Kea issueshttps://gitlab.isc.org/isc-projects/kea/-/issues2024-02-23T18:26:02Zhttps://gitlab.isc.org/isc-projects/kea/-/issues/3194fix UTs when Kea is configured with botan without TLS2024-02-23T18:26:02ZRazvan Becheriufix UTs when Kea is configured with botan without TLSnext-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3193fix use after free when using botan2024-02-23T18:44:19ZRazvan Becheriufix use after free when using botan```plaintext
WARNING: ThreadSanitizer: heap-use-after-free (pid=73943)
Atomic write of size 4 at 0x7b0800000e68 by main thread:
#0 boost::detail::atomic_decrement(unsigned int*) /usr/include/boost/smart_ptr/detail/sp_counted_base_g...```plaintext
WARNING: ThreadSanitizer: heap-use-after-free (pid=73943)
Atomic write of size 4 at 0x7b0800000e68 by main thread:
#0 boost::detail::atomic_decrement(unsigned int*) /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:40 (libkea-cryptolink.so.48+0x8a2c)
#1 boost::detail::sp_counted_base::release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:118 (libkea-cryptolink.so.48+0x8a2c)
#2 boost::detail::shared_count::~shared_count() /usr/include/boost/smart_ptr/detail/shared_count.hpp:432 (libkea-cryptolink.so.48+0x8a2c)
#3 boost::shared_ptr<isc::cryptolink::RNG>::~shared_ptr() /usr/include/boost/smart_ptr/shared_ptr.hpp:335 (libkea-cryptolink.so.48+0x8a2c)
#4 boost::shared_ptr<isc::cryptolink::RNG>::reset() /usr/include/boost/smart_ptr/shared_ptr.hpp:687 (libkea-cryptolink.so.48+0x8a2c)
#5 operator() /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:74 (libkea-cryptolink.so.48+0x8a2c)
#6 _FUN /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:74 (libkea-cryptolink.so.48+0x8a2c)
#7 cxa_at_exit_wrapper ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:389 (libtsan.so.2+0x2e813)
Previous write of size 8 at 0x7b0800000e68 by main thread:
#0 operator delete(void*, unsigned long) ../../../../src/libsanitizer/tsan/tsan_new_delete.cpp:150 (libtsan.so.2+0x8cef5)
#1 boost::detail::sp_counted_impl_p<isc::cryptolink::RNGImpl>::~sp_counted_impl_p() /usr/include/boost/smart_ptr/detail/sp_counted_impl.hpp:64 (libkea-cryptolink.so.48+0x914e)
#2 boost::detail::sp_counted_base::destroy() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:99 (libkea-cryptolink.so.48+0x8c27)
#3 boost::detail::sp_counted_base::weak_release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:134 (libkea-cryptolink.so.48+0x8c27)
#4 boost::detail::sp_counted_base::release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:121 (libkea-cryptolink.so.48+0x8c27)
#5 boost::detail::shared_count::~shared_count() /usr/include/boost/smart_ptr/detail/shared_count.hpp:432 (libkea-cryptolink.so.48+0x8c27)
#6 boost::shared_ptr<isc::cryptolink::RNG>::~shared_ptr() /usr/include/boost/smart_ptr/shared_ptr.hpp:335 (libkea-cryptolink.so.48+0x8c27)
#7 isc::cryptolink::CryptoLink::~CryptoLink() /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:27 (libkea-cryptolink.so.48+0x8c27)
#8 cxa_at_exit_wrapper ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:389 (libtsan.so.2+0x2e813)
SUMMARY: ThreadSanitizer: heap-use-after-free /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:40 in boost::detail::atomic_decrement(unsigned int*)
==================
ThreadSanitizer: reported 1 warnings
```kea2.5.6Razvan BecheriuRazvan Becheriuhttps://gitlab.isc.org/isc-projects/kea/-/issues/2457HMACTest.HMAC_MD5_RFC2202_SIGN crashes under newer compilers2022-06-27T14:58:44ZAndrei Pavelandrei@isc.orgHMACTest.HMAC_MD5_RFC2202_SIGN crashes under newer compilers```
[ RUN ] HMACTest.HMAC_MD5_RFC2202_SIGN
/usr/include/c++/12.1.0/bits/stl_vector.h:1123: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type) [with _Tp = unsigned char; _Alloc = std::allocator<unsign...```
[ RUN ] HMACTest.HMAC_MD5_RFC2202_SIGN
/usr/include/c++/12.1.0/bits/stl_vector.h:1123: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type) [with _Tp = unsigned char; _Alloc = std::allocator<unsigned char>; reference = unsigned char&; size_type = long unsigned int]: Assertion '__n < this->size()' failed.
FAIL: run_unittests
```
Can be replicated on Ubuntu 22.04.
