From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Tue, 15 Oct 2024 10:37:52 +0000 (+0200)
Subject: work around oqsprovider out-of-source build bug
X-Git-Tag: openssl-3.5.0-alpha1~977
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1886edf4bffef7663eb5bb4bee43d0232d8b68d;p=thirdparty%2Fopenssl.git
work around oqsprovider out-of-source build bug
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/25702)
---
diff --git a/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh b/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh
new file mode 100755
index 00000000000..987c0b12fd7
--- /dev/null
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Use newly built oqsprovider to save PKCS#12 files from keys and
+# and certificates files generated using alg $1.
+# Assumed oqsprovider-certgen.sh to have run before for same algorithm
+
+set -e
+set -x
+
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 . Exiting."
+ exit 1
+fi
+
+echo "oqsprovider-pkcs12gen.sh commencing..."
+
+if [ -z "$OPENSSL_APP" ]; then
+ echo "OPENSSL_APP env var not set. Exiting."
+ exit 1
+fi
+
+if [ -z "$OPENSSL_MODULES" ]; then
+ echo "Warning: OPENSSL_MODULES env var not set."
+fi
+
+if [ -z "$OPENSSL_CONF" ]; then
+ echo "OPENSSL_CONF env var not set. Exiting."
+ exit 1
+fi
+
+# Set OSX DYLD_LIBRARY_PATH if not already externally set
+if [ -z "$DYLD_LIBRARY_PATH" ]; then
+ export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
+fi
+
+# Assumes certgen has been run before: Quick check
+if [[ -f tmp/$1_CA.crt && -f tmp/$1_CA.key ]]; then
+ echo "Key and certificate using $1 found."
+else
+ echo "File tmp/$1_CA.crt and/or tmp/$1_CA.key not found. Did certgen run before? Exiting."
+ exit -1
+fi
+
+echo "Generating PKCS#12 files..."
+
+# pkcs12 test:
+$OPENSSL_APP pkcs12 -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_1.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_1.p12 ]; then
+ echo "PKCS#12 generation with oqsprovider enabled failed."
+ exit 1
+fi
+
+# Generate config file with oqsprovider disabled
+sed -e 's/^oqsprovider/# oqsprovider/' $OPENSSL_CONF > tmp/openssl-ca-no-oqsprovider.cnf
+
+# This print an error but OpenSSL returns 0 and .p12 file is generated correctly
+OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf $OPENSSL_APP pkcs12 -provider default -provider oqsprovider -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_2.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_2.p12 ]; then
+ echo "PKCS#12 generation with oqsprovider disabled failed."
+ exit 1
+fi
+
+if [ $(cat tmp/$1_srv_1.p12 | $OPENSSL_APP sha256) -neq $(cat tmp/$1_srv_2.p12 | $OPENSSL_APP sha256) ]; then
+ echo "PKCS#12 files differ when oqsprovider is enabled or not."
+ exit 1
+fi
diff --git a/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
index ad4b20df45b..bcbc6983f02 100755
--- a/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
@@ -46,13 +46,13 @@ echo " OpenSSL version: $OPENSSL_VERSION" echo "------------------------------------------------------------------" if [ ! -d $SRCTOP/oqs-provider/.local ]; then -# this version of oqsprovider dependent on v0.10.0 of liboqs, so set this; +# this version of oqsprovider dependent on v0.11.0 of liboqs, so set this; # also be sure to use this openssl for liboqs-internal OpenSSL use; # see all libops config options listed at # https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs ( cd $SRCTOP/oqs-provider \ - && git clone --depth 1 --branch 0.10.0 https://github.com/open-quantum-safe/liboqs.git \ + && git clone --depth 1 --branch 0.11.0 https://github.com/open-quantum-safe/liboqs.git \ && cd liboqs \ && mkdir build \ && cd build \
@@ -71,4 +71,6 @@ export OPENSSL_MODULES=$PWD/_build/lib
 export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider/scripts
 export OPENSSL_CONF=$OQS_PROVIDER_TESTSCRIPTS/openssl-ca.cnf
 # Be verbose if harness is verbose:
+# Fixup for oqsprovider release snafu:
+cp $SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh $SRCTOP/oqs-provider/scripts/
 $SRCTOP/oqs-provider/scripts/runtests.sh -V
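Review bot: The last check in the new oqsprovider-pkcs12gen.sh cannot fail, because `-neq` is not a `[` operator and the unquoted `openssl sha256` output splits into several words, so `[` returns an error status that the `if` treats as false even under `set -e`. A working form would be `if [ "$($OPENSSL_APP sha256 < "tmp/$1_srv_1.p12")" != "$($OPENSSL_APP sha256 < "tmp/$1_srv_2.p12")" ]; then`. Before enabling it, confirm that byte-identical output is really expected: `pkcs12 -export` normally uses fresh random salts, so two exports of the same key and certificate would probably hash differently and the test may need to compare parsed contents instead. Separately, with `set -e` at the top the `$? -ne 0` halves of the two earlier guards are never reached on failure, and `exit -1` is better written `exit 1`.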
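Review bot: The `cp` added at the end of oqsprovider.sh is unquoted and its result is not tied to the `runtests.sh` call that follows, so if the copy fails (or `$SRCTOP` contains whitespace) the suite would run with whatever `oqsprovider-pkcs12gen.sh` the oqs-provider checkout ships, unless `set -e` is active earlier in the script, which is outside the hunk. I would write `cp "$SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh" "$SRCTOP/oqs-provider/scripts/" || exit 1`. The comment `# Fixup for oqsprovider release snafu:` should also say which oqs-provider release or upstream issue is being overridden, so the copy, which leaves the oqs-provider work tree modified, can be dropped once upstream is fixed.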