diff --git a/gnutls-3.6.15.tar.xz b/gnutls-3.6.15.tar.xz deleted file mode 100644 index 8190b58..0000000 --- a/gnutls-3.6.15.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558 -size 6081656 diff --git a/gnutls-3.6.15.tar.xz.sig b/gnutls-3.6.15.tar.xz.sig deleted file mode 100644 index 4aeddf6..0000000 Binary files a/gnutls-3.6.15.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.7.0.tar.xz b/gnutls-3.7.0.tar.xz new file mode 100644 index 0000000..2fefaf7 --- /dev/null +++ b/gnutls-3.7.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:49e2a22691d252c9f24a9829b293a8f359095bc5a818351f05f1c0a5188a1df8 +size 6129176 diff --git a/gnutls-3.7.0.tar.xz.sig b/gnutls-3.7.0.tar.xz.sig new file mode 100644 index 0000000..777ae61 Binary files /dev/null and b/gnutls-3.7.0.tar.xz.sig differ diff --git a/gnutls-FIPS-TLS_KDF_selftest.patch b/gnutls-FIPS-TLS_KDF_selftest.patch new file mode 100644 index 0000000..baa8106 --- /dev/null +++ b/gnutls-FIPS-TLS_KDF_selftest.patch @@ -0,0 +1,33 @@ +Index: gnutls-3.6.15/lib/fips.c +=================================================================== +--- gnutls-3.6.15.orig/lib/fips.c 2020-09-03 16:59:05.000000000 +0200 ++++ gnutls-3.6.15/lib/fips.c 2020-11-10 12:51:40.420071675 +0100 +@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo + goto error; + } + ++ /* KDF */ ++ ++ char derived[512]; ++ ++ gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 }; ++ gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 }; ++ gnutls_datum_t label = { (void *)"test label", 10 }; ++ gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 }; ++ ++ ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data, ++ label.size, (char*)label.data, seed.size, seed.data, expected.size, derived); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto error; ++ } ++ ++ ret = memcmp(derived, expected.data, expected.size); ++ if (ret != 0) { ++ gnutls_assert(); ++ goto error; ++ } ++ + /* PK */ + ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); + if (ret < 0) { diff --git a/gnutls-gnutls-cli-debug.patch b/gnutls-gnutls-cli-debug.patch new file mode 100644 index 0000000..1156efd --- /dev/null +++ b/gnutls-gnutls-cli-debug.patch @@ -0,0 +1,39 @@ +From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 9 Feb 2021 15:26:07 +0100 +Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority + settings + +When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many +places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging +system that runs the test in a restricted environment. Unsetting it +after a temporary use forces the remaining part of the test to use the +default system priority, which might not be the intention of the user. + +Signed-off-by: Daiki Ueno +--- + tests/gnutls-cli-debug.sh | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh +index a73910dea6..3c3e2214e5 100755 +--- a/tests/gnutls-cli-debug.sh ++++ b/tests/gnutls-cli-debug.sh +@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} + tls-disabled-cipher = CAMELLIA-128-CBC + tls-disabled-cipher = CAMELLIA-256-CBC + _EOF_ +-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + ++GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ + timeout 1800 datefudge "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + +-unset GNUTLS_SYSTEM_PRIORITY_FILE +- + kill ${PID} + wait + +-- +GitLab + diff --git a/gnutls-ignore-duplicate-certificates.patch b/gnutls-ignore-duplicate-certificates.patch new file mode 100644 index 0000000..ffed25e --- /dev/null +++ b/gnutls-ignore-duplicate-certificates.patch @@ -0,0 +1,403 @@ +From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Dec 2020 12:14:13 +0100 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate + certificates + +The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a +regression, where duplicate certificates in a certificate chain are no +longer ignored but treated as a non-contiguous segment and that +results in calling the issuer callback, or a verification failure. + +This adds a mechanism to record certificates already seen in the +chain, and skip them while still allow the caller to inject missing +certificates. + +Signed-off-by: Daiki Ueno +Co-authored-by: Andreas Metzler +--- + lib/x509/common.c | 8 ++ + lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ + tests/missingissuer.c | 2 + + tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- + 4 files changed, 245 insertions(+), 23 deletions(-) + +diff --git a/lib/x509/common.c b/lib/x509/common.c +index 3301aaad0c..10c8db53c0 100644 +--- a/lib/x509/common.c ++++ b/lib/x509/common.c +@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, + * increasing DEFAULT_MAX_VERIFY_DEPTH. + */ + for (i = 0; i < clist_size; i++) { ++ /* Self-signed certificate found in the chain; skip it ++ * as it should only appear in the trusted set. ++ */ ++ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { ++ _gnutls_cert_log("self-signed cert found", clist[i]); ++ continue; ++ } ++ + for (j = 1; j < clist_size; j++) { + if (i == j) + continue; +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 588e7ee0dc..9a16e6b42a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { + + #define DEFAULT_SIZE 127 + ++struct cert_set_node_st { ++ gnutls_x509_crt_t *certs; ++ unsigned int size; ++}; ++ ++struct cert_set_st { ++ struct cert_set_node_st *node; ++ unsigned int size; ++}; ++ ++static int ++cert_set_init(struct cert_set_st *set, unsigned int size) ++{ ++ memset(set, 0, sizeof(*set)); ++ ++ set->size = size; ++ set->node = gnutls_calloc(size, sizeof(*set->node)); ++ if (!set->node) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ return 0; ++} ++ ++static void ++cert_set_deinit(struct cert_set_st *set) ++{ ++ size_t i; ++ ++ for (i = 0; i < set->size; i++) { ++ gnutls_free(set->node[i].certs); ++ } ++ ++ gnutls_free(set->node); ++} ++ ++static bool ++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash, i; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ for (i = 0; i < set->node[hash].size; i++) { ++ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++static int ++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ set->node[hash].certs = ++ gnutls_realloc_fast(set->node[hash].certs, ++ (set->node[hash].size + 1) * ++ sizeof(*set->node[hash].certs)); ++ if (!set->node[hash].certs) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ set->node[hash].certs[set->node[hash].size] = cert; ++ set->node[hash].size++; ++ ++ return 0; ++} ++ + /** + * gnutls_x509_trust_list_init: + * @list: A pointer to the type to be initialized +@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + unsigned have_set_name = 0; + unsigned saved_output; + gnutls_datum_t ip = {NULL, 0}; ++ struct cert_set_st cert_set = { NULL, 0 }; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); + cert_list = sorted; + ++ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); ++ if (ret < 0) { ++ return ret; ++ } ++ + for (i = 0; i < cert_list_size && +- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { +- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { +- unsigned int sorted_size; ++ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { ++ unsigned int sorted_size = 1; ++ unsigned int j; ++ gnutls_x509_crt_t issuer; + ++ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { + sorted_size = _gnutls_sort_clist(&cert_list[i], + cert_list_size - i); +- i += sorted_size - 1; + } + +- if (i == cert_list_size - 1) { +- gnutls_x509_crt_t issuer; +- +- /* If it is the last certificate and its issuer is +- * known, don't need to run issuer callback. */ +- if (_gnutls_trust_list_get_issuer(list, +- cert_list[i], +- &issuer, +- 0) == 0) { ++ /* Remove duplicates. Start with index 1, as the first element ++ * may be re-checked after issuer retrieval. */ ++ for (j = 1; j < sorted_size; j++) { ++ if (cert_set_contains(&cert_set, cert_list[i + j])) { ++ if (i + j < cert_list_size - 1) { ++ memmove(&cert_list[i + j], ++ &cert_list[i + j + 1], ++ sizeof(cert_list[i])); ++ } ++ cert_list_size--; + break; + } +- } else if (gnutls_x509_crt_check_issuer(cert_list[i], +- cert_list[i + 1])) { +- /* There is no gap between this and the next +- * certificate. */ ++ } ++ /* Found a duplicate, try again with the same index. */ ++ if (j < sorted_size) { ++ continue; ++ } ++ ++ /* Record the certificates seen. */ ++ for (j = 0; j < sorted_size; j++, i++) { ++ ret = cert_set_add(&cert_set, cert_list[i]); ++ if (ret < 0) { ++ goto cleanup; ++ } ++ } ++ ++ /* If the issuer of the certificate is known, no need ++ * for further processing. */ ++ if (_gnutls_trust_list_get_issuer(list, ++ cert_list[i - 1], ++ &issuer, ++ 0) == 0) { ++ cert_list_size = i; ++ break; ++ } ++ ++ /* If there is no gap between this and the next certificate, ++ * proceed with the next certificate. */ ++ if (i < cert_list_size && ++ gnutls_x509_crt_check_issuer(cert_list[i - 1], ++ cert_list[i])) { + continue; + } + + ret = retrieve_issuers(list, +- cert_list[i], ++ cert_list[i - 1], + &retrieved[retrieved_size], + DEFAULT_MAX_VERIFY_DEPTH - + MAX(retrieved_size, +@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + if (ret < 0) { + break; + } else if (ret > 0) { +- memmove(&cert_list[i + 1 + ret], +- &cert_list[i + 1], +- (cert_list_size - i - 1) * ++ assert((unsigned int)ret <= ++ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); ++ memmove(&cert_list[i + ret], ++ &cert_list[i], ++ (cert_list_size - i) * + sizeof(gnutls_x509_crt_t)); +- memcpy(&cert_list[i + 1], ++ memcpy(&cert_list[i], + &retrieved[retrieved_size], + ret * sizeof(gnutls_x509_crt_t)); + retrieved_size += ret; + cert_list_size += ret; ++ ++ /* Start again from the end of the previous segment. */ ++ i--; + } + } + +@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } ++ cert_set_deinit(&cert_set); + return ret; + } + +diff --git a/tests/missingissuer.c b/tests/missingissuer.c +index f21e2b6b0c..226d095929 100644 +--- a/tests/missingissuer.c ++++ b/tests/missingissuer.c +@@ -145,6 +145,8 @@ void doit(void) + printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); + + for (j = 0; chains[i].chain[j]; j++) { ++ assert(j < MAX_CHAIN); ++ + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + +diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h +index 543e2d71fb..bf1e65c956 100644 +--- a/tests/test-chains-issuer.h ++++ b/tests/test-chains-issuer.h +@@ -24,7 +24,7 @@ + #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + +-#define MAX_CHAIN 6 ++#define MAX_CHAIN 15 + + #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ + "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ +@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { + NULL, + }; + ++static const char *missing_middle_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_2, ++ CA_CERT_2, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_last_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_2, ++ CA_CERT_2, ++ NULL, ++}; ++ ++static const char *missing_last_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ ++static const char *missing_skip_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_skip_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ + static const char *missing_ca[] = { + CA_CERT_0, + NULL, + }; + ++static const char *middle_single_duplicate_ca[] = { ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_0, ++ CA_CERT_4, ++ CA_CERT_0, ++ CA_CERT_2, ++ CA_CERT_0, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { ++ CA_CERT_0, ++ NULL, ++}; ++ + static struct chains { + const char *name; + const char **chain; +@@ -377,6 +468,14 @@ static struct chains { + { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, + { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, ++ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, ++ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, ++ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, ++ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { NULL, NULL, NULL, NULL }, + }; + +-- +GitLab + diff --git a/gnutls-test-fixes.patch b/gnutls-test-fixes.patch new file mode 100644 index 0000000..0cad930 --- /dev/null +++ b/gnutls-test-fixes.patch @@ -0,0 +1,117 @@ +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +index 38b9585bc002ac9d32003ec7127153f9950ad1b1..09a6274776935f07f91a5be1eb79a573165ded93 100755 +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -67,6 +67,8 @@ have_ed25519=0 + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + ++TESTDATE=2020-12-01 ++ + . ${srcdir}/scripts/common.sh + + rm -f "${LOGFILE}" +@@ -79,6 +81,8 @@ exit_error () { + exit 1 + } + ++skip_if_no_datefudge ++ + # $1: token + # $2: PIN + # $3: filename +@@ -523,6 +527,7 @@ write_certificate_test () { + pubkey="$5" + + echo -n "* Generating client certificate... " ++ datefudge -s "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -900,7 +905,9 @@ use_certificate_test () { + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + eval "${GETPORT}" +- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ ++ launch_bare_server datefudge -s "$TESTDATE" \ ++ $VALGRIND $SERV $DEBUG -p "$PORT" \ ++ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 + +@@ -908,13 +915,16 @@ use_certificate_test () { + wait_server ${PID} + + # connect to server using SC ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ +diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh +index eba502612a293eb11134a62ce749ff87e6778ab2..77fe17e59341a344590ea22f62076e4db54dd91a 100755 +--- a/tests/tpmtool_test.sh ++++ b/tests/tpmtool_test.sh +@@ -138,6 +138,7 @@ start_tcsd() + local tcsd_conf=$workdir/tcsd.conf + local tcsd_system_ps_file=$workdir/system_ps_file + local tcsd_pidfile=$workdir/tcsd.pid ++ local owner + + start_swtpm "$workdir" + [ $? -ne 0 ] && return 1 +@@ -146,20 +147,36 @@ start_tcsd() + port = $TCSD_LISTEN_PORT + system_ps_file = $tcsd_system_ps_file + _EOF_ ++ # older versions of trousers require tss:tss ownership of the ++ # config file, later ones root:tss ++ for owner in tss root; do ++ if [ "$owner" = "tss" ]; then ++ chmod 0600 $tcsd_conf ++ else ++ chmod 0640 $tcsd_conf ++ fi ++ chown $owner:tss $tcsd_conf + +- chown tss:tss $tcsd_conf +- chmod 0600 $tcsd_conf ++ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & ++ BASH_PID=$! + +- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & +- BASH_PID=$! ++ if wait_for_file $tcsd_pidfile 3; then ++ echo "Could not get TCSD's PID file" ++ return 1 ++ fi + +- if wait_for_file $tcsd_pidfile 3; then +- echo "Could not get TCSD's PID file" +- return 1 +- fi ++ sleep 0.5 ++ TCSD_PID=$(cat $tcsd_pidfile) ++ kill -0 "${TCSD_PID}" ++ if [ $? -ne 0 ]; then ++ # Try again with other owner ++ continue ++ fi ++ return 0 ++ done + +- TCSD_PID=$(cat $tcsd_pidfile) +- return 0 ++ echo "TCSD could not be started" ++ return 1 + } + + stop_tcsd() diff --git a/gnutls.changes b/gnutls.changes index 424fa54..fd18e4f 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,70 @@ +------------------------------------------------------------------- +Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal + +- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565] + * Don't unset system priority settings in gnutls-cli-debug.sh + * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387 +- Add gnutls-gnutls-cli-debug.patch + +------------------------------------------------------------------- +Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal + +- Fix: Test certificates in tests/testpkcs11-certs have expired + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 +- Add gnutls-test-fixes.patch + +------------------------------------------------------------------- +Mon Feb 8 18:05:56 UTC 2021 - Pedro Monreal + +- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates + * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131 +- Add gnutls-ignore-duplicate-certificates.patch + +------------------------------------------------------------------- +Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal + +- Update to 3.7.0 + * Depend on nettle 3.6 + * Added a new API that provides a callback function to retrieve + missing certificates from incomplete certificate chains + * Added a new API that provides a callback function to output the + complete path to the trusted root during certificate chain + verification + * OIDs exposed as gnutls_datum_t no longer account for the + terminating null bytes, while the data field is null terminated. + The affected API functions are: gnutls_ocsp_req_get_extension, + gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension + * Added a new set of API to enable QUIC implementation + * The crypto implementation override APIs deprecated in 3.6.9 are + now no-op + * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support + * Support for padlock has been fixed to make it work with Zhaoxin CPU + * The maximum PIN length for PKCS #11 has been increased from 31 + bytes to 255 bytes +- Remove patch fixed upstream: + * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- Add version guards for the crypto-policies package +- Fix threading bug in libgnutls [bsc#1173434] + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044 + +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal + +- Require the crypto-policies package [bsc#1180051] + +------------------------------------------------------------------- +Tue Nov 24 15:43:02 UTC 2020 - Vítězslav Čížek + +- Use the centralized crypto policy profile (jsc#SLE-15832) + +------------------------------------------------------------------- +Tue Nov 10 11:25:02 UTC 2020 - Vítězslav Čížek + +- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) + * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- FIPS: Add TLS KDF selftest (bsc#1176671) + * add gnutls-FIPS-TLS_KDF_selftest.patch + ------------------------------------------------------------------- Mon Oct 12 11:54:00 UTC 2020 - Dominique Leuenberger diff --git a/gnutls.spec b/gnutls.spec index f9a206a..80623fc 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,19 +28,26 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.15 +Version: 3.7.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later Group: Productivity/Networking/Security URL: https://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: %{name}.keyring +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig +Source2: gnutls.keyring Source3: baselibs.conf -Patch1: gnutls-3.5.11-skip-trust-store-tests.patch -Patch4: gnutls-3.6.6-set_guile_site_dir.patch -Patch6: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch0: gnutls-3.5.11-skip-trust-store-tests.patch +Patch1: gnutls-3.6.6-set_guile_site_dir.patch +Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131 +Patch4: gnutls-ignore-duplicate-certificates.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135 +Patch5: gnutls-test-fixes.patch +#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387 +Patch6: gnutls-gnutls-cli-debug.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -50,7 +57,7 @@ BuildRequires: gcc-c++ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel -BuildRequires: libnettle-devel >= 3.4.1 +BuildRequires: libnettle-devel >= 3.6 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel @@ -79,6 +86,9 @@ BuildRequires: libunbound-devel %if %{with guile} BuildRequires: guile-devel %endif +%if 0%{?suse_version} && ! 0%{?sle_version} +Requires: crypto-policies +%endif %description The GnuTLS library provides a secure layer over a reliable transport @@ -159,6 +169,7 @@ Requires(pre): %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. +%if %{with guile} %package guile Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later @@ -167,11 +178,15 @@ Requires: guile %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. +%endif %prep %autosetup -p1 +echo "SYSTEM=NORMAL" >> tests/system.prio + %build +%define _lto_cflags %{nil} export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" @@ -182,7 +197,9 @@ export CXXFLAGS="%{optflags} -fPIE" --disable-static \ --disable-rpath \ --disable-silent-rules \ - --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ + --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ + --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ + --with-default-priority-string="@SYSTEM" \ --with-sysroot=/%{?_sysroot} \ %if %{without tpm} --without-tpm \ @@ -193,7 +210,8 @@ export CXXFLAGS="%{optflags} -fPIE" --disable-libdane \ %endif --enable-fips140-mode \ - %{nil} + %{nil} + make %{?_smp_mflags} # the hmac hashes: @@ -235,7 +253,8 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -make %{?_smp_mflags} check || { +#make %%{?_smp_mflags} check || { +make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } @@ -330,8 +349,19 @@ make %{?_smp_mflags} check || { %if %{with guile} %files guile +%if 0%{?suse_version} > 1550 +%{_libdir}/guile/3.0/guile-gnutls*.so* +%{_libdir}/guile/3.0/site-ccache +%{_libdir}/guile/3.0/site-ccache/gnutls +%{_libdir}/guile/3.0/site-ccache/gnutls.go +%{_libdir}/guile/3.0/site-ccache/gnutls/extra.go +%{_datadir}/guile/gnutls +%{_datadir}/guile/gnutls.scm +%{_datadir}/guile/gnutls/extra.scm +%else %{_libdir}/guile/* %{_datadir}/guile/gnutls* %endif +%endif %changelog