[gnutls-devel] GnuTLS | cve-2019-3829 testcase does not trigger error (#1021)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Jun 7 18:02:29 CEST 2020

Andreas Metzler commented:

I am not sure on what is the preferred way to fix this. invalid-sigs bundles multiple test, none of which yet use datefudge. So I cannot simply do
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig
-${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
+datefudge -s 2020-01-01 \
+       ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem"
because then the test could show up as skipped, although most of the tests actually ran. Should I move it to a separate unit?

I also think that the script is buggy, it does not FAIL for many errors:
#check whether a different PKCS #1 signature than the advertized in certificate is tolerated
${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem"

# We're done.
if test "${rc}" = "0"; then
	echo "Verification of invalid signature (1) failed"
	exit ${rc}
If certtool succeeds (although it should not) the test exits with exitcode 0, i.e. PASS.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1021#note_356792928
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200607/11a47750/attachment.html>

More information about the Gnutls-devel mailing list