[gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sun Jun 7 18:02:29 CEST 2020
Andreas Metzler commented:
I am not sure what the preferred way to fix this is. invalid-sig bundles multiple tests, none of which yet use datefudge. So I cannot simply do
~~~diff
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig
-${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
+check_for_datefudge
+datefudge -s 2020-01-01 \
+ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
~~~
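Review bot: placing `check_for_datefudge` in the middle of invalid-sig makes the helper's skip exit fire after the earlier signature checks in the same script have already run, so on a host without datefudge the whole script reports SKIP and the results of those earlier checks are lost, which is the concern raised above. Either gate only this one invocation (test for datefudge right before the `--verify-chain` call and skip just that case) or move the cve-2019-3829 check into its own script so that its skip status cannot mask the other tests.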
because then the test could show up as skipped, although most of the tests actually ran. Should I move it to a separate unit?
I also think that the script is buggy; it does not FAIL for many errors:
~~~shell
#check whether a different PKCS #1 signature than the advertized in certificate is tolerated
${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem"
rc=$?

# We're done.
if test "${rc}" = "0"; then
    echo "Verification of invalid signature (1) failed"
    exit ${rc}
fi
~~~
If certtool succeeds (although it should not) the test exits with exit code 0, i.e. PASS.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_356792928