embhorn
commented
2 years ago Hi @ryandesign
Is this a persistent failure? Could you please share the wolfSSL configuration used to reproduce this?
Closed ryandesign closed 2 years ago
embhorn
commented
2 years ago Hi @ryandesign
Is this a persistent failure? Could you please share the wolfSSL configuration used to reproduce this?
ryandesign
commented
2 years ago It happened all three times I tried the tests (once with 5.0.0, twice with 5.1.1), so yes, so far it is persistent.
./configure was run with --prefix=/opt/local --enable-distro --disable-jobserver --disable-silent-rules. The environment variables that were set were:
CC='ccache /usr/bin/clang'
CC_PRINT_OPTIONS='YES'
CC_PRINT_OPTIONS_FILE='/opt/local/var/macports/build/_Users_rschmidt_macports_macports-ports-ryandesign-fork_devel_wolfssl/wolfssl/work/.CC_PRINT_OPTIONS'
CFLAGS='-pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64'
CPATH='/opt/local/include'
CPPFLAGS='-I/opt/local/include -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk'
CXX='ccache /usr/bin/clang++'
CXXFLAGS='-pipe -Os -stdlib=libc++ -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64'
DEVELOPER_DIR='/Library/Developer/CommandLineTools'
F90FLAGS='-pipe -Os -m64'
FCFLAGS='-pipe -Os -m64'
FFLAGS='-pipe -Os -m64'
INSTALL='/usr/bin/install -c'
LDFLAGS='-L/opt/local/lib -Wl,-headerpad_max_install_names -Wl,-syslibroot,/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64'
LIBRARY_PATH='/opt/local/lib'
MACOSX_DEPLOYMENT_TARGET='10.15'
OBJC='ccache /usr/bin/clang'
OBJCFLAGS='-pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64'
OBJCXX='ccache /usr/bin/clang++'
OBJCXXFLAGS='-pipe -Os -stdlib=libc++ -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64'
SDKROOT='/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk'The summary output from the configure script was:
Configuration summary for wolfssl version 5.1.1
* Installation prefix: /opt/local
* System type: apple-darwin19.6.0
* Host CPU: x86_64
* C Compiler: ccache /usr/bin/clang
* C Flags: -pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64 -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wshorten-64-to-32 -Wsign-compare -Wstrict-overflow=1 -Wstrict-prototypes -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
* C++ Compiler: ccache /usr/bin/clang++
* C++ Flags: -pipe -Os -stdlib=libc++ -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64
* CPP Flags: -I/opt/local/include -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk
* CCAS Flags: -pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk -arch x86_64
* LIB Flags:
* Debug enabled: no
* Coverage enabled:
* Warnings as failure: no
* make -j: no
* VCS checkout: no
Features
* FIPS: no
* Single threaded: no
* Filesystem: yes
* OpenSSH Build: yes
* OpenSSL Extra API: yes
* OpenSSL Coexist: no
* Old Names: no
* Max Strength Build: no
* Distro Build: yes
* Reproducible Build: yes
* fastmath: yes
* Assembly Allowed: yes
* sniffer: no
* snifftest: no
* ARC4: yes
* AES: yes
* AES-NI: no
* AES-CBC: yes
* AES-CBC length checks: yes
* AES-GCM: yes
* AES-GCM streaming: yes
* AES-CCM: yes
* AES-CTR: yes
* AES-CFB: yes
* AES-OFB: yes
* DES3: yes
* IDEA: yes
* Camellia: yes
* NULL Cipher: yes
* MD2: yes
* MD4: yes
* MD5: yes
* RIPEMD: yes
* SHA: yes
* SHA-224: yes
* SHA-384: yes
* SHA-512: yes
* SHA3: yes
