From 68018f33be0f49a77bd5197531b9899463942840 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 25 Mar 2020 14:07:06 +0100 Subject: [PATCH 001/152] Remove gpgkey file from sources The line in the sources file causing conflict with "fedpkg local" as the gpgkey file is already tracked in the git repository. --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index d770fd6..ce3867d 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 From 341d862ca32f3ecb386b29eedb5473a9fcfbbc9a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 25 Mar 2020 14:07:06 +0100 Subject: [PATCH 002/152] Remove gpgkey file from sources The line in the sources file causing conflict with "fedpkg local" as the gpgkey file is already tracked in the git repository. --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index d770fd6..ce3867d 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 From 56cb0e447f07dcd16b5e14c8ac9da6c5e689bde4 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 26 Mar 2020 15:29:23 +0100 Subject: [PATCH 003/152] Fix FIPS-140 power-on self-tests Backport upstream FIPS-140 power-on self-tests changes. This addresses the bug bz#1813384. This also includes a backport of a small fix to the gnutls-serv application to address the issue reported in rhbz#1816583. Resolves: #1813384, #1816583 --- gnutls-3.6.12-fix-echo-server.patch | 37 + gnutls-3.6.12-fix-fips-self-tests.patch | 862 ++++++++++++++++++ ...s-3.6.12-load-config-after-fips-post.patch | 38 + gnutls.spec | 9 +- 4 files changed, 945 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.12-fix-echo-server.patch create mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch create mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch new file mode 100644 index 0000000..861eb17 --- /dev/null +++ b/gnutls-3.6.12-fix-echo-server.patch @@ -0,0 +1,37 @@ +From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 24 Mar 2020 09:55:08 +0100 +Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is + received + +Previously, when gnutls-serv was executed with the --echo option, it +would exit when a message to be echoed was received. Moreover, the +server would output "Memory error" although no error occurred. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/serv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/serv.c b/src/serv.c +index a4dd445da..414cd0546 100644 +--- a/src/serv.c ++++ b/src/serv.c +@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, + *response_length = strlen(*response); + return 1; + } else if (ret == 0) { ++ *response = strdup(request); + if (*response == NULL) { + fprintf(stderr, "Memory error\n"); + return 0; + } +- *response = strdup(request); +- *response_length = ((*response) ? strlen(*response) : 0); ++ *response_length = strlen(*response); + } else { + *response = NULL; + do { +-- +2.24.1 + diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch new file mode 100644 index 0000000..467c857 --- /dev/null +++ b/gnutls-3.6.12-fix-fips-self-tests.patch @@ -0,0 +1,862 @@ +diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c +index 7bdb097..6f66cd8 100644 +--- a/lib/crypto-selftests-pk.c ++++ b/lib/crypto-selftests-pk.c +@@ -22,6 +22,7 @@ + + #include "gnutls_int.h" + #include "errors.h" ++#include "fips.h" + #include + #include + #include +@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { + .size = sizeof(DATASTR) - 2 + }; + +-static const char rsa_key2048[] = +- "-----BEGIN RSA PRIVATE KEY-----\n" +- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" +- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" +- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" +- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" +- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" +- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" +- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" +- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" +- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" +- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" +- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" +- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" +- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" +- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" +- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" +- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" +- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" +- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" +- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" +- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" +- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" +- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" +- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" +- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" +- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" +- "-----END RSA PRIVATE KEY-----\n"; +- +-static const char ecc_key[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" +- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" +- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char dsa_key[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" +- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" +- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" +- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" +- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" +- "VzO8qcrLCFvTOXY=\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char gost01_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" +- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" +- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" +- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" +- "KjL7CLBERDm7Yvlv\n" +- "-----END PRIVATE KEY-----\n"; ++/* RSA 2048 private key and signature */ ++static const char rsa_2048_privkey[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" ++ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" ++ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" ++ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" ++ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" ++ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" ++ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" ++ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" ++ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" ++ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" ++ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" ++ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" ++ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" ++ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" ++ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" ++ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" ++ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" ++ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" ++ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" ++ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" ++ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" ++ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" ++ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" ++ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" ++ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++static const char rsa_2048_sig[] = ++ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" ++ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" ++ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" ++ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" ++ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" ++ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" ++ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" ++ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" ++ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" ++ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" ++ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" ++ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" ++ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" ++ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" ++ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" ++ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; ++ ++/* DSA 2048 private key and signature */ ++static const char dsa_2048_privkey[] = ++ "-----BEGIN DSA PRIVATE KEY-----\n" ++ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" ++ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" ++ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" ++ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" ++ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" ++ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" ++ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" ++ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" ++ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" ++ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" ++ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" ++ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" ++ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" ++ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" ++ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" ++ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" ++ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" ++ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" ++ "-----END DSA PRIVATE KEY-----\n"; ++ ++static const char dsa_2048_sig[] = ++ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" ++ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" ++ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" ++ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; ++ ++/* secp256r1 private key and signature */ ++static const char ecdsa_secp256r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----\n" ++ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" ++ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" ++ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" ++ "-----END EC PRIVATE KEY-----\n"; ++ ++static const char ecdsa_secp256r1_sig[] = ++ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" ++ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" ++ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" ++ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" ++ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; ++ ++#ifdef ENABLE_NON_SUITEB_CURVES ++/* secp192r1 private key and signature */ ++static const char ecdsa_secp192r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" ++ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" ++ "Fg==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp192r1_sig[] = ++ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" ++ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" ++ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" ++ "\x0e\xe0\x63\x24\xed\xf2"; ++ ++/* secp224r1 private key and signature */ ++static const char ecdsa_secp224r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" ++ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" ++ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp224r1_sig[] = ++ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" ++ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" ++ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" ++ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; ++#endif ++ ++/* secp384r1 private key and signature */ ++static const char ecdsa_secp384r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" ++ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" ++ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" ++ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp384r1_sig[] = ++ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" ++ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" ++ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" ++ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" ++ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" ++ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" ++ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; ++ ++/* secp521r1 private key and signature */ ++static const char ecdsa_secp521r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" ++ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" ++ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" ++ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" ++ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" ++ "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp521r1_sig[] = ++ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" ++ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" ++ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" ++ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" ++ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" ++ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" ++ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" ++ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" ++ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; ++ ++/* GOST01 private key */ ++static const char gost01_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" ++ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 256 private key */ ++static const char gost12_256_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" ++ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 512 private key */ ++static const char gost12_512_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" ++ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" ++ "hsQ3JCCy4xnd5jWT\n" ++ "-----END PRIVATE KEY-----\n"; + + static int test_rsa_enc(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_digest_algorithm_t ign) +@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, + int ret; + gnutls_datum_t enc = { NULL, 0 }; + gnutls_datum_t dec = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; ++ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; + gnutls_privkey_t key; + gnutls_pubkey_t pub = NULL; + unsigned char plaintext2[sizeof(DATASTR) - 1]; +@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_sign_algorithm_t sigalgo) + { + int ret; +- gnutls_datum_t sig = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; +- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; +- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; +- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; +- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; +- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; + gnutls_privkey_t key; ++ gnutls_datum_t raw_key; ++ gnutls_datum_t sig = { NULL, 0 }; + gnutls_pubkey_t pub = NULL; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { +- snprintf(param_name, sizeof(param_name), "%s", +- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE +- (bits))); +- } else { +- snprintf(param_name, sizeof(param_name), "%u", bits); +- } +- + ret = gnutls_privkey_init(&key); + if (ret < 0) + return gnutls_assert_val(ret); +@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, + goto cleanup; + } + +- if (pk == GNUTLS_PK_RSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_RSA_PSS) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_DSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_ECC) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_01) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_256) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_512) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else { +- gnutls_assert(); +- ret = GNUTLS_E_INTERNAL_ERROR; ++ switch(pk) { ++ case GNUTLS_PK_RSA: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_RSA_PSS: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_DSA: ++ raw_key.data = (void*)dsa_2048_privkey; ++ raw_key.size = sizeof(dsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_ECC: ++ switch(bits) { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): ++ raw_key.data = (void*)ecdsa_secp192r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): ++ raw_key.data = (void*)ecdsa_secp224r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; ++ break; ++#endif ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): ++ raw_key.data = (void*)ecdsa_secp256r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): ++ raw_key.data = (void*)ecdsa_secp384r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): ++ raw_key.data = (void*)ecdsa_secp521r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_01: ++ raw_key.data = (void*)gost01_privkey; ++ raw_key.size = sizeof(gost01_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_256: ++ raw_key.data = (void*)gost12_256_privkey; ++ raw_key.size = sizeof(gost12_256_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_512: ++ raw_key.data = (void*)gost12_512_privkey; ++ raw_key.size = sizeof(gost12_512_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; + } + ++ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, + } + + ret = 0; +- cleanup: ++ ++cleanup: + if (pub != NULL) + gnutls_pubkey_deinit(pub); + gnutls_privkey_deinit(key); +@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, + return ret; + } + +-/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ +-static const char rsa_sig[] = +- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; +- +-/* ECDSA key and signature */ +-static const char ecdsa_secp256r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" +- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" +- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char ecdsa_secp256r1_sig[] = +- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; +- +-#ifdef ENABLE_NON_SUITEB_CURVES +-/* sha256 */ +-static const char ecdsa_secp192r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" +- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" +- "Fg==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp192r1_sig[] = +- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; +- +-static const char ecdsa_secp224r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" +- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" +- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp224r1_sig[] = +- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; +-#endif +- +-static const char ecdsa_secp384r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" +- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" +- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" +- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp384r1_sig[] = +- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; +- +-static const char ecdsa_secp521r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" +- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" +- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" +- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" +- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" +- "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp521r1_sig[] = +- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; +- +-/* DSA key and signature */ +-static const char dsa_privkey[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" +- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" +- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" +- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" +- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" +- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" +- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" +- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" +- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" +- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" +- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" +- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" +- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" +- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" +- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" +- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" +- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" +- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char dsa_sig[] = +- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; +- +-static const char gost01_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" +- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost01_sig[] = +- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; +- +-static const char gost12_256_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" +- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_sig[] = +- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; +- +-static const char gost12_512_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" +- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" +- "hsQ3JCCy4xnd5jWT\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_sig[] = +- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; +- + static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_digest_algorithm_t dig, + const void *privkey, size_t privkey_size, + const void *stored_sig, size_t stored_sig_size, +- unsigned deterministic_sigs) ++ gnutls_privkey_flags_t flags) + { + int ret; + gnutls_datum_t sig = { NULL, 0 }; +@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_privkey_t key; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { ++ if (pk == GNUTLS_PK_EC || ++ pk == GNUTLS_PK_GOST_01 || ++ pk == GNUTLS_PK_GOST_12_256 || ++ pk == GNUTLS_PK_GOST_12_512) ++ { + snprintf(param_name, sizeof(param_name), "%s", + gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE + (bits))); +@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + goto cleanup; + } + +- /* Test if the signature we generate matches the stored */ ++ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* Test if the generated signature matches the stored */ + ssig.data = (void *) stored_sig; + ssig.size = stored_sig_size; + +- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ +- ret = +- gnutls_privkey_sign_data(key, dig, 0, &signed_data, +- &sig); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- if (sig.size != ssig.size +- || memcmp(sig.data, ssig.data, sig.size) != 0) { +- ret = GNUTLS_E_SELF_TEST_ERROR; ++ if (sig.size != ssig.size ++ || memcmp(sig.data, ssig.data, sig.size) != 0) { ++ ret = GNUTLS_E_SELF_TEST_ERROR; + #if 0 +- unsigned i; +- fprintf(stderr, "\nstored[%d]: ", ssig.size); +- for (i = 0; i < ssig.size; i++) +- fprintf(stderr, "\\x%.2x", ssig.data[i]); +- +- fprintf(stderr, "\ngenerated[%d]: ", sig.size); +- for (i = 0; i < sig.size; i++) +- fprintf(stderr, "\\x%.2x", sig.data[i]); +- fprintf(stderr, "\n"); ++ unsigned i; ++ fprintf(stderr, "Algorithm: %s-%s\n", ++ gnutls_pk_get_name(pk), param_name); ++ fprintf(stderr, "\nstored[%d]: ", ssig.size); ++ for (i = 0; i < ssig.size; i++) ++ fprintf(stderr, "\\x%.2x", ssig.data[i]); ++ ++ fprintf(stderr, "\ngenerated[%d]: ", sig.size); ++ for (i = 0; i < sig.size; i++) ++ fprintf(stderr, "\\x%.2x", sig.data[i]); ++ fprintf(stderr, "\n"); + #endif +- gnutls_assert(); +- goto cleanup; +- } ++ gnutls_assert(); ++ goto cleanup; + } + +- /* Test if we can verify the signature */ ++ /* Test if we can verify the generated signature */ + + ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); + if (ret < 0) { +@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &signed_data, &ssig); ++ &signed_data, &sig); + if (ret < 0) { + ret = GNUTLS_E_SELF_TEST_ERROR; + gnutls_assert(); +@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &bad_data, &ssig); ++ &bad_data, &sig); + + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { + ret = GNUTLS_E_SELF_TEST_ERROR; +@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + +-#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ +- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ ++#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ ++ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + + + /* Known answer tests for DH */ +@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + { + int ret; + ++ bool is_post = false; ++ bool is_fips140_mode_enabled = false; ++ + if (flags & GNUTLS_SELF_TEST_FLAG_ALL) + pk = GNUTLS_PK_UNKNOWN; + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ is_post = true; ++ ++ if (gnutls_fips140_mode_enabled()) ++ is_fips140_mode_enabled = true; ++ + switch (pk) { + case GNUTLS_PK_UNKNOWN: + FALLTHROUGH; +@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + return 0; + FALLTHROUGH; + case GNUTLS_PK_RSA: +- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, +- rsa_key2048, rsa_sig); ++ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, ++ rsa_2048_privkey, rsa_2048_sig, 0); ++ + PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); +- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_RSA_PSS: +- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); ++ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, ++ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_DSA: +- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, +- dsa_privkey, dsa_sig); +- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, ++ dsa_2048_privkey, dsa_2048_sig, ++ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, ++ GNUTLS_SIGN_DSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; +@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + } + + /* Test ECDSA */ +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, +- ecdsa_secp256r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, ++ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, +- ecdsa_secp384r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_SIGN_ECDSA_SHA384); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, +- ecdsa_secp521r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_SIGN_ECDSA_SHA512); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, ++ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_SIGN_ECDSA_SHA384); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, ++ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_SIGN_ECDSA_SHA512); ++ } + + #ifdef ENABLE_NON_SUITEB_CURVES +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, +- ecdsa_secp192r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_SIGN_ECDSA_SHA256); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, +- ecdsa_secp224r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, ++ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, ++ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + #endif + ++ + #if ENABLE_GOST + FALLTHROUGH; + case GNUTLS_PK_GOST_01: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, +- gost01_privkey, gost01_sig); +- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_01, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_94); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_256: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, +- gost12_256_privkey, gost12_256_sig); +- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_512: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, +- gost12_512_privkey, gost12_512_sig); +- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), ++ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), + GNUTLS_SIGN_GOST_512); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + #endif +- + break; + default: + return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch new file mode 100644 index 0000000..59ffe6c --- /dev/null +++ b/gnutls-3.6.12-load-config-after-fips-post.patch @@ -0,0 +1,38 @@ +From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Wed, 18 Mar 2020 16:17:39 +0100 +Subject: [PATCH] global: Load configuration after FIPS POST + +Previously, if the loaded configuration file disabled an algorithm +tested during FIPS-140 power-on self-tests, the test would fail. By +loading the configuration file after the test is finished, such failure +is avoided as any algorithm is allowed during the tests. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + lib/global.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/global.c b/lib/global.c +index b42fcb263..9a65d114c 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) + + _gnutls_register_accel_crypto(); + _gnutls_cryptodev_init(); +- _gnutls_load_system_priorities(); + + #ifdef ENABLE_FIPS140 + /* These self tests are performed on the overridden algorithms +@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) + _gnutls_fips_mode_reset_zombie(); + } + #endif ++ _gnutls_load_system_priorities(); + _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); + ret = 0; + +-- +2.24.1 + diff --git a/gnutls.spec b/gnutls.spec index 64d57c8..fa81959 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,11 @@ # This spec file has been automatically updated Version: 3.6.12 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.12-fix-fips-self-tests.patch +Patch4: gnutls-3.6.12-load-config-after-fips-post.patch +Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +282,10 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 +- Fix FIPS POST (#1813384) +- Fix gnutls-serv --echo to not exit when a message is received (#1816583) + * Sun Feb 02 2020 Nikos Mavrogiannopoulos - 3.6.12-1 - Update to upstream 3.6.12 release From 36d1e2827be27201f1fef2106907429fd0ca75ec Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 26 Mar 2020 15:29:23 +0100 Subject: [PATCH 004/152] Fix FIPS-140 power-on self-tests Backport upstream FIPS-140 power-on self-tests changes. This addresses the bug bz#1813384. This also includes a backport of a small fix to the gnutls-serv application to address the issue reported in rhbz#1816583. Resolves: #1813384, #1816583 --- gnutls-3.6.12-fix-echo-server.patch | 37 + gnutls-3.6.12-fix-fips-self-tests.patch | 862 ++++++++++++++++++ ...s-3.6.12-load-config-after-fips-post.patch | 38 + gnutls.spec | 9 +- 4 files changed, 945 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.12-fix-echo-server.patch create mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch create mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch new file mode 100644 index 0000000..861eb17 --- /dev/null +++ b/gnutls-3.6.12-fix-echo-server.patch @@ -0,0 +1,37 @@ +From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 24 Mar 2020 09:55:08 +0100 +Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is + received + +Previously, when gnutls-serv was executed with the --echo option, it +would exit when a message to be echoed was received. Moreover, the +server would output "Memory error" although no error occurred. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/serv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/serv.c b/src/serv.c +index a4dd445da..414cd0546 100644 +--- a/src/serv.c ++++ b/src/serv.c +@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, + *response_length = strlen(*response); + return 1; + } else if (ret == 0) { ++ *response = strdup(request); + if (*response == NULL) { + fprintf(stderr, "Memory error\n"); + return 0; + } +- *response = strdup(request); +- *response_length = ((*response) ? strlen(*response) : 0); ++ *response_length = strlen(*response); + } else { + *response = NULL; + do { +-- +2.24.1 + diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch new file mode 100644 index 0000000..467c857 --- /dev/null +++ b/gnutls-3.6.12-fix-fips-self-tests.patch @@ -0,0 +1,862 @@ +diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c +index 7bdb097..6f66cd8 100644 +--- a/lib/crypto-selftests-pk.c ++++ b/lib/crypto-selftests-pk.c +@@ -22,6 +22,7 @@ + + #include "gnutls_int.h" + #include "errors.h" ++#include "fips.h" + #include + #include + #include +@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { + .size = sizeof(DATASTR) - 2 + }; + +-static const char rsa_key2048[] = +- "-----BEGIN RSA PRIVATE KEY-----\n" +- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" +- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" +- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" +- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" +- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" +- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" +- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" +- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" +- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" +- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" +- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" +- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" +- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" +- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" +- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" +- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" +- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" +- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" +- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" +- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" +- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" +- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" +- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" +- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" +- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" +- "-----END RSA PRIVATE KEY-----\n"; +- +-static const char ecc_key[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" +- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" +- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char dsa_key[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" +- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" +- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" +- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" +- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" +- "VzO8qcrLCFvTOXY=\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char gost01_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" +- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" +- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_key[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" +- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" +- "KjL7CLBERDm7Yvlv\n" +- "-----END PRIVATE KEY-----\n"; ++/* RSA 2048 private key and signature */ ++static const char rsa_2048_privkey[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" ++ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" ++ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" ++ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" ++ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" ++ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" ++ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" ++ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" ++ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" ++ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" ++ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" ++ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" ++ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" ++ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" ++ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" ++ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" ++ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" ++ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" ++ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" ++ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" ++ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" ++ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" ++ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" ++ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" ++ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++static const char rsa_2048_sig[] = ++ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" ++ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" ++ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" ++ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" ++ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" ++ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" ++ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" ++ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" ++ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" ++ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" ++ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" ++ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" ++ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" ++ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" ++ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" ++ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; ++ ++/* DSA 2048 private key and signature */ ++static const char dsa_2048_privkey[] = ++ "-----BEGIN DSA PRIVATE KEY-----\n" ++ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" ++ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" ++ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" ++ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" ++ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" ++ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" ++ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" ++ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" ++ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" ++ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" ++ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" ++ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" ++ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" ++ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" ++ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" ++ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" ++ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" ++ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" ++ "-----END DSA PRIVATE KEY-----\n"; ++ ++static const char dsa_2048_sig[] = ++ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" ++ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" ++ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" ++ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; ++ ++/* secp256r1 private key and signature */ ++static const char ecdsa_secp256r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----\n" ++ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" ++ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" ++ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" ++ "-----END EC PRIVATE KEY-----\n"; ++ ++static const char ecdsa_secp256r1_sig[] = ++ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" ++ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" ++ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" ++ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" ++ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; ++ ++#ifdef ENABLE_NON_SUITEB_CURVES ++/* secp192r1 private key and signature */ ++static const char ecdsa_secp192r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" ++ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" ++ "Fg==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp192r1_sig[] = ++ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" ++ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" ++ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" ++ "\x0e\xe0\x63\x24\xed\xf2"; ++ ++/* secp224r1 private key and signature */ ++static const char ecdsa_secp224r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" ++ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" ++ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp224r1_sig[] = ++ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" ++ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" ++ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" ++ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; ++#endif ++ ++/* secp384r1 private key and signature */ ++static const char ecdsa_secp384r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" ++ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" ++ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" ++ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp384r1_sig[] = ++ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" ++ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" ++ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" ++ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" ++ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" ++ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" ++ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; ++ ++/* secp521r1 private key and signature */ ++static const char ecdsa_secp521r1_privkey[] = ++ "-----BEGIN EC PRIVATE KEY-----" ++ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" ++ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" ++ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" ++ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" ++ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" ++ "-----END EC PRIVATE KEY-----"; ++ ++static const char ecdsa_secp521r1_sig[] = ++ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" ++ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" ++ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" ++ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" ++ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" ++ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" ++ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" ++ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" ++ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; ++ ++/* GOST01 private key */ ++static const char gost01_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" ++ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 256 private key */ ++static const char gost12_256_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" ++ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" ++ "-----END PRIVATE KEY-----\n"; ++ ++/* GOST12 512 private key */ ++static const char gost12_512_privkey[] = ++ "-----BEGIN PRIVATE KEY-----\n" ++ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" ++ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" ++ "hsQ3JCCy4xnd5jWT\n" ++ "-----END PRIVATE KEY-----\n"; + + static int test_rsa_enc(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_digest_algorithm_t ign) +@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, + int ret; + gnutls_datum_t enc = { NULL, 0 }; + gnutls_datum_t dec = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; ++ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; + gnutls_privkey_t key; + gnutls_pubkey_t pub = NULL; + unsigned char plaintext2[sizeof(DATASTR) - 1]; +@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, + unsigned bits, gnutls_sign_algorithm_t sigalgo) + { + int ret; +- gnutls_datum_t sig = { NULL, 0 }; +- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; +- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; +- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; +- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; +- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; +- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; + gnutls_privkey_t key; ++ gnutls_datum_t raw_key; ++ gnutls_datum_t sig = { NULL, 0 }; + gnutls_pubkey_t pub = NULL; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { +- snprintf(param_name, sizeof(param_name), "%s", +- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE +- (bits))); +- } else { +- snprintf(param_name, sizeof(param_name), "%u", bits); +- } +- + ret = gnutls_privkey_init(&key); + if (ret < 0) + return gnutls_assert_val(ret); +@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, + goto cleanup; + } + +- if (pk == GNUTLS_PK_RSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_RSA_PSS) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_DSA) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_ECC) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_01) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_256) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else if (pk == GNUTLS_PK_GOST_12_512) { +- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); +- } else { +- gnutls_assert(); +- ret = GNUTLS_E_INTERNAL_ERROR; ++ switch(pk) { ++ case GNUTLS_PK_RSA: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_RSA_PSS: ++ raw_key.data = (void*)rsa_2048_privkey; ++ raw_key.size = sizeof(rsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_DSA: ++ raw_key.data = (void*)dsa_2048_privkey; ++ raw_key.size = sizeof(dsa_2048_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%u", bits); ++ break; ++ case GNUTLS_PK_ECC: ++ switch(bits) { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): ++ raw_key.data = (void*)ecdsa_secp192r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): ++ raw_key.data = (void*)ecdsa_secp224r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; ++ break; ++#endif ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): ++ raw_key.data = (void*)ecdsa_secp256r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): ++ raw_key.data = (void*)ecdsa_secp384r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; ++ break; ++ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): ++ raw_key.data = (void*)ecdsa_secp521r1_privkey; ++ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_01: ++ raw_key.data = (void*)gost01_privkey; ++ raw_key.size = sizeof(gost01_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_256: ++ raw_key.data = (void*)gost12_256_privkey; ++ raw_key.size = sizeof(gost12_256_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ case GNUTLS_PK_GOST_12_512: ++ raw_key.data = (void*)gost12_512_privkey; ++ raw_key.size = sizeof(gost12_512_privkey) - 1; ++ snprintf(param_name, sizeof(param_name), "%s", ++ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE ++ (bits))); ++ break; ++ default: ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; + } + ++ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, + } + + ret = 0; +- cleanup: ++ ++cleanup: + if (pub != NULL) + gnutls_pubkey_deinit(pub); + gnutls_privkey_deinit(key); +@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, + return ret; + } + +-/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ +-static const char rsa_sig[] = +- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; +- +-/* ECDSA key and signature */ +-static const char ecdsa_secp256r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----\n" +- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" +- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" +- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" +- "-----END EC PRIVATE KEY-----\n"; +- +-static const char ecdsa_secp256r1_sig[] = +- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; +- +-#ifdef ENABLE_NON_SUITEB_CURVES +-/* sha256 */ +-static const char ecdsa_secp192r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" +- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" +- "Fg==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp192r1_sig[] = +- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; +- +-static const char ecdsa_secp224r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" +- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" +- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp224r1_sig[] = +- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; +-#endif +- +-static const char ecdsa_secp384r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" +- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" +- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" +- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp384r1_sig[] = +- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; +- +-static const char ecdsa_secp521r1_privkey[] = +- "-----BEGIN EC PRIVATE KEY-----" +- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" +- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" +- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" +- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" +- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" +- "-----END EC PRIVATE KEY-----"; +- +-static const char ecdsa_secp521r1_sig[] = +- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; +- +-/* DSA key and signature */ +-static const char dsa_privkey[] = +- "-----BEGIN DSA PRIVATE KEY-----\n" +- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" +- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" +- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" +- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" +- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" +- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" +- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" +- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" +- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" +- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" +- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" +- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" +- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" +- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" +- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" +- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" +- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" +- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" +- "-----END DSA PRIVATE KEY-----\n"; +- +-static const char dsa_sig[] = +- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; +- +-static const char gost01_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" +- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost01_sig[] = +- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; +- +-static const char gost12_256_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" +- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_256_sig[] = +- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; +- +-static const char gost12_512_privkey[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" +- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" +- "hsQ3JCCy4xnd5jWT\n" +- "-----END PRIVATE KEY-----\n"; +- +-static const char gost12_512_sig[] = +- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; +- + static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_digest_algorithm_t dig, + const void *privkey, size_t privkey_size, + const void *stored_sig, size_t stored_sig_size, +- unsigned deterministic_sigs) ++ gnutls_privkey_flags_t flags) + { + int ret; + gnutls_datum_t sig = { NULL, 0 }; +@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + gnutls_privkey_t key; + char param_name[32]; + +- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || +- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { ++ if (pk == GNUTLS_PK_EC || ++ pk == GNUTLS_PK_GOST_01 || ++ pk == GNUTLS_PK_GOST_12_256 || ++ pk == GNUTLS_PK_GOST_12_512) ++ { + snprintf(param_name, sizeof(param_name), "%s", + gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE + (bits))); +@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + goto cleanup; + } + +- /* Test if the signature we generate matches the stored */ ++ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* Test if the generated signature matches the stored */ + ssig.data = (void *) stored_sig; + ssig.size = stored_sig_size; + +- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ +- ret = +- gnutls_privkey_sign_data(key, dig, 0, &signed_data, +- &sig); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- if (sig.size != ssig.size +- || memcmp(sig.data, ssig.data, sig.size) != 0) { +- ret = GNUTLS_E_SELF_TEST_ERROR; ++ if (sig.size != ssig.size ++ || memcmp(sig.data, ssig.data, sig.size) != 0) { ++ ret = GNUTLS_E_SELF_TEST_ERROR; + #if 0 +- unsigned i; +- fprintf(stderr, "\nstored[%d]: ", ssig.size); +- for (i = 0; i < ssig.size; i++) +- fprintf(stderr, "\\x%.2x", ssig.data[i]); +- +- fprintf(stderr, "\ngenerated[%d]: ", sig.size); +- for (i = 0; i < sig.size; i++) +- fprintf(stderr, "\\x%.2x", sig.data[i]); +- fprintf(stderr, "\n"); ++ unsigned i; ++ fprintf(stderr, "Algorithm: %s-%s\n", ++ gnutls_pk_get_name(pk), param_name); ++ fprintf(stderr, "\nstored[%d]: ", ssig.size); ++ for (i = 0; i < ssig.size; i++) ++ fprintf(stderr, "\\x%.2x", ssig.data[i]); ++ ++ fprintf(stderr, "\ngenerated[%d]: ", sig.size); ++ for (i = 0; i < sig.size; i++) ++ fprintf(stderr, "\\x%.2x", sig.data[i]); ++ fprintf(stderr, "\n"); + #endif +- gnutls_assert(); +- goto cleanup; +- } ++ gnutls_assert(); ++ goto cleanup; + } + +- /* Test if we can verify the signature */ ++ /* Test if we can verify the generated signature */ + + ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); + if (ret < 0) { +@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &signed_data, &ssig); ++ &signed_data, &sig); + if (ret < 0) { + ret = GNUTLS_E_SELF_TEST_ERROR; + gnutls_assert(); +@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, +- &bad_data, &ssig); ++ &bad_data, &sig); + + if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { + ret = GNUTLS_E_SELF_TEST_ERROR; +@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + +-#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ +- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ ++#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ ++ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ + if (ret < 0) { \ + gnutls_assert(); \ + goto cleanup; \ +- } \ +- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ +- return 0 ++ } + + + /* Known answer tests for DH */ +@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + { + int ret; + ++ bool is_post = false; ++ bool is_fips140_mode_enabled = false; ++ + if (flags & GNUTLS_SELF_TEST_FLAG_ALL) + pk = GNUTLS_PK_UNKNOWN; + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ is_post = true; ++ ++ if (gnutls_fips140_mode_enabled()) ++ is_fips140_mode_enabled = true; ++ + switch (pk) { + case GNUTLS_PK_UNKNOWN: + FALLTHROUGH; +@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + return 0; + FALLTHROUGH; + case GNUTLS_PK_RSA: +- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, +- rsa_key2048, rsa_sig); ++ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, ++ rsa_2048_privkey, rsa_2048_sig, 0); ++ + PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); +- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_RSA_PSS: +- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); ++ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, ++ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + + FALLTHROUGH; + case GNUTLS_PK_DSA: +- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, +- dsa_privkey, dsa_sig); +- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, ++ dsa_2048_privkey, dsa_2048_sig, ++ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, ++ GNUTLS_SIGN_DSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; +@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + } + + /* Test ECDSA */ +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, +- ecdsa_secp256r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, ++ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, +- ecdsa_secp384r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), +- GNUTLS_SIGN_ECDSA_SHA384); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, +- ecdsa_secp521r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), +- GNUTLS_SIGN_ECDSA_SHA512); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, ++ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), ++ GNUTLS_SIGN_ECDSA_SHA384); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, ++ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), ++ GNUTLS_SIGN_ECDSA_SHA512); ++ } + + #ifdef ENABLE_NON_SUITEB_CURVES +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, +- ecdsa_secp192r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), +- GNUTLS_SIGN_ECDSA_SHA256); +- +- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, +- GNUTLS_CURVE_TO_BITS +- (GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, +- ecdsa_secp224r1_sig); +- PK_TEST(GNUTLS_PK_EC, test_sig, +- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), +- GNUTLS_SIGN_ECDSA_SHA256); ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, ++ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } ++ ++ if (is_post || !is_fips140_mode_enabled) { ++ PK_KNOWN_TEST(GNUTLS_PK_EC, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, ++ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); ++ } else { ++ PK_TEST(GNUTLS_PK_EC, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), ++ GNUTLS_SIGN_ECDSA_SHA256); ++ } + #endif + ++ + #if ENABLE_GOST + FALLTHROUGH; + case GNUTLS_PK_GOST_01: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, +- gost01_privkey, gost01_sig); +- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_01, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_94); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_256: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, +- gost12_256_privkey, gost12_256_sig); +- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), ++ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), + GNUTLS_SIGN_GOST_256); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) +@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) + + FALLTHROUGH; + case GNUTLS_PK_GOST_12_512: +- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, +- gost12_512_privkey, gost12_512_sig); +- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), ++ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, ++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), + GNUTLS_SIGN_GOST_512); + + if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) + return 0; + #endif +- + break; + default: + return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch new file mode 100644 index 0000000..59ffe6c --- /dev/null +++ b/gnutls-3.6.12-load-config-after-fips-post.patch @@ -0,0 +1,38 @@ +From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Wed, 18 Mar 2020 16:17:39 +0100 +Subject: [PATCH] global: Load configuration after FIPS POST + +Previously, if the loaded configuration file disabled an algorithm +tested during FIPS-140 power-on self-tests, the test would fail. By +loading the configuration file after the test is finished, such failure +is avoided as any algorithm is allowed during the tests. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + lib/global.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/global.c b/lib/global.c +index b42fcb263..9a65d114c 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) + + _gnutls_register_accel_crypto(); + _gnutls_cryptodev_init(); +- _gnutls_load_system_priorities(); + + #ifdef ENABLE_FIPS140 + /* These self tests are performed on the overridden algorithms +@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) + _gnutls_fips_mode_reset_zombie(); + } + #endif ++ _gnutls_load_system_priorities(); + _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); + ret = 0; + +-- +2.24.1 + diff --git a/gnutls.spec b/gnutls.spec index 64d57c8..fa81959 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,11 @@ # This spec file has been automatically updated Version: 3.6.12 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.12-fix-fips-self-tests.patch +Patch4: gnutls-3.6.12-load-config-after-fips-post.patch +Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +282,10 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 +- Fix FIPS POST (#1813384) +- Fix gnutls-serv --echo to not exit when a message is received (#1816583) + * Sun Feb 02 2020 Nikos Mavrogiannopoulos - 3.6.12-1 - Update to upstream 3.6.12 release From 39036e4f9ad105a8eed05aa7503026f335ddb8f6 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 31 Mar 2020 09:46:45 +0200 Subject: [PATCH 005/152] Update to 3.6.13-1 - Update to upstream 3.6.13 release --- .gitignore | 3 + gnutls-3.6.12-fix-echo-server.patch | 37 - gnutls-3.6.12-fix-fips-self-tests.patch | 862 ------------------ ...s-3.6.12-load-config-after-fips-post.patch | 38 - gnutls.spec | 10 +- sources | 5 +- 6 files changed, 11 insertions(+), 944 deletions(-) delete mode 100644 gnutls-3.6.12-fix-echo-server.patch delete mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch delete mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/.gitignore b/.gitignore index 0800d67..9dec2f3 100644 --- a/.gitignore +++ b/.gitignore @@ -121,3 +121,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.12.tar.xz.sig /gnutls-3.6.12.tar.xz +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/gnutls-3.6.13.tar.xz.sig +/gnutls-3.6.13.tar.xz diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch deleted file mode 100644 index 861eb17..0000000 --- a/gnutls-3.6.12-fix-echo-server.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Tue, 24 Mar 2020 09:55:08 +0100 -Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is - received - -Previously, when gnutls-serv was executed with the --echo option, it -would exit when a message to be echoed was received. Moreover, the -server would output "Memory error" although no error occurred. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/serv.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/serv.c b/src/serv.c -index a4dd445da..414cd0546 100644 ---- a/src/serv.c -+++ b/src/serv.c -@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, - *response_length = strlen(*response); - return 1; - } else if (ret == 0) { -+ *response = strdup(request); - if (*response == NULL) { - fprintf(stderr, "Memory error\n"); - return 0; - } -- *response = strdup(request); -- *response_length = ((*response) ? strlen(*response) : 0); -+ *response_length = strlen(*response); - } else { - *response = NULL; - do { --- -2.24.1 - diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch deleted file mode 100644 index 467c857..0000000 --- a/gnutls-3.6.12-fix-fips-self-tests.patch +++ /dev/null @@ -1,862 +0,0 @@ -diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c -index 7bdb097..6f66cd8 100644 ---- a/lib/crypto-selftests-pk.c -+++ b/lib/crypto-selftests-pk.c -@@ -22,6 +22,7 @@ - - #include "gnutls_int.h" - #include "errors.h" -+#include "fips.h" - #include - #include - #include -@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { - .size = sizeof(DATASTR) - 2 - }; - --static const char rsa_key2048[] = -- "-----BEGIN RSA PRIVATE KEY-----\n" -- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -- "-----END RSA PRIVATE KEY-----\n"; -- --static const char ecc_key[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" -- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" -- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char dsa_key[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" -- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" -- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" -- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" -- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" -- "VzO8qcrLCFvTOXY=\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char gost01_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" -- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" -- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" -- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" -- "KjL7CLBERDm7Yvlv\n" -- "-----END PRIVATE KEY-----\n"; -+/* RSA 2048 private key and signature */ -+static const char rsa_2048_privkey[] = -+ "-----BEGIN RSA PRIVATE KEY-----\n" -+ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -+ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -+ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -+ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -+ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -+ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -+ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -+ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -+ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -+ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -+ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -+ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -+ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -+ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -+ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -+ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -+ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -+ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -+ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -+ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -+ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -+ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -+ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -+ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -+ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -+ "-----END RSA PRIVATE KEY-----\n"; -+ -+static const char rsa_2048_sig[] = -+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" -+ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" -+ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" -+ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" -+ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" -+ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" -+ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" -+ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" -+ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" -+ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" -+ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" -+ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" -+ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" -+ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" -+ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" -+ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -+ -+/* DSA 2048 private key and signature */ -+static const char dsa_2048_privkey[] = -+ "-----BEGIN DSA PRIVATE KEY-----\n" -+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -+ "-----END DSA PRIVATE KEY-----\n"; -+ -+static const char dsa_2048_sig[] = -+ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" -+ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" -+ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" -+ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; -+ -+/* secp256r1 private key and signature */ -+static const char ecdsa_secp256r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----\n" -+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -+ "-----END EC PRIVATE KEY-----\n"; -+ -+static const char ecdsa_secp256r1_sig[] = -+ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" -+ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" -+ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" -+ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" -+ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; -+ -+#ifdef ENABLE_NON_SUITEB_CURVES -+/* secp192r1 private key and signature */ -+static const char ecdsa_secp192r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -+ "Fg==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp192r1_sig[] = -+ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" -+ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" -+ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" -+ "\x0e\xe0\x63\x24\xed\xf2"; -+ -+/* secp224r1 private key and signature */ -+static const char ecdsa_secp224r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp224r1_sig[] = -+ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" -+ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" -+ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" -+ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; -+#endif -+ -+/* secp384r1 private key and signature */ -+static const char ecdsa_secp384r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -+ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp384r1_sig[] = -+ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" -+ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" -+ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" -+ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" -+ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" -+ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" -+ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; -+ -+/* secp521r1 private key and signature */ -+static const char ecdsa_secp521r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -+ "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp521r1_sig[] = -+ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" -+ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" -+ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" -+ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" -+ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" -+ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" -+ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" -+ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" -+ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; -+ -+/* GOST01 private key */ -+static const char gost01_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 256 private key */ -+static const char gost12_256_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 512 private key */ -+static const char gost12_512_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -+ "hsQ3JCCy4xnd5jWT\n" -+ "-----END PRIVATE KEY-----\n"; - - static int test_rsa_enc(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_digest_algorithm_t ign) -@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, - int ret; - gnutls_datum_t enc = { NULL, 0 }; - gnutls_datum_t dec = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -+ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; - gnutls_privkey_t key; - gnutls_pubkey_t pub = NULL; - unsigned char plaintext2[sizeof(DATASTR) - 1]; -@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_sign_algorithm_t sigalgo) - { - int ret; -- gnutls_datum_t sig = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; -- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; -- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; -- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; -- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; - gnutls_privkey_t key; -+ gnutls_datum_t raw_key; -+ gnutls_datum_t sig = { NULL, 0 }; - gnutls_pubkey_t pub = NULL; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -- snprintf(param_name, sizeof(param_name), "%s", -- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -- (bits))); -- } else { -- snprintf(param_name, sizeof(param_name), "%u", bits); -- } -- - ret = gnutls_privkey_init(&key); - if (ret < 0) - return gnutls_assert_val(ret); -@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, - goto cleanup; - } - -- if (pk == GNUTLS_PK_RSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_RSA_PSS) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_DSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_ECC) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_01) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_256) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_512) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else { -- gnutls_assert(); -- ret = GNUTLS_E_INTERNAL_ERROR; -+ switch(pk) { -+ case GNUTLS_PK_RSA: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_RSA_PSS: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_DSA: -+ raw_key.data = (void*)dsa_2048_privkey; -+ raw_key.size = sizeof(dsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_ECC: -+ switch(bits) { -+#ifdef ENABLE_NON_SUITEB_CURVES -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): -+ raw_key.data = (void*)ecdsa_secp192r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): -+ raw_key.data = (void*)ecdsa_secp224r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; -+ break; -+#endif -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): -+ raw_key.data = (void*)ecdsa_secp256r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): -+ raw_key.data = (void*)ecdsa_secp384r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): -+ raw_key.data = (void*)ecdsa_secp521r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; -+ } -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_01: -+ raw_key.data = (void*)gost01_privkey; -+ raw_key.size = sizeof(gost01_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_256: -+ raw_key.data = (void*)gost12_256_privkey; -+ raw_key.size = sizeof(gost12_256_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_512: -+ raw_key.data = (void*)gost12_512_privkey; -+ raw_key.size = sizeof(gost12_512_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; - } - -+ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, - } - - ret = 0; -- cleanup: -+ -+cleanup: - if (pub != NULL) - gnutls_pubkey_deinit(pub); - gnutls_privkey_deinit(key); -@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, - return ret; - } - --/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ --static const char rsa_sig[] = -- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -- --/* ECDSA key and signature */ --static const char ecdsa_secp256r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char ecdsa_secp256r1_sig[] = -- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; -- --#ifdef ENABLE_NON_SUITEB_CURVES --/* sha256 */ --static const char ecdsa_secp192r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -- "Fg==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp192r1_sig[] = -- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; -- --static const char ecdsa_secp224r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp224r1_sig[] = -- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; --#endif -- --static const char ecdsa_secp384r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp384r1_sig[] = -- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; -- --static const char ecdsa_secp521r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -- "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp521r1_sig[] = -- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; -- --/* DSA key and signature */ --static const char dsa_privkey[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char dsa_sig[] = -- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; -- --static const char gost01_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost01_sig[] = -- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; -- --static const char gost12_256_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_sig[] = -- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; -- --static const char gost12_512_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -- "hsQ3JCCy4xnd5jWT\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_sig[] = -- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; -- - static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_digest_algorithm_t dig, - const void *privkey, size_t privkey_size, - const void *stored_sig, size_t stored_sig_size, -- unsigned deterministic_sigs) -+ gnutls_privkey_flags_t flags) - { - int ret; - gnutls_datum_t sig = { NULL, 0 }; -@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_privkey_t key; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -+ if (pk == GNUTLS_PK_EC || -+ pk == GNUTLS_PK_GOST_01 || -+ pk == GNUTLS_PK_GOST_12_256 || -+ pk == GNUTLS_PK_GOST_12_512) -+ { - snprintf(param_name, sizeof(param_name), "%s", - gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE - (bits))); -@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - goto cleanup; - } - -- /* Test if the signature we generate matches the stored */ -+ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ -+ /* Test if the generated signature matches the stored */ - ssig.data = (void *) stored_sig; - ssig.size = stored_sig_size; - -- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ -- ret = -- gnutls_privkey_sign_data(key, dig, 0, &signed_data, -- &sig); -- if (ret < 0) { -- gnutls_assert(); -- goto cleanup; -- } -- -- if (sig.size != ssig.size -- || memcmp(sig.data, ssig.data, sig.size) != 0) { -- ret = GNUTLS_E_SELF_TEST_ERROR; -+ if (sig.size != ssig.size -+ || memcmp(sig.data, ssig.data, sig.size) != 0) { -+ ret = GNUTLS_E_SELF_TEST_ERROR; - #if 0 -- unsigned i; -- fprintf(stderr, "\nstored[%d]: ", ssig.size); -- for (i = 0; i < ssig.size; i++) -- fprintf(stderr, "\\x%.2x", ssig.data[i]); -- -- fprintf(stderr, "\ngenerated[%d]: ", sig.size); -- for (i = 0; i < sig.size; i++) -- fprintf(stderr, "\\x%.2x", sig.data[i]); -- fprintf(stderr, "\n"); -+ unsigned i; -+ fprintf(stderr, "Algorithm: %s-%s\n", -+ gnutls_pk_get_name(pk), param_name); -+ fprintf(stderr, "\nstored[%d]: ", ssig.size); -+ for (i = 0; i < ssig.size; i++) -+ fprintf(stderr, "\\x%.2x", ssig.data[i]); -+ -+ fprintf(stderr, "\ngenerated[%d]: ", sig.size); -+ for (i = 0; i < sig.size; i++) -+ fprintf(stderr, "\\x%.2x", sig.data[i]); -+ fprintf(stderr, "\n"); - #endif -- gnutls_assert(); -- goto cleanup; -- } -+ gnutls_assert(); -+ goto cleanup; - } - -- /* Test if we can verify the signature */ -+ /* Test if we can verify the generated signature */ - - ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); - if (ret < 0) { -@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &signed_data, &ssig); -+ &signed_data, &sig); - if (ret < 0) { - ret = GNUTLS_E_SELF_TEST_ERROR; - gnutls_assert(); -@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &bad_data, &ssig); -+ &bad_data, &sig); - - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { - ret = GNUTLS_E_SELF_TEST_ERROR; -@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - --#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ -- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ -+#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ -+ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - - - /* Known answer tests for DH */ -@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - { - int ret; - -+ bool is_post = false; -+ bool is_fips140_mode_enabled = false; -+ - if (flags & GNUTLS_SELF_TEST_FLAG_ALL) - pk = GNUTLS_PK_UNKNOWN; - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ is_post = true; -+ -+ if (gnutls_fips140_mode_enabled()) -+ is_fips140_mode_enabled = true; -+ - switch (pk) { - case GNUTLS_PK_UNKNOWN: - FALLTHROUGH; -@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - return 0; - FALLTHROUGH; - case GNUTLS_PK_RSA: -- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, -- rsa_key2048, rsa_sig); -+ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, -+ rsa_2048_privkey, rsa_2048_sig, 0); -+ - PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); -- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_RSA_PSS: -- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); -+ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, -+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_DSA: -- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, -- dsa_privkey, dsa_sig); -- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, -+ dsa_2048_privkey, dsa_2048_sig, -+ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, -+ GNUTLS_SIGN_DSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; -@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - } - - /* Test ECDSA */ -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -- ecdsa_secp256r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -+ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, -- ecdsa_secp384r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_SIGN_ECDSA_SHA384); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -- ecdsa_secp521r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_SIGN_ECDSA_SHA512); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, -+ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_SIGN_ECDSA_SHA384); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -+ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_SIGN_ECDSA_SHA512); -+ } - - #ifdef ENABLE_NON_SUITEB_CURVES -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -- ecdsa_secp192r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_SIGN_ECDSA_SHA256); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -- ecdsa_secp224r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -+ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -+ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - #endif - -+ - #if ENABLE_GOST - FALLTHROUGH; - case GNUTLS_PK_GOST_01: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, -- gost01_privkey, gost01_sig); -- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_94); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_256: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, -- gost12_256_privkey, gost12_256_sig); -- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_512: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, -- gost12_512_privkey, gost12_512_sig); -- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), -+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), - GNUTLS_SIGN_GOST_512); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - #endif -- - break; - default: - return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch deleted file mode 100644 index 59ffe6c..0000000 --- a/gnutls-3.6.12-load-config-after-fips-post.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 18 Mar 2020 16:17:39 +0100 -Subject: [PATCH] global: Load configuration after FIPS POST - -Previously, if the loaded configuration file disabled an algorithm -tested during FIPS-140 power-on self-tests, the test would fail. By -loading the configuration file after the test is finished, such failure -is avoided as any algorithm is allowed during the tests. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/global.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/global.c b/lib/global.c -index b42fcb263..9a65d114c 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) - - _gnutls_register_accel_crypto(); - _gnutls_cryptodev_init(); -- _gnutls_load_system_priorities(); - - #ifdef ENABLE_FIPS140 - /* These self tests are performed on the overridden algorithms -@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) - _gnutls_fips_mode_reset_zombie(); - } - #endif -+ _gnutls_load_system_priorities(); - _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); - ret = 0; - --- -2.24.1 - diff --git a/gnutls.spec b/gnutls.spec index fa81959..9588e92 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.12 -Release: 2%{?dist} +Version: 3.6.13 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.12-fix-fips-self-tests.patch -Patch4: gnutls-3.6.12-load-config-after-fips-post.patch -Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 +- Update to upstream 3.6.13 release + * Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 - Fix FIPS POST (#1813384) - Fix gnutls-serv --echo to not exit when a message is received (#1816583) diff --git a/sources b/sources index ce3867d..38b5228 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 -SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 +SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad +SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 +SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From 262cc0d5618f0fce3f50107d17ec92af28383be9 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 31 Mar 2020 11:25:12 +0200 Subject: [PATCH 006/152] Update to 3.6.13-1 - Update to upstream 3.6.13 release --- .gitignore | 3 + gnutls-3.6.12-fix-echo-server.patch | 37 - gnutls-3.6.12-fix-fips-self-tests.patch | 862 ------------------ ...s-3.6.12-load-config-after-fips-post.patch | 38 - gnutls.spec | 10 +- sources | 5 +- 6 files changed, 11 insertions(+), 944 deletions(-) delete mode 100644 gnutls-3.6.12-fix-echo-server.patch delete mode 100644 gnutls-3.6.12-fix-fips-self-tests.patch delete mode 100644 gnutls-3.6.12-load-config-after-fips-post.patch diff --git a/.gitignore b/.gitignore index 0800d67..9dec2f3 100644 --- a/.gitignore +++ b/.gitignore @@ -121,3 +121,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.12.tar.xz.sig /gnutls-3.6.12.tar.xz +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/gnutls-3.6.13.tar.xz.sig +/gnutls-3.6.13.tar.xz diff --git a/gnutls-3.6.12-fix-echo-server.patch b/gnutls-3.6.12-fix-echo-server.patch deleted file mode 100644 index 861eb17..0000000 --- a/gnutls-3.6.12-fix-echo-server.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 10950c613c490bd33d6f489f5f61f8368730f7de Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Tue, 24 Mar 2020 09:55:08 +0100 -Subject: [PATCH] gnutls-serv: Do not exit when a message to be echoed is - received - -Previously, when gnutls-serv was executed with the --echo option, it -would exit when a message to be echoed was received. Moreover, the -server would output "Memory error" although no error occurred. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/serv.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/serv.c b/src/serv.c -index a4dd445da..414cd0546 100644 ---- a/src/serv.c -+++ b/src/serv.c -@@ -1071,12 +1071,12 @@ get_response(gnutls_session_t session, char *request, - *response_length = strlen(*response); - return 1; - } else if (ret == 0) { -+ *response = strdup(request); - if (*response == NULL) { - fprintf(stderr, "Memory error\n"); - return 0; - } -- *response = strdup(request); -- *response_length = ((*response) ? strlen(*response) : 0); -+ *response_length = strlen(*response); - } else { - *response = NULL; - do { --- -2.24.1 - diff --git a/gnutls-3.6.12-fix-fips-self-tests.patch b/gnutls-3.6.12-fix-fips-self-tests.patch deleted file mode 100644 index 467c857..0000000 --- a/gnutls-3.6.12-fix-fips-self-tests.patch +++ /dev/null @@ -1,862 +0,0 @@ -diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c -index 7bdb097..6f66cd8 100644 ---- a/lib/crypto-selftests-pk.c -+++ b/lib/crypto-selftests-pk.c -@@ -22,6 +22,7 @@ - - #include "gnutls_int.h" - #include "errors.h" -+#include "fips.h" - #include - #include - #include -@@ -42,70 +43,185 @@ static const gnutls_datum_t bad_data = { - .size = sizeof(DATASTR) - 2 - }; - --static const char rsa_key2048[] = -- "-----BEGIN RSA PRIVATE KEY-----\n" -- "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -- "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -- "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -- "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -- "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -- "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -- "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -- "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -- "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -- "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -- "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -- "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -- "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -- "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -- "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -- "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -- "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -- "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -- "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -- "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -- "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -- "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -- "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -- "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -- "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -- "-----END RSA PRIVATE KEY-----\n"; -- --static const char ecc_key[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHgCAQEEIQDzaOg65+brGV6INN0zXrUodxwRuocGG+GtKzN7ko26v6AKBggqhkjO\n" -- "PQMBB6FEA0IABEppi34ngyNQ2a9kJmnT5QxIHAUGI1SpnsAyCfze4j6MJ7o/g7qx\n" -- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char dsa_key[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n" -- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n" -- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n" -- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n" -- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n" -- "VzO8qcrLCFvTOXY=\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char gost01_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" -- "4MOCH8oxGWb52EPNL3gjNJiQuBQuf6U=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" -- "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_key[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECS7bAh\n" -- "TP5um5bxziaKkhb6xSI5WBQCSlaiHPBaMbgmgJiF8RubF7k0YMefpt0+sA3GvVGA\n" -- "KjL7CLBERDm7Yvlv\n" -- "-----END PRIVATE KEY-----\n"; -+/* RSA 2048 private key and signature */ -+static const char rsa_2048_privkey[] = -+ "-----BEGIN RSA PRIVATE KEY-----\n" -+ "MIIEogIBAAKCAQEA6yCv+BLrRP/dMPBXJWK21c0aqxIX6JkODL4K+zlyEURt8/Wp\n" -+ "nw37CJwHD3VrimSnk2SJvBfTNhzYhCsLShDOPvi4qBrLZ1WozjoVJ8tRE4VCcjQJ\n" -+ "snpJ7ldiV+Eos1Z3FkbV/uQcw5CYCb/TciSukaWlI+G/xas9EOOFt4aELbc1yDe0\n" -+ "hyfPDtoaKfek4GhT9qT1I8pTC40P9OrA9Jt8lblqxHWwqmdunLTjPjB5zJT6QgI+\n" -+ "j1xuq7ZOQhveNA/AOyzh574GIpgsuvPPLBQwsCQkscr7cFnCsyOPgYJrQW3De2+l\n" -+ "wjp2D7gZeeQcFQKazXcFoiqNpJWoBWmU0qqsgwIDAQABAoIBAAghNzRioxPdrO42\n" -+ "QS0fvqah0tw7Yew+7oduQr7w+4qxTQP0aIsBVr6zdmMIclF0rX6hKUoBoOHsGWho\n" -+ "fJlw/1CaFPhrBMFr6sxGodigZQtBvkxolDVBmTDOgK39MQUSZke0501K4du5MiiU\n" -+ "I2F89zQ9//m/onvZMeFVnJf95LAX5qHr/FLARQFtOpgWzcGVxdvJdJlYb1zMUril\n" -+ "PqyAZXo1j0vgHWwSd54k8mBLus7l8KT57VFce8+9nBPrOrqW4rDVXzs/go3S+kiI\n" -+ "OyzYeUs9czg1N1e3VhEaC+EdYUawc0ASuEkbsJ53L8pwDvS+2ly2ykYziJp95Fjv\n" -+ "bzyd1dECgYEA8FzGCxu7A6/ei9Dn0Fmi8Ns/QvEgbdlGw4v4MlXHjrGJYdOB0BwG\n" -+ "2D2k0ODNYKlUX2J4hi5x8aCH33y/v0EcOHyuqM33vOWBVbdcumCqcOmp341UebAO\n" -+ "uCPgDJNhjxXaeDVPnizqnOBA1B9sTxwmCOmFIiFRLbR+XluvDh3t8L0CgYEA+my6\n" -+ "124Rw7kcFx+9JoB/Z+bUJDYpefUT91gBUhhEdEMx5fujhMzAbLpIRjFQq+75Qb7v\n" -+ "0NyIS09B4oKOqQYzVEJwqKY7H71BTl7QuzJ8Qtuh/DMZsVIt6xpvdeuAKpEOqz44\n" -+ "ZD3fW1B59A3ja7kqZadCqq2b02UTk+gdeOrYBj8CgYACX3gZDfoHrEnPKY3QUcI5\n" -+ "DIEQYR8H1phLP+uAW7ZvozMPAy6J5mzu35Tr9vwwExvhITC9amH3l7UfsLSX58Wm\n" -+ "jRyQUBA9Dir7tKa2tFOab8Qcj+GgnetXSAtjNGVHK1kPzL7vedQLHm+laHYCRe3e\n" -+ "Mqf80UVi5SBGQDN3OTZrJQKBgEkj2oozDqMwfGDQl0kYfJ2XEFynKQQCrVsva+tT\n" -+ "RSMDwR4fmcmel5Dp81P08U/WExy9rIM+9duxAVgrs4jwU6uHYCoRqvEBMIK4NJSI\n" -+ "ETzhsvTa4+UjUF/7L5SsPJmyFiuzl3rHi2W7InNCXyrGQPjBmjoJTJq4SbiIMZtw\n" -+ "U7m3AoGACG2rE/Ud71kyOJcKwxzEt8kd+2CMuaZeE/xk+3zLSSjXJzKPficogM3I\n" -+ "K37/N7N0FjhdQ5hRuD3GH1fcjv9AKdGHsH7RuaG+jHTRUjS1glr17SSQzh6xXnWj\n" -+ "jG0M4UZm5P9STL09nZuWH0wfpr/eg+9+A6yOVfnADI13v+Ygk7k=\n" -+ "-----END RSA PRIVATE KEY-----\n"; -+ -+static const char rsa_2048_sig[] = -+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2" -+ "\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59" -+ "\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9" -+ "\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54" -+ "\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f" -+ "\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5" -+ "\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2" -+ "\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd" -+ "\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a" -+ "\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28" -+ "\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff" -+ "\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94" -+ "\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8" -+ "\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b" -+ "\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07" -+ "\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -+ -+/* DSA 2048 private key and signature */ -+static const char dsa_2048_privkey[] = -+ "-----BEGIN DSA PRIVATE KEY-----\n" -+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -+ "-----END DSA PRIVATE KEY-----\n"; -+ -+static const char dsa_2048_sig[] = -+ "\x30\x3d\x02\x1d\x00\xbe\x87\x2f\xcf\xa1\xe4\x86\x5c\x72\x58\x4a" -+ "\x7b\x8f\x32\x7f\xa5\x1b\xdc\x5c\xae\xda\x98\xea\x15\x32\xed\x0c" -+ "\x4e\x02\x1c\x4c\x76\x01\x2b\xcd\xb9\x33\x95\xf2\xfa\xde\x56\x01" -+ "\xb7\xaa\xe4\x5a\x4a\x2e\xf1\x24\x5a\xd1\xb5\x83\x9a\x93\x61"; -+ -+/* secp256r1 private key and signature */ -+static const char ecdsa_secp256r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----\n" -+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -+ "-----END EC PRIVATE KEY-----\n"; -+ -+static const char ecdsa_secp256r1_sig[] = -+ "\x30\x45\x02\x21\x00\x80\x67\x18\xb9\x72\xc6\x0b\xe1\xc9\x89\x9b" -+ "\x85\x11\x49\x29\x08\xd9\x86\x76\xcc\xfb\xc1\xf4\xd0\xa2\x5e\xa7" -+ "\xb9\x12\xfb\x1a\x68\x02\x20\x67\x12\xb1\x89\x9e\x1d\x9d\x5c\x0f" -+ "\xef\x6e\xa7\x2a\x95\x8c\xfa\x54\x20\x80\xc8\x30\x7c\xff\x06\xbc" -+ "\xc8\xe2\x9a\x2f\x05\x2f\x67"; -+ -+#ifdef ENABLE_NON_SUITEB_CURVES -+/* secp192r1 private key and signature */ -+static const char ecdsa_secp192r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -+ "Fg==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp192r1_sig[] = -+ "\x30\x34\x02\x18\x7c\x43\xe3\xb7\x26\x90\x43\xb5\xf5\x63\x8f\xee" -+ "\xac\x78\x3d\xac\x35\x35\xd0\x1e\x83\x17\x2b\x64\x02\x18\x14\x6e" -+ "\x94\xd5\x7e\xac\x43\x42\x0b\x71\x7a\xc8\x29\xe6\xe3\xda\xf2\x95" -+ "\x0e\xe0\x63\x24\xed\xf2"; -+ -+/* secp224r1 private key and signature */ -+static const char ecdsa_secp224r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp224r1_sig[] = -+ "\x30\x3d\x02\x1c\x14\x22\x09\xa1\x51\x33\x37\xfd\x78\x73\xbd\x84" -+ "\x6e\x76\xa8\x60\x90\xf5\xb6\x57\x34\x25\xe0\x79\xe3\x01\x61\xa9" -+ "\x02\x1d\x00\xb1\xee\xdb\xae\xb3\xe6\x9c\x04\x68\xd5\xe1\x0d\xb6" -+ "\xfc\x5c\x45\xc3\x4f\xbf\x2b\xa5\xe0\x89\x37\x84\x04\x82\x5f"; -+#endif -+ -+/* secp384r1 private key and signature */ -+static const char ecdsa_secp384r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -+ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp384r1_sig[] = -+ "\x30\x65\x02\x31\x00\xa7\x73\x60\x16\xdb\xf9\x1f\xfc\x9e\xd2\x12" -+ "\x23\xd4\x04\xa7\x31\x1f\x15\x28\xfd\x87\x9c\x2c\xb1\xf3\x38\x35" -+ "\x23\x3b\x6e\xfe\x6a\x5d\x89\x34\xbe\x02\x82\xc6\x27\xea\x45\x53" -+ "\xa9\x87\xc5\x31\x0a\x02\x30\x76\x32\x80\x6b\x43\x3c\xb4\xfd\x90" -+ "\x03\xe0\x1d\x5d\x77\x18\x45\xf6\x71\x29\xa9\x05\x87\x49\x75\x3a" -+ "\x78\x9c\x49\xe5\x6c\x8e\x18\xcd\x5d\xee\x2c\x6f\x92\xf7\x15\xd3" -+ "\x38\xd5\xf9\x9b\x9d\x1a\xf4"; -+ -+/* secp521r1 private key and signature */ -+static const char ecdsa_secp521r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -+ "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp521r1_sig[] = -+ "\x30\x81\x88\x02\x42\x01\x9d\x13\x2e\xc9\x75\x1b\x60\x10\x62\xc5" -+ "\x0d\xcb\x08\x9e\x86\x01\xd3\xc9\x8c\xee\x2e\x16\x3d\x8c\xc2\x65" -+ "\x80\xe1\x32\x56\xc3\x02\x9d\xf0\x4a\x89\x8d\x2e\x33\x2a\x90\x4e" -+ "\x72\x1d\xaa\x84\x14\xe8\xcb\xdf\x7a\x4a\xc9\x67\x2e\xba\xa3\xf2" -+ "\xc2\x07\xf7\x1b\xa5\x91\xbd\x02\x42\x01\xe3\x32\xd2\x25\xeb\x2e" -+ "\xaf\xb4\x6c\xc0\xaa\x5c\xc1\x56\x14\x13\x23\x7f\x62\xcf\x4c\xb8" -+ "\xd1\x96\xe0\x29\x6d\xed\x74\xdd\x23\x64\xf9\x29\x86\x40\x22\x2f" -+ "\xb6\x8d\x4c\x8e\x0b\x7a\xda\xdb\x03\x44\x01\x9b\x81\x1c\x3c\xab" -+ "\x78\xee\xf2\xc5\x24\x33\x61\x65\x01\x87\x66"; -+ -+/* GOST01 private key */ -+static const char gost01_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 256 private key */ -+static const char gost12_256_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+/* GOST12 512 private key */ -+static const char gost12_512_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -+ "hsQ3JCCy4xnd5jWT\n" -+ "-----END PRIVATE KEY-----\n"; - - static int test_rsa_enc(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_digest_algorithm_t ign) -@@ -113,7 +229,7 @@ static int test_rsa_enc(gnutls_pk_algorithm_t pk, - int ret; - gnutls_datum_t enc = { NULL, 0 }; - gnutls_datum_t dec = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -+ gnutls_datum_t raw_rsa_key = { (void*)rsa_2048_privkey, sizeof(rsa_2048_privkey)-1 }; - gnutls_privkey_t key; - gnutls_pubkey_t pub = NULL; - unsigned char plaintext2[sizeof(DATASTR) - 1]; -@@ -200,26 +316,12 @@ static int test_sig(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_sign_algorithm_t sigalgo) - { - int ret; -- gnutls_datum_t sig = { NULL, 0 }; -- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; -- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; -- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; -- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 }; -- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 }; -- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 }; - gnutls_privkey_t key; -+ gnutls_datum_t raw_key; -+ gnutls_datum_t sig = { NULL, 0 }; - gnutls_pubkey_t pub = NULL; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -- snprintf(param_name, sizeof(param_name), "%s", -- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -- (bits))); -- } else { -- snprintf(param_name, sizeof(param_name), "%u", bits); -- } -- - ret = gnutls_privkey_init(&key); - if (ret < 0) - return gnutls_assert_val(ret); -@@ -230,25 +332,83 @@ static int test_sig(gnutls_pk_algorithm_t pk, - goto cleanup; - } - -- if (pk == GNUTLS_PK_RSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_RSA_PSS) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_DSA) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_dsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_ECC) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_ecc_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_01) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost01_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_256) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_256_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else if (pk == GNUTLS_PK_GOST_12_512) { -- ret = gnutls_privkey_import_x509_raw(key, &raw_gost12_512_key, GNUTLS_X509_FMT_PEM, NULL, 0); -- } else { -- gnutls_assert(); -- ret = GNUTLS_E_INTERNAL_ERROR; -+ switch(pk) { -+ case GNUTLS_PK_RSA: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_RSA_PSS: -+ raw_key.data = (void*)rsa_2048_privkey; -+ raw_key.size = sizeof(rsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_DSA: -+ raw_key.data = (void*)dsa_2048_privkey; -+ raw_key.size = sizeof(dsa_2048_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%u", bits); -+ break; -+ case GNUTLS_PK_ECC: -+ switch(bits) { -+#ifdef ENABLE_NON_SUITEB_CURVES -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1): -+ raw_key.data = (void*)ecdsa_secp192r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp192r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1): -+ raw_key.data = (void*)ecdsa_secp224r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp224r1_privkey) - 1; -+ break; -+#endif -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1): -+ raw_key.data = (void*)ecdsa_secp256r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp256r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1): -+ raw_key.data = (void*)ecdsa_secp384r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp384r1_privkey) - 1; -+ break; -+ case GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1): -+ raw_key.data = (void*)ecdsa_secp521r1_privkey; -+ raw_key.size = sizeof(ecdsa_secp521r1_privkey) - 1; -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; -+ } -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_01: -+ raw_key.data = (void*)gost01_privkey; -+ raw_key.size = sizeof(gost01_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_256: -+ raw_key.data = (void*)gost12_256_privkey; -+ raw_key.size = sizeof(gost12_256_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ case GNUTLS_PK_GOST_12_512: -+ raw_key.data = (void*)gost12_512_privkey; -+ raw_key.size = sizeof(gost12_512_privkey) - 1; -+ snprintf(param_name, sizeof(param_name), "%s", -+ gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE -+ (bits))); -+ break; -+ default: -+ gnutls_assert(); -+ ret = GNUTLS_E_INTERNAL_ERROR; -+ goto cleanup; - } - -+ ret = gnutls_privkey_import_x509_raw(key, &raw_key, GNUTLS_X509_FMT_PEM, NULL, 0); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -@@ -286,7 +446,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, - } - - ret = 0; -- cleanup: -+ -+cleanup: - if (pub != NULL) - gnutls_pubkey_deinit(pub); - gnutls_privkey_deinit(key); -@@ -302,123 +463,11 @@ static int test_sig(gnutls_pk_algorithm_t pk, - return ret; - } - --/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ --static const char rsa_sig[] = -- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -- --/* ECDSA key and signature */ --static const char ecdsa_secp256r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char ecdsa_secp256r1_sig[] = -- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; -- --#ifdef ENABLE_NON_SUITEB_CURVES --/* sha256 */ --static const char ecdsa_secp192r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -- "Fg==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp192r1_sig[] = -- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; -- --static const char ecdsa_secp224r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp224r1_sig[] = -- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; --#endif -- --static const char ecdsa_secp384r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp384r1_sig[] = -- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; -- --static const char ecdsa_secp521r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -- "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp521r1_sig[] = -- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; -- --/* DSA key and signature */ --static const char dsa_privkey[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char dsa_sig[] = -- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; -- --static const char gost01_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost01_sig[] = -- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; -- --static const char gost12_256_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_sig[] = -- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; -- --static const char gost12_512_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -- "hsQ3JCCy4xnd5jWT\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_sig[] = -- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; -- - static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_digest_algorithm_t dig, - const void *privkey, size_t privkey_size, - const void *stored_sig, size_t stored_sig_size, -- unsigned deterministic_sigs) -+ gnutls_privkey_flags_t flags) - { - int ret; - gnutls_datum_t sig = { NULL, 0 }; -@@ -427,8 +476,11 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_privkey_t key; - char param_name[32]; - -- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || -- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) { -+ if (pk == GNUTLS_PK_EC || -+ pk == GNUTLS_PK_GOST_01 || -+ pk == GNUTLS_PK_GOST_12_256 || -+ pk == GNUTLS_PK_GOST_12_512) -+ { - snprintf(param_name, sizeof(param_name), "%s", - gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE - (bits))); -@@ -462,39 +514,37 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - goto cleanup; - } - -- /* Test if the signature we generate matches the stored */ -+ ret = gnutls_privkey_sign_data(key, dig, flags, &signed_data, &sig); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ -+ /* Test if the generated signature matches the stored */ - ssig.data = (void *) stored_sig; - ssig.size = stored_sig_size; - -- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ -- ret = -- gnutls_privkey_sign_data(key, dig, 0, &signed_data, -- &sig); -- if (ret < 0) { -- gnutls_assert(); -- goto cleanup; -- } -- -- if (sig.size != ssig.size -- || memcmp(sig.data, ssig.data, sig.size) != 0) { -- ret = GNUTLS_E_SELF_TEST_ERROR; -+ if (sig.size != ssig.size -+ || memcmp(sig.data, ssig.data, sig.size) != 0) { -+ ret = GNUTLS_E_SELF_TEST_ERROR; - #if 0 -- unsigned i; -- fprintf(stderr, "\nstored[%d]: ", ssig.size); -- for (i = 0; i < ssig.size; i++) -- fprintf(stderr, "\\x%.2x", ssig.data[i]); -- -- fprintf(stderr, "\ngenerated[%d]: ", sig.size); -- for (i = 0; i < sig.size; i++) -- fprintf(stderr, "\\x%.2x", sig.data[i]); -- fprintf(stderr, "\n"); -+ unsigned i; -+ fprintf(stderr, "Algorithm: %s-%s\n", -+ gnutls_pk_get_name(pk), param_name); -+ fprintf(stderr, "\nstored[%d]: ", ssig.size); -+ for (i = 0; i < ssig.size; i++) -+ fprintf(stderr, "\\x%.2x", ssig.data[i]); -+ -+ fprintf(stderr, "\ngenerated[%d]: ", sig.size); -+ for (i = 0; i < sig.size; i++) -+ fprintf(stderr, "\\x%.2x", sig.data[i]); -+ fprintf(stderr, "\n"); - #endif -- gnutls_assert(); -- goto cleanup; -- } -+ gnutls_assert(); -+ goto cleanup; - } - -- /* Test if we can verify the signature */ -+ /* Test if we can verify the generated signature */ - - ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); - if (ret < 0) { -@@ -504,7 +554,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &signed_data, &ssig); -+ &signed_data, &sig); - if (ret < 0) { - ret = GNUTLS_E_SELF_TEST_ERROR; - gnutls_assert(); -@@ -515,7 +565,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - - ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, -- &bad_data, &ssig); -+ &bad_data, &sig); - - if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { - ret = GNUTLS_E_SELF_TEST_ERROR; -@@ -546,18 +596,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - --#define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \ -- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \ -+#define PK_KNOWN_TEST(pk, bits, dig, pkey, sig, flags) \ -+ ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, flags); \ - if (ret < 0) { \ - gnutls_assert(); \ - goto cleanup; \ -- } \ -- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \ -- return 0 -+ } - - - /* Known answer tests for DH */ -@@ -764,9 +810,18 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - { - int ret; - -+ bool is_post = false; -+ bool is_fips140_mode_enabled = false; -+ - if (flags & GNUTLS_SELF_TEST_FLAG_ALL) - pk = GNUTLS_PK_UNKNOWN; - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ is_post = true; -+ -+ if (gnutls_fips140_mode_enabled()) -+ is_fips140_mode_enabled = true; -+ - switch (pk) { - case GNUTLS_PK_UNKNOWN: - FALLTHROUGH; -@@ -781,26 +836,32 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - return 0; - FALLTHROUGH; - case GNUTLS_PK_RSA: -- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256, -- rsa_key2048, rsa_sig); -+ PK_KNOWN_TEST(GNUTLS_PK_RSA, 2048, GNUTLS_DIG_SHA256, -+ rsa_2048_privkey, rsa_2048_sig, 0); -+ - PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0); -- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_RSA_PSS: -- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); -+ PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, -+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - - FALLTHROUGH; - case GNUTLS_PK_DSA: -- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256, -- dsa_privkey, dsa_sig); -- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_DSA, 2048, GNUTLS_DIG_SHA256, -+ dsa_2048_privkey, dsa_2048_sig, -+ GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, -+ GNUTLS_SIGN_DSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; -@@ -815,62 +876,72 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - } - - /* Test ECDSA */ -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -- ecdsa_secp256r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey, -+ ecdsa_secp256r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey, -- ecdsa_secp384r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -- GNUTLS_SIGN_ECDSA_SHA384); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -- ecdsa_secp521r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -- GNUTLS_SIGN_ECDSA_SHA512); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_DIG_SHA384, ecdsa_secp384r1_privkey, -+ ecdsa_secp384r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1), -+ GNUTLS_SIGN_ECDSA_SHA384); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey, -+ ecdsa_secp521r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1), -+ GNUTLS_SIGN_ECDSA_SHA512); -+ } - - #ifdef ENABLE_NON_SUITEB_CURVES -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -- ecdsa_secp192r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -- GNUTLS_SIGN_ECDSA_SHA256); -- -- PK_KNOWN_TEST(GNUTLS_PK_EC, 0, -- GNUTLS_CURVE_TO_BITS -- (GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -- ecdsa_secp224r1_sig); -- PK_TEST(GNUTLS_PK_EC, test_sig, -- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -- GNUTLS_SIGN_ECDSA_SHA256); -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey, -+ ecdsa_secp192r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } -+ -+ if (is_post || !is_fips140_mode_enabled) { -+ PK_KNOWN_TEST(GNUTLS_PK_EC, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey, -+ ecdsa_secp224r1_sig, GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE); -+ } else { -+ PK_TEST(GNUTLS_PK_EC, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1), -+ GNUTLS_SIGN_ECDSA_SHA256); -+ } - #endif - -+ - #if ENABLE_GOST - FALLTHROUGH; - case GNUTLS_PK_GOST_01: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94, -- gost01_privkey, gost01_sig); -- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_94); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -878,9 +949,8 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_256: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256, -- gost12_256_privkey, gost12_256_sig); -- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), -+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA), - GNUTLS_SIGN_GOST_256); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) -@@ -888,15 +958,13 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk) - - FALLTHROUGH; - case GNUTLS_PK_GOST_12_512: -- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512, -- gost12_512_privkey, gost12_512_sig); -- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), -+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, -+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A), - GNUTLS_SIGN_GOST_512); - - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) - return 0; - #endif -- - break; - default: - return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST); diff --git a/gnutls-3.6.12-load-config-after-fips-post.patch b/gnutls-3.6.12-load-config-after-fips-post.patch deleted file mode 100644 index 59ffe6c..0000000 --- a/gnutls-3.6.12-load-config-after-fips-post.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 17bcd7a60fb0b7d07718515946ebb064d33ef45b Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 18 Mar 2020 16:17:39 +0100 -Subject: [PATCH] global: Load configuration after FIPS POST - -Previously, if the loaded configuration file disabled an algorithm -tested during FIPS-140 power-on self-tests, the test would fail. By -loading the configuration file after the test is finished, such failure -is avoided as any algorithm is allowed during the tests. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/global.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/global.c b/lib/global.c -index b42fcb263..9a65d114c 100644 ---- a/lib/global.c -+++ b/lib/global.c -@@ -368,7 +368,6 @@ static int _gnutls_global_init(unsigned constructor) - - _gnutls_register_accel_crypto(); - _gnutls_cryptodev_init(); -- _gnutls_load_system_priorities(); - - #ifdef ENABLE_FIPS140 - /* These self tests are performed on the overridden algorithms -@@ -385,6 +384,7 @@ static int _gnutls_global_init(unsigned constructor) - _gnutls_fips_mode_reset_zombie(); - } - #endif -+ _gnutls_load_system_priorities(); - _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); - ret = 0; - --- -2.24.1 - diff --git a/gnutls.spec b/gnutls.spec index fa81959..9588e92 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.12 -Release: 2%{?dist} +Version: 3.6.13 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.12-fix-fips-self-tests.patch -Patch4: gnutls-3.6.12-load-config-after-fips-post.patch -Patch5: gnutls-3.6.12-fix-echo-server.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 +- Update to upstream 3.6.13 release + * Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 - Fix FIPS POST (#1813384) - Fix gnutls-serv --echo to not exit when a message is received (#1816583) diff --git a/sources b/sources index ce3867d..38b5228 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5 -SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 +SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad +SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 +SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From fbf404e4b278f45c701218b3d588ac273cbcbc93 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 13 May 2020 16:32:58 +0200 Subject: [PATCH 007/152] Remove gpg key from sources --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index 38b5228..08912b9 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From bdd006b41273dddbbb0edf1a7cdc46a5503d89b5 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 13 May 2020 19:03:33 +0200 Subject: [PATCH 008/152] Remove gpg key from sources --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index 38b5228..08912b9 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c From ee88c45f9fdd5d13311c2ef2bf8d89d4b020a56d Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 13 May 2020 19:04:05 +0200 Subject: [PATCH 009/152] Bump linked libs soname to fix FIPS self-tests Resolves: rhbz#1835265 --- gnutls-3.6.13-bump-linked-libs-soname-f32.patch | 13 +++++++++++++ gnutls.spec | 6 +++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f32.patch diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch new file mode 100644 index 0000000..e48477a --- /dev/null +++ b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch @@ -0,0 +1,13 @@ +--- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 ++++ b/lib/fips.c 2020-05-13 17:31:47.310301627 +0200 +@@ -136,8 +136,8 @@ + } + + #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" +-#define NETTLE_LIBRARY_NAME "libnettle.so.6" +-#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" ++#define NETTLE_LIBRARY_NAME "libnettle.so.7" ++#define HOGWEED_LIBRARY_NAME "libhogweed.so.5" + #define GMP_LIBRARY_NAME "libgmp.so.10" + + #define HMAC_SUFFIX ".hmac" diff --git a/gnutls.spec b/gnutls.spec index 9588e92..d5b7fb9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Wed May 13 2020 Anderson Sasaki - 3.6.13-2 +- Bump linked libraries soname to fix FIPS selftests (#1835265) + * Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 - Update to upstream 3.6.13 release From 5de0851cf96398fcbfcda5eeff6e8911a68e8f2f Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 14 May 2020 10:59:56 +0200 Subject: [PATCH 010/152] Bump linked libs soname to fix FIPS self-tests Resolves: rhbz#1835265 --- gnutls-3.6.13-bump-linked-libs-soname-f33.patch | 13 +++++++++++++ gnutls.spec | 6 +++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f33.patch diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f33.patch b/gnutls-3.6.13-bump-linked-libs-soname-f33.patch new file mode 100644 index 0000000..5888f1c --- /dev/null +++ b/gnutls-3.6.13-bump-linked-libs-soname-f33.patch @@ -0,0 +1,13 @@ +--- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 ++++ b/lib/fips.c 2020-05-13 17:29:43.098868100 +0200 +@@ -136,8 +136,8 @@ + } + + #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" +-#define NETTLE_LIBRARY_NAME "libnettle.so.6" +-#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" ++#define NETTLE_LIBRARY_NAME "libnettle.so.8" ++#define HOGWEED_LIBRARY_NAME "libhogweed.so.6" + #define GMP_LIBRARY_NAME "libgmp.so.10" + + #define HMAC_SUFFIX ".hmac" diff --git a/gnutls.spec b/gnutls.spec index 9588e92..2cf9c3a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -279,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu May 14 2020 Anderson Sasaki - 3.6.13-2 +- Bump linked libraries soname to fix FIPS selftests (#1835265) + * Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 - Update to upstream 3.6.13 release From f2ea860ff5f102b01f2d9ef41a311abf1d2c2a40 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 20 May 2020 10:41:58 +0200 Subject: [PATCH 011/152] Disable RSA blinding during FIPS self-tests Related: rhbz#1835265 --- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch new file mode 100644 index 0000000..559ea0a --- /dev/null +++ b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch @@ -0,0 +1,124 @@ +From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2019 17:01:05 +0200 +Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests + +Nettle's RSA signing, encryption and decryption functions still +require randomness for blinding, so fallback to use a fixed buffer in +selftests where entropy might not be available. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 15ad4b4e9..ccf403b00 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) + nettle_mpz_get_str_256 (length, data, *k); + } + ++static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) ++{ ++ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ } ++ ++ memset(data, 0xAA, length); ++} ++ + static void + ecc_scalar_zclear (struct ecc_scalar *s) + { +@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + case GNUTLS_PK_RSA: + { + struct rsa_public_key pub; ++ nettle_random_func *random_func; + + ret = _rsa_params_to_pubkey(pk_params, &pub); + if (ret < 0) { +@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_encrypt(&pub, NULL, rnd_nonce_func, ++ rsa_encrypt(&pub, NULL, random_func, + plaintext->size, plaintext->data, + p); + if (ret == 0 || HAVE_LIB_ERROR()) { +@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + struct rsa_public_key pub; + size_t length; + bigint_t c; ++ nettle_random_func *random_func; + + _rsa_params_to_privkey(pk_params, &priv); + ret = _rsa_params_to_pubkey(pk_params, &pub); +@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_decrypt_tr(&pub, &priv, NULL, random_func, + &length, plaintext->data, + TOMPZ(c)); + _gnutls_mpi_release(&c); +@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + bigint_t c; + uint32_t is_err; + int ret; ++ nettle_random_func *random_func; + + if (algo != GNUTLS_PK_RSA || plaintext == NULL) { + gnutls_assert(); +@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); + } + +- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; ++ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, + plaintext_size, plaintext, TOMPZ(c)); + /* after this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + { + struct rsa_private_key priv; + struct rsa_public_key pub; ++ nettle_random_func *random_func; + mpz_t s; + + _rsa_params_to_privkey(pk_params, &priv); +@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + + mpz_init(s); + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, + vdata->size, vdata->data, s); + if (ret == 0 || HAVE_LIB_ERROR()) { + gnutls_assert(); +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index 2cf9c3a..6944fd9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,10 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch +Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -280,6 +281,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue May 19 2020 Anderson Sasaki - 3.6.13-3 +- Disable RSA blinding during FIPS self-tests + * Thu May 14 2020 Anderson Sasaki - 3.6.13-2 - Bump linked libraries soname to fix FIPS selftests (#1835265) From 75c72994c62000f565b15bf1541ba187a30f2652 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 20 May 2020 10:41:58 +0200 Subject: [PATCH 012/152] Disable RSA blinding during FIPS self-tests Related: rhbz#1835265 --- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch new file mode 100644 index 0000000..559ea0a --- /dev/null +++ b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch @@ -0,0 +1,124 @@ +From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2019 17:01:05 +0200 +Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests + +Nettle's RSA signing, encryption and decryption functions still +require randomness for blinding, so fallback to use a fixed buffer in +selftests where entropy might not be available. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 15ad4b4e9..ccf403b00 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) + nettle_mpz_get_str_256 (length, data, *k); + } + ++static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) ++{ ++ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++ } ++ ++ memset(data, 0xAA, length); ++} ++ + static void + ecc_scalar_zclear (struct ecc_scalar *s) + { +@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + case GNUTLS_PK_RSA: + { + struct rsa_public_key pub; ++ nettle_random_func *random_func; + + ret = _rsa_params_to_pubkey(pk_params, &pub); + if (ret < 0) { +@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_encrypt(&pub, NULL, rnd_nonce_func, ++ rsa_encrypt(&pub, NULL, random_func, + plaintext->size, plaintext->data, + p); + if (ret == 0 || HAVE_LIB_ERROR()) { +@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + struct rsa_public_key pub; + size_t length; + bigint_t c; ++ nettle_random_func *random_func; + + _rsa_params_to_privkey(pk_params, &priv); + ret = _rsa_params_to_pubkey(pk_params, &pub); +@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, + goto cleanup; + } + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_decrypt_tr(&pub, &priv, NULL, random_func, + &length, plaintext->data, + TOMPZ(c)); + _gnutls_mpi_release(&c); +@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + bigint_t c; + uint32_t is_err; + int ret; ++ nettle_random_func *random_func; + + if (algo != GNUTLS_PK_RSA || plaintext == NULL) { + gnutls_assert(); +@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, + return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); + } + +- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; ++ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, + plaintext_size, plaintext, TOMPZ(c)); + /* after this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + { + struct rsa_private_key priv; + struct rsa_public_key pub; ++ nettle_random_func *random_func; + mpz_t s; + + _rsa_params_to_privkey(pk_params, &priv); +@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, + + mpz_init(s); + ++ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) ++ random_func = rnd_nonce_func_fallback; ++ else ++ random_func = rnd_nonce_func; + ret = +- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, ++ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, + vdata->size, vdata->data, s); + if (ret == 0 || HAVE_LIB_ERROR()) { + gnutls_assert(); +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index d5b7fb9..ced629c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,10 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch +Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -280,6 +281,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue May 19 2020 Anderson Sasaki - 3.6.13-3 +- Disable RSA blinding during FIPS self-tests + * Wed May 13 2020 Anderson Sasaki - 3.6.13-2 - Bump linked libraries soname to fix FIPS selftests (#1835265) From bff55b411ba91f2a69653ab2f3b1325c3cb5c69e Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Mon, 25 May 2020 15:05:15 +0200 Subject: [PATCH 013/152] Add option to gnutls-cli to wait for resumption under TLS 1.3 --- gnutls-3.6.13-cli-wait-resumption.patch | 87 +++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-cli-wait-resumption.patch diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch new file mode 100644 index 0000000..4c56344 --- /dev/null +++ b/gnutls-3.6.13-cli-wait-resumption.patch @@ -0,0 +1,87 @@ +From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Fri, 20 Mar 2020 16:37:33 +0100 +Subject: [PATCH] gnutls-cli: Add option to wait for resumption data + +This introduces the --waitresumption command line option which makes the +client to wait for the resumption data until a ticket is received under +TLS1.3. The client will block if no ticket is received. The new option +has no effect if the option --resume is not provided. + +This is useful to force the client to wait for the resumption data when +the server takes long to send the ticket, allowing the session +resumption to be tested. This is a common scenario in CI systems where +the testing machines have limited resources. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/cli-args.def | 6 ++++++ + src/cli.c | 21 +++++++++++++++------ + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/src/cli-args.def b/src/cli-args.def +index a8760fab9..56ae77b07 100644 +--- a/src/cli-args.def ++++ b/src/cli-args.def +@@ -471,6 +471,12 @@ flag = { + doc = ""; + }; + ++flag = { ++ name = waitresumption; ++ descrip = "Block waiting for the resumption data under TLS1.3"; ++ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; ++}; ++ + doc-section = { + ds-type = 'SEE ALSO'; // or anything else + ds-format = 'texi'; // or texi or mdoc format +diff --git a/src/cli.c b/src/cli.c +index db072b930..c3d074f08 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -78,7 +78,7 @@ + + /* global stuff here */ + int resume, starttls, insecure, ranges, rehandshake, udp, mtu, +- inline_commands; ++ inline_commands, waitresumption; + unsigned int global_vflags = 0; + char *hostname = NULL; + char service[32]=""; +@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) + gnutls_datum_t edata = {NULL, 0}; + + if (gnutls_session_is_resumed(hd->session) == 0) { +- /* not resumed - obtain the session data */ +- ret = gnutls_session_get_data2(hd->session, &rdata); +- if (ret < 0) { +- rdata.data = NULL; +- } ++ do { ++ /* not resumed - obtain the session data */ ++ ret = gnutls_session_get_data2(hd->session, &rdata); ++ if (ret < 0) { ++ rdata.data = NULL; ++ } ++ ++ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || ++ ((gnutls_session_get_flags(hd->session) & ++ GNUTLS_SFLAGS_SESSION_TICKET))) { ++ break; ++ } ++ } while (waitresumption); + } else { + /* resumed - try to reuse the previous session data */ + rdata.data = hd->rdata.data; +@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) + rehandshake = HAVE_OPT(REHANDSHAKE); + insecure = HAVE_OPT(INSECURE); + ranges = HAVE_OPT(RANGES); ++ waitresumption = HAVE_OPT(WAITRESUMPTION); + + if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { + global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index 6944fd9..bc7e6bb 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,11 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +Patch5: gnutls-3.6.13-cli-wait-resumption.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon May 25 2020 Anderson Sasaki - 3.6.13-4 +- Add option to gnutls-cli to wait for resumption under TLS 1.3 + * Tue May 19 2020 Anderson Sasaki - 3.6.13-3 - Disable RSA blinding during FIPS self-tests From 10f6e9929306900b45bd7bc3c25adbbc98ebf569 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Mon, 25 May 2020 15:05:15 +0200 Subject: [PATCH 014/152] Add option to gnutls-cli to wait for resumption under TLS 1.3 --- gnutls-3.6.13-cli-wait-resumption.patch | 87 +++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-cli-wait-resumption.patch diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch new file mode 100644 index 0000000..4c56344 --- /dev/null +++ b/gnutls-3.6.13-cli-wait-resumption.patch @@ -0,0 +1,87 @@ +From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Fri, 20 Mar 2020 16:37:33 +0100 +Subject: [PATCH] gnutls-cli: Add option to wait for resumption data + +This introduces the --waitresumption command line option which makes the +client to wait for the resumption data until a ticket is received under +TLS1.3. The client will block if no ticket is received. The new option +has no effect if the option --resume is not provided. + +This is useful to force the client to wait for the resumption data when +the server takes long to send the ticket, allowing the session +resumption to be tested. This is a common scenario in CI systems where +the testing machines have limited resources. + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + src/cli-args.def | 6 ++++++ + src/cli.c | 21 +++++++++++++++------ + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/src/cli-args.def b/src/cli-args.def +index a8760fab9..56ae77b07 100644 +--- a/src/cli-args.def ++++ b/src/cli-args.def +@@ -471,6 +471,12 @@ flag = { + doc = ""; + }; + ++flag = { ++ name = waitresumption; ++ descrip = "Block waiting for the resumption data under TLS1.3"; ++ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; ++}; ++ + doc-section = { + ds-type = 'SEE ALSO'; // or anything else + ds-format = 'texi'; // or texi or mdoc format +diff --git a/src/cli.c b/src/cli.c +index db072b930..c3d074f08 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -78,7 +78,7 @@ + + /* global stuff here */ + int resume, starttls, insecure, ranges, rehandshake, udp, mtu, +- inline_commands; ++ inline_commands, waitresumption; + unsigned int global_vflags = 0; + char *hostname = NULL; + char service[32]=""; +@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) + gnutls_datum_t edata = {NULL, 0}; + + if (gnutls_session_is_resumed(hd->session) == 0) { +- /* not resumed - obtain the session data */ +- ret = gnutls_session_get_data2(hd->session, &rdata); +- if (ret < 0) { +- rdata.data = NULL; +- } ++ do { ++ /* not resumed - obtain the session data */ ++ ret = gnutls_session_get_data2(hd->session, &rdata); ++ if (ret < 0) { ++ rdata.data = NULL; ++ } ++ ++ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || ++ ((gnutls_session_get_flags(hd->session) & ++ GNUTLS_SFLAGS_SESSION_TICKET))) { ++ break; ++ } ++ } while (waitresumption); + } else { + /* resumed - try to reuse the previous session data */ + rdata.data = hd->rdata.data; +@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) + rehandshake = HAVE_OPT(REHANDSHAKE); + insecure = HAVE_OPT(INSECURE); + ranges = HAVE_OPT(RANGES); ++ waitresumption = HAVE_OPT(WAITRESUMPTION); + + if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { + global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index ced629c..febe56d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,11 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +Patch5: gnutls-3.6.13-cli-wait-resumption.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon May 25 2020 Anderson Sasaki - 3.6.13-4 +- Add option to gnutls-cli to wait for resumption under TLS 1.3 + * Tue May 19 2020 Anderson Sasaki - 3.6.13-3 - Disable RSA blinding during FIPS self-tests From ff6457e1d16e9ab54e7b70cc7d8d32f047332e70 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:03:57 +0200 Subject: [PATCH 015/152] Fix cert chain validation behavior if the last cert has expired (#1842178) --- gnutls-3.6.13-superseding-chain.patch | 387 ++++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 392 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch new file mode 100644 index 0000000..99ceca1 --- /dev/null +++ b/gnutls-3.6.13-superseding-chain.patch @@ -0,0 +1,387 @@ +From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 12:39:14 +0200 +Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against + system cert + +To verify a certificate chain, this function replaces known +certificates with the ones in the system trust store if possible. + +However, if it is found, the function checked the validity of the +original certificate rather than the certificate found in the trust +store. That reveals a problem in a scenario that (1) a certificate is +signed by multiple issuers and (2) one of the issuers' certificate has +expired and included in the input chain. + +This patch makes it a little robuster by actually retrieving the +certificate from the trust store and check against it. + +Signed-off-by: Daiki Ueno +--- + lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11_int.h | 5 +++ + lib/x509/verify.c | 7 +++- + 3 files changed, 78 insertions(+), 30 deletions(-) + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index fad16aaf4..662dda441 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, + return ret; + } + +-/** +- * gnutls_pkcs11_crt_is_known: +- * @url: A PKCS 11 url identifying a token +- * @cert: is the certificate to find issuer for +- * @issuer: Will hold the issuer if any in an allocated buffer. +- * @fmt: The format of the exported issuer. +- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. +- * +- * This function will check whether the provided certificate is stored +- * in the specified token. This is useful in combination with +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, +- * to check whether a CA is present or a certificate is blacklisted in +- * a trust PKCS #11 module. +- * +- * This function can be used with a @url of "pkcs11:", and in that case all modules +- * will be searched. To restrict the modules to the marked as trusted in p11-kit +- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. +- * +- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is +- * specific to p11-kit trust modules. +- * +- * Returns: If the certificate exists non-zero is returned, otherwise zero. +- * +- * Since: 3.3.0 +- **/ +-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +- unsigned int flags) ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert) + { + int ret; + struct find_cert_st priv; +@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + + memset(&priv, 0, sizeof(priv)); + ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } ++ + if (url == NULL || url[0] == 0) { + url = "pkcs11:"; + } +@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + gnutls_assert(); + gnutls_free(priv.serial.data); + memset(&priv, 0, sizeof(priv)); ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } + priv.crt = cert; + priv.flags = flags; + +@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + goto cleanup; + } + ++ if (trusted_cert) { ++ ret = gnutls_x509_crt_init(trusted_cert); ++ if (ret < 0) { ++ gnutls_assert(); ++ ret = 0; ++ goto cleanup; ++ } ++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ gnutls_x509_crt_deinit(*trusted_cert); ++ ret = 0; ++ goto cleanup; ++ } ++ } + ret = 1; + + cleanup: ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); + if (info) + p11_kit_uri_free(info); + gnutls_free(priv.serial.data); +@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + return ret; + } + ++/** ++ * gnutls_pkcs11_crt_is_known: ++ * @url: A PKCS 11 url identifying a token ++ * @cert: is the certificate to find issuer for ++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. ++ * ++ * This function will check whether the provided certificate is stored ++ * in the specified token. This is useful in combination with ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, ++ * to check whether a CA is present or a certificate is blacklisted in ++ * a trust PKCS #11 module. ++ * ++ * This function can be used with a @url of "pkcs11:", and in that case all modules ++ * will be searched. To restrict the modules to the marked as trusted in p11-kit ++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. ++ * ++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is ++ * specific to p11-kit trust modules. ++ * ++ * Returns: If the certificate exists non-zero is returned, otherwise zero. ++ * ++ * Since: 3.3.0 ++ **/ ++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags) ++{ ++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); ++} ++ + /** + * gnutls_pkcs11_obj_get_flags: + * @obj: The pkcs11 object +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h +index 9d8880709..86cce0dee 100644 +--- a/lib/pkcs11_int.h ++++ b/lib/pkcs11_int.h +@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) + return 0; + } + ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert); ++ + #endif /* ENABLE_PKCS11 */ + + #endif /* GNUTLS_LIB_PKCS11_INT_H */ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index d20267019..fd7c6a164 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + + for (; i < clist_size; i++) { + unsigned vflags; ++ gnutls_x509_crt_t trusted_cert; + + if (i == 0) /* in the end certificate do full comparison */ + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| +@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + +- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { ++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { + +- status |= check_ca_sanity(certificate_list[i], now, flags); ++ status |= check_ca_sanity(trusted_cert, now, flags); ++ gnutls_x509_crt_deinit(trusted_cert); + + if (func) + func(certificate_list[i], +-- +2.26.2 + + +From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 13:59:53 +0200 +Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is + expired + +gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN +to trigger the fallback verification path if the signer of the last +certificate is not in the trust store. Previously, it doesn't take +into account of the condition where the certificate is expired. + +Signed-off-by: Daiki Ueno +--- + lib/x509/verify-high.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index b1421ef17..40638ad3a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + + #define LAST_DN cert_list[cert_list_size-1]->raw_dn + #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn +-/* This macro is introduced to detect a verification output +- * which indicates an unknown signer, or a signer which uses +- * an insecure algorithm (e.g., sha1), something that indicates +- * a superseded signer */ +-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) ++/* This macro is introduced to detect a verification output which ++ * indicates an unknown signer, a signer which uses an insecure ++ * algorithm (e.g., sha1), a signer has expired, or something that ++ * indicates a superseded signer */ ++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ ++ (output & GNUTLS_CERT_EXPIRED) || \ ++ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) + #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) + + /** +-- +2.26.2 + + +From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 14:28:48 +0200 +Subject: [PATCH 3/3] tests: add test case for certificate chain superseding + +Signed-off-by: Daiki Ueno +--- + tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 97 insertions(+) + +diff --git a/tests/test-chains.h b/tests/test-chains.h +index dd19e6a81..9b06b85f5 100644 +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -4010,6 +4010,102 @@ static const char *ed448[] = { + NULL + }; + ++/* This contains an expired intermediate CA, which should be superseded. */ ++static const char *superseding[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" ++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" ++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" ++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" ++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" ++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" ++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" ++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" ++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" ++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" ++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" ++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" ++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" ++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" ++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" ++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" ++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" ++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" ++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" ++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" ++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" ++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" ++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" ++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" ++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" ++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" ++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" ++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" ++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" ++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" ++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" ++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" ++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" ++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" ++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" ++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" ++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" ++ "iJwOKIk=" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ ++static const char *superseding_ca[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" ++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" ++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" ++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" ++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" ++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" ++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" ++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" ++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" ++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" ++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" ++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" ++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" ++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" ++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" ++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" ++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" ++ "izchzb9eow==" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" ++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" ++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" ++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" ++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" ++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" ++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" ++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" ++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" ++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" ++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" ++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" ++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" ++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" ++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" ++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" ++ "eh1COrLsOJo+" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) + # pragma GCC diagnostic push + # pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4178,6 +4274,7 @@ static struct + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + 0, NULL, 1584352960, 1}, ++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, + { NULL, NULL, NULL, 0, 0} + }; + +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index bc7e6bb..ab35232 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,12 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 4%{?dist} +Release: 5%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch Patch5: gnutls-3.6.13-cli-wait-resumption.patch +Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-5 +- Fix cert chain validation behavior if the last cert has expired (#1842178) + * Mon May 25 2020 Anderson Sasaki - 3.6.13-4 - Add option to gnutls-cli to wait for resumption under TLS 1.3 From a68aefef9976711d513faf958bcb9b04b53fb729 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:03:57 +0200 Subject: [PATCH 016/152] Fix cert chain validation behavior if the last cert has expired (#1842178) --- gnutls-3.6.13-superseding-chain.patch | 387 ++++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 392 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch new file mode 100644 index 0000000..99ceca1 --- /dev/null +++ b/gnutls-3.6.13-superseding-chain.patch @@ -0,0 +1,387 @@ +From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 12:39:14 +0200 +Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against + system cert + +To verify a certificate chain, this function replaces known +certificates with the ones in the system trust store if possible. + +However, if it is found, the function checked the validity of the +original certificate rather than the certificate found in the trust +store. That reveals a problem in a scenario that (1) a certificate is +signed by multiple issuers and (2) one of the issuers' certificate has +expired and included in the input chain. + +This patch makes it a little robuster by actually retrieving the +certificate from the trust store and check against it. + +Signed-off-by: Daiki Ueno +--- + lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11_int.h | 5 +++ + lib/x509/verify.c | 7 +++- + 3 files changed, 78 insertions(+), 30 deletions(-) + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index fad16aaf4..662dda441 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, + return ret; + } + +-/** +- * gnutls_pkcs11_crt_is_known: +- * @url: A PKCS 11 url identifying a token +- * @cert: is the certificate to find issuer for +- * @issuer: Will hold the issuer if any in an allocated buffer. +- * @fmt: The format of the exported issuer. +- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. +- * +- * This function will check whether the provided certificate is stored +- * in the specified token. This is useful in combination with +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, +- * to check whether a CA is present or a certificate is blacklisted in +- * a trust PKCS #11 module. +- * +- * This function can be used with a @url of "pkcs11:", and in that case all modules +- * will be searched. To restrict the modules to the marked as trusted in p11-kit +- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. +- * +- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is +- * specific to p11-kit trust modules. +- * +- * Returns: If the certificate exists non-zero is returned, otherwise zero. +- * +- * Since: 3.3.0 +- **/ +-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +- unsigned int flags) ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert) + { + int ret; + struct find_cert_st priv; +@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + + memset(&priv, 0, sizeof(priv)); + ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } ++ + if (url == NULL || url[0] == 0) { + url = "pkcs11:"; + } +@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + gnutls_assert(); + gnutls_free(priv.serial.data); + memset(&priv, 0, sizeof(priv)); ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } + priv.crt = cert; + priv.flags = flags; + +@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + goto cleanup; + } + ++ if (trusted_cert) { ++ ret = gnutls_x509_crt_init(trusted_cert); ++ if (ret < 0) { ++ gnutls_assert(); ++ ret = 0; ++ goto cleanup; ++ } ++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ gnutls_x509_crt_deinit(*trusted_cert); ++ ret = 0; ++ goto cleanup; ++ } ++ } + ret = 1; + + cleanup: ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); + if (info) + p11_kit_uri_free(info); + gnutls_free(priv.serial.data); +@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + return ret; + } + ++/** ++ * gnutls_pkcs11_crt_is_known: ++ * @url: A PKCS 11 url identifying a token ++ * @cert: is the certificate to find issuer for ++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. ++ * ++ * This function will check whether the provided certificate is stored ++ * in the specified token. This is useful in combination with ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, ++ * to check whether a CA is present or a certificate is blacklisted in ++ * a trust PKCS #11 module. ++ * ++ * This function can be used with a @url of "pkcs11:", and in that case all modules ++ * will be searched. To restrict the modules to the marked as trusted in p11-kit ++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. ++ * ++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is ++ * specific to p11-kit trust modules. ++ * ++ * Returns: If the certificate exists non-zero is returned, otherwise zero. ++ * ++ * Since: 3.3.0 ++ **/ ++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags) ++{ ++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); ++} ++ + /** + * gnutls_pkcs11_obj_get_flags: + * @obj: The pkcs11 object +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h +index 9d8880709..86cce0dee 100644 +--- a/lib/pkcs11_int.h ++++ b/lib/pkcs11_int.h +@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) + return 0; + } + ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert); ++ + #endif /* ENABLE_PKCS11 */ + + #endif /* GNUTLS_LIB_PKCS11_INT_H */ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index d20267019..fd7c6a164 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + + for (; i < clist_size; i++) { + unsigned vflags; ++ gnutls_x509_crt_t trusted_cert; + + if (i == 0) /* in the end certificate do full comparison */ + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| +@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + +- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { ++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { + +- status |= check_ca_sanity(certificate_list[i], now, flags); ++ status |= check_ca_sanity(trusted_cert, now, flags); ++ gnutls_x509_crt_deinit(trusted_cert); + + if (func) + func(certificate_list[i], +-- +2.26.2 + + +From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 13:59:53 +0200 +Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is + expired + +gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN +to trigger the fallback verification path if the signer of the last +certificate is not in the trust store. Previously, it doesn't take +into account of the condition where the certificate is expired. + +Signed-off-by: Daiki Ueno +--- + lib/x509/verify-high.