diff --git a/.gitignore b/.gitignore index 2f0aa7d..a1fb9dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/gnutls-3.3.24-hobbled.tar.xz +SOURCES/gnutls-3.3.26-hobbled.tar.xz diff --git a/.gnutls.metadata b/.gnutls.metadata index 70743da..695a36c 100644 --- a/.gnutls.metadata +++ b/.gnutls.metadata @@ -1 +1 @@ -8e6860e7208db4b695e28c0389df1965161015b9 SOURCES/gnutls-3.3.24-hobbled.tar.xz +d3ec13b080bd01c7705e81f5a5e80284e571115c SOURCES/gnutls-3.3.26-hobbled.tar.xz diff --git a/SOURCES/gnutls-3.3.26-cve-2017-7869.patch b/SOURCES/gnutls-3.3.26-cve-2017-7869.patch new file mode 100644 index 0000000..d2ddc38 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-cve-2017-7869.patch @@ -0,0 +1,235 @@ +diff --git a/lib/opencdk/kbnode.c b/lib/opencdk/kbnode.c +index c28cb34..f865b16 100644 +--- a/lib/opencdk/kbnode.c ++++ b/lib/opencdk/kbnode.c +@@ -369,12 +369,14 @@ cdk_packet_t cdk_kbnode_get_packet(cdk_kbnode_t node) + * @armor: whether base64 or not + * @buf: the buffer which stores the key sequence + * @buflen: the length of the buffer ++ * @public: non-zero if reading a public key + * + * Tries to read a key node from the memory buffer @buf. + **/ + cdk_error_t + cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, +- int armor, const byte * buf, size_t buflen) ++ int armor, const byte * buf, size_t buflen, ++ unsigned public) + { + cdk_stream_t inp; + cdk_error_t rc; +@@ -393,7 +395,7 @@ cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, + if (armor) + cdk_stream_set_armor_flag(inp, 0); + +- rc = cdk_keydb_get_keyblock(inp, ret_node); ++ rc = cdk_keydb_get_keyblock(inp, ret_node, public); + if (rc) + gnutls_assert(); + cdk_stream_close(inp); +diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c +index 64eebf0..9112d9a 100644 +--- a/lib/opencdk/keydb.c ++++ b/lib/opencdk/keydb.c +@@ -108,7 +108,7 @@ static cdk_error_t keydb_idx_build(const char *file) + while (!cdk_stream_eof(inp)) { + off_t pos = cdk_stream_tell(inp); + +- rc = cdk_pkt_read(inp, pkt); ++ rc = cdk_pkt_read(inp, pkt, 1); + if (rc) { + _cdk_log_debug + ("index build failed packet off=%lu\n", +@@ -816,7 +816,7 @@ cdk_keydb_search(cdk_keydb_search_t st, cdk_keydb_hd_t hd, + + pos = cdk_stream_tell(kr); + +- rc = cdk_keydb_get_keyblock(kr, &knode); ++ rc = cdk_keydb_get_keyblock(kr, &knode, 1); + + if (rc) { + if (rc == CDK_EOF) +@@ -1679,7 +1679,7 @@ add_key_usage(cdk_kbnode_t knode, u32 keyid[2], unsigned int usage) + } + + cdk_error_t +-cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) ++cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode, unsigned public) + { + cdk_packet_t pkt; + cdk_kbnode_t knode, node; +@@ -1706,7 +1706,7 @@ cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) + while (!cdk_stream_eof(inp)) { + cdk_pkt_new(&pkt); + old_off = cdk_stream_tell(inp); +- rc = cdk_pkt_read(inp, pkt); ++ rc = cdk_pkt_read(inp, pkt, public); + if (rc) { + cdk_pkt_release(pkt); + if (rc == CDK_EOF) +@@ -2126,7 +2126,7 @@ cdk_error_t cdk_keydb_check_sk(cdk_keydb_hd_t hd, u32 * keyid) + return rc; + } + cdk_pkt_new(&pkt); +- while (!cdk_pkt_read(db, pkt)) { ++ while (!cdk_pkt_read(db, pkt, 0)) { + if (pkt->pkttype != CDK_PKT_SECRET_KEY && + pkt->pkttype != CDK_PKT_SECRET_SUBKEY) { + cdk_pkt_free(pkt); +@@ -2241,14 +2241,14 @@ cdk_error_t cdk_listkey_next(cdk_listkey_t ctx, cdk_kbnode_t * ret_key) + } + + if (ctx->type && ctx->u.patt[0] == '*') +- return cdk_keydb_get_keyblock(ctx->inp, ret_key); ++ return cdk_keydb_get_keyblock(ctx->inp, ret_key, 1); + else if (ctx->type) { + cdk_kbnode_t node; + struct cdk_keydb_search_s ks; + cdk_error_t rc; + + for (;;) { +- rc = cdk_keydb_get_keyblock(ctx->inp, &node); ++ rc = cdk_keydb_get_keyblock(ctx->inp, &node, 1); + if (rc) { + gnutls_assert(); + return rc; +diff --git a/lib/opencdk/literal.c b/lib/opencdk/literal.c +index 7b4baec..6996774 100644 +--- a/lib/opencdk/literal.c ++++ b/lib/opencdk/literal.c +@@ -67,7 +67,7 @@ static cdk_error_t literal_decode(void *data, FILE * in, FILE * out) + return rc; + + cdk_pkt_new(&pkt); +- rc = cdk_pkt_read(si, pkt); ++ rc = cdk_pkt_read(si, pkt, 1); + if (rc || pkt->pkttype != CDK_PKT_LITERAL) { + cdk_pkt_release(pkt); + cdk_stream_close(si); +diff --git a/lib/opencdk/opencdk.h b/lib/opencdk/opencdk.h +index c06b749..d95cc32 100644 +--- a/lib/opencdk/opencdk.h ++++ b/lib/opencdk/opencdk.h +@@ -553,7 +553,7 @@ extern "C" { + void cdk_pkt_release(cdk_packet_t pkt); + + /* Read or write the given output from or to the stream. */ +- cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt); ++ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public); + cdk_error_t cdk_pkt_write(cdk_stream_t out, cdk_packet_t pkt); + + /* Sub packet routines */ +@@ -814,7 +814,8 @@ extern "C" { + /* Try to read the next key block from the given input stream. + The key will be returned in @RET_KEY on success. */ + cdk_error_t cdk_keydb_get_keyblock(cdk_stream_t inp, +- cdk_kbnode_t * ret_key); ++ cdk_kbnode_t * ret_key, ++ unsigned public); + + /* Rebuild the key db index if possible. */ + cdk_error_t cdk_keydb_idx_rebuild(cdk_keydb_hd_t db, +@@ -848,7 +849,7 @@ extern "C" { + cdk_error_t cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, + int armor, + const unsigned char *buf, +- size_t buflen); ++ size_t buflen, unsigned public); + cdk_error_t cdk_kbnode_write_to_mem(cdk_kbnode_t node, + unsigned char *buf, + size_t * r_nbytes); +diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c +index 7a474ff..72624d0 100644 +--- a/lib/opencdk/read-packet.c ++++ b/lib/opencdk/read-packet.c +@@ -571,6 +571,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id) + } + + ++#define MAX_PACKET_LEN (1<<24) ++ ++ + static cdk_error_t + read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + { +@@ -610,6 +613,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + else + return CDK_Inv_Packet; + ++ if (size >= MAX_PACKET_LEN) { ++ return CDK_Inv_Packet; ++ } ++ + node = cdk_subpkt_new(size); + if (!node) + return CDK_Out_Of_Core; +@@ -958,7 +965,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) + * + * Parse the next packet on the @inp stream and return its contents in @pkt. + **/ +-cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) ++cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public) + { + int ctb, is_newctb; + int pkttype; +@@ -1058,6 +1065,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) + break; + + case CDK_PKT_SECRET_KEY: ++ if (public) { ++ /* read secret key when expecting public */ ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } + pkt->pkt.secret_key = + cdk_calloc(1, sizeof *pkt->pkt.secret_key); + if (!pkt->pkt.secret_key) +@@ -1073,6 +1084,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) + break; + + case CDK_PKT_SECRET_SUBKEY: ++ if (public) { ++ /* read secret key when expecting public */ ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } + pkt->pkt.secret_key = + cdk_calloc(1, sizeof *pkt->pkt.secret_key); + if (!pkt->pkt.secret_key) +diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c +index 7c05e1f..192737f 100644 +--- a/lib/openpgp/gnutls_openpgp.c ++++ b/lib/openpgp/gnutls_openpgp.c +@@ -479,7 +479,7 @@ int gnutls_openpgp_count_key_names(const gnutls_datum_t * cert) + return 0; + } + +- if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size)) { ++ if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size, 1)) { + gnutls_assert(); + return 0; + } +diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c +index d5ef272..77e57ab 100644 +--- a/lib/openpgp/pgp.c ++++ b/lib/openpgp/pgp.c +@@ -99,7 +99,7 @@ gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key, + armor = 1; + + rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data, +- data->size); ++ data->size, 1); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); +diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c +index 6aa6fb5..81ec3ab 100644 +--- a/lib/openpgp/privkey.c ++++ b/lib/openpgp/privkey.c +@@ -186,7 +186,7 @@ gnutls_openpgp_privkey_import(gnutls_openpgp_privkey_t key, + armor = 1; + + rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data, +- data->size); ++ data->size, 0); + if (rc != 0) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); diff --git a/SOURCES/gnutls-3.3.26-dh-params-1024.patch b/SOURCES/gnutls-3.3.26-dh-params-1024.patch new file mode 100644 index 0000000..ce91678 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-dh-params-1024.patch @@ -0,0 +1,31 @@ +diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c +index c5998ab..ffefce1 100644 +--- a/lib/gnutls_priority.c ++++ b/lib/gnutls_priority.c +@@ -684,7 +684,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); /* set certificate level */ +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); /* set DH params level */ ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); /* set DH params level */ + return 1; + } else if (strcasecmp(level, LEVEL_NORMAL) == 0) { + func(&priority_cache->cipher, cipher_priority_normal); +@@ -694,7 +694,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); + return 1; + } else if (strcasecmp(level, LEVEL_PFS) == 0) { + func(&priority_cache->cipher, cipher_priority_normal); +@@ -704,7 +704,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); + return 1; + } else if (strcasecmp(level, LEVEL_SECURE256) == 0 + || strcasecmp(level, LEVEL_SECURE192) == 0) { diff --git a/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch b/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch new file mode 100644 index 0000000..4093066 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch @@ -0,0 +1,56 @@ +diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c +index 624aa36..b064b45 100644 +--- a/lib/nettle/int/rsa-keygen-fips186.c ++++ b/lib/nettle/int/rsa-keygen-fips186.c +@@ -27,7 +27,6 @@ + #include "config.h" + #endif + +-#include + #include + #include + #include +@@ -337,10 +336,16 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + + mpz_mul(pub->n, key->p, key->q); + +- assert(mpz_sizeinbase(pub->n, 2) == n_size); ++ if (mpz_sizeinbase(pub->n, 2) != n_size) { ++ ret = 0; ++ goto cleanup; ++ } + + /* c = q^{-1} (mod p) */ +- assert(mpz_invert(key->c, key->q, key->p) != 0); ++ if (mpz_invert(key->c, key->q, key->p) == 0) { ++ ret = 0; ++ goto cleanup; ++ } + + mpz_sub_ui(p1, key->p, 1); + mpz_sub_ui(q1, key->q, 1); +@@ -352,6 +357,12 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + goto cleanup; + } + ++ /* check whether d > 2^(nlen/2) -- FIPS186-4 5.3.1 */ ++ if (mpz_sizeinbase(key->d, 2) < n_size/2) { ++ ret = 0; ++ goto cleanup; ++ } ++ + /* Done! Almost, we must compute the auxillary private values. */ + /* a = d % (p-1) */ + mpz_fdiv_r(key->a, key->d, p1); +@@ -362,7 +373,10 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + /* c was computed earlier */ + + pub->size = key->size = (n_size + 7) / 8; +- assert(pub->size >= RSA_MINIMUM_N_OCTETS); ++ if (pub->size < RSA_MINIMUM_N_OCTETS) { ++ ret = 0; ++ goto cleanup; ++ } + + ret = 1; + cleanup: diff --git a/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch b/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch new file mode 100644 index 0000000..fa27c05 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch @@ -0,0 +1,15 @@ +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 56c0163..368598b 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -2021,7 +2021,9 @@ static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk, + break; + } + +- _rsa_params_to_pubkey(issuer_params, &pub); ++ ret = _rsa_params_to_pubkey(issuer_params, &pub); ++ if (ret < 0) ++ return gnutls_assert_val(ret); + + digest_size = sizeof(digest); + diff --git a/SOURCES/gnutls-3.3.26-fix-uninitialized.patch b/SOURCES/gnutls-3.3.26-fix-uninitialized.patch new file mode 100644 index 0000000..1242a1d --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fix-uninitialized.patch @@ -0,0 +1,12 @@ +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index d99dedf..f5cf99d 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -3019,6 +3019,7 @@ gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list, + if (ret < 0) { + gnutls_assert(); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ++ *p_list = NULL; + *n_list = 0; + ret = 0; + } diff --git a/SOURCES/gnutls-3.3.26-pin-value.patch b/SOURCES/gnutls-3.3.26-pin-value.patch new file mode 100644 index 0000000..794ba48 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-pin-value.patch @@ -0,0 +1,662 @@ +diff --git a/configure.ac b/configure.ac +index 0840042..c9c9fdc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -447,6 +447,9 @@ if test "$with_p11_kit" != "no"; then + if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then + with_buggy_p11_kit=yes + fi ++ if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then ++ AC_DEFINE([P11_KIT_HAS_PIN_VALUE], 1, [p11-kit supports p11_kit_uri_get_pin_value()]) ++ fi + else + with_p11_kit=no + AC_MSG_WARN([[ +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index f5cf99d..26d88e5 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -2367,6 +2367,25 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + + *pin = NULL; + ++#ifdef P11_KIT_HAS_PIN_VALUE ++ /* First check for pin-value field */ ++ pinfile = p11_kit_uri_get_pin_value(info); ++ if (pinfile != NULL) { ++ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n"); ++ *pin = p11_kit_pin_new_for_string(pinfile); ++ if (*pin != NULL) ++ ret = 0; ++ } else { /* try pin-source */ ++ /* Check if a pinfile is specified, and use that if possible */ ++ pinfile = p11_kit_uri_get_pin_source(info); ++ if (pinfile != NULL) { ++ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n"); ++ ret = ++ retrieve_pin_from_source(pinfile, token_info, attempts, ++ user_type, pin); ++ } ++ } ++#else + /* Check if a pinfile is specified, and use that if possible */ + pinfile = p11_kit_uri_get_pinfile(info); + if (pinfile != NULL) { +@@ -2375,6 +2394,7 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + retrieve_pin_from_source(pinfile, token_info, attempts, + user_type, pin); + } ++#endif + + /* The global gnutls pin callback */ + if (ret < 0) +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 5b60899..20ed79c 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -36,7 +36,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ + certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ + certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ + certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ +- cert-common.h pkcs11/softhsm.h ++ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c + + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = \ +@@ -113,7 +113,8 @@ pkcs11_import_url_privkey_LDADD = $(LDADD) $(LIBDL) + + ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts \ + pkcs11/pkcs11-chainverify pkcs11/pkcs11-get-issuer pkcs11/pkcs11-is-known \ +- pkcs11/pkcs11-combo pkcs11-import-url-privkey ++ pkcs11/pkcs11-combo pkcs11-import-url-privkey pkcs11/pkcs11-pubkey-import-rsa \ ++ pkcs11/pkcs11-import-with-pin + + endif + endif +diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c +new file mode 100644 +index 0000000..e435919 +--- /dev/null ++++ b/tests/pkcs11/pkcs11-import-with-pin.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright (C) 2017 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "../utils.h" ++#include "softhsm.h" ++ ++/* Tests whether a protected object is imported with PIN obtained using ++ * pin-value or pin-source. */ ++ ++#define CONFIG_NAME "softhsm-import-with-pin" ++#define CONFIG CONFIG_NAME".config" ++ ++#include "../cert-common.h" ++ ++#define PIN "1234" ++ ++static const gnutls_datum_t testdata = {(void*)"test test", 9}; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static ++int pin_func(void* userdata, int attempt, const char* url, const char *label, ++ unsigned flags, char *pin, size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, PIN); ++ return 0; ++ } ++ return -1; ++} ++ ++static void write_pin(const char *file, const char *pin) ++{ ++ FILE *fp = fopen(file, "w"); ++ assert(fp != NULL); ++ fputs(pin, fp); ++ fclose(fp); ++} ++ ++void doit() ++{ ++ char buf[512]; ++ int ret, pk; ++ const char *lib, *bin; ++ gnutls_x509_privkey_t key; ++ gnutls_datum_t tmp, sig; ++ gnutls_privkey_t pkey; ++ char file[TMPNAME_SIZE]; ++ ++#ifndef P11_KIT_HAS_PIN_VALUE ++ exit(77); ++#endif ++ ++ bin = softhsm_bin(); ++ ++ lib = softhsm_lib(); ++ ++ ret = global_init(); ++ if (ret != 0) { ++ fail("%d: %s\n", ret, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); ++ system(buf); ++ ++ ret = gnutls_pkcs11_add_provider(lib, "trusted"); ++ if (ret < 0) { ++ fprintf(stderr, "add_provider: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_x509_privkey_init(&key); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_privkey_import(key, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_x509_privkey_deinit(key); ++ gnutls_pkcs11_set_pin_function(NULL, NULL); ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ ++ /* Test 1 ++ * Try importing with pin-value */ ++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* check whether privkey is operational by signing */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ gnutls_free(sig.data); ++ gnutls_privkey_deinit(pkey); ++ ++ /* Test 2 ++ * Try importing with pin-source */ ++ track_temp_files(); ++ get_tmpname(file); ++ ++ write_pin(file, PIN); ++ ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); ++ ret = gnutls_privkey_import_pkcs11_url(pkey, buf); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* check whether privkey is operational by signing */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ gnutls_free(sig.data); ++ gnutls_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++ delete_temp_files(); ++ ++ remove(CONFIG); ++} ++ +diff --git a/tests/pkcs11/pkcs11-pubkey-import-rsa.c b/tests/pkcs11/pkcs11-pubkey-import-rsa.c +new file mode 100644 +index 0000000..d304c4f +--- /dev/null ++++ b/tests/pkcs11/pkcs11-pubkey-import-rsa.c +@@ -0,0 +1,41 @@ ++/* ++ * Copyright (C) 2015 Nikos Mavrogiannopoulos ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#define CONFIG_NAME "softhsm-pubkey-import-rsa" ++#define CONFIG CONFIG_NAME".config" ++ ++#include "pkcs11-pubkey-import.c" ++ ++void doit(void) ++{ ++ success("Testing RSA key\n"); ++ try(1); ++} +diff --git a/tests/pkcs11/pkcs11-pubkey-import.c b/tests/pkcs11/pkcs11-pubkey-import.c +new file mode 100644 +index 0000000..7513aad +--- /dev/null ++++ b/tests/pkcs11/pkcs11-pubkey-import.c +@@ -0,0 +1,220 @@ ++/* ++ * Copyright (C) 2015 Nikos Mavrogiannopoulos ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "../utils.h" ++#include "softhsm.h" ++ ++/* Tests whether gnutls_pubkey_import_privkey works well for ++ * RSA keys under PKCS #11 */ ++ ++ ++#include "../cert-common.h" ++ ++#define PIN "1234" ++ ++static const gnutls_datum_t testdata = {(void*)"test test", 9}; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static ++int pin_func(void* userdata, int attempt, const char* url, const char *label, ++ unsigned flags, char *pin, size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, PIN); ++ return 0; ++ } ++ return -1; ++} ++ ++static void try(int rsa) ++{ ++ char buf[128]; ++ int ret, pk; ++ const char *lib, *bin; ++ gnutls_x509_crt_t crt; ++ gnutls_x509_privkey_t key; ++ gnutls_datum_t tmp, sig; ++ gnutls_privkey_t pkey; ++ gnutls_pubkey_t pubkey; ++ gnutls_pubkey_t pubkey2; ++ ++#ifndef P11_KIT_HAS_PIN_VALUE ++ exit(77); ++#endif ++ ++ bin = softhsm_bin(); ++ ++ lib = softhsm_lib(); ++ ++ ret = global_init(); ++ if (ret != 0) { ++ fail("%d: %s\n", ret, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); ++ system(buf); ++ ++ ret = gnutls_pkcs11_add_provider(lib, "trusted"); ++ if (ret < 0) { ++ fprintf(stderr, "gnutls_x509_crt_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_x509_crt_init(&crt); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_crt_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_crt_import(crt, rsa?&server_cert:&server_ecc_cert, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_crt_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ if (debug) { ++ gnutls_x509_crt_print(crt, ++ GNUTLS_CRT_PRINT_ONELINE, ++ &tmp); ++ ++ printf("\tCertificate: %.*s\n", ++ tmp.size, tmp.data); ++ gnutls_free(tmp.data); ++ } ++ ++ ret = gnutls_x509_privkey_init(&key); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_privkey_import(key, rsa?&server_key:&server_ecc_key, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_x509_crt_deinit(crt); ++ gnutls_x509_privkey_deinit(key); ++ gnutls_pkcs11_set_pin_function(NULL, NULL); ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ ++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ assert(gnutls_pubkey_init(&pubkey) == 0); ++ assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); ++ ++ pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL); ++ ++ /* check whether privkey and pubkey are operational ++ * by signing and verifying */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ ++ /* verify against the raw pubkey */ ++ assert(gnutls_pubkey_init(&pubkey2) == 0); ++ assert(gnutls_pubkey_import_x509_raw(pubkey2, rsa?&server_cert:&server_ecc_cert, GNUTLS_X509_FMT_PEM, 0) == 0); ++ assert(gnutls_pubkey_verify_data2(pubkey2, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); ++ ++ /* verify against the pubkey in PKCS #11 */ ++ assert(gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); ++ ++ gnutls_free(sig.data); ++ ++ gnutls_pubkey_deinit(pubkey2); ++ gnutls_pubkey_deinit(pubkey); ++ gnutls_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++ ++ remove(CONFIG); ++} ++ +diff --git a/tests/utils.c b/tests/utils.c +index 65ceafd..37345a6 100644 +--- a/tests/utils.c ++++ b/tests/utils.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #ifndef _WIN32 + # include + # include +@@ -39,6 +40,8 @@ + # include + #endif + #endif ++#include ++#include + + #include "utils.h" + +@@ -183,3 +186,74 @@ int main(int argc, char *argv[]) + + return error_count ? 1 : 0; + } ++ ++struct tmp_file_st { ++ char file[TMPNAME_SIZE]; ++ struct tmp_file_st *next; ++}; ++ ++static struct tmp_file_st *temp_files = (void*)-1; ++ ++static void append(const char *file) ++{ ++ struct tmp_file_st *p; ++ ++ if (temp_files == (void*)-1) ++ return; ++ ++ p = calloc(1, sizeof(*p)); ++ ++ assert(p != NULL); ++ strcpy(p->file, file); ++ p->next = temp_files; ++ temp_files = p; ++} ++ ++char *get_tmpname(char s[TMPNAME_SIZE]) ++{ ++ unsigned char rnd[6]; ++ static char _s[TMPNAME_SIZE]; ++ int ret; ++ char *p; ++ const char *path; ++ ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd)); ++ if (ret < 0) ++ return NULL; ++ ++ path = getenv("builddir"); ++ if (path == NULL) ++ path = "."; ++ ++ if (s == NULL) ++ p = _s; ++ else ++ p = s; ++ ++ snprintf(p, TMPNAME_SIZE, "%s/tmpfile-%02x%02x%02x%02x%02x%02x.tmp", path, (unsigned)rnd[0], (unsigned)rnd[1], ++ (unsigned)rnd[2], (unsigned)rnd[3], (unsigned)rnd[4], (unsigned)rnd[5]); ++ ++ append(p); ++ ++ return p; ++} ++ ++void track_temp_files(void) ++{ ++ temp_files = NULL; ++} ++ ++void delete_temp_files(void) ++{ ++ struct tmp_file_st *p = temp_files; ++ struct tmp_file_st *next; ++ ++ if (p == (void*)-1) ++ return; ++ ++ while(p != NULL) { ++ next = p->next; ++ free(p); ++ p = next; ++ } ++} +diff --git a/tests/utils.h b/tests/utils.h +index 8f3ac3f..5c0afe7 100644 +--- a/tests/utils.h ++++ b/tests/utils.h +@@ -61,4 +61,9 @@ extern void binprint(const void *str, size_t len); + extern void doit(void); + void sec_sleep(int sec); + ++#define TMPNAME_SIZE 128 ++char *get_tmpname(char s[TMPNAME_SIZE]); ++void track_temp_files(void); ++void delete_temp_files(void); ++ + #endif /* UTILS_H */ diff --git a/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch b/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch new file mode 100644 index 0000000..8c00d63 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch @@ -0,0 +1,110 @@ +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index 8cefc61..c7c065e 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -1,5 +1,6 @@ + /* +- * Copyright (C) 2012 Free Software Foundation, Inc. ++ * Copyright (C) 2012-2017 Free Software Foundation, Inc. ++ * Copyright (C) 2017 Red Hat, Inc. + * + * Author: Simon Josefsson, Nikos Mavrogiannopoulos + * +@@ -66,18 +67,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +-unsigned i; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -132,8 +121,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,43 +141,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ /* sanity check only, we don't use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -472,11 +435,18 @@ gnutls_certificate_set_ocsp_status_request_file + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv.ptr; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); diff --git a/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch b/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch new file mode 100644 index 0000000..6d3d65f --- /dev/null +++ b/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch @@ -0,0 +1,316 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 20ed79c..0d72707 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -88,7 +88,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ + long-session-id mini-x509-callbacks-intr \ + crlverify init_fds mini-rehandshake-2 sign-md5-rep global-init-override \ + version-checks mini-server-name naked-alerts multi-alerts \ +- pkcs8-key-decode-encrypted pkcs8-key-decode ++ pkcs8-key-decode-encrypted pkcs8-key-decode crt_apis + + if ENABLE_PKCS11 + if !HAVE_BUGGY_P11_KIT +diff --git a/tests/crt_apis.c b/tests/crt_apis.c +new file mode 100644 +index 0000000..ad183d7 +--- /dev/null ++++ b/tests/crt_apis.c +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (C) 2008-2016 Free Software Foundation, Inc. ++ * Copyright (C) 2016 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils.h" ++ ++#include "cert-common.h" ++ ++static unsigned char saved_crt_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICMTCCAZqgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n" ++ "a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n" ++ "Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n" ++ "ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n" ++ "17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n" ++ "fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n" ++ "jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo1Mw\n" ++ "UTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwDgYDVR0RBAcwBYIDYXBh\n" ++ "MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF\n" ++ "AAOBgQAFhjKULYgLWW9TmfqIdyKf+kr5zFaQnIlF0tuUcE9lq4am9NKUVuxn4yo2\n" ++ "AFePiZWksrLN8PvujOK+duJ5nljF3xXwF0Z/J83NzNa1buMafuBonTJTFQQQkoGK\n" ++ "6sN+hxb6qWBjZcyQflMeG5eMJC2b57Lao4IDLSHx+mo91fvKuw==\n" ++ "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 }; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static time_t mytime(time_t * t) ++{ ++ time_t then = 1207000800; ++ ++ if (t) ++ *t = then; ++ ++ return then; ++} ++ ++void doit(void) ++{ ++ gnutls_x509_privkey_t pkey; ++ gnutls_x509_crt_t crt; ++ gnutls_x509_crt_t crt2; ++ const char *err = NULL; ++ unsigned char buf[64]; ++ gnutls_datum_t out; ++ size_t s = 0; ++ int ret; ++ ++ ret = global_init(); ++ if (ret < 0) ++ fail("global_init\n"); ++ ++ gnutls_global_set_time_function(mytime); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ ret = gnutls_x509_crt_init(&crt); ++ if (ret != 0) ++ fail("gnutls_x509_crt_init\n"); ++ ++ ret = gnutls_x509_crt_init(&crt2); ++ if (ret != 0) ++ fail("gnutls_x509_crt_init\n"); ++ ++ ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); ++ if (ret != 0) ++ fail("gnutls_x509_crt_import\n"); ++ ++ ret = gnutls_x509_privkey_init(&pkey); ++ if (ret != 0) ++ fail("gnutls_x509_privkey_init\n"); ++ ++ ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); ++ if (ret != 0) ++ fail("gnutls_x509_privkey_import\n"); ++ ++ /* Setup CRT */ ++ ++ ret = gnutls_x509_crt_set_version(crt, 3); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_version\n"); ++ ++ ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_serial\n"); ++ ++ ret = gnutls_x509_crt_set_expiration_time(crt, -1); ++ if (ret != 0) ++ fail("error\n"); ++ ++ ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); ++ if (ret != 0) ++ fail("error\n"); ++ ++ ret = gnutls_x509_crt_set_key(crt, pkey); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key\n"); ++ ++ ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); ++ if (ret < 0) { ++ fail("error\n"); ++ } ++ ++ ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_usage %d\n", ret); ++ ++ ret = gnutls_x509_crt_set_dn(crt, "cn = nikos,o = none to\\, mention", &err); ++ if (ret < 0) { ++ fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); ++ } ++ ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, ++ "foo", 3, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, ++ "foo@bar.org", strlen("foo@bar.org"), 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, ++ "\xc1\x5c\x96\x3", 4, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, ++ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, ++ "apa", 3, 0); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = ++ gnutls_x509_crt_set_key_purpose_oid(crt, ++ GNUTLS_KP_TLS_WWW_SERVER, ++ 0); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) ++ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = ++ gnutls_x509_crt_set_key_purpose_oid(crt, ++ GNUTLS_KP_TLS_WWW_CLIENT, ++ 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); ++ ++ /* in the end this will be ignored as the issuer will be set ++ * by gnutls_x509_crt_sign2() */ ++ ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err); ++ if (ret < 0) { ++ fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); ++ } ++ ++#define ISSUER_UNIQUE_ID "\x00\x01\x02\x03" ++#define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01" ++ ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ /* Sign and finalize the certificate */ ++ ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); ++ if (ret < 0) ++ fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ++ ++ ++ ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); ++ if (ret != 0) ++ fail("gnutls_x509_crt_print\n"); ++ if (debug) ++ printf("crt: %.*s\n", out.size, out.data); ++ gnutls_free(out.data); ++ ++ /* Verify whether selected input is present */ ++ s = 0; ++ ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) ++ fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); ++ if (ret != 0) ++ fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ++ ++ ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); ++ if (ret < 0 || out.size == 0) ++ fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); ++ ++ if (out.size != 45 || ++ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { ++ hexprint(out.data, out.size); ++ fail("issuer DN comparison failed\n"); ++ } ++ gnutls_free(out.data); ++ ++ s = sizeof(buf); ++ ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ if (s != sizeof(ISSUER_UNIQUE_ID)-1 || ++ memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) { ++ fail("issuer unique id comparison failed\n"); ++ } ++ ++ s = sizeof(buf); ++ ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ if (s != sizeof(SUBJECT_UNIQUE_ID)-1 || ++ memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) { ++ fail("subject unique id comparison failed\n"); ++ } ++ ++ ret = gnutls_x509_crt_get_raw_dn(crt, &out); ++ if (ret < 0 || out.size == 0) ++ fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); ++ ++ if (out.size != 45 || ++ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { ++ fail("DN comparison failed\n"); ++ } ++ gnutls_free(out.data); ++ ++ assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); ++ ++ if (debug) ++ fprintf(stderr, "%s\n", out.data); ++ assert(out.size == saved_crt.size); ++ assert(memcmp(out.data, saved_crt.data, out.size)==0); ++ ++ gnutls_free(out.data); ++ ++ gnutls_x509_crt_deinit(crt); ++ gnutls_x509_crt_deinit(crt2); ++ gnutls_x509_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++} diff --git a/SOURCES/gnutls-3.3.8-no-libtasn1-check.patch b/SOURCES/gnutls-3.3.8-no-libtasn1-check.patch deleted file mode 100644 index 993cfc6..0000000 --- a/SOURCES/gnutls-3.3.8-no-libtasn1-check.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ur gnutls-3.3.8-orig/m4/hooks.m4 gnutls-3.3.8/m4/hooks.m4 ---- gnutls-3.3.8-orig/m4/hooks.m4 2014-09-18 07:54:45.000000000 +0200 -+++ gnutls-3.3.8/m4/hooks.m4 2014-09-18 19:08:19.223172863 +0200 -@@ -104,7 +104,7 @@ - included_libtasn1=$withval, - included_libtasn1=no) - if test "$included_libtasn1" = "no"; then -- PKG_CHECK_MODULES(LIBTASN1, [libtasn1 >= 3.9], [], [included_libtasn1=yes]) -+ PKG_CHECK_MODULES(LIBTASN1, [libtasn1 >= 3.8], [], [included_libtasn1=yes]) - if test "$included_libtasn1" = yes; then - AC_MSG_WARN([[ - *** -Only in gnutls-3.3.8/m4: hooks.m4~ diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 2934d88..3404620 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -2,12 +2,12 @@ %bcond_with guile Summary: A TLS protocol implementation Name: gnutls -Version: 3.3.24 -Release: 1%{?dist} +Version: 3.3.26 +Release: 9%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries -BuildRequires: p11-kit-devel >= 0.20.7, gettext +BuildRequires: p11-kit-devel >= 0.23.1, gettext BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.8 BuildRequires: libtool, automake, autoconf, texinfo BuildRequires: autogen-libopts-devel >= 5.18 autogen gettext-devel @@ -19,8 +19,9 @@ BuildRequires: fipscheck BuildRequires: softhsm, net-tools Requires: p11-kit-trust # The automatic dependency on libtasn1 and p11-kit is insufficient, -Requires: libtasn1 >= 3.8 -Requires: p11-kit >= 0.20.7 +Requires: libtasn1 >= 3.9 +Requires: p11-kit >= 0.23.1 +Requires: trousers >= 0.3.11.2 %if %{with dane} BuildRequires: unbound-devel unbound-libs %endif @@ -36,13 +37,21 @@ Source1: libgnutls-config Source2: hobble-gnutls Patch1: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.1.11-nosrp.patch -Patch3: gnutls-3.3.8-no-libtasn1-check.patch Patch4: gnutls-3.3.8-fips-key.patch Patch5: gnutls-3.3.8-padlock-disable.patch # In 3.3.8 we were shipping an early backport of a fix in GNUTLS_E_APPLICATION_DATA # behavior, which was using 3.4.0 semantics. We continue shipping to support # any applications depending on that. Patch6: gnutls-3.3.22-eapp-data.patch +Patch7: gnutls-3.3.26-dh-params-1024.patch +# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well) +Patch8: gnutls-3.3.26-fix-uninitialized.patch +Patch9: gnutls-3.3.26-fix-coverity-issues.patch +Patch10: gnutls-3.3.26-pin-value.patch +Patch11: gnutls-3.3.26-set-unique-id-tests.patch +Patch12: gnutls-3.3.26-fips-rsa-keygen.patch +Patch13: gnutls-3.3.26-cve-2017-7869.patch +Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -144,10 +153,17 @@ This package contains Guile bindings for the library. %patch1 -p1 -b .rpath %patch2 -p1 -b .nosrp -%patch3 -p1 -b .libtasn1 %patch4 -p1 -b .fips-key %patch5 -p1 -b .padlock-disable %patch6 -p1 -b .eapp-data +%patch7 -p1 -b .dh-1024 +%patch8 -p1 -b .fix-uninit +%patch9 -p1 -b .fix-coverity +%patch10 -p1 -b .pin-value +%patch11 -p1 -b .unique-id +%patch12 -p1 -b .rsa-keygen +%patch13 -p1 -b .openpgp-fixes +%patch14 -p1 -b .ocsp-ext-parse sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in @@ -169,6 +185,7 @@ export LDFLAGS="-Wl,--no-add-needed" --disable-openssl-compatibility \ --disable-srp-authentication \ --disable-non-suiteb-curves \ + --with-trousers-lib=%{_libdir}/libtspi.so.1 \ --enable-fips140-mode \ %if %{with guile} --enable-guile \ @@ -296,6 +313,26 @@ fi %endif %changelog +* Fri May 26 2017 Nikos Mavrogiannopoulos 3.3.26-9 +- Address crash in OCSP status request extension, by eliminating the + unneeded parsing (CVE-2017-7507, #1455828) + +* Wed Apr 26 2017 Nikos Mavrogiannopoulos 3.3.26-7 +- Address interoperability issue with 3.5.x (#1388932) +- Reject CAs which are both trusted and blacklisted in trust module (#1375303) +- Added new functions to set issuer and subject ID in certificates (#1378373) +- Reject connections with less than 1024-bit DH parameters (#1335931) +- Fix issue that made GnuTLS parse only the first 32 extensions (#1383748) +- Mention limitations of certtool in manpage (#1375463) +- Read PKCS#8 files with HMAC-SHA256 -as generated by openssl 1.1 (#1380642) +- Do not link directly to trousers but instead use dlopen (#1379739) +- Fix incorrect OCSP validation (#1377569) +- Added support for pin-value in PKCS#11 URIs (#1379283) +- Added the --id option to p11tool (#1399232) +- Improved sanity checks in RSA key generation (#1444780) +- Addressed CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, + CVE-2017-7869 + * Tue Jul 12 2016 Nikos Mavrogiannopoulos 3.3.24-1 - Addressed issue with DSA public keys smaller than 2^1024 (#1238279) - Addressed two-byte buffer overflow in the DTLS-0.9 protocol (#1209365)