diff --git a/.gitignore b/.gitignore index 7137263..0f9ce46 100644 --- a/.gitignore +++ b/.gitignore @@ -131,3 +131,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.15.tar.xz.sig /gnutls-3.7.0.tar.xz /gnutls-3.7.0.tar.xz.sig +/gnutls-3.7.1.tar.xz +/gnutls-3.7.1.tar.xz.sig diff --git a/gnutls-3.7.0-duplicate-certs-pkcs11.patch b/gnutls-3.7.0-duplicate-certs-pkcs11.patch deleted file mode 100644 index 02284b4..0000000 --- a/gnutls-3.7.0-duplicate-certs-pkcs11.patch +++ /dev/null @@ -1,44 +0,0 @@ -From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 5 Mar 2021 12:08:25 +0100 -Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for - PKCS11 too - -The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of -gnutls/gnutls!1370) didn't cover the case where the trust store is -backed by PKCS #11, because it used _gnutls_trust_list_get_issuer, -which only works with file based trust store. - -This patch replaces the call with more generic -gnutls_x509_trust_list_get_issuer so it also works with other trust -store implementations. - -Reported by Michal Ruprich. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index 9a16e6b42..736326ee1 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - - /* If the issuer of the certificate is known, no need - * for further processing. */ -- if (_gnutls_trust_list_get_issuer(list, -- cert_list[i - 1], -- &issuer, -- 0) == 0) { -+ if (gnutls_x509_trust_list_get_issuer(list, -+ cert_list[i - 1], -+ &issuer, -+ 0) == 0) { - cert_list_size = i; - break; - } --- -2.29.2 - diff --git a/gnutls-3.7.0-duplicate-certs.patch b/gnutls-3.7.0-duplicate-certs.patch deleted file mode 100644 index d86b855..0000000 --- a/gnutls-3.7.0-duplicate-certs.patch +++ /dev/null @@ -1,403 +0,0 @@ -From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Dec 2020 12:14:13 +0100 -Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate - certificates - -The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a -regression, where duplicate certificates in a certificate chain are no -longer ignored but treated as a non-contiguous segment and that -results in calling the issuer callback, or a verification failure. - -This adds a mechanism to record certificates already seen in the -chain, and skip them while still allow the caller to inject missing -certificates. - -Signed-off-by: Daiki Ueno -Co-authored-by: Andreas Metzler ---- - lib/x509/common.c | 8 ++ - lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ - tests/missingissuer.c | 2 + - tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- - 4 files changed, 245 insertions(+), 23 deletions(-) - -diff --git a/lib/x509/common.c b/lib/x509/common.c -index 3301aaad0..10c8db53c 100644 ---- a/lib/x509/common.c -+++ b/lib/x509/common.c -@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, - * increasing DEFAULT_MAX_VERIFY_DEPTH. - */ - for (i = 0; i < clist_size; i++) { -+ /* Self-signed certificate found in the chain; skip it -+ * as it should only appear in the trusted set. -+ */ -+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { -+ _gnutls_cert_log("self-signed cert found", clist[i]); -+ continue; -+ } -+ - for (j = 1; j < clist_size; j++) { - if (i == j) - continue; -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index 588e7ee0d..9a16e6b42 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { - - #define DEFAULT_SIZE 127 - -+struct cert_set_node_st { -+ gnutls_x509_crt_t *certs; -+ unsigned int size; -+}; -+ -+struct cert_set_st { -+ struct cert_set_node_st *node; -+ unsigned int size; -+}; -+ -+static int -+cert_set_init(struct cert_set_st *set, unsigned int size) -+{ -+ memset(set, 0, sizeof(*set)); -+ -+ set->size = size; -+ set->node = gnutls_calloc(size, sizeof(*set->node)); -+ if (!set->node) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ -+ return 0; -+} -+ -+static void -+cert_set_deinit(struct cert_set_st *set) -+{ -+ size_t i; -+ -+ for (i = 0; i < set->size; i++) { -+ gnutls_free(set->node[i].certs); -+ } -+ -+ gnutls_free(set->node); -+} -+ -+static bool -+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash, i; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ for (i = 0; i < set->node[hash].size; i++) { -+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { -+ return true; -+ } -+ } -+ -+ return false; -+} -+ -+static int -+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ set->node[hash].certs = -+ gnutls_realloc_fast(set->node[hash].certs, -+ (set->node[hash].size + 1) * -+ sizeof(*set->node[hash].certs)); -+ if (!set->node[hash].certs) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ set->node[hash].certs[set->node[hash].size] = cert; -+ set->node[hash].size++; -+ -+ return 0; -+} -+ - /** - * gnutls_x509_trust_list_init: - * @list: A pointer to the type to be initialized -@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - unsigned have_set_name = 0; - unsigned saved_output; - gnutls_datum_t ip = {NULL, 0}; -+ struct cert_set_st cert_set = { NULL, 0 }; - - if (cert_list == NULL || cert_list_size < 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); - cert_list = sorted; - -+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); -+ if (ret < 0) { -+ return ret; -+ } -+ - for (i = 0; i < cert_list_size && -- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { -- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { -- unsigned int sorted_size; -+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { -+ unsigned int sorted_size = 1; -+ unsigned int j; -+ gnutls_x509_crt_t issuer; - -+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { - sorted_size = _gnutls_sort_clist(&cert_list[i], - cert_list_size - i); -- i += sorted_size - 1; - } - -- if (i == cert_list_size - 1) { -- gnutls_x509_crt_t issuer; -- -- /* If it is the last certificate and its issuer is -- * known, don't need to run issuer callback. */ -- if (_gnutls_trust_list_get_issuer(list, -- cert_list[i], -- &issuer, -- 0) == 0) { -+ /* Remove duplicates. Start with index 1, as the first element -+ * may be re-checked after issuer retrieval. */ -+ for (j = 1; j < sorted_size; j++) { -+ if (cert_set_contains(&cert_set, cert_list[i + j])) { -+ if (i + j < cert_list_size - 1) { -+ memmove(&cert_list[i + j], -+ &cert_list[i + j + 1], -+ sizeof(cert_list[i])); -+ } -+ cert_list_size--; - break; - } -- } else if (gnutls_x509_crt_check_issuer(cert_list[i], -- cert_list[i + 1])) { -- /* There is no gap between this and the next -- * certificate. */ -+ } -+ /* Found a duplicate, try again with the same index. */ -+ if (j < sorted_size) { -+ continue; -+ } -+ -+ /* Record the certificates seen. */ -+ for (j = 0; j < sorted_size; j++, i++) { -+ ret = cert_set_add(&cert_set, cert_list[i]); -+ if (ret < 0) { -+ goto cleanup; -+ } -+ } -+ -+ /* If the issuer of the certificate is known, no need -+ * for further processing. */ -+ if (_gnutls_trust_list_get_issuer(list, -+ cert_list[i - 1], -+ &issuer, -+ 0) == 0) { -+ cert_list_size = i; -+ break; -+ } -+ -+ /* If there is no gap between this and the next certificate, -+ * proceed with the next certificate. */ -+ if (i < cert_list_size && -+ gnutls_x509_crt_check_issuer(cert_list[i - 1], -+ cert_list[i])) { - continue; - } - - ret = retrieve_issuers(list, -- cert_list[i], -+ cert_list[i - 1], - &retrieved[retrieved_size], - DEFAULT_MAX_VERIFY_DEPTH - - MAX(retrieved_size, -@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - if (ret < 0) { - break; - } else if (ret > 0) { -- memmove(&cert_list[i + 1 + ret], -- &cert_list[i + 1], -- (cert_list_size - i - 1) * -+ assert((unsigned int)ret <= -+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); -+ memmove(&cert_list[i + ret], -+ &cert_list[i], -+ (cert_list_size - i) * - sizeof(gnutls_x509_crt_t)); -- memcpy(&cert_list[i + 1], -+ memcpy(&cert_list[i], - &retrieved[retrieved_size], - ret * sizeof(gnutls_x509_crt_t)); - retrieved_size += ret; - cert_list_size += ret; -+ -+ /* Start again from the end of the previous segment. */ -+ i--; - } - } - -@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - for (i = 0; i < retrieved_size; i++) { - gnutls_x509_crt_deinit(retrieved[i]); - } -+ cert_set_deinit(&cert_set); - return ret; - } - -diff --git a/tests/missingissuer.c b/tests/missingissuer.c -index f21e2b6b0..226d09592 100644 ---- a/tests/missingissuer.c -+++ b/tests/missingissuer.c -@@ -145,6 +145,8 @@ void doit(void) - printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); - - for (j = 0; chains[i].chain[j]; j++) { -+ assert(j < MAX_CHAIN); -+ - if (debug > 2) - printf("\tAdding certificate %d...", (int)j); - -diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h -index 543e2d71f..bf1e65c95 100644 ---- a/tests/test-chains-issuer.h -+++ b/tests/test-chains-issuer.h -@@ -24,7 +24,7 @@ - #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - --#define MAX_CHAIN 6 -+#define MAX_CHAIN 15 - - #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ - "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ -@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { - NULL, - }; - -+static const char *missing_middle_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_2, -+ CA_CERT_2, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_last_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_2, -+ CA_CERT_2, -+ NULL, -+}; -+ -+static const char *missing_last_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ -+static const char *missing_skip_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_skip_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ - static const char *missing_ca[] = { - CA_CERT_0, - NULL, - }; - -+static const char *middle_single_duplicate_ca[] = { -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_0, -+ CA_CERT_4, -+ CA_CERT_0, -+ CA_CERT_2, -+ CA_CERT_0, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { -+ CA_CERT_0, -+ NULL, -+}; -+ - static struct chains { - const char *name; - const char **chain; -@@ -377,6 +468,14 @@ static struct chains { - { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, - { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, -+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, -+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, -+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, -+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { NULL, NULL, NULL, NULL }, - }; - --- -2.29.2 - diff --git a/gnutls-3.7.0-gost.patch b/gnutls-3.7.0-gost.patch deleted file mode 100644 index 7cad9b5..0000000 --- a/gnutls-3.7.0-gost.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh ---- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100 -+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100 -@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test " - kill ${PID} - wait - -+ cat $OUTFILE -+ - check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes" - check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes" - check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes" diff --git a/gnutls-3.7.0-test-fixes.patch b/gnutls-3.7.0-test-fixes.patch deleted file mode 100644 index 066feb4..0000000 --- a/gnutls-3.7.0-test-fixes.patch +++ /dev/null @@ -1,195 +0,0 @@ -From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 21 Dec 2020 09:36:47 -0500 -Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers - -Recent changes to trousers now require an ownership of root:tss for -the tcsd config file, older ones requires tss:tss. So, start tcsd -using trial and error with either one of these ownership configurations -until one works. - -Signed-off-by: Stefan Berger ---- - tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++---------- - 1 file changed, 27 insertions(+), 10 deletions(-) - -diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh -index eba502612..77fe17e59 100755 ---- a/tests/tpmtool_test.sh -+++ b/tests/tpmtool_test.sh -@@ -138,6 +138,7 @@ start_tcsd() - local tcsd_conf=$workdir/tcsd.conf - local tcsd_system_ps_file=$workdir/system_ps_file - local tcsd_pidfile=$workdir/tcsd.pid -+ local owner - - start_swtpm "$workdir" - [ $? -ne 0 ] && return 1 -@@ -146,20 +147,36 @@ start_tcsd() - port = $TCSD_LISTEN_PORT - system_ps_file = $tcsd_system_ps_file - _EOF_ -+ # older versions of trousers require tss:tss ownership of the -+ # config file, later ones root:tss -+ for owner in tss root; do -+ if [ "$owner" = "tss" ]; then -+ chmod 0600 $tcsd_conf -+ else -+ chmod 0640 $tcsd_conf -+ fi -+ chown $owner:tss $tcsd_conf - -- chown tss:tss $tcsd_conf -- chmod 0600 $tcsd_conf -+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & -+ BASH_PID=$! - -- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & -- BASH_PID=$! -+ if wait_for_file $tcsd_pidfile 3; then -+ echo "Could not get TCSD's PID file" -+ return 1 -+ fi - -- if wait_for_file $tcsd_pidfile 3; then -- echo "Could not get TCSD's PID file" -- return 1 -- fi -+ sleep 0.5 -+ TCSD_PID=$(cat $tcsd_pidfile) -+ kill -0 "${TCSD_PID}" -+ if [ $? -ne 0 ]; then -+ # Try again with other owner -+ continue -+ fi -+ return 0 -+ done - -- TCSD_PID=$(cat $tcsd_pidfile) -- return 0 -+ echo "TCSD could not be started" -+ return 1 - } - - stop_tcsd() --- -2.29.2 - - -From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Dec 2020 16:16:53 +0100 -Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry - -The certificates stored in tests/testpkcs11-certs expired on -2020-12-13. To avoid verification failure due to that, use datefudge -to set custom date when calling gnutls-cli, gnutls-serv, and certtool. - -Based on the patch by Andreas Metzler: -https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 - -Signed-off-by: Daiki Ueno ---- - tests/testpkcs11.sh | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh -index 38b9585bc..09a627477 100755 ---- a/tests/testpkcs11.sh -+++ b/tests/testpkcs11.sh -@@ -67,6 +67,8 @@ have_ed25519=0 - P11TOOL="${VALGRIND} ${P11TOOL} --batch" - SERV="${SERV} -q" - -+TESTDATE=2020-12-01 -+ - . ${srcdir}/scripts/common.sh - - rm -f "${LOGFILE}" -@@ -79,6 +81,8 @@ exit_error () { - exit 1 - } - -+skip_if_no_datefudge -+ - # $1: token - # $2: PIN - # $3: filename -@@ -523,6 +527,7 @@ write_certificate_test () { - pubkey="$5" - - echo -n "* Generating client certificate... " -+ datefudge -s "$TESTDATE" \ - "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ - --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ - --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 -@@ -900,7 +905,9 @@ use_certificate_test () { - echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " - # start server - eval "${GETPORT}" -- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ -+ launch_bare_server datefudge -s "$TESTDATE" \ -+ $VALGRIND $SERV $DEBUG -p "$PORT" \ -+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" \ - --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 - -@@ -908,13 +915,16 @@ use_certificate_test () { - wait_server ${PID} - - # connect to server using SC -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ - fail ${PID} "Connection should have failed!" - -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Connection (with files) should have succeeded!" - -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ - --x509keyfile="${token};object=gnutls-client;object-type=private" \ - --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ --- -2.29.2 - -From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 9 Feb 2021 15:26:07 +0100 -Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority - settings - -When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many -places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging -system that runs the test in a restricted environment. Unsetting it -after a temporary use forces the remaining part of the test to use the -default system priority, which might not be the intention of the user. - -Signed-off-by: Daiki Ueno ---- - tests/gnutls-cli-debug.sh | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh -index a73910dea..3c3e2214e 100755 ---- a/tests/gnutls-cli-debug.sh -+++ b/tests/gnutls-cli-debug.sh -@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} - tls-disabled-cipher = CAMELLIA-128-CBC - tls-disabled-cipher = CAMELLIA-256-CBC - _EOF_ --export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" - -+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ - timeout 1800 datefudge "2017-08-9" \ - "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" - --unset GNUTLS_SYSTEM_PRIORITY_FILE -- - kill ${PID} - wait - --- -2.29.2 - diff --git a/gnutls-3.7.1-aggressive-realloc-fixes.patch b/gnutls-3.7.1-aggressive-realloc-fixes.patch new file mode 100644 index 0000000..dfe035f --- /dev/null +++ b/gnutls-3.7.1-aggressive-realloc-fixes.patch @@ -0,0 +1,84 @@ +From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 10 Mar 2021 16:11:29 +0100 +Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if + AGGRESSIVE_REALLOC + +Signed-off-by: Daiki Ueno +--- + lib/str.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/str.c b/lib/str.c +index 506fe1721..bc20ebb04 100644 +--- a/lib/str.c ++++ b/lib/str.c +@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + + unused = MEMSUB(dest->data, dest->allocd); + dest->allocd = +- gnutls_realloc_fast(dest->allocd, new_size); ++ gnutls_realloc_fast(dest->allocd, new_size + unused); + if (dest->allocd == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } +- dest->max_length = new_size; ++ dest->max_length = new_size + unused; + dest->data = dest->allocd + unused; + + return 0; +-- +2.30.2 + + +From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 10 Mar 2021 16:12:23 +0100 +Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is + defined + +Signed-off-by: Daiki Ueno +--- + lib/str.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/lib/str.c b/lib/str.c +index bc20ebb04..8007340f1 100644 +--- a/lib/str.c ++++ b/lib/str.c +@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str) + + #define MIN_CHUNK 1024 + +-static void align_allocd_with_data(gnutls_buffer_st * dest) +-{ +- assert(dest->allocd != NULL); +- assert(dest->data != NULL); +- if (dest->length) +- memmove(dest->allocd, dest->data, dest->length); +- dest->data = dest->allocd; +-} +- + /** + * gnutls_buffer_append_data: + * @dest: the buffer to append to +@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + + #else + ++static void align_allocd_with_data(gnutls_buffer_st * dest) ++{ ++ assert(dest->allocd != NULL); ++ assert(dest->data != NULL); ++ if (dest->length) ++ memmove(dest->allocd, dest->data, dest->length); ++ dest->data = dest->allocd; ++} ++ + int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + { + if (unlikely(dest->data != NULL && dest->allocd == NULL)) +-- +2.30.2 + diff --git a/gnutls.spec b/gnutls.spec index 51ff567..e743644 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,9 @@ # This spec file has been automatically updated -Version: 3.7.0 -Release: 4%{?dist} +Version: 3.7.1 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.0-test-fixes.patch -Patch4: gnutls-3.7.0-gost.patch -Patch5: gnutls-3.7.0-duplicate-certs.patch -Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch +Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -33,9 +30,6 @@ BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 -%if %{with fips} -BuildRequires: fipscheck -%endif # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates @@ -213,8 +207,9 @@ make %{?_smp_mflags} V=1 %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ - file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ + file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*`.hmac && \ + mv $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac $RPM_BUILD_ROOT%{_libdir}/.$file && \ + ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ %{nil} %endif @@ -293,6 +288,11 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sat Mar 13 2021 Daiki Ueno - 3.7.1-1 +- Update to upstream 3.7.1 release +- Remove fipscheck dependency, as it is now calculated with an + internal tool + * Fri Mar 5 2021 Daiki Ueno - 3.7.0-4 - Tolerate duplicate certs in the chain also with PKCS #11 trust store diff --git a/sources b/sources index da7e44a..37216a4 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 -SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd +SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 +SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173