Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/gnutls.git#70bde1a03dde2a0335db58f9c2ce45b66f283967
This commit is contained in:
DistroBaker 2021-02-11 17:06:03 +00:00
parent ad80000939
commit 4cec910829
7 changed files with 636 additions and 51 deletions

2
.gitignore vendored
View File

@ -129,3 +129,5 @@ gnutls-2.10.1-nosrp.tar.bz2
/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
/gnutls-3.6.15.tar.xz
/gnutls-3.6.15.tar.xz.sig
/gnutls-3.7.0.tar.xz
/gnutls-3.7.0.tar.xz.sig

View File

@ -1,46 +0,0 @@
From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 27 Aug 2020 17:52:58 -0700
Subject: [PATCH] perror, strerror_r: remove unportable tests
Problem reported by Florian Weimer in:
https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
* tests/test-perror2.c (main):
* tests/test-strerror_r.c (main): Omit unportable tests.
---
ChangeLog | 8 ++++++++
tests/test-perror2.c | 3 ---
tests/test-strerror_r.c | 3 ---
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
index 1d14eda7b..c6214dd25 100644
--- a/gl/tests/test-perror2.c
+++ b/gl/tests/test-perror2.c
@@ -79,9 +79,6 @@ main (void)
errno = -5;
perror ("");
ASSERT (!ferror (stderr));
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
ASSERT (STREQ (msg4, str4));
free (str1);
diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
index b11d6fd9f..c1dbcf837 100644
--- a/gl/tests/test-strerror_r.c
+++ b/gl/tests/test-strerror_r.c
@@ -165,9 +165,6 @@ main (void)
strerror_r (EACCES, buf, sizeof buf);
strerror_r (-5, buf, sizeof buf);
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
ASSERT (STREQ (msg4, str4));
free (str1);
--
2.26.2

View File

@ -0,0 +1,403 @@
From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 12:14:13 +0100
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
certificates
The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
regression, where duplicate certificates in a certificate chain are no
longer ignored but treated as a non-contiguous segment and that
results in calling the issuer callback, or a verification failure.
This adds a mechanism to record certificates already seen in the
chain, and skip them while still allow the caller to inject missing
certificates.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Andreas Metzler <ametzler@debian.org>
---
lib/x509/common.c | 8 ++
lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
tests/missingissuer.c | 2 +
tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
4 files changed, 245 insertions(+), 23 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3301aaad0..10c8db53c 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
* increasing DEFAULT_MAX_VERIFY_DEPTH.
*/
for (i = 0; i < clist_size; i++) {
+ /* Self-signed certificate found in the chain; skip it
+ * as it should only appear in the trusted set.
+ */
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
+ _gnutls_cert_log("self-signed cert found", clist[i]);
+ continue;
+ }
+
for (j = 1; j < clist_size; j++) {
if (i == j)
continue;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 588e7ee0d..9a16e6b42 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
#define DEFAULT_SIZE 127
+struct cert_set_node_st {
+ gnutls_x509_crt_t *certs;
+ unsigned int size;
+};
+
+struct cert_set_st {
+ struct cert_set_node_st *node;
+ unsigned int size;
+};
+
+static int
+cert_set_init(struct cert_set_st *set, unsigned int size)
+{
+ memset(set, 0, sizeof(*set));
+
+ set->size = size;
+ set->node = gnutls_calloc(size, sizeof(*set->node));
+ if (!set->node) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ return 0;
+}
+
+static void
+cert_set_deinit(struct cert_set_st *set)
+{
+ size_t i;
+
+ for (i = 0; i < set->size; i++) {
+ gnutls_free(set->node[i].certs);
+ }
+
+ gnutls_free(set->node);
+}
+
+static bool
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash, i;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ for (i = 0; i < set->node[hash].size; i++) {
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static int
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ set->node[hash].certs =
+ gnutls_realloc_fast(set->node[hash].certs,
+ (set->node[hash].size + 1) *
+ sizeof(*set->node[hash].certs));
+ if (!set->node[hash].certs) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+ set->node[hash].certs[set->node[hash].size] = cert;
+ set->node[hash].size++;
+
+ return 0;
+}
+
/**
* gnutls_x509_trust_list_init:
* @list: A pointer to the type to be initialized
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned have_set_name = 0;
unsigned saved_output;
gnutls_datum_t ip = {NULL, 0};
+ struct cert_set_st cert_set = { NULL, 0 };
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
cert_list = sorted;
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+ if (ret < 0) {
+ return ret;
+ }
+
for (i = 0; i < cert_list_size &&
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- unsigned int sorted_size;
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
sorted_size = _gnutls_sort_clist(&cert_list[i],
cert_list_size - i);
- i += sorted_size - 1;
}
- if (i == cert_list_size - 1) {
- gnutls_x509_crt_t issuer;
-
- /* If it is the last certificate and its issuer is
- * known, don't need to run issuer callback. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i],
- &issuer,
- 0) == 0) {
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+ for (j = 1; j < sorted_size; j++) {
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
break;
}
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
- cert_list[i + 1])) {
- /* There is no gap between this and the next
- * certificate. */
+ }
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+ ret = cert_set_add(&cert_set, cert_list[i]);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (_gnutls_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+
+ /* If there is no gap between this and the next certificate,
+ * proceed with the next certificate. */
+ if (i < cert_list_size &&
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
+ cert_list[i])) {
continue;
}
ret = retrieve_issuers(list,
- cert_list[i],
+ cert_list[i - 1],
&retrieved[retrieved_size],
DEFAULT_MAX_VERIFY_DEPTH -
MAX(retrieved_size,
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (ret < 0) {
break;
} else if (ret > 0) {
- memmove(&cert_list[i + 1 + ret],
- &cert_list[i + 1],
- (cert_list_size - i - 1) *
+ assert((unsigned int)ret <=
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+ memmove(&cert_list[i + ret],
+ &cert_list[i],
+ (cert_list_size - i) *
sizeof(gnutls_x509_crt_t));
- memcpy(&cert_list[i + 1],
+ memcpy(&cert_list[i],
&retrieved[retrieved_size],
ret * sizeof(gnutls_x509_crt_t));
retrieved_size += ret;
cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
}
}
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
for (i = 0; i < retrieved_size; i++) {
gnutls_x509_crt_deinit(retrieved[i]);
}
+ cert_set_deinit(&cert_set);
return ret;
}
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
index f21e2b6b0..226d09592 100644
--- a/tests/missingissuer.c
+++ b/tests/missingissuer.c
@@ -145,6 +145,8 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
for (j = 0; chains[i].chain[j]; j++) {
+ assert(j < MAX_CHAIN);
+
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
index 543e2d71f..bf1e65c95 100644
--- a/tests/test-chains-issuer.h
+++ b/tests/test-chains-issuer.h
@@ -24,7 +24,7 @@
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
-#define MAX_CHAIN 6
+#define MAX_CHAIN 15
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
NULL,
};
+static const char *missing_middle_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_2,
+ CA_CERT_2,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_last_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_2,
+ CA_CERT_2,
+ NULL,
+};
+
+static const char *missing_last_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
+static const char *missing_skip_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_skip_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
static const char *missing_ca[] = {
CA_CERT_0,
NULL,
};
+static const char *middle_single_duplicate_ca[] = {
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_0,
+ CA_CERT_4,
+ CA_CERT_0,
+ CA_CERT_2,
+ CA_CERT_0,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
+ CA_CERT_0,
+ NULL,
+};
+
static struct chains {
const char *name;
const char **chain;
@@ -377,6 +468,14 @@ static struct chains {
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ NULL, NULL, NULL, NULL },
};
--
2.29.2

