Re: opensssl 1.1.1g test failure(s)
On Wed, Apr 22, 2020 at 11:02:47AM +0200, Michael Tuexen wrote:
> > On 22. Apr 2020, at 10:38, Matt Caswell wrote:
> >
> > On 21/04/2020 23:45, Michael Tuexen wrote:
> >>> Looks like the failing call is here:
> >>>
> >>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
> >>>                    (const void *)&on, sizeof(on)) != 0) {
> >> Can you provide a pointer to the code?
> >
> > Yes, it's here:
> >
> > https://github.com/openssl/openssl/blob/fa555aa8970260c3e198d91709b2d4b3e40f8fa8/crypto/bio/b_sock2.c#L267-L282
> OK. Thanks.
>
> Could it be that on == 0, when you do the setsockopt() call? Disabling
> IPV6_V6ONLY seems not to be supported
> on OpenBSD:

Yes:

        if (BIO_ADDR_family(addr) == AF_INET6) {
            /*
             * Note: Windows default of IPV6_V6ONLY is ON, and Linux is OFF.
             * Therefore we always have to use setsockopt here.
             */
            on = options & BIO_SOCK_V6_ONLY ? 1 : 0;
            if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
                           (const void *)&on, sizeof(on)) != 0) {

So something is calling BIO_listen without setting BIO_SOCK_V6_ONLY in
options. All calling functions really should set BIO_SOCK_V6_ONLY
if they actually support multiple sockets, and they should.

Kurt
Re: opensssl 1.1.1g test failure(s)
> On 22. Apr 2020, at 10:38, Matt Caswell wrote:
>
> On 21/04/2020 23:45, Michael Tuexen wrote:
>>> Looks like the failing call is here:
>>>
>>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>>>                    (const void *)&on, sizeof(on)) != 0) {
>> Can you provide a pointer to the code?
>
> Yes, it's here:
>
> https://github.com/openssl/openssl/blob/fa555aa8970260c3e198d91709b2d4b3e40f8fa8/crypto/bio/b_sock2.c#L267-L282
OK. Thanks.

Could it be that on == 0, when you do the setsockopt() call? Disabling
IPV6_V6ONLY seems not to be supported on OpenBSD:

From sys/netinet6/ip6_output.c:

        case IPV6_V6ONLY:
            /*
             * make setsockopt(IPV6_V6ONLY)
             * available only prior to bind(2).
             * see ipng mailing list, Jun 22 2001.
             */
            if (inp->inp_lport || !IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6)) {
                error = EINVAL;
                break;
            }
            /* No support for IPv4-mapped addresses. */
            if (!optval)
                error = EINVAL;
            else
                error = 0;
            break;

I don't see a bug in OpenBSD here, or a strange behaviour. OpenBSD just does not
support mapped addresses.

Best regards
Michael
>
> Matt
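As an added illustration of the failure discussed in this thread (not code from OpenSSL, OpenBSD, or any poster): the C probe below requests each IPV6_V6ONLY value on a fresh, unbound socket, reads the effective value back, and separates "the kernel refused the call but the socket already behaves as requested" from a real refusal that the caller has to handle, for example by opening a separate IPv4 listener. The enum and function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names for this example; not part of OpenSSL's BIO API. */
enum v6only_result {
    V6ONLY_APPLIED,   /* setsockopt() succeeded */
    V6ONLY_ALREADY,   /* call refused, but the socket already behaves as requested */
    V6ONLY_REFUSED,   /* call refused and the socket does not behave as requested */
    V6ONLY_NO_SOCKET  /* no AF_INET6 socket could be created on this host */
};

/* Pure decision step: rc/err come from setsockopt(), effective comes from
 * getsockopt() (-1 when the current value could not be read). */
enum v6only_result classify_v6only(int rc, int err, int want, int effective)
{
    if (rc == 0)
        return V6ONLY_APPLIED;
    if (err == EINVAL && effective >= 0 && (effective != 0) == (want != 0))
        return V6ONLY_ALREADY;
    return V6ONLY_REFUSED;
}

/* Request IPV6_V6ONLY = want on a fresh, unbound TCP socket and classify. */
enum v6only_result probe_v6only(int want)
{
    int on = want ? 1 : 0, effective = -1, rc, err;
    socklen_t len = sizeof(effective);
    int sock = socket(AF_INET6, SOCK_STREAM, 0);

    if (sock < 0)
        return V6ONLY_NO_SOCKET;
    rc = setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (const void *)&on, sizeof(on));
    err = errno;
    if (getsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &effective, &len) != 0)
        effective = -1;
    close(sock);
    return classify_v6only(rc, err, on, effective);
}

int main(void)
{
    static const char *name[] = { "applied", "already", "refused", "no-socket" };
    printf("IPV6_V6ONLY=1: %s\n", name[probe_v6only(1)]);
    printf("IPV6_V6ONLY=0: %s\n", name[probe_v6only(0)]);
    return 0;
}
```

A "refused" result for IPV6_V6ONLY=0 means the socket cannot be made dual-stack on that host, which is the condition the failing `-ipv6` test ran into.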
Re: opensssl 1.1.1g test failure(s)
On Tue, Apr 21, 2020, Matt Caswell wrote:

> changes in this area. Were you successfully able to run the tests with
> previous versions of OpenSSL?

It's the first time I compiled 1.1.1 on that host.
Just to check I tried 1.1.1d and it shows the same problem,
so it's not a regression.
Re: opensssl 1.1.1g test failure(s)
On 21/04/2020 23:45, Michael Tuexen wrote:
>> Looks like the failing call is here:
>>
>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>>                    (const void *)&on, sizeof(on)) != 0) {
> Can you provide a pointer to the code?

Yes, it's here:

https://github.com/openssl/openssl/blob/fa555aa8970260c3e198d91709b2d4b3e40f8fa8/crypto/bio/b_sock2.c#L267-L282

Matt
Re: opensssl 1.1.1g test failure(s)
On 2020-04-21 18:45, Michael Tuexen wrote:
>> On 21. Apr 2020, at 23:49, Matt Caswell wrote:
>>
>> On 21/04/2020 18:34, Claus Assmann wrote:
>>> Thanks for the reply, below is the output, It seems it only fails
>>> because the host doesn't support IPv6?
>>
>> Yes - it does seem to be an IPv6 problem. I don't recall any recent
>> changes in this area. Were you successfully able to run the tests with
>> previous versions of OpenSSL?
>>
>> Looks like the failing call is here:
>>
>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>>                    (const void *)&on, sizeof(on)) != 0) {
> Can you provide a pointer to the code?
>
> Best regards
> Michael
>>
>> To which we get an errno indicating "Invalid argument". So it looks like
>> your host has the relevant IPV6 macros defined (otherwise we would have
>> got a compilation failure) - but doesn't understand them when used.
>>
>> If you're not using IPv6 on that host and this is the only test failure
>> then it can probably be safely ignored.
>>
>> Matt

Not sure what the complaints are however here on the most strict POSIX
risc environment with a really strict compiler :

.
.
.
All tests successful.
Files=155, Tests=1460, 1378 wallclock secs (10.52 usr 1.12 sys + 1251.44 cusr 53.76 csys = 1316.84 CPU)
Result: PASS
gmake[1]: Leaving directory '/usr/local/build/openssl-1.1.1g_SunOS5.10_sparc64vii+.001'
alpha$
alpha$
alpha$ uname -a
SunOS alpha 5.10 Generic_150400-65 sun4u sparc SUNW,SPARC-Enterprise
alpha$
alpha$ psrinfo -pv
The physical processor has 2 virtual processors (2 3)
  SPARC64-VII+ (portid 1024 impl 0x7 ver 0xa1 clock 2860 MHz)
alpha$
alpha$ cc -V
cc: Studio 12.6 Sun C 5.15 SunOS_sparc 2017/05/30
alpha$
alpha$

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
Re: opensssl 1.1.1g test failure(s)
> On 21. Apr 2020, at 23:49, Matt Caswell wrote:
>
> On 21/04/2020 18:34, Claus Assmann wrote:
>> Thanks for the reply, below is the output, It seems it only fails
>> because the host doesn't support IPv6?
>
> Yes - it does seem to be an IPv6 problem. I don't recall any recent
> changes in this area. Were you successfully able to run the tests with
> previous versions of OpenSSL?
>
> Looks like the failing call is here:
>
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>                    (const void *)&on, sizeof(on)) != 0) {
Can you provide a pointer to the code?

Best regards
Michael
>
> To which we get an errno indicating "Invalid argument". So it looks like
> your host has the relevant IPV6 macros defined (otherwise we would have
> got a compilation failure) - but doesn't understand them when used.
>
> If you're not using IPv6 on that host and this is the only test failure
> then it can probably be safely ignored.
>
> Matt
Re: opensssl 1.1.1g test failure(s)
On Tue, Apr 21, 2020 at 10:49:25PM +0100, Matt Caswell wrote:
>
> Looks like the failing call is here:
>
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>                    (const void *)&on, sizeof(on)) != 0) {
>
> To which we get an errno indicating "Invalid argument". So it looks like
> your host has the relevant IPV6 macros defined (otherwise we would have
> got a compilation failure) - but doesn't understand them when used.

OpenBSD is really weird in this regard. They always use the
behavior of IPV6_V6ONLY set to on. But if you actually try to set
it on, they return an error. They should instead return an error
when you try to set it off.

Kurt
Re: opensssl 1.1.1g test failure(s)
On 21/04/2020 18:34, Claus Assmann wrote:
> Thanks for the reply, below is the output, It seems it only fails
> because the host doesn't support IPv6?

Yes - it does seem to be an IPv6 problem. I don't recall any recent
changes in this area. Were you successfully able to run the tests with
previous versions of OpenSSL?

Looks like the failing call is here:

    if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
                   (const void *)&on, sizeof(on)) != 0) {

To which we get an errno indicating "Invalid argument". So it looks like
your host has the relevant IPV6 macros defined (otherwise we would have
got a compilation failure) - but doesn't understand them when used.

If you're not using IPv6 on that host and this is the only test failure
then it can probably be safely ignored.

Matt
Re: opensssl 1.1.1g test failure(s)
Summary: The OpenSSL 1.1.1g test suite contains at least two bugs:

TestBug#1: Test suite fails if local network has no IPv6, error message
(non-verbose) doesn't say that's the issue. [ Testing IPv6 makes sense,
rejecting regression tests on inadequate machines is important to avoid
silent failures, but not telling testers that a test precondition failed
or which ones is bad. ]

TestBug#2: Test suite uses ambiguous wording to report the index of
failed test. Should have said "Failed test indexes: 2" or
"Failed test: #2" (latter needs to repeat "#" for each index listed)

On 21/04/2020 19:34, Claus Assmann wrote:
> On Tue, Apr 21, 2020, Benjamin Kaduk via openssl-users wrote:
>> On Tue, Apr 21, 2020 at 07:22:38PM +0200, Claus Assmann wrote:
>>> ../test/recipes/80-test_ssl_old.t ..
>>> Dubious, test returned 1 (wstat 256, 0x100)
>> Please run again with `make V=1 TESTS=test_ssl_old test` and post the
>> relevant parts of the output?
> Thanks for the reply, below is the output, It seems it only fails
> because the host doesn't support IPv6?
>
> make depend && make _tests
> ( cd test; mkdir -p test-runs; SRCTOP=../. BLDTOP=../. RESULT_D=test-runs PERL="/usr/bin/perl" EXE_EXT= OPENSSL_ENGINES=`cd .././engines 2>/dev/null && pwd` OPENSSL_DEBUG_MEMORY=on /usr/bin/perl .././test/run_tests.pl test_ssl_old )
> ../test/recipes/80-test_ssl_old.t ..
> 1..6
> # Subtest: test_ss
> 1..17
> ...
> 0:error:0200E016:system library:setsockopt:Invalid argument:crypto/bio/b_sock2.c:255:
> 0:error:2008B088:BIO routines:BIO_listen:listen v6 only:crypto/bio/b_sock2.c:256:
> Doing handshakes=1 bytes=256
> TLSv1.3, cipher (NONE) (NONE)
> ../../util/shlib_wrap.sh ../ssltest_old -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -ipv6 => 1
> not ok 13 - test TLS via IPv6
> # Failed test 'test TLS via IPv6'
> # at ../test/recipes/80-test_ssl_old.t line 390.
> # Looks like you failed 1 test of 13.
> not ok 2 - standard SSL tests
> # Failed test 'standard SSL tests'
> # at /home/ca/pd/security/openssl-1.1.1g/test/../util/perl/OpenSSL/Test.pm line 1212.
> ...
> # Looks like you failed 1 test of 6.
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/6 subtests
>
> Test Summary Report
> ---
> ../test/recipes/80-test_ssl_old.t (Wstat: 256 Tests: 6 Failed: 1)
> Failed test: 2
> Non-zero exit status: 1
> Files=1, Tests=6, 12 wallclock secs ( 0.04 usr 0.06 sys + 1.77 cusr 9.78 csys = 11.65 CPU)
> Result: FAIL
> *** Error 1 in . (Makefile:217 '_tests')
> *** Error 1 in /home/ca/pd/security/openssl-1.1.1g (Makefile:205 'tests')

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: opensssl 1.1.1g test failure(s)
On Tue, Apr 21, 2020, Benjamin Kaduk via openssl-users wrote:
> On Tue, Apr 21, 2020 at 07:22:38PM +0200, Claus Assmann wrote:

> > ../test/recipes/80-test_ssl_old.t ..
> > Dubious, test returned 1 (wstat 256, 0x100)

> Please run again with `make V=1 TESTS=test_ssl_old test` and post the
> relevant parts of the output?

Thanks for the reply, below is the output, It seems it only fails
because the host doesn't support IPv6?

make depend && make _tests
( cd test; mkdir -p test-runs; SRCTOP=../. BLDTOP=../. RESULT_D=test-runs PERL="/usr/bin/perl" EXE_EXT= OPENSSL_ENGINES=`cd .././engines 2>/dev/null && pwd` OPENSSL_DEBUG_MEMORY=on /usr/bin/perl .././test/run_tests.pl test_ssl_old )
../test/recipes/80-test_ssl_old.t ..
1..6
# Subtest: test_ss
1..17
Generating a RSA private key
..+
..+
writing new private key to 'keyCA.ss'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:AU
Organization Name (eg, company) []:Dodgy Brothers
Common Name (eg, YOUR name) []:Dodgy CA
../../util/shlib_wrap.sh ../../apps/openssl req -config ../CAss.cnf -out reqCA.ss -keyout keyCA.ss -new => 0
ok 1 - make cert request
Signature ok
subject=C = AU, O = Dodgy Brothers, CN = Dodgy CA
Getting Private key
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -CAcreateserial -in reqCA.ss -days 30 -req -out certCA.ss -signkey keyCA.ss -extfile ../CAss.cnf -extensions v3_ca > err.ss => 0
ok 2 - convert request into self-signed cert
Getting request Private Key
Generating certificate request
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -in certCA.ss -x509toreq -signkey keyCA.ss -out req2CA.ss > err.ss => 0
ok 3 - convert cert into a cert request
verify OK
../../util/shlib_wrap.sh ../../apps/openssl req -config ../../apps/openssl.cnf -verify -in reqCA.ss -noout => 0
ok 4 - verify request 1
verify OK
../../util/shlib_wrap.sh ../../apps/openssl req -config ../../apps/openssl.cnf -verify -in req2CA.ss -noout => 0
ok 5 - verify request 2
certCA.ss: OK
../../util/shlib_wrap.sh ../../apps/openssl verify -CAfile certCA.ss certCA.ss => 0
ok 6 - verify signature
Generating a RSA private key
.+
.+
writing new private key to 'keyU.ss'
-
../../util/shlib_wrap.sh ../../apps/openssl req -config ../Uss.cnf -out reqU.ss -keyout keyU.ss -new > err.ss => 0
ok 7 - make a user cert request
Signature ok
subject=C = AU, O = Dodgy Brothers, CN = Brother 1, CN = Brother 2
Getting CA Private Key
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -CAcreateserial -in reqU.ss -days 30 -req -out certU.ss -CA certCA.ss -CAkey keyCA.ss -CAserial certCA.srl -extfile ../Uss.cnf -extensions v3_ee > err.ss => 0
certU.ss: OK
../../util/shlib_wrap.sh ../../apps/openssl verify -CAfile certCA.ss certU.ss => 0
ok 8 - sign user cert request
# subject=C = AU, O = Dodgy Brothers, CN = Brother 1, CN = Brother 2
# issuer=C = AU, O = Dodgy Brothers, CN = Dodgy CA
# notBefore=Apr 21 17:30:29 2020 GMT
# notAfter=May 21 17:30:29 2020 GMT
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -subject -issuer -startdate -enddate -noout -in certU.ss => 0
ok 9 - Certificate details
# Subtest: DSA certificate creation
1..5
Generating DSA key, 1024 bits
../../util/shlib_wrap.sh ../../apps/openssl gendsa -out keyD.ss ../../apps/dsa1024.pem > err.ss => 0
ok 1 - make a DSA key
../../util/shlib_wrap.sh ../../apps/openssl req -new -config ../Uss.cnf -out reqD.ss -key keyD.ss > err.ss => 0
ok 2 - make a DSA user cert request
Signature ok
subject=C = AU, O = Dodgy Brothers, CN = Brother 1, CN = DSA Certificate
Getting CA Private Key
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -CAcreateserial -in reqD.ss -days 30 -req -out certD.ss -CA certCA.ss -CAkey keyCA.ss -CAserial certCA.srl -extfile ../Uss.cnf -extensions v3_ee_dsa > err.ss => 0
ok 3 - sign DSA user cert request
certD.ss: OK
../../util/shlib_wrap.sh ../../apps/openssl verify -CAfile certCA.ss certD.ss => 0
ok 4 - verify DSA user cert
# subject=C = AU, O = Dodgy Brothers, CN = Brother 1, CN = DSA Certificate
# issuer=C = AU, O = Dodgy Brothers, CN = Dodgy CA
# notBefore=Apr 21 17:30:29 2020 GMT
# notAfter=May 21 17:30:29 2020 GMT
../../util/shlib_wrap.sh ../../apps/openssl x509 -sha1 -subject -issuer -startdate -enddate -noout -in certD.ss => 0
ok 5 - DSA Certificate details
ok 10 - DSA certificate creation
# Subtest: ECDSA/ECDH certificate creation
1..5
../../util/shlib_wrap.sh ../../apps/openssl
Re: opensssl 1.1.1g test failure(s)
On Tue, Apr 21, 2020 at 07:22:38PM +0200, Claus Assmann wrote:
> Not sure whether this is already known (a search didn't bring up
> anything meaningful):
>
> ../test/recipes/80-test_ssl_old.t ..
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/6 subtests
> Test Summary Report
> ---
> ../test/recipes/80-test_ssl_old.t(Wstat: 256 Tests: 6 Failed:
> 1)
^ this is the number of failed tests
> Failed test: 2
> ^ Is that supposed to be the number of failed tests?

No, that's the index of the failing test(s). (I always have to check whether
it's 0-indexed or 1-indexed, though.)

> If so, I don't see the 2nd test failure
> (and it should probably be "Failed test(s):"?)
>
> Files=155, Tests=1256, 298 wallclock secs ( 0.32 usr 2.07 sys + 126.58 cusr
> 156.65 csys = 285.62 CPU)
> Result: FAIL

Please run again with `make V=1 TESTS=test_ssl_old test` and post the relevant
parts of the output?

Thanks,

Ben
opensssl 1.1.1g test failure(s)
Not sure whether this is already known (a search didn't bring up
anything meaningful):

../test/recipes/80-test_ssl_old.t ..
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/6 subtests
Test Summary Report
---
../test/recipes/80-test_ssl_old.t(Wstat: 256 Tests: 6 Failed: 1)
Failed test: 2
^ Is that supposed to be the number of failed tests?
If so, I don't see the 2nd test failure
(and it should probably be "Failed test(s):"?)

Files=155, Tests=1256, 298 wallclock secs ( 0.32 usr 2.07 sys + 126.58 cusr 156.65 csys = 285.62 CPU)
Result: FAIL

OS Version: OpenBSD 6.5 amd64