There are periodically some heap-use-after-free reported in ratelim
tests by TSan, which I cannot reproduce locally and even on CI it is
flaky.
Let's try to use recent clang, maybe it fixes some issues in sanitizers.
Refs: #1206
Right now because we have separate workflows there is no one page with
all the jobs, instead we have separate page for each workflow (linux,
windows, ...)
This is pretty inconvenient, so let's make it cleaner, and now we will
have only two:
- for pull requests
- for upstream/master
Previously evdns was using HOST_NAME_MAX, and define it to 255 *only* if
it not set, however it does set on linux:
$ egrep -r define.*HOST_NAME_MAX /usr/include/bits
/usr/include/bits/local_lim.h:#define HOST_NAME_MAX 64
/usr/include/bits/posix1_lim.h:#define _POSIX_HOST_NAME_MAX 255
/usr/include/bits/confname.h:#define _SC_HOST_NAME_MAX _SC_HOST_NAME_MAX
But 64 should be the limit of the host component, not for the whole
hostname, as also noted by @ploxiln
So use our own EVDNS_NAME_MAX const, which is set to 255.
Fixes: #1280
Public CI workers has pretty high load, and sometimes you need to test
only specific workflow, i.e. windows.
So let's add ability to limit which workflow should be run.
* openssl-3:
ci: use ubuntu 22.04 with OpenSSl 3.0 instead of building OpenSSL from sources
ci: set LD_LIBRARY_PATH for openssl 3.0 build
test: suppress warning for already defined SSL_get_peer_certificate
autotools: print $OPENSSL_LIBS/$OPENSSL_INCS
Suppress -Wunused-value for BIO_set_close()
Use OPENSSL_VERSION_NUMBER over OPENSSL_VERSION_MAJOR (for compatibility)
Attempt to add OpenSSL 3 to the Linux build matrix
Initial OpenSSL 3.0 support
Fixes:
/home/runner/work/libevent/libevent/build/test/.libs/regress: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
build report:
[1/2] Building C object CMakeFiles/regress.dir/test/regress_mbedtls.c.o
/src/le/libevent/test/regress_mbedtls.c:50: warning: "SSL_get_peer_certificate" redefined
50 | #define SSL_get_peer_certificate mbedtls_ssl_get_peer_cert
|
In file included from /src/le/libevent/test/regress.h:139,
from /src/le/libevent/test/regress_mbedtls.c:35:
/src/oss/openssl/include/openssl/ssl.h:1799: note: this is the location of the previous definition
1799 | # define SSL_get_peer_certificate SSL_get1_peer_certificate
|
[2/2] Linking C executable bin/regress
But this should be cleaned up.
Since OpenSSL 3.0 there is new OPENSSL_VERSION_MAJOR, but previous
releases does not have it.
So let's use plain old OPENSSL_VERSION_NUMBER to avoid more preprocessor
macros.
* Don't use deprecated functions when building against OpenSSL 3.0.
* Recognise that OpenSSL 3.0 can signal a dirty shutdown as a protocol.
error in addition to the expected IO error produced by OpenSSL 1.1.1
* Update regress_mbedtls.c for compatibility with OpenSSL 3
* mbedtls-3:
sample/ssl-client-mbedtls.c: fix for MbedTLS 3
sample/ssl-client-mbedtls.c: break the loop on EOF
sample/ssl-client-mbedtls.c: fix printing response in readcb
Initial Mbed-TLS 3 support to get the GitHub Actions working again
Support build dir of the MbedTLS
@ploxiln:
On current homebrew, openssl@1.1 is the only openssl:
[pierce@plo-mbp15 libevent]$ brew --prefix openssl
/usr/local/opt/openssl@1.1
[pierce@plo-mbp15 libevent]$ brew info openssl
openssl@1.1: stable 1.1.1g (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
@fanquake
Indeed. OpenSSL 1.0 was removed from homebew in Homebrew/homebrew-core#46876. Related discussion also in Homebrew/homebrew-core#46454.
* fix-brew-autodetection:
ci: fix cmake build w/o OPENSSL_ROOT_DIR
ci: remove separate build for BREW_AUTODETECT_OPENSSL (use it by default)
autotools: fix autodetection of openssl location via brew
mingw has upgraded to Mbed-TLS 3.1.0, so all the mingw tests that need
Mbed-TLS currently don't work.
v2: add missing mbedtls/version.h into test/regress_mbedtls.c
v3: suppress #warning "Including compat-2.x.h is deprecated" for mbedtls/compat-2.x.h
Error
configure.ac:291: warning: AC_CHECK_FUNCS(getnameinfo
): you should use literals
../autoconf-2.71/lib/autoconf/functions.m4:117: AC_CHECK_FUNCS is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
configure.ac:291: the top level
configure.ac:291: warning: AC_CHECK_FUNCS(getprotobynumber
): you should use literals
../autoconf-2.71/lib/autoconf/functions.m4:117: AC_CHECK_FUNCS is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
configure.ac:291: the top level
configure.ac:291: warning: AC_CHECK_FUNCS(getservbyname
): you should use literals
../autoconf-2.71/lib/autoconf/functions.m4:117: AC_CHECK_FUNCS is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
configure.ac:291: the top level
configure.ac:291: warning: AC_CHECK_FUNCS(inet_ntop
): you should use literals
../autoconf-2.71/lib/autoconf/functions.m4:117: AC_CHECK_FUNCS is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
configure.ac:291: the top level
configure.ac:291: warning: AC_CHECK_FUNCS(inet_pton
): you should use literals
../autoconf-2.71/lib/autoconf/functions.m4:117: AC_CHECK_FUNCS is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:692: _AS_IF_ELSE is expanded from...
