Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/gnutls.git#43597a7ec6c85dafffe67512102e1d9da6a7608a
This commit is contained in:
parent
d28c309576
commit
ec246bb852
2
.gitignore
vendored
2
.gitignore
vendored
@ -131,3 +131,5 @@ gnutls-2.10.1-nosrp.tar.bz2
|
|||||||
/gnutls-3.6.15.tar.xz.sig
|
/gnutls-3.6.15.tar.xz.sig
|
||||||
/gnutls-3.7.0.tar.xz
|
/gnutls-3.7.0.tar.xz
|
||||||
/gnutls-3.7.0.tar.xz.sig
|
/gnutls-3.7.0.tar.xz.sig
|
||||||
|
/gnutls-3.7.1.tar.xz
|
||||||
|
/gnutls-3.7.1.tar.xz.sig
|
||||||
|
@ -1,403 +0,0 @@
|
|||||||
From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Dec 2020 12:14:13 +0100
|
|
||||||
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
|
|
||||||
certificates
|
|
||||||
|
|
||||||
The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
|
|
||||||
regression, where duplicate certificates in a certificate chain are no
|
|
||||||
longer ignored but treated as a non-contiguous segment and that
|
|
||||||
results in calling the issuer callback, or a verification failure.
|
|
||||||
|
|
||||||
This adds a mechanism to record certificates already seen in the
|
|
||||||
chain, and skip them while still allow the caller to inject missing
|
|
||||||
certificates.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Co-authored-by: Andreas Metzler <ametzler@debian.org>
|
|
||||||
---
|
|
||||||
lib/x509/common.c | 8 ++
|
|
||||||
lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
|
|
||||||
tests/missingissuer.c | 2 +
|
|
||||||
tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
|
|
||||||
4 files changed, 245 insertions(+), 23 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/x509/common.c b/lib/x509/common.c
|
|
||||||
index 3301aaad0..10c8db53c 100644
|
|
||||||
--- a/lib/x509/common.c
|
|
||||||
+++ b/lib/x509/common.c
|
|
||||||
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
|
|
||||||
* increasing DEFAULT_MAX_VERIFY_DEPTH.
|
|
||||||
*/
|
|
||||||
for (i = 0; i < clist_size; i++) {
|
|
||||||
+ /* Self-signed certificate found in the chain; skip it
|
|
||||||
+ * as it should only appear in the trusted set.
|
|
||||||
+ */
|
|
||||||
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
|
|
||||||
+ _gnutls_cert_log("self-signed cert found", clist[i]);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
for (j = 1; j < clist_size; j++) {
|
|
||||||
if (i == j)
|
|
||||||
continue;
|
|
||||||
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
|
|
||||||
index 588e7ee0d..9a16e6b42 100644
|
|
||||||
--- a/lib/x509/verify-high.c
|
|
||||||
+++ b/lib/x509/verify-high.c
|
|
||||||
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
|
|
||||||
|
|
||||||
#define DEFAULT_SIZE 127
|
|
||||||
|
|
||||||
+struct cert_set_node_st {
|
|
||||||
+ gnutls_x509_crt_t *certs;
|
|
||||||
+ unsigned int size;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct cert_set_st {
|
|
||||||
+ struct cert_set_node_st *node;
|
|
||||||
+ unsigned int size;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+cert_set_init(struct cert_set_st *set, unsigned int size)
|
|
||||||
+{
|
|
||||||
+ memset(set, 0, sizeof(*set));
|
|
||||||
+
|
|
||||||
+ set->size = size;
|
|
||||||
+ set->node = gnutls_calloc(size, sizeof(*set->node));
|
|
||||||
+ if (!set->node) {
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+cert_set_deinit(struct cert_set_st *set)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < set->size; i++) {
|
|
||||||
+ gnutls_free(set->node[i].certs);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gnutls_free(set->node);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static bool
|
|
||||||
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
|
||||||
+{
|
|
||||||
+ size_t hash, i;
|
|
||||||
+
|
|
||||||
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
|
||||||
+ hash %= set->size;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < set->node[hash].size; i++) {
|
|
||||||
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return false;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
|
|
||||||
+{
|
|
||||||
+ size_t hash;
|
|
||||||
+
|
|
||||||
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
|
|
||||||
+ hash %= set->size;
|
|
||||||
+
|
|
||||||
+ set->node[hash].certs =
|
|
||||||
+ gnutls_realloc_fast(set->node[hash].certs,
|
|
||||||
