Update tests to use OpenSSL legacy provider if OpenSSL 3.0 used

[bukka]

This enables legacy provider when running tests with OpenSSL 3.0 as some old algorithms are used and it would be good to keep the tested. It also makes tests green when running with OpenSSL 3.0 (except maybe when the crypto RHEL policy is selected).

Summary by CodeRabbit

• CI/CD Updates

  • Enhanced Linux build configuration with separate jobs for Ubuntu 20.04 and 24.04
  • Added support for different backend dependencies in CI workflow

• Cryptography Improvements

  • Updated OpenSSL provider loading for compatibility with OpenSSL 3.0+
  • Refined preprocessor directives for OpenSSL configuration

• Build System

  • Updated include paths and compilation flags in test Makefiles
  • Added cryptographic include variables to build configuration

[coderabbitai]

Walkthrough

The pull request introduces enhancements to the continuous integration (CI) workflow and cryptographic test configurations. The changes primarily focus on updating the Linux job definitions in the GitHub Actions workflow, modifying preprocessor directives in cryptographic test files, and adjusting include paths in the Makefile. The modifications aim to improve compatibility with newer versions of OpenSSL, specifically version 3.0.0 and above, by adding provider loading functionality and updating compilation flags.

Changes

File	Change Summary
.github/workflows/ci.yml	- Renamed linux job to linux_ubuntu_20 - Added new linux_ubuntu_24 job - Enhanced job configurations with detailed comments and matrix strategy
src/lib/crypto/test/cryptotest.cpp	- Modified OpenSSL preprocessor directive - Added OpenSSL provider loading for versions 3.0.0+
src/lib/test/Makefile.am	- Updated AM_CPPFLAGS with new include paths - Added @CRYPTO_INCLUDES@ variable
src/lib/test/p11test.cpp	- Added config.h header - Implemented OpenSSL provider loading for versions 3.0.0+

Possibly related PRs

• Add configure option and code to disable OpenSSL engines #781: The changes in the main PR regarding the CI configuration for OpenSSL dependencies are related to the modifications in the configuration options for OpenSSL engines introduced in PR Add configure option and code to disable OpenSSL engines #781, as both involve handling OpenSSL versions and configurations.

Suggested reviewers

• jschlyter

Poem

🐰 In CI's realm of bits and bytes,
Where workflows dance and code takes flight,
Ubuntu's stages, now refined,
With OpenSSL's providers aligned,
A rabbit's build, both swift and bright! 🚀

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/lib/test/p11test.cpp (1)

81-84: Consider refactoring duplicated provider loading code.

This provider loading code is identical to the one in cryptotest.cpp. Consider extracting it to a shared utility function.

Create a new header file (e.g., test_utils.h):

#pragma once

#ifdef WITH_OPENSSL
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x3000000
#include <openssl/provider.h>

inline bool load_openssl_providers() {
    if (!OSSL_PROVIDER_load(NULL, "legacy")) {
        fprintf(stderr, "Failed to load legacy provider\n");
        return false;
    }
    if (!OSSL_PROVIDER_load(NULL, "default")) {
        fprintf(stderr, "Failed to load default provider\n");
        return false;
    }
    return true;
}
#endif
#endif

Then use it in both test files:

#include "test_utils.h"
...
#if defined(WITH_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x3000000
-    OSSL_PROVIDER_load(NULL, "legacy");
-    OSSL_PROVIDER_load(NULL, "default");
+    if (!load_openssl_providers()) {
+        return 1;
+    }
#endif

.github/workflows/ci.yml (1)

Line range hint 37-57: Consider adding OpenSSL version verification.

The Ubuntu 24.04 job looks good but should verify it's using OpenSSL 3.0.

Add version check after the prepare step:

      - name: Prepare
        run: |
          sudo apt update -qq
          sudo apt install libcppunit-dev libbotan-2-dev p11-kit
+      - name: Verify OpenSSL version
+        if: matrix.backend == 'openssl'
+        run: |
+          openssl version | grep -q "OpenSSL 3"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0053e2b and 5041923.

📒 Files selected for processing (4)

• .github/workflows/ci.yml (1 hunks)
• src/lib/crypto/test/cryptotest.cpp (2 hunks)
• src/lib/test/Makefile.am (1 hunks)
• src/lib/test/p11test.cpp (2 hunks)

🔇 Additional comments (5)

src/lib/crypto/test/cryptotest.cpp (2)

47-51: LGTM! Clean preprocessor directive changes.

The simplified #ifdef WITH_OPENSSL achieves the same result as #if defined(WITH_OPENSSL) with cleaner syntax.

---

81-84: Verify provider loading success.

The provider loading looks correct, but we should verify that both providers load successfully.

Add error handling:

#if defined(WITH_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x3000000
-    OSSL_PROVIDER_load(NULL, "legacy");
-    OSSL_PROVIDER_load(NULL, "default");
+    if (!OSSL_PROVIDER_load(NULL, "legacy")) {
+        fprintf(stderr, "Failed to load legacy provider\n");
+        return 1;
+    }
+    if (!OSSL_PROVIDER_load(NULL, "default")) {
+        fprintf(stderr, "Failed to load default provider\n");
+        return 1;
+    }
#endif

src/lib/test/p11test.cpp (1)

48-57: LGTM! Necessary includes for OpenSSL support.

