From 341d862ca32f3ecb386b29eedb5473a9fcfbbc9a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 25 Mar 2020 14:07:06 +0100 Subject: [PATCH 01/14] Remove gpgkey file from sources The line in the sources file causing conflict with "fedpkg local" as the gpgkey file is already tracked in the git repository. --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index d770fd6..ce3867d 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 From 36d1e2827be27201f1fef2106907429fd0ca75ec Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 26 Mar 2020 15:29:23 +0100 Subject: [PATCH 02/14] Fix FIPS-140 power-on self-tests Backport upstream FIPS-140 power-on self-tests changes. This addresses the bug bz#1813384. This also includes a backport of a small fix to the gnutls-serv application to address the issue reported in rhbz#1816583. Resolves: #1813384, #1816583 --- gnutls-3.6.12-fix-echo-server.patch | 37 + gnutls-3.6.12-fix-fips-self-tests.patch | 862 ++++++++++++++++++ ...s-3.6.12-load-config-after-fips-post.patch | 38 + gnutls.spec | 9 +- 4 files changed, 945 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.12-fix-echo-server.patch create mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch create mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch new file mode 100644 index 0000000..861eb17 --- /dev/null +++ b/gnutls-3.6.12-fix-echo-server.patch @@ -0,0 +1,37 @@ +From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 24 Mar 2020 09:55:08 +0100 +Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is + received + +Previously, when gnutls-serv was executed with the --echo option, it +would exit when a message to be echoed was received. Moreover, the +server would output "Memory error" although no error occurred. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/serv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/serv.c b/src/serv.c +index a4dd445da..414cd0546 100644 +--- a/src/serv.c ++++ b/src/serv.c +@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, + *response_length = strlen(*response); + return 1; + } else if (ret == 0) { ++ *response = strdup(request); + if (*response == NULL) { + fprintf(stderr, "Memory error\n"); + return 0; + } +- *response = strdup(request); +- *response_length = ((*response) ? strlen(*response) : 0); ++ *response_length = strlen(*response); + } else { + *response = NULL; + do { +-- +2.24.1 + diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch new file mode 100644 index 0000000..467c857 --- /dev/null +++ b/gnutls-3.6.12-fix-fips-self-tests.patch @@ -0,0 +1,862 @@ +diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c +index 7bdb097..6f66cd8 100644 +--- a/lib/crypto-selftests-pk.c ++++ b/lib/crypto-selftests-pk.c +@@ -22,6 +22,7 @@ + + #include "gnutls_int.h" + #include "errors.h" ++#include "fips.h" + #include + #include + #include +@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { + .size = sizeof(DATASTR) - 2 + }; + +-static const char rsa_key2048[] = +- "-----BEGIN RSA PRIVATE KEY-----\n" +- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" +- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" +- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" +- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" +- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" +- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" +- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" +- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" +- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" +- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" +- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" +- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" +- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" +- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" +- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" +- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" +- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" +- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" +- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" +- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" +- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" +- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" +- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" +- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" +- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" +- "-----END RSA PRIVATE KEY-----\n"; +- +-static const char ecc_key[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" +- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" +- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char dsa_key[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" +- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" +- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" +- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" +- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" +- "VzO8qcrLCFvTOXY=\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char gost01_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" +- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" +- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" +- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" +- "KjL7CLBERDm7Yvlv\n" +- "-----END PRIVATE KEY-----\n"; ++/* RSA 2048 private key and signature */ ++static const char rsa_2048_privkey[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" ++ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" ++ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" ++ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" ++ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" ++ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" ++ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" ++ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" ++ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" ++ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" ++ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" ++ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" ++ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" ++ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" ++ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" ++ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" ++ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" ++ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" ++ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" ++ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" ++ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" ++ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" ++ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" ++ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" ++ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++static const char rsa_2048_sig[] = ++ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" ++ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" ++ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" ++ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" ++ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" ++ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" ++ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" ++ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" ++ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" ++ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" ++ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" ++ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" ++ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" ++ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" ++ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" ++ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; ++ ++/* DSA 2048 private key and signature */ ++static const char dsa_2048_privkey[] = ++ "-----BEGIN DSA PRIVATE KEY-----\n" ++ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" ++ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" ++ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" ++ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" ++ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" ++ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" ++ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" ++ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" ++ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" ++ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" ++ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" ++ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" ++ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" ++ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" ++ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" ++ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" ++ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" ++ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" ++ "-----END DSA PRIVATE KEY-----\n"; ++ ++static const char dsa_2048_sig[] = ++ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" ++ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" ++ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" ++ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; ++ ++/* secp256r1 private key and signature */ ++static const char ecdsa_secp256r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----\n" ++ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" ++ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" ++ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" ++ "-----END EC PRIVATE KEY-----\n"; ++ ++static const char ecdsa_secp256r1_sig[] = ++ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" ++ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" ++ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" ++ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" ++ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; ++ ++#ifdef ENABLE_NON_SUITEB_CURVES ++/* secp192r1 private key and signature */ ++static const char ecdsa_secp192r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" ++ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" ++ "Fg==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp192r1_sig[] = ++ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" ++ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" ++ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" ++ "\x0e\xe0\x63\x24\xed\xf2"; ++ ++/* secp224r1 private key and signature */ ++static const char ecdsa_secp224r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" ++ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" ++ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp224r1_sig[] = ++ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" ++ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" ++ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" ++ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; ++#endif ++ ++/* secp384r1 private key and signature */ ++static const char ecdsa_secp384r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" ++ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" ++ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" ++ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp384r1_sig[] = ++ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" ++ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" ++ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" ++ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" ++ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" ++ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" ++ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; ++ ++/* secp521r1 private key and signature */ ++static const char ecdsa_secp521r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" ++ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" ++ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" ++ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" ++ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" ++ "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp521r1_sig[] = ++ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" ++ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" ++ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" ++ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" ++ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" ++ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" ++ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" ++ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" ++ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; ++ ++/* GOST01 private key */ ++static const char gost01_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" ++ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 256 private key */ ++static const char gost12_256_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" ++ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 512 private key */ ++static const char gost12_512_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" ++ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" ++ "hsQ3JCCy4xnd5jWT\n" ++ "-----END PRIVATE KEY-----\n"; + + static int test_rsa_enc(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_digest_algorithm_t ign) +@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, + int ret; + gnutls_datum_t enc = { NULL, 0 }; + gnutls_datum_t dec = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; ++ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; + gnutls_privkey_t key; + gnutls_pubkey_t pub = NULL; + unsigned char plaintext2[sizeof(DATASTR) - 1]; +@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_sign_algorithm_t sigalgo) + { + int ret; +- gnutls_datum_t sig = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; +- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; +- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; +- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; +- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; +- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; + gnutls_privkey_t key; ++ gnutls_datum_t raw_key; ++ gnutls_datum_t sig = { NULL, 0 }; + gnutls_pubkey_t pub = NULL; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { +- snprintf(param_name, sizeof(param_name), "%s", +- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE +- (bits))); +- } else { +- snprintf(param_name, sizeof(param_name), "%u", bits); +- } +- + ret = gnutls_privkey_init(&key); + if (ret < 0) + return gnutls_assert_val(ret); +@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, + goto cleanup; + } + +- if (pk == GNUTLS_PK_RSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_RSA_PSS) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_DSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_ECC) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_01) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_256) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_512) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else { +- gnutls_assert(); +- ret = GNUTLS_E_INTERNAL_ERROR; ++ switch(pk) { ++ case GNUTLS_PK_RSA: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_RSA_PSS: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_DSA: ++ raw_key.data = (void*)dsa_2048_privkey; ++ raw_key.size = sizeof(dsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_ECC: ++ switch(bits) { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): ++ raw_key.data = (void*)ecdsa_secp192r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): ++ raw_key.data = (void*)ecdsa_secp224r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; ++ break; ++#endif ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): ++ raw_key.data = (void*)ecdsa_secp256r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): ++ raw_key.data = (void*)ecdsa_secp384r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): ++ raw_key.data = (void*)ecdsa_secp521r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_01: ++ raw_key.data = (void*)gost01_privkey; ++ raw_key.size = sizeof(gost01_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_256: ++ raw_key.data = (void*)gost12_256_privkey; ++ raw_key.size = sizeof(gost12_256_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_512: ++ raw_key.data = (void*)gost12_512_privkey; ++ raw_key.size = sizeof(gost12_512_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; + } + ++ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, + } + + ret = 0; +- cleanup: ++ ++cleanup: + if (pub != NULL) + gnutls_pubkey_deinit(pub); + gnutls_privkey_deinit(key); +@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, + return ret; + } + +-/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ +-static const char rsa_sig[] = +- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; +- +-/* ECDSA key and signature */ +-static const char ecdsa_secp256r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" +- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" +- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char ecdsa_secp256r1_sig[] = +- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; +- +-#ifdef ENABLE_NON_SUITEB_CURVES +-/* sha256 */ +-static const char ecdsa_secp192r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" +- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" +- "Fg==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp192r1_sig[] = +- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; +- +-static const char ecdsa_secp224r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" +- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" +- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp224r1_sig[] = +- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; +-#endif +- +-static const char ecdsa_secp384r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" +- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" +- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" +- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp384r1_sig[] = +- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; +- +-static const char ecdsa_secp521r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" +- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" +- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" +- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" +- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" +- "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp521r1_sig[] = +- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; +- +-/* DSA key and signature */ +-static const char