Re: [Openvpn-devel] [PATCH] check_engine_keys: make pass with OpenSSL 3

Wed, 11 Jan 2023 04:20:00 -0800 

On Wed, Jan 11, 2023 at 08:39:51AM +0100, Gert Doering wrote:
> Hi,
> 
> On Tue, Jan 10, 2023 at 06:02:57PM +0100, Frank Lichtenheld wrote:
> > @@ -27,7 +27,7 @@ ${top_builddir}/src/openvpn/openvpn --cd 
> > ${top_srcdir}/sample --config sample-co
> >  # first off check we died because of a key mismatch.  If this doesn't
> >  # pass, suspect openssl of returning different messages and update the
> >  # test accordingly
> > -loggrep '(X509_check_private_key:key values 
> > mismatch|func\(128\):reason\(116\))' log.txt || { echo "Key mismatch not 
> > detected"; exit 1; }
> > +loggrep '(x509 certificate routines:(X509_check_private_key)?:key values 
> > mismatch|func\(128\):reason\(116\))' log.txt || { echo "Key mismatch not 
> > detected"; exit 1; }
> 
> This change does not convince me - assuming normal regex here, the
> original grep would have found any lines with
> 
>   X509_check_private_key:key values mismatch
> 
> in them, while the new one would find
> 
>   X509_check_private_key::key values mismatch
>   X509_check_private_key:X509_check_private_key:key values mismatch
> 
> but not "the old one with just one :"
> 
> Should this be
> 
>   (x509 certificate routines:(X509_check_private_key:)?key va...
> 
> with the second ":" part of the (...:)? zero-or-once match?

So, OpenSSL 3 prints:

x509 certificate routines::key values mismatch

yes, two colons!

OpenSSL 1.1 prints:

x509 certificate routines:X509_check_private_key:key values mismatch

My patch matches for both. But you are right that I made it slightly stricter,
since it previously we only matched on

X509_check_private_key:key values mismatch

for OpenSSL 1.1. If you would prefer that we could go for

(x509 certificate routines:|X509_check_private_key):key values mismatch

But I like my version better.  If that passes buildbot, I think it
should be "good enough".

> (... as a side note, I hate this test... it's easily the test with the
> most commits to make it behave across platforms and SSL library versions)

yeah, definitely.

Regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to