gnutls: upgrade 3.8.5 -> 3.8.6

Changelog: ** libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12 To be compliant with FIPS 140-3, PKCS#12 files with MAC based on PBKDF2 (PBMAC1) is now supported, according to the specification proposed in draft-ietf-lamps-pkcs12-pbmac1. ** libgnutls: SHA3 extendable output functions (XOF) are now supported SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new public API gnutls_hash_squeeze. ** API and ABI modifications: gnutls_pkcs12_generate_mac3: New function gnutls_pkcs12_flags_t: New enum gnutls_hash_squeeze: New function (From OE-Core rev: 61e7888c8e31ac2adee9eb75ee2393125ef9b433) Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-23 09:32:17 +02:00 · 2024-07-20 20:59:13 +00:00
parent 83e68a5f47
commit c64e1b0dc5
5 changed files with 8 additions and 278 deletions
--- a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
+++ b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
@@ -1,4 +1,4 @@
-From 7be8ec59a53e93c2bd453b3ba2d63d1b300ef11f Mon Sep 17 00:00:00 2001
+From c4f6cb380471b5e5478ae6f7f8c5604a6a64ec1c Mon Sep 17 00:00:00 2001
 From: Lei Maohui <leimaohui@fujitsu.com>
 Date: Mon, 23 May 2022 10:44:43 +0900
 Subject: [PATCH] Creating .hmac file should be excuted in target environment,
--- a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -1,269 +0,0 @@
-From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
-From: Zoltan Fridrich <zfridric@redhat.com>
-Date: Wed, 10 Apr 2024 12:51:33 +0200
-Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
-
-Upstream-Status: Backport [expected for  3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
-
-Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
-Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
- lib/priority.c                                | 125 +++++++++++-------
- ...system-override-allow-rsa-pkcs1-encrypt.sh |  27 +++-
- 2 files changed, 96 insertions(+), 56 deletions(-)
-
-diff --git a/lib/priority.c b/lib/priority.c
-index 8abe00d1ff..3434619aad 100644
--- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -1018,6 +1018,12 @@ struct cfg {
- 	bool force_ext_master_secret_set;
- };
- 
-+static inline void cfg_init(struct cfg *cfg)
-+{
-+	memset(cfg, 0, sizeof(*cfg));
-+	cfg->allow_rsa_pkcs1_encrypt = true;
-+}
-+
- static inline void cfg_deinit(struct cfg *cfg)
- {
- 	if (cfg->priority_strings) {
-@@ -1095,6 +1101,12 @@ struct ini_ctx {
- 	size_t curves_size;
- };
- 
-+static inline void ini_ctx_init(struct ini_ctx *ctx)
-+{
-+	memset(ctx, 0, sizeof(*ctx));
-+	cfg_init(&ctx->cfg);
-+}
-+
- static inline void ini_ctx_deinit(struct ini_ctx *ctx)
- {
- 	cfg_deinit(&ctx->cfg);
-@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
- 		_gnutls_default_priority_string = cfg->default_priority_string;
- 	}
- 
-	/* enable RSA-PKCS1-V1_5 by default */
-	cfg->allow_rsa_pkcs1_encrypt = true;
-
- 	if (cfg->allowlisting) {
- 		/* also updates `flags` of global `hash_algorithms[]` */
- 		ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
-@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
- 	return 0;
- }
- 
-+/* Returns false on parse error, otherwise true.
-+ * The system_wide_config must be locked for writing.
-+ */
-+static inline bool load_system_priority_file(void)
-+{
-+	int err;
-+	FILE *fp;
-+	struct ini_ctx ctx;
-+
-+	cfg_init(&system_wide_config);
-+
-+	fp = fopen(system_priority_file, "re");
-+	if (fp == NULL) {
-+		_gnutls_debug_log("cfg: unable to open: %s: %d\n",
-+				  system_priority_file, errno);
-+		return true;
-+	}
-+
-+	/* Parsing the configuration file needs to be done in 2 phases:
-+	 * first parsing the [global] section
-+	 * and then the other sections,
-+	 * because the [global] section modifies the parsing behavior.
-+	 */
-+	ini_ctx_init(&ctx);
-+	err = ini_parse_file(fp, global_ini_handler, &ctx);
-+	if (!err) {
-+		if (fseek(fp, 0L, SEEK_SET) < 0) {
-+			_gnutls_debug_log("cfg: unable to rewind: %s\n",
-+					  system_priority_file);
-+			if (fail_on_invalid_config)
-+				exit(1);
-+		}
-+		err = ini_parse_file(fp, cfg_ini_handler, &ctx);
-+	}
-+	fclose(fp);
-+	if (err) {
-+		ini_ctx_deinit(&ctx);
-+		_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
-+				  system_priority_file, err);
-+		return false;
-+	}
-+	cfg_apply(&system_wide_config, &ctx);
-+	ini_ctx_deinit(&ctx);
-+	return true;
-+}
-+
- static int _gnutls_update_system_priorities(bool defer_system_wide)
- {
-	int ret, err = 0;
-+	int ret;
-+	bool config_parse_error = false;
- 	struct stat sb;
-	FILE *fp;
- 	gnutls_buffer_st buf;
-	struct ini_ctx ctx;
- 
- 	ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
-	if (ret < 0) {
-+	if (ret < 0)
- 		return gnutls_assert_val(ret);
-	}
- 
- 	if (stat(system_priority_file, &sb) < 0) {
- 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
- 				  system_priority_file, errno);
-+
-+		(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
-+		ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
-+		if (ret < 0)
-+			goto out;
-+		/* If system-wide config is unavailable, apply the defaults */
-+		cfg_init(&system_wide_config);
- 		goto out;
- 	}
- 
-@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
- 	    system_priority_last_mod == sb.st_mtime) {
- 		_gnutls_debug_log("cfg: system priority %s has not changed\n",
- 				  system_priority_file);
-		if (system_wide_config.priority_string) {
-+		if (system_wide_config.priority_string)
- 			goto out; /* nothing to do */
-		}
- 	}
- 
- 	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
- 
- 	ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
-	if (ret < 0) {
-+	if (ret < 0)
- 		return gnutls_assert_val(ret);
-	}
- 
- 	/* Another thread could have successfully re-read system-wide config,
- 	 * skip re-reading if the mtime it has used is exactly the same.
- 	 */
-	if (system_priority_file_loaded) {
-+	if (system_priority_file_loaded)
- 		system_priority_file_loaded =
- 			(system_priority_last_mod == sb.st_mtime);
-	}
- 
- 	if (!system_priority_file_loaded) {
-		_name_val_array_clear(&system_wide_config.priority_strings);
-
-		gnutls_free(system_wide_config.priority_string);
-		system_wide_config.priority_string = NULL;
-
-		fp = fopen(system_priority_file, "re");
-		if (fp == NULL) {
-			_gnutls_debug_log("cfg: unable to open: %s: %d\n",
-					  system_priority_file, errno);
-+		config_parse_error = !load_system_priority_file();
-+		if (config_parse_error)
- 			goto out;
-		}
-		/* Parsing the configuration file needs to be done in 2 phases:
-		 * first parsing the [global] section
-		 * and then the other sections,
-		 * because the [global] section modifies the parsing behavior.
-		 */
-		memset(&ctx, 0, sizeof(ctx));
-		err = ini_parse_file(fp, global_ini_handler, &ctx);
-		if (!err) {
-			if (fseek(fp, 0L, SEEK_SET) < 0) {
-				_gnutls_debug_log("cfg: unable to rewind: %s\n",
-						  system_priority_file);
-				if (fail_on_invalid_config)
-					exit(1);
-			}
-			err = ini_parse_file(fp, cfg_ini_handler, &ctx);
-		}
-		fclose(fp);
-		if (err) {
-			ini_ctx_deinit(&ctx);
-			_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
-					  system_priority_file, err);
-			goto out;
-		}
-		cfg_apply(&system_wide_config, &ctx);
-		ini_ctx_deinit(&ctx);
- 		_gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
- 				  system_priority_file,
- 				  (unsigned long long)sb.st_mtime);
-@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
- out:
- 	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
- 
-	if (err && fail_on_invalid_config) {
-+	if (config_parse_error && fail_on_invalid_config)
- 		exit(1);
-	}
- 
- 	return ret;
- }
-diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-index b7d477c96e..714d0af946 100755
--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
-@@ -19,9 +19,8 @@
- # You should have received a copy of the GNU Lesser General Public License
- # along with this program.  If not, see <https://www.gnu.org/licenses/>
- 
-: ${srcdir=.}
-TEST=${srcdir}/rsaes-pkcs1-v1_5
-CONF=${srcdir}/config.$$.tmp
-+TEST=${builddir}/rsaes-pkcs1-v1_5
-+CONF=config.$$.tmp
- export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
- export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
- 
-@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
- allow-rsa-pkcs1-encrypt = true
- _EOF_
- 
-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
-+${TEST}
-+if [ $? != 0 ]; then
-+	echo "${TEST} expected to succeed"
-+	exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully enabled"
- 
- cat <<_EOF_ > ${CONF}
- [overrides]
- allow-rsa-pkcs1-encrypt = false
- _EOF_
- 
-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
-+${TEST}
-+if [ $? = 0 ]; then
-+	echo "${TEST} expected to fail"
-+	exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully disabled"
- 
- unset GNUTLS_SYSTEM_PRIORITY_FILE
- unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
-+
-+${TEST}
-+if [ $? != 0 ]; then
-+	echo "${TEST} expected to succeed by default"
-+	exit 1
-+fi
-+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
-+
- exit 0
-- 
-GitLab
-
-
--- a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
+++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
@@ -1,4 +1,4 @@
-From bfa70adcbda4e505cf2e597907852e78e0439ee2 Mon Sep 17 00:00:00 2001
+From 6abc86acecff5a30173eb78a971ec5b65f77e1de Mon Sep 17 00:00:00 2001
 From: Ravineet Singh <ravineet.a.singh@est.tech>
 Date: Tue, 10 Jan 2023 16:11:10 +0100
 Subject: [PATCH] gnutls: add ptest support
@@ -26,10 +26,10 @@ index 843193f..816b09f 100644
 
 include $(top_srcdir)/cligen/cligen.mk
 diff --git a/configure.ac b/configure.ac
-index 934377e..4406eae 100644
+index 1744813..efb9e34 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1213,6 +1213,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
+@@ -1226,6 +1226,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
 
 AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
 
@@ -39,10 +39,10 @@ index 934377e..4406eae 100644
 
 hw_features=
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index e39a3b3..861dd63 100644
+index 189d068..8430b05 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -663,6 +663,12 @@ SH_LOG_COMPILER = $(SHELL)
+@@ -668,6 +668,12 @@ SH_LOG_COMPILER = $(SHELL)
 AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
 LOG_COMPILER = $(LOG_VALGRIND)
 
--- a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
+++ b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
@@ -1,4 +1,4 @@
-From d17ae0ef31c3c186766a338e8c40c87d1b98820e Mon Sep 17 00:00:00 2001
+From 46b3079095c5ceb0dc742785853bbaf288f325c6 Mon Sep 17 00:00:00 2001
 From: Joe Slater <jslater@windriver.com>
 Date: Wed, 25 Jan 2017 13:52:59 -0800
 Subject: [PATCH] gnutls: account for ARM_EABI
--- a/meta/recipes-support/gnutls/gnutls_3.8.6.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.6.bb
@@ -21,12 +21,11 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
           file://arm_eabi.patch \
           file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
-           file://0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch \
           file://run-ptest \
           file://Add-ptest-support.patch \
           "

-SRC_URI[sha256sum] = "66269a2cfe0e1c2dabec87bdbbd8ab656f396edd9a40dd006978e003cfa52bfc"
+SRC_URI[sha256sum] = "2e1588aae53cb32d43937f1f4eca28febd9c0c7aa1734fc5dd61a7e81e0ebcdd"

 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest