Compare commits

...
Sign in to create a new pull request.

14 commits

Author SHA1 Message Date
Daiki Ueno
5aacc8cd4f Port Gnulib test fixes from upstream 2020-09-04 13:58:06 +02:00
Daiki Ueno
2d25b601bf Update to the upstream 3.6.15 release 2020-09-04 13:57:52 +02:00
Anderson Toshiyuki Sasaki
02604373b4 Fix automatic libraries soname detection
Previously, the automatic soname detection were failing when the
-Wl,--as-needed option was provided in LDFLAGS, which lead the FIPS
self-tests to fail.
2020-06-10 14:51:32 +02:00
Anderson Toshiyuki Sasaki
cf8e00c764 Fix memory leak when serializing iovec_t
Resolves: #1845083
2020-06-10 14:51:29 +02:00
Daiki Ueno
7b240b0959 Update to 3.6.14-1 2020-06-04 08:58:05 +02:00
Daiki Ueno
a5bbb28088 Update gnutls-3.6.13-superseding-chain.patch 2020-05-31 15:40:58 +02:00
Daiki Ueno
a68aefef99 Fix cert chain validation behavior if the last cert has expired (#1842178) 2020-05-31 15:23:12 +02:00
Anderson Toshiyuki Sasaki
10f6e99293 Add option to gnutls-cli to wait for resumption under TLS 1.3 2020-05-25 15:43:49 +02:00
Anderson Toshiyuki Sasaki
75c72994c6 Disable RSA blinding during FIPS self-tests
Related: rhbz#1835265
2020-05-20 15:13:56 +02:00
Anderson Toshiyuki Sasaki
ee88c45f9f Bump linked libs soname to fix FIPS self-tests
Resolves: rhbz#1835265
2020-05-13 19:04:05 +02:00
Anderson Toshiyuki Sasaki
bdd006b412 Remove gpg key from sources 2020-05-13 19:03:33 +02:00
Daiki Ueno
262cc0d561 Update to 3.6.13-1
- Update to upstream 3.6.13 release
2020-03-31 11:25:12 +02:00
Anderson Toshiyuki Sasaki
36d1e2827b Fix FIPS-140 power-on self-tests
Backport upstream FIPS-140 power-on self-tests changes.  This addresses
the bug bz#1813384.  This also includes a backport of a small fix to the
gnutls-serv application to address the issue reported in rhbz#1816583.

Resolves: #1813384, #1816583
2020-03-26 16:09:02 +01:00
Daiki Ueno
341d862ca3 Remove gpgkey file from sources
The line in the sources file causing conflict with "fedpkg local" as
the gpgkey file is already tracked in the git repository.
2020-03-25 14:10:24 +01:00
7 changed files with 304 additions and 6 deletions

8
.gitignore vendored
View file

@ -121,3 +121,11 @@ gnutls-2.10.1-nosrp.tar.bz2
/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
/gnutls-3.6.12.tar.xz.sig
/gnutls-3.6.12.tar.xz
/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
/gnutls-3.6.13.tar.xz.sig
/gnutls-3.6.13.tar.xz
/gnutls-3.6.14.tar.xz
/gnutls-3.6.14.tar.xz.sig
/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
/gnutls-3.6.15.tar.xz
/gnutls-3.6.15.tar.xz.sig

View file

@ -0,0 +1,60 @@
From b57b820a3f0464e3151dd675af4f28ad109d683c Mon Sep 17 00:00:00 2001
From: Vitezslav Cizek <vcizek@suse.com>
Date: Tue, 9 Jun 2020 13:54:04 +0200
Subject: [PATCH] configure: improve nettle, gmp, and hogweed soname detection
Some linkers might optimize away the libraries passed on the
command line if they aren't actually needed, such as gnu ld with
--as-needed.
The ldd output then won't list the shared libraries and the
detection will fail.
Make sure nettle and others are really used.
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
---
configure.ac | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index e4ca66aec..ccbe4e563 100644
--- a/configure.ac
+++ b/configure.ac
@@ -741,7 +741,10 @@ LIBS=$save_LIBS
save_LIBS=$LIBS
LIBS="$LIBS $GMP_LIBS"
AC_MSG_CHECKING([gmp soname])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
+AC_LINK_IFELSE([AC_LANG_PROGRAM([
+ #include <gmp.h>],[
+ mpz_t n;
+ mpz_init(n);])],
[gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`],
[gmp_so=none])
if test -z "$gmp_so"; then
@@ -754,7 +757,10 @@ LIBS=$save_LIBS
save_LIBS=$LIBS
LIBS="$LIBS $NETTLE_LIBS"
AC_MSG_CHECKING([nettle soname])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
+AC_LINK_IFELSE([AC_LANG_PROGRAM([
+ #include <nettle/sha2.h>],[
+ struct sha256_ctx ctx;
+ sha256_init(&ctx);])],
[nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`],
[nettle_so=none])
if test -z "$nettle_so"; then
@@ -767,7 +773,10 @@ LIBS=$save_LIBS
save_LIBS=$LIBS
LIBS="$LIBS $HOGWEED_LIBS"
AC_MSG_CHECKING([hogweed soname])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
+AC_LINK_IFELSE([AC_LANG_PROGRAM([
+ #include <nettle/rsa.h>],[
+ struct rsa_private_key priv;
+ nettle_rsa_private_key_init(&priv);])],
[hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`],
[hogweed_so=none])
if test -z "$hogweed_so"; then
--
2.25.4

