Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/gnutls.git#43597a7ec6c85dafffe67512102e1d9da6a7608a
This commit is contained in:
DistroBaker 2021-03-23 11:00:23 +00:00
parent d28c309576
commit ec246bb852
7 changed files with 120 additions and 624 deletions

2
.gitignore vendored
View File

@ -131,3 +131,5 @@ gnutls-2.10.1-nosrp.tar.bz2
/gnutls-3.6.15.tar.xz.sig /gnutls-3.6.15.tar.xz.sig
/gnutls-3.7.0.tar.xz /gnutls-3.7.0.tar.xz
/gnutls-3.7.0.tar.xz.sig /gnutls-3.7.0.tar.xz.sig
/gnutls-3.7.1.tar.xz
/gnutls-3.7.1.tar.xz.sig

View File

@ -1,403 +0,0 @@
From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 12:14:13 +0100
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
certificates
The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
regression, where duplicate certificates in a certificate chain are no
longer ignored but treated as a non-contiguous segment and that
results in calling the issuer callback, or a verification failure.
This adds a mechanism to record certificates already seen in the
chain, and skip them while still allow the caller to inject missing
certificates.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Andreas Metzler <ametzler@debian.org>
---
lib/x509/common.c | 8 ++
lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
tests/missingissuer.c | 2 +
tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
4 files changed, 245 insertions(+), 23 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3301aaad0..10c8db53c 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
* increasing DEFAULT_MAX_VERIFY_DEPTH.
*/
for (i = 0; i < clist_size; i++) {
+ /* Self-signed certificate found in the chain; skip it
+ * as it should only appear in the trusted set.
+ */
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
+ _gnutls_cert_log("self-signed cert found", clist[i]);
+ continue;
+ }
+
for (j = 1; j < clist_size; j++) {
if (i == j)
continue;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 588e7ee0d..9a16e6b42 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
#define DEFAULT_SIZE 127
+struct cert_set_node_st {
+ gnutls_x509_crt_t *certs;
+ unsigned int size;
+};
+
+struct cert_set_st {
+ struct cert_set_node_st *node;
+ unsigned int size;
+};
+
+static int
+cert_set_init(struct cert_set_st *set, unsigned int size)
+{
+ memset(set, 0, sizeof(*set));
+
+ set->size = size;
+ set->node = gnutls_calloc(size, sizeof(*set->node));
+ if (!set->node) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ return 0;
+}
+
+static void
+cert_set_deinit(struct cert_set_st *set)
+{
+ size_t i;
+
+ for (i = 0; i < set->size; i++) {
+ gnutls_free(set->node[i].certs);
+ }
+
+ gnutls_free(set->node);
+}
+
+static bool
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash, i;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ for (i = 0; i < set->node[hash].size; i++) {
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static int
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ set->node[hash].certs =
+ gnutls_realloc_fast(set->node[hash].certs,
+ (set->node[hash].size + 1) *
+ sizeof(*set->node[hash].certs));
+ if (!set->node[hash].certs) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+ set->node[hash].certs[set->node[hash].size] = cert;
+ set->node[hash].size++;
+
+ return 0;
+}
+
/**
* gnutls_x509_trust_list_init:
* @list: A pointer to the type to be initialized
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned have_set_name = 0;
unsigned saved_output;
gnutls_datum_t ip = {NULL, 0};
+ struct cert_set_st cert_set = { NULL, 0 };
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
cert_list = sorted;
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+ if (ret < 0) {
+ return ret;
+ }
+
for (i = 0; i < cert_list_size &&
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- unsigned int sorted_size;
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
sorted_size = _gnutls_sort_clist(&cert_list[i],
cert_list_size - i);
- i += sorted_size - 1;
}
- if (i == cert_list_size - 1) {
- gnutls_x509_crt_t issuer;
-
- /* If it is the last certificate and its issuer is
- * known, don't need to run issuer callback. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i],
- &issuer,
- 0) == 0) {
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+ for (j = 1; j < sorted_size; j++) {
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
break;
}
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
- cert_list[i + 1])) {
- /* There is no gap between this and the next
- * certificate. */
+ }
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+ ret = cert_set_add(&cert_set, cert_list[i]);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (_gnutls_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+
+ /* If there is no gap between this and the next certificate,
+ * proceed with the next certificate. */
+ if (i < cert_list_size &&
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
+ cert_list[i])) {
continue;
}
ret = retrieve_issuers(list,
- cert_list[i],
+ cert_list[i - 1],
&retrieved[retrieved_size],
DEFAULT_MAX_VERIFY_DEPTH -
MAX(retrieved_size,
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (ret < 0) {
break;
} else if (ret > 0) {
- memmove(&cert_list[i + 1 + ret],
- &cert_list[i + 1],
- (cert_list_size - i - 1) *
+ assert((unsigned int)ret <=
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+ memmove(&cert_list[i + ret],
+ &cert_list[i],
+ (cert_list_size - i) *
sizeof(gnutls_x509_crt_t));
- memcpy(&cert_list[i + 1],
+ memcpy(&cert_list[i],
&retrieved[retrieved_size],
ret * sizeof(gnutls_x509_crt_t));
retrieved_size += ret;
cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
}
}
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
for (i = 0; i < retrieved_size; i++) {
gnutls_x509_crt_deinit(retrieved[i]);
}
+ cert_set_deinit(&cert_set);
return ret;
}
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
index f21e2b6b0..226d09592 100644
--- a/tests/missingissuer.c
+++ b/tests/missingissuer.c
@@ -145,6 +145,8 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
for (j = 0; chains[i].chain[j]; j++) {
+ assert(j < MAX_CHAIN);
+
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
index 543e2d71f..bf1e65c95 100644
--- a/tests/test-chains-issuer.h
+++ b/tests/test-chains-issuer.h
@@ -24,7 +24,7 @@
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
-#define MAX_CHAIN 6
+#define MAX_CHAIN 15
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
NULL,
};
+static const char *missing_middle_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_2,
+ CA_CERT_2,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_last_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_2,
+ CA_CERT_2,
+ NULL,
+};
+
+static const char *missing_last_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
+static const char *missing_skip_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_skip_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
static const char *missing_ca[] = {
CA_CERT_0,
NULL,
};
+static const char *middle_single_duplicate_ca[] = {
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_0,
+ CA_CERT_4,
+ CA_CERT_0,
+ CA_CERT_2,
+ CA_CERT_0,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
+ CA_CERT_0,
+ NULL,
+};
+
static struct chains {
const char *name;
const char **chain;
@@ -377,6 +468,14 @@ static struct chains {
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ NULL, NULL, NULL, NULL },
};
--
2.29.2

View File

@ -1,12 +0,0 @@
diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh
--- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100
+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100
@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test "
kill ${PID}
wait
+ cat $OUTFILE
+
check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"

View File

@ -1,195 +0,0 @@
From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 21 Dec 2020 09:36:47 -0500
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
Recent changes to trousers now require an ownership of root:tss for
the tcsd config file, older ones requires tss:tss. So, start tcsd
using trial and error with either one of these ownership configurations
until one works.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612..77fe17e59 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()
--
2.29.2
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 16:16:53 +0100
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on
2020-12-13. To avoid verification failure due to that, use datefudge
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler:
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/testpkcs11.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
--
2.29.2
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
system that runs the test in a restricted environment. Unsetting it
after a temporary use forces the remaining part of the test to use the
default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea..3c3e2214e 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
2.29.2

View File

@ -0,0 +1,84 @@
From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 10 Mar 2021 16:11:29 +0100
Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
AGGRESSIVE_REALLOC
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/str.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/str.c b/lib/str.c
index 506fe1721..bc20ebb04 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
unused = MEMSUB(dest->data, dest->allocd);
dest->allocd =
- gnutls_realloc_fast(dest->allocd, new_size);
+ gnutls_realloc_fast(dest->allocd, new_size + unused);
if (dest->allocd == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
- dest->max_length = new_size;
+ dest->max_length = new_size + unused;
dest->data = dest->allocd + unused;
return 0;
--
2.30.2
From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 10 Mar 2021 16:12:23 +0100
Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
defined
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/str.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/str.c b/lib/str.c
index bc20ebb04..8007340f1 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
#define MIN_CHUNK 1024
-static void align_allocd_with_data(gnutls_buffer_st * dest)
-{
- assert(dest->allocd != NULL);
- assert(dest->data != NULL);
- if (dest->length)
- memmove(dest->allocd, dest->data, dest->length);
- dest->data = dest->allocd;
-}
-
/**
* gnutls_buffer_append_data:
* @dest: the buffer to append to
@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
#else
+static void align_allocd_with_data(gnutls_buffer_st * dest)
+{
+ assert(dest->allocd != NULL);
+ assert(dest->data != NULL);
+ if (dest->length)
+ memmove(dest->allocd, dest->data, dest->length);
+ dest->data = dest->allocd;
+}
+
int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
{
if (unlikely(dest->data != NULL && dest->allocd == NULL))
--
2.30.2

View File

@ -1,11 +1,10 @@
# This spec file has been automatically updated # This spec file has been automatically updated
Version: 3.7.0 Version: 3.7.1
Release: 2%{?dist} Release: 2%{?dist}
Patch1: gnutls-3.6.7-no-now-guile.patch Patch1: gnutls-3.6.7-no-now-guile.patch
Patch2: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.2.7-rpath.patch
Patch3: gnutls-3.7.0-test-fixes.patch Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch
Patch4: gnutls-3.7.0-gost.patch %bcond_with bootstrap
Patch5: gnutls-3.7.0-duplicate-certs.patch
%bcond_without dane %bcond_without dane
%if 0%{?rhel} %if 0%{?rhel}
%bcond_with guile %bcond_with guile
@ -21,13 +20,15 @@ Name: gnutls
License: GPLv3+ and LGPLv2+ License: GPLv3+ and LGPLv2+
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3 BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
BuildRequires: libtool, automake, autoconf, texinfo %if %{with bootstrap}
BuildRequires: autogen-libopts-devel >= 5.18 autogen BuildRequires: automake, autoconf, gperf, libtool, texinfo
BuildRequires: autogen-libopts-devel >= 5.18, autogen
%endif
BuildRequires: nettle-devel >= 3.5.1 BuildRequires: nettle-devel >= 3.5.1
BuildRequires: trousers-devel >= 0.3.11.2 BuildRequires: trousers-devel >= 0.3.11.2
BuildRequires: libidn2-devel BuildRequires: libidn2-devel
BuildRequires: libunistring-devel BuildRequires: libunistring-devel
BuildRequires: gperf, net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
BuildRequires: gnupg2 BuildRequires: gnupg2
%if %{with fips} %if %{with fips}
BuildRequires: fipscheck BuildRequires: fipscheck
@ -147,11 +148,13 @@ This package contains Guile bindings for the library.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1 %autosetup -p1
#autoreconf -fi %if %{with bootstrap}
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
autoreconf -fi
%endif
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h rm -f lib/minitasn1/*.c lib/minitasn1/*.h
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
echo "SYSTEM=NORMAL" >> tests/system.prio echo "SYSTEM=NORMAL" >> tests/system.prio
@ -164,14 +167,16 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
export CCASFLAGS export CCASFLAGS
%if %{with guile}
# These should be checked by m4/guile.m4 instead of configure.ac # These should be checked by m4/guile.m4 instead of configure.ac
# taking into account of _guile_suffix # taking into account of _guile_suffix
guile_snarf=%{_bindir}/guile-snarf2.2 guile_snarf=%{_bindir}/guile-snarf2.2
export guile_snarf export guile_snarf
GUILD=%{_bindir}/guild2.2 GUILD=%{_bindir}/guild2.2
export GUILD export GUILD
%endif
%configure --with-libtasn1-prefix=%{_prefix} \ %configure \
%if %{with fips} %if %{with fips}
--enable-fips140-mode \ --enable-fips140-mode \
%endif %endif
@ -191,9 +196,9 @@ export GUILD
%endif %endif
%if %{with dane} %if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \ --with-unbound-root-key-file=/var/lib/unbound/root.key \
--enable-dane \ --enable-libdane \
%else %else
--disable-dane \ --disable-libdane \
%endif %endif
--disable-rpath \ --disable-rpath \
--with-default-priority-string="@SYSTEM" --with-default-priority-string="@SYSTEM"
@ -205,6 +210,7 @@ make %{?_smp_mflags} V=1
%{?__debug_package:%{__debug_install_post}} \ %{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \
fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
%{nil} %{nil}
@ -285,6 +291,20 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
%endif %endif
%changelog %changelog
* Tue Mar 16 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-2
- Restore fipscheck dependency
* Sat Mar 13 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-1
- Update to upstream 3.7.1 release
- Remove fipscheck dependency, as it is now calculated with an
internal tool
* Fri Mar 5 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-4
- Tolerate duplicate certs in the chain also with PKCS #11 trust store
* Tue Mar 2 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-3
- Reduce BRs for non-bootstrapping build
* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2 * Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
- Tolerate duplicate certs in the chain - Tolerate duplicate certs in the chain

View File

@ -1,3 +1,3 @@
SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95
SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173