diff --git a/.gitignore b/.gitignore
index b67cb46..35f93b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -148,3 +148,5 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.8.1.tar.xz.sig
 /gnutls-3.8.2.tar.xz
 /gnutls-3.8.2.tar.xz.sig
+/gnutls-3.8.3.tar.xz
+/gnutls-3.8.3.tar.xz.sig
diff --git a/README.packit b/README.packit
index 5998f60..8c508a5 100644
--- a/README.packit
+++ b/README.packit
@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 0.85.0.
+The file was generated using packit 0.88.0.
diff --git a/gnutls-3.8.2-revert-pkcs11-ed448.patch b/gnutls-3.8.2-revert-pkcs11-ed448.patch
deleted file mode 100644
index 33a9b09..0000000
--- a/gnutls-3.8.2-revert-pkcs11-ed448.patch
+++ /dev/null
@@ -1,701 +0,0 @@ -From 8b7065ed5c72d34d3bf3e0bb803d81fb3abdcb8b Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 1 Dec 2023 17:42:09 +0900 -Subject: [PATCH] Revert "pkcs11: support Ed448 keys" - -This reverts commit 8cd6e84edaad4a826e481ae045548587f98bd9f7. ---- - lib/pkcs11.c | 23 +--- - lib/pkcs11_int.h | 23 +++- - lib/pkcs11_privkey.c | 67 +--------- - lib/pkcs11_write.c | 9 +- - lib/pubkey.c | 1 - - tests/cert-common.h | 47 +------ - tests/pkcs11/pkcs11-eddsa-privkey-test.c | 160 +++++++++++------------ - tests/pkcs11/pkcs11-privkey-generate.c | 17 +-- - tests/tls13/ocsp-client.c | 4 +- - 9 files changed, 114 insertions(+), 237 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index c46d1f7e61..a96605da60 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -1796,7 +1796,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- pobj->pk_algorithm = GNUTLS_PK_RSA; - } else { - gnutls_assert(); - ret = GNUTLS_E_PKCS11_ERROR; -@@ -1852,7 +1851,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[3].size = a[1].value_len; - - pobj->pubkey_size = 4; -- pobj->pk_algorithm = GNUTLS_PK_DSA; - } else { - gnutls_assert(); - ret = pkcs11_rv_to_err(rv); -@@ -1877,7 +1875,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- pobj->pk_algorithm = GNUTLS_PK_EC; - } else { - gnutls_assert(); - -@@ -1898,9 +1895,6 @@ int pkcs11_read_pubkey(struct ck_function_list *module, ck_session_handle_t pks, - - if ((rv = pkcs11_get_attribute_value(module, pks, ctx, a, 2)) == - CKR_OK) { -- gnutls_ecc_curve_t curve; -- const gnutls_ecc_curve_entry_st *ce; -- - pobj->pubkey[0].data = a[0].value; - pobj->pubkey[0].size = a[0].value_len; - -@@ -1908,26 +1902,13 @@ int pkcs11_read_pubkey(struct ck_function_list *module, 
ck_session_handle_t pks, - pobj->pubkey[1].size = a[1].value_len; - - pobj->pubkey_size = 2; -- -- ret = _gnutls_x509_read_ecc_params(pobj->pubkey[0].data, -- pobj->pubkey[0].size, -- &curve); -- if (ret < 0) { -- ret = GNUTLS_E_INVALID_REQUEST; -- goto cleanup; -- } -- ce = _gnutls_ecc_curve_get_params(curve); -- if (unlikely(ce == NULL)) { -- ret = GNUTLS_E_INVALID_REQUEST; -- goto cleanup; -- } -- pobj->pk_algorithm = ce->pk; - } else { - gnutls_assert(); - - ret = pkcs11_rv_to_err(rv); - goto cleanup; - } -+ - break; - #endif - default: -@@ -1964,6 +1945,8 @@ pkcs11_obj_import_pubkey(struct ck_function_list *module, - a[0].value_len = sizeof(key_type); - - if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == CKR_OK) { -+ pobj->pk_algorithm = key_type_to_pk(key_type); -+ - ret = pkcs11_read_pubkey(module, pks, ctx, key_type, pobj); - if (ret < 0) - return gnutls_assert_val(ret); -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 891e98f962..9a3380f9cc 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -247,7 +247,7 @@ static inline int pk_to_mech(gnutls_pk_algorithm_t pk) - else if (pk == GNUTLS_PK_RSA_PSS) - return CKM_RSA_PKCS_PSS; - #ifdef HAVE_PKCS11_EDDSA -- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) -+ else if (pk == GNUTLS_PK_EDDSA_ED25519) - return CKM_EDDSA; - #endif - else -@@ -263,13 +263,29 @@ static inline int pk_to_key_type(gnutls_pk_algorithm_t pk) - else if (pk == GNUTLS_PK_RSA_PSS || pk == GNUTLS_PK_RSA) - return CKK_RSA; - #ifdef HAVE_PKCS11_EDDSA -- else if (pk == GNUTLS_PK_EDDSA_ED25519 || pk == GNUTLS_PK_EDDSA_ED448) -+ else if (pk == GNUTLS_PK_EDDSA_ED25519) - return CKK_EC_EDWARDS; - #endif - else - return -1; - } - -+static inline gnutls_pk_algorithm_t key_type_to_pk(ck_key_type_t m) -+{ -+ if (m == CKK_RSA) -+ return GNUTLS_PK_RSA; -+ else if (m == CKK_DSA) -+ return GNUTLS_PK_DSA; -+ else if (m == CKK_ECDSA) -+ return GNUTLS_PK_EC; -+#ifdef HAVE_PKCS11_EDDSA -+ else if (m == CKK_EC_EDWARDS) 
-+ return GNUTLS_PK_EDDSA_ED25519; -+#endif -+ else -+ return GNUTLS_PK_UNKNOWN; -+} -+ - static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) - { - if (pk == GNUTLS_PK_DSA) { -@@ -282,8 +298,7 @@ static inline int pk_to_genmech(gnutls_pk_algorithm_t pk, ck_key_type_t *type) - *type = CKK_RSA; - return CKM_RSA_PKCS_KEY_PAIR_GEN; - #ifdef HAVE_PKCS11_EDDSA -- } else if (pk == GNUTLS_PK_EDDSA_ED25519 || -- pk == GNUTLS_PK_EDDSA_ED448) { -+ } else if (pk == GNUTLS_PK_EDDSA_ED25519) { - *type = CKK_EC_EDWARDS; - return CKM_EC_EDWARDS_KEY_PAIR_GEN; - #endif -diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c -index b9f36c0a62..a30e44084c 100644 ---- a/lib/pkcs11_privkey.c -+++ b/lib/pkcs11_privkey.c -@@ -486,61 +486,6 @@ cleanup: - return ret; - } - --static inline gnutls_pk_algorithm_t --key_type_to_pk(struct ck_function_list *module, ck_session_handle_t pks, -- ck_object_handle_t ctx, ck_key_type_t m) --{ -- switch (m) { -- case CKK_RSA: -- return GNUTLS_PK_RSA; -- case CKK_DSA: -- return GNUTLS_PK_DSA; -- case CKK_ECDSA: -- return GNUTLS_PK_EC; --#ifdef HAVE_PKCS11_EDDSA -- case CKK_EC_EDWARDS: { -- struct ck_attribute a[1]; -- uint8_t *tmp1; -- size_t tmp1_size; -- gnutls_pk_algorithm_t pk = GNUTLS_PK_UNKNOWN; -- -- tmp1_size = MAX_PK_PARAM_SIZE; -- tmp1 = gnutls_calloc(1, tmp1_size); -- if (tmp1 == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- -- a[0].type = CKA_EC_PARAMS; -- a[0].value = tmp1; -- a[0].value_len = tmp1_size; -- -- if (pkcs11_get_attribute_value(module, pks, ctx, a, 1) == -- CKR_OK) { -- gnutls_ecc_curve_t curve; -- const gnutls_ecc_curve_entry_st *ce; -- int ret; -- -- ret = _gnutls_x509_read_ecc_params( -- a[0].value, a[0].value_len, &curve); -- if (ret < 0) { -- goto edwards_cleanup; -- } -- ce = _gnutls_ecc_curve_get_params(curve); -- if (unlikely(ce == NULL)) { -- goto edwards_cleanup; -- } -- pk = ce->pk; -- } -- -- edwards_cleanup: -- gnutls_free(tmp1); -- return pk; -- } --#endif -- default: -- 
return GNUTLS_PK_UNKNOWN; -- } --} -- - /** - * gnutls_pkcs11_privkey_import_url: - * @pkey: The private key -@@ -616,9 +561,7 @@ int gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey, - a[0].value_len = sizeof(key_type); - if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, - pkey->ref, a, 1) == CKR_OK) { -- pkey->pk_algorithm = key_type_to_pk(pkey->sinfo.module, -- pkey->sinfo.pks, pkey->ref, -- key_type); -+ pkey->pk_algorithm = key_type_to_pk(key_type); - } - - if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { -@@ -1245,7 +1188,6 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, - - break; - case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: - p[p_val].type = CKA_SIGN; - p[p_val].value = (void *)&tval; - p[p_val].value_len = sizeof(tval); -@@ -1256,11 +1198,8 @@ int gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, - a[a_val].value_len = sizeof(tval); - a_val++; - -- ret = _gnutls_x509_write_ecc_params( -- pk == GNUTLS_PK_EDDSA_ED25519 ? 
-- GNUTLS_ECC_CURVE_ED25519 : -- GNUTLS_ECC_CURVE_ED448, -- &der); -+ ret = _gnutls_x509_write_ecc_params(GNUTLS_ECC_CURVE_ED25519, -+ &der); - if (ret < 0) { - gnutls_assert(); - goto cleanup; -diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c -index a3201ddeba..3090721db5 100644 ---- a/lib/pkcs11_write.c -+++ b/lib/pkcs11_write.c -@@ -355,8 +355,7 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, - (*a_val)++; - break; - } -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - gnutls_datum_t params, ecpoint; - - ret = _gnutls_x509_write_ecc_params(pubkey->params.curve, -@@ -936,8 +935,7 @@ int gnutls_pkcs11_copy_x509_privkey2(const char *token_url, - break; - } - #ifdef HAVE_PKCS11_EDDSA -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - ret = _gnutls_x509_write_ecc_params(key->params.curve, &p); - if (ret < 0) { - gnutls_assert(); -@@ -1003,8 +1001,7 @@ cleanup: - break; - } - case GNUTLS_PK_EC: -- case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: { -+ case GNUTLS_PK_EDDSA_ED25519: { - gnutls_free(p.data); - gnutls_free(x.data); - break; -diff --git a/lib/pubkey.c b/lib/pubkey.c -index 1139ad99fc..59ca194f1a 100644 ---- a/lib/pubkey.c -+++ b/lib/pubkey.c -@@ -700,7 +700,6 @@ int gnutls_pubkey_import_pkcs11(gnutls_pubkey_t key, gnutls_pkcs11_obj_t obj, - &obj->pubkey[1]); - break; - case GNUTLS_PK_EDDSA_ED25519: -- case GNUTLS_PK_EDDSA_ED448: - ret = gnutls_pubkey_import_ecc_eddsa(key, &obj->pubkey[0], - &obj->pubkey[1]); - break; -diff --git a/tests/cert-common.h b/tests/cert-common.h -index 57cf6c0c4f..33b3ee3b68 100644 ---- a/tests/cert-common.h -+++ b/tests/cert-common.h -@@ -36,8 +36,7 @@ - * IPv4 server (SAN: IPAddr: 127.0.0.1): server_ca3_ipaddr_cert, server_ca3_key - * IPv4 server (RSA-PSS, SAN: localhost IPAddr: 127.0.0.1): server_ca3_rsa_pss_cert, server_ca3_rsa_pss_key - * IPv4 server (RSA-PSS key, SAN: localhost 
IPAddr: 127.0.0.1): server_ca3_rsa_pss2_cert, server_ca3_rsa_pss2_key -- * IPv4 server (Ed25519, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key -- * IPv4 server (Ed448, SAN: localhost IPAddr: 127.0.0.1): server_ca3_ed448_cert, server_ca3_ed448_key -+ * IPv4 server (EdDSA, SAN: localhost IPAddr: 127.0.0.1): server_ca3_eddsa_cert, server_ca3_eddsa_key - * IPv4 server (GOST R 34.10-2001, SAN: localhost): server_ca3_gost01_cert, server_ca3_gost01_key - * IPv4 server (GOST R 34.10-2012-256, SAN: localhost): server_ca3_gost12-256_cert, server_ca3_gost12-256_key - * IPv4 server (GOST R 34.10-2012-512, SAN: localhost): server_ca3_gost12-512_cert, server_ca3_gost12-512_key -@@ -350,7 +349,7 @@ static unsigned char ca2_cert_pem[] = - - const gnutls_datum_t ca2_cert = { ca2_cert_pem, sizeof(ca2_cert_pem) - 1 }; - --static unsigned char cli_cert_pem[] = -+static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" -@@ -365,9 +364,9 @@ static unsigned char cli_cert_pem[] = - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" - "-----END CERTIFICATE-----\n"; --const gnutls_datum_t cli_cert = { cli_cert_pem, sizeof(cli_cert_pem) - 1 }; -+const gnutls_datum_t cli_cert = { cert_pem, sizeof(cert_pem) - 1 }; - --static unsigned char cli_key_pem[] = -+static unsigned char key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" -@@ -383,7 +382,7 @@ static unsigned char cli_key_pem[] = - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; --const gnutls_datum_t cli_key = { cli_key_pem, sizeof(cli_key_pem) - 1 }; -+const 
gnutls_datum_t cli_key = { key_pem, sizeof(key_pem) - 1 }; - - static char dsa_key_pem[] = - "-----BEGIN DSA PRIVATE KEY-----\n" -@@ -1082,42 +1081,6 @@ const gnutls_datum_t server_ca3_eddsa_cert = { - sizeof(server_ca3_eddsa_cert_pem) - 1 - }; - --/* server Ed448 key */ --static char server_ca3_ed448_key_pem[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEcCAQAwBQYDK2VxBDsEOXPoCtsxxy7itrHfeuQ2bG7oh3uerkBwhabkeSsNFYoS\n" -- "QYy6KKYld8lnhlYQQmMo6lx28x9GmpTiag==\n" -- "-----END PRIVATE KEY-----\n"; -- --const gnutls_datum_t server_ca3_ed448_key = { -- (unsigned char *)server_ca3_ed448_key_pem, -- sizeof(server_ca3_ed448_key_pem) - 1 --}; -- --static char server_ca3_ed448_cert_pem[] = -- "-----BEGIN CERTIFICATE-----\n" -- "MIICqzCCAROgAwIBAgIUAvQ9bcei1eNZ9viV1kP7MKODp9YwDQYJKoZIhvcNAQEL\n" -- "BQAwDzENMAsGA1UEAxMEQ0EtMzAgFw0yMzA5MjgwNjU1NThaGA85OTk5MTIzMTIz\n" -- "NTk1OVowDTELMAkGA1UEBhMCR1IwQzAFBgMrZXEDOgAYxZxGeKtoWUL20zvrFClm\n" -- "irhECIIdccq6x0uZccYHfmRVkFoUI7iOFj6Mlsp5vg24XZ2tGF5MBACjYDBeMAwG\n" -- "A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTYq6RhA2qMWmYM\n" -- "UAEx3AlNSnhWHDAfBgNVHSMEGDAWgBT5qIYZY7akFBNgdg8BmjU27/G0rzANBgkq\n" -- "hkiG9w0BAQsFAAOCAYEAhEd0coRahGvMx8gLS8biuaqh50+9RJIjMpf+/0IQJ4DV\n" -- "FHT5E70YyaQ0YOsvyxGa04d+KyhdVLppD1pDztLGXYZWxzmowopwpgnpPNT25M+0\n" -- "aQOvCZZvRlqmwgUiRXdhSxqPsUj/73uUBPIjFknrxajoox7sOLris9ujmidqgBGa\n" -- "H1FVbQQQgDOBCKcKXTAllVKzS/ZLwlRHibbm+4UDxGk1tJv1dbnQhJk0FYSQZn3h\n" -- "ZVmSSfP4ZB+U+lsCshypBJ9qVZEqMM2b4m1wv/VAOuw0lGA2SiPub5q91hFYRdeL\n" -- "9FB78/WlrSCTbGeMzzDPXBf/Y2KvFAv3o7K0tsMg1vBsDJBARHEzo4GMRsYDZzvI\n" -- "JXb5tSmJOi/PBfup8GPiG0WbZV9nuvW8V/zmfaP3s9YBfYOtL/+nZch9VdSee2xp\n" -- "T8arukB/s2jLaXQUduD3hoFvFNgCvWJwAWQWNNyHN3ivArqNQpfl2Gtftmb6xCdW\n" -- "Xwt1/q2XKqqLpnF1N2wU\n" -- "-----END CERTIFICATE-----\n"; -- --const gnutls_datum_t server_ca3_ed448_cert = { -- (unsigned char *)server_ca3_ed448_cert_pem, -- sizeof(server_ca3_ed448_cert_pem) - 1 --}; -- - static char server_ca3_gost01_key_pem[] = - "-----BEGIN 
PRIVATE KEY-----\n" - "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n" -diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -index 1b7732e884..d3cd9a97c7 100644 ---- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c -+++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c -@@ -64,8 +64,8 @@ static int pin_func(void *userdata, int attempt, const char *url, - return -1; - } - --#define myfail(fmt, ...) \ -- fail("%s (iter %zu): " fmt, gnutls_sign_get_name(sigalgo), i, \ -+#define myfail(fmt, ...) \ -+ fail("%s (iter %d): " fmt, gnutls_sign_get_name(sigalgo), i, \ - ##__VA_ARGS__) - - static unsigned verify_eddsa_presence(void) -@@ -85,10 +85,11 @@ static unsigned verify_eddsa_presence(void) - return 0; - } - --static void test(const char *name, const gnutls_datum_t *cert_pem, -- const gnutls_datum_t *key_pem, gnutls_sign_algorithm_t sigalgo) -+void doit(void) - { -+ char buf[128]; - int ret; -+ const char *lib, *bin; - gnutls_x509_crt_t crt; - gnutls_x509_privkey_t key; - gnutls_datum_t tmp, sig; -@@ -97,16 +98,51 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_t pubkey2; - gnutls_pubkey_t pubkey3; - gnutls_pubkey_t pubkey4; -- char buf[256]; -- size_t i; -+ unsigned i, sigalgo; -+ -+ bin = softhsm_bin(); -+ -+ lib = softhsm_lib(); -+ -+ ret = global_init(); -+ if (ret != 0) { -+ fail("%d: %s\n", ret, gnutls_strerror(ret)); -+ } -+ -+ if (gnutls_fips140_mode_enabled()) { -+ gnutls_global_deinit(); -+ return; -+ } -+ -+ gnutls_pkcs11_set_pin_function(pin_func, NULL); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ set_softhsm_conf(CONFIG); -+ snprintf(buf, sizeof(buf), -+ "%s --init-token --slot 0 --label test --so-pin " PIN -+ " --pin " PIN, -+ bin); -+ system(buf); -+ -+ ret = gnutls_pkcs11_add_provider(lib, NULL); -+ if (ret < 0) { -+ fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); -+ } - -- success("%s\n", 
name); -+ if (verify_eddsa_presence() == 0) { -+ fprintf(stderr, -+ "Skipping test as no EDDSA mech is supported\n"); -+ exit(77); -+ } - - ret = gnutls_x509_crt_init(&crt); - if (ret < 0) - fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); - -- ret = gnutls_x509_crt_import(crt, cert_pem, GNUTLS_X509_FMT_PEM); -+ ret = gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert, -+ GNUTLS_X509_FMT_PEM); - if (ret < 0) - fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); - -@@ -122,12 +158,25 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret)); - } - -- ret = gnutls_x509_privkey_import(key, key_pem, GNUTLS_X509_FMT_PEM); -+ ret = gnutls_x509_privkey_import(key, &server_ca3_eddsa_key, -+ GNUTLS_X509_FMT_PEM); - if (ret < 0) { - fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret)); - } - -- ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, name, -+ /* initialize softhsm token */ -+ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, -+ GNUTLS_PIN_USER); -+ if (ret < 0) { -+ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -+ } -+ -+ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", - GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | - GNUTLS_PKCS11_OBJ_FLAG_LOGIN); - if (ret < 0) { -@@ -135,7 +184,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - } - - ret = gnutls_pkcs11_copy_x509_privkey( -- SOFTHSM_URL, key, name, -+ SOFTHSM_URL, key, "cert", - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, - GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | - GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | -@@ -150,7 +199,7 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - assert(gnutls_pubkey_import_x509(pubkey, crt, 0) == 0); - - ret = gnutls_pkcs11_copy_pubkey( -- 
SOFTHSM_URL, pubkey, name, NULL, -+ SOFTHSM_URL, pubkey, "cert", NULL, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 0); - if (ret < 0) { - fail("gnutls_pkcs11_copy_pubkey: %s\n", gnutls_strerror(ret)); -@@ -161,13 +210,11 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_deinit(pubkey); - gnutls_pkcs11_set_pin_function(NULL, NULL); - -- assert(snprintf(buf, sizeof(buf), -- "%s;object=%s;object-type=private?pin-value=" PIN, -- SOFTHSM_URL, name) < (int)sizeof(buf)); -- - assert(gnutls_privkey_init(&pkey) == 0); - -- ret = gnutls_privkey_import_pkcs11_url(pkey, buf); -+ ret = gnutls_privkey_import_pkcs11_url( -+ pkey, -+ SOFTHSM_URL ";object=cert;object-type=private;pin-value=" PIN); - if (ret < 0) { - fail("error in gnutls_privkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -176,7 +223,10 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - /* Try to read the public key with public key URI */ - assert(gnutls_pubkey_init(&pubkey3) == 0); - -- ret = gnutls_pubkey_import_pkcs11_url(pubkey3, buf, 0); -+ ret = gnutls_pubkey_import_pkcs11_url( -+ pubkey3, -+ SOFTHSM_URL ";object=cert;object-type=public;pin-value=" PIN, -+ 0); - if (ret < 0) { - fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -185,7 +235,9 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - /* Try to read the public key with certificate URI */ - assert(gnutls_pubkey_init(&pubkey4) == 0); - -- ret = gnutls_pubkey_import_pkcs11_url(pubkey4, buf, 0); -+ ret = gnutls_pubkey_import_pkcs11_url( -+ pubkey4, -+ SOFTHSM_URL ";object=cert;object-type=cert;pin-value=" PIN, 0); - if (ret < 0) { - fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", - gnutls_strerror(ret)); -@@ -195,9 +247,12 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); - - assert(gnutls_pubkey_init(&pubkey2) == 0); -- 
assert(gnutls_pubkey_import_x509_raw(pubkey2, cert_pem, -+ assert(gnutls_pubkey_import_x509_raw(pubkey2, &server_ca3_eddsa_cert, - GNUTLS_X509_FMT_PEM, 0) == 0); - -+ /* this is the algorithm supported by the certificate */ -+ sigalgo = GNUTLS_SIGN_EDDSA_ED25519; -+ - for (i = 0; i < 20; i++) { - /* check whether privkey and pubkey are operational - * by signing and verifying */ -@@ -229,71 +284,6 @@ static void test(const char *name, const gnutls_datum_t *cert_pem, - gnutls_pubkey_deinit(pubkey2); - gnutls_pubkey_deinit(pubkey); - gnutls_privkey_deinit(pkey); --} -- --void doit(void) --{ -- char buf[256]; -- int ret; -- const char *lib, *bin; -- -- bin = softhsm_bin(); -- -- lib = softhsm_lib(); -- -- ret = global_init(); -- if (ret != 0) { -- fail("%d: %s\n", ret, gnutls_strerror(ret)); -- } -- -- if (gnutls_fips140_mode_enabled()) { -- gnutls_global_deinit(); -- return; -- } -- -- gnutls_pkcs11_set_pin_function(pin_func, NULL); -- gnutls_global_set_log_function(tls_log_func); -- if (debug) -- gnutls_global_set_log_level(4711); -- -- set_softhsm_conf(CONFIG); -- assert(snprintf(buf, sizeof(buf), -- "%s --init-token --slot 0 --label test --so-pin " PIN -- " --pin " PIN, -- bin) < (int)sizeof(buf)); -- system(buf); -- -- ret = gnutls_pkcs11_add_provider(lib, NULL); -- if (ret < 0) { -- fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); -- } -- -- if (verify_eddsa_presence() == 0) { -- fprintf(stderr, -- "Skipping test as no EDDSA mech is supported\n"); -- exit(77); -- } -- -- /* initialize softhsm token */ -- ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); -- if (ret < 0) { -- fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); -- } -- -- ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, -- GNUTLS_PIN_USER); -- if (ret < 0) { -- fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); -- } -- -- test("ed25519", &server_ca3_eddsa_cert, &server_ca3_eddsa_key, -- GNUTLS_SIGN_EDDSA_ED25519); -- -- /* test clears PIN function 
to check "?pin-value" works */ -- gnutls_pkcs11_set_pin_function(pin_func, NULL); -- -- test("ed448", &server_ca3_ed448_cert, &server_ca3_ed448_key, -- GNUTLS_SIGN_EDDSA_ED448); - - gnutls_global_deinit(); - -diff --git a/tests/pkcs11/pkcs11-privkey-generate.c b/tests/pkcs11/pkcs11-privkey-generate.c -index 7de0c35426..bd54fad8d2 100644 ---- a/tests/pkcs11/pkcs11-privkey-generate.c -+++ b/tests/pkcs11/pkcs11-privkey-generate.c -@@ -98,7 +98,8 @@ static void generate_keypair(gnutls_pk_algorithm_t algo, size_t bits, - fail("%d: %s\n", ret, gnutls_strerror(ret)); - } - -- success("generated %s key (%s)\n", gnutls_pk_get_name(algo), -+ success("generated %s key (%s)\n", -+ gnutls_pk_get_name(algo), - sensitive ? "sensitive" : "non sensitive"); - - assert(gnutls_pkcs11_obj_init(&obj) >= 0); -@@ -130,9 +131,6 @@ void doit(void) - char buf[128]; - int ret; - const char *lib, *bin; --#ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN -- CK_MECHANISM_INFO minfo; --#endif - - if (gnutls_fips140_mode_enabled()) - exit(77); -@@ -176,20 +174,13 @@ void doit(void) - generate_keypair(GNUTLS_PK_RSA, 2048, "rsa-non-sensitive", false); - - #ifdef CKM_EC_EDWARDS_KEY_PAIR_GEN -- ret = gnutls_pkcs11_token_check_mechanism("pkcs11:token=test", -- CKM_EC_EDWARDS_KEY_PAIR_GEN, -- &minfo, sizeof(minfo), 0); -+ ret = gnutls_pkcs11_token_check_mechanism( -+ "pkcs11:token=test", CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0, 0); - if (ret != 0) { - generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, - "ed25519-sensitive", true); - generate_keypair(GNUTLS_PK_EDDSA_ED25519, 256, - "ed25519-non-sensitive", false); -- if (minfo.ulMaxKeySize >= 456) { -- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, -- "ed448-sensitive", true); -- generate_keypair(GNUTLS_PK_EDDSA_ED448, 456, -- "ed448-non-sensitive", false); -- } - } - #endif - -diff --git a/tests/tls13/ocsp-client.c b/tests/tls13/ocsp-client.c -index c7e7e2e410..1064a17752 100644 ---- a/tests/tls13/ocsp-client.c -+++ b/tests/tls13/ocsp-client.c -@@ -169,8 +169,8 @@ void 
doit(void)
- fp = fopen(certfile3, "wb");
- if (fp == NULL)
- fail("error in fopen\n");
-- assert(fwrite(cli_cert_pem, 1, strlen((char *)cli_cert_pem), fp) > 0);
-- assert(fwrite(cli_key_pem, 1, strlen((char *)cli_key_pem), fp) > 0);
-+ assert(fwrite(cert_pem, 1, strlen((char *)cert_pem), fp) > 0);
-+ assert(fwrite(key_pem, 1, strlen((char *)key_pem), fp) > 0);
- fclose(fp);
-
- ret = gnutls_certificate_set_x509_key_file2(
---
-2.43.0
-
diff --git a/gnutls-3.8.3-kernel_version_check.patch b/gnutls-3.8.3-kernel_version_check.patch
new file mode 100644
index 0000000..e4495ed
--- /dev/null
+++ b/gnutls-3.8.3-kernel_version_check.patch
@@ -0,0 +1,36 @@
+From 945c2f10eeda441f32404d1328761e311915add0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Tue, 23 Jan 2024 11:54:32 +0900
+Subject: [PATCH] ktls: fix kernel version checking using utsname
+
+Signed-off-by: Daiki Ueno
+---
+ lib/system/ktls.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/system/ktls.c b/lib/system/ktls.c
+index 8efb913cda..432c70c5a2 100644
+--- a/lib/system/ktls.c
++++ b/lib/system/ktls.c
+@@ -482,7 +482,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- if (strcmp(utsname.sysname, "Linux") == 0) {
++ if (strcmp(utsname.sysname, "Linux") != 0) {
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+@@ -495,6 +495,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
++ _gnutls_debug_log("Linux kernel version %lu.%lu has been detected\n",
++ major, minor);
++
+ /* setsockopt(SOL_TLS, TLS_RX) support added in 5.10 */
+ if (major < 5 || (major == 5 && minor < 10)) {
+ return GNUTLS_E_UNIMPLEMENTED_FEATURE;
+--
+GitLab
+
diff --git a/gnutls.spec b/gnutls.spec
index f8c6040..4508067 100644
--- a/gnutls.spec
+++ b/gnutls.spec
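Review bot: The `%lu` conversions in the added `_gnutls_debug_log` call in the second ktls.c hunk require `major` and `minor` to be `unsigned long`; their declarations and the code that fills them from `utsname.release` sit outside the hunk, so the types should be confirmed there, since a mismatched conversion is undefined behaviour and `-Wformat` would flag it. The first hunk's corrected `!= 0` test means `_gnutls_ktls_set_keys` now proceeds on Linux instead of returning `GNUTLS_E_INTERNAL_ERROR` unconditionally, so if the inverted check shipped in the 3.8.3 tarball as the subject line suggests, this update presumably makes the kTLS key-installation path live for the first time in this package line, which is worth stating in the package changelog so later record-layer behaviour changes can be traced to it. The enclosing function `_gnutls_ktls_set_keys` starts and ends outside both hunks.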
@@ -12,15 +12,13 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }
-Version: 3.8.2
+Version: 3.8.3
 Release: %{?autorelease}%{!?autorelease:1%{?dist}}
 Patch: gnutls-3.2.7-rpath.patch
 # follow https://gitlab.com/gnutls/gnutls/-/issues/1443
 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
-
-# tentatively reverted for https://gitlab.com/gnutls/gnutls/-/issues/1515
-Patch: gnutls-3.8.2-revert-pkcs11-ed448.patch
+Patch: gnutls-3.8.3-kernel_version_check.patch
 %bcond_without bootstrap
 %bcond_without dane
diff --git a/sources b/sources
index ea8384c..f74b572 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (gnutls-3.8.2.tar.xz) = b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38
-SHA512 (gnutls-3.8.2.tar.xz.sig) = 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6
+SHA512 (gnutls-3.8.3.tar.xz) = 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84
+SHA512 (gnutls-3.8.3.tar.xz.sig) = 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff
 SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d
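Review bot: The new `Patch: gnutls-3.8.3-kernel_version_check.patch` line carries no provenance comment, unlike the sibling entry above it that cites `# follow https://gitlab.com/gnutls/gnutls/-/issues/1443`, so a later maintainer cannot tell whether it is an upstream backport or when it can be dropped. Add a line such as `# backport of upstream commit 945c2f10eeda441f32404d1328761e311915add0; drop once in a release` directly before the `Patch:` entry; that hash is the one in the patch file's own From header. Dropping the `# tentatively reverted for …/issues/1515` comment together with its patch is consistent, but a one-line note that the ed448 revert is no longer carried (presumably because 3.8.3 resolves that issue) would spare the next reader a search through the history.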