From: Willy Tarreau <w@1wt.eu>
Date: Sat, 22 Apr 2023 17:47:19 +0000 (+0200)
Subject: BUG/MINOR: tools: check libssl and libcrypto separately
X-Git-Tag: v2.8-dev8~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=997ad155fed9d4dbfec504b611b7cf57dd889a11;p=thirdparty%2Fhaproxy.git

BUG/MINOR: tools: check libssl and libcrypto separately

The lib compatibility checks introduced in 2.8-dev6 with commit c3b297d5a
("MEDIUM: tools: further relax dlopen() checks too consider grouped
symbols") were partially incorrect in that they check at the same time
libcrypto and libssl. But if loading a library that only depends on
libcrypto, the ssl-only symbols will be missing and this might present
an inconsistency. This is what is observed on FreeBSD 13.1 when
libcrypto is being loaded, where it sees two symbols having disappeared.

The fix consists in splitting the checks for libcrypto and libssl.

No backport is needed, unless the patch above finally gets backported.
---

diff --git a/src/tools.c b/src/tools.c
index b773064de6..f2b0296de8 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -6093,17 +6093,20 @@ void *dlopen(const char *filename, int flags)
 		uint64_t bit, grp;
 		void *curr, *next;
 	} check_syms[] = {
-		/* openssl checks: group bits 0x7ff */
-		{ .name="OPENSSL_init",                  .bit = 0x0000000000000001, .grp = 0x00000000000003ff, }, // openssl 1.0 / 1.1 / 3.0
-		{ .name="OPENSSL_init_crypto",           .bit = 0x0000000000000002, .grp = 0x00000000000003ff, }, // openssl 1.1 / 3.0 (libcrypto)
-		{ .name="OPENSSL_init_ssl",              .bit = 0x0000000000000004, .grp = 0x00000000000003ff, }, // openssl 1.1 / 3.0 (libssl)
-		{ .name="SSL_library_init",              .bit = 0x0000000000000008, .grp = 0x00000000000003ff, }, // openssl 1.x
-		{ .name="ENGINE_init",                   .bit = 0x0000000000000010, .grp = 0x00000000000003ff, }, // openssl 1.x / 3.x with engine
-		{ .name="EVP_CIPHER_CTX_init",           .bit = 0x0000000000000020, .grp = 0x00000000000003ff, }, // openssl 1.0
-		{ .name="HMAC_Init",                     .bit = 0x0000000000000040, .grp = 0x00000000000003ff, }, // openssl 1.x
-		{ .name="SSL_is_quic",                   .bit = 0x0000000000000080, .grp = 0x00000000000003ff, }, // quictls
-		{ .name="SSL_CTX_new_ex",                .bit = 0x0000000000000100, .grp = 0x00000000000003ff, }, // openssl 3.x
-		{ .name="SSL_CTX_get0_security_ex_data", .bit = 0x0000000000000200, .grp = 0x00000000000003ff, }, // openssl 1.x / 3.x
+		/* openssl's libcrypto checks: group bits 0x1f */
+		{ .name="OPENSSL_init",                  .bit = 0x0000000000000001, .grp = 0x000000000000001f, }, // openssl 1.0 / 1.1 / 3.0
+		{ .name="OPENSSL_init_crypto",           .bit = 0x0000000000000002, .grp = 0x000000000000001f, }, // openssl 1.1 / 3.0
+		{ .name="ENGINE_init",                   .bit = 0x0000000000000004, .grp = 0x000000000000001f, }, // openssl 1.x / 3.x with engine
+		{ .name="EVP_CIPHER_CTX_init",           .bit = 0x0000000000000008, .grp = 0x000000000000001f, }, // openssl 1.0
+		{ .name="HMAC_Init",                     .bit = 0x0000000000000010, .grp = 0x000000000000001f, }, // openssl 1.x
+
+		/* openssl's libssl checks: group bits 0x3e0 */
+		{ .name="OPENSSL_init_ssl",              .bit = 0x0000000000000020, .grp = 0x00000000000003e0, }, // openssl 1.1 / 3.0
+		{ .name="SSL_library_init",              .bit = 0x0000000000000040, .grp = 0x00000000000003e0, }, // openssl 1.x
+		{ .name="SSL_is_quic",                   .bit = 0x0000000000000080, .grp = 0x00000000000003e0, }, // quictls
+		{ .name="SSL_CTX_new_ex",                .bit = 0x0000000000000100, .grp = 0x00000000000003e0, }, // openssl 3.x
+		{ .name="SSL_CTX_get0_security_ex_data", .bit = 0x0000000000000200, .grp = 0x00000000000003e0, }, // openssl 1.x / 3.x
+
 		/* insert only above, 0 must be the last one */
 		{ 0 },
 	};