Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/gnutls.git#70bde1a03dde2a0335db58f9c2ce45b66f283967

.gitignore

@@ -129,3 +129,5 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 /gnutls-3.6.15.tar.xz
 /gnutls-3.6.15.tar.xz.sig
+/gnutls-3.7.0.tar.xz
+/gnutls-3.7.0.tar.xz.sig

gnutls-3.6.15-gnulib-perror-tests.patch

@@ -1,46 +0,0 @@
-From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Thu, 27 Aug 2020 17:52:58 -0700
-Subject: [PATCH] perror, strerror_r: remove unportable tests
-
-Problem reported by Florian Weimer in:
-https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
-* tests/test-perror2.c (main):
-* tests/test-strerror_r.c (main): Omit unportable tests.
----
- ChangeLog               | 8 ++++++++
- tests/test-perror2.c    | 3 ---
- tests/test-strerror_r.c | 3 ---
- 3 files changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
-index 1d14eda7b..c6214dd25 100644
---- a/gl/tests/test-perror2.c
-+++ b/gl/tests/test-perror2.c
-@@ -79,9 +79,6 @@ main (void)
-     errno = -5;
-     perror ("");
-     ASSERT (!ferror (stderr));
--    ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
--    ASSERT (msg2 == msg4 || STREQ (msg2, str2));
--    ASSERT (msg3 == msg4 || STREQ (msg3, str3));
-     ASSERT (STREQ (msg4, str4));
- 
-     free (str1);
-diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
-index b11d6fd9f..c1dbcf837 100644
---- a/gl/tests/test-strerror_r.c
-+++ b/gl/tests/test-strerror_r.c
-@@ -165,9 +165,6 @@ main (void)
- 
-     strerror_r (EACCES, buf, sizeof buf);
-     strerror_r (-5, buf, sizeof buf);
--    ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
--    ASSERT (msg2 == msg4 || STREQ (msg2, str2));
--    ASSERT (msg3 == msg4 || STREQ (msg3, str3));
-     ASSERT (STREQ (msg4, str4));
- 
-     free (str1);
--- 
-2.26.2
-