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index b1421ef17..40638ad3a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + + #define LAST_DN cert_list[cert_list_size-1]->raw_dn + #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn +-/* This macro is introduced to detect a verification output +- * which indicates an unknown signer, or a signer which uses +- * an insecure algorithm (e.g., sha1), something that indicates +- * a superseded signer */ +-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) ++/* This macro is introduced to detect a verification output which ++ * indicates an unknown signer, a signer which uses an insecure ++ * algorithm (e.g., sha1), a signer has expired, or something that ++ * indicates a superseded signer */ ++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ ++ (output & GNUTLS_CERT_EXPIRED) || \ ++ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) + #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) + + /** +-- +2.26.2 + + +From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 31 May 2020 14:28:48 +0200 +Subject: [PATCH 3/3] tests: add test case for certificate chain superseding + +Signed-off-by: Daiki Ueno +--- + tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 97 insertions(+) + +diff --git a/tests/test-chains.h b/tests/test-chains.h +index dd19e6a81..9b06b85f5 100644 +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -4010,6 +4010,102 @@ static const char *ed448[] = { + NULL + }; + ++/* This contains an expired intermediate CA, which should be superseded. */ ++static const char *superseding[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" ++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" ++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" ++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" ++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" ++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" ++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" ++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" ++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" ++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" ++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" ++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" ++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" ++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" ++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" ++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" ++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" ++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" ++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" ++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" ++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" ++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" ++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" ++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" ++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" ++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" ++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" ++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" ++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" ++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" ++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" ++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" ++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" ++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" ++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" ++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" ++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" ++ "iJwOKIk=" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ ++static const char *superseding_ca[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" ++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" ++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" ++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" ++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" ++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" ++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" ++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" ++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" ++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" ++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" ++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" ++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" ++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" ++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" ++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" ++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" ++ "izchzb9eow==" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" ++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" ++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" ++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" ++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" ++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" ++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" ++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" ++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" ++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" ++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" ++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" ++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" ++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" ++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" ++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" ++ "eh1COrLsOJo+" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) + # pragma GCC diagnostic push + # pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4178,6 +4274,7 @@ static struct + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + 0, NULL, 1584352960, 1}, ++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, + { NULL, NULL, NULL, 0, 0} + }; + +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index febe56d..cf94d7b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,12 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 4%{?dist} +Release: 5%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch Patch5: gnutls-3.6.13-cli-wait-resumption.patch +Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -282,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-5 +- Fix cert chain validation behavior if the last cert has expired (#1842178) + * Mon May 25 2020 Anderson Sasaki - 3.6.13-4 - Add option to gnutls-cli to wait for resumption under TLS 1.3 From 230640c591f99be71d03109eaeabf0bb3a470bd4 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:39:54 +0200 Subject: [PATCH 017/152] Update gnutls-3.6.13-superseding-chain.patch --- gnutls-3.6.13-superseding-chain.patch | 26 +++++++++++++++----------- gnutls.spec | 5 ++++- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch index 99ceca1..4010c42 100644 --- a/gnutls-3.6.13-superseding-chain.patch +++ b/gnutls-3.6.13-superseding-chain.patch @@ -1,4 +1,4 @@ -From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against @@ -7,24 +7,24 @@ Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. -However, if it is found, the function checked the validity of the +However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the -certificate from the trust store and check against it. +certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno --- - lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- - 3 files changed, 78 insertions(+), 30 deletions(-) + 3 files changed, 80 insertions(+), 30 deletions(-) diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..662dda441 100644 +index fad16aaf4..d8d4a6511 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, @@ -82,8 +82,12 @@ index fad16aaf4..662dda441 100644 if (url == NULL || url[0] == 0) { url = "pkcs11:"; } -@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); + /* attempt searching with the subject DN only */ gnutls_assert(); ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { @@ -97,7 +101,7 @@ index fad16aaf4..662dda441 100644 priv.crt = cert; priv.flags = flags; -@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, goto cleanup; } @@ -124,7 +128,7 @@ index fad16aaf4..662dda441 100644 if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); -@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, return ret; } @@ -214,7 +218,7 @@ index d20267019..fd7c6a164 100644 2.26.2 -From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is @@ -257,7 +261,7 @@ index b1421ef17..40638ad3a 100644 2.26.2 -From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 14:28:48 +0200 Subject: [PATCH 3/3] tests: add test case for certificate chain superseding diff --git a/gnutls.spec b/gnutls.spec index ab35232..4d445ec 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 5%{?dist} +Release: 6%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch @@ -283,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-6 +- Update gnutls-3.6.13-superseding-chain.patch + * Sun May 31 2020 Daiki Ueno - 3.6.13-5 - Fix cert chain validation behavior if the last cert has expired (#1842178) From a5bbb28088a75defb5d4ece1ba76c49b19609e6f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 15:39:54 +0200 Subject: [PATCH 018/152] Update gnutls-3.6.13-superseding-chain.patch --- gnutls-3.6.13-superseding-chain.patch | 26 +++++++++++++++----------- gnutls.spec | 5 ++++- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch index 99ceca1..4010c42 100644 --- a/gnutls-3.6.13-superseding-chain.patch +++ b/gnutls-3.6.13-superseding-chain.patch @@ -1,4 +1,4 @@ -From f6ce3a62cb39fb281f5a47c543de7d9db3206050 Mon Sep 17 00:00:00 2001 +From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 12:39:14 +0200 Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against @@ -7,24 +7,24 @@ Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against To verify a certificate chain, this function replaces known certificates with the ones in the system trust store if possible. -However, if it is found, the function checked the validity of the +However, if it is found, the function checks the validity of the original certificate rather than the certificate found in the trust store. That reveals a problem in a scenario that (1) a certificate is signed by multiple issuers and (2) one of the issuers' certificate has expired and included in the input chain. This patch makes it a little robuster by actually retrieving the -certificate from the trust store and check against it. +certificate from the trust store and perform check against it. Signed-off-by: Daiki Ueno --- - lib/pkcs11.c | 96 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- lib/pkcs11_int.h | 5 +++ lib/x509/verify.c | 7 +++- - 3 files changed, 78 insertions(+), 30 deletions(-) + 3 files changed, 80 insertions(+), 30 deletions(-) diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..662dda441 100644 +index fad16aaf4..d8d4a6511 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, @@ -82,8 +82,12 @@ index fad16aaf4..662dda441 100644 if (url == NULL || url[0] == 0) { url = "pkcs11:"; } -@@ -4634,6 +4619,14 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); + /* attempt searching with the subject DN only */ gnutls_assert(); ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); gnutls_free(priv.serial.data); memset(&priv, 0, sizeof(priv)); + if (trusted_cert) { @@ -97,7 +101,7 @@ index fad16aaf4..662dda441 100644 priv.crt = cert; priv.flags = flags; -@@ -4650,9 +4643,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, goto cleanup; } @@ -124,7 +128,7 @@ index fad16aaf4..662dda441 100644 if (info) p11_kit_uri_free(info); gnutls_free(priv.serial.data); -@@ -4660,6 +4670,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, return ret; } @@ -214,7 +218,7 @@ index d20267019..fd7c6a164 100644 2.26.2 -From 2b83f612f2b2647c271969f3df64fb3a52753724 Mon Sep 17 00:00:00 2001 +From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 13:59:53 +0200 Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is @@ -257,7 +261,7 @@ index b1421ef17..40638ad3a 100644 2.26.2 -From e337e56adfeeb4af7fe34291ed15d15b362a94bb Mon Sep 17 00:00:00 2001 +From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 31 May 2020 14:28:48 +0200 Subject: [PATCH 3/3] tests: add test case for certificate chain superseding diff --git a/gnutls.spec b/gnutls.spec index cf94d7b..83bd54b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.13 -Release: 5%{?dist} +Release: 6%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch @@ -283,6 +283,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun May 31 2020 Daiki Ueno - 3.6.13-6 +- Update gnutls-3.6.13-superseding-chain.patch + * Sun May 31 2020 Daiki Ueno - 3.6.13-5 - Fix cert chain validation behavior if the last cert has expired (#1842178) From 86e1a47129223d0fd07ec7533dcff668a5421e05 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 4 Jun 2020 08:11:47 +0200 Subject: [PATCH 019/152] Update to 3.6.14-1. --- .gitignore | 3 + ...s-3.6.13-bump-linked-libs-soname-f33.patch | 13 - gnutls-3.6.13-cli-wait-resumption.patch | 87 ---- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ------ gnutls-3.6.13-superseding-chain.patch | 391 ------------------ gnutls.spec | 11 +- sources | 5 +- 7 files changed, 9 insertions(+), 625 deletions(-) delete mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f33.patch delete mode 100644 gnutls-3.6.13-cli-wait-resumption.patch delete mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch delete mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/.gitignore b/.gitignore index 9dec2f3..7d1a9d2 100644 --- a/.gitignore +++ b/.gitignore @@ -124,3 +124,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.13.tar.xz.sig /gnutls-3.6.13.tar.xz +/gnutls-3.6.14.tar.xz +/gnutls-3.6.14.tar.xz.sig +/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f33.patch b/gnutls-3.6.13-bump-linked-libs-soname-f33.patch deleted file mode 100644 index 5888f1c..0000000 --- a/gnutls-3.6.13-bump-linked-libs-soname-f33.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 -+++ b/lib/fips.c 2020-05-13 17:29:43.098868100 +0200 -@@ -136,8 +136,8 @@ - } - - #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" --#define NETTLE_LIBRARY_NAME "libnettle.so.6" --#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" -+#define NETTLE_LIBRARY_NAME "libnettle.so.8" -+#define HOGWEED_LIBRARY_NAME "libhogweed.so.6" - #define GMP_LIBRARY_NAME "libgmp.so.10" - - #define HMAC_SUFFIX ".hmac" diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch deleted file mode 100644 index 4c56344..0000000 --- a/gnutls-3.6.13-cli-wait-resumption.patch +++ /dev/null @@ -1,87 +0,0 @@ -From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Fri, 20 Mar 2020 16:37:33 +0100 -Subject: [PATCH] gnutls-cli: Add option to wait for resumption data - -This introduces the --waitresumption command line option which makes the -client to wait for the resumption data until a ticket is received under -TLS1.3. The client will block if no ticket is received. The new option -has no effect if the option --resume is not provided. - -This is useful to force the client to wait for the resumption data when -the server takes long to send the ticket, allowing the session -resumption to be tested. This is a common scenario in CI systems where -the testing machines have limited resources. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/cli-args.def | 6 ++++++ - src/cli.c | 21 +++++++++++++++------ - 2 files changed, 21 insertions(+), 6 deletions(-) - -diff --git a/src/cli-args.def b/src/cli-args.def -index a8760fab9..56ae77b07 100644 ---- a/src/cli-args.def -+++ b/src/cli-args.def -@@ -471,6 +471,12 @@ flag = { - doc = ""; - }; - -+flag = { -+ name = waitresumption; -+ descrip = "Block waiting for the resumption data under TLS1.3"; -+ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; -+}; -+ - doc-section = { - ds-type = 'SEE ALSO'; // or anything else - ds-format = 'texi'; // or texi or mdoc format -diff --git a/src/cli.c b/src/cli.c -index db072b930..c3d074f08 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -78,7 +78,7 @@ - - /* global stuff here */ - int resume, starttls, insecure, ranges, rehandshake, udp, mtu, -- inline_commands; -+ inline_commands, waitresumption; - unsigned int global_vflags = 0; - char *hostname = NULL; - char service[32]=""; -@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) - gnutls_datum_t edata = {NULL, 0}; - - if (gnutls_session_is_resumed(hd->session) == 0) { -- /* not resumed - obtain the session data */ -- ret = gnutls_session_get_data2(hd->session, &rdata); -- if (ret < 0) { -- rdata.data = NULL; -- } -+ do { -+ /* not resumed - obtain the session data */ -+ ret = gnutls_session_get_data2(hd->session, &rdata); -+ if (ret < 0) { -+ rdata.data = NULL; -+ } -+ -+ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || -+ ((gnutls_session_get_flags(hd->session) & -+ GNUTLS_SFLAGS_SESSION_TICKET))) { -+ break; -+ } -+ } while (waitresumption); - } else { - /* resumed - try to reuse the previous session data */ - rdata.data = hd->rdata.data; -@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) - rehandshake = HAVE_OPT(REHANDSHAKE); - insecure = HAVE_OPT(INSECURE); - ranges = HAVE_OPT(RANGES); -+ waitresumption = HAVE_OPT(WAITRESUMPTION); - - if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { - global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; --- -2.25.4 - diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch deleted file mode 100644 index 559ea0a..0000000 --- a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2019 17:01:05 +0200 -Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests - -Nettle's RSA signing, encryption and decryption functions still -require randomness for blinding, so fallback to use a fixed buffer in -selftests where entropy might not be available. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- - 1 file changed, 33 insertions(+), 4 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 15ad4b4e9..ccf403b00 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) - nettle_mpz_get_str_256 (length, data, *k); - } - -+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) -+{ -+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ } -+ -+ memset(data, 0xAA, length); -+} -+ - static void - ecc_scalar_zclear (struct ecc_scalar *s) - { -@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - case GNUTLS_PK_RSA: - { - struct rsa_public_key pub; -+ nettle_random_func *random_func; - - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { -@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_encrypt(&pub, NULL, rnd_nonce_func, -+ rsa_encrypt(&pub, NULL, random_func, - plaintext->size, plaintext->data, - p); - if (ret == 0 || HAVE_LIB_ERROR()) { -@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - struct rsa_public_key pub; - size_t length; - bigint_t c; -+ nettle_random_func *random_func; - - _rsa_params_to_privkey(pk_params, &priv); - ret = _rsa_params_to_pubkey(pk_params, &pub); -@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_decrypt_tr(&pub, &priv, NULL, random_func, - &length, plaintext->data, - TOMPZ(c)); - _gnutls_mpi_release(&c); -@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - bigint_t c; - uint32_t is_err; - int ret; -+ nettle_random_func *random_func; - - if (algo != GNUTLS_PK_RSA || plaintext == NULL) { - gnutls_assert(); -@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); - } - -- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; -+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, - plaintext_size, plaintext, TOMPZ(c)); - /* after this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side -@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - { - struct rsa_private_key priv; - struct rsa_public_key pub; -+ nettle_random_func *random_func; - mpz_t s; - - _rsa_params_to_privkey(pk_params, &priv); -@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - mpz_init(s); - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, - vdata->size, vdata->data, s); - if (ret == 0 || HAVE_LIB_ERROR()) { - gnutls_assert(); --- -2.25.4 - diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch deleted file mode 100644 index 4010c42..0000000 --- a/gnutls-3.6.13-superseding-chain.patch +++ /dev/null @@ -1,391 +0,0 @@ -From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 12:39:14 +0200 -Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against - system cert - -To verify a certificate chain, this function replaces known -certificates with the ones in the system trust store if possible. - -However, if it is found, the function checks the validity of the -original certificate rather than the certificate found in the trust -store. That reveals a problem in a scenario that (1) a certificate is -signed by multiple issuers and (2) one of the issuers' certificate has -expired and included in the input chain. - -This patch makes it a little robuster by actually retrieving the -certificate from the trust store and perform check against it. - -Signed-off-by: Daiki Ueno ---- - lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- - lib/pkcs11_int.h | 5 +++ - lib/x509/verify.c | 7 +++- - 3 files changed, 80 insertions(+), 30 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..d8d4a6511 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, - return ret; - } - --/** -- * gnutls_pkcs11_crt_is_known: -- * @url: A PKCS 11 url identifying a token -- * @cert: is the certificate to find issuer for -- * @issuer: Will hold the issuer if any in an allocated buffer. -- * @fmt: The format of the exported issuer. -- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -- * -- * This function will check whether the provided certificate is stored -- * in the specified token. This is useful in combination with -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -- * to check whether a CA is present or a certificate is blacklisted in -- * a trust PKCS #11 module. -- * -- * This function can be used with a @url of "pkcs11:", and in that case all modules -- * will be searched. To restrict the modules to the marked as trusted in p11-kit -- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -- * -- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -- * specific to p11-kit trust modules. -- * -- * Returns: If the certificate exists non-zero is returned, otherwise zero. -- * -- * Since: 3.3.0 -- **/ --unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -- unsigned int flags) -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert) - { - int ret; - struct find_cert_st priv; -@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - - memset(&priv, 0, sizeof(priv)); - -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } -+ - if (url == NULL || url[0] == 0) { - url = "pkcs11:"; - } -@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); - /* attempt searching with the subject DN only */ - gnutls_assert(); -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - gnutls_free(priv.serial.data); - memset(&priv, 0, sizeof(priv)); -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } - priv.crt = cert; - priv.flags = flags; - -@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - goto cleanup; - } - -+ if (trusted_cert) { -+ ret = gnutls_x509_crt_init(trusted_cert); -+ if (ret < 0) { -+ gnutls_assert(); -+ ret = 0; -+ goto cleanup; -+ } -+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ gnutls_x509_crt_deinit(*trusted_cert); -+ ret = 0; -+ goto cleanup; -+ } -+ } - ret = 1; - - cleanup: -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - if (info) - p11_kit_uri_free(info); - gnutls_free(priv.serial.data); -@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - return ret; - } - -+/** -+ * gnutls_pkcs11_crt_is_known: -+ * @url: A PKCS 11 url identifying a token -+ * @cert: is the certificate to find issuer for -+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -+ * -+ * This function will check whether the provided certificate is stored -+ * in the specified token. This is useful in combination with -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -+ * to check whether a CA is present or a certificate is blacklisted in -+ * a trust PKCS #11 module. -+ * -+ * This function can be used with a @url of "pkcs11:", and in that case all modules -+ * will be searched. To restrict the modules to the marked as trusted in p11-kit -+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -+ * -+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -+ * specific to p11-kit trust modules. -+ * -+ * Returns: If the certificate exists non-zero is returned, otherwise zero. -+ * -+ * Since: 3.3.0 -+ **/ -+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags) -+{ -+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); -+} -+ - /** - * gnutls_pkcs11_obj_get_flags: - * @obj: The pkcs11 object -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 9d8880709..86cce0dee 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) - return 0; - } - -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert); -+ - #endif /* ENABLE_PKCS11 */ - - #endif /* GNUTLS_LIB_PKCS11_INT_H */ -diff --git a/lib/x509/verify.c b/lib/x509/verify.c -index d20267019..fd7c6a164 100644 ---- a/lib/x509/verify.c -+++ b/lib/x509/verify.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - - for (; i < clist_size; i++) { - unsigned vflags; -+ gnutls_x509_crt_t trusted_cert; - - if (i == 0) /* in the end certificate do full comparison */ - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| -@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| - GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - -- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { -+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - -- status |= check_ca_sanity(certificate_list[i], now, flags); -+ status |= check_ca_sanity(trusted_cert, now, flags); -+ gnutls_x509_crt_deinit(trusted_cert); - - if (func) - func(certificate_list[i], --- -2.26.2 - - -From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 13:59:53 +0200 -Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is - expired - -gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN -to trigger the fallback verification path if the signer of the last -certificate is not in the trust store. Previously, it doesn't take -into account of the condition where the certificate is expired. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index b1421ef17..40638ad3a 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - - #define LAST_DN cert_list[cert_list_size-1]->raw_dn - #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn --/* This macro is introduced to detect a verification output -- * which indicates an unknown signer, or a signer which uses -- * an insecure algorithm (e.g., sha1), something that indicates -- * a superseded signer */ --#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) -+/* This macro is introduced to detect a verification output which -+ * indicates an unknown signer, a signer which uses an insecure -+ * algorithm (e.g., sha1), a signer has expired, or something that -+ * indicates a superseded signer */ -+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ -+ (output & GNUTLS_CERT_EXPIRED) || \ -+ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) - #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) - - /** --- -2.26.2 - - -From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 14:28:48 +0200 -Subject: [PATCH 3/3] tests: add test case for certificate chain superseding - -Signed-off-by: Daiki Ueno ---- - tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 97 insertions(+) - -diff --git a/tests/test-chains.h b/tests/test-chains.h -index dd19e6a81..9b06b85f5 100644 ---- a/tests/test-chains.h -+++ b/tests/test-chains.h -@@ -4010,6 +4010,102 @@ static const char *ed448[] = { - NULL - }; - -+/* This contains an expired intermediate CA, which should be superseded. */ -+static const char *superseding[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" -+ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" -+ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" -+ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" -+ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" -+ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" -+ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" -+ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" -+ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" -+ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" -+ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" -+ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" -+ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" -+ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" -+ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" -+ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" -+ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" -+ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" -+ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" -+ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" -+ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" -+ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" -+ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" -+ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" -+ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" -+ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" -+ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" -+ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" -+ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" -+ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" -+ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" -+ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" -+ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" -+ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" -+ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" -+ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" -+ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" -+ "iJwOKIk=" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ -+static const char *superseding_ca[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" -+ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" -+ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" -+ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" -+ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" -+ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" -+ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" -+ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" -+ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" -+ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" -+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" -+ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" -+ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" -+ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" -+ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" -+ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" -+ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" -+ "izchzb9eow==" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" -+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" -+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" -+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" -+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" -+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" -+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" -+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" -+ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" -+ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" -+ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" -+ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" -+ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" -+ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" -+ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" -+ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" -+ "eh1COrLsOJo+" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ - #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) - # pragma GCC diagnostic push - # pragma GCC diagnostic ignored "-Wunused-variable" -@@ -4178,6 +4274,7 @@ static struct - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, - { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - 0, NULL, 1584352960, 1}, -+ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, - { NULL, NULL, NULL, 0, 0} - }; - --- -2.26.2 - diff --git a/gnutls.spec b/gnutls.spec index 4d445ec..c41ac17 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.13 -Release: 6%{?dist} +Version: 3.6.14 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch -Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch -Patch5: gnutls-3.6.13-cli-wait-resumption.patch -Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -51,7 +47,7 @@ BuildRequires: guile22-devel URL: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -147,7 +143,6 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -autoreconf sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h diff --git a/sources b/sources index 08912b9..322ad17 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 -SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c +SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 +SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 79aed5310bd1cdb369057a2b6b8a57ad868cefbf Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 4 Jun 2020 08:53:10 +0200 Subject: [PATCH 020/152] Add missing changelog entry --- gnutls.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index c41ac17..1ed6680 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -278,6 +278,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 +- Update to upstream 3.6.14 release + * Sun May 31 2020 Daiki Ueno - 3.6.13-6 - Update gnutls-3.6.13-superseding-chain.patch From 7b240b09595173d9c398e95fe5c5c0637b0206d2 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 4 Jun 2020 08:11:47 +0200 Subject: [PATCH 021/152] Update to 3.6.14-1 --- .gitignore | 3 + ...s-3.6.13-bump-linked-libs-soname-f32.patch | 13 - gnutls-3.6.13-cli-wait-resumption.patch | 87 ---- ...sable-RSA-blinding-in-FIPS-selftests.patch | 124 ------ gnutls-3.6.13-superseding-chain.patch | 391 ------------------ gnutls.spec | 14 +- sources | 5 +- 7 files changed, 12 insertions(+), 625 deletions(-) delete mode 100644 gnutls-3.6.13-bump-linked-libs-soname-f32.patch delete mode 100644 gnutls-3.6.13-cli-wait-resumption.patch delete mode 100644 gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch delete mode 100644 gnutls-3.6.13-superseding-chain.patch diff --git a/.gitignore b/.gitignore index 9dec2f3..7d1a9d2 100644 --- a/.gitignore +++ b/.gitignore @@ -124,3 +124,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.13.tar.xz.sig /gnutls-3.6.13.tar.xz +/gnutls-3.6.14.tar.xz +/gnutls-3.6.14.tar.xz.sig +/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch b/gnutls-3.6.13-bump-linked-libs-soname-f32.patch deleted file mode 100644 index e48477a..0000000 --- a/gnutls-3.6.13-bump-linked-libs-soname-f32.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100 -+++ b/lib/fips.c 2020-05-13 17:31:47.310301627 +0200 -@@ -136,8 +136,8 @@ - } - - #define GNUTLS_LIBRARY_NAME "libgnutls.so.30" --#define NETTLE_LIBRARY_NAME "libnettle.so.6" --#define HOGWEED_LIBRARY_NAME "libhogweed.so.4" -+#define NETTLE_LIBRARY_NAME "libnettle.so.7" -+#define HOGWEED_LIBRARY_NAME "libhogweed.so.5" - #define GMP_LIBRARY_NAME "libgmp.so.10" - - #define HMAC_SUFFIX ".hmac" diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch deleted file mode 100644 index 4c56344..0000000 --- a/gnutls-3.6.13-cli-wait-resumption.patch +++ /dev/null @@ -1,87 +0,0 @@ -From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Fri, 20 Mar 2020 16:37:33 +0100 -Subject: [PATCH] gnutls-cli: Add option to wait for resumption data - -This introduces the --waitresumption command line option which makes the -client to wait for the resumption data until a ticket is received under -TLS1.3. The client will block if no ticket is received. The new option -has no effect if the option --resume is not provided. - -This is useful to force the client to wait for the resumption data when -the server takes long to send the ticket, allowing the session -resumption to be tested. This is a common scenario in CI systems where -the testing machines have limited resources. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/cli-args.def | 6 ++++++ - src/cli.c | 21 +++++++++++++++------ - 2 files changed, 21 insertions(+), 6 deletions(-) - -diff --git a/src/cli-args.def b/src/cli-args.def -index a8760fab9..56ae77b07 100644 ---- a/src/cli-args.def -+++ b/src/cli-args.def -@@ -471,6 +471,12 @@ flag = { - doc = ""; - }; - -+flag = { -+ name = waitresumption; -+ descrip = "Block waiting for the resumption data under TLS1.3"; -+ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; -+}; -+ - doc-section = { - ds-type = 'SEE ALSO'; // or anything else - ds-format = 'texi'; // or texi or mdoc format -diff --git a/src/cli.c b/src/cli.c -index db072b930..c3d074f08 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -78,7 +78,7 @@ - - /* global stuff here */ - int resume, starttls, insecure, ranges, rehandshake, udp, mtu, -- inline_commands; -+ inline_commands, waitresumption; - unsigned int global_vflags = 0; - char *hostname = NULL; - char service[32]=""; -@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) - gnutls_datum_t edata = {NULL, 0}; - - if (gnutls_session_is_resumed(hd->session) == 0) { -- /* not resumed - obtain the session data */ -- ret = gnutls_session_get_data2(hd->session, &rdata); -- if (ret < 0) { -- rdata.data = NULL; -- } -+ do { -+ /* not resumed - obtain the session data */ -+ ret = gnutls_session_get_data2(hd->session, &rdata); -+ if (ret < 0) { -+ rdata.data = NULL; -+ } -+ -+ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || -+ ((gnutls_session_get_flags(hd->session) & -+ GNUTLS_SFLAGS_SESSION_TICKET))) { -+ break; -+ } -+ } while (waitresumption); - } else { - /* resumed - try to reuse the previous session data */ - rdata.data = hd->rdata.data; -@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) - rehandshake = HAVE_OPT(REHANDSHAKE); - insecure = HAVE_OPT(INSECURE); - ranges = HAVE_OPT(RANGES); -+ waitresumption = HAVE_OPT(WAITRESUMPTION); - - if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { - global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; --- -2.25.4 - diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch deleted file mode 100644 index 559ea0a..0000000 --- a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2019 17:01:05 +0200 -Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests - -Nettle's RSA signing, encryption and decryption functions still -require randomness for blinding, so fallback to use a fixed buffer in -selftests where entropy might not be available. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- - 1 file changed, 33 insertions(+), 4 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 15ad4b4e9..ccf403b00 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) - nettle_mpz_get_str_256 (length, data, *k); - } - -+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) -+{ -+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ } -+ -+ memset(data, 0xAA, length); -+} -+ - static void - ecc_scalar_zclear (struct ecc_scalar *s) - { -@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - case GNUTLS_PK_RSA: - { - struct rsa_public_key pub; -+ nettle_random_func *random_func; - - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { -@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_encrypt(&pub, NULL, rnd_nonce_func, -+ rsa_encrypt(&pub, NULL, random_func, - plaintext->size, plaintext->data, - p); - if (ret == 0 || HAVE_LIB_ERROR()) { -@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - struct rsa_public_key pub; - size_t length; - bigint_t c; -+ nettle_random_func *random_func; - - _rsa_params_to_privkey(pk_params, &priv); - ret = _rsa_params_to_pubkey(pk_params, &pub); -@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_decrypt_tr(&pub, &priv, NULL, random_func, - &length, plaintext->data, - TOMPZ(c)); - _gnutls_mpi_release(&c); -@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - bigint_t c; - uint32_t is_err; - int ret; -+ nettle_random_func *random_func; - - if (algo != GNUTLS_PK_RSA || plaintext == NULL) { - gnutls_assert(); -@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); - } - -- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; -+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, - plaintext_size, plaintext, TOMPZ(c)); - /* after this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side -@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - { - struct rsa_private_key priv; - struct rsa_public_key pub; -+ nettle_random_func *random_func; - mpz_t s; - - _rsa_params_to_privkey(pk_params, &priv); -@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - mpz_init(s); - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, - vdata->size, vdata->data, s); - if (ret == 0 || HAVE_LIB_ERROR()) { - gnutls_assert(); --- -2.25.4 - diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch deleted file mode 100644 index 4010c42..0000000 --- a/gnutls-3.6.13-superseding-chain.patch +++ /dev/null @@ -1,391 +0,0 @@ -From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 12:39:14 +0200 -Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against - system cert - -To verify a certificate chain, this function replaces known -certificates with the ones in the system trust store if possible. - -However, if it is found, the function checks the validity of the -original certificate rather than the certificate found in the trust -store. That reveals a problem in a scenario that (1) a certificate is -signed by multiple issuers and (2) one of the issuers' certificate has -expired and included in the input chain. - -This patch makes it a little robuster by actually retrieving the -certificate from the trust store and perform check against it. - -Signed-off-by: Daiki Ueno ---- - lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- - lib/pkcs11_int.h | 5 +++ - lib/x509/verify.c | 7 +++- - 3 files changed, 80 insertions(+), 30 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..d8d4a6511 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, - return ret; - } - --/** -- * gnutls_pkcs11_crt_is_known: -- * @url: A PKCS 11 url identifying a token -- * @cert: is the certificate to find issuer for -- * @issuer: Will hold the issuer if any in an allocated buffer. -- * @fmt: The format of the exported issuer. -- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -- * -- * This function will check whether the provided certificate is stored -- * in the specified token. This is useful in combination with -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -- * to check whether a CA is present or a certificate is blacklisted in -- * a trust PKCS #11 module. -- * -- * This function can be used with a @url of "pkcs11:", and in that case all modules -- * will be searched. To restrict the modules to the marked as trusted in p11-kit -- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -- * -- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -- * specific to p11-kit trust modules. -- * -- * Returns: If the certificate exists non-zero is returned, otherwise zero. -- * -- * Since: 3.3.0 -- **/ --unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -- unsigned int flags) -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert) - { - int ret; - struct find_cert_st priv; -@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - - memset(&priv, 0, sizeof(priv)); - -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } -+ - if (url == NULL || url[0] == 0) { - url = "pkcs11:"; - } -@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); - /* attempt searching with the subject DN only */ - gnutls_assert(); -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - gnutls_free(priv.serial.data); - memset(&priv, 0, sizeof(priv)); -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } - priv.crt = cert; - priv.flags = flags; - -@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - goto cleanup; - } - -+ if (trusted_cert) { -+ ret = gnutls_x509_crt_init(trusted_cert); -+ if (ret < 0) { -+ gnutls_assert(); -+ ret = 0; -+ goto cleanup; -+ } -+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ gnutls_x509_crt_deinit(*trusted_cert); -+ ret = 0; -+ goto cleanup; -+ } -+ } - ret = 1; - - cleanup: -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - if (info) - p11_kit_uri_free(info); - gnutls_free(priv.serial.data); -@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - return ret; - } - -+/** -+ * gnutls_pkcs11_crt_is_known: -+ * @url: A PKCS 11 url identifying a token -+ * @cert: is the certificate to find issuer for -+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -+ * -+ * This function will check whether the provided certificate is stored -+ * in the specified token. This is useful in combination with -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -+ * to check whether a CA is present or a certificate is blacklisted in -+ * a trust PKCS #11 module. -+ * -+ * This function can be used with a @url of "pkcs11:", and in that case all modules -+ * will be searched. To restrict the modules to the marked as trusted in p11-kit -+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -+ * -+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -+ * specific to p11-kit trust modules. -+ * -+ * Returns: If the certificate exists non-zero is returned, otherwise zero. -+ * -+ * Since: 3.3.0 -+ **/ -+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags) -+{ -+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); -+} -+ - /** - * gnutls_pkcs11_obj_get_flags: - * @obj: The pkcs11 object -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 9d8880709..86cce0dee 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) - return 0; - } - -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert); -+ - #endif /* ENABLE_PKCS11 */ - - #endif /* GNUTLS_LIB_PKCS11_INT_H */ -diff --git a/lib/x509/verify.c b/lib/x509/verify.c -index d20267019..fd7c6a164 100644 ---- a/lib/x509/verify.c -+++ b/lib/x509/verify.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - - for (; i < clist_size; i++) { - unsigned vflags; -+ gnutls_x509_crt_t trusted_cert; - - if (i == 0) /* in the end certificate do full comparison */ - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| -@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| - GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - -- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { -+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - -- status |= check_ca_sanity(certificate_list[i], now, flags); -+ status |= check_ca_sanity(trusted_cert, now, flags); -+ gnutls_x509_crt_deinit(trusted_cert); - - if (func) - func(certificate_list[i], --- -2.26.2 - - -From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 13:59:53 +0200 -Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is - expired - -gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN -to trigger the fallback verification path if the signer of the last -certificate is not in the trust store. Previously, it doesn't take -into account of the condition where the certificate is expired. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index b1421ef17..40638ad3a 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - - #define LAST_DN cert_list[cert_list_size-1]->raw_dn - #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn --/* This macro is introduced to detect a verification output -- * which indicates an unknown signer, or a signer which uses -- * an insecure algorithm (e.g., sha1), something that indicates -- * a superseded signer */ --#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) -+/* This macro is introduced to detect a verification output which -+ * indicates an unknown signer, a signer which uses an insecure -+ * algorithm (e.g., sha1), a signer has expired, or something that -+ * indicates a superseded signer */ -+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ -+ (output & GNUTLS_CERT_EXPIRED) || \ -+ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) - #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) - - /** --- -2.26.2 - - -From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 14:28:48 +0200 -Subject: [PATCH 3/3] tests: add test case for certificate chain superseding - -Signed-off-by: Daiki Ueno ---- - tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 97 insertions(+) - -diff --git a/tests/test-chains.h b/tests/test-chains.h -index dd19e6a81..9b06b85f5 100644 ---- a/tests/test-chains.h -+++ b/tests/test-chains.h -@@ -4010,6 +4010,102 @@ static const char *ed448[] = { - NULL - }; - -+/* This contains an expired intermediate CA, which should be superseded. */ -+static const char *superseding[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" -+ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" -+ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" -+ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" -+ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" -+ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" -+ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" -+ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" -+ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" -+ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" -+ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" -+ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" -+ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" -+ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" -+ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" -+ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" -+ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" -+ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" -+ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" -+ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" -+ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" -+ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" -+ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" -+ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" -+ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" -+ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" -+ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" -+ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" -+ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" -+ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" -+ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" -+ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" -+ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" -+ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" -+ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" -+ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" -+ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" -+ "iJwOKIk=" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ -+static const char *superseding_ca[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" -+ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" -+ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" -+ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" -+ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" -+ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" -+ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" -+ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" -+ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" -+ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" -+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" -+ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" -+ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" -+ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" -+ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" -+ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" -+ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" -+ "izchzb9eow==" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" -+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" -+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" -+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" -+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" -+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" -+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" -+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" -+ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" -+ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" -+ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" -+ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" -+ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" -+ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" -+ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" -+ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" -+ "eh1COrLsOJo+" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ - #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) - # pragma GCC diagnostic push - # pragma GCC diagnostic ignored "-Wunused-variable" -@@ -4178,6 +4274,7 @@ static struct - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, - { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - 0, NULL, 1584352960, 1}, -+ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, - { NULL, NULL, NULL, 0, 0} - }; - --- -2.26.2 - diff --git a/gnutls.spec b/gnutls.spec index 83bd54b..a602060 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.13 -Release: 6%{?dist} +Version: 3.6.14 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.13-bump-linked-libs-soname-f32.patch -Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch -Patch5: gnutls-3.6.13-cli-wait-resumption.patch -Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -51,7 +47,7 @@ BuildRequires: guile22-devel URL: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -147,7 +143,6 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -autoreconf sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h @@ -283,6 +278,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 +- Update to upstream 3.6.14 release + * Sun May 31 2020 Daiki Ueno - 3.6.13-6 - Update gnutls-3.6.13-superseding-chain.patch diff --git a/sources b/sources index 08912b9..322ad17 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 -SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c +SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 +SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 7ed5f7db0d37b99df19be4596a5e72922faa1595 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 14:58:13 +0200 Subject: [PATCH 022/152] Fix memory leak when serializing iovec_t Resolves: #1845083 --- gnutls-3.6.14-fix-iovec-memory-leak.patch | 152 ++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.14-fix-iovec-memory-leak.patch diff --git a/gnutls-3.6.14-fix-iovec-memory-leak.patch b/gnutls-3.6.14-fix-iovec-memory-leak.patch new file mode 100644 index 0000000..15b2c51 --- /dev/null +++ b/gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -0,0 +1,152 @@ +From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 5 Jun 2020 16:26:33 +0200 +Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t + +The AEAD iov interface falls back to serializing the input buffers if +the low-level cipher doesn't support scatter/gather encryption. +However, there was a bug in the functions used for the serialization, +which causes memory leaks under a certain condition (i.e. the number +of input buffers is 1). + +This patch makes the logic of the functions simpler, by removing a +micro-optimization that tries to minimize the number of calls to +malloc/free. + +The original problem was reported by Marius Steffen in: +https://bugzilla.samba.org/show_bug.cgi?id=14399 +and the cause was investigated by Alexander Haase in: +https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 36 +++++++++++------------------------- + tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 40 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 45be64ed1..8524f5ed4 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, + struct iov_store_st { + void *data; + size_t size; +- unsigned allocated; + }; + + static void iov_store_free(struct iov_store_st *s) + { +- if (s->allocated) { +- gnutls_free(s->data); +- s->allocated = 0; +- } ++ gnutls_free(s->data); + } + + static int iov_store_grow(struct iov_store_st *s, size_t length) + { +- if (s->allocated || s->data == NULL) { +- s->size += length; +- s->data = gnutls_realloc(s->data, s->size); +- if (s->data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- s->allocated = 1; +- } else { +- void *data = s->data; +- size_t size = s->size + length; +- s->data = gnutls_malloc(size); +- memcpy(s->data, data, s->size); +- s->size += length; +- } ++ void *data; ++ ++ s->size += length; ++ data = gnutls_realloc(s->data, s->size); ++ if (data == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ s->data = data; + return 0; + } + +@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + memset(dst, 0, sizeof(*dst)); + if (iovcnt == 0) { + return 0; +- } else if (iovcnt == 1) { +- dst->data = iov[0].iov_base; +- dst->size = iov[0].iov_len; +- /* implies: dst->allocated = 0; */ +- return 0; + } else { + int i; + uint8_t *p; +@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + + p = dst->data; + for (i=0;i 0) ++ memcpy(p, iov[i].iov_base, iov[i].iov_len); + p += iov[i].iov_len; + } + +- dst->allocated = 1; + return 0; + } + } +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +index fba9010d9..6a30a35f7 100644 +--- a/tests/aead-cipher-vec.c ++++ b/tests/aead-cipher-vec.c +@@ -49,6 +49,7 @@ static void start(const char *name, int algo) + giovec_t auth_iov[2]; + uint8_t tag[64]; + size_t tag_size = 0; ++ size_t i; + + key.data = key16; + key.size = gnutls_cipher_get_key_size(algo); +@@ -82,21 +83,23 @@ static void start(const char *name, int algo) + if (ret < 0) + fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); + +- ret = gnutls_aead_cipher_encryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, &tag_size); +- if (ret < 0) +- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); +- +- ret = gnutls_aead_cipher_decryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, tag_size); +- if (ret < 0) +- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ for (i = 0; i < 2; i++) { ++ ret = gnutls_aead_cipher_encryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, &tag_size); ++ if (ret < 0) ++ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_decryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, tag_size); ++ if (ret < 0) ++ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ } + + gnutls_aead_cipher_deinit(ch); + } +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index 1ed6680..16c40c4 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -278,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 +- Fix memory leak when serializing iovec_t (#1845083) + * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From 62fe4ffb9837e0b2024cdc1a904a099ea321949e Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 18:14:26 +0200 Subject: [PATCH 023/152] Fix automatic libraries soname detection Previously, the automatic soname detection were failing when the -Wl,--as-needed option was provided in LDFLAGS, which lead the FIPS self-tests to fail. --- ....6.14-configure-fix-soname-detection.patch | 60 +++++++++++++++++++ gnutls.spec | 2 + 2 files changed, 62 insertions(+) create mode 100644 gnutls-3.6.14-configure-fix-soname-detection.patch diff --git a/gnutls-3.6.14-configure-fix-soname-detection.patch b/gnutls-3.6.14-configure-fix-soname-detection.patch new file mode 100644 index 0000000..28b33ad --- /dev/null +++ b/gnutls-3.6.14-configure-fix-soname-detection.patch @@ -0,0 +1,60 @@ +From b57b820a3f0464e3151dd675af4f28ad109d683c Mon Sep 17 00:00:00 2001 +From: Vitezslav Cizek +Date: Tue, 9 Jun 2020 13:54:04 +0200 +Subject: [PATCH] configure: improve nettle, gmp, and hogweed soname detection + +Some linkers might optimize away the libraries passed on the +command line if they aren't actually needed, such as gnu ld with +--as-needed. +The ldd output then won't list the shared libraries and the +detection will fail. +Make sure nettle and others are really used. + +Signed-off-by: Vitezslav Cizek +--- + configure.ac | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e4ca66aec..ccbe4e563 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -741,7 +741,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $GMP_LIBS" + AC_MSG_CHECKING([gmp soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ mpz_t n; ++ mpz_init(n);])], + [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], + [gmp_so=none]) + if test -z "$gmp_so"; then +@@ -754,7 +757,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $NETTLE_LIBS" + AC_MSG_CHECKING([nettle soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct sha256_ctx ctx; ++ sha256_init(&ctx);])], + [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], + [nettle_so=none]) + if test -z "$nettle_so"; then +@@ -767,7 +773,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $HOGWEED_LIBS" + AC_MSG_CHECKING([hogweed soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct rsa_private_key priv; ++ nettle_rsa_private_key_init(&priv);])], + [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], + [hogweed_so=none]) + if test -z "$hogweed_so"; then +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index 16c40c4..1973b8f 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -4,6 +4,7 @@ Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch +Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %changelog * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) +- Fix automatic libraries sonames detection (#1845806) * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From cf8e00c764682fa0da93cdfa5e49ca85acdde987 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 14:58:13 +0200 Subject: [PATCH 024/152] Fix memory leak when serializing iovec_t Resolves: #1845083 --- gnutls-3.6.14-fix-iovec-memory-leak.patch | 152 ++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.14-fix-iovec-memory-leak.patch diff --git a/gnutls-3.6.14-fix-iovec-memory-leak.patch b/gnutls-3.6.14-fix-iovec-memory-leak.patch new file mode 100644 index 0000000..15b2c51 --- /dev/null +++ b/gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -0,0 +1,152 @@ +From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 5 Jun 2020 16:26:33 +0200 +Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t + +The AEAD iov interface falls back to serializing the input buffers if +the low-level cipher doesn't support scatter/gather encryption. +However, there was a bug in the functions used for the serialization, +which causes memory leaks under a certain condition (i.e. the number +of input buffers is 1). + +This patch makes the logic of the functions simpler, by removing a +micro-optimization that tries to minimize the number of calls to +malloc/free. + +The original problem was reported by Marius Steffen in: +https://bugzilla.samba.org/show_bug.cgi?id=14399 +and the cause was investigated by Alexander Haase in: +https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 36 +++++++++++------------------------- + tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 40 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 45be64ed1..8524f5ed4 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, + struct iov_store_st { + void *data; + size_t size; +- unsigned allocated; + }; + + static void iov_store_free(struct iov_store_st *s) + { +- if (s->allocated) { +- gnutls_free(s->data); +- s->allocated = 0; +- } ++ gnutls_free(s->data); + } + + static int iov_store_grow(struct iov_store_st *s, size_t length) + { +- if (s->allocated || s->data == NULL) { +- s->size += length; +- s->data = gnutls_realloc(s->data, s->size); +- if (s->data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- s->allocated = 1; +- } else { +- void *data = s->data; +- size_t size = s->size + length; +- s->data = gnutls_malloc(size); +- memcpy(s->data, data, s->size); +- s->size += length; +- } ++ void *data; ++ ++ s->size += length; ++ data = gnutls_realloc(s->data, s->size); ++ if (data == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ s->data = data; + return 0; + } + +@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + memset(dst, 0, sizeof(*dst)); + if (iovcnt == 0) { + return 0; +- } else if (iovcnt == 1) { +- dst->data = iov[0].iov_base; +- dst->size = iov[0].iov_len; +- /* implies: dst->allocated = 0; */ +- return 0; + } else { + int i; + uint8_t *p; +@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + + p = dst->data; + for (i=0;i 0) ++ memcpy(p, iov[i].iov_base, iov[i].iov_len); + p += iov[i].iov_len; + } + +- dst->allocated = 1; + return 0; + } + } +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +index fba9010d9..6a30a35f7 100644 +--- a/tests/aead-cipher-vec.c ++++ b/tests/aead-cipher-vec.c +@@ -49,6 +49,7 @@ static void start(const char *name, int algo) + giovec_t auth_iov[2]; + uint8_t tag[64]; + size_t tag_size = 0; ++ size_t i; + + key.data = key16; + key.size = gnutls_cipher_get_key_size(algo); +@@ -82,21 +83,23 @@ static void start(const char *name, int algo) + if (ret < 0) + fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); + +- ret = gnutls_aead_cipher_encryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, &tag_size); +- if (ret < 0) +- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); +- +- ret = gnutls_aead_cipher_decryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, tag_size); +- if (ret < 0) +- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ for (i = 0; i < 2; i++) { ++ ret = gnutls_aead_cipher_encryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, &tag_size); ++ if (ret < 0) ++ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_decryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, tag_size); ++ if (ret < 0) ++ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ } + + gnutls_aead_cipher_deinit(ch); + } +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index a602060..e4a0b59 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,8 +1,9 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -278,6 +279,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 +- Fix memory leak when serializing iovec_t (#1845083) + * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From 02604373b4a66a3a9c8824f26b215bc309e20e80 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Tue, 9 Jun 2020 18:14:26 +0200 Subject: [PATCH 025/152] Fix automatic libraries soname detection Previously, the automatic soname detection were failing when the -Wl,--as-needed option was provided in LDFLAGS, which lead the FIPS self-tests to fail. --- ....6.14-configure-fix-soname-detection.patch | 60 +++++++++++++++++++ gnutls.spec | 2 + 2 files changed, 62 insertions(+) create mode 100644 gnutls-3.6.14-configure-fix-soname-detection.patch diff --git a/gnutls-3.6.14-configure-fix-soname-detection.patch b/gnutls-3.6.14-configure-fix-soname-detection.patch new file mode 100644 index 0000000..28b33ad --- /dev/null +++ b/gnutls-3.6.14-configure-fix-soname-detection.patch @@ -0,0 +1,60 @@ +From b57b820a3f0464e3151dd675af4f28ad109d683c Mon Sep 17 00:00:00 2001 +From: Vitezslav Cizek +Date: Tue, 9 Jun 2020 13:54:04 +0200 +Subject: [PATCH] configure: improve nettle, gmp, and hogweed soname detection + +Some linkers might optimize away the libraries passed on the +command line if they aren't actually needed, such as gnu ld with +--as-needed. +The ldd output then won't list the shared libraries and the +detection will fail. +Make sure nettle and others are really used. + +Signed-off-by: Vitezslav Cizek +--- + configure.ac | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e4ca66aec..ccbe4e563 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -741,7 +741,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $GMP_LIBS" + AC_MSG_CHECKING([gmp soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ mpz_t n; ++ mpz_init(n);])], + [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], + [gmp_so=none]) + if test -z "$gmp_so"; then +@@ -754,7 +757,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $NETTLE_LIBS" + AC_MSG_CHECKING([nettle soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct sha256_ctx ctx; ++ sha256_init(&ctx);])], + [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], + [nettle_so=none]) + if test -z "$nettle_so"; then +@@ -767,7 +773,10 @@ LIBS=$save_LIBS + save_LIBS=$LIBS + LIBS="$LIBS $HOGWEED_LIBS" + AC_MSG_CHECKING([hogweed soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], ++AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++ #include ],[ ++ struct rsa_private_key priv; ++ nettle_rsa_private_key_init(&priv);])], + [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], + [hogweed_so=none]) + if test -z "$hogweed_so"; then +-- +2.25.4 + diff --git a/gnutls.spec b/gnutls.spec index e4a0b59..c0f328d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -4,6 +4,7 @@ Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch +Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,6 +282,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %changelog * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) +- Fix automatic libraries sonames detection (#1845806) * Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 - Update to upstream 3.6.14 release From 981ebf78f179cab326c3ba621a279aa6b411723f Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Thu, 2 Jul 2020 18:32:46 +0200 Subject: [PATCH 026/152] Rebuild with autogen built with guile-2.2 Resolves: #1852706 --- gnutls.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 1973b8f..bbcb87a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -280,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jul 02 2020 Anderson Sasaki - 3.6.14-3 +- Rebuild with autogen built with guile-2.2 (#1852706) + * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) - Fix automatic libraries sonames detection (#1845806) From 1ca10e2bd1c14f7c9157741d28d1303a894fade5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 27 Jul 2020 20:54:30 +0000 Subject: [PATCH 027/152] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- gnutls.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index bbcb87a..a357657 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -280,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon Jul 27 2020 Fedora Release Engineering - 3.6.14-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Thu Jul 02 2020 Anderson Sasaki - 3.6.14-3 - Rebuild with autogen built with guile-2.2 (#1852706) From d3626cfa1e2003a54ea2b2b19fee909e576d52c4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 1 Aug 2020 02:26:43 +0000 Subject: [PATCH 028/152] - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- gnutls.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index a357657..82965fd 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 4%{?dist} +Release: 5%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -280,6 +280,10 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sat Aug 01 2020 Fedora Release Engineering - 3.6.14-5 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon Jul 27 2020 Fedora Release Engineering - 3.6.14-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From edf183f7fd40d0ca1f67605944eb5a3ef838fdec Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 4 Aug 2020 09:48:35 +0200 Subject: [PATCH 029/152] Fix underlinking of libpthread --- gnutls-3.6.14-pthreads.patch | 50 ++++++++++++++++++++++++++++++++++++ gnutls.spec | 7 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.6.14-pthreads.patch diff --git a/gnutls-3.6.14-pthreads.patch b/gnutls-3.6.14-pthreads.patch new file mode 100644 index 0000000..c69d97d --- /dev/null +++ b/gnutls-3.6.14-pthreads.patch @@ -0,0 +1,50 @@ +From f15c02b1fb9faf3e06db2c51196a27b0f9d72672 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Sun, 28 Jun 2020 21:33:09 +0200 +Subject: [PATCH] build: use $(LIBPTHREAD) rather than non-existent + $(LTLIBPTHREAD) + +On a very recent openSUSE build, libgnutls is getting built without +libpthread. This caused a thread related error when trying to load a +pkcs11 module that uses threading. The reason is rather convoluted: +glibc actually controls all the pthread_ function calls, but it +returns success without doing anything unless -lpthread is in the link +list. What's happening is that gnutls_system_mutex_init() is being +called on _gnutls_pkcs11_mutex before library pthreading is +initialized, so the pthread_mutex_init ends up being a nop. Then, when +the pkcs11 module is loaded, pthreads get initialized and the call to +pthread_mutex_lock is real, but errors out on the uninitialized mutex. + +The problem seems to be that nothing in the gnulib macros gnutls +relies on for threading support detection actually sets LTLIBPTHREAD, +they only set LIBPTHREAD. The fix is to use LIBPTHREAD in +lib/Makefile.in + +Signed-off-by: James Bottomley +--- + bootstrap.conf | 4 ++-- + lib/Makefile.am | 8 +++++++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index fa47ac5e6..02504d8d1 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -168,7 +168,13 @@ libgnutls_la_LIBADD += accelerated/libaccelerated.la + endif + + if !WINDOWS +-thirdparty_libadd += $(LTLIBPTHREAD) ++# p11-kit does not work without threading support: ++# https://github.com/p11-glue/p11-kit/pull/183 ++if ENABLE_PKCS11 ++thirdparty_libadd += $(LIBPMULTITHREAD) ++else ++thirdparty_libadd += $(LIBPTHREAD) ++endif + endif + + if NEEDS_LIBRT +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index 82965fd..8767ccc 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,11 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 5%{?dist} +Release: 6%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch +Patch5: gnutls-3.6.14-pthreads.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -145,6 +146,7 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 +autoreconf -fi sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h @@ -280,6 +282,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Aug 4 2020 Daiki Ueno - 3.6.14-6 +- Fix underlinking of libpthread + * Sat Aug 01 2020 Fedora Release Engineering - 3.6.14-5 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From f21c1c5adf6897ddb92a036ca6aa83dee659b189 Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 17 Aug 2020 22:15:19 -0600 Subject: [PATCH 030/152] Disable LTO on ppc64le --- gnutls.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 8767ccc..fddce83 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.14 -Release: 6%{?dist} +Release: 7%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -158,6 +158,11 @@ echo "SYSTEM=NORMAL" >> tests/system.prio # via the crypto policies %build +# gnulib has bogus floating point tests which are compromised by +# LTO affecting ppc64le builds +%ifarch ppc64le +%define _lto_cflags %{nil} +%endif CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS @@ -282,6 +287,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon Aug 17 2020 Jeff Law - 3.6.14-7 +- Disable LTO on ppc64le + * Tue Aug 4 2020 Daiki Ueno - 3.6.14-6 - Fix underlinking of libpthread From aa2ff1da1291829a47b0297b6dc9b8f18e642d37 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 12:47:44 +0200 Subject: [PATCH 031/152] Update to the upstream 3.6.15 release --- .gitignore | 2 ++ gnutls.spec | 7 +++++-- ...1F42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 58697 -> 0 bytes sources | 4 ++-- 4 files changed, 9 insertions(+), 4 deletions(-) delete mode 100644 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg diff --git a/.gitignore b/.gitignore index 7d1a9d2..ea6a2e0 100644 --- a/.gitignore +++ b/.gitignore @@ -127,3 +127,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.14.tar.xz /gnutls-3.6.14.tar.xz.sig /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +/gnutls-3.6.15.tar.xz +/gnutls-3.6.15.tar.xz.sig diff --git a/gnutls.spec b/gnutls.spec index fddce83..7a0c210 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 3.6.14 -Release: 7%{?dist} +Version: 3.6.15 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch @@ -287,6 +287,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 +- Update to upstream 3.6.15 release + * Mon Aug 17 2020 Jeff Law - 3.6.14-7 - Disable LTO on ppc64le diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg deleted file mode 100644 index b1ee43c60379c783e5f3457c480d6a7ecc2447c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 58697 zcmb5#gL9?PyXg5H+qP}nwr$%sJ4VMz$2L0Z*tVUHZ9BP@-#K?~pPH$fnSbE3_FB(3 zEALL_%>YUOmBc$}1cD{pxXIaBVJ{hWJA4%Z)9ni{SHt5yt#wqrchRH}nVar+Hg16F zb)B38Lw{tz5e0U;n8D@MMBjiku$@o$9b!zR>J)Li;lyXD^sHJ~Wp6q- z0yXavWO2O;<#hYK2ABm-Tz8iOqOtR5$)65eONbbZI^*!NeJO|ljurm^x1@h4m)2vW zUeaK6U7O~oldSCtC{mVzHLzMPnOZ+V*%2W!J65foX@`K@ydA{uC5*@0Wb1 zeW5;GRFe6ThZJ$+-VDDMqV-(fyc$ux%tbl28IZZ^g=gNBei_x9a5cKv&+xT)RIv`a z@F8k69-rjTJjDBjlH1t%1(L?fdomeXh=U>`0RzCnfF+rJ}ke72fhDD6WmFZaET^IgW5za`-4hWFLY7|``6^>`K zOFsIcPaNZX4Ssw0e;hgaV!Ut1YTwvhVK7HDDh7}j=5BiZJOgozfiI(Z0}6UJXI5hk z$jgEUQJ~TAPqrv2FY4#Jy~OMYhx^A-SX=#eq}XA2@ZR!G*;fF$=H7r6`5k)QwA)+E z%}uatXU}eKK;FoJseFjfM6UzF!B?O6>HC!yr1!th!TYy!z=U?tlAmQIRtw0+#`@B= zpXei@`YfeaXW=woM*ZU`f_{BFu^mTe?O4Yk zN9BNA->_0|0wd?h(4Fxsc=3TZuma|3KsG^^_@8{YJ}+*G8LNd>Am&88i{5`7AKGt+ z5jd7q5~b<0A03dZ$6I4bro>e6IiAMD^#aE}&-F3}$bt_5UVv&bU-nW~@O~-ZCM-fa z|7Y%U%9q98jtg$>yh?8&gZDTfZ~MW%nzW`-O&;gfiv-^lzoOcv0FXDuOTjc8pJ)A3 zM2_=Z+0Qw4;)3{}&!d9U^X=Hd408)=Vsf~O0&*yNvekel*%$1t5B$`Z3@TYYsKo%e z*3WgHYd@KB&eP)$GK~=E#Fz7n{&fhBzn!@4Ou9qdt=y~@K&}Tm`{(1MPgmcsjD;jH z(_5Y?^hrQAw#z%vvP(4H6iKa{hGOVW9}24DKaQ#|)wjcdJ>x>f3-+N31jtKA&7A_~ z_8;LAY{No{C^4Gbb2SCz#SYk*1it&Gn*73T%doM}V3*Jj`o~eDuljbncI;`X{elTI zx&gU%Gc(IAbkBE+$goCs8X=yuw56ngyn1u@wzDq+er+O=w>r&OU*|se&3_z?{)%r0 z_-77w;s=VeJQE-rGmF#{bLeWyQVOYr2pep$$UA@tkhh6_nzuthVQg)x{1c&j+?=y? z%l{uolRxI$*{ooOX2yC6Q0=m?F^#U#>o@`_45(| z@={|KFo|xk5rt=sqOX(BxasaF>i~I&20S`sFl*o~2fLw1cl*_4Ui~{Nga#Qhhb?4+=S3N+k7$({pD+$t~@a0xZ@b>l43MbR& z|8W$4P=|gy>PKHul!C*Mj+1~~?cDV9S)!dh*9qEb^Lm2#t4oLlKwdq(%@bg=S1e+mw{0vZQV(U zF`5Q>d*v^K$wyMP|2UA}_q?2@*DiO zbF6O6SqIz1Vn74Pi@#KloBSjWtC8gbG-emF9fU5<0rEyMM_yLY+0R~~_eu>5+)9V5 z2hIO+G&OF%9Zqle6#q82FF{B^ULu%^Vj-8R8#9*NWcQ}0nXP103?SDQi=6!4rZBxTG5tGNe0N_ z)Shfa(a!9S8#`GZrI-o^Ixt&|5C=v1?|ms+n0`A9DQJ)thrslwsDQkfdaD;=>mTE( z*;&(0vd{gz){i@YY`l09jlWawISYmd(@wJD5l07*ud4Ph->+kd55e?QIt;qG}S44i<`;cEe5(;`WcDR{{8TezNrk zIFdp<(cuH~Huubnp$l3Vi3K{{pF`AJGnPfq0XbySTz62!^wmZ5x_jgozBLK6az6iY zp#Rg4!jsjv^Iq4kYe3NLXtM#x#!}#+lJz4XEYwiuo41q49gi_)0OU~eFlF(dMpzeNe>z?peX>`P%{3u0yoJIK_7z0=&Z^NWwfUS?w5} zYnrB`q?U!@uT=sE$8YPy^grTllXaedw&c+gm%NB7*^+JaaE{T2(dyNGj{hzmQWp z7;8uPCA6064607oqJFkmM3{l1AVC7iz<}k{2U_s4EnQt5xfvKdJUr+v99%6e92{KC z={91*8e~(4Ae5qHATXwAg3?rk>wj(wRxn^Wg;_nie|KZV>`8B8$zW>6VB=u# zYGm`D9nm>D*jkx*(ObIO*?w=%$xal7FNT;-z8jD$%+%=V{q@tm6e@AB^)u1HK;BIX zkSiax#Xa{4&dk_0>J8lW-b(+l*ZMzJb@>0ks`?@o|EM>(>d_P+R~LK5bs>^Ky#7gk zVc++&c5Ozx9gwTuY`su=138D?NNC%%!*Z(WVXPD3_n#Yt4-8n&a6zB>-@V#fnb6rA znb0{pJ6M~UxPCvtGx!_Z8W}k<{Ig*YFd)zGO*=1aJumd%q+JLBazthAg3t$pC?|we)6?R z=aP?gQb<51LsEfE9_zmHt_#Se{Dp^S zbyfOh4%oYuJSS-RC=ES{hL@4zZTx8%)7e2H|9q`bK_TpOLw}1?V~w(+70@rU+u&Y~x{5?x z*sZnFyK=&*TFH>HZuP7gM9iym?OWbPeJ#V<9zTib$fQzUbBOj#_@xoQOfHYO!eg7X zm}uR9k4Fh9_WPW(YNwIZT^&+-_8{KCJcN}>!I4p6;^=E?g40y*_*)2fO?)8~IrXqn z%`Nl@GJSLxQ%(XiO2mzx3P=4J$lU3Bi(!!PQzs5bFtkx9aPA8XVLB|+ihDO(%NG_I zlcimnAg4D;mVG>?01x-z7A2^uEo-U_!JnpYg3-5aRib(KVgC< zZ5?80$rI|OiieE`NvNSO*^ImK>wBV;Y-AB>45hD4Act!1FVHYSw2;vC;q@95rvsVnlU4}BYJ=E-ec3MS%dDQ>Y9`O`W=^u+1QyEp)bLIJj<6nYRM8E9RaAO?jeOR834w<-wSk9&S3| ze7XX)dYhMX#vXm?IOMu`UxUqB~z6|S} zwta__|E4OHgv-eTbVfKKi*V3`;|wa~5; za&?v>Ddd89s0d(_tCrz)t7L(T@0P;sG*H)8@-o9r(^M*H;;&-@^1Dc_@z*WyIqN;F zk}aBL`J_^ymcMtR8c8vUOf-EO!j-tI&_Xcf2t13vKSFnk&GL|xm4*}3d&{p@V^qwG zG(hyh`@LxJQY~VGkx}Lu=ae?&4!)bCIT*T1{HbR=%ALhnj&beXl;KJ%0JS-IeaEF8 z7@n8>imRXs?8T%+kj3Nk+pe-BRGu^=mHH{ihjM&^pFDLuU@I@TT?918k@Wj`Q2zVw zQ7YN`{^2^&4r<8}>SC|lhxp`IQ$a(4U*V7OA?F`yB9V1n3#*n;p$&StxEc~j_ABAI z!5;TRBwKpz8krSMq9^jc=zZP&z%c7jXDCm0DiZi{l-TG9!qKDlj2aRRs?DSER+{a` z+_udFf{5v8qk(Q9amsliD8WjVzs(G(TD`E9tDmoTW5fP?2@+^Lyb>2C`}chcTZ#_J z2^@vqX^Ba1@T~Ls>7G}sQ%c@uu2PkAU{`Q+9@3EnAqIb!UUiYw{QMhIrYo5qewzH2 zeyLLVkhBx5Tk9KkC4kycMGuk5gjpGUUz)nfGM4X`%`a~Dsjy~AI@N|CaNU0Qhh;5` z$>l>ae0Wy*yxLC7(SiWPQi6A?)FCol82etrUfoE;blPUTY*)p((x=Ke#PlV#s*+L5 z$mLXh?CbOy%2zP);-&f3B?fd01_~Qf6enh$XcO)^cTa$2bIfL~B0W>YR287k`Q7TS zAy-)=Y9qt~Mwvqhk)YrX&O6KByQ^;!4OK3T?_4Mh`_@R1{SETV-Sx(mv$(p^<34dJ z=5l925(*_hCiaB&r#wk*>Yj*%(a!4}r+IE(`o(k+n%Q?Y;Yf}cD^d9ANSGW+%MpwE_Iz7ym>)hWEX%n6B_0p~MJ0ix8M`y)Z? zDUE?)%qrN<4Wb)d2TXjeURU-8@S@44ZB?U?svc63(x;fe7BB~VoZ?|L67hNd`eugI zLGvWZ)EN9hFc96m#x|3NCygSFa zcJPOhHXp-h-BT%W8MH{C>+KJ$mF*Ocj*?ZZbUGx?3c9mUQD*2@<~B+sP|ttHL;n4z z&Vxo^91t)lvUG3&I1Cgd1PCxF8ZaaXC^|3*5HLOvFh=0__^2*5TT{c7oCwol3Dp0x z%I8epIkGpQmEG9S?b?&x!5+rtl}1FU_PDcaWCD|d!M%X;V%i)K3F?JJ(;{l`nsmzi zt%qaUKQoghv|n#HXu>(`cuX3k8uR(P{I#ftE{$vOdiG~4pQKR!q+3_qj+-DIh?HEr zhF#9?&2VjCAVc3fg%wE9>O9aSQ8FI?*b-Z}k4mS)%IrnerJq(HMXO|qyMP~mk!QoE zq@m6q(|Wg4lkIx0d9ADShT1%4KX#0?B>{qh7&cW0Da0GkonG!_kLiX7zgo)L_xNLR z`<5?B<7L+G=cA7rRkQu3b#L(^caZLrtb;A3qtv94+sIu; zH%U3EzqHss*3*+Lln^M0Avef-z;t5e33i1hc3p*8W9$3pg3qc5p-{t-(#-tFGiB?p*&jD1*7?Ne`MM~nwydb%oO`qDCg9z-1{ zP}W_|pR_lMEFqwQ3mak|wL@nP$@xg2{{M`S>i=zcV8D`7br8Ttqhg%}nGjDhvl ziQM>y&{y{KwJiDH!U%4udoIv4yj@z96Qf~_<}AvCb!hr63dh)!6~tDa;idxio=1su z*NN8h7p!59B!Vb;joswyWQCVyrDrwrp)C`H(z)au?uv9nj|pL-(Yk2>8jypz)+E-e zVr`WU9ue9K4cdgF)EM-j-tTt+3>&e=@8ES7w@bUnH>K%l-WGV_yz0g6{xhIjV_A=% zxs^uE8Yq4d5$e~W0bR`7RJ@sA@UEqytv@|rD(C~Em-$HmIpf_nT90d;rskljRIbGv zf0N&i!?pG#jm&YjnkCweaRpY3ZFNMS7A%HRy!`i+cDHz(Gi;Yw(;(q}$Ck8}PS@@H z$V#qUG8VfntTvc`LQUM`!lg_z_5cMV%0vsnOu3 z6OIoW!@_LUS8u4pl}`Oeix2)SDK3{zw48j7o`0DKS(Bf#yfrC$bJ({h-)ranpiOxd zM3B<}}hNCD(M>X8+^X=#a;A>m>~K|DdHL{;8@Pg~8N zzyw{bT%cECd-0Vd6B~^nTT7w&^{_@6ojr>nWq#(*|>q(Zm{}Gk)?c3r(P>}4>l>c zbLYSbW6i?R+cT-dV&Sv6I8}5D%ioLlP8}^}et3aM%O!f75FE}>m;Cg6dS0idlPam9 zH+P(d3jfubhG+(iLp{mN+CM9{0n+cE3_m_SI>|V09eQs!O#7Yqy=A z#_H;0@7jC1H--F!Jn3#$MM1|nnKe=~dty5aDV5PKz=N6V_-`Hx>)hXY_@_~ie?oiT zd1E4cX*P25rCfPfI6-4NoDds$Z8_h~W zzl5VaF^=2_#E#RycgIVyqm!3qmX2x|RHfJ%Y(d))cz~?onwD}Ip$er|*ZbHz?%RD#`cMpF9U0$S zB&*=BEV{tk${AIX?kbf^xpv;YY>Yxa2V;C`2WAujV;f%E9x>pBzyc7m`@ ziIF^hdrwM5rcOLs&Y2^;7~++}&c|~i!x;dIy*zOhZfuDFU+QL*&_yvkT&{A1=X6RS z9{186hZT`F^B5#4x-n34@0|FvyYtDVBL}9%!=H&g^uR{FVz%}2)p3KrX5Olb2SHVH z{73Z*gK}lYdi0*n+OBW4l-JX)IW*ux*pwHjEb&O{?w#jvkSOC(=wD@URj%2&p)aCW zp?jERYa}O40^F$=Ad1B?owK$G*S}zQsXyzA+3bzZlYjJaaL;WzMop?7VKoZ1$o!j! zqK@Eq9!EyN+moMF3^06%fRr{7GclZPS~}@a5cOo&>1uhTIu(fqQdO<_{w6RR zF%&Deu;QRb@UbA>B+2pw`UFpdtz5xLbg)(eI0Sj7B3hP~r{|USMC?HYJ^{oRVLf^g zJLmhW8{NFIkzy0&#-4%K{wPfOif|P&rX&i#p}Hr5JY~1!5mq0XrTaJ+34ml5I@W3-+~Xg^U*T*fgCxkp3ka5 z@iQo8UGYPdqHbqPy)SbWb2=y!@Ze4=SiIe6a%ay(ReUK}UAiWWRqt`YnA)x!!2m*V zztpWb*@?m5hiU^Thm?7XP1pJ3(|~^4eGC+Yb4>Vd3aAO02#=4qhe~xx?JXJBRAq!_ zk8ROo`i?kLN=>QX;SSZI<`w4ICSttr5)Q2?1a)topz&(-oZ70K?leQ1_EmbF)yOyg z_PzcJhwF`K-ZF|UwKtA^E9*%PBKEjBDFCryWSq1Ibe5QasJSaCDOS_UtzjnGk+7on zcEcu0$G9{RuevjyXM1wMWveDVpqe9VJ)u8hR=JSpMUWD)P*e^i}# z0Q!AqW=zAO(_@owTGOv$o~Dbz^)=OeXj93#AA3q;%%`FBiGII2rI-Zehv410Jf$u3 zt`#wPrHbsOc=iesqM%p5Pdii!gHSEu*5iKtW;y;UHTaF~2XAw(5U3sIYR&5Kn)oVV zt69>ZvIj{&c&EmhenziR<|_pn!?EN4dx}f;cDXajPK3Y0&rg3tE31FXuo*cdq>8Iz z$&2(W;e7lU)rKDJU6u{SY~RHSn$J5OwHw1;T{Qc{MUpl0aDXCoNdGfY0~lh0zpwaU z0%b^vO*Ni0tuyAhzKWK8$u3#Z#z0?>m}($iG_eOw*O6Um9<|k)b!LoyAS8u$DD}zi zk@OsILWzrYojl8Qm!c9q?ktUO6^y#EY1lm{z<#WWt=VKxzdqo%5Z>PtAw!yl_h)&a z8=u0X{fp~+wph#Qef)y5BUuCd(KdD^Ko6W0iVi%#o;WcwTDUN5IUN@_&yCZnCypQbwe+|sh+dJw&`Q$?N$d_-zaUl--u zrQ}P+GxvHcE+#?QG3|jRpyYUVEFxPt=|?pUuMXYlb4(-9{5TnEK=8v+XrCmEW_om# zvIYZaYgN)$ z+1wQ|+6iv*3=b`UhnSHN$>Dcoi@h(s#(R@NLZ(HN+poserMY3Ri_37EQzDc}}SB@0dA5}zyu z#TNbO%s4M*X*IuAsUs$|u}P%YqB{J3ha{i#h)zci2+dQs4NEh8w0oXp!Yn(4Y` z`Xhl#VaZX{Wo4*^J#q)DpsZDV795&XE$hvx{o;r~ErxAB8e;TK7zKxXGQ%n{1yyAv zL+j(ks|MXge~Vz;#7z;yLWB+wx|^_w*Y-8C_dYqK2>H^aCTJ3xJJeDc8Tb5B&?ure zzJ%SPji!9&{-53AbI(!;!d{Hm0_C|0r_S-!%qjC|LJ}f%VnbYQl80GP4?e^sRCUVC zE#+^uRV}4}TI6J~p+c*xt)ezI0Avh!B6Id6I|gCvAL^MA7*Y+IftIhucb?g?USpUh zY#*UnG~7W{c^Z?LPAfy4Kc^JoBOmP+IDjJg&;Xu8IU?O*0HA2;`JidDmo`Iqqx{kA z>u|RPCqyiwn%!KZg)s%!kHsa6hKxWu6&H?6qU`~Hdfx-(z+Lr1`;RmgnM_^34qZm_ zhe4Lp^q!s-KOKso;p8sI-sngz z8BK&Fts;Ie`qrE>tYq7(6&gMa07YE$rZZ&nLd40${A(eTYNM@$Q|T^c~Gg%HR_>sStj_LC$S7% zuG6A^Qr?Zp{ac8jt1~SLK2K515_l+-L=edqzv7e)q#D^VY@QNbA6xn|co-nE!K|pL z27|iYpL=Ubv$pH#Fxzi}Az*NKcfgzgWBc}4$J z$^juE8oY@oC(guyo%YnejvhA}2V-71l;$fIaE5eOI?G3YL#&h76Mb39%Ru9 zF2kFcN!3f0Revsbx;k}vRH~=V4%Uq*+Xd1uqkP0RcD^Q-TU`y|OZs7`%D!P%UbbCYQHCM6Ze^9AyuC2{pu;NZ z)(z96EsQQo6)k4#u4G0P4Yn0RnAv*OtKZ1P7{rT5McB1;s*zoZrBAY%GwNWZMt`fj zS1s1(LR<8Y{GpvvXFq0B5#lCrbSU|ty_nCrdy0u-F*(_Ec<6>Sp!j1}RI&FSY{ctm z5SzO8=$W~f-$gy&OT|k-txI<>Lz~N5vNQ1q0(R|;h)xrZ)Gs*aO;M)YylC{0k_0kQ z8yi2QN&jECR-Kc5X#0dG=X*=)5~r3&-3Q=2XK^ga67y|b?kd$Y9ItMTIO9)0B%#+4 z9S}-8X;Qp@l#!ib{oci!X7<3{6RPjPuJvR#d6g%uo$m^iC-uG{_%y6m%JhBH;G7OA zXqgF7va4wNz;FKaxSP~a_eqH;M?MpNFSn0;0VTRlU#BbwzMXq)_PKg4IlAiP*}r)% zj6B?!n_aZUBG;&Jz&Iwy?qxVxHmezCfF8V7p(G4Wee@+M}= z?&TN_-c{Q8mmO`|nv=;KL81SIL@v#A0M`Rn>u8f0sq02I)7gdC`YWy*K}iyKK%o?p z&V`E22>GWd`cJY%lng6=D|sn8D~CR^D6lj9)#Ze&{aJ}J4-kLVhY~*ecbERalFn_` zQ%d`fJ6|Zl+3`41hr;%B&+z_Qo9wqpv3SXfgWpwXIQ^SC&tT3tT> z%#>PR`9ZomEO3bP+c}hoGebUyno_bA9LM#uJY7GVNMzo@zztzwiMx@^LvtKBOwB_a z(H_$|^Ii^e5YxU{l~8K1obEXZU|8dY;x-#4mpH5~;g-cL+KhNVmLH*{2;5H%1DXHzeDPXf z&GvC?PS&Q7NlVv)#Q;)`wGNz@?GrNixtHJE&nGqQydp<>ZE{QSNR@^d>Vi17@ndPE z5ifIXlxjvXye30dl#R*L5GW+aO>Ki=mZ(|CNBUWB1kM0`)aiq?@#h!83UP4kE7=oM z1|YWQ9YQK%6byDr|0BOG%Zc?OmqL!p*7+c~B^)}33U;L={@k1m9mmhVY+%H+p z9{C*L!Ow{4IJaj+U&=Wk%xSUg`6TAWwh|P4@hm%)=1m?eypsv|VLnHHpR03{_P#4cE5ujVOnsx_cB{$zjZ;T7&yt z>H}-Dg>KDICuuA@)Svc}=eUKDc)o=HSF3-juykw8B_PHc^QTMQ=*_eo~mOU{cy@x&aTm-phYHIDA9~_K^eWf&$ zoT@KLghD`K`m&Bcxaalb3}-Tt>|~uamyvL_6TBcTTh1Tg700fkM(i(?Pz`FLXeieQ z!+yj*sM7j3iFU&V2Al-N9TX5EE6o$(&@~Xr^5YoUn96+qoScq@q?qjAJPZcLzi$r^ zkS%4hk-e}*c!W+J|MSesL#yoC%F!@7zY7d z1>E9URcdJEyv^WkyjLNQlxSP&1Yl^qI_b1(A$gyIhYCr#A&1T51nNgLrBosp{+$-b zU7yN1y#hE;_9?bHqCsN#rm3&=yI9VVZqY#~h+lRk@sS^k*F!1YqoalzbobS<6<+8eA#cA0 zy`VsPYh@4ySKED6Vp~WYU{UV!J}jO3Q5*g~5&jIGH15xCRJO2<*3 zvt9c*RlShE^zsDh{yvhKThQ{LhMidtEJuy;dPO7(9}-_t45>)4TN@fvW>?>qfoRYb zHk#G>0Wy)-i`kTqs1~KUbP| z=Ks1uH1KwTZ$9v<=Lh1QxIO*L{G+8M6~YlOOMHbg7i5QlwtCVVOJOa^Mi^9D?kX7W z!1`#|If%0md+~rvQ!HJ;nK0UwE|*s3$w=V7triyg;urZf{{EG9`mf(MELDxJx8WKA z!~w5Am0Muci6P7`Z2sE0oI&)SOc)7KqFt)H79Z79c*kIAZ@!0Z8p!y{IQhZyP(=_g zE+x>2{+ox3qw#khqg*d(Uua=1D18W@EdAH2#{!j}jfuz)mO9He(vX3kSPIe?*R>=i zdcfcjvN0RRu3BV9xjU{@L$-V;(us%L#>akjws3{A#$CSOZD1|z?~oDHYibHax!{veayH*lzc z`8gQaNoHK>ouS*nP)p2FHHk&IAv%WtSQPoFeR^@4?{Dsc@*}jXwmHAIzkaMnTh*!*u(d7$ z-9p9*Dn(jYyN`FpSV^%Tg9Am5&U&1#77%$OZB4 zL^l(Tvc-p4HqjP>AJj%NdjIATp4jxA2OyKh&E{8yT8TO$AR>?7%V_ww{7}|p*b+xm zIw*_F{C(gW? z4DwUi=mg>39rR^_4h3S&yKDfq>(MoYixv$B7`O+`Fr%9mj(g=ae zSlliouA@dfsUP=-jqqYH#9~292!6d28RgUX6Hw4~3N zl!CFrCg*x&QR3@}l|rL|yrr(kJXSKId+uCh2Om;Fm$_0VP~F9h>H(p!H%ln$xAK0% z{yeXZgVe8KHh<4}OI7#0oM*L0^U+QCuXwAz+442|r>#PQ2K*&G2i)cGnqC>GW4e44 zt;B9q7rSArR-0`7w1OjoWrXOR%>vJ@Js`WHAI_bEN(|av2)dvnABIMyPhcp}ZVv=x z`mrZ=Eb}bo(VC6o_xs|~3H0zb%NKuaczcDn=~vccgb$<_ zp}%QOe$&;gtaeUMRF+;izIJqG{?$D@nkSOM!WP^ID!-1S7ubPRE z%O82?MZ*CBQNvvQ834%HkSbs#urB+Wz5peey=~|~E~cVv#k6g+mw#aQ>F-&*{JO{` z_+dD4((uzf6Q>X%jBjAPl5FscD;A>S7dG$J@}_O`ZKnDN5B1{Fb%TKS^GloJD=S`w zTs*cFHuwVLbVFb_`jy-)?a$cwn{i@AC!rE)@8%F=91JgZms3>Ti*Z${Fsvt#rVEy; zqtU@+b8oO1Hs<8ShnXcKponu_4WvFNZJ5B({G(Nr&OZiRBzvULj!}XKaPRy-!H5A0 zb!({RoyclO?2E0Y1lvM4=)cV*SYPz0Wv4GAN7hfzlYoH{W;)6QCA}PmAg_2FQhh2i z(HXg8La=`OiJ2Q#YSGUl8fM}4E+EIvEez<>X8B3EmAoC)2TfO;KR28A@yLxi)1;`Z&;QCz5Y@ZjP4nro3ULB$!9G7S04ZM_JBfj z@OK_fIe&q^QkF3Vr+{e>B3NHAoB{{q}KMMQAOl!gh7^Ty0cLu zvgm*)endCtTwv{idVl?JnU&5?wBln}Eu3d;&xytX?;4|N$rE_b*7Gec*BccBOirJ* z`NfJWUW3xWHHpNYLLkdgX#2}scr@ge8*}&^8_&blBd)*4_x|a&t3Z-9GC15cFB}u26*>8Fh z;i`U#P5iJZ69pl^6q}noAeOXl;0HMnT&61L>aFQjqPp?NUQOkulofFq<@|Iu&WAl{ zykfh%Pe7jrUwcHKyQx|CQ9i`|%!}c$lcrw!R#SakDEC?{t=8+ZIH^E7FxFkhiUM{> zA?*nydN}v;-#iov|MT)+8AE%>-J&B4D@SGwO8BPOrX?Soqm;;ukFZ*kyHw?|6$$$r96uSt_qIn1wv5s7a4c`lp zitYNDN{-n}2eC9MSx-~rftu9GEI<2?I<^bOCh?3mSDYZ+)5T$I87o@P90^XaQYI|P zvuxIGTaV2z|JUx7sB%ILQ;wX&68W}HUQ@-`!-=t8B=?AfdD-BGHof1!1>)QGTn!==nXf41)eYaKX*z`F|+@w}(yG7y{c;`~CXZqX#FuW9{^0B zha~AINq+Fl#)qs!`Vu()VFAe2Zhs$dR&%F55ht_Ie^ha-Ldt4~YA>gY`>BR|U*da!i&G3? zbZKo^Q2{17Q;;9{WPAfsmOIHl1`^@=tO^Mf>ilGl?dt1a->mV4yVe_#god8k1k~4z ze*(ahiTsr8%H|#$honQ_-{x{jR**{eWnZ=<8ZVPX_pIQ=f!wTLH7=;%g$Mk3L2Y?# z6)vTM98_+~axVP$F6)*AtoV) zpb)SI*KiB>P^3-b;9u?-|7L5!o&M&P#1_?q--sQjs zAMW=RYMfVkw8V4o=THN9G+DHWhWa!l9x|d&fZPYVMQvCnYHU~wrW~nN_of|6L9riK zN0y=)5~$*Kf`M7VEtEzHtTMLn7mldWiGr9SMh=ifSot>(k4M<=Jd$JQ0n8d|nK~8- zpJec@{7{&N=TmtXpg`)@3K@K8>WoxxOPdf4*f2}D@XId7G*-X@zxGp$)6lAsIROq( zwGLBYIvse=e5L3}7T6Ki$s}qQU;~CIgkB~caXpudXnY}pN~>hlGINXDpZ9?ZoTR!! zn1Z~!9=XKgJ)=X*94Iz2Z_RxCd=yj1^x;r%d! zEU4bQr$VXpZ_7<~<0}_5i1oomcUTu!7eH16{aO5(3F|Rl)*ZfqSEq?$Nt*wa$A7(f zrqTbO7hA~pM%+q839rCm5kAla1tB3UzrZ7rZ`;;!{$6CF3R6_vl^+h5LNQdhokwor z^ZD2q@91w~jVHo?n#ut`$nNks;;}`SA5K4a4&|z<*ar-qm9E4XUO?~v9N&<$0`SHj zi&qgbZl_%0+%*;j5NNya>us}0CCeGOH;_q|rVlI%$e3)Y5>)U!iA-as@1=20mi|fU zyCnv1OGcDlZGcpB22rc9rXd=Z6-png)n-A_iHVZ(B+P?YdmW>sGQM{*a8zEZxb@!m z`=due)GcQmtu3jbpC79FEh^mdeEv)!8Z1A&QC2o3z5Mv_$= z+a5fAQMMub>9VOwb*`XOsg+sUsy+d;+k`xbs5`;obijj@#qU&|81xM*P|~9 z@}g%GiB zQQHxrPvYEtq*1bf2Y+UGxpe9h2d3l^2;?|@edhx!I?hLd=v6)>)9RQDA?{P5|~TvI~+ zhH7}WRbg5qX5K^#)e@?GCE#@y8D!T;^{Y3q*Vn^W3$KJ3#4VF1&W*rq8XFwo)Qbm? zU~ne#$4kjl+mnR~f$~TXeL0`|#NWHJPjoO;k6a#ZVi4|P%UdSFl@l)iMZb3gpC6KK z47{gC_`{vCC*J~GimvVBWzy~8f3bEC&XKO+y6`*p#5O0IU}D?O#1q@LZQJQ+Vq>C- zZQHiZQ)}(L&Ym^3_o?sH`Tl{cyWYOK`|f_~y?+dGgBIk5U^cd#kK&}_8}^Q?TGDU% z8n@pu-BNZ`&%vG-;e=vYo)X3YMn~v`apjOaJwd#j@83Mg?>WVB#CYsax8GG9O7uD8kb!*4yYhV(ui6f17W0#jm$Wh((Fy zsfAAo@-jVCKg9_Kvd2N$94i5fsxPM!ekbe^S z3-QBXRe1nzbz+i~*~+d09)bA_I-o+$oxj^wc(UGgzY+>Tz19kryl*pMr_E*jcuFouRn}E zMIC*`S!Hd}`e9#-#)r81>B9?8C6SdB7DSt#p=*5`)-t80WEW0jlen#iZ_>s9{Zpy?C!k)T{G!yy?G_Fn+ zjKc7@=Wy`b${4M|>CXwCS>IF%q91m%>>tavtmb~cS|A~^prRvJ&5VM4fp@665Y1W( zrtl=Rz-lAS>&b`JBlqm}|y)<3BXA2pn-WjdyiOoGcipS$Rv2x`S^?;vbkIXqW zKXKNkPN$)E%zfjih&41XSU)-jg?u$+ZQJ%JjT3*^6M@sT#0~Qtp%uM66s{(>m&$Fw zIO7IV{D85}h@NF88EEEMmM#=Jk8~x>GDC|W3{_I5H-a=%gss2(xVv9@mF#A(hFW$w zR^t2Uh8_OwWKRRffmf^Lh(~LAi$)^AKUg3|*gkYqbUlRRZx}WcD`xI#cnkvt=vB|{ zgc;J&^+&Vvl9u;*Gy>aF&rXn5>9c_&)rZ6f(aYMhSQ)_H_%(21cH?e%yfd^&QXz-yXpm3Ey0tC!~-3Z-~1l80vjCG?$qSX8Q7H= zTo`ZpZ6h=${fCo*IK#N^6X85~z7z#K=TTudxZzDWk2@e)^VKq~4>p zK}L@q$n`---FN($+J-xt-Iv^w!#Kcg^Y|nThQ5XCj++{mmF6PW%{u=cd$ykI^-fZ; zToos z4hAMIAMl|r$Hf)&0LS(AQtY3?*i35iZJ;AXi|K{1D@I=qA8?QLkTo-1W55-p{QG0w2Tf(=TT3`#`}9cEdY zR5*dQXPO^ONSv$N=GUnDHCni%Mu&cLDGGNTQuejLxi`brPjZ>pS+XhWdM1Q-aL$v5 z(d=)M1V--#fo5!-n^t0f)#IN#dSoB|-U`sRlJpZczvI(F1mYXo2wEwsTK+`-7JBLK zX?sk$f}$uLFve{%A=uN;WZ5=`FthL5ppP+!tcJj;{t>cXw^e3S&u&#LorjA6p;^G} zR|7cop{DU#luM@7zAfCu*GhaL)wEUoysZj4a2X}+O6ZT*QfK2^jUM zM_lf+#^*zY*S4@k`SDxNa?c7-9_JyZXjLHl#*vTQ$Ww-_q`{$ho48PHy96qVW+s(R zMO9JIPkAscL53Hho*psXk+zW&IhpjAgTOU}-lVUNYT;~r%Ye|QAH5skb#`E^eRYT} zK+(=zL~1ofGvd@ytuaD~i!&{Hf@x~7@mx~d<4{@_1w1WHW>bnR6;~KfZYsH125bd# z#24+FpwrNN06c;<`<{54sK^)2{9VHgRB{37itwo4>me8P_cETe1OoCU0uWkCZ^SoD zxrQYCaOK-ito7LA;ml!-ml^Cr;17!IJf9o5)j~N6l$Aj;cvoszx&$aKGe{H046jiz zN-5SEcd^Ra%TUq9_MFh~#Xf0Y=1xmB(dEbqmw)lx2cP6Q==OqdZOx4e7`_Xwbq6~+ z45s6g?Xqrd=;lgKks-%D7iJB+=@+^W!CFV=3~VN}@OVjAk7K^3i9+0dINv-Wj{p}| zAgiH)#~J=fJQ8M%MK^8Q00sf(qFKDdhB-FaD(tWCRU&SiOVz*cUMHsY-F|!LdJgTI zR?e=rZpM@{oRfmM%g{T*mrD-{iF>5(AXNo)vVltX8`WQCM{Bs)Kq=>A;?@`vd4zSr z2>UUkN4c+Z_!~Q>Q0O4SGUj0~5WHSnksw|dn6=|Yj6eN?meEf{WwCh$iITk1x4Umo zq9?CTX+pG6bZ^nJOS?jhdPZz--Z`eAV%(-Vd4i?o)55SGUkTX0znY!joz1+LQd`!2 zXf$W1H69OuQQm&d`xFSFJSNh%#2^Mumv%JA!5Bah+Ns<30qi$aJZQDDuc`t1U7!o}!j9K2 zC!cRf4gbWETmH7>BTDG4xR?9b$-+oM3wMfldP8_+U%C1s`HGeoe%uiD#|L~wY}-=P<5um!xV4WqgCuVl3e z&41^iuJb3Er3BK!m2KE$fAMKaqp?@U+~~)xr(<&tzphiV20!oU;xb6H`-m1itfu`~ zg_2VG24RIim$pjbi$B14Kv~R>aF`@a7ZlPJPLt^SqijM9`>G}FN@bc?RE$HSdOVmY;0 zZ~e*({xSP2brT9Omg_44*3H$P;spx0yl|{qJ*TiARv~ksk##4o!Qcen;W0ByaDj+u z0QS9N2Y<$H>k6=S06FB~^$T#@yJo7!fX9&CrV(MzT;uXFE|h?3!H*+QeWG!ZJP2dT z;`AhO=J$Gh+xdG%5Y)Q&v9iZFyn8j`8@g|h6l&}AnIUsW{oASJsG=L>riehn8Ot!b z5tC(0iMY;oB-C^~ScOGeZzLpb?lbr}PrDO>S%>2jwMlZpAu+H{%QpdXN?{9kKEaTm z0*yDW5x&EDB`*&p2h4SR+q16WT=!c$ub;S{=@BphkZoGP&IUIS7l;z+qfeuM#_1}5 zkHXBmFsi&0S6i8>IsM@0K7%_GvAX}Ws0)$)#-z*t&UedvBsOHQIw5c4i3Ar~#D`u$ zRsMyc`l`yz%8|R?W~?;7$`G0tPC_CHYM3H#%KBd5k+>Kgnv^fuUtx!r)uZf1xnEK3 zaG7SyZ#Ko731R*@wX~xnyGx}7@7Wy+egoH|Q%M_3U3Sp=2Fla9Sk=a-{FJRPK=mmS zMtWlUwe@n?3@m@WH_pO4Szxw<`{nug!bwbb5LOTU?(>5qDGZ2z$iLt`wWL+l-J2_r86MOVD9{*(=hB`aH z?=G%*Xo!83Mli=52FFKEpZk6!BAVx7=^bs7WNq~I4iP zH+Big+}O8S)jlQ3=sDd7xw0kG+>sXkZE7dbvq`f9N1C7}mNaQ`x0wa1zNsI<=f`3ZQBUACEVhg6(jz@g$Y%V z$jdavSvteo57zlP9O(Oi8FBO?>_MA2E*DRiL;n#%wdpXwjXR~J^&{qKgLtVsB}>OV znD|peu*FJhSzky=TfpZAaEym{TF<3{v2`EPajp%!n)Srf9T4MQLS^Fc)JT=@imb2D zj|+>4!@+o$ay6_)v9Cv%9vMyTJ)%9!Ov$Zob;XHu)D^`^n)=0)zzX4t6_H=G<>z%% zml9p;XGadFz=J&>J6ZXAJrw$_|Eh-^oM1rGmEr_OOtey-70ZK}@qYGVln~9lcim=?N^c(}{ezaMw?0;xlS5$Bn1= zC+BTE@-2lJ(L3;xFO{9zM`LO?y5EuFsx2ZV7!a2z-}>Yq0K9DzO>eUdM_iv>TN45e zujGfKDJvizK`lJPZdE6Gy62HLZUh4vad8BjP`fbu2Xn4H zz&KZ?dene=K#KQJ>W_fbFc&vRP1G6M=S1+T9zNR<9TGOWuniq+eU=|b8ZFtq`Pc@N z<*TA5yrbVTj46Fgmsitdw&};PecG@e$fMvVHJcaUz#5Tt82!TBy|E~ zFaCu)qija(OW?3D59D~;m#8i3df&=JbCcm&LG|lKLaYq(Gq)fs1;PVYwA7EQ$kD)w2-_}B-=40{pvgF z;`*JjsG-}YB=Ba6G1uP$0qVSWGFcpO(Dn01W0q&K zl4V`D52yZWzrJ#k*}zhKIBdVHxtRI5vtmLQ?ZG=-Cc2c7y(k?OTtM*YA}L+j$=wNW zqUg&p{?2ISc~GGp;!5kT(cb2DUk2+D+34w4{I=wR;C0iFvr;9HSt68VkH(%g=}5}~ zt3AOiSw({`JD3nVJSuL}%+j+%;Egcc!)AVh#FS4*nT>QZ3@;IcEhuMVoG*1HbV^t_ z;EVe{l%Uwp8dxyj>J#=8g4HXdj268@@>i*ju$cFQaMzbq8I3Ytd+MF+Q-p7Bra!!z z=~A}j``Te<=*<$KHW8Sct{oltYUC!OBUdkqv^eSJJkT9ZLp$7!Ip$ZPm&9lJ?08Q} z`ZUyzWgfj5UFM3*Jx_W8A3>B@@o&5sdZRCys-~nOjF*poJY4+1e5kU#_i2WK9O*ix8Sgzs@K$*0$9RRjrC1gGtZwd@6m;24^eHn zE@DJ9W4~wX6a7a${#obt_n+$7t3z>1Wg_07Rfr$j2st%)YlEkZB{bvtdPP-7BPI>m6l5XU^R0`Yn#;581;{MMjR?^{p58e^ z(v&cp-=HErpKyVPG2uRSv4Qj;=NMz$rQh9Jtnd%m>3==I9qfGux_PJW9%9BQvcr*H zKa2+E_&|UNMlb<&x;(xG**4TD;ai58-kOx;Xp(WFOr&baIN`;d*Q)BNd6x|*ZRaZ` zd)I~lgq0$~%IEeLj#~TJ1sZ^<?ONr6Do86y_~okX@C4QUw%3$41e|9p5;1XRQz}aa37+5T9#WM3MK)n zM#FF$l4x*ig%HvKqex(w7n{Iq5&g&}?b!vg81vhifD_Btf{`TJf|jX;o~>47xGvfG zU-@e;oO%{EM5mjWT9wxwumpmMZW55;6o;)WFxl9XY1u{A{$PGe8ER2^;h0T7dp>Ae z*3d@qK+SPC-|Miy8j-t5U_BI^sDOU|E-xAKDhNi`F~qMVP2dpMU&0Ovd0{Ms79Vlf z`YGink`q3kJaP-Ppq;I)QbTNFTeb|d}p`jXIQC}gn?cqu6_V9T}mnTd*kE9?B zF58XX^r~u3G)c}6nuWhb;@Qtd+T1%`&3q?K>Ut$&sKne7A!f8frwi>AZGq2qtAcd> zff>^Ay4WzX<5HUDuVAl7ie&iCRQ_Xlkc^s5kx}!KCZ?}smQ5IZu~DndcAgl3E>Ry8 z$~uUJU=g(fp|7>G+}SBauU#M0+EeulT|M5)5rNgUj`5u*7NU%{1m7ruV`s1~CMxk4 zG{2me)Gzr4p@@L1}DEY8+Y*tOkM+iOwAz;&fP|0{`KL4^dFO} z^888lU*A1=p9R^-0WM^8Q%Hc^0tc*Y%bxsB{>PPq658Tk$~1_AXahC1IH?p*^5y4U zN0go!NawXSVl#OEjD68>y;mf({&Z9IDJXhhRdezheO@o)9$3+3H6GrCjLR$x~Pv$vX4f zM=4eY41YM|tXn2P#V zivF0X&My!-h0NtHJ>YQjSb>5tOCEb&ID{P%cdMXOIDFOZ41j-%litj3DVf9yN>}tt zLCZ1?KqMIYC*H~{uCMZuOFF7Dp8C1@mR@iSn*VnRq@jE75{>RK3?4%RdNRS3EBmv? zu?idhV-eZ|W*aQk-|Mkd_xH-*{vZCw27~l?5CTYmAf$p%5XeYUe(A87HN$tK_|05F zaAj1fUXAXKb+MPXf2;^rwQ$|iMMecC;rn<7 zwRJ+-NKiDn8=-`B%=*jjjb0F@-&oB?aonp``SpGl03XDlG%a*o6vJNadWOu7)b#7| z<4rQ74wsf*iVf;;yW>tBl$(%}EYpi1$`aW`r{!{}1Clw@U)CUlXO}aaKT*lYwleKG z+kF$;6mMUG%bq##O>}gjwvq~nE~rIu^kE~A_h-g)b2=`UDp28mx|+%oLI70{i;F%Y zg0N)w+&iM9tJR%L0MjH~k#)_|HufaI%fcZfvRQRo@~)J4J6aY=>cpD-Q7B%4-5MY< z)hv0w%&d?(PNRDAracg5PW2J$8xt%Cy8^aKK?q*yc?tGzUoYipgO*F5;c%d$0+^!? zy5{Hp1j#F!XDr7PEax6$NB0?sLQ9b0L9Xwr@UGB%4sN2thsr;{U6Aq^zphuV-q#S6 zAgRJ|=4@WcSX>9srYC?EQX-^{6u4e3v%+QyCsrKcZn|4hd-3H5U%+)iQX++v-w*Vl z+m1w=FcBkNxqdi|MT^Lq97t;Ng0lG53J)682b!w2SbT#+>CN6iq?!;%W){M6E?2|v z0b?^emYGUIxL9L$rNb(85CL$=O;(xp&Hqu4zef`l44Ux2K0SJVxqdZ;hq2t1KmsJq zgulTv*|*I~Wf;-7cA2HiLcYw4gd{q=+D4 z)gEw=QR_IC4J`PSVI#&w)~t?bJpvytTFsH%PoDi#qG{deC988x2d%m0^yEQ>M1~~$ zMbsDo6bc-GacPBow|-`tIeQs-67}C-k3uzjEGhf=nu!A&p%TkVxa*}-=%-8Xpt&ml zJuxv)t*P^Adwxq~hch&>K~?vwkeAbslK5JieyHN6`n7L9H3c=oUSR5dYZU^U1z0uk zL}UV2OnALzeviSX)`R5RmmJj$6VlAJa(r6^#zLG4moPVnR^C{129Dql8e;dx<5INc z&?LFCMfBEAusBTtUIZVcd2*!ReB2`BC>%qQm=nu>3U=kr4lJ7eJR^l=p(Q2IWyhda3(rkt!E(zfoj6OImr9NM$eQbM?Hc)zca zf$?h(eddD+D7d1{jb>s~-i3?=QE$41^NiX}h22slJNi{@&<3`b0XK9(P!Myoultp=Y2%phM-$4xv=y) z+ZoT9u;p-Pw~W4lQR}ZP6pE^^_TkSyu%2s*90GA^i#86L|4xi<#<4!wth`CEOwAjE zK;c{#M=7G{-`qtk`Q4kq+ux=t0FwQu=qb)m`ZVXap)klnR8MxYcVcNg$hhT1nuuB5 z;qt`yh*tq7*0E<*yjI&HEvP2&f8T;10P|Gj3mAHOp%Go3%!qV|u zZmL)Bb3FSB;8#xRH3D6&c5k&sp-#%CZWpLLQZObC8f=mw-6RI+xZ!e+KgB`uaJG$v z-6(GBY5vdhg{hN+sg<6YC7pqd6>k_w_ut2Rln|f_G_wSME)|1BhX#d#h5H|N!ugBC z6GfM1;tzL&HI>hP<#^LVRVJwm4ddLL{W9U8PkNVvG$4HH(c$Ofl7yOp4mbZM^r6n1 z>`jwG4HM}Eok}4*YTE$uev%+|ec{LId%m4Www%9s((jGVf0XBccr*x3$R=w%S}v2% zQ$!9?)?|3#7#>%*87K*+krAIZM;b`H!$yt>#7z2hn=vKAEoH&778Uy$bboTw)&3^z zR;HLkZ=Y&zwFO#xyoSi&J;0)GdiePgORW7wXXz+>g1i7aNc=}RxKY6?>`Sk_vg-F` zV=I|1$C5{(f$Pd#bh8ZEhAPh}4eo>_xyAm{A%iF#I_}(>@h_Gy@l5jIC!E<{i%|V= zwvZ@=Vx}&F*&ut?Nwg&m!@E1s_5C#;MEp)GK|K1H%p{nJly4hZgtcdq&_0%>US%$w z%$-jLn-Hx%iXzy|&DdR4AJOtCBFIT+c^rv94r8!0CSc6Wx^ko8mw4tlPl?qj3!{+7 z*Cizc%x3B;Vmm6yB(Y?WDH76caW=>OpcQ@}C+1IvexEiIh7muMOKQM_t5g;Zs{33w)Xs#q_^bSj6e7+S-T@9<#^it#E0&JBn9A1$FnD9p z70;hCet7f`*i4C@ppXn5UJ#criNwFsh8O?5C=f323h*O?L%K;I%$7@i zab}OiZ%OEFp&=hG;8pFYT@K%*W5y~^Jk{Lkk)(AB<&ljxQJr%3IrPtHT}isl#>@-} zG;z=kPd=SQl~y27ZSZ!gME3ol66k;BrMWn8xzE#p09gc>uU&j6A74{Aw^Z7(QS0Cy z8nKLBw0y{D!W}qFJYJ8f(vW$1QK*w1e`yKmmuBRG0-N1Dc!1gll{mU$|B0M)>35B> z$v)-8$?M3Eq?1OAh8f}!AE@GO?G|p=?QwJw1vgH1A-Q~XKdO6AMi6Na=-KZ53JVA6 zru@?wr0^<`Kk;kIuLOG*wbH{G_-~_YjDp=>4jk4{2h|PJpatq+XfYk;m?WMi=Wh#n zb`3&mmQ1*x%JiFj=JFgh2;&1fZrogxWOBRG&6xSN<$!OK8=bb1b;<^_?P<5nSTG7| zAmKy(0~$BHF`(%jM&aLC2Nelh(q>P}kB^$@F%GnjWPh*6AJb-pIpT-8*Cf9JaeE6| z;t&@xmDqP~QdrifWTJAIEO@JT_)kx&$>J`nwN&xOHe?q~m~HXIBQSolIRGzf9!t>V z^k>BFIV)Agec0hiU;NwaT*XTjF~@M zdaFnu)p0K-#i$ujp^3&zlBpmSlt&5|G=KC82*$sXB{Xz*-YTG2tMZ(&inSQFR7*0> zo3^25DK!n|uMl9lGd3#uoF(0(uUd`sMRH?e<82ULHDob~Ya0i1+kBP$e(JkpAdxnwU?pcXCPP*j*w1lUm z;Wrn6)1N3@^TspMqb$#sfD50eJS@Lu3Ed9rQ6U-B4H%I4_c-ydX%p)N@k3mLB+Ql^ zXTr~l)X2h)x^X7Q`AhAVjy|4EI6l#551Wb(9;HcAn{czXRzXoR?|~M63OIF<&T&Pa zUtjQiA!gclJu_q{7Rtz~)~#oN04++;sHitiL1|Pp;M<5nn*KR@B#1#(=LdnN|^% zJz+;p#2$|_Bq5+uRJX2>d7V6KwZFzi4kmqCO^F#9vDj_6pdbG}WkLGiKSusFZF0yV zzQSLEh|wsWtl1KDc1bYA-y_4=j6O}=?0LM6`Uk<4c7CUcqvrB%3$p#hNup=>G%Ya_ z*&gEZpdb-3@CL<$qzu+vJ!CLCtfPFvgW%{|<56=Ia6-V}NDAZSK22w;s_^SxFE~%n zt)G^8T`40(iT*^hyL~&RGtT;>VIk0h0!x8zjhkL*NDv`M2XzGbK2Vtg&2M~~KQfyz zn*2*rVf7kwZ=b_*o#G}M%j#1vdba6aF-8Bg^3^uwGEl&RzU+?>u%@02fm@3yo3xHM3VmO9FwS)*^ev@F~QH$FBh zH7~lz3YI095%4K~;x^9!?e(D5^@EtL2$(#_*3DmZma^dh0=X!RZXqY_O834FvR@wj{xM(b`{a0IAIBKqu*ec|1p zq;6lKza#r*PS6Aj0X7DbXN;*yW#sOOBo9K5)TrJ~&u8Nn6X{V|qIeqorOeZ|=22Nw ze?3;_Tt8V}Wf-vlg&csCg$>;GTucgW@|BXlhN2=B<-pryq%PmPra2WSP+}de!hC0O zD`m14srRJx_|Cd9`T_*TQR|r_xs3{URkGUqat~(^b=!{{H2Rje@rS(b)Kxv(|2%Ed zS^bHx@tgeb$@9NdA94Ks^}lA8f7CV65w z4-jSGrkeZuy1R&+YYnle<+q$a)V1_l05EWXHe15_#e33YLFb~>{n9TASq_ke$Ho8g zMK@c0Qz#rncbNUx^Z8R<^AZB&h@%hZLkV_lXkj`AP4cX9qP#r<0l?FTb_5&2 zlS7!bX9(k%go@5)8r9!({;jS(e*@%5c8|2_Jh*-$mEFz|9JF4^n#h3xJ5AnBt^N+el^8v`_?A#KxQjWi{$8kSa9tPcIHWmT}jX5|HEMzV0~4ixx3*itV024?%sfT_Xno1}Nhn zU-ipMvC?C4+Kl^+rqsIru1o!)t|>48fUE6%#9ugAV6TcT*nXW7`eeW4Xaj&L;!Tre z;E^o6Z-+VZjzHA%j@qBBoFl3iwo>$a&cD?)Qf@#t9nisTJV0h2R8vD+5sE54B+BT3P7}cxSKEe1D3uP70g?KhBE+vclU&_#bYJ`8PYr3(395*(NsD*9TUoQJ8dNapz>tv^Ok$@a`8M_wZ zz@Iz$pc6K7*Mi5Jk9oDf<@}+pNp%8pG&MwHJ$Ew$x&*|gy#pXy`&uB?0XbeNAs@5m z*(Xs9Rk{vR!{)B~Ptw2TsPV@C^*;SaT{D;fWHYvv1@|3H@gr!X5?Lym$#*9lwE=(; z6-PSEI$gA>Q{73drYG}LSh-C9%IWwk=O1;gvI39+9?Hg1JYJNwPfiuO8otf0ht5F* z$kBSamm5YQ^|96MxuA~_JwVH#5&bPkIsd3@S9Snkr7sgUlFpgAzNzmVWH(zQ zB^XT>AjdF2D|vA`UK9^W4lh>9-^nR^<@vXq?}u)G<-ln0ohwSgs5zGdvXCp5zlN?% z0y_pa-Rpa^e=W8i<^zD04Jc4|t9(f!DuhVcfo;zqf@i&c;SV1iwV9 zKL=0@mq~i6QnuU!fH%yrk9{gey^~kIBQKKcww|1OQe$^3carhniURrG|s_b>M)WWBjFW{b!&5$@xcbYv=@IVIddZ zL>jKQZ{qj%J$^+&Vt&m@1pxi|6VB_;ZsvF>dBU_Tm zD1`5q)2Kf&%aosW^{CSf$mUDNp(AvP-Zr(RnxR!s5oJ9O!Ty)t_VcgT{U5!Jy#N4= z`H)u%pMmh*=K2h$AzKE35YP^nd@#SD-Xi!?k8Xc8A~0)WZMacxq1DqSL%ixMC2IV_HYY8Q4J>?X4p2BM?{qGgHQFK5Sb_551F9G<6DtJ(|?`?`eyjt%TAV(mSmK^V(%SnydYMo2A zol2SMVD-10KNPr-eL#*bdJnl6ity2jnT)my_y%)966zWt$BQyEY*CCR-VX7mDmF(R zUO8mWJyh#|Qs90i0v?NyEK7CaAgNK<*uRm>zbig^&X<_S@apr89S6SRVFEr3x=u`` zMo5r44NLPLu;3is1S~ZR#F-zJyUMak$|;|JL)!j8;8-I7&tMGo4NM^xA;aM#ow;T* zD4aFcaC|+V*M1e%0=ff?{Q(~io1QNabMw?0MtKU-(??fa6(!#Ct^9{<)63(2s#adV z<^O@eMVSFUl&iiP$&r`n-ok}yk7VeBo53KWk`^4uzkV_1bof$G&Jz+Kp6hUad0=MOVJ7y!6%vDR?I&4#m3vwMvfjElI| zv6Th@?#l?>UVrya9u|!-OV4(54f4vVfyoFWa!Wy;5Kf9~0o@WaNRWfA~6bF={F|M3z?)-yiki zFx)1!I6aFFo#}=swf9n@p8T$o!OO3{Z&>#(x^GMgdziW0c<=unyc-yhPJ3xc+Z}P0 zuF=ucSQ#@_faFpBHkGp2YerByJs@ZxO?jVGxLz0O4U|e$d|0t(48WnhkQ%f_uF42c z6_bPI<@Ru1s(DMKy%^z7-^{KO)(NZlQXk|gX-#(b;L!5b%>v_Td)>Oi-dbE{3m@86 z^T;zjb1j@3Gdt8dV+~UgysxleQW={`WpF2Fo<=!AA`M2;ER@<1tL|aa9BK1 zHq9?M{j)uPugvNjR%AGkmrI=QHSe;8UzfvA-cVNkzbt_$6#GzOzpJ7&4S&Z$gMc(M z(-P#B0h_ZRiK$b!8AX9#6oKzt%`TU?G?aaoT)4?#g!CYSZyu6`zFI!pm;dg|?4ra@ zjkOWlD1_NWY4${VCviwi&i1vO1QV}#^TZDc%@N)`{lo>G-OS;=N9^9Ot#-klaLxH# zsG1cQhMbw)f7CoH^F0}6K*g{u>g@p9MyyUy-!-xcmVaF4x6AX-*z*qpcft+zVLfjh zNrW8^#^>0*=Z#2Uc@fxFuICN6_JFRY7)5`^0i4K;~7|D~dCvv`bq z;hpGUM*yyQB~P8EPN1YjAq@6cNaD{SbB(_EJPJ@~O>yfL+B7;(L(S#6idm`MsXN_< zIRztrWwI>oOTvXv&x1S*2zmomH5Fp^P|(7=k~0++WiD{bKbu&<0Pub%02doU$YiSIdwxXT)L^~h?c ztgg!NkR)TG-q6tp2S%#0f(X!+F`z>##P+Kuo7&&eVbn{CVBRcU}JjANO*X!u zyG6A5+@!y;C`11nfqVaJX8s3(D+q!Ighhk!#SAlKJG8?0y?SUxg}!`0{6*vLSkP7A zWPWD)bkMGta)w-FOxZ?ff)hVBFnhM9bIi=R1R6$$IkCW7j@NB5ht`VedAZWniQ;o6 zf;`vh;|sg~qwr_7q_U3NbP#OM1Q^93&_NrlJ`{^RG#np|J2=9#{#)U3g}zvXoc@r* zGYoD5CRdjsR`s*Ohxc@_cfCLYnPKJR86Ms}f=|FSHasF=y-h!&fgor(9Ff{UecGc(B2z$eazy;`p#*kKm04eFezWn5(5`w0K@q|7f=h=KKTUf{fQ zc%nX1ilxwoV2@bSc}GRB@R?&AN5D-%b<2WFMo{C^{G+rPg& zXCm+b-xf6@4W+O311Dp77zI1{yUWE2cxD=Pcm`s}w!>}dMb(oIp(Rlf;!)InDhO1$ zp!R#v+x$5pWJ1kxG(T4d1$q!1{N#q%KL1ShLuJjq5?KnY5Qmlr)k){tOM36ZzKJo= z&7?glN1iTk|1$q0**0A2a&i3#(s+23>ZFGk>NfLBup9J4F#xxgCb`z3)WFM*6DjfS zN!ZPrrVe^@qOoBO!;T(7V{e*O4pVX!N|vU8UyPKK1+!y8Gf89D`IV9!_6?OkCdR) z1pd|tuhYE%I4FV_ZNid)1O;6p;=wOJr>`DX4(YNxbyJ^8>|#YKuat}E<`>?Oy?FfG z?1Fe03}7`^y)sA~gip})#T>2!Ra~#;3IBz_?a%#rTn@R->dRg?w{qW@>J2jQ}jIl z;I~wYYl}yz%;|j^(}i6J2-+MVdIjyF&?=Sc-eytJv~-t`MkMmZgxa)6ruVN?ohSI0 zIoLtPtVK|y^k%8ykmKXTz$M`=c)fv@#ka|yb4b}sco~_MHgo@Y)h(>{9hrC(qg}wvaF6-&xl(*HTowW<*N#`P4(->6-xY zEhZ(KOO)mNclfjffw%x>0Wb9U;MCd-bp6$aME|*wNu^$zXORMrL2DfSw&e!l+x3=j z4NVt*HXY~&T$2MX&^qft(eU)bX`aywkVNVAd$l{i3}hv26%}E(%V3kH`!Adpp+KVt zW|ag;SsJ4JbxrAREc$I%+W{1>Uuo%Z2@}fY)a_>ml1>z)p%3tMiE8PWn&h- z=^LSF$@{oT>-%&@h&=ysWcMFH@gIDc5gOu$vgVjWVFCRpI8`F70?0EnQoFdmKwUD} z2Hhde3g@Cmi2JG0wRK%tus-{AgSV9F+fNsaZm#DcxaO}v5odQF?aDK8kVK0=edDV1 z`*`P|4S7^4Gab&HvwFe{Kg(F0ug*q3MI$XHzgb45kxS!u{{&X>g64E~3%et)k=(+) zgzvbv8A^rWfpK?y0F57uO8s@|<3bChIYq~e0_wEBWTwna3Gs;PDc=;3F_cOd5LS&c zGf{db0fA*iGKO7f$qMOVT~Zg3*-c zPPRV$1+b5cD8|DF@IHhfX&JpB0WMUsc`l&K#5l8>4?ob-gGcFR53&qkI5ix7LiEn| zz`fYXmUTM=o>pe+J4NyR(T;>K*Q|WA9$RU3{O-$=A7uvNZeJG6go?5nTgR$EBSyl_ zfMTsRjU2sSbA1qd`EKxbdpG(MW7DnNIA;>A^3)W;*>a=qi<1SnbHX=Zm9Z?PCgAKp zg`E@93s-usxvI-{x4M3#_g6jJ#QnV&X-I$=s~Kl&Q7*kJ)mp?A{7#Ezi2P>< zWf8jev|Bty3~DK9> zMa8uG=UHf%*?_itBc{%mX`N2^)E=D@PI&k=N={}q6@7)q@P%sf^*f%+Pv5GaqR@8m z^lJ5`&6hk{^w*Y~P$*}|(hwljEbw$7N@R!SpoE9H9)q?S<2U$Bs3D<6A=$>yPY9{x z?lmO*5-)%zE048K_F31K6VS)S$(2d3!;VL`UJ-{Vo1Ad_R$6eRq-6(T<|Iu_E@O}Z z{#?EAonp=9LO)UDE+xK;L-3~oAshcuy7z~IjFCyb(eDH#JseO{brGD-eliwVyg*%M&Op($IQ{+2azY{LCO(vU?S@c_sNZojnqS_M1uDA|__6(`N8+P_DHRG3tPj%?ZHO7J%Y;& z{q9ZfO_O9-d0JBtlFJTECqA#sFFY4|ZW34(?o#!V|>u1IKak~zJ!H5#actisiZo9yw zfNHgi_L1>4u`HUwIhO!hoNbz>1mj6(Q74!hHxkE-y~#>`xGbx^P$jD{jv}J1u;?b7JGFDSsJI^D)xc2;DQ(Of#6U|?IY`&N zFQXn=11iStn0>0-Q{WqI_YHwp@#3?)FgdhrDFE7~`F=hE?m)e&>GhFpIt5N-jcDys z%rerwb~J$xNUn|{;S-x5*{EB3@N!N+W4YTX)Np|cDNtfJ;0i?^dXcklYRo1HEu2#} z56Os8@otU>t_3CZY5{C|oZPkTlb(bOvo9`CP3;fZ1E|t!GE&K{xW~DmJhrVs zdS@_y&wcH16V%r69hi$qI@0LNO(1lZ3I%8PKmytd!J+)Liol#n$(4J4zqENuwQdik z0SZGh-)A?{B_qq?u||_b&@GI-4QlpGB3f6@w#DD`_!l2GY=QXgRrDi-%~9^XWW!5W z|JL1XuBFz;Pb`4L_Ht{72UQCa0iyNe@RKG`cuwf=Ze z_8zE1Cb|XN+DTai+r1OYQ>`~7{jvTW`yo%hF4yddRS-v#+c&o4Q-z|}1r?A#Y6()M z=XfIZ_QyP?tEneX>oet5pzEMz;Cv}-Bb{DgE=sIlTvu0oa=Edr$Do+X*3GnMgL-IL{48iC=M?WElnJN2h#QW+2$KlerJ zlLPU374&22fPX!`o_%Jd(*3-#o|uCXV>huUvR1aIEwmk7!13;^-72j5sVt7KYWDe$ zwRZ2pZYQTELfi1B&Bm6)4>1zB4iS>xvQ@M9h-uejDc>D%FK5TH?YAoqBXrUvN2%A*+smplubk+Gv5U$ z9hRaf{17&S!zB)A4P|3^PXz-#a-`XLjv5!WUR(Vvxvhl9mx7oqq>Ajl6G4>ckp??n zjnRbL^puRIfos=}le=F2XA1G%b1(@EiewkDaQO*f|IFhbd>Csa5>O(`E0EXvl5CD7 zlN;5exRsvpc;tQvS=c+Y7sKrAL23=XL`_#%tJ=z2SFH+1BCY>Gs~;Z0AfdIV<4{1T z>T^LKR0ebkH1=^OoD=|Ykzm@(;nR()4oUF24(JpS=?DE~WXt5xNvtGvHQ^1?f^^#} zj-k-ia?uhdqpn7N)cYAm**4@d8yDnOmtt(ZCr8hGJ&0uG_MtyU@+1)^*3%gj~ z`HxCIxUkE&$;8Ka+gIf8M7Q_48YBls3SkhDQjDR<=spB^{^ZS4)EEM41KLTxm%5%> z{NPUdx&~x^*RKSg3lblrXN;m;G{q>7`^%KE=S;fT1DQLla($gAY$e&GMn1JyG84+K zSsHR-Z@D(**s9LfVl=u%|GQ|S=`0gkP@MPBaVulmBf%9rgz(lv*XF$1(*>jDE7rYQ z(NfrnPE};>NmiZ8=qVJ7Js=HXazKv`XGm-Y9!lI21Z#;xsy6%WSgfQfUfIW3%iV#2 zd}YAY!qjIL3+vHqKVos~N;5>g6$JOXIF`(*T&Itp;H5%VlTG7`HnsKcIX-FAH>p~M zt(4srsCVOSQW7-T9#kSNTZ)cqTHR!57U{fH9=xqyFVdym#VzEc$BMiTA z@E&22Y#E3Xzh7R8#jQgSw6wn+^w>c3(rKvLzUAIEAlUxj=JEaiKmT8T{+`FbbUAfO zB%tXbv0Ou)24Uux23i_wjS3)QIJ4HEb3-b5l>=##62I}-nY(+6G^HbGzeC>@d&mjt z1w`v8biPYiTk|EAjJy`3H%=P?5R2I`cq5o796^C~?xhtL!{Znl3Y%`+T;4;O{0d>y z%G`kou}ki;rN-$H2s0GJ0yN5qVLQee&P&i4JMUWnn8$YbdwU(q8%W^DObSQ?!q>>+ z>U4bK`OV>C_7_d(qsG=go~Q$%m=B)+ec_5jcfv5X90^^@XMKxYOe2Hh^0Q+VKnlzs zXyRO01Mk^9-c+Y3x`t1aH9;Csap1UW!nj2b@9w?j+(+^locIg#tBddATbk#Ip%?Ra zOFx&c2wKR*@+Oqs?K+cA+yZKGHCKcgpaayYv2*6}8aUg_z!9u5gORf`Z`xZ1U|~4{ z*8arc8`Uky;oOsip9J}Y<~5Vh^VuCz7Y+ppM3UBQL!GqTw;JSutbA0X6&PWTaNQ<< zm{9H}S2gKYoDTtcU9Cq!PdW>Guo1t}x^yM5-PnwMIg_+olba~hec+pR3*}R3%{m>b zroYX4yvKa*SCHHhA~neAwK{m~k-Aa>TBsLP4W>`1O=W?7QjZQY85f8qN==!Gcro`OxFsDB5N6dtHu{e|{;A7R z`6GTSDB^m3ZU$?`wrZnCKoP%S%95Ex|30~M{v;Gw=l&rwBy9Ee*peod=)iZNhvgj4 z&L1ANn6!`F+YPL+%xfHNQf|`h6QHmzVQ%|zoH6AVJt>4$@!Piy;~KK6t$8uv>u0$- z9So?omlgJpQi5wqC!#``4djh1Nlk++!81(kk%(EK2exB(e8KvZPdr0{l)`Plg|4VW z9R?<~fE5ia<}^j(%&~@ZojteW^H_U%Xxs^U3U48l!QWgoUmxW>L8k~msS{mvS{Zy{ zFQ+{08KuY*=45@!18!cRMc-fGtxPv1iq1#cG?$PLqWK|LiR_zBMempVCDuo+v$ZHj zk1X?ySenna15~8A-KEo1%upoML*q#keU&foeuy`8xrl{W7+pm+qP{nfgws>y1dy#c z?_#{1;q%mBgZq8rxD_@RefGmI2Hb! zzL@>aXFQ|cM$N_p|4@vuN;sXTSyDp;r8Q2i2oY#l@SVVl@jL&eD~juyu~@6J1p{5_9< z>2i=&i0|ONdhh5FY5v1O+m+s>9%BoZ9pieobbwKCA8RA*MAmWzlg}vBvsqdcGdJfvm_Jc7?X8?-c6jaMQZjFag1t6t zaXLbd{g7ED4AAX{m#b7^Ag~f+3}{1q^n~}MExy26L>Kmv_35AOawTpm9ow8xj|(ES zXwHEqBCEwt^Kz)$uJxzals#TnqYTerFZ&0A{I5xO)c2ByASP$urLi0>fzU~ms54Gh z6cRn|T<%wP*P$;~lG~f0>l0IBDGB;6O^y|icg z7~aiS6A~rxM^Y&+B^d?Laywkk2m+2eFxyo2=HV~Pd_-TS9Ah7V`O0=i2S}eOu#bDA z@za#P%gPmcg_PV@K$1-{dr}%)gdurKSwPJr3C*sU`4ao*JXpWZNaoa^PE;9L^_|XH zH+(dtg%Re3U(i$V&_p4kxa#CIqtKcR$8QQ&>Ny!N^5P2OLp$cEzqBm8N(ci?QW>!# zZn&8>Up}q2$pNp)@QLtllvN`j55YO_a}e+y(#CZRvY8fCC;kS-npJ0gWr*st{$>5) zdLBr^ybl}!F{wF~qf^@)=DRxRhBRsA#b|_e%7}N3k{&E`Q)d=|YwC=I!*_E!sdQ<@ z>~FhS^f`$Ms_V6_2jY**&uczheR5agCplin%I5pZmKa4{+3*7ggX##^5z?*xSO>|e;Iwatq)>B_6+*cGN?BcJgv_wH zWw7ZVVGwn#U8B7>@@gc}1>hTAO{ORmmvY?8miu*%_8_ZyaqBVy{#3tIb z_SCnkCvo^J>ezGRp{}*2CX3e+)D_&{9!i2Bp3K^%4>^H>$_A3|=WNoE1nFaQnOPb?19^joZ(>xBwdnR&Ui zOqpETCqkacjUn;LBwtWUyT>(LWdxS6Dj$ zuKjjz`dQVuAY=}3QowFJ>-hKS@h^OE#0?23@S;#0#7V|0M76dX22zS{lJZ0Pm-nEl zOZvU6=+Mmrf{4|^pc^v$Ht4pK93EXJaXkNdY+P?af6<%XBH09@XmLIzj5yklPFue; zc9`}~1o+AR3F@0aNAVt~f~;>B| ztD~;9S3rNHEmX)1SB9+Q{BfcPHI4oP48uL0x+SekK6zlGw}qzfubMe5>YJ!V(uqezlO@0VrslbA zG0_+8uJl#4a?;e*>}NI=D{=!YjsB~j1FPt0bu70MnZRb}{y z9S8KV!R>1g-hlJRCohBFIqn{iAsxTxG|CC}`#y*V&-9)kqNOV`2BKRM==B-|-A)*^ z?{J>RBo-9|7~P#$RNhuj7H-!D=1kK{>YpYf9ks1iu>Uw4wvIP}TpE_snqTAq{dvS6 zzVxhQ45mXIj9>8BqeU8AWjfXaB;M|z>%)a=w8G)>wlmzkhLSpU?=TGf9B>k`cj^5Q zR6JRUR&~n9^CC7|!kU7I5K%OLYnG}azpo^NJtYA$!#7a^qC1%+L=OJlS>@(XbpR3+ zd&xIVWc9=uz*Te$Ot!2^8Vh54hP~i|CBz?`y!f*{BHw#0yDZgBI+;_?i-CdM#b2;& zo1kpa+}Wb-8rpU8d4ztRO7LMYf9Y*6xwj3+VOe&T+2uV+&ZSG`}Oq4z4Xxe7oucbE2~&u-58L4)}$QH#fqE;M?N zLz-O40%3a_@k|^W`V!6JyyGc#dH(^)qx~95gzVrnim={jRH=4~o(T`tj0C#e2 zR`$*QB)xGs+sAh3*=E^2d6(=uT-790(wo|X z&9L)3*^_KDUKm#zKC*-6AuI`dC9`;X<&~@GK4ktS__0_x6=KX%du@^-%Nwb2w)a^w zkiC0u`m0C=ky@)n_NV2>{kTn~XUB=|@J!vjNK8{iSDXQnO#1A;-Wt(YE{@20p6(^A#=T$=YGJxI8xjGW8aLFCPt&OMndlH!_NMpc4_>+Z}81 zScxXP<<&D0&GSXRJ&^Tb#-DCM0HHFUS3Bp>W(vl0IDa9TfCvuB6*F55}aIlc;LiqO3yUC_& z@$7GKUuveqDsiFk7_;Ol+@F4eEIzw6np~E2_z%ap<{1wBHp4Qef{fC=yQr) zjOAo@75ipmW2{kqo;TpUgsmAY?DP4d%Otokg2d!Kw>g4AoGn`hU;kU-%%yFygnMn@>#S0oMumyrhZpV}n+U zolYUh4RW$SvZ}~*a9YpPtMFHb46YPai zMaz;2#mDfj4&%mf88?^(cbSt@#8`&KLod$!Olk2cT8LrVifVXKGR`4^njhDW zC2em?j$Jc#rnI^DW*cA#VZ(cx+GJH^rX&4^GvyaKAE+E{Q#cR#LzR2!?2QBUOuVjB z&z~j3mfvao=G`TP zH1>&*eHoH-Gq)GE|58bcA}b$PW`VdLB6eoc(Amc_>T%B5b)Wcnlz!`9Xw2QSVqvRd zv`Pime7E4`A9DnnsE(*>J{~&2`ABh^mg`-X+u{kNMp0Y5h~gDr|bX{VW0em z+^?Cm_At)5O)y5IE8L*dDrGSh;3wi>6lBm+vURQ;U{&HmFtUNoQqv ztmrPU=~OAiWaRH}8#s+A1qVM#+jz243=1Os#IcLkXH#5=sA?ekvC7{nI3GKdsFnc% z7}U!XjDyG{Y*CEttjRPbzcADTV9Y76QlG9Z4c(sa=~&OO80J3Dqgh;6tzA`OKo(v` zmGOOYo<`5C)esVSZRcVcxppW*5QCVk!@i|40b}POo;(fyK$w3Phx@BMj<|)u6f1|} zF8t(YxKpaff3@u;u#qi7G-w8FtOw~wG1;TNy*BbNFk?r6d)jn^sx;w0;fqjecP{>7E$gC+W%*I{IB?+s1o8AHx2u^mV%;m78I0; zRUIL-zucYy@)amNAw!Mwb@tI|G&s!1HNQzAqXDxujbFSJFzapYmjwX-DQKj(K1 z#KxQk2omCWeC+eZ`o-47E*Dky85{$9Kl2BZuPHAvPdST@gTl$cmm5zhE>oD)OluR> z@aSKsYn`5Hos>1@W(eSKs+JYoafxqd)XRJ}GT2Ty@dr|OrpTUNhYhu_UZ)O_lQ#pA zNaN@EZ9gW=liDuY^=TLcq;5p{b(f(%;7^kMln|EU$njl{LI0fLBrgV zep#O4f6dI@IeZ-v5U1JNEt&>$2SQnfAXswy5cc_*K68_#}7n!4+t zbN}H+E8!Um6q-L@x#$tC2Q=R}qcfaav2p^{O=7Khfe9m+$Or$jxAfMeFWr#9uhlG_ zgmj~@vTAC>tkYmCrtB4*^5N;Bh;?hUnYHJBM}?959^DXg;9TkD!%1Hj%M=3&g8#@=Nd^)cH>+p;nR+m(j#TYH)?6*4 zV|#_3n!-x}vidvT5`2_ld_xOGb)}`})QEF3opLWE=->1B7e4s8g9OwM-HCpeiK&ty z7)*RwtztooSY{W#On^6%OwdP^-F73F<8CcVtM%K`Tz14HZCIJkW5@v6#}UfTAGR3` zcxA`tO3M!6aoL)7c?(!j4C|F?9zkkhj6Q$00ra}Xl3un=`hDNs-hDelmST+R68f-ZGGB4BLo zVR_ZmE$Zj*pq1UQ_8QMqH0AYrry_l9S1{wf`M32G=+}^j zP5hdsSqqG%5&1851$V4wyRj4F=j%{)Dn{cI_CW*XybAWfnh=@CffF1H`BX$dx`Rwx z3~;im@K+Z=4XzoN&XGKqhNW!7^0MbL`r0*vkd}kDgQCaspddRAXQy0fTvxm$a+ z2-8r3DsarW%El6nM6}_Dc(=TevS9vxJdQ4~Fy? z`18>W^UZ2of%w?bwYCZP(&{G|lQXf;8QhQc&&diS=k@KLMT=DZk$RUnEpLFL$ zJjod^$s9gFZ>QvTP24PxJhqVRyq(+64?C8BRGZm==V0}Mt{b_WM*k+wp%(*9{b^et z+}D{NL#6;;$tp*Uv(+|+0wnCB@~mh_rI<(+X=YjkcqPeugH zj+vK|HFJ@r>p0})kWMR*TVX@Jl9BBqsp(wko0mgRr95AR^%vF~(!}sjVyb?JY$F%r zgtMD0n*lfeW-|RuB`ZmMRr8^buZmSVjV6g@1;6sXckc`1*y#8D#UFVihc_i@%{6hv zQ|%YPuB>?xMdxUU-hz}ZKa9n229itVW4$5GT6jSHg7|HK5-Qiu61gK#H<&zJi6~$R zU{_imqTDR#Xde=o6$5=ywD&x}>EIxEkDXCwij4!uJuifMp#MHST%Y0pT8sS`AN15h z{I*+N=6V^jS;m$q(aTxu!oV|TG&|Ap9!d20^?RxS+XH)9NiZ#x4O@zZ8 z@+5Yp4>xfQ660{18BY=DcvOlq4N*VpIDj7{Cn7@bILzp+iw=yKX=o0X`PZ~l#;zm+e6Z@Yxd0XdiG^+ghyF=XNos15;K z3O)KZ>}|2xU~wL89nj|%zGy8>4@4x<19x|B`;_IOnZ4@_B`c)@O1a}`Tf=7!rwe1R z19RL;pg26g4;Js~E3^`n!7Bq4S^P`xKp{*??ncV|`&81E=~2G>4TPnmuTlG%IGE+o zMCGUf!;(nz+65%*tGl3X;QXLw=4q_LL@eQI&tr!g>QTouo)FgT{S6%DKVUSf(~O?& z8=_07hrZDfKG!X&3-s@+WQ`Lvx{1Iqh@0lOs_zcsZDKu>s~1Bv`fQYsx`HG|ArHd< z$W<=i+HizUR%afxImkb&LJH&05B`vHyz~{}D#R%q_rDM=WHN$;;pPU%l%Ehsmpi4)whT=k1Cn)V_^Q~E+iy!r2^ z<@LPP5Knol7GI`B;x!$y^??h&@07(~-C0E?u^Wqq+T&I;8!<`d)5jhc7#e7c{1aFd zHa&={&W7M!`f6?qU-v?DK?lIWCbe{qp0ynHXM`SD2dxbNLpB0|wdw+|;Lv0CKTr%m!3P8_PR^=}{$+5Pa zQ@=sUiBHr12KypJSn%j~1IgiFn*qV}WbZJU03*@EJ)pI*fR%PkpE8xRg#x^z~U z%ag(5eUqF458}bvWjN#qbxT~#9a)1wNY{)>zGD+@e0OU%XJh*xqRh`iE*fh>0RpS`@^c9cWooTiX+h`reI_ zZC<&25vga#Y~{B)oBON-a#k~g%53LLoMrZ%;*YQGFjdrH3INovQ?LS^3G$MTK^zEP z*YhfO$CsKkyN-nxg8Vi=z5A;RX*a#@7-ZldhP62W2Zh`lUr~#eD?Dr(dMz8beid8! z^dE)Um64t+EIvzfxrXroM%-=_QqCEWErk-3ce!QOaITT@0D+6fcXbWJlW0W{GRc~K z=upzrak=UNEK8;zvUF#(_}2Iqy2_<1uL#i2l^zOOOrx(*ZXeKaiPcV0(G*ZXZ!494 z!9|*$xX(1osE>UMxhBiP+8IzCEZ}~L19-m7mq|6fwinP7wM>d(&kALBVqD_e3>V9dk4fEp&Yh}W6KmF_WbYzo{wX@lPhFCxSpkgj;N~aaS{A_&M z?_8VeDVK>c5}%l^@@6&cYx%$;ghIMF@^Q$+GZi1VcrZ-3FXjW-Z#bF}VHO!l%La^A zr)mHqM|Ua`U)m;s?_Zv_LGiSVJ;w__e*F^f>~^CdJJwGW6RbcM_|!%g^tA~~B2hYU zIp{$K6%aYGqx9@!mhFpoo+T`^vj&)cTGu&Z_&V{z%-nnA9pmFvbKbta0-rp8ADDAt~c`(Bwm;&BRsy2WSrZT+e z@&Tt$ziwdvGsd-lP ztFI&^=OcFmqWBD7G&m_;w<0v4?i1kK7R&o$KeA#s(xIS~A>K{=5Z&Ek{)C}PX0{&b zqSqw=Du~PZ1^E)9! zlF>|V-mq4H_9l^dWU(WQklS-bEUP-zu#77}J zG>}082TeHqE=_dEzb_>jp`wSzQh+XFy=`yf=yt#YhDBkd7^4-MtFBx~-$#N1ItE96 z6b2`)D>SfJGu&*OmU~S2(hL<72@2TCMWd@ZI{J$uti!QvOXq@b?F&rMQNZU(@Rwai z_lcwtFoWJTVj4l+LCH||hprinG~s%v0iP&=hG`1sv(ww$@3oxw?7x73ngz1Hbw6ra=za^j3{`^BV?Cw;*1p z&c2EWqdoOaQDq}|yRdDmZ%rVV-GKtzo>1i&23(}>YK!Hy7uzP_a;cPFd?-jZ0m>uX zy;_44`Cj6$2?@wQJ=rO(HH-&xR?%PS z6;98L2`0r(M(mS6$g|N6d4=#QbnfnAvB{)UaF@GeRmJFs`)1fyMF!;;xvpMA62W8{=n5661=}br5*_Wc{un|?(b~?$ zIf3h(-g4BsXaa6)6fS$CW`9nszH4G|r*2g~gx-b3z56v-YV_SWOIXFxjqXtG=Jjr%{Ujn(M<4^*0Sz8WU{!EK5;RRK!MIrK6*xFAynTK5tyTv7@Tu zXb%d%U`7;iuWY(b6C{(XOX`Bx0v%a%(>g4PL>=T@lh&J+cDfhoa?^5i!QNbieMK)maEVgXHn*mS3C4hS^3=Er1v^;9E!syrNncrWp z#i!W3#@0Ix-EexZY!wzEz+g?&SsNgtsOW3NXm18q-y5t-hufK8K!cF?I2@>Or0u$fnJ%h)vH(*3@ZUppk*PIldyXw^(dW*gA6 zCUX?w;%xwN6YLn)OZZT*0W(rbmoS`G1K^PHe$RU$)D2N}YLF*Am%R(*AgFZdWbeMy zi9$E_>?le>#<`gX6dJLIB^sWpmM}9qN?^n%r}SaXk{=W0ZX0U6m)!*FwV^~^feiH6 z{;KaK5iwphdm%v}=8m%A+XT6?x@o8bUBlp3o&4mE3s7OYUyrlMjE8~!Zb=@Ymx3^$Kg6KsHi1NRSEJz5Qy~QGEWt$dc+&78`&Q|g6~Lo83IIJ zB0&psIOFHGt6c2QIkNjzd@hP6FOK$Fkl25M!Qand^Joq)3dKeK5o? z3hP%l>GBx^KK{cdQRnnIqC^Ba5V;L3{QZrZEzv^Z0`(yYgRrLv8(Gh@^XQq}yik^$ zbadFRo1emerY_tTbSohA!bE% z%*+6&mwj3%aK@Ry4@Gn}FNzfpw#FjHk~O!f0+eVchsDjGkNO_rK<^k5anxg(N&F(E z)E(`L)vg!M9xA8;&&a=?z{4UWGBCAF11TQ*E=Ez9JvcCx_CBzuO;wf#`OMde6?^Q^ zcUj3=$J}o*xvJdTcw`v+Rs7LSCmnk=BVh5v$IUXwUB@>ECkUH=e6B7p&Tq9E^d4&u z2^2)M2%Dh$w?b%MRq+)g8o9GXWKX7oP@DlKb`BRxnPqoUN(A}=(cSN2&#OT3GlTqy^7`XDv(SUM8~aL zA9zggPMhPl8I0a(!0+w@O>*UXGCN%%3enZtt7+0Nk(#`Ar(=#u`MecQf6wDzHl=$M z;Em#(^s&+h8C!1_%hrKpqe}>Po7JY}1k)Ci_5s$k z6iU=cpNbG9=a(R^R1~G(EBx)46bqdBbT*U^28yB!8=pU?Rg^RTNT(x-A>BKmb_}vX zX=pE>;|Hq^9gLr1jLQBzYt!b>CrzH{V#oN-kzqTu2LFoJT#_#{&(uX%ckL6t0{+s9?A{t){f}-9B*N%t1%PS1Z zdIo2#abtL5^7*%G(DkPcp+N>}u6dUs4+IH8b@MY}p(ISFS9@Q%3t;Fh8PQ6IDRl?2 zTD&U&k;ow=cE23L0lZb|REBoizy9DNSZ#?2k1*Oz_9C30`MA=b@u{f?m__UFc_RjreWTjlQPKd<8L%cA(LnGqWRm{jgk0Ml}?08Af`GZTeZjc2chEm8qlD75*xdxJ7Im~JjhOYr{7FAqgY zLb{wK3f4L3;m;jESTclJ=9J<72>Y^^R{$X}qj*AM-k?1v60f~la@WVkp{vO;s=1ev zOx0Wyy%Zcp)whIPw48P0)P~Z>1Iu)V(9Yt_Ra+_fNouzHCW2nTrqp8wP`huD=}&0? z(90Mle|}29sdw4%#ZI`o)iB(vm);9($NWg#{}Emr_2H z?Q$F7>?Cbbe8Z-8Q!W{J*zm@;7b^~Tw)@WnK-hG=xgb;@1MIXF} zaA}tTu;Hh{A#EHOR-fc-o4ck~$g;lWv&W8a-c@cf(5V(4q{Q2~EKv2w81Wq-ZK5PT zcJQM8Bw++7$vGZn@ZR)RB`Ac1Fn)b{V`G&#hAhbrkYKrTxHVUG%SE8v z?$5*j$>V>uDf5w#fSUPnsvUHm5>nAHN?W$I(dVIKnQwkH`JO+EEa={CdJVDmxDvDB zDrYd2hdP#zmDxD(-gujR0SS$NB*IeCHM7#A7;J{;6wBvzf?E(frHnx$WT$VsbsLNV zoyEt`zkdlaPc32JDdef3`n7;-$a^MCEX+NkZpWzzvM{S&rCDJ^2Inut>4=mlhH5qj zDQ_R5C;OdpmWU^HGnjLj-N7Khs7Ss_r|o>|)D9W+KG?Zy(e$-=Nq9;zL*o)TfJTFP z)B5YdDhu!F4cPG&j7|UqND0+P+du;qZZ*?#( zJss2gyzk%h_%&?%*Yx01mw3XSt7Tgg{n`J+=78>5-E+#9l4Nd-T0VSnlFoy zgUN0aBad@=sVo~@4SQB<-dd(oE%zNm6nqc$($|e2V1Pd7zJs*Evsz&!F-=W=B%TbX zJ`F+^8e>EXJINjdU_V8+(cE0Qu0uZ09X~q{MVHtesGjbb-=yL3GRzT5=B1wx&-W#f z3e@1AJBldz+pku0z?TvYh$Mh|Jv`+llpRV0Q6&EYVC2n z_Vthw)_{f_BP%AzLO`OYLkLq>*`Wie_B(7{UARhs1V!~zB3WwtPLLf_fuQxRM2O!I zWHWxKm)#b|DDWz5oh7sRe$^t@NcOw<4+*4CJ1AnDG(%ZirU|K0H!}Ma`vH*Ek%EV5 z*DVt<29K*+mUAKw1{dV-{YwK(kTH$#L>|~LKi`hvt{l;DVzk;YuwDL$7*`pR?ur*p zIUXH*>HF`FTnK9TFl=!iMdc!In7l(l2OvCsJj(YBq7_ccg~WESd9<3hEc~iH0Y6(+ z0WDG7*wUydM@03|vH#hc{-w)7fP=^?!~D5%s6E<*4t1g3;pHDMp(5s~P2vfM5f60Y^c|Hnsg_x!?3x>g3M%mX<4{ zvT*Tk6#4_Fi_rj~nHr{{Cf!RsfA#0|6d*5wXv}D*@$jk)kc}!M`y!--uXmXnhD(2q zoK|#|eGZ*@{*wAo4k0_$S%D3wo;jV^9mb z1Z~pl(-tn-?426LnhLflpZ;k$TFPq5r}tSf^DlD^oiSvKYapU6YT z^$Ow1*`yK&hZoaPc)L&%H25v>8>;p6s&31jwm)$b-oV=IUC1W(6%ImPbGChy7JP7h z@0#PQIF{0e30dur&CC3J{2#cU>ym2Ke!kcXuPZ_O`);xpdbjyYNKy}{fCumiXkx}I zcnuqLz$~Z9)5apMEhKw68xsUdl|R7{=C={9UsD5tE2c^_X418Tt6_ZWjY|i{8hE@5 z>3Vw!2A~!#rDwUVKPq-iWT2SwO+Tw~F582T{bzdouQuf*KN3)$I986b*p=HA+*vn( z-DW0?!rXb>PhIY3kp-^c0V9H~rxd}K)(QHul_6>dqG#o{IYUd;QR<|}V%(?MWM5E= z3zBG{pzFBAz1>TjhjaBV;(}I5e@wOFB(RzSxA3JGRyJM$s!NmW4$xp)wyEf|+tc`v z7F!r_){wNBliBIl2lGe%iwNt+eJq)ugGEEro@8cT-6cRUMPhjD+8ZtVr{iFuR3)>p z*%;h34|-bAMpUo^{{Wrk&@HMA5)8djqdQyt;I;hsf$%I-L39W4YlxDBesO^FMrZ?Z$Q;F{Aibwm)6%BMX=QgF9C=yTG*L#pKfTOEWC6C1P^OZ z+7-@T=2V7rQ{yus)uv4Yd;U5R>5`Iy+S_{qxAI%S%4ToI`%N#R7I`APd94bK%vLOM zpsgRr64I@@iL13us?9Qf8Xxe!nh1zU1Dk3&qWA4R34&RYdKcgoDa{6c}xI_jm*QpF(m3@1J`g+O+w@MS850>YmeI8r zQy@|j&NtZ_w}0HnRA=aKu(a2Lb}FCPbtKghMH69;qhe`vKN87SYgp5l(UeI++yP2^ z{hS8=%@tq0%rVJFNIr_pkBpk7{`d7I;qrtL1#sxlrA1^DYC>0M*w4#p^64Bk`LE6D z6}$=LsatnV*yCAPUVJjEG>?xMmohN#P0-;~%0z9U>4hID9-VIRL8V&=1&308iXr11 z_7M`xGgS0}n{l)#55hW^Um5h^6)_H&dfew=K&&)>4VVAhru>H%gxZYw0bNhaKfX|3 z!{L5jg);Mj>>ik39d|bw%i1P}aizxKetd6hvPm+xyE#kzmh>maFdQm&hgXfB&wDL-j!&wHUSWB8`erpmFV~7 zsnlGkMRepK25XFgIk*+2rK4^A=EAAP9*w{b)j;=$o)^H>F*JmN>4zPe?lLXdlkov& zpb1J59eaDK3vJFf0&oGrlXz0NvJi8l60LAv^)ENhbQ*gyYS2kxdBW#W8{u%Eby^!C z>GSyf2c=A}_8-~G(8N5T9 zh~sRxj{c~Z%tBAj3Ua#ro`pAe6HHZ2k)n4z_S?CbsH4bo0^*(5Nv~B$kSPYk%bNdJ zduJIF2iN8C8Qh&IQ`}vOy9{1npt!phXiJM0cPq5GODQtA6dRzpyHf^hf#R+M6xej1 z=gGU9yqnE_->)}0Uv7Tq{7!Ci^Zz9k#+Gs?(a3}`B6jd?SZC=0^C3#G$o=ZlN7CNa zN*ZK5RUfMv>rtbId! zfY&hY?|`q=)_>vgZ^H+ZiwN(@wDf)Y$celOdSuF{fZnq{GH6U3OP^vN6z(4)FQ7Mg z3T?fJRNyeR@;I~6tybhLKQsDWRK|hPq!f7scjF!xBmjut`?+4SC?a8JoI#-sPAxm_ zG_EqXX4`Wkt@A9BMARKD09xUqWhO|^IW3MTrFZf5PncU3y2_jM5K#SjW)!0|(aWSe z1k?F}uWIfcxyfT>wkHbqz*SrP@nHi8YDsH}Tr|;Vf54h6M0zo=n(0f)57z0lclyNc z!as1X35n^9-!~NW50ch~A%lX%GZ@upPoo`=baAW6pTFpmm4FI^`H9HQgL(8xe>-Oe>`;B99 zNi)Q75rJqNN^DksO?;yqwB-gXA`MF|41{`gz&Z zH57&!{LVZ~ITF;kIAzI*Rc@?K%Vem~Ke5YQdI~nb^LKY=n# zKD%wm_b8jt$!8_FJK+MYOW7Mw|HS*vXWX@pB%$E%BJ?%Kdoeb_$d)GGtaVecxq&En zVlj!>vF1iMwa`UzmAh#`gtl?7OKti>XEGHB*Vw3B%l#o4y`0A+ri@AQl8rmUXT@0G z`D>b_x0U6ax4bC>{5C;TIx!gVuCVtZCiX#uw)sX9Y^mm*pEIdmzCL^Zk>aPKeR5yS z2WNDj*U%pE?>!&HO9td$4!Ge~=R_o#K!w8Ag*nVB6*zanJ=+=39Gsi30;?!Gl(h3l zG4w`Y2?EWlR7nIS64+J-(=kr;=ms{DA~92#6gd5CJV#q% zuku2VRLo)hA|&i9j!-6PR70|4RQ$q*Z=+Qn8>UqG(Q`ZjaGN1DbFDJm__r3#k}EB~ zLanPCN1??Fy*$xutlb)xc1$2R2fx-6sUeKWrS^kdoyFhNO^)L1k^!p6tFPy`6W^k7 zk0fKIfEWk>MxzX(Q2QP8nTMo|Gkc5EW{ zBSUy<#0$4hGdeWzU;k27sJD3jycOh_mtB1#ZH7Ek!2(3sN8L@h_%uSUqr+#Nq0MqG zX9$Q3m5f3@kr+mo^Ih1y&?;n@|9m)|Nq9&Y#CB<{noUue z?}K!~)o0`n7E}wKIqcB+5#9!b(MiiUe3IEL)@1$Ntk3PYU3CW+Z*U`{y)=$7omdwQ zom(yK6kEX7>O$R48f3Ko;atgyd4U|lmTIV%`clvJ1>9KNZ$3l%z#Z>d+qIUJ;Oqpf zD`c4}LJ+-IW+krrizZM5`y)+3I*D~#Gy!oaX=ryZ9$oMf8d1dqAXd8BIdU?wg@D`s zpp`wR7AkN%OXCr9{zNZNI#b+;N_0-n$<QrM3r$5hhV~_7N7E7h zEgE*1hYKqtSq$~PG5S*RkUJJ#6aRg!v3<9=m6dWREA4O16PD}c;|cSsMz!RorjJ9O zMWn2zTH*}fyKn7liFvl#COde0Cc{dpr<$aM<$Z?M)>cM0YdJ=m;9Q zdY{eRyVv0^Lr$J9f%q7o^Kn|aq4ll9u$;Qxyuvy>FALMS9p1b3U1# z%a06htYl|!ZVEITvL~_X=^i_~k)p``T?|Q@2pIB@2FYUcLrlY`(+sXDHi+|5Hp$UM zG10`Kuf}DDEZz5=LxPAVmQ-CsI9v^Pna6dU*S zWPc1FS+6GC>)0`lh1zrn22f?Sq;brgR^i2A6k6q#5hSt&c-=Pd1=0OVPow1HyGYi(=Av&ou*|u)vNMyFJFD&$uEEs3UuK2qY>mX-d8$ zR!D)*h$JIk$8GsFxydGh8Z<22o6q|xM`ty61G^Lg+c;feP6o0x;ptTwODXnpzYiv} zza^Yczi|iFb9fi25)qP0&H8XwAbu9f<|TD<(#Q09)haZ%(pypa9*(21`W>KPVaD2T z3+)c~TLG>j6%A@IZ8U9NQKYQ(?SNeG22Lzer5NlRSmIK6`+N~Fm&Agb8Nn-#72rLg`I1+MseeF$~*d9 zb>$QuVU&D`hJD{y*v#XEb)+|AP!47l5_Zkitnm4wGMk!^!e$mJGc^-l^?&908vXLe zJV`TBg;+rdj*Ii;#$Z`fzKOBmqHYssrx9s(VilRA5s(jup+V@hj_lCbrPjLLgsuXI%z_|RXL0+#+4 zOF5xX;{9c*KPvjiQr=8>bd`Iy-uw5|A?@woC{x3Ju-<@P{90@W^;sx?=%qJKoKI)K z)+bH*SUQ?Fr!i<&Nzq$|?p*#pBQjwOB9S0?F59?HY5gU;p$jHCN}crhb@u9oTGa%Uy-laj`DlopWr?&P>c#nNyS8tje%^9F}GKBox4>jSe9Tkq4B5b;N3YTFaiGgM={$d%S z?H^zpRV`^}|`TqlsK zGD+t0sTvZ&>SPtn>HLGSPkLh+Uv&eumYp5$CE6u>h|P5}FX9b_p0^OzaSz#gi{8qc z;;t?IYX6SWx*l&m8c7wb#$_nnkxrZ}*RGy*lEquh6Tx`y5L&Kmk^hHXV;|XFAQqrz z(VN6DX&mwHCFL;rD_wAtq637s#R-DT8O8o8DQ!rMA-}jK#rSnQN-#z_l=zlWedMW3 zIk`LDi_a@i!9&1@uP3i_nI!D%Hojhba|FgIR18VMa=-g3ZGt^6S{09SvzCE-eF zcP56rybV$e$AIu}w9PF@ckiJ_9Nx7#r%ZnuAWgd?{qIqbVrx};T9d`&u#t7Ry3_s7;)MmE2GOG#-8Gn&oWsiT zv_#&0r&5VLb;z{)tMpG3{Bt7gjQPM8z@>wNmc4qTqas1tnsuLl-`D0z#R@4yX{T4q ztZnBk((r;L79fAaUe^^F1Ql%TNB1o7rYLRt)P)<(9}UR~nO%wYDrpM|22izU6+)}w zl&O7>N9$-Om@4*3ZbmD%9;bQLT8HpovCNJW05!zM*( zGvuKML$6Jn;@&mkWm-Oi4?iu?lhf}mCewedhWcwf*Yp5590wyZK?lwKV2vUyV3qaB zoPipUi+?+02CfNBiNhuLfxO~@xqjB%nMf;2X5by?crlKqVZx06cAeyxV*_qE6sc6% zvnuVwGE(qLeY=*QlEGRj?(jP~9$k1_?^49b6)Bil=g2JkST~hMSZq>wENva~k&Yl{ z`jE)_kSfu&|4}y6NtyLWEFnHhqwAM73a0PHo8Im?MX)xnE_2_Q^IAPAqtaQ6LCa&# zYkD_oP$IVD3{Jv!PCCa7-|f!{-NQ%*ZS=aav*~i~r5n2QYA^~X^U_mYsthuTT9?_F zvgo;Q`l!8xwF2#7cbz;+TBg>^XRq`IJHwyes$zH&X+6!MN1x=dENhO^OVBs2+X$5~ zUnADmc-y+vcry|FmJ^z5oGuz2Ut&8DA)w^l+)5!{+0E52L@zL(d)xL4t?HUjxn^w0 zfFB;y^V>u3CyvL?_p@p60BY43rfWB59sbsG^ocVub;pU++TGc-xyQOLYvTBhfl1q( zr|Q%@_Q+XXr_?v7qg#W(89R*q)7@~G;I$*I`1@Rx8c^ta+nu?(TFaI~kiNnUFDZB` z&IyUvLrPv8}#4?!z8zkK6_#r_ABRJQzPkl%FX0$`MJ%)kiNSe&L{;4vnLyXJn(JN*>87<8y^q+L1m!n7ZU zb6N@bQl25KLU8Mc<=)ojQ>mhP)nb~a-ndeJ%9>_$*CCU+?I5LbaQnnuH;OMD3eT27 z$9rwH^eA5;`X=81@L5s(u+Z>~Xyyq7vVtaz8>*()x@08$EX3vZh*ntiCEsx(UKe!_ zDh(-hc(-_3>Mj=cE_IlkWWD;?qoP%9*meDV=tb260XQdpqJTYjGOYlMmR*v4Ep=Hj rLf(OypdZ`Nw|k#w7~l`fbx}vqq~JNVEg^57Ab-}WQ&%{Q^SJ#7)4!2= diff --git a/sources b/sources index 322ad17..b005a4a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 -SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c +SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 655fab0edb90599b83983b952b5d58c90d2c2d7b Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 12:51:12 +0200 Subject: [PATCH 032/152] Remove unnecessary patches and bootstrapping process --- ....6.14-configure-fix-soname-detection.patch | 60 ------- gnutls-3.6.14-fix-iovec-memory-leak.patch | 152 ------------------ gnutls-3.6.14-pthreads.patch | 50 ------ gnutls.spec | 5 +- 4 files changed, 1 insertion(+), 266 deletions(-) delete mode 100644 gnutls-3.6.14-configure-fix-soname-detection.patch delete mode 100644 gnutls-3.6.14-fix-iovec-memory-leak.patch delete mode 100644 gnutls-3.6.14-pthreads.patch diff --git a/gnutls-3.6.14-configure-fix-soname-detection.patch b/gnutls-3.6.14-configure-fix-soname-detection.patch deleted file mode 100644 index 28b33ad..0000000 --- a/gnutls-3.6.14-configure-fix-soname-detection.patch +++ /dev/null @@ -1,60 +0,0 @@ -From b57b820a3f0464e3151dd675af4f28ad109d683c Mon Sep 17 00:00:00 2001 -From: Vitezslav Cizek -Date: Tue, 9 Jun 2020 13:54:04 +0200 -Subject: [PATCH] configure: improve nettle, gmp, and hogweed soname detection - -Some linkers might optimize away the libraries passed on the -command line if they aren't actually needed, such as gnu ld with ---as-needed. -The ldd output then won't list the shared libraries and the -detection will fail. -Make sure nettle and others are really used. - -Signed-off-by: Vitezslav Cizek ---- - configure.ac | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index e4ca66aec..ccbe4e563 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -741,7 +741,10 @@ LIBS=$save_LIBS - save_LIBS=$LIBS - LIBS="$LIBS $GMP_LIBS" - AC_MSG_CHECKING([gmp soname]) --AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], -+AC_LINK_IFELSE([AC_LANG_PROGRAM([ -+ #include ],[ -+ mpz_t n; -+ mpz_init(n);])], - [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], - [gmp_so=none]) - if test -z "$gmp_so"; then -@@ -754,7 +757,10 @@ LIBS=$save_LIBS - save_LIBS=$LIBS - LIBS="$LIBS $NETTLE_LIBS" - AC_MSG_CHECKING([nettle soname]) --AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], -+AC_LINK_IFELSE([AC_LANG_PROGRAM([ -+ #include ],[ -+ struct sha256_ctx ctx; -+ sha256_init(&ctx);])], - [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], - [nettle_so=none]) - if test -z "$nettle_so"; then -@@ -767,7 +773,10 @@ LIBS=$save_LIBS - save_LIBS=$LIBS - LIBS="$LIBS $HOGWEED_LIBS" - AC_MSG_CHECKING([hogweed soname]) --AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], -+AC_LINK_IFELSE([AC_LANG_PROGRAM([ -+ #include ],[ -+ struct rsa_private_key priv; -+ nettle_rsa_private_key_init(&priv);])], - [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], - [hogweed_so=none]) - if test -z "$hogweed_so"; then --- -2.25.4 - diff --git a/gnutls-3.6.14-fix-iovec-memory-leak.patch b/gnutls-3.6.14-fix-iovec-memory-leak.patch deleted file mode 100644 index 15b2c51..0000000 --- a/gnutls-3.6.14-fix-iovec-memory-leak.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 5 Jun 2020 16:26:33 +0200 -Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t - -The AEAD iov interface falls back to serializing the input buffers if -the low-level cipher doesn't support scatter/gather encryption. -However, there was a bug in the functions used for the serialization, -which causes memory leaks under a certain condition (i.e. the number -of input buffers is 1). - -This patch makes the logic of the functions simpler, by removing a -micro-optimization that tries to minimize the number of calls to -malloc/free. - -The original problem was reported by Marius Steffen in: -https://bugzilla.samba.org/show_bug.cgi?id=14399 -and the cause was investigated by Alexander Haase in: -https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 36 +++++++++++------------------------- - tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- - 2 files changed, 29 insertions(+), 40 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 45be64ed1..8524f5ed4 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, - struct iov_store_st { - void *data; - size_t size; -- unsigned allocated; - }; - - static void iov_store_free(struct iov_store_st *s) - { -- if (s->allocated) { -- gnutls_free(s->data); -- s->allocated = 0; -- } -+ gnutls_free(s->data); - } - - static int iov_store_grow(struct iov_store_st *s, size_t length) - { -- if (s->allocated || s->data == NULL) { -- s->size += length; -- s->data = gnutls_realloc(s->data, s->size); -- if (s->data == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- s->allocated = 1; -- } else { -- void *data = s->data; -- size_t size = s->size + length; -- s->data = gnutls_malloc(size); -- memcpy(s->data, data, s->size); -- s->size += length; -- } -+ void *data; -+ -+ s->size += length; -+ data = gnutls_realloc(s->data, s->size); -+ if (data == NULL) -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ -+ s->data = data; - return 0; - } - -@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - memset(dst, 0, sizeof(*dst)); - if (iovcnt == 0) { - return 0; -- } else if (iovcnt == 1) { -- dst->data = iov[0].iov_base; -- dst->size = iov[0].iov_len; -- /* implies: dst->allocated = 0; */ -- return 0; - } else { - int i; - uint8_t *p; -@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - - p = dst->data; - for (i=0;i 0) -+ memcpy(p, iov[i].iov_base, iov[i].iov_len); - p += iov[i].iov_len; - } - -- dst->allocated = 1; - return 0; - } - } -diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c -index fba9010d9..6a30a35f7 100644 ---- a/tests/aead-cipher-vec.c -+++ b/tests/aead-cipher-vec.c -@@ -49,6 +49,7 @@ static void start(const char *name, int algo) - giovec_t auth_iov[2]; - uint8_t tag[64]; - size_t tag_size = 0; -+ size_t i; - - key.data = key16; - key.size = gnutls_cipher_get_key_size(algo); -@@ -82,21 +83,23 @@ static void start(const char *name, int algo) - if (ret < 0) - fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); - -- ret = gnutls_aead_cipher_encryptv2(ch, -- iv.data, iv.size, -- auth_iov, 2, -- iov, 3, -- tag, &tag_size); -- if (ret < 0) -- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); -- -- ret = gnutls_aead_cipher_decryptv2(ch, -- iv.data, iv.size, -- auth_iov, 2, -- iov, 3, -- tag, tag_size); -- if (ret < 0) -- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); -+ for (i = 0; i < 2; i++) { -+ ret = gnutls_aead_cipher_encryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, i + 1, -+ tag, &tag_size); -+ if (ret < 0) -+ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); -+ -+ ret = gnutls_aead_cipher_decryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, i + 1, -+ tag, tag_size); -+ if (ret < 0) -+ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); -+ } - - gnutls_aead_cipher_deinit(ch); - } --- -2.25.4 - diff --git a/gnutls-3.6.14-pthreads.patch b/gnutls-3.6.14-pthreads.patch deleted file mode 100644 index c69d97d..0000000 --- a/gnutls-3.6.14-pthreads.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f15c02b1fb9faf3e06db2c51196a27b0f9d72672 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Sun, 28 Jun 2020 21:33:09 +0200 -Subject: [PATCH] build: use $(LIBPTHREAD) rather than non-existent - $(LTLIBPTHREAD) - -On a very recent openSUSE build, libgnutls is getting built without -libpthread. This caused a thread related error when trying to load a -pkcs11 module that uses threading. The reason is rather convoluted: -glibc actually controls all the pthread_ function calls, but it -returns success without doing anything unless -lpthread is in the link -list. What's happening is that gnutls_system_mutex_init() is being -called on _gnutls_pkcs11_mutex before library pthreading is -initialized, so the pthread_mutex_init ends up being a nop. Then, when -the pkcs11 module is loaded, pthreads get initialized and the call to -pthread_mutex_lock is real, but errors out on the uninitialized mutex. - -The problem seems to be that nothing in the gnulib macros gnutls -relies on for threading support detection actually sets LTLIBPTHREAD, -they only set LIBPTHREAD. The fix is to use LIBPTHREAD in -lib/Makefile.in - -Signed-off-by: James Bottomley ---- - bootstrap.conf | 4 ++-- - lib/Makefile.am | 8 +++++++- - 2 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index fa47ac5e6..02504d8d1 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -168,7 +168,13 @@ libgnutls_la_LIBADD += accelerated/libaccelerated.la - endif - - if !WINDOWS --thirdparty_libadd += $(LTLIBPTHREAD) -+# p11-kit does not work without threading support: -+# https://github.com/p11-glue/p11-kit/pull/183 -+if ENABLE_PKCS11 -+thirdparty_libadd += $(LIBPMULTITHREAD) -+else -+thirdparty_libadd += $(LIBPTHREAD) -+endif - endif - - if NEEDS_LIBRT --- -2.26.2 - diff --git a/gnutls.spec b/gnutls.spec index 7a0c210..1565bb7 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,9 +3,6 @@ Version: 3.6.15 Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch -Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch -Patch5: gnutls-3.6.14-pthreads.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -146,7 +143,7 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -autoreconf -fi +#autoreconf -fi sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h From 0e56ef2311e2f8154351b5087295b7338a7cf2d8 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 13:13:24 +0200 Subject: [PATCH 033/152] Port Gnulib test fixes from upstream --- gnutls-3.6.15-gnulib-perror-tests.patch | 46 +++++++++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 47 insertions(+) create mode 100644 gnutls-3.6.15-gnulib-perror-tests.patch diff --git a/gnutls-3.6.15-gnulib-perror-tests.patch b/gnutls-3.6.15-gnulib-perror-tests.patch new file mode 100644 index 0000000..5de2e14 --- /dev/null +++ b/gnutls-3.6.15-gnulib-perror-tests.patch @@ -0,0 +1,46 @@ +From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 27 Aug 2020 17:52:58 -0700 +Subject: [PATCH] perror, strerror_r: remove unportable tests + +Problem reported by Florian Weimer in: +https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html +* tests/test-perror2.c (main): +* tests/test-strerror_r.c (main): Omit unportable tests. +--- + ChangeLog | 8 ++++++++ + tests/test-perror2.c | 3 --- + tests/test-strerror_r.c | 3 --- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c +index 1d14eda7b..c6214dd25 100644 +--- a/gl/tests/test-perror2.c ++++ b/gl/tests/test-perror2.c +@@ -79,9 +79,6 @@ main (void) + errno = -5; + perror (""); + ASSERT (!ferror (stderr)); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c +index b11d6fd9f..c1dbcf837 100644 +--- a/gl/tests/test-strerror_r.c ++++ b/gl/tests/test-strerror_r.c +@@ -165,9 +165,6 @@ main (void) + + strerror_r (EACCES, buf, sizeof buf); + strerror_r (-5, buf, sizeof buf); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index 1565bb7..dd1ba97 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,6 +3,7 @@ Version: 3.6.15 Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.15-gnulib-perror-tests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile From 2d25b601bfb3b0b0f356aceba9a665705fbe6ef1 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 12:47:44 +0200 Subject: [PATCH 034/152] Update to the upstream 3.6.15 release --- .gitignore | 2 ++ gnutls.spec | 9 +++++---- ...1F42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 58697 -> 0 bytes sources | 4 ++-- 4 files changed, 9 insertions(+), 6 deletions(-) delete mode 100644 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg diff --git a/.gitignore b/.gitignore index 7d1a9d2..ea6a2e0 100644 --- a/.gitignore +++ b/.gitignore @@ -127,3 +127,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.14.tar.xz /gnutls-3.6.14.tar.xz.sig /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +/gnutls-3.6.15.tar.xz +/gnutls-3.6.15.tar.xz.sig diff --git a/gnutls.spec b/gnutls.spec index c0f328d..5280aa8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.14 -Release: 2%{?dist} +Version: 3.6.15 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.14-fix-iovec-memory-leak.patch -Patch4: gnutls-3.6.14-configure-fix-soname-detection.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -280,6 +278,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 +- Update to upstream 3.6.15 release + * Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 - Fix memory leak when serializing iovec_t (#1845083) - Fix automatic libraries sonames detection (#1845806) diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg deleted file mode 100644 index b1ee43c60379c783e5f3457c480d6a7ecc2447c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 58697 zcmb5#gL9?PyXg5H+qP}nwr$%sJ4VMz$2L0Z*tVUHZ9BP@-#K?~pPH$fnSbE3_FB(3 zEALL_%>YUOmBc$}1cD{pxXIaBVJ{hWJA4%Z)9ni{SHt5yt#wqrchRH}nVar+Hg16F zb)B38Lw{tz5e0U;n8D@MMBjiku$@o$9b!zR>J)Li;lyXD^sHJ~Wp6q- z0yXavWO2O;<#hYK2ABm-Tz8iOqOtR5$)65eONbbZI^*!NeJO|ljurm^x1@h4m)2vW zUeaK6U7O~oldSCtC{mVzHLzMPnOZ+V*%2W!J65foX@`K@ydA{uC5*@0Wb1 zeW5;GRFe6ThZJ$+-VDDMqV-(fyc$ux%tbl28IZZ^g=gNBei_x9a5cKv&+xT)RIv`a z@F8k69-rjTJjDBjlH1t%1(L?fdomeXh=U>`0RzCnfF+rJ}ke72fhDD6WmFZaET^IgW5za`-4hWFLY7|``6^>`K zOFsIcPaNZX4Ssw0e;hgaV!Ut1YTwvhVK7HDDh7}j=5BiZJOgozfiI(Z0}6UJXI5hk z$jgEUQJ~TAPqrv2FY4#Jy~OMYhx^A-SX=#eq}XA2@ZR!G*;fF$=H7r6`5k)QwA)+E z%}uatXU}eKK;FoJseFjfM6UzF!B?O6>HC!yr1!th!TYy!z=U?tlAmQIRtw0+#`@B= zpXei@`YfeaXW=woM*ZU`f_{BFu^mTe?O4Yk zN9BNA->_0|0wd?h(4Fxsc=3TZuma|3KsG^^_@8{YJ}+*G8LNd>Am&88i{5`7AKGt+ z5jd7q5~b<0A03dZ$6I4bro>e6IiAMD^#aE}&-F3}$bt_5UVv&bU-nW~@O~-ZCM-fa z|7Y%U%9q98jtg$>yh?8&gZDTfZ~MW%nzW`-O&;gfiv-^lzoOcv0FXDuOTjc8pJ)A3 zM2_=Z+0Qw4;)3{}&!d9U^X=Hd408)=Vsf~O0&*yNvekel*%$1t5B$`Z3@TYYsKo%e z*3WgHYd@KB&eP)$GK~=E#Fz7n{&fhBzn!@4Ou9qdt=y~@K&}Tm`{(1MPgmcsjD;jH z(_5Y?^hrQAw#z%vvP(4H6iKa{hGOVW9}24DKaQ#|)wjcdJ>x>f3-+N31jtKA&7A_~ z_8;LAY{No{C^4Gbb2SCz#SYk*1it&Gn*73T%doM}V3*Jj`o~eDuljbncI;`X{elTI zx&gU%Gc(IAbkBE+$goCs8X=yuw56ngyn1u@wzDq+er+O=w>r&OU*|se&3_z?{)%r0 z_-77w;s=VeJQE-rGmF#{bLeWyQVOYr2pep$$UA@tkhh6_nzuthVQg)x{1c&j+?=y? z%l{uolRxI$*{ooOX2yC6Q0=m?F^#U#>o@`_45(| z@={|KFo|xk5rt=sqOX(BxasaF>i~I&20S`sFl*o~2fLw1cl*_4Ui~{Nga#Qhhb?4+=S3N+k7$({pD+$t~@a0xZ@b>l43MbR& z|8W$4P=|gy>PKHul!C*Mj+1~~?cDV9S)!dh*9qEb^Lm2#t4oLlKwdq(%@bg=S1e+mw{0vZQV(U zF`5Q>d*v^K$wyMP|2UA}_q?2@*DiO zbF6O6SqIz1Vn74Pi@#KloBSjWtC8gbG-emF9fU5<0rEyMM_yLY+0R~~_eu>5+)9V5 z2hIO+G&OF%9Zqle6#q82FF{B^ULu%^Vj-8R8#9*NWcQ}0nXP103?SDQi=6!4rZBxTG5tGNe0N_ z)Shfa(a!9S8#`GZrI-o^Ixt&|5C=v1?|ms+n0`A9DQJ)thrslwsDQkfdaD;=>mTE( z*;&(0vd{gz){i@YY`l09jlWawISYmd(@wJD5l07*ud4Ph->+kd55e?QIt;qG}S44i<`;cEe5(;`WcDR{{8TezNrk zIFdp<(cuH~Huubnp$l3Vi3K{{pF`AJGnPfq0XbySTz62!^wmZ5x_jgozBLK6az6iY zp#Rg4!jsjv^Iq4kYe3NLXtM#x#!}#+lJz4XEYwiuo41q49gi_)0OU~eFlF(dMpzeNe>z?peX>`P%{3u0yoJIK_7z0=&Z^NWwfUS?w5} zYnrB`q?U!@uT=sE$8YPy^grTllXaedw&c+gm%NB7*^+JaaE{T2(dyNGj{hzmQWp z7;8uPCA6064607oqJFkmM3{l1AVC7iz<}k{2U_s4EnQt5xfvKdJUr+v99%6e92{KC z={91*8e~(4Ae5qHATXwAg3?rk>wj(wRxn^Wg;_nie|KZV>`8B8$zW>6VB=u# zYGm`D9nm>D*jkx*(ObIO*?w=%$xal7FNT;-z8jD$%+%=V{q@tm6e@AB^)u1HK;BIX zkSiax#Xa{4&dk_0>J8lW-b(+l*ZMzJb@>0ks`?@o|EM>(>d_P+R~LK5bs>^Ky#7gk zVc++&c5Ozx9gwTuY`su=138D?NNC%%!*Z(WVXPD3_n#Yt4-8n&a6zB>-@V#fnb6rA znb0{pJ6M~UxPCvtGx!_Z8W}k<{Ig*YFd)zGO*=1aJumd%q+JLBazthAg3t$pC?|we)6?R z=aP?gQb<51LsEfE9_zmHt_#Se{Dp^S zbyfOh4%oYuJSS-RC=ES{hL@4zZTx8%)7e2H|9q`bK_TpOLw}1?V~w(+70@rU+u&Y~x{5?x z*sZnFyK=&*TFH>HZuP7gM9iym?OWbPeJ#V<9zTib$fQzUbBOj#_@xoQOfHYO!eg7X zm}uR9k4Fh9_WPW(YNwIZT^&+-_8{KCJcN}>!I4p6;^=E?g40y*_*)2fO?)8~IrXqn z%`Nl@GJSLxQ%(XiO2mzx3P=4J$lU3Bi(!!PQzs5bFtkx9aPA8XVLB|+ihDO(%NG_I zlcimnAg4D;mVG>?01x-z7A2^uEo-U_!JnpYg3-5aRib(KVgC< zZ5?80$rI|OiieE`NvNSO*^ImK>wBV;Y-AB>45hD4Act!1FVHYSw2;vC;q@95rvsVnlU4}BYJ=E-ec3MS%dDQ>Y9`O`W=^u+1QyEp)bLIJj<6nYRM8E9RaAO?jeOR834w<-wSk9&S3| ze7XX)dYhMX#vXm?IOMu`UxUqB~z6|S} zwta__|E4OHgv-eTbVfKKi*V3`;|wa~5; za&?v>Ddd89s0d(_tCrz)t7L(T@0P;sG*H)8@-o9r(^M*H;;&-@^1Dc_@z*WyIqN;F zk}aBL`J_^ymcMtR8c8vUOf-EO!j-tI&_Xcf2t13vKSFnk&GL|xm4*}3d&{p@V^qwG zG(hyh`@LxJQY~VGkx}Lu=ae?&4!)bCIT*T1{HbR=%ALhnj&beXl;KJ%0JS-IeaEF8 z7@n8>imRXs?8T%+kj3Nk+pe-BRGu^=mHH{ihjM&^pFDLuU@I@TT?918k@Wj`Q2zVw zQ7YN`{^2^&4r<8}>SC|lhxp`IQ$a(4U*V7OA?F`yB9V1n3#*n;p$&StxEc~j_ABAI z!5;TRBwKpz8krSMq9^jc=zZP&z%c7jXDCm0DiZi{l-TG9!qKDlj2aRRs?DSER+{a` z+_udFf{5v8qk(Q9amsliD8WjVzs(G(TD`E9tDmoTW5fP?2@+^Lyb>2C`}chcTZ#_J z2^@vqX^Ba1@T~Ls>7G}sQ%c@uu2PkAU{`Q+9@3EnAqIb!UUiYw{QMhIrYo5qewzH2 zeyLLVkhBx5Tk9KkC4kycMGuk5gjpGUUz)nfGM4X`%`a~Dsjy~AI@N|CaNU0Qhh;5` z$>l>ae0Wy*yxLC7(SiWPQi6A?)FCol82etrUfoE;blPUTY*)p((x=Ke#PlV#s*+L5 z$mLXh?CbOy%2zP);-&f3B?fd01_~Qf6enh$XcO)^cTa$2bIfL~B0W>YR287k`Q7TS zAy-)=Y9qt~Mwvqhk)YrX&O6KByQ^;!4OK3T?_4Mh`_@R1{SETV-Sx(mv$(p^<34dJ z=5l925(*_hCiaB&r#wk*>Yj*%(a!4}r+IE(`o(k+n%Q?Y;Yf}cD^d9ANSGW+%MpwE_Iz7ym>)hWEX%n6B_0p~MJ0ix8M`y)Z? zDUE?)%qrN<4Wb)d2TXjeURU-8@S@44ZB?U?svc63(x;fe7BB~VoZ?|L67hNd`eugI zLGvWZ)EN9hFc96m#x|3NCygSFa zcJPOhHXp-h-BT%W8MH{C>+KJ$mF*Ocj*?ZZbUGx?3c9mUQD*2@<~B+sP|ttHL;n4z z&Vxo^91t)lvUG3&I1Cgd1PCxF8ZaaXC^|3*5HLOvFh=0__^2*5TT{c7oCwol3Dp0x z%I8epIkGpQmEG9S?b?&x!5+rtl}1FU_PDcaWCD|d!M%X;V%i)K3F?JJ(;{l`nsmzi zt%qaUKQoghv|n#HXu>(`cuX3k8uR(P{I#ftE{$vOdiG~4pQKR!q+3_qj+-DIh?HEr zhF#9?&2VjCAVc3fg%wE9>O9aSQ8FI?*b-Z}k4mS)%IrnerJq(HMXO|qyMP~mk!QoE zq@m6q(|Wg4lkIx0d9ADShT1%4KX#0?B>{qh7&cW0Da0GkonG!