author | Simone Weiß <simone.p.weiss@posteo.com> | 2024-04-14 18:06:11 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-04-22 22:05:57 +0100 |
commit | 1686d6c45f1510619f8a0ab1dda9977b9ac3525d (patch) | |
tree | e73fa0b187be54094c4d35361f4a008e3cde1ca0 | |
parent | c2c0bfb0d7241549199dc8ab56525ff34a3f6f11 (diff) | |
download | poky-1686d6c45f1510619f8a0ab1dda9977b9ac3525d.tar.gz |
gnutls: Fix failing ptests
When upgrading gnutls to the newest version 3.8.5, some ptests failed.
Backported a patch from upstream gnutls (not in any release yet) to
fix this issue.
(From OE-Core rev: 33b203b422dcc2fe2ce991192d6ec0f83cf3c701)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch | 269 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_3.8.5.bb | 1 |
2 files changed, 270 insertions, 0 deletions
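--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Upstream-Status: Backport [expected for 3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
+
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+lib/priority.c | 125 +++++++++++-------
+...system-override-allow-rsa-pkcs1-encrypt.sh | 27 +++-
+2 files changed, 96 insertions(+), 56 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..3434619aad 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+bool force_ext_master_secret_set;
+};
+
++static inline void cfg_init(struct cfg *cfg)
++{
++ memset(cfg, 0, sizeof(*cfg));
++ cfg->allow_rsa_pkcs1_encrypt = true;
++}
++
+static inline void cfg_deinit(struct cfg *cfg)
+{
+if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+size_t curves_size;
+};
+
++static inline void ini_ctx_init(struct ini_ctx *ctx)
++{
++ memset(ctx, 0, sizeof(*ctx));
++ cfg_init(&ctx->cfg);
++}
++
+static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+{
+cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+_gnutls_default_priority_string = cfg->default_priority_string;
+}
+
+- /* enable RSA-PKCS1-V1_5 by default */
+- cfg->allow_rsa_pkcs1_encrypt = true;
+-
+if (cfg->allowlisting) {
+/* also updates `flags` of global `hash_algorithms[]` */
+ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+return 0;
+}
+
++/* Returns false on parse error, otherwise true.
++ * The system_wide_config must be locked for writing.
++ */
++static inline bool load_system_priority_file(void)
++{
++ int err;
++ FILE *fp;
++ struct ini_ctx ctx;
++
++ cfg_init(&system_wide_config);
++
++ fp = fopen(system_priority_file, "re");
++ if (fp == NULL) {
++ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
++ system_priority_file, errno);
++ return true;
++ }
++
++ /* Parsing the configuration file needs to be done in 2 phases:
++ * first parsing the [global] section
++ * and then the other sections,
++ * because the [global] section modifies the parsing behavior.
++ */
++ ini_ctx_init(&ctx);
++ err = ini_parse_file(fp, global_ini_handler, &ctx);
++ if (!err) {
++ if (fseek(fp, 0L, SEEK_SET) < 0) {
++ _gnutls_debug_log("cfg: unable to rewind: %s\n",
++ system_priority_file);
++ if (fail_on_invalid_config)
++ exit(1);
++ }
++ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
++ }
++ fclose(fp);
++ if (err) {
++ ini_ctx_deinit(&ctx);
++ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
++ system_priority_file, err);
++ return false;
++ }
++ cfg_apply(&system_wide_config, &ctx);
++ ini_ctx_deinit(&ctx);
++ return true;
++}
++
+static int _gnutls_update_system_priorities(bool defer_system_wide)
+{
+- int ret, err = 0;
++ int ret;
++ bool config_parse_error = false;
+struct stat sb;
+- FILE *fp;
+gnutls_buffer_st buf;
+- struct ini_ctx ctx;
+
+ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+return gnutls_assert_val(ret);
+- }
+
+if (stat(system_priority_file, &sb) < 0) {
+_gnutls_debug_log("cfg: unable to access: %s: %d\n",
+system_priority_file, errno);
++
++ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
++ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
++ if (ret < 0)
++ goto out;
++ /* If system-wide config is unavailable, apply the defaults */
++ cfg_init(&system_wide_config);
+goto out;
+}
+
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+system_priority_last_mod == sb.st_mtime) {
+_gnutls_debug_log("cfg: system priority %s has not changed\n",
+system_priority_file);
+- if (system_wide_config.priority_string) {
++ if (system_wide_config.priority_string)
+goto out; /* nothing to do */
+- }
+}
+
+(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+return gnutls_assert_val(ret);
+- }
+
+/* Another thread could have successfully re-read system-wide config,
+* skip re-reading if the mtime it has used is exactly the same.
+*/
+- if (system_priority_file_loaded) {
++ if (system_priority_file_loaded)
+system_priority_file_loaded =
+(system_priority_last_mod == sb.st_mtime);
+- }
+
+if (!system_priority_file_loaded) {
+- _name_val_array_clear(&system_wide_config.priority_strings);
+-
+- gnutls_free(system_wide_config.priority_string);
+- system_wide_config.priority_string = NULL;
+-
+- fp = fopen(system_priority_file, "re");
+- if (fp == NULL) {
+- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+- system_priority_file, errno);
++ config_parse_error = !load_system_priority_file();
++ if (config_parse_error)
+goto out;
+- }
+- /* Parsing the configuration file needs to be done in 2 phases:
+- * first parsing the [global] section
+- * and then the other sections,
+- * because the [global] section modifies the parsing behavior.
+- */
+- memset(&ctx, 0, sizeof(ctx));
+- err = ini_parse_file(fp, global_ini_handler, &ctx);
+- if (!err) {
+- if (fseek(fp, 0L, SEEK_SET) < 0) {
+- _gnutls_debug_log("cfg: unable to rewind: %s\n",
+- system_priority_file);
+- if (fail_on_invalid_config)
+- exit(1);
+- }
+- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+- }
+- fclose(fp);
+- if (err) {
+- ini_ctx_deinit(&ctx);
+- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+- system_priority_file, err);
+- goto out;
+- }
+- cfg_apply(&system_wide_config, &ctx);
+- ini_ctx_deinit(&ctx);
+_gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+system_priority_file,
+(unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+out:
+(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+- if (err && fail_on_invalid_config) {
++ if (config_parse_error && fail_on_invalid_config)
+exit(1);
+- }
+
+return ret;
+}
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..714d0af946 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
++TEST=${builddir}/rsaes-pkcs1-v1_5
++CONF=config.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+allow-rsa-pkcs1-encrypt = true
+_EOF_
+
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+
+cat <<_EOF_ > ${CONF}
+[overrides]
+allow-rsa-pkcs1-encrypt = false
+_EOF_
+
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++ echo "${TEST} expected to fail"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed by default"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+exit 0
+--
+GitLab
+
+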
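Review bot: In the stat-failure path of `_gnutls_update_system_priorities`, the new `if (ret < 0) goto out;` after `gnutls_rwlock_wrlock` lands on `out:`, which calls `gnutls_rwlock_unlock` even though the read lock was already released two lines earlier and the write lock was never acquired; the identical check later in the same function returns directly, and that is the safe form here too: `if (ret < 0) return gnutls_assert_val(ret);`. The two new `cfg_init(&system_wide_config)` calls (that path and the top of `load_system_priority_file`) replace the removed `_name_val_array_clear(&system_wide_config.priority_strings)` and `gnutls_free(system_wide_config.priority_string)` lines with a plain `memset`, so on a reload the strings allocated by the previous load appear to leak unless they are released somewhere outside this patch; a `cfg_deinit(&system_wide_config);` before each `cfg_init` would mirror what `ini_ctx_deinit` already does for the parse context. The header comment on `load_system_priority_file` should also state that an unopenable file returns `true`, so `GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID` only aborts on a parse failure, not on a missing or unreadable config, e.g. ` * A missing/unreadable file is not an error: the defaults set by cfg_init() stay in effect.` The body of `_gnutls_update_system_priorities` is split across several hunks of the embedded patch, so the remaining lock handling between them is not visible here.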
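--- a/meta/recipes-support/gnutls/gnutls_3.8.5.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
@@ -21,6 +21,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
 file://arm_eabi.patch \
 file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
+file://0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch \
 file://run-ptest \
 file://Add-ptest-support.patch \
 "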