diff --git a/.gitignore b/.gitignore index 1d6ef56..690d3fe 100644 --- a/.gitignore +++ b/.gitignore @@ -141,3 +141,6 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-3.7.6.tar.xz /gnutls-3.7.7.tar.xz /gnutls-3.7.8.tar.xz +/gnutls-3.8.0.tar.xz +/gnutls-3.8.0.tar.xz.sig +/gnutls-release-keyring.gpg diff --git a/.packit.yaml b/.packit.yaml index a27df63..2a7dee2 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -15,7 +15,6 @@ actions: post-upstream-clone: - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec" - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch" - - "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.6.7-no-now-guile.patch" get-current-version: - "git describe --abbrev=0" create-archive: diff --git a/README.packit b/README.packit index 44d1757..c83811d 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.60.0. +The file was generated using packit 0.67.0. diff --git a/gnutls-3.6.7-no-now-guile.patch b/gnutls-3.6.7-no-now-guile.patch deleted file mode 100644 index d14e8df..0000000 --- a/gnutls-3.6.7-no-now-guile.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/guile/src/Makefile.in 2019-03-27 11:51:55.984398001 +0100 -+++ b/guile/src/Makefile.in 2019-03-27 11:52:27.259626076 +0100 -@@ -1472,7 +1472,7 @@ - # Use '-module' to build a "dlopenable module", in Libtool terms. - # Use '-undefined' to placate Libtool on Windows; see - # . --guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy - - # Linking against GnuTLS. - GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la diff --git a/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch b/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch deleted file mode 100644 index d8a6f4a..0000000 --- a/gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 7fa942e08e64b761b19753ae74503de43cc1ff91 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 6 Oct 2022 18:44:48 +0900 -Subject: build: suppress GCC analyzer warnings - -Signed-off-by: Daiki Ueno - -diff --git a/lib/auth/cert.c b/lib/auth/cert.c -index 228d98468..f122049e1 100644 ---- a/lib/auth/cert.c -+++ b/lib/auth/cert.c -@@ -1636,6 +1636,10 @@ _gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_e - if (session->internals.selected_cert_list_length == 0) - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); - -+ if (unlikely(session->internals.selected_cert_list == NULL)) { -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ - _gnutls_debug_log("Selected (%s) cert\n", - gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo)); - } -diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c -index 585cd031e..3a626a2c8 100644 ---- a/lib/nettle/int/provable-prime.c -+++ b/lib/nettle/int/provable-prime.c -@@ -1173,7 +1173,7 @@ st_provable_prime(mpz_t p, - if (iterations > 0) { - storage_length = iterations * DIGEST_SIZE; - -- storage = malloc(storage_length); -+ storage = gnutls_malloc(storage_length); - if (storage == NULL) - goto fail; - -@@ -1307,7 +1307,7 @@ st_provable_prime(mpz_t p, - mpz_clear(t); - mpz_clear(tmp); - mpz_clear(c); -- free(pseed); -- free(storage); -+ gnutls_free(pseed); -+ gnutls_free(storage); - return ret; - } -diff --git a/lib/pk.c b/lib/pk.c -index c5600a32a..753cecd18 100644 ---- a/lib/pk.c -+++ b/lib/pk.c -@@ -93,6 +93,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, - } - - if (r->data[0] >= 0x80) { -+ assert(tmp); - tmp[0] = 0; - memcpy(&tmp[1], r->data, r->size); - result = asn1_write_value(sig, "r", tmp, 1+r->size); -@@ -108,6 +109,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, - - - if (s->data[0] >= 0x80) { -+ assert(tmp); - tmp[0] = 0; - memcpy(&tmp[1], s->data, s->size); - result = asn1_write_value(sig, "s", tmp, 1+s->size); -@@ -598,6 +600,10 @@ encode_ber_digest_info(const mac_entry_st * e, - uint8_t *tmp_output; - int tmp_output_size; - -+ if (unlikely(e == NULL)) { -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ } -+ - /* prevent asn1_write_value() treating input as string */ - if (digest->size == 0) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c -index 59eddcd2a..6f528a911 100644 ---- a/lib/x509/pkcs7-crypt.c -+++ b/lib/x509/pkcs7-crypt.c -@@ -1211,6 +1211,10 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn, - } - - ce = cipher_to_entry(enc_params->cipher); -+ if (unlikely(ce == NULL)) { -+ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_CIPHER_TYPE); -+ goto error; -+ } - block_size = _gnutls_cipher_get_block_size(ce); - - if (ce->type == CIPHER_BLOCK) { -diff --git a/src/tests.c b/src/tests.c -index 85c4b6699..8526b6943 100644 ---- a/src/tests.c -+++ b/src/tests.c -@@ -1613,7 +1613,9 @@ test_code_t test_chain_order(gnutls_session_t session) - - gnutls_free(t.data); - } -- *pos = 0; -+ if (pos) { -+ *pos = 0; -+ } - - t.size = p_size; - t.data = (void*)p; -diff --git a/src/tpmtool.c b/src/tpmtool.c -index 171b7fd41..1b230c2ff 100644 ---- a/src/tpmtool.c -+++ b/src/tpmtool.c -@@ -263,15 +263,15 @@ static void tpm_generate(FILE * out, unsigned int key_type, - gnutls_datum_t privkey, pubkey; - - if (!srk_well_known) { -- srk_pass = getpass("Enter SRK password: "); -- if (srk_pass != NULL) -- srk_pass = strdup(srk_pass); -+ char *pass = getpass("Enter SRK password: "); -+ if (pass != NULL) -+ srk_pass = strdup(pass); - } - - if (!(flags & GNUTLS_TPM_REGISTER_KEY)) { -- key_pass = getpass("Enter key password: "); -- if (key_pass != NULL) -- key_pass = strdup(key_pass); -+ char *pass = getpass("Enter key password: "); -+ if (pass != NULL) -+ key_pass = strdup(pass); - } - - ret = diff --git a/gnutls-3.7.8-ktls_add_ciphersuites.patch b/gnutls-3.7.8-ktls_add_ciphersuites.patch deleted file mode 100644 index 88ae1aa..0000000 --- a/gnutls-3.7.8-ktls_add_ciphersuites.patch +++ /dev/null @@ -1,273 +0,0 @@ -From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Thu, 1 Dec 2022 15:37:33 +0100 -Subject: [PATCH 1/2] KTLS: add ciphersuites - -* TLS_AES_128_CCM_SHA256 -* TLS_CHACHA20_POLY1305_SHA256 - -Signed-off-by: Frantisek Krenzelok ---- - lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 153 insertions(+), 6 deletions(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 703775960..792d09ccf 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - gnutls_datum_t mac_key; - gnutls_datum_t iv; - gnutls_datum_t cipher_key; -- unsigned char seq_number[8]; -+ unsigned char seq_number[12]; - int sockin, sockout; - int ret; - -@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - int version = gnutls_protocol_get_version(session); - if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) || - (gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM && -- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) { -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM && -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM && -+ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) { - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - -@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; - assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE); -@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; - assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); -@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - } - } - break; -+ case GNUTLS_CIPHER_AES_128_CCM: -+ { -+ struct tls12_crypto_info_aes_ccm_128 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; -+ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE -+ + TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ -+ memcpy(crypto_info.iv, iv.data + -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE, -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } -+ -+ memcpy(crypto_info.salt, iv.data, -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE); -+ memcpy(crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -+ memcpy(crypto_info.key, cipher_key.data, -+ TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ if (setsockopt (sockin, SOL_TLS, TLS_RX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; -+ case GNUTLS_CIPHER_CHACHA20_POLY1305: -+ { -+ struct tls12_crypto_info_chacha20_poly1305 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; -+ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE -+ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ -+ memcpy(crypto_info.iv, iv.data + -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } -+ -+ memcpy(crypto_info.salt, iv.data, -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); -+ memcpy(crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -+ memcpy(crypto_info.key, cipher_key.data, -+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ if (setsockopt (sockin, SOL_TLS, TLS_RX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; - default: - assert(0); - } -+ -+ - } - - ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key, -@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; - -@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 crypto_info; -- memset(&crypto_info, 0, sizeof(crypto_info)); -+ memset(&crypto_info, 0, sizeof (crypto_info)); - - crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; - assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE); -@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - } - } - break; -+ case GNUTLS_CIPHER_AES_128_CCM: -+ { -+ struct tls12_crypto_info_aes_ccm_128 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; -+ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE + -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ -+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE, -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ } -+ -+ memcpy (crypto_info.salt, iv.data, -+ TLS_CIPHER_AES_CCM_128_SALT_SIZE); -+ memcpy (crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -+ memcpy (crypto_info.key, cipher_key.data, -+ TLS_CIPHER_AES_CCM_128_KEY_SIZE); -+ -+ if (setsockopt (sockout, SOL_TLS, TLS_TX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; -+ case GNUTLS_CIPHER_CHACHA20_POLY1305: -+ { -+ struct tls12_crypto_info_chacha20_poly1305 crypto_info; -+ memset(&crypto_info, 0, sizeof (crypto_info)); -+ -+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; -+ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ /* for TLS 1.2 IV is generated in kernel */ -+ if (version == GNUTLS_TLS1_2) { -+ crypto_info.info.version = TLS_1_2_VERSION; -+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } else { -+ crypto_info.info.version = TLS_1_3_VERSION; -+ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE + -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ -+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ } -+ -+ memcpy (crypto_info.salt, iv.data, -+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); -+ memcpy (crypto_info.rec_seq, seq_number, -+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -+ memcpy (crypto_info.key, cipher_key.data, -+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); -+ -+ if (setsockopt (sockout, SOL_TLS, TLS_TX, -+ &crypto_info, sizeof (crypto_info))) { -+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND; -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ } -+ } -+ break; - default: - assert(0); - } - -+ - // set callback for sending handshake messages - gnutls_handshake_set_read_function(session, - _gnutls_ktls_send_handshake_msg); --- -2.38.1 - - -From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Fri, 2 Dec 2022 11:07:48 +0100 -Subject: [PATCH 2/2] KTLS: add ciphersuites (tests) - -Signed-off-by: Frantisek Krenzelok ---- - tests/gnutls_ktls.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c -index 8f9c5fa36..919270778 100644 ---- a/tests/gnutls_ktls.c -+++ b/tests/gnutls_ktls.c -@@ -350,8 +350,12 @@ void doit(void) - { - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); - run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305"); - } - - #endif /* _WIN32 */ --- -2.38.1 - diff --git a/gnutls-3.7.8-ktls_invalidate_session.patch b/gnutls-3.7.8-ktls_invalidate_session.patch deleted file mode 100644 index aaa4793..0000000 --- a/gnutls-3.7.8-ktls_invalidate_session.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 11:10:58 +0900 -Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info - -Signed-off-by: Daiki Ueno ---- - src/common.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/common.c b/src/common.c -index 6d2056f95..20327b41c 100644 ---- a/src/common.c -+++ b/src/common.c -@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, - if (ret < 0) { - fprintf(stderr, "Encoding error: %s\n", - gnutls_strerror(ret)); -- return; -+ goto cleanup; - } - - log_msg(out, "\n%s\n", (char*)pem.data); -@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, - gnutls_free(pem.data); - } - -+ cleanup: -+ gnutls_pcert_deinit(&pk_cert); - } - - /* returns false (0) if not verified, or true (1) otherwise --- -2.38.1 - - -From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 11:14:53 +0900 -Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek - -Signed-off-by: Daiki Ueno ---- - tests/resume-with-previous-stek.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c -index 94f165627..98aba8d84 100644 ---- a/tests/resume-with-previous-stek.c -+++ b/tests/resume-with-previous-stek.c -@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio) - - gnutls_deinit(session); - } -+ -+ gnutls_free(session_data.data); - } - - typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key, --- -2.38.1 - diff --git a/gnutls-3.7.8-ktls_key_update.patch b/gnutls-3.7.8-ktls_key_update.patch deleted file mode 100644 index 5ca8a37..0000000 --- a/gnutls-3.7.8-ktls_key_update.patch +++ /dev/null @@ -1,957 +0,0 @@ -From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 2 Aug 2022 15:00:50 +0200 -Subject: [PATCH 1/7] KTLS: set key on specific interfaces - -It is now possible to set key on specific interface. -If interface given is not ktls enabled then it will be ignored. - -Signed-off-by: Frantisek Krenzelok ---- - lib/handshake.c | 2 +- - lib/system/ktls.c | 12 +++++++----- - lib/system/ktls.h | 7 ++++++- - 3 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index 21edc5ece..cb2bc3ae9 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { -- _gnutls_ktls_set_keys(session); -+ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); - } - #endif - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index ddf27fac7..70b9b9b3a 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session) - } - } - --int _gnutls_ktls_set_keys(gnutls_session_t session) -+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in) - { - gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session); - gnutls_datum_t mac_key; -@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - return ret; - } - -- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){ -+ in &= session->internals.ktls_enabled; -+ -+ if(in & GNUTLS_KTLS_RECV){ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { -@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - } - -- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){ -+ if(in & GNUTLS_KTLS_SEND){ - switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { -@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session) - } - } - -- return 0; -+ return in; - } - - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, -@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) { - void _gnutls_ktls_enable(gnutls_session_t session) { - } - --int _gnutls_ktls_set_keys(gnutls_session_t session) { -+int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) { - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } - -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index 8a98a8eb8..c8059092d 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -4,14 +4,19 @@ - #include "gnutls_int.h" - - void _gnutls_ktls_enable(gnutls_session_t session); --int _gnutls_ktls_set_keys(gnutls_session_t session); -+ -+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in); -+ - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t *offset, size_t count); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type, - void *data, size_t data_size); -+ - int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size); - #define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z) - --- -2.39.0 - - -From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 2 Aug 2022 13:35:39 +0200 -Subject: [PATCH 2/7] KTLS: set new keys for keyupdate - -set new keys durring gnutls_session_key_update() -setting keys - -Signed-off-by: Frantisek Krenzelok ---- - lib/tls13/key_update.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c -index c6f6e0aa1..10c0a9110 100644 ---- a/lib/tls13/key_update.c -+++ b/lib/tls13/key_update.c -@@ -27,6 +27,7 @@ - #include "mem.h" - #include "mbuffers.h" - #include "secrets.h" -+#include "system/ktls.h" - - #define KEY_UPDATES_WINDOW 1000 - #define KEY_UPDATES_PER_WINDOW 8 -@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) - * write keys */ - if (session->internals.recv_state == RECV_STATE_EARLY_START) { - ret = _tls13_write_connection_state_init(session, stage); -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); - } else { - ret = _tls13_connection_state_init(session, stage); -+ -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); -+ - } - if (ret < 0) - return gnutls_assert_val(ret); --- -2.39.0 - - -From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Wed, 3 Aug 2022 14:20:35 +0200 -Subject: [PATCH 3/7] KTLS: send update key request - -Set hanshake send function after interface initialization -TODO: handel setting function differently - -Signed-off-by: Frantisek Krenzelok ---- - lib/record.c | 23 ++++++++++++++++------- - lib/system/ktls.c | 21 +++++++++++++++++++++ - lib/system/ktls.h | 5 +++++ - 3 files changed, 42 insertions(+), 7 deletions(-) - -diff --git a/lib/record.c b/lib/record.c -index fd24acaf1..aad128e1f 100644 ---- a/lib/record.c -+++ b/lib/record.c -@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data, - session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3; - FALLTHROUGH; - case RECORD_SEND_KEY_UPDATE_3: -- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -- -1, EPOCH_WRITE_CURRENT, -- session->internals.record_key_update_buffer.data, -- session->internals.record_key_update_buffer.length, -- MBUFFER_FLUSH); -+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { -+ return _gnutls_ktls_send(session, -+ session->internals.record_key_update_buffer.data, -+ session->internals.record_key_update_buffer.length); -+ } else { -+ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -+ -1, EPOCH_WRITE_CURRENT, -+ session->internals.record_key_update_buffer.data, -+ session->internals.record_key_update_buffer.length, -+ MBUFFER_FLUSH); -+ } - _gnutls_buffer_clear(&session->internals.record_key_update_buffer); - session->internals.rsend_state = RECORD_SEND_NORMAL; - if (ret < 0) -@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session, - return gnutls_assert_val(0); - - /* When using this, the outgoing handshake messages should -- * also be handled manually */ -- if (!session->internals.h_read_func) -+ * also be handled manually unless KTLS is enabled exclusively -+ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages -+ * are handled by GnuTLS. -+ */ -+ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - if (session->internals.initial_negotiation_completed) { -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 70b9b9b3a..5da0a8069 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - default: - assert(0); - } -+ // set callback for sending handshake messages -+ gnutls_handshake_set_read_function(session, -+ _gnutls_ktls_send_handshake_msg); - } - - return in; -@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, - return data_size; - } - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size) -+{ -+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, -+ data, data_size); -+} -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, - unsigned char *record_type, void *data, size_t data_size) - { -@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size) -+{ -+ (void)level; -+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -+} -+ - int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, - void *data, size_t data_size) { - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index c8059092d..8d61a49df 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t *offset, size_t count); - -+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_handshake_description_t htype, -+ const void *data, size_t data_size); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); --- -2.39.0 - - -From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Mon, 22 Aug 2022 10:50:37 +0200 -Subject: [PATCH 4/7] KTLS: receive key update - -handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly - -Signed-off-by: Frantisek Krenzelok ---- - lib/system/ktls.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index 5da0a8069..f3cb343ae 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, - ret = 0; - break; - case GNUTLS_HANDSHAKE: -- // ignore post-handshake messages -+ ret = gnutls_handshake_write(session, -+ GNUTLS_ENCRYPTION_LEVEL_APPLICATION, -+ data, ret); -+ -+ if (ret < 0) -+ return gnutls_assert_val(ret); -+ - if (type != record_type) - return GNUTLS_E_AGAIN; - break; --- -2.39.0 - - -From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Fri, 5 Aug 2022 16:38:02 +0200 -Subject: [PATCH 5/7] KTLS: set write alert callback - -Use callback for sending alerts. - -Signed-off-by: Frantisek Krenzelok ---- - lib/alert.c | 13 ++++--------- - lib/system/ktls.c | 15 +++++++++++++++ - lib/system/ktls.h | 5 +++++ - 3 files changed, 24 insertions(+), 9 deletions(-) - -diff --git a/lib/alert.c b/lib/alert.c -index 50bd1d3de..fda8cd79f 100644 ---- a/lib/alert.c -+++ b/lib/alert.c -@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level, - return ret; - } - -- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) { -- ret = -- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); -- } else { -- ret = -- _gnutls_send_int(session, GNUTLS_ALERT, -1, -- EPOCH_WRITE_CURRENT, data, 2, -- MBUFFER_FLUSH); -- } -+ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1, -+ EPOCH_WRITE_CURRENT, data, 2, -+ MBUFFER_FLUSH); -+ - return (ret < 0) ? ret : 0; - } - -diff --git a/lib/system/ktls.c b/lib/system/ktls.c -index f3cb343ae..703775960 100644 ---- a/lib/system/ktls.c -+++ b/lib/system/ktls.c -@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable - default: - assert(0); - } -+ - // set callback for sending handshake messages - gnutls_handshake_set_read_function(session, - _gnutls_ktls_send_handshake_msg); -+ -+ // set callback for sending alert messages -+ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg); - } - - return in; -@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, - data, data_size); - } - -+int _gnutls_ktls_send_alert_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_alert_level_t alert_level, -+ gnutls_alert_description_t alert_desc) -+{ -+ uint8_t data[2]; -+ data[0] = (uint8_t) alert_level; -+ data[1] = (uint8_t) alert_desc; -+ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); -+} -+ - int _gnutls_ktls_recv_control_msg(gnutls_session_t session, - unsigned char *record_type, void *data, size_t data_size) - { -diff --git a/lib/system/ktls.h b/lib/system/ktls.h -index 8d61a49df..64e1c9c1c 100644 ---- a/lib/system/ktls.h -+++ b/lib/system/ktls.h -@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, - gnutls_handshake_description_t htype, - const void *data, size_t data_size); - -+int _gnutls_ktls_send_alert_msg(gnutls_session_t session, -+ gnutls_record_encryption_level_t level, -+ gnutls_alert_level_t alert_level, -+ gnutls_alert_description_t alert_desc); -+ - int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, - const void *data, size_t data_size); - #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); --- -2.39.0 - - -From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Tue, 9 Aug 2022 12:11:16 +0200 -Subject: [PATCH 6/7] KTLS: rekey test - -Signed-off-by: Frantisek Krenzelok ---- - tests/Makefile.am | 2 + - tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++ - tests/ktls_keyupdate.sh | 46 +++++ - 3 files changed, 429 insertions(+) - create mode 100644 tests/ktls_keyupdate.c - create mode 100755 tests/ktls_keyupdate.sh - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 1122886b3..2d345d478 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -500,6 +500,8 @@ endif - if ENABLE_KTLS - indirect_tests += gnutls_ktls - dist_check_SCRIPTS += ktls.sh -+indirect_tests += ktls_keyupdate -+dist_check_SCRIPTS += ktls_keyupdate.sh - endif - - if !WINDOWS -diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c -new file mode 100644 -index 000000000..9fbff38ae ---- /dev/null -+++ b/tests/ktls_keyupdate.c -@@ -0,0 +1,381 @@ -+// Copyright (C) 2022 Red Hat, Inc. -+// -+// Author: Frantisek Krenzelok -+// -+// This file is part of GnuTLS. -+// -+// GnuTLS is free software; you can redistribute it and/or modify it -+// under the terms of the GNU General Public License as published by the -+// Free Software Foundation; either version 3 of the License, or (at -+// your option) any later version. -+// -+// GnuTLS is distributed in the hope that it will be useful, but -+// WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+// General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License -+// along with GnuTLS; if not, write to the Free Software Foundation, -+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "cert-common.h" -+#include "utils.h" -+ -+#if defined(_WIN32) -+ -+int main(void) -+{ -+ exit(77); -+} -+ -+#else -+ -+ -+#define MAX_BUF 1024 -+#define MSG "Hello world!" -+ -+#define HANDSHAKE(session, name, ret)\ -+{\ -+ do {\ -+ ret = gnutls_handshake(session);\ -+ }\ -+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\ -+ if (ret < 0) {\ -+ fail("%s: Handshake failed\n", name);\ -+ goto end;\ -+ }\ -+} -+ -+#define SEND_MSG(session, name, ret)\ -+{\ -+ do {\ -+ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\ -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret < 0) {\ -+ fail("%s: data sending has failed (%s)\n",name,\ -+ gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+} -+ -+#define RECV_MSG(session, name, buffer, buffer_len, ret)\ -+{\ -+ memset(buffer, 0, sizeof(buffer));\ -+ do{\ -+ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\ -+ }\ -+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret == 0) {\ -+ success("%s: Peer has closed the TLS connection\n", name);\ -+ goto end;\ -+ } else if (ret < 0) {\ -+ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+ if(strncmp(buffer, MSG, ret)){\ -+ fail("%s: Message doesn't match\n", name);\ -+ goto end;\ -+ }\ -+} -+ -+#define KEY_UPDATE(session, name, peer_req, ret)\ -+{\ -+ do {\ -+ ret = gnutls_session_key_update(session, peer_req);\ -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\ -+ if (ret < 0) {\ -+ fail("%s: key update has failed (%s)\n", name, \ -+ gnutls_strerror(ret));\ -+ goto end;\ -+ }\ -+} -+ -+#define CHECK_KTLS_ENABLED(session, ret)\ -+{\ -+ ret = gnutls_transport_is_ktls_enabled(session);\ -+ if (!(ret & GNUTLS_KTLS_RECV)){\ -+ fail("client: KTLS was not properly initialized\n");\ -+ goto end;\ -+ }\ -+} -+ -+static void server_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "server|<%d>| %s", level, str); -+} -+ -+static void client_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "client|<%d>| %s", level, str); -+} -+ -+ -+static void client(int fd, const char *prio, int pipe) -+{ -+ const char *name = "client"; -+ int ret; -+ char foo; -+ char buffer[MAX_BUF + 1]; -+ gnutls_certificate_credentials_t x509_cred; -+ gnutls_session_t session; -+ -+ global_init(); -+ -+ if (debug) { -+ gnutls_global_set_log_function(client_log_func); -+ gnutls_global_set_log_level(7); -+ } -+ -+ gnutls_certificate_allocate_credentials(&x509_cred); -+ -+ gnutls_init(&session, GNUTLS_CLIENT); -+ gnutls_handshake_set_timeout(session, 0); -+ -+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0); -+ -+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); -+ -+ gnutls_transport_set_int(session, fd); -+ -+ HANDSHAKE(session, name, ret); -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 0: Try sending/receiving data -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 1: Servers does key update -+ read(pipe, &foo, 1); -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ // Test 2: Does key update witch request -+ read(pipe, &foo, 1); -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ SEND_MSG(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); -+ if (ret < 0) { -+ fail("client: error in closing session: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = 0; -+ end: -+ -+ close(fd); -+ -+ gnutls_deinit(session); -+ -+ gnutls_certificate_free_credentials(x509_cred); -+ -+ gnutls_global_deinit(); -+ -+ if (ret != 0) -+ exit(1); -+} -+ -+pid_t child; -+static void terminate(void) -+{ -+ assert(child); -+ kill(child, SIGTERM); -+ exit(1); -+} -+ -+static void server(int fd, const char *prio, int pipe) -+{ -+ const char *name = "server"; -+ int ret; -+ char bar = 0; -+ char buffer[MAX_BUF + 1]; -+ gnutls_certificate_credentials_t x509_cred; -+ gnutls_session_t session; -+ -+ global_init(); -+ -+ if (debug) { -+ gnutls_global_set_log_function(server_log_func); -+ gnutls_global_set_log_level(7); -+ } -+ -+ gnutls_certificate_allocate_credentials(&x509_cred); -+ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, -+ &server_key, -+ GNUTLS_X509_FMT_PEM); -+ if (ret < 0) -+ exit(1); -+ -+ gnutls_init(&session, GNUTLS_SERVER); -+ gnutls_handshake_set_timeout(session, 0); -+ -+ assert(gnutls_priority_set_direct(session, prio, NULL)>=0); -+ -+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); -+ -+ gnutls_transport_set_int(session, fd); -+ -+ HANDSHAKE(session, name, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 0: sending/receiving data\n"); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 1: server key update without request\n"); -+ KEY_UPDATE(session, name, 0, ret) -+ write(pipe, &bar, 1); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ success("Test 2: server key update with request\n"); -+ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret) -+ write(pipe, &bar, 1); -+ SEND_MSG(session, name, ret) -+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret) -+ -+ CHECK_KTLS_ENABLED(session, ret) -+ -+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); -+ if (ret < 0) { -+ fail("server: error in closing session: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = 0; -+end: -+ close(fd); -+ gnutls_deinit(session); -+ -+ gnutls_certificate_free_credentials(x509_cred); -+ -+ gnutls_global_deinit(); -+ -+ if (ret){ -+ terminate(); -+ } -+ -+ if (debug) -+ success("server: finished\n"); -+} -+ -+static void ch_handler(int sig) -+{ -+ return; -+} -+ -+static void run(const char *prio) -+{ -+ int ret; -+ struct sockaddr_in saddr; -+ socklen_t addrlen; -+ int listener; -+ int fd; -+ -+ int sync_pipe[2]; //used for synchronization -+ pipe(sync_pipe); -+ -+ success("running ktls test with %s\n", prio); -+ -+ signal(SIGCHLD, ch_handler); -+ signal(SIGPIPE, SIG_IGN); -+ -+ listener = socket(AF_INET, SOCK_STREAM, 0); -+ if (listener == -1){ -+ fail("error in listener(): %s\n", strerror(errno)); -+ } -+ -+ memset(&saddr, 0, sizeof(saddr)); -+ saddr.sin_family = AF_INET; -+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); -+ saddr.sin_port = 0; -+ -+ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr)); -+ if (ret == -1){ -+ fail("error in bind(): %s\n", strerror(errno)); -+ } -+ -+ addrlen = sizeof(saddr); -+ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen); -+ if (ret == -1){ -+ fail("error in getsockname(): %s\n", strerror(errno)); -+ } -+ -+ child = fork(); -+ if (child < 0) { -+ fail("error in fork(): %s\n", strerror(errno)); -+ exit(1); -+ } -+ -+ if (child) { -+ int status; -+ /* parent */ -+ ret = listen(listener, 1); -+ if (ret == -1) { -+ fail("error in listen(): %s\n", strerror(errno)); -+ } -+ -+ fd = accept(listener, NULL, NULL); -+ if (fd == -1) { -+ fail("error in accept(): %s\n", strerror(errno)); -+ } -+ -+ close(sync_pipe[0]); -+ server(fd, prio, sync_pipe[1]); -+ -+ wait(&status); -+ check_wait_status(status); -+ } else { -+ fd = socket(AF_INET, SOCK_STREAM, 0); -+ if (fd == -1){ -+ fail("error in socket(): %s\n", strerror(errno)); -+ exit(1); -+ } -+ -+ usleep(1000000); -+ connect(fd, (struct sockaddr*)&saddr, addrlen); -+ -+ close(sync_pipe[1]); -+ client(fd, prio, sync_pipe[0]); -+ exit(0); -+ } -+} -+ -+void doit(void) -+{ -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM"); -+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM"); -+} -+ -+#endif /* _WIN32 */ -diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh -new file mode 100755 -index 000000000..d072acafc ---- /dev/null -+++ b/tests/ktls_keyupdate.sh -@@ -0,0 +1,46 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Author: Daiki Ueno -+# -+# This file is part of GnuTLS. -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+: ${builddir=.} -+ -+. "$srcdir/scripts/common.sh" -+ -+if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then -+ exit 77 -+fi -+ -+testdir=`create_testdir ktls_keyupdate` -+ -+cfg="$testdir/config" -+ -+cat < "$cfg" -+[global] -+ktls = true -+EOF -+ -+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \ -+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \ -+"$builddir/ktls_keyupdate" "$@" -+rc=$? -+ -+rm -rf "$testdir" -+exit $rc --- -2.39.0 - - -From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001 -From: Frantisek Krenzelok -Date: Mon, 5 Sep 2022 13:05:17 +0200 -Subject: [PATCH 7/7] KTLS: fallback to default - -If an error occurs during setting of keys either initial or key update -then fallback to default mode of operation (disable ktls) and let the -user know - -Signed-off-by: Frantisek Krenzelok ---- - lib/handshake.c | 7 ++++++- - lib/tls13/key_update.c | 23 +++++++++++++++++++---- - 2 files changed, 25 insertions(+), 5 deletions(-) - -diff --git a/lib/handshake.c b/lib/handshake.c -index cb2bc3ae9..14bcdea56 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session) - - #ifdef ENABLE_KTLS - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { -- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); -+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); -+ if (ret < 0) { -+ session->internals.ktls_enabled = 0; -+ _gnutls_audit_log(session, -+ "disabling KTLS: failed to set keys\n"); -+ } - } - #endif - -diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c -index 10c0a9110..acfda4129 100644 ---- a/lib/tls13/key_update.c -+++ b/lib/tls13/key_update.c -@@ -32,6 +32,20 @@ - #define KEY_UPDATES_WINDOW 1000 - #define KEY_UPDATES_PER_WINDOW 8 - -+/* -+ * Sets kTLS keys if enabled. -+ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled -+ * because KTLS most likely doesn't support key update. -+ */ -+#define SET_KTLS_KEYS(session, interface)\ -+{\ -+ if(_gnutls_ktls_set_keys(session, interface) < 0) {\ -+ session->internals.ktls_enabled = 0;\ -+ _gnutls_audit_log(session, \ -+ "disabling KTLS: couldn't update keys\n");\ -+ }\ -+} -+ - static int update_keys(gnutls_session_t session, hs_stage_t stage) - { - int ret; -@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) - if (session->internals.recv_state == RECV_STATE_EARLY_START) { - ret = _tls13_write_connection_state_init(session, stage); - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) - } else { - ret = _tls13_connection_state_init(session, stage); -+ if (ret < 0) -+ return gnutls_assert_val(ret); - - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND); -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND) - else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS) -- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV); -- -+ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV) - } - if (ret < 0) - return gnutls_assert_val(ret); --- -2.39.0 - diff --git a/gnutls-3.7.8-ktls_minor_fixes.patch b/gnutls-3.7.8-ktls_minor_fixes.patch deleted file mode 100644 index 99749a1..0000000 --- a/gnutls-3.7.8-ktls_minor_fixes.patch +++ /dev/null @@ -1,155 +0,0 @@ -From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:17:12 +0900 -Subject: [PATCH 1/3] includes: move KTLS function definition out of - - - is meant for the functions that depend on -, which is not available on Windows platforms. - -As the KTLS API doesn't rely on , move the function and -enum to . - -Signed-off-by: Daiki Ueno ---- - lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++ - lib/includes/gnutls/socket.h | 21 --------------------- - 2 files changed, 21 insertions(+), 21 deletions(-) - -diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in -index 394d465e3..830ce5f95 100644 ---- a/lib/includes/gnutls/gnutls.h.in -+++ b/lib/includes/gnutls/gnutls.h.in -@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void); - - int gnutls_fips140_run_self_tests(void); - -+/** -+ * gnutls_transport_ktls_enable_flags_t: -+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function. -+ * @GNUTLS_KTLS_SEND: ktls enabled for send function. -+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. -+ * -+ * Flag enumeration of ktls enable status for recv and send functions. -+ * This is used by gnutls_transport_is_ktls_enabled(). -+ * -+ * Since: 3.7.3 -+ */ -+typedef enum { -+ GNUTLS_KTLS_RECV = 1 << 0, -+ GNUTLS_KTLS_SEND = 1 << 1, -+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, -+} gnutls_transport_ktls_enable_flags_t; -+ -+ -+gnutls_transport_ktls_enable_flags_t -+gnutls_transport_is_ktls_enabled(gnutls_session_t session); -+ - /* Gnutls error codes. The mapping to a TLS alert is also shown in - * comments. - */ -diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h -index 4df7bb2e0..64eb19f89 100644 ---- a/lib/includes/gnutls/socket.h -+++ b/lib/includes/gnutls/socket.h -@@ -37,27 +37,6 @@ extern "C" { - #endif - /* *INDENT-ON* */ - --/** -- * gnutls_transport_ktls_enable_flags_t: -- * @GNUTLS_KTLS_RECV: ktls enabled for recv function. -- * @GNUTLS_KTLS_SEND: ktls enabled for send function. -- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions. -- * -- * Flag enumeration of ktls enable status for recv and send functions. -- * This is used by gnutls_transport_is_ktls_enabled(). -- * -- * Since: 3.7.3 -- */ --typedef enum { -- GNUTLS_KTLS_RECV = 1 << 0, -- GNUTLS_KTLS_SEND = 1 << 1, -- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND, --} gnutls_transport_ktls_enable_flags_t; -- -- --gnutls_transport_ktls_enable_flags_t --gnutls_transport_is_ktls_enabled(gnutls_session_t session); -- - void gnutls_transport_set_fastopen(gnutls_session_t session, - int fd, - struct sockaddr *connect_addr, --- -2.38.1 - - -From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:13:31 +0900 -Subject: [PATCH 2/3] src: print KTLS enablement status in - gnutls-serv/gnutls-cli - -Signed-off-by: Daiki Ueno ---- - src/common.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/common.c b/src/common.c -index 6d2056f95..d357c7fb8 100644 ---- a/src/common.c -+++ b/src/common.c -@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags) - gnutls_datum_t p; - char *desc; - gnutls_protocol_t version; -+ gnutls_transport_ktls_enable_flags_t ktls_flags; - int rc; - - desc = gnutls_session_get_desc(session); -@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags) - - print_channel_bindings(session, verbose); - -+ ktls_flags = gnutls_transport_is_ktls_enabled(session); -+ if (ktls_flags != 0) { -+ log_msg(stdout, "- KTLS: %s\n", -+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" : -+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" : -+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" : -+ "unknown"); -+ } -+ - fflush(stdout); - - return 0; --- -2.38.1 - - -From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 28 Nov 2022 12:15:26 +0900 -Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file - -Signed-off-by: Daiki Ueno ---- - lib/priority.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/priority.c b/lib/priority.c -index 97831e63b..6266bb571 100644 ---- a/lib/priority.c -+++ b/lib/priority.c -@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name, - p = clear_spaces(value, str); - if (c_strcasecmp(p, "true") == 0) { - cfg->ktls_enabled = true; -+ } else if (c_strcasecmp(p, "false") == 0) { -+ cfg->ktls_enabled = false; - } else { - _gnutls_debug_log("cfg: unknown ktls mode %s\n", - p); --- -2.38.1 - diff --git a/gnutls.spec b/gnutls.spec index 4277ccd..55c9277 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,21 +12,16 @@ sha256sum:close() print(string.sub(hash, 0, 16)) } +%global with_srp 0%{?fedora} < 38 + %global with_mingw 0 %if 0%{?fedora} %global with_mingw 0%{!?_without_mingw:1} %endif -Version: 3.7.8 +Version: 3.8.0 Release: %{?autorelease}%{!?autorelease:1%{?dist}} -Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch Patch: gnutls-3.2.7-rpath.patch -Patch: gnutls-3.6.7-no-now-guile.patch - -Patch: gnutls-3.7.8-ktls_key_update.patch -Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch -Patch: gnutls-3.7.8-ktls_minor_fixes.patch -Patch: gnutls-3.7.8-ktls_invalidate_session.patch # Delete only after the kernel has been patched for thested systems Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch @@ -36,13 +31,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch %bcond_without bootstrap %bcond_without dane -%if 0%{?rhel} -%bcond_with guile -%bcond_without fips -%else -%bcond_without guile %bcond_without fips -%endif %bcond_with tpm12 %bcond_without tpm2 %bcond_without gost @@ -87,9 +76,6 @@ Recommends: trousers >= 0.3.11.2 %if %{with dane} BuildRequires: unbound-devel unbound-libs %endif -%if %{with guile} -BuildRequires: guile22-devel -%endif BuildRequires: make gtk-doc %if %{with_mingw} @@ -147,13 +133,6 @@ Summary: A DANE protocol implementation for GnuTLS Requires: %{name}%{?_isa} = %{version}-%{release} %endif -%if %{with guile} -%package guile -Summary: Guile bindings for the GNUTLS library -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: guile22 -%endif - %description GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language @@ -197,16 +176,6 @@ This package contains library that implements the DANE protocol for verifying TLS certificates through DNSSEC. %endif -%if %{with guile} -%description guile -GnuTLS is a secure communications library implementing the SSL, TLS and DTLS -protocols and technologies around them. It provides a simple C language -application programming interface (API) to access the secure communications -protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and -other required structures. -This package contains Guile bindings for the library. -%endif - %if %{with_mingw} %package -n mingw32-%{name} Summary: MinGW GnuTLS TLS/SSL encryption library @@ -251,15 +220,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes" export CCASFLAGS -%if %{with guile} -# These should be checked by m4/guile.m4 instead of configure.ac -# taking into account of _guile_suffix -guile_snarf=%{_bindir}/guile-snarf2.2 -export guile_snarf -GUILD=%{_bindir}/guild2.2 -export GUILD -%endif - %if %{with fips} eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release) export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name" @@ -279,6 +239,9 @@ pushd native_build %else --disable-gost \ %endif +%if %{with_srp} + --enable-srp-authentication \ +%endif --enable-sha1-support \ --disable-static \ --disable-openssl-compatibility \ @@ -297,12 +260,6 @@ pushd native_build %endif --enable-ktls \ --htmldir=%{_docdir}/manual \ -%if %{with guile} - --enable-guile \ - --with-guile-extension-dir=%{_libdir}/guile/2.2 \ -%else - --disable-guile \ -%endif %if %{with dane} --with-unbound-root-key-file=/var/lib/unbound/root.key \ --enable-libdane \ @@ -324,11 +281,13 @@ popd # MinGW does not support CCASFLAGS export CCASFLAGS="" %mingw_configure \ +%if %{with_srp} + --enable-srp-authentication \ +%endif --enable-sha1-support \ --disable-static \ --disable-openssl-compatibility \ --disable-non-suiteb-curves \ - --disable-guile \ --disable-libdane \ --disable-rpath \ --disable-nls \ @@ -348,8 +307,6 @@ pushd native_build make -C doc install-html DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a -rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la %if %{without dane} rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc %endif @@ -358,8 +315,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc # doing it twice should be a no-op the second time, # and this way we avoid redefining it and missing a future change %{__spec_install_post} -./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac -sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac +fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*` +./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac" +ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac" %endif %if %{with fips} @@ -412,7 +371,7 @@ popd %files -f native_build/gnutls.lang %{_libdir}/libgnutls.so.30* %if %{with fips} -%{_libdir}/.gnutls.hmac +%{_libdir}/.libgnutls.so.30*.hmac %endif %doc README.md AUTHORS NEWS THANKS %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -438,7 +397,9 @@ popd %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool +%if %{with_srp} %{_bindir}/srptool +%endif %if %{with dane} %{_bindir}/danetool %endif @@ -451,15 +412,6 @@ popd %{_libdir}/libgnutls-dane.so.* %endif -%if %{with guile} -%files guile -%{_libdir}/guile/2.2/guile-gnutls*.so* -%{_libdir}/guile/2.2/site-ccache/gnutls.go -%{_libdir}/guile/2.2/site-ccache/gnutls/extra.go -%{_datadir}/guile/site/2.2/gnutls.scm -%{_datadir}/guile/site/2.2/gnutls/extra.scm -%endif - %if %{with_mingw} %files -n mingw32-%{name} %license LICENSE doc/COPYING doc/COPYING.LESSER @@ -471,7 +423,9 @@ popd %{mingw32_bindir}/ocsptool.exe %{mingw32_bindir}/p11tool.exe %{mingw32_bindir}/psktool.exe +%if %{with_srp} %{mingw32_bindir}/srptool.exe +%endif %{mingw32_libdir}/libgnutls.dll.a %{mingw32_libdir}/libgnutls-30.def %{mingw32_libdir}/pkgconfig/gnutls.pc @@ -487,7 +441,9 @@ popd %{mingw64_bindir}/ocsptool.exe %{mingw64_bindir}/p11tool.exe %{mingw64_bindir}/psktool.exe +%if %{with_srp} %{mingw64_bindir}/srptool.exe +%endif %{mingw64_libdir}/libgnutls.dll.a %{mingw64_libdir}/libgnutls-30.def %{mingw64_libdir}/pkgconfig/gnutls.pc diff --git a/sources b/sources index 0ceeebf..f6b15ed 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359 -SHA512 (gnutls-3.7.8.tar.xz.sig) = cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7 +SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629 +SHA512 (gnutls-3.8.0.tar.xz.sig) = 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654 SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d