../autoconf-2.71/lib/m4sugar/m4sh.m4:699: AS_IF is expanded from...
configure.ac:291: the top level
In function evconnlistener_new_bind() after go to "err:", The
evutil_closesocket() would clear the error code( I found this under
Windows ). User can not use EVUTIL_SOCKET_ERROR() to get the
evconnlistener_new_bind()'s failing error.
I add a err_code variable to store and restore the last error code.
v2: rebased by azat to make the patch simpler
* Werror:
test: ignore -Walloc-size-larger-than error for calloc() returns ENOMEM
Fix EVBASE_ACQUIRE_LOCK/EVBASE_RELEASE_LOCK for EVENT__DISABLE_THREAD_SUPPORT
http: suppress "flags may be used uninitialized in this function" error
Detech -Wno-unused-functions for GCC too
cmake: add compiler version to the status message
Fix BEV_LOCK/BEV_UNLOCK macros for EVENT__DISABLE_THREAD_SUPPORT
Run builds with -Werror on CI for linux
Fix -Werror for autotools
Add -Wundef for cmake and fix EVENT__SIZEOF_TIME_T usage
Compiler report:
/home/runner/work/libevent/libevent/test/regress_util.c: In function ‘test_event_calloc’:
/home/runner/work/libevent/libevent/test/regress_util.c:1318:4: error: argument 2 value ‘9223372036854775815’ exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
p = mm_calloc(EV_SIZE_MAX/2, EV_SIZE_MAX/2 + 8);
In file included from /home/runner/work/libevent/libevent/test/../util-internal.h:37:0,
from /home/runner/work/libevent/libevent/test/regress_util.c:30:
/usr/include/stdlib.h:541:14: note: in a call to allocation function ‘calloc’ declared here
extern void *calloc (size_t __nmemb, size_t __size)
v2: clang on CI does not have this option
Some GCC reports [1]:
/home/runner/work/libevent/libevent/http.c: In function ‘evhttp_make_header’:
/home/runner/work/libevent/libevent/http.c:503:14: error: ‘flags’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
ev_uint16_t flags;
^~~~~
/home/runner/work/libevent/libevent/http.c: In function ‘evhttp_get_body’:
/home/runner/work/libevent/libevent/http.c:2354:14: error: ‘flags’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
ev_uint16_t flags;
^~~~~
[1]: https://github.com/libevent/libevent/runs/7263518338?check_suite_focus=true#logs
Otherwise build fails [1]:
/home/runner/work/libevent/libevent/dist/libevent-2.2.0-alpha-dev/minheap-internal.h:64:6: error: ‘min_heap_ctor_’ defined but not used [-Werror=unused-function]
void min_heap_ctor_(min_heap_t* s) { s->p = 0; s->n = 0; s->a = 0; }
^~~~~~~~~~~~~~
In file included from /home/runner/work/libevent/libevent/dist/libevent-2.2.0-alpha-dev/buffer.c:91:0:
/home/runner/work/libevent/libevent/dist/libevent-2.2.0-alpha-dev/bufferevent-internal.h:414:1: error: ‘bufferevent_trigger_nolock_’ defined but not used [-Werror=unused-function]
bufferevent_trigger_nolock_(struct bufferevent *bufev, short iotype, int options)
^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /home/runner/work/libevent/libevent/dist/libevent-2.2.0-alpha-dev/buffer.c:89:0:
/home/runner/work/libevent/libevent/dist/libevent-2.2.0-alpha-dev/evthread-internal.h:140:1: error: ‘EVLOCK_TRY_LOCK_’ defined but not used [-Werror=unused-function]
EVLOCK_TRY_LOCK_(void *lock)
[1]: https://github.com/libevent/libevent/runs/7263518180?check_suite_focus=true
These are updates to help with OpenSSL 3 compilation. I found
https://github.com/libevent/libevent/pull/1288 after I started this, but
these seem independent, and fix a different set of problems:
- First off, OpenSSL 3 does not by default allow signing with SHA1
digests - moving this to SHA256 universally at this point seems a
better idea than continuing to use the insecure SHA1 for older OpenSSL
versions. This fixes X509_sign failing in regress_openssl for a number
of tests, eg:
```
regress: http/https_openssl_basic:
FAIL ../test/regress_openssl.c:106: assert(0 != X509_sign(x509, key, EVP_sha1()))[Lost connection!] http/https_openssl_filter_basic:
FAIL ../test/regress_openssl.c:106: assert(0 != X509_sign(x509, key, EVP_sha1()))[Lost connection!] http/https_openssl_simple:
...
```
- Secondly, when using TLS 1.3, there's no support for renegotiation, so
for the renegotiation tests, we need to disable TLS v1.3, and expect
to negotiate TLS 1.1 or 1.2
Fixes: #661
* upstream/pr/1291:
OpenSSL 3 fixes: Disable TLS 1.3 when testing renegotiation support
OpenSSL 3 fixes: use SHA256 instead of SHA1
Otherwise GCC will warn. i.e:
```bash
CCLD libevent_openssl.la
cc1: note: unrecognized command-line option ‘-Wno-void-pointer-to-enum-cast’
may have been intended to silence earlier diagnostics
CCLD libevent_mbedtls.la
```
TLS 1.3 does not support renegotation - it has been removed from the
protocol. Disable TLS 1.3 when testing this, so we negotiate an older
protocol version
