Re: GnuTLS 2.3.12 - second release candidate for 2.4.0

[Simon Josefsson]

"Nikos Mavrogiannopoulos" <address@hidden> writes:

> On Mon, Jun 9, 2008 at 12:57 AM, Daniel Kahn Gillmor
> <address@hidden> wrote:
>
>> It's not clear to me if you mean that this should be resolved in
>> 2.3.12, or after 2.3.12, Nikos.  It looks to me like it has *not* been
>> resolved in 2.3.12 yet.  In particular, it appears to fail open: when
>> one userid is verified, it treats them all as verified, even User IDs
>> that have no certifications other than self-signatures.
>
>> When i run the tests from
>> http://trac.gnutls.org/cgi-bin/trac.cgi/attachment/ticket/32/openpgp-certs.tgz
>> against the 2.3.12 packages in debian experimental, i get the
>> following output:
>
> Hello Daniel!
>  I was talking about a recent commit in the git repository. I've also
> modified your tests to check the gnutls behaviour (as it is now both
> of your tests should fail). The new behaviour is to consider not
> verified all openpgp keys that have at least one unsigned by a trusted
> party user id.

Nikos, the self-test doesn't seem to work, see below.

/Simon

make[1]: Entering directory `/home/jas/src/gnutls/tests/openpgp-certs'
+ srcdir=.
+ SERV='../../src/gnutls-serv -q'
+ CLI=../../src/gnutls-cli
+ unset RETCODE
+ echo 'Checking OpenPGP certificate verification'
Checking OpenPGP certificate verification
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile 
./srv-public-127.0.0.1-signed.gpg --pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ ../../src/gnutls-cli -p 5556 localhost --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile 
./srv-public-localhost-signed.gpg --pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ echo
+ ../../src/gnutls-cli -p 5556 127.0.0.1 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ ../../src/gnutls-serv -q -p 5556 --pgpcertfile ./srv-public-all-signed.gpg 
--pgpkeyfile ./srv-secret.gpg
+ sleep 2
+ echo
+ ../../src/gnutls-cli -p 5556 127.0.0.1 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ fail 'Connection to signed PGP certificate should have succeeded! (error code 
1)' 1
+ echo 'Failure: Connection to signed PGP certificate should have succeeded! 
(error code 1)'
Failure: Connection to signed PGP certificate should have succeeded! (error 
code 1)
+ RETCODE=1
+ ../../src/gnutls-cli -p 5556 127.0.0.2 --pgpkeyring ./ca-public.gpg
*** Fatal error: A TLS fatal alert has been received.
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
+ kill %1
+ wait
+ exit 1
FAIL: testcerts
===================================
1 of 1 tests failed
Please report to address@hidden
===================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory `/home/jas/src/gnutls/tests/openpgp-certs'
make: *** [check-am] Error 2
address@hidden:~/src/gnutls/tests/openpgp-certs$