From 3c69daab72a98e01086d79d73ff72f2551899fac Mon Sep 17 00:00:00 2001
From: basebuilder_pel7ppc64lebuilder0
Date: Sun, 31 May 2020 16:39:52 +0200
Subject: [PATCH] gnutls package update
Signed-off-by: basebuilder_pel7ppc64lebuilder0
---
...gnutls-3.3.29-bring-back-hmac-sha256.patch | 62 +
...s-3.3.29-cbc-mac-verify-ssl3-min-pad.patch | 28 +
SOURCES/gnutls-3.3.29-cli-sni-hostname.patch | 37 +
.../gnutls-3.3.29-disable-failing-tests.patch | 59 +
...3.3.29-do-not-mark-object-as-private.patch | 47 +
...3.29-do-not-run-sni-hostname-windows.patch | 20 +
...-3.3.29-dummy-wait-account-len-field.patch | 52 +
...ummy-wait-hash-same-amount-of-blocks.patch | 90 +
....3.29-fips140-fix-ecdsa-kat-selftest.patch | 70 +
...29-pkcs11-retrieve-pin-from-uri-once.patch | 82 +
...ls-3.3.29-re-enable-check-cert-write.patch | 29 +
...move-hmac-sha384-sha256-from-default.patch | 69 +
...tls-3.3.29-serv-large-key-resumption.patch | 11 +
SOURCES/gnutls-3.3.29-serv-sni-hostname.patch | 157 ++
SOURCES/gnutls-3.3.29-serv-unrec-name.patch | 41 +
SOURCES/gnutls-3.3.29-testpkcs11.patch | 1916 +++++++++++++++++
...9-tests-pkcs11-increase-RSA-gen-size.patch | 48 +
.../gnutls-3.3.29-tests-sni-hostname.patch | 88 +
SPECS/gnutls.spec | 104 +-
19 files changed, 2994 insertions(+), 16 deletions(-)
create mode 100644 SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
create mode 100644 SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
create mode 100644 SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
create mode 100644 SOURCES/gnutls-3.3.29-disable-failing-tests.patch
create mode 100644 SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
create mode 100644 SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
create mode 100644 SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
create mode 100644 SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
create mode 100644 SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
create mode 100644 SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
create mode 100644 SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
create mode 100644 SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
create mode 100644 SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
create mode 100644 SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
create mode 100644 SOURCES/gnutls-3.3.29-serv-unrec-name.patch
create mode 100644 SOURCES/gnutls-3.3.29-testpkcs11.patch
create mode 100644 SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch
create mode 100644 SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
diff --git a/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
new file mode 100644
index 00000000..1708a234
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
@@ -0,0 +1,62 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index f3e19105f..ff13d3720 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -492,6 +492,7 @@ static const int sign_priority_secure192[] = {
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ GNUTLS_MAC_MD5,
+ 0
+ };
+@@ -499,6 +500,7 @@ static const int mac_priority_normal_default[] = {
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+@@ -527,11 +529,13 @@ static const int mac_priority_suiteb192[] = {
+ static const int mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+ static const int mac_priority_secure192[] = {
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+diff --git a/tests/priorities.c b/tests/priorities.c
+index 46221fcc0..0593279de 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
+
+ void doit(void)
+ {
+- const int normal = 41;
+- const int null = 4;
+- const int sec128 = 36;
++ const int normal = 57;
++ const int null = 5;
++ const int sec128 = 52;
+
+ try_prio("NORMAL", normal, 9);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1);
+ try_prio("PERFORMANCE", normal, 9);
+- try_prio("SECURE256", 10, 4);
++ try_prio("SECURE256", 16, 4);
+ try_prio("SECURE128", sec128, 8);
+ try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
diff --git a/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
new file mode 100644
index 00000000..67fe0d1b
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
@@ -0,0 +1,28 @@
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 65dde6899..8b34472b7 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -659,7 +659,11 @@ ciphertext_to_compressed(gnutls_session_t session,
+ * Note that we access all 256 bytes of ciphertext for padding check
+ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+- if (ver->id != GNUTLS_SSL3)
++ if (ver->id == GNUTLS_SSL3) {
++ if (pad >= blocksize)
++ pad_failed = 1;
++ } else
++ {
+ for (i = 2; i <= MIN(256, ciphertext->size); i++) {
+ tmp_pad_failed |=
+ (compressed->
+@@ -667,6 +671,7 @@ ciphertext_to_compressed(gnutls_session_t session,
+ pad_failed |=
+ ((i <= (1 + pad)) & (tmp_pad_failed));
+ }
++ }
+
+ if (unlikely
+ (pad_failed != 0
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
new file mode 100644
index 00000000..5fb1f318
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
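Review bot: The four MAC priority arrays in lib/gnutls_priority.c (gnutls-3.3.29-bring-back-hmac-sha256.patch) get GNUTLS_MAC_SHA256 back with no comment on why it is placed below GNUTLS_MAC_SHA1 and GNUTLS_MAC_AEAD, or why GNUTLS_MAC_SHA384 stays out. A later reader cannot tell a deliberate ordering from an accident, and mac_priority_secure192 now offers a CBC-HMAC MAC again next to AEAD. If the intent is "available for interoperability, never preferred", say so above mac_priority_normal_default, for example `/* SHA256 is listed after AEAD on purpose: HMAC-SHA256 suites stay usable but are not preferred; HMAC-SHA384 remains disabled */`. The updated counts in tests/priorities.c (`57`, `5`, `52`, `16`) would also benefit from a short comment naming which suites account for the change.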
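Review bot: The SSL3 branch added to ciphertext_to_compressed (gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch) sets the flag through a conditional, `if (pad >= blocksize) pad_failed = 1;`, while the TLS branch beside it accumulates with `|=` so the padding check has no data-dependent branch. Writing `pad_failed |= (pad >= blocksize);` keeps the two paths consistent, although the compiler is not guaranteed to emit branch-free code for either form. A comment such as `/* SSL 3.0 padding bytes are arbitrary; only the pad length can be checked */` would explain why the byte loop is skipped. The `} else` followed by `{` on its own line and the un-reindented loop body also break the surrounding brace style. The function body continues outside the hunk.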
@@ -0,0 +1,37 @@
+diff --git a/src/cli-args.def b/src/cli-args.def
+index c661f458b..11d66ae8a 100644
+--- a/src/cli-args.def
++++ b/src/cli-args.def
+@@ -80,6 +80,13 @@ flag = {
+ doc = "Connect, establish a session and rehandshake immediately.";
+ };
+
++flag = {
++ name = sni-hostname;
++ descrip = "Server's hostname for server name indication extension";
++ arg-type = string;
++ doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used.";
++};
++
+ flag = {
+ name = starttls;
+ value = s;
+diff --git a/src/cli.c b/src/cli.c
+index 82d8e1166..f3d159a29 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -638,7 +638,10 @@ static gnutls_session_t init_tls_session(const char *hostname)
+ /* allow the use of private ciphersuites.
+ */
+ if (disable_extensions == 0 && disable_sni == 0) {
+- if (hostname != NULL && is_ip(hostname) == 0)
++ if (HAVE_OPT(SNI_HOSTNAME)) {
++ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
++ OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME)));
++ } else if (hostname != NULL && is_ip(hostname) == 0)
+ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
+ hostname, strlen(hostname));
+ }
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-disable-failing-tests.patch b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch
new file mode 100644
index 00000000..0e608915
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch
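Review bot: The return value of `gnutls_server_name_set()` is discarded in the new `HAVE_OPT(SNI_HOSTNAME)` branch of init_tls_session in src/cli.c. If the library rejects the supplied name, the session goes out without the requested SNI and the tester gets no indication that the override was not applied. The new branch also skips the `is_ip()` filter that the existing branch applies to `hostname`, so an IP literal passed to --sni-hostname is sent as a DNS name. Checking the result and warning is enough for a test tool, for example `if (gnutls_server_name_set(session, GNUTLS_NAME_DNS, OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME))) < 0)` followed by `fprintf(stderr, "Cannot set server name\n");`. The function body starts and ends outside the hunk.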
@@ -0,0 +1,59 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index e8cdcd30d..039d6cc1c 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -887,8 +887,9 @@ write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key"
+ generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
+
+-generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
+-delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
++# Disabled: generation of ECC key without login is not supported in gnutls_3_3_x
++#generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
++#delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
+
+ generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384
+@@ -911,24 +912,30 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+
+-write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++# Disabled: certificates are marked as private in gnutls_3_3_x
++#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+ write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
+ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+-write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+-test_sign "${TOKEN}" "${GNUTLS_PIN}"
++# Disabled: --load-pubkey is not supported in gnutls_3_3_x
++#write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++# Disabled: --test-sign is not supported in gnutls_3_3_x
++#test_sign "${TOKEN}" "${GNUTLS_PIN}"
+
+-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++# Disabled: Cannot test without written certificates (write_certificate_test)
++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+
+-write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+-write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+-write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++# Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
++#write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++#write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++#write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+
+ test_delete_cert "${TOKEN}" "${GNUTLS_PIN}"
+
+-test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
++# Disabled: --test-sign is not supported in gnutls_3_3_x
++#test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
+
+ if test ${RETCODE} = 0; then
+ echo "* All smart cards tests succeeded"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
new file mode 100644
index 00000000..21cdc68c
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
@@ -0,0 +1,47 @@
+diff --git a/src/p11tool.c b/src/p11tool.c
+index 2abf23a27..a6fce78e3 100644
+--- a/src/p11tool.c
++++ b/src/p11tool.c
+@@ -68,7 +68,7 @@ int main(int argc, char **argv)
+ }
+
+ static
+-unsigned opt_to_flags(void)
++unsigned opt_to_flags(common_info_st *cinfo)
+ {
+ unsigned flags = 0;
+
+@@ -78,6 +78,12 @@ unsigned opt_to_flags(void)
+ } else {
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
+ }
++ } else { /* if not given mark as private the private objects, and public the public ones */
++ if (cinfo->privkey)
++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
++ else if (cinfo->pubkey || cinfo->cert)
++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
++ /* else set the defaults of the token */
+ }
+
+ if (ENABLED_OPT(MARK_TRUSTED))
+@@ -166,8 +172,6 @@ static void cmd_parser(int argc, char **argv)
+
+ memset(&cinfo, 0, sizeof(cinfo));
+
+- flags = opt_to_flags();
+-
+ if (HAVE_OPT(SECRET_KEY))
+ cinfo.secret_key = OPT_ARG(SECRET_KEY);
+
+@@ -227,6 +231,8 @@ static void cmd_parser(int argc, char **argv)
+ sec_param = OPT_ARG(SEC_PARAM);
+ }
+
++ flags = opt_to_flags(&cinfo);
++
+ if (debug > 4) {
+ if (HAVE_OPT(MARK_PRIVATE))
+ fprintf(stderr, "Private: %s\n",
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
new file mode 100644
index 00000000..08a35ae6
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
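Review bot: The new default in opt_to_flags() picks one marking for the whole invocation, and `cinfo->privkey` takes precedence over `cinfo->pubkey || cinfo->cert`. When a private key and a certificate are loaded together, `flags` therefore carries GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE. If cmd_parser passes that single value to the write of both objects (the write path is outside the hunk), the certificate is still stored as private, which is the case the patch title sets out to avoid. Either derive the flag per object at the point of writing, or document that the default only applies when a single object type is loaded. The moved call also creates an ordering dependency worth a comment, for example `/* must run after cinfo is filled in: the default marking depends on which objects were loaded */`.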
@@ -0,0 +1,20 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d249d405f..6dc63758d 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -156,7 +156,11 @@ endif
+ endif
+
+ check_PROGRAMS = $(ctests)
+-dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh
++dist_check_SCRIPTS = rfc2253-escape-test
++
++if !WINDOWS
++dist_check_SCRIPTS += sni-hostname.sh
++endif
+
+ TESTS = $(ctests) $(dist_check_SCRIPTS)
+
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
new file mode 100644
index 00000000..7a60fe4f
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
@@ -0,0 +1,52 @@
+diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
+index 0527ca4f1..a39acd49f 100644
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
+ {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
+ 64},
+ {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1,
+ 64},
+ {"UMAC-96", NULL, NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0},
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 58ce79775..37478a4c3 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -440,7 +440,7 @@ static void dummy_wait(record_parameters_st * params,
+ {
+ /* this hack is only needed on CBC ciphers */
+ if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
+- unsigned len;
++ unsigned len, v;
+
+ /* force an additional hash compression function evaluation to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+@@ -448,11 +448,14 @@ static void dummy_wait(record_parameters_st * params,
+ if (pad_failed == 0 && pad > 0) {
+ len = _gnutls_mac_block_size(params->mac);
+ if (len > 0) {
+- /* This is really specific to the current hash functions.
+- * It should be removed once a protocol fix is in place.
+- */
+- if ((pad + total) % len > len - 9
+- && total % len <= len - 9) {
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if ((pad + total) % len > len - v
++ && total % len <= len - v) {
+ if (len < plaintext->size)
+ _gnutls_auth_cipher_add_auth
+ (¶ms->read.
+--
+2.14.3
+
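Review bot: The new `v` selection in dummy_wait special-cases only GNUTLS_MAC_SHA384, although the same patch raises the block size of both SHA384 and SHA512 to 128 in hash_algorithms[]. SHA-512 also appends a 16-byte length field, so with that MAC the else branch would use `v = 9` and the timing compensation would count the wrong number of compression-function calls. Keying the choice on the block size covers both and drops the dependency on the MAC id: `v = (len == 128) ? 17 : 9;`. Whether SHA512 can actually be negotiated as a record MAC is not visible in this hunk. The same if/else is carried unchanged into the rewritten dummy_wait in gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch, where the test would be on `hash_block`. The body of dummy_wait continues outside the hunk.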
diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
new file mode 100644
index 00000000..9044547a
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
@@ -0,0 +1,90 @@
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 37478a4c3..65dde6899 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session,
+ return length;
+ }
+
+-static void dummy_wait(record_parameters_st * params,
+- gnutls_datum_t * plaintext, unsigned pad_failed,
+- unsigned int pad, unsigned total)
++static void dummy_wait(record_parameters_st *params,
++ gnutls_datum_t *plaintext,
++ unsigned int mac_data, unsigned int max_mac_data)
+ {
+ /* this hack is only needed on CBC ciphers */
+ if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
+- unsigned len, v;
++ unsigned v;
++ unsigned int tag_size =
++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
++ unsigned hash_block = _gnutls_mac_block_size(params->mac);
+
+- /* force an additional hash compression function evaluation to prevent timing
++ /* force additional hash compression function evaluations to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+ */
+- if (pad_failed == 0 && pad > 0) {
+- len = _gnutls_mac_block_size(params->mac);
+- if (len > 0) {
+- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+- /* v = 1 for the hash function padding + 16 for message length */
+- v = 17;
+- else /* v = 1 for the hash function padding + 8 for message length */
+- v = 9;
+-
+- if ((pad + total) % len > len - v
+- && total % len <= len - v) {
+- if (len < plaintext->size)
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data, len);
+- else
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data,
+- plaintext->size);
+- }
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if (hash_block > 0) {
++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
++ unsigned to_hash;
++
++ max_blocks -= hashed_blocks;
++ if (max_blocks < 1)
++ return;
++
++ to_hash = max_blocks * hash_block;
++ if ((unsigned)to_hash+1+tag_size < plaintext->size) {
++ _gnutls_auth_cipher_add_auth
++ (¶ms->read.cipher_state,
++ plaintext->data+plaintext->size-tag_size-to_hash-1,
++ to_hash);
+ }
+ }
+ }
+@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session,
+ if (unlikely
+ (memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ /* HMAC was not the same. */
+- dummy_wait(params, compressed, pad_failed, pad,
+- length + preamble_size);
++ gnutls_datum_t data = {compressed->data, ciphertext->size};
++
++ dummy_wait(params, &data, length + preamble_size,
++ preamble_size + ciphertext->size - tag_size - 1);
+
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ }
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
new file mode 100644
index 00000000..02be442f
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
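Review bot: The rewritten dummy_wait takes `mac_data` and `max_mac_data` with no description, and the only hint to their meaning is the call-site arithmetic `preamble_size + ciphertext->size - tag_size - 1`. This is timing-countermeasure code where an off-by-one changes the number of compression-function calls, so the contract should be written down. A header comment should state that `mac_data` is the number of bytes actually fed to the MAC, that `max_mac_data` is the number that would have been fed with minimal padding, and that the function hashes the block difference over the tail of `plaintext`. It should also say that nothing is hashed when `to_hash+1+tag_size` is not smaller than `plaintext->size`, and why that case is acceptable. The `(unsigned)` cast on `to_hash` is redundant because it is already declared `unsigned`, while `max_blocks` and `hashed_blocks` are `int` results of unsigned expressions; a short note on the intended signedness would help.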
@@ -0,0 +1,70 @@
+--- a/lib/crypto-selftests-pk.c 2019-02-06 14:49:44.807422315 +0100
++++ b/lib/crypto-selftests-pk.c 2019-02-06 14:56:40.311049707 +0100
+@@ -731,30 +731,9 @@
+ goto cleanup;
+ }
+
+- if (all == 0)
+- return 0;
+ #endif
+
+ /* Test ECDSA */
+-#ifdef ENABLE_NON_SUITEB_CURVES
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
+- ecdsa_secp192r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256);
+-
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
+- ecdsa_secp224r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256);
+-#endif
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP256R1),
+@@ -764,6 +743,9 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
+ GNUTLS_DIG_SHA256);
+
++ if (all == 0)
++ return 0;
++
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP384R1),
+@@ -782,6 +764,26 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
+ GNUTLS_DIG_SHA512);
+
++#ifdef ENABLE_NON_SUITEB_CURVES
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
++ ecdsa_secp192r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256);
++
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
++ ecdsa_secp224r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256);
++#endif
++
+ break;
+
+ default:
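Review bot: The relocated `if (all == 0) return 0;` in lib/crypto-selftests-pk.c has no comment saying that it is the boundary between the reduced self-test and the full one. Its position is the whole point of the patch: the early return now sits after the SECP256R1 known-answer and pairwise tests rather than before every ECDSA test, and the optional 192/224-bit curves move behind it. A comment above it would keep a later reorder from silently dropping ECDSA from the reduced run, for example `/* reduced self-test stops here: one ECDSA KAT (P-256) has run; the remaining curves are checked only when all != 0 */`. The early return is inside a switch case whose start and end are outside the hunk, so whether it needs to go through the `cleanup` label used just above cannot be confirmed from here.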
diff --git a/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
new file mode 100644
index 00000000..11087f4b
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
@@ -0,0 +1,82 @@
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 4fdd58f39..68ee2960a 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -2368,6 +2368,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ /* First check for pin-value field */
+ pinfile = p11_kit_uri_get_pin_value(info);
+ if (pinfile != NULL) {
++ if (attempts > 0) {
++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
++ }
++
+ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
+ *pin = p11_kit_pin_new_for_string(pinfile);
+ if (*pin != NULL)
+@@ -2376,6 +2381,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ /* Check if a pinfile is specified, and use that if possible */
+ pinfile = p11_kit_uri_get_pin_source(info);
+ if (pinfile != NULL) {
++ if (attempts > 0) {
++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
++ }
++
+ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
+ ret =
+ retrieve_pin_from_source(pinfile, token_info, attempts,
+diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
+index e43591927..ecc98175d 100644
+--- a/tests/pkcs11/pkcs11-import-with-pin.c
++++ b/tests/pkcs11/pkcs11-import-with-pin.c
+@@ -157,6 +157,16 @@ void doit()
+ assert(gnutls_privkey_init(&pkey) == 0);
+
+ /* Test 1
++ * Try importing with wrong pin-value */
++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
++ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++ exit(1);
++ }
++ gnutls_privkey_deinit(pkey);
++ assert(gnutls_privkey_init(&pkey) == 0);
++
++ /* Test 2
+ * Try importing with pin-value */
+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
+ if (ret < 0) {
+@@ -169,13 +179,26 @@ void doit()
+ gnutls_free(sig.data);
+ gnutls_privkey_deinit(pkey);
+
+- /* Test 2
+- * Try importing with pin-source */
++ /* Test 3
++ * Try importing with wrong pin-source */
+ track_temp_files();
+ get_tmpname(file);
+
+- write_pin(file, PIN);
++ write_pin(file, "XXXX");
++
++ assert(gnutls_privkey_init(&pkey) == 0);
++ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
++ ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++ exit(1);
++ }
++
++ gnutls_privkey_deinit(pkey);
+
++ /* Test 4
++ * Try importing with pin-source */
++ write_pin(file, PIN);
+
+ assert(gnutls_privkey_init(&pkey) == 0);
+ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
new file mode 100644
index 00000000..21f5c003
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
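Review bot: The two `attempts > 0` guards added to retrieve_pin in lib/pkcs11.c say what they refuse but not why, and the reason is the security-relevant part. A PIN taken from `pin-value` or `pin-source` is static, so retrying it cannot succeed and only uses up the token's PIN retry counter. A comment above each guard would record that, for example `/* a PIN supplied through the URI cannot change between attempts; retrying it would only consume the token's retry counter */`. The debug text "refusing more than a single attempts" should read "refusing more than a single attempt". The new tests for a wrong pin-value and a wrong pin-source each spend one failed login on the token, which is harmless on the SoftHSM instance used here but worth a remark for anyone pointing the test at a real device. retrieve_pin's body starts and ends outside the hunks.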
@@ -0,0 +1,29 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 039d6cc1c..7c2776760 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -912,8 +912,7 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: certificates are marked as private in gnutls_3_3_x
+-#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+ write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
+ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+@@ -923,9 +922,8 @@ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.cr
+ # Disabled: --test-sign is not supported in gnutls_3_3_x
+ #test_sign "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: Cannot test without written certificates (write_certificate_test)
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+
+ # Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
+ #write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
new file mode 100644
index 00000000..21c7c8dc
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
@@ -0,0 +1,69 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index c5998abe6..f3e19105f 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -491,8 +491,6 @@ static const int sign_priority_secure192[] = {
+
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_MD5,
+ 0
+@@ -500,8 +498,6 @@ static const int mac_priority_normal_default[] = {
+
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+@@ -530,15 +526,11 @@ static const int mac_priority_suiteb192[] = {
+
+ static const int mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+
+ static const int mac_priority_secure192[] = {
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+diff --git a/tests/priorities.c b/tests/priorities.c
+index f22b08b62..46221fcc0 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
+
+ void doit(void)
+ {
+- const int normal = 61;
+- const int null = 5;
+- const int sec128 = 56;
++ const int normal = 41;
++ const int null = 4;
++ const int sec128 = 36;
+
+ try_prio("NORMAL", normal, 9);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
+ try_prio("PERFORMANCE", normal, 9);
+- try_prio("SECURE256", 20, 4);
++ try_prio("SECURE256", 10, 4);
+ try_prio("SECURE128", sec128, 8);
+ try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
new file mode 100644
index 00000000..63d1f7b4
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
@@ -0,0 +1,11 @@
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1734,7 +1734,7 @@
+ /* session resuming support */
+
+ #define SESSION_ID_SIZE 32
+-#define SESSION_DATA_SIZE 1024
++#define SESSION_DATA_SIZE (16*1024)
+
+ typedef struct {
+ char session_id[SESSION_ID_SIZE];
diff --git a/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
new file mode 100644
index 00000000..27227900
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
@@ -0,0 +1,157 @@
+diff --git a/src/serv-args.def b/src/serv-args.def
+index 44b67f1ab..027737772 100644
+--- a/src/serv-args.def
++++ b/src/serv-args.def
+@@ -8,6 +8,19 @@ detail = "Server program that listens to incoming TLS connections.";
+
+ #include args-std.def
+
++flag = {
++ name = sni-hostname;
++ descrip = "Server's hostname for server name extension";
++ arg-type = string;
++ doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
++};
++
++flag = {
++ name = sni-hostname-fatal;
++ descrip = "Send fatal alert on sni-hostname mismatch";
++ doc = "";
++};
++
+ flag = {
+ name = noticket;
+ descrip = "Don't accept session tickets";
+diff --git a/src/serv.c b/src/serv.c
+index a1f9adfa8..f5ff48786 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -49,6 +49,8 @@
+ #include "sockets.h"
+ #include "udp-serv.h"
+
++#define _GNUTLS_E_UNRECOGNIZED_NAME -294
++
+ /* konqueror cannot handle sending the page in multiple
+ * pieces.
+ */
+@@ -81,6 +83,8 @@ const char *dh_params_file = NULL;
+ const char *x509_crlfile = NULL;
+ const char *priorities = NULL;
+ const char *status_response_ocsp = NULL;
++const char *sni_hostname = NULL;
++int sni_hostname_fatal = 0;
+
+ gnutls_datum_t session_ticket_key;
+ static void tcp_server(const char *name, int port);
+@@ -312,6 +316,83 @@ int ret;
+ return 0;
+ }
+
++/* callback used to verify if the host name advertised in client hello matches
++ * the one configured in server
++ */
++static int
++post_client_hello(gnutls_session_t session)
++{
++ int ret;
++ /* DNS names (only type supported) may be at most 256 byte long */
++ char *name;
++ size_t len = 256;
++ unsigned int type;
++ int i;
++
++ name = malloc(len);
++ if (name == NULL)
++ return GNUTLS_E_MEMORY_ERROR;
++
++ for (i=0; ; ) {
++ ret = gnutls_server_name_get(session, name, &len, &type, i);
++ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
++ char *new_name;
++ new_name = realloc(name, len);
++ if (new_name == NULL) {
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto end;
++ }
++ name = new_name;
++ continue; /* retry call with same index */
++ }
++
++ /* check if it is the last entry in list */
++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ i++;
++ if (ret != GNUTLS_E_SUCCESS)
++ goto end;
++ /* unknown types need to be ignored */
++ if (type != GNUTLS_NAME_DNS)
++ continue;
++
++ if (strlen(sni_hostname) != len)
++ continue;
++ /* API guarantees that the name of type DNS will be null terminated */
++ if (!strncmp(name, sni_hostname, len)) {
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++ };
++ /* when there is no extension, we can't send the extension specific alert */
++ if (i == 0) {
++ fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++
++ if (sni_hostname_fatal == 1) {
++ /* abort the connection, propagate error up the stack */
++ ret = _GNUTLS_E_UNRECOGNIZED_NAME;
++ goto end;
++ }
++
++ fprintf(stderr, "Warning: client provided unrecognized host name\n");
++ /* since we just want to send an alert, not abort the connection, we
++ * need to send it ourselves
++ */
++ do {
++ ret = gnutls_alert_send(session,
++ GNUTLS_AL_WARNING,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
++
++ /* continue handshake, fall through */
++end:
++ free(name);
++ return ret;
++}
++
+ gnutls_session_t initialize_session(int dtls)
+ {
+ gnutls_session_t session;
+@@ -343,6 +424,10 @@ gnutls_session_t initialize_session(int dtls)
+ &session_ticket_key);
+ #endif
+
++ if (sni_hostname != NULL)
++ gnutls_handshake_set_post_client_hello_function(session,
++ &post_client_hello);
++
+ if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
+ fprintf(stderr, "Syntax error at: %s\n", err);
+ exit(1);
+@@ -1629,6 +1714,12 @@ static void cmd_parser(int argc, char **argv)
+ if (HAVE_OPT(OCSP_RESPONSE))
+ status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
+
++ if (HAVE_OPT(SNI_HOSTNAME))
++ sni_hostname = OPT_ARG(SNI_HOSTNAME);
++
++ if (HAVE_OPT(SNI_HOSTNAME_FATAL))
++ sni_hostname_fatal = 1;
++
+ }
+
+ /* session resuming support */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-unrec-name.patch b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
new file mode 100644
index 00000000..6991d666
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
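Review bot: The host-name match in post_client_hello (src/serv.c) is case-sensitive because it uses `strncmp(name, sni_hostname, len)`, while DNS host names in the server_name extension are meant to be compared case-insensitively. A client that sends the configured name in a different case would get unrecognized_name, and a dropped handshake when --sni-hostname-fatal is set. Unless gnutls_server_name_get() already normalises case (not visible here), `if (!strncasecmp(name, sni_hostname, len)) {` with `<strings.h>` included matches the protocol. Separately, `len` is reused as the in/out size, so after a successful call the next index is queried with the previous name's length as the buffer size; this stays within the allocation but forces needless reallocs, and a separate capacity variable restored before each call would be clearer. The macro at the top of the file would be safer parenthesised, `#define _GNUTLS_E_UNRECOGNIZED_NAME (-294)`.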
@@ -0,0 +1,41 @@
+diff --git a/src/serv.c b/src/serv.c
+index f5ff48786..8c7c92a92 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1278,6 +1278,15 @@ int main(int argc, char **argv)
+ return 0;
+ }
+
++int _gnutls_alert_send_appropriate (gnutls_session_t session, int err)
++{
++ if (err == _GNUTLS_E_UNRECOGNIZED_NAME)
++ return gnutls_alert_send(session,
++ GNUTLS_AL_FATAL,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ return gnutls_alert_send_appropriate(session, err);
++}
++
+ static void retry_handshake(listener_item *j)
+ {
+ int r, ret;
+@@ -1293,7 +1302,7 @@ static void retry_handshake(listener_item *j)
+ GERR(r);
+
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ } else if (r == 0) {
+ if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
+@@ -1326,7 +1335,7 @@ int r, ret;
+
+ if (r < 0) {
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ GERR(r);
+ j->http_state = HTTP_STATE_CLOSING;
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-testpkcs11.patch b/SOURCES/gnutls-3.3.29-testpkcs11.patch
new file mode 100644
index 00000000..e98f53fc
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-testpkcs11.patch
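Review bot: `_gnutls_alert_send_appropriate` is defined in src/serv.c without `static`, and its name begins with an underscore at file scope, which C reserves for the implementation; it also reads like a library-internal GnuTLS symbol rather than a helper of the server tool. Both visible callers are in the same file, so declare it `static int serv_alert_send_appropriate(gnutls_session_t session, int err)` (any tool-local name will do) and update the two call sites in the hunks at `-1293,7` and `-1326,7`. A one-line comment above it, `/* like gnutls_alert_send_appropriate(), but maps the tool's private unrecognized-name error to a fatal unrecognized_name alert */`, would explain why the wrapper exists.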
@@ -0,0 +1,1916 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 6dc63758d..e0d86abfd 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -36,7 +36,13 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ + certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ + certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ + certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ +- cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c ++ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c \ ++ testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ ++ testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \ ++ testpkcs11-certs/client.key testpkcs11-certs/server.crt \ ++ testpkcs11-certs/server-tmpl testpkcs11-certs/ca.key \ ++ testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl \ ++ testpkcs11-certs/server.key + + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = \ +@@ -160,6 +166,9 @@ dist_check_SCRIPTS = rfc2253-escape-test + + if !WINDOWS + dist_check_SCRIPTS += sni-hostname.sh ++if ENABLE_PKCS11 ++dist_check_SCRIPTS += testpkcs11.sh ++endif + endif + + TESTS = $(ctests) $(dist_check_SCRIPTS) +diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh +index 9c9c3fb3a..4615770f6 100644 +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -19,11 +19,61 @@ + # along with this file; if not, write to the Free Software Foundation, + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +-# due to the use of $RANDOM, this script requires bash ++export TZ="UTC" ++ ++# Check for a utility to list ports. Both ss and netstat will list ++# ports for normal users, and have similar semantics, so put the ++# command in the caller's PFCMD, or exit, indicating an unsupported ++# test. Prefer ss from iproute2 over the older netstat. 
++have_port_finder() { ++ for file in $(which ss 2> /dev/null) /*bin/ss /usr/*bin/ss /usr/local/*bin/ss;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ ++ if test -z "$PFCMD";then ++ for file in $(which netstat 2> /dev/null) /bin/netstat /usr/bin/netstat /usr/local/bin/netstat;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ fi ++ ++ if test -z "$PFCMD";then ++ echo "neither ss nor netstat found" ++ exit 1 ++ fi ++} ++ ++check_if_port_in_use() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -an|grep "[\:\.]$PORT" >/dev/null 2>&1 ++} ++ ++check_if_port_listening() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++} + +-GETPORT='rc=0;while test $rc = 0;do PORT="$(((($$<<15)|RANDOM) % 63001 + 2000))"; +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1; +- rc=$?;done;' ++# Find a port number not currently in use. ++GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//) ++ while test $rc = 0;do ++ PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))" ++ check_if_port_in_use $PORT;rc=$? ++ done ++' ++ ++check_for_datefudge() { ++ TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true` ++ if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then ++ echo $TSTAMP ++ echo "You need datefudge to run this test" ++ exit 77 ++ fi ++} + + fail() { + PID="$1" +@@ -33,6 +83,30 @@ fail() { + exit 1 + } + ++exit_if_non_x86() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Architecture|grep x86 ++ if test $? != 0;then ++ echo "non-x86 CPU detected" ++ exit 0 ++ fi ++fi ++} ++ ++exit_if_non_padlock() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Flags|grep phe ++ if test $? 
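Review bot: `have_port_finder` in tests/scripts/common.sh ends with `exit 1` when neither `ss` nor `netstat` is found, while the comment above it says the exit indicates an unsupported test and `check_for_datefudge` in the same hunk uses `exit 77` for a missing tool. As written, a test that calls these helpers on a host without either utility fails instead of being skipped; change the line to `exit 77`. The function also hands its result back through the caller's `local PFCMD`, which deserves a comment such as `# sets PFCMD in the caller's scope; the caller must declare it local first`.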
!= 0;then ++ echo "non-Via padlock CPU detected" ++ exit 0 ++ fi ++fi ++} ++ + wait_for_port() + { + local ret +@@ -40,10 +114,10 @@ wait_for_port() + sleep 4 + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++ check_if_port_listening ${PORT} + ret=$? + if test $ret != 0;then +- netstat -anl|grep "[\:\.]$PORT" ++ check_if_port_in_use ${PORT} + echo try $i + sleep 2 + else +@@ -59,7 +133,7 @@ wait_for_free_port() + local PORT="$1" + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1 ++ check_if_port_in_use ${PORT} + ret=$? + if test $ret != 0;then + break +@@ -75,7 +149,7 @@ launch_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 & ++ ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null & + } + + launch_pkcs11_server() { +@@ -94,7 +168,7 @@ launch_bare_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} $* >/dev/null 2>&1 & ++ ${SERV} $* >/dev/null & + } + + wait_server() { +@@ -114,3 +188,10 @@ wait_udp_server() { + sleep 4 + } + ++if test -x /usr/bin/lockfile-create;then ++LOCKFILE="lockfile-create global" ++UNLOCKFILE="lockfile-remove global" ++else ++LOCKFILE="lockfile global.lock" ++UNLOCKFILE="rm -f global.lock" ++fi +diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am +index 794a4bace..dae42a7ef 100644 +--- a/tests/suite/Makefile.am ++++ b/tests/suite/Makefile.am +@@ -86,11 +86,10 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \ + + + nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \ +- testpkcs11 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ + testrng test-ciphersuite-names + + TESTS = test-ciphersuite-names eagain testsrn testcompat chain invalid-cert \ +- testpkcs11 testrng test-ciphersuite-names ++ testrng test-ciphersuite-names + + if ENABLE_PKCS11 + TESTS += crl-test +diff --git a/tests/testpkcs11-certs/ca-tmpl b/tests/testpkcs11-certs/ca-tmpl +new file mode 100644 
+index 000000000..5bf462d1e +--- /dev/null ++++ b/tests/testpkcs11-certs/ca-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=CA,C=CZ" ++ ++# The serial number of the certificate ++serial = 1 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. ++crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/ca.crt b/tests/testpkcs11-certs/ca.crt +new file mode 100644 +index 000000000..e39ee41f7 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.crt +@@ -0,0 +1,15 @@ ++-----BEGIN CERTIFICATE----- ++MIICUjCCAbugAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI0NTRaGA8yMDIwMTIxMzA4MjQ1NFow ++GjELMAkGA1UEAxMCQ0ExCzAJBgNVBAYTAkNaMIGfMA0GCSqGSIb3DQEBAQUAA4GN ++ADCBiQKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijfjS88 ++4kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qGeOAu ++R+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQABo4Gj ++MIGgMA8GA1UdEwEB/wQFMAMBAf8wGAYDVR0RBBEwD4ENbm9uZUBub25lLm9yZzAT ++BgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQS ++DtpREkBWrvQcbcyhsD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3 ++LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBzRzkYVGhl0ltc ++iVvXModMh9cb1TcUrc2nhfEh63u5ZF1/8MJPaMMLw3FZmGc5B8lNYOoWiSqK/Ark ++iO9chPwqRKWY8n52USgGDcUNRxbwCa2vOQg9cdSWIcdt18W5mtJ3hz+CDaT8ZH8t ++sVW/i5eG6O7o3rZGSwbcC1pgIWZqCw== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/ca.key b/tests/testpkcs11-certs/ca.key +new file mode 100644 +index 000000000..62f5bfae3 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a8:a2:6a:fe:92:24:6d:c7:ef:dd:a0:5d:85:45: ++ 23:b1:a8:1b:ae:2d:b7:29:2b:92:b0:c6:d6:24:f3: ++ 62:fc:31:0c:f3:26:28:df:8d:2f:3c:e2:40:a2:8e: ++ 54:7a:76:a0:f4:a0:34:bb:d2:78:0d:a2:08:36:b8: ++ 88:27:d5:27:cb:4d:38:17:c3:fb:fa:c3:f9:cc:9c: ++ c2:18:67:e7:8f:ac:5e:56:0f:5a:86:78:e0:2e:47: ++ ea:ad:b3:86:38:ad:f6:fd:61:bf:2c:5c:83:dd:ba: ++ 2e:c7:7a:5a:a2:98:96:95:78:cc:40:60:9b:2a:44: ++ 14:a2:c4:34:a9:61:b9:04:87: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 08:f8:4a:b4:ab:d5:60:39:88:5a:c3:92:f5:e9:cd: ++ 92:3f:9c:e9:50:e9:33:39:6c:1e:17:15:80:f5:a9: ++ 
48:3c:db:b1:7b:50:25:43:ff:45:3f:cb:ac:59:e1: ++ c8:79:d2:e9:f0:33:9d:e1:fe:1c:cb:87:a0:51:84: ++ 7c:89:ec:09:e0:3d:c9:df:ca:43:d9:c1:79:3c:47: ++ f7:8e:71:bf:a5:6e:11:87:0d:d9:2e:5a:5d:a0:d3: ++ ba:5b:9c:23:db:33:54:5f:a2:2f:db:28:05:9d:07: ++ a4:d4:76:0e:ef:d1:f9:c3:f9:21:01:ad:06:4c:9d: ++ 59:14:09:37:91:df:86:01: ++ ++prime1: ++ 00:d6:e8:07:49:7f:a6:6a:d7:f3:76:84:4b:a9:cb: ++ 91:66:8a:c8:07:54:29:25:1d:e4:70:dd:2c:fd:ff: ++ dc:c6:0c:24:75:4f:a0:ca:82:e2:b6:3b:8b:f0:7b: ++ 37:c3:97:be:6c:b3:5f:91:a6:c0:56:48:aa:aa:3a: ++ d9:12:24:b7:81: ++ ++prime2: ++ 00:c8:e1:50:40:9b:7e:34:9c:44:88:1e:16:4b:bf: ++ 04:0f:a6:b0:2b:9d:2f:a2:84:29:96:54:35:69:68: ++ 6f:a2:a7:2b:8a:de:e9:9e:0e:6f:b3:cf:d8:af:68: ++ 33:52:a6:e4:b5:d1:21:d0:6b:d2:d2:a6:af:97:62: ++ 44:fe:b8:00:07: ++ ++coefficient: ++ 75:16:b8:48:0b:61:9a:a9:78:b1:72:93:94:51:54: ++ c1:07:69:b8:b1:dc:61:4a:f5:ef:b7:9c:f5:07:74: ++ 0d:8e:1a:a2:51:ea:00:91:ef:05:75:42:53:4d:6a: ++ e3:f5:de:07:a5:55:5f:8b:37:58:55:2b:43:ef:b2: ++ d0:38:a8:89: ++ ++exp1: ++ 00:c9:b9:60:e5:b7:e1:b1:56:e5:dc:70:d0:49:20: ++ a1:6a:3c:89:08:80:12:63:19:cd:0d:b8:3e:fc:69: ++ 48:85:ca:6e:0a:83:e5:2d:52:70:96:98:0c:82:7e: ++ 56:d8:cd:3e:5c:f0:7e:9b:cc:87:ac:36:67:a4:84: ++ ba:af:92:31:81: ++ ++exp2: ++ 65:0a:d8:78:36:fe:8b:6e:13:16:b8:b3:94:54:37: ++ b1:bb:b1:9f:ae:88:18:62:0c:1d:1e:ac:63:21:f2: ++ 0d:49:b3:20:3e:32:1a:9b:be:5a:1e:f1:2a:81:ea: ++ 56:e7:b5:e1:32:99:a4:a1:a7:c0:e7:b1:29:1f:77: ++ fe:fc:04:9f: ++ ++ ++Public Key ID: 12:0E:DA:51:12:40:56:AE:F4:1C:6D:CC:A1:B0:3D:28:61:7E:33:01 ++Public key's random art: +++--[ RSA 1024]----+ ++|.E*++.o | ++|oo *.B . | ++|..++O * | ++| o.*oB . | ++| o + o S | ++| . 
| ++| | ++| | ++| | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijf ++jS884kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qG ++eOAuR+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQAB ++AoGACPhKtKvVYDmIWsOS9enNkj+c6VDpMzlsHhcVgPWpSDzbsXtQJUP/RT/LrFnh ++yHnS6fAzneH+HMuHoFGEfInsCeA9yd/KQ9nBeTxH945xv6VuEYcN2S5aXaDTuluc ++I9szVF+iL9soBZ0HpNR2Du/R+cP5IQGtBkydWRQJN5HfhgECQQDW6AdJf6Zq1/N2 ++hEupy5FmisgHVCklHeRw3Sz9/9zGDCR1T6DKguK2O4vwezfDl75ss1+RpsBWSKqq ++OtkSJLeBAkEAyOFQQJt+NJxEiB4WS78ED6awK50vooQpllQ1aWhvoqcrit7png5v ++s8/Yr2gzUqbktdEh0GvS0qavl2JE/rgABwJBAMm5YOW34bFW5dxw0EkgoWo8iQiA ++EmMZzQ24PvxpSIXKbgqD5S1ScJaYDIJ+VtjNPlzwfpvMh6w2Z6SEuq+SMYECQGUK ++2Hg2/otuExa4s5RUN7G7sZ+uiBhiDB0erGMh8g1JsyA+Mhqbvloe8SqB6lbnteEy ++maShp8DnsSkfd/78BJ8CQHUWuEgLYZqpeLFyk5RRVMEHabix3GFK9e+3nPUHdA2O ++GqJR6gCR7wV1QlNNauP13gelVV+LN1hVK0PvstA4qIk= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/client-tmpl b/tests/testpkcs11-certs/client-tmpl +new file mode 100644 +index 000000000..a22eef84b +--- /dev/null ++++ b/tests/testpkcs11-certs/client-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Client,C=CZ" ++ ++# The serial number of the certificate ++serial = 3 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/client.crt b/tests/testpkcs11-certs/client.crt +new file mode 100644 +index 000000000..6f75590d2 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdDCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MjdaGA8yMDIwMTIxMzA4MjUyN1ow ++HjEPMA0GA1UEAxMGQ2xpZW50MQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEAvQRIzvKyhr3tqmB4Pe+91DWSFayaNtcrDIT597bhxugVYW8o ++jB206kx5aknAMA3PQGYcGqkLrt+nsJcmOIXDZsC6P4zeOSsF1PPhDAoX3bkUr2lF ++MEt374eKdg1yvyhRxt4DOR6aD4gkC7fVtaYdgV6yXpJGMHV05LBIgQ7QtykCAwEA ++AaOBwTCBvjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1Ud ++EQQRMA+BDW5vbmVAbm9uZS5vcmcwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU ++Dbinh11GaaJcTyOpmxPYuttsiGowHwYDVR0jBBgwFoAUEg7aURJAVq70HG3MobA9 ++KGF+MwEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl ++dGNybC8wDQYJKoZIhvcNAQELBQADgYEAN/Henso+5zzuFQWTpJXlUsWtRQAFhRY3 ++WVt3xtnyPs4pF/LKBp3Ov0GLGBkz5YlyJGFNESSyUviMsH7g7rJM8i7Bph6BQTE9 ++XdqbZPc0opfms4EHjmlXj5HQ0f0yoxHnLk43CR+vmbn0JPuurnEKAwjznAJR8GxI ++R2MRyMxdGqs= ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/client.key b/tests/testpkcs11-certs/client.key +new file mode 100644 +index 000000000..9277bdfd8 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:bd:04:48:ce:f2:b2:86:bd:ed:aa:60:78:3d:ef: ++ bd:d4:35:92:15:ac:9a:36:d7:2b:0c:84:f9:f7:b6: ++ e1:c6:e8:15:61:6f:28:8c:1d:b4:ea:4c:79:6a:49: ++ c0:30:0d:cf:40:66:1c:1a:a9:0b:ae:df:a7:b0:97: ++ 26:38:85:c3:66:c0:ba:3f:8c:de:39:2b:05:d4:f3: ++ e1:0c:0a:17:dd:b9:14:af:69:45:30:4b:77:ef:87: ++ 8a:76:0d:72:bf:28:51:c6:de:03:39:1e:9a:0f:88: ++ 24:0b:b7:d5:b5:a6:1d:81:5e:b2:5e:92:46:30:75: ++ 74:e4:b0:48:81:0e:d0:b7:29: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
00:a5:eb:b1:e2:00:07:98:e1:f6:53:de:35:0e:e1: ++ 79:78:63:c2:25:c6:8a:e4:e3:02:46:0e:20:c3:43: ++ 45:73:ee:5c:7e:58:2e:76:b8:c9:0b:f7:2f:89:8e: ++ cd:e7:20:e8:32:36:b0:2a:f3:03:6f:71:a2:e9:0f: ++ f5:9c:1e:47:84:54:2b:67:12:e3:f4:20:80:7f:54: ++ 81:63:f4:41:4a:6f:8f:89:e8:83:24:64:87:b5:2b: ++ 5b:25:55:c5:b6:e8:1d:c9:a0:a9:68:0d:2d:1f:06: ++ ac:46:6a:96:93:96:16:24:fe:7f:e4:00:c7:bf:37: ++ fe:48:6f:3f:94:0b:36:9e:81: ++ ++prime1: ++ 00:dd:8b:ef:a9:f3:e9:7a:97:6f:50:2f:d4:93:ff: ++ 0b:6d:52:b4:2c:64:d2:bb:6c:a7:ca:5d:5f:31:ba: ++ 2c:f6:59:09:34:57:5f:3c:cd:f5:2b:a0:c7:7a:ac: ++ e2:20:64:a8:58:24:a3:02:c3:7f:7b:c5:7b:31:4e: ++ de:81:6b:48:f9: ++ ++prime2: ++ 00:da:69:4a:53:be:3d:36:07:58:a7:8e:58:4e:cd: ++ 90:cd:72:54:7c:40:89:ab:fd:3a:8b:6d:d0:9c:b0: ++ 00:7f:11:6a:b7:f2:4e:e0:81:8b:23:09:3f:c4:6f: ++ f7:6d:06:b1:c8:83:63:87:72:c7:43:01:24:5d:2d: ++ 88:7f:b9:1b:b1: ++ ++coefficient: ++ 30:19:e0:d7:bd:0f:0d:96:b0:65:64:00:82:2a:9d: ++ 6c:52:a6:89:a6:db:89:e3:7f:10:c3:3b:5b:97:73: ++ ea:13:af:fc:4c:3e:72:5e:da:cb:b7:d4:b6:2c:d0: ++ 05:c3:58:bb:2d:59:2c:50:1f:08:6d:03:53:ba:ec: ++ 15:ec:b6:08: ++ ++exp1: ++ 00:d0:6d:4e:54:3d:bc:72:30:f5:f0:22:8f:83:8c: ++ 76:5b:ab:6b:06:38:f4:68:8f:98:6b:b1:dc:55:14: ++ 2a:28:b9:2b:07:ab:0b:56:51:0d:4e:b6:3b:f5:15: ++ a0:c7:88:eb:37:c1:7f:fa:a1:a1:d5:f7:bc:26:6f: ++ 64:b5:ad:11:41: ++ ++exp2: ++ 2a:a6:b1:0b:15:75:62:9d:a0:a4:67:d9:ba:d9:cd: ++ d3:30:e6:6a:b5:37:ad:4c:70:28:56:33:8c:c5:99: ++ f3:36:75:7e:a2:64:e0:d6:ab:53:16:35:4b:a9:09: ++ ca:52:aa:59:1b:bf:4d:ee:0e:17:79:9b:9e:4e:8b: ++ ff:55:28:a1: ++ ++ ++Public Key ID: 0D:B8:A7:87:5D:46:69:A2:5C:4F:23:A9:9B:13:D8:BA:DB:6C:88:6A ++Public key's random art: +++--[ RSA 1024]----+ ++| | ++| . . . | ++| . * * | ++| + = X . | ++| . B S = | ++| . O o | ++| ...* o | ++| E. .+.o | ++|o. 
ooo | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXQIBAAKBgQC9BEjO8rKGve2qYHg9773UNZIVrJo21ysMhPn3tuHG6BVhbyiM ++HbTqTHlqScAwDc9AZhwaqQuu36ewlyY4hcNmwLo/jN45KwXU8+EMChfduRSvaUUw ++S3fvh4p2DXK/KFHG3gM5HpoPiCQLt9W1ph2BXrJekkYwdXTksEiBDtC3KQIDAQAB ++AoGBAKXrseIAB5jh9lPeNQ7heXhjwiXGiuTjAkYOIMNDRXPuXH5YLna4yQv3L4mO ++zecg6DI2sCrzA29xoukP9ZweR4RUK2cS4/QggH9UgWP0QUpvj4nogyRkh7UrWyVV ++xbboHcmgqWgNLR8GrEZqlpOWFiT+f+QAx783/khvP5QLNp6BAkEA3YvvqfPpepdv ++UC/Uk/8LbVK0LGTSu2ynyl1fMbos9lkJNFdfPM31K6DHeqziIGSoWCSjAsN/e8V7 ++MU7egWtI+QJBANppSlO+PTYHWKeOWE7NkM1yVHxAiav9Oott0JywAH8RarfyTuCB ++iyMJP8Rv920GsciDY4dyx0MBJF0tiH+5G7ECQQDQbU5UPbxyMPXwIo+DjHZbq2sG ++OPRoj5hrsdxVFCoouSsHqwtWUQ1Otjv1FaDHiOs3wX/6oaHV97wmb2S1rRFBAkAq ++prELFXVinaCkZ9m62c3TMOZqtTetTHAoVjOMxZnzNnV+omTg1qtTFjVLqQnKUqpZ ++G79N7g4XeZueTov/VSihAkAwGeDXvQ8NlrBlZACCKp1sUqaJptuJ438Qwztbl3Pq ++E6/8TD5yXtrLt9S2LNAFw1i7LVksUB8IbQNTuuwV7LYI ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/server-tmpl b/tests/testpkcs11-certs/server-tmpl +new file mode 100644 +index 000000000..23103b4a9 +--- /dev/null ++++ b/tests/testpkcs11-certs/server-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Server,C=CZ" ++ ++# The serial number of the certificate ++serial = 2 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++ip_address = "127.0.0.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/server.crt b/tests/testpkcs11-certs/server.crt +new file mode 100644 +index 000000000..694a0101f +--- /dev/null ++++ b/tests/testpkcs11-certs/server.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdjCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MDJaGA8yMDIwMTIxMzA4MjUwMlow ++HjEPMA0GA1UEAxMGU2VydmVyMQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEApf9FBAZadRuU0AGrH4xgNh5V5tFDErTba2bF8b7USLRUzETm +++qBW87I6QXWDFsZlvyyzrpINmpbG3UNr3cVLgT7DLC2ct5nZFT4j25BYswcr0V5C ++00BAz6NUcuTzY0e0iN+H80H/mUr3Xu5r9wJca1LGTspBF1NOTNoAunlSm3cCAwEA ++AaOBwzCBwDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA ++ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW ++BBSsHXo5y3IXlGZsdERzQJFEwKBDfTAfBgNVHSMEGDAWgBQSDtpREkBWrvQcbcyh ++sD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwv ++Z2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBG1omwPssQQPTLd4WeCQyuM/Yj1kOO ++VwFOATVs2+XELAGg6GVrSS302+JKdW51j+11NpIMgJfgaeRdZkgBNR4uOi1okOQh ++Asm8TC3ex3v1rxZdunp0wBQ/H/ox4zMM5Ds8ITtQNeUwXqUj3tPorTWFEsNegTnY ++WmV1jslH8fZ4Fg== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/server.key b/tests/testpkcs11-certs/server.key +new file mode 100644 +index 000000000..56e48735a +--- /dev/null ++++ b/tests/testpkcs11-certs/server.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a5:ff:45:04:06:5a:75:1b:94:d0:01:ab:1f:8c: ++ 60:36:1e:55:e6:d1:43:12:b4:db:6b:66:c5:f1:be: ++ d4:48:b4:54:cc:44:e6:fa:a0:56:f3:b2:3a:41:75: ++ 83:16:c6:65:bf:2c:b3:ae:92:0d:9a:96:c6:dd:43: ++ 6b:dd:c5:4b:81:3e:c3:2c:2d:9c:b7:99:d9:15:3e: ++ 23:db:90:58:b3:07:2b:d1:5e:42:d3:40:40:cf:a3: ++ 54:72:e4:f3:63:47:b4:88:df:87:f3:41:ff:99:4a: ++ f7:5e:ee:6b:f7:02:5c:6b:52:c6:4e:ca:41:17:53: ++ 4e:4c:da:00:ba:79:52:9b:77: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
55:76:38:45:1b:34:45:28:9f:13:fc:57:ea:d5:2d: ++ cf:8f:0c:b0:da:3a:0b:0e:7c:0d:2e:8b:68:ab:d3: ++ c5:5e:ba:6d:b4:67:aa:cf:14:15:41:44:46:e1:46: ++ 4d:5a:75:95:d8:60:e5:d6:a2:14:5d:de:22:9a:8c: ++ 95:4f:f7:4f:cd:eb:65:a0:29:35:b1:16:b7:c2:74: ++ f1:a4:45:43:6c:77:59:37:b3:cb:43:60:80:29:5e: ++ b6:99:60:9a:12:4d:2b:54:2e:c3:3a:76:96:7d:72: ++ b1:72:24:f1:2a:2d:ff:99:92:1e:bb:55:f1:58:6e: ++ 64:08:36:26:4b:b2:c6:99: ++ ++prime1: ++ 00:c7:65:44:0f:4e:6b:51:cd:d4:0b:84:9c:a9:30: ++ 1b:7b:6d:9a:ca:f7:27:8d:8f:b5:05:81:b8:0d:d2: ++ a2:b3:e3:ab:bb:04:a1:8d:ec:dc:65:38:99:e9:e1: ++ 4f:70:47:79:8d:e6:3a:f0:9f:7b:3b:aa:bd:80:1d: ++ 4d:0d:2a:00:7d: ++ ++prime2: ++ 00:d5:1e:d4:82:40:de:a6:ce:1a:59:93:b8:51:c6: ++ 55:15:7f:83:d0:11:ac:a1:44:0a:95:f0:e5:96:03: ++ 53:5e:2c:27:eb:63:5f:b7:1c:06:64:fb:35:c9:a3: ++ a1:1a:fb:f2:3c:31:a1:51:58:40:5e:24:28:dd:ba: ++ dc:c4:14:22:03: ++ ++coefficient: ++ 00:9c:b5:66:d6:6d:93:93:da:0f:15:96:48:07:c6: ++ 4a:eb:ae:da:2a:fc:d8:b3:03:cb:5e:5e:10:9e:7f: ++ e8:49:96:db:70:6b:ef:d7:5a:4a:a4:f5:2a:da:89: ++ 39:b4:51:09:64:4c:75:92:57:ee:4f:9e:4d:55:f9: ++ d0:34:0e:6f:43: ++ ++exp1: ++ 2a:3c:5f:10:46:f2:20:9f:d2:bc:a5:d8:71:56:09: ++ 5c:39:b9:42:28:dc:2d:f6:34:c7:f7:d4:3e:c9:51: ++ 41:7d:86:50:d5:08:4b:81:d2:a5:76:39:d3:fa:af: ++ d2:fe:b0:d6:c7:df:d0:3c:57:e4:29:a4:7e:50:b6: ++ 93:85:44:19: ++ ++exp2: ++ 1a:1b:38:b4:eb:f5:5a:41:8d:00:c4:13:a4:10:c3: ++ 83:6a:a7:5e:e9:8b:58:05:d9:b6:1c:58:43:54:0c: ++ f6:50:3a:63:9f:3c:ae:55:84:83:02:32:c8:8c:7e: ++ c3:ab:71:34:e6:6f:78:63:73:1f:15:16:dc:72:73: ++ 70:a1:76:b9: ++ ++ ++Public Key ID: AC:1D:7A:39:CB:72:17:94:66:6C:74:44:73:40:91:44:C0:A0:43:7D ++Public key's random art: +++--[ RSA 1024]----+ ++| ...o.BX+. | ++| . .. E oo | ++| o + o | ++| o B | ++| S= | ++| + o. | ++| o = . | ++| .o.o. | ++| oo. 
| +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCl/0UEBlp1G5TQAasfjGA2HlXm0UMStNtrZsXxvtRItFTMROb6 ++oFbzsjpBdYMWxmW/LLOukg2alsbdQ2vdxUuBPsMsLZy3mdkVPiPbkFizByvRXkLT ++QEDPo1Ry5PNjR7SI34fzQf+ZSvde7mv3AlxrUsZOykEXU05M2gC6eVKbdwIDAQAB ++AoGAVXY4RRs0RSifE/xX6tUtz48MsNo6Cw58DS6LaKvTxV66bbRnqs8UFUFERuFG ++TVp1ldhg5daiFF3eIpqMlU/3T83rZaApNbEWt8J08aRFQ2x3WTezy0NggCletplg ++mhJNK1Quwzp2ln1ysXIk8Sot/5mSHrtV8VhuZAg2JkuyxpkCQQDHZUQPTmtRzdQL ++hJypMBt7bZrK9yeNj7UFgbgN0qKz46u7BKGN7NxlOJnp4U9wR3mN5jrwn3s7qr2A ++HU0NKgB9AkEA1R7UgkDeps4aWZO4UcZVFX+D0BGsoUQKlfDllgNTXiwn62NftxwG ++ZPs1yaOhGvvyPDGhUVhAXiQo3brcxBQiAwJAKjxfEEbyIJ/SvKXYcVYJXDm5Qijc ++LfY0x/fUPslRQX2GUNUIS4HSpXY50/qv0v6w1sff0DxX5CmkflC2k4VEGQJAGhs4 ++tOv1WkGNAMQTpBDDg2qnXumLWAXZthxYQ1QM9lA6Y588rlWEgwIyyIx+w6txNOZv ++eGNzHxUW3HJzcKF2uQJBAJy1ZtZtk5PaDxWWSAfGSuuu2ir82LMDy15eEJ5/6EmW ++23Br79daSqT1KtqJObRRCWRMdZJX7k+eTVX50DQOb0M= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11.pkcs15 b/tests/testpkcs11.pkcs15 +new file mode 100644 +index 000000000..565282a31 +--- /dev/null ++++ b/tests/testpkcs11.pkcs15 +@@ -0,0 +1,45 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ ++ ++init_card () { ++ PIN="$1" ++ PUK="$2" ++ ++ echo -n "* Erasing smart card... " ++ pkcs15-init -E >"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ cat "${TMPFILE}" ++ exit_error ++ fi ++ ++ echo -n "* Initializing smart card... " ++ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ cat "${TMPFILE}" ++ exit_error ++ fi ++} +diff --git a/tests/testpkcs11.sc-hsm b/tests/testpkcs11.sc-hsm +new file mode 100644 +index 000000000..f3eab685f +--- /dev/null ++++ b/tests/testpkcs11.sc-hsm +@@ -0,0 +1,50 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++ ++init_card () { ++ PIN="$1" ++ PUK=3537363231383830 ++ export GNUTLS_SO_PIN="${PUK}" ++ ++ echo -n "* Erasing smart card... " ++ sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Initializing smart card... 
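Review bot: `init_card` in tests/testpkcs11.pkcs15 runs `pkcs15-init -E` and then re-creates the PKCS#15 structure on whatever card is present, and nothing in the file says that it is destructive. The file is presumably sourced by a test driver, so add a header comment such as `# WARNING: init_card erases the inserted smart card; run only against a dedicated test token.` The SO PIN is also set to the same value as the user PIN (`--so-pin "${PIN}" --pin "${PIN}"`), which is acceptable for a throw-away test token but worth stating in the same comment so the pattern is not copied into provisioning scripts.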
" ++ TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` ++ if test -z "${TOKEN}"; then ++ echo "Could not find initialized card" ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +new file mode 100755 +index 000000000..e8cdcd30d +--- /dev/null ++++ b/tests/testpkcs11.sh +@@ -0,0 +1,938 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}" ++CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" ++DIFF="${DIFF:-diff -b -B}" ++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" ++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" ++RETCODE=0 ++ ++if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then ++ echo "Cannot run in FIPS140-2 mode" ++ exit 77 ++fi ++ ++if ! test -x "${P11TOOL}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CERTTOOL}"; then ++ exit 77 ++fi ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! 
test -x "${CLI}"; then ++ exit 77 ++fi ++ ++if ! test -z "${VALGRIND}"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full" ++fi ++ ++TMPFILE="testpkcs11.debug.log" ++CERTTOOL_PARAM="--stdout-info" ++ ++if test "${WINDIR}" != ""; then ++ exit 77 ++fi ++ ++ASAN_OPTIONS="detect_leaks=0" ++export ASAN_OPTIONS ++ ++P11TOOL="${VALGRIND} ${P11TOOL} --batch" ++SERV="${SERV} -q" ++ ++. ${srcdir}/scripts/common.sh ++ ++rm -f "${TMPFILE}" ++ ++exit_error () { ++ echo "check ${TMPFILE} for additional debugging information" ++ echo "" ++ echo "" ++ tail "${TMPFILE}" ++ exit 1 ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++# ${srcdir}/testpkcs11-certs/client.key ++write_privkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing a client private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Checking whether object was marked private... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client2" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo "private object was public" ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Checking whether object was marked sensitive... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_SENSITIVE" >/dev/null 2>&1 ++ if test $? != 0; then ++ echo "private object was not sensitive" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_privkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_pubkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server public key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-pubkey --load-pubkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ #verify it being written ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public" >>"${TMPFILE}" 2>&1 ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public"|grep "Public key" >/dev/null 2>&1 ++ if test $? != 0;then ++ echo "Cannot verify the existence of the written pubkey" ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_cert () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++} ++ ++# $1: token ++# $2: PIN ++test_delete_cert () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Deleting the server certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=serv-cert;object-type=cert" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_rsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating RSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether generated private key was marked private... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo "private object was public" ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Checking whether private key was marked sensitive... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client" | grep "CKA_SENSITIVE" >/dev/null 2>&1 ++ if test $? != 0; then ++ echo "private object was not sensitive" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_temp_rsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating RSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++# if test ${RETCODE} = 0; then ++# echo -n "* Testing private key flags... " ++# ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}" ++# if test $? != 0; then ++# echo failed ++# exit_error ++# fi ++# ++# grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++# if test $? != 0; then ++# echo "failed (no CKA_WRAP)" ++# exit_error ++# else ++# echo ok ++# fi ++# fi ++} ++ ++generate_temp_dsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating DSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: token ++# $2: PIN ++delete_temp_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ type="$3" ++ ++ test "${RETCODE}" = "0" || return ++ ++ echo -n "* Deleting private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ RETCODE=1 ++ return ++ fi ++ ++ RETCODE=0 ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++export_pubkey_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Exporting public key of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit 1 ++ fi ++ ++ ${DIFF} tmp-client.pub tmp-client-2.pub ++ if test $? != 0; then ++ echo keys differ ++ exit 1 ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++change_id_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Change the CKA_ID of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID didn't change" ++ exit_error ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++change_label_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Change the CKA_LABEL of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "label didn't change" ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_temp_ecc_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating ECC private key (${bits})... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++# The same as generate_temp_ecc_privkey but no explicit login is performed. ++# p11tool should detect that login is required for the operation. ++generate_temp_ecc_privkey_no_login () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating ECC private key without --login (${bits})... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --label "temp-ecc-no-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: name ++# $2: label prefix ++# $3: generate option ++# $4: token ++# $5: PIN ++# $6: bits ++import_privkey () { ++ export GNUTLS_PIN="$5" ++ name="$1" ++ prefix="$2" ++ gen_option="$3" ++ token="$4" ++ bits="$6" ++ ++ outfile="tmp-${prefix}-${bits}.pem" ++ ++ echo -n "* Importing ${name} private key (${bits})... " ++ ++ "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit 1 ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++import_temp_rsa_privkey () { ++ import_privkey RSA temp-rsa --rsa $@ ++} ++ ++import_temp_ecc_privkey () { ++ import_privkey ECC temp-ecc --ecc $@ ++} ++ ++import_temp_dsa_privkey () { ++ import_privkey DSA temp-dsa --dsa $@ ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# as well as the CA certificate, and tries to export them. ++write_certificate_test () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ pubkey="$5" ++ ++ echo -n "* Generating client certificate... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ ++ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Writing client certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Checking whether ID was correctly set... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo "ID was not set on copy" ++ exit_error ++ fi ++ echo ok ++ ++ if test -n "${BROKEN_SOFTHSM2}";then ++ return ++ fi ++ ++ echo -n "* Checking whether object was public... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-all-certs "${token};object=gnutls-client;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "certificate object was not public" ++ exit_error ++ fi ++ echo ok ++ ++ if test -n "${BROKEN_SOFTHSM2}";then ++ return ++ fi ++ ++ echo -n "* Writing certificate of client's CA... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 ++ ret=$? ++ if test ${ret} != 0; then ++ echo "Failed with PIN, trying to write with so PIN" >>"${TMPFILE}" ++ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 ++ ret=$? ++ fi ++ ++ if test ${ret} = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Testing certificate flags... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}" ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed (no CKA_TRUSTED)" ++ #exit_error ++ fi ++ ++ grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" ++ #exit_error ++ fi ++ ++ echo ok ++ ++ ++ echo -n "* Trying to obtain back the cert... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1 ++ ${DIFF} crt1.tmp "${srcdir}/testpkcs11-certs/ca.crt" ++ if test $? != 0; then ++ echo "failed. Exported certificate differs (crt1.tmp)!" 
++ exit_error ++ fi ++ rm -f crt1.tmp ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Trying to obtain the full chain... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1 ++ ++ cat tmp-client.crt ${srcdir}/testpkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp ++ ${DIFF} crt1.tmp crt2.tmp ++ if test $? != 0; then ++ echo "failed. Exported certificate chain differs!" ++ exit_error ++ fi ++ rm -f crt1.tmp crt2.tmp ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the public key. ++write_certificate_id_test_rsa () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ ++ echo -n "* Generating RSA private key on HSM... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=xxx1-rsa;object-type=private" \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the private key. ++write_certificate_id_test_rsa2 () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ tmpkey="key.$$.tmp" ++ ++ echo -n "* Generating RSA private key... " ++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ++ rm -f ${tmpkey} ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the private key. ++write_certificate_id_test_ecdsa () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ tmpkey="key.$$.tmp" ++ ++ echo -n "* Generating ECDSA private key... " ++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile ${tmpkey} >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ++ rm -f ${tmpkey} ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++test_sign () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Testing signatures using the private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Testing RSA-PSS signatures using the private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --sign-params rsa-pss --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ rc=$? ++ if test $rc != 0; then ++ if test $rc = 2; then ++ echo "failed. RSA-PSS not supported." ++ else ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ else ++ echo ok ++ fi ++ ++ echo -n "* Testing signatures using the private key (with ID)... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" >>"${TMPFILE}" 2>&1 ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" 2>&1|grep "Verifying against public key in the token..."|grep ok >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures with ID." 
++ exit_error ++ fi ++ echo ok ++} ++ ++# This tests the signing operation as well as the usage of --set-pin ++test_sign_set_pin () { ++ pin="$2" ++ token="$1" ++ ++ unset GNUTLS_PIN ++ ++ echo -n "* Testing signatures using the private key and --set-pin... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-pin ${pin} --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ echo ok ++ ++ export GNUTLS_PIN=${pin} ++} ++ ++# $1: token ++# $2: PIN ++# $3: certfile ++# $4: keyfile ++# $5: cafile ++# ++# Tests using a certificate and key pair using gnutls-serv and gnutls-cli. ++use_certificate_test () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ certfile="$3" ++ keyfile="$4" ++ cafile="$5" ++ txt="$6" ++ ++ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " ++ # start server ++ eval "${GETPORT}" ++ launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ ++ --x509keyfile="$keyfile" --x509cafile="${cafile}" \ ++ --verify-client-cert --require-client-cert >>"${TMPFILE}" 2>&1 ++ ++ PID=$! ++ wait_server ${PID} ++ ++ # connect to server using SC ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \ ++ fail ${PID} "Connection should have failed!" ++ ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ ++ --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ ++ fail ${PID} "Connection (with files) should have succeeded!" ++ ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ ++ --x509keyfile="${token};object=gnutls-client;object-type=private" \ ++ --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ ++ fail ${PID} "Connection (with SC) should have succeeded!" 
++ ++ kill ${PID} ++ wait ++ ++ echo ok ++} ++ ++ ++ ++echo "Testing PKCS11 support" ++ ++# erase SC ++ ++type="$1" ++ ++if test -z "${type}"; then ++ echo "usage: $0: [pkcs15|softhsm|sc-hsm]" ++ if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then ++ echo "assuming 'softhsm'" ++ echo "" ++ type=softhsm ++ else ++ exit 77 ++ fi ++ ++fi ++ ++. "${srcdir}/testpkcs11.${type}" ++ ++export GNUTLS_PIN=12345678 ++export GNUTLS_SO_PIN=00000000 ++ ++init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}" ++ ++# find token name ++TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` ++ ++echo "* Token: ${TOKEN}" ++if test "x${TOKEN}" = x; then ++ echo "Could not find generated token" ++ exit_error ++fi ++ ++#write a given privkey ++write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key" ++ ++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 ++ ++generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256 ++ ++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384 ++ ++generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048 ++ ++generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072 ++ ++import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024 ++import_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 ++import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048 ++ ++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 ++change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" ++export_pubkey_of_privkey "${TOKEN}" 
"${GNUTLS_PIN}" ++change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}" ++ ++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub ++write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key" ++write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" ++ ++write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" ++test_sign "${TOKEN}" "${GNUTLS_PIN}" ++ ++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs" ++ ++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs" ++ ++write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++ ++test_delete_cert "${TOKEN}" "${GNUTLS_PIN}" ++ ++test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}" ++ ++if test ${RETCODE} = 0; then ++ echo "* All smart cards tests succeeded" ++fi ++rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}" ++ ++exit 0 +diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm +new file mode 100755 +index 000000000..d79a8528e +--- /dev/null ++++ b/tests/testpkcs11.softhsm +@@ -0,0 +1,77 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. 
++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++for i in /usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm;do ++ if test -f "$i/libsofthsm2.so"; then ++ ADDITIONAL_PARAM="--provider $i/libsofthsm2.so" ++ break ++ else ++ if test -f "$i/libsofthsm.so";then ++ ADDITIONAL_PARAM="--provider $i/libsofthsm.so" ++ break ++ fi ++ fi ++done ++ ++init_card () { ++ PIN="$1" ++ PUK="$2" ++ ++ if test -x "/usr/bin/softhsm2-util"; then ++ export SOFTHSM2_CONF="softhsm-testpkcs11.$$.config.tmp" ++ SOFTHSM_TOOL="/usr/bin/softhsm2-util" ++ ${SOFTHSM_TOOL} --version|grep "2.0.0" >/dev/null 2>&1 ++ if test $? 
= 0; then ++ echo "softhsm2-util 2.0.0 is broken" ++ export BROKEN_SOFTHSM2=1 ++ fi ++ fi ++ ++ if test -x "/usr/bin/softhsm"; then ++ export SOFTHSM_CONF="softhsm-testpkcs11.$$.config.tmp" ++ SOFTHSM_TOOL="/usr/bin/softhsm" ++ fi ++ ++ if test -z "${SOFTHSM_TOOL}"; then ++ echo "Could not find softhsm(2) tool" ++ exit 77 ++ fi ++ ++ if test -z "${SOFTHSM_CONF}"; then ++ rm -rf ./softhsm-testpkcs11.$$.tmp ++ mkdir -p ./softhsm-testpkcs11.$$.tmp ++ echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" ++ echo "directories.tokendir = ./softhsm-testpkcs11.$$.tmp" >> "${SOFTHSM2_CONF}" ++ ++ else ++ rm -rf ./softhsm-testpkcs11.$$.tmp ++ echo "0:./softhsm-testpkcs11.$$.tmp" > "${SOFTHSM_CONF}" ++ fi ++ ++ ++ echo -n "* Initializing smart card... " ++ ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} diff --git a/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch new file mode 100644 index 00000000..72faaddb --- /dev/null +++ b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch 
@@ -0,0 +1,48 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 7c2776760..cf82c4032 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -26,11 +26,6 @@ SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+ CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+ RETCODE=0
+
+-if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+- echo "Cannot run in FIPS140-2 mode"
+- exit 77
+-fi
+-
+ if ! test -x "${P11TOOL}"; then
+ exit 77
+ fi
+@@ -600,7 +595,8 @@ write_certificate_id_test_rsa () {
+ cacert="$4"
+
+ echo -n "* Generating RSA private key on HSM... "
+- ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa \
++ --bits 2048 "${token}" >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -649,7 +645,8 @@ write_certificate_id_test_rsa2 () {
+ tmpkey="key.$$.tmp"
+
+ echo -n "* Generating RSA private key... "
+- ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 2048 \
++ --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -907,7 +904,7 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
+ import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
+
+-generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
new file mode 100644
index 00000000..6981724d
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
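Review bot: The 1024-to-2048 change in gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch covers `write_certificate_id_test_rsa`, `write_certificate_id_test_rsa2` and the `generate_rsa_privkey` call, but not `import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024`, which testpkcs11.sh as added by gnutls-3.3.29-testpkcs11.patch in this same commit still contains. In that version `import_privkey` uses its bits argument only for the label and the output file name and never passes it to certtool, so the imported key has whatever size certtool defaults to rather than the size the test prints. Since this patch also removes the `GNUTLS_FORCE_FIPS_MODE` skip, it is worth confirming whether that call survives the intermediate patches and, if it does, adding `--bits "${bits}"` to the certtool line in `import_privkey` and calling it with 2048. The patch file also starts directly at `diff --git` with no description or upstream reference, which makes the backport harder to audit.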
@@ -0,0 +1,88 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index bafb12ae0..d249d405f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -156,7 +156,7 @@ endif
+ endif
+
+ check_PROGRAMS = $(ctests)
+-dist_check_SCRIPTS = rfc2253-escape-test
++dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh
+
+ TESTS = $(ctests) $(dist_check_SCRIPTS)
+
+diff --git a/tests/sni-hostname.sh b/tests/sni-hostname.sh
+new file mode 100755
+index 000000000..4fb51be68
+--- /dev/null
++++ b/tests/sni-hostname.sh
+@@ -0,0 +1,66 @@
++#!/bin/sh
++
++# Copyright (C) 2017 Nikos Mavrogiannopoulos
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++srcdir="${srcdir:-.}"
++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
++unset RETCODE
++
++if ! test -x "${SERV}"; then
++ exit 77
++fi
++
++if ! test -x "${CLI}"; then
++ exit 77
++fi
++
++if test "${WINDIR}" != ""; then
++ exit 77
++fi
++
++if ! test -z "${VALGRIND}"; then
++ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
++fi
++
++
++SERV="${SERV} -q"
++
++.
"${srcdir}/scripts/common.sh" ++ ++echo "Checking SNI hostname in gnutls-cli" ++ ++eval "${GETPORT}" ++launch_server $$ --echo --priority "NORMAL:+ANON-ECDH" --sni-hostname-fatal --sni-hostname example.com ++PID=$! ++wait_server ${PID} ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null || \ ++ fail ${PID} "1. rehandshake should have succeeded!" ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname noexample.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null && \ ++ fail ${PID} "2. rehandshake should have failed!" ++ ++ ++kill ${PID} ++wait ++ ++exit 0 +-- +2.14.3 + diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 3404620a..bf614f1b 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -2,7 +2,7 @@ %bcond_with guile Summary: A TLS protocol implementation Name: gnutls -Version: 3.3.26 +Version: 3.3.29 Release: 9%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ 
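Review bot: The negative case in tests/sni-hostname.sh, the `--sni-hostname noexample.com` run followed by `&& fail ${PID} "2. rehandshake should have failed!"`, passes on any non-zero client exit, so a server that died after the first connection would be counted as a correct SNI rejection. Capturing the client output and checking it for the alert the server sends for an unrecognised name would tie the result to `--sni-hostname-fatal`; the exact alert text is not visible here and would have to be taken from gnutls-cli. Both `fail` messages also say "rehandshake" although neither client invocation requests one; wording such as `"1. connection with matching SNI hostname should have succeeded!"` would describe what is actually tested.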
@@ -44,14 +44,43 @@ Patch5: gnutls-3.3.8-padlock-disable.patch # any applications depending on that. Patch6: gnutls-3.3.22-eapp-data.patch Patch7: gnutls-3.3.26-dh-params-1024.patch -# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well) -Patch8: gnutls-3.3.26-fix-uninitialized.patch -Patch9: gnutls-3.3.26-fix-coverity-issues.patch -Patch10: gnutls-3.3.26-pin-value.patch -Patch11: gnutls-3.3.26-set-unique-id-tests.patch -Patch12: gnutls-3.3.26-fips-rsa-keygen.patch -Patch13: gnutls-3.3.26-cve-2017-7869.patch -Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch +# Backport serv --sni-hostname option support (rhbz#1444792) +Patch8: gnutls-3.3.29-serv-sni-hostname.patch +Patch9: gnutls-3.3.29-serv-unrec-name.patch +Patch10: gnutls-3.3.29-cli-sni-hostname.patch +Patch11: gnutls-3.3.29-tests-sni-hostname.patch +# Do not try to retrieve PIN from URI more than once +Patch12: gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch +# Backport of fixes to address CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 +# (rhbz#1589708 rhbz#1589707 rhbz1589704) +Patch13: gnutls-3.3.29-dummy-wait-account-len-field.patch +Patch14: gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch +Patch15: gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch +Patch16: gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch +# Adjustment on tests +Patch17: gnutls-3.3.29-do-not-run-sni-hostname-windows.patch +# Backport testpkcs11 test. This test checks rhbz#1375307 +Patch18: gnutls-3.3.29-testpkcs11.patch +# Disable failing PKCS#11 tests brought from master branch. 
The reasons are: +# - ECC key generation without login is not supported +# - Certificates are marked as private objects +# - "--load-pubkey" option is not supported +# - "--test-sign" option is not supported +# - Certificates do not inherit its ID from the private key +Patch19: gnutls-3.3.29-disable-failing-tests.patch +# Do not mark certificates as private objects and re-enable test for this +Patch20: gnutls-3.3.29-do-not-mark-object-as-private.patch +Patch21: gnutls-3.3.29-re-enable-check-cert-write.patch +# Increase the length of the RSA keys generated in testpkcs11 to 2048 bits. +# This allows the test to run in FIPS mode +Patch22: gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch +# Enlarge buffer size to support resumption with large keys (rhbz#1542461) +Patch23: gnutls-3.3.29-serv-large-key-resumption.patch +# HMAC-SHA-256 cipher suites brought back downstream for compatibility +# The priority was set below AEAD +Patch24: gnutls-3.3.29-bring-back-hmac-sha256.patch +# Run KAT startup test for ECDSA (using secp256r1 curve) (rhbz#1673919) +Patch25: gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 
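Review bot: Patch24 re-adds HMAC-SHA256 cipher suites that Patch16, listed under the CVE-2018-10844/10845/10846 backport comment, removes from the defaults, and neither comment says so. The comment above Patch24 should state the relationship, for example `# Partially reverts Patch16: HMAC-SHA256 suites are re-enabled below AEAD for compatibility; HMAC-SHA384 stays disabled`, so a later rebase does not drop or reorder one without the other. The hunk also removes gnutls-3.3.26-cve-2017-7869.patch and gnutls-3.3.26-remove-status-req-ext-parsing.patch without a note; presumably 3.3.29 carries those fixes upstream, and a one-line comment or changelog entry saying so would make that auditable. The bug reference `rhbz1589704` in the same comment is missing its `#`.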
@@ -157,19 +186,39 @@ This package contains Guile bindings for the library. %patch5 -p1 -b .padlock-disable %patch6 -p1 -b .eapp-data %patch7 -p1 -b .dh-1024 -%patch8 -p1 -b .fix-uninit -%patch9 -p1 -b .fix-coverity -%patch10 -p1 -b .pin-value -%patch11 -p1 -b .unique-id -%patch12 -p1 -b .rsa-keygen -%patch13 -p1 -b .openpgp-fixes -%patch14 -p1 -b .ocsp-ext-parse +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in rm -f lib/minitasn1/*.c lib/minitasn1/*.h rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h +# Touch man pages to avoid them to be regenerated after patches which change +# .def files +touch doc/manpages/gnutls-serv.1 +touch doc/manpages/gnutls-cli.1 + +# Fix permissions for files brought by patches +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/testpkcs11.sh +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/sni-hostname.sh + %{SOURCE2} -e autoreconf -if 
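Review bot: The two added `chmod` lines address the tree as `%{_builddir}/%{name}-%{version}/tests/...` while the `sed` and `rm` lines just above use relative paths, so the absolute prefix is redundant and breaks if the unpacked directory name ever differs from `%{name}-%{version}`; `chmod +x tests/testpkcs11.sh tests/sni-hostname.sh` is enough. The new `%patch8` to `%patch25` lines also drop the `-b .suffix` backups that `%patch5` to `%patch7` keep, which is worth making consistent one way or the other. The `touch` of gnutls-serv.1 and gnutls-cli.1 keeps the shipped man pages from being regenerated, so they presumably will not document the backported `--sni-hostname` options, and the comment should say that this is accepted. The %prep section continues outside the hunk.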
@@ -313,6 +362,29 @@ fi %endif %changelog +* Tue Feb 12 2019 Anderson Sasaki 3.3.29-9 +- Make sure the FIPS startup KAT selftest run for ECDSA (#1673919) + +* Fri Jul 20 2018 Anderson Sasaki 3.3.29-8 +- Backported --sni-hostname option which allows overriding the hostname + advertised to the peer (#1444792) +- Improved counter-measures in TLS CBC record padding for lucky13 attack + (CVE-2018-10844, #1589704, CVE-2018-10845, #1589707) +- Added counter-measures for "Just in Time" PRIME + PROBE cache-based attack + (CVE-2018-10846, #1589708) +- Address p11tool issue in object deletion in batch mode (#1375307) +- Backport PKCS#11 tests from master branch. Some tests were disabled due to + unsupported features in 3.3.x (--load-pubkey and --test-sign options, ECC key + generation without login, and certificates do not inherit ID from the private + key) +- p11tool explicitly marks certificates and public keys as NOT private objects + and private keys as private objects +- Enlarge buffer size to support resumption with large keys (#1542461) +- Legacy HMAC-SHA384 cipher suites were disabled by default +- Added DSA key generation to p11tool (#1464896) +- Address session renegotiation issue using client certificate (#1434091) +- Address issue when importing private keys into Atos HSM (#1460125) + * Fri May 26 2017 Nikos Mavrogiannopoulos 3.3.26-9 - Address crash in OCSP status request extension, by eliminating the unneeded parsing (CVE-2017-7507, #1455828)