From 17c662c18a7bce2ae574e8e3f1dcf92653834028 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 04:49:12 +0000
Subject: import gnutls-3.3.29-8.el7
---
diff --git a/.gitignore b/.gitignore
index a1fb9dd..79f696e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/gnutls-3.3.26-hobbled.tar.xz
+SOURCES/gnutls-3.3.29-hobbled.tar.xz
diff --git a/.gnutls.metadata b/.gnutls.metadata
index 695a36c..17b46e5 100644
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@@ -1 +1 @@
-d3ec13b080bd01c7705e81f5a5e80284e571115c SOURCES/gnutls-3.3.26-hobbled.tar.xz
+0827e9992678c32b78364e83066062ebe1e6bdd0 SOURCES/gnutls-3.3.29-hobbled.tar.xz
diff --git a/SOURCES/gnutls-3.3.26-cve-2017-7869.patch b/SOURCES/gnutls-3.3.26-cve-2017-7869.patch
deleted file mode 100644
index d2ddc38..0000000
--- a/SOURCES/gnutls-3.3.26-cve-2017-7869.patch
+++ /dev/null
@@ -1,235 +0,0 @@ -diff --git a/lib/opencdk/kbnode.c b/lib/opencdk/kbnode.c -index c28cb34..f865b16 100644 ---- a/lib/opencdk/kbnode.c -+++ b/lib/opencdk/kbnode.c -@@ -369,12 +369,14 @@ cdk_packet_t cdk_kbnode_get_packet(cdk_kbnode_t node) - * @armor: whether base64 or not - * @buf: the buffer which stores the key sequence - * @buflen: the length of the buffer -+ * @public: non-zero if reading a public key - * - * Tries to read a key node from the memory buffer @buf. - **/ - cdk_error_t - cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, -- int armor, const byte * buf, size_t buflen) -+ int armor, const byte * buf, size_t buflen, -+ unsigned public) - { - cdk_stream_t inp; - cdk_error_t rc; -@@ -393,7 +395,7 @@ cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, - if (armor) - cdk_stream_set_armor_flag(inp, 0); - -- rc = cdk_keydb_get_keyblock(inp, ret_node); -+ rc = cdk_keydb_get_keyblock(inp, ret_node, public); - if (rc) - gnutls_assert(); - cdk_stream_close(inp); -diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c -index 64eebf0..9112d9a 100644 ---- a/lib/opencdk/keydb.c -+++ b/lib/opencdk/keydb.c -@@ -108,7 +108,7 @@ static cdk_error_t keydb_idx_build(const char *file) - while (!cdk_stream_eof(inp)) { - off_t pos = cdk_stream_tell(inp); - -- rc = cdk_pkt_read(inp, pkt); -+ rc = cdk_pkt_read(inp, pkt, 1); - if (rc) { - _cdk_log_debug - ("index build failed packet off=%lu\n", -@@ -816,7 +816,7 @@ cdk_keydb_search(cdk_keydb_search_t st, cdk_keydb_hd_t hd, - - pos = cdk_stream_tell(kr); - -- rc = cdk_keydb_get_keyblock(kr, &knode); -+ rc = cdk_keydb_get_keyblock(kr, &knode, 1); - - if (rc) { - if (rc == CDK_EOF) -@@ -1679,7 +1679,7 @@ add_key_usage(cdk_kbnode_t knode, u32 keyid[2], unsigned int usage) - } - - cdk_error_t --cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) -+cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode, unsigned public) - { - cdk_packet_t pkt; - cdk_kbnode_t knode, node; -@@ -1706,7 +1706,7 @@ 
cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) - while (!cdk_stream_eof(inp)) { - cdk_pkt_new(&pkt); - old_off = cdk_stream_tell(inp); -- rc = cdk_pkt_read(inp, pkt); -+ rc = cdk_pkt_read(inp, pkt, public); - if (rc) { - cdk_pkt_release(pkt); - if (rc == CDK_EOF) -@@ -2126,7 +2126,7 @@ cdk_error_t cdk_keydb_check_sk(cdk_keydb_hd_t hd, u32 * keyid) - return rc; - } - cdk_pkt_new(&pkt); -- while (!cdk_pkt_read(db, pkt)) { -+ while (!cdk_pkt_read(db, pkt, 0)) { - if (pkt->pkttype != CDK_PKT_SECRET_KEY && - pkt->pkttype != CDK_PKT_SECRET_SUBKEY) { - cdk_pkt_free(pkt); -@@ -2241,14 +2241,14 @@ cdk_error_t cdk_listkey_next(cdk_listkey_t ctx, cdk_kbnode_t * ret_key) - } - - if (ctx->type && ctx->u.patt[0] == '*') -- return cdk_keydb_get_keyblock(ctx->inp, ret_key); -+ return cdk_keydb_get_keyblock(ctx->inp, ret_key, 1); - else if (ctx->type) { - cdk_kbnode_t node; - struct cdk_keydb_search_s ks; - cdk_error_t rc; - - for (;;) { -- rc = cdk_keydb_get_keyblock(ctx->inp, &node); -+ rc = cdk_keydb_get_keyblock(ctx->inp, &node, 1); - if (rc) { - gnutls_assert(); - return rc; -diff --git a/lib/opencdk/literal.c b/lib/opencdk/literal.c -index 7b4baec..6996774 100644 ---- a/lib/opencdk/literal.c -+++ b/lib/opencdk/literal.c -@@ -67,7 +67,7 @@ static cdk_error_t literal_decode(void *data, FILE * in, FILE * out) - return rc; - - cdk_pkt_new(&pkt); -- rc = cdk_pkt_read(si, pkt); -+ rc = cdk_pkt_read(si, pkt, 1); - if (rc || pkt->pkttype != CDK_PKT_LITERAL) { - cdk_pkt_release(pkt); - cdk_stream_close(si); -diff --git a/lib/opencdk/opencdk.h b/lib/opencdk/opencdk.h -index c06b749..d95cc32 100644 ---- a/lib/opencdk/opencdk.h -+++ b/lib/opencdk/opencdk.h -@@ -553,7 +553,7 @@ extern "C" { - void cdk_pkt_release(cdk_packet_t pkt); - - /* Read or write the given output from or to the stream. 
*/ -- cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt); -+ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public); - cdk_error_t cdk_pkt_write(cdk_stream_t out, cdk_packet_t pkt); - - /* Sub packet routines */ -@@ -814,7 +814,8 @@ extern "C" { - /* Try to read the next key block from the given input stream. - The key will be returned in @RET_KEY on success. */ - cdk_error_t cdk_keydb_get_keyblock(cdk_stream_t inp, -- cdk_kbnode_t * ret_key); -+ cdk_kbnode_t * ret_key, -+ unsigned public); - - /* Rebuild the key db index if possible. */ - cdk_error_t cdk_keydb_idx_rebuild(cdk_keydb_hd_t db, -@@ -848,7 +849,7 @@ extern "C" { - cdk_error_t cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, - int armor, - const unsigned char *buf, -- size_t buflen); -+ size_t buflen, unsigned public); - cdk_error_t cdk_kbnode_write_to_mem(cdk_kbnode_t node, - unsigned char *buf, - size_t * r_nbytes); -diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c -index 7a474ff..72624d0 100644 ---- a/lib/opencdk/read-packet.c -+++ b/lib/opencdk/read-packet.c -@@ -571,6 +571,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id) - } - - -+#define MAX_PACKET_LEN (1<<24) -+ -+ - static cdk_error_t - read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) - { -@@ -610,6 +613,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) - else - return CDK_Inv_Packet; - -+ if (size >= MAX_PACKET_LEN) { -+ return CDK_Inv_Packet; -+ } -+ - node = cdk_subpkt_new(size); - if (!node) - return CDK_Out_Of_Core; -@@ -958,7 +965,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) - * - * Parse the next packet on the @inp stream and return its contents in @pkt. 
- **/ --cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) -+cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public) - { - int ctb, is_newctb; - int pkttype; -@@ -1058,6 +1065,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) - break; - - case CDK_PKT_SECRET_KEY: -+ if (public) { -+ /* read secret key when expecting public */ -+ return gnutls_assert_val(CDK_Inv_Packet); -+ } - pkt->pkt.secret_key = - cdk_calloc(1, sizeof *pkt->pkt.secret_key); - if (!pkt->pkt.secret_key) -@@ -1073,6 +1084,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) - break; - - case CDK_PKT_SECRET_SUBKEY: -+ if (public) { -+ /* read secret key when expecting public */ -+ return gnutls_assert_val(CDK_Inv_Packet); -+ } - pkt->pkt.secret_key = - cdk_calloc(1, sizeof *pkt->pkt.secret_key); - if (!pkt->pkt.secret_key) -diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c -index 7c05e1f..192737f 100644 ---- a/lib/openpgp/gnutls_openpgp.c -+++ b/lib/openpgp/gnutls_openpgp.c -@@ -479,7 +479,7 @@ int gnutls_openpgp_count_key_names(const gnutls_datum_t * cert) - return 0; - } - -- if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size)) { -+ if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size, 1)) { - gnutls_assert(); - return 0; - } -diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c -index d5ef272..77e57ab 100644 ---- a/lib/openpgp/pgp.c -+++ b/lib/openpgp/pgp.c -@@ -99,7 +99,7 @@ gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key, - armor = 1; - - rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data, -- data->size); -+ data->size, 1); - if (rc) { - rc = _gnutls_map_cdk_rc(rc); - gnutls_assert(); -diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c -index 6aa6fb5..81ec3ab 100644 ---- a/lib/openpgp/privkey.c -+++ b/lib/openpgp/privkey.c -@@ -186,7 +186,7 @@ gnutls_openpgp_privkey_import(gnutls_openpgp_privkey_t key, - armor = 1; - - rc = cdk_kbnode_read_from_mem(&key->knode, armor, 
data->data, -- data->size); -+ data->size, 0); - if (rc != 0) { - rc = _gnutls_map_cdk_rc(rc); - gnutls_assert(); diff --git a/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch b/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch deleted file mode 100644 index 4093066..0000000 --- a/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch +++ /dev/null @@ -1,56 +0,0 @@ -diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c -index 624aa36..b064b45 100644 ---- a/lib/nettle/int/rsa-keygen-fips186.c -+++ b/lib/nettle/int/rsa-keygen-fips186.c -@@ -27,7 +27,6 @@ - #include "config.h" - #endif - --#include - #include - #include - #include -@@ -337,10 +336,16 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - - mpz_mul(pub->n, key->p, key->q); - -- assert(mpz_sizeinbase(pub->n, 2) == n_size); -+ if (mpz_sizeinbase(pub->n, 2) != n_size) { -+ ret = 0; -+ goto cleanup; -+ } - - /* c = q^{-1} (mod p) */ -- assert(mpz_invert(key->c, key->q, key->p) != 0); -+ if (mpz_invert(key->c, key->q, key->p) == 0) { -+ ret = 0; -+ goto cleanup; -+ } - - mpz_sub_ui(p1, key->p, 1); - mpz_sub_ui(q1, key->q, 1); -@@ -352,6 +357,12 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - goto cleanup; - } - -+ /* check whether d > 2^(nlen/2) -- FIPS186-4 5.3.1 */ -+ if (mpz_sizeinbase(key->d, 2) < n_size/2) { -+ ret = 0; -+ goto cleanup; -+ } -+ - /* Done! Almost, we must compute the auxillary private values. */ - /* a = d % (p-1) */ - mpz_fdiv_r(key->a, key->d, p1); -@@ -362,7 +373,10 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, - /* c was computed earlier */ - - pub->size = key->size = (n_size + 7) / 8; -- assert(pub->size >= RSA_MINIMUM_N_OCTETS); -+ if (pub->size < RSA_MINIMUM_N_OCTETS) { -+ ret = 0; -+ goto cleanup; -+ } - - ret = 1; - cleanup: diff --git a/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch b/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch deleted file mode 100644 index fa27c05..0000000 
--- a/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 56c0163..368598b 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -2021,7 +2021,9 @@ static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk, - break; - } - -- _rsa_params_to_pubkey(issuer_params, &pub); -+ ret = _rsa_params_to_pubkey(issuer_params, &pub); -+ if (ret < 0) -+ return gnutls_assert_val(ret); - - digest_size = sizeof(digest); - diff --git a/SOURCES/gnutls-3.3.26-fix-uninitialized.patch b/SOURCES/gnutls-3.3.26-fix-uninitialized.patch deleted file mode 100644 index 1242a1d..0000000 --- a/SOURCES/gnutls-3.3.26-fix-uninitialized.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index d99dedf..f5cf99d 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -3019,6 +3019,7 @@ gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list, - if (ret < 0) { - gnutls_assert(); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -+ *p_list = NULL; - *n_list = 0; - ret = 0; - } diff --git a/SOURCES/gnutls-3.3.26-pin-value.patch b/SOURCES/gnutls-3.3.26-pin-value.patch deleted file mode 100644 index 794ba48..0000000 --- a/SOURCES/gnutls-3.3.26-pin-value.patch +++ /dev/null 
@@ -1,662 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index 0840042..c9c9fdc 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -447,6 +447,9 @@ if test "$with_p11_kit" != "no"; then - if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then - with_buggy_p11_kit=yes - fi -+ if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then -+ AC_DEFINE([P11_KIT_HAS_PIN_VALUE], 1, [p11-kit supports p11_kit_uri_get_pin_value()]) -+ fi - else - with_p11_kit=no - AC_MSG_WARN([[ -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index f5cf99d..26d88e5 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -2367,6 +2367,25 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, - - *pin = NULL; - -+#ifdef P11_KIT_HAS_PIN_VALUE -+ /* First check for pin-value field */ -+ pinfile = p11_kit_uri_get_pin_value(info); -+ if (pinfile != NULL) { -+ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n"); -+ *pin = p11_kit_pin_new_for_string(pinfile); -+ if (*pin != NULL) -+ ret = 0; -+ } else { /* try pin-source */ -+ /* Check if a pinfile is specified, and use that if possible */ -+ pinfile = p11_kit_uri_get_pin_source(info); -+ if (pinfile != NULL) { -+ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n"); -+ ret = -+ retrieve_pin_from_source(pinfile, token_info, attempts, -+ user_type, pin); -+ } -+ } -+#else - /* Check if a pinfile is specified, and use that if possible */ - pinfile = p11_kit_uri_get_pinfile(info); - if (pinfile != NULL) { -@@ -2375,6 +2394,7 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, - retrieve_pin_from_source(pinfile, token_info, attempts, - user_type, pin); - } -+#endif - - /* The global gnutls pin callback */ - if (ret < 0) -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 5b60899..20ed79c 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -36,7 +36,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ - certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ - 
certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ - certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ -- cert-common.h pkcs11/softhsm.h -+ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c - - AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) - AM_CPPFLAGS = \ -@@ -113,7 +113,8 @@ pkcs11_import_url_privkey_LDADD = $(LDADD) $(LIBDL) - - ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts \ - pkcs11/pkcs11-chainverify pkcs11/pkcs11-get-issuer pkcs11/pkcs11-is-known \ -- pkcs11/pkcs11-combo pkcs11-import-url-privkey -+ pkcs11/pkcs11-combo pkcs11-import-url-privkey pkcs11/pkcs11-pubkey-import-rsa \ -+ pkcs11/pkcs11-import-with-pin - - endif - endif -diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c -new file mode 100644 -index 0000000..e435919 ---- /dev/null -+++ b/tests/pkcs11/pkcs11-import-with-pin.c -@@ -0,0 +1,198 @@ -+/* -+ * Copyright (C) 2017 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+#include "../utils.h" -+#include "softhsm.h" -+ -+/* Tests whether a protected object is imported with PIN obtained using -+ * pin-value or pin-source. */ -+ -+#define CONFIG_NAME "softhsm-import-with-pin" -+#define CONFIG CONFIG_NAME".config" -+ -+#include "../cert-common.h" -+ -+#define PIN "1234" -+ -+static const gnutls_datum_t testdata = {(void*)"test test", 9}; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "|<%d>| %s", level, str); -+} -+ -+static -+int pin_func(void* userdata, int attempt, const char* url, const char *label, -+ unsigned flags, char *pin, size_t pin_max) -+{ -+ if (attempt == 0) { -+ strcpy(pin, PIN); -+ return 0; -+ } -+ return -1; -+} -+ -+static void write_pin(const char *file, const char *pin) -+{ -+ FILE *fp = fopen(file, "w"); -+ assert(fp != NULL); -+ fputs(pin, fp); -+ fclose(fp); -+} -+ -+void doit() -+{ -+ char buf[512]; -+ int ret, pk; -+ const char *lib, *bin; -+ gnutls_x509_privkey_t key; -+ gnutls_datum_t tmp, sig; -+ gnutls_privkey_t pkey; -+ char file[TMPNAME_SIZE]; -+ -+#ifndef P11_KIT_HAS_PIN_VALUE -+ exit(77); -+#endif -+ -+ bin = softhsm_bin(); -+ -+ lib = softhsm_lib(); -+ -+ ret = global_init(); -+ if (ret != 0) { -+ fail("%d: %s\n", ret, gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ gnutls_pkcs11_set_pin_function(pin_func, NULL); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ set_softhsm_conf(CONFIG); -+ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); -+ system(buf); -+ -+ ret = gnutls_pkcs11_add_provider(lib, 
"trusted"); -+ if (ret < 0) { -+ fprintf(stderr, "add_provider: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_x509_privkey_init(&key); -+ if (ret < 0) { -+ fprintf(stderr, -+ "gnutls_x509_privkey_init: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = -+ gnutls_x509_privkey_import(key, &server_key, -+ GNUTLS_X509_FMT_PEM); -+ if (ret < 0) { -+ fprintf(stderr, -+ "gnutls_x509_privkey_import: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ /* initialize softhsm token */ -+ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, -+ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ gnutls_x509_privkey_deinit(key); -+ gnutls_pkcs11_set_pin_function(NULL, NULL); -+ -+ assert(gnutls_privkey_init(&pkey) == 0); -+ -+ /* Test 1 -+ * Try importing with pin-value */ -+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); -+ if (ret < 0) { -+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ /* check whether privkey is operational by signing */ -+ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); -+ gnutls_free(sig.data); -+ gnutls_privkey_deinit(pkey); -+ -+ /* Test 2 -+ * Try importing with pin-source */ -+ track_temp_files(); -+ get_tmpname(file); -+ -+ write_pin(file, PIN); -+ -+ -+ assert(gnutls_privkey_init(&pkey) == 0); -+ 
snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); -+ ret = gnutls_privkey_import_pkcs11_url(pkey, buf); -+ if (ret < 0) { -+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ /* check whether privkey is operational by signing */ -+ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); -+ gnutls_free(sig.data); -+ gnutls_privkey_deinit(pkey); -+ -+ gnutls_global_deinit(); -+ delete_temp_files(); -+ -+ remove(CONFIG); -+} -+ -diff --git a/tests/pkcs11/pkcs11-pubkey-import-rsa.c b/tests/pkcs11/pkcs11-pubkey-import-rsa.c -new file mode 100644 -index 0000000..d304c4f ---- /dev/null -+++ b/tests/pkcs11/pkcs11-pubkey-import-rsa.c -@@ -0,0 +1,41 @@ -+/* -+ * Copyright (C) 2015 Nikos Mavrogiannopoulos -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+ -+#define CONFIG_NAME "softhsm-pubkey-import-rsa" -+#define CONFIG CONFIG_NAME".config" -+ -+#include "pkcs11-pubkey-import.c" -+ -+void doit(void) -+{ -+ success("Testing RSA key\n"); -+ try(1); -+} -diff --git a/tests/pkcs11/pkcs11-pubkey-import.c b/tests/pkcs11/pkcs11-pubkey-import.c -new file mode 100644 -index 0000000..7513aad ---- /dev/null -+++ b/tests/pkcs11/pkcs11-pubkey-import.c -@@ -0,0 +1,220 @@ -+/* -+ * Copyright (C) 2015 Nikos Mavrogiannopoulos -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+#include "../utils.h" -+#include "softhsm.h" -+ -+/* Tests whether gnutls_pubkey_import_privkey works well for -+ * RSA keys under PKCS #11 */ -+ -+ -+#include "../cert-common.h" -+ -+#define PIN "1234" -+ -+static const gnutls_datum_t testdata = {(void*)"test test", 9}; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "|<%d>| %s", level, str); -+} -+ -+static -+int pin_func(void* userdata, int attempt, const char* url, const char *label, -+ unsigned flags, char *pin, size_t pin_max) -+{ -+ if (attempt == 0) { -+ strcpy(pin, PIN); -+ return 0; -+ } -+ return -1; -+} -+ -+static void try(int rsa) -+{ -+ char buf[128]; -+ int ret, pk; -+ const char *lib, *bin; -+ gnutls_x509_crt_t crt; -+ gnutls_x509_privkey_t key; -+ gnutls_datum_t tmp, sig; -+ gnutls_privkey_t pkey; -+ gnutls_pubkey_t pubkey; -+ gnutls_pubkey_t pubkey2; -+ -+#ifndef P11_KIT_HAS_PIN_VALUE -+ exit(77); -+#endif -+ -+ bin = softhsm_bin(); -+ -+ lib = softhsm_lib(); -+ -+ ret = global_init(); -+ if (ret != 0) { -+ fail("%d: %s\n", ret, gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ gnutls_pkcs11_set_pin_function(pin_func, NULL); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ set_softhsm_conf(CONFIG); -+ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); -+ system(buf); -+ -+ ret = gnutls_pkcs11_add_provider(lib, "trusted"); -+ if (ret < 0) { -+ fprintf(stderr, "gnutls_x509_crt_init: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_x509_crt_init(&crt); -+ if (ret < 0) { -+ 
fprintf(stderr, -+ "gnutls_x509_crt_init: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = -+ gnutls_x509_crt_import(crt, rsa?&server_cert:&server_ecc_cert, -+ GNUTLS_X509_FMT_PEM); -+ if (ret < 0) { -+ fprintf(stderr, -+ "gnutls_x509_crt_import: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ if (debug) { -+ gnutls_x509_crt_print(crt, -+ GNUTLS_CRT_PRINT_ONELINE, -+ &tmp); -+ -+ printf("\tCertificate: %.*s\n", -+ tmp.size, tmp.data); -+ gnutls_free(tmp.data); -+ } -+ -+ ret = gnutls_x509_privkey_init(&key); -+ if (ret < 0) { -+ fprintf(stderr, -+ "gnutls_x509_privkey_init: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = -+ gnutls_x509_privkey_import(key, rsa?&server_key:&server_ecc_key, -+ GNUTLS_X509_FMT_PEM); -+ if (ret < 0) { -+ fprintf(stderr, -+ "gnutls_x509_privkey_import: %s\n", -+ gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ /* initialize softhsm token */ -+ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", -+ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, -+ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ gnutls_x509_crt_deinit(crt); -+ gnutls_x509_privkey_deinit(key); -+ gnutls_pkcs11_set_pin_function(NULL, NULL); -+ -+ assert(gnutls_privkey_init(&pkey) 
== 0); -+ -+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); -+ if (ret < 0) { -+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); -+ exit(1); -+ } -+ -+ assert(gnutls_pubkey_init(&pubkey) == 0); -+ assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); -+ -+ pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL); -+ -+ /* check whether privkey and pubkey are operational -+ * by signing and verifying */ -+ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); -+ -+ /* verify against the raw pubkey */ -+ assert(gnutls_pubkey_init(&pubkey2) == 0); -+ assert(gnutls_pubkey_import_x509_raw(pubkey2, rsa?&server_cert:&server_ecc_cert, GNUTLS_X509_FMT_PEM, 0) == 0); -+ assert(gnutls_pubkey_verify_data2(pubkey2, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); -+ -+ /* verify against the pubkey in PKCS #11 */ -+ assert(gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); -+ -+ gnutls_free(sig.data); -+ -+ gnutls_pubkey_deinit(pubkey2); -+ gnutls_pubkey_deinit(pubkey); -+ gnutls_privkey_deinit(pkey); -+ -+ gnutls_global_deinit(); -+ -+ remove(CONFIG); -+} -+ -diff --git a/tests/utils.c b/tests/utils.c -index 65ceafd..37345a6 100644 ---- a/tests/utils.c -+++ b/tests/utils.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #ifndef _WIN32 - # include - # include -@@ -39,6 +40,8 @@ - # include - #endif - #endif -+#include -+#include - - #include "utils.h" - -@@ -183,3 +186,74 @@ int main(int argc, char *argv[]) - - return error_count ? 
1 : 0; - } -+ -+struct tmp_file_st { -+ char file[TMPNAME_SIZE]; -+ struct tmp_file_st *next; -+}; -+ -+static struct tmp_file_st *temp_files = (void*)-1; -+ -+static void append(const char *file) -+{ -+ struct tmp_file_st *p; -+ -+ if (temp_files == (void*)-1) -+ return; -+ -+ p = calloc(1, sizeof(*p)); -+ -+ assert(p != NULL); -+ strcpy(p->file, file); -+ p->next = temp_files; -+ temp_files = p; -+} -+ -+char *get_tmpname(char s[TMPNAME_SIZE]) -+{ -+ unsigned char rnd[6]; -+ static char _s[TMPNAME_SIZE]; -+ int ret; -+ char *p; -+ const char *path; -+ -+ ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd)); -+ if (ret < 0) -+ return NULL; -+ -+ path = getenv("builddir"); -+ if (path == NULL) -+ path = "."; -+ -+ if (s == NULL) -+ p = _s; -+ else -+ p = s; -+ -+ snprintf(p, TMPNAME_SIZE, "%s/tmpfile-%02x%02x%02x%02x%02x%02x.tmp", path, (unsigned)rnd[0], (unsigned)rnd[1], -+ (unsigned)rnd[2], (unsigned)rnd[3], (unsigned)rnd[4], (unsigned)rnd[5]); -+ -+ append(p); -+ -+ return p; -+} -+ -+void track_temp_files(void) -+{ -+ temp_files = NULL; -+} -+ -+void delete_temp_files(void) -+{ -+ struct tmp_file_st *p = temp_files; -+ struct tmp_file_st *next; -+ -+ if (p == (void*)-1) -+ return; -+ -+ while(p != NULL) { -+ next = p->next; -+ free(p); -+ p = next; -+ } -+} -diff --git a/tests/utils.h b/tests/utils.h -index 8f3ac3f..5c0afe7 100644 ---- a/tests/utils.h -+++ b/tests/utils.h -@@ -61,4 +61,9 @@ extern void binprint(const void *str, size_t len); - extern void doit(void); - void sec_sleep(int sec); - -+#define TMPNAME_SIZE 128 -+char *get_tmpname(char s[TMPNAME_SIZE]); -+void track_temp_files(void); -+void delete_temp_files(void); -+ - #endif /* UTILS_H */ diff --git a/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch b/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch deleted file mode 100644 index 8c00d63..0000000 --- a/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c -index 8cefc61..c7c065e 100644 ---- a/lib/ext/status_request.c -+++ b/lib/ext/status_request.c -@@ -1,5 +1,6 @@ - /* -- * Copyright (C) 2012 Free Software Foundation, Inc. -+ * Copyright (C) 2012-2017 Free Software Foundation, Inc. -+ * Copyright (C) 2017 Red Hat, Inc. - * - * Author: Simon Josefsson, Nikos Mavrogiannopoulos - * -@@ -66,18 +67,6 @@ typedef struct { - opaque Extensions<0..2^16-1>; - */ - --static void deinit_responder_id(status_request_ext_st *priv) --{ --unsigned i; -- -- for (i = 0; i < priv->responder_id_size; i++) -- gnutls_free(priv->responder_id[i].data); -- -- gnutls_free(priv->responder_id); -- priv->responder_id = NULL; -- priv->responder_id_size = 0; --} -- - - static int - client_send(gnutls_session_t session, -@@ -132,8 +121,8 @@ server_recv(gnutls_session_t session, - status_request_ext_st * priv, - const uint8_t * data, size_t size) - { -- size_t i; - ssize_t data_size = size; -+ unsigned rid_bytes = 0; - - /* minimum message is type (1) + responder_id_list (2) + - request_extension (2) = 5 */ -@@ -152,43 +141,17 @@ server_recv(gnutls_session_t session, - DECR_LEN(data_size, 1); - data++; - -- priv->responder_id_size = _gnutls_read_uint16(data); -+ rid_bytes = _gnutls_read_uint16(data); - - DECR_LEN(data_size, 2); -- data += 2; -+ /*data += 2;*/ - -- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) -+ /* sanity check only, we don't use any of the data below */ -+ -+ if (data_size < (ssize_t)rid_bytes) - return - gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - -- if (priv->responder_id != NULL) -- deinit_responder_id(priv); -- -- priv->responder_id = gnutls_calloc(1, priv->responder_id_size -- * sizeof(*priv->responder_id)); -- if (priv->responder_id == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- -- for (i = 0; i < priv->responder_id_size; i++) { -- size_t l; -- -- DECR_LEN(data_size, 2); -- -- l = 
_gnutls_read_uint16(data); -- data += 2; -- -- DECR_LEN(data_size, l); -- -- priv->responder_id[i].data = gnutls_malloc(l); -- if (priv->responder_id[i].data == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- -- memcpy(priv->responder_id[i].data, data, l); -- priv->responder_id[i].size = l; -- -- data += l; -- } -- - return 0; - } - -@@ -472,11 +435,18 @@ gnutls_certificate_set_ocsp_status_request_file - static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) - { - status_request_ext_st *priv = epriv.ptr; -+ unsigned i; - - if (priv == NULL) - return; - -- deinit_responder_id(priv); -+ if (priv->responder_id != NULL) { -+ for (i = 0; i < priv->responder_id_size; i++) -+ gnutls_free(priv->responder_id[i].data); -+ -+ gnutls_free(priv->responder_id); -+ } -+ - gnutls_free(priv->request_extensions.data); - gnutls_free(priv->response.data); - gnutls_free(priv); diff --git a/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch b/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch deleted file mode 100644 index 6d3d65f..0000000 --- a/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch +++ /dev/null 
@@ -1,316 +0,0 @@ -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 20ed79c..0d72707 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -88,7 +88,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ - long-session-id mini-x509-callbacks-intr \ - crlverify init_fds mini-rehandshake-2 sign-md5-rep global-init-override \ - version-checks mini-server-name naked-alerts multi-alerts \ -- pkcs8-key-decode-encrypted pkcs8-key-decode -+ pkcs8-key-decode-encrypted pkcs8-key-decode crt_apis - - if ENABLE_PKCS11 - if !HAVE_BUGGY_P11_KIT -diff --git a/tests/crt_apis.c b/tests/crt_apis.c -new file mode 100644 -index 0000000..ad183d7 ---- /dev/null -+++ b/tests/crt_apis.c -@@ -0,0 +1,297 @@ -+/* -+ * Copyright (C) 2008-2016 Free Software Foundation, Inc. -+ * Copyright (C) 2016 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "utils.h" -+ -+#include "cert-common.h" -+ -+static unsigned char saved_crt_pem[] = -+ "-----BEGIN CERTIFICATE-----\n" -+ "MIICMTCCAZqgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n" -+ "a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n" -+ "Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n" -+ "ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n" -+ "17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n" -+ "fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n" -+ "jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo1Mw\n" -+ "UTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwDgYDVR0RBAcwBYIDYXBh\n" -+ "MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF\n" -+ "AAOBgQAFhjKULYgLWW9TmfqIdyKf+kr5zFaQnIlF0tuUcE9lq4am9NKUVuxn4yo2\n" -+ "AFePiZWksrLN8PvujOK+duJ5nljF3xXwF0Z/J83NzNa1buMafuBonTJTFQQQkoGK\n" -+ "6sN+hxb6qWBjZcyQflMeG5eMJC2b57Lao4IDLSHx+mo91fvKuw==\n" -+ "-----END CERTIFICATE-----\n"; -+ -+const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 }; -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "|<%d>| %s", level, str); -+} -+ -+static time_t mytime(time_t * t) -+{ -+ time_t then = 1207000800; -+ -+ if (t) -+ *t = then; -+ -+ return then; -+} -+ -+void doit(void) -+{ -+ gnutls_x509_privkey_t pkey; -+ gnutls_x509_crt_t crt; -+ gnutls_x509_crt_t crt2; -+ const char *err = NULL; -+ unsigned char buf[64]; -+ gnutls_datum_t out; -+ size_t s = 0; -+ int ret; -+ -+ ret = global_init(); -+ if (ret < 0) -+ fail("global_init\n"); -+ -+ 
gnutls_global_set_time_function(mytime); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ ret = gnutls_x509_crt_init(&crt); -+ if (ret != 0) -+ fail("gnutls_x509_crt_init\n"); -+ -+ ret = gnutls_x509_crt_init(&crt2); -+ if (ret != 0) -+ fail("gnutls_x509_crt_init\n"); -+ -+ ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); -+ if (ret != 0) -+ fail("gnutls_x509_crt_import\n"); -+ -+ ret = gnutls_x509_privkey_init(&pkey); -+ if (ret != 0) -+ fail("gnutls_x509_privkey_init\n"); -+ -+ ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); -+ if (ret != 0) -+ fail("gnutls_x509_privkey_import\n"); -+ -+ /* Setup CRT */ -+ -+ ret = gnutls_x509_crt_set_version(crt, 3); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_version\n"); -+ -+ ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_serial\n"); -+ -+ ret = gnutls_x509_crt_set_expiration_time(crt, -1); -+ if (ret != 0) -+ fail("error\n"); -+ -+ ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); -+ if (ret != 0) -+ fail("error\n"); -+ -+ ret = gnutls_x509_crt_set_key(crt, pkey); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_key\n"); -+ -+ ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); -+ if (ret < 0) { -+ fail("error\n"); -+ } -+ -+ ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_key_usage %d\n", ret); -+ -+ ret = gnutls_x509_crt_set_dn(crt, "cn = nikos,o = none to\\, mention", &err); -+ if (ret < 0) { -+ fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); -+ } -+ -+ -+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, -+ "foo", 3, 1); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_subject_alt_name\n"); -+ -+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, -+ "foo@bar.org", strlen("foo@bar.org"), 1); -+ if (ret != 0) -+ 
fail("gnutls_x509_crt_set_subject_alt_name\n"); -+ -+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, -+ "\xc1\x5c\x96\x3", 4, 1); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_subject_alt_name\n"); -+ -+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, -+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_subject_alt_name\n"); -+ -+ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, -+ "apa", 3, 0); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_subject_alt_name\n"); -+ -+ s = 0; -+ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); -+ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) -+ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); -+ -+ s = 0; -+ ret = -+ gnutls_x509_crt_set_key_purpose_oid(crt, -+ GNUTLS_KP_TLS_WWW_SERVER, -+ 0); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); -+ -+ s = 0; -+ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); -+ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) -+ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); -+ -+ s = 0; -+ ret = -+ gnutls_x509_crt_set_key_purpose_oid(crt, -+ GNUTLS_KP_TLS_WWW_CLIENT, -+ 1); -+ if (ret != 0) -+ fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); -+ -+ /* in the end this will be ignored as the issuer will be set -+ * by gnutls_x509_crt_sign2() */ -+ ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err); -+ if (ret < 0) { -+ fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); -+ } -+ -+#define ISSUER_UNIQUE_ID "\x00\x01\x02\x03" -+#define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01" -+ ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1); -+ if (ret < 0) -+ fail("error: %s\n", gnutls_strerror(ret)); -+ -+ ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1); -+ if (ret < 
0) -+ fail("error: %s\n", gnutls_strerror(ret)); -+ -+ /* Sign and finalize the certificate */ -+ ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); -+ if (ret < 0) -+ fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); -+ -+ -+ ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); -+ if (ret != 0) -+ fail("gnutls_x509_crt_print\n"); -+ if (debug) -+ printf("crt: %.*s\n", out.size, out.data); -+ gnutls_free(out.data); -+ -+ /* Verify whether selected input is present */ -+ s = 0; -+ ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); -+ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) -+ fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); -+ -+ s = 0; -+ ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); -+ if (ret != 0) -+ fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); -+ -+ ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); -+ if (ret < 0 || out.size == 0) -+ fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); -+ -+ if (out.size != 45 || -+ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { -+ hexprint(out.data, out.size); -+ fail("issuer DN comparison failed\n"); -+ } -+ gnutls_free(out.data); -+ -+ s = sizeof(buf); -+ ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s); -+ if (ret < 0) -+ fail("error: %s\n", gnutls_strerror(ret)); -+ -+ if (s != sizeof(ISSUER_UNIQUE_ID)-1 || -+ memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) { -+ fail("issuer unique id comparison failed\n"); -+ } -+ -+ s = sizeof(buf); -+ ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s); -+ if (ret < 0) -+ fail("error: %s\n", gnutls_strerror(ret)); -+ -+ if (s != sizeof(SUBJECT_UNIQUE_ID)-1 || -+ memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) { -+ fail("subject unique id comparison failed\n"); -+ } -+ -+ ret = 
gnutls_x509_crt_get_raw_dn(crt, &out); -+ if (ret < 0 || out.size == 0) -+ fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); -+ -+ if (out.size != 45 || -+ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { -+ fail("DN comparison failed\n"); -+ } -+ gnutls_free(out.data); -+ -+ assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); -+ -+ if (debug) -+ fprintf(stderr, "%s\n", out.data); -+ assert(out.size == saved_crt.size); -+ assert(memcmp(out.data, saved_crt.data, out.size)==0); -+ -+ gnutls_free(out.data); -+ -+ gnutls_x509_crt_deinit(crt); -+ gnutls_x509_crt_deinit(crt2); -+ gnutls_x509_privkey_deinit(pkey); -+ -+ gnutls_global_deinit(); -+} diff --git a/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch new file mode 100644 index 0000000..1708a23 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch 
@@ -0,0 +1,62 @@ +diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c +index f3e19105f..ff13d3720 100644 +--- a/lib/gnutls_priority.c ++++ b/lib/gnutls_priority.c +@@ -492,6 +492,7 @@ static const int sign_priority_secure192[] = { + static const int mac_priority_normal_default[] = { + GNUTLS_MAC_SHA1, + GNUTLS_MAC_AEAD, ++ GNUTLS_MAC_SHA256, + GNUTLS_MAC_MD5, + 0 + }; +@@ -499,6 +500,7 @@ static const int mac_priority_normal_default[] = { + static const int mac_priority_normal_fips[] = { + GNUTLS_MAC_SHA1, + GNUTLS_MAC_AEAD, ++ GNUTLS_MAC_SHA256, + 0 + }; + +@@ -527,11 +529,13 @@ static const int mac_priority_suiteb192[] = { + static const int mac_priority_secure128[] = { + GNUTLS_MAC_SHA1, + GNUTLS_MAC_AEAD, ++ GNUTLS_MAC_SHA256, + 0 + }; + + static const int mac_priority_secure192[] = { + GNUTLS_MAC_AEAD, ++ GNUTLS_MAC_SHA256, + 0 + }; + +diff --git a/tests/priorities.c b/tests/priorities.c +index 46221fcc0..0593279de 100644 +--- a/tests/priorities.c ++++ b/tests/priorities.c +@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers) + + void doit(void) + { +- const int normal = 41; +- const int null = 4; +- const int sec128 = 36; ++ const int normal = 57; ++ const int null = 5; ++ const int sec128 = 52; + + try_prio("NORMAL", normal, 9); + try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9); + try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */ + try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */ + try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */ +- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1); ++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); + try_prio("PERFORMANCE", normal, 9); +- try_prio("SECURE256", 10, 4); ++ try_prio("SECURE256", 16, 4); + try_prio("SECURE128", sec128, 8); + try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */ + 
try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */ diff --git a/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch new file mode 100644 index 0000000..67fe0d1 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch @@ -0,0 +1,28 @@ +diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c +index 65dde6899..8b34472b7 100644 +--- a/lib/gnutls_cipher.c ++++ b/lib/gnutls_cipher.c +@@ -659,7 +659,11 @@ ciphertext_to_compressed(gnutls_session_t session, + * Note that we access all 256 bytes of ciphertext for padding check + * because there is a timing channel in that memory access (in certain CPUs). + */ +- if (ver->id != GNUTLS_SSL3) ++ if (ver->id == GNUTLS_SSL3) { ++ if (pad >= blocksize) ++ pad_failed = 1; ++ } else ++ { + for (i = 2; i <= MIN(256, ciphertext->size); i++) { + tmp_pad_failed |= + (compressed-> +@@ -667,6 +671,7 @@ ciphertext_to_compressed(gnutls_session_t session, + pad_failed |= + ((i <= (1 + pad)) & (tmp_pad_failed)); + } ++ } + + if (unlikely + (pad_failed != 0 +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch new file mode 100644 index 0000000..5fb1f31 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch 
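Review bot: The expected counts in tests/priorities.c are bare literals (`normal = 57`, `null = 5`, `sec128 = 52`, plus the inline `10` and `16`), so the next change to the mac_priority_* arrays in lib/gnutls_priority.c means recomputing them by hand with nothing in the file saying where they come from. I would add a comment above the constants, for example `/* expected_cs: presumably the number of ciphersuites each priority string enables; recompute after any change to the MAC or cipher priority lists */`. The same import also adds gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch, so the MAC set that ends up as the default presumably depends on the order in which the patches are applied, which is not visible here.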
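Review bot: The new SSL3 branch in ciphertext_to_compressed() sets the failure flag through a data-dependent `if (pad >= blocksize) pad_failed = 1;`, while the TLS branch beside it accumulates its result with `|=` and the comment directly above is about timing channels in this padding check. Writing it as `pad_failed |= (pad >= blocksize);` would keep both paths in the same branch-free style, although the compiler may still emit a branch. The enclosing function starts and ends outside the hunk.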
@@ -0,0 +1,37 @@ +diff --git a/src/cli-args.def b/src/cli-args.def +index c661f458b..11d66ae8a 100644 +--- a/src/cli-args.def ++++ b/src/cli-args.def +@@ -80,6 +80,13 @@ flag = { + doc = "Connect, establish a session and rehandshake immediately."; + }; + ++flag = { ++ name = sni-hostname; ++ descrip = "Server's hostname for server name indication extension"; ++ arg-type = string; ++ doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used."; ++}; ++ + flag = { + name = starttls; + value = s; +diff --git a/src/cli.c b/src/cli.c +index 82d8e1166..f3d159a29 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -638,7 +638,10 @@ static gnutls_session_t init_tls_session(const char *hostname) + /* allow the use of private ciphersuites. + */ + if (disable_extensions == 0 && disable_sni == 0) { +- if (hostname != NULL && is_ip(hostname) == 0) ++ if (HAVE_OPT(SNI_HOSTNAME)) { ++ gnutls_server_name_set(session, GNUTLS_NAME_DNS, ++ OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME))); ++ } else if (hostname != NULL && is_ip(hostname) == 0) + gnutls_server_name_set(session, GNUTLS_NAME_DNS, + hostname, strlen(hostname)); + } +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-disable-failing-tests.patch b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch new file mode 100644 index 0000000..0e60891 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch 
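Review bot: The return value of `gnutls_server_name_set()` is discarded in the new `HAVE_OPT(SNI_HOSTNAME)` branch of init_tls_session(), so a rejected --sni-hostname value lets the handshake proceed without the requested server name and the test run still looks valid. Checking it, e.g. `if (gnutls_server_name_set(session, GNUTLS_NAME_DNS, OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME))) < 0) { fprintf(stderr, "Cannot set server name\n"); exit(1); }`, would make the failure visible. Unlike the fallback branch, the option value is not passed through `is_ip()`, so an IP literal would be sent as a DNS name; the `doc` string in cli-args.def could state that the value must be a DNS hostname. init_tls_session() continues outside the hunk.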
@@ -0,0 +1,59 @@ +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +index e8cdcd30d..039d6cc1c 100755 +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -887,8 +887,9 @@ write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key" + generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 + delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 + +-generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256 +-delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256 ++# Disabled: generation of ECC key without login is not supported in gnutls_3_3_x ++#generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256 ++#delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256 + + generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384 + delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384 +@@ -911,24 +912,30 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" + export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}" + change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}" + +-write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub ++# Disabled: certificates are marked as private in gnutls_3_3_x ++#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub + write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key" + write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" + +-write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" +-test_sign "${TOKEN}" "${GNUTLS_PIN}" ++# Disabled: --load-pubkey is not supported in gnutls_3_3_x ++#write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" + +-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" 
"full URLs" ++# Disabled: --test-sign is not supported in gnutls_3_3_x ++#test_sign "${TOKEN}" "${GNUTLS_PIN}" + +-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs" ++# Disabled: Cannot test without written certificates (write_certificate_test) ++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs" ++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs" + +-write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" +-write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" +-write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++# Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x ++#write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++#write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++#write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" + + test_delete_cert "${TOKEN}" "${GNUTLS_PIN}" + +-test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}" ++# Disabled: --test-sign is not supported in gnutls_3_3_x ++#test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}" + + if test ${RETCODE} = 0; then + echo "* All smart cards tests succeeded" +-- +2.14.3 + 
diff --git a/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch new file mode 100644 index 0000000..21cdc68 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch @@ -0,0 +1,47 @@ +diff --git a/src/p11tool.c b/src/p11tool.c +index 2abf23a27..a6fce78e3 100644 +--- a/src/p11tool.c ++++ b/src/p11tool.c +@@ -68,7 +68,7 @@ int main(int argc, char **argv) + } + + static +-unsigned opt_to_flags(void) ++unsigned opt_to_flags(common_info_st *cinfo) + { + unsigned flags = 0; + +@@ -78,6 +78,12 @@ unsigned opt_to_flags(void) + } else { + flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE; + } ++ } else { /* if not given mark as private the private objects, and public the public ones */ ++ if (cinfo->privkey) ++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE; ++ else if (cinfo->pubkey || cinfo->cert) ++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE; ++ /* else set the defaults of the token */ + } + + if (ENABLED_OPT(MARK_TRUSTED)) +@@ -166,8 +172,6 @@ static void cmd_parser(int argc, char **argv) + + memset(&cinfo, 0, sizeof(cinfo)); + +- flags = opt_to_flags(); +- + if (HAVE_OPT(SECRET_KEY)) + cinfo.secret_key = OPT_ARG(SECRET_KEY); + +@@ -227,6 +231,8 @@ static void cmd_parser(int argc, char **argv) + sec_param = OPT_ARG(SEC_PARAM); + } + ++ flags = opt_to_flags(&cinfo); ++ + if (debug > 4) { + if (HAVE_OPT(MARK_PRIVATE)) + fprintf(stderr, "Private: %s\n", +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch new file mode 100644 index 0000000..08a35ae --- /dev/null +++ b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch 
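Review bot: The new default branch of opt_to_flags() marks objects private only when `cinfo->privkey` is set, while `cinfo.secret_key`, which cmd_parser() fills from `SECRET_KEY` in the context lines of this patch, falls through to "the defaults of the token". A secret key is at least as sensitive as a private key, so I would extend the test to `if (cinfo->privkey || cinfo->secret_key)`. Whether the token default already protects secret keys is not visible here. When a private key and a certificate are loaded in the same invocation the privkey test wins and the certificate would presumably also get GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, which is the safe direction but deserves a one-line comment. Both functions continue outside the hunks.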
@@ -0,0 +1,20 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index d249d405f..6dc63758d 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -156,7 +156,11 @@ endif + endif + + check_PROGRAMS = $(ctests) +-dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh ++dist_check_SCRIPTS = rfc2253-escape-test ++ ++if !WINDOWS ++dist_check_SCRIPTS += sni-hostname.sh ++endif + + TESTS = $(ctests) $(dist_check_SCRIPTS) + +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch new file mode 100644 index 0000000..7a60fe4 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch 
@@ -0,0 +1,52 @@ +diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c +index 0527ca4f1..a39acd49f 100644 +--- a/lib/algorithms/mac.c ++++ b/lib/algorithms/mac.c +@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = { + {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, + 64}, + {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1, +- 64}, ++ 128}, + {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1, +- 64}, ++ 128}, + {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1, + 64}, + {"UMAC-96", NULL, NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0}, +diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c +index 58ce79775..37478a4c3 100644 +--- a/lib/gnutls_cipher.c ++++ b/lib/gnutls_cipher.c +@@ -440,7 +440,7 @@ static void dummy_wait(record_parameters_st * params, + { + /* this hack is only needed on CBC ciphers */ + if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) { +- unsigned len; ++ unsigned len, v; + + /* force an additional hash compression function evaluation to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. +@@ -448,11 +448,14 @@ static void dummy_wait(record_parameters_st * params, + if (pad_failed == 0 && pad > 0) { + len = _gnutls_mac_block_size(params->mac); + if (len > 0) { +- /* This is really specific to the current hash functions. +- * It should be removed once a protocol fix is in place. +- */ +- if ((pad + total) % len > len - 9 +- && total % len <= len - 9) { ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if ((pad + total) % len > len - v ++ && total % len <= len - v) { + if (len < plaintext->size) + _gnutls_auth_cipher_add_auth + (¶ms->read. +-- +2.14.3 + 
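Review bot: In dummy_wait() the length-field allowance `v` is 17 only for `GNUTLS_MAC_SHA384`, yet the same patch raises the block size of both SHA384 and SHA512 to 128 in hash_algorithms[], and both hashes use the 16-byte message-length field. Deriving it from the block size already held in `len`, `v = (len == 128) ? 17 : 9;`, would cover SHA512 without a second id comparison. Whether SHA512 can be negotiated as a record MAC in this branch is not visible here, so the gap may be latent rather than reachable. dummy_wait() starts and ends outside the hunk.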
diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch new file mode 100644 index 0000000..9044547 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch 
@@ -0,0 +1,90 @@ +diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c +index 37478a4c3..65dde6899 100644 +--- a/lib/gnutls_cipher.c ++++ b/lib/gnutls_cipher.c +@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session, + return length; + } + +-static void dummy_wait(record_parameters_st * params, +- gnutls_datum_t * plaintext, unsigned pad_failed, +- unsigned int pad, unsigned total) ++static void dummy_wait(record_parameters_st *params, ++ gnutls_datum_t *plaintext, ++ unsigned int mac_data, unsigned int max_mac_data) + { + /* this hack is only needed on CBC ciphers */ + if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) { +- unsigned len, v; ++ unsigned v; ++ unsigned int tag_size = ++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state); ++ unsigned hash_block = _gnutls_mac_block_size(params->mac); + +- /* force an additional hash compression function evaluation to prevent timing ++ /* force additional hash compression function evaluations to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. + */ +- if (pad_failed == 0 && pad > 0) { +- len = _gnutls_mac_block_size(params->mac); +- if (len > 0) { +- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) +- /* v = 1 for the hash function padding + 16 for message length */ +- v = 17; +- else /* v = 1 for the hash function padding + 8 for message length */ +- v = 9; +- +- if ((pad + total) % len > len - v +- && total % len <= len - v) { +- if (len < plaintext->size) +- _gnutls_auth_cipher_add_auth +- (¶ms->read. +- cipher_state, +- plaintext->data, len); +- else +- _gnutls_auth_cipher_add_auth +- (¶ms->read. 
+- cipher_state, +- plaintext->data, +- plaintext->size); +- } ++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ++ /* v = 1 for the hash function padding + 16 for message length */ ++ v = 17; ++ else /* v = 1 for the hash function padding + 8 for message length */ ++ v = 9; ++ ++ if (hash_block > 0) { ++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block; ++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block; ++ unsigned to_hash; ++ ++ max_blocks -= hashed_blocks; ++ if (max_blocks < 1) ++ return; ++ ++ to_hash = max_blocks * hash_block; ++ if ((unsigned)to_hash+1+tag_size < plaintext->size) { ++ _gnutls_auth_cipher_add_auth ++ (¶ms->read.cipher_state, ++ plaintext->data+plaintext->size-tag_size-to_hash-1, ++ to_hash); + } + } + } +@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session, + if (unlikely + (memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { + /* HMAC was not the same. */ +- dummy_wait(params, compressed, pad_failed, pad, +- length + preamble_size); ++ gnutls_datum_t data = {compressed->data, ciphertext->size}; ++ ++ dummy_wait(params, &data, length + preamble_size, ++ preamble_size + ciphertext->size - tag_size - 1); + + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + } +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch new file mode 100644 index 0000000..11087f4 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch 
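Review bot: The call site in ciphertext_to_compressed() builds `gnutls_datum_t data = {compressed->data, ciphertext->size};`, pairing one buffer's pointer with another buffer's size, and dummy_wait() then reads `to_hash` bytes starting at `plaintext->data+plaintext->size-tag_size-to_hash-1`. That read is in bounds only if the compressed buffer holds at least ciphertext->size bytes, which is presumably true after CBC decryption but is stated nowhere in the hunk. I would add a comment at the call site such as `/* compressed->data holds the whole decrypted record, i.e. ciphertext->size bytes */`, and one in dummy_wait() saying that when the check `to_hash+1+tag_size < plaintext->size` fails no extra hashing is performed at all. ciphertext_to_compressed() starts and ends outside the hunk.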
@@ -0,0 +1,82 @@ +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index 4fdd58f39..68ee2960a 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -2368,6 +2368,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + /* First check for pin-value field */ + pinfile = p11_kit_uri_get_pin_value(info); + if (pinfile != NULL) { ++ if (attempts > 0) { ++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n"); ++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR); ++ } ++ + _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n"); + *pin = p11_kit_pin_new_for_string(pinfile); + if (*pin != NULL) +@@ -2376,6 +2381,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + /* Check if a pinfile is specified, and use that if possible */ + pinfile = p11_kit_uri_get_pin_source(info); + if (pinfile != NULL) { ++ if (attempts > 0) { ++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n"); ++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR); ++ } ++ + _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n"); + ret = + retrieve_pin_from_source(pinfile, token_info, attempts, +diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c +index e43591927..ecc98175d 100644 +--- a/tests/pkcs11/pkcs11-import-with-pin.c ++++ b/tests/pkcs11/pkcs11-import-with-pin.c +@@ -157,6 +157,16 @@ void doit() + assert(gnutls_privkey_init(&pkey) == 0); + + /* Test 1 ++ * Try importing with wrong pin-value */ ++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX"); ++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) { ++ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ gnutls_privkey_deinit(pkey); ++ assert(gnutls_privkey_init(&pkey) == 0); ++ ++ /* Test 2 + * Try importing with pin-value */ + ret = gnutls_privkey_import_pkcs11_url(pkey, 
SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); + if (ret < 0) { +@@ -169,13 +179,26 @@ void doit() + gnutls_free(sig.data); + gnutls_privkey_deinit(pkey); + +- /* Test 2 +- * Try importing with pin-source */ ++ /* Test 3 ++ * Try importing with wrong pin-source */ + track_temp_files(); + get_tmpname(file); + +- write_pin(file, PIN); ++ write_pin(file, "XXXX"); ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); ++ ret = gnutls_privkey_import_pkcs11_url(pkey, buf); ++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_privkey_deinit(pkey); + ++ /* Test 4 ++ * Try importing with pin-source */ ++ write_pin(file, PIN); + + assert(gnutls_privkey_init(&pkey) == 0); + snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch new file mode 100644 index 0000000..21f5c00 --- /dev/null +++ b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch 
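Review bot: The two new `attempts > 0` guards in retrieve_pin() have no comment saying why a second attempt is refused, and the log text reads "a single attempts". The reason is presumably that a PIN fixed in the URI (pin-value or pin-source) cannot change between retries, so repeating it only uses up the token's login retry counter; a line such as `/* a PIN taken from the URI is static: retrying it would only consume token login attempts */` above each guard would record that. The messages could read `"p11: refusing more than a single attempt with pin-value\n"` and the same for pin-source. retrieve_pin() continues outside the hunk.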
@@ -0,0 +1,29 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 039d6cc1c..7c2776760 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -912,8 +912,7 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: certificates are marked as private in gnutls_3_3_x
+-#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+ write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
+ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+@@ -923,9 +922,8 @@ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.cr
+ # Disabled: --test-sign is not supported in gnutls_3_3_x
+ #test_sign "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: Cannot test without written certificates (write_certificate_test)
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+
+ # Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
+ #write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
new file mode 100644
index 0000000..21c7c8d
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
@@ -0,0 +1,69 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index c5998abe6..f3e19105f 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -491,8 +491,6 @@ static const int sign_priority_secure192[] = {
+
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_MD5,
+ 0
+@@ -500,8 +498,6 @@ static const int mac_priority_normal_default[] = {
+
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+@@ -530,15 +526,11 @@ static const int mac_priority_suiteb192[] = {
+
+ static const int mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+
+ static const int mac_priority_secure192[] = {
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+diff --git a/tests/priorities.c b/tests/priorities.c
+index f22b08b62..46221fcc0 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
+
+ void doit(void)
+ {
+- const int normal = 61;
+- const int null = 5;
+- const int sec128 = 56;
++ const int normal = 41;
++ const int null = 4;
++ const int sec128 = 36;
+
+ try_prio("NORMAL", normal, 9);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
+ try_prio("PERFORMANCE", normal, 9);
+- try_prio("SECURE256", 20, 4);
++ try_prio("SECURE256", 10, 4);
+ try_prio("SECURE128", sec128, 8);
+ try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
new file mode 100644
index 0000000..63d1f7b
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
@@ -0,0 +1,11 @@
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1734,7 +1734,7 @@
+ /* session resuming support */
+
+ #define SESSION_ID_SIZE 32
+-#define SESSION_DATA_SIZE 1024
++#define SESSION_DATA_SIZE (16*1024)
+
+ typedef struct {
+ char session_id[SESSION_ID_SIZE];
diff --git a/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
new file mode 100644
index 0000000..2722790
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
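Review bot: The MAC priority tables in lib/gnutls_priority.c lose GNUTLS_MAC_SHA256 and GNUTLS_MAC_SHA384 without a comment recording why, while `mac_priority_normal_default` still lists GNUTLS_MAC_MD5 and every changed table except `mac_priority_secure192` still lists GNUTLS_MAC_SHA1. A reader comparing the tables sees the stronger HMACs gone and the weaker ones kept, so the rationale belongs next to the first table, e.g. `/* HMAC-SHA256/384 are left out of the default sets on purpose; enable them explicitly in the priority string if needed */` (wording to be confirmed against the actual reason, which the patch does not state). In tests/priorities.c the new expected counts 41, 4, 36, 5 and 10 are bare numbers; a one-line comment saying how they were derived would make the next change to these tables easier to verify.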
@@ -0,0 +1,157 @@
+diff --git a/src/serv-args.def b/src/serv-args.def
+index 44b67f1ab..027737772 100644
+--- a/src/serv-args.def
++++ b/src/serv-args.def
+@@ -8,6 +8,19 @@ detail = "Server program that listens to incoming TLS connections.";
+
+ #include args-std.def
+
++flag = {
++ name = sni-hostname;
++ descrip = "Server's hostname for server name extension";
++ arg-type = string;
++ doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
++};
++
++flag = {
++ name = sni-hostname-fatal;
++ descrip = "Send fatal alert on sni-hostname mismatch";
++ doc = "";
++};
++
+ flag = {
+ name = noticket;
+ descrip = "Don't accept session tickets";
+diff --git a/src/serv.c b/src/serv.c
+index a1f9adfa8..f5ff48786 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -49,6 +49,8 @@
+ #include "sockets.h"
+ #include "udp-serv.h"
+
++#define _GNUTLS_E_UNRECOGNIZED_NAME -294
++
+ /* konqueror cannot handle sending the page in multiple
+ * pieces.
+ */
+@@ -81,6 +83,8 @@ const char *dh_params_file = NULL;
+ const char *x509_crlfile = NULL;
+ const char *priorities = NULL;
+ const char *status_response_ocsp = NULL;
++const char *sni_hostname = NULL;
++int sni_hostname_fatal = 0;
+
+ gnutls_datum_t session_ticket_key;
+ static void tcp_server(const char *name, int port);
+@@ -312,6 +316,83 @@ int ret;
+ return 0;
+ }
+
++/* callback used to verify if the host name advertised in client hello matches
++ * the one configured in server
++ */
++static int
++post_client_hello(gnutls_session_t session)
++{
++ int ret;
++ /* DNS names (only type supported) may be at most 256 byte long */
++ char *name;
++ size_t len = 256;
++ unsigned int type;
++ int i;
++
++ name = malloc(len);
++ if (name == NULL)
++ return GNUTLS_E_MEMORY_ERROR;
++
++ for (i=0; ; ) {
++ ret = gnutls_server_name_get(session, name, &len, &type, i);
++ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
++ char *new_name;
++ new_name = realloc(name, len);
++ if (new_name == NULL) {
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto end;
++ }
++ name = new_name;
++ continue; /* retry call with same index */
++ }
++
++ /* check if it is the last entry in list */
++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ i++;
++ if (ret != GNUTLS_E_SUCCESS)
++ goto end;
++ /* unknown types need to be ignored */
++ if (type != GNUTLS_NAME_DNS)
++ continue;
++
++ if (strlen(sni_hostname) != len)
++ continue;
++ /* API guarantees that the name of type DNS will be null terminated */
++ if (!strncmp(name, sni_hostname, len)) {
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++ };
++ /* when there is no extension, we can't send the extension specific alert */
++ if (i == 0) {
++ fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++
++ if (sni_hostname_fatal == 1) {
++ /* abort the connection, propagate error up the stack */
++ ret = _GNUTLS_E_UNRECOGNIZED_NAME;
++ goto end;
++ }
++
++ fprintf(stderr, "Warning: client provided unrecognized host name\n");
++ /* since we just want to send an alert, not abort the connection, we
++ * need to send it ourselves
++ */
++ do {
++ ret = gnutls_alert_send(session,
++ GNUTLS_AL_WARNING,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
++
++ /* continue handshake, fall through */
++end:
++ free(name);
++ return ret;
++}
++
+ gnutls_session_t initialize_session(int dtls)
+ {
+ gnutls_session_t session;
+@@ -343,6 +424,10 @@ gnutls_session_t initialize_session(int dtls)
+ &session_ticket_key);
+ #endif
+
++ if (sni_hostname != NULL)
++ gnutls_handshake_set_post_client_hello_function(session,
++ &post_client_hello);
++
+ if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
+ fprintf(stderr, "Syntax error at: %s\n", err);
+ exit(1);
+@@ -1629,6 +1714,12 @@ static void cmd_parser(int argc, char **argv)
+ if (HAVE_OPT(OCSP_RESPONSE))
+ status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
+
++ if (HAVE_OPT(SNI_HOSTNAME))
++ sni_hostname = OPT_ARG(SNI_HOSTNAME);
++
++ if (HAVE_OPT(SNI_HOSTNAME_FATAL))
++ sni_hostname_fatal = 1;
++
+ }
+
+ /* session resuming support */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-unrec-name.patch b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
new file mode 100644
index 0000000..6991d66
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
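Review bot: post_client_hello compares the client's server name with `strncmp`, which is case-sensitive although DNS host names are not, so a client that sends the configured name in a different case is treated as unrecognized and, with sni-hostname-fatal set, has its handshake aborted. `if (!strncasecmp(name, sni_hostname, len)) {` (from `<strings.h>`) would accept it. `len` also serves both as the buffer capacity passed to gnutls_server_name_get and as the returned name length, so after a successful call the next call is told the buffer is only as large as the previous name; as far as the hunk shows the stated capacity never exceeds the real allocation, but a separate `size_t cap` would make the realloc path easier to reason about. `#define _GNUTLS_E_UNRECOGNIZED_NAME -294` should be parenthesised as `(-294)`.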
@@ -0,0 +1,41 @@
+diff --git a/src/serv.c b/src/serv.c
+index f5ff48786..8c7c92a92 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1278,6 +1278,15 @@ int main(int argc, char **argv)
+ return 0;
+ }
+
++int _gnutls_alert_send_appropriate (gnutls_session_t session, int err)
++{
++ if (err == _GNUTLS_E_UNRECOGNIZED_NAME)
++ return gnutls_alert_send(session,
++ GNUTLS_AL_FATAL,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ return gnutls_alert_send_appropriate(session, err);
++}
++
+ static void retry_handshake(listener_item *j)
+ {
+ int r, ret;
+@@ -1293,7 +1302,7 @@ static void retry_handshake(listener_item *j)
+ GERR(r);
+
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ } else if (r == 0) {
+ if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
+@@ -1326,7 +1335,7 @@ int r, ret;
+
+ if (r < 0) {
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ GERR(r);
+ j->http_state = HTTP_STATE_CLOSING;
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-testpkcs11.patch b/SOURCES/gnutls-3.3.29-testpkcs11.patch
new file mode 100644
index 0000000..e98f53f
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-testpkcs11.patch
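Review bot: `_gnutls_alert_send_appropriate` is defined in src/serv.c without `static` and under the `_gnutls_` prefix, which the library uses for its own internal symbols (`_gnutls_debug_log` in lib/pkcs11.c, for example), so the tool gains an external name that could collide with one inside libgnutls. In the hunks shown it is only called from this file, so `static int serv_alert_send_appropriate(gnutls_session_t session, int err)` with the two call sites renamed would avoid that. A short comment above it should say that it maps the tool-private `_GNUTLS_E_UNRECOGNIZED_NAME` to a fatal unrecognized_name alert, presumably because the library's gnutls_alert_send_appropriate has no mapping for that code. The bodies of retry_handshake and the second caller continue outside the hunks.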
@@ -0,0 +1,1916 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 6dc63758d..e0d86abfd 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -36,7 +36,13 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ + certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ + certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ + certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ +- cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c ++ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c \ ++ testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ ++ testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \ ++ testpkcs11-certs/client.key testpkcs11-certs/server.crt \ ++ testpkcs11-certs/server-tmpl testpkcs11-certs/ca.key \ ++ testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl \ ++ testpkcs11-certs/server.key + + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = \ +@@ -160,6 +166,9 @@ dist_check_SCRIPTS = rfc2253-escape-test + + if !WINDOWS + dist_check_SCRIPTS += sni-hostname.sh ++if ENABLE_PKCS11 ++dist_check_SCRIPTS += testpkcs11.sh ++endif + endif + + TESTS = $(ctests) $(dist_check_SCRIPTS) +diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh +index 9c9c3fb3a..4615770f6 100644 +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -19,11 +19,61 @@ + # along with this file; if not, write to the Free Software Foundation, + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +-# due to the use of $RANDOM, this script requires bash ++export TZ="UTC" ++ ++# Check for a utility to list ports. Both ss and netstat will list ++# ports for normal users, and have similar semantics, so put the ++# command in the caller's PFCMD, or exit, indicating an unsupported ++# test. Prefer ss from iproute2 over the older netstat. 
++have_port_finder() { ++ for file in $(which ss 2> /dev/null) /*bin/ss /usr/*bin/ss /usr/local/*bin/ss;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ ++ if test -z "$PFCMD";then ++ for file in $(which netstat 2> /dev/null) /bin/netstat /usr/bin/netstat /usr/local/bin/netstat;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ fi ++ ++ if test -z "$PFCMD";then ++ echo "neither ss nor netstat found" ++ exit 1 ++ fi ++} ++ ++check_if_port_in_use() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -an|grep "[\:\.]$PORT" >/dev/null 2>&1 ++} ++ ++check_if_port_listening() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++} + +-GETPORT='rc=0;while test $rc = 0;do PORT="$(((($$<<15)|RANDOM) % 63001 + 2000))"; +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1; +- rc=$?;done;' ++# Find a port number not currently in use. ++GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//) ++ while test $rc = 0;do ++ PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))" ++ check_if_port_in_use $PORT;rc=$? ++ done ++' ++ ++check_for_datefudge() { ++ TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true` ++ if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then ++ echo $TSTAMP ++ echo "You need datefudge to run this test" ++ exit 77 ++ fi ++} + + fail() { + PID="$1" +@@ -33,6 +83,30 @@ fail() { + exit 1 + } + ++exit_if_non_x86() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Architecture|grep x86 ++ if test $? != 0;then ++ echo "non-x86 CPU detected" ++ exit 0 ++ fi ++fi ++} ++ ++exit_if_non_padlock() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Flags|grep phe ++ if test $? 
!= 0;then ++ echo "non-Via padlock CPU detected" ++ exit 0 ++ fi ++fi ++} ++ + wait_for_port() + { + local ret +@@ -40,10 +114,10 @@ wait_for_port() + sleep 4 + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++ check_if_port_listening ${PORT} + ret=$? + if test $ret != 0;then +- netstat -anl|grep "[\:\.]$PORT" ++ check_if_port_in_use ${PORT} + echo try $i + sleep 2 + else +@@ -59,7 +133,7 @@ wait_for_free_port() + local PORT="$1" + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1 ++ check_if_port_in_use ${PORT} + ret=$? + if test $ret != 0;then + break +@@ -75,7 +149,7 @@ launch_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 & ++ ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null & + } + + launch_pkcs11_server() { +@@ -94,7 +168,7 @@ launch_bare_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} $* >/dev/null 2>&1 & ++ ${SERV} $* >/dev/null & + } + + wait_server() { +@@ -114,3 +188,10 @@ wait_udp_server() { + sleep 4 + } + ++if test -x /usr/bin/lockfile-create;then ++LOCKFILE="lockfile-create global" ++UNLOCKFILE="lockfile-remove global" ++else ++LOCKFILE="lockfile global.lock" ++UNLOCKFILE="rm -f global.lock" ++fi +diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am +index 794a4bace..dae42a7ef 100644 +--- a/tests/suite/Makefile.am ++++ b/tests/suite/Makefile.am +@@ -86,11 +86,10 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \ + + + nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \ +- testpkcs11 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ + testrng test-ciphersuite-names + + TESTS = test-ciphersuite-names eagain testsrn testcompat chain invalid-cert \ +- testpkcs11 testrng test-ciphersuite-names ++ testrng test-ciphersuite-names + + if ENABLE_PKCS11 + TESTS += crl-test +diff --git a/tests/testpkcs11-certs/ca-tmpl b/tests/testpkcs11-certs/ca-tmpl +new file mode 100644 
+index 000000000..5bf462d1e +--- /dev/null ++++ b/tests/testpkcs11-certs/ca-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=CA,C=CZ" ++ ++# The serial number of the certificate ++serial = 1 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. ++crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/ca.crt b/tests/testpkcs11-certs/ca.crt +new file mode 100644 +index 000000000..e39ee41f7 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.crt +@@ -0,0 +1,15 @@ ++-----BEGIN CERTIFICATE----- ++MIICUjCCAbugAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI0NTRaGA8yMDIwMTIxMzA4MjQ1NFow ++GjELMAkGA1UEAxMCQ0ExCzAJBgNVBAYTAkNaMIGfMA0GCSqGSIb3DQEBAQUAA4GN ++ADCBiQKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijfjS88 ++4kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qGeOAu ++R+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQABo4Gj ++MIGgMA8GA1UdEwEB/wQFMAMBAf8wGAYDVR0RBBEwD4ENbm9uZUBub25lLm9yZzAT ++BgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQS ++DtpREkBWrvQcbcyhsD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3 ++LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBzRzkYVGhl0ltc ++iVvXModMh9cb1TcUrc2nhfEh63u5ZF1/8MJPaMMLw3FZmGc5B8lNYOoWiSqK/Ark ++iO9chPwqRKWY8n52USgGDcUNRxbwCa2vOQg9cdSWIcdt18W5mtJ3hz+CDaT8ZH8t ++sVW/i5eG6O7o3rZGSwbcC1pgIWZqCw== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/ca.key b/tests/testpkcs11-certs/ca.key +new file mode 100644 +index 000000000..62f5bfae3 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a8:a2:6a:fe:92:24:6d:c7:ef:dd:a0:5d:85:45: ++ 23:b1:a8:1b:ae:2d:b7:29:2b:92:b0:c6:d6:24:f3: ++ 62:fc:31:0c:f3:26:28:df:8d:2f:3c:e2:40:a2:8e: ++ 54:7a:76:a0:f4:a0:34:bb:d2:78:0d:a2:08:36:b8: ++ 88:27:d5:27:cb:4d:38:17:c3:fb:fa:c3:f9:cc:9c: ++ c2:18:67:e7:8f:ac:5e:56:0f:5a:86:78:e0:2e:47: ++ ea:ad:b3:86:38:ad:f6:fd:61:bf:2c:5c:83:dd:ba: ++ 2e:c7:7a:5a:a2:98:96:95:78:cc:40:60:9b:2a:44: ++ 14:a2:c4:34:a9:61:b9:04:87: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 08:f8:4a:b4:ab:d5:60:39:88:5a:c3:92:f5:e9:cd: ++ 92:3f:9c:e9:50:e9:33:39:6c:1e:17:15:80:f5:a9: ++ 
48:3c:db:b1:7b:50:25:43:ff:45:3f:cb:ac:59:e1: ++ c8:79:d2:e9:f0:33:9d:e1:fe:1c:cb:87:a0:51:84: ++ 7c:89:ec:09:e0:3d:c9:df:ca:43:d9:c1:79:3c:47: ++ f7:8e:71:bf:a5:6e:11:87:0d:d9:2e:5a:5d:a0:d3: ++ ba:5b:9c:23:db:33:54:5f:a2:2f:db:28:05:9d:07: ++ a4:d4:76:0e:ef:d1:f9:c3:f9:21:01:ad:06:4c:9d: ++ 59:14:09:37:91:df:86:01: ++ ++prime1: ++ 00:d6:e8:07:49:7f:a6:6a:d7:f3:76:84:4b:a9:cb: ++ 91:66:8a:c8:07:54:29:25:1d:e4:70:dd:2c:fd:ff: ++ dc:c6:0c:24:75:4f:a0:ca:82:e2:b6:3b:8b:f0:7b: ++ 37:c3:97:be:6c:b3:5f:91:a6:c0:56:48:aa:aa:3a: ++ d9:12:24:b7:81: ++ ++prime2: ++ 00:c8:e1:50:40:9b:7e:34:9c:44:88:1e:16:4b:bf: ++ 04:0f:a6:b0:2b:9d:2f:a2:84:29:96:54:35:69:68: ++ 6f:a2:a7:2b:8a:de:e9:9e:0e:6f:b3:cf:d8:af:68: ++ 33:52:a6:e4:b5:d1:21:d0:6b:d2:d2:a6:af:97:62: ++ 44:fe:b8:00:07: ++ ++coefficient: ++ 75:16:b8:48:0b:61:9a:a9:78:b1:72:93:94:51:54: ++ c1:07:69:b8:b1:dc:61:4a:f5:ef:b7:9c:f5:07:74: ++ 0d:8e:1a:a2:51:ea:00:91:ef:05:75:42:53:4d:6a: ++ e3:f5:de:07:a5:55:5f:8b:37:58:55:2b:43:ef:b2: ++ d0:38:a8:89: ++ ++exp1: ++ 00:c9:b9:60:e5:b7:e1:b1:56:e5:dc:70:d0:49:20: ++ a1:6a:3c:89:08:80:12:63:19:cd:0d:b8:3e:fc:69: ++ 48:85:ca:6e:0a:83:e5:2d:52:70:96:98:0c:82:7e: ++ 56:d8:cd:3e:5c:f0:7e:9b:cc:87:ac:36:67:a4:84: ++ ba:af:92:31:81: ++ ++exp2: ++ 65:0a:d8:78:36:fe:8b:6e:13:16:b8:b3:94:54:37: ++ b1:bb:b1:9f:ae:88:18:62:0c:1d:1e:ac:63:21:f2: ++ 0d:49:b3:20:3e:32:1a:9b:be:5a:1e:f1:2a:81:ea: ++ 56:e7:b5:e1:32:99:a4:a1:a7:c0:e7:b1:29:1f:77: ++ fe:fc:04:9f: ++ ++ ++Public Key ID: 12:0E:DA:51:12:40:56:AE:F4:1C:6D:CC:A1:B0:3D:28:61:7E:33:01 ++Public key's random art: +++--[ RSA 1024]----+ ++|.E*++.o | ++|oo *.B . | ++|..++O * | ++| o.*oB . | ++| o + o S | ++| . 
| ++| | ++| | ++| | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijf ++jS884kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qG ++eOAuR+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQAB ++AoGACPhKtKvVYDmIWsOS9enNkj+c6VDpMzlsHhcVgPWpSDzbsXtQJUP/RT/LrFnh ++yHnS6fAzneH+HMuHoFGEfInsCeA9yd/KQ9nBeTxH945xv6VuEYcN2S5aXaDTuluc ++I9szVF+iL9soBZ0HpNR2Du/R+cP5IQGtBkydWRQJN5HfhgECQQDW6AdJf6Zq1/N2 ++hEupy5FmisgHVCklHeRw3Sz9/9zGDCR1T6DKguK2O4vwezfDl75ss1+RpsBWSKqq ++OtkSJLeBAkEAyOFQQJt+NJxEiB4WS78ED6awK50vooQpllQ1aWhvoqcrit7png5v ++s8/Yr2gzUqbktdEh0GvS0qavl2JE/rgABwJBAMm5YOW34bFW5dxw0EkgoWo8iQiA ++EmMZzQ24PvxpSIXKbgqD5S1ScJaYDIJ+VtjNPlzwfpvMh6w2Z6SEuq+SMYECQGUK ++2Hg2/otuExa4s5RUN7G7sZ+uiBhiDB0erGMh8g1JsyA+Mhqbvloe8SqB6lbnteEy ++maShp8DnsSkfd/78BJ8CQHUWuEgLYZqpeLFyk5RRVMEHabix3GFK9e+3nPUHdA2O ++GqJR6gCR7wV1QlNNauP13gelVV+LN1hVK0PvstA4qIk= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/client-tmpl b/tests/testpkcs11-certs/client-tmpl +new file mode 100644 +index 000000000..a22eef84b +--- /dev/null ++++ b/tests/testpkcs11-certs/client-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Client,C=CZ" ++ ++# The serial number of the certificate ++serial = 3 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/client.crt b/tests/testpkcs11-certs/client.crt +new file mode 100644 +index 000000000..6f75590d2 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdDCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MjdaGA8yMDIwMTIxMzA4MjUyN1ow ++HjEPMA0GA1UEAxMGQ2xpZW50MQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEAvQRIzvKyhr3tqmB4Pe+91DWSFayaNtcrDIT597bhxugVYW8o ++jB206kx5aknAMA3PQGYcGqkLrt+nsJcmOIXDZsC6P4zeOSsF1PPhDAoX3bkUr2lF ++MEt374eKdg1yvyhRxt4DOR6aD4gkC7fVtaYdgV6yXpJGMHV05LBIgQ7QtykCAwEA ++AaOBwTCBvjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1Ud ++EQQRMA+BDW5vbmVAbm9uZS5vcmcwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU ++Dbinh11GaaJcTyOpmxPYuttsiGowHwYDVR0jBBgwFoAUEg7aURJAVq70HG3MobA9 ++KGF+MwEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl ++dGNybC8wDQYJKoZIhvcNAQELBQADgYEAN/Henso+5zzuFQWTpJXlUsWtRQAFhRY3 ++WVt3xtnyPs4pF/LKBp3Ov0GLGBkz5YlyJGFNESSyUviMsH7g7rJM8i7Bph6BQTE9 ++XdqbZPc0opfms4EHjmlXj5HQ0f0yoxHnLk43CR+vmbn0JPuurnEKAwjznAJR8GxI ++R2MRyMxdGqs= ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/client.key b/tests/testpkcs11-certs/client.key +new file mode 100644 +index 000000000..9277bdfd8 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:bd:04:48:ce:f2:b2:86:bd:ed:aa:60:78:3d:ef: ++ bd:d4:35:92:15:ac:9a:36:d7:2b:0c:84:f9:f7:b6: ++ e1:c6:e8:15:61:6f:28:8c:1d:b4:ea:4c:79:6a:49: ++ c0:30:0d:cf:40:66:1c:1a:a9:0b:ae:df:a7:b0:97: ++ 26:38:85:c3:66:c0:ba:3f:8c:de:39:2b:05:d4:f3: ++ e1:0c:0a:17:dd:b9:14:af:69:45:30:4b:77:ef:87: ++ 8a:76:0d:72:bf:28:51:c6:de:03:39:1e:9a:0f:88: ++ 24:0b:b7:d5:b5:a6:1d:81:5e:b2:5e:92:46:30:75: ++ 74:e4:b0:48:81:0e:d0:b7:29: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
00:a5:eb:b1:e2:00:07:98:e1:f6:53:de:35:0e:e1: ++ 79:78:63:c2:25:c6:8a:e4:e3:02:46:0e:20:c3:43: ++ 45:73:ee:5c:7e:58:2e:76:b8:c9:0b:f7:2f:89:8e: ++ cd:e7:20:e8:32:36:b0:2a:f3:03:6f:71:a2:e9:0f: ++ f5:9c:1e:47:84:54:2b:67:12:e3:f4:20:80:7f:54: ++ 81:63:f4:41:4a:6f:8f:89:e8:83:24:64:87:b5:2b: ++ 5b:25:55:c5:b6:e8:1d:c9:a0:a9:68:0d:2d:1f:06: ++ ac:46:6a:96:93:96:16:24:fe:7f:e4:00:c7:bf:37: ++ fe:48:6f:3f:94:0b:36:9e:81: ++ ++prime1: ++ 00:dd:8b:ef:a9:f3:e9:7a:97:6f:50:2f:d4:93:ff: ++ 0b:6d:52:b4:2c:64:d2:bb:6c:a7:ca:5d:5f:31:ba: ++ 2c:f6:59:09:34:57:5f:3c:cd:f5:2b:a0:c7:7a:ac: ++ e2:20:64:a8:58:24:a3:02:c3:7f:7b:c5:7b:31:4e: ++ de:81:6b:48:f9: ++ ++prime2: ++ 00:da:69:4a:53:be:3d:36:07:58:a7:8e:58:4e:cd: ++ 90:cd:72:54:7c:40:89:ab:fd:3a:8b:6d:d0:9c:b0: ++ 00:7f:11:6a:b7:f2:4e:e0:81:8b:23:09:3f:c4:6f: ++ f7:6d:06:b1:c8:83:63:87:72:c7:43:01:24:5d:2d: ++ 88:7f:b9:1b:b1: ++ ++coefficient: ++ 30:19:e0:d7:bd:0f:0d:96:b0:65:64:00:82:2a:9d: ++ 6c:52:a6:89:a6:db:89:e3:7f:10:c3:3b:5b:97:73: ++ ea:13:af:fc:4c:3e:72:5e:da:cb:b7:d4:b6:2c:d0: ++ 05:c3:58:bb:2d:59:2c:50:1f:08:6d:03:53:ba:ec: ++ 15:ec:b6:08: ++ ++exp1: ++ 00:d0:6d:4e:54:3d:bc:72:30:f5:f0:22:8f:83:8c: ++ 76:5b:ab:6b:06:38:f4:68:8f:98:6b:b1:dc:55:14: ++ 2a:28:b9:2b:07:ab:0b:56:51:0d:4e:b6:3b:f5:15: ++ a0:c7:88:eb:37:c1:7f:fa:a1:a1:d5:f7:bc:26:6f: ++ 64:b5:ad:11:41: ++ ++exp2: ++ 2a:a6:b1:0b:15:75:62:9d:a0:a4:67:d9:ba:d9:cd: ++ d3:30:e6:6a:b5:37:ad:4c:70:28:56:33:8c:c5:99: ++ f3:36:75:7e:a2:64:e0:d6:ab:53:16:35:4b:a9:09: ++ ca:52:aa:59:1b:bf:4d:ee:0e:17:79:9b:9e:4e:8b: ++ ff:55:28:a1: ++ ++ ++Public Key ID: 0D:B8:A7:87:5D:46:69:A2:5C:4F:23:A9:9B:13:D8:BA:DB:6C:88:6A ++Public key's random art: +++--[ RSA 1024]----+ ++| | ++| . . . | ++| . * * | ++| + = X . | ++| . B S = | ++| . O o | ++| ...* o | ++| E. .+.o | ++|o. 
ooo | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXQIBAAKBgQC9BEjO8rKGve2qYHg9773UNZIVrJo21ysMhPn3tuHG6BVhbyiM ++HbTqTHlqScAwDc9AZhwaqQuu36ewlyY4hcNmwLo/jN45KwXU8+EMChfduRSvaUUw ++S3fvh4p2DXK/KFHG3gM5HpoPiCQLt9W1ph2BXrJekkYwdXTksEiBDtC3KQIDAQAB ++AoGBAKXrseIAB5jh9lPeNQ7heXhjwiXGiuTjAkYOIMNDRXPuXH5YLna4yQv3L4mO ++zecg6DI2sCrzA29xoukP9ZweR4RUK2cS4/QggH9UgWP0QUpvj4nogyRkh7UrWyVV ++xbboHcmgqWgNLR8GrEZqlpOWFiT+f+QAx783/khvP5QLNp6BAkEA3YvvqfPpepdv ++UC/Uk/8LbVK0LGTSu2ynyl1fMbos9lkJNFdfPM31K6DHeqziIGSoWCSjAsN/e8V7 ++MU7egWtI+QJBANppSlO+PTYHWKeOWE7NkM1yVHxAiav9Oott0JywAH8RarfyTuCB ++iyMJP8Rv920GsciDY4dyx0MBJF0tiH+5G7ECQQDQbU5UPbxyMPXwIo+DjHZbq2sG ++OPRoj5hrsdxVFCoouSsHqwtWUQ1Otjv1FaDHiOs3wX/6oaHV97wmb2S1rRFBAkAq ++prELFXVinaCkZ9m62c3TMOZqtTetTHAoVjOMxZnzNnV+omTg1qtTFjVLqQnKUqpZ ++G79N7g4XeZueTov/VSihAkAwGeDXvQ8NlrBlZACCKp1sUqaJptuJ438Qwztbl3Pq ++E6/8TD5yXtrLt9S2LNAFw1i7LVksUB8IbQNTuuwV7LYI ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/server-tmpl b/tests/testpkcs11-certs/server-tmpl +new file mode 100644 +index 000000000..23103b4a9 +--- /dev/null ++++ b/tests/testpkcs11-certs/server-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Server,C=CZ" ++ ++# The serial number of the certificate ++serial = 2 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++ip_address = "127.0.0.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/server.crt b/tests/testpkcs11-certs/server.crt +new file mode 100644 +index 000000000..694a0101f +--- /dev/null ++++ b/tests/testpkcs11-certs/server.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdjCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MDJaGA8yMDIwMTIxMzA4MjUwMlow ++HjEPMA0GA1UEAxMGU2VydmVyMQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEApf9FBAZadRuU0AGrH4xgNh5V5tFDErTba2bF8b7USLRUzETm +++qBW87I6QXWDFsZlvyyzrpINmpbG3UNr3cVLgT7DLC2ct5nZFT4j25BYswcr0V5C ++00BAz6NUcuTzY0e0iN+H80H/mUr3Xu5r9wJca1LGTspBF1NOTNoAunlSm3cCAwEA ++AaOBwzCBwDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA ++ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW ++BBSsHXo5y3IXlGZsdERzQJFEwKBDfTAfBgNVHSMEGDAWgBQSDtpREkBWrvQcbcyh ++sD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwv ++Z2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBG1omwPssQQPTLd4WeCQyuM/Yj1kOO ++VwFOATVs2+XELAGg6GVrSS302+JKdW51j+11NpIMgJfgaeRdZkgBNR4uOi1okOQh ++Asm8TC3ex3v1rxZdunp0wBQ/H/ox4zMM5Ds8ITtQNeUwXqUj3tPorTWFEsNegTnY ++WmV1jslH8fZ4Fg== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/server.key b/tests/testpkcs11-certs/server.key +new file mode 100644 +index 000000000..56e48735a +--- /dev/null ++++ b/tests/testpkcs11-certs/server.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a5:ff:45:04:06:5a:75:1b:94:d0:01:ab:1f:8c: ++ 60:36:1e:55:e6:d1:43:12:b4:db:6b:66:c5:f1:be: ++ d4:48:b4:54:cc:44:e6:fa:a0:56:f3:b2:3a:41:75: ++ 83:16:c6:65:bf:2c:b3:ae:92:0d:9a:96:c6:dd:43: ++ 6b:dd:c5:4b:81:3e:c3:2c:2d:9c:b7:99:d9:15:3e: ++ 23:db:90:58:b3:07:2b:d1:5e:42:d3:40:40:cf:a3: ++ 54:72:e4:f3:63:47:b4:88:df:87:f3:41:ff:99:4a: ++ f7:5e:ee:6b:f7:02:5c:6b:52:c6:4e:ca:41:17:53: ++ 4e:4c:da:00:ba:79:52:9b:77: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
55:76:38:45:1b:34:45:28:9f:13:fc:57:ea:d5:2d: ++ cf:8f:0c:b0:da:3a:0b:0e:7c:0d:2e:8b:68:ab:d3: ++ c5:5e:ba:6d:b4:67:aa:cf:14:15:41:44:46:e1:46: ++ 4d:5a:75:95:d8:60:e5:d6:a2:14:5d:de:22:9a:8c: ++ 95:4f:f7:4f:cd:eb:65:a0:29:35:b1:16:b7:c2:74: ++ f1:a4:45:43:6c:77:59:37:b3:cb:43:60:80:29:5e: ++ b6:99:60:9a:12:4d:2b:54:2e:c3:3a:76:96:7d:72: ++ b1:72:24:f1:2a:2d:ff:99:92:1e:bb:55:f1:58:6e: ++ 64:08:36:26:4b:b2:c6:99: ++ ++prime1: ++ 00:c7:65:44:0f:4e:6b:51:cd:d4:0b:84:9c:a9:30: ++ 1b:7b:6d:9a:ca:f7:27:8d:8f:b5:05:81:b8:0d:d2: ++ a2:b3:e3:ab:bb:04:a1:8d:ec:dc:65:38:99:e9:e1: ++ 4f:70:47:79:8d:e6:3a:f0:9f:7b:3b:aa:bd:80:1d: ++ 4d:0d:2a:00:7d: ++ ++prime2: ++ 00:d5:1e:d4:82:40:de:a6:ce:1a:59:93:b8:51:c6: ++ 55:15:7f:83:d0:11:ac:a1:44:0a:95:f0:e5:96:03: ++ 53:5e:2c:27:eb:63:5f:b7:1c:06:64:fb:35:c9:a3: ++ a1:1a:fb:f2:3c:31:a1:51:58:40:5e:24:28:dd:ba: ++ dc:c4:14:22:03: ++ ++coefficient: ++ 00:9c:b5:66:d6:6d:93:93:da:0f:15:96:48:07:c6: ++ 4a:eb:ae:da:2a:fc:d8:b3:03:cb:5e:5e:10:9e:7f: ++ e8:49:96:db:70:6b:ef:d7:5a:4a:a4:f5:2a:da:89: ++ 39:b4:51:09:64:4c:75:92:57:ee:4f:9e:4d:55:f9: ++ d0:34:0e:6f:43: ++ ++exp1: ++ 2a:3c:5f:10:46:f2:20:9f:d2:bc:a5:d8:71:56:09: ++ 5c:39:b9:42:28:dc:2d:f6:34:c7:f7:d4:3e:c9:51: ++ 41:7d:86:50:d5:08:4b:81:d2:a5:76:39:d3:fa:af: ++ d2:fe:b0:d6:c7:df:d0:3c:57:e4:29:a4:7e:50:b6: ++ 93:85:44:19: ++ ++exp2: ++ 1a:1b:38:b4:eb:f5:5a:41:8d:00:c4:13:a4:10:c3: ++ 83:6a:a7:5e:e9:8b:58:05:d9:b6:1c:58:43:54:0c: ++ f6:50:3a:63:9f:3c:ae:55:84:83:02:32:c8:8c:7e: ++ c3:ab:71:34:e6:6f:78:63:73:1f:15:16:dc:72:73: ++ 70:a1:76:b9: ++ ++ ++Public Key ID: AC:1D:7A:39:CB:72:17:94:66:6C:74:44:73:40:91:44:C0:A0:43:7D ++Public key's random art: +++--[ RSA 1024]----+ ++| ...o.BX+. | ++| . .. E oo | ++| o + o | ++| o B | ++| S= | ++| + o. | ++| o = . | ++| .o.o. | ++| oo. 
| +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCl/0UEBlp1G5TQAasfjGA2HlXm0UMStNtrZsXxvtRItFTMROb6 ++oFbzsjpBdYMWxmW/LLOukg2alsbdQ2vdxUuBPsMsLZy3mdkVPiPbkFizByvRXkLT ++QEDPo1Ry5PNjR7SI34fzQf+ZSvde7mv3AlxrUsZOykEXU05M2gC6eVKbdwIDAQAB ++AoGAVXY4RRs0RSifE/xX6tUtz48MsNo6Cw58DS6LaKvTxV66bbRnqs8UFUFERuFG ++TVp1ldhg5daiFF3eIpqMlU/3T83rZaApNbEWt8J08aRFQ2x3WTezy0NggCletplg ++mhJNK1Quwzp2ln1ysXIk8Sot/5mSHrtV8VhuZAg2JkuyxpkCQQDHZUQPTmtRzdQL ++hJypMBt7bZrK9yeNj7UFgbgN0qKz46u7BKGN7NxlOJnp4U9wR3mN5jrwn3s7qr2A ++HU0NKgB9AkEA1R7UgkDeps4aWZO4UcZVFX+D0BGsoUQKlfDllgNTXiwn62NftxwG ++ZPs1yaOhGvvyPDGhUVhAXiQo3brcxBQiAwJAKjxfEEbyIJ/SvKXYcVYJXDm5Qijc ++LfY0x/fUPslRQX2GUNUIS4HSpXY50/qv0v6w1sff0DxX5CmkflC2k4VEGQJAGhs4 ++tOv1WkGNAMQTpBDDg2qnXumLWAXZthxYQ1QM9lA6Y588rlWEgwIyyIx+w6txNOZv ++eGNzHxUW3HJzcKF2uQJBAJy1ZtZtk5PaDxWWSAfGSuuu2ir82LMDy15eEJ5/6EmW ++23Br79daSqT1KtqJObRRCWRMdZJX7k+eTVX50DQOb0M= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11.pkcs15 b/tests/testpkcs11.pkcs15 +new file mode 100644 +index 000000000..565282a31 +--- /dev/null ++++ b/tests/testpkcs11.pkcs15 +@@ -0,0 +1,45 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
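Review bot: The `Public Key ID` printed in this fixture (AC:1D:7A:…:43:7D) is repeated as a percent-encoded literal in `test_sign` in tests/testpkcs11.sh (`id=%ac%1d%7a…%43%7d`), and nothing records that coupling. Replacing the key, which the file itself labels `Weak (1024 bits)`, would make the with-ID signature check fail for a reason that is hard to trace. I would add a comment above that check, `# id= is the Public Key ID of testpkcs11-certs/server.key; update both together`. A short README in the directory should also state that these private keys are published test material and must not be trusted outside the test suite.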
++ ++ ++init_card () { ++ PIN="$1" ++ PUK="$2" ++ ++ echo -n "* Erasing smart card... " ++ pkcs15-init -E >"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ cat "${TMPFILE}" ++ exit_error ++ fi ++ ++ echo -n "* Initializing smart card... " ++ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ cat "${TMPFILE}" ++ exit_error ++ fi ++} +diff --git a/tests/testpkcs11.sc-hsm b/tests/testpkcs11.sc-hsm +new file mode 100644 +index 000000000..f3eab685f +--- /dev/null ++++ b/tests/testpkcs11.sc-hsm +@@ -0,0 +1,50 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++ ++init_card () { ++ PIN="$1" ++ PUK=3537363231383830 ++ export GNUTLS_SO_PIN="${PUK}" ++ ++ echo -n "* Erasing smart card... " ++ sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Initializing smart card... 
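Review bot: `--so-pin "${PIN}"` in the `pkcs15-init --create-pkcs15` call sets the security-officer PIN to the user PIN, while tests/testpkcs11.sh exports `GNUTLS_SO_PIN=00000000` and passes that value in as `$2`. If the `--so-login` fallback in write_certificate_test is ever reached on this card type, p11tool would presumably be given an SO PIN that was never set on the card. The sc-hsm variant re-exports the variable to match what it initialises; the equivalent here is `export GNUTLS_SO_PIN="${PIN}"` after the two assignments, or a comment explaining why the onepin profile makes the value irrelevant. `echo -n` under `#!/bin/sh` is also not portable; `printf '%s' "* Erasing smart card... "` avoids the problem.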
" ++ TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` ++ if test -z "${TOKEN}"; then ++ echo "Could not find initialized card" ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +new file mode 100755 +index 000000000..e8cdcd30d +--- /dev/null ++++ b/tests/testpkcs11.sh +@@ -0,0 +1,938 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}" ++CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" ++DIFF="${DIFF:-diff -b -B}" ++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" ++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" ++RETCODE=0 ++ ++if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then ++ echo "Cannot run in FIPS140-2 mode" ++ exit 77 ++fi ++ ++if ! test -x "${P11TOOL}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CERTTOOL}"; then ++ exit 77 ++fi ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! 
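Review bot: `PUK=3537363231383830` silently discards the second argument that tests/testpkcs11.sh passes to init_card, and no comment says why. A line such as `# sc-hsm-tool expects a 16-hex-digit SO-PIN, so $2 is ignored and GNUTLS_SO_PIN is re-exported to match` would save the next reader the search (wording to be confirmed against the tool's documentation). In the token lookup, `pkcs11:token=Nikos` looks like a leftover, since the result is filtered on `token=GnuTLS-Test` anyway. `\s` in the sed expression is a GNU extension; `[[:space:]]*` is the portable spelling. The first step also prints "Erasing smart card" while running `--initialize`, which makes the log misleading.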
test -x "${CLI}"; then ++ exit 77 ++fi ++ ++if ! test -z "${VALGRIND}"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full" ++fi ++ ++TMPFILE="testpkcs11.debug.log" ++CERTTOOL_PARAM="--stdout-info" ++ ++if test "${WINDIR}" != ""; then ++ exit 77 ++fi ++ ++ASAN_OPTIONS="detect_leaks=0" ++export ASAN_OPTIONS ++ ++P11TOOL="${VALGRIND} ${P11TOOL} --batch" ++SERV="${SERV} -q" ++ ++. ${srcdir}/scripts/common.sh ++ ++rm -f "${TMPFILE}" ++ ++exit_error () { ++ echo "check ${TMPFILE} for additional debugging information" ++ echo "" ++ echo "" ++ tail "${TMPFILE}" ++ exit 1 ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++# ${srcdir}/testpkcs11-certs/client.key ++write_privkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing a client private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Checking whether object was marked private... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client2" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo "private object was public" ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Checking whether object was marked sensitive... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_SENSITIVE" >/dev/null 2>&1 ++ if test $? != 0; then ++ echo "private object was not sensitive" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_privkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_pubkey () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server public key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-pubkey --load-pubkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ #verify it being written ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public" >>"${TMPFILE}" 2>&1 ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public"|grep "Public key" >/dev/null 2>&1 ++ if test $? != 0;then ++ echo "Cannot verify the existence of the written pubkey" ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: filename ++write_serv_cert () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Writing the server certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "${filename}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++} ++ ++# $1: token ++# $2: PIN ++test_delete_cert () { ++ export GNUTLS_PIN="$2" ++ filename="$3" ++ token="$1" ++ ++ echo -n "* Deleting the server certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=serv-cert;object-type=cert" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_rsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating RSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether generated private key was marked private... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo "private object was public" ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Checking whether private key was marked sensitive... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client" | grep "CKA_SENSITIVE" >/dev/null 2>&1 ++ if test $? != 0; then ++ echo "private object was not sensitive" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_temp_rsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating RSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++# if test ${RETCODE} = 0; then ++# echo -n "* Testing private key flags... " ++# ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}" ++# if test $? != 0; then ++# echo failed ++# exit_error ++# fi ++# ++# grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++# if test $? != 0; then ++# echo "failed (no CKA_WRAP)" ++# exit_error ++# else ++# echo ok ++# fi ++# fi ++} ++ ++generate_temp_dsa_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating DSA private key ("${bits}")... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? 
= 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: token ++# $2: PIN ++delete_temp_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ type="$3" ++ ++ test "${RETCODE}" = "0" || return ++ ++ echo -n "* Deleting private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ RETCODE=1 ++ return ++ fi ++ ++ RETCODE=0 ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++export_pubkey_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Exporting public key of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit 1 ++ fi ++ ++ ${DIFF} tmp-client.pub tmp-client-2.pub ++ if test $? != 0; then ++ echo keys differ ++ exit 1 ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++change_id_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Change the CKA_ID of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID didn't change" ++ exit_error ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++change_label_of_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Change the CKA_LABEL of generated private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "label didn't change" ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++generate_temp_ecc_privkey () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating ECC private key (${bits})... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: bits ++# The same as generate_temp_ecc_privkey but no explicit login is performed. ++# p11tool should detect that login is required for the operation. ++generate_temp_ecc_privkey_no_login () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ bits="$3" ++ ++ echo -n "* Generating ECC private key without --login (${bits})... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --label "temp-ecc-no-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++# $1: name ++# $2: label prefix ++# $3: generate option ++# $4: token ++# $5: PIN ++# $6: bits ++import_privkey () { ++ export GNUTLS_PIN="$5" ++ name="$1" ++ prefix="$2" ++ gen_option="$3" ++ token="$4" ++ bits="$6" ++ ++ outfile="tmp-${prefix}-${bits}.pem" ++ ++ echo -n "* Importing ${name} private key (${bits})... " ++ ++ "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit 1 ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++} ++ ++import_temp_rsa_privkey () { ++ import_privkey RSA temp-rsa --rsa $@ ++} ++ ++import_temp_ecc_privkey () { ++ import_privkey ECC temp-ecc --ecc $@ ++} ++ ++import_temp_dsa_privkey () { ++ import_privkey DSA temp-dsa --dsa $@ ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# as well as the CA certificate, and tries to export them. ++write_certificate_test () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ pubkey="$5" ++ ++ echo -n "* Generating client certificate... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ ++ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Writing client certificate... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Checking whether ID was correctly set... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo "ID was not set on copy" ++ exit_error ++ fi ++ echo ok ++ ++ if test -n "${BROKEN_SOFTHSM2}";then ++ return ++ fi ++ ++ echo -n "* Checking whether object was public... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-all-certs "${token};object=gnutls-client;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "certificate object was not public" ++ exit_error ++ fi ++ echo ok ++ ++ if test -n "${BROKEN_SOFTHSM2}";then ++ return ++ fi ++ ++ echo -n "* Writing certificate of client's CA... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 ++ ret=$? ++ if test ${ret} != 0; then ++ echo "Failed with PIN, trying to write with so PIN" >>"${TMPFILE}" ++ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1 ++ ret=$? ++ fi ++ ++ if test ${ret} = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Testing certificate flags... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}" ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed (no CKA_TRUSTED)" ++ #exit_error ++ fi ++ ++ grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)" ++ #exit_error ++ fi ++ ++ echo ok ++ ++ ++ echo -n "* Trying to obtain back the cert... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1 ++ ${DIFF} crt1.tmp "${srcdir}/testpkcs11-certs/ca.crt" ++ if test $? != 0; then ++ echo "failed. Exported certificate differs (crt1.tmp)!" 
++ exit_error ++ fi ++ rm -f crt1.tmp ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++ ++ echo -n "* Trying to obtain the full chain... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1 ++ ++ cat tmp-client.crt ${srcdir}/testpkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp ++ ${DIFF} crt1.tmp crt2.tmp ++ if test $? != 0; then ++ echo "failed. Exported certificate chain differs!" ++ exit_error ++ fi ++ rm -f crt1.tmp crt2.tmp ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the public key. ++write_certificate_id_test_rsa () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ ++ echo -n "* Generating RSA private key on HSM... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=xxx1-rsa;object-type=private" \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the private key. ++write_certificate_id_test_rsa2 () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ tmpkey="key.$$.tmp" ++ ++ echo -n "* Generating RSA private key... " ++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ++ rm -f ${tmpkey} ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++# $1: token ++# $2: PIN ++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key ++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt ++# ++# Tests writing a certificate which corresponds to the given key, ++# and verifies whether the ID is the same. Should utilize the ++# ID of the private key. ++write_certificate_id_test_ecdsa () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ cakey="$3" ++ cacert="$4" ++ tmpkey="key.$$.tmp" ++ ++ echo -n "* Generating ECDSA private key... " ++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile ${tmpkey} >>"${TMPFILE}" 2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit 1 ++ fi ++ ++ echo -n "* Checking whether right ID is set on copy... " ++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ ++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \ ++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1 ++ ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? 
!= 0; then ++ echo failed ++ exit_error ++ fi ++ ++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//') ++ ++ rm -f ${tmpkey} ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo failed ++ exit_error ++ fi ++ ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "ID '$id' was not set on copy" ++ exit_error ++ fi ++ echo ok ++} ++ ++test_sign () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ ++ echo -n "* Testing signatures using the private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ echo ok ++ ++ echo -n "* Testing RSA-PSS signatures using the private key... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --sign-params rsa-pss --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ rc=$? ++ if test $rc != 0; then ++ if test $rc = 2; then ++ echo "failed. RSA-PSS not supported." ++ else ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ else ++ echo ok ++ fi ++ ++ echo -n "* Testing signatures using the private key (with ID)... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" >>"${TMPFILE}" 2>&1 ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" 2>&1|grep "Verifying against public key in the token..."|grep ok >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures with ID." 
++ exit_error ++ fi ++ echo ok ++} ++ ++# This tests the signing operation as well as the usage of --set-pin ++test_sign_set_pin () { ++ pin="$2" ++ token="$1" ++ ++ unset GNUTLS_PIN ++ ++ echo -n "* Testing signatures using the private key and --set-pin... " ++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-pin ${pin} --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1 ++ if test $? != 0; then ++ echo "failed. Cannot test signatures." ++ exit_error ++ fi ++ echo ok ++ ++ export GNUTLS_PIN=${pin} ++} ++ ++# $1: token ++# $2: PIN ++# $3: certfile ++# $4: keyfile ++# $5: cafile ++# ++# Tests using a certificate and key pair using gnutls-serv and gnutls-cli. ++use_certificate_test () { ++ export GNUTLS_PIN="$2" ++ token="$1" ++ certfile="$3" ++ keyfile="$4" ++ cafile="$5" ++ txt="$6" ++ ++ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " ++ # start server ++ eval "${GETPORT}" ++ launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ ++ --x509keyfile="$keyfile" --x509cafile="${cafile}" \ ++ --verify-client-cert --require-client-cert >>"${TMPFILE}" 2>&1 ++ ++ PID=$! ++ wait_server ${PID} ++ ++ # connect to server using SC ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \ ++ fail ${PID} "Connection should have failed!" ++ ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ ++ --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ ++ fail ${PID} "Connection (with files) should have succeeded!" ++ ++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ ++ --x509keyfile="${token};object=gnutls-client;object-type=private" \ ++ --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \ ++ fail ${PID} "Connection (with SC) should have succeeded!" 
++ ++ kill ${PID} ++ wait ++ ++ echo ok ++} ++ ++ ++ ++echo "Testing PKCS11 support" ++ ++# erase SC ++ ++type="$1" ++ ++if test -z "${type}"; then ++ echo "usage: $0: [pkcs15|softhsm|sc-hsm]" ++ if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then ++ echo "assuming 'softhsm'" ++ echo "" ++ type=softhsm ++ else ++ exit 77 ++ fi ++ ++fi ++ ++. "${srcdir}/testpkcs11.${type}" ++ ++export GNUTLS_PIN=12345678 ++export GNUTLS_SO_PIN=00000000 ++ ++init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}" ++ ++# find token name ++TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` ++ ++echo "* Token: ${TOKEN}" ++if test "x${TOKEN}" = x; then ++ echo "Could not find generated token" ++ exit_error ++fi ++ ++#write a given privkey ++write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key" ++ ++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 ++ ++generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256 ++ ++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384 ++ ++generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048 ++ ++generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072 ++ ++import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024 ++import_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256 ++import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048 ++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048 ++ ++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 ++change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" ++export_pubkey_of_privkey "${TOKEN}" 
"${GNUTLS_PIN}" ++change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}" ++ ++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub ++write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key" ++write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" ++ ++write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt" ++test_sign "${TOKEN}" "${GNUTLS_PIN}" ++ ++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs" ++ ++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs" ++ ++write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" ++ ++test_delete_cert "${TOKEN}" "${GNUTLS_PIN}" ++ ++test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}" ++ ++if test ${RETCODE} = 0; then ++ echo "* All smart cards tests succeeded" ++fi ++rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}" ++ ++exit 0 +diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm +new file mode 100755 +index 000000000..d79a8528e +--- /dev/null ++++ b/tests/testpkcs11.softhsm +@@ -0,0 +1,77 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. 
++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++for i in /usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm;do ++ if test -f "$i/libsofthsm2.so"; then ++ ADDITIONAL_PARAM="--provider $i/libsofthsm2.so" ++ break ++ else ++ if test -f "$i/libsofthsm.so";then ++ ADDITIONAL_PARAM="--provider $i/libsofthsm.so" ++ break ++ fi ++ fi ++done ++ ++init_card () { ++ PIN="$1" ++ PUK="$2" ++ ++ if test -x "/usr/bin/softhsm2-util"; then ++ export SOFTHSM2_CONF="softhsm-testpkcs11.$$.config.tmp" ++ SOFTHSM_TOOL="/usr/bin/softhsm2-util" ++ ${SOFTHSM_TOOL} --version|grep "2.0.0" >/dev/null 2>&1 ++ if test $? 
= 0; then ++ echo "softhsm2-util 2.0.0 is broken" ++ export BROKEN_SOFTHSM2=1 ++ fi ++ fi ++ ++ if test -x "/usr/bin/softhsm"; then ++ export SOFTHSM_CONF="softhsm-testpkcs11.$$.config.tmp" ++ SOFTHSM_TOOL="/usr/bin/softhsm" ++ fi ++ ++ if test -z "${SOFTHSM_TOOL}"; then ++ echo "Could not find softhsm(2) tool" ++ exit 77 ++ fi ++ ++ if test -z "${SOFTHSM_CONF}"; then ++ rm -rf ./softhsm-testpkcs11.$$.tmp ++ mkdir -p ./softhsm-testpkcs11.$$.tmp ++ echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" ++ echo "directories.tokendir = ./softhsm-testpkcs11.$$.tmp" >> "${SOFTHSM2_CONF}" ++ ++ else ++ rm -rf ./softhsm-testpkcs11.$$.tmp ++ echo "0:./softhsm-testpkcs11.$$.tmp" > "${SOFTHSM_CONF}" ++ fi ++ ++ ++ echo -n "* Initializing smart card... " ++ ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 ++ if test $? = 0; then ++ echo ok ++ else ++ echo failed ++ exit_error ++ fi ++} diff --git a/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch new file mode 100644 index 0000000..72faadd --- /dev/null +++ b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch 
@@ -0,0 +1,48 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 7c2776760..cf82c4032 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -26,11 +26,6 @@ SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+ CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+ RETCODE=0
+
+-if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+- echo "Cannot run in FIPS140-2 mode"
+- exit 77
+-fi
+-
+ if ! test -x "${P11TOOL}"; then
+ exit 77
+ fi
+@@ -600,7 +595,8 @@ write_certificate_id_test_rsa () {
+ cacert="$4"
+
+ echo -n "* Generating RSA private key on HSM... "
+- ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa \
++ --bits 2048 "${token}" >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -649,7 +645,8 @@ write_certificate_id_test_rsa2 () {
+ tmpkey="key.$$.tmp"
+
+ echo -n "* Generating RSA private key... "
+- ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 2048 \
++ --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -907,7 +904,7 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
+ import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
+
+-generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
new file mode 100644
index 0000000..6981724
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
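Review bot: The FIPS-mode skip at the top of tests/testpkcs11.sh is removed, but only three RSA call sites are raised to 2048 bits; the script as added earlier in this commit still runs `import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024` followed by `delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024`. If that helper generates its key at the requested size (its body is not part of these hunks), the 1024-bit request will presumably be refused in FIPS mode, and the test will now fail there instead of being skipped. I would raise that pair to `2048` and `rsa-2048` in the same patch, unless another patch in the series already disables the import test.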
@@ -0,0 +1,88 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index bafb12ae0..d249d405f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -156,7 +156,7 @@ endif + endif + + check_PROGRAMS = $(ctests) +-dist_check_SCRIPTS = rfc2253-escape-test ++dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh + + TESTS = $(ctests) $(dist_check_SCRIPTS) + +diff --git a/tests/sni-hostname.sh b/tests/sni-hostname.sh +new file mode 100755 +index 000000000..4fb51be68 +--- /dev/null ++++ b/tests/sni-hostname.sh +@@ -0,0 +1,66 @@ ++#!/bin/sh ++ ++# Copyright (C) 2017 Nikos Mavrogiannopoulos ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" ++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" ++unset RETCODE ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CLI}"; then ++ exit 77 ++fi ++ ++if test "${WINDIR}" != ""; then ++ exit 77 ++fi ++ ++if ! test -z "${VALGRIND}"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" ++fi ++ ++ ++SERV="${SERV} -q" ++ ++. 
"${srcdir}/scripts/common.sh" ++ ++echo "Checking SNI hostname in gnutls-cli" ++ ++eval "${GETPORT}" ++launch_server $$ --echo --priority "NORMAL:+ANON-ECDH" --sni-hostname-fatal --sni-hostname example.com ++PID=$! ++wait_server ${PID} ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null || \ ++ fail ${PID} "1. rehandshake should have succeeded!" ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname noexample.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null && \ ++ fail ${PID} "2. rehandshake should have failed!" ++ ++ ++kill ${PID} ++wait ++ ++exit 0 +-- +2.14.3 + diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 3404620..a2a8f61 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -2,8 +2,8 @@ %bcond_with guile Summary: A TLS protocol implementation Name: gnutls -Version: 3.3.26 -Release: 9%{?dist} +Version: 3.3.29 +Release: 8%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries 
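Review bot: The negative check in tests/sni-hostname.sh (the `--sni-hostname noexample.com` run followed by `&& fail`) accepts any non-zero exit from gnutls-cli, so it also passes when the client fails for a reason unrelated to `--sni-hostname-fatal`, including a valgrind report, since VALGRIND is set with `--error-exitcode=15`. Capturing the client output and checking that the handshake was refused because of the server name would tie the result to the behaviour under test and keep memory errors from being counted as a pass. Both `fail` messages also say "rehandshake", which this script never performs; something like `fail ${PID} "2. connection with a non-matching SNI hostname should have failed!"` would describe the check.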
@@ -44,14 +44,41 @@ Patch5: gnutls-3.3.8-padlock-disable.patch # any applications depending on that. Patch6: gnutls-3.3.22-eapp-data.patch Patch7: gnutls-3.3.26-dh-params-1024.patch -# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well) -Patch8: gnutls-3.3.26-fix-uninitialized.patch -Patch9: gnutls-3.3.26-fix-coverity-issues.patch -Patch10: gnutls-3.3.26-pin-value.patch -Patch11: gnutls-3.3.26-set-unique-id-tests.patch -Patch12: gnutls-3.3.26-fips-rsa-keygen.patch -Patch13: gnutls-3.3.26-cve-2017-7869.patch -Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch +# Backport serv --sni-hostname option support (rhbz#1444792) +Patch8: gnutls-3.3.29-serv-sni-hostname.patch +Patch9: gnutls-3.3.29-serv-unrec-name.patch +Patch10: gnutls-3.3.29-cli-sni-hostname.patch +Patch11: gnutls-3.3.29-tests-sni-hostname.patch +# Do not try to retrieve PIN from URI more than once +Patch12: gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch +# Backport of fixes to address CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 +# (rhbz#1589708 rhbz#1589707 rhbz1589704) +Patch13: gnutls-3.3.29-dummy-wait-account-len-field.patch +Patch14: gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch +Patch15: gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch +Patch16: gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch +# Adjustment on tests +Patch17: gnutls-3.3.29-do-not-run-sni-hostname-windows.patch +# Backport testpkcs11 test. This test checks rhbz#1375307 +Patch18: gnutls-3.3.29-testpkcs11.patch +# Disable failing PKCS#11 tests brought from master branch. 
The reasons are: +# - ECC key generation without login is not supported +# - Certificates are marked as private objects +# - "--load-pubkey" option is not supported +# - "--test-sign" option is not supported +# - Certificates do not inherit its ID from the private key +Patch19: gnutls-3.3.29-disable-failing-tests.patch +# Do not mark certificates as private objects and re-enable test for this +Patch20: gnutls-3.3.29-do-not-mark-object-as-private.patch +Patch21: gnutls-3.3.29-re-enable-check-cert-write.patch +# Increase the length of the RSA keys generated in testpkcs11 to 2048 bits. +# This allows the test to run in FIPS mode +Patch22: gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch +# Enlarge buffer size to support resumption with large keys (rhbz#1542461) +Patch23: gnutls-3.3.29-serv-large-key-resumption.patch +# HMAC-SHA-256 cipher suites brought back downstream for compatibility +# The priority was set below AEAD +Patch24: gnutls-3.3.29-bring-back-hmac-sha256.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 
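Review bot: The comment on Patch24 does not say that it partly undoes Patch16, which is listed under the CVE-2018-10844/10845/10846 backports and, going by its file name, removes the HMAC-SHA384 and HMAC-SHA256 suites from the default priorities. Anyone auditing those mitigations needs that link, so I would extend the comment, for example `# Partially reverts Patch16: HMAC-SHA-256 cipher suites are enabled by default again, ordered below AEAD`, and add the bug reference that motivated it if one exists. The same comment block writes `rhbz1589704` without the `#` used for the other two references.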
@@ -157,19 +184,38 @@ This package contains Guile bindings for the library. %patch5 -p1 -b .padlock-disable %patch6 -p1 -b .eapp-data %patch7 -p1 -b .dh-1024 -%patch8 -p1 -b .fix-uninit -%patch9 -p1 -b .fix-coverity -%patch10 -p1 -b .pin-value -%patch11 -p1 -b .unique-id -%patch12 -p1 -b .rsa-keygen -%patch13 -p1 -b .openpgp-fixes -%patch14 -p1 -b .ocsp-ext-parse +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in rm -f lib/minitasn1/*.c lib/minitasn1/*.h rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h +# Touch man pages to avoid them to be regenerated after patches which change +# .def files +touch doc/manpages/gnutls-serv.1 +touch doc/manpages/gnutls-cli.1 + +# Fix permissions for files brought by patches +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/testpkcs11.sh +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/sni-hostname.sh + %{SOURCE2} -e autoreconf -if 
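Review bot: The two added `chmod` lines reach the scripts through `%{_builddir}/%{name}-%{version}/`, while every neighbouring command in this section (`sed ... -i lib/Makefile.in`, `rm -f lib/minitasn1/*.c`, the added `touch doc/manpages/gnutls-serv.1`) uses paths relative to the unpacked source tree. That ties the step to the unpack directory name for no visible benefit; `chmod ugo+x tests/testpkcs11.sh tests/sni-hostname.sh` would match the surrounding lines.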
@@ -313,6 +359,26 @@ fi %endif %changelog +* Fri Jul 20 2018 Anderson Sasaki 3.3.29-8 +- Backported --sni-hostname option which allows overriding the hostname + advertised to the peer (#1444792) +- Improved counter-measures in TLS CBC record padding for lucky13 attack + (CVE-2018-10844, #1589704, CVE-2018-10845, #1589707) +- Added counter-measures for "Just in Time" PRIME + PROBE cache-based attack + (CVE-2018-10846, #1589708) +- Address p11tool issue in object deletion in batch mode (#1375307) +- Backport PKCS#11 tests from master branch. Some tests were disabled due to + unsupported features in 3.3.x (--load-pubkey and --test-sign options, ECC key + generation without login, and certificates do not inherit ID from the private + key) +- p11tool explicitly marks certificates and public keys as NOT private objects + and private keys as private objects +- Enlarge buffer size to support resumption with large keys (#1542461) +- Legacy HMAC-SHA384 cipher suites were disabled by default +- Added DSA key generation to p11tool (#1464896) +- Address session renegotiation issue using client certificate (#1434091) +- Address issue when importing private keys into Atos HSM (#1460125) + * Fri May 26 2017 Nikos Mavrogiannopoulos 3.3.26-9 - Address crash in OCSP status request extension, by eliminating the unneeded parsing (CVE-2017-7507, #1455828)