_kLiX7zgo)L_xNLR z`<5?B<7L+G=cA7rRkQu3b#L(^caZLrtb;A3qtv94+sIu; zH%U3EzqHss*3*+Lln^M0Avef-z;t5e33i1hc3p*8W9$3pg3qc5p-{t-(#-tFGiB?p*&jD1*7?Ne`MM~nwydb%oO`qDCg9z-1{ zP}W_|pR_lMEFqwQ3mak|wL@nP$@xg2{{M`S>i=zcV8D`7br8Ttqhg%}nGjDhvl ziQM>y&{y{KwJiDH!U%4udoIv4yj@z96Qf~_<}AvCb!hr63dh)!6~tDa;idxio=1su z*NN8h7p!59B!Vb;joswyWQCVyrDrwrp)C`H(z)au?uv9nj|pL-(Yk2>8jypz)+E-e zVr`WU9ue9K4cdgF)EM-j-tTt+3>&e=@8ES7w@bUnH>K%l-WGV_yz0g6{xhIjV_A=% zxs^uE8Yq4d5$e~W0bR`7RJ@sA@UEqytv@|rD(C~Em-$HmIpf_nT90d;rskljRIbGv zf0N&i!?pG#jm&YjnkCweaRpY3ZFNMS7A%HRy!`i+cDHz(Gi;Yw(;(q}$Ck8}PS@@H z$V#qUG8VfntTvc`LQUM`!lg_z_5cMV%0vsnOu3 z6OIoW!@_LUS8u4pl}`Oeix2)SDK3{zw48j7o`0DKS(Bf#yfrC$bJ({h-)ranpiOxd zM3B<}}hNCD(M>X8+^X=#a;A>m>~K|DdHL{;8@Pg~8N zzyw{bT%cECd-0Vd6B~^nTT7w&^{_@6ojr>nWq#(*|>q(Zm{}Gk)?c3r(P>}4>l>c zbLYSbW6i?R+cT-dV&Sv6I8}5D%ioLlP8}^}et3aM%O!f75FE}>m;Cg6dS0idlPam9 zH+P(d3jfubhG+(iLp{mN+CM9{0n+cE3_m_SI>|V09eQs!O#7Yqy=A z#_H;0@7jC1H--F!Jn3#$MM1|nnKe=~dty5aDV5PKz=N6V_-`Hx>)hXY_@_~ie?oiT zd1E4cX*P25rCfPfI6-4NoDds$Z8_h~W zzl5VaF^=2_#E#RycgIVyqm!3qmX2x|RHfJ%Y(d))cz~?onwD}Ip$er|*ZbHz?%RD#`cMpF9U0$S zB&*=BEV{tk${AIX?kbf^xpv;YY>Yxa2V;C`2WAujV;f%E9x>pBzyc7m`@ ziIF^hdrwM5rcOLs&Y2^;7~++}&c|~i!x;dIy*zOhZfuDFU+QL*&_yvkT&{A1=X6RS z9{186hZT`F^B5#4x-n34@0|FvyYtDVBL}9%!=H&g^uR{FVz%}2)p3KrX5Olb2SHVH z{73Z*gK}lYdi0*n+OBW4l-JX)IW*ux*pwHjEb&O{?w#jvkSOC(=wD@URj%2&p)aCW zp?jERYa}O40^F$=Ad1B?owK$G*S}zQsXyzA+3bzZlYjJaaL;WzMop?7VKoZ1$o!j! zqK@Eq9!EyN+moMF3^06%fRr{7GclZPS~}@a5cOo&>1uhTIu(fqQdO<_{w6RR zF%&Deu;QRb@UbA>B+2pw`UFpdtz5xLbg)(eI0Sj7B3hP~r{|USMC?HYJ^{oRVLf^g zJLmhW8{NFIkzy0&#-4%K{wPfOif|P&rX&i#p}Hr5JY~1!5mq0XrTaJ+34ml5I@W3-+~Xg^U*T*fgCxkp3ka5 z@iQo8UGYPdqHbqPy)SbWb2=y!@Ze4=SiIe6a%ay(ReUK}UAiWWRqt`YnA)x!!2m*V zztpWb*@?m5hiU^Thm?7XP1pJ3(|~^4eGC+Yb4>Vd3aAO02#=4qhe~xx?JXJBRAq!_ zk8ROo`i?kLN=>QX;SSZI<`w4ICSttr5)Q2?1a)topz&(-oZ70K?leQ1_EmbF)yOyg z_PzcJhwF`K-ZF|UwKtA^E9*%PBKEjBDFCryWSq1Ibe5QasJSaCDOS_UtzjnGk+7on zcEcu0$G9{RuevjyXM1wMWveDVpqe9VJ)u8hR=JSpMUWD)P*e^i}# z0Q!AqW=zAO(_@owTGOv$o~Dbz^)=OeXj93#AA3q;%%`FBiGII2rI-Zehv410Jf$u3 zt`#wPrHbsOc=iesqM%p5Pdii!gHSEu*5iKtW;y;UHTaF~2XAw(5U3sIYR&5Kn)oVV zt69>ZvIj{&c&EmhenziR<|_pn!?EN4dx}f;cDXajPK3Y0&rg3tE31FXuo*cdq>8Iz z$&2(W;e7lU)rKDJU6u{SY~RHSn$J5OwHw1;T{Qc{MUpl0aDXCoNdGfY0~lh0zpwaU z0%b^vO*Ni0tuyAhzKWK8$u3#Z#z0?>m}($iG_eOw*O6Um9<|k)b!LoyAS8u$DD}zi zk@OsILWzrYojl8Qm!c9q?ktUO6^y#EY1lm{z<#WWt=VKxzdqo%5Z>PtAw!yl_h)&a z8=u0X{fp~+wph#Qef)y5BUuCd(KdD^Ko6W0iVi%#o;WcwTDUN5IUN@_&yCZnCypQbwe+|sh+dJw&`Q$?N$d_-zaUl--u zrQ}P+GxvHcE+#?QG3|jRpyYUVEFxPt=|?pUuMXYlb4(-9{5TnEK=8v+XrCmEW_om# zvIYZaYgN)$ z+1wQ|+6iv*3=b`UhnSHN$>Dcoi@h(s#(R@NLZ(HN+poserMY3Ri_37EQzDc}}SB@0dA5}zyu z#TNbO%s4M*X*IuAsUs$|u}P%YqB{J3ha{i#h)zci2+dQs4NEh8w0oXp!Yn(4Y` z`Xhl#VaZX{Wo4*^J#q)DpsZDV795&XE$hvx{o;r~ErxAB8e;TK7zKxXGQ%n{1yyAv zL+j(ks|MXge~Vz;#7z;yLWB+wx|^_w*Y-8C_dYqK2>H^aCTJ3xJJeDc8Tb5B&?ure zzJ%SPji!9&{-53AbI(!;!d{Hm0_C|0r_S-!%qjC|LJ}f%VnbYQl80GP4?e^sRCUVC zE#+^uRV}4}TI6J~p+c*xt)ezI0Avh!B6Id6I|gCvAL^MA7*Y+IftIhucb?g?USpUh zY#*UnG~7W{c^Z?LPAfy4Kc^JoBOmP+IDjJg&;Xu8IU?O*0HA2;`JidDmo`Iqqx{kA z>u|RPCqyiwn%!KZg)s%!kHsa6hKxWu6&H?6qU`~Hdfx-(z+Lr1`;RmgnM_^34qZm_ zhe4Lp^q!s-KOKso;p8sI-sngz z8BK&Fts;Ie`qrE>tYq7(6&gMa07YE$rZZ&nLd40${A(eTYNM@$Q|T^c~Gg%HR_>sStj_LC$S7% zuG6A^Qr?Zp{ac8jt1~SLK2K515_l+-L=edqzv7e)q#D^VY@QNbA6xn|co-nE!K|pL z27|iYpL=Ubv$pH#Fxzi}Az*NKcfgzgWBc}4$J z$^juE8oY@oC(guyo%YnejvhA}2V-71l;$fIaE5eOI?G3YL#&h76Mb39%Ru9 zF2kFcN!3f0Revsbx;k}vRH~=V4%Uq*+Xd1uqkP0RcD^Q-TU`y|OZs7`%D!P%UbbCYQHCM6Ze^9AyuC2{pu;NZ z)(z96EsQQo6)k4#u4G0P4Yn0RnAv*OtKZ1P7{rT5McB1;s*zoZrBAY%GwNWZMt`fj zS1s1(LR<8Y{GpvvXFq0B5#lCrbSU|ty_nCrdy0u-F*(_Ec<6>Sp!j1}RI&FSY{ctm z5SzO8=$W~f-$gy&OT|k-txI<>Lz~N5vNQ1q0(R|;h)xrZ)Gs*aO;M)YylC{0k_0kQ z8yi2QN&jECR-Kc5X#0dG=X*=)5~r3&-3Q=2XK^ga67y|b?kd$Y9ItMTIO9)0B%#+4 z9S}-8X;Qp@l#!ib{oci!X7<3{6RPjPuJvR#d6g%uo$m^iC-uG{_%y6m%JhBH;G7OA zXqgF7va4wNz;FKaxSP~a_eqH;M?MpNFSn0;0VTRlU#BbwzMXq)_PKg4IlAiP*}r)% zj6B?!n_aZUBG;&Jz&Iwy?qxVxHmezCfF8V7p(G4Wee@+M}= z?&TN_-c{Q8mmO`|nv=;KL81SIL@v#A0M`Rn>u8f0sq02I)7gdC`YWy*K}iyKK%o?p z&V`E22>GWd`cJY%lng6=D|sn8D~CR^D6lj9)#Ze&{aJ}J4-kLVhY~*ecbERalFn_` zQ%d`fJ6|Zl+3`41hr;%B&+z_Qo9wqpv3SXfgWpwXIQ^SC&tT3tT> z%#>PR`9ZomEO3bP+c}hoGebUyno_bA9LM#uJY7GVNMzo@zztzwiMx@^LvtKBOwB_a z(H_$|^Ii^e5YxU{l~8K1obEXZU|8dY;x-#4mpH5~;g-cL+KhNVmLH*{2;5H%1DXHzeDPXf z&GvC?PS&Q7NlVv)#Q;)`wGNz@?GrNixtHJE&nGqQydp<>ZE{QSNR@^d>Vi17@ndPE z5ifIXlxjvXye30dl#R*L5GW+aO>Ki=mZ(|CNBUWB1kM0`)aiq?@#h!83UP4kE7=oM z1|YWQ9YQK%6byDr|0BOG%Zc?OmqL!p*7+c~B^)}33U;L={@k1m9mmhVY+%H+p z9{C*L!Ow{4IJaj+U&=Wk%xSUg`6TAWwh|P4@hm%)=1m?eypsv|VLnHHpR03{_P#4cE5ujVOnsx_cB{$zjZ;T7&yt z>H}-Dg>KDICuuA@)Svc}=eUKDc)o=HSF3-juykw8B_PHc^QTMQ=*_eo~mOU{cy@x&aTm-phYHIDA9~_K^eWf&$ zoT@KLghD`K`m&Bcxaalb3}-Tt>|~uamyvL_6TBcTTh1Tg700fkM(i(?Pz`FLXeieQ z!+yj*sM7j3iFU&V2Al-N9TX5EE6o$(&@~Xr^5YoUn96+qoScq@q?qjAJPZcLzi$r^ zkS%4hk-e}*c!W+J|MSesL#yoC%F!@7zY7d z1>E9URcdJEyv^WkyjLNQlxSP&1Yl^qI_b1(A$gyIhYCr#A&1T51nNgLrBosp{+$-b zU7yN1y#hE;_9?bHqCsN#rm3&=yI9VVZqY#~h+lRk@sS^k*F!1YqoalzbobS<6<+8eA#cA0 zy`VsPYh@4ySKED6Vp~WYU{UV!J}jO3Q5*g~5&jIGH15xCRJO2<*3 zvt9c*RlShE^zsDh{yvhKThQ{LhMidtEJuy;dPO7(9}-_t45>)4TN@fvW>?>qfoRYb zHk#G>0Wy)-i`kTqs1~KUbP| z=Ks1uH1KwTZ$9v<=Lh1QxIO*L{G+8M6~YlOOMHbg7i5QlwtCVVOJOa^Mi^9D?kX7W z!1`#|If%0md+~rvQ!HJ;nK0UwE|*s3$w=V7triyg;urZf{{EG9`mf(MELDxJx8WKA z!~w5Am0Muci6P7`Z2sE0oI&)SOc)7KqFt)H79Z79c*kIAZ@!0Z8p!y{IQhZyP(=_g zE+x>2{+ox3qw#khqg*d(Uua=1D18W@EdAH2#{!j}jfuz)mO9He(vX3kSPIe?*R>=i zdcfcjvN0RRu3BV9xjU{@L$-V;(us%L#>akjws3{A#$CSOZD1|z?~oDHYibHax!{veayH*lzc z`8gQaNoHK>ouS*nP)p2FHHk&IAv%WtSQPoFeR^@4?{Dsc@*}jXwmHAIzkaMnTh*!*u(d7$ z-9p9*Dn(jYyN`FpSV^%Tg9Am5&U&1#77%$OZB4 zL^l(Tvc-p4HqjP>AJj%NdjIATp4jxA2OyKh&E{8yT8TO$AR>?7%V_ww{7}|p*b+xm zIw*_F{C(gW? z4DwUi=mg>39rR^_4h3S&yKDfq>(MoYixv$B7`O+`Fr%9mj(g=ae zSlliouA@dfsUP=-jqqYH#9~292!6d28RgUX6Hw4~3N zl!CFrCg*x&QR3@}l|rL|yrr(kJXSKId+uCh2Om;Fm$_0VP~F9h>H(p!H%ln$xAK0% z{yeXZgVe8KHh<4}OI7#0oM*L0^U+QCuXwAz+442|r>#PQ2K*&G2i)cGnqC>GW4e44 zt;B9q7rSArR-0`7w1OjoWrXOR%>vJ@Js`WHAI_bEN(|av2)dvnABIMyPhcp}ZVv=x z`mrZ=Eb}bo(VC6o_xs|~3H0zb%NKuaczcDn=~vccgb$<_ zp}%QOe$&;gtaeUMRF+;izIJqG{?$D@nkSOM!WP^ID!-1S7ubPRE z%O82?MZ*CBQNvvQ834%HkSbs#urB+Wz5peey=~|~E~cVv#k6g+mw#aQ>F-&*{JO{` z_+dD4((uzf6Q>X%jBjAPl5FscD;A>S7dG$J@}_O`ZKnDN5B1{Fb%TKS^GloJD=S`w zTs*cFHuwVLbVFb_`jy-)?a$cwn{i@AC!rE)@8%F=91JgZms3>Ti*Z${Fsvt#rVEy; zqtU@+b8oO1Hs<8ShnXcKponu_4WvFNZJ5B({G(Nr&OZiRBzvULj!}XKaPRy-!H5A0 zb!({RoyclO?2E0Y1lvM4=)cV*SYPz0Wv4GAN7hfzlYoH{W;)6QCA}PmAg_2FQhh2i z(HXg8La=`OiJ2Q#YSGUl8fM}4E+EIvEez<>X8B3EmAoC)2TfO;KR28A@yLxi)1;`Z&;QCz5Y@ZjP4nro3ULB$!9G7S04ZM_JBfj z@OK_fIe&q^QkF3Vr+{e>B3NHAoB{{q}KMMQAOl!gh7^Ty0cLu zvgm*)endCtTwv{idVl?JnU&5?wBln}Eu3d;&xytX?;4|N$rE_b*7Gec*BccBOirJ* z`NfJWUW3xWHHpNYLLkdgX#2}scr@ge8*}&^8_&blBd)*4_x|a&t3Z-9GC15cFB}u26*>8Fh z;i`U#P5iJZ69pl^6q}noAeOXl;0HMnT&61L>aFQjqPp?NUQOkulofFq<@|Iu&WAl{ zykfh%Pe7jrUwcHKyQx|CQ9i`|%!}c$lcrw!R#SakDEC?{t=8+ZIH^E7FxFkhiUM{> zA?*nydN}v;-#iov|MT)+8AE%>-J&B4D@SGwO8BPOrX?Soqm;;ukFZ*kyHw?|6$$$r96uSt_qIn1wv5s7a4c`lp zitYNDN{-n}2eC9MSx-~rftu9GEI<2?I<^bOCh?3mSDYZ+)5T$I87o@P90^XaQYI|P zvuxIGTaV2z|JUx7sB%ILQ;wX&68W}HUQ@-`!-=t8B=?AfdD-BGHof1!1>)QGTn!==nXf41)eYaKX*z`F|+@w}(yG7y{c;`~CXZqX#FuW9{^0B zha~AINq+Fl#)qs!`Vu()VFAe2Zhs$dR&%F55ht_Ie^ha-Ldt4~YA>gY`>BR|U*da!i&G3? zbZKo^Q2{17Q;;9{WPAfsmOIHl1`^@=tO^Mf>ilGl?dt1a->mV4yVe_#god8k1k~4z ze*(ahiTsr8%H|#$honQ_-{x{jR**{eWnZ=<8ZVPX_pIQ=f!wTLH7=;%g$Mk3L2Y?# z6)vTM98_+~axVP$F6)*AtoV) zpb)SI*KiB>P^3-b;9u?-|7L5!o&M&P#1_?q--sQjs zAMW=RYMfVkw8V4o=THN9G+DHWhWa!l9x|d&fZPYVMQvCnYHU~wrW~nN_of|6L9riK zN0y=)5~$*Kf`M7VEtEzHtTMLn7mldWiGr9SMh=ifSot>(k4M<=Jd$JQ0n8d|nK~8- zpJec@{7{&N=TmtXpg`)@3K@K8>WoxxOPdf4*f2}D@XId7G*-X@zxGp$)6lAsIROq( zwGLBYIvse=e5L3}7T6Ki$s}qQU;~CIgkB~caXpudXnY}pN~>hlGINXDpZ9?ZoTR!! zn1Z~!9=XKgJ)=X*94Iz2Z_RxCd=yj1^x;r%d! zEU4bQr$VXpZ_7<~<0}_5i1oomcUTu!7eH16{aO5(3F|Rl)*ZfqSEq?$Nt*wa$A7(f zrqTbO7hA~pM%+q839rCm5kAla1tB3UzrZ7rZ`;;!{$6CF3R6_vl^+h5LNQdhokwor z^ZD2q@91w~jVHo?n#ut`$nNks;;}`SA5K4a4&|z<*ar-qm9E4XUO?~v9N&<$0`SHj zi&qgbZl_%0+%*;j5NNya>us}0CCeGOH;_q|rVlI%$e3)Y5>)U!iA-as@1=20mi|fU zyCnv1OGcDlZGcpB22rc9rXd=Z6-png)n-A_iHVZ(B+P?YdmW>sGQM{*a8zEZxb@!m z`=due)GcQmtu3jbpC79FEh^mdeEv)!8Z1A&QC2o3z5Mv_$= z+a5fAQMMub>9VOwb*`XOsg+sUsy+d;+k`xbs5`;obijj@#qU&|81xM*P|~9 z@}g%GiB zQQHxrPvYEtq*1bf2Y+UGxpe9h2d3l^2;?|@edhx!I?hLd=v6)>)9RQDA?{P5|~TvI~+ zhH7}WRbg5qX5K^#)e@?GCE#@y8D!T;^{Y3q*Vn^W3$KJ3#4VF1&W*rq8XFwo)Qbm? zU~ne#$4kjl+mnR~f$~TXeL0`|#NWHJPjoO;k6a#ZVi4|P%UdSFl@l)iMZb3gpC6KK z47{gC_`{vCC*J~GimvVBWzy~8f3bEC&XKO+y6`*p#5O0IU}D?O#1q@LZQJQ+Vq>C- zZQHiZQ)}(L&Ym^3_o?sH`Tl{cyWYOK`|f_~y?+dGgBIk5U^cd#kK&}_8}^Q?TGDU% z8n@pu-BNZ`&%vG-;e=vYo)X3YMn~v`apjOaJwd#j@83Mg?>WVB#CYsax8GG9O7uD8kb!*4yYhV(ui6f17W0#jm$Wh((Fy zsfAAo@-jVCKg9_Kvd2N$94i5fsxPM!ekbe^S z3-QBXRe1nzbz+i~*~+d09)bA_I-o+$oxj^wc(UGgzY+>Tz19kryl*pMr_E*jcuFouRn}E zMIC*`S!Hd}`e9#-#)r81>B9?8C6SdB7DSt#p=*5`)-t80WEW0jlen#iZ_>s9{Zpy?C!k)T{G!yy?G_Fn+ zjKc7@=Wy`b${4M|>CXwCS>IF%q91m%>>tavtmb~cS|A~^prRvJ&5VM4fp@665Y1W( zrtl=Rz-lAS>&b`JBlqm}|y)<3BXA2pn-WjdyiOoGcipS$Rv2x`S^?;vbkIXqW zKXKNkPN$)E%zfjih&41XSU)-jg?u$+ZQJ%JjT3*^6M@sT#0~Qtp%uM66s{(>m&$Fw zIO7IV{D85}h@NF88EEEMmM#=Jk8~x>GDC|W3{_I5H-a=%gss2(xVv9@mF#A(hFW$w zR^t2Uh8_OwWKRRffmf^Lh(~LAi$)^AKUg3|*gkYqbUlRRZx}WcD`xI#cnkvt=vB|{ zgc;J&^+&Vvl9u;*Gy>aF&rXn5>9c_&)rZ6f(aYMhSQ)_H_%(21cH?e%yfd^&QXz-yXpm3Ey0tC!~-3Z-~1l80vjCG?$qSX8Q7H= zTo`ZpZ6h=${fCo*IK#N^6X85~z7z#K=TTudxZzDWk2@e)^VKq~4>p zK}L@q$n`---FN($+J-xt-Iv^w!#Kcg^Y|nThQ5XCj++{mmF6PW%{u=cd$ykI^-fZ; zToos z4hAMIAMl|r$Hf)&0LS(AQtY3?*i35iZJ;AXi|K{1D@I=qA8?QLkTo-1W55-p{QG0w2Tf(=TT3`#`}9cEdY zR5*dQXPO^ONSv$N=GUnDHCni%Mu&cLDGGNTQuejLxi`brPjZ>pS+XhWdM1Q-aL$v5 z(d=)M1V--#fo5!-n^t0f)#IN#dSoB|-U`sRlJpZczvI(F1mYXo2wEwsTK+`-7JBLK zX?sk$f}$uLFve{%A=uN;WZ5=`FthL5ppP+!tcJj;{t>cXw^e3S&u&#LorjA6p;^G} zR|7cop{DU#luM@7zAfCu*GhaL)wEUoysZj4a2X}+O6ZT*QfK2^jUM zM_lf+#^*zY*S4@k`SDxNa?c7-9_JyZXjLHl#*vTQ$Ww-_q`{$ho48PHy96qVW+s(R zMO9JIPkAscL53Hho*psXk+zW&IhpjAgTOU}-lVUNYT;~r%Ye|QAH5skb#`E^eRYT} zK+(=zL~1ofGvd@ytuaD~i!&{Hf@x~7@mx~d<4{@_1w1WHW>bnR6;~KfZYsH125bd# z#24+FpwrNN06c;<`<{54sK^)2{9VHgRB{37itwo4>me8P_cETe1OoCU0uWkCZ^SoD zxrQYCaOK-ito7LA;ml!-ml^Cr;17!IJf9o5)j~N6l$Aj;cvoszx&$aKGe{H046jiz zN-5SEcd^Ra%TUq9_MFh~#Xf0Y=1xmB(dEbqmw)lx2cP6Q==OqdZOx4e7`_Xwbq6~+ z45s6g?Xqrd=;lgKks-%D7iJB+=@+^W!CFV=3~VN}@OVjAk7K^3i9+0dINv-Wj{p}| zAgiH)#~J=fJQ8M%MK^8Q00sf(qFKDdhB-FaD(tWCRU&SiOVz*cUMHsY-F|!LdJgTI zR?e=rZpM@{oRfmM%g{T*mrD-{iF>5(AXNo)vVltX8`WQCM{Bs)Kq=>A;?@`vd4zSr z2>UUkN4c+Z_!~Q>Q0O4SGUj0~5WHSnksw|dn6=|Yj6eN?meEf{WwCh$iITk1x4Umo zq9?CTX+pG6bZ^nJOS?jhdPZz--Z`eAV%(-Vd4i?o)55SGUkTX0znY!joz1+LQd`!2 zXf$W1H69OuQQm&d`xFSFJSNh%#2^Mumv%JA!5Bah+Ns<30qi$aJZQDDuc`t1U7!o}!j9K2 zC!cRf4gbWETmH7>BTDG4xR?9b$-+oM3wMfldP8_+U%C1s`HGeoe%uiD#|L~wY}-=P<5um!xV4WqgCuVl3e z&41^iuJb3Er3BK!m2KE$fAMKaqp?@U+~~)xr(<&tzphiV20!oU;xb6H`-m1itfu`~ zg_2VG24RIim$pjbi$B14Kv~R>aF`@a7ZlPJPLt^SqijM9`>G}FN@bc?RE$HSdOVmY;0 zZ~e*({xSP2brT9Omg_44*3H$P;spx0yl|{qJ*TiARv~ksk##4o!Qcen;W0ByaDj+u z0QS9N2Y<$H>k6=S06FB~^$T#@yJo7!fX9&CrV(MzT;uXFE|h?3!H*+QeWG!ZJP2dT z;`AhO=J$Gh+xdG%5Y)Q&v9iZFyn8j`8@g|h6l&}AnIUsW{oASJsG=L>riehn8Ot!b z5tC(0iMY;oB-C^~ScOGeZzLpb?lbr}PrDO>S%>2jwMlZpAu+H{%QpdXN?{9kKEaTm z0*yDW5x&EDB`*&p2h4SR+q16WT=!c$ub;S{=@BphkZoGP&IUIS7l;z+qfeuM#_1}5 zkHXBmFsi&0S6i8>IsM@0K7%_GvAX}Ws0)$)#-z*t&UedvBsOHQIw5c4i3Ar~#D`u$ zRsMyc`l`yz%8|R?W~?;7$`G0tPC_CHYM3H#%KBd5k+>Kgnv^fuUtx!r)uZf1xnEK3 zaG7SyZ#Ko731R*@wX~xnyGx}7@7Wy+egoH|Q%M_3U3Sp=2Fla9Sk=a-{FJRPK=mmS zMtWlUwe@n?3@m@WH_pO4Szxw<`{nug!bwbb5LOTU?(>5qDGZ2z$iLt`wWL+l-J2_r86MOVD9{*(=hB`aH z?=G%*Xo!83Mli=52FFKEpZk6!BAVx7=^bs7WNq~I4iP zH+Big+}O8S)jlQ3=sDd7xw0kG+>sXkZE7dbvq`f9N1C7}mNaQ`x0wa1zNsI<=f`3ZQBUACEVhg6(jz@g$Y%V z$jdavSvteo57zlP9O(Oi8FBO?>_MA2E*DRiL;n#%wdpXwjXR~J^&{qKgLtVsB}>OV znD|peu*FJhSzky=TfpZAaEym{TF<3{v2`EPajp%!n)Srf9T4MQLS^Fc)JT=@imb2D zj|+>4!@+o$ay6_)v9Cv%9vMyTJ)%9!Ov$Zob;XHu)D^`^n)=0)zzX4t6_H=G<>z%% zml9p;XGadFz=J&>J6ZXAJrw$_|Eh-^oM1rGmEr_OOtey-70ZK}@qYGVln~9lcim=?N^c(}{ezaMw?0;xlS5$Bn1= zC+BTE@-2lJ(L3;xFO{9zM`LO?y5EuFsx2ZV7!a2z-}>Yq0K9DzO>eUdM_iv>TN45e zujGfKDJvizK`lJPZdE6Gy62HLZUh4vad8BjP`fbu2Xn4H zz&KZ?dene=K#KQJ>W_fbFc&vRP1G6M=S1+T9zNR<9TGOWuniq+eU=|b8ZFtq`Pc@N z<*TA5yrbVTj46Fgmsitdw&};PecG@e$fMvVHJcaUz#5Tt82!TBy|E~ zFaCu)qija(OW?3D59D~;m#8i3df&=JbCcm&LG|lKLaYq(Gq)fs1;PVYwA7EQ$kD)w2-_}B-=40{pvgF z;`*JjsG-}YB=Ba6G1uP$0qVSWGFcpO(Dn01W0q&K zl4V`D52yZWzrJ#k*}zhKIBdVHxtRI5vtmLQ?ZG=-Cc2c7y(k?OTtM*YA}L+j$=wNW zqUg&p{?2ISc~GGp;!5kT(cb2DUk2+D+34w4{I=wR;C0iFvr;9HSt68VkH(%g=}5}~ zt3AOiSw({`JD3nVJSuL}%+j+%;Egcc!)AVh#FS4*nT>QZ3@;IcEhuMVoG*1HbV^t_ z;EVe{l%Uwp8dxyj>J#=8g4HXdj268@@>i*ju$cFQaMzbq8I3Ytd+MF+Q-p7Bra!!z z=~A}j``Te<=*<$KHW8Sct{oltYUC!OBUdkqv^eSJJkT9ZLp$7!Ip$ZPm&9lJ?08Q} z`ZUyzWgfj5UFM3*Jx_W8A3>B@@o&5sdZRCys-~nOjF*poJY4+1e5kU#_i2WK9O*ix8Sgzs@K$*0$9RRjrC1gGtZwd@6m;24^eHn zE@DJ9W4~wX6a7a${#obt_n+$7t3z>1Wg_07Rfr$j2st%)YlEkZB{bvtdPP-7BPI>m6l5XU^R0`Yn#;581;{MMjR?^{p58e^ z(v&cp-=HErpKyVPG2uRSv4Qj;=NMz$rQh9Jtnd%m>3==I9qfGux_PJW9%9BQvcr*H zKa2+E_&|UNMlb<&x;(xG**4TD;ai58-kOx;Xp(WFOr&baIN`;d*Q)BNd6x|*ZRaZ` zd)I~lgq0$~%IEeLj#~TJ1sZ^<?ONr6Do86y_~okX@C4QUw%3$41e|9p5;1XRQz}aa37+5T9#WM3MK)n zM#FF$l4x*ig%HvKqex(w7n{Iq5&g&}?b!vg81vhifD_Btf{`TJf|jX;o~>47xGvfG zU-@e;oO%{EM5mjWT9wxwumpmMZW55;6o;)WFxl9XY1u{A{$PGe8ER2^;h0T7dp>Ae z*3d@qK+SPC-|Miy8j-t5U_BI^sDOU|E-xAKDhNi`F~qMVP2dpMU&0Ovd0{Ms79Vlf z`YGink`q3kJaP-Ppq;I)QbTNFTeb|d}p`jXIQC}gn?cqu6_V9T}mnTd*kE9?B zF58XX^r~u3G)c}6nuWhb;@Qtd+T1%`&3q?K>Ut$&sKne7A!f8frwi>AZGq2qtAcd> zff>^Ay4WzX<5HUDuVAl7ie&iCRQ_Xlkc^s5kx}!KCZ?}smQ5IZu~DndcAgl3E>Ry8 z$~uUJU=g(fp|7>G+}SBauU#M0+EeulT|M5)5rNgUj`5u*7NU%{1m7ruV`s1~CMxk4 zG{2me)Gzr4p@@L1}DEY8+Y*tOkM+iOwAz;&fP|0{`KL4^dFO} z^888lU*A1=p9R^-0WM^8Q%Hc^0tc*Y%bxsB{>PPq658Tk$~1_AXahC1IH?p*^5y4U zN0go!NawXSVl#OEjD68>y;mf({&Z9IDJXhhRdezheO@o)9$3+3H6GrCjLR$x~Pv$vX4f zM=4eY41YM|tXn2P#V zivF0X&My!-h0NtHJ>YQjSb>5tOCEb&ID{P%cdMXOIDFOZ41j-%litj3DVf9yN>}tt zLCZ1?KqMIYC*H~{uCMZuOFF7Dp8C1@mR@iSn*VnRq@jE75{>RK3?4%RdNRS3EBmv? zu?idhV-eZ|W*aQk-|Mkd_xH-*{vZCw27~l?5CTYmAf$p%5XeYUe(A87HN$tK_|05F zaAj1fUXAXKb+MPXf2;^rwQ$|iMMecC;rn<7 zwRJ+-NKiDn8=-`B%=*jjjb0F@-&oB?aonp``SpGl03XDlG%a*o6vJNadWOu7)b#7| z<4rQ74wsf*iVf;;yW>tBl$(%}EYpi1$`aW`r{!{}1Clw@U)CUlXO}aaKT*lYwleKG z+kF$;6mMUG%bq##O>}gjwvq~nE~rIu^kE~A_h-g)b2=`UDp28mx|+%oLI70{i;F%Y zg0N)w+&iM9tJR%L0MjH~k#)_|HufaI%fcZfvRQRo@~)J4J6aY=>cpD-Q7B%4-5MY< z)hv0w%&d?(PNRDAracg5PW2J$8xt%Cy8^aKK?q*yc?tGzUoYipgO*F5;c%d$0+^!? zy5{Hp1j#F!XDr7PEax6$NB0?sLQ9b0L9Xwr@UGB%4sN2thsr;{U6Aq^zphuV-q#S6 zAgRJ|=4@WcSX>9srYC?EQX-^{6u4e3v%+QyCsrKcZn|4hd-3H5U%+)iQX++v-w*Vl z+m1w=FcBkNxqdi|MT^Lq97t;Ng0lG53J)682b!w2SbT#+>CN6iq?!;%W){M6E?2|v z0b?^emYGUIxL9L$rNb(85CL$=O;(xp&Hqu4zef`l44Ux2K0SJVxqdZ;hq2t1KmsJq zgulTv*|*I~Wf;-7cA2HiLcYw4gd{q=+D4 z)gEw=QR_IC4J`PSVI#&w)~t?bJpvytTFsH%PoDi#qG{deC988x2d%m0^yEQ>M1~~$ zMbsDo6bc-GacPBow|-`tIeQs-67}C-k3uzjEGhf=nu!A&p%TkVxa*}-=%-8Xpt&ml zJuxv)t*P^Adwxq~hch&>K~?vwkeAbslK5JieyHN6`n7L9H3c=oUSR5dYZU^U1z0uk zL}UV2OnALzeviSX)`R5RmmJj$6VlAJa(r6^#zLG4moPVnR^C{129Dql8e;dx<5INc z&?LFCMfBEAusBTtUIZVcd2*!ReB2`BC>%qQm=nu>3U=kr4lJ7eJR^l=p(Q2IWyhda3(rkt!E(zfoj6OImr9NM$eQbM?Hc)zca zf$?h(eddD+D7d1{jb>s~-i3?=QE$41^NiX}h22slJNi{@&<3`b0XK9(P!Myoultp=Y2%phM-$4xv=y) z+ZoT9u;p-Pw~W4lQR}ZP6pE^^_TkSyu%2s*90GA^i#86L|4xi<#<4!wth`CEOwAjE zK;c{#M=7G{-`qtk`Q4kq+ux=t0FwQu=qb)m`ZVXap)klnR8MxYcVcNg$hhT1nuuB5 z;qt`yh*tq7*0E<*yjI&HEvP2&f8T;10P|Gj3mAHOp%Go3%!qV|u zZmL)Bb3FSB;8#xRH3D6&c5k&sp-#%CZWpLLQZObC8f=mw-6RI+xZ!e+KgB`uaJG$v z-6(GBY5vdhg{hN+sg<6YC7pqd6>k_w_ut2Rln|f_G_wSME)|1BhX#d#h5H|N!ugBC z6GfM1;tzL&HI>hP<#^LVRVJwm4ddLL{W9U8PkNVvG$4HH(c$Ofl7yOp4mbZM^r6n1 z>`jwG4HM}Eok}4*YTE$uev%+|ec{LId%m4Www%9s((jGVf0XBccr*x3$R=w%S}v2% zQ$!9?)?|3#7#>%*87K*+krAIZM;b`H!$yt>#7z2hn=vKAEoH&778Uy$bboTw)&3^z zR;HLkZ=Y&zwFO#xyoSi&J;0)GdiePgORW7wXXz+>g1i7aNc=}RxKY6?>`Sk_vg-F` zV=I|1$C5{(f$Pd#bh8ZEhAPh}4eo>_xyAm{A%iF#I_}(>@h_Gy@l5jIC!E<{i%|V= zwvZ@=Vx}&F*&ut?Nwg&m!@E1s_5C#;MEp)GK|K1H%p{nJly4hZgtcdq&_0%>US%$w z%$-jLn-Hx%iXzy|&DdR4AJOtCBFIT+c^rv94r8!0CSc6Wx^ko8mw4tlPl?qj3!{+7 z*Cizc%x3B;Vmm6yB(Y?WDH76caW=>OpcQ@}C+1IvexEiIh7muMOKQM_t5g;Zs{33w)Xs#q_^bSj6e7+S-T@9<#^it#E0&JBn9A1$FnD9p z70;hCet7f`*i4C@ppXn5UJ#criNwFsh8O?5C=f323h*O?L%K;I%$7@i zab}OiZ%OEFp&=hG;8pFYT@K%*W5y~^Jk{Lkk)(AB<&ljxQJr%3IrPtHT}isl#>@-} zG;z=kPd=SQl~y27ZSZ!gME3ol66k;BrMWn8xzE#p09gc>uU&j6A74{Aw^Z7(QS0Cy z8nKLBw0y{D!W}qFJYJ8f(vW$1QK*w1e`yKmmuBRG0-N1Dc!1gll{mU$|B0M)>35B> z$v)-8$?M3Eq?1OAh8f}!AE@GO?G|p=?QwJw1vgH1A-Q~XKdO6AMi6Na=-KZ53JVA6 zru@?wr0^<`Kk;kIuLOG*wbH{G_-~_YjDp=>4jk4{2h|PJpatq+XfYk;m?WMi=Wh#n zb`3&mmQ1*x%JiFj=JFgh2;&1fZrogxWOBRG&6xSN<$!OK8=bb1b;<^_?P<5nSTG7| zAmKy(0~$BHF`(%jM&aLC2Nelh(q>P}kB^$@F%GnjWPh*6AJb-pIpT-8*Cf9JaeE6| z;t&@xmDqP~QdrifWTJAIEO@JT_)kx&$>J`nwN&xOHe?q~m~HXIBQSolIRGzf9!t>V z^k>BFIV)Agec0hiU;NwaT*XTjF~@M zdaFnu)p0K-#i$ujp^3&zlBpmSlt&5|G=KC82*$sXB{Xz*-YTG2tMZ(&inSQFR7*0> zo3^25DK!n|uMl9lGd3#uoF(0(uUd`sMRH?e<82ULHDob~Ya0i1+kBP$e(JkpAdxnwU?pcXCPP*j*w1lUm z;Wrn6)1N3@^TspMqb$#sfD50eJS@Lu3Ed9rQ6U-B4H%I4_c-ydX%p)N@k3mLB+Ql^ zXTr~l)X2h)x^X7Q`AhAVjy|4EI6l#551Wb(9;HcAn{czXRzXoR?|~M63OIF<&T&Pa zUtjQiA!gclJu_q{7Rtz~)~#oN04++;sHitiL1|Pp;M<5nn*KR@B#1#(=LdnN|^% zJz+;p#2$|_Bq5+uRJX2>d7V6KwZFzi4kmqCO^F#9vDj_6pdbG}WkLGiKSusFZF0yV zzQSLEh|wsWtl1KDc1bYA-y_4=j6O}=?0LM6`Uk<4c7CUcqvrB%3$p#hNup=>G%Ya_ z*&gEZpdb-3@CL<$qzu+vJ!CLCtfPFvgW%{|<56=Ia6-V}NDAZSK22w;s_^SxFE~%n zt)G^8T`40(iT*^hyL~&RGtT;>VIk0h0!x8zjhkL*NDv`M2XzGbK2Vtg&2M~~KQfyz zn*2*rVf7kwZ=b_*o#G}M%j#1vdba6aF-8Bg^3^uwGEl&RzU+?>u%@02fm@3yo3xHM3VmO9FwS)*^ev@F~QH$FBh zH7~lz3YI095%4K~;x^9!?e(D5^@EtL2$(#_*3DmZma^dh0=X!RZXqY_O834FvR@wj{xM(b`{a0IAIBKqu*ec|1p zq;6lKza#r*PS6Aj0X7DbXN;*yW#sOOBo9K5)TrJ~&u8Nn6X{V|qIeqorOeZ|=22Nw ze?3;_Tt8V}Wf-vlg&csCg$>;GTucgW@|BXlhN2=B<-pryq%PmPra2WSP+}de!hC0O zD`m14srRJx_|Cd9`T_*TQR|r_xs3{URkGUqat~(^b=!{{H2Rje@rS(b)Kxv(|2%Ed zS^bHx@tgeb$@9NdA94Ks^}lA8f7CV65w z4-jSGrkeZuy1R&+YYnle<+q$a)V1_l05EWXHe15_#e33YLFb~>{n9TASq_ke$Ho8g zMK@c0Qz#rncbNUx^Z8R<^AZB&h@%hZLkV_lXkj`AP4cX9qP#r<0l?FTb_5&2 zlS7!bX9(k%go@5)8r9!({;jS(e*@%5c8|2_Jh*-$mEFz|9JF4^n#h3xJ5AnBt^N+el^8v`_?A#KxQjWi{$8kSa9tPcIHWmT}jX5|HEMzV0~4ixx3*itV024?%sfT_Xno1}Nhn zU-ipMvC?C4+Kl^+rqsIru1o!)t|>48fUE6%#9ugAV6TcT*nXW7`eeW4Xaj&L;!Tre z;E^o6Z-+VZjzHA%j@qBBoFl3iwo>$a&cD?)Qf@#t9nisTJV0h2R8vD+5sE54B+BT3P7}cxSKEe1D3uP70g?KhBE+vclU&_#bYJ`8PYr3(395*(NsD*9TUoQJ8dNapz>tv^Ok$@a`8M_wZ zz@Iz$pc6K7*Mi5Jk9oDf<@}+pNp%8pG&MwHJ$Ew$x&*|gy#pXy`&uB?0XbeNAs@5m z*(Xs9Rk{vR!{)B~Ptw2TsPV@C^*;SaT{D;fWHYvv1@|3H@gr!X5?Lym$#*9lwE=(; z6-PSEI$gA>Q{73drYG}LSh-C9%IWwk=O1;gvI39+9?Hg1JYJNwPfiuO8otf0ht5F* z$kBSamm5YQ^|96MxuA~_JwVH#5&bPkIsd3@S9Snkr7sgUlFpgAzNzmVWH(zQ zB^XT>AjdF2D|vA`UK9^W4lh>9-^nR^<@vXq?}u)G<-ln0ohwSgs5zGdvXCp5zlN?% z0y_pa-Rpa^e=W8i<^zD04Jc4|t9(f!DuhVcfo;zqf@i&c;SV1iwV9 zKL=0@mq~i6QnuU!fH%yrk9{gey^~kIBQKKcww|1OQe$^3carhniURrG|s_b>M)WWBjFW{b!&5$@xcbYv=@IVIddZ zL>jKQZ{qj%J$^+&Vt&m@1pxi|6VB_;ZsvF>dBU_Tm zD1`5q)2Kf&%aosW^{CSf$mUDNp(AvP-Zr(RnxR!s5oJ9O!Ty)t_VcgT{U5!Jy#N4= z`H)u%pMmh*=K2h$AzKE35YP^nd@#SD-Xi!?k8Xc8A~0)WZMacxq1DqSL%ixMC2IV_HYY8Q4J>?X4p2BM?{qGgHQFK5Sb_551F9G<6DtJ(|?`?`eyjt%TAV(mSmK^V(%SnydYMo2A zol2SMVD-10KNPr-eL#*bdJnl6ity2jnT)my_y%)966zWt$BQyEY*CCR-VX7mDmF(R zUO8mWJyh#|Qs90i0v?NyEK7CaAgNK<*uRm>zbig^&X<_S@apr89S6SRVFEr3x=u`` zMo5r44NLPLu;3is1S~ZR#F-zJyUMak$|;|JL)!j8;8-I7&tMGo4NM^xA;aM#ow;T* zD4aFcaC|+V*M1e%0=ff?{Q(~io1QNabMw?0MtKU-(??fa6(!#Ct^9{<)63(2s#adV z<^O@eMVSFUl&iiP$&r`n-ok}yk7VeBo53KWk`^4uzkV_1bof$G&Jz+Kp6hUad0=MOVJ7y!6%vDR?I&4#m3vwMvfjElI| zv6Th@?#l?>UVrya9u|!-OV4(54f4vVfyoFWa!Wy;5Kf9~0o@WaNRWfA~6bF={F|M3z?)-yiki zFx)1!I6aFFo#}=swf9n@p8T$o!OO3{Z&>#(x^GMgdziW0c<=unyc-yhPJ3xc+Z}P0 zuF=ucSQ#@_faFpBHkGp2YerByJs@ZxO?jVGxLz0O4U|e$d|0t(48WnhkQ%f_uF42c z6_bPI<@Ru1s(DMKy%^z7-^{KO)(NZlQXk|gX-#(b;L!5b%>v_Td)>Oi-dbE{3m@86 z^T;zjb1j@3Gdt8dV+~UgysxleQW={`WpF2Fo<=!AA`M2;ER@<1tL|aa9BK1 zHq9?M{j)uPugvNjR%AGkmrI=QHSe;8UzfvA-cVNkzbt_$6#GzOzpJ7&4S&Z$gMc(M z(-P#B0h_ZRiK$b!8AX9#6oKzt%`TU?G?aaoT)4?#g!CYSZyu6`zFI!pm;dg|?4ra@ zjkOWlD1_NWY4${VCviwi&i1vO1QV}#^TZDc%@N)`{lo>G-OS;=N9^9Ot#-klaLxH# zsG1cQhMbw)f7CoH^F0}6K*g{u>g@p9MyyUy-!-xcmVaF4x6AX-*z*qpcft+zVLfjh zNrW8^#^>0*=Z#2Uc@fxFuICN6_JFRY7)5`^0i4K;~7|D~dCvv`bq z;hpGUM*yyQB~P8EPN1YjAq@6cNaD{SbB(_EJPJ@~O>yfL+B7;(L(S#6idm`MsXN_< zIRztrWwI>oOTvXv&x1S*2zmomH5Fp^P|(7=k~0++WiD{bKbu&<0Pub%02doU$YiSIdwxXT)L^~h?c ztgg!NkR)TG-q6tp2S%#0f(X!+F`z>##P+Kuo7&&eVbn{CVBRcU}JjANO*X!u zyG6A5+@!y;C`11nfqVaJX8s3(D+q!Ighhk!#SAlKJG8?0y?SUxg}!`0{6*vLSkP7A zWPWD)bkMGta)w-FOxZ?ff)hVBFnhM9bIi=R1R6$$IkCW7j@NB5ht`VedAZWniQ;o6 zf;`vh;|sg~qwr_7q_U3NbP#OM1Q^93&_NrlJ`{^RG#np|J2=9#{#)U3g}zvXoc@r* zGYoD5CRdjsR`s*Ohxc@_cfCLYnPKJR86Ms}f=|FSHasF=y-h!&fgor(9Ff{UecGc(B2z$eazy;`p#*kKm04eFezWn5(5`w0K@q|7f=h=KKTUf{fQ zc%nX1ilxwoV2@bSc}GRB@R?&AN5D-%b<2WFMo{C^{G+rPg& zXCm+b-xf6@4W+O311Dp77zI1{yUWE2cxD=Pcm`s}w!>}dMb(oIp(Rlf;!)InDhO1$ zp!R#v+x$5pWJ1kxG(T4d1$q!1{N#q%KL1ShLuJjq5?KnY5Qmlr)k){tOM36ZzKJo= z&7?glN1iTk|1$q0**0A2a&i3#(s+23>ZFGk>NfLBup9J4F#xxgCb`z3)WFM*6DjfS zN!ZPrrVe^@qOoBO!;T(7V{e*O4pVX!N|vU8UyPKK1+!y8Gf89D`IV9!_6?OkCdR) z1pd|tuhYE%I4FV_ZNid)1O;6p;=wOJr>`DX4(YNxbyJ^8>|#YKuat}E<`>?Oy?FfG z?1Fe03}7`^y)sA~gip})#T>2!Ra~#;3IBz_?a%#rTn@R->dRg?w{qW@>J2jQ}jIl z;I~wYYl}yz%;|j^(}i6J2-+MVdIjyF&?=Sc-eytJv~-t`MkMmZgxa)6ruVN?ohSI0 zIoLtPtVK|y^k%8ykmKXTz$M`=c)fv@#ka|yb4b}sco~_MHgo@Y)h(>{9hrC(qg}wvaF6-&xl(*HTowW<*N#`P4(->6-xY zEhZ(KOO)mNclfjffw%x>0Wb9U;MCd-bp6$aME|*wNu^$zXORMrL2DfSw&e!l+x3=j z4NVt*HXY~&T$2MX&^qft(eU)bX`aywkVNVAd$l{i3}hv26%}E(%V3kH`!Adpp+KVt zW|ag;SsJ4JbxrAREc$I%+W{1>Uuo%Z2@}fY)a_>ml1>z)p%3tMiE8PWn&h- z=^LSF$@{oT>-%&@h&=ysWcMFH@gIDc5gOu$vgVjWVFCRpI8`F70?0EnQoFdmKwUD} z2Hhde3g@Cmi2JG0wRK%tus-{AgSV9F+fNsaZm#DcxaO}v5odQF?aDK8kVK0=edDV1 z`*`P|4S7^4Gab&HvwFe{Kg(F0ug*q3MI$XHzgb45kxS!u{{&X>g64E~3%et)k=(+) zgzvbv8A^rWfpK?y0F57uO8s@|<3bChIYq~e0_wEBWTwna3Gs;PDc=;3F_cOd5LS&c zGf{db0fA*iGKO7f$qMOVT~Zg3*-c zPPRV$1+b5cD8|DF@IHhfX&JpB0WMUsc`l&K#5l8>4?ob-gGcFR53&qkI5ix7LiEn| zz`fYXmUTM=o>pe+J4NyR(T;>K*Q|WA9$RU3{O-$=A7uvNZeJG6go?5nTgR$EBSyl_ zfMTsRjU2sSbA1qd`EKxbdpG(MW7DnNIA;>A^3)W;*>a=qi<1SnbHX=Zm9Z?PCgAKp zg`E@93s-usxvI-{x4M3#_g6jJ#QnV&X-I$=s~Kl&Q7*kJ)mp?A{7#Ezi2P>< zWf8jev|Bty3~DK9> zMa8uG=UHf%*?_itBc{%mX`N2^)E=D@PI&k=N={}q6@7)q@P%sf^*f%+Pv5GaqR@8m z^lJ5`&6hk{^w*Y~P$*}|(hwljEbw$7N@R!SpoE9H9)q?S<2U$Bs3D<6A=$>yPY9{x z?lmO*5-)%zE048K_F31K6VS)S$(2d3!;VL`UJ-{Vo1Ad_R$6eRq-6(T<|Iu_E@O}Z z{#?EAonp=9LO)UDE+xK;L-3~oAshcuy7z~IjFCyb(eDH#JseO{brGD-eliwVyg*%M&Op($IQ{+2azY{LCO(vU?S@c_sNZojnqS_M1uDA|__6(`N8+P_DHRG3tPj%?ZHO7J%Y;& z{q9ZfO_O9-d0JBtlFJTECqA#sFFY4|ZW34(?o#!V|>u1IKak~zJ!H5#actisiZo9yw zfNHgi_L1>4u`HUwIhO!hoNbz>1mj6(Q74!hHxkE-y~#>`xGbx^P$jD{jv}J1u;?b7JGFDSsJI^D)xc2;DQ(Of#6U|?IY`&N zFQXn=11iStn0>0-Q{WqI_YHwp@#3?)FgdhrDFE7~`F=hE?m)e&>GhFpIt5N-jcDys z%rerwb~J$xNUn|{;S-x5*{EB3@N!N+W4YTX)Np|cDNtfJ;0i?^dXcklYRo1HEu2#} z56Os8@otU>t_3CZY5{C|oZPkTlb(bOvo9`CP3;fZ1E|t!GE&K{xW~DmJhrVs zdS@_y&wcH16V%r69hi$qI@0LNO(1lZ3I%8PKmytd!J+)Liol#n$(4J4zqENuwQdik z0SZGh-)A?{B_qq?u||_b&@GI-4QlpGB3f6@w#DD`_!l2GY=QXgRrDi-%~9^XWW!5W z|JL1XuBFz;Pb`4L_Ht{72UQCa0iyNe@RKG`cuwf=Ze z_8zE1Cb|XN+DTai+r1OYQ>`~7{jvTW`yo%hF4yddRS-v#+c&o4Q-z|}1r?A#Y6()M z=XfIZ_QyP?tEneX>oet5pzEMz;Cv}-Bb{DgE=sIlTvu0oa=Edr$Do+X*3GnMgL-IL{48iC=M?WElnJN2h#QW+2$KlerJ zlLPU374&22fPX!`o_%Jd(*3-#o|uCXV>huUvR1aIEwmk7!13;^-72j5sVt7KYWDe$ zwRZ2pZYQTELfi1B&Bm6)4>1zB4iS>xvQ@M9h-uejDc>D%FK5TH?YAoqBXrUvN2%A*+smplubk+Gv5U$ z9hRaf{17&S!zB)A4P|3^PXz-#a-`XLjv5!WUR(Vvxvhl9mx7oqq>Ajl6G4>ckp??n zjnRbL^puRIfos=}le=F2XA1G%b1(@EiewkDaQO*f|IFhbd>Csa5>O(`E0EXvl5CD7 zlN;5exRsvpc;tQvS=c+Y7sKrAL23=XL`_#%tJ=z2SFH+1BCY>Gs~;Z0AfdIV<4{1T z>T^LKR0ebkH1=^OoD=|Ykzm@(;nR()4oUF24(JpS=?DE~WXt5xNvtGvHQ^1?f^^#} zj-k-ia?uhdqpn7N)cYAm**4@d8yDnOmtt(ZCr8hGJ&0uG_MtyU@+1)^*3%gj~ z`HxCIxUkE&$;8Ka+gIf8M7Q_48YBls3SkhDQjDR<=spB^{^ZS4)EEM41KLTxm%5%> z{NPUdx&~x^*RKSg3lblrXN;m;G{q>7`^%KE=S;fT1DQLla($gAY$e&GMn1JyG84+K zSsHR-Z@D(**s9LfVl=u%|GQ|S=`0gkP@MPBaVulmBf%9rgz(lv*XF$1(*>jDE7rYQ z(NfrnPE};>NmiZ8=qVJ7Js=HXazKv`XGm-Y9!lI21Z#;xsy6%WSgfQfUfIW3%iV#2 zd}YAY!qjIL3+vHqKVos~N;5>g6$JOXIF`(*T&Itp;H5%VlTG7`HnsKcIX-FAH>p~M zt(4srsCVOSQW7-T9#kSNTZ)cqTHR!57U{fH9=xqyFVdym#VzEc$BMiTA z@E&22Y#E3Xzh7R8#jQgSw6wn+^w>c3(rKvLzUAIEAlUxj=JEaiKmT8T{+`FbbUAfO zB%tXbv0Ou)24Uux23i_wjS3)QIJ4HEb3-b5l>=##62I}-nY(+6G^HbGzeC>@d&mjt z1w`v8biPYiTk|EAjJy`3H%=P?5R2I`cq5o796^C~?xhtL!{Znl3Y%`+T;4;O{0d>y z%G`kou}ki;rN-$H2s0GJ0yN5qVLQee&P&i4JMUWnn8$YbdwU(q8%W^DObSQ?!q>>+ z>U4bK`OV>C_7_d(qsG=go~Q$%m=B)+ec_5jcfv5X90^^@XMKxYOe2Hh^0Q+VKnlzs zXyRO01Mk^9-c+Y3x`t1aH9;Csap1UW!nj2b@9w?j+(+^locIg#tBddATbk#Ip%?Ra zOFx&c2wKR*@+Oqs?K+cA+yZKGHCKcgpaayYv2*6}8aUg_z!9u5gORf`Z`xZ1U|~4{ z*8arc8`Uky;oOsip9J}Y<~5Vh^VuCz7Y+ppM3UBQL!GqTw;JSutbA0X6&PWTaNQ<< zm{9H}S2gKYoDTtcU9Cq!PdW>Guo1t}x^yM5-PnwMIg_+olba~hec+pR3*}R3%{m>b zroYX4yvKa*SCHHhA~neAwK{m~k-Aa>TBsLP4W>`1O=W?7QjZQY85f8qN==!Gcro`OxFsDB5N6dtHu{e|{;A7R z`6GTSDB^m3ZU$?`wrZnCKoP%S%95Ex|30~M{v;Gw=l&rwBy9Ee*peod=)iZNhvgj4 z&L1ANn6!`F+YPL+%xfHNQf|`h6QHmzVQ%|zoH6AVJt>4$@!Piy;~KK6t$8uv>u0$- z9So?omlgJpQi5wqC!#``4djh1Nlk++!81(kk%(EK2exB(e8KvZPdr0{l)`Plg|4VW z9R?<~fE5ia<}^j(%&~@ZojteW^H_U%Xxs^U3U48l!QWgoUmxW>L8k~msS{mvS{Zy{ zFQ+{08KuY*=45@!18!cRMc-fGtxPv1iq1#cG?$PLqWK|LiR_zBMempVCDuo+v$ZHj zk1X?ySenna15~8A-KEo1%upoML*q#keU&foeuy`8xrl{W7+pm+qP{nfgws>y1dy#c z?_#{1;q%mBgZq8rxD_@RefGmI2Hb! zzL@>aXFQ|cM$N_p|4@vuN;sXTSyDp;r8Q2i2oY#l@SVVl@jL&eD~juyu~@6J1p{5_9< z>2i=&i0|ONdhh5FY5v1O+m+s>9%BoZ9pieobbwKCA8RA*MAmWzlg}vBvsqdcGdJfvm_Jc7?X8?-c6jaMQZjFag1t6t zaXLbd{g7ED4AAX{m#b7^Ag~f+3}{1q^n~}MExy26L>Kmv_35AOawTpm9ow8xj|(ES zXwHEqBCEwt^Kz)$uJxzals#TnqYTerFZ&0A{I5xO)c2ByASP$urLi0>fzU~ms54Gh z6cRn|T<%wP*P$;~lG~f0>l0IBDGB;6O^y|icg z7~aiS6A~rxM^Y&+B^d?Laywkk2m+2eFxyo2=HV~Pd_-TS9Ah7V`O0=i2S}eOu#bDA z@za#P%gPmcg_PV@K$1-{dr}%)gdurKSwPJr3C*sU`4ao*JXpWZNaoa^PE;9L^_|XH zH+(dtg%Re3U(i$V&_p4kxa#CIqtKcR$8QQ&>Ny!N^5P2OLp$cEzqBm8N(ci?QW>!# zZn&8>Up}q2$pNp)@QLtllvN`j55YO_a}e+y(#CZRvY8fCC;kS-npJ0gWr*st{$>5) zdLBr^ybl}!F{wF~qf^@)=DRxRhBRsA#b|_e%7}N3k{&E`Q)d=|YwC=I!*_E!sdQ<@ z>~FhS^f`$Ms_V6_2jY**&uczheR5agCplin%I5pZmKa4{+3*7ggX##^5z?*xSO>|e;Iwatq)>B_6+*cGN?BcJgv_wH zWw7ZVVGwn#U8B7>@@gc}1>hTAO{ORmmvY?8miu*%_8_ZyaqBVy{#3tIb z_SCnkCvo^J>ezGRp{}*2CX3e+)D_&{9!i2Bp3K^%4>^H>$_A3|=WNoE1nFaQnOPb?19^joZ(>xBwdnR&Ui zOqpETCqkacjUn;LBwtWUyT>(LWdxS6Dj$ zuKjjz`dQVuAY=}3QowFJ>-hKS@h^OE#0?23@S;#0#7V|0M76dX22zS{lJZ0Pm-nEl zOZvU6=+Mmrf{4|^pc^v$Ht4pK93EXJaXkNdY+P?af6<%XBH09@XmLIzj5yklPFue; zc9`}~1o+AR3F@0aNAVt~f~;>B| ztD~;9S3rNHEmX)1SB9+Q{BfcPHI4oP48uL0x+SekK6zlGw}qzfubMe5>YJ!V(uqezlO@0VrslbA zG0_+8uJl#4a?;e*>}NI=D{=!YjsB~j1FPt0bu70MnZRb}{y z9S8KV!R>1g-hlJRCohBFIqn{iAsxTxG|CC}`#y*V&-9)kqNOV`2BKRM==B-|-A)*^ z?{J>RBo-9|7~P#$RNhuj7H-!D=1kK{>YpYf9ks1iu>Uw4wvIP}TpE_snqTAq{dvS6 zzVxhQ45mXIj9>8BqeU8AWjfXaB;M|z>%)a=w8G)>wlmzkhLSpU?=TGf9B>k`cj^5Q zR6JRUR&~n9^CC7|!kU7I5K%OLYnG}azpo^NJtYA$!#7a^qC1%+L=OJlS>@(XbpR3+ zd&xIVWc9=uz*Te$Ot!2^8Vh54hP~i|CBz?`y!f*{BHw#0yDZgBI+;_?i-CdM#b2;& zo1kpa+}Wb-8rpU8d4ztRO7LMYf9Y*6xwj3+VOe&T+2uV+&ZSG`}Oq4z4Xxe7oucbE2~&u-58L4)}$QH#fqE;M?N zLz-O40%3a_@k|^W`V!6JyyGc#dH(^)qx~95gzVrnim={jRH=4~o(T`tj0C#e2 zR`$*QB)xGs+sAh3*=E^2d6(=uT-790(wo|X z&9L)3*^_KDUKm#zKC*-6AuI`dC9`;X<&~@GK4ktS__0_x6=KX%du@^-%Nwb2w)a^w zkiC0u`m0C=ky@)n_NV2>{kTn~XUB=|@J!vjNK8{iSDXQnO#1A;-Wt(YE{@20p6(^A#=T$=YGJxI8xjGW8aLFCPt&OMndlH!_NMpc4_>+Z}81 zScxXP<<&D0&GSXRJ&^Tb#-DCM0HHFUS3Bp>W(vl0IDa9TfCvuB6*F55}aIlc;LiqO3yUC_& z@$7GKUuveqDsiFk7_;Ol+@F4eEIzw6np~E2_z%ap<{1wBHp4Qef{fC=yQr) zjOAo@75ipmW2{kqo;TpUgsmAY?DP4d%Otokg2d!Kw>g4AoGn`hU;kU-%%yFygnMn@>#S0oMumyrhZpV}n+U zolYUh4RW$SvZ}~*a9YpPtMFHb46YPai zMaz;2#mDfj4&%mf88?^(cbSt@#8`&KLod$!Olk2cT8LrVifVXKGR`4^njhDW zC2em?j$Jc#rnI^DW*cA#VZ(cx+GJH^rX&4^GvyaKAE+E{Q#cR#LzR2!?2QBUOuVjB z&z~j3mfvao=G`TP zH1>&*eHoH-Gq)GE|58bcA}b$PW`VdLB6eoc(Amc_>T%B5b)Wcnlz!`9Xw2QSVqvRd zv`Pime7E4`A9DnnsE(*>J{~&2`ABh^mg`-X+u{kNMp0Y5h~gDr|bX{VW0em z+^?Cm_At)5O)y5IE8L*dDrGSh;3wi>6lBm+vURQ;U{&HmFtUNoQqv ztmrPU=~OAiWaRH}8#s+A1qVM#+jz243=1Os#IcLkXH#5=sA?ekvC7{nI3GKdsFnc% z7}U!XjDyG{Y*CEttjRPbzcADTV9Y76QlG9Z4c(sa=~&OO80J3Dqgh;6tzA`OKo(v` zmGOOYo<`5C)esVSZRcVcxppW*5QCVk!@i|40b}POo;(fyK$w3Phx@BMj<|)u6f1|} zF8t(YxKpaff3@u;u#qi7G-w8FtOw~wG1;TNy*BbNFk?r6d)jn^sx;w0;fqjecP{>7E$gC+W%*I{IB?+s1o8AHx2u^mV%;m78I0; zRUIL-zucYy@)amNAw!Mwb@tI|G&s!1HNQzAqXDxujbFSJFzapYmjwX-DQKj(K1 z#KxQk2omCWeC+eZ`o-47E*Dky85{$9Kl2BZuPHAvPdST@gTl$cmm5zhE>oD)OluR> z@aSKsYn`5Hos>1@W(eSKs+JYoafxqd)XRJ}GT2Ty@dr|OrpTUNhYhu_UZ)O_lQ#pA zNaN@EZ9gW=liDuY^=TLcq;5p{b(f(%;7^kMln|EU$njl{LI0fLBrgV zep#O4f6dI@IeZ-v5U1JNEt&>$2SQnfAXswy5cc_*K68_#}7n!4+t zbN}H+E8!Um6q-L@x#$tC2Q=R}qcfaav2p^{O=7Khfe9m+$Or$jxAfMeFWr#9uhlG_ zgmj~@vTAC>tkYmCrtB4*^5N;Bh;?hUnYHJBM}?959^DXg;9TkD!%1Hj%M=3&g8#@=Nd^)cH>+p;nR+m(j#TYH)?6*4 zV|#_3n!-x}vidvT5`2_ld_xOGb)}`})QEF3opLWE=->1B7e4s8g9OwM-HCpeiK&ty z7)*RwtztooSY{W#On^6%OwdP^-F73F<8CcVtM%K`Tz14HZCIJkW5@v6#}UfTAGR3` zcxA`tO3M!6aoL)7c?(!j4C|F?9zkkhj6Q$00ra}Xl3un=`hDNs-hDelmST+R68f-ZGGB4BLo zVR_ZmE$Zj*pq1UQ_8QMqH0AYrry_l9S1{wf`M32G=+}^j zP5hdsSqqG%5&1851$V4wyRj4F=j%{)Dn{cI_CW*XybAWfnh=@CffF1H`BX$dx`Rwx z3~;im@K+Z=4XzoN&XGKqhNW!7^0MbL`r0*vkd}kDgQCaspddRAXQy0fTvxm$a+ z2-8r3DsarW%El6nM6}_Dc(=TevS9vxJdQ4~Fy? z`18>W^UZ2of%w?bwYCZP(&{G|lQXf;8QhQc&&diS=k@KLMT=DZk$RUnEpLFL$ zJjod^$s9gFZ>QvTP24PxJhqVRyq(+64?C8BRGZm==V0}Mt{b_WM*k+wp%(*9{b^et z+}D{NL#6;;$tp*Uv(+|+0wnCB@~mh_rI<(+X=YjkcqPeugH zj+vK|HFJ@r>p0})kWMR*TVX@Jl9BBqsp(wko0mgRr95AR^%vF~(!}sjVyb?JY$F%r zgtMD0n*lfeW-|RuB`ZmMRr8^buZmSVjV6g@1;6sXckc`1*y#8D#UFVihc_i@%{6hv zQ|%YPuB>?xMdxUU-hz}ZKa9n229itVW4$5GT6jSHg7|HK5-Qiu61gK#H<&zJi6~$R zU{_imqTDR#Xde=o6$5=ywD&x}>EIxEkDXCwij4!uJuifMp#MHST%Y0pT8sS`AN15h z{I*+N=6V^jS;m$q(aTxu!oV|TG&|Ap9!d20^?RxS+XH)9NiZ#x4O@zZ8 z@+5Yp4>xfQ660{18BY=DcvOlq4N*VpIDj7{Cn7@bILzp+iw=yKX=o0X`PZ~l#;zm+e6Z@Yxd0XdiG^+ghyF=XNos15;K z3O)KZ>}|2xU~wL89nj|%zGy8>4@4x<19x|B`;_IOnZ4@_B`c)@O1a}`Tf=7!rwe1R z19RL;pg26g4;Js~E3^`n!7Bq4S^P`xKp{*??ncV|`&81E=~2G>4TPnmuTlG%IGE+o zMCGUf!;(nz+65%*tGl3X;QXLw=4q_LL@eQI&tr!g>QTouo)FgT{S6%DKVUSf(~O?& z8=_07hrZDfKG!X&3-s@+WQ`Lvx{1Iqh@0lOs_zcsZDKu>s~1Bv`fQYsx`HG|ArHd< z$W<=i+HizUR%afxImkb&LJH&05B`vHyz~{}D#R%q_rDM=WHN$;;pPU%l%Ehsmpi4)whT=k1Cn)V_^Q~E+iy!r2^ z<@LPP5Knol7GI`B;x!$y^??h&@07(~-C0E?u^Wqq+T&I;8!<`d)5jhc7#e7c{1aFd zHa&={&W7M!`f6?qU-v?DK?lIWCbe{qp0ynHXM`SD2dxbNLpB0|wdw+|;Lv0CKTr%m!3P8_PR^=}{$+5Pa zQ@=sUiBHr12KypJSn%j~1IgiFn*qV}WbZJU03*@EJ)pI*fR%PkpE8xRg#x^z~U z%ag(5eUqF458}bvWjN#qbxT~#9a)1wNY{)>zGD+@e0OU%XJh*xqRh`iE*fh>0RpS`@^c9cWooTiX+h`reI_ zZC<&25vga#Y~{B)oBON-a#k~g%53LLoMrZ%;*YQGFjdrH3INovQ?LS^3G$MTK^zEP z*YhfO$CsKkyN-nxg8Vi=z5A;RX*a#@7-ZldhP62W2Zh`lUr~#eD?Dr(dMz8beid8! z^dE)Um64t+EIvzfxrXroM%-=_QqCEWErk-3ce!QOaITT@0D+6fcXbWJlW0W{GRc~K z=upzrak=UNEK8;zvUF#(_}2Iqy2_<1uL#i2l^zOOOrx(*ZXeKaiPcV0(G*ZXZ!494 z!9|*$xX(1osE>UMxhBiP+8IzCEZ}~L19-m7mq|6fwinP7wM>d(&kALBVqD_e3>V9dk4fEp&Yh}W6KmF_WbYzo{wX@lPhFCxSpkgj;N~aaS{A_&M z?_8VeDVK>c5}%l^@@6&cYx%$;ghIMF@^Q$+GZi1VcrZ-3FXjW-Z#bF}VHO!l%La^A zr)mHqM|Ua`U)m;s?_Zv_LGiSVJ;w__e*F^f>~^CdJJwGW6RbcM_|!%g^tA~~B2hYU zIp{$K6%aYGqx9@!mhFpoo+T`^vj&)cTGu&Z_&V{z%-nnA9pmFvbKbta0-rp8ADDAt~c`(Bwm;&BRsy2WSrZT+e z@&Tt$ziwdvGsd-lP ztFI&^=OcFmqWBD7G&m_;w<0v4?i1kK7R&o$KeA#s(xIS~A>K{=5Z&Ek{)C}PX0{&b zqSqw=Du~PZ1^E)9! zlF>|V-mq4H_9l^dWU(WQklS-bEUP-zu#77}J zG>}082TeHqE=_dEzb_>jp`wSzQh+XFy=`yf=yt#YhDBkd7^4-MtFBx~-$#N1ItE96 z6b2`)D>SfJGu&*OmU~S2(hL<72@2TCMWd@ZI{J$uti!QvOXq@b?F&rMQNZU(@Rwai z_lcwtFoWJTVj4l+LCH||hprinG~s%v0iP&=hG`1sv(ww$@3oxw?7x73ngz1Hbw6ra=za^j3{`^BV?Cw;*1p z&c2EWqdoOaQDq}|yRdDmZ%rVV-GKtzo>1i&23(}>YK!Hy7uzP_a;cPFd?-jZ0m>uX zy;_44`Cj6$2?@wQJ=rO(HH-&xR?%PS z6;98L2`0r(M(mS6$g|N6d4=#QbnfnAvB{)UaF@GeRmJFs`)1fyMF!;;xvpMA62W8{=n5661=}br5*_Wc{un|?(b~?$ zIf3h(-g4BsXaa6)6fS$CW`9nszH4G|r*2g~gx-b3z56v-YV_SWOIXFxjqXtG=Jjr%{Ujn(M<4^*0Sz8WU{!EK5;RRK!MIrK6*xFAynTK5tyTv7@Tu zXb%d%U`7;iuWY(b6C{(XOX`Bx0v%a%(>g4PL>=T@lh&J+cDfhoa?^5i!QNbieMK)maEVgXHn*mS3C4hS^3=Er1v^;9E!syrNncrWp z#i!W3#@0Ix-EexZY!wzEz+g?&SsNgtsOW3NXm18q-y5t-hufK8K!cF?I2@>Or0u$fnJ%h)vH(*3@ZUppk*PIldyXw^(dW*gA6 zCUX?w;%xwN6YLn)OZZT*0W(rbmoS`G1K^PHe$RU$)D2N}YLF*Am%R(*AgFZdWbeMy zi9$E_>?le>#<`gX6dJLIB^sWpmM}9qN?^n%r}SaXk{=W0ZX0U6m)!*FwV^~^feiH6 z{;KaK5iwphdm%v}=8m%A+XT6?x@o8bUBlp3o&4mE3s7OYUyrlMjE8~!Zb=@Ymx3^$Kg6KsHi1NRSEJz5Qy~QGEWt$dc+&78`&Q|g6~Lo83IIJ zB0&psIOFHGt6c2QIkNjzd@hP6FOK$Fkl25M!Qand^Joq)3dKeK5o? z3hP%l>GBx^KK{cdQRnnIqC^Ba5V;L3{QZrZEzv^Z0`(yYgRrLv8(Gh@^XQq}yik^$ zbadFRo1emerY_tTbSohA!bE% z%*+6&mwj3%aK@Ry4@Gn}FNzfpw#FjHk~O!f0+eVchsDjGkNO_rK<^k5anxg(N&F(E z)E(`L)vg!M9xA8;&&a=?z{4UWGBCAF11TQ*E=Ez9JvcCx_CBzuO;wf#`OMde6?^Q^ zcUj3=$J}o*xvJdTcw`v+Rs7LSCmnk=BVh5v$IUXwUB@>ECkUH=e6B7p&Tq9E^d4&u z2^2)M2%Dh$w?b%MRq+)g8o9GXWKX7oP@DlKb`BRxnPqoUN(A}=(cSN2&#OT3GlTqy^7`XDv(SUM8~aL zA9zggPMhPl8I0a(!0+w@O>*UXGCN%%3enZtt7+0Nk(#`Ar(=#u`MecQf6wDzHl=$M z;Em#(^s&+h8C!1_%hrKpqe}>Po7JY}1k)Ci_5s$k z6iU=cpNbG9=a(R^R1~G(EBx)46bqdBbT*U^28yB!8=pU?Rg^RTNT(x-A>BKmb_}vX zX=pE>;|Hq^9gLr1jLQBzYt!b>CrzH{V#oN-kzqTu2LFoJT#_#{&(uX%ckL6t0{+s9?A{t){f}-9B*N%t1%PS1Z zdIo2#abtL5^7*%G(DkPcp+N>}u6dUs4+IH8b@MY}p(ISFS9@Q%3t;Fh8PQ6IDRl?2 zTD&U&k;ow=cE23L0lZb|REBoizy9DNSZ#?2k1*Oz_9C30`MA=b@u{f?m__UFc_RjreWTjlQPKd<8L%cA(LnGqWRm{jgk0Ml}?08Af`GZTeZjc2chEm8qlD75*xdxJ7Im~JjhOYr{7FAqgY zLb{wK3f4L3;m;jESTclJ=9J<72>Y^^R{$X}qj*AM-k?1v60f~la@WVkp{vO;s=1ev zOx0Wyy%Zcp)whIPw48P0)P~Z>1Iu)V(9Yt_Ra+_fNouzHCW2nTrqp8wP`huD=}&0? z(90Mle|}29sdw4%#ZI`o)iB(vm);9($NWg#{}Emr_2H z?Q$F7>?Cbbe8Z-8Q!W{J*zm@;7b^~Tw)@WnK-hG=xgb;@1MIXF} zaA}tTu;Hh{A#EHOR-fc-o4ck~$g;lWv&W8a-c@cf(5V(4q{Q2~EKv2w81Wq-ZK5PT zcJQM8Bw++7$vGZn@ZR)RB`Ac1Fn)b{V`G&#hAhbrkYKrTxHVUG%SE8v z?$5*j$>V>uDf5w#fSUPnsvUHm5>nAHN?W$I(dVIKnQwkH`JO+EEa={CdJVDmxDvDB zDrYd2hdP#zmDxD(-gujR0SS$NB*IeCHM7#A7;J{;6wBvzf?E(frHnx$WT$VsbsLNV zoyEt`zkdlaPc32JDdef3`n7;-$a^MCEX+NkZpWzzvM{S&rCDJ^2Inut>4=mlhH5qj zDQ_R5C;OdpmWU^HGnjLj-N7Khs7Ss_r|o>|)D9W+KG?Zy(e$-=Nq9;zL*o)TfJTFP z)B5YdDhu!F4cPG&j7|UqND0+P+du;qZZ*?#( zJss2gyzk%h_%&?%*Yx01mw3XSt7Tgg{n`J+=78>5-E+#9l4Nd-T0VSnlFoy zgUN0aBad@=sVo~@4SQB<-dd(oE%zNm6nqc$($|e2V1Pd7zJs*Evsz&!F-=W=B%TbX zJ`F+^8e>EXJINjdU_V8+(cE0Qu0uZ09X~q{MVHtesGjbb-=yL3GRzT5=B1wx&-W#f z3e@1AJBldz+pku0z?TvYh$Mh|Jv`+llpRV0Q6&EYVC2n z_Vthw)_{f_BP%AzLO`OYLkLq>*`Wie_B(7{UARhs1V!~zB3WwtPLLf_fuQxRM2O!I zWHWxKm)#b|DDWz5oh7sRe$^t@NcOw<4+*4CJ1AnDG(%ZirU|K0H!}Ma`vH*Ek%EV5 z*DVt<29K*+mUAKw1{dV-{YwK(kTH$#L>|~LKi`hvt{l;DVzk;YuwDL$7*`pR?ur*p zIUXH*>HF`FTnK9TFl=!iMdc!In7l(l2OvCsJj(YBq7_ccg~WESd9<3hEc~iH0Y6(+ z0WDG7*wUydM@03|vH#hc{-w)7fP=^?!~D5%s6E<*4t1g3;pHDMp(5s~P2vfM5f60Y^c|Hnsg_x!?3x>g3M%mX<4{ zvT*Tk6#4_Fi_rj~nHr{{Cf!RsfA#0|6d*5wXv}D*@$jk)kc}!M`y!--uXmXnhD(2q zoK|#|eGZ*@{*wAo4k0_$S%D3wo;jV^9mb z1Z~pl(-tn-?426LnhLflpZ;k$TFPq5r}tSf^DlD^oiSvKYapU6YT z^$Ow1*`yK&hZoaPc)L&%H25v>8>;p6s&31jwm)$b-oV=IUC1W(6%ImPbGChy7JP7h z@0#PQIF{0e30dur&CC3J{2#cU>ym2Ke!kcXuPZ_O`);xpdbjyYNKy}{fCumiXkx}I zcnuqLz$~Z9)5apMEhKw68xsUdl|R7{=C={9UsD5tE2c^_X418Tt6_ZWjY|i{8hE@5 z>3Vw!2A~!#rDwUVKPq-iWT2SwO+Tw~F582T{bzdouQuf*KN3)$I986b*p=HA+*vn( z-DW0?!rXb>PhIY3kp-^c0V9H~rxd}K)(QHul_6>dqG#o{IYUd;QR<|}V%(?MWM5E= z3zBG{pzFBAz1>TjhjaBV;(}I5e@wOFB(RzSxA3JGRyJM$s!NmW4$xp)wyEf|+tc`v z7F!r_){wNBliBIl2lGe%iwNt+eJq)ugGEEro@8cT-6cRUMPhjD+8ZtVr{iFuR3)>p z*%;h34|-bAMpUo^{{Wrk&@HMA5)8djqdQyt;I;hsf$%I-L39W4YlxDBesO^FMrZ?Z$Q;F{Aibwm)6%BMX=QgF9C=yTG*L#pKfTOEWC6C1P^OZ z+7-@T=2V7rQ{yus)uv4Yd;U5R>5`Iy+S_{qxAI%S%4ToI`%N#R7I`APd94bK%vLOM zpsgRr64I@@iL13us?9Qf8Xxe!nh1zU1Dk3&qWA4R34&RYdKcgoDa{6c}xI_jm*QpF(m3@1J`g+O+w@MS850>YmeI8r zQy@|j&NtZ_w}0HnRA=aKu(a2Lb}FCPbtKghMH69;qhe`vKN87SYgp5l(UeI++yP2^ z{hS8=%@tq0%rVJFNIr_pkBpk7{`d7I;qrtL1#sxlrA1^DYC>0M*w4#p^64Bk`LE6D z6}$=LsatnV*yCAPUVJjEG>?xMmohN#P0-;~%0z9U>4hID9-VIRL8V&=1&308iXr11 z_7M`xGgS0}n{l)#55hW^Um5h^6)_H&dfew=K&&)>4VVAhru>H%gxZYw0bNhaKfX|3 z!{L5jg);Mj>>ik39d|bw%i1P}aizxKetd6hvPm+xyE#kzmh>maFdQm&hgXfB&wDL-j!&wHUSWB8`erpmFV~7 zsnlGkMRepK25XFgIk*+2rK4^A=EAAP9*w{b)j;=$o)^H>F*JmN>4zPe?lLXdlkov& zpb1J59eaDK3vJFf0&oGrlXz0NvJi8l60LAv^)ENhbQ*gyYS2kxdBW#W8{u%Eby^!C z>GSyf2c=A}_8-~G(8N5T9 zh~sRxj{c~Z%tBAj3Ua#ro`pAe6HHZ2k)n4z_S?CbsH4bo0^*(5Nv~B$kSPYk%bNdJ zduJIF2iN8C8Qh&IQ`}vOy9{1npt!phXiJM0cPq5GODQtA6dRzpyHf^hf#R+M6xej1 z=gGU9yqnE_->)}0Uv7Tq{7!Ci^Zz9k#+Gs?(a3}`B6jd?SZC=0^C3#G$o=ZlN7CNa zN*ZK5RUfMv>rtbId! zfY&hY?|`q=)_>vgZ^H+ZiwN(@wDf)Y$celOdSuF{fZnq{GH6U3OP^vN6z(4)FQ7Mg z3T?fJRNyeR@;I~6tybhLKQsDWRK|hPq!f7scjF!xBmjut`?+4SC?a8JoI#-sPAxm_ zG_EqXX4`Wkt@A9BMARKD09xUqWhO|^IW3MTrFZf5PncU3y2_jM5K#SjW)!0|(aWSe z1k?F}uWIfcxyfT>wkHbqz*SrP@nHi8YDsH}Tr|;Vf54h6M0zo=n(0f)57z0lclyNc z!as1X35n^9-!~NW50ch~A%lX%GZ@upPoo`=baAW6pTFpmm4FI^`H9HQgL(8xe>-Oe>`;B99 zNi)Q75rJqNN^DksO?;yqwB-gXA`MF|41{`gz&Z zH57&!{LVZ~ITF;kIAzI*Rc@?K%Vem~Ke5YQdI~nb^LKY=n# zKD%wm_b8jt$!8_FJK+MYOW7Mw|HS*vXWX@pB%$E%BJ?%Kdoeb_$d)GGtaVecxq&En zVlj!>vF1iMwa`UzmAh#`gtl?7OKti>XEGHB*Vw3B%l#o4y`0A+ri@AQl8rmUXT@0G z`D>b_x0U6ax4bC>{5C;TIx!gVuCVtZCiX#uw)sX9Y^mm*pEIdmzCL^Zk>aPKeR5yS z2WNDj*U%pE?>!&HO9td$4!Ge~=R_o#K!w8Ag*nVB6*zanJ=+=39Gsi30;?!Gl(h3l zG4w`Y2?EWlR7nIS64+J-(=kr;=ms{DA~92#6gd5CJV#q% zuku2VRLo)hA|&i9j!-6PR70|4RQ$q*Z=+Qn8>UqG(Q`ZjaGN1DbFDJm__r3#k}EB~ zLanPCN1??Fy*$xutlb)xc1$2R2fx-6sUeKWrS^kdoyFhNO^)L1k^!p6tFPy`6W^k7 zk0fKIfEWk>MxzX(Q2QP8nTMo|Gkc5EW{ zBSUy<#0$4hGdeWzU;k27sJD3jycOh_mtB1#ZH7Ek!2(3sN8L@h_%uSUqr+#Nq0MqG zX9$Q3m5f3@kr+mo^Ih1y&?;n@|9m)|Nq9&Y#CB<{noUue z?}K!~)o0`n7E}wKIqcB+5#9!b(MiiUe3IEL)@1$Ntk3PYU3CW+Z*U`{y)=$7omdwQ zom(yK6kEX7>O$R48f3Ko;atgyd4U|lmTIV%`clvJ1>9KNZ$3l%z#Z>d+qIUJ;Oqpf zD`c4}LJ+-IW+krrizZM5`y)+3I*D~#Gy!oaX=ryZ9$oMf8d1dqAXd8BIdU?wg@D`s zpp`wR7AkN%OXCr9{zNZNI#b+;N_0-n$<QrM3r$5hhV~_7N7E7h zEgE*1hYKqtSq$~PG5S*RkUJJ#6aRg!v3<9=m6dWREA4O16PD}c;|cSsMz!RorjJ9O zMWn2zTH*}fyKn7liFvl#COde0Cc{dpr<$aM<$Z?M)>cM0YdJ=m;9Q zdY{eRyVv0^Lr$J9f%q7o^Kn|aq4ll9u$;Qxyuvy>FALMS9p1b3U1# z%a06htYl|!ZVEITvL~_X=^i_~k)p``T?|Q@2pIB@2FYUcLrlY`(+sXDHi+|5Hp$UM zG10`Kuf}DDEZz5=LxPAVmQ-CsI9v^Pna6dU*S zWPc1FS+6GC>)0`lh1zrn22f?Sq;brgR^i2A6k6q#5hSt&c-=Pd1=0OVPow1HyGYi(=Av&ou*|u)vNMyFJFD&$uEEs3UuK2qY>mX-d8$ zR!D)*h$JIk$8GsFxydGh8Z<22o6q|xM`ty61G^Lg+c;feP6o0x;ptTwODXnpzYiv} zza^Yczi|iFb9fi25)qP0&H8XwAbu9f<|TD<(#Q09)haZ%(pypa9*(21`W>KPVaD2T z3+)c~TLG>j6%A@IZ8U9NQKYQ(?SNeG22Lzer5NlRSmIK6`+N~Fm&Agb8Nn-#72rLg`I1+MseeF$~*d9 zb>$QuVU&D`hJD{y*v#XEb)+|AP!47l5_Zkitnm4wGMk!^!e$mJGc^-l^?&908vXLe zJV`TBg;+rdj*Ii;#$Z`fzKOBmqHYssrx9s(VilRA5s(jup+V@hj_lCbrPjLLgsuXI%z_|RXL0+#+4 zOF5xX;{9c*KPvjiQr=8>bd`Iy-uw5|A?@woC{x3Ju-<@P{90@W^;sx?=%qJKoKI)K z)+bH*SUQ?Fr!i<&Nzq$|?p*#pBQjwOB9S0?F59?HY5gU;p$jHCN}crhb@u9oTGa%Uy-laj`DlopWr?&P>c#nNyS8tje%^9F}GKBox4>jSe9Tkq4B5b;N3YTFaiGgM={$d%S z?H^zpRV`^}|`TqlsK zGD+t0sTvZ&>SPtn>HLGSPkLh+Uv&eumYp5$CE6u>h|P5}FX9b_p0^OzaSz#gi{8qc z;;t?IYX6SWx*l&m8c7wb#$_nnkxrZ}*RGy*lEquh6Tx`y5L&Kmk^hHXV;|XFAQqrz z(VN6DX&mwHCFL;rD_wAtq637s#R-DT8O8o8DQ!rMA-}jK#rSnQN-#z_l=zlWedMW3 zIk`LDi_a@i!9&1@uP3i_nI!D%Hojhba|FgIR18VMa=-g3ZGt^6S{09SvzCE-eF zcP56rybV$e$AIu}w9PF@ckiJ_9Nx7#r%ZnuAWgd?{qIqbVrx};T9d`&u#t7Ry3_s7;)MmE2GOG#-8Gn&oWsiT zv_#&0r&5VLb;z{)tMpG3{Bt7gjQPM8z@>wNmc4qTqas1tnsuLl-`D0z#R@4yX{T4q ztZnBk((r;L79fAaUe^^F1Ql%TNB1o7rYLRt)P)<(9}UR~nO%wYDrpM|22izU6+)}w zl&O7>N9$-Om@4*3ZbmD%9;bQLT8HpovCNJW05!zM*( zGvuKML$6Jn;@&mkWm-Oi4?iu?lhf}mCewedhWcwf*Yp5590wyZK?lwKV2vUyV3qaB zoPipUi+?+02CfNBiNhuLfxO~@xqjB%nMf;2X5by?crlKqVZx06cAeyxV*_qE6sc6% zvnuVwGE(qLeY=*QlEGRj?(jP~9$k1_?^49b6)Bil=g2JkST~hMSZq>wENva~k&Yl{ z`jE)_kSfu&|4}y6NtyLWEFnHhqwAM73a0PHo8Im?MX)xnE_2_Q^IAPAqtaQ6LCa&# zYkD_oP$IVD3{Jv!PCCa7-|f!{-NQ%*ZS=aav*~i~r5n2QYA^~X^U_mYsthuTT9?_F zvgo;Q`l!8xwF2#7cbz;+TBg>^XRq`IJHwyes$zH&X+6!MN1x=dENhO^OVBs2+X$5~ zUnADmc-y+vcry|FmJ^z5oGuz2Ut&8DA)w^l+)5!{+0E52L@zL(d)xL4t?HUjxn^w0 zfFB;y^V>u3CyvL?_p@p60BY43rfWB59sbsG^ocVub;pU++TGc-xyQOLYvTBhfl1q( zr|Q%@_Q+XXr_?v7qg#W(89R*q)7@~G;I$*I`1@Rx8c^ta+nu?(TFaI~kiNnUFDZB` z&IyUvLrPv8}#4?!z8zkK6_#r_ABRJQzPkl%FX0$`MJ%)kiNSe&L{;4vnLyXJn(JN*>87<8y^q+L1m!n7ZU zb6N@bQl25KLU8Mc<=)ojQ>mhP)nb~a-ndeJ%9>_$*CCU+?I5LbaQnnuH;OMD3eT27 z$9rwH^eA5;`X=81@L5s(u+Z>~Xyyq7vVtaz8>*()x@08$EX3vZh*ntiCEsx(UKe!_ zDh(-hc(-_3>Mj=cE_IlkWWD;?qoP%9*meDV=tb260XQdpqJTYjGOYlMmR*v4Ep=Hj rLf(OypdZ`Nw|k#w7~l`fbx}vqq~JNVEg^57Ab-}WQ&%{Q^SJ#7)4!2= diff --git a/sources b/sources index 322ad17..b005a4a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 -SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c +SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 5aacc8cd4f40d1c658b9091106a975dd25403720 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 4 Sep 2020 13:13:24 +0200 Subject: [PATCH 035/152] Port Gnulib test fixes from upstream --- gnutls-3.6.15-gnulib-perror-tests.patch | 46 +++++++++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 47 insertions(+) create mode 100644 gnutls-3.6.15-gnulib-perror-tests.patch diff --git a/gnutls-3.6.15-gnulib-perror-tests.patch b/gnutls-3.6.15-gnulib-perror-tests.patch new file mode 100644 index 0000000..5de2e14 --- /dev/null +++ b/gnutls-3.6.15-gnulib-perror-tests.patch @@ -0,0 +1,46 @@ +From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 27 Aug 2020 17:52:58 -0700 +Subject: [PATCH] perror, strerror_r: remove unportable tests + +Problem reported by Florian Weimer in: +https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html +* tests/test-perror2.c (main): +* tests/test-strerror_r.c (main): Omit unportable tests. +--- + ChangeLog | 8 ++++++++ + tests/test-perror2.c | 3 --- + tests/test-strerror_r.c | 3 --- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c +index 1d14eda7b..c6214dd25 100644 +--- a/gl/tests/test-perror2.c ++++ b/gl/tests/test-perror2.c +@@ -79,9 +79,6 @@ main (void) + errno = -5; + perror (""); + ASSERT (!ferror (stderr)); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c +index b11d6fd9f..c1dbcf837 100644 +--- a/gl/tests/test-strerror_r.c ++++ b/gl/tests/test-strerror_r.c +@@ -165,9 +165,6 @@ main (void) + + strerror_r (EACCES, buf, sizeof buf); + strerror_r (-5, buf, sizeof buf); +- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); +- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); +- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); + ASSERT (STREQ (msg4, str4)); + + free (str1); +-- +2.26.2 + diff --git a/gnutls.spec b/gnutls.spec index 5280aa8..dddb863 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,6 +3,7 @@ Version: 3.6.15 Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch +Patch3: gnutls-3.6.15-gnulib-perror-tests.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile From 6b130b528abcdb4eed61a78ca9e9d7f8dc89d0ec Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Mon, 28 Sep 2020 14:57:30 -0600 Subject: [PATCH 036/152] - Re-enable LTO now that upstream GCC bugs have been fixed --- gnutls.spec | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index dd1ba97..3b871c0 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.15 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.15-gnulib-perror-tests.patch @@ -156,11 +156,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio # via the crypto policies %build -# gnulib has bogus floating point tests which are compromised by -# LTO affecting ppc64le builds -%ifarch ppc64le -%define _lto_cflags %{nil} -%endif CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS @@ -285,6 +280,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon Sep 28 2020 Jeff Law - 3.6.14-8 +- Re-enable LTO now that upstream GCC bugs have been fixed + * Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 - Update to upstream 3.6.15 release From 0eb271a9f50934ccfe291006f4150e982adc2bff Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Tue, 5 Jan 2021 05:13:32 +0000 Subject: [PATCH 037/152] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- gnutls.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/gnutls.spec b/gnutls.spec index 3b871c0..f8e76fb 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -45,6 +45,7 @@ BuildRequires: unbound-devel unbound-libs %if %{with guile} BuildRequires: guile22-devel %endif +BuildRequires: make URL: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig From 2a8763ec3a805e299d7bdb339c378d0e81f1429b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 08:54:44 +0000 Subject: [PATCH 038/152] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- gnutls.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index f8e76fb..87a2dec 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.6.15 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.15-gnulib-perror-tests.patch @@ -281,6 +281,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 3.6.15-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Mon Sep 28 2020 Jeff Law - 3.6.14-8 - Re-enable LTO now that upstream GCC bugs have been fixed From 868ffea2e19e55a308644414f8690108b296369f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 26 Jan 2021 11:26:20 +0100 Subject: [PATCH 039/152] Fix broken tests on rawhide (#1908110) --- gnutls-3.6.15-test-fixes.patch | 173 +++++++++++++++++++++++++++++++++ gnutls.spec | 9 +- 2 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 gnutls-3.6.15-test-fixes.patch diff --git a/gnutls-3.6.15-test-fixes.patch b/gnutls-3.6.15-test-fixes.patch new file mode 100644 index 0000000..7bf84c5 --- /dev/null +++ b/gnutls-3.6.15-test-fixes.patch @@ -0,0 +1,173 @@ +From c2e39386e5df376620264b820fde2994b12d035d Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 21 Dec 2020 09:36:47 -0500 +Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers + +Recent changes to trousers now require an ownership of root:tss for +the tcsd config file, older ones requires tss:tss. So, start tcsd +using trial and error with either one of these ownership configurations +until one works. + +Signed-off-by: Stefan Berger +--- + tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh +index c6e4bc42e..137552d62 100755 +--- a/tests/tpmtool_test.sh ++++ b/tests/tpmtool_test.sh +@@ -138,6 +138,7 @@ start_tcsd() + local tcsd_conf=$workdir/tcsd.conf + local tcsd_system_ps_file=$workdir/system_ps_file + local tcsd_pidfile=$workdir/tcsd.pid ++ local owner + + start_swtpm "$workdir" + [ $? -ne 0 ] && return 1 +@@ -146,20 +147,36 @@ start_tcsd() + port = $TCSD_LISTEN_PORT + system_ps_file = $tcsd_system_ps_file + _EOF_ ++ # older versions of trousers require tss:tss ownership of the ++ # config file, later ones root:tss ++ for owner in tss root; do ++ if [ "$owner" = "tss" ]; then ++ chmod 0600 $tcsd_conf ++ else ++ chmod 0640 $tcsd_conf ++ fi ++ chown $owner:tss $tcsd_conf + +- chown tss:tss $tcsd_conf +- chmod 0600 $tcsd_conf ++ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & ++ BASH_PID=$! + +- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & +- BASH_PID=$! ++ if wait_for_file $tcsd_pidfile 3; then ++ echo "Could not get TCSD's PID file" ++ return 1 ++ fi + +- if wait_for_file $tcsd_pidfile 3; then +- echo "Could not get TCSD's PID file" +- return 1 +- fi ++ sleep 0.5 ++ TCSD_PID=$(cat $tcsd_pidfile) ++ kill -0 "${TCSD_PID}" ++ if [ $? -ne 0 ]; then ++ # Try again with other owner ++ continue ++ fi ++ return 0 ++ done + +- TCSD_PID=$(cat $tcsd_pidfile) +- return 0 ++ echo "TCSD could not be started" ++ return 1 + } + + stop_tcsd() +-- +2.29.2 + + +From 40203390a48b8fa01d72c6a9739d963cf24556b8 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Dec 2020 16:16:53 +0100 +Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry + +The certificates stored in tests/testpkcs11-certs expired on +2020-12-13. To avoid verification failure due to that, use datefudge +to set custom date when calling gnutls-cli, gnutls-serv, and certtool. + +Based on the patch by Andreas Metzler: +https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 + +Signed-off-by: Daiki Ueno +--- + tests/scripts/common.sh | 5 +++++ + tests/testpkcs11.sh | 12 +++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh +index 6ae19fa58..69b5fd612 100644 +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -187,6 +187,11 @@ launch_bare_server() { + ${SERV} $* >${LOGFILE-/dev/null} & + } + ++launch_bare_server2() { ++ wait_for_free_port "$PORT" ++ "$@" >${LOGFILE-/dev/null} & ++} ++ + wait_server() { + local PID=$1 + trap "test -n \"${PID}\" && kill ${PID};exit 1" 1 15 2 +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +index 9458af238..3d74bfea6 100755 +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -67,6 +67,8 @@ have_ed25519=0 + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + ++TESTDATE=2020-12-01 ++ + . ${srcdir}/scripts/common.sh + + rm -f "${LOGFILE}" +@@ -79,6 +81,8 @@ exit_error () { + exit 1 + } + ++skip_if_no_datefudge ++ + # $1: token + # $2: PIN + # $3: filename +@@ -523,6 +527,7 @@ write_certificate_test () { + pubkey="$5" + + echo -n "* Generating client certificate... " ++ datefudge -s "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -900,7 +905,9 @@ use_certificate_test () { + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + eval "${GETPORT}" +- launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ ++ launch_bare_server2 datefudge -s "$TESTDATE" \ ++ $VALGRIND $SERV $DEBUG -p "$PORT" \ ++ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 + +@@ -908,13 +915,16 @@ use_certificate_test () { + wait_server ${PID} + + # connect to server using SC ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ +-- +2.29.2 + diff --git a/gnutls.spec b/gnutls.spec index 87a2dec..e2bf429 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,10 @@ # This spec file has been automatically updated Version: 3.6.15 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.6.15-gnulib-perror-tests.patch +Patch4: gnutls-3.6.15-test-fixes.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -281,10 +282,14 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jan 26 2021 Daiki Ueno - 3.6.15-4 +- Fix broken tests on rawhide (#1908110) +- Add BuildRequires: make (by Tom Stellard) + * Tue Jan 26 2021 Fedora Release Engineering - 3.6.15-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Mon Sep 28 2020 Jeff Law - 3.6.14-8 +* Mon Sep 28 2020 Jeff Law - 3.6.15-2 - Re-enable LTO now that upstream GCC bugs have been fixed * Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 From 07736fd8044bae2b15bc95b2ca051c91ac96d67c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 10 Feb 2021 14:16:17 +0100 Subject: [PATCH 040/152] Update to 3.7.0 upstream release --- .gitignore | 2 + gnutls-3.6.15-gnulib-perror-tests.patch | 46 ------------ gnutls-3.7.0-gost.patch | 12 ++++ ...xes.patch => gnutls-3.7.0-test-fixes.patch | 72 ++++++++++++------- gnutls.spec | 14 ++-- sources | 4 +- 6 files changed, 73 insertions(+), 77 deletions(-) delete mode 100644 gnutls-3.6.15-gnulib-perror-tests.patch create mode 100644 gnutls-3.7.0-gost.patch rename gnutls-3.6.15-test-fixes.patch => gnutls-3.7.0-test-fixes.patch (73%) diff --git a/.gitignore b/.gitignore index ea6a2e0..7137263 100644 --- a/.gitignore +++ b/.gitignore @@ -129,3 +129,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg /gnutls-3.6.15.tar.xz /gnutls-3.6.15.tar.xz.sig +/gnutls-3.7.0.tar.xz +/gnutls-3.7.0.tar.xz.sig diff --git a/gnutls-3.6.15-gnulib-perror-tests.patch b/gnutls-3.6.15-gnulib-perror-tests.patch deleted file mode 100644 index 5de2e14..0000000 --- a/gnutls-3.6.15-gnulib-perror-tests.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001 -From: Paul Eggert -Date: Thu, 27 Aug 2020 17:52:58 -0700 -Subject: [PATCH] perror, strerror_r: remove unportable tests - -Problem reported by Florian Weimer in: -https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html -* tests/test-perror2.c (main): -* tests/test-strerror_r.c (main): Omit unportable tests. ---- - ChangeLog | 8 ++++++++ - tests/test-perror2.c | 3 --- - tests/test-strerror_r.c | 3 --- - 3 files changed, 8 insertions(+), 6 deletions(-) - -diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c -index 1d14eda7b..c6214dd25 100644 ---- a/gl/tests/test-perror2.c -+++ b/gl/tests/test-perror2.c -@@ -79,9 +79,6 @@ main (void) - errno = -5; - perror (""); - ASSERT (!ferror (stderr)); -- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); -- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); -- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); - ASSERT (STREQ (msg4, str4)); - - free (str1); -diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c -index b11d6fd9f..c1dbcf837 100644 ---- a/gl/tests/test-strerror_r.c -+++ b/gl/tests/test-strerror_r.c -@@ -165,9 +165,6 @@ main (void) - - strerror_r (EACCES, buf, sizeof buf); - strerror_r (-5, buf, sizeof buf); -- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1)); -- ASSERT (msg2 == msg4 || STREQ (msg2, str2)); -- ASSERT (msg3 == msg4 || STREQ (msg3, str3)); - ASSERT (STREQ (msg4, str4)); - - free (str1); --- -2.26.2 - diff --git a/gnutls-3.7.0-gost.patch b/gnutls-3.7.0-gost.patch new file mode 100644 index 0000000..7cad9b5 --- /dev/null +++ b/gnutls-3.7.0-gost.patch @@ -0,0 +1,12 @@ +diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh +--- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100 ++++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100 +@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test " + kill ${PID} + wait + ++ cat $OUTFILE ++ + check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes" + check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes" + check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes" diff --git a/gnutls-3.6.15-test-fixes.patch b/gnutls-3.7.0-test-fixes.patch similarity index 73% rename from gnutls-3.6.15-test-fixes.patch rename to gnutls-3.7.0-test-fixes.patch index 7bf84c5..066feb4 100644 --- a/gnutls-3.6.15-test-fixes.patch +++ b/gnutls-3.7.0-test-fixes.patch @@ -1,4 +1,4 @@ -From c2e39386e5df376620264b820fde2994b12d035d Mon Sep 17 00:00:00 2001 +From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 21 Dec 2020 09:36:47 -0500 Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers @@ -14,7 +14,7 @@ Signed-off-by: Stefan Berger 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh -index c6e4bc42e..137552d62 100755 +index eba502612..77fe17e59 100755 --- a/tests/tpmtool_test.sh +++ b/tests/tpmtool_test.sh @@ -138,6 +138,7 @@ start_tcsd() @@ -76,7 +76,7 @@ index c6e4bc42e..137552d62 100755 2.29.2 -From 40203390a48b8fa01d72c6a9739d963cf24556b8 Mon Sep 17 00:00:00 2001 +From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 28 Dec 2020 16:16:53 +0100 Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry @@ -90,28 +90,11 @@ https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 Signed-off-by: Daiki Ueno --- - tests/scripts/common.sh | 5 +++++ - tests/testpkcs11.sh | 12 +++++++++++- - 2 files changed, 16 insertions(+), 1 deletion(-) + tests/testpkcs11.sh | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) -diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh -index 6ae19fa58..69b5fd612 100644 ---- a/tests/scripts/common.sh -+++ b/tests/scripts/common.sh -@@ -187,6 +187,11 @@ launch_bare_server() { - ${SERV} $* >${LOGFILE-/dev/null} & - } - -+launch_bare_server2() { -+ wait_for_free_port "$PORT" -+ "$@" >${LOGFILE-/dev/null} & -+} -+ - wait_server() { - local PID=$1 - trap "test -n \"${PID}\" && kill ${PID};exit 1" 1 15 2 diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh -index 9458af238..3d74bfea6 100755 +index 38b9585bc..09a627477 100755 --- a/tests/testpkcs11.sh +++ b/tests/testpkcs11.sh @@ -67,6 +67,8 @@ have_ed25519=0 @@ -144,8 +127,8 @@ index 9458af238..3d74bfea6 100755 echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " # start server eval "${GETPORT}" -- launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ -+ launch_bare_server2 datefudge -s "$TESTDATE" \ +- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ ++ launch_bare_server datefudge -s "$TESTDATE" \ + $VALGRIND $SERV $DEBUG -p "$PORT" \ + ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ --x509keyfile="$keyfile" --x509cafile="${cafile}" \ @@ -171,3 +154,42 @@ index 9458af238..3d74bfea6 100755 -- 2.29.2 +From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 9 Feb 2021 15:26:07 +0100 +Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority + settings + +When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many +places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging +system that runs the test in a restricted environment. Unsetting it +after a temporary use forces the remaining part of the test to use the +default system priority, which might not be the intention of the user. + +Signed-off-by: Daiki Ueno +--- + tests/gnutls-cli-debug.sh | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh +index a73910dea..3c3e2214e 100755 +--- a/tests/gnutls-cli-debug.sh ++++ b/tests/gnutls-cli-debug.sh +@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} + tls-disabled-cipher = CAMELLIA-128-CBC + tls-disabled-cipher = CAMELLIA-256-CBC + _EOF_ +-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + ++GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ + timeout 1800 datefudge "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + +-unset GNUTLS_SYSTEM_PRIORITY_FILE +- + kill ${PID} + wait + +-- +2.29.2 + diff --git a/gnutls.spec b/gnutls.spec index e2bf429..adba8c2 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,10 @@ # This spec file has been automatically updated -Version: 3.6.15 -Release: 4%{?dist} +Version: 3.7.0 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.15-gnulib-perror-tests.patch -Patch4: gnutls-3.6.15-test-fixes.patch +Patch3: gnutls-3.7.0-test-fixes.patch +Patch4: gnutls-3.7.0-gost.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -158,6 +158,8 @@ echo "SYSTEM=NORMAL" >> tests/system.prio # via the crypto policies %build +%define _lto_cflags %{nil} + CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS @@ -282,6 +284,10 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Mon Feb 8 2021 Daiki Ueno - 3.7.0-1 +- Update to upstream 3.7.0 release +- Temporarily disable LTO + * Tue Jan 26 2021 Daiki Ueno - 3.6.15-4 - Fix broken tests on rawhide (#1908110) - Add BuildRequires: make (by Tom Stellard) diff --git a/sources b/sources index b005a4a..da7e44a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c -SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68 +SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 +SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 25ae742c52349fc7767c2311cafdd93f9879606d Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 10 Feb 2021 16:42:27 +0100 Subject: [PATCH 041/152] Tolerate duplicate certs in the chain --- gnutls-3.7.0-duplicate-certs.patch | 403 +++++++++++++++++++++++++++++ gnutls.spec | 6 +- 2 files changed, 408 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.7.0-duplicate-certs.patch diff --git a/gnutls-3.7.0-duplicate-certs.patch b/gnutls-3.7.0-duplicate-certs.patch new file mode 100644 index 0000000..d86b855 --- /dev/null +++ b/gnutls-3.7.0-duplicate-certs.patch @@ -0,0 +1,403 @@ +From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Dec 2020 12:14:13 +0100 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate + certificates + +The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a +regression, where duplicate certificates in a certificate chain are no +longer ignored but treated as a non-contiguous segment and that +results in calling the issuer callback, or a verification failure. + +This adds a mechanism to record certificates already seen in the +chain, and skip them while still allow the caller to inject missing +certificates. + +Signed-off-by: Daiki Ueno +Co-authored-by: Andreas Metzler +--- + lib/x509/common.c | 8 ++ + lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ + tests/missingissuer.c | 2 + + tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- + 4 files changed, 245 insertions(+), 23 deletions(-) + +diff --git a/lib/x509/common.c b/lib/x509/common.c +index 3301aaad0..10c8db53c 100644 +--- a/lib/x509/common.c ++++ b/lib/x509/common.c +@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, + * increasing DEFAULT_MAX_VERIFY_DEPTH. + */ + for (i = 0; i < clist_size; i++) { ++ /* Self-signed certificate found in the chain; skip it ++ * as it should only appear in the trusted set. ++ */ ++ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { ++ _gnutls_cert_log("self-signed cert found", clist[i]); ++ continue; ++ } ++ + for (j = 1; j < clist_size; j++) { + if (i == j) + continue; +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 588e7ee0d..9a16e6b42 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { + + #define DEFAULT_SIZE 127 + ++struct cert_set_node_st { ++ gnutls_x509_crt_t *certs; ++ unsigned int size; ++}; ++ ++struct cert_set_st { ++ struct cert_set_node_st *node; ++ unsigned int size; ++}; ++ ++static int ++cert_set_init(struct cert_set_st *set, unsigned int size) ++{ ++ memset(set, 0, sizeof(*set)); ++ ++ set->size = size; ++ set->node = gnutls_calloc(size, sizeof(*set->node)); ++ if (!set->node) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ return 0; ++} ++ ++static void ++cert_set_deinit(struct cert_set_st *set) ++{ ++ size_t i; ++ ++ for (i = 0; i < set->size; i++) { ++ gnutls_free(set->node[i].certs); ++ } ++ ++ gnutls_free(set->node); ++} ++ ++static bool ++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash, i; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ for (i = 0; i < set->node[hash].size; i++) { ++ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++static int ++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ set->node[hash].certs = ++ gnutls_realloc_fast(set->node[hash].certs, ++ (set->node[hash].size + 1) * ++ sizeof(*set->node[hash].certs)); ++ if (!set->node[hash].certs) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ set->node[hash].certs[set->node[hash].size] = cert; ++ set->node[hash].size++; ++ ++ return 0; ++} ++ + /** + * gnutls_x509_trust_list_init: + * @list: A pointer to the type to be initialized +@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + unsigned have_set_name = 0; + unsigned saved_output; + gnutls_datum_t ip = {NULL, 0}; ++ struct cert_set_st cert_set = { NULL, 0 }; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); + cert_list = sorted; + ++ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); ++ if (ret < 0) { ++ return ret; ++ } ++ + for (i = 0; i < cert_list_size && +- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { +- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { +- unsigned int sorted_size; ++ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { ++ unsigned int sorted_size = 1; ++ unsigned int j; ++ gnutls_x509_crt_t issuer; + ++ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { + sorted_size = _gnutls_sort_clist(&cert_list[i], + cert_list_size - i); +- i += sorted_size - 1; + } + +- if (i == cert_list_size - 1) { +- gnutls_x509_crt_t issuer; +- +- /* If it is the last certificate and its issuer is +- * known, don't need to run issuer callback. */ +- if (_gnutls_trust_list_get_issuer(list, +- cert_list[i], +- &issuer, +- 0) == 0) { ++ /* Remove duplicates. Start with index 1, as the first element ++ * may be re-checked after issuer retrieval. */ ++ for (j = 1; j < sorted_size; j++) { ++ if (cert_set_contains(&cert_set, cert_list[i + j])) { ++ if (i + j < cert_list_size - 1) { ++ memmove(&cert_list[i + j], ++ &cert_list[i + j + 1], ++ sizeof(cert_list[i])); ++ } ++ cert_list_size--; + break; + } +- } else if (gnutls_x509_crt_check_issuer(cert_list[i], +- cert_list[i + 1])) { +- /* There is no gap between this and the next +- * certificate. */ ++ } ++ /* Found a duplicate, try again with the same index. */ ++ if (j < sorted_size) { ++ continue; ++ } ++ ++ /* Record the certificates seen. */ ++ for (j = 0; j < sorted_size; j++, i++) { ++ ret = cert_set_add(&cert_set, cert_list[i]); ++ if (ret < 0) { ++ goto cleanup; ++ } ++ } ++ ++ /* If the issuer of the certificate is known, no need ++ * for further processing. */ ++ if (_gnutls_trust_list_get_issuer(list, ++ cert_list[i - 1], ++ &issuer, ++ 0) == 0) { ++ cert_list_size = i; ++ break; ++ } ++ ++ /* If there is no gap between this and the next certificate, ++ * proceed with the next certificate. */ ++ if (i < cert_list_size && ++ gnutls_x509_crt_check_issuer(cert_list[i - 1], ++ cert_list[i])) { + continue; + } + + ret = retrieve_issuers(list, +- cert_list[i], ++ cert_list[i - 1], + &retrieved[retrieved_size], + DEFAULT_MAX_VERIFY_DEPTH - + MAX(retrieved_size, +@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + if (ret < 0) { + break; + } else if (ret > 0) { +- memmove(&cert_list[i + 1 + ret], +- &cert_list[i + 1], +- (cert_list_size - i - 1) * ++ assert((unsigned int)ret <= ++ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); ++ memmove(&cert_list[i + ret], ++ &cert_list[i], ++ (cert_list_size - i) * + sizeof(gnutls_x509_crt_t)); +- memcpy(&cert_list[i + 1], ++ memcpy(&cert_list[i], + &retrieved[retrieved_size], + ret * sizeof(gnutls_x509_crt_t)); + retrieved_size += ret; + cert_list_size += ret; ++ ++ /* Start again from the end of the previous segment. */ ++ i--; + } + } + +@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } ++ cert_set_deinit(&cert_set); + return ret; + } + +diff --git a/tests/missingissuer.c b/tests/missingissuer.c +index f21e2b6b0..226d09592 100644 +--- a/tests/missingissuer.c ++++ b/tests/missingissuer.c +@@ -145,6 +145,8 @@ void doit(void) + printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); + + for (j = 0; chains[i].chain[j]; j++) { ++ assert(j < MAX_CHAIN); ++ + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + +diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h +index 543e2d71f..bf1e65c95 100644 +--- a/tests/test-chains-issuer.h ++++ b/tests/test-chains-issuer.h +@@ -24,7 +24,7 @@ + #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + +-#define MAX_CHAIN 6 ++#define MAX_CHAIN 15 + + #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ + "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ +@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { + NULL, + }; + ++static const char *missing_middle_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_2, ++ CA_CERT_2, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_last_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_2, ++ CA_CERT_2, ++ NULL, ++}; ++ ++static const char *missing_last_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ ++static const char *missing_skip_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_skip_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ + static const char *missing_ca[] = { + CA_CERT_0, + NULL, + }; + ++static const char *middle_single_duplicate_ca[] = { ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_0, ++ CA_CERT_4, ++ CA_CERT_0, ++ CA_CERT_2, ++ CA_CERT_0, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { ++ CA_CERT_0, ++ NULL, ++}; ++ + static struct chains { + const char *name; + const char **chain; +@@ -377,6 +468,14 @@ static struct chains { + { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, + { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, ++ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, ++ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, ++ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, ++ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { NULL, NULL, NULL, NULL }, + }; + +-- +2.29.2 + diff --git a/gnutls.spec b/gnutls.spec index adba8c2..a183863 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,10 +1,11 @@ # This spec file has been automatically updated Version: 3.7.0 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.0-test-fixes.patch Patch4: gnutls-3.7.0-gost.patch +Patch5: gnutls-3.7.0-duplicate-certs.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -284,6 +285,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Wed Feb 10 2021 Daiki Ueno - 3.7.0-2 +- Tolerate duplicate certs in the chain + * Mon Feb 8 2021 Daiki Ueno - 3.7.0-1 - Update to upstream 3.7.0 release - Temporarily disable LTO From 7e113a5794a9140de84745a08883d8b46d04a48b Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 2 Mar 2021 09:20:21 +0100 Subject: [PATCH 042/152] Reduce BRs for non-bootstrapping build Also disable guile tweaks if it's not enabled and remove non-existing build-time options from configure command-line. Signed-off-by: Daiki Ueno --- gnutls.spec | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index a183863..3811ea9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,12 @@ # This spec file has been automatically updated Version: 3.7.0 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.0-test-fixes.patch Patch4: gnutls-3.7.0-gost.patch Patch5: gnutls-3.7.0-duplicate-certs.patch +%bcond_with bootstrap %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -21,13 +22,15 @@ Name: gnutls License: GPLv3+ and LGPLv2+ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3 -BuildRequires: libtool, automake, autoconf, texinfo -BuildRequires: autogen-libopts-devel >= 5.18 autogen +%if %{with bootstrap} +BuildRequires: automake, autoconf, gperf, libtool, texinfo +BuildRequires: autogen-libopts-devel >= 5.18, autogen +%endif BuildRequires: nettle-devel >= 3.5.1 BuildRequires: trousers-devel >= 0.3.11.2 BuildRequires: libidn2-devel BuildRequires: libunistring-devel -BuildRequires: gperf, net-tools, datefudge, softhsm, gcc, gcc-c++ +BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 %if %{with fips} BuildRequires: fipscheck @@ -147,11 +150,13 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -#autoreconf -fi +%if %{with bootstrap} +rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h +autoreconf -fi +%endif sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h -rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h echo "SYSTEM=NORMAL" >> tests/system.prio @@ -164,14 +169,16 @@ echo "SYSTEM=NORMAL" >> tests/system.prio CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS +%if %{with guile} # These should be checked by m4/guile.m4 instead of configure.ac # taking into account of _guile_suffix guile_snarf=%{_bindir}/guile-snarf2.2 export guile_snarf GUILD=%{_bindir}/guild2.2 export GUILD +%endif -%configure --with-libtasn1-prefix=%{_prefix} \ +%configure \ %if %{with fips} --enable-fips140-mode \ %endif @@ -191,9 +198,9 @@ export GUILD %endif %if %{with dane} --with-unbound-root-key-file=/var/lib/unbound/root.key \ - --enable-dane \ + --enable-libdane \ %else - --disable-dane \ + --disable-libdane \ %endif --disable-rpath \ --with-default-priority-string="@SYSTEM" @@ -285,6 +292,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Mar 2 2021 Daiki Ueno - 3.7.0-3 +- Reduce BRs for non-bootstrapping build + * Wed Feb 10 2021 Daiki Ueno - 3.7.0-2 - Tolerate duplicate certs in the chain From 9afae358ed30fa685a3927797e1b6e428732b7b4 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 5 Mar 2021 12:16:43 +0100 Subject: [PATCH 043/152] Tolerate duplicate certs in the chain also with PKCS #11 trust store --- gnutls-3.7.0-duplicate-certs-pkcs11.patch | 44 +++++++++++++++++++++++ gnutls.spec | 6 +++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.7.0-duplicate-certs-pkcs11.patch diff --git a/gnutls-3.7.0-duplicate-certs-pkcs11.patch b/gnutls-3.7.0-duplicate-certs-pkcs11.patch new file mode 100644 index 0000000..02284b4 --- /dev/null +++ b/gnutls-3.7.0-duplicate-certs-pkcs11.patch @@ -0,0 +1,44 @@ +From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 5 Mar 2021 12:08:25 +0100 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for + PKCS11 too + +The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of +gnutls/gnutls!1370) didn't cover the case where the trust store is +backed by PKCS #11, because it used _gnutls_trust_list_get_issuer, +which only works with file based trust store. + +This patch replaces the call with more generic +gnutls_x509_trust_list_get_issuer so it also works with other trust +store implementations. + +Reported by Michal Ruprich. + +Signed-off-by: Daiki Ueno +--- + lib/x509/verify-high.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 9a16e6b42..736326ee1 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + + /* If the issuer of the certificate is known, no need + * for further processing. */ +- if (_gnutls_trust_list_get_issuer(list, +- cert_list[i - 1], +- &issuer, +- 0) == 0) { ++ if (gnutls_x509_trust_list_get_issuer(list, ++ cert_list[i - 1], ++ &issuer, ++ 0) == 0) { + cert_list_size = i; + break; + } +-- +2.29.2 + diff --git a/gnutls.spec b/gnutls.spec index 3811ea9..51ff567 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,11 +1,12 @@ # This spec file has been automatically updated Version: 3.7.0 -Release: 3%{?dist} +Release: 4%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.0-test-fixes.patch Patch4: gnutls-3.7.0-gost.patch Patch5: gnutls-3.7.0-duplicate-certs.patch +Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -292,6 +293,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Fri Mar 5 2021 Daiki Ueno - 3.7.0-4 +- Tolerate duplicate certs in the chain also with PKCS #11 trust store + * Tue Mar 2 2021 Daiki Ueno - 3.7.0-3 - Reduce BRs for non-bootstrapping build From 8841f0c3cbcd111aadc97aa25c02b70a90e09e5b Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 13 Mar 2021 10:01:24 +0100 Subject: [PATCH 044/152] Update to upstream 3.7.1 release Also remove fipscheck dependency, as it is now calculated with an internal tool. --- .gitignore | 2 + gnutls-3.7.0-duplicate-certs-pkcs11.patch | 44 --- gnutls-3.7.0-duplicate-certs.patch | 403 -------------------- gnutls-3.7.0-gost.patch | 12 - gnutls-3.7.0-test-fixes.patch | 195 ---------- gnutls-3.7.1-aggressive-realloc-fixes.patch | 84 ++++ gnutls.spec | 22 +- sources | 4 +- 8 files changed, 99 insertions(+), 667 deletions(-) delete mode 100644 gnutls-3.7.0-duplicate-certs-pkcs11.patch delete mode 100644 gnutls-3.7.0-duplicate-certs.patch delete mode 100644 gnutls-3.7.0-gost.patch delete mode 100644 gnutls-3.7.0-test-fixes.patch create mode 100644 gnutls-3.7.1-aggressive-realloc-fixes.patch diff --git a/.gitignore b/.gitignore index 7137263..0f9ce46 100644 --- a/.gitignore +++ b/.gitignore @@ -131,3 +131,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.15.tar.xz.sig /gnutls-3.7.0.tar.xz /gnutls-3.7.0.tar.xz.sig +/gnutls-3.7.1.tar.xz +/gnutls-3.7.1.tar.xz.sig diff --git a/gnutls-3.7.0-duplicate-certs-pkcs11.patch b/gnutls-3.7.0-duplicate-certs-pkcs11.patch deleted file mode 100644 index 02284b4..0000000 --- a/gnutls-3.7.0-duplicate-certs-pkcs11.patch +++ /dev/null @@ -1,44 +0,0 @@ -From e97a5f07bc9d9394424c6520656e902019fcb380 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 5 Mar 2021 12:08:25 +0100 -Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: skip duped certs for - PKCS11 too - -The commit 09b40be6e0e0a59ba4bd764067eb353241043a70 (part of -gnutls/gnutls!1370) didn't cover the case where the trust store is -backed by PKCS #11, because it used _gnutls_trust_list_get_issuer, -which only works with file based trust store. - -This patch replaces the call with more generic -gnutls_x509_trust_list_get_issuer so it also works with other trust -store implementations. - -Reported by Michal Ruprich. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index 9a16e6b42..736326ee1 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1495,10 +1495,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - - /* If the issuer of the certificate is known, no need - * for further processing. */ -- if (_gnutls_trust_list_get_issuer(list, -- cert_list[i - 1], -- &issuer, -- 0) == 0) { -+ if (gnutls_x509_trust_list_get_issuer(list, -+ cert_list[i - 1], -+ &issuer, -+ 0) == 0) { - cert_list_size = i; - break; - } --- -2.29.2 - diff --git a/gnutls-3.7.0-duplicate-certs.patch b/gnutls-3.7.0-duplicate-certs.patch deleted file mode 100644 index d86b855..0000000 --- a/gnutls-3.7.0-duplicate-certs.patch +++ /dev/null @@ -1,403 +0,0 @@ -From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Dec 2020 12:14:13 +0100 -Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate - certificates - -The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a -regression, where duplicate certificates in a certificate chain are no -longer ignored but treated as a non-contiguous segment and that -results in calling the issuer callback, or a verification failure. - -This adds a mechanism to record certificates already seen in the -chain, and skip them while still allow the caller to inject missing -certificates. - -Signed-off-by: Daiki Ueno -Co-authored-by: Andreas Metzler ---- - lib/x509/common.c | 8 ++ - lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ - tests/missingissuer.c | 2 + - tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- - 4 files changed, 245 insertions(+), 23 deletions(-) - -diff --git a/lib/x509/common.c b/lib/x509/common.c -index 3301aaad0..10c8db53c 100644 ---- a/lib/x509/common.c -+++ b/lib/x509/common.c -@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, - * increasing DEFAULT_MAX_VERIFY_DEPTH. - */ - for (i = 0; i < clist_size; i++) { -+ /* Self-signed certificate found in the chain; skip it -+ * as it should only appear in the trusted set. -+ */ -+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { -+ _gnutls_cert_log("self-signed cert found", clist[i]); -+ continue; -+ } -+ - for (j = 1; j < clist_size; j++) { - if (i == j) - continue; -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index 588e7ee0d..9a16e6b42 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { - - #define DEFAULT_SIZE 127 - -+struct cert_set_node_st { -+ gnutls_x509_crt_t *certs; -+ unsigned int size; -+}; -+ -+struct cert_set_st { -+ struct cert_set_node_st *node; -+ unsigned int size; -+}; -+ -+static int -+cert_set_init(struct cert_set_st *set, unsigned int size) -+{ -+ memset(set, 0, sizeof(*set)); -+ -+ set->size = size; -+ set->node = gnutls_calloc(size, sizeof(*set->node)); -+ if (!set->node) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ -+ return 0; -+} -+ -+static void -+cert_set_deinit(struct cert_set_st *set) -+{ -+ size_t i; -+ -+ for (i = 0; i < set->size; i++) { -+ gnutls_free(set->node[i].certs); -+ } -+ -+ gnutls_free(set->node); -+} -+ -+static bool -+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash, i; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ for (i = 0; i < set->node[hash].size; i++) { -+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { -+ return true; -+ } -+ } -+ -+ return false; -+} -+ -+static int -+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) -+{ -+ size_t hash; -+ -+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); -+ hash %= set->size; -+ -+ set->node[hash].certs = -+ gnutls_realloc_fast(set->node[hash].certs, -+ (set->node[hash].size + 1) * -+ sizeof(*set->node[hash].certs)); -+ if (!set->node[hash].certs) { -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ } -+ set->node[hash].certs[set->node[hash].size] = cert; -+ set->node[hash].size++; -+ -+ return 0; -+} -+ - /** - * gnutls_x509_trust_list_init: - * @list: A pointer to the type to be initialized -@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - unsigned have_set_name = 0; - unsigned saved_output; - gnutls_datum_t ip = {NULL, 0}; -+ struct cert_set_st cert_set = { NULL, 0 }; - - if (cert_list == NULL || cert_list_size < 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); - cert_list = sorted; - -+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); -+ if (ret < 0) { -+ return ret; -+ } -+ - for (i = 0; i < cert_list_size && -- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { -- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { -- unsigned int sorted_size; -+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { -+ unsigned int sorted_size = 1; -+ unsigned int j; -+ gnutls_x509_crt_t issuer; - -+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { - sorted_size = _gnutls_sort_clist(&cert_list[i], - cert_list_size - i); -- i += sorted_size - 1; - } - -- if (i == cert_list_size - 1) { -- gnutls_x509_crt_t issuer; -- -- /* If it is the last certificate and its issuer is -- * known, don't need to run issuer callback. */ -- if (_gnutls_trust_list_get_issuer(list, -- cert_list[i], -- &issuer, -- 0) == 0) { -+ /* Remove duplicates. Start with index 1, as the first element -+ * may be re-checked after issuer retrieval. */ -+ for (j = 1; j < sorted_size; j++) { -+ if (cert_set_contains(&cert_set, cert_list[i + j])) { -+ if (i + j < cert_list_size - 1) { -+ memmove(&cert_list[i + j], -+ &cert_list[i + j + 1], -+ sizeof(cert_list[i])); -+ } -+ cert_list_size--; - break; - } -- } else if (gnutls_x509_crt_check_issuer(cert_list[i], -- cert_list[i + 1])) { -- /* There is no gap between this and the next -- * certificate. */ -+ } -+ /* Found a duplicate, try again with the same index. */ -+ if (j < sorted_size) { -+ continue; -+ } -+ -+ /* Record the certificates seen. */ -+ for (j = 0; j < sorted_size; j++, i++) { -+ ret = cert_set_add(&cert_set, cert_list[i]); -+ if (ret < 0) { -+ goto cleanup; -+ } -+ } -+ -+ /* If the issuer of the certificate is known, no need -+ * for further processing. */ -+ if (_gnutls_trust_list_get_issuer(list, -+ cert_list[i - 1], -+ &issuer, -+ 0) == 0) { -+ cert_list_size = i; -+ break; -+ } -+ -+ /* If there is no gap between this and the next certificate, -+ * proceed with the next certificate. */ -+ if (i < cert_list_size && -+ gnutls_x509_crt_check_issuer(cert_list[i - 1], -+ cert_list[i])) { - continue; - } - - ret = retrieve_issuers(list, -- cert_list[i], -+ cert_list[i - 1], - &retrieved[retrieved_size], - DEFAULT_MAX_VERIFY_DEPTH - - MAX(retrieved_size, -@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - if (ret < 0) { - break; - } else if (ret > 0) { -- memmove(&cert_list[i + 1 + ret], -- &cert_list[i + 1], -- (cert_list_size - i - 1) * -+ assert((unsigned int)ret <= -+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); -+ memmove(&cert_list[i + ret], -+ &cert_list[i], -+ (cert_list_size - i) * - sizeof(gnutls_x509_crt_t)); -- memcpy(&cert_list[i + 1], -+ memcpy(&cert_list[i], - &retrieved[retrieved_size], - ret * sizeof(gnutls_x509_crt_t)); - retrieved_size += ret; - cert_list_size += ret; -+ -+ /* Start again from the end of the previous segment. */ -+ i--; - } - } - -@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, - for (i = 0; i < retrieved_size; i++) { - gnutls_x509_crt_deinit(retrieved[i]); - } -+ cert_set_deinit(&cert_set); - return ret; - } - -diff --git a/tests/missingissuer.c b/tests/missingissuer.c -index f21e2b6b0..226d09592 100644 ---- a/tests/missingissuer.c -+++ b/tests/missingissuer.c -@@ -145,6 +145,8 @@ void doit(void) - printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); - - for (j = 0; chains[i].chain[j]; j++) { -+ assert(j < MAX_CHAIN); -+ - if (debug > 2) - printf("\tAdding certificate %d...", (int)j); - -diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h -index 543e2d71f..bf1e65c95 100644 ---- a/tests/test-chains-issuer.h -+++ b/tests/test-chains-issuer.h -@@ -24,7 +24,7 @@ - #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H - --#define MAX_CHAIN 6 -+#define MAX_CHAIN 15 - - #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ - "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ -@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { - NULL, - }; - -+static const char *missing_middle_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_2, -+ CA_CERT_2, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_last_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_2, -+ CA_CERT_2, -+ NULL, -+}; -+ -+static const char *missing_last_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_4, -+ CA_CERT_4, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ -+static const char *missing_skip_single_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ CA_CERT_1, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_skip_multiple_duplicate[] = { -+ SERVER_CERT, -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_5, -+ CA_CERT_3, -+ CA_CERT_3, -+ NULL, -+}; -+ - static const char *missing_ca[] = { - CA_CERT_0, - NULL, - }; - -+static const char *middle_single_duplicate_ca[] = { -+ SERVER_CERT, -+ CA_CERT_5, -+ CA_CERT_0, -+ CA_CERT_4, -+ CA_CERT_0, -+ CA_CERT_2, -+ CA_CERT_0, -+ CA_CERT_1, -+ NULL, -+}; -+ -+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { -+ CA_CERT_0, -+ NULL, -+}; -+ - static struct chains { - const char *name; - const char **chain; -@@ -377,6 +468,14 @@ static struct chains { - { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, - { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, -+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, -+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, -+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, -+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, -+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, - { NULL, NULL, NULL, NULL }, - }; - --- -2.29.2 - diff --git a/gnutls-3.7.0-gost.patch b/gnutls-3.7.0-gost.patch deleted file mode 100644 index 7cad9b5..0000000 --- a/gnutls-3.7.0-gost.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ./tests/gnutls-cli-debug.sh.gost ./tests/gnutls-cli-debug.sh ---- ./tests/gnutls-cli-debug.sh.gost 2021-02-09 13:28:46.528821113 +0100 -+++ ./tests/gnutls-cli-debug.sh 2021-02-09 13:29:18.851646678 +0100 -@@ -217,6 +217,8 @@ if test "${ENABLE_GOST}" = "1" && test " - kill ${PID} - wait - -+ cat $OUTFILE -+ - check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes" - check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes" - check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes" diff --git a/gnutls-3.7.0-test-fixes.patch b/gnutls-3.7.0-test-fixes.patch deleted file mode 100644 index 066feb4..0000000 --- a/gnutls-3.7.0-test-fixes.patch +++ /dev/null @@ -1,195 +0,0 @@ -From c815f725448af8d023818a968e1296946ceb0f1c Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Mon, 21 Dec 2020 09:36:47 -0500 -Subject: [PATCH 1/2] tests: Fix tpmtool_test due to changes in trousers - -Recent changes to trousers now require an ownership of root:tss for -the tcsd config file, older ones requires tss:tss. So, start tcsd -using trial and error with either one of these ownership configurations -until one works. - -Signed-off-by: Stefan Berger ---- - tests/tpmtool_test.sh | 37 +++++++++++++++++++++++++++---------- - 1 file changed, 27 insertions(+), 10 deletions(-) - -diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh -index eba502612..77fe17e59 100755 ---- a/tests/tpmtool_test.sh -+++ b/tests/tpmtool_test.sh -@@ -138,6 +138,7 @@ start_tcsd() - local tcsd_conf=$workdir/tcsd.conf - local tcsd_system_ps_file=$workdir/system_ps_file - local tcsd_pidfile=$workdir/tcsd.pid -+ local owner - - start_swtpm "$workdir" - [ $? -ne 0 ] && return 1 -@@ -146,20 +147,36 @@ start_tcsd() - port = $TCSD_LISTEN_PORT - system_ps_file = $tcsd_system_ps_file - _EOF_ -+ # older versions of trousers require tss:tss ownership of the -+ # config file, later ones root:tss -+ for owner in tss root; do -+ if [ "$owner" = "tss" ]; then -+ chmod 0600 $tcsd_conf -+ else -+ chmod 0640 $tcsd_conf -+ fi -+ chown $owner:tss $tcsd_conf - -- chown tss:tss $tcsd_conf -- chmod 0600 $tcsd_conf -+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & -+ BASH_PID=$! - -- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & -- BASH_PID=$! -+ if wait_for_file $tcsd_pidfile 3; then -+ echo "Could not get TCSD's PID file" -+ return 1 -+ fi - -- if wait_for_file $tcsd_pidfile 3; then -- echo "Could not get TCSD's PID file" -- return 1 -- fi -+ sleep 0.5 -+ TCSD_PID=$(cat $tcsd_pidfile) -+ kill -0 "${TCSD_PID}" -+ if [ $? -ne 0 ]; then -+ # Try again with other owner -+ continue -+ fi -+ return 0 -+ done - -- TCSD_PID=$(cat $tcsd_pidfile) -- return 0 -+ echo "TCSD could not be started" -+ return 1 - } - - stop_tcsd() --- -2.29.2 - - -From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Dec 2020 16:16:53 +0100 -Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry - -The certificates stored in tests/testpkcs11-certs expired on -2020-12-13. To avoid verification failure due to that, use datefudge -to set custom date when calling gnutls-cli, gnutls-serv, and certtool. - -Based on the patch by Andreas Metzler: -https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121 - -Signed-off-by: Daiki Ueno ---- - tests/testpkcs11.sh | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh -index 38b9585bc..09a627477 100755 ---- a/tests/testpkcs11.sh -+++ b/tests/testpkcs11.sh -@@ -67,6 +67,8 @@ have_ed25519=0 - P11TOOL="${VALGRIND} ${P11TOOL} --batch" - SERV="${SERV} -q" - -+TESTDATE=2020-12-01 -+ - . ${srcdir}/scripts/common.sh - - rm -f "${LOGFILE}" -@@ -79,6 +81,8 @@ exit_error () { - exit 1 - } - -+skip_if_no_datefudge -+ - # $1: token - # $2: PIN - # $3: filename -@@ -523,6 +527,7 @@ write_certificate_test () { - pubkey="$5" - - echo -n "* Generating client certificate... " -+ datefudge -s "$TESTDATE" \ - "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ - --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ - --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 -@@ -900,7 +905,9 @@ use_certificate_test () { - echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " - # start server - eval "${GETPORT}" -- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ -+ launch_bare_server datefudge -s "$TESTDATE" \ -+ $VALGRIND $SERV $DEBUG -p "$PORT" \ -+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" \ - --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 - -@@ -908,13 +915,16 @@ use_certificate_test () { - wait_server ${PID} - - # connect to server using SC -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ - fail ${PID} "Connection should have failed!" - -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ - --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ - fail ${PID} "Connection (with files) should have succeeded!" - -+ datefudge -s "$TESTDATE" \ - ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ - --x509keyfile="${token};object=gnutls-client;object-type=private" \ - --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ --- -2.29.2 - -From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 9 Feb 2021 15:26:07 +0100 -Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority - settings - -When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many -places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging -system that runs the test in a restricted environment. Unsetting it -after a temporary use forces the remaining part of the test to use the -default system priority, which might not be the intention of the user. - -Signed-off-by: Daiki Ueno ---- - tests/gnutls-cli-debug.sh | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh -index a73910dea..3c3e2214e 100755 ---- a/tests/gnutls-cli-debug.sh -+++ b/tests/gnutls-cli-debug.sh -@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} - tls-disabled-cipher = CAMELLIA-128-CBC - tls-disabled-cipher = CAMELLIA-256-CBC - _EOF_ --export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" - -+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ - timeout 1800 datefudge "2017-08-9" \ - "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" - --unset GNUTLS_SYSTEM_PRIORITY_FILE -- - kill ${PID} - wait - --- -2.29.2 - diff --git a/gnutls-3.7.1-aggressive-realloc-fixes.patch b/gnutls-3.7.1-aggressive-realloc-fixes.patch new file mode 100644 index 0000000..dfe035f --- /dev/null +++ b/gnutls-3.7.1-aggressive-realloc-fixes.patch @@ -0,0 +1,84 @@ +From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 10 Mar 2021 16:11:29 +0100 +Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if + AGGRESSIVE_REALLOC + +Signed-off-by: Daiki Ueno +--- + lib/str.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/str.c b/lib/str.c +index 506fe1721..bc20ebb04 100644 +--- a/lib/str.c ++++ b/lib/str.c +@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + + unused = MEMSUB(dest->data, dest->allocd); + dest->allocd = +- gnutls_realloc_fast(dest->allocd, new_size); ++ gnutls_realloc_fast(dest->allocd, new_size + unused); + if (dest->allocd == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } +- dest->max_length = new_size; ++ dest->max_length = new_size + unused; + dest->data = dest->allocd + unused; + + return 0; +-- +2.30.2 + + +From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 10 Mar 2021 16:12:23 +0100 +Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is + defined + +Signed-off-by: Daiki Ueno +--- + lib/str.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/lib/str.c b/lib/str.c +index bc20ebb04..8007340f1 100644 +--- a/lib/str.c ++++ b/lib/str.c +@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str) + + #define MIN_CHUNK 1024 + +-static void align_allocd_with_data(gnutls_buffer_st * dest) +-{ +- assert(dest->allocd != NULL); +- assert(dest->data != NULL); +- if (dest->length) +- memmove(dest->allocd, dest->data, dest->length); +- dest->data = dest->allocd; +-} +- + /** + * gnutls_buffer_append_data: + * @dest: the buffer to append to +@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + + #else + ++static void align_allocd_with_data(gnutls_buffer_st * dest) ++{ ++ assert(dest->allocd != NULL); ++ assert(dest->data != NULL); ++ if (dest->length) ++ memmove(dest->allocd, dest->data, dest->length); ++ dest->data = dest->allocd; ++} ++ + int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) + { + if (unlikely(dest->data != NULL && dest->allocd == NULL)) +-- +2.30.2 + diff --git a/gnutls.spec b/gnutls.spec index 51ff567..e743644 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,9 @@ # This spec file has been automatically updated -Version: 3.7.0 -Release: 4%{?dist} +Version: 3.7.1 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.0-test-fixes.patch -Patch4: gnutls-3.7.0-gost.patch -Patch5: gnutls-3.7.0-duplicate-certs.patch -Patch6: gnutls-3.7.0-duplicate-certs-pkcs11.patch +Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -33,9 +30,6 @@ BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 -%if %{with fips} -BuildRequires: fipscheck -%endif # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates @@ -213,8 +207,9 @@ make %{?_smp_mflags} V=1 %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ - file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ + file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*`.hmac && \ + mv $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac $RPM_BUILD_ROOT%{_libdir}/.$file && \ + ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ %{nil} %endif @@ -293,6 +288,11 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sat Mar 13 2021 Daiki Ueno - 3.7.1-1 +- Update to upstream 3.7.1 release +- Remove fipscheck dependency, as it is now calculated with an + internal tool + * Fri Mar 5 2021 Daiki Ueno - 3.7.0-4 - Tolerate duplicate certs in the chain also with PKCS #11 trust store diff --git a/sources b/sources index da7e44a..37216a4 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 -SHA512 (gnutls-3.7.0.tar.xz.sig) = 25793ac5e3d2610f95f26a2aa6f444a0cebe45a173cd330ed95b38c82b8f469024c9fa35249917f6b880ae32192b5e74988169a68724c08f5c82a3379fff82fd +SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 +SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 9bbca443d6a33e7c7c1b1ef0c6a9047f50e661aa Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 16 Mar 2021 08:03:06 +0100 Subject: [PATCH 045/152] Temporarily restore fipscheck dependency This seems to be causing self-test failure in FIPS mode: https://gitlab.com/gnutls/gnutls/-/issues/1191 --- gnutls.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index e743644..4d80526 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.1 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch @@ -30,6 +30,9 @@ BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 +%if %{with fips} +BuildRequires: fipscheck +%endif # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates @@ -207,9 +210,9 @@ make %{?_smp_mflags} V=1 %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*`.hmac && \ - mv $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac $RPM_BUILD_ROOT%{_libdir}/.$file && \ - ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ + rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \ + fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ + file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ %{nil} %endif @@ -288,6 +291,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 +- Restore fipscheck dependency + * Sat Mar 13 2021 Daiki Ueno - 3.7.1-1 - Update to upstream 3.7.1 release - Remove fipscheck dependency, as it is now calculated with an From 39ffb6cb2137580cf1d893b95ad86fe7437f3782 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 14 Mar 2021 11:03:06 +0100 Subject: [PATCH 046/152] Remove %defattr invocations which are no longer necessary --- gnutls.spec | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 4d80526..b650258 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.1 -Release: 2%{?dist} +Release: 3%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch @@ -234,7 +234,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files -f gnutls.lang -%defattr(-,root,root,-) %{_libdir}/libgnutls.so.30* %if %{with fips} %{_libdir}/.libgnutls.so.30*.hmac @@ -246,7 +245,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %{_libdir}/libgnutlsxx.so.* %files devel -%defattr(-,root,root,-) %{_includedir}/* %{_libdir}/libgnutls*.so %if %{with fips} @@ -260,7 +258,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %{_docdir}/manual/* %files utils -%defattr(-,root,root,-) %{_bindir}/certtool %{_bindir}/tpmtool %{_bindir}/ocsptool @@ -276,13 +273,11 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %if %{with dane} %files dane -%defattr(-,root,root,-) %{_libdir}/libgnutls-dane.so.* %endif %if %{with guile} %files guile -%defattr(-,root,root,-) %{_libdir}/guile/2.2/guile-gnutls*.so* %{_libdir}/guile/2.2/site-ccache/gnutls.go %{_libdir}/guile/2.2/site-ccache/gnutls/extra.go @@ -291,6 +286,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 +- Remove %%defattr invocations which are no longer necessary + * Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 - Restore fipscheck dependency From c13cb3cf697598fe8000c05380291f8f7af938f5 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 14 Mar 2021 11:04:54 +0100 Subject: [PATCH 047/152] libpkcs11mock1.* is not installed anymore --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index b650258..64ca31d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -223,7 +223,6 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/gnutls/libpkcs11mock1.* %if %{without dane} rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %endif @@ -288,6 +287,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %changelog * Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 - Remove %%defattr invocations which are no longer necessary +- libpkcs11mock1.* is not installed anymore * Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 - Restore fipscheck dependency From 46d865d8451be0f4576dcc56841175a9faa06d1a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 14 Mar 2021 11:07:59 +0100 Subject: [PATCH 048/152] hobble-gnutls: Remove SRP removal The SRP patent expired in May 2015 so this doesn't make any sense. We actually haven't used this hobble-gnutls script since 3.5.12 update in 2017: https://src.fedoraproject.org/rpms/gnutls/c/5651d6db313d5d2a15f7efe6b05c7eb85cfdb30b OpenSSL also does no longer disable it since: https://src.fedoraproject.org/rpms/openssl/c/1ff978b22e53e729cb86c4b8783b2d13cf3734b6 --- gnutls.spec | 1 + hobble-gnutls | 7 ------- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 64ca31d..bed226a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -288,6 +288,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null * Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 - Remove %%defattr invocations which are no longer necessary - libpkcs11mock1.* is not installed anymore +- hobble-gnutls: Remove SRP removal * Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 - Restore fipscheck dependency diff --git a/hobble-gnutls b/hobble-gnutls index 0989b6c..dd914a5 100755 --- a/hobble-gnutls +++ b/hobble-gnutls @@ -6,10 +6,3 @@ if [ "$1" = "-e" ] ; then else CMD="rm -f" fi - -# SRP -for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \ - srp.c auth/srp.c ext/srp.c ; do - eval "$CMD lib/$f" -done - From 0ef0aa89fa258787a1400c475b5ee6376265438d Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 14 Mar 2021 11:14:36 +0100 Subject: [PATCH 049/152] Use correct source URL --- gnutls.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index bed226a..64387a8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -50,8 +50,8 @@ BuildRequires: guile22-devel %endif BuildRequires: make URL: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 @@ -289,6 +289,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null - Remove %%defattr invocations which are no longer necessary - libpkcs11mock1.* is not installed anymore - hobble-gnutls: Remove SRP removal +- Use correct source URL * Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 - Restore fipscheck dependency From 6d9878cbb22baaf30a943d0af2a3f09022958c11 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 28 Mar 2021 08:53:10 +0200 Subject: [PATCH 050/152] Switch to using %gpgverify macro --- gnutls.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 64387a8..5f67111 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -145,7 +145,7 @@ This package contains Guile bindings for the library. %endif %prep -gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 %if %{with bootstrap} @@ -290,6 +290,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null - libpkcs11mock1.* is not installed anymore - hobble-gnutls: Remove SRP removal - Use correct source URL +- Switch to using %%gpgverify macro * Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 - Restore fipscheck dependency From 64c7d6867d961ab8665c5c14b2e3ba30e9f2c2b0 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 29 May 2021 16:06:11 +0200 Subject: [PATCH 051/152] Update to upstream 3.7.2 release --- .gitignore | 2 + gnutls-3.7.1-aggressive-realloc-fixes.patch | 84 --------------------- gnutls.spec | 8 +- sources | 4 +- 4 files changed, 9 insertions(+), 89 deletions(-) delete mode 100644 gnutls-3.7.1-aggressive-realloc-fixes.patch diff --git a/.gitignore b/.gitignore index 0f9ce46..9ea9030 100644 --- a/.gitignore +++ b/.gitignore @@ -133,3 +133,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.0.tar.xz.sig /gnutls-3.7.1.tar.xz /gnutls-3.7.1.tar.xz.sig +/gnutls-3.7.2.tar.xz +/gnutls-3.7.2.tar.xz.sig diff --git a/gnutls-3.7.1-aggressive-realloc-fixes.patch b/gnutls-3.7.1-aggressive-realloc-fixes.patch deleted file mode 100644 index dfe035f..0000000 --- a/gnutls-3.7.1-aggressive-realloc-fixes.patch +++ /dev/null @@ -1,84 +0,0 @@ -From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 10 Mar 2021 16:11:29 +0100 -Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if - AGGRESSIVE_REALLOC - -Signed-off-by: Daiki Ueno ---- - lib/str.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/str.c b/lib/str.c -index 506fe1721..bc20ebb04 100644 ---- a/lib/str.c -+++ b/lib/str.c -@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - - unused = MEMSUB(dest->data, dest->allocd); - dest->allocd = -- gnutls_realloc_fast(dest->allocd, new_size); -+ gnutls_realloc_fast(dest->allocd, new_size + unused); - if (dest->allocd == NULL) { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } -- dest->max_length = new_size; -+ dest->max_length = new_size + unused; - dest->data = dest->allocd + unused; - - return 0; --- -2.30.2 - - -From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 10 Mar 2021 16:12:23 +0100 -Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is - defined - -Signed-off-by: Daiki Ueno ---- - lib/str.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/lib/str.c b/lib/str.c -index bc20ebb04..8007340f1 100644 ---- a/lib/str.c -+++ b/lib/str.c -@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str) - - #define MIN_CHUNK 1024 - --static void align_allocd_with_data(gnutls_buffer_st * dest) --{ -- assert(dest->allocd != NULL); -- assert(dest->data != NULL); -- if (dest->length) -- memmove(dest->allocd, dest->data, dest->length); -- dest->data = dest->allocd; --} -- - /** - * gnutls_buffer_append_data: - * @dest: the buffer to append to -@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - - #else - -+static void align_allocd_with_data(gnutls_buffer_st * dest) -+{ -+ assert(dest->allocd != NULL); -+ assert(dest->data != NULL); -+ if (dest->length) -+ memmove(dest->allocd, dest->data, dest->length); -+ dest->data = dest->allocd; -+} -+ - int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size) - { - if (unlikely(dest->data != NULL && dest->allocd == NULL)) --- -2.30.2 - diff --git a/gnutls.spec b/gnutls.spec index 5f67111..6d2895a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,8 @@ # This spec file has been automatically updated -Version: 3.7.1 -Release: 3%{?dist} +Version: 3.7.2 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.1-aggressive-realloc-fixes.patch %bcond_with bootstrap %bcond_without dane %if 0%{?rhel} @@ -285,6 +284,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Sat May 29 2021 Daiki Ueno - 3.7.2-1 +- Update to upstream 3.7.2 release + * Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 - Remove %%defattr invocations which are no longer necessary - libpkcs11mock1.* is not installed anymore diff --git a/sources b/sources index 37216a4..52f21ca 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 -SHA512 (gnutls-3.7.1.tar.xz.sig) = 78327723cd23e515326bee4348f00ef2c11626267a715243d9392490e30d44965fc8997184a348d0c9a5beaf50be4028304a49a0c569a1e9f3998bda9000713d +SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329 +SHA512 (gnutls-3.7.2.tar.xz.sig) = fc3314c0ce5fb608352fcd8e19efd14435e4cfa5c0eb843d86febb6053fec7d46774b637037b96c5a621a7001f89d6c110f75bff96f94c2a77caf5d9c3aa9447 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From cb40e7efeffc2351af557dcc573c177eb87a4745 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 22 Jul 2021 02:30:57 +0000 Subject: [PATCH 052/152] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- gnutls.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 6d2895a..ed71b71 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.2 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap @@ -284,6 +284,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jul 22 2021 Fedora Release Engineering - 3.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Sat May 29 2021 Daiki Ueno - 3.7.2-1 - Update to upstream 3.7.2 release From eaa69df8d9aed2193553b954bb92d605bcc239b4 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 18 Jan 2022 09:40:12 +0100 Subject: [PATCH 053/152] Add build-time conditional for TPM 1.2 support Signed-off-by: Daiki Ueno --- gnutls.spec | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index ed71b71..60914ee 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,6 +12,7 @@ Patch2: gnutls-3.2.7-rpath.patch %bcond_without guile %bcond_without fips %endif +%bcond_with tpm12 Summary: A TLS protocol implementation Name: gnutls @@ -24,7 +25,9 @@ BuildRequires: automake, autoconf, gperf, libtool, texinfo BuildRequires: autogen-libopts-devel >= 5.18, autogen %endif BuildRequires: nettle-devel >= 3.5.1 +%if %{with tpm12} BuildRequires: trousers-devel >= 0.3.11.2 +%endif BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ @@ -39,7 +42,9 @@ Requires: crypto-policies Requires: p11-kit-trust Requires: libtasn1 >= 4.3 Requires: nettle >= 3.4.1 +%if %{with tpm12} Recommends: trousers >= 0.3.11.2 +%endif %if %{with dane} BuildRequires: unbound-devel unbound-libs @@ -185,7 +190,11 @@ export GUILD --disable-non-suiteb-curves \ --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ --with-default-trust-store-pkcs11="pkcs11:" \ +%if %{with tpm12} --with-trousers-lib=%{_libdir}/libtspi.so.1 \ +%else + --without-tpm \ +%endif --htmldir=%{_docdir}/manual \ %if %{with guile} --enable-guile \ @@ -257,7 +266,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files utils %{_bindir}/certtool +%if %{with tpm12} %{_bindir}/tpmtool +%endif %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool From beca303c2928e620991f58c759e2f4817558eea3 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 18 Jan 2022 09:42:49 +0100 Subject: [PATCH 054/152] Add build-time conditional for GOST cryptography support Signed-off-by: Daiki Ueno --- gnutls.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index 60914ee..0ae71ef 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,6 +13,7 @@ Patch2: gnutls-3.2.7-rpath.patch %bcond_without fips %endif %bcond_with tpm12 +%bcond_without gost Summary: A TLS protocol implementation Name: gnutls @@ -183,6 +184,11 @@ export GUILD %configure \ %if %{with fips} --enable-fips140-mode \ +%endif +%if %{with gost} + --enable-gost \ +%else + --disable-gost \ %endif --enable-sha1-support \ --disable-static \ From 2244afa0e8f682091f47e0ffebcc106efd60638d Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 18 Jan 2022 09:42:04 +0100 Subject: [PATCH 055/152] Update to upstream 3.7.3 release Signed-off-by: Daiki Ueno --- .gitignore | 2 ++ gnutls.spec | 10 +++++++--- sources | 4 ++-- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 9ea9030..7f5c956 100644 --- a/.gitignore +++ b/.gitignore @@ -135,3 +135,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.1.tar.xz.sig /gnutls-3.7.2.tar.xz /gnutls-3.7.2.tar.xz.sig +/gnutls-3.7.3.tar.xz +/gnutls-3.7.3.tar.xz.sig diff --git a/gnutls.spec b/gnutls.spec index 0ae71ef..ed7ac26 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 3.7.2 -Release: 2%{?dist} +Version: 3.7.3 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap @@ -23,7 +23,6 @@ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3 %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo -BuildRequires: autogen-libopts-devel >= 5.18, autogen %endif BuildRequires: nettle-devel >= 3.5.1 %if %{with tpm12} @@ -301,6 +300,11 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Tue Jan 18 2022 Daiki Ueno - 3.7.3-1 +- Update to upstream 3.7.3 release +- Remove dependency on autogen +- Add build-time conditionals for TPM 1.2 and GOST cryptography + * Thu Jul 22 2021 Fedora Release Engineering - 3.7.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild diff --git a/sources b/sources index 52f21ca..28ec0a1 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329 -SHA512 (gnutls-3.7.2.tar.xz.sig) = fc3314c0ce5fb608352fcd8e19efd14435e4cfa5c0eb843d86febb6053fec7d46774b637037b96c5a621a7001f89d6c110f75bff96f94c2a77caf5d9c3aa9447 +SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 +SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 4b09fb236cecd597792e92b205b56ed7d746a596 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 06:53:57 +0000 Subject: [PATCH 056/152] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- gnutls.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index ed7ac26..3844faa 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.3 -Release: 1%{?dist} +Release: 2%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap @@ -300,6 +300,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 3.7.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Jan 18 2022 Daiki Ueno - 3.7.3-1 - Update to upstream 3.7.3 release - Remove dependency on autogen From 505c517370ee47c9c3da0c2a0e733d73d7d910a9 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 14 Apr 2022 12:19:54 +0200 Subject: [PATCH 057/152] Add gpgkey due to packit Signed-off-by: Zoltan Fridrich --- .gitignore | 1 - ...462225C3B46F34879FC8496CD605848ED7E69871.gpg | Bin 0 -> 48528 bytes 2 files changed, 1 deletion(-) create mode 100644 gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg diff --git a/.gitignore b/.gitignore index 7f5c956..7f7e886 100644 --- a/.gitignore +++ b/.gitignore @@ -126,7 +126,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.6.13.tar.xz /gnutls-3.6.14.tar.xz /gnutls-3.6.14.tar.xz.sig -/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg /gnutls-3.6.15.tar.xz /gnutls-3.6.15.tar.xz.sig /gnutls-3.7.0.tar.xz diff --git a/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg b/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg new file mode 100644 index 0000000000000000000000000000000000000000..30cd72996164fbba16fd2ee7098b8d28633c03e8 GIT binary patch literal 48528 zcmb5VQ;=<2x2>DDZQHhO+qP}n_DtKhjhVLXoN4pMT>Jj_tP?w8$G)%ap^V;Yd{KI@ zrPh%N1PdZ%eoY6608p?9sJDjauB61Mal}5@*d`MbUTX6-OAM5_0Dpt4eG}#{jV5rl zOUETAD1jo6LxP_{go z1S(C}bY0VK&qWh^*|DHRHK4h%|7c~RPf8$|M|N5GyTg_9?Z^mn3++O4C7Hh~7S%*% zhAtR5-t1wTkld;^S2}>x|KeVHvgFZ@gxt(~9o=-=^kKjXQ;^h!RHN8FDRwTDf3DOd zMI%Hnr2}!n)F)CNR*lJu@*0eIO?OUi68G1a-qYS;*JoN8XFPal0My1McQ-Sic3#7| zC`;7X5MIrs^n;&Th8%2mt-nR7nKHo4j-iKOaz9A-@nEo4yP`)D*1TmAfQs4%946qg z1Z~Uh`P@ViNIl)471$FZR3>Z7Y0nVq??D{h!EjUpgjzX2!Utu63zAzUG+oPX*-+sM zB}xsU-~f+DesFlL4U;fV1A;GB>+HJPkH;aEi?vl^x-2JS$}^-pY)mWSq-)Y~QZ!cs z=x0B}t$>nogi05GIHpzUZHsJ-NE4e=G~ExxS5-u)Z@ng9L?AV(E~ee{nBbW-Rc+#O z?<1TyI^gs{Kg|;+uyEInMEO`YiMoy_?nf!IKh0f7Jr zK!N^Z1B49>1`P=T4h#f>3IqWRf(8T(2!sa+gdP9@1&Oc%8WOj9lHq7K0RJOnrc%)I zqidW@3P;o$c|=h0q-AIT^Ie3e!IcgfK_{&C{3jZn+^#8wqc_yE53z%#l+XCulq$z? zYqew$fmNCiDz-c&4O4pT>0rj%SmqLue2zBSp9KRX4t&DzFbJq$-}#wbWzjWDvTT2?!#) z2B1OEW|XO_O`cZ%HK-AiGZ#k2L7tIRfkGF_sL_E&%IWJ*O+Q1`@b+=Yg7>(XOQu^K0jFLAlUd773p3#U z(GwShy$xj8i{cn(Htz+%ya`+*I2nVKsL7t%QJ`?>l-F*r@RZxV)VGAZve(X00vs)N zc!OLe+-89ggY4#eOM5zX%kk1+i-Al+p8@oy&)!IQ6-uMDGE0#Zs%xuUr@J8}M1tAQ zAjEDUU`MT?3C=K`{Oxc-9pd&YF`DRoHAF0T=dijMz$b`*}Oh3Bo(Z z7gf`yDyVo}*A*0fF_QE}*=oM{)%b{H!kperZS+`M3{cYu0zkTXF|S43W?N zUT{F0t3#Nvd+J<=vg~yGKl<_gsRIhyR3Bdm$5s9@e2YJ!<1J{BK{8kP?h-CGlEKRhwQ|FdWT=l|=op_yWp_2l>KFB{?^{Uvaf`e)SES?yLr= z^=R$uqsbi%m0@AN^sHn5;oF%|1DuDyJr6O1sjQ*K^`oB>FWM+W8*>qQxB#Dj1X5*K z#VASKZPjj)Fm&_`rk7eArUdd+#$x-*Xlyc8v~=!ig_39V@S;4z$pHO|ge6J&^GG zlqv}&&^UuXP6maYa~yMiDnbkd0TBoQ>@P2ms(P;CpkxBbGf`@Ia~g@w_3ktc$Rk3|Cm~V+jt~Pu{;%he z_JkV$tE1iYgsFk%iA4?vkOK=Dr8PJB<#rvnHsX)B^uE;}aSo6lc%#1PpmYuu8(~6l z)~eEbGo!HoZyj{5Go7yGAP5dY{F zbRGSDzNOfd3Kt{wowt??5AKM_OJj2LH_}z82qZQN-i1&kP`gNJi>ujTHl3Oc1P{xZwFbTd=U}%$Hkcy{JliqAn?2XUns+>&B zYfVo*=PJ%t8~thvG?(6;tH{z30`;iCTHvrWdx(Hd&Gq62ghD%vi!1@m;Ul{3htZ|@ z^Skme_vEH{27>0KMla7&JGqX+IzE|Jai(m&K|DyiI(Z6QGCF&0xEIXX%qV^rXeJoS1+|2sbo0yeSdY>vuE<5~*9ao`(h%kRfZ9;pJ%YdQZU{T$dtx2Rse zgDwowlT>6y^v&0quM_Fa`7s)}HgCp+^$m<2{y_ooi3*javkeNTr(}9}vSw)3_ZRV2 zaATyu3KY(b6SG7aSdV<1cNaB^KrCUUW&3!jiEzF%fA@!w$h?Hy_pw1vTa%MEHr``} zvwCf!2+Tb6s3sBONt<8Z2HosNvU9p)=OZ?U##6KXplo;@D4dLw#PlTHN)40dXuEK< z;eN{x7^)>q$_Wp>HTomh&W>G|#L*+bM4F9QVpJA>pPxJF^JLm@HmoKn&A$Eo zx1J^$Xq96!}Q2#Gx>3`|?1;)JJN(vd8v;&YXAT@%R zxpWe7Q@O-)+{ycdtw9Blf3i0OlOM@~SxS&DJ~gVSPAE zjAIFqpTep%4M!78J6%1huM0jj@e=+sCGhq zutgv(6Y;fy3GJxwhqO9HZ;>+`3`=Gl?dCL^Xo5ZPuukijJVU@+YFbrLT))OvtU){l zrQuWFtU!lE-`*8qx!IeNA)cVm6-U&BALgl8+=}S{(4~#JWXUR!5En;A8|!k5R-uq2 z3~K#HqQS35;^Qg_>%jCpSu<)W5af;aOIp3SJ4mWgppb{6j}ZSi$%}AO={pqA1c%!? zLJz9JKs%d6H7;sTb8&k#(z_IaY_lQ+=bFRVK)Rq|Ip^5{ef-mjIDC9Wp*LcK>d zg4P%}Ic|$6O%jtB##;a6L5i;F1}C#lf~8{mq4OEL8YaY3&zOTBw4cF@3-Wu}w=C@* zne=N2}H#xrv`57^dGFqbed8Ye(OU8_tj*8b^saNw~1Om5F1t;>ONWKv;_sEBri*-snR(x+Aw8 zF?ShAKJeaV0IvseYS=iaH?NVzP;G^%AUIcfB=&kpkQwlF;*SBU6)pF!$d|r9CSAM> zBKa-rb8uuFOU+`pY)0R)lbTQFq6a=sH)=MEH3Ec)YL5QH_b3FWC_mKl)aCASBg7+hUyOnj`&%5hglkATizvh zGF+bvR*S7-x>j`RZJ3n~?Cw8bF!n?rBg4?hZoFw-k%X-A8hGYbb-nDEz5r;E1qiTU5VgI>nO8 zG1xd251V-AY!%m?gT$v!^Y>VT29rv}qU#luiBGb-NgH2##?avNnw5Uu*KIcHHeA`1 zyAJTgMq>00y>*?wfba7?9^H5Z%jx}IZ6;v)I)3}b;4k>ZPD5~&WFZ&1A#JR{6hFEM zeqG{aP8C%m>eC>7(nA~VeLG&#-mTfhGcOw0v>_=ZY&RK60p@l8@884bxz-Ms8D=?C z`lRj13}3-eu4Ubon`HdM`LSh*z_X5{bgU=Xh zpD}(5*qV}2gmlkYO$t?hhOkuHE`#9WEY|fFIJ$K+X5V4>z?=xWVi(4ony%*s&e`R? zTkM_{y5jFz;}L?(=9OxNq<7Co*utjrVa(WZHZK!|fsl*UEws0n0>HX1Ts|TzDU97--lf)0!zd7ylF;xkxc1Zo zLHptEXTI0yHQ|`af_* zENW#poK=fJs1fyczhs>0?;wmlY=ZS@oFl|r5jpH+GkAn0V+Xl!nOl6F4m{>PWC*xG zOLBe)d@|>Arh0qjMM3dxS6r4t>pBw}keD`BaZu3p*BYvz zqLFJ&y7O8uA?xZf<^2N!!KhviqU_t^yzu4qvm2#f%dtV*F>d~Il$Q$HB<%k+Gyb&UX+NhU|(ZBFhR`L)@|%t0l95_GM4Y4<}>om>szc5_4= zW%pnn=c2}~E*4EywSZnj_}}hP_+|MQk9|e1O#GQsl9mVrfY>giZ%&-}XzRfcTrM?lSd+(&XwGQ`*Zy&<7ZIr5Bl(&P4N^-2sZhA8jsu|m$Iss zHEK<^m_^kzFzE_zApHt5BVTf_`&GST^yt?fD;a*m=frTXAZ%NJYX$~7w)&!c6ud;S z1!+Gom^>%|u%^Yq_K-an>6)WtB)iF8u_0NXH=~wbK{H5-axVCOjDkv~Wuj|#RH@sc z(AJ{$_Af|*)cw5|$x^XYsW{HH;S7THQPZwvUT_?>R?X=OnTG<(S2N;|b=XU=O7d7# z+xuOtQ)4t2=sA|a#=wqKlGXhDjAPV@9gP|511c!w8!N`CY(2~vq>&S?TKsCppOlsC zv3VOU;YiexMVz|Jf;|nR^WLL#SN~UmXyOW130@(mhN#D z2%mZu;7u9eNX={a{gZ_jIk*PLdn4; zl&7VowD(7`{m(Pq8Kb%&-Vv?8XwAQaM>!u~=Wta3h8|dMH!PKzNBf)Pg?s5+b=(@r zd6{Dm+ixon4mnA+HCFH7hnD7`BC#<8Z*l!9)&7k~ku=X=JWRIvm&&q7@+)!Rzximl z5}O2JT`mS2cX=r1l6(&|HL?dvzQopkrUkMC!J@rD18G zT<}+QO0&m7HP~%k0@))vo+5y!8VCuvi#Np#%0j5!%5DTX1-^k zYy?!fCq#6>SvVhHo$p|L_q;|SD6H|ntz74>5)@5DuT6d@MzHF0rVA`knvCvw#7Di2 zTK>HRNd-A3cMdGTZDhflSNJOxV@#F>{M`pFGir#CKoT`n_>%gL`__9?6WB3K(PCWb zYVLiVr)Udsuc7m-N`8$Zj?C7G?KZj0*bY#>=P{SK^C*_EoHJq}a%5;#ca|U;b!{S} zieZ3e$-$VQeVlPD%UK66QKsnv`#7>!VpxCXz0>yCpaJjfFtzICmqFa`z%ZO~(nyTc z3R})t`isc$z=rwj}{lr~` zhXU--r^hM3QL5FZez}=68)fP;w8!StY7QX*{=4)|HR=G|`(I5mXeSI7Dk#-4ku!nv6qRI&<<)!E$1*NuPZVd9(gcl@-4%T1 zFDy2T$E3~GSX~F*>Ho%~nzZvT9@b<%7d1$PQeMpn0G-Y8KfKf^bfnMrmHe6Q*6rzs z5lq8oHF=Q*SubgI8L^-@{*z%c;_*zWRaTR2|E}LMTMN z40l2~sHBDgY{Plw9azQ+uY@sQ%`<^KREmmbWiWyMB;g>TN-lTB!k0`8-0A4-b&?X| z=Hc=+i&~gfT?YHf5bY zt}m+BI$TQ4XeCVwfM_f92V0f2BC|RU3I*b4p;yd@oDWXEcq-p~Yd~HrKVL zHn5tgYi{}E$|SM@bD2UJR_zOu{r-C1L*5S4fQJa?MVrJGOZaxWP1sCapvBY;=V_h5 z=uTYQT@}2K<>e4`!21B{1uZXe=no;yDu@K){b!s+{(r_v|80;23Z$^EiUJA=p_HZf zm!JQPBa!FezuEox$$c(k2=|t&y76veP|x~4-^f!7h=RW9F5(ueSAclGYGGiy?%c{# zBMc7anR`*QOXvTLYN3N_)s1S=S~DGTSXrKSiLH;nvz13$+B(K3z836&;DRH&8%XLb z#e>B5_EYW?F9;Gk(WMT=9Q0s{QVE>ccBj;dgJ16)V6~=mW&o{Ab{&Mj&SjXUYGn{> z+by6Nn}*Fx4YD}Wsq3bJ2M!cUrZwCQqfs^?59&MXsTS>$~!uKsV`!DHMwjD)lta<7Z%aA5qz$a zMqO}cjDXl~+g1V5a^=dN{RS-Wly4brce7&rUF_DfT$EM5*DKk0x9jLzB~cbOqbHra z{~Q!Dw&`~ls{I~fItRacTsNxkq#uf}#I{KuQ>a;^g)@udq$i}0oWq+>JYbb$(UOa> zUCPtLAtGKt)*y6g{8R&b!oCGFe0VuzxSp9M$lXQsq&*D)=qjxofrYBE4nS0RAY9s+ zk#zlSO{|mVHnB-!8MK~1_PEx z0WR*tLa^sI1&uI0SdG)v78RO;usSx2PsUzvC!gmS1$|Z{d*UwKG?NIlApqMdvQN5s z7XL4MQBnZE`-=ySiAfz*oD9&3C;T^WYaI46tAVvzZaPGn_^uC$x;)~!CU}Su$GM#O z!r3ApGD1P|BUZd8cX^5EL|QmW9_2vrd;-(-bv1pUzTlLO#V~eN846y~cI~E@OXM)s zqnqfaSN{E+XXDlwi&InUZ zGNA8xzIg?pG1y7Uq}gSAc-bUT4-`PjP)$C3+BYO>xBVEN}Fd}6x#z~yUa2@?Sv0!Ki{s>#omj!mLCmu~}x{u*3t|pL7 zu^suJ$|X>W#e<5o-qL`IjM#%GN&_5t8UfJ#_#Uk7=DKn$-OzHitgsqVUX4dOjAfE& z$d}`L1S$gTMA?-tgSI%YoAUMfoDxxB=`sA07_JM@=P%%QsUQrw`>B*zsKSVSMfS~W z6DiFPipll7apLm~D>>c&oxLb2#QXt;gpJ{3`?tM_TEl-ri12Wcg(HVL6w!=vLZj4+b)RtwW`nu<&D80zgSr8eBsidEkm_Q>sHW8S z3xgrPn7OjnD9VPuS}TgSVI37}F6*Pomo`^SKMcpmW#}aag3(m|et4y=YJeUVR!ud@ z_7Ct0<)5wgbU+=<(<4F}hHpw7S^dm&^&XFNT<#zb|1H#Hzkf*XkDklDD?f8IyOih6 zgYHG`V{cB6N>CyJ>wi@eo->??BUbUgpB;8AsJ2D-c~~h5lT`SntdbYZ_dBs)Kc6gi0B2 za`#(pu4@*oHkH7EHUyY^&nF-_5`0b3xmZKEm(iB?PM*Kq|>Y zjfkyg#dXpv0`MwcrzSbzo}e|iCC*5?!>_f2|1CeGRiKcFa_j&2&wpM|s4wt8?z>jk zx!79XPByJ3JrqM46A1U>fO@rCA9drE_qj$kzZEeDcYHDGbe12w?LBXUG{zC4&~DyV zj9`l$+GnjcB!Fio8;jShLUl4ehql%Mb(Ade+AQeD$w9QU1e>FLT3eQM^MX?1hu6K6h)@na z0}W`9N0W$&vE$AJB#-4FJivHE)s0|FJws`loa3gsB<)h3hwzW`2Tcr}ghvMTLoqd3 z{nQy#wTAO+`rQY&_q4_SL^<8ofEjbfB2ynBpPsuHCeED(NpaDY4O_tQ@{jp!-o%Mm zK=+%k+zy~(sf(YWoR4%eFEuD0N};Taq=B!s`zl`VzC){ueO{vo9do>8Ah4Q3;%Q`? z$Y`Df=5UFK#4u%;&jm$-Y~8NAq1)o|KS5v4!Zy7Xr8a5giuZMoMXG1vZjbNYUsVN9-#+<^k1`gMK&7w zzwRP7S5o7k;M~Hv3-HY+gES>idK{s3D*|q%$6`^sLvp)j$!v`#{*xW<*mVyG5ZO=j zeC!+>E3hpOxx=qx-=Z|tvfo#OoW4gk%1Ju+pTz0Y#s??9Ca6JgT5_}qOR z)uxbsBJpZr?a5)bmMX}oKaa6QFzAtbUzNq;xbhzaOE*W)n%oWrP4o(SaO2Kz9GbZx z!dw#0E(~g+Q9dODv%Ir6n6mX9LRqM~^O?LXarG!DeF$fYo5O%a4dw{h~9V$0Grm|JjPbMI!{kKVga6 zDJLzYbT}T4T?Bzg;u(4b1=4nC;rd&(|D50+fPa7<*!neAAT1RT%vioIto@?0y1TE~ zaFO#?9=}VBHJ0TeJ8`BKDG`4OU`X$hZ2yzFw-TSXA^3-2R}$PoI=r$oFIV(iP$-l2 zA^kK{G}?K>I;Nk0lqTWkvi2I|-j2hc!iN^Oo!<>dcGf8*9Via_g>@)pxec;SlLVi! zr%w$)_1C>x?G~<*C(hV98T*0KYfP33f8a~?bL{9&Z|JQKWheqp*{p>ch5r8ZFhr}i zB%r0T%?uy~ii3QwOS%ObQ7~)IAr5Dxjhj%NeaZrmuS^D0=A)vR)XohlZ(Nc$~SRYdDwq2q}5HuG9Q<9K*KRYi@ zmai^BazE-o?(tPYQAh6fd7?ppL78U`)iGERTGS0QC36-~Ut`r!6V}r5TPi(TJxdV4 z^N-R!laOcU*G56X#7AZ@ck4n~sfIclDmdWq#IK1v1B|7;QTm370wdTmPx0z1QyS81 zxt!XeR?d8|s2T8&l{}+Z)A11ecv)a`X&J#6y=JGo_3ANTvYNgI_t1q^86evl&`C5} zUMtYHOal%}MELyrCK4CSndWi0-zP#zN1;O`WM|PT?<~y`&K51~zmkT4I1f7SN5&W8 zTCm`4uuSG9_;=Nw{e0~L;7Qa>wl?#Wt-K(k9)?1dGopuR(j+qn1!DhkCt4IuE z0cJbbD#6RVWwLGiF*)|RVPtRv!vw-h9ZDCWO?OjqSPt2lGdMtTb%K5QM@AMVEAV|F zlNusl`6UQcdis)jv?AMa91Azu>hub?!=q@I0~gtdjn*lRb-UEg9-y{Uqe^|nTc=}v znzo{PXp5f2*~#6d&hvuu1T{RF=61TqL;Y5o>V$qK%oAT-6K5}%Iw2BB<)0Rl?|*19 z(Fj4rh)9Q;?ODR}#wBh3^9lzA(yqel0)@n?po9GjU~$!b;Uf{{ygjgnxBKkKpC)YIHxgplUI{DZZL*Y76uBEt zNFw8(i1;5OkADG|mve`;xjlKHwj)DO4k+kT6XAaLvfro(HvF-#EJ|umGy(GepUlxs9M#P#%|pX_&54qD;54>^J23KullijxdxQ}x_*G!&M$;^C ztGkyTg5W!q)u90I>p=u}0QVRa$G?x)%4zTYyQACt3#5$cK zXvQL(ii!F$&$~wXO;6FgYd+J#ENnU|j@<=xns~o$iDS4^+CiKYj{?s^x z9SkV|4bsK`HZ#>wI94?$=MZwaL~1%NJ=c%QSS=zGMQjqo@$YUOm?N~N2t@BVQ`mzp z=-cnwe=z87GI|x!R6X$rsNWpxUz?@+qzy0ByJ<7C>rCLedJl1}AeKOe?9*`z{nOaM zBZiL_U)+{$`&x+41d8DK(h3H1w=zd}dJHpi1(I7n=bZx9xq*I2n>@9;G-8V zx?xjRa~zqusoNmt_E~^@uKpdunINg*E+Zg3O|d0J`Fy)CknMQ7;xn2DR(3KrBdgvx zGqT8HxY{QJoru-ObY5%HB3$y7M8t+L8=9g?p$8Ve9%yq*?JUfTN=pRG^6;=D>r!TT zwbxDKw-~MH+l{{k+=e}WJi&1-yg`^xgLB20TZx<(5Zm%V1I{rXkwa-(^or+vLcfnL zcB!&kuC4!I%FE_M@=-gO?>Djh0So`cgVP4-kzR?<2*&j({bFFqDr)ER_Muq&0gd_N zLzG2^T~Vfi&3L7u_3m17u?jY&JQf?OfU>A)(dI{jjXkLl7&Es#Xskz=J)CRJ_StBY zn~^vdjwd=gXSq50&UWYjkZR}*!~X~?Rt+DwoSuk5en3Oc^j%YSSM=l0D))tux_6e_ zS%XXxTi(<`HAnq&L&);nc8sI%r4rob{#el>Ng4haJGbNF+m=E-5ahkjE}lT^NK_7{ zAT3Eiwewz~^`U|=LFX7bYc}8gB}19#YT{^tSq`8Gt>`U#`e>H77u8e#My0la1A}JK zmaewGNXTU^yGJ!Y%SAW-LDBD~eKAx1Q^)DRLCd&1xzaiCjVF;mYEuK9fg9b_W&4M0 zhIQ~Y!AHIsPiRC)uf|F@ypPSlCd5kJ;-&s)^}0+PU0HpOYV)S!*m zf*Z+j(<5lTVCm?#HD^G`xjK^nFIfwtj5&>_m*f9eEKP7n@Q;|%{ z4WaFpK@bX*8XK6g2g?ZczDI*qoIRD^rA8+tf10SZKdMWBxx`9!cx#;jH<1$c0a!v% z!E9Ex=Y4#&>*D+XPgucAjDm)IniE@ddOOiwKrKDO=!6YGbo$JE8i2-Sbb%sz=*JAL zx6}9{4!F!W-RACd?1?6vVz$kiC9C73NEdB~3FF|2U6l|s$&Q^9A3kn!*r?O3IagvXV(anAx%oH`0S)w4FqFuY04V@ zps+4W(mrJZJvQa(dng*{ozeDhVuOi@SFv zeqBHR)5mi?d)Fit=i?}-jPl1HQLCbu<;Au>!okbxbr#knAx2?|QZ9!HsE~T%5H8C8 zn>KYgPzLGfDqRJj)l+!}_hE&^_l!4`agrhzt;liiYhAA?<|V2jL9#Z0bK~pKOsgEt zcE0aczmqjLIB*S02A#A_k22s$gJIh)!#vLSdkpi1-NvBmHia3jE+wxh85{D`#)UY@ zU!VfJ_mw&g_spmQ+8NN(D;}%%Ukoe&P z5qRV-JKdzc;a|M8BJ1KW=vD9$lZ=TGew%)68O6He1&UooTjuv-aQb}Dqrj;B~%^3ZjQI((~7}WH|=tq z`Hq!`#U;-H3uZp5ZP+iUA|@X*Dm|I*e+|%R>3`2PdXM3M%ri&*n`~Soq%c}NUBDr9 z8T_oB*YzIHU^P{eNyKPA>vxH+C>Dy7qTj2?NtbU&vwqLe@7bsKn??>#%v0K?VRyuc z6M8DDd<2+wC=)QFwh`UsMlK3V1a$(9=<8Xq`>+{#9aRoK^ioVXd zB}XL19c*<4OZ~>ka6?!-IH7cQ_Rew4`fTOkHJMF9&6Psd!RBc)Rymj`s@KrYQpr++ zX^1oYNbvNUmx{=|0E^^jU8LT&v6+6$pFinBFVa1|T!DAf$pGf_t(*Q~kt*Vpx{Ad` zb0fxlM9UlH^!DhdZDqaX%=n`E+2buepE3BsWybgU5l#mNb`C~CGrIY%)m71yiFx$SPS+7gk6vhCis#IvY(T$?FF8t`x|2_okr z-s!7H&Y2oR?TJAfay|3pIuYvp4J5<{H>{wXKga`iq;yM)%3Qpk9l240L%2?e3OL+; zvshy+No~P5;4^}1*h|C(G0XQ<-OoodGuLiZAa@S8NqqziB8>=^4N!^^LJ!e;>Io}} zEPNS~mMDaeoN+sKD_P81IF(!GCRi0V67Wa-o1Vtr!(p|2_$U1Xab>S7?b+g!WI)ME zL)_8ujxa?)I5PA8tvV}|g-Tp|P0o6BUDQL+@qY*fzFEP)xvSEJQ&|&)i(3oW?9MGM z`gLM@G^vvLAoZ;&Nl!R`1Hb1pinXF(b*5>sr9*#=`yp|#7j)bpC-LKc@T8~;Ab^wa ztHXA#=hh)R+Ic`uSVdif^3O9h9iLO=Wy#ho;qz&aPT64Q0kGbE;Q%#^kb@_a9=x6M zXQ7mF@P%@xU`2BK{c#GDx8%-B+JODe#BuaIIuCVtHy)RL9>=OMe&|anTgv3cB&Jeq z{SyNS;rM(n-C~b@ZyxG!3DZXJ=B1ji`Y{?8pj-1ydsXFVgi+KjmgoA$U1)E$dB#3q($%xvp(B)e%{@$!$wEHeqcS{o0B%H(1`s7Buo z3^6fe7jFc*BPu$XhT zuB?x)GmxfZRZo@TLw#a!q`{^l(GdR%) zDyr0Y{~(8A#Ms*(@Rn(Xxoq==@cp3O(`Sy5P^|7_-{IpJBP#IU|E}8qE)>9;g8&GV z#r7*Cr*|h$ZGJ2EIC9^<7&!yY^DU`C|YG8?heC68-XBF2=BF`eP$PphS&|Lhu26;BA(mVXLF{QcNY= z0)h?LDMkEcYe!?PtD5ty1^jcD*h4Yw59ptVo8Ofb6=Vy$%sqy9=)VX36y|4es`_ATTtt&L^*^?9 zjFfN7v&u7v7wbe6P+(o5hq~e9OIUz^AWI*z*9A^4z4>nqW|}hYUJetyZJM~n6%@{$ zLp95vUY(ezF>q`5rZEtC|9D<_xmv>n8Y2?3j<5oqzDZu0>vqjqiTuE`j5Yr0nGV#J zocqPM@RR4g)%;1{Z#f)4?apcsR1%1Fppli|Qvf6cU6o@o=fXnDp zv1P<_2g#N{J&}$1kcWyCqnN4o)~Plwcz5Vv#08q-jV~Ny@Dwk4Z(EdJA1p|^6WAuc>-G*fYZC>wpET^d>No=*Zv5>)T zs_#VC6Ow=YW}+pxh>SHajo>Mk5#XQ7DzgT>@O@`{SZUYXgdWPgO4pS! z#5GE~an~5t%L35S2)1>&GSSXOlpd$F5M9HXH4Zp%^T=;BR)dx50!wpe8$NEtvx#ut zZc%i`mc)hn%~3SVy(tkU&_OLo-%6q0gIbe=pRELHE*o7*jq9Em(f5ntU@@f7k~-r; zlELy=?9jqZRKL9vOh#|5W*M$o`Svj`1TL6J zd(E3vS%CM4N^w7f4f>vTHpqw+;1*3wicl*UtqFHS%KJJlgon`u*A{I=OmH*0)idVT z$r`TuzG`e87ILIIA62&eN)H(F)`g^0<PYi)pa`0#~6bp!|U zLKDy}znlb>yx|`jgk1fr78jk6CRB^bNqXPq^-fKRIM|j5NdcSHtGngKZ%6}#bjW?h z5FiJd?j#>$c35`-C~Ua6`EvUYw1=R&<6y3nfx9e>n!UM>q9jID$Ui+{aSd#F=nHYs zWBG+s^7SB&3X4V|X7uE#(YH&j1E4ZmuO0YnvBkjVn;MQQCHNG_N+u^=+YH9C*&O5=j4Z?3%DKNc$Kcc}% zp+{D&8cH1dbLzL-oLFq&+6C?g#~sN{4LYCq@z0)lx*<0J)oTi3srk-$+g0ZfS2`*9 zLb!FXJ>|UP@(-s7M6X+}Igsvn`RnangK)HiDUyvC9kGb;BmiLSbTSn1<%NF1 z7ht#ji!Y;BKR5(pmz0}$x%gyt_6K-e(<&Jh`^5diXvf_CaT`lH8m zuEc21hfNTw8q8FZB@KVMkx03<*SCbvv)t)t3A*WBr=8_Qs`s%+gq(YctCY^(mrh1H zJ<=-^VatSxSvO(f)RILrH!>35)=o*3p?!SWND)8~s}5@!t1HYl452C_B?Pfe3l8Sa z62&RiauZN>d+a!5);?$HD5~P9$ar*YQ<3=gX>_)$;U}5$F0s?u5#a; zM9Ab&II1K*nxpdqlom z@PH~SPaX`jh$TTe8WEFVkZYCuAa$MBLe_Bt%vwJgb!tQ>3P|j)J=n;}m$XzQ)845- zOT!i0chg=9uOP95npF6Ky#1P35}i1)@+MN{1)J)*;dTF(@gX;k?l;b2(ciw>_?-vq zw=UK$9V`q;b@k&Bph&~0H7IfJ{pSQW7_~^H1ulczXcwYaVMItZF(st75CZ0KCQ@Ma z(3KW5LXtHjV&f1V(SXSfO|HNx#QQXS-)tE=&}Vo~M9h-?98IzIfGsVXv@mg{={@`n z5SKTj!;1etlF%3s3ZQW!3K@WZ zgT9pXMLdaI#||wySoSxQXf~{*n3R-JeQwFwV>{9sF3W_PTh5=j8p!~V>YtG|NLw;0!&ppzWpG$ESD|AGoVp#{dhDv*Ym6gU^6 z99;XeRJIqH{q`jln_WsMvL#1lm%an`O#HikUA^>sGu_FqUX?_#`|aLi&xFs zRv41^#&mkfX!{mi{J4!WVCeX>rs8K1nF*_i?X-(uLlZ<(v10G*QA&)}FiQ01+e&)x z&q54Gh6GmCH&bu3-zp#H`a-|gyRvT8&Zh3=5C8NdTq!WhEk$;cO$K}G3b1m&s;B&H zYrRpQ|M%t#Qh7^L8)rhf!4?}EQzt@RJ4{c z=kGh2pfx2{{y6Zd>;}l?Iist}2r$mj1o0I7h%EpVl5WfZ@`V5Bddzpvj}6C4NU4~K z`xFxIn*S5$pP6Xon-bx_aRLQSxn0sENxg0WdFoph5=>d|U94o5QGOsIHTMI1fa) zUy2%wi){|U2I@m!KY#D{GX5w2jaKpB_`q8Ah}IbA_}z$rFA_BH%llZ{oYI}Gbp_sJ99}x)WK)U;X)pP3B85? z#D9bn{TqM$wk0j+z;6j`74WU)LaGl(md`QawFXoJdAf+ZX*ZnOXyEY5H8E3gHvJp$ z?eBilPH?T*irKvm(&joS(1CL_cU?Y)!k({XoiVO-6K)EMf&>j90|Qn8oV?>>Te!G5 za5FHtySvky+q+np+uJ*v(%YH3FgTbyF#KJ<$#oy1qdABQEfbKR%-}NkqUmSg|83Wb zdelpzFVHFi$lv)n+G>H}Y~MwA=0Qj;_$bCtqx#=vPQm{lmPw9V$=^dzq@TnG7PWA0H_`=Kb=Uz0>RRBOa?_9Ha^eun=uoUDA^z5Vxj znfyve(sAV_1)?AUi52!|5Q?G}B8MYJh6(BTqwqU1eWom1hTJdET z^d)Sl>~kWRJg_XHP3VqoBl{PUbJ#)-t?qgR7ezZLsGVMN9BxurB7}4Yz4_~tr2`Ga zzx})&&h|c%lz!c?qi~wU( z<(j<0y1;Nd2EYL2;|=3S5O4`?g{oD;Ru7dZmo^~%dR^vmDGLgo%p#Kz2`?aav8Ek{ zOkWw!yEMf7{BL^h?f;qG7J8dsCTf>%SIUI=cJI+!V}oLS6G%C6jaK=PSECXQq|5TZ z3UTJURx@s+?DZ|sli#`G6vwKFcY31o?bpIC>AE0@i@M&qx)NOffsKV*mrttMs8W6M zaEX20dk3~J%&hh*Mu$vU`Ht!D#L#2oFcuW!FTy66niSk0AsQgFsea&l#X*@SOj>pg zp~a%BPxUsJis0ZGg;E9zxTvKDshYn?wXS=T3>J;x5ezFYUF1P$VgIh9t7^_ZM3FJ7 z=kE1kyaTpMXy?8>(Mc#ZJhgKZV&c<*<%uc%asG3O%h1H!@d88&2y=qA8SS}pkEibf zBFmfMk$uL?NbL3K;)*eIQKKc2fpu&K_&@1UzwyoctH*Ke?wdW@%)Lb(5|9(Hxq9+P zi*&zLeVl|QX~7`}RdT}FPV2g$BEgve%Kj}$*s-j|a=tn^;Ix>YR_uIzH(vD932g?t zFmk=>V;L0CU=Tzmx|MN}oLZ>fb`UOau_+0mRZ_nK&X#!>lx#j~8+ch}yzU)`4jKv}~khEBD{Az;#EOlwR<>EkSsgIpr zUvi@v&U@B6x|1w|8j*6%RJb<+o_Jv&A_CT$vxaEL2|(rR^Jq&w*k6)3{*KCj{YvLB zy(l%zI)+$(=z0?1rM{4|2w|Sj^VAm&D1@%M>0$LJyLOhg8E(QSxBQzPWT1bpB2a#r z8vUD|-39-b=llm`G-`-%DIbn3IpI8lt0rca@}6F5HP!vv#S$&|gq=Bkf(m%JrvfxL z$!y{;OvxW6Id!Z{uV73NZm+vm&-uqlD#(CwO<{ca@1UOCPB4nojTukQCAf_yr)^}H zG}pmZcsIr~Yy5ncgxg9OztJ>+P@pB3?u>s0hfF7>Q|A#uxukg(W&}e(cUZJR(U|X% zDEx6r@B_;NU1kXVcy_|&7%*%T>_pV=4}LoL_y>d~YtvIwO%TSTM%&=AOIjT8TLFq? zV%CU}mryKK6_+suSetmDy zN}S+-mAxv!OLU%k~JG{*OseuaYKD@9Mr>c>& zmzbs02n$Or{fyxu7hQ2&=+$cS7P9pAhy~}U5QwK>2QsX|$p*{r{ZQL(%l}AzSM^vi z8R&rj_|B|rHU>(|+5-5!ymo&$osQw+o4}nULpf^eGi|b!m^*NX$a&wyts!WzO53?( zhIdlf_&th`q8TA&P`->;nhRHNMp-{3lH+o(S%SP3#ciD}DJE8ujOMvO7480;5;+K` zZ`}g!)Yr-Sk*BxHfc)`|2|9_x%{nxMl==Q(E#7}ZKMFYG$7oW=VORu^-@kQWFyOzx z@PKhZz@U()Kmh-{YU}^53I9#tgJ#|<<%m;yr7hG4JkA*tSNT(+79VLX8IZJ<(=V^& z+3nvF1-3VEc?Z4FULW%d)k^nBy9oB80fhtxO8hAn`Iz!jWsY+QLR*`I4O`gxoL z1VmAf$hGl_2IB{3OVD;#n1X@E<^+U%#|%^Ubi0AVtg`EiONwUIy&a-X9J?|}K=cBE zYE^OE_N|sdUn4MwKU30Ronlk8`(?QJCzvWE7R$)pkQAy_(*c2loetGTh+T z5KW(V!S7w_2MsyNzi_j%BFJi$=F{G`z3&^zN3c6yJj$!YH@zoA4M|GMGSG(Od@T*6 z(;w155soAkpX=W;p*}7P%v>7a2V+yBYk3A$&(n4M(z(SvQ`8sz{BIrgrXcfgdOZ?g zhg7->;886R-oY)hVULfza$(!I=W1Mwu{pZWAJH2c{l z4zM?;)f$#hcQ`mX1ZSVKY3_u>i)KoTlWE!vO6gl)pfb={SZI-IC>#&0o%S2Eo0`(o zKscd?SkO8u$c$fqvGo#Do5#((P4kO0;SA!COxDbSFNYDEAepbg&Oxb-Zk~b_N~-me zs6a-C^S7EX|3<%J_H>1y=|j+V#O1`<^BQ5b*B zL;OY*6`3Qd#8i!EV@%2)Py8)OtaK{=CtcL~s*rhsm0PfMkpDTByl!bI_%}RWmdT$A z<{Q}3etI)VkBPVu>EXce#D|BP=eQv~tbk15PLF-2VyySi@&F2?h_aCZFQr`HwfpT5 zaiWbj5Q^5R{t+LL0Lno?!KC>w34%J27u8e|t5YG@*0+%9V|Kz!d=57MCo79i6~4Ri zF<`vn_KIB8NDZrca=R>qUt;crm=5KghL&h^3Fy_|Bt4s|Q<$L>vShgCu$Hc)<=8jj zX3t@+9(q}KfvyTizl@8>$ZQX3iHj)jYO;`I+>vRjbweCd!%0F3W}_rqc`s_t#;LKB;vJW8-hx~_Y;tXqILe+-Q z?hpRU<2EPkFON-rx7PAVJ%%trL_nKFkz~HJLoO!q46XkS3qCy4r znzJKcaG*zimP|tY>eIcjheFGln2=8xW@^eMv(UHOw~;jcT97V#!~FvAFfDF z%D&FsEHv0sIu<5iW-_ftR}I7iHEpGukFV3|pQ6=UwPzbcUq4a#r6eg1rR5lgOfab< zOI~9Pk#AH-c>O6AhUwI~_kSgZy?TyREooOJn9p>*1#K(m-)}Bj(+*}>JNpGl+ z2PaL!FX~?9x(Og}ZsjD4e#9irsxtoobz&jx&ME@Odmw2g+ZN;WarhK&V#qlKn;5Bc zQpi$b!BHtvqXcV^FHlp_ks!K#9q}U*v~eItb*( zdg;77HVD^lsO)S8_Co+EbX#Cmp9XJ3=H)bHonLw2qJt0z63=4LS6?L6@ zXZHEVID~p&^(FWtHuuzjc|4r(|K;%0etRjXy8!%)+K+Ey!0n& zTSI-2AWEHs=+E_mF^eV^+bg9)Xc-wa)T^2ORXSQ|r-X=X%BQ?NOBkGAvC;FnJa1>h zH3bEYf^(B{!QP(hPDGk8d)QiDgCId6mROH?L(T}uw}>{nK#ZtR(+4tHY>_5sAA(*} zdxBgU0Ds`w$h^3?sfGUO7oMov1@*`}2AKtb*4Jn%TQ*b+Rc4km>wS=a%ayoU zF(b)Yt4DSiH(?!`?5egnrJluXfRR2TpBQ}NejQp_Vw7;YYlGMrq99=tqP82Llx&zPW?)LcU-{ zAo?weIDP(`yC$PdJ18#1SYBh+KSnzTJeA zq$JlT^$o>|71hyM^+J4X4+!W?jEFPN!_aG>?qT0N)0q_CDl#{a$En}0{lr6aw8)Mf zbeC!PGMo8u+M)q2dm$9fmC8&XH1nB_n{C*R zIs6k{G4SSN%=E0-Jey1oGIY~Bo;NNu>M2f6o9Tm=-a#Q(aNuetbrA6V97Y>(t#Ai1=v8(?5XP+HRCvpgF zI_);ezI&l+=)6^&qO7lJcrt;Q{KLinZf)dq?Ik^LcvKp~oOx{6bat7|1sp}UM`+t+ zJG;GwyE?o$PA_0u#vaS7wYLF7WjXK!cLIz8Wa?DKJT=ToU|Z9)a3u+BSVV3&lo2wUYNU9J!JvPTlP zh>rqgN>cXwW?SiM9NSVU`l(~CAIoXM$*goN!;bR0+8?p_{gY`$_tMRMb+LGJy_>=B+@<}^0}b_z4!6E%mmf=x zs~u2Yrm~ym;j4W3_Lw0d8FHx@h6>;Z1Poq0{WSA+aSdV=uvxENm zGchc&Ns`BlANqJbtXvs=25rsS(71a1>cepA%}~m;CW!_EzqH}=DHC#j+@rXM+_O{ORYk0^<7}tq$6v;@N(D1`m@x>$l=R*8$S-CmHV@K*c&& zk#<;`^LeDQM$M~sW>`i%WDAmVt;yb*0*&=fiNoG+yi%l$|9gtoC9#!&M($Ums%tlaOPKsNk`{7K8~agI7jHJsatZH4@<$AtEE z5FTTHNjfRt0xg|9*#(Y+o!UB_7NY^r8n1d;Q6B=qjUC*o|G6CUOw^rjT_)uqMIswD z67t%0xx!Q^dpr42CpXS>EEO?>+7<>+5jgKghLXLb8z1zxa$3&o+Kw%?F^(GGCqEr> zS$?EN_Y_tub#p3GI(%- z2ir{_PJxD^(8Ba_r^8pGM|Q)|;AHEc3TkHso1}_L|M@s+wKOHvuo-=T|7De)8q_9V z2k|VGn@_tcHxRcXHtZ@6{7RgXup=4es?8H?(5Z@b0R!!3A3O3Ag@)QDo$zCIrRPa# zd>mcV^C+f3ulvx8&!7;fd>sp-7z)B$Mb_)L&!l=f38Z;uf|o=3!FxspbirGVPP**v zu*^w4ppDHm5#N}~s=0ZtW4qa0I*xz+h3ZEU(7gh8`k>X5q?myvuq3!mEH4;7ZLdDl zl^lV;GDa`&q)X9%c&I>oL;vLgm8x`Y%FPIk>46Any?4z^DY+TP_Mm2K>iCo~_h3C0 z`^0Q}noH&+&gH49`_^ZfHk{&IjjJ<{y8o$KdEu_;(X*cCCQ$SF6e~}aq-R45g>F!) z5i%<)bERZPypOAM0#~&!r7TAKn_`$f+iS+ukGe90mMyBWcC0vmAnBVe$qy`DNtCoi zy-QlzA^fy{{54YvdEQ(J;S=o11&gCbe(HPjB?*<$Oh0kJYczPHByan4Fr}J2w4mK* z4Iv7TJXltg*wbRYP(}aURi3-*f+c?m3{95#Lc)C}BydcyX<_J;gXYX^Mc+cwVa`{$ zwZ>^Rv9iE-3}oHfwvR-ccQuJ)Pb;Gfw#k;wD2H&kHTOg;Ci5NIOJkd#ATe}usYSG5 zYiZnQ(jxm*o}_v5cfBf~uvRe#FFw~82PXAYR4yLF$IzTbpEL9)fk;-rOcWQ{{fy7C zSCXp&MSEP_+>0Jp0!pH!u!-Xe;aHX|FU}*3R;dw&R}uz)?aIQt`xFL(kP3{n3x2ZT zL}JlNQ3$)Z@kCtL_n8D~tJH|5HdIHN3)HyO$jpdiK{;Ucp6|#(5`hmko$SJAChr<4 zz)yu&1^!+J~?en9hgD(kXl0zI0J+RT>I4c+Eh z8X|nG2PX;qdpr!J)WImONXcQZ-=gmAe|f+pa{T2Hv`p$9*t_L`FpcoV)Ea{WP>m#n z7jhnC(&LMO+JjLGuO{N!CdPb4xgJ)@>3JbVn|d}MDuqMPhG6)tWygvU*wh{*0YtT{y+*NhAdeY&P3 zID|uby!Y#r_Ac254rGaMJ7GU)vIJm`egySKRP1C*Z>$^0SXW}#exPhWgzM)%^E!Ot z)qJBWqrz~Xx7XfhytfTxSf4&q@9LXl*=|Ue(|3~g(&tC+dXV-pJ_&e*cAHgv#0kz$ zQvjpE>Ad|?k;Nez5>o!)o#OnqxiJY+7z&3JZ8kxe^tzo3N@C%G`m|N8Lc~MZ;_DPJ zFfM)3i^%CS@%yu$2aw{;bYm{-Q>4NLD;lZxf@@Lay-0 zSj!iVdYxDwA7*~8*j_GeLEc47p$Ov5&~Oj*G%o0(ee|e2|yt=q4{`ohF=51Z|Zq&XW;~ph0lXq{JOlEGY<#(&P5-e|eb4k^kipr4dk94U9QT zo{R9U@Ac@M60fhaxV}(!D1A#VVyq2@Hj%1B+^1l-9J+ln#wH_SXNfq?!OK!XQ-}Kb zk_|ar>gG{kB{c1KHF9>hhZ4&Oq)}Md?pU?vAfRS<5WA8WO6K;C^^lV*Qg0>1k94oh z%oE$W#}iYYX+hg0EmR~K$AmOd>4k4jdE-YDgal`yh#PQy8Al;fP~V4`F$u5!!B2n} zE5+29K%5%K*cory?yMtkWmebM+m?z|$qRg9@673$7>|ghPG__1dAXd%0Mfg6n$6uc zz=Iw^-bmtkOi2|h%?2enq@aLIgQeTdX`Y5_bPh$*k|mOtJ8nvxSsyTcD!UWWjKE}X z1A6daPtf?bv=aifT7F^i?EfU1CqKEY&U6RQ|D{vs&?iR|`0X!3hp*=9<8v6k6<1w) zU6^ImDmXI0UNAMFOAZe&#MR9Szm~X>uzrF&3hFk-k~qWv=V${H`5^GDNVr16KoK8Y~H%8%=57fW@z%Wd+#Yp$ClWI{* zqor@t)-xouthT`f(2GV+m`GVSHrhaYwYy^dB%$?`ES9-8MFCX>-Fdmkbv@*GszO9Q zRhNr)wMVM|>9T0^)h2fb9d=>9zq)AGaB40TgiXI4*~1^Zd!v@IZ}C}{WD4`&@d6d| zIJUn$Bte_H1b$qC2aQzo$4y!}*s^aK~LdLEZ{loQXw_xKK)g+L5Mk(7sdPh3nX z-nNq~mcU$NUkB2{&nktjp1BW7TO|?il<)-fOqH|xijQa&+?rYD(am3fY%yc-m0f=y- zDLQnzXEV+>TpAJ+*4g4EOp{VW60vYW5JRQ6bs-c6%4b3MhZY_g5Z(DSNn`?O5o*zd zL0uHWECCJX7Ku%;mk|^sba)2?4iD|?3HRF$J&;oY1PS%w`3kv3MVPu%hNwa!srnMp z>2H1@izX?|^kK8BrFF+G<4j;pU?`#F1+LFT27*Dm-=%|hyKjuVb_<{vp$#_P$6aKq|)h1hyh1F!q+A*-skRW_UPH#=doOQhpGK_QbCA!qwo7w3 zcd}yydgUJ1Q2WT8TE>}9aYEHwcV7D0&>50F@9?**<=7L;I4kxU#%inRFalyb| zGC;vqG5nMydNIiTm7@V6Y>u~ATG*t31-{fR#_8GOAc&97>gT{!(w9I@7Vk5`sr%e? z7t^`ME!cI|*^G2wyV3HtCQXr2bZ=J=|i|#Hwv>zyVbi{kr z-x)x#n8@A(m6IPj3xm|9rEk};AxpG5@Q+q#dqM>q-`8}qjoeDvlZ zyNaq0cupN@I>9HntV!nSkd$2%K{S6H`j@$ z21}1V^^|~;X^ST87n8bTAA@|V8eOQAFjEx@K0jIvows$tzR&xWu`xMnJHCeSriI$M z`|Z3;m1nKA`2ZML+$a9ez18buUjKi2{M)N=z0&y4;d1I(Pw9-0J9~xjEj>2CC)5Ur z%wucqxU}j6m*e%6&a&n(jZG7G=$SD+B-y53X zVXw50IZ)utZuN+BI`87F%puWj=UKa@y#T#FEVNrR$ocksGYZ{MI)-Pmws*(wLEvUZ zpjcvngD21kB TE+bP#h8N{or-u4VqP(2Ae6=ZFGmnF)z>V{x3d#jXUdwk4s5K*h zi*~_eDHE8;qZt*x{F`s!jNZ-BcEPQ4*pQrkb&r*&0}bwVbm>WJt@w(!znn;_)ux&X zo}F=fPGJ~lJ{8o@4G>D!YArihHfnOF=we_o%GxHX=p#vFm-D0LklBgmD`8LMHJ*vH z@++)%XDdlc$%yZRdi^Z5ZN)c4#V3o_Up(8Nr~VsADsXp}y&l6G3W+<>VP;R5I&~wH zj~3Zzw^Var$fHD3lL2n8Yw?7;)k9s2VCwO=}dd*yE3%KznYQ^xm~2d6uDp=J8f zP(ePzx0Hh>1Sx=Cz?oU?$uv@;MS-Lvb|7g7R6^rWbp{gzsPE|Q%<(;`&o z!Xh^lLsEe<>U%%dannZ0O@X_3erGfs>hRtV?LM)C{Q4r-C)RS6m2tJ zh8v9k|Jw|^AKsaa2=%QOd-Yv8W0<39W;#&g;x;f{*= zllZRgx?P)t5*rp!5$&6|OQ;9ky$|XUr&5zHf6Ci2((=xheymft+>E83V=?ZaYPwI> zRo<0On+?`Eg2Paz&?C7|+3{Kl&V=i9B%Ptj4`r;j=3WEE)UAgQQ(E4AvL<1{DjRVy ztECCa-RuH4(?UHph9T$ME}vtz^`W zVr<6WVx@p>TXAWlmu0S{DLRo8!c z+_F^u<>5;`T_>(GOUY@C2TNDeRKq}JS&wz3SAMuGJrtGT=E!!>A znswp_dCfzfVMShJ!{IyE=Vp~oO}Q=SR5cm zzMQ?YlTydKV^NNqNpUY--K^0>(pn^Cg0TdtB`$PeR4K(U>x^`CCvnfk%c$LC180nj z7NjlMt9B{wy|22Q58n4t5wGWroF`%x9iG{Z>B@uSyVjK>flZOoXFBf0o{h-X7AED9 zsEG#0MTtjmU#;}lZ8`&^(2t?`nS?wd9z*jNK~QIq-e)*E!TF4!?8BXv-wn!@HAQ!< z%bu|v$t+ee7i_G@r^}5GT8<`8Cc$vx{U#R{fiYN44pYCVc*u>qd-UEzKwKMhAefUQ zy9rTvzaK}!(`YQoi=2EoyYbG-mQqk?qGH-f&}NpU^Xf=B-W!GpwQp{Os=LDK<#Z?2 zbOIGPH2_&1wF1R%i#ns&ySxU9BA=uEz3y3vPLYqx`9V*haip)WqVtOr?1@(*G}smj ze8hA=B5f$P&AW$^Xcot5E9c|+#IJ`2)j5=&tyxY=SInqa&;Sy4y)njG4DLbx7xHy} z9k1f^UF&hf{r@Vq{~j*)v`K$?SlKMMni|t_3v?sAgAr0O*LJ`3ijvtVhZ^^IY(?N@ zgFqEMjj9gjdFt%U0On8rRK&J?^tVpxNNd2Cqn$}bi7+~ltAsTzCxQnt*{v<4E! zA0lNH)lLf9{4s{tP)q{k5tW{WuHMOM%IbZ?5FF5WVvyirbw7JuAs(8p1VUVem1s9=y1tPnDY<&99)%lqX zH|H!wBuyM&K%NInhds#B&LW-yGDAQMsLrM*H8I(ptWUNCv(%y4nWq-YbR)gclej=| z^A|~YNFE6nVU}ki^c@;o-ndAs$%0t2%!=%qS5gjuEi^x#b1OKv*~j2GUKoxk zggjoW48;6KrLn=QDg8*tmu>+4(22!ayk)VTq9^O*AKCI|j2hST_Oc-Y3U)WQ=R4KQ znYeQHCiucAT6X%CpQpGX*m1CQ=_2%m*tne$7%siCryLO7)CYkiYNac5DM~i0di0EO zuQP@Xs8M)ceg3fQ6=foe@_dR8!Mb_e|GV<|-=3UnuYdXvU4l&Y82wn4Q9lsAIBxa% zk8j@b(W;lfJwuA{^UwdVU!lqq6v(R%4SxOE=-*CCnX##YeG+)eo!l0L-q=CME8mHR z>A+x|wMNkYoTgS-!knd(N~RwXg_ywla9axBvZ2mH(14rDV8-#RR{zXD8YZYM8g&gF zl5tXR0SZ9~5Dr@^Hgt`YxG77F#e6K?@a$b2xuT-FF?08C;r;zl%&(DX9BJ$D}tBs^a$)7>7nMWSQw4* zSw<`)f1DGV{rn6oR{t3V$&Qt5QxghE*f`@0fQKp0)q^+%BRBtE4M(|C{JFBAazmf;a$xX ztvsQ>@$DtFHmhH773)jR0Irn{fg|aUjojIcf7zhN zq+Im1Z&sJF%bOh=oJ{i*K4t_Y*NFo@Jp@@g!jZ52bL0qk4mu%tVw(potCX&z3hZ*t zFH6?T@q(t&Fy__0gq+dzun%6> zpRWgPvW-b~mpVLXvm|-$Uzl$bcpa}0h47V|=IN@GBvGvmjNILYTmK#||MIv+;rzRM zfP+59PYC|#A`nIdL=iE$UfCqyH*ekZ9>Y?mYFYqs_gLRE8)4L^pTVNnKAyAVMT5po z&q+S6X5ubT&i9s$^;loguadxB?RyzuT}P<2xz-`hN9%`BsOE4u*vi7L)mCIH+HjEK z)7ycNq2rf}!T->M?%v3Tqc)JAUkopw4sX(|?w*9d4Imm9Ipb+#AR9XimE7?bSvy0;aUU}hZDAK7OieDPdD1_o zd z@`LE|)hA7)7@xtIPv%>@r#9vCc^0=2)hx`&543XJ>{o|TzzuRgLuN|9@BY_nY>{hZ2p zo^^B}KN+MM7X8Z|G0%H*sxCYYvv$_v>g^@ykBddmurVbIC4i%~hq zWYU7oP+PKw7u74}sgH;eIa-g<)3^$WiAR0I&R4wIQQ#oWwR>qW+zL+rWR~o%WjIiZ zi!&sW&wqHR;D?9)<-tV}Q;wKxB>KpP@NLeB-^1DTW5YQACd3sY2LDYiZqZ(EcPnZ# z^3z(F2ym|?&hvfiVN6hCb_Vz|;`}_zfC=nMaeIGhEQ{tbIHl%_WrnQgZ6hjeR8)Gi zFnLgsrEXJfWRjWAyNtFNQ|!Uo_*ERlP#R)qYL%EA3prenADb}wcJ-H*> z)l?IS+>6s{TM&_S-PH%H+G1Pc1wUyfdjGr(F`L2fdUJ>0B@UH?H_*|8e5L96k%>_*JH^8(icgUyrT- zzLMDaCOz%cxt;%^jg6ZL3; za-B-&kb9DivlV^b2v+4l)pX_kG(^SPN6aDS7bQbk7GPT#-4e;OeP{*>yL=h9c}jzd%TWxpY5^njkliI^ViPlszS4DG|HIabba|(39zfL)El#Xt9thDN>f& z`}S6(+$LA|-UQW0E-? z=ZKcd=3@pM#bI8tApFyE&rWRx2`IGxk03FOl(oM+kp6A9S4pZT{=0h^bag7|tp2%i zHbD3mVgE@XcD3w!`|RhJ{fite)CCJ%7-mZODau*reW1IFN7iV=xQT0pVsph99-T=b zr?`Tcj=#;qYY|FTzOnjL*dxJXUZ0k6Jy8zc`trH5_X>V{9h1sfFA-ae@>#udcMHcj z8T5`BPFB*me5S{$;iVS_u`o?pf(kUP+X_18C8+G~sUe9+RgF0uBvdB``zVYVS61V6 zNeE4q^42@w0ZAHJ`ITIo%9ZB$g0Kw|1o_&KPydmUP!7yo!k6Is4h3{5CsmxHf9IMe zhtP>}eQ3NJDWz8Fjw~)YLRgFCmRDjWK7*b#)0q)V+Y?O7{TkT2++z<7Tf1U=q9JBF zU@$29M~SA{pY#5>cn&!frzGyq_r9%Od1rT4#?S(^N#qMi)Z(%)Hh@ihIP>D8`P%$5 z^i>=DOZ+zu+_xmT|L;f$4dU6_1^LeFHZY+Vr-aSg=Ghu$I*G#>`5|cIM`|&QnaHWM zfj{a%OnOD70^>FMsU34p0m0Fpk}Uf~{e`jYrBxxb;k`m=n~lLrwHb3=z>usUUV-st zi}uhLMAxI&=>?Q{9zJZtQhx%4Y&U)s^SEv?fj%wo;ZJsuOdk>Dqy_S8ZmNBSkc#vk z-<`!+e!yI*riHYMEKA9wLgy*7uHENtDy_~>W;J52MnfHdG|IQS&<+J%VVSNB{pErD zzgdizl$yUhv~vp#&EjX1eY6k(6W?moZtosGuP(MU$@xY*pkE)5ATGyHwl>XFbt$id z_%58W5jm#=FH?s3UB5T^EHjzLje~ZKM-v{fI^T@<758^``+njqn6jP@gXQX5E@faQ zK0%y%3(`~KR91UsQR0x)g;H(2pm6sbtVA=uAmVEHX}em^(rfM9@o_?5DqG=)ErBgl zs?laz?9W~J;cn9-?7PqAKxD{BqIr)+7$(~=6m>|keR5o~kFp>@L(v-q&2h8kV#)nM z?kT~lk+V#F4zw`0i=`jzPC`D%V+h1N*u+0k?2_LPc6*W#XYqiCLugt4Wx{mcWXfh% zQ)l?(tzgXhXAy14#fap6lFP+p%Y2o$-Cfs2c4%O9K3{Kng&$tqdY+u-Z1=>ZQe3e_ z{LJZ+jNG{1)nW--$tYxe?TyTq!#k%>@^k)3?2~Ck?~3laq}%{G>}x<8G?W)GmSJNO{hm+A=A(Z;35T>Dk>il2d(d@z%=CWFjXT z?(8<*AYf!yXfU+B;=7MthX-EVqiHRAV9iT~97{d!ijBD6U`c4@TbqprZ7yUP(C2}5B{Nk6_G8+13s~l5}<@=yoz@G10;UWj&m>@xY z0`|Pvz>dE864w}3$bWdK5Y>VICU>@QGuxA*@AoGR?g?(q7BY+X#oz z2V{cW&vf0jkV++ums$iV?kwDnG&vH62#>w4!}6h$ECH(zUo{wd2n$PQWu(jAk_1t| zOLkj!Pgxry%WQat^$qTG@3+aMa3JW@8}g*O0vR@d*Lco=oAt(Ztpj3|BP0>OD5PRZ zlvSGD?V@{@=bJ5i+Mr?vMelIszCgV;Ul^&JBFj^mU{R863el3nCq@VSohi2>osi`j z&S#!7CRK$IE>dsxT#8*Ul-=**SVThmBZ75PSqCcDOqD<%?x0D$H^EC`nxA{cyNkUb zVgpCQQlOzm;%c>cipf{oZO0;MUmUqK7D0}&1i&62@{8hfoN!Nr2cP?r%ZXzsJh$raXU`85LmmB( z`KLytJd}bdK4tYE!EI=(!d3o@<-8G#xY4+mQ%hHaAp%m2 zB8{XQ8R>NT*7o;BZbd9YH}`$^K4$0mzsu5;6yXyTko3eqskQ>_MBqwaj{9 zP31c!KlG>CKGj;Hv{kW_R|=RtfR=T&DTj3i$=v-H8*U7QEV7hq^kP>MWm`YO^lK1n zl`x;hrU(6v9S)QuO{GKL_jiTEj6Dkbb7G4KuV5#U5|K8VE1xji1Nagz$?2v@;6BjR z!)Tmfxgfas+VJ(ck1RyWJXSt5K%m!c(BDWS(yIrN84v3zw#s14wvhxAp&d|>8Iv(n z0h_cFzXg-tIX*Fn8yFqtxkJ;=Vx$5DfBy*pN zmAJ#WVJ|Q0jBdkZu{1$KhtZNisycc^S;UgyRC|5`g77C?D-RqKh~nA9W39hXd@nE= z%|F3c`x3-?`sdehr;LJh{T@+j&n+NCw0a-F(_|Bhv=BQNN5|k0Ul+u^Au-ils&z_F zYli8%f3CPk6`)6AR0rOU*1c`$WG}y;scg4=&7#OV%gW5maie6_B z0qQ7+5O%!jr`UHJf}?_o`y$5?(&FhU1F9dw5ADMd{8(0-J&g`j?Tj(XGM9(e(?2ZGj9cg457Gk(%GR73wp6PJ0_;0iHNq?2T*s~ z2RWXRRK7OBggXqSR@bR4V~-9lK{l! z96-@}dAvqm9do7uiaZ(bdkVKRNh@awX0= zAG_{z^<&ih4sQ>Tm+Rb7tl217V$=xI&MUw4^B85d;x~@CQ%On(IyvX`DSFeM5bscs zRY`wexuLE@pu4dK{z)tBSy;V;E+z7Q<{Zs#(*%NCS+p&(c%1gQo&S#e^Ku2$N7)<4 z#c!{z5xIS**Bq3E`@}%UcqxyQ?=wlvu$sCd*F&nmWeE$LLSXlsy#wbMH}x}>?;_uk z^75(R5>F~#Vbvic$-vxO1Ms44w(?lg(uD=z5LC^*B8RiA1AVTp@)~}BbkQ;D*{XLM z<1VHOF-*c9B_vb~n@ECFYcf+{q(R#15Se;9^E6UpGzCUj$Rl_~Gt8i>3AP*%s4cAbt!K6CGXu>H|5jSv&>tgy*u>Yk_H6Cu+x`u6MO8z~#^PRCy$2Vae1B+fe4 ziLW$aO;{|lCR7L4v_l_Dbb73vJp!2LA0GcqJ)c7TKa3-Lfrkp?N5l*3;Uav%7Q`<# z23uDRG?H^MWPn7U-jNe7FVZu1Dy$w01rgOB$648C9n8{`P7&ltmjY^MgSW!Fp;HjTUg zrnzqWCBeAyS%mUO0a|bd7lllz%jLKfG3R>y+a~|`=9ji*=}z=|_(aujPskg8|G4kM z1$8O@Dc&c@$#{c$*7#Nq-cX_OqAoL3&GMHB&q`dgW@gPzVzQoIs4zN-j(I0qMeNB) z%K|CH*O||bL(^9`XT>}`s$F(zVmX{-j`Nk-IvZ}iB>VnQu6MdHDhB3y|4l=#_8xGB z@RJN_<`hT8 zfl0>khUoa-Uri}^>_&DBaX(qPp)`p=jD_8LX|xIU7I@HrYD>gJ8Xq5r6)qkGb_xTX z1V;sd2DCtcDn5KGf(QWFX7zPI^929^00Mxtt&x#|qq(h(pv@oK1qNfFqZ7TejRVlY z$c(`dNTO+OZ4Gp=Hn6eT@l8-NaC9`VHn1TwG;jnO6IlY?i5$&MZOm;3;2viGCG5@tglgNZF$avn4~N^wzaK zu1^AXXN^LN#h!5Y9%^{t37`DgSX18Wq@KOJbVetmiVH+fymBj@j1>Nufu6MkwmQ!& z=Jlb7k1{u|`Qm`zIh~HzE$lMyow1tt_IJa+3x@HxV&16Yxx~txG*GgAOynoKuhMAA z?c?**wI_<1y1g0DM#WN2I=~`O^L!NGk6lTqawkmiJDz+TcVY;QGMgqu7F$+nBnRV z|E;-tIm6K0CuceA*1ijUOeOl66J8pkvG8<^RfBpmO`WNEQafKJ zHM|Iw_WW&8kh_=Kw(mW;$(nbW9X~Eiv+}+(yJzX3 zsB@H|j1?zW|5S1d1Izr&vL6xxRPi#;{*OE~Vv@=pMl$vM>+t~X0oK(q@+xb9cl_d< zfn|RLvid_9%(&Mv!)8S&M)f%nR4e2c3e%Lj0(}Y;#_Z>HTV*V#!C};aHc<5%wRlS z&OIhEEK(puDLeqQ)eZXn)09O`@F~ioVL!~8{mk0a>Gc~lQLlicj!8+l`;i#GkLFk#<{zsE3noz z%GA>aw>!{VT5F#Sa}gPA$FK3jJB?VKoAm z6LlGs4F0HBjv+N-8XC8_*23JA#Dcyw2^AR>@G-&e3l|x)4%7L>n_>>NF~Vr+_I4sg zd^sru^(9U~m$j#SxHG*d{B#@HWM7_8pk03DrTl3#5;m6z;~X~FVu)9p=!HsYh)q2h zFH~L~u|{Xj6c?z9i*7^Y)5i(H;8qw8e>ZAr={R3Ns(d<|!J8kV31EYcEu`@EzA2ga zPk8>xH-EzOiuSLW>HmbMbQK<8c%w&7{(QR*a_R~m$YXl=MQl#T2Ux2E)^tXT_DW34 zJ?DZ*FI+AflRLJaT21%fAhRp=8iDlVn! z%fwli4qb(q#f{M|#W7UsBmIGn0kxyxu6#X=+?jdyz_`@XLKqZ_$;g&ND$JqvvD|>* z)ss*jqxOr)<(rAOYA|DNY{%EobWe~Vn08gx2)D=@DWv$X{Z`+FJr^L^cQ=Q-Kxi?= zBScuke1TGiGXX1Zj{NX9q!Cr)2o6Nu?6$uXzu(bT`GQL?Y~+ZQO?(-fYeAx*@hwd1 z&dpcvgtnfsqx>{!-LdA|rWbI%7b6=G&I@LebF~h0A7|$ zg=E}r2UwU@umfbMoIGap9v0Ce=OtRMpK^QN|B zca))MX5D9}#O^&4Sfh*#)hZe>iN=@8(H^Vm05^(T$vVzpuEHe$t@Ie7nM|bJ#$~~H z-a$5o!5KMG1l1tzw$H4xHVnF}=A_m0mm`f@83Wf3sAEhww)lv{ApON-u@+r!RluUKVI{riVil#nX6gnq#q(BHd_ zBkM`d#AND>B9?uTO7j-HquCthw78N7;vO3 zttlGsM_)5sdwTZl6=C4gyHmgGZl7v928(O{ASLR1S`iSr>WVHx^l+DGU9!{O!Tqnj7wFwwtvdB!;ray7jKbBv|KOZ(KZ2Y zTAob7`prbsge~cPWGx`kO7fL$Q)8>W)Xq`u=a3fYWutRgSQ5r7%`e2*9-QorIB~Ub z1AD)PD5cZ3UnGYeQ5Z(Mg3`0!$3&;G3D7;e6U#wqLy7>0$6L#qd3IVxN0RJO^HiWC z3E%y_wSi0t99~q9VyJz@JFag(^3qJ0rs1;8`PRYw7ML8ka8PYHcW7ngK`o|}srlXZ zQc-r8aghApNa`*@PsU>Vt>1^;rb$Ru&=DZDc409ocWPhY)`?E(X=5SB8;^PlH#FNS zD(~b`+}g@9Yr5*61LeCs^zaG)VflyK_80BOd>W4x5%G_DUOcM9 zBpN71ijNq)Pq^4AQ_6V8MNx+^vy%J(VFpdD(8B?Chv(Thvx!#)@53lOnQt1rJ}L%Y zf6&XIQ-t3ZOMnc`@S9RH#P%JaXzxbkCfvBR7tNV@B8N6B53Rm2p=H7eU@KrN;KdaA zUeL7uuAu(FG14FWy`;=2oL;jn!PV%=xuu8{cYsUX6w|u4<%ZXcafrAd=!fADL{jxC z;sACi3wM5L-Q; z^;i(ddIe}|lE!wvPC{-li&xiiTt;s6pDkei)!Nk5eC~Kx%EaXn_R2I*QeXNM%m8(e?1nHc?FVj{X z=K{m~yRH#x`&zdEM~|P{PItELp4TKKGWpvW#B47Z7nCB&JztKEK{ZJKAuMVO*D=M< zco|&14N}yo|$fJSPH#5nu4@e}7ZpnDNioukwn`H;B8^y+FXY=papU#s&Y% z!N~`aW5%K%4|Dlj3MpEP5HDhj3p89yV+|%rzcnGFc89@NGHI-0>>Q_jTx@k~HA7^8 zI1#&s6|`Ql^!uJ*M=!BZ{>tHd%SRrcC~0!XF)3HfE@GtlD=GQqc-t>oYtIjsl)a^5 zVAq%^l~saBw{l;Jie|sWNPX`JZJk!xy4XpYIL`|2r7w=PAhFBcxt^CS(<(M#6;XW% znI=hccq|Dz0zMyw!7(_v#(-Oml1g~Q8*Xktqt0`6wc9t7zfm@xp(i=NOrXUDd{z&az(hQZT2KBi z={hQgcBTr~SYc?(zlP^oU}7>!984RP&5FZ!I-gYzunUTFrHLp5OPF$a(m-ebWFien zB=@UF5L6et|KhsoNcj;8+0gsgp=qWfJR57|VWY+o$|IZWA5(k~CX%U|fBh4mz)W5( zrj!1FulGKSNX4#lIbTfs=CnIpX;)cRqtrs|?#|eL(nH5H1qGw`)la68y_w(+37kw# zg|8$MBx5Z-n|qJ=mc2gO*|w@F>98Z#`S;LCdSN8&{@WKV(Gr)ny2?9V{#erJUOis*B!q435@T1z3CrM~*|`(Z zAH=MhoF;t6=n6+Q*<;80TgJeK^QTCN(rh@ykV!PRQY5NohL#YwCmxl33cxlY#`tV` zas#VjA}Vl3qO~P)FGkL%?LO|^0Z}C)R@J8&%zYlN8zaFYoql~>2}J2Nuy~nm(8Ti; z>GuVpMKDKWFw8Zw96B^|#!8%frwg2Z&Gq^&lxL_ADC|0mbNrg|7QV1GtM5ULBWn}T zXyL*q>jTpXGs7p7dV)2CBPu;p?Ma(su)0{rr~2&uTE+$@Vl)jsYju4z^-Cv}pW&~= zm=}Z4%Z~$|N;tQlfi60){BUdGyH_4rjJnZN{>K%vJ5Zlwy)N2XVdoOxW4(`BQF-Fw zjnqMg0oVH9Zlt4$yArRl77iDkubnxmO>z;u{ffOPU?yyR#-f*}VSCbi?}5jA&x?Rn zIl0>St9Vn#0!i{C4;&FPEGwG56Hn-`q*|-;rqbP78<^2v#i1OXT4KL4a#G&vCnpJu z!>2Ut-#rC3tc&V;85k3|4jvD2T_4Ldo*83$_nn+tLJbzw)m+=?rjw>ywo%L6H`wgH z*Uhorp=WP^@da+bmEI2(yN~ZRFjXOs)I}{ADxbJO3!&ermy!%}oV^~c`|0hrj_@6; zHP~n!9&w&{$8{KS9F!tgdA0G}I-Dn>W6w<0XV=_kN0jLq;J(on;`Z|bg_gqg!(I^M zynKv#EL8~K8*VNS5knRj@7P?fFn@fP(TmYOcVRihFaNH=zvCI@o;N;I$YG?*FA4vv zmY{xQt=-LVql|Z9n*7s4f;Q@J|6dT`U;e*H|5$**|7`*Ghr9ncePN5kd?RH|~gf_IUW zzfb&YxW{y5@tMFu1c$6hiYZ0w%CVN#`EoL%;hbXTNV7@6I3?e508Gu2^`~f7O`p!x z>8Gr{w^y{^CX)oxwj1{ z7+`6j2;hqHnpq&ofRk1O*J(vk%d6kAUoztv3rR4}2eI4TODMr?OP?nOkN5$-=*f$> zxn4?!;=3#u2F|(PiaALn=T8g?h0xg9g$Nra2nV`{Ruo%Bd~@y5$BQp$c$oMh*OUjO z@I26l3UBcyK^6JISISI$hr~~9*DBV;IwZeE*`skOmUl#5*sH*jTe00}!w03a*sNXE zh0bsfSGqlyn1kzer;L|``7{fkiSpr=J`^C;;7w-e=%-RpzH`YlC6H#BFDRzQwnes; zPLz)vR{n4X&Cj{3yw}#!NEp~I=}f8tB9{&*E6Ijh3HERORw)_U>PaISdgx8S1w*GmrSW z8*WcV!0SBNetw0>uT0iS#vH;BLhUT>1CvKZ$;}aavHN6vuioL2dkKAi>4XLkOd1+M zmLzXcx{3bz&Qar$K&e3*`W}^U3{Pw7rgq=H?i}si)>eqIJc_%M9Lr6!Z%QbR3z8K5 zmi1;FtW9&O-Q!_==D^{Mud;}eSre~Xw|Eo(yzzz`52)&Lwt0$+k^XrI7kF< z3msu@z(#M%txAVAOl_0!nK&PuEd@@%MJCF1evv0)F6BM4}arD&MEji5k=7+nS7 z+BoY*zx}rhFqg1{vyCm0gn_xC6_AKZ&JJipq-5*tU<4!*1-byOZ0)RpHcr$;yoP_S z6Ew0iceMN8hqpn1{t?t)rhRbY?El%cPfk)Qk>MLgFQ+~-Ad!;65KJT@kD@IAgm@!U zyYa2X0}N8$M{bGxN^qr`J0J0)X+ld)cBhr8i|jJkc(TC8YjP=?deITu@|~5CvD7`xKq);2s=Q+8sFEkk+1YYW=lwnzP=+IdFOS43LF@de^g0d0`-mRnZdRP~ zji{Pc6fdwOdO*&Ec%Zf_xGZ_~aMW{B+yz{bb}s9xT7=ncaodG$z{mUBr3`d8HAyJP zWPAR1pkY)o*#q~6J&{B!xI;A@5q;-vZaJL#JCpPhtK_W6$?v&M&y5;im=|#P!|yi- zIYf}sU+1&Ne3Z8%Qw``GJ9;y*Y8gn_*K<_z-a@{yg8&1-H+-MEjl#*0C zu5`wK!z}xz1H7$i)?jnx}jYQ`6iLVB_ zX4y!BU?z;m2+8{tyN;<9OwJcKzA61;_f|wuaOD5CmR6M4`fKLz5RMG+N~3mW%LkB& zK(^DAmt^r)XExYKfm;lZK&NF5$bdq^x+tU(`g(j8VI$klH=Cg7{Pt&*z`u|-D_L=T zMIM}T!qkNd&Q5pgcd+cPC^q0`B$IMs>_3bLo`i(k;YyOIoJMo+ZqqmSE_yqF0i_5* zv8s-;sedj%O}xkf()8rj{|(Yxgw&e2SxRL7vhHV)MEin5xi*Fdiizyi81!9?rE1>T zt*}mL3hl#Y$d{Mcj0Igx>u0Zi${&_f-`P@9!~$^0)R$B)pXdXZa3)ABW#z>#c3Pkv z*1ZD5$>(@=t9u!Ca;{-I)vlI`NaE{38IEb>VWn%$*d3v!o~J$cVYbuoJM_LV62lY} zfO_8#SoH7yXGN)pvIy zTP3=TVOLPFWcM&U!aHPcfL9C9=xfEBRa_n!Ood5udrGUxzYFkzgK_RYTE|Y$W7Imc zf?=twPPD+PE8WLK?uHV;S>R*`Uclo7X zm74t`glfkgO4qAiCr0*nU5fPH%7kF#J(#YD{j#d?^y;#riM%xNV~`DPwd&cKi^Ks; znwdVVx}vH@Ea?cX2_Y9UQKoPX?oZjOZ&f`2y()=cj6?;&4nv>%%zu{>pydCQ5`TjU z9^x-B{V65>;g7B`GN5Zof%gP5)v--Md)Ja1yPvJFu60$>?~45Jj3qfRp~?aL#8b2JDA97wt|n82Ft37KaezGFiOh&t5)9pe{m))C^J zNB!f^J5?q~$%9uC0?ngapMFpZNxgMtqa^umQy2p=^VKwvOi~n!S1&3TpGuxifp5Ru ze)>aM&af#s_2sEzgo9XlilVUwX8qumBZy_KMfsa%4*X{_2>!U0NHx09f4xXc{X z-ySs-0fQ6y4Sh~!7;SECNr(Bm6xX!Hi?bR3HWCH>Z&$$ukD{pJz=4o6}FOP zbeh_#YE0{8zF>qjbtNksODfRTDK7$Y z=i*B!hI=B*F-_1^t13_(Gzxp#OA`?Ueex}w=}YG7API2iou1?0R=_2*ake=SqSxCX zPhW;J%65rJ3IH_vwyVJg434FC(FA61oe@f=RBVxl=$@%dd>(WZu`<;Vy9&#MR@1)n z_7PX*35}h$gq|kKeZz;_Cmyx-tTFzf*(d|hn<+9kahf=7zPDAI!p$y|M@h%+mwv$O z-sYU8hZl#<+;CfvSw=IY78(X9Pho;SVaan=wp4TjA?jdXO#|^MBdI#3`&-ab&Hf+0 z4-D5D2KZF2IGZwGRBKqZU=3*zv>@{){jYVvc#f*{S#IH>N|49bk-QpXVFcl}5-oZ1 zwsY-CDi(qd;`rS*VB{WFB4guY>2jjkyV?