Package: guix;
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 22 Jun 2022 09:59:02 UTC
Severity: important
To reply to this bug, email your comments to 56137 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
phodina <at> protonmail.com, bug-guix <at> gnu.org:bug#56137; Package guix.
(Wed, 22 Jun 2022 09:59:02 GMT) Full text and rfc822 format available.Ludovic Courtès <ludo <at> gnu.org>:phodina <at> protonmail.com, bug-guix <at> gnu.org.
(Wed, 22 Jun 2022 09:59:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: bug-guix <at> gnu.org Subject: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Date: Wed, 22 Jun 2022 11:58:04 +0200
Hello,
As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
expired certificate:
https://github.com/openssl/openssl/issues/18441
The log looks like this:
--8<---------------cut here---------------start------------->8---
80-test_ocsp.t ..................... ok
80-test_pkcs12.t ................... ok
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [2] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got ClientFail.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844368
not ok 2 - iteration 2
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [2] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got ClientFail.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844368
not ok 4 - iteration 4
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [4] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844368
not ok 5 - iteration 5
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [4] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844368
not ok 6 - iteration 6
# ------------------------------------------------------------------------------
# OPENSSL_TEST_RAND_ORDER=1655844368
not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.none none => 1
not ok 3 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [2] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got ClientFail.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844369
not ok 2 - iteration 2
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [2] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got ClientFail.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844369
not ok 4 - iteration 4
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [4] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844369
not ok 5 - iteration 5
# ------------------------------------------------------------------------------
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
# [4] compared to [0]
# INFO: @ test/ssl_test.c:37
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
# OPENSSL_TEST_RAND_ORDER=1655844369
not ok 6 - iteration 6
# ------------------------------------------------------------------------------
# OPENSSL_TEST_RAND_ORDER=1655844369
not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.default default => 1
not ok 6 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
# Failed test 'running ssl_test 12-ct.cnf'
# at test/recipes/80-test_ssl_new.t line 171.
# Looks like you failed 2 tests of 6.
not ok 12 - Test configuration 12-ct.cnf
# ------------------------------------------------------------------------------
# Looks like you failed 1 test of 30.80-test_ssl_new.t ..................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/30 subtests
80-test_ssl_old.t .................. ok
80-test_ssl_test_ctx.t ............. ok
--8<---------------cut here---------------end--------------->8---
That means that ‘openssl’ on current master (ca.
73761d8049f483e6685c2c736872d0366e03238a) now fails to build.
Ludo’.
Ludovic Courtès <ludo <at> gnu.org>
to control <at> debbugs.gnu.org.
(Wed, 22 Jun 2022 10:36:01 GMT) Full text and rfc822 format available.Ludovic Courtès <ludo <at> gnu.org>:Ludovic Courtès <ludo <at> gnu.org>:Message #12 received at 56137-done <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: 56137-done <at> debbugs.gnu.org Cc: phodina <phodina <at> protonmail.com> Subject: Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Date: Wed, 22 Jun 2022 12:39:12 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:
> As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
> 1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
> expired certificate:
>
> https://github.com/openssl/openssl/issues/18441
Fixed on ‘core-updates’ with 6cd438c4c2beb016a821143cdfdd12892aa9fd5f.
That commit skips the test. I tried another approach with ‘datefudge’,
which has the advantage of being more explicit and future-proof (should
there be similar issues lying around):
(invoke "datefudge" "2022-01-01"
"make" test-target
#$@(if (or (target-arm?) (target-riscv64?))
#~("TESTS=-test_afalg")
#~()))
For some reason it didn’t work.
Note that we cannot use libfaketime because:
--8<---------------cut here---------------start------------->8---
$ guix graph -t derivation --path libfaketime openssl <at> 1
/gnu/store/a4jcd4h7nvn97a2mw4n1yydgbh0i2wmz-libfaketime-0.9.9.drv
/gnu/store/hf5arq562aiisycnjcnhgfwzrl8lwrbc-libfaketime-0.9.9-checkout.drv
/gnu/store/xpnrk8hjfh7rvgqfsjwkjrb9cz1ws626-git-minimal-2.36.1.drv
/gnu/store/gavjhl823bhd95rijqf3iw3vl32ix494-openssl-1.1.1l.drv
--8<---------------cut here---------------end--------------->8---
Ludo’.
bug-guix <at> gnu.org:bug#56137; Package guix.
