diff --git a/glib2.spec b/glib2.spec index 2dd161c..6d58b51 100644 --- a/glib2.spec +++ b/glib2.spec @@ -41,6 +41,7 @@ BuildRequires: /usr/bin/update-desktop-database # For gnutls-hmac.patch. We now dlopen libgnutls.so.30 so that we can build a # static glib2 without depending on a static build of GnuTLS as well. This will # ensure we notice if the GnuTLS soname bumps, so that we can update our patch. +BuildRequires: gnutls %if 0%{?__isa_bits} == 64 Requires: libgnutls.so.30()(64bit) %else diff --git a/gnutls-hmac.patch b/gnutls-hmac.patch index 52681f2..e9c9b0d 100644 --- a/gnutls-hmac.patch +++ b/gnutls-hmac.patch @@ -1,4 +1,4 @@ -From d6208fb067695ebf9e1f06b690e82c2b78994e8b Mon Sep 17 00:00:00 2001 +From 79c6d81cad24e488c8c17fb5043f29fef11a245e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 Subject: [PATCH 1/4] ghmac: Split off wrapper functions into ghmac-utils.c @@ -296,10 +296,10 @@ index d2efebadc..d261dde5a 100644 'ghostutils.c', 'giochannel.c', -- -2.44.0 +2.45.2 -From a9e3f0c8cc8b06c97958ea1e99e61d9f8200dab7 Mon Sep 17 00:00:00 2001 +From 6be9a415a7af65a2cee5518e87a3f313068a2e0e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 Subject: [PATCH 2/4] Add a gnutls backend for GHmac @@ -702,7 +702,7 @@ index d261dde5a..b3663f184 100644 libintl_deps, libm, diff --git a/meson.build b/meson.build -index 753454209..61ad30b97 100644 +index 85e24aa69..34d14f90a 100644 --- a/meson.build +++ b/meson.build @@ -2286,6 +2286,13 @@ if host_system == 'linux' @@ -736,10 +736,10 @@ index 69a2135bc..e8599abaa 100644 type : 'boolean', value : false, -- -2.44.0 +2.45.2 -From 4e84c697544b099c6e8faea6439d8e03883488be Mon Sep 17 00:00:00 2001 +From 678df1ffadcd7fa326d4c5234dd4dbf561f3d09c Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:35:00 -0500 Subject: [PATCH 3/4] dlopen GnuTLS instead of linking directly @@ -933,7 +933,7 @@ index b3663f184..2340d12b2 100644 libintl_deps, libm, 
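Review bot: The new `BuildRequires: gnutls` lands directly under a comment that only explains the soname `Requires:` lines, so the reason GnuTLS is now needed at build time is undocumented. Presumably it is so the test suite can dlopen libgnutls.so.30 during %check, but nothing in the hunk says so; a one-line comment next to it, such as `# Also needed at build time: the test suite dlopens libgnutls.so.30 in %check.`, keeps the rationale with the dependency. If that is the intent, expressing it against the same soname the patch hard-codes (as the `Requires:` lines below already do) would also make a soname bump fail at build time rather than only at install time.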
diff --git a/meson.build b/meson.build -index 61ad30b97..25beac81a 100644 +index 34d14f90a..1e6e14554 100644 --- a/meson.build +++ b/meson.build @@ -2286,11 +2286,9 @@ if host_system == 'linux' @@ -951,30 +951,22 @@ index 61ad30b97..25beac81a 100644 if host_system == 'windows' -- -2.44.0 +2.45.2 -From 820417a079f19179201d0ad2378ed3398139339b Mon Sep 17 00:00:00 2001 +From c76bfa6e30ee14bcfb19666ec3e1f3bd379143bd Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:46:24 -0500 -Subject: [PATCH] Add test for GHmac in FIPS mode +Subject: [PATCH 4/4] Disable MD5 and SHA-1 HMac tests -This will test a few problems that we hit recently: - -g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 - -Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 - -Crash when passing -1 length to g_hmac_update() (discovered in #1971533) - -We'll also test to ensure MD5 fails, and stop compiling the other MD5 -tests. +These are expected to be broken, depending on system crypto policy, +which may disable the algorithms. --- - glib/tests/hmac.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 48 insertions(+) + glib/tests/hmac.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c -index 3ac3206df..264d4fb84 100644 +index 3ac3206df..e7f3fdf08 100644 --- a/glib/tests/hmac.c +++ b/glib/tests/hmac.c @@ -1,7 +1,10 @@ 
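Review bot: The rewritten description of patch 4/4 (`+These are expected to be broken, depending on system crypto policy,` / `+which may disable the algorithms.`) does not say how the MD5 and SHA-1 cases are disabled, compiled out or skipped at run time, nor which policy is meant (the old subject at least named FIPS mode). From the renumbered nested hunks around the sha1/md5 loops further down this diff it appears to be compile-time, in which case the cases are also lost on systems whose policy allows the algorithms; calling `g_test_skip ()` when `g_hmac_new ()` returns NULL would keep them there, though the code deciding this is not visible in the hunk. The new subject also writes `HMac` while the other subjects in the series write `GHmac`, so `Disable MD5 and SHA-1 HMAC tests` would read more consistently.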
@@ -1012,48 +1004,10 @@ index 3ac3206df..264d4fb84 100644 HmacCase hmac_sha256_tests[] = { { G_CHECKSUM_SHA256, key_sha_test1, 20, "Hi There", 8, result_sha256_test1 }, -@@ -493,13 +499,48 @@ test_hmac_for_bytes (void) - g_bytes_unref (data); - } - -+#ifdef USE_GNUTLS -+static void -+test_gnutls_fips_mode (void) -+{ -+ GHmac *hmac; -+ GHmac *copy; -+ -+ /* No MD5 in FIPS mode. */ -+ hmac = g_hmac_new (G_CHECKSUM_MD5, (guchar*)"abc123", sizeof ("abc123")); -+ g_assert_null (hmac); -+ -+ /* SHA-256 should be good. */ -+ hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123")); -+ g_assert_nonnull (hmac); -+ -+ /* Ensure g_hmac_update() does not crash when called with -1. */ -+ g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1); -+ -+ /* Ensure g_hmac_copy() does not crash. */ -+ copy = g_hmac_copy (hmac); -+ g_assert_nonnull (hmac); -+ g_hmac_unref (hmac); -+ -+ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); -+ g_hmac_unref (copy); -+} -+#endif -+ - int - main (int argc, +@@ -498,8 +504,10 @@ main (int argc, char **argv) { int i; -+ -+#ifdef USE_GNUTLS -+ /* This has to happen before GnuTLS is dlopened. */ -+ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE); -+#endif + g_test_init (&argc, &argv, NULL); @@ -1061,7 +1015,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/sha1-%d", i + 1); -@@ -507,6 +548,7 @@ main (int argc, +@@ -507,6 +515,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } @@ -1069,7 +1023,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_sha256_tests[i].key_len > 0 ; i++) { -@@ -532,6 +574,7 @@ main (int argc, +@@ -532,6 +541,7 @@ main (int argc, g_free (name); } 
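Review bot: Dropping `test_gnutls_fips_mode` removes the only coverage in this series for `g_hmac_update ()` with a -1 length and for `g_hmac_copy ()`, the two crashes the old description cited, and the new patch adds nothing in their place (the registration removed in the -1085 hunk goes with it). Only the MD5-must-fail assertion actually depends on FIPS mode; the SHA-256 update/copy/digest part is policy-independent and could be kept as a test that does not set `GNUTLS_FORCE_FIPS_MODE`, reusing the expected digest already in the removed lines. If it is reinstated, note that the removed version asserted `g_assert_nonnull (hmac)` after the copy where `copy` was meant. A sketch of such a test, added to hmac.c alongside the other test functions and registered in main ():
```c
/* Policy-independent regression check for g_hmac_update () with -1 and
 * g_hmac_copy (); key, data and digest as in the removed FIPS-mode test. */
static void
test_hmac_update_and_copy (void)
{
  GHmac *hmac;
  GHmac *copy;

  hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123"));
  g_assert_nonnull (hmac);

  /* -1 (NUL-terminated input) must not crash. */
  g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1);

  copy = g_hmac_copy (hmac);
  g_assert_nonnull (copy);
  g_hmac_unref (hmac);

  g_assert_cmpstr (g_hmac_get_string (copy), ==,
                   "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83");
  g_hmac_unref (copy);
}

/* … unchanged: remaining tests; in main (), next to the other registrations … */
  g_test_add_func ("/hmac/update-and-copy", test_hmac_update_and_copy);
```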
@@ -1077,7 +1031,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1); -@@ -539,6 +582,7 @@ main (int argc, +@@ -539,6 +549,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } @@ -1085,16 +1039,6 @@ index 3ac3206df..264d4fb84 100644 g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref); g_test_add_func ("/hmac/copy", test_hmac_copy); -@@ -546,5 +590,9 @@ main (int argc, - g_test_add_func ("/hmac/for-string", test_hmac_for_string); - g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); - -+#ifdef USE_GNUTLS -+ g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode); -+#endif -+ - return g_test_run (); - } -- 2.45.2