From: Tobias Brunner
Date: Fri, 14 Apr 2023 07:30:35 +0000 (+0200)
Subject: Use Botan 3.1.1 for tests
X-Git-Tag: android-2.4.2~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36b1a6d76c1bc0d3bd1e3e7c04e89817c8b953e4;p=thirdparty%2Fstrongswan.git

Use Botan 3.1.1 for tests

The all-zero Ed25519 public key is rejected by botan_pubkey_check_key() when the key is loaded. Note that Botan 3 requires GCC 11 or CLANG 14, i.e. can't easily be built on Debian bullseye or Ubuntu 20.04. The thread-local storage function gets flagged via various botan FFI functions when using Botan 3, whitelist that instead of all of them.
---
diff --git a/scripts/test.sh b/scripts/test.sh
index 2fd5cd09d2..ea0db8ad79 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -4,7 +4,7 @@
 build_botan()
 {
 # same revision used in the build recipe of the testing environment
- BOTAN_REV=2.19.3
+ BOTAN_REV=3.1.1
 BOTAN_DIR=$DEPS_BUILD_DIR/botan
 if test -d "$BOTAN_DIR"; then
@@ -246,6 +246,10 @@ all|codeql|coverage|sonarcloud|no-dbg)
 --disable-python-eggs-install"
 # not enabled on the build server
 CONFIG="$CONFIG --disable-af-alg"
+ # unable to build Botan on Ubuntu 20.04
+ if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
+ CONFIG="$CONFIG --disable-botan"
+ fi
 if test "$TEST" != "coverage"; then
 CONFIG="$CONFIG --disable-coverage"
 else
@@ -259,7 +263,9 @@ all|codeql|coverage|sonarcloud|no-dbg)
 libselinux1-dev libiptc-dev"
 PYDEPS="tox"
 if test "$1" = "build-deps"; then
- build_botan
+ if [ "$ID" = "ubuntu" -a "$VERSION_ID" != "20.04" ]; then
+ build_botan
+ fi
 build_wolfssl
 build_tss2
 fi
diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c
index c90a5a39e7..ea585a4692 100644
--- a/src/libstrongswan/tests/suites/test_ed25519.c
+++ b/src/libstrongswan/tests/suites/test_ed25519.c
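Review bot: In scripts/test.sh the two new distribution checks are not complements of each other: the `@@ -246` hunk adds `--disable-botan` only when `ID` is `ubuntu` and `VERSION_ID` is `20.04`, while the `@@ -259` hunk calls `build_botan` only when `ID` is `ubuntu` and the version differs. If this branch ever runs with another `ID`, or with the variables unset (where they are set is outside the hunks), the botan plugin stays enabled but the pinned `BOTAN_REV` is never built, so the build fails or links against whatever Botan the system happens to provide. Guarding the build with the exact negation keeps the two in step: `if [ "$ID" != "ubuntu" ] || [ "$VERSION_ID" != "20.04" ]; then`. As a point of style, `-a` inside `[` is marked obsolescent by POSIX, and the rest of the file uses `test`, so two `test` calls joined with `&&` would fit better. The enclosing case branch starts and ends outside both hunks.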
@@ -559,10 +559,12 @@ START_TEST(test_ed25519_fail)
 pubkey->destroy(pubkey);
 pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519, BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
- ck_assert(pubkey != NULL);
- ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
- sig));
- pubkey->destroy(pubkey);
+ if (pubkey)
+ {
+ ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
+ sig));
+ pubkey->destroy(pubkey);
+ }
 }
 END_TEST
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 437eddab7d..cc7d504c3a 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -542,6 +542,8 @@ static char *whitelist[] = {
 "_IO_file_doallocate",
 "selinux_check_access",
 "on_exit",
+ /* glibc thread-local storage triggered primarily by Botan */
+ "__tls_get_addr",
 /* ignore dlopen, as we do not dlclose to get proper leak reports */
 "dlopen",
 "dlerror",
@@ -668,6 +670,7 @@ static char *whitelist[] = {
 "botan_kdf",
 /* C++ due to Botan */
 "__cxa_get_globals",
+ "__cxa_thread_atexit",
 };
 /**
diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk
index 7c2d23b984..315878c125 100644
--- a/testing/scripts/recipes/011_botan.mk
+++ b/testing/scripts/recipes/011_botan.mk
@@ -2,7 +2,7 @@
 PKG = botan
 SRC = https://github.com/randombit/$(PKG).git
-REV = 2.19.3
+REV = 3.1.1
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
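Review bot: The new `if (pubkey)` in test_ed25519_fail accepts two different outcomes for the all-zero public key without saying why. A reader cannot tell that a NULL result is the stricter, expected behaviour of some backends rather than a check that was silently skipped. A comment directly above the branch would record the intent, for example `/* the all-zero key is either rejected when loaded (e.g. by Botan 3) or must fail to verify */`. The test body starts outside the hunk.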
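Review bot: `__tls_get_addr`, added to the whitelist in the `@@ -542` hunk of leak_detective.c, is a glibc symbol rather than a Botan one. The entry therefore presumably hides thread-local storage allocations made on behalf of any library, not only those reached through the Botan FFI; how the whitelist is matched against backtraces is outside the hunk. The comment should state that scope so the trade-off is visible to whoever next investigates a leak, for example `/* glibc thread-local storage; hides TLS allocations of all libraries, seen primarily with Botan 3 */`. The array definition starts outside this hunk.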