gnutls: Fix failing ptests

When upgrading gnutls to the newest version 3.8.5, some ptest failed. Backported a patch from upstream gnutls(not in any release yet) to fix this issue. (From OE-Core rev: 33b203b422dcc2fe2ce991192d6ec0f83cf3c701) Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Simone Weiß <simone.p.weiss@posteo.com> 2024-04-14 18:06:11 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-04-22 22:05:57 +0100
commit: 1686d6c45f1510619f8a0ab1dda9977b9ac3525d (patch)
tree: e73fa0b187be54094c4d35361f4a008e3cde1ca0
parent: c2c0bfb0d7241549199dc8ab56525ff34a3f6f11 (diff)
download: poky-1686d6c45f1510619f8a0ab1dda9977b9ac3525d.tar.gz
2 files changed, 270 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
new file mode 100644
index 0000000000..cc39f5c9a5
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+Upstream-Status: Backport [expected for  3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c                                | 125 +++++++++++-------
+ ...system-override-allow-rsa-pkcs1-encrypt.sh |  27 +++-
+ 2 files changed, 96 insertions(+), 56 deletions(-)
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..3434619aad 100644
+--- a/lib/priority.c
+++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+        bool force_ext_master_secret_set;
+ };
+ 
+static inline void cfg_init(struct cfg *cfg)
+{
+       memset(cfg, 0, sizeof(*cfg));
+       cfg->allow_rsa_pkcs1_encrypt = true;
+}
+
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+        if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+        size_t curves_size;
+ };
+ 
+static inline void ini_ctx_init(struct ini_ctx *ctx)
+{
+       memset(ctx, 0, sizeof(*ctx));
+       cfg_init(&ctx->cfg);
+}
+
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+        cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+                _gnutls_default_priority_string = cfg->default_priority_string;
+        }
+ 
+-       /* enable RSA-PKCS1-V1_5 by default */
+-       cfg->allow_rsa_pkcs1_encrypt = true;
+-
+        if (cfg->allowlisting) {
+                /* also updates `flags` of global `hash_algorithms[]` */
+                ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+        return 0;
+ }
+ 
+/* Returns false on parse error, otherwise true.
+ * The system_wide_config must be locked for writing.
+ */
+static inline bool load_system_priority_file(void)
+{
+       int err;
+       FILE *fp;
+       struct ini_ctx ctx;
+
+       cfg_init(&system_wide_config);
+
+       fp = fopen(system_priority_file, "re");
+       if (fp == NULL) {
+               _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+                                 system_priority_file, errno);
+               return true;
+       }
+
+       /* Parsing the configuration file needs to be done in 2 phases:
+        * first parsing the [global] section
+        * and then the other sections,
+        * because the [global] section modifies the parsing behavior.
+        */
+       ini_ctx_init(&ctx);
+       err = ini_parse_file(fp, global_ini_handler, &ctx);
+       if (!err) {
+               if (fseek(fp, 0L, SEEK_SET) < 0) {
+                       _gnutls_debug_log("cfg: unable to rewind: %s\n",
+                                         system_priority_file);
+                       if (fail_on_invalid_config)
+                               exit(1);
+               }
+               err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+       }
+       fclose(fp);
+       if (err) {
+               ini_ctx_deinit(&ctx);
+               _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+                                 system_priority_file, err);
+               return false;
+       }
+       cfg_apply(&system_wide_config, &ctx);
+       ini_ctx_deinit(&ctx);
+       return true;
+}
+
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+-       int ret, err = 0;
+       int ret;
+       bool config_parse_error = false;
+        struct stat sb;
+-       FILE *fp;
+        gnutls_buffer_st buf;
+-       struct ini_ctx ctx;
+ 
+        ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
+       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        if (stat(system_priority_file, &sb) < 0) {
+                _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+                                  system_priority_file, errno);
+
+               (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+               ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+               if (ret < 0)
+                       goto out;
+               /* If system-wide config is unavailable, apply the defaults */
+               cfg_init(&system_wide_config);
+                goto out;
+        }
+ 
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+            system_priority_last_mod == sb.st_mtime) {
+                _gnutls_debug_log("cfg: system priority %s has not changed\n",
+                                  system_priority_file);
+-               if (system_wide_config.priority_string) {
+               if (system_wide_config.priority_string)
+                        goto out; /* nothing to do */
+-               }
+        }
+ 
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+        ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
+       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        /* Another thread could have successfully re-read system-wide config,
+         * skip re-reading if the mtime it has used is exactly the same.
+         */
+-       if (system_priority_file_loaded) {
+       if (system_priority_file_loaded)
+                system_priority_file_loaded =
+                        (system_priority_last_mod == sb.st_mtime);
+-       }
+ 
+        if (!system_priority_file_loaded) {
+-               _name_val_array_clear(&system_wide_config.priority_strings);
+-
+-               gnutls_free(system_wide_config.priority_string);
+-               system_wide_config.priority_string = NULL;
+-
+-               fp = fopen(system_priority_file, "re");
+-               if (fp == NULL) {
+-                       _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+-                                         system_priority_file, errno);
+               config_parse_error = !load_system_priority_file();
+               if (config_parse_error)
+                        goto out;
+-               }
+-               /* Parsing the configuration file needs to be done in 2 phases:
+-                * first parsing the [global] section
+-                * and then the other sections,
+-                * because the [global] section modifies the parsing behavior.
+-                */
+-               memset(&ctx, 0, sizeof(ctx));
+-               err = ini_parse_file(fp, global_ini_handler, &ctx);
+-               if (!err) {
+-                       if (fseek(fp, 0L, SEEK_SET) < 0) {
+-                               _gnutls_debug_log("cfg: unable to rewind: %s\n",
+-                                                 system_priority_file);
+-                               if (fail_on_invalid_config)
+-                                       exit(1);
+-                       }
+-                       err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+-               }
+-               fclose(fp);
+-               if (err) {
+-                       ini_ctx_deinit(&ctx);
+-                       _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+-                                         system_priority_file, err);
+-                       goto out;
+-               }
+-               cfg_apply(&system_wide_config, &ctx);
+-               ini_ctx_deinit(&ctx);
+                _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+                                  system_priority_file,
+                                  (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+-       if (err && fail_on_invalid_config) {
+       if (config_parse_error && fail_on_invalid_config)
+                exit(1);
+-       }
+ 
+        return ret;
+ }
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..714d0af946 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>
+ 
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
+TEST=${builddir}/rsaes-pkcs1-v1_5
+CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+ 
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
+${TEST}
+if [ $? != 0 ]; then
+       echo "${TEST} expected to succeed"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
+${TEST}
+if [ $? = 0 ]; then
+       echo "${TEST} expected to fail"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+
+${TEST}
+if [ $? != 0 ]; then
+       echo "${TEST} expected to succeed by default"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
+
+ exit 0
+-- 
+GitLab
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.5.bb b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
index 21506a04dc..52a1c00c4a 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.5.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
@@ -21,6 +21,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
           file://arm_eabi.patch \
           file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
+           file://0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch \
           file://run-ptest \
           file://Add-ptest-support.patch \
           "
author	Simone Weiß <simone.p.weiss@posteo.com>	2024-04-14 18:06:11 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-04-22 22:05:57 +0100
commit	1686d6c45f1510619f8a0ab1dda9977b9ac3525d (patch)
tree	e73fa0b187be54094c4d35361f4a008e3cde1ca0
parent	c2c0bfb0d7241549199dc8ab56525ff34a3f6f11 (diff)
download	poky-1686d6c45f1510619f8a0ab1dda9977b9ac3525d.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch new file mode 100644 index 0000000000..cc39f5c9a5 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
		1	From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
		2	From: Zoltan Fridrich <zfridric@redhat.com>
		3	Date: Wed, 10 Apr 2024 12:51:33 +0200
		4	Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
		5
		6	Upstream-Status: Backport [expected for 3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
		7
		8	Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
		9	Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
		10	---
		11	lib/priority.c \| 125 +++++++++++-------
		12	...system-override-allow-rsa-pkcs1-encrypt.sh \| 27 +++-
		13	2 files changed, 96 insertions(+), 56 deletions(-)
		14
		15	diff --git a/lib/priority.c b/lib/priority.c
		16	index 8abe00d1ff..3434619aad 100644
		17	--- a/lib/priority.c
		18	+++ b/lib/priority.c
		19	@@ -1018,6 +1018,12 @@ struct cfg {
		20	bool force_ext_master_secret_set;
		21	};
		22
		23	+static inline void cfg_init(struct cfg *cfg)
		24	+{
		25	+ memset(cfg, 0, sizeof(*cfg));
		26	+ cfg->allow_rsa_pkcs1_encrypt = true;
		27	+}
		28	+
		29	static inline void cfg_deinit(struct cfg *cfg)
		30	{
		31	if (cfg->priority_strings) {
		32	@@ -1095,6 +1101,12 @@ struct ini_ctx {
		33	size_t curves_size;
		34	};
		35
		36	+static inline void ini_ctx_init(struct ini_ctx *ctx)
		37	+{
		38	+ memset(ctx, 0, sizeof(*ctx));
		39	+ cfg_init(&ctx->cfg);
		40	+}
		41	+
		42	static inline void ini_ctx_deinit(struct ini_ctx *ctx)
		43	{
		44	cfg_deinit(&ctx->cfg);
		45	@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg cfg, struct ini_ctx ctx)
		46	_gnutls_default_priority_string = cfg->default_priority_string;
		47	}
		48
		49	- /* enable RSA-PKCS1-V1_5 by default */
		50	- cfg->allow_rsa_pkcs1_encrypt = true;
		51	-
		52	if (cfg->allowlisting) {
		53	/* also updates `flags` of global `hash_algorithms[]` */
		54	ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
		55	@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
		56	return 0;
		57	}
		58
		59	+/* Returns false on parse error, otherwise true.
		60	+ * The system_wide_config must be locked for writing.
		61	+ */
		62	+static inline bool load_system_priority_file(void)
		63	+{
		64	+ int err;
		65	+ FILE *fp;
		66	+ struct ini_ctx ctx;
		67	+
		68	+ cfg_init(&system_wide_config);
		69	+
		70	+ fp = fopen(system_priority_file, "re");
		71	+ if (fp == NULL) {
		72	+ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
		73	+ system_priority_file, errno);
		74	+ return true;
		75	+ }
		76	+
		77	+ /* Parsing the configuration file needs to be done in 2 phases:
		78	+ * first parsing the [global] section
		79	+ * and then the other sections,
		80	+ * because the [global] section modifies the parsing behavior.
		81	+ */
		82	+ ini_ctx_init(&ctx);
		83	+ err = ini_parse_file(fp, global_ini_handler, &ctx);
		84	+ if (!err) {
		85	+ if (fseek(fp, 0L, SEEK_SET) < 0) {
		86	+ _gnutls_debug_log("cfg: unable to rewind: %s\n",
		87	+ system_priority_file);
		88	+ if (fail_on_invalid_config)
		89	+ exit(1);
		90	+ }
		91	+ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
		92	+ }
		93	+ fclose(fp);
		94	+ if (err) {
		95	+ ini_ctx_deinit(&ctx);
		96	+ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
		97	+ system_priority_file, err);
		98	+ return false;
		99	+ }
		100	+ cfg_apply(&system_wide_config, &ctx);
		101	+ ini_ctx_deinit(&ctx);
		102	+ return true;
		103	+}
		104	+
		105	static int _gnutls_update_system_priorities(bool defer_system_wide)
		106	{
		107	- int ret, err = 0;
		108	+ int ret;
		109	+ bool config_parse_error = false;
		110	struct stat sb;
		111	- FILE *fp;
		112	gnutls_buffer_st buf;
		113	- struct ini_ctx ctx;
		114
		115	ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
		116	- if (ret < 0) {
		117	+ if (ret < 0)
		118	return gnutls_assert_val(ret);
		119	- }
		120
		121	if (stat(system_priority_file, &sb) < 0) {
		122	_gnutls_debug_log("cfg: unable to access: %s: %d\n",
		123	system_priority_file, errno);
		124	+
		125	+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		126	+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
		127	+ if (ret < 0)
		128	+ goto out;
		129	+ /* If system-wide config is unavailable, apply the defaults */
		130	+ cfg_init(&system_wide_config);
		131	goto out;
		132	}
		133
		134	@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
		135	system_priority_last_mod == sb.st_mtime) {
		136	_gnutls_debug_log("cfg: system priority %s has not changed\n",
		137	system_priority_file);
		138	- if (system_wide_config.priority_string) {
		139	+ if (system_wide_config.priority_string)
		140	goto out; /* nothing to do */
		141	- }
		142	}
		143
		144	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		145
		146	ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
		147	- if (ret < 0) {
		148	+ if (ret < 0)
		149	return gnutls_assert_val(ret);
		150	- }
		151
		152	/* Another thread could have successfully re-read system-wide config,
		153	* skip re-reading if the mtime it has used is exactly the same.
		154	*/
		155	- if (system_priority_file_loaded) {
		156	+ if (system_priority_file_loaded)
		157	system_priority_file_loaded =
		158	(system_priority_last_mod == sb.st_mtime);
		159	- }
		160
		161	if (!system_priority_file_loaded) {
		162	- _name_val_array_clear(&system_wide_config.priority_strings);
		163	-
		164	- gnutls_free(system_wide_config.priority_string);
		165	- system_wide_config.priority_string = NULL;
		166	-
		167	- fp = fopen(system_priority_file, "re");
		168	- if (fp == NULL) {
		169	- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
		170	- system_priority_file, errno);
		171	+ config_parse_error = !load_system_priority_file();
		172	+ if (config_parse_error)
		173	goto out;
		174	- }
		175	- /* Parsing the configuration file needs to be done in 2 phases:
		176	- * first parsing the [global] section
		177	- * and then the other sections,
		178	- * because the [global] section modifies the parsing behavior.
		179	- */
		180	- memset(&ctx, 0, sizeof(ctx));
		181	- err = ini_parse_file(fp, global_ini_handler, &ctx);
		182	- if (!err) {
		183	- if (fseek(fp, 0L, SEEK_SET) < 0) {
		184	- _gnutls_debug_log("cfg: unable to rewind: %s\n",
		185	- system_priority_file);
		186	- if (fail_on_invalid_config)
		187	- exit(1);
		188	- }
		189	- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
		190	- }
		191	- fclose(fp);
		192	- if (err) {
		193	- ini_ctx_deinit(&ctx);
		194	- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
		195	- system_priority_file, err);
		196	- goto out;
		197	- }
		198	- cfg_apply(&system_wide_config, &ctx);
		199	- ini_ctx_deinit(&ctx);
		200	_gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
		201	system_priority_file,
		202	(unsigned long long)sb.st_mtime);
		203	@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
		204	out:
		205	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		206
		207	- if (err && fail_on_invalid_config) {
		208	+ if (config_parse_error && fail_on_invalid_config)
		209	exit(1);
		210	- }
		211
		212	return ret;
		213	}
		214	diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		215	index b7d477c96e..714d0af946 100755
		216	--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		217	+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		218	@@ -19,9 +19,8 @@
		219	# You should have received a copy of the GNU Lesser General Public License
		220	# along with this program. If not, see <https://www.gnu.org/licenses/>
		221
		222	-: ${srcdir=.}
		223	-TEST=${srcdir}/rsaes-pkcs1-v1_5
		224	-CONF=${srcdir}/config.$$.tmp
		225	+TEST=${builddir}/rsaes-pkcs1-v1_5
		226	+CONF=config.$$.tmp
		227	export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
		228	export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
		229
		230	@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
		231	allow-rsa-pkcs1-encrypt = true
		232	_EOF_
		233
		234	-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
		235	+${TEST}
		236	+if [ $? != 0 ]; then
		237	+ echo "${TEST} expected to succeed"
		238	+ exit 1
		239	+fi
		240	+echo "RSAES-PKCS1-v1_5 successfully enabled"
		241
		242	cat <<_EOF_ > ${CONF}
		243	[overrides]
		244	allow-rsa-pkcs1-encrypt = false
		245	_EOF_
		246
		247	-${TEST} \|\| fail "RSAES-PKCS1-v1_5 expected to fail"
		248	+${TEST}
		249	+if [ $? = 0 ]; then
		250	+ echo "${TEST} expected to fail"
		251	+ exit 1
		252	+fi
		253	+echo "RSAES-PKCS1-v1_5 successfully disabled"
		254
		255	unset GNUTLS_SYSTEM_PRIORITY_FILE
		256	unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
		257	+
		258	+${TEST}
		259	+if [ $? != 0 ]; then
		260	+ echo "${TEST} expected to succeed by default"
		261	+ exit 1
		262	+fi
		263	+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
		264	+
		265	exit 0
		266	--
		267	GitLab
		268
		269


diff --git a/meta/recipes-support/gnutls/gnutls_3.8.5.bb b/meta/recipes-support/gnutls/gnutls_3.8.5.bb index 21506a04dc..52a1c00c4a 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.5.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
@@ -21,6 +21,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
21	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \	21	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
22	file://arm_eabi.patch \	22	file://arm_eabi.patch \
23	file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \	23	file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
		24	file://0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch \
24	file://run-ptest \	25	file://run-ptest \
25	file://Add-ptest-support.patch \	26	file://Add-ptest-support.patch \
26	"	27	"