Use Botan 3.1.1 for tests
authorTobias Brunner <tobias@strongswan.org>
Fri, 14 Apr 2023 07:30:35 +0000 (09:30 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 26 Jul 2023 11:09:22 +0000 (13:09 +0200)
The all-zero Ed25519 public key is rejected by botan_pubkey_check_key()
when the key is loaded.

Note that Botan 3 requires GCC 11 or CLANG 14, i.e. can't easily be built
on Debian bullseye or Ubuntu 20.04.

The thread-local storage function gets flagged via various botan FFI
functions when using Botan 3, whitelist that instead of all of them.

scripts/test.sh
src/libstrongswan/tests/suites/test_ed25519.c
src/libstrongswan/utils/leak_detective.c
testing/scripts/recipes/011_botan.mk

index 2fd5cd09d23817976c9b0664e92646e0027eac14..ea0db8ad7971e97b013f917c794c87577159a330 100755 (executable)
@@ -4,7 +4,7 @@
 build_botan()
 {
        # same revision used in the build recipe of the testing environment
-       BOTAN_REV=2.19.3
+       BOTAN_REV=3.1.1
        BOTAN_DIR=$DEPS_BUILD_DIR/botan
 
        if test -d "$BOTAN_DIR"; then
@@ -246,6 +246,10 @@ all|codeql|coverage|sonarcloud|no-dbg)
                        --disable-python-eggs-install"
        # not enabled on the build server
        CONFIG="$CONFIG --disable-af-alg"
+       # unable to build Botan on Ubuntu 20.04
+       if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
+               CONFIG="$CONFIG --disable-botan"
+       fi
        if test "$TEST" != "coverage"; then
                CONFIG="$CONFIG --disable-coverage"
        else
@@ -259,7 +263,9 @@ all|codeql|coverage|sonarcloud|no-dbg)
                  libselinux1-dev libiptc-dev"
        PYDEPS="tox"
        if test "$1" = "build-deps"; then
-               build_botan
+               if [ "$ID" = "ubuntu" -a "$VERSION_ID" != "20.04" ]; then
+                       build_botan
+               fi
                build_wolfssl
                build_tss2
        fi
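Review bot: The new guard around `build_botan` skips the Botan build on every system whose `$ID` is not `ubuntu`, not only on Ubuntu 20.04, while the earlier hunk adds `--disable-botan` for Ubuntu 20.04 alone. On any other distribution, or if `$ID` is unset, the Botan plugin stays enabled without the pinned 3.1.1 build, so configure would presumably either fail or pick up whatever Botan the system provides. Negating the same condition keeps the two in step: `if [ "$ID" != "ubuntu" ] || [ "$VERSION_ID" != "20.04" ]; then`. Where `$ID` and `$VERSION_ID` are set is not visible in the hunk, and the enclosing `case` branch continues beyond it.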
index c90a5a39e7a3676cf66d6930fa2dd92ad7819b79..ea585a46924b7d4bf326f153c7e0a755d9f4c96c 100644 (file)
@@ -559,10 +559,12 @@ START_TEST(test_ed25519_fail)
        pubkey->destroy(pubkey);
        pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
                                        BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
-       ck_assert(pubkey != NULL);
-       ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
-                                                         sig));
-       pubkey->destroy(pubkey);
+       if (pubkey)
+       {
+               ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+                                                                 sig));
+               pubkey->destroy(pubkey);
+       }
 }
 END_TEST
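Review bot: With the `if (pubkey)` guard, the all-zero-key case at the end of `test_ed25519_fail` asserts nothing when the key fails to load, and the code does not say that a NULL result is an accepted outcome rather than a skipped check. A comment above the guard would record the intent, e.g. `/* backends may already reject the all-zero public key when loading it (e.g. Botan 3), otherwise the signature must not verify */`. Both outcomes reject the key, so the check itself is sound. The test body starts before the hunk.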
 
index 437eddab7d7d4662cc75f8c6b5de2fb3c39e358e..cc7d504c3abcc8313414c809ca58f835a1ab1f43 100644 (file)
@@ -542,6 +542,8 @@ static char *whitelist[] = {
        "_IO_file_doallocate",
        "selinux_check_access",
        "on_exit",
+       /* glibc thread-local storage triggered primarily by Botan */
+       "__tls_get_addr",
        /* ignore dlopen, as we do not dlclose to get proper leak reports */
        "dlopen",
        "dlerror",
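Review bot: `__tls_get_addr` is a generic glibc symbol, so this entry is not limited to Botan. Assuming the whitelist is matched against function names in the allocation backtrace, any allocation reached through a thread-local storage access is dropped from the leak report, including ones from strongSwan's own code or other libraries. The comment should state that scope, e.g. `/* glibc thread-local storage; suppresses every allocation made via TLS access, seen mainly with Botan 3 FFI calls */`. The same applies to `"__cxa_thread_atexit"`, added in the later hunk of this array, which the commit message does not mention. The `whitelist` array starts and ends outside this hunk.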
@@ -668,6 +670,7 @@ static char *whitelist[] = {
        "botan_kdf",
        /* C++ due to Botan */
        "__cxa_get_globals",
+       "__cxa_thread_atexit",
 };
 
 /**
index 7c2d23b9842d2ab46857bf8859d5f328d1c46ca4..315878c125486124ccdddea9dac7bffbffc1e2a5 100644 (file)
@@ -2,7 +2,7 @@
 
 PKG = botan
 SRC = https://github.com/randombit/$(PKG).git
-REV = 2.19.3
+REV = 3.1.1
 
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)