From 7ccc6de301786c4198817db4a7f967aa1e6b5b48 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Tue, 23 Apr 2024 09:48:37 -0400
Subject: [PATCH] Makefile: only use ASAN for debug+clang

Previously if `$CC` was `clang` the `Makefile` would configure `CFLAGS`
and `LDFLAGS` with address sanitizer (ASAN) enabled.

We only want this to happen for _debug_ builds that are using `clang`,
since it's generally considered bad practice to ship sanitizer builds as
release artifacts.

This commit updates the logic to require `PROFILE=debug`, and then
switches CI to use that profile when running tests. The Valgrind test
continues to use `PROFILE=release` because ASAN and Valgrind will
conflict, raising the error "ASan runtime does not come first in initial
library list;". It may be possible to use both with more
care/configuration, but for now we'll just use valgrind with a release
build.
---
 .github/workflows/libssl.yaml | 6 +++---
 rustls-libssl/Makefile        | 2 ++
 rustls-libssl/simpleserv.sh   | 8 ++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100755 rustls-libssl/simpleserv.sh

diff --git a/.github/workflows/libssl.yaml b/.github/workflows/libssl.yaml
index 18b73b8..cce577a 100644
--- a/.github/workflows/libssl.yaml
+++ b/.github/workflows/libssl.yaml
@@ -39,8 +39,8 @@ jobs:
         with:
           toolchain: ${{ matrix.rust }}
 
-      - run: make PROFILE=release test
-      - run: make PROFILE=release integration
+      - run: make PROFILE=debug test
+      - run: make PROFILE=debug integration
 
   valgrind:
     name: Valgrind
@@ -55,7 +55,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y valgrind
       - name: Install build dependencies
         run: sudo apt-get update && sudo apt-get install -y openssl libssl3 libssl-dev lld
-      - run: VALGRIND="valgrind -q" make test integration
+      - run: VALGRIND="valgrind -q" make PROFILE=release test integration
 
   docs:
     name: Check for documentation errors
diff --git a/rustls-libssl/Makefile b/rustls-libssl/Makefile
index 1092470..d7c5acf 100644
--- a/rustls-libssl/Makefile
+++ b/rustls-libssl/Makefile
@@ -4,10 +4,12 @@ CARGOFLAGS += --locked
 CFLAGS := -Werror -Wall -Wextra -Wpedantic -g $(shell pkg-config --cflags openssl)
 PROFILE := debug
 
+ifeq ($(PROFILE), debug)
 ifeq ($(CC), clang)
 	CFLAGS += -fsanitize=address -fsanitize=undefined
 	LDFLAGS += -fsanitize=address
 endif
+endif
 
 ifeq ($(PROFILE), release)
 	CFLAGS += -O3
diff --git a/rustls-libssl/simpleserv.sh b/rustls-libssl/simpleserv.sh
new file mode 100755
index 0000000..cd6c6c9
--- /dev/null
+++ b/rustls-libssl/simpleserv.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+openssl s_server \
+  -cert test-ca/rsa/end.cert \
+  -cert_chain test-ca/rsa/inter.cert \
+  -key test-ca/rsa/end.key \
+  -alpn "hello,world" \
+  -accept localhost:4443 \
+  -rev