commit f205f116 broke tests #318

Closed
mouse07410 opened this issue Dec 15, 2023 · 9 comments
Labels
bug Something isn't working

Comments

@mouse07410
Contributor

Describe the bug

Version information:
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
    build info: 3.2.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)

Known providers:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.3-dev
    status: active
Known signature algorithms:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  HMAC @ default
  SIPHASH @ default
  POLY1305 @ default
  CMAC @ default
  { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  { 1.3.101.112, ED25519 } @ default
  { 1.3.101.113, ED448 } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
  ECDSA @ default
  rsa3072_falcon512 @ oqsprovider
  falcon1024 @ oqsprovider
  p521_falcon1024 @ oqsprovider
  sphincssha2128fsimple @ oqsprovider
  p256_sphincssha2128fsimple @ oqsprovider
  rsa3072_sphincssha2128fsimple @ oqsprovider
  sphincssha2128ssimple @ oqsprovider
  p256_sphincssha2128ssimple @ oqsprovider
  rsa3072_sphincssha2128ssimple @ oqsprovider
  sphincssha2192fsimple @ oqsprovider
  p384_sphincssha2192fsimple @ oqsprovider
  sphincsshake128fsimple @ oqsprovider
  p256_sphincsshake128fsimple @ oqsprovider
  rsa3072_sphincsshake128fsimple @ oqsprovider
  dilithium2 @ oqsprovider
  p256_dilithium2 @ oqsprovider
  rsa3072_dilithium2 @ oqsprovider
  dilithium3 @ oqsprovider
  p384_dilithium3 @ oqsprovider
  dilithium5 @ oqsprovider
  p521_dilithium5 @ oqsprovider
  falcon512 @ oqsprovider
  p256_falcon512 @ oqsprovider

Cert gen/verify, CMS sign/verify, CA tests for all enabled OQS signature algorithms commencing: 
.Algorithm rsa3072_falcon512 not enabled. Exit testing.

To Reproduce
Steps to reproduce the behavior:

  1. Clone and build.
  2. Observe the above.

Expected behavior

OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
    build info: 3.2.0
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.3-dev
    status: active
    build info: OQS Provider v.0.5.3-dev (58ba840) based on liboqs v.0.10.0-dev
    gettable provider parameters:
      name: pointer to a UTF8 encoded string (arbitrary size)
      version: pointer to a UTF8 encoded string (arbitrary size)
      buildinfo: pointer to a UTF8 encoded string (arbitrary size)
      status: integer (arbitrary size)

Known providers:
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.5.3-dev
    status: active
Known signature algorithms:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  HMAC @ default
  SIPHASH @ default
  POLY1305 @ default
  CMAC @ default
  { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  { 1.3.101.112, ED25519 } @ default
  { 1.3.101.113, ED448 } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
  ECDSA @ default
  rsa3072_falcon512 @ oqsprovider
  falcon1024 @ oqsprovider
  p521_falcon1024 @ oqsprovider
  sphincssha2128fsimple @ oqsprovider
  p256_sphincssha2128fsimple @ oqsprovider
  rsa3072_sphincssha2128fsimple @ oqsprovider
  sphincssha2128ssimple @ oqsprovider
  p256_sphincssha2128ssimple @ oqsprovider
  rsa3072_sphincssha2128ssimple @ oqsprovider
  sphincssha2192fsimple @ oqsprovider
  p384_sphincssha2192fsimple @ oqsprovider
  sphincsshake128fsimple @ oqsprovider
  p256_sphincsshake128fsimple @ oqsprovider
  rsa3072_sphincsshake128fsimple @ oqsprovider
  dilithium2 @ oqsprovider
  p256_dilithium2 @ oqsprovider
  rsa3072_dilithium2 @ oqsprovider
  dilithium3 @ oqsprovider
  p384_dilithium3 @ oqsprovider
  dilithium5 @ oqsprovider
  p521_dilithium5 @ oqsprovider
  falcon512 @ oqsprovider
  p256_falcon512 @ oqsprovider

Cert gen/verify, CMS sign/verify, CA tests for all enabled OQS signature algorithms commencing: 
.......................
External interop tests commencing
Using Web proxy "http://llproxy.llan.ll.mit.edu:8080"
 Cloudflare:
kex=X25519Kyber768Draft00
kex=X25519Kyber512Draft00
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/5 Test #1: oqs_signatures ...................   Passed    2.36 sec
    Start 2: oqs_kems
2/5 Test #2: oqs_kems .........................   Passed    0.31 sec
    Start 3: oqs_groups
3/5 Test #3: oqs_groups .......................   Passed    0.40 sec
    Start 4: oqs_tlssig
4/5 Test #4: oqs_tlssig .......................   Passed    1.61 sec
    Start 5: oqs_endecode
5/5 Test #5: oqs_endecode .....................   Passed    4.90 sec

