[gnutls-devel] GnuTLS | OpenSSL backend and failures in cipher-api-test.c (#780)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Jun 5 11:10:17 CEST 2019



New Issue was created.

Issue 780: https://gitlab.com/gnutls/gnutls/issues/780
Author:    Jeffrey Walton
Assignees: 

## Description of problem:

Running `make check` fails when OpenSSL is the back-end.

## Version of gnutls used:

GnuTLS 3.6.8

## Distributor of gnutls

GnuTLS from 3.6.8 source tarball. Fetched from https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/.

Working on Fedora 29 x86_64 fully patched. OpenSSL was built from 1.0.2s source tarball.

## How reproducible:

This is very reproducible. It has been nagging me for the last couple of years.

I build GnuTLS with OpenSSL as the back-end. It is done for expediency because OpenSSL has few to no dependencies.

GnuTLS `make check` fails when using the OpenSSL back-end. The first failure is for the GCM tests in [`cipher-api-test.c`](https://github.com/gnutls/gnutls/blob/master/tests/slow/cipher-api-test.c). Nettle may not allow a second update of AAD data, but OpenSSL surely does.

This patch gets GnuTLS beyond the GCM failure:

```
--- tests/slow/cipher-api-test.c
+++ tests/slow/cipher-api-test.c
@@ -137,9 +144,15 @@
        if (ret < 0)
                fail("could not add auth data\n");

+#if defined(OPENSSL_VERSION_NUMBER)
+        ret = gnutls_cipher_add_auth(ch, data, 16);
+        if (ret < 0)
+                fail("failed in adding auth data after partial data were given\n");
+#else
        ret = gnutls_cipher_add_auth(ch, data, 16);
        if (ret >= 0)
-               fail("succeeded in adding auth data data after partial data were given\n");
+               fail("succeeded in adding auth data after partial data were given\n");
+#endif

        gnutls_cipher_deinit(ch);

```
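Review bot: the `#if defined(OPENSSL_VERSION_NUMBER)` guard around the second `gnutls_cipher_add_auth(ch, data, 16)` call depends on an OpenSSL header being included in this test file, which the hunk does not show. If the macro is not defined at this point, the `#else` branch is compiled silently and the test still expects the call to fail. A symbol that the GnuTLS build itself defines for the selected back-end would be a more reliable switch. The two branches also repeat the same call and assert opposite results, so consider making the call once, branching only on the check of `ret`, and adding a one-line comment saying why the expected result differs by back-end. The `data data` typo fix in the `#else` message is fine as is.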

There is a failure after the GCM fix. It seems to be related to the test named *"3des-cbc"* (last message printed). I have not been able to track it down beyond the *"child died with signal 11"*. I tried stepping it under GDB, but GDB refuses to follow the child. About all I can do is watch the child die under GDB.

This program may help in determining what OpenSSL can do: [test.c](/uploads/f560babf72c108674f47192fef88e86e/test.c). It creates an AES/GCM cipher, then inserts AAD, inserts AAD, inserts plaintext, inserts AAD. The third AAD insertion dies as expected.

It may be noteworthy that I do ***not*** configure with Nettle. Nettle is available, but I don't configure with it. I'm not sure if running Nettle tests is expected (or not).
