Browse Source

gnutls package update

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64lebuilder0 5 years ago
parent
commit
3c69daab72
  1. 62
      SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
  2. 28
      SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
  3. 37
      SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
  4. 59
      SOURCES/gnutls-3.3.29-disable-failing-tests.patch
  5. 47
      SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
  6. 20
      SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
  7. 52
      SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
  8. 90
      SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
  9. 70
      SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
  10. 82
      SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
  11. 29
      SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
  12. 69
      SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
  13. 11
      SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
  14. 157
      SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
  15. 41
      SOURCES/gnutls-3.3.29-serv-unrec-name.patch
  16. 1916
      SOURCES/gnutls-3.3.29-testpkcs11.patch
  17. 48
      SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch
  18. 88
      SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
  19. 104
      SPECS/gnutls.spec

62
SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch

@ -0,0 +1,62 @@
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index f3e19105f..ff13d3720 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -492,6 +492,7 @@ static const int sign_priority_secure192[] = {
static const int mac_priority_normal_default[] = {
GNUTLS_MAC_SHA1,
GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_SHA256,
GNUTLS_MAC_MD5,
0
};
@@ -499,6 +500,7 @@ static const int mac_priority_normal_default[] = {
static const int mac_priority_normal_fips[] = {
GNUTLS_MAC_SHA1,
GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_SHA256,
0
};
@@ -527,11 +529,13 @@ static const int mac_priority_suiteb192[] = {
static const int mac_priority_secure128[] = {
GNUTLS_MAC_SHA1,
GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_SHA256,
0
};
static const int mac_priority_secure192[] = {
GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_SHA256,
0
};
diff --git a/tests/priorities.c b/tests/priorities.c
index 46221fcc0..0593279de 100644
--- a/tests/priorities.c
+++ b/tests/priorities.c
@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
void doit(void)
{
- const int normal = 41;
- const int null = 4;
- const int sec128 = 36;
+ const int normal = 57;
+ const int null = 5;
+ const int sec128 = 52;
try_prio("NORMAL", normal, 9);
try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1);
try_prio("PERFORMANCE", normal, 9);
- try_prio("SECURE256", 10, 4);
+ try_prio("SECURE256", 16, 4);
try_prio("SECURE128", sec128, 8);
try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */

28
SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch

@ -0,0 +1,28 @@
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 65dde6899..8b34472b7 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -659,7 +659,11 @@ ciphertext_to_compressed(gnutls_session_t session,
* Note that we access all 256 bytes of ciphertext for padding check
* because there is a timing channel in that memory access (in certain CPUs).
*/
- if (ver->id != GNUTLS_SSL3)
+ if (ver->id == GNUTLS_SSL3) {
+ if (pad >= blocksize)
+ pad_failed = 1;
+ } else
+ {
for (i = 2; i <= MIN(256, ciphertext->size); i++) {
tmp_pad_failed |=
(compressed->
@@ -667,6 +671,7 @@ ciphertext_to_compressed(gnutls_session_t session,
pad_failed |=
((i <= (1 + pad)) & (tmp_pad_failed));
}
+ }
if (unlikely
(pad_failed != 0
--
2.14.3

37
SOURCES/gnutls-3.3.29-cli-sni-hostname.patch

@ -0,0 +1,37 @@
diff --git a/src/cli-args.def b/src/cli-args.def
index c661f458b..11d66ae8a 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -80,6 +80,13 @@ flag = {
doc = "Connect, establish a session and rehandshake immediately.";
};
+flag = {
+ name = sni-hostname;
+ descrip = "Server's hostname for server name indication extension";
+ arg-type = string;
+ doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used.";
+};
+
flag = {
name = starttls;
value = s;
diff --git a/src/cli.c b/src/cli.c
index 82d8e1166..f3d159a29 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -638,7 +638,10 @@ static gnutls_session_t init_tls_session(const char *hostname)
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0 && disable_sni == 0) {
- if (hostname != NULL && is_ip(hostname) == 0)
+ if (HAVE_OPT(SNI_HOSTNAME)) {
+ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
+ OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME)));
+ } else if (hostname != NULL && is_ip(hostname) == 0)
gnutls_server_name_set(session, GNUTLS_NAME_DNS,
hostname, strlen(hostname));
}
--
2.14.3

59
SOURCES/gnutls-3.3.29-disable-failing-tests.patch

@ -0,0 +1,59 @@
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index e8cdcd30d..039d6cc1c 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -887,8 +887,9 @@ write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key"
generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
-generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
-delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
+# Disabled: generation of ECC key without login is not supported in gnutls_3_3_x
+#generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
+#delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384
delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384
@@ -911,24 +912,30 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
-write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+# Disabled: certificates are marked as private in gnutls_3_3_x
+#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
-write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
-test_sign "${TOKEN}" "${GNUTLS_PIN}"
+# Disabled: --load-pubkey is not supported in gnutls_3_3_x
+#write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+# Disabled: --test-sign is not supported in gnutls_3_3_x
+#test_sign "${TOKEN}" "${GNUTLS_PIN}"
-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+# Disabled: Cannot test without written certificates (write_certificate_test)
+#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
-write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
-write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
-write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+# Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
+#write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+#write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+#write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
test_delete_cert "${TOKEN}" "${GNUTLS_PIN}"
-test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
+# Disabled: --test-sign is not supported in gnutls_3_3_x
+#test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
if test ${RETCODE} = 0; then
echo "* All smart cards tests succeeded"
--
2.14.3

47
SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch

@ -0,0 +1,47 @@
diff --git a/src/p11tool.c b/src/p11tool.c
index 2abf23a27..a6fce78e3 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -68,7 +68,7 @@ int main(int argc, char **argv)
}
static
-unsigned opt_to_flags(void)
+unsigned opt_to_flags(common_info_st *cinfo)
{
unsigned flags = 0;
@@ -78,6 +78,12 @@ unsigned opt_to_flags(void)
} else {
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
}
+ } else { /* if not given mark as private the private objects, and public the public ones */
+ if (cinfo->privkey)
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
+ else if (cinfo->pubkey || cinfo->cert)
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
+ /* else set the defaults of the token */
}
if (ENABLED_OPT(MARK_TRUSTED))
@@ -166,8 +172,6 @@ static void cmd_parser(int argc, char **argv)
memset(&cinfo, 0, sizeof(cinfo));
- flags = opt_to_flags();
-
if (HAVE_OPT(SECRET_KEY))
cinfo.secret_key = OPT_ARG(SECRET_KEY);
@@ -227,6 +231,8 @@ static void cmd_parser(int argc, char **argv)
sec_param = OPT_ARG(SEC_PARAM);
}
+ flags = opt_to_flags(&cinfo);
+
if (debug > 4) {
if (HAVE_OPT(MARK_PRIVATE))
fprintf(stderr, "Private: %s\n",
--
2.14.3

20
SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch

@ -0,0 +1,20 @@
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d249d405f..6dc63758d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -156,7 +156,11 @@ endif
endif
check_PROGRAMS = $(ctests)
-dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh
+dist_check_SCRIPTS = rfc2253-escape-test
+
+if !WINDOWS
+dist_check_SCRIPTS += sni-hostname.sh
+endif
TESTS = $(ctests) $(dist_check_SCRIPTS)
--
2.14.3