+ (set->node[hash].size + 1) *
|
|
||||||
+ sizeof(*set->node[hash].certs));
|
|
||||||
+ if (!set->node[hash].certs) {
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
||||||
+ }
|
|
||||||
+ set->node[hash].certs[set->node[hash].size] = cert;
|
|
||||||
+ set->node[hash].size++;
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* gnutls_x509_trust_list_init:
|
|
||||||
* @list: A pointer to the type to be initialized
|
|
||||||
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
|
||||||
unsigned have_set_name = 0;
|
|
||||||
unsigned saved_output;
|
|
||||||
gnutls_datum_t ip = {NULL, 0};
|
|
||||||
+ struct cert_set_st cert_set = { NULL, 0 };
|
|
||||||
|
|
||||||
if (cert_list == NULL || cert_list_size < 1)
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
|
||||||
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
|
|
||||||
cert_list = sorted;
|
|
||||||
|
|
||||||
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
for (i = 0; i < cert_list_size &&
|
|
||||||
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
|
|
||||||
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
|
|
||||||
- unsigned int sorted_size;
|
|
||||||
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
|
|
||||||
+ unsigned int sorted_size = 1;
|
|
||||||
+ unsigned int j;
|
|
||||||
+ gnutls_x509_crt_t issuer;
|
|
||||||
|
|
||||||
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
|
|
||||||
sorted_size = _gnutls_sort_clist(&cert_list[i],
|
|
||||||
cert_list_size - i);
|
|
||||||
- i += sorted_size - 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (i == cert_list_size - 1) {
|
|
||||||
- gnutls_x509_crt_t issuer;
|
|
||||||
-
|
|
||||||
- /* If it is the last certificate and its issuer is
|
|
||||||
- * known, don't need to run issuer callback. */
|
|
||||||
- if (_gnutls_trust_list_get_issuer(list,
|
|
||||||
- cert_list[i],
|
|
||||||
- &issuer,
|
|
||||||
- 0) == 0) {
|
|
||||||
+ /* Remove duplicates. Start with index 1, as the first element
|
|
||||||
+ * may be re-checked after issuer retrieval. */
|
|
||||||
+ for (j = 1; j < sorted_size; j++) {
|
|
||||||
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
|
|
||||||
+ if (i + j < cert_list_size - 1) {
|
|
||||||
+ memmove(&cert_list[i + j],
|
|
||||||
+ &cert_list[i + j + 1],
|
|
||||||
+ sizeof(cert_list[i]));
|
|
||||||
+ }
|
|
||||||
+ cert_list_size--;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
|
|
||||||
- cert_list[i + 1])) {
|
|
||||||
- /* There is no gap between this and the next
|
|
||||||
- * certificate. */
|
|
||||||
+ }
|
|
||||||
+ /* Found a duplicate, try again with the same index. */
|
|
||||||
+ if (j < sorted_size) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Record the certificates seen. */
|
|
||||||
+ for (j = 0; j < sorted_size; j++, i++) {
|
|
||||||
+ ret = cert_set_add(&cert_set, cert_list[i]);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If the issuer of the certificate is known, no need
|
|
||||||
+ * for further processing. */
|
|
||||||
+ if (_gnutls_trust_list_get_issuer(list,
|
|
||||||
+ cert_list[i - 1],
|
|
||||||
+ &issuer,
|
|
||||||
+ 0) == 0) {
|
|
||||||
+ cert_list_size = i;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If there is no gap between this and the next certificate,
|
|
||||||
+ * proceed with the next certificate. */
|
|
||||||
+ if (i < cert_list_size &&
|
|
||||||
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
|
|
||||||
+ cert_list[i])) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = retrieve_issuers(list,
|
|
||||||
- cert_list[i],
|
|
||||||
+ cert_list[i - 1],
|
|
||||||
&retrieved[retrieved_size],
|
|
||||||
DEFAULT_MAX_VERIFY_DEPTH -
|
|
||||||
MAX(retrieved_size,
|
|
||||||
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
|
||||||
if (ret < 0) {
|
|
||||||
break;
|
|
||||||
} else if (ret > 0) {
|
|
||||||
- memmove(&cert_list[i + 1 + ret],
|
|
||||||
- &cert_list[i + 1],
|
|
||||||
- (cert_list_size - i - 1) *
|
|
||||||
+ assert((unsigned int)ret <=
|
|
||||||
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
|
|
||||||
+ memmove(&cert_list[i + ret],
|
|
||||||
+ &cert_list[i],
|
|
||||||
+ (cert_list_size - i) *
|
|
||||||
sizeof(gnutls_x509_crt_t));
|
|
||||||
- memcpy(&cert_list[i + 1],
|
|
||||||
+ memcpy(&cert_list[i],
|
|
||||||
&retrieved[retrieved_size],
|
|
||||||