View file

@ -0,0 +1,152 @@
From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 5 Jun 2020 16:26:33 +0200
Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t
The AEAD iov interface falls back to serializing the input buffers if
the low-level cipher doesn't support scatter/gather encryption.
However, there was a bug in the functions used for the serialization,
which causes memory leaks under a certain condition (i.e. the number
of input buffers is 1).
This patch makes the logic of the functions simpler, by removing a
micro-optimization that tries to minimize the number of calls to
malloc/free.
The original problem was reported by Marius Steffen in:
https://bugzilla.samba.org/show_bug.cgi?id=14399
and the cause was investigated by Alexander Haase in:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/crypto-api.c | 36 +++++++++++-------------------------
tests/aead-cipher-vec.c | 33 ++++++++++++++++++---------------
2 files changed, 29 insertions(+), 40 deletions(-)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 45be64ed1..8524f5ed4 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle,
struct iov_store_st {
void *data;
size_t size;
- unsigned allocated;
};
static void iov_store_free(struct iov_store_st *s)
{
- if (s->allocated) {
- gnutls_free(s->data);
- s->allocated = 0;
- }
+ gnutls_free(s->data);
}
static int iov_store_grow(struct iov_store_st *s, size_t length)
{
- if (s->allocated || s->data == NULL) {
- s->size += length;
- s->data = gnutls_realloc(s->data, s->size);
- if (s->data == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- s->allocated = 1;
- } else {
- void *data = s->data;
- size_t size = s->size + length;
- s->data = gnutls_malloc(size);
- memcpy(s->data, data, s->size);
- s->size += length;
- }
+ void *data;
+
+ s->size += length;
+ data = gnutls_realloc(s->data, s->size);
+ if (data == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ s->data = data;
return 0;
}
@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
memset(dst, 0, sizeof(*dst));
if (iovcnt == 0) {
return 0;
- } else if (iovcnt == 1) {
- dst->data = iov[0].iov_base;
- dst->size = iov[0].iov_len;
- /* implies: dst->allocated = 0; */
- return 0;
} else {
int i;
uint8_t *p;
@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
p = dst->data;
for (i=0;i<iovcnt;i++) {
- memcpy(p, iov[i].iov_base, iov[i].iov_len);
+ if (iov[i].iov_len > 0)
+ memcpy(p, iov[i].iov_base, iov[i].iov_len);
p += iov[i].iov_len;
}
- dst->allocated = 1;
return 0;
}
}
diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
index fba9010d9..6a30a35f7 100644
--- a/tests/aead-cipher-vec.c
+++ b/tests/aead-cipher-vec.c
@@ -49,6 +49,7 @@ static void start(const char *name, int algo)
giovec_t auth_iov[2];
uint8_t tag[64];
size_t tag_size = 0;
+ size_t i;
key.data = key16;
key.size = gnutls_cipher_get_key_size(algo);
@@ -82,21 +83,23 @@ static void start(const char *name, int algo)
if (ret < 0)
fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
- ret = gnutls_aead_cipher_encryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
- iov, 3,
- tag, &tag_size);
- if (ret < 0)
- fail("could not encrypt data: %s\n", gnutls_strerror(ret));
-
- ret = gnutls_aead_cipher_decryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
- iov, 3,
- tag, tag_size);
- if (ret < 0)
- fail("could not decrypt data: %s\n", gnutls_strerror(ret));
+ for (i = 0; i < 2; i++) {
+ ret = gnutls_aead_cipher_encryptv2(ch,
+ iv.data, iv.size,
+ auth_iov, 2,
+ iov, i + 1,
+ tag, &tag_size);
+ if (ret < 0)
+ fail("could not encrypt data: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_aead_cipher_decryptv2(ch,
+ iv.data, iv.size,
+ auth_iov, 2,
+ iov, i + 1,
+ tag, tag_size);
+ if (ret < 0)
+ fail("could not decrypt data: %s\n", gnutls_strerror(ret));
+ }
gnutls_aead_cipher_deinit(ch);
}
--
2.25.4

