Accepting request 873444 from security:tls

- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
  * Don't unset system priority settings in gnutls-cli-debug.sh
  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
- Add gnutls-gnutls-cli-debug.patch

- Fix: Test certificates in tests/testpkcs11-certs have expired
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
- Add gnutls-test-fixes.patch

- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
- Add gnutls-ignore-duplicate-certificates.patch

- Update to 3.7.0
  * Depend on nettle 3.6
  * Added a new API that provides a callback function to retrieve
    missing certificates from incomplete certificate chains
  * Added a new API that provides a callback function to output the
    complete path to the trusted root during certificate chain
	verification
  * OIDs exposed as gnutls_datum_t no longer account for the
    terminating null bytes, while the data field is null terminated.
    The affected API functions are: gnutls_ocsp_req_get_extension,
    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
  * Added a new set of API to enable QUIC implementation
  * The crypto implementation override APIs deprecated in 3.6.9 are
    now no-op
  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
  * Support for padlock has been fixed to make it work with Zhaoxin CPU
  * The maximum PIN length for PKCS #11 has been increased from 31

OBS-URL: https://build.opensuse.org/request/show/873444
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=128

gnutls-3.6.15.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558
-size 6081656

gnutls-3.7.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:49e2a22691d252c9f24a9829b293a8f359095bc5a818351f05f1c0a5188a1df8
+size 6129176

gnutls-FIPS-TLS_KDF_selftest.patch

@@ -0,0 +1,33 @@
+Index: gnutls-3.6.15/lib/fips.c
+===================================================================
+--- gnutls-3.6.15.orig/lib/fips.c	2020-09-03 16:59:05.000000000 +0200
++++ gnutls-3.6.15/lib/fips.c	2020-11-10 12:51:40.420071675 +0100
+@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo
+ 		goto error;
+ 	}
+ 
++        /* KDF */
++
++	char derived[512];
++
++	gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 };
++	gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 };
++	gnutls_datum_t label = { (void *)"test label", 10 };
++	gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 };
++
++	ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
++		label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
++	if (ret < 0) {
++		gnutls_assert();
++		goto error;
++	}
++
++	ret = memcmp(derived, expected.data, expected.size);
++	if (ret != 0) {
++		gnutls_assert();
++		goto error;
++	}
++
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {

gnutls-gnutls-cli-debug.patch

@@ -0,0 +1,39 @@
+From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 9 Feb 2021 15:26:07 +0100
+Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
+ settings
+
+When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
+places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
+system that runs the test in a restricted environment.  Unsetting it
+after a temporary use forces the remaining part of the test to use the
+default system priority, which might not be the intention of the user.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/gnutls-cli-debug.sh | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
+index a73910dea6..3c3e2214e5 100755
+--- a/tests/gnutls-cli-debug.sh
++++ b/tests/gnutls-cli-debug.sh
+@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
+ tls-disabled-cipher = CAMELLIA-128-CBC
+ tls-disabled-cipher = CAMELLIA-256-CBC
+ _EOF_
+-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+ 
++GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
+ timeout 1800 datefudge "2017-08-9" \
+ "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+ 
+-unset GNUTLS_SYSTEM_PRIORITY_FILE
+-
+ kill ${PID}
+ wait
+ 
+-- 
+GitLab
+

