rpms/gnutls
5
0
Fork 0
Code Issues Pull Requests Releases Activity

[packit] 3.8.0 upstream release

Browse Source 
Upstream tag: 3.8.0
Upstream commit: 516e466b

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2023-02-15 09:04:29 +01:00
parent 9df43c9df7
commit b08c1d3cb5
11 changed files with 26 additions and 1658 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -141,3 +141,6 @@ gnutls-2.10.1-nosrp.tar.bz2
/gnutls-3.7.6.tar.xz
/gnutls-3.7.7.tar.xz
/gnutls-3.7.8.tar.xz
/gnutls-3.8.0.tar.xz
/gnutls-3.8.0.tar.xz.sig
/gnutls-release-keyring.gpg

1
.packit.yaml
View File

@ -15,7 +15,6 @@ actions:
post-upstream-clone:
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec"
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch"
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.6.7-no-now-guile.patch"
get-current-version:
- "git describe --abbrev=0"
create-archive:

2
README.packit
View File

@ -1,3 +1,3 @@
This repository is maintained by packit.
https://packit.dev/
The file was generated using packit 0.60.0.
The file was generated using packit 0.67.0.

11
gnutls-3.6.7-no-now-guile.patch
View File

@ -1,11 +0,0 @@
--- a/guile/src/Makefile.in 2019-03-27 11:51:55.984398001 +0100
+++ b/guile/src/Makefile.in 2019-03-27 11:52:27.259626076 +0100
@@ -1472,7 +1472,7 @@
# Use '-module' to build a "dlopenable module", in Libtool terms.
# Use '-undefined' to placate Libtool on Windows; see
# <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
# Linking against GnuTLS.
GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la

132
gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch
View File

@ -1,132 +0,0 @@
From 7fa942e08e64b761b19753ae74503de43cc1ff91 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 6 Oct 2022 18:44:48 +0900
Subject: build: suppress GCC analyzer warnings
Signed-off-by: Daiki Ueno <ueno@gnu.org>
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 228d98468..f122049e1 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1636,6 +1636,10 @@ _gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_e
if (session->internals.selected_cert_list_length == 0)
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
+ if (unlikely(session->internals.selected_cert_list == NULL)) {
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+
_gnutls_debug_log("Selected (%s) cert\n",
gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo));
}
diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c
index 585cd031e..3a626a2c8 100644
--- a/lib/nettle/int/provable-prime.c
+++ b/lib/nettle/int/provable-prime.c
@@ -1173,7 +1173,7 @@ st_provable_prime(mpz_t p,
if (iterations > 0) {
storage_length = iterations * DIGEST_SIZE;
- storage = malloc(storage_length);
+ storage = gnutls_malloc(storage_length);
if (storage == NULL)
goto fail;
@@ -1307,7 +1307,7 @@ st_provable_prime(mpz_t p,
mpz_clear(t);
mpz_clear(tmp);
mpz_clear(c);
- free(pseed);
- free(storage);
+ gnutls_free(pseed);
+ gnutls_free(storage);
return ret;
}
diff --git a/lib/pk.c b/lib/pk.c
index c5600a32a..753cecd18 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -93,6 +93,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value,
}
if (r->data[0] >= 0x80) {
+ assert(tmp);
tmp[0] = 0;
memcpy(&tmp[1], r->data, r->size);
result = asn1_write_value(sig, "r", tmp, 1+r->size);
@@ -108,6 +109,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value,
if (s->data[0] >= 0x80) {
+ assert(tmp);
tmp[0] = 0;
memcpy(&tmp[1], s->data, s->size);
result = asn1_write_value(sig, "s", tmp, 1+s->size);
@@ -598,6 +600,10 @@ encode_ber_digest_info(const mac_entry_st * e,
uint8_t *tmp_output;
int tmp_output_size;
+ if (unlikely(e == NULL)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+
/* prevent asn1_write_value() treating input as string */
if (digest->size == 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 59eddcd2a..6f528a911 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -1211,6 +1211,10 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
}
ce = cipher_to_entry(enc_params->cipher);
+ if (unlikely(ce == NULL)) {
+ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_CIPHER_TYPE);
+ goto error;
+ }
block_size = _gnutls_cipher_get_block_size(ce);
if (ce->type == CIPHER_BLOCK) {
diff --git a/src/tests.c b/src/tests.c
index 85c4b6699..8526b6943 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -1613,7 +1613,9 @@ test_code_t test_chain_order(gnutls_session_t session)
gnutls_free(t.data);
}
- *pos = 0;
+ if (pos) {
+ *pos = 0;
+ }
t.size = p_size;
t.data = (void*)p;
diff --git a/src/tpmtool.c b/src/tpmtool.c
index 171b7fd41..1b230c2ff 100644
--- a/src/tpmtool.c
+++ b/src/tpmtool.c
@@ -263,15 +263,15 @@ static void tpm_generate(FILE * out, unsigned int key_type,
gnutls_datum_t privkey, pubkey;
if (!srk_well_known) {
- srk_pass = getpass("Enter SRK password: ");
- if (srk_pass != NULL)
- srk_pass = strdup(srk_pass);
+ char *pass = getpass("Enter SRK password: ");
+ if (pass != NULL)
+ srk_pass = strdup(pass);
}
if (!(flags & GNUTLS_TPM_REGISTER_KEY)) {
- key_pass = getpass("Enter key password: ");
- if (key_pass != NULL)
- key_pass = strdup(key_pass);
+ char *pass = getpass("Enter key password: ");
+ if (pass != NULL)
+ key_pass = strdup(pass);
}
ret =