>jp{uajzTB!m`VBsnm^e@lF@?81Y#wmR zU7yiWWnuGexgjj>>Ues2?yS>BrrUDSD~V# zFIv@s#*^G3A2%id*3Vv_pKB%zlLJWT&wS;na~OW5{7{5h=kcisRxU_ir7MtX3wGAB z;(8=3%FyUrZ2!9yVpMVhni$yF63G}iIT<*Z+n5vaI{tl%!Rnt=f~J33w+u$M*8E|h zTz}aXlR$v}(b0dJko1Q=`p=LcHiFKMJ^@Idj%nBgsem8eheelAn4_+i_5IdodH!_c zh0e^{PmmF58YxMB8r_ISVbwbiNk#x_{@{EoQ)f2JjU-#!*8(4FOle#EO`SHO8^C-h z7KvP*$r@6qd;mquiayW!R6z-U_60I^yW4SDfi$P5lwq}XO|oJXnNRoHx@U#-Q5+lY zgHHN5BPLJQvT)+#3tK#kP4on9vv*Qq<~Q}ve36F9-gqf_x)cWilTI<1LA(9RE7Z5s zAT`as64ldirom1acd`rBJGG(i&|`V2S4CSIP&?1X0l3fTv^Nuy-qd}h7!1eO*aeO@ z!M)y^P-p*km9CMolf7}+5$AbIq$E_g6wsfi$qyl)?G3;nBy5B;VsA!#%m`%;UbXI& z!+L`(lKn5ZnIteniQbNUqn={K(FReze$-ncXBM8GYWs>h>SN^SuU|sL`{YJa8V^NppKSsB1|W;nm7F< z%?p-Ah5(`IlOVgU3Yij6n3eZH0J>i1q^3S|3q=HB7Ju0G^$zkVTXrMR=;qMV?+0uM z4ln!~4UTPWbIZJ6uL5@Rc1))m-{rT}|lo*n=3L zMAd#vF`*5O<_UMQLQy;^_&9|OrmPUeZC_yoM`cr=(?4!rt^{t zn!z@gu`5HHSX5>Ms$~^wz48DxcLh;$+$FUi)$*-fNR_+JG;LU3_6f&^xf-+YC*5Qe zowoO>%$;`wYjFfnztirrt0?E%OPgxHBezBgXjHW<`DYQn%uj*okplVF>z>Nc6dD_k zp%h>D7K@o$AdRz#IW0VnXX~Bv5F+bbt7P(~`mdgQ#+ORx*S)sL_(g6yKZq`<9@@W) z*VBe7-vv?&7H7W5+nWhQpm^<&s+#{QvK(7oh<{YUf=| z@gK|#V=UzePkAOs%#>Z%qV9SBs#*SP{L$Yi`D^^qKg7_~M+W>%{dBEmdPBkx&yk6z zQH^ufO~n^5$!?7Ps=Gg6l5vQXpjFa=*E#Q0v8z9 zGD|Zi`L6tKsz_CU$m*Z);=NXmK7P2s3{xabU8KgiMuXV0w=Dul1hWg^u z??pF_&QB`Jh}RSx1m^1HLN0jrqE^3xeF5UuS(cUE36)F9q8p6nkA%}-yRbykp))spQ9M3cYDs&gGEmBzXU4^SO; zoA90o4^#4W)+;<)S^9${@_e|msi^+yOs-pE=xgx*0iKbJ_w#v&wgi5{JS`XLO>KZ~j21Qv~6It0Ol+ z8L#BQ8UG$;w#w)z6(4&^qJI;w;Icq*TgK1TcD<1u-JHLL2`isQ5S3_NAcNs~Nkb&P zOZs`n#_K2~cmWq)HdWy%%(evSzI2$b@=hhal%VRCN?N3SwvU$l2m!G$nmsLfDNkWc z&zrmO)i-Ef7<1{~NVG;Dq6g{=;|;yW7_Ufn^3O6vK9FruA>X~yVjLH5hoKPrOi%MRh{fD z9y44Xv|GT#S2a(Rt|5d;{EHhiv1UZ%Aa28%Cz-(&+I~riw`u1z^_xn!IG1fR^sxg- zF$!DNNfOEFoMZwVOQ;`;*EVN|5&;3XCgHZ~LQDifel>9O35=YQBA_a)=g0};3 z$J>ddg6BlC3^N~_F~Zi9gDl-wk#y#+qOyO38-y1e>(5vI|3PN(5P!++-{m9>4)v+c z=wo4kE_55RDJ)y@X5^i)=3dk_e0lpqCcb5u&Q%Cl(n0i|r~Jg6BKJFzBJoPbDq!-? z(U_ymNL*_PKU`mG?YZs=xh$Z(%0|nLK!5{N`14iU&4&T8b zV2JuAPF@yCX~cgI8G>xX$HpvWf)-L*po~SRBOv1n-?{nj(WjZ6ESJ0NsW%C2yi>$t zdgXU;0Nirxyo%X{oSQO7m65up&vyv^XMg&Igfts(eqB+9veueMo6gA>(Xv~HF`+(7 z<@k<+a(E>;2yH@e8dCdK-RK@H=p*QWu>t)CsDwhu{v26lk*1GJ#k7JGxSGd5RMVcu zPX~bpqz4fJi@w7@Z0PdD+&8KP04oU5K8nOemELf9w)i|nNfaMfQh4NgX($Oc%kE6? z4ciX*2f+KvFVGNgfrWH(2WYQBIHzq@=c9G!mo^BAmzcQXv&NbfDQXXPirfj%O)K#L zJfZoPuw2z-FUjr()2;-{FoA#=p&ylZ$6*dr9J2jEQ{@7VQ9*fhXuFxE3bYB=r`}yX z_x>uJdpX?Jbfm^wm_n~|H(rVqcL6efa=vzFrzh=!JHoWYv#ge*G5kkEwQZN0s38yR zs^D%-^i1Du8g4X0Y;oD#HNBBzPP2s<`Yo64%L&5XS`?O;Fa5Tq{d556w+p>FbIQc6 ze^U)t%GS(=NYoZc#A{(|W+Mo6GqAR^0{-1`{WqjJr}iC}d&omRQGPOQ33-kOWr;6C zfc{y^zmc}h>ieIN_RlR;5zv5C4?6@GGiBoR#tq>JloOwoK#FQdrV58vQuBG5n8d8O zDO?~AOS9PBbnchMLBk!8^;U%7*@B9QA?w@FH{Zm?<;Y$wVz7)=mr7;m)b3X+>L`Q` zX ze07yW3t%TfVt?e{yORC!2WkJ(VB!AzUMS{gu1fB^ep+aQxi+GUp6FsZ@H&7FbYo@h z%-ITk`O#NQ3tO=HT!Mmi>>By8xTIT6C&I_0O6JEt*s3QnxuKLqkDcC+JQJjsT|X_+^S58PfR$|piii%9=tH<`lZk<+;Y)H}grmMDCZJEMvkRS_tH z9=Es)v?BI4nF)W6Jx^<><`M?}e!gIt2gYGc@ zPm90;EV47g- z(mWt!qyc1F`Ac7a)08uF+d7<$ed5BHbdaeUYEd^s1>Ls3%1E=y}NqaR?z+!B(WShebF2dM{->5my8Wv_gkv>u{Lx)=`#6+!u$J*0Hh|B z;EYXXq88tsf859f{Z0kjbrKQ?$*xlRl%Rrd^$1^;3mVzK$thP$-N&COtc3uT5lIHj zl-c%f1xpU8j8GhCkwVMoinDx}Lw35%^gu3J(FGzluXaSscKfaLn^Zz$j9u4xDrBic z#hSP+1zhV&=7%}7KjP(#eOb7#2M*{WOrpUp_H=J zD@50H@04whc{2tDJphb+wCj?_5q^p zz3%ZedM714_4-zk8;WM#;)%mWzMaJYCX@>NsndW7Jl)HJ991BpzAH)Nv`qg7P`O5rAHdzz1(iVeF`2ip z-^fIBixEoI?xDlc4d7%8X_t;cn7@RMNd5?XOuFfjdI6;qC<0lXp+aUku_P=+=iI@_ z!q9Js->-UXcNuEUXS6ZVJF9YCtnuhN_Vi`?;?58 zK(9C^q#C^6c(o5mWbs}-)#IZsCRx<52x=SCYo5siv)dBrpSma@Ht*>AlOc6r4HiJ4 z0Ua0v%XhHfciPR&id{i-TYS4O>n?giI|OZfyG)+SC`Jdznq+`dff6A0lSEhA&B_Km zeG-I8EJfpkP!j09#N=AFEF>eQqng5Y}IFR_trw_Uc9I{4@zNs^#SGQ#A<| znxkb&JleYzp-Edr#bcBBqg_tdeUWSWH;%{tg7=9?FKf`;@+ZC62c>M(nOc&{Zs}t_ zn7`;qf@w81Y{Yu$GWu!Q}x7Hw)LsilcWG)_-S6 zR#5|UOLHO>pp7jNm9?#hxs{axkt5K^*#SuOr!_}S#B1yfw6PU*02-SaIQ`wJ1Nr{f zW`GNW7@SHHw>@^9YT@3jp0l_F^*AiYtO^43&l3O1od01P@Xy8EuuvZiwD07HG^ix( z5Pals7^)lG#@S@VpFPnT13z})!UO=;6zP>jS5{}^zXj9a2{Qr%VIItB)W0TgWIx~3 zL<{kyDaoYy!lK8RJ8_azGl6yp7TO!0?Y=bd*=0W`T{?ZG4zZ=GGvhkbzRF4%{uC~G zU?(v+F0Pu3(4uhjmQ6x9A+;5e)k%9k-u76&?&S45{BTdTSVfcWEKw=Y!@naMYF77H z!VwmlaiKa_v{wO^Gqk&}2>2c#no06qhisxXD=CoLg_FyiGlOL=W8GM6hXSkY(7Fqe z6s8~|-@+ovEoY4{AB=LjPr{9BG*WTioPLHV&xlmiX=wHm8Vkbzf!x1Txx*`M)ynmI zaX($Jf#s$P5J3>wrR}oQw4eJZFzmf*GUPYiT{WE0+_A58u!eprF`PP;RUks#AJ^pC zP&3oV@3e$pgM;~lV=9Pg@X36uvnLwNEUygKJ!TutU<`d6%+})3+fj}OUvFW7DhCNM z9~!L~@JZXOq4XT0U;_ay;RLHNN6WF#;Q2Gug0ieP%qd0RcUl5bMUwPO$`?FzJiL zS=Ohou|Ch!{&1f*4bXmckVnCt8(&>biS?`-@W?4}7D!W>`V^nANdE;nj=#16ME`@p z{%Y&|BP5u2s840dsutJyGcch*%knTlrdym$q8Q6GM zM9XT_m}YHMI-Q~KWqcMo5+CJPE&8^ZOjQj+tV<)WlP`&`5S~zQxWVWeC|VoX&sg1* zt(;E9m+u0QW`!=Ytm3Ry@32Xgl*r<3t~nef8Pu6**Bb1~ox4XDgnj7$eKv--755E0@g7<^{ZVH3`7zAk_f+5=+G@g$NUL>o~_dO|L{9A48oM3_VLVY0hqGb`8#5*!w|yiK{Bh@q{`AhVGj=58L~#I5Qf${-5oTz8f@n LgW^y2I9&e=>2^@# literal 0 HcmV?d00001 From 58cc7dbef06d8ae84be47efbfa64f9b622c25d2f Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 19 Apr 2022 13:47:15 +0200 Subject: [PATCH 058/152] Use rpmautospec Signed-off-by: Zoltan Fridrich --- changelog | 815 +++++++++++++++++++++++++++++++++++++++++++++++++++ gnutls.spec | 820 +--------------------------------------------------- sources | 1 - 3 files changed, 818 insertions(+), 818 deletions(-) create mode 100644 changelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..f1700a7 --- /dev/null +++ b/changelog @@ -0,0 +1,815 @@ +* Thu Jan 20 2022 Fedora Release Engineering - 3.7.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Jan 18 2022 Daiki Ueno - 3.7.3-1 +- Update to upstream 3.7.3 release +- Remove dependency on autogen +- Add build-time conditionals for TPM 1.2 and GOST cryptography + +* Thu Jul 22 2021 Fedora Release Engineering - 3.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sat May 29 2021 Daiki Ueno - 3.7.2-1 +- Update to upstream 3.7.2 release + +* Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 +- Remove %%defattr invocations which are no longer necessary +- libpkcs11mock1.* is not installed anymore +- hobble-gnutls: Remove SRP removal +- Use correct source URL +- Switch to using %%gpgverify macro + +* Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 +- Restore fipscheck dependency + +* Sat Mar 13 2021 Daiki Ueno - 3.7.1-1 +- Update to upstream 3.7.1 release +- Remove fipscheck dependency, as it is now calculated with an + internal tool + +* Fri Mar 5 2021 Daiki Ueno - 3.7.0-4 +- Tolerate duplicate certs in the chain also with PKCS #11 trust store + +* Tue Mar 2 2021 Daiki Ueno - 3.7.0-3 +- Reduce BRs for non-bootstrapping build + +* Wed Feb 10 2021 Daiki Ueno - 3.7.0-2 +- Tolerate duplicate certs in the chain + +* Mon Feb 8 2021 Daiki Ueno - 3.7.0-1 +- Update to upstream 3.7.0 release +- Temporarily disable LTO + +* Tue Jan 26 2021 Daiki Ueno - 3.6.15-4 +- Fix broken tests on rawhide (#1908110) +- Add BuildRequires: make (by Tom Stellard) + +* Tue Jan 26 2021 Fedora Release Engineering - 3.6.15-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Sep 28 2020 Jeff Law - 3.6.15-2 +- Re-enable LTO now that upstream GCC bugs have been fixed + +* Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 +- Update to upstream 3.6.15 release + +* Mon Aug 17 2020 Jeff Law - 3.6.14-7 +- Disable LTO on ppc64le + +* Tue Aug 4 2020 Daiki Ueno - 3.6.14-6 +- Fix underlinking of libpthread + +* Sat Aug 01 2020 Fedora Release Engineering - 3.6.14-5 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 3.6.14-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 02 2020 Anderson Sasaki - 3.6.14-3 +- Rebuild with autogen built with guile-2.2 (#1852706) + +* Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 +- Fix memory leak when serializing iovec_t (#1845083) +- Fix automatic libraries sonames detection (#1845806) + +* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 +- Update to upstream 3.6.14 release + +* Sun May 31 2020 Daiki Ueno - 3.6.13-6 +- Update gnutls-3.6.13-superseding-chain.patch + +* Sun May 31 2020 Daiki Ueno - 3.6.13-5 +- Fix cert chain validation behavior if the last cert has expired (#1842178) + +* Mon May 25 2020 Anderson Sasaki - 3.6.13-4 +- Add option to gnutls-cli to wait for resumption under TLS 1.3 + +* Tue May 19 2020 Anderson Sasaki - 3.6.13-3 +- Disable RSA blinding during FIPS self-tests + +* Thu May 14 2020 Anderson Sasaki - 3.6.13-2 +- Bump linked libraries soname to fix FIPS selftests (#1835265) + +* Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 +- Update to upstream 3.6.13 release + +* Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 +- Fix FIPS POST (#1813384) +- Fix gnutls-serv --echo to not exit when a message is received (#1816583) + +* Sun Feb 02 2020 Nikos Mavrogiannopoulos - 3.6.12-1 +- Update to upstream 3.6.12 release + +* Tue Jan 28 2020 Fedora Release Engineering - 3.6.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Dec 02 2019 Nikos Mavrogiannopoulos - 3.6.11-1 +- Update to upstream 3.6.11 release + +* Sun Sep 29 2019 Nikos Mavrogiannopoulos - 3.6.10-1 +- Update to upstream 3.6.10 release + +* Fri Jul 26 2019 Nikos Mavrogiannopoulos - 3.6.9-1 +- Update to upstream 3.6.9 release + +* Thu Jul 25 2019 Fedora Release Engineering - 3.6.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jul 15 2019 Nikos Mavrogiannopoulos - 3.6.8-2 +- Rebuilt with guile-2.2 + +* Tue May 28 2019 Nikos Mavrogiannopoulos - 3.6.8-1 +- Update to upstream 3.6.8 release + +* Wed Mar 27 2019 Anderson Toshiyuki Sasaki - 3.6.7-1 +- Update to upstream 3.6.7 release +- Fixed CVE-2019-3836 (#1693214) +- Fixed CVE-2019-3829 (#1693210) + +* Fri Feb 1 2019 Nikos Mavrogiannopoulos - 3.6.6-1 +- Update to upstream 3.6.6 release + +* Thu Jan 31 2019 Fedora Release Engineering - 3.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Anderson Toshiyuki Sasaki - 3.6.5-2 +- Added explicit Requires for nettle >= 3.4.1 + +* Tue Dec 11 2018 Anderson Toshiyuki Sasaki - 3.6.5-1 +- Update to upstream 3.6.5 release + +* Mon Oct 29 2018 James Antill - 3.6.4-5 +- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc. + +* Wed Oct 17 2018 Nikos Mavrogiannopoulos - 3.6.4-4 +- Fix issue with rehandshake affecting glib-networking (#1634736) + +* Tue Oct 16 2018 Tomáš Mráz - 3.6.4-3 +- Add missing annobin notes for assembler sources + +* Tue Oct 09 2018 Petr Menšík - 3.6.4-2 +- Rebuilt for unbound 1.8 + +* Tue Sep 25 2018 Nikos Mavrogiannopoulos - 3.6.4-1 +- Updated to upstream 3.6.4 release +- Added support for the latest version of the TLS1.3 protocol +- Enabled SHA1 support as SHA1 deprecation is handled via the + fedora crypto policies. + +* Thu Aug 16 2018 Nikos Mavrogiannopoulos - 3.6.3-4 +- Fixed gnutls-cli input reading +- Ensure that we do not cause issues with version rollback detection + and TLS1.3. + +* Tue Aug 07 2018 Nikos Mavrogiannopoulos - 3.6.3-3 +- Fixed ECDSA public key import (#1612803) + +* Thu Jul 26 2018 Nikos Mavrogiannopoulos - 3.6.3-2 +- Backported regression fixes from 3.6.2 + +* Mon Jul 16 2018 Nikos Mavrogiannopoulos - 3.6.3-1 +- Update to upstream 3.6.3 release + +* Fri Jul 13 2018 Fedora Release Engineering - 3.6.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 13 2018 Nikos Mavrogiannopoulos - 3.6.2-4 +- Enable FIPS140-2 mode in Fedora + +* Wed Jun 06 2018 Nikos Mavrogiannopoulos - 3.6.2-3 +- Update to upstream 3.6.2 release + +* Fri May 25 2018 David Abdurachmanov - 3.6.2-2 +- Add missing BuildRequires: gnupg2 for gpgv2 in %%prep + +* Fri Feb 16 2018 Nikos Mavrogiannopoulos - 3.6.2-1 +- Update to upstream 3.6.2 release + +* Wed Feb 07 2018 Fedora Release Engineering - 3.6.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Feb 2 2018 Nikos Mavrogiannopoulos - 3.6.1-4 +- Rebuilt to address incompatibility with new nettle + +* Thu Nov 30 2017 Nikos Mavrogiannopoulos - 3.6.1-3 +- Corrected regression from 3.6.1-2 which prevented the loading of + arbitrary p11-kit modules (#1507402) + +* Mon Nov 6 2017 Nikos Mavrogiannopoulos - 3.6.1-2 +- Prevent the loading of all PKCS#11 modules on certificate verification + but only restrict to p11-kit trust module (#1507402) + +* Sat Oct 21 2017 Nikos Mavrogiannopoulos - 3.6.1-1 +- Update to upstream 3.6.1 release + +* Mon Aug 21 2017 Nikos Mavrogiannopoulos - 3.6.0-1 +- Update to upstream 3.6.0 release + +* Wed Aug 02 2017 Fedora Release Engineering - 3.5.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.5.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jul 04 2017 Nikos Mavrogiannopoulos - 3.5.14-1 +- Update to upstream 3.5.14 release + +* Wed Jun 07 2017 Nikos Mavrogiannopoulos - 3.5.13-1 +- Update to upstream 3.5.13 release + +* Thu May 11 2017 Nikos Mavrogiannopoulos - 3.5.12-2 +- Fix issue with p11-kit-trust arch dependency + +* Thu May 11 2017 Nikos Mavrogiannopoulos - 3.5.12-1 +- Update to upstream 3.5.12 release + +* Fri Apr 07 2017 Nikos Mavrogiannopoulos - 3.5.11-1 +- Update to upstream 3.5.11 release + +* Mon Mar 06 2017 Nikos Mavrogiannopoulos - 3.5.10-1 +- Update to upstream 3.5.10 release + +* Wed Feb 15 2017 Nikos Mavrogiannopoulos - 3.5.9-2 +- Work around missing pkg-config file (#1422256) + +* Tue Feb 14 2017 Nikos Mavrogiannopoulos - 3.5.9-1 +- Update to upstream 3.5.9 release + +* Fri Feb 10 2017 Fedora Release Engineering - 3.5.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Feb 4 2017 Nikos Mavrogiannopoulos 3.5.8-2 +- Added patch fix initialization issue in gnutls_pkcs11_obj_list_import_url4 + +* Mon Jan 9 2017 Nikos Mavrogiannopoulos 3.5.8-1 +- New upstream release + +* Tue Dec 13 2016 Nikos Mavrogiannopoulos 3.5.7-3 +- Fix PKCS#8 file loading (#1404084) + +* Thu Dec 8 2016 Nikos Mavrogiannopoulos 3.5.7-1 +- New upstream release + +* Fri Nov 4 2016 Nikos Mavrogiannopoulos 3.5.6-1 +- New upstream release + +* Tue Oct 11 2016 walters@redhat.com - 3.5.5-2 +- Apply patch to fix compatibility with ostree (#1383708) + +* Mon Oct 10 2016 Nikos Mavrogiannopoulos 3.5.5-1 +- New upstream release + +* Thu Sep 8 2016 Nikos Mavrogiannopoulos 3.5.4-1 +- New upstream release + +* Mon Aug 29 2016 Nikos Mavrogiannopoulos 3.5.3-2 +- Work around #1371082 for x86 +- Fixed issue with DTLS sliding window implementation (#1370881) + +* Tue Aug 9 2016 Nikos Mavrogiannopoulos 3.5.3-1 +- New upstream release + +* Wed Jul 6 2016 Nikos Mavrogiannopoulos 3.5.2-1 +- New upstream release + +* Wed Jun 15 2016 Nikos Mavrogiannopoulos 3.5.1-1 +- New upstream release + +* Tue Jun 7 2016 Nikos Mavrogiannopoulos 3.4.13-1 +- New upstream release (#1343258) +- Addresses issue with setuid programs introduced in 3.4.12 (#1343342) + +* Fri May 20 2016 Nikos Mavrogiannopoulos 3.4.12-1 +- New upstream release + +* Mon Apr 11 2016 Nikos Mavrogiannopoulos 3.4.11-1 +- New upstream release + +* Fri Mar 4 2016 Nikos Mavrogiannopoulos 3.4.10-1 +- New upstream release (#1314576) + +* Wed Feb 3 2016 Nikos Mavrogiannopoulos 3.4.9-1 +- Fix broken key usage flags introduced in 3.4.8 (#1303355) + +* Mon Jan 11 2016 Nikos Mavrogiannopoulos 3.4.8-1 +- New upstream release (#1297079) + +* Mon Nov 23 2015 Nikos Mavrogiannopoulos 3.4.7-1 +- New upstream release (#1284300) +- Documentation updates (#1282864) +- Adds interface to set unique IDs in certificates (#1281343) +- Allow arbitrary key sizes with ARCFOUR (#1284401) + +* Wed Oct 21 2015 Nikos Mavrogiannopoulos 3.4.6-1 +- New upstream release (#1273672) +- Enhances p11tool to write CKA_ISSUER and CKA_SERIAL_NUMBER (#1272178) + +* Tue Oct 20 2015 Adam Williamson - 3.4.5-2 +- fix interaction with Chrome 45+ (master secret extension) (#1273102) + +* Mon Sep 14 2015 Nikos Mavrogiannopoulos 3.4.5-1 +- New upstream release (#1252192) +- Eliminates hard limits on CRL parsing of certtool. + +* Mon Aug 10 2015 Nikos Mavrogiannopoulos 3.4.4-1 +- new upstream release +- no longer requires trousers patch +- fixes issue in gnutls_x509_privkey_import (#1250020) + +* Mon Jul 13 2015 Nikos Mavrogiannopoulos 3.4.3-2 +- Don't link against trousers but rather dlopen() it when available. + That avoids a dependency on openssl by the main library. + +* Mon Jul 13 2015 Nikos Mavrogiannopoulos 3.4.3-1 +- new upstream release + +* Thu Jul 02 2015 Adam Jackson 3.4.2-3 +- Only disable -z now for the guile modules + +* Thu Jun 18 2015 Nikos Mavrogiannopoulos 3.4.2-2 +- rename the symbol version for internal symbols to avoid clashes + with 3.3.x. + +* Wed Jun 17 2015 Nikos Mavrogiannopoulos 3.4.2-1 +- new upstream release + +* Tue May 5 2015 Nikos Mavrogiannopoulos 3.4.1-2 +- Provide missing GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA definition + +* Mon May 4 2015 Nikos Mavrogiannopoulos 3.4.1-1 +- new upstream release + +* Sat May 02 2015 Kalev Lember - 3.3.14-2 +- Rebuilt for GCC 5 C++11 ABI change + +* Mon Mar 30 2015 Nikos Mavrogiannopoulos 3.3.14-1 +- new upstream release +- improved BER decoding of PKCS #12 structures (#1131461) + +* Fri Mar 6 2015 Nikos Mavrogiannopoulos 3.3.13-3 +- Build with hardened flags +- Removed -Wl,--no-add-needed linker flag + +* Fri Feb 27 2015 Till Maas - 3.3.13-2 +- Do not build with hardened flags + +* Thu Feb 26 2015 Nikos Mavrogiannopoulos 3.3.13-1 +- new upstream release + +* Sat Feb 21 2015 Till Maas - 3.3.12-3 +- Make build verbose +- Use %%license + +* Sat Feb 21 2015 Till Maas - 3.3.12-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Mon Jan 19 2015 Nikos Mavrogiannopoulos 3.3.12-1 +- new upstream release + +* Mon Jan 5 2015 Nikos Mavrogiannopoulos 3.3.11-2 +- enabled guile bindings (#1177847) + +* Thu Dec 11 2014 Nikos Mavrogiannopoulos 3.3.11-1 +- new upstream release + +* Mon Nov 10 2014 Nikos Mavrogiannopoulos 3.3.10-1 +- new upstream release + +* Thu Oct 23 2014 Nikos Mavrogiannopoulos 3.3.9-2 +- applied fix for issue in get-issuer (#1155901) + +* Mon Oct 13 2014 Nikos Mavrogiannopoulos 3.3.9-1 +- new upstream release + +* Fri Sep 19 2014 Nikos Mavrogiannopoulos 3.3.8-2 +- strip rpath from library + +* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-1 +- new upstream release + +* Mon Aug 25 2014 Nikos Mavrogiannopoulos 3.3.7-1 +- new upstream release + +* Sat Aug 16 2014 Fedora Release Engineering - 3.3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 23 2014 Nikos Mavrogiannopoulos 3.3.6-1 +- new upstream release + +* Tue Jul 01 2014 Nikos Mavrogiannopoulos 3.3.5-2 +- Added work-around for s390 builds with gcc 4.9 (#1102324) + +* Mon Jun 30 2014 Nikos Mavrogiannopoulos 3.3.5-1 +- new upstream release + +* Tue Jun 17 2014 Nikos Mavrogiannopoulos 3.3.4-3 +- explicitly depend on p11-kit-trust + +* Sat Jun 07 2014 Fedora Release Engineering - 3.3.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Jun 02 2014 Nikos Mavrogiannopoulos 3.3.4-1 +- new upstream release + +* Fri May 30 2014 Nikos Mavrogiannopoulos 3.3.3-1 +- new upstream release + +* Wed May 21 2014 Nikos Mavrogiannopoulos 3.3.2-2 +- Require crypto-policies + +* Fri May 09 2014 Nikos Mavrogiannopoulos 3.3.2-1 +- new upstream release + +* Mon May 05 2014 Nikos Mavrogiannopoulos 3.3.1-4 +- Replaced /etc/crypto-profiles/apps with /etc/crypto-policies/back-ends. +- Added support for "very weak" profile. + +* Mon Apr 28 2014 Nikos Mavrogiannopoulos 3.3.1-2 +- gnutls_global_deinit() will not do anything if the previous + initialization has failed (#1091053) + +* Mon Apr 28 2014 Nikos Mavrogiannopoulos 3.3.1-1 +- new upstream release + +* Mon Apr 14 2014 Nikos Mavrogiannopoulos 3.3.0-1 +- new upstream release + +* Tue Apr 08 2014 Nikos Mavrogiannopoulos 3.2.13-1 +- new upstream release + +* Wed Mar 05 2014 Nikos Mavrogiannopoulos 3.2.12.1-1 +- new upstream release + +* Mon Mar 03 2014 Nikos Mavrogiannopoulos 3.2.12-1 +- new upstream release + +* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.2.10-2 +- use p11-kit trust store for certificate verification + +* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.2.10-1 +- new upstream release + +* Tue Jan 14 2014 Tomáš Mráz 3.2.8-2 +- build the crywrap tool + +* Mon Dec 23 2013 Nikos Mavrogiannopoulos 3.2.8-1 +- new upstream release + +* Wed Dec 4 2013 Nikos Mavrogiannopoulos 3.2.7-2 +- Use the correct root key for unbound /var/lib/unbound/root.key (#1012494) +- Pull asm fixes from upstream (#973210) + +* Mon Nov 25 2013 Nikos Mavrogiannopoulos 3.2.7-1 +- new upstream release +- added dependency to autogen-libopts-devel to use the system's + libopts library +- added dependency to trousers-devel to enable TPM support + +* Mon Nov 4 2013 Tomáš Mráz 3.1.16-1 +- new upstream release +- fixes CVE-2013-4466 off-by-one in dane_query_tlsa() + +* Fri Oct 25 2013 Tomáš Mráz 3.1.15-1 +- new upstream release +- fixes CVE-2013-4466 buffer overflow in handling DANE entries + +* Wed Oct 16 2013 Tomáš Mráz 3.1.13-3 +- enable ECC NIST Suite B curves + +* Sat Aug 03 2013 Fedora Release Engineering - 3.1.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Tomáš Mráz 3.1.13-1 +- new upstream release + +* Mon May 13 2013 Tomáš Mráz 3.1.11-1 +- new upstream release + +* Mon Mar 25 2013 Tomas Mraz 3.1.10-1 +- new upstream release +- license of the library is back to LGPLv2.1+ + +* Fri Mar 15 2013 Tomas Mraz 3.1.9-1 +- new upstream release + +* Thu Mar 7 2013 Tomas Mraz 3.1.8-3 +- drop the temporary old library + +* Tue Feb 26 2013 Tomas Mraz 3.1.8-2 +- don't send ECC algos as supported (#913797) + +* Thu Feb 21 2013 Tomas Mraz 3.1.8-1 +- new upstream version + +* Wed Feb 6 2013 Tomas Mraz 3.1.7-1 +- new upstream version, requires rebuild of dependencies +- this release temporarily includes old compatibility .so + +* Tue Feb 5 2013 Tomas Mraz 2.12.22-2 +- rebuilt with new libtasn1 +- make guile bindings optional - breaks i686 build and there is + no dependent package + +* Tue Jan 8 2013 Tomas Mraz 2.12.22-1 +- new upstream version + +* Wed Nov 28 2012 Tomas Mraz 2.12.21-2 +- use RSA bit sizes supported by libgcrypt in FIPS mode for security + levels (#879643) + +* Fri Nov 9 2012 Tomas Mraz 2.12.21-1 +- new upstream version + +* Thu Nov 1 2012 Tomas Mraz 2.12.20-4 +- negotiate only FIPS approved algorithms in the FIPS mode (#871826) + +* Wed Aug 8 2012 Tomas Mraz 2.12.20-3 +- fix the gnutls-cli-debug manpage - patch by Peter Schiffer + +* Thu Jul 19 2012 Fedora Release Engineering - 2.12.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 18 2012 Tomas Mraz 2.12.20-1 +- new upstream version + +* Fri May 18 2012 Tomas Mraz 2.12.19-1 +- new upstream version + +* Thu Mar 29 2012 Tomas Mraz 2.12.18-1 +- new upstream version + +* Thu Mar 8 2012 Tomas Mraz 2.12.17-1 +- new upstream version +- fix leaks in key generation (#796302) + +* Fri Feb 03 2012 Kevin Fenzi - 2.12.14-3 +- Disable largefile on arm arch. (#787287) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.12.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Nov 8 2011 Tomas Mraz 2.12.14-1 +- new upstream version + +* Mon Oct 24 2011 Tomas Mraz 2.12.12-1 +- new upstream version + +* Thu Sep 29 2011 Tomas Mraz 2.12.11-1 +- new upstream version + +* Fri Aug 26 2011 Tomas Mraz 2.12.9-1 +- new upstream version + +* Tue Aug 16 2011 Tomas Mraz 2.12.8-1 +- new upstream version + +* Mon Jul 25 2011 Tomas Mraz 2.12.7-2 +- fix problem when using new libgcrypt +- split libgnutlsxx to a subpackage (#455146) +- drop libgnutls-openssl (#460310) + +* Tue Jun 21 2011 Tomas Mraz 2.12.7-1 +- new upstream version + +* Mon May 9 2011 Tomas Mraz 2.12.4-1 +- new upstream version + +* Tue Apr 26 2011 Tomas Mraz 2.12.3-1 +- new upstream version + +* Mon Apr 18 2011 Tomas Mraz 2.12.2-1 +- new upstream version + +* Thu Mar 3 2011 Tomas Mraz 2.10.5-1 +- new upstream version + +* Tue Feb 08 2011 Fedora Release Engineering - 2.10.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 8 2010 Tomas Mraz 2.10.4-1 +- new upstream version + +* Thu Dec 2 2010 Tomas Mraz 2.10.3-2 +- fix buffer overflow in gnutls-serv (#659259) + +* Fri Nov 19 2010 Tomas Mraz 2.10.3-1 +- new upstream version + +* Thu Sep 30 2010 Tomas Mraz 2.10.2-1 +- new upstream version + +* Wed Sep 29 2010 jkeating - 2.10.1-4 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Tomas Mraz 2.10.1-3 +- more patching for internal errors regression (#629858) + patch by Vivek Dasmohapatra + +* Tue Sep 21 2010 Tomas Mraz 2.10.1-2 +- backported patch from upstream git hopefully fixing internal errors + (#629858) + +* Wed Aug 4 2010 Tomas Mraz 2.10.1-1 +- new upstream version + +* Wed Jun 2 2010 Tomas Mraz 2.8.6-2 +- add support for safe renegotiation CVE-2009-3555 (#533125) + +* Wed May 12 2010 Tomas Mraz 2.8.6-1 +- upgrade to a new upstream version + +* Mon Feb 15 2010 Rex Dieter 2.8.5-4 +- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624) + +* Thu Jan 28 2010 Tomas Mraz 2.8.5-3 +- drop superfluous rpath from binaries +- do not call autoreconf during build +- specify the license on utils subpackage + +* Mon Jan 18 2010 Tomas Mraz 2.8.5-2 +- do not create static libraries (#556052) + +* Mon Nov 2 2009 Tomas Mraz 2.8.5-1 +- upgrade to a new upstream version + +* Wed Sep 23 2009 Tomas Mraz 2.8.4-1 +- upgrade to a new upstream version + +* Fri Aug 14 2009 Tomas Mraz 2.8.3-1 +- upgrade to a new upstream version + +* Fri Jul 24 2009 Fedora Release Engineering - 2.8.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jun 10 2009 Tomas Mraz 2.8.1-1 +- upgrade to a new upstream version + +* Wed Jun 3 2009 Tomas Mraz 2.8.0-1 +- upgrade to a new upstream version + +* Mon May 4 2009 Tomas Mraz 2.6.6-1 +- upgrade to a new upstream version - security fixes + +* Tue Apr 14 2009 Tomas Mraz 2.6.5-1 +- upgrade to a new upstream version, minor bugfixes only + +* Fri Mar 6 2009 Tomas Mraz 2.6.4-1 +- upgrade to a new upstream version + +* Tue Feb 24 2009 Fedora Release Engineering - 2.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 15 2008 Tomas Mraz 2.6.3-1 +- upgrade to a new upstream version + +* Thu Dec 4 2008 Tomas Mraz 2.6.2-1 +- upgrade to a new upstream version + +* Tue Nov 11 2008 Tomas Mraz 2.4.2-3 +- fix chain verification issue CVE-2008-4989 (#470079) + +* Thu Sep 25 2008 Tomas Mraz 2.4.2-2 +- add guile subpackage (#463735) +- force new libtool through autoreconf to drop unnecessary rpaths + +* Tue Sep 23 2008 Tomas Mraz 2.4.2-1 +- new upstream version + +* Tue Jul 1 2008 Tomas Mraz 2.4.1-1 +- new upstream version +- correct the license tag +- explicit --with-included-opencdk not needed +- use external lzo library, internal not included anymore + +* Tue Jun 24 2008 Tomas Mraz 2.4.0-1 +- upgrade to latest upstream + +* Tue May 20 2008 Tomas Mraz 2.0.4-3 +- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 + (#447461, #447462, #447463) + +* Mon Feb 4 2008 Joe Orton 2.0.4-2 +- use system libtasn1 + +* Tue Dec 4 2007 Tomas Mraz 2.0.4-1 +- upgrade to latest upstream + +* Tue Aug 21 2007 Tomas Mraz 1.6.3-2 +- license tag fix + +* Wed Jun 6 2007 Tomas Mraz 1.6.3-1 +- upgrade to latest upstream (#232445) + +* Tue Apr 10 2007 Tomas Mraz 1.4.5-2 +- properly require install-info (patch by Ville Skyttä) +- standard buildroot and use dist tag +- add COPYING and README to doc + +* Wed Feb 7 2007 Tomas Mraz 1.4.5-1 +- new upstream version +- drop libtermcap-devel from buildrequires + +* Thu Sep 14 2006 Tomas Mraz 1.4.1-2 +- detect forged signatures - CVE-2006-4790 (#206411), patch + from upstream + +* Tue Jul 18 2006 Tomas Mraz - 1.4.1-1 +- upgrade to new upstream version, only minor changes + +* Wed Jul 12 2006 Jesse Keating - 1.4.0-1.1 +- rebuild + +* Wed Jun 14 2006 Tomas Mraz - 1.4.0-1 +- upgrade to new upstream version (#192070), rebuild + of dependent packages required + +* Tue May 16 2006 Tomas Mraz - 1.2.10-2 +- added missing buildrequires + +* Mon Feb 13 2006 Tomas Mraz - 1.2.10-1 +- updated to new version (fixes CVE-2006-0645) + +* Fri Feb 10 2006 Jesse Keating - 1.2.9-3.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.2.9-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 3 2006 Jesse Keating 1.2.9-3 +- rebuilt + +* Fri Dec 9 2005 Tomas Mraz 1.2.9-2 +- replaced *-config scripts with calls to pkg-config to + solve multilib conflicts + +* Wed Nov 23 2005 Tomas Mraz 1.2.9-1 +- upgrade to newest upstream +- removed .la files (#172635) + +* Sun Aug 7 2005 Tomas Mraz 1.2.6-1 +- upgrade to newest upstream (rebuild of dependencies necessary) + +* Mon Jul 4 2005 Tomas Mraz 1.0.25-2 +- split the command line tools to utils subpackage + +* Sat Apr 30 2005 Tomas Mraz 1.0.25-1 +- new upstream version fixes potential DOS attack + +* Sat Apr 23 2005 Tomas Mraz 1.0.24-2 +- readd the version script dropped by upstream + +* Fri Apr 22 2005 Tomas Mraz 1.0.24-1 +- update to the latest upstream version on the 1.0 branch + +* Wed Mar 2 2005 Warren Togami 1.0.20-6 +- gcc4 rebuild + +* Tue Jan 4 2005 Ivana Varekova 1.0.20-5 +- add gnutls Requires zlib-devel (#144069) + +* Mon Nov 08 2004 Colin Walters 1.0.20-4 +- Make gnutls-devel Require libgcrypt-devel + +* Tue Sep 21 2004 Jeff Johnson 1.0.20-3 +- rebuild with release++, otherwise unchanged. + +* Tue Sep 7 2004 Jeff Johnson 1.0.20-2 +- patent tainted SRP code removed. + +* Sun Sep 5 2004 Jeff Johnson 1.0.20-1 +- update to 1.0.20. +- add --with-included-opencdk --with-included-libtasn1 +- add --with-included-libcfg --with-included-lzo +- add --disable-srp-authentication. +- do "make check" after build. + +* Fri Mar 21 2003 Jeff Johnson 0.9.2-1 +- upgrade to 0.9.2 + +* Tue Jun 25 2002 Jeff Johnson 0.4.4-1 +- update to 0.4.4. + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Sat May 25 2002 Jeff Johnson 0.4.3-1 +- update to 0.4.3. + +* Tue May 21 2002 Jeff Johnson 0.4.2-1 +- update to 0.4.2. +- change license to LGPL. +- include splint annotations patch. + +* Tue Apr 2 2002 Nalin Dahyabhai 0.4.0-1 +- update to 0.4.0 + +* Thu Jan 17 2002 Nalin Dahyabhai 0.3.2-1 +- update to 0.3.2 + +* Thu Jan 10 2002 Nalin Dahyabhai 0.3.0-1 +- add a URL + +* Thu Dec 20 2001 Nalin Dahyabhai +- initial package diff --git a/gnutls.spec b/gnutls.spec index 3844faa..517dca7 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 3.7.3 -Release: 2%{?dist} +Version: 3.7.3 +Release: %autorelease Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap @@ -300,818 +300,4 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %endif %changelog -* Thu Jan 20 2022 Fedora Release Engineering - 3.7.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Jan 18 2022 Daiki Ueno - 3.7.3-1 -- Update to upstream 3.7.3 release -- Remove dependency on autogen -- Add build-time conditionals for TPM 1.2 and GOST cryptography - -* Thu Jul 22 2021 Fedora Release Engineering - 3.7.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Sat May 29 2021 Daiki Ueno - 3.7.2-1 -- Update to upstream 3.7.2 release - -* Sun Mar 28 2021 Daiki Ueno - 3.7.1-3 -- Remove %%defattr invocations which are no longer necessary -- libpkcs11mock1.* is not installed anymore -- hobble-gnutls: Remove SRP removal -- Use correct source URL -- Switch to using %%gpgverify macro - -* Tue Mar 16 2021 Daiki Ueno - 3.7.1-2 -- Restore fipscheck dependency - -* Sat Mar 13 2021 Daiki Ueno - 3.7.1-1 -- Update to upstream 3.7.1 release -- Remove fipscheck dependency, as it is now calculated with an - internal tool - -* Fri Mar 5 2021 Daiki Ueno - 3.7.0-4 -- Tolerate duplicate certs in the chain also with PKCS #11 trust store - -* Tue Mar 2 2021 Daiki Ueno - 3.7.0-3 -- Reduce BRs for non-bootstrapping build - -* Wed Feb 10 2021 Daiki Ueno - 3.7.0-2 -- Tolerate duplicate certs in the chain - -* Mon Feb 8 2021 Daiki Ueno - 3.7.0-1 -- Update to upstream 3.7.0 release -- Temporarily disable LTO - -* Tue Jan 26 2021 Daiki Ueno - 3.6.15-4 -- Fix broken tests on rawhide (#1908110) -- Add BuildRequires: make (by Tom Stellard) - -* Tue Jan 26 2021 Fedora Release Engineering - 3.6.15-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Sep 28 2020 Jeff Law - 3.6.15-2 -- Re-enable LTO now that upstream GCC bugs have been fixed - -* Fri Sep 4 2020 Daiki Ueno - 3.6.15-1 -- Update to upstream 3.6.15 release - -* Mon Aug 17 2020 Jeff Law - 3.6.14-7 -- Disable LTO on ppc64le - -* Tue Aug 4 2020 Daiki Ueno - 3.6.14-6 -- Fix underlinking of libpthread - -* Sat Aug 01 2020 Fedora Release Engineering - 3.6.14-5 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 3.6.14-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Thu Jul 02 2020 Anderson Sasaki - 3.6.14-3 -- Rebuild with autogen built with guile-2.2 (#1852706) - -* Tue Jun 09 2020 Anderson Sasaki - 3.6.14-2 -- Fix memory leak when serializing iovec_t (#1845083) -- Fix automatic libraries sonames detection (#1845806) - -* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1 -- Update to upstream 3.6.14 release - -* Sun May 31 2020 Daiki Ueno - 3.6.13-6 -- Update gnutls-3.6.13-superseding-chain.patch - -* Sun May 31 2020 Daiki Ueno - 3.6.13-5 -- Fix cert chain validation behavior if the last cert has expired (#1842178) - -* Mon May 25 2020 Anderson Sasaki - 3.6.13-4 -- Add option to gnutls-cli to wait for resumption under TLS 1.3 - -* Tue May 19 2020 Anderson Sasaki - 3.6.13-3 -- Disable RSA blinding during FIPS self-tests - -* Thu May 14 2020 Anderson Sasaki - 3.6.13-2 -- Bump linked libraries soname to fix FIPS selftests (#1835265) - -* Tue Mar 31 2020 Daiki Ueno - 3.6.13-1 -- Update to upstream 3.6.13 release - -* Thu Mar 26 2020 Anderson Sasaki - 3.6.12-2 -- Fix FIPS POST (#1813384) -- Fix gnutls-serv --echo to not exit when a message is received (#1816583) - -* Sun Feb 02 2020 Nikos Mavrogiannopoulos - 3.6.12-1 -- Update to upstream 3.6.12 release - -* Tue Jan 28 2020 Fedora Release Engineering - 3.6.11-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Dec 02 2019 Nikos Mavrogiannopoulos - 3.6.11-1 -- Update to upstream 3.6.11 release - -* Sun Sep 29 2019 Nikos Mavrogiannopoulos - 3.6.10-1 -- Update to upstream 3.6.10 release - -* Fri Jul 26 2019 Nikos Mavrogiannopoulos - 3.6.9-1 -- Update to upstream 3.6.9 release - -* Thu Jul 25 2019 Fedora Release Engineering - 3.6.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Mon Jul 15 2019 Nikos Mavrogiannopoulos - 3.6.8-2 -- Rebuilt with guile-2.2 - -* Tue May 28 2019 Nikos Mavrogiannopoulos - 3.6.8-1 -- Update to upstream 3.6.8 release - -* Wed Mar 27 2019 Anderson Toshiyuki Sasaki - 3.6.7-1 -- Update to upstream 3.6.7 release -- Fixed CVE-2019-3836 (#1693214) -- Fixed CVE-2019-3829 (#1693210) - -* Fri Feb 1 2019 Nikos Mavrogiannopoulos - 3.6.6-1 -- Update to upstream 3.6.6 release - -* Thu Jan 31 2019 Fedora Release Engineering - 3.6.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jan 11 2019 Anderson Toshiyuki Sasaki - 3.6.5-2 -- Added explicit Requires for nettle >= 3.4.1 - -* Tue Dec 11 2018 Anderson Toshiyuki Sasaki - 3.6.5-1 -- Update to upstream 3.6.5 release - -* Mon Oct 29 2018 James Antill - 3.6.4-5 -- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc. - -* Wed Oct 17 2018 Nikos Mavrogiannopoulos - 3.6.4-4 -- Fix issue with rehandshake affecting glib-networking (#1634736) - -* Tue Oct 16 2018 Tomáš Mráz - 3.6.4-3 -- Add missing annobin notes for assembler sources - -* Tue Oct 09 2018 Petr Menšík - 3.6.4-2 -- Rebuilt for unbound 1.8 - -* Tue Sep 25 2018 Nikos Mavrogiannopoulos - 3.6.4-1 -- Updated to upstream 3.6.4 release -- Added support for the latest version of the TLS1.3 protocol -- Enabled SHA1 support as SHA1 deprecation is handled via the - fedora crypto policies. - -* Thu Aug 16 2018 Nikos Mavrogiannopoulos - 3.6.3-4 -- Fixed gnutls-cli input reading -- Ensure that we do not cause issues with version rollback detection - and TLS1.3. - -* Tue Aug 07 2018 Nikos Mavrogiannopoulos - 3.6.3-3 -- Fixed ECDSA public key import (#1612803) - -* Thu Jul 26 2018 Nikos Mavrogiannopoulos - 3.6.3-2 -- Backported regression fixes from 3.6.2 - -* Mon Jul 16 2018 Nikos Mavrogiannopoulos - 3.6.3-1 -- Update to upstream 3.6.3 release - -* Fri Jul 13 2018 Fedora Release Engineering - 3.6.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Jun 13 2018 Nikos Mavrogiannopoulos - 3.6.2-4 -- Enable FIPS140-2 mode in Fedora - -* Wed Jun 06 2018 Nikos Mavrogiannopoulos - 3.6.2-3 -- Update to upstream 3.6.2 release - -* Fri May 25 2018 David Abdurachmanov - 3.6.2-2 -- Add missing BuildRequires: gnupg2 for gpgv2 in %%prep - -* Fri Feb 16 2018 Nikos Mavrogiannopoulos - 3.6.2-1 -- Update to upstream 3.6.2 release - -* Wed Feb 07 2018 Fedora Release Engineering - 3.6.1-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Fri Feb 2 2018 Nikos Mavrogiannopoulos - 3.6.1-4 -- Rebuilt to address incompatibility with new nettle - -* Thu Nov 30 2017 Nikos Mavrogiannopoulos - 3.6.1-3 -- Corrected regression from 3.6.1-2 which prevented the loading of - arbitrary p11-kit modules (#1507402) - -* Mon Nov 6 2017 Nikos Mavrogiannopoulos - 3.6.1-2 -- Prevent the loading of all PKCS#11 modules on certificate verification - but only restrict to p11-kit trust module (#1507402) - -* Sat Oct 21 2017 Nikos Mavrogiannopoulos - 3.6.1-1 -- Update to upstream 3.6.1 release - -* Mon Aug 21 2017 Nikos Mavrogiannopoulos - 3.6.0-1 -- Update to upstream 3.6.0 release - -* Wed Aug 02 2017 Fedora Release Engineering - 3.5.14-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 3.5.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Tue Jul 04 2017 Nikos Mavrogiannopoulos - 3.5.14-1 -- Update to upstream 3.5.14 release - -* Wed Jun 07 2017 Nikos Mavrogiannopoulos - 3.5.13-1 -- Update to upstream 3.5.13 release - -* Thu May 11 2017 Nikos Mavrogiannopoulos - 3.5.12-2 -- Fix issue with p11-kit-trust arch dependency - -* Thu May 11 2017 Nikos Mavrogiannopoulos - 3.5.12-1 -- Update to upstream 3.5.12 release - -* Fri Apr 07 2017 Nikos Mavrogiannopoulos - 3.5.11-1 -- Update to upstream 3.5.11 release - -* Mon Mar 06 2017 Nikos Mavrogiannopoulos - 3.5.10-1 -- Update to upstream 3.5.10 release - -* Wed Feb 15 2017 Nikos Mavrogiannopoulos - 3.5.9-2 -- Work around missing pkg-config file (#1422256) - -* Tue Feb 14 2017 Nikos Mavrogiannopoulos - 3.5.9-1 -- Update to upstream 3.5.9 release - -* Fri Feb 10 2017 Fedora Release Engineering - 3.5.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Sat Feb 4 2017 Nikos Mavrogiannopoulos 3.5.8-2 -- Added patch fix initialization issue in gnutls_pkcs11_obj_list_import_url4 - -* Mon Jan 9 2017 Nikos Mavrogiannopoulos 3.5.8-1 -- New upstream release - -* Tue Dec 13 2016 Nikos Mavrogiannopoulos 3.5.7-3 -- Fix PKCS#8 file loading (#1404084) - -* Thu Dec 8 2016 Nikos Mavrogiannopoulos 3.5.7-1 -- New upstream release - -* Fri Nov 4 2016 Nikos Mavrogiannopoulos 3.5.6-1 -- New upstream release - -* Tue Oct 11 2016 walters@redhat.com - 3.5.5-2 -- Apply patch to fix compatibility with ostree (#1383708) - -* Mon Oct 10 2016 Nikos Mavrogiannopoulos 3.5.5-1 -- New upstream release - -* Thu Sep 8 2016 Nikos Mavrogiannopoulos 3.5.4-1 -- New upstream release - -* Mon Aug 29 2016 Nikos Mavrogiannopoulos 3.5.3-2 -- Work around #1371082 for x86 -- Fixed issue with DTLS sliding window implementation (#1370881) - -* Tue Aug 9 2016 Nikos Mavrogiannopoulos 3.5.3-1 -- New upstream release - -* Wed Jul 6 2016 Nikos Mavrogiannopoulos 3.5.2-1 -- New upstream release - -* Wed Jun 15 2016 Nikos Mavrogiannopoulos 3.5.1-1 -- New upstream release - -* Tue Jun 7 2016 Nikos Mavrogiannopoulos 3.4.13-1 -- New upstream release (#1343258) -- Addresses issue with setuid programs introduced in 3.4.12 (#1343342) - -* Fri May 20 2016 Nikos Mavrogiannopoulos 3.4.12-1 -- New upstream release - -* Mon Apr 11 2016 Nikos Mavrogiannopoulos 3.4.11-1 -- New upstream release - -* Fri Mar 4 2016 Nikos Mavrogiannopoulos 3.4.10-1 -- New upstream release (#1314576) - -* Wed Feb 3 2016 Nikos Mavrogiannopoulos 3.4.9-1 -- Fix broken key usage flags introduced in 3.4.8 (#1303355) - -* Mon Jan 11 2016 Nikos Mavrogiannopoulos 3.4.8-1 -- New upstream release (#1297079) - -* Mon Nov 23 2015 Nikos Mavrogiannopoulos 3.4.7-1 -- New upstream release (#1284300) -- Documentation updates (#1282864) -- Adds interface to set unique IDs in certificates (#1281343) -- Allow arbitrary key sizes with ARCFOUR (#1284401) - -* Wed Oct 21 2015 Nikos Mavrogiannopoulos 3.4.6-1 -- New upstream release (#1273672) -- Enhances p11tool to write CKA_ISSUER and CKA_SERIAL_NUMBER (#1272178) - -* Tue Oct 20 2015 Adam Williamson - 3.4.5-2 -- fix interaction with Chrome 45+ (master secret extension) (#1273102) - -* Mon Sep 14 2015 Nikos Mavrogiannopoulos 3.4.5-1 -- New upstream release (#1252192) -- Eliminates hard limits on CRL parsing of certtool. - -* Mon Aug 10 2015 Nikos Mavrogiannopoulos 3.4.4-1 -- new upstream release -- no longer requires trousers patch -- fixes issue in gnutls_x509_privkey_import (#1250020) - -* Mon Jul 13 2015 Nikos Mavrogiannopoulos 3.4.3-2 -- Don't link against trousers but rather dlopen() it when available. - That avoids a dependency on openssl by the main library. - -* Mon Jul 13 2015 Nikos Mavrogiannopoulos 3.4.3-1 -- new upstream release - -* Thu Jul 02 2015 Adam Jackson 3.4.2-3 -- Only disable -z now for the guile modules - -* Thu Jun 18 2015 Nikos Mavrogiannopoulos 3.4.2-2 -- rename the symbol version for internal symbols to avoid clashes - with 3.3.x. - -* Wed Jun 17 2015 Nikos Mavrogiannopoulos 3.4.2-1 -- new upstream release - -* Tue May 5 2015 Nikos Mavrogiannopoulos 3.4.1-2 -- Provide missing GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA definition - -* Mon May 4 2015 Nikos Mavrogiannopoulos 3.4.1-1 -- new upstream release - -* Sat May 02 2015 Kalev Lember - 3.3.14-2 -- Rebuilt for GCC 5 C++11 ABI change - -* Mon Mar 30 2015 Nikos Mavrogiannopoulos 3.3.14-1 -- new upstream release -- improved BER decoding of PKCS #12 structures (#1131461) - -* Fri Mar 6 2015 Nikos Mavrogiannopoulos 3.3.13-3 -- Build with hardened flags -- Removed -Wl,--no-add-needed linker flag - -* Fri Feb 27 2015 Till Maas - 3.3.13-2 -- Do not build with hardened flags - -* Thu Feb 26 2015 Nikos Mavrogiannopoulos 3.3.13-1 -- new upstream release - -* Sat Feb 21 2015 Till Maas - 3.3.12-3 -- Make build verbose -- Use %%license - -* Sat Feb 21 2015 Till Maas - 3.3.12-2 -- Rebuilt for Fedora 23 Change - https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code - -* Mon Jan 19 2015 Nikos Mavrogiannopoulos 3.3.12-1 -- new upstream release - -* Mon Jan 5 2015 Nikos Mavrogiannopoulos 3.3.11-2 -- enabled guile bindings (#1177847) - -* Thu Dec 11 2014 Nikos Mavrogiannopoulos 3.3.11-1 -- new upstream release - -* Mon Nov 10 2014 Nikos Mavrogiannopoulos 3.3.10-1 -- new upstream release - -* Thu Oct 23 2014 Nikos Mavrogiannopoulos 3.3.9-2 -- applied fix for issue in get-issuer (#1155901) - -* Mon Oct 13 2014 Nikos Mavrogiannopoulos 3.3.9-1 -- new upstream release - -* Fri Sep 19 2014 Nikos Mavrogiannopoulos 3.3.8-2 -- strip rpath from library - -* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-1 -- new upstream release - -* Mon Aug 25 2014 Nikos Mavrogiannopoulos 3.3.7-1 -- new upstream release - -* Sat Aug 16 2014 Fedora Release Engineering - 3.3.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Wed Jul 23 2014 Nikos Mavrogiannopoulos 3.3.6-1 -- new upstream release - -* Tue Jul 01 2014 Nikos Mavrogiannopoulos 3.3.5-2 -- Added work-around for s390 builds with gcc 4.9 (#1102324) - -* Mon Jun 30 2014 Nikos Mavrogiannopoulos 3.3.5-1 -- new upstream release - -* Tue Jun 17 2014 Nikos Mavrogiannopoulos 3.3.4-3 -- explicitly depend on p11-kit-trust - -* Sat Jun 07 2014 Fedora Release Engineering - 3.3.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Mon Jun 02 2014 Nikos Mavrogiannopoulos 3.3.4-1 -- new upstream release - -* Fri May 30 2014 Nikos Mavrogiannopoulos 3.3.3-1 -- new upstream release - -* Wed May 21 2014 Nikos Mavrogiannopoulos 3.3.2-2 -- Require crypto-policies - -* Fri May 09 2014 Nikos Mavrogiannopoulos 3.3.2-1 -- new upstream release - -* Mon May 05 2014 Nikos Mavrogiannopoulos 3.3.1-4 -- Replaced /etc/crypto-profiles/apps with /etc/crypto-policies/back-ends. -- Added support for "very weak" profile. - -* Mon Apr 28 2014 Nikos Mavrogiannopoulos 3.3.1-2 -- gnutls_global_deinit() will not do anything if the previous - initialization has failed (#1091053) - -* Mon Apr 28 2014 Nikos Mavrogiannopoulos 3.3.1-1 -- new upstream release - -* Mon Apr 14 2014 Nikos Mavrogiannopoulos 3.3.0-1 -- new upstream release - -* Tue Apr 08 2014 Nikos Mavrogiannopoulos 3.2.13-1 -- new upstream release - -* Wed Mar 05 2014 Nikos Mavrogiannopoulos 3.2.12.1-1 -- new upstream release - -* Mon Mar 03 2014 Nikos Mavrogiannopoulos 3.2.12-1 -- new upstream release - -* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.2.10-2 -- use p11-kit trust store for certificate verification - -* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.2.10-1 -- new upstream release - -* Tue Jan 14 2014 Tomáš Mráz 3.2.8-2 -- build the crywrap tool - -* Mon Dec 23 2013 Nikos Mavrogiannopoulos 3.2.8-1 -- new upstream release - -* Wed Dec 4 2013 Nikos Mavrogiannopoulos 3.2.7-2 -- Use the correct root key for unbound /var/lib/unbound/root.key (#1012494) -- Pull asm fixes from upstream (#973210) - -* Mon Nov 25 2013 Nikos Mavrogiannopoulos 3.2.7-1 -- new upstream release -- added dependency to autogen-libopts-devel to use the system's - libopts library -- added dependency to trousers-devel to enable TPM support - -* Mon Nov 4 2013 Tomáš Mráz 3.1.16-1 -- new upstream release -- fixes CVE-2013-4466 off-by-one in dane_query_tlsa() - -* Fri Oct 25 2013 Tomáš Mráz 3.1.15-1 -- new upstream release -- fixes CVE-2013-4466 buffer overflow in handling DANE entries - -* Wed Oct 16 2013 Tomáš Mráz 3.1.13-3 -- enable ECC NIST Suite B curves - -* Sat Aug 03 2013 Fedora Release Engineering - 3.1.13-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Mon Jul 15 2013 Tomáš Mráz 3.1.13-1 -- new upstream release - -* Mon May 13 2013 Tomáš Mráz 3.1.11-1 -- new upstream release - -* Mon Mar 25 2013 Tomas Mraz 3.1.10-1 -- new upstream release -- license of the library is back to LGPLv2.1+ - -* Fri Mar 15 2013 Tomas Mraz 3.1.9-1 -- new upstream release - -* Thu Mar 7 2013 Tomas Mraz 3.1.8-3 -- drop the temporary old library - -* Tue Feb 26 2013 Tomas Mraz 3.1.8-2 -- don't send ECC algos as supported (#913797) - -* Thu Feb 21 2013 Tomas Mraz 3.1.8-1 -- new upstream version - -* Wed Feb 6 2013 Tomas Mraz 3.1.7-1 -- new upstream version, requires rebuild of dependencies -- this release temporarily includes old compatibility .so - -* Tue Feb 5 2013 Tomas Mraz 2.12.22-2 -- rebuilt with new libtasn1 -- make guile bindings optional - breaks i686 build and there is - no dependent package - -* Tue Jan 8 2013 Tomas Mraz 2.12.22-1 -- new upstream version - -* Wed Nov 28 2012 Tomas Mraz 2.12.21-2 -- use RSA bit sizes supported by libgcrypt in FIPS mode for security - levels (#879643) - -* Fri Nov 9 2012 Tomas Mraz 2.12.21-1 -- new upstream version - -* Thu Nov 1 2012 Tomas Mraz 2.12.20-4 -- negotiate only FIPS approved algorithms in the FIPS mode (#871826) - -* Wed Aug 8 2012 Tomas Mraz 2.12.20-3 -- fix the gnutls-cli-debug manpage - patch by Peter Schiffer - -* Thu Jul 19 2012 Fedora Release Engineering - 2.12.20-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Mon Jun 18 2012 Tomas Mraz 2.12.20-1 -- new upstream version - -* Fri May 18 2012 Tomas Mraz 2.12.19-1 -- new upstream version - -* Thu Mar 29 2012 Tomas Mraz 2.12.18-1 -- new upstream version - -* Thu Mar 8 2012 Tomas Mraz 2.12.17-1 -- new upstream version -- fix leaks in key generation (#796302) - -* Fri Feb 03 2012 Kevin Fenzi - 2.12.14-3 -- Disable largefile on arm arch. (#787287) - -* Fri Jan 13 2012 Fedora Release Engineering - 2.12.14-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Tue Nov 8 2011 Tomas Mraz 2.12.14-1 -- new upstream version - -* Mon Oct 24 2011 Tomas Mraz 2.12.12-1 -- new upstream version - -* Thu Sep 29 2011 Tomas Mraz 2.12.11-1 -- new upstream version - -* Fri Aug 26 2011 Tomas Mraz 2.12.9-1 -- new upstream version - -* Tue Aug 16 2011 Tomas Mraz 2.12.8-1 -- new upstream version - -* Mon Jul 25 2011 Tomas Mraz 2.12.7-2 -- fix problem when using new libgcrypt -- split libgnutlsxx to a subpackage (#455146) -- drop libgnutls-openssl (#460310) - -* Tue Jun 21 2011 Tomas Mraz 2.12.7-1 -- new upstream version - -* Mon May 9 2011 Tomas Mraz 2.12.4-1 -- new upstream version - -* Tue Apr 26 2011 Tomas Mraz 2.12.3-1 -- new upstream version - -* Mon Apr 18 2011 Tomas Mraz 2.12.2-1 -- new upstream version - -* Thu Mar 3 2011 Tomas Mraz 2.10.5-1 -- new upstream version - -* Tue Feb 08 2011 Fedora Release Engineering - 2.10.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Dec 8 2010 Tomas Mraz 2.10.4-1 -- new upstream version - -* Thu Dec 2 2010 Tomas Mraz 2.10.3-2 -- fix buffer overflow in gnutls-serv (#659259) - -* Fri Nov 19 2010 Tomas Mraz 2.10.3-1 -- new upstream version - -* Thu Sep 30 2010 Tomas Mraz 2.10.2-1 -- new upstream version - -* Wed Sep 29 2010 jkeating - 2.10.1-4 -- Rebuilt for gcc bug 634757 - -* Thu Sep 23 2010 Tomas Mraz 2.10.1-3 -- more patching for internal errors regression (#629858) - patch by Vivek Dasmohapatra - -* Tue Sep 21 2010 Tomas Mraz 2.10.1-2 -- backported patch from upstream git hopefully fixing internal errors - (#629858) - -* Wed Aug 4 2010 Tomas Mraz 2.10.1-1 -- new upstream version - -* Wed Jun 2 2010 Tomas Mraz 2.8.6-2 -- add support for safe renegotiation CVE-2009-3555 (#533125) - -* Wed May 12 2010 Tomas Mraz 2.8.6-1 -- upgrade to a new upstream version - -* Mon Feb 15 2010 Rex Dieter 2.8.5-4 -- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624) - -* Thu Jan 28 2010 Tomas Mraz 2.8.5-3 -- drop superfluous rpath from binaries -- do not call autoreconf during build -- specify the license on utils subpackage - -* Mon Jan 18 2010 Tomas Mraz 2.8.5-2 -- do not create static libraries (#556052) - -* Mon Nov 2 2009 Tomas Mraz 2.8.5-1 -- upgrade to a new upstream version - -* Wed Sep 23 2009 Tomas Mraz 2.8.4-1 -- upgrade to a new upstream version - -* Fri Aug 14 2009 Tomas Mraz 2.8.3-1 -- upgrade to a new upstream version - -* Fri Jul 24 2009 Fedora Release Engineering - 2.8.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jun 10 2009 Tomas Mraz 2.8.1-1 -- upgrade to a new upstream version - -* Wed Jun 3 2009 Tomas Mraz 2.8.0-1 -- upgrade to a new upstream version - -* Mon May 4 2009 Tomas Mraz 2.6.6-1 -- upgrade to a new upstream version - security fixes - -* Tue Apr 14 2009 Tomas Mraz 2.6.5-1 -- upgrade to a new upstream version, minor bugfixes only - -* Fri Mar 6 2009 Tomas Mraz 2.6.4-1 -- upgrade to a new upstream version - -* Tue Feb 24 2009 Fedora Release Engineering - 2.6.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Mon Dec 15 2008 Tomas Mraz 2.6.3-1 -- upgrade to a new upstream version - -* Thu Dec 4 2008 Tomas Mraz 2.6.2-1 -- upgrade to a new upstream version - -* Tue Nov 11 2008 Tomas Mraz 2.4.2-3 -- fix chain verification issue CVE-2008-4989 (#470079) - -* Thu Sep 25 2008 Tomas Mraz 2.4.2-2 -- add guile subpackage (#463735) -- force new libtool through autoreconf to drop unnecessary rpaths - -* Tue Sep 23 2008 Tomas Mraz 2.4.2-1 -- new upstream version - -* Tue Jul 1 2008 Tomas Mraz 2.4.1-1 -- new upstream version -- correct the license tag -- explicit --with-included-opencdk not needed -- use external lzo library, internal not included anymore - -* Tue Jun 24 2008 Tomas Mraz 2.4.0-1 -- upgrade to latest upstream - -* Tue May 20 2008 Tomas Mraz 2.0.4-3 -- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 - (#447461, #447462, #447463) - -* Mon Feb 4 2008 Joe Orton 2.0.4-2 -- use system libtasn1 - -* Tue Dec 4 2007 Tomas Mraz 2.0.4-1 -- upgrade to latest upstream - -* Tue Aug 21 2007 Tomas Mraz 1.6.3-2 -- license tag fix - -* Wed Jun 6 2007 Tomas Mraz 1.6.3-1 -- upgrade to latest upstream (#232445) - -* Tue Apr 10 2007 Tomas Mraz 1.4.5-2 -- properly require install-info (patch by Ville Skyttä) -- standard buildroot and use dist tag -- add COPYING and README to doc - -* Wed Feb 7 2007 Tomas Mraz 1.4.5-1 -- new upstream version -- drop libtermcap-devel from buildrequires - -* Thu Sep 14 2006 Tomas Mraz 1.4.1-2 -- detect forged signatures - CVE-2006-4790 (#206411), patch - from upstream - -* Tue Jul 18 2006 Tomas Mraz - 1.4.1-1 -- upgrade to new upstream version, only minor changes - -* Wed Jul 12 2006 Jesse Keating - 1.4.0-1.1 -- rebuild - -* Wed Jun 14 2006 Tomas Mraz - 1.4.0-1 -- upgrade to new upstream version (#192070), rebuild - of dependent packages required - -* Tue May 16 2006 Tomas Mraz - 1.2.10-2 -- added missing buildrequires - -* Mon Feb 13 2006 Tomas Mraz - 1.2.10-1 -- updated to new version (fixes CVE-2006-0645) - -* Fri Feb 10 2006 Jesse Keating - 1.2.9-3.2 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 1.2.9-3.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Tue Jan 3 2006 Jesse Keating 1.2.9-3 -- rebuilt - -* Fri Dec 9 2005 Tomas Mraz 1.2.9-2 -- replaced *-config scripts with calls to pkg-config to - solve multilib conflicts - -* Wed Nov 23 2005 Tomas Mraz 1.2.9-1 -- upgrade to newest upstream -- removed .la files (#172635) - -* Sun Aug 7 2005 Tomas Mraz 1.2.6-1 -- upgrade to newest upstream (rebuild of dependencies necessary) - -* Mon Jul 4 2005 Tomas Mraz 1.0.25-2 -- split the command line tools to utils subpackage - -* Sat Apr 30 2005 Tomas Mraz 1.0.25-1 -- new upstream version fixes potential DOS attack - -* Sat Apr 23 2005 Tomas Mraz 1.0.24-2 -- readd the version script dropped by upstream - -* Fri Apr 22 2005 Tomas Mraz 1.0.24-1 -- update to the latest upstream version on the 1.0 branch - -* Wed Mar 2 2005 Warren Togami 1.0.20-6 -- gcc4 rebuild - -* Tue Jan 4 2005 Ivana Varekova 1.0.20-5 -- add gnutls Requires zlib-devel (#144069) - -* Mon Nov 08 2004 Colin Walters 1.0.20-4 -- Make gnutls-devel Require libgcrypt-devel - -* Tue Sep 21 2004 Jeff Johnson 1.0.20-3 -- rebuild with release++, otherwise unchanged. - -* Tue Sep 7 2004 Jeff Johnson 1.0.20-2 -- patent tainted SRP code removed. - -* Sun Sep 5 2004 Jeff Johnson 1.0.20-1 -- update to 1.0.20. -- add --with-included-opencdk --with-included-libtasn1 -- add --with-included-libcfg --with-included-lzo -- add --disable-srp-authentication. -- do "make check" after build. - -* Fri Mar 21 2003 Jeff Johnson 0.9.2-1 -- upgrade to 0.9.2 - -* Tue Jun 25 2002 Jeff Johnson 0.4.4-1 -- update to 0.4.4. - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sat May 25 2002 Jeff Johnson 0.4.3-1 -- update to 0.4.3. - -* Tue May 21 2002 Jeff Johnson 0.4.2-1 -- update to 0.4.2. -- change license to LGPL. -- include splint annotations patch. - -* Tue Apr 2 2002 Nalin Dahyabhai 0.4.0-1 -- update to 0.4.0 - -* Thu Jan 17 2002 Nalin Dahyabhai 0.3.2-1 -- update to 0.3.2 - -* Thu Jan 10 2002 Nalin Dahyabhai 0.3.0-1 -- add a URL - -* Thu Dec 20 2001 Nalin Dahyabhai -- initial package +%autochangelog diff --git a/sources b/sources index 28ec0a1..0263421 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50 -SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173 From 4ef1497ac47d1cfc1a891028e2997336f8845999 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 25 Apr 2022 13:48:23 +0200 Subject: [PATCH 059/152] Adjust macros Signed-off-by: Zoltan Fridrich --- gnutls.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 517dca7..77d7e14 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.3 -Release: %autorelease +Release: %{?autorel}%{!?autorel:1} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap @@ -54,8 +54,9 @@ BuildRequires: guile22-devel %endif BuildRequires: make URL: http://www.gnutls.org/ -Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz -Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig +%define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 From 51d4b1440b1500aced3e999ca4be5ad05e1c7273 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 25 Apr 2022 14:36:46 +0200 Subject: [PATCH 060/152] [packit] 3.7.4 upstream release Upstream tag: 3.7.4 Upstream commit: c46725bc Signed-off-by: Zoltan Fridrich --- .gitignore | 1 + README.packit | 3 +++ gnutls-3.7.4.tar.xz.sig | Bin 0 -> 685 bytes gnutls-release-keyring.gpg | Bin 0 -> 20850 bytes gnutls.spec | 4 ++-- ...462225C3B46F34879FC8496CD605848ED7E69871.gpg | Bin 48528 -> 0 bytes sources | 3 +-- 7 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 README.packit create mode 100644 gnutls-3.7.4.tar.xz.sig create mode 100644 gnutls-release-keyring.gpg delete mode 100644 gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg diff --git a/.gitignore b/.gitignore index 7f7e886..7c7df98 100644 --- a/.gitignore +++ b/.gitignore @@ -136,3 +136,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.2.tar.xz.sig /gnutls-3.7.3.tar.xz /gnutls-3.7.3.tar.xz.sig +/gnutls-3.7.4.tar.xz diff --git a/README.packit b/README.packit new file mode 100644 index 0000000..06da437 --- /dev/null +++ b/README.packit @@ -0,0 +1,3 @@ +This repository is maintained by packit. +https://packit.dev/ +The file was generated using packit 0.49.0. diff --git a/gnutls-3.7.4.tar.xz.sig b/gnutls-3.7.4.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..b9c03b613433c41a237be8218cedfb14bbb47c87 GIT binary patch literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrVlyr80162ZdUd8q zv-u(n1fT%@6p|Gjsi!d%jZayHA(`cQ<>+~sy4$WtrhapJo4T(K0RXwd%q}q}Ybf;b z%vd1>kQOV+LR^s~^WXqaLUuumtqh3*GXwwu2ml=xAp}MuCBw9DG>4zaNo>{ygpSwd zm~jOHVlz7C0162Z)&+!)*XEdUbkz_26y8?IDiWQ~yL{S3<@MyX0J#&?!B!Hmkuqjr zVjSXJp&OyeF&uRa*1-ZjIZQ|HW5c4yp=uLm>WYU-Ib4Irr?CgoL7fZ1l$y6 z!bx4F4Jylhe5XS-;?wZ38V=L4I0Z)%$ zmHdQpnRXGHNa_UoPKj_Kdd5(Pc!UPKU8^0qG>GF{yJD%H&W;gP{`zG7$PG;qSKAr; Ty-KhOFJ<0WcXPu(BNiKNz}7%A literal 0 HcmV?d00001 diff --git a/gnutls-release-keyring.gpg b/gnutls-release-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..e33ee430307d77bbf4ea2b05e65a1bb9ac795769 GIT binary patch literal 20850 zcmb5VV~{4@wyyn@ZQHhO+qP}nw$)|Zw$)|3%j`0`{6)WOuf5lf6LG#c|1xJp-kBrg znj`1TagQuuI8bSeYkD9=K;aUQ{yM&gvNDtA5ywzdyKHPkneFEs32@RP!VR9zO?ZF| zy5Q9wJ-57&Fy0s~*19~h+4e{}CnS}9OcO~G(bIR6h5bMQ7NXN0l&1%&ZTA`sQV-@s z`N~u>m<)aMb!~?OH*MTy=b|$8pw{O8qqV648KF=<`DM}1PB*UCBV(v-^b4)k6oKwI zG*j7G`Vf!=^M@HC3hTN&nLw_9i+h==(notz3Ui+g46_-the2yBAu?Ao%@T*?xcM-F z`7+Z~%~1W+PNYRM-zWt*b!Ka-YjBcvy?Oa5yxdRyr(cKNAL->>2@qj{(3_V$JuLh> z`HkmdtkL7c__b3q5B}9!s`@58 z7SORIUF+@n{A4j`1O1RS_!AOz7F+9S?=afWAzZzo2sA>(I(dJh2Nl5!(pzP8J*ytM zFp)}SDox>#K+i`32n6j-({L_B!cR7vocg-=$6?ir^)(XuY-bayGvqrQENhbFYqAM4 zbT>noXMdyZz|slCD%Svb<~5le%N)!oQ`=K?y?3NPYDmyu`pqCn!0OW7%zNjtA+zaf zIwTc7N4T%_AQ?mcS|>dG)o~O+xhZH#2(&K{tCVPd67cXL<)`3;rlzRZtWl zU;sZb4hS$l5HLm{7z`971PB-!G!!HZ7&xW$1rB7Z{4b`>l%e(faF z2@F`L8oL_|3cHdX4gd{>`0w%SGK5b&fdX2%*crOo15t)nHc0RUgi%@Uo@4YEP8xhG z@;Wv85R@`K<7C*9j|LoejdXWdVdQ!6fDj#$jk`(xs0brQELxa=yA^7Drwg$L(Wy$Q zcsXZaTcKZ&Ma(LTXYIHkjvP1_jzL2WuflQUQ&H=n$p&-Sq)`b^!~zdd$GIRC6+GeX z?oXa*9Vn1ggNg<;#CRWl95<>$jlUhLijzB%Ou;?L`V#4TAb(CpbB36#FG;r}JponG zj*_{<`%dpdNDyJGZG(=}TsUwks}>?5!1#EncUy=`xIOKNY-l{Th2x&X~FO28qd zSTFYPBQIfktZV`Tj?oxn3<4@8pzXi7+i)LVXgVX8kkBy|yQ>!y{UByPlkmR(oi(k&HXP`aa{=jg zJkO)ItPWwMx7w{NA}jkf#ZmhJQa25?m8z1|z#Z7^d>SIZ{P8@NL(kv>lcwZ4q9IK5 zHI13H}u?hJ@OURIghM!&Ho0IoUAob@wRj|A(T$ z6MP*M!h_JCSRz()afSmwQXCW!2^atl1}tsysP>l*P<*a>r|9TWK`#*RR{uR2W2gU&b{|8TC zP&8mj5YWGP{)^iG1kipE;ak>RwXpSD&m@Hmp13XQh_LcW+sF|1s~BICI|C|`UPS%* zcMJxFeRC>jUzk@vQYUK}zsa>3^$(-%wbCI(HW?!5xQf(tES(Vy`c%mlC-n>%xJYeg z17v$8HInx(vR~)d@^)WuD6?Log-Gz>qn$fJPzPG3M%a1v-U4!A($HdHCwrqg(aHnt3B} zoYb~N&{N-?e#jSN`0c)ABK5pMp%243Jcq=hqrN_k3QS~*lzPaR91W96=dk<<(&QtyLt z)t-c^!R7c0x^h%t##L!JEZBQZ65TPqsF^iaLnr9Dt)d!;lV&W*)$k{*B}D#c5ee(3 z86@=^kbz=Vh<``1VSAIhrEqk@6#W?Jg8;IWc{T>??5VD2Sl@|FB*`G%96N-Bk>;RWtco!m_lIagnBkXKku|H?xZS|EYsP@mI$gr?$@uNs&~X z6Oiwul~V1JF=Qy%>T1IO2NP%6|J@jnM`dv>okg9hT+)gSY@GCIY^oh36{!x2hy?R@ zV*NX=``WM?eBovb(K5iEFD^SplGoU!-Q5A1I&unI10}&VoBJW$(V+?^U{C10S%!M5 zs#OZ{iud8sHg~UwZw!&xCmPSbLj0fi1^JI|VfWGB=UYDhT{D2nN2g*6$oG*+!F!-K zi}|{56rL+6A6^Yn%L5ej4?RA%uvIq*9S)G+3n7M@iI{st0po%q0{vU)>#tA*gCnh+ zJy}JKIKmg3#Ck%9WigMdB~?dgchFCwd4^8hqxj}zGCvIRVZL|jnLjJ!-e;TDQ#{%k zL9*VILdghKg2P(^Le#uPS`6k>;;;O+R~6*q-s}1rKd$2KbTF>A!SWb9xQnfvAkmHr zZ3GX?a)t@n)!i;`Kq+;?xycj39p7WxznNT1KEA3B^GopG&*rI( zHLs-sPJ>^-+y39y3doh<-YW$s8RsCTdc_S2o%G>IUSy)HVy}KK{9VXrE{`!Fb@{WV zY_H%P2oH)tPt<6vUG31gy`?jIQ?hU6mZ!Qf?`C1Q%`sqe7F@y30pZ2o6;DO zRp-EQ6!M}v>dx_Y?kqp3kvwr(y0tDLbV9{y^444D)}f3;(neZHc6aT&C668flj*kN zNzvH^{r(+e${Lc_|n!ws&oxln42@Roo%I6yGU3H7Omku$uPHxLP+n<_;As(ebvP$dh^~$lf+dotwr>rD9F)BNWTNV}ZEk z5f6zO}k zUYt+wU#N%H`N! zb_72*A#GQpedm4qFV4Mt9T9olLQw_mvuk!{X?tQ1DKxy+FD)!snx=P22*t#yrU!58 z4IZq?b(>Qce;PoC^w(yBbpjjSw~N_4!5nRyn-?)YBYvW;hxr}r+iQ8{x3Xk z3IF0zw?$-X5CSjlQiJfVlJs2WAL^sb?B#aZDb{d>T$@th4_WTYx;MssF%>F8dO-98 zCWKYIt+ODWQ{7&!8fNfqaWOZ6!!Xg`JHctf=$OZLrUO$~RrQh_A6KJ8sZ@Ym%nkPE zBg1g9%teVGNmExD5S(SHH9@{*U(6vq{gL~wxQ8qhKSW;(!23ah1}+}@)q6B4Oh+*~ z7~V|*nWF&;bQU6mZSj;X*b`ZXhG}7JUlt)a*OyayYW}tl-84l*nzL} zjrwRAp1I}^a>tL5CY3>fTge@;2f>pHRuzK93-WYcM)dlJ^Dn>9Sfho^O=XuccJ-3w zG(kSl@KM0<_{E4EC&)^5Jfa`h!kjG zSD28AHaA4WacT*>)z6tpvf{1D7Ae*}#<}d{Bbxn4Y2~q68*GlrA|;~qUW|j423nnV zME)cZ!*z1uGDb3d=cvuxsED`P!Zk4)w7yC1X1YBWu9aBFcCYF-*s>@e*x!G=VEz(& zj0#65zwx1SLl(BdZ{(d{)BOZ0R)`X><*~Q&IgSnBJihzL9B)z{zuYgl=ENIK3&t4u{a<)I`~Stm&!Ip4N{CQo=NaLP120z!9ae?#VZKGwszlKi%`LVYveCaw z?YJma-S$*WZ!SEU>7Q#)(x~p%E^t72YG$Zn?3nZ(g%8BOu z1egZ}YuQ*TuZd7dh{#$pso1Jus9UN(FD^iAd%tEc4+=9^h%{w<8bk+p0)`rIjU~E2T4y|7H@Hejiyyd z#n-E-lON=FQ?`B%OkpACwW|Yse|Feu+VSL4?>Zrpnn*A<^*40;1HaCH@#-ZYTFvbD z=`e#Z)C)K)g?u6;bs0gZrU<*r59?qDrTWuH3h0rnaH*;h)0_qykR96U?A!B^^=;23 zoq5y3r4LIZb>Cg^w2Y=`bVt)B94|+G!gxCcC%u&zY!d@j_VMF z1glMhC9Yomtoc_s0SFhOp7@0cmzLXkp-WCh-!_L=rJlr__C%!6iba)r5!v0dF^-6t zLO6?sC&f$$J5NEOiL(_HHi%E=GNH3`xA2JvF*zwQ4rKpO)K5) zr67o&E4Q!cYAREYw@;bP(+DbLl@tuZ3!VebVDNr~$C=+XMr{OE3PrqVlp9TEF#wEy zF5QfD0Vp%l^jw^2-fLvUlj3z!D8cS9X4HZq)+dt*c8(8SNpnHTYZ|Hus^Rj(G;hjYdJ8wMY>voxhXbobI1b-1dk~hQ zzD(nBzb!yPEo{=i8lx+siU&@7;l$m(+G)Q0<&SObWlP{D;&uDZlk9zLCjr`$;7qc> znXm62E&5Y}_A$o2%^-iO_MeXHO{E#{OU;sIL>x%uo=#? zX`TpwRrIin-S82PoCEZ}b$;p3OwcjkA!FbLda}zy&_m$*iOeXqi~kYF<;zaPNJ|`o zD-`w-$-)S7d~=2?+v!Zzi%h`Q~Y>M;QAQXSWRtPoxrR3ecW_-UvA(=EPKvn!& zT^2vRzxSdI>Nq#)Iwvf?k5Y1Eky6)(qXh|@^8G3#lIhDCZx-J2jZz@zNt zDRrhk4Qo&sa14u_e0burnN+^VGD%@Xpv$7P;k6C>F!?M2A;WGXK_|hxzLQWdJ(A-F zSk@MExt)@s>P<4HxZhdbv4S^#Pc`EtWnAfaP!1w5oV>}7Tm~UnpJwOFZR>;}%(6ce zU+3k&Q2w+Sn>(roQh}}4EbqN5X;7#GZns7yQ1=cNa4%}z>*LVX)Cw6iMgB8;6n$F# z#baNIJBwiUl(aPx5fImn{KbWv5MwhGif0a#w&_ecKr)(zR-`QB1biRgaq>uP+qIf^ zaDQ%4ZSoAp^Ue_QV@o1c3X)x+fYvi_*tNX6b)80wJ$6Yg9bBf82iTyJ+}Mx8`+iOT z7$fFSueGcI(Q{G+cQB3};F^(3z15NsNIIOLBqvI1wFm3 z#+X_63LgZndYjfvrR+l?)gN<`_YJs9@G6QpG`ssf>{AnTSD1O$pr)YCQ_{79g3M#I z$X(4@n*(ZSlpAZN=^TBmSmeFWv;>dO7oS{z{wNKUz}{#|`1_vsim3SRs8IoS8Slqr#R@%mUn!EXuVUWl7r7 zL^Tb4VwpoPzaDW}1~ct&@#D-Cv2P5{SP;w@nb4S-29}KlLFJv-so8X9vsY4}?=fN~uoE%INNo;s%~)dosuLKz$@XF|Dg2`5 zzxXw$ZV`?!#%{j?B%EmH(ubkMIThJ7SIv#eS z$qT$&iqo6h=-@Rxa+Z9GfDu;LG6dd6P%F5m2R-wIs)JZu1=C>WGA;Lb1@HSNR-k_+ zQUhLpTJ)LyrWG~H%fQ9}6!i7B!hlsBipL*Lj;Zze*Re%6k6H}?WPW)mT04cVy;mV? zb{XhOmH20%+ZJVak?t-Z*Ajc8mNc5KRK)1Sp&j~jTA9YOcA?-+@7VRpIC=x7l|N3+ z3^n)}+0m#i<&_hKsMIXng;(QZ2JAN$rC5e`;mTI9tb(f3;B&^0!e{V7f$>shD9jaO z`8K+CQ(JT_i>TutgPTfwaf?o^%V}o2em-Ls8D%geV`51|>Q~^LiQCv8wH-Wh(jojJJ z$}zuU9NhslAdhuyR{jOEaqh?|sm;u#G#tj0mG3_>E1ie@D^zq@x6t+qEF^`D@QIJl zT@%M@6!#Nd#lLYyd)v_$R*CAQ94l2zDPQLCgqkCL&HzMRJ3Ps9j!ryS<}H#I460aj zPG(d^M}fU%ZW*pw9EOB#XBktn)AlpJG)0@{dDq&G= zz-`qAPqmO(5=LFh8wsLyzYBd(q4HEr?;`=)ZS=~|WhiQ>artu)K^|jEzWk!xG|X{1 zR){xW^sMM%B0?#&Fp*1|JDyvgEiDkIa3#wL<*WI(4c_8ypkIw$XVnVpl=0+t#_YE# zEuJn*6Mb^R6TLdYd6Fcdmq>)E|?agj^IILi8f{^k@n1cR@f6xaV!@D3Rx`IBL z)wEHicg~aPH530O9U*mmx9sAt57mz{d|s+8GK#5tbk$q%Q&H1x22uS0J`$=g^&GLN zUIGe&f+4~GqJ`};oF+=Z1lW!OEA4$n04pT4eQ0m#gQ-XNmWCN##2*56aPr;FOyy!{<>yJei zu%~Kq@tiCc@b6??WHhOj?l^?f$-z5a-Ctc~M0ojl{4HXZ=9L$F(g}|+D=J9S77kRJ z4Z9v@-((=|b$cOVx^qFF0%!>_#fRb~s!Yw$1lbss3!&#EbKegL2%O5>E@t>o^E}u{FL~>rdfI3Lfo=5?npUQgZd@5OhHtLd ziy}R4vKqqLuVwy}2n6X_)5v5q#8M7~tuOJ#4-#vTyGqX^Q5H%v>ppB~cMaX}C zKL0}53D-n`4B(v%+R*qn?)mSuU~XORAxObgl&vYRq{q zZ?Sl`#E*hlSn`OS;Kfr>DmIxOL7GoB7_yMaJab*c5M&@Ut!p`gQ(caVpS)AI>rV)Luy%-^#bkvjTU5s$0 z^V4Tvy;s5qbUM}m?^oI%YEeIjCXb=9U~BN?2_D}>pMH2uj%lun7Oagevj=jRR^3$u z;7%zPt2}S^Nh4G%F4H0ZtPD}}W7&{jb+i(*nmm7?h+}@mPYHY|dG4Hy-rTk)w7@Oo zS=em5EZ%+z>^>LmKd!oI()EWEt8g<-;WkC+8r+G8z&Hv-+IhV!a$rC4YT3}gk7RQ< zgJy~EDtuQhgHbLWRG#&f1y*Lp9XwGP;v&!rg6${tV(+xnS77UfRj6l&*OKvRKGI{Z zkj6m09N!~S6XGPvt#%u>$9vyYY%KgJ6$6nOCn$~Oz5sjv1bLGV#+1LGPK|>uiriP? z*t#~A)_SL$+Q^?EInT6~*NX!B@0x?^b*jr>JOC~Fy|U$9eb4d`Z@^WFli@Ob1U&tn zHD*x$q6zBZ9Vy{j~ULYD&=IRlK9DyeWztJ^s_Yq-^( z2?eiVD_qLo2AuBgTwgS;f#QE}Rk6g09i4w|R2&hn`Nw3!OtfJA9~J-$d$<3p{;T~{ zUKRMC!YVi#Brp^-%zu`-_eM1pKpiSkj$x%a*reII;@@F_lN4%EB#qC+$)8Gpz~GHJ zJIV|ShfeCK9CqO56*+8Q86pVI%_ltM*+!&w9o`UXIRD>FZ8x#3B&l;s4T_LT+sPlEA1`aGE&g2D;w*$ux*0M3+R6$!$n$+fC zYblG<+|Y%gFRbwR#Y|Pw1?D=2VUlr{85L(y7Rg&8D=09XU2X$(;rGV=u-c)u1v8v= zm7ynVglC+5(GS$gLl9`~g6kErhGYLF!_bg~KQHPW622b~3A31Kq zw~ch!X;pH;k-~%i$yq$dvn3fW*hwSA&_=1zi&p!CAV(R@LN2C?2G1iYvOkycU@5f7 ziYD_yiqYy={Ls=}%%GzRTvmU*b_Kpg<@PZ?^+Rp(R<;AyBuq2dmYlBdW#7JN>it<7 zYIrkmK;&)pogq4b4=aYT@{WvIl{sLg4L$pklLg0;*HS!g9?L*Boc-sf(;d=tphIt? zAFFi?>1U!;D49H+fRJwZ!T%*;>y99Nizro(9JijHh(o=@K+X1FQ}t915X`Cchmv`8 zRoL5rPLWvM)I+yK=ei?id+j*IGxSjl?eV;?YLljpypNyTbMx;=qa6tG-RG1{qIV{# zgiw-|CZgH^bBpU*; zg`q>(t?kbH`Rg_$1OQLiAe~h$q^I!(_cmQ* zY)A`+^)uGz$vU3KzFJ&8HcFHRKXs16YA-m-_Jx#m)$l6o7f_280+Q)7UNGnfTV0?{ z#K?tVO(ZAEVl(iqfV?ENg3)hU#5{wmR#)B7W;DyGDF(lljV>+8c(~R`DM8z{tGkt^ zFDOIA45)pjP+&*eo@8GW4mb}%XdL+Xg$jpv^oQX3;}GtX!MkkC+F$dX#mP)+P``V_ z;~UxYF&5)t#tVw36&gUD6qk%c%^4`tVs4k)2Ek;tCz2TJ`-O+PcttSs>8W4NWqA#? z%Jz$##NO_ZAt|T^EZu9}qX!m|l;MEUMmt30AZ)FG8dS{R=bsCrWqTzjy#5?iHYd8Zd$S&{r%Hcnh=siZA9BdLvgNg z7)=Q|F_?WuXee)vI9|Dqhmg9*bJsDe?m1gmNex$3*0Xbmn$)jfv#Uc5za4%24w(u6 z0gtdDer^78jpybhQuYU>lX_#Cn4%$Jb`MF=DmX~I$18^ZuXm0iI_IPYT% z?l6;oK*eq9ct*Wk@PetROdX7{iYG%m8IzD=QfOEBB6pwHLDh2s=4_sfyEJ2x1SR*^ zA8h3nN?R*a=D@s~zev5bo!sE;A^rl7(=_+!gd$UZ2&{qs;7`=JBL46%2N~hV~i%lv%&gRxY z5(_9Bx0qT{M;mO!TV-WMNcz0S_aWU6!l*r(Yk8l)p7Q(#P#b91?~J;yialqtfEtZx z7o$VbfCGU7ZAu^j0YL~JD*!u$%NkN%1J%`5Eapg{Jxq?YMRw23SP|PAKKos_kZC*E zx*FLNiaT4GI$N1o67qVR|LaiD+04|^$d%s2!Hz#N8x#c{8X$~L1ga-Kjo{7-Ru0Cd z{^;#iCfWQ-3=0PQ_s+mLAYf1+Ll%I4+@ruC#K1t{|2Rm2|7#%$0gUmFNAKU4S*-&B zid1$5JY%RVc<(gy&!^Oz05Z?Jv-Z@l;>9XtYoyhtK!7{AY5<|R8@H-|SUauVPtrKD z6_=O9L3&L_W0qNvP2djBf8s`l{wMAXH6XCRfsa&hPX}^8m%O`&p2o~QP#-i2mX2_t zt3Ym>I{Uu3d4m8!LPYw5VxmI>$p3$$g8f%if9Ko3pL}iv@QKDTyE<5m%K@%C6#@Q1 zU~p(4S;WM2Bl5r)D3tm_2MqX@c+1X&vIqu%%$m0H68XNHbs@L&eBgjHqHDf+J zN3QK8O|?3{4~ASp`Mg3|M5eu67{9~1TA5gEY&k4ErO1@nEi$}!T`q{`E*x-8bW>C5 zNYuLs2If|f4pi&pSI;EWCf3W2y#0swxNv`ue;x=jvPC}_9*gkw6_ueZqkqlY2wb4e zZ br3mjnvaYXfYvewcG^Fk=qVN7@G@ z4>qUIU<0ZhXmGMfJN{#}VD5QM4pCZC;W_q)4jbwdi-C9ot0O#%>yZO+9Sje^EQfuwQFsiTBDgwNd3E7EB9pZ7 zrQsFHtBr+zV7K)%q~OIQhyw~}fCrO2uNo}G(7>~%lkA^E_ZW)w{M z6o1+Imrt8e)yj@gdAP^Y#mt_N*VW37-r3FU?}?y=ohQAi8GjToA1DeCG=KsO_%AsB zd&d1QzxMw)Vj&sn+KMbdDK(rB0j-Dc5F?(dA`LF|$2uiJLqZab?;p(>Gk+v6*tE7 zc#r(O$5ZE1|Kr2Hv_{I8kdN3M#{pX~4yh0|W@_LW8S0i>K?+e~O*j*iaVRiXW-qjSV<|FxnUwG(pxT>WON~`y8I#Z_K@Bkf#+6c(D z<4Dy&{ZAu!cz%ch@|$$2mp9oz9~A~q_isjn()Sqk`e_!<+T>vX`;$2(Z)Ft* znT`x8o#LYf$QN{f+PG#QMVXAJt3T`Djr}p)8TYTf-G2#f?fez`0*TjBY%LbaB1HIN zs4IE&9{^>PtklJA5`%P+d3%6UW+8z^_WfYcFTzp0`BWb|?P;O(^07=I(wxrCCwL2u zs1c~iOUqqcGh_SDtz zqtz>&4L zZr{q`6>Uh`AdeTwnV$+tG-o1JeWzhF-i`tLey@4Qk3R?et33n+VgGbc@Q=lvDWmaF z#1gafEoFO98>fR|=lmvzr8Ta7xw2xmmivnJ0%H~Ewrn1ws%8w_#+WPiUkxSD|1^~R zpRFYSN=@iQptwzbJ()%_beck@cK^;&V8FWW+vQ+TuyKqSf3f=a_!&3C2c!=W#*Z}% zZxHw!=9?M29ef{9y5kSBUT@3-uga91G=7w=LUG2nbg)(|m!{gDn5OmCMJx$(RDIc4 zyL!!B&PBdoS2S7LpZ2~&>w230y$XSZtxIrIyQbpg*kP9`&55i`z+k)+OU@P6TXni# zy5C(^q~BZCE2{~IPno}(kTmzJNPnRap4{OfrK?Pxg?r&HeO|ND$}Ui>@oFDwq(v}5 z%GBPmexAxDCV`X%t3^jLbXS1QZs^Cu2z|SF#cS79Qtw6M4<5e?fjbDYvJ9bbw$mI$ zUD|9UbX7O72;?j1WH2O`CJlYeg71des%Y&R*%rIdN8GlxTMfp?zb5jVF3 zE;+U(Y_QGN&wCBVXz%-Ia*xBfVGm5V7Ya_$k8kI2S{v_0SRo7XClH3>j!Bam*0DeN zptH9Dj>+d384V3Rci9J`c9CgP)*q1Jok^J1YYj;8!rDs#KtGg6yO)HeO|gsK$^2s! zb7yhdVAv{;*ox8)+zu#Vrs4~&1a=Q#KY!$p>WGy_EsLMJFywSbHP9dNyo z&nbXT|7j#D&NWE|v z)&^-yD1z@i__7kCeUVtm%V@T#KGjYlR7{5RlY*Bths^1RZtaAk&JaS9`H#ubf%Mmq zVJ00~cq;+!eaDrSci*LvdPyur?>$e=pa^>yWqz#81I{_f3+N!9jk(>~FiUOb?XFxj zo=J$WbH*)S1ZK@?dP<$^`x(U}NnBf%x>i!5Qs9-?pI9wB^Qj8SG2b?eRrRj|Cx%)} z1XwMr6=3~-*uTIfFaKQ6V)>jkU0f(zvzpVCh#xzyo?QeEPP2=HI>b@L&G}p8`hego zPYkKQ9Zj@j5|exKBh3=)Ced%pSKGQy8lf9PG^EliNe>Ci?cYu3&V6#;(q=w6k3(K` z{s$f!Gh0r7@z}ca_9k4uJRHD8`1Ts^uq{MeG!}Y%0_MDATp^Y%FZqoy6-35r;e<&W z6G5oZy62C^>`V^{VDI5sJXktBZG?#U8TaTDa8@b#OkW0iq?2#q zeR&o!8)3CL0OkeH!N<|5y*}!am3d|vc1@xra8nHOjg&7;yE>OJfm5@qu(JH&SuUu~ zIel~*u_%v}p8eV0dhWC;kKk3;W!n{poq0n@EV{b1D_067kh?nmnYPk7#OU%%X>2=X zKzTsc40kIhy?qmpVBH{Qa+^Pt5P$DxVMBN1X(w>~-8g!-$nK4*pAC*Bg_*g^B{oezkv^2==2QJ~V89ZWhHYZky zJk1Z%Z`TcVZT$n1|5*44V`s5daxSs`c-!Ydw8J+Cj^x z6#J}WxaWzDW#Cq9r;BD^hdwMm;pNc=?OPlUTJeTSio+alhs4ol;075b2|{L-MH%eX z;CjV1^SnFr^2JO>{FD89$7_KG&>*iGRI=YeM(au8S+JW*Nh}IR*r-TGc z3q?ux$#ny#GEf4slOXi#C17^)GkFB{IR31;G`xr~GY7?}dtN{XS4UaROU%yu?u2UR z{zGdXIn5z2ebzEj*`%7ntjO6l6LKjk(vsGeHIU3}Ows6N=Z$RW5OXzk#`hgO_EiD+ z1FYwY8hH+f8sS!Y1uo?A;SoX$aG|=Y8Gg>H8=(cq96OWP@7zJLNrCPCwe478OVYKk zf6=J#^u^TOA7MPK5k9n!96gDvSYALaev$+&Da7(zWXY`c{Z1DWfXEzH8U}CJqN<=u zJtCjq5MI83*r56`z3If%`C3`y^z#m$u&oKw#_7%g(%A0Y=eL0lISO#tdo(8;*oXEd zio~GFd$n9yGM;pEd8Z9d!ek$sX@^97#P!1kogCPCCCT#8Pg}82!lL36O3|X|KMmi@ zGF~3gtE{boo((x!b|nWn#LVlHwh-Agd>27JdWi<9@2!f4A$V12! zUE>I2y;9dT33l5nAEE4feu7weuFcfrp1fxC0rx~tBSnTA4U}Pk;zBbnZ@IaVaQ{&1 z21|18YB9lL?BRKDFQck{`V*ex6Eo?dq9T(J-Cv^7o;-RteK{^PjXSV6Qm^vn2zzUj z(x{yyV2t%>I2xyNx8d%ATM3-HeCSt;40{k|Q)c!Vp5Q5$8-9&1aI9Z4w>E!T7tToK zGuwV0b~Ec;FI24jWe6-2&CW_WA@muQ`1@SF^Lh*Er{X>~GK2l51qZ@n_7Cj?!&?zm6oDVdobj(6eOjW(elH{Xt7sFLV0u|KBB znaX$X6ED_bQUjRryuj}?K^aMKq1DTa=H#Rcq>|$JC;er`xmWf5H}29n+54VLh&~%l z=qS=#*}0LV#{M7~VKp;daVlawFS#2qiQi}9dzWnW^5)=Fry}$j`V>#P``NgTYCsSZ zLN*u}wSyeL+bLsabs;xVekm?qo%7Ib9Vu1~q`odNG$qkNvZh|0He3Y8#B4Z%t_N?Vh!l#q$L)gWQlg07FxB0}Ecqp01Q9Yl~BR}E^{&Bo9Vb^U4 zZKw_BV2zt}%mD7GCS|<3^m8D*Ag?d4YeKuX{UFsfeKf9jWQRK%)SVM0Zg)L%GqFHU z)qI()u59tssF&Vo5HdO-(Vnea zkPsK3NGnRiy=Pz6Oj=_M&!XIBp@`fo5R&Wj$3*swc*t&5P!d_ZBu8x-M`T$mo26!@ zNHOCgrJ*5T9xBqMn`o>py`zBzrLC)QiEY#fn;DYOKD@9E&NO7R1AmsYJN}E-I%->0^fIsA_>D{Ipy#VLfi5VA;-@q@X8(NaMEln@!1p zj7z}nDdU^u?dLlg9*VGk>;6ZbIYpp0)es)8$ET7hc%jR@y{5W96RjaAk_}7C!`8;- zO<1)UeHXIg*bfnMIt1>W-?1#=grLC04bKrW--PH}yfJG?o3TGBXJR1+`12^?n)Jy@ z#Y?9?8FOE3{+k~#V3qEc|F{1<7D|YK8mw(8f}2x%R0Tg{X&$OaI`h{=LX?3G{&D%Q zCY3O2sz0@1B+rcFo$O}Q!bM8L`~);!qMVAICRaFVGdGZE^wgyjK3X(eQO5YG>34D0 zu+lu674p`5r2C3>c@;C6YDFe+NCX9yn@hK`c|ble%siRaLmVAD@n}~vMBf67ac3>o z;IM1t@_21dZske>YLZt~A5@m?PV%sexP6uv$@l+%kH>M2V%| zLa8SQ4O|0a5Kv*}8}@a$=MgD#xeS?#|G!eLDl7^{+rq#wgtQ6_-Jl|aDF2Xybj{Gx z-8qzibSVrqgdiauqev>!HKcTlLrF^vAt4}jKkqsJJ^#~rxv%SC@0b0pwfA1@U4~p7 zZq-zuWjiG*)wX$&#!x8L>Y_f~VHU(Lie#ftX<+MSeY8eAYLMwG&>tFYvLSC6bM!5A zaYlH-_ab?7u9()&MGMvD&w8Nc($6tz!r_NEu%YN@Ox$puK5mdJP!7jq+apsNgOb!5 z1j=w%uN%xYYqAsy+#5Fhz0#Z8^9GKWp$E)G&oal%nI6u=Nl(f{%I7A6^mIt?9Ebta zyfmX`+l#Q0fyRfA{DhODvlE=gnr(JOqQmOABab^9Jh@Z@Jh)C{%!%p$_2)4v8$$eH zmx`fuWvTP}hNB5ToC%YwFBPQ!6A3k{RlNFBKi0wXtAR=B);Sn52*JaBniy((Z(oSt&uFho}Qm*2Fp%r2hVCX^-{zqL~N>O!U`cT5I zUQR8h0K*t=i}G?Hz^KQ&`A_}7k(pW0jjqT^14RKX8rIh9O?#b2w1mwota+`!QTy7> zHU4-dAdmLc@w+N$X>|1hAhWTWD%yPW0ZGT;B?A{-CwDaDsmP-p=c>H{1&TN)hR%`9 z6s5URg9)@rz$gHslkSrY5>d;WvKAxGy$^n3&Hnu5>igfUcwYUf&u4rtL>UZ@NQhDu zRN3=edn-bu&ON$7t$OCHN#O;t>1WLQyP1XaVqNG;qG|86dO+0!ueik15>tpHf&N1N z35qW$tE{`XL&e-+sZw39Xe0DvSu*8MsxCIzlGW z5L|%E^s~a#jH;>w5-rbpI-8LHV~78$E(T`zZh&MU?-1la)up_i`il9h=%EW=*UDCH zNj4-*P#8RWSxSnQisc?KN@J9BMNooQbJHj%<%tvZiVc9?V~Qw^gg6o)KL zDSkX%QSRj2V;SGyjgDV<#~XxAF2&!~zEcf)Dha?t_nB5nb{R z+Qjzlugk$N3eC^en-_W{^;VDwdv|eJ?%}*)?o2_$$w7hi{xOoS_>Lmr*H>j0M-uCh z>U_OJ-flLuPvRs@X>F@RIJ^S62Yslc*ntJ92dm&pkO@*0@?O-OzC3T|>WM#+7kZLy zLnGYZv$+SXoX}_wOy8MnlD}z>zD;IOG@9~iKbOr>yu%`s?YNZ?^mdBum)(42dU{)Z zukl|AITd6U*KS##1n9N_w+VHi=RU7WYtn?j2PZHZXj}dsLH;K2fudh`>M)~YDOv2! z_8$oEGZO|EBqVCyEqU>d3T}hY+ubcm0krw?xYc<8mDGyI`#08$B9<~jCvEOHO2#gN zGf3er%sW^!J^;#5rB7$>`Aka1Jr#g6#e@V;)bqR3G0%x(WB1u(o#(k^+sDF) z?$5w|7b!&`z!VA4`P27rWExI=Nl`_fo%Z2}Q6DkWWf@_oH^LE}1YV zFU{nL9AajecQr{6^_{vj8<>Sf_V1A8BG863RgNpWkco`hj*bV^O5rfs4NzkpxX%_D zu1#Hxr&0ye<#-=;#yp9;qSo^q|AIiow=5~b>y*V%ei}O=Frgg@(({3PyNo}b(x<~G zR=7S6iCRaB*gqaW&h{!Bf`djoMI(AW@pazGeYlqWOq}th`)^bX=i{JqQsfuQhl3o) z=dU=L8D^fFLYLgPt+7IgX|6cT%`wG!bTo{6r%Cn>q#ep9nK3U}8~%719^cwgfZ3QGm|OL;9sXtIagM36nMclLL=}m>Qvthq~0v)ODac*3Dw^Vb@tsQlDUS_}sfvV92Izyb_77p1l=#r{#z*aw-%j zjec>PEcpVMjUY=SA|NDMhQVo0lYyQRadRMcJ}5M?iF^lg&>ngDWYKU!+0l#; z@M@WMVr$eJ>mq^Rh3DqVjr4$EcJ6Y<7-4AufnJCTxpsa z>eEGcq-@|PJK2LdStk2X_f$WpFBJU8mme*#&zz+8Qfi_pb9Wq9d3K3LYGAqOagTVn z6hRZ8j|()+n`rMvRjVy(Yes*dLp4>-!#ef~BOQ9$|a^?B=Y! zhxMen=iQ)u#y)jnEBxJ~aVj}^;4;dpX|?F$L=!7!r1{*wWp4U-vdc8!BWR!Byk2j| z8y-B@t7T`4Rp7k%P>Q*_85sOoakAYQG(V|xAH36pkqDxQsuw6)Z*Pgxl!NEDsKw|O z7<8XHd8riK%WG)EaEutJbq zQ7veWF|WaS`lwje;@1q9!HCVJa>yu7_O;Yd(i>Nfh`>|v@GlbQbn4Y#Ka)S=mJJ3@ z`?}{0c`pVI2;UiOBy3^fzrE)A>_$3!K!hhhYu#D(EmmVMmhDS}@xCgi201A3ZLxAK zR5*JrJn6x0ZzL~CXB6p*o_}x)DZ{M{lVkxy;MIYX5^t9P8u-SGHaokA^YC|mm@1It zdy^k-O?Rd#*Fw+sDplEvMC8vj(0$PNRtsC_ zo@&u97zOxPVgL7DHKR0ZQA<)};>{<$-x@f&E#*R% z&68sZ#Wgm0{=%7$5vTgDSSgVGJ6|P9%t%O1zz1Ny_1~;1?EhL*BLAe5stD>+&*8di zh1ia)4)1#QL>3kE-{_hZ*<5&uKr_1MXYEj|=q>uO7xNbcTzwOOS9Y#FE2Y{Gz}+FH zLzg8zb;{~d;}Y~z!P6mPCrj12Ds9-yTuPXMH)>I{wKtE=oO(#@Lln1iO^ntQP;I4W ziD?nWxA`v zEySK2=adZ?q_biv4QYTADIPiYg?6QWu$=E3eIVvtv-lI2LI30NI$9auxjX^!DppAQ z;TW`>;Q#U>T*+QDzS<*wZk}$dionf%KN5#(F*B^I7*FCv% z&A9Zd3Zk?Yh<$Y8xW!qU?*&7m%aIh2gK-ehCxR!Hi}u&L=ybwL;bM{v40IzsGg@w)Swd1{-Wldu*u)p2t}!TOGhG&eQyqgH6|1 t{2}Ob>92!N(jIs;&qFtyN1hyy|9&&(k-SYLagnUTRoF>ICSDDZQHhO+qP}n_DtKhjhVLXoN4pMT>Jj_tP?w8$G)%ap^V;Yd{KI@ zrPh%N1PdZ%eoY6608p?9sJDjauB61Mal}5@*d`MbUTX6-OAM5_0Dpt4eG}#{jV5rl zOUETAD1jo6LxP_{go z1S(C}bY0VK&qWh^*|DHRHK4h%|7c~RPf8$|M|N5GyTg_9?Z^mn3++O4C7Hh~7S%*% zhAtR5-t1wTkld;^S2}>x|KeVHvgFZ@gxt(~9o=-=^kKjXQ;^h!RHN8FDRwTDf3DOd zMI%Hnr2}!n)F)CNR*lJu@*0eIO?OUi68G1a-qYS;*JoN8XFPal0My1McQ-Sic3#7| zC`;7X5MIrs^n;&Th8%2mt-nR7nKHo4j-iKOaz9A-@nEo4yP`)D*1TmAfQs4%946qg z1Z~Uh`P@ViNIl)471$FZR3>Z7Y0nVq??D{h!EjUpgjzX2!Utu63zAzUG+oPX*-+sM zB}xsU-~f+DesFlL4U;fV1A;GB>+HJPkH;aEi?vl^x-2JS$}^-pY)mWSq-)Y~QZ!cs z=x0B}t$>nogi05GIHpzUZHsJ-NE4e=G~ExxS5-u)Z@ng9L?AV(E~ee{nBbW-Rc+#O z?<1TyI^gs{Kg|;+uyEInMEO`YiMoy_?nf!IKh0f7Jr zK!N^Z1B49>1`P=T4h#f>3IqWRf(8T(2!sa+gdP9@1&Oc%8WOj9lHq7K0RJOnrc%)I zqidW@3P;o$c|=h0q-AIT^Ie3e!IcgfK_{&C{3jZn+^#8wqc_yE53z%#l+XCulq$z? zYqew$fmNCiDz-c&4O4pT>0rj%SmqLue2zBSp9KRX4t&DzFbJq$-}#wbWzjWDvTT2?!#) z2B1OEW|XO_O`cZ%HK-AiGZ#k2L7tIRfkGF_sL_E&%IWJ*O+Q1`@b+=Yg7>(XOQu^K0jFLAlUd773p3#U z(GwShy$xj8i{cn(Htz+%ya`+*I2nVKsL7t%QJ`?>l-F*r@RZxV)VGAZve(X00vs)N zc!OLe+-89ggY4#eOM5zX%kk1+i-Al+p8@oy&)!IQ6-uMDGE0#Zs%xuUr@J8}M1tAQ zAjEDUU`MT?3C=K`{Oxc-9pd&YF`DRoHAF0T=dijMz$b`*}Oh3Bo(Z z7gf`yDyVo}*A*0fF_QE}*=oM{)%b{H!kperZS+`M3{cYu0zkTXF|S43W?N zUT{F0t3#Nvd+J<=vg~yGKl<_gsRIhyR3Bdm$5s9@e2YJ!<1J{BK{8kP?h-CGlEKRhwQ|FdWT=l|=op_yWp_2l>KFB{?^{Uvaf`e)SES?yLr= z^=R$uqsbi%m0@AN^sHn5;oF%|1DuDyJr6O1sjQ*K^`oB>FWM+W8*>qQxB#Dj1X5*K z#VASKZPjj)Fm&_`rk7eArUdd+#$x-*Xlyc8v~=!ig_39V@S;4z$pHO|ge6J&^GG zlqv}&&^UuXP6maYa~yMiDnbkd0TBoQ>@P2ms(P;CpkxBbGf`@Ia~g@w_3ktc$Rk3|Cm~V+jt~Pu{;%he z_JkV$tE1iYgsFk%iA4?vkOK=Dr8PJB<#rvnHsX)B^uE;}aSo6lc%#1PpmYuu8(~6l z)~eEbGo!HoZyj{5Go7yGAP5dY{F zbRGSDzNOfd3Kt{wowt??5AKM_OJj2LH_}z82qZQN-i1&kP`gNJi>ujTHl3Oc1P{xZwFbTd=U}%$Hkcy{JliqAn?2XUns+>&B zYfVo*=PJ%t8~thvG?(6;tH{z30`;iCTHvrWdx(Hd&Gq62ghD%vi!1@m;Ul{3htZ|@ z^Skme_vEH{27>0KMla7&JGqX+IzE|Jai(m&K|DyiI(Z6QGCF&0xEIXX%qV^rXeJoS1+|2sbo0yeSdY>vuE<5~*9ao`(h%kRfZ9;pJ%YdQZU{T$dtx2Rse zgDwowlT>6y^v&0quM_Fa`7s)}HgCp+^$m<2{y_ooi3*javkeNTr(}9}vSw)3_ZRV2 zaATyu3KY(b6SG7aSdV<1cNaB^KrCUUW&3!jiEzF%fA@!w$h?Hy_pw1vTa%MEHr``} zvwCf!2+Tb6s3sBONt<8Z2HosNvU9p)=OZ?U##6KXplo;@D4dLw#PlTHN)40dXuEK< z;eN{x7^)>q$_Wp>HTomh&W>G|#L*+bM4F9QVpJA>pPxJF^JLm@HmoKn&A$Eo zx1J^$Xq96!}Q2#Gx>3`|?1;)JJN(vd8v;&YXAT@%R zxpWe7Q@O-)+{ycdtw9Blf3i0OlOM@~SxS&DJ~gVSPAE zjAIFqpTep%4M!78J6%1huM0jj@e=+sCGhq zutgv(6Y;fy3GJxwhqO9HZ;>+`3`=Gl?dCL^Xo5ZPuukijJVU@+YFbrLT))OvtU){l zrQuWFtU!lE-`*8qx!IeNA)cVm6-U&BALgl8+=}S{(4~#JWXUR!5En;A8|!k5R-uq2 z3~K#HqQS35;^Qg_>%jCpSu<)W5af;aOIp3SJ4mWgppb{6j}ZSi$%}AO={pqA1c%!? zLJz9JKs%d6H7;sTb8&k#(z_IaY_lQ+=bFRVK)Rq|Ip^5{ef-mjIDC9Wp*LcK>d zg4P%}Ic|$6O%jtB##;a6L5i;F1}C#lf~8{mq4OEL8YaY3&zOTBw4cF@3-Wu}w=C@* zne=N2}H#xrv`57^dGFqbed8Ye(OU8_tj*8b^saNw~1Om5F1t;>ONWKv;_sEBri*-snR(x+Aw8 zF?ShAKJeaV0IvseYS=iaH?NVzP;G^%AUIcfB=&kpkQwlF;*SBU6)pF!$d|r9CSAM> zBKa-rb8uuFOU+`pY)0R)lbTQFq6a=sH)=MEH3Ec)YL5QH_b3FWC_mKl)aCASBg7+hUyOnj`&%5hglkATizvh zGF+bvR*S7-x>j`RZJ3n~?Cw8bF!n?rBg4?hZoFw-k%X-A8hGYbb-nDEz5r;E1qiTU5VgI>nO8 zG1xd251V-AY!%m?gT$v!^Y>VT29rv}qU#luiBGb-NgH2##?avNnw5Uu*KIcHHeA`1 zyAJTgMq>00y>*?wfba7?9^H5Z%jx}IZ6;v)I)3}b;4k>ZPD5~&WFZ&1A#JR{6hFEM zeqG{aP8C%m>eC>7(nA~VeLG&#-mTfhGcOw0v>_=ZY&RK60p@l8@884bxz-Ms8D=?C z`lRj13}3-eu4Ubon`HdM`LSh*z_X5{bgU=Xh zpD}(5*qV}2gmlkYO$t?hhOkuHE`#9WEY|fFIJ$K+X5V4>z?=xWVi(4ony%*s&e`R? zTkM_{y5jFz;}L?(=9OxNq<7Co*utjrVa(WZHZK!|fsl*UEws0n0>HX1Ts|TzDU97--lf)0!zd7ylF;xkxc1Zo zLHptEXTI0yHQ|`af_* zENW#poK=fJs1fyczhs>0?;wmlY=ZS@oFl|r5jpH+GkAn0V+Xl!nOl6F4m{>PWC*xG zOLBe)d@|>Arh0qjMM3dxS6r4t>pBw}keD`BaZu3p*BYvz zqLFJ&y7O8uA?xZf<^2N!!KhviqU_t^yzu4qvm2#f%dtV*F>d~Il$Q$HB<%k+Gyb&UX+NhU|(ZBFhR`L)@|%t0l95_GM4Y4<}>om>szc5_4= zW%pnn=c2}~E*4EywSZnj_}}hP_+|MQk9|e1O#GQsl9mVrfY>giZ%&-}XzRfcTrM?lSd+(&XwGQ`*Zy&<7ZIr5Bl(&P4N^-2sZhA8jsu|m$Iss zHEK<^m_^kzFzE_zApHt5BVTf_`&GST^yt?fD;a*m=frTXAZ%NJYX$~7w)&!c6ud;S z1!+Gom^>%|u%^Yq_K-an>6)WtB)iF8u_0NXH=~wbK{H5-axVCOjDkv~Wuj|#RH@sc z(AJ{$_Af|*)cw5|$x^XYsW{HH;S7THQPZwvUT_?>R?X=OnTG<(S2N;|b=XU=O7d7# z+xuOtQ)4t2=sA|a#=wqKlGXhDjAPV@9gP|511c!w8!N`CY(2~vq>&S?TKsCppOlsC zv3VOU;YiexMVz|Jf;|nR^WLL#SN~UmXyOW130@(mhN#D z2%mZu;7u9eNX={a{gZ_jIk*PLdn4; zl&7VowD(7`{m(Pq8Kb%&-Vv?8XwAQaM>!u~=Wta3h8|dMH!PKzNBf)Pg?s5+b=(@r zd6{Dm+ixon4mnA+HCFH7hnD7`BC#<8Z*l!9)&7k~ku=X=JWRIvm&&q7@+)!Rzximl z5}O2JT`mS2cX=r1l6(&|HL?dvzQopkrUkMC!J@rD18G zT<}+QO0&m7HP~%k0@))vo+5y!8VCuvi#Np#%0j5!%5DTX1-^k zYy?!fCq#6>SvVhHo$p|L_q;|SD6H|ntz74>5)@5DuT6d@MzHF0rVA`knvCvw#7Di2 zTK>HRNd-A3cMdGTZDhflSNJOxV@#F>{M`pFGir#CKoT`n_>%gL`__9?6WB3K(PCWb zYVLiVr)Udsuc7m-N`8$Zj?C7G?KZj0*bY#>=P{SK^C*_EoHJq}a%5;#ca|U;b!{S} zieZ3e$-$VQeVlPD%UK66QKsnv`#7>!VpxCXz0>yCpaJjfFtzICmqFa`z%ZO~(nyTc z3R})t`isc$z=rwj}{lr~` zhXU--r^hM3QL5FZez}=68)fP;w8!StY7QX*{=4)|HR=G|`(I5mXeSI7Dk#-4ku!nv6qRI&<<)!E$1*NuPZVd9(gcl@-4%T1 zFDy2T$E3~GSX~F*>Ho%~nzZvT9@b<%7d1$PQeMpn0G-Y8KfKf^bfnMrmHe6Q*6rzs z5lq8oHF=Q*SubgI8L^-@{*z%c;_*zWRaTR2|E}LMTMN z40l2~sHBDgY{Plw9azQ+uY@sQ%`<^KREmmbWiWyMB;g>TN-lTB!k0`8-0A4-b&?X| z=Hc=+i&~gfT?YHf5bY zt}m+BI$TQ4XeCVwfM_f92V0f2BC|RU3I*b4p;yd@oDWXEcq-p~Yd~HrKVL zHn5tgYi{}E$|SM@bD2UJR_zOu{r-C1L*5S4fQJa?MVrJGOZaxWP1sCapvBY;=V_h5 z=uTYQT@}2K<>e4`!21B{1uZXe=no;yDu@K){b!s+{(r_v|80;23Z$^EiUJA=p_HZf zm!JQPBa!FezuEox$$c(k2=|t&y76veP|x~4-^f!7h=RW9F5(ueSAclGYGGiy?%c{# zBMc7anR`*QOXvTLYN3N_)s1S=S~DGTSXrKSiLH;nvz13$+B(K3z836&;DRH&8%XLb z#e>B5_EYW?F9;Gk(WMT=9Q0s{QVE>ccBj;dgJ16)V6~=mW&o{Ab{&Mj&SjXUYGn{> z+by6Nn}*Fx4YD}Wsq3bJ2M!cUrZwCQqfs^?59&MXsTS>$~!uKsV`!DHMwjD)lta<7Z%aA5qz$a zMqO}cjDXl~+g1V5a^=dN{RS-Wly4brce7&rUF_DfT$EM5*DKk0x9jLzB~cbOqbHra z{~Q!Dw&`~ls{I~fItRacTsNxkq#uf}#I{KuQ>a;^g)@udq$i}0oWq+>JYbb$(UOa> zUCPtLAtGKt)*y6g{8R&b!oCGFe0VuzxSp9M$lXQsq&*D)=qjxofrYBE4nS0RAY9s+ zk#zlSO{|mVHnB-!8MK~1_PEx z0WR*tLa^sI1&uI0SdG)v78RO;usSx2PsUzvC!gmS1$|Z{d*UwKG?NIlApqMdvQN5s z7XL4MQBnZE`-=ySiAfz*oD9&3C;T^WYaI46tAVvzZaPGn_^uC$x;)~!CU}Su$GM#O z!r3ApGD1P|BUZd8cX^5EL|QmW9_2vrd;-(-bv1pUzTlLO#V~eN846y~cI~E@OXM)s zqnqfaSN{E+XXDlwi&InUZ zGNA8xzIg?pG1y7Uq}gSAc-bUT4-`PjP)$C3+BYO>xBVEN}Fd}6x#z~yUa2@?Sv0!Ki{s>#omj!mLCmu~}x{u*3t|pL7 zu^suJ$|X>W#e<5o-qL`IjM#%GN&_5t8UfJ#_#Uk7=DKn$-OzHitgsqVUX4dOjAfE& z$d}`L1S$gTMA?-tgSI%YoAUMfoDxxB=`sA07_JM@=P%%QsUQrw`>B*zsKSVSMfS~W z6DiFPipll7apLm~D>>c&oxLb2#QXt;gpJ{3`?tM_TEl-ri12Wcg(HVL6w!=vLZj4+b)RtwW`nu<&D80zgSr8eBsidEkm_Q>sHW8S z3xgrPn7OjnD9VPuS}TgSVI37}F6*Pomo`^SKMcpmW#}aag3(m|et4y=YJeUVR!ud@ z_7Ct0<)5wgbU+=<(<4F}hHpw7S^dm&^&XFNT<#zb|1H#Hzkf*XkDklDD?f8IyOih6 zgYHG`V{cB6N>CyJ>wi@eo->??BUbUgpB;8AsJ2D-c~~h5lT`SntdbYZ_dBs)Kc6gi0B2 za`#(pu4@*oHkH7EHUyY^&nF-_5`0b3xmZKEm(iB?PM*Kq|>Y zjfkyg#dXpv0`MwcrzSbzo}e|iCC*5?!>_f2|1CeGRiKcFa_j&2&wpM|s4wt8?z>jk zx!79XPByJ3JrqM46A1U>fO@rCA9drE_qj$kzZEeDcYHDGbe12w?LBXUG{zC4&~DyV zj9`l$+GnjcB!Fio8;jShLUl4ehql%Mb(Ade+AQeD$w9QU1e>FLT3eQM^MX?1hu6K6h)@na z0}W`9N0W$&vE$AJB#-4FJivHE)s0|FJws`loa3gsB<)h3hwzW`2Tcr}ghvMTLoqd3 z{nQy#wTAO+`rQY&_q4_SL^<8ofEjbfB2ynBpPsuHCeED(NpaDY4O_tQ@{jp!-o%Mm zK=+%k+zy~(sf(YWoR4%eFEuD0N};Taq=B!s`zl`VzC){ueO{vo9do>8Ah4Q3;%Q`? z$Y`Df=5UFK#4u%;&jm$-Y~8NAq1)o|KS5v4!Zy7Xr8a5giuZMoMXG1vZjbNYUsVN9-#+<^k1`gMK&7w zzwRP7S5o7k;M~Hv3-HY+gES>idK{s3D*|q%$6`^sLvp)j$!v`#{*xW<*mVyG5ZO=j zeC!+>E3hpOxx=qx-=Z|tvfo#OoW4gk%1Ju+pTz0Y#s??9Ca6JgT5_}qOR z)uxbsBJpZr?a5)bmMX}oKaa6QFzAtbUzNq;xbhzaOE*W)n%oWrP4o(SaO2Kz9GbZx z!dw#0E(~g+Q9dODv%Ir6n6mX9LRqM~^O?LXarG!DeF$fYo5O%a4dw{h~9V$0Grm|JjPbMI!{kKVga6 zDJLzYbT}T4T?Bzg;u(4b1=4nC;rd&(|D50+fPa7<*!neAAT1RT%vioIto@?0y1TE~ zaFO#?9=}VBHJ0TeJ8`BKDG`4OU`X$hZ2yzFw-TSXA^3-2R}$PoI=r$oFIV(iP$-l2 zA^kK{G}?K>I;Nk0lqTWkvi2I|-j2hc!iN^Oo!<>dcGf8*9Via_g>@)pxec;SlLVi! zr%w$)_1C>x?G~<*C(hV98T*0KYfP33f8a~?bL{9&Z|JQKWheqp*{p>ch5r8ZFhr}i zB%r0T%?uy~ii3QwOS%ObQ7~)IAr5Dxjhj%NeaZrmuS^D0=A)vR)XohlZ(Nc$~SRYdDwq2q}5HuG9Q<9K*KRYi@ zmai^BazE-o?(tPYQAh6fd7?ppL78U`)iGERTGS0QC36-~Ut`r!6V}r5TPi(TJxdV4 z^N-R!laOcU*G56X#7AZ@ck4n~sfIclDmdWq#IK1v1B|7;QTm370wdTmPx0z1QyS81 zxt!XeR?d8|s2T8&l{}+Z)A11ecv)a`X&J#6y=JGo_3ANTvYNgI_t1q^86evl&`C5} zUMtYHOal%}MELyrCK4CSndWi0-zP#zN1;O`WM|PT?<~y`&K51~zmkT4I1f7SN5&W8 zTCm`4uuSG9_;=Nw{e0~L;7Qa>wl?#Wt-K(k9)?1dGopuR(j+qn1!DhkCt4IuE z0cJbbD#6RVWwLGiF*)|RVPtRv!vw-h9ZDCWO?OjqSPt2lGdMtTb%K5QM@AMVEAV|F zlNusl`6UQcdis)jv?AMa91Azu>hub?!=q@I0~gtdjn*lRb-UEg9-y{Uqe^|nTc=}v znzo{PXp5f2*~#6d&hvuu1T{RF=61TqL;Y5o>V$qK%oAT-6K5}%Iw2BB<)0Rl?|*19 z(Fj4rh)9Q;?ODR}#wBh3^9lzA(yqel0)@n?po9GjU~$!b;Uf{{ygjgnxBKkKpC)YIHxgplUI{DZZL*Y76uBEt zNFw8(i1;5OkADG|mve`;xjlKHwj)DO4k+kT6XAaLvfro(HvF-#EJ|umGy(GepUlxs9M#P#%|pX_&54qD;54>^J23KullijxdxQ}x_*G!&M$;^C ztGkyTg5W!q)u90I>p=u}0QVRa$G?x)%4zTYyQACt3#5$cK zXvQL(ii!F$&$~wXO;6FgYd+J#ENnU|j@<=xns~o$iDS4^+CiKYj{?s^x z9SkV|4bsK`HZ#>wI94?$=MZwaL~1%NJ=c%QSS=zGMQjqo@$YUOm?N~N2t@BVQ`mzp z=-cnwe=z87GI|x!R6X$rsNWpxUz?@+qzy0ByJ<7C>rCLedJl1}AeKOe?9*`z{nOaM zBZiL_U)+{$`&x+41d8DK(h3H1w=zd}dJHpi1(I7n=bZx9xq*I2n>@9;G-8V zx?xjRa~zqusoNmt_E~^@uKpdunINg*E+Zg3O|d0J`Fy)CknMQ7;xn2DR(3KrBdgvx zGqT8HxY{QJoru-ObY5%HB3$y7M8t+L8=9g?p$8Ve9%yq*?JUfTN=pRG^6;=D>r!TT zwbxDKw-~MH+l{{k+=e}WJi&1-yg`^xgLB20TZx<(5Zm%V1I{rXkwa-(^or+vLcfnL zcB!&kuC4!I%FE_M@=-gO?>Djh0So`cgVP4-kzR?<2*&j({bFFqDr)ER_Muq&0gd_N zLzG2^T~Vfi&3L7u_3m17u?jY&JQf?OfU>A)(dI{jjXkLl7&Es#Xskz=J)CRJ_StBY zn~^vdjwd=gXSq50&UWYjkZR}*!~X~?Rt+DwoSuk5en3Oc^j%YSSM=l0D))tux_6e_ zS%XXxTi(<`HAnq&L&);nc8sI%r4rob{#el>Ng4haJGbNF+m=E-5ahkjE}lT^NK_7{ zAT3Eiwewz~^`U|=LFX7bYc}8gB}19#YT{^tSq`8Gt>`U#`e>H77u8e#My0la1A}JK zmaewGNXTU^yGJ!Y%SAW-LDBD~eKAx1Q^)DRLCd&1xzaiCjVF;mYEuK9fg9b_W&4M0 zhIQ~Y!AHIsPiRC)uf|F@ypPSlCd5kJ;-&s)^}0+PU0HpOYV)S!*m zf*Z+j(<5lTVCm?#HD^G`xjK^nFIfwtj5&>_m*f9eEKP7n@Q;|%{ z4WaFpK@bX*8XK6g2g?ZczDI*qoIRD^rA8+tf10SZKdMWBxx`9!cx#;jH<1$c0a!v% z!E9Ex=Y4#&>*D+XPgucAjDm)IniE@ddOOiwKrKDO=!6YGbo$JE8i2-Sbb%sz=*JAL zx6}9{4!F!W-RACd?1?6vVz$kiC9C73NEdB~3FF|2U6l|s$&Q^9A3kn!*r?O3IagvXV(anAx%oH`0S)w4FqFuY04V@ zps+4W(mrJZJvQa(dng*{ozeDhVuOi@SFv zeqBHR)5mi?d)Fit=i?}-jPl1HQLCbu<;Au>!okbxbr#knAx2?|QZ9!HsE~T%5H8C8 zn>KYgPzLGfDqRJj)l+!}_hE&^_l!4`agrhzt;liiYhAA?<|V2jL9#Z0bK~pKOsgEt zcE0aczmqjLIB*S02A#A_k22s$gJIh)!#vLSdkpi1-NvBmHia3jE+wxh85{D`#)UY@ zU!VfJ_mw&g_spmQ+8NN(D;}%%Ukoe&P z5qRV-JKdzc;a|M8BJ1KW=vD9$lZ=TGew%)68O6He1&UooTjuv-aQb}Dqrj;B~%^3ZjQI((~7}WH|=tq z`Hq!`#U;-H3uZp5ZP+iUA|@X*Dm|I*e+|%R>3`2PdXM3M%ri&*n`~Soq%c}NUBDr9 z8T_oB*YzIHU^P{eNyKPA>vxH+C>Dy7qTj2?NtbU&vwqLe@7bsKn??>#%v0K?VRyuc z6M8DDd<2+wC=)QFwh`UsMlK3V1a$(9=<8Xq`>+{#9aRoK^ioVXd zB}XL19c*<4OZ~>ka6?!-IH7cQ_Rew4`fTOkHJMF9&6Psd!RBc)Rymj`s@KrYQpr++ zX^1oYNbvNUmx{=|0E^^jU8LT&v6+6$pFinBFVa1|T!DAf$pGf_t(*Q~kt*Vpx{Ad` zb0fxlM9UlH^!DhdZDqaX%=n`E+2buepE3BsWybgU5l#mNb`C~CGrIY%)m71yiFx$SPS+7gk6vhCis#IvY(T$?FF8t`x|2_okr z-s!7H&Y2oR?TJAfay|3pIuYvp4J5<{H>{wXKga`iq;yM)%3Qpk9l240L%2?e3OL+; zvshy+No~P5;4^}1*h|C(G0XQ<-OoodGuLiZAa@S8NqqziB8>=^4N!^^LJ!e;>Io}} zEPNS~mMDaeoN+sKD_P81IF(!GCRi0V67Wa-o1Vtr!(p|2_$U1Xab>S7?b+g!WI)ME zL)_8ujxa?)I5PA8tvV}|g-Tp|P0o6BUDQL+@qY*fzFEP)xvSEJQ&|&)i(3oW?9MGM z`gLM@G^vvLAoZ;&Nl!R`1Hb1pinXF(b*5>sr9*#=`yp|#7j)bpC-LKc@T8~;Ab^wa ztHXA#=hh)R+Ic`uSVdif^3O9h9iLO=Wy#ho;qz&aPT64Q0kGbE;Q%#^kb@_a9=x6M zXQ7mF@P%@xU`2BK{c#GDx8%-B+JODe#BuaIIuCVtHy)RL9>=OMe&|anTgv3cB&Jeq z{SyNS;rM(n-C~b@ZyxG!3DZXJ=B1ji`Y{?8pj-1ydsXFVgi+KjmgoA$U1)E$dB#3q($%xvp(B)e%{@$!$wEHeqcS{o0B%H(1`s7Buo z3^6fe7jFc*BPu$XhT zuB?x)GmxfZRZo@TLw#a!q`{^l(GdR%) zDyr0Y{~(8A#Ms*(@Rn(Xxoq==@cp3O(`Sy5P^|7_-{IpJBP#IU|E}8qE)>9;g8&GV z#r7*Cr*|h$ZGJ2EIC9^<7&!yY^DU`C|YG8?heC68-XBF2=BF`eP$PphS&|Lhu26;BA(mVXLF{QcNY= z0)h?LDMkEcYe!?PtD5ty1^jcD*h4Yw59ptVo8Ofb6=Vy$%sqy9=)VX36y|4es`_ATTtt&L^*^?9 zjFfN7v&u7v7wbe6P+(o5hq~e9OIUz^AWI*z*9A^4z4>nqW|}hYUJetyZJM~n6%@{$ zLp95vUY(ezF>q`5rZEtC|9D<_xmv>n8Y2?3j<5oqzDZu0>vqjqiTuE`j5Yr0nGV#J zocqPM@RR4g)%;1{Z#f)4?apcsR1%1Fppli|Qvf6cU6o@o=fXnDp zv1P<_2g#N{J&}$1kcWyCqnN4o)~Plwcz5Vv#08q-jV~Ny@Dwk4Z(EdJA1p|^6WAuc>-G*fYZC>wpET^d>No=*Zv5>)T zs_#VC6Ow=YW}+pxh>SHajo>Mk5#XQ7DzgT>@O@`{SZUYXgdWPgO4pS! z#5GE~an~5t%L35S2)1>&GSSXOlpd$F5M9HXH4Zp%^T=;BR)dx50!wpe8$NEtvx#ut zZc%i`mc)hn%~3SVy(tkU&_OLo-%6q0gIbe=pRELHE*o7*jq9Em(f5ntU@@f7k~-r; zlELy=?9jqZRKL9vOh#|5W*M$o`Svj`1TL6J zd(E3vS%CM4N^w7f4f>vTHpqw+;1*3wicl*UtqFHS%KJJlgon`u*A{I=OmH*0)idVT z$r`TuzG`e87ILIIA62&eN)H(F)`g^0<PYi)pa`0#~6bp!|U zLKDy}znlb>yx|`jgk1fr78jk6CRB^bNqXPq^-fKRIM|j5NdcSHtGngKZ%6}#bjW?h z5FiJd?j#>$c35`-C~Ua6`EvUYw1=R&<6y3nfx9e>n!UM>q9jID$Ui+{aSd#F=nHYs zWBG+s^7SB&3X4V|X7uE#(YH&j1E4ZmuO0YnvBkjVn;MQQCHNG_N+u^=+YH9C*&O5=j4Z?3%DKNc$Kcc}% zp+{D&8cH1dbLzL-oLFq&+6C?g#~sN{4LYCq@z0)lx*<0J)oTi3srk-$+g0ZfS2`*9 zLb!FXJ>|UP@(-s7M6X+}Igsvn`RnangK)HiDUyvC9kGb;BmiLSbTSn1<%NF1 z7ht#ji!Y;BKR5(pmz0}$x%gyt_6K-e(<&Jh`^5diXvf_CaT`lH8m zuEc21hfNTw8q8FZB@KVMkx03<*SCbvv)t)t3A*WBr=8_Qs`s%+gq(YctCY^(mrh1H zJ<=-^VatSxSvO(f)RILrH!>35)=o*3p?!SWND)8~s}5@!t1HYl452C_B?Pfe3l8Sa z62&RiauZN>d+a!5);?$HD5~P9$ar*YQ<3=gX>_)$;U}5$F0s?u5#a; zM9Ab&II1K*nxpdqlom z@PH~SPaX`jh$TTe8WEFVkZYCuAa$MBLe_Bt%vwJgb!tQ>3P|j)J=n;}m$XzQ)845- zOT!i0chg=9uOP95npF6Ky#1P35}i1)@+MN{1)J)*;dTF(@gX;k?l;b2(ciw>_?-vq zw=UK$9V`q;b@k&Bph&~0H7IfJ{pSQW7_~^H1ulczXcwYaVMItZF(st75CZ0KCQ@Ma z(3KW5LXtHjV&f1V(SXSfO|HNx#QQXS-)tE=&}Vo~M9h-?98IzIfGsVXv@mg{={@`n z5SKTj!;1etlF%3s3ZQW!3K@WZ zgT9pXMLdaI#||wySoSxQXf~{*n3R-JeQwFwV>{9sF3W_PTh5=j8p!~V>YtG|NLw;0!&ppzWpG$ESD|AGoVp#{dhDv*Ym6gU^6 z99;XeRJIqH{q`jln_WsMvL#1lm%an`O#HikUA^>sGu_FqUX?_#`|aLi&xFs zRv41^#&mkfX!{mi{J4!WVCeX>rs8K1nF*_i?X-(uLlZ<(v10G*QA&)}FiQ01+e&)x z&q54Gh6GmCH&bu3-zp#H`a-|gyRvT8&Zh3=5C8NdTq!WhEk$;cO$K}G3b1m&s;B&H zYrRpQ|M%t#Qh7^L8)rhf!4?}EQzt@RJ4{c z=kGh2pfx2{{y6Zd>;}l?Iist}2r$mj1o0I7h%EpVl5WfZ@`V5Bddzpvj}6C4NU4~K z`xFxIn*S5$pP6Xon-bx_aRLQSxn0sENxg0WdFoph5=>d|U94o5QGOsIHTMI1fa) zUy2%wi){|U2I@m!KY#D{GX5w2jaKpB_`q8Ah}IbA_}z$rFA_BH%llZ{oYI}Gbp_sJ99}x)WK)U;X)pP3B85? z#D9bn{TqM$wk0j+z;6j`74WU)LaGl(md`QawFXoJdAf+ZX*ZnOXyEY5H8E3gHvJp$ z?eBilPH?T*irKvm(&joS(1CL_cU?Y)!k({XoiVO-6K)EMf&>j90|Qn8oV?>>Te!G5 za5FHtySvky+q+np+uJ*v(%YH3FgTbyF#KJ<$#oy1qdABQEfbKR%-}NkqUmSg|83Wb zdelpzFVHFi$lv)n+G>H}Y~MwA=0Qj;_$bCtqx#=vPQm{lmPw9V$=^dzq@TnG7PWA0H_`=Kb=Uz0>RRBOa?_9Ha^eun=uoUDA^z5Vxj znfyve(sAV_1)?AUi52!|5Q?G}B8MYJh6(BTqwqU1eWom1hTJdET z^d)Sl>~kWRJg_XHP3VqoBl{PUbJ#)-t?qgR7ezZLsGVMN9BxurB7}4Yz4_~tr2`Ga zzx})&&h|c%lz!c?qi~wU( z<(j<0y1;Nd2EYL2;|=3S5O4`?g{oD;Ru7dZmo^~%dR^vmDGLgo%p#Kz2`?aav8Ek{ zOkWw!yEMf7{BL^h?f;qG7J8dsCTf>%SIUI=cJI+!V}oLS6G%C6jaK=PSECXQq|5TZ z3UTJURx@s+?DZ|sli#`G6vwKFcY31o?bpIC>AE0@i@M&qx)NOffsKV*mrttMs8W6M zaEX20dk3~J%&hh*Mu$vU`Ht!D#L#2oFcuW!FTy66niSk0AsQgFsea&l#X*@SOj>pg zp~a%BPxUsJis0ZGg;E9zxTvKDshYn?wXS=T3>J;x5ezFYUF1P$VgIh9t7^_ZM3FJ7 z=kE1kyaTpMXy?8>(Mc#ZJhgKZV&c<*<%uc%asG3O%h1H!@d88&2y=qA8SS}pkEibf zBFmfMk$uL?NbL3K;)*eIQKKc2fpu&K_&@1UzwyoctH*Ke?wdW@%)Lb(5|9(Hxq9+P zi*&zLeVl|QX~7`}RdT}FPV2g$BEgve%Kj}$*s-j|a=tn^;Ix>YR_uIzH(vD932g?t zFmk=>V;L0CU=Tzmx|MN}oLZ>fb`UOau_+0mRZ_nK&X#!>lx#j~8+ch}yzU)`4jKv}~khEBD{Az;#EOlwR<>EkSsgIpr zUvi@v&U@B6x|1w|8j*6%RJb<+o_Jv&A_CT$vxaEL2|(rR^Jq&w*k6)3{*KCj{YvLB zy(l%zI)+$(=z0?1rM{4|2w|Sj^VAm&D1@%M>0$LJyLOhg8E(QSxBQzPWT1bpB2a#r z8vUD|-39-b=llm`G-`-%DIbn3IpI8lt0rca@}6F5HP!vv#S$&|gq=Bkf(m%JrvfxL z$!y{;OvxW6Id!Z{uV73NZm+vm&-uqlD#(CwO<{ca@1UOCPB4nojTukQCAf_yr)^}H zG}pmZcsIr~Yy5ncgxg9OztJ>+P@pB3?u>s0hfF7>Q|A#uxukg(W&}e(cUZJR(U|X% zDEx6r@B_;NU1kXVcy_|&7%*%T>_pV=4}LoL_y>d~YtvIwO%TSTM%&=AOIjT8TLFq? zV%CU}mryKK6_+suSetmDy zN}S+-mAxv!OLU%k~JG{*OseuaYKD@9Mr>c>& zmzbs02n$Or{fyxu7hQ2&=+$cS7P9pAhy~}U5QwK>2QsX|$p*{r{ZQL(%l}AzSM^vi z8R&rj_|B|rHU>(|+5-5!ymo&$osQw+o4}nULpf^eGi|b!m^*NX$a&wyts!WzO53?( zhIdlf_&th`q8TA&P`->;nhRHNMp-{3lH+o(S%SP3#ciD}DJE8ujOMvO7480;5;+K` zZ`}g!)Yr-Sk*BxHfc)`|2|9_x%{nxMl==Q(E#7}ZKMFYG$7oW=VORu^-@kQWFyOzx z@PKhZz@U()Kmh-{YU}^53I9#tgJ#|<<%m;yr7hG4JkA*tSNT(+79VLX8IZJ<(=V^& z+3nvF1-3VEc?Z4FULW%d)k^nBy9oB80fhtxO8hAn`Iz!jWsY+QLR*`I4O`gxoL z1VmAf$hGl_2IB{3OVD;#n1X@E<^+U%#|%^Ubi0AVtg`EiONwUIy&a-X9J?|}K=cBE zYE^OE_N|sdUn4MwKU30Ronlk8`(?QJCzvWE7R$)pkQAy_(*c2loetGTh+T z5KW(V!S7w_2MsyNzi_j%BFJi$=F{G`z3&^zN3c6yJj$!YH@zoA4M|GMGSG(Od@T*6 z(;w155soAkpX=W;p*}7P%v>7a2V+yBYk3A$&(n4M(z(SvQ`8sz{BIrgrXcfgdOZ?g zhg7->;886R-oY)hVULfza$(!I=W1Mwu{pZWAJH2c{l z4zM?;)f$#hcQ`mX1ZSVKY3_u>i)KoTlWE!vO6gl)pfb={SZI-IC>#&0o%S2Eo0`(o zKscd?SkO8u$c$fqvGo#Do5#((P4kO0;SA!COxDbSFNYDEAepbg&Oxb-Zk~b_N~-me zs6a-C^S7EX|3<%J_H>1y=|j+V#O1`<^BQ5b*B zL;OY*6`3Qd#8i!EV@%2)Py8)OtaK{=CtcL~s*rhsm0PfMkpDTByl!bI_%}RWmdT$A z<{Q}3etI)VkBPVu>EXce#D|BP=eQv~tbk15PLF-2VyySi@&F2?h_aCZFQr`HwfpT5 zaiWbj5Q^5R{t+LL0Lno?!KC>w34%J27u8e|t5YG@*0+%9V|Kz!d=57MCo79i6~4Ri zF<`vn_KIB8NDZrca=R>qUt;crm=5KghL&h^3Fy_|Bt4s|Q<$L>vShgCu$Hc)<=8jj zX3t@+9(q}KfvyTizl@8>$ZQX3iHj)jYO;`I+>vRjbweCd!%0F3W}_rqc`s_t#;LKB;vJW8-hx~_Y;tXqILe+-Q z?hpRU<2EPkFON-rx7PAVJ%%trL_nKFkz~HJLoO!q46XkS3qCy4r znzJKcaG*zimP|tY>eIcjheFGln2=8xW@^eMv(UHOw~;jcT97V#!~FvAFfDF z%D&FsEHv0sIu<5iW-_ftR}I7iHEpGukFV3|pQ6=UwPzbcUq4a#r6eg1rR5lgOfab< zOI~9Pk#AH-c>O6AhUwI~_kSgZy?TyREooOJn9p>*1#K(m-)}Bj(+*}>JNpGl+ z2PaL!FX~?9x(Og}ZsjD4e#9irsxtoobz&jx&ME@Odmw2g+ZN;WarhK&V#qlKn;5Bc zQpi$b!BHtvqXcV^FHlp_ks!K#9q}U*v~eItb*( zdg;77HVD^lsO)S8_Co+EbX#Cmp9XJ3=H)bHonLw2qJt0z63=4LS6?L6@ zXZHEVID~p&^(FWtHuuzjc|4r(|K;%0etRjXy8!%)+K+Ey!0n& zTSI-2AWEHs=+E_mF^eV^+bg9)Xc-wa)T^2ORXSQ|r-X=X%BQ?NOBkGAvC;FnJa1>h zH3bEYf^(B{!QP(hPDGk8d)QiDgCId6mROH?L(T}uw}>{nK#ZtR(+4tHY>_5sAA(*} zdxBgU0Ds`w$h^3?sfGUO7oMov1@*`}2AKtb*4Jn%TQ*b+Rc4km>wS=a%ayoU zF(b)Yt4DSiH(?!`?5egnrJluXfRR2TpBQ}NejQp_Vw7;YYlGMrq99=tqP82Llx&zPW?)LcU-{ zAo?weIDP(`yC$PdJ18#1SYBh+KSnzTJeA zq$JlT^$o>|71hyM^+J4X4+!W?jEFPN!_aG>?qT0N)0q_CDl#{a$En}0{lr6aw8)Mf zbeC!PGMo8u+M)q2dm$9fmC8&XH1nB_n{C*R zIs6k{G4SSN%=E0-Jey1oGIY~Bo;NNu>M2f6o9Tm=-a#Q(aNuetbrA6V97Y>(t#Ai1=v8(?5XP+HRCvpgF zI_);ezI&l+=)6^&qO7lJcrt;Q{KLinZf)dq?Ik^LcvKp~oOx{6bat7|1sp}UM`+t+ zJG;GwyE?o$PA_0u#vaS7wYLF7WjXK!cLIz8Wa?DKJT=ToU|Z9)a3u+BSVV3&lo2wUYNU9J!JvPTlP zh>rqgN>cXwW?SiM9NSVU`l(~CAIoXM$*goN!;bR0+8?p_{gY`$_tMRMb+LGJy_>=B+@<}^0}b_z4!6E%mmf=x zs~u2Yrm~ym;j4W3_Lw0d8FHx@h6>;Z1Poq0{WSA+aSdV=uvxENm zGchc&Ns`BlANqJbtXvs=25rsS(71a1>cepA%}~m;CW!_EzqH}=DHC#j+@rXM+_O{ORYk0^<7}tq$6v;@N(D1`m@x>$l=R*8$S-CmHV@K*c&& zk#<;`^LeDQM$M~sW>`i%WDAmVt;yb*0*&=fiNoG+yi%l$|9gtoC9#!&M($Ums%tlaOPKsNk`{7K8~agI7jHJsatZH4@<$AtEE z5FTTHNjfRt0xg|9*#(Y+o!UB_7NY^r8n1d;Q6B=qjUC*o|G6CUOw^rjT_)uqMIswD z67t%0xx!Q^dpr42CpXS>EEO?>+7<>+5jgKghLXLb8z1zxa$3&o+Kw%?F^(GGCqEr> zS$?EN_Y_tub#p3GI(%- z2ir{_PJxD^(8Ba_r^8pGM|Q)|;AHEc3TkHso1}_L|M@s+wKOHvuo-=T|7De)8q_9V z2k|VGn@_tcHxRcXHtZ@6{7RgXup=4es?8H?(5Z@b0R!!3A3O3Ag@)QDo$zCIrRPa# zd>mcV^C+f3ulvx8&!7;fd>sp-7z)B$Mb_)L&!l=f38Z;uf|o=3!FxspbirGVPP**v zu*^w4ppDHm5#N}~s=0ZtW4qa0I*xz+h3ZEU(7gh8`k>X5q?myvuq3!mEH4;7ZLdDl zl^lV;GDa`&q)X9%c&I>oL;vLgm8x`Y%FPIk>46Any?4z^DY+TP_Mm2K>iCo~_h3C0 z`^0Q}noH&+&gH49`_^ZfHk{&IjjJ<{y8o$KdEu_;(X*cCCQ$SF6e~}aq-R45g>F!) z5i%<)bERZPypOAM0#~&!r7TAKn_`$f+iS+ukGe90mMyBWcC0vmAnBVe$qy`DNtCoi zy-QlzA^fy{{54YvdEQ(J;S=o11&gCbe(HPjB?*<$Oh0kJYczPHByan4Fr}J2w4mK* z4Iv7TJXltg*wbRYP(}aURi3-*f+c?m3{95#Lc)C}BydcyX<_J;gXYX^Mc+cwVa`{$ zwZ>^Rv9iE-3}oHfwvR-ccQuJ)Pb;Gfw#k;wD2H&kHTOg;Ci5NIOJkd#ATe}usYSG5 zYiZnQ(jxm*o}_v5cfBf~uvRe#FFw~82PXAYR4yLF$IzTbpEL9)fk;-rOcWQ{{fy7C zSCXp&MSEP_+>0Jp0!pH!u!-Xe;aHX|FU}*3R;dw&R}uz)?aIQt`xFL(kP3{n3x2ZT zL}JlNQ3$)Z@kCtL_n8D~tJH|5HdIHN3)HyO$jpdiK{;Ucp6|#(5`hmko$SJAChr<4 zz)yu&1^!+J~?en9hgD(kXl0zI0J+RT>I4c+Eh z8X|nG2PX;qdpr!J)WImONXcQZ-=gmAe|f+pa{T2Hv`p$9*t_L`FpcoV)Ea{WP>m#n z7jhnC(&LMO+JjLGuO{N!CdPb4xgJ)@>3JbVn|d}MDuqMPhG6)tWygvU*wh{*0YtT{y+*NhAdeY&P3 zID|uby!Y#r_Ac254rGaMJ7GU)vIJm`egySKRP1C*Z>$^0SXW}#exPhWgzM)%^E!Ot z)qJBWqrz~Xx7XfhytfTxSf4&q@9LXl*=|Ue(|3~g(&tC+dXV-pJ_&e*cAHgv#0kz$ zQvjpE>Ad|?k;Nez5>o!)o#OnqxiJY+7z&3JZ8kxe^tzo3N@C%G`m|N8Lc~MZ;_DPJ zFfM)3i^%CS@%yu$2aw{;bYm{-Q>4NLD;lZxf@@Lay-0 zSj!iVdYxDwA7*~8*j_GeLEc47p$Ov5&~Oj*G%o0(ee|e2|yt=q4{`ohF=51Z|Zq&XW;~ph0lXq{JOlEGY<#(&P5-e|eb4k^kipr4dk94U9QT zo{R9U@Ac@M60fhaxV}(!D1A#VVyq2@Hj%1B+^1l-9J+ln#wH_SXNfq?!OK!XQ-}Kb zk_|ar>gG{kB{c1KHF9>hhZ4&Oq)}Md?pU?vAfRS<5WA8WO6K;C^^lV*Qg0>1k94oh z%oE$W#}iYYX+hg0EmR~K$AmOd>4k4jdE-YDgal`yh#PQy8Al;fP~V4`F$u5!!B2n} zE5+29K%5%K*cory?yMtkWmebM+m?z|$qRg9@673$7>|ghPG__1dAXd%0Mfg6n$6uc zz=Iw^-bmtkOi2|h%?2enq@aLIgQeTdX`Y5_bPh$*k|mOtJ8nvxSsyTcD!UWWjKE}X z1A6daPtf?bv=aifT7F^i?EfU1CqKEY&U6RQ|D{vs&?iR|`0X!3hp*=9<8v6k6<1w) zU6^ImDmXI0UNAMFOAZe&#MR9Szm~X>uzrF&3hFk-k~qWv=V${H`5^GDNVr16KoK8Y~H%8%=57fW@z%Wd+#Yp$ClWI{* zqor@t)-xouthT`f(2GV+m`GVSHrhaYwYy^dB%$?`ES9-8MFCX>-Fdmkbv@*GszO9Q zRhNr)wMVM|>9T0^)h2fb9d=>9zq)AGaB40TgiXI4*~1^Zd!v@IZ}C}{WD4`&@d6d| zIJUn$Bte_H1b$qC2aQzo$4y!}*s^aK~LdLEZ{loQXw_xKK)g+L5Mk(7sdPh3nX z-nNq~mcU$NUkB2{&nktjp1BW7TO|?il<)-fOqH|xijQa&+?rYD(am3fY%yc-m0f=y- zDLQnzXEV+>TpAJ+*4g4EOp{VW60vYW5JRQ6bs-c6%4b3MhZY_g5Z(DSNn`?O5o*zd zL0uHWECCJX7Ku%;mk|^sba)2?4iD|?3HRF$J&;oY1PS%w`3kv3MVPu%hNwa!srnMp z>2H1@izX?|^kK8BrFF+G<4j;pU?`#F1+LFT27*Dm-=%|hyKjuVb_<{vp$#_P$6aKq|)h1hyh1F!q+A*-skRW_UPH#=doOQhpGK_QbCA!qwo7w3 zcd}yydgUJ1Q2WT8TE>}9aYEHwcV7D0&>50F@9?**<=7L;I4kxU#%inRFalyb| zGC;vqG5nMydNIiTm7@V6Y>u~ATG*t31-{fR#_8GOAc&97>gT{!(w9I@7Vk5`sr%e? z7t^`ME!cI|*^G2wyV3HtCQXr2bZ=J=|i|#Hwv>zyVbi{kr z-x)x#n8@A(m6IPj3xm|9rEk};AxpG5@Q+q#dqM>q-`8}qjoeDvlZ zyNaq0cupN@I>9HntV!nSkd$2%K{S6H`j@$ z21}1V^^|~;X^ST87n8bTAA@|V8eOQAFjEx@K0jIvows$tzR&xWu`xMnJHCeSriI$M z`|Z3;m1nKA`2ZML+$a9ez18buUjKi2{M)N=z0&y4;d1I(Pw9-0J9~xjEj>2CC)5Ur z%wucqxU}j6m*e%6&a&n(jZG7G=$SD+B-y53X zVXw50IZ)utZuN+BI`87F%puWj=UKa@y#T#FEVNrR$ocksGYZ{MI)-Pmws*(wLEvUZ zpjcvngD21kB TE+bP#h8N{or-u4VqP(2Ae6=ZFGmnF)z>V{x3d#jXUdwk4s5K*h zi*~_eDHE8;qZt*x{F`s!jNZ-BcEPQ4*pQrkb&r*&0}bwVbm>WJt@w(!znn;_)ux&X zo}F=fPGJ~lJ{8o@4G>D!YArihHfnOF=we_o%GxHX=p#vFm-D0LklBgmD`8LMHJ*vH z@++)%XDdlc$%yZRdi^Z5ZN)c4#V3o_Up(8Nr~VsADsXp}y&l6G3W+<>VP;R5I&~wH zj~3Zzw^Var$fHD3lL2n8Yw?7;)k9s2VCwO=}dd*yE3%KznYQ^xm~2d6uDp=J8f zP(ePzx0Hh>1Sx=Cz?oU?$uv@;MS-Lvb|7g7R6^rWbp{gzsPE|Q%<(;`&o z!Xh^lLsEe<>U%%dannZ0O@X_3erGfs>hRtV?LM)C{Q4r-C)RS6m2tJ zh8v9k|Jw|^AKsaa2=%QOd-Yv8W0<39W;#&g;x;f{*= zllZRgx?P)t5*rp!5$&6|OQ;9ky$|XUr&5zHf6Ci2((=xheymft+>E83V=?ZaYPwI> zRo<0On+?`Eg2Paz&?C7|+3{Kl&V=i9B%Ptj4`r;j=3WEE)UAgQQ(E4AvL<1{DjRVy ztECCa-RuH4(?UHph9T$ME}vtz^`W zVr<6WVx@p>TXAWlmu0S{DLRo8!c z+_F^u<>5;`T_>(GOUY@C2TNDeRKq}JS&wz3SAMuGJrtGT=E!!>A znswp_dCfzfVMShJ!{IyE=Vp~oO}Q=SR5cm zzMQ?YlTydKV^NNqNpUY--K^0>(pn^Cg0TdtB`$PeR4K(U>x^`CCvnfk%c$LC180nj z7NjlMt9B{wy|22Q58n4t5wGWroF`%x9iG{Z>B@uSyVjK>flZOoXFBf0o{h-X7AED9 zsEG#0MTtjmU#;}lZ8`&^(2t?`nS?wd9z*jNK~QIq-e)*E!TF4!?8BXv-wn!@HAQ!< z%bu|v$t+ee7i_G@r^}5GT8<`8Cc$vx{U#R{fiYN44pYCVc*u>qd-UEzKwKMhAefUQ zy9rTvzaK}!(`YQoi=2EoyYbG-mQqk?qGH-f&}NpU^Xf=B-W!GpwQp{Os=LDK<#Z?2 zbOIGPH2_&1wF1R%i#ns&ySxU9BA=uEz3y3vPLYqx`9V*haip)WqVtOr?1@(*G}smj ze8hA=B5f$P&AW$^Xcot5E9c|+#IJ`2)j5=&tyxY=SInqa&;Sy4y)njG4DLbx7xHy} z9k1f^UF&hf{r@Vq{~j*)v`K$?SlKMMni|t_3v?sAgAr0O*LJ`3ijvtVhZ^^IY(?N@ zgFqEMjj9gjdFt%U0On8rRK&J?^tVpxNNd2Cqn$}bi7+~ltAsTzCxQnt*{v<4E! zA0lNH)lLf9{4s{tP)q{k5tW{WuHMOM%IbZ?5FF5WVvyirbw7JuAs(8p1VUVem1s9=y1tPnDY<&99)%lqX zH|H!wBuyM&K%NInhds#B&LW-yGDAQMsLrM*H8I(ptWUNCv(%y4nWq-YbR)gclej=| z^A|~YNFE6nVU}ki^c@;o-ndAs$%0t2%!=%qS5gjuEi^x#b1OKv*~j2GUKoxk zggjoW48;6KrLn=QDg8*tmu>+4(22!ayk)VTq9^O*AKCI|j2hST_Oc-Y3U)WQ=R4KQ znYeQHCiucAT6X%CpQpGX*m1CQ=_2%m*tne$7%siCryLO7)CYkiYNac5DM~i0di0EO zuQP@Xs8M)ceg3fQ6=foe@_dR8!Mb_e|GV<|-=3UnuYdXvU4l&Y82wn4Q9lsAIBxa% zk8j@b(W;lfJwuA{^UwdVU!lqq6v(R%4SxOE=-*CCnX##YeG+)eo!l0L-q=CME8mHR z>A+x|wMNkYoTgS-!knd(N~RwXg_ywla9axBvZ2mH(14rDV8-#RR{zXD8YZYM8g&gF zl5tXR0SZ9~5Dr@^Hgt`YxG77F#e6K?@a$b2xuT-FF?08C;r;zl%&(DX9BJ$D}tBs^a$)7>7nMWSQw4* zSw<`)f1DGV{rn6oR{t3V$&Qt5QxghE*f`@0fQKp0)q^+%BRBtE4M(|C{JFBAazmf;a$xX ztvsQ>@$DtFHmhH773)jR0Irn{fg|aUjojIcf7zhN zq+Im1Z&sJF%bOh=oJ{i*K4t_Y*NFo@Jp@@g!jZ52bL0qk4mu%tVw(potCX&z3hZ*t zFH6?T@q(t&Fy__0gq+dzun%6> zpRWgPvW-b~mpVLXvm|-$Uzl$bcpa}0h47V|=IN@GBvGvmjNILYTmK#||MIv+;rzRM zfP+59PYC|#A`nIdL=iE$UfCqyH*ekZ9>Y?mYFYqs_gLRE8)4L^pTVNnKAyAVMT5po z&q+S6X5ubT&i9s$^;loguadxB?RyzuT}P<2xz-`hN9%`BsOE4u*vi7L)mCIH+HjEK z)7ycNq2rf}!T->M?%v3Tqc)JAUkopw4sX(|?w*9d4Imm9Ipb+#AR9XimE7?bSvy0;aUU}hZDAK7OieDPdD1_o zd z@`LE|)hA7)7@xtIPv%>@r#9vCc^0=2)hx`&543XJ>{o|TzzuRgLuN|9@BY_nY>{hZ2p zo^^B}KN+MM7X8Z|G0%H*sxCYYvv$_v>g^@ykBddmurVbIC4i%~hq zWYU7oP+PKw7u74}sgH;eIa-g<)3^$WiAR0I&R4wIQQ#oWwR>qW+zL+rWR~o%WjIiZ zi!&sW&wqHR;D?9)<-tV}Q;wKxB>KpP@NLeB-^1DTW5YQACd3sY2LDYiZqZ(EcPnZ# z^3z(F2ym|?&hvfiVN6hCb_Vz|;`}_zfC=nMaeIGhEQ{tbIHl%_WrnQgZ6hjeR8)Gi zFnLgsrEXJfWRjWAyNtFNQ|!Uo_*ERlP#R)qYL%EA3prenADb}wcJ-H*> z)l?IS+>6s{TM&_S-PH%H+G1Pc1wUyfdjGr(F`L2fdUJ>0B@UH?H_*|8e5L96k%>_*JH^8(icgUyrT- zzLMDaCOz%cxt;%^jg6ZL3; za-B-&kb9DivlV^b2v+4l)pX_kG(^SPN6aDS7bQbk7GPT#-4e;OeP{*>yL=h9c}jzd%TWxpY5^njkliI^ViPlszS4DG|HIabba|(39zfL)El#Xt9thDN>f& z`}S6(+$LA|-UQW0E-? z=ZKcd=3@pM#bI8tApFyE&rWRx2`IGxk03FOl(oM+kp6A9S4pZT{=0h^bag7|tp2%i zHbD3mVgE@XcD3w!`|RhJ{fite)CCJ%7-mZODau*reW1IFN7iV=xQT0pVsph99-T=b zr?`Tcj=#;qYY|FTzOnjL*dxJXUZ0k6Jy8zc`trH5_X>V{9h1sfFA-ae@>#udcMHcj z8T5`BPFB*me5S{$;iVS_u`o?pf(kUP+X_18C8+G~sUe9+RgF0uBvdB``zVYVS61V6 zNeE4q^42@w0ZAHJ`ITIo%9ZB$g0Kw|1o_&KPydmUP!7yo!k6Is4h3{5CsmxHf9IMe zhtP>}eQ3NJDWz8Fjw~)YLRgFCmRDjWK7*b#)0q)V+Y?O7{TkT2++z<7Tf1U=q9JBF zU@$29M~SA{pY#5>cn&!frzGyq_r9%Od1rT4#?S(^N#qMi)Z(%)Hh@ihIP>D8`P%$5 z^i>=DOZ+zu+_xmT|L;f$4dU6_1^LeFHZY+Vr-aSg=Ghu$I*G#>`5|cIM`|&QnaHWM zfj{a%OnOD70^>FMsU34p0m0Fpk}Uf~{e`jYrBxxb;k`m=n~lLrwHb3=z>usUUV-st zi}uhLMAxI&=>?Q{9zJZtQhx%4Y&U)s^SEv?fj%wo;ZJsuOdk>Dqy_S8ZmNBSkc#vk z-<`!+e!yI*riHYMEKA9wLgy*7uHENtDy_~>W;J52MnfHdG|IQS&<+J%VVSNB{pErD zzgdizl$yUhv~vp#&EjX1eY6k(6W?moZtosGuP(MU$@xY*pkE)5ATGyHwl>XFbt$id z_%58W5jm#=FH?s3UB5T^EHjzLje~ZKM-v{fI^T@<758^``+njqn6jP@gXQX5E@faQ zK0%y%3(`~KR91UsQR0x)g;H(2pm6sbtVA=uAmVEHX}em^(rfM9@o_?5DqG=)ErBgl zs?laz?9W~J;cn9-?7PqAKxD{BqIr)+7$(~=6m>|keR5o~kFp>@L(v-q&2h8kV#)nM z?kT~lk+V#F4zw`0i=`jzPC`D%V+h1N*u+0k?2_LPc6*W#XYqiCLugt4Wx{mcWXfh% zQ)l?(tzgXhXAy14#fap6lFP+p%Y2o$-Cfs2c4%O9K3{Kng&$tqdY+u-Z1=>ZQe3e_ z{LJZ+jNG{1)nW--$tYxe?TyTq!#k%>@^k)3?2~Ck?~3laq}%{G>}x<8G?W)GmSJNO{hm+A=A(Z;35T>Dk>il2d(d@z%=CWFjXT z?(8<*AYf!yXfU+B;=7MthX-EVqiHRAV9iT~97{d!ijBD6U`c4@TbqprZ7yUP(C2}5B{Nk6_G8+13s~l5}<@=yoz@G10;UWj&m>@xY z0`|Pvz>dE864w}3$bWdK5Y>VICU>@QGuxA*@AoGR?g?(q7BY+X#oz z2V{cW&vf0jkV++ums$iV?kwDnG&vH62#>w4!}6h$ECH(zUo{wd2n$PQWu(jAk_1t| zOLkj!Pgxry%WQat^$qTG@3+aMa3JW@8}g*O0vR@d*Lco=oAt(Ztpj3|BP0>OD5PRZ zlvSGD?V@{@=bJ5i+Mr?vMelIszCgV;Ul^&JBFj^mU{R863el3nCq@VSohi2>osi`j z&S#!7CRK$IE>dsxT#8*Ul-=**SVThmBZ75PSqCcDOqD<%?x0D$H^EC`nxA{cyNkUb zVgpCQQlOzm;%c>cipf{oZO0;MUmUqK7D0}&1i&62@{8hfoN!Nr2cP?r%ZXzsJh$raXU`85LmmB( z`KLytJd}bdK4tYE!EI=(!d3o@<-8G#xY4+mQ%hHaAp%m2 zB8{XQ8R>NT*7o;BZbd9YH}`$^K4$0mzsu5;6yXyTko3eqskQ>_MBqwaj{9 zP31c!KlG>CKGj;Hv{kW_R|=RtfR=T&DTj3i$=v-H8*U7QEV7hq^kP>MWm`YO^lK1n zl`x;hrU(6v9S)QuO{GKL_jiTEj6Dkbb7G4KuV5#U5|K8VE1xji1Nagz$?2v@;6BjR z!)Tmfxgfas+VJ(ck1RyWJXSt5K%m!c(BDWS(yIrN84v3zw#s14wvhxAp&d|>8Iv(n z0h_cFzXg-tIX*Fn8yFqtxkJ;=Vx$5DfBy*pN zmAJ#WVJ|Q0jBdkZu{1$KhtZNisycc^S;UgyRC|5`g77C?D-RqKh~nA9W39hXd@nE= z%|F3c`x3-?`sdehr;LJh{T@+j&n+NCw0a-F(_|Bhv=BQNN5|k0Ul+u^Au-ils&z_F zYli8%f3CPk6`)6AR0rOU*1c`$WG}y;scg4=&7#OV%gW5maie6_B z0qQ7+5O%!jr`UHJf}?_o`y$5?(&FhU1F9dw5ADMd{8(0-J&g`j?Tj(XGM9(e(?2ZGj9cg457Gk(%GR73wp6PJ0_;0iHNq?2T*s~ z2RWXRRK7OBggXqSR@bR4V~-9lK{l! z96-@}dAvqm9do7uiaZ(bdkVKRNh@awX0= zAG_{z^<&ih4sQ>Tm+Rb7tl217V$=xI&MUw4^B85d;x~@CQ%On(IyvX`DSFeM5bscs zRY`wexuLE@pu4dK{z)tBSy;V;E+z7Q<{Zs#(*%NCS+p&(c%1gQo&S#e^Ku2$N7)<4 z#c!{z5xIS**Bq3E`@}%UcqxyQ?=wlvu$sCd*F&nmWeE$LLSXlsy#wbMH}x}>?;_uk z^75(R5>F~#Vbvic$-vxO1Ms44w(?lg(uD=z5LC^*B8RiA1AVTp@)~}BbkQ;D*{XLM z<1VHOF-*c9B_vb~n@ECFYcf+{q(R#15Se;9^E6UpGzCUj$Rl_~Gt8i>3AP*%s4cAbt!K6CGXu>H|5jSv&>tgy*u>Yk_H6Cu+x`u6MO8z~#^PRCy$2Vae1B+fe4 ziLW$aO;{|lCR7L4v_l_Dbb73vJp!2LA0GcqJ)c7TKa3-Lfrkp?N5l*3;Uav%7Q`<# z23uDRG?H^MWPn7U-jNe7FVZu1Dy$w01rgOB$648C9n8{`P7&ltmjY^MgSW!Fp;HjTUg zrnzqWCBeAyS%mUO0a|bd7lllz%jLKfG3R>y+a~|`=9ji*=}z=|_(aujPskg8|G4kM z1$8O@Dc&c@$#{c$*7#Nq-cX_OqAoL3&GMHB&q`dgW@gPzVzQoIs4zN-j(I0qMeNB) z%K|CH*O||bL(^9`XT>}`s$F(zVmX{-j`Nk-IvZ}iB>VnQu6MdHDhB3y|4l=#_8xGB z@RJN_<`hT8 zfl0>khUoa-Uri}^>_&DBaX(qPp)`p=jD_8LX|xIU7I@HrYD>gJ8Xq5r6)qkGb_xTX z1V;sd2DCtcDn5KGf(QWFX7zPI^929^00Mxtt&x#|qq(h(pv@oK1qNfFqZ7TejRVlY z$c(`dNTO+OZ4Gp=Hn6eT@l8-NaC9`VHn1TwG;jnO6IlY?i5$&MZOm;3;2viGCG5@tglgNZF$avn4~N^wzaK zu1^AXXN^LN#h!5Y9%^{t37`DgSX18Wq@KOJbVetmiVH+fymBj@j1>Nufu6MkwmQ!& z=Jlb7k1{u|`Qm`zIh~HzE$lMyow1tt_IJa+3x@HxV&16Yxx~txG*GgAOynoKuhMAA z?c?**wI_<1y1g0DM#WN2I=~`O^L!NGk6lTqawkmiJDz+TcVY;QGMgqu7F$+nBnRV z|E;-tIm6K0CuceA*1ijUOeOl66J8pkvG8<^RfBpmO`WNEQafKJ zHM|Iw_WW&8kh_=Kw(mW;$(nbW9X~Eiv+}+(yJzX3 zsB@H|j1?zW|5S1d1Izr&vL6xxRPi#;{*OE~Vv@=pMl$vM>+t~X0oK(q@+xb9cl_d< zfn|RLvid_9%(&Mv!)8S&M)f%nR4e2c3e%Lj0(}Y;#_Z>HTV*V#!C};aHc<5%wRlS z&OIhEEK(puDLeqQ)eZXn)09O`@F~ioVL!~8{mk0a>Gc~lQLlicj!8+l`;i#GkLFk#<{zsE3noz z%GA>aw>!{VT5F#Sa}gPA$FK3jJB?VKoAm z6LlGs4F0HBjv+N-8XC8_*23JA#Dcyw2^AR>@G-&e3l|x)4%7L>n_>>NF~Vr+_I4sg zd^sru^(9U~m$j#SxHG*d{B#@HWM7_8pk03DrTl3#5;m6z;~X~FVu)9p=!HsYh)q2h zFH~L~u|{Xj6c?z9i*7^Y)5i(H;8qw8e>ZAr={R3Ns(d<|!J8kV31EYcEu`@EzA2ga zPk8>xH-EzOiuSLW>HmbMbQK<8c%w&7{(QR*a_R~m$YXl=MQl#T2Ux2E)^tXT_DW34 zJ?DZ*FI+AflRLJaT21%fAhRp=8iDlVn! z%fwli4qb(q#f{M|#W7UsBmIGn0kxyxu6#X=+?jdyz_`@XLKqZ_$;g&ND$JqvvD|>* z)ss*jqxOr)<(rAOYA|DNY{%EobWe~Vn08gx2)D=@DWv$X{Z`+FJr^L^cQ=Q-Kxi?= zBScuke1TGiGXX1Zj{NX9q!Cr)2o6Nu?6$uXzu(bT`GQL?Y~+ZQO?(-fYeAx*@hwd1 z&dpcvgtnfsqx>{!-LdA|rWbI%7b6=G&I@LebF~h0A7|$ zg=E}r2UwU@umfbMoIGap9v0Ce=OtRMpK^QN|B zca))MX5D9}#O^&4Sfh*#)hZe>iN=@8(H^Vm05^(T$vVzpuEHe$t@Ie7nM|bJ#$~~H z-a$5o!5KMG1l1tzw$H4xHVnF}=A_m0mm`f@83Wf3sAEhww)lv{ApON-u@+r!RluUKVI{riVil#nX6gnq#q(BHd_ zBkM`d#AND>B9?uTO7j-HquCthw78N7;vO3 zttlGsM_)5sdwTZl6=C4gyHmgGZl7v928(O{ASLR1S`iSr>WVHx^l+DGU9!{O!Tqnj7wFwwtvdB!;ray7jKbBv|KOZ(KZ2Y zTAob7`prbsge~cPWGx`kO7fL$Q)8>W)Xq`u=a3fYWutRgSQ5r7%`e2*9-QorIB~Ub z1AD)PD5cZ3UnGYeQ5Z(Mg3`0!$3&;G3D7;e6U#wqLy7>0$6L#qd3IVxN0RJO^HiWC z3E%y_wSi0t99~q9VyJz@JFag(^3qJ0rs1;8`PRYw7ML8ka8PYHcW7ngK`o|}srlXZ zQc-r8aghApNa`*@PsU>Vt>1^;rb$Ru&=DZDc409ocWPhY)`?E(X=5SB8;^PlH#FNS zD(~b`+}g@9Yr5*61LeCs^zaG)VflyK_80BOd>W4x5%G_DUOcM9 zBpN71ijNq)Pq^4AQ_6V8MNx+^vy%J(VFpdD(8B?Chv(Thvx!#)@53lOnQt1rJ}L%Y zf6&XIQ-t3ZOMnc`@S9RH#P%JaXzxbkCfvBR7tNV@B8N6B53Rm2p=H7eU@KrN;KdaA zUeL7uuAu(FG14FWy`;=2oL;jn!PV%=xuu8{cYsUX6w|u4<%ZXcafrAd=!fADL{jxC z;sACi3wM5L-Q; z^;i(ddIe}|lE!wvPC{-li&xiiTt;s6pDkei)!Nk5eC~Kx%EaXn_R2I*QeXNM%m8(e?1nHc?FVj{X z=K{m~yRH#x`&zdEM~|P{PItELp4TKKGWpvW#B47Z7nCB&JztKEK{ZJKAuMVO*D=M< zco|&14N}yo|$fJSPH#5nu4@e}7ZpnDNioukwn`H;B8^y+FXY=papU#s&Y% z!N~`aW5%K%4|Dlj3MpEP5HDhj3p89yV+|%rzcnGFc89@NGHI-0>>Q_jTx@k~HA7^8 zI1#&s6|`Ql^!uJ*M=!BZ{>tHd%SRrcC~0!XF)3HfE@GtlD=GQqc-t>oYtIjsl)a^5 zVAq%^l~saBw{l;Jie|sWNPX`JZJk!xy4XpYIL`|2r7w=PAhFBcxt^CS(<(M#6;XW% znI=hccq|Dz0zMyw!7(_v#(-Oml1g~Q8*Xktqt0`6wc9t7zfm@xp(i=NOrXUDd{z&az(hQZT2KBi z={hQgcBTr~SYc?(zlP^oU}7>!984RP&5FZ!I-gYzunUTFrHLp5OPF$a(m-ebWFien zB=@UF5L6et|KhsoNcj;8+0gsgp=qWfJR57|VWY+o$|IZWA5(k~CX%U|fBh4mz)W5( zrj!1FulGKSNX4#lIbTfs=CnIpX;)cRqtrs|?#|eL(nH5H1qGw`)la68y_w(+37kw# zg|8$MBx5Z-n|qJ=mc2gO*|w@F>98Z#`S;LCdSN8&{@WKV(Gr)ny2?9V{#erJUOis*B!q435@T1z3CrM~*|`(Z zAH=MhoF;t6=n6+Q*<;80TgJeK^QTCN(rh@ykV!PRQY5NohL#YwCmxl33cxlY#`tV` zas#VjA}Vl3qO~P)FGkL%?LO|^0Z}C)R@J8&%zYlN8zaFYoql~>2}J2Nuy~nm(8Ti; z>GuVpMKDKWFw8Zw96B^|#!8%frwg2Z&Gq^&lxL_ADC|0mbNrg|7QV1GtM5ULBWn}T zXyL*q>jTpXGs7p7dV)2CBPu;p?Ma(su)0{rr~2&uTE+$@Vl)jsYju4z^-Cv}pW&~= zm=}Z4%Z~$|N;tQlfi60){BUdGyH_4rjJnZN{>K%vJ5Zlwy)N2XVdoOxW4(`BQF-Fw zjnqMg0oVH9Zlt4$yArRl77iDkubnxmO>z;u{ffOPU?yyR#-f*}VSCbi?}5jA&x?Rn zIl0>St9Vn#0!i{C4;&FPEGwG56Hn-`q*|-;rqbP78<^2v#i1OXT4KL4a#G&vCnpJu z!>2Ut-#rC3tc&V;85k3|4jvD2T_4Ldo*83$_nn+tLJbzw)m+=?rjw>ywo%L6H`wgH z*Uhorp=WP^@da+bmEI2(yN~ZRFjXOs)I}{ADxbJO3!&ermy!%}oV^~c`|0hrj_@6; zHP~n!9&w&{$8{KS9F!tgdA0G}I-Dn>W6w<0XV=_kN0jLq;J(on;`Z|bg_gqg!(I^M zynKv#EL8~K8*VNS5knRj@7P?fFn@fP(TmYOcVRihFaNH=zvCI@o;N;I$YG?*FA4vv zmY{xQt=-LVql|Z9n*7s4f;Q@J|6dT`U;e*H|5$**|7`*Ghr9ncePN5kd?RH|~gf_IUW zzfb&YxW{y5@tMFu1c$6hiYZ0w%CVN#`EoL%;hbXTNV7@6I3?e508Gu2^`~f7O`p!x z>8Gr{w^y{^CX)oxwj1{ z7+`6j2;hqHnpq&ofRk1O*J(vk%d6kAUoztv3rR4}2eI4TODMr?OP?nOkN5$-=*f$> zxn4?!;=3#u2F|(PiaALn=T8g?h0xg9g$Nra2nV`{Ruo%Bd~@y5$BQp$c$oMh*OUjO z@I26l3UBcyK^6JISISI$hr~~9*DBV;IwZeE*`skOmUl#5*sH*jTe00}!w03a*sNXE zh0bsfSGqlyn1kzer;L|``7{fkiSpr=J`^C;;7w-e=%-RpzH`YlC6H#BFDRzQwnes; zPLz)vR{n4X&Cj{3yw}#!NEp~I=}f8tB9{&*E6Ijh3HERORw)_U>PaISdgx8S1w*GmrSW z8*WcV!0SBNetw0>uT0iS#vH;BLhUT>1CvKZ$;}aavHN6vuioL2dkKAi>4XLkOd1+M zmLzXcx{3bz&Qar$K&e3*`W}^U3{Pw7rgq=H?i}si)>eqIJc_%M9Lr6!Z%QbR3z8K5 zmi1;FtW9&O-Q!_==D^{Mud;}eSre~Xw|Eo(yzzz`52)&Lwt0$+k^XrI7kF< z3msu@z(#M%txAVAOl_0!nK&PuEd@@%MJCF1evv0)F6BM4}arD&MEji5k=7+nS7 z+BoY*zx}rhFqg1{vyCm0gn_xC6_AKZ&JJipq-5*tU<4!*1-byOZ0)RpHcr$;yoP_S z6Ew0iceMN8hqpn1{t?t)rhRbY?El%cPfk)Qk>MLgFQ+~-Ad!;65KJT@kD@IAgm@!U zyYa2X0}N8$M{bGxN^qr`J0J0)X+ld)cBhr8i|jJkc(TC8YjP=?deITu@|~5CvD7`xKq);2s=Q+8sFEkk+1YYW=lwnzP=+IdFOS43LF@de^g0d0`-mRnZdRP~ zji{Pc6fdwOdO*&Ec%Zf_xGZ_~aMW{B+yz{bb}s9xT7=ncaodG$z{mUBr3`d8HAyJP zWPAR1pkY)o*#q~6J&{B!xI;A@5q;-vZaJL#JCpPhtK_W6$?v&M&y5;im=|#P!|yi- zIYf}sU+1&Ne3Z8%Qw``GJ9;y*Y8gn_*K<_z-a@{yg8&1-H+-MEjl#*0C zu5`wK!z}xz1H7$i)?jnx}jYQ`6iLVB_ zX4y!BU?z;m2+8{tyN;<9OwJcKzA61;_f|wuaOD5CmR6M4`fKLz5RMG+N~3mW%LkB& zK(^DAmt^r)XExYKfm;lZK&NF5$bdq^x+tU(`g(j8VI$klH=Cg7{Pt&*z`u|-D_L=T zMIM}T!qkNd&Q5pgcd+cPC^q0`B$IMs>_3bLo`i(k;YyOIoJMo+ZqqmSE_yqF0i_5* zv8s-;sedj%O}xkf()8rj{|(Yxgw&e2SxRL7vhHV)MEin5xi*Fdiizyi81!9?rE1>T zt*}mL3hl#Y$d{Mcj0Igx>u0Zi${&_f-`P@9!~$^0)R$B)pXdXZa3)ABW#z>#c3Pkv z*1ZD5$>(@=t9u!Ca;{-I)vlI`NaE{38IEb>VWn%$*d3v!o~J$cVYbuoJM_LV62lY} zfO_8#SoH7yXGN)pvIy zTP3=TVOLPFWcM&U!aHPcfL9C9=xfEBRa_n!Ood5udrGUxzYFkzgK_RYTE|Y$W7Imc zf?=twPPD+PE8WLK?uHV;S>R*`Uclo7X zm74t`glfkgO4qAiCr0*nU5fPH%7kF#J(#YD{j#d?^y;#riM%xNV~`DPwd&cKi^Ks; znwdVVx}vH@Ea?cX2_Y9UQKoPX?oZjOZ&f`2y()=cj6?;&4nv>%%zu{>pydCQ5`TjU z9^x-B{V65>;g7B`GN5Zof%gP5)v--Md)Ja1yPvJFu60$>?~45Jj3qfRp~?aL#8b2JDA97wt|n82Ft37KaezGFiOh&t5)9pe{m))C^J zNB!f^J5?q~$%9uC0?ngapMFpZNxgMtqa^umQy2p=^VKwvOi~n!S1&3TpGuxifp5Ru ze)>aM&af#s_2sEzgo9XlilVUwX8qumBZy_KMfsa%4*X{_2>!U0NHx09f4xXc{X z-ySs-0fQ6y4Sh~!7;SECNr(Bm6xX!Hi?bR3HWCH>Z&$$ukD{pJz=4o6}FOP zbeh_#YE0{8zF>qjbtNksODfRTDK7$Y z=i*B!hI=B*F-_1^t13_(Gzxp#OA`?Ueex}w=}YG7API2iou1?0R=_2*ake=SqSxCX zPhW;J%65rJ3IH_vwyVJg434FC(FA61oe@f=RBVxl=$@%dd>(WZu`<;Vy9&#MR@1)n z_7PX*35}h$gq|kKeZz;_Cmyx-tTFzf*(d|hn<+9kahf=7zPDAI!p$y|M@h%+mwv$O z-sYU8hZl#<+;CfvSw=IY78(X9Pho;SVaan=wp4TjA?jdXO#|^MBdI#3`&-ab&Hf+0 z4-D5D2KZF2IGZwGRBKqZU=3*zv>@{){jYVvc#f*{S#IH>N|49bk-QpXVFcl}5-oZ1 zwsY-CDi(qd;`rS*VB{WFB4guY>2jjkyV?>jp{uajzTB!m`VBsnm^e@lF@?81Y#wmR zU7yiWWnuGexgjj>>Ues2?yS>BrrUDSD~V# zFIv@s#*^G3A2%id*3Vv_pKB%zlLJWT&wS;na~OW5{7{5h=kcisRxU_ir7MtX3wGAB z;(8=3%FyUrZ2!9yVpMVhni$yF63G}iIT<*Z+n5vaI{tl%!Rnt=f~J33w+u$M*8E|h zTz}aXlR$v}(b0dJko1Q=`p=LcHiFKMJ^@Idj%nBgsem8eheelAn4_+i_5IdodH!_c zh0e^{PmmF58YxMB8r_ISVbwbiNk#x_{@{EoQ)f2JjU-#!*8(4FOle#EO`SHO8^C-h z7KvP*$r@6qd;mquiayW!R6z-U_60I^yW4SDfi$P5lwq}XO|oJXnNRoHx@U#-Q5+lY zgHHN5BPLJQvT)+#3tK#kP4on9vv*Qq<~Q}ve36F9-gqf_x)cWilTI<1LA(9RE7Z5s zAT`as64ldirom1acd`rBJGG(i&|`V2S4CSIP&?1X0l3fTv^Nuy-qd}h7!1eO*aeO@ z!M)y^P-p*km9CMolf7}+5$AbIq$E_g6wsfi$qyl)?G3;nBy5B;VsA!#%m`%;UbXI& z!+L`(lKn5ZnIteniQbNUqn={K(FReze$-ncXBM8GYWs>h>SN^SuU|sL`{YJa8V^NppKSsB1|W;nm7F< z%?p-Ah5(`IlOVgU3Yij6n3eZH0J>i1q^3S|3q=HB7Ju0G^$zkVTXrMR=;qMV?+0uM z4ln!~4UTPWbIZJ6uL5@Rc1))m-{rT}|lo*n=3L zMAd#vF`*5O<_UMQLQy;^_&9|OrmPUeZC_yoM`cr=(?4!rt^{t zn!z@gu`5HHSX5>Ms$~^wz48DxcLh;$+$FUi)$*-fNR_+JG;LU3_6f&^xf-+YC*5Qe zowoO>%$;`wYjFfnztirrt0?E%OPgxHBezBgXjHW<`DYQn%uj*okplVF>z>Nc6dD_k zp%h>D7K@o$AdRz#IW0VnXX~Bv5F+bbt7P(~`mdgQ#+ORx*S)sL_(g6yKZq`<9@@W) z*VBe7-vv?&7H7W5+nWhQpm^<&s+#{QvK(7oh<{YUf=| z@gK|#V=UzePkAOs%#>Z%qV9SBs#*SP{L$Yi`D^^qKg7_~M+W>%{dBEmdPBkx&yk6z zQH^ufO~n^5$!?7Ps=Gg6l5vQXpjFa=*E#Q0v8z9 zGD|Zi`L6tKsz_CU$m*Z);=NXmK7P2s3{xabU8KgiMuXV0w=Dul1hWg^u z??pF_&QB`Jh}RSx1m^1HLN0jrqE^3xeF5UuS(cUE36)F9q8p6nkA%}-yRbykp))spQ9M3cYDs&gGEmBzXU4^SO; zoA90o4^#4W)+;<)S^9${@_e|msi^+yOs-pE=xgx*0iKbJ_w#v&wgi5{JS`XLO>KZ~j21Qv~6It0Ol+ z8L#BQ8UG$;w#w)z6(4&^qJI;w;Icq*TgK1TcD<1u-JHLL2`isQ5S3_NAcNs~Nkb&P zOZs`n#_K2~cmWq)HdWy%%(evSzI2$b@=hhal%VRCN?N3SwvU$l2m!G$nmsLfDNkWc z&zrmO)i-Ef7<1{~NVG;Dq6g{=;|;yW7_Ufn^3O6vK9FruA>X~yVjLH5hoKPrOi%MRh{fD z9y44Xv|GT#S2a(Rt|5d;{EHhiv1UZ%Aa28%Cz-(&+I~riw`u1z^_xn!IG1fR^sxg- zF$!DNNfOEFoMZwVOQ;`;*EVN|5&;3XCgHZ~LQDifel>9O35=YQBA_a)=g0};3 z$J>ddg6BlC3^N~_F~Zi9gDl-wk#y#+qOyO38-y1e>(5vI|3PN(5P!++-{m9>4)v+c z=wo4kE_55RDJ)y@X5^i)=3dk_e0lpqCcb5u&Q%Cl(n0i|r~Jg6BKJFzBJoPbDq!-? z(U_ymNL*_PKU`mG?YZs=xh$Z(%0|nLK!5{N`14iU&4&T8b zV2JuAPF@yCX~cgI8G>xX$HpvWf)-L*po~SRBOv1n-?{nj(WjZ6ESJ0NsW%C2yi>$t zdgXU;0Nirxyo%X{oSQO7m65up&vyv^XMg&Igfts(eqB+9veueMo6gA>(Xv~HF`+(7 z<@k<+a(E>;2yH@e8dCdK-RK@H=p*QWu>t)CsDwhu{v26lk*1GJ#k7JGxSGd5RMVcu zPX~bpqz4fJi@w7@Z0PdD+&8KP04oU5K8nOemELf9w)i|nNfaMfQh4NgX($Oc%kE6? z4ciX*2f+KvFVGNgfrWH(2WYQBIHzq@=c9G!mo^BAmzcQXv&NbfDQXXPirfj%O)K#L zJfZoPuw2z-FUjr()2;-{FoA#=p&ylZ$6*dr9J2jEQ{@7VQ9*fhXuFxE3bYB=r`}yX z_x>uJdpX?Jbfm^wm_n~|H(rVqcL6efa=vzFrzh=!JHoWYv#ge*G5kkEwQZN0s38yR zs^D%-^i1Du8g4X0Y;oD#HNBBzPP2s<`Yo64%L&5XS`?O;Fa5Tq{d556w+p>FbIQc6 ze^U)t%GS(=NYoZc#A{(|W+Mo6GqAR^0{-1`{WqjJr}iC}d&omRQGPOQ33-kOWr;6C zfc{y^zmc}h>ieIN_RlR;5zv5C4?6@GGiBoR#tq>JloOwoK#FQdrV58vQuBG5n8d8O zDO?~AOS9PBbnchMLBk!8^;U%7*@B9QA?w@FH{Zm?<;Y$wVz7)=mr7;m)b3X+>L`Q` zX ze07yW3t%TfVt?e{yORC!2WkJ(VB!AzUMS{gu1fB^ep+aQxi+GUp6FsZ@H&7FbYo@h z%-ITk`O#NQ3tO=HT!Mmi>>By8xTIT6C&I_0O6JEt*s3QnxuKLqkDcC+JQJjsT|X_+^S58PfR$|piii%9=tH<`lZk<+;Y)H}grmMDCZJEMvkRS_tH z9=Es)v?BI4nF)W6Jx^<><`M?}e!gIt2gYGc@ zPm90;EV47g- z(mWt!qyc1F`Ac7a)08uF+d7<$ed5BHbdaeUYEd^s1>Ls3%1E=y}NqaR?z+!B(WShebF2dM{->5my8Wv_gkv>u{Lx)=`#6+!u$J*0Hh|B z;EYXXq88tsf859f{Z0kjbrKQ?$*xlRl%Rrd^$1^;3mVzK$thP$-N&COtc3uT5lIHj zl-c%f1xpU8j8GhCkwVMoinDx}Lw35%^gu3J(FGzluXaSscKfaLn^Zz$j9u4xDrBic z#hSP+1zhV&=7%}7KjP(#eOb7#2M*{WOrpUp_H=J zD@50H@04whc{2tDJphb+wCj?_5q^p zz3%ZedM714_4-zk8;WM#;)%mWzMaJYCX@>NsndW7Jl)HJ991BpzAH)Nv`qg7P`O5rAHdzz1(iVeF`2ip z-^fIBixEoI?xDlc4d7%8X_t;cn7@RMNd5?XOuFfjdI6;qC<0lXp+aUku_P=+=iI@_ z!q9Js->-UXcNuEUXS6ZVJF9YCtnuhN_Vi`?;?58 zK(9C^q#C^6c(o5mWbs}-)#IZsCRx<52x=SCYo5siv)dBrpSma@Ht*>AlOc6r4HiJ4 z0Ua0v%XhHfciPR&id{i-TYS4O>n?giI|OZfyG)+SC`Jdznq+`dff6A0lSEhA&B_Km zeG-I8EJfpkP!j09#N=AFEF>eQqng5Y}IFR_trw_Uc9I{4@zNs^#SGQ#A<| znxkb&JleYzp-Edr#bcBBqg_tdeUWSWH;%{tg7=9?FKf`;@+ZC62c>M(nOc&{Zs}t_ zn7`;qf@w81Y{Yu$GWu!Q}x7Hw)LsilcWG)_-S6 zR#5|UOLHO>pp7jNm9?#hxs{axkt5K^*#SuOr!_}S#B1yfw6PU*02-SaIQ`wJ1Nr{f zW`GNW7@SHHw>@^9YT@3jp0l_F^*AiYtO^43&l3O1od01P@Xy8EuuvZiwD07HG^ix( z5Pals7^)lG#@S@VpFPnT13z})!UO=;6zP>jS5{}^zXj9a2{Qr%VIItB)W0TgWIx~3 zL<{kyDaoYy!lK8RJ8_azGl6yp7TO!0?Y=bd*=0W`T{?ZG4zZ=GGvhkbzRF4%{uC~G zU?(v+F0Pu3(4uhjmQ6x9A+;5e)k%9k-u76&?&S45{BTdTSVfcWEKw=Y!@naMYF77H z!VwmlaiKa_v{wO^Gqk&}2>2c#no06qhisxXD=CoLg_FyiGlOL=W8GM6hXSkY(7Fqe z6s8~|-@+ovEoY4{AB=LjPr{9BG*WTioPLHV&xlmiX=wHm8Vkbzf!x1Txx*`M)ynmI zaX($Jf#s$P5J3>wrR}oQw4eJZFzmf*GUPYiT{WE0+_A58u!eprF`PP;RUks#AJ^pC zP&3oV@3e$pgM;~lV=9Pg@X36uvnLwNEUygKJ!TutU<`d6%+})3+fj}OUvFW7DhCNM z9~!L~@JZXOq4XT0U;_ay;RLHNN6WF#;Q2Gug0ieP%qd0RcUl5bMUwPO$`?FzJiL zS=Ohou|Ch!{&1f*4bXmckVnCt8(&>biS?`-@W?4}7D!W>`V^nANdE;nj=#16ME`@p z{%Y&|BP5u2s840dsutJyGcch*%knTlrdym$q8Q6GM zM9XT_m}YHMI-Q~KWqcMo5+CJPE&8^ZOjQj+tV<)WlP`&`5S~zQxWVWeC|VoX&sg1* zt(;E9m+u0QW`!=Ytm3Ry@32Xgl*r<3t~nef8Pu6**Bb1~ox4XDgnj7$eKv--755E0@g7<^{ZVH3`7zAk_f+5=+G@g$NUL>o~_dO|L{9A48oM3_VLVY0hqGb`8#5*!w|yiK{Bh@q{`AhVGj=58L~#I5Qf${-5oTz8f@n LgW^y2I9&e=>2^@# diff --git a/sources b/sources index 0263421..bb1d91b 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 -SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50 +SHA512 (gnutls-3.7.4.tar.xz) = 38b488ca1223d9aa8fc25756df08db6f29aaf76fb5816fdeaa14bd89fb431a2e1c495fefc64094f726337d5b89e198146ec7dc22e9a1bca6841a9d881b0d99e6 From c8d9176d272c2cb4f3719b4b14f95a33c5e45661 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 26 Apr 2022 11:28:27 +0200 Subject: [PATCH 061/152] Add dist tag to release Signed-off-by: Zoltan Fridrich --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index b7f1a91..186c77c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.4 -Release: %{?autorel}%{!?autorel:1} +Release: %{?autorel}%{!?autorel:1}%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap From b4e5f3f89f846e86808f4c72cdb70637467f1a4b Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 17 May 2022 07:57:16 +0200 Subject: [PATCH 062/152] [packit] 3.7.5 upstream release Upstream tag: 3.7.5 Upstream commit: 96ce6ad4 Signed-off-by: Zoltan Fridrich --- .gitignore | 1 + .packit.yaml | 33 +++++++++++++++++++++++++++++++++ README.packit | 2 +- gnutls-3.7.5.tar.xz.sig | Bin 0 -> 685 bytes gnutls.spec | 2 +- sources | 2 +- 6 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 .packit.yaml create mode 100644 gnutls-3.7.5.tar.xz.sig diff --git a/.gitignore b/.gitignore index 7c7df98..dabacd7 100644 --- a/.gitignore +++ b/.gitignore @@ -137,3 +137,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.3.tar.xz /gnutls-3.7.3.tar.xz.sig /gnutls-3.7.4.tar.xz +/gnutls-3.7.5.tar.xz diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..a27df63 --- /dev/null +++ b/.packit.yaml @@ -0,0 +1,33 @@ +# See the documentation for more information: +# https://packit.dev/docs/configuration/ + +specfile_path: gnutls.spec + +files_to_sync: + - .packit.yaml + - gnutls.spec + +upstream_project_url: https://gitlab.com/gnutls/gnutls +upstream_package_name: gnutls +downstream_package_name: gnutls + +actions: + post-upstream-clone: + - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec" + - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch" + - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.6.7-no-now-guile.patch" + get-current-version: + - "git describe --abbrev=0" + create-archive: + - | + bash -c "wget https://www.gnupg.org/ftp/gcrypt/gnutls/v$(expr $PACKIT_PROJECT_VERSION : '^\([0-9]*\.[0-9]*\)')/gnutls-${PACKIT_PROJECT_VERSION}.tar.xz" + - | + bash -c "wget https://www.gnupg.org/ftp/gcrypt/gnutls/v$(expr $PACKIT_PROJECT_VERSION : '^\([0-9]*\.[0-9]*\)')/gnutls-${PACKIT_PROJECT_VERSION}.tar.xz.sig" + - bash -c "echo gnutls-${PACKIT_PROJECT_VERSION}.tar.xz" + - bash -c "echo gnutls-${PACKIT_PROJECT_VERSION}.tar.xz.sig" + +jobs: + - job: propose_downstream + trigger: release + metadata: + dist_git_branches: fedora-all diff --git a/README.packit b/README.packit index 06da437..65c3b70 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.49.0. +The file was generated using packit 0.50.0. diff --git a/gnutls-3.7.5.tar.xz.sig b/gnutls-3.7.5.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..b1e591f3f7c26af957334d33efb4ff3085501d1b GIT binary patch literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrVtojB0162ZdUd8q zv-u(nw*>(IQVa%7W49>fM5KR_wVg;cFShzNT&Y1NDK&B`xlr5W0RL^^JLh<|DKQ|4 z8}_{OUkD!EFGKQ54zaNo>{ygpSwd zm~jOHVtpTt0162Z)&+!)*XEdUsZ0<5K?NGDVyp9oAj!B=TrD?H!L(8*Fxq>^>+_!( zX?Ub3u#)1@-RqY>v88qw`^m_WEG1$14ofMBfgIz_MmE~pVIAV4$rQ@*RrX*D!`I~a!kAQ(04)dm?K94|16jz}> zv1Z;%Vph$#iMI-N{M`_yC1hz*#vMYUnlMTYmy4bktI6P3Mr)yVC+g%CeKykz{>=HV zND_ePY5}YAhh(x1+mAF^k=^mrDC$^YNHeZrP0JvfqT1%*6w;kw_ zR>R%#rt)OQ;Vb*ELgr&6HSR6|X#6dJvJQ16z>W?Tk(Q1ystr(LRrw!>!4qNj;~>G{y)@OgqHv11 Tgh%PbJ8f@0Zcx^u-OUEF literal 0 HcmV?d00001 diff --git a/gnutls.spec b/gnutls.spec index 186c77c..6be02fb 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 3.7.4 +Version: 3.7.5 Release: %{?autorel}%{!?autorel:1}%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch diff --git a/sources b/sources index bb1d91b..d8f0c0b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (gnutls-3.7.4.tar.xz) = 38b488ca1223d9aa8fc25756df08db6f29aaf76fb5816fdeaa14bd89fb431a2e1c495fefc64094f726337d5b89e198146ec7dc22e9a1bca6841a9d881b0d99e6 +SHA512 (gnutls-3.7.5.tar.xz) = 2e4898e6aeff4f82abd48e6a442f5c9ebe4ecaeb0c038b76e2da8e468f6a7ae37fef5e8de17d90346f29aa0b56a08abf67fe8b81ba09dcf4612cc3b97b830bec From 960c18ac9eb5f12411547d6acb28978be9a84e7a Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Wed, 18 May 2022 18:59:09 +0200 Subject: [PATCH 063/152] Fix hmac calculation: * use the new format/location * do not redefine __spec_install_post which we should not have visibility into, instead call it twice, which should be safe --- gnutls.spec | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 6be02fb..e8cbff0 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -219,17 +219,6 @@ export GUILD make %{?_smp_mflags} V=1 -%if %{with fips} -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}} \ - %{__arch_install_post} \ - %{__os_install_post} \ - rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \ - fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \ - file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \ -%{nil} -%endif - %install make install DESTDIR=$RPM_BUILD_ROOT make -C doc install-html DESTDIR=$RPM_BUILD_ROOT @@ -241,6 +230,22 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %endif +%if %{with fips} +# doing it twice should be a no-op the second time, +# and this way we avoid redefining it and missing a future change +%{__spec_install_post} +./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +%endif + +%if %{with fips} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ +%{nil} +%endif + %find_lang gnutls %check @@ -249,7 +254,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files -f gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} -%{_libdir}/.libgnutls.so.30*.hmac +%{_libdir}/.gnutls.hmac %endif %doc README.md AUTHORS NEWS THANKS %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -260,9 +265,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %files devel %{_includedir}/* %{_libdir}/libgnutls*.so -%if %{with fips} -%{_libdir}/.libgnutls.so.*.hmac -%endif %{_libdir}/pkgconfig/*.pc %{_mandir}/man3/* From f080bc92ec8d56337858ae5c4cdd89b7eb589804 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 27 May 2022 14:01:14 +0200 Subject: [PATCH 064/152] [packit] 3.7.6 upstream release Upstream tag: 3.7.6 Upstream commit: 1f8b1ff2 Signed-off-by: Zoltan Fridrich --- .gitignore | 1 + README.packit | 2 +- gnutls-3.7.6.tar.xz.sig | Bin 0 -> 685 bytes gnutls.spec | 2 +- sources | 2 +- 5 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 gnutls-3.7.6.tar.xz.sig diff --git a/.gitignore b/.gitignore index dabacd7..28bf8cc 100644 --- a/.gitignore +++ b/.gitignore @@ -138,3 +138,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.3.tar.xz.sig /gnutls-3.7.4.tar.xz /gnutls-3.7.5.tar.xz +/gnutls-3.7.6.tar.xz diff --git a/README.packit b/README.packit index 65c3b70..c242324 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.50.0. +The file was generated using packit 0.51.0. diff --git a/gnutls-3.7.6.tar.xz.sig b/gnutls-3.7.6.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..70cb359cfa200e21bbf41fbe8a97062d6596949b GIT binary patch literal 685 zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%DM=asUbm5Y`2R zj@Raxag~S<|6D@l3C3#|Jf^=OwKKysslXB+p;!Ex&05zgiTPH4f-KUI^0rO|%5HLC zcqlZLJfI{ft90^YHlVmsW)tiIu5|vOl1A3=r=NDpLbuo^P5iV~Z+iBr#DLYG_l^-N z+@%p;65TrGX*i(k0ncB=DN2|=SdBdZ{z}TT7YJzgd1Gl)R-71t9Q>nrlmFsxeI4)7 z>|q#*M2D~Y380*5)@$X#B`lg0oraC@$tlt)#8EE*=!619mLQo7xciwU-KDl|G~PmX zY_{lGs%M0eh}D7x4UyAoekX+{eM$g-=HuV9rmaV_{JKfa+Z~^qu|4^2?Jp0oi>E#I zKXKXFg;k#?1p~(g-e*Y1yN6xR1Hruv@nk8NM7n`s3rV{Hw(j&apnj*?g(n&OGf0Cy zt$0!7N0u;x={}M;VX>uG_`zH0vX4YYSf8wj_pC&#>tiUL{%EMrFH8<(>LG!Ha_@i- z4Fo0C@#5uqcs zZL4w_X10cGjIq8Gs_rimDBxqByOUO7eR~O!%%s8ni;$kT5P65+Hn#qFy(#!8gF{|f z{fKo002T@W9Tp)3T}I0fb~FX21vOUmdUd8qv-u(n1p;D_l4Sr22@ra9rbx5-A`I}} z0RA~Yf@MX8iwd_>M6_sh73C=7B7}?+21`rW9!3W-oTC8%yxSB_;^bY^-$zRA&RE{( THJM||bc2D~!02dd{ Date: Fri, 3 Jun 2022 09:57:19 +0900 Subject: [PATCH 065/152] Fix %autorelease usage The deprecated %autorel has been no-op since rpmautospec 0.2. Also put %{?dist} inside the fallback conditional as suggested: https://packit.dev/docs/faq/#does-packit-work-with-rpmautospec --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index f00f43f..9f920a5 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 3.7.6 -Release: %{?autorel}%{!?autorel:1}%{?dist} +Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch %bcond_with bootstrap From eaf4e9d2cd62653558417f7cfbc3305b21b3a68c Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Wed, 8 Jun 2022 17:45:26 +0200 Subject: [PATCH 066/152] Drop fipscheck build dependency since we use internal tool --- gnutls.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 9f920a5..8500e79 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -32,9 +32,6 @@ BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 -%if %{with fips} -BuildRequires: fipscheck -%endif # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates From f9ad674ef45aa0d8e5b0aa97ba401e157b8a1a79 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 22 Jun 2022 09:20:12 +0900 Subject: [PATCH 067/152] rebuild with nettle 3.8 for fipshmac From 388fbfd3818192394b17c5a50f6dd6a46e54eb34 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 07:12:43 +0000 Subject: [PATCH 068/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering From bde9494b1be45f67a187600f2f3095f91af27a07 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Mon, 25 Jul 2022 11:31:19 +0200 Subject: [PATCH 069/152] KTLS supported by default config KTLS is now supported/included by default. gnutls-3.7.6-ktls-disabled-by-default.patch: KTLS is disabled by default and can be enabled by adding `ktls = true` in [global] section of system-wide configuration file. gnutls-3.7.6-ktls-minor-fixes.patch: minor fixes Signed-off-by: Frantisek Krenzelok --- gnutls-3.7.6-ktls-disabled-by-default.patch | 124 +++++++++++ gnutls-3.7.6-ktls-minor-fixes.patch | 230 ++++++++++++++++++++ gnutls.spec | 10 +- 3 files changed, 361 insertions(+), 3 deletions(-) create mode 100644 gnutls-3.7.6-ktls-disabled-by-default.patch create mode 100644 gnutls-3.7.6-ktls-minor-fixes.patch diff --git a/gnutls-3.7.6-ktls-disabled-by-default.patch b/gnutls-3.7.6-ktls-disabled-by-default.patch new file mode 100644 index 0000000..76728dc --- /dev/null +++ b/gnutls-3.7.6-ktls-disabled-by-default.patch @@ -0,0 +1,124 @@ +From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= + +Date: Tue, 14 Jun 2022 16:16:11 +0200 +Subject: [PATCH] KTLS: disable by default enable by config + +KTLS will be disabled by default when build with `--enable-ktls` to +enable it, use config file option `ktls = true` in [global] section. + +Signed-off-by: Frantisek Krenzelok +--- + doc/cha-config.texi | 18 ++++++++---------- + lib/gnutls_int.h | 2 +- + lib/handshake.c | 2 +- + lib/priority.c | 12 ++++++------ + 4 files changed, 16 insertions(+), 18 deletions(-) + +diff --git a/doc/cha-config.texi b/doc/cha-config.texi +index e550f2e4b1..eaab7fd799 100644 +--- a/doc/cha-config.texi ++++ b/doc/cha-config.texi +@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}. + * Querying for disabled algorithms and protocols:: + * Overriding the parameter verification profile:: + * Overriding the default priority string:: +-* Disabling system/acceleration protocols:: ++* Enabling/Disabling system/acceleration protocols:: + @end menu + + @node Application-specific priority strings +@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3 + @end example + + +-@node Disabling system/acceleration protocols +-@section Disabling system/acceleration protocols +-When system/acceleration protocol is enabled during build, it is usually +-enabled by default. The following options can overwrite this behavior +-system-wide. ++@node Enabling/Disabling system/acceleration protocols ++@section Enabling/Disabling system/acceleration protocols ++The following options can overwrite default behavior of protocols system-wide. + @example + [global] +-ktls = false ++ktls = true + + @end example +-@subsection Disabling KTLS +-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default. +-This can be overwritten by setting @code{ktls = false} in @code{[global]} section. ++@subsection Enabling KTLS ++When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. ++This can be enabled by setting @code{ktls = true} in @code{[global]} section. +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index 872188696b..8c7bdaa1db 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session, + + extern unsigned int _gnutls_global_version; + +-bool _gnutls_config_is_ktls_disabled(void); ++bool _gnutls_config_is_ktls_enabled(void); + + #endif /* GNUTLS_LIB_GNUTLS_INT_H */ +diff --git a/lib/handshake.c b/lib/handshake.c +index f3edbbdacb..4dd457bf22 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session) + + session->internals.ktls_enabled = 0; + #ifdef ENABLE_KTLS +- if (_gnutls_config_is_ktls_disabled() == false) ++ if (_gnutls_config_is_ktls_enabled() == true) + _gnutls_ktls_enable(session); + #endif + +diff --git a/lib/priority.c b/lib/priority.c +index 7279c03c88..d163d8169f 100644 +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c) + + struct cfg { + bool allowlisting; +- bool ktls_disabled; ++ bool ktls_enabled; + + name_val_array_t priority_strings; + char *priority_string; +@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src) + src->default_priority_string = NULL; + + dst->allowlisting = src->allowlisting; +- dst->ktls_disabled = src->ktls_disabled; ++ dst->ktls_enabled = src->ktls_enabled; + memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); + memcpy(dst->macs, src->macs, sizeof(src->macs)); + memcpy(dst->groups, src->groups, sizeof(src->groups)); +@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, + } + } else if (c_strcasecmp(name, "ktls") == 0) { + p = clear_spaces(value, str); +- if (c_strcasecmp(p, "false") == 0) { +- cfg->ktls_disabled = true; ++ if (c_strcasecmp(p, "true") == 0) { ++ cfg->ktls_enabled = true; + } else { + _gnutls_debug_log("cfg: unknown ktls mode %s\n", + p); +@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags) + return NULL; + } + +-bool _gnutls_config_is_ktls_disabled(void){ +- return system_wide_config.ktls_disabled; ++bool _gnutls_config_is_ktls_enabled(void){ ++ return system_wide_config.ktls_enabled; + } +-- +2.37.1 + diff --git a/gnutls-3.7.6-ktls-minor-fixes.patch b/gnutls-3.7.6-ktls-minor-fixes.patch new file mode 100644 index 0000000..a4f5716 --- /dev/null +++ b/gnutls-3.7.6-ktls-minor-fixes.patch @@ -0,0 +1,230 @@ +From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 28 Jun 2022 09:37:22 +0900 +Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test + +Signed-off-by: Daiki Ueno +--- + tests/Makefile.am | 9 +++++---- + tests/gnutls_ktls.c | 4 ++-- + tests/ktls.sh | 46 +++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 53 insertions(+), 6 deletions(-) + create mode 100755 tests/ktls.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 4deeb6462b..cba67e8db8 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself \ + resume-with-record-size-limit + endif + +-if ENABLE_KTLS +-ctests += gnutls_ktls +-endif +- + ctests += record-sendfile + + gc_CPPFLAGS = $(AM_CPPFLAGS) \ +@@ -500,6 +496,11 @@ if ENABLE_TPM2 + dist_check_SCRIPTS += tpm2.sh + endif + ++if ENABLE_KTLS ++indirect_tests += gnutls_ktls ++dist_check_SCRIPTS += ktls.sh ++endif ++ + if !WINDOWS + + # +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index 3966e2b10a..8f9c5fa36e 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -84,7 +84,7 @@ static void client(int fd, const char *prio) + + ret = gnutls_transport_is_ktls_enabled(session); + if (!(ret & GNUTLS_KTLS_RECV)){ +- fail("client: KTLS was not properly inicialized\n"); ++ fail("client: KTLS was not properly initialized\n"); + goto end; + } + +@@ -208,7 +208,7 @@ static void server(int fd, const char *prio) + + ret = gnutls_transport_is_ktls_enabled(session); + if (!(ret & GNUTLS_KTLS_SEND)){ +- fail("server: KTLS was not properly inicialized\n"); ++ fail("server: KTLS was not properly initialized\n"); + goto end; + } + do { +diff --git a/tests/ktls.sh b/tests/ktls.sh +new file mode 100755 +index 0000000000..ba52bd5775 +--- /dev/null ++++ b/tests/ktls.sh +@@ -0,0 +1,46 @@ ++#!/bin/sh ++ ++# Copyright (C) 2022 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++: ${builddir=.} ++ ++. "$srcdir/scripts/common.sh" ++ ++if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then ++ exit 77 ++fi ++ ++testdir=`create_testdir ktls` ++ ++cfg="$testdir/config" ++ ++cat < "$cfg" ++[global] ++ktls = true ++EOF ++ ++GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ ++GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ ++"$builddir/gnutls_ktls" "$@" ++rc=$? ++ ++rm -rf "$testdir" ++exit $rc +-- +2.37.1 + + +From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 28 Jun 2022 10:23:33 +0900 +Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in + gnutls_handshake + +As gnutls_handshake can be repeatedly called upon non-blocking setup, +we shouldn't try to call setsockopt for KTLS upon every call. + +Signed-off-by: Daiki Ueno +--- + lib/handshake.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/handshake.c b/lib/handshake.c +index 4dd457bf22..3886306eb4 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session) + const version_entry_st *vers = get_version(session); + int ret; + +- session->internals.ktls_enabled = 0; +-#ifdef ENABLE_KTLS +- if (_gnutls_config_is_ktls_enabled() == true) +- _gnutls_ktls_enable(session); +-#endif +- + if (unlikely(session->internals.initial_negotiation_completed)) { + if (vers->tls13_sem) { + if (session->security_parameters.entity == GNUTLS_CLIENT) { +@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session) + end->tv_nsec = + (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL; + } ++ ++#ifdef ENABLE_KTLS ++ if (_gnutls_config_is_ktls_enabled()) { ++ _gnutls_ktls_enable(session); ++ } ++#endif + } + + if (session->internals.recv_state == RECV_STATE_FALSE_START) { +-- +2.37.1 + + +From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 28 Jun 2022 10:53:55 +0900 +Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND + calculation + +Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the +same socket is used for both sending and receiving, GNUTLS_KTLS_SEND +was unconditionally set. This fixes the conditions and also adds more +logging. + +Signed-off-by: Daiki Ueno +--- + lib/system/ktls.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index b9f7a73fb5..ddf27fac76 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -47,7 +47,7 @@ + gnutls_transport_ktls_enable_flags_t + gnutls_transport_is_ktls_enabled(gnutls_session_t session){ + if (unlikely(!session->internals.initial_negotiation_completed)){ +- _gnutls_debug_log("Initial negotiation is not yet complete"); ++ _gnutls_debug_log("Initial negotiation is not yet complete\n"); + return 0; + } + +@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){ + void _gnutls_ktls_enable(gnutls_session_t session) + { + int sockin, sockout; ++ + gnutls_transport_get_int2(session, &sockin, &sockout); + +- if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) ++ if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { + session->internals.ktls_enabled |= GNUTLS_KTLS_RECV; ++ if (sockin == sockout) { ++ session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; ++ } ++ } else { ++ _gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n", ++ errno); ++ } + + if (sockin != sockout) { +- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) ++ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { + session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; +- } else +- session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; ++ } else { ++ _gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n", ++ errno); ++ } ++ } + } + + int _gnutls_ktls_set_keys(gnutls_session_t session) +-- +2.37.1 + diff --git a/gnutls.spec b/gnutls.spec index 8500e79..38ad2ae 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,7 +3,10 @@ Version: 3.7.6 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -%bcond_with bootstrap +Patch3: gnutls-3.7.6-ktls-disabled-by-default.patch +Patch4: gnutls-3.7.6-ktls-minor-fixes.patch + +%bcond_without bootstrap %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -49,7 +52,7 @@ BuildRequires: unbound-devel unbound-libs %if %{with guile} BuildRequires: guile22-devel %endif -BuildRequires: make +BuildRequires: make gtk-doc URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz @@ -212,7 +215,8 @@ export GUILD --disable-libdane \ %endif --disable-rpath \ - --with-default-priority-string="@SYSTEM" + --with-default-priority-string="@SYSTEM" \ + --enable-ktls make %{?_smp_mflags} V=1 From 9936110449737349355c5b4a513c24fba2cd61f3 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 29 Jul 2022 10:15:46 +0200 Subject: [PATCH 070/152] [packit] 3.7.7 upstream release Upstream tag: 3.7.7 Upstream commit: 6231f181 Signed-off-by: Zoltan Fridrich --- .gitignore | 1 + README.packit | 2 +- gnutls-3.7.6-ktls-disabled-by-default.patch | 124 ----------- gnutls-3.7.6-ktls-minor-fixes.patch | 230 -------------------- gnutls-3.7.7-fix-ktls.patch | 13 ++ gnutls-3.7.7.tar.xz.sig | Bin 0 -> 685 bytes gnutls.spec | 5 +- sources | 2 +- 8 files changed, 18 insertions(+), 359 deletions(-) delete mode 100644 gnutls-3.7.6-ktls-disabled-by-default.patch delete mode 100644 gnutls-3.7.6-ktls-minor-fixes.patch create mode 100644 gnutls-3.7.7-fix-ktls.patch create mode 100644 gnutls-3.7.7.tar.xz.sig diff --git a/.gitignore b/.gitignore index 28bf8cc..aedb544 100644 --- a/.gitignore +++ b/.gitignore @@ -139,3 +139,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.4.tar.xz /gnutls-3.7.5.tar.xz /gnutls-3.7.6.tar.xz +/gnutls-3.7.7.tar.xz diff --git a/README.packit b/README.packit index c242324..2c8f8d9 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.51.0. +The file was generated using packit 0.55.0. diff --git a/gnutls-3.7.6-ktls-disabled-by-default.patch b/gnutls-3.7.6-ktls-disabled-by-default.patch deleted file mode 100644 index 76728dc..0000000 --- a/gnutls-3.7.6-ktls-disabled-by-default.patch +++ /dev/null @@ -1,124 +0,0 @@ -From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= - -Date: Tue, 14 Jun 2022 16:16:11 +0200 -Subject: [PATCH] KTLS: disable by default enable by config - -KTLS will be disabled by default when build with `--enable-ktls` to -enable it, use config file option `ktls = true` in [global] section. - -Signed-off-by: Frantisek Krenzelok ---- - doc/cha-config.texi | 18 ++++++++---------- - lib/gnutls_int.h | 2 +- - lib/handshake.c | 2 +- - lib/priority.c | 12 ++++++------ - 4 files changed, 16 insertions(+), 18 deletions(-) - -diff --git a/doc/cha-config.texi b/doc/cha-config.texi -index e550f2e4b1..eaab7fd799 100644 ---- a/doc/cha-config.texi -+++ b/doc/cha-config.texi -@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}. - * Querying for disabled algorithms and protocols:: - * Overriding the parameter verification profile:: - * Overriding the default priority string:: --* Disabling system/acceleration protocols:: -+* Enabling/Disabling system/acceleration protocols:: - @end menu - - @node Application-specific priority strings -@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3 - @end example - - --@node Disabling system/acceleration protocols --@section Disabling system/acceleration protocols --When system/acceleration protocol is enabled during build, it is usually --enabled by default. The following options can overwrite this behavior --system-wide. -+@node Enabling/Disabling system/acceleration protocols -+@section Enabling/Disabling system/acceleration protocols -+The following options can overwrite default behavior of protocols system-wide. - @example - [global] --ktls = false -+ktls = true - - @end example --@subsection Disabling KTLS --When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default. --This can be overwritten by setting @code{ktls = false} in @code{[global]} section. -+@subsection Enabling KTLS -+When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. -+This can be enabled by setting @code{ktls = true} in @code{[global]} section. -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index 872188696b..8c7bdaa1db 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session, - - extern unsigned int _gnutls_global_version; - --bool _gnutls_config_is_ktls_disabled(void); -+bool _gnutls_config_is_ktls_enabled(void); - - #endif /* GNUTLS_LIB_GNUTLS_INT_H */ -diff --git a/lib/handshake.c b/lib/handshake.c -index f3edbbdacb..4dd457bf22 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session) - - session->internals.ktls_enabled = 0; - #ifdef ENABLE_KTLS -- if (_gnutls_config_is_ktls_disabled() == false) -+ if (_gnutls_config_is_ktls_enabled() == true) - _gnutls_ktls_enable(session); - #endif - -diff --git a/lib/priority.c b/lib/priority.c -index 7279c03c88..d163d8169f 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c) - - struct cfg { - bool allowlisting; -- bool ktls_disabled; -+ bool ktls_enabled; - - name_val_array_t priority_strings; - char *priority_string; -@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src) - src->default_priority_string = NULL; - - dst->allowlisting = src->allowlisting; -- dst->ktls_disabled = src->ktls_disabled; -+ dst->ktls_enabled = src->ktls_enabled; - memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers)); - memcpy(dst->macs, src->macs, sizeof(src->macs)); - memcpy(dst->groups, src->groups, sizeof(src->groups)); -@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, - } - } else if (c_strcasecmp(name, "ktls") == 0) { - p = clear_spaces(value, str); -- if (c_strcasecmp(p, "false") == 0) { -- cfg->ktls_disabled = true; -+ if (c_strcasecmp(p, "true") == 0) { -+ cfg->ktls_enabled = true; - } else { - _gnutls_debug_log("cfg: unknown ktls mode %s\n", - p); -@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags) - return NULL; - } - --bool _gnutls_config_is_ktls_disabled(void){ -- return system_wide_config.ktls_disabled; -+bool _gnutls_config_is_ktls_enabled(void){ -+ return system_wide_config.ktls_enabled; - } --- -2.37.1 - diff --git a/gnutls-3.7.6-ktls-minor-fixes.patch b/gnutls-3.7.6-ktls-minor-fixes.patch deleted file mode 100644 index a4f5716..0000000 --- a/gnutls-3.7.6-ktls-minor-fixes.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 09:37:22 +0900 -Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test - -Signed-off-by: Daiki Ueno ---- - tests/Makefile.am | 9 +++++---- - tests/gnutls_ktls.c | 4 ++-- - tests/ktls.sh | 46 +++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 53 insertions(+), 6 deletions(-) - create mode 100755 tests/ktls.sh - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 4deeb6462b..cba67e8db8 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself \ - resume-with-record-size-limit - endif - --if ENABLE_KTLS --ctests += gnutls_ktls --endif -- - ctests += record-sendfile - - gc_CPPFLAGS = $(AM_CPPFLAGS) \ -@@ -500,6 +496,11 @@ if ENABLE_TPM2 - dist_check_SCRIPTS += tpm2.sh - endif - -+if ENABLE_KTLS -+indirect_tests += gnutls_ktls -+dist_check_SCRIPTS += ktls.sh -+endif -+ - if !WINDOWS - - # -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index 3966e2b10a..8f9c5fa36e 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -84,7 +84,7 @@ static void client(int fd, const char *prio) - - ret = gnutls_transport_is_ktls_enabled(session); - if (!(ret & GNUTLS_KTLS_RECV)){ -- fail("client: KTLS was not properly inicialized\n"); -+ fail("client: KTLS was not properly initialized\n"); - goto end; - } - -@@ -208,7 +208,7 @@ static void server(int fd, const char *prio) - - ret = gnutls_transport_is_ktls_enabled(session); - if (!(ret & GNUTLS_KTLS_SEND)){ -- fail("server: KTLS was not properly inicialized\n"); -+ fail("server: KTLS was not properly initialized\n"); - goto end; - } - do { -diff --git a/tests/ktls.sh b/tests/ktls.sh -new file mode 100755 -index 0000000000..ba52bd5775 ---- /dev/null -+++ b/tests/ktls.sh -@@ -0,0 +1,46 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Author: Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+ -+. "$srcdir/scripts/common.sh" -+ -+if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then -+ exit 77 -+fi -+ -+testdir=`create_testdir ktls` -+ -+cfg="$testdir/config" -+ -+cat < "$cfg" -+[global] -+ktls = true -+EOF -+ -+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ -+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ -+"$builddir/gnutls_ktls" "$@" -+rc=$? -+ -+rm -rf "$testdir" -+exit $rc --- -2.37.1 - - -From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 10:23:33 +0900 -Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in - gnutls_handshake - -As gnutls_handshake can be repeatedly called upon non-blocking setup, -we shouldn't try to call setsockopt for KTLS upon every call. - -Signed-off-by: Daiki Ueno ---- - lib/handshake.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index 4dd457bf22..3886306eb4 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session) - const version_entry_st *vers = get_version(session); - int ret; - -- session->internals.ktls_enabled = 0; --#ifdef ENABLE_KTLS -- if (_gnutls_config_is_ktls_enabled() == true) -- _gnutls_ktls_enable(session); --#endif -- - if (unlikely(session->internals.initial_negotiation_completed)) { - if (vers->tls13_sem) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { -@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session) - end->tv_nsec = - (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL; - } -+ -+#ifdef ENABLE_KTLS -+ if (_gnutls_config_is_ktls_enabled()) { -+ _gnutls_ktls_enable(session); -+ } -+#endif - } - - if (session->internals.recv_state == RECV_STATE_FALSE_START) { --- -2.37.1 - - -From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 28 Jun 2022 10:53:55 +0900 -Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND - calculation - -Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the -same socket is used for both sending and receiving, GNUTLS_KTLS_SEND -was unconditionally set. This fixes the conditions and also adds more -logging. - -Signed-off-by: Daiki Ueno ---- - lib/system/ktls.c | 21 ++++++++++++++++----- - 1 file changed, 16 insertions(+), 5 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index b9f7a73fb5..ddf27fac76 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -47,7 +47,7 @@ - gnutls_transport_ktls_enable_flags_t - gnutls_transport_is_ktls_enabled(gnutls_session_t session){ - if (unlikely(!session->internals.initial_negotiation_completed)){ -- _gnutls_debug_log("Initial negotiation is not yet complete"); -+ _gnutls_debug_log("Initial negotiation is not yet complete\n"); - return 0; - } - -@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){ - void _gnutls_ktls_enable(gnutls_session_t session) - { - int sockin, sockout; -+ - gnutls_transport_get_int2(session, &sockin, &sockout); - -- if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) -+ if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { - session->internals.ktls_enabled |= GNUTLS_KTLS_RECV; -+ if (sockin == sockout) { -+ session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -+ } -+ } else { -+ _gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n", -+ errno); -+ } - - if (sockin != sockout) { -- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) -+ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) { - session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -- } else -- session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; -+ } else { -+ _gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n", -+ errno); -+ } -+ } - } - - int _gnutls_ktls_set_keys(gnutls_session_t session) --- -2.37.1 - diff --git a/gnutls-3.7.7-fix-ktls.patch b/gnutls-3.7.7-fix-ktls.patch new file mode 100644 index 0000000..e3e19e3 --- /dev/null +++ b/gnutls-3.7.7-fix-ktls.patch @@ -0,0 +1,13 @@ +diff --color -rup a/lib/handshake.c b/lib/handshake.c +--- a/lib/handshake.c 2022-07-28 12:44:40.000000000 +0200 ++++ b/lib/handshake.c 2022-07-29 12:30:00.110002282 +0200 +@@ -2861,7 +2861,8 @@ int gnutls_handshake(gnutls_session_t se + + #ifdef ENABLE_KTLS + if (_gnutls_config_is_ktls_enabled()) { +- if (session->internals.pull_func || ++ if ((session->internals.pull_func && ++ session->internals.pull_func != system_read) || + session->internals.push_func) { + _gnutls_audit_log(session, + "Not enabling KTLS with " diff --git a/gnutls-3.7.7.tar.xz.sig b/gnutls-3.7.7.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..32aa43931a027e6f41ee151bb773fe1e11cd62a5 GIT binary patch literal 685 zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%GEs`~V6G5Y`2R zj@RaxaZp+h{w0(&Lqs0#=Rr`Yltw6^=~Xpll_pmFJ(@;wkR?#JYkkc~;cUN{tg>e!cdumtUZiZw9Id-cm35L+ zH1GE`Lk5jGZa3H7uNj$CH1wT~#8IIa_5w0R31S{&SbZ|OcDns3sud2R0OS?H`Lb;$FF)6!eIf&o79oY?B4`J7 za^EV}QKHK1W2;|IOGN#3Z+(>8&LX_VRDl#K9>7P&Q>;nYhMZky8MSOP$qMDmWX9mT zz&&~Jf;uSxZMMIA4&B*Qu)ek{k-=PcyT`!