Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2021-03-03 18:33:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Wed Mar 3 18:33:22 2021 rev:128 rq:873444 version:3.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2020-10-15 13:45:00.629167283 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new.2378/gnutls.changes 2021-03-03 18:33:47.843330743 +0100 @@ -1,0 +2,67 @@ +Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565] + * Don't unset system priority settings in gnutls-cli-debug.sh + * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387 +- Add gnutls-gnutls-cli-debug.patch + +------------------------------------------------------------------- +Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- Fix: Test certificates in tests/testpkcs11-certs have expired + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 +- Add gnutls-test-fixes.patch + +------------------------------------------------------------------- +Mon Feb 8 18:05:56 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates + * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131 +- Add gnutls-ignore-duplicate-certificates.patch + +------------------------------------------------------------------- +Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- Update to 3.7.0 + * Depend on nettle 3.6 + * Added a new API that provides a callback function to retrieve + missing certificates from incomplete certificate chains + * Added a new API that provides a callback function to output the + complete path to the trusted root during certificate chain + verification + * OIDs exposed as gnutls_datum_t no longer account for the + terminating null bytes, while the data field is null terminated. + The affected API functions are: gnutls_ocsp_req_get_extension, + gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension + * Added a new set of API to enable QUIC implementation + * The crypto implementation override APIs deprecated in 3.6.9 are + now no-op + * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support + * Support for padlock has been fixed to make it work with Zhaoxin CPU + * The maximum PIN length for PKCS #11 has been increased from 31 + bytes to 255 bytes +- Remove patch fixed upstream: + * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- Add version guards for the crypto-policies package +- Fix threading bug in libgnutls [bsc#1173434] + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044 + +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal <pmonr...@suse.com> + +- Require the crypto-policies package [bsc#1180051] + +------------------------------------------------------------------- +Tue Nov 24 15:43:02 UTC 2020 - V??t??zslav ??????ek <vci...@suse.com> + +- Use the centralized crypto policy profile (jsc#SLE-15832) + +------------------------------------------------------------------- +Tue Nov 10 11:25:02 UTC 2020 - V??t??zslav ??????ek <vci...@suse.com> + +- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) + * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- FIPS: Add TLS KDF selftest (bsc#1176671) + * add gnutls-FIPS-TLS_KDF_selftest.patch + +------------------------------------------------------------------- Old: ---- gnutls-3.6.15.tar.xz gnutls-3.6.15.tar.xz.sig New: ---- gnutls-3.7.0.tar.xz gnutls-3.7.0.tar.xz.sig gnutls-FIPS-TLS_KDF_selftest.patch gnutls-gnutls-cli-debug.patch gnutls-ignore-duplicate-certificates.patch gnutls-test-fixes.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.CwNtjf/_old 2021-03-03 18:33:48.511331227 +0100 +++ /var/tmp/diff_new_pack.CwNtjf/_new 2021-03-03 18:33:48.511331227 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,19 +28,26 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.15 +Version: 3.7.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later Group: Productivity/Networking/Security URL: https://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: %{name}.keyring +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig +Source2: gnutls.keyring Source3: baselibs.conf -Patch1: gnutls-3.5.11-skip-trust-store-tests.patch -Patch4: gnutls-3.6.6-set_guile_site_dir.patch -Patch6: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch0: gnutls-3.5.11-skip-trust-store-tests.patch +Patch1: gnutls-3.6.6-set_guile_site_dir.patch +Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131 +Patch4: gnutls-ignore-duplicate-certificates.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135 +Patch5: gnutls-test-fixes.patch +#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387 +Patch6: gnutls-gnutls-cli-debug.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -50,7 +57,7 @@ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel -BuildRequires: libnettle-devel >= 3.4.1 +BuildRequires: libnettle-devel >= 3.6 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel @@ -79,6 +86,9 @@ %if %{with guile} BuildRequires: guile-devel %endif +%if 0%{?suse_version} && ! 