100% tests passed, 0 tests failed out of 5

Total Test time (real) =   9.58 sec

Environment (please complete the following information):

  • OS: macOS Sonoma 14.2
  • OpenSSL 3.2.0
  • oqsprovider 0.5.3-dev

Please run the following commands to obtain the version information:

$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.0
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.2.0
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.2.0
    status: active
  oqs
    name: OpenSSL OQS Provider
    version: 0.5.3-dev
    status: active
  pkcs11
    name: PKCS#11 Provider
    version: 3.2.0
    status: active
$ 

Note: OQS provider is installed system-wide under the name "oqs". It's more convenient for me this way.

Additional context
git revert f205f116 alleviated the problems, and restored pristine nice working build with all tests passing.

@mouse07410 mouse07410 added the bug Something isn't working label Dec 15, 2023
@baentsch
Member

> git revert f205f11 alleviated the problems, and restored pristine nice working build with all tests passing.

Upps -- @thb-sb do you have a machine with the above config to look into this?

@mouse07410
Contributor Author

May I suggest reverting f205f11 in the meanwhile? Especially since usefulness of this change IMHO is dubious?

@baentsch
Member

> May I suggest reverting f205f11 in the meanwhile? Especially since usefulness of this change IMHO is dubious?

It also caused problems in the latest release process. @mouse07410 Would you please confirm or deny that that (pre)release would work for you? Same question to @beldmit. I'd withdraw it if it doesn't integrate well. I would welcome CI tests checking your setups in that case though.

@mouse07410
Contributor Author

mouse07410 commented Dec 25, 2023

> Would you please confirm or deny that that (pre)release would work for you?

What is "that" pre-release?

I confirm that with commit f205f11 this provider fails the tests, and when I revert it, things work again 100%. What else would you like confirmed?

> I'd withdraw it if it doesn't integrate well

I don't maintain a fork of this repo, but on all of my machines, the cloned source tree has this commit removed/reverted, and all tests pass, including the over-the-firewall KEX with Cloudflare. With that commit present, none of my machines passes the tests. Would that count for "doesn't integrate well"?

I can't dictate to you what to do, of course - but the common sense seems to suggest that it's useless to keep a change that contributes nothing functionality-wise, and breaks at least some setups.

> I would welcome CI tests checking your setups in that case though

I don't run CI, and don't see anything special about my setup, except:

  • majority of my machines are behind a corporate firewall, which (among other things) means that you can't just HTTP/HTTPS to wherever you want without being blocked - you need to either respect and use HTTP_PROXY/HTTPS_PROXY env vars, or use other proxy-aware mechanisms;
  • my OS is MacOS, which shouldn't have any effect - but who knows;
  • all of my machines have system-wide OpenSSL binaries installed in /opt/local (to be more specific, /opt/local/libexec/openssl3/ contains all the OpenSSL stuff, with libraries symlinked to /opt/local/lib/, executable - to /opt/local/bin/, and content of /opt/local/libexec/openssl3/lib/ossl-modules/ - to /opt/local/lib/ossl-modules/), and user-installed development version of OpenSSL with binaries in $HOME/openssl-3/ and sources in $HOME/src/openssl/.

As I said, my setup works perfectly with your current main as long as that offending commit f205f11 is reverted.

@baentsch
Member

> What is "that" pre-release?

https://github.com/open-quantum-safe/oqs-provider/releases/tag/0.5.3

> I confirm that with commit f205f11 this provider fails the tests, and when I revert it, things work again 100%. What else would you like confirmed?

Nothing. Any disagreement to revert #314, @thb-sb ?

@mouse07410
Contributor Author

> https://github.com/open-quantum-safe/oqs-provider/releases/tag/0.5.3

Does it differ from the current main? Because I'm tracking only main, not the individual tags...

@baentsch
Member

> https://github.com/open-quantum-safe/oqs-provider/releases/tag/0.5.3
>
> Does it differ from the current main? Because I'm tracking only main, not the individual tags...

No.

@mouse07410
Contributor Author

In that case, as I said - main works for me without #314, and fails with it.

@baentsch
Member

Resolved by #325
