Not sure if it could be considered as a bug; concerns the test suite, let you see

gmail arbogast.cedric at gmail.com
Sun Mar 27 19:13:50 CEST 2011


Hello,

I have built gnutls-2.12.0 in a chroot jail (gcc 4.5.2/libc 2.13/binutils 2.21/make 3.82) on an Athlon architecture as root and got the following trouble with testdsa:

     [root at pompomgalli] ../gnutls-2.12.0/configure && make

     ...

     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for `../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     ../../../gnutls-2.12.0/tests/dsa/testdsa: line 83: kill: `%1': not a pid or valid job spec

<[CTRL][C]>

   ^CFAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================
     ...

     [root at pompomgalli]



I chose to ignore the kill notice and focused on the freeze of the test (a bad idea, as I will see later...), and relaunched the test suite a second time to check whether it could be repeated:



     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for `../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     ../../../gnutls-2.12.0/tests/dsa/testdsa: line 67: kill: `%1': not a pid or valid job spec
     Checking DSA-1024 with TLS 1.2
     Checking server DSA-1024 with client DSA-1024 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     *** Fatal error: The given DSA key is incompatible with the selected TLS protocol.
     *** Handshake has failed
     GnuTLS error: The given DSA key is incompatible with the selected TLS protocol.
     Failure: Failed connection to a server with a client DSA 2048 key and TLS 1.2!
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================
     ...

     [root at pompomgalli]



Apparently, something was wrong with TLS 1.2, so I turned on debugging in testdsa:



--- gnutls-2.12.0/tests/dsa/testdsa.orig        2011-03-23 
19:46:59.000000000 +0100
+++ gnutls-2.12.0/tests/dsa/testdsa    2011-03-27 14:01:10.000000000 +0200
@@ -24,7 +24,7 @@
  SERV="${SERV:-../../src/gnutls-serv} -q"
  CLI="${CLI:-../../src/gnutls-cli}"
  PORT="${PORT:-5559}"
-DEBUG=""
+DEBUG="-d 9"
  unset RETCODE

  fail() {
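Review bot: fine as a temporary diagnostic, but `-d 9` is passed to both $CLI and $SERV, and the server's output is redirected to /dev/null, so only the client side is actually visible in the log; if debugging is meant to stay selectable, `DEBUG="${DEBUG:-}"` alongside the SERV/CLI/PORT defaults above would let it be set from the environment without editing the script.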



and relaunched the test suite a third time:



     [root at pompomgalli] make check

     ...

     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/x509_b64.c:453
     |<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
     Processed 1 client X.509 certificates...
     |<4>| REC[0x8062b20]: Allocating epoch #0
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_constate.c:695
     |<4>| REC[0x8062b20]: Allocating epoch #1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
     |<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
     |<2>| EXT[0x8062b20]: Sending extension CERT TYPE (3 bytes)
     |<2>| EXT[0x8062b20]: Sending extension SERVER NAME (14 bytes)
     |<2>| EXT[0x8062b20]: Sending extension SAFE RENEGOTIATION (1 bytes)
     |<2>| EXT[0x8062b20]: Sending extension SESSION TICKET (0 bytes)
     |<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
     |<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
     |<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
     |<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
     |<2>| EXT[0x8062b20]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
     |<3>| HSK[0x8062b20]: CLIENT HELLO was sent [139 bytes]
     |<4>| REC[0x8062b20]: Sending Packet[0] Handshake(22) with length: 139
     |<4>| REC[0x8062b20]: Sent Packet[1] Handshake(22) with length: 144
     |<4>| REC[0x8062b20]: Expected Packet[0] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[0] Handshake(22) with length: 85
     |<4>| REC[0x8062b20]: Decrypted Packet[0] Handshake(22) with length: 85
     |<3>| HSK[0x8062b20]: SERVER HELLO was received [85 bytes]
     |<3>| HSK[0x8062b20]: Server's version: 3.1
     |<3>| HSK[0x8062b20]: SessionID length: 32
     |<3>| HSK[0x8062b20]: SessionID: 42fdb8a2c661db286038ab89073cbb496eace1fa7f43a23b4e5b23a91e09924a
     |<3>| HSK[0x8062b20]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1
     |<2>| EXT[0x8062b20]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
     |<2>| EXT[0x8062b20]: Parsing extension 'SESSION TICKET/35' (0 bytes)
     |<3>| HSK[0x8062b20]: Safe renegotiation succeeded
     |<4>| REC[0x8062b20]: Expected Packet[1] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[1] Handshake(22) with length: 863
     |<4>| REC[0x8062b20]: Decrypted Packet[1] Handshake(22) with length: 863
     |<3>| HSK[0x8062b20]: CERTIFICATE was received [863 bytes]
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:386
     |<4>| REC[0x8062b20]: Expected Packet[2] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[2] Handshake(22) with length: 315
     |<4>| REC[0x8062b20]: Decrypted Packet[2] Handshake(22) with length: 315
     |<3>| HSK[0x8062b20]: SERVER KEY EXCHANGE was received [315 bytes]
     |<4>| REC[0x8062b20]: Expected Packet[3] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[3] Handshake(22) with length: 9
     |<4>| REC[0x8062b20]: Decrypted Packet[3] Handshake(22) with length: 9
     |<3>| HSK[0x8062b20]: CERTIFICATE REQUEST was received [9 bytes]
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:499
     |<4>| REC[0x8062b20]: Expected Packet[4] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[4] Handshake(22) with length: 4
     |<4>| REC[0x8062b20]: Decrypted Packet[4] Handshake(22) with length: 4
     |<3>| HSK[0x8062b20]: SERVER HELLO DONE was received [4 bytes]
     |<3>| HSK[0x8062b20]: CERTIFICATE was sent [1293 bytes]
     |<3>| HSK[0x8062b20]: CLIENT KEY EXCHANGE was sent [134 bytes]
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_sig.c:716
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/auth_cert.c:1559
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_kx.c:336
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_handshake.c:2832
     *** Fatal error: The given DSA key is incompatible with the selected TLS protocol.
     |<4>| REC: Sending Alert[2|40] - Handshake failed
     |<4>| REC[0x8062b20]: Sending Packet[1] Alert(21) with length: 2
     |<4>| REC[0x8062b20]: Sent Packet[2] Alert(21) with length: 7
     *** Handshake has failed
     GnuTLS error: The given DSA key is incompatible with the selected TLS protocol.
     |<4>| REC[0x8062b20]: Epoch #0 freed
     |<4>| REC[0x8062b20]: Epoch #1 freed
     Failure: Failed connection to a server with a client DSA 2048 key and TLS 1.2!
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================
     ...

     [root at pompomgalli]


After having checked the assert at line 716 in gnutls-2.12.0/lib/gnutls_sig.c and seen nothing wrong,
I modified it to get details on what the client gets from the server:

--- gnutls-2.12.0/lib/gnutls_sig.c.orig 2011-03-23 19:46:37.000000000 +0100
+++ gnutls-2.12.0/lib/gnutls_sig.c      2011-03-27 14:47:22.000000000 +0200
@@ -712,8 +712,10 @@
      case GNUTLS_PK_DSA:
        /* ensure 1024 bit DSA keys are used */
        hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
-      if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != 
GNUTLS_DIG_SHA1)
+      if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != 
GNUTLS_DIG_SHA1) {
+        _gnutls_debug_log ("DEBUGLOG: %d, %d, %s\n", ver, hash_algo, 
gnutls_mac_get_name (hash_algo));
          return 
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+      }

        dconcat.data = &concat[16];
        dconcat.size = 20;
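Review bot: the added `_gnutls_debug_log` call prints `ver` as a raw enum value, which is why the `2` it emits later has to be decoded by hand as TLS 1.0; logging the protocol's name next to the number would make the trace self-explanatory. The brace opened on the `if` line also diverges from the GNU layout of the surrounding code, and since this is a throwaway diagnostic it should not be carried into any final fix.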




And relaunched the test suite a fourth time:


     [root at pompomgalli] make check

     ...

     |<3>| HSK[0x8062b20]: CERTIFICATE REQUEST was received [9 bytes]
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:499
     |<4>| REC[0x8062b20]: Expected Packet[4] Handshake(22) with length: 1
     |<4>| REC[0x8062b20]: Received Packet[4] Handshake(22) with length: 4
     |<4>| REC[0x8062b20]: Decrypted Packet[4] Handshake(22) with length: 4
     |<3>| HSK[0x8062b20]: SERVER HELLO DONE was received [4 bytes]
     |<3>| HSK[0x8062b20]: CERTIFICATE was sent [1293 bytes]
     |<3>| HSK[0x8062b20]: CLIENT KEY EXCHANGE was sent [134 bytes]
     |<2>| DEBUGLOG: 2, 6, SHA256
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_sig.c:717
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/auth_cert.c:1559
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_kx.c:336
     |<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_handshake.c:2832
     *** Fatal error: The given DSA key is incompatible with the selected TLS protocol.
     |<4>| REC: Sending Alert[2|40] - Handshake failed
     |<4>| REC[0x8062b20]: Sending Packet[1] Alert(21) with length: 2
     |<4>| REC[0x8062b20]: Sent Packet[2] Alert(21) with length: 7
     *** Handshake has failed
     GnuTLS error: The given DSA key is incompatible with the selected TLS protocol.
     |<4>| REC[0x8062b20]: Epoch #0 freed
     |<4>| REC[0x8062b20]: Epoch #1 freed
     Failure: Failed connection to a server with a client DSA 2048 key and TLS 1.2!
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================

     ...

     [root at pompomgalli]


The value 2 in (|<2>| DEBUGLOG: 2, 6, SHA256) means TLS 1.0, but the test was supposed to deal with a TLS 1.2 server at this step...
I then remembered, with a shiver down my back, the kill notice...:

     [root at pompomgalli]  ps -efa | grep tls

     root      2329 26908  0 15:01 pts/10   00:00:00 vi gnutls-2.12.0/tests/dsa/testd
     root      2361  7462  0 15:07 pts/2    00:00:00 grep tls
     root      5752     1  0 Mar26 pts/2    00:00:00 /usr/src/gnutls-2.12.0_build/src

     [root at pompomgalli]  cat /proc/5752/cmdline

     /usr/src/gnutls-2.12.0_build/src/.libs/lt-gnutls-serv-q-p5559--priorityNORMAL:-VERS-TLS-ALL:+VERS-TLS1.0--x509certfile../../../gnutls-2.12.0/tests/dsa/cert.dsa.1024.pem--x509keyfile../../../gnutls-2.12.0/tests/dsa/dsa.1024.pem

     [root at pompomgalli]


Well... The client was still talking to the TLS 1.0 server launched at the first test suite run, which was never killed...
I then modified gnutls-2.12.0/tests/dsa/testdsa to signal the fact that there was a problem with the server's launch (full patch at the end of the mail), removed debug mode and launched the test suite:



     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for `../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Failure: Unable to launch server DSA-1024 with TLS 1.0 !
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================

     ...

     [root at pompomgalli]


OK, this time the testdsa script warns about some trouble with the server launch, left over from the first server launch.
It's the expected behavior, considering there is still a running server on TCP port 5559.
I finally focused on the kill notice and did some basic checks:


     [root at pompomgalli]  read &

     [1] 12466

     [root at pompomgalli]  /bin/kill %1

     kill: can't find process "%1"

     [1]+  Stopped                 read

     [root at pompomgalli]  /bin/kill --version

     kill from util-linux 2.19

     [root at pompomgalli] kill %1

     [1]+  Stopped                 read

     [root at pompomgalli]



The testdsa shell script does not use the shell builtin kill command, and the builtin kill command is mandatory for job control monitoring.
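The consequence of that observation, as an added example that is not part of GnuTLS or of the patch in this mail: a background test server tracked by its PID can be checked and torn down regardless of whether `kill` resolves to the shell builtin or to /bin/kill, because a numeric PID is meaningful to both while a job spec like `%1` is only meaningful to the builtin. Here `sleep` stands in for gnutls-serv, and `SERVER_PID`, `pid_alive`, `start_server`, `stop_server` and `kill_is_builtin` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not GnuTLS code: manage a background test server by PID
# instead of by job spec, so cleanup does not depend on job control or on
# which `kill` implementation the shell runs. `sleep` stands in for the
# real server; all function and variable names here are hypothetical.

# Probe a PID without sending a real signal (signal 0 is POSIX).
# Needs neither ps nor /proc, so it also works in a minimal chroot.
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# Launch the stand-in server in the background and remember its PID from $!.
# Returns 0 only if the process is still alive after the startup grace period,
# i.e. the "was the server actually launched?" check the test script needs.
start_server() {
    sleep 60 >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1                      # give the server a chance to initialize
    pid_alive "$SERVER_PID"
}

# Terminate by PID and reap with wait. Unlike `kill %1`, this works with the
# builtin and with /bin/kill alike. Returns 0 once the process is really gone,
# 1 if it survived (which would leave the port busy for the next run).
stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    if pid_alive "$SERVER_PID"; then
        return 1
    fi
    return 0
}

# Report which `kill` this shell would run: the builtin (job specs work)
# or an external binary (job specs such as %1 mean nothing to it).
kill_is_builtin() {
    case "$(type kill 2>/dev/null)" in
        *builtin*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Stand-alone demo; set RUN_DEMO=1 in the environment to exercise the functions.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    if kill_is_builtin; then echo "kill is a shell builtin"; else echo "kill is external"; fi
    start_server && echo "server $SERVER_PID is up"
    stop_server && echo "server $SERVER_PID stopped and reaped"
fi
```

In testdsa terms, once the script records `PROCESS=$!` after each `$SERV ... &`, tearing down with `kill "$PROCESS"; wait "$PROCESS"` removes the dependency on job control entirely, and `kill -0 "$PROCESS"` is a launch check that needs neither `ps` nor `/proc`.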
I then modified testdsa in this way:


--- gnutls-2.12.0/tests/dsa/testdsa.orig        2011-03-23 
19:46:59.000000000 +0100
+++ gnutls-2.12.0/tests/dsa/testdsa     2011-03-27 17:37:04.000000000 +0200
@@ -32,6 +32,26 @@
     exit 1
  }

+enable_bash_job_monitoring() {
+       set -m
+       enable jobs
+       enable kill
+}
+
+# Check for ps or /proc availability
+if test "$(ps 2>&1 > /dev/null; echo $?)" != "0" ; then
+        # Check for porc filesusyem
+        if test -d /proc -a -d /proc/$$ ; then
+                CHECKPS="test -d /proc/\${PROCESS}"
+        fi
+else
+        CHECKPS="test \"\$(ps -p \${PROCESS} 2>&1 > /dev/null; echo 
\$?)\" = \"0\""
+fi
+
+# Required for bash allowing job montioring bultins
+enable_bash_job_monitoring 2>&1 > /dev/null
+
+
  echo "Checking various DSA key sizes"

  # DSA 1024 + TLS 1.0
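Review bot: the availability probes use the redirection order `2>&1 > /dev/null`, which sends stderr to the terminal and only stdout to /dev/null (the same order is used for `enable_bash_job_monitoring 2>&1 > /dev/null`); `> /dev/null 2>&1` is what is intended. More importantly, when neither `ps` nor `/proc` is usable CHECKPS stays empty, and `eval ${CHECKPS}` of an empty string succeeds, so the launch check silently passes; a `kill -0 $PROCESS` fallback needs neither and would close that gap. `enable` and `set -m` are bash-only, so the script should state that it requires bash, and the comments "porc filesusyem" and "montioring bultins" have typos.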
@@ -39,127 +59,166 @@
  echo "Checking DSA-1024 with TLS 1.0"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
-  fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+if eval ${CHECKPS} ; then
+
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+         fail "Failed connection to a server with DSA 1024 key and TLS 
1.0!"

-echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"
+       echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"

-#try with client key of 1024 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
 >/dev/null || \
-  fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+       #try with client key of 1024 bits (should succeed)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
 >/dev/null || \
+         fail "Failed connection to a server with DSA 1024 key and TLS 
1.0!"

-echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"
+       echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"

-#try with client key of 2048 bits (should fail)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
 >/dev/null 2>&1 && \
-  fail "Succeeded connection to a server with a client DSA 2048 key and 
TLS 1.0!"
+       #try with client key of 2048 bits (should fail)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
 >/dev/null 2>&1 && \
+         fail "Succeeded connection to a server with a client DSA 2048 
key and TLS 1.0!"


-echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"
+       echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"

-#try with client key of 3072 bits (should fail)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
 >/dev/null 2>&1 && \
-  fail "Succeeded connection to a server with a client DSA 3072 key and 
TLS 1.0!"
+       #try with client key of 3072 bits (should fail)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
 >/dev/null 2>&1 && \
+         fail "Succeeded connection to a server with a client DSA 3072 
key and TLS 1.0!"

-kill %1
-wait
+       jobs >&2
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-1024 with TLS 1.0 !"
+fi

  # DSA 1024 + TLS 1.2

  echo "Checking DSA-1024 with TLS 1.2"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
-  fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+         fail "Failed connection to a server with DSA 1024 key and TLS 
1.2!"

-echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"
+       echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"

-#try with client key of 1024 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
 >/dev/null || \
-  fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+       #try with client key of 1024 bits (should succeed)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
 >/dev/null || \
+         fail "Failed connection to a server with DSA 1024 key and TLS 
1.2!"

-echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"
+       echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"

-#try with client key of 2048 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
 >/dev/null || \
-  fail "Failed connection to a server with a client DSA 2048 key and 
TLS 1.2!"
+       #try with client key of 2048 bits (should succeed)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
 >/dev/null || \
+         fail "Failed connection to a server with a client DSA 2048 key 
and TLS 1.2!"

-echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"
+       echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"

-#try with client key of 3072 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
 >/dev/null || \
-  fail "Failed connection to a server with a client DSA 3072 key and 
TLS 1.2!"
+       #try with client key of 3072 bits (should succeed)
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
 >/dev/null || \
+         fail "Failed connection to a server with a client DSA 3072 key 
and TLS 1.2!"


-kill %1
-wait
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-1024 with TLS 1.2 !"
+fi

  # DSA 2048 + TLS 1.0

  echo "Checking DSA-2048 with TLS 1.0"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
-  fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. 
Should have failed!"
+if eval ${CHECKPS} ; then

-kill %1
-wait
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 
2>&1 && \
+         fail "Succeeded connection to a server with DSA 2048 key and 
TLS 1.0. Should have failed!"
+
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-2048 with TLS 1.0 !"
+fi

  # DSA 2048 + TLS 1.2

  echo "Checking DSA-2048 with TLS 1.2"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
-  fail "Failed connection to a server with DSA 2048 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+         fail "Failed connection to a server with DSA 2048 key and TLS 
1.2!"

-kill %1
-wait
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-2048 with TLS 1.2 !"
+fi

  # DSA 3072 + TLS 1.0

  echo "Checking DSA-3072 with TLS 1.0"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
-  fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. 
Should have failed!"
+if eval ${CHECKPS} ; then
+
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 
2>&1 && \
+         fail "Succeeded connection to a server with DSA 2048 key and 
TLS 1.0. Should have failed!"
+
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-3072 with TLS 1.0 !"
+fi

-kill %1
-wait

  # DSA 3072 + TLS 1.2

  echo "Checking DSA-3072 with TLS 1.2"

  $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem >/dev/null 2>&1 &
+PROCESS=$!

  # give the server a chance to initialize
  sleep 2

-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
-  fail "Failed connection to a server with DSA 3072 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+       $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+         fail "Failed connection to a server with DSA 3072 key and TLS 
1.2!"
+
+       kill %1
+       wait
+else
+       fail "Unable to launch server DSA-3072 with TLS 1.2 !"
+fi

-kill %1
-wait

  exit 0
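Review bot: every block now records `PROCESS=$!` but still tears down with `kill %1`; `kill $PROCESS` would work with the builtin and with /bin/kill alike and would make the `enable`/`set -m` setup above unnecessary. The `jobs >&2` left in the DSA-1024/TLS 1.0 block is debugging output that leaks into the test log (it shows up as the `[1]+ Running ...` line in the final run). In the DSA-3072/TLS 1.0 block the failure message still says "DSA 2048 key", carried over from the original; since the hunk rewrites that line anyway, it could correct the key size.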




And then killed the still-running TLS server and relaunched the test suite:



     [root at pompomgalli] kill 5752

     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for `../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     [1]+  Running                 $SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 &
     Checking DSA-1024 with TLS 1.2
     Checking server DSA-1024 with client DSA-1024 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-3072 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking DSA-2048 with TLS 1.0
     Checking DSA-2048 with TLS 1.2
     Checking DSA-3072 with TLS 1.0
     Checking DSA-3072 with TLS 1.2
     PASS: testdsa
     =============
     1 test passed
     =============

     ...


Finally it's successful...

And this time, I have checked the gnutls commits page before sending this report :-)

Hope this will help, best regards, Cedric.





