Refresh gnutls-hmac patchset to fix leaks in error path

Related: #1971823
Michael Catanzaro 2021-07-01 15:49:06 -05:00
parent 52d9d08376
commit c7a3ee8328
2 changed files with 45 additions and 39 deletions


@ -1,6 +1,6 @@
Name: glib2
Version: 2.68.3
Release: 1%{?dist}
Release: 2%{?dist}
Summary: A library of handy utility functions
License: LGPLv2+
@ -236,6 +236,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%{_datadir}/installed-tests
%changelog
* Thu Jul 01 2021 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.3-2
- Refresh gnutls-hmac patchset to fix leaks in error path
- Related: #1971823
* Mon Jun 28 2021 Michael Catanzaro <mcatanzaro@redhat.com> - 2.68.3-1
- Update to 2.68.3
- Resolves: #1976713


@ -1,4 +1,4 @@
From 86412ea2265ae018ba6146d525cafce78782c0fc Mon Sep 17 00:00:00 2001
From ff90bb8474b1e724727f4014b446e7c851e609bd Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 18:44:43 +0000
Subject: [PATCH 1/4] ghmac: Split off wrapper functions into ghmac-utils.c
@ -284,10 +284,10 @@ index 49fd272f0..4f181f21f 100644
- (const guchar *) str, length);
-}
diff --git a/glib/meson.build b/glib/meson.build
index 28bfae200..0a37d19ea 100644
index 8c18e6de4..329b8d197 100644
--- a/glib/meson.build
+++ b/glib/meson.build
@@ -254,6 +254,7 @@ glib_sources = files(
@@ -253,6 +253,7 @@ glib_sources = files(
'ggettext.c',
'ghash.c',
'ghmac.c',
@ -298,7 +298,7 @@ index 28bfae200..0a37d19ea 100644
--
2.31.1
From a5ee9970772e182de1c249ee514e87ef38e08360 Mon Sep 17 00:00:00 2001
From 5395d36e6685e0b7377794c59c5820970bb472ef Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 19:36:54 +0000
Subject: [PATCH 2/4] Add a gnutls backend for GHmac
@ -354,8 +354,8 @@ https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903
glib/ghmac.c | 15 ++++
glib/meson.build | 10 ++-
meson.build | 7 ++
meson_options.txt | 5 ++
7 files changed, 259 insertions(+), 6 deletions(-)
meson_options.txt | 7 +-
7 files changed, 260 insertions(+), 7 deletions(-)
create mode 100644 glib/gchecksumprivate.h
create mode 100644 glib/ghmac-gnutls.c
@ -434,10 +434,10 @@ index 000000000..86c7a3b61
\ No newline at end of file
diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c
new file mode 100644
index 000000000..a55375060
index 000000000..9fb775f89
--- /dev/null
+++ b/glib/ghmac-gnutls.c
@@ -0,0 +1,186 @@
@@ -0,0 +1,187 @@
+/* ghmac.h - data hashing functions
+ *
+ * Copyright (C) 2011 Collabora Ltd.
@ -516,6 +516,7 @@ index 000000000..a55375060
+ algo = GNUTLS_MAC_SHA512;
+ break;
+ default:
+ g_free (hmac);
+ g_return_val_if_reached (NULL);
+ }
+
@ -525,7 +526,7 @@ index 000000000..a55375060
+ /* There is no way to report an error here, but one possible cause of
+ * failure is that the requested digest may be disabled by FIPS mode.
+ */
+ g_free (hmac->hmac);
+ g_free (hmac);
+ return NULL;
+ }
+
@ -658,10 +659,10 @@ index 4f181f21f..0e39ea40a 100644
* Use g_hmac_unref() to free the memory allocated by it.
*
diff --git a/glib/meson.build b/glib/meson.build
index 0a37d19ea..b17c89dd9 100644
index 329b8d197..2417de53d 100644
--- a/glib/meson.build
+++ b/glib/meson.build
@@ -253,7 +253,6 @@ glib_sources = files(
@@ -252,7 +252,6 @@ glib_sources = files(
'gfileutils.c',
'ggettext.c',
'ghash.c',
@ -669,7 +670,7 @@ index 0a37d19ea..b17c89dd9 100644
'ghmac-utils.c',
'ghook.c',
'ghostutils.c',
@@ -309,6 +308,7 @@ glib_sources = files(
@@ -308,6 +307,7 @@ glib_sources = files(
'guriprivate.h',
'gutils.c',
'gutilsprivate.h',
@ -677,7 +678,7 @@ index 0a37d19ea..b17c89dd9 100644
'guuid.c',
'gvariant.c',
'gvariant-core.c',
@@ -353,6 +353,12 @@ else
@@ -352,6 +352,12 @@ else
glib_dtrace_hdr = []
endif
@ -690,20 +691,20 @@ index 0a37d19ea..b17c89dd9 100644
pcre_static_args = []
if use_pcre_static_flag
@@ -379,7 +385,7 @@ libglib = library('glib-2.0',
@@ -378,7 +384,7 @@ libglib = library('glib-2.0',
# intl.lib is not compatible with SAFESEH
link_args : [noseh_link_args, glib_link_flags, win32_ldflags],
include_directories : configinc,
- dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
+ dependencies : pcre_deps + libgnutls_dep + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
+ dependencies : pcre_deps + [thread_dep, librt] + libgnutls_dep + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
c_args : glib_c_args,
objc_args : glib_c_args,
)
diff --git a/meson.build b/meson.build
index a0ee8b774..064dba800 100644
index e2eba1871..cca15f653 100644
--- a/meson.build
+++ b/meson.build
@@ -2104,6 +2104,13 @@ if host_system == 'linux'
@@ -2090,6 +2090,13 @@ if host_system == 'linux'
glib_conf.set('HAVE_LIBMOUNT', libmount_dep.found())
endif
@ -718,25 +719,25 @@ index a0ee8b774..064dba800 100644
winsock2 = cc.find_library('ws2_32')
endif
diff --git a/meson_options.txt b/meson_options.txt
index 072765361..d2370042f 100644
index 072765361..c8f26ac02 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -34,6 +34,11 @@ option('libmount',
value : 'auto',
description : 'build with libmount support')
@@ -39,6 +39,11 @@ option('internal_pcre',
value : false,
description : 'whether to use internal PCRE')
+option('gnutls',
+ type : 'boolean',
+ value : false,
+ description : 'build with gnutls support')
+
option('internal_pcre',
option('man',
type : 'boolean',
value : false,
--
2.31.1
From cde56a63aa12ae7c30f85af7d058fa5e666aa2e9 Mon Sep 17 00:00:00 2001
From a2429b6b2b12ebec5b51ec1bd287674c104877c1 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 16 Jun 2021 20:35:00 -0500
Subject: [PATCH 3/4] dlopen GnuTLS instead of linking directly
@ -764,7 +765,7 @@ for our purposes.
4 files changed, 102 insertions(+), 9 deletions(-)
diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c
index a55375060..0469d2bd0 100644
index 9fb775f89..1800fc2e0 100644
--- a/glib/ghmac-gnutls.c
+++ b/glib/ghmac-gnutls.c
@@ -19,8 +19,8 @@
@ -918,23 +919,23 @@ index 0e39ea40a..2d9be91b8 100644
#endif
diff --git a/glib/meson.build b/glib/meson.build
index b17c89dd9..a015f7755 100644
index 2417de53d..1b4a2477c 100644
--- a/glib/meson.build
+++ b/glib/meson.build
@@ -385,7 +385,7 @@ libglib = library('glib-2.0',
@@ -384,7 +384,7 @@ libglib = library('glib-2.0',
# intl.lib is not compatible with SAFESEH
link_args : [noseh_link_args, glib_link_flags, win32_ldflags],
include_directories : configinc,
- dependencies : pcre_deps + libgnutls_dep + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
+ dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep] + [libdl_dep],
- dependencies : pcre_deps + [thread_dep, librt] + libgnutls_dep + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
+ dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep],
c_args : glib_c_args,
objc_args : glib_c_args,
)
diff --git a/meson.build b/meson.build
index 064dba800..7aae7dfea 100644
index cca15f653..404ef1790 100644
--- a/meson.build
+++ b/meson.build
@@ -2104,11 +2104,9 @@ if host_system == 'linux'
@@ -2090,11 +2090,9 @@ if host_system == 'linux'
glib_conf.set('HAVE_LIBMOUNT', libmount_dep.found())
endif
@ -951,7 +952,7 @@ index 064dba800..7aae7dfea 100644
--
2.31.1
From b61ea19037287cae2e6152e9616767a691bf4af0 Mon Sep 17 00:00:00 2001
From 14b214e82d7f58739c180d3c777b0a000cf0590f Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 16 Jun 2021 20:46:24 -0500
Subject: [PATCH 4/4] Add test for GHmac in FIPS mode
@ -967,11 +968,11 @@ Crash when passing -1 length to g_hmac_update() (discovered in #1971533)
We'll also test to ensure MD5 fails, and stop compiling the other MD5
tests.
---
glib/tests/hmac.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
glib/tests/hmac.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c
index 3ac3206df..6698c4d19 100644
index 3ac3206df..2fa447984 100644
--- a/glib/tests/hmac.c
+++ b/glib/tests/hmac.c
@@ -1,7 +1,10 @@
@ -1009,7 +1010,7 @@ index 3ac3206df..6698c4d19 100644
HmacCase hmac_sha1_tests[] = {
{ G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 },
@@ -493,11 +499,44 @@ test_hmac_for_bytes (void)
@@ -493,11 +499,45 @@ test_hmac_for_bytes (void)
g_bytes_unref (data);
}
@ -1048,13 +1049,14 @@ index 3ac3206df..6698c4d19 100644
int i;
+
+#ifdef USE_GNUTLS
+ /* This has to happen before GnuTLS is dlopened. */
+ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);
+#endif
+
g_test_init (&argc, &argv, NULL);
for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++)
@@ -532,6 +571,7 @@ main (int argc,
@@ -532,6 +572,7 @@ main (int argc,
g_free (name);
}
@ -1062,7 +1064,7 @@ index 3ac3206df..6698c4d19 100644
for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++)
{
gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1);
@@ -539,6 +579,7 @@ main (int argc,
@@ -539,6 +580,7 @@ main (int argc,
(void (*)(const void *)) test_hmac);
g_free (name);
}
@ -1070,7 +1072,7 @@ index 3ac3206df..6698c4d19 100644
g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref);
g_test_add_func ("/hmac/copy", test_hmac_copy);
@@ -546,5 +587,9 @@ main (int argc,
@@ -546,5 +588,9 @@ main (int argc,
g_test_add_func ("/hmac/for-string", test_hmac_for_string);
g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes);
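Review bot: In the hmac test's `main`, `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);` passes FALSE for the overwrite argument, so a value already exported by the build or CI environment is kept and GnuTLS may be loaded without FIPS mode forced. The patch description says the new test exists to ensure MD5 fails, so in that situation the test either fails for an unrelated reason or stops exercising the FIPS path; which one depends on the test body, which is not visible here. If honouring a pre-set value is not intentional, `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", TRUE);` makes the check independent of the caller's environment. The added comment could then read `/* Force FIPS mode regardless of the environment; must happen before GnuTLS is dlopened. */`. `main` starts and ends outside the visible hunk.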