5 files changed, 455 insertions, 4 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
new file mode 100644
index 0000000000..d13bfee8ef
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
@@ -0,0 +1,26 @@
+From 7be8ec59a53e93c2bd453b3ba2d63d1b300ef11f Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Mon, 23 May 2022 10:44:43 +0900
+Subject: [PATCH] Creating .hmac file should be excuted in target environment,
+ so deleted it from build process.
+Upstream-Status: Inappropriate [https://gitlab.com/gnutls/gnutls/-/issues/1373]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ lib/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index a50d311..193ea19 100644
+--- a/lib/Makefile.am
+++ b/lib/Makefile.am
+@@ -198,8 +198,7 @@ hmac_file = .libs/.$(gnutls_so).hmac
+ 
+ all-local: $(hmac_file)
+ 
+-$(hmac_file): libgnutls.la fipshmac
+-       $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@
+.libs/.$(gnutls_so).hmac:
+ 
+ CLEANFILES = $(hmac_file)
+ endif
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
new file mode 100644
index 0000000000..cc39f5c9a5
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+Upstream-Status: Backport [expected for  3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c                                | 125 +++++++++++-------
+ ...system-override-allow-rsa-pkcs1-encrypt.sh |  27 +++-
+ 2 files changed, 96 insertions(+), 56 deletions(-)
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..3434619aad 100644
+--- a/lib/priority.c
+++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+        bool force_ext_master_secret_set;
+ };
+ 
+static inline void cfg_init(struct cfg *cfg)
+{
+       memset(cfg, 0, sizeof(*cfg));
+       cfg->allow_rsa_pkcs1_encrypt = true;
+}
+
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+        if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+        size_t curves_size;
+ };
+ 
+static inline void ini_ctx_init(struct ini_ctx *ctx)
+{
+       memset(ctx, 0, sizeof(*ctx));
+       cfg_init(&ctx->cfg);
+}
+
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+        cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+                _gnutls_default_priority_string = cfg->default_priority_string;
+        }
+ 
+-       /* enable RSA-PKCS1-V1_5 by default */
+-       cfg->allow_rsa_pkcs1_encrypt = true;
+-
+        if (cfg->allowlisting) {
+                /* also updates `flags` of global `hash_algorithms[]` */
+                ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+        return 0;
+ }
+ 
+/* Returns false on parse error, otherwise true.
+ * The system_wide_config must be locked for writing.
+ */
+static inline bool load_system_priority_file(void)
+{
+       int err;
+       FILE *fp;
+       struct ini_ctx ctx;
+
+       cfg_init(&system_wide_config);
+
+       fp = fopen(system_priority_file, "re");
+       if (fp == NULL) {
+               _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+                                 system_priority_file, errno);
+               return true;
+       }
+
+       /* Parsing the configuration file needs to be done in 2 phases:
+        * first parsing the [global] section
+        * and then the other sections,
+        * because the [global] section modifies the parsing behavior.
+        */
+       ini_ctx_init(&ctx);
+       err = ini_parse_file(fp, global_ini_handler, &ctx);
+       if (!err) {
+               if (fseek(fp, 0L, SEEK_SET) < 0) {
+                       _gnutls_debug_log("cfg: unable to rewind: %s\n",
+                                         system_priority_file);
+                       if (fail_on_invalid_config)
+                               exit(1);
+               }
+               err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+       }
+       fclose(fp);
+       if (err) {
+               ini_ctx_deinit(&ctx);
+               _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+                                 system_priority_file, err);
+               return false;
+       }
+       cfg_apply(&system_wide_config, &ctx);
+       ini_ctx_deinit(&ctx);
+       return true;
+}
+
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+-       int ret, err = 0;
+       int ret;
+       bool config_parse_error = false;
+        struct stat sb;
+-       FILE *fp;
+        gnutls_buffer_st buf;
+-       struct ini_ctx ctx;
+ 
+        ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
+       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        if (stat(system_priority_file, &sb) < 0) {
+                _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+                                  system_priority_file, errno);
+
+               (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+               ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+               if (ret < 0)
+                       goto out;
+               /* If system-wide config is unavailable, apply the defaults */
+               cfg_init(&system_wide_config);
+                goto out;
+        }
+ 
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+            system_priority_last_mod == sb.st_mtime) {
+                _gnutls_debug_log("cfg: system priority %s has not changed\n",
+                                  system_priority_file);
+-               if (system_wide_config.priority_string) {
+               if (system_wide_config.priority_string)
+                        goto out; /* nothing to do */
+-               }
+        }
+ 
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+        ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
+       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        /* Another thread could have successfully re-read system-wide config,
+         * skip re-reading if the mtime it has used is exactly the same.