(Wed, 22 Jun 2022 10:51:02 GMT) Full text and rfc822 format available.Message #15 received at 56137-done <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org>, 56137-done <at> debbugs.gnu.org Cc: phodina <phodina <at> protonmail.com> Subject: Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Date: Wed, 22 Jun 2022 12:49:51 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op wo 22-06-2022 om 12:39 [+0200]:
> That commit skips the test. I tried another approach with ‘datefudge’,
> which has the advantage of being more explicit and future-proof (should
> there be similar issues lying around):
>
> (invoke "datefudge" "2022-01-01"
> "make" test-target
> #$@(if (or (target-arm?) (target-riscv64?))
> #~("TESTS=-test_afalg")
> #~()))
Looking at <https://github.com/openssl/openssl/issues/15179>,
upsteam just replaces the certificates when these things happen, so
there could easily be more time bombs. As such, WDYT of removing _all_
the certs in tests/certs for robustness, maybe generating them locally
with test/smime-certs/mksmime-certs.sh?
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
bug-guix <at> gnu.org:bug#56137; Package guix.
(Fri, 24 Jun 2022 14:48:02 GMT) Full text and rfc822 format available.Message #18 received at 56137-done <at> debbugs.gnu.org (full text, mbox):
From: Ludovic Courtès <ludo <at> gnu.org> To: Maxime Devos <maximedevos <at> telenet.be> Cc: 56137-done <at> debbugs.gnu.org, phodina <phodina <at> protonmail.com> Subject: Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Date: Fri, 24 Jun 2022 16:47:37 +0200
Maxime Devos <maximedevos <at> telenet.be> skribis:
> Ludovic Courtès schreef op wo 22-06-2022 om 12:39 [+0200]:
>> That commit skips the test. I tried another approach with ‘datefudge’,
>> which has the advantage of being more explicit and future-proof (should
>> there be similar issues lying around):
>>
>> (invoke "datefudge" "2022-01-01"
>> "make" test-target
>> #$@(if (or (target-arm?) (target-riscv64?))
>> #~("TESTS=-test_afalg")
>> #~()))
>
> Looking at <https://github.com/openssl/openssl/issues/15179>,
> upsteam just replaces the certificates when these things happen, so
> there could easily be more time bombs. As such, WDYT of removing _all_
> the certs in tests/certs for robustness, maybe generating them locally
> with test/smime-certs/mksmime-certs.sh?
That’s an option, but it might be trickier than it seems? Or is it
really just about running that script?
I thought it’d be easier and more robust to use ‘datefudge’ or similar
because it’d amount to freezing things in time (GnuTLS does that in its
test suite). It didn’t work for some reason but it might be worth
investigating.
Ludo’.
bug-guix <at> gnu.org:bug#56137; Package guix.
(Fri, 24 Jun 2022 15:01:01 GMT) Full text and rfc822 format available.Message #21 received at 56137-done <at> debbugs.gnu.org (full text, mbox):
From: Maxime Devos <maximedevos <at> telenet.be> To: Ludovic Courtès <ludo <at> gnu.org> Cc: 56137-done <at> debbugs.gnu.org, phodina <phodina <at> protonmail.com> Subject: Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Date: Fri, 24 Jun 2022 17:00:31 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès schreef op vr 24-06-2022 om 16:47 [+0200]: > That’s an option, but it might be trickier than it seems? Or is it > really just about running that script? I don't know, Someone(™) would need to try it out. Though to be 100% correct, it's not sufficient, IIRC there was something about TLS certificates only supporting years up to 9999, so we would need to check that the year isn't to big and if so skip tests or something. Greetings, Maxime.
[signature.asc (application/pgp-signature, inline)]
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Sat, 23 Jul 2022 11:24:06 GMT) Full text and rfc822 format available.Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Thu, 03 Nov 2022 11:35:02 GMT) Full text and rfc822 format available.Maxime Devos <maximedevos <at> telenet.be>
to control <at> debbugs.gnu.org.
(Tue, 08 Nov 2022 01:58:02 GMT) Full text and rfc822 format available.Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Tue, 08 Nov 2022 01:58:02 GMT) Full text and rfc822 format available.Maxime Devos <maximedevos <at> telenet.be>
to control <at> debbugs.gnu.org.
