
Comments (69)

baentsch commented on August 26, 2024

Finally, confirmation that OSX builds and tests OK via CI: https://app.circleci.com/pipelines/github/open-quantum-safe/oqs-provider/418/workflows/2b807d0b-0dbb-4c93-ada0-b41242e02c63/jobs/440. Thanks for triggering us to support OSX, @mouse07410 : Looks like you were the first person caring to use (or actually test :) oqs-provider on that platform!

from oqs-provider.

baentsch commented on August 26, 2024

Thanks very much for these thoughts, trials and very helpful comments!

First, I'd rather not do a full rebuild of everything (OpenSSL, liboqs) merely for the pleasure of being able to run the tests locally.

Completely understandable and logical. I just need(ed) a baseline to see whether oqsprovider works at all under OSX.

I am building this provider for the system-wide (Macports-installed) OpenSSL-3.1.0, which is binaries-only. So, I am trying to test it against that.

Very good goal and one I'd (also) like to see achieved for sure.

what would happen if I change it to activate = 0. Would the corresponding provider still load automatically when needed?

No. But I'd argue it's not needed for this (oqsprovider) test. oqsprovider only needs the default provider to function properly (for classic/PQ hybrid algs). So setting all "activate=0" except for default and oqsprovider would be a(nother) baseline.

  • insufficient configurability of the oqs-provider

Well, we're relying on the configuration capabilities of openssl, namely OPENSSL_MODULES env var. The test scripts set a default (sensible for a local build) if nothing else is set (which may be more sensible in a setup without a local openssl build).

But then again, I'm all ears for suggestions what additional config options you'd find helpful.

Also, note that the script thinks the all tests "passed", despite evidence to the contrary.

That's a clear mistake -- not checking the retval of ctest. Noted for improvement.

The immediate cause of this failure is the insistence of the scripts to find openssl.cnf in the same directory as the openssl executable

Agreed, the scripts should not set them "hard" via the -conf parameter (but instead rely on the standard OPENSSL_CONF env var -- which then needs to have contents needed for testing, i.e., something along the lines of "scripts/openssl-ca.cnf"). Noted as further point for improvement.

Certificate request self-signature did not match the contents
8096FA56F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
8096FA56F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:

Those are very helpful hints. But one I cannot understand (how it hits that error condition -- short of maybe being unable to get the file input). Did any files get created in the tmp directory? The "interop.log" file should be a bit more informative...

BTW, and talking about "informative": if/as debugging is a pain, if you build oqsprovider with -DCMAKE_BUILD_TYPE=Debug you can make it very chatty by enabling environment variables, the most relevant being listed here.

--> Would you have time/inclination to give this a try in your setup (and run the tests with all of them set, at least OQSPROV=1 OQSKM=1 OQSKEY=1)? interop.log then should become telltale as to what the problem is.

In the mean time, I'll try to create a setup mirroring yours on the M1 I have remotely available....

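The two points conceded in the reply above, that the scripts do not check ctest's return value and that they hard-wire `-config $OPENSSL_APP.cnf` instead of honouring OPENSSL_CONF, can be handled in a few lines of POSIX sh. The following is an added example, not code from the oqs-provider scripts; the fallback file name scripts/openssl-ca.cnf is taken from the comment, and the step names and commands in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of oqs-provider's scripts: a test-driver fragment that
# (1) takes the OpenSSL config from OPENSSL_CONF, with a repo-local fallback,
# instead of assuming "$OPENSSL_APP.cnf" exists next to the binary, and
# (2) records the exit status of every step (ctest included) so that the
# final "All ... passed" line can only be printed when nothing failed.

# Print the config file to use. Honour OPENSSL_CONF when it points at a
# readable file; otherwise fall back to the given (or default) local file.
resolve_openssl_conf() {
    fallback=${1:-scripts/openssl-ca.cnf}   # name mentioned in the thread; assumed here
    if [ -n "${OPENSSL_CONF:-}" ] && [ -r "$OPENSSL_CONF" ]; then
        printf '%s\n' "$OPENSSL_CONF"
    elif [ -r "$fallback" ]; then
        printf '%s\n' "$fallback"
    else
        echo "resolve_openssl_conf: no readable openssl.cnf; set OPENSSL_CONF" >&2
        return 1
    fi
}

# Run one named step ("$@" is the command). The step's own exit status is
# what gets recorded; the script reaching its last line proves nothing.
FAILED=0
run_step() {
    step_name=$1
    shift
    if "$@"; then
        echo "[ok]   $step_name"
    else
        step_rc=$?
        echo "[FAIL] $step_name (exit status $step_rc)" >&2
        FAILED=$((FAILED + 1))
        return "$step_rc"
    fi
}

# Final verdict: non-zero if any step failed, so callers (CI included) see it.
report() {
    if [ "$FAILED" -eq 0 ]; then
        echo "All oqsprovider tests passed."
    else
        echo "$FAILED test step(s) FAILED." >&2
        return 1
    fi
}

# Typical use (commands are illustrative; OPENSSL_APP and _build as in the thread):
#   conf=$(resolve_openssl_conf) || exit 1
#   run_step certgen sh scripts/oqsprovider-certgen.sh dilithium2
#   run_step ctest   ctest --test-dir _build --output-on-failure
#   report
```

With this shape the "All oqsprovider tests passed." line shown later in the thread after two aborted ctest cases cannot occur: `report` only prints it when every `run_step` returned zero, and its own exit status carries the verdict to the caller.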

baentsch commented on August 26, 2024

Recommendations?

I'll work on #136 . As we always aimed to support all OpenSSL3.x versions that should solve the problem. Stay tuned.


mouse07410 commented on August 26, 2024

openssl/openssl#19326

Done: openssl/openssl#20653

Another thought/question: Does sth change if you (also) disable PKCS#11 provider? And Legacy provider?

For the (perverted) fun of it, I tried it - with the very obvious and very much expected result: no, it makes no difference.

Which should've been obvious from the fact that just disabling the GOST provider remedied the problem, with all the other providers remaining enabled.

Summary: disabling GOST provider remedies the problem, regardless of the other providers. Enabling GOST provider manifests this problem, regardless of the other providers.


baentsch commented on August 26, 2024

Thus, if tests are supported at all, limiting "full test suite" (5 tests?) to the unreleased master only does not seem like a good idea.

Formulated that way, I'd agree. However, the tests I consider most important (openssl req|verify|ca|dgst|cms|x509|s_client|s_server for quite some params and all algorithms) are run for each version. The ones I'd limit are 3 (of the 5) additional ctest tests: Those are API tests with limited additional value over the tests mentioned above -- limited knowing that these tests ran successfully in master over time/while master was 3.0 and then 3.1 and under the assumption that OpenSSL doesn't change API functionality in non-master versions -- which I'd consider a pretty safe bet.

But whatever, using the internal ssltestlib only was meant to eliminate the need to write my own separate test harness -- I'm pretty much on my own doing this project, so need to be "economical". A much cleaner way indeed would be to "break free" from this dependency. Added #137 to track.

I'd be willing to go with even a patch for test/helpers/ssltestlib.c in this repo (maybe just include it in the README), since OpenSSL does not want to incorporate it.

Agreed, that'd be a stopgap measure short of resolving #137. However, I've been there before (patching upstream code for this purpose in oqsprovider) and it was a never-ending problem: As soon as sth changed upstream I had to change the patch. "Doing" this in documentation is IMO too problematic for most users (who typically anyway don't read documentation). I may give it a try again, though, considering that older (I know, I know....) OpenSSL versions shouldn't change code so quickly such as to make the patch worthless equally quickly.

Thanks for the feedback and food for thought.


baentsch commented on August 26, 2024

A comment at the same moment. Impressive :)


mattcaswell commented on August 26, 2024

Yes, probably - but (a) where in your opinion the root cause is (aka, what component issues those improper calls, and why), and (b) how do we fix it, and where (in what component)?

This is a bug in the OpenSSL library, not in the config or providers.

Also, it looks like the fix was merged two-three weeks ago into 3.1, so should've been picked by Macports by now? I'm trying to understand why I don't see the behavior change yet on my machines...

Because it's only in git, not in a stable release yet. When 3.1.1 eventually gets released the fix will be included.


baentsch commented on August 26, 2024

Finally finding time to work on oqsprovider again... :-/ So, thanks, @mouse07410 for the report above. I could reproduce and track in #160. If you agree this is the same (remaining) issue in this issue thread (?), let's close this and continue in #160.


baentsch commented on August 26, 2024

Thanks for the report -- actually the first report oqsprovider "somewhat" runs on OSX... (never tried -- see #46) -- I could try to debug into this on a remote M1, now that I think about it... Would you be willing to share instructions or a script how you built everything on OSX? Any suggestions as to which command line tools (I have ssh access only) exist on OSX for debugging into this (gdb style)? Just looking at the stack trace, though, I have a nagging feeling this is an OpenSSL issue: There's no reason why oqsprovider would trigger (loading) gostprovider....

Note: commenting out, e.g., GOST provider in openssl.cnf did not help.

But this cannot be: What code then triggers the load of gostprovider in the stack trace above? Could you please try to simply disable gostprovider from being loaded (e.g., chmod gou-rwx gostprovider*)? Sorry for the "guesswork" -- I never saw all of these providers running at the same time.... So, a script to replicate this setup would be very helpful indeed.


baentsch commented on August 26, 2024

Update: With the minimal change in #134 a complete build and test cycle (running scripts/fullbuild.sh and scripts/runtests.sh) passes successfully on OSX.

Therefore, please provide full script set to reproduce the problem described. Also, please describe how OpenSSL3 and the various other providers were built/installed.


baentsch commented on August 26, 2024

Further update excluding the OpenSSL version chosen as a contributor to the issue: MAKE_PARAMS=-j OPENSSL_BRANCH=openssl-3.1.0 ./scripts/fullbuild.sh -F && ./scripts/runtests.sh -V also passes without problems using

Apple clang version 14.0.0 (clang-1400.0.29.202)
Target: arm64-apple-darwin22.2.0
Thread model: posix


mouse07410 commented on August 26, 2024

. . . a complete build and test cycle (running scripts/fullbuild.sh and scripts/runtests.sh) passes successfully on OSX

First, I'd rather not do a full rebuild of everything (OpenSSL, liboqs) merely for the pleasure of being able to run the tests locally.

So, while I do have a clone of the OpenSSL master ($HOME/src/openssl/ 3.2.0-dev), I am building this provider for the system-wide (Macports-installed) OpenSSL-3.1.0, which is binaries-only. So, I am trying to test it against that.

Would you be willing to share instructions or a script how you built everything on OSX?

Certainly.

$ cmake -DOPENSSL_ROOT_DIR="/opt/local/libexec/openssl3" -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib " -DCMAKE_VERBOSE_MAKEFILE:BOOL=True  -S . -B _build
.  .  .
$ cmake --build _build

What code [then] triggers the load of gostprovider in the stack trace above?

My assumption is - this (in /opt/local/lib/etc/openssl/openssl.cnf):

[provider_sect]
 default = default_sect
 legacy = legacy_sect
 pkcs11 = pkcs11_sect
 gost   = gost_sect
 base = base_sect
 oqs = oqs_sect

[default_sect]
 activate = 1

[legacy_sect]
 activate = 1

[pkcs11_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
 pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 activate = 1

[gost_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
 activate = 1

[base_sect]
 activate = 1

[oqs_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
 activate = 1

As you see, GOST provider is activated by default. I'm not sure I fully understand the meaning/implication of activate = 1 here, or, rather, what would happen if I change it to activate = 0. Would the corresponding provider still load automatically when needed?

Any suggestions as to which command line tools (I have ssh access only) exist on OSX for debugging into this (gdb style)?

Here you got me. As far as I'm concerned, debugging on OSX is living hell. OSX Xcode includes lldb, but I never mastered its commands. One can install gdb (I do it via Macports; it provides an executable named ggdb which you'd need to digitally sign with a codesigning key using the codesign CLI command), but it wasn't a great help to me. YMMV. Just in case, here's how I sign executables:

  1. Get code-signing identity via security find-identity -p codesigning -v and copy the text looking like "Apple Development: My Name (LKEUYAD994)"
  2. Run sudo codesign -s "Apple Development: My Name (LKEUYAD994)" --force /opt/local/bin/ggdb

I think I know why the tests fail - insufficient configurability of the oqs-provider. Here's what I'm trying to do (after successful build), and how it fails:

$ OPENSSL_APP=/opt/local/bin/openssl OPENSSL_MODULES=/opt/local/lib/ossl-modules/ DYLD_LIBRARY_PATH="/opt/local/lib:$DYLD_LIBRARY_PATH" LD_LIBRARY_PATH=/opt/local/lib scripts/runtests.sh 
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
list: unable to load provider oqsprovider
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
8096FA56F87F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(_build/lib/oqsprovider.dylib): dlopen(_build/lib/oqsprovider.dylib, 0x0002): Library not loaded: @rpath/liboqs.2.dylib
  Referenced from: <66672B79-87AB-3F61-9D83-E3580EE7C899> /Users/ur20980/src/oqs-provider/_build/lib/oqsprovider.0.5.0-dev.dylib
  Reason: tried: '/System/Volumes/Preboot/Cryptexes/OS@rpath/liboqs.2.dylib' (no such file), '/usr/local/lib/liboqs.2.dylib' (no such file), '/usr/lib/liboqs.2.dylib' (no such file, not in dyld cache)
8096FA56F87F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
8096FA56F87F0000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:904:name=oqsprovider
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
list: unable to load provider oqsprovider
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
8096FA56F87F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/opt/local/lib/ossl-modules/oqsprovider.dylib): dlopen(/opt/local/lib/ossl-modules/oqsprovider.dylib, 0x0002): Library not loaded: @rpath/liboqs.2.dylib
  Referenced from: <66672B79-87AB-3F61-9D83-E3580EE7C899> /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
  Reason: tried: '/System/Volumes/Preboot/Cryptexes/OS@rpath/liboqs.2.dylib' (no such file), '/usr/local/lib/liboqs.2.dylib' (no such file), '/usr/lib/liboqs.2.dylib' (no such file, not in dyld cache)
8096FA56F87F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
8096FA56F87F0000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:904:name=oqsprovider
-n .
.  .  .
list: unable to load provider oqsprovider
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
8096FA56F87F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/opt/local/lib/ossl-modules/oqsprovider.dylib): dlopen(/opt/local/lib/ossl-modules/oqsprovider.dylib, 0x0002): Library not loaded: @rpath/liboqs.2.dylib
  Referenced from: <66672B79-87AB-3F61-9D83-E3580EE7C899> /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
  Reason: tried: '/System/Volumes/Preboot/Cryptexes/OS@rpath/liboqs.2.dylib' (no such file), '/usr/local/lib/liboqs.2.dylib' (no such file), '/usr/lib/liboqs.2.dylib' (no such file, not in dyld cache)
8096FA56F87F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
8096FA56F87F0000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:904:name=oqsprovider
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/2 Test #1: oqs_signatures ...................Subprocess aborted***Exception:   0.01 sec
    Start 2: oqs_kems
2/2 Test #2: oqs_kems .........................Subprocess aborted***Exception:   0.01 sec

0% tests passed, 2 tests failed out of 2

Total Test time (real) =   0.02 sec

The following tests FAILED:
	  1 - oqs_signatures (Subprocess aborted)
	  2 - oqs_kems (Subprocess aborted)
Errors while running CTest
Output from these tests are in: /Users/ur20980/src/oqs-provider/_build/Testing/Temporary/LastTest.log
Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.

All oqsprovider tests passed.
$ 
$ ll /opt/local/lib/liboqs*.dylib
-rwxr-xr-x  1 root  wheel  9793096 Mar 26 14:26 /opt/local/lib/liboqs.0.8.0-dev.dylib*
lrwxr-xr-x  1 root  wheel       22 Mar 10 17:05 /opt/local/lib/liboqs.2.dylib@ -> liboqs.0.8.0-dev.dylib
lrwxr-xr-x  1 root  wheel       14 Mar 10 17:05 /opt/local/lib/liboqs.dylib@ -> liboqs.2.dylib
$ 

Also, note that the script thinks the all tests "passed", despite evidence to the contrary.


After I decided to bite the bullet and put a copy of liboqs.2.dylib where the script can't fail to locate it:

$ sudo ln -s /opt/local/lib/liboqs.2.dylib /usr/local/lib/
$ OPENSSL_APP=/opt/local/bin/openssl OPENSSL_MODULES=/opt/local/lib/ossl-modules/ DYLD_LIBRARY_PATH="/opt/local/lib:$DYLD_LIBRARY_PATH" LD_LIBRARY_PATH=/opt/local/lib scripts/runtests.sh 
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  gost
    name: OpenSSL GOST Provider
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
localalgtest dilithium2 failed. Exiting..
$ 

Alas, no more data here, I can only guess what it was trying to do, or what/why failed.
The immediate cause of this failure is the insistence of the scripts to find openssl.cnf in the same directory as the openssl executable. From interop.log:

Can't open "/opt/local/bin/openssl.cnf" for reading, No such file or directory
8096FA56F87F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(/opt/local/bin/openssl.cnf, r)
8096FA56F87F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:
Can't open "/opt/local/bin/openssl.cnf" for reading, No such file or directory
8096FA56F87F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(/opt/local/bin/openssl.cnf, r)
8096FA56F87F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:
Can't open "/opt/local/bin/openssl.cnf" for reading, No such file or directory
8096FA56F87F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(/opt/local/bin/openssl.cnf, r)
8096FA56F87F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:

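Two things in the comment above lend themselves to a small helper: the question of what `activate = 1` in the provider sections means, which baentsch's reply earlier on this page answers by suggesting a baseline with only the default provider and oqsprovider activated, and the `openssl list -providers` listing that shows which providers actually came up. The following is an added example, not code from oqs-provider or OpenSSL; the module paths written into the config are the Macports paths quoted in the thread, used here as assumptions, and the sample listing is a trimmed copy of the output shown above.

```shell
#!/bin/sh
# Added example, not oqs-provider's or OpenSSL's own code.

# write_baseline_cnf: emit a minimal openssl.cnf in which only the default
# provider and oqsprovider are activated at start-up; other sections are kept
# but switched off with "activate = 0" (the baseline suggested in the thread).
# $1 = output file, $2 = oqsprovider module path (default: the Macports path
# quoted in the thread, an assumption).
write_baseline_cnf() {
    out=$1
    oqs_module=${2:-/opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib}
    cat > "$out" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
legacy = legacy_sect
gost = gost_sect

[default_sect]
activate = 1

[oqsprovider_sect]
module = $oqs_module
activate = 1

[legacy_sect]
activate = 0

[gost_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
activate = 0
EOF
}

# active_providers: read "openssl list -providers" output on stdin and print
# the name of every provider whose provider-level status line says "active".
active_providers() {
    awk '
        /^  [^ ]/             { name = $1; next }   # two-space indent: provider name
        /^    status: active/ { print name }        # four-space indent: its status
    '
}

# only_active: succeed only when the set of active providers equals the
# expected names. usage: openssl list -providers | only_active default oqsprovider
only_active() {
    got=$(active_providers | sort | tr '\n' ' ')
    want=$(printf '%s\n' "$@" | sort | tr '\n' ' ')
    [ "$got" = "$want" ]
}

# Sample listing, constructed from the output quoted in the thread (trimmed;
# the gost provider genuinely reports no version line there).
sample_provider_listing() {
    cat <<'EOF'
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  gost
    name: OpenSSL GOST Provider
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
EOF
}
```

A provider section with `activate = 0` is not loaded when libcrypto starts; it is only loaded when something asks for it explicitly, for example `-provider gost` on the command line, which is why the reply above says "No" to automatic loading. To check the baseline on a real system, point OPENSSL_CONF at the generated file, set OPENSSL_MODULES to the module directory (the test scripts rely on it, as noted earlier), and run `openssl list -providers | only_active default oqsprovider`; a non-zero exit means some other provider was still activated.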

mouse07410 commented on August 26, 2024

Update

After mucking with the scripts, here's where we are now:

$ LOCALTESTONLY="yes" OPENSSL_APP=/opt/local/bin/openssl OPENSSL_MODULES=/opt/local/lib/ossl-modules/ LD_LIBRARY_PATH=/opt/local/lib scripts/runtests.sh 
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  gost
    name: OpenSSL GOST Provider
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
localalgtest dilithium2 failed. Exiting..
$ !cat
cat interop.log 
-----
-----
Certificate request self-signature did not match the contents
8096FA56F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
8096FA56F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:
$ 

These are the edits against your master branch:

diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh
index 0c772c2..9664812 100755
--- a/scripts/oqsprovider-certgen.sh
+++ b/scripts/oqsprovider-certgen.sh
@@ -24,9 +24,9 @@ fi
 
 #rm -rf tmp
 mkdir -p tmp
-$OPENSSL_APP req -x509 -new -newkey $1 -keyout tmp/$1_CA.key -out tmp/$1_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config $OPENSSL_APP.cnf -provider oqsprovider -provider default && \
+$OPENSSL_APP req -x509 -new -newkey $1 -keyout tmp/$1_CA.key -out tmp/$1_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config $OPENSSL_CONF -provider oqsprovider -provider default && \
 $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key -provider oqsprovider -provider default && \
-$OPENSSL_APP req -new -newkey $1 -keyout tmp/$1_srv.key -out tmp/$1_srv.csr -nodes -subj "/CN=oqstest server" -config $OPENSSL_APP.cnf -provider oqsprovider -provider default && \
+$OPENSSL_APP req -new -newkey $1 -keyout tmp/$1_srv.key -out tmp/$1_srv.csr -nodes -subj "/CN=oqstest server" -config $OPENSSL_CONF -provider oqsprovider -provider default && \
 $OPENSSL_APP x509 -req -in tmp/$1_srv.csr -out tmp/$1_srv.crt -CA tmp/$1_CA.crt -CAkey tmp/$1_CA.key -CAcreateserial -days 365 -provider oqsprovider -provider default && \
 $OPENSSL_APP verify -provider oqsprovider -provider default -CAfile tmp/$1_CA.crt tmp/$1_srv.crt
 
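Review bot: the two `req` lines now depend on OPENSSL_CONF being exported; when it is unset, `-config` receives an empty argument and `openssl req` fails with a message that does not point at the missing variable. Consider a guard near the top of the script such as `: "${OPENSSL_CONF:?set OPENSSL_CONF to the config used for testing}"` (or a fallback to a repository file), and quote the expansion as `-config "$OPENSSL_CONF"` so a path with spaces does not split. Since the OpenSSL commands already read OPENSSL_CONF from the environment when no `-config` is given, the flag could also be dropped entirely once the variable is required.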
diff --git a/scripts/oqsprovider-certverify.sh b/scripts/oqsprovider-certverify.sh
index b874a2d..3145c61 100755
--- a/scripts/oqsprovider-certverify.sh
+++ b/scripts/oqsprovider-certverify.sh
@@ -24,7 +24,7 @@ fi
 
 # check that CSR can be output OK
 
-$OPENSSL_APP req -text -in tmp/$1_srv.csr -noout -provider oqsprovider -provider default -config $OPENSSL_APP.cnf 2>&1 | grep Error
+$OPENSSL_APP req -text -in tmp/$1_srv.csr -noout -provider oqsprovider -provider default -config $OPENSSL_CONF 2>&1 | grep Error
 if [ $? -eq 0 ]; then
     echo "Couldn't print CSR correctly. Exiting."
     exit 1
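Review bot: the check below this line tests only whether the output contains the capitalised word "Error", so the very failure reported earlier in this thread (`Can't open "/opt/local/bin/openssl.cnf" for reading` followed by `...:error:80000002:system library:BIO_new_file...`) would not be caught, and the script would continue as if the CSR printed fine. Testing the exit status of `req` itself, e.g. `if ! $OPENSSL_APP req -text -in tmp/$1_srv.csr -noout ... -config "$OPENSSL_CONF" >/dev/null 2>&1; then`, is more robust than grepping its merged output, and the same unset-OPENSSL_CONF and quoting concern as in the certgen hunk applies here.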
$ env | grep OPENSSL
OPENSSL_LIB_DIR=/opt/local/lib
OPENSSL_INCLUDE_DIR=/opt/local/include
OPENSSL_CFLAGS= -I/opt/local/include
OPENSSL_ROOT_DIR=/opt/local/libexec/openssl3
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_DIR=/opt/local/libexec/openssl3
$


mouse07410 commented on August 26, 2024

Offhand - more details later.

Did any files get created in the tmp directory?

None whatsoever.

$ pwd
/Users/ur20980/src/oqs-provider
$ ls -l tmp
total 0
$ 

The "interop.log" file should be a bit more informative...

My point exactly! ;-)

if/as debugging is a pain, if you build oqsprovider with -DCMAKE_BUILD_TYPE=Debug you can make it very chatty by enabling environment variables, the most relevant being listed here.
--> Would you have time/inclination to give this a try in your setup (and run the tests with all of them set, at least OQSPROV=1 OQSKM=1 OQSKEY=1)? interop.log then should become telltale as to what the problem is.

Will do my best.

In the mean time, I'll try to create a setup mirroring yours on the M1 I have remotely available....

Great! In the meanwhile, I'm observing exactly the same behavior on my Intel-based Macs. So, most likely it is not Apple Silicon-specific.


mouse07410 commented on August 26, 2024

I tried to rebuild with -DCMAKE_BUILD_TYPE=Debug, and immediately hit this problem:

-- The C compiler identification is AppleClang 14.0.0.14000029
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Creating Debug build with OQS-Debug env vars enabled
-- Build will store public keys in PKCS#8 structures
-- Build will include external encoding library for SPKI/PKCS#8
-- Found OpenSSL: /opt/local/libexec/openssl3/lib/libcrypto.dylib (found suitable version "3.1.0", minimum required is "3.0")  
-- Building commit c71c2ad in /Users/ur20980/src/oqs-provider
-- Configuring done
CMake Error at test/CMakeLists.txt:46 (add_executable):
  Cannot find source file:

    /Users/ur20980/src/oqs-provider/openssl/test/helpers/ssltestlib.c

  Tried extensions .c .C .c++ .cc .cpp .cxx .cu .mpp .m .M .mm .ixx .cppm .h
  .hh .h++ .hm .hpp .hxx .in .txx .f .F .for .f77 .f90 .f95 .f03 .hip .ispc


CMake Error at test/CMakeLists.txt:46 (add_executable):
  No SOURCES given to target: oqs_test_groups


CMake Error at test/CMakeLists.txt:66 (add_executable):
  No SOURCES given to target: oqs_test_tlssig


CMake Generate step failed.  Build files cannot be regenerated correctly.
If the above succeeded, you can build with: cmake --build _build

Why shouldn't I be able to build a provider in debug mode without OpenSSL source available? Not to mention that my OpenSSL source is master, and I'd rather not mess with either cloning another copy of OpenSSL, or reconfiguring the 3.2.0-dev build tree.

Would you have time/inclination to give this a try in your setup (and run the tests with all of them set, at least OQSPROV=1 OQSKM=1 OQSKEY=1)?

It doesn't tell a lot to me, but maybe it would be of use to you:

$ rm interop.log 
$ OQSPROV=1 OQSKM=1 OQSKEY=1 scripts/runtests.sh 
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/libexec/openssl3/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
OQS PROV: successfully registered dilithium2 with NID 1250
OQS PROV: successfully registered p256_dilithium2 with NID 1251
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1252
OQS PROV: successfully registered dilithium3 with NID 1253
OQS PROV: successfully registered p384_dilithium3 with NID 1254
OQS PROV: successfully registered dilithium5 with NID 1255
OQS PROV: successfully registered p521_dilithium5 with NID 1256
OQS PROV: successfully registered dilithium2_aes with NID 1257
OQS PROV: successfully registered p256_dilithium2_aes with NID 1258
OQS PROV: successfully registered rsa3072_dilithium2_aes with NID 1259
OQS PROV: successfully registered dilithium3_aes with NID 1260
OQS PROV: successfully registered p384_dilithium3_aes with NID 1261
OQS PROV: successfully registered dilithium5_aes with NID 1262
OQS PROV: successfully registered p521_dilithium5_aes with NID 1263
OQS PROV: successfully registered falcon512 with NID 1264
OQS PROV: successfully registered p256_falcon512 with NID 1265
OQS PROV: successfully registered rsa3072_falcon512 with NID 1266
OQS PROV: successfully registered falcon1024 with NID 1267
OQS PROV: successfully registered p521_falcon1024 with NID 1268
OQS PROV: successfully registered sphincsharaka128frobust with NID 1269
OQS PROV: successfully registered p256_sphincsharaka128frobust with NID 1270
OQS PROV: successfully registered rsa3072_sphincsharaka128frobust with NID 1271
OQS PROV: successfully registered sphincsharaka128fsimple with NID 1272
OQS PROV: successfully registered p256_sphincsharaka128fsimple with NID 1273
OQS PROV: successfully registered rsa3072_sphincsharaka128fsimple with NID 1274
OQS PROV: successfully registered sphincssha256128frobust with NID 1275
OQS PROV: successfully registered p256_sphincssha256128frobust with NID 1276
OQS PROV: successfully registered rsa3072_sphincssha256128frobust with NID 1277
OQS PROV: successfully registered sphincssha256128ssimple with NID 1278
OQS PROV: successfully registered p256_sphincssha256128ssimple with NID 1279
OQS PROV: successfully registered rsa3072_sphincssha256128ssimple with NID 1280
OQS PROV: successfully registered sphincsshake256128fsimple with NID 1281
OQS PROV: successfully registered p256_sphincsshake256128fsimple with NID 1282
OQS PROV: successfully registered rsa3072_sphincsshake256128fsimple with NID 1283
OQS PROV: Default or FIPS provider available.
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  gost
    name: OpenSSL GOST Provider
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
localalgtest dilithium2 failed. Exiting..
$ cat interop.log 
-----
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
-----
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Certificate request self-signature did not match the contents
40C17D0102000000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40C17D0102000000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
$ ll tmp
total 64
drwxr-xr-x   6 ur20980  staff   192 Mar 29 17:52 ./
drwxr-xr-x  19 ur20980  staff   608 Mar 29 17:54 ../
-rw-r--r--   1 ur20980  staff  5458 Mar 29 17:54 dilithium2_CA.crt
-rw-------   1 ur20980  staff  5295 Mar 29 17:54 dilithium2_CA.key
-rw-r--r--   1 ur20980  staff  5238 Mar 29 17:54 dilithium2_srv.csr
-rw-------   1 ur20980  staff  5295 Mar 29 17:54 dilithium2_srv.key
$ 

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

After some messing around with scripts and disabling OQS provider in the $OPENSSL_CONF file:

$ OQSPROV=1 OQSKM=1 OQSKEY=1 scripts/runtests.sh
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/libexec/openssl3/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
OQS PROV: successfully registered dilithium2 with NID 1250
OQS PROV: successfully registered p256_dilithium2 with NID 1251
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1252
OQS PROV: successfully registered dilithium3 with NID 1253
OQS PROV: successfully registered p384_dilithium3 with NID 1254
OQS PROV: successfully registered dilithium5 with NID 1255
OQS PROV: successfully registered p521_dilithium5 with NID 1256
OQS PROV: successfully registered dilithium2_aes with NID 1257
OQS PROV: successfully registered p256_dilithium2_aes with NID 1258
OQS PROV: successfully registered rsa3072_dilithium2_aes with NID 1259
OQS PROV: successfully registered dilithium3_aes with NID 1260
OQS PROV: successfully registered p384_dilithium3_aes with NID 1261
OQS PROV: successfully registered dilithium5_aes with NID 1262
OQS PROV: successfully registered p521_dilithium5_aes with NID 1263
OQS PROV: successfully registered falcon512 with NID 1264
OQS PROV: successfully registered p256_falcon512 with NID 1265
OQS PROV: successfully registered rsa3072_falcon512 with NID 1266
OQS PROV: successfully registered falcon1024 with NID 1267
OQS PROV: successfully registered p521_falcon1024 with NID 1268
OQS PROV: successfully registered sphincsharaka128frobust with NID 1269
OQS PROV: successfully registered p256_sphincsharaka128frobust with NID 1270
OQS PROV: successfully registered rsa3072_sphincsharaka128frobust with NID 1271
OQS PROV: successfully registered sphincsharaka128fsimple with NID 1272
OQS PROV: successfully registered p256_sphincsharaka128fsimple with NID 1273
OQS PROV: successfully registered rsa3072_sphincsharaka128fsimple with NID 1274
OQS PROV: successfully registered sphincssha256128frobust with NID 1275
OQS PROV: successfully registered p256_sphincssha256128frobust with NID 1276
OQS PROV: successfully registered rsa3072_sphincssha256128frobust with NID 1277
OQS PROV: successfully registered sphincssha256128ssimple with NID 1278
OQS PROV: successfully registered p256_sphincssha256128ssimple with NID 1279
OQS PROV: successfully registered rsa3072_sphincssha256128ssimple with NID 1280
OQS PROV: successfully registered sphincsshake256128fsimple with NID 1281
OQS PROV: successfully registered p256_sphincsshake256128fsimple with NID 1282
OQS PROV: successfully registered rsa3072_sphincsshake256128fsimple with NID 1283
OQS PROV: Default or FIPS provider available.
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  gost
    name: OpenSSL GOST Provider
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (c71c2ad) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/2 Test #1: oqs_signatures ...................SIGTRAP***Exception:   0.01 sec
    Start 2: oqs_kems
2/2 Test #2: oqs_kems .........................SIGTRAP***Exception:   0.01 sec

0% tests passed, 2 tests failed out of 2

Total Test time (real) =   0.01 sec

The following tests FAILED:
	  1 - oqs_signatures (SIGTRAP)
	  2 - oqs_kems (SIGTRAP)
Errors while running CTest
Output from these tests are in: /Users/ur20980/src/oqs-provider/_build/Testing/Temporary/LastTest.log
Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.

All oqsprovider tests passed.
$ 
$ ls tmp
demoCA						p384_dilithium3_aes_rootCA.crt
dgstsignfile					p384_dilithium3_aes_rootCA.key
dilithium2.crt					p384_dilithium3_aes_srv.crt
dilithium2.csr					p384_dilithium3_aes_srv.csr
dilithium2.key					p384_dilithium3_aes_srv.key
dilithium2_CA.crt				p384_dilithium3_aes_srv.pubkey
dilithium2_CA.key				p384_dilithium3_rootCA.crt
dilithium2_CA.srl				p384_dilithium3_rootCA.key
dilithium2_aes.crt				p384_dilithium3_srv.crt
dilithium2_aes.csr				p384_dilithium3_srv.csr
dilithium2_aes.key				p384_dilithium3_srv.key
dilithium2_aes_CA.crt				p384_dilithium3_srv.pubkey
dilithium2_aes_CA.key				p521_dilithium5.crt
dilithium2_aes_CA.srl				p521_dilithium5.csr
dilithium2_aes_rootCA.crt			p521_dilithium5.key
dilithium2_aes_rootCA.key			p521_dilithium5_CA.crt
dilithium2_aes_srv.crt				p521_dilithium5_CA.key
dilithium2_aes_srv.csr				p521_dilithium5_CA.srl
dilithium2_aes_srv.key				p521_dilithium5_aes.crt
dilithium2_aes_srv.pubkey			p521_dilithium5_aes.csr
dilithium2_rootCA.crt				p521_dilithium5_aes.key
dilithium2_rootCA.key				p521_dilithium5_aes_CA.crt
dilithium2_srv.crt				p521_dilithium5_aes_CA.key
dilithium2_srv.csr				p521_dilithium5_aes_CA.srl
dilithium2_srv.key				p521_dilithium5_aes_rootCA.crt
dilithium2_srv.pubkey				p521_dilithium5_aes_rootCA.key
dilithium3.crt					p521_dilithium5_aes_srv.crt
dilithium3.csr					p521_dilithium5_aes_srv.csr
dilithium3.key					p521_dilithium5_aes_srv.key
dilithium3_CA.crt				p521_dilithium5_aes_srv.pubkey
dilithium3_CA.key				p521_dilithium5_rootCA.crt
dilithium3_CA.srl				p521_dilithium5_rootCA.key
dilithium3_aes.crt				p521_dilithium5_srv.crt
dilithium3_aes.csr				p521_dilithium5_srv.csr
dilithium3_aes.key				p521_dilithium5_srv.key
dilithium3_aes_CA.crt				p521_dilithium5_srv.pubkey
dilithium3_aes_CA.key				p521_falcon1024.crt
dilithium3_aes_CA.srl				p521_falcon1024.csr
dilithium3_aes_rootCA.crt			p521_falcon1024.key
dilithium3_aes_rootCA.key			p521_falcon1024_CA.crt
dilithium3_aes_srv.crt				p521_falcon1024_CA.key
dilithium3_aes_srv.csr				p521_falcon1024_CA.srl
dilithium3_aes_srv.key				p521_falcon1024_rootCA.crt
dilithium3_aes_srv.pubkey			p521_falcon1024_rootCA.key
dilithium3_rootCA.crt				p521_falcon1024_srv.crt
dilithium3_rootCA.key				p521_falcon1024_srv.csr
dilithium3_srv.crt				p521_falcon1024_srv.key
dilithium3_srv.csr				p521_falcon1024_srv.pubkey
dilithium3_srv.key				rsa3072_dilithium2.crt
dilithium3_srv.pubkey				rsa3072_dilithium2.csr
dilithium5.crt					rsa3072_dilithium2.key
dilithium5.csr					rsa3072_dilithium2_CA.crt
dilithium5.key					rsa3072_dilithium2_CA.key
dilithium5_CA.crt				rsa3072_dilithium2_CA.srl
dilithium5_CA.key				rsa3072_dilithium2_aes.crt
dilithium5_CA.srl				rsa3072_dilithium2_aes.csr
dilithium5_aes.crt				rsa3072_dilithium2_aes.key
dilithium5_aes.csr				rsa3072_dilithium2_aes_CA.crt
dilithium5_aes.key				rsa3072_dilithium2_aes_CA.key
dilithium5_aes_CA.crt				rsa3072_dilithium2_aes_CA.srl
dilithium5_aes_CA.key				rsa3072_dilithium2_aes_rootCA.crt
dilithium5_aes_CA.srl				rsa3072_dilithium2_aes_rootCA.key
dilithium5_aes_rootCA.crt			rsa3072_dilithium2_aes_srv.crt
dilithium5_aes_rootCA.key			rsa3072_dilithium2_aes_srv.csr
dilithium5_aes_srv.crt				rsa3072_dilithium2_aes_srv.key
dilithium5_aes_srv.csr				rsa3072_dilithium2_aes_srv.pubkey
dilithium5_aes_srv.key				rsa3072_dilithium2_rootCA.crt
dilithium5_aes_srv.pubkey			rsa3072_dilithium2_rootCA.key
dilithium5_rootCA.crt				rsa3072_dilithium2_srv.crt
dilithium5_rootCA.key				rsa3072_dilithium2_srv.csr
dilithium5_srv.crt				rsa3072_dilithium2_srv.key
dilithium5_srv.csr				rsa3072_dilithium2_srv.pubkey
dilithium5_srv.key				rsa3072_falcon512.crt
dilithium5_srv.pubkey				rsa3072_falcon512.csr
falcon1024.crt					rsa3072_falcon512.key
falcon1024.csr					rsa3072_falcon512_CA.crt
falcon1024.key					rsa3072_falcon512_CA.key
falcon1024_CA.crt				rsa3072_falcon512_CA.srl
falcon1024_CA.key				rsa3072_falcon512_rootCA.crt
falcon1024_CA.srl				rsa3072_falcon512_rootCA.key
falcon1024_rootCA.crt				rsa3072_falcon512_srv.crt
falcon1024_rootCA.key				rsa3072_falcon512_srv.csr
falcon1024_srv.crt				rsa3072_falcon512_srv.key
falcon1024_srv.csr				rsa3072_falcon512_srv.pubkey
falcon1024_srv.key				rsa3072_sphincsharaka128frobust.crt
falcon1024_srv.pubkey				rsa3072_sphincsharaka128frobust.csr
falcon512.crt					rsa3072_sphincsharaka128frobust.key
falcon512.csr					rsa3072_sphincsharaka128frobust_CA.crt
falcon512.key					rsa3072_sphincsharaka128frobust_CA.key
falcon512_CA.crt				rsa3072_sphincsharaka128frobust_CA.srl
falcon512_CA.key				rsa3072_sphincsharaka128frobust_rootCA.crt
falcon512_CA.srl				rsa3072_sphincsharaka128frobust_rootCA.key
falcon512_rootCA.crt				rsa3072_sphincsharaka128frobust_srv.crt
falcon512_rootCA.key				rsa3072_sphincsharaka128frobust_srv.csr
falcon512_srv.crt				rsa3072_sphincsharaka128frobust_srv.key
falcon512_srv.csr				rsa3072_sphincsharaka128frobust_srv.pubkey
falcon512_srv.key				rsa3072_sphincsharaka128fsimple.crt
falcon512_srv.pubkey				rsa3072_sphincsharaka128fsimple.csr
inputfile					rsa3072_sphincsharaka128fsimple.key
p256_dilithium2.crt				rsa3072_sphincsharaka128fsimple_CA.crt
p256_dilithium2.csr				rsa3072_sphincsharaka128fsimple_CA.key
p256_dilithium2.key				rsa3072_sphincsharaka128fsimple_CA.srl
p256_dilithium2_CA.crt				rsa3072_sphincsharaka128fsimple_rootCA.crt
p256_dilithium2_CA.key				rsa3072_sphincsharaka128fsimple_rootCA.key
p256_dilithium2_CA.srl				rsa3072_sphincsharaka128fsimple_srv.crt
p256_dilithium2_aes.crt				rsa3072_sphincsharaka128fsimple_srv.csr
p256_dilithium2_aes.csr				rsa3072_sphincsharaka128fsimple_srv.key
p256_dilithium2_aes.key				rsa3072_sphincsharaka128fsimple_srv.pubkey
p256_dilithium2_aes_CA.crt			rsa3072_sphincssha256128frobust.crt
p256_dilithium2_aes_CA.key			rsa3072_sphincssha256128frobust.csr
p256_dilithium2_aes_CA.srl			rsa3072_sphincssha256128frobust.key
p256_dilithium2_aes_rootCA.crt			rsa3072_sphincssha256128frobust_CA.crt
p256_dilithium2_aes_rootCA.key			rsa3072_sphincssha256128frobust_CA.key
p256_dilithium2_aes_srv.crt			rsa3072_sphincssha256128frobust_CA.srl
p256_dilithium2_aes_srv.csr			rsa3072_sphincssha256128frobust_rootCA.crt
p256_dilithium2_aes_srv.key			rsa3072_sphincssha256128frobust_rootCA.key
p256_dilithium2_aes_srv.pubkey			rsa3072_sphincssha256128frobust_srv.crt
p256_dilithium2_rootCA.crt			rsa3072_sphincssha256128frobust_srv.csr
p256_dilithium2_rootCA.key			rsa3072_sphincssha256128frobust_srv.key
p256_dilithium2_srv.crt				rsa3072_sphincssha256128frobust_srv.pubkey
p256_dilithium2_srv.csr				rsa3072_sphincssha256128ssimple.crt
p256_dilithium2_srv.key				rsa3072_sphincssha256128ssimple.csr
p256_dilithium2_srv.pubkey			rsa3072_sphincssha256128ssimple.key
p256_falcon512.crt				rsa3072_sphincssha256128ssimple_CA.crt
p256_falcon512.csr				rsa3072_sphincssha256128ssimple_CA.key
p256_falcon512.key				rsa3072_sphincssha256128ssimple_CA.srl
p256_falcon512_CA.crt				rsa3072_sphincssha256128ssimple_rootCA.crt
p256_falcon512_CA.key				rsa3072_sphincssha256128ssimple_rootCA.key
p256_falcon512_CA.srl				rsa3072_sphincssha256128ssimple_srv.crt
p256_falcon512_rootCA.crt			rsa3072_sphincssha256128ssimple_srv.csr
p256_falcon512_rootCA.key			rsa3072_sphincssha256128ssimple_srv.key
p256_falcon512_srv.crt				rsa3072_sphincssha256128ssimple_srv.pubkey
p256_falcon512_srv.csr				rsa3072_sphincsshake256128fsimple.crt
p256_falcon512_srv.key				rsa3072_sphincsshake256128fsimple.csr
p256_falcon512_srv.pubkey			rsa3072_sphincsshake256128fsimple.key
p256_sphincsharaka128frobust.crt		rsa3072_sphincsshake256128fsimple_CA.crt
p256_sphincsharaka128frobust.csr		rsa3072_sphincsshake256128fsimple_CA.key
p256_sphincsharaka128frobust.key		rsa3072_sphincsshake256128fsimple_CA.srl
p256_sphincsharaka128frobust_CA.crt		rsa3072_sphincsshake256128fsimple_rootCA.crt
p256_sphincsharaka128frobust_CA.key		rsa3072_sphincsshake256128fsimple_rootCA.key
p256_sphincsharaka128frobust_CA.srl		rsa3072_sphincsshake256128fsimple_srv.crt
p256_sphincsharaka128frobust_rootCA.crt		rsa3072_sphincsshake256128fsimple_srv.csr
p256_sphincsharaka128frobust_rootCA.key		rsa3072_sphincsshake256128fsimple_srv.key
p256_sphincsharaka128frobust_srv.crt		rsa3072_sphincsshake256128fsimple_srv.pubkey
p256_sphincsharaka128frobust_srv.csr		signeddatafile
p256_sphincsharaka128frobust_srv.key		signedfile.cms
p256_sphincsharaka128frobust_srv.pubkey		sphincsharaka128frobust.crt
p256_sphincsharaka128fsimple.crt		sphincsharaka128frobust.csr
p256_sphincsharaka128fsimple.csr		sphincsharaka128frobust.key
p256_sphincsharaka128fsimple.key		sphincsharaka128frobust_CA.crt
p256_sphincsharaka128fsimple_CA.crt		sphincsharaka128frobust_CA.key
p256_sphincsharaka128fsimple_CA.key		sphincsharaka128frobust_CA.srl
p256_sphincsharaka128fsimple_CA.srl		sphincsharaka128frobust_rootCA.crt
p256_sphincsharaka128fsimple_rootCA.crt		sphincsharaka128frobust_rootCA.key
p256_sphincsharaka128fsimple_rootCA.key		sphincsharaka128frobust_srv.crt
p256_sphincsharaka128fsimple_srv.crt		sphincsharaka128frobust_srv.csr
p256_sphincsharaka128fsimple_srv.csr		sphincsharaka128frobust_srv.key
p256_sphincsharaka128fsimple_srv.key		sphincsharaka128frobust_srv.pubkey
p256_sphincsharaka128fsimple_srv.pubkey		sphincsharaka128fsimple.crt
p256_sphincssha256128frobust.crt		sphincsharaka128fsimple.csr
p256_sphincssha256128frobust.csr		sphincsharaka128fsimple.key
p256_sphincssha256128frobust.key		sphincsharaka128fsimple_CA.crt
p256_sphincssha256128frobust_CA.crt		sphincsharaka128fsimple_CA.key
p256_sphincssha256128frobust_CA.key		sphincsharaka128fsimple_CA.srl
p256_sphincssha256128frobust_CA.srl		sphincsharaka128fsimple_rootCA.crt
p256_sphincssha256128frobust_rootCA.crt		sphincsharaka128fsimple_rootCA.key
p256_sphincssha256128frobust_rootCA.key		sphincsharaka128fsimple_srv.crt
p256_sphincssha256128frobust_srv.crt		sphincsharaka128fsimple_srv.csr
p256_sphincssha256128frobust_srv.csr		sphincsharaka128fsimple_srv.key
p256_sphincssha256128frobust_srv.key		sphincsharaka128fsimple_srv.pubkey
p256_sphincssha256128frobust_srv.pubkey		sphincssha256128frobust.crt
p256_sphincssha256128ssimple.crt		sphincssha256128frobust.csr
p256_sphincssha256128ssimple.csr		sphincssha256128frobust.key
p256_sphincssha256128ssimple.key		sphincssha256128frobust_CA.crt
p256_sphincssha256128ssimple_CA.crt		sphincssha256128frobust_CA.key
p256_sphincssha256128ssimple_CA.key		sphincssha256128frobust_CA.srl
p256_sphincssha256128ssimple_CA.srl		sphincssha256128frobust_rootCA.crt
p256_sphincssha256128ssimple_rootCA.crt		sphincssha256128frobust_rootCA.key
p256_sphincssha256128ssimple_rootCA.key		sphincssha256128frobust_srv.crt
p256_sphincssha256128ssimple_srv.crt		sphincssha256128frobust_srv.csr
p256_sphincssha256128ssimple_srv.csr		sphincssha256128frobust_srv.key
p256_sphincssha256128ssimple_srv.key		sphincssha256128frobust_srv.pubkey
p256_sphincssha256128ssimple_srv.pubkey		sphincssha256128ssimple.crt
p256_sphincsshake256128fsimple.crt		sphincssha256128ssimple.csr
p256_sphincsshake256128fsimple.csr		sphincssha256128ssimple.key
p256_sphincsshake256128fsimple.key		sphincssha256128ssimple_CA.crt
p256_sphincsshake256128fsimple_CA.crt		sphincssha256128ssimple_CA.key
p256_sphincsshake256128fsimple_CA.key		sphincssha256128ssimple_CA.srl
p256_sphincsshake256128fsimple_CA.srl		sphincssha256128ssimple_rootCA.crt
p256_sphincsshake256128fsimple_rootCA.crt	sphincssha256128ssimple_rootCA.key
p256_sphincsshake256128fsimple_rootCA.key	sphincssha256128ssimple_srv.crt
p256_sphincsshake256128fsimple_srv.crt		sphincssha256128ssimple_srv.csr
p256_sphincsshake256128fsimple_srv.csr		sphincssha256128ssimple_srv.key
p256_sphincsshake256128fsimple_srv.key		sphincssha256128ssimple_srv.pubkey
p256_sphincsshake256128fsimple_srv.pubkey	sphincsshake256128fsimple.crt
p384_dilithium3.crt				sphincsshake256128fsimple.csr
p384_dilithium3.csr				sphincsshake256128fsimple.key
p384_dilithium3.key				sphincsshake256128fsimple_CA.crt
p384_dilithium3_CA.crt				sphincsshake256128fsimple_CA.key
p384_dilithium3_CA.key				sphincsshake256128fsimple_CA.srl
p384_dilithium3_CA.srl				sphincsshake256128fsimple_rootCA.crt
p384_dilithium3_aes.crt				sphincsshake256128fsimple_rootCA.key
p384_dilithium3_aes.csr				sphincsshake256128fsimple_srv.crt
p384_dilithium3_aes.key				sphincsshake256128fsimple_srv.csr
p384_dilithium3_aes_CA.crt			sphincsshake256128fsimple_srv.key
p384_dilithium3_aes_CA.key			sphincsshake256128fsimple_srv.pubkey
p384_dilithium3_aes_CA.srl
$ 

interop.log: interop.log.txt

Crash report for oqs_test_kems:

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               oqs_test_kems [61073]
Path:                  /Users/USER/*/oqs_test_kems
Identifier:            oqs_test_kems
Version:               ???
Code Type:             ARM-64 (Native)
Parent Process:        ctest [61071]
Responsible:           Terminal [53861]
User ID:               501

Date/Time:             2023-03-29 18:01:07.2313 -0400
OS Version:            macOS 13.2.1 (22D68)
Report Version:        12
Anonymous UUID:        161C054B-E964-CDD3-5EBC-5A9DBE3E2AE2


Time Awake Since Boot: 240000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000001, 0x00000001a6283108

Termination Reason:    Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process:   exc handler [61073]

Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: Trying to recursively lock an os_once_t
Abort Cause 259


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	       0x1a6283108 _os_once_gate_recursive_abort + 36
1   libsystem_platform.dylib      	       0x1a627f710 _os_once_gate_wait + 348
2   libsystem_pthread.dylib       	       0x1a624dd84 pthread_once + 100
3   libcrypto.3.dylib             	       0x105111fcc CRYPTO_THREAD_run_once + 12
4   libcrypto.3.dylib             	       0x105124ea4 ossl_obj_add_object + 236
5   gostprov.dylib                	       0x1054135b4 populate_gost_engine + 116
6   gostprov.dylib                	       0x105411478 OSSL_provider_init + 116
7   libcrypto.3.dylib             	       0x10510fddc provider_activate + 260
8   libcrypto.3.dylib             	       0x10510fc48 ossl_provider_activate + 56
9   libcrypto.3.dylib             	       0x10510e93c provider_conf_init + 608
10  libcrypto.3.dylib             	       0x105066c4c CONF_modules_load + 856
11  libcrypto.3.dylib             	       0x105066ee8 CONF_modules_load_file_ex + 120
12  libcrypto.3.dylib             	       0x105067738 ossl_config_int + 68
13  libcrypto.3.dylib             	       0x105106400 ossl_init_config_ossl_ + 16
14  libsystem_pthread.dylib       	       0x1a624ddec __pthread_once_handler + 76
15  libsystem_platform.dylib      	       0x1a627d7e0 _os_once_callout + 32
16  libsystem_pthread.dylib       	       0x1a624dd84 pthread_once + 100
17  libcrypto.3.dylib             	       0x105111fcc CRYPTO_THREAD_run_once + 12
18  libcrypto.3.dylib             	       0x105106208 OPENSSL_init_crypto + 1104
19  libcrypto.3.dylib             	       0x105125098 obj_lock_initialise_ossl_ + 20
20  libsystem_pthread.dylib       	       0x1a624ddec __pthread_once_handler + 76
21  libsystem_platform.dylib      	       0x1a627d7e0 _os_once_callout + 32
22  libsystem_pthread.dylib       	       0x1a624dd84 pthread_once + 100
23  libcrypto.3.dylib             	       0x105111fcc CRYPTO_THREAD_run_once + 12
24  libcrypto.3.dylib             	       0x105124408 OBJ_sn2nid + 112
25  libcrypto.3.dylib             	       0x1051242f4 OBJ_txt2obj + 216
26  libcrypto.3.dylib             	       0x105124944 OBJ_txt2nid + 20
27  libcrypto.3.dylib             	       0x105111048 core_obj_create + 36
28  oqsprovider.0.5.0-dev.dylib   	       0x104dff538 OSSL_provider_init + 280 (oqsprov.c:586)
29  libcrypto.3.dylib             	       0x10510fddc provider_activate + 260
30  libcrypto.3.dylib             	       0x10510fc48 ossl_provider_activate + 56
31  libcrypto.3.dylib             	       0x10510e93c provider_conf_init + 608
32  libcrypto.3.dylib             	       0x105066c4c CONF_modules_load + 856
33  libcrypto.3.dylib             	       0x105066ee8 CONF_modules_load_file_ex + 120
34  libcrypto.3.dylib             	       0x1051031a4 OSSL_LIB_CTX_load_config + 20
35  oqs_test_kems                 	       0x104c3b2e0 main + 84 (oqs_test_kems.c:153)
36  dyld                          	       0x1a5f27e50 start + 2544

from oqs-provider.
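The re-entrant initialisation in the crash report above, reduced to a small C model (an added example, not OpenSSL, oqs-provider or gost-engine code): the two once-guard names come from frames 19 and 13, the provider list is constructed, and the assumption that only the oqs and gost inits touch the object table is taken from frames 28 and 5. The guard gets a RUNNING state so the nested call is reported rather than deadlocking or aborting.

```c
#include <stdio.h>
#include <string.h>

/* Three-state "once" guard. pthread_once / CRYPTO_THREAD_run_once have no
 * RUNNING check: a nested call from inside the init routine deadlocks on Linux
 * and aborts on macOS ("Trying to recursively lock an os_once_t", as above). */
typedef enum { ONCE_IDLE, ONCE_RUNNING, ONCE_DONE } once_state;
typedef struct { const char *name; once_state state; } once_guard;

static int run_once_checked(once_guard *g, int (*init)(void))
{
    if (g->state == ONCE_DONE)
        return 0;
    if (g->state == ONCE_RUNNING) { /* the case the real guard cannot detect */
        fprintf(stderr, "re-entrant init of '%s' detected\n", g->name);
        return -1;
    }
    g->state = ONCE_RUNNING;
    if (init() != 0) {
        g->state = ONCE_IDLE;
        return -1;
    }
    g->state = ONCE_DONE;
    return 0;
}

/* The two libcrypto once-guards in the trace (frames 19 and 13). */
static once_guard obj_lock_once = { "obj_lock_initialise", ONCE_IDLE };
static once_guard config_once   = { "ossl_init_config",    ONCE_IDLE };
/* Providers listed in [provider_sect] with activate = 1 (constructed). */
static const char *configured[8];
static int n_configured;
static int load_config(void); /* forward: the CONF_modules_load frames */

/* Frames 19-18: obj_lock_initialise -> OPENSSL_init_crypto -> config once */
static int obj_lock_initialise(void)
{
    return run_once_checked(&config_once, load_config);
}

/* Frames 24 and 4: every OBJ_* lookup or add first runs the obj-lock once */
static int obj_table_access(void)
{
    return run_once_checked(&obj_lock_once, obj_lock_initialise);
}

/* Assumption from frames 28 and 5: oqs and gost register OIDs during their
 * OSSL_provider_init; the other providers do not touch the object table. */
static int provider_init(const char *name)
{
    if (strcmp(name, "oqs") == 0 || strcmp(name, "gost") == 0)
        return obj_table_access();
    return 0;
}

/* CONF_modules_load -> provider_conf_init -> provider_activate per entry */
static int load_config(void)
{
    for (int i = 0; i < n_configured; i++)
        if (provider_init(configured[i]) != 0)
            return -1;
    return 0;
}

/* The test program's explicit OSSL_LIB_CTX_load_config on a fresh process:
 * returns 0 when initialisation completes, -1 on re-entrant init. */
int simulate_load_config(const char **providers, int n)
{
    obj_lock_once.state = ONCE_IDLE;
    config_once.state = ONCE_IDLE;
    n_configured = n < 8 ? n : 8;
    for (int i = 0; i < n_configured; i++)
        configured[i] = providers[i];
    return load_config();
}

/* The reporter's first openssl.cnf: gost and oqs active -> re-entrant init */
int scenario_gost_and_oqs_active(void)
{
    const char *p[] = { "default", "legacy", "gost", "oqs" };
    return simulate_load_config(p, 4);
}

/* The edited openssl.cnf (gost and oqs commented out): config loads cleanly
 * and a later OBJ_* call from the application still initialises normally */
int scenario_gost_and_oqs_disabled(void)
{
    const char *p[] = { "default", "legacy", "base" };
    if (simulate_load_config(p, 3) != 0)
        return -1;
    return obj_table_access();
}

int main(void)
{
    printf("gost+oqs active:   %d\n", scenario_gost_and_oqs_active());   /* -1 */
    printf("gost+oqs disabled: %d\n", scenario_gost_and_oqs_disabled()); /* 0 */
    return 0;
}
```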

mouse07410 avatar mouse07410 commented on August 26, 2024

On Intel Mac (latest MacOS 13.4) tests fail to compile:

$ pwd
/Users/ur20980/src/oqs-provider
$ ln -s $HOME/src/openssl .
$ cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="/opt/local/libexec/openssl3" -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib " -DCMAKE_VERBOSE_MAKEFILE:BOOL=True  -S . -B _build
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /opt/local/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Creating Debug build with OQS-Debug env vars enabled
-- Build will store public keys in PKCS#8 structures
-- Build will include external encoding library for SPKI/PKCS#8
-- Found OpenSSL: /opt/local/libexec/openssl3/lib/libcrypto.dylib (found suitable version "3.1.0", minimum required is "3.0")  
-- Building commit 53cc629 in /Users/ur20980/src/oqs-provider
-- Configuring done
-- Generating done
-- Build files have been written to: /Users/ur20980/src/oqs-provider/_build

$ cmake --build _build
.  .  .
[ 77%] Building C object test/CMakeFiles/oqs_test_groups.dir/__/openssl/test/helpers/ssltestlib.c.o
cd /Users/ur20980/src/oqs-provider/_build/test && /opt/local/bin/clang -DUSE_ENCODING_LIB -I/opt/local/libexec/openssl3/include -I/Users/ur20980/src/oqs-provider/test/../openssl -I/Users/ur20980/src/oqs-provider/test/../openssl/include -I/Users/ur20980/src/oqs-provider/test/../openssl/test -I/Users/ur20980/src/oqs-provider/test/../openssl/apps/include -O3 -std=gnu18 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.1.sdk -I/opt/local/include -L/opt/local/lib -g -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.1.sdk -std=gnu11 -MD -MT test/CMakeFiles/oqs_test_groups.dir/__/openssl/test/helpers/ssltestlib.c.o -MF CMakeFiles/oqs_test_groups.dir/__/openssl/test/helpers/ssltestlib.c.o.d -o CMakeFiles/oqs_test_groups.dir/__/openssl/test/helpers/ssltestlib.c.o -c /Users/ur20980/src/oqs-provider/openssl/test/helpers/ssltestlib.c
clang: warning: argument unused during compilation: '-L/opt/local/lib' [-Wunused-command-line-argument]
/Users/ur20980/src/oqs-provider/openssl/test/helpers/ssltestlib.c:1182:13: error: implicit declaration of function 'OSSL_sleep' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
            OSSL_sleep(50);
            ^
1 error generated.
gmake[2]: *** [test/CMakeFiles/oqs_test_groups.dir/build.make:107: test/CMakeFiles/oqs_test_groups.dir/__/openssl/test/helpers/ssltestlib.c.o] Error 1

Reason: I'm building against OpenSSL-3.1.0, but the available source is 3.2.0-dev - and 3.2.0 added OSSL_sleep() function that was not included in 3.1.0. Recommendations?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

OK, somehow I seem to have gotten the tests to pass. Here's what I did.

  1. Made sure all the appropriate env vars are set (some may be excessive, but it definitely includes the required ones):
$ env | grep OPENSSL
OPENSSL_LIB_DIR=/opt/local/lib
OPENSSL_INCLUDE_DIR=/opt/local/include
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
OPENSSL_CFLAGS= -I/opt/local/include
OPENSSL_ROOT_DIR=/opt/local/libexec/openssl3
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_CXXFLAGS= -I/opt/local/include
OPENSSL_DIR=/opt/local/libexec/openssl3
$ 
  2. Symlinked /opt/local/lib/liboqs.2.dylib to /usr/local/lib/liboqs.2.dylib - a silly step, but it was cheaper than trying to figure out how to convince tests and $pwd/_build/lib/oqsprovider.dylib to actually look at /opt/local/lib/liboqs.2.dylib
  3. Edited scripts, changing $OPENSSL_APP.cnf to a (more reasonable) $OPENSSL_CONF (if you can expect three-four env vars set - I see no issue with adding one or two.)
  4. Edited test/helpers/ssltestlib.c in the OpenSSL source tree:
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index 94100b9ca4..e65b8cdd45 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -1179,7 +1179,12 @@ int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want,
              * give the DTLS timer a chance to do something. We only do this for
              * the first few times to prevent hangs.
              */
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 2
             OSSL_sleep(50);
+#else
+#include <unistd.h>
+            sleep(1);
+#endif /* OpenSSL 3.2.0+ */
         }
     } while (retc <=0 || rets <= 0);
 
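Review bot: the guard `#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 2` stops matching at the next major release (4.0 has minor 0, so it would fall into the `#else` branch even though OSSL_sleep exists there); `#if OPENSSL_VERSION_PREREQ(3, 2)` or `OPENSSL_VERSION_NUMBER >= 0x30200000L` expresses "3.2 or newer" correctly. Two smaller points in the same hunk: `#include <unistd.h>` inside a function body and under a conditional compiles but belongs with the other includes at the top of the file, and `sleep(1)` waits 20 times longer than the 50 ms `OSSL_sleep(50)` it replaces, which slows the DTLS retry loop noticeably; `usleep(50000)` from the same header keeps the original timing.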
  5. In $OPENSSL_CONF commented out both OQS provider and GOST provider, and all the engines (leaving the actual definitions):
[provider_sect]
 default = default_sect
 legacy = legacy_sect
 pkcs11 = pkcs11_sect
 #gost   = gost_sect
 base = base_sect
 #oqs = oqs_sect

.  .  .

[engine_sect]
 #pkcs11 = pkcs11_section
 #gost = gost_section

After that force-major:

$ OQSPROV=1 OQSKM=1 OQSKEY=1 scripts/runtests.sh
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/libexec/openssl3/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
OQS PROV: successfully registered dilithium2 with NID 1248
OQS PROV: successfully registered p256_dilithium2 with NID 1249
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1250
OQS PROV: successfully registered dilithium3 with NID 1251
OQS PROV: successfully registered p384_dilithium3 with NID 1252
OQS PROV: successfully registered dilithium5 with NID 1253
OQS PROV: successfully registered p521_dilithium5 with NID 1254
OQS PROV: successfully registered dilithium2_aes with NID 1255
OQS PROV: successfully registered p256_dilithium2_aes with NID 1256
OQS PROV: successfully registered rsa3072_dilithium2_aes with NID 1257
OQS PROV: successfully registered dilithium3_aes with NID 1258
OQS PROV: successfully registered p384_dilithium3_aes with NID 1259
OQS PROV: successfully registered dilithium5_aes with NID 1260
OQS PROV: successfully registered p521_dilithium5_aes with NID 1261
OQS PROV: successfully registered falcon512 with NID 1262
OQS PROV: successfully registered p256_falcon512 with NID 1263
OQS PROV: successfully registered rsa3072_falcon512 with NID 1264
OQS PROV: successfully registered falcon1024 with NID 1265
OQS PROV: successfully registered p521_falcon1024 with NID 1266
OQS PROV: successfully registered sphincsharaka128frobust with NID 1267
OQS PROV: successfully registered p256_sphincsharaka128frobust with NID 1268
OQS PROV: successfully registered rsa3072_sphincsharaka128frobust with NID 1269
OQS PROV: successfully registered sphincsharaka128fsimple with NID 1270
OQS PROV: successfully registered p256_sphincsharaka128fsimple with NID 1271
OQS PROV: successfully registered rsa3072_sphincsharaka128fsimple with NID 1272
OQS PROV: successfully registered sphincssha256128frobust with NID 1273
OQS PROV: successfully registered p256_sphincssha256128frobust with NID 1274
OQS PROV: successfully registered rsa3072_sphincssha256128frobust with NID 1275
OQS PROV: successfully registered sphincssha256128ssimple with NID 1276
OQS PROV: successfully registered p256_sphincssha256128ssimple with NID 1277
OQS PROV: successfully registered rsa3072_sphincssha256128ssimple with NID 1278
OQS PROV: successfully registered sphincsshake256128fsimple with NID 1279
OQS PROV: successfully registered p256_sphincsshake256128fsimple with NID 1280
OQS PROV: successfully registered rsa3072_sphincsshake256128fsimple with NID 1281
OQS PROV: Default or FIPS provider available.
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (53cc629) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify tests for all enabled algorithms commencing...
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
-n .
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ...................   Passed    4.74 sec
    Start 2: oqs_kems
2/5 Test #2: oqs_kems .........................   Passed    0.26 sec
    Start 3: oqs_groups
3/5 Test #3: oqs_groups .......................   Passed    0.40 sec
    Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig .......................   Passed    0.01 sec
    Start 5: oqs_endecode
5/5 Test #5: oqs_endecode .....................   Passed    2.26 sec

100% tests passed, 0 tests failed out of 5

Total Test time (real) =   7.68 sec

All oqsprovider tests passed.
$ tail interop.log 
OQSKEYMGMT: has called
OQSKEYMGMT: get_params called for default-digest
0x600003f0c140:   2:OQSX_KEY
0x600003f0c140:   3:OQSX_KEY
Unknown operation 1 requested from OQS provider
0x600003f0c140:   2:OQSX_KEY
0x600003f0c140:   1:OQSX_KEY
rsa3072_sphincsshake256128fsimple.crt: OK
0x600003f0c320:   0:OQSX_KEY
0x600003f0c140:   0:OQSX_KEY
$ 

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

@beldmit could you please take a look at #132 (comment) crash report? It appears that if GOST provider (and/or engine) is active, tests of other providers fail/crash. Debugging it, I had to first disable GOST engine (in openssl.cnf), but things still did not work until I disabled GOST provider as well.

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

@mouse07410 First, I strongly recommend not using GOST engine and provider simultaneously. The provider is quite limited and I also am quite limited in capacity.

As you use it for purposes, and if GOST and OQS providers being loaded simultaneously cause problems, it may be an openssl bug.

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

@beldmit you recommend using GOST engine for now, not the provider?

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

@mouse07410 yes. But could you please check whether the problem is caused by simultaneous presence of GOST provider and OQS provider and has nothing to do with GOST engine?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

But could you please check whether the problem is caused by simultaneous presence of GOST provider and OQS provider and has nothing to do with GOST engine?

Checked, and presence of either one of them breaks OQS provider tests for good.

$ OQSPROV=1 OQSKM=1 OQSKEY=1 scripts/runtests.sh
No OQS-OpenSSL111 interop test because of absence of docker
OpenSSL app: /opt/local/libexec/openssl3/bin/openssl
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
OQS PROV: successfully registered dilithium2 with NID 1250
OQS PROV: successfully registered p256_dilithium2 with NID 1251
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1252
.  .  .
localalgtest dilithium2 failed. Exiting..
$ cat interop.log 
Error configuring OpenSSL modules
405BE5DC01000000:error:1300006D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:514:
405BE5DC01000000:error:13000066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:139:section=gost_section, name=dynamic_path, value=/opt/local/libexec/openssl3/lib/engines-3/gost.dylib
405BE5DC01000000:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:270:module=engines, value=engine_sect retcode=-1      
$ ll /opt/local/libexec/openssl3/lib/engines-3/gost.dylib
lrwxr-xr-x  1 root  admin  56 Mar 20 08:28 /opt/local/libexec/openssl3/lib/engines-3/gost.dylib@ -> /opt/local/libexec/openssl3/lib/engines-3/gost.3.0.dylib
$ ll /opt/local/libexec/openssl3/lib/engines-3/gost.3.0.dylib
-rwxr-xr-x  1 root  admin  841911 Mar 20 08:28 /opt/local/libexec/openssl3/lib/engines-3/gost.3.0.dylib*
$ 
$ openssl list -engines
Engines:
dynamic
gost
$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
$ 

@baentsch and @beldmit one more thing: changing activate = 1 to activate = 0 for the GOST provider did not help at all. Same applies to making engine's init = 0:

Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: Trying to recursively lock an os_once_t
Abort Cause 259

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	       0x181a2d260 _os_once_gate_recursive_abort + 36
1   libsystem_platform.dylib      	       0x181a29ed8 _os_once_gate_wait + 348
2   libsystem_pthread.dylib       	       0x1819f7cf8 pthread_once + 100
3   libcrypto.3.dylib             	       0x100de5fcc CRYPTO_THREAD_run_once + 12
4   libcrypto.3.dylib             	       0x100df8ea4 ossl_obj_add_object + 236
5   gostprov.dylib                	       0x1010e75b4 populate_gost_engine + 116
6   gostprov.dylib                	       0x1010e5478 OSSL_provider_init + 116
7   libcrypto.3.dylib             	       0x100de3ddc provider_activate + 260
8   libcrypto.3.dylib             	       0x100de3c48 ossl_provider_activate + 56
9   libcrypto.3.dylib             	       0x100de293c provider_conf_init + 608
10  libcrypto.3.dylib             	       0x100d3ac4c CONF_modules_load + 856
11  libcrypto.3.dylib             	       0x100d3aee8 CONF_modules_load_file_ex + 120
12  libcrypto.3.dylib             	       0x100d3b738 ossl_config_int + 68
13  libcrypto.3.dylib             	       0x100dda400 ossl_init_config_ossl_ + 16
14  libsystem_pthread.dylib       	       0x1819f7d60 __pthread_once_handler + 76
15  libsystem_platform.dylib      	       0x181a27fa0 _os_once_callout + 32
16  libsystem_pthread.dylib       	       0x1819f7cf8 pthread_once + 100
17  libcrypto.3.dylib             	       0x100de5fcc CRYPTO_THREAD_run_once + 12
18  libcrypto.3.dylib             	       0x100dda208 OPENSSL_init_crypto + 1104
19  libcrypto.3.dylib             	       0x100df9098 obj_lock_initialise_ossl_ + 20
20  libsystem_pthread.dylib       	       0x1819f7d60 __pthread_once_handler + 76
21  libsystem_platform.dylib      	       0x181a27fa0 _os_once_callout + 32
22  libsystem_pthread.dylib       	       0x1819f7cf8 pthread_once + 100
23  libcrypto.3.dylib             	       0x100de5fcc CRYPTO_THREAD_run_once + 12
24  libcrypto.3.dylib             	       0x100df8408 OBJ_sn2nid + 112
25  libcrypto.3.dylib             	       0x100df82f4 OBJ_txt2obj + 216
26  libcrypto.3.dylib             	       0x100df8944 OBJ_txt2nid + 20
27  libcrypto.3.dylib             	       0x100de5048 core_obj_create + 36
28  oqsprovider.0.5.0-dev.dylib   	       0x100ad3538 OSSL_provider_init + 280 (oqsprov.c:586)
29  libcrypto.3.dylib             	       0x100de3ddc provider_activate + 260
30  libcrypto.3.dylib             	       0x100de3c48 ossl_provider_activate + 56
31  libcrypto.3.dylib             	       0x100de293c provider_conf_init + 608
32  libcrypto.3.dylib             	       0x100d3ac4c CONF_modules_load + 856
33  libcrypto.3.dylib             	       0x100d3aee8 CONF_modules_load_file_ex + 120
34  libcrypto.3.dylib             	       0x100dd71a4 OSSL_LIB_CTX_load_config + 20
35  oqs_test_kems                 	       0x10094b2e0 main + 84 (oqs_test_kems.c:153)
36  dyld                          	       0x1816a3f28 start + 2236

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

Nice... Could you please raise an upstream issue?

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

changing activate = 1 to activate = 0 for the GOST provider did not help at all. Same applies to making engine's init = 0:

Interesting -- but I repeat myself: How/what causes GOST provider to be loaded? oqsprovider surely doesn't request this load.

Another thought/question: Does sth change if you (also) disable PKCS#11 provider? And Legacy provider?

Nice... Could you please raise an upstream issue?

Makes sense. In doing so, please consider linking to openssl/openssl#19326 -- it just "feels" related.

Edit/Add: Disregard the last comment: The stack trace is really bad: CRYPTO_THREAD_run_once being called more than once looks like a different issue...

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

@baentsch here's the answer from OpenSSL triage. While I asked them to reconsider, because the patch to rectify this situation is trivially simple - perhaps, what they suggest is the right thing to do?

This looks like a problem for the oqs-provider to solve not the OpenSSL project. ssltestlib.c is a purely internal file used for our own testing. oqs-provider has taken the decision to reuse it for their own purposes - which is fine - but this surely means that it is an oqs-provider problem to solve version incompatibilities like this.

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

what they suggest is the right thing to do?

Yes. FYI, I'm working in https://github.com/open-quantum-safe/oqs-provider/tree/mb-standalonebuild to solve this issue (basically disabling these ssltestapi-dependent tests when they cannot run due to an absence of the corresponding openssl code). The highlevel tests will continue to run and detect oqsprovider problems only visible in older openssl versions.

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

What you call "older" is the current/latest stable OpenSSL version, aka 3.1.0. Thus, if tests are supported at all, limiting "full test suite" (5 tests?) to the unreleased master only does not seem like a good idea.

I'd be willing to go with even a patch for test/helpers/ssltestlib.c in this repo (maybe just include it in the README), since OpenSSL does not want to incorporate it.

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

@mouse07410 As #138 just landed, could you please check whether things work "out of the box" on current main better now for you or whether you still feel something needs to be done (beyond #137)?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

Re-cloning this repo, commenting out OQS provider, and everything GOST-related from the openssl.cnf, configuring and building from scratch - everything worked as expected "out of the box".

Config (I will need to add CMAKE_INSTALL_PREFIX there to ensure sudo make install -C _build works as intended):

cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="/opt/local/libexec/openssl3" -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib " -DCMAKE_VERBOSE_MAKEFILE:BOOL=True  -S . -B _build

Result of OQSPROV=1 OQSKM=1 OQSKEY=1 scripts/runtests.sh:

Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/2 Test #1: oqs_signatures ...................   Passed    6.47 sec
    Start 2: oqs_kems
2/2 Test #2: oqs_kems .........................   Passed    0.47 sec

100% tests passed, 0 tests failed out of 2

Total Test time (real) =   6.95 sec

Thanks!

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

Oh, and of course enabling GOST engine in openssl.cnf leads to

Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ...................***Exception: Illegal  0.01 sec
    Start 2: oqs_kems
2/5 Test #2: oqs_kems .........................***Exception: Illegal  0.01 sec
    Start 3: oqs_groups
3/5 Test #3: oqs_groups .......................***Exception: Illegal  0.01 sec
    Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig .......................***Exception: Illegal  0.01 sec
    Start 5: oqs_endecode
5/5 Test #5: oqs_endecode .....................   Passed    2.48 sec

20% tests passed, 4 tests failed out of 5

Total Test time (real) =   2.54 sec

The following tests FAILED:
	  1 - oqs_signatures (ILLEGAL)
	  2 - oqs_kems (ILLEGAL)
	  3 - oqs_groups (ILLEGAL)
	  4 - oqs_tlssig (ILLEGAL)
Errors while running CTest
Output from these tests are in: /Users/ur20980/src/oqs-provider/_build/Testing/Temporary/LastTest.log
Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.

Tests failed.

So, @beldmit I do suggest that a fix to the GOST engine (and provider) is in order.

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

@mouse07410 could you please provide any backtrace? Does it happen with the proposed upstream fix?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

could you please provide any backtrace?

Sure:

Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: Trying to recursively lock an os_once_t
Abort Cause 259


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	    0x7ff80cf523eb _os_once_gate_recursive_abort + 23
1   libsystem_platform.dylib      	    0x7ff80cf4dfb1 _os_once_gate_wait + 200
2   libsystem_pthread.dylib       	    0x7ff80cf1d8f4 pthread_once + 74
3   libcrypto.3.dylib             	       0x105838940 CRYPTO_THREAD_run_once + 9
4   libcrypto.3.dylib             	       0x1058ed433 ossl_obj_add_object + 254
5   gost.3.0.dylib                	       0x105540cbd bind_engine + 237
6   libcrypto.3.dylib             	       0x1057ea1c1 dynamic_ctrl + 1802
7   libcrypto.3.dylib             	       0x1057e996c ENGINE_ctrl_cmd_string + 534
8   libcrypto.3.dylib             	       0x1057e8f94 int_engine_module_init + 571
9   libcrypto.3.dylib             	       0x1057813e4 CONF_modules_load + 893
10  libcrypto.3.dylib             	       0x105781677 CONF_modules_load_file_ex + 121
11  libcrypto.3.dylib             	       0x105781e47 ossl_config_int + 55
12  libcrypto.3.dylib             	       0x10582d02a ossl_init_config_ossl_ + 11
13  libsystem_pthread.dylib       	    0x7ff80cf1d946 __pthread_once_handler + 65
14  libsystem_platform.dylib      	    0x7ff80cf4bf86 _os_once_callout + 18
15  libsystem_pthread.dylib       	    0x7ff80cf1d8f4 pthread_once + 74
16  libcrypto.3.dylib             	       0x105838940 CRYPTO_THREAD_run_once + 9
17  libcrypto.3.dylib             	       0x10582ce7e OPENSSL_init_crypto + 1095
18  libcrypto.3.dylib             	       0x1058ed620 obj_lock_initialise_ossl_ + 16
19  libsystem_pthread.dylib       	    0x7ff80cf1d946 __pthread_once_handler + 65
20  libsystem_platform.dylib      	    0x7ff80cf4bf86 _os_once_callout + 18
21  libsystem_pthread.dylib       	    0x7ff80cf1d8f4 pthread_once + 74
22  libcrypto.3.dylib             	       0x105838940 CRYPTO_THREAD_run_once + 9
23  libcrypto.3.dylib             	       0x1058ec958 OBJ_sn2nid + 106
24  libcrypto.3.dylib             	       0x1058ec847 OBJ_txt2obj + 215
25  libcrypto.3.dylib             	       0x1058ecebb OBJ_txt2nid + 14
26  libcrypto.3.dylib             	       0x105837a82 core_obj_create + 27
27  oqsprovider.0.5.0-dev.dylib   	       0x1053aa784 OSSL_provider_init + 260 (oqsprov.c:586)
28  libcrypto.3.dylib             	       0x10583677f provider_activate + 280
29  libcrypto.3.dylib             	       0x1058365d5 ossl_provider_activate + 67
30  libcrypto.3.dylib             	       0x1058352f6 provider_conf_init + 663
31  libcrypto.3.dylib             	       0x1057813e4 CONF_modules_load + 893
32  libcrypto.3.dylib             	       0x105781677 CONF_modules_load_file_ex + 121
33  libcrypto.3.dylib             	       0x105829d06 OSSL_LIB_CTX_load_config + 13
34  oqs_test_tlssig               	       0x10517c4b5 main + 85 (oqs_test_tlssig.c:139)
35  dyld                          	    0x7ff80cbc741f start + 1903

Does it happen with the proposed upstream fix?

My problem here is that I don't build OpenSSL-3.1.0 myself. Thus, I can "test" that fix only after (a) it's merged into a new release, e.g., 3.1.1 or such, and (b) Macports picks it up and releases a new binary.

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

This backtrace does not show any gost-engine problem - but still libcrypto one on registering objects. And that's exactly the problem that was to be resolved by the recent patch.

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

In the above backtrace - any idea why CONF_modules_load appears at 31, and again at 9? Likewise, CRYPTO_THREAD_run_once appears thrice at 22, 16, and 3?

This backtrace does not show any gost-engine problem

OK, you know your engine better - but why presence of no other engine seems to cause this problem? What's so "special" about GOST engine?

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

Does it happen with the proposed upstream fix?

@beldmit Could you please point at some documentation how to enable/build GOST provider? I'd then try openssl/openssl#20662

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

@beldmit : Disregard the above: Found and built gostprov; "unfortunately" oqsprovider ctest for me runs just fine (on Linux) even when gostprov is active (at least strace says it's been loaded...). Now I understand why @t8m labels openssl/openssl#20662 "tests: exempted".... Will now try to reproduce this on OSX...

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

https://github.com/gost-engine/engine/blob/master/INSTALL.md provides some minimal information. Both engine and provider are built, and you are to place gostprov.so to the OpenSSL provider folder and activate it via config.

from oqs-provider.

beldmit avatar beldmit commented on August 26, 2024

In the above backtrace - any idea why CONF_modules_load appears at 31, and again at 9? Likewise, CRYPTO_THREAD_run_once appears thrice at 22, 16, and 3?

I have some ideas - the initialization of OpenSSL is quite complicated. CONF_modules_load may be invoked several times, and should be a no-op in case they are already initialized.

This backtrace does not show any gost-engine problem

OK, you know your engine better - but why presence of no other engine seems to cause this problem? What's so "special" about GOST engine?

Probably object registration (where you - and some other people - found a problem). Probably presence of non-standard algorithms (all the other providers and engines except the OQS provider reimplement classic algorithms). Looks like Mac is also undertested.

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

Looks like Mac is also undertested.

That's a bit of an understatement: When trying to reproduce the problem on OSX using oqsprovider, I noted that not even one of the "external" OpenSSL tests pass on OSX (Python: ldd not existing; krb5: "cannot compute sizeof (time_t)"; gost&oqsprovider: Cannot find libcrypto.3.dylib, i.e., (DY)LD_LIBRARY_PATH issues). @mattcaswell: Is this known/acceptable, worthwhile an OpenSSL issue or am I doing sth wrong?

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

@mouse07410 As you started this issue regarding OSX testing, may I assume you know OSX some more than I do? Most notably, is it correct that the LD_LIBRARY_PATH equivalent DYLD_LIBRARY_PATH is not getting passed to child processes (at least when SIP is active)? I'm tempted to now export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH in all oqsprovider test scripts to get them to pass in non-system install (i.e., testing) setups. Is that correct? Do you know a better way?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024
  1. Yes, DYLD_LIBRARY_PATH is the MacOS analog of LD_LIBRARY_PATH, so your intuition is correct. LD_LIBRARY_PATH is stinky ignored on Mac, AFAIK.
  2. There's also DYLD_FALLBACK_LIBRARY_PATH (please check the spelling - I could transpose the words), which is used when the library needed was not found in DYLD_LIBRARY_PATH.

Sometimes @rpath does good, but for me it usually just caused more problems.

Unfortunately, I don't know about possible SIP effects on passing DYLD_LIBRARY_PATH. In my case, defaults usually worked. Also, please keep in mind that, e.g., Macports places its systemwide shared libraries in /opt/local/lib, and DYLD_LIBRARY_PATH would override it.

from oqs-provider.

t8m avatar t8m commented on August 26, 2024

I do not think the external tests are tested on anything else than at least somewhat contemporary Linux distros.

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

Looks like Mac is also undertested.

That's a bit of an understatement: When trying to reproduce the problem on OSX using oqsprovider, I noted that not even one of the "external" OpenSSL tests pass on OSX (Python: ldd not existing; krb5: "cannot compute sizeof (time_t)"; gost&oqsprovider: Cannot find libcrypto.3.dylib, i.e., (DY)LD_LIBRARY_PATH issues). @mattcaswell: Is this known/acceptable, worthwhile an OpenSSL issue or am I doing sth wrong?

@baentsch I'm not sure what to say, but both building OpenSSL-3.2.0-dev from the source and running its full test-suite succeeds on my MacOS, for both Intel and Apple Silicon machines.

So, I'd say being even unable to find libcrypto.3.dylib is not acceptable - it indicates that something is badly wrong.

Tests of oqsprovider also all pass. Also, when I patch ssltestlib.c the way I showed, symlink ln -s $HOME/src/openssl $HOME/src/oqs-provider/, then configure, build and run tests - all the oqs-provider tests pass.

You asked about dynamic loading. From man dyld:

NAME
       dyld - the dynamic linker

SYNOPSIS
       DYLD_FRAMEWORK_PATH
       DYLD_FALLBACK_FRAMEWORK_PATH
       DYLD_VERSIONED_FRAMEWORK_PATH
       DYLD_LIBRARY_PATH
       DYLD_FALLBACK_LIBRARY_PATH
       DYLD_VERSIONED_LIBRARY_PATH
       DYLD_IMAGE_SUFFIX
       DYLD_INSERT_LIBRARIES
       DYLD_PRINT_TO_FILE
       DYLD_PRINT_LIBRARIES
       DYLD_PRINT_LOADERS
       DYLD_PRINT_SEARCHING
       DYLD_PRINT_APIS
       DYLD_PRINT_BINDINGS
       DYLD_PRINT_INITIALIZERS
       DYLD_PRINT_SEGMENTS
       DYLD_PRINT_ENV
       DYLD_SHARED_REGION
       DYLD_SHARED_CACHE_DIR

DESCRIPTION
       The dynamic linker (dyld) checks the following environment variables during the launch of
       each process.
       Note: If System Integrity Protection is enabled, these environment variables are
       ignored when executing binaries protected by System Integrity Protection.

First, it tells you what env vars control dynamic loading. Second, it tells you that only SIP-protected binaries (i.e., part of the OS or system commands, like what's in /usr/bin) would ignore those env vars.

There's no ldd on MacOS - but use otool -L instead, like

$ otool -L /opt/local/lib/ossl-modules/oqsprovider.dylib 
/opt/local/lib/ossl-modules/oqsprovider.dylib:
	@rpath/oqsprovider.1.dylib (compatibility version 1.0.0, current version 0.5.0)
	@rpath/liboqs.2.dylib (compatibility version 2.0.0, current version 0.8.0)
	/opt/local/libexec/openssl3/lib/libcrypto.3.dylib (compatibility version 3.0.0, current version 3.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)
$ 

Feel free to ask more specific questions - I'll do my best to answer.

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

both building OpenSSL-3.2.0-dev from the source and running its full test-suite succeeds on my MacOS, for both Intel and Apple Silicon machines.

Are you certain you have run the full test suite? The external tests are AFAIK not auto-enabled: Please run git submodule update --init && ./config shared enable-external-tests && make && make test VERBOSE=1 TESTS="test_external_pyca test_external_krb5 test test_external_gost_engine test_external_oqsprovider" to see what I meant above. May I suggest to move this discussion to openssl/openssl#20679?

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

Are you certain you have run the full test suite? The external tests are AFAIK not auto-enabled...

Ah, in that case - no, I'm not. I'm running the "normal" set of tests (which appears extensive enough :-). Without ./config . . . enable-external-tests.

BTW, the current oqs-provider test-scripts are broken again. Now there's new OPENSSL_INSTALL var, LD_LIBRARY_PATH gets set to some weird value and then claims LD_LIBRARY_PATH env var not set.

from oqs-provider.

mouse07410 avatar mouse07410 commented on August 26, 2024

Also, if a binary of the same version of the oqs-provider is installed in ossl-modules - why do the tests (oqs-signature and oqs-kem) all crash?

I.e., why do I have to explicitly disable oqs-provider in the system-wide openssl.cnf for the tests to work (when they do work ;)?

from oqs-provider.

baentsch avatar baentsch commented on August 26, 2024

why do I have to explicitly disable oqs-provider in the system-wide openssl.cnf for the tests to work (when they do work

That's truly puzzling. Which tests in particular do crash (and how)? What do I need to do to reproduce this?

from oqs-provider.
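A config-side check for the question raised in the two comments above (the provider activated in the system-wide openssl.cnf while the test scripts also load it explicitly), written here as an added example that is not oqs-provider or OpenSSL code. It parses an openssl.cnf fragment for the providers that are actually activated, and parses `openssl list -providers -verbose` output for a provider loaded under two identifiers, which is what the provider listing later in this thread shows (`oqs` and `oqsprovider` with different build hashes). The sample inputs are constructed from snippets in this thread; the section name `provider_sect` and the two-space/four-space indentation of the listing are assumptions taken from those snippets.

```python
"""Detect double activation of an OpenSSL 3 provider.

Added example, not oqs-provider or OpenSSL code. Two checks:
  1. which providers an openssl.cnf activates ([provider_sect] entry that is
     not commented out AND whose section sets activate = 1);
  2. whether `openssl list -providers -verbose` shows one provider display
     name under two identifiers (config activation + explicit -provider).
Sample inputs are constructed from the snippets posted in this thread.
"""
import re
from collections import defaultdict

SAMPLE_CNF = """\
[provider_sect]
 default = default_sect
 pkcs11 = pkcs11_sect
 #gost   = gost_sect
 oqs = oqs_sect

[default_sect]
 activate = 1

[pkcs11_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
 activate = 0

[gost_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
 activate = 1

[oqs_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
 activate = 1
"""

SAMPLE_LISTING = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    build info: OQS Provider v.0.5.0-dev (53cc629) based on liboqs v.0.8.0-dev
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    build info: OQS Provider v.0.5.0-dev (0e46745) based on liboqs v.0.8.0-dev
"""


def parse_cnf(text):
    """Minimal INI-style parser for openssl.cnf: {section: {key: value}}.
    Blank and '#' lines are skipped; the leading space OpenSSL configs
    commonly carry on key lines is tolerated. Quoting/escapes not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def activated_providers(text):
    """Identifiers in [provider_sect] whose section sets activate = 1.
    A commented-out entry ('#gost = gost_sect') never reaches the section,
    so its own 'activate = 1' does not count; 'activate = 0' is excluded."""
    cfg = parse_cnf(text)
    return [ident for ident, sect in cfg.get("provider_sect", {}).items()
            if cfg.get(sect, {}).get("activate") == "1"]


def duplicate_providers(listing):
    """Map display name -> identifiers it is loaded under, keeping only
    names loaded more than once. Identifier lines are indented two spaces,
    attribute lines four (layout assumed from the listing in this thread)."""
    by_name, ident = defaultdict(list), None
    for raw in listing.splitlines():
        if raw.startswith("  ") and not raw.startswith("    "):
            ident = raw.strip()
        elif ident and raw.strip().startswith("name:"):
            by_name[raw.split(":", 1)[1].strip()].append(ident)
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    print("activated by config:", activated_providers(SAMPLE_CNF))
    for name, ids in duplicate_providers(SAMPLE_LISTING).items():
        print(f"'{name}' is loaded twice, as {ids}: "
              "disable one of config activation or explicit -provider")
```

Running the real listing through `duplicate_providers` (e.g. `openssl list -providers -verbose > listing.txt`) gives the same kind of report for an installed setup.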

mouse07410 avatar mouse07410 commented on August 26, 2024

That's truly puzzling.

Indeed ;-)

Which tests in particular do crash (and how)?

On this box: Certificate request self-signature did not match the contents

On other boxes - $OPENSSL_APP list -providers -verbose -provider-path _build/lib -provider oqsprovider segfaults.

What do I need to do to reproduce this?

A bit of luck - and this:

[provider_sect]
 default = default_sect
 legacy = legacy_sect
 pkcs11 = pkcs11_sect
 #gost   = gost_sect
 base = base_sect
 oqs = oqs_sect

[default_sect]
 activate = 1

[legacy_sect]
 activate = 1

[pkcs11_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
 pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 activate = 1

[gost_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
 activate = 1

[base_sect]
 activate = 1

[oqs_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
 activate = 1

[engine_sect]
 #pkcs11 = pkcs11_section
 #gost = gost_section
$ scripts/runtests.sh 
Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (53cc629) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (0e46745) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
.localalgtest dilithium2 failed. Exiting..
-----
-----
Certificate request self-signature did not match the contents
40435F50F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40435F50F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:
$ 
$ cat interop.log 
-----
-----
Certificate request self-signature did not match the contents
40435F50F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40435F50F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:
$ 

On a Mac (running an older MacOS, I admit) openssl crashes:

Test setup:
LD_LIBRARY_PATH=/Users/uri/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/libexec/openssl3/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
scripts/runtests.sh: line 116: 50545 Segmentation fault: 11  $OPENSSL_APP list -providers -verbose -provider-path _build/lib -provider oqsprovider
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/uri/src/oqs-provider/_build
    Start 1: oqs_signatures
1/2 Test #1: oqs_signatures ...................***Exception: Illegal  0.01 sec
    Start 2: oqs_kems
2/2 Test #2: oqs_kems .........................***Exception: Illegal  0.02 sec

0% tests passed, 2 tests failed out of 2

Total Test time (real) =   0.03 sec

The following tests FAILED:
	  1 - oqs_signatures (ILLEGAL)
	  2 - oqs_kems (ILLEGAL)
Errors while running CTest
Output from these tests are in: /Users/uri/src/oqs-provider/_build/Testing/Temporary/LastTest.log
Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.

Tests failed.

with crash report

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [50566]

VM Regions Near 0:
--> 
    __TEXT                      100d4e000-100dd2000    [  528K] r-x/r-x SM=COW  /opt/local/libexec/*

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_pthread.dylib       	0x00007fff20883b7b pthread_rwlock_wrlock + 0
1   libcrypto.3.dylib             	0x0000000101eb39c9 CRYPTO_THREAD_write_lock + 9 (threads_pthread.c:110)
2   libcrypto.3.dylib             	0x0000000101e50d99 ERR_unload_strings + 57 (err.c:314)
3   libcrypto.3.dylib             	0x0000000101eb00de ossl_provider_free + 78 (provider_core.c:691)
4   libcrypto.3.dylib             	0x0000000101fd3c3b OPENSSL_sk_pop_free + 59 (stack.c:424)
5   libcrypto.3.dylib             	0x0000000101eafb04 sk_OSSL_PROVIDER_pop_free + 12 (provider_core.c:199) [inlined]
6   libcrypto.3.dylib             	0x0000000101eafb04 ossl_provider_store_free + 68 (provider_core.c:295)
7   libcrypto.3.dylib             	0x0000000101e9f632 context_deinit_objs + 194 (context.c:250)
8   libcrypto.3.dylib             	0x0000000101e9ef46 context_deinit + 16 (context.c:334) [inlined]
9   libcrypto.3.dylib             	0x0000000101e9ef46 OSSL_LIB_CTX_free + 118 (context.c:450)
10  oqsprovider.0.5.0-dev.dylib   	0x0000000101369d52 oqsx_freeprovctx + 18 (oqsprov_keys.c:178)
11  libcrypto.3.dylib             	0x0000000100fe60ce ossl_provider_free + 61
12  libcrypto.3.dylib             	0x00000001010f598e OPENSSL_sk_pop_free + 45
13  libcrypto.3.dylib             	0x0000000100fe5bb7 ossl_provider_store_free + 63
14  libcrypto.3.dylib             	0x0000000100fda48b context_deinit_objs + 194
15  libcrypto.3.dylib             	0x0000000100fd9cf4 context_deinit + 27
16  libcrypto.3.dylib             	0x0000000100fd9ccc ossl_lib_ctx_default_deinit + 16
17  libcrypto.3.dylib             	0x0000000100fdccde OPENSSL_cleanup + 200
18  libsystem_c.dylib             	0x00007fff207b5d30 __cxa_finalize_ranges + 327
19  libsystem_c.dylib             	0x00007fff207b6010 exit + 53
20  openssl                       	0x0000000100d7218b main + 594
21  libdyld.dylib                 	0x00007fff208a1f3d start + 1
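
The first listing in this post shows the same provider active twice, as "oqs" (activated from openssl.cnf, commit 53cc629) and as "oqsprovider" (passed with -provider, commit 0e46745). The following is an added example, not code from the oqs-provider project or from this thread: it parses the output of "openssl list -providers -verbose" and flags any provider name registered under more than one id, counting how many distinct builds are behind it. The embedded listing is constructed for the example and its commit hashes are placeholders.

```shell
#!/bin/sh
# Added example, not part of the oqs-provider project: spot a provider that
# "openssl list -providers -verbose" reports under two registration names,
# e.g. "oqs" activated by openssl.cnf plus "oqsprovider" passed via -provider.
# Different "build info" under one provider name means two builds of the same
# provider are active in one process; that is the state to clear up before
# reading the test failures that follow such a listing.

# Constructed sample shaped like the listing in this thread (not a real
# capture; the commit hashes are placeholders).
SAMPLE_LISTING='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (aaaaaaa) based on liboqs v.0.8.0-dev
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (bbbbbbb) based on liboqs v.0.8.0-dev
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0'

# find_duplicate_providers LISTING
# Prints one line per provider name that is registered more than once:
#   <provider name>TAB<registration ids, comma separated>TAB<distinct build infos>
# Returns 1 when at least one duplicate exists, 0 otherwise, so it can gate a
# test run: find_duplicate_providers "$("$OPENSSL_APP" list -providers -verbose)"
find_duplicate_providers() {
    printf '%s\n' "$1" | awk '
        # Registration ids are indented by exactly two spaces ("  oqs").
        /^  [^ ]/ { id = $1; order[++n] = id; next }
        # Provider attributes sit four spaces deep; deeper lines (the
        # "gettable provider parameters" block) match neither rule.
        /^    name: /       { sub(/^    name: /, "");       name[id] = $0; next }
        /^    build info: / { sub(/^    build info: /, ""); build[id] = $0; next }
        END {
            for (k = 1; k <= n; k++) {
                id = order[k]; nm = name[id]
                count[nm]++
                ids[nm] = (count[nm] > 1) ? ids[nm] "," id : id
                if (!((nm, build[id]) in seen)) { seen[nm, build[id]] = 1; builds[nm]++ }
            }
            rc = 0
            for (k = 1; k <= n; k++) {
                nm = name[order[k]]
                if (count[nm] > 1 && !(nm in done)) {
                    done[nm] = 1
                    printf "%s\t%s\t%d\n", nm, ids[nm], builds[nm]
                    rc = 1
                }
            }
            exit rc
        }'
}

# Stand-alone demonstration on the constructed sample.
find_duplicate_providers "$SAMPLE_LISTING" || echo "duplicate provider registration(s) found"
```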

mouse07410 commented on August 26, 2024

Why did you get rid of OPENSSL_CONF? It's (one of) the most reasonable env vars people set.

And why is OPENSSL_INSTALL introduced? It's the first time I'm seeing it anywhere, and it doesn't seem like a good idea to me, honestly.

mouse07410 commented on August 26, 2024

OK, got tired of fighting with this, just went through your scripts and removed the check for LD_LIBRARY_PATH:

diff --git a/scripts/oqsprovider-ca.sh b/scripts/oqsprovider-ca.sh
index 1de9b10..68e6400 100755
--- a/scripts/oqsprovider-ca.sh
+++ b/scripts/oqsprovider-ca.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 #rm -rf tmp
 mkdir -p tmp && cd tmp
 rm -rf demoCA && mkdir -p demoCA/newcerts
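Review bot: removing the LD_LIBRARY_PATH guard is only safe because scripts/runtests.sh sets the variable before calling this script; on macOS the dynamic linker ignores LD_LIBRARY_PATH (it reads DYLD_LIBRARY_PATH), so the check never helped a Mac build, but on Linux with a locally built OpenSSL it is what makes a local openssl binary resolve its own libcrypto rather than the system one. Consider downgrading the hard `exit 1` to a warning on stderr instead of deleting the check, and note that the unchanged `#rm -rf tmp` / `mkdir -p tmp && cd tmp` context still leaves artifacts of earlier runs in place.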
diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh
index c4d0907..d6c8b06 100755
--- a/scripts/oqsprovider-certgen.sh
+++ b/scripts/oqsprovider-certgen.sh
@@ -17,12 +17,7 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
-#rm -rf tmp
+rm -rf tmp/*
 mkdir -p tmp
 $OPENSSL_APP req -x509 -new -newkey $1 -keyout tmp/$1_CA.key -out tmp/$1_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -provider oqsprovider -provider default && \
 $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key -provider oqsprovider -provider default && \
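Review bot: the new `rm -rf tmp/*` runs at the start of every certgen call, and runtests.sh calls certgen once per algorithm, so after a full run only the last algorithm's CA, key and CSR survive in tmp; a failure such as the "Certificate request self-signature did not match" one earlier in this thread can then no longer be inspected for any other algorithm. Scope the cleanup to the current algorithm, e.g. `rm -f tmp/"$1"_*`, or keep the previously commented-out line. On the same lines `$1` is still unquoted (`-newkey $1 -keyout tmp/$1_CA.key`), which is the kind of warning this patch set is meant to address.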
diff --git a/scripts/oqsprovider-certverify.sh b/scripts/oqsprovider-certverify.sh
index 0d571ce..665181f 100755
--- a/scripts/oqsprovider-certverify.sh
+++ b/scripts/oqsprovider-certverify.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 # check that CSR can be output OK
 
 $OPENSSL_APP req -text -in tmp/$1_srv.csr -noout -provider oqsprovider -provider default 2>&1 | grep Error
diff --git a/scripts/oqsprovider-cmssign.sh b/scripts/oqsprovider-cmssign.sh
index 2408dd3..f979903 100755
--- a/scripts/oqsprovider-cmssign.sh
+++ b/scripts/oqsprovider-cmssign.sh
@@ -28,11 +28,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 # Assumes certgen has been run before: Quick check
 
 if [ -f tmp/$1_CA.crt ]; then
diff --git a/scripts/oqsprovider-cmsverify.sh b/scripts/oqsprovider-cmsverify.sh
index 85d2935..c13531b 100755
--- a/scripts/oqsprovider-cmsverify.sh
+++ b/scripts/oqsprovider-cmsverify.sh
@@ -21,11 +21,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 openssl_version=$($OPENSSL_APP version)
 
 if [[ "$openssl_version" == "OpenSSL 3.0."* ]]; then

Result was pleasing:

$ scripts/runtests.sh 2>&1 | tee tests-out.txt
Test setup:
LD_LIBRARY_PATH=/Users/uri/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (0e46745) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.0.8
    status: active
    build info: 3.0.8
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
...............................
Test project /Users/uri/src/oqs-provider/_build
    Start 1: oqs_signatures
1/2 Test #1: oqs_signatures ...................   Passed    9.49 sec
    Start 2: oqs_kems
2/2 Test #2: oqs_kems .........................   Passed    0.51 sec

100% tests passed, 0 tests failed out of 2

Total Test time (real) =  10.02 sec

All oqsprovider tests passed.
$

mouse07410 commented on August 26, 2024

And here is what I (mistakenly, until you explained) used to call "full test-suite":

$ scripts/runtests.sh 2>&1 | tee tests-out.txt
Test setup:
LD_LIBRARY_PATH=/Users/uri/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (0e46745) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.0.8
    status: active
    build info: 3.0.8
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/uri/src/oqs-provider/_build
    Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ...................   Passed   13.15 sec
    Start 2: oqs_kems
2/5 Test #2: oqs_kems .........................   Passed    0.71 sec
    Start 3: oqs_groups
3/5 Test #3: oqs_groups .......................   Passed    1.10 sec
    Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig .......................   Passed    0.02 sec
    Start 5: oqs_endecode
5/5 Test #5: oqs_endecode .....................   Passed   11.59 sec

100% tests passed, 0 tests failed out of 5

Total Test time (real) =  26.59 sec

All oqsprovider tests passed.

Get rid of LD_LIBRARY_PATH. Moral: less is more! ;-)

mouse07410 commented on August 26, 2024

Here's my patch for the scripts, which includes addressing some of the ShellCheck warnings:

diff --git a/scripts/oqsprovider-ca.sh b/scripts/oqsprovider-ca.sh
index 1de9b10..68e6400 100755
--- a/scripts/oqsprovider-ca.sh
+++ b/scripts/oqsprovider-ca.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 #rm -rf tmp
 mkdir -p tmp && cd tmp
 rm -rf demoCA && mkdir -p demoCA/newcerts
diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh
index c4d0907..d6c8b06 100755
--- a/scripts/oqsprovider-certgen.sh
+++ b/scripts/oqsprovider-certgen.sh
@@ -17,12 +17,7 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
-#rm -rf tmp
+rm -rf tmp/*
 mkdir -p tmp
 $OPENSSL_APP req -x509 -new -newkey $1 -keyout tmp/$1_CA.key -out tmp/$1_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -provider oqsprovider -provider default && \
 $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key -provider oqsprovider -provider default && \
diff --git a/scripts/oqsprovider-certverify.sh b/scripts/oqsprovider-certverify.sh
index 0d571ce..665181f 100755
--- a/scripts/oqsprovider-certverify.sh
+++ b/scripts/oqsprovider-certverify.sh
@@ -17,11 +17,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 # check that CSR can be output OK
 
 $OPENSSL_APP req -text -in tmp/$1_srv.csr -noout -provider oqsprovider -provider default 2>&1 | grep Error
diff --git a/scripts/oqsprovider-cmssign.sh b/scripts/oqsprovider-cmssign.sh
index 2408dd3..f979903 100755
--- a/scripts/oqsprovider-cmssign.sh
+++ b/scripts/oqsprovider-cmssign.sh
@@ -28,11 +28,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 # Assumes certgen has been run before: Quick check
 
 if [ -f tmp/$1_CA.crt ]; then
diff --git a/scripts/oqsprovider-cmsverify.sh b/scripts/oqsprovider-cmsverify.sh
index 85d2935..c13531b 100755
--- a/scripts/oqsprovider-cmsverify.sh
+++ b/scripts/oqsprovider-cmsverify.sh
@@ -21,11 +21,6 @@ if [ -z "$OPENSSL_MODULES" ]; then
     exit 1
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    echo "LD_LIBRARY_PATH env var not set. Exiting."
-    exit 1
-fi
-
 openssl_version=$($OPENSSL_APP version)
 
 if [[ "$openssl_version" == "OpenSSL 3.0."* ]]; then
diff --git a/scripts/runtests.sh b/scripts/runtests.sh
index f360d0e..570bb58 100755
--- a/scripts/runtests.sh
+++ b/scripts/runtests.sh
@@ -5,17 +5,17 @@ rv=0
 provider2openssl() {
     echo
     echo "Testing oqsprovider->oqs-openssl interop for $1:"
-    $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certgen.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmssign.sh $1 sha3-384 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-certverify.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-cmsverify.sh $1
+    "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certgen.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmssign.sh $1 sha3-384 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-certverify.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-cmsverify.sh $1
 }
 
 openssl2provider() {
     echo
     echo "Testing oqs-openssl->oqsprovider interop for $1:"
-    $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-certgen.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqs-openssl-cmssign.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certverify.sh $1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmsverify.sh $1
+    "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-certgen.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqs-openssl-cmssign.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certverify.sh $1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmsverify.sh $1
 }
 
 localalgtest() {
-    $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certgen.sh $1 >> interop.log 2>&1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-certverify.sh $1 >> interop.log 2>&1 && $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-cmssign.sh $1 >> interop.log 2>&1 &&  $OQS_PROVIDER_TESTSCRIPTS/oqsprovider-ca.sh $1 >> interop.log 2>&1
+    "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certgen.sh $1 >> interop.log 2>&1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-certverify.sh $1 >> interop.log 2>&1 && "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-cmssign.sh $1 >> interop.log 2>&1 &&  "$OQS_PROVIDER_TESTSCRIPTS"/oqsprovider-ca.sh $1 >> interop.log 2>&1
     if [ $? -ne 0 ]; then
         echo "localalgtest $1 failed. Exiting.".
         cat interop.log
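Review bot: the quoting is applied to `$OQS_PROVIDER_TESTSCRIPTS` but `$1` stays unquoted on the same three lines, so ShellCheck will keep flagging them; quote it as `"$1"` throughout. The context line `echo "localalgtest $1 failed. Exiting.".` has a stray `.` after the closing quote, which is why the log earlier in this thread reads `Exiting..`; drop it while touching this function.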
@@ -27,7 +27,7 @@ interop() {
     echo ".\c"
     # check if we want to run this algorithm:
     if [ ! -z "$OQS_SKIP_TESTS" ]; then
-        GREPTEST=$(echo $OQS_SKIP_TESTS | sed "s/\,/\\\|/g")
+        GREPTEST=$(echo "$OQS_SKIP_TESTS" | sed "s/\,/\\\|/g")
         if echo $1 | grep -q "$GREPTEST"; then
             echo "Not testing $1" >> interop.log
             return
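Review bot: `\|` alternation is not POSIX basic regular expression syntax (BRE has no alternation; it is a GNU extension), which matters on the macOS setup this thread is about. Use extended syntax instead, e.g. `GREPTEST=$(echo "$OQS_SKIP_TESTS" | sed 's/,/|/g')` with `grep -E -q -- "$GREPTEST"`, and anchor the match: as written, a skip entry such as `dilithium2` also skips every algorithm whose name merely contains that string. `echo $1` on the next line is still unquoted.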
@@ -35,7 +35,7 @@ interop() {
     fi
 
     # Check whether algorithm is supported at all:
-    $OPENSSL_APP list -signature-algorithms -provider oqsprovider | grep $1 > /dev/null 2>&1
+    "$OPENSSL_APP" list -signature-algorithms -provider oqsprovider | grep $1 > /dev/null 2>&1
     if [ $? -ne 1 ]; then
 	if [ -z "$LOCALTESTONLY" ]; then
             provider2openssl $1 >> interop.log 2>&1 && openssl2provider $1 >> interop.log 2>&1
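Review bot: `grep $1` followed by `if [ $? -ne 1 ]` treats every exit status other than 1 as "algorithm supported", including grep's status 2 for an error, and `$1` is unquoted and unanchored. Write the test directly, `if "$OPENSSL_APP" list -signature-algorithms -provider oqsprovider | grep -q -- "$1"; then`, so only a real match runs the interop tests. Note that `-provider oqsprovider` here loads the provider on top of whatever openssl.cnf already activated, which is the double registration (`oqs` plus `oqsprovider`) visible in the first listing of this thread.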
@@ -57,24 +57,24 @@ fi
 
 if [ ! -z "$OPENSSL_INSTALL" ]; then
     # trying to set config variables suitably for pre-existing OpenSSL installation
-    if [ -f $OPENSSL_INSTALL/bin/openssl ]; then
-        export OPENSSL_APP=$OPENSSL_INSTALL/bin/openssl
+    if [ -f "$OPENSSL_INSTALL"/bin/openssl ] && [ -z "$OPENSSL_APP" ]; then
+        export OPENSSL_APP="$OPENSSL_INSTALL"/bin/openssl
     fi
-    if [ -d $OPENSSL_INSTALL/lib64 ]; then
-        export LD_LIBRARY_PATH=$OPENSSL_INSTALL/lib64
+    if [ -d "$OPENSSL_INSTALL"/lib64 ]; then
+        export LD_LIBRARY_PATH="$OPENSSL_INSTALL"/lib64
     fi
     if [ -f $OPENSSL_INSTALL/ssl/openssl.cnf ]; then
-        export OPENSSL_CONF=$OPENSSL_INSTALL/ssl/openssl.cnf
+        export OPENSSL_CONF="$OPENSSL_INSTALL"/ssl/openssl.cnf
     fi
 else
     if [ -z "$OPENSSL_CONF" ]; then
-        export OPENSSL_CONF=$(pwd)/scripts/openssl-ca.cnf
+        export OPENSSL_CONF="$(pwd)/scripts/openssl-ca.cnf"
     fi
 fi
 
 if [ -z "$OPENSSL_APP" ]; then
     if [ -f $(pwd)/openssl/apps/openssl ]; then
-        export OPENSSL_APP=$(pwd)/openssl/apps/openssl
+        export OPENSSL_APP="$(pwd)/openssl/apps/openssl"
     else # if no local openssl src directory is found, rely on PATH...
         export OPENSSL_APP=openssl
     fi
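Review bot: the new `[ -z "$OPENSSL_APP" ]` guard stops OPENSSL_INSTALL from overriding an explicitly set OPENSSL_APP, but the same block still overwrites LD_LIBRARY_PATH and OPENSSL_CONF unconditionally, so the complaint raised earlier in this thread about OPENSSL_CONF being discarded remains whenever OPENSSL_INSTALL is set; add `&& [ -z "$OPENSSL_CONF" ]` (and the LD_LIBRARY_PATH counterpart) to those conditions. The unchanged context line `if [ -f $OPENSSL_INSTALL/ssl/openssl.cnf ]; then` was also left unquoted while its siblings were fixed.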
@@ -84,8 +84,12 @@ if [ -z "$OPENSSL_MODULES" ]; then
     export OPENSSL_MODULES=$(pwd)/_build/lib
 fi
 
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    export LD_LIBRARY_PATH=$(pwd)/.local/lib64
+if [ "$OSTYPE" == "darwin"* ]; then
+    export LD_LIBRARY_PATH="/opt/local/lib:/usr/local/lib:"
+else
+    if [ -z "$LD_LIBRARY_PATH" ]; then
+        export LD_LIBRARY_PATH=$(pwd)/.local/lib64
+    fi
 fi
 
 if [ ! -z "$OQS_SKIP_TESTS" ]; then
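Review bot: `[ "$OSTYPE" == "darwin"* ]` does not do a prefix match. Inside single-bracket `test` the unquoted `*` is a filename glob expanded by the shell before `[` runs, and `==` is not POSIX, so the Darwin branch is taken only if `$OSTYPE` is literally `darwin*` (or the script errors out under a non-bash `sh`). Use `case "$OSTYPE" in darwin*) ... ;; esac` or bash's `[[ "$OSTYPE" == darwin* ]]`. The branch also hard-codes Macports paths and clobbers any LD_LIBRARY_PATH the caller set, and since dyld reads DYLD_LIBRARY_PATH rather than LD_LIBRARY_PATH, the assignment has no effect on which libcrypto is loaded on macOS anyway.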
@@ -159,7 +163,7 @@ echo
 # Run built-in tests:
 # Without removing OPENSSL_CONF ctest hangs... ???
 unset OPENSSL_CONF
-cd _build && ctest $@ && cd ..
+cd _build && ctest "$@" && cd ..
 
 if [ $? -ne 0 ]; then
    rv=1
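Review bot: with `cd _build && ctest "$@" && cd ..`, a ctest failure short-circuits the chain, so the script never returns to the top-level directory, and the `$?` tested on the next line is the status of the whole chain rather than of ctest alone. Running ctest in a subshell keeps the working directory intact either way: `(cd _build && ctest "$@") || rv=1`. The `unset OPENSSL_CONF` just above, still marked with `???`, deserves a comment stating why it is needed, given that this thread is about tests failing when openssl.cnf activates oqsprovider.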

mouse07410 commented on August 26, 2024

And here's my script to drive build and test for system-wide binary OpenSSL and local sources of OpenSSL master (dev):

#!/bin/bash
# Drive build and test of oqs-provider against two OpenSSL installations:
# locally built sources of OpenSSL master (3.2.x-dev) under $HOME/openssl-3,
# and the Macports-installed OpenSSL 3 binaries under /opt/local/libexec/openssl3.

# Clean up previous builds
make clean
rm -rf tmp/*
rm -f interop.log interop-3.log

# Env var flags (exported so that cmake and the test scripts see them)
export OQSPROV=1
export OQSKM=1
export OQSKEY=1

unset OPENSSL_INSTALL

# Build for local sources of the master branch of OpenSSL-3.2+
if [ -d "$HOME/openssl-3" ]; then
    export LD_LIBRARY_PATH="$HOME/openssl-3/lib:/usr/local/lib:"
    export OPENSSL_ROOT_DIR="$HOME/openssl-3"
    export OPENSSL_DIR="$OPENSSL_ROOT_DIR"
    export OPENSSL_INSTALL="$OPENSSL_DIR"
    export OPENSSL_APP="$OPENSSL_ROOT_DIR/bin/openssl"
    export OPENSSL="$OPENSSL_APP"
    export OPENSSL_CONF="$OPENSSL_ROOT_DIR/etc/openssl.cnf"
    export OPENSSL_MODULES="$OPENSSL_ROOT_DIR/lib/ossl-modules"
    export OPENSSL_LIB_DIR="$OPENSSL_ROOT_DIR/lib"
    export OPENSSL_INCLUDE_DIR="$OPENSSL_ROOT_DIR/include"
    echo "Building for source-based OpenSSL-3.2.x-dev..."
    # Record the OPENSSL_* environment used for this build at the top of the log
    env | grep OPENSSL > build-out-s.txt
    echo "" >> build-out-s.txt
    cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="$HOME/src/openssl" \
          -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib" \
          -DCMAKE_VERBOSE_MAKEFILE:BOOL=True -S . -B _build 2>&1 | tee -a build-out-s.txt
    cmake --build _build 2>&1 | tee -a build-out-s.txt
    if [ -x _build/lib/oqsprovider.0.5.0-dev.dylib ]; then
        echo "Successful build for source-based OpenSSL"
        scripts/runtests.sh 2>&1 | tee tests-out-s.txt
    else
        echo "Apparently, building for source-based OpenSSL-3.2.x-dev failed"
        echo ""
    fi
else
    echo ""
    echo "Sources of OpenSSL-3.2.x-dev not found, skipping..."
    echo ""
fi

# Build for Macports-installed binaries of OpenSSL-3.+
if [ -d /opt/local/libexec/openssl3 ]; then
    export LD_LIBRARY_PATH="/opt/local/lib:/usr/local/lib:"
    export OPENSSL_ROOT_DIR="/opt/local/libexec/openssl3"
    export OPENSSL_DIR="$OPENSSL_ROOT_DIR"
    export OPENSSL_INSTALL="$OPENSSL_DIR"
    export OPENSSL_APP="$OPENSSL_ROOT_DIR/bin/openssl"
    export OPENSSL="$OPENSSL_APP"
    export OPENSSL_CONF="$OPENSSL_ROOT_DIR/etc/openssl/openssl.cnf"
    export OPENSSL_MODULES="$OPENSSL_ROOT_DIR/lib/ossl-modules"
    export OPENSSL_LIB_DIR="$OPENSSL_ROOT_DIR/lib"
    export OPENSSL_INCLUDE_DIR="$OPENSSL_ROOT_DIR/include"
    # Record the OPENSSL_* environment used for this build at the top of the log
    env | grep OPENSSL > build-out.txt
    echo "" >> build-out.txt
    echo "Building for Macports-installed OpenSSL-3..."
    cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="/opt/local/libexec/openssl3" \
          -DCMAKE_C_FLAGS="$CFLAGS -I/opt/local/include -L/opt/local/lib" \
          -DCMAKE_VERBOSE_MAKEFILE:BOOL=True -S . -B _build 2>&1 | tee -a build-out.txt
    echo "" >> build-out.txt
    cmake --build _build 2>&1 | tee -a build-out.txt
    if [ -x _build/lib/oqsprovider.0.5.0-dev.dylib ]; then
        echo "Successful build for Macports-installed OpenSSL"
        scripts/runtests.sh 2>&1 | tee tests-out.txt
    else
        echo "Apparently, building for Macports-installed OpenSSL-3 failed"
        echo ""
    fi
else
    echo ""
    echo "Macports-installed OpenSSL-3 not found, skipping..."
    echo ""
fi

exit 0

baentsch commented on August 26, 2024

Here's my patch for the scripts, which includes addressing some of the SHellCheck warnings:

Thanks for those proposals. Would you want to do this as a PR (it's your contribution, really) or do you want me to just copy those changes into #140? If the latter, I'd probably add the second script as an OSX-only script.

mouse07410 commented on August 26, 2024

do you want me to just copy those changes into #140?

Yes please.

If the latter, I'd probably add the second script as an OSX-only script.

I can probably make it usable on MacOS and Linux. Main (only?) difference would be where the OpenSSL is installed.

mingw-io commented on August 26, 2024

It looks like Mac has become like Windows! DLL HELL!

We have been unable to repro this issue on Windows.
We suspect this could be a broken/polluted (user) environment issue.

We will continue with our testing and report any findings.

mouse07410 commented on August 26, 2024

It looks like Mac has become like Windows! DLL HELL!

Thankfully, not even close. But written-for-Linux test scripts have difficulty locating shared libraries located in various not-necessarily-expected places.

We have been unable to repro this issue on Windows.

First, I'm all shocked that different OSes may show different behaviors and problems. Second, I'm not sure at all that you replicated this issue exactly as described above.

We suspect this could be a broken/polluted (user) environment issue.

Thanks for this very useful observation. It appears that "broken user environment" in this context means system-wide installation of OpenSSL and of LIBOQS, both of which were not installed by this provider's scripts, and available to this process only as binaries. Compounded by the presence of other providers (e.g., PKCS11) and engines (e.g., GOST). Did you bother to install all of those, system-wide? If not - your "repro" itself is a big suspect.

We will continue with our testing and report any findings.

If you wish. I think we (thanks, @baentsch !) figured out already most everything - except why (some of the) tests fail when system-wide oqs-provider is available and listed in openssl.cnf. And the remaining problem with the GOST engine (or provider) - but again, it doesn't look like you'd be helpful there.

mouse07410 commented on August 26, 2024

@baentsch any idea why tests fail if the main (system-wide) openssl.cnf points at a working oqsprovider.dylib?

It's not a show-stopper - just a considerable inconvenience, being forced to edit openssl.cnf whenever I need to update or re-test OQS provider. Thanks!

mouse07410 commented on August 26, 2024

The problem seems to be related to multiple calls to something supposed to be called only once, and this time it's not related to GOST provider or engine (engines and GOST are disabled):

Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: Trying to recursively lock an os_once_t
Abort Cause 259


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	       0x19f5d5260 _os_once_gate_recursive_abort + 36
1   libsystem_platform.dylib      	       0x19f5d1ed8 _os_once_gate_wait + 348
2   libsystem_pthread.dylib       	       0x19f59fcf8 pthread_once + 100
3   libcrypto.3.dylib             	       0x101111fcc CRYPTO_THREAD_run_once + 12
4   libcrypto.3.dylib             	       0x101124408 OBJ_sn2nid + 112
5   libcrypto.3.dylib             	       0x1011242f4 OBJ_txt2obj + 216
6   libcrypto.3.dylib             	       0x101124944 OBJ_txt2nid + 20
7   libcrypto.3.dylib             	       0x101111048 core_obj_create + 36
8   oqsprovider.0.5.0-dev.dylib   	       0x101403bbc OSSL_provider_init + 280 (oqsprov.c:620)
9   libcrypto.3.dylib             	       0x10110fddc provider_activate + 260
10  libcrypto.3.dylib             	       0x10110fc48 ossl_provider_activate + 56
11  libcrypto.3.dylib             	       0x10110e93c provider_conf_init + 608
12  libcrypto.3.dylib             	       0x101066c4c CONF_modules_load + 856
13  libcrypto.3.dylib             	       0x101066ee8 CONF_modules_load_file_ex + 120
14  libcrypto.3.dylib             	       0x101067738 ossl_config_int + 68
15  libcrypto.3.dylib             	       0x101106400 ossl_init_config_ossl_ + 16
16  libsystem_pthread.dylib       	       0x19f59fd60 __pthread_once_handler + 76
17  libsystem_platform.dylib      	       0x19f5cffa0 _os_once_callout + 32
18  libsystem_pthread.dylib       	       0x19f59fcf8 pthread_once + 100
19  libcrypto.3.dylib             	       0x101111fcc CRYPTO_THREAD_run_once + 12
20  libcrypto.3.dylib             	       0x101106208 OPENSSL_init_crypto + 1104
21  libcrypto.3.dylib             	       0x101125098 obj_lock_initialise_ossl_ + 20
22  libsystem_pthread.dylib       	       0x19f59fd60 __pthread_once_handler + 76
23  libsystem_platform.dylib      	       0x19f5cffa0 _os_once_callout + 32
24  libsystem_pthread.dylib       	       0x19f59fcf8 pthread_once + 100
25  libcrypto.3.dylib             	       0x101111fcc CRYPTO_THREAD_run_once + 12
26  libcrypto.3.dylib             	       0x101124408 OBJ_sn2nid + 112
27  libcrypto.3.dylib             	       0x1011242f4 OBJ_txt2obj + 216
28  libcrypto.3.dylib             	       0x101124944 OBJ_txt2nid + 20
29  libcrypto.3.dylib             	       0x101111048 core_obj_create + 36
30  oqsprovider.0.5.0-dev.dylib   	       0x100dffbbc OSSL_provider_init + 280 (oqsprov.c:620)
31  libcrypto.3.dylib             	       0x10110fddc provider_activate + 260
32  libcrypto.3.dylib             	       0x10110fc48 ossl_provider_activate + 56
33  libcrypto.3.dylib             	       0x10110e93c provider_conf_init + 608
34  libcrypto.3.dylib             	       0x101066c4c CONF_modules_load + 856
35  libcrypto.3.dylib             	       0x101066ee8 CONF_modules_load_file_ex + 120
36  libcrypto.3.dylib             	       0x1011031a4 OSSL_LIB_CTX_load_config + 20
37  oqs_test_kems                 	       0x100c772e0 main + 84 (oqs_test_kems.c:153)
38  dyld                          	       0x19f24bf28 start + 2236

@levitte do you have an opinion here?

mattcaswell commented on August 26, 2024

This looks like a different instance of the same problem as fixed by openssl/openssl#20662.

In your callstack above you can see these lines which were the cause of the original problem (i.e. calling OPENSSL_init_crypto from obj_lock_initialise):

20 libcrypto.3.dylib 0x101106208 OPENSSL_init_crypto + 1104
21 libcrypto.3.dylib 0x101125098 obj_lock_initialise_ossl_ + 20


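The chain mattcaswell points at (a run-once initialiser whose body loads the config, which activates a provider, which registers OIDs, which calls back into the same run-once) is modelled below in plain C with pthreads. This is an added illustration, not OpenSSL or oqs-provider code, and it does not reproduce whatever openssl/openssl#20662 changed; every function and variable name is made up to mirror the roles in the backtrace (`ensure_initialised` for `CRYPTO_THREAD_run_once`/`OPENSSL_init_crypto`, `obj_txt2nid` for `OBJ_txt2nid`, `provider_init` for `OSSL_provider_init`). It shows why the re-entry is dangerous (the once-lock is a plain non-recursive mutex, so the nested call on the same thread would block forever) and one defensive pattern: a per-thread in-progress flag that turns the nested call into a reported failure, visible in the provider's init status, instead of a hang.

```c
/* Added example (not OpenSSL or oqs-provider code): a model of the
 * initialisation chain in the backtrace above, with a guard that turns
 * same-thread re-entry of a run-once initialiser into an error instead of
 * a deadlock on a non-recursive lock. All names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define NID_undef 0

/* Constructed object table standing in for the OBJ database. */
static const struct { const char *name; int nid; } obj_table[] = {
    { "demo-sig", 42 },
    { "demo-kem", 43 },
};

static pthread_mutex_t once_lock = PTHREAD_MUTEX_INITIALIZER; /* non-recursive */
static int init_done = 0;             /* initialiser has completed */
static int init_runs = 0;             /* how many times the body ran (expect 1) */
static int reentry_count = 0;         /* same-thread re-entries refused */
static int provider_init_status = -1; /* -1 not run, 0 failed, 1 ok */
static _Thread_local int init_in_progress = 0; /* per-thread re-entry flag */

static int load_config(void);

/* ensure_initialised: the run-once entry point. Returns 1 once initialisation
 * is complete, 0 when it is called recursively from inside its own body. */
static int ensure_initialised(void)
{
    if (init_done)
        return 1;
    if (init_in_progress) {
        /* Without this check pthread_mutex_lock() below would block forever:
         * the lock is already held by this very thread. */
        reentry_count++;
        return 0;
    }
    pthread_mutex_lock(&once_lock);
    if (!init_done) {
        init_in_progress = 1;
        init_runs++;
        load_config();        /* may call back into ensure_initialised() */
        init_done = 1;
        init_in_progress = 0;
    }
    pthread_mutex_unlock(&once_lock);
    return 1;
}

/* obj_txt2nid: name lookup that first makes sure the object DB is ready. */
static int obj_txt2nid(const char *name)
{
    if (!ensure_initialised())
        return NID_undef;     /* refuse rather than deadlock */
    for (size_t i = 0; i < sizeof obj_table / sizeof obj_table[0]; i++)
        if (strcmp(obj_table[i].name, name) == 0)
            return obj_table[i].nid;
    return NID_undef;
}

/* provider_init: a provider registering its OIDs during activation, the role
 * of OSSL_provider_init -> core_obj_create in the trace. */
static int provider_init(void)
{
    int nid = obj_txt2nid("demo-sig");
    provider_init_status = (nid != NID_undef);
    return provider_init_status;
}

/* load_config: configuration loading activates the configured providers. */
static int load_config(void)
{
    return provider_init();
}

/* Accessors so the outcome can be checked from outside. */
int demo_lookup(const char *name) { return obj_txt2nid(name); }
int demo_init_runs(void) { return init_runs; }
int demo_reentries(void) { return reentry_count; }
int demo_provider_status(void) { return provider_init_status; }

int main(void)
{
    int nid = obj_txt2nid("demo-sig");
    printf("demo-sig nid=%d, init ran %d time(s), re-entries refused=%d, "
           "provider init %s\n", nid, init_runs, reentry_count,
           provider_init_status == 1 ? "ok" : "failed");
    return 0;
}
```

Build with `-pthread`. The top-level lookup succeeds and the initialiser runs exactly once, but the provider's own lookup, made while initialisation was still in progress, is refused and the provider reports a failed init rather than hanging the process; which layer should own the fix for that ordering is exactly the question raised in this thread.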
mouse07410 commented on August 26, 2024

This looks like a different instance of the same problem as fixed by openssl/openssl#20662.

Yes, probably - but (a) where, in your opinion, is the root cause (aka, which component issues those improper calls, and why), and (b) how do we fix it, and where (in which component)?

Also, it looks like the fix was merged two to three weeks ago into 3.1, so it should've been picked up by Macports by now? I'm trying to understand why I don't see the behavior change yet on my machines...

mouse07410 commented on August 26, 2024

@mattcaswell I seem to have this problem with the OpenSSL-3.2.0-dev built from source/master as well. Which presumably has the fix merged...

Update - adding info

Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/Users/ur20980/openssl-3/bin/openssl
OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf
OPENSSL_MODULES=/Users/ur20980/openssl-3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.0
    status: active
    build info: 3.2.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
    build info: 3.2.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (27d33d2) based on liboqs v.0.8.0-dev using qsc-key-encoder v.draft-00-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (fbd2538) based on liboqs v.0.8.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.2.0
    status: active
    build info: 3.2.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
.localalgtest dilithium2 failed. Exiting..
-----
-----
Warning: CSR self-signature does not match the contentsCertificate request self-signature did not match the contents
40E38760F87F0000:error:4000000D:pkcs11:oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40E38760F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
40E38760F87F0000:error:4000000D:pkcs11:oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
40E38760F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
$ 

interop.log.txt

mouse07410 commented on August 26, 2024

Again, with the current (as of today) OpenSSL master, tests still fail if openssl.cnf already has oqs-provider defined.

baentsch commented on August 26, 2024

Why shouldn't I be able to build a provider in debug mode without OpenSSL source available?

FYI, this oqsprovider limitation is gone as of today (resolving #137)

Again, with the current (as of today) OpenSSL master, tests still fail if openssl.cnf already has oqs-provider defined.

Does it also happen if pkcs11 provider is not active? Just wondering whether that may deliver an "unexpected" algorithm implementation to oqsprovider...

mouse07410 commented on August 26, 2024

Does it also happen if pkcs11 provider is not active? Just wondering whether that may deliver an "unexpected" algorithm implementation to oqsprovider...

Yes, same thing, same behavior.

baentsch commented on August 26, 2024

Yes, same thing, same behavior.

So all you need is (one) oqsprovider and default provider active and the error above happens? Just asking as the listing above shows two active oqsprovider instances...

If you can still reproduce, would you mind building oqsprovider as "Debug" (in "main" branch should now be possible without OpenSSL dependency) and set env vars OQSSIG=1 and OQSKM=1 when running the test again and sharing the log output?

mouse07410 commented on August 26, 2024

the listing above shows two active oqsprovider instances...

Exactly! One is what has already been installed and configured in openssl.cnf, and the other one is the provider that has just been built and is being tested. I believe the "pre-existing" one is listed as oqs, and the one just built (not installed yet), which is presumably the one being tested, is listed as oqsprovider.

If you can still reproduce,

Alas, I can, easily. :-) :-(

would you mind building oqsprovider as "Debug" (in "main" branch should now be possible without OpenSSL dependency) and set env vars OQSSIG=1 and OQSKM=1 when running the test again and sharing the log output?

All that is already done.

Here's the screen for OpenSSL-3.2.0-dev (failing):

.  .  .
Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/Users/ur20980/openssl-3/bin/openssl
OPENSSL_CONF=/Users/ur20980/openssl-3/etc/openssl.cnf
OPENSSL_MODULES=/Users/ur20980/openssl-3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.0
    status: active
    build info: 3.2.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
    build info: 3.2.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
.localalgtest dilithium2 failed. Exiting..
-----
-----
Warning: CSR self-signature does not match the contentsCertificate request self-signature did not match the contents
4083FE52F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
4083FE52F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:
4083FE52F87F0000:error:4000000D:lib(128):oqs_sig_verify:reason(13):/Users/ur20980/src/oqs-provider/oqsprov/oqs_sig.c:400:
4083FE52F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:

and for OpenSSL-3.1.0, installed system-wide. The OQS provider is present in openssl.cnf, but (a) the tests are succeeding, and (b) this already-installed provider is not listed below! Only the oqs-provider that's being tested is shown:

Test setup:
LD_LIBRARY_PATH=/Users/ur20980/src/oqs-provider/.local/lib64
OPENSSL_APP=/opt/local/libexec/openssl3/bin/openssl
OPENSSL_CONF=/opt/local/libexec/openssl3/etc/openssl/openssl.cnf
OPENSSL_MODULES=/opt/local/libexec/openssl3/lib/ossl-modules
No OQS-OpenSSL111 interop test because of absence of docker
Version information:
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  default
    name: OpenSSL Default Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  legacy
    name: OpenSSL Legacy Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.0-dev
    status: active
    build info: OQS Provider v.0.5.0-dev (12a6418) based on liboqs v.0.8.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  pkcs11
    name: PKCS#11 Provider
    version: 3.1.0
    status: active
    build info: 3.1.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
Cert gen/verify, CMS sign/verify, CA tests for all enabled algorithms commencing...
..................................
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ...................   Passed    4.50 sec
    Start 2: oqs_kems
2/5 Test #2: oqs_kems .........................   Passed    0.24 sec
    Start 3: oqs_groups
3/5 Test #3: oqs_groups .......................   Passed    0.39 sec
    Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig .......................   Passed    0.01 sec
    Start 5: oqs_endecode
5/5 Test #5: oqs_endecode .....................   Passed    7.03 sec

100% tests passed, 0 tests failed out of 5

Total Test time (real) =  12.18 sec

All oqsprovider tests passed.

and files:
screenlog.txt

build-out-3.2.0-dev.txt
tests-out-3.2.0-dev.txt

build-out-3.1.0.txt
tests-out-3.1.0.txt


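The failing 3.2.0-dev run above differs from the passing 3.1.0 run in one visible way: two provider ids (`oqs` and `oqsprovider`) both report the name "OpenSSL OQS Provider", so the same module is active twice and libcrypto may hand signature operations to either copy. The following is an added check, not part of oqs-provider or OpenSSL, that parses `openssl list -providers` output and flags provider ids that share a reported name. The two listings embedded in it are constructed, condensed copies (id, name and version lines only) of the outputs quoted in this comment; the function names are made up.

```c
/* Added example (not oqs-provider or OpenSSL code): detect the same provider
 * module being active under two ids by parsing `openssl list -providers`
 * output. Listings below are constructed from the outputs quoted in this
 * thread, reduced to the id/name/version lines. */
#include <stdio.h>
#include <string.h>

#define MAX_PROVIDERS 16
#define FIELD_LEN 64

struct provider {
    char id[FIELD_LEN];   /* provider identity, e.g. "oqsprovider" */
    char name[FIELD_LEN]; /* the "name:" parameter the module reports */
};

const char *LISTING_3_2_DEV =
    "Providers:\n"
    "  base\n    name: OpenSSL Base Provider\n    version: 3.2.0\n"
    "  default\n    name: OpenSSL Default Provider\n    version: 3.2.0\n"
    "  oqs\n    name: OpenSSL OQS Provider\n    version: 0.5.0-dev\n"
    "  oqsprovider\n    name: OpenSSL OQS Provider\n    version: 0.5.0-dev\n"
    "  pkcs11\n    name: PKCS#11 Provider\n    version: 3.2.0\n";

const char *LISTING_3_1_0 =
    "Providers:\n"
    "  base\n    name: OpenSSL Base Provider\n    version: 3.1.0\n"
    "  default\n    name: OpenSSL Default Provider\n    version: 3.1.0\n"
    "  legacy\n    name: OpenSSL Legacy Provider\n    version: 3.1.0\n"
    "  oqsprovider\n    name: OpenSSL OQS Provider\n    version: 0.5.0-dev\n"
    "  pkcs11\n    name: PKCS#11 Provider\n    version: 3.1.0\n";

static int leading_spaces(const char *s)
{
    int n = 0;
    while (s[n] == ' ')
        n++;
    return n;
}

/* next_line: copy one line (without '\n') into buf; return pointer past it. */
static const char *next_line(const char *p, char *buf, size_t len)
{
    size_t n = 0;
    while (*p && *p != '\n') {
        if (n + 1 < len)
            buf[n++] = *p;
        p++;
    }
    buf[n] = '\0';
    return *p == '\n' ? p + 1 : p;
}

/* parse_provider_listing: provider ids are indented by 2, their parameters
 * by 4 (the per-parameter type lines are indented by 6 and ignored). */
static int parse_provider_listing(const char *text, struct provider *out, int max)
{
    char line[256];
    int count = 0;
    while (*text) {
        text = next_line(text, line, sizeof line);
        int ind = leading_spaces(line);
        if (ind == 2 && count < max) {
            snprintf(out[count].id, FIELD_LEN, "%s", line + 2);
            out[count].name[0] = '\0';
            count++;
        } else if (ind == 4 && count > 0 && strncmp(line + 4, "name: ", 6) == 0) {
            snprintf(out[count - 1].name, FIELD_LEN, "%s", line + 10);
        }
    }
    return count;
}

static char report[256]; /* description of the first duplicate pair found */

/* find_duplicates: count providers whose name already appeared under another
 * id; describe the first such pair in `report` (empty when there is none). */
static int find_duplicates(const char *text)
{
    struct provider prov[MAX_PROVIDERS];
    int n = parse_provider_listing(text, prov, MAX_PROVIDERS);
    int dups = 0;
    report[0] = '\0';
    for (int i = 1; i < n; i++) {
        for (int j = 0; j < i; j++) {
            if (prov[i].name[0] != '\0' && strcmp(prov[i].name, prov[j].name) == 0) {
                if (dups == 0)
                    snprintf(report, sizeof report, "%s and %s both report \"%s\"",
                             prov[j].id, prov[i].id, prov[i].name);
                dups++;
                break;
            }
        }
    }
    return dups;
}

int duplicate_provider_count(const char *text) { return find_duplicates(text); }
const char *first_duplicate_pair(const char *text) { find_duplicates(text); return report; }

int main(void)
{
    printf("3.2.0-dev listing: %d duplicate(s): %s\n",
           duplicate_provider_count(LISTING_3_2_DEV), first_duplicate_pair(LISTING_3_2_DEV));
    printf("3.1.0 listing: %d duplicate(s)\n", duplicate_provider_count(LISTING_3_1_0));
    return 0;
}
```

Run against the real command with `openssl list -providers -verbose` piped into a file and fed to `duplicate_provider_count`; a non-zero result before running the test suite is a cheap way to tell a "two copies loaded" failure apart from a genuine signature bug like the `oqs_sig_verify` error above.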
mouse07410 commented on August 26, 2024

Sure, whatever's the easiest way for you to track it.
