diff options
author | William Lallemand <wlallemand@haproxy.org> | 2021-08-21 23:59:56 +0200 |
---|---|---|
committer | William Lallemand <wlallemand@haproxy.org> | 2021-08-22 00:30:24 +0200 |
commit | 3aeb3f934772bcced0d0a4e349384ea0dbeab009 (patch) | |
tree | 78702af8a3090615b42a134e9d1d1d803d8cfff5 | |
parent | 44d862d8d403ebb41dd20246ab7ba7df0285a73d (diff) | |
download | haproxy-3aeb3f934772bcced0d0a4e349384ea0dbeab009.tar.gz |
MINOR: cfgcond: implements openssl_version_atleast and openssl_version_before
Implements a way of checking the running openssl version:
If the OpenSSL support was not compiled within HAProxy it will returns a
error, so it's recommanded to do a SSL feature check before:
$ ./haproxy -cc 'feature(OPENSSL) && openssl_version_atleast(0.9.8zh) && openssl_version_before(3.0.0)'
This will allow to select the SSL reg-tests more carefully.
-rw-r--r-- | include/haproxy/cfgcond-t.h | 2 | ||||
-rw-r--r-- | include/haproxy/tools.h | 4 | ||||
-rw-r--r-- | src/cfgcond.c | 32 | ||||
-rw-r--r-- | src/tools.c | 33 |
4 files changed, 65 insertions, 6 deletions
diff --git a/include/haproxy/cfgcond-t.h b/include/haproxy/cfgcond-t.h index bb1961234..b4be9fe86 100644 --- a/include/haproxy/cfgcond-t.h +++ b/include/haproxy/cfgcond-t.h @@ -50,6 +50,8 @@ enum cond_predicate { CFG_PRED_STRNEQ, // "strneq" CFG_PRED_VERSION_ATLEAST, // "version_atleast" CFG_PRED_VERSION_BEFORE, // "version_before" + CFG_PRED_OSSL_VERSION_ATLEAST, // "openssl_version_atleast" + CFG_PRED_OSSL_VERSION_BEFORE, // "openssl_version_before" }; /* types for condition terms */ diff --git a/include/haproxy/tools.h b/include/haproxy/tools.h index e376a716e..dec82e6b7 100644 --- a/include/haproxy/tools.h +++ b/include/haproxy/tools.h @@ -1093,4 +1093,8 @@ static inline void update_char_fingerprint(uint8_t *fp, char prev, char curr) fp[32 * from + to]++; } + +/* compare the current OpenSSL version to a string */ +int openssl_compare_current_version(const char *version); + #endif /* _HAPROXY_TOOLS_H */ diff --git a/src/cfgcond.c b/src/cfgcond.c index 4654c1be8..4aaa92d9d 100644 --- a/src/cfgcond.c +++ b/src/cfgcond.c @@ -18,12 +18,14 @@ /* supported condition predicates */ const struct cond_pred_kw cond_predicates[] = { - { "defined", CFG_PRED_DEFINED, ARG1(1, STR) }, - { "feature", CFG_PRED_FEATURE, ARG1(1, STR) }, - { "streq", CFG_PRED_STREQ, ARG2(2, STR, STR) }, - { "strneq", CFG_PRED_STRNEQ, ARG2(2, STR, STR) }, - { "version_atleast", CFG_PRED_VERSION_ATLEAST, ARG1(1, STR) }, - { "version_before", CFG_PRED_VERSION_BEFORE, ARG1(1, STR) }, + { "defined", CFG_PRED_DEFINED, ARG1(1, STR) }, + { "feature", CFG_PRED_FEATURE, ARG1(1, STR) }, + { "streq", CFG_PRED_STREQ, ARG2(2, STR, STR) }, + { "strneq", CFG_PRED_STRNEQ, ARG2(2, STR, STR) }, + { "version_atleast", CFG_PRED_VERSION_ATLEAST, ARG1(1, STR) }, + { "version_before", CFG_PRED_VERSION_BEFORE, ARG1(1, STR) }, + { "openssl_version_atleast", CFG_PRED_OSSL_VERSION_ATLEAST, ARG1(1, STR) }, + { "openssl_version_before", CFG_PRED_OSSL_VERSION_BEFORE, ARG1(1, STR) }, { NULL, CFG_PRED_NONE, 0 } }; @@ -230,6 +232,24 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err) ret = compare_current_version(term->args[0].data.str.area) > 0; break; + case CFG_PRED_OSSL_VERSION_ATLEAST: { // checks if the current openssl version is at least this one + int opensslret = openssl_compare_current_version(term->args[0].data.str.area); + + if (opensslret < -1) /* can't parse the string or no openssl available */ + ret = -1; + else + ret = opensslret <= 0; + break; + } + case CFG_PRED_OSSL_VERSION_BEFORE: { // checks if the current openssl version is older than this one + int opensslret = openssl_compare_current_version(term->args[0].data.str.area); + + if (opensslret < -1) /* can't parse the string or no openssl available */ + ret = -1; + else + ret = opensslret > 0; + break; + } default: memprintf(err, "internal error: unhandled conditional expression predicate '%s'", term->pred->word); break; diff --git a/src/tools.c b/src/tools.c index 1961689dd..4f536efc3 100644 --- a/src/tools.c +++ b/src/tools.c @@ -62,6 +62,7 @@ extern void *__elf_aux_vector; #include <haproxy/resolvers.h> #include <haproxy/sock.h> #include <haproxy/ssl_sock.h> +#include <haproxy/ssl_utils.h> #include <haproxy/stream_interface.h> #include <haproxy/task.h> #include <haproxy/tools.h> @@ -5592,6 +5593,38 @@ int word_fingerprint_distance(const uint8_t *fp1, const uint8_t *fp2) return dist; } +/* + * This function compares the loaded openssl version with a string <version> + * This function use the same return code as compare_current_version: + * + * -1 : the version in argument is older than the current openssl version + * 0 : the version in argument is the same as the current openssl version + * 1 : the version in argument is newer than the current openssl version + * + * Or some errors: + * -2 : openssl is not available on this process + * -3 : the version in argument is not parsable + */ +int openssl_compare_current_version(const char *version) +{ +#ifdef USE_OPENSSL + int numversion; + + numversion = openssl_version_parser(version); + if (numversion == 0) + return -3; + + if (numversion < OPENSSL_VERSION_NUMBER) + return -1; + else if (numversion > OPENSSL_VERSION_NUMBER) + return 1; + else + return 0; +#else + return -2; +#endif +} + static int init_tools_per_thread() { /* Let's make each thread start from a different position */ |