273
gnutls-3.7.8-ktls_add_ciphersuites.patch
View File

@ -1,273 +0,0 @@
From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Thu, 1 Dec 2022 15:37:33 +0100
Subject: [PATCH 1/2] KTLS: add ciphersuites
* TLS_AES_128_CCM_SHA256
* TLS_CHACHA20_POLY1305_SHA256
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 153 insertions(+), 6 deletions(-)
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index 703775960..792d09ccf 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
gnutls_datum_t mac_key;
gnutls_datum_t iv;
gnutls_datum_t cipher_key;
- unsigned char seq_number[8];
+ unsigned char seq_number[12];
int sockin, sockout;
int ret;
@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
int version = gnutls_protocol_get_version(session);
if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) ||
(gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM &&
- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) {
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM &&
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM &&
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) {
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
}
@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
case GNUTLS_CIPHER_AES_128_GCM:
{
struct tls12_crypto_info_aes_gcm_128 crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
+ memset(&crypto_info, 0, sizeof (crypto_info));
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE);
@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
case GNUTLS_CIPHER_AES_256_GCM:
{
struct tls12_crypto_info_aes_gcm_256 crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
+ memset(&crypto_info, 0, sizeof (crypto_info));
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
}
}
break;
+ case GNUTLS_CIPHER_AES_128_CCM:
+ {
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof (crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
+ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE
+ + TLS_CIPHER_AES_CCM_128_IV_SIZE);
+
+ memcpy(crypto_info.iv, iv.data +
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE,
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ }
+
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
+ &crypto_info, sizeof (crypto_info))) {
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+ }
+ break;
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
+ {
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
+ memset(&crypto_info, 0, sizeof (crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
+ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE
+ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+
+ memcpy(crypto_info.iv, iv.data +
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ }
+
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
+ &crypto_info, sizeof (crypto_info))) {
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+ }
+ break;
default:
assert(0);
}
+
+
}
ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key,
@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
case GNUTLS_CIPHER_AES_128_GCM:
{
struct tls12_crypto_info_aes_gcm_128 crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
+ memset(&crypto_info, 0, sizeof (crypto_info));
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
case GNUTLS_CIPHER_AES_256_GCM:
{
struct tls12_crypto_info_aes_gcm_256 crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
+ memset(&crypto_info, 0, sizeof (crypto_info));
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
}
}
break;
+ case GNUTLS_CIPHER_AES_128_CCM:
+ {
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof (crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
+ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE +
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ }
+
+ memcpy (crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
+ memcpy (crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+ memcpy (crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
+ &crypto_info, sizeof (crypto_info))) {
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+ }
+ break;
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
+ {
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
+ memset(&crypto_info, 0, sizeof (crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
+ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE +
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ }
+
+ memcpy (crypto_info.salt, iv.data,
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
+ memcpy (crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+ memcpy (crypto_info.key, cipher_key.data,
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
+ &crypto_info, sizeof (crypto_info))) {
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+ }
+ break;
default:
assert(0);
}
+
// set callback for sending handshake messages
gnutls_handshake_set_read_function(session,
_gnutls_ktls_send_handshake_msg);
--
2.38.1
From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Fri, 2 Dec 2022 11:07:48 +0100
Subject: [PATCH 2/2] KTLS: add ciphersuites (tests)
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
tests/gnutls_ktls.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
index 8f9c5fa36..919270778 100644
--- a/tests/gnutls_ktls.c
+++ b/tests/gnutls_ktls.c
@@ -350,8 +350,12 @@ void doit(void)
{
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM");
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM");
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM");
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305");
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM");
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305");
}
#endif /* _WIN32 */
--
2.38.1

62
gnutls-3.7.8-ktls_invalidate_session.patch
View File

@ -1,62 +0,0 @@
From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 11:10:58 +0900
Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
src/common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/common.c b/src/common.c
index 6d2056f95..20327b41c 100644
--- a/src/common.c
+++ b/src/common.c
@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
if (ret < 0) {
fprintf(stderr, "Encoding error: %s\n",
gnutls_strerror(ret));
- return;
+ goto cleanup;
}
log_msg(out, "\n%s\n", (char*)pem.data);
@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
gnutls_free(pem.data);
}
+ cleanup:
+ gnutls_pcert_deinit(&pk_cert);
}
/* returns false (0) if not verified, or true (1) otherwise
--
2.38.1
From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 11:14:53 +0900
Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/resume-with-previous-stek.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
index 94f165627..98aba8d84 100644
--- a/tests/resume-with-previous-stek.c
+++ b/tests/resume-with-previous-stek.c
@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio)
gnutls_deinit(session);
}
+
+ gnutls_free(session_data.data);
}
typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key,
--
2.38.1

957
gnutls-3.7.8-ktls_key_update.patch
View File

@ -1,957 +0,0 @@
From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Tue, 2 Aug 2022 15:00:50 +0200
Subject: [PATCH 1/7] KTLS: set key on specific interfaces
It is now possible to set key on specific interface.
If interface given is not ktls enabled then it will be ignored.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/handshake.c | 2 +-
lib/system/ktls.c | 12 +++++++-----
lib/system/ktls.h | 7 ++++++-
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/lib/handshake.c b/lib/handshake.c
index 21edc5ece..cb2bc3ae9 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session)
#ifdef ENABLE_KTLS
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
- _gnutls_ktls_set_keys(session);
+ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
}
#endif
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index ddf27fac7..70b9b9b3a 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session)
}
}
-int _gnutls_ktls_set_keys(gnutls_session_t session)
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in)
{
gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session);
gnutls_datum_t mac_key;
@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
return ret;
}
- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){
+ in &= session->internals.ktls_enabled;
+
+ if(in & GNUTLS_KTLS_RECV){
switch (cipher) {
case GNUTLS_CIPHER_AES_128_GCM:
{
@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){
+ if(in & GNUTLS_KTLS_SEND){
switch (cipher) {
case GNUTLS_CIPHER_AES_128_GCM:
{
@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
}
}
- return 0;
+ return in;
}
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
void _gnutls_ktls_enable(gnutls_session_t session) {
}
-int _gnutls_ktls_set_keys(gnutls_session_t session) {
+int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) {
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
index 8a98a8eb8..c8059092d 100644
--- a/lib/system/ktls.h
+++ b/lib/system/ktls.h
@@ -4,14 +4,19 @@
#include "gnutls_int.h"
void _gnutls_ktls_enable(gnutls_session_t session);
-int _gnutls_ktls_set_keys(gnutls_session_t session);
+
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in);
+
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
off_t *offset, size_t count);
+
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
const void *data, size_t data_size);
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
+
int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type,
void *data, size_t data_size);
+
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size);
#define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
--
2.39.0
From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Tue, 2 Aug 2022 13:35:39 +0200
Subject: [PATCH 2/7] KTLS: set new keys for keyupdate
set new keys durring gnutls_session_key_update()
setting keys
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/tls13/key_update.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index c6f6e0aa1..10c0a9110 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -27,6 +27,7 @@
#include "mem.h"
#include "mbuffers.h"
#include "secrets.h"
+#include "system/ktls.h"
#define KEY_UPDATES_WINDOW 1000
#define KEY_UPDATES_PER_WINDOW 8
@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
* write keys */
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
ret = _tls13_write_connection_state_init(session, stage);
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
} else {
ret = _tls13_connection_state_init(session, stage);
+
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
+
}
if (ret < 0)
return gnutls_assert_val(ret);
--
2.39.0
From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Wed, 3 Aug 2022 14:20:35 +0200
Subject: [PATCH 3/7] KTLS: send update key request
Set hanshake send function after interface initialization
TODO: handel setting function differently
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/record.c | 23 ++++++++++++++++-------
lib/system/ktls.c | 21 +++++++++++++++++++++
lib/system/ktls.h | 5 +++++
3 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/lib/record.c b/lib/record.c
index fd24acaf1..aad128e1f 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data,
session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3;
FALLTHROUGH;