ret * sizeof(gnutls_x509_crt_t));
|
|
||||||
retrieved_size += ret;
|
|
||||||
cert_list_size += ret;
|
|
||||||
+
|
|
||||||
+ /* Start again from the end of the previous segment. */
|
|
||||||
+ i--;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
|
|
||||||
for (i = 0; i < retrieved_size; i++) {
|
|
||||||
gnutls_x509_crt_deinit(retrieved[i]);
|
|
||||||
}
|
|
||||||
+ cert_set_deinit(&cert_set);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
|
|
||||||
index f21e2b6b0..226d09592 100644
|
|
||||||
--- a/tests/missingissuer.c
|
|
||||||
+++ b/tests/missingissuer.c
|
|
||||||
@@ -145,6 +145,8 @@ void doit(void)
|
|
||||||
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
|
|
||||||
|
|
||||||
for (j = 0; chains[i].chain[j]; j++) {
|
|
||||||
+ assert(j < MAX_CHAIN);
|
|
||||||
+
|
|
||||||
if (debug > 2)
|
|
||||||
printf("\tAdding certificate %d...", (int)j);
|
|
||||||
|
|
||||||
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
|
|
||||||
index 543e2d71f..bf1e65c95 100644
|
|
||||||
--- a/tests/test-chains-issuer.h
|
|
||||||
+++ b/tests/test-chains-issuer.h
|
|
||||||
@@ -24,7 +24,7 @@
|
|
||||||
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
|
|
||||||
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
|
|
||||||
|
|
||||||
-#define MAX_CHAIN 6
|
|
||||||
+#define MAX_CHAIN 15
|
|
||||||
|
|
||||||
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
|
|
||||||
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
|
|
||||||
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
|
|
||||||
NULL,
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const char *missing_middle_single_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_2,
|
|
||||||
+ CA_CERT_2,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_middle_multiple_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_last_single_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_2,
|
|
||||||
+ CA_CERT_2,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_last_multiple_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_skip_single_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_skip_multiple_duplicate[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ CA_CERT_3,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static const char *missing_ca[] = {
|
|
||||||
CA_CERT_0,
|
|
||||||
NULL,
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const char *middle_single_duplicate_ca[] = {
|
|
||||||
+ SERVER_CERT,
|
|
||||||
+ CA_CERT_5,
|
|
||||||
+ CA_CERT_0,
|
|
||||||
+ CA_CERT_4,
|
|
||||||
+ CA_CERT_0,
|
|
||||||
+ CA_CERT_2,
|
|
||||||
+ CA_CERT_0,
|
|
||||||
+ CA_CERT_1,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
|
|
||||||
+ CA_CERT_0,
|
|
||||||
+ NULL,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static struct chains {
|
|
||||||
const char *name;
|
|
||||||
const char **chain;
|
|
||||||
@@ -377,6 +468,14 @@ static struct chains {
|
|
||||||
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
|
|
||||||
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
|
|
||||||
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
|
|
||||||
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
|
|
||||||
{ NULL, NULL, NULL, NULL },
|
|
||||||
};
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh
|
|
||||||
--- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100
|
|
||||||
+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100
|
|
||||||
@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test "
|
|
||||||
kill ${PID}
|
|
||||||
wait
|
|
||||||
|
|
||||||
+ cat $OUTFILE
|
|
||||||
+
|
|
||||||
check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
|
|
||||||
check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
|
|
||||||
check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"
|
|
@ -1,195 +0,0 @@
|
|||||||
From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stefan Berger <stefanb@linux.ibm.com>
|
|
||||||
Date: Mon, 21 Dec 2020 09:36:47 -0500
|
|
||||||
Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers
|
|
||||||
|
|
||||||
Recent changes to trousers now require an ownership of root:tss for
|
|
||||||
the tcsd config file, older ones requires tss:tss. So, start tcsd
|
|
||||||
using trial and error with either one of these ownership configurations
|
|
||||||
until one works.
|
|
||||||
|
|
||||||
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
||||||
---
|
|
||||||
tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++----------
|
|
||||||
1 file changed, 27 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
|
|
||||||
index eba502612..77fe17e59 100755
|
|
||||||
--- a/tests/tpmtool_test.sh
|
|
||||||
+++ b/tests/tpmtool_test.sh
|
|
||||||
@@ -138,6 +138,7 @@ start_tcsd()
|
|
||||||
local tcsd_conf=$workdir/tcsd.conf
|
|
||||||
local tcsd_system_ps_file=$workdir/system_ps_file
|
|
||||||
local tcsd_pidfile=$workdir/tcsd.pid
|
|
||||||
+ local owner
|
|
||||||
|
|
||||||
start_swtpm "$workdir"
|
|
||||||
[ $? -ne 0 ] && return 1
|
|
||||||
@@ -146,20 +147,36 @@ start_tcsd()
|
|
||||||
port = $TCSD_LISTEN_PORT
|
|
||||||
system_ps_file = $tcsd_system_ps_file
|
|
||||||
_EOF_
|
|
||||||
+ # older versions of trousers require tss:tss ownership of the
|
|
||||||
+ # config file, later ones root:tss
|
|
||||||
+ for owner in tss root; do
|
|
||||||
+ if [ "$owner" = "tss" ]; then
|
|
||||||
+ chmod 0600 $tcsd_conf
|
|
||||||
+ else
|
|
||||||
+ chmod 0640 $tcsd_conf
|
|
||||||
+ fi
|
|
||||||
+ chown $owner:tss $tcsd_conf
|
|
||||||
|
|
||||||
- chown tss:tss $tcsd_conf
|
|
||||||
- chmod 0600 $tcsd_conf
|
|
||||||
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
|
|
||||||
+ BASH_PID=$!
|
|
||||||
|
|
||||||
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
|
|
||||||
- BASH_PID=$!
|
|
||||||
+ if wait_for_file $tcsd_pidfile 3; then
|
|
||||||
+ echo "Could not get TCSD's PID file"
|
|
||||||
+ return 1
|
|
||||||
+ fi
|
|
||||||
|
|
||||||
- if wait_for_file $tcsd_pidfile 3; then
|
|
||||||
- echo "Could not get TCSD's PID file"
|
|
||||||
- return 1
|
|
||||||
- fi
|
|
||||||
+ sleep 0.5
|
|
||||||
+ TCSD_PID=$(cat $tcsd_pidfile)
|
|
||||||
+ kill -0 "${TCSD_PID}"
|
|
||||||
+ if [ $? -ne 0 ]; then
|
|
||||||
+ # Try again with other owner
|
|
||||||
+ continue
|
|
||||||
+ fi
|
|
||||||
+ return 0
|
|
||||||
+ done
|
|
||||||
|
|
||||||
- TCSD_PID=$(cat $tcsd_pidfile)
|
|
||||||
- return 0
|
|
||||||
+ echo "TCSD could not be started"
|
|
||||||
+ return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
stop_tcsd()
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
|
|
||||||
From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Dec 2020 16:16:53 +0100
|
|
||||||
Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry
|
|
||||||
|
|
||||||
The certificates stored in tests/testpkcs11-certs expired on
|
|
||||||
2020-12-13. To avoid verification failure due to that, use datefudge
|
|
||||||
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
|
|
||||||
|
|
||||||
Based on the patch by Andreas Metzler:
|
|
||||||
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
tests/testpkcs11.sh | 12 +++++++++++-
|
|
||||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
|
|
||||||
index 38b9585bc..09a627477 100755
|
|
||||||
--- a/tests/testpkcs11.sh
|
|
||||||
+++ b/tests/testpkcs11.sh
|
|
||||||
@@ -67,6 +67,8 @@ have_ed25519=0
|
|
||||||
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
|
|
||||||
SERV="${SERV} -q"
|
|
||||||
|
|
||||||
+TESTDATE=2020-12-01
|
|
||||||
+
|
|
||||||
. ${srcdir}/scripts/common.sh
|
|
||||||
|
|
||||||
rm -f "${LOGFILE}"
|
|
||||||
@@ -79,6 +81,8 @@ exit_error () {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
+skip_if_no_datefudge
|
|
||||||
+
|
|
||||||
# $1: token
|
|
||||||
# $2: PIN
|
|
||||||
# $3: filename
|
|
||||||
@@ -523,6 +527,7 @@ write_certificate_test () {
|
|
||||||
pubkey="$5"
|
|
||||||
|
|
||||||
echo -n "* Generating client certificate... "
|
|
||||||
+ datefudge -s "$TESTDATE" \
|
|
||||||
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
|
|
||||||
