Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 263589 - dev-libs/libgcrypt-1.4.4 breaks SVN (AES-128 test encryption failed - Bad record MAC)
Summary: dev-libs/libgcrypt-1.4.4 breaks SVN (AES-128 test encryption failed - Bad rec...
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High major
Assignee: Crypto team [DISABLED]
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-24 11:53 UTC by Thierry De Leeuw
Modified: 2010-01-28 22:03 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge.info,3.78 KB, text/plain)
2009-03-28 14:02 UTC, jackieku
Details
emerge --info (emerge.info,3.42 KB, text/plain)
2009-03-28 14:41 UTC, Daniele Boffi
Details
emerge --info (bar,3.11 KB, text/plain)
2009-03-28 15:39 UTC, T Chan
Details
make check (make-check,5.21 KB, text/plain)
2009-03-28 16:02 UTC, T Chan
Details
emerge --info (emergeinfo.txt,4.03 KB, text/plain)
2009-04-01 14:05 UTC, justXi
Details
emerge ---info (ebuild.txt,3.60 KB, text/plain)
2009-04-03 04:30 UTC, Rob Gilreath
Details
libgcrypt-1.4.4-r1 ebuild patch (libgcrypt-1.4.4-r1.ebuild.patch,340 bytes, patch)
2009-09-30 13:51 UTC, mephinet
Details | Diff
emerge --info (emerge.info,4.43 KB, text/plain)
2009-09-30 13:52 UTC, mephinet
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry De Leeuw 2009-03-24 11:53:01 UTC
Updated my system to libgcrypt-1.4.4 and as of then SVN 1.5.5 stopped working.
Attempt connections to my repository fail with error:

AES-128 test encryption failed.
svnsync: OPTIONS of 'https://<<MySVNServer>>/blablabla': SSL negotiation failed: SSL alert received: Bad record MAC

Rolling back to libgcrypt-1.4.0-r1 solved the issue

If you need more info do not hesitate to ask.

Best regards,

Thierry
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-03-24 11:56:35 UTC
Could you test dev-libs/libgcrypt-1.4.4 + net-libs/gnutls-2.6.4?
Comment 2 Thierry De Leeuw 2009-03-24 15:05:54 UTC
Tried with emerge -u =net-libs/gnutls-2.6.4 and dev-libs/libgcrypt-1.4.4, problem reoccurs (even after recompile of SVN)
Comment 3 Daniele Boffi 2009-03-25 09:59:11 UTC
For me libgcrypt-1.4.4 breaks gnupg with the same error about AES-128 test. Downgraded to libgcrypt-1.4.0-r1 and everything resumed working OK. Should I open a new bug against gnupg? I guess not.
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-03-25 13:49:42 UTC
Nobody reported this bug before stabilization of dev-libs/libgcrypt-1.4.4, so it might be caused by combination of newer libgcrypt and older some other packages.

(In reply to comment #1)
> Could you test dev-libs/libgcrypt-1.4.4 + net-libs/gnutls-2.6.4?

Also test with dev-libs/libksba-1.0.5 and dev-libs/libassuan-1.0.5.
Comment 5 gtlinuxman 2009-03-25 15:11:43 UTC
>> Comment  #3 From Daniele Boffi  2009-03-25 09:59:11 0000
>> For me libgcrypt-1.4.4 breaks gnupg with the same error about AES-128 test.

% cat /etc/portage/env/dev-libs/libgcrypt
CFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="$CFLAGS"

just downgrade your cflags to -O2
Comment 6 Daniele Boffi 2009-03-25 16:01:38 UTC
(In reply to comment #5)

> just downgrade your cflags to -O2

This fixes it for me. Thanks a lot!
Comment 7 jackieku 2009-03-27 06:28:36 UTC
Some situation here, downgrade to -O2 fix it.

Comment 8 echtler 2009-03-28 10:28:23 UTC
I can confirm this bug and also that it's fixed by CFLAGS=-O2. It also affects wpa_supplicant when connecting to an AES-encrypted WPA2 WLAN. Maybe the ebuild should filter "-O3"?
Comment 9 Christian Schaas 2009-03-28 11:23:05 UTC
Same problems here with following programms:

Pidgin-2.5.5 with USE-Flag gnutls - Error on tls connections: handshake failed
Pidgin-otr-3.1.0 give allways: Selftest failed

-O2 for libgcrypt-1.4.4 fixed all issues for me too.
Comment 10 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-03-28 13:38:29 UTC
On my amd64 system libgcrypt works when built with '-march=core2 -O3 ...'.

People, who can reproduce this bug, please post the output of `emerge --info`.
Comment 11 jackieku 2009-03-28 14:02:05 UTC
Created attachment 186545 [details]
emerge --info
Comment 12 jackieku 2009-03-28 14:05:10 UTC
I think it is broken in x86, and affects any package using gcrypt. I can confirm this problem with gnutls (gnutls-cli).
Comment 13 Daniele Boffi 2009-03-28 14:41:31 UTC
Created attachment 186552 [details]
emerge --info
Comment 14 T Chan 2009-03-28 15:39:52 UTC
Created attachment 186559 [details]
emerge --info

Fails make check (details to follow)
Comment 15 T Chan 2009-03-28 16:02:42 UTC
Created attachment 186566 [details]
make check

Fails "make check". The segfault (/bin/sh: line 4: 27025 Segmentation fault      ${dir}$tst) is somewhat worrying.

