Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support LibreSSL #2380

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Support LibreSSL #2380

wants to merge 3 commits into from

Conversation

orbea
Copy link
Contributor

@orbea orbea commented Jul 5, 2022

This works with LibreSSL 3.5.x.

Copy link
Member

@williamcroberts williamcroberts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need a test, perhaps you could create a docker image to add to the ci matrix? You could submit a docker container here: https://github.com/tpm2-software/tpm2-software-container

@orbea
Copy link
Contributor Author

orbea commented Jul 5, 2022

A test case would be a good idea, but I know almost nothing about docker and I am unsure what distro would even work?

The current situation is the primary LibreSSL user is OpenBSD and most linux distros have removed it by default, but I am still trying to keep it working for the Gentoo LibreSSL overlay.

https://github.com/gentoo/libressl

Additionally OpenBSD doesn't ship tpm2-tss, but Gentoo does.

https://repology.org/project/tpm2-tss/versions

gentoo-bot pushed a commit to gentoo/libressl that referenced this pull request Jul 5, 2022
Upstream-PR: tpm2-software/tpm2-tss#2380
Signed-off-by: orbea <[email protected]>
Signed-off-by: Quentin Retornaz <[email protected]>
@williamcroberts
Copy link
Member

A test case would be a good idea, but I know almost nothing about docker and I am unsure what distro would even work?

The current situation is the primary LibreSSL user is OpenBSD and most linux distros have removed it by default, but I am still trying to keep it working for the Gentoo LibreSSL overlay.

https://github.com/gentoo/libressl

Additionally OpenBSD doesn't ship tpm2-tss, but Gentoo does.

https://repology.org/project/tpm2-tss/versions

I'll build you a container, standby.

@@ -392,7 +392,7 @@ iesys_cryptossl_hmac_start(ESYS_CRYPTO_CONTEXT_BLOB ** context,
"Error EVP_MD_CTX_create", cleanup);
}

#if OPENSSL_VERSION_NUMBER < 0x10101000L
#if OPENSSL_VERSION_NUMBER < 0x10101000L || defined(LIBRESSL_VERSION_NUMBER)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if it's an old version of LibreSSL, this would fail. I think the root cause is that we are not including #include <openssl/opensslv.h>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have patches to another project that I think are a more robust fix to the same problem: https://github.com/stefanberger/libtpms/pull/340/files

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually probably not the right fix, silly libressl:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested with 3.5.3 and I get this error.

src/tss2-esys/esys_crypto_ossl.c: In function ‘iesys_cryptossl_hmac_start’:
src/tss2-esys/esys_crypto_ossl.c:400:18: error: implicit declaration of function ‘EVP_PKEY_new_raw_private_key’; did you mean ‘EC_KEY_set_private_key’? [-Werror=implicit-function-declaration]
  400 |     if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
      |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                  EC_KEY_set_private_key
src/tss2-esys/esys_crypto_ossl.c:400:16: error: assignment to ‘EVP_PKEY *’ {aka ‘struct evp_pkey_st *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  400 |     if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
      |                ^
cc1: all warnings being treated as errors

Unfortunately libressl doesn't have EVP_PKEY_new_raw_private_key yet.

I'm not sure this would make a difference for older libressl versions? They would presumably need the older openssl API too. Really 3.5 changed and fixed so many issues that its been difficult to worry about older versions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I'm starting to understand the implications of what they did and how there version number maps. What's the lowest known working version? The newest version of 3.5.3 but you're reporting it doesn't work now?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this PR, libressl-3.5.3 and presumably 3.5.2 the build succeeds. The first stable 3.5 release with all of the API changes was 3.5.2 while 3.5.0 was a developmental release and 3.5.1 was a security fix and 3.5.3 is a bug fix release.. However I am not sure when the last time tpm2-tss worked with older versions of libressl.