+         */
+-       if (system_priority_file_loaded) {
+       if (system_priority_file_loaded)
+                system_priority_file_loaded =
+                        (system_priority_last_mod == sb.st_mtime);
+-       }
+ 
+        if (!system_priority_file_loaded) {
+-               _name_val_array_clear(&system_wide_config.priority_strings);
+-
+-               gnutls_free(system_wide_config.priority_string);
+-               system_wide_config.priority_string = NULL;
+-
+-               fp = fopen(system_priority_file, "re");
+-               if (fp == NULL) {
+-                       _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+-                                         system_priority_file, errno);
+               config_parse_error = !load_system_priority_file();
+               if (config_parse_error)
+                        goto out;
+-               }
+-               /* Parsing the configuration file needs to be done in 2 phases:
+-                * first parsing the [global] section
+-                * and then the other sections,
+-                * because the [global] section modifies the parsing behavior.
+-                */
+-               memset(&ctx, 0, sizeof(ctx));
+-               err = ini_parse_file(fp, global_ini_handler, &ctx);
+-               if (!err) {
+-                       if (fseek(fp, 0L, SEEK_SET) < 0) {
+-                               _gnutls_debug_log("cfg: unable to rewind: %s\n",
+-                                                 system_priority_file);
+-                               if (fail_on_invalid_config)
+-                                       exit(1);
+-                       }
+-                       err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+-               }
+-               fclose(fp);
+-               if (err) {
+-                       ini_ctx_deinit(&ctx);
+-                       _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+-                                         system_priority_file, err);
+-                       goto out;
+-               }
+-               cfg_apply(&system_wide_config, &ctx);
+-               ini_ctx_deinit(&ctx);
+                _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+                                  system_priority_file,
+                                  (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+-       if (err && fail_on_invalid_config) {
+       if (config_parse_error && fail_on_invalid_config)
+                exit(1);
+-       }
+ 
+        return ret;
+ }
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..714d0af946 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>
+ 
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
+TEST=${builddir}/rsaes-pkcs1-v1_5
+CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+ 
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
+${TEST}
+if [ $? != 0 ]; then
+       echo "${TEST} expected to succeed"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
+${TEST}
+if [ $? = 0 ]; then
+       echo "${TEST} expected to fail"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
+
+${TEST}
+if [ $? != 0 ]; then
+       echo "${TEST} expected to succeed by default"
+       exit 1
+fi
+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
+
+ exit 0
+-- 
+GitLab
diff --git a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
new file mode 100644
index 0000000000..8edd31d6b9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
@@ -0,0 +1,57 @@
+From bfa70adcbda4e505cf2e597907852e78e0439ee2 Mon Sep 17 00:00:00 2001
+From: Ravineet Singh <ravineet.a.singh@est.tech>
+Date: Tue, 10 Jan 2023 16:11:10 +0100
+Subject: [PATCH] gnutls: add ptest support
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Ravineet Singh <ravineet.a.singh@est.tech>
+---
+ Makefile.am       | 3 +++
+ configure.ac      | 2 ++
+ tests/Makefile.am | 6 ++++++
+ 3 files changed, 11 insertions(+)
+diff --git a/Makefile.am b/Makefile.am
+index 843193f..816b09f 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -191,6 +191,9 @@ dist-hook:
+        mv ChangeLog $(distdir)
+        touch -c $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info
+ 
+install-ptest:
+        $(MAKE) -C tests DESTDIR=$(DESTDIR)/tests $@
+
+ .PHONY: abi-check abi-dump-versioned abi-dump-latest pic-check symbol-check local-code-coverage-output files-update AUTHORS
+ 
+ include $(top_srcdir)/cligen/cligen.mk
+diff --git a/configure.ac b/configure.ac
+index 934377e..4406eae 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1213,6 +1213,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
+ 
+ AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
+ 
+AM_EXTRA_RECURSIVE_TARGETS([buildtest-TESTS])
+
+ AC_DEFINE([GNUTLS_INTERNAL_BUILD], 1, [We allow temporarily usage of deprecated functions - until they are removed.])
+ 
+ hw_features=
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index e39a3b3..861dd63 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -663,6 +663,12 @@ SH_LOG_COMPILER = $(SHELL)
+ AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
+ LOG_COMPILER = $(LOG_VALGRIND)
+ 
+install-ptest: $(check_PROGRAMS)
+       @$(INSTALL) -d $(DESTDIR)
+       @for file in $^; do \
+               $(INSTALL_PROGRAM) $$file $(DESTDIR) ; \
+       done
+
+ distclean-local:
+        rm -rf softhsm-*.db softhsm-*.config *.tmp tmp-* x509-crt-list-import-url.config.db port.lock.d
+ 
diff --git a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
index 6eb1edbdb1..883d0123db 100644
--- a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
+++ b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
@@ -1,4 +1,4 @@
-From 8a5c96057cf305bbeac0d6e0e59ee24fbb9497fe Mon Sep 17 00:00:00 2001
+From d17ae0ef31c3c186766a338e8c40c87d1b98820e Mon Sep 17 00:00:00 2001
 From: Joe Slater <jslater@windriver.com>
 Date: Wed, 25 Jan 2017 13:52:59 -0800
 Subject: [PATCH] gnutls: account for ARM_EABI
@@ -9,16 +9,15 @@ reference to them.
 Upstream-Status: Pending
 Signed-off-by: Joe Slater <jslater@windriver.com>
 ---
 tests/seccomp.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/tests/seccomp.c b/tests/seccomp.c
-index ed14d00..3c5b726 100644
+index 881f0bb..5f9204a 100644
 --- a/tests/seccomp.c
 +++ b/tests/seccomp.c
-@@ -53,7 +53,9 @@ int disable_system_calls(void)
+@@ -55,7 +55,9 @@ int disable_system_calls(void)
 
        ADD_SYSCALL(nanosleep, 0);
        ADD_SYSCALL(clock_nanosleep, 0);
diff --git a/meta/recipes-support/gnutls/gnutls/run-ptest b/meta/recipes-support/gnutls/gnutls/run-ptest
new file mode 100644
index 0000000000..17e26eae70
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/run-ptest
@@ -0,0 +1,100 @@
+#!/bin/sh
+rjob() {
+    local job=$1
+    local log=$2
+    # TODO: Output will be garbled
+    ./${job} >> ${log} 2>&1
+    ret=$?
+    case $ret in
+    0)
+        echo "PASS: $t" >> ${log}
+        echo "PASS: $t"
+        ;;
+    77)
+        echo "SKIP: $t" >> ${log}
+        echo "SKIP: $t"
+        ;;
+    *)
+        echo "FAIL: $t" >> ${log}
+        echo "FAIL: $t"
+        ;;
+    esac
+}
+is_disallowed() {
+    local key=$1
+    $(echo ${test_disallowlist} | grep -w -q ${key})
+    return $?
+}
+# TODO
+# This list should probably be in a external file
+# Testcases defined here either take very long time (dtls-stress)
+# or are dependent on local files (certs, etc) in local file system
+# currently not exported to target.