0%{?sle_version} +Requires: crypto-policies +%endif %description The GnuTLS library provides a secure layer over a reliable transport @@ -159,6 +169,7 @@ %description -n libgnutlsxx-devel Files needed for software development using gnutls. +%if %{with guile} %package guile Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later @@ -167,11 +178,15 @@ %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. +%endif %prep %autosetup -p1 +echo "SYSTEM=NORMAL" >> tests/system.prio + %build +%define _lto_cflags %{nil} export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" @@ -183,6 +198,8 @@ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ + --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ + --with-default-priority-string="@SYSTEM" \ --with-sysroot=/%{?_sysroot} \ %if %{without tpm} --without-tpm \ @@ -194,6 +211,7 @@ %endif --enable-fips140-mode \ %{nil} + make %{?_smp_mflags} # the hmac hashes: @@ -235,7 +253,8 @@ %check %if ! 0%{?qemu_user_space_build} -make %{?_smp_mflags} check || { +#make %%{?_smp_mflags} check || { +make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } @@ -330,8 +349,19 @@ %if %{with guile} %files guile +%if 0%{?suse_version} > 1550 +%{_libdir}/guile/3.0/guile-gnutls*.so* +%{_libdir}/guile/3.0/site-ccache +%{_libdir}/guile/3.0/site-ccache/gnutls +%{_libdir}/guile/3.0/site-ccache/gnutls.go +%{_libdir}/guile/3.0/site-ccache/gnutls/extra.go +%{_datadir}/guile/gnutls +%{_datadir}/guile/gnutls.scm +%{_datadir}/guile/gnutls/extra.scm +%else %{_libdir}/guile/* %{_datadir}/guile/gnutls* %endif +%endif %changelog ++++++ gnutls-3.6.15.tar.xz -> gnutls-3.7.0.tar.xz ++++++ ++++ 282464 lines of diff (skipped) ++++++ gnutls-FIPS-TLS_KDF_selftest.patch ++++++ Index: gnutls-3.6.15/lib/fips.c =================================================================== --- gnutls-3.6.15.orig/lib/fips.c 2020-09-03 16:59:05.000000000 +0200 +++ gnutls-3.6.15/lib/fips.c 2020-11-10 12:51:40.420071675 +0100 @@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo goto error; } + /* KDF */ + + char derived[512]; + + gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 }; + gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 }; + gnutls_datum_t label = { (void *)"test label", 10 }; + gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 }; + + ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data, + label.size, (char*)label.data, seed.size, seed.data, expected.size, derived); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = memcmp(derived, expected.data, expected.size); + if (ret != 0) { + gnutls_assert(); + goto error; + } + /* PK */ ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); if (ret < 0) { ++++++ gnutls-gnutls-cli-debug.patch ++++++ >From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Tue, 9 Feb 2021 15:26:07 +0100 Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority settings When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging system that runs the test in a restricted environment. Unsetting it after a temporary use forces the remaining part of the test to use the default system priority, which might not be the intention of the user. Signed-off-by: Daiki Ueno <u...@gnu.org> --- tests/gnutls-cli-debug.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh index a73910dea6..3c3e2214e5 100755 --- a/tests/gnutls-cli-debug.sh +++ b/tests/gnutls-cli-debug.sh @@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} tls-disabled-cipher = CAMELLIA-128-CBC tls-disabled-cipher = CAMELLIA-256-CBC _EOF_ -export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" +GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ timeout 1800 datefudge "2017-08-9" \ "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" -unset GNUTLS_SYSTEM_PRIORITY_FILE - kill ${PID} wait -- GitLab ++++++ gnutls-ignore-duplicate-certificates.patch ++++++ >From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Mon, 28 Dec 2020 12:14:13 +0100 Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a regression, where duplicate certificates in a certificate chain are no longer ignored but treated as a non-contiguous segment and that results in calling the issuer callback, or a verification failure. This adds a mechanism to record certificates already seen in the chain, and skip them while still allow the caller to inject missing certificates. Signed-off-by: Daiki Ueno <u...@gnu.org> Co-authored-by: Andreas Metzler <ametz...@debian.org> --- lib/x509/common.c | 8 ++ lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ tests/missingissuer.c | 2 + tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- 4 files changed, 245 insertions(+), 23 deletions(-) diff --git a/lib/x509/common.c b/lib/x509/common.c index 3301aaad0c..10c8db53c0 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, * increasing DEFAULT_MAX_VERIFY_DEPTH. */ for (i = 0; i < clist_size; i++) { + /* Self-signed certificate found in the chain; skip it + * as it should only appear in the trusted set. + */ + if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { + _gnutls_cert_log("self-signed cert found", clist[i]); + continue; + } + for (j = 1; j < clist_size; j++) { if (i == j) continue; diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 588e7ee0dc..9a16e6b42a 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { #define DEFAULT_SIZE 127 +struct cert_set_node_st { + gnutls_x509_crt_t *certs; + unsigned int size; +}; + +struct cert_set_st { + struct cert_set_node_st *node; + unsigned int