case RECORD_SEND_KEY_UPDATE_3:
- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
- -1, EPOCH_WRITE_CURRENT,
- session->internals.record_key_update_buffer.data,
- session->internals.record_key_update_buffer.length,
- MBUFFER_FLUSH);
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
+ return _gnutls_ktls_send(session,
+ session->internals.record_key_update_buffer.data,
+ session->internals.record_key_update_buffer.length);
+ } else {
+ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
+ -1, EPOCH_WRITE_CURRENT,
+ session->internals.record_key_update_buffer.data,
+ session->internals.record_key_update_buffer.length,
+ MBUFFER_FLUSH);
+ }
_gnutls_buffer_clear(&session->internals.record_key_update_buffer);
session->internals.rsend_state = RECORD_SEND_NORMAL;
if (ret < 0)
@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session,
return gnutls_assert_val(0);
/* When using this, the outgoing handshake messages should
- * also be handled manually */
- if (!session->internals.h_read_func)
+ * also be handled manually unless KTLS is enabled exclusively
+ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages
+ * are handled by GnuTLS.
+ */
+ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
if (session->internals.initial_negotiation_completed) {
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index 70b9b9b3a..5da0a8069 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
default:
assert(0);
}
+ // set callback for sending handshake messages
+ gnutls_handshake_set_read_function(session,
+ _gnutls_ktls_send_handshake_msg);
}
return in;
@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
return data_size;
}
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
+ gnutls_record_encryption_level_t level,
+ gnutls_handshake_description_t htype,
+ const void *data, size_t data_size)
+{
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE,
+ data, data_size);
+}
+
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
unsigned char *record_type, void *data, size_t data_size)
{
@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
+ gnutls_record_encryption_level_t level,
+ gnutls_handshake_description_t htype,
+ const void *data, size_t data_size)
+{
+ (void)level;
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+}
+
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
void *data, size_t data_size) {
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
index c8059092d..8d61a49df 100644
--- a/lib/system/ktls.h
+++ b/lib/system/ktls.h
@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
off_t *offset, size_t count);
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
+ gnutls_record_encryption_level_t level,
+ gnutls_handshake_description_t htype,
+ const void *data, size_t data_size);
+
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
const void *data, size_t data_size);
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
--
2.39.0
From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Mon, 22 Aug 2022 10:50:37 +0200
Subject: [PATCH 4/7] KTLS: receive key update
handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/system/ktls.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index 5da0a8069..f3cb343ae 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
ret = 0;
break;
case GNUTLS_HANDSHAKE:
- // ignore post-handshake messages
+ ret = gnutls_handshake_write(session,
+ GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
+ data, ret);
+
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
if (type != record_type)
return GNUTLS_E_AGAIN;
break;
--
2.39.0
From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Fri, 5 Aug 2022 16:38:02 +0200
Subject: [PATCH 5/7] KTLS: set write alert callback
Use callback for sending alerts.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/alert.c | 13 ++++---------
lib/system/ktls.c | 15 +++++++++++++++
lib/system/ktls.h | 5 +++++
3 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/lib/alert.c b/lib/alert.c
index 50bd1d3de..fda8cd79f 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level,
return ret;
}
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
- ret =
- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
- } else {
- ret =
- _gnutls_send_int(session, GNUTLS_ALERT, -1,
- EPOCH_WRITE_CURRENT, data, 2,
- MBUFFER_FLUSH);
- }
+ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1,
+ EPOCH_WRITE_CURRENT, data, 2,
+ MBUFFER_FLUSH);
+
return (ret < 0) ? ret : 0;
}
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index f3cb343ae..703775960 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
default:
assert(0);
}
+
// set callback for sending handshake messages
gnutls_handshake_set_read_function(session,
_gnutls_ktls_send_handshake_msg);
+
+ // set callback for sending alert messages
+ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg);
}
return in;
@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
data, data_size);
}
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
+ gnutls_record_encryption_level_t level,
+ gnutls_alert_level_t alert_level,
+ gnutls_alert_description_t alert_desc)
+{
+ uint8_t data[2];
+ data[0] = (uint8_t) alert_level;
+ data[1] = (uint8_t) alert_desc;
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
+}
+
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
unsigned char *record_type, void *data, size_t data_size)
{
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
index 8d61a49df..64e1c9c1c 100644
--- a/lib/system/ktls.h
+++ b/lib/system/ktls.h
@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
gnutls_handshake_description_t htype,