52
SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch

@ -0,0 +1,52 @@
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index 0527ca4f1..a39acd49f 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
{"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
64},
{"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1,
- 64},
+ 128},
{"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1,
- 64},
+ 128},
{"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1,
64},
{"UMAC-96", NULL, NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0},
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 58ce79775..37478a4c3 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -440,7 +440,7 @@ static void dummy_wait(record_parameters_st * params,
{
/* this hack is only needed on CBC ciphers */
if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
- unsigned len;
+ unsigned len, v;
/* force an additional hash compression function evaluation to prevent timing
* attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
@@ -448,11 +448,14 @@ static void dummy_wait(record_parameters_st * params,
if (pad_failed == 0 && pad > 0) {
len = _gnutls_mac_block_size(params->mac);
if (len > 0) {
- /* This is really specific to the current hash functions.
- * It should be removed once a protocol fix is in place.
- */
- if ((pad + total) % len > len - 9
- && total % len <= len - 9) {
+ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+ /* v = 1 for the hash function padding + 16 for message length */
+ v = 17;
+ else /* v = 1 for the hash function padding + 8 for message length */
+ v = 9;
+
+ if ((pad + total) % len > len - v
+ && total % len <= len - v) {
if (len < plaintext->size)
_gnutls_auth_cipher_add_auth
(&params->read.
--
2.14.3

90
SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch

@ -0,0 +1,90 @@
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 37478a4c3..65dde6899 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session,
return length;
}
-static void dummy_wait(record_parameters_st * params,
- gnutls_datum_t * plaintext, unsigned pad_failed,
- unsigned int pad, unsigned total)
+static void dummy_wait(record_parameters_st *params,
+ gnutls_datum_t *plaintext,
+ unsigned int mac_data, unsigned int max_mac_data)
{
/* this hack is only needed on CBC ciphers */
if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
- unsigned len, v;
+ unsigned v;
+ unsigned int tag_size =
+ _gnutls_auth_cipher_tag_len(&params->read.cipher_state);
+ unsigned hash_block = _gnutls_mac_block_size(params->mac);
- /* force an additional hash compression function evaluation to prevent timing
+ /* force additional hash compression function evaluations to prevent timing
* attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
*/
- if (pad_failed == 0 && pad > 0) {
- len = _gnutls_mac_block_size(params->mac);
- if (len > 0) {
- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
- /* v = 1 for the hash function padding + 16 for message length */
- v = 17;
- else /* v = 1 for the hash function padding + 8 for message length */
- v = 9;
-
- if ((pad + total) % len > len - v
- && total % len <= len - v) {
- if (len < plaintext->size)
- _gnutls_auth_cipher_add_auth
- (&params->read.
- cipher_state,
- plaintext->data, len);
- else
- _gnutls_auth_cipher_add_auth
- (&params->read.
- cipher_state,
- plaintext->data,
- plaintext->size);
- }
+ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+ /* v = 1 for the hash function padding + 16 for message length */
+ v = 17;
+ else /* v = 1 for the hash function padding + 8 for message length */
+ v = 9;
+
+ if (hash_block > 0) {
+ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
+ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
+ unsigned to_hash;
+
+ max_blocks -= hashed_blocks;
+ if (max_blocks < 1)
+ return;
+
+ to_hash = max_blocks * hash_block;
+ if ((unsigned)to_hash+1+tag_size < plaintext->size) {
+ _gnutls_auth_cipher_add_auth
+ (&params->read.cipher_state,
+ plaintext->data+plaintext->size-tag_size-to_hash-1,
+ to_hash);
}
}
}
@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session,
if (unlikely
(memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
/* HMAC was not the same. */
- dummy_wait(params, compressed, pad_failed, pad,
- length + preamble_size);
+ gnutls_datum_t data = {compressed->data, ciphertext->size};
+
+ dummy_wait(params, &data, length + preamble_size,
+ preamble_size + ciphertext->size - tag_size - 1);
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
--
2.14.3

70
SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch

@ -0,0 +1,70 @@
--- a/lib/crypto-selftests-pk.c 2019-02-06 14:49:44.807422315 +0100
+++ b/lib/crypto-selftests-pk.c 2019-02-06 14:56:40.311049707 +0100
@@ -731,30 +731,9 @@
goto cleanup;
}
- if (all == 0)
- return 0;
#endif
/* Test ECDSA */
-#ifdef ENABLE_NON_SUITEB_CURVES
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP192R1),
- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
- ecdsa_secp192r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
- GNUTLS_DIG_SHA256);
-
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP224R1),
- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
- ecdsa_secp224r1_sig);
- PK_TEST(GNUTLS_PK_EC, test_sig,
- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
- GNUTLS_DIG_SHA256);
-#endif
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
GNUTLS_CURVE_TO_BITS
(GNUTLS_ECC_CURVE_SECP256R1),
@@ -764,6 +743,9 @@
GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
GNUTLS_DIG_SHA256);
+ if (all == 0)
+ return 0;
+
PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
GNUTLS_CURVE_TO_BITS
(GNUTLS_ECC_CURVE_SECP384R1),
@@ -782,6 +764,26 @@
GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
GNUTLS_DIG_SHA512);
+#ifdef ENABLE_NON_SUITEB_CURVES
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP192R1),
+ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
+ ecdsa_secp192r1_sig);
+ PK_TEST(GNUTLS_PK_EC, test_sig,
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
+ GNUTLS_DIG_SHA256);
+
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP224R1),
+ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
+ ecdsa_secp224r1_sig);
+ PK_TEST(GNUTLS_PK_EC, test_sig,
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
+ GNUTLS_DIG_SHA256);
+#endif
+
break;
default:

82
SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch

@ -0,0 +1,82 @@
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 4fdd58f39..68ee2960a 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2368,6 +2368,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
/* First check for pin-value field */
pinfile = p11_kit_uri_get_pin_value(info);
if (pinfile != NULL) {
+ if (attempts > 0) {
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+ }
+
_gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
*pin = p11_kit_pin_new_for_string(pinfile);
if (*pin != NULL)
@@ -2376,6 +2381,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
/* Check if a pinfile is specified, and use that if possible */
pinfile = p11_kit_uri_get_pin_source(info);
if (pinfile != NULL) {
+ if (attempts > 0) {
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+ }
+
_gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
ret =
retrieve_pin_from_source(pinfile, token_info, attempts,
diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
index e43591927..ecc98175d 100644
--- a/tests/pkcs11/pkcs11-import-with-pin.c
+++ b/tests/pkcs11/pkcs11-import-with-pin.c
@@ -157,6 +157,16 @@ void doit()
assert(gnutls_privkey_init(&pkey) == 0);
/* Test 1
+ * Try importing with wrong pin-value */
+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+ gnutls_privkey_deinit(pkey);
+ assert(gnutls_privkey_init(&pkey) == 0);
+
+ /* Test 2
* Try importing with pin-value */
ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
if (ret < 0) {
@@ -169,13 +179,26 @@ void doit()
gnutls_free(sig.data);
gnutls_privkey_deinit(pkey);
- /* Test 2
- * Try importing with pin-source */
+ /* Test 3
+ * Try importing with wrong pin-source */
track_temp_files();
get_tmpname(file);
- write_pin(file, PIN);
+ write_pin(file, "XXXX");
+
+ assert(gnutls_privkey_init(&pkey) == 0);
+ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
+ ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ gnutls_privkey_deinit(pkey);
+ /* Test 4
+ * Try importing with pin-source */
+ write_pin(file, PIN);
assert(gnutls_privkey_init(&pkey) == 0);
snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
--
2.14.3

29
SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch

@ -0,0 +1,29 @@
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 039d6cc1c..7c2776760 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -912,8 +912,7 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
-# Disabled: certificates are marked as private in gnutls_3_3_x
-#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
@@ -923,9 +922,8 @@ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.cr
# Disabled: --test-sign is not supported in gnutls_3_3_x
#test_sign "${TOKEN}" "${GNUTLS_PIN}"
-# Disabled: Cannot test without written certificates (write_certificate_test)
-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
# Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
#write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
--
2.14.3

69
SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch

@ -0,0 +1,69 @@
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index c5998abe6..f3e19105f 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -491,8 +491,6 @@ static const int sign_priority_secure192[] = {
static const int mac_priority_normal_default[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
GNUTLS_MAC_MD5,
0
@@ -500,8 +498,6 @@ static const int mac_priority_normal_default[] = {
static const int mac_priority_normal_fips[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
@@ -530,15 +526,11 @@ static const int mac_priority_suiteb192[] = {
static const int mac_priority_secure128[] = {
GNUTLS_MAC_SHA1,
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
static const int mac_priority_secure192[] = {
- GNUTLS_MAC_SHA256,
- GNUTLS_MAC_SHA384,
GNUTLS_MAC_AEAD,
0
};
diff --git a/tests/priorities.c b/tests/priorities.c
index f22b08b62..46221fcc0 100644
--- a/tests/priorities.c
+++ b/tests/priorities.c
@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
void doit(void)
{
- const int normal = 61;
- const int null = 5;
- const int sec128 = 56;
+ const int normal = 41;
+ const int null = 4;
+ const int sec128 = 36;
try_prio("NORMAL", normal, 9);
try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
try_prio("PERFORMANCE", normal, 9);
- try_prio("SECURE256", 20, 4);
+ try_prio("SECURE256", 10, 4);
try_prio("SECURE128", sec128, 8);
try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
--
2.14.3

11
SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch

@ -0,0 +1,11 @@
--- a/src/serv.c
+++ b/src/serv.c
@@ -1734,7 +1734,7 @@
/* session resuming support */
#define SESSION_ID_SIZE 32
-#define SESSION_DATA_SIZE 1024
+#define SESSION_DATA_SIZE (16*1024)
typedef struct {
char session_id[SESSION_ID_SIZE];

157
SOURCES/gnutls-3.3.29-serv-sni-hostname.patch

@ -0,0 +1,157 @@
diff --git a/src/serv-args.def b/src/serv-args.def
index 44b67f1ab..027737772 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -8,6 +8,19 @@ detail = "Server program that listens to incoming TLS connections.";
#include args-std.def
+flag = {
+ name = sni-hostname;
+ descrip = "Server's hostname for server name extension";
+ arg-type = string;
+ doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
+};
+
+flag = {
+ name = sni-hostname-fatal;
+ descrip = "Send fatal alert on sni-hostname mismatch";
+ doc = "";
+};
+
flag = {
name = noticket;
descrip = "Don't accept session tickets";
diff --git a/src/serv.c b/src/serv.c
index a1f9adfa8..f5ff48786 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -49,6 +49,8 @@
#include "sockets.h"
#include "udp-serv.h"
+#define _GNUTLS_E_UNRECOGNIZED_NAME -294
+
/* konqueror cannot handle sending the page in multiple
* pieces.
*/
@@ -81,6 +83,8 @@ const char *dh_params_file = NULL;
const char *x509_crlfile = NULL;
const char *priorities = NULL;
const char *status_response_ocsp = NULL;
+const char *sni_hostname = NULL;
+int sni_hostname_fatal = 0;
gnutls_datum_t session_ticket_key;
static void tcp_server(const char *name, int port);
@@ -312,6 +316,83 @@ int ret;
return 0;
}
+/* callback used to verify if the host name advertised in client hello matches
+ * the one configured in server
+ */
+static int
+post_client_hello(gnutls_session_t session)
+{
+ int ret;
+ /* DNS names (only type supported) may be at most 256 byte long */
+ char *name;
+ size_t len = 256;
+ unsigned int type;
+ int i;
+
+ name = malloc(len);
+ if (name == NULL)
+ return GNUTLS_E_MEMORY_ERROR;
+
+ for (i=0; ; ) {
+ ret = gnutls_server_name_get(session, name, &len, &type, i);
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ char *new_name;
+ new_name = realloc(name, len);
+ if (new_name == NULL) {
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto end;
+ }
+ name = new_name;
+ continue; /* retry call with same index */
+ }
+
+ /* check if it is the last entry in list */
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ i++;
+ if (ret != GNUTLS_E_SUCCESS)
+ goto end;
+ /* unknown types need to be ignored */
+ if (type != GNUTLS_NAME_DNS)
+ continue;
+
+ if (strlen(sni_hostname) != len)
+ continue;
+ /* API guarantees that the name of type DNS will be null terminated */
+ if (!strncmp(name, sni_hostname, len)) {
+ ret = GNUTLS_E_SUCCESS;
+ goto end;
+ }
+ };
+ /* when there is no extension, we can't send the extension specific alert */
+ if (i == 0) {
+ fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
+ ret = GNUTLS_E_SUCCESS;
+ goto end;
+ }
+
+ if (sni_hostname_fatal == 1) {
+ /* abort the connection, propagate error up the stack */
+ ret = _GNUTLS_E_UNRECOGNIZED_NAME;
+ goto end;
+ }
+
+ fprintf(stderr, "Warning: client provided unrecognized host name\n");
+ /* since we just want to send an alert, not abort the connection, we
+ * need to send it ourselves
+ */
+ do {
+ ret = gnutls_alert_send(session,
+ GNUTLS_AL_WARNING,
+ GNUTLS_A_UNRECOGNIZED_NAME);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ /* continue handshake, fall through */
+end:
+ free(name);
+ return ret;
+}
+
gnutls_session_t initialize_session(int dtls)
{
gnutls_session_t session;
@@ -343,6 +424,10 @@ gnutls_session_t initialize_session(int dtls)
&session_ticket_key);
#endif
+ if (sni_hostname != NULL)
+ gnutls_handshake_set_post_client_hello_function(session,
+ &post_client_hello);
+
if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
fprintf(stderr, "Syntax error at: %s\n", err);
exit(1);
@@ -1629,6 +1714,12 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(OCSP_RESPONSE))
status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
+ if (HAVE_OPT(SNI_HOSTNAME))
+ sni_hostname = OPT_ARG(SNI_HOSTNAME);
+
+ if (HAVE_OPT(SNI_HOSTNAME_FATAL))
+ sni_hostname_fatal = 1;
+
}
/* session resuming support */
--
2.14.3

41
SOURCES/gnutls-3.3.29-serv-unrec-name.patch

@ -0,0 +1,41 @@
diff --git a/src/serv.c b/src/serv.c
index f5ff48786..8c7c92a92 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -1278,6 +1278,15 @@ int main(int argc, char **argv)
return 0;
}
+int _gnutls_alert_send_appropriate (gnutls_session_t session, int err)
+{
+ if (err == _GNUTLS_E_UNRECOGNIZED_NAME)
+ return gnutls_alert_send(session,
+ GNUTLS_AL_FATAL,
+ GNUTLS_A_UNRECOGNIZED_NAME);
+ return gnutls_alert_send_appropriate(session, err);
+}
+
static void retry_handshake(listener_item *j)
{
int r, ret;
@@ -1293,7 +1302,7 @@ static void retry_handshake(listener_item *j)
GERR(r);
do {
- ret = gnutls_alert_send_appropriate(j->tls_session, r);
+ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
} else if (r == 0) {
if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
@@ -1326,7 +1335,7 @@ int r, ret;
if (r < 0) {
do {
- ret = gnutls_alert_send_appropriate(j->tls_session, r);
+ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
GERR(r);
j->http_state = HTTP_STATE_CLOSING;
--
2.14.3

1916
SOURCES/gnutls-3.3.29-testpkcs11.patch

File diff suppressed because it is too large Load Diff

48
SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch

@ -0,0 +1,48 @@
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 7c2776760..cf82c4032 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -26,11 +26,6 @@ SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
RETCODE=0
-if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
- echo "Cannot run in FIPS140-2 mode"
- exit 77
-fi
-
if ! test -x "${P11TOOL}"; then
exit 77
fi
@@ -600,7 +595,8 @@ write_certificate_id_test_rsa () {
cacert="$4"
echo -n "* Generating RSA private key on HSM... "
- ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa \
+ --bits 2048 "${token}" >>"${TMPFILE}" 2>&1
if test $? = 0; then
echo ok
else
@@ -649,7 +645,8 @@ write_certificate_id_test_rsa2 () {
tmpkey="key.$$.tmp"
echo -n "* Generating RSA private key... "
- ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 2048 \
+ --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
if test $? = 0; then
echo ok
else
@@ -907,7 +904,7 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
-generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
+generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
--
2.14.3