gnutls-ignore-duplicate-certificates.patch

@@ -0,0 +1,403 @@
+From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 28 Dec 2020 12:14:13 +0100
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
+ certificates
+
+The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
+regression, where duplicate certificates in a certificate chain are no
+longer ignored but treated as a non-contiguous segment and that
+results in calling the issuer callback, or a verification failure.
+
+This adds a mechanism to record certificates already seen in the
+chain, and skip them while still allow the caller to inject missing
+certificates.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Co-authored-by: Andreas Metzler <ametzler@debian.org>
+---
+ lib/x509/common.c          |   8 ++
+ lib/x509/verify-high.c     | 157 +++++++++++++++++++++++++++++++------
+ tests/missingissuer.c      |   2 +
+ tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
+ 4 files changed, 245 insertions(+), 23 deletions(-)
+
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 3301aaad0c..10c8db53c0 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+ 	 * increasing DEFAULT_MAX_VERIFY_DEPTH.
+ 	 */
+ 	for (i = 0; i < clist_size; i++) {
++		/* Self-signed certificate found in the chain; skip it
++		 * as it should only appear in the trusted set.
++		 */
++		if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
++			_gnutls_cert_log("self-signed cert found", clist[i]);
++			continue;
++		}
++
+ 		for (j = 1; j < clist_size; j++) {
+ 			if (i == j)
+ 				continue;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 588e7ee0dc..9a16e6b42a 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
+ 
+ #define DEFAULT_SIZE 127
+ 
++struct cert_set_node_st {
++	gnutls_x509_crt_t *certs;
++	unsigned int size;
++};
++
++struct cert_set_st {
++	struct cert_set_node_st *node;
++	unsigned int size;
++};
++
++static int
++cert_set_init(struct cert_set_st *set, unsigned int size)
++{
++	memset(set, 0, sizeof(*set));
++
++	set->size = size;
++	set->node = gnutls_calloc(size, sizeof(*set->node));
++	if (!set->node) {
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	}
++
++	return 0;
++}
++
++static void
++cert_set_deinit(struct cert_set_st *set)
++{
++	size_t i;
++
++	for (i = 0; i < set->size; i++) {
++		gnutls_free(set->node[i].certs);
++	}
++
++	gnutls_free(set->node);
++}
++
++static bool
++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++	size_t hash, i;
++
++	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++	hash %= set->size;
++
++	for (i = 0; i < set->node[hash].size; i++) {
++		if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
++			return true;
++		}
++	}
++
++	return false;
++}
++
++static int
++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
++{
++	size_t hash;
++
++	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
++	hash %= set->size;
++
++	set->node[hash].certs =
++		gnutls_realloc_fast(set->node[hash].certs,
++				    (set->node[hash].size + 1) *
++				    sizeof(*set->node[hash].certs));
++	if (!set->node[hash].certs) {
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	}
++	set->node[hash].certs[set->node[hash].size] = cert;
++	set->node[hash].size++;
++
++	return 0;
++}
++
+ /**
+  * gnutls_x509_trust_list_init:
+  * @list: A pointer to the type to be initialized
+@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	unsigned have_set_name = 0;
+ 	unsigned saved_output;
+ 	gnutls_datum_t ip = {NULL, 0};
++	struct cert_set_st cert_set = { NULL, 0 };
+ 
+ 	if (cert_list == NULL || cert_list_size < 1)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+ 	cert_list = sorted;
+ 
++	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
++	if (ret < 0) {
++		return ret;
++	}
++
+ 	for (i = 0; i < cert_list_size &&
+-		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
+-		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+-			unsigned int sorted_size;
++		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
++		unsigned int sorted_size = 1;
++		unsigned int j;
++		gnutls_x509_crt_t issuer;
+ 
++		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
+ 			sorted_size = _gnutls_sort_clist(&cert_list[i],
+ 							 cert_list_size - i);
+-			i += sorted_size - 1;
+ 		}
+ 
+-		if (i == cert_list_size - 1) {
+-			gnutls_x509_crt_t issuer;
+-
+-			/* If it is the last certificate and its issuer is
+-			 * known, don't need to run issuer callback. */
+-			if (_gnutls_trust_list_get_issuer(list,
+-							  cert_list[i],
+-							  &issuer,
+-							  0) == 0) {
++		/* Remove duplicates. Start with index 1, as the first element
++		 * may be re-checked after issuer retrieval. */
++		for (j = 1; j < sorted_size; j++) {
++			if (cert_set_contains(&cert_set, cert_list[i + j])) {
++				if (i + j < cert_list_size - 1) {
++					memmove(&cert_list[i + j],
++						&cert_list[i + j + 1],
++						sizeof(cert_list[i]));
++				}