+6GL+iHm{D3iMU84N&*xq z+-iI))|KI`Xfw)#dc2@nQ9GOlH;XWb2oFt5NKO*Fn! Date: Fri, 26 Aug 2022 20:55:49 +0900 Subject: [PATCH 071/152] Port packaging changes from CentOS Stream 9 This adds the following cleanups: - Conditionalize features with bcond: tpm2, certificate_compression, and tests - Remove leftover libopts cleanup - Move autoreconf invocation from %prep to %build, to speed up fedpkg prep - Switch to using %autosetup -S git - Ignore errors in gpgverify to work around build under FIPS - Support FIPS module version Signed-off-by: Daiki Ueno --- gnutls.spec | 74 +++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 58 insertions(+), 16 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 4f866be..ef080fb 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,9 +1,22 @@ -# This spec file has been automatically updated +%define srpmhash() %{lua: +local files = rpm.expand("%_specdir/gnutls.spec") +for i, p in ipairs(patches) do + files = files.." "..p +end +for i, p in ipairs(sources) do + files = files.." "..p +end +local sha256sum = assert(io.popen("cat "..files.."| sha256sum")) +local hash = sha256sum:read("*a") +sha256sum:close() +print(string.sub(hash, 0, 16)) +} + Version: 3.7.7 Release: %{?autorelease}%{!?autorelease:1%{?dist}} -Patch1: gnutls-3.6.7-no-now-guile.patch -Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.7.7-fix-ktls.patch +Patch: gnutls-3.6.7-no-now-guile.patch +Patch: gnutls-3.2.7-rpath.patch +Patch: gnutls-3.7.7-fix-ktls.patch %bcond_without bootstrap %bcond_without dane @@ -15,14 +28,20 @@ Patch3: gnutls-3.7.7-fix-ktls.patch %bcond_without fips %endif %bcond_with tpm12 +%bcond_without tpm2 %bcond_without gost +%bcond_with certificate_compression +%bcond_without tests Summary: A TLS protocol implementation Name: gnutls # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel -BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3 +BuildRequires: readline-devel, libtasn1-devel >= 4.3 +%if %{with certificate_compression} +BuildRequires: zlib-devel, brotli-devel, libzstd-devel +%endif %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif @@ -30,10 +49,14 @@ BuildRequires: nettle-devel >= 3.5.1 %if %{with tpm12} BuildRequires: trousers-devel >= 0.3.11.2 %endif +%if %{with tpm2} +BuildRequires: tpm2-tss-devel >= 3.0.3 +%endif BuildRequires: libidn2-devel BuildRequires: libunistring-devel BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 +BuildRequires: git-core # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates @@ -149,11 +172,17 @@ This package contains Guile bindings for the library. %endif %prep -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +# Workaround: to allow building the package under FIPS, do not treat +# errors in the GPG check as fatal, where EdDSA signature verification +# is not allowed: +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' || : + +%autosetup -p1 -S git + +%build +%define _lto_cflags %{nil} -%autosetup -p1 %if %{with bootstrap} -rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h autoreconf -fi %endif @@ -162,12 +191,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h echo "SYSTEM=NORMAL" >> tests/system.prio -# Note that we explicitly enable SHA1, as SHA1 deprecation is handled -# via the crypto policies - -%build -%define _lto_cflags %{nil} - CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS @@ -180,9 +203,16 @@ GUILD=%{_bindir}/guild2.2 export GUILD %endif +%if %{with fips} +eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release) +export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" +%endif + %configure \ %if %{with fips} --enable-fips140-mode \ + --with-fips140-module-name="$FIPS_MODULE_NAME" \ + --with-fips140-module-version=%{version}-%{srpmhash} \ %endif %if %{with gost} --enable-gost \ @@ -200,6 +230,12 @@ export GUILD %else --without-tpm \ %endif +%if %{with tpm2} + --with-tpm2 \ +%else + --without-tpm2 \ +%endif + --enable-ktls \ --htmldir=%{_docdir}/manual \ %if %{with guile} --enable-guile \ @@ -212,10 +248,14 @@ export GUILD --enable-libdane \ %else --disable-libdane \ +%endif +%if %{with certificate_compression} + --with-zlib --with-brotli --with-zstd \ +%else + --without-zlib --without-brotli --without-zstd \ %endif --disable-rpath \ - --with-default-priority-string="@SYSTEM" \ - --enable-ktls + --with-default-priority-string="@SYSTEM" make %{?_smp_mflags} V=1 @@ -249,7 +289,9 @@ sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac %find_lang gnutls %check +%if %{with tests} make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null +%endif %files -f gnutls.lang %{_libdir}/libgnutls.so.30* From 9f78d04c90b4fc7d392c5850ca25417bb24cfd8b Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Tue, 6 Sep 2022 15:59:39 -0500 Subject: [PATCH 072/152] Initial MinGW package support Merge the mingw-gnutls package into the native one. --- gnutls.spec | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 127 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 4f866be..6752551 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -52,6 +52,22 @@ BuildRequires: unbound-devel unbound-libs BuildRequires: guile22-devel %endif BuildRequires: make gtk-doc +BuildRequires: mingw32-filesystem >= 95 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-gcc-c++ +BuildRequires: mingw32-libtasn1 >= 4.3 +BuildRequires: mingw32-readline +BuildRequires: mingw32-zlib +BuildRequires: mingw32-p11-kit >= 0.23.1 +BuildRequires: mingw32-nettle >= 3.6 +BuildRequires: mingw64-filesystem >= 95 +BuildRequires: mingw64-gcc +BuildRequires: mingw64-gcc-c++ +BuildRequires: mingw64-libtasn1 >= 4.3 +BuildRequires: mingw64-readline +BuildRequires: mingw64-zlib +BuildRequires: mingw64-p11-kit >= 0.23.1 +BuildRequires: mingw64-nettle >= 3.6 URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz @@ -148,6 +164,28 @@ other required structures. This package contains Guile bindings for the library. %endif +# Win32 +%package -n mingw32-%{name} +Summary: MinGW GnuTLS TLS/SSL encryption library +Requires: pkgconfig +Requires: mingw32-libtasn1 >= 4.3 + +%description -n mingw32-gnutls +GnuTLS TLS/SSL encryption library. This library is cross-compiled +for MinGW. + +# Win64 +%package -n mingw64-%{name} +Summary: MinGW GnuTLS TLS/SSL encryption library +Requires: pkgconfig +Requires: mingw64-libtasn1 >= 4.3 + +%description -n mingw64-gnutls +GnuTLS TLS/SSL encryption library. This library is cross-compiled +for MinGW. + +%{?mingw_debug_package} + %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' @@ -180,6 +218,9 @@ GUILD=%{_bindir}/guild2.2 export GUILD %endif +mkdir native_build +pushd native_build +%global _configure ../configure %configure \ %if %{with fips} --enable-fips140-mode \ @@ -218,9 +259,31 @@ export GUILD --enable-ktls make %{?_smp_mflags} V=1 +popd + +# MinGW does not support CCASFLAGS +export CCASFLAGS="" +%mingw_configure \ + --enable-sha1-support \ + --disable-static \ + --disable-openssl-compatibility \ + --disable-non-suiteb-curves \ + --disable-guile \ + --disable-libdane \ + --disable-rpath \ + --disable-nls \ + --disable-cxx \ + --enable-local-libopts \ + --enable-shared \ + --without-tpm \ + --with-included-unistring \ + --disable-doc \ + --with-default-priority-string="@SYSTEM" +%mingw_make %{?_smp_mflags} %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install -C native_build +pushd native_build make -C doc install-html DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la @@ -247,11 +310,41 @@ sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac %endif %find_lang gnutls +popd + +%mingw_make_install + +# Remove .la files +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la + +# The .def files aren't interesting for other binaries +rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def +rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def + +# Remove info and man pages which duplicate stuff in Fedora already. +rm -rf $RPM_BUILD_ROOT%{mingw32_infodir} +rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw32_docdir}/gnutls + +rm -rf $RPM_BUILD_ROOT%{mingw64_infodir} +rm -rf $RPM_BUILD_ROOT%{mingw64_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw64_docdir}/gnutls + +# Remove test libraries +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/crypt32.dll* +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/ncrypt.dll* +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll* +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* + +%mingw_debug_install_post %check +pushd native_build make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null +popd -%files -f gnutls.lang +%files -f native_build/gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} %{_libdir}/.gnutls.hmac @@ -302,5 +395,37 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %{_datadir}/guile/site/2.2/gnutls/extra.scm %endif +%files -n mingw32-%{name} +%license LICENSE doc/COPYING doc/COPYING.LESSER +%{mingw32_bindir}/certtool.exe +%{mingw32_bindir}/gnutls-cli-debug.exe +%{mingw32_bindir}/gnutls-cli.exe +%{mingw32_bindir}/gnutls-serv.exe +%{mingw32_bindir}/libgnutls-30.dll +%{mingw32_bindir}/ocsptool.exe +%{mingw32_bindir}/p11tool.exe +%{mingw32_bindir}/psktool.exe +%{mingw32_bindir}/srptool.exe +%{mingw32_libdir}/libgnutls.dll.a +%{mingw32_libdir}/libgnutls-30.def +%{mingw32_libdir}/pkgconfig/gnutls.pc +%{mingw32_includedir}/gnutls/ + +%files -n mingw64-%{name} +%license LICENSE doc/COPYING doc/COPYING.LESSER +%{mingw64_bindir}/certtool.exe +%{mingw64_bindir}/gnutls-cli-debug.exe +%{mingw64_bindir}/gnutls-cli.exe +%{mingw64_bindir}/gnutls-serv.exe +%{mingw64_bindir}/libgnutls-30.dll +%{mingw64_bindir}/ocsptool.exe +%{mingw64_bindir}/p11tool.exe +%{mingw64_bindir}/psktool.exe +%{mingw64_bindir}/srptool.exe +%{mingw64_libdir}/libgnutls.dll.a +%{mingw64_libdir}/libgnutls-30.def +%{mingw64_libdir}/pkgconfig/gnutls.pc +%{mingw64_includedir}/gnutls/ + %changelog %autochangelog From 2d72c1273b7e5a0bdf91c3919390cba382e4ea8c Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 18 Oct 2022 13:53:34 +0200 Subject: [PATCH 073/152] [packit] 3.7.8 upstream release Upstream tag: 3.7.8 Upstream commit: f527ed0e Signed-off-by: Zoltan Fridrich --- .gitignore | 1 + README.packit | 2 +- gnutls-3.7.7-fix-ktls.patch | 13 ------------- gnutls-3.7.8.tar.xz.sig | Bin 0 -> 1250 bytes gnutls.spec | 3 +-- sources | 2 +- 6 files changed, 4 insertions(+), 17 deletions(-) delete mode 100644 gnutls-3.7.7-fix-ktls.patch create mode 100644 gnutls-3.7.8.tar.xz.sig diff --git a/.gitignore b/.gitignore index aedb544..1d6ef56 100644 --- a/.gitignore +++ b/.gitignore @@ -140,3 +140,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.5.tar.xz /gnutls-3.7.6.tar.xz /gnutls-3.7.7.tar.xz +/gnutls-3.7.8.tar.xz diff --git a/README.packit b/README.packit index 2c8f8d9..44d1757 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.55.0. +The file was generated using packit 0.60.0. diff --git a/gnutls-3.7.7-fix-ktls.patch b/gnutls-3.7.7-fix-ktls.patch deleted file mode 100644 index e3e19e3..0000000 --- a/gnutls-3.7.7-fix-ktls.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --color -rup a/lib/handshake.c b/lib/handshake.c ---- a/lib/handshake.c 2022-07-28 12:44:40.000000000 +0200 -+++ b/lib/handshake.c 2022-07-29 12:30:00.110002282 +0200 -@@ -2861,7 +2861,8 @@ int gnutls_handshake(gnutls_session_t se - - #ifdef ENABLE_KTLS - if (_gnutls_config_is_ktls_enabled()) { -- if (session->internals.pull_func || -+ if ((session->internals.pull_func && -+ session->internals.pull_func != system_read) || - session->internals.push_func) { - _gnutls_audit_log(session, - "Not enabling KTLS with " diff --git a/gnutls-3.7.8.tar.xz.sig b/gnutls-3.7.8.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..21bc993ef81c346ee4dfb572401f03df938d3d10 GIT binary patch literal 1250 zcmV<81ReW{0y6{v0SEvc79j+tt5cvIBYKqi?!?eRCrG3U{KESM0%J1+i2w=-5J4wM zqze4P`yfpa0Dx5&C}kCp576>9^ES_R<3t^OoM|~pFh~#;>9!IXG45!^IPF15x{Z z%>9$1luWy0Fl>TsjLAAoCJ+>G4l#H#>6faS0^Y;D6)r2R4L$@`I@YLf1 z%7S7ItwE2fYrflloNaOjRw-0Tj=8sU3rpk-2e*%^xD|QuDd*7-arm&kfuo4e^<7cr z^Ur@)_v?cm1;+TDpw4#`Dz0cY-J!Z@&OI(2jbgyqLJXZd=8lgl1lPiV!LL|!(TOlF zjTnd_B?7y&eWj?id8RCDS7vX{{rtM6aksH6l?s#KWk9muyI0v;07er&2x@f;nKW>6 z+}8Vbn@f%eHY(N|One3Zi;!(9e_C1z-1>IVA)v`I-q8+9l6)V2^?ClN)-7Bo zHiz^OD<`br{(ypMrt-TQb)@*Y?MG0itV*mbvkM_w_rx7Y-n-e zJBb1^1ONdD038+~1V$ny!?bTSho8tvY}N&Yj@RaxaRmZnGZRMu3JDO_1%!^*=9qDE zhY$83)3ChQHl^|CKPU9>Lm(>d!#gZ(IH%6kih4DDU^-vk&n@&$`B>uj!}LZfcYetU z%$Uu%yqU!Bn6XRM6JD($xMUgAVw$R&d709h&&zOI3~G|GT&K`Lc8lN9#auCwn?B)O z1M618Xn5?sU9!uftSyb4pT3-bLJH>nykGzIT>O0@88rHof-K$?TzRV{s76zMds z-!bm_R;18`(HE|=fI-^kZb{|yvw3*B8)neHeacnW1K-qkXAgv6kQ~lFaEl=xrG9-3 z=nl?HGI-DWU1xs=W8u%D7!=;Yo$-fkZ}Q+xxeyKupD|AeYf{xG5%FWfkc*`?|Hpaz z$JJu)=Ct~|kB23p^)C>&8N-^Uo6KE%JE}Ka9&)8g$FjQ2sZg+a1vb z>tNw^N@Y~Y7 zLM`u~8315bRytW>m%39$@zCO}?b+d>9O^Cr{T}_sk% Date: Fri, 7 Oct 2022 17:46:56 +0900 Subject: [PATCH 074/152] Revert to not ignore errors in gpgverify Signed-off-by: Daiki Ueno --- gnutls.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 506ee01..a400364 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -171,10 +171,7 @@ This package contains Guile bindings for the library. %endif %prep -# Workaround: to allow building the package under FIPS, do not treat -# errors in the GPG check as fatal, where EdDSA signature verification -# is not allowed: -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' || : +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -S git From b9c750507f5a3dc8473416083983a698b9de37bb Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Mon, 8 Jun 2020 15:45:21 +0200 Subject: [PATCH 075/152] Enable gating and add FIPS smoke test --- gating.yml | 14 ++++++++++++++ tests/tests.yml | 13 +++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 gating.yml create mode 100644 tests/tests.yml diff --git a/gating.yml b/gating.yml new file mode 100644 index 0000000..0bd5927 --- /dev/null +++ b/gating.yml @@ -0,0 +1,14 @@ +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..b32f8a2 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,13 @@ +--- +- hosts: localhost + roles: + - role: standard-test-basic + tags: + - classic + tests: + - smoke-fips: + dir: . + run: if [[ $(GNUTLS_DEBUG_LEVEL=99 GNUTLS_FORCE_FIPS_MODE=1 certtool 2>&1 | grep "Error") ]]; then exit 1; else exit 0; fi; + required_packages: + - gnutls + - gnutls-utils From 30a64d92731569e890733a8e9e99a10fc1050037 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 18 Oct 2022 17:12:26 +0200 Subject: [PATCH 076/152] Update release keyring Signed-off-by: Zoltan Fridrich --- gnutls-release-keyring.gpg | Bin 20850 -> 26256 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/gnutls-release-keyring.gpg b/gnutls-release-keyring.gpg index e33ee430307d77bbf4ea2b05e65a1bb9ac795769..c2d26f6cbee508b909f705bc6ce51d1108a0e5f4 100644 GIT binary patch delta 5458 zcma) zg2U7~_g39AGc{GS9=@kv?QidwwbwpDgObNU^`6?OEHD9v;hsZ z*^Ghu?d4AL#Oh|XWhWyhi=>CaypM0>!m!~|rsYZCH>u>6-aK?MW1(Myun#^}JJb2_ zwX{8npxYB@mx4r2 z9*Zj$dTrB4hPx$k3Uv9O4|2RRX5p0IxH{QJxxTMsy)ETDO^MFN`&DTD1TW92GW~Iq zpFX_rsxHIqG*4ORgA2A^bQl{H-yd0*u@@=P*7zkZzjr?P&$w97p!<`;G}o8v)0{_7 zatv|pbDS>{X8T8L?7OvR+N0Cd`@gWY-K%w^)~NHTw~+NJ`!!B_7cgX!|MMY)x0 zP@#A)JNfl7^2W2bb0-aXf}fb5Z!Jlg3-S~7XtbDUO|nbCar=Nu0Xv|f)V*}Afxt2>8z zg^;h~*$(fvn)EBbVlW$%=+KcBrBwQJBx(U^4_86s?3Wh~1>F&F0>mHy)XXZ4wDYre zv$gZ2*LC-@vvqNDqnB`XcXN??;b!CRgtW8ec5<_Ke;NxG#&`h20T{q=2$&WGCJ)5~ z8}12vW8y(^upyYFxKJECOfoP81OT{DSpDu2ePh8xz7Q>azVn6`9|8r@aw&>!}xF#f#A0oB_F0rn^x_2Znh38euU-6cMZo{J!;op zB6-@!AsVLM@%t0EIsP|0QPF{`Z}yh4!$qHOk5NKXZ~8kLxf6l~9!~8s^(<}do~k$D z5lFhFlJ9nfvHBdIw%j^lJw_eA)KPgC9Jzrre^Jhc;Fy!rYP7X;43~7?Nxf|CW!MJS z0FTXHs%Z|glYJ&B6IidpxebUyRE>E1M;+~+y&R!UZRTOBAP!yX!BksPMTc4cQBZ0O zW@|{%tk(>{k9-{XS!q;nAiRp1+G==;I)_hGIpV|K!E0{<*G()jRsvL@4deo|?nL7B zdyRy$duROWROrn3vDeP|1!0Z}-!#$-L&ezKBO`x#+>A^#F-Wi{F__HL&L=RkrOW97 zxoYXG;>?N4dW`2QO*!QgX4Q}sr`$Zr0}8GoX%X=ciqi#2Q3?F|r@b>zoTkl)ZPSD^ z#toP5j7w3&4&1AW1IZ|*n}E7b7nc^%FwXnQ1ZM)Ov3E0gZI;a{Q6F-|g4Q|87H!RM z7IRpiKEuxI3~>!G3KM?PiGhtQx|D1O5$e0>DsmTVZ$~cNRt%2wx@1Sv9#0#kAC5=F z4UkAoR*#O5b!1wWCEEroq#p#c*GIDa6mUI_m^eA@x2c}|%=sC`4uSz75bzJ(&)u&A zFck%51povB0~UY<0Nj5EWB~~HFa7mGAP@)!7RFz~!NS7Cg5u!fLUEu_Tzn#YTs%TN zD3pMhfRG3VBZlGPlRO}SJs^U?VD}#YJRBet2nB(Nf%{&78UO((Fa-3^@3EmEOe_cv z_`Vn5g8?822on<<0}T0hdmu0b3j-5M%qt-1;TeXFL&ES#+WG-0<69=}hc>V87XX~U zYDof>g#dO-{*YkFGQ~or8}hWK(g0nh*N0ATk(<$T&JL7Map6yIS|(C3*D}!C$!QEY0xr+7^46HKuk>9@TPcOb6TfX`zFIb`rTT$ z;caq1gHnM_S4Ubk)s$i~sY$`G{-x+D007?JiPOtWxAKl(BJ-{H+udnxd1DOL{{qEk zB=V&MeWtrLya529p~ zX!5JLj)zPL`ZVdkk$-_L{{w{o3yg0XMYIuYj7IU|E*kpsrN^2$-W5X(T{YIdLID8S z*(InDc`KQJK>jFx$!06VsZvW(d2Gdsu+dB0>^~ad@r1Vif z(+8{~000n1rC4sUk_4kqsupScB{U~F5LF4zfwHpkUY@my`ydG zrcz-ff*4)EF>9DZopgq>CD%onq_~)%xkK#J005xP@LzIBXL8L6Ya!*qSk8k>$uW<1o5HnQ9Z6Rrz`g?V!mqxHY5s1ONb{McpC1ZZ*%hP2uQP znJmBQ(KDJx+mZhFr?cu3P2zow>6%Xf?ECruzB5q&-=)DWPjmx~;xqarwLt3c+X%xR z$PRBD*sfn>l#MzT?aUDoFHEoUG$AkQsd7OLdrbP{@`kXFyc=DXtEqhlIF#s(@n?m-mQwOm%F`* zq?o&6SN6r2%!O`#9={OnCe_|i?~(QSytRC8P!yiNB_9**Nx%V@FpK>gwkpI$ySYxr z4m}B@MsCGNE^IQI<<4L=fv95NABd|l1EeN5jxe=*%t9Lk(bvP z+agIx8S?mzCB7kBD~Zz>CIa{gXo>`z9+XwAR3k#*t@i#PTa-JeI*foga6QmiEZNR| z@hja{TXW`?fDZKwPofEvnr_c)Z(=JlSvgycUE$Tc`^}F3FQT^7V0-l`ox z4^>5}8uM3%uNE;wybWXv5{V&3U7-&Hs21aAhBzoAL~sa*MxM11zufeUlcIX$Tm6iN zx^I@LZRy+W)V_xW$FK5K273dnz7ovWzU6+be$jh-S{iP`DCv{8j@l*ue(gFWmR``A zBz5cEiC4yQ2?(mIyZ$9vab&I#Yd9sGPRZlPOY3Qv4k*36^Bbz1e68@eg3;M=4>2Y%fKYdTAYY4alN$iz6igHz7+7Xb;L zg!Ls8M6D!@{(1ZIh=E+wVBt)n46@{p7GK+u!T#m(sn3e$Cp3F3@V^ame>_5*a3!#! z;-s@3BOjO3If^GZ4)V2S!XT;|3d`n4m~7-;Rn|mDK1@3 zH%f_0$Vv6-w|C5zElQMlfg6|pgXz1dGdWVRMFCqfRA7p~7S()gICmrc8v~kH1ou&Y zjTBAu1?Qu85*shu9%QJi2{v1cX0$5qGUM<@)M5wXHBM9wRkgGIaS<;&S zz4d+9Kr>RsBJ0k)!FN&rLlK?!i*rf3jBn&?k2KXW@_(tA+%*nzOQg-=Qc$M&Jd}&| z{yj$B-%G8ITC__x+^>4nFgo(wX-)*!-3gl;CRE=pQOLpdg*4aHvLrC%5xPj)W@Ui; z_tQMHSPepoThBQmb%v$Fm@(X4icR5(#AsprWj4S z{hEM|uF9*X4vUovalQc^D=vV2Us6QeVq%W|s5qRueV$HkS)O86@haW!V@N|9oQLBg&WhE z!6P=G>#2zTIR>YORAd(v)Hq3!I_X*#ZXpQGM| zStnez?(6i(2=o!e??o=02deT;H|9(Tq49ks5QsP|(FCH#cuJYXc!@`(iD`XH7HYI_ zE{vHz{-$zMS5^RpR9hiRZ<-tV%uE!fdfaKNNvtEEsjpf5Y+)GXCHEq`YKp?l7wRK8@%Q5Z zDV#&sy!Iy{kKz3m+&o+6ZNJ6uHdw!9%n`7>0`1Lmq2k9de^rx?vDKgY0_M%D7m4M>{mF=SGC%q#j{gi)g0;)%(4 z(bqrM^0k`g{LW6awar`y67>>4q85j&SvqZp^B`7a8x~#3Ia&hpyTO+Ccv+c|=WV)m zge$0Q&#SbpkL~xH1n+ilW+h2vbQ`U*kg}MarrOxw@hv;AY<#^F3UXgMG(<-Ju`Yr= zAB~t*U`7XzcGm^D1!207rqlx?v(;{@a>-Yv_!;*m_ziYAbn;K75Imt&C@ML6vOC;3 z`P=T5ifhES3HKhFx|iN+i)%wC_K!qoO-wZRHq!RQFJsM=Y>O`~_Zhq5j|9`uLJIq{ z0PYcRZnFB0x#Az?TJP0f=Au3Ici%3!>WG0(TlGUmbgg5W@{GV&j!P*IP6au5aW<~+ z#iv!b3#vYI9VJVhw4A{ev#{zeVRd#kzTQz;>b zXZMzs%|diNShUx4|GPd`=(ymxa}QxX931OXayxg_C9`2Wp*EzD!))KDwpzt(Mlep4 zh#-|bbp2Go?-Fc^2$cAJCH&y05&g1Q85!x>S%XjDQ@`&O2JV#psDf%YBU>r^KO>Au z{LK;dclexq4TAdnGjd+iQg){% z#>v`*0eS1bUzt-#Eid|8nuAjzZ}SGFNaTA8fQCf&w zG6u$o3J0{iwZxg0Lm2&*N;?)~Jj%h_~#r?`?!Neq7WMBX$fT!DEdWN_zZn)-)~ zs4=-EUnMWGq#<7*w3Z?gqe5MSKwDJVpvaCXvE)!L5Agst>#LN>=8I=_()Pmem9zE_ z-mPJUDN}wl?4ZK)g<#i?Tok!GHQ&JOHB-%8XXu(DyF#rMs!=lQQn?3uom=pH{d|#e zhO;>?y-YXbm5fIj+AkbmrHDqGVVA42PORB=k?Z=D@cP$#HR_48q1*VJ6IcctYGygs zO;?8%`Gct4vNS>4KeowcvTdtod&j_a4dZMZ6elYOKC9(g?R0*&INn#%lbA--#6g3m zFTO)$rGiFK47EX%=EKot9`Q+WAN`H*r|)Es+IU_sH06f95|??g%UAp1%G|KG;0^sX zgDt_ARQAxQsNtO{dIamL1|{qdwS+!0_(wcj(huOUH-=EE$$O_6j{ucibr`SUX|cBd zXqpMQiWisLjM9?*cA&mn8L#X?fS#v+HLkn!)^a^g=^|nJeEKH5jRGtu?)10>f&fmE z?yudw)WM+Es(eEP+_ljN-(ZPWS-82tA5~J$6OUFmQ*DWYLJ~!I!X^|;)XT5z`maC! E7iHk`@&Et; delta 9 QcmbPmmhsaf#tlV*02ikOX8-^I From 9ba1f58c0f4ba0a6a717b78c078408829434dfac Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 18 Oct 2022 16:46:19 +0200 Subject: [PATCH 077/152] Use make macros Co-authored-by: Tom Stellard Signed-off-by: Zoltan Fridrich --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index a400364..21fa3ff 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -253,10 +253,10 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" --disable-rpath \ --with-default-priority-string="@SYSTEM" -make %{?_smp_mflags} V=1 +%make_build %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install make -C doc install-html DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la From 86c02ce9dc970a0e92ca4193f00cdbfbbc76454b Mon Sep 17 00:00:00 2001 From: Michael Cronenworth Date: Tue, 6 Sep 2022 15:59:39 -0500 Subject: [PATCH 078/152] Initial MinGW package support Merge the mingw-gnutls package into the native one. --- gnutls.spec | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 127 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 21fa3ff..06eb471 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -74,6 +74,22 @@ BuildRequires: unbound-devel unbound-libs BuildRequires: guile22-devel %endif BuildRequires: make gtk-doc +BuildRequires: mingw32-filesystem >= 95 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-gcc-c++ +BuildRequires: mingw32-libtasn1 >= 4.3 +BuildRequires: mingw32-readline +BuildRequires: mingw32-zlib +BuildRequires: mingw32-p11-kit >= 0.23.1 +BuildRequires: mingw32-nettle >= 3.6 +BuildRequires: mingw64-filesystem >= 95 +BuildRequires: mingw64-gcc +BuildRequires: mingw64-gcc-c++ +BuildRequires: mingw64-libtasn1 >= 4.3 +BuildRequires: mingw64-readline +BuildRequires: mingw64-zlib +BuildRequires: mingw64-p11-kit >= 0.23.1 +BuildRequires: mingw64-nettle >= 3.6 URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz @@ -170,6 +186,28 @@ other required structures. This package contains Guile bindings for the library. %endif +# Win32 +%package -n mingw32-%{name} +Summary: MinGW GnuTLS TLS/SSL encryption library +Requires: pkgconfig +Requires: mingw32-libtasn1 >= 4.3 + +%description -n mingw32-gnutls +GnuTLS TLS/SSL encryption library. This library is cross-compiled +for MinGW. + +# Win64 +%package -n mingw64-%{name} +Summary: MinGW GnuTLS TLS/SSL encryption library +Requires: pkgconfig +Requires: mingw64-libtasn1 >= 4.3 + +%description -n mingw64-gnutls +GnuTLS TLS/SSL encryption library. This library is cross-compiled +for MinGW. + +%{?mingw_debug_package} + %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' @@ -204,6 +242,9 @@ eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release) export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" %endif +mkdir native_build +pushd native_build +%global _configure ../configure %configure \ %if %{with fips} --enable-fips140-mode \ @@ -254,9 +295,31 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" --with-default-priority-string="@SYSTEM" %make_build +popd + +# MinGW does not support CCASFLAGS +export CCASFLAGS="" +%mingw_configure \ + --enable-sha1-support \ + --disable-static \ + --disable-openssl-compatibility \ + --disable-non-suiteb-curves \ + --disable-guile \ + --disable-libdane \ + --disable-rpath \ + --disable-nls \ + --disable-cxx \ + --enable-local-libopts \ + --enable-shared \ + --without-tpm \ + --with-included-unistring \ + --disable-doc \ + --with-default-priority-string="@SYSTEM" +%mingw_make %{?_smp_mflags} %install -%make_install +%make_install -C native_build +pushd native_build make -C doc install-html DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la @@ -283,13 +346,43 @@ sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac %endif %find_lang gnutls +popd + +%mingw_make_install + +# Remove .la files +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la + +# The .def files aren't interesting for other binaries +rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def +rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def + +# Remove info and man pages which duplicate stuff in Fedora already. +rm -rf $RPM_BUILD_ROOT%{mingw32_infodir} +rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw32_docdir}/gnutls + +rm -rf $RPM_BUILD_ROOT%{mingw64_infodir} +rm -rf $RPM_BUILD_ROOT%{mingw64_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw64_docdir}/gnutls + +# Remove test libraries +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/crypt32.dll* +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/ncrypt.dll* +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll* +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* + +%mingw_debug_install_post %check %if %{with tests} +pushd native_build make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null +popd %endif -%files -f gnutls.lang +%files -f native_build/gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} %{_libdir}/.gnutls.hmac @@ -340,5 +433,37 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null %{_datadir}/guile/site/2.2/gnutls/extra.scm %endif +%files -n mingw32-%{name} +%license LICENSE doc/COPYING doc/COPYING.LESSER +%{mingw32_bindir}/certtool.exe +%{mingw32_bindir}/gnutls-cli-debug.exe +%{mingw32_bindir}/gnutls-cli.exe +%{mingw32_bindir}/gnutls-serv.exe +%{mingw32_bindir}/libgnutls-30.dll +%{mingw32_bindir}/ocsptool.exe +%{mingw32_bindir}/p11tool.exe +%{mingw32_bindir}/psktool.exe +%{mingw32_bindir}/srptool.exe +%{mingw32_libdir}/libgnutls.dll.a +%{mingw32_libdir}/libgnutls-30.def +%{mingw32_libdir}/pkgconfig/gnutls.pc +%{mingw32_includedir}/gnutls/ + +%files -n mingw64-%{name} +%license LICENSE doc/COPYING doc/COPYING.LESSER +%{mingw64_bindir}/certtool.exe +%{mingw64_bindir}/gnutls-cli-debug.exe +%{mingw64_bindir}/gnutls-cli.exe +%{mingw64_bindir}/gnutls-serv.exe +%{mingw64_bindir}/libgnutls-30.dll +%{mingw64_bindir}/ocsptool.exe +%{mingw64_bindir}/p11tool.exe +%{mingw64_bindir}/psktool.exe +%{mingw64_bindir}/srptool.exe +%{mingw64_libdir}/libgnutls.dll.a +%{mingw64_libdir}/libgnutls-30.def +%{mingw64_libdir}/pkgconfig/gnutls.pc +%{mingw64_includedir}/gnutls/ + %changelog %autochangelog From ccfb815fcff157a72dbc7393712479ba1b3a7ef0 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 19 Oct 2022 10:23:40 +0200 Subject: [PATCH 079/152] Add conditions for mingw Signed-off-by: Zoltan Fridrich --- gnutls.spec | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 06eb471..9fb0f84 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,6 +12,11 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } +%global with_mingw 0 +%if 0%{?fedora} +%global with_mingw 0%{!?_without_mingw:1} +%endif + Version: 3.7.8 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.6.7-no-now-guile.patch @@ -74,6 +79,8 @@ BuildRequires: unbound-devel unbound-libs BuildRequires: guile22-devel %endif BuildRequires: make gtk-doc + +%if %{with_mingw} BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ @@ -90,6 +97,8 @@ BuildRequires: mingw64-readline BuildRequires: mingw64-zlib BuildRequires: mingw64-p11-kit >= 0.23.1 BuildRequires: mingw64-nettle >= 3.6 +%endif + URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz @@ -186,7 +195,7 @@ other required structures. This package contains Guile bindings for the library. %endif -# Win32 +%if %{with_mingw} %package -n mingw32-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library Requires: pkgconfig @@ -196,7 +205,6 @@ Requires: mingw32-libtasn1 >= 4.3 GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. -# Win64 %package -n mingw64-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library Requires: pkgconfig @@ -207,6 +215,7 @@ GnuTLS TLS/SSL encryption library. This library is cross-compiled for MinGW. %{?mingw_debug_package} +%endif %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' @@ -297,6 +306,7 @@ pushd native_build %make_build popd +%if %{with_mingw} # MinGW does not support CCASFLAGS export CCASFLAGS="" %mingw_configure \ @@ -316,6 +326,7 @@ export CCASFLAGS="" --disable-doc \ --with-default-priority-string="@SYSTEM" %mingw_make %{?_smp_mflags} +%endif %install %make_install -C native_build @@ -348,6 +359,7 @@ sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac %find_lang gnutls popd +%if %{with_mingw} %mingw_make_install # Remove .la files @@ -374,6 +386,7 @@ rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/crypt32.dll* rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* %mingw_debug_install_post +%endif %check %if %{with tests} @@ -433,6 +446,7 @@ popd %{_datadir}/guile/site/2.2/gnutls/extra.scm %endif +%if %{with_mingw} %files -n mingw32-%{name} %license LICENSE doc/COPYING doc/COPYING.LESSER %{mingw32_bindir}/certtool.exe @@ -464,6 +478,7 @@ popd %{mingw64_libdir}/libgnutls-30.def %{mingw64_libdir}/pkgconfig/gnutls.pc %{mingw64_includedir}/gnutls/ +%endif %changelog %autochangelog From 5aa020da73fba722d93aabee920a081bac1cd4b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 27 Oct 2022 16:52:20 +0100 Subject: [PATCH 080/152] Cross-compiled mingw sub-RPMs should be 'noarch' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Their contents should be identical (bar timestamps) regardless of which host build arch is used, since we're cross compiling. Signed-off-by: Daniel P. Berrangé --- gnutls.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index 9fb0f84..34370bf 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -200,6 +200,7 @@ This package contains Guile bindings for the library. Summary: MinGW GnuTLS TLS/SSL encryption library Requires: pkgconfig Requires: mingw32-libtasn1 >= 4.3 +BuildArch: noarch %description -n mingw32-gnutls GnuTLS TLS/SSL encryption library. This library is cross-compiled @@ -209,6 +210,7 @@ for MinGW. Summary: MinGW GnuTLS TLS/SSL encryption library Requires: pkgconfig Requires: mingw64-libtasn1 >= 4.3 +BuildArch: noarch %description -n mingw64-gnutls GnuTLS TLS/SSL encryption library. This library is cross-compiled From 0596993205a25194da3c001264b4c97d78a26b56 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Wed, 14 Dec 2022 13:55:32 +0100 Subject: [PATCH 081/152] gcc-analyzer: suppress warnings gcc analyzer causes issues in CI, this commit from upstream should fix it Signed-off-by: Frantisek Krenzelok --- ...3.7.8-gcc_analyzer-suppress_warnings.patch | 132 ++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 133 insertions(+) create mode 100644 gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch diff --git a/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch b/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch new file mode 100644 index 0000000..d8a6f4a --- /dev/null +++ b/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch @@ -0,0 +1,132 @@ +From 7fa942e08e64b761b19753ae74503de43cc1ff91 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 6 Oct 2022 18:44:48 +0900 +Subject: build: suppress GCC analyzer warnings + +Signed-off-by: Daiki Ueno + +diff --git a/lib/auth/cert.c b/lib/auth/cert.c +index 228d98468..f122049e1 100644 +--- a/lib/auth/cert.c ++++ b/lib/auth/cert.c +@@ -1636,6 +1636,10 @@ _gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_e + if (session->internals.selected_cert_list_length == 0) + return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); + ++ if (unlikely(session->internals.selected_cert_list == NULL)) { ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ } ++ + _gnutls_debug_log("Selected (%s) cert\n", + gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo)); + } +diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c +index 585cd031e..3a626a2c8 100644 +--- a/lib/nettle/int/provable-prime.c ++++ b/lib/nettle/int/provable-prime.c +@@ -1173,7 +1173,7 @@ st_provable_prime(mpz_t p, + if (iterations > 0) { + storage_length = iterations * DIGEST_SIZE; + +- storage = malloc(storage_length); ++ storage = gnutls_malloc(storage_length); + if (storage == NULL) + goto fail; + +@@ -1307,7 +1307,7 @@ st_provable_prime(mpz_t p, + mpz_clear(t); + mpz_clear(tmp); + mpz_clear(c); +- free(pseed); +- free(storage); ++ gnutls_free(pseed); ++ gnutls_free(storage); + return ret; + } +diff --git a/lib/pk.c b/lib/pk.c +index c5600a32a..753cecd18 100644 +--- a/lib/pk.c ++++ b/lib/pk.c +@@ -93,6 +93,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, + } + + if (r->data[0] >= 0x80) { ++ assert(tmp); + tmp[0] = 0; + memcpy(&tmp[1], r->data, r->size); + result = asn1_write_value(sig, "r", tmp, 1+r->size); +@@ -108,6 +109,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, + + + if (s->data[0] >= 0x80) { ++ assert(tmp); + tmp[0] = 0; + memcpy(&tmp[1], s->data, s->size); + result = asn1_write_value(sig, "s", tmp, 1+s->size); +@@ -598,6 +600,10 @@ encode_ber_digest_info(const mac_entry_st * e, + uint8_t *tmp_output; + int tmp_output_size; + ++ if (unlikely(e == NULL)) { ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ } ++ + /* prevent asn1_write_value() treating input as string */ + if (digest->size == 0) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c +index 59eddcd2a..6f528a911 100644 +--- a/lib/x509/pkcs7-crypt.c ++++ b/lib/x509/pkcs7-crypt.c +@@ -1211,6 +1211,10 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, + } + + ce = cipher_to_entry(enc_params->cipher); ++ if (unlikely(ce == NULL)) { ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_CIPHER_TYPE); ++ goto error; ++ } + block_size = _gnutls_cipher_get_block_size(ce); + + if (ce->type == CIPHER_BLOCK) { +diff --git a/src/tests.c b/src/tests.c +index 85c4b6699..8526b6943 100644 +--- a/src/tests.c ++++ b/src/tests.c +@@ -1613,7 +1613,9 @@ test_code_t test_chain_order(gnutls_session_t session) + + gnutls_free(t.data); + } +- *pos = 0; ++ if (pos) { ++ *pos = 0; ++ } + + t.size = p_size; + t.data = (void*)p; +diff --git a/src/tpmtool.c b/src/tpmtool.c +index 171b7fd41..1b230c2ff 100644 +--- a/src/tpmtool.c ++++ b/src/tpmtool.c +@@ -263,15 +263,15 @@ static void tpm_generate(FILE * out, unsigned int key_type, + gnutls_datum_t privkey, pubkey; + + if (!srk_well_known) { +- srk_pass = getpass("Enter SRK password: "); +- if (srk_pass != NULL) +- srk_pass = strdup(srk_pass); ++ char *pass = getpass("Enter SRK password: "); ++ if (pass != NULL) ++ srk_pass = strdup(pass); + } + + if (!(flags & GNUTLS_TPM_REGISTER_KEY)) { +- key_pass = getpass("Enter key password: "); +- if (key_pass != NULL) +- key_pass = strdup(key_pass); ++ char *pass = getpass("Enter key password: "); ++ if (pass != NULL) ++ key_pass = strdup(pass); + } + + ret = diff --git a/gnutls.spec b/gnutls.spec index 34370bf..b515648 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,6 +19,7 @@ print(string.sub(hash, 0, 16)) Version: 3.7.8 Release: %{?autorelease}%{!?autorelease:1%{?dist}} +Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch From d401f95817d49b6dd80bf1fe3f49474cd220af13 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 05:48:39 +0000 Subject: [PATCH 082/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering From c1f8e66db2fe6753da67a3b3dbd241ebdb85b7d9 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Thu, 8 Dec 2022 16:57:23 +0100 Subject: [PATCH 083/152] KTLS additional ciphersuites Key update supported for patched kernels [1] Configuration option `ktls = false` [2] following ciphersuites are now supported: [3] * TLS_AES_128_CCM_SHA256 * TLS_CHACHA20_POLY1305_SHA256 Ivalidate session on KTLS error as there is no way to recover and new sockets as well as session have to be created. [4] [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1625 [2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1673/diffs?commit_id=aefd7319c0b7b2410d06238246b7755b289e4837 [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/1676 [4] https://gitlab.com/gnutls/gnutls/-/merge_requests/1664 Signed-off-by: Frantisek Krenzelok --- gnutls-3.7.8-ktls_add_ciphersuites.patch | 273 ++++++ gnutls-3.7.8-ktls_invalidate_session.patch | 62 ++ gnutls-3.7.8-ktls_key_update.patch | 957 +++++++++++++++++++++ gnutls-3.7.8-ktls_minor_fixes.patch | 155 ++++ gnutls.spec | 7 +- 5 files changed, 1453 insertions(+), 1 deletion(-) create mode 100644 gnutls-3.7.8-ktls_add_ciphersuites.patch create mode 100644 gnutls-3.7.8-ktls_invalidate_session.patch create mode 100644 gnutls-3.7.8-ktls_key_update.patch create mode 100644 gnutls-3.7.8-ktls_minor_fixes.patch diff --git a/gnutls-3.7.8-ktls_add_ciphersuites.patch b/gnutls-3.7.8-ktls_add_ciphersuites.patch new file mode 100644 index 0000000..88ae1aa --- /dev/null +++ b/gnutls-3.7.8-ktls_add_ciphersuites.patch @@ -0,0 +1,273 @@ +From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Thu, 1 Dec 2022 15:37:33 +0100 +Subject: [PATCH 1/2] KTLS: add ciphersuites + +* TLS_AES_128_CCM_SHA256 +* TLS_CHACHA20_POLY1305_SHA256 + +Signed-off-by: Frantisek Krenzelok +--- + lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 153 insertions(+), 6 deletions(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 703775960..792d09ccf 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + gnutls_datum_t mac_key; + gnutls_datum_t iv; + gnutls_datum_t cipher_key; +- unsigned char seq_number[8]; ++ unsigned char seq_number[12]; + int sockin, sockout; + int ret; + +@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + int version = gnutls_protocol_get_version(session); + if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) || + (gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM && +- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) { ++ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM && ++ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM && ++ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) { + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + +@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + case GNUTLS_CIPHER_AES_128_GCM: + { + struct tls12_crypto_info_aes_gcm_128 crypto_info; +- memset(&crypto_info, 0, sizeof(crypto_info)); ++ memset(&crypto_info, 0, sizeof (crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; + assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE); +@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + case GNUTLS_CIPHER_AES_256_GCM: + { + struct tls12_crypto_info_aes_gcm_256 crypto_info; +- memset(&crypto_info, 0, sizeof(crypto_info)); ++ memset(&crypto_info, 0, sizeof (crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; + assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); +@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + } + } + break; ++ case GNUTLS_CIPHER_AES_128_CCM: ++ { ++ struct tls12_crypto_info_aes_ccm_128 crypto_info; ++ memset(&crypto_info, 0, sizeof (crypto_info)); ++ ++ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; ++ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); ++ ++ /* for TLS 1.2 IV is generated in kernel */ ++ if (version == GNUTLS_TLS1_2) { ++ crypto_info.info.version = TLS_1_2_VERSION; ++ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ } else { ++ crypto_info.info.version = TLS_1_3_VERSION; ++ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE ++ + TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ ++ memcpy(crypto_info.iv, iv.data + ++ TLS_CIPHER_AES_CCM_128_SALT_SIZE, ++ TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ } ++ ++ memcpy(crypto_info.salt, iv.data, ++ TLS_CIPHER_AES_CCM_128_SALT_SIZE); ++ memcpy(crypto_info.rec_seq, seq_number, ++ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); ++ memcpy(crypto_info.key, cipher_key.data, ++ TLS_CIPHER_AES_CCM_128_KEY_SIZE); ++ ++ if (setsockopt (sockin, SOL_TLS, TLS_RX, ++ &crypto_info, sizeof (crypto_info))) { ++ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ } ++ } ++ break; ++ case GNUTLS_CIPHER_CHACHA20_POLY1305: ++ { ++ struct tls12_crypto_info_chacha20_poly1305 crypto_info; ++ memset(&crypto_info, 0, sizeof (crypto_info)); ++ ++ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; ++ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); ++ ++ /* for TLS 1.2 IV is generated in kernel */ ++ if (version == GNUTLS_TLS1_2) { ++ crypto_info.info.version = TLS_1_2_VERSION; ++ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ } else { ++ crypto_info.info.version = TLS_1_3_VERSION; ++ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE ++ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ ++ memcpy(crypto_info.iv, iv.data + ++ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, ++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ } ++ ++ memcpy(crypto_info.salt, iv.data, ++ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); ++ memcpy(crypto_info.rec_seq, seq_number, ++ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); ++ memcpy(crypto_info.key, cipher_key.data, ++ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); ++ ++ if (setsockopt (sockin, SOL_TLS, TLS_RX, ++ &crypto_info, sizeof (crypto_info))) { ++ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ } ++ } ++ break; + default: + assert(0); + } ++ ++ + } + + ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key, +@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + case GNUTLS_CIPHER_AES_128_GCM: + { + struct tls12_crypto_info_aes_gcm_128 crypto_info; +- memset(&crypto_info, 0, sizeof(crypto_info)); ++ memset(&crypto_info, 0, sizeof (crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; + +@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + case GNUTLS_CIPHER_AES_256_GCM: + { + struct tls12_crypto_info_aes_gcm_256 crypto_info; +- memset(&crypto_info, 0, sizeof(crypto_info)); ++ memset(&crypto_info, 0, sizeof (crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; + assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); +@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + } + } + break; ++ case GNUTLS_CIPHER_AES_128_CCM: ++ { ++ struct tls12_crypto_info_aes_ccm_128 crypto_info; ++ memset(&crypto_info, 0, sizeof (crypto_info)); ++ ++ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; ++ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); ++ ++ /* for TLS 1.2 IV is generated in kernel */ ++ if (version == GNUTLS_TLS1_2) { ++ crypto_info.info.version = TLS_1_2_VERSION; ++ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ } else { ++ crypto_info.info.version = TLS_1_3_VERSION; ++ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE + ++ TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ ++ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE, ++ TLS_CIPHER_AES_CCM_128_IV_SIZE); ++ } ++ ++ memcpy (crypto_info.salt, iv.data, ++ TLS_CIPHER_AES_CCM_128_SALT_SIZE); ++ memcpy (crypto_info.rec_seq, seq_number, ++ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); ++ memcpy (crypto_info.key, cipher_key.data, ++ TLS_CIPHER_AES_CCM_128_KEY_SIZE); ++ ++ if (setsockopt (sockout, SOL_TLS, TLS_TX, ++ &crypto_info, sizeof (crypto_info))) { ++ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ } ++ } ++ break; ++ case GNUTLS_CIPHER_CHACHA20_POLY1305: ++ { ++ struct tls12_crypto_info_chacha20_poly1305 crypto_info; ++ memset(&crypto_info, 0, sizeof (crypto_info)); ++ ++ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; ++ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); ++ ++ /* for TLS 1.2 IV is generated in kernel */ ++ if (version == GNUTLS_TLS1_2) { ++ crypto_info.info.version = TLS_1_2_VERSION; ++ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ } else { ++ crypto_info.info.version = TLS_1_3_VERSION; ++ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE + ++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ ++ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, ++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ } ++ ++ memcpy (crypto_info.salt, iv.data, ++ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); ++ memcpy (crypto_info.rec_seq, seq_number, ++ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); ++ memcpy (crypto_info.key, cipher_key.data, ++ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); ++ ++ if (setsockopt (sockout, SOL_TLS, TLS_TX, ++ &crypto_info, sizeof (crypto_info))) { ++ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ } ++ } ++ break; + default: + assert(0); + } + ++ + // set callback for sending handshake messages + gnutls_handshake_set_read_function(session, + _gnutls_ktls_send_handshake_msg); +-- +2.38.1 + + +From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Fri, 2 Dec 2022 11:07:48 +0100 +Subject: [PATCH 2/2] KTLS: add ciphersuites (tests) + +Signed-off-by: Frantisek Krenzelok +--- + tests/gnutls_ktls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index 8f9c5fa36..919270778 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -350,8 +350,12 @@ void doit(void) + { + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM"); ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM"); ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"); + } + + #endif /* _WIN32 */ +-- +2.38.1 + diff --git a/gnutls-3.7.8-ktls_invalidate_session.patch b/gnutls-3.7.8-ktls_invalidate_session.patch new file mode 100644 index 0000000..aaa4793 --- /dev/null +++ b/gnutls-3.7.8-ktls_invalidate_session.patch @@ -0,0 +1,62 @@ +From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Nov 2022 11:10:58 +0900 +Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info + +Signed-off-by: Daiki Ueno +--- + src/common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/common.c b/src/common.c +index 6d2056f95..20327b41c 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", + gnutls_strerror(ret)); +- return; ++ goto cleanup; + } + + log_msg(out, "\n%s\n", (char*)pem.data); +@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, + gnutls_free(pem.data); + } + ++ cleanup: ++ gnutls_pcert_deinit(&pk_cert); + } + + /* returns false (0) if not verified, or true (1) otherwise +-- +2.38.1 + + +From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Nov 2022 11:14:53 +0900 +Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek + +Signed-off-by: Daiki Ueno +--- + tests/resume-with-previous-stek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c +index 94f165627..98aba8d84 100644 +--- a/tests/resume-with-previous-stek.c ++++ b/tests/resume-with-previous-stek.c +@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio) + + gnutls_deinit(session); + } ++ ++ gnutls_free(session_data.data); + } + + typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key, +-- +2.38.1 + diff --git a/gnutls-3.7.8-ktls_key_update.patch b/gnutls-3.7.8-ktls_key_update.patch new file mode 100644 index 0000000..5ca8a37 --- /dev/null +++ b/gnutls-3.7.8-ktls_key_update.patch @@ -0,0 +1,957 @@ +From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Tue, 2 Aug 2022 15:00:50 +0200 +Subject: [PATCH 1/7] KTLS: set key on specific interfaces + +It is now possible to set key on specific interface. +If interface given is not ktls enabled then it will be ignored. + +Signed-off-by: Frantisek Krenzelok +--- + lib/handshake.c | 2 +- + lib/system/ktls.c | 12 +++++++----- + lib/system/ktls.h | 7 ++++++- + 3 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/lib/handshake.c b/lib/handshake.c +index 21edc5ece..cb2bc3ae9 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session) + + #ifdef ENABLE_KTLS + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { +- _gnutls_ktls_set_keys(session); ++ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); + } + #endif + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index ddf27fac7..70b9b9b3a 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session) + } + } + +-int _gnutls_ktls_set_keys(gnutls_session_t session) ++int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in) + { + gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session); + gnutls_datum_t mac_key; +@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) + return ret; + } + +- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){ ++ in &= session->internals.ktls_enabled; ++ ++ if(in & GNUTLS_KTLS_RECV){ + switch (cipher) { + case GNUTLS_CIPHER_AES_128_GCM: + { +@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + } + +- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){ ++ if(in & GNUTLS_KTLS_SEND){ + switch (cipher) { + case GNUTLS_CIPHER_AES_128_GCM: + { +@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) + } + } + +- return 0; ++ return in; + } + + ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, +@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) { + void _gnutls_ktls_enable(gnutls_session_t session) { + } + +-int _gnutls_ktls_set_keys(gnutls_session_t session) { ++int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) { + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + } + +diff --git a/lib/system/ktls.h b/lib/system/ktls.h +index 8a98a8eb8..c8059092d 100644 +--- a/lib/system/ktls.h ++++ b/lib/system/ktls.h +@@ -4,14 +4,19 @@ + #include "gnutls_int.h" + + void _gnutls_ktls_enable(gnutls_session_t session); +-int _gnutls_ktls_set_keys(gnutls_session_t session); ++ ++int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in); ++ + ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, + off_t *offset, size_t count); ++ + int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, + const void *data, size_t data_size); + #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); ++ + int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type, + void *data, size_t data_size); ++ + int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size); + #define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z) + +-- +2.39.0 + + +From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Tue, 2 Aug 2022 13:35:39 +0200 +Subject: [PATCH 2/7] KTLS: set new keys for keyupdate + +set new keys durring gnutls_session_key_update() +setting keys + +Signed-off-by: Frantisek Krenzelok +--- + lib/tls13/key_update.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c +index c6f6e0aa1..10c0a9110 100644 +--- a/lib/tls13/key_update.c ++++ b/lib/tls13/key_update.c +@@ -27,6 +27,7 @@ + #include "mem.h" + #include "mbuffers.h" + #include "secrets.h" ++#include "system/ktls.h" + + #define KEY_UPDATES_WINDOW 1000 + #define KEY_UPDATES_PER_WINDOW 8 +@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) + * write keys */ + if (session->internals.recv_state == RECV_STATE_EARLY_START) { + ret = _tls13_write_connection_state_init(session, stage); ++ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) ++ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); + } else { + ret = _tls13_connection_state_init(session, stage); ++ ++ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) ++ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); ++ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) ++ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); ++ + } + if (ret < 0) + return gnutls_assert_val(ret); +-- +2.39.0 + + +From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Wed, 3 Aug 2022 14:20:35 +0200 +Subject: [PATCH 3/7] KTLS: send update key request + +Set hanshake send function after interface initialization +TODO: handel setting function differently + +Signed-off-by: Frantisek Krenzelok +--- + lib/record.c | 23 ++++++++++++++++------- + lib/system/ktls.c | 21 +++++++++++++++++++++ + lib/system/ktls.h | 5 +++++ + 3 files changed, 42 insertions(+), 7 deletions(-) + +diff --git a/lib/record.c b/lib/record.c +index fd24acaf1..aad128e1f 100644 +--- a/lib/record.c ++++ b/lib/record.c +@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data, + session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3; + FALLTHROUGH; + case RECORD_SEND_KEY_UPDATE_3: +- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, +- -1, EPOCH_WRITE_CURRENT, +- session->internals.record_key_update_buffer.data, +- session->internals.record_key_update_buffer.length, +- MBUFFER_FLUSH); ++ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { ++ return _gnutls_ktls_send(session, ++ session->internals.record_key_update_buffer.data, ++ session->internals.record_key_update_buffer.length); ++ } else { ++ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, ++ -1, EPOCH_WRITE_CURRENT, ++ session->internals.record_key_update_buffer.data, ++ session->internals.record_key_update_buffer.length, ++ MBUFFER_FLUSH); ++ } + _gnutls_buffer_clear(&session->internals.record_key_update_buffer); + session->internals.rsend_state = RECORD_SEND_NORMAL; + if (ret < 0) +@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session, + return gnutls_assert_val(0); + + /* When using this, the outgoing handshake messages should +- * also be handled manually */ +- if (!session->internals.h_read_func) ++ * also be handled manually unless KTLS is enabled exclusively ++ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages ++ * are handled by GnuTLS. ++ */ ++ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (session->internals.initial_negotiation_completed) { +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 70b9b9b3a..5da0a8069 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + default: + assert(0); + } ++ // set callback for sending handshake messages ++ gnutls_handshake_set_read_function(session, ++ _gnutls_ktls_send_handshake_msg); + } + + return in; +@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, + return data_size; + } + ++int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, ++ gnutls_record_encryption_level_t level, ++ gnutls_handshake_description_t htype, ++ const void *data, size_t data_size) ++{ ++ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, ++ data, data_size); ++} ++ + int _gnutls_ktls_recv_control_msg(gnutls_session_t session, + unsigned char *record_type, void *data, size_t data_size) + { +@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + } + ++int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, ++ gnutls_record_encryption_level_t level, ++ gnutls_handshake_description_t htype, ++ const void *data, size_t data_size) ++{ ++ (void)level; ++ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); ++} ++ + int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, + void *data, size_t data_size) { + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); +diff --git a/lib/system/ktls.h b/lib/system/ktls.h +index c8059092d..8d61a49df 100644 +--- a/lib/system/ktls.h ++++ b/lib/system/ktls.h +@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, + off_t *offset, size_t count); + ++int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, ++ gnutls_record_encryption_level_t level, ++ gnutls_handshake_description_t htype, ++ const void *data, size_t data_size); ++ + int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, + const void *data, size_t data_size); + #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); +-- +2.39.0 + + +From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Mon, 22 Aug 2022 10:50:37 +0200 +Subject: [PATCH 4/7] KTLS: receive key update + +handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly + +Signed-off-by: Frantisek Krenzelok +--- + lib/system/ktls.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 5da0a8069..f3cb343ae 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, + ret = 0; + break; + case GNUTLS_HANDSHAKE: +- // ignore post-handshake messages ++ ret = gnutls_handshake_write(session, ++ GNUTLS_ENCRYPTION_LEVEL_APPLICATION, ++ data, ret); ++ ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ + if (type != record_type) + return GNUTLS_E_AGAIN; + break; +-- +2.39.0 + + +From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Fri, 5 Aug 2022 16:38:02 +0200 +Subject: [PATCH 5/7] KTLS: set write alert callback + +Use callback for sending alerts. + +Signed-off-by: Frantisek Krenzelok +--- + lib/alert.c | 13 ++++--------- + lib/system/ktls.c | 15 +++++++++++++++ + lib/system/ktls.h | 5 +++++ + 3 files changed, 24 insertions(+), 9 deletions(-) + +diff --git a/lib/alert.c b/lib/alert.c +index 50bd1d3de..fda8cd79f 100644 +--- a/lib/alert.c ++++ b/lib/alert.c +@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level, + return ret; + } + +- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { +- ret = +- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); +- } else { +- ret = +- _gnutls_send_int(session, GNUTLS_ALERT, -1, +- EPOCH_WRITE_CURRENT, data, 2, +- MBUFFER_FLUSH); +- } ++ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, ++ EPOCH_WRITE_CURRENT, data, 2, ++ MBUFFER_FLUSH); ++ + return (ret < 0) ? ret : 0; + } + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index f3cb343ae..703775960 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable + default: + assert(0); + } ++ + // set callback for sending handshake messages + gnutls_handshake_set_read_function(session, + _gnutls_ktls_send_handshake_msg); ++ ++ // set callback for sending alert messages ++ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg); + } + + return in; +@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, + data, data_size); + } + ++int _gnutls_ktls_send_alert_msg(gnutls_session_t session, ++ gnutls_record_encryption_level_t level, ++ gnutls_alert_level_t alert_level, ++ gnutls_alert_description_t alert_desc) ++{ ++ uint8_t data[2]; ++ data[0] = (uint8_t) alert_level; ++ data[1] = (uint8_t) alert_desc; ++ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); ++} ++ + int _gnutls_ktls_recv_control_msg(gnutls_session_t session, + unsigned char *record_type, void *data, size_t data_size) + { +diff --git a/lib/system/ktls.h b/lib/system/ktls.h +index 8d61a49df..64e1c9c1c 100644 +--- a/lib/system/ktls.h ++++ b/lib/system/ktls.h +@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, + gnutls_handshake_description_t htype, + const void *data, size_t data_size); + ++int _gnutls_ktls_send_alert_msg(gnutls_session_t session, ++ gnutls_record_encryption_level_t level, ++ gnutls_alert_level_t alert_level, ++ gnutls_alert_description_t alert_desc); ++ + int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, + const void *data, size_t data_size); + #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); +-- +2.39.0 + + +From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Tue, 9 Aug 2022 12:11:16 +0200 +Subject: [PATCH 6/7] KTLS: rekey test + +Signed-off-by: Frantisek Krenzelok +--- + tests/Makefile.am | 2 + + tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++ + tests/ktls_keyupdate.sh | 46 +++++ + 3 files changed, 429 insertions(+) + create mode 100644 tests/ktls_keyupdate.c + create mode 100755 tests/ktls_keyupdate.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 1122886b3..2d345d478 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -500,6 +500,8 @@ endif + if ENABLE_KTLS + indirect_tests += gnutls_ktls + dist_check_SCRIPTS += ktls.sh ++indirect_tests += ktls_keyupdate ++dist_check_SCRIPTS += ktls_keyupdate.sh + endif + + if !WINDOWS +diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c +new file mode 100644 +index 000000000..9fbff38ae +--- /dev/null ++++ b/tests/ktls_keyupdate.c +@@ -0,0 +1,381 @@ ++// Copyright (C) 2022 Red Hat, Inc. ++// ++// Author: Frantisek Krenzelok ++// ++// This file is part of GnuTLS. ++// ++// GnuTLS is free software; you can redistribute it and/or modify it ++// under the terms of the GNU General Public License as published by the ++// Free Software Foundation; either version 3 of the License, or (at ++// your option) any later version. ++// ++// GnuTLS is distributed in the hope that it will be useful, but ++// WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++// General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with GnuTLS; if not, write to the Free Software Foundation, ++// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "cert-common.h" ++#include "utils.h" ++ ++#if defined(_WIN32) ++ ++int main(void) ++{ ++ exit(77); ++} ++ ++#else ++ ++ ++#define MAX_BUF 1024 ++#define MSG "Hello world!" ++ ++#define HANDSHAKE(session, name, ret)\ ++{\ ++ do {\ ++ ret = gnutls_handshake(session);\ ++ }\ ++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\ ++ if (ret < 0) {\ ++ fail("%s: Handshake failed\n", name);\ ++ goto end;\ ++ }\ ++} ++ ++#define SEND_MSG(session, name, ret)\ ++{\ ++ do {\ ++ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\ ++ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ ++ if (ret < 0) {\ ++ fail("%s: data sending has failed (%s)\n",name,\ ++ gnutls_strerror(ret));\ ++ goto end;\ ++ }\ ++} ++ ++#define RECV_MSG(session, name, buffer, buffer_len, ret)\ ++{\ ++ memset(buffer, 0, sizeof(buffer));\ ++ do{\ ++ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\ ++ }\ ++ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ ++ if (ret == 0) {\ ++ success("%s: Peer has closed the TLS connection\n", name);\ ++ goto end;\ ++ } else if (ret < 0) {\ ++ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\ ++ goto end;\ ++ }\ ++ if(strncmp(buffer, MSG, ret)){\ ++ fail("%s: Message doesn't match\n", name);\ ++ goto end;\ ++ }\ ++} ++ ++#define KEY_UPDATE(session, name, peer_req, ret)\ ++{\ ++ do {\ ++ ret = gnutls_session_key_update(session, peer_req);\ ++ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ ++ if (ret < 0) {\ ++ fail("%s: key update has failed (%s)\n", name, \ ++ gnutls_strerror(ret));\ ++ goto end;\ ++ }\ ++} ++ ++#define CHECK_KTLS_ENABLED(session, ret)\ ++{\ ++ ret = gnutls_transport_is_ktls_enabled(session);\ ++ if (!(ret & GNUTLS_KTLS_RECV)){\ ++ fail("client: KTLS was not properly initialized\n");\ ++ goto end;\ ++ }\ ++} ++ ++static void server_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "server|<%d>| %s", level, str); ++} ++ ++static void client_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "client|<%d>| %s", level, str); ++} ++ ++ ++static void client(int fd, const char *prio, int pipe) ++{ ++ const char *name = "client"; ++ int ret; ++ char foo; ++ char buffer[MAX_BUF + 1]; ++ gnutls_certificate_credentials_t x509_cred; ++ gnutls_session_t session; ++ ++ global_init(); ++ ++ if (debug) { ++ gnutls_global_set_log_function(client_log_func); ++ gnutls_global_set_log_level(7); ++ } ++ ++ gnutls_certificate_allocate_credentials(&x509_cred); ++ ++ gnutls_init(&session, GNUTLS_CLIENT); ++ gnutls_handshake_set_timeout(session, 0); ++ ++ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); ++ ++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); ++ ++ gnutls_transport_set_int(session, fd); ++ ++ HANDSHAKE(session, name, ret); ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ // Test 0: Try sending/receiving data ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ SEND_MSG(session, name, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ // Test 1: Servers does key update ++ read(pipe, &foo, 1); ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ SEND_MSG(session, name, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ // Test 2: Does key update witch request ++ read(pipe, &foo, 1); ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ SEND_MSG(session, name, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); ++ if (ret < 0) { ++ fail("client: error in closing session: %s\n", gnutls_strerror(ret)); ++ } ++ ++ ret = 0; ++ end: ++ ++ close(fd); ++ ++ gnutls_deinit(session); ++ ++ gnutls_certificate_free_credentials(x509_cred); ++ ++ gnutls_global_deinit(); ++ ++ if (ret != 0) ++ exit(1); ++} ++ ++pid_t child; ++static void terminate(void) ++{ ++ assert(child); ++ kill(child, SIGTERM); ++ exit(1); ++} ++ ++static void server(int fd, const char *prio, int pipe) ++{ ++ const char *name = "server"; ++ int ret; ++ char bar = 0; ++ char buffer[MAX_BUF + 1]; ++ gnutls_certificate_credentials_t x509_cred; ++ gnutls_session_t session; ++ ++ global_init(); ++ ++ if (debug) { ++ gnutls_global_set_log_function(server_log_func); ++ gnutls_global_set_log_level(7); ++ } ++ ++ gnutls_certificate_allocate_credentials(&x509_cred); ++ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, ++ &server_key, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) ++ exit(1); ++ ++ gnutls_init(&session, GNUTLS_SERVER); ++ gnutls_handshake_set_timeout(session, 0); ++ ++ assert(gnutls_priority_set_direct(session, prio, NULL)>=0); ++ ++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); ++ ++ gnutls_transport_set_int(session, fd); ++ ++ HANDSHAKE(session, name, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ success("Test 0: sending/receiving data\n"); ++ SEND_MSG(session, name, ret) ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ success("Test 1: server key update without request\n"); ++ KEY_UPDATE(session, name, 0, ret) ++ write(pipe, &bar, 1); ++ SEND_MSG(session, name, ret) ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ success("Test 2: server key update with request\n"); ++ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret) ++ write(pipe, &bar, 1); ++ SEND_MSG(session, name, ret) ++ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) ++ ++ CHECK_KTLS_ENABLED(session, ret) ++ ++ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); ++ if (ret < 0) { ++ fail("server: error in closing session: %s\n", gnutls_strerror(ret)); ++ } ++ ++ ret = 0; ++end: ++ close(fd); ++ gnutls_deinit(session); ++ ++ gnutls_certificate_free_credentials(x509_cred); ++ ++ gnutls_global_deinit(); ++ ++ if (ret){ ++ terminate(); ++ } ++ ++ if (debug) ++ success("server: finished\n"); ++} ++ ++static void ch_handler(int sig) ++{ ++ return; ++} ++ ++static void run(const char *prio) ++{ ++ int ret; ++ struct sockaddr_in saddr; ++ socklen_t addrlen; ++ int listener; ++ int fd; ++ ++ int sync_pipe[2]; //used for synchronization ++ pipe(sync_pipe); ++ ++ success("running ktls test with %s\n", prio); ++ ++ signal(SIGCHLD, ch_handler); ++ signal(SIGPIPE, SIG_IGN); ++ ++ listener = socket(AF_INET, SOCK_STREAM, 0); ++ if (listener == -1){ ++ fail("error in listener(): %s\n", strerror(errno)); ++ } ++ ++ memset(&saddr, 0, sizeof(saddr)); ++ saddr.sin_family = AF_INET; ++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); ++ saddr.sin_port = 0; ++ ++ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr)); ++ if (ret == -1){ ++ fail("error in bind(): %s\n", strerror(errno)); ++ } ++ ++ addrlen = sizeof(saddr); ++ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen); ++ if (ret == -1){ ++ fail("error in getsockname(): %s\n", strerror(errno)); ++ } ++ ++ child = fork(); ++ if (child < 0) { ++ fail("error in fork(): %s\n", strerror(errno)); ++ exit(1); ++ } ++ ++ if (child) { ++ int status; ++ /* parent */ ++ ret = listen(listener, 1); ++ if (ret == -1) { ++ fail("error in listen(): %s\n", strerror(errno)); ++ } ++ ++ fd = accept(listener, NULL, NULL); ++ if (fd == -1) { ++ fail("error in accept(): %s\n", strerror(errno)); ++ } ++ ++ close(sync_pipe[0]); ++ server(fd, prio, sync_pipe[1]); ++ ++ wait(&status); ++ check_wait_status(status); ++ } else { ++ fd = socket(AF_INET, SOCK_STREAM, 0); ++ if (fd == -1){ ++ fail("error in socket(): %s\n", strerror(errno)); ++ exit(1); ++ } ++ ++ usleep(1000000); ++ connect(fd, (struct sockaddr*)&saddr, addrlen); ++ ++ close(sync_pipe[1]); ++ client(fd, prio, sync_pipe[0]); ++ exit(0); ++ } ++} ++ ++void doit(void) ++{ ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); ++ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); ++} ++ ++#endif /* _WIN32 */ +diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh +new file mode 100755 +index 000000000..d072acafc +--- /dev/null ++++ b/tests/ktls_keyupdate.sh +@@ -0,0 +1,46 @@ ++#!/bin/sh ++ ++# Copyright (C) 2022 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++: ${builddir=.} ++ ++. "$srcdir/scripts/common.sh" ++ ++if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then ++ exit 77 ++fi ++ ++testdir=`create_testdir ktls_keyupdate` ++ ++cfg="$testdir/config" ++ ++cat < "$cfg" ++[global] ++ktls = true ++EOF ++ ++GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ ++GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ ++"$builddir/ktls_keyupdate" "$@" ++rc=$? ++ ++rm -rf "$testdir" ++exit $rc +-- +2.39.0 + + +From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Mon, 5 Sep 2022 13:05:17 +0200 +Subject: [PATCH 7/7] KTLS: fallback to default + +If an error occurs during setting of keys either initial or key update +then fallback to default mode of operation (disable ktls) and let the +user know + +Signed-off-by: Frantisek Krenzelok +--- + lib/handshake.c | 7 ++++++- + lib/tls13/key_update.c | 23 +++++++++++++++++++---- + 2 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/lib/handshake.c b/lib/handshake.c +index cb2bc3ae9..14bcdea56 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session) + + #ifdef ENABLE_KTLS + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { +- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); ++ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); ++ if (ret < 0) { ++ session->internals.ktls_enabled = 0; ++ _gnutls_audit_log(session, ++ "disabling KTLS: failed to set keys\n"); ++ } + } + #endif + +diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c +index 10c0a9110..acfda4129 100644 +--- a/lib/tls13/key_update.c ++++ b/lib/tls13/key_update.c +@@ -32,6 +32,20 @@ + #define KEY_UPDATES_WINDOW 1000 + #define KEY_UPDATES_PER_WINDOW 8 + ++/* ++ * Sets kTLS keys if enabled. ++ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled ++ * because KTLS most likely doesn't support key update. ++ */ ++#define SET_KTLS_KEYS(session, interface)\ ++{\ ++ if(_gnutls_ktls_set_keys(session, interface) < 0) {\ ++ session->internals.ktls_enabled = 0;\ ++ _gnutls_audit_log(session, \ ++ "disabling KTLS: couldn't update keys\n");\ ++ }\ ++} ++ + static int update_keys(gnutls_session_t session, hs_stage_t stage) + { + int ret; +@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) + if (session->internals.recv_state == RECV_STATE_EARLY_START) { + ret = _tls13_write_connection_state_init(session, stage); + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) +- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); ++ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) + } else { + ret = _tls13_connection_state_init(session, stage); ++ if (ret < 0) ++ return gnutls_assert_val(ret); + + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) +- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); ++ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) + else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) +- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); +- ++ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV) + } + if (ret < 0) + return gnutls_assert_val(ret); +-- +2.39.0 + diff --git a/gnutls-3.7.8-ktls_minor_fixes.patch b/gnutls-3.7.8-ktls_minor_fixes.patch new file mode 100644 index 0000000..99749a1 --- /dev/null +++ b/gnutls-3.7.8-ktls_minor_fixes.patch @@ -0,0 +1,155 @@ +From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Nov 2022 12:17:12 +0900 +Subject: [PATCH 1/3] includes: move KTLS function definition out of + + + is meant for the functions that depend on +, which is not available on Windows platforms. + +As the KTLS API doesn't rely on , move the function and +enum to . + +Signed-off-by: Daiki Ueno +--- + lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++ + lib/includes/gnutls/socket.h | 21 --------------------- + 2 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in +index 394d465e3..830ce5f95 100644 +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void); + + int gnutls_fips140_run_self_tests(void); + ++/** ++ * gnutls_transport_ktls_enable_flags_t: ++ * @GNUTLS_KTLS_RECV: ktls enabled for recv function. ++ * @GNUTLS_KTLS_SEND: ktls enabled for send function. ++ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. ++ * ++ * Flag enumeration of ktls enable status for recv and send functions. ++ * This is used by gnutls_transport_is_ktls_enabled(). ++ * ++ * Since: 3.7.3 ++ */ ++typedef enum { ++ GNUTLS_KTLS_RECV = 1 << 0, ++ GNUTLS_KTLS_SEND = 1 << 1, ++ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, ++} gnutls_transport_ktls_enable_flags_t; ++ ++ ++gnutls_transport_ktls_enable_flags_t ++gnutls_transport_is_ktls_enabled(gnutls_session_t session); ++ + /* Gnutls error codes. The mapping to a TLS alert is also shown in + * comments. + */ +diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h +index 4df7bb2e0..64eb19f89 100644 +--- a/lib/includes/gnutls/socket.h ++++ b/lib/includes/gnutls/socket.h +@@ -37,27 +37,6 @@ extern "C" { + #endif + /* *INDENT-ON* */ + +-/** +- * gnutls_transport_ktls_enable_flags_t: +- * @GNUTLS_KTLS_RECV: ktls enabled for recv function. +- * @GNUTLS_KTLS_SEND: ktls enabled for send function. +- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. +- * +- * Flag enumeration of ktls enable status for recv and send functions. +- * This is used by gnutls_transport_is_ktls_enabled(). +- * +- * Since: 3.7.3 +- */ +-typedef enum { +- GNUTLS_KTLS_RECV = 1 << 0, +- GNUTLS_KTLS_SEND = 1 << 1, +- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, +-} gnutls_transport_ktls_enable_flags_t; +- +- +-gnutls_transport_ktls_enable_flags_t +-gnutls_transport_is_ktls_enabled(gnutls_session_t session); +- + void gnutls_transport_set_fastopen(gnutls_session_t session, + int fd, + struct sockaddr *connect_addr, +-- +2.38.1 + + +From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Nov 2022 12:13:31 +0900 +Subject: [PATCH 2/3] src: print KTLS enablement status in + gnutls-serv/gnutls-cli + +Signed-off-by: Daiki Ueno +--- + src/common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/common.c b/src/common.c +index 6d2056f95..d357c7fb8 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags) + gnutls_datum_t p; + char *desc; + gnutls_protocol_t version; ++ gnutls_transport_ktls_enable_flags_t ktls_flags; + int rc; + + desc = gnutls_session_get_desc(session); +@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags) + + print_channel_bindings(session, verbose); + ++ ktls_flags = gnutls_transport_is_ktls_enabled(session); ++ if (ktls_flags != 0) { ++ log_msg(stdout, "- KTLS: %s\n", ++ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" : ++ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" : ++ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" : ++ "unknown"); ++ } ++ + fflush(stdout); + + return 0; +-- +2.38.1 + + +From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Nov 2022 12:15:26 +0900 +Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file + +Signed-off-by: Daiki Ueno +--- + lib/priority.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/priority.c b/lib/priority.c +index 97831e63b..6266bb571 100644 +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, + p = clear_spaces(value, str); + if (c_strcasecmp(p, "true") == 0) { + cfg->ktls_enabled = true; ++ } else if (c_strcasecmp(p, "false") == 0) { ++ cfg->ktls_enabled = false; + } else { + _gnutls_debug_log("cfg: unknown ktls mode %s\n", + p); +-- +2.38.1 + diff --git a/gnutls.spec b/gnutls.spec index b515648..22040f8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -20,8 +20,13 @@ print(string.sub(hash, 0, 16)) Version: 3.7.8 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch -Patch: gnutls-3.6.7-no-now-guile.patch Patch: gnutls-3.2.7-rpath.patch +Patch: gnutls-3.6.7-no-now-guile.patch + +Patch: gnutls-3.7.8-ktls_key_update.patch +Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch +Patch: gnutls-3.7.8-ktls_minor_fixes.patch +Patch: gnutls-3.7.8-ktls_invalidate_session.patch %bcond_without bootstrap %bcond_without dane From a9d1c50f1a8a293b72fcdae952c6bb5e2b14a259 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 20 Jan 2023 16:49:47 +0100 Subject: [PATCH 084/152] KTLS: disable ktls_keyupdate & tls1.2 chachapoly tests There seems to be a kernel specific issues with CHACHA20-POLY1305 for TLS 1.2 [1] The test fails without a needed kernel patch [1] https://gitlab.com/gnutls/gnutls/-/issues/1443 Signed-off-by: Frantisek Krenzelok --- gnutls-3.7.8-ktls_disable_keyupdate_test.patch | 13 +++++++++++++ gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch | 12 ++++++++++++ gnutls.spec | 6 ++++++ 3 files changed, 31 insertions(+) create mode 100644 gnutls-3.7.8-ktls_disable_keyupdate_test.patch create mode 100644 gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch diff --git a/gnutls-3.7.8-ktls_disable_keyupdate_test.patch b/gnutls-3.7.8-ktls_disable_keyupdate_test.patch new file mode 100644 index 0000000..cab7547 --- /dev/null +++ b/gnutls-3.7.8-ktls_disable_keyupdate_test.patch @@ -0,0 +1,13 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2872cb1aa..247dfd3d8 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -504,8 +504,6 @@ endif + if ENABLE_KTLS + indirect_tests += gnutls_ktls + dist_check_SCRIPTS += ktls.sh +-indirect_tests += ktls_keyupdate +-dist_check_SCRIPTS += ktls_keyupdate.sh + endif + + if !WINDOWS diff --git a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch new file mode 100644 index 0000000..d986a36 --- /dev/null +++ b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch @@ -0,0 +1,12 @@ +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index 919270778..778a2f94a 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -351,7 +351,6 @@ void doit(void) + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM"); +- run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM"); diff --git a/gnutls.spec b/gnutls.spec index 22040f8..f264ae2 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -28,6 +28,12 @@ Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch Patch: gnutls-3.7.8-ktls_minor_fixes.patch Patch: gnutls-3.7.8-ktls_invalidate_session.patch +# Delete only after the kernel has been patched for thested systems +Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch + +# follow https://gitlab.com/gnutls/gnutls/-/issues/1443 +Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch + %bcond_without bootstrap %bcond_without dane %if 0%{?rhel} From 9df43c9df7625f3797999eb088bf53dc71883ee9 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 14 Feb 2023 13:59:28 +0100 Subject: [PATCH 085/152] Prepare for release Signed-off-by: Zoltan Fridrich --- gnutls-3.7.4.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.7.5.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.7.6.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.7.7.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.7.8.tar.xz.sig | Bin 1250 -> 0 bytes gnutls-release-keyring.gpg | Bin 26256 -> 0 bytes gnutls.spec | 2 +- sources | 2 ++ 8 files changed, 3 insertions(+), 1 deletion(-) delete mode 100644 gnutls-3.7.4.tar.xz.sig delete mode 100644 gnutls-3.7.5.tar.xz.sig delete mode 100644 gnutls-3.7.6.tar.xz.sig delete mode 100644 gnutls-3.7.7.tar.xz.sig delete mode 100644 gnutls-3.7.8.tar.xz.sig delete mode 100644 gnutls-release-keyring.gpg diff --git a/gnutls-3.7.4.tar.xz.sig b/gnutls-3.7.4.tar.xz.sig deleted file mode 100644 index b9c03b613433c41a237be8218cedfb14bbb47c87..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrVlyr80162ZdUd8q zv-u(n1fT%@6p|Gjsi!d%jZayHA(`cQ<>+~sy4$WtrhapJo4T(K0RXwd%q}q}Ybf;b z%vd1>kQOV+LR^s~^WXqaLUuumtqh3*GXwwu2ml=xAp}MuCBw9DG>4zaNo>{ygpSwd zm~jOHVlz7C0162Z)&+!)*XEdUbkz_26y8?IDiWQ~yL{S3<@MyX0J#&?!B!Hmkuqjr zVjSXJp&OyeF&uRa*1-ZjIZQ|HW5c4yp=uLm>WYU-Ib4Irr?CgoL7fZ1l$y6 z!bx4F4Jylhe5XS-;?wZ38V=L4I0Z)%$ zmHdQpnRXGHNa_UoPKj_Kdd5(Pc!UPKU8^0qG>GF{yJD%H&W;gP{`zG7$PG;qSKAr; Ty-KhOFJ<0WcXPu(BNiKNz}7%A diff --git a/gnutls-3.7.5.tar.xz.sig b/gnutls-3.7.5.tar.xz.sig deleted file mode 100644 index b1e591f3f7c26af957334d33efb4ff3085501d1b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrVtojB0162ZdUd8q zv-u(nw*>(IQVa%7W49>fM5KR_wVg;cFShzNT&Y1NDK&B`xlr5W0RL^^JLh<|DKQ|4 z8}_{OUkD!EFGKQ54zaNo>{ygpSwd zm~jOHVtpTt0162Z)&+!)*XEdUsZ0<5K?NGDVyp9oAj!B=TrD?H!L(8*Fxq>^>+_!( zX?Ub3u#)1@-RqY>v88qw`^m_WEG1$14ofMBfgIz_MmE~pVIAV4$rQ@*RrX*D!`I~a!kAQ(04)dm?K94|16jz}> zv1Z;%Vph$#iMI-N{M`_yC1hz*#vMYUnlMTYmy4bktI6P3Mr)yVC+g%CeKykz{>=HV zND_ePY5}YAhh(x1+mAF^k=^mrDC$^YNHeZrP0JvfqT1%*6w;kw_ zR>R%#rt)OQ;Vb*ELgr&6HSR6|X#6dJvJQ16z>W?Tk(Q1ystr(LRrw!>!4qNj;~>G{y)@OgqHv11 Tgh%PbJ8f@0Zcx^u-OUEF diff --git a/gnutls-3.7.6.tar.xz.sig b/gnutls-3.7.6.tar.xz.sig deleted file mode 100644 index 70cb359cfa200e21bbf41fbe8a97062d6596949b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%DM=asUbm5Y`2R zj@Raxag~S<|6D@l3C3#|Jf^=OwKKysslXB+p;!Ex&05zgiTPH4f-KUI^0rO|%5HLC zcqlZLJfI{ft90^YHlVmsW)tiIu5|vOl1A3=r=NDpLbuo^P5iV~Z+iBr#DLYG_l^-N z+@%p;65TrGX*i(k0ncB=DN2|=SdBdZ{z}TT7YJzgd1Gl)R-71t9Q>nrlmFsxeI4)7 z>|q#*M2D~Y380*5)@$X#B`lg0oraC@$tlt)#8EE*=!619mLQo7xciwU-KDl|G~PmX zY_{lGs%M0eh}D7x4UyAoekX+{eM$g-=HuV9rmaV_{JKfa+Z~^qu|4^2?Jp0oi>E#I zKXKXFg;k#?1p~(g-e*Y1yN6xR1Hruv@nk8NM7n`s3rV{Hw(j&apnj*?g(n&OGf0Cy zt$0!7N0u;x={}M;VX>uG_`zH0vX4YYSf8wj_pC&#>tiUL{%EMrFH8<(>LG!Ha_@i- z4Fo0C@#5uqcs zZL4w_X10cGjIq8Gs_rimDBxqByOUO7eR~O!%%s8ni;$kT5P65+Hn#qFy(#!8gF{|f z{fKo002T@W9Tp)3T}I0fb~FX21vOUmdUd8qv-u(n1p;D_l4Sr22@ra9rbx5-A`I}} z0RA~Yf@MX8iwd_>M6_sh73C=7B7}?+21`rW9!3W-oTC8%yxSB_;^bY^-$zRA&RE{( THJM||bc2D~!02dd{0%GEs`~V6G5Y`2R zj@RaxaZp+h{w0(&Lqs0#=Rr`Yltw6^=~Xpll_pmFJ(@;wkR?#JYkkc~;cUN{tg>e!cdumtUZiZw9Id-cm35L+ zH1GE`Lk5jGZa3H7uNj$CH1wT~#8IIa_5w0R31S{&SbZ|OcDns3sud2R0OS?H`Lb;$FF)6!eIf&o79oY?B4`J7 za^EV}QKHK1W2;|IOGN#3Z+(>8&LX_VRDl#K9>7P&Q>;nYhMZky8MSOP$qMDmWX9mT zz&&~Jf;uSxZMMIA4&B*Qu)ek{k-=PcyT`!+6GL+iHm{D3iMU84N&*xq z+-iI))|KI`Xfw)#dc2@nQ9GOlH;XWb2oFt5NKO*Fn!9^ES_R<3t^OoM|~pFh~#;>9!IXG45!^IPF15x{Z z%>9$1luWy0Fl>TsjLAAoCJ+>G4l#H#>6faS0^Y;D6)r2R4L$@`I@YLf1 z%7S7ItwE2fYrflloNaOjRw-0Tj=8sU3rpk-2e*%^xD|QuDd*7-arm&kfuo4e^<7cr z^Ur@)_v?cm1;+TDpw4#`Dz0cY-J!Z@&OI(2jbgyqLJXZd=8lgl1lPiV!LL|!(TOlF zjTnd_B?7y&eWj?id8RCDS7vX{{rtM6aksH6l?s#KWk9muyI0v;07er&2x@f;nKW>6 z+}8Vbn@f%eHY(N|One3Zi;!(9e_C1z-1>IVA)v`I-q8+9l6)V2^?ClN)-7Bo zHiz^OD<`br{(ypMrt-TQb)@*Y?MG0itV*mbvkM_w_rx7Y-n-e zJBb1^1ONdD038+~1V$ny!?bTSho8tvY}N&Yj@RaxaRmZnGZRMu3JDO_1%!^*=9qDE zhY$83)3ChQHl^|CKPU9>Lm(>d!#gZ(IH%6kih4DDU^-vk&n@&$`B>uj!}LZfcYetU z%$Uu%yqU!Bn6XRM6JD($xMUgAVw$R&d709h&&zOI3~G|GT&K`Lc8lN9#auCwn?B)O z1M618Xn5?sU9!uftSyb4pT3-bLJH>nykGzIT>O0@88rHof-K$?TzRV{s76zMds z-!bm_R;18`(HE|=fI-^kZb{|yvw3*B8)neHeacnW1K-qkXAgv6kQ~lFaEl=xrG9-3 z=nl?HGI-DWU1xs=W8u%D7!=;Yo$-fkZ}Q+xxeyKupD|AeYf{xG5%FWfkc*`?|Hpaz z$JJu)=Ct~|kB23p^)C>&8N-^Uo6KE%JE}Ka9&)8g$FjQ2sZg+a1vb z>tNw^N@Y~Y7 zLM`u~8315bRytW>m%39$@zCO}?b+d>9O^Cr{T}_sk%m<)aMb!~?OH*MTy=b|$8pw{O8qqV648KF=<`DM}1PB*UCBV(v-^b4)k6oKwI zG*j7G`Vf!=^M@HC3hTN&nLw_9i+h==(notz3Ui+g46_-the2yBAu?Ao%@T*?xcM-F z`7+Z~%~1W+PNYRM-zWt*b!Ka-YjBcvy?Oa5yxdRyr(cKNAL->>2@qj{(3_V$JuLh> z`HkmdtkL7c__b3q5B}9!s`@58 z7SORIUF+@n{A4j`1O1RS_!AOz7F+9S?=afWAzZzo2sA>(I(dJh2Nl5!(pzP8J*ytM zFp)}SDox>#K+i`32n6j-({L_B!cR7vocg-=$6?ir^)(XuY-bayGvqrQENhbFYqAM4 zbT>noXMdyZz|slCD%Svb<~5le%N)!oQ`=K?y?3NPYDmyu`pqCn!0OW7%zNjtA+zaf zIwTc7N4T%_AQ?mcS|>dG)o~O+xhZH#2(&K{tCVPd67cXL<)`3;rlzRZtWl zU;sZb4hS$l5HLm{7z`971PB-!G!!HZ7&xW$1rB7Z{4b`>l%e(faF z2@F`L8oL_|3cHdX4gd{>`0w%SGK5b&fdX2%*crOo15t)nHc0RUgi%@Uo@4YEP8xhG z@;Wv85R@`K<7C*9j|LoejdXWdVdQ!6fDj#$jk`(xs0brQELxa=yA^7Drwg$L(Wy$Q zcsXZaTcKZ&Ma(LTXYIHkjvP1_jzL2WuflQUQ&H=n$p&-Sq)`b^!~zdd$GIRC6+GeX z?oXa*9Vn1ggNg<;#CRWl95<>$jlUhLijzB%Ou;?L`V#4TAb(CpbB36#FG;r}JponG zj*_{<`%dpdNDyJGZG(=}TsUwks}>?5!1#EncUy=`xIOKNY-l{Th2x&X~FO28qd zSTFYPBQIfktZV`Tj?oxn3<4@8pzXi7+i)LVXgVX8kkBy|yQ>!y{UByPlkmR(oi(k&HXP`aa{=jg zJkO)ItPWwMx7w{NA}jkf#ZmhJQa25?m8z1|z#Z7^d>SIZ{P8@NL(kv>lcwZ4q9IK5 zHI13H}u?hJ@OURIghM!&Ho0IoUAob@wRj|A(T$ z6MP*M!h_JCSRz()afSmwQXCW!2^atl1}tsysP>l*P<*a>r|9TWK`#*RR{uR2W2gU&b{|8TC zP&8mj5YWGP{)^iG1kipE;ak>RwXpSD&m@Hmp13XQh_LcW+sF|1s~BICI|C|`UPS%* zcMJxFeRC>jUzk@vQYUK}zsa>3^$(-%wbCI(HW?!5xQf(tES(Vy`c%mlC-n>%xJYeg z17v$8HInx(vR~)d@^)WuD6?Log-Gz>qn$fJPzPG3M%a1v-U4!A($HdHCwrqg(aHnt3B} zoYb~N&{N-?e#jSN`0c)ABK5pMp%243Jcq=hqrN_k3QS~*lzPaR91W96=dk<<(&QtyLt z)t-c^!R7c0x^h%t##L!JEZBQZ65TPqsF^iaLnr9Dt)d!;lV&W*)$k{*B}D#c5ee(3 z86@=^kbz=Vh<``1VSAIhrEqk@6#W?Jg8;IWc{T>??5VD2Sl@|FB*`G%96N-Bk>;RWtco!m_lIagnBkXKku|H?xZS|EYsP@mI$gr?$@uNs&~X z6Oiwul~V1JF=Qy%>T1IO2NP%6|J@jnM`dv>okg9hT+)gSY@GCIY^oh36{!x2hy?R@ zV*NX=``WM?eBovb(K5iEFD^SplGoU!-Q5A1I&unI10}&VoBJW$(V+?^U{C10S%!M5 zs#OZ{iud8sHg~UwZw!&xCmPSbLj0fi1^JI|VfWGB=UYDhT{D2nN2g*6$oG*+!F!-K zi}|{56rL+6A6^Yn%L5ej4?RA%uvIq*9S)G+3n7M@iI{st0po%q0{vU)>#tA*gCnh+ zJy}JKIKmg3#Ck%9WigMdB~?dgchFCwd4^8hqxj}zGCvIRVZL|jnLjJ!-e;TDQ#{%k zL9*VILdghKg2P(^Le#uPS`6k>;;;O+R~6*q-s}1rKd$2KbTF>A!SWb9xQnfvAkmHr zZ3GX?a)t@n)!i;`Kq+;?xycj39p7WxznNT1KEA3B^GopG&*rI( zHLs-sPJ>^-+y39y3doh<-YW$s8RsCTdc_S2o%G>IUSy)HVy}KK{9VXrE{`!Fb@{WV zY_H%P2oH)tPt<6vUG31gy`?jIQ?hU6mZ!Qf?`C1Q%`sqe7F@y30pZ2o6;DO zRp-EQ6!M}v>dx_Y?kqp3kvwr(y0tDLbV9{y^444D)}f3;(neZHc6aT&C668flj*kN zNzvH^{r(+e${Lc_|n!ws&oxln42@Roo%I6yGU3H7Omku$uPHxLP+n<_;As(ebvP$dh^~$lf+dotwr>rD9F)BNWTNV}ZEk z5f6zO}k zUYt+wU#N%H`N! zb_72*A#GQpedm4qFV4Mt9T9olLQw_mvuk!{X?tQ1DKxy+FD)!snx=P22*t#yrU!58 z4IZq?b(>Qce;PoC^w(yBbpjjSw~N_4!5nRyn-?)YBYvW;hxr}r+iQ8{x3Xk z3IF0zw?$-X5CSjlQiJfVlJs2WAL^sb?B#aZDb{d>T$@th4_WTYx;MssF%>F8dO-98 zCWKYIt+ODWQ{7&!8fNfqaWOZ6!!Xg`JHctf=$OZLrUO$~RrQh_A6KJ8sZ@Ym%nkPE zBg1g9%teVGNmExD5S(SHH9@{*U(6vq{gL~wxQ8qhKSW;(!23ah1}+}@)q6B4Oh+*~ z7~V|*nWF&;bQU6mZSj;X*b`ZXhG}7JUlt)a*OyayYW}tl-84l*nzL} zjrwRAp1I}^a>tL5CY3>fTge@;2f>pHRuzK93-WYcM)dlJ^Dn>9Sfho^O=XuccJ-3w zG(kSl@KM0<_{E4EC&)^5Jfa`h!kjG zSD28AHaA4WacT*>)z6tpvf{1D7Ae*}#<}d{Bbxn4Y2~q68*GlrA|;~qUW|j423nnV zME)cZ!*z1uGDb3d=cvuxsED`P!Zk4)w7yC1X1YBWu9aBFcCYF-*s>@e*x!G=VEz(& zj0#65zwx1SLl(BdZ{(d{)BOZ0R)`X><*~Q&IgSnBJihzL9B)z{zuYgl=ENIK3&t4u{a<)I`~Stm&!Ip4N{CQo=NaLP120z!9ae?#VZKGwszlKi%`LVYveCaw z?YJma-S$*WZ!SEU>7Q#)(x~p%E^t72YG$Zn?3nZ(g%8BOu z1egZ}YuQ*TuZd7dh{#$pso1Jus9UN(FD^iAd%tEc4+=9^h%{w<8bk+p0)`rIjU~E2T4y|7H@Hejiyyd z#n-E-lON=FQ?`B%OkpACwW|Yse|Feu+VSL4?>Zrpnn*A<^*40;1HaCH@#-ZYTFvbD z=`e#Z)C)K)g?u6;bs0gZrU<*r59?qDrTWuH3h0rnaH*;h)0_qykR96U?A!B^^=;23 zoq5y3r4LIZb>Cg^w2Y=`bVt)B94|+G!gxCcC%u&zY!d@j_VMF z1glMhC9Yomtoc_s0SFhOp7@0cmzLXkp-WCh-!_L=rJlr__C%!6iba)r5!v0dF^-6t zLO6?sC&f$$J5NEOiL(_HHi%E=GNH3`xA2JvF*zwQ4rKpO)K5) zr67o&E4Q!cYAREYw@;bP(+DbLl@tuZ3!VebVDNr~$C=+XMr{OE3PrqVlp9TEF#wEy zF5QfD0Vp%l^jw^2-fLvUlj3z!D8cS9X4HZq)+dt*c8(8SNpnHTYZ|Hus^Rj(G;hjYdJ8wMY>voxhXbobI1b-1dk~hQ zzD(nBzb!yPEo{=i8lx+siU&@7;l$m(+G)Q0<&SObWlP{D;&uDZlk9zLCjr`$;7qc> znXm62E&5Y}_A$o2%^-iO_MeXHO{E#{OU;sIL>x%uo=#? zX`TpwRrIin-S82PoCEZ}b$;p3OwcjkA!FbLda}zy&_m$*iOeXqi~kYF<;zaPNJ|`o zD-`w-$-)S7d~=2?+v!Zzi%h`Q~Y>M;QAQXSWRtPoxrR3ecW_-UvA(=EPKvn!& zT^2vRzxSdI>Nq#)Iwvf?k5Y1Eky6)(qXh|@^8G3#lIhDCZx-J2jZz@zNt zDRrhk4Qo&sa14u_e0burnN+^VGD%@Xpv$7P;k6C>F!?M2A;WGXK_|hxzLQWdJ(A-F zSk@MExt)@s>P<4HxZhdbv4S^#Pc`EtWnAfaP!1w5oV>}7Tm~UnpJwOFZR>;}%(6ce zU+3k&Q2w+Sn>(roQh}}4EbqN5X;7#GZns7yQ1=cNa4%}z>*LVX)Cw6iMgB8;6n$F# z#baNIJBwiUl(aPx5fImn{KbWv5MwhGif0a#w&_ecKr)(zR-`QB1biRgaq>uP+qIf^ zaDQ%4ZSoAp^Ue_QV@o1c3X)x+fYvi_*tNX6b)80wJ$6Yg9bBf82iTyJ+}Mx8`+iOT z7$fFSueGcI(Q{G+cQB3};F^(3z15NsNIIOLBqvI1wFm3 z#+X_63LgZndYjfvrR+l?)gN<`_YJs9@G6QpG`ssf>{AnTSD1O$pr)YCQ_{79g3M#I z$X(4@n*(ZSlpAZN=^TBmSmeFWv;>dO7oS{z{wNKUz}{#|`1_vsim3SRs8IoS8Slqr#R@%mUn!EXuVUWl7r7 zL^Tb4VwpoPzaDW}1~ct&@#D-Cv2P5{SP;w@nb4S-29}KlLFJv-so8X9vsY4}?=fN~uoE%INNo;s%~)dosuLKz$@XF|Dg2`5 zzxXw$ZV`?!#%{j?B%EmH(ubkMIThJ7SIv#eS z$qT$&iqo6h=-@Rxa+Z9GfDu;LG6dd6P%F5m2R-wIs)JZu1=C>WGA;Lb1@HSNR-k_+ zQUhLpTJ)LyrWG~H%fQ9}6!i7B!hlsBipL*Lj;Zze*Re%6k6H}?WPW)mT04cVy;mV? zb{XhOmH20%+ZJVak?t-Z*Ajc8mNc5KRK)1Sp&j~jTA9YOcA?-+@7VRpIC=x7l|N3+ z3^n)}+0m#i<&_hKsMIXng;(QZ2JAN$rC5e`;mTI9tb(f3;B&^0!e{V7f$>shD9jaO z`8K+CQ(JT_i>TutgPTfwaf?o^%V}o2em-Ls8D%geV`51|>Q~^LiQCv8wH-Wh(jojJJ z$}zuU9NhslAdhuyR{jOEaqh?|sm;u#G#tj0mG3_>E1ie@D^zq@x6t+qEF^`D@QIJl zT@%M@6!#Nd#lLYyd)v_$R*CAQ94l2zDPQLCgqkCL&HzMRJ3Ps9j!ryS<}H#I460aj zPG(d^M}fU%ZW*pw9EOB#XBktn)AlpJG)0@{dDq&G= zz-`qAPqmO(5=LFh8wsLyzYBd(q4HEr?;`=)ZS=~|WhiQ>artu)K^|jEzWk!xG|X{1 zR){xW^sMM%B0?#&Fp*1|JDyvgEiDkIa3#wL<*WI(4c_8ypkIw$XVnVpl=0+t#_YE# zEuJn*6Mb^R6TLdYd6Fcdmq>)E|?agj^IILi8f{^k@n1cR@f6xaV!@D3Rx`IBL z)wEHicg~aPH530O9U*mmx9sAt57mz{d|s+8GK#5tbk$q%Q&H1x22uS0J`$=g^&GLN zUIGe&f+4~GqJ`};oF+=Z1lW!OEA4$n04pT4eQ0m#gQ-XNmWCN##2*56aPr;FOyy!{<>yJei zu%~Kq@tiCc@b6??WHhOj?l^?f$-z5a-Ctc~M0ojl{4HXZ=9L$F(g}|+D=J9S77kRJ z4Z9v@-((=|b$cOVx^qFF0%!>_#fRb~s!Yw$1lbss3!&#EbKegL2%O5>E@t>o^E}u{FL~>rdfI3Lfo=5?npUQgZd@5OhHtLd ziy}R4vKqqLuVwy}2n6X_)5v5q#8M7~tuOJ#4-#vTyGqX^Q5H%v>ppB~cMaX}C zKL0}53D-n`4B(v%+R*qn?)mSuU~XORAxObgl&vYRq{q zZ?Sl`#E*hlSn`OS;Kfr>DmIxOL7GoB7_yMaJab*c5M&@Ut!p`gQ(caVpS)AI>rV)Luy%-^#bkvjTU5s$0 z^V4Tvy;s5qbUM}m?^oI%YEeIjCXb=9U~BN?2_D}>pMH2uj%lun7Oagevj=jRR^3$u z;7%zPt2}S^Nh4G%F4H0ZtPD}}W7&{jb+i(*nmm7?h+}@mPYHY|dG4Hy-rTk)w7@Oo zS=em5EZ%+z>^>LmKd!oI()EWEt8g<-;WkC+8r+G8z&Hv-+IhV!a$rC4YT3}gk7RQ< zgJy~EDtuQhgHbLWRG#&f1y*Lp9XwGP;v&!rg6${tV(+xnS77UfRj6l&*OKvRKGI{Z zkj6m09N!~S6XGPvt#%u>$9vyYY%KgJ6$6nOCn$~Oz5sjv1bLGV#+1LGPK|>uiriP? z*t#~A)_SL$+Q^?EInT6~*NX!B@0x?^b*jr>JOC~Fy|U$9eb4d`Z@^WFli@Ob1U&tn zHD*x$q6zBZ9Vy{j~ULYD&=IRlK9DyeWztJ^s_Yq-^( z2?eiVD_qLo2AuBgTwgS;f#QE}Rk6g09i4w|R2&hn`Nw3!OtfJA9~J-$d$<3p{;T~{ zUKRMC!YVi#Brp^-%zu`-_eM1pKpiSkj$x%a*reII;@@F_lN4%EB#qC+$)8Gpz~GHJ zJIV|ShfeCK9CqO56*+8Q86pVI%_ltM*+!&w9o`UXIRD>FZ8x#3B&l;s4T_LT+sPlEA1`aGE&g2D;w*$ux*0M3+R6$!$n$+fC zYblG<+|Y%gFRbwR#Y|Pw1?D=2VUlr{85L(y7Rg&8D=09XU2X$(;rGV=u-c)u1v8v= zm7ynVglC+5(GS$gLl9`~g6kErhGYLF!_bg~KQHPW622b~3A31Kq zw~ch!X;pH;k-~%i$yq$dvn3fW*hwSA&_=1zi&p!CAV(R@LN2C?2G1iYvOkycU@5f7 ziYD_yiqYy={Ls=}%%GzRTvmU*b_Kpg<@PZ?^+Rp(R<;AyBuq2dmYlBdW#7JN>it<7 zYIrkmK;&)pogq4b4=aYT@{WvIl{sLg4L$pklLg0;*HS!g9?L*Boc-sf(;d=tphIt? zAFFi?>1U!;D49H+fRJwZ!T%*;>y99Nizro(9JijHh(o=@K+X1FQ}t915X`Cchmv`8 zRoL5rPLWvM)I+yK=ei?id+j*IGxSjl?eV;?YLljpypNyTbMx;=qa6tG-RG1{qIV{# zgiw-|CZgH^bBpU*; zg`q>(t?kbH`Rg_$1OQLiAe~h$q^I!(_cmQ* zY)A`+^)uGz$vU3KzFJ&8HcFHRKXs16YA-m-_Jx#m)$l6o7f_280+Q)7UNGnfTV0?{ z#K?tVO(ZAEVl(iqfV?ENg3)hU#5{wmR#)B7W;DyGDF(lljV>+8c(~R`DM8z{tGkt^ zFDOIA45)pjP+&*eo@8GW4mb}%XdL+Xg$jpv^oQX3;}GtX!MkkC+F$dX#mP)+P``V_ z;~UxYF&5)t#tVw36&gUD6qk%c%^4`tVs4k)2Ek;tCz2TJ`-O+PcttSs>8W4NWqA#? z%Jz$##NO_ZAt|T^EZu9}qX!m|l;MEUMmt30AZ)FG8dS{R=bsCrWqTzjy#5?iHYd8Zd$S&{r%Hcnh=siZA9BdLvgNg z7)=Q|F_?WuXee)vI9|Dqhmg9*bJsDe?m1gmNex$3*0Xbmn$)jfv#Uc5za4%24w(u6 z0gtdDer^78jpybhQuYU>lX_#Cn4%$Jb`MF=DmX~I$18^ZuXm0iI_IPYT% z?l6;oK*eq9ct*Wk@PetROdX7{iYG%m8IzD=QfOEBB6pwHLDh2s=4_sfyEJ2x1SR*^ zA8h3nN?R*a=D@s~zev5bo!sE;A^rl7(=_+!gd$UZ2&{qs;7`=JBL46%2N~hV~i%lv%&gRxY z5(_9Bx0qT{M;mO!TV-WMNcz0S_aWU6!l*r(Yk8l)p7Q(#P#b91?~J;yialqtfEtZx z7o$VbfCGU7ZAu^j0YL~JD*!u$%NkN%1J%`5Eapg{Jxq?YMRw23SP|PAKKos_kZC*E zx*FLNiaT4GI$N1o67qVR|LaiD+04|^$d%s2!Hz#N8x#c{8X$~L1ga-Kjo{7-Ru0Cd z{^;#iCfWQ-3=0PQ_s+mLAYf1+Ll%I4+@ruC#K1t{|2Rm2|7#%$0gUmFNAKU4S*-&B zid1$5JY%RVc<(gy&!^Oz05Z?Jv-Z@l;>9XtYoyhtK!7{AY5<|R8@H-|SUauVPtrKD z6_=O9L3&L_W0qNvP2djBf8s`l{wMAXH6XCRfsa&hPX}^8m%O`&p2o~QP#-i2mX2_t zt3Ym>I{Uu3d4m8!LPYw5VxmI>$p3$$g8f%if9Ko3pL}iv@QKDTyE<5m%K@%C6#@Q1 zU~p(4S;WM2Bl5r)D3tm_2MqX@c+1X&vIqu%%$m0H68XNHbs@L&eBgjHqHDf+J zN3QK8O|?3{4~ASp`Mg3|M5eu67{9~1TA5gEY&k4ErO1@nEi$}!T`q{`E*x-8bW>C5 zNYuLs2If|f4pi&pSI;EWCf3W2y#0swxNv`ue;x=jvPC}_9*gkw6_ueZqkqlY2wb4e zZ br3mjnvaYXfYvewcG^Fk=qVN7@G@ z4>qUIU<0ZhXmGMfJN{#}VD5QM4pCZC;W_q)4jbwdi-C9ot0O#%>yZO+9Sje^EQfuwQFsiTBDgwNd3E7EB9pZ7 zrQsFHtBr+zV7K)%q~OIQhyw~}fCrO2uNo}G(7>~%lkA^E_ZW)w{M z6o1+Imrt8e)yj@gdAP^Y#mt_N*VW37-r3FU?}?y=ohQAi8GjToA1DeCG=KsO_%AsB zd&d1QzxMw)Vj&sn+KMbdDK(rB0j-Dc5F?(dA`LF|$2uiJLqZab?;p(>Gk+v6*tE7 zc#r(O$5ZE1|Kr2Hv_{I8kdN3M#{pX~4yh0|W@_LW8S0i>K?+e~O*j*iaVRiXW-qjSV<|FxnUwG(pxT>WON~`y8I#Z_K@Bkf#+6c(D z<4Dy&{ZAu!cz%ch@|$$2mp9oz9~A~q_isjn()Sqk`e_!<+T>vX`;$2(Z)Ft* znT`x8o#LYf$QN{f+PG#QMVXAJt3T`Djr}p)8TYTf-G2#f?fez`0*TjBY%LbaB1HIN zs4IE&9{^>PtklJA5`%P+d3%6UW+8z^_WfYcFTzp0`BWb|?P;O(^07=I(wxrCCwL2u zs1c~iOUqqcGh_SDtz zqtz>&4L zZr{q`6>Uh`AdeTwnV$+tG-o1JeWzhF-i`tLey@4Qk3R?et33n+VgGbc@Q=lvDWmaF z#1gafEoFO98>fR|=lmvzr8Ta7xw2xmmivnJ0%H~Ewrn1ws%8w_#+WPiUkxSD|1^~R zpRFYSN=@iQptwzbJ()%_beck@cK^;&V8FWW+vQ+TuyKqSf3f=a_!&3C2c!=W#*Z}% zZxHw!=9?M29ef{9y5kSBUT@3-uga91G=7w=LUG2nbg)(|m!{gDn5OmCMJx$(RDIc4 zyL!!B&PBdoS2S7LpZ2~&>w230y$XSZtxIrIyQbpg*kP9`&55i`z+k)+OU@P6TXni# zy5C(^q~BZCE2{~IPno}(kTmzJNPnRap4{OfrK?Pxg?r&HeO|ND$}Ui>@oFDwq(v}5 z%GBPmexAxDCV`X%t3^jLbXS1QZs^Cu2z|SF#cS79Qtw6M4<5e?fjbDYvJ9bbw$mI$ zUD|9UbX7O72;?j1WH2O`CJlYeg71des%Y&R*%rIdN8GlxTMfp?zb5jVF3 zE;+U(Y_QGN&wCBVXz%-Ia*xBfVGm5V7Ya_$k8kI2S{v_0SRo7XClH3>j!Bam*0DeN zptH9Dj>+d384V3Rci9J`c9CgP)*q1Jok^J1YYj;8!rDs#KtGg6yO)HeO|gsK$^2s! zb7yhdVAv{;*ox8)+zu#Vrs4~&1a=Q#KY!$p>WGy_EsLMJFywSbHP9dNyo z&nbXT|7j#D&NWE|v z)&^-yD1z@i__7kCeUVtm%V@T#KGjYlR7{5RlY*Bths^1RZtaAk&JaS9`H#ubf%Mmq zVJ00~cq;+!eaDrSci*LvdPyur?>$e=pa^>yWqz#81I{_f3+N!9jk(>~FiUOb?XFxj zo=J$WbH*)S1ZK@?dP<$^`x(U}NnBf%x>i!5Qs9-?pI9wB^Qj8SG2b?eRrRj|Cx%)} z1XwMr6=3~-*uTIfFaKQ6V)>jkU0f(zvzpVCh#xzyo?QeEPP2=HI>b@L&G}p8`hego zPYkKQ9Zj@j5|exKBh3=)Ced%pSKGQy8lf9PG^EliNe>Ci?cYu3&V6#;(q=w6k3(K` z{s$f!Gh0r7@z}ca_9k4uJRHD8`1Ts^uq{MeG!}Y%0_MDATp^Y%FZqoy6-35r;e<&W z6G5oZy62C^>`V^{VDI5sJXktBZG?#U8TaTDa8@b#OkW0iq?2#q zeR&o!8)3CL0OkeH!N<|5y*}!am3d|vc1@xra8nHOjg&7;yE>OJfm5@qu(JH&SuUu~ zIel~*u_%v}p8eV0dhWC;kKk3;W!n{poq0n@EV{b1D_067kh?nmnYPk7#OU%%X>2=X zKzTsc40kIhy?qmpVBH{Qa+^Pt5P$DxVMBN1X(w>~-8g!-$nK4*pAC*Bg_*g^B{oezkv^2==2QJ~V89ZWhHYZky zJk1Z%Z`TcVZT$n1|5*44V`s5daxSs`c-!Ydw8J+Cj^x z6#J}WxaWzDW#Cq9r;BD^hdwMm;pNc=?OPlUTJeTSio+alhs4ol;075b2|{L-MH%eX z;CjV1^SnFr^2JO>{FD89$7_KG&>*iGRI=YeM(au8S+JW*Nh}IR*r-TGc z3q?ux$#ny#GEf4slOXi#C17^)GkFB{IR31;G`xr~GY7?}dtN{XS4UaROU%yu?u2UR z{zGdXIn5z2ebzEj*`%7ntjO6l6LKjk(vsGeHIU3}Ows6N=Z$RW5OXzk#`hgO_EiD+ z1FYwY8hH+f8sS!Y1uo?A;SoX$aG|=Y8Gg>H8=(cq96OWP@7zJLNrCPCwe478OVYKk zf6=J#^u^TOA7MPK5k9n!96gDvSYALaev$+&Da7(zWXY`c{Z1DWfXEzH8U}CJqN<=u zJtCjq5MI83*r56`z3If%`C3`y^z#m$u&oKw#_7%g(%A0Y=eL0lISO#tdo(8;*oXEd zio~GFd$n9yGM;pEd8Z9d!ek$sX@^97#P!1kogCPCCCT#8Pg}82!lL36O3|X|KMmi@ zGF~3gtE{boo((x!b|nWn#LVlHwh-Agd>27JdWi<9@2!f4A$V12! zUE>I2y;9dT33l5nAEE4feu7weuFcfrp1fxC0rx~tBSnTA4U}Pk;zBbnZ@IaVaQ{&1 z21|18YB9lL?BRKDFQck{`V*ex6Eo?dq9T(J-Cv^7o;-RteK{^PjXSV6Qm^vn2zzUj z(x{yyV2t%>I2xyNx8d%ATM3-HeCSt;40{k|Q)c!Vp5Q5$8-9&1aI9Z4w>E!T7tToK zGuwV0b~Ec;FI24jWe6-2&CW_WA@muQ`1@SF^Lh*Er{X>~GK2l51qZ@n_7Cj?!&?zm6oDVdobj(6eOjW(elH{Xt7sFLV0u|KBB znaX$X6ED_bQUjRryuj}?K^aMKq1DTa=H#Rcq>|$JC;er`xmWf5H}29n+54VLh&~%l z=qS=#*}0LV#{M7~VKp;daVlawFS#2qiQi}9dzWnW^5)=Fry}$j`V>#P``NgTYCsSZ zLN*u}wSyeL+bLsabs;xVekm?qo%7Ib9Vu1~q`odNG$qkNvZh|0He3Y8#B4Z%t_N?Vh!l#q$L)gWQlg07FxB0}Ecqp01Q9Yl~BR}E^{&Bo9Vb^U4 zZKw_BV2zt}%mD7GCS|<3^m8D*Ag?d4YeKuX{UFsfeKf9jWQRK%)SVM0Zg)L%GqFHU z)qI()u59tssF&Vo5HdO-(Vnea zkPsK3NGnRiy=Pz6Oj=_M&!XIBp@`fo5R&Wj$3*swc*t&5P!d_ZBu8x-M`T$mo26!@ zNHOCgrJ*5T9xBqMn`o>py`zBzrLC)QiEY#fn;DYOKD@9E&NO7R1AmsYJN}E-I%->0^fIsA_>D{Ipy#VLfi5VA;-@q@X8(NaMEln@!1p zj7z}nDdU^u?dLlg9*VGk>;6ZbIYpp0)es)8$ET7hc%jR@y{5W96RjaAk_}7C!`8;- zO<1)UeHXIg*bfnMIt1>W-?1#=grLC04bKrW--PH}yfJG?o3TGBXJR1+`12^?n)Jy@ z#Y?9?8FOE3{+k~#V3qEc|F{1<7D|YK8mw(8f}2x%R0Tg{X&$OaI`h{=LX?3G{&D%Q zCY3O2sz0@1B+rcFo$O}Q!bM8L`~);!qMVAICRaFVGdGZE^wgyjK3X(eQO5YG>34D0 zu+lu674p`5r2C3>c@;C6YDFe+NCX9yn@hK`c|ble%siRaLmVAD@n}~vMBf67ac3>o z;IM1t@_21dZske>YLZt~A5@m?PV%sexP6uv$@l+%kH>M2V%| zLa8SQ4O|0a5Kv*}8}@a$=MgD#xeS?#|G!ecDyR-+X?L-3mjrjW1P|_R3wL*S2=2k% zgUiAR?(XgccPF?L9RAAL``okZo~r-h-hP;euCAV$s;RGiN>YU*mv?nk362wj5>47R z&@?_L8a_9rn6JPRv)U7VNN6VNCuG@!no>`5r5W)H)jkl>2)kMG+gM~=cYTgOTrEI1 zwN?o4bSJ!2upS|q)h2N}RX0W)!HGGrn!jxp&XWi@?dkfK(Bd5@-Aq%q{F>CPCts5; znrGL1;O>;t)|E4QyUlrtpRblSt%u97278+v!hk3~ko$MqZw9=K|!{eoO z&Em!w7n%`mIo)P_!W`<~NdE1%x7m?Q%F}`DK1>hl!(VwG&9ZU1Kj>01o+82f*c6y6 z0(jRlMx8}*H?QZ6??Ugm@&p6~?cGCMYT*Lj+vhisq0qi0a>^&tvXwg*WQqnq>Pix zu*%j)n(2Tn0v=Q8HQ`3vcVdVPd z<d67uB&ifd3#n5|;`R$&(NlWkD(0E#ep z;Xt`wj5>aMxq8Zky)Z8F3%oBz#9xDVOP>f&DOKkh9;mD#Q?V`VnZ&C&B^;N!I^>ue z?LzaUs}~!Pkp_YMsY>+Ea)PwP_Ng!+oVz)wgq0UzowBoG@Gaq^iyoyKnL-c(2hhe z=@}VR78XsD?Stmxcf1pQhj8Zc{oVHSnSi8Q87C$$&dVK|a<{Id64jjy@RSs!hx|tK z*xW3BF0Iu@McHX5tSx7UfQ-Gs#We&Wcbhl|ce&rB{&_QNo|mg;jaFlJj3#Ad8m2F*J0E%>q)h*Yd!MN~SLK?r zpD5NPW>!Fa@2HzGpu+x~lR-(Wy9ZXrM{>E)KAIO%#0izul_GPs391$W>kGa|^^4=Bt5neriDk0<|o5+HzTR)BHwgUn-a}NHu=~`t*EW!PBJu6TpQtHmO$$KQ;oH!1Uqb6XOLw zgil^{j67DMM+pkZSWe~atS|xC=|*AO=m0G)T`)6pu%92emFhQZjA_9Wv4NKg2WrPZ z>CvSEhFeGuDXo58OsJrf1X>~fMa*=!Vit)z}_eX(g){w#U@a3^RCEqI%%(~J%BeF zrU2ekaz}|OO_y_rnd0@V<@AMEQ(l2b@`&lKjWnEp24E@1rVS4J6kmBdYr%p24bT_X zykgKm9ebeCpMC$$nFpc1AXXt{B>(uuv;EQzzKfL5oDbrUgKPg3Sulst*e!S?k~T0i znVZU`XI|!s9x8>qTiq}FWxXf4*kby#kidG`M}m?UzeLnnIf+X`i{98nMgc^^>+h%$ z$poYZKHuJMsr^bklr;~ysUHfh<+Q&dPcio(p5BRySrx5GCBW)-e)x66nP$qa%PMBN zcUklxnPDK}AnR6uBz>%abCS?aB_}l>!}p~8SS8WeS>(DX*(bGfDa|hhWN8KzwU{W1E-ne}=v#my zYQZUr6dp#F^G$Eqm&jLC6~~!jIk~9zEiq7|1beuf?1`_y=M!$Y$5Fa7oGZ(e`GB80 zWVPe0M&Fpt*k*1soXW;Quv5LPfrE~xjn45y%k39w%UUmXPvK#tY~JN?_QM7YVg-UUs1c)NkEBFtm3hB%j^niQ7UPTqmpcSnE_Ge(=nw?f zpxxOuPInWSn<@Xla>-hcMr;0v)I@j+r6(Faq9n;Zpm9GfN`3Q#f!&uXc8q3qpV_PhEuodA_~WXG#~0anug+2z0>PA`bu-y~ zXp5-#8+P`BUUjB|m#c!fW`1^wZkEG{)VD9S`aNovyypoup~%@M7P}N@kdrk6*|9SY zQML)R+Ag*0X!wV*&KpvON2o?P?$G8@;kW0armC@N1nTEU`f$HD&&i_=c*Im7x|&uF zSIiuYX7wDgymN7eWEc%kv2JEighimY!wp+^^PlhJd)PJQznZnL&fm`V>3G({UQp{b zshl{2d{ze)Oig-3NuPfd6~DfZj$KvU9k+O|%_`C3oeUIndm{!l(d6%UwFk)ygL2!Y z!<6&X`|mBCB=g?aE-L$FGUQv~+TzE`WnM$BEY2h1P*!%0MyB7g6e##PQ~M#$Pi_}e zo5hVDMY^mm>IYH4}BaP??H zCi|nH_E?f>r?IsUK@o%nN!Twwa)(>xOjFB(Nxb86-)%?&z3#aJhPfXxWU3b$5Ln0s zeW2%E?Xt$5H@rp}F~?dU+6kyX?%All^JR=OQ{<-aTS;a1$eu?K4L56DNEO%EkI^h` zRPOmPX6yyTefsEZPYKf-1h=E&?$Zv3jg+b#Pon|-dTA+6*+&x#{oM&YBV&N{`YG36 z3YuiI)opoCd9gKHU&Z7#QNj>L;o*j9destB&BUZ|%n={fZCDP1b@NojV|2@#9(J=s z-^6O5nzc^=5${&?;_18^hmSD7J?>k~d!2FXbQP7*Am6nTc5{c`rA{7#iEN-4U%6e8 z+$@}OG7{395ivU}tJTe1vRACjV%M)0?@?+O|Hg2hes;{7uP5PQ)aj9tXYZNFZtAJE z%zTNSpGui%yZkCZ0{0)zyFNDlVoC_)%)Pk{MxU!VK|H+=Ka%#1cQSR1Oa{#@HIwuk z2>Wj9#YaGJ$sSU0EbC1}CA#hyio*ZhU&RB31Azdb0^%e6Z>6c8f0d?~{|P5mfvES6 z6OGlP5#8zC&P~KI1d@7Bu{Aq_*`Pw2w%CEI`tb->qz}^`YtI0(p`XAIQ=5UEBE?U5 z{k}TmFNFh*5;8$E+#h&-=6%`kwyLuwJ9}QTkplV`!0d zTJz`qpNZomEi-^)7={EzzRe&=u^WpazrMsD25Uo8pV*yiHm;UaKm20bkCiy>-Tuks zR3MuC%ffp*+CBI=K-^3|s@frCbq(XF3SetDDxNu*K4e@On3j&nYY0E1rh!8fNV|$l z&O#u1mMq0(XTOa7L5tXdjo6;)yMY$XuLMT^>CTy%{Fu2S#Q}@S?3iR33$fm_q}nsT zeMhovT{6`wFkfqz(fVPUY2V&@ee<`*AhUwlXQrE$^@#;VHwOPNaf#bjy93tfZ+WhR zWMbC8*TF4r!%ewI@CoMVk-_ zk+K#S18hUl@5?$qhtpUJ2HRza9AOIgi?(7G5#w)A`GTUa{&y8=OuHR_I(gKO*}p@e z0ScpZ^qHN*Y*w83<@Cy5p?3OIU;K@PCs%_CnlY7%$F5r9hSqK8^i~V+gg9QPsxa3y z*oEahG})BA=ky;T$?4}efl&0p7U&a031QzwXzt4?vD7{&>?X`3^qTL)|#rV=x)KY&9IFgr#A0km?Swj6JB=JPJ23c`XXYZT4q@3&?Zb zqd8oW@R}*^N1uhvFa&OIwO=@9Py?j8K(Mjnzp|KdtVP$1AQmY%K6<9?VfLX(PKZ1?H!w>7LvXaEg7l7~%I%5gAnQ|)AAcK@=^?Yc40Qyv46BFeg~9O(vv$S#=FlY2;3Q4cyKGBh1&9UIfYmSMUJE;*EWD)& zB+gdkVvwrvNBq{xstT1gm41*pqt58Vq?!ak^NQ9DH_vmDa5e~jug)z>s ztol=X2IVFSON;R#^MR~TgnI#yhJtJ4(g0U5*}-PT#tdH?40l$NJL3I@O#fFW54Dhu zsk@<_iK!Ebvc0pZiM6F239qfaoweXsJ0p8b8&eYoOFJ`r{%|12ztYR3|M_|msD8}h z^503rKZsL(v`$i+^O40@0rg#rv#o%!9nT*!DB@~s3qE((yVN#{>v4tGo$^IUOa13N zhxycKEb^DdFiBU6GNVStPCFBGX?K*8tGAjfg$~(gXU;6eD_=Qnm#DMp*9?!B!;ny~ zt<>WU*g!6ag9%*t#FxRAT83yJwvV&N6dmikN4KClL}UTGMC_xs0BYBZ+lE(5n9mpA zl%zX-f_LGTA4+KW=#~T(YE4Wn0tKuN6CWG--wy?Tc5 z{TOrc2)R7E`!+_DSkFjNitfMO0WG^O0}e3!EiPH>LsOF=UoG#66#Ut%PjXykDDVd* zfx+l3K?Vz#R8aTvdAtjs#GDQm#^ViZlVNMb9qEgqCGQJ6x znOOqoIG;v@IC;7y=5k^~qFGgM`{$V~=XB6bk~mVP)YsoMi~L5-8Mb1E;v`=@t6HtC z8@K}K-)Ew&kntuu=MkIq>!m}wGq}BX=!(}&bYIposQHayvs!&^Jv9P2m|CG=ZSo%l znjuhBt(7Gh3KS25S6)kprleqF_=qQ;`_NVg zQ=PEc-Udxy-wqm;&-Bsv(L$gBARqw$p!cQsEdZLdxRf{m0s;uo1Ly$&@2db203`4a z{aGO)At9k)p#BgX3=A|3JRAZ7JRCec0um|`0wM|`JUlWwG72gh8af&R62=D%v=69g zXlU=<07N)|KfoUX0v+()4#78 z&Zz1m*A@T(aB+#5+n{(AvzQFdHau&#Co*9UQ``9?$UV=SE%?QCu3gRr000mYk~eUK z3n+TB=9#B@+2IeRAsJydSDu^FqcqOEN+MLQWcB|7000m(KY5fKg?+)dvHvC5@P7&7 z|0NhzH_q3DygMGkjIgHe#*!SaW${)3sctK`O-PKN^c2xw`+pNv1+hNeB7ie+$O>mz|Za$vOP*H);4O{11I9F>{$x zPmwzDIk;F}p^e+^9&v-D+7agmO4TQ-6BNgSs;+bA)SLhS03{?rf1et|2Yee1Eug*6OG`SlrM^&=us(g#ZBsb@a;38ggpaiFe(3^X!$NGeOt~rQAw+nj zcELPWqq!!=mP)*|*fM1e-vMz#9L`28bHnOd4i?-<hLu9L-wAI-akPMa$P~U3;E?;-E51rTM}4(5$PJa!5i9yJV%6;{?Tr?;gx`9dyV_`5m%23ET1a z2d8-KGwW}b*%i{nBSVMo^7lfuIkRPUx_FU8Qz%?qO9)yFJPU-R9OH#VoK5%xLW!+w z9oL5XuAD%zc%UC<4%L_|&G zjySg7-uM0lx_`T-{ZQnPoQ;WJerbJu8ipr}W~2DYZ*6Jz{A@y7S@uRAq8%kjrEkzM)KQACB*+DOhnmdOw?O zd^}2`5{>hhr{z2JkQRp-dM^2{KSfhV3Z+{Fe=Z@m;EA>vW@-A41}P&azM*>wO@rAe3&b9B zTSg`<)&SCRarzn5MY;rcgZZ_d9QXFbi)4(X%?xNR?~PKwK@u0yYxmJ(IQi&K6q9?6 z%>>KOE5SnnZ#g`Wp_U|7jWC>#;c~D-kg)!No~)C1_gmA46p-wfdPA<1Mv3EW^DT4* z6_M9#{vIUyw`V!CkNS#nB+VgV&hAJpNmGF}5ijl=l}^GSQ3{ij<29!baNn5k3V)xRT2L%+*5_ZG;S?nwY^B-#plCchRW8yn zf+Ba!_yvAYT(nGcb6sKiW`FfaO+Hv!FYQgY#%)ctJD*tb>%9PR$|CkQnLG$8`&3%% zt#+7!H)#n02RFg>qiDFx%>=<Qoh(ktR`N@`k2$COvuSG55i z$VuI5X%*pSToG2=N`%^QkVHD?`n0R>b%z5?x zltv_5y>HQ7r^9{^U7sJKF_Yd80t>a-m*mRz_T>@d+gF3UQ_f|2sR*;!!=|~CoODZe zNa`O)l`yHxaY?h5o#4XPp?2vuZl-f~B+lXC?3Dzq1EM}|7|Om38xSu^oc8*sVd`fb zJFp#b#bp zFJuneGT4)GHaOO)h0xj|6lhks)0N(EFH+?OzGOLEvw~H9)+#vq{HGAbnnI86umhrr6I@x|7&(BHH}{ zHZ@HqYJVldK#n>NUb**@VVVa;QfR+11GB+Ve6E3o1=v zX$|$>^r@~X046@2vTo%G3Zwe_KED0P7=tLjUvTrw@glVOW_(TOR#p%)f!Mr6Xt`Gl zd)k0NuUCy3f_jWD@CoJ0g7wvz zZZGZl^EwVx#bTw#kf~7eC7J5D`hI6u>y=@`l|fP9|C4s{IYZO5Jn8V{w zm?}gqS%C1;`waVr21us8QRJOeKJ|KeBNo8*VQrGp>fa=*J)RMfE@icyK_SsO8=YBd?nf;7O|)oY8(P+$`~^3i`s zO#2>u-=tiHvgw!Z^pv#U)BL`N+=Yy~^9p8`>H(p&Br@P;Mt98uwI$l=7~HRAUN9EXFU$$LNoT zCrX0#h7c+C+P+!(%y*#0a118sCo$Onw5t^Uo42(hER^BE#^l;PWm_9-pCu{Nm{#If zw6=dPj@g|j!x%6#4s@t1@ms3WWvibu{}|M{`0%L;9nfk5x*!KvS|mx$v;Cxd6m+B) z7sW3~M{s-ST_9kLOi}~xzQR!5J>hS_6sW29t7f`NJCv0ZMgwP2#H7E39d*6P0nVf?4QOj&iHRO17~tqWh5F5856O{Qf>#4{+(24uH> zQ0gF0p~moG3S8Ls=CE4(X!CjT-aK)9IME>4;4a3(yt}J$_2PG5EmgC}^~fo=(=ZV< z`#nY;%UT~){f0!(@`2Y~5B6hSHWke@e}088Ac=S7)Z%hG5@qm&on6BjW}qgGTf=Hy zLCT&09WHGT4Uo0t_LDLJQ~zPGq24DEGB0ab5JRjZ2T;?Cm`{zr$48gT)OcBMVNWww z9JHIXD6FQ*S85KnH{_iWy>|FMMy(HN+BGw3eK(if$|GrA7>1NSoi#^~FHX7XJAC*u zNAOFSOA}k4rHmO}K%K=4z7i)GsuU!LtjHy$mTyWCQ+Oeo#rFYi!A3%=@F_v)Zg+wDVG@uV2~@MMJRd30Q^}o+&DpTK%^rXvHfHY6a3Br8?lBGjkkv z?$^lY>FXnti2!B0dsqB8zRqxM9 zC3z+_L7q&c^$!UdJ)9-squ!FkMf**_t7_x(D~cxe7vQ2l3`MZc<**(R*)Q(LMU=Rc z-u4;U90lMhibr%WL_uWn9CTC`CFO_=UM7i{Qa;Sn--&#Pp1YrW32edvit<=~E`;O* zT*tmY+dG4R5RE^w)%oykYc-J6)`_Gz>T^8&3QHKHz#tu&h7fqj7*583X^BEm$&=~e HbI<<(@*qUZ diff --git a/gnutls.spec b/gnutls.spec index f264ae2..4277ccd 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -115,7 +115,7 @@ URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig -Source2: gnutls-release-keyring.gpg +Source2: https://gnutls.org/gnutls-release-keyring.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 diff --git a/sources b/sources index ee8a251..0ceeebf 100644 --- a/sources +++ b/sources @@ -1 +1,3 @@ SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359 +SHA512 (gnutls-3.7.8.tar.xz.sig) = cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7 +SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d From b08c1d3cb5cba2ab8d2592274bc28c105395956a Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 15 Feb 2023 09:04:29 +0100 Subject: [PATCH 086/152] [packit] 3.8.0 upstream release Upstream tag: 3.8.0 Upstream commit: 516e466b Signed-off-by: Zoltan Fridrich --- .gitignore | 3 + .packit.yaml | 1 - README.packit | 2 +- gnutls-3.6.7-no-now-guile.patch | 11 - ...3.7.8-gcc_analyzer-suppress_warnings.patch | 132 --- gnutls-3.7.8-ktls_add_ciphersuites.patch | 273 ----- gnutls-3.7.8-ktls_invalidate_session.patch | 62 -- gnutls-3.7.8-ktls_key_update.patch | 957 ------------------ gnutls-3.7.8-ktls_minor_fixes.patch | 155 --- gnutls.spec | 84 +- sources | 4 +- 11 files changed, 26 insertions(+), 1658 deletions(-) delete mode 100644 gnutls-3.6.7-no-now-guile.patch delete mode 100644 gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch delete mode 100644 gnutls-3.7.8-ktls_add_ciphersuites.patch delete mode 100644 gnutls-3.7.8-ktls_invalidate_session.patch delete mode 100644 gnutls-3.7.8-ktls_key_update.patch delete mode 100644 gnutls-3.7.8-ktls_minor_fixes.patch diff --git a/.gitignore b/.gitignore index 1d6ef56..690d3fe 100644 --- a/.gitignore +++ b/.gitignore @@ -141,3 +141,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.6.tar.xz /gnutls-3.7.7.tar.xz /gnutls-3.7.8.tar.xz +/gnutls-3.8.0.tar.xz +/gnutls-3.8.0.tar.xz.sig +/gnutls-release-keyring.gpg diff --git a/.packit.yaml b/.packit.yaml index a27df63..2a7dee2 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -15,7 +15,6 @@ actions: post-upstream-clone: - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec" - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch" - - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.6.7-no-now-guile.patch" get-current-version: - "git describe --abbrev=0" create-archive: diff --git a/README.packit b/README.packit index 44d1757..c83811d 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.60.0. +The file was generated using packit 0.67.0. diff --git a/gnutls-3.6.7-no-now-guile.patch b/gnutls-3.6.7-no-now-guile.patch deleted file mode 100644 index d14e8df..0000000 --- a/gnutls-3.6.7-no-now-guile.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/guile/src/Makefile.in 2019-03-27 11:51:55.984398001 +0100 -+++ b/guile/src/Makefile.in 2019-03-27 11:52:27.259626076 +0100 -@@ -1472,7 +1472,7 @@ - # Use '-module' to build a "dlopenable module", in Libtool terms. - # Use '-undefined' to placate Libtool on Windows; see - # . --guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy - - # Linking against GnuTLS. - GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la diff --git a/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch b/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch deleted file mode 100644 index d8a6f4a..0000000 --- a/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 7fa942e08e64b761b19753ae74503de43cc1ff91 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 6 Oct 2022 18:44:48 +0900 -Subject: build: suppress GCC analyzer warnings - -Signed-off-by: Daiki Ueno - -diff --git a/lib/auth/cert.c b/lib/auth/cert.c -index 228d98468..f122049e1 100644 ---- a/lib/auth/cert.c -+++ b/lib/auth/cert.c -@@ -1636,6 +1636,10 @@ _gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_e - if (session->internals.selected_cert_list_length == 0) - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); - -+ if (unlikely(session->internals.selected_cert_list == NULL)) { -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ - _gnutls_debug_log("Selected (%s) cert\n", - gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo)); - } -diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c -index 585cd031e..3a626a2c8 100644 ---- a/lib/nettle/int/provable-prime.c -+++ b/lib/nettle/int/provable-prime.c -@@ -1173,7 +1173,7 @@ st_provable_prime(mpz_t p, - if (iterations > 0) { - storage_length = iterations * DIGEST_SIZE; - -- storage = malloc(storage_length); -+ storage = gnutls_malloc(storage_length); - if (storage == NULL) - goto fail; - -@@ -1307,7 +1307,7 @@ st_provable_prime(mpz_t p, - mpz_clear(t); - mpz_clear(tmp); - mpz_clear(c); -- free(pseed); -- free(storage); -+ gnutls_free(pseed); -+ gnutls_free(storage); - return ret; - } -diff --git a/lib/pk.c b/lib/pk.c -index c5600a32a..753cecd18 100644 ---- a/lib/pk.c -+++ b/lib/pk.c -@@ -93,6 +93,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, - } - - if (r->data[0] >= 0x80) { -+ assert(tmp); - tmp[0] = 0; - memcpy(&tmp[1], r->data, r->size); - result = asn1_write_value(sig, "r", tmp, 1+r->size); -@@ -108,6 +109,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, - - - if (s->data[0] >= 0x80) { -+ assert(tmp); - tmp[0] = 0; - memcpy(&tmp[1], s->data, s->size); - result = asn1_write_value(sig, "s", tmp, 1+s->size); -@@ -598,6 +600,10 @@ encode_ber_digest_info(const mac_entry_st * e, - uint8_t *tmp_output; - int tmp_output_size; - -+ if (unlikely(e == NULL)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ - /* prevent asn1_write_value() treating input as string */ - if (digest->size == 0) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c -index 59eddcd2a..6f528a911 100644 ---- a/lib/x509/pkcs7-crypt.c -+++ b/lib/x509/pkcs7-crypt.c -@@ -1211,6 +1211,10 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - } - - ce = cipher_to_entry(enc_params->cipher); -+ if (unlikely(ce == NULL)) { -+ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_CIPHER_TYPE); -+ goto error; -+ } - block_size = _gnutls_cipher_get_block_size(ce); - - if (ce->type == CIPHER_BLOCK) { -diff --git a/src/tests.c b/src/tests.c -index 85c4b6699..8526b6943 100644 ---- a/src/tests.c -+++ b/src/tests.c -@@ -1613,7 +1613,9 @@ test_code_t test_chain_order(gnutls_session_t session) - - gnutls_free(t.data); - } -- *pos = 0; -+ if (pos) { -+ *pos = 0; -+ } - - t.size = p_size; - t.data = (void*)p; -diff --git a/src/tpmtool.c b/src/tpmtool.c -index 171b7fd41..1b230c2ff 100644 ---- a/src/tpmtool.c -+++ b/src/tpmtool.c -@@ -263,15 +263,15 @@ static void tpm_generate(FILE * out, unsigned int key_type, - gnutls_datum_t privkey, pubkey; - - if (!srk_well_known) { -- srk_pass = getpass("Enter SRK password: "); -- if (srk_pass != NULL) -- srk_pass = strdup(srk_pass); -+ char *pass = getpass("Enter SRK password: "); -+ if (pass != NULL) -+ srk_pass = strdup(pass); - } - - if (!(flags & GNUTLS_TPM_REGISTER_KEY)) { -- key_pass = getpass("Enter key password: "); -- if (key_pass != NULL) -- key_pass = strdup(key_pass); -+ char *pass = getpass("Enter key password: "); -+ if (pass != NULL) -+ key_pass = strdup(pass); - } - - ret = diff --git a/gnutls-3.7.8-ktls_add_ciphersuites.patch b/gnutls-3.7.8-ktls_add_ciphersuites.patch deleted file mode 100644 index 88ae1aa..0000000 --- a/gnutls-3.7.8-ktls_add_ciphersuites.patch +++ /dev/null @@ -1,273 +0,0 @@ -From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Thu, 1 Dec 2022 15:37:33 +0100 -Subject: [PATCH 1/2] KTLS: add ciphersuites - -* TLS_AES_128_CCM_SHA256 -* TLS_CHACHA20_POLY1305_SHA256 - -Signed-off-by: Frantisek Krenzelok ---- - lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 153 insertions(+), 6 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 703775960..792d09ccf 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - gnutls_datum_t mac_key; - gnutls_datum_t iv; - gnutls_datum_t cipher_key; -- unsigned char seq_number[8]; -+ unsigned char seq_number[12]; - int sockin, sockout; - int ret; - -@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - int version = gnutls_protocol_get_version(session); - if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) || - (gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM && -- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) { -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM && -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM && -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) { - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - -@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; - assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE); -@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; - assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); -@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - } - } - break; -+ case GNUTLS_CIPHER_AES_128_CCM: -+ { -+ struct tls12_crypto_info_aes_ccm_128 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; -+ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE -+ + TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ -+ memcpy(crypto_info.iv, iv.data + -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE, -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } -+ -+ memcpy(crypto_info.salt, iv.data, -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE); -+ memcpy(crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -+ memcpy(crypto_info.key, cipher_key.data, -+ TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ if (setsockopt (sockin, SOL_TLS, TLS_RX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; -+ case GNUTLS_CIPHER_CHACHA20_POLY1305: -+ { -+ struct tls12_crypto_info_chacha20_poly1305 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; -+ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE -+ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ -+ memcpy(crypto_info.iv, iv.data + -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } -+ -+ memcpy(crypto_info.salt, iv.data, -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); -+ memcpy(crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -+ memcpy(crypto_info.key, cipher_key.data, -+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ if (setsockopt (sockin, SOL_TLS, TLS_RX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; - default: - assert(0); - } -+ -+ - } - - ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key, -@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; - -@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; - assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); -@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - } - } - break; -+ case GNUTLS_CIPHER_AES_128_CCM: -+ { -+ struct tls12_crypto_info_aes_ccm_128 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; -+ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE + -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ -+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE, -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } -+ -+ memcpy (crypto_info.salt, iv.data, -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE); -+ memcpy (crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -+ memcpy (crypto_info.key, cipher_key.data, -+ TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ if (setsockopt (sockout, SOL_TLS, TLS_TX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; -+ case GNUTLS_CIPHER_CHACHA20_POLY1305: -+ { -+ struct tls12_crypto_info_chacha20_poly1305 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; -+ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE + -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ -+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } -+ -+ memcpy (crypto_info.salt, iv.data, -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); -+ memcpy (crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -+ memcpy (crypto_info.key, cipher_key.data, -+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ if (setsockopt (sockout, SOL_TLS, TLS_TX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; - default: - assert(0); - } - -+ - // set callback for sending handshake messages - gnutls_handshake_set_read_function(session, - _gnutls_ktls_send_handshake_msg); --- -2.38.1 - - -From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Fri, 2 Dec 2022 11:07:48 +0100 -Subject: [PATCH 2/2] KTLS: add ciphersuites (tests) - -Signed-off-by: Frantisek Krenzelok ---- - tests/gnutls_ktls.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index 8f9c5fa36..919270778 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -350,8 +350,12 @@ void doit(void) - { - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"); - } - - #endif /* _WIN32 */ --- -2.38.1 - diff --git a/gnutls-3.7.8-ktls_invalidate_session.patch b/gnutls-3.7.8-ktls_invalidate_session.patch deleted file mode 100644 index aaa4793..0000000 --- a/gnutls-3.7.8-ktls_invalidate_session.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 11:10:58 +0900 -Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info - -Signed-off-by: Daiki Ueno ---- - src/common.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/common.c b/src/common.c -index 6d2056f95..20327b41c 100644 ---- a/src/common.c -+++ b/src/common.c -@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", - gnutls_strerror(ret)); -- return; -+ goto cleanup; - } - - log_msg(out, "\n%s\n", (char*)pem.data); -@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, - gnutls_free(pem.data); - } - -+ cleanup: -+ gnutls_pcert_deinit(&pk_cert); - } - - /* returns false (0) if not verified, or true (1) otherwise --- -2.38.1 - - -From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 11:14:53 +0900 -Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek - -Signed-off-by: Daiki Ueno ---- - tests/resume-with-previous-stek.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c -index 94f165627..98aba8d84 100644 ---- a/tests/resume-with-previous-stek.c -+++ b/tests/resume-with-previous-stek.c -@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio) - - gnutls_deinit(session); - } -+ -+ gnutls_free(session_data.data); - } - - typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key, --- -2.38.1 - diff --git a/gnutls-3.7.8-ktls_key_update.patch b/gnutls-3.7.8-ktls_key_update.patch deleted file mode 100644 index 5ca8a37..0000000 --- a/gnutls-3.7.8-ktls_key_update.patch +++ /dev/null @@ -1,957 +0,0 @@ -From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 2 Aug 2022 15:00:50 +0200 -Subject: [PATCH 1/7] KTLS: set key on specific interfaces - -It is now possible to set key on specific interface. -If interface given is not ktls enabled then it will be ignored. - -Signed-off-by: Frantisek Krenzelok ---- - lib/handshake.c | 2 +- - lib/system/ktls.c | 12 +++++++----- - lib/system/ktls.h | 7 ++++++- - 3 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index 21edc5ece..cb2bc3ae9 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { -- _gnutls_ktls_set_keys(session); -+ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); - } - #endif - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index ddf27fac7..70b9b9b3a 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session) - } - } - --int _gnutls_ktls_set_keys(gnutls_session_t session) -+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in) - { - gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session); - gnutls_datum_t mac_key; -@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - return ret; - } - -- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){ -+ in &= session->internals.ktls_enabled; -+ -+ if(in & GNUTLS_KTLS_RECV){ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { -@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - } - -- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){ -+ if(in & GNUTLS_KTLS_SEND){ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { -@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - } - } - -- return 0; -+ return in; - } - - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, -@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) { - void _gnutls_ktls_enable(gnutls_session_t session) { - } - --int _gnutls_ktls_set_keys(gnutls_session_t session) { -+int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) { - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } - -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index 8a98a8eb8..c8059092d 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -4,14 +4,19 @@ - #include "gnutls_int.h" - - void _gnutls_ktls_enable(gnutls_session_t session); --int _gnutls_ktls_set_keys(gnutls_session_t session); -+ -+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in); -+ - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t *offset, size_t count); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type, - void *data, size_t data_size); -+ - int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size); - #define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z) - --- -2.39.0 - - -From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 2 Aug 2022 13:35:39 +0200 -Subject: [PATCH 2/7] KTLS: set new keys for keyupdate - -set new keys durring gnutls_session_key_update() -setting keys - -Signed-off-by: Frantisek Krenzelok ---- - lib/tls13/key_update.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c -index c6f6e0aa1..10c0a9110 100644 ---- a/lib/tls13/key_update.c -+++ b/lib/tls13/key_update.c -@@ -27,6 +27,7 @@ - #include "mem.h" - #include "mbuffers.h" - #include "secrets.h" -+#include "system/ktls.h" - - #define KEY_UPDATES_WINDOW 1000 - #define KEY_UPDATES_PER_WINDOW 8 -@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) - * write keys */ - if (session->internals.recv_state == RECV_STATE_EARLY_START) { - ret = _tls13_write_connection_state_init(session, stage); -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); - } else { - ret = _tls13_connection_state_init(session, stage); -+ -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); -+ - } - if (ret < 0) - return gnutls_assert_val(ret); --- -2.39.0 - - -From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Wed, 3 Aug 2022 14:20:35 +0200 -Subject: [PATCH 3/7] KTLS: send update key request - -Set hanshake send function after interface initialization -TODO: handel setting function differently - -Signed-off-by: Frantisek Krenzelok ---- - lib/record.c | 23 ++++++++++++++++------- - lib/system/ktls.c | 21 +++++++++++++++++++++ - lib/system/ktls.h | 5 +++++ - 3 files changed, 42 insertions(+), 7 deletions(-) - -diff --git a/lib/record.c b/lib/record.c -index fd24acaf1..aad128e1f 100644 ---- a/lib/record.c -+++ b/lib/record.c -@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data, - session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3; - FALLTHROUGH; - case RECORD_SEND_KEY_UPDATE_3: -- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -- -1, EPOCH_WRITE_CURRENT, -- session->internals.record_key_update_buffer.data, -- session->internals.record_key_update_buffer.length, -- MBUFFER_FLUSH); -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { -+ return _gnutls_ktls_send(session, -+ session->internals.record_key_update_buffer.data, -+ session->internals.record_key_update_buffer.length); -+ } else { -+ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -+ -1, EPOCH_WRITE_CURRENT, -+ session->internals.record_key_update_buffer.data, -+ session->internals.record_key_update_buffer.length, -+ MBUFFER_FLUSH); -+ } - _gnutls_buffer_clear(&session->internals.record_key_update_buffer); - session->internals.rsend_state = RECORD_SEND_NORMAL; - if (ret < 0) -@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session, - return gnutls_assert_val(0); - - /* When using this, the outgoing handshake messages should -- * also be handled manually */ -- if (!session->internals.h_read_func) -+ * also be handled manually unless KTLS is enabled exclusively -+ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages -+ * are handled by GnuTLS. -+ */ -+ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - if (session->internals.initial_negotiation_completed) { -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 70b9b9b3a..5da0a8069 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - default: - assert(0); - } -+ // set callback for sending handshake messages -+ gnutls_handshake_set_read_function(session, -+ _gnutls_ktls_send_handshake_msg); - } - - return in; -@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, - return data_size; - } - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size) -+{ -+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, -+ data, data_size); -+} -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, - unsigned char *record_type, void *data, size_t data_size) - { -@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size) -+{ -+ (void)level; -+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -+} -+ - int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, - void *data, size_t data_size) { - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index c8059092d..8d61a49df 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t *offset, size_t count); - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); --- -2.39.0 - - -From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Mon, 22 Aug 2022 10:50:37 +0200 -Subject: [PATCH 4/7] KTLS: receive key update - -handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly - -Signed-off-by: Frantisek Krenzelok ---- - lib/system/ktls.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 5da0a8069..f3cb343ae 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, - ret = 0; - break; - case GNUTLS_HANDSHAKE: -- // ignore post-handshake messages -+ ret = gnutls_handshake_write(session, -+ GNUTLS_ENCRYPTION_LEVEL_APPLICATION, -+ data, ret); -+ -+ if (ret < 0) -+ return gnutls_assert_val(ret); -+ - if (type != record_type) - return GNUTLS_E_AGAIN; - break; --- -2.39.0 - - -From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Fri, 5 Aug 2022 16:38:02 +0200 -Subject: [PATCH 5/7] KTLS: set write alert callback - -Use callback for sending alerts. - -Signed-off-by: Frantisek Krenzelok ---- - lib/alert.c | 13 ++++--------- - lib/system/ktls.c | 15 +++++++++++++++ - lib/system/ktls.h | 5 +++++ - 3 files changed, 24 insertions(+), 9 deletions(-) - -diff --git a/lib/alert.c b/lib/alert.c -index 50bd1d3de..fda8cd79f 100644 ---- a/lib/alert.c -+++ b/lib/alert.c -@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level, - return ret; - } - -- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { -- ret = -- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); -- } else { -- ret = -- _gnutls_send_int(session, GNUTLS_ALERT, -1, -- EPOCH_WRITE_CURRENT, data, 2, -- MBUFFER_FLUSH); -- } -+ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, -+ EPOCH_WRITE_CURRENT, data, 2, -+ MBUFFER_FLUSH); -+ - return (ret < 0) ? ret : 0; - } - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index f3cb343ae..703775960 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - default: - assert(0); - } -+ - // set callback for sending handshake messages - gnutls_handshake_set_read_function(session, - _gnutls_ktls_send_handshake_msg); -+ -+ // set callback for sending alert messages -+ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg); - } - - return in; -@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, - data, data_size); - } - -+int _gnutls_ktls_send_alert_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_alert_level_t alert_level, -+ gnutls_alert_description_t alert_desc) -+{ -+ uint8_t data[2]; -+ data[0] = (uint8_t) alert_level; -+ data[1] = (uint8_t) alert_desc; -+ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); -+} -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, - unsigned char *record_type, void *data, size_t data_size) - { -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index 8d61a49df..64e1c9c1c 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, - gnutls_handshake_description_t htype, - const void *data, size_t data_size); - -+int _gnutls_ktls_send_alert_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_alert_level_t alert_level, -+ gnutls_alert_description_t alert_desc); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); --- -2.39.0 - - -From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 9 Aug 2022 12:11:16 +0200 -Subject: [PATCH 6/7] KTLS: rekey test - -Signed-off-by: Frantisek Krenzelok ---- - tests/Makefile.am | 2 + - tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++ - tests/ktls_keyupdate.sh | 46 +++++ - 3 files changed, 429 insertions(+) - create mode 100644 tests/ktls_keyupdate.c - create mode 100755 tests/ktls_keyupdate.sh - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 1122886b3..2d345d478 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -500,6 +500,8 @@ endif - if ENABLE_KTLS - indirect_tests += gnutls_ktls - dist_check_SCRIPTS += ktls.sh -+indirect_tests += ktls_keyupdate -+dist_check_SCRIPTS += ktls_keyupdate.sh - endif - - if !WINDOWS -diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c -new file mode 100644 -index 000000000..9fbff38ae ---- /dev/null -+++ b/tests/ktls_keyupdate.c -@@ -0,0 +1,381 @@ -+// Copyright (C) 2022 Red Hat, Inc. -+// -+// Author: Frantisek Krenzelok -+// -+// This file is part of GnuTLS. -+// -+// GnuTLS is free software; you can redistribute it and/or modify it -+// under the terms of the GNU General Public License as published by the -+// Free Software Foundation; either version 3 of the License, or (at -+// your option) any later version. -+// -+// GnuTLS is distributed in the hope that it will be useful, but -+// WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+// General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License -+// along with GnuTLS; if not, write to the Free Software Foundation, -+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "cert-common.h" -+#include "utils.h" -+ -+#if defined(_WIN32) -+ -+int main(void) -+{ -+ exit(77); -+} -+ -+#else -+ -+ -+#define MAX_BUF 1024 -+#define MSG "Hello world!" -+ -+#define HANDSHAKE(session, name, ret)\ -+{\ -+ do {\ -+ ret = gnutls_handshake(session);\ -+ }\ -+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\ -+ if (ret < 0) {\ -+ fail("%s: Handshake failed\n", name);\ -+ goto end;\ -+ }\ -+} -+ -+#define SEND_MSG(session, name, ret)\ -+{\ -+ do {\ -+ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\ -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret < 0) {\ -+ fail("%s: data sending has failed (%s)\n",name,\ -+ gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+} -+ -+#define RECV_MSG(session, name, buffer, buffer_len, ret)\ -+{\ -+ memset(buffer, 0, sizeof(buffer));\ -+ do{\ -+ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\ -+ }\ -+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret == 0) {\ -+ success("%s: Peer has closed the TLS connection\n", name);\ -+ goto end;\ -+ } else if (ret < 0) {\ -+ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+ if(strncmp(buffer, MSG, ret)){\ -+ fail("%s: Message doesn't match\n", name);\ -+ goto end;\ -+ }\ -+} -+ -+#define KEY_UPDATE(session, name, peer_req, ret)\ -+{\ -+ do {\ -+ ret = gnutls_session_key_update(session, peer_req);\ -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret < 0) {\ -+ fail("%s: key update has failed (%s)\n", name, \ -+ gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+} -+ -+#define CHECK_KTLS_ENABLED(session, ret)\ -+{\ -+ ret = gnutls_transport_is_ktls_enabled(session);\ -+ if (!(ret & GNUTLS_KTLS_RECV)){\ -+ fail("client: KTLS was not properly initialized\n");\ -+ goto end;\ -+ }\ -+} -+ -+static void server_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "server|<%d>| %s", level, str); -+} -+ -+static void client_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "client|<%d>| %s", level, str); -+} -+ -+ -+static void client(int fd, const char *prio, int pipe) -+{ -+ const char *name = "client"; -+ int ret; -+ char foo; -+ char buffer[MAX_BUF + 1]; -+ gnutls_certificate_credentials_t x509_cred; -+ gnutls_session_t session; -+ -+ global_init(); -+ -+ if (debug) { -+ gnutls_global_set_log_function(client_log_func); -+ gnutls_global_set_log_level(7); -+ } -+ -+ gnutls_certificate_allocate_credentials(&x509_cred); -+ -+ gnutls_init(&session, GNUTLS_CLIENT); -+ gnutls_handshake_set_timeout(session, 0); -+ -+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); -+ -+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); -+ -+ gnutls_transport_set_int(session, fd); -+ -+ HANDSHAKE(session, name, ret); -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 0: Try sending/receiving data -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 1: Servers does key update -+ read(pipe, &foo, 1); -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 2: Does key update witch request -+ read(pipe, &foo, 1); -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); -+ if (ret < 0) { -+ fail("client: error in closing session: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = 0; -+ end: -+ -+ close(fd); -+ -+ gnutls_deinit(session); -+ -+ gnutls_certificate_free_credentials(x509_cred); -+ -+ gnutls_global_deinit(); -+ -+ if (ret != 0) -+ exit(1); -+} -+ -+pid_t child; -+static void terminate(void) -+{ -+ assert(child); -+ kill(child, SIGTERM); -+ exit(1); -+} -+ -+static void server(int fd, const char *prio, int pipe) -+{ -+ const char *name = "server"; -+ int ret; -+ char bar = 0; -+ char buffer[MAX_BUF + 1]; -+ gnutls_certificate_credentials_t x509_cred; -+ gnutls_session_t session; -+ -+ global_init(); -+ -+ if (debug) { -+ gnutls_global_set_log_function(server_log_func); -+ gnutls_global_set_log_level(7); -+ } -+ -+ gnutls_certificate_allocate_credentials(&x509_cred); -+ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, -+ &server_key, -+ GNUTLS_X509_FMT_PEM); -+ if (ret < 0) -+ exit(1); -+ -+ gnutls_init(&session, GNUTLS_SERVER); -+ gnutls_handshake_set_timeout(session, 0); -+ -+ assert(gnutls_priority_set_direct(session, prio, NULL)>=0); -+ -+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); -+ -+ gnutls_transport_set_int(session, fd); -+ -+ HANDSHAKE(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 0: sending/receiving data\n"); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 1: server key update without request\n"); -+ KEY_UPDATE(session, name, 0, ret) -+ write(pipe, &bar, 1); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 2: server key update with request\n"); -+ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret) -+ write(pipe, &bar, 1); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); -+ if (ret < 0) { -+ fail("server: error in closing session: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = 0; -+end: -+ close(fd); -+ gnutls_deinit(session); -+ -+ gnutls_certificate_free_credentials(x509_cred); -+ -+ gnutls_global_deinit(); -+ -+ if (ret){ -+ terminate(); -+ } -+ -+ if (debug) -+ success("server: finished\n"); -+} -+ -+static void ch_handler(int sig) -+{ -+ return; -+} -+ -+static void run(const char *prio) -+{ -+ int ret; -+ struct sockaddr_in saddr; -+ socklen_t addrlen; -+ int listener; -+ int fd; -+ -+ int sync_pipe[2]; //used for synchronization -+ pipe(sync_pipe); -+ -+ success("running ktls test with %s\n", prio); -+ -+ signal(SIGCHLD, ch_handler); -+ signal(SIGPIPE, SIG_IGN); -+ -+ listener = socket(AF_INET, SOCK_STREAM, 0); -+ if (listener == -1){ -+ fail("error in listener(): %s\n", strerror(errno)); -+ } -+ -+ memset(&saddr, 0, sizeof(saddr)); -+ saddr.sin_family = AF_INET; -+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); -+ saddr.sin_port = 0; -+ -+ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr)); -+ if (ret == -1){ -+ fail("error in bind(): %s\n", strerror(errno)); -+ } -+ -+ addrlen = sizeof(saddr); -+ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen); -+ if (ret == -1){ -+ fail("error in getsockname(): %s\n", strerror(errno)); -+ } -+ -+ child = fork(); -+ if (child < 0) { -+ fail("error in fork(): %s\n", strerror(errno)); -+ exit(1); -+ } -+ -+ if (child) { -+ int status; -+ /* parent */ -+ ret = listen(listener, 1); -+ if (ret == -1) { -+ fail("error in listen(): %s\n", strerror(errno)); -+ } -+ -+ fd = accept(listener, NULL, NULL); -+ if (fd == -1) { -+ fail("error in accept(): %s\n", strerror(errno)); -+ } -+ -+ close(sync_pipe[0]); -+ server(fd, prio, sync_pipe[1]); -+ -+ wait(&status); -+ check_wait_status(status); -+ } else { -+ fd = socket(AF_INET, SOCK_STREAM, 0); -+ if (fd == -1){ -+ fail("error in socket(): %s\n", strerror(errno)); -+ exit(1); -+ } -+ -+ usleep(1000000); -+ connect(fd, (struct sockaddr*)&saddr, addrlen); -+ -+ close(sync_pipe[1]); -+ client(fd, prio, sync_pipe[0]); -+ exit(0); -+ } -+} -+ -+void doit(void) -+{ -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); -+} -+ -+#endif /* _WIN32 */ -diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh -new file mode 100755 -index 000000000..d072acafc ---- /dev/null -+++ b/tests/ktls_keyupdate.sh -@@ -0,0 +1,46 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Author: Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+ -+. "$srcdir/scripts/common.sh" -+ -+if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then -+ exit 77 -+fi -+ -+testdir=`create_testdir ktls_keyupdate` -+ -+cfg="$testdir/config" -+ -+cat < "$cfg" -+[global] -+ktls = true -+EOF -+ -+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ -+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ -+"$builddir/ktls_keyupdate" "$@" -+rc=$? -+ -+rm -rf "$testdir" -+exit $rc --- -2.39.0 - - -From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Mon, 5 Sep 2022 13:05:17 +0200 -Subject: [PATCH 7/7] KTLS: fallback to default - -If an error occurs during setting of keys either initial or key update -then fallback to default mode of operation (disable ktls) and let the -user know - -Signed-off-by: Frantisek Krenzelok ---- - lib/handshake.c | 7 ++++++- - lib/tls13/key_update.c | 23 +++++++++++++++++++---- - 2 files changed, 25 insertions(+), 5 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index cb2bc3ae9..14bcdea56 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { -- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); -+ if (ret < 0) { -+ session->internals.ktls_enabled = 0; -+ _gnutls_audit_log(session, -+ "disabling KTLS: failed to set keys\n"); -+ } - } - #endif - -diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c -index 10c0a9110..acfda4129 100644 ---- a/lib/tls13/key_update.c -+++ b/lib/tls13/key_update.c -@@ -32,6 +32,20 @@ - #define KEY_UPDATES_WINDOW 1000 - #define KEY_UPDATES_PER_WINDOW 8 - -+/* -+ * Sets kTLS keys if enabled. -+ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled -+ * because KTLS most likely doesn't support key update. -+ */ -+#define SET_KTLS_KEYS(session, interface)\ -+{\ -+ if(_gnutls_ktls_set_keys(session, interface) < 0) {\ -+ session->internals.ktls_enabled = 0;\ -+ _gnutls_audit_log(session, \ -+ "disabling KTLS: couldn't update keys\n");\ -+ }\ -+} -+ - static int update_keys(gnutls_session_t session, hs_stage_t stage) - { - int ret; -@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) - if (session->internals.recv_state == RECV_STATE_EARLY_START) { - ret = _tls13_write_connection_state_init(session, stage); - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) - } else { - ret = _tls13_connection_state_init(session, stage); -+ if (ret < 0) -+ return gnutls_assert_val(ret); - - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) - else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); -- -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV) - } - if (ret < 0) - return gnutls_assert_val(ret); --- -2.39.0 - diff --git a/gnutls-3.7.8-ktls_minor_fixes.patch b/gnutls-3.7.8-ktls_minor_fixes.patch deleted file mode 100644 index 99749a1..0000000 --- a/gnutls-3.7.8-ktls_minor_fixes.patch +++ /dev/null @@ -1,155 +0,0 @@ -From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:17:12 +0900 -Subject: [PATCH 1/3] includes: move KTLS function definition out of - - - is meant for the functions that depend on -, which is not available on Windows platforms. - -As the KTLS API doesn't rely on , move the function and -enum to . - -Signed-off-by: Daiki Ueno ---- - lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++ - lib/includes/gnutls/socket.h | 21 --------------------- - 2 files changed, 21 insertions(+), 21 deletions(-) - -diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in -index 394d465e3..830ce5f95 100644 ---- a/lib/includes/gnutls/gnutls.h.in -+++ b/lib/includes/gnutls/gnutls.h.in -@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void); - - int gnutls_fips140_run_self_tests(void); - -+/** -+ * gnutls_transport_ktls_enable_flags_t: -+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function. -+ * @GNUTLS_KTLS_SEND: ktls enabled for send function. -+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. -+ * -+ * Flag enumeration of ktls enable status for recv and send functions. -+ * This is used by gnutls_transport_is_ktls_enabled(). -+ * -+ * Since: 3.7.3 -+ */ -+typedef enum { -+ GNUTLS_KTLS_RECV = 1 << 0, -+ GNUTLS_KTLS_SEND = 1 << 1, -+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, -+} gnutls_transport_ktls_enable_flags_t; -+ -+ -+gnutls_transport_ktls_enable_flags_t -+gnutls_transport_is_ktls_enabled(gnutls_session_t session); -+ - /* Gnutls error codes. The mapping to a TLS alert is also shown in - * comments. - */ -diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h -index 4df7bb2e0..64eb19f89 100644 ---- a/lib/includes/gnutls/socket.h -+++ b/lib/includes/gnutls/socket.h -@@ -37,27 +37,6 @@ extern "C" { - #endif - /* *INDENT-ON* */ - --/** -- * gnutls_transport_ktls_enable_flags_t: -- * @GNUTLS_KTLS_RECV: ktls enabled for recv function. -- * @GNUTLS_KTLS_SEND: ktls enabled for send function. -- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. -- * -- * Flag enumeration of ktls enable status for recv and send functions. -- * This is used by gnutls_transport_is_ktls_enabled(). -- * -- * Since: 3.7.3 -- */ --typedef enum { -- GNUTLS_KTLS_RECV = 1 << 0, -- GNUTLS_KTLS_SEND = 1 << 1, -- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, --} gnutls_transport_ktls_enable_flags_t; -- -- --gnutls_transport_ktls_enable_flags_t --gnutls_transport_is_ktls_enabled(gnutls_session_t session); -- - void gnutls_transport_set_fastopen(gnutls_session_t session, - int fd, - struct sockaddr *connect_addr, --- -2.38.1 - - -From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:13:31 +0900 -Subject: [PATCH 2/3] src: print KTLS enablement status in - gnutls-serv/gnutls-cli - -Signed-off-by: Daiki Ueno ---- - src/common.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/common.c b/src/common.c -index 6d2056f95..d357c7fb8 100644 ---- a/src/common.c -+++ b/src/common.c -@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags) - gnutls_datum_t p; - char *desc; - gnutls_protocol_t version; -+ gnutls_transport_ktls_enable_flags_t ktls_flags; - int rc; - - desc = gnutls_session_get_desc(session); -@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags) - - print_channel_bindings(session, verbose); - -+ ktls_flags = gnutls_transport_is_ktls_enabled(session); -+ if (ktls_flags != 0) { -+ log_msg(stdout, "- KTLS: %s\n", -+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" : -+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" : -+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" : -+ "unknown"); -+ } -+ - fflush(stdout); - - return 0; --- -2.38.1 - - -From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:15:26 +0900 -Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file - -Signed-off-by: Daiki Ueno ---- - lib/priority.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/priority.c b/lib/priority.c -index 97831e63b..6266bb571 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, - p = clear_spaces(value, str); - if (c_strcasecmp(p, "true") == 0) { - cfg->ktls_enabled = true; -+ } else if (c_strcasecmp(p, "false") == 0) { -+ cfg->ktls_enabled = false; - } else { - _gnutls_debug_log("cfg: unknown ktls mode %s\n", - p); --- -2.38.1 - diff --git a/gnutls.spec b/gnutls.spec index 4277ccd..55c9277 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,21 +12,16 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } +%global with_srp 0%{?fedora} < 38 + %global with_mingw 0 %if 0%{?fedora} %global with_mingw 0%{!?_without_mingw:1} %endif -Version: 3.7.8 +Version: 3.8.0 Release: %{?autorelease}%{!?autorelease:1%{?dist}} -Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch Patch: gnutls-3.2.7-rpath.patch -Patch: gnutls-3.6.7-no-now-guile.patch - -Patch: gnutls-3.7.8-ktls_key_update.patch -Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch -Patch: gnutls-3.7.8-ktls_minor_fixes.patch -Patch: gnutls-3.7.8-ktls_invalidate_session.patch # Delete only after the kernel has been patched for thested systems Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch @@ -36,13 +31,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %bcond_without bootstrap %bcond_without dane -%if 0%{?rhel} -%bcond_with guile %bcond_without fips -%else -%bcond_without guile -%bcond_without fips -%endif %bcond_with tpm12 %bcond_without tpm2 %bcond_without gost @@ -87,9 +76,6 @@ Recommends: trousers >= 0.3.11.2 %if %{with dane} BuildRequires: unbound-devel unbound-libs %endif -%if %{with guile} -BuildRequires: guile22-devel -%endif BuildRequires: make gtk-doc %if %{with_mingw} @@ -147,13 +133,6 @@ Summary: A DANE protocol implementation for GnuTLS Requires: %{name}%{?_isa} = %{version}-%{release} %endif -%if %{with guile} -%package guile -Summary: Guile bindings for the GNUTLS library -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: guile22 -%endif - %description GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language @@ -197,16 +176,6 @@ This package contains library that implements the DANE protocol for verifying TLS certificates through DNSSEC. %endif -%if %{with guile} -%description guile -GnuTLS is a secure communications library implementing the SSL, TLS and DTLS -protocols and technologies around them. It provides a simple C language -application programming interface (API) to access the secure communications -protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and -other required structures. -This package contains Guile bindings for the library. -%endif - %if %{with_mingw} %package -n mingw32-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library @@ -251,15 +220,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS -%if %{with guile} -# These should be checked by m4/guile.m4 instead of configure.ac -# taking into account of _guile_suffix -guile_snarf=%{_bindir}/guile-snarf2.2 -export guile_snarf -GUILD=%{_bindir}/guild2.2 -export GUILD -%endif - %if %{with fips} eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release) export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" @@ -278,6 +238,9 @@ pushd native_build --enable-gost \ %else --disable-gost \ +%endif +%if %{with_srp} + --enable-srp-authentication \ %endif --enable-sha1-support \ --disable-static \ @@ -297,12 +260,6 @@ pushd native_build %endif --enable-ktls \ --htmldir=%{_docdir}/manual \ -%if %{with guile} - --enable-guile \ - --with-guile-extension-dir=%{_libdir}/guile/2.2 \ -%else - --disable-guile \ -%endif %if %{with dane} --with-unbound-root-key-file=/var/lib/unbound/root.key \ --enable-libdane \ @@ -324,11 +281,13 @@ popd # MinGW does not support CCASFLAGS export CCASFLAGS="" %mingw_configure \ +%if %{with_srp} + --enable-srp-authentication \ +%endif --enable-sha1-support \ --disable-static \ --disable-openssl-compatibility \ --disable-non-suiteb-curves \ - --disable-guile \ --disable-libdane \ --disable-rpath \ --disable-nls \ @@ -348,8 +307,6 @@ pushd native_build make -C doc install-html DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a -rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la %if %{without dane} rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %endif @@ -358,8 +315,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc # doing it twice should be a no-op the second time, # and this way we avoid redefining it and missing a future change %{__spec_install_post} -./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac -sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*` +./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac" %endif %if %{with fips} @@ -412,7 +371,7 @@ popd %files -f native_build/gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} -%{_libdir}/.gnutls.hmac +%{_libdir}/.libgnutls.so.30*.hmac %endif %doc README.md AUTHORS NEWS THANKS %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -438,7 +397,9 @@ popd %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool +%if %{with_srp} %{_bindir}/srptool +%endif %if %{with dane} %{_bindir}/danetool %endif @@ -451,15 +412,6 @@ popd %{_libdir}/libgnutls-dane.so.* %endif -%if %{with guile} -%files guile -%{_libdir}/guile/2.2/guile-gnutls*.so* -%{_libdir}/guile/2.2/site-ccache/gnutls.go -%{_libdir}/guile/2.2/site-ccache/gnutls/extra.go -%{_datadir}/guile/site/2.2/gnutls.scm -%{_datadir}/guile/site/2.2/gnutls/extra.scm -%endif - %if %{with_mingw} %files -n mingw32-%{name} %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -471,7 +423,9 @@ popd %{mingw32_bindir}/ocsptool.exe %{mingw32_bindir}/p11tool.exe %{mingw32_bindir}/psktool.exe +%if %{with_srp} %{mingw32_bindir}/srptool.exe +%endif %{mingw32_libdir}/libgnutls.dll.a %{mingw32_libdir}/libgnutls-30.def %{mingw32_libdir}/pkgconfig/gnutls.pc @@ -487,7 +441,9 @@ popd %{mingw64_bindir}/ocsptool.exe %{mingw64_bindir}/p11tool.exe %{mingw64_bindir}/psktool.exe +%if %{with_srp} %{mingw64_bindir}/srptool.exe +%endif %{mingw64_libdir}/libgnutls.dll.a %{mingw64_libdir}/libgnutls-30.def %{mingw64_libdir}/pkgconfig/gnutls.pc diff --git a/sources b/sources index 0ceeebf..f6b15ed 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359 -SHA512 (gnutls-3.7.8.tar.xz.sig) = cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7 +SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629 +SHA512 (gnutls-3.8.0.tar.xz.sig) = 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654 SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d From e361bb292d32b206faaca49ea045c4b8ea08a8c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 2 Mar 2023 11:14:44 +0000 Subject: [PATCH 087/152] Disable GNULIB's year2038 support for 64-bit time_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GNUTLS exposes time_t in its public API and thus the size of time_t is ABI relevant. It can't be changed in size without breaking ABI compatibility with applications built against GNUTLS that use the default time_t size. https://gitlab.com/gnutls/gnutls/-/issues/1466 https://bugzilla.redhat.com/show_bug.cgi?id=2174758 Signed-off-by: Daniel P. Berrangé --- gnutls.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index 55c9277..23c169a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -241,6 +241,9 @@ pushd native_build %endif %if %{with_srp} --enable-srp-authentication \ +%endif +%ifarch %{ix86} + --disable-year2038 \ %endif --enable-sha1-support \ --disable-static \ From e99bcaff789941a94416996daeb423df295d5443 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sat, 11 Mar 2023 07:32:46 +0000 Subject: [PATCH 088/152] Fix desychronisation with kTLS: https://gitlab.com/gnutls/gnutls/-/issues/1470 --- ...rn-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch | 52 +++++++++++++++++++ gnutls.spec | 4 ++ 2 files changed, 56 insertions(+) create mode 100644 gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch diff --git a/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch b/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch new file mode 100644 index 0000000..0390da3 --- /dev/null +++ b/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch @@ -0,0 +1,52 @@ +From 21c386860f1973344872eec4e4dd68644b1b48aa Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Fri, 10 Mar 2023 11:15:19 +0000 +Subject: [PATCH] ktls: Do not return GNUTLS_E_INTERRUPTED/AGAIN from short + writes + +If sendmsg returns a short write, we end up going around the loop with +data_to_send being smaller. However if sendmsg then returns -EAGAIN +or -EINTR then we return an error. But we have "forgotten" that we +already sent some data. + +This causes the caller to retry gnutls_record_send with the full +buffer (ie. with a buffer that has already been partially sent), +causing desynchronization. + +Instead check if we sent some data in this case and return the number +of bytes sent. + +Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1470 +Thanks: Dan Berrange for suggesting a fix +Signed-off-by: Richard W.M. Jones +--- + lib/system/ktls.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index fd57a9c30..bb59fab7c 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -604,9 +604,17 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, + if (ret == -1) { + switch (errno) { + case EINTR: +- return GNUTLS_E_INTERRUPTED; ++ if (data_to_send < data_size) { ++ return data_size - data_to_send; ++ } else { ++ return GNUTLS_E_INTERRUPTED; ++ } + case EAGAIN: +- return GNUTLS_E_AGAIN; ++ if (data_to_send < data_size) { ++ return data_size - data_to_send; ++ } else { ++ return GNUTLS_E_AGAIN; ++ } + default: + return GNUTLS_E_PUSH_ERROR; + } +-- +2.39.2 + diff --git a/gnutls.spec b/gnutls.spec index 23c169a..d43bcec 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -29,6 +29,10 @@ Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +# Fix desychronisation with kTLS: +# https://gitlab.com/gnutls/gnutls/-/issues/1470 +Patch: gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch + %bcond_without bootstrap %bcond_without dane %bcond_without fips From 82e473e933dd42d5ae39e62fc97109a55ad57b9f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 11 Apr 2023 19:37:40 +0900 Subject: [PATCH 089/152] Use %bcond instead of %global for srp and mingw support This makes it possible to build the package with/without those features, through rpmbuild --with/--without. Signed-off-by: Daiki Ueno --- gnutls.spec | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index d43bcec..2d40e58 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,13 +12,6 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -%global with_srp 0%{?fedora} < 38 - -%global with_mingw 0 -%if 0%{?fedora} -%global with_mingw 0%{!?_without_mingw:1} -%endif - Version: 3.8.0 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch @@ -42,6 +35,19 @@ Patch: gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch %bcond_with certificate_compression %bcond_without tests +%if 0%{?fedora} < 38 +%bcond_without srp +%else +%bcond_with srp +%endif + +%if 0%{?fedora} +%bcond_without mingw +%else +%bcond_with mingw +%endif + + Summary: A TLS protocol implementation Name: gnutls # The libraries are LGPLv2.1+, utilities are GPLv3+ @@ -243,7 +249,7 @@ pushd native_build %else --disable-gost \ %endif -%if %{with_srp} +%if %{with srp} --enable-srp-authentication \ %endif %ifarch %{ix86} @@ -284,11 +290,11 @@ pushd native_build %make_build popd -%if %{with_mingw} +%if %{with mingw} # MinGW does not support CCASFLAGS export CCASFLAGS="" %mingw_configure \ -%if %{with_srp} +%if %{with srp} --enable-srp-authentication \ %endif --enable-sha1-support \ @@ -339,7 +345,7 @@ ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac" %find_lang gnutls popd -%if %{with_mingw} +%if %{with mingw} %mingw_make_install # Remove .la files @@ -404,7 +410,7 @@ popd %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool -%if %{with_srp} +%if %{with srp} %{_bindir}/srptool %endif %if %{with dane} @@ -419,7 +425,7 @@ popd %{_libdir}/libgnutls-dane.so.* %endif -%if %{with_mingw} +%if %{with mingw} %files -n mingw32-%{name} %license LICENSE doc/COPYING doc/COPYING.LESSER %{mingw32_bindir}/certtool.exe @@ -430,7 +436,7 @@ popd %{mingw32_bindir}/ocsptool.exe %{mingw32_bindir}/p11tool.exe %{mingw32_bindir}/psktool.exe -%if %{with_srp} +%if %{with srp} %{mingw32_bindir}/srptool.exe %endif %{mingw32_libdir}/libgnutls.dll.a @@ -448,7 +454,7 @@ popd %{mingw64_bindir}/ocsptool.exe %{mingw64_bindir}/p11tool.exe %{mingw64_bindir}/psktool.exe -%if %{with_srp} +%if %{with srp} %{mingw64_bindir}/srptool.exe %endif %{mingw64_libdir}/libgnutls.dll.a From 6a9f55ef66b1e25be8336b4672a6e02b14e3c576 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 13 Apr 2023 20:09:49 +0900 Subject: [PATCH 090/152] Fix leftover of the previous %bcond change Signed-off-by: Daiki Ueno --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 2d40e58..eea2019 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -88,7 +88,7 @@ BuildRequires: unbound-devel unbound-libs %endif BuildRequires: make gtk-doc -%if %{with_mingw} +%if %{with mingw} BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ @@ -186,7 +186,7 @@ This package contains library that implements the DANE protocol for verifying TLS certificates through DNSSEC. %endif -%if %{with_mingw} +%if %{with mingw} %package -n mingw32-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library Requires: pkgconfig From 2f8c73c6318f41b97def2a4327281c77ca4e77f9 Mon Sep 17 00:00:00 2001 From: Peter Leitmann Date: Fri, 7 Apr 2023 18:01:46 +0200 Subject: [PATCH 091/152] Add TMT interop tests --- .fmf/version | 1 + ci.fmf | 1 + plans/fips-smoke.fmf | 4 ++++ plans/nss-2way.fmf | 10 ++++++++++ plans/openssl-2way.fmf | 10 ++++++++++ plans/short-interop-tests.fmf | 10 ++++++++++ tests/tests.yml | 13 ------------- 7 files changed, 36 insertions(+), 13 deletions(-) create mode 100644 .fmf/version create mode 100644 ci.fmf create mode 100644 plans/fips-smoke.fmf create mode 100644 plans/nss-2way.fmf create mode 100644 plans/openssl-2way.fmf create mode 100644 plans/short-interop-tests.fmf delete mode 100644 tests/tests.yml diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 --- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/plans/fips-smoke.fmf b/plans/fips-smoke.fmf new file mode 100644 index 0000000..4fda866 --- /dev/null +++ b/plans/fips-smoke.fmf @@ -0,0 +1,4 @@ +summary: Runs FIPS library integrity checks. +name: fips-smoke +execute: + script: if [[ $(GNUTLS_DEBUG_LEVEL=99 GNUTLS_FORCE_FIPS_MODE=1 certtool 2>&1 | grep "Error") ]]; then exit 1; else exit 0; fi; diff --git a/plans/nss-2way.fmf b/plans/nss-2way.fmf new file mode 100644 index 0000000..4c6cc65 --- /dev/null +++ b/plans/nss-2way.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed gnutls-openssl interop-2way tests +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-nss-2way + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-gnutls & tag: interop-nss & tag: interop-2way' +execute: + how: tmt diff --git a/plans/openssl-2way.fmf b/plans/openssl-2way.fmf new file mode 100644 index 0000000..6187882 --- /dev/null +++ b/plans/openssl-2way.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed gnutls-openssl interop-2way tests +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-openssl-2way + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-gnutls & tag: interop-openssl & tag: interop-2way' +execute: + how: tmt diff --git a/plans/short-interop-tests.fmf b/plans/short-interop-tests.fmf new file mode 100644 index 0000000..4db38e8 --- /dev/null +++ b/plans/short-interop-tests.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed gnutls interop tests - short tests which do not need to run in parallel +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-gnutls-short + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-gnutls & tag: -interop-slow' +execute: + how: tmt diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index b32f8a2..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- hosts: localhost - roles: - - role: standard-test-basic - tags: - - classic - tests: - - smoke-fips: - dir: . - run: if [[ $(GNUTLS_DEBUG_LEVEL=99 GNUTLS_FORCE_FIPS_MODE=1 certtool 2>&1 | grep "Error") ]]; then exit 1; else exit 0; fi; - required_packages: - - gnutls - - gnutls-utils From e4e388800c4ae82df825a7c94bb62420667361c0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 23:57:26 +0000 Subject: [PATCH 092/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering From 44afab5191567431b5af80ad26e063fcd2bf5df9 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 24 Aug 2023 10:19:38 +0900 Subject: [PATCH 093/152] Migrate License field to SPDX license identifier Signed-off-by: Daiki Ueno --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index eea2019..9c06080 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -51,7 +51,7 @@ Patch: gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch Summary: A TLS protocol implementation Name: gnutls # The libraries are LGPLv2.1+, utilities are GPLv3+ -License: GPLv3+ and LGPLv2+ +License: GPL-3.0-or-later AND LGPL-2.1-or-later BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel BuildRequires: readline-devel, libtasn1-devel >= 4.3 %if %{with certificate_compression} @@ -130,7 +130,7 @@ Requires: %{name}-dane%{?_isa} = %{version}-%{release} Requires: pkgconfig %package utils -License: GPLv3+ +License: GPL-3.0-or-later Summary: Command line tools for TLS protocol Requires: %{name}%{?_isa} = %{version}-%{release} %if %{with dane} From a0ef9addb14f8c149d7a9b069e865209faf69704 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 4 Aug 2023 14:19:56 +0200 Subject: [PATCH 094/152] [packit] 3.8.1 upstream release Upstream tag: 3.8.1 Upstream commit: 513570a5 --- .gitignore | 2 + README.packit | 2 +- ...rn-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch | 52 ------------------- gnutls.spec | 8 +-- sources | 4 +- 5 files changed, 7 insertions(+), 61 deletions(-) delete mode 100644 gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch diff --git a/.gitignore b/.gitignore index 690d3fe..fbacd72 100644 --- a/.gitignore +++ b/.gitignore @@ -144,3 +144,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.0.tar.xz /gnutls-3.8.0.tar.xz.sig /gnutls-release-keyring.gpg +/gnutls-3.8.1.tar.xz +/gnutls-3.8.1.tar.xz.sig diff --git a/README.packit b/README.packit index c83811d..7f24510 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.67.0. +The file was generated using packit 0.78.0. diff --git a/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch b/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch deleted file mode 100644 index 0390da3..0000000 --- a/gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 21c386860f1973344872eec4e4dd68644b1b48aa Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Fri, 10 Mar 2023 11:15:19 +0000 -Subject: [PATCH] ktls: Do not return GNUTLS_E_INTERRUPTED/AGAIN from short - writes - -If sendmsg returns a short write, we end up going around the loop with -data_to_send being smaller. However if sendmsg then returns -EAGAIN -or -EINTR then we return an error. But we have "forgotten" that we -already sent some data. - -This causes the caller to retry gnutls_record_send with the full -buffer (ie. with a buffer that has already been partially sent), -causing desynchronization. - -Instead check if we sent some data in this case and return the number -of bytes sent. - -Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1470 -Thanks: Dan Berrange for suggesting a fix -Signed-off-by: Richard W.M. Jones ---- - lib/system/ktls.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index fd57a9c30..bb59fab7c 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -604,9 +604,17 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, - if (ret == -1) { - switch (errno) { - case EINTR: -- return GNUTLS_E_INTERRUPTED; -+ if (data_to_send < data_size) { -+ return data_size - data_to_send; -+ } else { -+ return GNUTLS_E_INTERRUPTED; -+ } - case EAGAIN: -- return GNUTLS_E_AGAIN; -+ if (data_to_send < data_size) { -+ return data_size - data_to_send; -+ } else { -+ return GNUTLS_E_AGAIN; -+ } - default: - return GNUTLS_E_PUSH_ERROR; - } --- -2.39.2 - diff --git a/gnutls.spec b/gnutls.spec index 9c06080..2b20dac 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.0 +Version: 3.8.1 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch @@ -22,10 +22,6 @@ Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch -# Fix desychronisation with kTLS: -# https://gitlab.com/gnutls/gnutls/-/issues/1470 -Patch: gnutls-3.8.0-ktls-Do-not-return-GNUTLS_E_INTERRUPTED-AGAIN-from-s.patch - %bcond_without bootstrap %bcond_without dane %bcond_without fips @@ -69,7 +65,7 @@ BuildRequires: tpm2-tss-devel >= 3.0.3 %endif BuildRequires: libidn2-devel BuildRequires: libunistring-devel -BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++ +BuildRequires: net-tools, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 BuildRequires: git-core diff --git a/sources b/sources index f6b15ed..05f8aa7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629 -SHA512 (gnutls-3.8.0.tar.xz.sig) = 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654 +SHA512 (gnutls-3.8.1.tar.xz) = 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872 +SHA512 (gnutls-3.8.1.tar.xz.sig) = f03fde611927c83f6b57af695d5610ba3cefbb88a261cf5485c94b3fb32c7480a77c68a353a6a28185337195e30011d6b5578c53ea4180a656cf7b175156f7f1 SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d From a4ef9550905c986f24b036e421f315cae01dab84 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 29 Aug 2023 09:39:14 -0400 Subject: [PATCH 095/152] Don't build with SRP on RHEL Signed-off-by: Stephen Gallagher --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 2b20dac..daf3aff 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -31,7 +31,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %bcond_with certificate_compression %bcond_without tests -%if 0%{?fedora} < 38 +%if 0%{?fedora} && 0%{?fedora} < 38 %bcond_without srp %else %bcond_with srp From d7d09eb02328ca5998b7887880b66c78edd65dff Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 10 Nov 2023 05:36:50 +0900 Subject: [PATCH 096/152] Skip KTLS test if the host kernel is older than 5.11 The ktls.sh test currently only supports kernel 5.11+. This needs to be checked at run time, as the koji builder might be using a different version of kernel on the host than the one indicated by the kernel-devel package. Resolves: #2247135 Signed-off-by: Daiki Ueno --- gnutls.spec | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index daf3aff..c8abaa1 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -373,7 +373,21 @@ rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* %check %if %{with tests} pushd native_build -make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null + +xfail_tests= + +# The ktls.sh test currently only supports kernel 5.11+. This needs to +# be checked at run time, as the koji builder might be using a different +# version of kernel on the host than the one indicated by the +# kernel-devel package. + +case "$(uname -r)" in + 4.* | 5.[0-9].* | 5.10.* ) + xfail_tests="$xfail_tests ktls.sh" + ;; +esac + +make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests" popd %endif From 5e97cebf83dcc57d06ad5437a551144c89e5235a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 22 Nov 2023 14:41:15 +0900 Subject: [PATCH 097/152] Remove patches no longer needed in 3.8.2 Also use XFAIL_TESTS envvar to skip ktls_keyupdate.sh, instead of patching the source code. Signed-off-by: Daiki Ueno --- gnutls-3.7.8-ktls_disable_keyupdate_test.patch | 13 ------------- gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch | 12 ------------ gnutls.spec | 9 ++------- 3 files changed, 2 insertions(+), 32 deletions(-) delete mode 100644 gnutls-3.7.8-ktls_disable_keyupdate_test.patch delete mode 100644 gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch diff --git a/gnutls-3.7.8-ktls_disable_keyupdate_test.patch b/gnutls-3.7.8-ktls_disable_keyupdate_test.patch deleted file mode 100644 index cab7547..0000000 --- a/gnutls-3.7.8-ktls_disable_keyupdate_test.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 2872cb1aa..247dfd3d8 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -504,8 +504,6 @@ endif - if ENABLE_KTLS - indirect_tests += gnutls_ktls - dist_check_SCRIPTS += ktls.sh --indirect_tests += ktls_keyupdate --dist_check_SCRIPTS += ktls_keyupdate.sh - endif - - if !WINDOWS diff --git a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch deleted file mode 100644 index d986a36..0000000 --- a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index 919270778..778a2f94a 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -351,7 +351,6 @@ void doit(void) - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM"); -- run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM"); diff --git a/gnutls.spec b/gnutls.spec index c8abaa1..0caa38b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -16,12 +16,6 @@ Version: 3.8.1 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch -# Delete only after the kernel has been patched for thested systems -Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch - -# follow https://gitlab.com/gnutls/gnutls/-/issues/1443 -Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch - %bcond_without bootstrap %bcond_without dane %bcond_without fips @@ -374,7 +368,8 @@ rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* %if %{with tests} pushd native_build -xfail_tests= +# KeyUpdate is not yet supported in the kernel. +xfail_tests=ktls_keyupdate.sh # The ktls.sh test currently only supports kernel 5.11+. This needs to # be checked at run time, as the koji builder might be using a different From 7543c5d148900e0fbf73c1d47cf97a01cf596f76 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 22 Nov 2023 15:09:02 +0900 Subject: [PATCH 098/152] [packit] 3.8.2 upstream release Upstream tag: 3.8.2 Upstream commit: e840a07f --- .gitignore | 2 ++ README.packit | 2 +- ....7.8-ktls_skip_tls12_chachapoly_test.patch | 25 +++++++++++++++++++ gnutls.spec | 5 +++- sources | 4 +-- 5 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch diff --git a/.gitignore b/.gitignore index fbacd72..b67cb46 100644 --- a/.gitignore +++ b/.gitignore @@ -146,3 +146,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-release-keyring.gpg /gnutls-3.8.1.tar.xz /gnutls-3.8.1.tar.xz.sig +/gnutls-3.8.2.tar.xz +/gnutls-3.8.2.tar.xz.sig diff --git a/README.packit b/README.packit index 7f24510..5998f60 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.78.0. +The file was generated using packit 0.85.0. diff --git a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch new file mode 100644 index 0000000..c3a5ace --- /dev/null +++ b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch @@ -0,0 +1,25 @@ +From 18c555b4d2461ad202996398609552b9c4ecd43b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 22 Nov 2023 15:21:49 +0900 +Subject: [PATCH] gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch + +Signed-off-by: rpm-build +--- + tests/gnutls_ktls.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index ccbe566..049c888 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -347,7 +347,6 @@ void doit(void) + { + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); +- run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"); +-- +2.41.0 + diff --git a/gnutls.spec b/gnutls.spec index 0caa38b..14e0019 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,10 +12,13 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.1 +Version: 3.8.2 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch +# follow https://gitlab.com/gnutls/gnutls/-/issues/1443 +Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch + %bcond_without bootstrap %bcond_without dane %bcond_without fips diff --git a/sources b/sources index 05f8aa7..ea8384c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.8.1.tar.xz) = 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872 -SHA512 (gnutls-3.8.1.tar.xz.sig) = f03fde611927c83f6b57af695d5610ba3cefbb88a261cf5485c94b3fb32c7480a77c68a353a6a28185337195e30011d6b5578c53ea4180a656cf7b175156f7f1 +SHA512 (gnutls-3.8.2.tar.xz) = b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38 +SHA512 (gnutls-3.8.2.tar.xz.sig) = 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6 SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d From 23ac5676a41b18c5b516a4a8f7c82d9453e118ff Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 1 Dec 2023 17:44:03 +0900 Subject: [PATCH 099/152] Tentatively revert newly added Ed448 keys support in PKCS#11 To fix regression with Ed25519 reported in: https://gitlab.com/gnutls/gnutls/-/issues/1515 Signed-off-by: Daiki Ueno --- gnutls-3.8.2-revert-pkcs11-ed448.patch | 701 +++++++++++++++++++++++++ gnutls.spec | 3 + 2 files changed, 704 insertions(+) create mode 100644 gnutls-3.8.2-revert-pkcs11-ed448.patch diff --git a/gnutls-3.8.2-revert-pkcs11-ed448.patch b/gnutls-3.8.2-revert-pkcs11-ed448.patch new file mode 100644 index 0000000..33a9b09 --- /dev/null +++ b/gnutls-3.8.2-revert-pkcs11-ed448.patch @@ -0,0 +1,701 @@ +From 8b7065ed5c72d34d3bf3e0bb803d81fb3abdcb8b Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 1 Dec 2023 17:42:09 +0900 +Subject: [PATCH] Revert "pkcs11: support Ed448 keys" + +This reverts commit 8cd6e84edaad4a826e481ae045548587f98bd9f7. +--- + lib/pkcs11.c | 23 +--- + lib/pkcs11_int.h | 23 +++- + lib/pkcs11_privkey.c | 67 +--------- + lib/pkcs11_write.c | 9 +- + lib/pubkey.c | 1 - + tests/cert-common.h | 47 +------ + tests/pkcs11/pkcs11-eddsa-privkey-test.c | 160 +++++++++++------------ + tests/pkcs11/pkcs11-privkey-generate.c | 17 +-- + tests/tls13/ocsp-client.c | 4 +- + 9 files changed, 114 insertions(+), 237 deletions(-) + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index c46d1f7e61..a96605da60 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -1796,7 +1796,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, + pobj->pubkey[1].size = a[1].value_len; + + pobj->pubkey_size = 2; +- pobj->pk_algorithm = GNUTLS_PK_RSA; + } else { + gnutls_assert(); + ret = GNUTLS_E_PKCS11_ERROR; +@@ -1852,7 +1851,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, + pobj->pubkey[3].size = a[1].value_len; + + pobj->pubkey_size = 4; +- pobj->pk_algorithm = GNUTLS_PK_DSA; + } else { + gnutls_assert(); + ret = pkcs11_rv_to_err(rv); +@@ -1877,7 +1875,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, + pobj->pubkey[1].size = a[1].value_len; + + pobj->pubkey_size = 2; +- pobj->pk_algorithm = GNUTLS_PK_EC; + } else { + gnutls_assert(); + +@@ -1898,9 +1895,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, + + if ((rv = pkcs11_get_attribute_value(module, pks, ctx, a, 2)) == + CKR_OK) { +- gnutls_ecc_curve_t curve; +- const gnutls_ecc_curve_entry_st *ce; +- + pobj->pubkey[0].data = a[0].value; + pobj->pubkey[0].size = a[0].value_len; + +@@ -1908,26 +1902,13 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, + pobj->pubkey[1].size = a[1].value_len; + + pobj->pubkey_size = 2; +- +- ret = _gnutls_x509_read_ecc_params(pobj->pubkey[0].data, +- pobj->pubkey[0].size, +- &curve); +- if (ret < 0) { +- ret = GNUTLS_E_INVALID_REQUEST; +- goto cleanup; +- } +- ce = _gnutls_ecc_curve_get_params(curve); +- if (unlikely(ce == NULL)) { +- ret = GNUTLS_E_INVALID_REQUEST; +- goto cleanup; +- } +- pobj->pk_algorithm = ce->pk; + } else { + gnutls_assert(); + + ret = pkcs11_rv_to_err(rv); + goto cleanup; + } ++ + break; + #endif + default: +@@ -1964,6 +1945,8 @@ pkcs11_obj_import_pubkey(struct ck_function_list *module, + a[0].value_len = sizeof(key_type); + + if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == CKR_OK) { ++ pobj->pk_algorithm = key_type_to_pk(key_type); ++ + ret = pkcs11_read_pubkey(module, pks, ctx, key_type, pobj); + if (ret < 0) + return gnutls_assert_val(ret); +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h +index 891e98f962..9a3380f9cc 100644 +--- a/lib/pkcs11_int.h ++++ b/lib/pkcs11_int.h +@@ -247,7 +247,7 @@ static inline int pk_to_mech(gnutls_pk_algorithm_t pk) + else if (pk == GNUTLS_PK_RSA_PSS) + return CKM_RSA_PKCS_PSS; + #ifdef HAVE_PKCS11_EDDSA +- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) ++ else if (pk == GNUTLS_PK_EDDSA_ED25519) + return CKM_EDDSA; + #endif + else +@@ -263,13 +263,29 @@ static inline int pk_to_key_type(gnutls_pk_algorithm_t pk) + else if (pk == GNUTLS_PK_RSA_PSS || pk == GNUTLS_PK_RSA) + return CKK_RSA; + #ifdef HAVE_PKCS11_EDDSA +- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) ++ else if (pk == GNUTLS_PK_EDDSA_ED25519) + return CKK_EC_EDWARDS; + #endif + else + return -1; + } + ++static inline gnutls_pk_algorithm_t key_type_to_pk(ck_key_type_t m) ++{ ++ if (m == CKK_RSA) ++ return GNUTLS_PK_RSA; ++ else if (m == CKK_DSA) ++ return GNUTLS_PK_DSA; ++ else if (m == CKK_ECDSA) ++ return GNUTLS_PK_EC; ++#ifdef HAVE_PKCS11_EDDSA ++ else if (m == CKK_EC_EDWARDS) ++ return GNUTLS_PK_EDDSA_ED25519; ++#endif ++ else ++ return GNUTLS_PK_UNKNOWN; ++} ++ + static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) + { + if (pk == GNUTLS_PK_DSA) { +@@ -282,8 +298,7 @@ static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) + *type = CKK_RSA; + return CKM_RSA_PKCS_KEY_PAIR_GEN; + #ifdef HAVE_PKCS11_EDDSA +- } else if (pk == GNUTLS_PK_EDDSA_ED25519 || +- pk == GNUTLS_PK_EDDSA_ED448) { ++ } else if (pk == GNUTLS_PK_EDDSA_ED25519) { + *type = CKK_EC_EDWARDS; + return CKM_EC_EDWARDS_KEY_PAIR_GEN; + #endif +diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c +index b9f36c0a62..a30e44084c 100644 +--- a/lib/pkcs11_privkey.c ++++ b/lib/pkcs11_privkey.c +@@ -486,61 +486,6 @@ cleanup: + return ret; + } + +-static inline gnutls_pk_algorithm_t +-key_type_to_pk(struct ck_function_list *module, ck_session_handle_t pks, +- ck_object_handle_t ctx, ck_key_type_t m) +-{ +- switch (m) { +- case CKK_RSA: +- return GNUTLS_PK_RSA; +- case CKK_DSA: +- return GNUTLS_PK_DSA; +- case CKK_ECDSA: +- return GNUTLS_PK_EC; +-#ifdef HAVE_PKCS11_EDDSA +- case CKK_EC_EDWARDS: { +- struct ck_attribute a[1]; +- uint8_t *tmp1; +- size_t tmp1_size; +- gnutls_pk_algorithm_t pk = GNUTLS_PK_UNKNOWN; +- +- tmp1_size = MAX_PK_PARAM_SIZE; +- tmp1 = gnutls_calloc(1, tmp1_size); +- if (tmp1 == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- a[0].type = CKA_EC_PARAMS; +- a[0].value = tmp1; +- a[0].value_len = tmp1_size; +- +- if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == +- CKR_OK) { +- gnutls_ecc_curve_t curve; +- const gnutls_ecc_curve_entry_st *ce; +- int ret; +- +- ret = _gnutls_x509_read_ecc_params( +- a[0].value, a[0].value_len, &curve); +- if (ret < 0) { +- goto edwards_cleanup; +- } +- ce = _gnutls_ecc_curve_get_params(curve); +- if (unlikely(ce == NULL)) { +- goto edwards_cleanup; +- } +- pk = ce->pk; +- } +- +- edwards_cleanup: +- gnutls_free(tmp1); +- return pk; +- } +-#endif +- default: +- return GNUTLS_PK_UNKNOWN; +- } +-} +- + /** + * gnutls_pkcs11_privkey_import_url: + * @pkey: The private key +@@ -616,9 +561,7 @@ int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, + a[0].value_len = sizeof(key_type); + if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, + pkey->ref, a, 1) == CKR_OK) { +- pkey->pk_algorithm = key_type_to_pk(pkey->sinfo.module, +- pkey->sinfo.pks, pkey->ref, +- key_type); ++ pkey->pk_algorithm = key_type_to_pk(key_type); + } + + if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { +@@ -1245,7 +1188,6 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, + + break; + case GNUTLS_PK_EDDSA_ED25519: +- case GNUTLS_PK_EDDSA_ED448: + p[p_val].type = CKA_SIGN; + p[p_val].value = (void *)&tval; + p[p_val].value_len = sizeof(tval); +@@ -1256,11 +1198,8 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, + a[a_val].value_len = sizeof(tval); + a_val++; + +- ret = _gnutls_x509_write_ecc_params( +- pk == GNUTLS_PK_EDDSA_ED25519 ? +- GNUTLS_ECC_CURVE_ED25519 : +- GNUTLS_ECC_CURVE_ED448, +- &der); ++ ret = _gnutls_x509_write_ecc_params(GNUTLS_ECC_CURVE_ED25519, ++ &der); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c +index a3201ddeba..3090721db5 100644 +--- a/lib/pkcs11_write.c ++++ b/lib/pkcs11_write.c +@@ -355,8 +355,7 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, + (*a_val)++; + break; + } +- case GNUTLS_PK_EDDSA_ED25519: +- case GNUTLS_PK_EDDSA_ED448: { ++ case GNUTLS_PK_EDDSA_ED25519: { + gnutls_datum_t params, ecpoint; + + ret = _gnutls_x509_write_ecc_params(pubkey->params.curve, +@@ -936,8 +935,7 @@ int gnutls_pkcs11_copy_x509_privkey2(const char *token_url, + break; + } + #ifdef HAVE_PKCS11_EDDSA +- case GNUTLS_PK_EDDSA_ED25519: +- case GNUTLS_PK_EDDSA_ED448: { ++ case GNUTLS_PK_EDDSA_ED25519: { + ret = _gnutls_x509_write_ecc_params(key->params.curve, &p); + if (ret < 0) { + gnutls_assert(); +@@ -1003,8 +1001,7 @@ cleanup: + break; + } + case GNUTLS_PK_EC: +- case GNUTLS_PK_EDDSA_ED25519: +- case GNUTLS_PK_EDDSA_ED448: { ++ case GNUTLS_PK_EDDSA_ED25519: { + gnutls_free(p.data); + gnutls_free(x.data); + break; +diff --git a/lib/pubkey.c b/lib/pubkey.c +index 1139ad99fc..59ca194f1a 100644 +--- a/lib/pubkey.c ++++ b/lib/pubkey.c +@@ -700,7 +700,6 @@ int gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key, gnutls_pkcs11_obj_t obj, + &obj->pubkey[1]); + break; + case GNUTLS_PK_EDDSA_ED25519: +- case GNUTLS_PK_EDDSA_ED448: + ret = gnutls_pubkey_import_ecc_eddsa(key, &obj->pubkey[0], + &obj->pubkey[1]); + break; +diff --git a/tests/cert-common.h b/tests/cert-common.h +index 57cf6c0c4f..33b3ee3b68 100644 +--- a/tests/cert-common.h ++++ b/tests/cert-common.h +@@ -36,8 +36,7 @@ + * IPv4 server (SAN: IPAddr: 127.0.0.1): server_ca3_ipaddr_cert, server_ca3_key + * IPv4 server (RSA-PSS, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss_cert, server_ca3_rsa_pss_key + * IPv4 server (RSA-PSS key, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss2_cert, server_ca3_rsa_pss2_key +- * IPv4 server (Ed25519, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key +- * IPv4 server (Ed448, SAN: localhost IPAddr: 127.0.0.1): server_ca3_ed448_cert, server_ca3_ed448_key ++ * IPv4 server (EdDSA, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key + * IPv4 server (GOST R 34.10-2001, SAN: localhost): server_ca3_gost01_cert, server_ca3_gost01_key + * IPv4 server (GOST R 34.10-2012-256, SAN: localhost): server_ca3_gost12-256_cert, server_ca3_gost12-256_key + * IPv4 server (GOST R 34.10-2012-512, SAN: localhost): server_ca3_gost12-512_cert, server_ca3_gost12-512_key +@@ -350,7 +349,7 @@ static unsigned char ca2_cert_pem[] = + + const gnutls_datum_t ca2_cert = { ca2_cert_pem, sizeof(ca2_cert_pem) - 1 }; + +-static unsigned char cli_cert_pem[] = ++static unsigned char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" +@@ -365,9 +364,9 @@ static unsigned char cli_cert_pem[] = + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" + "-----END CERTIFICATE-----\n"; +-const gnutls_datum_t cli_cert = { cli_cert_pem, sizeof(cli_cert_pem) - 1 }; ++const gnutls_datum_t cli_cert = { cert_pem, sizeof(cert_pem) - 1 }; + +-static unsigned char cli_key_pem[] = ++static unsigned char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" +@@ -383,7 +382,7 @@ static unsigned char cli_key_pem[] = + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +-const gnutls_datum_t cli_key = { cli_key_pem, sizeof(cli_key_pem) - 1 }; ++const gnutls_datum_t cli_key = { key_pem, sizeof(key_pem) - 1 }; + + static char dsa_key_pem[] = + "-----BEGIN DSA PRIVATE KEY-----\n" +@@ -1082,42 +1081,6 @@ const gnutls_datum_t server_ca3_eddsa_cert = { + sizeof(server_ca3_eddsa_cert_pem) - 1 + }; + +-/* server Ed448 key */ +-static char server_ca3_ed448_key_pem[] = +- "-----BEGIN PRIVATE KEY-----\n" +- "MEcCAQAwBQYDK2VxBDsEOXPoCtsxxy7itrHfeuQ2bG7oh3uerkBwhabkeSsNFYoS\n" +- "QYy6KKYld8lnhlYQQmMo6lx28x9GmpTiag==\n" +- "-----END PRIVATE KEY-----\n"; +- +-const gnutls_datum_t server_ca3_ed448_key = { +- (unsigned char *)server_ca3_ed448_key_pem, +- sizeof(server_ca3_ed448_key_pem) - 1 +-}; +- +-static char server_ca3_ed448_cert_pem[] = +- "-----BEGIN CERTIFICATE-----\n" +- "MIICqzCCAROgAwIBAgIUAvQ9bcei1eNZ9viV1kP7MKODp9YwDQYJKoZIhvcNAQEL\n" +- "BQAwDzENMAsGA1UEAxMEQ0EtMzAgFw0yMzA5MjgwNjU1NThaGA85OTk5MTIzMTIz\n" +- "NTk1OVowDTELMAkGA1UEBhMCR1IwQzAFBgMrZXEDOgAYxZxGeKtoWUL20zvrFClm\n" +- "irhECIIdccq6x0uZccYHfmRVkFoUI7iOFj6Mlsp5vg24XZ2tGF5MBACjYDBeMAwG\n" +- "A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTYq6RhA2qMWmYM\n" +- "UAEx3AlNSnhWHDAfBgNVHSMEGDAWgBT5qIYZY7akFBNgdg8BmjU27/G0rzANBgkq\n" +- "hkiG9w0BAQsFAAOCAYEAhEd0coRahGvMx8gLS8biuaqh50+9RJIjMpf+/0IQJ4DV\n" +- "FHT5E70YyaQ0YOsvyxGa04d+KyhdVLppD1pDztLGXYZWxzmowopwpgnpPNT25M+0\n" +- "aQOvCZZvRlqmwgUiRXdhSxqPsUj/73uUBPIjFknrxajoox7sOLris9ujmidqgBGa\n" +- "H1FVbQQQgDOBCKcKXTAllVKzS/ZLwlRHibbm+4UDxGk1tJv1dbnQhJk0FYSQZn3h\n" +- "ZVmSSfP4ZB+U+lsCshypBJ9qVZEqMM2b4m1wv/VAOuw0lGA2SiPub5q91hFYRdeL\n" +- "9FB78/WlrSCTbGeMzzDPXBf/Y2KvFAv3o7K0tsMg1vBsDJBARHEzo4GMRsYDZzvI\n" +- "JXb5tSmJOi/PBfup8GPiG0WbZV9nuvW8V/zmfaP3s9YBfYOtL/+nZch9VdSee2xp\n" +- "T8arukB/s2jLaXQUduD3hoFvFNgCvWJwAWQWNNyHN3ivArqNQpfl2Gtftmb6xCdW\n" +- "Xwt1/q2XKqqLpnF1N2wU\n" +- "-----END CERTIFICATE-----\n"; +- +-const gnutls_datum_t server_ca3_ed448_cert = { +- (unsigned char *)server_ca3_ed448_cert_pem, +- sizeof(server_ca3_ed448_cert_pem) - 1 +-}; +- + static char server_ca3_gost01_key_pem[] = + "-----BEGIN PRIVATE KEY-----\n" + "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" +diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c +index 1b7732e884..d3cd9a97c7 100644 +--- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c ++++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c +@@ -64,8 +64,8 @@ static int pin_func(void *userdata, int attempt, const char *url, + return -1; + } + +-#define myfail(fmt, ...) \ +- fail("%s (iter %zu): " fmt, gnutls_sign_get_name(sigalgo), i, \ ++#define myfail(fmt, ...) \ ++ fail("%s (iter %d): " fmt, gnutls_sign_get_name(sigalgo), i, \ + ##__VA_ARGS__) + + static unsigned verify_eddsa_presence(void) +@@ -85,10 +85,11 @@ static unsigned verify_eddsa_presence(void) + return 0; + } + +-static void test(const char *name, const gnutls_datum_t *cert_pem, +- const gnutls_datum_t *key_pem, gnutls_sign_algorithm_t sigalgo) ++void doit(void) + { ++ char buf[128]; + int ret; ++ const char *lib, *bin; + gnutls_x509_crt_t crt; + gnutls_x509_privkey_t key; + gnutls_datum_t tmp, sig; +@@ -97,16 +98,51 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + gnutls_pubkey_t pubkey2; + gnutls_pubkey_t pubkey3; + gnutls_pubkey_t pubkey4; +- char buf[256]; +- size_t i; ++ unsigned i, sigalgo; ++ ++ bin = softhsm_bin(); ++ ++ lib = softhsm_lib(); ++ ++ ret = global_init(); ++ if (ret != 0) { ++ fail("%d: %s\n", ret, gnutls_strerror(ret)); ++ } ++ ++ if (gnutls_fips140_mode_enabled()) { ++ gnutls_global_deinit(); ++ return; ++ } ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), ++ "%s --init-token --slot 0 --label test --so-pin " PIN ++ " --pin " PIN, ++ bin); ++ system(buf); ++ ++ ret = gnutls_pkcs11_add_provider(lib, NULL); ++ if (ret < 0) { ++ fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); ++ } + +- success("%s\n", name); ++ if (verify_eddsa_presence() == 0) { ++ fprintf(stderr, ++ "Skipping test as no EDDSA mech is supported\n"); ++ exit(77); ++ } + + ret = gnutls_x509_crt_init(&crt); + if (ret < 0) + fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); + +- ret = gnutls_x509_crt_import(crt, cert_pem, GNUTLS_X509_FMT_PEM); ++ ret = gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert, ++ GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); + +@@ -122,12 +158,25 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret)); + } + +- ret = gnutls_x509_privkey_import(key, key_pem, GNUTLS_X509_FMT_PEM); ++ ret = gnutls_x509_privkey_import(key, &server_ca3_eddsa_key, ++ GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret)); + } + +- ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, name, ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ } ++ ++ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, ++ GNUTLS_PIN_USER); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", + GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | + GNUTLS_PKCS11_OBJ_FLAG_LOGIN); + if (ret < 0) { +@@ -135,7 +184,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + } + + ret = gnutls_pkcs11_copy_x509_privkey( +- SOFTHSM_URL, key, name, ++ SOFTHSM_URL, key, "cert", + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | + GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | +@@ -150,7 +199,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + assert(gnutls_pubkey_import_x509(pubkey, crt, 0) == 0); + + ret = gnutls_pkcs11_copy_pubkey( +- SOFTHSM_URL, pubkey, name, NULL, ++ SOFTHSM_URL, pubkey, "cert", NULL, + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 0); + if (ret < 0) { + fail("gnutls_pkcs11_copy_pubkey: %s\n", gnutls_strerror(ret)); +@@ -161,13 +210,11 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + gnutls_pubkey_deinit(pubkey); + gnutls_pkcs11_set_pin_function(NULL, NULL); + +- assert(snprintf(buf, sizeof(buf), +- "%s;object=%s;object-type=private?pin-value=" PIN, +- SOFTHSM_URL, name) < (int)sizeof(buf)); +- + assert(gnutls_privkey_init(&pkey) == 0); + +- ret = gnutls_privkey_import_pkcs11_url(pkey, buf); ++ ret = gnutls_privkey_import_pkcs11_url( ++ pkey, ++ SOFTHSM_URL ";object=cert;object-type=private;pin-value=" PIN); + if (ret < 0) { + fail("error in gnutls_privkey_import_pkcs11_url: %s\n", + gnutls_strerror(ret)); +@@ -176,7 +223,10 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + /* Try to read the public key with public key URI */ + assert(gnutls_pubkey_init(&pubkey3) == 0); + +- ret = gnutls_pubkey_import_pkcs11_url(pubkey3, buf, 0); ++ ret = gnutls_pubkey_import_pkcs11_url( ++ pubkey3, ++ SOFTHSM_URL ";object=cert;object-type=public;pin-value=" PIN, ++ 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", + gnutls_strerror(ret)); +@@ -185,7 +235,9 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + /* Try to read the public key with certificate URI */ + assert(gnutls_pubkey_init(&pubkey4) == 0); + +- ret = gnutls_pubkey_import_pkcs11_url(pubkey4, buf, 0); ++ ret = gnutls_pubkey_import_pkcs11_url( ++ pubkey4, ++ SOFTHSM_URL ";object=cert;object-type=cert;pin-value=" PIN, 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", + gnutls_strerror(ret)); +@@ -195,9 +247,12 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); + + assert(gnutls_pubkey_init(&pubkey2) == 0); +- assert(gnutls_pubkey_import_x509_raw(pubkey2, cert_pem, ++ assert(gnutls_pubkey_import_x509_raw(pubkey2, &server_ca3_eddsa_cert, + GNUTLS_X509_FMT_PEM, 0) == 0); + ++ /* this is the algorithm supported by the certificate */ ++ sigalgo = GNUTLS_SIGN_EDDSA_ED25519; ++ + for (i = 0; i < 20; i++) { + /* check whether privkey and pubkey are operational + * by signing and verifying */ +@@ -229,71 +284,6 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, + gnutls_pubkey_deinit(pubkey2); + gnutls_pubkey_deinit(pubkey); + gnutls_privkey_deinit(pkey); +-} +- +-void doit(void) +-{ +- char buf[256]; +- int ret; +- const char *lib, *bin; +- +- bin = softhsm_bin(); +- +- lib = softhsm_lib(); +- +- ret = global_init(); +- if (ret != 0) { +- fail("%d: %s\n", ret, gnutls_strerror(ret)); +- } +- +- if (gnutls_fips140_mode_enabled()) { +- gnutls_global_deinit(); +- return; +- } +- +- gnutls_pkcs11_set_pin_function(pin_func, NULL); +- gnutls_global_set_log_function(tls_log_func); +- if (debug) +- gnutls_global_set_log_level(4711); +- +- set_softhsm_conf(CONFIG); +- assert(snprintf(buf, sizeof(buf), +- "%s --init-token --slot 0 --label test --so-pin " PIN +- " --pin " PIN, +- bin) < (int)sizeof(buf)); +- system(buf); +- +- ret = gnutls_pkcs11_add_provider(lib, NULL); +- if (ret < 0) { +- fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); +- } +- +- if (verify_eddsa_presence() == 0) { +- fprintf(stderr, +- "Skipping test as no EDDSA mech is supported\n"); +- exit(77); +- } +- +- /* initialize softhsm token */ +- ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); +- if (ret < 0) { +- fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); +- } +- +- ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, +- GNUTLS_PIN_USER); +- if (ret < 0) { +- fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); +- } +- +- test("ed25519", &server_ca3_eddsa_cert, &server_ca3_eddsa_key, +- GNUTLS_SIGN_EDDSA_ED25519); +- +- /* test clears PIN function to check "?pin-value" works */ +- gnutls_pkcs11_set_pin_function(pin_func, NULL); +- +- test("ed448", &server_ca3_ed448_cert, &server_ca3_ed448_key, +- GNUTLS_SIGN_EDDSA_ED448); + + gnutls_global_deinit(); + +diff --git a/tests/pkcs11/pkcs11-privkey-generate.c b/tests/pkcs11/pkcs11-privkey-generate.c +index 7de0c35426..bd54fad8d2 100644 +--- a/tests/pkcs11/pkcs11-privkey-generate.c ++++ b/tests/pkcs11/pkcs11-privkey-generate.c +@@ -98,7 +98,8 @@ static void generate_keypair(gnutls_pk_algorithm_t algo, size_t bits, + fail("%d: %s\n", ret, gnutls_strerror(ret)); + } + +- success("generated %s key (%s)\n", gnutls_pk_get_name(algo), ++ success("generated %s key (%s)\n", ++ gnutls_pk_get_name(algo), + sensitive ? "sensitive" : "non sensitive"); + + assert(gnutls_pkcs11_obj_init(&obj) >= 0); +@@ -130,9 +131,6 @@ void doit(void) + char buf[128]; + int ret; + const char *lib, *bin; +-#ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN +- CK_MECHANISM_INFO minfo; +-#endif + + if (gnutls_fips140_mode_enabled()) + exit(77); +@@ -176,20 +174,13 @@ void doit(void) + generate_keypair(GNUTLS_PK_RSA, 2048, "rsa-non-sensitive", false); + + #ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN +- ret = gnutls_pkcs11_token_check_mechanism("pkcs11:token=test", +- CKM_EC_EDWARDS_KEY_PAIR_GEN, +- &minfo, sizeof(minfo), 0); ++ ret = gnutls_pkcs11_token_check_mechanism( ++ "pkcs11:token=test", CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0, 0); + if (ret != 0) { + generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, + "ed25519-sensitive", true); + generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, + "ed25519-non-sensitive", false); +- if (minfo.ulMaxKeySize >= 456) { +- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, +- "ed448-sensitive", true); +- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, +- "ed448-non-sensitive", false); +- } + } + #endif + +diff --git a/tests/tls13/ocsp-client.c b/tests/tls13/ocsp-client.c +index c7e7e2e410..1064a17752 100644 +--- a/tests/tls13/ocsp-client.c ++++ b/tests/tls13/ocsp-client.c +@@ -169,8 +169,8 @@ void doit(void) + fp = fopen(certfile3, "wb"); + if (fp == NULL) + fail("error in fopen\n"); +- assert(fwrite(cli_cert_pem, 1, strlen((char *)cli_cert_pem), fp) > 0); +- assert(fwrite(cli_key_pem, 1, strlen((char *)cli_key_pem), fp) > 0); ++ assert(fwrite(cert_pem, 1, strlen((char *)cert_pem), fp) > 0); ++ assert(fwrite(key_pem, 1, strlen((char *)key_pem), fp) > 0); + fclose(fp); + + ret = gnutls_certificate_set_x509_key_file2( +-- +2.43.0 + diff --git a/gnutls.spec b/gnutls.spec index 14e0019..abfff02 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,6 +19,9 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +# tentatively reverted for https://gitlab.com/gnutls/gnutls/-/issues/1515 +Patch: gnutls-3.8.2-revert-pkcs11-ed448.patch + %bcond_without bootstrap %bcond_without dane %bcond_without fips From be817c2d2d9b92b26f3c39911dd34538b33e5f8c Mon Sep 17 00:00:00 2001 From: Simon de Vlieger Date: Mon, 11 Dec 2023 16:04:37 +0100 Subject: [PATCH 100/152] Bump Nettle dependency. GnuTLS depends on symbols from a newer version of Nettle (3.9). Signed-off-by: Simon de Vlieger --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index abfff02..f8c6040 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -56,7 +56,7 @@ BuildRequires: zlib-devel, brotli-devel, libzstd-devel %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif -BuildRequires: nettle-devel >= 3.5.1 +BuildRequires: nettle-devel >= 3.9.1 %if %{with tpm12} BuildRequires: trousers-devel >= 0.3.11.2 %endif @@ -74,7 +74,7 @@ BuildRequires: p11-kit-trust, ca-certificates Requires: crypto-policies Requires: p11-kit-trust Requires: libtasn1 >= 4.3 -Requires: nettle >= 3.4.1 +Requires: nettle >= 3.9.1 %if %{with tpm12} Recommends: trousers >= 0.3.11.2 %endif From c42ee03de290243c72df22cbc7d9c92250b89c68 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 23:15:46 +0000 Subject: [PATCH 101/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From da7f0db0fe6073451777db77dabaac7ec8d900a1 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 17 Jan 2024 09:46:07 +0100 Subject: [PATCH 102/152] [packit] 3.8.3 upstream release Upstream tag: 3.8.3 Upstream commit: 2f04c14d --- .gitignore | 2 + README.packit | 2 +- gnutls-3.8.2-revert-pkcs11-ed448.patch | 701 ------------------------ gnutls-3.8.3-kernel_version_check.patch | 36 ++ gnutls.spec | 6 +- sources | 4 +- 6 files changed, 43 insertions(+), 708 deletions(-) delete mode 100644 gnutls-3.8.2-revert-pkcs11-ed448.patch create mode 100644 gnutls-3.8.3-kernel_version_check.patch diff --git a/.gitignore b/.gitignore index b67cb46..35f93b3 100644 --- a/.gitignore +++ b/.gitignore @@ -148,3 +148,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.1.tar.xz.sig /gnutls-3.8.2.tar.xz /gnutls-3.8.2.tar.xz.sig +/gnutls-3.8.3.tar.xz +/gnutls-3.8.3.tar.xz.sig diff --git a/README.packit b/README.packit index 5998f60..8c508a5 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.85.0. +The file was generated using packit 0.88.0. diff --git a/gnutls-3.8.2-revert-pkcs11-ed448.patch b/gnutls-3.8.2-revert-pkcs11-ed448.patch deleted file mode 100644 index 33a9b09..0000000 --- a/gnutls-3.8.2-revert-pkcs11-ed448.patch +++ /dev/null @@ -1,701 +0,0 @@ -From 8b7065ed5c72d34d3bf3e0bb803d81fb3abdcb8b Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 1 Dec 2023 17:42:09 +0900 -Subject: [PATCH] Revert "pkcs11: support Ed448 keys" - -This reverts commit 8cd6e84edaad4a826e481ae045548587f98bd9f7. ---- - lib/pkcs11.c | 23 +--- - lib/pkcs11_int.h | 23 +++- - lib/pkcs11_privkey.c | 67 +--------- - lib/pkcs11_write.c | 9 +- - lib/pubkey.c | 1 - - tests/cert-common.h | 47 +------ - tests/pkcs11/pkcs11-eddsa-privkey-test.c | 160 +++++++++++------------ - tests/pkcs11/pkcs11-privkey-generate.c | 17 +-- - tests/tls13/ocsp-client.c | 4 +- - 9 files changed, 114 insertions(+), 237 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index c46d1f7e61..a96605da60 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -1796,7 +1796,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- pobj->pk_algorithm = GNUTLS_PK_RSA; - } else { - gnutls_assert(); - ret = GNUTLS_E_PKCS11_ERROR; -@@ -1852,7 +1851,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[3].size = a[1].value_len; - - pobj->pubkey_size = 4; -- pobj->pk_algorithm = GNUTLS_PK_DSA; - } else { - gnutls_assert(); - ret = pkcs11_rv_to_err(rv); -@@ -1877,7 +1875,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- pobj->pk_algorithm = GNUTLS_PK_EC; - } else { - gnutls_assert(); - -@@ -1898,9 +1895,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - - if ((rv = pkcs11_get_attribute_value(module, pks, ctx, a, 2)) == - CKR_OK) { -- gnutls_ecc_curve_t curve; -- const gnutls_ecc_curve_entry_st *ce; -- - pobj->pubkey[0].data = a[0].value; - pobj->pubkey[0].size = a[0].value_len; - -@@ -1908,26 +1902,13 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- -- ret = _gnutls_x509_read_ecc_params(pobj->pubkey[0].data, -- pobj->pubkey[0].size, -- &curve); -- if (ret < 0) { -- ret = GNUTLS_E_INVALID_REQUEST; -- goto cleanup; -- } -- ce = _gnutls_ecc_curve_get_params(curve); -- if (unlikely(ce == NULL)) { -- ret = GNUTLS_E_INVALID_REQUEST; -- goto cleanup; -- } -- pobj->pk_algorithm = ce->pk; - } else { - gnutls_assert(); - - ret = pkcs11_rv_to_err(rv); - goto cleanup; - } -+ - break; - #endif - default: -@@ -1964,6 +1945,8 @@ pkcs11_obj_import_pubkey(struct ck_function_list *module, - a[0].value_len = sizeof(key_type); - - if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == CKR_OK) { -+ pobj->pk_algorithm = key_type_to_pk(key_type); -+ - ret = pkcs11_read_pubkey(module, pks, ctx, key_type, pobj); - if (ret < 0) - return gnutls_assert_val(ret); -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 891e98f962..9a3380f9cc 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -247,7 +247,7 @@ static inline int pk_to_mech(gnutls_pk_algorithm_t pk) - else if (pk == GNUTLS_PK_RSA_PSS) - return CKM_RSA_PKCS_PSS; - #ifdef HAVE_PKCS11_EDDSA -- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) -+ else if (pk == GNUTLS_PK_EDDSA_ED25519) - return CKM_EDDSA; - #endif - else -@@ -263,13 +263,29 @@ static inline int pk_to_key_type(gnutls_pk_algorithm_t pk) - else if (pk == GNUTLS_PK_RSA_PSS || pk == GNUTLS_PK_RSA) - return CKK_RSA; - #ifdef HAVE_PKCS11_EDDSA -- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) -+ else if (pk == GNUTLS_PK_EDDSA_ED25519) - return CKK_EC_EDWARDS; - #endif - else - return -1; - } - -+static inline gnutls_pk_algorithm_t key_type_to_pk(ck_key_type_t m) -+{ -+ if (m == CKK_RSA) -+ return GNUTLS_PK_RSA; -+ else if (m == CKK_DSA) -+ return GNUTLS_PK_DSA; -+ else if (m == CKK_ECDSA) -+ return GNUTLS_PK_EC; -+#ifdef HAVE_PKCS11_EDDSA -+ else if (m == CKK_EC_EDWARDS) -+ return GNUTLS_PK_EDDSA_ED25519; -+#endif -+ else -+ return GNUTLS_PK_UNKNOWN; -+} -+ - static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) - { - if (pk == GNUTLS_PK_DSA) { -@@ -282,8 +298,7 @@ static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) - *type = CKK_RSA; - return CKM_RSA_PKCS_KEY_PAIR_GEN; - #ifdef HAVE_PKCS11_EDDSA -- } else if (pk == GNUTLS_PK_EDDSA_ED25519 || -- pk == GNUTLS_PK_EDDSA_ED448) { -+ } else if (pk == GNUTLS_PK_EDDSA_ED25519) { - *type = CKK_EC_EDWARDS; - return CKM_EC_EDWARDS_KEY_PAIR_GEN; - #endif -diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c -index b9f36c0a62..a30e44084c 100644 ---- a/lib/pkcs11_privkey.c -+++ b/lib/pkcs11_privkey.c -@@ -486,61 +486,6 @@ cleanup: - return ret; - } - --static inline gnutls_pk_algorithm_t --key_type_to_pk(struct ck_function_list *module, ck_session_handle_t pks, -- ck_object_handle_t ctx, ck_key_type_t m) --{ -- switch (m) { -- case CKK_RSA: -- return GNUTLS_PK_RSA; -- case CKK_DSA: -- return GNUTLS_PK_DSA; -- case CKK_ECDSA: -- return GNUTLS_PK_EC; --#ifdef HAVE_PKCS11_EDDSA -- case CKK_EC_EDWARDS: { -- struct ck_attribute a[1]; -- uint8_t *tmp1; -- size_t tmp1_size; -- gnutls_pk_algorithm_t pk = GNUTLS_PK_UNKNOWN; -- -- tmp1_size = MAX_PK_PARAM_SIZE; -- tmp1 = gnutls_calloc(1, tmp1_size); -- if (tmp1 == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- -- a[0].type = CKA_EC_PARAMS; -- a[0].value = tmp1; -- a[0].value_len = tmp1_size; -- -- if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == -- CKR_OK) { -- gnutls_ecc_curve_t curve; -- const gnutls_ecc_curve_entry_st *ce; -- int ret; -- -- ret = _gnutls_x509_read_ecc_params( -- a[0].value, a[0].value_len, &curve); -- if (ret < 0) { -- goto edwards_cleanup; -- } -- ce = _gnutls_ecc_curve_get_params(curve); -- if (unlikely(ce == NULL)) { -- goto edwards_cleanup; -- } -- pk = ce->pk; -- } -- -- edwards_cleanup: -- gnutls_free(tmp1); -- return pk; -- } --#endif -- default: -- return GNUTLS_PK_UNKNOWN; -- } --} -- - /** - * gnutls_pkcs11_privkey_import_url: - * @pkey: The private key -@@ -616,9 +561,7 @@ int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, - a[0].value_len = sizeof(key_type); - if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, - pkey->ref, a, 1) == CKR_OK) { -- pkey->pk_algorithm = key_type_to_pk(pkey->sinfo.module, -- pkey->sinfo.pks, pkey->ref, -- key_type); -+ pkey->pk_algorithm = key_type_to_pk(key_type); - } - - if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { -@@ -1245,7 +1188,6 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, - - break; - case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: - p[p_val].type = CKA_SIGN; - p[p_val].value = (void *)&tval; - p[p_val].value_len = sizeof(tval); -@@ -1256,11 +1198,8 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, - a[a_val].value_len = sizeof(tval); - a_val++; - -- ret = _gnutls_x509_write_ecc_params( -- pk == GNUTLS_PK_EDDSA_ED25519 ? -- GNUTLS_ECC_CURVE_ED25519 : -- GNUTLS_ECC_CURVE_ED448, -- &der); -+ ret = _gnutls_x509_write_ecc_params(GNUTLS_ECC_CURVE_ED25519, -+ &der); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c -index a3201ddeba..3090721db5 100644 ---- a/lib/pkcs11_write.c -+++ b/lib/pkcs11_write.c -@@ -355,8 +355,7 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, - (*a_val)++; - break; - } -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - gnutls_datum_t params, ecpoint; - - ret = _gnutls_x509_write_ecc_params(pubkey->params.curve, -@@ -936,8 +935,7 @@ int gnutls_pkcs11_copy_x509_privkey2(const char *token_url, - break; - } - #ifdef HAVE_PKCS11_EDDSA -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - ret = _gnutls_x509_write_ecc_params(key->params.curve, &p); - if (ret < 0) { - gnutls_assert(); -@@ -1003,8 +1001,7 @@ cleanup: - break; - } - case GNUTLS_PK_EC: -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - gnutls_free(p.data); - gnutls_free(x.data); - break; -diff --git a/lib/pubkey.c b/lib/pubkey.c -index 1139ad99fc..59ca194f1a 100644 ---- a/lib/pubkey.c -+++ b/lib/pubkey.c -@@ -700,7 +700,6 @@ int gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key, gnutls_pkcs11_obj_t obj, - &obj->pubkey[1]); - break; - case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: - ret = gnutls_pubkey_import_ecc_eddsa(key, &obj->pubkey[0], - &obj->pubkey[1]); - break; -diff --git a/tests/cert-common.h b/tests/cert-common.h -index 57cf6c0c4f..33b3ee3b68 100644 ---- a/tests/cert-common.h -+++ b/tests/cert-common.h -@@ -36,8 +36,7 @@ - * IPv4 server (SAN: IPAddr: 127.0.0.1): server_ca3_ipaddr_cert, server_ca3_key - * IPv4 server (RSA-PSS, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss_cert, server_ca3_rsa_pss_key - * IPv4 server (RSA-PSS key, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss2_cert, server_ca3_rsa_pss2_key -- * IPv4 server (Ed25519, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key -- * IPv4 server (Ed448, SAN: localhost IPAddr: 127.0.0.1): server_ca3_ed448_cert, server_ca3_ed448_key -+ * IPv4 server (EdDSA, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key - * IPv4 server (GOST R 34.10-2001, SAN: localhost): server_ca3_gost01_cert, server_ca3_gost01_key - * IPv4 server (GOST R 34.10-2012-256, SAN: localhost): server_ca3_gost12-256_cert, server_ca3_gost12-256_key - * IPv4 server (GOST R 34.10-2012-512, SAN: localhost): server_ca3_gost12-512_cert, server_ca3_gost12-512_key -@@ -350,7 +349,7 @@ static unsigned char ca2_cert_pem[] = - - const gnutls_datum_t ca2_cert = { ca2_cert_pem, sizeof(ca2_cert_pem) - 1 }; - --static unsigned char cli_cert_pem[] = -+static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" -@@ -365,9 +364,9 @@ static unsigned char cli_cert_pem[] = - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" - "-----END CERTIFICATE-----\n"; --const gnutls_datum_t cli_cert = { cli_cert_pem, sizeof(cli_cert_pem) - 1 }; -+const gnutls_datum_t cli_cert = { cert_pem, sizeof(cert_pem) - 1 }; - --static unsigned char cli_key_pem[] = -+static unsigned char key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" -@@ -383,7 +382,7 @@ static unsigned char cli_key_pem[] = - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; --const gnutls_datum_t cli_key = { cli_key_pem, sizeof(cli_key_pem) - 1 }; -+const gnutls_datum_t cli_key = { key_pem, sizeof(key_pem) - 1 }; - - static char dsa_key_pem[] = - "-----BEGIN DSA PRIVATE KEY-----\n" -@@ -1082,42 +1081,6 @@ const gnutls_datum_t server_ca3_eddsa_cert = { - sizeof(server_ca3_eddsa_cert_pem) - 1 - }; - --/* server Ed448 key */ --static char server_ca3_ed448_key_pem[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEcCAQAwBQYDK2VxBDsEOXPoCtsxxy7itrHfeuQ2bG7oh3uerkBwhabkeSsNFYoS\n" -- "QYy6KKYld8lnhlYQQmMo6lx28x9GmpTiag==\n" -- "-----END PRIVATE KEY-----\n"; -- --const gnutls_datum_t server_ca3_ed448_key = { -- (unsigned char *)server_ca3_ed448_key_pem, -- sizeof(server_ca3_ed448_key_pem) - 1 --}; -- --static char server_ca3_ed448_cert_pem[] = -- "-----BEGIN CERTIFICATE-----\n" -- "MIICqzCCAROgAwIBAgIUAvQ9bcei1eNZ9viV1kP7MKODp9YwDQYJKoZIhvcNAQEL\n" -- "BQAwDzENMAsGA1UEAxMEQ0EtMzAgFw0yMzA5MjgwNjU1NThaGA85OTk5MTIzMTIz\n" -- "NTk1OVowDTELMAkGA1UEBhMCR1IwQzAFBgMrZXEDOgAYxZxGeKtoWUL20zvrFClm\n" -- "irhECIIdccq6x0uZccYHfmRVkFoUI7iOFj6Mlsp5vg24XZ2tGF5MBACjYDBeMAwG\n" -- "A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTYq6RhA2qMWmYM\n" -- "UAEx3AlNSnhWHDAfBgNVHSMEGDAWgBT5qIYZY7akFBNgdg8BmjU27/G0rzANBgkq\n" -- "hkiG9w0BAQsFAAOCAYEAhEd0coRahGvMx8gLS8biuaqh50+9RJIjMpf+/0IQJ4DV\n" -- "FHT5E70YyaQ0YOsvyxGa04d+KyhdVLppD1pDztLGXYZWxzmowopwpgnpPNT25M+0\n" -- "aQOvCZZvRlqmwgUiRXdhSxqPsUj/73uUBPIjFknrxajoox7sOLris9ujmidqgBGa\n" -- "H1FVbQQQgDOBCKcKXTAllVKzS/ZLwlRHibbm+4UDxGk1tJv1dbnQhJk0FYSQZn3h\n" -- "ZVmSSfP4ZB+U+lsCshypBJ9qVZEqMM2b4m1wv/VAOuw0lGA2SiPub5q91hFYRdeL\n" -- "9FB78/WlrSCTbGeMzzDPXBf/Y2KvFAv3o7K0tsMg1vBsDJBARHEzo4GMRsYDZzvI\n" -- "JXb5tSmJOi/PBfup8GPiG0WbZV9nuvW8V/zmfaP3s9YBfYOtL/+nZch9VdSee2xp\n" -- "T8arukB/s2jLaXQUduD3hoFvFNgCvWJwAWQWNNyHN3ivArqNQpfl2Gtftmb6xCdW\n" -- "Xwt1/q2XKqqLpnF1N2wU\n" -- "-----END CERTIFICATE-----\n"; -- --const gnutls_datum_t server_ca3_ed448_cert = { -- (unsigned char *)server_ca3_ed448_cert_pem, -- sizeof(server_ca3_ed448_cert_pem) - 1 --}; -- - static char server_ca3_gost01_key_pem[] = - "-----BEGIN PRIVATE KEY-----\n" - "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" -diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -index 1b7732e884..d3cd9a97c7 100644 ---- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c -+++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -@@ -64,8 +64,8 @@ static int pin_func(void *userdata, int attempt, const char *url, - return -1; - } - --#define myfail(fmt, ...) \ -- fail("%s (iter %zu): " fmt, gnutls_sign_get_name(sigalgo), i, \ -+#define myfail(fmt, ...) \ -+ fail("%s (iter %d): " fmt, gnutls_sign_get_name(sigalgo), i, \ - ##__VA_ARGS__) - - static unsigned verify_eddsa_presence(void) -@@ -85,10 +85,11 @@ static unsigned verify_eddsa_presence(void) - return 0; - } - --static void test(const char *name, const gnutls_datum_t *cert_pem, -- const gnutls_datum_t *key_pem, gnutls_sign_algorithm_t sigalgo) -+void doit(void) - { -+ char buf[128]; - int ret; -+ const char *lib, *bin; - gnutls_x509_crt_t crt; - gnutls_x509_privkey_t key; - gnutls_datum_t tmp, sig; -@@ -97,16 +98,51 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_t pubkey2; - gnutls_pubkey_t pubkey3; - gnutls_pubkey_t pubkey4; -- char buf[256]; -- size_t i; -+ unsigned i, sigalgo; -+ -+ bin = softhsm_bin(); -+ -+ lib = softhsm_lib(); -+ -+ ret = global_init(); -+ if (ret != 0) { -+ fail("%d: %s\n", ret, gnutls_strerror(ret)); -+ } -+ -+ if (gnutls_fips140_mode_enabled()) { -+ gnutls_global_deinit(); -+ return; -+ } -+ -+ gnutls_pkcs11_set_pin_function(pin_func, NULL); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ set_softhsm_conf(CONFIG); -+ snprintf(buf, sizeof(buf), -+ "%s --init-token --slot 0 --label test --so-pin " PIN -+ " --pin " PIN, -+ bin); -+ system(buf); -+ -+ ret = gnutls_pkcs11_add_provider(lib, NULL); -+ if (ret < 0) { -+ fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); -+ } - -- success("%s\n", name); -+ if (verify_eddsa_presence() == 0) { -+ fprintf(stderr, -+ "Skipping test as no EDDSA mech is supported\n"); -+ exit(77); -+ } - - ret = gnutls_x509_crt_init(&crt); - if (ret < 0) - fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); - -- ret = gnutls_x509_crt_import(crt, cert_pem, GNUTLS_X509_FMT_PEM); -+ ret = gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert, -+ GNUTLS_X509_FMT_PEM); - if (ret < 0) - fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); - -@@ -122,12 +158,25 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret)); - } - -- ret = gnutls_x509_privkey_import(key, key_pem, GNUTLS_X509_FMT_PEM); -+ ret = gnutls_x509_privkey_import(key, &server_ca3_eddsa_key, -+ GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret)); - } - -- ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, name, -+ /* initialize softhsm token */ -+ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, -+ GNUTLS_PIN_USER); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", - GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | - GNUTLS_PKCS11_OBJ_FLAG_LOGIN); - if (ret < 0) { -@@ -135,7 +184,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - } - - ret = gnutls_pkcs11_copy_x509_privkey( -- SOFTHSM_URL, key, name, -+ SOFTHSM_URL, key, "cert", - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, - GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | - GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | -@@ -150,7 +199,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - assert(gnutls_pubkey_import_x509(pubkey, crt, 0) == 0); - - ret = gnutls_pkcs11_copy_pubkey( -- SOFTHSM_URL, pubkey, name, NULL, -+ SOFTHSM_URL, pubkey, "cert", NULL, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 0); - if (ret < 0) { - fail("gnutls_pkcs11_copy_pubkey: %s\n", gnutls_strerror(ret)); -@@ -161,13 +210,11 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_deinit(pubkey); - gnutls_pkcs11_set_pin_function(NULL, NULL); - -- assert(snprintf(buf, sizeof(buf), -- "%s;object=%s;object-type=private?pin-value=" PIN, -- SOFTHSM_URL, name) < (int)sizeof(buf)); -- - assert(gnutls_privkey_init(&pkey) == 0); - -- ret = gnutls_privkey_import_pkcs11_url(pkey, buf); -+ ret = gnutls_privkey_import_pkcs11_url( -+ pkey, -+ SOFTHSM_URL ";object=cert;object-type=private;pin-value=" PIN); - if (ret < 0) { - fail("error in gnutls_privkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -176,7 +223,10 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - /* Try to read the public key with public key URI */ - assert(gnutls_pubkey_init(&pubkey3) == 0); - -- ret = gnutls_pubkey_import_pkcs11_url(pubkey3, buf, 0); -+ ret = gnutls_pubkey_import_pkcs11_url( -+ pubkey3, -+ SOFTHSM_URL ";object=cert;object-type=public;pin-value=" PIN, -+ 0); - if (ret < 0) { - fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -185,7 +235,9 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - /* Try to read the public key with certificate URI */ - assert(gnutls_pubkey_init(&pubkey4) == 0); - -- ret = gnutls_pubkey_import_pkcs11_url(pubkey4, buf, 0); -+ ret = gnutls_pubkey_import_pkcs11_url( -+ pubkey4, -+ SOFTHSM_URL ";object=cert;object-type=cert;pin-value=" PIN, 0); - if (ret < 0) { - fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -195,9 +247,12 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); - - assert(gnutls_pubkey_init(&pubkey2) == 0); -- assert(gnutls_pubkey_import_x509_raw(pubkey2, cert_pem, -+ assert(gnutls_pubkey_import_x509_raw(pubkey2, &server_ca3_eddsa_cert, - GNUTLS_X509_FMT_PEM, 0) == 0); - -+ /* this is the algorithm supported by the certificate */ -+ sigalgo = GNUTLS_SIGN_EDDSA_ED25519; -+ - for (i = 0; i < 20; i++) { - /* check whether privkey and pubkey are operational - * by signing and verifying */ -@@ -229,71 +284,6 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_deinit(pubkey2); - gnutls_pubkey_deinit(pubkey); - gnutls_privkey_deinit(pkey); --} -- --void doit(void) --{ -- char buf[256]; -- int ret; -- const char *lib, *bin; -- -- bin = softhsm_bin(); -- -- lib = softhsm_lib(); -- -- ret = global_init(); -- if (ret != 0) { -- fail("%d: %s\n", ret, gnutls_strerror(ret)); -- } -- -- if (gnutls_fips140_mode_enabled()) { -- gnutls_global_deinit(); -- return; -- } -- -- gnutls_pkcs11_set_pin_function(pin_func, NULL); -- gnutls_global_set_log_function(tls_log_func); -- if (debug) -- gnutls_global_set_log_level(4711); -- -- set_softhsm_conf(CONFIG); -- assert(snprintf(buf, sizeof(buf), -- "%s --init-token --slot 0 --label test --so-pin " PIN -- " --pin " PIN, -- bin) < (int)sizeof(buf)); -- system(buf); -- -- ret = gnutls_pkcs11_add_provider(lib, NULL); -- if (ret < 0) { -- fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); -- } -- -- if (verify_eddsa_presence() == 0) { -- fprintf(stderr, -- "Skipping test as no EDDSA mech is supported\n"); -- exit(77); -- } -- -- /* initialize softhsm token */ -- ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -- if (ret < 0) { -- fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -- } -- -- ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, -- GNUTLS_PIN_USER); -- if (ret < 0) { -- fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -- } -- -- test("ed25519", &server_ca3_eddsa_cert, &server_ca3_eddsa_key, -- GNUTLS_SIGN_EDDSA_ED25519); -- -- /* test clears PIN function to check "?pin-value" works */ -- gnutls_pkcs11_set_pin_function(pin_func, NULL); -- -- test("ed448", &server_ca3_ed448_cert, &server_ca3_ed448_key, -- GNUTLS_SIGN_EDDSA_ED448); - - gnutls_global_deinit(); - -diff --git a/tests/pkcs11/pkcs11-privkey-generate.c b/tests/pkcs11/pkcs11-privkey-generate.c -index 7de0c35426..bd54fad8d2 100644 ---- a/tests/pkcs11/pkcs11-privkey-generate.c -+++ b/tests/pkcs11/pkcs11-privkey-generate.c -@@ -98,7 +98,8 @@ static void generate_keypair(gnutls_pk_algorithm_t algo, size_t bits, - fail("%d: %s\n", ret, gnutls_strerror(ret)); - } - -- success("generated %s key (%s)\n", gnutls_pk_get_name(algo), -+ success("generated %s key (%s)\n", -+ gnutls_pk_get_name(algo), - sensitive ? "sensitive" : "non sensitive"); - - assert(gnutls_pkcs11_obj_init(&obj) >= 0); -@@ -130,9 +131,6 @@ void doit(void) - char buf[128]; - int ret; - const char *lib, *bin; --#ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN -- CK_MECHANISM_INFO minfo; --#endif - - if (gnutls_fips140_mode_enabled()) - exit(77); -@@ -176,20 +174,13 @@ void doit(void) - generate_keypair(GNUTLS_PK_RSA, 2048, "rsa-non-sensitive", false); - - #ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN -- ret = gnutls_pkcs11_token_check_mechanism("pkcs11:token=test", -- CKM_EC_EDWARDS_KEY_PAIR_GEN, -- &minfo, sizeof(minfo), 0); -+ ret = gnutls_pkcs11_token_check_mechanism( -+ "pkcs11:token=test", CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0, 0); - if (ret != 0) { - generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, - "ed25519-sensitive", true); - generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, - "ed25519-non-sensitive", false); -- if (minfo.ulMaxKeySize >= 456) { -- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, -- "ed448-sensitive", true); -- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, -- "ed448-non-sensitive", false); -- } - } - #endif - -diff --git a/tests/tls13/ocsp-client.c b/tests/tls13/ocsp-client.c -index c7e7e2e410..1064a17752 100644 ---- a/tests/tls13/ocsp-client.c -+++ b/tests/tls13/ocsp-client.c -@@ -169,8 +169,8 @@ void doit(void) - fp = fopen(certfile3, "wb"); - if (fp == NULL) - fail("error in fopen\n"); -- assert(fwrite(cli_cert_pem, 1, strlen((char *)cli_cert_pem), fp) > 0); -- assert(fwrite(cli_key_pem, 1, strlen((char *)cli_key_pem), fp) > 0); -+ assert(fwrite(cert_pem, 1, strlen((char *)cert_pem), fp) > 0); -+ assert(fwrite(key_pem, 1, strlen((char *)key_pem), fp) > 0); - fclose(fp); - - ret = gnutls_certificate_set_x509_key_file2( --- -2.43.0 - diff --git a/gnutls-3.8.3-kernel_version_check.patch b/gnutls-3.8.3-kernel_version_check.patch new file mode 100644 index 0000000..e4495ed --- /dev/null +++ b/gnutls-3.8.3-kernel_version_check.patch @@ -0,0 +1,36 @@ +From 945c2f10eeda441f32404d1328761e311915add0 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 23 Jan 2024 11:54:32 +0900 +Subject: [PATCH] ktls: fix kernel version checking using utsname + +Signed-off-by: Daiki Ueno +--- + lib/system/ktls.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 8efb913cda..432c70c5a2 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -482,7 +482,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, + return GNUTLS_E_INTERNAL_ERROR; + } + +- if (strcmp(utsname.sysname, "Linux") == 0) { ++ if (strcmp(utsname.sysname, "Linux") != 0) { + return GNUTLS_E_INTERNAL_ERROR; + } + +@@ -495,6 +495,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, + return GNUTLS_E_INTERNAL_ERROR; + } + ++ _gnutls_debug_log("Linux kernel version %lu.%lu has been detected\n", ++ major, minor); ++ + /* setsockopt(SOL_TLS, TLS_RX) support added in 5.10 */ + if (major < 5 || (major == 5 && minor < 10)) { + return GNUTLS_E_UNIMPLEMENTED_FEATURE; +-- +GitLab + diff --git a/gnutls.spec b/gnutls.spec index f8c6040..4508067 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,15 +12,13 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.2 +Version: 3.8.3 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch - -# tentatively reverted for https://gitlab.com/gnutls/gnutls/-/issues/1515 -Patch: gnutls-3.8.2-revert-pkcs11-ed448.patch +Patch: gnutls-3.8.3-kernel_version_check.patch %bcond_without bootstrap %bcond_without dane diff --git a/sources b/sources index ea8384c..f74b572 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.8.2.tar.xz) = b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38 -SHA512 (gnutls-3.8.2.tar.xz.sig) = 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6 +SHA512 (gnutls-3.8.3.tar.xz) = 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84 +SHA512 (gnutls-3.8.3.tar.xz.sig) = 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d From c5694f3e42480aa013664046cad30ba402d227e1 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 24 Jan 2024 10:10:45 +0100 Subject: [PATCH 103/152] Update keyring Signed-off-by: Zoltan Fridrich --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index f74b572..b87713f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (gnutls-3.8.3.tar.xz) = 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84 SHA512 (gnutls-3.8.3.tar.xz.sig) = 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff -SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d +SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a From 25900e352d8fe7f4bbe76b69ba0a5a2e110203f4 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 22 Feb 2024 18:15:37 +0100 Subject: [PATCH 104/152] Fix mingw build failure Signed-off-by: Zoltan Fridrich --- gnutls-3.8.3-fix-mingw-build.patch | 12 ++++++++++++ gnutls.spec | 1 + 2 files changed, 13 insertions(+) create mode 100644 gnutls-3.8.3-fix-mingw-build.patch diff --git a/gnutls-3.8.3-fix-mingw-build.patch b/gnutls-3.8.3-fix-mingw-build.patch new file mode 100644 index 0000000..3e3a149 --- /dev/null +++ b/gnutls-3.8.3-fix-mingw-build.patch @@ -0,0 +1,12 @@ +diff --color -ruNp a/lib/system/sockets.c b/lib/system/sockets.c +--- a/lib/system/sockets.c 2024-01-16 03:36:04.000000000 +0100 ++++ b/lib/system/sockets.c 2024-02-22 16:20:48.900495575 +0100 +@@ -208,7 +208,7 @@ int gnutls_system_recv_timeout(gnutls_tr + } while (ret == -1 && errno == EINTR); + #else + fd_set rfds; +- struct timeval _tv, *tv = NULL; ++ TIMEVAL _tv, *tv = NULL; + + FD_ZERO(&rfds); + FD_SET(fd, &rfds); diff --git a/gnutls.spec b/gnutls.spec index 4508067..27140bf 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,6 +19,7 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch Patch: gnutls-3.8.3-kernel_version_check.patch +Patch: gnutls-3.8.3-fix-mingw-build.patch %bcond_without bootstrap %bcond_without dane From 510f2c8050718e62b38e37953e12454ef6a39458 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 20 Mar 2024 11:42:07 +0100 Subject: [PATCH 105/152] [packit] 3.8.4 upstream release - Resolves rhbz#2270320 Upstream tag: 3.8.4 Upstream commit: 4a4cefef --- .gitignore | 2 ++ README.packit | 2 +- gnutls-3.8.3-fix-mingw-build.patch | 12 --------- gnutls-3.8.3-kernel_version_check.patch | 36 ------------------------- gnutls.spec | 4 +-- sources | 4 +-- 6 files changed, 6 insertions(+), 54 deletions(-) delete mode 100644 gnutls-3.8.3-fix-mingw-build.patch delete mode 100644 gnutls-3.8.3-kernel_version_check.patch diff --git a/.gitignore b/.gitignore index 35f93b3..8ce4710 100644 --- a/.gitignore +++ b/.gitignore @@ -150,3 +150,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.2.tar.xz.sig /gnutls-3.8.3.tar.xz /gnutls-3.8.3.tar.xz.sig +/gnutls-3.8.4.tar.xz +/gnutls-3.8.4.tar.xz.sig diff --git a/README.packit b/README.packit index 8c508a5..31341b6 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.88.0. +The file was generated using packit 0.93.0. diff --git a/gnutls-3.8.3-fix-mingw-build.patch b/gnutls-3.8.3-fix-mingw-build.patch deleted file mode 100644 index 3e3a149..0000000 --- a/gnutls-3.8.3-fix-mingw-build.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --color -ruNp a/lib/system/sockets.c b/lib/system/sockets.c ---- a/lib/system/sockets.c 2024-01-16 03:36:04.000000000 +0100 -+++ b/lib/system/sockets.c 2024-02-22 16:20:48.900495575 +0100 -@@ -208,7 +208,7 @@ int gnutls_system_recv_timeout(gnutls_tr - } while (ret == -1 && errno == EINTR); - #else - fd_set rfds; -- struct timeval _tv, *tv = NULL; -+ TIMEVAL _tv, *tv = NULL; - - FD_ZERO(&rfds); - FD_SET(fd, &rfds); diff --git a/gnutls-3.8.3-kernel_version_check.patch b/gnutls-3.8.3-kernel_version_check.patch deleted file mode 100644 index e4495ed..0000000 --- a/gnutls-3.8.3-kernel_version_check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 945c2f10eeda441f32404d1328761e311915add0 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 23 Jan 2024 11:54:32 +0900 -Subject: [PATCH] ktls: fix kernel version checking using utsname - -Signed-off-by: Daiki Ueno ---- - lib/system/ktls.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 8efb913cda..432c70c5a2 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -482,7 +482,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, - return GNUTLS_E_INTERNAL_ERROR; - } - -- if (strcmp(utsname.sysname, "Linux") == 0) { -+ if (strcmp(utsname.sysname, "Linux") != 0) { - return GNUTLS_E_INTERNAL_ERROR; - } - -@@ -495,6 +495,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, - return GNUTLS_E_INTERNAL_ERROR; - } - -+ _gnutls_debug_log("Linux kernel version %lu.%lu has been detected\n", -+ major, minor); -+ - /* setsockopt(SOL_TLS, TLS_RX) support added in 5.10 */ - if (major < 5 || (major == 5 && minor < 10)) { - return GNUTLS_E_UNIMPLEMENTED_FEATURE; --- -GitLab - diff --git a/gnutls.spec b/gnutls.spec index 27140bf..52bc74c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,14 +12,12 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.3 +Version: 3.8.4 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch -Patch: gnutls-3.8.3-kernel_version_check.patch -Patch: gnutls-3.8.3-fix-mingw-build.patch %bcond_without bootstrap %bcond_without dane diff --git a/sources b/sources index b87713f..d3294e0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.8.3.tar.xz) = 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84 -SHA512 (gnutls-3.8.3.tar.xz.sig) = 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff +SHA512 (gnutls-3.8.4.tar.xz) = af748610392b7eec8a6294d28d088f323450207cdcda1aa2138a0fd71023994c662f7aff72b2b3cd888e7b770750611981c2cde5f2ddc45f852fc0034cdebaff +SHA512 (gnutls-3.8.4.tar.xz.sig) = 3e8ec406a0c736d8b208dd7396294a4bc6e6f0ffaf41d4ae16bc671da575fe6029de548a25fb0e824b2d6fb75b3e47e845b88d9dfa2f88397a48b8e270766d37 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a From ab660a5e4e478eacad95ca2fb5b77b8b67a9ae1a Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 4 Apr 2024 14:17:25 +0200 Subject: [PATCH 106/152] [packit] 3.8.5 upstream release Upstream tag: 3.8.5 Upstream commit: 49f4ae21 --- .gitignore | 2 ++ README.packit | 2 +- gnutls.spec | 2 +- sources | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 8ce4710..c639f55 100644 --- a/.gitignore +++ b/.gitignore @@ -152,3 +152,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.3.tar.xz.sig /gnutls-3.8.4.tar.xz /gnutls-3.8.4.tar.xz.sig +/gnutls-3.8.5.tar.xz +/gnutls-3.8.5.tar.xz.sig diff --git a/README.packit b/README.packit index 31341b6..8480b61 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.93.0. +The file was generated using packit 0.94.0. diff --git a/gnutls.spec b/gnutls.spec index 52bc74c..fed17c5 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.4 +Version: 3.8.5 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch diff --git a/sources b/sources index d3294e0..3f14f2f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.8.4.tar.xz) = af748610392b7eec8a6294d28d088f323450207cdcda1aa2138a0fd71023994c662f7aff72b2b3cd888e7b770750611981c2cde5f2ddc45f852fc0034cdebaff -SHA512 (gnutls-3.8.4.tar.xz.sig) = 3e8ec406a0c736d8b208dd7396294a4bc6e6f0ffaf41d4ae16bc671da575fe6029de548a25fb0e824b2d6fb75b3e47e845b88d9dfa2f88397a48b8e270766d37 +SHA512 (gnutls-3.8.5.tar.xz) = 4bac1aa7ec1dce9b3445cc515cc287a5af032d34c207399aa9722e3dc53ed652f8a57cfbc9c5e40ccc4a2631245d89ab676e3ba2be9563f60ba855aaacb8e23c +SHA512 (gnutls-3.8.5.tar.xz.sig) = b0f7a8ec348765112cac75fd732e066adaa1595bb83024cfeff6633aba35277d8aceda145c733c3d95f1e0eb4d34fead2479abdb08d6041362094a235460fa67 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a From 42b10964b0b1e13774644d755af7b6d9bba49a2f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 19 Jul 2022 09:10:22 +0900 Subject: [PATCH 107/152] Add virtual package to pull in nettle/gmp dependencies for FIPS This adds a new subpackage `gnutls-fips` with strict version requirements to nettle and gmp under FIPS, as gnutls now calculates library integrity (HMAC) over those libraries. Signed-off-by: Daiki Ueno --- gnutls.spec | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index fed17c5..e5be06e 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -41,6 +41,13 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %endif +%define fips_requires() %{lua: +local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'"))) +local v = f:read("*all") +f:close() +print("Requires: "..rpm.expand("%1%{?_isa}").." = "..v.."\\n") +} + Summary: A TLS protocol implementation Name: gnutls # The libraries are LGPLv2.1+, utilities are GPLv3+ @@ -71,6 +78,7 @@ BuildRequires: p11-kit-trust, ca-certificates Requires: crypto-policies Requires: p11-kit-trust Requires: libtasn1 >= 4.3 +# always bump when a nettle release is packaged Requires: nettle >= 3.9.1 %if %{with tpm12} Recommends: trousers >= 0.3.11.2 @@ -136,6 +144,14 @@ Summary: A DANE protocol implementation for GnuTLS Requires: %{name}%{?_isa} = %{version}-%{release} %endif +%if %{with fips} +%package fips +Summary: Virtual package to install packages required to use %{name} under FIPS mode +Requires: %{name}%{?_isa} = %{version}-%{release} +%{fips_requires nettle} +%{fips_requires gmp} +%endif + %description GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language @@ -179,6 +195,17 @@ This package contains library that implements the DANE protocol for verifying TLS certificates through DNSSEC. %endif +%if %{with fips} +%description fips +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package does not contain any file, but installs required packages +to use GnuTLS under FIPS mode. +%endif + %if %{with mingw} %package -n mingw32-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library @@ -433,6 +460,10 @@ popd %{_libdir}/libgnutls-dane.so.* %endif +%if %{with fips} +%files fips +%endif + %if %{with mingw} %files -n mingw32-%{name} %license LICENSE doc/COPYING doc/COPYING.LESSER From bee7049a8a9a878031d88f7cb21e8f9afd78f129 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 10 May 2024 09:59:00 +0900 Subject: [PATCH 108/152] Add bcond to statically link to GMP In CentOS Stream 9 and RHEL 9, we link to libgmp statically to ensure zeroization of internally allocated memory areas according to FIPS 140-3. This ports the ability to Fedora, in a way it is configured with a `--with bundled_gmp` build conditional. Signed-off-by: Daiki Ueno --- gnutls.spec | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index e5be06e..67479b8 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -40,6 +40,12 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %bcond_with mingw %endif +%if 0%{?rhel} >= 9 && %{with fips} +%bcond_without bundled_gmp +%else +%bcond_with bundled_gmp +%endif + %define fips_requires() %{lua: local f = assert(io.popen("rpm -q --queryformat '%{EVR}' --whatprovides "..rpm.expand("'%1%{?_isa}'"))) @@ -114,6 +120,12 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{ver Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig Source2: https://gnutls.org/gnutls-release-keyring.gpg +%if %{with bundled_gmp} +Source100: gmp-6.2.1.tar.xz +# Taken from the main gmp package +Source101: gmp-6.2.1-intel-cet.patch +%endif + # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -149,8 +161,10 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Summary: Virtual package to install packages required to use %{name} under FIPS mode Requires: %{name}%{?_isa} = %{version}-%{release} %{fips_requires nettle} +%if !%{with bundled_gmp} %{fips_requires gmp} %endif +%endif %description GnuTLS is a secure communications library implementing the SSL, TLS and DTLS @@ -235,9 +249,28 @@ for MinGW. %autosetup -p1 -S git +%if %{with bundled_gmp} +mkdir -p bundled_gmp +pushd bundled_gmp +tar --strip-components=1 -xf %{SOURCE100} +patch -p1 < %{SOURCE101} +popd +%endif + %build %define _lto_cflags %{nil} +%if %{with bundled_gmp} +pushd bundled_gmp +autoreconf -ifv +%configure --disable-cxx --disable-shared --enable-fat --with-pic +%make_build +popd + +export GMP_CFLAGS="-I$PWD/bundled_gmp" +export GMP_LIBS="$PWD/bundled_gmp/.libs/libgmp.a" +%endif + %if %{with bootstrap} autoreconf -fi %endif From 595be10e4d43066a4efe18030ec61540a238fdc9 Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Thu, 16 May 2024 13:18:11 +0200 Subject: [PATCH 109/152] Add gmp tarball to sources file, add gmp patch --- gmp-6.2.1-intel-cet.patch | 3515 +++++++++++++++++++++++++++++++++++++ sources | 1 + 2 files changed, 3516 insertions(+) create mode 100644 gmp-6.2.1-intel-cet.patch diff --git a/gmp-6.2.1-intel-cet.patch b/gmp-6.2.1-intel-cet.patch new file mode 100644 index 0000000..137b06c --- /dev/null +++ b/gmp-6.2.1-intel-cet.patch @@ -0,0 +1,3515 @@ +From 4faa667ce4e1a318db2c55ce83084cbe4924a892 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 18 Aug 2022 15:55:31 +0900 +Subject: [PATCH] gmp-intel-cet.patch + +--- + acinclude.m4 | 100 +++++++++++++++++++++++++ + configure.ac | 1 + + mpn/x86/aors_n.asm | 5 +- + mpn/x86/aorsmul_1.asm | 1 + + mpn/x86/atom/sse2/aorsmul_1.asm | 1 + + mpn/x86/atom/sse2/mul_basecase.asm | 1 + + mpn/x86/atom/sse2/sqr_basecase.asm | 1 + + mpn/x86/bdiv_dbm1c.asm | 1 + + mpn/x86/copyd.asm | 1 + + mpn/x86/copyi.asm | 1 + + mpn/x86/divrem_1.asm | 1 + + mpn/x86/divrem_2.asm | 1 + + mpn/x86/k6/aors_n.asm | 1 + + mpn/x86/k6/aorsmul_1.asm | 1 + + mpn/x86/k6/divrem_1.asm | 1 + + mpn/x86/k6/k62mmx/copyd.asm | 1 + + mpn/x86/k6/k62mmx/lshift.asm | 1 + + mpn/x86/k6/k62mmx/rshift.asm | 1 + + mpn/x86/k6/mmx/com.asm | 1 + + mpn/x86/k6/mmx/logops_n.asm | 1 + + mpn/x86/k6/mmx/lshift.asm | 1 + + mpn/x86/k6/mmx/popham.asm | 1 + + mpn/x86/k6/mmx/rshift.asm | 1 + + mpn/x86/k6/mod_34lsub1.asm | 1 + + mpn/x86/k6/mul_1.asm | 1 + + mpn/x86/k6/mul_basecase.asm | 1 + + mpn/x86/k6/pre_mod_1.asm | 1 + + mpn/x86/k6/sqr_basecase.asm | 1 + + mpn/x86/k7/aors_n.asm | 1 + + mpn/x86/k7/mmx/com.asm | 1 + + mpn/x86/k7/mmx/copyd.asm | 1 + + mpn/x86/k7/mmx/copyi.asm | 1 + + mpn/x86/k7/mmx/divrem_1.asm | 1 + + mpn/x86/k7/mmx/lshift.asm | 1 + + mpn/x86/k7/mmx/popham.asm | 1 + + mpn/x86/k7/mmx/rshift.asm | 1 + + mpn/x86/k7/mod_1_1.asm | 1 + + mpn/x86/k7/mod_1_4.asm | 1 + + mpn/x86/k7/mod_34lsub1.asm | 1 + + mpn/x86/k7/mul_basecase.asm | 1 + + mpn/x86/k7/sqr_basecase.asm | 1 + + mpn/x86/lshift.asm | 1 + + mpn/x86/mmx/sec_tabselect.asm | 1 + + mpn/x86/mod_34lsub1.asm | 1 + + mpn/x86/mul_1.asm | 1 + + mpn/x86/mul_basecase.asm | 1 + + mpn/x86/p6/aors_n.asm | 3 +- + mpn/x86/p6/aorsmul_1.asm | 3 +- + mpn/x86/p6/copyd.asm | 1 + + mpn/x86/p6/gcd_11.asm | 1 + + mpn/x86/p6/lshsub_n.asm | 3 +- + mpn/x86/p6/mmx/divrem_1.asm | 1 + + mpn/x86/p6/mod_34lsub1.asm | 1 + + mpn/x86/p6/mul_basecase.asm | 3 +- + mpn/x86/p6/sqr_basecase.asm | 3 +- + mpn/x86/pentium/aors_n.asm | 1 + + mpn/x86/pentium/aorsmul_1.asm | 1 + + mpn/x86/pentium/com.asm | 1 + + mpn/x86/pentium/copyd.asm | 1 + + mpn/x86/pentium/copyi.asm | 1 + + mpn/x86/pentium/logops_n.asm | 1 + + mpn/x86/pentium/lshift.asm | 1 + + mpn/x86/pentium/mmx/lshift.asm | 1 + + mpn/x86/pentium/mmx/mul_1.asm | 1 + + mpn/x86/pentium/mmx/rshift.asm | 1 + + mpn/x86/pentium/mod_34lsub1.asm | 1 + + mpn/x86/pentium/mul_1.asm | 1 + + mpn/x86/pentium/mul_2.asm | 1 + + mpn/x86/pentium/mul_basecase.asm | 1 + + mpn/x86/pentium/rshift.asm | 1 + + mpn/x86/pentium/sqr_basecase.asm | 1 + + mpn/x86/pentium4/copyd.asm | 1 + + mpn/x86/pentium4/copyi.asm | 1 + + mpn/x86/pentium4/mmx/popham.asm | 1 + + mpn/x86/pentium4/sse2/add_n.asm | 1 + + mpn/x86/pentium4/sse2/addlsh1_n.asm | 1 + + mpn/x86/pentium4/sse2/addmul_1.asm | 1 + + mpn/x86/pentium4/sse2/cnd_add_n.asm | 1 + + mpn/x86/pentium4/sse2/cnd_sub_n.asm | 1 + + mpn/x86/pentium4/sse2/divrem_1.asm | 1 + + mpn/x86/pentium4/sse2/mod_1_1.asm | 1 + + mpn/x86/pentium4/sse2/mod_1_4.asm | 1 + + mpn/x86/pentium4/sse2/mod_34lsub1.asm | 1 + + mpn/x86/pentium4/sse2/mul_1.asm | 1 + + mpn/x86/pentium4/sse2/mul_basecase.asm | 1 + + mpn/x86/pentium4/sse2/rsh1add_n.asm | 1 + + mpn/x86/pentium4/sse2/sqr_basecase.asm | 1 + + mpn/x86/pentium4/sse2/sub_n.asm | 1 + + mpn/x86/pentium4/sse2/submul_1.asm | 1 + + mpn/x86/rshift.asm | 1 + + mpn/x86/sec_tabselect.asm | 1 + + mpn/x86/sqr_basecase.asm | 1 + + mpn/x86/udiv.asm | 1 + + mpn/x86/umul.asm | 1 + + mpn/x86/x86-defs.m4 | 7 +- + mpn/x86_64/addaddmul_1msb0.asm | 1 + + mpn/x86_64/aorrlsh1_n.asm | 1 + + mpn/x86_64/aorrlshC_n.asm | 1 + + mpn/x86_64/aorrlsh_n.asm | 1 + + mpn/x86_64/aors_err1_n.asm | 1 + + mpn/x86_64/aors_err2_n.asm | 1 + + mpn/x86_64/aors_err3_n.asm | 1 + + mpn/x86_64/aors_n.asm | 1 + + mpn/x86_64/aorsmul_1.asm | 1 + + mpn/x86_64/atom/addmul_2.asm | 1 + + mpn/x86_64/atom/aorrlsh1_n.asm | 1 + + mpn/x86_64/atom/aorrlsh2_n.asm | 1 + + mpn/x86_64/atom/lshift.asm | 1 + + mpn/x86_64/atom/lshiftc.asm | 1 + + mpn/x86_64/atom/mul_2.asm | 1 + + mpn/x86_64/atom/rsh1aors_n.asm | 1 + + mpn/x86_64/atom/rshift.asm | 1 + + mpn/x86_64/atom/sublsh1_n.asm | 1 + + mpn/x86_64/bd1/addmul_2.asm | 1 + + mpn/x86_64/bd1/hamdist.asm | 1 + + mpn/x86_64/bd1/mul_2.asm | 1 + + mpn/x86_64/bd1/mul_basecase.asm | 1 + + mpn/x86_64/bd1/popcount.asm | 1 + + mpn/x86_64/bd2/gcd_11.asm | 1 + + mpn/x86_64/bd2/gcd_22.asm | 1 + + mpn/x86_64/bd4/gcd_11.asm | 1 + + mpn/x86_64/bdiv_dbm1c.asm | 1 + + mpn/x86_64/bdiv_q_1.asm | 1 + + mpn/x86_64/bt1/aors_n.asm | 1 + + mpn/x86_64/bt1/aorsmul_1.asm | 1 + + mpn/x86_64/bt1/copyd.asm | 1 + + mpn/x86_64/bt1/copyi.asm | 1 + + mpn/x86_64/bt1/gcd_11.asm | 1 + + mpn/x86_64/bt1/mul_1.asm | 1 + + mpn/x86_64/bt1/mul_basecase.asm | 1 + + mpn/x86_64/bt1/sqr_basecase.asm | 1 + + mpn/x86_64/cnd_aors_n.asm | 1 + + mpn/x86_64/com.asm | 1 + + mpn/x86_64/copyd.asm | 1 + + mpn/x86_64/copyi.asm | 1 + + mpn/x86_64/core2/aors_err1_n.asm | 1 + + mpn/x86_64/core2/aors_n.asm | 1 + + mpn/x86_64/core2/aorsmul_1.asm | 1 + + mpn/x86_64/core2/divrem_1.asm | 1 + + mpn/x86_64/core2/gcd_11.asm | 1 + + mpn/x86_64/core2/gcd_22.asm | 1 + + mpn/x86_64/core2/hamdist.asm | 1 + + mpn/x86_64/core2/logops_n.asm | 1 + + mpn/x86_64/core2/lshift.asm | 1 + + mpn/x86_64/core2/lshiftc.asm | 1 + + mpn/x86_64/core2/mul_basecase.asm | 5 ++ + mpn/x86_64/core2/mullo_basecase.asm | 1 + + mpn/x86_64/core2/popcount.asm | 1 + + mpn/x86_64/core2/rsh1aors_n.asm | 1 + + mpn/x86_64/core2/rshift.asm | 1 + + mpn/x86_64/core2/sqr_basecase.asm | 1 + + mpn/x86_64/core2/sublshC_n.asm | 1 + + mpn/x86_64/coreibwl/addmul_1.asm | 24 ++++-- + mpn/x86_64/coreibwl/mul_1.asm | 24 ++++-- + mpn/x86_64/coreibwl/mul_basecase.asm | 47 ++++++++---- + mpn/x86_64/coreibwl/mullo_basecase.asm | 1 + + mpn/x86_64/coreibwl/sqr_basecase.asm | 49 ++++++++---- + mpn/x86_64/coreihwl/addmul_2.asm | 1 + + mpn/x86_64/coreihwl/aors_n.asm | 1 + + mpn/x86_64/coreihwl/aorsmul_1.asm | 1 + + mpn/x86_64/coreihwl/gcd_22.asm | 1 + + mpn/x86_64/coreihwl/mul_2.asm | 1 + + mpn/x86_64/coreihwl/mul_basecase.asm | 1 + + mpn/x86_64/coreihwl/mullo_basecase.asm | 1 + + mpn/x86_64/coreihwl/redc_1.asm | 1 + + mpn/x86_64/coreihwl/sqr_basecase.asm | 1 + + mpn/x86_64/coreinhm/aorrlsh_n.asm | 1 + + mpn/x86_64/coreinhm/hamdist.asm | 1 + + mpn/x86_64/coreinhm/popcount.asm | 1 + + mpn/x86_64/coreisbr/addmul_2.asm | 1 + + mpn/x86_64/coreisbr/aorrlshC_n.asm | 1 + + mpn/x86_64/coreisbr/aorrlsh_n.asm | 1 + + mpn/x86_64/coreisbr/aors_n.asm | 1 + + mpn/x86_64/coreisbr/cnd_add_n.asm | 1 + + mpn/x86_64/coreisbr/cnd_sub_n.asm | 1 + + mpn/x86_64/coreisbr/mul_1.asm | 1 + + mpn/x86_64/coreisbr/mul_2.asm | 1 + + mpn/x86_64/coreisbr/mul_basecase.asm | 1 + + mpn/x86_64/coreisbr/mullo_basecase.asm | 1 + + mpn/x86_64/coreisbr/rsh1aors_n.asm | 1 + + mpn/x86_64/coreisbr/sqr_basecase.asm | 1 + + mpn/x86_64/div_qr_1n_pi1.asm | 1 + + mpn/x86_64/div_qr_2n_pi1.asm | 1 + + mpn/x86_64/div_qr_2u_pi1.asm | 1 + + mpn/x86_64/dive_1.asm | 1 + + mpn/x86_64/divrem_1.asm | 1 + + mpn/x86_64/divrem_2.asm | 1 + + mpn/x86_64/fastavx/copyd.asm | 1 + + mpn/x86_64/fastavx/copyi.asm | 1 + + mpn/x86_64/fastsse/com-palignr.asm | 1 + + mpn/x86_64/fastsse/com.asm | 1 + + mpn/x86_64/fastsse/copyd-palignr.asm | 1 + + mpn/x86_64/fastsse/copyd.asm | 1 + + mpn/x86_64/fastsse/copyi-palignr.asm | 1 + + mpn/x86_64/fastsse/copyi.asm | 1 + + mpn/x86_64/fastsse/lshift-movdqu2.asm | 1 + + mpn/x86_64/fastsse/lshift.asm | 1 + + mpn/x86_64/fastsse/lshiftc-movdqu2.asm | 1 + + mpn/x86_64/fastsse/lshiftc.asm | 1 + + mpn/x86_64/fastsse/rshift-movdqu2.asm | 1 + + mpn/x86_64/fastsse/sec_tabselect.asm | 1 + + mpn/x86_64/fat/fat_entry.asm | 1 + + mpn/x86_64/gcd_11.asm | 1 + + mpn/x86_64/gcd_22.asm | 1 + + mpn/x86_64/k10/gcd_22.asm | 1 + + mpn/x86_64/k10/hamdist.asm | 1 + + mpn/x86_64/k10/popcount.asm | 5 +- + mpn/x86_64/k8/addmul_2.asm | 1 + + mpn/x86_64/k8/aorrlsh_n.asm | 1 + + mpn/x86_64/k8/bdiv_q_1.asm | 1 + + mpn/x86_64/k8/div_qr_1n_pi1.asm | 1 + + mpn/x86_64/k8/mul_basecase.asm | 8 ++ + mpn/x86_64/k8/mullo_basecase.asm | 12 ++- + mpn/x86_64/k8/mulmid_basecase.asm | 9 +++ + mpn/x86_64/k8/redc_1.asm | 18 +++-- + mpn/x86_64/k8/sqr_basecase.asm | 18 +++-- + mpn/x86_64/logops_n.asm | 1 + + mpn/x86_64/lshift.asm | 1 + + mpn/x86_64/lshiftc.asm | 1 + + mpn/x86_64/lshsub_n.asm | 1 + + mpn/x86_64/missing.asm | 1 + + mpn/x86_64/mod_1_2.asm | 1 + + mpn/x86_64/mod_1_4.asm | 1 + + mpn/x86_64/mod_34lsub1.asm | 28 ++++--- + mpn/x86_64/mode1o.asm | 1 + + mpn/x86_64/mul_1.asm | 1 + + mpn/x86_64/mul_2.asm | 1 + + mpn/x86_64/nano/dive_1.asm | 1 + + mpn/x86_64/pentium4/aors_n.asm | 1 + + mpn/x86_64/pentium4/mod_34lsub1.asm | 1 + + mpn/x86_64/pentium4/rsh1aors_n.asm | 1 + + mpn/x86_64/pentium4/rshift.asm | 1 + + mpn/x86_64/popham.asm | 1 + + mpn/x86_64/rsh1aors_n.asm | 1 + + mpn/x86_64/rshift.asm | 1 + + mpn/x86_64/sec_tabselect.asm | 1 + + mpn/x86_64/sqr_diag_addlsh1.asm | 1 + + mpn/x86_64/sublsh1_n.asm | 1 + + mpn/x86_64/x86_64-defs.m4 | 5 ++ + mpn/x86_64/zen/aorrlsh_n.asm | 25 +++++-- + mpn/x86_64/zen/mul_basecase.asm | 1 + + mpn/x86_64/zen/mullo_basecase.asm | 1 + + mpn/x86_64/zen/sbpi1_bdiv_r.asm | 1 + + mpn/x86_64/zen/sqr_basecase.asm | 1 + + 244 files changed, 537 insertions(+), 89 deletions(-) + +diff --git a/acinclude.m4 b/acinclude.m4 +index 86175ce..84e880b 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -3135,6 +3135,106 @@ __sparc_get_pc_thunk.l7: + GMP_DEFINE_RAW(["define(,<$gmp_cv_asm_sparc_shared_thunks>)"]) + ]) + ++dnl GMP_ASM_X86_CET_MACROS(ABI) ++dnl ------------ ++dnl Define ++dnl 1. X86_ENDBR for endbr32/endbr64. ++dnl 2. X86_NOTRACK for notrack prefix. ++dnl 3. X86_GNU_PROPERTY to add a .note.gnu.property section to mark ++dnl Intel CET support if needed. ++dnl .section ".note.gnu.property", "a" ++dnl .p2align POINTER-ALIGN ++dnl .long 1f - 0f ++dnl .long 4f - 1f ++dnl .long 5 ++dnl 0: ++dnl .asciz "GNU" ++dnl 1: ++dnl .p2align POINTER-ALIGN ++dnl .long 0xc0000002 ++dnl .long 3f - 2f ++dnl 2: ++dnl .long 3 ++dnl 3: ++dnl .p2align POINTER-ALIGN ++dnl 4: ++AC_DEFUN([GMP_ASM_X86_CET_MACROS],[ ++dnl AC_REQUIRE([AC_PROG_CC]) GMP uses something else ++AC_CACHE_CHECK([if Intel CET is enabled], ++ gmp_cv_asm_x86_intel_cet, [dnl ++ cat > conftest.c </dev/null]) ++ then ++ gmp_cv_asm_x86_intel_cet=yes ++ else ++ gmp_cv_asm_x86_intel_cet=no ++ fi ++ rm -f conftest*]) ++ if test "$gmp_cv_asm_x86_intel_cet" = yes; then ++ case $1 in ++ 32) ++ endbr=endbr32 ++ p2align=2 ++ ;; ++ 64) ++ endbr=endbr64 ++ p2align=3 ++ ;; ++ x32) ++ endbr=endbr64 ++ p2align=2 ++ ;; ++ esac ++ AC_CACHE_CHECK([if .note.gnu.property section is needed], ++ gmp_cv_asm_x86_gnu_property, [dnl ++ cat > conftest.c </dev/null]) ++ then ++ gmp_cv_asm_x86_gnu_property=yes ++ else ++ gmp_cv_asm_x86_gnu_property=no ++ fi ++ rm -f conftest*]) ++ echo ["define(,<$endbr>)"] >> $gmp_tmpconfigm4 ++ echo ["define(,)"] >> $gmp_tmpconfigm4 ++ else ++ gmp_cv_asm_x86_gnu_property=no ++ echo ["define(,<>)"] >> $gmp_tmpconfigm4 ++ echo ["define(,<>)"] >> $gmp_tmpconfigm4 ++ fi ++ if test "$gmp_cv_asm_x86_gnu_property" = yes; then ++ echo ["define(, < ++ .section \".note.gnu.property\", \"a\" ++ .p2align $p2align ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz \"GNU\" ++1: ++ .p2align $p2align ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align $p2align ++4:>)"] >> $gmp_tmpconfigm4 ++ else ++ echo ["define(,<>)"] >> $gmp_tmpconfigm4 ++ fi ++]) ++ + + dnl GMP_C_ATTRIBUTE_CONST + dnl --------------------- +diff --git a/configure.ac b/configure.ac +index cafdb3c..0fb8b21 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3813,6 +3813,7 @@ yes + esac + ;; + esac ++ GMP_ASM_X86_CET_MACROS($ABI) + ;; + esac + fi +diff --git a/mpn/x86/aors_n.asm b/mpn/x86/aors_n.asm +index 5d359f5..7ea7814 100644 +--- a/mpn/x86/aors_n.asm ++++ b/mpn/x86/aors_n.asm +@@ -112,7 +112,7 @@ L(0a): leal (%eax,%eax,8),%eax + shrl %ebp C shift bit 0 into carry + popl %ebp FRAME_popl() + +- jmp *%eax C jump into loop ++ X86_NOTRACK jmp *%eax C jump into loop + + EPILOGUE() + +@@ -153,7 +153,7 @@ L(0b): leal (%eax,%eax,8),%eax + C Calculate start address in loop for non-PIC. + leal L(oop)-3(%eax,%eax,8),%eax + ') +- jmp *%eax C jump into loop ++ X86_NOTRACK jmp *%eax C jump into loop + + L(oopgo): + pushl %ebp FRAME_pushl() +@@ -200,3 +200,4 @@ L(oop): movl (%esi),%eax + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/aorsmul_1.asm b/mpn/x86/aorsmul_1.asm +index 54a8905..0ab1e01 100644 +--- a/mpn/x86/aorsmul_1.asm ++++ b/mpn/x86/aorsmul_1.asm +@@ -154,3 +154,4 @@ L(end): movl %ebx,%eax + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/atom/sse2/aorsmul_1.asm b/mpn/x86/atom/sse2/aorsmul_1.asm +index 969a14a..20658e1 100644 +--- a/mpn/x86/atom/sse2/aorsmul_1.asm ++++ b/mpn/x86/atom/sse2/aorsmul_1.asm +@@ -172,3 +172,4 @@ PROLOGUE(func_1c) + mov 20(%esp), %edx C carry + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/atom/sse2/mul_basecase.asm b/mpn/x86/atom/sse2/mul_basecase.asm +index 97d3aeb..74171aa 100644 +--- a/mpn/x86/atom/sse2/mul_basecase.asm ++++ b/mpn/x86/atom/sse2/mul_basecase.asm +@@ -499,3 +499,4 @@ L(done): + pop %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/atom/sse2/sqr_basecase.asm b/mpn/x86/atom/sse2/sqr_basecase.asm +index af19ed8..0031812 100644 +--- a/mpn/x86/atom/sse2/sqr_basecase.asm ++++ b/mpn/x86/atom/sse2/sqr_basecase.asm +@@ -632,3 +632,4 @@ L(one): pmuludq %mm7, %mm7 + pop %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/bdiv_dbm1c.asm b/mpn/x86/bdiv_dbm1c.asm +index 0288c47..7a3b1a6 100644 +--- a/mpn/x86/bdiv_dbm1c.asm ++++ b/mpn/x86/bdiv_dbm1c.asm +@@ -127,3 +127,4 @@ L(b1): add $-4, %ebp + pop %esi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/copyd.asm b/mpn/x86/copyd.asm +index 51fa195..0e588d9 100644 +--- a/mpn/x86/copyd.asm ++++ b/mpn/x86/copyd.asm +@@ -89,3 +89,4 @@ PROLOGUE(mpn_copyd) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/copyi.asm b/mpn/x86/copyi.asm +index f6b0354..6efbb90 100644 +--- a/mpn/x86/copyi.asm ++++ b/mpn/x86/copyi.asm +@@ -97,3 +97,4 @@ PROLOGUE(mpn_copyi) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/divrem_1.asm b/mpn/x86/divrem_1.asm +index 255d493..b1af920 100644 +--- a/mpn/x86/divrem_1.asm ++++ b/mpn/x86/divrem_1.asm +@@ -231,3 +231,4 @@ deflit(`FRAME',8) + popl %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/divrem_2.asm b/mpn/x86/divrem_2.asm +index 4c38ad0..c2920c2 100644 +--- a/mpn/x86/divrem_2.asm ++++ b/mpn/x86/divrem_2.asm +@@ -197,3 +197,4 @@ L(35): sub 20(%esp), %ebp + movl $1, 32(%esp) + jmp L(8) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/aors_n.asm b/mpn/x86/k6/aors_n.asm +index 168f9b4..257ba59 100644 +--- a/mpn/x86/k6/aors_n.asm ++++ b/mpn/x86/k6/aors_n.asm +@@ -335,3 +335,4 @@ L(inplace_done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/aorsmul_1.asm b/mpn/x86/k6/aorsmul_1.asm +index eaa92eb..78be9d2 100644 +--- a/mpn/x86/k6/aorsmul_1.asm ++++ b/mpn/x86/k6/aorsmul_1.asm +@@ -389,3 +389,4 @@ Zdisp( M4_inst,%ecx, disp0,(%edi)) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/divrem_1.asm b/mpn/x86/k6/divrem_1.asm +index b4cea4f..ca41a3f 100644 +--- a/mpn/x86/k6/divrem_1.asm ++++ b/mpn/x86/k6/divrem_1.asm +@@ -201,3 +201,4 @@ deflit(`FRAME',8) + popl %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/k62mmx/copyd.asm b/mpn/x86/k6/k62mmx/copyd.asm +index f80a5a1..fc329f5 100644 +--- a/mpn/x86/k6/k62mmx/copyd.asm ++++ b/mpn/x86/k6/k62mmx/copyd.asm +@@ -116,3 +116,4 @@ L(zero): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/k62mmx/lshift.asm b/mpn/x86/k6/k62mmx/lshift.asm +index c86575f..728fb5b 100644 +--- a/mpn/x86/k6/k62mmx/lshift.asm ++++ b/mpn/x86/k6/k62mmx/lshift.asm +@@ -292,3 +292,4 @@ deflit(`FRAME',4) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/k62mmx/rshift.asm b/mpn/x86/k6/k62mmx/rshift.asm +index f604a7b..bd673f3 100644 +--- a/mpn/x86/k6/k62mmx/rshift.asm ++++ b/mpn/x86/k6/k62mmx/rshift.asm +@@ -291,3 +291,4 @@ L(finish_even): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mmx/com.asm b/mpn/x86/k6/mmx/com.asm +index b747454..646d16b 100644 +--- a/mpn/x86/k6/mmx/com.asm ++++ b/mpn/x86/k6/mmx/com.asm +@@ -101,3 +101,4 @@ L(no_extra): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mmx/logops_n.asm b/mpn/x86/k6/mmx/logops_n.asm +index e17930b..acfd7df 100644 +--- a/mpn/x86/k6/mmx/logops_n.asm ++++ b/mpn/x86/k6/mmx/logops_n.asm +@@ -224,3 +224,4 @@ L(no_extra): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mmx/lshift.asm b/mpn/x86/k6/mmx/lshift.asm +index 45be582..eee1eb8 100644 +--- a/mpn/x86/k6/mmx/lshift.asm ++++ b/mpn/x86/k6/mmx/lshift.asm +@@ -128,3 +128,4 @@ L(top): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mmx/popham.asm b/mpn/x86/k6/mmx/popham.asm +index 2b19d0b..efeb1b4 100644 +--- a/mpn/x86/k6/mmx/popham.asm ++++ b/mpn/x86/k6/mmx/popham.asm +@@ -234,3 +234,4 @@ HAM(` nop C code alignment') + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mmx/rshift.asm b/mpn/x86/k6/mmx/rshift.asm +index cd0382f..ae53711 100644 +--- a/mpn/x86/k6/mmx/rshift.asm ++++ b/mpn/x86/k6/mmx/rshift.asm +@@ -128,3 +128,4 @@ Zdisp( movd, %mm0, 0,(%ecx,%eax,4)) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mod_34lsub1.asm b/mpn/x86/k6/mod_34lsub1.asm +index 7e30503..05f8979 100644 +--- a/mpn/x86/k6/mod_34lsub1.asm ++++ b/mpn/x86/k6/mod_34lsub1.asm +@@ -188,3 +188,4 @@ L(combine): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mul_1.asm b/mpn/x86/k6/mul_1.asm +index 3ef7ec2..2139f36 100644 +--- a/mpn/x86/k6/mul_1.asm ++++ b/mpn/x86/k6/mul_1.asm +@@ -290,3 +290,4 @@ L(finish_not_one): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/mul_basecase.asm b/mpn/x86/k6/mul_basecase.asm +index 7030001..ab202a2 100644 +--- a/mpn/x86/k6/mul_basecase.asm ++++ b/mpn/x86/k6/mul_basecase.asm +@@ -610,3 +610,4 @@ Zdisp( addl, %ecx, disp0,(%edi)) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/pre_mod_1.asm b/mpn/x86/k6/pre_mod_1.asm +index 34db20d..1e4cb17 100644 +--- a/mpn/x86/k6/pre_mod_1.asm ++++ b/mpn/x86/k6/pre_mod_1.asm +@@ -144,3 +144,4 @@ L(q1_ff): + + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k6/sqr_basecase.asm b/mpn/x86/k6/sqr_basecase.asm +index b7ecb5c..f3a101a 100644 +--- a/mpn/x86/k6/sqr_basecase.asm ++++ b/mpn/x86/k6/sqr_basecase.asm +@@ -678,3 +678,4 @@ L(pic_calc): + + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/aors_n.asm b/mpn/x86/k7/aors_n.asm +index 1a08072..bfdf3d4 100644 +--- a/mpn/x86/k7/aors_n.asm ++++ b/mpn/x86/k7/aors_n.asm +@@ -256,3 +256,4 @@ L(even): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/com.asm b/mpn/x86/k7/mmx/com.asm +index a258c22..cf48fac 100644 +--- a/mpn/x86/k7/mmx/com.asm ++++ b/mpn/x86/k7/mmx/com.asm +@@ -123,3 +123,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/copyd.asm b/mpn/x86/k7/mmx/copyd.asm +index 59ece40..3bc9ff8 100644 +--- a/mpn/x86/k7/mmx/copyd.asm ++++ b/mpn/x86/k7/mmx/copyd.asm +@@ -142,3 +142,4 @@ L(done): + + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/copyi.asm b/mpn/x86/k7/mmx/copyi.asm +index 9a28f92..f0648fa 100644 +--- a/mpn/x86/k7/mmx/copyi.asm ++++ b/mpn/x86/k7/mmx/copyi.asm +@@ -155,3 +155,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/divrem_1.asm b/mpn/x86/k7/mmx/divrem_1.asm +index cf34328..370bfbb 100644 +--- a/mpn/x86/k7/mmx/divrem_1.asm ++++ b/mpn/x86/k7/mmx/divrem_1.asm +@@ -830,3 +830,4 @@ L(fraction_entry): + jmp L(fraction_done) + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/lshift.asm b/mpn/x86/k7/mmx/lshift.asm +index b3383cf..4140e82 100644 +--- a/mpn/x86/k7/mmx/lshift.asm ++++ b/mpn/x86/k7/mmx/lshift.asm +@@ -479,3 +479,4 @@ L(end_even_unaligned): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/popham.asm b/mpn/x86/k7/mmx/popham.asm +index 95965b7..f29540a 100644 +--- a/mpn/x86/k7/mmx/popham.asm ++++ b/mpn/x86/k7/mmx/popham.asm +@@ -211,3 +211,4 @@ L(loaded): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mmx/rshift.asm b/mpn/x86/k7/mmx/rshift.asm +index 345d23a..0da1f93 100644 +--- a/mpn/x86/k7/mmx/rshift.asm ++++ b/mpn/x86/k7/mmx/rshift.asm +@@ -478,3 +478,4 @@ L(end_even_unaligned): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mod_1_1.asm b/mpn/x86/k7/mod_1_1.asm +index 1bbe6f9..8da9519 100644 +--- a/mpn/x86/k7/mod_1_1.asm ++++ b/mpn/x86/k7/mod_1_1.asm +@@ -219,3 +219,4 @@ PROLOGUE(mpn_mod_1_1p_cps) + pop %ebp + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mod_1_4.asm b/mpn/x86/k7/mod_1_4.asm +index bb7597e..fe1da5b 100644 +--- a/mpn/x86/k7/mod_1_4.asm ++++ b/mpn/x86/k7/mod_1_4.asm +@@ -258,3 +258,4 @@ C CAUTION: This is the same code as in pentium4/sse2/mod_1_4.asm + pop %ebp + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mod_34lsub1.asm b/mpn/x86/k7/mod_34lsub1.asm +index ee3ad04..0c1b8c8 100644 +--- a/mpn/x86/k7/mod_34lsub1.asm ++++ b/mpn/x86/k7/mod_34lsub1.asm +@@ -186,3 +186,4 @@ L(combine): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/mul_basecase.asm b/mpn/x86/k7/mul_basecase.asm +index 4dfb500..b96fda7 100644 +--- a/mpn/x86/k7/mul_basecase.asm ++++ b/mpn/x86/k7/mul_basecase.asm +@@ -600,3 +600,4 @@ deflit(`disp1', eval(disp0-0 + 4)) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/k7/sqr_basecase.asm b/mpn/x86/k7/sqr_basecase.asm +index 7b6a97e..df47ee4 100644 +--- a/mpn/x86/k7/sqr_basecase.asm ++++ b/mpn/x86/k7/sqr_basecase.asm +@@ -633,3 +633,4 @@ L(diag): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/lshift.asm b/mpn/x86/lshift.asm +index 6ee6153..95f5321 100644 +--- a/mpn/x86/lshift.asm ++++ b/mpn/x86/lshift.asm +@@ -104,3 +104,4 @@ L(end): shll %cl,%ebx C compute least significant limb + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/mmx/sec_tabselect.asm b/mpn/x86/mmx/sec_tabselect.asm +index aae158a..543dec1 100644 +--- a/mpn/x86/mmx/sec_tabselect.asm ++++ b/mpn/x86/mmx/sec_tabselect.asm +@@ -161,3 +161,4 @@ L(b00): pop %ebp + emms + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/mod_34lsub1.asm b/mpn/x86/mod_34lsub1.asm +index e09e702..df52d37 100644 +--- a/mpn/x86/mod_34lsub1.asm ++++ b/mpn/x86/mod_34lsub1.asm +@@ -181,3 +181,4 @@ L(combine): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/mul_1.asm b/mpn/x86/mul_1.asm +index 421de62..dbbc0e3 100644 +--- a/mpn/x86/mul_1.asm ++++ b/mpn/x86/mul_1.asm +@@ -138,3 +138,4 @@ L(end): movl %ebx,%eax + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/mul_basecase.asm b/mpn/x86/mul_basecase.asm +index 8339732..c32fd7e 100644 +--- a/mpn/x86/mul_basecase.asm ++++ b/mpn/x86/mul_basecase.asm +@@ -221,3 +221,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/aors_n.asm b/mpn/x86/p6/aors_n.asm +index df51c2e..ab172df 100644 +--- a/mpn/x86/p6/aors_n.asm ++++ b/mpn/x86/p6/aors_n.asm +@@ -90,7 +90,7 @@ L(here): + ') + + shr %edx C set cy flag +- jmp *%eax ++ X86_NOTRACK jmp *%eax + + ifdef(`PIC',` + L(pic_calc): +@@ -154,3 +154,4 @@ PROLOGUE(func_nc) + movl 20(%esp), %edx + jmp L(start) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/aorsmul_1.asm b/mpn/x86/p6/aorsmul_1.asm +index bc8c49c..2a3b122 100644 +--- a/mpn/x86/p6/aorsmul_1.asm ++++ b/mpn/x86/p6/aorsmul_1.asm +@@ -240,7 +240,7 @@ L(here): + cmovnz( %ebx, %ecx) C high,low carry other way around + cmovnz( %eax, %ebx) + +- jmp *%edx ++ X86_NOTRACK jmp *%edx + + + ifdef(`PIC',` +@@ -318,3 +318,4 @@ deflit(`disp0', eval(UNROLL_BYTES ifelse(UNROLL_BYTES,256,-128))) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/copyd.asm b/mpn/x86/p6/copyd.asm +index 1be7636..bd42da1 100644 +--- a/mpn/x86/p6/copyd.asm ++++ b/mpn/x86/p6/copyd.asm +@@ -176,3 +176,4 @@ L(zero): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/gcd_11.asm b/mpn/x86/p6/gcd_11.asm +index 80e055e..a7fc6a8 100644 +--- a/mpn/x86/p6/gcd_11.asm ++++ b/mpn/x86/p6/gcd_11.asm +@@ -81,3 +81,4 @@ L(end): mov %edx, %eax + pop %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/lshsub_n.asm b/mpn/x86/p6/lshsub_n.asm +index 7ada213..17db5d5 100644 +--- a/mpn/x86/p6/lshsub_n.asm ++++ b/mpn/x86/p6/lshsub_n.asm +@@ -82,7 +82,7 @@ L(here): + pxor %mm1, %mm1 + pxor %mm0, %mm0 + +- jmp *%eax ++ X86_NOTRACK jmp *%eax + + ifdef(`PIC',` + L(pic_calc): +@@ -167,3 +167,4 @@ L(ent): mov 0(up,n,4), %eax + jmp L(top) + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/mmx/divrem_1.asm b/mpn/x86/p6/mmx/divrem_1.asm +index 5300616..b6057dd 100644 +--- a/mpn/x86/p6/mmx/divrem_1.asm ++++ b/mpn/x86/p6/mmx/divrem_1.asm +@@ -765,3 +765,4 @@ L(fraction_top): + jmp L(fraction_done) + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/mod_34lsub1.asm b/mpn/x86/p6/mod_34lsub1.asm +index b88ab5d..46b3806 100644 +--- a/mpn/x86/p6/mod_34lsub1.asm ++++ b/mpn/x86/p6/mod_34lsub1.asm +@@ -188,3 +188,4 @@ L(done_0): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/mul_basecase.asm b/mpn/x86/p6/mul_basecase.asm +index d87bc12..521b31e 100644 +--- a/mpn/x86/p6/mul_basecase.asm ++++ b/mpn/x86/p6/mul_basecase.asm +@@ -524,7 +524,7 @@ L(unroll_outer_entry): + xorl %eax, %ebx C carries other way for odd index + xorl %eax, %ecx + +- jmp *%edx ++ X86_NOTRACK jmp *%edx + + + C ----------------------------------------------------------------------------- +@@ -605,3 +605,4 @@ deflit(`disp1', eval(disp0 + 4)) + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/p6/sqr_basecase.asm b/mpn/x86/p6/sqr_basecase.asm +index 8fc7fdf..f71304f 100644 +--- a/mpn/x86/p6/sqr_basecase.asm ++++ b/mpn/x86/p6/sqr_basecase.asm +@@ -447,7 +447,7 @@ define(cmovX,`ifelse(eval(UNROLL_COUNT%2),1,`cmovz($@)',`cmovnz($@)')') + cmovX( %ebx, %ecx) C high carry reverse + cmovX( %eax, %ebx) C low carry reverse + movl %edx, VAR_JMP +- jmp *%edx ++ X86_NOTRACK jmp *%edx + + + C Must be on an even address here so the low bit of the jump address +@@ -647,3 +647,4 @@ L(pic_calc): + + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/aors_n.asm b/mpn/x86/pentium/aors_n.asm +index 01ebfb9..ca124a5 100644 +--- a/mpn/x86/pentium/aors_n.asm ++++ b/mpn/x86/pentium/aors_n.asm +@@ -201,3 +201,4 @@ L(end2): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/aorsmul_1.asm b/mpn/x86/pentium/aorsmul_1.asm +index d83cc45..5cec8b3 100644 +--- a/mpn/x86/pentium/aorsmul_1.asm ++++ b/mpn/x86/pentium/aorsmul_1.asm +@@ -142,3 +142,4 @@ L(top): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/com.asm b/mpn/x86/pentium/com.asm +index b080545..00064ff 100644 +--- a/mpn/x86/pentium/com.asm ++++ b/mpn/x86/pentium/com.asm +@@ -179,3 +179,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/copyd.asm b/mpn/x86/pentium/copyd.asm +index 72a543b..c7f74b5 100644 +--- a/mpn/x86/pentium/copyd.asm ++++ b/mpn/x86/pentium/copyd.asm +@@ -144,3 +144,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/copyi.asm b/mpn/x86/pentium/copyi.asm +index d983d6b..bc7744e 100644 +--- a/mpn/x86/pentium/copyi.asm ++++ b/mpn/x86/pentium/copyi.asm +@@ -162,3 +162,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/logops_n.asm b/mpn/x86/pentium/logops_n.asm +index 1877317..41a9477 100644 +--- a/mpn/x86/pentium/logops_n.asm ++++ b/mpn/x86/pentium/logops_n.asm +@@ -174,3 +174,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/lshift.asm b/mpn/x86/pentium/lshift.asm +index 2a31f36..68cba52 100644 +--- a/mpn/x86/pentium/lshift.asm ++++ b/mpn/x86/pentium/lshift.asm +@@ -241,3 +241,4 @@ L(L1): movl %edx,(%edi) C store last limb + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mmx/lshift.asm b/mpn/x86/pentium/mmx/lshift.asm +index 04b0ddc..9e18c86 100644 +--- a/mpn/x86/pentium/mmx/lshift.asm ++++ b/mpn/x86/pentium/mmx/lshift.asm +@@ -461,3 +461,4 @@ L(finish_zero_unaligned): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mmx/mul_1.asm b/mpn/x86/pentium/mmx/mul_1.asm +index 4ced577..b04a718 100644 +--- a/mpn/x86/pentium/mmx/mul_1.asm ++++ b/mpn/x86/pentium/mmx/mul_1.asm +@@ -369,3 +369,4 @@ L(small_done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mmx/rshift.asm b/mpn/x86/pentium/mmx/rshift.asm +index e3b274b..5493d20 100644 +--- a/mpn/x86/pentium/mmx/rshift.asm ++++ b/mpn/x86/pentium/mmx/rshift.asm +@@ -466,3 +466,4 @@ L(finish_zero_unaligned): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mod_34lsub1.asm b/mpn/x86/pentium/mod_34lsub1.asm +index 2d88223..0945de8 100644 +--- a/mpn/x86/pentium/mod_34lsub1.asm ++++ b/mpn/x86/pentium/mod_34lsub1.asm +@@ -190,3 +190,4 @@ L(combine): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mul_1.asm b/mpn/x86/pentium/mul_1.asm +index a0858af..2c49130 100644 +--- a/mpn/x86/pentium/mul_1.asm ++++ b/mpn/x86/pentium/mul_1.asm +@@ -175,3 +175,4 @@ L(top): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mul_2.asm b/mpn/x86/pentium/mul_2.asm +index 4c7beb5..e94e071 100644 +--- a/mpn/x86/pentium/mul_2.asm ++++ b/mpn/x86/pentium/mul_2.asm +@@ -148,3 +148,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/mul_basecase.asm b/mpn/x86/pentium/mul_basecase.asm +index e1d0f05..ff269bb 100644 +--- a/mpn/x86/pentium/mul_basecase.asm ++++ b/mpn/x86/pentium/mul_basecase.asm +@@ -140,3 +140,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/rshift.asm b/mpn/x86/pentium/rshift.asm +index 2105c4c..d98080d 100644 +--- a/mpn/x86/pentium/rshift.asm ++++ b/mpn/x86/pentium/rshift.asm +@@ -241,3 +241,4 @@ L(L1): movl %edx,(%edi) C store last limb + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium/sqr_basecase.asm b/mpn/x86/pentium/sqr_basecase.asm +index b11d767..ee64eb3 100644 +--- a/mpn/x86/pentium/sqr_basecase.asm ++++ b/mpn/x86/pentium/sqr_basecase.asm +@@ -526,3 +526,4 @@ L(diag): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/copyd.asm b/mpn/x86/pentium4/copyd.asm +index 82af81c..bf06a05 100644 +--- a/mpn/x86/pentium4/copyd.asm ++++ b/mpn/x86/pentium4/copyd.asm +@@ -69,3 +69,4 @@ L(end): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/copyi.asm b/mpn/x86/pentium4/copyi.asm +index b614887..acbb3f4 100644 +--- a/mpn/x86/pentium4/copyi.asm ++++ b/mpn/x86/pentium4/copyi.asm +@@ -91,3 +91,4 @@ L(replmovs): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/mmx/popham.asm b/mpn/x86/pentium4/mmx/popham.asm +index 9563cb5..f7a6124 100644 +--- a/mpn/x86/pentium4/mmx/popham.asm ++++ b/mpn/x86/pentium4/mmx/popham.asm +@@ -201,3 +201,4 @@ L(loaded): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/add_n.asm b/mpn/x86/pentium4/sse2/add_n.asm +index 8e2380e..e329635 100644 +--- a/mpn/x86/pentium4/sse2/add_n.asm ++++ b/mpn/x86/pentium4/sse2/add_n.asm +@@ -99,3 +99,4 @@ L(top): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/addlsh1_n.asm b/mpn/x86/pentium4/sse2/addlsh1_n.asm +index 93b63b2..e801f7b 100644 +--- a/mpn/x86/pentium4/sse2/addlsh1_n.asm ++++ b/mpn/x86/pentium4/sse2/addlsh1_n.asm +@@ -106,3 +106,4 @@ L(top): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/addmul_1.asm b/mpn/x86/pentium4/sse2/addmul_1.asm +index 7810207..62a7675 100644 +--- a/mpn/x86/pentium4/sse2/addmul_1.asm ++++ b/mpn/x86/pentium4/sse2/addmul_1.asm +@@ -187,3 +187,4 @@ PROLOGUE(mpn_addmul_1c) + movd 20(%esp), %mm6 + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/cnd_add_n.asm b/mpn/x86/pentium4/sse2/cnd_add_n.asm +index b3f3474..7183b94 100644 +--- a/mpn/x86/pentium4/sse2/cnd_add_n.asm ++++ b/mpn/x86/pentium4/sse2/cnd_add_n.asm +@@ -93,3 +93,4 @@ L(top): movd (%ebx,%ecx,4), %mm2 + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/cnd_sub_n.asm b/mpn/x86/pentium4/sse2/cnd_sub_n.asm +index 339a23e..ba0fc47 100644 +--- a/mpn/x86/pentium4/sse2/cnd_sub_n.asm ++++ b/mpn/x86/pentium4/sse2/cnd_sub_n.asm +@@ -112,3 +112,4 @@ L(done_mm1): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/divrem_1.asm b/mpn/x86/pentium4/sse2/divrem_1.asm +index 0146fab..d8619e0 100644 +--- a/mpn/x86/pentium4/sse2/divrem_1.asm ++++ b/mpn/x86/pentium4/sse2/divrem_1.asm +@@ -643,3 +643,4 @@ L(fraction_top): + jmp L(fraction_done) + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/mod_1_1.asm b/mpn/x86/pentium4/sse2/mod_1_1.asm +index ee88bab..2e5a514 100644 +--- a/mpn/x86/pentium4/sse2/mod_1_1.asm ++++ b/mpn/x86/pentium4/sse2/mod_1_1.asm +@@ -164,3 +164,4 @@ C CAUTION: This is the same code as in k7/mod_1_1.asm + pop %ebp + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/mod_1_4.asm b/mpn/x86/pentium4/sse2/mod_1_4.asm +index eb2edb6..5ef3c4a 100644 +--- a/mpn/x86/pentium4/sse2/mod_1_4.asm ++++ b/mpn/x86/pentium4/sse2/mod_1_4.asm +@@ -267,3 +267,4 @@ C CAUTION: This is the same code as in k7/mod_1_4.asm + pop %ebp + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/mod_34lsub1.asm b/mpn/x86/pentium4/sse2/mod_34lsub1.asm +index 31e25b7..5b6b9a7 100644 +--- a/mpn/x86/pentium4/sse2/mod_34lsub1.asm ++++ b/mpn/x86/pentium4/sse2/mod_34lsub1.asm +@@ -173,3 +173,4 @@ L(combine): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/mul_1.asm b/mpn/x86/pentium4/sse2/mul_1.asm +index 6347b8b..9e4f3fc 100644 +--- a/mpn/x86/pentium4/sse2/mul_1.asm ++++ b/mpn/x86/pentium4/sse2/mul_1.asm +@@ -162,3 +162,4 @@ PROLOGUE(mpn_mul_1c) + movd 20(%esp), %mm6 + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/mul_basecase.asm b/mpn/x86/pentium4/sse2/mul_basecase.asm +index 6e3775a..0bad756 100644 +--- a/mpn/x86/pentium4/sse2/mul_basecase.asm ++++ b/mpn/x86/pentium4/sse2/mul_basecase.asm +@@ -660,3 +660,4 @@ L(oel3): + pop %esi C 3 + ret C 3 + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/rsh1add_n.asm b/mpn/x86/pentium4/sse2/rsh1add_n.asm +index f421d13..543a637 100644 +--- a/mpn/x86/pentium4/sse2/rsh1add_n.asm ++++ b/mpn/x86/pentium4/sse2/rsh1add_n.asm +@@ -124,3 +124,4 @@ L(done): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/sqr_basecase.asm b/mpn/x86/pentium4/sse2/sqr_basecase.asm +index 2dd57d2..9695d42 100644 +--- a/mpn/x86/pentium4/sse2/sqr_basecase.asm ++++ b/mpn/x86/pentium4/sse2/sqr_basecase.asm +@@ -703,3 +703,4 @@ L(diag): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/sub_n.asm b/mpn/x86/pentium4/sse2/sub_n.asm +index 5ba1c01..2cd5b22 100644 +--- a/mpn/x86/pentium4/sse2/sub_n.asm ++++ b/mpn/x86/pentium4/sse2/sub_n.asm +@@ -117,3 +117,4 @@ L(done_mm1): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/pentium4/sse2/submul_1.asm b/mpn/x86/pentium4/sse2/submul_1.asm +index 020675b..1172f0a 100644 +--- a/mpn/x86/pentium4/sse2/submul_1.asm ++++ b/mpn/x86/pentium4/sse2/submul_1.asm +@@ -180,3 +180,4 @@ L(eod): paddq %mm6, %mm4 C add 0xFFFFFFFE00000001 + movd %mm0, 8(%edx) C result + jmp L(rt) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/rshift.asm b/mpn/x86/rshift.asm +index a60dcaa..1cedc0d 100644 +--- a/mpn/x86/rshift.asm ++++ b/mpn/x86/rshift.asm +@@ -106,3 +106,4 @@ L(end): shrl %cl,%ebx C compute most significant limb + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/sec_tabselect.asm b/mpn/x86/sec_tabselect.asm +index c7c2e05..3a8fa17 100644 +--- a/mpn/x86/sec_tabselect.asm ++++ b/mpn/x86/sec_tabselect.asm +@@ -113,3 +113,4 @@ L(outer_end): + pop %edi + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/sqr_basecase.asm b/mpn/x86/sqr_basecase.asm +index 39f8a89..3414b05 100644 +--- a/mpn/x86/sqr_basecase.asm ++++ b/mpn/x86/sqr_basecase.asm +@@ -357,3 +357,4 @@ L(diag): + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/udiv.asm b/mpn/x86/udiv.asm +index a3ee088..2531ef7 100644 +--- a/mpn/x86/udiv.asm ++++ b/mpn/x86/udiv.asm +@@ -50,3 +50,4 @@ deflit(`FRAME',0) + movl %edx, (%ecx) + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/umul.asm b/mpn/x86/umul.asm +index 34fe434..5c1da35 100644 +--- a/mpn/x86/umul.asm ++++ b/mpn/x86/umul.asm +@@ -49,3 +49,4 @@ deflit(`FRAME',0) + movl %edx, %eax + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86/x86-defs.m4 b/mpn/x86/x86-defs.m4 +index 81309b2..b3520d2 100644 +--- a/mpn/x86/x86-defs.m4 ++++ b/mpn/x86/x86-defs.m4 +@@ -123,6 +123,7 @@ m4_assert_defined(`WANT_PROFILING') + TYPE($1,`function') + COFF_TYPE($1) + $1: ++ X86_ENDBR + ifelse(WANT_PROFILING,`prof', ` call_mcount') + ifelse(WANT_PROFILING,`gprof', ` call_mcount') + ifelse(WANT_PROFILING,`instrument',` call_instrument(enter)') +@@ -992,7 +993,11 @@ L(movl_eip_`'substr($2,1)): + + dnl ASM_END + +-define(`ASM_END',`load_eip') ++define(`ASM_END', ++`load_eip ++X86_GNU_PROPERTY ++') ++ + + define(`load_eip', `') dnl updated in LEA/LEAL + +diff --git a/mpn/x86_64/addaddmul_1msb0.asm b/mpn/x86_64/addaddmul_1msb0.asm +index 87c21b4..2d03ddb 100644 +--- a/mpn/x86_64/addaddmul_1msb0.asm ++++ b/mpn/x86_64/addaddmul_1msb0.asm +@@ -168,3 +168,4 @@ L(end): cmp $1, R32(n) + pop %r12 + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aorrlsh1_n.asm b/mpn/x86_64/aorrlsh1_n.asm +index 6ee0872..1441a6c 100644 +--- a/mpn/x86_64/aorrlsh1_n.asm ++++ b/mpn/x86_64/aorrlsh1_n.asm +@@ -168,3 +168,4 @@ ifdef(`OPERATION_rsblsh1_n',` + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aorrlshC_n.asm b/mpn/x86_64/aorrlshC_n.asm +index de00154..691abde 100644 +--- a/mpn/x86_64/aorrlshC_n.asm ++++ b/mpn/x86_64/aorrlshC_n.asm +@@ -170,3 +170,4 @@ ifelse(ADDSUB,add,` + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aorrlsh_n.asm b/mpn/x86_64/aorrlsh_n.asm +index 5ca128f..57f0e77 100644 +--- a/mpn/x86_64/aorrlsh_n.asm ++++ b/mpn/x86_64/aorrlsh_n.asm +@@ -174,3 +174,4 @@ L(end): add R32(%rbx), R32(%rbx) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aors_err1_n.asm b/mpn/x86_64/aors_err1_n.asm +index 54d0b3f..8c42ea1 100644 +--- a/mpn/x86_64/aors_err1_n.asm ++++ b/mpn/x86_64/aors_err1_n.asm +@@ -223,3 +223,4 @@ L(end): + pop %rbx + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aors_err2_n.asm b/mpn/x86_64/aors_err2_n.asm +index ce5c2a4..0227e5d 100644 +--- a/mpn/x86_64/aors_err2_n.asm ++++ b/mpn/x86_64/aors_err2_n.asm +@@ -170,3 +170,4 @@ L(end): + pop %rbx + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aors_err3_n.asm b/mpn/x86_64/aors_err3_n.asm +index bb6d0c5..37047db 100644 +--- a/mpn/x86_64/aors_err3_n.asm ++++ b/mpn/x86_64/aors_err3_n.asm +@@ -154,3 +154,4 @@ L(end): + pop %rbx + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aors_n.asm b/mpn/x86_64/aors_n.asm +index d5a314a..b516c4d 100644 +--- a/mpn/x86_64/aors_n.asm ++++ b/mpn/x86_64/aors_n.asm +@@ -176,3 +176,4 @@ L(end): lea 32(up), up + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/aorsmul_1.asm b/mpn/x86_64/aorsmul_1.asm +index dfe4dc4..e3bb2f9 100644 +--- a/mpn/x86_64/aorsmul_1.asm ++++ b/mpn/x86_64/aorsmul_1.asm +@@ -188,3 +188,4 @@ IFDOS(``pop %rdi '') + IFDOS(``pop %rsi '') + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/addmul_2.asm b/mpn/x86_64/atom/addmul_2.asm +index c1dcdc4..c1d9451 100644 +--- a/mpn/x86_64/atom/addmul_2.asm ++++ b/mpn/x86_64/atom/addmul_2.asm +@@ -184,3 +184,4 @@ L(end): mul v1 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/aorrlsh1_n.asm b/mpn/x86_64/atom/aorrlsh1_n.asm +index f44de19..693a302 100644 +--- a/mpn/x86_64/atom/aorrlsh1_n.asm ++++ b/mpn/x86_64/atom/aorrlsh1_n.asm +@@ -236,3 +236,4 @@ IFDOS(` mov 56(%rsp), %r8 ') + sbb R32(%rbp), R32(%rbp) C save acy + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/aorrlsh2_n.asm b/mpn/x86_64/atom/aorrlsh2_n.asm +index 02fb29d..c6ded74 100644 +--- a/mpn/x86_64/atom/aorrlsh2_n.asm ++++ b/mpn/x86_64/atom/aorrlsh2_n.asm +@@ -189,3 +189,4 @@ ifdef(`OPERATION_rsblsh2_n',` + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/lshift.asm b/mpn/x86_64/atom/lshift.asm +index 1b37d5d..894b912 100644 +--- a/mpn/x86_64/atom/lshift.asm ++++ b/mpn/x86_64/atom/lshift.asm +@@ -121,3 +121,4 @@ L(end): shl R8(%rcx), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/lshiftc.asm b/mpn/x86_64/atom/lshiftc.asm +index 7385f8f..40d8fff 100644 +--- a/mpn/x86_64/atom/lshiftc.asm ++++ b/mpn/x86_64/atom/lshiftc.asm +@@ -125,3 +125,4 @@ L(end): shl R8(%rcx), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/mul_2.asm b/mpn/x86_64/atom/mul_2.asm +index 4bc22cd..87414d9 100644 +--- a/mpn/x86_64/atom/mul_2.asm ++++ b/mpn/x86_64/atom/mul_2.asm +@@ -188,3 +188,4 @@ L(end): mul v1 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/rsh1aors_n.asm b/mpn/x86_64/atom/rsh1aors_n.asm +index 6f5f638..f3952c0 100644 +--- a/mpn/x86_64/atom/rsh1aors_n.asm ++++ b/mpn/x86_64/atom/rsh1aors_n.asm +@@ -285,3 +285,4 @@ L(cj1): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/rshift.asm b/mpn/x86_64/atom/rshift.asm +index 29c027d..f4c59e1 100644 +--- a/mpn/x86_64/atom/rshift.asm ++++ b/mpn/x86_64/atom/rshift.asm +@@ -119,3 +119,4 @@ L(end): shr R8(cnt), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/atom/sublsh1_n.asm b/mpn/x86_64/atom/sublsh1_n.asm +index 1306acd..762e1ee 100644 +--- a/mpn/x86_64/atom/sublsh1_n.asm ++++ b/mpn/x86_64/atom/sublsh1_n.asm +@@ -240,3 +240,4 @@ IFDOS(` mov 56(%rsp), %r8 ') + sbb R32(%rbp), R32(%rbp) C save acy + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd1/addmul_2.asm b/mpn/x86_64/bd1/addmul_2.asm +index b54e91a..b1c149b 100644 +--- a/mpn/x86_64/bd1/addmul_2.asm ++++ b/mpn/x86_64/bd1/addmul_2.asm +@@ -233,3 +233,4 @@ L(end): mul v0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd1/hamdist.asm b/mpn/x86_64/bd1/hamdist.asm +index 29e78a3..f93ce4d 100644 +--- a/mpn/x86_64/bd1/hamdist.asm ++++ b/mpn/x86_64/bd1/hamdist.asm +@@ -204,3 +204,4 @@ DEF_OBJECT(L(cnsts),16,`JUMPTABSECT') + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + END_OBJECT(L(cnsts)) + ') ++ASM_END() +diff --git a/mpn/x86_64/bd1/mul_2.asm b/mpn/x86_64/bd1/mul_2.asm +index 85fa7aa..e910cee 100644 +--- a/mpn/x86_64/bd1/mul_2.asm ++++ b/mpn/x86_64/bd1/mul_2.asm +@@ -193,3 +193,4 @@ L(end): mov -8(up), %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd1/mul_basecase.asm b/mpn/x86_64/bd1/mul_basecase.asm +index e47ba58..ebae74d 100644 +--- a/mpn/x86_64/bd1/mul_basecase.asm ++++ b/mpn/x86_64/bd1/mul_basecase.asm +@@ -414,3 +414,4 @@ L(ret2):pop %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd1/popcount.asm b/mpn/x86_64/bd1/popcount.asm +index 28ce461..063c2cc 100644 +--- a/mpn/x86_64/bd1/popcount.asm ++++ b/mpn/x86_64/bd1/popcount.asm +@@ -189,3 +189,4 @@ DEF_OBJECT(L(cnsts),16,`JUMPTABSECT') + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + END_OBJECT(L(cnsts)) + ') ++ASM_END() +diff --git a/mpn/x86_64/bd2/gcd_11.asm b/mpn/x86_64/bd2/gcd_11.asm +index b167077..3d1c788 100644 +--- a/mpn/x86_64/bd2/gcd_11.asm ++++ b/mpn/x86_64/bd2/gcd_11.asm +@@ -94,3 +94,4 @@ L(end): mov v0, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd2/gcd_22.asm b/mpn/x86_64/bd2/gcd_22.asm +index 070cb3e..491f0d9 100644 +--- a/mpn/x86_64/bd2/gcd_22.asm ++++ b/mpn/x86_64/bd2/gcd_22.asm +@@ -140,3 +140,4 @@ L(end): C mov v0, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bd4/gcd_11.asm b/mpn/x86_64/bd4/gcd_11.asm +index 4176b85..d172e32 100644 +--- a/mpn/x86_64/bd4/gcd_11.asm ++++ b/mpn/x86_64/bd4/gcd_11.asm +@@ -94,3 +94,4 @@ L(end): C rax = result + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bdiv_dbm1c.asm b/mpn/x86_64/bdiv_dbm1c.asm +index a53bd52..c383ee3 100644 +--- a/mpn/x86_64/bdiv_dbm1c.asm ++++ b/mpn/x86_64/bdiv_dbm1c.asm +@@ -104,3 +104,4 @@ L(lo1): sub %rax, %r8 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bdiv_q_1.asm b/mpn/x86_64/bdiv_q_1.asm +index 85538c9..c983c7f 100644 +--- a/mpn/x86_64/bdiv_q_1.asm ++++ b/mpn/x86_64/bdiv_q_1.asm +@@ -193,3 +193,4 @@ L(one): shr R8(%rcx), %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/aors_n.asm b/mpn/x86_64/bt1/aors_n.asm +index 9b6b5c7..04d81dd 100644 +--- a/mpn/x86_64/bt1/aors_n.asm ++++ b/mpn/x86_64/bt1/aors_n.asm +@@ -157,3 +157,4 @@ PROLOGUE(func_nc) + IFDOS(` mov 56(%rsp), %r8 ') + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/aorsmul_1.asm b/mpn/x86_64/bt1/aorsmul_1.asm +index 41e1d8a..d309321 100644 +--- a/mpn/x86_64/bt1/aorsmul_1.asm ++++ b/mpn/x86_64/bt1/aorsmul_1.asm +@@ -189,3 +189,4 @@ IFDOS(` pop %rdi ') + IFDOS(` pop %rsi ') + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/copyd.asm b/mpn/x86_64/bt1/copyd.asm +index 877714e..23fb80b 100644 +--- a/mpn/x86_64/bt1/copyd.asm ++++ b/mpn/x86_64/bt1/copyd.asm +@@ -89,3 +89,4 @@ L(end): cmp $-4, R32(n) + L(ret): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/copyi.asm b/mpn/x86_64/bt1/copyi.asm +index ee0f578..25718e6 100644 +--- a/mpn/x86_64/bt1/copyi.asm ++++ b/mpn/x86_64/bt1/copyi.asm +@@ -92,3 +92,4 @@ L(end): cmp $4, R32(n) + L(ret): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/gcd_11.asm b/mpn/x86_64/bt1/gcd_11.asm +index ef53392..03bc06d 100644 +--- a/mpn/x86_64/bt1/gcd_11.asm ++++ b/mpn/x86_64/bt1/gcd_11.asm +@@ -117,3 +117,4 @@ L(count_better): + bsf u0, cnt + jmp L(shr) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/mul_1.asm b/mpn/x86_64/bt1/mul_1.asm +index 4394d6e..634cb35 100644 +--- a/mpn/x86_64/bt1/mul_1.asm ++++ b/mpn/x86_64/bt1/mul_1.asm +@@ -239,3 +239,4 @@ IFDOS(` pop %rdi ') + IFDOS(` pop %rsi ') + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/mul_basecase.asm b/mpn/x86_64/bt1/mul_basecase.asm +index e7d46bf..1726190 100644 +--- a/mpn/x86_64/bt1/mul_basecase.asm ++++ b/mpn/x86_64/bt1/mul_basecase.asm +@@ -484,3 +484,4 @@ L(ret): pop %r13 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/bt1/sqr_basecase.asm b/mpn/x86_64/bt1/sqr_basecase.asm +index 0e417a1..8f665d1 100644 +--- a/mpn/x86_64/bt1/sqr_basecase.asm ++++ b/mpn/x86_64/bt1/sqr_basecase.asm +@@ -563,3 +563,4 @@ L(esd): add %rbx, w0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/cnd_aors_n.asm b/mpn/x86_64/cnd_aors_n.asm +index 13a2ab3..b720ecb 100644 +--- a/mpn/x86_64/cnd_aors_n.asm ++++ b/mpn/x86_64/cnd_aors_n.asm +@@ -181,3 +181,4 @@ L(end): neg R32(%rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/com.asm b/mpn/x86_64/com.asm +index 006acaf..ec72e19 100644 +--- a/mpn/x86_64/com.asm ++++ b/mpn/x86_64/com.asm +@@ -93,3 +93,4 @@ L(e10): movq 24(up,n,8), %r9 + L(ret): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/copyd.asm b/mpn/x86_64/copyd.asm +index a5e6e59..02ab53f 100644 +--- a/mpn/x86_64/copyd.asm ++++ b/mpn/x86_64/copyd.asm +@@ -91,3 +91,4 @@ L(end): shr R32(n) + mov %r9, -16(rp) + 1: ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/copyi.asm b/mpn/x86_64/copyi.asm +index bafce7a..8c6dbdc 100644 +--- a/mpn/x86_64/copyi.asm ++++ b/mpn/x86_64/copyi.asm +@@ -90,3 +90,4 @@ L(end): shr R32(n) + mov %r9, 16(rp) + 1: ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/aors_err1_n.asm b/mpn/x86_64/core2/aors_err1_n.asm +index 3f875ae..c9c6c36 100644 +--- a/mpn/x86_64/core2/aors_err1_n.asm ++++ b/mpn/x86_64/core2/aors_err1_n.asm +@@ -223,3 +223,4 @@ L(end): + pop %rbx + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/aors_n.asm b/mpn/x86_64/core2/aors_n.asm +index f9e0039..7981b7f 100644 +--- a/mpn/x86_64/core2/aors_n.asm ++++ b/mpn/x86_64/core2/aors_n.asm +@@ -148,3 +148,4 @@ PROLOGUE(func_nc) + IFDOS(` mov 56(%rsp), %r8 ') + jmp L(start) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/aorsmul_1.asm b/mpn/x86_64/core2/aorsmul_1.asm +index a7a5d6e..b2b067a 100644 +--- a/mpn/x86_64/core2/aorsmul_1.asm ++++ b/mpn/x86_64/core2/aorsmul_1.asm +@@ -186,3 +186,4 @@ L(n1): mov 8(rp), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/divrem_1.asm b/mpn/x86_64/core2/divrem_1.asm +index 1b3f139..d41c494 100644 +--- a/mpn/x86_64/core2/divrem_1.asm ++++ b/mpn/x86_64/core2/divrem_1.asm +@@ -241,3 +241,4 @@ L(ret): pop %rbx + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/gcd_11.asm b/mpn/x86_64/core2/gcd_11.asm +index b00451f..b730a55 100644 +--- a/mpn/x86_64/core2/gcd_11.asm ++++ b/mpn/x86_64/core2/gcd_11.asm +@@ -91,3 +91,4 @@ L(end): C rax = result + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/gcd_22.asm b/mpn/x86_64/core2/gcd_22.asm +index b5aa73b..0ccde8a 100644 +--- a/mpn/x86_64/core2/gcd_22.asm ++++ b/mpn/x86_64/core2/gcd_22.asm +@@ -135,3 +135,4 @@ L(end): C mov v0, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/hamdist.asm b/mpn/x86_64/core2/hamdist.asm +index a78753d..be451d7 100644 +--- a/mpn/x86_64/core2/hamdist.asm ++++ b/mpn/x86_64/core2/hamdist.asm +@@ -208,3 +208,4 @@ DEF_OBJECT(L(cnsts),16,`JUMPTABSECT') + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + END_OBJECT(L(cnsts)) ++ASM_END() +diff --git a/mpn/x86_64/core2/logops_n.asm b/mpn/x86_64/core2/logops_n.asm +index 5ff174c..451d556 100644 +--- a/mpn/x86_64/core2/logops_n.asm ++++ b/mpn/x86_64/core2/logops_n.asm +@@ -283,3 +283,4 @@ L(ret): FUNC_EXIT() + ret + EPILOGUE() + ') ++ASM_END() +diff --git a/mpn/x86_64/core2/lshift.asm b/mpn/x86_64/core2/lshift.asm +index 9016a71..62053c2 100644 +--- a/mpn/x86_64/core2/lshift.asm ++++ b/mpn/x86_64/core2/lshift.asm +@@ -143,3 +143,4 @@ L(1): shl R8(cnt), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/lshiftc.asm b/mpn/x86_64/core2/lshiftc.asm +index c428f13..cdd4e11 100644 +--- a/mpn/x86_64/core2/lshiftc.asm ++++ b/mpn/x86_64/core2/lshiftc.asm +@@ -157,3 +157,4 @@ L(1): shl R8(cnt), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/mul_basecase.asm b/mpn/x86_64/core2/mul_basecase.asm +index d16be85..0dcf0f8 100644 +--- a/mpn/x86_64/core2/mul_basecase.asm ++++ b/mpn/x86_64/core2/mul_basecase.asm +@@ -347,6 +347,7 @@ L(m2e0):mul v1 + jz L(ret2) + + L(do_am0): ++ X86_ENDBR + push %r15 + push vn_param + +@@ -520,6 +521,7 @@ L(m2e1):mul v1 + jz L(ret2) + + L(do_am1): ++ X86_ENDBR + push %r15 + push vn_param + +@@ -693,6 +695,7 @@ L(m2e2):mul v1 + jz L(ret2) + + L(do_am2): ++ X86_ENDBR + push %r15 + push vn_param + +@@ -866,6 +869,7 @@ L(m2e3):mul v1 + jz L(ret2) + + L(do_am3): ++ X86_ENDBR + push %r15 + push vn_param + +@@ -973,3 +977,4 @@ L(lo3): mul v0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/mullo_basecase.asm b/mpn/x86_64/core2/mullo_basecase.asm +index 0f03d86..11814d5 100644 +--- a/mpn/x86_64/core2/mullo_basecase.asm ++++ b/mpn/x86_64/core2/mullo_basecase.asm +@@ -425,3 +425,4 @@ L(n3): mov (vp_param), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/popcount.asm b/mpn/x86_64/core2/popcount.asm +index 39d8c5d..5e03ef3 100644 +--- a/mpn/x86_64/core2/popcount.asm ++++ b/mpn/x86_64/core2/popcount.asm +@@ -183,3 +183,4 @@ DEF_OBJECT(L(cnsts),16,`JUMPTABSECT') + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + .byte 0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f,0x0f + END_OBJECT(L(cnsts)) ++ASM_END() +diff --git a/mpn/x86_64/core2/rsh1aors_n.asm b/mpn/x86_64/core2/rsh1aors_n.asm +index 27eed37..5b4fe7e 100644 +--- a/mpn/x86_64/core2/rsh1aors_n.asm ++++ b/mpn/x86_64/core2/rsh1aors_n.asm +@@ -167,3 +167,4 @@ L(end): shrd $1, %rbx, %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/rshift.asm b/mpn/x86_64/core2/rshift.asm +index 7578a53..86cc804 100644 +--- a/mpn/x86_64/core2/rshift.asm ++++ b/mpn/x86_64/core2/rshift.asm +@@ -141,3 +141,4 @@ L(1): shr R8(cnt), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/sqr_basecase.asm b/mpn/x86_64/core2/sqr_basecase.asm +index a112c1b..65286b0 100644 +--- a/mpn/x86_64/core2/sqr_basecase.asm ++++ b/mpn/x86_64/core2/sqr_basecase.asm +@@ -982,3 +982,4 @@ L(n3): mov %rax, %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/core2/sublshC_n.asm b/mpn/x86_64/core2/sublshC_n.asm +index 272700d..e30562b 100644 +--- a/mpn/x86_64/core2/sublshC_n.asm ++++ b/mpn/x86_64/core2/sublshC_n.asm +@@ -156,3 +156,4 @@ L(end): shr $RSH, %r11 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreibwl/addmul_1.asm b/mpn/x86_64/coreibwl/addmul_1.asm +index ee7e4ee..4ea5580 100644 +--- a/mpn/x86_64/coreibwl/addmul_1.asm ++++ b/mpn/x86_64/coreibwl/addmul_1.asm +@@ -110,33 +110,39 @@ L(tab): JMPENT( L(f0), L(tab)) + JMPENT( L(f7), L(tab)) + TEXT + +-L(f0): mulx( (up), %r10, %r8) ++L(f0): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea -8(up), up + lea -8(rp), rp + lea -1(n), n + jmp L(b0) + +-L(f3): mulx( (up), %r9, %rax) ++L(f3): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea 16(up), up + lea -48(rp), rp + jmp L(b3) + +-L(f4): mulx( (up), %r10, %r8) ++L(f4): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 24(up), up + lea -40(rp), rp + jmp L(b4) + +-L(f5): mulx( (up), %r9, %rax) ++L(f5): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea 32(up), up + lea -32(rp), rp + jmp L(b5) + +-L(f6): mulx( (up), %r10, %r8) ++L(f6): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 40(up), up + lea -24(rp), rp + jmp L(b6) + +-L(f1): mulx( (up), %r9, %rax) ++L(f1): X86_ENDBR ++ mulx( (up), %r9, %rax) + jrcxz L(1) + jmp L(b1) + L(1): add (rp), %r9 +@@ -156,7 +162,8 @@ ifdef(`PIC', + ` nop;nop;nop;nop', + ` nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop') + +-L(f2): mulx( (up), %r10, %r8) ++L(f2): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 8(up), up + lea 8(rp), rp + mulx( (up), %r9, %rax) +@@ -200,7 +207,8 @@ L(b3): adox( 48,(rp), %r9) + mulx( (up), %r9, %rax) + jmp L(top) + +-L(f7): mulx( (up), %r9, %rax) ++L(f7): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea -16(up), up + lea -16(rp), rp + jmp L(b7) +diff --git a/mpn/x86_64/coreibwl/mul_1.asm b/mpn/x86_64/coreibwl/mul_1.asm +index b7fae2f..77121a5 100644 +--- a/mpn/x86_64/coreibwl/mul_1.asm ++++ b/mpn/x86_64/coreibwl/mul_1.asm +@@ -108,48 +108,56 @@ L(tab): JMPENT( L(f0), L(tab)) + JMPENT( L(f7), L(tab)) + TEXT + +-L(f0): mulx( (up), %r10, %r8) ++L(f0): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 56(up), up + lea -8(rp), rp + jmp L(b0) + +-L(f3): mulx( (up), %r9, %rax) ++L(f3): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea 16(up), up + lea 16(rp), rp + inc n + jmp L(b3) + +-L(f4): mulx( (up), %r10, %r8) ++L(f4): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 24(up), up + lea 24(rp), rp + inc n + jmp L(b4) + +-L(f5): mulx( (up), %r9, %rax) ++L(f5): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea 32(up), up + lea 32(rp), rp + inc n + jmp L(b5) + +-L(f6): mulx( (up), %r10, %r8) ++L(f6): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 40(up), up + lea 40(rp), rp + inc n + jmp L(b6) + +-L(f7): mulx( (up), %r9, %rax) ++L(f7): X86_ENDBR ++ mulx( (up), %r9, %rax) + lea 48(up), up + lea 48(rp), rp + inc n + jmp L(b7) + +-L(f1): mulx( (up), %r9, %rax) ++L(f1): X86_ENDBR ++ mulx( (up), %r9, %rax) + test n, n + jnz L(b1) + L(1): mov %r9, (rp) + ret + +-L(f2): mulx( (up), %r10, %r8) ++L(f2): X86_ENDBR ++ mulx( (up), %r10, %r8) + lea 8(up), up + lea 8(rp), rp + mulx( (up), %r9, %rax) +diff --git a/mpn/x86_64/coreibwl/mul_basecase.asm b/mpn/x86_64/coreibwl/mul_basecase.asm +index 42ca976..c5e60e7 100644 +--- a/mpn/x86_64/coreibwl/mul_basecase.asm ++++ b/mpn/x86_64/coreibwl/mul_basecase.asm +@@ -157,45 +157,53 @@ ifdef(`PIC', + jmp *(%r10,%rax,8) + ') + +-L(mf0): mulx( (up), w2, w3) ++L(mf0): X86_ENDBR ++ mulx( (up), w2, w3) + lea 56(up), up + lea -8(rp), rp + jmp L(mb0) + +-L(mf3): mulx( (up), w0, w1) ++L(mf3): X86_ENDBR ++ mulx( (up), w0, w1) + lea 16(up), up + lea 16(rp), rp + inc n + jmp L(mb3) + +-L(mf4): mulx( (up), w2, w3) ++L(mf4): X86_ENDBR ++ mulx( (up), w2, w3) + lea 24(up), up + lea 24(rp), rp + inc n + jmp L(mb4) + +-L(mf5): mulx( (up), w0, w1) ++L(mf5): X86_ENDBR ++ mulx( (up), w0, w1) + lea 32(up), up + lea 32(rp), rp + inc n + jmp L(mb5) + +-L(mf6): mulx( (up), w2, w3) ++L(mf6): X86_ENDBR ++ mulx( (up), w2, w3) + lea 40(up), up + lea 40(rp), rp + inc n + jmp L(mb6) + +-L(mf7): mulx( (up), w0, w1) ++L(mf7): X86_ENDBR ++ mulx( (up), w0, w1) + lea 48(up), up + lea 48(rp), rp + inc n + jmp L(mb7) + +-L(mf1): mulx( (up), w0, w1) ++L(mf1): X86_ENDBR ++ mulx( (up), w0, w1) + jmp L(mb1) + +-L(mf2): mulx( (up), w2, w3) ++L(mf2): X86_ENDBR ++ mulx( (up), w2, w3) + lea 8(up), up + lea 8(rp), rp + mulx( (up), w0, w1) +@@ -256,32 +264,39 @@ L(outer): + lea 8(vp), vp + jmp *jaddr + +-L(f0): mulx( 8,(up), w2, w3) ++L(f0): X86_ENDBR ++ mulx( 8,(up), w2, w3) + lea 8(rp,unneg,8), rp + lea -1(n), n + jmp L(b0) + +-L(f3): mulx( -16,(up), w0, w1) ++L(f3): X86_ENDBR ++ mulx( -16,(up), w0, w1) + lea -56(rp,unneg,8), rp + jmp L(b3) + +-L(f4): mulx( -24,(up), w2, w3) ++L(f4): X86_ENDBR ++ mulx( -24,(up), w2, w3) + lea -56(rp,unneg,8), rp + jmp L(b4) + +-L(f5): mulx( -32,(up), w0, w1) ++L(f5): X86_ENDBR ++ mulx( -32,(up), w0, w1) + lea -56(rp,unneg,8), rp + jmp L(b5) + +-L(f6): mulx( -40,(up), w2, w3) ++L(f6): X86_ENDBR ++ mulx( -40,(up), w2, w3) + lea -56(rp,unneg,8), rp + jmp L(b6) + +-L(f7): mulx( 16,(up), w0, w1) ++L(f7): X86_ENDBR ++ mulx( 16,(up), w0, w1) + lea 8(rp,unneg,8), rp + jmp L(b7) + +-L(f1): mulx( (up), w0, w1) ++L(f1): X86_ENDBR ++ mulx( (up), w0, w1) + lea 8(rp,unneg,8), rp + jmp L(b1) + +@@ -303,6 +318,7 @@ L(done): + ret + + L(f2): ++ X86_ENDBR + mulx( -8,(up), w2, w3) + lea 8(rp,unneg,8), rp + mulx( (up), w0, w1) +@@ -367,3 +383,4 @@ L(atab):JMPENT( L(f0), L(atab)) + JMPENT( L(f7), L(atab)) + TEXT + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreibwl/mullo_basecase.asm b/mpn/x86_64/coreibwl/mullo_basecase.asm +index 5cdb209..b3e435b 100644 +--- a/mpn/x86_64/coreibwl/mullo_basecase.asm ++++ b/mpn/x86_64/coreibwl/mullo_basecase.asm +@@ -393,3 +393,4 @@ L(mtab):JMPENT( L(mf7), L(mtab)) + JMPENT( L(mf4), L(mtab)) + JMPENT( L(mf5), L(mtab)) + JMPENT( L(mf6), L(mtab)) ++ASM_END() +diff --git a/mpn/x86_64/coreibwl/sqr_basecase.asm b/mpn/x86_64/coreibwl/sqr_basecase.asm +index e81b01b..cd523cf 100644 +--- a/mpn/x86_64/coreibwl/sqr_basecase.asm ++++ b/mpn/x86_64/coreibwl/sqr_basecase.asm +@@ -181,14 +181,16 @@ ifdef(`PIC', + jmp *(%r10,%rax,8) + ') + +-L(mf0): mulx( u0, w0, w1) C up[0]^2 ++L(mf0): X86_ENDBR ++ mulx( u0, w0, w1) C up[0]^2 + add u0, u0 + mulx( 8,(up), w2, w3) + lea 64(up), up + add w1, w2 + jmp L(mb0) + +-L(mf3): mulx( u0, w2, w3) C up[0]^2 ++L(mf3): X86_ENDBR ++ mulx( u0, w2, w3) C up[0]^2 + add u0, u0 + mov w2, (rp) + mulx( 8,(up), w0, w1) +@@ -197,7 +199,8 @@ L(mf3): mulx( u0, w2, w3) C up[0]^2 + add w3, w0 + jmp L(mb3) + +-L(mf4): mulx( u0, w0, w1) C up[0]^2 ++L(mf4): X86_ENDBR ++ mulx( u0, w0, w1) C up[0]^2 + add u0, u0 + mulx( 8,(up), w2, w3) + mov w0, (rp) +@@ -206,7 +209,8 @@ L(mf4): mulx( u0, w0, w1) C up[0]^2 + add w1, w2 + jmp L(mb4) + +-L(mf5): mulx( u0, w2, w3) C up[0]^2 ++L(mf5): X86_ENDBR ++ mulx( u0, w2, w3) C up[0]^2 + add u0, u0 + mulx( 8,(up), w0, w1) + mov w2, (rp) +@@ -215,7 +219,8 @@ L(mf5): mulx( u0, w2, w3) C up[0]^2 + add w3, w0 + jmp