[PATCH] Minor: ssl: Build with new cryptographic library AWS-LC #1

Merged
merged 4 commits into from
Aug 31, 2023


andrewhop
Owner

Trigger github runners.

@andrewhop andrewhop force-pushed the add_aws-lc branch 2 times, most recently from 1616f82 to ea51e84 Compare July 12, 2023 17:34
@andrewhop andrewhop force-pushed the add_aws-lc branch 8 times, most recently from 56354b4 to 2117c11 Compare July 13, 2023 07:53
@andrewhop andrewhop force-pushed the add_aws-lc branch 4 times, most recently from 1c2b73f to 7634f86 Compare July 17, 2023 18:53
@andrewhop andrewhop force-pushed the add_aws-lc branch 4 times, most recently from f43e42b to 97ab405 Compare August 18, 2023 23:38
andrewhop pushed a commit that referenced this pull request Aug 30, 2023
If a stream is interrupted during its initialization by a panic signal
and tries to dump itself, it may cause a crash during the dump due to
scf and/or scb not being fully initialized. This may also happen while
releasing an endpoint to attach a new one. The effect is that instead
of dying on an abort, the process dies on a segv. This race is ultra-
rare but totally possible. E.g:

  #0  se_fl_test (test=1, se=0x0) at include/haproxy/stconn.h:98
  #1  sc_ep_test (test=1, sc=0x7ff8d5cbd560) at include/haproxy/stconn.h:148
  #2  sc_conn (sc=0x7ff8d5cbd560) at include/haproxy/stconn.h:223
  #3  stream_dump (buf=buf@entry=0x7ff9507e7678, s=0x7ff4c40c8800, pfx=pfx@entry=0x55996c558cb3 ' ' <repeats 13 times>, eol=eol@entry=10 '\n') at src/stream.c:2840
  #4  0x000055996c493b42 in ha_task_dump (buf=buf@entry=0x7ff9507e7678, task=<optimized out>, pfx=pfx@entry=0x55996c558cb3 ' ' <repeats 13 times>) at src/debug.c:328
  #5  0x000055996c493edb in ha_thread_dump_one (thr=thr@entry=18, from_signal=from_signal@entry=0) at src/debug.c:227
  #6  0x000055996c493ff1 in ha_thread_dump (buf=buf@entry=0x7ff9507e7678, thr=thr@entry=18) at src/debug.c:270
  #7  0x000055996c494257 in ha_panic () at src/debug.c:430
  #8  ha_panic () at src/debug.c:411
  (...)
  #23 0x000055996c341fe8 in ssl_sock_close (conn=<optimized out>, xprt_ctx=0x7ff8dcae3880) at src/ssl_sock.c:6699
  #24 0x000055996c397648 in conn_xprt_close (conn=0x7ff8c297b0c0) at include/haproxy/connection.h:148
  #25 conn_full_close (conn=0x7ff8c297b0c0) at include/haproxy/connection.h:192
  #26 h1_release (h1c=0x7ff8c297b3c0) at src/mux_h1.c:1074
  #27 0x000055996c39c9f0 in h1_detach (sd=<optimized out>) at src/mux_h1.c:3502
  #28 0x000055996c474de4 in sc_detach_endp (scp=scp@entry=0x7ff9507e3148) at src/stconn.c:375
  #29 0x000055996c4752a5 in sc_reset_endp (sc=<optimized out>, sc@entry=0x7ff8d5cbd560) at src/stconn.c:475

Note that this cannot happen on "show sess" since a stream never leaves
process_stream in such an uninitialized state, thus it's really only the
crash dump that may cause this.

It should be backported to 2.8.
This adds a new option for the Makefile, USE_OPENSSL_AWSLC, and
updates the documentation with instructions to use HAProxy with
AWS-LC.

Update the type of the OCSP callback retrieved with
SSL_CTX_get_tlsext_status_cb with the actual type for
libcrypto versions greater than 1.0.2. This doesn't affect
OpenSSL which casts the callback to void* in SSL_CTX_ctrl.
which does not support FFDH ciphersuites.
Add support to determine latest AWS-LC release, build and cache
the libcrypto/libssl, and run the tests.
@andrewhop andrewhop merged commit 8b9f328 into master Aug 31, 2023
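
The crash-dump race described in the referenced commit message above (frame #0 shows `se=0x0` while `stream_dump` walks a stream whose `scf`/`scb` or endpoint is not fully set up) comes down to a diagnostic path dereferencing links that may not exist yet. The block below is an added example of a dump routine that checks each link first. It is not HAProxy's code or its actual fix: the structures, the flag value and the `sc_conn_safe`, `dump_side` and `stream_dump_safe` names are simplified assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the structures named in the trace. */
struct sedesc { unsigned int flags; };
struct stconn { struct sedesc *sedesc; void *conn; };
struct stream { struct stconn *scf, *scb; };
#define SE_FL_T_MUX 0x1u /* constructed flag: endpoint is a connection */

/* Return the connection only when every link of the chain is present. */
static const void *sc_conn_safe(const struct stconn *sc)
{
    if (!sc || !sc->sedesc)
        return NULL;
    return (sc->sedesc->flags & SE_FL_T_MUX) ? sc->conn : NULL;
}

/* Describe one side; reports a missing link instead of dereferencing it. */
static size_t dump_side(char *buf, size_t size, const char *name,
                        const struct stconn *sc)
{
    int n;

    if (!sc)
        n = snprintf(buf, size, "%s=<none> ", name);
    else if (!sc->sedesc)
        n = snprintf(buf, size, "%s: sd=<none> ", name);
    else
        n = snprintf(buf, size, "%s: sd.flags=0x%x conn=%s ", name,
                     sc->sedesc->flags, sc_conn_safe(sc) ? "yes" : "no");
    if (n < 0)
        return 0;
    return (size_t)n < size ? (size_t)n : size - 1; /* truncated output */
}

/* Dump both sides into buf; returns the number of bytes written. */
size_t stream_dump_safe(char *buf, size_t size, const struct stream *s)
{
    size_t len;

    if (!buf || !size)
        return 0;
    buf[0] = '\0';
    if (!s)
        return 0;
    len = dump_side(buf, size, "scf", s->scf);
    return len + dump_side(buf + len, size - len, "scb", s->scb);
}
```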