Update to upstream 3.7.1 release

Also remove the fipscheck dependency, as the HMAC is now calculated with an
internal tool.
Daiki Ueno 2021-03-13 10:01:24 +01:00
parent 9afae358ed
commit 8841f0c3cb
8 changed files with 99 additions and 667 deletions

.gitignore vendored

@ -131,3 +131,5 @@ gnutls-2.10.1-nosrp.tar.bz2
/gnutls-3.6.15.tar.xz.sig
/gnutls-3.7.0.tar.xz
/gnutls-3.7.0.tar.xz.sig
/gnutls-3.7.1.tar.xz
/gnutls-3.7.1.tar.xz.sig


@ -1,44 +0,0 @@
From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 5 Mar 2021 12:08:25 +0100
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for
PKCS11 too
The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of
gnutls/gnutls!1370) didn't cover the case where the trust store is
backed by PKCS #11, because it used _gnutls_trust_list_get_issuer,
which only works with file based trust store.
This patch replaces the call with more generic
gnutls_x509_trust_list_get_issuer so it also works with other trust
store implementations.
Reported by Michal Ruprich.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/x509/verify-high.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 9a16e6b42..736326ee1 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
/* If the issuer of the certificate is known, no need
* for further processing. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i - 1],
- &issuer,
- 0) == 0) {
+ if (gnutls_x509_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
cert_list_size = i;
break;
}
--
2.29.2


@ -1,403 +0,0 @@
From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 12:14:13 +0100
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
certificates
The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
regression, where duplicate certificates in a certificate chain are no
longer ignored but treated as a non-contiguous segment and that
results in calling the issuer callback, or a verification failure.
This adds a mechanism to record certificates already seen in the
chain, and skip them while still allow the caller to inject missing
certificates.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Andreas Metzler <ametzler@debian.org>
---
lib/x509/common.c | 8 ++
lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
tests/missingissuer.c | 2 +
tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
4 files changed, 245 insertions(+), 23 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3301aaad0..10c8db53c 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
* increasing DEFAULT_MAX_VERIFY_DEPTH.
*/
for (i = 0; i < clist_size; i++) {
+ /* Self-signed certificate found in the chain; skip it
+ * as it should only appear in the trusted set.
+ */
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
+ _gnutls_cert_log("self-signed cert found", clist[i]);
+ continue;
+ }
+
for (j = 1; j < clist_size; j++) {
if (i == j)
continue;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 588e7ee0d..9a16e6b42 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
#define DEFAULT_SIZE 127
+struct cert_set_node_st {
+ gnutls_x509_crt_t *certs;
+ unsigned int size;
+};
+
+struct cert_set_st {
+ struct cert_set_node_st *node;
+ unsigned int size;
+};
+
+static int
+cert_set_init(struct cert_set_st *set, unsigned int size)
+{
+ memset(set, 0, sizeof(*set));
+
+ set->size = size;
+ set->node = gnutls_calloc(size, sizeof(*set->node));
+ if (!set->node) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ return 0;
+}
+
+static void
+cert_set_deinit(struct cert_set_st *set)
+{
+ size_t i;
+
+ for (i = 0; i < set->size; i++) {
+ gnutls_free(set->node[i].certs);
+ }
+
+ gnutls_free(set->node);
+}
+
+static bool
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash, i;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ for (i = 0; i < set->node[hash].size; i++) {
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static int
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ set->node[hash].certs =
+ gnutls_realloc_fast(set->node[hash].certs,
+ (set->node[hash].size + 1) *
+ sizeof(*set->node[hash].certs));
+ if (!set->node[hash].certs) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+ set->node[hash].certs[set->node[hash].size] = cert;
+ set->node[hash].size++;
+
+ return 0;
+}
+
/**
* gnutls_x509_trust_list_init:
* @list: A pointer to the type to be initialized
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned have_set_name = 0;
unsigned saved_output;
gnutls_datum_t ip = {NULL, 0};
+ struct cert_set_st cert_set = { NULL, 0 };
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
cert_list = sorted;
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+ if (ret < 0) {
+ return ret;
+ }
+
for (i = 0; i < cert_list_size &&
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- unsigned int sorted_size;
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
sorted_size = _gnutls_sort_clist(&cert_list[i],
cert_list_size - i);
- i += sorted_size - 1;
}
- if (i == cert_list_size - 1) {
- gnutls_x509_crt_t issuer;
-
- /* If it is the last certificate and its issuer is
- * known, don't need to run issuer callback. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i],
- &issuer,
- 0) == 0) {
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+ for (j = 1; j < sorted_size; j++) {
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
break;
}
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
- cert_list[i + 1])) {
- /* There is no gap between this and the next
- * certificate. */
+ }
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+ ret = cert_set_add(&cert_set, cert_list[i]);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (_gnutls_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+
+ /* If there is no gap between this and the next certificate,
+ * proceed with the next certificate. */
+ if (i < cert_list_size &&
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
+ cert_list[i])) {
continue;
}
ret = retrieve_issuers(list,
- cert_list[i],
+ cert_list[i - 1],
&retrieved[retrieved_size],
DEFAULT_MAX_VERIFY_DEPTH -
MAX(retrieved_size,
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (ret < 0) {
break;
} else if (ret > 0) {
- memmove(&cert_list[i + 1 + ret],
- &cert_list[i + 1],
- (cert_list_size - i - 1) *
+ assert((unsigned int)ret <=
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+ memmove(&cert_list[i + ret],
+ &cert_list[i],
+ (cert_list_size - i) *
sizeof(gnutls_x509_crt_t));
- memcpy(&cert_list[i + 1],
+ memcpy(&cert_list[i],
&retrieved[retrieved_size],
ret * sizeof(gnutls_x509_crt_t));
retrieved_size += ret;
cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
}
}
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
for (i = 0; i < retrieved_size; i++) {
gnutls_x509_crt_deinit(retrieved[i]);
}
+ cert_set_deinit(&cert_set);
return ret;
}
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
index f21e2b6b0..226d09592 100644
--- a/tests/missingissuer.c
+++ b/tests/missingissuer.c
@@ -145,6 +145,8 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
for (j = 0; chains[i].chain[j]; j++) {
+ assert(j < MAX_CHAIN);
+
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
index 543e2d71f..bf1e65c95 100644
--- a/tests/test-chains-issuer.h
+++ b/tests/test-chains-issuer.h
@@ -24,7 +24,7 @@
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
-#define MAX_CHAIN 6
+#define MAX_CHAIN 15
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
NULL,
};
+static const char *missing_middle_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_2,
+ CA_CERT_2,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_last_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_2,
+ CA_CERT_2,
+ NULL,
+};
+
+static const char *missing_last_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
+static const char *missing_skip_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_skip_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
static const char *missing_ca[] = {
CA_CERT_0,
NULL,
};
+static const char *middle_single_duplicate_ca[] = {
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_0,
+ CA_CERT_4,
+ CA_CERT_0,
+ CA_CERT_2,
+ CA_CERT_0,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
+ CA_CERT_0,
+ NULL,
+};
+
static struct chains {
const char *name;
const char **chain;
@@ -377,6 +468,14 @@ static struct chains {
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ NULL, NULL, NULL, NULL },
};
--
2.29.2


@ -1,12 +0,0 @@
diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh
--- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100
+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100
@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test "
kill ${PID}
wait
+ cat $OUTFILE
+
check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"


@ -1,195 +0,0 @@
From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 21 Dec 2020 09:36:47 -0500
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
Recent changes to trousers now require an ownership of root:tss for
the tcsd config file, older ones requires tss:tss. So, start tcsd
using trial and error with either one of these ownership configurations
until one works.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612..77fe17e59 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
--
2.29.2
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 16:16:53 +0100
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on
2020-12-13. To avoid verification failure due to that, use datefudge
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler:
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/testpkcs11.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
--
2.29.2
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
system that runs the test in a restricted environment. Unsetting it
after a temporary use forces the remaining part of the test to use the
default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea..3c3e2214e 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
2.29.2


@ -0,0 +1,84 @@
From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 10 Mar 2021 16:11:29 +0100
Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
AGGRESSIVE_REALLOC
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/str.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/str.c b/lib/str.c
index 506fe1721..bc20ebb04 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
unused = MEMSUB(dest->data, dest->allocd);
dest->allocd =
- gnutls_realloc_fast(dest->allocd, new_size);
+ gnutls_realloc_fast(dest->allocd, new_size + unused);
if (dest->allocd == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
- dest->max_length = new_size;
+ dest->max_length = new_size + unused;
dest->data = dest->allocd + unused;
return 0;
--
2.30.2
From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 10 Mar 2021 16:12:23 +0100
Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
defined
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/str.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/str.c b/lib/str.c
index bc20ebb04..8007340f1 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
#define MIN_CHUNK 1024
-static void align_allocd_with_data(gnutls_buffer_st * dest)
-{
- assert(dest->allocd != NULL);
- assert(dest->data != NULL);
- if (dest->length)
- memmove(dest->allocd, dest->data, dest->length);
- dest->data = dest->allocd;
-}
-
/**
* gnutls_buffer_append_data:
* @dest: the buffer to append to
@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
#else
+static void align_allocd_with_data(gnutls_buffer_st * dest)
+{
+ assert(dest->allocd != NULL);
+ assert(dest->data != NULL);
+ if (dest->length)
+ memmove(dest->allocd, dest->data, dest->length);
+ dest->data = dest->allocd;
+}
+
int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
{
if (unlikely(dest->data != NULL && dest->allocd == NULL))
--
2.30.2
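Review bot: The first hunk of lib/str.c changes what `max_length` means in the AGGRESSIVE_REALLOC variant of `_gnutls_buffer_resize` — after `dest->max_length = new_size + unused;` it spans the whole allocation, including the `unused` prefix that sits before `data` (`unused = MEMSUB(dest->data, dest->allocd)`, `dest->data = dest->allocd + unused`) — but nothing in the code records that. A one-line comment above that assignment, `/* max_length spans the whole allocation, including the unused prefix before data */`, would keep the two `_gnutls_buffer_resize` variants readable side by side. The body of `_gnutls_buffer_resize` starts before and ends after the hunk, so whether callers rely on `max_length` including the prefix cannot be confirmed from here. The second hunk only moves `align_allocd_with_data` under the `#else` branch and raises nothing.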


@ -1,12 +1,9 @@
# This spec file has been automatically updated
Version: 3.7.0
Release: 4%{?dist}
Version: 3.7.1
Release: 1%{?dist}
Patch1: gnutls-3.6.7-no-now-guile.patch
Patch2: gnutls-3.2.7-rpath.patch
Patch3: gnutls-3.7.0-test-fixes.patch
Patch4: gnutls-3.7.0-gost.patch
Patch5: gnutls-3.7.0-duplicate-certs.patch
Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch
Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch
%bcond_with bootstrap
%bcond_without dane
%if 0%{?rhel}
@ -33,9 +30,6 @@ BuildRequires: libidn2-devel
BuildRequires: libunistring-devel
BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
BuildRequires: gnupg2
%if %{with fips}
BuildRequires: fipscheck
%endif
# for a sanity check on cert loading
BuildRequires: p11-kit-trust, ca-certificates
@ -213,8 +207,9 @@ make %{?_smp_mflags} V=1
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*`.hmac && \
mv $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac $RPM_BUILD_ROOT%{_libdir}/.$file && \
ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
%{nil}
%endif
@ -293,6 +288,11 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
%endif
%changelog
* Sat Mar 13 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-1
- Update to upstream 3.7.1 release
- Remove fipscheck dependency, as it is now calculated with an
internal tool
* Fri Mar 5 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-4
- Tolerate duplicate certs in the chain also with PKCS #11 trust store
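Review bot: The 3.7.1-1 changelog entry does not mention the newly carried gnutls-3.7.1-aggressive-realloc-fixes.patch, even though the Patch3 line now points at it and the four 3.7.0 patches are gone; a line such as `- Add gnutls-3.7.1-aggressive-realloc-fixes.patch (upstream e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e, 78691bfe4555c4d610b405173987ed7515515d20)` would record why the package diverges from the release tarball. If %prep applies patches with explicit %patchN directives rather than %autosetup or %autopatch, the Patch4–Patch6 removals also need matching edits there; %prep is outside this section, so that is unverified. In the %__spec_install_post hunk, with `BuildRequires: fipscheck` dropped the `fipshmac -d …` line now has to resolve to the tool shipped in the 3.7.1 source tree, and the `.hmac` file it writes is the FIPS integrity check for libgnutls, so a short comment above that line naming where the binary comes from would stop the next maintainer from re-adding fipscheck. The new `basename` call is handed the unquoted glob `libgnutls.so.30.*`; coreutils basename fails with "extra operand" if that ever expands to more than one entry, which would abort the `&&` chain that renames and symlinks the hmac file.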


@ -1,3 +1,3 @@
SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885
SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd
SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95
SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173