L(mb5) + +-L(mf6): mulx( u0, w0, w1) C up[0]^2 ++L(mf6): X86_ENDBR ++ mulx( u0, w0, w1) C up[0]^2 + add u0, u0 + mulx( 8,(up), w2, w3) + mov w0, (rp) +@@ -224,7 +229,8 @@ L(mf6): mulx( u0, w0, w1) C up[0]^2 + add w1, w2 + jmp L(mb6) + +-L(mf7): mulx( u0, w2, w3) C up[0]^2 ++L(mf7): X86_ENDBR ++ mulx( u0, w2, w3) C up[0]^2 + add u0, u0 + mulx( 8,(up), w0, w1) + mov w2, (rp) +@@ -233,7 +239,8 @@ L(mf7): mulx( u0, w2, w3) C up[0]^2 + add w3, w0 + jmp L(mb7) + +-L(mf1): mulx( u0, w2, w3) C up[0]^2 ++L(mf1): X86_ENDBR ++ mulx( u0, w2, w3) C up[0]^2 + add u0, u0 + mulx( 8,(up), w0, w1) + mov w2, (rp) +@@ -242,7 +249,8 @@ L(mf1): mulx( u0, w2, w3) C up[0]^2 + add w3, w0 + jmp L(mb1) + +-L(mf2): mulx( u0, w0, w1) C up[0]^2 ++L(mf2): X86_ENDBR ++ mulx( u0, w0, w1) C up[0]^2 + add u0, u0 + mulx( 8,(up), w2, w3) + mov w0, (rp) +@@ -300,7 +308,8 @@ ifdef(`PIC', + + L(ed0): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f7): mov w0, (rp) ++L(f7): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea -64(up,un_save,8), up +@@ -356,7 +365,8 @@ L(b0): mov w0, (rp) + + L(ed1): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f0): mov w0, (rp) ++L(f0): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea -64(up,un_save,8), up +@@ -415,7 +425,8 @@ L(b1): mulx( 8,(up), w2, w3) + + L(ed2): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f1): mov w0, (rp) ++L(f1): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -477,7 +488,8 @@ L(b2): adox( 48,(rp), w0) + + L(ed3): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f2): mov w0, (rp) ++L(f2): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -535,7 +547,8 @@ L(b3): mulx( -16,(up), w0, w1) + + L(ed4): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f3): mov w0, (rp) ++L(f3): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -592,7 +605,8 @@ L(b4): mulx( -24,(up), w2, w3) + + L(ed5): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f4): mov w0, (rp) ++L(f4): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -649,7 +663,8 @@ L(b5): mulx( -32,(up), w0, w1) + + L(ed6): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f5): mov w0, (rp) ++L(f5): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -706,7 +721,8 @@ L(b6): adcx( w1, w2) + + L(ed7): adox( (rp), w0) + adox( %rcx, w1) C relies on rcx = 0 +-L(f6): mov w0, (rp) ++L(f6): X86_ENDBR ++ mov w0, (rp) + adc %rcx, w1 C relies on rcx = 0 + mov w1, 8(rp) + lea (up,un_save,8), up +@@ -837,3 +853,4 @@ L(atab):JMPENT( L(f6), L(atab)) + JMPENT( L(f5), L(atab)) + TEXT + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/addmul_2.asm b/mpn/x86_64/coreihwl/addmul_2.asm +index 9d1c405..322037e 100644 +--- a/mpn/x86_64/coreihwl/addmul_2.asm ++++ b/mpn/x86_64/coreihwl/addmul_2.asm +@@ -239,3 +239,4 @@ L(end): mulx( v0, %rax, w3) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/aors_n.asm b/mpn/x86_64/coreihwl/aors_n.asm +index fc99627..f9d89f7 100644 +--- a/mpn/x86_64/coreihwl/aors_n.asm ++++ b/mpn/x86_64/coreihwl/aors_n.asm +@@ -259,3 +259,4 @@ L(tab): JMPENT( L(0), L(tab)) + JMPENT( L(5), L(tab)) + JMPENT( L(6), L(tab)) + JMPENT( L(7), L(tab)) ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/aorsmul_1.asm b/mpn/x86_64/coreihwl/aorsmul_1.asm +index 3f43afa..d01c941 100644 +--- a/mpn/x86_64/coreihwl/aorsmul_1.asm ++++ b/mpn/x86_64/coreihwl/aorsmul_1.asm +@@ -199,3 +199,4 @@ L(ret): pop %r13 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/gcd_22.asm b/mpn/x86_64/coreihwl/gcd_22.asm +index b5863b6..e41731e 100644 +--- a/mpn/x86_64/coreihwl/gcd_22.asm ++++ b/mpn/x86_64/coreihwl/gcd_22.asm +@@ -136,3 +136,4 @@ L(end): mov v0, %rax + L(ret): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/mul_2.asm b/mpn/x86_64/coreihwl/mul_2.asm +index f1f044f..f48e5d8 100644 +--- a/mpn/x86_64/coreihwl/mul_2.asm ++++ b/mpn/x86_64/coreihwl/mul_2.asm +@@ -174,3 +174,4 @@ L(end): mulx( v1, %rdx, %rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/mul_basecase.asm b/mpn/x86_64/coreihwl/mul_basecase.asm +index b2656c8..14826e8 100644 +--- a/mpn/x86_64/coreihwl/mul_basecase.asm ++++ b/mpn/x86_64/coreihwl/mul_basecase.asm +@@ -439,3 +439,4 @@ L(ret2):pop %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/mullo_basecase.asm b/mpn/x86_64/coreihwl/mullo_basecase.asm +index e65559b..b29352c 100644 +--- a/mpn/x86_64/coreihwl/mullo_basecase.asm ++++ b/mpn/x86_64/coreihwl/mullo_basecase.asm +@@ -420,3 +420,4 @@ L(n3): mov (vp), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/redc_1.asm b/mpn/x86_64/coreihwl/redc_1.asm +index b1d6c0a..3b09a73 100644 +--- a/mpn/x86_64/coreihwl/redc_1.asm ++++ b/mpn/x86_64/coreihwl/redc_1.asm +@@ -435,3 +435,4 @@ L(ret): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreihwl/sqr_basecase.asm b/mpn/x86_64/coreihwl/sqr_basecase.asm +index 641cdf3..b6ea890 100644 +--- a/mpn/x86_64/coreihwl/sqr_basecase.asm ++++ b/mpn/x86_64/coreihwl/sqr_basecase.asm +@@ -504,3 +504,4 @@ L(dend):adc %rbx, %rdx + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreinhm/aorrlsh_n.asm b/mpn/x86_64/coreinhm/aorrlsh_n.asm +index eed64e7..3f25eea 100644 +--- a/mpn/x86_64/coreinhm/aorrlsh_n.asm ++++ b/mpn/x86_64/coreinhm/aorrlsh_n.asm +@@ -198,3 +198,4 @@ IFDOS(` mov 64(%rsp), %r9 ') C cy + sbb R32(%rbx), R32(%rbx) C initialise CF save register + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreinhm/hamdist.asm b/mpn/x86_64/coreinhm/hamdist.asm +index a5a63e4..a84bcbc 100644 +--- a/mpn/x86_64/coreinhm/hamdist.asm ++++ b/mpn/x86_64/coreinhm/hamdist.asm +@@ -194,3 +194,4 @@ L(tab): JMPENT( L(0), L(tab)) + JMPENT( L(1), L(tab)) + JMPENT( L(2), L(tab)) + JMPENT( L(3), L(tab)) ++ASM_END() +diff --git a/mpn/x86_64/coreinhm/popcount.asm b/mpn/x86_64/coreinhm/popcount.asm +index 0a3c867..24c4ebc 100644 +--- a/mpn/x86_64/coreinhm/popcount.asm ++++ b/mpn/x86_64/coreinhm/popcount.asm +@@ -180,3 +180,4 @@ L(tab): JMPENT( L(0), L(tab)) + JMPENT( L(5), L(tab)) + JMPENT( L(6), L(tab)) + JMPENT( L(7), L(tab)) ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/addmul_2.asm b/mpn/x86_64/coreisbr/addmul_2.asm +index 21f0bf4..45c7b15 100644 +--- a/mpn/x86_64/coreisbr/addmul_2.asm ++++ b/mpn/x86_64/coreisbr/addmul_2.asm +@@ -222,3 +222,4 @@ L(end): mul v1 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/aorrlshC_n.asm b/mpn/x86_64/coreisbr/aorrlshC_n.asm +index 23ace41..6af7da8 100644 +--- a/mpn/x86_64/coreisbr/aorrlshC_n.asm ++++ b/mpn/x86_64/coreisbr/aorrlshC_n.asm +@@ -171,3 +171,4 @@ L(end): shr $RSH, %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/aorrlsh_n.asm b/mpn/x86_64/coreisbr/aorrlsh_n.asm +index db8ee68..56ca497 100644 +--- a/mpn/x86_64/coreisbr/aorrlsh_n.asm ++++ b/mpn/x86_64/coreisbr/aorrlsh_n.asm +@@ -213,3 +213,4 @@ IFDOS(` mov 64(%rsp), %r9 ') C cy + sbb R32(%rbx), R32(%rbx) C initialise CF save register + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/aors_n.asm b/mpn/x86_64/coreisbr/aors_n.asm +index 61fee3e..d466248 100644 +--- a/mpn/x86_64/coreisbr/aors_n.asm ++++ b/mpn/x86_64/coreisbr/aors_n.asm +@@ -201,3 +201,4 @@ PROLOGUE(func_nc) + IFDOS(` mov 56(%rsp), %r8 ') + jmp L(ent) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/cnd_add_n.asm b/mpn/x86_64/coreisbr/cnd_add_n.asm +index 43abcc8..3d72bf8 100644 +--- a/mpn/x86_64/coreisbr/cnd_add_n.asm ++++ b/mpn/x86_64/coreisbr/cnd_add_n.asm +@@ -172,3 +172,4 @@ L(end): neg R32(%rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/cnd_sub_n.asm b/mpn/x86_64/coreisbr/cnd_sub_n.asm +index f55492b..3371269 100644 +--- a/mpn/x86_64/coreisbr/cnd_sub_n.asm ++++ b/mpn/x86_64/coreisbr/cnd_sub_n.asm +@@ -198,3 +198,4 @@ L(end): neg R32(%rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/mul_1.asm b/mpn/x86_64/coreisbr/mul_1.asm +index a43a117..1f17293 100644 +--- a/mpn/x86_64/coreisbr/mul_1.asm ++++ b/mpn/x86_64/coreisbr/mul_1.asm +@@ -197,3 +197,4 @@ L(00c): add cin, %r10 + mov 8(up,n,8), %rax + jmp L(L0c) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/mul_2.asm b/mpn/x86_64/coreisbr/mul_2.asm +index 781534d..10f1769 100644 +--- a/mpn/x86_64/coreisbr/mul_2.asm ++++ b/mpn/x86_64/coreisbr/mul_2.asm +@@ -165,3 +165,4 @@ L(end): mul v0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/mul_basecase.asm b/mpn/x86_64/coreisbr/mul_basecase.asm +index 35fd1cc..d5c7e5b 100644 +--- a/mpn/x86_64/coreisbr/mul_basecase.asm ++++ b/mpn/x86_64/coreisbr/mul_basecase.asm +@@ -405,3 +405,4 @@ L(ret2):pop %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/mullo_basecase.asm b/mpn/x86_64/coreisbr/mullo_basecase.asm +index a41a8ac..acf7776 100644 +--- a/mpn/x86_64/coreisbr/mullo_basecase.asm ++++ b/mpn/x86_64/coreisbr/mullo_basecase.asm +@@ -382,3 +382,4 @@ L(n3): mov (vp_param), %r9 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/rsh1aors_n.asm b/mpn/x86_64/coreisbr/rsh1aors_n.asm +index fd2eaea..eefad99 100644 +--- a/mpn/x86_64/coreisbr/rsh1aors_n.asm ++++ b/mpn/x86_64/coreisbr/rsh1aors_n.asm +@@ -191,3 +191,4 @@ L(end): shrd $1, %rbx, %rbp + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/coreisbr/sqr_basecase.asm b/mpn/x86_64/coreisbr/sqr_basecase.asm +index 46a3612..1600e25 100644 +--- a/mpn/x86_64/coreisbr/sqr_basecase.asm ++++ b/mpn/x86_64/coreisbr/sqr_basecase.asm +@@ -482,3 +482,4 @@ L(dend):add %r8, %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/div_qr_1n_pi1.asm b/mpn/x86_64/div_qr_1n_pi1.asm +index b3d45e2..9fd2633 100644 +--- a/mpn/x86_64/div_qr_1n_pi1.asm ++++ b/mpn/x86_64/div_qr_1n_pi1.asm +@@ -245,3 +245,4 @@ L(q_incr_loop): + lea 8(U1), U1 + jmp L(q_incr_loop) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/div_qr_2n_pi1.asm b/mpn/x86_64/div_qr_2n_pi1.asm +index 5e59a0a..c189c33 100644 +--- a/mpn/x86_64/div_qr_2n_pi1.asm ++++ b/mpn/x86_64/div_qr_2n_pi1.asm +@@ -156,3 +156,4 @@ L(fix): C Unlikely update. u2 >= d1 + sbb d1, u2 + jmp L(bck) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/div_qr_2u_pi1.asm b/mpn/x86_64/div_qr_2u_pi1.asm +index 85af96f..f2ac526 100644 +--- a/mpn/x86_64/div_qr_2u_pi1.asm ++++ b/mpn/x86_64/div_qr_2u_pi1.asm +@@ -198,3 +198,4 @@ L(fix_qh): C Unlikely update. u2 >= d1 + sbb d1, u2 + jmp L(bck_qh) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/dive_1.asm b/mpn/x86_64/dive_1.asm +index 988bdab..1929091 100644 +--- a/mpn/x86_64/dive_1.asm ++++ b/mpn/x86_64/dive_1.asm +@@ -156,3 +156,4 @@ L(one): shr R8(%rcx), %rax + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/divrem_1.asm b/mpn/x86_64/divrem_1.asm +index d4d61ad..edfd893 100644 +--- a/mpn/x86_64/divrem_1.asm ++++ b/mpn/x86_64/divrem_1.asm +@@ -312,3 +312,4 @@ L(ret): pop %rbx + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/divrem_2.asm b/mpn/x86_64/divrem_2.asm +index 20811cc..e10f328 100644 +--- a/mpn/x86_64/divrem_2.asm ++++ b/mpn/x86_64/divrem_2.asm +@@ -190,3 +190,4 @@ L(fix): seta %dl + sbb %r11, %rbx + jmp L(bck) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastavx/copyd.asm b/mpn/x86_64/fastavx/copyd.asm +index 56d472f..a69a624 100644 +--- a/mpn/x86_64/fastavx/copyd.asm ++++ b/mpn/x86_64/fastavx/copyd.asm +@@ -170,3 +170,4 @@ L(bc): test $4, R8(n) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastavx/copyi.asm b/mpn/x86_64/fastavx/copyi.asm +index 7607747..f50aa47 100644 +--- a/mpn/x86_64/fastavx/copyi.asm ++++ b/mpn/x86_64/fastavx/copyi.asm +@@ -167,3 +167,4 @@ L(bc): test $4, R8(n) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/com-palignr.asm b/mpn/x86_64/fastsse/com-palignr.asm +index 69027bc..50cd40f 100644 +--- a/mpn/x86_64/fastsse/com-palignr.asm ++++ b/mpn/x86_64/fastsse/com-palignr.asm +@@ -309,3 +309,4 @@ L(end): test $1, R8(n) + 1: FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/com.asm b/mpn/x86_64/fastsse/com.asm +index c867222..aec7d25 100644 +--- a/mpn/x86_64/fastsse/com.asm ++++ b/mpn/x86_64/fastsse/com.asm +@@ -173,3 +173,4 @@ IFDOS(` add $56, %rsp ') + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/copyd-palignr.asm b/mpn/x86_64/fastsse/copyd-palignr.asm +index fac6f8a..fa1e4a4 100644 +--- a/mpn/x86_64/fastsse/copyd-palignr.asm ++++ b/mpn/x86_64/fastsse/copyd-palignr.asm +@@ -252,3 +252,4 @@ L(end): test $1, R8(n) + 1: FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/copyd.asm b/mpn/x86_64/fastsse/copyd.asm +index b3c4706..ce820c5 100644 +--- a/mpn/x86_64/fastsse/copyd.asm ++++ b/mpn/x86_64/fastsse/copyd.asm +@@ -164,3 +164,4 @@ L(sma): test $8, R8(n) + L(don): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/copyi-palignr.asm b/mpn/x86_64/fastsse/copyi-palignr.asm +index 9876a47..fb4655f 100644 +--- a/mpn/x86_64/fastsse/copyi-palignr.asm ++++ b/mpn/x86_64/fastsse/copyi-palignr.asm +@@ -298,3 +298,4 @@ L(end): test $1, R8(n) + 1: FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/copyi.asm b/mpn/x86_64/fastsse/copyi.asm +index 97f7865..826caad 100644 +--- a/mpn/x86_64/fastsse/copyi.asm ++++ b/mpn/x86_64/fastsse/copyi.asm +@@ -183,3 +183,4 @@ dnl jnc 1b + L(ret): FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/lshift-movdqu2.asm b/mpn/x86_64/fastsse/lshift-movdqu2.asm +index a05e850..217f2cd 100644 +--- a/mpn/x86_64/fastsse/lshift-movdqu2.asm ++++ b/mpn/x86_64/fastsse/lshift-movdqu2.asm +@@ -180,3 +180,4 @@ L(end8):movq (ap), %xmm0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/lshift.asm b/mpn/x86_64/fastsse/lshift.asm +index 6a17b93..79a5554 100644 +--- a/mpn/x86_64/fastsse/lshift.asm ++++ b/mpn/x86_64/fastsse/lshift.asm +@@ -171,3 +171,4 @@ L(end8):movq (ap), %xmm0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/lshiftc-movdqu2.asm b/mpn/x86_64/fastsse/lshiftc-movdqu2.asm +index 8250910..9f14435 100644 +--- a/mpn/x86_64/fastsse/lshiftc-movdqu2.asm ++++ b/mpn/x86_64/fastsse/lshiftc-movdqu2.asm +@@ -191,3 +191,4 @@ L(end8):movq (ap), %xmm0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/lshiftc.asm b/mpn/x86_64/fastsse/lshiftc.asm +index a616075..a6630cb 100644 +--- a/mpn/x86_64/fastsse/lshiftc.asm ++++ b/mpn/x86_64/fastsse/lshiftc.asm +@@ -181,3 +181,4 @@ L(end8):movq (ap), %xmm0 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/rshift-movdqu2.asm b/mpn/x86_64/fastsse/rshift-movdqu2.asm +index 1e270b1..15bcc02 100644 +--- a/mpn/x86_64/fastsse/rshift-movdqu2.asm ++++ b/mpn/x86_64/fastsse/rshift-movdqu2.asm +@@ -199,3 +199,4 @@ L(bc): dec R32(n) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fastsse/sec_tabselect.asm b/mpn/x86_64/fastsse/sec_tabselect.asm +index e7b7feb..f3b76eb 100644 +--- a/mpn/x86_64/fastsse/sec_tabselect.asm ++++ b/mpn/x86_64/fastsse/sec_tabselect.asm +@@ -202,3 +202,4 @@ IFDOS(` add $88, %rsp ') + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/fat/fat_entry.asm b/mpn/x86_64/fat/fat_entry.asm +index 5f244ac..2322be8 100644 +--- a/mpn/x86_64/fat/fat_entry.asm ++++ b/mpn/x86_64/fat/fat_entry.asm +@@ -207,3 +207,4 @@ PROLOGUE(__gmpn_cpuid) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/gcd_11.asm b/mpn/x86_64/gcd_11.asm +index f9b3bcc..1e5ac68 100644 +--- a/mpn/x86_64/gcd_11.asm ++++ b/mpn/x86_64/gcd_11.asm +@@ -112,3 +112,4 @@ L(shift_alot): + mov u0, %rdx + jmp L(mid) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/gcd_22.asm b/mpn/x86_64/gcd_22.asm +index 78f985f..c3b0b89 100644 +--- a/mpn/x86_64/gcd_22.asm ++++ b/mpn/x86_64/gcd_22.asm +@@ -161,3 +161,4 @@ L(end): C mov v0, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k10/gcd_22.asm b/mpn/x86_64/k10/gcd_22.asm +index f58b4cc..c7fe668 100644 +--- a/mpn/x86_64/k10/gcd_22.asm ++++ b/mpn/x86_64/k10/gcd_22.asm +@@ -140,3 +140,4 @@ L(end): C mov v0, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k10/hamdist.asm b/mpn/x86_64/k10/hamdist.asm +index f70494a..d885e2d 100644 +--- a/mpn/x86_64/k10/hamdist.asm ++++ b/mpn/x86_64/k10/hamdist.asm +@@ -107,3 +107,4 @@ L(top): mov (ap,n,8), %r8 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k10/popcount.asm b/mpn/x86_64/k10/popcount.asm +index 3814aea..45bcba5 100644 +--- a/mpn/x86_64/k10/popcount.asm ++++ b/mpn/x86_64/k10/popcount.asm +@@ -79,7 +79,7 @@ C neg R32(%rcx) + + lea L(top)(%rip), %rdx + lea (%rdx,%rcx,2), %rdx +- jmp *%rdx ++ X86_NOTRACK jmp *%rdx + ',` + lea (up,n,8), up + +@@ -101,7 +101,7 @@ C lea (%rcx,%rcx,4), %rcx C 10x + + lea L(top)(%rip), %rdx + add %rcx, %rdx +- jmp *%rdx ++ X86_NOTRACK jmp *%rdx + ') + + ALIGN(32) +@@ -136,3 +136,4 @@ C 1 = n mod 8 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/addmul_2.asm b/mpn/x86_64/k8/addmul_2.asm +index 78bcba1..38caa4d 100644 +--- a/mpn/x86_64/k8/addmul_2.asm ++++ b/mpn/x86_64/k8/addmul_2.asm +@@ -193,3 +193,4 @@ L(end): xor R32(w1), R32(w1) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/aorrlsh_n.asm b/mpn/x86_64/k8/aorrlsh_n.asm +index ff3a184..3ab7050 100644 +--- a/mpn/x86_64/k8/aorrlsh_n.asm ++++ b/mpn/x86_64/k8/aorrlsh_n.asm +@@ -215,3 +215,4 @@ L(cj1): mov %r9, 8(rp,n,8) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/bdiv_q_1.asm b/mpn/x86_64/k8/bdiv_q_1.asm +index 1172b0d..606d54f 100644 +--- a/mpn/x86_64/k8/bdiv_q_1.asm ++++ b/mpn/x86_64/k8/bdiv_q_1.asm +@@ -177,3 +177,4 @@ L(one): shr R8(%rcx), %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/div_qr_1n_pi1.asm b/mpn/x86_64/k8/div_qr_1n_pi1.asm +index 86de08c..e91b809 100644 +--- a/mpn/x86_64/k8/div_qr_1n_pi1.asm ++++ b/mpn/x86_64/k8/div_qr_1n_pi1.asm +@@ -247,3 +247,4 @@ L(q_incr_loop): + lea 8(U1), U1 + jmp L(q_incr_loop) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/mul_basecase.asm b/mpn/x86_64/k8/mul_basecase.asm +index ca2efb9..9126c2b 100644 +--- a/mpn/x86_64/k8/mul_basecase.asm ++++ b/mpn/x86_64/k8/mul_basecase.asm +@@ -335,8 +335,10 @@ C addmul_2 for remaining vp's + C adjusted value of n that is reloaded on each iteration + + L(addmul_outer_0): ++ X86_ENDBR + add $3, un + lea 0(%rip), outer_addr ++ X86_ENDBR + + mov un, n + mov -24(up,un,8), %rax +@@ -348,6 +350,7 @@ L(addmul_outer_0): + jmp L(addmul_entry_0) + + L(addmul_outer_1): ++ X86_ENDBR + mov un, n + mov (up,un,8), %rax + mul v0 +@@ -358,8 +361,10 @@ L(addmul_outer_1): + jmp L(addmul_entry_1) + + L(addmul_outer_2): ++ X86_ENDBR + add $1, un + lea 0(%rip), outer_addr ++ X86_ENDBR + + mov un, n + mov -8(up,un,8), %rax +@@ -372,8 +377,10 @@ L(addmul_outer_2): + jmp L(addmul_entry_2) + + L(addmul_outer_3): ++ X86_ENDBR + add $2, un + lea 0(%rip), outer_addr ++ X86_ENDBR + + mov un, n + mov -16(up,un,8), %rax +@@ -467,3 +474,4 @@ L(ret): pop %r15 + ret + + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/mullo_basecase.asm b/mpn/x86_64/k8/mullo_basecase.asm +index fa00f42..4a931a5 100644 +--- a/mpn/x86_64/k8/mullo_basecase.asm ++++ b/mpn/x86_64/k8/mullo_basecase.asm +@@ -99,12 +99,14 @@ dnl JMPENT( L(2m4), L(tab)) C 10 + dnl JMPENT( L(3m4), L(tab)) C 11 + TEXT + +-L(1): imul %r8, %rax ++L(1): X86_ENDBR ++ imul %r8, %rax + mov %rax, (rp) + FUNC_EXIT() + ret + +-L(2): mov 8(vp_param), %r11 ++L(2): X86_ENDBR ++ mov 8(vp_param), %r11 + imul %rax, %r11 C u0 x v1 + mul %r8 C u0 x v0 + mov %rax, (rp) +@@ -115,7 +117,8 @@ L(2): mov 8(vp_param), %r11 + FUNC_EXIT() + ret + +-L(3): mov 8(vp_param), %r9 C v1 ++L(3): X86_ENDBR ++ mov 8(vp_param), %r9 C v1 + mov 16(vp_param), %r11 + mul %r8 C u0 x v0 -> + mov %rax, (rp) C r0 +@@ -335,6 +338,7 @@ L(mul_2_entry_1): + + + L(addmul_outer_1): ++ X86_ENDBR + lea -2(n), j + mov -16(up,n,8), %rax + mul v0 +@@ -346,6 +350,7 @@ L(addmul_outer_1): + jmp L(addmul_entry_1) + + L(addmul_outer_3): ++ X86_ENDBR + lea 0(n), j + mov -16(up,n,8), %rax + xor R32(w3), R32(w3) +@@ -434,3 +439,4 @@ L(ret): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/mulmid_basecase.asm b/mpn/x86_64/k8/mulmid_basecase.asm +index 86f1414..7d5f158 100644 +--- a/mpn/x86_64/k8/mulmid_basecase.asm ++++ b/mpn/x86_64/k8/mulmid_basecase.asm +@@ -329,6 +329,7 @@ C addmul_2 for remaining vp's + + ALIGN(16) + L(addmul_prologue_0): ++ X86_ENDBR + mov -8(up,n,8), %rax + mul v1 + mov %rax, w1 +@@ -338,6 +339,7 @@ L(addmul_prologue_0): + + ALIGN(16) + L(addmul_prologue_1): ++ X86_ENDBR + mov 16(up,n,8), %rax + mul v1 + mov %rax, w0 +@@ -348,6 +350,7 @@ L(addmul_prologue_1): + + ALIGN(16) + L(addmul_prologue_2): ++ X86_ENDBR + mov 8(up,n,8), %rax + mul v1 + mov %rax, w3 +@@ -357,6 +360,7 @@ L(addmul_prologue_2): + + ALIGN(16) + L(addmul_prologue_3): ++ X86_ENDBR + mov (up,n,8), %rax + mul v1 + mov %rax, w2 +@@ -471,6 +475,7 @@ L(diag_prologue_0): + mov vp, vp_inner + mov vn, n + lea 0(%rip), outer_addr ++ X86_ENDBR + mov -8(up,n,8), %rax + jmp L(diag_entry_0) + +@@ -480,6 +485,7 @@ L(diag_prologue_1): + add $3, vn + mov vn, n + lea 0(%rip), outer_addr ++ X86_ENDBR + mov -8(vp_inner), %rax + jmp L(diag_entry_1) + +@@ -489,6 +495,7 @@ L(diag_prologue_2): + add $2, vn + mov vn, n + lea 0(%rip), outer_addr ++ X86_ENDBR + mov 16(vp_inner), %rax + jmp L(diag_entry_2) + +@@ -507,6 +514,7 @@ L(diag_entry_0): + adc %rdx, w1 + adc $0, w2 + L(diag_entry_3): ++ X86_ENDBR + mov -16(up,n,8), %rax + mulq 8(vp_inner) + add %rax, w0 +@@ -557,3 +565,4 @@ L(ret): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/redc_1.asm b/mpn/x86_64/k8/redc_1.asm +index 9327b21..3e241af 100644 +--- a/mpn/x86_64/k8/redc_1.asm ++++ b/mpn/x86_64/k8/redc_1.asm +@@ -125,7 +125,8 @@ L(tab): JMPENT( L(0), L(tab)) + TEXT + + ALIGN(16) +-L(1): mov (mp_param), %rax ++L(1): X86_ENDBR ++ mov (mp_param), %rax + mul q0 + add 8(up), %rax + adc 16(up), %rdx +@@ -136,7 +137,8 @@ L(1): mov (mp_param), %rax + + + ALIGN(16) +-L(2): mov (mp_param), %rax ++L(2): X86_ENDBR ++ mov (mp_param), %rax + mul q0 + xor R32(%r14), R32(%r14) + mov %rax, %r10 +@@ -171,7 +173,8 @@ L(2): mov (mp_param), %rax + jmp L(ret) + + +-L(3): mov (mp_param), %rax ++L(3): X86_ENDBR ++ mov (mp_param), %rax + mul q0 + mov %rax, %rbx + mov %rdx, %r10 +@@ -248,7 +251,7 @@ L(3): mov (mp_param), %rax + + + ALIGN(16) +-L(2m4): ++L(2m4): X86_ENDBR + L(lo2): mov (mp,nneg,8), %rax + mul q0 + xor R32(%r14), R32(%r14) +@@ -324,7 +327,7 @@ L(le2): add %r10, (up) + + + ALIGN(16) +-L(1m4): ++L(1m4): X86_ENDBR + L(lo1): mov (mp,nneg,8), %rax + xor %r9, %r9 + xor R32(%rbx), R32(%rbx) +@@ -398,7 +401,7 @@ L(le1): add %r10, (up) + + ALIGN(16) + L(0): +-L(0m4): ++L(0m4): X86_ENDBR + L(lo0): mov (mp,nneg,8), %rax + mov nneg, i + mul q0 +@@ -463,7 +466,7 @@ L(le0): add %r10, (up) + + + ALIGN(16) +-L(3m4): ++L(3m4): X86_ENDBR + L(lo3): mov (mp,nneg,8), %rax + mul q0 + mov %rax, %rbx +@@ -589,3 +592,4 @@ L(ret): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/k8/sqr_basecase.asm b/mpn/x86_64/k8/sqr_basecase.asm +index 60cf945..37858b4 100644 +--- a/mpn/x86_64/k8/sqr_basecase.asm ++++ b/mpn/x86_64/k8/sqr_basecase.asm +@@ -131,7 +131,8 @@ L(tab): JMPENT( L(4), L(tab)) + JMPENT( L(3m4), L(tab)) + TEXT + +-L(1): mov (up), %rax ++L(1): X86_ENDBR ++ mov (up), %rax + mul %rax + add $40, %rsp + mov %rax, (rp) +@@ -139,7 +140,8 @@ L(1): mov (up), %rax + FUNC_EXIT() + ret + +-L(2): mov (up), %rax ++L(2): X86_ENDBR ++ mov (up), %rax + mov %rax, %r8 + mul %rax + mov 8(up), %r11 +@@ -165,7 +167,8 @@ L(2): mov (up), %rax + FUNC_EXIT() + ret + +-L(3): mov (up), %rax ++L(3): X86_ENDBR ++ mov (up), %rax + mov %rax, %r10 + mul %rax + mov 8(up), %r11 +@@ -210,7 +213,8 @@ L(3): mov (up), %rax + FUNC_EXIT() + ret + +-L(4): mov (up), %rax ++L(4): X86_ENDBR ++ mov (up), %rax + mov %rax, %r11 + mul %rax + mov 8(up), %rbx +@@ -282,6 +286,7 @@ L(4): mov (up), %rax + + + L(0m4): ++ X86_ENDBR + lea -16(rp,n,8), tp C point tp in middle of result operand + mov (up), v0 + mov 8(up), %rax +@@ -340,6 +345,7 @@ L(L3): xor R32(w1), R32(w1) + + + L(1m4): ++ X86_ENDBR + lea 8(rp,n,8), tp C point tp in middle of result operand + mov (up), v0 C u0 + mov 8(up), %rax C u1 +@@ -418,6 +424,7 @@ L(m2x): mov (up,j,8), %rax + + + L(2m4): ++ X86_ENDBR + lea -16(rp,n,8), tp C point tp in middle of result operand + mov (up), v0 + mov 8(up), %rax +@@ -474,7 +481,7 @@ L(L1): xor R32(w0), R32(w0) + jmp L(dowhile_mid) + + +-L(3m4): ++L(3m4): X86_ENDBR + lea 8(rp,n,8), tp C point tp in middle of result operand + mov (up), v0 C u0 + mov 8(up), %rax C u1 +@@ -805,3 +812,4 @@ L(d1): mov %r11, 24(rp,j,8) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/logops_n.asm b/mpn/x86_64/logops_n.asm +index e25854d..b3969ba 100644 +--- a/mpn/x86_64/logops_n.asm ++++ b/mpn/x86_64/logops_n.asm +@@ -258,3 +258,4 @@ L(ret): FUNC_EXIT() + ret + EPILOGUE() + ') ++ASM_END() +diff --git a/mpn/x86_64/lshift.asm b/mpn/x86_64/lshift.asm +index fff3152..4187bdc 100644 +--- a/mpn/x86_64/lshift.asm ++++ b/mpn/x86_64/lshift.asm +@@ -170,3 +170,4 @@ L(ast): mov (up), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/lshiftc.asm b/mpn/x86_64/lshiftc.asm +index c4ba04a..f6fe4c9 100644 +--- a/mpn/x86_64/lshiftc.asm ++++ b/mpn/x86_64/lshiftc.asm +@@ -180,3 +180,4 @@ L(ast): mov (up), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/lshsub_n.asm b/mpn/x86_64/lshsub_n.asm +index 4d428c0..62877d7 100644 +--- a/mpn/x86_64/lshsub_n.asm ++++ b/mpn/x86_64/lshsub_n.asm +@@ -170,3 +170,4 @@ L(end): + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/missing.asm b/mpn/x86_64/missing.asm +index 9b65c89..22dac17 100644 +--- a/mpn/x86_64/missing.asm ++++ b/mpn/x86_64/missing.asm +@@ -128,3 +128,4 @@ PROLOGUE(__gmp_adcx) + ret + EPILOGUE() + PROTECT(__gmp_adcx) ++ASM_END() +diff --git a/mpn/x86_64/mod_1_2.asm b/mpn/x86_64/mod_1_2.asm +index 40fcaeb..fbaae3b 100644 +--- a/mpn/x86_64/mod_1_2.asm ++++ b/mpn/x86_64/mod_1_2.asm +@@ -239,3 +239,4 @@ ifdef(`SHLD_SLOW',` + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/mod_1_4.asm b/mpn/x86_64/mod_1_4.asm +index 6cf304c..8969e42 100644 +--- a/mpn/x86_64/mod_1_4.asm ++++ b/mpn/x86_64/mod_1_4.asm +@@ -270,3 +270,4 @@ ifdef(`SHLD_SLOW',` + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/mod_34lsub1.asm b/mpn/x86_64/mod_34lsub1.asm +index 75421a6..70282b6 100644 +--- a/mpn/x86_64/mod_34lsub1.asm ++++ b/mpn/x86_64/mod_34lsub1.asm +@@ -145,46 +145,55 @@ L(tab): JMPENT( L(0), L(tab)) + JMPENT( L(8), L(tab)) + TEXT + +-L(6): add (ap), %rax ++L(6): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + adc $0, %r9 + add $24, ap +-L(3): add (ap), %rax ++L(3): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + jmp L(cj1) + +-L(7): add (ap), %rax ++L(7): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + adc $0, %r9 + add $24, ap +-L(4): add (ap), %rax ++L(4): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + adc $0, %r9 + add $24, ap +-L(1): add (ap), %rax ++L(1): X86_ENDBR ++ add (ap), %rax + adc $0, %rcx + jmp L(cj2) + +-L(8): add (ap), %rax ++L(8): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + adc $0, %r9 + add $24, ap +-L(5): add (ap), %rax ++L(5): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + adc 16(ap), %rdx + adc $0, %r9 + add $24, ap +-L(2): add (ap), %rax ++L(2): X86_ENDBR ++ add (ap), %rax + adc 8(ap), %rcx + + L(cj2): adc $0, %rdx + L(cj1): adc $0, %r9 +-L(0): add %r9, %rax ++L(0): X86_ENDBR ++ add %r9, %rax + adc $0, %rcx + adc $0, %rdx + adc $0, %rax +@@ -213,3 +222,4 @@ L(0): add %r9, %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/mode1o.asm b/mpn/x86_64/mode1o.asm +index 2cd2b08..3377435 100644 +--- a/mpn/x86_64/mode1o.asm ++++ b/mpn/x86_64/mode1o.asm +@@ -169,3 +169,4 @@ L(one): + + EPILOGUE(mpn_modexact_1c_odd) + EPILOGUE(mpn_modexact_1_odd) ++ASM_END() +diff --git a/mpn/x86_64/mul_1.asm b/mpn/x86_64/mul_1.asm +index e1ba89b..44764dd 100644 +--- a/mpn/x86_64/mul_1.asm ++++ b/mpn/x86_64/mul_1.asm +@@ -190,3 +190,4 @@ IFDOS(``pop %rdi '') + IFDOS(``pop %rsi '') + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/mul_2.asm b/mpn/x86_64/mul_2.asm +index d64313b..b6c6bf1 100644 +--- a/mpn/x86_64/mul_2.asm ++++ b/mpn/x86_64/mul_2.asm +@@ -202,3 +202,4 @@ L(m22): mul v1 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/nano/dive_1.asm b/mpn/x86_64/nano/dive_1.asm +index e9a0763..aead4d5 100644 +--- a/mpn/x86_64/nano/dive_1.asm ++++ b/mpn/x86_64/nano/dive_1.asm +@@ -164,3 +164,4 @@ L(one): shr R8(%rcx), %rax + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/pentium4/aors_n.asm b/mpn/x86_64/pentium4/aors_n.asm +index 8e6ee1b..3751e38 100644 +--- a/mpn/x86_64/pentium4/aors_n.asm ++++ b/mpn/x86_64/pentium4/aors_n.asm +@@ -194,3 +194,4 @@ L(ret): mov R32(%rbx), R32(%rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/pentium4/mod_34lsub1.asm b/mpn/x86_64/pentium4/mod_34lsub1.asm +index f34b3f0..bf83f62 100644 +--- a/mpn/x86_64/pentium4/mod_34lsub1.asm ++++ b/mpn/x86_64/pentium4/mod_34lsub1.asm +@@ -165,3 +165,4 @@ L(combine): + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/pentium4/rsh1aors_n.asm b/mpn/x86_64/pentium4/rsh1aors_n.asm +index 5528ce4..219a809 100644 +--- a/mpn/x86_64/pentium4/rsh1aors_n.asm ++++ b/mpn/x86_64/pentium4/rsh1aors_n.asm +@@ -332,3 +332,4 @@ L(cj1): or %r14, %rbx + L(c3): mov $1, R8(%rax) + jmp L(rc3) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/pentium4/rshift.asm b/mpn/x86_64/pentium4/rshift.asm +index b7c1ee2..848045f 100644 +--- a/mpn/x86_64/pentium4/rshift.asm ++++ b/mpn/x86_64/pentium4/rshift.asm +@@ -167,3 +167,4 @@ L(ast): movq (up), %mm2 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/popham.asm b/mpn/x86_64/popham.asm +index 3a29b2e..b7ceb17 100644 +--- a/mpn/x86_64/popham.asm ++++ b/mpn/x86_64/popham.asm +@@ -161,3 +161,4 @@ L(end): + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/rsh1aors_n.asm b/mpn/x86_64/rsh1aors_n.asm +index a3e9cc5..797e250 100644 +--- a/mpn/x86_64/rsh1aors_n.asm ++++ b/mpn/x86_64/rsh1aors_n.asm +@@ -187,3 +187,4 @@ L(end): mov %rbx, (rp) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/rshift.asm b/mpn/x86_64/rshift.asm +index 3f344f1..0fc5877 100644 +--- a/mpn/x86_64/rshift.asm ++++ b/mpn/x86_64/rshift.asm +@@ -174,3 +174,4 @@ L(ast): mov (up), %r10 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/sec_tabselect.asm b/mpn/x86_64/sec_tabselect.asm +index e8aed26..5dce3c1 100644 +--- a/mpn/x86_64/sec_tabselect.asm ++++ b/mpn/x86_64/sec_tabselect.asm +@@ -174,3 +174,4 @@ L(b00): pop %r15 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/sqr_diag_addlsh1.asm b/mpn/x86_64/sqr_diag_addlsh1.asm +index f486125..a1d8767 100644 +--- a/mpn/x86_64/sqr_diag_addlsh1.asm ++++ b/mpn/x86_64/sqr_diag_addlsh1.asm +@@ -114,3 +114,4 @@ L(end): add %r10, %r8 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/sublsh1_n.asm b/mpn/x86_64/sublsh1_n.asm +index c6d829f..c18f32a 100644 +--- a/mpn/x86_64/sublsh1_n.asm ++++ b/mpn/x86_64/sublsh1_n.asm +@@ -158,3 +158,4 @@ L(end): add R32(%rbp), R32(%rax) + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/x86_64-defs.m4 b/mpn/x86_64/x86_64-defs.m4 +index 4e08f2a..9fe328e 100644 +--- a/mpn/x86_64/x86_64-defs.m4 ++++ b/mpn/x86_64/x86_64-defs.m4 +@@ -95,6 +95,7 @@ m4_assert_numargs(1) + TYPE($1,`function') + COFF_TYPE($1) + $1: ++ X86_ENDBR + ') + + +@@ -167,6 +168,10 @@ ifdef(`PIC', + `lea $1(%rip), $2') + ') + ++dnl ASM_END ++ ++define(`ASM_END', `X86_GNU_PROPERTY') ++ + + define(`DEF_OBJECT', + m4_assert_numargs_range(2,3) +diff --git a/mpn/x86_64/zen/aorrlsh_n.asm b/mpn/x86_64/zen/aorrlsh_n.asm +index e049b2f..6e6783f 100644 +--- a/mpn/x86_64/zen/aorrlsh_n.asm ++++ b/mpn/x86_64/zen/aorrlsh_n.asm +@@ -102,26 +102,30 @@ ifdef(`PIC',` + jmp *(%r11,%rax,8) + ') + +-L(0): lea 32(up), up ++L(0): X86_ENDBR ++ lea 32(up), up + lea 32(vp), vp + lea 32(rp), rp + xor R32(%r11), R32(%r11) + jmp L(e0) + +-L(7): mov %r10, %r11 ++L(7): X86_ENDBRmov ++ %r10, %r11 + lea 24(up), up + lea 24(vp), vp + lea 24(rp), rp + xor R32(%r10), R32(%r10) + jmp L(e7) + +-L(6): lea 16(up), up ++L(6): X86_ENDBR ++ movlea 16(up), up + lea 16(vp), vp + lea 16(rp), rp + xor R32(%r11), R32(%r11) + jmp L(e6) + +-L(5): mov %r10, %r11 ++L(5): X86_ENDBRmov ++ mov %r10, %r11 + lea 8(up), up + lea 8(vp), vp + lea 8(rp), rp +@@ -191,23 +195,27 @@ L(e1): shlx( cnt, %r11, %rax) + lea (%r10,%rax), %rax + jmp L(top) + +-L(4): xor R32(%r11), R32(%r11) ++L(4): X86_ENDBRmov ++ xor R32(%r11), R32(%r11) + jmp L(e4) + +-L(3): mov %r10, %r11 ++L(3): X86_ENDBRmov ++ mov %r10, %r11 + lea -8(up), up + lea -8(vp), vp + lea -8(rp), rp + xor R32(%r10), R32(%r10) + jmp L(e3) + +-L(2): lea -16(up), up ++L(2): X86_ENDBRmov ++ lea -16(up), up + lea -16(vp), vp + lea -16(rp), rp + xor R32(%r11), R32(%r11) + jmp L(e2) + +-L(1): mov %r10, %r11 ++L(1): X86_ENDBRmov ++ mov %r10, %r11 + lea -24(up), up + lea 40(vp), vp + lea 40(rp), rp +@@ -224,3 +232,4 @@ L(tab): JMPENT( L(0), L(tab)) + JMPENT( L(5), L(tab)) + JMPENT( L(6), L(tab)) + JMPENT( L(7), L(tab)) ++ASM_END() +diff --git a/mpn/x86_64/zen/mul_basecase.asm b/mpn/x86_64/zen/mul_basecase.asm +index affa3b6..c70d548 100644 +--- a/mpn/x86_64/zen/mul_basecase.asm ++++ b/mpn/x86_64/zen/mul_basecase.asm +@@ -453,3 +453,4 @@ L(wd3): adc %r11, 8(rp) + jne L(3) + jmp L(end) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/zen/mullo_basecase.asm b/mpn/x86_64/zen/mullo_basecase.asm +index 2ae729a..c081698 100644 +--- a/mpn/x86_64/zen/mullo_basecase.asm ++++ b/mpn/x86_64/zen/mullo_basecase.asm +@@ -297,3 +297,4 @@ L(lo0): .byte 0xc4,0xe2,0xe3,0xf6,0x44,0xce,0x18 C mulx 24(up,n,8), %rbx, %rax + inc %r14 + jmp L(outer) + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/zen/sbpi1_bdiv_r.asm b/mpn/x86_64/zen/sbpi1_bdiv_r.asm +index f6e8f9c..277b3c3 100644 +--- a/mpn/x86_64/zen/sbpi1_bdiv_r.asm ++++ b/mpn/x86_64/zen/sbpi1_bdiv_r.asm +@@ -505,3 +505,4 @@ L(ret): mov %rbp, %rax + pop %r15 + ret + EPILOGUE() ++ASM_END() +diff --git a/mpn/x86_64/zen/sqr_basecase.asm b/mpn/x86_64/zen/sqr_basecase.asm +index a7c6127..d185deb 100644 +--- a/mpn/x86_64/zen/sqr_basecase.asm ++++ b/mpn/x86_64/zen/sqr_basecase.asm +@@ -480,3 +480,4 @@ C pop %r14 + FUNC_EXIT() + ret + EPILOGUE() ++ASM_END() +-- +2.37.1 + diff --git a/sources b/sources index 3f14f2f..6cf30b8 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ +SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 SHA512 (gnutls-3.8.5.tar.xz) = 4bac1aa7ec1dce9b3445cc515cc287a5af032d34c207399aa9722e3dc53ed652f8a57cfbc9c5e40ccc4a2631245d89ab676e3ba2be9563f60ba855aaacb8e23c SHA512 (gnutls-3.8.5.tar.xz.sig) = b0f7a8ec348765112cac75fd732e066adaa1595bb83024cfeff6633aba35277d8aceda145c733c3d95f1e0eb4d34fead2479abdb08d6041362094a235460fa67 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a From 87c3926250cad0cfe78e198c35e05ac98aaec826 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 17 Jun 2024 12:43:43 +0900 Subject: [PATCH 110/152] Bump release to build against newer nettle Signed-off-by: Daiki Ueno From 113f49276567e35d9ee0695f5ac329ad4b6e83f7 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 17 Jun 2024 11:55:48 +0200 Subject: [PATCH 111/152] Build with certificate compression enabled Signed-off-by: Zoltan Fridrich --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 67479b8..992698f 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -25,7 +25,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %bcond_with tpm12 %bcond_without tpm2 %bcond_without gost -%bcond_with certificate_compression +%bcond_without certificate_compression %bcond_without tests %if 0%{?fedora} && 0%{?fedora} < 38 From d44882c39672ec972f2c0fccdb55beee511c20fe Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 3 Jul 2024 15:30:35 +0200 Subject: [PATCH 112/152] Update to 3.8.6 upstream release Upstream tag: 3.8.6 Upstream commit: cd953cfa Commit authored by Packit automation (https://packit.dev/) --- .gitignore | 3 +++ README.packit | 2 +- gnutls.spec | 2 +- sources | 6 +++--- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index c639f55..8a210dd 100644 --- a/.gitignore +++ b/.gitignore @@ -154,3 +154,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.4.tar.xz.sig /gnutls-3.8.5.tar.xz /gnutls-3.8.5.tar.xz.sig +/gnutls-3.8.6.tar.xz +/gnutls-3.8.6.tar.xz.sig +/gmp-6.2.1.tar.xz diff --git a/README.packit b/README.packit index 8480b61..3dfd179 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.94.0. +The file was generated using packit 0.97.3. diff --git a/gnutls.spec b/gnutls.spec index 992698f..5442854 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.5 +Version: 3.8.6 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch diff --git a/sources b/sources index 6cf30b8..cdafbdf 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 -SHA512 (gnutls-3.8.5.tar.xz) = 4bac1aa7ec1dce9b3445cc515cc287a5af032d34c207399aa9722e3dc53ed652f8a57cfbc9c5e40ccc4a2631245d89ab676e3ba2be9563f60ba855aaacb8e23c -SHA512 (gnutls-3.8.5.tar.xz.sig) = b0f7a8ec348765112cac75fd732e066adaa1595bb83024cfeff6633aba35277d8aceda145c733c3d95f1e0eb4d34fead2479abdb08d6041362094a235460fa67 +SHA512 (gnutls-3.8.6.tar.xz) = 58631c456dfb43f8cb6a1703ffa91c593a33357f37dc146e808d88692e19c7ac10aeabea40bee9952205be97e00648879e9f0fa80e670e8e695f8633ba726513 +SHA512 (gnutls-3.8.6.tar.xz.sig) = 3f9552cdf5fa96184fbe394dd484fb55e6a3577d1e048aea373b82cda335ea0f174f2fb11926dc58532c1f950cd10a6a35bc36e9fe813a1259eae5c5364920b2 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a +SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 From e1613e89be68399ae85aa0c13b0b827b16f69e4f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 9 Jul 2024 01:35:31 +0900 Subject: [PATCH 113/152] Bump nettle dependency to 3.10 Signed-off-by: Daiki Ueno --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 5442854..e113cef 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -66,7 +66,7 @@ BuildRequires: zlib-devel, brotli-devel, libzstd-devel %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif -BuildRequires: nettle-devel >= 3.9.1 +BuildRequires: nettle-devel >= 3.10 %if %{with tpm12} BuildRequires: trousers-devel >= 0.3.11.2 %endif @@ -85,7 +85,7 @@ Requires: crypto-policies Requires: p11-kit-trust Requires: libtasn1 >= 4.3 # always bump when a nettle release is packaged -Requires: nettle >= 3.9.1 +Requires: nettle >= 3.10 %if %{with tpm12} Recommends: trousers >= 0.3.11.2 %endif From 1dcd42a32e9402afa6b09361036f0d27849e15a7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 18 Jul 2024 03:21:01 +0000 Subject: [PATCH 114/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 7e61bcbcbdbec6ec9b4517238d471df429a47403 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 19 Jul 2024 15:55:26 -0400 Subject: [PATCH 115/152] Fix FIPS build with RPM 4.20 The FIPS build runs *_install_post commands early during %install so that the binaries will not be modified after running fipshmac, since those commands are supposed to be no-op if re-run. However, __debug_install_post is only run if __debug_package is defined, which is triggered by the automatic creation of the debuginfo subpackage where appropriate. Previously, a hack in redhat-rpm-config caused this to be enabled by %install, but with RPM 4.20 this is no longer needed, and the hack was removed from redhat-rpm-config for F41. On Fedora builds, %mingw_debug_package triggers this and therefore it still builds, but ELN is build without mingw and therefore there now is nothing to trigger the debuginfo generation during %install. As a result, the binaries would just be stripped without any debuginfo generation during the first run, leaving nothing to detect in the second run, and the build would fail for lack of debug symbols/sources. https://github.com/rpm-software-management/rpm/issues/2204 https://src.fedoraproject.org/rpms/redhat-rpm-config/c/7a1571ee808ba13b129eab7a7ed3869e77740c3e --- gnutls.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/gnutls.spec b/gnutls.spec index e113cef..3bb7052 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -380,6 +380,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %if %{with fips} # doing it twice should be a no-op the second time, # and this way we avoid redefining it and missing a future change +%global __debug_package 1 %{__spec_install_post} fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*` ./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" From ee639ed08504005dd02192d9a7b59d0c8f7f1005 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 22 Jul 2024 16:16:35 +0900 Subject: [PATCH 116/152] Switch to using dlwrap for loading compression libraries Signed-off-by: Daiki Ueno --- gnutls-3.8.6-compression-dlwrap.patch | 2131 +++++++++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 2132 insertions(+) create mode 100644 gnutls-3.8.6-compression-dlwrap.patch diff --git a/gnutls-3.8.6-compression-dlwrap.patch b/gnutls-3.8.6-compression-dlwrap.patch new file mode 100644 index 0000000..835f151 --- /dev/null +++ b/gnutls-3.8.6-compression-dlwrap.patch @@ -0,0 +1,2131 @@ +From dd7f8c30ca44695992bbb92146e385b4b700f285 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 29 Jun 2024 09:52:55 +0900 +Subject: [PATCH 1/4] m4: factor out soname check into a separate macro + +This moves the SONAME detection from configure.ac to m4/hooks.m4 as +the LIBGNUTLS_CHECK_SONAME macro. The new macro doesn't implicitly +set *_LIBRARY_SONAME to "none", so the callers need to adjust +themselves depending on whether the macro is defined. + +Signed-off-by: Daiki Ueno +--- + configure.ac | 50 ++++++++++++-------------------------------------- + lib/fips.c | 26 ++++++++++++++------------ + lib/fipshmac.c | 14 ++++++++++++++ + lib/global.c | 6 ++++++ + m4/hooks.m4 | 20 ++++++++++++++++++++ + 5 files changed, 66 insertions(+), 50 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 1744813b79..3f001998b4 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -810,61 +810,35 @@ save_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS $GMP_CFLAGS" + save_LIBS=$LIBS + LIBS="$LIBS $GMP_LIBS" +-AC_MSG_CHECKING([gmp soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++LIBGNUTLS_CHECK_SONAME([gmp], [AC_LANG_PROGRAM([ + #include ],[ + mpz_t n; +- mpz_init(n);])], +- [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], +- [gmp_so=none]) +-if test -z "$gmp_so"; then +- gmp_so=none +-fi +-AC_MSG_RESULT($gmp_so) +-if test "$gmp_so" != none; then +- AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library]) +-fi +-LIBS=$save_LIBS +-CFLAGS=$save_CFLAGS ++ mpz_init(n);])]) ++LIBS="$save_LIBS" ++CFLAGS="$save_CFLAGS" + + save_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS $NETTLE_CFLAGS" + save_LIBS=$LIBS + LIBS="$LIBS $NETTLE_LIBS" +-AC_MSG_CHECKING([nettle soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++LIBGNUTLS_CHECK_SONAME([nettle], [AC_LANG_PROGRAM([ + #include ],[ + struct sha256_ctx ctx; +- sha256_init(&ctx);])], +- [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], +- [nettle_so=none]) +-if test -z "$nettle_so"; then +- nettle_so=none +-fi +-AC_MSG_RESULT($nettle_so) +-AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library]) +-LIBS=$save_LIBS +-CFLAGS=$save_CFLAGS ++ sha256_init(&ctx);])]) ++LIBS="$save_LIBS" ++CFLAGS="$save_CFLAGS" + + save_CFLAGS=$CFLAGS + # includes + CFLAGS="$CFLAGS $HOGWEED_CFLAGS $GMP_CFLAGS" + save_LIBS=$LIBS + LIBS="$LIBS $HOGWEED_LIBS" +-AC_MSG_CHECKING([hogweed soname]) +-AC_LINK_IFELSE([AC_LANG_PROGRAM([ ++LIBGNUTLS_CHECK_SONAME([hogweed], [AC_LANG_PROGRAM([ + #include ],[ + struct rsa_private_key priv; +- nettle_rsa_private_key_init(&priv);])], +- [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], +- [hogweed_so=none]) +-if test -z "$hogweed_so"; then +- hogweed_so=none +-fi +-AC_MSG_RESULT($hogweed_so) +-AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library]) +-LIBS=$save_LIBS +-CFLAGS=$save_CFLAGS ++ nettle_rsa_private_key_init(&priv);])]) ++LIBS="$save_LIBS" ++CFLAGS="$save_CFLAGS" + + gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"` + AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library]) +diff --git a/lib/fips.c b/lib/fips.c +index 1611200be8..e5fce6b1b9 100644 +--- a/lib/fips.c ++++ b/lib/fips.c +@@ -152,15 +152,17 @@ void _gnutls_fips_mode_reset_zombie(void) + } + } + +-/* These only works with the platform where SONAME is part of the ABI. +- * For example, *_SONAME will be set to "none" on Windows platforms. */ +-#define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME +-#define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME +-#define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME ++/* These only works with the platform where SONAME is part of the ABI. */ ++#ifndef GNUTLS_LIBRARY_SONAME ++#define GNUTLS_LIBRARY_SONAME "none" ++#endif + +-/* GMP can be statically linked. */ +-#ifdef GMP_LIBRARY_SONAME +-#define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME ++#ifndef NETTLE_LIBRARY_SONAME ++#define NETTLE_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef HOGWEED_LIBRARY_SONAME ++#define HOGWEED_LIBRARY_SONAME "none" + #endif + + #define HMAC_SIZE 32 +@@ -246,14 +248,14 @@ static int handler(void *user, const char *section, const char *name, + } else { + return 0; + } +- } else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) { ++ } else if (!strcmp(section, GNUTLS_LIBRARY_SONAME)) { + return lib_handler(&p->gnutls, section, name, value); +- } else if (!strcmp(section, NETTLE_LIBRARY_NAME)) { ++ } else if (!strcmp(section, NETTLE_LIBRARY_SONAME)) { + return lib_handler(&p->nettle, section, name, value); +- } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) { ++ } else if (!strcmp(section, HOGWEED_LIBRARY_SONAME)) { + return lib_handler(&p->hogweed, section, name, value); + #ifdef GMP_LIBRARY_SONAME +- } else if (!strcmp(section, GMP_LIBRARY_NAME)) { ++ } else if (!strcmp(section, GMP_LIBRARY_SONAME)) { + return lib_handler(&p->gmp, section, name, value); + #endif + } else { +diff --git a/lib/fipshmac.c b/lib/fipshmac.c +index 6a4883a131..d3561b4c47 100644 +--- a/lib/fipshmac.c ++++ b/lib/fipshmac.c +@@ -34,6 +34,20 @@ + #include "errors.h" + + #define FORMAT_VERSION 1 ++ ++/* These only works with the platform where SONAME is part of the ABI. */ ++#ifndef GNUTLS_LIBRARY_SONAME ++#define GNUTLS_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef NETTLE_LIBRARY_SONAME ++#define NETTLE_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef HOGWEED_LIBRARY_SONAME ++#define HOGWEED_LIBRARY_SONAME "none" ++#endif ++ + #define HMAC_SIZE 32 + #define HMAC_ALGO GNUTLS_MAC_SHA256 + #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1) +diff --git a/lib/global.c b/lib/global.c +index 718740c103..b434140bbf 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -563,9 +563,15 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = { + #ifdef FIPS_MODULE_VERSION + { "fips-module-version", FIPS_MODULE_VERSION }, + #endif ++#ifdef GNUTLS_LIBRARY_SONAME + { "libgnutls-soname", GNUTLS_LIBRARY_SONAME }, ++#endif ++#ifdef NETTLE_LIBRARY_SONAME + { "libnettle-soname", NETTLE_LIBRARY_SONAME }, ++#endif ++#ifdef HOGWEED_LIBRARY_SONAME + { "libhogweed-soname", HOGWEED_LIBRARY_SONAME }, ++#endif + #ifdef GMP_LIBRARY_SONAME + { "libgmp-soname", GMP_LIBRARY_SONAME }, + #endif +diff --git a/m4/hooks.m4 b/m4/hooks.m4 +index cf6064ca1d..a786d35150 100644 +--- a/m4/hooks.m4 ++++ b/m4/hooks.m4 +@@ -421,3 +421,23 @@ dnl #AM_ICONV + dnl m4_ifdef([gl_ICONV_MODULE_INDICATOR], + dnl [gl_ICONV_MODULE_INDICATOR([iconv])]) + ]) ++ ++AC_DEFUN([LIBGNUTLS_CHECK_SONAME], ++[ ++ m4_pushdef([soname], AS_TR_SH([$1])) ++ m4_pushdef([SONAME], AS_TR_CPP([$1])) ++ AC_MSG_CHECKING([$1 [soname]]) ++ AC_LINK_IFELSE([$2], ++ [soname[]_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^lib[]$1\.so'`], ++ [soname[]_so=none]) ++ if test -z "$soname[]_so"; then ++ soname[]_so=none ++ fi ++ AC_MSG_RESULT($soname[]_so) ++ if test "$soname[]_so" != none; then ++ SONAME[]_LIBRARY_SONAME="$soname[]_so" ++ AC_DEFINE_UNQUOTED([SONAME[]_LIBRARY_SONAME], ["$soname[]_so"], [The soname of $1 library]) ++ fi ++ m4_popdef([soname]) ++ m4_popdef([SONAME]) ++]) +-- +2.45.2 + + +From 0647139f50b6c14f2f2d22d40a42a8fdfaead5d5 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 6 Jul 2024 11:59:08 +0900 +Subject: [PATCH 2/4] build: check if dlopen(SONAME) works in configure + +Signed-off-by: Daiki Ueno +--- + configure.ac | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 3f001998b4..8d8c4038b6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -946,6 +946,27 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit + + AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no") + ++save_LIBS=$LIBS ++LIBS="$LIBS -lm" ++LIBGNUTLS_CHECK_SONAME([m], [AC_LANG_PROGRAM([ ++ #include ],[ ++ trunc (0);])]) ++LIBS="$save_LIBS" ++CFLAGS="$save_CFLAGS" ++ ++AC_RUN_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[#include ++ #include ++ ]], ++ [[void *handle = dlopen("$M_LIBRARY_SONAME", RTLD_LAZY | RTLD_GLOBAL); ++ return handle != NULL ? 0 : 1; ++ ]])], ++ [ac_cv_dlopen_soname_works=yes], ++ [ac_cv_dlopen_soname_works=no], ++ [ac_cv_dlopen_soname_works=cross-compiling]) ++ ++AM_CONDITIONAL([ENABLE_DLOPEN], [test "$ac_cv_dlopen_soname_works" = yes]) + need_ltlibdl=no + + AC_ARG_WITH(tpm2, +-- +2.45.2 + + +From 297c83d2830e44a675e8e52d65a66e0ba327f788 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 29 Jun 2024 13:34:36 +0900 +Subject: [PATCH 3/4] build: detect SONAME for compression libraries at + configure + +Instead of hard-coding the SONAMEs for zlib, libzstd, libbrotlienc, +and libbrotlidec, this checks the actual SONAMEs at configure time, so +the first argument of dlopen is more acurate when a SONAME is bumped. + +Signed-off-by: Daiki Ueno +--- + configure.ac | 82 +++++++++++++++++++++++++++++++++++++++----------- + lib/compress.c | 8 ++--- + 2 files changed, 68 insertions(+), 22 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 8d8c4038b6..28d6895efb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1048,8 +1048,6 @@ AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the tr + AC_SUBST(TROUSERS_LIB) + + +-AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes) +- + # For minitasn1. + AC_CHECK_SIZEOF(unsigned long int, 4) + AC_CHECK_SIZEOF(unsigned int, 4) +@@ -1058,35 +1056,45 @@ AC_CHECK_SIZEOF(time_t, 4) + AC_ARG_WITH(zlib, AS_HELP_STRING([--without-zlib], + [disable zlib compression support]), + ac_zlib=$withval, ac_zlib=yes) +-AC_MSG_CHECKING([whether to include zlib compression support]) +-if test x$ac_zlib != xno; then +- AC_MSG_RESULT(yes) +- AC_LIB_HAVE_LINKFLAGS(z,, [#include ], [compress (0, 0, 0, 0);]) +- if test x$ac_cv_libz != xyes; then +- AC_MSG_WARN( +- *** +- *** ZLIB was not found. You will not be able to use ZLIB compression.) +-fi +-else +- AC_MSG_RESULT(no) +-fi +- +-PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) +- + if test x$ac_zlib != xno; then ++ PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) + if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then ++ PKG_CHECK_MODULES(ZLIB, [zlib]) + if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then + GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" + else + GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" + fi +- LIBZ_PC="" ++ ac_zlib=yes + else ++ AC_LIB_HAVE_LINKFLAGS(z,, [#include ], [compress (0, 0, 0, 0);]) ++ if test x$ac_cv_libz != xyes; then ++ AC_MSG_WARN([[ ++*** ++*** ZLIB was not found. You will not be able to use ZLIB compression. ++*** ]]) ++ fi ++ ac_zlib=$ac_cv_libz ++ ZLIB_LIBS=$LIBZ + LIBZ_PC=$LIBZ + fi + fi ++if test x$ac_zlib != xno; then ++ AC_DEFINE([HAVE_LIBZ], 1, [Define if ZLIB compression is enabled.]) ++ need_ltlibdl=yes ++fi + AC_SUBST(LIBZ_PC) + ++AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ ++ save_LIBS=$LIBS ++ LIBS="$LIBS $ZLIB_LIBS" ++ LIBGNUTLS_CHECK_SONAME([z], [AC_LANG_PROGRAM([ ++ #include ],[ ++ compress (0, 0, 0, 0);])]) ++ LIBS="$save_LIBS" ++ CFLAGS="$save_CFLAGS" ++]) ++ + AC_ARG_WITH(brotli, + AS_HELP_STRING([--without-brotli], [disable brotli compression support]), + ac_brotli=$withval, ac_brotli=yes) +@@ -1102,6 +1110,7 @@ if test x$ac_brotli != xno; then + else + GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec" + fi ++ need_ltlibdl=yes + else + AC_MSG_WARN(*** LIBBROTLI was not found. You will not be able to use BROTLI compression.) + fi +@@ -1110,6 +1119,28 @@ else + fi + AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" != "no" && test "$with_libbrotlidec" != "no") + ++AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ ++ save_CFLAGS=$CFLAGS ++ CFLAGS="$CFLAGS $LIBBROTLIENC_CFLAGS" ++ save_LIBS=$LIBS ++ LIBS="$LIBS $LIBBROTLIENC_LIBS" ++ LIBGNUTLS_CHECK_SONAME([brotlienc], [AC_LANG_PROGRAM([ ++ #include ],[ ++ BrotliEncoderVersion();])]) ++ LIBS="$save_LIBS" ++ CFLAGS="$save_CFLAGS" ++ ++ save_CFLAGS=$CFLAGS ++ CFLAGS="$CFLAGS $LIBBROTLIDEC_CFLAGS" ++ save_LIBS=$LIBS ++ LIBS="$LIBS $LIBBROTLIDEC_LIBS" ++ LIBGNUTLS_CHECK_SONAME([brotlidec], [AC_LANG_PROGRAM([ ++ #include ],[ ++ BrotliDecoderVersion();])]) ++ LIBS="$save_LIBS" ++ CFLAGS="$save_CFLAGS" ++]) ++ + AC_ARG_WITH(zstd, + AS_HELP_STRING([--without-zstd], [disable zstd compression support]), + ac_zstd=$withval, ac_zstd=yes) +@@ -1124,6 +1155,7 @@ if test x$ac_zstd != xno; then + else + GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd" + fi ++ need_ltlibdl=yes + else + AC_MSG_WARN(*** LIBZSTD was not found. You will not be able to use ZSTD compression.) + fi +@@ -1132,6 +1164,20 @@ else + fi + AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" != "no") + ++AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ ++ save_CFLAGS=$CFLAGS ++ CFLAGS="$CFLAGS $LIBZSTD_CFLAGS" ++ save_LIBS=$LIBS ++ LIBS="$LIBS $LIBZSTD_LIBS" ++ LIBGNUTLS_CHECK_SONAME([zstd], [AC_LANG_PROGRAM([ ++ #include ],[ ++ ZSTD_versionNumber();])]) ++ LIBS="$save_LIBS" ++ CFLAGS="$save_CFLAGS" ++]) ++ ++AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes) ++ + # export for use in scripts + AC_SUBST(ac_cv_sizeof_time_t) + +diff --git a/lib/compress.c b/lib/compress.c +index a0a7c699c3..26ea2912c2 100644 +--- a/lib/compress.c ++++ b/lib/compress.c +@@ -72,7 +72,7 @@ static int zlib_init(void) + #ifndef _WIN32 + if (_zlib_handle != NULL) + return 0; +- if ((_zlib_handle = dlopen("libz.so.1", RTLD_NOW | RTLD_GLOBAL)) == ++ if ((_zlib_handle = dlopen(Z_LIBRARY_SONAME, RTLD_NOW | RTLD_GLOBAL)) == + NULL) + goto error; + if ((_gnutls_zlib_compressBound = +@@ -135,10 +135,10 @@ static int brotli_init(void) + #ifndef _WIN32 + if (_brotlienc_handle != NULL || _brotlidec_handle != NULL) + return 0; +- if ((_brotlienc_handle = dlopen("libbrotlienc.so.1", ++ if ((_brotlienc_handle = dlopen(BROTLIENC_LIBRARY_SONAME, + RTLD_NOW | RTLD_GLOBAL)) == NULL) + goto error; +- if ((_brotlidec_handle = dlopen("libbrotlidec.so.1", ++ if ((_brotlidec_handle = dlopen(BROTLIDEC_LIBRARY_SONAME, + RTLD_NOW | RTLD_GLOBAL)) == NULL) + goto error; + if ((_gnutls_BrotliEncoderMaxCompressedSize = +@@ -195,7 +195,7 @@ static int zstd_init(void) + #ifndef _WIN32 + if (_zstd_handle != NULL) + return 0; +- if ((_zstd_handle = dlopen("libzstd.so.1", RTLD_NOW | RTLD_GLOBAL)) == ++ if ((_zstd_handle = dlopen(ZSTD_LIBRARY_SONAME, RTLD_NOW | RTLD_GLOBAL)) == + NULL) + goto error; + if ((_gnutls_ZSTD_isError = dlsym(_zstd_handle, "ZSTD_isError")) == +-- +2.45.2 + + +From 3e5be1315a15ac6e1e33e08f28030b8215b6d234 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 29 Jun 2024 13:36:58 +0900 +Subject: [PATCH 4/4] build: switch to using dlwrap for loading compression + libraries + +This switches the logic to load compression libraries from the +hand-written code to the automatically generated code by the dlwrap +tool[1], which enables to select whether to use dlopen or link to the +library at build time. + +1. https://crates.io/crates/dlwrap + +Signed-off-by: Daiki Ueno +--- + cfg.mk | 2 +- + configure.ac | 1 + + devel/check-headers.sh | 4 +- + devel/dlwrap/brotli.license | 4 + + devel/dlwrap/brotlidec.syms | 1 + + devel/dlwrap/brotlienc.syms | 2 + + devel/dlwrap/z.license | 20 ++++ + devel/dlwrap/z.syms | 3 + + devel/dlwrap/zstd.license | 7 ++ + devel/dlwrap/zstd.syms | 4 + + devel/generate-dlwrap.sh | 37 ++++++ + devel/indent-gnutls | 2 +- + lib/Makefile.am | 40 ++++++- + lib/compress.c | 218 ++++++++++-------------------------- + lib/dlwrap/brotlidec.c | 182 ++++++++++++++++++++++++++++++ + lib/dlwrap/brotlidec.h | 47 ++++++++ + lib/dlwrap/brotlidecfuncs.h | 9 ++ + lib/dlwrap/brotlienc.c | 182 ++++++++++++++++++++++++++++++ + lib/dlwrap/brotlienc.h | 47 ++++++++ + lib/dlwrap/brotliencfuncs.h | 10 ++ + lib/dlwrap/zlib.c | 182 ++++++++++++++++++++++++++++++ + lib/dlwrap/zlib.h | 47 ++++++++ + lib/dlwrap/zlibfuncs.h | 27 +++++ + lib/dlwrap/zstd.c | 182 ++++++++++++++++++++++++++++++ + lib/dlwrap/zstd.h | 47 ++++++++ + lib/dlwrap/zstdfuncs.h | 15 +++ + 26 files changed, 1154 insertions(+), 168 deletions(-) + create mode 100644 devel/dlwrap/brotli.license + create mode 100644 devel/dlwrap/brotlidec.syms + create mode 100644 devel/dlwrap/brotlienc.syms + create mode 100644 devel/dlwrap/z.license + create mode 100644 devel/dlwrap/z.syms + create mode 100644 devel/dlwrap/zstd.license + create mode 100644 devel/dlwrap/zstd.syms + create mode 100755 devel/generate-dlwrap.sh + create mode 100644 lib/dlwrap/brotlidec.c + create mode 100644 lib/dlwrap/brotlidec.h + create mode 100644 lib/dlwrap/brotlidecfuncs.h + create mode 100644 lib/dlwrap/brotlienc.c + create mode 100644 lib/dlwrap/brotlienc.h + create mode 100644 lib/dlwrap/brotliencfuncs.h + create mode 100644 lib/dlwrap/zlib.c + create mode 100644 lib/dlwrap/zlib.h + create mode 100644 lib/dlwrap/zlibfuncs.h + create mode 100644 lib/dlwrap/zstd.c + create mode 100644 lib/dlwrap/zstd.h + create mode 100644 lib/dlwrap/zstdfuncs.h + +diff --git a/cfg.mk b/cfg.mk +index 5ef839a2c1..1b94279633 100644 +--- a/cfg.mk ++++ b/cfg.mk +@@ -24,7 +24,7 @@ PACKAGE ?= gnutls + + .PHONY: config glimport + +-INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e ^./build-aux/ -e ^./config.h -e ^./devel/ -e ^./gnulib -e ^./lib/minitasn1/ -e ^./lib/includes/gnutls/gnutls.h -e ^./lib/nettle/backport/ -e ^./lib/priority_options.h -e ^./lib/unistring/ -e ^./lib/x509/supported_exts.h -e ^./lib/build-aux/ -e ^./gl/ -e ^./src/gl/ -e ^./src/.*-options.[ch] -e -args.[ch] -e asn1_tab.c -e ^./tests/suite/` ++INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e ^./build-aux/ -e ^./config.h -e ^./devel/ -e ^./gnulib -e ^./lib/minitasn1/ -e ^./lib/includes/gnutls/gnutls.h -e ^./lib/nettle/backport/ -e ^./lib/priority_options.h -e ^./lib/unistring/ -e ^./lib/x509/supported_exts.h -e ^./lib/build-aux/ -e ^./lib/dlwrap/ -e ^./gl/ -e ^./src/gl/ -e ^./src/.*-options.[ch] -e -args.[ch] -e asn1_tab.c -e ^./tests/suite/` + + ifeq ($(.DEFAULT_GOAL),abort-due-to-no-makefile) + .DEFAULT_GOAL := bootstrap +diff --git a/configure.ac b/configure.ac +index 28d6895efb..62a7fbdf66 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1083,6 +1083,7 @@ if test x$ac_zlib != xno; then + AC_DEFINE([HAVE_LIBZ], 1, [Define if ZLIB compression is enabled.]) + need_ltlibdl=yes + fi ++AM_CONDITIONAL(HAVE_ZLIB, test "$ac_zlib" = "yes") + AC_SUBST(LIBZ_PC) + + AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ +diff --git a/devel/dlwrap/brotli.license b/devel/dlwrap/brotli.license +new file mode 100644 +index 0000000000..d65b39b1ac +--- /dev/null ++++ b/devel/dlwrap/brotli.license +@@ -0,0 +1,4 @@ ++Copyright 2013 Google Inc. All Rights Reserved. ++ ++Distributed under MIT license. ++See file LICENSE for detail or copy at https://opensource.org/licenses/MIT +diff --git a/devel/dlwrap/brotlidec.syms b/devel/dlwrap/brotlidec.syms +new file mode 100644 +index 0000000000..97edbad15e +--- /dev/null ++++ b/devel/dlwrap/brotlidec.syms +@@ -0,0 +1 @@ ++BrotliDecoderDecompress +diff --git a/devel/dlwrap/brotlienc.syms b/devel/dlwrap/brotlienc.syms +new file mode 100644 +index 0000000000..d618292047 +--- /dev/null ++++ b/devel/dlwrap/brotlienc.syms +@@ -0,0 +1,2 @@ ++BrotliEncoderMaxCompressedSize ++BrotliEncoderCompress +diff --git a/devel/dlwrap/z.license b/devel/dlwrap/z.license +new file mode 100644 +index 0000000000..94ce4ae9c9 +--- /dev/null ++++ b/devel/dlwrap/z.license +@@ -0,0 +1,20 @@ ++Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler ++ ++This software is provided 'as-is', without any express or implied ++warranty. In no event will the authors be held liable for any damages ++arising from the use of this software. ++ ++Permission is granted to anyone to use this software for any purpose, ++including commercial applications, and to alter it and redistribute it ++freely, subject to the following restrictions: ++ ++1. The origin of this software must not be misrepresented; you must not ++ claim that you wrote the original software. If you use this software ++ in a product, an acknowledgment in the product documentation would be ++ appreciated but is not required. ++2. Altered source versions must be plainly marked as such, and must not be ++ misrepresented as being the original software. ++3. This notice may not be removed or altered from any source distribution. ++ ++Jean-loup Gailly Mark Adler ++jloup@gzip.org madler@alumni.caltech.edu +diff --git a/devel/dlwrap/z.syms b/devel/dlwrap/z.syms +new file mode 100644 +index 0000000000..e3ed6c13f2 +--- /dev/null ++++ b/devel/dlwrap/z.syms +@@ -0,0 +1,3 @@ ++compressBound ++compress ++uncompress +diff --git a/devel/dlwrap/zstd.license b/devel/dlwrap/zstd.license +new file mode 100644 +index 0000000000..4b585386bf +--- /dev/null ++++ b/devel/dlwrap/zstd.license +@@ -0,0 +1,7 @@ ++Copyright (c) Meta Platforms, Inc. and affiliates. ++All rights reserved. ++ ++This source code is licensed under both the BSD-style license (found in the ++LICENSE file in the root directory of this source tree) and the GPLv2 (found ++in the COPYING file in the root directory of this source tree). ++You may select, at your option, one of the above-listed licenses. +diff --git a/devel/dlwrap/zstd.syms b/devel/dlwrap/zstd.syms +new file mode 100644 +index 0000000000..881bdc8135 +--- /dev/null ++++ b/devel/dlwrap/zstd.syms +@@ -0,0 +1,4 @@ ++ZSTD_isError ++ZSTD_compressBound ++ZSTD_compress ++ZSTD_decompress +diff --git a/devel/generate-dlwrap.sh b/devel/generate-dlwrap.sh +new file mode 100755 +index 0000000000..dbcf870612 +--- /dev/null ++++ b/devel/generate-dlwrap.sh +@@ -0,0 +1,37 @@ ++#!/bin/sh ++ ++# This script generates dlopen stubs for optional libraries using dlwrap tool: ++# https://crates.io/crates/dlwrap ++ ++# Copyright (c) 2023 Daiki Ueno ++# License: GPLv3+ ++ ++set +e ++ ++: ${srcdir=.} ++: ${DLWRAP=dlwrap} ++ ++if ! "$DLWRAP" -V >& /dev/null; then ++ echo 1>&2 "$0: "$DLWRAP" is missing" ++ exit 77 ++fi ++ ++SRC="$srcdir/devel/$DLWRAP" ++DST="$srcdir/lib/$DLWRAP" ++ ++echo "Generating $DST/zlib.h" ++ ++"$DLWRAP" --input /usr/include/zlib.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/z.syms" --license-file "$SRC/z.license" --soname Z_LIBRARY_SONAME --prefix gnutls_zlib --header-guard GNUTLS_LIB_DLWRAP_ZLIB_H_ --include "" ++ ++echo "Generating $DST/zstd.h" ++ ++"$DLWRAP" --input /usr/include/zstd.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/zstd.syms" --license-file "$SRC/zstd.license" --soname ZSTD_LIBRARY_SONAME --prefix gnutls_zstd --header-guard GNUTLS_LIB_DLWRAP_ZSTD_H_ --include "" ++ ++echo "Generating $DST/brotlienc.h" ++ ++"$DLWRAP" --input /usr/include/brotli/encode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlienc.syms" --license-file "$SRC/brotli.license" --soname BROTLIENC_LIBRARY_SONAME --prefix gnutls_brotlienc --loader-basename brotlienc --header-guard GNUTLS_LIB_DLWRAP_BROTLIENC_H_ --include "" ++ ++echo "Generating $DST/brotlidec.h" ++ ++"$DLWRAP" --input /usr/include/brotli/decode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlidec.syms" --license-file "$SRC/brotli.license" --soname BROTLIDEC_LIBRARY_SONAME --prefix gnutls_brotlidec --loader-basename brotlidec --header-guard GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ --include "" ++ +diff --git a/lib/Makefile.am b/lib/Makefile.am +index a50d3114ea..d1bd07248e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -33,7 +33,7 @@ localedir = $(datadir)/locale + + include $(top_srcdir)/lib/common.mk + +-AM_CPPFLAGS = \ ++AM_CPPFLAGS = \ + -DLOCALEDIR=\"$(localedir)\" \ + -I$(srcdir)/../gl \ + -I$(builddir)/../gl \ +@@ -45,7 +45,8 @@ AM_CPPFLAGS = \ + $(LIBTASN1_CFLAGS) \ + $(P11_KIT_CFLAGS) \ + $(TSS2_CFLAGS) +- $(LIBZSTD_CFLAGS) ++ ++thirdparty_libadd = + + if !HAVE_LIBUNISTRING + SUBDIRS += unistring +@@ -85,6 +86,39 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls + hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c \ + iov.c iov.h system/ktls.c system/ktls.h pathbuf.c pathbuf.h + ++if HAVE_ZLIB ++COBJECTS += dlwrap/zlib.c dlwrap/zlibfuncs.h dlwrap/zlib.h ++ ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(ZLIB_CFLAGS) -DGNUTLS_ZLIB_ENABLE_DLOPEN=1 ++else ++thirdparty_libadd += $(ZLIB_LIBS) ++endif ++endif ++ ++if HAVE_LIBZSTD ++COBJECTS += dlwrap/zstd.c dlwrap/zstdfuncs.h dlwrap/zstd.h ++ ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(LIBZSTD_CFLAGS) -DGNUTLS_ZSTD_ENABLE_DLOPEN=1 ++else ++thirdparty_libadd += $(LIBZSTD_LIBS) ++endif ++endif ++ ++if HAVE_LIBBROTLI ++COBJECTS += dlwrap/brotlienc.c dlwrap/brotliencfuncs.h dlwrap/brotlienc.h ++COBJECTS += dlwrap/brotlidec.c dlwrap/brotlidecfuncs.h dlwrap/brotlidec.h ++ ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(LIBBROTLIENC_CFLAGS) -DGNUTLS_BROTLIENC_ENABLE_DLOPEN=1 ++AM_CPPFLAGS += $(LIBBROTLIDEC_CFLAGS) -DGNUTLS_BROTLIDEC_ENABLE_DLOPEN=1 ++else ++thirdparty_libadd += $(LIBBROTLIENC_LIBS) ++thirdparty_libadd += $(LIBBROTLIDEC_LIBS) ++endif ++endif ++ + if ENABLE_GOST + COBJECTS += vko.c + endif +@@ -156,7 +190,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \ + ext/libgnutls_ext.la \ + auth/libgnutls_auth.la algorithms/libgnutls_alg.la \ + extras/libgnutls_extras.la +-thirdparty_libadd = $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \ ++thirdparty_libadd += $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \ + $(P11_KIT_LIBS) $(LIB_SELECT) $(GNUTLS_LIBS_PRIVATE) + + if HAVE_LIBIDN2 +diff --git a/lib/compress.c b/lib/compress.c +index 26ea2912c2..936a459532 100644 +--- a/lib/compress.c ++++ b/lib/compress.c +@@ -25,198 +25,91 @@ + + #include "compress.h" + +-#ifndef _WIN32 ++#ifdef _WIN32 ++#define RTLD_NOW 0 ++#define RTLD_GLOBAL 0 ++#else + #include + #endif + ++#ifndef Z_LIBRARY_SONAME ++#define Z_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef BROTLIENC_LIBRARY_SONAME ++#define BROTLIENC_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef BROTLIDEC_LIBRARY_SONAME ++#define BROTLIDEC_LIBRARY_SONAME "none" ++#endif ++ ++#ifndef ZSTD_LIBRARY_SONAME ++#define ZSTD_LIBRARY_SONAME "none" ++#endif ++ + #ifdef HAVE_LIBZ +-#include ++#include "dlwrap/zlib.h" + #endif + + #ifdef HAVE_LIBBROTLI +-#include +-#include ++#include "dlwrap/brotlienc.h" ++#include "dlwrap/brotlidec.h" + #endif + + #ifdef HAVE_LIBZSTD +-#include ++#include "dlwrap/zstd.h" + #endif + + #ifdef HAVE_LIBZ +-static void *_zlib_handle; +- +-#if HAVE___TYPEOF__ +-static __typeof__(compressBound)(*_gnutls_zlib_compressBound); +-static __typeof__(compress)(*_gnutls_zlib_compress); +-static __typeof__(uncompress)(*_gnutls_zlib_uncompress); +-#else +-static uLong (*_gnutls_zlib_compressBound)(uLong sourceLen); +-static int (*_gnutls_zlib_compress)(Bytef *dest, uLongf *destLen, +- const Bytef *source, uLong sourceLen); +-static int (*_gnutls_zlib_uncompress)(Bytef *dest, uLongf *destLen, +- const Bytef *source, uLong sourceLen); +-#endif /* HAVE___TYPEOF__ */ +- + static void zlib_deinit(void) + { +-#ifndef _WIN32 +- if (_zlib_handle != NULL) { +- dlclose(_zlib_handle); +- _zlib_handle = NULL; +- } +-#endif /* _WIN32 */ ++ gnutls_zlib_unload_library(); + } + + static int zlib_init(void) + { +-#ifndef _WIN32 +- if (_zlib_handle != NULL) +- return 0; +- if ((_zlib_handle = dlopen(Z_LIBRARY_SONAME, RTLD_NOW | RTLD_GLOBAL)) == +- NULL) +- goto error; +- if ((_gnutls_zlib_compressBound = +- dlsym(_zlib_handle, "compressBound")) == NULL) +- goto error; +- if ((_gnutls_zlib_compress = dlsym(_zlib_handle, "compress")) == NULL) +- goto error; +- if ((_gnutls_zlib_uncompress = dlsym(_zlib_handle, "uncompress")) == +- NULL) +- goto error; ++ if (gnutls_zlib_ensure_library(Z_LIBRARY_SONAME, ++ RTLD_NOW | RTLD_GLOBAL) < 0) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return 0; +-error: +- zlib_deinit(); +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); +-#else +- return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); +-#endif /* _WIN32 */ + } + #endif /* HAVE_LIBZ */ + + #ifdef HAVE_LIBBROTLI +-static void *_brotlienc_handle; +-static void *_brotlidec_handle; +- +-#if HAVE___TYPEOF__ +-static __typeof__(BrotliEncoderMaxCompressedSize)( +- *_gnutls_BrotliEncoderMaxCompressedSize); +-static __typeof__(BrotliEncoderCompress)(*_gnutls_BrotliEncoderCompress); +-static __typeof__(BrotliDecoderDecompress)(*_gnutls_BrotliDecoderDecompress); +-#else +-static size_t (*_gnutls_BrotliEncoderMaxCompressedSize)(size_t input_size); +-static BROTLI_BOOL (*_gnutls_BrotliEncoderCompress)( +- int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], +- size_t *encoded_size, +- uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]); +-static BrotliDecoderResult (*_gnutls_BrotliDecoderDecompress)( +- size_t encoded_size, +- const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], +- size_t *decoded_size, +- uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]); +-#endif /* HAVE___TYPEOF__ */ + + static void brotli_deinit(void) + { +-#ifndef _WIN32 +- if (_brotlienc_handle != NULL) { +- dlclose(_brotlienc_handle); +- _brotlienc_handle = NULL; +- } +- if (_brotlidec_handle != NULL) { +- dlclose(_brotlidec_handle); +- _brotlidec_handle = NULL; +- } +-#endif /* _WIN32 */ ++ gnutls_brotlienc_unload_library(); ++ gnutls_brotlidec_unload_library(); + } + + static int brotli_init(void) + { +-#ifndef _WIN32 +- if (_brotlienc_handle != NULL || _brotlidec_handle != NULL) +- return 0; +- if ((_brotlienc_handle = dlopen(BROTLIENC_LIBRARY_SONAME, +- RTLD_NOW | RTLD_GLOBAL)) == NULL) +- goto error; +- if ((_brotlidec_handle = dlopen(BROTLIDEC_LIBRARY_SONAME, +- RTLD_NOW | RTLD_GLOBAL)) == NULL) +- goto error; +- if ((_gnutls_BrotliEncoderMaxCompressedSize = +- dlsym(_brotlienc_handle, +- "BrotliEncoderMaxCompressedSize")) == NULL) +- goto error; +- if ((_gnutls_BrotliEncoderCompress = +- dlsym(_brotlienc_handle, "BrotliEncoderCompress")) == NULL) +- goto error; +- if ((_gnutls_BrotliDecoderDecompress = dlsym( +- _brotlidec_handle, "BrotliDecoderDecompress")) == NULL) +- goto error; ++ if (gnutls_brotlienc_ensure_library(BROTLIENC_LIBRARY_SONAME, ++ RTLD_NOW | RTLD_GLOBAL) < 0) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ ++ if (gnutls_brotlidec_ensure_library(BROTLIDEC_LIBRARY_SONAME, ++ RTLD_NOW | RTLD_GLOBAL) < 0) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return 0; +-error: +- brotli_deinit(); +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); +-#else +- return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); +-#endif /* _WIN32 */ + } + #endif /* HAVE_LIBBROTLI */ + + #ifdef HAVE_LIBZSTD +-static void *_zstd_handle; +- +-#if HAVE___TYPEOF__ +-static __typeof__(ZSTD_isError)(*_gnutls_ZSTD_isError); +-static __typeof__(ZSTD_compressBound)(*_gnutls_ZSTD_compressBound); +-static __typeof__(ZSTD_compress)(*_gnutls_ZSTD_compress); +-static __typeof__(ZSTD_decompress)(*_gnutls_ZSTD_decompress); +-#else +-static unsigned (*_gnutls_ZSTD_isError)(size_t code); +-static size_t (*_gnutls_ZSTD_compressBound)(size_t srcSize); +-static size_t (*_gnutls_ZSTD_compress)(void *dst, size_t dstCapacity, +- const void *src, size_t srcSize, +- int compressionLevel); +-static size_t (*_gnutls_ZSTD_decompress)(void *dst, size_t dstCapacity, +- const void *src, +- size_t compressedSize); +-#endif /* HAVE___TYPEOF__ */ + + static void zstd_deinit(void) + { +-#ifndef _WIN32 +- if (_zstd_handle != NULL) { +- dlclose(_zstd_handle); +- _zstd_handle = NULL; +- } +-#endif /* _WIN32 */ ++ gnutls_zstd_unload_library(); + } + + static int zstd_init(void) + { +-#ifndef _WIN32 +- if (_zstd_handle != NULL) +- return 0; +- if ((_zstd_handle = dlopen(ZSTD_LIBRARY_SONAME, RTLD_NOW | RTLD_GLOBAL)) == +- NULL) +- goto error; +- if ((_gnutls_ZSTD_isError = dlsym(_zstd_handle, "ZSTD_isError")) == +- NULL) +- goto error; +- if ((_gnutls_ZSTD_compressBound = +- dlsym(_zstd_handle, "ZSTD_compressBound")) == NULL) +- goto error; +- if ((_gnutls_ZSTD_compress = dlsym(_zstd_handle, "ZSTD_compress")) == +- NULL) +- goto error; +- if ((_gnutls_ZSTD_decompress = +- dlsym(_zstd_handle, "ZSTD_decompress")) == NULL) +- goto error; ++ if (gnutls_zstd_ensure_library(ZSTD_LIBRARY_SONAME, ++ RTLD_NOW | RTLD_GLOBAL) < 0) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return 0; +-error: +- zstd_deinit(); +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); +-#else +- return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); +-#endif /* _WIN32 */ + } + #endif /* HAVE_LIBZSTD */ + +@@ -345,15 +238,16 @@ size_t _gnutls_compress_bound(gnutls_compression_method_t alg, size_t src_len) + switch (alg) { + #ifdef HAVE_LIBZ + case GNUTLS_COMP_ZLIB: +- return _gnutls_zlib_compressBound(src_len); ++ return GNUTLS_ZLIB_FUNC(compressBound)(src_len); + #endif + #ifdef HAVE_LIBBROTLI + case GNUTLS_COMP_BROTLI: +- return _gnutls_BrotliEncoderMaxCompressedSize(src_len); ++ return GNUTLS_BROTLIENC_FUNC(BrotliEncoderMaxCompressedSize)( ++ src_len); + #endif + #ifdef HAVE_LIBZSTD + case GNUTLS_COMP_ZSTD: +- return _gnutls_ZSTD_compressBound(src_len); ++ return GNUTLS_ZSTD_FUNC(ZSTD_compressBound)(src_len); + #endif + default: + return 0; +@@ -372,7 +266,7 @@ int _gnutls_compress(gnutls_compression_method_t alg, uint8_t *dst, + int err; + uLongf comp_len = dst_len; + +- err = _gnutls_zlib_compress(dst, &comp_len, src, src_len); ++ err = GNUTLS_ZLIB_FUNC(compress)(dst, &comp_len, src, src_len); + if (err != Z_OK) + return gnutls_assert_val(GNUTLS_E_COMPRESSION_FAILED); + ret = comp_len; +@@ -383,7 +277,7 @@ int _gnutls_compress(gnutls_compression_method_t alg, uint8_t *dst, + BROTLI_BOOL err; + size_t comp_len = dst_len; + +- err = _gnutls_BrotliEncoderCompress( ++ err = GNUTLS_BROTLIENC_FUNC(BrotliEncoderCompress)( + BROTLI_DEFAULT_QUALITY, BROTLI_DEFAULT_WINDOW, + BROTLI_DEFAULT_MODE, src_len, src, &comp_len, dst); + if (!err) +@@ -395,9 +289,9 @@ int _gnutls_compress(gnutls_compression_method_t alg, uint8_t *dst, + case GNUTLS_COMP_ZSTD: { + size_t comp_len; + +- comp_len = _gnutls_ZSTD_compress(dst, dst_len, src, src_len, +- ZSTD_CLEVEL_DEFAULT); +- if (_gnutls_ZSTD_isError(comp_len)) ++ comp_len = GNUTLS_ZSTD_FUNC(ZSTD_compress)( ++ dst, dst_len, src, src_len, ZSTD_CLEVEL_DEFAULT); ++ if (GNUTLS_ZSTD_FUNC(ZSTD_isError)(comp_len)) + return gnutls_assert_val(GNUTLS_E_COMPRESSION_FAILED); + ret = comp_len; + } break; +@@ -425,7 +319,8 @@ int _gnutls_decompress(gnutls_compression_method_t alg, uint8_t *dst, + int err; + uLongf plain_len = dst_len; + +- err = _gnutls_zlib_uncompress(dst, &plain_len, src, src_len); ++ err = GNUTLS_ZLIB_FUNC(uncompress)(dst, &plain_len, src, ++ src_len); + if (err != Z_OK) + return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); + ret = plain_len; +@@ -436,8 +331,8 @@ int _gnutls_decompress(gnutls_compression_method_t alg, uint8_t *dst, + BrotliDecoderResult err; + size_t plain_len = dst_len; + +- err = _gnutls_BrotliDecoderDecompress(src_len, src, &plain_len, +- dst); ++ err = GNUTLS_BROTLIDEC_FUNC( ++ BrotliDecoderDecompress)(src_len, src, &plain_len, dst); + if (err != BROTLI_DECODER_RESULT_SUCCESS) + return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); + ret = plain_len; +@@ -447,8 +342,9 @@ int _gnutls_decompress(gnutls_compression_method_t alg, uint8_t *dst, + case GNUTLS_COMP_ZSTD: { + size_t plain_len; + +- plain_len = _gnutls_ZSTD_decompress(dst, dst_len, src, src_len); +- if (_gnutls_ZSTD_isError(plain_len)) ++ plain_len = GNUTLS_ZSTD_FUNC(ZSTD_decompress)(dst, dst_len, src, ++ src_len); ++ if (GNUTLS_ZSTD_FUNC(ZSTD_isError)(plain_len)) + return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); + ret = plain_len; + } break; +diff --git a/lib/dlwrap/brotlidec.c b/lib/dlwrap/brotlidec.c +new file mode 100644 +index 0000000000..45c9b4b259 +--- /dev/null ++++ b/lib/dlwrap/brotlidec.c +@@ -0,0 +1,182 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include "brotlidec.h" ++ ++#if defined(GNUTLS_BROTLIDEC_ENABLE_DLOPEN) && GNUTLS_BROTLIDEC_ENABLE_DLOPEN ++ ++#include ++#include ++#include ++#include ++ ++/* If BROTLIDEC_LIBRARY_SONAME is defined, dlopen handle can be automatically ++ * set; otherwise, the caller needs to call ++ * gnutls_brotlidec_ensure_library with soname determined at run time. ++ */ ++#ifdef BROTLIDEC_LIBRARY_SONAME ++ ++static void ++ensure_library (void) ++{ ++ if (gnutls_brotlidec_ensure_library (BROTLIDEC_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ abort (); ++} ++ ++#if defined(GNUTLS_BROTLIDEC_ENABLE_PTHREAD) && GNUTLS_BROTLIDEC_ENABLE_PTHREAD ++#include ++ ++static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; ++ ++#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library) ++ ++#else /* GNUTLS_BROTLIDEC_ENABLE_PTHREAD */ ++ ++#define ENSURE_LIBRARY do { \ ++ if (!gnutls_brotlidec_dlhandle) \ ++ ensure_library(); \ ++ } while (0) ++ ++#endif /* !GNUTLS_BROTLIDEC_ENABLE_PTHREAD */ ++ ++#else /* BROTLIDEC_LIBRARY_SONAME */ ++ ++#define ENSURE_LIBRARY do {} while (0) ++ ++#endif /* !BROTLIDEC_LIBRARY_SONAME */ ++ ++static void *gnutls_brotlidec_dlhandle; ++ ++/* Define redirection symbols */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#if (2 <= __GNUC__ || (4 <= __clang_major__)) ++#define FUNC(ret, name, args, cargs) \ ++ static __typeof__(name)(*gnutls_brotlidec_sym_##name); ++#else ++#define FUNC(ret, name, args, cargs) \ ++ static ret(*gnutls_brotlidec_sym_##name)args; ++#endif ++#define VOID_FUNC FUNC ++#include "brotlidecfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++/* Define redirection wrapper functions */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ret gnutls_brotlidec_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_brotlidec_sym_##name); \ ++ return gnutls_brotlidec_sym_##name cargs; \ ++} ++#define VOID_FUNC(ret, name, args, cargs) \ ++ret gnutls_brotlidec_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_brotlidec_sym_##name); \ ++ gnutls_brotlidec_sym_##name cargs; \ ++} ++#include "brotlidecfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++static int ++ensure_symbol (const char *name, void **symp) ++{ ++ if (!*symp) ++ { ++ void *sym = dlsym (gnutls_brotlidec_dlhandle, name); ++ if (!sym) ++ return -errno; ++ *symp = sym; ++ } ++ return 0; ++} ++ ++int ++gnutls_brotlidec_ensure_library (const char *soname, int flags) ++{ ++ int err; ++ ++ if (!gnutls_brotlidec_dlhandle) ++ { ++ gnutls_brotlidec_dlhandle = dlopen (soname, flags); ++ if (!gnutls_brotlidec_dlhandle) ++ return -errno; ++ } ++ ++#define ENSURE_SYMBOL(name) \ ++ ensure_symbol(#name, (void **)&gnutls_brotlidec_sym_##name) ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ return err; ++#define VOID_FUNC FUNC ++#include "brotlidecfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef ENSURE_SYMBOL ++ return 0; ++} ++ ++void ++gnutls_brotlidec_unload_library (void) ++{ ++ if (gnutls_brotlidec_dlhandle) ++ dlclose (gnutls_brotlidec_dlhandle); ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ gnutls_brotlidec_sym_##name = NULL; ++#define VOID_FUNC FUNC ++#include "brotlidecfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef RESET_SYMBOL ++} ++ ++#else /* GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ ++ ++int ++gnutls_brotlidec_ensure_library (const char *soname, int flags) ++{ ++ (void) soname; ++ (void) flags; ++ return 0; ++} ++ ++void ++gnutls_brotlidec_unload_library (void) ++{ ++} ++ ++#endif /* !GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/brotlidec.h b/lib/dlwrap/brotlidec.h +new file mode 100644 +index 0000000000..31397f24cf +--- /dev/null ++++ b/lib/dlwrap/brotlidec.h +@@ -0,0 +1,47 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifndef GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ ++#define GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ ++ ++#include ++ ++#if defined(GNUTLS_BROTLIDEC_ENABLE_DLOPEN) && GNUTLS_BROTLIDEC_ENABLE_DLOPEN ++ ++#define FUNC(ret, name, args, cargs) \ ++ ret gnutls_brotlidec_func_##name args; ++#define VOID_FUNC FUNC ++#include "brotlidecfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#define GNUTLS_BROTLIDEC_FUNC(name) gnutls_brotlidec_func_##name ++ ++#else ++ ++#define GNUTLS_BROTLIDEC_FUNC(name) name ++ ++#endif /* GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ ++ ++/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary ++ * symbols are resolved. ++ * ++ * Returns 0 on success; negative error code otherwise. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++int gnutls_brotlidec_ensure_library (const char *soname, int flags); ++ ++/* Unload library and reset symbols. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++void gnutls_brotlidec_unload_library (void); ++ ++#endif /* GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ */ +diff --git a/lib/dlwrap/brotlidecfuncs.h b/lib/dlwrap/brotlidecfuncs.h +new file mode 100644 +index 0000000000..aa033e3a8b +--- /dev/null ++++ b/lib/dlwrap/brotlidecfuncs.h +@@ -0,0 +1,9 @@ ++/* ++ * This file was automatically generated from decode.h, ++ * which is covered by the following license: ++ * Copyright 2013 Google Inc. All Rights Reserved. ++ * ++ * Distributed under MIT license. ++ * See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++ */ ++FUNC(BrotliDecoderResult, BrotliDecoderDecompress, (size_t encoded_size, const uint8_t encoded_buffer[], size_t *decoded_size, uint8_t decoded_buffer[]), (encoded_size, encoded_buffer, decoded_size, decoded_buffer)) +diff --git a/lib/dlwrap/brotlienc.c b/lib/dlwrap/brotlienc.c +new file mode 100644 +index 0000000000..9dd8ff37c6 +--- /dev/null ++++ b/lib/dlwrap/brotlienc.c +@@ -0,0 +1,182 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include "brotlienc.h" ++ ++#if defined(GNUTLS_BROTLIENC_ENABLE_DLOPEN) && GNUTLS_BROTLIENC_ENABLE_DLOPEN ++ ++#include ++#include ++#include ++#include ++ ++/* If BROTLIENC_LIBRARY_SONAME is defined, dlopen handle can be automatically ++ * set; otherwise, the caller needs to call ++ * gnutls_brotlienc_ensure_library with soname determined at run time. ++ */ ++#ifdef BROTLIENC_LIBRARY_SONAME ++ ++static void ++ensure_library (void) ++{ ++ if (gnutls_brotlienc_ensure_library (BROTLIENC_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ abort (); ++} ++ ++#if defined(GNUTLS_BROTLIENC_ENABLE_PTHREAD) && GNUTLS_BROTLIENC_ENABLE_PTHREAD ++#include ++ ++static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; ++ ++#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library) ++ ++#else /* GNUTLS_BROTLIENC_ENABLE_PTHREAD */ ++ ++#define ENSURE_LIBRARY do { \ ++ if (!gnutls_brotlienc_dlhandle) \ ++ ensure_library(); \ ++ } while (0) ++ ++#endif /* !GNUTLS_BROTLIENC_ENABLE_PTHREAD */ ++ ++#else /* BROTLIENC_LIBRARY_SONAME */ ++ ++#define ENSURE_LIBRARY do {} while (0) ++ ++#endif /* !BROTLIENC_LIBRARY_SONAME */ ++ ++static void *gnutls_brotlienc_dlhandle; ++ ++/* Define redirection symbols */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#if (2 <= __GNUC__ || (4 <= __clang_major__)) ++#define FUNC(ret, name, args, cargs) \ ++ static __typeof__(name)(*gnutls_brotlienc_sym_##name); ++#else ++#define FUNC(ret, name, args, cargs) \ ++ static ret(*gnutls_brotlienc_sym_##name)args; ++#endif ++#define VOID_FUNC FUNC ++#include "brotliencfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++/* Define redirection wrapper functions */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ret gnutls_brotlienc_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_brotlienc_sym_##name); \ ++ return gnutls_brotlienc_sym_##name cargs; \ ++} ++#define VOID_FUNC(ret, name, args, cargs) \ ++ret gnutls_brotlienc_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_brotlienc_sym_##name); \ ++ gnutls_brotlienc_sym_##name cargs; \ ++} ++#include "brotliencfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++static int ++ensure_symbol (const char *name, void **symp) ++{ ++ if (!*symp) ++ { ++ void *sym = dlsym (gnutls_brotlienc_dlhandle, name); ++ if (!sym) ++ return -errno; ++ *symp = sym; ++ } ++ return 0; ++} ++ ++int ++gnutls_brotlienc_ensure_library (const char *soname, int flags) ++{ ++ int err; ++ ++ if (!gnutls_brotlienc_dlhandle) ++ { ++ gnutls_brotlienc_dlhandle = dlopen (soname, flags); ++ if (!gnutls_brotlienc_dlhandle) ++ return -errno; ++ } ++ ++#define ENSURE_SYMBOL(name) \ ++ ensure_symbol(#name, (void **)&gnutls_brotlienc_sym_##name) ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ return err; ++#define VOID_FUNC FUNC ++#include "brotliencfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef ENSURE_SYMBOL ++ return 0; ++} ++ ++void ++gnutls_brotlienc_unload_library (void) ++{ ++ if (gnutls_brotlienc_dlhandle) ++ dlclose (gnutls_brotlienc_dlhandle); ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ gnutls_brotlienc_sym_##name = NULL; ++#define VOID_FUNC FUNC ++#include "brotliencfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef RESET_SYMBOL ++} ++ ++#else /* GNUTLS_BROTLIENC_ENABLE_DLOPEN */ ++ ++int ++gnutls_brotlienc_ensure_library (const char *soname, int flags) ++{ ++ (void) soname; ++ (void) flags; ++ return 0; ++} ++ ++void ++gnutls_brotlienc_unload_library (void) ++{ ++} ++ ++#endif /* !GNUTLS_BROTLIENC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/brotlienc.h b/lib/dlwrap/brotlienc.h +new file mode 100644 +index 0000000000..ed1af45e04 +--- /dev/null ++++ b/lib/dlwrap/brotlienc.h +@@ -0,0 +1,47 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifndef GNUTLS_LIB_DLWRAP_BROTLIENC_H_ ++#define GNUTLS_LIB_DLWRAP_BROTLIENC_H_ ++ ++#include ++ ++#if defined(GNUTLS_BROTLIENC_ENABLE_DLOPEN) && GNUTLS_BROTLIENC_ENABLE_DLOPEN ++ ++#define FUNC(ret, name, args, cargs) \ ++ ret gnutls_brotlienc_func_##name args; ++#define VOID_FUNC FUNC ++#include "brotliencfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#define GNUTLS_BROTLIENC_FUNC(name) gnutls_brotlienc_func_##name ++ ++#else ++ ++#define GNUTLS_BROTLIENC_FUNC(name) name ++ ++#endif /* GNUTLS_BROTLIENC_ENABLE_DLOPEN */ ++ ++/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary ++ * symbols are resolved. ++ * ++ * Returns 0 on success; negative error code otherwise. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++int gnutls_brotlienc_ensure_library (const char *soname, int flags); ++ ++/* Unload library and reset symbols. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++void gnutls_brotlienc_unload_library (void); ++ ++#endif /* GNUTLS_LIB_DLWRAP_BROTLIENC_H_ */ +diff --git a/lib/dlwrap/brotliencfuncs.h b/lib/dlwrap/brotliencfuncs.h +new file mode 100644 +index 0000000000..1a4f884d35 +--- /dev/null ++++ b/lib/dlwrap/brotliencfuncs.h +@@ -0,0 +1,10 @@ ++/* ++ * This file was automatically generated from encode.h, ++ * which is covered by the following license: ++ * Copyright 2013 Google Inc. All Rights Reserved. ++ * ++ * Distributed under MIT license. ++ * See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++ */ ++FUNC(size_t, BrotliEncoderMaxCompressedSize, (size_t input_size), (input_size)) ++FUNC(int, BrotliEncoderCompress, (int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, const uint8_t input_buffer[], size_t *encoded_size, uint8_t encoded_buffer[]), (quality, lgwin, mode, input_size, input_buffer, encoded_size, encoded_buffer)) +diff --git a/lib/dlwrap/zlib.c b/lib/dlwrap/zlib.c +new file mode 100644 +index 0000000000..455485c63f +--- /dev/null ++++ b/lib/dlwrap/zlib.c +@@ -0,0 +1,182 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include "zlib.h" ++ ++#if defined(GNUTLS_ZLIB_ENABLE_DLOPEN) && GNUTLS_ZLIB_ENABLE_DLOPEN ++ ++#include ++#include ++#include ++#include ++ ++/* If Z_LIBRARY_SONAME is defined, dlopen handle can be automatically ++ * set; otherwise, the caller needs to call ++ * gnutls_zlib_ensure_library with soname determined at run time. ++ */ ++#ifdef Z_LIBRARY_SONAME ++ ++static void ++ensure_library (void) ++{ ++ if (gnutls_zlib_ensure_library (Z_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ abort (); ++} ++ ++#if defined(GNUTLS_ZLIB_ENABLE_PTHREAD) && GNUTLS_ZLIB_ENABLE_PTHREAD ++#include ++ ++static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; ++ ++#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library) ++ ++#else /* GNUTLS_ZLIB_ENABLE_PTHREAD */ ++ ++#define ENSURE_LIBRARY do { \ ++ if (!gnutls_zlib_dlhandle) \ ++ ensure_library(); \ ++ } while (0) ++ ++#endif /* !GNUTLS_ZLIB_ENABLE_PTHREAD */ ++ ++#else /* Z_LIBRARY_SONAME */ ++ ++#define ENSURE_LIBRARY do {} while (0) ++ ++#endif /* !Z_LIBRARY_SONAME */ ++ ++static void *gnutls_zlib_dlhandle; ++ ++/* Define redirection symbols */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#if (2 <= __GNUC__ || (4 <= __clang_major__)) ++#define FUNC(ret, name, args, cargs) \ ++ static __typeof__(name)(*gnutls_zlib_sym_##name); ++#else ++#define FUNC(ret, name, args, cargs) \ ++ static ret(*gnutls_zlib_sym_##name)args; ++#endif ++#define VOID_FUNC FUNC ++#include "zlibfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++/* Define redirection wrapper functions */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ret gnutls_zlib_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_zlib_sym_##name); \ ++ return gnutls_zlib_sym_##name cargs; \ ++} ++#define VOID_FUNC(ret, name, args, cargs) \ ++ret gnutls_zlib_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_zlib_sym_##name); \ ++ gnutls_zlib_sym_##name cargs; \ ++} ++#include "zlibfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++static int ++ensure_symbol (const char *name, void **symp) ++{ ++ if (!*symp) ++ { ++ void *sym = dlsym (gnutls_zlib_dlhandle, name); ++ if (!sym) ++ return -errno; ++ *symp = sym; ++ } ++ return 0; ++} ++ ++int ++gnutls_zlib_ensure_library (const char *soname, int flags) ++{ ++ int err; ++ ++ if (!gnutls_zlib_dlhandle) ++ { ++ gnutls_zlib_dlhandle = dlopen (soname, flags); ++ if (!gnutls_zlib_dlhandle) ++ return -errno; ++ } ++ ++#define ENSURE_SYMBOL(name) \ ++ ensure_symbol(#name, (void **)&gnutls_zlib_sym_##name) ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ return err; ++#define VOID_FUNC FUNC ++#include "zlibfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef ENSURE_SYMBOL ++ return 0; ++} ++ ++void ++gnutls_zlib_unload_library (void) ++{ ++ if (gnutls_zlib_dlhandle) ++ dlclose (gnutls_zlib_dlhandle); ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ gnutls_zlib_sym_##name = NULL; ++#define VOID_FUNC FUNC ++#include "zlibfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef RESET_SYMBOL ++} ++ ++#else /* GNUTLS_ZLIB_ENABLE_DLOPEN */ ++ ++int ++gnutls_zlib_ensure_library (const char *soname, int flags) ++{ ++ (void) soname; ++ (void) flags; ++ return 0; ++} ++ ++void ++gnutls_zlib_unload_library (void) ++{ ++} ++ ++#endif /* !GNUTLS_ZLIB_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zlib.h b/lib/dlwrap/zlib.h +new file mode 100644 +index 0000000000..a9666d27f5 +--- /dev/null ++++ b/lib/dlwrap/zlib.h +@@ -0,0 +1,47 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifndef GNUTLS_LIB_DLWRAP_ZLIB_H_ ++#define GNUTLS_LIB_DLWRAP_ZLIB_H_ ++ ++#include ++ ++#if defined(GNUTLS_ZLIB_ENABLE_DLOPEN) && GNUTLS_ZLIB_ENABLE_DLOPEN ++ ++#define FUNC(ret, name, args, cargs) \ ++ ret gnutls_zlib_func_##name args; ++#define VOID_FUNC FUNC ++#include "zlibfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#define GNUTLS_ZLIB_FUNC(name) gnutls_zlib_func_##name ++ ++#else ++ ++#define GNUTLS_ZLIB_FUNC(name) name ++ ++#endif /* GNUTLS_ZLIB_ENABLE_DLOPEN */ ++ ++/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary ++ * symbols are resolved. ++ * ++ * Returns 0 on success; negative error code otherwise. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++int gnutls_zlib_ensure_library (const char *soname, int flags); ++ ++/* Unload library and reset symbols. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++void gnutls_zlib_unload_library (void); ++ ++#endif /* GNUTLS_LIB_DLWRAP_ZLIB_H_ */ +diff --git a/lib/dlwrap/zlibfuncs.h b/lib/dlwrap/zlibfuncs.h +new file mode 100644 +index 0000000000..efe01455d2 +--- /dev/null ++++ b/lib/dlwrap/zlibfuncs.h +@@ -0,0 +1,27 @@ ++/* ++ * This file was automatically generated from zlib.h, ++ * which is covered by the following license: ++ * Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler ++ * ++ * This software is provided 'as-is', without any express or implied ++ * warranty. In no event will the authors be held liable for any damages ++ * arising from the use of this software. ++ * ++ * Permission is granted to anyone to use this software for any purpose, ++ * including commercial applications, and to alter it and redistribute it ++ * freely, subject to the following restrictions: ++ * ++ * 1. The origin of this software must not be misrepresented; you must not ++ * claim that you wrote the original software. If you use this software ++ * in a product, an acknowledgment in the product documentation would be ++ * appreciated but is not required. ++ * 2. Altered source versions must be plainly marked as such, and must not be ++ * misrepresented as being the original software. ++ * 3. This notice may not be removed or altered from any source distribution. ++ * ++ * Jean-loup Gailly Mark Adler ++ * jloup@gzip.org madler@alumni.caltech.edu ++ */ ++FUNC(int, compress, (Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen), (dest, destLen, source, sourceLen)) ++FUNC(uLong, compressBound, (uLong sourceLen), (sourceLen)) ++FUNC(int, uncompress, (Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen), (dest, destLen, source, sourceLen)) +diff --git a/lib/dlwrap/zstd.c b/lib/dlwrap/zstd.c +new file mode 100644 +index 0000000000..2ea7252975 +--- /dev/null ++++ b/lib/dlwrap/zstd.c +@@ -0,0 +1,182 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include "zstd.h" ++ ++#if defined(GNUTLS_ZSTD_ENABLE_DLOPEN) && GNUTLS_ZSTD_ENABLE_DLOPEN ++ ++#include ++#include ++#include ++#include ++ ++/* If ZSTD_LIBRARY_SONAME is defined, dlopen handle can be automatically ++ * set; otherwise, the caller needs to call ++ * gnutls_zstd_ensure_library with soname determined at run time. ++ */ ++#ifdef ZSTD_LIBRARY_SONAME ++ ++static void ++ensure_library (void) ++{ ++ if (gnutls_zstd_ensure_library (ZSTD_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ abort (); ++} ++ ++#if defined(GNUTLS_ZSTD_ENABLE_PTHREAD) && GNUTLS_ZSTD_ENABLE_PTHREAD ++#include ++ ++static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; ++ ++#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library) ++ ++#else /* GNUTLS_ZSTD_ENABLE_PTHREAD */ ++ ++#define ENSURE_LIBRARY do { \ ++ if (!gnutls_zstd_dlhandle) \ ++ ensure_library(); \ ++ } while (0) ++ ++#endif /* !GNUTLS_ZSTD_ENABLE_PTHREAD */ ++ ++#else /* ZSTD_LIBRARY_SONAME */ ++ ++#define ENSURE_LIBRARY do {} while (0) ++ ++#endif /* !ZSTD_LIBRARY_SONAME */ ++ ++static void *gnutls_zstd_dlhandle; ++ ++/* Define redirection symbols */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#if (2 <= __GNUC__ || (4 <= __clang_major__)) ++#define FUNC(ret, name, args, cargs) \ ++ static __typeof__(name)(*gnutls_zstd_sym_##name); ++#else ++#define FUNC(ret, name, args, cargs) \ ++ static ret(*gnutls_zstd_sym_##name)args; ++#endif ++#define VOID_FUNC FUNC ++#include "zstdfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++/* Define redirection wrapper functions */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ret gnutls_zstd_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_zstd_sym_##name); \ ++ return gnutls_zstd_sym_##name cargs; \ ++} ++#define VOID_FUNC(ret, name, args, cargs) \ ++ret gnutls_zstd_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_zstd_sym_##name); \ ++ gnutls_zstd_sym_##name cargs; \ ++} ++#include "zstdfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++static int ++ensure_symbol (const char *name, void **symp) ++{ ++ if (!*symp) ++ { ++ void *sym = dlsym (gnutls_zstd_dlhandle, name); ++ if (!sym) ++ return -errno; ++ *symp = sym; ++ } ++ return 0; ++} ++ ++int ++gnutls_zstd_ensure_library (const char *soname, int flags) ++{ ++ int err; ++ ++ if (!gnutls_zstd_dlhandle) ++ { ++ gnutls_zstd_dlhandle = dlopen (soname, flags); ++ if (!gnutls_zstd_dlhandle) ++ return -errno; ++ } ++ ++#define ENSURE_SYMBOL(name) \ ++ ensure_symbol(#name, (void **)&gnutls_zstd_sym_##name) ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ return err; ++#define VOID_FUNC FUNC ++#include "zstdfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef ENSURE_SYMBOL ++ return 0; ++} ++ ++void ++gnutls_zstd_unload_library (void) ++{ ++ if (gnutls_zstd_dlhandle) ++ dlclose (gnutls_zstd_dlhandle); ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ gnutls_zstd_sym_##name = NULL; ++#define VOID_FUNC FUNC ++#include "zstdfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef RESET_SYMBOL ++} ++ ++#else /* GNUTLS_ZSTD_ENABLE_DLOPEN */ ++ ++int ++gnutls_zstd_ensure_library (const char *soname, int flags) ++{ ++ (void) soname; ++ (void) flags; ++ return 0; ++} ++ ++void ++gnutls_zstd_unload_library (void) ++{ ++} ++ ++#endif /* !GNUTLS_ZSTD_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zstd.h b/lib/dlwrap/zstd.h +new file mode 100644 +index 0000000000..80ac2fbd46 +--- /dev/null ++++ b/lib/dlwrap/zstd.h +@@ -0,0 +1,47 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifndef GNUTLS_LIB_DLWRAP_ZSTD_H_ ++#define GNUTLS_LIB_DLWRAP_ZSTD_H_ ++ ++#include ++ ++#if defined(GNUTLS_ZSTD_ENABLE_DLOPEN) && GNUTLS_ZSTD_ENABLE_DLOPEN ++ ++#define FUNC(ret, name, args, cargs) \ ++ ret gnutls_zstd_func_##name args; ++#define VOID_FUNC FUNC ++#include "zstdfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#define GNUTLS_ZSTD_FUNC(name) gnutls_zstd_func_##name ++ ++#else ++ ++#define GNUTLS_ZSTD_FUNC(name) name ++ ++#endif /* GNUTLS_ZSTD_ENABLE_DLOPEN */ ++ ++/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary ++ * symbols are resolved. ++ * ++ * Returns 0 on success; negative error code otherwise. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++int gnutls_zstd_ensure_library (const char *soname, int flags); ++ ++/* Unload library and reset symbols. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++void gnutls_zstd_unload_library (void); ++ ++#endif /* GNUTLS_LIB_DLWRAP_ZSTD_H_ */ +diff --git a/lib/dlwrap/zstdfuncs.h b/lib/dlwrap/zstdfuncs.h +new file mode 100644 +index 0000000000..8e3eb9ff59 +--- /dev/null ++++ b/lib/dlwrap/zstdfuncs.h +@@ -0,0 +1,15 @@ ++/* ++ * This file was automatically generated from zstd.h, ++ * which is covered by the following license: ++ * Copyright (c) Meta Platforms, Inc. and affiliates. ++ * All rights reserved. ++ * ++ * This source code is licensed under both the BSD-style license (found in the ++ * LICENSE file in the root directory of this source tree) and the GPLv2 (found ++ * in the COPYING file in the root directory of this source tree). ++ * You may select, at your option, one of the above-listed licenses. ++ */ ++FUNC(size_t, ZSTD_compress, (void *dst, size_t dstCapacity, const void *src, size_t srcSize, int compressionLevel), (dst, dstCapacity, src, srcSize, compressionLevel)) ++FUNC(size_t, ZSTD_decompress, (void *dst, size_t dstCapacity, const void *src, size_t compressedSize), (dst, dstCapacity, src, compressedSize)) ++FUNC(size_t, ZSTD_compressBound, (size_t srcSize), (srcSize)) ++FUNC(unsigned int, ZSTD_isError, (size_t code), (code)) +-- +2.45.2 + diff --git a/gnutls.spec b/gnutls.spec index 3bb7052..30a0423 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -18,6 +18,7 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +Patch: gnutls-3.8.6-compression-dlwrap.patch %bcond_without bootstrap %bcond_without dane From b07c9547bac310479a748b98ce5ae62098cc1193 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 22 Jul 2024 16:07:37 +0900 Subject: [PATCH 117/152] Enable X25519Kyber768Draft00 key exchange in TLS Signed-off-by: Daiki Ueno --- gnutls-3.8.6-liboqs-x25519-kyber768d00.patch | 3111 ++++++++++++++++++ gnutls.spec | 10 + 2 files changed, 3121 insertions(+) create mode 100644 gnutls-3.8.6-liboqs-x25519-kyber768d00.patch diff --git a/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch b/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch new file mode 100644 index 0000000..bae07b7 --- /dev/null +++ b/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch @@ -0,0 +1,3111 @@ +From 39dad633e6acb18c3853b7cb182324ccd250ba46 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 31 May 2024 09:18:27 +0900 +Subject: [PATCH 1/2] build: plumb liboqs as an optional dependency + +This exposes OQS functions necessary to implement Kyber768 through +dlopen with stub implementation for lower-level cryptographic +primitives, such as SHA3 and DRBG. + +Signed-off-by: Daiki Ueno +--- + .gitignore | 1 + + cfg.mk | 2 +- + configure.ac | 37 ++++ + devel/dlwrap/oqs.syms | 9 + + devel/generate-dlwrap.sh | 3 + + devel/indent-gnutls | 2 +- + lib/Makefile.am | 14 ++ + lib/dlwrap/oqs.c | 182 ++++++++++++++++ + lib/dlwrap/oqs.h | 53 +++++ + lib/dlwrap/oqsfuncs.h | 14 ++ + lib/global.c | 8 + + lib/liboqs/Makefile.am | 43 ++++ + lib/liboqs/backport/sha3_ops.h | 256 ++++++++++++++++++++++ + lib/liboqs/liboqs.c | 41 ++++ + lib/liboqs/liboqs.h | 27 +++ + lib/liboqs/rand.c | 43 ++++ + lib/liboqs/rand.h | 27 +++ + lib/liboqs/sha3.c | 373 +++++++++++++++++++++++++++++++++ + lib/liboqs/sha3.h | 27 +++ + 19 files changed, 1160 insertions(+), 2 deletions(-) + create mode 100644 devel/dlwrap/oqs.syms + create mode 100644 lib/dlwrap/oqs.c + create mode 100644 lib/dlwrap/oqs.h + create mode 100644 lib/dlwrap/oqsfuncs.h + create mode 100644 lib/liboqs/Makefile.am + create mode 100644 lib/liboqs/backport/sha3_ops.h + create mode 100644 lib/liboqs/liboqs.c + create mode 100644 lib/liboqs/liboqs.h + create mode 100644 lib/liboqs/rand.c + create mode 100644 lib/liboqs/rand.h + create mode 100644 lib/liboqs/sha3.c + create mode 100644 lib/liboqs/sha3.h + +diff --git a/cfg.mk b/cfg.mk +index 1b94279633..88f6df480d 100644 +--- a/cfg.mk ++++ b/cfg.mk +@@ -24,7 +24,7 @@ PACKAGE ?= gnutls + + .PHONY: config glimport + +-INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e ^./build-aux/ -e ^./config.h -e ^./devel/ -e ^./gnulib -e ^./lib/minitasn1/ -e ^./lib/includes/gnutls/gnutls.h -e ^./lib/nettle/backport/ -e ^./lib/priority_options.h -e ^./lib/unistring/ -e ^./lib/x509/supported_exts.h -e ^./lib/build-aux/ -e ^./lib/dlwrap/ -e ^./gl/ -e ^./src/gl/ -e ^./src/.*-options.[ch] -e -args.[ch] -e asn1_tab.c -e ^./tests/suite/` ++INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e ^./build-aux/ -e ^./config.h -e ^./devel/ -e ^./gnulib -e ^./lib/minitasn1/ -e ^./lib/includes/gnutls/gnutls.h -e ^./lib/nettle/backport/ -e ^./lib/priority_options.h -e ^./lib/unistring/ -e ^./lib/x509/supported_exts.h -e ^./lib/build-aux/ -e ^./lib/dlwrap/ -e ^./lib/liboqs/backport/ -e ^./gl/ -e ^./src/gl/ -e ^./src/.*-options.[ch] -e -args.[ch] -e asn1_tab.c -e ^./tests/suite/` + + ifeq ($(.DEFAULT_GOAL),abort-due-to-no-makefile) + .DEFAULT_GOAL := bootstrap +diff --git a/configure.ac b/configure.ac +index fb0aefe1f4..145eada690 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1185,6 +1185,41 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + CFLAGS="$save_CFLAGS" + ]) + ++AC_ARG_WITH(liboqs, ++ AS_HELP_STRING([--with-liboqs], ++ [Enable liboqs support.]), ++ [with_liboqs=$withval], [with_liboqs=no]) ++AS_IF([test "$with_liboqs" != "no"], [PKG_CHECK_MODULES(LIBOQS, [liboqs >= 0.10.1], [have_liboqs=yes], [have_liboqs=no])]) ++AS_IF([test "$have_liboqs" = "yes"], [AC_DEFINE([HAVE_LIBOQS], 1, [Have liboqs])], ++ [test "$with_liboqs" = "yes"], [AC_MSG_ERROR([[ ++*** ++*** liboqs support was requested but the required libraries were not found. ++*** ]])]) ++ ++save_CFLAGS=$CFLAGS ++CFLAGS="$CFLAGS $LIBOQS_CFLAGS" ++AC_CHECK_DECLS([OQS_SHA3_set_callbacks]) ++CFLAGS="$save_CFLAGS" ++ ++# liboqs 0.10.1 didn't expose OQS_SHA3_set_callbacks from the header ++# file, so extra treatment is needed: ++# https://github.com/open-quantum-safe/liboqs/pull/1832 ++AM_CONDITIONAL(NEED_LIBOQS_SHA3_OPS_H, test "$ac_cv_have_decl_OQS_SHA3_set_callbacks" != yes) ++ ++AM_CONDITIONAL(ENABLE_LIBOQS, test "$have_liboqs" = "yes") ++ ++AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ ++ save_CFLAGS=$CFLAGS ++ CFLAGS="$CFLAGS $LIBOQS_CFLAGS" ++ save_LIBS=$LIBS ++ LIBS="$LIBS $LIBOQS_LIBS" ++ LIBGNUTLS_CHECK_SONAME([oqs], [AC_LANG_PROGRAM([ ++ #include ],[ ++ OQS_version ();])]) ++ LIBS="$save_LIBS" ++ CFLAGS="$save_CFLAGS" ++]) ++ + AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes) + + # export for use in scripts +@@ -1382,6 +1417,7 @@ AC_CONFIG_FILES([ + lib/gnutls.pc + lib/includes/Makefile + lib/includes/gnutls/gnutls.h ++ lib/liboqs/Makefile + lib/minitasn1/Makefile + lib/nettle/Makefile + lib/x509/Makefile +@@ -1463,6 +1499,7 @@ if features are disabled) + Non-SuiteB curves: $enable_non_suiteb + FIPS140 mode: $enable_fips + Strict DER time: $ac_strict_der_time ++ liboqs: $have_liboqs + ]) + + AC_MSG_NOTICE([Optional libraries: +diff --git a/devel/dlwrap/oqs.syms b/devel/dlwrap/oqs.syms +new file mode 100644 +index 0000000000..8f067b2dd3 +--- /dev/null ++++ b/devel/dlwrap/oqs.syms +@@ -0,0 +1,9 @@ ++OQS_SHA3_set_callbacks ++OQS_init ++OQS_destroy ++OQS_KEM_new ++OQS_KEM_encaps ++OQS_KEM_decaps ++OQS_KEM_keypair ++OQS_KEM_free ++OQS_randombytes_custom_algorithm +\ No newline at end of file +diff --git a/devel/generate-dlwrap.sh b/devel/generate-dlwrap.sh +index dbcf870612..3e253d9228 100755 +--- a/devel/generate-dlwrap.sh ++++ b/devel/generate-dlwrap.sh +@@ -35,3 +35,6 @@ echo "Generating $DST/brotlidec.h" + + "$DLWRAP" --input /usr/include/brotli/decode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlidec.syms" --license-file "$SRC/brotli.license" --soname BROTLIDEC_LIBRARY_SONAME --prefix gnutls_brotlidec --loader-basename brotlidec --header-guard GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ --include "" + ++echo "Generating $DST/oqs.h" ++ ++"$DLWRAP" --input /usr/include/oqs/oqs.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/oqs.syms" --license "SPDX-License-Identifier: MIT" --soname OQS_LIBRARY_SONAME --prefix gnutls_oqs --header-guard GNUTLS_LIB_DLWRAP_OQS_H_ --include "" +diff --git a/lib/Makefile.am b/lib/Makefile.am +index d1bd07248e..067772c322 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -29,6 +29,10 @@ if ENABLE_MINITASN1 + SUBDIRS += minitasn1 + endif + ++if ENABLE_LIBOQS ++SUBDIRS += liboqs ++endif ++ + localedir = $(datadir)/locale + + include $(top_srcdir)/lib/common.mk +@@ -119,6 +123,16 @@ thirdparty_libadd += $(LIBBROTLIDEC_LIBS) + endif + endif + ++if ENABLE_LIBOQS ++COBJECTS += dlwrap/oqs.c dlwrap/oqsfuncs.h dlwrap/oqs.h ++ ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(LIBOQS_CFLAGS) -DGNUTLS_OQS_ENABLE_DLOPEN=1 ++else ++thirdparty_libadd += $(LIBOQS_LIBS) ++endif ++endif ++ + if ENABLE_GOST + COBJECTS += vko.c + endif +diff --git a/lib/dlwrap/oqs.c b/lib/dlwrap/oqs.c +new file mode 100644 +index 0000000000..d7fcc9c80c +--- /dev/null ++++ b/lib/dlwrap/oqs.c +@@ -0,0 +1,182 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include "oqs.h" ++ ++#if defined(GNUTLS_OQS_ENABLE_DLOPEN) && GNUTLS_OQS_ENABLE_DLOPEN ++ ++#include ++#include ++#include ++#include ++ ++/* If OQS_LIBRARY_SONAME is defined, dlopen handle can be automatically ++ * set; otherwise, the caller needs to call ++ * gnutls_oqs_ensure_library with soname determined at run time. ++ */ ++#ifdef OQS_LIBRARY_SONAME ++ ++static void ++ensure_library (void) ++{ ++ if (gnutls_oqs_ensure_library (OQS_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ abort (); ++} ++ ++#if defined(GNUTLS_OQS_ENABLE_PTHREAD) && GNUTLS_OQS_ENABLE_PTHREAD ++#include ++ ++static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; ++ ++#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library) ++ ++#else /* GNUTLS_OQS_ENABLE_PTHREAD */ ++ ++#define ENSURE_LIBRARY do { \ ++ if (!gnutls_oqs_dlhandle) \ ++ ensure_library(); \ ++ } while (0) ++ ++#endif /* !GNUTLS_OQS_ENABLE_PTHREAD */ ++ ++#else /* OQS_LIBRARY_SONAME */ ++ ++#define ENSURE_LIBRARY do {} while (0) ++ ++#endif /* !OQS_LIBRARY_SONAME */ ++ ++static void *gnutls_oqs_dlhandle; ++ ++/* Define redirection symbols */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#if (2 <= __GNUC__ || (4 <= __clang_major__)) ++#define FUNC(ret, name, args, cargs) \ ++ static __typeof__(name)(*gnutls_oqs_sym_##name); ++#else ++#define FUNC(ret, name, args, cargs) \ ++ static ret(*gnutls_oqs_sym_##name)args; ++#endif ++#define VOID_FUNC FUNC ++#include "oqsfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++/* Define redirection wrapper functions */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ret gnutls_oqs_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_oqs_sym_##name); \ ++ return gnutls_oqs_sym_##name cargs; \ ++} ++#define VOID_FUNC(ret, name, args, cargs) \ ++ret gnutls_oqs_func_##name args \ ++{ \ ++ ENSURE_LIBRARY; \ ++ assert (gnutls_oqs_sym_##name); \ ++ gnutls_oqs_sym_##name cargs; \ ++} ++#include "oqsfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++static int ++ensure_symbol (const char *name, void **symp) ++{ ++ if (!*symp) ++ { ++ void *sym = dlsym (gnutls_oqs_dlhandle, name); ++ if (!sym) ++ return -errno; ++ *symp = sym; ++ } ++ return 0; ++} ++ ++int ++gnutls_oqs_ensure_library (const char *soname, int flags) ++{ ++ int err; ++ ++ if (!gnutls_oqs_dlhandle) ++ { ++ gnutls_oqs_dlhandle = dlopen (soname, flags); ++ if (!gnutls_oqs_dlhandle) ++ return -errno; ++ } ++ ++#define ENSURE_SYMBOL(name) \ ++ ensure_symbol(#name, (void **)&gnutls_oqs_sym_##name) ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ return err; ++#define VOID_FUNC FUNC ++#include "oqsfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef ENSURE_SYMBOL ++ return 0; ++} ++ ++void ++gnutls_oqs_unload_library (void) ++{ ++ if (gnutls_oqs_dlhandle) ++ dlclose (gnutls_oqs_dlhandle); ++ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-macros" ++ ++#define FUNC(ret, name, args, cargs) \ ++ gnutls_oqs_sym_##name = NULL; ++#define VOID_FUNC FUNC ++#include "oqsfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#pragma GCC diagnostic pop ++ ++#undef RESET_SYMBOL ++} ++ ++#else /* GNUTLS_OQS_ENABLE_DLOPEN */ ++ ++int ++gnutls_oqs_ensure_library (const char *soname, int flags) ++{ ++ (void) soname; ++ (void) flags; ++ return 0; ++} ++ ++void ++gnutls_oqs_unload_library (void) ++{ ++} ++ ++#endif /* !GNUTLS_OQS_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/oqs.h b/lib/dlwrap/oqs.h +new file mode 100644 +index 0000000000..6a1d8e0766 +--- /dev/null ++++ b/lib/dlwrap/oqs.h +@@ -0,0 +1,53 @@ ++/* ++ * Copying and distribution of this file, with or without modification, ++ * are permitted in any medium without royalty provided the copyright ++ * notice and this notice are preserved. This file is offered as-is, ++ * without any warranty. ++ */ ++ ++#ifndef GNUTLS_LIB_DLWRAP_OQS_H_ ++#define GNUTLS_LIB_DLWRAP_OQS_H_ ++ ++/* Local modification: remove this once liboqs 0.10.2 is released */ ++#include "config.h" ++#if !HAVE_DECL_OQS_SHA3_SET_CALLBACKS ++#include "liboqs/backport/sha3_ops.h" ++#endif ++ ++#include ++ ++#if defined(GNUTLS_OQS_ENABLE_DLOPEN) && GNUTLS_OQS_ENABLE_DLOPEN ++ ++#define FUNC(ret, name, args, cargs) \ ++ ret gnutls_oqs_func_##name args; ++#define VOID_FUNC FUNC ++#include "oqsfuncs.h" ++#undef VOID_FUNC ++#undef FUNC ++ ++#define GNUTLS_OQS_FUNC(name) gnutls_oqs_func_##name ++ ++#else ++ ++#define GNUTLS_OQS_FUNC(name) name ++ ++#endif /* GNUTLS_OQS_ENABLE_DLOPEN */ ++ ++/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary ++ * symbols are resolved. ++ * ++ * Returns 0 on success; negative error code otherwise. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++int gnutls_oqs_ensure_library (const char *soname, int flags); ++ ++/* Unload library and reset symbols. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++void gnutls_oqs_unload_library (void); ++ ++#endif /* GNUTLS_LIB_DLWRAP_OQS_H_ */ +diff --git a/lib/dlwrap/oqsfuncs.h b/lib/dlwrap/oqsfuncs.h +new file mode 100644 +index 0000000000..95c1b083dc +--- /dev/null ++++ b/lib/dlwrap/oqsfuncs.h +@@ -0,0 +1,14 @@ ++/* ++ * This file was automatically generated from oqs.h, ++ * which is covered by the following license: ++ * SPDX-License-Identifier: MIT ++ */ ++VOID_FUNC(void, OQS_init, (void), ()) ++VOID_FUNC(void, OQS_destroy, (void), ()) ++VOID_FUNC(void, OQS_SHA3_set_callbacks, (struct OQS_SHA3_callbacks *new_callbacks), (new_callbacks)) ++VOID_FUNC(void, OQS_randombytes_custom_algorithm, (void (*algorithm_ptr)(uint8_t *, size_t)), (algorithm_ptr)) ++FUNC(OQS_KEM *, OQS_KEM_new, (const char *method_name), (method_name)) ++FUNC(OQS_STATUS, OQS_KEM_keypair, (const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key), (kem, public_key, secret_key)) ++FUNC(OQS_STATUS, OQS_KEM_encaps, (const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key), (kem, ciphertext, shared_secret, public_key)) ++FUNC(OQS_STATUS, OQS_KEM_decaps, (const OQS_KEM *kem, uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key), (kem, shared_secret, ciphertext, secret_key)) ++VOID_FUNC(void, OQS_KEM_free, (OQS_KEM *kem), (kem)) +diff --git a/lib/global.c b/lib/global.c +index b434140bbf..ae2f7f54dc 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -41,6 +41,7 @@ + #include "system-keys.h" + #include "str.h" + #include "global.h" ++#include "liboqs/liboqs.h" + + /* Minimum library versions we accept. */ + #define GNUTLS_MIN_LIBTASN1_VERSION "0.3.4" +@@ -328,6 +329,10 @@ static int _gnutls_global_init(unsigned constructor) + goto out; + } + ++#ifdef HAVE_LIBOQS ++ _gnutls_liboqs_init(); ++#endif ++ + #ifndef _WIN32 + ret = _gnutls_register_fork_handler(); + if (ret < 0) { +@@ -444,6 +449,9 @@ static void _gnutls_global_deinit(unsigned destructor) + #ifdef HAVE_TPM2 + _gnutls_tpm2_deinit(); + #endif ++#ifdef HAVE_LIBOQS ++ _gnutls_liboqs_deinit(); ++#endif + + _gnutls_nss_keylog_deinit(); + } else { +diff --git a/lib/liboqs/Makefile.am b/lib/liboqs/Makefile.am +new file mode 100644 +index 0000000000..a20e7cbdf9 +--- /dev/null ++++ b/lib/liboqs/Makefile.am +@@ -0,0 +1,43 @@ ++## Process this file with automake to produce Makefile.in ++# Copyright (C) 2004-2012 Free Software Foundation, Inc. ++# Copyright (C) 2024 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GNUTLS. ++# ++# The GNUTLS library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public License ++# as published by the Free Software Foundation; either version 3 of ++# the License, or (at your option) any later version. ++# ++# The GNUTLS library is distributed in the hope that it will be ++# useful, but WITHOUT ANY WARRANTY; without even the implied warranty ++# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program. If not, see ++ ++include $(top_srcdir)/lib/common.mk ++ ++AM_CFLAGS += $(LIBOQS_CFLAGS) ++ ++AM_CPPFLAGS = \ ++ -I$(srcdir)/../../gl \ ++ -I$(builddir)/../../gl \ ++ -I$(srcdir)/../includes \ ++ -I$(builddir)/../includes \ ++ -I$(srcdir)/.. ++ ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(LIBOQS_CFLAGS) -DGNUTLS_OQS_ENABLE_DLOPEN=1 ++endif ++ ++noinst_LTLIBRARIES = libcrypto.la ++ ++libcrypto_la_SOURCES = liboqs.h liboqs.c rand.h rand.c sha3.h sha3.c ++ ++if NEED_LIBOQS_SHA3_OPS_H ++libcrypto_la_SOURCES += backport/sha3_ops.h ++endif +diff --git a/lib/liboqs/backport/sha3_ops.h b/lib/liboqs/backport/sha3_ops.h +new file mode 100644 +index 0000000000..694fc21873 +--- /dev/null ++++ b/lib/liboqs/backport/sha3_ops.h +@@ -0,0 +1,256 @@ ++/** ++ * \file sha3_ops.h ++ * \brief Header defining the callback API for OQS SHA3 and SHAKE ++ * ++ * \author John Underhill, Douglas Stebila ++ * ++ * SPDX-License-Identifier: MIT ++ */ ++ ++#ifndef OQS_SHA3_OPS_H ++#define OQS_SHA3_OPS_H ++ ++#include ++#include ++ ++#include ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++/** Data structure for the state of the incremental SHA3-256 API. */ ++typedef struct { ++ /** Internal state. */ ++ void *ctx; ++} OQS_SHA3_sha3_256_inc_ctx; ++ ++/** Data structure for the state of the incremental SHA3-384 API. */ ++typedef struct { ++ /** Internal state. */ ++ void *ctx; ++} OQS_SHA3_sha3_384_inc_ctx; ++ ++/** Data structure for the state of the incremental SHA3-512 API. */ ++typedef struct { ++ /** Internal state. */ ++ void *ctx; ++} OQS_SHA3_sha3_512_inc_ctx; ++ ++/** Data structure for the state of the incremental SHAKE-128 API. */ ++typedef struct { ++ /** Internal state. */ ++ void *ctx; ++} OQS_SHA3_shake128_inc_ctx; ++ ++/** Data structure for the state of the incremental SHAKE-256 API. */ ++typedef struct { ++ /** Internal state. */ ++ void *ctx; ++} OQS_SHA3_shake256_inc_ctx; ++ ++/** Data structure implemented by cryptographic provider for SHA-3 operations. ++ */ ++struct OQS_SHA3_callbacks { ++ /** ++ * Implementation of function OQS_SHA3_sha3_256. ++ */ ++ void (*SHA3_sha3_256)(uint8_t *output, const uint8_t *input, size_t inplen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_init. ++ */ ++ void (*SHA3_sha3_256_inc_init)(OQS_SHA3_sha3_256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_absorb. ++ */ ++ void (*SHA3_sha3_256_inc_absorb)(OQS_SHA3_sha3_256_inc_ctx *state, const uint8_t *input, size_t inlen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_finalize. ++ */ ++ void (*SHA3_sha3_256_inc_finalize)(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_ctx_release. ++ */ ++ void (*SHA3_sha3_256_inc_ctx_release)(OQS_SHA3_sha3_256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_ctx_reset. ++ */ ++ void (*SHA3_sha3_256_inc_ctx_reset)(OQS_SHA3_sha3_256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_256_inc_ctx_clone. ++ */ ++ void (*SHA3_sha3_256_inc_ctx_clone)(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384. ++ */ ++ void (*SHA3_sha3_384)(uint8_t *output, const uint8_t *input, size_t inplen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_init. ++ */ ++ void (*SHA3_sha3_384_inc_init)(OQS_SHA3_sha3_384_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_absorb. ++ */ ++ void (*SHA3_sha3_384_inc_absorb)(OQS_SHA3_sha3_384_inc_ctx *state, const uint8_t *input, size_t inlen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_finalize. ++ */ ++ void (*SHA3_sha3_384_inc_finalize)(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_ctx_release. ++ */ ++ void (*SHA3_sha3_384_inc_ctx_release)(OQS_SHA3_sha3_384_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_ctx_reset. ++ */ ++ void (*SHA3_sha3_384_inc_ctx_reset)(OQS_SHA3_sha3_384_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_384_inc_ctx_clone. ++ */ ++ void (*SHA3_sha3_384_inc_ctx_clone)(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512. ++ */ ++ void (*SHA3_sha3_512)(uint8_t *output, const uint8_t *input, size_t inplen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_init. ++ */ ++ void (*SHA3_sha3_512_inc_init)(OQS_SHA3_sha3_512_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_absorb. ++ */ ++ void (*SHA3_sha3_512_inc_absorb)(OQS_SHA3_sha3_512_inc_ctx *state, const uint8_t *input, size_t inlen); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_finalize. ++ */ ++ void (*SHA3_sha3_512_inc_finalize)(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_ctx_release. ++ */ ++ void (*SHA3_sha3_512_inc_ctx_release)(OQS_SHA3_sha3_512_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_ctx_reset. ++ */ ++ void (*SHA3_sha3_512_inc_ctx_reset)(OQS_SHA3_sha3_512_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_sha3_512_inc_ctx_clone. ++ */ ++ void (*SHA3_sha3_512_inc_ctx_clone)(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128. ++ */ ++ void (*SHA3_shake128)(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_init. ++ */ ++ void (*SHA3_shake128_inc_init)(OQS_SHA3_shake128_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_absorb. ++ */ ++ void (*SHA3_shake128_inc_absorb)(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_finalize. ++ */ ++ void (*SHA3_shake128_inc_finalize)(OQS_SHA3_shake128_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_squeeze. ++ */ ++ void (*SHA3_shake128_inc_squeeze)(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_ctx_release. ++ */ ++ void (*SHA3_shake128_inc_ctx_release)(OQS_SHA3_shake128_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_ctx_clone. ++ */ ++ void (*SHA3_shake128_inc_ctx_clone)(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake128_inc_ctx_reset. ++ */ ++ void (*SHA3_shake128_inc_ctx_reset)(OQS_SHA3_shake128_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256. ++ */ ++ void (*SHA3_shake256)(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_init. ++ */ ++ void (*SHA3_shake256_inc_init)(OQS_SHA3_shake256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_absorb. ++ */ ++ void (*SHA3_shake256_inc_absorb)(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_finalize. ++ */ ++ void (*SHA3_shake256_inc_finalize)(OQS_SHA3_shake256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_squeeze. ++ */ ++ void (*SHA3_shake256_inc_squeeze)(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_ctx_release. ++ */ ++ void (*SHA3_shake256_inc_ctx_release)(OQS_SHA3_shake256_inc_ctx *state); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_ctx_clone. ++ */ ++ void (*SHA3_shake256_inc_ctx_clone)(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src); ++ ++ /** ++ * Implementation of function OQS_SHA3_shake256_inc_ctx_reset. ++ */ ++ void (*SHA3_shake256_inc_ctx_reset)(OQS_SHA3_shake256_inc_ctx *state); ++}; ++ ++/** ++ * Set callback functions for SHA3 operations. ++ * ++ * This function may be called before OQS_init to switch the ++ * cryptographic provider for SHA3 operations. If it is not called, ++ * the default provider determined at build time will be used. ++ * ++ * @param new_callbacks Callback functions defined in OQS_SHA3_callbacks struct ++ */ ++OQS_API void OQS_SHA3_set_callbacks(struct OQS_SHA3_callbacks *new_callbacks); ++ ++#if defined(__cplusplus) ++} // extern "C" ++#endif ++ ++#endif // OQS_SHA3_OPS_H +diff --git a/lib/liboqs/liboqs.c b/lib/liboqs/liboqs.c +new file mode 100644 +index 0000000000..88f2369719 +--- /dev/null ++++ b/lib/liboqs/liboqs.c +@@ -0,0 +1,41 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#include "config.h" ++ ++#include "liboqs/liboqs.h" ++ ++#include "dlwrap/oqs.h" ++#include "liboqs/rand.h" ++#include "liboqs/sha3.h" ++ ++void _gnutls_liboqs_init(void) ++{ ++ _gnutls_liboqs_sha3_init(); ++ GNUTLS_OQS_FUNC(OQS_init)(); ++ _gnutls_liboqs_rand_init(); ++} ++ ++void _gnutls_liboqs_deinit(void) ++{ ++ _gnutls_liboqs_rand_deinit(); ++ _gnutls_liboqs_sha3_deinit(); ++ GNUTLS_OQS_FUNC(OQS_destroy)(); ++} +diff --git a/lib/liboqs/liboqs.h b/lib/liboqs/liboqs.h +new file mode 100644 +index 0000000000..b6c1659212 +--- /dev/null ++++ b/lib/liboqs/liboqs.h +@@ -0,0 +1,27 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_LIBOQS_LIBOQS_H ++#define GNUTLS_LIB_LIBOQS_LIBOQS_H ++ ++void _gnutls_liboqs_init(void); ++void _gnutls_liboqs_deinit(void); ++ ++#endif /* GNUTLS_LIB_LIBOQS_LIBOQS_H */ +diff --git a/lib/liboqs/rand.c b/lib/liboqs/rand.c +new file mode 100644 +index 0000000000..40496800ad +--- /dev/null ++++ b/lib/liboqs/rand.c +@@ -0,0 +1,43 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#include "config.h" ++ ++#include "liboqs/rand.h" ++ ++#include "dlwrap/oqs.h" ++#include "fips.h" ++#include ++#include ++ ++static void rand_bytes(uint8_t *data, size_t size) ++{ ++ if (gnutls_rnd(GNUTLS_RND_RANDOM, data, size) < 0) ++ _gnutls_switch_lib_state(LIB_STATE_ERROR); ++} ++ ++void _gnutls_liboqs_rand_init(void) ++{ ++ GNUTLS_OQS_FUNC(OQS_randombytes_custom_algorithm)(rand_bytes); ++} ++ ++void _gnutls_liboqs_rand_deinit(void) ++{ ++} +diff --git a/lib/liboqs/rand.h b/lib/liboqs/rand.h +new file mode 100644 +index 0000000000..b27ac23362 +--- /dev/null ++++ b/lib/liboqs/rand.h +@@ -0,0 +1,27 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_LIBOQS_RAND_H ++#define GNUTLS_LIB_LIBOQS_RAND_H ++ ++void _gnutls_liboqs_rand_init(void); ++void _gnutls_liboqs_rand_deinit(void); ++ ++#endif /* GNUTLS_LIB_LIBOQS_RAND_H */ +diff --git a/lib/liboqs/sha3.c b/lib/liboqs/sha3.c +new file mode 100644 +index 0000000000..9f5977e425 +--- /dev/null ++++ b/lib/liboqs/sha3.c +@@ -0,0 +1,373 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#include "config.h" ++ ++#include "liboqs/sha3.h" ++ ++#include "dlwrap/oqs.h" ++#include ++#include ++#include ++ ++/* SHA3-256 */ ++ ++static void SHA3_sha3_256(uint8_t *output, const uint8_t *input, size_t inplen) ++{ ++ gnutls_hash_fast(GNUTLS_DIG_SHA3_256, input, inplen, output); ++} ++ ++/* SHA3-256 incremental */ ++ ++static void SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHA3_256); ++ assert(ret == 0); ++ state->ctx = hd; ++} ++ ++static void SHA3_sha3_256_inc_absorb(OQS_SHA3_sha3_256_inc_ctx *state, ++ const uint8_t *input, size_t inplen) ++{ ++ int ret; ++ ++ ret = gnutls_hash((gnutls_hash_hd_t)state->ctx, input, inplen); ++ assert(ret == 0); ++} ++ ++static void SHA3_sha3_256_inc_finalize(uint8_t *output, ++ OQS_SHA3_sha3_256_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, output); ++} ++ ++static void SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state) ++{ ++ gnutls_hash_deinit((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static void SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, ++ const OQS_SHA3_sha3_256_inc_ctx *src) ++{ ++ dest->ctx = gnutls_hash_copy((gnutls_hash_hd_t)src->ctx); ++} ++ ++static void SHA3_sha3_256_inc_ctx_reset(OQS_SHA3_sha3_256_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++/* SHA3-384 */ ++ ++static void SHA3_sha3_384(uint8_t *output, const uint8_t *input, size_t inplen) ++{ ++ gnutls_hash_fast(GNUTLS_DIG_SHA3_384, input, inplen, output); ++} ++ ++/* SHA3-384 incremental */ ++static void SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHA3_384); ++ assert(ret == 0); ++ state->ctx = hd; ++} ++ ++static void SHA3_sha3_384_inc_absorb(OQS_SHA3_sha3_384_inc_ctx *state, ++ const uint8_t *input, size_t inplen) ++{ ++ int ret; ++ ++ ret = gnutls_hash((gnutls_hash_hd_t)state->ctx, input, inplen); ++ assert(ret == 0); ++} ++ ++static void SHA3_sha3_384_inc_finalize(uint8_t *output, ++ OQS_SHA3_sha3_384_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, output); ++} ++ ++static void SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state) ++{ ++ gnutls_hash_deinit((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static void SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, ++ const OQS_SHA3_sha3_384_inc_ctx *src) ++{ ++ dest->ctx = gnutls_hash_copy((gnutls_hash_hd_t)src->ctx); ++} ++ ++static void SHA3_sha3_384_inc_ctx_reset(OQS_SHA3_sha3_384_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++/* SHA3-512 */ ++ ++static void SHA3_sha3_512(uint8_t *output, const uint8_t *input, size_t inplen) ++{ ++ gnutls_hash_fast(GNUTLS_DIG_SHA3_512, input, inplen, output); ++} ++ ++/* SHA3-512 incremental */ ++ ++static void SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHA3_512); ++ assert(ret == 0); ++ state->ctx = hd; ++} ++ ++static void SHA3_sha3_512_inc_absorb(OQS_SHA3_sha3_512_inc_ctx *state, ++ const uint8_t *input, size_t inplen) ++{ ++ int ret; ++ ++ ret = gnutls_hash((gnutls_hash_hd_t)state->ctx, input, inplen); ++ assert(ret == 0); ++} ++ ++static void SHA3_sha3_512_inc_finalize(uint8_t *output, ++ OQS_SHA3_sha3_512_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, output); ++} ++ ++static void SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state) ++{ ++ gnutls_hash_deinit((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static void SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, ++ const OQS_SHA3_sha3_512_inc_ctx *src) ++{ ++ dest->ctx = gnutls_hash_copy((gnutls_hash_hd_t)src->ctx); ++} ++ ++static void SHA3_sha3_512_inc_ctx_reset(OQS_SHA3_sha3_512_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++/* SHAKE-128 */ ++ ++static void SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, ++ size_t inplen) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHAKE_128); ++ assert(ret == 0); ++ ++ ret = gnutls_hash(hd, input, inplen); ++ assert(ret == 0); ++ ++ ret = gnutls_hash_squeeze(hd, output, outlen); ++ assert(ret == 0); ++ ++ gnutls_hash_deinit(hd, NULL); ++} ++ ++/* SHAKE-128 incremental ++ */ ++ ++static void SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *state) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHAKE_128); ++ assert(ret == 0); ++ ++ state->ctx = hd; ++} ++ ++static void SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, ++ const uint8_t *input, size_t inplen) ++{ ++ int ret; ++ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++ ret = gnutls_hash((gnutls_hash_hd_t)state->ctx, input, inplen); ++ assert(ret == 0); ++} ++ ++static void SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state) ++{ ++ (void)state; ++} ++ ++static void SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, ++ OQS_SHA3_shake128_inc_ctx *state) ++{ ++ int ret; ++ ++ ret = gnutls_hash_squeeze((gnutls_hash_hd_t)state->ctx, output, outlen); ++ assert(ret == 0); ++} ++ ++static void SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) ++{ ++ gnutls_hash_deinit((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static void SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, ++ const OQS_SHA3_shake128_inc_ctx *src) ++{ ++ dest->ctx = gnutls_hash_copy((gnutls_hash_hd_t)src->ctx); ++} ++ ++static void SHA3_shake128_inc_ctx_reset(OQS_SHA3_shake128_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++/* SHAKE-256 */ ++ ++static void SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, ++ size_t inplen) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHAKE_256); ++ assert(ret == 0); ++ ++ ret = gnutls_hash(hd, input, inplen); ++ assert(ret == 0); ++ ++ ret = gnutls_hash_squeeze(hd, output, outlen); ++ assert(ret == 0); ++ ++ gnutls_hash_deinit(hd, NULL); ++} ++ ++/* SHAKE-256 incremental */ ++ ++static void SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *state) ++{ ++ gnutls_hash_hd_t hd; ++ int ret; ++ ++ ret = gnutls_hash_init(&hd, GNUTLS_DIG_SHAKE_256); ++ assert(ret == 0); ++ ++ state->ctx = hd; ++} ++ ++static void SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, ++ const uint8_t *input, size_t inplen) ++{ ++ int ret; ++ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++ ret = gnutls_hash((gnutls_hash_hd_t)state->ctx, input, inplen); ++ assert(ret == 0); ++} ++ ++static void SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state) ++{ ++ (void)state; ++} ++ ++static void SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, ++ OQS_SHA3_shake256_inc_ctx *state) ++{ ++ int ret; ++ ++ ret = gnutls_hash_squeeze((gnutls_hash_hd_t)state->ctx, output, outlen); ++ assert(ret == 0); ++} ++ ++static void SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) ++{ ++ gnutls_hash_deinit((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static void SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, ++ const OQS_SHA3_shake256_inc_ctx *src) ++{ ++ dest->ctx = gnutls_hash_copy((gnutls_hash_hd_t)src->ctx); ++} ++ ++static void SHA3_shake256_inc_ctx_reset(OQS_SHA3_shake256_inc_ctx *state) ++{ ++ gnutls_hash_output((gnutls_hash_hd_t)state->ctx, NULL); ++} ++ ++static struct OQS_SHA3_callbacks sha3_callbacks = { ++ SHA3_sha3_256, ++ SHA3_sha3_256_inc_init, ++ SHA3_sha3_256_inc_absorb, ++ SHA3_sha3_256_inc_finalize, ++ SHA3_sha3_256_inc_ctx_release, ++ SHA3_sha3_256_inc_ctx_reset, ++ SHA3_sha3_256_inc_ctx_clone, ++ SHA3_sha3_384, ++ SHA3_sha3_384_inc_init, ++ SHA3_sha3_384_inc_absorb, ++ SHA3_sha3_384_inc_finalize, ++ SHA3_sha3_384_inc_ctx_release, ++ SHA3_sha3_384_inc_ctx_reset, ++ SHA3_sha3_384_inc_ctx_clone, ++ SHA3_sha3_512, ++ SHA3_sha3_512_inc_init, ++ SHA3_sha3_512_inc_absorb, ++ SHA3_sha3_512_inc_finalize, ++ SHA3_sha3_512_inc_ctx_release, ++ SHA3_sha3_512_inc_ctx_reset, ++ SHA3_sha3_512_inc_ctx_clone, ++ SHA3_shake128, ++ SHA3_shake128_inc_init, ++ SHA3_shake128_inc_absorb, ++ SHA3_shake128_inc_finalize, ++ SHA3_shake128_inc_squeeze, ++ SHA3_shake128_inc_ctx_release, ++ SHA3_shake128_inc_ctx_clone, ++ SHA3_shake128_inc_ctx_reset, ++ SHA3_shake256, ++ SHA3_shake256_inc_init, ++ SHA3_shake256_inc_absorb, ++ SHA3_shake256_inc_finalize, ++ SHA3_shake256_inc_squeeze, ++ SHA3_shake256_inc_ctx_release, ++ SHA3_shake256_inc_ctx_clone, ++ SHA3_shake256_inc_ctx_reset, ++}; ++ ++void _gnutls_liboqs_sha3_init(void) ++{ ++ GNUTLS_OQS_FUNC(OQS_SHA3_set_callbacks)(&sha3_callbacks); ++} ++ ++void _gnutls_liboqs_sha3_deinit(void) ++{ ++} +diff --git a/lib/liboqs/sha3.h b/lib/liboqs/sha3.h +new file mode 100644 +index 0000000000..8b9058aa0d +--- /dev/null ++++ b/lib/liboqs/sha3.h +@@ -0,0 +1,27 @@ ++/* ++ * Copyright (C) 2024 Red Hat, Inc. ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ * ++ */ ++ ++#ifndef GNUTLS_LIB_LIBOQS_SHA3_H ++#define GNUTLS_LIB_LIBOQS_SHA3_H ++ ++void _gnutls_liboqs_sha3_init(void); ++void _gnutls_liboqs_sha3_deinit(void); ++ ++#endif /* GNUTLS_LIB_LIBOQS_SHA3_H */ +-- +2.45.2 + + +From 1bc78c387a9796e8248ffb644576074f8de4e6ad Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 2 Jun 2024 07:19:14 +0900 +Subject: [PATCH 2/2] key_share: support X25519Kyber768Draft00 + +This implements X25519Kyber768Draft00 hybrid post-quantum key exchange +in TLS 1.3, based on the draft: +https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/ + +Signed-off-by: Daiki Ueno +--- + lib/Makefile.am | 4 + + lib/algorithms/groups.c | 8 ++ + lib/algorithms/publickey.c | 6 ++ + lib/crypto-backend.h | 7 ++ + lib/ext/key_share.c | 148 ++++++++++++++++++++++++++-- + lib/gnutls_int.h | 2 + + lib/includes/gnutls/gnutls.h.in | 12 ++- + lib/nettle/Makefile.am | 4 + + lib/nettle/pk.c | 164 ++++++++++++++++++++++++++++++++ + lib/pk.h | 4 + + lib/state.c | 1 + + tests/Makefile.am | 4 + + tests/pqc-hybrid-kx.sh | 54 +++++++++++ + 13 files changed, 409 insertions(+), 9 deletions(-) + create mode 100644 tests/pqc-hybrid-kx.sh + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 067772c322..0e89fdf184 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -273,6 +273,10 @@ thirdparty_libadd += $(NETTLE_LIBS) $(HOGWEED_LIBS) $(GMP_LIBS) + libgnutls_la_LIBADD += nettle/libcrypto.la + endif + ++if ENABLE_LIBOQS ++libgnutls_la_LIBADD += liboqs/libcrypto.la ++endif ++ + if HAVE_LD_OUTPUT_DEF + libgnutls_la_LDFLAGS += -Wl,--output-def,libgnutls-$(DLL_VERSION).def + libgnutls-$(DLL_VERSION).def: libgnutls.la +diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c +index 9093de6eb2..a329c746e9 100644 +--- a/lib/algorithms/groups.c ++++ b/lib/algorithms/groups.c +@@ -169,6 +169,14 @@ static const gnutls_group_entry_st supported_groups[] = { + .q_bits = &gnutls_ffdhe_8192_key_bits, + .pk = GNUTLS_PK_DH, + .tls_id = 0x104 }, ++#endif ++#ifdef HAVE_LIBOQS ++ { .name = "X25519-KYBER768", ++ .id = GNUTLS_GROUP_EXP_X25519_KYBER768, ++ .curve = GNUTLS_ECC_CURVE_X25519, ++ .pk = GNUTLS_PK_ECDH_X25519, ++ .pk2 = GNUTLS_PK_EXP_KYBER768, ++ .tls_id = 0x6399 }, + #endif + { 0, 0, 0 } + }; +diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c +index 0ef0834933..10938bce0e 100644 +--- a/lib/algorithms/publickey.c ++++ b/lib/algorithms/publickey.c +@@ -202,6 +202,12 @@ static const gnutls_pk_entry pk_algorithms[] = { + .oid = ECDH_X448_OID, + .id = GNUTLS_PK_ECDH_X448, + .curve = GNUTLS_ECC_CURVE_X448 }, ++#ifdef HAVE_LIBOQS ++ { .name = "KYBER768", ++ .oid = NULL, ++ .id = GNUTLS_PK_EXP_KYBER768, ++ .curve = GNUTLS_ECC_CURVE_INVALID }, ++#endif + { .name = "UNKNOWN", + .oid = NULL, + .id = GNUTLS_PK_UNKNOWN, +diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h +index fd8ee0c728..5c0630adaa 100644 +--- a/lib/crypto-backend.h ++++ b/lib/crypto-backend.h +@@ -411,6 +411,13 @@ typedef struct gnutls_crypto_pk { + const gnutls_pk_params_st *pub, + const gnutls_datum_t *nonce, unsigned int flags); + ++ int (*encaps)(gnutls_pk_algorithm_t, gnutls_datum_t *ciphertext, ++ gnutls_datum_t *shared_secret, const gnutls_datum_t *pub); ++ ++ int (*decaps)(gnutls_pk_algorithm_t, gnutls_datum_t *shared_secret, ++ const gnutls_datum_t *ciphertext, ++ const gnutls_datum_t *priv); ++ + int (*curve_exists)(gnutls_ecc_curve_t); /* true/false */ + int (*pk_exists)(gnutls_pk_algorithm_t); /* true/false */ + int (*sign_exists)(gnutls_sign_algorithm_t); /* true/false */ +diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c +index 575ffaf8f2..6926cdd00e 100644 +--- a/lib/ext/key_share.c ++++ b/lib/ext/key_share.c +@@ -120,6 +120,8 @@ static int client_gen_key_share(gnutls_session_t session, + + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { ++ unsigned int length_pos; ++ + gnutls_pk_params_release(&session->key.kshare.ecdhx_params); + gnutls_pk_params_init(&session->key.kshare.ecdhx_params); + +@@ -129,6 +131,8 @@ static int client_gen_key_share(gnutls_session_t session, + if (ret < 0) + return gnutls_assert_val(ret); + ++ length_pos = extdata->length; ++ + ret = _gnutls_buffer_append_data_prefix( + extdata, 16, + session->key.kshare.ecdhx_params.raw_pub.data, +@@ -141,6 +145,33 @@ static int client_gen_key_share(gnutls_session_t session, + session->key.kshare.ecdhx_params.algo = group->pk; + session->key.kshare.ecdhx_params.curve = group->curve; + ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ gnutls_pk_params_release( ++ &session->key.kshare.kem_params); ++ gnutls_pk_params_init(&session->key.kshare.kem_params); ++ ++ ret = _gnutls_pk_generate_keys( ++ group->pk2, 0, &session->key.kshare.kem_params, ++ 1); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ ret = _gnutls_buffer_append_data( ++ extdata, ++ session->key.kshare.kem_params.raw_pub.data, ++ session->key.kshare.kem_params.raw_pub.size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* copy actual length */ ++ _gnutls_write_uint16(extdata->length - length_pos - 2, ++ &extdata->data[length_pos]); ++ } ++ + ret = 0; + + } else if (group->pk == GNUTLS_PK_DH) { +@@ -243,6 +274,10 @@ static int server_gen_key_share(gnutls_session_t session, + + } else if (group->pk == GNUTLS_PK_ECDH_X25519 || + group->pk == GNUTLS_PK_ECDH_X448) { ++ unsigned int length_pos; ++ ++ length_pos = extdata->length; ++ + ret = _gnutls_buffer_append_data_prefix( + extdata, 16, + session->key.kshare.ecdhx_params.raw_pub.data, +@@ -250,8 +285,22 @@ static int server_gen_key_share(gnutls_session_t session, + if (ret < 0) + return gnutls_assert_val(ret); + +- ret = 0; ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ ret = _gnutls_buffer_append_data( ++ extdata, ++ session->key.kshare.kem_params.raw_pub.data, ++ session->key.kshare.kem_params.raw_pub.size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + ++ /* copy actual length */ ++ _gnutls_write_uint16(extdata->length - length_pos - 2, ++ &extdata->data[length_pos]); ++ } ++ ++ ret = 0; + } else if (group->pk == GNUTLS_PK_DH) { + ret = _gnutls_buffer_append_prefix(extdata, 16, + group->prime->size); +@@ -333,9 +382,15 @@ static int server_use_key_share(gnutls_session_t session, + + curve = _gnutls_ecc_curve_get_params(group->curve); + +- if (curve->size != data_size) +- return gnutls_assert_val( +- GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ if (curve->size > data_size) ++ return gnutls_assert_val( ++ GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ } else { ++ if (curve->size != data_size) ++ return gnutls_assert_val( ++ GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ } + + /* generate our key */ + ret = _gnutls_pk_generate_keys( +@@ -351,7 +406,7 @@ static int server_use_key_share(gnutls_session_t session, + pub.curve = curve->id; + + pub.raw_pub.data = (void *)data; +- pub.raw_pub.size = data_size; ++ pub.raw_pub.size = curve->size; + + /* We don't mask the MSB in the final byte as required + * by RFC7748. This will be done internally by nettle 3.3 or later. +@@ -363,6 +418,50 @@ static int server_use_key_share(gnutls_session_t session, + return gnutls_assert_val(ret); + } + ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ gnutls_datum_t key; ++ gnutls_datum_t peer_pub; ++ ++ gnutls_pk_params_release( ++ &session->key.kshare.kem_params); ++ gnutls_pk_params_init(&session->key.kshare.kem_params); ++ ++ /* generate our key */ ++ ret = _gnutls_pk_generate_keys( ++ group->pk2, 0, &session->key.kshare.kem_params, ++ 1); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ /* server's public key is unused, but the raw_pub field ++ * is used to store ciphertext */ ++ gnutls_free( ++ session->key.kshare.kem_params.raw_pub.data); ++ ++ peer_pub.data = (uint8_t *)data + curve->size; ++ peer_pub.size = data_size - curve->size; ++ ++ ret = _gnutls_pk_encaps( ++ group->pk2, ++ &session->key.kshare.kem_params.raw_pub, &key, ++ &peer_pub); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ session->key.key.data = gnutls_realloc_fast( ++ session->key.key.data, ++ session->key.key.size + key.size); ++ if (!session->key.key.data) { ++ _gnutls_free_datum(&key); ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ memcpy(session->key.key.data + session->key.key.size, ++ key.data, key.size); ++ session->key.key.size += key.size; ++ _gnutls_free_datum(&key); ++ } ++ + ret = 0; + + } else if (group->pk == GNUTLS_PK_DH) { +@@ -496,9 +595,15 @@ static int client_use_key_share(gnutls_session_t session, + return gnutls_assert_val( + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (curve->size != data_size) +- return gnutls_assert_val( +- GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ if (curve->size > data_size) ++ return gnutls_assert_val( ++ GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ } else { ++ if (curve->size != data_size) ++ return gnutls_assert_val( ++ GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ++ } + + /* read the public key and generate shared */ + gnutls_pk_params_init(&pub); +@@ -519,6 +624,33 @@ static int client_use_key_share(gnutls_session_t session, + return gnutls_assert_val(ret); + } + ++ if (group->pk2 != GNUTLS_PK_UNKNOWN) { ++ gnutls_datum_t key; ++ gnutls_datum_t ciphertext; ++ ++ ciphertext.data = (uint8_t *)data + curve->size; ++ ciphertext.size = data_size - curve->size; ++ ++ ret = _gnutls_pk_decaps( ++ group->pk2, &key, &ciphertext, ++ &session->key.kshare.kem_params.raw_priv); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ session->key.key.data = gnutls_realloc_fast( ++ session->key.key.data, ++ session->key.key.size + key.size); ++ if (!session->key.key.data) { ++ _gnutls_free_datum(&key); ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ memcpy(session->key.key.data + session->key.key.size, ++ key.data, key.size); ++ session->key.key.size += key.size; ++ _gnutls_free_datum(&key); ++ } ++ + ret = 0; + + } else if (group->pk == GNUTLS_PK_DH) { +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index 258a08c842..5727739bdc 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -594,6 +594,7 @@ struct gnutls_key_st { + gnutls_pk_params_st ecdh_params; + gnutls_pk_params_st ecdhx_params; + gnutls_pk_params_st dh_params; ++ gnutls_pk_params_st kem_params; + } kshare; + + /* The union contents depend on the negotiated protocol. +@@ -764,6 +765,7 @@ typedef struct gnutls_group_entry_st { + const unsigned *q_bits; + gnutls_ecc_curve_t curve; + gnutls_pk_algorithm_t pk; ++ gnutls_pk_algorithm_t pk2; + unsigned tls_id; /* The RFC4492 namedCurve ID or TLS 1.3 group ID */ + } gnutls_group_entry_st; + +diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in +index 6b87610c44..790406e4df 100644 +--- a/lib/includes/gnutls/gnutls.h.in ++++ b/lib/includes/gnutls/gnutls.h.in +@@ -908,7 +908,12 @@ typedef enum { + GNUTLS_PK_ECDH_X448 = 11, + GNUTLS_PK_EDDSA_ED448 = 12, + GNUTLS_PK_RSA_OAEP = 13, +- GNUTLS_PK_MAX = GNUTLS_PK_RSA_OAEP ++ GNUTLS_PK_MAX = GNUTLS_PK_RSA_OAEP, ++ ++ /* Experimental algorithms */ ++ GNUTLS_PK_EXP_MIN = 256, ++ GNUTLS_PK_EXP_KYBER768 = GNUTLS_PK_EXP_MIN, ++ GNUTLS_PK_EXP_MAX = GNUTLS_PK_EXP_KYBER768 + } gnutls_pk_algorithm_t; + + const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm); +@@ -1136,6 +1141,11 @@ typedef enum { + GNUTLS_GROUP_FFDHE8192, + GNUTLS_GROUP_FFDHE6144, + GNUTLS_GROUP_MAX = GNUTLS_GROUP_FFDHE6144, ++ ++ /* Experimental algorithms */ ++ GNUTLS_GROUP_EXP_MIN = 512, ++ GNUTLS_GROUP_EXP_X25519_KYBER768 = GNUTLS_GROUP_EXP_MIN, ++ GNUTLS_GROUP_EXP_MAX = GNUTLS_GROUP_EXP_X25519_KYBER768 + } gnutls_group_t; + + /* macros to allow specifying a specific curve in gnutls_privkey_generate() +diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am +index b855c8c193..0f21823cb4 100644 +--- a/lib/nettle/Makefile.am ++++ b/lib/nettle/Makefile.am +@@ -36,6 +36,10 @@ if ENABLE_MINITASN1 + AM_CPPFLAGS += -I$(srcdir)/../minitasn1 + endif + ++if ENABLE_DLOPEN ++AM_CPPFLAGS += $(LIBOQS_CFLAGS) -DGNUTLS_OQS_ENABLE_DLOPEN=1 ++endif ++ + noinst_LTLIBRARIES = libcrypto.la + + libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \ +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index b317b790d7..4155a540ed 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -70,6 +70,9 @@ + #include "gnettle.h" + #include "fips.h" + #include "dh.h" ++#ifdef HAVE_LIBOQS ++#include "dlwrap/oqs.h" ++#endif + + static inline const struct ecc_curve *get_supported_nist_curve(int curve); + static inline const struct ecc_curve *get_supported_gost_curve(int curve); +@@ -687,6 +690,111 @@ cleanup: + return ret; + } + ++static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo, ++ gnutls_datum_t *ciphertext, ++ gnutls_datum_t *shared_secret, ++ const gnutls_datum_t *pub) ++{ ++ int ret; ++ ++ switch (algo) { ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: { ++ OQS_KEM *kem = NULL; ++ OQS_STATUS rc; ++ ++ kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); ++ if (kem == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ ciphertext->data = gnutls_malloc(kem->length_ciphertext); ++ if (ciphertext->data == NULL) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ ciphertext->size = kem->length_ciphertext; ++ ++ shared_secret->data = gnutls_malloc(kem->length_shared_secret); ++ if (shared_secret->data == NULL) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ shared_secret->size = kem->length_shared_secret; ++ ++ rc = GNUTLS_OQS_FUNC(OQS_KEM_encaps)( ++ kem, ciphertext->data, shared_secret->data, pub->data); ++ if (rc != OQS_SUCCESS) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ goto cleanup; ++ } ++ ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = 0; ++ } break; ++#endif ++ default: ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM); ++ goto cleanup; ++ } ++ ++cleanup: ++ if (ret < 0) { ++ gnutls_free(ciphertext->data); ++ gnutls_free(shared_secret->data); ++ } ++ return ret; ++} ++ ++static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo, ++ gnutls_datum_t *shared_secret, ++ const gnutls_datum_t *ciphertext, ++ const gnutls_datum_t *priv) ++{ ++ int ret; ++ ++ switch (algo) { ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: { ++ OQS_KEM *kem = NULL; ++ OQS_STATUS rc; ++ ++ kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); ++ if (kem == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ shared_secret->data = gnutls_malloc(kem->length_shared_secret); ++ if (shared_secret->data == NULL) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ shared_secret->size = kem->length_shared_secret; ++ ++ rc = GNUTLS_OQS_FUNC(OQS_KEM_decaps)( ++ kem, shared_secret->data, ciphertext->data, priv->data); ++ if (rc != OQS_SUCCESS) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ goto cleanup; ++ } ++ ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = 0; ++ } break; ++#endif ++ default: ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM); ++ goto cleanup; ++ } ++cleanup: ++ if (ret < 0) ++ gnutls_free(shared_secret->data); ++ return ret; ++} ++ + /* This wraps nettle_rsa_encrypt so it returns ciphertext as a byte + * array instead of a mpz_t value. Returns 1 on success; 0 otherwise. + */ +@@ -2234,6 +2342,9 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) + case GNUTLS_PK_RSA_PSS: + case GNUTLS_PK_RSA_OAEP: + case GNUTLS_PK_EDDSA_ED25519: ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: ++#endif + #if ENABLE_GOST + case GNUTLS_PK_GOST_01: + case GNUTLS_PK_GOST_12_256: +@@ -2875,6 +2986,9 @@ static int pct_test(gnutls_pk_algorithm_t algo, + } + case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: ++#endif + ret = 0; + goto cleanup; + default: +@@ -3605,6 +3719,49 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + goto cleanup; + break; + } ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: { ++ OQS_KEM *kem = NULL; ++ OQS_STATUS rc; ++ ++ not_approved = true; ++ ++ kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); ++ if (kem == NULL) { ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ ++ params->raw_priv.size = kem->length_secret_key; ++ params->raw_priv.data = gnutls_malloc(params->raw_priv.size); ++ if (params->raw_priv.data == NULL) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ ++ params->raw_pub.size = kem->length_public_key; ++ params->raw_pub.data = gnutls_malloc(params->raw_pub.size); ++ if (params->raw_pub.data == NULL) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ goto cleanup; ++ } ++ ++ rc = GNUTLS_OQS_FUNC(OQS_KEM_keypair)(kem, params->raw_pub.data, ++ params->raw_priv.data); ++ if (rc != OQS_SUCCESS) { ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ goto cleanup; ++ } ++ ++ GNUTLS_OQS_FUNC(OQS_KEM_free)(kem); ++ ++ ret = 0; ++ break; ++ } ++#endif + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; +@@ -3858,6 +4015,11 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, + ret = 0; + break; + } ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: ++ ret = 0; ++ break; ++#endif + #if ENABLE_GOST + case GNUTLS_PK_GOST_01: + case GNUTLS_PK_GOST_12_256: +@@ -4307,6 +4469,8 @@ gnutls_crypto_pk_st _gnutls_pk_ops = { + .generate_keys = wrap_nettle_pk_generate_keys, + .pk_fixup_private_params = wrap_nettle_pk_fixup, + .derive = _wrap_nettle_pk_derive, ++ .encaps = _wrap_nettle_pk_encaps, ++ .decaps = _wrap_nettle_pk_decaps, + .curve_exists = _wrap_nettle_pk_curve_exists, + .pk_exists = _wrap_nettle_pk_exists, + .sign_exists = _wrap_nettle_pk_sign_exists +diff --git a/lib/pk.h b/lib/pk.h +index 20fe314f94..eca4e02d73 100644 +--- a/lib/pk.h ++++ b/lib/pk.h +@@ -46,6 +46,10 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops; + _gnutls_pk_ops.derive(algo, out, pub, priv, nonce, 0) + #define _gnutls_pk_derive_tls13(algo, out, pub, priv) \ + _gnutls_pk_ops.derive(algo, out, pub, priv, NULL, PK_DERIVE_TLS13) ++#define _gnutls_pk_encaps(algo, ciphertext, shared_secret, pub) \ ++ _gnutls_pk_ops.encaps(algo, ciphertext, shared_secret, pub) ++#define _gnutls_pk_decaps(algo, shared_secret, ciphertext, priv) \ ++ _gnutls_pk_ops.decaps(algo, shared_secret, ciphertext, priv) + #define _gnutls_pk_generate_keys(algo, bits, params, temporal) \ + _gnutls_pk_ops.generate_keys(algo, bits, params, temporal) + #define _gnutls_pk_generate_params(algo, bits, priv) \ +diff --git a/lib/state.c b/lib/state.c +index ec514c0cd2..f2c74d97d0 100644 +--- a/lib/state.c ++++ b/lib/state.c +@@ -459,6 +459,7 @@ static void deinit_keys(gnutls_session_t session) + gnutls_pk_params_release(&session->key.kshare.ecdhx_params); + gnutls_pk_params_release(&session->key.kshare.ecdh_params); + gnutls_pk_params_release(&session->key.kshare.dh_params); ++ gnutls_pk_params_release(&session->key.kshare.kem_params); + + if (!vers->tls13_sem && session->key.binders[0].prf == NULL) { + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); +diff --git a/tests/Makefile.am b/tests/Makefile.am +index c674835c1f..ca76736d2e 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -600,6 +600,10 @@ ctests += win32-certopenstore + + endif + ++if ENABLE_LIBOQS ++dist_check_SCRIPTS += pqc-hybrid-kx.sh ++endif ++ + cpptests = + if ENABLE_CXX + if HAVE_CMOCKA +diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh +new file mode 100644 +index 0000000000..b9302b43b1 +--- /dev/null ++++ b/tests/pqc-hybrid-kx.sh +@@ -0,0 +1,54 @@ ++#!