bug#56137: bug#58650: OpenSSL 1.1.1n test failures due to expired certificates (time bomb)

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 56137@debbugs.gnu.org
Cc: sjors@sprovoost.nl, ludo@gnu.org, 58650@debbugs.gnu.org,
	maximedevos@telenet.be, zimon.toutoune@gmail.com
Subject: bug#56137: bug#58650: OpenSSL 1.1.1n test failures due to expired certificates (time bomb)
Date: Sun, 26 Feb 2023 23:03:53 -0500	[thread overview]
Message-ID: <871qmbdaae.fsf_-_@gmail.com> (raw)
In-Reply-To: <20230226052906.784-1-maxim.cournoyer@gmail.com> (Maxim Cournoyer's message of "Sun, 26 Feb 2023 00:29:04 -0500")

Hi,

I also tried with libfaketime, which seemed more complete and easy to
setup globally via environment variables:

--8<---------------cut here---------------start------------->8---
modified   gnu/packages/tls.scm
@@ -491,11 +491,47 @@ (define (target->openssl-target target)
                (error "unsupported openssl target architecture")))))
         (string-append kernel "-" arch))))
 
+;;; A minimal version of libfaketime that should remain private.  Its only
+;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's
+;;; git-fetch origin, which pulls git (which requires openssl).
+(define libfaketime-minimal
+  (package
+    (name "libfaketime")
+    (version "0.9.10")
+    (home-page "https://github.com/wolfcw/libfaketime")
+    (source (origin
+              (method url-fetch)
+              ;; XXX: We cheat and use a dynamically generated archive GitHub
+              ;; link here, since we can't fetch from git.
+              (uri (string-append  "https://github.com/wolfcw/" name
+                                   "/archive/refs/tags/v" version ".tar.gz"))
+              (sha256
+               (base32
+                "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj"))))
+    (build-system gnu-build-system)
+    (arguments
+     (list
+      #:make-flags #~(list "all")
+      #:tests? #f
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda* (#:key outputs #:allow-other-keys)
+              (setenv "CC" #$(cc-for-target))
+              (setenv "PREFIX" #$output))))))
+    (synopsis "Fake the system time for single applications")
+    (description
+     "The libfaketime library allows users to modify the system time that an
+application \"sees\".  It is meant to be loaded using the dynamic linker's
+@code{LD_PRELOAD} environment variable.  The @command{faketime} command
+provides a simple way to achieve this.")
+    (license license:gpl2)))
+
 (define-public openssl-1.1
   ;; Note to maintainers: when updating this package, make sure to update the
   ;; RELEASE-DATE variable below.  It is used by datefudge to avoid time bombs
   ;; in the test suite.
-  (let ((release-date "2021-08-24 00:00"))
+  (let ((release-date "@2021-08-24 00:00:00"))
     (package
       (name "openssl")
       (version "1.1.1l")
@@ -517,7 +553,7 @@ (define-public openssl-1.1
       (outputs '("out"
                  "doc"      ;6.8 MiB of man3 pages and full HTML documentation
                  "static")) ;6.4 MiB of .a files
-      (native-inputs (list datefudge perl))
+      (native-inputs (list libfaketime-minimal perl))
       (arguments
        (list
         #:modules '((guix build gnu-build-system)
@@ -537,6 +573,15 @@ (define-public openssl-1.1
         #:disallowed-references (list (canonical-package perl))
         #:phases
         #~(modify-phases %standard-phases
+            (add-before 'unpack 'setup-libfaketime
+              (lambda* (#:key native-inputs inputs #:allow-other-keys)
+                (let ((libfaketime.so.1 (search-input-file
+                                         (or native-inputs inputs)
+                                         "lib/faketime/libfaketime.so.1")))
+                  (setenv "LD_PRELOAD" libfaketime.so.1)
+                  (setenv "NO_FAKE_STAT" "1")
+                  (setenv "FAKETIME_DONT_RESET" "1")
+                  (setenv "FAKETIME" #$release-date))))
             #$@(if (%current-target-system)
                    #~((add-before 'configure 'set-cross-compile

--8<---------------cut here---------------end--------------->8---

But I still get the same error:

--8<---------------cut here---------------start------------->8---
../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0
    ok 1 - Getting output from generate_ssl_tests.pl.
    ok 2 - Comparing generated sources.
        # Subtest: ../ssl_test
        1..1
            # Subtest: test_handshake
            1..6
            ok 1 - iteration 1
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:34
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
            not ok 2 - iteration 2
            ok 3 - iteration 3
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:34
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
            not ok 4 - iteration 4
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:34
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
            not ok 5 - iteration 5
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:34
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
            not ok 6 - iteration 6
        not ok 1 - test_handshake
../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1
    not ok 3 - running ssl_test 12-ct.conf

    #   Failed test 'running ssl_test 12-ct.conf'
    #   at ../test/recipes/80-test_ssl_new.t line 148.
    # Looks like you failed 1 test of 3.
not ok 12 - Test configuration 12-ct.conf

#   Failed test 'Test configuration 12-ct.conf'
#   at
#   /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm
#   line 1212.
--8<---------------cut here---------------end--------------->8---

When attempting to build with

--8<---------------cut here---------------start------------->8---
./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'
--8<---------------cut here---------------end--------------->8---

Upstream seems to have moved to give very large expiry dates on their
test certs (100 years), so perhaps we can simply remove this test and
hope the problem doesn't come back to haunt us...

-- 
Thanks,
Maxim

     prev parent reply	other threads:[~2023-02-27  4:31 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-22  9:58 bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Ludovic Courtès
2022-06-22 10:39 ` Ludovic Courtès
2022-06-22 10:49   ` Maxime Devos
2022-06-24 14:47     ` Ludovic Courtès
2022-06-24 15:00       ` Maxime Devos
2023-02-26  5:29 ` bug#56137: [PATCH 1/2] gnu: openssl-1.1: Do not quasiquote arguments Maxim Cournoyer
2023-02-26  5:29   ` bug#56137: [PATCH 2/2] gnu: openssl-1.1: Run the test suite through datefudge Maxim Cournoyer
2023-02-26  6:03     ` Maxim Cournoyer
2023-02-27  4:03   ` Maxim Cournoyer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871qmbdaae.fsf_-_@gmail.com \
    --to=maxim.cournoyer@gmail.com \
    --cc=56137@debbugs.gnu.org \
    --cc=58650@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    --cc=maximedevos@telenet.be \
    --cc=sjors@sprovoost.nl \
    --cc=zimon.toutoune@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).