88
SOURCES/gnutls-3.3.29-tests-sni-hostname.patch

@ -0,0 +1,88 @@
diff --git a/tests/Makefile.am b/tests/Makefile.am
index bafb12ae0..d249d405f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -156,7 +156,7 @@ endif
endif
check_PROGRAMS = $(ctests)
-dist_check_SCRIPTS = rfc2253-escape-test
+dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh
TESTS = $(ctests) $(dist_check_SCRIPTS)
diff --git a/tests/sni-hostname.sh b/tests/sni-hostname.sh
new file mode 100755
index 000000000..4fb51be68
--- /dev/null
+++ b/tests/sni-hostname.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# Copyright (C) 2017 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+unset RETCODE
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+
+SERV="${SERV} -q"
+
+. "${srcdir}/scripts/common.sh"
+
+echo "Checking SNI hostname in gnutls-cli"
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL:+ANON-ECDH" --sni-hostname-fatal --sni-hostname example.com
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" </dev/null >/dev/null || \
+ fail ${PID} "1. rehandshake should have succeeded!"
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname noexample.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" </dev/null >/dev/null && \
+ fail ${PID} "2. rehandshake should have failed!"
+
+
+kill ${PID}
+wait
+
+exit 0
--
2.14.3

104
SPECS/gnutls.spec

@ -2,7 +2,7 @@
%bcond_with guile %bcond_with guile
Summary: A TLS protocol implementation Summary: A TLS protocol implementation
Name: gnutls Name: gnutls
Version: 3.3.26 Version: 3.3.29
Release: 9%{?dist} Release: 9%{?dist}
# The libraries are LGPLv2.1+, utilities are GPLv3+ # The libraries are LGPLv2.1+, utilities are GPLv3+
License: GPLv3+ and LGPLv2+ License: GPLv3+ and LGPLv2+
@ -44,14 +44,43 @@ Patch5: gnutls-3.3.8-padlock-disable.patch
# any applications depending on that. # any applications depending on that.
Patch6: gnutls-3.3.22-eapp-data.patch Patch6: gnutls-3.3.22-eapp-data.patch
Patch7: gnutls-3.3.26-dh-params-1024.patch Patch7: gnutls-3.3.26-dh-params-1024.patch
# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well) # Backport serv --sni-hostname option support (rhbz#1444792)
Patch8: gnutls-3.3.26-fix-uninitialized.patch Patch8: gnutls-3.3.29-serv-sni-hostname.patch
Patch9: gnutls-3.3.26-fix-coverity-issues.patch Patch9: gnutls-3.3.29-serv-unrec-name.patch
Patch10: gnutls-3.3.26-pin-value.patch Patch10: gnutls-3.3.29-cli-sni-hostname.patch
Patch11: gnutls-3.3.26-set-unique-id-tests.patch Patch11: gnutls-3.3.29-tests-sni-hostname.patch
Patch12: gnutls-3.3.26-fips-rsa-keygen.patch # Do not try to retrieve PIN from URI more than once
Patch13: gnutls-3.3.26-cve-2017-7869.patch Patch12: gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch # Backport of fixes to address CVE-2018-10844 CVE-2018-10845 CVE-2018-10846
# (rhbz#1589708 rhbz#1589707 rhbz1589704)
Patch13: gnutls-3.3.29-dummy-wait-account-len-field.patch
Patch14: gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
Patch15: gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
Patch16: gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
# Adjustment on tests
Patch17: gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
# Backport testpkcs11 test. This test checks rhbz#1375307
Patch18: gnutls-3.3.29-testpkcs11.patch
# Disable failing PKCS#11 tests brought from master branch. The reasons are:
# - ECC key generation without login is not supported
# - Certificates are marked as private objects
# - "--load-pubkey" option is not supported
# - "--test-sign" option is not supported
# - Certificates do not inherit its ID from the private key
Patch19: gnutls-3.3.29-disable-failing-tests.patch
# Do not mark certificates as private objects and re-enable test for this
Patch20: gnutls-3.3.29-do-not-mark-object-as-private.patch
Patch21: gnutls-3.3.29-re-enable-check-cert-write.patch
# Increase the length of the RSA keys generated in testpkcs11 to 2048 bits.
# This allows the test to run in FIPS mode
Patch22: gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch
# Enlarge buffer size to support resumption with large keys (rhbz#1542461)
Patch23: gnutls-3.3.29-serv-large-key-resumption.patch
# HMAC-SHA-256 cipher suites brought back downstream for compatibility
# The priority was set below AEAD
Patch24: gnutls-3.3.29-bring-back-hmac-sha256.patch
# Run KAT startup test for ECDSA (using secp256r1 curve) (rhbz#1673919)
Patch25: gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424 Provides: bundled(gnulib) = 20130424


@ -157,19 +186,39 @@ This package contains Guile bindings for the library.
%patch5 -p1 -b .padlock-disable %patch5 -p1 -b .padlock-disable
%patch6 -p1 -b .eapp-data %patch6 -p1 -b .eapp-data
%patch7 -p1 -b .dh-1024 %patch7 -p1 -b .dh-1024
%patch8 -p1 -b .fix-uninit %patch8 -p1
%patch9 -p1 -b .fix-coverity %patch9 -p1
%patch10 -p1 -b .pin-value %patch10 -p1
%patch11 -p1 -b .unique-id %patch11 -p1
%patch12 -p1 -b .rsa-keygen %patch12 -p1
%patch13 -p1 -b .openpgp-fixes %patch13 -p1
%patch14 -p1 -b .ocsp-ext-parse %patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1


sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.c//g' -i lib/Makefile.in
sed 's/gnutls_srp.lo//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
rm -f lib/minitasn1/*.c lib/minitasn1/*.h rm -f lib/minitasn1/*.c lib/minitasn1/*.h
rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h


# Touch man pages to avoid them to be regenerated after patches which change
# .def files
touch doc/manpages/gnutls-serv.1
touch doc/manpages/gnutls-cli.1

# Fix permissions for files brought by patches
chmod ugo+x %{_builddir}/%{name}-%{version}/tests/testpkcs11.sh
chmod ugo+x %{_builddir}/%{name}-%{version}/tests/sni-hostname.sh

%{SOURCE2} -e %{SOURCE2} -e
autoreconf -if autoreconf -if


@ -313,6 +362,29 @@ fi
%endif %endif


%changelog %changelog
* Tue Feb 12 2019 Anderson Sasaki <ansasaki@redhat.com> 3.3.29-9
- Make sure the FIPS startup KAT selftest run for ECDSA (#1673919)

* Fri Jul 20 2018 Anderson Sasaki <ansasaki@redhat.com> 3.3.29-8
- Backported --sni-hostname option which allows overriding the hostname
advertised to the peer (#1444792)
- Improved counter-measures in TLS CBC record padding for lucky13 attack
(CVE-2018-10844, #1589704, CVE-2018-10845, #1589707)
- Added counter-measures for "Just in Time" PRIME + PROBE cache-based attack
(CVE-2018-10846, #1589708)
- Address p11tool issue in object deletion in batch mode (#1375307)
- Backport PKCS#11 tests from master branch. Some tests were disabled due to
unsupported features in 3.3.x (--load-pubkey and --test-sign options, ECC key
generation without login, and certificates do not inherit ID from the private
key)
- p11tool explicitly marks certificates and public keys as NOT private objects
and private keys as private objects
- Enlarge buffer size to support resumption with large keys (#1542461)
- Legacy HMAC-SHA384 cipher suites were disabled by default
- Added DSA key generation to p11tool (#1464896)
- Address session renegotiation issue using client certificate (#1434091)
- Address issue when importing private keys into Atos HSM (#1460125)

* Fri May 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-9 * Fri May 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-9
- Address crash in OCSP status request extension, by eliminating the - Address crash in OCSP status request extension, by eliminating the
unneeded parsing (CVE-2017-7507, #1455828) unneeded parsing (CVE-2017-7507, #1455828)

Loading…
Cancel
Save