Open laek3 opened 1 year ago
Thanks for the issue! Can you do a rpm -qi <openssl-fips package name>
or describe how openssl fips was installed so we can reproduce this?
Thanks for your answer. This is the output I get with rpm -qi:
Name : openssl
Epoch : 1
Version : 1.0.2k
Release : 24.amzn2.0.6
Architecture: x86_64
Group : System Environment/Libraries
Size : 850012
License : OpenSSL
Source RPM : openssl-1.0.2k-24.amzn2.0.6.src.rpm
Build Host : build.amazon.com
Relocations : (not relocatable)
Packager : Amazon Linux
Vendor : Amazon Linux
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
Hi @laek3,
Could you try running the tests with the following ARGS="--output-on-failure"
argument? This should output which test failed in s2n_x509_validator.c, which may help to debug this issue. Also, enabling the stacktrace might help as well:
CTEST_PARALLEL_LEVEL=$(nproc) S2N_PRINT_STACKTRACE=1 make -C build test -- ARGS="--output-on-failure"
Thanks!
I ran the test with the given command:
CTEST_PARALLEL_LEVEL=$(nproc) S2N_PRINT_STACKTRACE=1 make -C build test -- ARGS="--output-on-failure"
This is the output I got:
Start 238: s2n_x509_validator_test
238/238 Test #238: s2n_x509_validator_test ..........................***Failed 0.03 sec
Stacktrace is:
/root/s2n-tls/build/bin/s2n_x509_validator_test(s2n_calculate_stacktrace+0x52) [0x445e21]
/root/s2n-tls/build/bin/s2n_x509_validator_test() [0x487ed9]
/root/s2n-tls/build/bin/s2n_x509_validator_test() [0x488237]
/root/s2n-tls/build/bin/s2n_x509_validator_test(main+0xb3bc) [0x41525d]
/lib64/libc.so.6(__libc_start_main+0xea) [0x7fe06fae213a]
/root/s2n-tls/build/bin/s2n_x509_validator_test(_start+0x2a) [0x409c1a]
FAILED test 95
(s2n_errno) == (S2N_ERR_CERT_EXPIRED) is not true (/root/s2n-tls/tests/unit/s2n_x509_validator_test.c:449)
Error Message: 'Certificate is untrusted'
Debug String: 'Error encountered in /root/s2n-tls/tls/s2n_x509_validator.c:529'
System Error: Success (0)
Running /root/s2n-tls/tests/unit/s2n_x509_validator_test.c ...
99% tests passed, 1 tests failed out of 238
Label Time Summary:
unit = 313.50 sec*proc (238 tests)
Total Test time (real) = 313.58 sec
The following tests FAILED:
238 - s2n_x509_validator_test (Failed)
Errors while running CTest
make: *** [test] Error 8
The feature probe depends on tcp.h to get kTLS definitions, e.g. TCP_ULP.
Linux/Unix(?) systems include two tcp headers:
$ sudo find / -name "tcp.h"
/usr/include/netinet/tcp.h <- we use this one for our build logic
/usr/include/linux/tcp.h
netinet/tcp.h is provided by glibc, and linux/tcp.h is provided by the kernel.
For most of our ubuntu builds, both of these are recent enough to include the TCP_ULP constant.
For AL2, glibc is too old to include TCP_ULP, so the feature probe fails.
However the feature probe test does the following check
// maycj note: doesn't care about glibc age
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 130))
EXPECT_TRUE(s2n_ktls_is_supported_on_platform());
#endif
The problem is that this is unnecessarily restrictive for AL2, because the kernel might actually support kTLS.
When using kTLS, we should use the linux/tcp.h header. This isn't portable (e.g. BSD platforms don't have a linux/tcp.h header), but that seems correct because our Linux kTLS functionality won't work on those platforms.
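The two points in the comment above (a compile-time probe that fails only because glibc's netinet/tcp.h predates TCP_ULP, and a kernel-version gate that stands in for what the kernel actually supports) can be shown in a short program. This is an added example, not s2n-tls code: it takes TCP_ULP from netinet/tcp.h when present, falls back to the kernel's value 31 otherwise (assumed from linux/tcp.h rather than included, since that header and netinet/tcp.h both define struct tcphdr), and then asks the running kernel whether the "tls" ULP exists instead of consulting LINUX_VERSION_CODE. The errno-to-verdict mapping in ktls_classify is an assumption about the kernel's tls_init() behaviour, and the function names are my own.

```c
/* Added example, not s2n-tls code: a kTLS feature probe that does not rely
 * on glibc's netinet/tcp.h being new enough to define TCP_ULP, plus a
 * runtime check that asks the kernel instead of trusting LINUX_VERSION_CODE. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h> /* glibc's header; on AL2 it does not define TCP_ULP */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallback for old glibc. 31 is the TCP_ULP value from the kernel's
 * linux/tcp.h (assumed here; verify against your kernel headers). It is
 * spelled out rather than obtained via #include <linux/tcp.h> because that
 * header and netinet/tcp.h both define struct tcphdr and do not coexist in
 * one translation unit. */
#ifndef TCP_ULP
#define TCP_ULP 31
#define KTLS_TCP_ULP_FROM_LIBC 0
#else
#define KTLS_TCP_ULP_FROM_LIBC 1
#endif

enum ktls_probe {
    KTLS_PROBE_SUPPORTED,      /* kernel accepts the "tls" ULP */
    KTLS_PROBE_MODULE_MISSING, /* kernel knows TCP_ULP, but no tls ULP available */
    KTLS_PROBE_UNSUPPORTED     /* TCP_ULP is unknown to this kernel/OS */
};

/* 1 if TCP_ULP came from netinet/tcp.h, 0 if the fallback above was used. */
int ktls_tcp_ulp_from_libc(void) { return KTLS_TCP_ULP_FROM_LIBC; }

/* The constant the probe actually passes to setsockopt(). */
int ktls_tcp_ulp_value(void) { return TCP_ULP; }

/* Map the result of setsockopt(TCP_ULP, "tls") on an unconnected socket to
 * a verdict. Assumed kernel behaviour: tls_init() rejects a socket that is
 * not ESTABLISHED with ENOTCONN, so that error still proves the ULP exists;
 * ENOENT means no "tls" ULP could be found or loaded; anything else
 * (ENOPROTOOPT, EINVAL, ...) means TCP_ULP itself is not understood. */
enum ktls_probe ktls_classify(int rc, int err) {
    if (rc == 0 || err == ENOTCONN) return KTLS_PROBE_SUPPORTED;
    if (err == ENOENT) return KTLS_PROBE_MODULE_MISSING;
    return KTLS_PROBE_UNSUPPORTED;
}

/* Runtime probe: open a TCP socket and try to attach the "tls" ULP. */
enum ktls_probe ktls_probe_runtime(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return KTLS_PROBE_UNSUPPORTED;
    int rc = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"));
    int err = (rc == 0) ? 0 : errno;
    close(fd);
    return ktls_classify(rc, err);
}

static const char *ktls_probe_name(enum ktls_probe p) {
    switch (p) {
    case KTLS_PROBE_SUPPORTED:      return "supported";
    case KTLS_PROBE_MODULE_MISSING: return "TCP_ULP known, tls ULP unavailable";
    default:                        return "unsupported";
    }
}

int main(void) {
    printf("TCP_ULP=%d (%s)\n", ktls_tcp_ulp_value(),
           ktls_tcp_ulp_from_libc() ? "from netinet/tcp.h"
                                    : "fallback, glibc header too old");
    printf("runtime kTLS probe: %s\n", ktls_probe_name(ktls_probe_runtime()));
    return 0;
}
```

On an AL2 box with the stock glibc the first line reports the fallback while the second line still reports "supported" if the kernel ships the tls module, which is exactly the case the LINUX_VERSION_CODE gate in the unit test cannot express. The probe needs no root and no established connection; it only inspects the errno the kernel returns.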
I think we've resolved all the issues, although we still need to get AL2 added to our CI testing. The s2n_x509_validator_test was failing due to a bug in that old version of openssl-1.0.2 not present in more recent versions.
Is your build unblocked?
With OpenSSL 1.0.2k-fips 26 Jan 2017 On Amazon Linux 2
Problem:
After building s2n on Amazon Linux with the default openssl 1.0.2, one test is failing.
The build is done following the README guidelines:
The last step
CTEST_PARALLEL_LEVEL=$(nproc) make -C build test
is failing with the following error: