<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">Running <code>make check</code> fails when OpenSSL is the back-end.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">GnuTLS 3.6.8</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls" class="anchor" href="#distributor-of-gnutls" aria-hidden="true"></a>Distributor of gnutls</h2>
<p dir="auto">GnuTLS from 3.6.8 source tarball. Fetched from <a href="https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/" rel="nofollow noreferrer noopener" target="_blank">https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/</a>.</p>
<p dir="auto">Working on Fedora 29 x86_64 fully patched. OpenSSL was built from 1.0.2s source tarball.</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">This is very reproducible. It has been nagging me for the last couple of years.</p>
<p dir="auto">I build GnuTLS with OpenSSL as the back-end. It is done for expediency because OpenSSL has few to no dependencies.</p>
<p dir="auto">GnuTLS <code>make check</code> fails when using the OpenSSL back-end. The first failure is for the GCM tests in <a href="https://github.com/gnutls/gnutls/blob/master/tests/slow/cipher-api-test.c" rel="nofollow noreferrer noopener" target="_blank"><code>cipher-api-test.c</code></a>. Nettle may not allow a second update of AAD data, but OpenSSL surely does.</p>
<p dir="auto">This patch gets GnuTLS beyond the GCM failure:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">--- tests/slow/cipher-api-test.c</span>
<span id="LC2" class="line" lang="plaintext">+++ tests/slow/cipher-api-test.c</span>
<span id="LC3" class="line" lang="plaintext">@@ -137,9 +144,15 @@</span>
<span id="LC4" class="line" lang="plaintext"> if (ret < 0)</span>
<span id="LC5" class="line" lang="plaintext"> fail("could not add auth data\n");</span>
<span id="LC6" class="line" lang="plaintext"></span>
<span id="LC7" class="line" lang="plaintext">+#if defined(OPENSSL_VERSION_NUMBER)</span>
<span id="LC8" class="line" lang="plaintext">+ ret = gnutls_cipher_add_auth(ch, data, 16);</span>
<span id="LC9" class="line" lang="plaintext">+ if (ret < 0)</span>
<span id="LC10" class="line" lang="plaintext">+ fail("failed in adding auth data after partial data were given\n");</span>
<span id="LC11" class="line" lang="plaintext">+#else</span>
<span id="LC12" class="line" lang="plaintext"> ret = gnutls_cipher_add_auth(ch, data, 16);</span>
<span id="LC13" class="line" lang="plaintext"> if (ret >= 0)</span>
<span id="LC14" class="line" lang="plaintext">- fail("succeeded in adding auth data data after partial data were given\n");</span>
<span id="LC15" class="line" lang="plaintext">+ fail("succeeded in adding auth data after partial data were given\n");</span>
<span id="LC16" class="line" lang="plaintext">+#endif</span>
<span id="LC17" class="line" lang="plaintext"></span>
<span id="LC18" class="line" lang="plaintext"> gnutls_cipher_deinit(ch);</span>
<span id="LC19" class="line" lang="plaintext"></span></code></pre>
<p dir="auto">There is a failure after the GCM fix. It seems to be related to the test named <em>"3des-cbc"</em> (last message printed). I have not been able to track it down beyond the <em>"child died with signal 11"</em>. I tried stepping it under GDB, but GDB refuses to follow the child. About all I can do is watch the child die under GDB.</p>
<p dir="auto">This program may help in determining what OpenSSL can do: <a href="https://gitlab.com/gnutls/gnutls/uploads/f560babf72c108674f47192fef88e86e/test.c">test.c</a>. It creates a AES/GCM cipher, then inserts AAD, inserts AAD, inserts plaintext, inserts AAD. The third AAD insertion dies as expected.</p>
<p dir="auto">It may be noteworthy that I do <em><strong>not</strong></em> configure with Nettle. Nettle is available, but I don't configure with it. I'm not sure if running Nettle tests are expected (or not).</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/780">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/84e5914d8aeac4c56a7329fed25d2c48/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/780"}}</script>
</p>
</div>
</body>
</html>