
Make conf_diagnostics apply also to the SSL conf errors #24275

Closed
wants to merge 10 commits into from

Conversation

t8m (Member) commented Apr 26, 2024

Checklist
  • documentation is added or updated
  • tests are added or updated

@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug tests: present The PR has suitable tests present labels Apr 26, 2024
t8m (Member, Author) commented Apr 26, 2024

This is a draft PR - the CI failures demonstrate that conf_diagnostics works and makes SSL_CTX_new fail.

@github-actions github-actions bot added severity: fips change The pull request changes FIPS provider sources severity: ABI change This pull request contains ABI changes labels Apr 26, 2024
t-j-h (Member) commented Apr 30, 2024

Looks good to me in terms of improving what we currently have ...

beldmit (Member) commented Apr 30, 2024

I'd like to have some syntax check for the config file as a part of the openssl command line util but it can be a separate PR

Review threads (resolved): crypto/context.c (outdated), ssl/ssl_mcnf.c, crypto/context.c
@t8m t8m marked this pull request as ready for review May 2, 2024 13:58
@t8m t8m requested review from mattcaswell and paulidale May 2, 2024 13:59
mattcaswell (Member) commented

The CI failure looks relevant

Review threads (resolved, outdated): CHANGES.md, doc/man3/OSSL_LIB_CTX_set_conf_diagnostics.pod
t8m (Member, Author) commented May 2, 2024

> The CI failure looks relevant

The question is whether the failing test really makes sense. It basically loads a config into a single libctx concurrently from multiple threads. What are the semantics of such a call? If the same file is being loaded then it could somewhat work, although I would not be surprised if there are some strange circumstances where it would not. However, if a different file were loaded concurrently into the same libctx, what can the application expect then? Random results.

I am very much inclined to drop the testcase.

@paulidale paulidale removed the approval: otc review pending This pull request needs review by an OTC member label May 6, 2024
@t8m t8m requested a review from mattcaswell May 6, 2024 10:36
@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels May 7, 2024
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels May 8, 2024
openssl-machine (Collaborator) commented

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request May 9, 2024
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
…g file

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
openssl-machine pushed a commit that referenced this pull request May 9, 2024
…bctx

The semantics of such concurrent call is not defined.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from #24275)
nhorman (Contributor) commented May 9, 2024

@t8m the fixups appear to be causing some conflicts during merge. I can merge them if you like, but if you can I would prefer you take a look at them

t8m (Member, Author) commented May 10, 2024

I've merged this yesterday. Thank you for the reviews.

@t8m t8m closed this May 10, 2024
xnox (Contributor) commented May 10, 2024

make test TESTS=test_sysdefault
...
make[2]: Entering directory '/home/xnox/upstream/openssl'
( SRCTOP=. \
  BLDTOP=. \
  PERL="/usr/bin/perl" \
  FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \
  EXE_EXT= \
  /usr/bin/perl ./test/run_tests.pl test_sysdefault )
00-prep_fipsmodule_cnf.t .. ok   
All tests successful.
Files=1, Tests=1,  0 wallclock secs ( 0.01 usr  0.00 sys +  0.27 cusr  0.05 csys =  0.33 CPU)
Result: PASS
90-test_sysdefault.t .. 
    # ERROR: (ptr) 'ctx = SSL_CTX_new(TLS_method()) != NULL' failed @ test/sysdefaulttest.c:25
    # 0x0
    # 80CB81B9097E0000:error:0A0001A3:SSL routines:SSL_CTX_new_ex:error in system default config:ssl/ssl_lib.c:4100:
    # OPENSSL_TEST_RAND_SEED=1715381166
    not ok 1 - test_func
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/sysdefaulttest => 1
not ok 1 - sysdefaulttest
90-test_sysdefault.t .. 1/? ----------------------------------------------------
#   Failed test 'sysdefaulttest'
#   at test/recipes/90-test_sysdefault.t line 23.
90-test_sysdefault.t .. Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests 

Test Summary Report
-------------------
90-test_sysdefault.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
  Failed test:  1
  Non-zero exit status: 1
Files=1, Tests=1,  0 wallclock secs ( 0.01 usr  0.01 sys +  0.17 cusr  0.04 csys =  0.23 CPU)
Result: FAIL
make[2]: *** [Makefile:3949: run_tests] Error 1
make[2]: Leaving directory '/home/xnox/upstream/openssl'
make[1]: *** [Makefile:3946: _tests] Error 2
make[1]: Leaving directory '/home/xnox/upstream/openssl'
make: *** [Makefile:3944: tests] Error 2

Fails for me, and git bisect blames:

21819f78b057c254254646a7854bfad0cd40ed83 is the first bad commit
commit 21819f78b057c254254646a7854bfad0cd40ed83
Date:   Fri Apr 26 17:23:13 2024 +0200

    Make conf_diagnostics apply also to the SSL conf errors
    
    Reviewed-by: Paul Dale <ppzgs1@>
    Reviewed-by: Neil Horman <nhorman@>
    (Merged from https://github.com/openssl/openssl/pull/24275)

 crypto/conf/conf_mod.c      |  1 +
 crypto/context.c            | 17 +++++++++++++++++
 crypto/err/openssl.txt      |  1 +
 include/openssl/crypto.h.in |  2 ++
 include/openssl/sslerr.h    |  1 +
 ssl/ssl_err.c               |  2 ++
 ssl/ssl_lib.c               |  5 ++++-
 ssl/ssl_local.h             |  2 +-
 ssl/ssl_mcnf.c              | 13 +++++++++----
 test/sysdefaulttest.c       | 18 ++++++++----------
 util/libcrypto.num          |  2 ++
 11 files changed, 48 insertions(+), 16 deletions(-)

This is on Ubuntu 24.04 host x86-64 with gcc-13.

Is my host system config somehow bad? Or is the test case looking for something incorrect? Or is Ubuntu 24.04 misbuilding things?

t8m (Member, Author) commented May 13, 2024

@xnox please open a new issue for this. Is this a clean build without any patches on top?
