openssl: Extended tests are failing due to hard coded pyca test errors

The external pyca tests are currently failing due to hard coded OpenSSL error constants having been included in the tests. Due to recent refactoring a number of error codes have changed (in particular because errors that used to be raised by the EVP sub-lib are now being raised by providers instead).

I can get the pyca tests to pass by applying the following patch/hack:

diff --git a/include/openssl/err.h b/include/openssl/err.h
index 7398029bee..b096717580 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -141,7 +141,10 @@ typedef struct err_state_st {
 # define SM2err(f,r) ERR_PUT_error(ERR_LIB_SM2,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define ESSerr(f,r) ERR_PUT_error(ERR_LIB_ESS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define PROPerr(f,r) ERR_PUT_error(ERR_LIB_PROP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#if 0
 # define PROVerr(f,r) ERR_PUT_error(ERR_LIB_PROV,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#endif
+# define PROVerr(f,r) ERR_PUT_error(ERR_LIB_EVP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 
 # define ERR_PACK(l,f,r) ( \
         (((unsigned int)(l) & 0x0FF) << 24L) | \
diff --git a/providers/common/ciphers/aes.c b/providers/common/ciphers/aes.c
index 8d91ff4804..92b5bfb8d2 100644
--- a/providers/common/ciphers/aes.c
+++ b/providers/common/ciphers/aes.c
@@ -162,7 +162,11 @@ static int aes_block_final(void *vctx, unsigned char *out, size_t *outl,
             *outl = 0;
             return 1;
         } else if (ctx->bufsz != AES_BLOCK_SIZE) {
+#if 0
             PROVerr(PROV_F_AES_BLOCK_FINAL, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+#endif
+            EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,
+                   EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
             return 0;
         }
 
@@ -185,7 +189,11 @@ static int aes_block_final(void *vctx, unsigned char *out, size_t *outl,
             *outl = 0;
             return 1;
         }
+#if 0
         PROVerr(PROV_F_AES_BLOCK_FINAL, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
+#endif
+        EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,
+               EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
         return 0;
     }

This is clearly not the correct solution. I think probably the right answer is for the pyca tests to change to be more accepting of different errors being raised.

Ping @reaperhulk, @alex

About this issue

Original URL
State: open
Created 5 years ago
Comments: 16 (16 by maintainers)

Commits related to this issue

Temporarily disable PYCA external tests [extented tests] Currently [extended tests] fails due to issue #8968 : until that is resolved we should disable the PYCA external tests. — committed to romen/openssl by romen 5 years ago

Most upvoted comments

Checking the library area and the reason code is not uncommon - because reason codes are relative to the library area. So anything that is doing any handling of any error condition to do anything intelligent for the user basically will get caught by a change like this.

The way to “fix” this would be to make all the LIB values the same and make all the REASON codes different.

t-j-h on Jul 23, 2019