Suppressing memory leaks procuded by LeakSanitizer

These memory leaks are a known issue in libp11: From Timo Teras:

The relevant code is:

  https://github.com/OpenSC/libp11/blob/master/src/eng_front.c#L114-L123

The authors of libp11 did not get the locking right and decided
that having intentional memory leaks is better than risking a deadlock.

The leak logs indicate that it is the cached structures that should
have been freed.

These are not a run-time leaks, so suppressing these leaks is probably
okay.

(cherry picked from commit 8a4f098dee)

.gitlab-ci.yml

@@ -7,6 +7,9 @@ variables:
   CI_REGISTRY_IMAGE: registry.gitlab.isc.org/isc-projects/images/bind9
   CCACHE_DIR: "/ccache"
   SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
+  OPENSSL_ENGINES: "/usr/lib/x86_64-linux-gnu/engines-1.1"
+  DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf"
+  OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
 
   # VirtualBox driver needs to set build_dir to "/builds" in gitlab-runner.toml
   KYUA_RESULT: "$CI_PROJECT_DIR/kyua.results"
@@ -305,16 +308,11 @@ stages:
         sudo sh -x bin/tests/system/ifconfig.sh up;
       fi
 
-.setup_softhsm: &setup_softhsm
-    - export SLOT=$(sh -x bin/tests/prepare-softhsm2.sh)
-    - test -n "${SLOT}" && test "${SLOT}" -gt 0
-
 .system_test_common: &system_test_common
   <<: *default_triggering_rules
   stage: system
   before_script:
     - *setup_interfaces
-    - *setup_softhsm
   script:
     - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 )
     - test -s bin/tests/system/systests.output
@@ -371,8 +369,6 @@ stages:
 .unit_test_common: &unit_test_common
   <<: *default_triggering_rules
   stage: unit
-  before_script:
-    - *setup_softhsm
   script:
     - make unit
   after_script:
@@ -930,11 +926,15 @@ gcc:asan:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
     LDFLAGS: "-fsanitize=address,undefined"
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     EXTRA_CONFIGURE: "--with-libidn2"
   <<: *fedora_35_amd64_image
   <<: *build_job
 
 system:gcc:asan:
+  variables:
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
+    LSAN_OPTIONS: "suppressions=/builds/isc-projects/bind9/suppr-lsan.txt"
   <<: *fedora_35_amd64_image
   <<: *system_test_job
   needs:
@@ -978,12 +978,14 @@ gcc:tsan:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0"
     LDFLAGS: "-fsanitize=thread"
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock"
   <<: *fedora_35_amd64_image
   <<: *build_job
 
 system:gcc:tsan:
   variables:
+    SOFTHSM2_MODULE: "/lib64/libsofthsm2.so"
     TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON}
   <<: *fedora_35_amd64_image
   <<: *system_test_tsan_job
@@ -1406,7 +1408,6 @@ respdiff-third-party:
   script:
     - *configure
     - *setup_interfaces
-    - *setup_softhsm
     - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
     - make DESTDIR="${INSTALL_PATH}" install
     - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git

CHANGES

@@ -1,3 +1,5 @@
+5798.	[test]		Add system test to test dnssec-keyfromlabel. [GL #3092]
+
 5797.	[bug]		A failed view configuration during a named
 			reconfiguration procedure could cause inconsistencies
 			in BIND internal structures, causing a crash or other

bin/tests/prepare-softhsm2.sh

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-if [ -n "${SOFTHSM2_CONF}" ] && command -v softhsm2-util >/dev/null; then
-    SOFTHSM2_DIR=$(dirname "$SOFTHSM2_CONF")
-    mkdir -p "${SOFTHSM2_DIR}/tokens"
-    echo "directories.tokendir = ${SOFTHSM2_DIR}/tokens" > "${SOFTHSM2_CONF}"
-    echo "objectstore.backend = file" >> "${SOFTHSM2_CONF}"
-    echo "log.level = DEBUG" >> "${SOFTHSM2_CONF}"
-    softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
-fi
-exit 0

bin/tests/system/conf.sh.common

@@ -93,6 +93,7 @@ integrity \
 ixfr \
 journal \
 kasp \
+keyfromlabel \
 keepalive \
 keymgr2kasp \
 legacy \

bin/tests/system/keyfromlabel/clean.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+rm -f K*
+rm -f pin
+rm -f dsset-*
+rm -f *.example.db *.example.db.signed
+rm -f keyfromlabel.out.*
+rm -f pkcs11-tool.out.*
+rm -f signer.out.*
+
+softhsm2-util --delete-token --token "softhsm2" || echo_i "softhsm2 token not found"

bin/tests/system/keyfromlabel/prereq.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then
+	exit 0
+fi
+
+echo_i "skip: softhsm2-util not available"
+exit 255

bin/tests/system/keyfromlabel/setup.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }'
+
+printf '%s' "${HSMPIN:-1234}" > pin
+PWD=$(pwd)

bin/tests/system/keyfromlabel/template.db.in

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"test"
+

bin/tests/system/keyfromlabel/tests.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+PWD=$(pwd)
+
+keygen() {
+	type="$1"
+	bits="$2"
+	zone="$3"
+	id="$4"
+
+	label="${id}-${zone}"
+	p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+	pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+}
+
+keyfromlabel() {
+        alg="$1"
+        zone="$2"
+        id="$3"
+        shift 3
+
+	$KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1
+	cat keyfromlabel.out.$zone.$id
+}
+
+infile="template.db.in"
+for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
+		   ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1
+		   # Edwards curves are not yet supported by OpenSC
+		   # ed25519:EC:edwards25519 ed448:EC:edwards448
+do
+	alg=$(echo "$algtypebits" | cut -f 1 -d :)
+	type=$(echo "$algtypebits" | cut -f 2 -d :)
+	bits=$(echo "$algtypebits" | cut -f 3 -d :)
+
+	if $SHELL ../testcrypto.sh $alg; then
+		zone="$alg.example"
+		zonefile="zone.$alg.example.db"
+		ret=0
+
+		echo_i "Generate keys $alg $type:$bits for zone $zone"
+		keygen $type $bits $zone keyfromlabel-zsk || ret=1
+		keygen $type $bits $zone keyfromlabel-ksk || ret=1
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+
+		# Skip dnssec-keyfromlabel if key generation failed.
+		test $ret == 0 || continue
+
+		echo_i "Get ZSK $alg $id-$zone $type:$bits"
+		ret=0
+		zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk)
+		test -z "$zsk" && ret=1
+
+		echo_i "Get KSK $alg $id-$zone $type:$bits"
+		ret=0
+		ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK)
+		test -z "$ksk" && ret=1
+
+		test "$ret" -eq 0 || echo_i "failed (zsk=$zsk ksk=$ksk)"
+		status=$((status+ret))
+
+		# Skip signing if dnssec-keyfromlabel failed.
+		test $ret == 0 || continue
+
+		echo_i "Sign zone with $ksk $zsk"
+		ret=0
+		cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+		$SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1
+		test "$ret" -eq 0 || echo_i "failed"
+		status=$((status+ret))
+	fi
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/runtime/tests.sh

@@ -229,8 +229,6 @@ if [ "$(id -u)" -eq 0 ] && [ -z "$CYGWIN" ]; then
     TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX")
     if [ "$?" -eq 0 ]; then
 	copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf"
-	export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf"
-	sh "$TOP/bin/tests/prepare-softhsm2.sh"
 	chown -R nobody: "${TEMP_NAMED_DIR}"
 	chmod 0700 "${TEMP_NAMED_DIR}"
 	testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf)

suppr-lsan.txt

@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# These are known leaks in libp11.
+leak:BN_MONT_CTX_new
+leak:C_LoadModule
+leak:ctx_new
+leak:ctx_try_load_object
+leak:dlfcn_name_converter
+leak:EC_GROUP_set_seed
+leak:CRYPTO_strdup
+leak:CRYPTO_zalloc
+leak:pkcs11_check_token
+leak:pkcs11_CTX_new
+leak:pkcs11_enumerate_slots
+leak:pkcs11_getattr_alloc
+leak:pkcs11_init_key
+leak:pkcs11_strdup