diff --git a/SOURCES/ghmac-gnutls.patch b/SOURCES/ghmac-gnutls.patch index 6ba3313..3ed717f 100644 --- a/SOURCES/ghmac-gnutls.patch +++ b/SOURCES/ghmac-gnutls.patch @@ -1,7 +1,7 @@ -From 440a178c5aad19050a3d5b5d76881931138af680 Mon Sep 17 00:00:00 2001 +From 7ab93b8205093b4d176e63947039981515af1932 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 -Subject: [PATCH 1/2] ghmac: Split off wrapper functions into ghmac-utils.c +Subject: [PATCH 1/3] ghmac: Split off wrapper functions into ghmac-utils.c Prep for adding a GnuTLS HMAC implementation; these are just utility functions that call the "core" API. @@ -14,7 +14,7 @@ utility functions that call the "core" API. create mode 100644 glib/ghmac-utils.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index 8da549c7f..c367b09ad 100644 +index c0c3b92f0..43fa17051 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -126,6 +126,7 @@ libglib_2_0_la_SOURCES = \ @@ -297,7 +297,7 @@ index 9b58fd81c..7db38e34a 100644 - (const guchar *) str, length); -} diff --git a/glib/meson.build b/glib/meson.build -index 9df77b6f9..c7f28b5b6 100644 +index c81e99f9c..306a67f13 100644 --- a/glib/meson.build +++ b/glib/meson.build @@ -138,6 +138,7 @@ glib_sources = files( @@ -309,13 +309,12 @@ index 9df77b6f9..c7f28b5b6 100644 'ghostutils.c', 'giochannel.c', -- -2.21.0 +2.31.1 - -From 423355787ba9133b310c0b72708024b1428d7d14 Mon Sep 17 00:00:00 2001 +From 1cc432d6e9080621e1f2822a14589b258f1f813c Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 -Subject: [PATCH 2/2] Add a gnutls backend for GHmac +Subject: [PATCH 2/3] Add a gnutls backend for GHmac For RHEL we want apps to use FIPS-certified crypto libraries, and HMAC apparently counts as "keyed" and hence needs to 
@@ -329,26 +328,53 @@ Most distributors ship glib-networking built with GnuTLS, and most apps use glib-networking, so this isn't a net-new library in most cases. -However, a fun wrinkle is that the GnuTLS HMAC API doesn't expose -the necessary bits to implement `g_hmac_copy()`; OpenSSL does. -I chose to just make that abort for now since I didn't find -apps using it. +======================================================================= + +mcatanzaro note: + +I've updated Colin's original patch with several enhancements: + +Implement g_hmac_copy() using gnutls_hmac_copy(), which didn't exist +when Colin developed this patch. + +Removed use of GSlice + +Better error checking in g_hmac_new(). It is possible for +gnutls_hmac_init() to fail if running in FIPS mode and an MD5 digest is +requested. In this case, we should return NULL rather than returning a +broken GHmac with a NULL gnutls_hmac_hd_t. This was leading to a later +null pointer dereference inside gnutls_hmac_update(). Applications are +responsible for checking to ensure the return value of g_hmac_new() is +not NULL since it is annotated as nullable. Added documentation to +indicate this possibility. + +Properly handle length -1 in g_hmac_update(). This means we've been +given a NUL-terminated string and should use strlen(). GnuTLS doesn't +accept -1, so let's call strlen() ourselves. + +Crash the application with g_error() if gnutls_hmac() fails for any +reason. This is necessary because g_hmac_update() is not fallible, so we +have no way to indicate error. Crashing seems better than returning the +wrong result later when g_hmac_get_string() or g_hmac_get_digest() is +later called. (Those functions are also not fallible.) Fortunately, I +don't think this error should actually be hit in practice. 
+ +https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903 --- - glib/Makefile.am | 9 ++- - glib/gchecksum.c | 9 +-- - glib/gchecksumprivate.h | 32 +++++++++ - glib/ghmac-gnutls.c | 151 ++++++++++++++++++++++++++++++++++++++++ - glib/ghmac.c | 1 + + glib/Makefile.am | 8 +- + glib/gchecksum.c | 9 +- + glib/gchecksumprivate.h | 32 +++++++ + glib/ghmac-gnutls.c | 182 ++++++++++++++++++++++++++++++++++++++++ + glib/ghmac.c | 13 +++ glib/meson.build | 10 ++- - glib/tests/hmac.c | 6 ++ meson.build | 7 ++ meson_options.txt | 5 ++ - 9 files changed, 221 insertions(+), 9 deletions(-) + 8 files changed, 258 insertions(+), 8 deletions(-) create mode 100644 glib/gchecksumprivate.h create mode 100644 glib/ghmac-gnutls.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index c367b09ad..b0a721ad0 100644 +index 43fa17051..1175bbe40 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -125,7 +125,7 @@ libglib_2_0_la_SOURCES = \ @@ -360,7 +386,7 @@ index c367b09ad..b0a721ad0 100644 ghmac-utils.c \ ghook.c \ ghostutils.c \ -@@ -352,11 +352,14 @@ pcre_lib = pcre/libpcre.la +@@ -352,11 +352,15 @@ pcre_lib = pcre/libpcre.la pcre_inc = endif @@ -372,8 +398,8 @@ index c367b09ad..b0a721ad0 100644 libglib_2_0_la_LIBADD = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ @ICONV_LIBS@ @G_LIBS_EXTRA@ $(pcre_lib) $(G_THREAD_LIBS_EXTRA) $(G_THREAD_LIBS_FOR_GTHREAD) $(LIBSYSTEMD_LIBS) libglib_2_0_la_DEPENDENCIES = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ $(glib_win32_res) $(glib_def) --libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ -+libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) $(gnutls_libs) \ + libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ ++ $(gnutls_libs) \ $(glib_win32_res_ldflag) \ -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \ -export-dynamic $(no_undefined) @@ -452,10 +478,10 @@ index 000000000..86c7a3b61 \ No newline at end of file 
diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c new file mode 100644 -index 000000000..3b4dfb872 +index 000000000..522b9b302 --- /dev/null +++ b/glib/ghmac-gnutls.c -@@ -0,0 +1,160 @@ +@@ -0,0 +1,182 @@ +/* ghmac.h - data hashing functions + * + * Copyright (C) 2011 Collabora Ltd. @@ -506,9 +532,11 @@ index 000000000..3b4dfb872 + gsize key_len) +{ + gnutls_mac_algorithm_t algo; -+ GHmac *hmac = g_slice_new0 (GHmac); ++ GHmac *hmac = g_new0 (GHmac, 1); ++ int ret; ++ + hmac->ref_count = 1; -+ hmac->digest_type = digest_type; ++ hmac->digest_type = digest_type; + + switch (digest_type) + { @@ -531,7 +559,15 @@ index 000000000..3b4dfb872 + g_return_val_if_reached (NULL); + } + -+ gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ ret = gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ if (ret != 0) ++ { ++ /* There is no way to report an error here, but one possible cause of ++ * failure is that the requested digest may be disabled by FIPS mode. ++ */ ++ g_free (hmac->hmac); ++ return NULL; ++ } + + return hmac; +} @@ -543,11 +579,15 @@ index 000000000..3b4dfb872 + + g_return_val_if_fail (hmac != NULL, NULL); + -+ copy = g_slice_new0 (GHmac); ++ copy = g_new0 (GHmac, 1); + copy->ref_count = 1; + copy->digest_type = hmac->digest_type; + copy->hmac = gnutls_hmac_copy (hmac->hmac); + ++ /* g_hmac_copy is not allowed to fail, so we'll have to crash on error. */ ++ if (!copy->hmac) ++ g_error ("gnutls_hmac_copy failed"); ++ + return copy; +} + @@ -570,7 +610,7 @@ index 000000000..3b4dfb872 + { + gnutls_hmac_deinit (hmac->hmac, NULL); + g_free (hmac->digest_str); -+ g_slice_free (GHmac, hmac); ++ g_free (hmac); + } +} + 
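Review bot: The new failure branch after `gnutls_hmac_init()` calls `g_free (hmac->hmac)`, which releases the GnuTLS handle field rather than the `GHmac` allocated with `g_new0`, so every failed creation (for example MD5 requested in FIPS mode, as the added comment says) leaks the struct. The handle is presumably still NULL at that point, which makes the call a no-op; if it were ever non-NULL it would be released with the wrong deallocator. I would change the branch to `g_free (hmac);` followed by `return NULL;`. The `default:` case shown as context just above returns through `g_return_val_if_reached (NULL)` and appears to leak `hmac` the same way. The start of `g_hmac_new()` lies outside this hunk.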
@@ -580,10 +620,18 @@ index 000000000..3b4dfb872 + const guchar *data, + gssize length) +{ ++ int ret; ++ + g_return_if_fail (hmac != NULL); + g_return_if_fail (length == 0 || data != NULL); + -+ gnutls_hmac (hmac->hmac, data, length); ++ if (length == -1) ++ length = strlen ((const char *)data); ++ ++ /* g_hmac_update is not allowed to fail, so we'll have to crash on error. */ ++ ret = gnutls_hmac (hmac->hmac, data, length); ++ if (ret != 0) ++ g_error ("gnutls_hmac failed: %s", gnutls_strerror (ret)); +} + +const gchar * @@ -617,7 +665,7 @@ index 000000000..3b4dfb872 + *digest_len = g_checksum_type_get_length (hmac->digest_type); +} diff --git a/glib/ghmac.c b/glib/ghmac.c -index 7db38e34a..b12eb07c4 100644 +index 7db38e34a..b03a5aea7 100644 --- a/glib/ghmac.c +++ b/glib/ghmac.c @@ -33,6 +33,7 @@ @@ -628,11 +676,38 @@ index 7db38e34a..b12eb07c4 100644 /** * SECTION:hmac +@@ -84,6 +85,18 @@ struct _GHmac + * Support for digests of type %G_CHECKSUM_SHA512 has been added in GLib 2.42. + * Support for %G_CHECKSUM_SHA384 was added in GLib 2.52. + * ++ * Note that #GHmac creation may fail, in which case this function will ++ * return %NULL. Since there is no error parameter, it is not possible ++ * to indicate why. ++ * ++ * In Fedora, CentOS Stream, and Red Hat Enterprise Linux, GLib is ++ * configured to use GnuTLS to implement #GHmac in order to support FIPS ++ * compliance. This introduces additional failure possibilities that are ++ * not present in upstream GLib. For example, the creation of a #GHmac ++ * will fail if @digest_type is %G_CHECKSUM_MD5 and the system is ++ * running in FIPS mode. #GHmac creation may also fail if GLib is unable ++ * to load GnuTLS. ++ * + * Returns: the newly created #GHmac, or %NULL. + * Use g_hmac_unref() to free the memory allocated by it. + * diff --git a/glib/meson.build b/glib/meson.build -index c7f28b5b6..a2f9da81c 100644 +index 306a67f13..07d41456d 100644 --- a/glib/meson.build 
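Review bot: `g_hmac_update()` special-cases only `length == -1`, so any other negative `gssize` is still handed to `gnutls_hmac()`, where it converts to a very large unsigned length and would read far past `data`. As far as I know the non-GnuTLS implementation goes through `g_checksum_update()`, which treats every negative length as "NUL-terminated", so the two backends now disagree on this input. I would write the guard as `if (length < 0)` with `length = strlen ((const char *) data);`. The function's name and return type sit above the hunk, and whether `<string.h>` is included is not visible here.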
+++ b/glib/meson.build -@@ -137,7 +137,6 @@ glib_sources = files( +@@ -127,6 +127,7 @@ glib_sources = files( + 'gbytes.c', + 'gcharset.c', + 'gchecksum.c', ++ 'gchecksumprivate.h', + 'gconvert.c', + 'gdataset.c', + 'gdate.c', +@@ -137,7 +138,6 @@ glib_sources = files( 'gfileutils.c', 'ggettext.c', 'ghash.c', @@ -640,15 +715,7 @@ index c7f28b5b6..a2f9da81c 100644 'ghmac-utils.c', 'ghook.c', 'ghostutils.c', -@@ -185,6 +184,7 @@ glib_sources = files( - 'gunidecomp.c', - 'gurifuncs.c', - 'gutils.c', -+ 'gchecksumprivate.h', - 'guuid.c', - 'gvariant.c', - 'gvariant-core.c', -@@ -222,6 +222,12 @@ else +@@ -223,6 +223,12 @@ else glib_dtrace_hdr = [] endif @@ -661,17 +728,17 @@ index c7f28b5b6..a2f9da81c 100644 pcre_static_args = [] if use_pcre_static_flag -@@ -238,7 +244,7 @@ libglib = library('glib-2.0', +@@ -239,7 +245,7 @@ libglib = library('glib-2.0', link_args : platform_ldflags + noseh_link_args, include_directories : configinc, link_with : [charset_lib, gnulib_lib], - dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps, -+ dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps + libgnutls_dep, ++ dependencies : [pcre, thread_dep, libintl, librt] + libgnutls_dep + libiconv + platform_deps, c_args : ['-DG_LOG_DOMAIN="GLib"', '-DGLIB_COMPILATION'] + pcre_static_args + glib_hidden_visibility_args ) diff --git a/meson.build b/meson.build -index 0cefee51d..81b16b004 100644 +index 0cefee51d..eaf8d3900 100644 --- a/meson.build +++ b/meson.build @@ -1596,6 +1596,13 @@ if host_system == 'linux' and get_option('libmount') 
@@ -705,5 +772,209 @@ index 4504c6858..d18c42a36 100644 type : 'boolean', value : false, -- -2.21.0 +2.31.1 + +From 20e550351e9914e78a73b4ca0e9866f1a39dca51 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 16 Jun 2021 20:46:24 -0500 +Subject: [PATCH 3/3] Add test for GHmac in FIPS mode + +This will test a few problems that we hit recently: + +g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 + +Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 + +Crash when passing -1 length to g_hmac_update() (discovered in #1971533) + +We'll also test to ensure MD5 fails, and stop compiling the other MD5 +tests. +--- + glib/tests/hmac.c | 139 +++++++++++----------------------------------- + 1 file changed, 32 insertions(+), 107 deletions(-) + +diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c +index 3ac3206df..31a1c77d3 100644 +--- a/glib/tests/hmac.c ++++ b/glib/tests/hmac.c +@@ -1,87 +1,9 @@ ++#include "config.h" ++ + #include + #include + #include + +-/* HMAC-MD5 test vectors as per RFC 2202 */ +- +-/* Test 1 */ +-guint8 key_md5_test1[] = { +- 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, +- 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; +-guint8 result_md5_test1[] = { +- 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c, 0x13, 0xf4, +- 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d }; +- +-/* Test 2 */ +-guint8 result_md5_test2[] = { +- 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03, 0xea, 0xa8, +- 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38 }; +- +-/* Test 3 */ +-guint8 key_md5_test3[] = { +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; +-guint8 data_md5_test3[] = { +- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, +- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, +- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, +- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, +- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 
0xdd, 0xdd, 0xdd }; +-guint8 result_md5_test3[] = { +- 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88, 0xdb, 0xb8, +- 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6 }; +- +-/* Test 4 */ +-guint8 key_md5_test4[] = { +- 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, +- 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, +- 0x15, 0x16, 0x17, 0x18, 0x19 }; +-guint8 data_md5_test4[] = { +- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, +- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, +- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, +- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, +- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd }; +-guint8 result_md5_test4[] = { +- 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea, 0x3a, 0x75, +- 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79 }; +- +-/* Test 5 */ +-guint8 key_md5_test5[] = { +- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, +- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c}; +-guint8 result_md5_test5[] = { +- 0x56, 0x46, 0x1e, 0xf2, 0x34, 0x2e, 0xdc, 0x00, 0xf9, 0xba, +- 0xb9, 0x95, 0x69, 0x0e, 0xfd, 0x4c }; +- +-/* Test 6 */ +-guint8 key_md5_test6[] = { +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; +-guint8 result_md5_test6[] = { +- 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f, 0x0b, 0x62, +- 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd }; +- +-/* Test 6 */ +-guint8 key_md5_test7[] = { +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 
0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, +- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; +-guint8 result_md5_test7[] = { +- 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee, 0x1f, 0xb1, +- 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e }; +- + /* HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 test vectors + * as per RFCs 2202 and 4868. + * +@@ -299,25 +221,6 @@ typedef struct { + gconstpointer result; + } HmacCase; + +-HmacCase hmac_md5_tests[] = { +- { G_CHECKSUM_MD5, key_md5_test1, 16, "Hi There", 8, result_md5_test1 }, +- { G_CHECKSUM_MD5, "Jefe", 4, "what do ya want for nothing?", 28, +- result_md5_test2 }, +- { G_CHECKSUM_MD5, key_md5_test3, 16, data_md5_test3, 50, +- result_md5_test3 }, +- { G_CHECKSUM_MD5, key_md5_test4, 25, data_md5_test4, 50, +- result_md5_test4 }, +- { G_CHECKSUM_MD5, key_md5_test5, 16, "Test With Truncation", 20, +- result_md5_test5 }, +- { G_CHECKSUM_MD5, key_md5_test6, 80, +- "Test Using Larger Than Block-Size Key - Hash Key First", 54, +- result_md5_test6 }, +- { G_CHECKSUM_MD5, key_md5_test7, 80, +- "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", +- 73, result_md5_test7 }, +- { -1, NULL, 0, NULL, 0, NULL }, +-}; +- + HmacCase hmac_sha1_tests[] = { + { G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 }, + { G_CHECKSUM_SHA1, "Jefe", 4, "what do ya want for nothing?", 28, +@@ -493,11 +396,40 @@ test_hmac_for_bytes (void) + g_bytes_unref (data); + } + ++static void ++test_gnutls_fips_mode (void) ++{ ++ GHmac *hmac; ++ GHmac *copy; ++ ++ /* No MD5 in FIPS mode. */ ++ hmac = g_hmac_new (G_CHECKSUM_MD5, "abc123", sizeof ("abc123")); ++ g_assert_null (hmac); ++ ++ /* SHA-256 should be good. 
*/ ++ hmac = g_hmac_new (G_CHECKSUM_SHA256, "abc123", sizeof ("abc123")); ++ g_assert_nonnull (hmac); ++ ++ /* Ensure g_hmac_update() does not crash when called with -1. */ ++ g_hmac_update (hmac, "You win again, gravity!", -1); ++ ++ /* Ensure g_hmac_copy() does not crash. */ ++ copy = g_hmac_copy (hmac); ++ g_assert_nonnull (hmac); ++ g_hmac_unref (hmac); ++ ++ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); ++ g_hmac_unref (copy); ++} ++ + int + main (int argc, + char **argv) + { + int i; ++ ++ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE); ++ + g_test_init (&argc, &argv, NULL); + + for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++) +@@ -532,19 +464,12 @@ main (int argc, + g_free (name); + } + +- for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++) +- { +- gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1); +- g_test_add_data_func (name, hmac_md5_tests + i, +- (void (*)(const void *)) test_hmac); +- g_free (name); +- } +- + g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref); + g_test_add_func ("/hmac/copy", test_hmac_copy); + g_test_add_func ("/hmac/for-data", test_hmac_for_data); + g_test_add_func ("/hmac/for-string", test_hmac_for_string); + g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); ++ g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode); + + return g_test_run (); + } +-- +2.31.1 diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index 081ea1b..201dfdc 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -5,7 +5,7 @@ Name: glib2 Version: 2.56.4 -Release: 13%{?dist} +Release: 14%{?dist} Summary: A library of handy utility functions License: LGPLv2+ 
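Review bot: In `test_gnutls_fips_mode()` the check after `copy = g_hmac_copy (hmac);` is `g_assert_nonnull (hmac);`, which re-tests the original handle, so a NULL copy would only surface later inside `g_hmac_get_string()`; it should read `g_assert_nonnull (copy);`. Both `g_hmac_new()` calls pass `sizeof ("abc123")` as the key length, which counts the terminating NUL, so the pinned digest is for a 7-byte key; a comment such as `/* key length deliberately includes the trailing NUL */` would make that explicit. `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE)` keeps any value already present in the environment, so the MD5 expectation depends on how the test is launched; passing `TRUE` would pin it.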
@@ -300,6 +300,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Wed Jun 23 2021 Michael Catanzaro - 2.56.4-14 +- Refresh GHmac patchset +- Resolves: #1971533 + * Thu May 20 2021 Michael Catanzaro - 2.56.4-13 - Rename and consolidate existing patches for better maintainability - Refresh CVE-2021-27219 patcheset, using better-targeted fixes