Here is a job that fails: https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/772/testReport/junit/(root)/Crash/run_tests___ubuntu_22_04_amd64___ubuntu_22_04_amd64_results_____RUN________HMACTest_HMAC_MD5_RFC2202_SIGN/kea2.1.7Andrei Pavelandrei@isc.orgAndrei Pavelandrei@isc.orghttps://gitlab.isc.org/isc-projects/kea/-/issues/1974Verify that random calls are seeded and used appropriately2021-09-25T08:16:25ZMichael McNallyVerify that random calls are seeded and used appropriatelyA recent issue with [weak randomization used by the dhclient part of the ISC DHCP project](https://gitlab.isc.org/isc-projects/dhcp/-/issues/197) is a good reminder that we should examine PRNG use in each of ISC's open source projects to...A recent issue with [weak randomization used by the dhclient part of the ISC DHCP project](https://gitlab.isc.org/isc-projects/dhcp/-/issues/197) is a good reminder that we should examine PRNG use in each of ISC's open source projects to ensure that we are using (pseudo-)randomness appropriately.
Please treat this ticket as:
- a reminder to review PRNG use in your project to ensure that it is used properly
- a request to report on the status of that review, so that users who search for this ticket can satisfy themselves that we have checked our usage and believe it to be reasonable.kea2.0.0 (formerly 1.9.12)https://gitlab.isc.org/isc-projects/kea/-/issues/1939Kea 1.8.2 configure fails when linking to static OpenSSL library2022-11-02T15:10:41ZGreg RabilKea 1.8.2 configure fails when linking to static OpenSSL libraryI am attempting to build a static Kea 1.8.2 binary on CentOS7. I have built a static version of OpenSSL 1.1.1k (./config no-shared). When running configure for Kea 1.8.2 and specifying the --with-openssl directive, it fails with the fo...I am attempting to build a static Kea 1.8.2 binary on CentOS7. I have built a static version of OpenSSL 1.1.1k (./config no-shared). When running configure for Kea 1.8.2 and specifying the --with-openssl directive, it fails with the following:
```
checking OS type... Linux
checking for sa_len in struct sockaddr... no
checking for usuable C++11 regex... no
checking for OpenSSL library... yes
checking OpenSSL version... OpenSSL 1.1.1k 25 Mar 2021
checking support of SHA-2... configure: error: missing EVP entry for SHA-2
```
Attached is the config.log file. [config.log](/uploads/68a099b66729e0f428375ce2fd77a95c/config.log)
As a work around, I am able to force it to configure properly by specifying LDFLAGS and LIBS:
`LDFLAGS="-L/opt/tmp/install/openssl/lib" LIBS="-lcrypto -lpthread"`
Note that this problem does not occur if OpenSSL is built with dynamic libraries.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1776Move to system (vs autoseeded) RNG on Botan2022-11-02T15:10:17ZFrancis DupontMove to system (vs autoseeded) RNG on BotanOn Botan we use the autoseeded RNG when on all supported platforms we can use the system RNG. This also works better in a multi threaded environment: on old Botan stateful RNGs including the autoseeded one are not MT safe, on recent (>= ...On Botan we use the autoseeded RNG when on all supported platforms we can use the system RNG. This also works better in a multi threaded environment: on old Botan stateful RNGs including the autoseeded one are not MT safe, on recent (>= 2.16, the last when I write this 2.17.3) versions they are MT safes but for performance it is recommended to make them thread local...
The define to use in the code is BOTAN_HAS_SYSTEM_RNG, include is system_rng.h and the class System_RNG.
BTW IMHO the best should be to use the processor RNG but it is recent and can be tested only at runtime...backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1754Botan option in hammer2022-11-02T15:10:18ZFrancis DupontBotan option in hammerI'd like to get a Botan option in hammer. It does not need to cover all systems.
Note I can only help indirectly: vagrant does not support VMware Fusion, I deeply dislike VirtualBox and since Big Sur some advanced CPU features are no al...I'd like to get a Botan option in hammer. It does not need to cover all systems.
Note I can only help indirectly: vagrant does not support VMware Fusion, I deeply dislike VirtualBox and since Big Sur some advanced CPU features are no allowed so no VM inside a VM too. At the opposite I can find what is the package to use when it exists so my constraint is only in direct testing (i.e. I can't review).
I'll look at for the Botan boost support too but it is 4 header files so something potentially easier than to add --with-boost in package sources and rebuild them.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1665Botan TLS2021-05-05T10:18:02ZTomek MrugalskiBotan TLSThe #1661 to #1664 tickets assume the code się using boost.SSL lib, which uses OpenSSL internally. The goal of this ticket is to try to come up with a solution that uses Botan instead.
If it’s too difficult or requires too many changes ...The #1661 to #1664 tickets assume the code się using boost.SSL lib, which uses OpenSSL internally. The goal of this ticket is to try to come up with a solution that uses Botan instead.
If it’s too difficult or requires too many changes compared to boost.ssl, then it is acceptable to have TLS support only when compiling with OpenSSL. If compiling with Botan, we could disable TLS support. Obviously, getting it work would be better...
(done (i.e. it works) and the description obviously needs more edit than this one)kea1.9.8Francis DupontFrancis Duponthttps://gitlab.isc.org/isc-projects/kea/-/issues/1614Make Kea compatible with OpenSSL 3.02022-06-24T15:49:13ZFrancis DupontMake Kea compatible with OpenSSL 3.0kea2.1.7Tomek MrugalskiTomek Mrugalskihttps://gitlab.isc.org/isc-projects/kea/-/issues/1558EVP_MD_CTX_create issues2020-11-20T15:47:57ZFrancis DupontEVP_MD_CTX_create issuesAt least on Jenkins a virtual machine has a problem with EVP_MD_CTX_create:
```
[2020-11-18T19:14:11.131Z] [ RUN ] NSEC3HashTest.calculate
[2020-11-18T19:14:11.131Z] ld-elf.so.1: /usr/home/jenkins/workspace/kea-dev/ut-thread/src/lib...At least on Jenkins a virtual machine has a problem with EVP_MD_CTX_create:
```
[2020-11-18T19:14:11.131Z] [ RUN ] NSEC3HashTest.calculate
[2020-11-18T19:14:11.131Z] ld-elf.so.1: /usr/home/jenkins/workspace/kea-dev/ut-thread/src/lib/cryptolink/.libs/libkea-cryptolink.so.5: Undefined symbol "EVP_MD_CTX_create"
```
This shows a problem with the OpenSSL library which should have been detected in configure. As it can happen too in production I propose to address this. The first step should be to identify the virtual machine and its system.kea1.9.2Francis DupontFrancis Duponthttps://gitlab.isc.org/isc-projects/kea/-/issues/990Better support for recent Botan (configure, warnings)2022-11-02T15:10:18ZFrancis DupontBetter support for recent Botan (configure, warnings)Recent versions of Botan display some warnings:
```
In file included from botan_hash.cc:14:
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/lookup.h:35:1: warning: this header is deprecated [-W#pragma-messages]
BOTAN_DEPRECATED_HEAD...Recent versions of Botan display some warnings:
```
In file included from botan_hash.cc:14:
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/lookup.h:35:1: warning: this header is deprecated [-W#pragma-messages]
BOTAN_DEPRECATED_HEADER(lookup.h)
^
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/compiler.h:104:42: note: expanded from macro 'BOTAN_DEPRECATED_HEADER'
#define BOTAN_DEPRECATED_HEADER(hdr) _Pragma("message \"this header is deprecated\"")
^
<scratch space>:214:2: note: expanded from here
message "this header is deprecated"
^
1 warning generated.
In file included from botan_hmac.cc:14:
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/hmac.h:14:1: warning: this header will be made internal in the future [-W#pragma-messages]
BOTAN_FUTURE_INTERNAL_HEADER(hmac.h)
^
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/compiler.h:107:49: note: expanded from macro 'BOTAN_FUTURE_INTERNAL_HEADER'
#define BOTAN_FUTURE_INTERNAL_HEADER(hdr) _Pragma("message \"this header will be made internal in the future\"")
^
<scratch space>:214:2: note: expanded from here
message "this header will be made internal in the future"
^
In file included from botan_hmac.cc:15:
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/lookup.h:35:1: warning: this header is deprecated [-W#pragma-messages]
BOTAN_DEPRECATED_HEADER(lookup.h)
^
/usr/local/Cellar/botan/2.12.1/include/botan-2/botan/compiler.h:104:42: note: expanded from macro 'BOTAN_DEPRECATED_HEADER'
#define BOTAN_DEPRECATED_HEADER(hdr) _Pragma("message \"this header is deprecated\"")
^
<scratch space>:216:2: note: expanded from here
message "this header is deprecated"
^
2 warnings generated.
```
BTW these warnings are only displayed: the quote is from a --with-werror build.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/386Remove obsolete experimental DHCPv6 options2019-01-11T13:29:57ZTomek MrugalskiRemove obsolete experimental DHCPv6 optionsThe User's guide still lists experimental sedhcpv6 options (search for "List of experimental DHCPv6 options"). Sadly, the draft is dead and there's no chance to revive it in the future.
We should remove the related code and the docs sec...The User's guide still lists experimental sedhcpv6 options (search for "List of experimental DHCPv6 options"). Sadly, the draft is dead and there's no chance to revive it in the future.
We should remove the related code and the docs section.Kea1.6Francis DupontFrancis Dupont