(Tue, 08 Nov 2022 02:00:02 GMT) Full text and rfc822 format available.Ludovic Courtès <ludo <at> gnu.org>
to control <at> debbugs.gnu.org.
(Tue, 15 Nov 2022 16:16:01 GMT) Full text and rfc822 format available.bug-guix <at> gnu.org:bug#56137; Package guix.
(Sun, 26 Feb 2023 05:30:03 GMT) Full text and rfc822 format available.Message #36 received at 56137 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 56137 <at> debbugs.gnu.org Cc: sjors <at> sprovoost.nl, ludo <at> gnu.org, maximedevos <at> telenet.be, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, zimon.toutoune <at> gmail.com Subject: [PATCH 1/2] gnu: openssl-1.1: Do not quasiquote arguments. Date: Sun, 26 Feb 2023 00:29:04 -0500
* gnu/packages/tls.scm (openssl-1.1): Do not quasiquote arguments.
---
gnu/packages/tls.scm | 190 +++++++++++++++++++++----------------------
1 file changed, 94 insertions(+), 96 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 59e0e28feb..524b801443 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -15,7 +15,7 @@
;;; Copyright © 2018 Clément Lassieur <clement <at> lassieur.org>
;;; Copyright © 2019 Mathieu Othacehe <m.othacehe <at> gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
-;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
+;;; Copyright © 2020, 2021, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2021 Solene Rapenne <solene <at> perso.pw>
;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
@@ -515,107 +515,105 @@ (define-public openssl-1.1
"static")) ;6.4 MiB of .a files
(native-inputs (list perl))
(arguments
- `(#:parallel-tests? #f
- #:test-target "test"
+ (list
+ #:parallel-tests? #f
+ #:test-target "test"
- ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
- ;; so we explicitly disallow it here.
- #:disallowed-references ,(list (canonical-package perl))
- #:phases
- ,#~
- (modify-phases %standard-phases
- #$@(if (%current-target-system)
- #~((add-before
- 'configure 'set-cross-compile
- (lambda* (#:key target #:allow-other-keys)
- (setenv "CROSS_COMPILE" (string-append target "-"))
- (setenv "CONFIGURE_TARGET_ARCH"
- #$(target->openssl-target
- (%current-target-system))))))
- #~())
- ;; This test seems to be dependant on kernel features.
- ;; https://github.com/openssl/openssl/issues/12242
- #$@(if (or (target-arm?)
- (target-riscv64?))
- #~((replace 'check
- (lambda* (#:key tests? test-target #:allow-other-keys)
- (when tests?
- (invoke "make" "TESTS=-test_afalg" test-target)))))
- #~())
- (replace 'configure
- (lambda* (#:key configure-flags #:allow-other-keys)
- (let* ((out #$output)
- (lib (string-append out "/lib")))
- ;; It's not a shebang so patch-source-shebangs misses it.
- (substitute* "config"
- (("/usr/bin/env")
- (string-append (assoc-ref %build-inputs "coreutils")
- "/bin/env")))
- (apply
- invoke #$@(if (%current-target-system)
- #~("./Configure")
- #~("./config"))
- "shared" ;build shared libraries
- "--libdir=lib"
+ ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+ ;; so we explicitly disallow it here.
+ #:disallowed-references (list (canonical-package perl))
+ #:phases
+ #~(modify-phases %standard-phases
+ #$@(if (%current-target-system)
+ #~((add-before 'configure 'set-cross-compile
+ (lambda* (#:key target #:allow-other-keys)
+ (setenv "CROSS_COMPILE" (string-append target "-"))
+ (setenv "CONFIGURE_TARGET_ARCH"
+ #$(target->openssl-target
+ (%current-target-system))))))
+ #~())
+ ;; This test seems to be dependant on kernel features.
+ ;; https://github.com/openssl/openssl/issues/12242
+ #$@(if (or (target-arm?)
+ (target-riscv64?))
+ #~((replace 'check
+ (lambda* (#:key tests? test-target #:allow-other-keys)
+ (when tests?
+ (invoke "make" "TESTS=-test_afalg" test-target)))))
+ #~())
+ (replace 'configure
+ (lambda* (#:key configure-flags #:allow-other-keys)
+ (let* ((out #$output)
+ (lib (string-append out "/lib")))
+ ;; It's not a shebang so patch-source-shebangs misses it.
+ (substitute* "config"
+ (("/usr/bin/env")
+ (string-append (assoc-ref %build-inputs "coreutils")
+ "/bin/env")))
+ (apply
+ invoke #$@(if (%current-target-system)
+ #~("./Configure")
+ #~("./config"))
+ "shared" ;build shared libraries
+ "--libdir=lib"
- ;; The default for this catch-all directory is
- ;; PREFIX/ssl. Change that to something more
- ;; conventional.
- (string-append "--openssldir=" out
- "/share/openssl-"
- #$(package-version this-package))
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-"
+ #$(package-version this-package))
- (string-append "--prefix=" out)
- (string-append "-Wl,-rpath," lib)
- #$@(if (%current-target-system)
- #~((getenv "CONFIGURE_TARGET_ARCH"))
- #~())
- configure-flags)
- ;; Output the configure variables.
- (invoke "perl" "configdata.pm" "--dump"))))
- (add-after 'install 'move-static-libraries
- (lambda _
- ;; Move static libraries to the "static" output.
- (let* ((out #$output)
- (lib (string-append out "/lib"))
- (static #$output:static)
- (slib (string-append static "/lib")))
- (for-each (lambda (file)
- (install-file file slib)
- (delete-file file))
- (find-files
- lib
- #$(if (target-mingw?)
- '(lambda (filename _)
- (and (string-suffix? ".a" filename)
- (not (string-suffix? ".dll.a" filename))))
- "\\.a$"))))))
- (add-after 'install 'move-extra-documentation
- (lambda _
- ;; Move man pages and full HTML documentation to "doc".
- (let* ((out #$output)
- (man (string-append out "/share/man"))
- (html (string-append out "/share/doc/openssl"))
- (doc #$output:doc)
- (man-target (string-append doc "/share/man"))
- (html-target (string-append doc "/share/doc/openssl")))
- (mkdir-p (dirname man-target))
- (mkdir-p (dirname html-target))
- (rename-file man man-target)
- (rename-file html html-target))))
- (add-after
- 'install 'remove-miscellany
- (lambda _
- ;; The 'misc' directory contains random undocumented shell and Perl
- ;; scripts. Remove them to avoid retaining a reference on Perl.
- (delete-file-recursively (string-append #$output "/share/openssl-"
- #$(package-version this-package)
- "/misc")))))))
+ (string-append "--prefix=" out)
+ (string-append "-Wl,-rpath," lib)
+ #$@(if (%current-target-system)
+ #~((getenv "CONFIGURE_TARGET_ARCH"))
+ #~())
+ configure-flags)
+ ;; Output the configure variables.
+ (invoke "perl" "configdata.pm" "--dump"))))
+ (add-after 'install 'move-static-libraries
+ (lambda _
+ ;; Move static libraries to the "static" output.
+ (let* ((out #$output)
+ (lib (string-append out "/lib"))
+ (static #$output:static)
+ (slib (string-append static "/lib")))
+ (for-each (lambda (file)
+ (install-file file slib)
+ (delete-file file))
+ (find-files
+ lib
+ #$(if (target-mingw?)
+ '(lambda (filename _)
+ (and (string-suffix? ".a" filename)
+ (not (string-suffix? ".dll.a" filename))))
+ "\\.a$"))))))
+ (add-after 'install 'move-extra-documentation
+ (lambda _
+ ;; Move man pages and full HTML documentation to "doc".
+ (let* ((out #$output)
+ (man (string-append out "/share/man"))
+ (html (string-append out "/share/doc/openssl"))
+ (doc #$output:doc)
+ (man-target (string-append doc "/share/man"))
+ (html-target (string-append doc "/share/doc/openssl")))
+ (mkdir-p (dirname man-target))
+ (mkdir-p (dirname html-target))
+ (rename-file man man-target)
+ (rename-file html html-target))))
+ (add-after
+ 'install 'remove-miscellany
+ (lambda _
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (delete-file-recursively (string-append #$output "/share/openssl-"
+ #$(package-version this-package)
+ "/misc")))))))
(native-search-paths
(list $SSL_CERT_DIR $SSL_CERT_FILE))
(synopsis "SSL/TLS implementation")
- (description
- "OpenSSL is an implementation of SSL/TLS.")
+ (description "OpenSSL is an implementation of SSL/TLS.")
(license license:openssl)
(home-page "https://www.openssl.org/")))
base-commit: cb0d8100b288b5b0d130820207db17764b7d2140
--
2.39.1
bug-guix <at> gnu.org:bug#56137; Package guix.
(Sun, 26 Feb 2023 05:30:03 GMT) Full text and rfc822 format available.Message #39 received at 56137 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 56137 <at> debbugs.gnu.org Cc: sjors <at> sprovoost.nl, ludo <at> gnu.org, maximedevos <at> telenet.be, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, zimon.toutoune <at> gmail.com Subject: [PATCH 2/2] gnu: openssl-1.1: Run the test suite through datefudge. Date: Sun, 26 Feb 2023 00:29:05 -0500
Fixes <https://issues.guix.gnu.org/56137>.
* gnu/packages/tls.scm (openssl-1.1): Bind a RELEASE-DATE variable.
[arguments]: Invoke the test suite through datefudge, to avoid certificates
from expiring as time passes.
[native-inputs]: Add datefudge.
---
gnu/packages/tls.scm | 266 +++++++++++++++++++++++--------------------
1 file changed, 144 insertions(+), 122 deletions(-)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 524b801443..c20548e89a 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -492,130 +492,152 @@ (define (target->openssl-target target)
(string-append kernel "-" arch))))
(define-public openssl-1.1
- (package
- (name "openssl")
- (version "1.1.1l")
- (replacement openssl/fixed)
- (source (origin
- (method url-fetch)
- (uri (list (string-append "https://www.openssl.org/source/openssl-"
- version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/"
- "openssl-" version ".tar.gz")
- (string-append "ftp://ftp.openssl.org/source/old/"
- (string-trim-right version char-set:letter)
- "/openssl-" version ".tar.gz")))
- (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
- (sha256
- (base32
- "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))
- (build-system gnu-build-system)
- (outputs '("out"
- "doc" ;6.8 MiB of man3 pages and full HTML documentation
- "static")) ;6.4 MiB of .a files
- (native-inputs (list perl))
- (arguments
- (list
- #:parallel-tests? #f
- #:test-target "test"
-
- ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
- ;; so we explicitly disallow it here.
- #:disallowed-references (list (canonical-package perl))
- #:phases
- #~(modify-phases %standard-phases
- #$@(if (%current-target-system)
- #~((add-before 'configure 'set-cross-compile
- (lambda* (#:key target #:allow-other-keys)
- (setenv "CROSS_COMPILE" (string-append target "-"))
- (setenv "CONFIGURE_TARGET_ARCH"
- #$(target->openssl-target
- (%current-target-system))))))
- #~())
- ;; This test seems to be dependant on kernel features.
- ;; https://github.com/openssl/openssl/issues/12242
- #$@(if (or (target-arm?)
- (target-riscv64?))
- #~((replace 'check
- (lambda* (#:key tests? test-target #:allow-other-keys)
- (when tests?
- (invoke "make" "TESTS=-test_afalg" test-target)))))
- #~())
- (replace 'configure
- (lambda* (#:key configure-flags #:allow-other-keys)
- (let* ((out #$output)
- (lib (string-append out "/lib")))
- ;; It's not a shebang so patch-source-shebangs misses it.
- (substitute* "config"
- (("/usr/bin/env")
- (string-append (assoc-ref %build-inputs "coreutils")
- "/bin/env")))
- (apply
- invoke #$@(if (%current-target-system)
- #~("./Configure")
- #~("./config"))
- "shared" ;build shared libraries
- "--libdir=lib"
+ ;; Note to maintainers: when updating this package, make sure to update the
+ ;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs
+ ;; in the test suite.
+ (let ((release-date "2021-12-14 00:00"))
+ (package
+ (name "openssl")
+ (version "1.1.1l")
+ (replacement openssl/fixed)
+ (source (origin
+ (method url-fetch)
+ (uri (list (string-append "https://www.openssl.org/source/openssl-"
+ version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/"
+ "openssl-" version ".tar.gz")
+ (string-append "ftp://ftp.openssl.org/source/old/"
+ (string-trim-right version char-set:letter)
+ "/openssl-" version ".tar.gz")))
+ (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
+ (sha256
+ (base32
+ "1lbblxps2fhmz7bqh058iywh5wxfignbfx1s1kz2fj63b5g3wyhb"))))
+ (build-system gnu-build-system)
+ (outputs '("out"
+ "doc" ;6.8 MiB of man3 pages and full HTML documentation
+ "static")) ;6.4 MiB of .a files
+ (native-inputs (list datefudge perl))
+ (arguments
+ (list
+ #:modules '((guix build gnu-build-system)
+ (guix build utils)
+ (srfi srfi-34))
+ #:parallel-tests? #f
+ #:test-target "test"
+ #:make-flags
+ #~(list #$@(if (or (target-arm?)
+ (target-riscv64?))
+ ;; This test seems to be dependant on kernel features.
+ ;; https://github.com/openssl/openssl/issues/12242
+ #~("TESTS=-test_afalg")
+ #~()))
+ ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+ ;; so we explicitly disallow it here.
+ #:disallowed-references (list (canonical-package perl))
+ #:phases
+ #~(modify-phases %standard-phases
+ #$@(if (%current-target-system)
+ #~((add-before 'configure 'set-cross-compile
+ (lambda* (#:key target #:allow-other-keys)
+ (setenv "CROSS_COMPILE" (string-append target "-"))
+ (setenv "CONFIGURE_TARGET_ARCH"
+ #$(target->openssl-target
+ (%current-target-system))))))
+ #~())
+ (replace 'check
+ (lambda* (#:key target make-flags tests? test-target
+ parallel-tests? test-suite-log-regexp
+ #:allow-other-keys)
+ (if tests?
+ (guard (c ((invoke-error? c)
+ ;; Dump the test suite log to facilitate debugging.
+ (display "\nTest suite failed, dumping logs.\n"
+ (current-error-port))
+ (dump-file-contents "." test-suite-log-regexp)
+ (raise c)))
+ (apply invoke "datefudge" #$release-date
+ "make" test-target
+ `(,@(if parallel-tests?
+ `("-j" ,(number->string (parallel-job-count)))
+ '())
+ ,@make-flags)))
+ (format #t "test suite not run~%"))))
+ (replace 'configure
+ (lambda* (#:key configure-flags #:allow-other-keys)
+ (let* ((out #$output)
+ (lib (string-append out "/lib")))
+ ;; It's not a shebang so patch-source-shebangs misses it.
+ (substitute* "config"
+ (("/usr/bin/env")
+ (string-append (assoc-ref %build-inputs "coreutils")
+ "/bin/env")))
+ (apply
+ invoke #$@(if (%current-target-system)
+ #~("./Configure")
+ #~("./config"))
+ "shared" ;build shared libraries
+ "--libdir=lib"
- ;; The default for this catch-all directory is
- ;; PREFIX/ssl. Change that to something more
- ;; conventional.
- (string-append "--openssldir=" out
- "/share/openssl-"
- #$(package-version this-package))
+ ;; The default for this catch-all directory is
+ ;; PREFIX/ssl. Change that to something more
+ ;; conventional.
+ (string-append "--openssldir=" out
+ "/share/openssl-"
+ #$(package-version this-package))
- (string-append "--prefix=" out)
- (string-append "-Wl,-rpath," lib)
- #$@(if (%current-target-system)
- #~((getenv "CONFIGURE_TARGET_ARCH"))
- #~())
- configure-flags)
- ;; Output the configure variables.
- (invoke "perl" "configdata.pm" "--dump"))))
- (add-after 'install 'move-static-libraries
- (lambda _
- ;; Move static libraries to the "static" output.
- (let* ((out #$output)
- (lib (string-append out "/lib"))
- (static #$output:static)
- (slib (string-append static "/lib")))
- (for-each (lambda (file)
- (install-file file slib)
- (delete-file file))
- (find-files
- lib
- #$(if (target-mingw?)
- '(lambda (filename _)
- (and (string-suffix? ".a" filename)
- (not (string-suffix? ".dll.a" filename))))
- "\\.a$"))))))
- (add-after 'install 'move-extra-documentation
- (lambda _
- ;; Move man pages and full HTML documentation to "doc".
- (let* ((out #$output)
- (man (string-append out "/share/man"))
- (html (string-append out "/share/doc/openssl"))
- (doc #$output:doc)
- (man-target (string-append doc "/share/man"))
- (html-target (string-append doc "/share/doc/openssl")))
- (mkdir-p (dirname man-target))
- (mkdir-p (dirname html-target))
- (rename-file man man-target)
- (rename-file html html-target))))
- (add-after
- 'install 'remove-miscellany
- (lambda _
- ;; The 'misc' directory contains random undocumented shell and Perl
- ;; scripts. Remove them to avoid retaining a reference on Perl.
- (delete-file-recursively (string-append #$output "/share/openssl-"
- #$(package-version this-package)
- "/misc")))))))
- (native-search-paths
- (list $SSL_CERT_DIR $SSL_CERT_FILE))
- (synopsis "SSL/TLS implementation")
- (description "OpenSSL is an implementation of SSL/TLS.")
- (license license:openssl)
- (home-page "https://www.openssl.org/")))
+ (string-append "--prefix=" out)
+ (string-append "-Wl,-rpath," lib)
+ #$@(if (%current-target-system)
+ #~((getenv "CONFIGURE_TARGET_ARCH"))
+ #~())
+ configure-flags)
+ ;; Output the configure variables.
+ (invoke "perl" "configdata.pm" "--dump"))))
+ (add-after 'install 'move-static-libraries
+ (lambda _
+ ;; Move static libraries to the "static" output.
+ (let* ((out #$output)
+ (lib (string-append out "/lib"))
+ (static #$output:static)
+ (slib (string-append static "/lib")))
+ (for-each (lambda (file)
+ (install-file file slib)
+ (delete-file file))
+ (find-files
+ lib
+ #$(if (target-mingw?)
+ '(lambda (filename _)
+ (and (string-suffix? ".a" filename)
+ (not (string-suffix? ".dll.a" filename))))
+ "\\.a$"))))))
+ (add-after 'install 'move-extra-documentation
+ (lambda _
+ ;; Move man pages and full HTML documentation to "doc".
+ (let* ((out #$output)
+ (man (string-append out "/share/man"))
+ (html (string-append out "/share/doc/openssl"))
+ (doc #$output:doc)
+ (man-target (string-append doc "/share/man"))
+ (html-target (string-append doc "/share/doc/openssl")))
+ (mkdir-p (dirname man-target))
+ (mkdir-p (dirname html-target))
+ (rename-file man man-target)
+ (rename-file html html-target))))
+ (add-after
+ 'install 'remove-miscellany
+ (lambda _
+ ;; The 'misc' directory contains random undocumented shell and Perl
+ ;; scripts. Remove them to avoid retaining a reference on Perl.
+ (delete-file-recursively (string-append #$output "/share/openssl-"
+ #$(package-version this-package)
+ "/misc")))))))
+ (native-search-paths
+ (list $SSL_CERT_DIR $SSL_CERT_FILE))
+ (synopsis "SSL/TLS implementation")
+ (description "OpenSSL is an implementation of SSL/TLS.")
+ (license license:openssl)
+ (home-page "https://www.openssl.org/"))))
(define openssl/fixed
(package
--
2.39.1
bug-guix <at> gnu.org:bug#56137; Package guix.
(Sun, 26 Feb 2023 06:04:01 GMT) Full text and rfc822 format available.Message #42 received at 56137 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 56137 <at> debbugs.gnu.org Cc: sjors <at> sprovoost.nl, ludo <at> gnu.org, maximedevos <at> telenet.be, zimon.toutoune <at> gmail.com Subject: Re: [PATCH 2/2] gnu: openssl-1.1: Run the test suite through datefudge. Date: Sun, 26 Feb 2023 01:03:40 -0500
Hello, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: > Fixes <https://issues.guix.gnu.org/56137>. > > * gnu/packages/tls.scm (openssl-1.1): Bind a RELEASE-DATE variable. > [arguments]: Invoke the test suite through datefudge, to avoid certificates > from expiring as time passes. > [native-inputs]: Add datefudge. Hmm, sorry for the noise, I got tricked into building the graft, which is openssl-1.1.1t, not openssl-1.1.1l. The patch doesn't fix the issue :-(. -- Thanks, Maxim
bug-guix <at> gnu.org:bug#56137; Package guix.
(Mon, 27 Feb 2023 04:05:01 GMT) Full text and rfc822 format available.Message #45 received at 56137 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: 56137 <at> debbugs.gnu.org Cc: sjors <at> sprovoost.nl, ludo <at> gnu.org, 58650 <at> debbugs.gnu.org, maximedevos <at> telenet.be, zimon.toutoune <at> gmail.com Subject: Re: bug#58650: OpenSSL 1.1.1n test failures due to expired certificates (time bomb) Date: Sun, 26 Feb 2023 23:03:53 -0500
Hi,
I also tried with libfaketime, which seemed more complete and easy to
setup globally via environment variables:
--8<---------------cut here---------------start------------->8---
modified gnu/packages/tls.scm
@@ -491,11 +491,47 @@ (define (target->openssl-target target)
(error "unsupported openssl target architecture")))))
(string-append kernel "-" arch))))
+;;; A minimal version of libfaketime that should remain private. Its only
+;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's
+;;; git-fetch origin, which pulls git (which requires openssl).
+(define libfaketime-minimal
+ (package
+ (name "libfaketime")
+ (version "0.9.10")
+ (home-page "https://github.com/wolfcw/libfaketime")
+ (source (origin
+ (method url-fetch)
+ ;; XXX: We cheat and use a dynamically generated archive GitHub
+ ;; link here, since we can't fetch from git.
+ (uri (string-append "https://github.com/wolfcw/" name
+ "/archive/refs/tags/v" version ".tar.gz"))
+ (sha256
+ (base32
+ "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:make-flags #~(list "all")
+ #:tests? #f
+ #:phases
+ #~(modify-phases %standard-phases
+ (replace 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (setenv "CC" #$(cc-for-target))
+ (setenv "PREFIX" #$output))))))
+ (synopsis "Fake the system time for single applications")
+ (description
+ "The libfaketime library allows users to modify the system time that an
+application \"sees\". It is meant to be loaded using the dynamic linker's
+@code{LD_PRELOAD} environment variable. The @command{faketime} command
+provides a simple way to achieve this.")
+ (license license:gpl2)))
+
(define-public openssl-1.1
;; Note to maintainers: when updating this package, make sure to update the
;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs
;; in the test suite.
- (let ((release-date "2021-08-24 00:00"))
+ (let ((release-date "@2021-08-24 00:00:00"))
(package
(name "openssl")
(version "1.1.1l")
@@ -517,7 +553,7 @@ (define-public openssl-1.1
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
"static")) ;6.4 MiB of .a files
- (native-inputs (list datefudge perl))
+ (native-inputs (list libfaketime-minimal perl))
(arguments
(list
#:modules '((guix build gnu-build-system)
@@ -537,6 +573,15 @@ (define-public openssl-1.1
#:disallowed-references (list (canonical-package perl))
#:phases
#~(modify-phases %standard-phases
+ (add-before 'unpack 'setup-libfaketime
+ (lambda* (#:key native-inputs inputs #:allow-other-keys)
+ (let ((libfaketime.so.1 (search-input-file
+ (or native-inputs inputs)
+ "lib/faketime/libfaketime.so.1")))
+ (setenv "LD_PRELOAD" libfaketime.so.1)
+ (setenv "NO_FAKE_STAT" "1")
+ (setenv "FAKETIME_DONT_RESET" "1")
+ (setenv "FAKETIME" #$release-date))))
#$@(if (%current-target-system)
#~((add-before 'configure 'set-cross-compile
--8<---------------cut here---------------end--------------->8---
But I still get the same error:
--8<---------------cut here---------------start------------->8---
../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0
ok 1 - Getting output from generate_ssl_tests.pl.
ok 2 - Comparing generated sources.
# Subtest: ../ssl_test
1..1
# Subtest: test_handshake
1..6
ok 1 - iteration 1
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
ok 3 - iteration 3
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 4 - iteration 4
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 5 - iteration 5
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 6 - iteration 6
not ok 1 - test_handshake
../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1
not ok 3 - running ssl_test 12-ct.conf
# Failed test 'running ssl_test 12-ct.conf'
# at ../test/recipes/80-test_ssl_new.t line 148.
# Looks like you failed 1 test of 3.
not ok 12 - Test configuration 12-ct.conf
# Failed test 'Test configuration 12-ct.conf'
# at
# /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm
# line 1212.
--8<---------------cut here---------------end--------------->8---
When attempting to build with
--8<---------------cut here---------------start------------->8---
./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'
--8<---------------cut here---------------end--------------->8---
Upstream seems to have moved to give very large expiry dates on their
test certs (100 years), so perhaps we can simply remove this test and
hope the problem doesn't come back to haunt us...
--
Thanks,
Maxim
Ludovic Courtès <ludo <at> gnu.org>
to control <at> debbugs.gnu.org.
(Mon, 17 Apr 2023 13:24:02 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.