/bin/sh ++ ++# Copyright (C) 2022 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS. If not, see . ++ ++: ${srcdir=.} ++: ${SERV=../src/gnutls-serv${EXEEXT}} ++: ${CLI=../src/gnutls-cli${EXEEXT}} ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CLI}"; then ++ exit 77 ++fi ++ ++. "${srcdir}/scripts/common.sh" ++testdir=`create_testdir pqc-hybrid-kx` ++ ++KEY="$srcdir/../doc/credentials/x509/key-ed25519.pem" ++CERT="$srcdir/../doc/credentials/x509/cert-ed25519.pem" ++CACERT="$srcdir/../doc/credentials/x509/ca.pem" ++ ++eval "${GETPORT}" ++launch_server --echo --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509keyfile="$KEY" --x509certfile="$CERT" ++PID=$! ++wait_server ${PID} ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509cafile="$CACERT" --logfile="$testdir/cli.log" +Date: Tue, 23 Jul 2024 11:25:18 +0900 +Subject: [PATCH 1/3] dlwrap: use different macro for library soname in + generated code + +As GnuTLS opt in for manual initialization of dlopen'ed libraries, +config.h shouldn't define the SONAME macro used in the generated code. + +Signed-off-by: Daiki Ueno +--- + devel/generate-dlwrap.sh | 18 +++++++++++++----- + lib/dlwrap/brotlidec.c | 17 +++++++++-------- + lib/dlwrap/brotlienc.c | 17 +++++++++-------- + lib/dlwrap/oqs.c | 17 +++++++++-------- + lib/dlwrap/zlib.c | 17 +++++++++-------- + lib/dlwrap/zstd.c | 17 +++++++++-------- + 6 files changed, 58 insertions(+), 45 deletions(-) + +diff --git a/devel/generate-dlwrap.sh b/devel/generate-dlwrap.sh +index 3e253d9228..0394655bbf 100755 +--- a/devel/generate-dlwrap.sh ++++ b/devel/generate-dlwrap.sh +@@ -21,20 +21,28 @@ DST="$srcdir/lib/$DLWRAP" + + echo "Generating $DST/zlib.h" + +-"$DLWRAP" --input /usr/include/zlib.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/z.syms" --license-file "$SRC/z.license" --soname Z_LIBRARY_SONAME --prefix gnutls_zlib --header-guard GNUTLS_LIB_DLWRAP_ZLIB_H_ --include "" ++"$DLWRAP" --input /usr/include/zlib.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/z.syms" --license-file "$SRC/z.license" --soname Z_LIBRARY_SONAME_UNUSED --prefix gnutls_zlib --header-guard GNUTLS_LIB_DLWRAP_ZLIB_H_ --include "" + + echo "Generating $DST/zstd.h" + +-"$DLWRAP" --input /usr/include/zstd.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/zstd.syms" --license-file "$SRC/zstd.license" --soname ZSTD_LIBRARY_SONAME --prefix gnutls_zstd --header-guard GNUTLS_LIB_DLWRAP_ZSTD_H_ --include "" ++"$DLWRAP" --input /usr/include/zstd.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/zstd.syms" --license-file "$SRC/zstd.license" --soname ZSTD_LIBRARY_SONAME_UNUSED --prefix gnutls_zstd --header-guard GNUTLS_LIB_DLWRAP_ZSTD_H_ --include "" + + echo "Generating $DST/brotlienc.h" + +-"$DLWRAP" --input /usr/include/brotli/encode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlienc.syms" --license-file "$SRC/brotli.license" --soname BROTLIENC_LIBRARY_SONAME --prefix gnutls_brotlienc --loader-basename brotlienc --header-guard GNUTLS_LIB_DLWRAP_BROTLIENC_H_ --include "" ++"$DLWRAP" --input /usr/include/brotli/encode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlienc.syms" --license-file "$SRC/brotli.license" --soname BROTLIENC_LIBRARY_SONAME_UNUSED --prefix gnutls_brotlienc --loader-basename brotlienc --header-guard GNUTLS_LIB_DLWRAP_BROTLIENC_H_ --include "" + + echo "Generating $DST/brotlidec.h" + +-"$DLWRAP" --input /usr/include/brotli/decode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlidec.syms" --license-file "$SRC/brotli.license" --soname BROTLIDEC_LIBRARY_SONAME --prefix gnutls_brotlidec --loader-basename brotlidec --header-guard GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ --include "" ++"$DLWRAP" --input /usr/include/brotli/decode.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/brotlidec.syms" --license-file "$SRC/brotli.license" --soname BROTLIDEC_LIBRARY_SONAME_UNUSED --prefix gnutls_brotlidec --loader-basename brotlidec --header-guard GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ --include "" + + echo "Generating $DST/oqs.h" + +-"$DLWRAP" --input /usr/include/oqs/oqs.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/oqs.syms" --license "SPDX-License-Identifier: MIT" --soname OQS_LIBRARY_SONAME --prefix gnutls_oqs --header-guard GNUTLS_LIB_DLWRAP_OQS_H_ --include "" ++"$DLWRAP" --input /usr/include/oqs/oqs.h -o "$DST" --clang-resource-dir $(clang -print-resource-dir) --symbol-file "$SRC/oqs.syms" --license "SPDX-License-Identifier: MIT" --soname OQS_LIBRARY_SONAME_UNUSED --prefix gnutls_oqs --header-guard GNUTLS_LIB_DLWRAP_OQS_H_ --include "" ++ ++sed -i '/^#include /i\ ++/* Local modification: remove this once liboqs 0.10.2 is released */\ ++#include "config.h"\ ++#if !HAVE_DECL_OQS_SHA3_SET_CALLBACKS\ ++#include "liboqs/backport/sha3_ops.h"\ ++#endif\ ++' "$DST/oqs.h" +diff --git a/lib/dlwrap/brotlidec.c b/lib/dlwrap/brotlidec.c +index 45c9b4b259..15cee63bd6 100644 +--- a/lib/dlwrap/brotlidec.c ++++ b/lib/dlwrap/brotlidec.c +@@ -18,16 +18,16 @@ + #include + #include + +-/* If BROTLIDEC_LIBRARY_SONAME is defined, dlopen handle can be automatically ++/* If BROTLIDEC_LIBRARY_SONAME_UNUSED is defined, dlopen handle can be automatically + * set; otherwise, the caller needs to call + * gnutls_brotlidec_ensure_library with soname determined at run time. + */ +-#ifdef BROTLIDEC_LIBRARY_SONAME ++#ifdef BROTLIDEC_LIBRARY_SONAME_UNUSED + + static void + ensure_library (void) + { +- if (gnutls_brotlidec_ensure_library (BROTLIDEC_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ if (gnutls_brotlidec_ensure_library (BROTLIDEC_LIBRARY_SONAME_UNUSED, RTLD_LAZY | RTLD_LOCAL) < 0) + abort (); + } + +@@ -47,11 +47,11 @@ static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; + + #endif /* !GNUTLS_BROTLIDEC_ENABLE_PTHREAD */ + +-#else /* BROTLIDEC_LIBRARY_SONAME */ ++#else /* BROTLIDEC_LIBRARY_SONAME_UNUSED */ + + #define ENSURE_LIBRARY do {} while (0) + +-#endif /* !BROTLIDEC_LIBRARY_SONAME */ ++#endif /* !BROTLIDEC_LIBRARY_SONAME_UNUSED */ + + static void *gnutls_brotlidec_dlhandle; + +@@ -147,7 +147,10 @@ void + gnutls_brotlidec_unload_library (void) + { + if (gnutls_brotlidec_dlhandle) +- dlclose (gnutls_brotlidec_dlhandle); ++ { ++ dlclose (gnutls_brotlidec_dlhandle); ++ gnutls_brotlidec_dlhandle = NULL; ++ } + + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" +@@ -160,8 +163,6 @@ gnutls_brotlidec_unload_library (void) + #undef FUNC + + #pragma GCC diagnostic pop +- +-#undef RESET_SYMBOL + } + + #else /* GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/brotlienc.c b/lib/dlwrap/brotlienc.c +index 9dd8ff37c6..1deff747e2 100644 +--- a/lib/dlwrap/brotlienc.c ++++ b/lib/dlwrap/brotlienc.c +@@ -18,16 +18,16 @@ + #include + #include + +-/* If BROTLIENC_LIBRARY_SONAME is defined, dlopen handle can be automatically ++/* If BROTLIENC_LIBRARY_SONAME_UNUSED is defined, dlopen handle can be automatically + * set; otherwise, the caller needs to call + * gnutls_brotlienc_ensure_library with soname determined at run time. + */ +-#ifdef BROTLIENC_LIBRARY_SONAME ++#ifdef BROTLIENC_LIBRARY_SONAME_UNUSED + + static void + ensure_library (void) + { +- if (gnutls_brotlienc_ensure_library (BROTLIENC_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ if (gnutls_brotlienc_ensure_library (BROTLIENC_LIBRARY_SONAME_UNUSED, RTLD_LAZY | RTLD_LOCAL) < 0) + abort (); + } + +@@ -47,11 +47,11 @@ static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; + + #endif /* !GNUTLS_BROTLIENC_ENABLE_PTHREAD */ + +-#else /* BROTLIENC_LIBRARY_SONAME */ ++#else /* BROTLIENC_LIBRARY_SONAME_UNUSED */ + + #define ENSURE_LIBRARY do {} while (0) + +-#endif /* !BROTLIENC_LIBRARY_SONAME */ ++#endif /* !BROTLIENC_LIBRARY_SONAME_UNUSED */ + + static void *gnutls_brotlienc_dlhandle; + +@@ -147,7 +147,10 @@ void + gnutls_brotlienc_unload_library (void) + { + if (gnutls_brotlienc_dlhandle) +- dlclose (gnutls_brotlienc_dlhandle); ++ { ++ dlclose (gnutls_brotlienc_dlhandle); ++ gnutls_brotlienc_dlhandle = NULL; ++ } + + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" +@@ -160,8 +163,6 @@ gnutls_brotlienc_unload_library (void) + #undef FUNC + + #pragma GCC diagnostic pop +- +-#undef RESET_SYMBOL + } + + #else /* GNUTLS_BROTLIENC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/oqs.c b/lib/dlwrap/oqs.c +index d7fcc9c80c..c05f883127 100644 +--- a/lib/dlwrap/oqs.c ++++ b/lib/dlwrap/oqs.c +@@ -18,16 +18,16 @@ + #include + #include + +-/* If OQS_LIBRARY_SONAME is defined, dlopen handle can be automatically ++/* If OQS_LIBRARY_SONAME_UNUSED is defined, dlopen handle can be automatically + * set; otherwise, the caller needs to call + * gnutls_oqs_ensure_library with soname determined at run time. + */ +-#ifdef OQS_LIBRARY_SONAME ++#ifdef OQS_LIBRARY_SONAME_UNUSED + + static void + ensure_library (void) + { +- if (gnutls_oqs_ensure_library (OQS_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ if (gnutls_oqs_ensure_library (OQS_LIBRARY_SONAME_UNUSED, RTLD_LAZY | RTLD_LOCAL) < 0) + abort (); + } + +@@ -47,11 +47,11 @@ static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; + + #endif /* !GNUTLS_OQS_ENABLE_PTHREAD */ + +-#else /* OQS_LIBRARY_SONAME */ ++#else /* OQS_LIBRARY_SONAME_UNUSED */ + + #define ENSURE_LIBRARY do {} while (0) + +-#endif /* !OQS_LIBRARY_SONAME */ ++#endif /* !OQS_LIBRARY_SONAME_UNUSED */ + + static void *gnutls_oqs_dlhandle; + +@@ -147,7 +147,10 @@ void + gnutls_oqs_unload_library (void) + { + if (gnutls_oqs_dlhandle) +- dlclose (gnutls_oqs_dlhandle); ++ { ++ dlclose (gnutls_oqs_dlhandle); ++ gnutls_oqs_dlhandle = NULL; ++ } + + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" +@@ -160,8 +163,6 @@ gnutls_oqs_unload_library (void) + #undef FUNC + + #pragma GCC diagnostic pop +- +-#undef RESET_SYMBOL + } + + #else /* GNUTLS_OQS_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zlib.c b/lib/dlwrap/zlib.c +index 455485c63f..878070c0a4 100644 +--- a/lib/dlwrap/zlib.c ++++ b/lib/dlwrap/zlib.c +@@ -18,16 +18,16 @@ + #include + #include + +-/* If Z_LIBRARY_SONAME is defined, dlopen handle can be automatically ++/* If Z_LIBRARY_SONAME_UNUSED is defined, dlopen handle can be automatically + * set; otherwise, the caller needs to call + * gnutls_zlib_ensure_library with soname determined at run time. + */ +-#ifdef Z_LIBRARY_SONAME ++#ifdef Z_LIBRARY_SONAME_UNUSED + + static void + ensure_library (void) + { +- if (gnutls_zlib_ensure_library (Z_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ if (gnutls_zlib_ensure_library (Z_LIBRARY_SONAME_UNUSED, RTLD_LAZY | RTLD_LOCAL) < 0) + abort (); + } + +@@ -47,11 +47,11 @@ static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; + + #endif /* !GNUTLS_ZLIB_ENABLE_PTHREAD */ + +-#else /* Z_LIBRARY_SONAME */ ++#else /* Z_LIBRARY_SONAME_UNUSED */ + + #define ENSURE_LIBRARY do {} while (0) + +-#endif /* !Z_LIBRARY_SONAME */ ++#endif /* !Z_LIBRARY_SONAME_UNUSED */ + + static void *gnutls_zlib_dlhandle; + +@@ -147,7 +147,10 @@ void + gnutls_zlib_unload_library (void) + { + if (gnutls_zlib_dlhandle) +- dlclose (gnutls_zlib_dlhandle); ++ { ++ dlclose (gnutls_zlib_dlhandle); ++ gnutls_zlib_dlhandle = NULL; ++ } + + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" +@@ -160,8 +163,6 @@ gnutls_zlib_unload_library (void) + #undef FUNC + + #pragma GCC diagnostic pop +- +-#undef RESET_SYMBOL + } + + #else /* GNUTLS_ZLIB_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zstd.c b/lib/dlwrap/zstd.c +index 2ea7252975..532c80b610 100644 +--- a/lib/dlwrap/zstd.c ++++ b/lib/dlwrap/zstd.c +@@ -18,16 +18,16 @@ + #include + #include + +-/* If ZSTD_LIBRARY_SONAME is defined, dlopen handle can be automatically ++/* If ZSTD_LIBRARY_SONAME_UNUSED is defined, dlopen handle can be automatically + * set; otherwise, the caller needs to call + * gnutls_zstd_ensure_library with soname determined at run time. + */ +-#ifdef ZSTD_LIBRARY_SONAME ++#ifdef ZSTD_LIBRARY_SONAME_UNUSED + + static void + ensure_library (void) + { +- if (gnutls_zstd_ensure_library (ZSTD_LIBRARY_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0) ++ if (gnutls_zstd_ensure_library (ZSTD_LIBRARY_SONAME_UNUSED, RTLD_LAZY | RTLD_LOCAL) < 0) + abort (); + } + +@@ -47,11 +47,11 @@ static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT; + + #endif /* !GNUTLS_ZSTD_ENABLE_PTHREAD */ + +-#else /* ZSTD_LIBRARY_SONAME */ ++#else /* ZSTD_LIBRARY_SONAME_UNUSED */ + + #define ENSURE_LIBRARY do {} while (0) + +-#endif /* !ZSTD_LIBRARY_SONAME */ ++#endif /* !ZSTD_LIBRARY_SONAME_UNUSED */ + + static void *gnutls_zstd_dlhandle; + +@@ -147,7 +147,10 @@ void + gnutls_zstd_unload_library (void) + { + if (gnutls_zstd_dlhandle) +- dlclose (gnutls_zstd_dlhandle); ++ { ++ dlclose (gnutls_zstd_dlhandle); ++ gnutls_zstd_dlhandle = NULL; ++ } + + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" +@@ -160,8 +163,6 @@ gnutls_zstd_unload_library (void) + #undef FUNC + + #pragma GCC diagnostic pop +- +-#undef RESET_SYMBOL + } + + #else /* GNUTLS_ZSTD_ENABLE_DLOPEN */ +-- +2.45.2 + + +From ec65c64e6c904d5a408e2afb31ecacc2b52ed7dc Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 23 Jul 2024 15:12:11 +0900 +Subject: [PATCH 2/3] liboqs: manually load liboqs.so at startup + +Signed-off-by: Daiki Ueno +--- + lib/global.c | 6 +++++- + lib/liboqs/liboqs.c | 21 ++++++++++++++++++++- + lib/liboqs/liboqs.h | 2 +- + 3 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/lib/global.c b/lib/global.c +index ae2f7f54dc..4aaf79a768 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -330,7 +330,11 @@ static int _gnutls_global_init(unsigned constructor) + } + + #ifdef HAVE_LIBOQS +- _gnutls_liboqs_init(); ++ ret = _gnutls_liboqs_init(); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto out; ++ } + #endif + + #ifndef _WIN32 +diff --git a/lib/liboqs/liboqs.c b/lib/liboqs/liboqs.c +index 88f2369719..c5531d4796 100644 +--- a/lib/liboqs/liboqs.c ++++ b/lib/liboqs/liboqs.c +@@ -22,15 +22,33 @@ + + #include "liboqs/liboqs.h" + ++#ifdef _WIN32 ++#define RTLD_NOW 0 ++#define RTLD_GLOBAL 0 ++#else ++#include ++#endif ++ ++#ifndef OQS_LIBRARY_SONAME ++#define OQS_LIBRARY_SONAME "none" ++#endif ++ ++#include "errors.h" ++ + #include "dlwrap/oqs.h" + #include "liboqs/rand.h" + #include "liboqs/sha3.h" + +-void _gnutls_liboqs_init(void) ++int _gnutls_liboqs_init(void) + { ++ if (gnutls_oqs_ensure_library(OQS_LIBRARY_SONAME, ++ RTLD_NOW | RTLD_GLOBAL) < 0) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ + _gnutls_liboqs_sha3_init(); + GNUTLS_OQS_FUNC(OQS_init)(); + _gnutls_liboqs_rand_init(); ++ return 0; + } + + void _gnutls_liboqs_deinit(void) +@@ -38,4 +56,5 @@ void _gnutls_liboqs_deinit(void) + _gnutls_liboqs_rand_deinit(); + _gnutls_liboqs_sha3_deinit(); + GNUTLS_OQS_FUNC(OQS_destroy)(); ++ gnutls_oqs_unload_library(); + } +diff --git a/lib/liboqs/liboqs.h b/lib/liboqs/liboqs.h +index b6c1659212..50206fa77c 100644 +--- a/lib/liboqs/liboqs.h ++++ b/lib/liboqs/liboqs.h +@@ -21,7 +21,7 @@ + #ifndef GNUTLS_LIB_LIBOQS_LIBOQS_H + #define GNUTLS_LIB_LIBOQS_LIBOQS_H + +-void _gnutls_liboqs_init(void); ++int _gnutls_liboqs_init(void); + void _gnutls_liboqs_deinit(void); + + #endif /* GNUTLS_LIB_LIBOQS_LIBOQS_H */ +-- +2.45.2 + + +From ecc41197f2233494d066114e2747b17b24d24543 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 23 Jul 2024 09:50:04 +0900 +Subject: [PATCH 3/3] tests: pqc-hybrid-kx: use key and certificate in + distribution + +The Ed25519 key and certificate in doc/credentials/x509/ are currently +not included in the distribution. Use the ECDSA ones in the test to +make the test work. + +Signed-off-by: Daiki Ueno +--- + tests/pqc-hybrid-kx.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh +index b9302b43b1..b587587bd2 100644 +--- a/tests/pqc-hybrid-kx.sh ++++ b/tests/pqc-hybrid-kx.sh +@@ -34,8 +34,8 @@ fi + . "${srcdir}/scripts/common.sh" + testdir=`create_testdir pqc-hybrid-kx` + +-KEY="$srcdir/../doc/credentials/x509/key-ed25519.pem" +-CERT="$srcdir/../doc/credentials/x509/cert-ed25519.pem" ++KEY="$srcdir/../doc/credentials/x509/key-ecc.pem" ++CERT="$srcdir/../doc/credentials/x509/cert-ecc.pem" + CACERT="$srcdir/../doc/credentials/x509/ca.pem" + + eval "${GETPORT}" +@@ -43,12 +43,12 @@ launch_server --echo --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509k + PID=$! + wait_server ${PID} + +-${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509cafile="$CACERT" --logfile="$testdir/cli.log" +Date: Tue, 23 Jul 2024 20:48:26 +0900 +Subject: [PATCH] liboqs: defer loading of liboqs at run-time + +Instead of loading liboqs at startup, this defers it until the liboqs +functions are actually used. + +Signed-off-by: Daiki Ueno +--- + lib/dlwrap/brotlidec.c | 24 ++++++++++++++++++---- + lib/dlwrap/brotlidec.h | 7 +++++++ + lib/dlwrap/brotlienc.c | 24 ++++++++++++++++++---- + lib/dlwrap/brotlienc.h | 7 +++++++ + lib/dlwrap/oqs.c | 24 ++++++++++++++++++---- + lib/dlwrap/oqs.h | 7 +++++++ + lib/dlwrap/zlib.c | 24 ++++++++++++++++++---- + lib/dlwrap/zlib.h | 7 +++++++ + lib/dlwrap/zstd.c | 24 ++++++++++++++++++---- + lib/dlwrap/zstd.h | 7 +++++++ + lib/global.c | 8 -------- + lib/liboqs/liboqs.c | 46 +++++++++++++++++++++++++++++++++++------- + lib/liboqs/liboqs.h | 2 +- + lib/nettle/pk.c | 33 ++++++++++++++++++++++++------ + 14 files changed, 202 insertions(+), 42 deletions(-) + +diff --git a/lib/dlwrap/brotlidec.c b/lib/dlwrap/brotlidec.c +index 15cee63bd6..7e4546a8e7 100644 +--- a/lib/dlwrap/brotlidec.c ++++ b/lib/dlwrap/brotlidec.c +@@ -128,10 +128,13 @@ gnutls_brotlidec_ensure_library (const char *soname, int flags) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" + +-#define FUNC(ret, name, args, cargs) \ +- err = ENSURE_SYMBOL(name); \ +- if (err < 0) \ +- return err; ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ { \ ++ gnutls_brotlidec_dlhandle = NULL; \ ++ return err; \ ++ } + #define VOID_FUNC FUNC + #include "brotlidecfuncs.h" + #undef VOID_FUNC +@@ -165,6 +168,12 @@ gnutls_brotlidec_unload_library (void) + #pragma GCC diagnostic pop + } + ++unsigned ++gnutls_brotlidec_is_usable (void) ++{ ++ return gnutls_brotlidec_dlhandle != NULL; ++} ++ + #else /* GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ + + int +@@ -180,4 +189,11 @@ gnutls_brotlidec_unload_library (void) + { + } + ++unsigned ++gnutls_brotlidec_is_usable (void) ++{ ++ /* The library is linked at build time, thus always usable */ ++ return 1; ++} ++ + #endif /* !GNUTLS_BROTLIDEC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/brotlidec.h b/lib/dlwrap/brotlidec.h +index 31397f24cf..f7d97eed35 100644 +--- a/lib/dlwrap/brotlidec.h ++++ b/lib/dlwrap/brotlidec.h +@@ -44,4 +44,11 @@ int gnutls_brotlidec_ensure_library (const char *soname, int flags); + */ + void gnutls_brotlidec_unload_library (void); + ++/* Return 1 if the library is loaded and usable. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++unsigned gnutls_brotlidec_is_usable (void); ++ + #endif /* GNUTLS_LIB_DLWRAP_BROTLIDEC_H_ */ +diff --git a/lib/dlwrap/brotlienc.c b/lib/dlwrap/brotlienc.c +index 1deff747e2..fae13ed313 100644 +--- a/lib/dlwrap/brotlienc.c ++++ b/lib/dlwrap/brotlienc.c +@@ -128,10 +128,13 @@ gnutls_brotlienc_ensure_library (const char *soname, int flags) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" + +-#define FUNC(ret, name, args, cargs) \ +- err = ENSURE_SYMBOL(name); \ +- if (err < 0) \ +- return err; ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ { \ ++ gnutls_brotlienc_dlhandle = NULL; \ ++ return err; \ ++ } + #define VOID_FUNC FUNC + #include "brotliencfuncs.h" + #undef VOID_FUNC +@@ -165,6 +168,12 @@ gnutls_brotlienc_unload_library (void) + #pragma GCC diagnostic pop + } + ++unsigned ++gnutls_brotlienc_is_usable (void) ++{ ++ return gnutls_brotlienc_dlhandle != NULL; ++} ++ + #else /* GNUTLS_BROTLIENC_ENABLE_DLOPEN */ + + int +@@ -180,4 +189,11 @@ gnutls_brotlienc_unload_library (void) + { + } + ++unsigned ++gnutls_brotlienc_is_usable (void) ++{ ++ /* The library is linked at build time, thus always usable */ ++ return 1; ++} ++ + #endif /* !GNUTLS_BROTLIENC_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/brotlienc.h b/lib/dlwrap/brotlienc.h +index ed1af45e04..4dfbf3b838 100644 +--- a/lib/dlwrap/brotlienc.h ++++ b/lib/dlwrap/brotlienc.h +@@ -44,4 +44,11 @@ int gnutls_brotlienc_ensure_library (const char *soname, int flags); + */ + void gnutls_brotlienc_unload_library (void); + ++/* Return 1 if the library is loaded and usable. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++unsigned gnutls_brotlienc_is_usable (void); ++ + #endif /* GNUTLS_LIB_DLWRAP_BROTLIENC_H_ */ +diff --git a/lib/dlwrap/oqs.c b/lib/dlwrap/oqs.c +index c05f883127..f9ae269faa 100644 +--- a/lib/dlwrap/oqs.c ++++ b/lib/dlwrap/oqs.c +@@ -128,10 +128,13 @@ gnutls_oqs_ensure_library (const char *soname, int flags) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" + +-#define FUNC(ret, name, args, cargs) \ +- err = ENSURE_SYMBOL(name); \ +- if (err < 0) \ +- return err; ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ { \ ++ gnutls_oqs_dlhandle = NULL; \ ++ return err; \ ++ } + #define VOID_FUNC FUNC + #include "oqsfuncs.h" + #undef VOID_FUNC +@@ -165,6 +168,12 @@ gnutls_oqs_unload_library (void) + #pragma GCC diagnostic pop + } + ++unsigned ++gnutls_oqs_is_usable (void) ++{ ++ return gnutls_oqs_dlhandle != NULL; ++} ++ + #else /* GNUTLS_OQS_ENABLE_DLOPEN */ + + int +@@ -180,4 +189,11 @@ gnutls_oqs_unload_library (void) + { + } + ++unsigned ++gnutls_oqs_is_usable (void) ++{ ++ /* The library is linked at build time, thus always usable */ ++ return 1; ++} ++ + #endif /* !GNUTLS_OQS_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/oqs.h b/lib/dlwrap/oqs.h +index 6a1d8e0766..1cf5d015a5 100644 +--- a/lib/dlwrap/oqs.h ++++ b/lib/dlwrap/oqs.h +@@ -50,4 +50,11 @@ int gnutls_oqs_ensure_library (const char *soname, int flags); + */ + void gnutls_oqs_unload_library (void); + ++/* Return 1 if the library is loaded and usable. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++unsigned gnutls_oqs_is_usable (void); ++ + #endif /* GNUTLS_LIB_DLWRAP_OQS_H_ */ +diff --git a/lib/dlwrap/zlib.c b/lib/dlwrap/zlib.c +index 878070c0a4..19851513a9 100644 +--- a/lib/dlwrap/zlib.c ++++ b/lib/dlwrap/zlib.c +@@ -128,10 +128,13 @@ gnutls_zlib_ensure_library (const char *soname, int flags) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" + +-#define FUNC(ret, name, args, cargs) \ +- err = ENSURE_SYMBOL(name); \ +- if (err < 0) \ +- return err; ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ { \ ++ gnutls_zlib_dlhandle = NULL; \ ++ return err; \ ++ } + #define VOID_FUNC FUNC + #include "zlibfuncs.h" + #undef VOID_FUNC +@@ -165,6 +168,12 @@ gnutls_zlib_unload_library (void) + #pragma GCC diagnostic pop + } + ++unsigned ++gnutls_zlib_is_usable (void) ++{ ++ return gnutls_zlib_dlhandle != NULL; ++} ++ + #else /* GNUTLS_ZLIB_ENABLE_DLOPEN */ + + int +@@ -180,4 +189,11 @@ gnutls_zlib_unload_library (void) + { + } + ++unsigned ++gnutls_zlib_is_usable (void) ++{ ++ /* The library is linked at build time, thus always usable */ ++ return 1; ++} ++ + #endif /* !GNUTLS_ZLIB_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zlib.h b/lib/dlwrap/zlib.h +index a9666d27f5..0d7113febf 100644 +--- a/lib/dlwrap/zlib.h ++++ b/lib/dlwrap/zlib.h +@@ -44,4 +44,11 @@ int gnutls_zlib_ensure_library (const char *soname, int flags); + */ + void gnutls_zlib_unload_library (void); + ++/* Return 1 if the library is loaded and usable. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++unsigned gnutls_zlib_is_usable (void); ++ + #endif /* GNUTLS_LIB_DLWRAP_ZLIB_H_ */ +diff --git a/lib/dlwrap/zstd.c b/lib/dlwrap/zstd.c +index 532c80b610..bd5153e464 100644 +--- a/lib/dlwrap/zstd.c ++++ b/lib/dlwrap/zstd.c +@@ -128,10 +128,13 @@ gnutls_zstd_ensure_library (const char *soname, int flags) + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wunused-macros" + +-#define FUNC(ret, name, args, cargs) \ +- err = ENSURE_SYMBOL(name); \ +- if (err < 0) \ +- return err; ++#define FUNC(ret, name, args, cargs) \ ++ err = ENSURE_SYMBOL(name); \ ++ if (err < 0) \ ++ { \ ++ gnutls_zstd_dlhandle = NULL; \ ++ return err; \ ++ } + #define VOID_FUNC FUNC + #include "zstdfuncs.h" + #undef VOID_FUNC +@@ -165,6 +168,12 @@ gnutls_zstd_unload_library (void) + #pragma GCC diagnostic pop + } + ++unsigned ++gnutls_zstd_is_usable (void) ++{ ++ return gnutls_zstd_dlhandle != NULL; ++} ++ + #else /* GNUTLS_ZSTD_ENABLE_DLOPEN */ + + int +@@ -180,4 +189,11 @@ gnutls_zstd_unload_library (void) + { + } + ++unsigned ++gnutls_zstd_is_usable (void) ++{ ++ /* The library is linked at build time, thus always usable */ ++ return 1; ++} ++ + #endif /* !GNUTLS_ZSTD_ENABLE_DLOPEN */ +diff --git a/lib/dlwrap/zstd.h b/lib/dlwrap/zstd.h +index 80ac2fbd46..4a68a45e37 100644 +--- a/lib/dlwrap/zstd.h ++++ b/lib/dlwrap/zstd.h +@@ -44,4 +44,11 @@ int gnutls_zstd_ensure_library (const char *soname, int flags); + */ + void gnutls_zstd_unload_library (void); + ++/* Return 1 if the library is loaded and usable. ++ * ++ * Note that this function is NOT thread-safe; when calling it from ++ * multi-threaded programs, protect it with a locking mechanism. ++ */ ++unsigned gnutls_zstd_is_usable (void); ++ + #endif /* GNUTLS_LIB_DLWRAP_ZSTD_H_ */ +diff --git a/lib/global.c b/lib/global.c +index 4aaf79a768..42d90ee9d5 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -329,14 +329,6 @@ static int _gnutls_global_init(unsigned constructor) + goto out; + } + +-#ifdef HAVE_LIBOQS +- ret = _gnutls_liboqs_init(); +- if (ret < 0) { +- gnutls_assert(); +- goto out; +- } +-#endif +- + #ifndef _WIN32 + ret = _gnutls_register_fork_handler(); + if (ret < 0) { +diff --git a/lib/liboqs/liboqs.c b/lib/liboqs/liboqs.c +index c5531d4796..3c0df56644 100644 +--- a/lib/liboqs/liboqs.c ++++ b/lib/liboqs/liboqs.c +@@ -34,27 +34,59 @@ + #endif + + #include "errors.h" ++#include "locks.h" + + #include "dlwrap/oqs.h" + #include "liboqs/rand.h" + #include "liboqs/sha3.h" + +-int _gnutls_liboqs_init(void) ++/* We can't use GNUTLS_ONCE here, as it wouldn't allow manual unloading */ ++GNUTLS_STATIC_MUTEX(liboqs_init_mutex); ++static int _liboqs_init = 0; ++ ++int _gnutls_liboqs_ensure(void) + { ++ int ret; ++ ++ if (_liboqs_init) ++ return GNUTLS_E_SUCCESS; ++ ++ ret = gnutls_static_mutex_lock(&liboqs_init_mutex); ++ if (unlikely(ret < 0)) ++ return gnutls_assert_val(ret); ++ + if (gnutls_oqs_ensure_library(OQS_LIBRARY_SONAME, +- RTLD_NOW | RTLD_GLOBAL) < 0) +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ RTLD_NOW | RTLD_GLOBAL) < 0) { ++ _gnutls_debug_log( ++ "liboqs: unable to initialize liboqs functions\n"); ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto out; ++ } + + _gnutls_liboqs_sha3_init(); + GNUTLS_OQS_FUNC(OQS_init)(); + _gnutls_liboqs_rand_init(); +- return 0; ++ ++ _liboqs_init = 1; ++ ret = GNUTLS_E_SUCCESS; ++ ++out: ++ (void)gnutls_static_mutex_unlock(&liboqs_init_mutex); ++ ++ return ret; + } + ++/* This is not thread-safe: call this function only from ++ * gnutls_global_deinit, which has a proper protection. ++ */ + void _gnutls_liboqs_deinit(void) + { +- _gnutls_liboqs_rand_deinit(); +- _gnutls_liboqs_sha3_deinit(); +- GNUTLS_OQS_FUNC(OQS_destroy)(); ++ if (_liboqs_init) { ++ _gnutls_liboqs_rand_deinit(); ++ _gnutls_liboqs_sha3_deinit(); ++ GNUTLS_OQS_FUNC(OQS_destroy)(); ++ } ++ + gnutls_oqs_unload_library(); ++ _liboqs_init = 0; + } +diff --git a/lib/liboqs/liboqs.h b/lib/liboqs/liboqs.h +index 50206fa77c..3717454275 100644 +--- a/lib/liboqs/liboqs.h ++++ b/lib/liboqs/liboqs.h +@@ -21,7 +21,7 @@ + #ifndef GNUTLS_LIB_LIBOQS_LIBOQS_H + #define GNUTLS_LIB_LIBOQS_LIBOQS_H + +-int _gnutls_liboqs_init(void); ++int _gnutls_liboqs_ensure(void); + void _gnutls_liboqs_deinit(void); + + #endif /* GNUTLS_LIB_LIBOQS_LIBOQS_H */ +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 4155a540ed..79f7988d50 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -72,6 +72,7 @@ + #include "dh.h" + #ifdef HAVE_LIBOQS + #include "dlwrap/oqs.h" ++#include "liboqs/liboqs.h" + #endif + + static inline const struct ecc_curve *get_supported_nist_curve(int curve); +@@ -703,6 +704,9 @@ static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + ++ if (_gnutls_liboqs_ensure() < 0) ++ return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); ++ + kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); + if (kem == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +@@ -761,6 +765,9 @@ static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + ++ if (_gnutls_liboqs_ensure() < 0) ++ return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); ++ + kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); + if (kem == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +@@ -2342,9 +2349,6 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) + case GNUTLS_PK_RSA_PSS: + case GNUTLS_PK_RSA_OAEP: + case GNUTLS_PK_EDDSA_ED25519: +-#ifdef HAVE_LIBOQS +- case GNUTLS_PK_EXP_KYBER768: +-#endif + #if ENABLE_GOST + case GNUTLS_PK_GOST_01: + case GNUTLS_PK_GOST_12_256: +@@ -2353,6 +2357,10 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) + case GNUTLS_PK_ECDH_X448: + case GNUTLS_PK_EDDSA_ED448: + return 1; ++#ifdef HAVE_LIBOQS ++ case GNUTLS_PK_EXP_KYBER768: ++ return _gnutls_liboqs_ensure() == 0; ++#endif + default: + return 0; + } +@@ -2986,11 +2994,15 @@ static int pct_test(gnutls_pk_algorithm_t algo, + } + case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: ++ break; + #ifdef HAVE_LIBOQS + case GNUTLS_PK_EXP_KYBER768: ++ if (_gnutls_liboqs_ensure() < 0) { ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); ++ goto cleanup; ++ } + #endif +- ret = 0; +- goto cleanup; ++ break; + default: + ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + goto cleanup; +@@ -3724,6 +3736,13 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + ++#ifdef HAVE_LIBOQS ++ if (_gnutls_liboqs_ensure() < 0) { ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); ++ goto cleanup; ++ } ++#endif ++ + not_approved = true; + + kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); +@@ -4017,7 +4036,9 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, + } + #ifdef HAVE_LIBOQS + case GNUTLS_PK_EXP_KYBER768: +- ret = 0; ++ ret = _gnutls_liboqs_ensure(); ++ if (ret < 0) ++ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + break; + #endif + #if ENABLE_GOST +-- +2.45.2 + diff --git a/gnutls.spec b/gnutls.spec index 30a0423..9c80631 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,6 +19,7 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch Patch: gnutls-3.8.6-compression-dlwrap.patch +Patch: gnutls-3.8.6-liboqs-x25519-kyber768d00.patch %bcond_without bootstrap %bcond_without dane @@ -27,6 +28,7 @@ Patch: gnutls-3.8.6-compression-dlwrap.patch %bcond_without tpm2 %bcond_without gost %bcond_without certificate_compression +%bcond_without liboqs %bcond_without tests %if 0%{?fedora} && 0%{?fedora} < 38 @@ -64,6 +66,9 @@ BuildRequires: readline-devel, libtasn1-devel >= 4.3 %if %{with certificate_compression} BuildRequires: zlib-devel, brotli-devel, libzstd-devel %endif +%if %{with liboqs} +BuildRequires: liboqs-devel +%endif %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif @@ -337,6 +342,11 @@ pushd native_build --with-zlib --with-brotli --with-zstd \ %else --without-zlib --without-brotli --without-zstd \ +%endif +%if %{with liboqs} + --with-liboqs \ +%else + --without-liboqs \ %endif --disable-rpath \ --with-default-priority-string="@SYSTEM" From 37c03f77393aff5ee49ef9cd07a92c9b1b38491f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 26 Jul 2024 15:49:32 +0900 Subject: [PATCH 118/152] Fix configure check on nettle_rsa_oaep_* functions Signed-off-by: Daiki Ueno --- gnutls-3.8.6-nettle-rsa-oaep.patch | 27 +++++++++++++++++++++++++++ gnutls.spec | 1 + 2 files changed, 28 insertions(+) create mode 100644 gnutls-3.8.6-nettle-rsa-oaep.patch diff --git a/gnutls-3.8.6-nettle-rsa-oaep.patch b/gnutls-3.8.6-nettle-rsa-oaep.patch new file mode 100644 index 0000000..d8f0b4b --- /dev/null +++ b/gnutls-3.8.6-nettle-rsa-oaep.patch @@ -0,0 +1,27 @@ +From a9800309197fe5aef913944b2fc77164946f0689 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 23 Jul 2024 16:04:56 +0900 +Subject: [PATCH] build: link against libhogweed when checking + nettle_rsa_oaep_* + +Signed-off-by: Daiki Ueno +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fb0aefe1f4..8b55808bd7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -795,7 +795,7 @@ AM_CONDITIONAL([NEED_SIV_GCM], [test "$ac_cv_func_nettle_siv_gcm_encrypt_message + + # Check for RSA-OAEP + save_LIBS=$LIBS +-LIBS="$LIBS $NETTLE_LIBS" ++LIBS="$LIBS $HOGWEED_LIBS $NETTLE_LIBS $GMP_LIBS" + AC_CHECK_FUNCS(nettle_rsa_oaep_sha256_encrypt) + LIBS=$save_LIBS + AM_CONDITIONAL([NEED_RSA_OAEP], [test "$ac_cv_func_nettle_rsa_oaep_sha256_encrypt" != yes]) +-- +2.45.2 + diff --git a/gnutls.spec b/gnutls.spec index 9c80631..a29f3c1 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -20,6 +20,7 @@ Patch: gnutls-3.2.7-rpath.patch Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch Patch: gnutls-3.8.6-compression-dlwrap.patch Patch: gnutls-3.8.6-liboqs-x25519-kyber768d00.patch +Patch: gnutls-3.8.6-nettle-rsa-oaep.patch %bcond_without bootstrap %bcond_without dane From e8ce92f749861e6505899ae32382508c945920d6 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 29 Jul 2024 08:54:00 +0900 Subject: [PATCH 119/152] liboqs: check whether Kyber768 is compiled in Signed-off-by: Daiki Ueno --- gnutls-3.8.6-liboqs-x25519-kyber768d00.patch | 135 +++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch b/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch index bae07b7..d807f76 100644 --- a/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch +++ b/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch @@ -3109,3 +3109,138 @@ index 4155a540ed..79f7988d50 100644 -- 2.45.2 +From dfac4bb0d96507a409e3c3434c04bd8f79ac479f Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 29 Jul 2024 08:40:34 +0900 +Subject: [PATCH 1/2] liboqs: check whether Kyber768 is compiled in + +In the default build configuration of liboqs 0.10.1, Kyber768 is +disabled. This adds a guard against it and skip tests if not +available. + +Signed-off-by: Daiki Ueno +--- + devel/dlwrap/oqs.syms | 1 + + lib/dlwrap/oqsfuncs.h | 1 + + lib/nettle/pk.c | 27 ++++++++++++++++++--------- + tests/pqc-hybrid-kx.sh | 4 ++++ + 4 files changed, 24 insertions(+), 9 deletions(-) + +diff --git a/devel/dlwrap/oqs.syms b/devel/dlwrap/oqs.syms +index 8f067b2dd3..413f887598 100644 +--- a/devel/dlwrap/oqs.syms ++++ b/devel/dlwrap/oqs.syms +@@ -1,6 +1,7 @@ + OQS_SHA3_set_callbacks + OQS_init + OQS_destroy ++OQS_KEM_alg_is_enabled + OQS_KEM_new + OQS_KEM_encaps + OQS_KEM_decaps +diff --git a/lib/dlwrap/oqsfuncs.h b/lib/dlwrap/oqsfuncs.h +index 95c1b083dc..4aa0ba4ab4 100644 +--- a/lib/dlwrap/oqsfuncs.h ++++ b/lib/dlwrap/oqsfuncs.h +@@ -7,6 +7,7 @@ VOID_FUNC(void, OQS_init, (void), ()) + VOID_FUNC(void, OQS_destroy, (void), ()) + VOID_FUNC(void, OQS_SHA3_set_callbacks, (struct OQS_SHA3_callbacks *new_callbacks), (new_callbacks)) + VOID_FUNC(void, OQS_randombytes_custom_algorithm, (void (*algorithm_ptr)(uint8_t *, size_t)), (algorithm_ptr)) ++FUNC(int, OQS_KEM_alg_is_enabled, (const char *method_name), (method_name)) + FUNC(OQS_KEM *, OQS_KEM_new, (const char *method_name), (method_name)) + FUNC(OQS_STATUS, OQS_KEM_keypair, (const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key), (kem, public_key, secret_key)) + FUNC(OQS_STATUS, OQS_KEM_encaps, (const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key), (kem, ciphertext, shared_secret, public_key)) +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index eb8c44459d..8a987ed121 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -704,7 +704,9 @@ static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + +- if (_gnutls_liboqs_ensure() < 0) ++ if (_gnutls_liboqs_ensure() < 0 || ++ !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768)) + return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + + kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); +@@ -765,7 +767,9 @@ static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + +- if (_gnutls_liboqs_ensure() < 0) ++ if (_gnutls_liboqs_ensure() < 0 || ++ !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768)) + return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + + kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768); +@@ -2359,7 +2363,9 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) + return 1; + #ifdef HAVE_LIBOQS + case GNUTLS_PK_EXP_KYBER768: +- return _gnutls_liboqs_ensure() == 0; ++ return _gnutls_liboqs_ensure() == 0 && ++ GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768); + #endif + default: + return 0; +@@ -2997,7 +3003,9 @@ static int pct_test(gnutls_pk_algorithm_t algo, + break; + #ifdef HAVE_LIBOQS + case GNUTLS_PK_EXP_KYBER768: +- if (_gnutls_liboqs_ensure() < 0) { ++ if (_gnutls_liboqs_ensure() < 0 || ++ !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768)) { + ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + goto cleanup; + } +@@ -3736,12 +3744,12 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + OQS_KEM *kem = NULL; + OQS_STATUS rc; + +-#ifdef HAVE_LIBOQS +- if (_gnutls_liboqs_ensure() < 0) { ++ if (_gnutls_liboqs_ensure() < 0 || ++ !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768)) { + ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + goto cleanup; + } +-#endif + + not_approved = true; + +@@ -4038,8 +4046,9 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, + } + #ifdef HAVE_LIBOQS + case GNUTLS_PK_EXP_KYBER768: +- ret = _gnutls_liboqs_ensure(); +- if (ret < 0) ++ if (_gnutls_liboqs_ensure() < 0 || ++ !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)( ++ OQS_KEM_alg_kyber_768)) + ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); + break; + #endif +diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh +index b587587bd2..6d47105fa0 100644 +--- a/tests/pqc-hybrid-kx.sh ++++ b/tests/pqc-hybrid-kx.sh +@@ -31,6 +31,10 @@ if ! test -x "${CLI}"; then + exit 77 + fi + ++if ! "${CLI}" --list | grep '^Public Key Systems: .*Kyber768.*' >/dev/null; then ++ exit 77 ++fi ++ + . "${srcdir}/scripts/common.sh" + testdir=`create_testdir pqc-hybrid-kx` + +-- +2.45.2 + From 39c1bd20e294b5820c075b124592dfd8260d93fe Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 15 Aug 2024 16:56:19 +0900 Subject: [PATCH 120/152] Remove upstreamed patches before updating to 3.8.7 Signed-off-by: Daiki Ueno --- gnutls.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index a29f3c1..db2d993 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -18,9 +18,6 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch -Patch: gnutls-3.8.6-compression-dlwrap.patch -Patch: gnutls-3.8.6-liboqs-x25519-kyber768d00.patch -Patch: gnutls-3.8.6-nettle-rsa-oaep.patch %bcond_without bootstrap %bcond_without dane From e9fcd3123757e2a2b903928d8bf0b3cf26d35933 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 15 Aug 2024 17:04:08 +0900 Subject: [PATCH 121/152] Update to 3.8.7 upstream release - Resolves: rhbz#2305086 Upstream tag: 3.8.7 Upstream commit: 994d9392 Commit authored by Packit automation (https://packit.dev/) --- .gitignore | 4 ++++ README.packit | 2 +- gnutls.spec | 6 +++--- sources | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 8a210dd..86f1a4b 100644 --- a/.gitignore +++ b/.gitignore @@ -157,3 +157,7 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.6.tar.xz /gnutls-3.8.6.tar.xz.sig /gmp-6.2.1.tar.xz +/gnutls-3.8.7.tar.xz +/gnutls-3.8.7.tar.xz.sig +/gnutls-3.8.7.1.tar.xz +/gnutls-3.8.7.1.tar.xz.sig diff --git a/README.packit b/README.packit index 3dfd179..ced1079 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.97.3. +The file was generated using packit 0.100.0. diff --git a/gnutls.spec b/gnutls.spec index db2d993..0107983 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.6 +Version: 3.8.7 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch @@ -120,8 +120,8 @@ BuildRequires: mingw64-nettle >= 3.6 URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) -Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz -Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz.sig Source2: https://gnutls.org/gnutls-release-keyring.gpg %if %{with bundled_gmp} diff --git a/sources b/sources index cdafbdf..5fcce01 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (gnutls-3.8.6.tar.xz) = 58631c456dfb43f8cb6a1703ffa91c593a33357f37dc146e808d88692e19c7ac10aeabea40bee9952205be97e00648879e9f0fa80e670e8e695f8633ba726513 -SHA512 (gnutls-3.8.6.tar.xz.sig) = 3f9552cdf5fa96184fbe394dd484fb55e6a3577d1e048aea373b82cda335ea0f174f2fb11926dc58532c1f950cd10a6a35bc36e9fe813a1259eae5c5364920b2 +SHA512 (gnutls-3.8.7.1.tar.xz) = 429cea78e227d838105791b28a18270c3d2418bfb951c322771e6323d5f712204d63d66a6606ce9604a92d236a8dd07d651232c717264472d27eb6de26ddc733 +SHA512 (gnutls-3.8.7.1.tar.xz.sig) = 53ebdaa9775ae22f7eb5e7d6f5411ec667c9c880cea84e23651b6d1994fb1398c09d8efa39b21c96f8be29fa09c2436bdd732a061308956ca1650e3e1878ed57 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 From 7d85f316547ff2c84f6458f4a146600f7edb7e76 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 16 Aug 2024 10:52:52 +0900 Subject: [PATCH 122/152] Stop pulling in compression libraries through gnutls.pc Signed-off-by: Daiki Ueno --- gnutls-3.8.7-pkgconf-dlopen.patch | 135 ++++++++++++++++++++++++++++++ gnutls.spec | 3 + 2 files changed, 138 insertions(+) create mode 100644 gnutls-3.8.7-pkgconf-dlopen.patch diff --git a/gnutls-3.8.7-pkgconf-dlopen.patch b/gnutls-3.8.7-pkgconf-dlopen.patch new file mode 100644 index 0000000..4c5b4d4 --- /dev/null +++ b/gnutls-3.8.7-pkgconf-dlopen.patch @@ -0,0 +1,135 @@ +From 292f96f26d7ce80e4a165c903c4fd569b85c1c1f Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2024 09:42:15 +0900 +Subject: [PATCH 1/2] build: fix setting AM_CONDITIONAL for brotli and zstd + +As the with_{libbrotli,libzsttd} variables are unset if configured +with --without-{brotli,zstd}, check the unequality to "no" doesn't +work; use explicit matching with "yes" instead. + +Signed-off-by: Daiki Ueno +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 95ec4c1515..a476176800 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1158,7 +1158,7 @@ if test x$ac_brotli != xno; then + else + AC_MSG_RESULT(no) + fi +-AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" != "no" && test "$with_libbrotlidec" != "no") ++AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes) + + AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + save_CFLAGS=$CFLAGS +@@ -1203,7 +1203,7 @@ if test x$ac_zstd != xno; then + else + AC_MSG_RESULT(no) + fi +-AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" != "no") ++AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" = yes) + + AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + save_CFLAGS=$CFLAGS +-- +2.46.0 + + +From 546153198d2fb8fc4902f23de6254bb7988de534 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 16 Aug 2024 09:48:31 +0900 +Subject: [PATCH 2/2] build: don't emit Requires.private for dlopened libraries + +Signed-off-by: Daiki Ueno +--- + configure.ac | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index a476176800..f3e7a3aeae 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1100,11 +1100,6 @@ if test x$ac_zlib != xno; then + PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) + if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then + PKG_CHECK_MODULES(ZLIB, [zlib]) +- if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then +- GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" +- else +- GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" +- fi + ac_zlib=yes + else + AC_LIB_HAVE_LINKFLAGS(z,, [#include ], [compress (0, 0, 0, 0);]) +@@ -1134,6 +1129,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + compress (0, 0, 0, 0);])]) + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" ++], ++ [test "$ZLIB_HAS_PKGCONFIG" = y && test "$ac_zlib" = yes], [ ++ if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then ++ GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" ++ else ++ GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" ++ fi + ]) + + AC_ARG_WITH(brotli, +@@ -1146,11 +1148,6 @@ if test x$ac_brotli != xno; then + PKG_CHECK_MODULES(LIBBROTLIDEC, [libbrotlidec >= 1.0.0], [with_libbrotlidec=yes], [with_libbrotlidec=no]) + if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then + AC_DEFINE([HAVE_LIBBROTLI], 1, [Define if BROTLI compression is enabled.]) +- if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then +- GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec" +- else +- GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec" +- fi + need_ltlibdl=yes + else + AC_MSG_WARN(*** LIBBROTLI was not found. You will not be able to use BROTLI compression.) +@@ -1180,6 +1177,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + BrotliDecoderVersion();])]) + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" ++], ++ [test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes], [ ++ if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then ++ GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec" ++ else ++ GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec" ++ fi + ]) + + AC_ARG_WITH(zstd, +@@ -1191,11 +1195,6 @@ if test x$ac_zstd != xno; then + PKG_CHECK_MODULES(LIBZSTD, [libzstd >= 1.3.0], [with_libzstd=yes], [with_libzstd=no]) + if test "${with_libzstd}" = "yes"; then + AC_DEFINE([HAVE_LIBZSTD], 1, [Define if ZSTD compression is enabled.]) +- if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then +- GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd" +- else +- GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd" +- fi + need_ltlibdl=yes + else + AC_MSG_WARN(*** LIBZSTD was not found. You will not be able to use ZSTD compression.) +@@ -1215,6 +1214,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ + ZSTD_versionNumber();])]) + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" ++], ++ [test "$with_libzstd" = yes], [ ++ if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then ++ GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd" ++ else ++ GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd" ++ fi + ]) + + AC_ARG_WITH(liboqs, +-- +2.46.0 + diff --git a/gnutls.spec b/gnutls.spec index 0107983..41c271c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,6 +19,9 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +# https://gitlab.com/gnutls/gnutls/-/merge_requests/1867 +Patch: gnutls-3.8.7-pkgconf-dlopen.patch + %bcond_without bootstrap %bcond_without dane %bcond_without fips From 9ca47ed49e4e6af30b6b2dd9ee8ece43e009dcd5 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 12 Sep 2024 22:02:10 +0100 Subject: [PATCH 123/152] Remove mingw-p11-kit dependency (RHBZ#2312031) --- gnutls.spec | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 41c271c..d3d504e 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -109,7 +109,6 @@ BuildRequires: mingw32-gcc-c++ BuildRequires: mingw32-libtasn1 >= 4.3 BuildRequires: mingw32-readline BuildRequires: mingw32-zlib -BuildRequires: mingw32-p11-kit >= 0.23.1 BuildRequires: mingw32-nettle >= 3.6 BuildRequires: mingw64-filesystem >= 95 BuildRequires: mingw64-gcc @@ -117,7 +116,6 @@ BuildRequires: mingw64-gcc-c++ BuildRequires: mingw64-libtasn1 >= 4.3 BuildRequires: mingw64-readline BuildRequires: mingw64-zlib -BuildRequires: mingw64-p11-kit >= 0.23.1 BuildRequires: mingw64-nettle >= 3.6 %endif @@ -375,7 +373,8 @@ export CCASFLAGS="" --without-tpm \ --with-included-unistring \ --disable-doc \ - --with-default-priority-string="@SYSTEM" + --with-default-priority-string="@SYSTEM" \ + --without-p11-kit %mingw_make %{?_smp_mflags} %endif From 760d4e32b2c756d77773a90daee6971f70ef2cb7 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 13 Sep 2024 08:34:18 +0100 Subject: [PATCH 124/152] Remove mingw p11tool.exe Without mingw-p11-kit we don't build this. --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index d3d504e..289e884 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -518,7 +518,7 @@ popd %{mingw32_bindir}/gnutls-serv.exe %{mingw32_bindir}/libgnutls-30.dll %{mingw32_bindir}/ocsptool.exe -%{mingw32_bindir}/p11tool.exe +#%%{mingw32_bindir}/p11tool.exe %{mingw32_bindir}/psktool.exe %if %{with srp} %{mingw32_bindir}/srptool.exe @@ -536,7 +536,7 @@ popd %{mingw64_bindir}/gnutls-serv.exe %{mingw64_bindir}/libgnutls-30.dll %{mingw64_bindir}/ocsptool.exe -%{mingw64_bindir}/p11tool.exe +#%%{mingw64_bindir}/p11tool.exe %{mingw64_bindir}/psktool.exe %if %{with srp} %{mingw64_bindir}/srptool.exe From f89c924634f3689c2ef07f93b0b9290989335dfb Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 5 Nov 2024 14:20:20 +0900 Subject: [PATCH 125/152] Remove distribution suffix before updating to 3.8.8 Signed-off-by: Daiki Ueno --- gnutls.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnutls.spec b/gnutls.spec index 289e884..b1955c0 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -121,8 +121,8 @@ BuildRequires: mingw64-nettle >= 3.6 URL: http://www.gnutls.org/ %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1) -Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz -Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz.sig +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig Source2: https://gnutls.org/gnutls-release-keyring.gpg %if %{with bundled_gmp} From a9b00cffccdf189fe8731846f6e460c53a9e8289 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 5 Nov 2024 14:50:55 +0900 Subject: [PATCH 126/152] Update downstream patches for 3.8.8 Signed-off-by: Daiki Ueno --- ....7.8-ktls_skip_tls12_chachapoly_test.patch | 25 ---- gnutls-3.8.7-pkgconf-dlopen.patch | 135 ------------------ ...8.8-tests-ktls-skip-tls12-chachapoly.patch | 29 ++++ gnutls.spec | 5 +- 4 files changed, 30 insertions(+), 164 deletions(-) delete mode 100644 gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch delete mode 100644 gnutls-3.8.7-pkgconf-dlopen.patch create mode 100644 gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch diff --git a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch b/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch deleted file mode 100644 index c3a5ace..0000000 --- a/gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 18c555b4d2461ad202996398609552b9c4ecd43b Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 22 Nov 2023 15:21:49 +0900 -Subject: [PATCH] gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch - -Signed-off-by: rpm-build ---- - tests/gnutls_ktls.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index ccbe566..049c888 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -347,7 +347,6 @@ void doit(void) - { - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); -- run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"); --- -2.41.0 - diff --git a/gnutls-3.8.7-pkgconf-dlopen.patch b/gnutls-3.8.7-pkgconf-dlopen.patch deleted file mode 100644 index 4c5b4d4..0000000 --- a/gnutls-3.8.7-pkgconf-dlopen.patch +++ /dev/null @@ -1,135 +0,0 @@ -From 292f96f26d7ce80e4a165c903c4fd569b85c1c1f Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2024 09:42:15 +0900 -Subject: [PATCH 1/2] build: fix setting AM_CONDITIONAL for brotli and zstd - -As the with_{libbrotli,libzsttd} variables are unset if configured -with --without-{brotli,zstd}, check the unequality to "no" doesn't -work; use explicit matching with "yes" instead. - -Signed-off-by: Daiki Ueno ---- - configure.ac | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 95ec4c1515..a476176800 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1158,7 +1158,7 @@ if test x$ac_brotli != xno; then - else - AC_MSG_RESULT(no) - fi --AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" != "no" && test "$with_libbrotlidec" != "no") -+AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes) - - AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ - save_CFLAGS=$CFLAGS -@@ -1203,7 +1203,7 @@ if test x$ac_zstd != xno; then - else - AC_MSG_RESULT(no) - fi --AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" != "no") -+AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" = yes) - - AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ - save_CFLAGS=$CFLAGS --- -2.46.0 - - -From 546153198d2fb8fc4902f23de6254bb7988de534 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2024 09:48:31 +0900 -Subject: [PATCH 2/2] build: don't emit Requires.private for dlopened libraries - -Signed-off-by: Daiki Ueno ---- - configure.ac | 36 +++++++++++++++++++++--------------- - 1 file changed, 21 insertions(+), 15 deletions(-) - -diff --git a/configure.ac b/configure.ac -index a476176800..f3e7a3aeae 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1100,11 +1100,6 @@ if test x$ac_zlib != xno; then - PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n) - if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then - PKG_CHECK_MODULES(ZLIB, [zlib]) -- if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then -- GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" -- else -- GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" -- fi - ac_zlib=yes - else - AC_LIB_HAVE_LINKFLAGS(z,, [#include ], [compress (0, 0, 0, 0);]) -@@ -1134,6 +1129,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ - compress (0, 0, 0, 0);])]) - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -+], -+ [test "$ZLIB_HAS_PKGCONFIG" = y && test "$ac_zlib" = yes], [ -+ if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then -+ GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib" -+ else -+ GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib" -+ fi - ]) - - AC_ARG_WITH(brotli, -@@ -1146,11 +1148,6 @@ if test x$ac_brotli != xno; then - PKG_CHECK_MODULES(LIBBROTLIDEC, [libbrotlidec >= 1.0.0], [with_libbrotlidec=yes], [with_libbrotlidec=no]) - if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then - AC_DEFINE([HAVE_LIBBROTLI], 1, [Define if BROTLI compression is enabled.]) -- if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then -- GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec" -- else -- GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec" -- fi - need_ltlibdl=yes - else - AC_MSG_WARN(*** LIBBROTLI was not found. You will not be able to use BROTLI compression.) -@@ -1180,6 +1177,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ - BrotliDecoderVersion();])]) - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -+], -+ [test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes], [ -+ if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then -+ GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec" -+ else -+ GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec" -+ fi - ]) - - AC_ARG_WITH(zstd, -@@ -1191,11 +1195,6 @@ if test x$ac_zstd != xno; then - PKG_CHECK_MODULES(LIBZSTD, [libzstd >= 1.3.0], [with_libzstd=yes], [with_libzstd=no]) - if test "${with_libzstd}" = "yes"; then - AC_DEFINE([HAVE_LIBZSTD], 1, [Define if ZSTD compression is enabled.]) -- if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then -- GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd" -- else -- GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd" -- fi - need_ltlibdl=yes - else - AC_MSG_WARN(*** LIBZSTD was not found. You will not be able to use ZSTD compression.) -@@ -1215,6 +1214,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [ - ZSTD_versionNumber();])]) - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -+], -+ [test "$with_libzstd" = yes], [ -+ if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then -+ GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd" -+ else -+ GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd" -+ fi - ]) - - AC_ARG_WITH(liboqs, --- -2.46.0 - diff --git a/gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch b/gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch new file mode 100644 index 0000000..d93dd28 --- /dev/null +++ b/gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch @@ -0,0 +1,29 @@ +From a36b73a21e4b5b6e051b23192a645dea34c9d6af Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 5 Nov 2024 14:45:46 +0900 +Subject: [PATCH] tests: skip CHACHA20-POLY1305 in TLS 1.2 when KTLS is enabled + +Signed-off-by: Daiki Ueno +--- + tests/gnutls_ktls.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index 90d3e9af91..d5ac4efecc 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -347,9 +347,11 @@ void doit(void) + { + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); ++#if 0 + if (!gnutls_fips140_mode_enabled()) { + run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); + } ++#endif + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); + if (!gnutls_fips140_mode_enabled()) { +-- +2.47.0 + diff --git a/gnutls.spec b/gnutls.spec index b1955c0..417b27b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -17,10 +17,7 @@ Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 -Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch - -# https://gitlab.com/gnutls/gnutls/-/merge_requests/1867 -Patch: gnutls-3.8.7-pkgconf-dlopen.patch +Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch %bcond_without bootstrap %bcond_without dane From db84cc7c55e66874e660346ade8db6d92ce9f8b4 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 5 Nov 2024 16:40:46 +0900 Subject: [PATCH 127/152] Fix build with latest mingw-gcc mingw{32,64}-cpp are not installed by default, and --enable-local-libopts should be unnecessary, as we have switched away from autogen. Signed-off-by: Daiki Ueno --- gnutls.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 417b27b..705c58d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -100,6 +100,7 @@ BuildRequires: unbound-devel unbound-libs BuildRequires: make gtk-doc %if %{with mingw} +BuildRequires: mingw32-cpp BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-gcc-c++ @@ -107,6 +108,7 @@ BuildRequires: mingw32-libtasn1 >= 4.3 BuildRequires: mingw32-readline BuildRequires: mingw32-zlib BuildRequires: mingw32-nettle >= 3.6 +BuildRequires: mingw64-cpp BuildRequires: mingw64-filesystem >= 95 BuildRequires: mingw64-gcc BuildRequires: mingw64-gcc-c++ @@ -365,7 +367,6 @@ export CCASFLAGS="" --disable-rpath \ --disable-nls \ --disable-cxx \ - --enable-local-libopts \ --enable-shared \ --without-tpm \ --with-included-unistring \ From abb8fe2e0b307d5ea246fd6ab699f55693947fa1 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 5 Nov 2024 14:53:27 +0900 Subject: [PATCH 128/152] Update to 3.8.8 upstream release - Resolves: rhbz#2323786 Upstream tag: 3.8.8 Upstream commit: 40267b5e Commit authored by Packit automation (https://packit.dev/) --- .gitignore | 2 ++ README.packit | 2 +- gnutls.spec | 2 +- sources | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 86f1a4b..21644a1 100644 --- a/.gitignore +++ b/.gitignore @@ -161,3 +161,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.7.tar.xz.sig /gnutls-3.8.7.1.tar.xz /gnutls-3.8.7.1.tar.xz.sig +/gnutls-3.8.8.tar.xz +/gnutls-3.8.8.tar.xz.sig diff --git a/README.packit b/README.packit index ced1079..72e3769 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.100.0. +The file was generated using packit 0.102.2. diff --git a/gnutls.spec b/gnutls.spec index 705c58d..01cb70a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.7 +Version: 3.8.8 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch diff --git a/sources b/sources index 5fcce01..a8d7df8 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (gnutls-3.8.7.1.tar.xz) = 429cea78e227d838105791b28a18270c3d2418bfb951c322771e6323d5f712204d63d66a6606ce9604a92d236a8dd07d651232c717264472d27eb6de26ddc733 -SHA512 (gnutls-3.8.7.1.tar.xz.sig) = 53ebdaa9775ae22f7eb5e7d6f5411ec667c9c880cea84e23651b6d1994fb1398c09d8efa39b21c96f8be29fa09c2436bdd732a061308956ca1650e3e1878ed57 +SHA512 (gnutls-3.8.8.tar.xz) = 4f617c63e8e8392e400d72c9e39989fcd782268b4a4c4e36bbfb0444a4b5bcb0f53054f04a6dce99ab89c0f38f57430c95aaaec6eb9209b8e9329140abf230c3 +SHA512 (gnutls-3.8.8.tar.xz.sig) = fdff792511e9e5de203a1dfd66bf521c12fb74a19de651ffa1f7359dafdd1dad59ae57d0f95fa363c4167f798e6b624b4ae1f84d4e0737ff690c2fb0e5a5bdce SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 From 8d60243b00a1bfd66bcc751a713657949aee1baf Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 23:06:20 +0000 Subject: [PATCH 129/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From c25fdb6fa9c1a08a7ef3aff73cf81d56f920cbdf Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 8 Oct 2024 20:21:45 +0900 Subject: [PATCH 130/152] Disable GOST in RHEL-9 or later Resolves: RHEL-56919 Signed-off-by: Daiki Ueno --- gnutls.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index 01cb70a..bde24a2 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -24,7 +24,11 @@ Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch %bcond_without fips %bcond_with tpm12 %bcond_without tpm2 +%if 0%{?rhel} >= 9 +%bcond_with gost +%else %bcond_without gost +%endif %bcond_without certificate_compression %bcond_without liboqs %bcond_without tests From e026bdad11c3d3879f420cf15ed0421f5fde08c9 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 22 Jan 2025 23:19:24 -0500 Subject: [PATCH 131/152] Fix ELN build The bundled gmp (for RHEL builds) needs a C23 fix for a configure test: https://src.fedoraproject.org/rpms/gmp/pull-request/8 Also, one test needs to be modified as the DEFAULT crypto policy rejects TLS ciphers with RSA key exchange in RHEL 10: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/considerations_in_adopting_rhel_10/security#security --- gmp-6.2.1-c23.patch | 13 +++++++++++++ gnutls-3.8.8-tests-rsa-default.patch | 22 ++++++++++++++++++++++ gnutls.spec | 10 ++++++++++ 3 files changed, 45 insertions(+) create mode 100644 gmp-6.2.1-c23.patch create mode 100644 gnutls-3.8.8-tests-rsa-default.patch diff --git a/gmp-6.2.1-c23.patch b/gmp-6.2.1-c23.patch new file mode 100644 index 0000000..778c62f --- /dev/null +++ b/gmp-6.2.1-c23.patch @@ -0,0 +1,13 @@ +diff --git a/acinclude.m4 b/acinclude.m4 +index 906071c..a466b7c 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -609,7 +609,7 @@ GMP_PROG_CC_WORKS_PART([$1], [long long reliability test 1], + + #if defined (__GNUC__) && ! defined (__cplusplus) + typedef unsigned long long t1;typedef t1*t2; +-void g(){} ++void g(int, t2, t1, t2, t2, int){} + void h(){} + static __inline__ t1 e(t2 rp,t2 up,int n,t1 v0) + {t1 c,x,r;int i;if(v0){c=1;for(i=1;i= 10 +Source201: gnutls-3.8.8-tests-rsa-default.patch %endif # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 @@ -262,9 +267,14 @@ mkdir -p bundled_gmp pushd bundled_gmp tar --strip-components=1 -xf %{SOURCE100} patch -p1 < %{SOURCE101} +patch -p1 < %{SOURCE102} popd %endif +%if 0%{?rhel} >= 10 +patch -p1 < %{SOURCE201} +%endif + %build %define _lto_cflags %{nil} From 6c3a0c118e8123f02f4a280c3ee773299a59f45f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 10 Feb 2025 11:04:35 +0900 Subject: [PATCH 132/152] Update to gnutls 3.8.9 release Signed-off-by: Daiki Ueno --- .gitignore | 2 ++ gnutls.spec | 8 ++++---- sources | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 21644a1..368ba7b 100644 --- a/.gitignore +++ b/.gitignore @@ -163,3 +163,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.7.1.tar.xz.sig /gnutls-3.8.8.tar.xz /gnutls-3.8.8.tar.xz.sig +/gnutls-3.8.9.tar.xz +/gnutls-3.8.9.tar.xz.sig diff --git a/gnutls.spec b/gnutls.spec index d9569a3..206028f 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.8 +Version: 3.8.9 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch @@ -479,7 +479,7 @@ popd %{_libdir}/.libgnutls.so.30*.hmac %endif %doc README.md AUTHORS NEWS THANKS -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %files c++ %{_libdir}/libgnutlsxx.so.* @@ -523,7 +523,7 @@ popd %if %{with mingw} %files -n mingw32-%{name} -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %{mingw32_bindir}/certtool.exe %{mingw32_bindir}/gnutls-cli-debug.exe %{mingw32_bindir}/gnutls-cli.exe @@ -541,7 +541,7 @@ popd %{mingw32_includedir}/gnutls/ %files -n mingw64-%{name} -%license LICENSE doc/COPYING doc/COPYING.LESSER +%license COPYING COPYING.LESSERv2 %{mingw64_bindir}/certtool.exe %{mingw64_bindir}/gnutls-cli-debug.exe %{mingw64_bindir}/gnutls-cli.exe diff --git a/sources b/sources index a8d7df8..347a95e 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (gnutls-3.8.8.tar.xz) = 4f617c63e8e8392e400d72c9e39989fcd782268b4a4c4e36bbfb0444a4b5bcb0f53054f04a6dce99ab89c0f38f57430c95aaaec6eb9209b8e9329140abf230c3 -SHA512 (gnutls-3.8.8.tar.xz.sig) = fdff792511e9e5de203a1dfd66bf521c12fb74a19de651ffa1f7359dafdd1dad59ae57d0f95fa363c4167f798e6b624b4ae1f84d4e0737ff690c2fb0e5a5bdce +SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7 +SHA512 (gnutls-3.8.9.tar.xz.sig) = 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 From 9c5597be5c890549cb445c80c6f51cdb82421b0a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 10 Feb 2025 17:53:01 +0900 Subject: [PATCH 133/152] Switch from liboqs to leancrypto Signed-off-by: Daiki Ueno --- .gitignore | 1 + gnutls.spec | 62 +++++++++++++++++++++++++++++++++++++++++++++++------ sources | 1 + 3 files changed, 57 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 368ba7b..ce0bef6 100644 --- a/.gitignore +++ b/.gitignore @@ -165,3 +165,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.8.tar.xz.sig /gnutls-3.8.9.tar.xz /gnutls-3.8.9.tar.xz.sig +/leancrypto-1.2.0.tar.gz diff --git a/gnutls.spec b/gnutls.spec index 206028f..763ee39 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -30,7 +30,7 @@ Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch %bcond_without gost %endif %bcond_without certificate_compression -%bcond_without liboqs +%bcond_without leancrypto %bcond_without tests %if 0%{?fedora} && 0%{?fedora} < 38 @@ -68,13 +68,13 @@ BuildRequires: readline-devel, libtasn1-devel >= 4.3 %if %{with certificate_compression} BuildRequires: zlib-devel, brotli-devel, libzstd-devel %endif -%if %{with liboqs} -BuildRequires: liboqs-devel -%endif %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif BuildRequires: nettle-devel >= 3.10 +%if %{with leancrypto} +BuildRequires: meson +%endif %if %{with tpm12} BuildRequires: trousers-devel >= 0.3.11.2 %endif @@ -139,6 +139,10 @@ Source102: gmp-6.2.1-c23.patch Source201: gnutls-3.8.8-tests-rsa-default.patch %endif +%if %{with leancrypto} +Source300: leancrypto-1.2.0.tar.gz +%endif + # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -278,6 +282,13 @@ patch -p1 < %{SOURCE201} %build %define _lto_cflags %{nil} +%if %{with leancrypto} +mkdir -p bundled_leancrypto +pushd bundled_leancrypto +tar --strip-components=1 -xf %{SOURCE300} +popd +%endif + %if %{with bundled_gmp} pushd bundled_gmp autoreconf -ifv @@ -289,6 +300,39 @@ export GMP_CFLAGS="-I$PWD/bundled_gmp" export GMP_LIBS="$PWD/bundled_gmp/.libs/libgmp.a" %endif +%if %{with leancrypto} +pushd bundled_leancrypto +%set_build_flags +meson setup -Dprefix="$PWD/install" -Dlibdir="$PWD/install/lib" \ + -Ddefault_library=static \ + -Dascon=disabled -Dascon_keccak=disabled \ + -Dbike_5=disabled -Dbike_3=disabled -Dbike_1=disabled \ + -Dkyber_x25519=disabled -Ddilithium_ed25519=disabled \ + -Dx509_parser=disabled -Dx509_generator=disabled \ + -Dpkcs7_parser=disabled -Dpkcs7_generator=disabled \ + -Dsha2-256=disabled \ + -Dchacha20=disabled -Dchacha20_drng=disabled \ + -Ddrbg_hash=disabled -Ddrbg_hmac=disabled \ + -Dhash_crypt=disabled \ + -Dhmac=disabled -Dhkdf=disabled \ + -Dkdf_ctr=disabled -Dkdf_fb=disabled -Dkdf_dpi=disabled \ + -Dpbkdf2=disabled \ + -Dkmac_drng=disabled -Dcshake_drng=disabled \ + -Dhotp=disabled -Dtotp=disabled \ + -Daes_block=disabled -Daes_cbc=disabled -Daes_ctr=disabled \ + -Daes_kw=disabled -Dapps=disabled \ + _build +meson compile -C _build +meson install -C _build + +popd + +export LEANCRYPTO_DIR="$PWD/bundled_leancrypto/install" + +export LEANCRYPTO_CFLAGS="-I$LEANCRYPTO_DIR/include" +export LEANCRYPTO_LIBS="$LEANCRYPTO_DIR/lib/libleancrypto.a" +%endif + %if %{with bootstrap} autoreconf -fi %endif @@ -308,6 +352,7 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" mkdir native_build pushd native_build + %global _configure ../configure %configure \ %if %{with fips} @@ -355,15 +400,18 @@ pushd native_build %else --without-zlib --without-brotli --without-zstd \ %endif -%if %{with liboqs} - --with-liboqs \ +%if %{with leancrypto} + --with-leancrypto \ %else - --without-liboqs \ + --without-leancrypto \ %endif --disable-rpath \ --with-default-priority-string="@SYSTEM" %make_build +%if %{with leancrypto} +sed -i '/^Requires.private:/s/leancrypto[ ,]*//g' lib/gnutls.pc +%endif popd %if %{with mingw} diff --git a/sources b/sources index 347a95e..5becf65 100644 --- a/sources +++ b/sources @@ -2,3 +2,4 @@ SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b368524 SHA512 (gnutls-3.8.9.tar.xz.sig) = 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 +SHA512 (leancrypto-1.2.0.tar.gz) = 0b58644e3362bd512dd2a19a291ef58ba310d688c8d7c5fb2b7b3ac48ec51122311b998786a23cafa3127f3e4c75425babbc61d287e44fe3318ce584cbc87df7 From b5e51ef2d281ecd970a5ee19a10fdb7a2e6b1691 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 14 Feb 2025 14:58:10 +0900 Subject: [PATCH 134/152] Rebuild against nettle 3.10.1 Signed-off-by: Daiki Ueno --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 763ee39..9f31750 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -71,7 +71,7 @@ BuildRequires: zlib-devel, brotli-devel, libzstd-devel %if %{with bootstrap} BuildRequires: automake, autoconf, gperf, libtool, texinfo %endif -BuildRequires: nettle-devel >= 3.10 +BuildRequires: nettle-devel >= 3.10.1 %if %{with leancrypto} BuildRequires: meson %endif From 6ea0d5328d2fea85ec19328e45143ada8228bcde Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 17 Feb 2025 10:32:20 +0900 Subject: [PATCH 135/152] Bump nettle dependency to 3.10.1 Signed-off-by: Daiki Ueno --- gnutls.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 9f31750..0f3649e 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -93,7 +93,7 @@ Requires: crypto-policies Requires: p11-kit-trust Requires: libtasn1 >= 4.3 # always bump when a nettle release is packaged -Requires: nettle >= 3.10 +Requires: nettle >= 3.10.1 %if %{with tpm12} Recommends: trousers >= 0.3.11.2 %endif From 63494651c6d5db52377755e7af9c2639c3edf1c4 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 3 Mar 2025 11:17:54 +0100 Subject: [PATCH 136/152] Rebuild GnuTLS Signed-off-by: Zoltan Fridrich From c3aaff5c62ba6e16531dbbcc9f9bdc6cbb590f29 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 30 Mar 2025 11:46:20 +0100 Subject: [PATCH 137/152] Bump for gmp build From 5bef1c86aa2acb669cd5bcb89b4e69800c2b93c6 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 2 Apr 2025 17:34:52 +0900 Subject: [PATCH 138/152] Update leancrypto to 1.3.0 Signed-off-by: Daiki Ueno --- .gitignore | 1 + gnutls.spec | 2 +- sources | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index ce0bef6..45589ae 100644 --- a/.gitignore +++ b/.gitignore @@ -166,3 +166,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.9.tar.xz /gnutls-3.8.9.tar.xz.sig /leancrypto-1.2.0.tar.gz +/leancrypto-1.3.0.tar.gz diff --git a/gnutls.spec b/gnutls.spec index 0f3649e..5131886 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -140,7 +140,7 @@ Source201: gnutls-3.8.8-tests-rsa-default.patch %endif %if %{with leancrypto} -Source300: leancrypto-1.2.0.tar.gz +Source300: leancrypto-1.3.0.tar.gz %endif # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 diff --git a/sources b/sources index 5becf65..5043ca2 100644 --- a/sources +++ b/sources @@ -2,4 +2,4 @@ SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b368524 SHA512 (gnutls-3.8.9.tar.xz.sig) = 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 -SHA512 (leancrypto-1.2.0.tar.gz) = 0b58644e3362bd512dd2a19a291ef58ba310d688c8d7c5fb2b7b3ac48ec51122311b998786a23cafa3127f3e4c75425babbc61d287e44fe3318ce584cbc87df7 +SHA512 (leancrypto-1.3.0.tar.gz) = 8e0348d09b37fd6eb770505f1e98efdbf9d6f721aa2617d1f32d42ba89709bf374eb9d06aa2266bc7d7b5c56ab3168f12925fd4ec1d2d78951080f74f4a1a085 From 25f7cc5fadff07aeab61a1f2c7a13a2dd5f6bc03 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Sun, 22 Jun 2025 15:07:25 -0400 Subject: [PATCH 139/152] Fix build on kernel 6.14+ kTLS KeyUpdate is supported as of this version, leading to the ktls_keyupdate.sh being able to pass thereon, and therefore the builder's kernel must now be checked here too. https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 --- gnutls-3.8.9-ktls-kernel-check.patch | 1310 ++++++++++++++++++++++++++ gnutls.spec | 17 +- 2 files changed, 1312 insertions(+), 15 deletions(-) create mode 100644 gnutls-3.8.9-ktls-kernel-check.patch diff --git a/gnutls-3.8.9-ktls-kernel-check.patch b/gnutls-3.8.9-ktls-kernel-check.patch new file mode 100644 index 0000000..0299beb --- /dev/null +++ b/gnutls-3.8.9-ktls-kernel-check.patch @@ -0,0 +1,1310 @@ +From 633bea37176f3fe16dd431ccb35112aa970c7db1 Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Tue, 11 Feb 2025 12:45:44 +0100 +Subject: [PATCH 1/7] kTLS: keyupdate_test improvements + +- ktls_utils.h has helper funtion to create standard sockets required + for ktls support testing. +- key_update test for kTLS is now a flavourt of the tls13/key_update + test instead of being standalone(broadens the testing cases). +- gnutls_ktls.c now uses the aformentioned ktls_utils.h + +Signed-off-by: Frantisek Krenzelok +--- + tests/Makefile.am | 16 +- + tests/gnutls_ktls.c | 60 ++----- + tests/ktls_keyupdate.c | 368 --------------------------------------- + tests/ktls_utils.h | 94 ++++++++++ + tests/tls13/key_update.c | 115 +++++++++++- + 5 files changed, 228 insertions(+), 425 deletions(-) + delete mode 100644 tests/ktls_keyupdate.c + create mode 100644 tests/ktls_utils.h + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 72926e9da4..9990ee21cc 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -517,12 +517,6 @@ if ENABLE_TPM2 + dist_check_SCRIPTS += tpm2.sh + endif + +-if ENABLE_KTLS +-indirect_tests += gnutls_ktls +-dist_check_SCRIPTS += ktls.sh +-indirect_tests += ktls_keyupdate +-dist_check_SCRIPTS += ktls_keyupdate.sh +-endif + + if !WINDOWS + +@@ -530,6 +524,16 @@ if !WINDOWS + # List of tests not available/functional under windows + # + ++if ENABLE_KTLS ++indirect_tests += gnutls_ktls ++dist_check_SCRIPTS += ktls.sh ++ ++indirect_tests += ktls_keyupdate ++ktls_keyupdate_SOURCES = tls13/key_update.c ++ktls_keyupdate_CFLAGS = -DUSE_KTLS ++dist_check_SCRIPTS += ktls_keyupdate.sh ++endif ++ + dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb + + indirect_tests += dtls-stress +diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c +index 90d3e9af91..ca576d42aa 100644 +--- a/tests/gnutls_ktls.c ++++ b/tests/gnutls_ktls.c +@@ -31,6 +31,7 @@ int main(void) + + #include "cert-common.h" + #include "utils.h" ++#include "ktls_utils.h" + + static void server_log_func(int level, const char *str) + { +@@ -94,7 +95,8 @@ static void client(int fd, const char *prio) + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret == 0) { +- success("client: Peer has closed the TLS connection\n"); ++ if (debug) ++ success("client: Peer has closed the TLS connection\n"); + goto end; + } else if (ret < 0) { + fail("client: Error: %s\n", gnutls_strerror(ret)); +@@ -116,7 +118,8 @@ static void client(int fd, const char *prio) + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret == 0) { +- success("client: Peer has closed the TLS connection\n"); ++ if (debug) ++ success("client: Peer has closed the TLS connection\n"); + goto end; + } else if (ret < 0) { + fail("client: Error: %s\n", gnutls_strerror(ret)); +@@ -277,35 +280,16 @@ static void ch_handler(int sig) + static void run(const char *prio) + { + int ret; +- struct sockaddr_in saddr; +- socklen_t addrlen; +- int listener; +- int fd; ++ int client_fd, server_fd; + + success("running ktls test with %s\n", prio); + + signal(SIGCHLD, ch_handler); + signal(SIGPIPE, SIG_IGN); + +- listener = socket(AF_INET, SOCK_STREAM, 0); +- if (listener == -1) { +- fail("error in listener(): %s\n", strerror(errno)); +- } +- +- memset(&saddr, 0, sizeof(saddr)); +- saddr.sin_family = AF_INET; +- saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); +- saddr.sin_port = 0; +- +- ret = bind(listener, (struct sockaddr *)&saddr, sizeof(saddr)); +- if (ret == -1) { +- fail("error in bind(): %s\n", strerror(errno)); +- } +- +- addrlen = sizeof(saddr); +- ret = getsockname(listener, (struct sockaddr *)&saddr, &addrlen); +- if (ret == -1) { +- fail("error in getsockname(): %s\n", strerror(errno)); ++ if ((ret = create_socket_pair(&client_fd, &server_fd))) { ++ fail("Error in socket creation: %d\n", ret); ++ exit(1); + } + + child = fork(); +@@ -315,30 +299,20 @@ static void run(const char *prio) + } + + if (child) { +- int status; + /* parent */ +- ret = listen(listener, 1); +- if (ret == -1) { +- fail("error in listen(): %s\n", strerror(errno)); +- } ++ int status; ++ close(client_fd); + +- fd = accept(listener, NULL, NULL); +- if (fd == -1) { +- fail("error in accept(): %s\n", strerror(errno)); +- } +- server(fd, prio); ++ server(server_fd, prio); + + wait(&status); + check_wait_status(status); + } else { +- fd = socket(AF_INET, SOCK_STREAM, 0); +- if (fd == -1) { +- fail("error in socket(): %s\n", strerror(errno)); +- exit(1); +- } +- usleep(1000000); +- connect(fd, (struct sockaddr *)&saddr, addrlen); +- client(fd, prio); ++ close(server_fd); ++ sleep(1); ++ ++ client(client_fd, prio); ++ + exit(0); + } + } +diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c +deleted file mode 100644 +index b439b7df21..0000000000 +--- a/tests/ktls_keyupdate.c ++++ /dev/null +@@ -1,368 +0,0 @@ +-// Copyright (C) 2022 Red Hat, Inc. +-// +-// Author: Frantisek Krenzelok +-// +-// This file is part of GnuTLS. +-// +-// GnuTLS is free software; you can redistribute it and/or modify it +-// under the terms of the GNU General Public License as published by the +-// Free Software Foundation; either version 3 of the License, or (at +-// your option) any later version. +-// +-// GnuTLS is distributed in the hope that it will be useful, but +-// WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-// General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with GnuTLS. If not, see . +- +-#ifdef HAVE_CONFIG_H +-#include "config.h" +-#endif +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include "cert-common.h" +-#include "utils.h" +- +-#if defined(_WIN32) +- +-int main(void) +-{ +- exit(77); +-} +- +-#else +- +-#define MAX_BUF 1024 +-#define MSG "Hello world!" +- +-#define HANDSHAKE(session, name, ret) \ +- { \ +- do { \ +- ret = gnutls_handshake(session); \ +- } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); \ +- if (ret < 0) { \ +- fail("%s: Handshake failed\n", name); \ +- goto end; \ +- } \ +- } +- +-#define SEND_MSG(session, name, ret) \ +- { \ +- do { \ +- ret = gnutls_record_send(session, MSG, \ +- strlen(MSG) + 1); \ +- } while (ret == GNUTLS_E_AGAIN || \ +- ret == GNUTLS_E_INTERRUPTED); \ +- if (ret < 0) { \ +- fail("%s: data sending has failed (%s)\n", name, \ +- gnutls_strerror(ret)); \ +- goto end; \ +- } \ +- } +- +-#define RECV_MSG(session, name, buffer, buffer_len, ret) \ +- { \ +- memset(buffer, 0, sizeof(buffer)); \ +- do { \ +- ret = gnutls_record_recv(session, buffer, \ +- sizeof(buffer)); \ +- } while (ret == GNUTLS_E_AGAIN || \ +- ret == GNUTLS_E_INTERRUPTED); \ +- if (ret == 0) { \ +- success("%s: Peer has closed the TLS connection\n", \ +- name); \ +- goto end; \ +- } else if (ret < 0) { \ +- fail("%s: Error -> %s\n", name, gnutls_strerror(ret)); \ +- goto end; \ +- } \ +- if (strncmp(buffer, MSG, ret)) { \ +- fail("%s: Message doesn't match\n", name); \ +- goto end; \ +- } \ +- } +- +-#define KEY_UPDATE(session, name, peer_req, ret) \ +- { \ +- do { \ +- ret = gnutls_session_key_update(session, peer_req); \ +- } while (ret == GNUTLS_E_AGAIN || \ +- ret == GNUTLS_E_INTERRUPTED); \ +- if (ret < 0) { \ +- fail("%s: key update has failed (%s)\n", name, \ +- gnutls_strerror(ret)); \ +- goto end; \ +- } \ +- } +- +-#define CHECK_KTLS_ENABLED(session, ret) \ +- { \ +- ret = gnutls_transport_is_ktls_enabled(session); \ +- if (!(ret & GNUTLS_KTLS_RECV)) { \ +- fail("client: KTLS was not properly initialized\n"); \ +- goto end; \ +- } \ +- } +- +-static void server_log_func(int level, const char *str) +-{ +- fprintf(stderr, "server|<%d>| %s", level, str); +-} +- +-static void client_log_func(int level, const char *str) +-{ +- fprintf(stderr, "client|<%d>| %s", level, str); +-} +- +-static void client(int fd, const char *prio, int pipe) +-{ +- const char *name = "client"; +- int ret; +- char foo; +- char buffer[MAX_BUF + 1]; +- gnutls_certificate_credentials_t x509_cred; +- gnutls_session_t session; +- +- global_init(); +- +- if (debug) { +- gnutls_global_set_log_function(client_log_func); +- gnutls_global_set_log_level(7); +- } +- +- gnutls_certificate_allocate_credentials(&x509_cred); +- +- gnutls_init(&session, GNUTLS_CLIENT); +- gnutls_handshake_set_timeout(session, 0); +- +- assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); +- +- gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); +- +- gnutls_transport_set_int(session, fd); +- +- HANDSHAKE(session, name, ret); +- +- CHECK_KTLS_ENABLED(session, ret) +- // Test 0: Try sending/receiving data +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- SEND_MSG(session, name, ret) +- CHECK_KTLS_ENABLED(session, ret) +- // Test 1: Servers does key update +- read(pipe, &foo, 1); +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- SEND_MSG(session, name, ret) +- CHECK_KTLS_ENABLED(session, ret) +- // Test 2: Does key update witch request +- read(pipe, &foo, 1); +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- SEND_MSG(session, name, ret) +- CHECK_KTLS_ENABLED(session, ret) +- ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); +- if (ret < 0) { +- fail("client: error in closing session: %s\n", +- gnutls_strerror(ret)); +- } +- +- ret = 0; +-end: +- +- close(fd); +- +- gnutls_deinit(session); +- +- gnutls_certificate_free_credentials(x509_cred); +- +- gnutls_global_deinit(); +- +- if (ret != 0) +- exit(1); +-} +- +-pid_t child; +-static void terminate(void) +-{ +- assert(child); +- kill(child, SIGTERM); +- exit(1); +-} +- +-static void server(int fd, const char *prio, int pipe) +-{ +- const char *name = "server"; +- int ret; +- char bar = 0; +- char buffer[MAX_BUF + 1]; +- gnutls_certificate_credentials_t x509_cred; +- gnutls_session_t session; +- +- global_init(); +- +- if (debug) { +- gnutls_global_set_log_function(server_log_func); +- gnutls_global_set_log_level(7); +- } +- +- gnutls_certificate_allocate_credentials(&x509_cred); +- ret = gnutls_certificate_set_x509_key_mem( +- x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); +- if (ret < 0) +- exit(1); +- +- gnutls_init(&session, GNUTLS_SERVER); +- gnutls_handshake_set_timeout(session, 0); +- +- assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); +- +- gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); +- +- gnutls_transport_set_int(session, fd); +- +- HANDSHAKE(session, name, ret) +- CHECK_KTLS_ENABLED(session, ret) +- success("Test 0: sending/receiving data\n"); +- SEND_MSG(session, name, ret) +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- CHECK_KTLS_ENABLED(session, ret) +- success("Test 1: server key update without request\n"); +- KEY_UPDATE(session, name, 0, ret) +- write(pipe, &bar, 1); +- SEND_MSG(session, name, ret) +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- CHECK_KTLS_ENABLED(session, ret) +- success("Test 2: server key update with request\n"); +- KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret) +- write(pipe, &bar, 1); +- SEND_MSG(session, name, ret) +- RECV_MSG(session, name, buffer, MAX_BUF + 1, ret) +- CHECK_KTLS_ENABLED(session, ret) +- ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); +- if (ret < 0) { +- fail("server: error in closing session: %s\n", +- gnutls_strerror(ret)); +- } +- +- ret = 0; +-end: +- close(fd); +- gnutls_deinit(session); +- +- gnutls_certificate_free_credentials(x509_cred); +- +- gnutls_global_deinit(); +- +- if (ret) { +- terminate(); +- } +- +- if (debug) +- success("server: finished\n"); +-} +- +-static void ch_handler(int sig) +-{ +- return; +-} +- +-static void run(const char *prio) +-{ +- int ret; +- struct sockaddr_in saddr; +- socklen_t addrlen; +- int listener; +- int fd; +- +- int sync_pipe[2]; //used for synchronization +- pipe(sync_pipe); +- +- success("running ktls test with %s\n", prio); +- +- signal(SIGCHLD, ch_handler); +- signal(SIGPIPE, SIG_IGN); +- +- listener = socket(AF_INET, SOCK_STREAM, 0); +- if (listener == -1) { +- fail("error in listener(): %s\n", strerror(errno)); +- } +- +- memset(&saddr, 0, sizeof(saddr)); +- saddr.sin_family = AF_INET; +- saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); +- saddr.sin_port = 0; +- +- ret = bind(listener, (struct sockaddr *)&saddr, sizeof(saddr)); +- if (ret == -1) { +- fail("error in bind(): %s\n", strerror(errno)); +- } +- +- addrlen = sizeof(saddr); +- ret = getsockname(listener, (struct sockaddr *)&saddr, &addrlen); +- if (ret == -1) { +- fail("error in getsockname(): %s\n", strerror(errno)); +- } +- +- child = fork(); +- if (child < 0) { +- fail("error in fork(): %s\n", strerror(errno)); +- exit(1); +- } +- +- if (child) { +- int status; +- /* parent */ +- ret = listen(listener, 1); +- if (ret == -1) { +- fail("error in listen(): %s\n", strerror(errno)); +- } +- +- fd = accept(listener, NULL, NULL); +- if (fd == -1) { +- fail("error in accept(): %s\n", strerror(errno)); +- } +- +- close(sync_pipe[0]); +- server(fd, prio, sync_pipe[1]); +- +- wait(&status); +- check_wait_status(status); +- } else { +- fd = socket(AF_INET, SOCK_STREAM, 0); +- if (fd == -1) { +- fail("error in socket(): %s\n", strerror(errno)); +- exit(1); +- } +- +- usleep(1000000); +- connect(fd, (struct sockaddr *)&saddr, addrlen); +- +- close(sync_pipe[1]); +- client(fd, prio, sync_pipe[0]); +- exit(0); +- } +-} +- +-void doit(void) +-{ +- run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); +- run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); +-} +- +-#endif /* _WIN32 */ +diff --git a/tests/ktls_utils.h b/tests/ktls_utils.h +new file mode 100644 +index 0000000000..231618d615 +--- /dev/null ++++ b/tests/ktls_utils.h +@@ -0,0 +1,94 @@ ++#ifndef GNUTLS_TESTS_KTLS_UTILS_H ++#define GNUTLS_TESTS_KTLS_UTILS_H ++ ++#include ++#include ++ ++#include ++ ++#include ++#include ++ ++/* Sets the NONBLOCK flag on the socket(fd) */ ++inline static int set_nonblocking(int fd) ++{ ++ int flags = fcntl(fd, F_GETFL, 0); ++ if (flags == -1) { ++ return 1; ++ } ++ ++ if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) { ++ return 2; ++ } ++ ++ return 0; ++} ++ ++/* Creates a pair of TCP connected sockets */ ++static int create_socket_pair(int *client_fd, int *server_fd) ++{ ++ int ret; ++ struct sockaddr_in saddr; ++ socklen_t addrlen; ++ int listener; ++ ++ listener = socket(AF_INET, SOCK_STREAM, 0); ++ if (listener == -1) { ++ fail("error in listener(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ int opt = 0; ++ setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); ++ ++ memset(&saddr, 0, sizeof(saddr)); ++ saddr.sin_family = AF_INET; ++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); ++ saddr.sin_port = 0; ++ ++ ret = bind(listener, (struct sockaddr *)&saddr, sizeof(saddr)); ++ if (ret == -1) { ++ fail("error in bind(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ addrlen = sizeof(saddr); ++ ret = getsockname(listener, (struct sockaddr *)&saddr, &addrlen); ++ if (ret == -1) { ++ fail("error in getsockname(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ ret = listen(listener, 1); ++ if (ret == -1) { ++ fail("error in listen(): %s\n", strerror(errno)); ++ close(listener); ++ return 1; ++ } ++ ++ *client_fd = socket(AF_INET, SOCK_STREAM, 0); ++ if (*client_fd < 0) { ++ fail("error in socket(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ ret = connect(*client_fd, (struct sockaddr *)&saddr, addrlen); ++ if (ret < 0) { ++ fail("error in connect(): %s\n", strerror(errno)); ++ close(listener); ++ close(*client_fd); ++ return 1; ++ } ++ ++ *server_fd = accept(listener, NULL, NULL); ++ if (*server_fd < 0) { ++ fail("error in accept(): %s\n", strerror(errno)); ++ close(listener); ++ close(*client_fd); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#endif //GNUTLS_TESTS_KTLS_UTILS_H +diff --git a/tests/tls13/key_update.c b/tests/tls13/key_update.c +index 19bea7b9ac..9c72ee14ab 100644 +--- a/tests/tls13/key_update.c ++++ b/tests/tls13/key_update.c +@@ -47,6 +47,67 @@ static void tls_log_func(int level, const char *str) + #define MSG \ + "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..." + ++#ifdef USE_KTLS ++/* For ktls flavour of the test, the test needs to be run with the kTLS enabled ++ * option in the GnuTLS configuration file, in the case of the GnuTLS testing, ++ * the shell script `tests/ktls_keyupdate.sh` does just that. ++ */ ++ ++#include "ktls_utils.h" ++ ++#define RUN(s, n) \ ++ { \ ++ int ret; \ ++ int cfd, sfd; \ ++ if ((ret = create_sockets(&cfd, &sfd))) { \ ++ fail("kTLS: %s\n", errors[ret]); \ ++ exit(1); \ ++ } \ ++ run(s, n, cfd, sfd); \ ++ close(cfd); \ ++ close(sfd); \ ++ } ++ ++/* We could check specificaly but given how the setting of new keys work, let's ++ * check if something had gone sideways on both the receive and sending sockets. ++ */ ++#define CHECK_KTLS_ENABLED(session) \ ++ switch (gnutls_transport_is_ktls_enabled(session)) { \ ++ case GNUTLS_KTLS_RECV: \ ++ fail("kTLS: Only recv support is initiated\n"); \ ++ break; \ ++ case GNUTLS_KTLS_SEND: \ ++ fail("kTLS: Only send support is initiated\n"); \ ++ break; \ ++ case GNUTLS_KTLS_DUPLEX: \ ++ break; \ ++ default: \ ++ fail("kTLS: dissabled\n"); \ ++ } ++ ++/* ktls needs to use real sockets */ ++char *errors[] = { "", "Failed to create the socket pair", ++ "Failed to set the socket non-blocking" }; ++ ++inline static int create_sockets(int *cfd, int *sfd) ++{ ++ int ret = create_socket_pair(cfd, sfd); ++ if (ret) ++ return 1; ++ ++ if (set_nonblocking(*cfd) || set_nonblocking(*sfd)) ++ return 2; ++ ++ return 0; ++} ++ ++#else /* non-kTLS */ ++ ++#define RUN(s, n) run(s, n, -1, -1) ++#define CHECK_KTLS_ENABLED(session) /* No-op */ ++ ++#endif /* non-kTLS */ ++ + static unsigned key_update_msg_inc = 0; + static unsigned key_update_msg_out = 0; + +@@ -68,7 +129,7 @@ static int hsk_callback(gnutls_session_t session, unsigned int htype, + return 0; + } + +-static void run(const char *name, unsigned test) ++static void run(const char *name, unsigned test, int cfd, int sfd) + { + /* Server stuff. */ + gnutls_certificate_credentials_t ccred; +@@ -100,9 +161,14 @@ static void run(const char *name, unsigned test) + exit(1); + + gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); ++#ifdef USE_KTLS ++ /* for kTLS you can't use custom push/pull functions */ ++ gnutls_transport_set_int(server, sfd); ++#else + gnutls_transport_set_push_function(server, server_push); + gnutls_transport_set_pull_function(server, server_pull); + gnutls_transport_set_ptr(server, server); ++#endif + + /* Init client */ + assert(gnutls_certificate_allocate_credentials(&ccred) >= 0); +@@ -118,14 +184,23 @@ static void run(const char *name, unsigned test) + if (ret < 0) + exit(1); + ++#ifdef USE_KTLS ++ /* for kTLS you can't use custom push/pull functions */ ++ gnutls_transport_set_int(client, cfd); ++#else + gnutls_transport_set_push_function(client, client_push); + gnutls_transport_set_pull_function(client, client_pull); + gnutls_transport_set_ptr(client, client); ++#endif + + HANDSHAKE(client, server); + if (debug) + success("Handshake established\n"); + ++ /* check kTLS initialization (both send and recv should be supported)*/ ++ CHECK_KTLS_ENABLED(client); ++ CHECK_KTLS_ENABLED(server); ++ + switch (test) { + case 0: + case 1: +@@ -134,10 +209,14 @@ static void run(const char *name, unsigned test) + ret = gnutls_session_key_update(client, 0); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + ++ CHECK_KTLS_ENABLED(client); ++ CHECK_KTLS_ENABLED(server); ++ + /* server receives the client key update and sends data */ + TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); + TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); + EMPTY_BUF(server, client, buffer, MAX_BUF); ++ + if (test != 0) + break; + sec_sleep(2); +@@ -151,10 +230,14 @@ static void run(const char *name, unsigned test) + if (ret < 0) + fail("error in key update: %s\n", gnutls_strerror(ret)); + ++ CHECK_KTLS_ENABLED(server); ++ CHECK_KTLS_ENABLED(client); ++ + /* client receives the key update and sends data */ + TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); + TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); + EMPTY_BUF(server, client, buffer, MAX_BUF); ++ + if (test != 0) + break; + sec_sleep(2); +@@ -167,10 +250,14 @@ static void run(const char *name, unsigned test) + if (ret < 0) + fail("error in key update: %s\n", gnutls_strerror(ret)); + ++ CHECK_KTLS_ENABLED(client); ++ CHECK_KTLS_ENABLED(server); ++ + /* server receives the client key update and sends data */ + TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); + TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); + EMPTY_BUF(server, client, buffer, MAX_BUF); ++ + if (test != 0) + break; + sec_sleep(2); +@@ -183,6 +270,9 @@ static void run(const char *name, unsigned test) + if (ret < 0) + fail("error in key update: %s\n", gnutls_strerror(ret)); + ++ CHECK_KTLS_ENABLED(server); ++ CHECK_KTLS_ENABLED(client); ++ + TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); + TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); + EMPTY_BUF(server, client, buffer, MAX_BUF); +@@ -210,6 +300,9 @@ static void run(const char *name, unsigned test) + /* client receives key update */ + EMPTY_BUF(server, client, buffer, MAX_BUF); + ++ CHECK_KTLS_ENABLED(server); ++ CHECK_KTLS_ENABLED(client); ++ + /* client uncorks and sends key update */ + do { + ret = gnutls_record_uncork(client, GNUTLS_RECORD_WAIT); +@@ -217,6 +310,9 @@ static void run(const char *name, unsigned test) + if (ret < 0) + fail("cannot send: %s\n", gnutls_strerror(ret)); + ++ CHECK_KTLS_ENABLED(server); ++ CHECK_KTLS_ENABLED(client); ++ + EMPTY_BUF(server, client, buffer, MAX_BUF); + + sec_sleep(2); +@@ -238,6 +334,9 @@ static void run(const char *name, unsigned test) + if (ret < 0) + fail("error in key update: %s\n", gnutls_strerror(ret)); + ++ CHECK_KTLS_ENABLED(server); ++ CHECK_KTLS_ENABLED(client); ++ + /* server receives the client key update and sends data */ + TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); + TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); +@@ -263,11 +362,11 @@ static void run(const char *name, unsigned test) + + void doit(void) + { +- run("single", 1); +- run("single", 2); +- run("single", 3); +- run("single", 4); +- run("single", 5); +- run("single", 6); +- run("all", 0); /* all one after each other */ ++ RUN("single", 1); ++ RUN("single", 2); ++ RUN("single", 3); ++ RUN("single", 4); ++ RUN("single", 5); ++ RUN("single", 6); ++ RUN("all", 0); /* all one after each other */ + } +-- +GitLab + + +From 247640a84f6aa7dddf6e2380d7189542b5483a4a Mon Sep 17 00:00:00 2001 +From: Frantisek Krenzelok +Date: Tue, 11 Feb 2025 13:35:43 +0100 +Subject: [PATCH 2/7] kTLS: add new keyupdate error return on recv + +kTLS now returns -EKEYEXPIRED when the socket's keys aren't updated after +receiving a keyupdate (this is very unlikely). Currently when this +happens the ktls recv funtion returns GNUTLS_E_AGAIN and the receive +function is called again and again. + +Signed-off-by: Frantisek Krenzelok +--- + lib/system/ktls.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 432c70c5a2..cb29c5a763 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -59,6 +59,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) + { + if (unlikely(!session->internals.initial_negotiation_completed)) { + _gnutls_debug_log("Initial negotiation is not yet complete\n"); ++ gnutls_assert(); + return 0; + } + +@@ -82,7 +83,9 @@ void _gnutls_ktls_enable(gnutls_session_t session) + } + } else { + _gnutls_record_log( +- "Unable to set TCP_ULP for read socket: %d\n", errno); ++ "kTLS: Unable to set TCP_ULP for read socket: %d\n", ++ errno); ++ gnutls_assert(); + } + + if (sockin != sockout) { +@@ -91,8 +94,9 @@ void _gnutls_ktls_enable(gnutls_session_t session) + session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; + } else { + _gnutls_record_log( +- "Unable to set TCP_ULP for write socket: %d\n", ++ "kTLS: Unable to set TCP_ULP for write socket: %d\n", + errno); ++ gnutls_assert(); + } + } + #endif +@@ -1064,6 +1068,13 @@ int _gnutls_ktls_recv_control_msg(gnutls_session_t session, + default: + return GNUTLS_E_PULL_ERROR; + } ++ } else if (unlikely(ret == -EKEYEXPIRED)) { ++ /* This will be received until a keyupdate is performed on the ++ scoket. */ ++ _gnutls_debug_log("kTLS: socket(recv) has not yet received " ++ "updated keys\n"); ++ gnutls_assert(); ++ return GNUTLS_E_AGAIN; + } + + /* connection closed */ +-- +GitLab + + +From 1cf5e7d5748e0a2312b55e9c4bcf252a34765919 Mon Sep 17 00:00:00 2001 +From: Krenzelok Frantisek +Date: Mon, 17 Feb 2025 23:08:57 +0100 +Subject: [PATCH 4/7] kTLS: add rekey kernel version check (Linux) + +Signed-off-by: Krenzelok Frantisek +--- + lib/system/ktls.c | 8 ++++++++ + tests/ktls.sh | 17 ++++++++--------- + tests/ktls_keyupdate.sh | 18 ++++++++++++++---- + tests/scripts/common.sh | 26 ++++++++++++++++++++++++++ + 4 files changed, 56 insertions(+), 13 deletions(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index cb29c5a763..66ab24ec7a 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -507,6 +507,14 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + ++ if (major < 6 || (major == 6 && minor < 14)) { ++ _gnutls_debug_log("Linux kernel version %lu.%lu doesn't yet " ++ "support kTLS keyupdate, this will result in " ++ "invalidation of the current session after a " ++ "key-update is performed\n", ++ major, minor); ++ } ++ + /* check whether or not cipher suite supports ktls + */ + switch (cipher) { +diff --git a/tests/ktls.sh b/tests/ktls.sh +index a15d6116d9..ca9ead8df0 100644 +--- a/tests/ktls.sh ++++ b/tests/ktls.sh +@@ -25,19 +25,18 @@ + + case "$host_os" in + FreeBSD) +- if ! sysctl -n kern.ipc.tls.enable | grep 1 > /dev/null; then +- exit 77 ++ if ! sysctl -n kern.ipc.tls.enable | grep 1 > /dev/null; then ++ exit 77 + fi ++ ++ kernel_version_check 13 0 || exit 77 + ;; + Linux) +- if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then +- exit 77 ++ if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then ++ exit 77 + fi +- case "$(uname -r)" in +- 4.* | 5.[0-9].* | 5.10.*) +- exit 77 +- ;; +- esac ++ ++ kernel_version_check 5 10 || exit 77 + ;; + esac + +diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh +index ae12a2f102..54706d8d94 100755 +--- a/tests/ktls_keyupdate.sh ++++ b/tests/ktls_keyupdate.sh +@@ -19,13 +19,23 @@ + # You should have received a copy of the GNU General Public License + # along with GnuTLS. If not, see . + +-: ${builddir=.} ++: ${builddir=.} ${host_os=`uname`} + + . "$srcdir/scripts/common.sh" + +-if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then +- exit 77 +-fi ++case "$host_os" in ++ FreeBSD) ++ # key update is not yet supported on FreeBSD ++ exit 77 ++ ;; ++ Linux) ++ if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then ++ exit 77 ++ fi ++ ++ kernel_version_check 6 14 || exit 77 ++ ;; ++esac + + testdir=`create_testdir ktls_keyupdate` + +diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh +index 47355cf025..c5f91b62c4 100644 +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -267,3 +267,29 @@ check_if_equal() { + diff -b -B "$1" "$2" + return $? + } ++ ++# works for FreeBSD and Linux ++# $1: the major version to check against ++# $2: the minor version to check against ++kernel_version_check() { ++ local required_major=$1 ++ local required_minor=$2 ++ ++ kernel_version=$(uname -r | sed -E 's/^([0-9]+\.[0-9]+).*/\1/' 2>/dev/null) ++ kernel_major=$(echo $kernel_version | cut -d. -f1 2>/dev/null) ++ kernel_minor=$(echo $kernel_version | cut -d. -f2 2>/dev/null) ++ ++ if ! [[ "$kernel_major" =~ ^[0-9]+$ ]] || ! [[ "$kernel_minor" =~ ^[0-9]+$ ]]; then ++ return 1 ++ fi ++ ++ if [ "$kernel_major" -lt "$required_major" ]; then ++ return 1 ++ fi ++ ++ if [ "$kernel_major" -eq "$required_major" ] && [ "$kernel_minor" -lt "$required_minor" ]; then ++ return 1 ++ fi ++ ++ return 0 ++} +-- +GitLab + + +From 82fac5267fd74196c29e8a8b3e47e17d6ec4c20b Mon Sep 17 00:00:00 2001 +From: Krenzelok Frantisek +Date: Tue, 11 Mar 2025 11:37:33 +0100 +Subject: [PATCH 5/7] kTLS: improve alert messages + +Signed-off-by: Krenzelok Frantisek +--- + lib/system/ktls.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/lib/system/ktls.c b/lib/system/ktls.c +index 66ab24ec7a..2983888d37 100644 +--- a/lib/system/ktls.c ++++ b/lib/system/ktls.c +@@ -1122,8 +1122,44 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, + GNUTLS_E_UNIMPLEMENTED_FEATURE); + break; + case GNUTLS_ALERT: ++ if (ret < 2) { ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET); ++ } ++ ++ uint8_t level = ((uint8_t *)data)[0]; ++ uint8_t desc = ((uint8_t *)data)[1]; ++ ++ _gnutls_record_log( ++ "REC[%p]: Alert[%d|%d] - %s - was received\n", ++ session, level, desc, ++ gnutls_alert_get_name((int)desc)); ++ ++ session->internals.last_alert = desc; ++ ++ /* if close notify is received and ++ * the alert is not fatal ++ */ ++ if (desc == GNUTLS_A_CLOSE_NOTIFY && ++ level != GNUTLS_AL_FATAL) { ++ /* If we have been expecting for an alert do ++ */ ++ session->internals.read_eof = 1; ++ return 0; ++ } ++ /* if the alert is FATAL or WARNING ++ * return the appropriate message ++ */ ++ gnutls_assert(); ++ if (level == GNUTLS_AL_FATAL) { ++ session->internals.resumable = false; ++ session->internals.invalid_connection = 1; ++ return gnutls_assert_val( ++ GNUTLS_E_FATAL_ALERT_RECEIVED); ++ } ++ ++ ret = GNUTLS_E_WARNING_ALERT_RECEIVED; + session_invalidate(session); +- ret = 0; + break; + case GNUTLS_HANDSHAKE: + ret = gnutls_handshake_write( +-- +GitLab + + +From 93d1fe12e52a382bd024b0db51482f0c7272bb2a Mon Sep 17 00:00:00 2001 +From: Krenzelok Frantisek +Date: Tue, 11 Mar 2025 11:38:47 +0100 +Subject: [PATCH 6/7] kTLS: fix gnutls-cli-debug - test + +Signed-off-by: Krenzelok Frantisek +--- + src/cli-debug.c | 6 ++++++ + src/tests.c | 4 +++- + tests/gnutls-cli-debug.sh | 11 ++++++----- + 3 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/src/cli-debug.c b/src/cli-debug.c +index ad8e525e30..b140cd3bc4 100644 +--- a/src/cli-debug.c ++++ b/src/cli-debug.c +@@ -67,6 +67,11 @@ static void tls_log_func(int level, const char *str) + fprintf(stderr, "|<%d>| %s", level, str); + } + ++static void tls_audit_log_func(gnutls_session_t session, const char *str) ++{ ++ fprintf(stderr, "|<%p>| %s", session, str); ++} ++ + typedef test_code_t (*TEST_FUNC)(gnutls_session_t); + + typedef struct { +@@ -277,6 +282,7 @@ int main(int argc, char **argv) + } + + gnutls_global_set_log_function(tls_log_func); ++ gnutls_global_set_audit_log_function(tls_audit_log_func); + gnutls_global_set_log_level(debug); + + /* get server name */ +diff --git a/src/tests.c b/src/tests.c +index 6544d1e2e0..2c06c8d669 100644 +--- a/src/tests.c ++++ b/src/tests.c +@@ -1770,7 +1770,9 @@ static test_code_t test_do_handshake_and_send_record(gnutls_session_t session) + return ret; + + gnutls_record_send(session, snd_buf, sizeof(snd_buf) - 1); +- ret = gnutls_record_recv(session, buf, sizeof(buf) - 1); ++ do { ++ ret = gnutls_record_recv(session, buf, sizeof(buf) - 1); ++ } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + if (ret < 0) + return TEST_FAILED; + +diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh +index c09e676c6a..82f4d4d111 100755 +--- a/tests/gnutls-cli-debug.sh ++++ b/tests/gnutls-cli-debug.sh +@@ -26,6 +26,7 @@ + : ${TIMEOUT=timeout} + OUTFILE=cli-debug.$$.tmp + TMPFILE=config.$$.tmp ++LOGFILE="$(basename "$0" .sh).log" + unset RETCODE + + if ! test -x "${SERV}"; then +@@ -71,7 +72,7 @@ PID=$! + wait_server ${PID} + + "$TIMEOUT" 1800 \ +-"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" ++"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>$LOGFILE || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait +@@ -118,7 +119,7 @@ PID=$! + wait_server ${PID} + + "$TIMEOUT" 1800 \ +-"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" ++"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>$LOGFILE || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait +@@ -160,7 +161,7 @@ PID=$! + wait_server ${PID} + + "$TIMEOUT" 1800 \ +-"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" ++"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>$LOGFILE || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait +@@ -186,7 +187,7 @@ _EOF_ + + GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ + "$TIMEOUT" 1800 \ +-"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" ++"${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>$LOGFILE || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait +@@ -209,7 +210,7 @@ if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != 1 ; then + wait_server ${PID} + + "$TIMEOUT" 1800 \ +- "${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" ++ "${DCLI}" --attime "2017-08-9" -p "${PORT}" localhost >$OUTFILE 2>$LOGFILE || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait +-- +GitLab + + +From eaa6912f6ee6bd8ff5f1175bbd7ccedd0526695e Mon Sep 17 00:00:00 2001 +From: Krenzelok Frantisek +Date: Mon, 17 Mar 2025 12:41:24 +0100 +Subject: [PATCH 7/7] tests: add enviromental variable + +Signed-off-by: Krenzelok Frantisek +--- + tests/Makefile.am | 2 +- + tests/ktls.sh | 4 ++-- + tests/ktls_keyupdate.sh | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 9990ee21cc..b39a97bac3 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -21,7 +21,7 @@ + + SUBDIRS = . cert-tests slow + +-TESTS_ENVIRONMENT = ++TESTS_ENVIRONMENT = HOST_OS=$$(uname) + + if WINDOWS + SUBDIRS += windows +diff --git a/tests/ktls.sh b/tests/ktls.sh +index ca9ead8df0..c2847be833 100644 +--- a/tests/ktls.sh ++++ b/tests/ktls.sh +@@ -19,11 +19,11 @@ + # You should have received a copy of the GNU General Public License + # along with GnuTLS. If not, see . + +-: ${builddir=.} ${host_os=`uname`} ++: ${builddir=.} + + . "$srcdir/scripts/common.sh" + +-case "$host_os" in ++case "$HOST_OS" in + FreeBSD) + if ! sysctl -n kern.ipc.tls.enable | grep 1 > /dev/null; then + exit 77 +diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh +index 54706d8d94..54526727e3 100755 +--- a/tests/ktls_keyupdate.sh ++++ b/tests/ktls_keyupdate.sh +@@ -19,11 +19,11 @@ + # You should have received a copy of the GNU General Public License + # along with GnuTLS. If not, see . + +-: ${builddir=.} ${host_os=`uname`} ++: ${builddir=.} + + . "$srcdir/scripts/common.sh" + +-case "$host_os" in ++case "$HOST_OS" in + FreeBSD) + # key update is not yet supported on FreeBSD + exit 77 +-- +GitLab + diff --git a/gnutls.spec b/gnutls.spec index 5131886..53af240 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -18,6 +18,8 @@ Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch +# https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 +Patch: gnutls-3.8.9-ktls-kernel-check.patch %bcond_without bootstrap %bcond_without dane @@ -502,21 +504,6 @@ rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* %check %if %{with tests} pushd native_build - -# KeyUpdate is not yet supported in the kernel. -xfail_tests=ktls_keyupdate.sh - -# The ktls.sh test currently only supports kernel 5.11+. This needs to -# be checked at run time, as the koji builder might be using a different -# version of kernel on the host than the one indicated by the -# kernel-devel package. - -case "$(uname -r)" in - 4.* | 5.[0-9].* | 5.10.* ) - xfail_tests="$xfail_tests ktls.sh" - ;; -esac - make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests" popd %endif From e45aaed8ab5cf2a5baae8122f3c77f0d5f015ef0 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 9 Jul 2025 18:02:24 +0900 Subject: [PATCH 140/152] Update to 3.8.10 upstream release Also update the bundled leancrypto to 1.5.0. Signed-off-by: Daiki Ueno --- .gitignore | 3 + gnutls-3.8.10-tests-ktls.patch | 114 ++++++++++++++++++++++++++++++++ gnutls-3.8.10-tests-mldsa.patch | 58 ++++++++++++++++ gnutls.spec | 12 ++-- sources | 6 +- 5 files changed, 185 insertions(+), 8 deletions(-) create mode 100644 gnutls-3.8.10-tests-ktls.patch create mode 100644 gnutls-3.8.10-tests-mldsa.patch diff --git a/.gitignore b/.gitignore index 45589ae..f859c71 100644 --- a/.gitignore +++ b/.gitignore @@ -167,3 +167,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.9.tar.xz.sig /leancrypto-1.2.0.tar.gz /leancrypto-1.3.0.tar.gz +/gnutls-3.8.10.tar.xz +/gnutls-3.8.10.tar.xz.sig +/leancrypto-1.5.0.tar.gz diff --git a/gnutls-3.8.10-tests-ktls.patch b/gnutls-3.8.10-tests-ktls.patch new file mode 100644 index 0000000..1b23124 --- /dev/null +++ b/gnutls-3.8.10-tests-ktls.patch @@ -0,0 +1,114 @@ +From e0eb2bbb212a5c9d72311c59e7235832a0075dcc Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 9 Jul 2025 18:54:48 +0900 +Subject: [PATCH] add tests/ktls_utils.h + +Signed-off-by: rpm-build +--- + tests/ktls_utils.h | 94 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 94 insertions(+) + create mode 100644 tests/ktls_utils.h + +diff --git a/tests/ktls_utils.h b/tests/ktls_utils.h +new file mode 100644 +index 0000000..231618d +--- /dev/null ++++ b/tests/ktls_utils.h +@@ -0,0 +1,94 @@ ++#ifndef GNUTLS_TESTS_KTLS_UTILS_H ++#define GNUTLS_TESTS_KTLS_UTILS_H ++ ++#include ++#include ++ ++#include ++ ++#include ++#include ++ ++/* Sets the NONBLOCK flag on the socket(fd) */ ++inline static int set_nonblocking(int fd) ++{ ++ int flags = fcntl(fd, F_GETFL, 0); ++ if (flags == -1) { ++ return 1; ++ } ++ ++ if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) { ++ return 2; ++ } ++ ++ return 0; ++} ++ ++/* Creates a pair of TCP connected sockets */ ++static int create_socket_pair(int *client_fd, int *server_fd) ++{ ++ int ret; ++ struct sockaddr_in saddr; ++ socklen_t addrlen; ++ int listener; ++ ++ listener = socket(AF_INET, SOCK_STREAM, 0); ++ if (listener == -1) { ++ fail("error in listener(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ int opt = 0; ++ setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); ++ ++ memset(&saddr, 0, sizeof(saddr)); ++ saddr.sin_family = AF_INET; ++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); ++ saddr.sin_port = 0; ++ ++ ret = bind(listener, (struct sockaddr *)&saddr, sizeof(saddr)); ++ if (ret == -1) { ++ fail("error in bind(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ addrlen = sizeof(saddr); ++ ret = getsockname(listener, (struct sockaddr *)&saddr, &addrlen); ++ if (ret == -1) { ++ fail("error in getsockname(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ ret = listen(listener, 1); ++ if (ret == -1) { ++ fail("error in listen(): %s\n", strerror(errno)); ++ close(listener); ++ return 1; ++ } ++ ++ *client_fd = socket(AF_INET, SOCK_STREAM, 0); ++ if (*client_fd < 0) { ++ fail("error in socket(): %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ ret = connect(*client_fd, (struct sockaddr *)&saddr, addrlen); ++ if (ret < 0) { ++ fail("error in connect(): %s\n", strerror(errno)); ++ close(listener); ++ close(*client_fd); ++ return 1; ++ } ++ ++ *server_fd = accept(listener, NULL, NULL); ++ if (*server_fd < 0) { ++ fail("error in accept(): %s\n", strerror(errno)); ++ close(listener); ++ close(*client_fd); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#endif //GNUTLS_TESTS_KTLS_UTILS_H +-- +2.49.0 + diff --git a/gnutls-3.8.10-tests-mldsa.patch b/gnutls-3.8.10-tests-mldsa.patch new file mode 100644 index 0000000..158632e --- /dev/null +++ b/gnutls-3.8.10-tests-mldsa.patch @@ -0,0 +1,58 @@ +From 15fb5ad536c375a74cc0d87859c9fc919d924c9d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 10 Jul 2025 05:45:06 +0900 +Subject: [PATCH] support VPATH build for mldsa tests + +Signed-off-by: rpm-build +--- + tests/cert-tests/mldsa.sh | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tests/cert-tests/mldsa.sh b/tests/cert-tests/mldsa.sh +index 7e31e11..55e31ce 100644 +--- a/tests/cert-tests/mldsa.sh ++++ b/tests/cert-tests/mldsa.sh +@@ -130,7 +130,7 @@ for variant in 44 65 87; do + # Check default + TMPKEYDEFAULT=$testdir/key-$algo-$format-default + TMPKEY=$testdir/key-$algo-$format +- ${VALGRIND} "${CERTTOOL}" -k --no-text --infile "data/key-$algo-$format.pem" >"$TMPKEYDEFAULT" ++ ${VALGRIND} "${CERTTOOL}" -k --no-text --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEYDEFAULT" + if [ $? != 0 ]; then + cat "$TMPKEYDEFAULT" + exit 1 +@@ -138,19 +138,19 @@ for variant in 44 65 87; do + + # The "expandedKey" format doesn't have public key part + if [ "$format" = seed ] || [ "$format" = both ]; then +- if ! "${DIFF}" "$TMPKEYDEFAULT" "data/key-$algo-both.pem"; then ++ if ! "${DIFF}" "$TMPKEYDEFAULT" "$srcdir/data/key-$algo-both.pem"; then + exit 1 + fi + fi + + # Check roundtrip with --key-format +- ${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "data/key-$algo-$format.pem" >"$TMPKEY" ++ ${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEY" + if [ $? != 0 ]; then + cat "$TMPKEY" + exit 1 + fi + +- if ! "${DIFF}" "$TMPKEY" "data/key-$algo-$format.pem"; then ++ if ! "${DIFF}" "$TMPKEY" "$srcdir/data/key-$algo-$format.pem"; then + exit 1 + fi + done +@@ -164,7 +164,7 @@ for n in 1; do + fi + + echo "Testing inconsistent ML-DSA key ($n)" +- if "${CERTTOOL}" -k --infile "data/key-mldsa-inconsistent$n.pem"; then ++ if "${CERTTOOL}" -k --infile "$srcdir/data/key-mldsa-inconsistent$n.pem"; then + exit 1 + fi + done +-- +2.49.0 + diff --git a/gnutls.spec b/gnutls.spec index 53af240..4475882 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,14 +12,16 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.9 +Version: 3.8.10 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch -# https://gitlab.com/gnutls/gnutls/-/merge_requests/1934 -Patch: gnutls-3.8.9-ktls-kernel-check.patch +# add tests/ktls_utils.h missing in the distribution +Patch: gnutls-3.8.10-tests-ktls.patch +# run tests/cert-test/mldsa.sh in VPATH build +Patch: gnutls-3.8.10-tests-mldsa.patch %bcond_without bootstrap %bcond_without dane @@ -142,7 +144,7 @@ Source201: gnutls-3.8.8-tests-rsa-default.patch %endif %if %{with leancrypto} -Source300: leancrypto-1.3.0.tar.gz +Source300: leancrypto-1.5.0.tar.gz %endif # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 @@ -504,7 +506,7 @@ rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/ncrypt.dll* %check %if %{with tests} pushd native_build -make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$xfail_tests" +make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { cat tests/test-suite.log tests/cert-tests/test-suite.log tests/slow/test-suite.log src/gl/tests/test-suite.log; exit 1; } popd %endif diff --git a/sources b/sources index 5043ca2..6114eb9 100644 --- a/sources +++ b/sources @@ -1,5 +1,5 @@ -SHA512 (gnutls-3.8.9.tar.xz) = b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7 -SHA512 (gnutls-3.8.9.tar.xz.sig) = 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e +SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92 +SHA512 (gnutls-3.8.10.tar.xz.sig) = 72d6dd2c23f768f5041c3dca0f49b3f60cd01fc960ce77f097094a2aae6d76fddeb6295c425e3750c711d5f700957a62268aecc4873e53c31abb60eecf0fd4a8 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 -SHA512 (leancrypto-1.3.0.tar.gz) = 8e0348d09b37fd6eb770505f1e98efdbf9d6f721aa2617d1f32d42ba89709bf374eb9d06aa2266bc7d7b5c56ab3168f12925fd4ec1d2d78951080f74f4a1a085 +SHA512 (leancrypto-1.5.0.tar.gz) = 1170a502f58c9bce424578cece64a3ebf856620adc02f390b8877981bccf0c2bf35e64b1628094a06c069ec38a3be5889be22516d45d85f4e75b40085d9001c9 From b690a9632964c0d4c743544e9599efe133b6fc37 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 22:53:49 +0000 Subject: [PATCH 141/152] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 7be798d94075dd3ec0a853dc6ce5ffe21143e01a Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 29 Jul 2025 15:04:46 +0200 Subject: [PATCH 142/152] Rebuild Signed-off-by: Zoltan Fridrich From 330d52f8da47038d72f2c1ca6e9d6e5a226311eb Mon Sep 17 00:00:00 2001 From: Krenzelok Frantisek Date: Wed, 23 Jul 2025 13:19:57 +0200 Subject: [PATCH 143/152] Enable kTLS by default Resolves: rhbz#2130000 - https://fedoraproject.org/wiki/Changes/KTLSSupportForGnuTLS. - kTLS is now enabled by default if all requirements are met. - Modify the docs to reflect the change of defaults. - Picked-up a patch that fixes state transition in the KTLS code path. --- gnutls-3.8.10-ktls-enable-by-default.patch | 45 +++++++++++++++++++ gnutls-3.8.10-ktls-fix-state-transition.patch | 24 ++++++++++ gnutls.spec | 4 ++ 3 files changed, 73 insertions(+) create mode 100644 gnutls-3.8.10-ktls-enable-by-default.patch create mode 100644 gnutls-3.8.10-ktls-fix-state-transition.patch diff --git a/gnutls-3.8.10-ktls-enable-by-default.patch b/gnutls-3.8.10-ktls-enable-by-default.patch new file mode 100644 index 0000000..5fac77d --- /dev/null +++ b/gnutls-3.8.10-ktls-enable-by-default.patch @@ -0,0 +1,45 @@ +diff --git a/lib/priority.c b/lib/priority.c +index 25a2de9..e864314 100644 +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -1033,6 +1033,7 @@ static inline void cfg_init(struct cfg *cfg) + { + memset(cfg, 0, sizeof(*cfg)); + cfg->allow_rsa_pkcs1_encrypt = true; ++ cfg->ktls_enabled = true; + } + + static inline void cfg_deinit(struct cfg *cfg) +diff --git a/doc/cha-config.texi b/doc/cha-config.texi +index 25ff0ed..c93dcb2 100644 +--- a/doc/cha-config.texi ++++ b/doc/cha-config.texi +@@ -282,13 +282,13 @@ cert-compression-alg = zlib + The following options can overwrite default behavior of protocols system-wide. + @example + [global] +-ktls = true ++ktls = false + + @end example +-@node Enabling kTLS +-@subsection Enabling kTLS +-When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. +-This can be enabled by setting @code{ktls = true} in @code{[global]} section. ++@node Enabling/Disabling kTLS ++@subsection Enabling/Disabling kTLS ++When GnuTLS is build with -–enable-ktls configuration, KTLS is enabled by default. ++This can be disabled by setting @code{ktls = false} in @code{[global]} section. + + kTLS requires that the system support kTLS @ref{kTLS (Kernel TLS)}. + +diff -up ./doc/cha-features.texi.ktls_default ./doc/cha-features.texi +--- ./doc/cha-features.texi.ktls_default 2025-08-21 17:13:57.610330316 +0200 ++++ ./doc/cha-features.texi 2025-08-21 17:14:00.806352803 +0200 +@@ -21,5 +21,5 @@ The following table shows how to enable + @caption{kTLS system enable} + @end float + +-To enable ktls in GnuTLS @ref{Enabling kTLS}. ++To enable ktls in GnuTLS @ref{Enabling/Disabling kTLS}. + diff --git a/gnutls-3.8.10-ktls-fix-state-transition.patch b/gnutls-3.8.10-ktls-fix-state-transition.patch new file mode 100644 index 0000000..fc9d490 --- /dev/null +++ b/gnutls-3.8.10-ktls-fix-state-transition.patch @@ -0,0 +1,24 @@ +From 5376a0cabf94314316005e6bf411ffcc7628b386 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 22 Jul 2025 10:49:33 +0900 +Subject: [PATCH 1/3] key_update: fix state transition in KTLS code path + +Signed-off-by: Daiki Ueno +--- + lib/record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/record.c b/lib/record.c +index d37f79a550..ebc75addec 100644 +--- a/lib/record.c ++++ b/lib/record.c +@@ -2045,7 +2045,7 @@ ssize_t gnutls_record_send2(gnutls_session_t session, const void *data, + FALLTHROUGH; + case RECORD_SEND_KEY_UPDATE_3: + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { +- return _gnutls_ktls_send( ++ ret = _gnutls_ktls_send( + session, + session->internals.record_key_update_buffer.data, + session->internals.record_key_update_buffer +-- diff --git a/gnutls.spec b/gnutls.spec index 4475882..abe6bbf 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -20,6 +20,10 @@ Patch: gnutls-3.2.7-rpath.patch Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch # add tests/ktls_utils.h missing in the distribution Patch: gnutls-3.8.10-tests-ktls.patch +# Enable ktls by default +Patch: gnutls-3.8.10-ktls-enable-by-default.patch +# Fix state transition in the KTLS code path. +Patch: gnutls-3.8.10-ktls-fix-state-transition.patch # run tests/cert-test/mldsa.sh in VPATH build Patch: gnutls-3.8.10-tests-mldsa.patch From 92cc61b5313a6652cf83ea1080e6c838a2596c45 Mon Sep 17 00:00:00 2001 From: Krenzelok Frantisek Date: Tue, 26 Aug 2025 17:33:12 +0200 Subject: [PATCH 144/152] Revert "Enable kTLS by default" This reverts commit 330d52f8da47038d72f2c1ca6e9d6e5a226311eb. --- gnutls-3.8.10-ktls-enable-by-default.patch | 45 ------------------- gnutls-3.8.10-ktls-fix-state-transition.patch | 24 ---------- gnutls.spec | 4 -- 3 files changed, 73 deletions(-) delete mode 100644 gnutls-3.8.10-ktls-enable-by-default.patch delete mode 100644 gnutls-3.8.10-ktls-fix-state-transition.patch diff --git a/gnutls-3.8.10-ktls-enable-by-default.patch b/gnutls-3.8.10-ktls-enable-by-default.patch deleted file mode 100644 index 5fac77d..0000000 --- a/gnutls-3.8.10-ktls-enable-by-default.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff --git a/lib/priority.c b/lib/priority.c -index 25a2de9..e864314 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1033,6 +1033,7 @@ static inline void cfg_init(struct cfg *cfg) - { - memset(cfg, 0, sizeof(*cfg)); - cfg->allow_rsa_pkcs1_encrypt = true; -+ cfg->ktls_enabled = true; - } - - static inline void cfg_deinit(struct cfg *cfg) -diff --git a/doc/cha-config.texi b/doc/cha-config.texi -index 25ff0ed..c93dcb2 100644 ---- a/doc/cha-config.texi -+++ b/doc/cha-config.texi -@@ -282,13 +282,13 @@ cert-compression-alg = zlib - The following options can overwrite default behavior of protocols system-wide. - @example - [global] --ktls = true -+ktls = false - - @end example --@node Enabling kTLS --@subsection Enabling kTLS --When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default. --This can be enabled by setting @code{ktls = true} in @code{[global]} section. -+@node Enabling/Disabling kTLS -+@subsection Enabling/Disabling kTLS -+When GnuTLS is build with -–enable-ktls configuration, KTLS is enabled by default. -+This can be disabled by setting @code{ktls = false} in @code{[global]} section. - - kTLS requires that the system support kTLS @ref{kTLS (Kernel TLS)}. - -diff -up ./doc/cha-features.texi.ktls_default ./doc/cha-features.texi ---- ./doc/cha-features.texi.ktls_default 2025-08-21 17:13:57.610330316 +0200 -+++ ./doc/cha-features.texi 2025-08-21 17:14:00.806352803 +0200 -@@ -21,5 +21,5 @@ The following table shows how to enable - @caption{kTLS system enable} - @end float - --To enable ktls in GnuTLS @ref{Enabling kTLS}. -+To enable ktls in GnuTLS @ref{Enabling/Disabling kTLS}. - diff --git a/gnutls-3.8.10-ktls-fix-state-transition.patch b/gnutls-3.8.10-ktls-fix-state-transition.patch deleted file mode 100644 index fc9d490..0000000 --- a/gnutls-3.8.10-ktls-fix-state-transition.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 5376a0cabf94314316005e6bf411ffcc7628b386 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 22 Jul 2025 10:49:33 +0900 -Subject: [PATCH 1/3] key_update: fix state transition in KTLS code path - -Signed-off-by: Daiki Ueno ---- - lib/record.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/record.c b/lib/record.c -index d37f79a550..ebc75addec 100644 ---- a/lib/record.c -+++ b/lib/record.c -@@ -2045,7 +2045,7 @@ ssize_t gnutls_record_send2(gnutls_session_t session, const void *data, - FALLTHROUGH; - case RECORD_SEND_KEY_UPDATE_3: - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { -- return _gnutls_ktls_send( -+ ret = _gnutls_ktls_send( - session, - session->internals.record_key_update_buffer.data, - session->internals.record_key_update_buffer --- diff --git a/gnutls.spec b/gnutls.spec index abe6bbf..4475882 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -20,10 +20,6 @@ Patch: gnutls-3.2.7-rpath.patch Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch # add tests/ktls_utils.h missing in the distribution Patch: gnutls-3.8.10-tests-ktls.patch -# Enable ktls by default -Patch: gnutls-3.8.10-ktls-enable-by-default.patch -# Fix state transition in the KTLS code path. -Patch: gnutls-3.8.10-ktls-fix-state-transition.patch # run tests/cert-test/mldsa.sh in VPATH build Patch: gnutls-3.8.10-tests-mldsa.patch From 000d285047d7fa5eebf2b159e3890882a51ef80e Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 20 Nov 2025 17:03:07 +0900 Subject: [PATCH 145/152] Update to 3.8.11 upstream release - Resolves: rhbz#2416041 Upstream tag: 3.8.11 Upstream commit: b841c70e Commit authored by Packit automation (https://packit.dev/) --- .gitignore | 3 +++ README.packit | 2 +- gnutls.spec | 11 ++++------- sources | 7 +++---- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index f859c71..1e793de 100644 --- a/.gitignore +++ b/.gitignore @@ -170,3 +170,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.8.10.tar.xz /gnutls-3.8.10.tar.xz.sig /leancrypto-1.5.0.tar.gz +/gnutls-3.8.11.tar.xz +/gnutls-3.8.11.tar.xz.sig +/leancrypto-1.6.0.tar.gz diff --git a/README.packit b/README.packit index 72e3769..2511bf4 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.102.2. +The file was generated using packit 1.12.0. diff --git a/gnutls.spec b/gnutls.spec index 4475882..c3b0d28 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,16 +12,12 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } -Version: 3.8.10 +Version: 3.8.11 Release: %{?autorelease}%{!?autorelease:1%{?dist}} Patch: gnutls-3.2.7-rpath.patch # follow https://gitlab.com/gnutls/gnutls/-/issues/1443 Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch -# add tests/ktls_utils.h missing in the distribution -Patch: gnutls-3.8.10-tests-ktls.patch -# run tests/cert-test/mldsa.sh in VPATH build -Patch: gnutls-3.8.10-tests-mldsa.patch %bcond_without bootstrap %bcond_without dane @@ -144,7 +140,7 @@ Source201: gnutls-3.8.8-tests-rsa-default.patch %endif %if %{with leancrypto} -Source300: leancrypto-1.5.0.tar.gz +Source300: leancrypto-1.6.0.tar.gz %endif # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 @@ -315,7 +311,8 @@ meson setup -Dprefix="$PWD/install" -Dlibdir="$PWD/install/lib" \ -Dx509_parser=disabled -Dx509_generator=disabled \ -Dpkcs7_parser=disabled -Dpkcs7_generator=disabled \ -Dsha2-256=disabled \ - -Dchacha20=disabled -Dchacha20_drng=disabled \ + -Daes_gcm=disabled -Daes_cbc=disabled -Daes_ctr=disabled -Daes_xts=disabled \ + -Dchacha20=disabled -Dchacha20poly1305=disabled -Dchacha20_drng=disabled \ -Ddrbg_hash=disabled -Ddrbg_hmac=disabled \ -Dhash_crypt=disabled \ -Dhmac=disabled -Dhkdf=disabled \ diff --git a/sources b/sources index 6114eb9..b7486bf 100644 --- a/sources +++ b/sources @@ -1,5 +1,4 @@ -SHA512 (gnutls-3.8.10.tar.xz) = d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92 -SHA512 (gnutls-3.8.10.tar.xz.sig) = 72d6dd2c23f768f5041c3dca0f49b3f60cd01fc960ce77f097094a2aae6d76fddeb6295c425e3750c711d5f700957a62268aecc4873e53c31abb60eecf0fd4a8 +SHA512 (gnutls-3.8.11.tar.xz) = 68f9e5bec3aa6686fd3319cc9c88a5cc44e2a75144049fc9de5fb55fef2241b4e16996af4be5dd48308abbee8cfaed6c862903f6bb89aff5dfa5410075bd7386 +SHA512 (gnutls-3.8.11.tar.xz.sig) = 90883e5736299b103844ca42b85d371969ef66b50b60cb185e814ad9978598796e9ed07a590245ff28ac6ac084b1dee93fae0845576464583a5941835990957d SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a -SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 -SHA512 (leancrypto-1.5.0.tar.gz) = 1170a502f58c9bce424578cece64a3ebf856620adc02f390b8877981bccf0c2bf35e64b1628094a06c069ec38a3be5889be22516d45d85f4e75b40085d9001c9 +SHA512 (leancrypto-1.6.0.tar.gz) = cb6ace4a1642208dd7656b62a48e99d6261f471aa7967b738057745a4534abfa11d380dd5de98a737c0c13b1e1cb37ce780e02297eefc1cf839581629d34e100 From 7441432f8caf08b73c3df007e74726a86f816fc9 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 21 Nov 2025 11:33:15 +0900 Subject: [PATCH 146/152] Minor fixes to spec file and packit configuration Signed-off-by: Daiki Ueno --- .packit.yaml | 3 +-- gnutls.spec | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index 2a7dee2..31a01eb 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -28,5 +28,4 @@ actions: jobs: - job: propose_downstream trigger: release - metadata: - dist_git_branches: fedora-all + dist_git_branches: fedora-all diff --git a/gnutls.spec b/gnutls.spec index c3b0d28..e1fa19b 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -311,7 +311,7 @@ meson setup -Dprefix="$PWD/install" -Dlibdir="$PWD/install/lib" \ -Dx509_parser=disabled -Dx509_generator=disabled \ -Dpkcs7_parser=disabled -Dpkcs7_generator=disabled \ -Dsha2-256=disabled \ - -Daes_gcm=disabled -Daes_cbc=disabled -Daes_ctr=disabled -Daes_xts=disabled \ + -Daes_gcm=disabled -Daes_cbc=disabled -Daes_ctr=disabled -Daes_xts=disabled \ -Dchacha20=disabled -Dchacha20poly1305=disabled -Dchacha20_drng=disabled \ -Ddrbg_hash=disabled -Ddrbg_hmac=disabled \ -Dhash_crypt=disabled \ @@ -332,6 +332,7 @@ export LEANCRYPTO_DIR="$PWD/bundled_leancrypto/install" export LEANCRYPTO_CFLAGS="-I$LEANCRYPTO_DIR/include" export LEANCRYPTO_LIBS="$LEANCRYPTO_DIR/lib/libleancrypto.a" +export PKG_CONFIG_PATH="$LEANCRYPTO_DIR/lib/pkgconfig" %endif %if %{with bootstrap} From 3078b09e4174f92151f3a3993d3c26e313c5fc13 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 21 Nov 2025 11:36:21 +0900 Subject: [PATCH 147/152] Enable crypto-auditing probes Signed-off-by: Daiki Ueno --- gnutls.spec | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index e1fa19b..0f37dbe 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -31,6 +31,7 @@ Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch %endif %bcond_without certificate_compression %bcond_without leancrypto +%bcond_without crypto_auditing %bcond_without tests %if 0%{?fedora} && 0%{?fedora} < 38 @@ -86,6 +87,9 @@ BuildRequires: libunistring-devel BuildRequires: net-tools, softhsm, gcc, gcc-c++ BuildRequires: gnupg2 BuildRequires: git-core +%if %{with crypto_auditing} +BuildRequires: systemtap-sdt-devel +%endif # for a sanity check on cert loading BuildRequires: p11-kit-trust, ca-certificates @@ -406,6 +410,11 @@ pushd native_build --with-leancrypto \ %else --without-leancrypto \ +%endif +%if %{with crypto_auditing} + --enable-crypto-auditing \ +%else + --disable-crypto-auditing \ %endif --disable-rpath \ --with-default-priority-string="@SYSTEM" From 9f95ff6e693753acfb40a77e48a79ab4bd37a01b Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 21 Nov 2025 16:12:20 +0900 Subject: [PATCH 148/152] Remove unnecessary PKG_CONFIG_PATH setting Signed-off-by: Daiki Ueno --- gnutls.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/gnutls.spec b/gnutls.spec index 0f37dbe..a3583a9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -336,7 +336,6 @@ export LEANCRYPTO_DIR="$PWD/bundled_leancrypto/install" export LEANCRYPTO_CFLAGS="-I$LEANCRYPTO_DIR/include" export LEANCRYPTO_LIBS="$LEANCRYPTO_DIR/lib/libleancrypto.a" -export PKG_CONFIG_PATH="$LEANCRYPTO_DIR/lib/pkgconfig" %endif %if %{with bootstrap} From c5fcada2f38bb7e2e614fa74fb088d627b819ecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 11 Jun 2025 10:46:40 +0000 Subject: [PATCH 149/152] Add missing Provides: bundled(..) for gmp & leancrypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel P. Berrangé --- gnutls.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index a3583a9..058f0fe 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -133,6 +133,7 @@ Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{ver Source2: https://gnutls.org/gnutls-release-keyring.gpg %if %{with bundled_gmp} +Provides: bundled(gmp) = 6.2.1 Source100: gmp-6.2.1.tar.xz # Taken from the main gmp package Source101: gmp-6.2.1-intel-cet.patch @@ -144,6 +145,7 @@ Source201: gnutls-3.8.8-tests-rsa-default.patch %endif %if %{with leancrypto} +Provides: bundled(leancrypto) = 1.6.0 Source300: leancrypto-1.6.0.tar.gz %endif From 98206a06fe602662410bfd0eefb90790867a4b0d Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Tue, 25 Nov 2025 10:30:02 +0100 Subject: [PATCH 150/152] Disable native assembly to work around bz2416812 --- gnutls.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnutls.spec b/gnutls.spec index 058f0fe..77883fc 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -328,7 +328,10 @@ meson setup -Dprefix="$PWD/install" -Dlibdir="$PWD/install/lib" \ -Dhotp=disabled -Dtotp=disabled \ -Daes_block=disabled -Daes_cbc=disabled -Daes_ctr=disabled \ -Daes_kw=disabled -Dapps=disabled \ + -Ddisable-asm=true \ _build +# the reason for -Ddisable-asm=true being bz2416812 +# revert once the root cause is fixed meson compile -C _build meson install -C _build From 33160d08cb92c310e71aecf7e80b8f083fadedad Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Sun, 23 Nov 2025 23:21:09 -0500 Subject: [PATCH 151/152] Drop RHEL10-specific patch The test was fixed to be FIPS-compliant: https://gitlab.com/gnutls/gnutls/-/merge_requests/1932 --- gnutls-3.8.8-tests-rsa-default.patch | 22 ---------------------- gnutls.spec | 8 -------- 2 files changed, 30 deletions(-) delete mode 100644 gnutls-3.8.8-tests-rsa-default.patch diff --git a/gnutls-3.8.8-tests-rsa-default.patch b/gnutls-3.8.8-tests-rsa-default.patch deleted file mode 100644 index 5b32f76..0000000 --- a/gnutls-3.8.8-tests-rsa-default.patch +++ /dev/null @@ -1,22 +0,0 @@ -As of RHEL 10, DEFAULT crypto policy rejects TLS ciphers with RSA key exchange: - -https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/considerations_in_adopting_rhel_10/security#security - -diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh -index 714d0af..bd141f3 100755 ---- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh -+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh -@@ -60,10 +60,10 @@ unset GNUTLS_SYSTEM_PRIORITY_FILE - unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID - - ${TEST} --if [ $? != 0 ]; then -- echo "${TEST} expected to succeed by default" -+if [ $? = 0 ]; then -+ echo "${TEST} expected to fail by default" - exit 1 - fi --echo "RSAES-PKCS1-v1_5 successfully enabled by default" -+echo "RSAES-PKCS1-v1_5 correctly failed by default" - - exit 0 diff --git a/gnutls.spec b/gnutls.spec index 77883fc..c705e2d 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -140,10 +140,6 @@ Source101: gmp-6.2.1-intel-cet.patch Source102: gmp-6.2.1-c23.patch %endif -%if 0%{?rhel} >= 10 -Source201: gnutls-3.8.8-tests-rsa-default.patch -%endif - %if %{with leancrypto} Provides: bundled(leancrypto) = 1.6.0 Source300: leancrypto-1.6.0.tar.gz @@ -281,10 +277,6 @@ patch -p1 < %{SOURCE102} popd %endif -%if 0%{?rhel} >= 10 -patch -p1 < %{SOURCE201} -%endif - %build %define _lto_cflags %{nil} From cbe66ee3a7ed9f212234affb5c13bb6db66103f0 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Tue, 25 Nov 2025 09:54:16 -0500 Subject: [PATCH 152/152] Restore gmp tarball to sources --- sources | 1 + 1 file changed, 1 insertion(+) diff --git a/sources b/sources index b7486bf..c383c9e 100644 --- a/sources +++ b/sources @@ -1,4 +1,5 @@ SHA512 (gnutls-3.8.11.tar.xz) = 68f9e5bec3aa6686fd3319cc9c88a5cc44e2a75144049fc9de5fb55fef2241b4e16996af4be5dd48308abbee8cfaed6c862903f6bb89aff5dfa5410075bd7386 SHA512 (gnutls-3.8.11.tar.xz.sig) = 90883e5736299b103844ca42b85d371969ef66b50b60cb185e814ad9978598796e9ed07a590245ff28ac6ac084b1dee93fae0845576464583a5941835990957d SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a +SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84 SHA512 (leancrypto-1.6.0.tar.gz) = cb6ace4a1642208dd7656b62a48e99d6261f471aa7967b738057745a4534abfa11d380dd5de98a737c0c13b1e1cb37ce780e02297eefc1cf839581629d34e100