const void *data, size_t data_size);
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
+ gnutls_record_encryption_level_t level,
+ gnutls_alert_level_t alert_level,
+ gnutls_alert_description_t alert_desc);
+
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
const void *data, size_t data_size);
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
--
2.39.0
From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Tue, 9 Aug 2022 12:11:16 +0200
Subject: [PATCH 6/7] KTLS: rekey test
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
tests/Makefile.am | 2 +
tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++
tests/ktls_keyupdate.sh | 46 +++++
3 files changed, 429 insertions(+)
create mode 100644 tests/ktls_keyupdate.c
create mode 100755 tests/ktls_keyupdate.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1122886b3..2d345d478 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -500,6 +500,8 @@ endif
if ENABLE_KTLS
indirect_tests += gnutls_ktls
dist_check_SCRIPTS += ktls.sh
+indirect_tests += ktls_keyupdate
+dist_check_SCRIPTS += ktls_keyupdate.sh
endif
if !WINDOWS
diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c
new file mode 100644
index 000000000..9fbff38ae
--- /dev/null
+++ b/tests/ktls_keyupdate.c
@@ -0,0 +1,381 @@
+// Copyright (C) 2022 Red Hat, Inc.
+//
+// Author: Frantisek Krenzelok
+//
+// This file is part of GnuTLS.
+//
+// GnuTLS is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3 of the License, or (at
+// your option) any later version.
+//
+// GnuTLS is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with GnuTLS; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <gnutls/dtls.h>
+#include <gnutls/socket.h>
+#include <signal.h>
+#include <assert.h>
+#include <errno.h>
+
+#include "cert-common.h"
+#include "utils.h"
+
+#if defined(_WIN32)
+
+int main(void)
+{
+ exit(77);
+}
+
+#else
+
+
+#define MAX_BUF 1024
+#define MSG "Hello world!"
+
+#define HANDSHAKE(session, name, ret)\
+{\
+ do {\
+ ret = gnutls_handshake(session);\
+ }\
+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\
+ if (ret < 0) {\
+ fail("%s: Handshake failed\n", name);\
+ goto end;\
+ }\
+}
+
+#define SEND_MSG(session, name, ret)\
+{\
+ do {\
+ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
+ if (ret < 0) {\
+ fail("%s: data sending has failed (%s)\n",name,\
+ gnutls_strerror(ret));\
+ goto end;\
+ }\
+}
+
+#define RECV_MSG(session, name, buffer, buffer_len, ret)\
+{\
+ memset(buffer, 0, sizeof(buffer));\
+ do{\
+ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\
+ }\
+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
+ if (ret == 0) {\
+ success("%s: Peer has closed the TLS connection\n", name);\
+ goto end;\
+ } else if (ret < 0) {\
+ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\
+ goto end;\
+ }\
+ if(strncmp(buffer, MSG, ret)){\
+ fail("%s: Message doesn't match\n", name);\
+ goto end;\
+ }\
+}
+
+#define KEY_UPDATE(session, name, peer_req, ret)\
+{\
+ do {\
+ ret = gnutls_session_key_update(session, peer_req);\
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
+ if (ret < 0) {\
+ fail("%s: key update has failed (%s)\n", name, \
+ gnutls_strerror(ret));\
+ goto end;\
+ }\
+}
+
+#define CHECK_KTLS_ENABLED(session, ret)\
+{\
+ ret = gnutls_transport_is_ktls_enabled(session);\
+ if (!(ret & GNUTLS_KTLS_RECV)){\
+ fail("client: KTLS was not properly initialized\n");\
+ goto end;\
+ }\
+}
+
+static void server_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+static void client_log_func(int level, const char *str)
+{
+ fprintf(stderr, "client|<%d>| %s", level, str);
+}
+
+
+static void client(int fd, const char *prio, int pipe)
+{
+ const char *name = "client";
+ int ret;
+ char foo;
+ char buffer[MAX_BUF + 1];
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_session_t session;
+
+ global_init();
+
+ if (debug) {
+ gnutls_global_set_log_function(client_log_func);
+ gnutls_global_set_log_level(7);
+ }
+
+ gnutls_certificate_allocate_credentials(&x509_cred);
+
+ gnutls_init(&session, GNUTLS_CLIENT);
+ gnutls_handshake_set_timeout(session, 0);
+
+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+ gnutls_transport_set_int(session, fd);
+
+ HANDSHAKE(session, name, ret);
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ // Test 0: Try sending/receiving data
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+ SEND_MSG(session, name, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ // Test 1: Servers does key update
+ read(pipe, &foo, 1);
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+ SEND_MSG(session, name, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ // Test 2: Does key update witch request
+ read(pipe, &foo, 1);
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+ SEND_MSG(session, name, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+ if (ret < 0) {
+ fail("client: error in closing session: %s\n", gnutls_strerror(ret));
+ }
+
+ ret = 0;
+ end:
+
+ close(fd);
+
+ gnutls_deinit(session);
+
+ gnutls_certificate_free_credentials(x509_cred);
+
+ gnutls_global_deinit();
+
+ if (ret != 0)
+ exit(1);
+}
+
+pid_t child;
+static void terminate(void)
+{
+ assert(child);
+ kill(child, SIGTERM);
+ exit(1);
+}
+
+static void server(int fd, const char *prio, int pipe)
+{
+ const char *name = "server";
+ int ret;
+ char bar = 0;
+ char buffer[MAX_BUF + 1];
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_session_t session;
+
+ global_init();
+
+ if (debug) {
+ gnutls_global_set_log_function(server_log_func);
+ gnutls_global_set_log_level(7);
+ }
+
+ gnutls_certificate_allocate_credentials(&x509_cred);
+ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
+ &server_key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_init(&session, GNUTLS_SERVER);
+ gnutls_handshake_set_timeout(session, 0);
+
+ assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+ gnutls_transport_set_int(session, fd);
+
+ HANDSHAKE(session, name, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ success("Test 0: sending/receiving data\n");
+ SEND_MSG(session, name, ret)
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ success("Test 1: server key update without request\n");
+ KEY_UPDATE(session, name, 0, ret)
+ write(pipe, &bar, 1);
+ SEND_MSG(session, name, ret)
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ success("Test 2: server key update with request\n");
+ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret)
+ write(pipe, &bar, 1);
+ SEND_MSG(session, name, ret)
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
+
+ CHECK_KTLS_ENABLED(session, ret)
+
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
+ if (ret < 0) {
+ fail("server: error in closing session: %s\n", gnutls_strerror(ret));
+ }
+
+ ret = 0;
+end:
+ close(fd);
+ gnutls_deinit(session);
+
+ gnutls_certificate_free_credentials(x509_cred);
+
+ gnutls_global_deinit();
+
+ if (ret){
+ terminate();
+ }
+
+ if (debug)
+ success("server: finished\n");
+}
+
+static void ch_handler(int sig)
+{
+ return;
+}
+
+static void run(const char *prio)
+{
+ int ret;
+ struct sockaddr_in saddr;
+ socklen_t addrlen;
+ int listener;
+ int fd;
+
+ int sync_pipe[2]; //used for synchronization
+ pipe(sync_pipe);
+
+ success("running ktls test with %s\n", prio);
+
+ signal(SIGCHLD, ch_handler);
+ signal(SIGPIPE, SIG_IGN);
+
+ listener = socket(AF_INET, SOCK_STREAM, 0);
+ if (listener == -1){
+ fail("error in listener(): %s\n", strerror(errno));
+ }
+
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = 0;
+
+ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr));
+ if (ret == -1){
+ fail("error in bind(): %s\n", strerror(errno));
+ }
+
+ addrlen = sizeof(saddr);
+ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen);
+ if (ret == -1){
+ fail("error in getsockname(): %s\n", strerror(errno));
+ }
+
+ child = fork();
+ if (child < 0) {
+ fail("error in fork(): %s\n", strerror(errno));
+ exit(1);
+ }
+
+ if (child) {
+ int status;
+ /* parent */
+ ret = listen(listener, 1);
+ if (ret == -1) {
+ fail("error in listen(): %s\n", strerror(errno));
+ }
+
+ fd = accept(listener, NULL, NULL);
+ if (fd == -1) {
+ fail("error in accept(): %s\n", strerror(errno));
+ }
+
+ close(sync_pipe[0]);
+ server(fd, prio, sync_pipe[1]);
+
+ wait(&status);
+ check_wait_status(status);
+ } else {
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (fd == -1){
+ fail("error in socket(): %s\n", strerror(errno));
+ exit(1);
+ }
+
+ usleep(1000000);
+ connect(fd, (struct sockaddr*)&saddr, addrlen);
+
+ close(sync_pipe[1]);
+ client(fd, prio, sync_pipe[0]);
+ exit(0);
+ }
+}
+
+void doit(void)
+{
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
+}
+
+#endif /* _WIN32 */
diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh
new file mode 100755
index 000000000..d072acafc
--- /dev/null
+++ b/tests/ktls_keyupdate.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# Author: Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+
+. "$srcdir/scripts/common.sh"
+
+if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then
+ exit 77
+fi
+
+testdir=`create_testdir ktls_keyupdate`
+
+cfg="$testdir/config"
+
+cat <<EOF > "$cfg"
+[global]
+ktls = true
+EOF
+
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
+"$builddir/ktls_keyupdate" "$@"
+rc=$?
+
+rm -rf "$testdir"
+exit $rc
--
2.39.0
From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Date: Mon, 5 Sep 2022 13:05:17 +0200
Subject: [PATCH 7/7] KTLS: fallback to default
If an error occurs during setting of keys either initial or key update
then fallback to default mode of operation (disable ktls) and let the
user know
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
lib/handshake.c | 7 ++++++-
lib/tls13/key_update.c | 23 +++++++++++++++++++----
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/lib/handshake.c b/lib/handshake.c
index cb2bc3ae9..14bcdea56 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session)
#ifdef ENABLE_KTLS
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
+ if (ret < 0) {
+ session->internals.ktls_enabled = 0;
+ _gnutls_audit_log(session,
+ "disabling KTLS: failed to set keys\n");
+ }
}
#endif
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index 10c0a9110..acfda4129 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -32,6 +32,20 @@
#define KEY_UPDATES_WINDOW 1000
#define KEY_UPDATES_PER_WINDOW 8
+/*
+ * Sets kTLS keys if enabled.
+ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled
+ * because KTLS most likely doesn't support key update.
+ */
+#define SET_KTLS_KEYS(session, interface)\
+{\
+ if(_gnutls_ktls_set_keys(session, interface) < 0) {\
+ session->internals.ktls_enabled = 0;\
+ _gnutls_audit_log(session, \
+ "disabling KTLS: couldn't update keys\n");\
+ }\
+}
+
static int update_keys(gnutls_session_t session, hs_stage_t stage)
{
int ret;
@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
ret = _tls13_write_connection_state_init(session, stage);
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
} else {
ret = _tls13_connection_state_init(session, stage);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
-
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV)
}
if (ret < 0)
return gnutls_assert_val(ret);
--
2.39.0

