From a8c6008b7d5b49c0f9c4654bed9d3836184aeed0 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Thu, 12 Oct 2017 09:26:40 +0100
Subject: [PATCH] Add patches from git master to fix TLS test suite with new GNUTLS
Signed-off-by: Daniel P. Berrange
---
 ...cert-generation-to-not-use-SHA1-algo.patch | 34 +++++++++++++++++++
 ...for-handshake-completion-in-TLS-test.patch | 34 +++++++++++++++++++
 ...ctory-used-by-test-io-channel-tls-te.patch | 34 +++++++++++++++++++
 qemu.spec | 3 ++
 4 files changed, 105 insertions(+)
 create mode 100644 1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
 create mode 100644 1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
 create mode 100644 1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
diff --git a/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch b/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
new file mode 100644
index 0000000..7815618
--- /dev/null
+++ b/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
@@ -0,0 +1,34 @@
+From 23c1595b0297e6ca8f37559af6f0b8533aa1fd99 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Tue, 29 Aug 2017 17:03:30 +0100
+Subject: [PATCH] crypto: fix test cert generation to not use SHA1 algorithm
+
+GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.
+Unfortunately the gnutls_x509_crt_sign() method we are
+using to create certificates in the test suite is fixed
+to always use SHA1. We must switch to a different method
+and explicitly ask for SHA256.
+
+Reviewed-by: Eric Blake
+Signed-off-by: Daniel P. Berrange
+---
+ tests/crypto-tls-x509-helpers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
+index 64073d3bd3..173d4e28fb 100644
+--- a/tests/crypto-tls-x509-helpers.c
++++ b/tests/crypto-tls-x509-helpers.c
+@@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
+ * If no 'ca' is set then we are self signing
+ * the cert. This is done for the root CA certs
+ */
+- err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
++ err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
++ GNUTLS_DIG_SHA256, 0);
+ if (err < 0) {
+ g_critical("Failed to sign certificate %s",
+ gnutls_strerror(err));
+--
+2.13.5
+
diff --git a/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch b/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
new file mode 100644
index 0000000..536119d
--- /dev/null
+++ b/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
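Review bot: The new `gnutls_x509_crt_sign2()` call hard-codes `GNUTLS_DIG_SHA256` with no comment, so a later reader sees a digest choice but not the constraint behind it — that `gnutls_x509_crt_sign()` is fixed to SHA1 and GnuTLS 3.6.0 rejects SHA1-signed certificates (stated only in the commit message, which does not travel with the code). A one-line comment above the call keeps that reasoning next to the code: `/* gnutls_x509_crt_sign() is hardwired to SHA1, which GnuTLS >= 3.6.0 rejects; ask for SHA256 explicitly */`. The trailing `0` is presumably the flags argument; naming it in the comment (`flags: none`) avoids it being misread as a key-usage or digest value. Because this helper mints the CA and leaf certificates that every TLS test trusts, any future digest policy change in GnuTLS will again surface here first, so the comment is worth the line. test_tls_generate_cert starts and ends outside the hunk.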
@@ -0,0 +1,34 @@
+From 689ed13e73bdb5a5ca3366524475e3065fae854a Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Tue, 29 Aug 2017 17:04:52 +0100
+Subject: [PATCH] io: fix check for handshake completion in TLS test
+
+The TLS I/O channel test had mistakenly used && instead
+of || when checking for handshake completion. As a
+result it could terminate the handshake process before
+it had actually completed. This was harmless before but
+changes in GNUTLS 3.6.0 exposed this bug and caused the
+test suite to fail.
+
+Reviewed-by: Eric Blake
+Signed-off-by: Daniel P. Berrange
+---
+ tests/test-io-channel-tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index ff96877323..a210d01ba5 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -218,7 +218,7 @@ static void test_io_channel_tls(const void *opaque)
+ mainloop = g_main_context_default();
+ do {
+ g_main_context_iteration(mainloop, TRUE);
+- } while (!clientHandshake.finished &&
++ } while (!clientHandshake.finished ||
+ !serverHandshake.finished);
+
+ g_assert(clientHandshake.failed == data->expectClientFail);
+--
+2.13.5
+
diff --git a/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch b/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
new file mode 100644
index 0000000..d4718ea
--- /dev/null
+++ b/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
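Review bot: The corrected loop now waits for both handshakes, which is right, but it has no upper bound: if either side never reaches `finished` — for instance one peer fails and the other keeps waiting for bytes that will never arrive — `g_main_context_iteration(mainloop, TRUE)` blocks indefinitely and the test hangs instead of failing. Whether the handshake callbacks set `finished` on every failure path is not visible in this hunk, so the hang is a possibility rather than a demonstrated defect. A guard source installed before the loop, `g_timeout_add_seconds(30, on_handshake_timeout, NULL);` with a callback that calls `g_assert_not_reached()`, turns a stuck handshake into a hard test failure with a clear location. The `expectClientFail` assertion immediately after the loop suggests failure paths are exercised, which makes a bounded wait more valuable. test_io_channel_tls starts before and continues past this hunk.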
@@ -0,0 +1,34 @@
+From d4adf9675801cd90e66ecfcd6a54ca1abc5a6698 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Fri, 21 Jul 2017 12:47:39 +0100
+Subject: [PATCH] io: fix temp directory used by test-io-channel-tls test
+
+The test-io-channel-tls test was mistakenly using two of the
+same directories as test-crypto-tlssession. This causes a
+sporadic failure when using make -j$BIGNUM.
+
+Reported-by: Dr. David Alan Gilbert
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Daniel P. Berrange
+---
+ tests/test-io-channel-tls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index 8eaa208e1b..ff96877323 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -127,8 +127,8 @@ static void test_io_channel_tls(const void *opaque)
+ /* We'll use this for our fake client-server connection */
+ g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
+
+-#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
+-#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
++#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
++#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
+ mkdir(CLIENT_CERT_DIR, 0700);
+ mkdir(SERVER_CERT_DIR, 0700);
+
+--
+2.13.5
+
diff --git a/qemu.spec b/qemu.spec
index f2bdef4..ab5f7b6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -157,6 +157,9 @@ Patch1012: 1012-scsi-file-posix-add-support-for-persistent-reservati.patch
 Patch1013: 1013-scsi-build-qemu-pr-helper.patch
 Patch1014: 1014-scsi-add-multipath-support-to-qemu-pr-helper.patch
 Patch1015: 1015-scsi-add-persistent-reservation-manager-using-qemu-p.patch
+Patch1016: 1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
+Patch1017: 1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
+Patch1018: 1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
 
 # documentation deps
 BuildRequires: texinfo
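Review bot: The two `mkdir(..., 0700)` calls that follow the renamed `CLIENT_CERT_DIR`/`SERVER_CERT_DIR` still discard their return value, while the `socketpair()` call two lines above is wrapped in `g_assert`; a failure other than EEXIST (EACCES, ENOENT for a missing `tests/` parent, ENOSPC) goes unnoticed here and shows up later as an opaque certificate-write or handshake error. Checking them the same way as socketpair keeps the test's error handling consistent: `g_assert(mkdir(CLIENT_CERT_DIR, 0700) == 0 || errno == EEXIST);` and the same for `SERVER_CERT_DIR`. The paths remain fixed and relative to the working directory, so renaming them removes the collision with test-crypto-tlssession but two concurrent runs of this test binary can still share the same directories and any stale key or certificate left by an aborted run is silently reused; `g_dir_make_tmp()` would give each run a private directory if that matters for this suite. test_io_channel_tls starts before and continues past this hunk.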