I started using Gentoo shortly before Gentoo and Alpine dropped libressl from the main repos which left the remaining users suddenly in the deep end. It was only after libressl-3.5.3 where I started going through the libressl overlay in more depth to update several neglected ebuilds when I discovered that tpm2-tss which did not build. I was able to drop the old libressl patches for tpm-tools and tpm2-tools at least. :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok I just merged tpm2-software/tpm2-software-container#71, so in a little bit we should have a working docker container with libressl 3.5.3 in it. Ill send you a diff to add testing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@orbea I think when the image is published, add this to your PR and re-upload, this way we can test:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08dba6857f9b..2e38162b02fd 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -85,6 +85,27 @@ jobs:
       - name: failure
         if: ${{ failure() }}
         run: cat $(find ../ -name test-suite.log) || true
+  test-libressl:
+    runs-on: ubuntu-latest
+    if: "!contains(github.ref, 'coverity_scan')"
+    strategy:
+      matrix:
+        docker_image: [fedora-34-libressl]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+        with:
+            fetch-depth: 0
+      - name: Launch Action
+        uses:
+          tpm2-software/ci/runCI@main
+        with:
+          CC: gcc
+          DOCKER_IMAGE: ${{ matrix.docker_image }}
+          PROJECT_NAME: ${{ github.event.repository.name }}
+      - name: failure
+        if: ${{ failure() }}
+        run: cat $(find ../ -name test-suite.log) || true

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I added this to the PR.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unfortunately github container registry that hosts are images is having some issues, but we will keep working through them and I will re-trigger the CI when the image is hosted.

@williamcroberts
Copy link
Member

So you now have a docker container you can test in, but it looks like some type of memory issue as it's segfaulting:

You can test in that docker container by:

docker pull ghcr.io/tpm2-software/fedora-34-libressl
docker run -it fedora-34-libressl
# run commands here

You can kick off the whole CI test by:

docker run --rm --env-file /path/to/tpm2-tss/.ci/docker.env -v /path/to/tpm2-tss:/workspace/tpm2-tss <IMAGE ID> /bin/bash -c '/workspace/tpm2-tss/.ci/docker.run'

@orbea
Copy link
Contributor Author

orbea commented Jul 14, 2022

I can reproduce failing tests locally, but only when using --enable-self-generated-certificate.
test-suite.log

