openssl: Test 80-test_cmp_http fails at alpha17 on NonStop x86/ia64

This is a net-new failure compared with alpha16. Virtually every sub-test fails in this test. What information is needed to further investigate? An example:

# ------------------------------------------------------------------------------
    #   Failed test 'p10cr csr non-existing file'
    #   at test/recipes/80-test_cmp_http.t line 147.
Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
Unable to load PKCS#10 CSR
error: unable to load PKCS#10 CSR from file 'empty.txt'
cmp_main:/home/ituglib/randall/openssl-3.0/apps/cmp.c:2778:CMP error: cannot set up CMP context
# cmp_main:/home/ituglib/randall/openssl-3.0/apps/cmp.c:2602:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf'
# opt_str:/home/ituglib/randall/openssl-3.0/apps/cmp.c:2203:CMP warning: -proxy option argument is empty string, resetting option
# setup_request_ctx:/home/ituglib/randall/openssl-3.0/apps/cmp.c:1488:CMP warning: -subject option is ignored for commands other than 'ir', 'cr', and 'kur' since -ref or -cert is given
# setup_request_ctx:/home/ituglib/randall/openssl-3.0/apps/cmp.c:1500:CMP warning: -policies option is ignored for commands other than 'ir', 'cr', and 'kur'
# setup_request_ctx:/home/ituglib/randall/openssl-3.0/apps/cmp.c:1536:CMP warning: -newkeytype option is ignored for 'p10cr' and 'rr' commands
# setup_request_ctx:/home/ituglib/randall/openssl-3.0/apps/cmp.c:1538:CMP warning: -newkey option is ignored for 'p10cr' and 'rr' commands
../../../../util/wrap.pl ../../../../apps/openssl cmp -server '127.0.0.1:61432' -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd p10cr -newkey new.key -newkeypass 'pass:' -certout ../../../../test-runs/test_cmp_http/test.certout_p10cr4.pem -out_trusted root.crt -csr empty.txt => 255

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 121 (120 by maintainers)

Commits related to this issue

Most upvoted comments

Good news from NonStop ia64:

80-test_cmp_http.t .. ok   d=1291845692
All tests successful.
Files=1, Tests=5, 191 wallclock secs ( 0.62 usr  0.00 sys + 54.22 cusr  1.88 csys = 56.73 CPU)
Result: PASS
+1
rsbeckerca on May 26, 2021

Anyway, it is already clear from the successful positive test cases that the fix I did to acpt_state() was sufficient. So I removed the exclusion of nonstop-nse from 80-test_cmp_http.t and my tentative documentation of apparent bugs in NonStop ia64.

Actually, NonStop is correct here but 80-test_cmp_http.t and acpt_state() in OpenSSL were wrong. Thanks a lot @rsbeckerca for helping to find this out!

+1
DDvO on May 27, 2021

Thanks @DDvO. #15417 appears to work for cmp. I am doing a full rebuild and trying 80-test_cmp_http.t without the NonStop ia64 restriction. Will report back shortly.

+1
rsbeckerca on May 25, 2021

Thanks @DDvO . I will try the latest version. By the way, my comment was deleted by myself. I noticed the text formatting was bad, so deleted it.

+1
Cassielcc on May 25, 2021

Which information do you need specifically? Would adding BIO_set_accept_ip_family(bio, BIO_FAMILY_IPV4) be a viable workaround?

Something like that, I guess. I don’t know the BIO code well enough. What git and OpenSSH do (apparently) is try AF_INET6 first, and if it fails with address family, tries AF_INET.

In other words, you propose that OpenSSL should not stick to AF_INET6 in case getaddrinfo happens to choose this when called with AF_UNSPEC?

Again, please try adding BIO_set_accept_ip_family(acbio, BIO_FAMILY_IPV4) before BIO_set_accept_port(acbio, port) in apps/lib/http_server.c to confirm that the test server would work if directed to use IPv4.

Result good:

ACCEPT 0.0.0.0:13024
+1
rsbeckerca on May 24, 2021

You can find out if it’s the new code within the test server or the Perl script by

cd test/recipes/80-test_cmp_http_data/Mock && LD_LIBRARY_PATH=../../../.. ../../../../apps/openssl cmp -config server.cnf

which should give something like

cmp_main:apps/cmp.c:2679:CMP info: using section(s) 'cmp' of OpenSSL configuration file 'server.cnf'
ACCEPT 0.0.0.0:41175

In progress. I have to rebuild first.

+1
rsbeckerca on May 21, 2021

While not architecture dependent, it is an older version and has some… uh… ugly bits interactions as we have seen before. That and I’m not going to get any fixes for that particular perl no matter how much begging and pleading nor a new version on ia64 - it’s pretty much done.

Sorry to hear.

+1
DDvO on May 21, 2021

These remaining failures are not due to BIO_set_accept_port(bio, "0") - that is used only at the test server side. Note that the client says: will contact http://127.0.0.1:80/pkix/

At the moment I have no idea where they come from, neither where the hang after them comes from. Strange that for NonStop ia64 the tests now work as expected, but not for x86.

Actually the reverse. ia64 hangs but not x86. That’s working. It’s a newer OS.

+1
rsbeckerca on May 21, 2021

Excellent - thanks 👍 This confirms that the fix was sufficient and even the tests using invalid port numbers went fine 😄

+1
DDvO on May 21, 2021

@DDvO note to self: turn off github notification sounds at night.

+1
rsbeckerca on May 21, 2021

Ah, the problem is in my test/recipes/80-test_cmp_http.t:

        my $OK = $actual_exit == $expected_exit;

and the fact that in the *.csv files expected failure is coded as 1, which does not hold for NonStop. I’ll re-work those.

+1
DDvO on May 21, 2021
Read more comments on GitHub
← openssl: Test 30-test_evp_extra broken on master and 3.1 on NonStop platforms
openssl: Test 80-test_cmp_http fails at alpha17 on NonStop x86/ia64 (round 2) →