+test_disallowlist=""
+test_disallowlist="${test_disallowlist} dtls-stress"
+test_disallowlist="${test_disallowlist} handshake-large-cert"
+test_disallowlist="${test_disallowlist} id-on-xmppAddr"
+test_disallowlist="${test_disallowlist} mini-x509-cas"
+test_disallowlist="${test_disallowlist} pkcs12_simple"
+test_disallowlist="${test_disallowlist} protocol-set-allowlist"
+test_disallowlist="${test_disallowlist} psk-file"
+test_disallowlist="${test_disallowlist} rawpk-api"
+test_disallowlist="${test_disallowlist} set_pkcs12_cred"
+test_disallowlist="${test_disallowlist} system-override-curves-allowlist"
+test_disallowlist="${test_disallowlist} system-override-hash"
+test_disallowlist="${test_disallowlist} system-override-sig"
+test_disallowlist="${test_disallowlist} system-override-sig-tls"
+test_disallowlist="${test_disallowlist} system-prio-file"
+test_disallowlist="${test_disallowlist} x509cert-tl"
+LOG=${PWD}/tests.log
+cd tests
+max_njobs=$(grep -c ^processor /proc/cpuinfo)
+njobs=0
+set +e
+for t in *; do
+    [ -x $t ] || continue
+    [ -f $t ] || continue
+    is_disallowed ${t}
+    [ $? -eq 0 ] && continue
+    rjob ${t} ${LOG} &
+    one=1
+    njobs=$(expr ${njobs} + ${one})
+    if [ ${njobs} -eq ${max_njobs} ]; then
+        wait
+        njobs=0
+    fi
+done
+wait
+skipped=$(grep -c SKIP ${LOG})
+passed=$(grep -c PASS ${LOG})
+failed=$(grep -c FAIL ${LOG})
+total=$(expr ${passed} + ${failed} + ${skipped})
+if [ ${failed} -ne 0 ]; then
+    echo
+    echo "Tests failed for gnutls, log is:"
+    echo "--------------------"
+    cat ${LOG}
+    echo
+fi
+echo
+echo "gnutls test summary:"
+echo "--------------------"
+echo "total: ${total}"
+echo "pass : ${passed}"
+echo "fail : ${failed}"
+echo "skip : ${skipped}"
+echo

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch new file mode 100644 index 0000000000..d13bfee8ef --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
@@ -0,0 +1,26 @@
		1	From 7be8ec59a53e93c2bd453b3ba2d63d1b300ef11f Mon Sep 17 00:00:00 2001
		2	From: Lei Maohui <leimaohui@fujitsu.com>
		3	Date: Mon, 23 May 2022 10:44:43 +0900
		4	Subject: [PATCH] Creating .hmac file should be excuted in target environment,
		5	so deleted it from build process.
		6
		7	Upstream-Status: Inappropriate [https://gitlab.com/gnutls/gnutls/-/issues/1373]
		8	Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
		9	---
		10	lib/Makefile.am \| 3 +--
		11	1 file changed, 1 insertion(+), 2 deletions(-)
		12
		13	diff --git a/lib/Makefile.am b/lib/Makefile.am
		14	index a50d311..193ea19 100644
		15	--- a/lib/Makefile.am
		16	+++ b/lib/Makefile.am
		17	@@ -198,8 +198,7 @@ hmac_file = .libs/.$(gnutls_so).hmac
		18
		19	all-local: $(hmac_file)
		20
		21	-$(hmac_file): libgnutls.la fipshmac
		22	- $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@
		23	+.libs/.$(gnutls_so).hmac:
		24
		25	CLEANFILES = $(hmac_file)
		26	endif


diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch new file mode 100644 index 0000000000..cc39f5c9a5 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
		1	From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
		2	From: Zoltan Fridrich <zfridric@redhat.com>
		3	Date: Wed, 10 Apr 2024 12:51:33 +0200
		4	Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
		5
		6	Upstream-Status: Backport [expected for 3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
		7
		8	Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
		9	Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
		10	---
		11	lib/priority.c \| 125 +++++++++++-------
		12	...system-override-allow-rsa-pkcs1-encrypt.sh \| 27 +++-
		13	2 files changed, 96 insertions(+), 56 deletions(-)
		14
		15	diff --git a/lib/priority.c b/lib/priority.c
		16	index 8abe00d1ff..3434619aad 100644
		17	--- a/lib/priority.c
		18	+++ b/lib/priority.c
		19	@@ -1018,6 +1018,12 @@ struct cfg {
		20	bool force_ext_master_secret_set;
		21	};
		22
		23	+static inline void cfg_init(struct cfg *cfg)
		24	+{
		25	+ memset(cfg, 0, sizeof(*cfg));
		26	+ cfg->allow_rsa_pkcs1_encrypt = true;
		27	+}
		28	+
		29	static inline void cfg_deinit(struct cfg *cfg)
		30	{
		31	if (cfg->priority_strings) {
		32	@@ -1095,6 +1101,12 @@ struct ini_ctx {
		33	size_t curves_size;
		34	};
		35
		36	+static inline void ini_ctx_init(struct ini_ctx *ctx)
		37	+{
		38	+ memset(ctx, 0, sizeof(*ctx));
		39	+ cfg_init(&ctx->cfg);
		40	+}
		41	+
		42	static inline void ini_ctx_deinit(struct ini_ctx *ctx)
		43	{
		44	cfg_deinit(&ctx->cfg);
		45	@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg cfg, struct ini_ctx ctx)
		46	_gnutls_default_priority_string = cfg->default_priority_string;
		47	}
		48
		49	- /* enable RSA-PKCS1-V1_5 by default */
		50	- cfg->allow_rsa_pkcs1_encrypt = true;
		51	-
		52	if (cfg->allowlisting) {
		53	/* also updates `flags` of global `hash_algorithms[]` */
		54	ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
		55	@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
		56	return 0;
		57	}
		58
		59	+/* Returns false on parse error, otherwise true.
		60	+ * The system_wide_config must be locked for writing.
		61	+ */
		62	+static inline bool load_system_priority_file(void)
		63	+{
		64	+ int err;
		65	+ FILE *fp;
		66	+ struct ini_ctx ctx;
		67	+
		68	+ cfg_init(&system_wide_config);
		69	+
		70	+ fp = fopen(system_priority_file, "re");
		71	+ if (fp == NULL) {
		72	+ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
		73	+ system_priority_file, errno);
		74	+ return true;
		75	+ }
		76	+
		77	+ /* Parsing the configuration file needs to be done in 2 phases:
		78	+ * first parsing the [global] section
		79	+ * and then the other sections,
		80	+ * because the [global] section modifies the parsing behavior.
		81	+ */
		82	+ ini_ctx_init(&ctx);
		83	+ err = ini_parse_file(fp, global_ini_handler, &ctx);
		84	+ if (!err) {
		85	+ if (fseek(fp, 0L, SEEK_SET) < 0) {
		86	+ _gnutls_debug_log("cfg: unable to rewind: %s\n",
		87	+ system_priority_file);
		88	+ if (fail_on_invalid_config)
		89	+ exit(1);
		90	+ }
		91	+ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
		92	+ }
		93	+ fclose(fp);
		94	+ if (err) {
		95	+ ini_ctx_deinit(&ctx);
		96	+ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
		97	+ system_priority_file, err);
		98	+ return false;
		99	+ }
		100	+ cfg_apply(&system_wide_config, &ctx);
		101	+ ini_ctx_deinit(&ctx);
		102	+ return true;
		103	+}
		104	+
		105	static int _gnutls_update_system_priorities(bool defer_system_wide)
		106	{
		107	- int ret, err = 0;
		108	+ int ret;
		109	+ bool config_parse_error = false;
		110	struct stat sb;
		111	- FILE *fp;
		112	gnutls_buffer_st buf;
		113	- struct ini_ctx ctx;
		114
		115	ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
		116	- if (ret < 0) {
		117	+ if (ret < 0)
		118	return gnutls_assert_val(ret);
		119	- }
		120
		121	if (stat(system_priority_file, &sb) < 0) {
		122	_gnutls_debug_log("cfg: unable to access: %s: %d\n",
		123	system_priority_file, errno);
		124	+
		125	+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		126	+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
		127	+ if (ret < 0)
		128	+ goto out;
		129	+ /* If system-wide config is unavailable, apply the defaults */
		130	+ cfg_init(&system_wide_config);
		131	goto out;
		132	}
		133
		134	@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
		135	system_priority_last_mod == sb.st_mtime) {
		136	_gnutls_debug_log("cfg: system priority %s has not changed\n",
		137	system_priority_file);
		138	- if (system_wide_config.priority_string) {
		139	+ if (system_wide_config.priority_string)
		140	goto out; /* nothing to do */
		141	- }
		142	}
		143
		144	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		145
		146	ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
		147	- if (ret < 0) {
		148	+ if (ret < 0)
		149	return gnutls_assert_val(ret);
		150	- }
		151
		152	/* Another thread could have successfully re-read system-wide config,
		153	* skip re-reading if the mtime it has used is exactly the same.
		154	*/
		155	- if (system_priority_file_loaded) {
		156	+ if (system_priority_file_loaded)
		157	system_priority_file_loaded =
		158	(system_priority_last_mod == sb.st_mtime);
		159	- }
		160
		161	if (!system_priority_file_loaded) {
		162	- _name_val_array_clear(&system_wide_config.priority_strings);
		163	-
		164	- gnutls_free(system_wide_config.priority_string);
		165	- system_wide_config.priority_string = NULL;
		166	-
		167	- fp = fopen(system_priority_file, "re");
		168	- if (fp == NULL) {
		169	- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
		170	- system_priority_file, errno);
		171	+ config_parse_error = !load_system_priority_file();
		172	+ if (config_parse_error)
		173	goto out;
		174	- }
		175	- /* Parsing the configuration file needs to be done in 2 phases:
		176	- * first parsing the [global] section
		177	- * and then the other sections,
		178	- * because the [global] section modifies the parsing behavior.
		179	- */
		180	- memset(&ctx, 0, sizeof(ctx));
		181	- err = ini_parse_file(fp, global_ini_handler, &ctx);
		182	- if (!err) {
		183	- if (fseek(fp, 0L, SEEK_SET) < 0) {
		184	- _gnutls_debug_log("cfg: unable to rewind: %s\n",
		185	- system_priority_file);
		186	- if (fail_on_invalid_config)
		187	- exit(1);
		188	- }
		189	- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
		190	- }
		191	- fclose(fp);
		192	- if (err) {
		193	- ini_ctx_deinit(&ctx);
		194	- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
		195	- system_priority_file, err);
		196	- goto out;
		197	- }
		198	- cfg_apply(&system_wide_config, &ctx);
		199	- ini_ctx_deinit(&ctx);
		200	_gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
		201	system_priority_file,
		202	(unsigned long long)sb.st_mtime);
		203	@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
		204	out:
		205	(void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
		206
		207	- if (err && fail_on_invalid_config) {
		208	+ if (config_parse_error && fail_on_invalid_config)
		209	exit(1);
		210	- }
		211
		212	return ret;
		213	}
		214	diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		215	index b7d477c96e..714d0af946 100755
		216	--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		217	+++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
		218	@@ -19,9 +19,8 @@
		219	# You should have received a copy of the GNU Lesser General Public License