PASS: test/unit/CommonPreparePrologue
PASS: test/unit/CopyCommandHeader
PASS: test/unit/io
PASS: test/unit/key-value-parse
PASS: test/unit/log
PASS: test/unit/tctildr
PASS: test/unit/tctildr-dl
PASS: test/unit/tctildr-nodl
PASS: test/unit/tctildr-tcti
PASS: test/unit/tctildr-getinfo
PASS: test/unit/dlopen-fail
PASS: test/unit/dlopen-UINT8-marshal
PASS: test/unit/dlopen-TPM2B-marshal
PASS: test/unit/dlopen-TPMU-marshal
PASS: test/unit/UINT8-marshal
PASS: test/unit/UINT16-marshal
PASS: test/unit/UINT32-marshal
PASS: test/unit/UINT64-marshal
PASS: test/unit/TPMA-marshal
PASS: test/unit/TPM2B-marshal
PASS: test/unit/TPMS-marshal
PASS: test/unit/TPML-marshal
PASS: test/unit/TPMT-marshal
PASS: test/unit/TPMU-marshal
PASS: test/unit/sys-execute
PASS: test/unit/dlopen_tss2_rc
PASS: test/unit/tss2_rc
PASS: test/unit/tcti-mssim
PASS: test/unit/tcti-swtpm
PASS: test/unit/tcti-libtpms
PASS: test/unit/tcti-device
PASS: test/unit/tcti-pcap
PASS: test/unit/tcti-cmd
PASS: test/unit/esys-context-null
PASS: test/unit/esys-resubmissions
PASS: test/unit/esys-sequence-finish
PASS: test/unit/esys-tcti-rcs
PASS: test/unit/esys-tpm-rcs
PASS: test/unit/esys-getpollhandles
PASS: test/unit/esys-nulltcti
PASS: test/unit/esys-crypto
PASS: test/unit/fapi-json
PASS: test/unit/fapi-helpers
PASS: test/unit/fapi-io
PASS: test/unit/fapi-profiles
PASS: test/unit/fapi-config
PASS: test/unit/fapi-get-intl-cert
PASS: test/unit/tss2_policy
PASS: test/integration/sys-asymmetric-encrypt-decrypt.int
PASS: test/integration/sys-nv-policy-locality.int
PASS: test/integration/sys-nv-readwrite.int
PASS: test/integration/sys-hmac-auth.int
PASS: test/integration/sys-primary-rsa-2K-aes128cfb.int
PASS: test/integration/sys-create-keyedhash-sha1-hmac.int
PASS: test/integration/sys-encrypt-decrypt.int
PASS: test/integration/sys-encrypt-decrypt-2.int
PASS: test/integration/sys-evict-ctrl.int
PASS: test/integration/sys-get-random.int
PASS: test/integration/sys-stir-random.int
PASS: test/integration/sys-hierarchy-change-auth.int
PASS: test/integration/sys-abi-version.int
PASS: test/integration/sys-pcr-extension.int
PASS: test/integration/sys-self-test.int
PASS: test/integration/sys-start-auth-session.int
PASS: test/integration/sys-sys-initialize.int
PASS: test/integration/sys-tpm-properties.int
PASS: test/integration/sys-system-api.int
PASS: test/integration/sys-policy-template.int
PASS: test/integration/sys-create-loaded.int
PASS: test/integration/sys-policy-authorizeNV.int
PASS: test/integration/sys-param-encrypt-decrypt.int
PASS: test/integration/sys-read-clock.int
PASS: test/tpmclient/tpmclient.int
PASS: test/integration/dlopen-esys-get-random.int
SKIP: test/integration/esys-act-set-timeout.int
PASS: test/integration/esys-certify-creation.int
PASS: test/integration/esys-certifyX509.int
PASS: test/integration/esys-certify.int
PASS: test/integration/esys-clear-control.int
PASS: test/integration/esys-clockset.int
PASS: test/integration/esys-clockset-audit.int
PASS: test/integration/esys-commit.int
PASS: test/integration/esys-create-fail.int
PASS: test/integration/esys-create-password-auth.int
PASS: test/integration/esys-create-policy-auth.int
PASS: test/integration/esys-create-primary-ecc-hmac.int
PASS: test/integration/esys-create-primary-hmac.int
PASS: test/integration/esys-create-session-auth-bound.int
PASS: test/integration/esys-create-session-null-bind-tpm-key.int
PASS: test/integration/esys-create-session-null-bind-no-tpm-key.int
PASS: test/integration/esys-create-session-auth-ecc.int
PASS: test/integration/esys-create-session-auth.int
PASS: test/integration/esys-create-session-auth-long.int
PASS: test/integration/esys-create-session-auth-xor.int
PASS: test/integration/esys-crypto.int
PASS: test/integration/esys-ecc-parameters.int
PASS: test/integration/esys-ecdh-zgen.int
PASS: test/integration/esys-event-sequence-complete.int
PASS: test/integration/esys-evict-control-serialization.int
PASS: test/integration/esys-get-capability.int
PASS: test/integration/esys-get-capability-act.int
PASS: test/integration/esys-get-random.int
PASS: test/integration/esys-hash.int
PASS: test/integration/esys-hashsequencestart.int
PASS: test/integration/esys-hashsequencestart-session.int
PASS: test/integration/esys-hierarchychangeauth.int
PASS: test/integration/esys-hmac.int
PASS: test/integration/esys-hmacsequencestart.int
PASS: test/integration/esys-hmacsequencestart-session.int
PASS: test/integration/esys-import.int
PASS: test/integration/esys-make-credential.int
PASS: test/integration/esys-make-credential-session.int
PASS: test/integration/esys-nv-ram-counter.int
PASS: test/integration/esys-nv-ram-counter-session.int
PASS: test/integration/esys-nv-ram-counter-session-long-auth.int
PASS: test/integration/esys-nv-ram-extend-index.int
PASS: test/integration/esys-nv-ram-extend-index-session.int
PASS: test/integration/esys-nv-ram-ordinary-index-rlock.int
PASS: test/integration/esys-nv-ram-ordinary-index-rlock-session.int
PASS: test/integration/esys-nv-ram-ordinary-index-wlock.int
PASS: test/integration/esys-nv-ram-ordinary-index-wlock-session.int
PASS: test/integration/esys-nv-ram-set-bits.int
PASS: test/integration/esys-nv-ram-set-bits-session.int
PASS: test/integration/esys-object-changeauth.int
PASS: test/integration/esys-policy-authorize.int
PASS: test/integration/esys-policy-nv-changeauth.int
PASS: test/integration/esys-policy-nv-undefine-special.int
PASS: test/integration/esys-policy-password.int
PASS: test/integration/esys-policy-regression.int
PASS: test/integration/esys-quote.int
PASS: test/integration/esys-rsa-encrypt-decrypt.int
PASS: test/integration/esys-save-and-load-context.int
PASS: test/integration/esys-session-attributes.int
PASS: test/integration/esys-stir-random.int
PASS: test/integration/esys-testparms.int
PASS: test/integration/esys-tpm-tests.int
PASS: test/integration/esys-tr-fromTpmPublic-key.int
PASS: test/integration/esys-tr-fromTpmPublic-nv.int
PASS: test/integration/esys-tr-fromTpmPublic-session.int
PASS: test/integration/esys-tr-getName-hierarchy.int
PASS: test/integration/esys-tr-getTpmHandle-key.int
PASS: test/integration/esys-tr-getTpmHandle-nv.int
PASS: test/integration/esys-unseal-password-auth.int
PASS: test/integration/esys-verify-signature.int
PASS: test/integration/esys-ecdh-keygen.int
PASS: test/integration/esys-policy-ticket.int
PASS: test/integration/esys-audit.int
PASS: test/integration/esys-createloaded.int
PASS: test/integration/esys-createloaded-session.int
PASS: test/integration/esys-duplicate.int
PASS: test/integration/esys-encrypt-decrypt.int
PASS: test/integration/esys-encrypt-decrypt2.int
PASS: test/integration/esys-get-time.int
PASS: test/integration/esys-hierarchy-control.int
PASS: test/integration/esys-nv-certify.int
PASS: test/integration/esys-pcr-auth-value.int
PASS: test/integration/esys-pcr-basic.int
PASS: test/integration/esys-policy-authorize-nv-opt.int
PASS: test/integration/esys-policy-physical-presence-opt.int
PASS: test/integration/esys-policy-template-opt.int
PASS: test/integration/esys-pp-commands.int
PASS: test/integration/esys-zgen-2phase.int
PASS: test/integration/esys-auto-session-flags.int
PASS: test/integration/esys-change-eps.int
PASS: test/integration/esys-clear.int
PASS: test/integration/esys-tpm-clear-auth.int
PASS: test/integration/esys-clear-session.int
SKIP: test/integration/esys-field-upgrade.int
SKIP: test/integration/esys-firmware-read.int
PASS: test/integration/esys-lock.int
PASS: test/integration/esys-set-algorithm-set.int
FAIL: test/integration/dlopen-fapi-get-random.fint
FAIL: test/integration/fapi-check-wrong-paths.fint
FAIL: test/integration/fapi-data-crypt.fint
FAIL: test/integration/fapi-data-crypt-persistent.fint
FAIL: test/integration/fapi-data-crypt-rsa.fint
FAIL: test/integration/fapi-data-crypt-rsa-persistent.fint
FAIL: test/integration/fapi-duplicate.fint
FAIL: test/integration/fapi-export-policy.fint
PASS: test/integration/fapi-ext-public-key.fint
FAIL: test/integration/fapi-get-esys-blobs.fint