dsa_privkey[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" +- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" +- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" +- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" +- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" +- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" +- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" +- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" +- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" +- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" +- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" +- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" +- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" +- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" +- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" +- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" +- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" +- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char dsa_sig[] = +- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; +- +-static const char gost01_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" +- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost01_sig[] = +- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; +- +-static const char gost12_256_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" +- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_sig[] = +- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; +- +-static const char gost12_512_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" +- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" +- "hsQ3JCCy4xnd5jWT\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_sig[] = +- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; +- + static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_digest_algorithm_t dig, + const void *privkey, size_t privkey_size, + const void *stored_sig, size_t stored_sig_size, +- unsigned deterministic_sigs) ++ gnutls_privkey_flags_t flags) + { + int ret; + gnutls_datum_t sig = { NULL, 0 }; +@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_privkey_t key; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { ++ if (pk == GNUTLS_PK_EC || ++ pk == GNUTLS_PK_GOST_01 || ++ pk == GNUTLS_PK_GOST_12_256 || ++ pk == GNUTLS_PK_GOST_12_512) ++ { + snprintf(param_name, sizeof(param_name), "%s", + gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE + (bits))); +@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + goto cleanup; + } + +- /* Test if the signature we generate matches the stored */ ++ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* Test if the generated signature matches the stored */ + ssig.data = (void *) stored_sig; + ssig.size = stored_sig_size; + +- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ +- ret = +- gnutls_privkey_sign_data(key, dig, 0, &signed_data, +- &sig); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- if (sig.size != ssig.size +- || memcmp(sig.data, ssig.data, sig.size) != 0) { +- ret = GNUTLS_E_SELF_TEST_ERROR; ++ if (sig.size != ssig.size ++ || memcmp(sig.data, ssig.data, sig.size) != 0) { ++ ret = GNUTLS_E_SELF_TEST_ERROR; + #if 0 +- unsigned i; +- fprintf(stderr, "\nstored[%d]: ", ssig.size); +- for (i = 0; i < ssig.size; i++) +- fprintf(stderr, "\\x%.2x", ssig.data[i]); +- +- fprintf(stderr, "\ngenerated[%d]: ", sig.size); +- for (i = 0; i < sig.size; i++) +- fprintf(stderr, "\\x%.2x", sig.data[i]); +- fprintf(stderr, "\n"); ++ unsigned i; ++ fprintf(stderr, "Algorithm: %s-%s\n", ++ gnutls_pk_get_name(pk), param_name); ++ fprintf(stderr, "\nstored[%d]: ", ssig.size); ++ for (i = 0; i < ssig.size; i++) ++ fprintf(stderr, "\\x%.2x", ssig.data[i]); ++ ++ fprintf(stderr, "\ngenerated[%d]: ", sig.size); ++ for (i = 0; i < sig.size; i++) ++ fprintf(stderr, "\\x%.2x", sig.data[i]); ++ fprintf(stderr, "\n"); + #endif +- gnutls_assert(); +- goto cleanup; +- } ++ gnutls_assert(); ++ goto cleanup; + } + +- /* Test if we can verify the signature */ ++ /* Test if we can verify the generated signature */ + + ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); + if (ret < 0) { +@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &signed_data, &ssig); ++ &signed_data, &sig); + if (ret < 0) { + ret = GNUTLS_E_SELF_TEST_ERROR; + gnutls_assert(); +@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &bad_data, &ssig); ++ &bad_data, &sig); + + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { + ret = GNUTLS_E_SELF_TEST_ERROR; +@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + +-#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ +- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ ++#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ ++ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + + + /* Known answer tests for DH */ +@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + { + int ret; + ++ bool is_post = false; ++ bool is_fips140_mode_enabled = false; ++ + if (flags & GNUTLS_SELF_TEST_FLAG_ALL) + pk = GNUTLS_PK_UNKNOWN; + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ is_post = true; ++ ++ if (gnutls_fips140_mode_enabled()) ++ is_fips140_mode_enabled = true; ++ + switch (pk) { + case GNUTLS_PK_UNKNOWN: + FALLTHROUGH; +@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + return 0; + FALLTHROUGH; + case GNUTLS_PK_RSA: +- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, +- rsa_key2048, rsa_sig); ++ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, ++ rsa_2048_privkey, rsa_2048_sig, 0); ++ + PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); +- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_RSA_PSS: +- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); ++ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, ++ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_DSA: +- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, +- dsa_privkey, dsa_sig); +- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, ++ dsa_2048_privkey, dsa_2048_sig, ++ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, ++ GNUTLS_SIGN_DSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; +@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + } + + /* Test ECDSA */ +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, +- ecdsa_secp256r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, ++ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, +- ecdsa_secp384r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_SIGN_ECDSA_SHA384); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, +- ecdsa_secp521r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_SIGN_ECDSA_SHA512); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, ++ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_SIGN_ECDSA_SHA384); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, ++ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_SIGN_ECDSA_SHA512); ++ } + + #ifdef ENABLE_NON_SUITEB_CURVES +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, +- ecdsa_secp192r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_SIGN_ECDSA_SHA256); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, +- ecdsa_secp224r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, ++ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, ++ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + #endif + ++ + #if ENABLE_GOST + FALLTHROUGH; + case GNUTLS_PK_GOST_01: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, +- gost01_privkey, gost01_sig); +- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_01, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_94); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_256: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, +- gost12_256_privkey, gost12_256_sig); +- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_512: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, +- gost12_512_privkey, gost12_512_sig); +- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), ++ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), + GNUTLS_SIGN_GOST_512); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + #endif +- + break; + default: + return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch new file mode 100644 index 0000000..59ffe6c --- /dev/null +++ b/gnutls-3.6.12-load-config-after-fips-post.patch @@ -0,0 +1,38 @@ +From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Wed, 18 Mar 2020 16:17:39 +0100 +Subject: [PATCH] global: Load configuration after FIPS POST + +Previously, if the loaded configuration file disabled an algorithm +tested during FIPS-140 power-on self-tests, the test would fail. By +loading the configuration file after the test is finished, such failure +is avoided as any algorithm is allowed during the tests. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + lib/global.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/global.c b/lib/global.c +index b42fcb263..9a65d114c 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) + + _gnutls_register_accel_crypto(); + _gnutls_cryptodev_init(); +- _gnutls_load_system_priorities(); + + #ifdef ENABLE_FIPS140 + /* These self tests are performed on the overridden algorithms +@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) + _gnutls_fips_mode_reset_zombie(); + } + #endif ++ _gnutls_load_system_priorities(); + _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); + ret = 0; + +-- +2.24.1 + diff --git a/gnutls.spec b/gnutls.spec index 64d57c8..fa81959 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,11 @@ # This spec file has been automatically updated Version: 3.6.12 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.12-fix-fips-self-tests.patch +Patch4: gnutls-3.6.12-load-config-after-fips-post.patch +Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +282,10 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 +- Fix FIPS POST (#1813384) +- Fix gnutls-serv --echo to not exit when a message is received (#1816583) + * Sun Feb 02 2020 Nikos Mavrogiannopoulos - 3.6.12-1 - Update to upstream 3.6.12 release From 262cc0d5618f0fce3f50107d17ec92af28383be9 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 31 Mar 2020 11:25:12 +0200 Subject: [PATCH 03/14] Update to 3.6.13-1 - Update to upstream 3.6.13 release --- .gitignore | 3 + gnutls-3.6.12-fix-echo-server.patch | 37 - gnutls-3.6.12-fix-fips-self-tests.patch | 862 ------------------ ...s-3.6.12-load-config-after-fips-post.patch | 38 - gnutls.spec | 10 +- sources | 5 +- 6 files changed, 11 insertions(+), 944 deletions(-) delete mode 100644 gnutls-3.6.12-fix-echo-server.patch delete mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch delete mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/.gitignore b/.gitignore index 0800d67..9dec2f3 100644 --- a/.gitignore +++ b/.gitignore @@ -121,3 +121,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.12.tar.xz.sig /gnutls-3.6.12.tar.xz +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/gnutls-3.6.13.tar.xz.sig +/gnutls-3.6.13.tar.xz diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch deleted file mode 100644 index 861eb17..0000000 --- a/gnutls-3.6.12-fix-echo-server.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Tue, 24 Mar 2020 09:55:08 +0100 -Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is - received - -Previously, when gnutls-serv was executed with the --echo option, it -would exit when a message to be echoed was received. Moreover, the -server would output "Memory error" although no error occurred. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/serv.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/serv.c b/src/serv.c -index a4dd445da..414cd0546 100644 ---- a/src/serv.c -+++ b/src/serv.c -@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, - *response_length = strlen(*response); - return 1; - } else if (ret == 0) { -+ *response = strdup(request); - if (*response == NULL) { - fprintf(stderr, "Memory error\n"); - return 0; - } -- *response = strdup(request); -- *response_length = ((*response) ? strlen(*response) : 0); -+ *response_length = strlen(*response); - } else { - *response = NULL; - do { --- -2.24.1 - diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch deleted file mode 100644 index 467c857..0000000 --- a/gnutls-3.6.12-fix-fips-self-tests.patch +++ /dev/null @@ -1,862 +0,0 @@ -diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c -index 7bdb097..6f66cd8 100644 ---- a/lib/crypto-selftests-pk.c -+++ b/lib/crypto-selftests-pk.c -@@ -22,6 +22,7 @@ - - #include "gnutls_int.h" - #include "errors.h" -+#include "fips.h" - #include - #include - #include -@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { - .size = sizeof(DATASTR) - 2 - }; - --static const char rsa_key2048[] = -- "-----BEGIN RSA PRIVATE KEY-----\n" -- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -- "-----END RSA PRIVATE KEY-----\n"; -- --static const char ecc_key[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" -- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" -- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char dsa_key[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" -- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" -- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" -- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" -- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" -- "VzO8qcrLCFvTOXY=\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char gost01_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" -- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" -- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" -- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" -- "KjL7CLBERDm7Yvlv\n" -- "-----END PRIVATE KEY-----\n"; -+/* RSA 2048 private key and signature */ -+static const char rsa_2048_privkey[] = -+ "-----BEGIN RSA PRIVATE KEY-----\n" -+ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -+ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -+ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -+ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -+ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -+ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -+ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -+ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -+ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -+ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -+ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -+ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -+ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -+ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -+ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -+ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -+ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -+ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -+ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -+ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -+ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -+ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -+ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -+ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -+ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -+ "-----END RSA PRIVATE KEY-----\n"; -+ -+static const char rsa_2048_sig[] = -+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" -+ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" -+ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" -+ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" -+ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" -+ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" -+ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" -+ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" -+ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" -+ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" -+ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" -+ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" -+ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" -+ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" -+ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" -+ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -+ -+/* DSA 2048 private key and signature */ -+static const char dsa_2048_privkey[] = -+ "-----BEGIN DSA PRIVATE KEY-----\n" -+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -+ "-----END DSA PRIVATE KEY-----\n"; -+ -+static const char dsa_2048_sig[] = -+ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" -+ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" -+ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" -+ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; -+ -+/* secp256r1 private key and signature */ -+static const char ecdsa_secp256r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----\n" -+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -+ "-----END EC PRIVATE KEY-----\n"; -+ -+static const char ecdsa_secp256r1_sig[] = -+ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" -+ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" -+ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" -+ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" -+ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; -+ -+#ifdef ENABLE_NON_SUITEB_CURVES -+/* secp192r1 private key and signature */ -+static const char ecdsa_secp192r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -+ "Fg==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp192r1_sig[] = -+ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" -+ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" -+ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" -+ "\x0e\xe0\x63\x24\xed\xf2"; -+ -+/* secp224r1 private key and signature */ -+static const char ecdsa_secp224r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp224r1_sig[] = -+ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" -+ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" -+ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" -+ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; -+#endif -+ -+/* secp384r1 private key and signature */ -+static const char ecdsa_secp384r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -+ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp384r1_sig[] = -+ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" -+ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" -+ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" -+ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" -+ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" -+ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" -+ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; -+ -+/* secp521r1 private key and signature */ -+static const char ecdsa_secp521r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -+ "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp521r1_sig[] = -+ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" -+ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" -+ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" -+ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" -+ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" -+ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" -+ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" -+ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" -+ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; -+ -+/* GOST01 private key */ -+static const char gost01_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 256 private key */ -+static const char gost12_256_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 512 private key */ -+static const char gost12_512_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -+ "hsQ3JCCy4xnd5jWT\n" -+ "-----END PRIVATE KEY-----\n"; - - static int test_rsa_enc(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_digest_algorithm_t ign) -@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, - int ret; - gnutls_datum_t enc = { NULL, 0 }; - gnutls_datum_t dec = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -+ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; - gnutls_privkey_t key; - gnutls_pubkey_t pub = NULL; - unsigned char plaintext2[sizeof(DATASTR) - 1]; -@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_sign_algorithm_t sigalgo) - { - int ret; -- gnutls_datum_t sig = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; -- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; -- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; -- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; -- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; - gnutls_privkey_t key; -+ gnutls_datum_t raw_key; -+ gnutls_datum_t sig = { NULL, 0 }; - gnutls_pubkey_t pub = NULL; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -- snprintf(param_name, sizeof(param_name), "%s", -- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -- (bits))); -- } else { -- snprintf(param_name, sizeof(param_name), "%u", bits); -- } -- - ret = gnutls_privkey_init(&key); - if (ret < 0) - return gnutls_assert_val(ret); -@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, - goto cleanup; - } - -- if (pk == GNUTLS_PK_RSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_RSA_PSS) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_DSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_ECC) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_01) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_256) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_512) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else { -- gnutls_assert(); -- ret = GNUTLS_E_INTERNAL_ERROR; -+ switch(pk) { -+ case GNUTLS_PK_RSA: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_RSA_PSS: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_DSA: -+ raw_key.data = (void*)dsa_2048_privkey; -+ raw_key.size = sizeof(dsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_ECC: -+ switch(bits) { -+#ifdef ENABLE_NON_SUITEB_CURVES -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): -+ raw_key.data = (void*)ecdsa_secp192r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): -+ raw_key.data = (void*)ecdsa_secp224r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; -+ break; -+#endif -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): -+ raw_key.data = (void*)ecdsa_secp256r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): -+ raw_key.data = (void*)ecdsa_secp384r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): -+ raw_key.data = (void*)ecdsa_secp521r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; -+ } -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_01: -+ raw_key.data = (void*)gost01_privkey; -+ raw_key.size = sizeof(gost01_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_256: -+ raw_key.data = (void*)gost12_256_privkey; -+ raw_key.size = sizeof(gost12_256_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_512: -+ raw_key.data = (void*)gost12_512_privkey; -+ raw_key.size = sizeof(gost12_512_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; - } - -+ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, - } - - ret = 0; -- cleanup: -+ -+cleanup: - if (pub != NULL) - gnutls_pubkey_deinit(pub); - gnutls_privkey_deinit(key); -@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, - return ret; - } - --/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ --static const char rsa_sig[] = -- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -- --/* ECDSA key and signature */ --static const char ecdsa_secp256r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char ecdsa_secp256r1_sig[] = -- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; -- --#ifdef ENABLE_NON_SUITEB_CURVES --/* sha256 */ --static const char ecdsa_secp192r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -- "Fg==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp192r1_sig[] = -- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; -- --static const char ecdsa_secp224r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp224r1_sig[] = -- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; --#endif -- --static const char ecdsa_secp384r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp384r1_sig[] = -- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; -- --static const char ecdsa_secp521r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -- "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp521r1_sig[] = -- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; -- --/* DSA key and signature */ --static const char dsa_privkey[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char dsa_sig[] = -- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; -- --static const char gost01_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost01_sig[] = -- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; -- --static const char gost12_256_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_sig[] = -- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; -- --static const char gost12_512_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -- "hsQ3JCCy4xnd5jWT\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_sig[] = -- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; -- - static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_digest_algorithm_t dig, - const void *privkey, size_t privkey_size, - const void *stored_sig, size_t stored_sig_size, -- unsigned deterministic_sigs) -+ gnutls_privkey_flags_t flags) - { - int ret; - gnutls_datum_t sig = { NULL, 0 }; -@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_privkey_t key; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -+ if (pk == GNUTLS_PK_EC || -+ pk == GNUTLS_PK_GOST_01 || -+ pk == GNUTLS_PK_GOST_12_256 || -+ pk == GNUTLS_PK_GOST_12_512) -+ { - snprintf(param_name, sizeof(param_name), "%s", - gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE - (bits))); -@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - goto cleanup; - } - -- /* Test if the signature we generate matches the stored */ -+ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ -+ /* Test if the generated signature matches the stored */ - ssig.data = (void *) stored_sig; - ssig.size = stored_sig_size; - -- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ -- ret = -- gnutls_privkey_sign_data(key, dig, 0, &signed_data, -- &sig); -- if (ret < 0) { -- gnutls_assert(); -- goto cleanup; -- } -- -- if (sig.size != ssig.size -- || memcmp(sig.data, ssig.data, sig.size) != 0) { -- ret = GNUTLS_E_SELF_TEST_ERROR; -+ if (sig.size != ssig.size -+ || memcmp(sig.data, ssig.data, sig.size) != 0) { -+ ret = GNUTLS_E_SELF_TEST_ERROR; - #if 0 -- unsigned i; -- fprintf(stderr, "\nstored[%d]: ", ssig.size); -- for (i = 0; i < ssig.size; i++) -- fprintf(stderr, "\\x%.2x", ssig.data[i]); -- -- fprintf(stderr, "\ngenerated[%d]: ", sig.size); -- for (i = 0; i < sig.size; i++) -- fprintf(stderr, "\\x%.2x", sig.data[i]); -- fprintf(stderr, "\n"); -+ unsigned i; -+ fprintf(stderr, "Algorithm: %s-%s\n", -+ gnutls_pk_get_name(pk), param_name); -+ fprintf(stderr, "\nstored[%d]: ", ssig.size); -+ for (i = 0; i < ssig.size; i++) -+ fprintf(stderr, "\\x%.2x", ssig.data[i]); -+ -+ fprintf(stderr, "\ngenerated[%d]: ", sig.size); -+ for (i = 0; i < sig.size; i++) -+ fprintf(stderr, "\\x%.2x", sig.data[i]); -+ fprintf(stderr, "\n"); - #endif -- gnutls_assert(); -- goto cleanup; -- } -+ gnutls_assert(); -+ goto cleanup; - } - -- /* Test if we can verify the signature */ -+ /* Test if we can verify the generated signature */ - - ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); - if (ret < 0) { -@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &signed_data, &ssig); -+ &signed_data, &sig); - if (ret < 0) { - ret = GNUTLS_E_SELF_TEST_ERROR; - gnutls_assert(); -@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &bad_data, &ssig); -+ &bad_data, &sig); - - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { - ret = GNUTLS_E_SELF_TEST_ERROR; -@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - --#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ -- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ -+#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ -+ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - - - /* Known answer tests for DH */ -@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - { - int ret; - -+ bool is_post = false; -+ bool is_fips140_mode_enabled = false; -+ - if (flags & GNUTLS_SELF_TEST_FLAG_ALL) - pk = GNUTLS_PK_UNKNOWN; - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ is_post = true; -+ -+ if (gnutls_fips140_mode_enabled()) -+ is_fips140_mode_enabled = true; -+ - switch (pk) { - case GNUTLS_PK_UNKNOWN: - FALLTHROUGH; -@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - return 0; - FALLTHROUGH; - case GNUTLS_PK_RSA: -- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, -- rsa_key2048, rsa_sig); -+ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, -+ rsa_2048_privkey, rsa_2048_sig, 0); -+ - PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); -- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_RSA_PSS: -- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); -+ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, -+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_DSA: -- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, -- dsa_privkey, dsa_sig); -- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, -+ dsa_2048_privkey, dsa_2048_sig, -+ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, -+ GNUTLS_SIGN_DSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; -@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - } - - /* Test ECDSA */ -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -- ecdsa_secp256r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -+ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, -- ecdsa_secp384r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_SIGN_ECDSA_SHA384); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -- ecdsa_secp521r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_SIGN_ECDSA_SHA512); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, -+ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_SIGN_ECDSA_SHA384); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -+ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_SIGN_ECDSA_SHA512); -+ } - - #ifdef ENABLE_NON_SUITEB_CURVES -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -- ecdsa_secp192r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_SIGN_ECDSA_SHA256); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -- ecdsa_secp224r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -+ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -+ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - #endif - -+ - #if ENABLE_GOST - FALLTHROUGH; - case GNUTLS_PK_GOST_01: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, -- gost01_privkey, gost01_sig); -- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_94); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_256: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, -- gost12_256_privkey, gost12_256_sig); -- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_512: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, -- gost12_512_privkey, gost12_512_sig); -- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), -+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), - GNUTLS_SIGN_GOST_512); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - #endif -- - break; - default: - return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch deleted file mode 100644 index 59ffe6c..0000000 --- a/gnutls-3.6.12-load-config-after-fips-post.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 18 Mar 2020 16:17:39 +0100 -Subject: [PATCH] global: Load configuration after FIPS POST - -Previously, if the loaded configuration file disabled an algorithm -tested during FIPS-140 power-on self-tests, the test would fail. By -loading the configuration file after the test is finished, such failure -is avoided as any algorithm is allowed during the tests. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/global.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/global.c b/lib/global.c -index b42fcb263..9a65d114c 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) - - _gnutls_register_accel_crypto(); - _gnutls_cryptodev_init(); -- _gnutls_load_system_priorities(); - - #ifdef ENABLE_FIPS140 - /* These self tests are performed on the overridden algorithms -@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) - _gnutls_fips_mode_reset_zombie(); - } - #endif -+ _gnutls_load_system_priorities(); - _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); - ret = 0; - --- -2.24.1 - diff --git a/gnutls.spec b/gnutls.spec index fa81959..9588e92 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.12 -Release: 2%{?dist} +Version: 3.6.13 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.12-fix-fips-self-tests.patch -Patch4: gnutls-3.6.12-load-config-after-fips-post.patch -Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 +- Update to upstream 3.6.13 release + * Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 - Fix FIPS POST (#1813384) - Fix gnutls-serv --echo to not exit when a message is received (#1816583) diff --git a/sources b/sources index ce3867d..38b5228 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 -SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 +SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad +SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 +SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From bdd006b41273dddbbb0edf1a7cdc46a5503d89b5 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 13 May 2020 19:03:33 +0200 Subject: [PATCH 04/14] Remove gpg key from sources --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index 38b5228..08912b9 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From ee88c45f9fdd5d13311c2ef2bf8d89d4b020a56d Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 13 May 2020 19:04:05 +0200 Subject: [PATCH 05/14] Bump linked libs soname to fix FIPS self-tests Resolves: rhbz#1835265 --- gnutls-3.6.13-bump-linked-libs-soname-f32.patch | 13 +++++++++++++ gnutls.spec | 6 +++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f32.patch diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch new file mode 100644 index 0000000..e48477a --- /dev/null +++ b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch @@ -0,0 +1,13 @@ +--- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 ++++ b/lib/fips.c 2020-05-13 17:31:47.310301627 +0200 +@@ -136,8 +136,8 @@ + } + + #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" +-#define NETTLE_LIBRARY_NAME "libnettle.so.6" +-#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" ++#define NETTLE_LIBRARY_NAME "libnettle.so.7" ++#define HOGWEED_LIBRARY_NAME "libhogweed.so.5" + #define GMP_LIBRARY_NAME "libgmp.so.10" + + #define HMAC_SUFFIX ".hmac" diff --git a/gnutls.spec b/gnutls.spec index 9588e92..d5b7fb9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Wed May 13 2020 Anderson Sasaki - 3.6.13-2 +- Bump linked libraries soname to fix FIPS selftests (#1835265) + * Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 - Update to upstream 3.6.13 release From 75c72994c62000f565b15bf1541ba187a30f2652 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 20 May 2020 10:41:58 +0200 Subject: [PATCH 06/14] Disable RSA blinding during FIPS self-tests Related: rhbz#1835265 --- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch new file mode 100644 index 0000000..559ea0a --- /dev/null +++ b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch @@ -0,0 +1,124 @@ +From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2019 17:01:05 +0200 +Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests + +Nettle's RSA signing, encryption and decryption functions still +require randomness for blinding, so fallback to use a fixed buffer in +selftests where entropy might not be available. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 15ad4b4e9..ccf403b00 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) + nettle_mpz_get_str_256 (length, data, *k); + } + ++static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) ++{ ++ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ } ++ ++ memset(data, 0xAA, length); ++} ++ + static void + ecc_scalar_zclear (struct ecc_scalar *s) + { +@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + case GNUTLS_PK_RSA: + { + struct rsa_public_key pub; ++ nettle_random_func *random_func; + + ret = _rsa_params_to_pubkey(pk_params, &pub); + if (ret < 0) { +@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_encrypt(&pub, NULL, rnd_nonce_func, ++ rsa_encrypt(&pub, NULL, random_func, + plaintext->size, plaintext->data, + p); + if (ret == 0 || HAVE_LIB_ERROR()) { +@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + struct rsa_public_key pub; + size_t length; + bigint_t c; ++ nettle_random_func *random_func; + + _rsa_params_to_privkey(pk_params, &priv); + ret = _rsa_params_to_pubkey(pk_params, &pub); +@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_decrypt_tr(&pub, &priv, NULL, random_func, + &length, plaintext->data, + TOMPZ(c)); + _gnutls_mpi_release(&c); +@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + bigint_t c; + uint32_t is_err; + int ret; ++ nettle_random_func *random_func; + + if (algo != GNUTLS_PK_RSA || plaintext == NULL) { + gnutls_assert(); +@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); + } + +- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; ++ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, + plaintext_size, plaintext, TOMPZ(c)); + /* after this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + { + struct rsa_private_key priv; + struct rsa_public_key pub; ++ nettle_random_func *random_func; + mpz_t s; + + _rsa_params_to_privkey(pk_params, &priv); +@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + + mpz_init(s); + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, + vdata->size, vdata->data, s); + if (ret == 0 || HAVE_LIB_ERROR()) { + gnutls_assert(); +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index d5b7fb9..ced629c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,10 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch +Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -280,6 +281,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue May 19 2020 Anderson Sasaki - 3.6.13-3 +- Disable RSA blinding during FIPS self-tests + * Wed May 13 2020 Anderson Sasaki - 3.6.13-2 - Bump linked libraries soname to fix FIPS selftests (#1835265) From 10f6e9929306900b45bd7bc3c25adbbc98ebf569 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Mon, 25 May 2020 15:05:15 +0200 Subject: [PATCH 07/14] Add option to gnutls-cli to wait for resumption under TLS 1.3 --- gnutls-3.6.13-cli-wait-resumption.patch | 87 +++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-cli-wait-resumption.patch diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch new file mode 100644 index 0000000..4c56344 --- /dev/null +++ b/gnutls-3.6.13-cli-wait-resumption.patch @@ -0,0 +1,87 @@ +From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Fri, 20 Mar 2020 16:37:33 +0100 +Subject: [PATCH] gnutls-cli: Add option to wait for resumption data + +This introduces the --waitresumption command line option which makes the +client to wait for the resumption data until a ticket is received under +TLS1.3. The client will block if no ticket is received. The new option +has no effect if the option --resume is not provided. + +This is useful to force the client to wait for the resumption data when +the server takes long to send the ticket, allowing the session +resumption to be tested. This is a common scenario in CI systems where +the testing machines have limited resources. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/cli-args.def | 6 ++++++ + src/cli.c | 21 +++++++++++++++------ + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/src/cli-args.def b/src/cli-args.def +index a8760fab9..56ae77b07 100644 +--- a/src/cli-args.def ++++ b/src/cli-args.def +@@ -471,6 +471,12 @@ flag = { + doc = ""; + }; + ++flag = { ++ name = waitresumption; ++ descrip = "Block waiting for the resumption data under TLS1.3"; ++ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; ++}; ++ + doc-section = { + ds-type = 'SEE ALSO'; // or anything else + ds-format = 'texi'; // or texi or mdoc format +diff --git a/src/cli.c b/src/cli.c +index db072b930..c3d074f08 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -78,7 +78,7 @@ + + /* global stuff here */ + int resume, starttls, insecure, ranges, rehandshake, udp, mtu, +- inline_commands; ++ inline_commands, waitresumption; + unsigned int global_vflags = 0; + char *hostname = NULL; + char service[32]=""; +@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) + gnutls_datum_t edata = {NULL, 0}; + + if (gnutls_session_is_resumed(hd->session) == 0) { +- /* not resumed - obtain the session data */ +- ret = gnutls_session_get_data2(hd->session, &rdata); +- if (ret < 0) { +- rdata.data = NULL; +- } ++ do { ++ /* not resumed - obtain the session data */ ++ ret = gnutls_session_get_data2(hd->session, &rdata); ++ if (ret < 0) { ++ rdata.data = NULL; ++ } ++ ++ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || ++ ((gnutls_session_get_flags(hd->session) & ++ GNUTLS_SFLAGS_SESSION_TICKET))) { ++ break; ++ } ++ } while (waitresumption); + } else { + /* resumed - try to reuse the previous session data */ + rdata.data = hd->rdata.data; +@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) + rehandshake = HAVE_OPT(REHANDSHAKE); + insecure = HAVE_OPT(INSECURE); + ranges = HAVE_OPT(RANGES); ++ waitresumption = HAVE_OPT(WAITRESUMPTION); + + if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { + global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index ced629c..febe56d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,11 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +Patch5: gnutls-3.6.13-cli-wait-resumption.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon May 25 2020 Anderson Sasaki - 3.6.13-4 +- Add option to gnutls-cli to wait for resumption under TLS 1.3 + * Tue May 19 2020 Anderson Sasaki - 3.6.13-3 - Disable RSA blinding during FIPS self-tests From a68aefef9976711d513faf958bcb9b04b53fb729 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:03:57 +0200 Subject: [PATCH 08/14] Fix cert chain validation behavior if the last cert has expired (#1842178) --- gnutls-3.6.13-superseding-chain.patch | 387 ++++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 392 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch new file mode 100644 index 0000000..99ceca1 --- /dev/null +++ b/gnutls-3.6.13-superseding-chain.patch @@ -0,0 +1,387 @@ +From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 12:39:14 +0200 +Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against + system cert + +To verify a certificate chain, this function replaces known +certificates with the ones in the system trust store if possible. + +However, if it is found, the function checked the validity of the +original certificate rather than the certificate found in the trust +store. That reveals a problem in a scenario that (1) a certificate is +signed by multiple issuers and (2) one of the issuers' certificate has +expired and included in the input chain. + +This patch makes it a little robuster by actually retrieving the +certificate from the trust store and check against it. + +Signed-off-by: Daiki Ueno +--- + lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11_int.h | 5 +++ + lib/x509/verify.c | 7 +++- + 3 files changed, 78 insertions(+), 30 deletions(-) + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index fad16aaf4..662dda441 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, + return ret; + } + +-/** +- * gnutls_pkcs11_crt_is_known: +- * @url: A PKCS 11 url identifying a token +- * @cert: is the certificate to find issuer for +- * @issuer: Will hold the issuer if any in an allocated buffer. +- * @fmt: The format of the exported issuer. +- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. +- * +- * This function will check whether the provided certificate is stored +- * in the specified token. This is useful in combination with +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, +- * to check whether a CA is present or a certificate is blacklisted in +- * a trust PKCS #11 module. +- * +- * This function can be used with a @url of "pkcs11:", and in that case all modules +- * will be searched. To restrict the modules to the marked as trusted in p11-kit +- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. +- * +- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is +- * specific to p11-kit trust modules. +- * +- * Returns: If the certificate exists non-zero is returned, otherwise zero. +- * +- * Since: 3.3.0 +- **/ +-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +- unsigned int flags) ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert) + { + int ret; + struct find_cert_st priv; +@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + + memset(&priv, 0, sizeof(priv)); + ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } ++ + if (url == NULL || url[0] == 0) { + url = "pkcs11:"; + } +@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + gnutls_assert(); + gnutls_free(priv.serial.data); + memset(&priv, 0, sizeof(priv)); ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } + priv.crt = cert; + priv.flags = flags; + +@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + goto cleanup; + } + ++ if (trusted_cert) { ++ ret = gnutls_x509_crt_init(trusted_cert); ++ if (ret < 0) { ++ gnutls_assert(); ++ ret = 0; ++ goto cleanup; ++ } ++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ gnutls_x509_crt_deinit(*trusted_cert); ++ ret = 0; ++ goto cleanup; ++ } ++ } + ret = 1; + + cleanup: ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); + if (info) + p11_kit_uri_free(info); + gnutls_free(priv.serial.data); +@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + return ret; + } + ++/** ++ * gnutls_pkcs11_crt_is_known: ++ * @url: A PKCS 11 url identifying a token ++ * @cert: is the certificate to find issuer for ++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. ++ * ++ * This function will check whether the provided certificate is stored ++ * in the specified token. This is useful in combination with ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, ++ * to check whether a CA is present or a certificate is blacklisted in ++ * a trust PKCS #11 module. ++ * ++ * This function can be used with a @url of "pkcs11:", and in that case all modules ++ * will be searched. To restrict the modules to the marked as trusted in p11-kit ++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. ++ * ++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is ++ * specific to p11-kit trust modules. ++ * ++ * Returns: If the certificate exists non-zero is returned, otherwise zero. ++ * ++ * Since: 3.3.0 ++ **/ ++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags) ++{ ++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); ++} ++ + /** + * gnutls_pkcs11_obj_get_flags: + * @obj: The pkcs11 object +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h +index 9d8880709..86cce0dee 100644 +--- a/lib/pkcs11_int.h ++++ b/lib/pkcs11_int.h +@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) + return 0; + } + ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert); ++ + #endif /* ENABLE_PKCS11 */ + + #endif /* GNUTLS_LIB_PKCS11_INT_H */ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index d20267019..fd7c6a164 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + + for (; i < clist_size; i++) { + unsigned vflags; ++ gnutls_x509_crt_t trusted_cert; + + if (i == 0) /* in the end certificate do full comparison */ + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| +@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + +- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { ++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { + +- status |= check_ca_sanity(certificate_list[i], now, flags); ++ status |= check_ca_sanity(trusted_cert, now, flags); ++ gnutls_x509_crt_deinit(trusted_cert); + + if (func) + func(certificate_list[i], +-- +2.26.2 + + +From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 13:59:53 +0200 +Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is + expired + +gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN +to trigger the fallback verification path if the signer of the last +certificate is not in the trust store. Previously, it doesn't take +into account of the condition where the certificate is expired. + +Signed-off-by: Daiki Ueno +--- + lib/x509/verify-high.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index b1421ef17..40638ad3a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + + #define LAST_DN cert_list[cert_list_size-1]->raw_dn + #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn +-/* This macro is introduced to detect a verification output +- * which indicates an unknown signer, or a signer which uses +- * an insecure algorithm (e.g., sha1), something that indicates +- * a superseded signer */ +-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) ++/* This macro is introduced to detect a verification output which ++ * indicates an unknown signer, a signer which uses an insecure ++ * algorithm (e.g., sha1), a signer has expired, or something that ++ * indicates a superseded signer */ ++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ ++ (output & GNUTLS_CERT_EXPIRED) || \ ++ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) + #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) + + /** +-- +2.26.2 + + +From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 14:28:48 +0200 +Subject: [PATCH 3/3] tests: add test case for certificate chain superseding + +Signed-off-by: Daiki Ueno +--- + tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 97 insertions(+) + +diff --git a/tests/test-chains.h b/tests/test-chains.h +index dd19e6a81..9b06b85f5 100644 +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -4010,6 +4010,102 @@ static const char *ed448[] = { + NULL + }; + ++/* This contains an expired intermediate CA, which should be superseded. */ ++static const char *superseding[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" ++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" ++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" ++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" ++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" ++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" ++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" ++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" ++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" ++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" ++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" ++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" ++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" ++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" ++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" ++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" ++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" ++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" ++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" ++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" ++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" ++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" ++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" ++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" ++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" ++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" ++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" ++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" ++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" ++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" ++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" ++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" ++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" ++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" ++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" ++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" ++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" ++ "iJwOKIk=" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ ++static const char *superseding_ca[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" ++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" ++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" ++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" ++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" ++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" ++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" ++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" ++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" ++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" ++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" ++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" ++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" ++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" ++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" ++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" ++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" ++ "izchzb9eow==" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" ++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" ++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" ++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" ++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" ++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" ++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" ++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" ++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" ++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" ++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" ++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" ++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" ++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" ++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" ++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" ++ "eh1COrLsOJo+" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) + # pragma GCC diagnostic push + # pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4178,6 +4274,7 @@ static struct + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + 0, NULL, 1584352960, 1}, ++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, + { NULL, NULL, NULL, 0, 0} + }; + +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index febe56d..cf94d7b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,12 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 4%{?dist} +Release: 5%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch Patch5: gnutls-3.6.13-cli-wait-resumption.patch +Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-5 +- Fix cert chain validation behavior if the last cert has expired (#1842178) + * Mon May 25 2020 Anderson Sasaki - 3.6.13-4 - Add option to gnutls-cli to wait for resumption under TLS 1.3 From a5bbb28088a75defb5d4ece1ba76c49b19609e6f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:39:54 +0200 Subject: [PATCH 09/14] Update gnutls-3.6.13-superseding-chain.patch --- gnutls-3.6.13-superseding-chain.patch | 26 +++++++++++++++----------- gnutls.spec | 5 ++++- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch index 99ceca1..4010c42 100644 --- a/gnutls-3.6.13-superseding-chain.patch +++ b/gnutls-3.6.13-superseding-chain.patch @@ -1,4 +1,4 @@ -From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against @@ -7,24 +7,24 @@ Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. -However, if it is found, the function checked the validity of the +However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the -certificate from the trust store and check against it. +certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno --- - lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- - 3 files changed, 78 insertions(+), 30 deletions(-) + 3 files changed, 80 insertions(+), 30 deletions(-) diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..662dda441 100644 +index fad16aaf4..d8d4a6511 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, @@ -82,8 +82,12 @@ index fad16aaf4..662dda441 100644 if (url == NULL || url[0] == 0) { url = "pkcs11:"; } -@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); + /* attempt searching with the subject DN only */ gnutls_assert(); ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { @@ -97,7 +101,7 @@ index fad16aaf4..662dda441 100644 priv.crt = cert; priv.flags = flags; -@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, goto cleanup; } @@ -124,7 +128,7 @@ index fad16aaf4..662dda441 100644 if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); -@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, return ret; } @@ -214,7 +218,7 @@ index d20267019..fd7c6a164 100644 2.26.2 -From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is @@ -257,7 +261,7 @@ index b1421ef17..40638ad3a 100644 2.26.2 -From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 14:28:48 +0200 Subject: [PATCH 3/3] tests: add test case for certificate chain superseding diff --git a/gnutls.spec b/gnutls.spec index cf94d7b..83bd54b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 5%{?dist} +Release: 6%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch @@ -283,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-6 +- Update gnutls-3.6.13-superseding-chain.patch + * Sun May 31 2020 Daiki Ueno - 3.6.13-5 - Fix cert chain validation behavior if the last cert has expired (#1842178) From 7b240b09595173d9c398e95fe5c5c0637b0206d2 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 4 Jun 2020 08:11:47 +0200 Subject: [PATCH 10/14] Update to 3.6.14-1 --- .gitignore | 3 + ...s-3.6.13-bump-linked-libs-soname-f32.patch | 13 - gnutls-3.6.13-cli-wait-resumption.patch | 87 ---- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ------ gnutls-3.6.13-superseding-chain.patch | 391 ------------------ gnutls.spec | 14 +- sources | 5 +- 7 files changed, 12 insertions(+), 625 deletions(-) delete mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f32.patch delete mode 100644 gnutls-3.6.13-cli-wait-resumption.patch delete mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch delete mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/.gitignore b/.gitignore index 9dec2f3..7d1a9d2 100644 --- a/.gitignore +++ b/.gitignore @@ -124,3 +124,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.13.tar.xz.sig /gnutls-3.6.13.tar.xz +/gnutls-3.6.14.tar.xz +/gnutls-3.6.14.tar.xz.sig +/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch deleted file mode 100644 index e48477a..0000000 --- a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 -+++ b/lib/fips.c 2020-05-13 17:31:47.310301627 +0200 -@@ -136,8 +136,8 @@ - } - - #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" --#define NETTLE_LIBRARY_NAME "libnettle.so.6" --#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" -+#define NETTLE_LIBRARY_NAME "libnettle.so.7" -+#define HOGWEED_LIBRARY_NAME "libhogweed.so.5" - #define GMP_LIBRARY_NAME "libgmp.so.10" - - #define HMAC_SUFFIX ".hmac" diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch deleted file mode 100644 index 4c56344..0000000 --- a/gnutls-3.6.13-cli-wait-resumption.patch +++ /dev/null @@ -1,87 +0,0 @@ -From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Fri, 20 Mar 2020 16:37:33 +0100 -Subject: [PATCH] gnutls-cli: Add option to wait for resumption data - -This introduces the --waitresumption command line option which makes the -client to wait for the resumption data until a ticket is received under -TLS1.3. The client will block if no ticket is received. The new option -has no effect if the option --resume is not provided. - -This is useful to force the client to wait for the resumption data when -the server takes long to send the ticket, allowing the session -resumption to be tested. This is a common scenario in CI systems where -the testing machines have limited resources. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/cli-args.def | 6 ++++++ - src/cli.c | 21 +++++++++++++++------ - 2 files changed, 21 insertions(+), 6 deletions(-) - -diff --git a/src/cli-args.def b/src/cli-args.def -index a8760fab9..56ae77b07 100644 ---- a/src/cli-args.def -+++ b/src/cli-args.def -@@ -471,6 +471,12 @@ flag = { - doc = ""; - }; - -+flag = { -+ name = waitresumption; -+ descrip = "Block waiting for the resumption data under TLS1.3"; -+ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; -+}; -+ - doc-section = { - ds-type = 'SEE ALSO'; // or anything else - ds-format = 'texi'; // or texi or mdoc format -diff --git a/src/cli.c b/src/cli.c -index db072b930..c3d074f08 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -78,7 +78,7 @@ - - /* global stuff here */ - int resume, starttls, insecure, ranges, rehandshake, udp, mtu, -- inline_commands; -+ inline_commands, waitresumption; - unsigned int global_vflags = 0; - char *hostname = NULL; - char service[32]=""; -@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) - gnutls_datum_t edata = {NULL, 0}; - - if (gnutls_session_is_resumed(hd->session) == 0) { -- /* not resumed - obtain the session data */ -- ret = gnutls_session_get_data2(hd->session, &rdata); -- if (ret < 0) { -- rdata.data = NULL; -- } -+ do { -+ /* not resumed - obtain the session data */ -+ ret = gnutls_session_get_data2(hd->session, &rdata); -+ if (ret < 0) { -+ rdata.data = NULL; -+ } -+ -+ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || -+ ((gnutls_session_get_flags(hd->session) & -+ GNUTLS_SFLAGS_SESSION_TICKET))) { -+ break; -+ } -+ } while (waitresumption); - } else { - /* resumed - try to reuse the previous session data */ - rdata.data = hd->rdata.data; -@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) - rehandshake = HAVE_OPT(REHANDSHAKE); - insecure = HAVE_OPT(INSECURE); - ranges = HAVE_OPT(RANGES); -+ waitresumption = HAVE_OPT(WAITRESUMPTION); - - if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { - global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; --- -2.25.4 - diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch deleted file mode 100644 index 559ea0a..0000000 --- a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2019 17:01:05 +0200 -Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests - -Nettle's RSA signing, encryption and decryption functions still -require randomness for blinding, so fallback to use a fixed buffer in -selftests where entropy might not be available. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- - 1 file changed, 33 insertions(+), 4 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 15ad4b4e9..ccf403b00 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) - nettle_mpz_get_str_256 (length, data, *k); - } - -+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) -+{ -+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ } -+ -+ memset(data, 0xAA, length); -+} -+ - static void - ecc_scalar_zclear (struct ecc_scalar *s) - { -@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - case GNUTLS_PK_RSA: - { - struct rsa_public_key pub; -+ nettle_random_func *random_func; - - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { -@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_encrypt(&pub, NULL, rnd_nonce_func, -+ rsa_encrypt(&pub, NULL, random_func, - plaintext->size, plaintext->data, - p); - if (ret == 0 || HAVE_LIB_ERROR()) { -@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - struct rsa_public_key pub; - size_t length; - bigint_t c; -+ nettle_random_func *random_func; - - _rsa_params_to_privkey(pk_params, &priv); - ret = _rsa_params_to_pubkey(pk_params, &pub); -@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_decrypt_tr(&pub, &priv, NULL, random_func, - &length, plaintext->data, - TOMPZ(c)); - _gnutls_mpi_release(&c); -@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - bigint_t c; - uint32_t is_err; - int ret; -+ nettle_random_func *random_func; - - if (algo != GNUTLS_PK_RSA || plaintext == NULL) { - gnutls_assert(); -@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); - } - -- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; -+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, - plaintext_size, plaintext, TOMPZ(c)); - /* after this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side -@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - { - struct rsa_private_key priv; - struct rsa_public_key pub; -+ nettle_random_func *random_func; - mpz_t s; - - _rsa_params_to_privkey(pk_params, &priv); -@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - mpz_init(s); - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, - vdata->size, vdata->data, s); - if (ret == 0 || HAVE_LIB_ERROR()) { - gnutls_assert(); --- -2.25.4 - diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch deleted file mode 100644 index 4010c42..0000000 --- a/gnutls-3.6.13-superseding-chain.patch +++ /dev/null @@ -1,391 +0,0 @@ -From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 12:39:14 +0200 -Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against - system cert - -To verify a certificate chain, this function replaces known -certificates with the ones in the system trust store if possible. - -However, if it is found, the function checks the validity of the -original certificate rather than the certificate found in the trust -store. That reveals a problem in a scenario that (1) a certificate is -signed by multiple issuers and (2) one of the issuers' certificate has -expired and included in the input chain. - -This patch makes it a little robuster by actually retrieving the -certificate from the trust store and perform check against it. - -Signed-off-by: Daiki Ueno ---- - lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- - lib/pkcs11_int.h | 5 +++ - lib/x509/verify.c | 7 +++- - 3 files changed, 80 insertions(+), 30 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..d8d4a6511 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, - return ret; - } - --/** -- * gnutls_pkcs11_crt_is_known: -- * @url: A PKCS 11 url identifying a token -- * @cert: is the certificate to find issuer for -- * @issuer: Will hold the issuer if any in an allocated buffer. -- * @fmt: The format of the exported issuer. -- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -- * -- * This function will check whether the provided certificate is stored -- * in the specified token. This is useful in combination with -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -- * to check whether a CA is present or a certificate is blacklisted in -- * a trust PKCS #11 module. -- * -- * This function can be used with a @url of "pkcs11:", and in that case all modules -- * will be searched. To restrict the modules to the marked as trusted in p11-kit -- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -- * -- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -- * specific to p11-kit trust modules. -- * -- * Returns: If the certificate exists non-zero is returned, otherwise zero. -- * -- * Since: 3.3.0 -- **/ --unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -- unsigned int flags) -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert) - { - int ret; - struct find_cert_st priv; -@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - - memset(&priv, 0, sizeof(priv)); - -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } -+ - if (url == NULL || url[0] == 0) { - url = "pkcs11:"; - } -@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); - /* attempt searching with the subject DN only */ - gnutls_assert(); -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - gnutls_free(priv.serial.data); - memset(&priv, 0, sizeof(priv)); -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } - priv.crt = cert; - priv.flags = flags; - -@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - goto cleanup; - } - -+ if (trusted_cert) { -+ ret = gnutls_x509_crt_init(trusted_cert); -+ if (ret < 0) { -+ gnutls_assert(); -+ ret = 0; -+ goto cleanup; -+ } -+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ gnutls_x509_crt_deinit(*trusted_cert); -+ ret = 0; -+ goto cleanup; -+ } -+ } - ret = 1; - - cleanup: -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - if (info) - p11_kit_uri_free(info); - gnutls_free(priv.serial.data); -@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - return ret; - } - -+/** -+ * gnutls_pkcs11_crt_is_known: -+ * @url: A PKCS 11 url identifying a token -+ * @cert: is the certificate to find issuer for -+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -+ * -+ * This function will check whether the provided certificate is stored -+ * in the specified token. This is useful in combination with -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -+ * to check whether a CA is present or a certificate is blacklisted in -+ * a trust PKCS #11 module. -+ * -+ * This function can be used with a @url of "pkcs11:", and in that case all modules -+ * will be searched. To restrict the modules to the marked as trusted in p11-kit -+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -+ * -+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -+ * specific to p11-kit trust modules. -+ * -+ * Returns: If the certificate exists non-zero is returned, otherwise zero. -+ * -+ * Since: 3.3.0 -+ **/ -+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags) -+{ -+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); -+} -+ - /** - * gnutls_pkcs11_obj_get_flags: - * @obj: The pkcs11 object -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 9d8880709..86cce0dee 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) - return 0; - } - -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert); -+ - #endif /* ENABLE_PKCS11 */ - - #endif /* GNUTLS_LIB_PKCS11_INT_H */ -diff --git a/lib/x509/verify.c b/lib/x509/verify.c -index d20267019..fd7c6a164 100644 ---- a/lib/x509/verify.c -+++ b/lib/x509/verify.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - - for (; i < clist_size; i++) { - unsigned vflags; -+ gnutls_x509_crt_t trusted_cert; - - if (i == 0) /* in the end certificate do full comparison */ - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| -@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| - GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - -- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { -+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - -- status |= check_ca_sanity(certificate_list[i], now, flags); -+ status |= check_ca_sanity(trusted_cert, now, flags); -+ gnutls_x509_crt_deinit(trusted_cert); - - if (func) - func(certificate_list[i], --- -2.26.2 - - -From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 13:59:53 +0200 -Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is - expired - -gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN -to trigger the fallback verification path if the signer of the last -certificate is not in the trust store. Previously, it doesn't take -into account of the condition where the certificate is expired. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index b1421ef17..40638ad3a 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - - #define LAST_DN cert_list[cert_list_size-1]->raw_dn - #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn --/* This macro is introduced to detect a verification output -- * which indicates an unknown signer, or a signer which uses -- * an insecure algorithm (e.g., sha1), something that indicates -- * a superseded signer */ --#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) -+/* This macro is introduced to detect a verification output which -+ * indicates an unknown signer, a signer which uses an insecure -+ * algorithm (e.g., sha1), a signer has expired, or something that -+ * indicates a superseded signer */ -+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ -+ (output & GNUTLS_CERT_EXPIRED) || \ -+ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) - #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) - - /** --- -2.26.2 - - -From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 14:28:48 +0200 -Subject: [PATCH 3/3] tests: add test case for certificate chain superseding - -Signed-off-by: Daiki Ueno ---- - tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 97 insertions(+) - -diff --git a/tests/test-chains.h b/tests/test-chains.h -index dd19e6a81..9b06b85f5 100644 ---- a/tests/test-chains.h -+++ b/tests/test-chains.h -@@ -4010,6 +4010,102 @@ static const char *ed448[] = { - NULL - }; - -+/* This contains an expired intermediate CA, which should be superseded. */ -+static const char *superseding[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" -+ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" -+ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" -+ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" -+ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" -+ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" -+ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" -+ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" -+ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" -+ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" -+ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" -+ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" -+ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" -+ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" -+ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" -+ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" -+ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" -+ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" -+ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" -+ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" -+ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" -+ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" -+ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" -+ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" -+ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" -+ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" -+ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" -+ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" -+ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" -+ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" -+ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" -+ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" -+ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" -+ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" -+ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" -+ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" -+ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" -+ "iJwOKIk=" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ -+static const char *superseding_ca[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" -+ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" -+ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" -+ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" -+ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" -+ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" -+ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" -+ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" -+ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" -+ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" -+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" -+ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" -+ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" -+ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" -+ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" -+ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" -+ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" -+ "izchzb9eow==" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" -+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" -+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" -+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" -+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" -+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" -+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" -+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" -+ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" -+ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" -+ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" -+ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" -+ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" -+ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" -+ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" -+ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" -+ "eh1COrLsOJo+" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ - #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) - # pragma GCC diagnostic push - # pragma GCC diagnostic ignored "-Wunused-variable" -@@ -4178,6 +4274,7 @@ static struct - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, - { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - 0, NULL, 1584352960, 1}, -+ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, - { NULL, NULL, NULL, 0, 0} - }; - --- -2.26.2 - diff --git a/gnutls.spec b/gnutls.spec index 83bd54b..a602060 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.13 -Release: 6%{?dist} +Version: 3.6.14 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch -Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch -Patch5: gnutls-3.6.13-cli-wait-resumption.patch -Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -51,7 +47,7 @@ BuildRequires: guile22-devel URL: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -147,7 +143,6 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -autoreconf sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h @@ -283,6 +278,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 +- Update to upstream 3.6.14 release + * Sun May 31 2020 Daiki Ueno - 3.6.13-6 - Update gnutls-3.6.13-superseding-chain.patch diff --git a/sources b/sources index 08912b9..322ad17 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 -SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c +SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 +SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From cf8e00c764682fa0da93cdfa5e49ca85acdde987 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 14:58:13 +0200 Subject: [PATCH 11/14] Fix memory leak when serializing iovec_t Resolves: #1845083 --- gnutls-3.6.14-fix-iovec-memory-leak.patch | 152 ++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.14-fix-iovec-memory-leak.patch diff --git a/gnutls-3.6.14-fix-iovec-memory-leak.patch b/gnutls-3.6.14-fix-iovec-memory-leak.patch new file mode 100644 index 0000000..15b2c51 --- /dev/null +++ b/gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -0,0 +1,152 @@ +From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 5 Jun 2020 16:26:33 +0200 +Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t + +The AEAD iov interface falls back to serializing the input buffers if +the low-level cipher doesn't support scatter/gather encryption. +However, there was a bug in the functions used for the serialization, +which causes memory leaks under a certain condition (i.e. the number +of input buffers is 1). + +This patch makes the logic of the functions simpler, by removing a +micro-optimization that tries to minimize the number of calls to +malloc/free. + +The original problem was reported by Marius Steffen in: +https://bugzilla.samba.org/show_bug.cgi?id=14399 +and the cause was investigated by Alexander Haase in: +https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 36 +++++++++++------------------------- + tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 40 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 45be64ed1..8524f5ed4 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, + struct iov_store_st { + void *data; + size_t size; +- unsigned allocated; + }; + + static void iov_store_free(struct iov_store_st *s) + { +- if (s->allocated) { +- gnutls_free(s->data); +- s->allocated = 0; +- } ++ gnutls_free(s->data); + } + + static int iov_store_grow(struct iov_store_st *s, size_t length) + { +- if (s->allocated || s->data == NULL) { +- s->size += length; +- s->data = gnutls_realloc(s->data, s->size); +- if (s->data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- s->allocated = 1; +- } else { +- void *data = s->data; +- size_t size = s->size + length; +- s->data = gnutls_malloc(size); +- memcpy(s->data, data, s->size); +- s->size += length; +- } ++ void *data; ++ ++ s->size += length; ++ data = gnutls_realloc(s->data, s->size); ++ if (data == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ s->data = data; + return 0; + } + +@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + memset(dst, 0, sizeof(*dst)); + if (iovcnt == 0) { + return 0; +- } else if (iovcnt == 1) { +- dst->data = iov[0].iov_base; +- dst->size = iov[0].iov_len; +- /* implies: dst->allocated = 0; */ +- return 0; + } else { + int i; + uint8_t *p; +@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + + p = dst->data; + for (i=0;i 0) ++ memcpy(p, iov[i].iov_base, iov[i].iov_len); + p += iov[i].iov_len; + } + +- dst->allocated = 1; + return 0; + } + } +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +index fba9010d9..6a30a35f7 100644 +--- a/tests/aead-cipher-vec.c ++++ b/tests/aead-cipher-vec.c +@@ -49,6 +49,7 @@ static void start(const char *name, int algo) + giovec_t auth_iov[2]; + uint8_t tag[64]; + size_t tag_size = 0; ++ size_t i; + + key.data = key16; + key.size = gnutls_cipher_get_key_size(algo); +@@ -82,21 +83,23 @@ static void start(const char *name, int algo) + if (ret < 0) + fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); + +- ret = gnutls_aead_cipher_encryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, &tag_size); +- if (ret < 0) +- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); +- +- ret = gnutls_aead_cipher_decryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, tag_size); +- if (ret < 0) +- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ for (i = 0; i < 2; i++) { ++ ret = gnutls_aead_cipher_encryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, &tag_size); ++ if (ret < 0) ++ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_decryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, tag_size); ++ if (ret < 0) ++ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ } + + gnutls_aead_cipher_deinit(ch); + } +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index a602060..e4a0b59 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -278,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 +- Fix memory leak when serializing iovec_t (#1845083) + * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From 02604373b4a66a3a9c8824f26b215bc309e20e80 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 18:14:26 +0200 Subject: [PATCH 12/14] Fix automatic libraries soname detection Previously, the automatic soname detection were failing when the -Wl,--as-needed option was provided in LDFLAGS, which lead the FIPS self-tests to fail. --- ....6.14-configure-fix-soname-detection.patch | 60 +++++++++++++++++++ gnutls.spec | 2 + 2 files changed, 62 insertions(+) create mode 100644 gnutls-3.6.14-configure-fix-soname-detection.patch diff --git a/gnutls-3.6.14-configure-fix-soname-detection.patch b/gnutls-3.6.14-configure-fix-soname-detection.patch new file mode 100644 index 0000000..28b33ad --- /dev/null +++ b/gnutls-3.6.14-configure-fix-soname-detection.patch @@ -0,0 +1,60 @@ +From b57b820a3f0464e3151dd675af4f28ad109d683c Mon Sep 17 00:00:00 2001 +From: Vitezslav Cizek +Date: Tue, 9 Jun 2020 13:54:04 +0200 +Subject: [PATCH] configure: improve nettle, gmp, and hogweed soname detection + +Some linkers might optimize away the libraries passed on the +command line if they aren't actually needed, such as gnu ld with +--as-needed. +The ldd output then won't list the shared libraries and the +detection will fail. +Make sure nettle and others are really used. + +Signed-off-by: Vitezslav Cizek +--- + configure.ac | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e4ca66aec..ccbe4e563 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -741,7 +741,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $GMP_LIBS" + AC_MSG_CHECKING([gmp soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ mpz_t n; ++ mpz_init(n);])], + [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], + [gmp_so=none]) + if test -z "$gmp_so"; then +@@ -754,7 +757,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $NETTLE_LIBS" + AC_MSG_CHECKING([nettle soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct sha256_ctx ctx; ++ sha256_init(&ctx);])], + [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], + [nettle_so=none]) + if test -z "$nettle_so"; then +@@ -767,7 +773,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $HOGWEED_LIBS" + AC_MSG_CHECKING([hogweed soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct rsa_private_key priv; ++ nettle_rsa_private_key_init(&priv);])], + [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], + [hogweed_so=none]) + if test -z "$hogweed_so"; then +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index e4a0b59..c0f328d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -4,6 +4,7 @@ Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch +Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %changelog * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) +- Fix automatic libraries sonames detection (#1845806) * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From 2d25b601bfb3b0b0f356aceba9a665705fbe6ef1 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 12:47:44 +0200 Subject: [PATCH 13/14] Update to the upstream 3.6.15 release --- .gitignore | 2 ++ gnutls.spec | 9 +++++---- ...1F42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 58697 -> 0 bytes sources | 4 ++-- 4 files changed, 9 insertions(+), 6 deletions(-) delete mode 100644 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg diff --git a/.gitignore b/.gitignore index 7d1a9d2..ea6a2e0 100644 --- a/.gitignore +++ b/.gitignore @@ -127,3 +127,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.14.tar.xz /gnutls-3.6.14.tar.xz.sig /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +/gnutls-3.6.15.tar.xz +/gnutls-3.6.15.tar.xz.sig diff --git a/gnutls.spec b/gnutls.spec index c0f328d..5280aa8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.14 -Release: 2%{?dist} +Version: 3.6.15 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch -Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -280,6 +278,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 +- Update to upstream 3.6.15 release + * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) - Fix automatic libraries sonames detection (#1845806) diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg deleted file mode 100644 index b1ee43c60379c783e5f3457c480d6a7ecc2447c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 58697 zcmb5#gL9?PyXg5H+qP}nwr$%sJ4VMz$2L0Z*tVUHZ9BP@-#K?~pPH$fnSbE3_FB(3 zEALL_%>YUOmBc$}1cD{pxXIaBVJ{hWJA4%Z)9ni{SHt5yt#wqrchRH}nVar+Hg16F zb)B38Lw{tz5e0U;n8D@MMBjiku$@o$9b!zR>J)Li;lyXD^sHJ~Wp6q- z0yXavWO2O;<#hYK2ABm-Tz8iOqOtR5$)65eONbbZI^*!NeJO|ljurm^x1@h4m)2vW zUeaK6U7O~oldSCtC{mVzHLzMPnOZ+V*%2W!J65foX@`K@ydA{uC5*@0Wb1 zeW5;GRFe6ThZJ$+-VDDMqV-(fyc$ux%tbl28IZZ^g=gNBei_x9a5cKv&+xT)RIv`a z@F8k69-rjTJjDBjlH1t%1(L?fdomeXh=U>`0RzCnfF+rJ}ke72fhDD6WmFZaET^IgW5za`-4hWFLY7|``6^>`K zOFsIcPaNZX4Ssw0e;hgaV!Ut1YTwvhVK7HDDh7}j=5BiZJOgozfiI(Z0}6UJXI5hk z$jgEUQJ~TAPqrv2FY4#Jy~OMYhx^A-SX=#eq}XA2@ZR!G*;fF$=H7r6`5k)QwA)+E z%}uatXU}eKK;FoJseFjfM6UzF!B?O6>HC!yr1!th!TYy!z=U?tlAmQIRtw0+#`@B= zpXei@`YfeaXW=woM*ZU`f_{BFu^mTe?O4Yk zN9BNA->_0|0wd?h(4Fxsc=3TZuma|3KsG^^_@8{YJ}+*G8LNd>Am&88i{5`7AKGt+ z5jd7q5~b<0A03dZ$6I4bro>e6IiAMD^#aE}&-F3}$bt_5UVv&bU-nW~@O~-ZCM-fa z|7Y%U%9q98jtg$>yh?8&gZDTfZ~MW%nzW`-O&;gfiv-^lzoOcv0FXDuOTjc8pJ)A3 zM2_=Z+0Qw4;)3{}&!d9U^X=Hd408)=Vsf~O0&*yNvekel*%$1t5B$`Z3@TYYsKo%e z*3WgHYd@KB&eP)$GK~=E#Fz7n{&fhBzn!@4Ou9qdt=y~@K&}Tm`{(1MPgmcsjD;jH z(_5Y?^hrQAw#z%vvP(4H6iKa{hGOVW9}24DKaQ#|)wjcdJ>x>f3-+N31jtKA&7A_~ z_8;LAY{No{C^4Gbb2SCz#SYk*1it&Gn*73T%doM}V3*Jj`o~eDuljbncI;`X{elTI zx&gU%Gc(IAbkBE+$goCs8X=yuw56ngyn1u@wzDq+er+O=w>r&OU*|se&3_z?{)%r0 z_-77w;s=VeJQE-rGmF#{bLeWyQVOYr2pep$$UA@tkhh6_nzuthVQg)x{1c&j+?=y? z%l{uolRxI$*{ooOX2yC6Q0=m?F^#U#>o@`_45(| z@={|KFo|xk5rt=sqOX(BxasaF>i~I&20S`sFl*o~2fLw1cl*_4Ui~{Nga#Qhhb?4+=S3N+k7$({pD+$t~@a0xZ@b>l43MbR& z|8W$4P=|gy>PKHul!C*Mj+1~~?cDV9S)!dh*9qEb^Lm2#t4oLlKwdq(%@bg=S1e+mw{0vZQV(U zF`5Q>d*v^K$wyMP|2UA}_q?2@*DiO zbF6O6SqIz1Vn74Pi@#KloBSjWtC8gbG-emF9fU5<0rEyMM_yLY+0R~~_eu>5+)9V5 z2hIO+G&OF%9Zqle6#q82FF{B^ULu%^Vj-8R8#9*NWcQ}0nXP103?SDQi=6!4rZBxTG5tGNe0N_ z)Shfa(a!9S8#`GZrI-o^Ixt&|5C=v1?|ms+n0`A9DQJ)thrslwsDQkfdaD;=>mTE( z*;&(0vd{gz){i@YY`l09jlWawISYmd(@wJD5l07*ud4Ph->+kd55e?QIt;qG}S44i<`;cEe5(;`WcDR{{8TezNrk zIFdp<(cuH~Huubnp$l3Vi3K{{pF`AJGnPfq0XbySTz62!^wmZ5x_jgozBLK6az6iY zp#Rg4!jsjv^Iq4kYe3NLXtM#x#!}#+lJz4XEYwiuo41q49gi_)0OU~eFlF(dMpzeNe>z?peX>`P%{3u0yoJIK_7z0=&Z^NWwfUS?w5} zYnrB`q?U!@uT=sE$8YPy^grTllXaedw&c+gm%NB7*^+JaaE{T2(dyNGj{hzmQWp z7;8uPCA6064607oqJFkmM3{l1AVC7iz<}k{2U_s4EnQt5xfvKdJUr+v99%6e92{KC z={91*8e~(4Ae5qHATXwAg3?rk>wj(wRxn^Wg;_nie|KZV>`8B8$zW>6VB=u# zYGm`D9nm>D*jkx*(ObIO*?w=%$xal7FNT;-z8jD$%+%=V{q@tm6e@AB^)u1HK;BIX zkSiax#Xa{4&dk_0>J8lW-b(+l*ZMzJb@>0ks`?@o|EM>(>d_P+R~LK5bs>^Ky#7gk zVc++&c5Ozx9gwTuY`su=138D?NNC%%!*Z(WVXPD3_n#Yt4-8n&a6zB>-@V#fnb6rA znb0{pJ6M~UxPCvtGx!_Z8W}k<{Ig*YFd)zGO*=1aJumd%q+JLBazthAg3t$pC?|we)6?R z=aP?gQb<51LsEfE9_zmHt_#Se{Dp^S zbyfOh4%oYuJSS-RC=ES{hL@4zZTx8%)7e2H|9q`bK_TpOLw}1?V~w(+70@rU+u&Y~x{5?x z*sZnFyK=&*TFH>HZuP7gM9iym?OWbPeJ#V<9zTib$fQzUbBOj#_@xoQOfHYO!eg7X zm}uR9k4Fh9_WPW(YNwIZT^&+-_8{KCJcN}>!I4p6;^=E?g40y*_*)2fO?)8~IrXqn z%`Nl@GJSLxQ%(XiO2mzx3P=4J$lU3Bi(!!PQzs5bFtkx9aPA8XVLB|+ihDO(%NG_I zlcimnAg4D;mVG>?01x-z7A2^uEo-U_!JnpYg3-5aRib(KVgC< zZ5?80$rI|OiieE`NvNSO*^ImK>wBV;Y-AB>45hD4Act!1FVHYSw2;vC;q@95rvsVnlU4}BYJ=E-ec3MS%dDQ>Y9`O`W=^u+1QyEp)bLIJj<6nYRM8E9RaAO?jeOR834w<-wSk9&S3| ze7XX)dYhMX#vXm?IOMu`UxUqB~z6|S} zwta__|E4OHgv-eTbVfKKi*V3`;|wa~5; za&?v>Ddd89s0d(_tCrz)t7L(T@0P;sG*H)8@-o9r(^M*H;;&-@^1Dc_@z*WyIqN;F zk}aBL`J_^ymcMtR8c8vUOf-EO!j-tI&_Xcf2t13vKSFnk&GL|xm4*}3d&{p@V^qwG zG(hyh`@LxJQY~VGkx}Lu=ae?&4!)bCIT*T1{HbR=%ALhnj&beXl;KJ%0JS-IeaEF8 z7@n8>imRXs?8T%+kj3Nk+pe-BRGu^=mHH{ihjM&^pFDLuU@I@TT?918k@Wj`Q2zVw zQ7YN`{^2^&4r<8}>SC|lhxp`IQ$a(4U*V7OA?F`yB9V1n3#*n;p$&StxEc~j_ABAI z!5;TRBwKpz8krSMq9^jc=zZP&z%c7jXDCm0DiZi{l-TG9!qKDlj2aRRs?DSER+{a` z+_udFf{5v8qk(Q9amsliD8WjVzs(G(TD`E9tDmoTW5fP?2@+^Lyb>2C`}chcTZ#_J z2^@vqX^Ba1@T~Ls>7G}sQ%c@uu2PkAU{`Q+9@3EnAqIb!UUiYw{QMhIrYo5qewzH2 zeyLLVkhBx5Tk9KkC4kycMGuk5gjpGUUz)nfGM4X`%`a~Dsjy~AI@N|CaNU0Qhh;5` z$>l>ae0Wy*yxLC7(SiWPQi6A?)FCol82etrUfoE;blPUTY*)p((x=Ke#PlV#s*+L5 z$mLXh?CbOy%2zP);-&f3B?fd01_~Qf6enh$XcO)^cTa$2bIfL~B0W>YR287k`Q7TS zAy-)=Y9qt~Mwvqhk)YrX&O6KByQ^;!4OK3T?_4Mh`_@R1{SETV-Sx(mv$(p^<34dJ z=5l925(*_hCiaB&r#wk*>Yj*%(a!4}r+IE(`o(k+n%Q?Y;Yf}cD^d9ANSGW+%MpwE_Iz7ym>)hWEX%n6B_0p~MJ0ix8M`y)Z? zDUE?)%qrN<4Wb)d2TXjeURU-8@S@44ZB?U?svc63(x;fe7BB~VoZ?|L67hNd`eugI zLGvWZ)EN9hFc96m#x|3NCygSFa zcJPOhHXp-h-BT%W8MH{C>+KJ$mF*Ocj*?ZZbUGx?3c9mUQD*2@<~B+sP|ttHL;n4z z&Vxo^91t)lvUG3&I1Cgd1PCxF8ZaaXC^|3*5HLOvFh=0__^2*5TT{c7oCwol3Dp0x z%I8epIkGpQmEG9S?b?&x!5+rtl}1FU_PDcaWCD|d!M%X;V%i)K3F?JJ(;{l`nsmzi zt%qaUKQoghv|n#HXu>(`cuX3k8uR(P{I#ftE{$vOdiG~4pQKR!q+3_qj+-DIh?HEr zhF#9?&2VjCAVc3fg%wE9>O9aSQ8FI?*b-Z}k4mS)%IrnerJq(HMXO|qyMP~mk!QoE zq@m6q(|Wg4lkIx0d9ADShT1%4KX#0?B>{qh7&cW0Da0GkonG!_kLiX7zgo)L_xNLR z`<5?B<7L+G=cA7rRkQu3b#L(^caZLrtb;A3qtv94+sIu; zH%U3EzqHss*3*+Lln^M0Avef-z;t5e33i1hc3p*8W9$3pg3qc5p-{t-(#-tFGiB?p*&jD1*7?Ne`MM~nwydb%oO`qDCg9z-1{ zP}W_|pR_lMEFqwQ3mak|wL@nP$@xg2{{M`S>i=zcV8D`7br8Ttqhg%}nGjDhvl ziQM>y&{y{KwJiDH!U%4udoIv4yj@z96Qf~_<}AvCb!hr63dh)!6~tDa;idxio=1su z*NN8h7p!59B!Vb;joswyWQCVyrDrwrp)C`H(z)au?uv9nj|pL-(Yk2>8jypz)+E-e zVr`WU9ue9K4cdgF)EM-j-tTt+3>&e=@8ES7w@bUnH>K%l-WGV_yz0g6{xhIjV_A=% zxs^uE8Yq4d5$e~W0bR`7RJ@sA@UEqytv@|rD(C~Em-$HmIpf_nT90d;rskljRIbGv zf0N&i!?pG#jm&YjnkCweaRpY3ZFNMS7A%HRy!`i+cDHz(Gi;Yw(;(q}$Ck8}PS@@H z$V#qUG8VfntTvc`LQUM`!lg_z_5cMV%0vsnOu3 z6OIoW!@_LUS8u4pl}`Oeix2)SDK3{zw48j7o`0DKS(Bf#yfrC$bJ({h-)ranpiOxd zM3B<}}hNCD(M>X8+^X=#a;A>m>~K|DdHL{;8@Pg~8N zzyw{bT%cECd-0Vd6B~^nTT7w&^{_@6ojr>nWq#(*|>q(Zm{}Gk)?c3r(P>}4>l>c zbLYSbW6i?R+cT-dV&Sv6I8}5D%ioLlP8}^}et3aM%O!f75FE}>m;Cg6dS0idlPam9 zH+P(d3jfubhG+(iLp{mN+CM9{0n+cE3_m_SI>|V09eQs!O#7Yqy=A z#_H;0@7jC1H--F!Jn3#$MM1|nnKe=~dty5aDV5PKz=N6V_-`Hx>)hXY_@_~ie?oiT zd1E4cX*P25rCfPfI6-4NoDds$Z8_h~W zzl5VaF^=2_#E#RycgIVyqm!3qmX2x|RHfJ%Y(d))cz~?onwD}Ip$er|*ZbHz?%RD#`cMpF9U0$S zB&*=BEV{tk${AIX?kbf^xpv;YY>Yxa2V;C`2WAujV;f%E9x>pBzyc7m`@ ziIF^hdrwM5rcOLs&Y2^;7~++}&c|~i!x;dIy*zOhZfuDFU+QL*&_yvkT&{A1=X6RS z9{186hZT`F^B5#4x-n34@0|FvyYtDVBL}9%!=H&g^uR{FVz%}2)p3KrX5Olb2SHVH z{73Z*gK}lYdi0*n+OBW4l-JX)IW*ux*pwHjEb&O{?w#jvkSOC(=wD@URj%2&p)aCW zp?jERYa}O40^F$=Ad1B?owK$G*S}zQsXyzA+3bzZlYjJaaL;WzMop?7VKoZ1$o!j! zqK@Eq9!EyN+moMF3^06%fRr{7GclZPS~}@a5cOo&>1uhTIu(fqQdO<_{w6RR zF%&Deu;QRb@UbA>B+2pw`UFpdtz5xLbg)(eI0Sj7B3hP~r{|USMC?HYJ^{oRVLf^g zJLmhW8{NFIkzy0&#-4%K{wPfOif|P&rX&i#p}Hr5JY~1!5mq0XrTaJ+34ml5I@W3-+~Xg^U*T*fgCxkp3ka5 z@iQo8UGYPdqHbqPy)SbWb2=y!@Ze4=SiIe6a%ay(ReUK}UAiWWRqt`YnA)x!!2m*V zztpWb*@?m5hiU^Thm?7XP1pJ3(|~^4eGC+Yb4>Vd3aAO02#=4qhe~xx?JXJBRAq!_ zk8ROo`i?kLN=>QX;SSZI<`w4ICSttr5)Q2?1a)topz&(-oZ70K?leQ1_EmbF)yOyg z_PzcJhwF`K-ZF|UwKtA^E9*%PBKEjBDFCryWSq1Ibe5QasJSaCDOS_UtzjnGk+7on zcEcu0$G9{RuevjyXM1wMWveDVpqe9VJ)u8hR=JSpMUWD)P*e^i}# z0Q!AqW=zAO(_@owTGOv$o~Dbz^)=OeXj93#AA3q;%%`FBiGII2rI-Zehv410Jf$u3 zt`#wPrHbsOc=iesqM%p5Pdii!gHSEu*5iKtW;y;UHTaF~2XAw(5U3sIYR&5Kn)oVV zt69>ZvIj{&c&EmhenziR<|_pn!?EN4dx}f;cDXajPK3Y0&rg3tE31FXuo*cdq>8Iz z$&2(W;e7lU)rKDJU6u{SY~RHSn$J5OwHw1;T{Qc{MUpl0aDXCoNdGfY0~lh0zpwaU z0%b^vO*Ni0tuyAhzKWK8$u3#Z#z0?>m}($iG_eOw*O6Um9<|k)b!LoyAS8u$DD}zi zk@OsILWzrYojl8Qm!c9q?ktUO6^y#EY1lm{z<#WWt=VKxzdqo%5Z>PtAw!yl_h)&a z8=u0X{fp~+wph#Qef)y5BUuCd(KdD^Ko6W0iVi%#o;WcwTDUN5IUN@_&yCZnCypQbwe+|sh+dJw&`Q$?N$d_-zaUl--u zrQ}P+GxvHcE+#?QG3|jRpyYUVEFxPt=|?pUuMXYlb4(-9{5TnEK=8v+XrCmEW_om# zvIYZaYgN)$ z+1wQ|+6iv*3=b`UhnSHN$>Dcoi@h(s#(R@NLZ(HN+poserMY3Ri_37EQzDc}}SB@0dA5}zyu z#TNbO%s4M*X*IuAsUs$|u}P%YqB{J3ha{i#h)zci2+dQs4NEh8w0oXp!Yn(4Y` z`Xhl#VaZX{Wo4*^J#q)DpsZDV795&XE$hvx{o;r~ErxAB8e;TK7zKxXGQ%n{1yyAv zL+j(ks|MXge~Vz;#7z;yLWB+wx|^_w*Y-8C_dYqK2>H^aCTJ3xJJeDc8Tb5B&?ure zzJ%SPji!9&{-53AbI(!;!d{Hm0_C|0r_S-!