155
gnutls-3.7.8-ktls_minor_fixes.patch
View File

@ -1,155 +0,0 @@
From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:17:12 +0900
Subject: [PATCH 1/3] includes: move KTLS function definition out of
<gnutls/socket.h>
<gnutls/socket.h> is meant for the functions that depend on
<sys/socket.h>, which is not available on Windows platforms.
As the KTLS API doesn't rely on <sys/socket.h>, move the function and
enum to <gnutls/gnutls.h>.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++
lib/includes/gnutls/socket.h | 21 ---------------------
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 394d465e3..830ce5f95 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void);
int gnutls_fips140_run_self_tests(void);
+/**
+ * gnutls_transport_ktls_enable_flags_t:
+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
+ * @GNUTLS_KTLS_SEND: ktls enabled for send function.
+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
+ *
+ * Flag enumeration of ktls enable status for recv and send functions.
+ * This is used by gnutls_transport_is_ktls_enabled().
+ *
+ * Since: 3.7.3
+ */
+typedef enum {
+ GNUTLS_KTLS_RECV = 1 << 0,
+ GNUTLS_KTLS_SEND = 1 << 1,
+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
+} gnutls_transport_ktls_enable_flags_t;
+
+
+gnutls_transport_ktls_enable_flags_t
+gnutls_transport_is_ktls_enabled(gnutls_session_t session);
+
/* Gnutls error codes. The mapping to a TLS alert is also shown in
* comments.
*/
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
index 4df7bb2e0..64eb19f89 100644
--- a/lib/includes/gnutls/socket.h
+++ b/lib/includes/gnutls/socket.h
@@ -37,27 +37,6 @@ extern "C" {
#endif
/* *INDENT-ON* */
-/**
- * gnutls_transport_ktls_enable_flags_t:
- * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
- * @GNUTLS_KTLS_SEND: ktls enabled for send function.
- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
- *
- * Flag enumeration of ktls enable status for recv and send functions.
- * This is used by gnutls_transport_is_ktls_enabled().
- *
- * Since: 3.7.3
- */
-typedef enum {
- GNUTLS_KTLS_RECV = 1 << 0,
- GNUTLS_KTLS_SEND = 1 << 1,
- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
-} gnutls_transport_ktls_enable_flags_t;
-
-
-gnutls_transport_ktls_enable_flags_t
-gnutls_transport_is_ktls_enabled(gnutls_session_t session);
-
void gnutls_transport_set_fastopen(gnutls_session_t session,
int fd,
struct sockaddr *connect_addr,
--
2.38.1
From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:13:31 +0900
Subject: [PATCH 2/3] src: print KTLS enablement status in
gnutls-serv/gnutls-cli
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
src/common.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/common.c b/src/common.c
index 6d2056f95..d357c7fb8 100644
--- a/src/common.c
+++ b/src/common.c
@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags)
gnutls_datum_t p;
char *desc;
gnutls_protocol_t version;
+ gnutls_transport_ktls_enable_flags_t ktls_flags;
int rc;
desc = gnutls_session_get_desc(session);
@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags)
print_channel_bindings(session, verbose);
+ ktls_flags = gnutls_transport_is_ktls_enabled(session);
+ if (ktls_flags != 0) {
+ log_msg(stdout, "- KTLS: %s\n",
+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" :
+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" :
+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" :
+ "unknown");
+ }
+
fflush(stdout);
return 0;
--
2.38.1
From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:15:26 +0900
Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/priority.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/priority.c b/lib/priority.c
index 97831e63b..6266bb571 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
p = clear_spaces(value, str);
if (c_strcasecmp(p, "true") == 0) {
cfg->ktls_enabled = true;
+ } else if (c_strcasecmp(p, "false") == 0) {
+ cfg->ktls_enabled = false;
} else {
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
p);
--
2.38.1