* SHAKE256: yes
* BLAKE2: yes
* BLAKE2S: yes
* CMAC: yes
* keygen: yes
* certgen: yes
* certreq: yes
* certext: yes
* certgencache: no
* HC-128: yes
* RABBIT: yes
* CHACHA: yes
* XCHACHA: yes
* Hash DRBG: yes
* PWDBASED: yes
* scrypt: yes
* wolfCrypt Only: no
* HKDF: yes
* X9.63 KDF: yes
* MD4: yes
* PSK: yes
* Poly1305: yes
* LEANPSK: no
* LEANTLS: no
* RSA: yes
* RSA-PSS: yes
* DSA: yes
* DH: yes
* DH Default Parameters: yes
* ECC: yes
* ECC Custom Curves: yes
* ECC Minimum Bits: 224
* CURVE25519: yes
* ED25519: yes
* ED25519 streaming: yes
* CURVE448: yes
* ED448: yes
* ED448 streaming: yes
* FPECC: yes
* ECC_ENCRYPT: yes
* ECCSI yes
* SAKKE yes
* ASN: yes
* Anonymous cipher: yes
* CODING: yes
* MEMORY: yes
* I/O POOL: no
* wolfSentry: no
* LIGHTY: yes
* HAPROXY: no
* STUNNEL: yes
* tcpdump: yes
* libssh2: no
* ntp: no
* rsyslog: no
* Apache httpd: no
* NGINX: yes
* OpenResty: no
* ASIO: yes
* LIBWEBSOCKETS: yes
* Qt: yes
* Qt Unit Testing: no
* SIGNAL: no
* ERROR_STRINGS: yes
* DTLS: yes
* SCTP: no
* Indefinite Length: yes
* Multicast: yes
* SSL v3.0 (Old): no
* TLS v1.0 (Old): no
* TLS v1.1 (Old): yes
* TLS v1.2: yes
* TLS v1.3: yes
* Post-handshake Auth: yes
* Early Data: no
* Send State in HRR Cookie: yes
* OCSP: yes
* OCSP Stapling: yes
* OCSP Stapling v2: yes
* CRL: yes
* CRL-MONITOR: yes
* Persistent session cache: yes
* Persistent cert cache: yes
* Atomic User Record Layer: yes
* Public Key Callbacks: yes
* liboqs: no
* Whitewood netRandom: no
* Server Name Indication: yes
* ALPN: yes
* Maximum Fragment Length: yes
* Trusted CA Indication: yes
* Truncated HMAC: yes
* Supported Elliptic Curves: yes
* FFDHE only in client: no
* Session Ticket: yes
* Extended Master Secret: yes
* Renegotiation Indication: no
* Secure Renegotiation: no
* Fallback SCSV: yes
* Keying Material Exporter: no
* All TLS Extensions: yes
* PKCS#7: yes
* S/MIME: yes
* wolfSSH: yes
* wolfTPM: no
* wolfCLU: no
* wolfSCEP: yes
* Secure Remote Password: yes
* Small Stack: no
* Linux Kernel Module: no
* valgrind unit tests: no
* LIBZ: no
* Examples: yes
* Crypt tests: yes
* Stack sizes in tests: no
* Heap stats in tests: no
* User Crypto: no
* Fast RSA: no
* Single Precision: no
* SP math implementation: no
* Async Crypto: no
* PKCS#8: yes
* PKCS#11: no
* PKCS#12: yes
* Cavium Nitrox: no
* Cavium Octeon (Sync): no
* Intel Quick Assist: no
* ARM ASM: no
* ARM ASM SHA512 Crypto
* AES Key Wrap: yes
* Write duplicate: no
* Xilinx Hardware Acc.: no
* Inline Code: yes
* Linux AF_ALG: no
* Linux KCAPI: no
* Linux devcrypto: no
* Crypto callbacks: yes
* i.MX6 CAAM: no
* IoT-Safe: no
* IoT-Safe HWRNG: no
* NXP SE050: noI was doing with MacPorts by running sudo port test wolfssl.
dgarske
commented
2 years ago Hi @ryandesign ,
Looks like an issue with synchronization due to the ready file using the same name.
In my logs here it shows:
------------- TEST CASE 7 LOAD CERT IN SSL -------------------
removing ready file: /Users/davidgarske/GitHub/wolfssl/workspace.pid91533/wolf_ocsp_s2_readyF591533
waiting for ready file...
Also load cert/key into wolfSSL object
found ready file, starting client...
CONNECTED(00000003)In yours the logs immediately show found ready file, starting client... and the openssl client tries to connect before the server is ready.
I am working on a fix and will point you to it shortly.
Thanks, David Garske, wolfSSL
dgarske
commented
2 years ago Hi @ryandesign ,
Actually it is removing the file before, but the server thinks it still exists. Is there something MacPorts is doing with the file system that could cause this sync behavior? If you add a call to sync or even sleep 0.1 does the behavior resolve?
I am not familiar with MacPorts use to reproduce. Perhaps you can share some instructions? I am on macOS 11.6.1.
Thanks, David Garske, wolfSSL
ryandesign
commented
2 years ago I am using the APFS filesystem, which does have different characteristics than the old HFS+ filesystem, but all users on macOS 10.14 and later are using APFS since the OS upgrade auto-converts HFS+ disks to APFS.
Based on your comments I thought it might be due to running the tests in parallel with make check -j8. Normally in MacPorts we don't run tests in parallel but because wolfssl's build system is unusual and enables parallel building and testing by default, I figured it would be ok. But the test failure remains if I test serially with make check -j1 so that's not it.
To rule out any problems with MacPorts, I tried building 5.1.1 outside of MacPorts using just ./configure && make check. It only ran 7 tests which all passed, which didn't include ocsp-stapling2.test. Then I tried ./configure --enable-distro && make check which ran 14 tests, 13 of which passed; ocsp-stapling2.test still failed, so that rules out any MacPorts involvement. I also tried ./configure --disable-jobserver --enable-distro && make -j8 && make check with the same result.
I tried adding sync or sleep 1 at the end of remove_single_rF in ocsp-stapling2.test; no change.
If I run this test by itself outside of make by running ./scripts/ocsp-stapling2.test; echo $? it still fails with exit status 1.
dgarske
commented
2 years ago Hi @ryandesign,
This test relies on the openssl command line to setup a OCSP responder. What does your openssl version report? I do not see that issue here on my Mac. Perhaps you can try building wolfSSL with --enable-debug also and provide the log running ./scripts/ocsp-stapling2.test?
Thanks, David Garske, wolfSSL
ryandesign
commented
2 years ago MacPorts recently updated to openssl 3...
$ openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)Going back to openssl 1.1 fixes the test.
$ /opt/local/libexec/openssl11/bin/openssl version
OpenSSL 1.1.1l 24 Aug 2021Hi @ryandesign ,
Okay that explains it. We will investigate.
Thanks, David Garske, wolfSSL
dgarske
commented
2 years ago Hi @ryandesign ,
I can reproduce with openssl version OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021).
SSL_accept error -132, Buffer error, output too small or input too big
wolfSSL error: SSL_accept failed@embhorn will you take a look or assign to someone?
Thanks, David Garske, wolfSSL
ryandesign
commented
2 years ago SSL_accept error -132, Buffer error, output too small or input too big wolfSSL error: SSL_accept failed
This error does also appear in many of the other tests which purportedly completed successfully.
elms
commented
2 years ago @ryandesign I'm reproducing the error and digging into it. Can you provide a list of any other specific occurrences?
ryandesign
commented
2 years ago Here's what I see:
$ grep 'output too small or input too big' -r scripts
scripts/ocsp-stapling.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log.standalone:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log.standalone:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log.standalone:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log.standalone:SSL_accept error -132, Buffer error, output too small or input too big
scripts/ocsp-stapling2.log.standalone:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/unit.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/crl-revoked.log:SSL_accept error -132, Buffer error, output too small or input too big
scripts/crl-revoked.log:SSL_accept error -132, Buffer error, output too small or input too big@ryandesign After digging into the error I was able to pass the test by using ./configure --enable-secure-renegotiation --enable-ocspstapling2. openssl3 appears to have changed a warning to an error for use of legacy renegotiation.
Instead of requiring secure renegotiation, I've changed the test in https://github.com/wolfSSL/wolfssl/pull/4735 to address the test with openSSL 3. I'll look for the other -132 errors you reported now.
elms
commented
2 years ago @ryandesign I'm closing as this is fixed with #4742. Thanks for the report and let us know if you run into anything else.
With wolfssl 5.1.1 on macOS 10.15.7, ocsp-stapling2.test fails for me.
I'm not sure if I'm reading the test-suite.log correctly but it looks like the problem might be:
test-suite.log