%qjC|LJ}f%VnbYQl80GP4?e^sRCUVC zE#+^uRV}4}TI6J~p+c*xt)ezI0Avh!B6Id6I|gCvAL^MA7*Y+IftIhucb?g?USpUh zY#*UnG~7W{c^Z?LPAfy4Kc^JoBOmP+IDjJg&;Xu8IU?O*0HA2;`JidDmo`Iqqx{kA z>u|RPCqyiwn%!KZg)s%!kHsa6hKxWu6&H?6qU`~Hdfx-(z+Lr1`;RmgnM_^34qZm_ zhe4Lp^q!s-KOKso;p8sI-sngz z8BK&Fts;Ie`qrE>tYq7(6&gMa07YE$rZZ&nLd40${A(eTYNM@$Q|T^c~Gg%HR_>sStj_LC$S7% zuG6A^Qr?Zp{ac8jt1~SLK2K515_l+-L=edqzv7e)q#D^VY@QNbA6xn|co-nE!K|pL z27|iYpL=Ubv$pH#Fxzi}Az*NKcfgzgWBc}4$J z$^juE8oY@oC(guyo%YnejvhA}2V-71l;$fIaE5eOI?G3YL#&h76Mb39%Ru9 zF2kFcN!3f0Revsbx;k}vRH~=V4%Uq*+Xd1uqkP0RcD^Q-TU`y|OZs7`%D!P%UbbCYQHCM6Ze^9AyuC2{pu;NZ z)(z96EsQQo6)k4#u4G0P4Yn0RnAv*OtKZ1P7{rT5McB1;s*zoZrBAY%GwNWZMt`fj zS1s1(LR<8Y{GpvvXFq0B5#lCrbSU|ty_nCrdy0u-F*(_Ec<6>Sp!j1}RI&FSY{ctm z5SzO8=$W~f-$gy&OT|k-txI<>Lz~N5vNQ1q0(R|;h)xrZ)Gs*aO;M)YylC{0k_0kQ z8yi2QN&jECR-Kc5X#0dG=X*=)5~r3&-3Q=2XK^ga67y|b?kd$Y9ItMTIO9)0B%#+4 z9S}-8X;Qp@l#!ib{oci!X7<3{6RPjPuJvR#d6g%uo$m^iC-uG{_%y6m%JhBH;G7OA zXqgF7va4wNz;FKaxSP~a_eqH;M?MpNFSn0;0VTRlU#BbwzMXq)_PKg4IlAiP*}r)% zj6B?!n_aZUBG;&Jz&Iwy?qxVxHmezCfF8V7p(G4Wee@+M}= z?&TN_-c{Q8mmO`|nv=;KL81SIL@v#A0M`Rn>u8f0sq02I)7gdC`YWy*K}iyKK%o?p z&V`E22>GWd`cJY%lng6=D|sn8D~CR^D6lj9)#Ze&{aJ}J4-kLVhY~*ecbERalFn_` zQ%d`fJ6|Zl+3`41hr;%B&+z_Qo9wqpv3SXfgWpwXIQ^SC&tT3tT> z%#>PR`9ZomEO3bP+c}hoGebUyno_bA9LM#uJY7GVNMzo@zztzwiMx@^LvtKBOwB_a z(H_$|^Ii^e5YxU{l~8K1obEXZU|8dY;x-#4mpH5~;g-cL+KhNVmLH*{2;5H%1DXHzeDPXf z&GvC?PS&Q7NlVv)#Q;)`wGNz@?GrNixtHJE&nGqQydp<>ZE{QSNR@^d>Vi17@ndPE z5ifIXlxjvXye30dl#R*L5GW+aO>Ki=mZ(|CNBUWB1kM0`)aiq?@#h!83UP4kE7=oM z1|YWQ9YQK%6byDr|0BOG%Zc?OmqL!p*7+c~B^)}33U;L={@k1m9mmhVY+%H+p z9{C*L!Ow{4IJaj+U&=Wk%xSUg`6TAWwh|P4@hm%)=1m?eypsv|VLnHHpR03{_P#4cE5ujVOnsx_cB{$zjZ;T7&yt z>H}-Dg>KDICuuA@)Svc}=eUKDc)o=HSF3-juykw8B_PHc^QTMQ=*_eo~mOU{cy@x&aTm-phYHIDA9~_K^eWf&$ zoT@KLghD`K`m&Bcxaalb3}-Tt>|~uamyvL_6TBcTTh1Tg700fkM(i(?Pz`FLXeieQ z!+yj*sM7j3iFU&V2Al-N9TX5EE6o$(&@~Xr^5YoUn96+qoScq@q?qjAJPZcLzi$r^ zkS%4hk-e}*c!W+J|MSesL#yoC%F!@7zY7d z1>E9URcdJEyv^WkyjLNQlxSP&1Yl^qI_b1(A$gyIhYCr#A&1T51nNgLrBosp{+$-b zU7yN1y#hE;_9?bHqCsN#rm3&=yI9VVZqY#~h+lRk@sS^k*F!1YqoalzbobS<6<+8eA#cA0 zy`VsPYh@4ySKED6Vp~WYU{UV!J}jO3Q5*g~5&jIGH15xCRJO2<*3 zvt9c*RlShE^zsDh{yvhKThQ{LhMidtEJuy;dPO7(9}-_t45>)4TN@fvW>?>qfoRYb zHk#G>0Wy)-i`kTqs1~KUbP| z=Ks1uH1KwTZ$9v<=Lh1QxIO*L{G+8M6~YlOOMHbg7i5QlwtCVVOJOa^Mi^9D?kX7W z!1`#|If%0md+~rvQ!HJ;nK0UwE|*s3$w=V7triyg;urZf{{EG9`mf(MELDxJx8WKA z!~w5Am0Muci6P7`Z2sE0oI&)SOc)7KqFt)H79Z79c*kIAZ@!0Z8p!y{IQhZyP(=_g zE+x>2{+ox3qw#khqg*d(Uua=1D18W@EdAH2#{!j}jfuz)mO9He(vX3kSPIe?*R>=i zdcfcjvN0RRu3BV9xjU{@L$-V;(us%L#>akjws3{A#$CSOZD1|z?~oDHYibHax!{veayH*lzc z`8gQaNoHK>ouS*nP)p2FHHk&IAv%WtSQPoFeR^@4?{Dsc@*}jXwmHAIzkaMnTh*!*u(d7$ z-9p9*Dn(jYyN`FpSV^%Tg9Am5&U&1#77%$OZB4 zL^l(Tvc-p4HqjP>AJj%NdjIATp4jxA2OyKh&E{8yT8TO$AR>?7%V_ww{7}|p*b+xm zIw*_F{C(gW? z4DwUi=mg>39rR^_4h3S&yKDfq>(MoYixv$B7`O+`Fr%9mj(g=ae zSlliouA@dfsUP=-jqqYH#9~292!6d28RgUX6Hw4~3N zl!CFrCg*x&QR3@}l|rL|yrr(kJXSKId+uCh2Om;Fm$_0VP~F9h>H(p!H%ln$xAK0% z{yeXZgVe8KHh<4}OI7#0oM*L0^U+QCuXwAz+442|r>#PQ2K*&G2i)cGnqC>GW4e44 zt;B9q7rSArR-0`7w1OjoWrXOR%>vJ@Js`WHAI_bEN(|av2)dvnABIMyPhcp}ZVv=x z`mrZ=Eb}bo(VC6o_xs|~3H0zb%NKuaczcDn=~vccgb$<_ zp}%QOe$&;gtaeUMRF+;izIJqG{?$D@nkSOM!WP^ID!-1S7ubPRE z%O82?MZ*CBQNvvQ834%HkSbs#urB+Wz5peey=~|~E~cVv#k6g+mw#aQ>F-&*{JO{` z_+dD4((uzf6Q>X%jBjAPl5FscD;A>S7dG$J@}_O`ZKnDN5B1{Fb%TKS^GloJD=S`w zTs*cFHuwVLbVFb_`jy-)?a$cwn{i@AC!rE)@8%F=91JgZms3>Ti*Z${Fsvt#rVEy; zqtU@+b8oO1Hs<8ShnXcKponu_4WvFNZJ5B({G(Nr&OZiRBzvULj!}XKaPRy-!H5A0 zb!({RoyclO?2E0Y1lvM4=)cV*SYPz0Wv4GAN7hfzlYoH{W;)6QCA}PmAg_2FQhh2i z(HXg8La=`OiJ2Q#YSGUl8fM}4E+EIvEez<>X8B3EmAoC)2TfO;KR28A@yLxi)1;`Z&;QCz5Y@ZjP4nro3ULB$!9G7S04ZM_JBfj z@OK_fIe&q^QkF3Vr+{e>B3NHAoB{{q}KMMQAOl!gh7^Ty0cLu zvgm*)endCtTwv{idVl?JnU&5?wBln}Eu3d;&xytX?;4|N$rE_b*7Gec*BccBOirJ* z`NfJWUW3xWHHpNYLLkdgX#2}scr@ge8*}&^8_&blBd)*4_x|a&t3Z-9GC15cFB}u26*>8Fh z;i`U#P5iJZ69pl^6q}noAeOXl;0HMnT&61L>aFQjqPp?NUQOkulofFq<@|Iu&WAl{ zykfh%Pe7jrUwcHKyQx|CQ9i`|%!}c$lcrw!R#SakDEC?{t=8+ZIH^E7FxFkhiUM{> zA?*nydN}v;-#iov|MT)+8AE%>-J&B4D@SGwO8BPOrX?Soqm;;ukFZ*kyHw?|6$$$r96uSt_qIn1wv5s7a4c`lp zitYNDN{-n}2eC9MSx-~rftu9GEI<2?I<^bOCh?3mSDYZ+)5T$I87o@P90^XaQYI|P zvuxIGTaV2z|JUx7sB%ILQ;wX&68W}HUQ@-`!-=t8B=?AfdD-BGHof1!1>)QGTn!==nXf41)eYaKX*z`F|+@w}(yG7y{c;`~CXZqX#FuW9{^0B zha~AINq+Fl#)qs!`Vu()VFAe2Zhs$dR&%F55ht_Ie^ha-Ldt4~YA>gY`>BR|U*da!i&G3? zbZKo^Q2{17Q;;9{WPAfsmOIHl1`^@=tO^Mf>ilGl?dt1a->mV4yVe_#god8k1k~4z ze*(ahiTsr8%H|#$honQ_-{x{jR**{eWnZ=<8ZVPX_pIQ=f!wTLH7=;%g$Mk3L2Y?# z6)vTM98_+~axVP$F6)*AtoV) zpb)SI*KiB>P^3-b;9u?-|7L5!o&M&P#1_?q--sQjs zAMW=RYMfVkw8V4o=THN9G+DHWhWa!l9x|d&fZPYVMQvCnYHU~wrW~nN_of|6L9riK zN0y=)5~$*Kf`M7VEtEzHtTMLn7mldWiGr9SMh=ifSot>(k4M<=Jd$JQ0n8d|nK~8- zpJec@{7{&N=TmtXpg`)@3K@K8>WoxxOPdf4*f2}D@XId7G*-X@zxGp$)6lAsIROq( zwGLBYIvse=e5L3}7T6Ki$s}qQU;~CIgkB~caXpudXnY}pN~>hlGINXDpZ9?ZoTR!! zn1Z~!9=XKgJ)=X*94Iz2Z_RxCd=yj1^x;r%d! zEU4bQr$VXpZ_7<~<0}_5i1oomcUTu!7eH16{aO5(3F|Rl)*ZfqSEq?$Nt*wa$A7(f zrqTbO7hA~pM%+q839rCm5kAla1tB3UzrZ7rZ`;;!{$6CF3R6_vl^+h5LNQdhokwor z^ZD2q@91w~jVHo?n#ut`$nNks;;}`SA5K4a4&|z<*ar-qm9E4XUO?~v9N&<$0`SHj zi&qgbZl_%0+%*;j5NNya>us}0CCeGOH;_q|rVlI%$e3)Y5>)U!iA-as@1=20mi|fU zyCnv1OGcDlZGcpB22rc9rXd=Z6-png)n-A_iHVZ(B+P?YdmW>sGQM{*a8zEZxb@!m z`=due)GcQmtu3jbpC79FEh^mdeEv)!8Z1A&QC2o3z5Mv_$= z+a5fAQMMub>9VOwb*`XOsg+sUsy+d;+k`xbs5`;obijj@#qU&|81xM*P|~9 z@}g%GiB zQQHxrPvYEtq*1bf2Y+UGxpe9h2d3l^2;?|@edhx!I?hLd=v6)>)9RQDA?{P5|~TvI~+ zhH7}WRbg5qX5K^#)e@?GCE#@y8D!T;^{Y3q*Vn^W3$KJ3#4VF1&W*rq8XFwo)Qbm? zU~ne#$4kjl+mnR~f$~TXeL0`|#NWHJPjoO;k6a#ZVi4|P%UdSFl@l)iMZb3gpC6KK z47{gC_`{vCC*J~GimvVBWzy~8f3bEC&XKO+y6`*p#5O0IU}D?O#1q@LZQJQ+Vq>C- zZQHiZQ)}(L&Ym^3_o?sH`Tl{cyWYOK`|f_~y?+dGgBIk5U^cd#kK&}_8}^Q?TGDU% z8n@pu-BNZ`&%vG-;e=vYo)X3YMn~v`apjOaJwd#j@83Mg?>WVB#CYsax8GG9O7uD8kb!*4yYhV(ui6f17W0#jm$Wh((Fy zsfAAo@-jVCKg9_Kvd2N$94i5fsxPM!ekbe^S z3-QBXRe1nzbz+i~*~+d09)bA_I-o+$oxj^wc(UGgzY+>Tz19kryl*pMr_E*jcuFouRn}E zMIC*`S!Hd}`e9#-#)r81>B9?8C6SdB7DSt#p=*5`)-t80WEW0jlen#iZ_>s9{Zpy?C!k)T{G!yy?G_Fn+ zjKc7@=Wy`b${4M|>CXwCS>IF%q91m%>>tavtmb~cS|A~^prRvJ&5VM4fp@665Y1W( zrtl=Rz-lAS>&b`JBlqm}|y)<3BXA2pn-WjdyiOoGcipS$Rv2x`S^?;vbkIXqW zKXKNkPN$)E%zfjih&41XSU)-jg?u$+ZQJ%JjT3*^6M@sT#0~Qtp%uM66s{(>m&$Fw zIO7IV{D85}h@NF88EEEMmM#=Jk8~x>GDC|W3{_I5H-a=%gss2(xVv9@mF#A(hFW$w zR^t2Uh8_OwWKRRffmf^Lh(~LAi$)^AKUg3|*gkYqbUlRRZx}WcD`xI#cnkvt=vB|{ zgc;J&^+&Vvl9u;*Gy>aF&rXn5>9c_&)rZ6f(aYMhSQ)_H_%(21cH?e%yfd^&QXz-yXpm3Ey0tC!~-3Z-~1l80vjCG?$qSX8Q7H= zTo`ZpZ6h=${fCo*IK#N^6X85~z7z#K=TTudxZzDWk2@e)^VKq~4>p zK}L@q$n`---FN($+J-xt-Iv^w!#Kcg^Y|nThQ5XCj++{mmF6PW%{u=cd$ykI^-fZ; zToos z4hAMIAMl|r$Hf)&0LS(AQtY3?*i35iZJ;AXi|K{1D@I=qA8?QLkTo-1W55-p{QG0w2Tf(=TT3`#`}9cEdY zR5*dQXPO^ONSv$N=GUnDHCni%Mu&cLDGGNTQuejLxi`brPjZ>pS+XhWdM1Q-aL$v5 z(d=)M1V--#fo5!-n^t0f)#IN#dSoB|-U`sRlJpZczvI(F1mYXo2wEwsTK+`-7JBLK zX?sk$f}$uLFve{%A=uN;WZ5=`FthL5ppP+!tcJj;{t>cXw^e3S&u&#LorjA6p;^G} zR|7cop{DU#luM@7zAfCu*GhaL)wEUoysZj4a2X}+O6ZT*QfK2^jUM zM_lf+#^*zY*S4@k`SDxNa?c7-9_JyZXjLHl#*vTQ$Ww-_q`{$ho48PHy96qVW+s(R zMO9JIPkAscL53Hho*psXk+zW&IhpjAgTOU}-lVUNYT;~r%Ye|QAH5skb#`E^eRYT} zK+(=zL~1ofGvd@ytuaD~i!&{Hf@x~7@mx~d<4{@_1w1WHW>bnR6;~KfZYsH125bd# z#24+FpwrNN06c;<`<{54sK^)2{9VHgRB{37itwo4>me8P_cETe1OoCU0uWkCZ^SoD zxrQYCaOK-ito7LA;ml!-ml^Cr;17!IJf9o5)j~N6l$Aj;cvoszx&$aKGe{H046jiz zN-5SEcd^Ra%TUq9_MFh~#Xf0Y=1xmB(dEbqmw)lx2cP6Q==OqdZOx4e7`_Xwbq6~+ z45s6g?Xqrd=;lgKks-%D7iJB+=@+^W!CFV=3~VN}@OVjAk7K^3i9+0dINv-Wj{p}| zAgiH)#~J=fJQ8M%MK^8Q00sf(qFKDdhB-FaD(tWCRU&SiOVz*cUMHsY-F|!LdJgTI zR?e=rZpM@{oRfmM%g{T*mrD-{iF>5(AXNo)vVltX8`WQCM{Bs)Kq=>A;?@`vd4zSr z2>UUkN4c+Z_!~Q>Q0O4SGUj0~5WHSnksw|dn6=|Yj6eN?meEf{WwCh$iITk1x4Umo zq9?CTX+pG6bZ^nJOS?jhdPZz--Z`eAV%(-Vd4i?o)55SGUkTX0znY!joz1+LQd`!2 zXf$W1H69OuQQm&d`xFSFJSNh%#2^Mumv%JA!5Bah+Ns<30qi$aJZQDDuc`t1U7!o}!j9K2 zC!cRf4gbWETmH7>BTDG4xR?9b$-+oM3wMfldP8_+U%C1s`HGeoe%uiD#|L~wY}-=P<5um!xV4WqgCuVl3e z&41^iuJb3Er3BK!m2KE$fAMKaqp?@U+~~)xr(<&tzphiV20!oU;xb6H`-m1itfu`~ zg_2VG24RIim$pjbi$B14Kv~R>aF`@a7ZlPJPLt^SqijM9`>G}FN@bc?RE$HSdOVmY;0 zZ~e*({xSP2brT9Omg_44*3H$P;spx0yl|{qJ*TiARv~ksk##4o!Qcen;W0ByaDj+u z0QS9N2Y<$H>k6=S06FB~^$T#@yJo7!fX9&CrV(MzT;uXFE|h?3!H*+QeWG!ZJP2dT z;`AhO=J$Gh+xdG%5Y)Q&v9iZFyn8j`8@g|h6l&}AnIUsW{oASJsG=L>riehn8Ot!b z5tC(0iMY;oB-C^~ScOGeZzLpb?lbr}PrDO>S%>2jwMlZpAu+H{%QpdXN?{9kKEaTm z0*yDW5x&EDB`*&p2h4SR+q16WT=!c$ub;S{=@BphkZoGP&IUIS7l;z+qfeuM#_1}5 zkHXBmFsi&0S6i8>IsM@0K7%_GvAX}Ws0)$)#-z*t&UedvBsOHQIw5c4i3Ar~#D`u$ zRsMyc`l`yz%8|R?W~?;7$`G0tPC_CHYM3H#%KBd5k+>Kgnv^fuUtx!r)uZf1xnEK3 zaG7SyZ#Ko731R*@wX~xnyGx}7@7Wy+egoH|Q%M_3U3Sp=2Fla9Sk=a-{FJRPK=mmS zMtWlUwe@n?3@m@WH_pO4Szxw<`{nug!bwbb5LOTU?(>5qDGZ2z$iLt`wWL+l-J2_r86MOVD9{*(=hB`aH z?=G%*Xo!83Mli=52FFKEpZk6!BAVx7=^bs7WNq~I4iP zH+Big+}O8S)jlQ3=sDd7xw0kG+>sXkZE7dbvq`f9N1C7}mNaQ`x0wa1zNsI<=f`3ZQBUACEVhg6(jz@g$Y%V z$jdavSvteo57zlP9O(Oi8FBO?>_MA2E*DRiL;n#%wdpXwjXR~J^&{qKgLtVsB}>OV znD|peu*FJhSzky=TfpZAaEym{TF<3{v2`EPajp%!n)Srf9T4MQLS^Fc)JT=@imb2D zj|+>4!@+o$ay6_)v9Cv%9vMyTJ)%9!Ov$Zob;XHu)D^`^n)=0)zzX4t6_H=G<>z%% zml9p;XGadFz=J&>J6ZXAJrw$_|Eh-^oM1rGmEr_OOtey-70ZK}@qYGVln~9lcim=?N^c(}{ezaMw?0;xlS5$Bn1= zC+BTE@-2lJ(L3;xFO{9zM`LO?y5EuFsx2ZV7!a2z-}>Yq0K9DzO>eUdM_iv>TN45e zujGfKDJvizK`lJPZdE6Gy62HLZUh4vad8BjP`fbu2Xn4H zz&KZ?dene=K#KQJ>W_fbFc&vRP1G6M=S1+T9zNR<9TGOWuniq+eU=|b8ZFtq`Pc@N z<*TA5yrbVTj46Fgmsitdw&};PecG@e$fMvVHJcaUz#5Tt82!TBy|E~ zFaCu)qija(OW?3D59D~;m#8i3df&=JbCcm&LG|lKLaYq(Gq)fs1;PVYwA7EQ$kD)w2-_}B-=40{pvgF z;`*JjsG-}YB=Ba6G1uP$0qVSWGFcpO(Dn01W0q&K zl4V`D52yZWzrJ#k*}zhKIBdVHxtRI5vtmLQ?ZG=-Cc2c7y(k?OTtM*YA}L+j$=wNW zqUg&p{?2ISc~GGp;!5kT(cb2DUk2+D+34w4{I=wR;C0iFvr;9HSt68VkH(%g=}5}~ zt3AOiSw({`JD3nVJSuL}%+j+%;Egcc!)AVh#FS4*nT>QZ3@;IcEhuMVoG*1HbV^t_ z;EVe{l%Uwp8dxyj>J#=8g4HXdj268@@>i*ju$cFQaMzbq8I3Ytd+MF+Q-p7Bra!!z z=~A}j``Te<=*<$KHW8Sct{oltYUC!OBUdkqv^eSJJkT9ZLp$7!Ip$ZPm&9lJ?08Q} z`ZUyzWgfj5UFM3*Jx_W8A3>B@@o&5sdZRCys-~nOjF*poJY4+1e5kU#_i2WK9O*ix8Sgzs@K$*0$9RRjrC1gGtZwd@6m;24^eHn zE@DJ9W4~wX6a7a${#obt_n+$7t3z>1Wg_07Rfr$j2st%)YlEkZB{bvtdPP-7BPI>m6l5XU^R0`Yn#;581;{MMjR?^{p58e^ z(v&cp-=HErpKyVPG2uRSv4Qj;=NMz$rQh9Jtnd%m>3==I9qfGux_PJW9%9BQvcr*H zKa2+E_&|UNMlb<&x;(xG**4TD;ai58-kOx;Xp(WFOr&baIN`;d*Q)BNd6x|*ZRaZ` zd)I~lgq0$~%IEeLj#~TJ1sZ^<?ONr6Do86y_~okX@C4QUw%3$41e|9p5;1XRQz}aa37+5T9#WM3MK)n zM#FF$l4x*ig%HvKqex(w7n{Iq5&g&}?b!vg81vhifD_Btf{`TJf|jX;o~>47xGvfG zU-@e;oO%{EM5mjWT9wxwumpmMZW55;6o;)WFxl9XY1u{A{$PGe8ER2^;h0T7dp>Ae z*3d@qK+SPC-|Miy8j-t5U_BI^sDOU|E-xAKDhNi`F~qMVP2dpMU&0Ovd0{Ms79Vlf z`YGink`q3kJaP-Ppq;I)QbTNFTeb|d}p`jXIQC}gn?cqu6_V9T}mnTd*kE9?B zF58XX^r~u3G)c}6nuWhb;@Qtd+T1%`&3q?K>Ut$&sKne7A!f8frwi>AZGq2qtAcd> zff>^Ay4WzX<5HUDuVAl7ie&iCRQ_Xlkc^s5kx}!KCZ?}smQ5IZu~DndcAgl3E>Ry8 z$~uUJU=g(fp|7>G+}SBauU#M0+EeulT|M5)5rNgUj`5u*7NU%{1m7ruV`s1~CMxk4 zG{2me)Gzr4p@@L1}DEY8+Y*tOkM+iOwAz;&fP|0{`KL4^dFO} z^888lU*A1=p9R^-0WM^8Q%Hc^0tc*Y%bxsB{>PPq658Tk$~1_AXahC1IH?p*^5y4U zN0go!NawXSVl#OEjD68>y;mf({&Z9IDJXhhRdezheO@o)9$3+3H6GrCjLR$x~Pv$vX4f zM=4eY41YM|tXn2P#V zivF0X&My!-h0NtHJ>YQjSb>5tOCEb&ID{P%cdMXOIDFOZ41j-%litj3DVf9yN>}tt zLCZ1?KqMIYC*H~{uCMZuOFF7Dp8C1@mR@iSn*VnRq@jE75{>RK3?4%RdNRS3EBmv? zu?idhV-eZ|W*aQk-|Mkd_xH-*{vZCw27~l?5CTYmAf$p%5XeYUe(A87HN$tK_|05F zaAj1fUXAXKb+MPXf2;^rwQ$|iMMecC;rn<7 zwRJ+-NKiDn8=-`B%=*jjjb0F@-&oB?aonp``SpGl03XDlG%a*o6vJNadWOu7)b#7| z<4rQ74wsf*iVf;;yW>tBl$(%}EYpi1$`aW`r{!{}1Clw@U)CUlXO}aaKT*lYwleKG z+kF$;6mMUG%bq##O>}gjwvq~nE~rIu^kE~A_h-g)b2=`UDp28mx|+%oLI70{i;F%Y zg0N)w+&iM9tJR%L0MjH~k#)_|HufaI%fcZfvRQRo@~)J4J6aY=>cpD-Q7B%4-5MY< z)hv0w%&d?(PNRDAracg5PW2J$8xt%Cy8^aKK?q*yc?tGzUoYipgO*F5;c%d$0+^!? zy5{Hp1j#F!XDr7PEax6$NB0?sLQ9b0L9Xwr@UGB%4sN2thsr;{U6Aq^zphuV-q#S6 zAgRJ|=4@WcSX>9srYC?EQX-^{6u4e3v%+QyCsrKcZn|4hd-3H5U%+)iQX++v-w*Vl z+m1w=FcBkNxqdi|MT^Lq97t;Ng0lG53J)682b!w2SbT#+>CN6iq?!;%W){M6E?2|v z0b?^emYGUIxL9L$rNb(85CL$=O;(xp&Hqu4zef`l44Ux2K0SJVxqdZ;hq2t1KmsJq zgulTv*|*I~Wf;-7cA2HiLcYw4gd{q=+D4 z)gEw=QR_IC4J`PSVI#&w)~t?bJpvytTFsH%PoDi#qG{deC988x2d%m0^yEQ>M1~~$ zMbsDo6bc-GacPBow|-`tIeQs-67}C-k3uzjEGhf=nu!A&p%TkVxa*}-=%-8Xpt&ml zJuxv)t*P^Adwxq~hch&>K~?vwkeAbslK5JieyHN6`n7L9H3c=oUSR5dYZU^U1z0uk zL}UV2OnALzeviSX)`R5RmmJj$6VlAJa(r6^#zLG4moPVnR^C{129Dql8e;dx<5INc z&?LFCMfBEAusBTtUIZVcd2*!ReB2`BC>%qQm=nu>3U=kr4lJ7eJR^l=p(Q2IWyhda3(rkt!E(zfoj6OImr9NM$eQbM?Hc)zca zf$?h(eddD+D7d1{jb>s~-i3?=QE$41^NiX}h22slJNi{@&<3`b0XK9(P!Myoultp=Y2%phM-$4xv=y) z+ZoT9u;p-Pw~W4lQR}ZP6pE^^_TkSyu%2s*90GA^i#86L|4xi<#<4!wth`CEOwAjE zK;c{#M=7G{-`qtk`Q4kq+ux=t0FwQu=qb)m`ZVXap)klnR8MxYcVcNg$hhT1nuuB5 z;qt`yh*tq7*0E<*yjI&HEvP2&f8T;10P|Gj3mAHOp%Go3%!qV|u zZmL)Bb3FSB;8#xRH3D6&c5k&sp-#%CZWpLLQZObC8f=mw-6RI+xZ!e+KgB`uaJG$v z-6(GBY5vdhg{hN+sg<6YC7pqd6>k_w_ut2Rln|f_G_wSME)|1BhX#d#h5H|N!ugBC z6GfM1;tzL&HI>hP<#^LVRVJwm4ddLL{W9U8PkNVvG$4HH(c$Ofl7yOp4mbZM^r6n1 z>`jwG4HM}Eok}4*YTE$uev%+|ec{LId%m4Www%9s((jGVf0XBccr*x3$R=w%S}v2% zQ$!9?)?|3#7#>%*87K*+krAIZM;b`H!$yt>#7z2hn=vKAEoH&778Uy$bboTw)&3^z zR;HLkZ=Y&zwFO#xyoSi&J;0)GdiePgORW7wXXz+>g1i7aNc=}RxKY6?>`Sk_vg-F` zV=I|1$C5{(f$Pd#bh8ZEhAPh}4eo>_xyAm{A%iF#I_}(>@h_Gy@l5jIC!E<{i%|V= zwvZ@=Vx}&F*&ut?Nwg&m!@E1s_5C#;MEp)GK|K1H%p{nJly4hZgtcdq&_0%>US%$w z%$-jLn-Hx%iXzy|&DdR4AJOtCBFIT+c^rv94r8!0CSc6Wx^ko8mw4tlPl?qj3!{+7 z*Cizc%x3B;Vmm6yB(Y?WDH76caW=>OpcQ@}C+1IvexEiIh7muMOKQM_t5g;Zs{33w)Xs#q_^bSj6e7+S-T@9<#^it#E0&JBn9A1$FnD9p z70;hCet7f`*i4C@ppXn5UJ#criNwFsh8O?5C=f323h*O?L%K;I%$7@i zab}OiZ%OEFp&=hG;8pFYT@K%*W5y~^Jk{Lkk)(AB<&ljxQJr%3IrPtHT}isl#>@-} zG;z=kPd=SQl~y27ZSZ!gME3ol66k;BrMWn8xzE#p09gc>uU&j6A74{Aw^Z7(QS0Cy z8nKLBw0y{D!W}qFJYJ8f(vW$1QK*w1e`yKmmuBRG0-N1Dc!1gll{mU$|B0M)>35B> z$v)-8$?M3Eq?1OAh8f}!AE@GO?G|p=?QwJw1vgH1A-Q~XKdO6AMi6Na=-KZ53JVA6 zru@?wr0^<`Kk;kIuLOG*wbH{G_-~_YjDp=>4jk4{2h|PJpatq+XfYk;m?WMi=Wh#n zb`3&mmQ1*x%JiFj=JFgh2;&1fZrogxWOBRG&6xSN<$!OK8=bb1b;<^_?P<5nSTG7| zAmKy(0~$BHF`(%jM&aLC2Nelh(q>P}kB^$@F%GnjWPh*6AJb-pIpT-8*Cf9JaeE6| z;t&@xmDqP~QdrifWTJAIEO@JT_)kx&$>J`nwN&xOHe?q~m~HXIBQSolIRGzf9!t>V z^k>BFIV)Agec0hiU;NwaT*XTjF~@M zdaFnu)p0K-#i$ujp^3&zlBpmSlt&5|G=KC82*$sXB{Xz*-YTG2tMZ(&inSQFR7*0> zo3^25DK!n|uMl9lGd3#uoF(0(uUd`sMRH?e<82ULHDob~Ya0i1+kBP$e(JkpAdxnwU?pcXCPP*j*w1lUm z;Wrn6)1N3@^TspMqb$#sfD50eJS@Lu3Ed9rQ6U-B4H%I4_c-ydX%p)N@k3mLB+Ql^ zXTr~l)X2h)x^X7Q`AhAVjy|4EI6l#551Wb(9;HcAn{czXRzXoR?|~M63OIF<&T&Pa zUtjQiA!gclJu_q{7Rtz~)~#oN04++;sHitiL1|Pp;M<5nn*KR@B#1#(=LdnN|^% zJz+;p#2$|_Bq5+uRJX2>d7V6KwZFzi4kmqCO^F#9vDj_6pdbG}WkLGiKSusFZF0yV zzQSLEh|wsWtl1KDc1bYA-y_4=j6O}=?0LM6`Uk<4c7CUcqvrB%3$p#hNup=>G%Ya_ z*&gEZpdb-3@CL<$qzu+vJ!CLCtfPFvgW%{|<56=Ia6-V}NDAZSK22w;s_^SxFE~%n zt)G^8T`40(iT*^hyL~&RGtT;>VIk0h0!x8zjhkL*NDv`M2XzGbK2Vtg&2M~~KQfyz zn*2*rVf7kwZ=b_*o#G}M%j#1vdba6aF-8Bg^3^uwGEl&RzU+?>u%@02fm@3yo3xHM3VmO9FwS)*^ev@F~QH$FBh zH7~lz3YI095%4K~;x^9!?e(D5^@EtL2$(#_*3DmZma^dh0=X!RZXqY_O834FvR@wj{xM(b`{a0IAIBKqu*ec|1p zq;6lKza#r*PS6Aj0X7DbXN;*yW#sOOBo9K5)TrJ~&u8Nn6X{V|qIeqorOeZ|=22Nw ze?3;_Tt8V}Wf-vlg&csCg$>;GTucgW@|BXlhN2=B<-pryq%PmPra2WSP+}de!hC0O zD`m14srRJx_|Cd9`T_*TQR|r_xs3{URkGUqat~(^b=!{{H2Rje@rS(b)Kxv(|2%Ed zS^bHx@tgeb$@9NdA94Ks^}lA8f7CV65w z4-jSGrkeZuy1R&+YYnle<+q$a)V1_l05EWXHe15_#e33YLFb~>{n9TASq_ke$Ho8g zMK@c0Qz#rncbNUx^Z8R<^AZB&h@%hZLkV_lXkj`AP4cX9qP#r<0l?FTb_5&2 zlS7!bX9(k%go@5)8r9!({;jS(e*@%5c8|2_Jh*-$mEFz|9JF4^n#h3xJ5AnBt^N+el^8v`_?A#KxQjWi{$8kSa9tPcIHWmT}jX5|HEMzV0~4ixx3*itV024?%sfT_Xno1}Nhn zU-ipMvC?C4+Kl^+rqsIru1o!)t|>48fUE6%#9ugAV6TcT*nXW7`eeW4Xaj&L;!Tre z;E^o6Z-+VZjzHA%j@qBBoFl3iwo>$a&cD?)Qf@#t9nisTJV0h2R8vD+5sE54B+BT3P7}cxSKEe1D3uP70g?KhBE+vclU&_#bYJ`8PYr3(395*(NsD*9TUoQJ8dNapz>tv^Ok$@a`8M_wZ zz@Iz$pc6K7*Mi5Jk9oDf<@}+pNp%8pG&MwHJ$Ew$x&*|gy#pXy`&uB?0XbeNAs@5m z*(Xs9Rk{vR!{)B~Ptw2TsPV@C^*;SaT{D;fWHYvv1@|3H@gr!X5?Lym$#*9lwE=(; z6-PSEI$gA>Q{73drYG}LSh-C9%IWwk=O1;gvI39+9?Hg1JYJNwPfiuO8otf0ht5F* z$kBSamm5YQ^|96MxuA~_JwVH#5&bPkIsd3@S9Snkr7sgUlFpgAzNzmVWH(zQ zB^XT>AjdF2D|vA`UK9^W4lh>9-^nR^<@vXq?}u)G<-ln0ohwSgs5zGdvXCp5zlN?% z0y_pa-Rpa^e=W8i<^zD04Jc4|t9(f!DuhVcfo;zqf@i&c;SV1iwV9 zKL=0@mq~i6QnuU!fH%yrk9{gey^~kIBQKKcww|1OQe$^3carhniURrG|s_b>M)WWBjFW{b!&5$@xcbYv=@IVIddZ zL>jKQZ{qj%J$^+&Vt&m@1pxi|6VB_;ZsvF>dBU_Tm zD1`5q)2Kf&%aosW^{CSf$mUDNp(AvP-Zr(RnxR!s5oJ9O!Ty)t_VcgT{U5!Jy#N4= z`H)u%pMmh*=K2h$AzKE35YP^nd@#SD-Xi!?k8Xc8A~0)WZMacxq1DqSL%ixMC2IV_HYY8Q4J>?X4p2BM?{qGgHQFK5Sb_551F9G<6DtJ(|?`?`eyjt%TAV(mSmK^V(%SnydYMo2A zol2SMVD-10KNPr-eL#*bdJnl6ity2jnT)my_y%)966zWt$BQyEY*CCR-VX7mDmF(R zUO8mWJyh#|Qs90i0v?NyEK7CaAgNK<*uRm>zbig^&X<_S@apr89S6SRVFEr3x=u`` zMo5r44NLPLu;3is1S~ZR#F-zJyUMak$|;|JL)!j8;8-I7&tMGo4NM^xA;aM#ow;T* zD4aFcaC|+V*M1e%0=ff?{Q(~io1QNabMw?0MtKU-(??fa6(!#Ct^9{<)63(2s#adV z<^O@eMVSFUl&iiP$&r`n-ok}yk7VeBo53KWk`^4uzkV_1bof$G&Jz+Kp6hUad0=MOVJ7y!6%vDR?I&4#m3vwMvfjElI| zv6Th@?#l?>UVrya9u|!-OV4(54f4vVfyoFWa!Wy;5Kf9~0o@WaNRWfA~6bF={F|M3z?)-yiki zFx)1!I6aFFo#}=swf9n@p8T$o!OO3{Z&>#(x^GMgdziW0c<=unyc-yhPJ3xc+Z}P0 zuF=ucSQ#@_faFpBHkGp2YerByJs@ZxO?jVGxLz0O4U|e$d|0t(48WnhkQ%f_uF42c z6_bPI<@Ru1s(DMKy%^z7-^{KO)(NZlQXk|gX-#(b;L!5b%>v_Td)>Oi-dbE{3m@86 z^T;zjb1j@3Gdt8dV+~UgysxleQW={`WpF2Fo<=!AA`M2;ER@<1tL|aa9BK1 zHq9?M{j)uPugvNjR%AGkmrI=QHSe;8UzfvA-cVNkzbt_$6#GzOzpJ7&4S&Z$gMc(M z(-P#B0h_ZRiK$b!8AX9#6oKzt%`TU?G?aaoT)4?#g!CYSZyu6`zFI!pm;dg|?4ra@ zjkOWlD1_NWY4${VCviwi&i1vO1QV}#^TZDc%@N)`{lo>G-OS;=N9^9Ot#-klaLxH# zsG1cQhMbw)f7CoH^F0}6K*g{u>g@p9MyyUy-!-xcmVaF4x6AX-*z*qpcft+zVLfjh zNrW8^#^>0*=Z#2Uc@fxFuICN6_JFRY7)5`^0i4K;~7|D~dCvv`bq z;hpGUM*yyQB~P8EPN1YjAq@6cNaD{SbB(_EJPJ@~O>yfL+B7;(L(S#6idm`MsXN_< zIRztrWwI>oOTvXv&x1S*2zmomH5Fp^P|(7=k~0++WiD{bKbu&<0Pub%02doU$YiSIdwxXT)L^~h?c ztgg!NkR)TG-q6tp2S%#0f(X!+F`z>##P+Kuo7&&eVbn{CVBRcU}JjANO*X!u zyG6A5+@!y;C`11nfqVaJX8s3(D+q!Ighhk!#SAlKJG8?0y?SUxg}!`0{6*vLSkP7A zWPWD)bkMGta)w-FOxZ?ff)hVBFnhM9bIi=R1R6$$IkCW7j@NB5ht`VedAZWniQ;o6 zf;`vh;|sg~qwr_7q_U3NbP#OM1Q^93&_NrlJ`{^RG#np|J2=9#{#)U3g}zvXoc@r* zGYoD5CRdjsR`s*Ohxc@_cfCLYnPKJR86Ms}f=|FSHasF=y-h!&fgor(9Ff{UecGc(B2z$eazy;`p#*kKm04eFezWn5(5`w0K@q|7f=h=KKTUf{fQ zc%nX1ilxwoV2@bSc}GRB@R?&AN5D-%b<2WFMo{C^{G+rPg& zXCm+b-xf6@4W+O311Dp77zI1{yUWE2cxD=Pcm`s}w!>}dMb(oIp(Rlf;!)InDhO1$ zp!R#v+x$5pWJ1kxG(T4d1$q!1{N#q%KL1ShLuJjq5?KnY5Qmlr)k){tOM36ZzKJo= z&7?glN1iTk|1$q0**0A2a&i3#(s+23>ZFGk>NfLBup9J4F#xxgCb`z3)WFM*6DjfS zN!ZPrrVe^@qOoBO!;T(7V{e*O4pVX!N|vU8UyPKK1+!y8Gf89D`IV9!_6?OkCdR) z1pd|tuhYE%I4FV_ZNid)1O;6p;=wOJr>`DX4(YNxbyJ^8>|#YKuat}E<`>?Oy?FfG z?1Fe03}7`^y)sA~gip})#T>2!Ra~#;3IBz_?a%#rTn@R->dRg?w{qW@>J2jQ}jIl z;I~wYYl}yz%;|j^(}i6J2-+MVdIjyF&?=Sc-eytJv~-t`MkMmZgxa)6ruVN?ohSI0 zIoLtPtVK|y^k%8ykmKXTz$M`=c)fv@#ka|yb4b}sco~_MHgo@Y)h(>{9hrC(qg}wvaF6-&xl(*HTowW<*N#`P4(->6-xY zEhZ(KOO)mNclfjffw%x>0Wb9U;MCd-bp6$aME|*wNu^$zXORMrL2DfSw&e!l+x3=j z4NVt*HXY~&T$2MX&^qft(eU)bX`aywkVNVAd$l{i3}hv26%}E(%V3kH`!Adpp+KVt zW|ag;SsJ4JbxrAREc$I%+W{1>Uuo%Z2@}fY)a_>ml1>z)p%3tMiE8PWn&h- z=^LSF$@{oT>-%&@h&=ysWcMFH@gIDc5gOu$vgVjWVFCRpI8`F70?0EnQoFdmKwUD} z2Hhde3g@Cmi2JG0wRK%tus-{AgSV9F+fNsaZm#DcxaO}v5odQF?aDK8kVK0=edDV1 z`*`P|4S7^4Gab&HvwFe{Kg(F0ug*q3MI$XHzgb45kxS!u{{&X>g64E~3%et)k=(+) zgzvbv8A^rWfpK?y0F57uO8s@|<3bChIYq~e0_wEBWTwna3Gs;PDc=;3F_cOd5LS&c zGf{db0fA*iGKO7f$qMOVT~Zg3*-c zPPRV$1+b5cD8|DF@IHhfX&JpB0WMUsc`l&K#5l8>4?ob-gGcFR53&qkI5ix7LiEn| zz`fYXmUTM=o>pe+J4NyR(T;>K*Q|WA9$RU3{O-$=A7uvNZeJG6go?5nTgR$EBSyl_ zfMTsRjU2sSbA1qd`EKxbdpG(MW7DnNIA;>A^3)W;*>a=qi<1SnbHX=Zm9Z?PCgAKp zg`E@93s-usxvI-{x4M3#_g6jJ#QnV&X-I$=s~Kl&Q7*kJ)mp?A{7#Ezi2P>< zWf8jev|Bty3~DK9> zMa8uG=UHf%*?_itBc{%mX`N2^)E=D@PI&k=N={}q6@7)q@P%sf^*f%+Pv5GaqR@8m z^lJ5`&6hk{^w*Y~P$*}|(hwljEbw$7N@R!SpoE9H9)q?S<2U$Bs3D<6A=$>yPY9{x z?lmO*5-)%zE048K_F31K6VS)S$(2d3!;VL`UJ-{Vo1Ad_R$6eRq-6(T<|Iu_E@O}Z z{#?EAonp=9LO)UDE+xK;L-3~oAshcuy7z~IjFCyb(eDH#JseO{brGD-eliwVyg*%M&Op($IQ{+2azY{LCO(vU?S@c_sNZojnqS_M1uDA|__6(`N8+P_DHRG3tPj%?ZHO7J%Y;& z{q9ZfO_O9-d0JBtlFJTECqA#sFFY4|ZW34(?o#!V|>u1IKak~zJ!H5#actisiZo9yw zfNHgi_L1>4u`HUwIhO!hoNbz>1mj6(Q74!hHxkE-y~#>`xGbx^P$jD{jv}J1u;?b7JGFDSsJI^D)xc2;DQ(Of#6U|?IY`&N zFQXn=11iStn0>0-Q{WqI_YHwp@#3?)FgdhrDFE7~`F=hE?m)e&>GhFpIt5N-jcDys z%rerwb~J$xNUn|{;S-x5*{EB3@N!N+W4YTX)Np|cDNtfJ;0i?