Distros based on OpenSSL 3 fail on lib-dcrypt/test-crypto

Tue Jun 7 17:27:27 UTC 2022

Hello,

I am getting our Dovecot packages preliminarily ready to support Linux distributions which rely on OpenSSL 3. I notice that even the main dev branch will build, but the test suite fails (among other places) at test_password_change in src/lib-dcrypt/test-crypto.c:

--

[root at al9 lib-dcrypt]# ./test-crypto
test_cipher_test_vectors ............................................. : ok
test_cipher_aead_test_vectors ........................................ : ok
test_hmac_test_vectors ............................................... : ok
test_load_v1_keys .................................................... : ok
test_load_v1_key ..................................................... : ok
test_load_v1_public_key .............................................. : ok
test_load_v2_key ..................................................... : ok
test_load_v2_public_key .............................................. : ok
test_get_info_v2_key ................................................. : ok
test_gen_and_get_info_rsa_pem ........................................ : ok
test_get_info_rsa_private_key ........................................ : ok
test_get_info_invalid_keys ........................................... : ok
test_get_info_key_encrypted .......................................... : ok
test_get_info_pw_encrypted ........................................... : ok
test-crypto.c:827: Assert failed: ret == TRUE
Panic: file dcrypt-openssl.c: line 2636 (dcrypt_openssl_private_to_public_key): assertion failed: (priv_key != NULL && pub_key_r != NULL)
Error: Raw backtrace: ./test-crypto(backtrace_append+0x42) [0x445332] -> ./test-crypto(backtrace_get+0x1e) [0x44544e] -> ./test-crypto() [0x42414b] -> ./test-crypto() [0x424181] -> ./test-crypto() [0x412b69] -> .libs/libdcrypt_openssl.so(+0x5f25) [0x7fb61954df25] -> ./test-crypto() [0x41cd9a] -> ./test-crypto() [0x4200af] -> ./test-crypto(test_run+0x4c) [0x420c5c] -> ./test-crypto(main+0x4b) [0x41717b] -> /lib64/libc.so.6(+0x44e50) [0x7fb6195a3e50] -> /lib64/libc.so.6(__libc_start_main+0x7c) [0x7fb6195a3efc] -> ./test-crypto(_start+0x25) [0x417295]
Aborted (core dumped)

--

Looking at how various distros handle this test failure when building packages, they all seem to apply the same patch developed by Red Hat to get this test to pass, attached to https://bugzilla.redhat.com/show_bug.cgi?id=1962035:

--

diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c

--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3   2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c     2021-06-03 18:56:52.585174274 +0200
@@ -73,10 +73,30 @@
   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+  EVP_PKEY_set1_EC_KEY(key, eck);
+  EC_KEY_free(eck);
+  return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+  EVP_PKEY_set1_EC_KEY(key, eck);
+  return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
#ifndef HAVE_EVP_PKEY_get0
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
+#endif
 #ifndef HAVE_OBJ_LENGTH
#define OBJ_length(o) ((o)->length)

--

I presume that either this patch or an equivalent is planned for eventual inclusion into upstream?

--
Sloane Bernstein
Developer I
cPanel, L.L.C.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20220607/541166d2/attachment-0001.htm>