FAIL: test/integration/fapi-get-random.fint
FAIL: test/integration/fapi-platform-certificates.fint
FAIL: test/integration/fapi-key-create-sign.fint
FAIL: test/integration/fapi-key-create-he-sign.fint
FAIL: test/integration/fapi-key-create-primary-sign.fint
FAIL: test/integration/fapi-key-create2-sign.fint
FAIL: test/integration/fapi-key-create-null-key-sign.fint
FAIL: test/integration/fapi-key-create-sign-persistent-key.fint
FAIL: test/integration/fapi-key-create-sign-password-provision.fint
FAIL: test/integration/fapi-key-create-sign-rsa.fint
FAIL: test/integration/fapi-key-create-policy-authorize-sign.fint
FAIL: test/integration/fapi-key-create-policy-authorize-rsa-pem-sign.fint
FAIL: test/integration/fapi-key-create-policy-authorize-ecc-pem-sign.fint
PASS: test/integration/fapi-key-create-policy-authorize-sign-rsa.fint
FAIL: test/integration/fapi-key-create-policy-authorize-nv-sign.fint
PASS: test/integration/fapi-key-create-policy-secret-nv-sign.fint
FAIL: test/integration/fapi-key-create-policy-pcr-sign.fint
FAIL: test/integration/fapi-key-create-policy-signed.fint
FAIL: test/integration/fapi-key-create-policy-signed-ecc.fint
FAIL: test/integration/fapi-key-create-policy-nv-sign.fint
FAIL: test/integration/fapi-key-create-policy-nv-counter-sign.fint
FAIL: test/integration/fapi-key-create-policy-or-sign.fint
FAIL: test/integration/fapi-key-create-policy-password-sign.fint
FAIL: test/integration/fapi-key-create-policy-countertimer-sign.fint
FAIL: test/integration/fapi-key-create-policy-physical-presence-sign.fint
FAIL: test/integration/fapi-key-create-policy-locality-sign.fint
FAIL: test/integration/fapi-key-create-policy-command-code-sign.fint
FAIL: test/integration/fapi-key-create-policy-auth-value-sign.fint
FAIL: test/integration/fapi-key-create-ckda-sign.fint
FAIL: test/integration/fapi-key-change-auth.fint
PASS: test/integration/fapi-key-create-sign-persistent.fint
FAIL: test/integration/fapi-key-create-sign-password.fint
FAIL: test/integration/fapi-key-create-ckda-sign-password.fint
FAIL: test/integration/fapi-key-create-sign-password-da.fint
FAIL: test/integration/fapi-key-create-ckda-sign-password-da.fint
FAIL: test/integration/fapi-nv-authorizenv-cphash.fint
FAIL: test/integration/fapi-nv-ordinary.fint
FAIL: test/integration/fapi-nv-written-policy.fint
FAIL: test/integration/fapi-nv-extend.fint
FAIL: test/integration/fapi-nv-increment.fint
FAIL: test/integration/fapi-nv-set-bits.fint
FAIL: test/integration/fapi-pcr-test.fint
FAIL: test/integration/fapi-quote.fint
FAIL: test/integration/fapi-quote-with-primary.fint
FAIL: test/integration/fapi-quote-rsa.fint
FAIL: test/integration/fapi-policy-or-nv-read-write.fint
FAIL: test/integration/fapi-second-provisioning.fint
FAIL: test/integration/fapi-provisioning-error.fint
PASS: test/integration/fapi-info.fint
FAIL: test/integration/fapi-unseal.fint
FAIL: test/integration/fapi-unseal-persistent.fint
PASS: test/integration/fapi-key-create-sign-policy-provision.fint
PASS: test/integration/fapi-provision-fingerprint.fint
FAIL: test/integration/fapi-provision-certificate.fint
PASS: test/integration/fapi-provision-fingerprint_ecc.fint
FAIL: test/integration/fapi-provision-certificate_ecc.fint
FAIL: test/integration/fapi-quote-destructive.fint
PASS: test/integration/policy-execute.int
============================================================================
Testsuite summary for tpm2-tss 3.2.0-44-g22db58eb
============================================================================
# TOTAL: 239
# PASS:  177
# SKIP:  3
# XFAIL: 0
# FAIL:  59
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/tpm2-software/tpm2-tss/issues
============================================================================
make[2]: *** [Makefile:28943: test-suite.log] Error 1
make[2]: Leaving directory '/tmp/tpm2-tss'
make[1]: *** [Makefile:29051: check-TESTS] Error 2
make[1]: Leaving directory '/tmp/tpm2-tss'
make: *** [Makefile:29620: check-am] Error 2

@williamcroberts
Copy link
Member

I can reproduce failing tests locally, but only when using --enable-self-generated-certificate. test-suite.log

Yeah that config seems to be used in the test harness on the CI

Copy link
Member

@williamcroberts williamcroberts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to find the bug in the docker container run...

@orbea
Copy link
Contributor Author

orbea commented Oct 27, 2022

I've been meaning to find time to work on trying to debug this, but real life took over.

@orbea orbea marked this pull request as draft April 13, 2023 23:22
@orbea
Copy link
Contributor Author

orbea commented Apr 13, 2023

I rebased the PR removing the check for EVP_PKEY_new_raw_private_key() which was added in LibreSSL 3.7.

I have also found out why the tests are failing, libressl doesn't have openssl x590 -force_pubkey. I pushed a second commit which is a hack to remove this, but perhaps as expected it still fails.

For example in ./test/integration/dlopen-fapi-get-random.log.

Trying to start simulator swtpm
Starting simulator on port 1950
successfully started daemon: swtpm with PID: 6029
/tmp/tpm2-tss
simulator PID: 6029
LISTEN 0      1          127.0.0.1:1950       0.0.0.0:*    users:(("swtpm",pid=6029,fd=3)) 
LISTEN 0      1          127.0.0.1:1951       0.0.0.0:*    users:(("swtpm",pid=6029,fd=2)) 
Simulator with PID 6029 bound to port 1950 and  1951 successfully.
TPM20TEST_TCTI_NAME=swtpm
TPM20TEST_DEVICE_FILE=
TPM20TEST_SOCKET_ADDRESS=127.0.0.1
TPM20TEST_SOCKET_PORT=1950
TPM20TEST_TCTI=swtpm:host=127.0.0.1,port=1950
WARNING:test:test/helper/tpm_writeekcert.c:93:main() Cert input size is 1208 
WARNING:test:test/helper/tpm_writeekcert.c:96:main() Define NV cert with nv index: 1c00002 
WARNING:test:test/helper/tpm_writeekcert.c:93:main() Cert input size is 1208 
WARNING:test:test/helper/tpm_writeekcert.c:96:main() Define NV cert with nv index: 1c0000a 
Execute the test script
info:test:test/integration/main-fapi.c:413:init_fapi() Using config:
{
     "profile_name": "P_ECC",
     "profile_dir": "./test/data/fapi/",
     "user_dir": "/tmp/fapi_tmpdir.MIaDIf/user/dir",
     "system_dir": "/tmp/fapi_tmpdir.MIaDIf/system_dir",
     "system_pcrs" : [],
     "log_dir" : "/tmp/fapi_tmpdir.MIaDIf",
     "tcti": "swtpm:host=127.0.0.1,port=1950",
} 
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /tmp/fapi_tmpdir.MIaDIf/user/dir does not exist, creating 
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /tmp/fapi_tmpdir.MIaDIf/system_dir/policy does not exist, creating 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:885:Fapi_Provision_Finish() ErrorCode (0x00060025) No EK certificate found. 
ERROR:esys:src/tss2-esys/esys_iutil.c:395:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (ff). 
ERROR:esys:src/tss2-esys/esys_iutil.c:1178:esys_GetResourceObject() Unknown ESYS handle. ErrorCode (0x0007000b) 
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:138:Esys_FlushContext_Async() flushHandle unknown. ErrorCode (0x0007000b) 
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x0007000b) 
ERROR:fapi:src/tss2-fapi/fapi_util.c:1199:ifapi_session_clean() Cleanup session failed. 
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:174:Fapi_Provision() ErrorCode (0x00060025) Provision 
ERROR:test:test/integration/fapi-get-random.int.c:47:test_fapi_get_random() Error Fapi_Provision ErrorCode (0x00060025) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Delete.c:405:Fapi_Delete_Async() ErrorCode (0x00060034) FAPI not provisioned. 
ERROR:fapi:src/tss2-fapi/api/Fapi_Delete.c:313:Fapi_Delete() ErrorCode (0x00060034) Entity_Delete 
info:test:test/integration/main-fapi.c:504:main() Test returned 1 
Script returned 1
FAIL test/integration/dlopen-fapi-get-random.fint (exit status: 1)

@JuergenReppSIT
Copy link
Member

I have also found out why the tests are failing, libressl doesn't have openssl x590 -force_pubkey. I pushed a second commit which is a hack to remove this, but perhaps as expected it still fails.

you could use the configure option --disable-self-generated-certificate if libressl is used to avoid this error.