++				cert_list_size--;
+ 				break;
+ 			}
+-		} else if (gnutls_x509_crt_check_issuer(cert_list[i],
+-							cert_list[i + 1])) {
+-			/* There is no gap between this and the next
+-			 * certificate. */
++		}
++		/* Found a duplicate, try again with the same index. */
++		if (j < sorted_size) {
++			continue;
++		}
++
++		/* Record the certificates seen. */
++		for (j = 0; j < sorted_size; j++, i++) {
++			ret = cert_set_add(&cert_set, cert_list[i]);
++			if (ret < 0) {
++				goto cleanup;
++			}
++		}
++
++		/* If the issuer of the certificate is known, no need
++		 * for further processing. */
++		if (_gnutls_trust_list_get_issuer(list,
++						  cert_list[i - 1],
++						  &issuer,
++						  0) == 0) {
++			cert_list_size = i;
++			break;
++		}
++
++		/* If there is no gap between this and the next certificate,
++		 * proceed with the next certificate. */
++		if (i < cert_list_size &&
++		    gnutls_x509_crt_check_issuer(cert_list[i - 1],
++						 cert_list[i])) {
+ 			continue;
+ 		}
+ 
+ 		ret = retrieve_issuers(list,
+-				       cert_list[i],
++				       cert_list[i - 1],
+ 				       &retrieved[retrieved_size],
+ 				       DEFAULT_MAX_VERIFY_DEPTH -
+ 				       MAX(retrieved_size,
+@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 		if (ret < 0) {
+ 			break;
+ 		} else if (ret > 0) {
+-			memmove(&cert_list[i + 1 + ret],
+-				&cert_list[i + 1],
+-				(cert_list_size - i - 1) *
++			assert((unsigned int)ret <=
++			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++			memmove(&cert_list[i + ret],
++				&cert_list[i],
++				(cert_list_size - i) *
+ 				sizeof(gnutls_x509_crt_t));
+-			memcpy(&cert_list[i + 1],
++			memcpy(&cert_list[i],
+ 			       &retrieved[retrieved_size],
+ 			       ret * sizeof(gnutls_x509_crt_t));
+ 			retrieved_size += ret;
+ 			cert_list_size += ret;
++
++			/* Start again from the end of the previous segment. */
++			i--;
+ 		}
+ 	}
+ 
+@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+ 	for (i = 0; i < retrieved_size; i++) {
+ 		gnutls_x509_crt_deinit(retrieved[i]);
+ 	}
++	cert_set_deinit(&cert_set);
+ 	return ret;
+ }
+ 
+diff --git a/tests/missingissuer.c b/tests/missingissuer.c
+index f21e2b6b0c..226d095929 100644
+--- a/tests/missingissuer.c
++++ b/tests/missingissuer.c
+@@ -145,6 +145,8 @@ void doit(void)
+ 		printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
+ 
+ 		for (j = 0; chains[i].chain[j]; j++) {
++			assert(j < MAX_CHAIN);
++
+ 			if (debug > 2)
+ 				printf("\tAdding certificate %d...", (int)j);
+ 
+diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
+index 543e2d71fb..bf1e65c956 100644
+--- a/tests/test-chains-issuer.h
++++ b/tests/test-chains-issuer.h
+@@ -24,7 +24,7 @@
+ #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+ #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+ 
+-#define MAX_CHAIN 6
++#define MAX_CHAIN 15
+ 
+ #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n"			\
+ 	"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
+@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
+ 	NULL,
+ };
+ 
++static const char *missing_middle_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_2,
++	CA_CERT_2,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_middle_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_last_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_3,
++	CA_CERT_3,
++	CA_CERT_2,
++	CA_CERT_2,
++	NULL,
++};
++
++static const char *missing_last_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_4,
++	CA_CERT_4,
++	CA_CERT_3,
++	CA_CERT_3,
++	NULL,
++};
++
++static const char *missing_skip_single_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_3,
++	CA_CERT_3,
++	CA_CERT_1,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_skip_multiple_duplicate[] = {
++	SERVER_CERT,
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_5,
++	CA_CERT_3,
++	CA_CERT_3,
++	NULL,
++};
++
+ static const char *missing_ca[] = {
+ 	CA_CERT_0,
+ 	NULL,
+ };
+ 
++static const char *middle_single_duplicate_ca[] = {
++	SERVER_CERT,
++	CA_CERT_5,
++	CA_CERT_0,
++	CA_CERT_4,
++	CA_CERT_0,
++	CA_CERT_2,
++	CA_CERT_0,
++	CA_CERT_1,
++	NULL,
++};
++
++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
++	CA_CERT_0,
++	NULL,
++};
++
+ static struct chains {
+ 	const char *name;
+ 	const char **chain;
+@@ -377,6 +468,14 @@ static struct chains {
+ 	{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ 	{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ 	{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
++	{ "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
++	{ "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
++	{ "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
++	{ "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
++	{ "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
++	{ "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
+ 	{ NULL, NULL, NULL, NULL },
+ };
+ 
+-- 
+GitLab
+