gnutls-3.7.0-duplicate-certs.patch

@@ -0,0 +1,403 @@
+From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 28 Dec 2020 12:14:13 +0100
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
+ certificates
+
+The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
+regression, where duplicate certificates in a certificate chain are no
+longer ignored but treated as a non-contiguous segment and that
+results in calling the issuer callback, or a verification failure.
+
+This adds a mechanism to record certificates already seen in the
+chain, and skip them while still allow the caller to inject missing
+certificates.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Co-authored-by: Andreas Metzler <ametzler@debian.org>
+---
+ lib/x509/common.c          |   8 ++
+ lib/x509/verify-high.c     | 157 +++++++++++++++++++++++++++++++------
+ tests/missingissuer.c      |   2 +
+ tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
+ 4 files changed, 245 insertions(+), 23 deletions(-)
+
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 3301aaad0..10c8db53c 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+ 	 * increasing DEFAULT_MAX_VERIFY_DEPTH.
+ 	 */
+ 	for (i = 0; i < clist_size; i++) {
++		/* Self-signed certificate found in the chain; skip it
++		 * as it should only appear in the trusted set.
++		 */
++		if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
++			_gnutls_cert_log("self-signed cert found", clist[i]);
++			continue;
++		}
++
+ 		for (j = 1; j < clist_size; j++) {
+ 			if (i == j)
+ 				continue;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 588e7ee0d..9a16e6b42 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
+ 
+ #define DEFAULT_SIZE 127
+ 
++struct cert_set_node_st {
++	gnutls_x509_crt_t *certs;
++	unsigned int size;
++};
++
++struct cert_set_st {
++	struct cert_set_node_st *node;
++	unsigned int size;
++};
++
++static int
++cert_set_init(struct cert_set_st *set, unsigned int size)
++{
++	memset(set, 0, sizeof(*set));
++
++	set->size = size;
++	set->node = gnutls_calloc(size, sizeof(*set->node));
++	if (!set->node) {
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	}
++
++	return 0;
++}
++
++static void
++cert_set_deinit(struct cert_set_st *set)
++{
++	size_t i;
++
++	for (i = 0; i < set->size; i++) {
++		gnutls_free(set->node[i].certs);
++	}
++
++	gnutls_free(set->node);
++}
++
++static bool
++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++	size_t hash, i;
++
++	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++	hash %= set->size;
++
++	for (i = 0; i < set->node[hash].size; i++) {
++		if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
++			return true;
++		}
++	}
++
++	return false;
++}
++
++static int
++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++	size_t hash;
++
++	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++	hash %= set->size;
++
++	set->node[hash].certs =
++		gnutls_realloc_fast(set->node[hash].certs,
++				    (set->node[hash].size + 1) *
++				    sizeof(*set->node[hash].certs));
++	if (!set->node[hash].certs) {
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	}
++	set->node[hash].certs[set->node[hash].size] = cert;
++	set->node[hash].size++;
++
++	return 0;
++}
++
+ /**
+  * gnutls_x509_trust_list_init:
+  * @list: A pointer to the type to be initialized
+@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	unsigned have_set_name = 0;
+ 	unsigned saved_output;
+ 	gnutls_datum_t ip = {NULL, 0};
++	struct cert_set_st cert_set = { NULL, 0 };
+ 
+ 	if (cert_list == NULL || cert_list_size < 1)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+ 	cert_list = sorted;
+ 
++	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
++	if (ret < 0) {
++		return ret;
++	}
++
+ 	for (i = 0; i < cert_list_size &&
+-		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
+-		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+-			unsigned int sorted_size;
++		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
++		unsigned int sorted_size = 1;
++		unsigned int j;
++		gnutls_x509_crt_t issuer;
+ 
++		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+ 			sorted_size = _gnutls_sort_clist(&cert_list[i],
+ 							 cert_list_size - i);
+-			i += sorted_size - 1;
+ 		}
+ 
+-		if (i == cert_list_size - 1) {
+-			gnutls_x509_crt_t issuer;
+-
+-			/* If it is the last certificate and its issuer is
+-			 * known, don't need to run issuer callback. */
+-			if (_gnutls_trust_list_get_issuer(list,
+-							  cert_list[i],
+-							  &issuer,
+-							  0) == 0) {
++		/* Remove duplicates. Start with index 1, as the first element
++		 * may be re-checked after issuer retrieval. */
++		for (j = 1; j < sorted_size; j++) {
++			if (cert_set_contains(&cert_set, cert_list[i + j])) {
++				if (i + j < cert_list_size - 1) {
++					memmove(&cert_list[i + j],
++						&cert_list[i + j + 1],
++						sizeof(cert_list[i]));
++				}
++				cert_list_size--;
+ 				break;
+ 			}
+-		} else if (gnutls_x509_crt_check_issuer(cert_list[i],
+-							cert_list[i + 1])) {
+-			/* There is no gap between this and the next
+-			 * certificate. */
++		}
++		/* Found a duplicate, try again with the same index. */
++		if (j < sorted_size) {
++			continue;
++		}
++
++		/* Record the certificates seen. */
++		for (j = 0; j < sorted_size; j++, i++) {
++			ret = cert_set_add(&cert_set, cert_list[i]);
++			if (ret < 0) {
++				goto cleanup;
++			}
++		}
++
++		/* If the issuer of the certificate is known, no need
++		 * for further processing. */
++		if (_gnutls_trust_list_get_issuer(list,
++						  cert_list[i - 1],
++						  &issuer,
++						  0) == 0) {
++			cert_list_size = i;
++			break;
++		}
++
++		/* If there is no gap between this and the next certificate,
++		 * proceed with the next certificate. */
++		if (i < cert_list_size &&
++		    gnutls_x509_crt_check_issuer(cert_list[i - 1],
++						 cert_list[i])) {
+ 			continue;
+ 		}
+ 
+ 		ret = retrieve_issuers(list,
+-				       cert_list[i],
++				       cert_list[i - 1],
+ 				       &retrieved[retrieved_size],
+ 				       DEFAULT_MAX_VERIFY_DEPTH -
+ 				       MAX(retrieved_size,
+@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 		if (ret < 0) {
+ 			break;
+ 		} else if (ret > 0) {
+-			memmove(&cert_list[i + 1 + ret],
+-				&cert_list[i + 1],
+-				(cert_list_size - i - 1) *
++			assert((unsigned int)ret <=
++			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++			memmove(&cert_list[i + ret],
++				&cert_list[i],
++				(cert_list_size - i) *
+ 				sizeof(gnutls_x509_crt_t));
+-			memcpy(&cert_list[i + 1],
++			memcpy(&cert_list[i],
+ 			       &retrieved[retrieved_size],
+ 			       ret * sizeof(gnutls_x509_crt_t));
+ 			retrieved_size += ret;
+ 			cert_list_size += ret;
++
++			/* Start again from the end of the previous segment. */
++			i--;
+ 		}
+ 	}
+ 
+@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	for (i = 0; i < retrieved_size; i++) {
+ 		gnutls_x509_crt_deinit(retrieved[i]);
+ 	}
++	cert_set_deinit(&cert_set);
+ 	return ret;
+ }
+ 
+diff --git a/tests/missingissuer.c b/tests/missingissuer.c
+index f21e2b6b0..226d09592 100644
+--- a/tests/missingissuer.c
++++ b/tests/missingissuer.c
+@@ -145,6 +145,8 @@ void doit(void)
+ 		printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
+ 
+ 		for (j = 0; chains[i].chain[j]; j++) {
++			assert(j < MAX_CHAIN);
++
+ 			if (debug > 2)
+ 				printf("\tAdding certificate %d...", (int)j);
+ 
+diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
+index 543e2d71f..bf1e65c95 100644
+--- a/tests/test-chains-issuer.h
++++ b/tests/test-chains-issuer.h
+@@ -24,7 +24,7 @@
+ #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+ #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+ 
+-#define MAX_CHAIN 6
++#define MAX_CHAIN 15
+ 
+ #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n"			\
+ 	"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
+@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
+ 	NULL,
+ };
+ 
++static const char *missing_middle_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_2,
++	CA_CERT_2,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_middle_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_last_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_3,
++	CA_CERT_3,
++	CA_CERT_2,
++	CA_CERT_2,
++	NULL,
++};
++
++static const char *missing_last_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_3,
++	CA_CERT_3,
++	NULL,
++};
++
++static const char *missing_skip_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_3,
++	CA_CERT_3,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_skip_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_3,
++	CA_CERT_3,
++	NULL,
++};
++
+ static const char *missing_ca[] = {
+ 	CA_CERT_0,
+ 	NULL,
+ };
+ 
++static const char *middle_single_duplicate_ca[] = {
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_0,
++	CA_CERT_4,
++	CA_CERT_0,
++	CA_CERT_2,
++	CA_CERT_0,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
++	CA_CERT_0,
++	NULL,
++};
++
+ static struct chains {
+ 	const char *name;
+ 	const char **chain;
+@@ -377,6 +468,14 @@ static struct chains {
+ 	{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ 	{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ 	{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
++	{ "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
++	{ "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
++	{ "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
++	{ "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
++	{ "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ 	{ NULL, NULL, NULL, NULL },
+ };
+ 
+-- 
+2.29.2
+

