Closed mouse07410 closed 1 year ago
Here's my patch for the scripts, which includes addressing some of the SHellCheck warnings:
diff --git a/scripts/oqsprovider-ca.sh b/scripts/oqsprovider-ca.sh
index 1de9b10..68e6400 100755
--- a/scripts/oqsprovider-ca.sh
+++ b/scripts/oqsprovider-ca.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
exit 1
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- echo "LD_LIBRARY_PATH env var not set. Exiting."
- exit 1
-fi
-
#rm -rf tmp
mkdir -p tmp && cd tmp
rm -rf demoCA && mkdir -p demoCA/newcerts
diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh
index c4d0907..d6c8b06 100755
--- a/scripts/oqsprovider-certgen.sh
+++ b/scripts/oqsprovider-certgen.sh
@@ -17,12 +17,7 @@ if [ -z "$OPENSSL_MODULES" ]; then
exit 1
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- echo "LD_LIBRARY_PATH env var not set. Exiting."
- exit 1
-fi
-
-#rm -rf tmp
+rm -rf tmp/*
mkdir -p tmp
$OPENSSL_APP req -x509 -new -newkey $1 -keyout tmp/$1_CA.key -out tmp/$1_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -provider oqsprovider -provider default && \
$OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key -provider oqsprovider -provider default && \
diff --git a/scripts/oqsprovider-certverify.sh b/scripts/oqsprovider-certverify.sh
index 0d571ce..665181f 100755
--- a/scripts/oqsprovider-certverify.sh
+++ b/scripts/oqsprovider-certverify.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
exit 1
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- echo "LD_LIBRARY_PATH env var not set. Exiting."
- exit 1
-fi
-
# check that CSR can be output OK
$OPENSSL_APP req -text -in tmp/$1_srv.csr -noout -provider oqsprovider -provider default 2>&1 | grep Error
diff --git a/scripts/oqsprovider-cmssign.sh b/scripts/oqsprovider-cmssign.sh
index 2408dd3..f979903 100755
--- a/scripts/oqsprovider-cmssign.sh
+++ b/scripts/oqsprovider-cmssign.sh
@@ -28,11 +28,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
exit 1
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- echo "LD_LIBRARY_PATH env var not set. Exiting."
- exit 1
-fi
-
# Assumes certgen has been run before: Quick check
if [ -f tmp/$1_CA.crt ]; then
diff --git a/scripts/oqsprovider-cmsverify.sh b/scripts/oqsprovider-cmsverify.sh
index 85d2935..c13531b 100755
--- a/scripts/oqsprovider-cmsverify.sh
+++ b/scripts/oqsprovider-cmsverify.sh
@@ -21,11 +21,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
exit 1
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- echo "LD_LIBRARY_PATH env var not set. Exiting."
- exit 1
-fi
-
openssl_version=$($OPENSSL_APP version)
if [[ "$openssl_version" == "OpenSSL 3.0."* ]]; then
diff --git a/scripts/runtests.sh b/scripts/runtests.sh
index f360d0e..570bb58 100755
--- a/scripts/runtests.sh
+++ b/scripts/runtests.sh
@@ -5,17 +5,17 @@ rv=0
provider2openssl() {
echo
echo "Testing oqsprovider->oqs-openssl interop for $1:"
- $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certgen.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmssign.sh $1 sha3-384 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-certverify.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-cmsverify.sh $1
+ "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certgen.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmssign.sh $1 sha3-384 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-certverify.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-cmsverify.sh $1
}
openssl2provider() {
echo
echo "Testing oqs-openssl->oqsprovider interop for $1:"
- $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-certgen.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-cmssign.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certverify.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmsverify.sh $1
+ "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-certgen.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-cmssign.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certverify.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmsverify.sh $1
}
localalgtest() {
- $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certgen.sh $1 >> interop.log 2>&1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certverify.sh $1 >> interop.log 2>&1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmssign.sh $1 >> interop.log 2>&1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-ca.sh $1 >> interop.log 2>&1
+ "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certgen.sh $1 >> interop.log 2>&1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certverify.sh $1 >> interop.log 2>&1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmssign.sh $1 >> interop.log 2>&1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-ca.sh $1 >> interop.log 2>&1
if [ $? -ne 0 ]; then
echo "localalgtest $1 failed. Exiting.".
cat interop.log
@@ -27,7 +27,7 @@ interop() {
echo ".\c"
# check if we want to run this algorithm:
if [ ! -z "$OQS_SKIP_TESTS" ]; then
- GREPTEST=$(echo $OQS_SKIP_TESTS | sed "s/\,/\\\|/g")
+ GREPTEST=$(echo "$OQS_SKIP_TESTS" | sed "s/\,/\\\|/g")
if echo $1 | grep -q "$GREPTEST"; then
echo "Not testing $1" >> interop.log
return
@@ -35,7 +35,7 @@ interop() {
fi
# Check whether algorithm is supported at all:
- $OPENSSL_APP list -signature-algorithms -provider oqsprovider | grep $1 > /dev/null 2>&1
+ "$OPENSSL_APP" list -signature-algorithms -provider oqsprovider | grep $1 > /dev/null 2>&1
if [ $? -ne 1 ]; then
if [ -z "$LOCALTESTONLY" ]; then
provider2openssl $1 >> interop.log 2>&1 && openssl2provider $1 >> interop.log 2>&1
@@ -57,24 +57,24 @@ fi
if [ ! -z "$OPENSSL_INSTALL" ]; then
# trying to set config variables suitably for pre-existing OpenSSL installation
- if [ -f $OPENSSL_INSTALL/bin/openssl ]; then
- export OPENSSL_APP=$OPENSSL_INSTALL/bin/openssl
+ if [ -f "$OPENSSL_INSTALL"/bin/openssl ] && [ -z "$OPENSSL_APP" ]; then
+ export OPENSSL_APP="$OPENSSL_INSTALL"/bin/openssl
fi
- if [ -d $OPENSSL_INSTALL/lib64 ]; then
- export LD_LIBRARY_PATH=$OPENSSL_INSTALL/lib64
+ if [ -d "$OPENSSL_INSTALL"/lib64 ]; then
+ export LD_LIBRARY_PATH="$OPENSSL_INSTALL"/lib64
fi
if [ -f $OPENSSL_INSTALL/ssl/openssl.cnf ]; then
- export OPENSSL_CONF=$OPENSSL_INSTALL/ssl/openssl.cnf
+ export OPENSSL_CONF="$OPENSSL_INSTALL"/ssl/openssl.cnf
fi
else
if [ -z "$OPENSSL_CONF" ]; then
- export OPENSSL_CONF=$(pwd)/scripts/openssl-ca.cnf
+ export OPENSSL_CONF="$(pwd)/scripts/openssl-ca.cnf"
fi
fi
if [ -z "$OPENSSL_APP" ]; then
if [ -f $(pwd)/openssl/apps/openssl ]; then
- export OPENSSL_APP=$(pwd)/openssl/apps/openssl
+ export OPENSSL_APP="$(pwd)/openssl/apps/openssl"
else # if no local openssl src directory is found, rely on PATH...
export OPENSSL_APP=openssl
fi
@@ -84,8 +84,12 @@ if [ -z "$OPENSSL_MODULES" ]; then
export OPENSSL_MODULES=$(pwd)/_build/lib
fi
-if [ -z "$LD_LIBRARY_PATH" ]; then
- export LD_LIBRARY_PATH=$(pwd)/.local/lib64
+if [ "$OSTYPE" == "darwin"* ]; then
+ export LD_LIBRARY_PATH="/opt/local/lib:/usr/local/lib:"
+else
+ if [ -z "$LD_LIBRARY_PATH" ]; then
+ export LD_LIBRARY_PATH=$(pwd)/.local/lib64
+ fi
fi
if [ ! -z "$OQS_SKIP_TESTS" ]; then
@@ -159,7 +163,7 @@ echo
# Run built-in tests:
# Without removing OPENSSL_CONF ctest hangs... ???
unset OPENSSL_CONF
-cd _build && ctest $@ && cd ..
+cd _build && ctest "$@" && cd ..
if [ $? -ne 0 ]; then
rv=1
And here's my script to drive build and test for system-wide binary OpenSSL and local sources of OpenSSL master (dev):
#!/bin/bash
# Cleaning up previous builds
make clean
rm -rf tmp/*
rm -f interop.log interop-3.log
# Set env var - flags
OQSPROV=1
OQSKM=1
OQSKEY=1
unset OPENSSL_INSTALL
# Build for local sources of master branch of OpenSSL-3.2+
if [ -d $HOME/openssl-3 ]; then
LD_LIBRARY_PATH="$HOME/openssl-3/lib:/usr/local/lib:"
OPENSSL_ROOT_DIR="$HOME/openssl-3"
OPENSSL_DIR="$OPENSSL_ROOT_DIR"
OPENSSL_INSTALL="$OPENSSL_DIR"
OPENSSL_APP="$OPENSSL_ROOT_DIR/bin/openssl"
OPENSSL="$OPENSSL_APP"
OPENSSL_CONF="$OPENSSL_ROOT_DIR/etc/openssl.cnf"
OPENSSL_MODULES="$OPENSSL_ROOT_DIR/lib/ossl-modules"
OPENSSL_LIB_DIR="$OPENSSL_ROOT_DIR/lib"
OPENSSL_INCLUDE_DIR="$OPENSSL_ROOT_DIR/include"
echo "Building for source-based OpenSSL-3.2.x-dev..."
env | grep OPENSSL > build-out-s.txt
echo "" >> build-out-s.txt
cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="$HOME/src/openssl" -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib" -DCMAKE_VERBOSE_MAKEFILE:BOOL=True -S . -B _build 2>&1 | tee -a build-out-s.txt
cmake --build _build 2>&1 | tee -a build-out-s.txt
if [ -x _build/lib/oqsprovider.0.5.0-dev.dylib ]; then
echo "Successful build for source-based OpenSSL"
scripts/runtests.sh 2>&1 | tee tests-out-s.txt
else
echo "Apparently, building for source-based OpenSSL-3.2.x-dev failed"
echo ""
fi
else
echo ""
echo "Sources of OpenSSL-3.2.x-dev not found, skipping..."
echo ""
fi
# Build for Macports-installed binaries of OpenSSL-3.+
if [ -d /opt/local/libexec/openssl3 ]; then
LD_LIBRARY_PATH="/opt/local/lib:/usr/local/lib:"
OPENSSL_ROOT_DIR="/opt/local/libexec/openssl3"
OPENSSL_DIR="$OPENSSL_ROOT_DIR"
OPENSSL_INSTALL="$OPENSSL_DIR"
OPENSSL_APP="$OPENSSL_ROOT_DIR/bin/openssl"
OPENSSL="$OPENSSL_APP"
OPENSSL_CONF="$OPENSSL_ROOT_DIR/etc/openssl/openssl.cnf"
OPENSSL_MODULES="$OPENSSL_ROOT_DIR/lib/ossl-modules"
OPENSSL_LIB_DIR="$OPENSSL_ROOT_DIR/lib"
OPENSSL_INCLUDE_DIR="$OPENSSL_ROOT_DIR/include"
env | grep OPENSSL > build-out.txt
echo "" >> build-out.txt
echo "Building for Macports-installed OpenSSL-3..."
cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="/opt/local/libexec/openssl3" -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib" -DCMAKE_VERBOSE_MAKEFILE:BOOL=True -S . -B _build 2>&1 | tee -a build-out.txt
echo "" >> build-out.txt
cmake --build _build 2>&1 | tee -a build-out.txt
if [ -x _build/lib/oqsprovider.0.5.0-dev.dylib ]; then
echo "Successful build for Macports-installed OpenSSL"
scripts/runtests.sh 2>&1 | tee tests-out.txt
else
echo "Apparently, building for Macports-installed OpenSSL-3 failed"
echo ""
fi
else
echo ""
echo "Macports-installed OpenSSL-3 not found, skipping..."
echo ""
fi
exit 0
Here's my patch for the scripts, which includes addressing some of the SHellCheck warnings:
Thanks for those proposals. Would you want to do this as a PR (it's your contribution, really) or do you want me to just copy those changes into #140? If the latter, I'd probably add the second script as an OSX-only script.
do you want me to just copy those changes into https://github.com/open-quantum-safe/oqs-provider/pull/140?
Yes please.
If the latter, I'd probably add the second script as an OSX-only script.
I can probably make it usable on MacOS and Linux. Main (only?) difference would be where the OpenSSL is installed.
It looks like Mac has become like Windows! DLL HELL!
We have been unable to repro this issue on Windows. We suspect this could be a broken/polluted (user) environment issue.
We will continue with our testing and report any findings.
It looks like Mac has become like Windows! DLL HELL!
