From 997ad155fed9d4dbfec504b611b7cf57dd889a11 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Sat, 22 Apr 2023 19:47:19 +0200
Subject: [PATCH] BUG/MINOR: tools: check libssl and libcrypto separately

The lib compatibility checks introduced in 2.8-dev6 with commit c3b297d5a ("MEDIUM: tools: further relax dlopen() checks too consider grouped symbols") were partially incorrect in that they check at the same time libcrypto and libssl. But if loading a library that only depends on libcrypto, the ssl-only symbols will be missing and this might present an inconsistency. This is what is observed on FreeBSD 13.1 when libcrypto is being loaded, where it sees two symbols having disappeared. The fix consists in splitting the checks for libcrypto and libssl. No backport is needed, unless the patch above finally gets backported.
---
 src/tools.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/src/tools.c b/src/tools.c
index b773064de..f2b0296de 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -6093,17 +6093,20 @@ void *dlopen(const char *filename, int flags)
 uint64_t bit, grp;
 void *curr, *next;
 } check_syms[] = {
- /* openssl checks: group bits 0x7ff */
- { .name="OPENSSL_init", .bit = 0x0000000000000001, .grp = 0x00000000000003ff, }, // openssl 1.0 / 1.1 / 3.0
- { .name="OPENSSL_init_crypto", .bit = 0x0000000000000002, .grp = 0x00000000000003ff, }, // openssl 1.1 / 3.0 (libcrypto)
- { .name="OPENSSL_init_ssl", .bit = 0x0000000000000004, .grp = 0x00000000000003ff, }, // openssl 1.1 / 3.0 (libssl)
- { .name="SSL_library_init", .bit = 0x0000000000000008, .grp = 0x00000000000003ff, }, // openssl 1.x
- { .name="ENGINE_init", .bit = 0x0000000000000010, .grp = 0x00000000000003ff, }, // openssl 1.x / 3.x with engine
- { .name="EVP_CIPHER_CTX_init", .bit = 0x0000000000000020, .grp = 0x00000000000003ff, }, // openssl 1.0
- { .name="HMAC_Init", .bit = 0x0000000000000040, .grp = 0x00000000000003ff, }, // openssl 1.x
- { .name="SSL_is_quic", .bit = 0x0000000000000080, .grp = 0x00000000000003ff, }, // quictls
- { .name="SSL_CTX_new_ex", .bit = 0x0000000000000100, .grp = 0x00000000000003ff, }, // openssl 3.x
- { .name="SSL_CTX_get0_security_ex_data", .bit = 0x0000000000000200, .grp = 0x00000000000003ff, }, // openssl 1.x / 3.x
+ /* openssl's libcrypto checks: group bits 0x1f */
+ { .name="OPENSSL_init", .bit = 0x0000000000000001, .grp = 0x000000000000001f, }, // openssl 1.0 / 1.1 / 3.0
+ { .name="OPENSSL_init_crypto", .bit = 0x0000000000000002, .grp = 0x000000000000001f, }, // openssl 1.1 / 3.0
+ { .name="ENGINE_init", .bit = 0x0000000000000004, .grp = 0x000000000000001f, }, // openssl 1.x / 3.x with engine
+ { .name="EVP_CIPHER_CTX_init", .bit = 0x0000000000000008, .grp = 0x000000000000001f, }, // openssl 1.0
+ { .name="HMAC_Init", .bit = 0x0000000000000010, .grp = 0x000000000000001f, }, // openssl 1.x
+
+ /* openssl's libssl checks: group bits 0x3e0 */
+ { .name="OPENSSL_init_ssl", .bit = 0x0000000000000020, .grp = 0x00000000000003e0, }, // openssl 1.1 / 3.0
+ { .name="SSL_library_init", .bit = 0x0000000000000040, .grp = 0x00000000000003e0, }, // openssl 1.x
+ { .name="SSL_is_quic", .bit = 0x0000000000000080, .grp = 0x00000000000003e0, }, // quictls
+ { .name="SSL_CTX_new_ex", .bit = 0x0000000000000100, .grp = 0x00000000000003e0, }, // openssl 3.x
+ { .name="SSL_CTX_get0_security_ex_data", .bit = 0x0000000000000200, .grp = 0x00000000000003e0, }, // openssl 1.x / 3.x
+
 /* insert only above, 0 must be the last one */
 { 0 },
 };
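Review bot: The `.grp` masks in `check_syms[]` are hand-computed literals that must equal the OR of the `.bit` values of their own group (0x1f for the five libcrypto entries, 0x3e0 for the five libssl ones) and must not overlap another group, yet nothing in the table states or enforces that rule. The values in this hunk are consistent, but a later insertion that renumbers bits without updating every `.grp` would silently merge or weaken a group, and this table is presumably what lets the dlopen() wrapper notice a loaded library bringing in a different OpenSSL than the one already resolved. I would add a comment above the first group such as `/* .grp must be the OR of all .bit values of the same library and must not overlap another group */`, and a short remark on the libssl group that it is kept apart because a library depending only on libcrypto legitimately lacks these symbols. The struct definition and the loop that consumes `bit`/`grp` lie outside this hunk, so the exact comparison cannot be confirmed from here.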