gnutls-3.7.0-gost.patch

@@ -0,0 +1,12 @@
+diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh
+--- ./tests/gnutls-cli-debug.sh.gost	2021-02-09 13:28:46.528821113 +0100
++++ ./tests/gnutls-cli-debug.sh	2021-02-09 13:29:18.851646678 +0100
+@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test "
+ 	kill ${PID}
+ 	wait
+ 
++	cat $OUTFILE
++
+ 	check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
+ 	check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
+ 	check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"

gnutls-3.7.0-test-fixes.patch

@@ -0,0 +1,195 @@
+From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 21 Dec 2020 09:36:47 -0500
+Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
+
+Recent changes to trousers now require an ownership of root:tss for
+the tcsd config file, older ones requires tss:tss. So, start tcsd
+using trial and error with either one of these ownership configurations
+until one works.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
+index eba502612..77fe17e59 100755
+--- a/tests/tpmtool_test.sh
++++ b/tests/tpmtool_test.sh
+@@ -138,6 +138,7 @@ start_tcsd()
+ 	local tcsd_conf=$workdir/tcsd.conf
+ 	local tcsd_system_ps_file=$workdir/system_ps_file
+ 	local tcsd_pidfile=$workdir/tcsd.pid
++	local owner
+ 
+ 	start_swtpm "$workdir"
+ 	[ $? -ne 0 ] && return 1
+@@ -146,20 +147,36 @@ start_tcsd()
+ port = $TCSD_LISTEN_PORT
+ system_ps_file = $tcsd_system_ps_file
+ _EOF_
++	# older versions of trousers require tss:tss ownership of the
++	# config file, later ones root:tss
++	for owner in tss root; do
++		if [ "$owner" = "tss" ]; then
++			chmod 0600 $tcsd_conf
++		else
++			chmod 0640 $tcsd_conf
++		fi
++		chown $owner:tss $tcsd_conf
+ 
+-	chown tss:tss $tcsd_conf
+-	chmod 0600 $tcsd_conf
++		bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
++		BASH_PID=$!
+ 
+-	bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+-	BASH_PID=$!
++		if wait_for_file $tcsd_pidfile 3; then
++			echo "Could not get TCSD's PID file"
++			return 1
++		fi
+ 
+-	if wait_for_file $tcsd_pidfile 3; then
+-		echo "Could not get TCSD's PID file"
+-		return 1
+-	fi
++		sleep 0.5
++		TCSD_PID=$(cat $tcsd_pidfile)
++		kill -0 "${TCSD_PID}"
++		if [ $? -ne 0 ]; then
++			# Try again with other owner
++			continue
++		fi
++		return 0
++	done
+ 
+-	TCSD_PID=$(cat $tcsd_pidfile)
+-	return 0
++	echo "TCSD could not be started"
++	return 1
+ }
+ 
+ stop_tcsd()
+-- 
+2.29.2
+
+
+From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 28 Dec 2020 16:16:53 +0100
+Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
+
+The certificates stored in tests/testpkcs11-certs expired on
+2020-12-13.  To avoid verification failure due to that, use datefudge
+to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
+
+Based on the patch by Andreas Metzler:
+https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/testpkcs11.sh | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 38b9585bc..09a627477 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -67,6 +67,8 @@ have_ed25519=0
+ P11TOOL="${VALGRIND} ${P11TOOL} --batch"
+ SERV="${SERV} -q"
+ 
++TESTDATE=2020-12-01
++
+ . ${srcdir}/scripts/common.sh
+ 
+ rm -f "${LOGFILE}"
+@@ -79,6 +81,8 @@ exit_error () {
+ 	exit 1
+ }
+ 
++skip_if_no_datefudge
++
+ # $1: token
+ # $2: PIN
+ # $3: filename
+@@ -523,6 +527,7 @@ write_certificate_test () {
+ 	pubkey="$5"
+ 
+ 	echo -n "* Generating client certificate... "
++	datefudge -s "$TESTDATE" \
+ 	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM}  --generate-certificate --load-ca-privkey "${cakey}"  --load-ca-certificate "${cacert}"  \
+ 	--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
+ 	--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
+@@ -900,7 +905,9 @@ use_certificate_test () {
+ 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
+ 	# start server
+ 	eval "${GETPORT}"
+-	launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
++	launch_bare_server datefudge -s "$TESTDATE" \
++	        $VALGRIND $SERV $DEBUG -p "$PORT" \
++		${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
+ 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \
+ 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
+ 
+@@ -908,13 +915,16 @@ use_certificate_test () {
+ 	wait_server ${PID}
+ 
+ 	# connect to server using SC
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
+ 		fail ${PID} "Connection should have failed!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
+ 	--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ 		fail ${PID} "Connection (with files) should have succeeded!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
+ 		--x509keyfile="${token};object=gnutls-client;object-type=private" \
+ 		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
+-- 
+2.29.2
+
+From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 9 Feb 2021 15:26:07 +0100
+Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
+ settings
+
+When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
+places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
+system that runs the test in a restricted environment.  Unsetting it
+after a temporary use forces the remaining part of the test to use the
+default system priority, which might not be the intention of the user.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/gnutls-cli-debug.sh | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
+index a73910dea..3c3e2214e 100755
+--- a/tests/gnutls-cli-debug.sh
++++ b/tests/gnutls-cli-debug.sh
+@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
+ tls-disabled-cipher = CAMELLIA-128-CBC
+ tls-disabled-cipher = CAMELLIA-256-CBC
+ _EOF_
+-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+ 
++GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
+ timeout 1800 datefudge "2017-08-9" \
+ "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+ 
+-unset GNUTLS_SYSTEM_PRIORITY_FILE
+-
+ kill ${PID}
+ wait
+ 
+-- 
+2.29.2
+

gnutls.spec

@@ -1,9 +1,11 @@
 # This spec file has been automatically updated
-Version:	3.6.15
+Version:	3.7.0
 Release: 2%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.6.15-gnulib-perror-tests.patch
+Patch3:	gnutls-3.7.0-test-fixes.patch
+Patch4:	gnutls-3.7.0-gost.patch
+Patch5:	gnutls-3.7.0-duplicate-certs.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -45,6 +47,7 @@ BuildRequires: unbound-devel unbound-libs
 %if %{with guile}
 BuildRequires: guile22-devel
 %endif
+BuildRequires: make
 URL: http://www.gnutls.org/
 Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
@@ -156,6 +159,8 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
 # via the crypto policies
 
 %build
+%define _lto_cflags %{nil}
+
 CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
 export CCASFLAGS
 
@@ -280,7 +285,21 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
-* Mon Sep 28 2020 Jeff Law <law@redhat.com> - 3.6.14-8
+* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
+- Tolerate duplicate certs in the chain
+
+* Mon Feb  8 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-1
+- Update to upstream 3.7.0 release
+- Temporarily disable LTO
+
+* Tue Jan 26 2021 Daiki Ueno <dueno@redhat.com> - 3.6.15-4
+- Fix broken tests on rawhide (#1908110)
+- Add BuildRequires: make (by Tom Stellard)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.15-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Sep 28 2020 Jeff Law <law@redhat.com> - 3.6.15-2
 - Re-enable LTO now that upstream GCC bugs have been fixed
 
 * Fri Sep  4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.15-1

sources

@@ -1,3 +1,3 @@
-SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c
-SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68
+SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885
+SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd
 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173