size; +}; + +static int +cert_set_init(struct cert_set_st *set, unsigned int size) +{ + memset(set, 0, sizeof(*set)); + + set->size = size; + set->node = gnutls_calloc(size, sizeof(*set->node)); + if (!set->node) { + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + } + + return 0; +} + +static void +cert_set_deinit(struct cert_set_st *set) +{ + size_t i; + + for (i = 0; i < set->size; i++) { + gnutls_free(set->node[i].certs); + } + + gnutls_free(set->node); +} + +static bool +cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) +{ + size_t hash, i; + + hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); + hash %= set->size; + + for (i = 0; i < set->node[hash].size; i++) { + if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { + return true; + } + } + + return false; +} + +static int +cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) +{ + size_t hash; + + hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); + hash %= set->size; + + set->node[hash].certs = + gnutls_realloc_fast(set->node[hash].certs, + (set->node[hash].size + 1) * + sizeof(*set->node[hash].certs)); + if (!set->node[hash].certs) { + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + } + set->node[hash].certs[set->node[hash].size] = cert; + set->node[hash].size++; + + return 0; +} + /** * gnutls_x509_trust_list_init: * @list: A pointer to the type to be initialized @@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, unsigned have_set_name = 0; unsigned saved_output; gnutls_datum_t ip = {NULL, 0}; + struct cert_set_st cert_set = { NULL, 0 }; if (cert_list == NULL || cert_list_size < 1) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); @@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); cert_list = sorted; + ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); + if (ret < 0) { + return ret; + } + for (i = 0; i < cert_list_size && - cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { - unsigned int sorted_size; + cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { + unsigned int sorted_size = 1; + unsigned int j; + gnutls_x509_crt_t issuer; + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { sorted_size = _gnutls_sort_clist(&cert_list[i], cert_list_size - i); - i += sorted_size - 1; } - if (i == cert_list_size - 1) { - gnutls_x509_crt_t issuer; - - /* If it is the last certificate and its issuer is - * known, don't need to run issuer callback. */ - if (_gnutls_trust_list_get_issuer(list, - cert_list[i], - &issuer, - 0) == 0) { + /* Remove duplicates. Start with index 1, as the first element + * may be re-checked after issuer retrieval. */ + for (j = 1; j < sorted_size; j++) { + if (cert_set_contains(&cert_set, cert_list[i + j])) { + if (i + j < cert_list_size - 1) { + memmove(&cert_list[i + j], + &cert_list[i + j + 1], + sizeof(cert_list[i])); + } + cert_list_size--; break; } - } else if (gnutls_x509_crt_check_issuer(cert_list[i], - cert_list[i + 1])) { - /* There is no gap between this and the next - * certificate. */ + } + /* Found a duplicate, try again with the same index. */ + if (j < sorted_size) { + continue; + } + + /* Record the certificates seen. */ + for (j = 0; j < sorted_size; j++, i++) { + ret = cert_set_add(&cert_set, cert_list[i]); + if (ret < 0) { + goto cleanup; + } + } + + /* If the issuer of the certificate is known, no need + * for further processing. */ + if (_gnutls_trust_list_get_issuer(list, + cert_list[i - 1], + &issuer, + 0) == 0) { + cert_list_size = i; + break; + } + + /* If there is no gap between this and the next certificate, + * proceed with the next certificate. */ + if (i < cert_list_size && + gnutls_x509_crt_check_issuer(cert_list[i - 1], + cert_list[i])) { continue; } ret = retrieve_issuers(list, - cert_list[i], + cert_list[i - 1], &retrieved[retrieved_size], DEFAULT_MAX_VERIFY_DEPTH - MAX(retrieved_size, @@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (ret < 0) { break; } else if (ret > 0) { - memmove(&cert_list[i + 1 + ret], - &cert_list[i + 1], - (cert_list_size - i - 1) * + assert((unsigned int)ret <= + DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); + memmove(&cert_list[i + ret], + &cert_list[i], + (cert_list_size - i) * sizeof(gnutls_x509_crt_t)); - memcpy(&cert_list[i + 1], + memcpy(&cert_list[i], &retrieved[retrieved_size], ret * sizeof(gnutls_x509_crt_t)); retrieved_size += ret; cert_list_size += ret; + + /* Start again from the end of the previous segment. */ + i--; } } @@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, for (i = 0; i < retrieved_size; i++) { gnutls_x509_crt_deinit(retrieved[i]); } + cert_set_deinit(&cert_set); return ret; } diff --git a/tests/missingissuer.c b/tests/missingissuer.c index f21e2b6b0c..226d095929 100644 --- a/tests/missingissuer.c +++ b/tests/missingissuer.c @@ -145,6 +145,8 @@ void doit(void) printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); for (j = 0; chains[i].chain[j]; j++) { + assert(j < MAX_CHAIN); + if (debug > 2) printf("\tAdding certificate %d...", (int)j); diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h index 543e2d71fb..bf1e65c956 100644 --- a/tests/test-chains-issuer.h +++ b/tests/test-chains-issuer.h @@ -24,7 +24,7 @@ #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H -#define MAX_CHAIN 6 +#define MAX_CHAIN 15 #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ @@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { NULL, }; +static const char *missing_middle_single_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_4, + CA_CERT_4, + CA_CERT_2, + CA_CERT_2, + CA_CERT_1, + CA_CERT_1, + NULL, +}; + +static const char *missing_middle_multiple_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_4, + CA_CERT_4, + CA_CERT_1, + CA_CERT_1, + NULL, +}; + +static const char *missing_last_single_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_4, + CA_CERT_4, + CA_CERT_3, + CA_CERT_3, + CA_CERT_2, + CA_CERT_2, + NULL, +}; + +static const char *missing_last_multiple_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_4, + CA_CERT_4, + CA_CERT_3, + CA_CERT_3, + NULL, +}; + +static const char *missing_skip_single_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_3, + CA_CERT_3, + CA_CERT_1, + CA_CERT_1, + NULL, +}; + +static const char *missing_skip_multiple_duplicate[] = { + SERVER_CERT, + SERVER_CERT, + CA_CERT_5, + CA_CERT_5, + CA_CERT_3, + CA_CERT_3, + NULL, +}; + static const char *missing_ca[] = { CA_CERT_0, NULL, }; +static const char *middle_single_duplicate_ca[] = { + SERVER_CERT, + CA_CERT_5, + CA_CERT_0, + CA_CERT_4, + CA_CERT_0, + CA_CERT_2, + CA_CERT_0, + CA_CERT_1, + NULL, +}; + +static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { + CA_CERT_0, + NULL, +}; + static struct chains { const char *name; const char **chain; @@ -377,6 +468,14 @@ static struct chains { { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, + { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, + { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, + { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, + { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, + { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, + { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, + { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 }, + { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, { NULL, NULL, NULL, NULL }, }; -- GitLab ++++++ gnutls-test-fixes.patch ++++++ diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh index 38b9585bc002ac9d32003ec7127153f9950ad1b1..09a6274776935f07f91a5be1eb79a573165ded93 100755 --- a/tests/testpkcs11.sh +++ b/tests/testpkcs11.sh @@ -67,6 +67,8 @@ have_ed25519=0 P11TOOL="${VALGRIND} ${P11TOOL} --batch" SERV="${SERV} -q" +TESTDATE=2020-12-01 + . ${srcdir}/scripts/common.sh rm -f "${LOGFILE}" @@ -79,6 +81,8 @@ exit_error () { exit 1 } +skip_if_no_datefudge + # $1: token # $2: PIN # $3: filename @@ -523,6 +527,7 @@ write_certificate_test () { pubkey="$5" echo -n "* Generating client certificate... " + datefudge -s "$TESTDATE" \ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 @@ -900,7 +905,9 @@ use_certificate_test () { echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " # start server eval "${GETPORT}" - launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ + launch_bare_server datefudge -s "$TESTDATE" \ + $VALGRIND $SERV $DEBUG -p "$PORT" \ + ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ --x509keyfile="$keyfile" --x509cafile="${cafile}" \ --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 @@ -908,13 +915,16 @@ use_certificate_test () { wait_server ${PID} # connect to server using SC + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \ fail ${PID} "Connection should have failed!" + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ --x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ fail ${PID} "Connection (with files) should have succeeded!" + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ --x509keyfile="${token};object=gnutls-client;object-type=private" \ --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh index eba502612a293eb11134a62ce749ff87e6778ab2..77fe17e59341a344590ea22f62076e4db54dd91a 100755 --- a/tests/tpmtool_test.sh +++ b/tests/tpmtool_test.sh @@ -138,6 +138,7 @@ start_tcsd() local tcsd_conf=$workdir/tcsd.conf local tcsd_system_ps_file=$workdir/system_ps_file local tcsd_pidfile=$workdir/tcsd.pid + local owner start_swtpm "$workdir" [ $? -ne 0 ] && return 1 @@ -146,20 +147,36 @@ start_tcsd() port = $TCSD_LISTEN_PORT system_ps_file = $tcsd_system_ps_file _EOF_ + # older versions of trousers require tss:tss ownership of the + # config file, later ones root:tss + for owner in tss root; do + if [ "$owner" = "tss" ]; then + chmod 0600 $tcsd_conf + else + chmod 0640 $tcsd_conf + fi + chown $owner:tss $tcsd_conf - chown tss:tss $tcsd_conf - chmod 0600 $tcsd_conf + bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & + BASH_PID=$! - bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & - BASH_PID=$! + if wait_for_file $tcsd_pidfile 3; then + echo "Could not get TCSD's PID file" + return 1 + fi - if wait_for_file $tcsd_pidfile 3; then - echo "Could not get TCSD's PID file" - return 1 - fi + sleep 0.5 + TCSD_PID=$(cat $tcsd_pidfile) + kill -0 "${TCSD_PID}" + if [ $? -ne 0 ]; then + # Try again with other owner + continue + fi + return 0 + done - TCSD_PID=$(cat $tcsd_pidfile) - return 0 + echo "TCSD could not be started" + return 1 } stop_tcsd()
