OpenSSL 1.1.1n test failures due to expired certificates (time bomb)

80-test_ocsp.t ..................... ok

80-test_pkcs12.t ................... ok

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [2] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got ClientFail.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844368

not ok 2 - iteration 2

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [2] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got ClientFail.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844368

not ok 4 - iteration 4

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [4] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844368

not ok 5 - iteration 5

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [4] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844368

not ok 6 - iteration 6

# ------------------------------------------------------------------------------

# OPENSSL_TEST_RAND_ORDER=1655844368

not ok 1 - test_handshake

# ------------------------------------------------------------------------------

../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.none none => 1

not ok 3 - running ssl_test 12-ct.cnf

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [2] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got ClientFail.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844369

not ok 2 - iteration 2

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [2] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got ClientFail.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844369

not ok 4 - iteration 4

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [4] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844369

not ok 5 - iteration 5

# ------------------------------------------------------------------------------

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36

# [4] compared to [0]

# INFO: @ test/ssl_test.c:37

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45

# OPENSSL_TEST_RAND_ORDER=1655844369

not ok 6 - iteration 6

# ------------------------------------------------------------------------------

# OPENSSL_TEST_RAND_ORDER=1655844369

not ok 1 - test_handshake

# ------------------------------------------------------------------------------

../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.default default => 1

not ok 6 - running ssl_test 12-ct.cnf

# ------------------------------------------------------------------------------

# Failed test 'running ssl_test 12-ct.cnf'

# at test/recipes/80-test_ssl_new.t line 171.

# Looks like you failed 2 tests of 6.

not ok 12 - Test configuration 12-ct.cnf

# ------------------------------------------------------------------------------

# Looks like you failed 1 test of 30.80-test_ssl_new.t ..................

Dubious, test returned 1 (wstat 256, 0x100)

Failed 1/30 subtests

80-test_ssl_old.t .................. ok

80-test_ssl_test_ctx.t ............. ok

$ guix graph -t derivation --path libfaketime openssl@1

/gnu/store/a4jcd4h7nvn97a2mw4n1yydgbh0i2wmz-libfaketime-0.9.9.drv

/gnu/store/hf5arq562aiisycnjcnhgfwzrl8lwrbc-libfaketime-0.9.9-checkout.drv

/gnu/store/xpnrk8hjfh7rvgqfsjwkjrb9cz1ws626-git-minimal-2.36.1.drv

/gnu/store/gavjhl823bhd95rijqf3iw3vl32ix494-openssl-1.1.1l.drv

modified gnu/packages/tls.scm

@@ -491,11 +491,47 @@ (define (target->openssl-target target)

(error "unsupported openssl target architecture")))))

(string-append kernel "-" arch))))

+;;; A minimal version of libfaketime that should remain private. Its only

+;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's

+;;; git-fetch origin, which pulls git (which requires openssl).

+(define libfaketime-minimal

+ (package

+ (name "libfaketime")

+ (version "0.9.10")

+ (home-page "https://github.com/wolfcw/libfaketime")

+ (source (origin

+ (method url-fetch)

+ ;; XXX: We cheat and use a dynamically generated archive GitHub

+ ;; link here, since we can't fetch from git.

+ (uri (string-append "https://github.com/wolfcw/" name

+ "/archive/refs/tags/v" version ".tar.gz"))

+ (sha256

+ (base32

+ "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj"))))

+ (build-system gnu-build-system)

+ (arguments

+ (list

+ #:make-flags #~(list "all")

+ #:tests? #f

+ #:phases

+ #~(modify-phases %standard-phases

+ (replace 'configure

+ (lambda* (#:key outputs #:allow-other-keys)

+ (setenv "CC" #$(cc-for-target))

+ (setenv "PREFIX" #$output))))))

+ (synopsis "Fake the system time for single applications")

+ (description

+ "The libfaketime library allows users to modify the system time that an

+application \"sees\". It is meant to be loaded using the dynamic linker's

+@code{LD_PRELOAD} environment variable. The @command{faketime} command

+provides a simple way to achieve this.")

+ (license license:gpl2)))

+

(define-public openssl-1.1

;; Note to maintainers: when updating this package, make sure to update the

;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs

;; in the test suite.

- (let ((release-date "2021-08-24 00:00"))

+ (let ((release-date "@2021-08-24 00:00:00"))

(package

(name "openssl")

(version "1.1.1l")

@@ -517,7 +553,7 @@ (define-public openssl-1.1

(outputs '("out"

"doc" ;6.8 MiB of man3 pages and full HTML documentation

"static")) ;6.4 MiB of .a files

- (native-inputs (list datefudge perl))

+ (native-inputs (list libfaketime-minimal perl))

(arguments

(list

#:modules '((guix build gnu-build-system)

@@ -537,6 +573,15 @@ (define-public openssl-1.1

#:disallowed-references (list (canonical-package perl))

#:phases

#~(modify-phases %standard-phases

+ (add-before 'unpack 'setup-libfaketime

+ (lambda* (#:key native-inputs inputs #:allow-other-keys)

+ (let ((libfaketime.so.1 (search-input-file

+ (or native-inputs inputs)

+ "lib/faketime/libfaketime.so.1")))

+ (setenv "LD_PRELOAD" libfaketime.so.1)

+ (setenv "NO_FAKE_STAT" "1")

+ (setenv "FAKETIME_DONT_RESET" "1")

+ (setenv "FAKETIME" #$release-date))))

#$@(if (%current-target-system)

#~((add-before 'configure 'set-cross-compile

../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0

ok 1 - Getting output from generate_ssl_tests.pl.

ok 2 - Comparing generated sources.

# Subtest: ../ssl_test

1..1

# Subtest: test_handshake

1..6

ok 1 - iteration 1

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33

# [2] compared to [0]

# INFO: @ test/ssl_test.c:34

# ExpectedResult mismatch: expected Success, got ClientFail.

# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45

not ok 2 - iteration 2

ok 3 - iteration 3

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33

# [2] compared to [0]

# INFO: @ test/ssl_test.c:34

# ExpectedResult mismatch: expected Success, got ClientFail.

# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45

not ok 4 - iteration 4

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33

# [4] compared to [0]

# INFO: @ test/ssl_test.c:34

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45

not ok 5 - iteration 5

# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33

# [4] compared to [0]

# INFO: @ test/ssl_test.c:34

# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.

# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45

not ok 6 - iteration 6

not ok 1 - test_handshake

../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1

not ok 3 - running ssl_test 12-ct.conf

# Failed test 'running ssl_test 12-ct.conf'

# at ../test/recipes/80-test_ssl_new.t line 148.

# Looks like you failed 1 test of 3.

not ok 12 - Test configuration 12-ct.conf

# Failed test 'Test configuration 12-ct.conf'

# at

# /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm

# line 1212.

./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'