^dXcklYRo1HEu2#} z56Os8@otU>t_3CZY5{C|oZPkTlb(bOvo9`CP3;fZ1E|t!GE&K{xW~DmJhrVs zdS@_y&wcH16V%r69hi$qI@0LNO(1lZ3I%8PKmytd!J+)Liol#n$(4J4zqENuwQdik z0SZGh-)A?{B_qq?u||_b&@GI-4QlpGB3f6@w#DD`_!l2GY=QXgRrDi-%~9^XWW!5W z|JL1XuBFz;Pb`4L_Ht{72UQCa0iyNe@RKG`cuwf=Ze z_8zE1Cb|XN+DTai+r1OYQ>`~7{jvTW`yo%hF4yddRS-v#+c&o4Q-z|}1r?A#Y6()M z=XfIZ_QyP?tEneX>oet5pzEMz;Cv}-Bb{DgE=sIlTvu0oa=Edr$Do+X*3GnMgL-IL{48iC=M?WElnJN2h#QW+2$KlerJ zlLPU374&22fPX!`o_%Jd(*3-#o|uCXV>huUvR1aIEwmk7!13;^-72j5sVt7KYWDe$ zwRZ2pZYQTELfi1B&Bm6)4>1zB4iS>xvQ@M9h-uejDc>D%FK5TH?YAoqBXrUvN2%A*+smplubk+Gv5U$ z9hRaf{17&S!zB)A4P|3^PXz-#a-`XLjv5!WUR(Vvxvhl9mx7oqq>Ajl6G4>ckp??n zjnRbL^puRIfos=}le=F2XA1G%b1(@EiewkDaQO*f|IFhbd>Csa5>O(`E0EXvl5CD7 zlN;5exRsvpc;tQvS=c+Y7sKrAL23=XL`_#%tJ=z2SFH+1BCY>Gs~;Z0AfdIV<4{1T z>T^LKR0ebkH1=^OoD=|Ykzm@(;nR()4oUF24(JpS=?DE~WXt5xNvtGvHQ^1?f^^#} zj-k-ia?uhdqpn7N)cYAm**4@d8yDnOmtt(ZCr8hGJ&0uG_MtyU@+1)^*3%gj~ z`HxCIxUkE&$;8Ka+gIf8M7Q_48YBls3SkhDQjDR<=spB^{^ZS4)EEM41KLTxm%5%> z{NPUdx&~x^*RKSg3lblrXN;m;G{q>7`^%KE=S;fT1DQLla($gAY$e&GMn1JyG84+K zSsHR-Z@D(**s9LfVl=u%|GQ|S=`0gkP@MPBaVulmBf%9rgz(lv*XF$1(*>jDE7rYQ z(NfrnPE};>NmiZ8=qVJ7Js=HXazKv`XGm-Y9!lI21Z#;xsy6%WSgfQfUfIW3%iV#2 zd}YAY!qjIL3+vHqKVos~N;5>g6$JOXIF`(*T&Itp;H5%VlTG7`HnsKcIX-FAH>p~M zt(4srsCVOSQW7-T9#kSNTZ)cqTHR!57U{fH9=xqyFVdym#VzEc$BMiTA z@E&22Y#E3Xzh7R8#jQgSw6wn+^w>c3(rKvLzUAIEAlUxj=JEaiKmT8T{+`FbbUAfO zB%tXbv0Ou)24Uux23i_wjS3)QIJ4HEb3-b5l>=##62I}-nY(+6G^HbGzeC>@d&mjt z1w`v8biPYiTk|EAjJy`3H%=P?5R2I`cq5o796^C~?xhtL!{Znl3Y%`+T;4;O{0d>y z%G`kou}ki;rN-$H2s0GJ0yN5qVLQee&P&i4JMUWnn8$YbdwU(q8%W^DObSQ?!q>>+ z>U4bK`OV>C_7_d(qsG=go~Q$%m=B)+ec_5jcfv5X90^^@XMKxYOe2Hh^0Q+VKnlzs zXyRO01Mk^9-c+Y3x`t1aH9;Csap1UW!nj2b@9w?j+(+^locIg#tBddATbk#Ip%?Ra zOFx&c2wKR*@+Oqs?K+cA+yZKGHCKcgpaayYv2*6}8aUg_z!9u5gORf`Z`xZ1U|~4{ z*8arc8`Uky;oOsip9J}Y<~5Vh^VuCz7Y+ppM3UBQL!GqTw;JSutbA0X6&PWTaNQ<< zm{9H}S2gKYoDTtcU9Cq!PdW>Guo1t}x^yM5-PnwMIg_+olba~hec+pR3*}R3%{m>b zroYX4yvKa*SCHHhA~neAwK{m~k-Aa>TBsLP4W>`1O=W?7QjZQY85f8qN==!Gcro`OxFsDB5N6dtHu{e|{;A7R z`6GTSDB^m3ZU$?`wrZnCKoP%S%95Ex|30~M{v;Gw=l&rwBy9Ee*peod=)iZNhvgj4 z&L1ANn6!`F+YPL+%xfHNQf|`h6QHmzVQ%|zoH6AVJt>4$@!Piy;~KK6t$8uv>u0$- z9So?omlgJpQi5wqC!#``4djh1Nlk++!81(kk%(EK2exB(e8KvZPdr0{l)`Plg|4VW z9R?<~fE5ia<}^j(%&~@ZojteW^H_U%Xxs^U3U48l!QWgoUmxW>L8k~msS{mvS{Zy{ zFQ+{08KuY*=45@!18!cRMc-fGtxPv1iq1#cG?$PLqWK|LiR_zBMempVCDuo+v$ZHj zk1X?ySenna15~8A-KEo1%upoML*q#keU&foeuy`8xrl{W7+pm+qP{nfgws>y1dy#c z?_#{1;q%mBgZq8rxD_@RefGmI2Hb! zzL@>aXFQ|cM$N_p|4@vuN;sXTSyDp;r8Q2i2oY#l@SVVl@jL&eD~juyu~@6J1p{5_9< z>2i=&i0|ONdhh5FY5v1O+m+s>9%BoZ9pieobbwKCA8RA*MAmWzlg}vBvsqdcGdJfvm_Jc7?X8?-c6jaMQZjFag1t6t zaXLbd{g7ED4AAX{m#b7^Ag~f+3}{1q^n~}MExy26L>Kmv_35AOawTpm9ow8xj|(ES zXwHEqBCEwt^Kz)$uJxzals#TnqYTerFZ&0A{I5xO)c2ByASP$urLi0>fzU~ms54Gh z6cRn|T<%wP*P$;~lG~f0>l0IBDGB;6O^y|icg z7~aiS6A~rxM^Y&+B^d?Laywkk2m+2eFxyo2=HV~Pd_-TS9Ah7V`O0=i2S}eOu#bDA z@za#P%gPmcg_PV@K$1-{dr}%)gdurKSwPJr3C*sU`4ao*JXpWZNaoa^PE;9L^_|XH zH+(dtg%Re3U(i$V&_p4kxa#CIqtKcR$8QQ&>Ny!N^5P2OLp$cEzqBm8N(ci?QW>!# zZn&8>Up}q2$pNp)@QLtllvN`j55YO_a}e+y(#CZRvY8fCC;kS-npJ0gWr*st{$>5) zdLBr^ybl}!F{wF~qf^@)=DRxRhBRsA#b|_e%7}N3k{&E`Q)d=|YwC=I!*_E!sdQ<@ z>~FhS^f`$Ms_V6_2jY**&uczheR5agCplin%I5pZmKa4{+3*7ggX##^5z?*xSO>|e;Iwatq)>B_6+*cGN?BcJgv_wH zWw7ZVVGwn#U8B7>@@gc}1>hTAO{ORmmvY?8miu*%_8_ZyaqBVy{#3tIb z_SCnkCvo^J>ezGRp{}*2CX3e+)D_&{9!i2Bp3K^%4>^H>$_A3|=WNoE1nFaQnOPb?19^joZ(>xBwdnR&Ui zOqpETCqkacjUn;LBwtWUyT>(LWdxS6Dj$ zuKjjz`dQVuAY=}3QowFJ>-hKS@h^OE#0?23@S;#0#7V|0M76dX22zS{lJZ0Pm-nEl zOZvU6=+Mmrf{4|^pc^v$Ht4pK93EXJaXkNdY+P?af6<%XBH09@XmLIzj5yklPFue; zc9`}~1o+AR3F@0aNAVt~f~;>B| ztD~;9S3rNHEmX)1SB9+Q{BfcPHI4oP48uL0x+SekK6zlGw}qzfubMe5>YJ!V(uqezlO@0VrslbA zG0_+8uJl#4a?;e*>}NI=D{=!YjsB~j1FPt0bu70MnZRb}{y z9S8KV!R>1g-hlJRCohBFIqn{iAsxTxG|CC}`#y*V&-9)kqNOV`2BKRM==B-|-A)*^ z?{J>RBo-9|7~P#$RNhuj7H-!D=1kK{>YpYf9ks1iu>Uw4wvIP}TpE_snqTAq{dvS6 zzVxhQ45mXIj9>8BqeU8AWjfXaB;M|z>%)a=w8G)>wlmzkhLSpU?=TGf9B>k`cj^5Q zR6JRUR&~n9^CC7|!kU7I5K%OLYnG}azpo^NJtYA$!#7a^qC1%+L=OJlS>@(XbpR3+ zd&xIVWc9=uz*Te$Ot!2^8Vh54hP~i|CBz?`y!f*{BHw#0yDZgBI+;_?i-CdM#b2;& zo1kpa+}Wb-8rpU8d4ztRO7LMYf9Y*6xwj3+VOe&T+2uV+&ZSG`}Oq4z4Xxe7oucbE2~&u-58L4)}$QH#fqE;M?N zLz-O40%3a_@k|^W`V!6JyyGc#dH(^)qx~95gzVrnim={jRH=4~o(T`tj0C#e2 zR`$*QB)xGs+sAh3*=E^2d6(=uT-790(wo|X z&9L)3*^_KDUKm#zKC*-6AuI`dC9`;X<&~@GK4ktS__0_x6=KX%du@^-%Nwb2w)a^w zkiC0u`m0C=ky@)n_NV2>{kTn~XUB=|@J!vjNK8{iSDXQnO#1A;-Wt(YE{@20p6(^A#=T$=YGJxI8xjGW8aLFCPt&OMndlH!_NMpc4_>+Z}81 zScxXP<<&D0&GSXRJ&^Tb#-DCM0HHFUS3Bp>W(vl0IDa9TfCvuB6*F55}aIlc;LiqO3yUC_& z@$7GKUuveqDsiFk7_;Ol+@F4eEIzw6np~E2_z%ap<{1wBHp4Qef{fC=yQr) zjOAo@75ipmW2{kqo;TpUgsmAY?DP4d%Otokg2d!Kw>g4AoGn`hU;kU-%%yFygnMn@>#S0oMumyrhZpV}n+U zolYUh4RW$SvZ}~*a9YpPtMFHb46YPai zMaz;2#mDfj4&%mf88?^(cbSt@#8`&KLod$!Olk2cT8LrVifVXKGR`4^njhDW zC2em?j$Jc#rnI^DW*cA#VZ(cx+GJH^rX&4^GvyaKAE+E{Q#cR#LzR2!?2QBUOuVjB z&z~j3mfvao=G`TP zH1>&*eHoH-Gq)GE|58bcA}b$PW`VdLB6eoc(Amc_>T%B5b)Wcnlz!`9Xw2QSVqvRd zv`Pime7E4`A9DnnsE(*>J{~&2`ABh^mg`-X+u{kNMp0Y5h~gDr|bX{VW0em z+^?Cm_At)5O)y5IE8L*dDrGSh;3wi>6lBm+vURQ;U{&HmFtUNoQqv ztmrPU=~OAiWaRH}8#s+A1qVM#+jz243=1Os#IcLkXH#5=sA?ekvC7{nI3GKdsFnc% z7}U!XjDyG{Y*CEttjRPbzcADTV9Y76QlG9Z4c(sa=~&OO80J3Dqgh;6tzA`OKo(v` zmGOOYo<`5C)esVSZRcVcxppW*5QCVk!@i|40b}POo;(fyK$w3Phx@BMj<|)u6f1|} zF8t(YxKpaff3@u;u#qi7G-w8FtOw~wG1;TNy*BbNFk?r6d)jn^sx;w0;fqjecP{>7E$gC+W%*I{IB?+s1o8AHx2u^mV%;m78I0; zRUIL-zucYy@)amNAw!Mwb@tI|G&s!1HNQzAqXDxujbFSJFzapYmjwX-DQKj(K1 z#KxQk2omCWeC+eZ`o-47E*Dky85{$9Kl2BZuPHAvPdST@gTl$cmm5zhE>oD)OluR> z@aSKsYn`5Hos>1@W(eSKs+JYoafxqd)XRJ}GT2Ty@dr|OrpTUNhYhu_UZ)O_lQ#pA zNaN@EZ9gW=liDuY^=TLcq;5p{b(f(%;7^kMln|EU$njl{LI0fLBrgV zep#O4f6dI@IeZ-v5U1JNEt&>$2SQnfAXswy5cc_*K68_#}7n!4+t zbN}H+E8!Um6q-L@x#$tC2Q=R}qcfaav2p^{O=7Khfe9m+$Or$jxAfMeFWr#9uhlG_ zgmj~@vTAC>tkYmCrtB4*^5N;Bh;?hUnYHJBM}?959^DXg;9TkD!%1Hj%M=3&g8#@=Nd^)cH>+p;nR+m(j#TYH)?6*4 zV|#_3n!-x}vidvT5`2_ld_xOGb)}`})QEF3opLWE=->1B7e4s8g9OwM-HCpeiK&ty z7)*RwtztooSY{W#On^6%OwdP^-F73F<8CcVtM%K`Tz14HZCIJkW5@v6#}UfTAGR3` zcxA`tO3M!6aoL)7c?(!j4C|F?9zkkhj6Q$00ra}Xl3un=`hDNs-hDelmST+R68f-ZGGB4BLo zVR_ZmE$Zj*pq1UQ_8QMqH0AYrry_l9S1{wf`M32G=+}^j zP5hdsSqqG%5&1851$V4wyRj4F=j%{)Dn{cI_CW*XybAWfnh=@CffF1H`BX$dx`Rwx z3~;im@K+Z=4XzoN&XGKqhNW!7^0MbL`r0*vkd}kDgQCaspddRAXQy0fTvxm$a+ z2-8r3DsarW%El6nM6}_Dc(=TevS9vxJdQ4~Fy? z`18>W^UZ2of%w?bwYCZP(&{G|lQXf;8QhQc&&diS=k@KLMT=DZk$RUnEpLFL$ zJjod^$s9gFZ>QvTP24PxJhqVRyq(+64?C8BRGZm==V0}Mt{b_WM*k+wp%(*9{b^et z+}D{NL#6;;$tp*Uv(+|+0wnCB@~mh_rI<(+X=YjkcqPeugH zj+vK|HFJ@r>p0})kWMR*TVX@Jl9BBqsp(wko0mgRr95AR^%vF~(!}sjVyb?JY$F%r zgtMD0n*lfeW-|RuB`ZmMRr8^buZmSVjV6g@1;6sXckc`1*y#8D#UFVihc_i@%{6hv zQ|%YPuB>?xMdxUU-hz}ZKa9n229itVW4$5GT6jSHg7|HK5-Qiu61gK#H<&zJi6~$R zU{_imqTDR#Xde=o6$5=ywD&x}>EIxEkDXCwij4!uJuifMp#MHST%Y0pT8sS`AN15h z{I*+N=6V^jS;m$q(aTxu!oV|TG&|Ap9!d20^?RxS+XH)9NiZ#x4O@zZ8 z@+5Yp4>xfQ660{18BY=DcvOlq4N*VpIDj7{Cn7@bILzp+iw=yKX=o0X`PZ~l#;zm+e6Z@Yxd0XdiG^+ghyF=XNos15;K z3O)KZ>}|2xU~wL89nj|%zGy8>4@4x<19x|B`;_IOnZ4@_B`c)@O1a}`Tf=7!rwe1R z19RL;pg26g4;Js~E3^`n!7Bq4S^P`xKp{*??ncV|`&81E=~2G>4TPnmuTlG%IGE+o zMCGUf!;(nz+65%*tGl3X;QXLw=4q_LL@eQI&tr!g>QTouo)FgT{S6%DKVUSf(~O?& z8=_07hrZDfKG!X&3-s@+WQ`Lvx{1Iqh@0lOs_zcsZDKu>s~1Bv`fQYsx`HG|ArHd< z$W<=i+HizUR%afxImkb&LJH&05B`vHyz~{}D#R%q_rDM=WHN$;;pPU%l%Ehsmpi4)whT=k1Cn)V_^Q~E+iy!r2^ z<@LPP5Knol7GI`B;x!$y^??h&@07(~-C0E?u^Wqq+T&I;8!<`d)5jhc7#e7c{1aFd zHa&={&W7M!`f6?qU-v?DK?lIWCbe{qp0ynHXM`SD2dxbNLpB0|wdw+|;Lv0CKTr%m!3P8_PR^=}{$+5Pa zQ@=sUiBHr12KypJSn%j~1IgiFn*qV}WbZJU03*@EJ)pI*fR%PkpE8xRg#x^z~U z%ag(5eUqF458}bvWjN#qbxT~#9a)1wNY{)>zGD+@e0OU%XJh*xqRh`iE*fh>0RpS`@^c9cWooTiX+h`reI_ zZC<&25vga#Y~{B)oBON-a#k~g%53LLoMrZ%;*YQGFjdrH3INovQ?LS^3G$MTK^zEP z*YhfO$CsKkyN-nxg8Vi=z5A;RX*a#@7-ZldhP62W2Zh`lUr~#eD?Dr(dMz8beid8! z^dE)Um64t+EIvzfxrXroM%-=_QqCEWErk-3ce!QOaITT@0D+6fcXbWJlW0W{GRc~K z=upzrak=UNEK8;zvUF#(_}2Iqy2_<1uL#i2l^zOOOrx(*ZXeKaiPcV0(G*ZXZ!494 z!9|*$xX(1osE>UMxhBiP+8IzCEZ}~L19-m7mq|6fwinP7wM>d(&kALBVqD_e3>V9dk4fEp&Yh}W6KmF_WbYzo{wX@lPhFCxSpkgj;N~aaS{A_&M z?_8VeDVK>c5}%l^@@6&cYx%$;ghIMF@^Q$+GZi1VcrZ-3FXjW-Z#bF}VHO!l%La^A zr)mHqM|Ua`U)m;s?_Zv_LGiSVJ;w__e*F^f>~^CdJJwGW6RbcM_|!%g^tA~~B2hYU zIp{$K6%aYGqx9@!mhFpoo+T`^vj&)cTGu&Z_&V{z%-nnA9pmFvbKbta0-rp8ADDAt~c`(Bwm;&BRsy2WSrZT+e z@&Tt$ziwdvGsd-lP ztFI&^=OcFmqWBD7G&m_;w<0v4?i1kK7R&o$KeA#s(xIS~A>K{=5Z&Ek{)C}PX0{&b zqSqw=Du~PZ1^E)9! zlF>|V-mq4H_9l^dWU(WQklS-bEUP-zu#77}J zG>}082TeHqE=_dEzb_>jp`wSzQh+XFy=`yf=yt#YhDBkd7^4-MtFBx~-$#N1ItE96 z6b2`)D>SfJGu&*OmU~S2(hL<72@2TCMWd@ZI{J$uti!QvOXq@b?F&rMQNZU(@Rwai z_lcwtFoWJTVj4l+LCH||hprinG~s%v0iP&=hG`1sv(ww$@3oxw?7x73ngz1Hbw6ra=za^j3{`^BV?Cw;*1p z&c2EWqdoOaQDq}|yRdDmZ%rVV-GKtzo>1i&23(}>YK!Hy7uzP_a;cPFd?-jZ0m>uX zy;_44`Cj6$2?@wQJ=rO(HH-&xR?%PS z6;98L2`0r(M(mS6$g|N6d4=#QbnfnAvB{)UaF@GeRmJFs`)1fyMF!;;xvpMA62W8{=n5661=}br5*_Wc{un|?(b~?$ zIf3h(-g4BsXaa6)6fS$CW`9nszH4G|r*2g~gx-b3z56v-YV_SWOIXFxjqXtG=Jjr%{Ujn(M<4^*0Sz8WU{!EK5;RRK!MIrK6*xFAynTK5tyTv7@Tu zXb%d%U`7;iuWY(b6C{(XOX`Bx0v%a%(>g4PL>=T@lh&J+cDfhoa?^5i!QNbieMK)maEVgXHn*mS3C4hS^3=Er1v^;9E!syrNncrWp z#i!W3#@0Ix-EexZY!wzEz+g?&SsNgtsOW3NXm18q-y5t-hufK8K!cF?I2@>Or0u$fnJ%h)vH(*3@ZUppk*PIldyXw^(dW*gA6 zCUX?w;%xwN6YLn)OZZT*0W(rbmoS`G1K^PHe$RU$)D2N}YLF*Am%R(*AgFZdWbeMy zi9$E_>?le>#<`gX6dJLIB^sWpmM}9qN?^n%r}SaXk{=W0ZX0U6m)!*FwV^~^feiH6 z{;KaK5iwphdm%v}=8m%A+XT6?x@o8bUBlp3o&4mE3s7OYUyrlMjE8~!Zb=@Ymx3^$Kg6KsHi1NRSEJz5Qy~QGEWt$dc+&78`&Q|g6~Lo83IIJ zB0&psIOFHGt6c2QIkNjzd@hP6FOK$Fkl25M!Qand^Joq)3dKeK5o? z3hP%l>GBx^KK{cdQRnnIqC^Ba5V;L3{QZrZEzv^Z0`(yYgRrLv8(Gh@^XQq}yik^$ zbadFRo1emerY_tTbSohA!bE% z%*+6&mwj3%aK@Ry4@Gn}FNzfpw#FjHk~O!f0+eVchsDjGkNO_rK<^k5anxg(N&F(E z)E(`L)vg!M9xA8;&&a=?z{4UWGBCAF11TQ*E=Ez9JvcCx_CBzuO;wf#`OMde6?^Q^ zcUj3=$J}o*xvJdTcw`v+Rs7LSCmnk=BVh5v$IUXwUB@>ECkUH=e6B7p&Tq9E^d4&u z2^2)M2%Dh$w?b%MRq+)g8o9GXWKX7oP@DlKb`BRxnPqoUN(A}=(cSN2&#OT3GlTqy^7`XDv(SUM8~aL zA9zggPMhPl8I0a(!0+w@O>*UXGCN%%3enZtt7+0Nk(#`Ar(=#u`MecQf6wDzHl=$M z;Em#(^s&+h8C!1_%hrKpqe}>Po7JY}1k)Ci_5s$k z6iU=cpNbG9=a(R^R1~G(EBx)46bqdBbT*U^28yB!8=pU?Rg^RTNT(x-A>BKmb_}vX zX=pE>;|Hq^9gLr1jLQBzYt!b>CrzH{V#oN-kzqTu2LFoJT#_#{&(uX%ckL6t0{+s9?A{t){f}-9B*N%t1%PS1Z zdIo2#abtL5^7*%G(DkPcp+N>}u6dUs4+IH8b@MY}p(ISFS9@Q%3t;Fh8PQ6IDRl?2 zTD&U&k;ow=cE23L0lZb|REBoizy9DNSZ#?2k1*Oz_9C30`MA=b@u{f?m__UFc_RjreWTjlQPKd<8L%cA(LnGqWRm{jgk0Ml}?08Af`GZTeZjc2chEm8qlD75*xdxJ7Im~JjhOYr{7FAqgY zLb{wK3f4L3;m;jESTclJ=9J<72>Y^^R{$X}qj*AM-k?1v60f~la@WVkp{vO;s=1ev zOx0Wyy%Zcp)whIPw48P0)P~Z>1Iu)V(9Yt_Ra+_fNouzHCW2nTrqp8wP`huD=}&0? z(90Mle|}29sdw4%#ZI`o)iB(vm);9($NWg#{}Emr_2H z?Q$F7>?Cbbe8Z-8Q!W{J*zm@;7b^~Tw)@WnK-hG=xgb;@1MIXF} zaA}tTu;Hh{A#EHOR-fc-o4ck~$g;lWv&W8a-c@cf(5V(4q{Q2~EKv2w81Wq-ZK5PT zcJQM8Bw++7$vGZn@ZR)RB`Ac1Fn)b{V`G&#hAhbrkYKrTxHVUG%SE8v z?$5*j$>V>uDf5w#fSUPnsvUHm5>nAHN?W$I(dVIKnQwkH`JO+EEa={CdJVDmxDvDB zDrYd2hdP#zmDxD(-gujR0SS$NB*IeCHM7#A7;J{;6wBvzf?E(frHnx$WT$VsbsLNV zoyEt`zkdlaPc32JDdef3`n7;-$a^MCEX+NkZpWzzvM{S&rCDJ^2Inut>4=mlhH5qj zDQ_R5C;OdpmWU^HGnjLj-N7Khs7Ss_r|o>|)D9W+KG?Zy(e$-=Nq9;zL*o)TfJTFP z)B5YdDhu!F4cPG&j7|UqND0+P+du;qZZ*?#( zJss2gyzk%h_%&?%*Yx01mw3XSt7Tgg{n`J+=78>5-E+#9l4Nd-T0VSnlFoy zgUN0aBad@=sVo~@4SQB<-dd(oE%zNm6nqc$($|e2V1Pd7zJs*Evsz&!F-=W=B%TbX zJ`F+^8e>EXJINjdU_V8+(cE0Qu0uZ09X~q{MVHtesGjbb-=yL3GRzT5=B1wx&-W#f z3e@1AJBldz+pku0z?TvYh$Mh|Jv`+llpRV0Q6&EYVC2n z_Vthw)_{f_BP%AzLO`OYLkLq>*`Wie_B(7{UARhs1V!~zB3WwtPLLf_fuQxRM2O!I zWHWxKm)#b|DDWz5oh7sRe$^t@NcOw<4+*4CJ1AnDG(%ZirU|K0H!}Ma`vH*Ek%EV5 z*DVt<29K*+mUAKw1{dV-{YwK(kTH$#L>|~LKi`hvt{l;DVzk;YuwDL$7*`pR?ur*p zIUXH*>HF`FTnK9TFl=!iMdc!In7l(l2OvCsJj(YBq7_ccg~WESd9<3hEc~iH0Y6(+ z0WDG7*wUydM@03|vH#hc{-w)7fP=^?!~D5%s6E<*4t1g3;pHDMp(5s~P2vfM5f60Y^c|Hnsg_x!?3x>g3M%mX<4{ zvT*Tk6#4_Fi_rj~nHr{{Cf!RsfA#0|6d*5wXv}D*@$jk)kc}!M`y!--uXmXnhD(2q zoK|#|eGZ*@{*wAo4k0_$S%D3wo;jV^9mb z1Z~pl(-tn-?426LnhLflpZ;k$TFPq5r}tSf^DlD^oiSvKYapU6YT z^$Ow1*`yK&hZoaPc)L&%H25v>8>;p6s&31jwm)$b-oV=IUC1W(6%ImPbGChy7JP7h z@0#PQIF{0e30dur&CC3J{2#cU>ym2Ke!kcXuPZ_O`);xpdbjyYNKy}{fCumiXkx}I zcnuqLz$~Z9)5apMEhKw68xsUdl|R7{=C={9UsD5tE2c^_X418Tt6_ZWjY|i{8hE@5 z>3Vw!2A~!#rDwUVKPq-iWT2SwO+Tw~F582T{bzdouQuf*KN3)$I986b*p=HA+*vn( z-DW0?!rXb>PhIY3kp-^c0V9H~rxd}K)(QHul_6>dqG#o{IYUd;QR<|}V%(?MWM5E= z3zBG{pzFBAz1>TjhjaBV;(}I5e@wOFB(RzSxA3JGRyJM$s!NmW4$xp)wyEf|+tc`v z7F!r_){wNBliBIl2lGe%iwNt+eJq)ugGEEro@8cT-6cRUMPhjD+8ZtVr{iFuR3)>p z*%;h34|-bAMpUo^{{Wrk&@HMA5)8djqdQyt;I;hsf$%I-L39W4YlxDBesO^FMrZ?Z$Q;F{Aibwm)6%BMX=QgF9C=yTG*L#pKfTOEWC6C1P^OZ z+7-@T=2V7rQ{yus)uv4Yd;U5R>5`Iy+S_{qxAI%S%4ToI`%N#R7I`APd94bK%vLOM zpsgRr64I@@iL13us?9Qf8Xxe!nh1zU1Dk3&qWA4R34&RYdKcgoDa{6c}xI_jm*QpF(m3@1J`g+O+w@MS850>YmeI8r zQy@|j&NtZ_w}0HnRA=aKu(a2Lb}FCPbtKghMH69;qhe`vKN87SYgp5l(UeI++yP2^ z{hS8=%@tq0%rVJFNIr_pkBpk7{`d7I;qrtL1#sxlrA1^DYC>0M*w4#p^64Bk`LE6D z6}$=LsatnV*yCAPUVJjEG>?xMmohN#P0-;~%0z9U>4hID9-VIRL8V&=1&308iXr11 z_7M`xGgS0}n{l)#55hW^Um5h^6)_H&dfew=K&&)>4VVAhru>H%gxZYw0bNhaKfX|3 z!{L5jg);Mj>>ik39d|bw%i1P}aizxKetd6hvPm+xyE#kzmh>maFdQm&hgXfB&wDL-j!&wHUSWB8`erpmFV~7 zsnlGkMRepK25XFgIk*+2rK4^A=EAAP9*w{b)j;=$o)^H>F*JmN>4zPe?lLXdlkov& zpb1J59eaDK3vJFf0&oGrlXz0NvJi8l60LAv^)ENhbQ*gyYS2kxdBW#W8{u%Eby^!C z>GSyf2c=A}_8-~G(8N5T9 zh~sRxj{c~Z%tBAj3Ua#ro`pAe6HHZ2k)n4z_S?CbsH4bo0^*(5Nv~B$kSPYk%bNdJ zduJIF2iN8C8Qh&IQ`}vOy9{1npt!phXiJM0cPq5GODQtA6dRzpyHf^hf#R+M6xej1 z=gGU9yqnE_->)}0Uv7Tq{7!Ci^Zz9k#+Gs?(a3}`B6jd?SZC=0^C3#G$o=ZlN7CNa zN*ZK5RUfMv>rtbId! zfY&hY?|`q=)_>vgZ^H+ZiwN(@wDf)Y$celOdSuF{fZnq{GH6U3OP^vN6z(4)FQ7Mg z3T?fJRNyeR@;I~6tybhLKQsDWRK|hPq!f7scjF!xBmjut`?+4SC?a8JoI#-sPAxm_ zG_EqXX4`Wkt@A9BMARKD09xUqWhO|^IW3MTrFZf5PncU3y2_jM5K#SjW)!0|(aWSe z1k?F}uWIfcxyfT>wkHbqz*SrP@nHi8YDsH}Tr|;Vf54h6M0zo=n(0f)57z0lclyNc z!as1X35n^9-!~NW50ch~A%lX%GZ@upPoo`=baAW6pTFpmm4FI^`H9HQgL(8xe>-Oe>`;B99 zNi)Q75rJqNN^DksO?;yqwB-gXA`MF|41{`gz&Z zH57&!{LVZ~ITF;kIAzI*Rc@?K%Vem~Ke5YQdI~nb^LKY=n# zKD%wm_b8jt$!8_FJK+MYOW7Mw|HS*vXWX@pB%$E%BJ?%Kdoeb_$d)GGtaVecxq&En zVlj!>vF1iMwa`UzmAh#`gtl?7OKti>XEGHB*Vw3B%l#o4y`0A+ri@AQl8rmUXT@0G z`D>b_x0U6ax4bC>{5C;TIx!gVuCVtZCiX#uw)sX9Y^mm*pEIdmzCL^Zk>aPKeR5yS z2WNDj*U%pE?>!&HO9td$4!Ge~=R_o#K!w8Ag*nVB6*zanJ=+=39Gsi30;?!Gl(h3l zG4w`Y2?EWlR7nIS64+J-(=kr;=ms{DA~92#6gd5CJV#q% zuku2VRLo)hA|&i9j!-6PR70|4RQ$q*Z=+Qn8>UqG(Q`ZjaGN1DbFDJm__r3#k}EB~ zLanPCN1??Fy*$xutlb)xc1$2R2fx-6sUeKWrS^kdoyFhNO^)L1k^!p6tFPy`6W^k7 zk0fKIfEWk>MxzX(Q2QP8nTMo|Gkc5EW{ zBSUy<#0$4hGdeWzU;k27sJD3jycOh_mtB1#ZH7Ek!2(3sN8L@h_%uSUqr+#Nq0MqG zX9$Q3m5f3@kr+mo^Ih1y&?;n@|9m)|Nq9&Y#CB<{noUue z?}K!~)o0`n7E}wKIqcB+5#9!b(MiiUe3IEL)@1$Ntk3PYU3CW+Z*U`{y)=$7omdwQ zom(yK6kEX7>O$R48f3Ko;atgyd4U|lmTIV%`clvJ1>9KNZ$3l%z#Z>d+qIUJ;Oqpf zD`c4}LJ+-IW+krrizZM5`y)+3I*D~#Gy!oaX=ryZ9$oMf8d1dqAXd8BIdU?wg@D`s zpp`wR7AkN%OXCr9{zNZNI#b+;N_0-n$<QrM3r$5hhV~_7N7E7h zEgE*1hYKqtSq$~PG5S*RkUJJ#6aRg!v3<9=m6dWREA4O16PD}c;|cSsMz!RorjJ9O zMWn2zTH*}fyKn7liFvl#COde0Cc{dpr<$aM<$Z?M)>cM0YdJ=m;9Q zdY{eRyVv0^Lr$J9f%q7o^Kn|aq4ll9u$;Qxyuvy>FALMS9p1b3U1# z%a06htYl|!ZVEITvL~_X=^i_~k)p``T?|Q@2pIB@2FYUcLrlY`(+sXDHi+|5Hp$UM zG10`Kuf}DDEZz5=LxPAVmQ-CsI9v^Pna6dU*S zWPc1FS+6GC>)0`lh1zrn22f?Sq;brgR^i2A6k6q#5hSt&c-=Pd1=0OVPow1HyGYi(=Av&ou*|u)vNMyFJFD&$uEEs3UuK2qY>mX-d8$ zR!D)*h$JIk$8GsFxydGh8Z<22o6q|xM`ty61G^Lg+c;feP6o0x;ptTwODXnpzYiv} zza^Yczi|iFb9fi25)qP0&H8XwAbu9f<|TD<(#Q09)haZ%(pypa9*(21`W>KPVaD2T z3+)c~TLG>j6%A@IZ8U9NQKYQ(?SNeG22Lzer5NlRSmIK6`+N~Fm&Agb8Nn-#72rLg`I1+MseeF$~*d9 zb>$QuVU&D`hJD{y*v#XEb)+|AP!47l5_Zkitnm4wGMk!^!e$mJGc^-l^?&908vXLe zJV`TBg;+rdj*Ii;#$Z`fzKOBmqHYssrx9s(VilRA5s(jup+V@hj_lCbrPjLLgsuXI%z_|RXL0+#+4 zOF5xX;{9c*KPvjiQr=8>bd`Iy-uw5|A?@woC{x3Ju-<@P{90@W^;sx?=%qJKoKI)K z)+bH*SUQ?Fr!i<&Nzq$|?p*#pBQjwOB9S0?F59?HY5gU;p$jHCN}crhb@u9oTGa%Uy-laj`DlopWr?&P>c#nNyS8tje%^9F}GKBox4>jSe9Tkq4B5b;N3YTFaiGgM={$d%S z?H^zpRV`^}|`TqlsK zGD+t0sTvZ&>SPtn>HLGSPkLh+Uv&eumYp5$CE6u>h|P5}FX9b_p0^OzaSz#gi{8qc z;;t?IYX6SWx*l&m8c7wb#$_nnkxrZ}*RGy*lEquh6Tx`y5L&Kmk^hHXV;|XFAQqrz z(VN6DX&mwHCFL;rD_wAtq637s#R-DT8O8o8DQ!rMA-}jK#rSnQN-#z_l=zlWedMW3 zIk`LDi_a@i!9&1@uP3i_nI!D%Hojhba|FgIR18VMa=-g3ZGt^6S{09SvzCE-eF zcP56rybV$e$AIu}w9PF@ckiJ_9Nx7#r%ZnuAWgd?{qIqbVrx};T9d`&u#t7Ry3_s7;)MmE2GOG#-8Gn&oWsiT zv_#&0r&5VLb;z{)tMpG3{Bt7gjQPM8z@>wNmc4qTqas1tnsuLl-`D0z#R@4yX{T4q ztZnBk((r;L79fAaUe^^F1Ql%TNB1o7rYLRt)P)<(9}UR~nO%wYDrpM|22izU6+)}w zl&O7>N9$-Om@4*3ZbmD%9;bQLT8HpovCNJW05!zM*( zGvuKML$6Jn;@&mkWm-Oi4?iu?lhf}mCewedhWcwf*Yp5590wyZK?lwKV2vUyV3qaB zoPipUi+?+02CfNBiNhuLfxO~@xqjB%nMf;2X5by?crlKqVZx06cAeyxV*_qE6sc6% zvnuVwGE(qLeY=*QlEGRj?(jP~9$k1_?^49b6)Bil=g2JkST~hMSZq>wENva~k&Yl{ z`jE)_kSfu&|4}y6NtyLWEFnHhqwAM73a0PHo8Im?MX)xnE_2_Q^IAPAqtaQ6LCa&# zYkD_oP$IVD3{Jv!PCCa7-|f!{-NQ%*ZS=aav*~i~r5n2QYA^~X^U_mYsthuTT9?_F zvgo;Q`l!8xwF2#7cbz;+TBg>^XRq`IJHwyes$zH&X+6!MN1x=dENhO^OVBs2+X$5~ zUnADmc-y+vcry|FmJ^z5oGuz2Ut&8DA)w^l+)5!{+0E52L@zL(d)xL4t?HUjxn^w0 zfFB;y^V>u3CyvL?_p@p60BY43rfWB59sbsG^ocVub;pU++TGc-xyQOLYvTBhfl1q( zr|Q%@_Q+XXr_?v7qg#W(89R*q)7@~G;I$*I`1@Rx8c^ta+nu?(TFaI~kiNnUFDZB` z&IyUvLrPv8}#4?!z8zkK6_#r_ABRJQzPkl%FX0$`MJ%)kiNSe&L{;4vnLyXJn(JN*>87<8y^q+L1m!n7ZU zb6N@bQl25KLU8Mc<=)ojQ>mhP)nb~a-ndeJ%9>_$*CCU+?I5LbaQnnuH;OMD3eT27 z$9rwH^eA5;`X=81@L5s(u+Z>~Xyyq7vVtaz8>*()x@08$EX3vZh*ntiCEsx(UKe!_ zDh(-hc(-_3>Mj=cE_IlkWWD;?qoP%9*meDV=tb260XQdpqJTYjGOYlMmR*v4Ep=Hj rLf(OypdZ`Nw|k#w7~l`fbx}vqq~JNVEg^57Ab-}WQ&%{Q^SJ#7)4!2= diff --git a/sources b/sources index 322ad17..b005a4a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 -SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c +SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 5aacc8cd4f40d1c658b9091106a975dd25403720 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 13:13:24 +0200 Subject: [PATCH 14/14] Port Gnulib test fixes from upstream --- gnutls-3.6.15-gnulib-perror-tests.patch | 46 +++++++++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 47 insertions(+) create mode 100644 gnutls-3.6.15-gnulib-perror-tests.patch diff --git a/gnutls-3.6.15-gnulib-perror-tests.patch b/gnutls-3.6.15-gnulib-perror-tests.patch new file mode 100644 index 0000000..5de2e14 --- /dev/null +++ b/gnutls-3.6.15-gnulib-perror-tests.patch @@ -0,0 +1,46 @@ +From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 27 Aug 2020 17:52:58 -0700 +Subject: [PATCH] perror, strerror_r: remove unportable tests + +Problem reported by Florian Weimer in: +https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html +* tests/test-perror2.c (main): +* tests/test-strerror_r.c (main): Omit unportable tests. +--- + ChangeLog | 8 ++++++++ + tests/test-perror2.c | 3 --- + tests/test-strerror_r.c | 3 --- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c +index 1d14eda7b..c6214dd25 100644 +--- a/gl/tests/test-perror2.c ++++ b/gl/tests/test-perror2.c +@@ -79,9 +79,6 @@ main (void) + errno = -5; + perror (""); + ASSERT (!ferror (stderr)); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c +index b11d6fd9f..c1dbcf837 100644 +--- a/gl/tests/test-strerror_r.c ++++ b/gl/tests/test-strerror_r.c +@@ -165,9 +165,6 @@ main (void) + + strerror_r (EACCES, buf, sizeof buf); + strerror_r (-5, buf, sizeof buf); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index 5280aa8..dddb863 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,6 +3,7 @@ Version: 3.6.15 Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.15-gnulib-perror-tests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile