[gnutls-devel] GnuTLS | Regression in 3.6 when built with mingw (#751)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Apr 10 14:35:36 CEST 2019



New Issue was created.

Issue 751: https://gitlab.com/gnutls/gnutls/issues/751
Author:    J_ Ali Harlow
Assignee:  

## Description of problem:
gnutls-cli v3.6.7.1 fails when built using mingw (works with v3.5.19)

## Version of gnutls used:
3.6.7.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built locally

## How reproducible:

Steps to Reproduce:

 * Build gnutls using spec file attached
 * Run gnutls-cli -d 3 www.google.co.uk

## Actual results:
Processed 0 CA certificate(s).
Resolving 'www.google.co.uk:443'...
Connecting to '216.58.212.99:443'...
|<2>| Initializing needed PKCS #11 modules
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<3>| ASSERT: ../../lib/pkcs11.c[find_multi_objs_cb]:3101
|<2>| added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<2>| Advertizing version 3.2
|<2>| Advertizing version 3.1
|<2>| HSK[0000000000530320]: sent server name: 'www.google.co.uk'
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_writev_emu]:464
|<2>| WRITE: -1 returned from 000000000022eae0, errno: 0
|<3>| ASSERT: ../../lib/buffers.c[errno_to_gerr]:230
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2973
*** Fatal error: Error in the push function.
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_writev_emu]:464
|<2>| WRITE: -1 returned from 000000000022eae0, errno: 0
|<3>| ASSERT: ../../lib/buffers.c[errno_to_gerr]:230
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: ../../lib/record.c[_gnutls_send_tlen_int]:574
Could not connect to 216.58.212.99:443: Bad file descriptor


## Expected results:
Processed 0 CA certificate(s).
Resolving 'www.google.co.uk'...
Connecting to '216.58.206.67:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Mountain View,O=Google
LLC,CN=www.google.co.uk', issuer `C=US,O=Google Trust Services,CN=Google
Internet Authority G3', RSA key 2048 bits, signed using RSA-SHA256, activated
`2019-03-01 09:34:53 UTC', expires `2019-05-24 09:25:00 UTC', SHA-1 fingerprint
`9da50c1e55eac98d35f2fdd72cdb1f75d21c25cd'
        Public Key ID:
                e0128e3442a67b393f7f59a6648bd67cf087fd13
        Public key's random art:
                +--[ RSA 2048]----+
                | o               |
                |+                |
                |o o . .          |
                | + = o .         |
                |. = o . S        |
                | . o .  + o   E  |
                |    o  * O o   . |
                |     oo B + o .  |
                |     ... . . ... |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=Google Trust Services,CN=Google Internet Authority G3',
issuer `OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign', RSA key 2048
bits, signed using RSA-SHA256, activated `2017-06-15 00:00:42 UTC', expires
`2021-12-15 00:00:42 UTC', SHA-1 fingerprint
`eeacbd0cb452819577911e1e6203db262f84a318'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.


## Analysis
See attached debug session and note in particular the value of hd passed to socket_open2() and the value of fd passed to _gnutls_writev_emu(). Clearly the correct value of fd should be hd->fd rather than hd itself, but I don't know enough about the internals of gnutls to hazard a guess as to where this should be occurring.

 * [mingw-gnutls.spec](/uploads/1d8457da791daeb7447f9635c0ed4c2c/mingw-gnutls.spec)
 * [gnutls.typescript](/uploads/88bd736c65168b279078badaff765afb/gnutls.typescript)
 * [debug-session.txt](/uploads/1b9d5f8b6ef0c250972c98a787fdd3b3/debug-session.txt)

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/751
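
The mix-up the Analysis section describes (the handle `hd` reaching the write path where `hd->fd` was expected), shown as an added example that is not GnuTLS code and not part of the original report. `socket_st`, `default_push` and the `register_*` helpers are hypothetical stand-ins, and a POSIX pipe replaces the TCP socket.

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>

/* Hypothetical stand-ins: socket_st mimics the "hd" handle from the report,
 * transport_ptr_t mimics an opaque transport pointer kept by a TLS session. */
typedef struct { int fd; int secure; } socket_st;
typedef void *transport_ptr_t;

/* Default push callback: interprets the opaque pointer as an integer fd. */
static ssize_t default_push(transport_ptr_t ptr, const void *buf, size_t len)
{
    return write((int)(intptr_t)ptr, buf, len);
}

/* Wrong: registers the handle's address, so push sees pointer bits as an fd. */
static transport_ptr_t register_wrong(socket_st *hd)
{
    return (transport_ptr_t)hd;
}

/* Right: registers the descriptor stored inside the handle. */
static transport_ptr_t register_right(socket_st *hd)
{
    return (transport_ptr_t)(intptr_t)hd->fd;
}

/* Returns 0 on success, otherwise the errno left by the failed write. */
static int try_send(transport_ptr_t ptr)
{
    static const char hello[] = "client hello"; /* constructed payload */
    errno = 0;
    if (default_push(ptr, hello, sizeof hello) == (ssize_t)sizeof hello)
        return 0;
    return errno ? errno : -1;
}

/* Tries both registrations against one pipe: out[0] = wrong, out[1] = right. */
int demo(int out[2])
{
    int p[2];
    socket_st hd;
    if (pipe(p) != 0) return -1;
    hd.fd = p[1]; hd.secure = 0;
    out[0] = try_send(register_wrong(&hd));
    out[1] = try_send(register_right(&hd));
    close(p[0]); close(p[1]);
    return 0;
}

int main(void) { int out[2]; return demo(out) != 0 || out[0] != EBADF || out[1] != 0; }
```

The wrong registration fails with `EBADF`, the same "Bad file descriptor" text that ends the failing `gnutls-cli` run above.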