84
gnutls.spec
View File

@ -12,21 +12,16 @@ sha256sum:close()
print(string.sub(hash, 0, 16))
}
%global with_srp 0%{?fedora} < 38
%global with_mingw 0
%if 0%{?fedora}
%global with_mingw 0%{!?_without_mingw:1}
%endif
Version: 3.7.8
Version: 3.8.0
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch
Patch: gnutls-3.2.7-rpath.patch
Patch: gnutls-3.6.7-no-now-guile.patch
Patch: gnutls-3.7.8-ktls_key_update.patch
Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch
Patch: gnutls-3.7.8-ktls_minor_fixes.patch
Patch: gnutls-3.7.8-ktls_invalidate_session.patch
# Delete only after the kernel has been patched for thested systems
Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch
@ -36,13 +31,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
%bcond_without bootstrap
%bcond_without dane
%if 0%{?rhel}
%bcond_with guile
%bcond_without fips
%else
%bcond_without guile
%bcond_without fips
%endif
%bcond_with tpm12
%bcond_without tpm2
%bcond_without gost
@ -87,9 +76,6 @@ Recommends: trousers >= 0.3.11.2
%if %{with dane}
BuildRequires: unbound-devel unbound-libs
%endif
%if %{with guile}
BuildRequires: guile22-devel
%endif
BuildRequires: make gtk-doc
%if %{with_mingw}
@ -147,13 +133,6 @@ Summary: A DANE protocol implementation for GnuTLS
Requires: %{name}%{?_isa} = %{version}-%{release}
%endif
%if %{with guile}
%package guile
Summary: Guile bindings for the GNUTLS library
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: guile22
%endif
%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
@ -197,16 +176,6 @@ This package contains library that implements the DANE protocol for verifying
TLS certificates through DNSSEC.
%endif
%if %{with guile}
%description guile
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains Guile bindings for the library.
%endif
%if %{with_mingw}
%package -n mingw32-%{name}
Summary: MinGW GnuTLS TLS/SSL encryption library
@ -251,15 +220,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS
%if %{with guile}
# These should be checked by m4/guile.m4 instead of configure.ac
# taking into account of _guile_suffix
guile_snarf=%{_bindir}/guile-snarf2.2
export guile_snarf
GUILD=%{_bindir}/guild2.2
export GUILD
%endif
%if %{with fips}
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
@ -278,6 +238,9 @@ pushd native_build
--enable-gost \
%else
--disable-gost \
%endif
%if %{with_srp}
--enable-srp-authentication \
%endif
--enable-sha1-support \
--disable-static \
@ -297,12 +260,6 @@ pushd native_build
%endif
--enable-ktls \
--htmldir=%{_docdir}/manual \
%if %{with guile}
--enable-guile \
--with-guile-extension-dir=%{_libdir}/guile/2.2 \
%else
--disable-guile \
%endif
%if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \
--enable-libdane \
@ -324,11 +281,13 @@ popd
# MinGW does not support CCASFLAGS
export CCASFLAGS=""
%mingw_configure \
%if %{with_srp}
--enable-srp-authentication \
%endif
--enable-sha1-support \
--disable-static \
--disable-openssl-compatibility \
--disable-non-suiteb-curves \
--disable-guile \
--disable-libdane \
--disable-rpath \
--disable-nls \
@ -348,8 +307,6 @@ pushd native_build
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la
%if %{without dane}
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
%endif
@ -358,8 +315,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
# doing it twice should be a no-op the second time,
# and this way we avoid redefining it and missing a future change
%{__spec_install_post}
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
%endif
%if %{with fips}
@ -412,7 +371,7 @@ popd
%files -f native_build/gnutls.lang
%{_libdir}/libgnutls.so.30*
%if %{with fips}
%{_libdir}/.gnutls.hmac
%{_libdir}/.libgnutls.so.30*.hmac
%endif
%doc README.md AUTHORS NEWS THANKS
%license LICENSE doc/COPYING doc/COPYING.LESSER
@ -438,7 +397,9 @@ popd
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%if %{with_srp}
%{_bindir}/srptool
%endif
%if %{with dane}
%{_bindir}/danetool
%endif
@ -451,15 +412,6 @@ popd
%{_libdir}/libgnutls-dane.so.*
%endif
%if %{with guile}
%files guile
%{_libdir}/guile/2.2/guile-gnutls*.so*
%{_libdir}/guile/2.2/site-ccache/gnutls.go
%{_libdir}/guile/2.2/site-ccache/gnutls/extra.go
%{_datadir}/guile/site/2.2/gnutls.scm
%{_datadir}/guile/site/2.2/gnutls/extra.scm
%endif
%if %{with_mingw}
%files -n mingw32-%{name}
%license LICENSE doc/COPYING doc/COPYING.LESSER
@ -471,7 +423,9 @@ popd
%{mingw32_bindir}/ocsptool.exe
%{mingw32_bindir}/p11tool.exe
%{mingw32_bindir}/psktool.exe
%if %{with_srp}
%{mingw32_bindir}/srptool.exe
%endif
%{mingw32_libdir}/libgnutls.dll.a
%{mingw32_libdir}/libgnutls-30.def
%{mingw32_libdir}/pkgconfig/gnutls.pc
@ -487,7 +441,9 @@ popd
%{mingw64_bindir}/ocsptool.exe
%{mingw64_bindir}/p11tool.exe
%{mingw64_bindir}/psktool.exe
%if %{with_srp}
%{mingw64_bindir}/srptool.exe
%endif
%{mingw64_libdir}/libgnutls.dll.a
%{mingw64_libdir}/libgnutls-30.def
%{mingw64_libdir}/pkgconfig/gnutls.pc

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359
SHA512 (gnutls-3.7.8.tar.xz.sig) = cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7
SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629
SHA512 (gnutls-3.8.0.tar.xz.sig) = 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654
SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d