
Conversation

@frankmorgner
Member

I think we should not drop LibreSSL integration as it's low-hanging fruit and there actually are some distros which use LibreSSL. Tested with Yubikey.

Checklist
  • PKCS#11 module is tested

@frankmorgner
Member Author

Testing this locally works fine (pkcs11-tool --test --login), but the CI machine has some problems doing so with soft-hsm. Unfortunately I cannot spot the actual problem in the log nor whether or not it is actually related to switching to libressl...

@Jakuje could you have a look at the logfile? test-suite.log

@Jakuje
Member

Jakuje commented Jan 21, 2022

> Testing this locally works fine (pkcs11-tool --test --login), but the CI machine has some problems doing so with soft-hsm. Unfortunately I cannot spot the actual problem in the log nor whether or not it is actually related to switching to libressl...
>
> @Jakuje could you have a look at the logfile? test-suite.log

The XFAIL tests are expected failures, but what is not expected is the failure of the wrap tests:

FAIL: test-pkcs11-tool-unwrap-wrap-test.sh
==========================================

Testing /usr/local/lib/softhsm/libsofthsm2.so
Testing /usr/lib/softhsm/libsofthsm2.so
Setting P11LIB=/usr/lib/softhsm/libsofthsm2.so
=======================================================
Setup SoftHSM
=======================================================
The token has been initialized and is reassigned to slot 1456621156
=======================================================
 Unwrap test
=======================================================
Using slot 0 with a present token (0x56d24664)
Key pair generated:
Private Key Object; RSA 
  label:      
  ID:         85
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 1024 bits
  label:      
  ID:         85
  Usage:      encrypt, verify, wrap
  Access:     local
Using slot 0 with a present token (0x56d24664)
unknown option '--keyform'
usage: rsautl [-asn1parse] [-certin] [-decrypt] [-encrypt] [-hexdump]
    [-in file] [-inkey file] [-keyform der | pem]
    [-oaep | -pkcs | -raw | -x931] [-out file] [-passin arg]
    [-pubin] [-rev] [-sign] [-verify]

 -asn1parse         ASN.1 parse the output data
 -certin            Input is a certificate containing an RSA public key
 -decrypt           Decrypt the input data using RSA private key
 -encrypt           Encrypt the input data using RSA public key
 -hexdump           Hex dump the output data
 -in file           Input file (default stdin)
 -inkey file        Input key file
 -keyform fmt       Input key format (DER, TXT or PEM (default))
 -oaep              Use PKCS#1 OAEP padding
 -out file          Output file (default stdout)
 -passin arg        Key password source
 -pkcs              Use PKCS#1 v1.5 padding (default)
 -pubin             Input is an RSA public key
 -raw               Use no padding
 -rev               Reverse the input data
 -sign              Sign the input data using RSA private key
 -verify            Verify the input data using RSA public key
 -x931              Use ANSI X9.31 padding
====> ERROR: Failed wrap AES key
====> ERROR: Unwrap failed
Using slot 0 with a present token (0x56d24664)
error: object not found
Aborting.
====> ERROR: unable to read key value
====> ERROR: extracted key does not match the input key
====> ERROR: Unwrap failed
====> ERROR: Fail/pkcs11-tool encrypt
====> ERROR: Fail, AES-CBC - wrong encrypt
=======================================================
 Wrap test
=======================================================
Using slot 0 with a present token (0x56d24664)
error: Secret key (to be wrapped) not found
Aborting.
====> ERROR: Fail, unable to wrap
Using slot 0 with a present token (0x56d24664)
Using decrypt algorithm RSA-PKCS
error: Cannot open wrapped.key: No such file or directory
Aborting.
====> ERROR: Fail, unable to decrypt wrapped key
====> ERROR: wrapped key after decipher does not match the original key
=======================================================
Cleanup
=======================================================
rm: cannot remove 'aes_wrapped_key': No such file or directory
rm: cannot remove 'aes_ciphertext_pkcs11.data': No such file or directory
rm: cannot remove 'generic_extracted_key': No such file or directory
rm: cannot remove 'wrapped.key': No such file or directory
rm: cannot remove 'plain_wrapped.key': No such file or directory
FAIL test-pkcs11-tool-unwrap-wrap-test.sh (exit status: 1)

It looks like the LibreSSL command-line API is missing some features @popovec used when writing this test. So we will either have to adjust the test to not use --keyform, or somehow skip (or expect to fail) these tests on libressl.

@dengert
Member

dengert commented Jan 21, 2022

I think the problem with 97c380a is caused by LibreSSL not using lib64, which can then cause a problem: 97c380a#diff-01777b8211405b5ca734f053a69b200b01d7d3b1fb10fbdb337cff18417438f5R5

openssl/openssl@74b7f33 looks like it screwed it up and started using their config version, even when /usr/local/lib64 did not exist.

But OpenSSL says YOU CAN run make with LIBDIR=lib.
And I would bet distro packages have addressed this. But we are building from git clone or tar.gz files.

The support for LIBDIR has been around for years but never needed before 3.0:

Add support for --libdir option and LIBDIR variable in makefiles. This makes it possible to install openssl libraries in locations which have names other than "lib", for example "/usr/lib64" which some systems need.

Running the OpenSSL make and make install:
LIBDIR=lib make -e ...
So both OpenSSL and LibreSSL will end up using /usr/local/lib and /usr/local/lib/pkgconfig

fi

# install libressl if needed
if [ "$1" == "libressl" -o "$2" == "libressl" ]; then
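
Review bot: the condition `[ "$1" == "libressl" -o "$2" == "libressl" ]` relies on the bash-only `==` operator and on the binary `-o`, which POSIX marks obsolescent; if this script is ever run by a plain `sh` such as dash, `==` is rejected as an unexpected operator, the test fails, and the libressl branch is silently skipped. Prefer two portable tests joined by the shell's own `||`: `if [ "$1" = "libressl" ] || [ "$2" = "libressl" ]; then`. The condition also does nothing to reject `libressl` given together with `ossl3`, the case discussed in the review below.
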
Member

We might use elif here to explicitly signal that only one of these three options (ossl3, libressl, mingw) can be used at a time.

@frankmorgner frankmorgner Jan 22, 2022

I think it's better to provoke an error if both libressl and ossl3 are given. Otherwise it's possible to pass both options and the script would silently ignore libressl.
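
The review exchange above is about how the CI setup script should react when more than one crypto backend is requested. As an added example (not OpenSC's own setup script), the POSIX sh function below scans all positional arguments for the backend names mentioned in the review (ossl3, libressl, mingw), rejects two different backends with a clear error instead of silently ignoring one, and tolerates unrelated arguments. The option names and the "openssl" fallback are assumptions for the example.

```shell
#!/bin/sh
# Added example, not OpenSC's setup-linux script: select exactly one crypto
# backend from the CI setup arguments and fail loudly on a conflict.
# Assumed backend names: ossl3, libressl, mingw; assumed default: openssl.

# select_backend ARG... -> prints the chosen backend on stdout.
# Exit status 0 on success, 1 when two different backends were requested.
select_backend() {
    chosen=""
    for arg in "$@"; do
        case "$arg" in
            ossl3|libressl|mingw)
                # Naming the same backend twice is harmless; two different ones are not.
                if [ -n "$chosen" ] && [ "$chosen" != "$arg" ]; then
                    printf 'error: %s and %s cannot be combined\n' "$chosen" "$arg" >&2
                    return 1
                fi
                chosen="$arg"
                ;;
            *)
                # Other arguments (further CI flags) are not this function's concern.
                ;;
        esac
    done
    # No backend named: fall back to the distro OpenSSL (assumed default).
    printf '%s\n' "${chosen:-openssl}"
}

# Demonstration with constructed arguments:
select_backend libressl                                   # prints "libressl"
select_backend ossl3 libressl || echo "rejected, as intended" >&2
```

A setup script would call `backend=$(select_backend "$@") || exit 1` once at the top and then branch on `$backend`, so the ossl3/libressl/mingw installation steps stay mutually exclusive by construction rather than by the order of their if blocks.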

@frankmorgner
Member Author

Thanks for the hints.

  • It seems libressl doesn't use lib64, so I removed its special handling.
  • The test script had a typo, which the original openssl seemed to tolerate, but libressl seemed to error on.

@frankmorgner
Member Author

The internal tests should be green now. I've removed the tests with oseid, because its test suite is not (yet) compatible with libressl (popovec/oseid#1).

@popovec
Member

popovec commented Jan 24, 2022

I have already fixed OsEID-tool, all OsEID tests with libressl run without problems.

https://github.com/popovec/OpenSC/actions/runs/1738417499
https://github.com/popovec/OpenSC/tree/libressl_test1

@frankmorgner frankmorgner merged commit c94100a into OpenSC:master Jan 24, 2022
@frankmorgner frankmorgner deleted the libressl branch January 24, 2022 15:41