<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">Running <code>make check</code> fails when OpenSSL is the back-end.</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">GnuTLS 3.6.8</p>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls" class="anchor" href="#distributor-of-gnutls" aria-hidden="true"></a>Distributor of gnutls</h2>

<p dir="auto">GnuTLS from 3.6.8 source tarball. Fetched from <a href="https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/" rel="nofollow noreferrer noopener" target="_blank">https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/</a>.</p>

<p dir="auto">Working on Fedora 29 x86_64 fully patched. OpenSSL was built from 1.0.2s source tarball.</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">This is very reproducible. It has been nagging me for the last couple of years.</p>

<p dir="auto">I build GnuTLS with OpenSSL as the back-end. It is done for expediency because OpenSSL has few to no dependencies.</p>

<p dir="auto">GnuTLS <code>make check</code> fails when using the OpenSSL back-end. The first failure is for the GCM tests in <a href="https://github.com/gnutls/gnutls/blob/master/tests/slow/cipher-api-test.c" rel="nofollow noreferrer noopener" target="_blank"><code>cipher-api-test.c</code></a>. Nettle may not allow a second update of AAD data, but OpenSSL surely does.</p>

<p dir="auto">This patch gets GnuTLS beyond the GCM failure:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">--- tests/slow/cipher-api-test.c</span>

<span id="LC2" class="line" lang="plaintext">+++ tests/slow/cipher-api-test.c</span>

<span id="LC3" class="line" lang="plaintext">@@ -137,9 +144,15 @@</span>

<span id="LC4" class="line" lang="plaintext">        if (ret < 0)</span>

<span id="LC5" class="line" lang="plaintext">                fail("could not add auth data\n");</span>

<span id="LC6" class="line" lang="plaintext"></span>

<span id="LC7" class="line" lang="plaintext">+#if defined(OPENSSL_VERSION_NUMBER)</span>

<span id="LC8" class="line" lang="plaintext">+        ret = gnutls_cipher_add_auth(ch, data, 16);</span>

<span id="LC9" class="line" lang="plaintext">+        if (ret < 0)</span>

<span id="LC10" class="line" lang="plaintext">+                fail("failed in adding auth data after partial data were given\n");</span>

<span id="LC11" class="line" lang="plaintext">+#else</span>

<span id="LC12" class="line" lang="plaintext">        ret = gnutls_cipher_add_auth(ch, data, 16);</span>

<span id="LC13" class="line" lang="plaintext">        if (ret >= 0)</span>

<span id="LC14" class="line" lang="plaintext">-               fail("succeeded in adding auth data data after partial data were given\n");</span>

<span id="LC15" class="line" lang="plaintext">+               fail("succeeded in adding auth data after partial data were given\n");</span>

<span id="LC16" class="line" lang="plaintext">+#endif</span>

<span id="LC17" class="line" lang="plaintext"></span>

<span id="LC18" class="line" lang="plaintext">        gnutls_cipher_deinit(ch);</span>

<span id="LC19" class="line" lang="plaintext"></span></code></pre>

<p dir="auto">There is a failure after the GCM fix. It seems to be related to the test named <em>"3des-cbc"</em> (last message printed). I have not been able to track it down beyond the <em>"child died with signal 11"</em>. I tried stepping it under GDB, but GDB refuses to follow the child. About all I can do is watch the child die under GDB.</p>

<p dir="auto">This program may help in determining what OpenSSL can do: <a href="https://gitlab.com/gnutls/gnutls/uploads/f560babf72c108674f47192fef88e86e/test.c">test.c</a>. It creates a AES/GCM cipher, then inserts AAD, inserts AAD, inserts plaintext, inserts AAD. The third AAD insertion dies as expected.</p>

<p dir="auto">It may be noteworthy that I do <em><strong>not</strong></em> configure with Nettle. Nettle is available, but I don't configure with it. I'm not sure if running Nettle tests are expected (or not).</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/780">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/84e5914d8aeac4c56a7329fed25d2c48/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/780"}}</script>

</p>

</div>

</body>

</html>