From 519d7df72f647b48bdd09cafcf293d7490a0e286 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2019 22:11:35 +0000 Subject: import gnutls-3.3.29-9.el7_6
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..79f696e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/gnutls-3.3.29-hobbled.tar.xz
diff --git a/.gnutls.metadata b/.gnutls.metadata
new file mode 100644
index 0000000..17b46e5
--- /dev/null
+++ b/.gnutls.metadata
@@ -0,0 +1 @@
+0827e9992678c32b78364e83066062ebe1e6bdd0 SOURCES/gnutls-3.3.29-hobbled.tar.xz
diff --git a/SOURCES/gnutls-3.1.11-nosrp.patch b/SOURCES/gnutls-3.1.11-nosrp.patch
new file mode 100644
index 0000000..29227c0
--- /dev/null
+++ b/SOURCES/gnutls-3.1.11-nosrp.patch
@@ -0,0 +1,12 @@
+diff -up gnutls-3.1.10/tests/srp/mini-srp.c.noecc gnutls-3.1.10/tests/srp/mini-srp.c
+--- gnutls-3.1.10/tests/srp/mini-srp.c.noecc 2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/tests/srp/mini-srp.c 2013-03-25 13:42:20.753422209 +0100
+@@ -27,7 +27,7 @@
+ #include
+ #include
+
+-#if defined(_WIN32)
++#if defined(_WIN32) || !defined(ENABLE_SRP)
+
+ int main()
+ {
diff --git a/SOURCES/gnutls-3.2.7-rpath.patch b/SOURCES/gnutls-3.2.7-rpath.patch
new file mode 100644
index 0000000..4e6aed3
--- /dev/null
+++ b/SOURCES/gnutls-3.2.7-rpath.patch
@@ -0,0 +1,12 @@
+diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
+--- gnutls-3.2.7.orig/configure 2013-11-23 11:09:49.000000000 +0100
++++ gnutls-3.2.7/configure 2013-11-25 16:53:05.559440656 +0100
+@@ -39652,7 +39652,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+
diff --git a/SOURCES/gnutls-3.3.22-eapp-data.patch b/SOURCES/gnutls-3.3.22-eapp-data.patch
new file mode 100644
index 0000000..74bb486
--- /dev/null
+++ b/SOURCES/gnutls-3.3.22-eapp-data.patch
@@ -0,0 +1,27 @@
+diff --git b/lib/gnutls_handshake.c a/lib/gnutls_handshake.c
+index 5930941..e904f2e 100644
+--- b/lib/gnutls_handshake.c
++++ a/lib/gnutls_handshake.c
+@@ -2510,7 +2510,8 @@ static int _gnutls_recv_supplemental(gnutls_session_t session)
+ * are non fatal errors, only in the specific case of a rehandshake.
+ * Their meaning is that the client rejected the rehandshake request or
+ * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it could also mean that
+- * some data were pending.
++ * some data were pending. A client may receive that error code if
++ * it initiates the handshake and the server doesn't agreed.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
+ **/
+diff --git b/lib/gnutls_record.c a/lib/gnutls_record.c
+index 157d12a..40c20fe 100644
+--- b/lib/gnutls_record.c
++++ a/lib/gnutls_record.c
+@@ -837,7 +837,7 @@ record_add_to_buffers(gnutls_session_t session,
+ * reasons). Otherwise it is an unexpected packet
+ */
+ if (type == GNUTLS_ALERT
+- || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
++ || ((htype == GNUTLS_HANDSHAKE_SERVER_HELLO || htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ && type == GNUTLS_HANDSHAKE)) {
+ /* even if data is unexpected put it into the buffer */
+ _gnutls_record_buffer_put(session, recv->type,
diff --git a/SOURCES/gnutls-3.3.26-dh-params-1024.patch b/SOURCES/gnutls-3.3.26-dh-params-1024.patch
new file mode 100644
index 0000000..ce91678
--- /dev/null
+++ b/SOURCES/gnutls-3.3.26-dh-params-1024.patch
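Review bot: The widened test in record_add_to_buffers now buffers unexpected data while `htype == GNUTLS_HANDSHAKE_SERVER_HELLO`, but the comment above it, only partly visible in this hunk, appears to describe the earlier case only. A line next to the new test such as `/* also when a client waiting for ServerHello receives application data, i.e. the server declined the handshake */` would record why the client side is accepted; confirm the wording against the full comment. In the gnutls_handshake doc comment, "the server doesn't agreed" should read "the server does not agree". Both functions start and end outside the hunks.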
@@ -0,0 +1,31 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index c5998ab..ffefce1 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -684,7 +684,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ func(&priority_cache->supported_ecc, supported_ecc_normal);
+
+ SET_PROFILE(GNUTLS_PROFILE_LOW); /* set certificate level */
+- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); /* set DH params level */
++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); /* set DH params level */
+ return 1;
+ } else if (strcasecmp(level, LEVEL_NORMAL) == 0) {
+ func(&priority_cache->cipher, cipher_priority_normal);
+@@ -694,7 +694,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ func(&priority_cache->supported_ecc, supported_ecc_normal);
+
+ SET_PROFILE(GNUTLS_PROFILE_LOW);
+- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW);
+ return 1;
+ } else if (strcasecmp(level, LEVEL_PFS) == 0) {
+ func(&priority_cache->cipher, cipher_priority_normal);
+@@ -704,7 +704,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ func(&priority_cache->supported_ecc, supported_ecc_normal);
+
+ SET_PROFILE(GNUTLS_PROFILE_LOW);
+- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW);
+ return 1;
+ } else if (strcasecmp(level, LEVEL_SECURE256) == 0
+ || strcasecmp(level, LEVEL_SECURE192) == 0) {
diff --git a/SOURCES/gnutls-3.3.26-dh-params-1024.patch b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
new file mode 100644
index 0000000..1708a23
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-bring-back-hmac-sha256.patch
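Review bot: The three `SET_LEVEL(GNUTLS_SEC_PARAM_LOW)` edits in check_level raise the minimum DH parameter level for the branch that ends before LEVEL_NORMAL and for the LEVEL_NORMAL and LEVEL_PFS branches, yet nothing in the hunks states the resulting size or that peers offering smaller parameters will now be refused. Only the first call carries a comment. I would repeat `/* set DH params level */` on the other two and name the floor once, e.g. `/* LOW instead of WEAK: raises the smallest accepted DH prime (1024 bits, judging by the patch file name) */`. No test pinning the new floor is part of this patch, and check_level starts and ends outside the hunks.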
@@ -0,0 +1,62 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index f3e19105f..ff13d3720 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -492,6 +492,7 @@ static const int sign_priority_secure192[] = {
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ GNUTLS_MAC_MD5,
+ 0
+ };
+@@ -499,6 +500,7 @@ static const int mac_priority_normal_default[] = {
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+@@ -527,11 +529,13 @@ static const int mac_priority_suiteb192[] = {
+ static const int mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+ static const int mac_priority_secure192[] = {
+ GNUTLS_MAC_AEAD,
++ GNUTLS_MAC_SHA256,
+ 0
+ };
+
+diff --git a/tests/priorities.c b/tests/priorities.c
+index 46221fcc0..0593279de 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
+
+ void doit(void)
+ {
+- const int normal = 41;
+- const int null = 4;
+- const int sec128 = 36;
++ const int normal = 57;
++ const int null = 5;
++ const int sec128 = 52;
+
+ try_prio("NORMAL", normal, 9);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1);
+ try_prio("PERFORMANCE", normal, 9);
+- try_prio("SECURE256", 10, 4);
++ try_prio("SECURE256", 16, 4);
+ try_prio("SECURE128", sec128, 8);
+ try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
diff --git a/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
new file mode 100644
index 0000000..67fe0d1
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch
@@ -0,0 +1,28 @@
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 65dde6899..8b34472b7 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -659,7 +659,11 @@ ciphertext_to_compressed(gnutls_session_t session,
+ * Note that we access all 256 bytes of ciphertext for padding check
+ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+- if (ver->id != GNUTLS_SSL3)
++ if (ver->id == GNUTLS_SSL3) {
++ if (pad >= blocksize)
++ pad_failed = 1;
++ } else
++ {
+ for (i = 2; i <= MIN(256, ciphertext->size); i++) {
+ tmp_pad_failed |=
+ (compressed->
+@@ -667,6 +671,7 @@ ciphertext_to_compressed(gnutls_session_t session,
+ pad_failed |=
+ ((i <= (1 + pad)) & (tmp_pad_failed));
+ }
++ }
+
+ if (unlikely
+ (pad_failed != 0
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
new file mode 100644
index 0000000..5fb1f31
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-cli-sni-hostname.patch
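Review bot: GNUTLS_MAC_SHA256 returns to four MAC priority arrays in gnutls-3.3.29-bring-back-hmac-sha256.patch while GNUTLS_MAC_SHA384 stays out, and no comment in the arrays says why the two are treated differently. The index line shows this patch applies on top of gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch, which removed both without a comment either, so the reasoning is recorded only in the patch file names. A short comment above `mac_priority_normal_default`, e.g. `/* HMAC-SHA384 is deliberately absent from the default MAC lists; see the packaging changelog */`, would keep a later rebase from re-adding it by accident. The updated counts in tests/priorities.c (57, 5, 52, 10, 16) are bare literals as well; a note on how they are derived would make the next change to these lists easier to check.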
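Review bot: The new SSL 3.0 branch in ciphertext_to_compressed tests `pad`, a value taken from the decrypted record, with an `if`, inside a block whose comment says the padding check is written to avoid a timing channel. The TLS branch accumulates with `|=` and no conditional; the SSL 3.0 check can follow the same pattern with `pad_failed |= (pad >= blocksize);`. Whether the compiler emits a branch for the current form cannot be told from the patch, so treat this as hardening. The `} else` followed by `{` on its own line also leaves the loop body at its old indentation, which makes the new block harder to read. The function starts and ends outside the hunks.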
@@ -0,0 +1,37 @@
+diff --git a/src/cli-args.def b/src/cli-args.def
+index c661f458b..11d66ae8a 100644
+--- a/src/cli-args.def
++++ b/src/cli-args.def
+@@ -80,6 +80,13 @@ flag = {
+ doc = "Connect, establish a session and rehandshake immediately.";
+ };
+
++flag = {
++ name = sni-hostname;
++ descrip = "Server's hostname for server name indication extension";
++ arg-type = string;
++ doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used.";
++};
++
+ flag = {
+ name = starttls;
+ value = s;
+diff --git a/src/cli.c b/src/cli.c
+index 82d8e1166..f3d159a29 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -638,7 +638,10 @@ static gnutls_session_t init_tls_session(const char *hostname)
+ /* allow the use of private ciphersuites.
+ */
+ if (disable_extensions == 0 && disable_sni == 0) {
+- if (hostname != NULL && is_ip(hostname) == 0)
++ if (HAVE_OPT(SNI_HOSTNAME)) {
++ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
++ OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME)));
++ } else if (hostname != NULL && is_ip(hostname) == 0)
+ gnutls_server_name_set(session, GNUTLS_NAME_DNS,
+ hostname, strlen(hostname));
+ }
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-disable-failing-tests.patch b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch
new file mode 100644
index 0000000..0e60891
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-disable-failing-tests.patch
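Review bot: The return value of `gnutls_server_name_set` is discarded in the new `HAVE_OPT(SNI_HOSTNAME)` branch of init_tls_session, so a value the library rejects presumably leaves the session without the requested server name and without any message. Because the string comes straight from the command line, the call should be checked, e.g. `if (gnutls_server_name_set(session, GNUTLS_NAME_DNS, OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME))) < 0)` followed by an error message and exit. The option value also bypasses the `is_ip()` test applied to `hostname`; if that is intended for testing, the option's `doc` string should say so. The function continues outside the hunk.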
@@ -0,0 +1,59 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index e8cdcd30d..039d6cc1c 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -887,8 +887,9 @@ write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key"
+ generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
+
+-generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
+-delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
++# Disabled: generation of ECC key without login is not supported in gnutls_3_3_x
++#generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
++#delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
+
+ generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384
+@@ -911,24 +912,30 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+
+-write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++# Disabled: certificates are marked as private in gnutls_3_3_x
++#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+ write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
+ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+-write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+-test_sign "${TOKEN}" "${GNUTLS_PIN}"
++# Disabled: --load-pubkey is not supported in gnutls_3_3_x
++#write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++# Disabled: --test-sign is not supported in gnutls_3_3_x
++#test_sign "${TOKEN}" "${GNUTLS_PIN}"
+
+-use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++# Disabled: Cannot test without written certificates (write_certificate_test)
++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+
+-write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+-write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+-write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++# Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
++#write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++#write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++#write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+
+ test_delete_cert "${TOKEN}" "${GNUTLS_PIN}"
+
+-test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
++# Disabled: --test-sign is not supported in gnutls_3_3_x
++#test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
+
+ if test ${RETCODE} = 0; then
+ echo "* All smart cards tests succeeded"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
new file mode 100644
index 0000000..21cdc68
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-do-not-mark-object-as-private.patch
@@ -0,0 +1,47 @@
+diff --git a/src/p11tool.c b/src/p11tool.c
+index 2abf23a27..a6fce78e3 100644
+--- a/src/p11tool.c
++++ b/src/p11tool.c
+@@ -68,7 +68,7 @@ int main(int argc, char **argv)
+ }
+
+ static
+-unsigned opt_to_flags(void)
++unsigned opt_to_flags(common_info_st *cinfo)
+ {
+ unsigned flags = 0;
+
+@@ -78,6 +78,12 @@ unsigned opt_to_flags(void)
+ } else {
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
+ }
++ } else { /* if not given mark as private the private objects, and public the public ones */
++ if (cinfo->privkey)
++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
++ else if (cinfo->pubkey || cinfo->cert)
++ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
++ /* else set the defaults of the token */
+ }
+
+ if (ENABLED_OPT(MARK_TRUSTED))
+@@ -166,8 +172,6 @@ static void cmd_parser(int argc, char **argv)
+
+ memset(&cinfo, 0, sizeof(cinfo));
+
+- flags = opt_to_flags();
+-
+ if (HAVE_OPT(SECRET_KEY))
+ cinfo.secret_key = OPT_ARG(SECRET_KEY);
+
+@@ -227,6 +231,8 @@ static void cmd_parser(int argc, char **argv)
+ sec_param = OPT_ARG(SEC_PARAM);
+ }
+
++ flags = opt_to_flags(&cinfo);
++
+ if (debug > 4) {
+ if (HAVE_OPT(MARK_PRIVATE))
+ fprintf(stderr, "Private: %s\n",
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
new file mode 100644
index 0000000..08a35ae
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-do-not-run-sni-hostname-windows.patch
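Review bot: `opt_to_flags` now reads `cinfo->privkey`, `cinfo->pubkey` and `cinfo->cert`, so it gives the intended default only when called after cmd_parser has filled `cinfo`, and nothing at the function or at the moved call says so. A comment at the call, `/* must follow the cinfo assignments above: the default privacy flag depends on them */`, would stop a later edit from moving it back up. Whether `flags` is read between the old call site and the new one is not visible in these hunks and is worth checking. The precedence deserves a word too: when both a private key and a certificate are given, the new branch marks the object private.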
@@ -0,0 +1,20 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d249d405f..6dc63758d 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -156,7 +156,11 @@ endif
+ endif
+
+ check_PROGRAMS = $(ctests)
+-dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh
++dist_check_SCRIPTS = rfc2253-escape-test
++
++if !WINDOWS
++dist_check_SCRIPTS += sni-hostname.sh
++endif
+
+ TESTS = $(ctests) $(dist_check_SCRIPTS)
+
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
new file mode 100644
index 0000000..7a60fe4
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-dummy-wait-account-len-field.patch
@@ -0,0 +1,52 @@
+diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
+index 0527ca4f1..a39acd49f 100644
+--- a/lib/algorithms/mac.c
++++ b/lib/algorithms/mac.c
+@@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = {
+ {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1,
+ 64},
+ {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1,
+- 64},
++ 128},
+ {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1,
+ 64},
+ {"UMAC-96", NULL, NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0},
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 58ce79775..37478a4c3 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -440,7 +440,7 @@ static void dummy_wait(record_parameters_st * params,
+ {
+ /* this hack is only needed on CBC ciphers */
+ if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
+- unsigned len;
++ unsigned len, v;
+
+ /* force an additional hash compression function evaluation to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+@@ -448,11 +448,14 @@ static void dummy_wait(record_parameters_st * params,
+ if (pad_failed == 0 && pad > 0) {
+ len = _gnutls_mac_block_size(params->mac);
+ if (len > 0) {
+- /* This is really specific to the current hash functions.
+- * It should be removed once a protocol fix is in place.
+- */
+- if ((pad + total) % len > len - 9
+- && total % len <= len - 9) {
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if ((pad + total) % len > len - v
++ && total % len <= len - v) {
+ if (len < plaintext->size)
+ _gnutls_auth_cipher_add_auth
+ (¶ms->read.
+--
+2.14.3
+
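Review bot: In dummy_wait the 17-byte allowance is selected only for `GNUTLS_MAC_SHA384`, although this same patch sets the block size of both SHA384 and SHA512 to 128 in `hash_algorithms`; SHA-512 uses the same 16-byte length field, so a SHA512 MAC would be handled with `v = 9`. Keying the choice on the block size covers both: `v = (len == 128) ? 17 : 9;`. The `params->mac` NULL test also comes after `_gnutls_mac_block_size(params->mac)` has already been called with that pointer, so it is either redundant or too late; the helper is outside the hunk. The same SHA384-only test is carried over unchanged into gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch.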
diff --git a/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
new file mode 100644
index 0000000..9044547
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch
@@ -0,0 +1,90 @@
+diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
+index 37478a4c3..65dde6899 100644
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session,
+ return length;
+ }
+
+-static void dummy_wait(record_parameters_st * params,
+- gnutls_datum_t * plaintext, unsigned pad_failed,
+- unsigned int pad, unsigned total)
++static void dummy_wait(record_parameters_st *params,
++ gnutls_datum_t *plaintext,
++ unsigned int mac_data, unsigned int max_mac_data)
+ {
+ /* this hack is only needed on CBC ciphers */
+ if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
+- unsigned len, v;
++ unsigned v;
++ unsigned int tag_size =
++ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
++ unsigned hash_block = _gnutls_mac_block_size(params->mac);
+
+- /* force an additional hash compression function evaluation to prevent timing
++ /* force additional hash compression function evaluations to prevent timing
+ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
+ */
+- if (pad_failed == 0 && pad > 0) {
+- len = _gnutls_mac_block_size(params->mac);
+- if (len > 0) {
+- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
+- /* v = 1 for the hash function padding + 16 for message length */
+- v = 17;
+- else /* v = 1 for the hash function padding + 8 for message length */
+- v = 9;
+-
+- if ((pad + total) % len > len - v
+- && total % len <= len - v) {
+- if (len < plaintext->size)
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data, len);
+- else
+- _gnutls_auth_cipher_add_auth
+- (¶ms->read.
+- cipher_state,
+- plaintext->data,
+- plaintext->size);
+- }
++ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
++ /* v = 1 for the hash function padding + 16 for message length */
++ v = 17;
++ else /* v = 1 for the hash function padding + 8 for message length */
++ v = 9;
++
++ if (hash_block > 0) {
++ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
++ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
++ unsigned to_hash;
++
++ max_blocks -= hashed_blocks;
++ if (max_blocks < 1)
++ return;
++
++ to_hash = max_blocks * hash_block;
++ if ((unsigned)to_hash+1+tag_size < plaintext->size) {
++ _gnutls_auth_cipher_add_auth
++ (¶ms->read.cipher_state,
++ plaintext->data+plaintext->size-tag_size-to_hash-1,
++ to_hash);
+ }
+ }
+ }
+@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session,
+ if (unlikely
+ (memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
+ /* HMAC was not the same. */
+- dummy_wait(params, compressed, pad_failed, pad,
+- length + preamble_size);
++ gnutls_datum_t data = {compressed->data, ciphertext->size};
++
++ dummy_wait(params, &data, length + preamble_size,
++ preamble_size + ciphertext->size - tag_size - 1);
+
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ }
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
new file mode 100644
index 0000000..02be442
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch
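Review bot: `max_blocks` and `hashed_blocks` in the rewritten dummy_wait are declared `int` but are computed from and multiplied with `unsigned` values, and `(unsigned)to_hash` casts a variable that is already unsigned. Declaring both as `unsigned` and testing `if (max_blocks <= hashed_blocks) return;` before `max_blocks -= hashed_blocks;` removes the signed/unsigned mix. At the call site, `preamble_size + ciphertext->size - tag_size - 1` wraps if `preamble_size + ciphertext->size` can be below `tag_size + 1`; the length check that rules this out is not visible in the hunk and should be confirmed. A header comment defining `mac_data` and `max_mac_data` would document the new contract of the function.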
@@ -0,0 +1,70 @@
+--- a/lib/crypto-selftests-pk.c 2019-02-06 14:49:44.807422315 +0100
++++ b/lib/crypto-selftests-pk.c 2019-02-06 14:56:40.311049707 +0100
+@@ -731,30 +731,9 @@
+ goto cleanup;
+ }
+
+- if (all == 0)
+- return 0;
+ #endif
+
+ /* Test ECDSA */
+-#ifdef ENABLE_NON_SUITEB_CURVES
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
+- ecdsa_secp192r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
+- GNUTLS_DIG_SHA256);
+-
+- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+- GNUTLS_CURVE_TO_BITS
+- (GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
+- ecdsa_secp224r1_sig);
+- PK_TEST(GNUTLS_PK_EC, test_sig,
+- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
+- GNUTLS_DIG_SHA256);
+-#endif
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP256R1),
+@@ -764,6 +743,9 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
+ GNUTLS_DIG_SHA256);
+
++ if (all == 0)
++ return 0;
++
+ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
+ GNUTLS_CURVE_TO_BITS
+ (GNUTLS_ECC_CURVE_SECP384R1),
+@@ -782,6 +764,26 @@
+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
+ GNUTLS_DIG_SHA512);
+
++#ifdef ENABLE_NON_SUITEB_CURVES
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
++ ecdsa_secp192r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
++ GNUTLS_DIG_SHA256);
++
++ PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
++ GNUTLS_CURVE_TO_BITS
++ (GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
++ ecdsa_secp224r1_sig);
++ PK_TEST(GNUTLS_PK_EC, test_sig,
++ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
++ GNUTLS_DIG_SHA256);
++#endif
++
+ break;
+
+ default:
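Review bot: The early `if (all == 0) return 0;` now sits after the SECP256R1 tests instead of before the ECDSA section, and no comment explains why one ECDSA known-answer test has to run in the short self-test. A line above it, `/* the short (all == 0) run must still include one ECDSA KAT */`, would keep the order from being changed back. The secp192r1 and secp224r1 tests move below that return, so they run only when `all` is non-zero. The bare `return 0` also leaves without passing the `cleanup` label used a few lines earlier, which is worth confirming is safe at this point; the enclosing function lies outside the hunks.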
diff --git a/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
new file mode 100644
index 0000000..11087f4
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch
@@ -0,0 +1,82 @@
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 4fdd58f39..68ee2960a 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -2368,6 +2368,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ /* First check for pin-value field */
+ pinfile = p11_kit_uri_get_pin_value(info);
+ if (pinfile != NULL) {
++ if (attempts > 0) {
++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
++ }
++
+ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
+ *pin = p11_kit_pin_new_for_string(pinfile);
+ if (*pin != NULL)
+@@ -2376,6 +2381,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ /* Check if a pinfile is specified, and use that if possible */
+ pinfile = p11_kit_uri_get_pin_source(info);
+ if (pinfile != NULL) {
++ if (attempts > 0) {
++ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
++ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
++ }
++
+ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
+ ret =
+ retrieve_pin_from_source(pinfile, token_info, attempts,
+diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
+index e43591927..ecc98175d 100644
+--- a/tests/pkcs11/pkcs11-import-with-pin.c
++++ b/tests/pkcs11/pkcs11-import-with-pin.c
+@@ -157,6 +157,16 @@ void doit()
+ assert(gnutls_privkey_init(&pkey) == 0);
+
+ /* Test 1
++ * Try importing with wrong pin-value */
++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
++ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++ exit(1);
++ }
++ gnutls_privkey_deinit(pkey);
++ assert(gnutls_privkey_init(&pkey) == 0);
++
++ /* Test 2
+ * Try importing with pin-value */
+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
+ if (ret < 0) {
+@@ -169,13 +179,26 @@ void doit()
+ gnutls_free(sig.data);
+ gnutls_privkey_deinit(pkey);
+
+- /* Test 2
+- * Try importing with pin-source */
++ /* Test 3
++ * Try importing with wrong pin-source */
+ track_temp_files();
+ get_tmpname(file);
+
+- write_pin(file, PIN);
++ write_pin(file, "XXXX");
++
++ assert(gnutls_privkey_init(&pkey) == 0);
++ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
++ ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
++ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++ exit(1);
++ }
++
++ gnutls_privkey_deinit(pkey);
+
++ /* Test 4
++ * Try importing with pin-source */
++ write_pin(file, PIN);
+
+ assert(gnutls_privkey_init(&pkey) == 0);
+ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
new file mode 100644
index 0000000..21f5c00
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-re-enable-check-cert-write.patch
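Review bot: The two `attempts > 0` guards in retrieve_pin stop a second try with a PIN taken from the URI, but the reason is not written down; presumably a fixed `pin-value` or `pin-source` cannot change between tries, so a retry only uses up the token's retry counter. A comment on the first guard, `/* a PIN fixed in the URI cannot improve on retry; stop before the token locks */`, would make that explicit once the intent is confirmed with the author. The log text "more than a single attempts" should read "more than a single attempt" in both messages. In the test, `assert(gnutls_privkey_init(&pkey) == 0)` puts a required call inside `assert`, which disappears in an NDEBUG build; the file already does this in its context lines.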
@@ -0,0 +1,29 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 039d6cc1c..7c2776760 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -912,8 +912,7 @@ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: certificates are marked as private in gnutls_3_3_x
+-#write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
+ write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
+ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
+
+@@ -923,9 +922,8 @@ write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.cr
+ # Disabled: --test-sign is not supported in gnutls_3_3_x
+ #test_sign "${TOKEN}" "${GNUTLS_PIN}"
+
+-# Disabled: Cannot test without written certificates (write_certificate_test)
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
+-#use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
+
+ # Disabled: certificates do not inherit its ID from privkey in gnutls_3_3_x
+ #write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
new file mode 100644
index 0000000..21c7c8d
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch
@@ -0,0 +1,69 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index c5998abe6..f3e19105f 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -491,8 +491,6 @@ static const int sign_priority_secure192[] = {
+
+ static const int mac_priority_normal_default[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ GNUTLS_MAC_MD5,
+ 0
+@@ -500,8 +498,6 @@ static const int mac_priority_normal_default[] = {
+
+ static const int mac_priority_normal_fips[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+@@ -530,15 +526,11 @@ static const int mac_priority_suiteb192[] = {
+
+ static const int mac_priority_secure128[] = {
+ GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+
+ static const int mac_priority_secure192[] = {
+- GNUTLS_MAC_SHA256,
+- GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_AEAD,
+ 0
+ };
+diff --git a/tests/priorities.c b/tests/priorities.c
+index f22b08b62..46221fcc0 100644
+--- a/tests/priorities.c
++++ b/tests/priorities.c
+@@ -100,18 +100,18 @@ try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers)
+
+ void doit(void)
+ {
+- const int normal = 61;
+- const int null = 5;
+- const int sec128 = 56;
++ const int normal = 41;
++ const int null = 4;
++ const int sec128 = 36;
+
+ try_prio("NORMAL", normal, 9);
+ try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal, 9);
+ try_prio("NORMAL:+CIPHER-ALL", normal, 9); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal + null, 10); /* should be null + all */
+- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 10, 1); /* should be null + all */
++ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 5, 1);
+ try_prio("PERFORMANCE", normal, 9);
+- try_prio("SECURE256", 20, 4);
++ try_prio("SECURE256", 10, 4);
+ try_prio("SECURE128", sec128, 8);
+ try_prio("SECURE128:+SECURE256", sec128, 8); /* should be the same as SECURE128 */
+ try_prio("SECURE128:+SECURE256:+NORMAL", normal, 9); /* should be the same as NORMAL */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
new file mode 100644
index 0000000..63d1f7b
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-large-key-resumption.patch
@@ -0,0 +1,11 @@
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1734,7 +1734,7 @@
+ /* session resuming support */
+
+ #define SESSION_ID_SIZE 32
+-#define SESSION_DATA_SIZE 1024
++#define SESSION_DATA_SIZE (16*1024)
+
+ typedef struct {
+ char session_id[SESSION_ID_SIZE];
diff --git a/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
new file mode 100644
index 0000000..2722790
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-sni-hostname.patch
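Review bot: `SESSION_DATA_SIZE` grows from 1024 to `(16*1024)` in src/serv.c, and the struct that begins in the last context lines holds fixed-size `char` arrays, so if it also embeds a buffer of `SESSION_DATA_SIZE` bytes each cache entry becomes sixteen times larger. The rest of the struct and the store callback are outside the hunk; it is worth confirming that the total cache allocation is still acceptable and that the store path rejects data longer than `SESSION_DATA_SIZE` instead of truncating it. A comment on the define, `/* large enough for sessions carrying big keys or certificate chains */`, would record why 16 KiB was chosen.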
@@ -0,0 +1,157 @@
+diff --git a/src/serv-args.def b/src/serv-args.def
+index 44b67f1ab..027737772 100644
+--- a/src/serv-args.def
++++ b/src/serv-args.def
+@@ -8,6 +8,19 @@ detail = "Server program that listens to incoming TLS connections.";
+
+ #include args-std.def
+
++flag = {
++ name = sni-hostname;
++ descrip = "Server's hostname for server name extension";
++ arg-type = string;
++ doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
++};
++
++flag = {
++ name = sni-hostname-fatal;
++ descrip = "Send fatal alert on sni-hostname mismatch";
++ doc = "";
++};
++
+ flag = {
+ name = noticket;
+ descrip = "Don't accept session tickets";
+diff --git a/src/serv.c b/src/serv.c
+index a1f9adfa8..f5ff48786 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -49,6 +49,8 @@
+ #include "sockets.h"
+ #include "udp-serv.h"
+
++#define _GNUTLS_E_UNRECOGNIZED_NAME -294
++
+ /* konqueror cannot handle sending the page in multiple
+ * pieces.
+ */
+@@ -81,6 +83,8 @@ const char *dh_params_file = NULL;
+ const char *x509_crlfile = NULL;
+ const char *priorities = NULL;
+ const char *status_response_ocsp = NULL;
++const char *sni_hostname = NULL;
++int sni_hostname_fatal = 0;
+
+ gnutls_datum_t session_ticket_key;
+ static void tcp_server(const char *name, int port);
+@@ -312,6 +316,83 @@ int ret;
+ return 0;
+ }
+
++/* callback used to verify if the host name advertised in client hello matches
++ * the one configured in server
++ */
++static int
++post_client_hello(gnutls_session_t session)
++{
++ int ret;
++ /* DNS names (only type supported) may be at most 256 byte long */
++ char *name;
++ size_t len = 256;
++ unsigned int type;
++ int i;
++
++ name = malloc(len);
++ if (name == NULL)
++ return GNUTLS_E_MEMORY_ERROR;
++
++ for (i=0; ; ) {
++ ret = gnutls_server_name_get(session, name, &len, &type, i);
++ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
++ char *new_name;
++ new_name = realloc(name, len);
++ if (new_name == NULL) {
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto end;
++ }
++ name = new_name;
++ continue; /* retry call with same index */
++ }
++
++ /* check if it is the last entry in list */
++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ i++;
++ if (ret != GNUTLS_E_SUCCESS)
++ goto end;
++ /* unknown types need to be ignored */
++ if (type != GNUTLS_NAME_DNS)
++ continue;
++
++ if (strlen(sni_hostname) != len)
++ continue;
++ /* API guarantees that the name of type DNS will be null terminated */
++ if (!strncmp(name, sni_hostname, len)) {
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++ };
++ /* when there is no extension, we can't send the extension specific alert */
++ if (i == 0) {
++ fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
++ ret = GNUTLS_E_SUCCESS;
++ goto end;
++ }
++
++ if (sni_hostname_fatal == 1) {
++ /* abort the connection, propagate error up the stack */
++ ret = _GNUTLS_E_UNRECOGNIZED_NAME;
++ goto end;
++ }
++
++
fprintf(stderr, "Warning: client provided unrecognized host name\n");
++ /* since we just want to send an alert, not abort the connection, we
++ * need to send it ourselves
++ */
++ do {
++ ret = gnutls_alert_send(session,
++ GNUTLS_AL_WARNING,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
++
++ /* continue handshake, fall through */
++end:
++ free(name);
++ return ret;
++}
++
+ gnutls_session_t initialize_session(int dtls)
+ {
+ gnutls_session_t session;
+@@ -343,6 +424,10 @@ gnutls_session_t initialize_session(int dtls)
+ &session_ticket_key);
+ #endif
+
++ if (sni_hostname != NULL)
++ gnutls_handshake_set_post_client_hello_function(session,
++ &post_client_hello);
++
+ if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
+ fprintf(stderr, "Syntax error at: %s\n", err);
+ exit(1);
+@@ -1629,6 +1714,12 @@ static void cmd_parser(int argc, char **argv)
+ if (HAVE_OPT(OCSP_RESPONSE))
+ status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
+
++ if (HAVE_OPT(SNI_HOSTNAME))
++ sni_hostname = OPT_ARG(SNI_HOSTNAME);
++
++ if (HAVE_OPT(SNI_HOSTNAME_FATAL))
++ sni_hostname_fatal = 1;
++
+ }
+
+ /* session resuming support */
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-serv-unrec-name.patch b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
new file mode 100644
index 0000000..6991d66
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-serv-unrec-name.patch
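Review bot: The name match in `post_client_hello` is `strncmp(name, sni_hostname, len)`, which is case-sensitive, whereas RFC 6066 section 3 says DNS host names in the server_name extension are case-insensitive. A client that sends the configured name in different letter case is therefore treated as unrecognized, and with `sni-hostname-fatal` set its handshake is aborted. `if (!strncasecmp(name, sni_hostname, len)) {` would fix it, assuming `<strings.h>` is already included by serv.c, which the hunk does not show. Separately, `#define _GNUTLS_E_UNRECOGNIZED_NAME -294` should be parenthesised as `(-294)` and commented as a locally chosen error number, since nothing visible here keeps it from coinciding with a code the library itself returns.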
@@ -0,0 +1,41 @@
+diff --git a/src/serv.c b/src/serv.c
+index f5ff48786..8c7c92a92 100644
+--- a/src/serv.c
++++ b/src/serv.c
+@@ -1278,6 +1278,15 @@ int main(int argc, char **argv)
+ return 0;
+ }
+
++int _gnutls_alert_send_appropriate (gnutls_session_t session, int err)
++{
++ if (err == _GNUTLS_E_UNRECOGNIZED_NAME)
++ return gnutls_alert_send(session,
++ GNUTLS_AL_FATAL,
++ GNUTLS_A_UNRECOGNIZED_NAME);
++ return gnutls_alert_send_appropriate(session, err);
++}
++
+ static void retry_handshake(listener_item *j)
+ {
+ int r, ret;
+@@ -1293,7 +1302,7 @@ static void retry_handshake(listener_item *j)
+ GERR(r);
+
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ } else if (r == 0) {
+ if (gnutls_session_is_resumed(j->tls_session) != 0 && verbose != 0)
+@@ -1326,7 +1335,7 @@ int r, ret;
+
+ if (r < 0) {
+ do {
+- ret = gnutls_alert_send_appropriate(j->tls_session, r);
++ ret = _gnutls_alert_send_appropriate(j->tls_session, r);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ GERR(r);
+ j->http_state = HTTP_STATE_CLOSING;
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-testpkcs11.patch b/SOURCES/gnutls-3.3.29-testpkcs11.patch
new file mode 100644
index 0000000..e98f53f
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-testpkcs11.patch
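Review bot: `_gnutls_alert_send_appropriate` is defined with external linkage and a `_gnutls_` prefix, the same pattern the library's own internal functions use, so it reads as a library symbol and could clash with one in a static link. The hunk shows it called only from the two changed call sites in serv.c, so `static int serv_alert_send_appropriate(gnutls_session_t session, int err)` (the name is only a suggestion) would be the safer declaration. It also needs a short comment saying that it maps the local `_GNUTLS_E_UNRECOGNIZED_NAME` code to a fatal `unrecognized_name` alert and defers every other error to `gnutls_alert_send_appropriate`. The second call site sits in a function whose start is outside the hunk.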
@@ -0,0 +1,1916 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 6dc63758d..e0d86abfd 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -36,7 +36,13 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ + certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ + certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ + certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ +- cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c ++ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c \ ++ testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ ++ testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \ ++ testpkcs11-certs/client.key testpkcs11-certs/server.crt \ ++ testpkcs11-certs/server-tmpl testpkcs11-certs/ca.key \ ++ testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl \ ++ testpkcs11-certs/server.key + + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = \ +@@ -160,6 +166,9 @@ dist_check_SCRIPTS = rfc2253-escape-test + + if !WINDOWS + dist_check_SCRIPTS += sni-hostname.sh ++if ENABLE_PKCS11 ++dist_check_SCRIPTS += testpkcs11.sh ++endif + endif + + TESTS = $(ctests) $(dist_check_SCRIPTS) +diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh +index 9c9c3fb3a..4615770f6 100644 +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -19,11 +19,61 @@ + # along with this file; if not, write to the Free Software Foundation, + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +-# due to the use of $RANDOM, this script requires bash ++export TZ="UTC" ++ ++# Check for a utility to list ports. Both ss and netstat will list ++# ports for normal users, and have similar semantics, so put the ++# command in the caller's PFCMD, or exit, indicating an unsupported ++# test. Prefer ss from iproute2 over the older netstat. 
++have_port_finder() { ++ for file in $(which ss 2> /dev/null) /*bin/ss /usr/*bin/ss /usr/local/*bin/ss;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ ++ if test -z "$PFCMD";then ++ for file in $(which netstat 2> /dev/null) /bin/netstat /usr/bin/netstat /usr/local/bin/netstat;do ++ if test -x "$file";then ++ PFCMD="$file";return 0 ++ fi ++ done ++ fi ++ ++ if test -z "$PFCMD";then ++ echo "neither ss nor netstat found" ++ exit 1 ++ fi ++} ++ ++check_if_port_in_use() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -an|grep "[\:\.]$PORT" >/dev/null 2>&1 ++} ++ ++check_if_port_listening() { ++ local PORT="$1" ++ local PFCMD; have_port_finder ++ $PFCMD -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++} + +-GETPORT='rc=0;while test $rc = 0;do PORT="$(((($$<<15)|RANDOM) % 63001 + 2000))"; +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1; +- rc=$?;done;' ++# Find a port number not currently in use. ++GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//) ++ while test $rc = 0;do ++ PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))" ++ check_if_port_in_use $PORT;rc=$? ++ done ++' ++ ++check_for_datefudge() { ++ TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true` ++ if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then ++ echo $TSTAMP ++ echo "You need datefudge to run this test" ++ exit 77 ++ fi ++} + + fail() { + PID="$1" +@@ -33,6 +83,30 @@ fail() { + exit 1 + } + ++exit_if_non_x86() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Architecture|grep x86 ++ if test $? != 0;then ++ echo "non-x86 CPU detected" ++ exit 0 ++ fi ++fi ++} ++ ++exit_if_non_padlock() ++{ ++which lscpu >/dev/null 2>&1 ++if test $? = 0;then ++ $(which lscpu)|grep Flags|grep phe ++ if test $? 
!= 0;then ++ echo "non-Via padlock CPU detected" ++ exit 0 ++ fi ++fi ++} ++ + wait_for_port() + { + local ret +@@ -40,10 +114,10 @@ wait_for_port() + sleep 4 + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1 ++ check_if_port_listening ${PORT} + ret=$? + if test $ret != 0;then +- netstat -anl|grep "[\:\.]$PORT" ++ check_if_port_in_use ${PORT} + echo try $i + sleep 2 + else +@@ -59,7 +133,7 @@ wait_for_free_port() + local PORT="$1" + + for i in 1 2 3 4 5 6;do +- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1 ++ check_if_port_in_use ${PORT} + ret=$? + if test $ret != 0;then + break +@@ -75,7 +149,7 @@ launch_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 & ++ ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null & + } + + launch_pkcs11_server() { +@@ -94,7 +168,7 @@ launch_bare_server() { + shift + + wait_for_free_port ${PORT} +- ${SERV} $* >/dev/null 2>&1 & ++ ${SERV} $* >/dev/null & + } + + wait_server() { +@@ -114,3 +188,10 @@ wait_udp_server() { + sleep 4 + } + ++if test -x /usr/bin/lockfile-create;then ++LOCKFILE="lockfile-create global" ++UNLOCKFILE="lockfile-remove global" ++else ++LOCKFILE="lockfile global.lock" ++UNLOCKFILE="rm -f global.lock" ++fi +diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am +index 794a4bace..dae42a7ef 100644 +--- a/tests/suite/Makefile.am ++++ b/tests/suite/Makefile.am +@@ -86,11 +86,10 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \ + + + nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \ +- testpkcs11 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \ + testrng test-ciphersuite-names + + TESTS = test-ciphersuite-names eagain testsrn testcompat chain invalid-cert \ +- testpkcs11 testrng test-ciphersuite-names ++ testrng test-ciphersuite-names + + if ENABLE_PKCS11 + TESTS += crl-test +diff --git a/tests/testpkcs11-certs/ca-tmpl b/tests/testpkcs11-certs/ca-tmpl +new file mode 100644 
+index 000000000..5bf462d1e +--- /dev/null ++++ b/tests/testpkcs11-certs/ca-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=CA,C=CZ" ++ ++# The serial number of the certificate ++serial = 1 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. ++crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/ca.crt b/tests/testpkcs11-certs/ca.crt +new file mode 100644 +index 000000000..e39ee41f7 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.crt +@@ -0,0 +1,15 @@ ++-----BEGIN CERTIFICATE----- ++MIICUjCCAbugAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI0NTRaGA8yMDIwMTIxMzA4MjQ1NFow ++GjELMAkGA1UEAxMCQ0ExCzAJBgNVBAYTAkNaMIGfMA0GCSqGSIb3DQEBAQUAA4GN ++ADCBiQKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijfjS88 ++4kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qGeOAu ++R+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQABo4Gj ++MIGgMA8GA1UdEwEB/wQFMAMBAf8wGAYDVR0RBBEwD4ENbm9uZUBub25lLm9yZzAT ++BgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQS ++DtpREkBWrvQcbcyhsD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3 ++LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBzRzkYVGhl0ltc ++iVvXModMh9cb1TcUrc2nhfEh63u5ZF1/8MJPaMMLw3FZmGc5B8lNYOoWiSqK/Ark ++iO9chPwqRKWY8n52USgGDcUNRxbwCa2vOQg9cdSWIcdt18W5mtJ3hz+CDaT8ZH8t ++sVW/i5eG6O7o3rZGSwbcC1pgIWZqCw== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/ca.key b/tests/testpkcs11-certs/ca.key +new file mode 100644 +index 000000000..62f5bfae3 +--- /dev/null ++++ b/tests/testpkcs11-certs/ca.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a8:a2:6a:fe:92:24:6d:c7:ef:dd:a0:5d:85:45: ++ 23:b1:a8:1b:ae:2d:b7:29:2b:92:b0:c6:d6:24:f3: ++ 62:fc:31:0c:f3:26:28:df:8d:2f:3c:e2:40:a2:8e: ++ 54:7a:76:a0:f4:a0:34:bb:d2:78:0d:a2:08:36:b8: ++ 88:27:d5:27:cb:4d:38:17:c3:fb:fa:c3:f9:cc:9c: ++ c2:18:67:e7:8f:ac:5e:56:0f:5a:86:78:e0:2e:47: ++ ea:ad:b3:86:38:ad:f6:fd:61:bf:2c:5c:83:dd:ba: ++ 2e:c7:7a:5a:a2:98:96:95:78:cc:40:60:9b:2a:44: ++ 14:a2:c4:34:a9:61:b9:04:87: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 08:f8:4a:b4:ab:d5:60:39:88:5a:c3:92:f5:e9:cd: ++ 92:3f:9c:e9:50:e9:33:39:6c:1e:17:15:80:f5:a9: ++ 
48:3c:db:b1:7b:50:25:43:ff:45:3f:cb:ac:59:e1: ++ c8:79:d2:e9:f0:33:9d:e1:fe:1c:cb:87:a0:51:84: ++ 7c:89:ec:09:e0:3d:c9:df:ca:43:d9:c1:79:3c:47: ++ f7:8e:71:bf:a5:6e:11:87:0d:d9:2e:5a:5d:a0:d3: ++ ba:5b:9c:23:db:33:54:5f:a2:2f:db:28:05:9d:07: ++ a4:d4:76:0e:ef:d1:f9:c3:f9:21:01:ad:06:4c:9d: ++ 59:14:09:37:91:df:86:01: ++ ++prime1: ++ 00:d6:e8:07:49:7f:a6:6a:d7:f3:76:84:4b:a9:cb: ++ 91:66:8a:c8:07:54:29:25:1d:e4:70:dd:2c:fd:ff: ++ dc:c6:0c:24:75:4f:a0:ca:82:e2:b6:3b:8b:f0:7b: ++ 37:c3:97:be:6c:b3:5f:91:a6:c0:56:48:aa:aa:3a: ++ d9:12:24:b7:81: ++ ++prime2: ++ 00:c8:e1:50:40:9b:7e:34:9c:44:88:1e:16:4b:bf: ++ 04:0f:a6:b0:2b:9d:2f:a2:84:29:96:54:35:69:68: ++ 6f:a2:a7:2b:8a:de:e9:9e:0e:6f:b3:cf:d8:af:68: ++ 33:52:a6:e4:b5:d1:21:d0:6b:d2:d2:a6:af:97:62: ++ 44:fe:b8:00:07: ++ ++coefficient: ++ 75:16:b8:48:0b:61:9a:a9:78:b1:72:93:94:51:54: ++ c1:07:69:b8:b1:dc:61:4a:f5:ef:b7:9c:f5:07:74: ++ 0d:8e:1a:a2:51:ea:00:91:ef:05:75:42:53:4d:6a: ++ e3:f5:de:07:a5:55:5f:8b:37:58:55:2b:43:ef:b2: ++ d0:38:a8:89: ++ ++exp1: ++ 00:c9:b9:60:e5:b7:e1:b1:56:e5:dc:70:d0:49:20: ++ a1:6a:3c:89:08:80:12:63:19:cd:0d:b8:3e:fc:69: ++ 48:85:ca:6e:0a:83:e5:2d:52:70:96:98:0c:82:7e: ++ 56:d8:cd:3e:5c:f0:7e:9b:cc:87:ac:36:67:a4:84: ++ ba:af:92:31:81: ++ ++exp2: ++ 65:0a:d8:78:36:fe:8b:6e:13:16:b8:b3:94:54:37: ++ b1:bb:b1:9f:ae:88:18:62:0c:1d:1e:ac:63:21:f2: ++ 0d:49:b3:20:3e:32:1a:9b:be:5a:1e:f1:2a:81:ea: ++ 56:e7:b5:e1:32:99:a4:a1:a7:c0:e7:b1:29:1f:77: ++ fe:fc:04:9f: ++ ++ ++Public Key ID: 12:0E:DA:51:12:40:56:AE:F4:1C:6D:CC:A1:B0:3D:28:61:7E:33:01 ++Public key's random art: +++--[ RSA 1024]----+ ++|.E*++.o | ++|oo *.B . | ++|..++O * | ++| o.*oB . | ++| o + o S | ++| . 
| ++| | ++| | ++| | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijf ++jS884kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qG ++eOAuR+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQAB ++AoGACPhKtKvVYDmIWsOS9enNkj+c6VDpMzlsHhcVgPWpSDzbsXtQJUP/RT/LrFnh ++yHnS6fAzneH+HMuHoFGEfInsCeA9yd/KQ9nBeTxH945xv6VuEYcN2S5aXaDTuluc ++I9szVF+iL9soBZ0HpNR2Du/R+cP5IQGtBkydWRQJN5HfhgECQQDW6AdJf6Zq1/N2 ++hEupy5FmisgHVCklHeRw3Sz9/9zGDCR1T6DKguK2O4vwezfDl75ss1+RpsBWSKqq ++OtkSJLeBAkEAyOFQQJt+NJxEiB4WS78ED6awK50vooQpllQ1aWhvoqcrit7png5v ++s8/Yr2gzUqbktdEh0GvS0qavl2JE/rgABwJBAMm5YOW34bFW5dxw0EkgoWo8iQiA ++EmMZzQ24PvxpSIXKbgqD5S1ScJaYDIJ+VtjNPlzwfpvMh6w2Z6SEuq+SMYECQGUK ++2Hg2/otuExa4s5RUN7G7sZ+uiBhiDB0erGMh8g1JsyA+Mhqbvloe8SqB6lbnteEy ++maShp8DnsSkfd/78BJ8CQHUWuEgLYZqpeLFyk5RRVMEHabix3GFK9e+3nPUHdA2O ++GqJR6gCR7wV1QlNNauP13gelVV+LN1hVK0PvstA4qIk= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/client-tmpl b/tests/testpkcs11-certs/client-tmpl +new file mode 100644 +index 000000000..a22eef84b +--- /dev/null ++++ b/tests/testpkcs11-certs/client-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Client,C=CZ" ++ ++# The serial number of the certificate ++serial = 3 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++#dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++#ip_address = "192.168.1.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++#tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++#encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/client.crt b/tests/testpkcs11-certs/client.crt +new file mode 100644 +index 000000000..6f75590d2 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdDCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MjdaGA8yMDIwMTIxMzA4MjUyN1ow ++HjEPMA0GA1UEAxMGQ2xpZW50MQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEAvQRIzvKyhr3tqmB4Pe+91DWSFayaNtcrDIT597bhxugVYW8o ++jB206kx5aknAMA3PQGYcGqkLrt+nsJcmOIXDZsC6P4zeOSsF1PPhDAoX3bkUr2lF ++MEt374eKdg1yvyhRxt4DOR6aD4gkC7fVtaYdgV6yXpJGMHV05LBIgQ7QtykCAwEA ++AaOBwTCBvjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1Ud ++EQQRMA+BDW5vbmVAbm9uZS5vcmcwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU ++Dbinh11GaaJcTyOpmxPYuttsiGowHwYDVR0jBBgwFoAUEg7aURJAVq70HG3MobA9 ++KGF+MwEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl ++dGNybC8wDQYJKoZIhvcNAQELBQADgYEAN/Henso+5zzuFQWTpJXlUsWtRQAFhRY3 ++WVt3xtnyPs4pF/LKBp3Ov0GLGBkz5YlyJGFNESSyUviMsH7g7rJM8i7Bph6BQTE9 ++XdqbZPc0opfms4EHjmlXj5HQ0f0yoxHnLk43CR+vmbn0JPuurnEKAwjznAJR8GxI ++R2MRyMxdGqs= ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/client.key b/tests/testpkcs11-certs/client.key +new file mode 100644 +index 000000000..9277bdfd8 +--- /dev/null ++++ b/tests/testpkcs11-certs/client.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:bd:04:48:ce:f2:b2:86:bd:ed:aa:60:78:3d:ef: ++ bd:d4:35:92:15:ac:9a:36:d7:2b:0c:84:f9:f7:b6: ++ e1:c6:e8:15:61:6f:28:8c:1d:b4:ea:4c:79:6a:49: ++ c0:30:0d:cf:40:66:1c:1a:a9:0b:ae:df:a7:b0:97: ++ 26:38:85:c3:66:c0:ba:3f:8c:de:39:2b:05:d4:f3: ++ e1:0c:0a:17:dd:b9:14:af:69:45:30:4b:77:ef:87: ++ 8a:76:0d:72:bf:28:51:c6:de:03:39:1e:9a:0f:88: ++ 24:0b:b7:d5:b5:a6:1d:81:5e:b2:5e:92:46:30:75: ++ 74:e4:b0:48:81:0e:d0:b7:29: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
00:a5:eb:b1:e2:00:07:98:e1:f6:53:de:35:0e:e1: ++ 79:78:63:c2:25:c6:8a:e4:e3:02:46:0e:20:c3:43: ++ 45:73:ee:5c:7e:58:2e:76:b8:c9:0b:f7:2f:89:8e: ++ cd:e7:20:e8:32:36:b0:2a:f3:03:6f:71:a2:e9:0f: ++ f5:9c:1e:47:84:54:2b:67:12:e3:f4:20:80:7f:54: ++ 81:63:f4:41:4a:6f:8f:89:e8:83:24:64:87:b5:2b: ++ 5b:25:55:c5:b6:e8:1d:c9:a0:a9:68:0d:2d:1f:06: ++ ac:46:6a:96:93:96:16:24:fe:7f:e4:00:c7:bf:37: ++ fe:48:6f:3f:94:0b:36:9e:81: ++ ++prime1: ++ 00:dd:8b:ef:a9:f3:e9:7a:97:6f:50:2f:d4:93:ff: ++ 0b:6d:52:b4:2c:64:d2:bb:6c:a7:ca:5d:5f:31:ba: ++ 2c:f6:59:09:34:57:5f:3c:cd:f5:2b:a0:c7:7a:ac: ++ e2:20:64:a8:58:24:a3:02:c3:7f:7b:c5:7b:31:4e: ++ de:81:6b:48:f9: ++ ++prime2: ++ 00:da:69:4a:53:be:3d:36:07:58:a7:8e:58:4e:cd: ++ 90:cd:72:54:7c:40:89:ab:fd:3a:8b:6d:d0:9c:b0: ++ 00:7f:11:6a:b7:f2:4e:e0:81:8b:23:09:3f:c4:6f: ++ f7:6d:06:b1:c8:83:63:87:72:c7:43:01:24:5d:2d: ++ 88:7f:b9:1b:b1: ++ ++coefficient: ++ 30:19:e0:d7:bd:0f:0d:96:b0:65:64:00:82:2a:9d: ++ 6c:52:a6:89:a6:db:89:e3:7f:10:c3:3b:5b:97:73: ++ ea:13:af:fc:4c:3e:72:5e:da:cb:b7:d4:b6:2c:d0: ++ 05:c3:58:bb:2d:59:2c:50:1f:08:6d:03:53:ba:ec: ++ 15:ec:b6:08: ++ ++exp1: ++ 00:d0:6d:4e:54:3d:bc:72:30:f5:f0:22:8f:83:8c: ++ 76:5b:ab:6b:06:38:f4:68:8f:98:6b:b1:dc:55:14: ++ 2a:28:b9:2b:07:ab:0b:56:51:0d:4e:b6:3b:f5:15: ++ a0:c7:88:eb:37:c1:7f:fa:a1:a1:d5:f7:bc:26:6f: ++ 64:b5:ad:11:41: ++ ++exp2: ++ 2a:a6:b1:0b:15:75:62:9d:a0:a4:67:d9:ba:d9:cd: ++ d3:30:e6:6a:b5:37:ad:4c:70:28:56:33:8c:c5:99: ++ f3:36:75:7e:a2:64:e0:d6:ab:53:16:35:4b:a9:09: ++ ca:52:aa:59:1b:bf:4d:ee:0e:17:79:9b:9e:4e:8b: ++ ff:55:28:a1: ++ ++ ++Public Key ID: 0D:B8:A7:87:5D:46:69:A2:5C:4F:23:A9:9B:13:D8:BA:DB:6C:88:6A ++Public key's random art: +++--[ RSA 1024]----+ ++| | ++| . . . | ++| . * * | ++| + = X . | ++| . B S = | ++| . O o | ++| ...* o | ++| E. .+.o | ++|o. 
ooo | +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXQIBAAKBgQC9BEjO8rKGve2qYHg9773UNZIVrJo21ysMhPn3tuHG6BVhbyiM ++HbTqTHlqScAwDc9AZhwaqQuu36ewlyY4hcNmwLo/jN45KwXU8+EMChfduRSvaUUw ++S3fvh4p2DXK/KFHG3gM5HpoPiCQLt9W1ph2BXrJekkYwdXTksEiBDtC3KQIDAQAB ++AoGBAKXrseIAB5jh9lPeNQ7heXhjwiXGiuTjAkYOIMNDRXPuXH5YLna4yQv3L4mO ++zecg6DI2sCrzA29xoukP9ZweR4RUK2cS4/QggH9UgWP0QUpvj4nogyRkh7UrWyVV ++xbboHcmgqWgNLR8GrEZqlpOWFiT+f+QAx783/khvP5QLNp6BAkEA3YvvqfPpepdv ++UC/Uk/8LbVK0LGTSu2ynyl1fMbos9lkJNFdfPM31K6DHeqziIGSoWCSjAsN/e8V7 ++MU7egWtI+QJBANppSlO+PTYHWKeOWE7NkM1yVHxAiav9Oott0JywAH8RarfyTuCB ++iyMJP8Rv920GsciDY4dyx0MBJF0tiH+5G7ECQQDQbU5UPbxyMPXwIo+DjHZbq2sG ++OPRoj5hrsdxVFCoouSsHqwtWUQ1Otjv1FaDHiOs3wX/6oaHV97wmb2S1rRFBAkAq ++prELFXVinaCkZ9m62c3TMOZqtTetTHAoVjOMxZnzNnV+omTg1qtTFjVLqQnKUqpZ ++G79N7g4XeZueTov/VSihAkAwGeDXvQ8NlrBlZACCKp1sUqaJptuJ438Qwztbl3Pq ++E6/8TD5yXtrLt9S2LNAFw1i7LVksUB8IbQNTuuwV7LYI ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11-certs/server-tmpl b/tests/testpkcs11-certs/server-tmpl +new file mode 100644 +index 000000000..23103b4a9 +--- /dev/null ++++ b/tests/testpkcs11-certs/server-tmpl +@@ -0,0 +1,67 @@ ++# X.509 Certificate options ++# ++# DN options ++ ++dn = "cn=Server,C=CZ" ++ ++# The serial number of the certificate ++serial = 2 ++ ++# In how many days, counting from today, this certificate will expire. ++expiration_days = 2590 ++ ++# X.509 v3 extensions ++ ++# A dnsname in case of a WWW server. ++dns_name = "localhost" ++#dns_name = "www.morethanone.org" ++ ++# An IP address in case of a server. ++ip_address = "127.0.0.1" ++ ++#dns_name = "www.evenmorethanone.org" ++ ++# An email in case of a person ++email = "none@none.org" ++ ++# An URL that has CRLs (certificate revocation lists) ++# available. Needed in CA certificates. 
++#crl_dist_points = "http://www.getcrl.crl/getcrl/" ++ ++#email = "where@none.org" ++ ++# Whether this is a CA certificate or not ++#ca ++ ++# Whether this certificate will be used for a TLS client ++#tls_www_client ++ ++# Whether this certificate will be used for a TLS server ++tls_www_server ++ ++# Whether this certificate will be used to sign data (needed ++# in TLS DHE ciphersuites). ++signing_key ++ ++# Whether this certificate will be used to encrypt data (needed ++# in TLS RSA ciphersuites). Note that it is preferred to use different ++# keys for encryption and signing. ++encryption_key ++ ++# Whether this key will be used to sign other certificates. ++#cert_signing_key ++ ++# Whether this key will be used to sign CRLs. ++#crl_signing_key ++ ++# Whether this key will be used to sign code. ++#code_signing_key ++ ++# Whether this key will be used to sign OCSP data. ++#ocsp_signing_key ++ ++# Whether this key will be used for time stamping. ++#time_stamping_key ++ ++# Whether this key will be used for IPsec IKE operations. 
++#ipsec_ike_key +diff --git a/tests/testpkcs11-certs/server.crt b/tests/testpkcs11-certs/server.crt +new file mode 100644 +index 000000000..694a0101f +--- /dev/null ++++ b/tests/testpkcs11-certs/server.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICdjCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL ++MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MDJaGA8yMDIwMTIxMzA4MjUwMlow ++HjEPMA0GA1UEAxMGU2VydmVyMQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF ++AAOBjQAwgYkCgYEApf9FBAZadRuU0AGrH4xgNh5V5tFDErTba2bF8b7USLRUzETm +++qBW87I6QXWDFsZlvyyzrpINmpbG3UNr3cVLgT7DLC2ct5nZFT4j25BYswcr0V5C ++00BAz6NUcuTzY0e0iN+H80H/mUr3Xu5r9wJca1LGTspBF1NOTNoAunlSm3cCAwEA ++AaOBwzCBwDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA ++ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW ++BBSsHXo5y3IXlGZsdERzQJFEwKBDfTAfBgNVHSMEGDAWgBQSDtpREkBWrvQcbcyh ++sD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwv ++Z2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBG1omwPssQQPTLd4WeCQyuM/Yj1kOO ++VwFOATVs2+XELAGg6GVrSS302+JKdW51j+11NpIMgJfgaeRdZkgBNR4uOi1okOQh ++Asm8TC3ex3v1rxZdunp0wBQ/H/ox4zMM5Ds8ITtQNeUwXqUj3tPorTWFEsNegTnY ++WmV1jslH8fZ4Fg== ++-----END CERTIFICATE----- +diff --git a/tests/testpkcs11-certs/server.key b/tests/testpkcs11-certs/server.key +new file mode 100644 +index 000000000..56e48735a +--- /dev/null ++++ b/tests/testpkcs11-certs/server.key +@@ -0,0 +1,94 @@ ++Public Key Info: ++ Public Key Algorithm: RSA ++ Key Security Level: Weak (1024 bits) ++ ++modulus: ++ 00:a5:ff:45:04:06:5a:75:1b:94:d0:01:ab:1f:8c: ++ 60:36:1e:55:e6:d1:43:12:b4:db:6b:66:c5:f1:be: ++ d4:48:b4:54:cc:44:e6:fa:a0:56:f3:b2:3a:41:75: ++ 83:16:c6:65:bf:2c:b3:ae:92:0d:9a:96:c6:dd:43: ++ 6b:dd:c5:4b:81:3e:c3:2c:2d:9c:b7:99:d9:15:3e: ++ 23:db:90:58:b3:07:2b:d1:5e:42:d3:40:40:cf:a3: ++ 54:72:e4:f3:63:47:b4:88:df:87:f3:41:ff:99:4a: ++ f7:5e:ee:6b:f7:02:5c:6b:52:c6:4e:ca:41:17:53: ++ 4e:4c:da:00:ba:79:52:9b:77: ++ ++public exponent: ++ 01:00:01: ++ ++private exponent: ++ 
55:76:38:45:1b:34:45:28:9f:13:fc:57:ea:d5:2d: ++ cf:8f:0c:b0:da:3a:0b:0e:7c:0d:2e:8b:68:ab:d3: ++ c5:5e:ba:6d:b4:67:aa:cf:14:15:41:44:46:e1:46: ++ 4d:5a:75:95:d8:60:e5:d6:a2:14:5d:de:22:9a:8c: ++ 95:4f:f7:4f:cd:eb:65:a0:29:35:b1:16:b7:c2:74: ++ f1:a4:45:43:6c:77:59:37:b3:cb:43:60:80:29:5e: ++ b6:99:60:9a:12:4d:2b:54:2e:c3:3a:76:96:7d:72: ++ b1:72:24:f1:2a:2d:ff:99:92:1e:bb:55:f1:58:6e: ++ 64:08:36:26:4b:b2:c6:99: ++ ++prime1: ++ 00:c7:65:44:0f:4e:6b:51:cd:d4:0b:84:9c:a9:30: ++ 1b:7b:6d:9a:ca:f7:27:8d:8f:b5:05:81:b8:0d:d2: ++ a2:b3:e3:ab:bb:04:a1:8d:ec:dc:65:38:99:e9:e1: ++ 4f:70:47:79:8d:e6:3a:f0:9f:7b:3b:aa:bd:80:1d: ++ 4d:0d:2a:00:7d: ++ ++prime2: ++ 00:d5:1e:d4:82:40:de:a6:ce:1a:59:93:b8:51:c6: ++ 55:15:7f:83:d0:11:ac:a1:44:0a:95:f0:e5:96:03: ++ 53:5e:2c:27:eb:63:5f:b7:1c:06:64:fb:35:c9:a3: ++ a1:1a:fb:f2:3c:31:a1:51:58:40:5e:24:28:dd:ba: ++ dc:c4:14:22:03: ++ ++coefficient: ++ 00:9c:b5:66:d6:6d:93:93:da:0f:15:96:48:07:c6: ++ 4a:eb:ae:da:2a:fc:d8:b3:03:cb:5e:5e:10:9e:7f: ++ e8:49:96:db:70:6b:ef:d7:5a:4a:a4:f5:2a:da:89: ++ 39:b4:51:09:64:4c:75:92:57:ee:4f:9e:4d:55:f9: ++ d0:34:0e:6f:43: ++ ++exp1: ++ 2a:3c:5f:10:46:f2:20:9f:d2:bc:a5:d8:71:56:09: ++ 5c:39:b9:42:28:dc:2d:f6:34:c7:f7:d4:3e:c9:51: ++ 41:7d:86:50:d5:08:4b:81:d2:a5:76:39:d3:fa:af: ++ d2:fe:b0:d6:c7:df:d0:3c:57:e4:29:a4:7e:50:b6: ++ 93:85:44:19: ++ ++exp2: ++ 1a:1b:38:b4:eb:f5:5a:41:8d:00:c4:13:a4:10:c3: ++ 83:6a:a7:5e:e9:8b:58:05:d9:b6:1c:58:43:54:0c: ++ f6:50:3a:63:9f:3c:ae:55:84:83:02:32:c8:8c:7e: ++ c3:ab:71:34:e6:6f:78:63:73:1f:15:16:dc:72:73: ++ 70:a1:76:b9: ++ ++ ++Public Key ID: AC:1D:7A:39:CB:72:17:94:66:6C:74:44:73:40:91:44:C0:A0:43:7D ++Public key's random art: +++--[ RSA 1024]----+ ++| ...o.BX+. | ++| . .. E oo | ++| o + o | ++| o B | ++| S= | ++| + o. | ++| o = . | ++| .o.o. | ++| oo. 
| +++-----------------+ ++ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQCl/0UEBlp1G5TQAasfjGA2HlXm0UMStNtrZsXxvtRItFTMROb6 ++oFbzsjpBdYMWxmW/LLOukg2alsbdQ2vdxUuBPsMsLZy3mdkVPiPbkFizByvRXkLT ++QEDPo1Ry5PNjR7SI34fzQf+ZSvde7mv3AlxrUsZOykEXU05M2gC6eVKbdwIDAQAB ++AoGAVXY4RRs0RSifE/xX6tUtz48MsNo6Cw58DS6LaKvTxV66bbRnqs8UFUFERuFG ++TVp1ldhg5daiFF3eIpqMlU/3T83rZaApNbEWt8J08aRFQ2x3WTezy0NggCletplg ++mhJNK1Quwzp2ln1ysXIk8Sot/5mSHrtV8VhuZAg2JkuyxpkCQQDHZUQPTmtRzdQL ++hJypMBt7bZrK9yeNj7UFgbgN0qKz46u7BKGN7NxlOJnp4U9wR3mN5jrwn3s7qr2A ++HU0NKgB9AkEA1R7UgkDeps4aWZO4UcZVFX+D0BGsoUQKlfDllgNTXiwn62NftxwG ++ZPs1yaOhGvvyPDGhUVhAXiQo3brcxBQiAwJAKjxfEEbyIJ/SvKXYcVYJXDm5Qijc ++LfY0x/fUPslRQX2GUNUIS4HSpXY50/qv0v6w1sff0DxX5CmkflC2k4VEGQJAGhs4 ++tOv1WkGNAMQTpBDDg2qnXumLWAXZthxYQ1QM9lA6Y588rlWEgwIyyIx+w6txNOZv ++eGNzHxUW3HJzcKF2uQJBAJy1ZtZtk5PaDxWWSAfGSuuu2ir82LMDy15eEJ5/6EmW ++23Br79daSqT1KtqJObRRCWRMdZJX7k+eTVX50DQOb0M= ++-----END RSA PRIVATE KEY----- +diff --git a/tests/testpkcs11.pkcs15 b/tests/testpkcs11.pkcs15 +new file mode 100644 +index 000000000..565282a31 +--- /dev/null ++++ b/tests/testpkcs11.pkcs15 +@@ -0,0 +1,45 @@ ++#!/bin/sh ++ ++# Copyright (C) 2013 Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++
++
++init_card () {
++ PIN="$1"
++ PUK="$2"
++
++ echo -n "* Erasing smart card... "
++ pkcs15-init -E >"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ cat "${TMPFILE}"
++ exit_error
++ fi
++
++ echo -n "* Initializing smart card... "
++ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ cat "${TMPFILE}"
++ exit_error
++ fi
++}
+diff --git a/tests/testpkcs11.sc-hsm b/tests/testpkcs11.sc-hsm
+new file mode 100644
+index 000000000..f3eab685f
+--- /dev/null
++++ b/tests/testpkcs11.sc-hsm
+@@ -0,0 +1,50 @@
++#!/bin/sh
++
++# Copyright (C) 2013 Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++
++init_card () {
++ PIN="$1"
++ PUK=3537363231383830
++ export GNUTLS_SO_PIN="${PUK}"
++
++ echo -n "* Erasing smart card... "
++ sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Initializing smart card... "
++ TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
++ if test -z "${TOKEN}"; then
++ echo "Could not find initialized card"
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++}
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+new file mode 100755
+index 000000000..e8cdcd30d
+--- /dev/null
++++ b/tests/testpkcs11.sh
+@@ -0,0 +1,938 @@
++#!/bin/sh
++
++# Copyright (C) 2013 Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++srcdir="${srcdir:-.}"
++P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
++CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
++DIFF="${DIFF:-diff -b -B}"
++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
++RETCODE=0
++
++if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
++ echo "Cannot run in FIPS140-2 mode"
++ exit 77
++fi
++
++if ! test -x "${P11TOOL}"; then
++ exit 77
++fi
++
++if ! test -x "${CERTTOOL}"; then
++ exit 77
++fi
++
++if ! test -x "${SERV}"; then
++ exit 77
++fi
++
++if ! test -x "${CLI}"; then
++ exit 77
++fi
++
++if ! test -z "${VALGRIND}"; then
++ VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full"
++fi
++
++TMPFILE="testpkcs11.debug.log"
++CERTTOOL_PARAM="--stdout-info"
++
++if test "${WINDIR}" != ""; then
++ exit 77
++fi
++
++ASAN_OPTIONS="detect_leaks=0"
++export ASAN_OPTIONS
++
++P11TOOL="${VALGRIND} ${P11TOOL} --batch"
++SERV="${SERV} -q"
++
++. ${srcdir}/scripts/common.sh
++
++rm -f "${TMPFILE}"
++
++exit_error () {
++ echo "check ${TMPFILE} for additional debugging information"
++ echo ""
++ echo ""
++ tail "${TMPFILE}"
++ exit 1
++}
++
++# $1: token
++# $2: PIN
++# $3: filename
++# ${srcdir}/testpkcs11-certs/client.key
++write_privkey () {
++ export GNUTLS_PIN="$2"
++ filename="$3"
++ token="$1"
++
++ echo -n "* Writing a client private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Checking whether object was marked private... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client2" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo "private object was public"
++ exit_error
++ fi
++ echo ok
++
++ echo -n "* Checking whether object was marked sensitive... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_SENSITIVE" >/dev/null 2>&1
++ if test $? != 0; then
++ echo "private object was not sensitive"
++ exit_error
++ fi
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: filename
++write_serv_privkey () {
++ export GNUTLS_PIN="$2"
++ filename="$3"
++ token="$1"
++
++ echo -n "* Writing the server private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++}
++
++# $1: token
++# $2: PIN
++# $3: filename
++write_serv_pubkey () {
++ export GNUTLS_PIN="$2"
++ filename="$3"
++ token="$1"
++
++ echo -n "* Writing the server public key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-pubkey --load-pubkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ #verify it being written
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public" >>"${TMPFILE}" 2>&1
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public"|grep "Public key" >/dev/null 2>&1
++ if test $? != 0;then
++ echo "Cannot verify the existence of the written pubkey"
++ exit_error
++ fi
++}
++
++# $1: token
++# $2: PIN
++# $3: filename
++write_serv_cert () {
++ export GNUTLS_PIN="$2"
++ filename="$3"
++ token="$1"
++
++ echo -n "* Writing the server certificate... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "${filename}" "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++}
++
++# $1: token
++# $2: PIN
++test_delete_cert () {
++ export GNUTLS_PIN="$2"
++ filename="$3"
++ token="$1"
++
++ echo -n "* Deleting the server certificate... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=serv-cert;object-type=cert" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++}
++
++# $1: token
++# $2: PIN
++# $3: bits
++generate_rsa_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Generating RSA private key ("${bits}")... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++
++ echo -n "* Checking whether generated private key was marked private... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo "private object was public"
++ exit_error
++ fi
++ echo ok
++
++ echo -n "* Checking whether private key was marked sensitive... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client" | grep "CKA_SENSITIVE" >/dev/null 2>&1
++ if test $? != 0; then
++ echo "private object was not sensitive"
++ exit_error
++ fi
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: bits
++generate_temp_rsa_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Generating RSA private key ("${bits}")... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++
++# if test ${RETCODE} = 0; then
++# echo -n "* Testing private key flags... "
++# ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}"
++# if test $? != 0; then
++# echo failed
++# exit_error
++# fi
++#
++# grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1
++# if test $? != 0; then
++# echo "failed (no CKA_WRAP)"
++# exit_error
++# else
++# echo ok
++# fi
++# fi
++}
++
++generate_temp_dsa_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Generating DSA private key ("${bits}")... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++}
++
++# $1: token
++# $2: PIN
++delete_temp_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ type="$3"
++
++ test "${RETCODE}" = "0" || return
++
++ echo -n "* Deleting private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1
++
++ if test $? != 0; then
++ echo failed
++ RETCODE=1
++ return
++ fi
++
++ RETCODE=0
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: bits
++export_pubkey_of_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Exporting public key of generated private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit 1
++ fi
++
++ ${DIFF} tmp-client.pub tmp-client-2.pub
++ if test $? != 0; then
++ echo keys differ
++ exit 1
++ fi
++
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++change_id_of_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++
++ echo -n "* Change the CKA_ID of generated private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "ID didn't change"
++ exit_error
++ fi
++
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++change_label_of_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++
++ echo -n "* Change the CKA_LABEL of generated private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "label didn't change"
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: bits
++generate_temp_ecc_privkey () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Generating ECC private key (${bits})... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++}
++
++# $1: token
++# $2: PIN
++# $3: bits
++# The same as generate_temp_ecc_privkey but no explicit login is performed.
++# p11tool should detect that login is required for the operation.
++generate_temp_ecc_privkey_no_login () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ bits="$3"
++
++ echo -n "* Generating ECC private key without --login (${bits})... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --label "temp-ecc-no-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++}
++
++# $1: name
++# $2: label prefix
++# $3: generate option
++# $4: token
++# $5: PIN
++# $6: bits
++import_privkey () {
++ export GNUTLS_PIN="$5"
++ name="$1"
++ prefix="$2"
++ gen_option="$3"
++ token="$4"
++ bits="$6"
++
++ outfile="tmp-${prefix}-${bits}.pem"
++
++ echo -n "* Importing ${name} private key (${bits})... "
++
++ "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit 1
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++}
++
++import_temp_rsa_privkey () {
++ import_privkey RSA temp-rsa --rsa $@
++}
++
++import_temp_ecc_privkey () {
++ import_privkey ECC temp-ecc --ecc $@
++}
++
++import_temp_dsa_privkey () {
++ import_privkey DSA temp-dsa --dsa $@
++}
++
++# $1: token
++# $2: PIN
++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
++#
++# Tests writing a certificate which corresponds to the given key,
++# as well as the CA certificate, and tries to export them.
++write_certificate_test () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ cakey="$3"
++ cacert="$4"
++ pubkey="$5"
++
++ echo -n "* Generating client certificate... "
++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
++ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
++
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Writing client certificate... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Checking whether ID was correctly set... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "ID was not set on copy"
++ exit_error
++ fi
++ echo ok
++
++ if test -n "${BROKEN_SOFTHSM2}";then
++ return
++ fi
++
++ echo -n "* Checking whether object was public... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --list-all-certs "${token};object=gnutls-client;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "certificate object was not public"
++ exit_error
++ fi
++ echo ok
++
++ if test -n "${BROKEN_SOFTHSM2}";then
++ return
++ fi
++
++ echo -n "* Writing certificate of client's CA... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1
++ ret=$?
++ if test ${ret} != 0; then
++ echo "Failed with PIN, trying to write with so PIN" >>"${TMPFILE}"
++ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1
++ ret=$?
++ fi
++
++ if test ${ret} = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Testing certificate flags... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}"
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "failed (no CKA_TRUSTED)"
++ #exit_error
++ fi
++
++ grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)"
++ #exit_error
++ fi
++
++ echo ok
++
++
++ echo -n "* Trying to obtain back the cert... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1
++ ${DIFF} crt1.tmp "${srcdir}/testpkcs11-certs/ca.crt"
++ if test $? != 0; then
++ echo "failed. Exported certificate differs (crt1.tmp)!"
++ exit_error
++ fi
++ rm -f crt1.tmp
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++
++ echo -n "* Trying to obtain the full chain... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1
++
++ cat tmp-client.crt ${srcdir}/testpkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp
++ ${DIFF} crt1.tmp crt2.tmp
++ if test $? != 0; then
++ echo "failed. Exported certificate chain differs!"
++ exit_error
++ fi
++ rm -f crt1.tmp crt2.tmp
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++}
++
++# $1: token
++# $2: PIN
++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
++#
++# Tests writing a certificate which corresponds to the given key,
++# and verifies whether the ID is the same. Should utilize the
++# ID of the public key.
++write_certificate_id_test_rsa () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ cakey="$3"
++ cacert="$4"
++
++ echo -n "* Generating RSA private key on HSM... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++
++ echo -n "* Checking whether right ID is set on copy... "
++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=xxx1-rsa;object-type=private" \
++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
++
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "ID '$id' was not set on copy"
++ exit_error
++ fi
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
++#
++# Tests writing a certificate which corresponds to the given key,
++# and verifies whether the ID is the same. Should utilize the
++# ID of the private key.
++write_certificate_id_test_rsa2 () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ cakey="$3"
++ cacert="$4"
++ tmpkey="key.$$.tmp"
++
++ echo -n "* Generating RSA private key... "
++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++
++ echo -n "* Checking whether right ID is set on copy... "
++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
++
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
++
++ rm -f ${tmpkey}
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "ID '$id' was not set on copy"
++ exit_error
++ fi
++ echo ok
++}
++
++# $1: token
++# $2: PIN
++# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
++# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
++#
++# Tests writing a certificate which corresponds to the given key,
++# and verifies whether the ID is the same. Should utilize the
++# ID of the private key.
++write_certificate_id_test_ecdsa () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ cakey="$3"
++ cacert="$4"
++ tmpkey="key.$$.tmp"
++
++ echo -n "* Generating ECDSA private key... "
++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit 1
++ fi
++
++ echo -n "* Checking whether right ID is set on copy... "
++ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
++ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
++ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
++
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
++
++ rm -f ${tmpkey}
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo failed
++ exit_error
++ fi
++
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "ID '$id' was not set on copy"
++ exit_error
++ fi
++ echo ok
++}
++
++test_sign () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++
++ echo -n "* Testing signatures using the private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "failed. Cannot test signatures."
++ exit_error
++ fi
++ echo ok
++
++ echo -n "* Testing RSA-PSS signatures using the private key... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --sign-params rsa-pss --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
++ rc=$?
++ if test $rc != 0; then
++ if test $rc = 2; then
++ echo "failed. RSA-PSS not supported."
++ else
++ echo "failed. Cannot test signatures."
++ exit_error
++ fi
++ else
++ echo ok
++ fi
++
++ echo -n "* Testing signatures using the private key (with ID)... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" >>"${TMPFILE}" 2>&1
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" 2>&1|grep "Verifying against public key in the token..."|grep ok >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "failed. Cannot test signatures with ID."
++ exit_error
++ fi
++ echo ok
++}
++
++# This tests the signing operation as well as the usage of --set-pin
++test_sign_set_pin () {
++ pin="$2"
++ token="$1"
++
++ unset GNUTLS_PIN
++
++ echo -n "* Testing signatures using the private key and --set-pin... "
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-pin ${pin} --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
++ if test $? != 0; then
++ echo "failed. Cannot test signatures."
++ exit_error
++ fi
++ echo ok
++
++ export GNUTLS_PIN=${pin}
++}
++
++# $1: token
++# $2: PIN
++# $3: certfile
++# $4: keyfile
++# $5: cafile
++#
++# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
++use_certificate_test () {
++ export GNUTLS_PIN="$2"
++ token="$1"
++ certfile="$3"
++ keyfile="$4"
++ cafile="$5"
++ txt="$6"
++
++ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
++ # start server
++ eval "${GETPORT}"
++ launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
++ --x509keyfile="$keyfile" --x509cafile="${cafile}" \
++ --verify-client-cert --require-client-cert >>"${TMPFILE}" 2>&1
++
++ PID=$!
++ wait_server ${PID}
++
++ # connect to server using SC
++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 && \
++ fail ${PID} "Connection should have failed!"
++
++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
++ --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \
++ fail ${PID} "Connection (with files) should have succeeded!"
++
++ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
++ --x509keyfile="${token};object=gnutls-client;object-type=private" \
++ --x509cafile="${cafile}" >"${TMPFILE}" 2>&1 || \
++ fail ${PID} "Connection (with SC) should have succeeded!"
++
++ kill ${PID}
++ wait
++
++ echo ok
++}
++
++
++
++echo "Testing PKCS11 support"
++
++# erase SC
++
++type="$1"
++
++if test -z "${type}"; then
++ echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
++ if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then
++ echo "assuming 'softhsm'"
++ echo ""
++ type=softhsm
++ else
++ exit 77
++ fi
++
++fi
++
++. "${srcdir}/testpkcs11.${type}"
++
++export GNUTLS_PIN=12345678
++export GNUTLS_SO_PIN=00000000
++
++init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}"
++
++# find token name
++TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
++
++echo "* Token: ${TOKEN}"
++if test "x${TOKEN}" = x; then
++ echo "Could not find generated token"
++ exit_error
++fi
++
++#write a given privkey
++write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key"
++
++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
++
++generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
++
++generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384
++
++generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048
++
++generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072
++
++import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024
++import_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
++import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
++delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
++
++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
++change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
++export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
++change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
++
++write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
++write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
++write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
++
++write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
++test_sign "${TOKEN}" "${GNUTLS_PIN}"
++
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
++
++use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
++
++write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
++
++test_delete_cert "${TOKEN}" "${GNUTLS_PIN}"
++
++test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
++
++if test ${RETCODE} = 0; then
++ echo "* All smart cards tests succeeded"
++fi
++rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}"
++
++exit 0
+diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm
+new file mode 100755
+index 000000000..d79a8528e
+--- /dev/null
++++ b/tests/testpkcs11.softhsm
+@@ -0,0 +1,77 @@
++#!/bin/sh
++
++# Copyright (C) 2013 Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++for i in /usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm;do
++ if test -f "$i/libsofthsm2.so"; then
++ ADDITIONAL_PARAM="--provider $i/libsofthsm2.so"
++ break
++ else
++ if test -f "$i/libsofthsm.so";then
++ ADDITIONAL_PARAM="--provider $i/libsofthsm.so"
++ break
++ fi
++ fi
++done
++
++init_card () {
++ PIN="$1"
++ PUK="$2"
++
++ if test -x "/usr/bin/softhsm2-util"; then
++ export SOFTHSM2_CONF="softhsm-testpkcs11.$$.config.tmp"
++ SOFTHSM_TOOL="/usr/bin/softhsm2-util"
++ ${SOFTHSM_TOOL} --version|grep "2.0.0" >/dev/null 2>&1
++ if test $? = 0; then
++ echo "softhsm2-util 2.0.0 is broken"
++ export BROKEN_SOFTHSM2=1
++ fi
++ fi
++
++ if test -x "/usr/bin/softhsm"; then
++ export SOFTHSM_CONF="softhsm-testpkcs11.$$.config.tmp"
++ SOFTHSM_TOOL="/usr/bin/softhsm"
++ fi
++
++ if test -z "${SOFTHSM_TOOL}"; then
++ echo "Could not find softhsm(2) tool"
++ exit 77
++ fi
++
++ if test -z "${SOFTHSM_CONF}"; then
++ rm -rf ./softhsm-testpkcs11.$$.tmp
++ mkdir -p ./softhsm-testpkcs11.$$.tmp
++ echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
++ echo "directories.tokendir = ./softhsm-testpkcs11.$$.tmp" >> "${SOFTHSM2_CONF}"
++
++ else
++ rm -rf ./softhsm-testpkcs11.$$.tmp
++ echo "0:./softhsm-testpkcs11.$$.tmp" > "${SOFTHSM_CONF}"
++ fi
++
++
++ echo -n "* Initializing smart card... "
++ ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
++ if test $? = 0; then
++ echo ok
++ else
++ echo failed
++ exit_error
++ fi
++}
diff --git a/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch
new file mode 100644
index 0000000..72faadd
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch
@@ -0,0 +1,48 @@
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 7c2776760..cf82c4032 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -26,11 +26,6 @@ SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+ CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+ RETCODE=0
+
+-if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+- echo "Cannot run in FIPS140-2 mode"
+- exit 77
+-fi
+-
+ if ! test -x "${P11TOOL}"; then
+ exit 77
+ fi
+@@ -600,7 +595,8 @@ write_certificate_id_test_rsa () {
+ cacert="$4"
+
+ echo -n "* Generating RSA private key on HSM... "
+- ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
++ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa \
++ --bits 2048 "${token}" >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -649,7 +645,8 @@ write_certificate_id_test_rsa2 () {
+ tmpkey="key.$$.tmp"
+
+ echo -n "* Generating RSA private key... "
+- ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
++ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 2048 \
++ --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+@@ -907,7 +904,7 @@ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
+ import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
+
+-generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
++generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
+ change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+ change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+--
+2.14.3
+
diff --git a/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
new file mode 100644
index 0000000..6981724
--- /dev/null
+++ b/SOURCES/gnutls-3.3.29-tests-sni-hostname.patch
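Review bot: Removing the `GNUTLS_FORCE_FIPS_MODE` skip at the top of tests/testpkcs11.sh turns the whole script on under FIPS140-2 mode, while the visible hunks only raise the three RSA sizes from 1024 to 2048. The other key operations the script performs (the context shows `import_temp_dsa_privkey ... 2048` and an `ecc-256` key) lie outside these hunks, so whether each of them is accepted in FIPS mode cannot be confirmed from here and is worth checking before relying on the test. I would also add a comment next to each `--bits 2048`, for example `# 1024-bit RSA is refused in FIPS140-2 mode; keep this at 2048 or above`, so the size is not lowered again to speed the test up. `write_certificate_id_test_rsa` and `write_certificate_id_test_rsa2` both start and end outside the hunks.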
@@ -0,0 +1,88 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index bafb12ae0..d249d405f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -156,7 +156,7 @@ endif + endif + + check_PROGRAMS = $(ctests) +-dist_check_SCRIPTS = rfc2253-escape-test ++dist_check_SCRIPTS = rfc2253-escape-test sni-hostname.sh + + TESTS = $(ctests) $(dist_check_SCRIPTS) + +diff --git a/tests/sni-hostname.sh b/tests/sni-hostname.sh +new file mode 100755 +index 000000000..4fb51be68 +--- /dev/null ++++ b/tests/sni-hostname.sh +@@ -0,0 +1,66 @@ ++#!/bin/sh ++ ++# Copyright (C) 2017 Nikos Mavrogiannopoulos ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" ++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" ++unset RETCODE ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CLI}"; then ++ exit 77 ++fi ++ ++if test "${WINDIR}" != ""; then ++ exit 77 ++fi ++ ++if ! test -z "${VALGRIND}"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" ++fi ++ ++ ++SERV="${SERV} -q" ++ ++. 
"${srcdir}/scripts/common.sh" ++ ++echo "Checking SNI hostname in gnutls-cli" ++ ++eval "${GETPORT}" ++launch_server $$ --echo --priority "NORMAL:+ANON-ECDH" --sni-hostname-fatal --sni-hostname example.com ++PID=$! ++wait_server ${PID} ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname example.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null || \ ++ fail ${PID} "1. rehandshake should have succeeded!" ++ ++${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --sni-hostname noexample.com --priority "NORMAL:+ANON-ECDH:+ANON-DH" /dev/null && \ ++ fail ${PID} "2. rehandshake should have failed!" ++ ++ ++kill ${PID} ++wait ++ ++exit 0 +-- +2.14.3 + diff --git a/SOURCES/gnutls-3.3.8-fips-key.patch b/SOURCES/gnutls-3.3.8-fips-key.patch new file mode 100644 index 0000000..b83aee9 --- /dev/null +++ b/SOURCES/gnutls-3.3.8-fips-key.patch @@ -0,0 +1,12 @@ +diff -ur gnutls-3.3.8b1.orig/lib/fips.c gnutls-3.3.8b1/lib/fips.c +--- gnutls-3.3.8b1.orig/lib/fips.c 2014-09-03 16:53:13.000000000 +0200 ++++ gnutls-3.3.8b1/lib/fips.c 2014-09-04 17:11:26.825733730 +0200 +@@ -97,7 +97,7 @@ + #define HOGWEED_LIBRARY_NAME "libhogweed.so.2" + #define GMP_LIBRARY_NAME "libgmp.so.10" + +-static const char fips_key[] = "I'd rather be skiing"; ++static const char fips_key[] = "orboDeJITITejsirpADONivirpUkvarP"; + + #define HMAC_SUFFIX ".hmac" + #define HMAC_SIZE 32 diff --git a/SOURCES/gnutls-3.3.8-padlock-disable.patch b/SOURCES/gnutls-3.3.8-padlock-disable.patch new file mode 100644 index 0000000..cd4c3b6 --- /dev/null +++ b/SOURCES/gnutls-3.3.8-padlock-disable.patch 
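Review bot: The negative case in tests/sni-hostname.sh (`... --sni-hostname noexample.com ... && fail ${PID} "2. ..."`) accepts any non-zero client exit as success, so a server that has gone away, a refused connection or a valgrind finding (the script sets `--error-exitcode=15`) is counted as a correct rejection of the wrong name. Keeping the exit status, for instance `rc=$?` followed by `test $rc -eq 15 && fail ${PID} "valgrind reported errors"`, would at least separate a memory-checker failure from the rejection that `--sni-hostname-fatal` is expected to produce. Both failure messages also say "rehandshake" although the script checks SNI hostname matching; `fail ${PID} "2. handshake with a non-matching SNI hostname should have failed!"` would describe what actually went wrong.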
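Review bot: `fips_key` in lib/fips.c is a fixed string compiled into the library, so the HMAC check built on it can detect accidental corruption of the checked shared objects but not a change made by someone who can also rewrite the `.hmac` files, and nothing near the definition says so. The new value presumably has to equal the key that `fipshmac` uses when the spec file generates the `libgnutls.so.28.*.hmac` file, and that coupling is not recorded in the hunk either. I would add a comment above the definition such as `/* Integrity-check key, not a secret; must match the key fipshmac uses at package build time. */`.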
@@ -0,0 +1,22 @@
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index cc67b08..e730ba0 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -37,6 +37,7 @@
+ # include
+ #endif
+ #include
++#include
+
+ /* ebx, ecx, edx
+ * This is a format compatible with openssl's CPUID detection.
+@@ -581,7 +582,8 @@ void register_x86_crypto(void)
+
+ register_x86_intel_crypto(capabilities);
+ #ifdef ENABLE_PADLOCK
+- register_x86_padlock_crypto(capabilities);
++ if (_gnutls_fips_mode_enabled() != 1)
++ register_x86_padlock_crypto(capabilities);
+ #endif
+ }
+
diff --git a/SOURCES/hobble-gnutls b/SOURCES/hobble-gnutls
new file mode 100755
index 0000000..3302104
--- /dev/null
+++ b/SOURCES/hobble-gnutls
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -x
+
+if [ "$1" = "-e" ] ; then
+ CMD="cat < /dev/null >"
+else
+ CMD="rm -f"
+fi
+
+# SRP
+for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \
+ gnutls_srp.c auth/srp.c ext/srp.c ; do
+ eval "$CMD lib/$f"
+done
+
diff --git a/SOURCES/libgnutls-config b/SOURCES/libgnutls-config
new file mode 100755
index 0000000..8970bf4
--- /dev/null
+++ b/SOURCES/libgnutls-config
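Review bot: In `register_x86_crypto()` the new guard `if (_gnutls_fips_mode_enabled() != 1)` keeps PadLock registration for every return value other than exactly 1. If that function can report another non-zero FIPS-related state (its definition is not part of this patch), the PadLock code would still be registered in that state, so the intended set of values should be confirmed. The guard is also an unbraced `if` inside an `#ifdef` block with no explanation; I would brace it and add a comment such as `/* PadLock is not registered in FIPS140-2 mode */`. The function body starts outside the hunk.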
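Review bot: The loop in SOURCES/hobble-gnutls never checks that the listed SRP sources exist, and the script has no `set -e`. If a path under `lib/` moves in a later rebase, `rm -f` succeeds on the missing name (and `-e` mode just creates an empty file), so the real source stays in the tree and the script still exits 0. Since the spec relies on this script to strip code from the tarball, a guard such as `test -f "lib/$f" || { echo "hobble-gnutls: lib/$f not found" >&2; exit 1; }` at the top of the loop would make that failure visible. The `eval "$CMD lib/$f"` indirection can then be replaced by a direct branch, `if [ "$1" = "-e" ]; then : > "lib/$f"; else rm -f "lib/$f"; fi`, which avoids evaluating a constructed command string.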
@@ -0,0 +1,91 @@ +#!/bin/sh + +prefix=/usr +exec_prefix=/usr +exec_prefix_set=no + +name=`basename $0` +name=${name#lib} +name=${name%-config} + +libs=`pkg-config --libs $name` +cflags=`pkg-config --cflags $name` +version=`pkg-config --modversion $name` + +usage() +{ + +echo Usage: lib$name-config [OPTIONS] + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + if test $exec_prefix_set = no ; then + exec_prefix=$optarg + fi + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + exec_prefix_set=yes + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --version) + echo $version + exit 0 + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + --help) + usage 0 + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_cflags" = "yes"; then + echo $cflags +fi + +if test "$echo_libs" = "yes"; then + echo $libs +fi diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec new file mode 100644 index 0000000..bf614f1 --- /dev/null +++ b/SPECS/gnutls.spec 
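Review bot: The three `pkg-config` calls at the top of SOURCES/libgnutls-config ignore failure, so when the module is not installed `--cflags` and `--libs` print an empty line and the script exits 0, and a build that uses it carries on with no flags. A check before them, for example `pkg-config --exists "$name" || { echo "lib$name-config: $name not found" >&2; exit 1; }`, would make that case fail visibly. The `basename $0` call and the later `$name` uses are unquoted and break if the script is invoked through a path containing spaces; `basename "$0"` and `"$name"` fix that. Note also that `--prefix=*` changes `prefix` only after `libs` and `cflags` have been computed, so it has no effect on the flags that are printed.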
@@ -0,0 +1,862 @@ +%bcond_without dane +%bcond_with guile +Summary: A TLS protocol implementation +Name: gnutls +Version: 3.3.29 +Release: 9%{?dist} +# The libraries are LGPLv2.1+, utilities are GPLv3+ +License: GPLv3+ and LGPLv2+ +Group: System Environment/Libraries +BuildRequires: p11-kit-devel >= 0.23.1, gettext +BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.8 +BuildRequires: libtool, automake, autoconf, texinfo +BuildRequires: autogen-libopts-devel >= 5.18 autogen gettext-devel +BuildRequires: nettle-devel >= 2.7.1 +BuildRequires: trousers-devel >= 0.3.11.2 +BuildRequires: libidn-devel +BuildRequires: gperf +BuildRequires: fipscheck +BuildRequires: softhsm, net-tools +Requires: p11-kit-trust +# The automatic dependency on libtasn1 and p11-kit is insufficient, +Requires: libtasn1 >= 3.9 +Requires: p11-kit >= 0.23.1 +Requires: trousers >= 0.3.11.2 +%if %{with dane} +BuildRequires: unbound-devel unbound-libs +%endif +%if %{with guile} +BuildRequires: guile-devel +%endif +URL: http://www.gnutls.org/ +#Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz +#Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig +# XXX patent tainted code removed. +Source0: %{name}-%{version}-hobbled.tar.xz +Source1: libgnutls-config +Source2: hobble-gnutls +Patch1: gnutls-3.2.7-rpath.patch +Patch2: gnutls-3.1.11-nosrp.patch +Patch4: gnutls-3.3.8-fips-key.patch +Patch5: gnutls-3.3.8-padlock-disable.patch +# In 3.3.8 we were shipping an early backport of a fix in GNUTLS_E_APPLICATION_DATA +# behavior, which was using 3.4.0 semantics. We continue shipping to support +# any applications depending on that. 
+Patch6: gnutls-3.3.22-eapp-data.patch +Patch7: gnutls-3.3.26-dh-params-1024.patch +# Backport serv --sni-hostname option support (rhbz#1444792) +Patch8: gnutls-3.3.29-serv-sni-hostname.patch +Patch9: gnutls-3.3.29-serv-unrec-name.patch +Patch10: gnutls-3.3.29-cli-sni-hostname.patch +Patch11: gnutls-3.3.29-tests-sni-hostname.patch +# Do not try to retrieve PIN from URI more than once +Patch12: gnutls-3.3.29-pkcs11-retrieve-pin-from-uri-once.patch +# Backport of fixes to address CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 +# (rhbz#1589708 rhbz#1589707 rhbz1589704) +Patch13: gnutls-3.3.29-dummy-wait-account-len-field.patch +Patch14: gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch +Patch15: gnutls-3.3.29-cbc-mac-verify-ssl3-min-pad.patch +Patch16: gnutls-3.3.29-remove-hmac-sha384-sha256-from-default.patch +# Adjustment on tests +Patch17: gnutls-3.3.29-do-not-run-sni-hostname-windows.patch +# Backport testpkcs11 test. This test checks rhbz#1375307 +Patch18: gnutls-3.3.29-testpkcs11.patch +# Disable failing PKCS#11 tests brought from master branch. The reasons are: +# - ECC key generation without login is not supported +# - Certificates are marked as private objects +# - "--load-pubkey" option is not supported +# - "--test-sign" option is not supported +# - Certificates do not inherit its ID from the private key +Patch19: gnutls-3.3.29-disable-failing-tests.patch +# Do not mark certificates as private objects and re-enable test for this +Patch20: gnutls-3.3.29-do-not-mark-object-as-private.patch +Patch21: gnutls-3.3.29-re-enable-check-cert-write.patch +# Increase the length of the RSA keys generated in testpkcs11 to 2048 bits. 
+# This allows the test to run in FIPS mode +Patch22: gnutls-3.3.29-tests-pkcs11-increase-RSA-gen-size.patch +# Enlarge buffer size to support resumption with large keys (rhbz#1542461) +Patch23: gnutls-3.3.29-serv-large-key-resumption.patch +# HMAC-SHA-256 cipher suites brought back downstream for compatibility +# The priority was set below AEAD +Patch24: gnutls-3.3.29-bring-back-hmac-sha256.patch +# Run KAT startup test for ECDSA (using secp256r1 curve) (rhbz#1673919) +Patch25: gnutls-3.3.29-fips140-fix-ecdsa-kat-selftest.patch +# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 +Provides: bundled(gnulib) = 20130424 + +%package c++ +Summary: The C++ interface to GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} + +%package devel +Summary: Development files for the %{name} package +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-c++%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif +Requires: pkgconfig +Requires(post): /sbin/install-info +Requires(preun): /sbin/install-info + +%package utils +License: GPLv3+ +Summary: Command line tools for TLS protocol +Group: Applications/System +Requires: %{name}%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif + +%if %{with dane} +%package dane +Summary: A DANE protocol implementation for GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} +%endif + +%if %{with guile} +%package guile +Summary: Guile bindings for the GNUTLS library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: guile +%endif + +%description +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. 
It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. + +%description c++ +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains the C++ interface for the GnuTLS library. + +%description devel +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains files needed for developing applications with +the GnuTLS library. + +%description utils +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains command line TLS client and server and certificate +manipulation tools. + +%if %{with dane} +%description dane +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. 
+This package contains library that implements the DANE protocol for verifying +TLS certificates through DNSSEC. +%endif + +%if %{with guile} +%description guile +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains Guile bindings for the library. +%endif + +%prep +%setup -q + +%patch1 -p1 -b .rpath +%patch2 -p1 -b .nosrp +%patch4 -p1 -b .fips-key +%patch5 -p1 -b .padlock-disable +%patch6 -p1 -b .eapp-data +%patch7 -p1 -b .dh-1024 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 + +sed 's/gnutls_srp.c//g' -i lib/Makefile.in +sed 's/gnutls_srp.lo//g' -i lib/Makefile.in +rm -f lib/minitasn1/*.c lib/minitasn1/*.h +rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h + +# Touch man pages to avoid them to be regenerated after patches which change +# .def files +touch doc/manpages/gnutls-serv.1 +touch doc/manpages/gnutls-cli.1 + +# Fix permissions for files brought by patches +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/testpkcs11.sh +chmod ugo+x %{_builddir}/%{name}-%{version}/tests/sni-hostname.sh + +%{SOURCE2} -e +autoreconf -if + +%build +export LDFLAGS="-Wl,--no-add-needed" + +%configure --with-libtasn1-prefix=%{_prefix} \ + --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \ + --with-included-libcfg \ + --with-arcfour128 \ + --with-ssl3 \ + --disable-static \ + --disable-openssl-compatibility \ + --disable-srp-authentication \ + --disable-non-suiteb-curves \ + 
--with-trousers-lib=%{_libdir}/libtspi.so.1 \ + --enable-fips140-mode \ +%if %{with guile} + --enable-guile \ +%ifarch %{arm} + --disable-largefile \ +%endif +%else + --disable-guile \ +%endif +%if %{with dane} + --with-unbound-root-key-file=/var/lib/unbound/root.key \ + --enable-dane \ +%else + --disable-dane \ +%endif + --disable-rpath +# Note that the arm hack above is not quite right and the proper thing would +# be to compile guile with largefile support. +make %{?_smp_mflags} + +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.* \ + file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.28.hmac \ +%{nil} + +%install +make install DESTDIR=$RPM_BUILD_ROOT +rm -f $RPM_BUILD_ROOT%{_bindir}/srptool +rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt +cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp* +rm -f $RPM_BUILD_ROOT%{_infodir}/dir +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libguile*.a +%if %{without dane} +rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc +%endif + +%find_lang gnutls + +%check +make check %{?_smp_mflags} + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post c++ -p /sbin/ldconfig + +%postun c++ -p /sbin/ldconfig + +%post devel +if [ -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%preun devel +if [ $1 = 0 -a -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info --delete %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%if %{with dane} +%post dane -p /sbin/ldconfig + +%postun dane -p /sbin/ldconfig +%endif + +%if %{with guile} 
+%post guile -p /sbin/ldconfig + +%postun guile -p /sbin/ldconfig +%endif + +%files -f gnutls.lang +%defattr(-,root,root,-) +%{_libdir}/libgnutls.so.28* +%{_libdir}/.libgnutls.so.28*.hmac +%doc COPYING COPYING.LESSER README AUTHORS NEWS THANKS + +%files c++ +%{_libdir}/libgnutlsxx.so.* + +%files devel +%defattr(-,root,root,-) +%{_bindir}/libgnutls*-config +%{_includedir}/* +%{_libdir}/libgnutls*.so +%{_libdir}/.libgnutls.so.*.hmac +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* +%{_infodir}/gnutls* +%{_infodir}/pkcs11-vision* + +%files utils +%defattr(-,root,root,-) +%{_bindir}/certtool +%{_bindir}/tpmtool +%{_bindir}/ocsptool +%{_bindir}/psktool +%{_bindir}/p11tool +%{_bindir}/crywrap +%if %{with dane} +%{_bindir}/danetool +%endif +%{_bindir}/gnutls* +%{_mandir}/man1/* +%doc doc/certtool.cfg + +%if %{with dane} +%files dane +%defattr(-,root,root,-) +%{_libdir}/libgnutls-dane.so.* +%endif + +%if %{with guile} +%files guile +%defattr(-,root,root,-) +%{_libdir}/libguile*.so* +%{_datadir}/guile/site/gnutls +%{_datadir}/guile/site/gnutls.scm +%endif + +%changelog +* Tue Feb 12 2019 Anderson Sasaki 3.3.29-9 +- Make sure the FIPS startup KAT selftest run for ECDSA (#1673919) + +* Fri Jul 20 2018 Anderson Sasaki 3.3.29-8 +- Backported --sni-hostname option which allows overriding the hostname + advertised to the peer (#1444792) +- Improved counter-measures in TLS CBC record padding for lucky13 attack + (CVE-2018-10844, #1589704, CVE-2018-10845, #1589707) +- Added counter-measures for "Just in Time" PRIME + PROBE cache-based attack + (CVE-2018-10846, #1589708) +- Address p11tool issue in object deletion in batch mode (#1375307) +- Backport PKCS#11 tests from master branch. 
Some tests were disabled due to + unsupported features in 3.3.x (--load-pubkey and --test-sign options, ECC key + generation without login, and certificates do not inherit ID from the private + key) +- p11tool explicitly marks certificates and public keys as NOT private objects + and private keys as private objects +- Enlarge buffer size to support resumption with large keys (#1542461) +- Legacy HMAC-SHA384 cipher suites were disabled by default +- Added DSA key generation to p11tool (#1464896) +- Address session renegotiation issue using client certificate (#1434091) +- Address issue when importing private keys into Atos HSM (#1460125) + +* Fri May 26 2017 Nikos Mavrogiannopoulos 3.3.26-9 +- Address crash in OCSP status request extension, by eliminating the + unneeded parsing (CVE-2017-7507, #1455828) + +* Wed Apr 26 2017 Nikos Mavrogiannopoulos 3.3.26-7 +- Address interoperability issue with 3.5.x (#1388932) +- Reject CAs which are both trusted and blacklisted in trust module (#1375303) +- Added new functions to set issuer and subject ID in certificates (#1378373) +- Reject connections with less than 1024-bit DH parameters (#1335931) +- Fix issue that made GnuTLS parse only the first 32 extensions (#1383748) +- Mention limitations of certtool in manpage (#1375463) +- Read PKCS#8 files with HMAC-SHA256 -as generated by openssl 1.1 (#1380642) +- Do not link directly to trousers but instead use dlopen (#1379739) +- Fix incorrect OCSP validation (#1377569) +- Added support for pin-value in PKCS#11 URIs (#1379283) +- Added the --id option to p11tool (#1399232) +- Improved sanity checks in RSA key generation (#1444780) +- Addressed CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, + CVE-2017-7869 + +* Tue Jul 12 2016 Nikos Mavrogiannopoulos 3.3.24-1 +- Addressed issue with DSA public keys smaller than 2^1024 (#1238279) +- Addressed two-byte buffer overflow in the DTLS-0.9 protocol (#1209365) +- When writing certificates to smart cards write the CKA_ISSUER and 
+ CKA_SERIAL_NUMBER fields to allow NSS reading them (#1272179) +- Use the shared system certificate store (#1110750) +- Address MD5 transcript collision attacks in TLS key exchange (#1289888, + CVE-2015-7575) +- Allow hashing data over 2^32 bytes (#1306953) +- Ensure written PKCS#11 public keys are not marked as private (#1339453) +- Ensure secure_getenv() is called on all uses of environment variables + (#1344591). +- Fix issues related to PKCS #11 private key listing on certain HSMs + (#1351389) + +* Fri Jun 5 2015 Nikos Mavrogiannopoulos 3.3.8-13 +- Corrected reseed and respect of max_number_of_bits_per_request in + FIPS140-2 mode. Also enhanced the initial tests. (#1228199) + +* Mon Jan 5 2015 Nikos Mavrogiannopoulos 3.3.8-12 +- corrected fix of handshake buffer resets (#1153106) + +* Thu Dec 11 2014 Nikos Mavrogiannopoulos 3.3.8-11 +- Applied fix for urandom FD in FIPS140 mode (#1165047) +- Applied fix for FIPS140-2 related regression (#1110696) + +* Tue Dec 2 2014 Nikos Mavrogiannopoulos 3.3.8-10 +- Amended fix for urandom FD to avoid regression in FIPS140 mode (#1165047) + +* Tue Nov 18 2014 Nikos Mavrogiannopoulos 3.3.8-9 +- Amended fix for FIPS enforcement issue (#1163848) +- Fixed issue with applications that close all file descriptors (#1165047) + +* Thu Nov 13 2014 Nikos Mavrogiannopoulos 3.3.8-8 +- Applied fix for FIPS enforcement issue when only /etc/system-fips + existed (#1163848) + +* Fri Nov 7 2014 Nikos Mavrogiannopoulos 3.3.8-7 +- Applied fix for CVE-2014-8564 (#1161473) + +* Wed Oct 29 2014 Nikos Mavrogiannopoulos 3.3.8-6 +- when generating test DH keys, enforce the q_bits. 
+ +* Tue Oct 21 2014 Nikos Mavrogiannopoulos 3.3.8-5 +- do not enforce FIPS140-2 policies in non-FIPS140 mode (#1154774) + +* Thu Oct 16 2014 Nikos Mavrogiannopoulos 3.3.8-4 +- reverted change to use the p11-kit certificate storage (#1110750) +- added functions to test DH/ECDH in FIPS-140-2 mode and fixed + RSA key generation (#1110696) +- added manual dependencies on libtasn1 3.8 as well as p11-kit 0.20.7 +- fixed SHA224 in SSSE3 optimized code +- fixed issue with handshake buffer resets (#1153106) +- fixed issue in RSA key generation with specific seeds in FIPS140-2 mode + +* Wed Oct 01 2014 Nikos Mavrogiannopoulos 3.3.8-3 +- added dependency on libtasn1 3.8 (#1110696) + +* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-2 +- disabled padlock CPU support in FIPS140-2 mode + +* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-1 +- updated to latest stable release + +* Fri Sep 05 2014 Nikos Mavrogiannopoulos 3.3.8-1.b2 +- updated with latest bug fixes for 3.3.x branch +- delete bundled files + +* Thu Sep 04 2014 Nikos Mavrogiannopoulos 3.3.8b1-1 +- updated with latest bug fixes for 3.3.x branch + +* Fri Aug 22 2014 Nikos Mavrogiannopoulos 3.3.7-1 +- new upstream release (#1110696) +- allow DSA/DH key generation with 1024 when not in FIPS140-2 mode (#1132705) + +* Fri Aug 15 2014 Nikos Mavrogiannopoulos 3.3.7b1-1 +- updated with latest bug fixes for 3.3.x branch +- utilize the p11-kit trust store (#1110750) + +* Tue Jul 29 2014 Nikos Mavrogiannopoulos 3.3.6-2 +- correct path of fipscheck links + +* Wed Jul 23 2014 Nikos Mavrogiannopoulos 3.3.6-1 +- rebased to 3.3.6 and enabled fips mode (#1110696) + +* Wed May 28 2014 Nikos Mavrogiannopoulos - 3.1.18-9 +- fix session ID length check (#1102027) +- fixes null pointer dereference (#1101727) + +* Tue Feb 25 2014 Nikos Mavrogiannopoulos - 3.1.18-8 +- fixes CVE-2014-0092 (#1071815) + +* Fri Feb 14 2014 Nikos Mavrogiannopoulos - 3.1.18-7 +- fixes CVE-2014-1959 + +* Fri Jan 24 2014 Daniel Mach - 3.1.18-6 +- Mass rebuild 
2014-01-24 + +* Tue Jan 14 2014 Nikos Mavrogiannopoulos 3.1.18-5 +- Fixed issue with gnutls.info not being available (#1053487) + +* Tue Jan 14 2014 Tomáš Mráz 3.1.18-4 +- build the crywrap tool + +* Thu Jan 02 2014 Nikos Mavrogiannopoulos - 3.1.18-3 +- fixes crash in gnutls_global_deinit (#1047037) + +* Fri Dec 27 2013 Daniel Mach - 3.1.18-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 23 2013 Nikos Mavrogiannopoulos 3.1.18-1 +- new upstream release (#1040886) +- Use the correct root key for unbound + +* Tue Nov 5 2013 Tomáš Mráz 3.1.16-1 +- new upstream release +- fixes CVE-2013-4466 off-by-one in dane_query_tlsa() + +* Tue Oct 29 2013 Tomáš Mráz 3.1.15-1 +- new upstream release +- fixes CVE-2013-4466 buffer overflow in handling DANE entries + +* Mon Jul 15 2013 Tomáš Mráz 3.1.13-1 +- new upstream release + +* Thu May 23 2013 Tomáš Mráz 3.1.11-1 +- new upstream release +- enable ECC NIST Suite B curves + +* Mon Mar 25 2013 Tomas Mraz 3.1.10-1 +- new upstream release +- license of the library is back to LGPLv2.1+ + +* Fri Mar 15 2013 Tomas Mraz 3.1.9-1 +- new upstream release + +* Thu Mar 7 2013 Tomas Mraz 3.1.8-3 +- drop the temporary old library + +* Tue Feb 26 2013 Tomas Mraz 3.1.8-2 +- don't send ECC algos as supported (#913797) + +* Thu Feb 21 2013 Tomas Mraz 3.1.8-1 +- new upstream version + +* Wed Feb 6 2013 Tomas Mraz 3.1.7-1 +- new upstream version, requires rebuild of dependencies +- this release temporarily includes old compatibility .so + +* Tue Feb 5 2013 Tomas Mraz 2.12.22-2 +- rebuilt with new libtasn1 +- make guile bindings optional - breaks i686 build and there is + no dependent package + +* Tue Jan 8 2013 Tomas Mraz 2.12.22-1 +- new upstream version + +* Wed Nov 28 2012 Tomas Mraz 2.12.21-2 +- use RSA bit sizes supported by libgcrypt in FIPS mode for security + levels (#879643) + +* Fri Nov 9 2012 Tomas Mraz 2.12.21-1 +- new upstream version + +* Thu Nov 1 2012 Tomas Mraz 2.12.20-4 +- negotiate only FIPS approved algorithms in the FIPS mode (#871826) 
+ +* Wed Aug 8 2012 Tomas Mraz 2.12.20-3 +- fix the gnutls-cli-debug manpage - patch by Peter Schiffer + +* Thu Jul 19 2012 Fedora Release Engineering - 2.12.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 18 2012 Tomas Mraz 2.12.20-1 +- new upstream version + +* Fri May 18 2012 Tomas Mraz 2.12.19-1 +- new upstream version + +* Thu Mar 29 2012 Tomas Mraz 2.12.18-1 +- new upstream version + +* Thu Mar 8 2012 Tomas Mraz 2.12.17-1 +- new upstream version +- fix leaks in key generation (#796302) + +* Fri Feb 03 2012 Kevin Fenzi - 2.12.14-3 +- Disable largefile on arm arch. (#787287) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.12.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Nov 8 2011 Tomas Mraz 2.12.14-1 +- new upstream version + +* Mon Oct 24 2011 Tomas Mraz 2.12.12-1 +- new upstream version + +* Thu Sep 29 2011 Tomas Mraz 2.12.11-1 +- new upstream version + +* Fri Aug 26 2011 Tomas Mraz 2.12.9-1 +- new upstream version + +* Tue Aug 16 2011 Tomas Mraz 2.12.8-1 +- new upstream version + +* Mon Jul 25 2011 Tomas Mraz 2.12.7-2 +- fix problem when using new libgcrypt +- split libgnutlsxx to a subpackage (#455146) +- drop libgnutls-openssl (#460310) + +* Tue Jun 21 2011 Tomas Mraz 2.12.7-1 +- new upstream version + +* Mon May 9 2011 Tomas Mraz 2.12.4-1 +- new upstream version + +* Tue Apr 26 2011 Tomas Mraz 2.12.3-1 +- new upstream version + +* Mon Apr 18 2011 Tomas Mraz 2.12.2-1 +- new upstream version + +* Thu Mar 3 2011 Tomas Mraz 2.10.5-1 +- new upstream version + +* Tue Feb 08 2011 Fedora Release Engineering - 2.10.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 8 2010 Tomas Mraz 2.10.4-1 +- new upstream version + +* Thu Dec 2 2010 Tomas Mraz 2.10.3-2 +- fix buffer overflow in gnutls-serv (#659259) + +* Fri Nov 19 2010 Tomas Mraz 2.10.3-1 +- new upstream version + +* Thu Sep 30 2010 Tomas Mraz 2.10.2-1 +- new upstream version + +* Wed Sep 29 2010 
jkeating - 2.10.1-4
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Tomas Mraz 2.10.1-3
+- more patching for internal errors regression (#629858)
+ patch by Vivek Dasmohapatra
+
+* Tue Sep 21 2010 Tomas Mraz 2.10.1-2
+- backported patch from upstream git hopefully fixing internal errors
+ (#629858)
+
+* Wed Aug 4 2010 Tomas Mraz 2.10.1-1
+- new upstream version
+
+* Wed Jun 2 2010 Tomas Mraz 2.8.6-2
+- add support for safe renegotiation CVE-2009-3555 (#533125)
+
+* Wed May 12 2010 Tomas Mraz 2.8.6-1
+- upgrade to a new upstream version
+
+* Mon Feb 15 2010 Rex Dieter 2.8.5-4
+- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624)
+
+* Thu Jan 28 2010 Tomas Mraz 2.8.5-3
+- drop superfluous rpath from binaries
+- do not call autoreconf during build
+- specify the license on utils subpackage
+
+* Mon Jan 18 2010 Tomas Mraz 2.8.5-2
+- do not create static libraries (#556052)
+
+* Mon Nov 2 2009 Tomas Mraz 2.8.5-1
+- upgrade to a new upstream version
+
+* Wed Sep 23 2009 Tomas Mraz 2.8.4-1
+- upgrade to a new upstream version
+
+* Fri Aug 14 2009 Tomas Mraz 2.8.3-1
+- upgrade to a new upstream version
+
+* Fri Jul 24 2009 Fedora Release Engineering - 2.8.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 10 2009 Tomas Mraz 2.8.1-1
+- upgrade to a new upstream version
+
+* Wed Jun 3 2009 Tomas Mraz 2.8.0-1
+- upgrade to a new upstream version
+
+* Mon May 4 2009 Tomas Mraz 2.6.6-1
+- upgrade to a new upstream version - security fixes
+
+* Tue Apr 14 2009 Tomas Mraz 2.6.5-1
+- upgrade to a new upstream version, minor bugfixes only
+
+* Fri Mar 6 2009 Tomas Mraz 2.6.4-1
+- upgrade to a new upstream version
+
+* Tue Feb 24 2009 Fedora Release Engineering - 2.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 15 2008 Tomas Mraz 2.6.3-1
+- upgrade to a new upstream version
+
+* Thu Dec 4 2008 Tomas Mraz 2.6.2-1
+- upgrade to a new upstream version
+
+* Tue Nov 11 2008 Tomas Mraz 2.4.2-3
+- fix chain verification issue CVE-2008-4989 (#470079)
+
+* Thu Sep 25 2008 Tomas Mraz 2.4.2-2
+- add guile subpackage (#463735)
+- force new libtool through autoreconf to drop unnecessary rpaths
+
+* Tue Sep 23 2008 Tomas Mraz 2.4.2-1
+- new upstream version
+
+* Tue Jul 1 2008 Tomas Mraz 2.4.1-1
+- new upstream version
+- correct the license tag
+- explicit --with-included-opencdk not needed
+- use external lzo library, internal not included anymore
+
+* Tue Jun 24 2008 Tomas Mraz 2.4.0-1
+- upgrade to latest upstream
+
+* Tue May 20 2008 Tomas Mraz 2.0.4-3
+- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
+ (#447461, #447462, #447463)
+
+* Mon Feb 4 2008 Joe Orton 2.0.4-2
+- use system libtasn1
+
+* Tue Dec 4 2007 Tomas Mraz 2.0.4-1
+- upgrade to latest upstream
+
+* Tue Aug 21 2007 Tomas Mraz 1.6.3-2
+- license tag fix
+
+* Wed Jun 6 2007 Tomas Mraz 1.6.3-1
+- upgrade to latest upstream (#232445)
+
+* Tue Apr 10 2007 Tomas Mraz 1.4.5-2
+- properly require install-info (patch by Ville Skyttä)
+- standard buildroot and use dist tag
+- add COPYING and README to doc
+
+* Wed Feb 7 2007 Tomas Mraz 1.4.5-1
+- new upstream version
+- drop libtermcap-devel from buildrequires
+
+* Thu Sep 14 2006 Tomas Mraz 1.4.1-2
+- detect forged signatures - CVE-2006-4790 (#206411), patch
+ from upstream
+
+* Tue Jul 18 2006 Tomas Mraz - 1.4.1-1
+- upgrade to new upstream version, only minor changes
+
+* Wed Jul 12 2006 Jesse Keating - 1.4.0-1.1
+- rebuild
+
+* Wed Jun 14 2006 Tomas Mraz - 1.4.0-1
+- upgrade to new upstream version (#192070), rebuild
+ of dependent packages required
+
+* Tue May 16 2006 Tomas Mraz - 1.2.10-2
+- added missing buildrequires
+
+* Mon Feb 13 2006 Tomas Mraz - 1.2.10-1
+- updated to new version (fixes CVE-2006-0645)
+
+* Fri Feb 10 2006 Jesse Keating - 1.2.9-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1.2.9-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 3 2006 Jesse Keating 1.2.9-3
+- rebuilt
+
+* Fri Dec 9 2005 Tomas Mraz 1.2.9-2
+- replaced *-config scripts with calls to pkg-config to
+ solve multilib conflicts
+
+* Wed Nov 23 2005 Tomas Mraz 1.2.9-1
+- upgrade to newest upstream
+- removed .la files (#172635)
+
+* Sun Aug 7 2005 Tomas Mraz 1.2.6-1
+- upgrade to newest upstream (rebuild of dependencies necessary)
+
+* Mon Jul 4 2005 Tomas Mraz 1.0.25-2
+- split the command line tools to utils subpackage
+
+* Sat Apr 30 2005 Tomas Mraz 1.0.25-1
+- new upstream version fixes potential DOS attack
+
+* Sat Apr 23 2005 Tomas Mraz 1.0.24-2
+- readd the version script dropped by upstream
+
+* Fri Apr 22 2005 Tomas Mraz 1.0.24-1
+- update to the latest upstream version on the 1.0 branch
+
+* Wed Mar 2 2005 Warren Togami 1.0.20-6
+- gcc4 rebuild
+
+* Tue Jan 4 2005 Ivana Varekova 1.0.20-5
+- add gnutls Requires zlib-devel (#144069)
+
+* Mon Nov 08 2004 Colin Walters 1.0.20-4
+- Make gnutls-devel Require libgcrypt-devel
+
+* Tue Sep 21 2004 Jeff Johnson 1.0.20-3
+- rebuild with release++, otherwise unchanged.
+
+* Tue Sep 7 2004 Jeff Johnson 1.0.20-2
+- patent tainted SRP code removed.
+
+* Sun Sep 5 2004 Jeff Johnson 1.0.20-1
+- update to 1.0.20.
+- add --with-included-opencdk --with-included-libtasn1
+- add --with-included-libcfg --with-included-lzo
+- add --disable-srp-authentication.
+- do "make check" after build.
+
+* Fri Mar 21 2003 Jeff Johnson 0.9.2-1
+- upgrade to 0.9.2
+
+* Tue Jun 25 2002 Jeff Johnson 0.4.4-1
+- update to 0.4.4.
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sat May 25 2002 Jeff Johnson 0.4.3-1
+- update to 0.4.3.
+
+* Tue May 21 2002 Jeff Johnson 0.4.2-1
+- update to 0.4.2.
+- change license to LGPL.
+- include splint annotations patch.
+
+* Tue Apr 2 2002 Nalin Dahyabhai 0.4.0-1
+- update to 0.4.0
+
+* Thu Jan 17 2002 Nalin Dahyabhai 0.3.2-1
+- update to 0.3.2
+
+* Thu Jan 10 2002 Nalin Dahyabhai 0.3.0-1
+- add a URL
+
+* Thu Dec 20 2001 Nalin Dahyabhai
+- initial package