rpms
/
gnutls
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to 3.6.2-1 

- Update to upstream 3.6.2 release
This commit is contained in:
Nikos Mavrogiannopoulos 2018-02-16 12:58:33 +01:00
parent 68b93da7fa
commit 8e77a600be
8 changed files with 32 additions and 652 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -89,3 +89,6 @@ gnutls-2.10.1-nosrp.tar.bz2
/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
/gnutls-3.6.1.tar.xz.sig
/gnutls-3.6.1.tar.xz
/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
/gnutls-3.6.2.tar.xz.sig
/gnutls-3.6.2.tar.xz

20
gnutls-3.6.1-disable-pss-tests.patch Normal file
View File

@ -0,0 +1,20 @@
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index c85d878..614fcea 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -261,6 +261,7 @@ static const test_st tests[] = {
.key = &server_ca3_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA
},
+#if 0
{.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
.pk = GNUTLS_PK_RSA,
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
@@ -292,6 +293,7 @@ static const test_st tests[] = {
.exp_kx = GNUTLS_KX_ECDHE_RSA,
.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
},
+#endif
{.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
.pk = GNUTLS_PK_EDDSA_ED25519,
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",

284
gnutls-3.6.1-pkcs11-loading.patch
View File

@ -1,284 +0,0 @@
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index c3db2181a..52f7898b4 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -65,6 +65,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
#define GNUTLS_PKCS11_FLAG_MANUAL 0 /* Manual loading of libraries */
#define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
+#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1) /* Automatically load trusted libraries by reading /etc/gnutls/pkcs11.conf */
/* pkcs11.conf format:
* load = /lib/xxx-pkcs11.so
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 43a6b1321..16c582c6f 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1241,6 +1241,7 @@ GNUTLS_PRIVATE_3_4 {
_gnutls_mpi_log;
_gnutls_mpi_release;
# Internal symbols needed by tests/:
+ _gnutls_pkcs11_token_get_url;
_gnutls_pkcs12_string_to_key;
_gnutls_bin2hex;
_gnutls_mac_to_entry;
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e014a6b5f..e6e37c60c 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -108,7 +108,8 @@ struct find_cert_st {
static struct gnutls_pkcs11_provider_st providers[MAX_PROVIDERS];
static unsigned int active_providers = 0;
-static unsigned int providers_initialized = 0;
+
+static init_level_t providers_initialized = PROV_UNINITIALIZED;
static unsigned int pkcs11_forkid = 0;
static int _gnutls_pkcs11_reinit(void);
@@ -116,6 +117,8 @@ static int _gnutls_pkcs11_reinit(void);
gnutls_pkcs11_token_callback_t _gnutls_token_func;
void *_gnutls_token_data;
+static int auto_load(unsigned trusted);
+
int pkcs11_rv_to_err(ck_rv_t rv)
{
switch (rv) {
@@ -232,7 +235,8 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
/* initially check if this module is a duplicate */
for (i = 0; i < active_providers; i++) {
/* already loaded, skip the rest */
- if (module == providers[i].module) {
+ if (module == providers[i].module ||
+ memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
_gnutls_debug_log("p11: module %s is already loaded.\n", name);
return GNUTLS_E_INT_RET_0;
}
@@ -261,7 +265,7 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
* The output value of the callback will be returned if it is
* a negative one (indicating failure).
*/
-int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
+int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb)
{
int ret;
@@ -269,7 +273,7 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
if (ret != 0)
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
- if (providers_initialized != 0) {
+ if (providers_initialized >= req_level) {
ret = 0;
if (_gnutls_detect_fork(pkcs11_forkid)) {
@@ -288,10 +292,16 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
return ret;
- }
+ } else if (providers_initialized < req_level &&
+ (req_level == PROV_INIT_TRUSTED)) {
+ _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
+ ret = auto_load(1);
- _gnutls_debug_log("Initializing PKCS #11 modules\n");
- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ providers_initialized = PROV_INIT_TRUSTED;
+ } else {
+ _gnutls_debug_log("Initializing all PKCS #11 modules\n");
+ ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ }
gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
@@ -742,13 +752,13 @@ static void compat_load(const char *configfile)
return;
}
-static int auto_load(void)
+static int auto_load(unsigned trusted)
{
struct ck_function_list **modules;
int i, ret;
char* name;
- modules = p11_kit_modules_load_and_initialize(0);
+ modules = p11_kit_modules_load_and_initialize(trusted?P11_KIT_MODULE_TRUSTED:0);
if (modules == NULL) {
gnutls_assert();
_gnutls_debug_log
@@ -817,15 +827,21 @@ gnutls_pkcs11_init(unsigned int flags, const char *deprecated_config_file)
if (flags == GNUTLS_PKCS11_FLAG_MANUAL) {
/* if manual configuration is requested then don't
* bother loading any other providers */
- providers_initialized = 1;
+ providers_initialized = PROV_INIT_MANUAL;
return 0;
} else if (flags & GNUTLS_PKCS11_FLAG_AUTO) {
if (deprecated_config_file == NULL)
- ret = auto_load();
+ ret = auto_load(0);
compat_load(deprecated_config_file);
- providers_initialized = 1;
+ providers_initialized = PROV_INIT_ALL;
+
+ return ret;
+ } else if (flags & GNUTLS_PKCS11_FLAG_AUTO_TRUSTED) {
+ ret = auto_load(1);
+
+ providers_initialized = PROV_INIT_TRUSTED;
return ret;
}
@@ -918,7 +934,7 @@ void gnutls_pkcs11_deinit(void)
p11_kit_module_release(providers[i].module);
}
active_providers = 0;
- providers_initialized = 0;
+ providers_initialized = PROV_UNINITIALIZED;
gnutls_pkcs11_set_pin_function(NULL, NULL);
gnutls_pkcs11_set_token_function(NULL, NULL);
@@ -2177,11 +2193,18 @@ find_token_modname_cb(struct ck_function_list *module, struct pkcs11_session_inf
return 0;
}
+/* Internal symbol used by tests */
+int
+_gnutls_pkcs11_token_get_url(unsigned int seq,
+ gnutls_pkcs11_url_type_t detailed, char **url,
+ unsigned flags);
+
/**
- * gnutls_pkcs11_token_get_url:
+ * _gnutls_pkcs11_token_get_url:
* @seq: sequence number starting from 0
* @detailed: non zero if a detailed URL is required
* @url: will contain an allocated url
+ * @flags: zero or 1. When 1 no initialization is performed.
*
* This function will return the URL for each token available
* in system. The url has to be released using gnutls_free()
@@ -2190,16 +2213,18 @@ find_token_modname_cb(struct ck_function_list *module, struct pkcs11_session_inf
* %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
* exceeds the available tokens, otherwise a negative error value.
*
- * Since: 2.12.0
**/
int
-gnutls_pkcs11_token_get_url(unsigned int seq,
- gnutls_pkcs11_url_type_t detailed, char **url)
+_gnutls_pkcs11_token_get_url(unsigned int seq,
+ gnutls_pkcs11_url_type_t detailed, char **url,
+ unsigned flags)
{
int ret;
struct find_token_num tn;
- PKCS11_CHECK_INIT;
+ if (!(flags & 1)) {
+ PKCS11_CHECK_INIT;
+ }
memset(&tn, 0, sizeof(tn));
tn.seq = seq;
@@ -2224,6 +2249,28 @@ gnutls_pkcs11_token_get_url(unsigned int seq,
}
/**
+ * gnutls_pkcs11_token_get_url:
+ * @seq: sequence number starting from 0
+ * @detailed: non zero if a detailed URL is required
+ * @url: will contain an allocated url
+ *
+ * This function will return the URL for each token available
+ * in system. The url has to be released using gnutls_free()
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
+ * exceeds the available tokens, otherwise a negative error value.
+ *
+ * Since: 2.12.0
+ **/
+int
+gnutls_pkcs11_token_get_url(unsigned int seq,
+ gnutls_pkcs11_url_type_t detailed, char **url)
+{
+ return _gnutls_pkcs11_token_get_url(seq, detailed, url, 0);
+}
+
+/**
* gnutls_pkcs11_token_get_info:
* @url: should contain a PKCS 11 URL
* @ttype: Denotes the type of information requested
@@ -3173,7 +3220,11 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
int ret;
struct find_obj_data_st priv;
- PKCS11_CHECK_INIT;
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
+ PKCS11_CHECK_INIT_TRUSTED;
+ } else {
+ PKCS11_CHECK_INIT;
+ }
memset(&priv, 0, sizeof(priv));
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 2c2de3463..de9afbdee 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -82,7 +82,15 @@ struct gnutls_pkcs11_privkey_st {
* directly. It can be provided a callback function to run when a reinitialization
* occurs. */
typedef int (*pkcs11_reinit_function)(void *priv);
-int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
+
+typedef enum init_level_t {
+ PROV_UNINITIALIZED = 0,
+ PROV_INIT_MANUAL,
+ PROV_INIT_TRUSTED,
+ PROV_INIT_ALL
+} init_level_t;
+
+int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
#define FIX_KEY_USAGE(pk, usage) \
if (usage == 0) { \
@@ -93,12 +101,17 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
}
#define PKCS11_CHECK_INIT \
- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
+ if (ret < 0) \
+ return gnutls_assert_val(ret)
+
+#define PKCS11_CHECK_INIT_TRUSTED \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_TRUSTED, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(ret)
#define PKCS11_CHECK_INIT_RET(x) \
- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(x)
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 34fe47a38..afe831ee9 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -36,7 +36,7 @@
/* In case of a fork, it will invalidate the open session
* in the privkey and start another */
#define PKCS11_CHECK_INIT_PRIVKEY(k) \
- ret = _gnutls_pkcs11_check_init(k, reopen_privkey_session); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, k, reopen_privkey_session); \
if (ret < 0) \
return gnutls_assert_val(ret)

289
gnutls-3.6.1-pkcs11-loading2.patch
View File

@ -1,289 +0,0 @@
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e6e37c60c..e1aa64f19 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -267,20 +267,20 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
*/
int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb)
{
- int ret;
+ int ret, sret = 0;
ret = gnutls_mutex_lock(&_gnutls_pkcs11_mutex);
if (ret != 0)
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
- if (providers_initialized >= req_level) {
+ if (providers_initialized > PROV_UNINITIALIZED) {
ret = 0;
if (_gnutls_detect_fork(pkcs11_forkid)) {
/* if we are initialized but a fork is detected */
ret = _gnutls_pkcs11_reinit();
if (ret == 0) {
- ret = 1;
+ sret = 1;
if (cb) {
int ret2 = cb(priv);
if (ret2 < 0)
@@ -290,25 +290,60 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
}
}
- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
- return ret;
- } else if (providers_initialized < req_level &&
- (req_level == PROV_INIT_TRUSTED)) {
- _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
- ret = auto_load(1);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
- providers_initialized = PROV_INIT_TRUSTED;
- } else {
- _gnutls_debug_log("Initializing all PKCS #11 modules\n");
- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ /* Possible Transitions: PROV_UNINITIALIZED -> PROV_INIT_MANUAL -> PROV_INIT_MANUAL_TRUSTED
+ * PROV_UNINITIALIZED -> PROV_INIT_TRUSTED -> PROV_INIT_ALL
+ *
+ * request for PROV_INIT_TRUSTED may result to PROV_INIT_MANUAL_TRUSTED
+ * request for PROV_INIT_ALL may result to PROV_INIT_MANUAL or PROV_INIT_MANUAL_TRUSTED
+ */
+ switch(req_level) {
+ case PROV_UNINITIALIZED:
+ case PROV_INIT_MANUAL:
+ break;
+ case PROV_INIT_TRUSTED:
+ case PROV_INIT_MANUAL_TRUSTED:
+ if (providers_initialized < PROV_INIT_MANUAL_TRUSTED) {
+ _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
+ ret = auto_load(1);
+ if (ret < 0) {
+ gnutls_assert();
+ }
+
+ if (providers_initialized == PROV_INIT_MANUAL)
+ providers_initialized = PROV_INIT_MANUAL_TRUSTED;
+ else
+ providers_initialized = PROV_INIT_TRUSTED;
+
+ goto cleanup;
+ }
+ break;
+ case PROV_INIT_ALL:
+ if (providers_initialized == PROV_INIT_TRUSTED ||
+ providers_initialized == PROV_UNINITIALIZED) {
+ _gnutls_debug_log("Initializing all PKCS #11 modules\n");
+ ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ if (ret < 0) {
+ gnutls_assert();
+ }
+
+ providers_initialized = PROV_INIT_ALL;
+ goto cleanup;
+ }
+ break;
}
- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
+ ret = sret;
- if (ret < 0)
- return gnutls_assert_val(ret);
+ cleanup:
+ gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
- return 0;
+ return ret;
}
@@ -3220,11 +3255,7 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
int ret;
struct find_obj_data_st priv;
- if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
- PKCS11_CHECK_INIT_TRUSTED;
- } else {
- PKCS11_CHECK_INIT;
- }
+ PKCS11_CHECK_INIT_FLAGS(flags);
memset(&priv, 0, sizeof(priv));
@@ -3965,7 +3996,7 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
size_t id_size;
struct p11_kit_uri *info = NULL;
- PKCS11_CHECK_INIT;
+ PKCS11_CHECK_INIT_FLAGS(flags);
memset(&priv, 0, sizeof(priv));
@@ -4057,7 +4088,7 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *d
struct find_cert_st priv;
struct p11_kit_uri *info = NULL;
- PKCS11_CHECK_INIT;
+ PKCS11_CHECK_INIT_FLAGS(flags);
memset(&priv, 0, sizeof(priv));
@@ -4144,7 +4175,7 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
struct find_cert_st priv;
struct p11_kit_uri *info = NULL;
- PKCS11_CHECK_INIT;
+ PKCS11_CHECK_INIT_FLAGS(flags);
memset(&priv, 0, sizeof(priv));
@@ -4238,7 +4269,7 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
size_t serial_size;
struct p11_kit_uri *info = NULL;
- PKCS11_CHECK_INIT_RET(0);
+ PKCS11_CHECK_INIT_FLAGS_RET(flags, 0);
memset(&priv, 0, sizeof(priv));
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index de9afbdee..3ba9c5501 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -86,10 +86,14 @@ typedef int (*pkcs11_reinit_function)(void *priv);
typedef enum init_level_t {
PROV_UNINITIALIZED = 0,
PROV_INIT_MANUAL,
+ PROV_INIT_MANUAL_TRUSTED,
PROV_INIT_TRUSTED,
PROV_INIT_ALL
} init_level_t;
+/* See _gnutls_pkcs11_check_init() for possible Transitions.
+ */
+
int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
#define FIX_KEY_USAGE(pk, usage) \
@@ -101,20 +105,26 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
}
#define PKCS11_CHECK_INIT \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(ret)
-#define PKCS11_CHECK_INIT_TRUSTED \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_TRUSTED, NULL, NULL); \
+#define PKCS11_CHECK_INIT_RET(x) \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
+ if (ret < 0) \
+ return gnutls_assert_val(x)
+
+#define PKCS11_CHECK_INIT_FLAGS(f) \
+ ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(ret)
-#define PKCS11_CHECK_INIT_RET(x) \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
+#define PKCS11_CHECK_INIT_FLAGS_RET(f, x) \
+ ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(x)
+
/* thus function is called for every token in the traverse_tokens
* function. Once everything is traversed it is called with NULL tinfo.
* It should return 0 if found what it was looking for.
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index afe831ee9..fd1997c8c 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -36,7 +36,7 @@
/* In case of a fork, it will invalidate the open session
* in the privkey and start another */
#define PKCS11_CHECK_INIT_PRIVKEY(k) \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, k, reopen_privkey_session); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, k, reopen_privkey_session); \
if (ret < 0) \
return gnutls_assert_val(ret)
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 69fc0f2e6..7b375d61f 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -367,7 +367,7 @@ advance_iter(gnutls_x509_trust_list_t list,
if (list->pkcs11_token != NULL) {
if (iter->pkcs11_list == NULL) {
ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
- list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
+ list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -972,7 +972,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -1044,7 +1044,7 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -1105,7 +1105,7 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index fb9f9ce10..8c75b2641 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -188,6 +188,10 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
gnutls_pkcs11_obj_t *pcrt_list = NULL;
unsigned int pcrt_list_size = 0, i;
int ret;
+
+ /* here we don't use the flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
+ * as we want to explicitly load from any module available in the system.
+ */
ret =
gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
url,
@@ -323,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
*/
if (is_pkcs11_url_object(ca_file) != 0) {
return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
- } else { /* token */
+ } else { /* trusted token */
if (list->pkcs11_token != NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
list->pkcs11_token = gnutls_strdup(ca_file);
@@ -331,7 +335,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
/* enumerate the certificates */
ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
ca_file,
- (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
+ (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
0);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
return gnutls_assert_val(ret);

69
gnutls-3.6.1-pkcs11-tests.patch
View File

@ -1,69 +0,0 @@
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index ca16600130..c85d8789df 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -247,45 +247,52 @@ typedef struct test_st {
} test_st;
static const test_st tests[] = {
- {.name = "ecc key",
+ {.name = "tls1.2: ecc key",
.pk = GNUTLS_PK_ECDSA,
- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
.cert = &server_ca3_localhost_ecc_cert,
.key = &server_ca3_ecc_key,
.exp_kx = GNUTLS_KX_ECDHE_ECDSA
},
- {.name = "rsa-sign key",
+ {.name = "tls1.2: rsa-sign key",
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
.cert = &server_ca3_localhost_cert,
.key = &server_ca3_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA
},
- {.name = "rsa-sign key with rsa-pss sigs prioritized",
+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
.cert = &server_ca3_localhost_cert,
.key = &server_ca3_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA
},
- {.name = "rsa-pss-sign key",
+ {.name = "tls1.2: rsa-pss-sign key",
.pk = GNUTLS_PK_RSA_PSS,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
.cert = &server_ca3_rsa_pss2_cert,
.key = &server_ca3_rsa_pss2_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
.requires_pkcs11_pss = 1,
- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
},
- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
+ .cert = &server_ca3_rsa_pss_cert,
+ .key = &server_ca3_rsa_pss_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .requires_pkcs11_pss = 1,
+ },
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
.cert = &server_ca3_rsa_pss_cert,
.key = &server_ca3_rsa_pss_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
},
- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
.pk = GNUTLS_PK_EDDSA_ED25519,
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
.cert = &server_ca3_eddsa_cert,

13
gnutls.spec
View File

@ -1,11 +1,9 @@
# This spec file has been automatically updated
Version: 3.6.1
Release: 5%{?dist}
Version: 3.6.2
Release: 1%{?dist}
Patch1: gnutls-3.2.7-rpath.patch
Patch2: gnutls-3.4.2-no-now-guile.patch
Patch3: gnutls-3.6.1-pkcs11-loading.patch
Patch4: gnutls-3.6.1-pkcs11-loading2.patch
Patch5: gnutls-3.6.1-pkcs11-tests.patch
Patch3: gnutls-3.6.1-disable-pss-tests.patch
%bcond_without dane
%bcond_without guile
Summary: A TLS protocol implementation
@ -142,8 +140,6 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@ -274,6 +270,9 @@ fi
%endif
%changelog
* Fri Feb 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.2-1
- Update to upstream 3.6.2 release
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

BIN
gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
View File

Binary file not shown.

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c
SHA512 (gnutls-3.6.1.tar.xz.sig) = 6639c1a43202786345a0ac0daa47c5b0fb5c49c25d0d853a718d22dc4234c31201b5052508af7203751792426d949d7b3617064665bd2bd3b6a132c2cec36878
SHA512 (gnutls-3.6.1.tar.xz) = 1f2bd3203ea96844c531be700b44623b79f46743143edf97011aab07895ca18d62f1659c7fafc5e1c4b0686fde490836f00358bdd60d6ac0b842526db002da23
SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
SHA512 (gnutls-3.6.2.tar.xz.sig) = a1fc8acd0b48d046eda505b774e5e1a85dce8c8b2122069e6d257a50436e989cfdbc68aa294d14f98e3fec1ade129e8bd9b67b1d02f93a7a3fde5f5acb4b70d3
SHA512 (gnutls-3.6.2.tar.xz) = 6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06