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
|
|
||||||
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
|
|
||||||
@@ -900,7 +905,9 @@ use_certificate_test () {
|
|
||||||
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
|
|
||||||
# start server
|
|
||||||
eval "${GETPORT}"
|
|
||||||
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
|
|
||||||
+ launch_bare_server datefudge -s "$TESTDATE" \
|
|
||||||
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
|
|
||||||
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
|
|
||||||
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
|
|
||||||
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
|
|
||||||
|
|
||||||
@@ -908,13 +915,16 @@ use_certificate_test () {
|
|
||||||
wait_server ${PID}
|
|
||||||
|
|
||||||
# connect to server using SC
|
|
||||||
+ datefudge -s "$TESTDATE" \
|
|
||||||
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
|
|
||||||
fail ${PID} "Connection should have failed!"
|
|
||||||
|
|
||||||
+ datefudge -s "$TESTDATE" \
|
|
||||||
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
|
|
||||||
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
|
|
||||||
fail ${PID} "Connection (with files) should have succeeded!"
|
|
||||||
|
|
||||||
+ datefudge -s "$TESTDATE" \
|
|
||||||
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
|
|
||||||
--x509keyfile="${token};object=gnutls-client;object-type=private" \
|
|
||||||
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Tue, 9 Feb 2021 15:26:07 +0100
|
|
||||||
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
|
|
||||||
settings
|
|
||||||
|
|
||||||
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
|
|
||||||
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
|
|
||||||
system that runs the test in a restricted environment. Unsetting it
|
|
||||||
after a temporary use forces the remaining part of the test to use the
|
|
||||||
default system priority, which might not be the intention of the user.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
tests/gnutls-cli-debug.sh | 4 +---
|
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
|
|
||||||
index a73910dea..3c3e2214e 100755
|
|
||||||
--- a/tests/gnutls-cli-debug.sh
|
|
||||||
+++ b/tests/gnutls-cli-debug.sh
|
|
||||||
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
|
|
||||||
tls-disabled-cipher = CAMELLIA-128-CBC
|
|
||||||
tls-disabled-cipher = CAMELLIA-256-CBC
|
|
||||||
_EOF_
|
|
||||||
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
|
|
||||||
|
|
||||||
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
|
|
||||||
timeout 1800 datefudge "2017-08-9" \
|
|
||||||
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
|
|
||||||
|
|
||||||
-unset GNUTLS_SYSTEM_PRIORITY_FILE
|
|
||||||
-
|
|
||||||
kill ${PID}
|
|
||||||
wait
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
84
gnutls-3.7.1-aggressive-realloc-fixes.patch
Normal file
84
gnutls-3.7.1-aggressive-realloc-fixes.patch
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Wed, 10 Mar 2021 16:11:29 +0100
|
||||||
|
Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
|
||||||
|
AGGRESSIVE_REALLOC
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/str.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/str.c b/lib/str.c
|
||||||
|
index 506fe1721..bc20ebb04 100644
|
||||||
|
--- a/lib/str.c
|
||||||
|
+++ b/lib/str.c
|
||||||
|
@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
||||||
|
|
||||||
|
unused = MEMSUB(dest->data, dest->allocd);
|
||||||
|
dest->allocd =
|
||||||
|
- gnutls_realloc_fast(dest->allocd, new_size);
|
||||||
|
+ gnutls_realloc_fast(dest->allocd, new_size + unused);
|
||||||
|
if (dest->allocd == NULL) {
|
||||||
|
gnutls_assert();
|
||||||
