Not sure if it could be considered as a bug, concern the tests suite, let you see

gmail arbogast.cedric at gmail.com
Tue Mar 29 01:02:04 CEST 2011


Hello,

I have applied the "bourne shell compatible" patch and launched the test 
suite; it's successful on my build:

     [root at pompomgalli] make check

     ...
     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     Checking DSA-1024 with TLS 1.2
     Checking server DSA-1024 with client DSA-1024 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-3072 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking DSA-2048 with TLS 1.0
     Checking DSA-2048 with TLS 1.2
     Checking DSA-3072 with TLS 1.0
     Checking DSA-3072 with TLS 1.2
     PASS: testdsa
     =============
     1 test passed
     =============


I then launched a daemon on port 5559 with the goal of preventing the TLS 
server launch, to check how the test deals with a potential launch failure:

     [root at pompomgalli] sshd -p 5559

     [root at pompomgalli] netstat -pan | grep 5559
      tcp        0      0 0.0.0.0:5559            
0.0.0.0:*               LISTEN      5348/sshd

     [root at pompomgalli] make check

     ...
     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     *** Fatal error: An unexpected TLS packet was received.
     *** Handshake has failed
     GnuTLS error: An unexpected TLS packet was received.
     Failure: Failed connection to a server with DSA 1024 key and TLS 1.0!
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================


The test correctly fails, but without mentioning that the TLS server launch 
has failed. To show how this could be confusing, checking again with a 
forced TLS 1.0 server:


     [root at pompomgalli] kill 5438

     [root at pompomgalli] src/gnutls-serv -d 9 -p 5559 --priority 
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
../gnutls-2.12.0/tests/dsa/cert.dsa.1024.pem --x509keyfile 
../gnutls-2.12.0/tests/dsa/dsa.1024.pem >/dev/null 2>&1 &

     [1] 7091

     [root at pompomgalli] netstat -pan | grep 5559
     tcp        0      0 0.0.0.0:5559            0.0.0.0:*               
LISTEN      7091/lt-gnutls-serv

     [root at pompomgalli] make check

     ...
     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     ../../../gnutls-2.12.0/tests/dsa/testdsa: line 68: kill: (8793) - 
No such process
     Checking DSA-1024 with TLS 1.2
     Checking server DSA-1024 with client DSA-1024 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     *** Fatal error: The given DSA key is incompatible with the 
selected TLS protocol.
     *** Handshake has failed
     GnuTLS error: The given DSA key is incompatible with the selected 
TLS protocol.
     Failure: Failed connection to a server with a client DSA 2048 key 
and TLS 1.2!
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================



The test correctly fails; the "./../../gnutls-2.12.0/tests/dsa/testdsa: 
line 68: kill: (8793) - No such process" gives some hints about the real 
issue, but the "incompatible DSA key" messages could lead one to 
misunderstand it.

Perhaps this is not worth any effort, but what do you think about 
this (normally bourne compatible) patch:



--- tests/dsa/testdsa.man       2011-03-29 00:33:24.000000000 +0200
+++ tests/dsa/testdsa.cea       2011-03-29 00:27:21.000000000 +0200
@@ -32,13 +32,31 @@
     exit 1
  }

+
+launch_server() {
+       PARENT=$1;
+       shift;
+       $SERV $DEBUG -p $PORT $* >/dev/null 2>&1 &
+       LOCALPID="$!";
+       trap "[ ! -z \"${LOCALPID}\" ] && kill ${LOCALPID};" 15
+       wait "${LOCALPID}"
+       LOCALRET="$?"
+       if [ "${LOCALRET}" != "0" -a "${LOCALRET}" != "143" ] ; then
+               # Houston, we'v got a problem...
+               echo "Failed to launch a gnutls-serv server !"
+               kill -10 ${PARENT}
+       fi
+}
+
+trap "fail \"Failed to launch a gnutls-serv server, aborting dsatest... 
\"" 10
+
  echo "Checking various DSA key sizes"

  # DSA 1024 + TLS 1.0

  echo "Checking DSA-1024 with TLS 1.0"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
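
Review bot: "kill -10 ${PARENT}" in launch_server and the matching "trap ... 10" use a raw signal number, which is SIGUSR1 only on some platforms; for a script meant to run under any Bourne shell, name the signal instead (kill -s USR1, trap ... USR1). In the same function "$*" re-splits the arguments, so a $srcdir containing a space would break the certificate paths; "$@" in double quotes preserves them. The LOCALRET test also treats every non-zero status other than 143 as a launch failure, so a server stopped later by any signal other than TERM would abort the run with the "Failed to launch" message; a comment stating that assumption would help.
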
@@ -72,7 +90,7 @@

  echo "Checking DSA-1024 with TLS 1.2"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile 
$srcdir/dsa.1024.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
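
Review bot: with "launch_server $$ ... & PID=$!", PID is now the backgrounded launch_server wrapper rather than gnutls-serv, so the following trap "kill $PID" 1 15 2 only stops the server if the wrapper's own trap on 15 is already installed. A TERM arriving between the "$SERV ... &" line and the trap line inside launch_server kills the wrapper and leaves the server holding $PORT for the checks that follow. Installing that trap before the server is started, single-quoted so LOCALPID is expanded when it fires, closes the window.
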
@@ -107,7 +125,7 @@

  echo "Checking DSA-2048 with TLS 1.0"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
@@ -123,7 +141,7 @@

  echo "Checking DSA-2048 with TLS 1.2"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile 
$srcdir/dsa.2048.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
@@ -139,7 +157,7 @@

  echo "Checking DSA-3072 with TLS 1.0"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
@@ -155,7 +173,7 @@

  echo "Checking DSA-3072 with TLS 1.2"

-$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem >/dev/null 2>&1 & PID=$!
+launch_server $$  --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile 
$srcdir/dsa.3072.pem & PID=$!
  trap "kill $PID" 1 15 2

  # give the server a chance to initialize
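
Review bot: this is the sixth call site changed in the same way, and each one still repeats the full --priority/--x509certfile/--x509keyfile command line followed by the same trap "kill $PID" 1 15 2, differing only in the TLS version and the key size. Letting launch_server take the version and key size as arguments and build the command line itself would keep the six sites from drifting apart and would put the PID bookkeeping in one place.
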





The testdsa script aborts properly with a gnutls TLS 1.0 server occupying 
port 5559:

     [root at pompomgalli] netstat -pan | grep 5559
     tcp        0      0 0.0.0.0:5559            0.0.0.0:*               
LISTEN      7091/lt-gnutls-serv

     [root at pompomgalli] make check

     ...
     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Failed to launch a gnutls-serv server !
     Failure: Failed to launch a gnutls-serv server, aborting dsatest...
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================


It aborts properly too with something on port 5559 or if the TLS server 
can't start for any reason:

     [root at pompomgalli] kill 7091

     [root at pompomgalli] sshd -p 5559

     [root at pompomgalli] netstat -pan | grep 5559
     tcp        0      0 0.0.0.0:5559            0.0.0.0:*               
LISTEN      25080/sshd

     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Failed to launch a gnutls-serv server !
     Failure: Failed to launch a gnutls-serv server, aborting dsatest...
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================

     [root at pompomgalli] kill 25080

     [root at pompomgalli] netstat -pan | grep 5559

     [root at pompomgalli] echo "exit 1;" > src/gnutls-serv

     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Failed to launch a gnutls-serv server !
     Failure: Failed to launch a gnutls-serv server, aborting dsatest...
     FAIL: testdsa
     ===================================
     1 of 1 test failed
     Please report to bug-gnutls at gnu.org
     ===================================


And if all is OK, testdsa is successful:

     [root at pompomgalli] rm src/gnutls-serv

     [root at pompomgalli] make check

     ...

     make[3]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     make[2]: Leaving directory 
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
     Making check in dsa
     make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  testdsa
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make[3]: Nothing to be done for 
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
     make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     make  check-TESTS
     make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
     Checking various DSA key sizes
     Checking DSA-1024 with TLS 1.0
     Checking server DSA-1024 with client DSA-1024 and TLS 1.0
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.0
     Checking server DSA-1024 with client DSA-3072 and TLS 1.0
     Checking DSA-1024 with TLS 1.2
     Checking server DSA-1024 with client DSA-1024 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-2048 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking server DSA-1024 with client DSA-3072 and TLS 1.2
     Processed 1 client certificates...
     Processed 1 client X.509 certificates...
     Checking DSA-2048 with TLS 1.0
     Checking DSA-2048 with TLS 1.2
     Checking DSA-3072 with TLS 1.0
     Checking DSA-3072 with TLS 1.2
     PASS: testdsa
     =============
     1 test passed
     =============


If you think it's worth the effort, I can launch the test suite with a 
"pure" bourne shell.


Best regards, Cédric.


On 28/03/2011 21:36, Nikos Mavrogiannopoulos wrote:
> On 03/27/2011 07:13 PM, gmail wrote:
>> Hello,
>>
>> I have build gnutls-2.12.0 in a chroot jail (gcc 4.5.2/libc
>> 2.13/binutils 2.21/make 3.82) on an athlon architecture as root and got
>> the following trouble with dsatest:
> Hello thank you for reporting and investigating that. I've fixed it
> similarly to your proposal, but in a different way. I've committed
> the fix at:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=2df3b9d72f283d6a52b1625465a9d1b07cd8d0c3
> that should make the whole test bourne compatible. I hope
> this will result in more systems being able to run those
> tests with fewer issues.
>
>
> best regards,
> Nikos
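
An alternative to signalling the parent, shown as an added example that is not part of this thread or of the GnuTLS test suite: start the server, wait a grace period, and confirm the process is still alive before any client check runs, so a failed launch is reported as such instead of as a TLS error. The names launch_checked, SERVER_PID and SERVER_RC are hypothetical.

```shell
# Added example; launch_checked, SERVER_PID and SERVER_RC are
# hypothetical names, not part of the GnuTLS test suite.
#
# usage: launch_checked GRACE_SECONDS command [args...]
# Starts the command in the background and returns 0 only if it is
# still running after the grace period. On failure SERVER_RC holds the
# command's exit status and SERVER_PID is emptied.
launch_checked() {
    grace=$1
    shift
    "$@" >/dev/null 2>&1 &      # "$@" keeps arguments with spaces intact
    SERVER_PID=$!
    SERVER_RC=0
    sleep "$grace"              # the shell reaps an exited child meanwhile
    if kill -0 "$SERVER_PID" 2>/dev/null; then
        return 0                # still running after the grace period
    fi
    wait "$SERVER_PID" || SERVER_RC=$?   # collect the real exit status
    echo "server failed to start (exit status $SERVER_RC): $*" >&2
    SERVER_PID=
    return 1
}
```

This only proves the process survived the grace period, not that it is accepting connections; a server that exits because the port is already bound is the case it catches.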




