[gnutls-devel] GnuTLS | Fix cipher-openssl-compat failing with LibreSSL (!846)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Dec 26 14:49:58 CET 2018 

Update - LibreSSL portable dev already sent patch to OpenBSD list that fixes the AES CCM tests. The ChaCha20-poly1305 will take more work on their part.

So with the patch their dev sent to their mailing list applied, the following modification (the second part of patch) to the PR works:

    diff -ur gnutls-3.6.5.orig/tests/slow/cipher-openssl-compat.c gnutls-3.6.5/tests/slow/cipher-openssl-compat.c
    --- gnutls-3.6.5.orig/tests/slow/cipher-openssl-compat.c	2018-03-22 00:56:48.000000000 -0700
    +++ gnutls-3.6.5/tests/slow/cipher-openssl-compat.c	2018-12-26 05:26:10.916608565 -0800
    @@ -98,7 +98,6 @@
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     		if (gcipher == GNUTLS_CIPHER_AES_128_CCM
     		    || gcipher == GNUTLS_CIPHER_AES_256_CCM) {
    -			assert(EVP_CIPHER_CTX_init(ctx)==1);
     			assert(EVP_CipherInit_ex(ctx, evp_cipher, 0, 0, 0, 0) >
     			       0);
     
    @@ -190,9 +189,11 @@
     	cipher_test("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM, 16);
     	cipher_test("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM, 16);
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
    +# if !defined (LIBRESSL_VERSION_NUMBER)
     	if (!gnutls_fips140_mode_enabled()) {
     		cipher_test("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305, 16);
     	}
    +# endif
     	cipher_test("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM, 16);
     	cipher_test("aes-256-ccm", GNUTLS_CIPHER_AES_256_CCM, 16);
     #endif

My guess is the fix for AES CCM will be in next LibreSSL but I don't know when it will be released.
I'm going to retract !845 because this PR fixes the fixable issue the right way.

Whether you want to add LibreSSL specific fix to second issue or just wait for the chacha20-poly1305 to be added to their EVP (it sounds like it will) and deal w/ occasional people reporting test failures with LibreSSL I don't have an opinion on what is best, either is fine by me.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/846#note_127317115
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181226/3a276609/attachment.html>

More information about the Gnutls-devel mailing list