Succeeds with -O2. GCC bug?
Comment 16 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-03-28 16:07:36 UTC
Could you test libgcrypt built with =sys-devel/gcc-4.3*?
Comment 17 jackieku 2009-03-30 09:46:55 UTC
I used sys-devel/gcc-4.3.3-r2 to build dev-libs/libgcrypt-1.4.4 with -O3 on x86. It works fine.
Comment 18 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-03-30 11:49:41 UTC
(In reply to comment #17)
> I used sys-devel/gcc-4.3.3-r2 to build dev-libs/libgcrypt-1.4.4 with -O3 on
> x86. It works fine.

Maybe gcc-4.1.2 produces invalid code during compilation of libgcrypt. CC-ing toolchain for advice.
Comment 19 Toralf Förster gentoo-dev 2009-03-30 12:27:10 UTC
(In reply to comment #17)
> I used sys-devel/gcc-4.3.3-r2 to build dev-libs/libgcrypt-1.4.4 with -O3 on
> x86. It works fine.
> 

Did you test it w/ 4.3.2 too (b/c that version goes stable soon)
Comment 20 jackieku 2009-03-30 14:29:25 UTC
(In reply to comment #19)
> Did you test it w/ 4.3.2 too (b/c that version goes stable soon)
Retried with gcc-4.3.2-r3, it also works.
Comment 21 Christian Schaas 2009-03-30 17:38:09 UTC
(In reply to comment #16)
> Could you test libgcrypt built with =sys-devel/gcc-4.3*?
> 

I tested it with gcc-4.3.3-r2 and gcc-4.3.2-r3 and with this two versions there are no problems with -O3 flag on libgcrypt.

Perhaps gcc bug?
Comment 22 SpanKY gentoo-dev 2009-03-30 20:33:57 UTC
i would add something to the ebuild along the lines of:
[[ $(tc-arch) == x86 && $(gcc-version) == 4.1 ]] && replace-flags -O3 -O2 #263589

we add flag filters for current stable gcc versions ... while we are looking at stabilizing 4.3.2 soonish, this flag filter cant hurt

may want to revbump as well ...
Comment 23 justXi 2009-04-01 14:05:56 UTC
Created attachment 186985 [details]
emerge --info

switching to "-02" and emerge libgcrypt work here too.
Comment 24 Rob Gilreath 2009-04-03 04:30:15 UTC
Created attachment 187153 [details]
emerge ---info

also breaks vpnc when connecting to AES encrypted VPN

switching to -O2 on libgcrypt and recompiling vpnc fixes issue
Comment 25 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-04-05 05:41:28 UTC
Fixed.
Comment 26 Steven Elling 2009-06-13 20:56:03 UTC
This problem is specifically caused by '-finline-functions'.

I'm running x86_64 with CFLAGS set to '-O2 -march=nocona -finline-functions -mmmx -msse -msse2 -msse3 -mfpmath=sse -w -pipe'

I removed '-finline-functions' and rebuilt 'libgcrypt-1.4.4' to fix the problem.
Comment 27 Cristian Tarsoaga 2009-08-06 12:58:31 UTC
Problem still exists in the latest ebuild for libgcrypt 1.4.4

I am running an amd64 with CFLAGS="-march=nocona -O3 -pipe -fomit-frame-pointer"

I do NOT use -finline-functions and I still have the problem.

I use gcc 4.3.2-r3 p1.6

The problem dissapears if I use -O2. 

The current ebuild only fixes/solves the problem for x86 architecture!!!
Comment 28 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-06 13:26:22 UTC
I can't reproduce this bug on amd64.
Comment 29 Cristian Tarsoaga 2009-08-06 13:28:38 UTC
I can. 
All the attempts to decrypt a message fail with this error: "Selftest failed"

Comment 30 Cristian Tarsoaga 2009-08-10 16:11:00 UTC
this is NOT
RESOLVED FIXED

for x86_64 (gcc 4.3)
in 1.4.4's ebuild
Comment 31 mephinet 2009-09-30 13:50:55 UTC
This bug is also not fixed for me, on amd64.
When starting pidgin:
AES-128 test encryption failed.
I guess that following line in the ebuild:
	[[ $(tc-arch) == x86 && $(gcc-version) == 4.1 ]] && replace-flags -O3 -O2
should also include amd64.
Comment 32 mephinet 2009-09-30 13:51:31 UTC
Created attachment 205672 [details, diff]
libgcrypt-1.4.4-r1 ebuild patch
Comment 33 mephinet 2009-09-30 13:52:11 UTC
Created attachment 205674 [details]
emerge --info
Comment 34 mephinet 2009-09-30 13:53:18 UTC
The patched ebuild works for me.
Comment 35 Cristian Tarsoaga 2009-10-02 09:23:05 UTC
Hi mephinet, I think this will solve the problem for amd64 AND gcc 4.1

But I have this problem on amd64 using gcc 4.3

So, shouldn't you just test for amd64 in the ebuild?

  chris

(In reply to comment #31)
> This bug is also not fixed for me, on amd64.
> When starting pidgin:
> AES-128 test encryption failed.
> I guess that following line in the ebuild:
>         [[ $(tc-arch) == x86 && $(gcc-version) == 4.1 ]] && replace-flags -O3
> -O2
> should also include amd64.
> 

Comment 36 mephinet 2009-10-02 12:26:14 UTC
(In reply to comment #35)
> But I have this problem on amd64 using gcc 4.3

I haven't test this on gcc 4.3 - but if the problem occurs there, too, sure, this should be filtered as well...
Comment 37 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-10-02 13:23:20 UTC
(In reply to comment #35)

The problem doesn't occur for me on amd64 with GCC 4.3.
Comment 38 Manuel Hartl 2010-01-28 22:03:54 UTC
-O3 failes too on gcc4.3.3 / x86(32bit).
-O2 works.

will this be fixed in the ebuild?