@orbea
Copy link
Contributor Author

orbea commented Apr 14, 2023

Actually I didn't notice earlier that starting with 4.0.0 two new tests were added which fail even with --disable-self-generated-certificate.

FAIL: test/integration/fapi-provisioning-with-template.fint
FAIL: test/integration/fapi-provisioning-with-template-rsa.fint

Looking at the log it shows they also use create_ca.sh which fails because the certs weren't created, should they be changed to only run with --enable-self-generated-certificate?

I confirmed that this started in commit 37bb561.

@JuergenReppSIT
Copy link
Member

There is already a fix that is currently in pr jam: #2585

@JuergenReppSIT
Copy link
Member

@orbea since this is a draft pr you could temporally cherry pick the fix to see whether all tests in the ci are ok.

@orbea orbea force-pushed the libressl branch 2 times, most recently from 420a9d8 to e15a7cb Compare April 14, 2023 23:18
@orbea
Copy link
Contributor Author

orbea commented Apr 14, 2023

CI fails on a new test.

FAIL: test/unit/fapi-get-intl-cert

Perhaps its a problem exposed by the build config or maybe by using a now older LibreSSL version. I currently have 3.7.2 installed locally.

@JuergenReppSIT
Copy link
Member

JuergenReppSIT commented Apr 15, 2023

Perhaps its a problem exposed by the build config or maybe by using a now older LibreSSL version. I currently have 3.7.2 installed locally.

The seems to be a problem with curl which uses openssl and libasan (docker image from github):

program received signal SIGSEGV, Segmentation fault.
0x00007fcfef50a54b in __interceptor_strcmp.part.0 () from /lib64/libasan.so.6

#0  0x00007fcfef50a54b in __interceptor_strcmp.part.0 () from /lib64/libasan.so.6
#1  0x00007fcfedfc124c in getrn	(lh=lh@entry=0x60f000000220, data=data@entry=0x6030000145f0, rhash=rhash@entry=0x7ffc58cb4448) at lhash/lhash.c:396
#2  0x00007fcfedfc1450 in lh_insert (lh=0x60f000000220, data=0x6030000145f0) at lhash/lhash.c:169
#3  0x00007fcfedfc6755 in OBJ_NAME_add (name=0x0, type=2, data=0x7fcfecdce9a0 "c\004") at objects/o_names.c:184
#4  0x00007fcfece260c2 in ossl_init_ssl_base_ossl_.lto_priv () from /lib64/libssl.so.1.1
#5  0x00007fcfede76ca8 in __pthread_once_slow () from /lib64/libpthread.so.0
#6  0x00007fcfecc84c7d in CRYPTO_THREAD_run_once () from /lib64/libcrypto.so.1.1
#7  0x00007fcfece2a3ab in OPENSSL_init_ssl () from /lib64/libssl.so.1.1
#8  0x00007fcfee1301a7 in ossl_init.lto_priv () from /lib64/libcurl.so.4
#9  0x00007fcfee0de729 in global_init.part () from /lib64/libcurl.so.4
#10 0x00007fcfee0dfecc in curl_easy_init () from /lib64/libcurl.so.4
#11 0x0000000000407187 in base64_encode	(buffer=0x603000000100 "\237d\247G\341\271\177\023\037\253\266\264G)l\233o\002\001\305\065nlw\350\233j\200j\002\021") at ../src/tss2-
fapi/ifapi_get_intl_cert.c:179
#12 0x0000000000407b7b in ifapi_get_intl_ek_certificate	(context=0x62e000000400, ek_public=0x507700 <eccPublic>, cert_buffer=0x7ffc58cb47e0, cert_size=0x7ffc58cb4800) at ../
src/tss2-fapi/ifapi_get_intl_cert.c:329

also without --enable-code-coverage the error occurs:

0  0x00007f6608a27c8e in __strcmp_avx2 () from /lib64/libc.so.6
#1  0x00007f6608c0924c in getrn	(lh=lh@entry=0x173bef0, data=data@entry=0x1747970, rhash=rhash@entry=0x7ffe6370e3c8) at lhash/lhash.c:396
#2  0x00007f6608c09450 in lh_insert (lh=0x173bef0, data=0x1747970) at lhash/lhash.c:169
#3  0x00007f6608c0e755 in OBJ_NAME_add (name=0x0, type=2, data=0x7f66087119a0 "c\004") at objects/o_names.c:184
#4  0x00007f66087690c2 in ossl_init_ssl_base_ossl_.lto_priv () from /lib64/libssl.so.1.1
#5  0x00007f6608ac0ca8 in __pthread_once_slow () from /lib64/libpthread.so.0
#6  0x00007f66085c7c7d in CRYPTO_THREAD_run_once () from /lib64/libcrypto.so.1.1
#7  0x00007f660876d3ab in OPENSSL_init_ssl () from /lib64/libssl.so.1.1
#8  0x00007f6608d781a7 in ossl_init.lto_priv () from /lib64/libcurl.so.4
#9  0x00007f6608d26729 in global_init.part () from /lib64/libcurl.so.4
#10 0x00007f6608d27ecc in curl_easy_init () from /lib64/libcurl.so.4
#11 0x0000000000405a8a in base64_encode (buffer=0x17369b0 "\237d\247G\341\271\177\023\037\253\266\264G)l\233o\002\001\305\065nlw\350\233j\200j") at ../src/tss2-fapi/ifapi_ge
t_intl_cert.c:179
#12 0x0000000000405e6b in ifapi_get_intl_ek_certificate	(context=0x172b230, ek_public=0x4425c0 <eccPublic>, cert_buffer=0x7ffe6370e650, cert_size=0x7ffe6370e658) at ../src/t
ss2-fapi/ifapi_get_intl_cert.c:329
#13 0x0000000000404e03 in check_get_intl_cert_ok (state=0x172ad90) at ../test/unit/fapi-get-intl-cert.c:180

@orbea
Copy link
Contributor Author

orbea commented Apr 15, 2023

As pointed out in my LibreSSL issue (libressl/portable#840 (comment)) RAND_set_rand_method() and RAND_OpenSSL() are both deprecated in OpenSSL >= 3.0. Additionally RAND_set_rand_method() is only there for compatibility and is not functional in LibreSSL as explained in their man page.

They are kept for ABI compatibility but are no longer functional, and should not be used in new programs.

Probably the best solution is to just hide it with LibreSSL or if possible entirely replace or remove it.

For the tests I will have to try this with asan and see if I can reproduce any of these failures.

@orbea
Copy link
Contributor Author

orbea commented Apr 17, 2023

I am having trouble running the tests with asan where they all fail with.

==15155==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
FAIL test/unit/CommonPreparePrologue (exit status: 1)

However this seems restricted to tpm2-tss where asan does work in other projects and example programs I have tried.

JuergenReppSIT and others added 3 commits April 20, 2023 07:11
… is available.

If the configure option --enable-self-generated-certificate is not used this
test can't be executed because no certificate will be stored in NV ram. The
test will be skipped if no certificate is available.
Fixes: tpm2-software#2558

Signed-off-by: Juergen Repp <[email protected]>
This works with LibreSSL 3.5.x.

Missing in LibreSSL:

* RAND_OpenSSL (Deprecated in OpenSSL >= 3.0)
* NID_sm2

Signed-off-by: orbea <[email protected]>
@codecov
Copy link

codecov bot commented Apr 23, 2023

Codecov Report

Merging #2380 (d5bac43) into master (56d9030) will decrease coverage by 1.03%.
The diff coverage is n/a.

❗ Current head d5bac43 differs from pull request most recent head d8d605d. Consider uploading reports for the commit d8d605d to get more accurate results

@@            Coverage Diff             @@
##           master    #2380      +/-   ##
==========================================
- Coverage   83.61%   82.58%   -1.03%     
==========================================
  Files         363      363              
  Lines       41686    41682       -4     
==========================================
- Hits        34855    34423     -432     
- Misses       6831     7259     +428     
Impacted Files Coverage Δ
src/tss2-esys/esys_crypto_ossl.c 75.90% <ø> (-0.11%) ⬇️
src/tss2-fapi/fapi_crypto.c 65.89% <ø> (-13.46%) ⬇️

... and 5 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants