php / php-src

The PHP Interpreter
https://www.php.net

Test failures on Alpinelinux using OpenSSL 3.2+ #14036

Open andypost opened 4 months ago

andypost commented 4 months ago

Description

The follow-up to https://github.com/php/php-src/issues/13806#issuecomment-2066573669

Lots of openssl tests are failing and disabled historically: https://github.com/alpinelinux/aports/blob/300996aa8dd41d6a958bd2ec512ab64dead76f48/community/php83/disabled-tests.list#L31-L74

The list is

# THIS SHOULD BE REALLY FIXED!
ext/openssl/tests/bug46127.phpt
ext/openssl/tests/bug48182.phpt
ext/openssl/tests/bug54992.phpt
ext/openssl/tests/bug65538_001.phpt
ext/openssl/tests/bug65538_003.phpt
ext/openssl/tests/bug65729.phpt
ext/openssl/tests/bug68265.phpt
ext/openssl/tests/bug68879.phpt
ext/openssl/tests/bug68920.phpt
ext/openssl/tests/bug69215.phpt
ext/openssl/tests/bug72333.phpt
ext/openssl/tests/bug73072.phpt
ext/openssl/tests/bug74159.phpt
ext/openssl/tests/bug76705.phpt
ext/openssl/tests/bug77390.phpt
ext/openssl/tests/capture_peer_cert_001.phpt
ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
ext/openssl/tests/peer_verification.phpt
ext/openssl/tests/san_peer_matching.phpt
ext/openssl/tests/session_meta_capture.phpt
ext/openssl/tests/session_meta_capture_tlsv13.phpt
ext/openssl/tests/sni_server.phpt
ext/openssl/tests/sni_server_key_cert.phpt
ext/openssl/tests/stream_crypto_flags_001.phpt
ext/openssl/tests/stream_crypto_flags_002.phpt
ext/openssl/tests/stream_crypto_flags_003.phpt
ext/openssl/tests/stream_crypto_flags_004.phpt
ext/openssl/tests/stream_security_level.phpt
ext/openssl/tests/stream_verify_peer_name_001.phpt
ext/openssl/tests/stream_verify_peer_name_002.phpt
ext/openssl/tests/stream_verify_peer_name_003.phpt
ext/openssl/tests/streams_crypto_method.phpt
ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
ext/openssl/tests/tls_wrapper.phpt
ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
ext/openssl/tests/tlsv1.0_wrapper.phpt
ext/openssl/tests/tlsv1.1_wrapper.phpt
ext/openssl/tests/tlsv1.2_wrapper.phpt
ext/openssl/tests/tlsv1.3_wrapper.phpt

# Needs to open tls socket
ext/openssl/tests/bug62890.phpt

# fails since 8.2_RC1
ext/openssl/tests/gh9310.phpt

# openssl 1 and unstable
ext/openssl/tests/openssl_error_string_basic.phpt

# openssl 3.2.1
ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
ext/openssl/tests/openssl_private_decrypt_basic.phpt
ext/openssl/tests/openssl_x509_parse_basic.phpt

PHP Version

PHP 8.2.18

Operating System

Alpinelinux

andypost commented 4 months ago

@bukka You can use the following image/docker, but it's supposed to work with aports to build

So workflow is

but before checking you need to remove/comment tests in disabled-tests.list and run abuild checksum to prevent removal of tests

andypost commented 4 months ago

Meantime testing of 8.2.19RC1 shows 2 more failed tests with openssl 3.3

andypost commented 4 months ago

Disabled for OpenSSL 3.3.0 ext/openssl/tests/bug74341.phpt

TEST 9026/16464 [ext/openssl/tests/bug74341.phpt]
========DIFF========
+ Warning: Trying to access array offset on value of type bool in /builds/.../php-8.2.19RC1/ext/openssl/tests/bug74341.php on line 42
+ NULL
- int(1389052800)
- int(1459494000)
+ 
+ Warning: Trying to access array offset on value of type bool in /builds/.../php-8.2.19RC1/ext/openssl/tests/bug74341.php on line 43
+ NULL
========DONE========

andypost commented 4 months ago

Building 8.2.19 and disabled ext/openssl/tests/gh10495.php

TEST 9043/16463 [ext/openssl/tests/gh10495.phpt]
========DIFF========
+ Warning: stream_socket_client(): Unable to connect to tlsv1.2://127.0.0.1:10012 (Connection refused) in /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/ServerClientTestCase.inc(159) : eval()'d code on line 7
+ 
+ Fatal error: Uncaught TypeError: feof(): Argument #1 ($stream) must be of type resource, bool given in /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/ServerClientTestCase.inc(159) : eval()'d code:12
- bool(false)
- bool(true)
- string(6) "warmup"
+ Stack trace:
+ #0 /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/ServerClientTestCase.inc(159) : eval()'d code(12): feof(false)
+ #1 /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/ServerClientTestCase.inc(159): eval()
+ #2 /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/gh10495.php(95): ServerClientTestCase->run('    $context = ...', Array)
+ #3 {main}
+   thrown in /builds/alpine/aports/community/php82/src/php-8.2.19/ext/openssl/tests/ServerClientTestCase.inc(159) : eval()'d code on line 12
========DONE========

bukka commented 3 months ago

I just noticed that bug74341 ( https://github.com/php/php-src/issues/14036#issuecomment-2075950245 ) is actually not Alpine specific but failing for me as well. I did some debugging and it's failing on ASN.1 parsing of the cert. My suspicion is that it's due to those changes in OpenSSL 3.3:

The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.

I will need to investigate more what those changes are about and how we can best fix the test.
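
The minimum-length rule quoted in the comment above, as an added example (not code from php-src or OpenSSL, and not OpenSSL's own check): a small Python DER walker that lists every UTCTime and GeneralizedTime in a blob and flags values that are shorter than, or do not match, the DER forms in X.690 11.7 and 11.8. The sample bytes are constructed for illustration, and single-byte tags are assumed.

```python
import re

# DER encodings required by X.690: 11.8 for UTCTime, 11.7 for GeneralizedTime.
RULES = {
    0x17: ("UTCTime", 13, re.compile(rb"\d{12}Z")),                   # YYMMDDhhmmssZ
    0x18: ("GeneralizedTime", 15, re.compile(rb"\d{14}(\.\d*[1-9])?Z")),
}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off.
    Assumption: single-byte tags only (enough for X.509 structures)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def time_values(buf, start=0, end=None):
    """Yield (tag, value) for every time element, descending into constructed ones."""
    off, end = start, len(buf) if end is None else end
    while off < end:
        tag, vs, ve = read_tlv(buf, off)
        if tag in RULES:
            yield tag, bytes(buf[vs:ve])
        elif tag & 0x20:                    # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from time_values(buf, vs, ve)
        off = ve

def audit(der):
    """Return [(type, value, problem-or-None)] for each time found in der."""
    out = []
    for tag, val in time_values(der):
        name, min_len, form = RULES[tag]
        if len(val) < min_len:
            problem = f"{len(val)} bytes, below the minimum of {min_len}"
        elif not form.fullmatch(val):
            problem = "not in DER form"
        else:
            problem = None
        out.append((name, val.decode("ascii", "replace"), problem))
    return out

# Constructed sample: a Validity SEQUENCE whose notBefore omits the seconds.
SAMPLE = bytes.fromhex("301c") + b"\x17\x0b1401070000Z" + b"\x17\x0d160401070000Z"

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Running it over the DER bytes of a certificate inventory before an OpenSSL upgrade shows which certificates carry time fields that a stricter parser may refuse.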

bukka commented 3 months ago

So it was really caused by that OpenSSL change. The actual PHP bug PR that fixed might not be really correct so I created a PR to more or less revert it. There is actually already a bug for that change: https://github.com/php/php-src/issues/13343

bukka commented 3 months ago

That test was just disabled on lower branches and fix of the logic merged to master.