View file

@ -0,0 +1,46 @@
From 175e0bc72808d564074c4adcc72aeadb74adfcc6 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 27 Aug 2020 17:52:58 -0700
Subject: [PATCH] perror, strerror_r: remove unportable tests
Problem reported by Florian Weimer in:
https://lists.gnu.org/r/bug-gnulib/2020-08/msg00220.html
* tests/test-perror2.c (main):
* tests/test-strerror_r.c (main): Omit unportable tests.
---
ChangeLog | 8 ++++++++
tests/test-perror2.c | 3 ---
tests/test-strerror_r.c | 3 ---
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/gl/tests/test-perror2.c b/gl/tests/test-perror2.c
index 1d14eda7b..c6214dd25 100644
--- a/gl/tests/test-perror2.c
+++ b/gl/tests/test-perror2.c
@@ -79,9 +79,6 @@ main (void)
errno = -5;
perror ("");
ASSERT (!ferror (stderr));
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
ASSERT (STREQ (msg4, str4));
free (str1);
diff --git a/gl/tests/test-strerror_r.c b/gl/tests/test-strerror_r.c
index b11d6fd9f..c1dbcf837 100644
--- a/gl/tests/test-strerror_r.c
+++ b/gl/tests/test-strerror_r.c
@@ -165,9 +165,6 @@ main (void)
strerror_r (EACCES, buf, sizeof buf);
strerror_r (-5, buf, sizeof buf);
- ASSERT (msg1 == msg2 || msg1 == msg4 || STREQ (msg1, str1));
- ASSERT (msg2 == msg4 || STREQ (msg2, str2));
- ASSERT (msg3 == msg4 || STREQ (msg3, str3));
ASSERT (STREQ (msg4, str4));
free (str1);
--
2.26.2

View file

@ -1,8 +1,9 @@
# This spec file has been automatically updated
Version: 3.6.12
Version: 3.6.15
Release: 1%{?dist}
Patch1: gnutls-3.6.7-no-now-guile.patch
Patch2: gnutls-3.2.7-rpath.patch
Patch3: gnutls-3.6.15-gnulib-perror-tests.patch
%bcond_without dane
%if 0%{?rhel}
%bcond_with guile
@ -47,7 +48,7 @@ BuildRequires: guile22-devel
URL: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
@ -143,7 +144,6 @@ This package contains Guile bindings for the library.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
autoreconf
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@ -279,6 +279,38 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
%endif
%changelog
* Fri Sep 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.15-1
- Update to upstream 3.6.15 release
* Tue Jun 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.14-2
- Fix memory leak when serializing iovec_t (#1845083)
- Fix automatic libraries sonames detection (#1845806)
* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-1
- Update to upstream 3.6.14 release
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-6
- Update gnutls-3.6.13-superseding-chain.patch
* Sun May 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-5
- Fix cert chain validation behavior if the last cert has expired (#1842178)
* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-4
- Add option to gnutls-cli to wait for resumption under TLS 1.3
* Tue May 19 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
- Disable RSA blinding during FIPS self-tests
* Wed May 13 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
- Bump linked libraries soname to fix FIPS selftests (#1835265)
* Tue Mar 31 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
- Update to upstream 3.6.13 release
* Thu Mar 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.12-2
- Fix FIPS POST (#1813384)
- Fix gnutls-serv --echo to not exit when a message is received (#1816583)
* Sun Feb 02 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 3.6.12-1
- Update to upstream 3.6.12 release

View file

@ -1,3 +1,3 @@
SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
SHA512 (gnutls-3.6.12.tar.xz.sig) = fee2a330c047303b683824176ed2e14dba38ad22cddb548d6259bc8639e0c5dab7a1c93af84860193335271c9cb3810c046bb89b73d8c8a8cf61307108e957b5
SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5
SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c
SHA512 (gnutls-3.6.15.tar.xz.sig) = a6dbb6093fefddce4c76ce0015d1e0ff7bb712985007c5c6bd5ed6a8cd7529ab250bcbc98b70beeb9dc1b43dcfc65495c77b9abb43e690f24eb7bf0042af1f68
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173