Re: Distros based on OpenSSL 3 fail on lib-dcrypt/test-crypto

On 07/06/2022 20:27 Sloane Bernstein wrote:

Hello,

I am getting our Dovecot packages preliminarily ready to support Linux distributions which rely on OpenSSL 3. I notice that even the main dev branch will build, but the test suite fails (among other places) at test_password_change in src/lib-dcrypt/test-crypto.c:

--

[root@al9 lib-dcrypt]# ./test-crypto test_cipher_test_vectors ............................................. : ok test_cipher_aead_test_vectors ........................................ : ok test_hmac_test_vectors ............................................... : ok test_load_v1_keys .................................................... : ok test_load_v1_key ..................................................... : ok test_load_v1_public_key .............................................. : ok test_load_v2_key ..................................................... : ok test_load_v2_public_key .............................................. : ok test_get_info_v2_key ................................................. : ok test_gen_and_get_info_rsa_pem ........................................ : ok test_get_info_rsa_private_key ........................................ : ok test_get_info_invalid_keys ........................................... : ok test_get_info_key_encrypted .......................................... : ok test_get_info_pw_encrypted ........................................... : ok test-crypto.c:827: Assert failed: ret == TRUE Panic: file dcrypt-openssl.c: line 2636 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL) Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x445332] -> ./test-crypto(backtrace_get+0x1e) [0x44544e] -> ./test-crypto() [0x42414b] -> ./test-crypto() [0x424181] -> ./test-crypto() [0x412b69] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7fb61954df25] -> ./test-crypto() [0x41cd9a] -> ./test-crypto() [0x4200af] -> ./test-crypto(test_run+0x4c) [0x420c5c] -> ./test-crypto(main+0x4b) [0x41717b] -> /lib64/libc.so.6(+0x44e50) [0x7fb6195a3e50] -> /lib64/libc.so.6(__libc_start_main+0x7c) [0x7fb6195a3efc] -> ./test-crypto(_start+0x25) [0x417295] Aborted (core dumped)

--

Looking at how various distros handle this test failure when building packages, they all seem to apply the same patch developed by Red Hat to get this test to pass, attached to https://bugzilla.redhat.com/show_bug.cgi?id=1962035:

--

diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c --- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200 +++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200 @@ -73,10 +73,30 @@ 2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id **/

+#if OPENSSL_VERSION_MAJOR == 3 +static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key) +{ + EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); + EVP_PKEY_set1_EC_KEY(key, eck); + EC_KEY_free(eck); + return eck; +} + +static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key) +{ + EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); + EVP_PKEY_set1_EC_KEY(key, eck); + return eck; +} + +#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 +#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3 +#else #ifndef HAVE_EVP_PKEY_get0 #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec #define EVP_PKEY_get0_RSA(x) x->pkey.rsa #endif +#endif

#ifndef HAVE_OBJ_LENGTH #define OBJ_length(o) ((o)->length)

--

I presume that either this patch or an equivalent is planned for eventual inclusion into upstream?

-- Sloane Bernstein Developer I cPanel, L.L.C.

Hi! We'll look into this. Thanks. Aki