New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update invalid EC key test for compatibility with upcoming OpenSSL changes #7833
Conversation
@romen our test suite checks for errors on the stack between every single test so any teardown error means that an unexpected error was added to the stack during that test. These may be bugs in OpenSSL 3.1.x or they may be new errors that should be present on the stack and we need to handle them. We actually test against |
@reaperhulk the new surprising errors are specifically triggered by the changes in openssl/openssl#19681 which will likely land in
|
@reaperhulk 689b687 is not meant to be merged, but is just a way to experiment if I can get the CI here to trigger the same errors by testing against openssl/openssl#19681 |
@reaperhulk @alex @levitte @mspncp here are the errors also in the CI run here: https://github.com/pyca/cryptography/actions/runs/3527647029/jobs/5916940092 |
@levitte did dig a bit on the OpenSSL side of things:
In the same comment he suggested a way to try and highlight the places where this is happening. Here is the new log which highlights various python functions that seems to be doing this: 📎 @reaperhulk @alex : Does this help figuring out what is going on in |
I'm not quite sure what's going on, but that log file is basically unreadable. Output appears to be interleaved between multiple threads or something. That said, looking at the crashing stacks, the top python frame is |
It's unclear under which conditions this might be happening: in our internal tests we don't seem to have that problem, and it's suspicious that this is happening in DSA and ECX tests, when the upcoming change only affects EC keys. |
I've run these tests locally and it's adding errors to the stack in int main(void) {
char *p8 = "-----BEGIN PRIVATE KEY-----\nMIIBTAIBADCCASwGByqGSM44BAEwggEfAoGBAKoJMMwUWCUiHK/6KKwolBlqJ4M9\n5ewhJweRaJQgd3Si57I4sNNvGySZosJYUIPrAUMpJEGNhn+qIS3RBx1NzrJ4J5St\nOTzAik1K2n9o1ug5pfzTS05ALYLLioy0D+wxkRv5vTYLA0yqy0xelHmSVzyekAmc\nGw8FlAyr5dLeSaFnAhUArcDoabNvCsATpoH99NSJnWmCBFECgYEAjGtFia+lOk0Q\nSL/DRtHzhsp1UhzPct2qJRKGiA7hMgH/SIkLv8M9ebrK7HHnp3hQe9XxpmQi45QV\nvgPnEUG6Mk9bkxMZKRgsiKn6QGKDYGbOvnS1xmkMfRARBsJAq369VOTjMB/Qhs5q\n2ski+ycTorCIfLoTubxozlz/8kHNMkYEFwIVAKU1qOHQ2Rvq/IvuHZsqOo3jMRID\n-----END PRIVATE KEY-----";
BIO *b = BIO_new_mem_buf(p8, strlen(p8));
assert(b != NULL);
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
assert(pkey != NULL);
const BIO_METHOD *m = BIO_s_mem();
assert(m != NULL);
BIO *write_bio = BIO_new(m);
assert(write_bio != NULL);
const EVP_CIPHER *cipher = EVP_get_cipherbyname("aes-256-cbc");
assert(cipher != NULL);
int res = PEM_write_bio_PKCS8PrivateKey(write_bio, pkey, cipher, "s", 1, NULL, NULL);
assert(res == 1);
assert(ERR_get_error() == 0);
} |
Thank you for your help @reaperhulk! |
Thanks @reaperhulk! Using your reproducer I managed to figure out that this was fixed recently in I pushed another commit tweaking the CI to run against |
So I think with the CI changes reverted this can be merged. |
…anges One of the tests checking behavior with invalid EC keys hardcoded the error reason. This commit replaces the string matching with a regex to match both the current string and a new reason, introduced by upcoming OpenSSL changes [0], which would otherwise trigger a false positive failure. [0]: openssl/openssl#19681
e05b2b5
to
d222736
Compare
Rebased on latest |
Assuming this will be merged to |
We generally only backport security or critical fixes. Since this isn't even a functional change for users, it wouldn't qualify. Notwithstanding that, if we do a 38.0.4 for some other reason we can include this. Otherwise it'll be in 39.0. |
…anges (pyca#7833) One of the tests checking behavior with invalid EC keys hardcoded the error reason. This commit replaces the string matching with a regex to match both the current string and a new reason, introduced by upcoming OpenSSL changes [0], which would otherwise trigger a false positive failure. [0]: openssl/openssl#19681
* Update invalid EC key test for compatibility with upcoming OpenSSL changes (#7833) One of the tests checking behavior with invalid EC keys hardcoded the error reason. This commit replaces the string matching with a regex to match both the current string and a new reason, introduced by upcoming OpenSSL changes [0], which would otherwise trigger a false positive failure. [0]: openssl/openssl#19681 * fix CI * fixes #7653 -- handle OPENSSL_cleanup existing on LibreSSL 3.6.0 (#7654) * kill CI cache * endless CI fixing Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
We ended up doing a 38.0.4 today which includes this commit. |
@alex @reaperhulk Thanks for the update, and for all the help! |
This is a rebase of #7829 to target
main
rather than38.0.x
, as requested.The original description:
Asking for help
Ping @alex, who has been helping me since #7829 (thanks!)
Ping @levitte and @mspncp who also might lend me a hand (or four) in figuring out how to root cause the remaining errors. This PR is rebased on latest
main@pyca
and includes formatting amendments to my original patch to appeaseflake
, but it does still trigger the same errors that i mentioned in openssl/openssl#19681 (comment). I also include again a discussion of the samelog.txt
below.Surprising errors specific to
main@pyca/cryptography
log.txt
The log above is obtained running
test_external_pyca
from the tip of openssl/openssl#19681, after ensuring the submodulepyca-cryptography
points to an older (but equivalent) version of this PR.These errors are not triggered when checking out
openssl-3.1
and the same commit underpyca-cryptography/
, so it seems they are an indirect consequence of the openssl/openssl#19681 changes.The errors are due to a
param of incompatible type
left on the error stack during teardown, but are surprising and hard to debug because they happen during the teardown of seemingly unrelated tests, e.g. :Notice that these errors are specific to
main@pyca/cryptography
, and they are not triggered when running against the38.0.x
branch (as exemplified by the original #7829.