-
Notifications
You must be signed in to change notification settings - Fork 705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: add openssl111 to LD_LIBRARY_PATH for integv2 testing #3464
Conversation
@@ -28,7 +28,7 @@ endif | |||
define run_tox | |||
( \ | |||
DYLD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$DYLD_LIBRARY_PATH" \ | |||
LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:"$(S2N_ROOT)/test-deps/gnutls37/nettle/lib":$$LD_LIBRARY_PATH" \ | |||
LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:"$(S2N_ROOT)/test-deps/openssl-1.1.1/lib":"$(S2N_ROOT)/test-deps/gnutls37/nettle/lib":$$LD_LIBRARY_PATH" \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why cant we just have LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib
? seems like we should always specify the LIBCRYPTO_ROOT
in our testing. If that doesnt exist then failing seems like the better option rather than continuing with 111 or gnutls37/nettle/lib
(which is default i assume?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're using the openssl
utility regardless of what S2N_LIBCRYPTO
is set to, and ld can't find the correct libcrypto.so file, because it's in a non-standard location and it's not in LD_LIBRARY_PATH.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternative fix is to remove OPENSSL_1_1_1_INSTALL_DIR
from the PATH here, but this means we'll be using openssl3 on ubuntu22/AL2022 and I wasn't sure if that would cause other issues/concerns.
Resolved issues:
Partial for #3465
Description of changes:
For integration testing on Linux distributions that don't use openssl-1.1.1 as their default OS libcrypto, trying to use the openssl-1.1.1 binary fails when
S2N_LIBCRYPTO
is not openssl-1.1.1.This is because we're not adding the lib path to LD_LIBRARY_PATH, and we've modified PATH so that our hand rolled openssl binary comes before the distribution provided binary.
Repro steps
On ubuntu22 with gcc-9 installed:
ad-hoc CodeBuild job
Call-outs:
Longer term, a refactor of the integv2 tests is needed, likely bundled with the move to cmake, where we should stop putting openssl-1.1.1 first in the PATH.
Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.