Bug 771623 - test-suite failure after GnuTLS update to 3.5.4: ERROR:test-crypto.c:243:test_load_pkcs8: assertion failed: (nm_utils_file_is_private_key (path, NULL))
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: general
Version: 1.4.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
QA Contact: NetworkManager maintainer(s)
Blocks: nm-review
Reported: 2016-09-18 15:23 UTC by Michael Biebl
Modified: 2016-09-23 16:33 UTC
GNOME target: ---
GNOME version: ---


Attachments
backtrace (7.13 KB, text/plain)
2016-09-18 15:24 UTC, Michael Biebl
[PATCH] crypto: don't try to decrypt PKCS#8 key if no password is supplied (5.90 KB, patch)
2016-09-19 08:02 UTC, Beniamino Galvani

Description Michael Biebl 2016-09-18 15:23:40 UTC
The Debian package uses --with-crypto=gnutls.
After the upgrade from GnuTLS 3.5.3 to 3.5.4, the test-suite fails with the following error:

**
ERROR:test-crypto.c:243:test_load_pkcs8: assertion failed: (nm_utils_file_is_private_key (path, NULL))
# random seed: R02Sfc6db412d08a61a9941b3f4556e46f40
1..15
# Start of libnm tests
# Start of crypto tests
Aborted
# ERROR:test-crypto.c:243:test_load_pkcs8: assertion failed: (nm_utils_file_is_private_key (path, NULL))
ERROR: test-crypto - too few tests run (expected 15, got 0)
ERROR: test-crypto - exited with status 134 (terminated by signal 6?)

Attached is also a backtrace
Comment 1 Michael Biebl 2016-09-18 15:24:27 UTC
Created attachment 335808
backtrace
Comment 2 Michael Biebl 2016-09-18 17:20:00 UTC
I've asked our Debian GnuTLS maintainer and he ran git bisect to identify the relevant upstream change in GnuTLS.
The test started failing after commit 
https://gitlab.com/gnutls/gnutls/commit/b643e4fafa694695c67dacdda8cad5b7e588d5a7

pkcs8: added support for decryption with PBES1-DES-CBC-MD5

While this is a legacy (and insecure) cipher combination it is the
default output of openssl up until the 1.0.2 version. We introduce
this option to allow decrypting private keys from these versions of
openssl.
------------------

As additional information (with 3.5.4 including commit b643e4fafa694695c67dacdda8cad5b7e588d5a7)
certtool --p8-info --infile=/tmp/NETW/network-manager-1.4.0/libnm-core/tests/certs/pkcs8-enc-key.pem
PKCS #8 information:
        Cipher: DES-CBC
        Schema: PBES1-DES-CBC-MD5 (1.2.840.113549.1.5.3)
        Salt:
        Salt size: 0
        Iteration count: 2048

certtool with 3.5.3 (i.e. without b643e4fafa694695c67dacdda8cad5b7e588d5a7)
PKCS #8 information:
        Schema: unsupported (1.2.840.113549.1.5.3)


He concludes that this is probably something which needs to be addressed in NetworkManager.
Comment 3 Beniamino Galvani 2016-09-19 08:02:54 UTC
Created attachment 335844
[PATCH] crypto: don't try to decrypt PKCS#8 key if no password is supplied
Comment 4 Thomas Haller 2016-09-19 15:54:21 UTC
I don't understand why the change

-              if (crypto_verify_pkcs8 (tmp, is_encrypted, password, error))
+              if (!password || crypto_verify_pkcs8 (tmp, is_encrypted, 
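Review bot: on the + line, `!password ||` short-circuits, so with a NULL password the branch is taken without crypto_verify_pkcs8() ever looking at tmp, and nothing at the call site says why that is acceptable. A short comment above the condition stating that a NULL password means a format-only check (the nm_utils_file_is_private_key (path, NULL) case from the failing test) would make the intent explicit, and it is worth confirming that every caller passing NULL expects the key to be accepted unverified.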

is there. Could you comment on that?
Comment 5 Beniamino Galvani 2016-09-19 16:23:09 UTC
The function can be called with a NULL password only to check that the
key has a valid format but without actually decrypting it (for example
when it's called from nm_utils_file_is_private_key()). As done a few
lines above for the PKCS#12 case, if the password is NULL we shouldn't
try to verify it.
Comment 6 Michael Biebl 2016-09-21 23:11:30 UTC
Fwiw, the patch does fix the test-suite failure for me
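
The distinction drawn in Comment 5 (recognising a PKCS#8 encrypted key without decrypting it) and the scheme OID that certtool prints in Comment 2, as an added Python example; it is not NetworkManager or GnuTLS code. The function names and SAMPLE_PEM are constructed for illustration, and only the outer EncryptedPrivateKeyInfo structure is parsed.

```python
import base64
import re

PBES1_MD5_DES = "1.2.840.113549.1.5.3"  # scheme OID from the certtool output on this page
LABEL = "ENCRYPTED PRIVATE KEY"         # PEM label of a PKCS#8 EncryptedPrivateKeyInfo
PEM_RE = re.compile(f"-----BEGIN {LABEL}-----(.*?)-----END {LABEL}-----", re.S)

def read_tlv(buf, pos, want_tag):  # -> (value, next_pos); ValueError if malformed
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected or truncated DER element")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first byte packs the first two arcs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def pkcs8_encryption_scheme(pem_text):
    """Format check only: takes no password and decrypts nothing."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PKCS#8 encrypted private key block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    outer, end = read_tlv(der, 0, 0x30)     # EncryptedPrivateKeyInfo SEQUENCE
    alg, pos = read_tlv(outer, 0, 0x30)     # encryptionAlgorithm SEQUENCE
    data, pos = read_tlv(outer, pos, 0x04)  # encryptedData OCTET STRING
    oid, _ = read_tlv(alg, 0, 0x06)         # scheme OBJECT IDENTIFIER
    if end != len(der) or pos != len(outer) or not data or not oid:
        raise ValueError("trailing bytes, empty ciphertext or empty OID")
    scheme = decode_oid(oid)
    return scheme, scheme == PBES1_MD5_DES  # (OID, legacy PBES1-DES-CBC-MD5?)

def _tlv(tag, body):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body
# Constructed sample, not a real key: PBES1 OID, 8-byte salt, 2048 iterations, dummy data.
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010503"))
            + _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00")))
_B64 = base64.b64encode(_tlv(0x30, _ALG + _tlv(0x04, bytes(16)))).decode()
SAMPLE_PEM = f"-----BEGIN {LABEL}-----\n{_B64}\n-----END {LABEL}-----\n"
```

Calling pkcs8_encryption_scheme(SAMPLE_PEM) returns the OID together with a flag for the legacy PBES1-DES-CBC-MD5 scheme; any decryption with a password would be a separate step.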