OpenSSL backend and failures in cipher-api-test.c
Description of problem:
Running make check fails when OpenSSL is the back-end.
trying aes128-gcm
test_aead_cipher1:142: succeeded in adding auth data data after partial data were given
check_status:209: Child died with status 1
default cipher tests failed
FAIL test-ciphers-api.sh (exit status: 1)
Version of gnutls used:
GnuTLS 3.6.8
Distributor of gnutls
GnuTLS from 3.6.8 source tarball. Fetched from https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/.
Working on Fedora 29 x86_64 fully patched. OpenSSL was built from 1.0.2s source tarball.
How reproducible:
This is very reproducible. It has been nagging me for the last couple of years.
I build GnuTLS with OpenSSL as the back-end. It is done for expediency because OpenSSL has few to no dependencies.
GnuTLS make check fails when using the OpenSSL back-end. The first failure is for the GCM tests in cipher-api-test.c. Nettle may not allow a second update of AAD data, but OpenSSL surely does.
This patch gets GnuTLS beyond the GCM failure:
--- tests/slow/cipher-api-test.c
+++ tests/slow/cipher-api-test.c
@@ -137,9 +144,15 @@
if (ret < 0)
fail("could not add auth data\n");
+#if defined(OPENSSL_VERSION_NUMBER)
+ ret = gnutls_cipher_add_auth(ch, data, 16);
+ if (ret < 0)
+ fail("failed in adding auth data after partial data were given\n");
+#else
ret = gnutls_cipher_add_auth(ch, data, 16);
if (ret >= 0)
- fail("succeeded in adding auth data data after partial data were given\n");
+ fail("succeeded in adding auth data after partial data were given\n");
+#endif
gnutls_cipher_deinit(ch);
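Review bot: Both branches of the added "#if defined(OPENSSL_VERSION_NUMBER)" make the identical call gnutls_cipher_add_auth(ch, data, 16) and differ only in which sign of ret counts as a failure, so make the call once and put only the check under the conditional. The guard also relies on an OpenSSL header already being visible in this test file, which the hunk does not add; if the macro is not defined here the #else branch is compiled and the test keeps failing, so a macro set at configure time for the selected back-end would be more dependable. Because the test now accepts opposite results from the same public call, that back-end difference should be documented for gnutls_cipher_add_auth, and the "data data" message fix in the #else branch belongs in a separate change.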
There is a failure after the GCM fix. It seems to be related to the test named "3des-cbc" (last message printed). I have not been able to track it down beyond the "child died with signal 11". I tried stepping it under GDB, but GDB refuses to follow the child. About all I can do is watch the child die under GDB:
trying 3des-cbc
check_status:225: Child died with signal 11
default cipher tests failed
FAIL test-ciphers-api.sh (exit status: 1)
This program may help in determining what OpenSSL can do: test.c. It creates an AES/GCM cipher, then inserts AAD, inserts AAD, inserts plaintext, inserts AAD. The third AAD insertion dies as expected.
It may be noteworthy that I do not configure with Nettle. Nettle is available, but I don't configure with it. I'm not sure if running Nettle tests is expected (or not). Here is the full recipe to build GnuTLS.
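The two failures quoted in this report end differently: "status 1" is a child that exited after a failed check, while "signal 11" is a child killed by SIGSEGV, which is a crash rather than a test expectation. The following is an added example, not GnuTLS's harness code and not from the report; run_in_child() and the three test bodies are hypothetical stand-ins that show how a fork-based harness separates the two cases.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum child_end { CHILD_OK, CHILD_EXIT, CHILD_SIGNAL, CHILD_ERROR };

struct child_result {
    enum child_end how;
    int code;                       /* exit status or signal number */
};

/* Constructed stand-ins for the outcomes seen in the report. */
static void test_passes(void) { }
static void test_fails_check(void) { _exit(1); }   /* exits with status 1 */
static void test_crashes(void)
{
    signal(SIGSEGV, SIG_DFL);       /* make sure the default action applies */
    raise(SIGSEGV);                 /* child is killed by signal 11 on Linux */
}

/* Run one test in a forked child and classify how the child ended. */
static struct child_result run_in_child(void (*test)(void))
{
    struct child_result r = { CHILD_ERROR, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return r;
    if (pid == 0) {                 /* child: a test that returns has passed */
        test();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return r;
    if (WIFSIGNALED(status)) {      /* crash: no exit status exists */
        r.how = CHILD_SIGNAL;
        r.code = WTERMSIG(status);
    } else if (WIFEXITED(status)) { /* normal exit: 0 is pass, else failed check */
        r.code = WEXITSTATUS(status);
        r.how = r.code == 0 ? CHILD_OK : CHILD_EXIT;
    }
    return r;
}

int main(void)
{
    void (*tests[])(void) = { test_passes, test_fails_check, test_crashes };
    for (int i = 0; i < 3; i++) {
        struct child_result r = run_in_child(tests[i]);
        printf("test %d: how=%d code=%d\n", i, r.how, r.code);
    }
    return 0;
}
```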