aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

Build on Amazon Linux with openssl 1.0.2 #3949

Open laek3 opened 1 year ago

laek3 commented 1 year ago

Problem:

After building s2n on Amazon Linux with the default openssl 1.0.2, one test is failing.

The build is done following the README guidelines:

git clone https://github.com/${YOUR_GITHUB_ACCOUNT_NAME}/s2n-tls.git
cd s2n-tls
cmake3 . -Bbuild -DCMAKE_EXE_LINKER_FLAGS="-lcrypto -lz" -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
cmake3 --build ./build -j $(nproc)
CTEST_PARALLEL_LEVEL=$(nproc) make -C build test

The last step CTEST_PARALLEL_LEVEL=$(nproc) make -C build test is failing with the following error:

99% tests passed, 1 tests failed out of 238

Label Time Summary:
unit    = 244.04 sec*proc (238 tests)

Total Test time (real) =  60.37 sec

The following tests FAILED:
        238 - s2n_x509_validator_test (Failed)
Errors while running CTest
make: *** [test] Error 8

With OpenSSL 1.0.2k-fips 26 Jan 2017 on Amazon Linux 2.

dougch commented 1 year ago

Thanks for the issue! Can you do an rpm -qi <openssl-fips package name> or describe how openssl fips was installed so we can reproduce this?

laek3 commented 1 year ago

Thanks for your answer. This is the output I get with rpm -qi:

Name        : openssl
Epoch       : 1
Version     : 1.0.2k
Release     : 24.amzn2.0.6
Architecture: x86_64
Group       : System Environment/Libraries
Size        : 850012
License     : OpenSSL
Source RPM  : openssl-1.0.2k-24.amzn2.0.6.src.rpm
Build Host  : build.amazon.com
Relocations : (not relocatable)
Packager    : Amazon Linux
Vendor      : Amazon Linux
URL         : http://www.openssl.org/
Summary     : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

goatgoose commented 1 year ago

Hi @laek3,

Could you try running the tests with the following ARGS="--output-on-failure" argument? This should output which test failed in s2n_x509_validator.c, which may help to debug this issue. Also, enabling the stacktrace might help as well:

CTEST_PARALLEL_LEVEL=$(nproc) S2N_PRINT_STACKTRACE=1 make -C build test -- ARGS="--output-on-failure"

Thanks!

laek3 commented 1 year ago

I ran the test with the given command: CTEST_PARALLEL_LEVEL=$(nproc) S2N_PRINT_STACKTRACE=1 make -C build test -- ARGS="--output-on-failure"

This is the output I got:

 Start 238: s2n_x509_validator_test
238/238 Test #238: s2n_x509_validator_test ..........................***Failed    0.03 sec

Stacktrace is:
/root/s2n-tls/build/bin/s2n_x509_validator_test(s2n_calculate_stacktrace+0x52) [0x445e21]
/root/s2n-tls/build/bin/s2n_x509_validator_test() [0x487ed9]
/root/s2n-tls/build/bin/s2n_x509_validator_test() [0x488237]
/root/s2n-tls/build/bin/s2n_x509_validator_test(main+0xb3bc) [0x41525d]
/lib64/libc.so.6(__libc_start_main+0xea) [0x7fe06fae213a]
/root/s2n-tls/build/bin/s2n_x509_validator_test(_start+0x2a) [0x409c1a]
FAILED test 95
(s2n_errno) == (S2N_ERR_CERT_EXPIRED) is not true  (/root/s2n-tls/tests/unit/s2n_x509_validator_test.c:449)
Error Message: 'Certificate is untrusted'
 Debug String: 'Error encountered in /root/s2n-tls/tls/s2n_x509_validator.c:529'
 System Error: Success (0)
Running /root/s2n-tls/tests/unit/s2n_x509_validator_test.c ...

99% tests passed, 1 tests failed out of 238

Label Time Summary:
unit    = 313.50 sec*proc (238 tests)

Total Test time (real) = 313.58 sec

The following tests FAILED:
        238 - s2n_x509_validator_test (Failed)
Errors while running CTest
make: *** [test] Error 8

jmayclin commented 1 year ago

kTLS feature probe failure

The feature probe depends on tcp.h to get kTLS definitions, e.g. TCP_ULP.

Linux/Unix? systems include two tcp headers:

$ sudo find / -name "tcp.h"
/usr/include/netinet/tcp.h <- we use this one for our build logic
/usr/include/linux/tcp

/netinet/tcp.h is provided by glibc, and linux/tcp.h is provided by the kernel. For most of our ubuntu builds, both of these are recent enough to include the TCP_ULP constant.

For AL2, glibc is too old to include TCP_ULP, so the feature probe fails.

However the feature probe test does the following check

    // maycj note: doesn't care about glibc age
    #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 130))
        EXPECT_TRUE(s2n_ktls_is_supported_on_platform());
    #endif

Possible Solutions

alter the feature probe test to "if kernel recent AND glibc recent"

Problem is that this is unnecessarily restrictive for AL2, because the kernel might actually support kTLS.

change build logic to include linux/tcp.h instead of netinet/tcp.h

When using kTLS, we should use the linux/tcp.h header. This isn't portable (e.g. BSD platforms don't have a linux/tcp.h header), but that seems correct because our Linux kTLS functionality won't work on those platforms.
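
As an added illustration of the header mismatch described in this comment (not s2n-tls's own CMake probe), the POSIX shell script below emulates the kTLS feature probe against constructed stand-ins for the glibc and kernel headers. The real probe is a compile test against netinet/tcp.h; this version inspects the header text so it runs without a compiler, and the fixture contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not s2n-tls's own build logic: emulate the kTLS feature probe.
# The real probe is a compile test against <netinet/tcp.h>; here the check
# inspects the header text so it runs without a compiler.

# Return 0 if the header at $1 defines TCP_ULP, 1 otherwise.
header_defines_tcp_ulp() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+TCP_ULP([[:space:]]|$)' "$1"
}

# Current behaviour: only the glibc header (netinet/tcp.h) is consulted.
# Prints "supported" or "unsupported".
probe_glibc_header() {
    if header_defines_tcp_ulp "$1"; then echo supported; else echo unsupported; fi
}

# Proposed behaviour: on Linux prefer the kernel uapi header (linux/tcp.h) and
# fall back to the glibc header elsewhere (BSDs have no linux/tcp.h).
# $1 = uname -s output, $2 = glibc header path, $3 = kernel header path
probe_platform() {
    if [ "$1" = Linux ] && [ -r "$3" ]; then
        header="$3"
    else
        header="$2"
    fi
    if header_defines_tcp_ulp "$header"; then echo supported; else echo unsupported; fi
}

# Constructed fixtures standing in for an AL2-era glibc header (no kTLS
# constants) and a recent kernel header that carries TCP_ULP. Prints the
# directory that holds them; the caller removes it.
make_fixtures() {
    dir=$(mktemp -d)
    printf '/* constructed: old glibc netinet/tcp.h */\n#define TCP_NODELAY 1\n#define TCP_MAXSEG 2\n' > "$dir/netinet_tcp.h"
    printf '/* constructed: recent kernel linux/tcp.h */\n#define TCP_NODELAY 1\n#define TCP_ULP 31\n' > "$dir/linux_tcp.h"
    echo "$dir"
}

# Demo: the glibc-only probe reports no kTLS on AL2 even though the kernel
# header (and the kernel) support it; consulting linux/tcp.h on Linux fixes that.
fixtures=$(make_fixtures)
echo "glibc header only : $(probe_glibc_header "$fixtures/netinet_tcp.h")"                                 # unsupported
echo "Linux, kernel hdr : $(probe_platform Linux "$fixtures/netinet_tcp.h" "$fixtures/linux_tcp.h")"       # supported
echo "BSD, no linux hdr : $(probe_platform FreeBSD "$fixtures/netinet_tcp.h" /nonexistent)"                # unsupported
rm -rf "$fixtures"
```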

lrstewart commented 1 year ago

I think we've resolved all the issues, although we still need to get AL2 added to our CI testing. The s2n_x509_validator_test was failing due to a bug in that old version of openssl-1.0.2 that is not present in more recent versions.

Is your build unblocked?