microsoft / CCF

Confidential Consortium Framework
https://microsoft.github.io/CCF/
Apache License 2.0

Solve OpenSSL on Azure Linux #6588

Open maxtropets opened 2 weeks ago

maxtropets commented 2 weeks ago

CCF shall use OpenSSL of (major) version 3. It is to be determined in this ticket which exact version is supported by Azure Linux.

Ticket for reference: #5291

Subtasks to track the progress

achamayou commented 2 weeks ago

@maxtropets current is 3.3.2, so that one :)

maxtropets commented 2 weeks ago

Currently removed the SECP256K1 curve from crypto_test, fails on EVP_PKEY_CTX_set_ec_paramgen_curve_nid with err = 0.

Checked OpenSSL source, same NID for 3.1 and 3.3 impl, NID matches.

#define NID_secp256k1           714

Needs investigation.

maxtropets commented 2 weeks ago

Tried all other unit tests (crypto test patched with #6591)

 ./tests.sh -VV -L unit
...
The following tests FAILED:
     11 - crypto_test (Failed)
     13 - key_exchange_test (SEGFAULT)
     18 - endorsements_test (Failed)
     19 - historical_queries_test (SEGFAULT)
     21 - snapshotter_test (SEGFAULT)
     27 - channels_test (SEGFAULT)
     28 - http_test (Failed)
     37 - csr_test (Failed)

achamayou commented 2 weeks ago

256k1 is not a NIST standard, which is likely why SymCrypt rejects it - it would be good to confirm and document though

maxtropets commented 2 weeks ago

What backend is used in Azure Linux? SymCrypt? Prove by tracking the lib we link against

Figured out it's not explicitly linked, but rather being loaded during runtime

openat(AT_FDCWD, "/usr/lib/libsymcrypt.so.103", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=778048, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 557528, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2af8423000
mmap(0x7f2af842f000, 380928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f2af842f000
mmap(0x7f2af848c000, 118784, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x69000) = 0x7f2af848c000
mmap(0x7f2af84a9000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x86000) = 0x7f2af84a9000

Confirmed dependency chain ccf -> libcrypto -> libsymcrypt (monolithic lib):

root [ /workspace/build ]# ldd /usr/lib/libsymcrypt.so.103
    statically linked
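
The comparison made in the comment above (what the process opens at run time versus what it links against), as an added example that is not part of the thread or of CCF. The strace and ldd text is constructed sample input, and the function names and the `libexample_provider.so` path are hypothetical.

```python
import re

# Constructed sample input (not captured from the issue): strace lines for a
# test binary, and the link-time dependency list ldd printed for the same binary.
STRACE = '''\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libexample_provider.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/usr/lib/libsymcrypt.so.103", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
'''
LDD = '''\
    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2af8600000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f2af8200000)
'''

# search() rather than match() so "[pid N]" prefixes from strace -f are tolerated.
OPENAT = re.compile(r'open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)')
SHARED_OBJ = re.compile(r'\.so(\.\d+)*$')

def opened_libraries(strace_text):
    """Shared objects that were opened successfully (fd >= 0), in first-seen order."""
    libs = []
    for line in strace_text.splitlines():
        m = OPENAT.search(line)
        if m and int(m.group(2)) >= 0 and SHARED_OBJ.search(m.group(1)):
            if m.group(1) not in libs:
                libs.append(m.group(1))
    return libs

def linked_libraries(ldd_text):
    """Resolved paths from ldd output ('name => /path (addr)' lines)."""
    return {m.group(1) for m in re.finditer(r'=>\s+(/\S+)', ldd_text)}

def runtime_only(strace_text, ldd_text):
    """Libraries the process opened that are absent from its link-time list.
    Paths are compared as strings, so symlinked paths can show up as extras."""
    linked = linked_libraries(ldd_text)
    return [p for p in opened_libraries(strace_text) if p not in linked]

if __name__ == "__main__":
    for path in runtime_only(STRACE, LDD):
        print("loaded at run time, not in ldd output:", path)
```
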

maxtropets commented 2 weeks ago

Tried all other unit tests (crypto test patched with #6591)

 ./tests.sh -VV -L unit
...
The following tests FAILED:
   11 - crypto_test (Failed)
   13 - key_exchange_test (SEGFAULT)
   18 - endorsements_test (Failed)
   19 - historical_queries_test (SEGFAULT)
   21 - snapshotter_test (SEGFAULT)
   27 - channels_test (SEGFAULT)
   28 - http_test (Failed)
   37 - csr_test (Failed)

Split into smaller sub-issues except http_test, doesn't look openssl related, looking into it

UPD: Fixed in #6598

maxtropets commented 2 weeks ago

Got to the bottom of UVM endorsements test failure, filed a ticket (#6600)

So far, all the known issues are filed in sub-issues or solved.

Next steps