The addition of config.h and OpenSSL headers is required for version checks and provider loading.

src/lib/test/Makefile.am (1)

3-8: LGTM! Necessary include path and crypto flag additions.

The changes correctly add:

1. Access to higher-level includes via -I$(srcdir)/../..
2. Crypto-specific includes via @CRYPTO_INCLUDES@

.github/workflows/ci.yml (1)

11-36: LGTM! Well-structured Ubuntu 20.04 job configuration.

The job is correctly configured to test with OpenSSL 1.1.1 and includes proper error handling by outputting test logs on failure.

[abbra]

@bukka thanks for this PR. You may want to add this patch that further constraints engine support to only openssl 1.x. It is from our Fedora patchset, I adjusted it to this PR.

[bukka]

@abbra I have actually already created another PR to allow configurable disabling of engines and also skipping them if not available: #781

[jschlyter]

#781 is now merged, please rebase and ensure tests are not failing.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

54-54: Consider standardizing error handling between Ubuntu versions.

The CXXFLAGS configuration differs between Ubuntu versions:

• Ubuntu 20.04: -Werror -DBOTAN_NO_DEPRECATED_WARNINGS
• Ubuntu 24.04: -DBOTAN_NO_DEPRECATED_WARNINGS

Consider standardizing the -Werror flag usage across both configurations to maintain consistent error handling.

Also applies to: 28-28

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5041923 and 533ca3e.

📒 Files selected for processing (4)

• .github/workflows/ci.yml (2 hunks)
• src/lib/crypto/test/cryptotest.cpp (2 hunks)
• src/lib/test/Makefile.am (1 hunks)
• src/lib/test/p11test.cpp (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• src/lib/test/p11test.cpp
• src/lib/crypto/test/cryptotest.cpp
• src/lib/test/Makefile.am

⏰ Context from checks skipped due to timeout of 90000ms (9)

• GitHub Check: macOS (botan)
• GitHub Check: Linux (botan)
• GitHub Check: Windows (x86, openssl)
• GitHub Check: Linux (botan)
• GitHub Check: Windows (x64, botan)
• GitHub Check: Linux (openssl)
• GitHub Check: Windows (x64, openssl)
• GitHub Check: Linux (openssl)
• GitHub Check: macOS (openssl)

🔇 Additional comments (2)

.github/workflows/ci.yml (2)

11-13: LGTM! Clear job naming and version documentation.

The job renaming from 'linux' to 'linux_ubuntu_20' with explicit version comment improves clarity by indicating the exact Ubuntu version and its associated OpenSSL/Botan versions.

---

37-62: Verify OpenSSL 3.0 compatibility in the new Ubuntu 24.04 job.

The new job configuration aligns with the PR objectives to support OpenSSL 3.0. However, there are a few considerations:

1. The -Werror flag is omitted in the Ubuntu 24.04 job. This might allow warnings that would be errors in the 20.04 job to pass silently.
2. Based on the PR objectives mentioning "legacy provider", we should verify if any additional environment variables are needed for OpenSSL 3.0 compatibility.

Let's verify the OpenSSL version and available providers in Ubuntu 24.04:

✅ Verification successful

The Ubuntu 24.04 job configuration is correct for OpenSSL 3.0 compatibility

The omission of -Werror in the Ubuntu 24.04 job is intentional and appropriate during the transition to OpenSSL 3.0. The codebase already includes proper version checks and test cases for OpenSSL 3.0 compatibility. No additional environment variables for legacy provider support are needed as the code handles version differences appropriately.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check OpenSSL version and providers in Ubuntu 24.04
# Note: This is for information only as the actual environment will be in the CI

# Search for OpenSSL version checks or provider loading in the codebase
rg -n "OPENSSL_VERSION|OPENSSL.*_provider" --type cpp

# Search for any OpenSSL environment variables in test scripts
rg -n "OPENSSL.*=" --type sh

Length of output: 2418

---

Script:

#!/bin/bash
# Check configure scripts and build system for OpenSSL settings
rg -n "openssl|OPENSSL|Werror" configure.ac
rg -n "openssl|OPENSSL|Werror" Makefile.am
fd configure --type f --exec grep -l "openssl|OPENSSL|Werror" {} \;

Length of output: 163

---

Script:

#!/bin/bash
# Check other CI jobs and build configurations
rg -n "ubuntu-20|ubuntu-22" .github/workflows/
rg -n "CXXFLAGS|CFLAGS" .github/workflows/
rg -n "Werror|Wall" .github/workflows/

Length of output: 650

[bukka]

Ok I rebased it and fixed the 1.1.1 build / tests but Ubuntu 24.04 still has got some failure (on both Botan and OpenSSL). The tests work for me with custom OpenSSL builds (tested with latest 3.0 and 3.4) so it might be something Ubuntu 24.04 specific. I will look into it next week.