Thankfully, not even close. But written-for-Linux test scripts have difficulty locating shared libraries located in various not-necessarily-expected places.
We have been unable to repro this issue on Windows.
First, I'm all shocked that different OS may show different behaviors and problems. Second, I'm not sure at all that you replicated this issue exactly as described above.
We suspect this could be a broken/polluted (user) environment issue.
Thanks for this very useful observation. It appears that "broken user environment" in this context means system-wide installation of OpenSSL and of LIBOQS, both of which were not installed by this provider's scripts, and available to this process only as binaries. Compounded by the presence of other providers (e.g., PKCS11) and engines (e.g., GOST). Did you bother to install all of those, system-wide? If not - your "repro" itself is a big suspect.
We will continue with our testing and report any findings.
If you wish. I think we (thanks, @baentsch !) figured out already most everything - except why (some of the) tests fail when system-wide oqs-provider
is available and listed in openssl.cnf
. And the remaining problem with the GOST engine (or provider) - but again, it doesn't look like you'd be helpful there.
@baentsch any idea why tests fail if the main (system-wide) openssl.cnf
points at a working oqsprovider.dylib
?
It's not a show-stopper - just a considerable inconvenience, being forced to edit openssl.cnf
whenever I need to update or re-test OQS provider. Thanks!
The problem seems to be related to multiple calls to something supposed to be called only once, and this time it's not related to GOST provider or engine (engines and GOST are disabled):
Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: Trying to recursively lock an os_once_t
Abort Cause 259
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_platform.dylib 0x19f5d5260 _os_once_gate_recursive_abort + 36
1 libsystem_platform.dylib 0x19f5d1ed8 _os_once_gate_wait + 348
2 libsystem_pthread.dylib 0x19f59fcf8 pthread_once + 100
3 libcrypto.3.dylib 0x101111fcc CRYPTO_THREAD_run_once + 12
4 libcrypto.3.dylib 0x101124408 OBJ_sn2nid + 112
5 libcrypto.3.dylib 0x1011242f4 OBJ_txt2obj + 216
6 libcrypto.3.dylib 0x101124944 OBJ_txt2nid + 20
7 libcrypto.3.dylib 0x101111048 core_obj_create + 36
8 oqsprovider.0.5.0-dev.dylib 0x101403bbc OSSL_provider_init + 280 (oqsprov.c:620)
9 libcrypto.3.dylib 0x10110fddc provider_activate + 260
10 libcrypto.3.dylib 0x10110fc48 ossl_provider_activate + 56
11 libcrypto.3.dylib 0x10110e93c provider_conf_init + 608
12 libcrypto.3.dylib 0x101066c4c CONF_modules_load + 856
13 libcrypto.3.dylib 0x101066ee8 CONF_modules_load_file_ex + 120
14 libcrypto.3.dylib 0x101067738 ossl_config_int + 68
15 libcrypto.3.dylib 0x101106400 ossl_init_config_ossl_ + 16
16 libsystem_pthread.dylib 0x19f59fd60 __pthread_once_handler + 76
17 libsystem_platform.dylib 0x19f5cffa0 _os_once_callout + 32
18 libsystem_pthread.dylib 0x19f59fcf8 pthread_once + 100
19 libcrypto.3.dylib 0x101111fcc CRYPTO_THREAD_run_once + 12
20 libcrypto.3.dylib 0x101106208 OPENSSL_init_crypto + 1104
21 libcrypto.3.dylib 0x101125098 obj_lock_initialise_ossl_ + 20
22 libsystem_pthread.dylib 0x19f59fd60 __pthread_once_handler + 76
23 libsystem_platform.dylib 0x19f5cffa0 _os_once_callout + 32
24 libsystem_pthread.dylib 0x19f59fcf8 pthread_once + 100
25 libcrypto.3.dylib 0x101111fcc CRYPTO_THREAD_run_once + 12
26 libcrypto.3.dylib 0x101124408 OBJ_sn2nid + 112
27 libcrypto.3.dylib 0x1011242f4 OBJ_txt2obj + 216
28 libcrypto.3.dylib 0x101124944 OBJ_txt2nid + 20
29 libcrypto.3.dylib 0x101111048 core_obj_create + 36
30 oqsprovider.0.5.0-dev.dylib 0x100dffbbc OSSL_provider_init + 280 (oqsprov.c:620)
31 libcrypto.3.dylib 0x10110fddc provider_activate + 260
32 libcrypto.3.dylib 0x10110fc48 ossl_provider_activate + 56
33 libcrypto.3.dylib 0x10110e93c provider_conf_init + 608
34 libcrypto.3.dylib 0x101066c4c CONF_modules_load + 856
35 libcrypto.3.dylib 0x101066ee8 CONF_modules_load_file_ex + 120
36 libcrypto.3.dylib 0x1011031a4 OSSL_LIB_CTX_load_config + 20
37 oqs_test_kems 0x100c772e0 main + 84 (oqs_test_kems.c:153)
38 dyld 0x19f24bf28 start + 2236
@levitte do you have an opinion here?
This looks like a different instance of the same problem as fixed by openssl/openssl#20662.
In your callstack above you can see these lines which were the cause of the original problem (i.e. calling OPENSSL_init_crypto from obj_lock_initialise):
20 libcrypto.3.dylib 0x101106208 OPENSSL_init_crypto + 1104 21 libcrypto.3.dylib 0x101125098 obj_lock_initialiseossl + 20
This looks like a different instance of the same problem as fixed by https://github.com/openssl/openssl/pull/20662.
Yes, probably - but (a) where in your opinion the root cause is (aka, what component issues those improper calls, and why), and (b) how do we fix it, and where (in what component)?
Also, it looks like the fix was merged two-three weeks ago into 3.1, so should've been picked by Macports by now? I'm trying to understand why I don't see the behavior change yet on my machines...
Yes, probably - but (a) where in your opinion the root cause is (aka, what component issues those improper calls, and why), and (b) how do we fix it, and where (in what component)?
This is a bug in the OpenSSL library, not in the config or providers.
Also, it looks like the fix was merged two-three weeks ago into 3.1, so should've been picked by Macports by now? I'm trying to understand why I don't see the behavior change yet on my machines...
Because its only in git, not in a stable release yet. When 3.1.1 eventually gets released the fix will be included.
@mattcaswell I seem to have this problem with the OpenSSL-3.2.0-dev built from source/master as well. Which presumably has the fix merged...
Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/Users/ur20980/openssl-3/bin/openssl
OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf
OPENSSL_MODULES=/Users/ur20980/openssl-3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.2.0-dev (Library: OpenSSL 3.2.0-dev )
Providers:
base
name: OpenSSL Base Provider
version: 3.2.0
status: active
build info: 3.2.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
default
name: OpenSSL Default Provider
version: 3.2.0
status: active
build info: 3.2.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
oqs
name: OpenSSL OQS Provider
version: 0.5.0-dev
status: active
build info: OQS Provider v.0.5.0-dev (27d33d2) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
oqsprovider
name: OpenSSL OQS Provider
version: 0.5.0-dev
status: active
build info: OQS Provider v.0.5.0-dev (fbd2538) based on liboqs v.0.8.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
pkcs11
name: PKCS#11 Provider
version: 3.2.0
status: active
build info: 3.2.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
.localalgtest dilithium2 failed. Exiting..
-----
-----
Warning: CSR self-signature does not match the contentsCertificate request self-signature did not match the contents
40E38760F87F0000:error:4000000D:pkcs11:oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40E38760F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
40E38760F87F0000:error:4000000D:pkcs11:oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40E38760F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
$
Again, with the current (as of today) OpenSSL master, tests still fail if openssl.cnf
already has oqs-provider defined.
Why shouldn't I be able to build a provider in debug mode without OpenSSL source available?
FYI, this oqsprovider
limitation is gone as of today (resolving https://github.com/open-quantum-safe/oqs-provider/issues/137)
Again, with the current (as of today) OpenSSL master, tests still fail if openssl.cnf already has oqs-provider defined.
Does it also happen if pkcs11
provider is not active? Just wondering whether that may deliver an "unexpected" algorithm implementation to oqsprovider
...
Does it also happen if pkcs11 provider is not active? Just wondering whether that may deliver an "unexpected" algorithm implementation to oqsprovider...
Yes, same thing, same behavior.
Yes, same thing, same behavior.
So all you need is (one) oqsprovider and default provider active and the error above happens? Just asking as the listing above shows two active oqsprovider
instances...
If you can still reproduce, would you mind building oqsprovider
as "Debug" (in "main" branch should now be possible without OpenSSL dependency) and set env vars OQSSIG=1 and OQSKM=1 when running the test again and sharing the log output?
the listing above shows two active
oqsprovider
instances...
Exactly! One is what's been already installed and configured in openssl.cnf
, and the other one is the provider being just built and tested. I believe the "pre-existing one" is listed as oqs
, and the one just-built (not installed yet) that's presumably being tested is listed as oqsprovider
.
If you can still reproduce,
Alas, I can, easily. :-) :-(
would you mind building oqsprovider as "Debug" (in "main" branch should now be possible without OpenSSL dependency) and set env vars OQSSIG=1 and OQSKM=1 when running the test again and sharing the log output?
All that is already done.
Here's the screen for OpenSSL-3.2.0-dev (failing):
. . .
Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/Users/ur20980/openssl-3/bin/openssl
OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf
OPENSSL_MODULES=/Users/ur20980/openssl-3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.2.0-dev (Library: OpenSSL 3.2.0-dev )
Providers:
base
name: OpenSSL Base Provider
version: 3.2.0
status: active
build info: 3.2.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
default
name: OpenSSL Default Provider
version: 3.2.0
status: active
build info: 3.2.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
oqs
name: OpenSSL OQS Provider
version: 0.5.0-dev
status: active
build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
oqsprovider
name: OpenSSL OQS Provider
version: 0.5.0-dev
status: active
build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
.localalgtest dilithium2 failed. Exiting..
-----
-----
Warning: CSR self-signature does not match the contentsCertificate request self-signature did not match the contents
4083FE52F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
4083FE52F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
4083FE52F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
4083FE52F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
and for OpenSSL-3.1.0, installed system-wide. OQS provider is present in openssl.cnf
, but (a) tests are succeeding, and (b) this already-installed provider is not listed below! Only the oqs-provider that's being tested is shown:
Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/libexec/openssl3/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
base
name: OpenSSL Base Provider
version: 3.1.0
status: active
build info: 3.1.0
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
default
name: OpenSSL Default Provider
version: 3.1.0
status: active
build info: 3.1.0
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
legacy
name: OpenSSL Legacy Provider
version: 3.1.0
status: active
build info: 3.1.0
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
oqsprovider
name: OpenSSL OQS Provider
version: 0.5.0-dev
status: active
build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
pkcs11
name: PKCS#11 Provider
version: 3.1.0
status: active
build info: 3.1.0
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/ur20980/src/oqs-provider/_build
Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ................... Passed 4.50 sec
Start 2: oqs_kems
2/5 Test #2: oqs_kems ......................... Passed 0.24 sec
Start 3: oqs_groups
3/5 Test #3: oqs_groups ....................... Passed 0.39 sec
Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig ....................... Passed 0.01 sec
Start 5: oqs_endecode
5/5 Test #5: oqs_endecode ..................... Passed 7.03 sec
100% tests passed, 0 tests failed out of 5
Total Test time (real) = 12.18 sec
All oqsprovider tests passed.
and files: screenlog.txt
Finally finding time to work on oqsprovider again... :-/ So, thanks, @mouse07410 for the report above. I could reproduce and track in #160. If you agree this is the same (remaining) issue in this issue thread (?), let's close this and continue in #160.
Sure, whatever's the easiest way for you to track it.
Updated
To make some details clear, as previous overly-generic description invited useless overly-generic observations, like "could not replicate on Windows".
Describe the bug
ctest
crashes withSIGTRAP
.To Reproduce Steps to reproduce the behavior:
/opt/local/libexec/openssl3
. For this test I used OpenSSL-3.1.0, and used Macports to get the binary installed.liboqs
system-wide. I usedliboqs
master, and installed it inopt/local
:/opt/local/lib
for the shared library,/opt/local/include
for the header files.openssl.cnf
as appropriate).export OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
,export OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
pkcs11-provider
and GOST engine system-wide, and adjustopenssl.cnf
to point at them.oqs-provider
and make it available system-wide by adding it toopenssl.cnf
._build
and doctest --output-on-failure
Expected behavior Tests passing.
Screenshots
Crash report
Environment (please complete the following information):
Additional context This is on MacBook Pro - Apple Silicon M2 chip. Similar problem on Intel-based iMac (used same process as above).
Note: commenting out, e.g., GOST provider in
openssl.cnf
did not help.