12
gnutls-3.7.0-gost.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh
--- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100
+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100
@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test "
kill ${PID}
wait
+ cat $OUTFILE
+
check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"

View File

@ -0,0 +1,195 @@
From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 21 Dec 2020 09:36:47 -0500
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
Recent changes to trousers now require an ownership of root:tss for
the tcsd config file, older ones requires tss:tss. So, start tcsd
using trial and error with either one of these ownership configurations
until one works.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612..77fe17e59 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
--
2.29.2
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 16:16:53 +0100
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on
2020-12-13. To avoid verification failure due to that, use datefudge
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler:
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/testpkcs11.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
--
2.29.2
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
system that runs the test in a restricted environment. Unsetting it
after a temporary use forces the remaining part of the test to use the
default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea..3c3e2214e 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
2.29.2

View File

@ -1,9 +1,11 @@
# This spec file has been automatically updated
Version: 3.6.15
Version: 3.7.0
Release: 2%{?dist}
Patch1: gnutls-3.6.7-no-now-guile.patch
Patch2: gnutls-3.2.7-rpath.patch
Patch3: gnutls-3.6.15-gnulib-perror-tests.patch
Patch3: gnutls-3.7.0-test-fixes.patch
Patch4: gnutls-3.7.0-gost.patch
Patch5: gnutls-3.7.0-duplicate-certs.patch
%bcond_without dane
%if 0%{?rhel}
%bcond_with guile
@ -45,6 +47,7 @@ BuildRequires: unbound-devel unbound-libs
%if %{with guile}
BuildRequires: guile22-devel
%endif
BuildRequires: make
URL: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
@ -156,6 +159,8 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
# via the crypto policies
%build
%define _lto_cflags %{nil}
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS
@ -280,7 +285,21 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
%endif
%changelog
* Mon Sep 28 2020 Jeff Law <law@redhat.com> - 3.6.14-8
* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
- Tolerate duplicate certs in the chain
* Mon Feb 8 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-1
- Update to upstream 3.7.0 release
- Temporarily disable LTO
* Tue Jan 26 2021 Daiki Ueno <dueno@redhat.com> - 3.6.15-4
- Fix broken tests on rawhide (#1908110)
- Add BuildRequires: make (by Tom Stellard)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.15-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Sep 28 2020 Jeff Law <law@redhat.com> - 3.6.15-2
- Re-enable LTO now that upstream GCC bugs have been fixed
* Fri Sep 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.15-1

View File

@ -1,3 +1,3 @@
SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c
SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68
SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885
SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173