|
return GNUTLS_E_MEMORY_ERROR;
|
||||||
|
}
|
||||||
|
- dest->max_length = new_size;
|
||||||
|
+ dest->max_length = new_size + unused;
|
||||||
|
dest->data = dest->allocd + unused;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
||||||
|
|
||||||
|
From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Wed, 10 Mar 2021 16:12:23 +0100
|
||||||
|
Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
|
||||||
|
defined
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/str.c | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/str.c b/lib/str.c
|
||||||
|
index bc20ebb04..8007340f1 100644
|
||||||
|
--- a/lib/str.c
|
||||||
|
+++ b/lib/str.c
|
||||||
|
@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
|
||||||
|
|
||||||
|
#define MIN_CHUNK 1024
|
||||||
|
|
||||||
|
-static void align_allocd_with_data(gnutls_buffer_st * dest)
|
||||||
|
-{
|
||||||
|
- assert(dest->allocd != NULL);
|
||||||
|
- assert(dest->data != NULL);
|
||||||
|
- if (dest->length)
|
||||||
|
- memmove(dest->allocd, dest->data, dest->length);
|
||||||
|
- dest->data = dest->allocd;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
/**
|
||||||
|
* gnutls_buffer_append_data:
|
||||||
|
* @dest: the buffer to append to
|
||||||
|
@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
|
+static void align_allocd_with_data(gnutls_buffer_st * dest)
|
||||||
|
+{
|
||||||
|
+ assert(dest->allocd != NULL);
|
||||||
|
+ assert(dest->data != NULL);
|
||||||
|
+ if (dest->length)
|
||||||
|
+ memmove(dest->allocd, dest->data, dest->length);
|
||||||
|
+ dest->data = dest->allocd;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
||||||
|
{
|
||||||
|
if (unlikely(dest->data != NULL && dest->allocd == NULL))
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
44
gnutls.spec
44
gnutls.spec
@ -1,11 +1,10 @@
|
|||||||
# This spec file has been automatically updated
|
# This spec file has been automatically updated
|
||||||
Version: 3.7.0
|
Version: 3.7.1
|
||||||
Release: 2%{?dist}
|
Release: 2%{?dist}
|
||||||
Patch1: gnutls-3.6.7-no-now-guile.patch
|
Patch1: gnutls-3.6.7-no-now-guile.patch
|
||||||
Patch2: gnutls-3.2.7-rpath.patch
|
Patch2: gnutls-3.2.7-rpath.patch
|
||||||
Patch3: gnutls-3.7.0-test-fixes.patch
|
Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch
|
||||||
Patch4: gnutls-3.7.0-gost.patch
|
%bcond_with bootstrap
|
||||||
Patch5: gnutls-3.7.0-duplicate-certs.patch
|
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
%bcond_with guile
|
%bcond_with guile
|
||||||
@ -21,13 +20,15 @@ Name: gnutls
|
|||||||
License: GPLv3+ and LGPLv2+
|
License: GPLv3+ and LGPLv2+
|
||||||
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
|
BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
|
||||||
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
|
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
|
||||||
BuildRequires: libtool, automake, autoconf, texinfo
|
%if %{with bootstrap}
|
||||||
BuildRequires: autogen-libopts-devel >= 5.18 autogen
|
BuildRequires: automake, autoconf, gperf, libtool, texinfo
|
||||||
|
BuildRequires: autogen-libopts-devel >= 5.18, autogen
|
||||||
|
%endif
|
||||||
BuildRequires: nettle-devel >= 3.5.1
|
BuildRequires: nettle-devel >= 3.5.1
|
||||||
BuildRequires: trousers-devel >= 0.3.11.2
|
BuildRequires: trousers-devel >= 0.3.11.2
|
||||||
BuildRequires: libidn2-devel
|
BuildRequires: libidn2-devel
|
||||||
BuildRequires: libunistring-devel
|
BuildRequires: libunistring-devel
|
||||||
BuildRequires: gperf, net-tools, datefudge, softhsm, gcc, gcc-c++
|
BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
BuildRequires: fipscheck
|
BuildRequires: fipscheck
|
||||||
@ -147,11 +148,13 @@ This package contains Guile bindings for the library.
|
|||||||
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||||
|
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
#autoreconf -fi
|
%if %{with bootstrap}
|
||||||
|
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
|
||||||
|
autoreconf -fi
|
||||||
|
%endif
|
||||||
|
|
||||||
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
||||||
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
||||||
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
|
|
||||||
|
|
||||||
echo "SYSTEM=NORMAL" >> tests/system.prio
|
echo "SYSTEM=NORMAL" >> tests/system.prio
|
||||||
|
|
||||||
@ -164,14 +167,16 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
|
|||||||
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
||||||
export CCASFLAGS
|
export CCASFLAGS
|
||||||
|
|
||||||
|
%if %{with guile}
|
||||||
# These should be checked by m4/guile.m4 instead of configure.ac
|
# These should be checked by m4/guile.m4 instead of configure.ac
|
||||||
# taking into account of _guile_suffix
|
# taking into account of _guile_suffix
|
||||||
guile_snarf=%{_bindir}/guile-snarf2.2
|
guile_snarf=%{_bindir}/guile-snarf2.2
|
||||||
export guile_snarf
|
export guile_snarf
|
||||||
GUILD=%{_bindir}/guild2.2
|
GUILD=%{_bindir}/guild2.2
|
||||||
export GUILD
|
export GUILD
|
||||||
|
%endif
|
||||||
|
|
||||||
%configure --with-libtasn1-prefix=%{_prefix} \
|
%configure \
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
--enable-fips140-mode \
|
--enable-fips140-mode \
|
||||||
%endif
|
%endif
|
||||||
@ -191,9 +196,9 @@ export GUILD
|
|||||||
%endif
|
%endif
|
||||||
%if %{with dane}
|
%if %{with dane}
|
||||||
--with-unbound-root-key-file=/var/lib/unbound/root.key \
|
--with-unbound-root-key-file=/var/lib/unbound/root.key \
|
||||||
--enable-dane \
|
--enable-libdane \
|
||||||
%else
|
%else
|
||||||
--disable-dane \
|
--disable-libdane \
|
||||||
%endif
|
%endif
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-default-priority-string="@SYSTEM"
|
--with-default-priority-string="@SYSTEM"
|
||||||
@ -205,6 +210,7 @@ make %{?_smp_mflags} V=1
|
|||||||
%{?__debug_package:%{__debug_install_post}} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \
|
||||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
|
fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
|
||||||
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
|
file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
|
||||||
%{nil}
|
%{nil}
|
||||||
@ -285,6 +291,20 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 16 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-2
|
||||||
|
- Restore fipscheck dependency
|
||||||
|
|
||||||
|
* Sat Mar 13 2021 Daiki Ueno <dueno@redhat.com> - 3.7.1-1
|
||||||
|
- Update to upstream 3.7.1 release
|
||||||
|
- Remove fipscheck dependency, as it is now calculated with an
|
||||||
|
internal tool
|
||||||
|
|
||||||
|
* Fri Mar 5 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-4
|
||||||
|
- Tolerate duplicate certs in the chain also with PKCS #11 trust store
|
||||||
|
|
||||||
|
* Tue Mar 2 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-3
|
||||||
|
- Reduce BRs for non-bootstrapping build
|
||||||
|
|
||||||
* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
|
* Wed Feb 10 2021 Daiki Ueno <dueno@redhat.com> - 3.7.0-2
|
||||||
- Tolerate duplicate certs in the chain
|
- Tolerate duplicate certs in the chain
|
||||||
|
|
||||||
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
|||||||
SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885
|
SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95
|
||||||
SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd
|
SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d
|
||||||
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
|
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
|
||||||
|
Loading…
Reference in New Issue
Block a user