Use Botan 3.1.1 for tests

The all-zero Ed25519 public key is rejected by botan_pubkey_check_key() when the key is loaded. Note that Botan 3 requires GCC 11 or CLANG 14, i.e. can't easily be built on Debian bullseye or Ubuntu 20.04. The thread-local storage function gets flagged via various botan FFI functions when using Botan 3, whitelist that instead of all of them.
2025-10-03 00:00:24 -04:00 · 2023-04-14 09:30:35 +02:00 · 2023-04-14 09:30:35 +02:00 · 36b1a6d76c
commit 36b1a6d76c
parent 1762040ef8
4 changed files with 18 additions and 7 deletions
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -4,7 +4,7 @@
 build_botan()
 {
 	# same revision used in the build recipe of the testing environment
-	BOTAN_REV=2.19.3
+	BOTAN_REV=3.1.1
 	BOTAN_DIR=$DEPS_BUILD_DIR/botan

 	if test -d "$BOTAN_DIR"; then
@ -246,6 +246,10 @@ all|codeql|coverage|sonarcloud|no-dbg)
 			--disable-python-eggs-install"
 	# not enabled on the build server
 	CONFIG="$CONFIG --disable-af-alg"
+	# unable to build Botan on Ubuntu 20.04
+	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
+		CONFIG="$CONFIG --disable-botan"
+	fi
 	if test "$TEST" != "coverage"; then
 		CONFIG="$CONFIG --disable-coverage"
 	else
@ -259,7 +263,9 @@ all|codeql|coverage|sonarcloud|no-dbg)
 		  libselinux1-dev libiptc-dev"
 	PYDEPS="tox"
 	if test "$1" = "build-deps"; then
+		if [ "$ID" = "ubuntu" -a "$VERSION_ID" != "20.04" ]; then
 			build_botan
+		fi
 		build_wolfssl
 		build_tss2
 	fi
--- a/src/libstrongswan/tests/suites/test_ed25519.c
+++ b/src/libstrongswan/tests/suites/test_ed25519.c
@ -559,11 +559,13 @@ START_TEST(test_ed25519_fail)
 	pubkey->destroy(pubkey);
 	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
 					BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
-	ck_assert(pubkey != NULL);
+	if (pubkey)
+	{
 		ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, NULL, sig_tests[0].msg,
 								  sig));
 		pubkey->destroy(pubkey);
 	}
+}
 END_TEST

 Suite *ed25519_suite_create()
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@ -542,6 +542,8 @@ static char *whitelist[] = {
 	"_IO_file_doallocate",
 	"selinux_check_access",
 	"on_exit",
+	/* glibc thread-local storage triggered primarily by Botan */
+	"__tls_get_addr",
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
@ -668,6 +670,7 @@ static char *whitelist[] = {
 	"botan_kdf",
 	/* C++ due to Botan */
 	"__cxa_get_globals",
+	"__cxa_thread_atexit",
 };

 /**
--- a/testing/scripts/recipes/011_botan.mk
+++ b/testing/scripts/recipes/011_botan.mk
@ -2,7 +2,7 @@

 PKG = botan
 SRC = https://github.com/randombit/$(PKG).git
-REV = 2.19.3
+REV = 3.1.1

 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)