Hello,

 

I am getting our Dovecot packages preliminarily ready to support Linux distributions which rely on OpenSSL 3. I notice that even the main dev branch will build, but the test suite fails (among other places) at test_password_change in src/lib-dcrypt/test-crypto.c:

 

--

 

[root@al9 lib-dcrypt]# ./test-crypto

test_cipher_test_vectors ............................................. : ok

test_cipher_aead_test_vectors ........................................ : ok

test_hmac_test_vectors ............................................... : ok

test_load_v1_keys .................................................... : ok

test_load_v1_key ..................................................... : ok

test_load_v1_public_key .............................................. : ok

test_load_v2_key ..................................................... : ok

test_load_v2_public_key .............................................. : ok

test_get_info_v2_key ................................................. : ok

test_gen_and_get_info_rsa_pem ........................................ : ok

test_get_info_rsa_private_key ........................................ : ok

test_get_info_invalid_keys ........................................... : ok

test_get_info_key_encrypted .......................................... : ok

test_get_info_pw_encrypted ........................................... : ok

test-crypto.c:827: Assert failed: ret == TRUE

Panic: file dcrypt-openssl.c: line 2636 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)

Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x445332] -> ./test-crypto(backtrace_get+0x1e) [0x44544e] -> ./test-crypto() [0x42414b] -> ./test-crypto() [0x424181] -> ./test-crypto() [0x412b69] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7fb61954df25] -> ./test-crypto() [0x41cd9a] -> ./test-crypto() [0x4200af] -> ./test-crypto(test_run+0x4c) [0x420c5c] -> ./test-crypto(main+0x4b) [0x41717b] -> /lib64/libc.so.6(+0x44e50) [0x7fb6195a3e50] -> /lib64/libc.so.6(__libc_start_main+0x7c) [0x7fb6195a3efc] -> ./test-crypto(_start+0x25) [0x417295]

Aborted (core dumped)

 

--

 

Looking at how various distros handle this test failure when building packages, they all seem to apply the same patch developed by Red Hat to get this test to pass, attached to https://bugzilla.redhat.com/show_bug.cgi?id=1962035:

 

--

 

diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c

--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3   2021-06-03 18:56:52.573174433 +0200

+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c     2021-06-03 18:56:52.585174274 +0200

@@ -73,10 +73,30 @@

   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id

**/

+#if OPENSSL_VERSION_MAJOR == 3

+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)

+{

+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);

+  EVP_PKEY_set1_EC_KEY(key, eck);

+  EC_KEY_free(eck);

+  return eck;

+}

+

+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)

+{

+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);

+  EVP_PKEY_set1_EC_KEY(key, eck);

+  return eck;

+}

+

+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3

+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3

+#else

#ifndef HAVE_EVP_PKEY_get0

#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec

#define EVP_PKEY_get0_RSA(x) x->pkey.rsa

#endif

+#endif

 #ifndef HAVE_OBJ_LENGTH

#define OBJ_length(o) ((o)->length)

 

--

 

I presume that either this patch or an equivalent is planned for eventual inclusion into upstream?

 

-- 

Sloane Bernstein

Developer I

cPanel, L.L.C.