gnutls-test-fixes.patch

@@ -0,0 +1,117 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 38b9585bc002ac9d32003ec7127153f9950ad1b1..09a6274776935f07f91a5be1eb79a573165ded93 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -67,6 +67,8 @@ have_ed25519=0
+ P11TOOL="${VALGRIND} ${P11TOOL} --batch"
+ SERV="${SERV} -q"
+ 
++TESTDATE=2020-12-01
++
+ . ${srcdir}/scripts/common.sh
+ 
+ rm -f "${LOGFILE}"
+@@ -79,6 +81,8 @@ exit_error () {
+ 	exit 1
+ }
+ 
++skip_if_no_datefudge
++
+ # $1: token
+ # $2: PIN
+ # $3: filename
+@@ -523,6 +527,7 @@ write_certificate_test () {
+ 	pubkey="$5"
+ 
+ 	echo -n "* Generating client certificate... "
++	datefudge -s "$TESTDATE" \
+ 	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM}  --generate-certificate --load-ca-privkey "${cakey}"  --load-ca-certificate "${cacert}"  \
+ 	--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
+ 	--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
+@@ -900,7 +905,9 @@ use_certificate_test () {
+ 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
+ 	# start server
+ 	eval "${GETPORT}"
+-	launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
++	launch_bare_server datefudge -s "$TESTDATE" \
++		$VALGRIND $SERV $DEBUG -p "$PORT" \
++		${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
+ 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \
+ 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
+ 
+@@ -908,13 +915,16 @@ use_certificate_test () {
+ 	wait_server ${PID}
+ 
+ 	# connect to server using SC
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
+ 		fail ${PID} "Connection should have failed!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
+ 	--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ 		fail ${PID} "Connection (with files) should have succeeded!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
+ 		--x509keyfile="${token};object=gnutls-client;object-type=private" \
+ 		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
+diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
+index eba502612a293eb11134a62ce749ff87e6778ab2..77fe17e59341a344590ea22f62076e4db54dd91a 100755
+--- a/tests/tpmtool_test.sh
++++ b/tests/tpmtool_test.sh
+@@ -138,6 +138,7 @@ start_tcsd()
+ 	local tcsd_conf=$workdir/tcsd.conf
+ 	local tcsd_system_ps_file=$workdir/system_ps_file
+ 	local tcsd_pidfile=$workdir/tcsd.pid
++	local owner
+ 
+ 	start_swtpm "$workdir"
+ 	[ $? -ne 0 ] && return 1
+@@ -146,20 +147,36 @@ start_tcsd()
+ port = $TCSD_LISTEN_PORT
+ system_ps_file = $tcsd_system_ps_file
+ _EOF_
++	# older versions of trousers require tss:tss ownership of the
++	# config file, later ones root:tss
++	for owner in tss root; do
++		if [ "$owner" = "tss" ]; then
++			chmod 0600 $tcsd_conf
++		else
++			chmod 0640 $tcsd_conf
++		fi
++		chown $owner:tss $tcsd_conf
+ 
+-	chown tss:tss $tcsd_conf
+-	chmod 0600 $tcsd_conf
++		bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
++		BASH_PID=$!
+ 
+-	bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+-	BASH_PID=$!
++		if wait_for_file $tcsd_pidfile 3; then
++			echo "Could not get TCSD's PID file"
++			return 1
++		fi
+ 
+-	if wait_for_file $tcsd_pidfile 3; then
+-		echo "Could not get TCSD's PID file"
+-		return 1
+-	fi
++		sleep 0.5
++		TCSD_PID=$(cat $tcsd_pidfile)
++		kill -0 "${TCSD_PID}"
++		if [ $? -ne 0 ]; then
++			# Try again with other owner
++			continue
++		fi
++		return 0
++	done
+ 
+-	TCSD_PID=$(cat $tcsd_pidfile)
+-	return 0
++	echo "TCSD could not be started"
++	return 1
+ }
+ 
+ stop_tcsd()

gnutls.changes

@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
+  * Don't unset system priority settings in gnutls-cli-debug.sh
+  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
+- Add gnutls-gnutls-cli-debug.patch
+
+-------------------------------------------------------------------
+Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix: Test certificates in tests/testpkcs11-certs have expired
+  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
+- Add gnutls-test-fixes.patch
+
+-------------------------------------------------------------------
+Mon Feb  8 18:05:56 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
+  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
+- Add gnutls-ignore-duplicate-certificates.patch
+
+-------------------------------------------------------------------
+Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.0
+  * Depend on nettle 3.6
+  * Added a new API that provides a callback function to retrieve
+    missing certificates from incomplete certificate chains
+  * Added a new API that provides a callback function to output the
+    complete path to the trusted root during certificate chain
+	verification
+  * OIDs exposed as gnutls_datum_t no longer account for the
+    terminating null bytes, while the data field is null terminated.
+    The affected API functions are: gnutls_ocsp_req_get_extension,
+    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
+  * Added a new set of API to enable QUIC implementation
+  * The crypto implementation override APIs deprecated in 3.6.9 are
+    now no-op
+  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
+  * Support for padlock has been fixed to make it work with Zhaoxin CPU
+  * The maximum PIN length for PKCS #11 has been increased from 31
+    bytes to 255 bytes
+- Remove patch fixed upstream:
+  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
+- Add version guards for the crypto-policies package
+- Fix threading bug in libgnutls [bsc#1173434]
+  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
+
+-------------------------------------------------------------------
+Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Require the crypto-policies package [bsc#1180051]
+
+-------------------------------------------------------------------
+Tue Nov 24 15:43:02 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Use the centralized crypto policy profile (jsc#SLE-15832)
+
+-------------------------------------------------------------------
+Tue Nov 10 11:25:02 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
+  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
+- FIPS: Add TLS KDF selftest (bsc#1176671)
+  * add gnutls-FIPS-TLS_KDF_selftest.patch
+
 -------------------------------------------------------------------
 Mon Oct 12 11:54:00 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
 

gnutls.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,19 +28,26 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.15
+Version:        3.7.0
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
 Group:          Productivity/Networking/Security
 URL:            https://www.gnutls.org/
-Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
-Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
-Source2:        %{name}.keyring
+Source0:        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
+Source1:        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
+Source2:        gnutls.keyring
 Source3:        baselibs.conf
-Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
-Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
-Patch6:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
+Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
+Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
+Patch2:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
+Patch3:         gnutls-FIPS-TLS_KDF_selftest.patch
+#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131
+Patch4:         gnutls-ignore-duplicate-certificates.patch
+#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135
+Patch5:         gnutls-test-fixes.patch
+#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387
+Patch6:         gnutls-gnutls-cli-debug.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -50,7 +57,7 @@ BuildRequires:  gcc-c++
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
 BuildRequires:  iproute2
 BuildRequires:  libidn2-devel
-BuildRequires:  libnettle-devel >= 3.4.1
+BuildRequires:  libnettle-devel >= 3.6
 BuildRequires:  libtasn1-devel >= 4.9
 BuildRequires:  libtool
 BuildRequires:  libunistring-devel
@@ -79,6 +86,9 @@ BuildRequires:  libunbound-devel
 %if %{with guile}
 BuildRequires:  guile-devel
 %endif
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:       crypto-policies
+%endif
 
 %description
 The GnuTLS library provides a secure layer over a reliable transport
@@ -159,6 +169,7 @@ Requires(pre):  %{install_info_prereq}
 %description -n libgnutlsxx-devel
 Files needed for software development using gnutls.
 
+%if %{with guile}
 %package guile
 Summary:        Guile wrappers for gnutls
 License:        LGPL-2.1-or-later
@@ -167,11 +178,15 @@ Requires:       guile
 
 %description guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
+%endif
 
 %prep
 %autosetup -p1
 
+echo "SYSTEM=NORMAL" >> tests/system.prio
+
 %build
+%define _lto_cflags %{nil}
 export LDFLAGS="-pie"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
@@ -183,6 +198,8 @@ export CXXFLAGS="%{optflags} -fPIE"
         --disable-rpath \
         --disable-silent-rules \
         --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
+        --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
+        --with-default-priority-string="@SYSTEM" \
         --with-sysroot=/%{?_sysroot} \
 %if %{without tpm}
         --without-tpm \
@@ -194,6 +211,7 @@ export CXXFLAGS="%{optflags} -fPIE"
 %endif
         --enable-fips140-mode \
         %{nil}
+
 make %{?_smp_mflags}
 
 # the hmac hashes:
@@ -235,7 +253,8 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
 
 %check
 %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check || {
+#make %%{?_smp_mflags} check || {
+make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
     find -name test-suite.log -print -exec cat {} +
     exit 1
 }
@@ -330,8 +349,19 @@ make %{?_smp_mflags} check || {
 
 %if %{with guile}
 %files guile
+%if 0%{?suse_version} > 1550
+%{_libdir}/guile/3.0/guile-gnutls*.so*
+%{_libdir}/guile/3.0/site-ccache
+%{_libdir}/guile/3.0/site-ccache/gnutls
+%{_libdir}/guile/3.0/site-ccache/gnutls.go
+%{_libdir}/guile/3.0/site-ccache/gnutls/extra.go
+%{_datadir}/guile/gnutls
+%{_datadir}/guile/gnutls.scm
+%{_datadir}/guile/gnutls/extra.scm
+%else
 %{_libdir}/guile/*
 %{_datadir}/guile/gnutls*
 %endif
+%endif
 
 %changelog