename to .github/workflows/openssl-nondefault.yml
index e423f58dd..e3dfef520 100644
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nondefault.yml
@@ -1,5 +1,5 @@
 #
-# special purpose CI: test against OpenSSL built in "no-deprecated" mode
+# special purpose CI: test against OpenSSL built in non default mode
 # let us run those builds weekly
 #
 # for example, OpenWRT uses such OpenSSL builds (those builds are smaller)
@@ -18,7 +18,7 @@ permissions:
   contents: read
 
 jobs:
-  test:
+  OPENSSL_NO_DEPRECATED:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -31,3 +31,17 @@ jobs:
     - name: Run VTest
       run: |
         make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
+
+  OPENSSL_NO_DH:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install VTest
+      run: |
+        scripts/build-vtest.sh
+    - name: Compile HAProxy
+      run: |
+        make DEFINE="-DOPENSSL_NO_DH=1" -j3 CC=gcc ERR=1 TARGET=linux-glibc USE_OPENSSL=1
+    - name: Run VTest
+      run: |
+        make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
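Review bot: The OPENSSL_NO_DH job compiles HAProxy with `-DOPENSSL_NO_DH=1` injected through DEFINE while linking against the runner's stock OpenSSL, which still provides DH, so as written it checks HAProxy's own `#ifndef OPENSSL_NO_DH` guards rather than a DH-less OpenSSL build as the header comment on line 27 ("OpenSSL built in non default mode") suggests; the steps of the OPENSSL_NO_DEPRECATED job that would show how that sibling is built lie outside the hunks, so I cannot compare. A step comment would keep the next reader from assuming otherwise, e.g. `# exercises HAProxy's OPENSSL_NO_DH guards against the stock OpenSSL; OpenSSL itself is not rebuilt without DH`. The checkout/VTest/compile/reg-tests steps are duplicated between the two jobs; a `strategy.matrix` over the DEFINE value would express the same two builds without the copy. The new `actions/checkout@v2` on line 48 follows the existing mutable-tag reference on line 39; pinning actions to a full commit SHA is the usual hardening for workflow files, though that is a file-wide change rather than one for this patch.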
-- 
2.34.1

From 2fe1fe47296c2931c8e87c9a2783dbc1efd3fb1b Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <chipits...@gmail.com>
Date: Sat, 12 Feb 2022 21:15:13 +0500
Subject: [PATCH 1/2] BUILD: SSL: fix guarding when OpenSSL is built with
 OPENSSL_NO_DH

Some parts of the code honour the OPENSSL_NO_DH macro, but others do not;
let us add the guard wherever appropriate.
---
 src/ssl_ckch.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 192ad6c66..75e6d2351 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -499,7 +499,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 	X509 *ca;
 	X509 *cert = NULL;
 	EVP_PKEY *key = NULL;
+#ifndef OPENSSL_NO_DH
 	DH *dh = NULL;
+#endif
 	STACK_OF(X509) *chain = NULL;
 
 	if (buf) {
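Review bot: The new guard around `DH *dh = NULL;` covers the declaration, but ssl_sock_load_pem_into_ckch continues outside this hunk, and whether the DH-parameter parsing that sits between this hunk and the `SWAP(ckch->dh, dh)` hunk at line 87 is also under `#ifndef OPENSSL_NO_DH` is not visible here; if it is not, an OPENSSL_NO_DH build fails on an undeclared `dh` rather than being fixed by this patch. Consider also wrapping the `dh` member of `struct cert_key_and_chain` (declared in its header, which this patch does not touch) in the same guard, so the compiler reports any remaining unguarded access in other files instead of leaving a silently dead member. The same guard pattern recurs in the hunks at lines 87, 97, 108 and 120 and is consistent across them.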
@@ -591,7 +593,9 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 
 	/* no error, fill ckch with new context, old context will be free at end: */
 	SWAP(ckch->key, key);
+#ifndef OPENSSL_NO_DH
 	SWAP(ckch->dh, dh);
+#endif
 	SWAP(ckch->cert, cert);
 	SWAP(ckch->chain, chain);
 
@@ -604,8 +608,10 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 		BIO_free(in);
 	if (key)
 		EVP_PKEY_free(key);
+#ifndef OPENSSL_NO_DH
 	if (dh)
 		DH_free(dh);
+#endif
 	if (cert)
 		X509_free(cert);
 	if (chain)
@@ -636,9 +642,11 @@ void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
 		sk_X509_pop_free(ckch->chain, X509_free);
 	ckch->chain = NULL;
 
+#ifndef OPENSSL_NO_DH
 	if (ckch->dh)
 		DH_free(ckch->dh);
 	ckch->dh = NULL;
+#endif
 
 	if (ckch->sctl) {
 		ha_free(&ckch->sctl->area);
@@ -684,10 +692,12 @@ struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_
 		dst->chain = X509_chain_up_ref(src->chain);
 	}
 
+#ifndef OPENSSL_NO_DH
 	if (src->dh) {
 		DH_up_ref(src->dh);
 		dst->dh = src->dh;
 	}
+#endif
 
 	if (src->sctl) {
 		struct buffer *sctl;
-- 
2.34.1