		220	# along with this program. If not, see <https://www.gnu.org/licenses/>
		221
		222	-: ${srcdir=.}
		223	-TEST=${srcdir}/rsaes-pkcs1-v1_5
		224	-CONF=${srcdir}/config.$$.tmp
		225	+TEST=${builddir}/rsaes-pkcs1-v1_5
		226	+CONF=config.$$.tmp
		227	export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
		228	export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
		229
		230	@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
		231	allow-rsa-pkcs1-encrypt = true
		232	_EOF_
		233
		234	-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
		235	+${TEST}
		236	+if [ $? != 0 ]; then
		237	+ echo "${TEST} expected to succeed"
		238	+ exit 1
		239	+fi
		240	+echo "RSAES-PKCS1-v1_5 successfully enabled"
		241
		242	cat <<_EOF_ > ${CONF}
		243	[overrides]
		244	allow-rsa-pkcs1-encrypt = false
		245	_EOF_
		246
		247	-${TEST} \|\| fail "RSAES-PKCS1-v1_5 expected to fail"
		248	+${TEST}
		249	+if [ $? = 0 ]; then
		250	+ echo "${TEST} expected to fail"
		251	+ exit 1
		252	+fi
		253	+echo "RSAES-PKCS1-v1_5 successfully disabled"
		254
		255	unset GNUTLS_SYSTEM_PRIORITY_FILE
		256	unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
		257	+
		258	+${TEST}
		259	+if [ $? != 0 ]; then
		260	+ echo "${TEST} expected to succeed by default"
		261	+ exit 1
		262	+fi
		263	+echo "RSAES-PKCS1-v1_5 successfully enabled by default"
		264	+
		265	exit 0
		266	--
		267	GitLab
		268
		269


diff --git a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch new file mode 100644 index 0000000000..8edd31d6b9 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
@@ -0,0 +1,57 @@
		1	From bfa70adcbda4e505cf2e597907852e78e0439ee2 Mon Sep 17 00:00:00 2001
		2	From: Ravineet Singh <ravineet.a.singh@est.tech>
		3	Date: Tue, 10 Jan 2023 16:11:10 +0100
		4	Subject: [PATCH] gnutls: add ptest support
		5
		6	Upstream-Status: Inappropriate [embedded specific]
		7	Signed-off-by: Ravineet Singh <ravineet.a.singh@est.tech>
		8	---
		9	Makefile.am \| 3 +++
		10	configure.ac \| 2 ++
		11	tests/Makefile.am \| 6 ++++++
		12	3 files changed, 11 insertions(+)
		13
		14	diff --git a/Makefile.am b/Makefile.am
		15	index 843193f..816b09f 100644
		16	--- a/Makefile.am
		17	+++ b/Makefile.am
		18	@@ -191,6 +191,9 @@ dist-hook:
		19	mv ChangeLog $(distdir)
		20	touch -c $(distdir)/doc/.html $(distdir)/doc/.pdf $(distdir)/doc/*.info
		21
		22	+install-ptest:
		23	+ $(MAKE) -C tests DESTDIR=$(DESTDIR)/tests $@
		24	+
		25	.PHONY: abi-check abi-dump-versioned abi-dump-latest pic-check symbol-check local-code-coverage-output files-update AUTHORS
		26
		27	include $(top_srcdir)/cligen/cligen.mk
		28	diff --git a/configure.ac b/configure.ac
		29	index 934377e..4406eae 100644
		30	--- a/configure.ac
		31	+++ b/configure.ac
		32	@@ -1213,6 +1213,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
		33
		34	AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
		35
		36	+AM_EXTRA_RECURSIVE_TARGETS([buildtest-TESTS])
		37	+
		38	AC_DEFINE([GNUTLS_INTERNAL_BUILD], 1, [We allow temporarily usage of deprecated functions - until they are removed.])
		39
		40	hw_features=
		41	diff --git a/tests/Makefile.am b/tests/Makefile.am
		42	index e39a3b3..861dd63 100644
		43	--- a/tests/Makefile.am
		44	+++ b/tests/Makefile.am
		45	@@ -663,6 +663,12 @@ SH_LOG_COMPILER = $(SHELL)
		46	AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
		47	LOG_COMPILER = $(LOG_VALGRIND)
		48
		49	+install-ptest: $(check_PROGRAMS)
		50	+ @$(INSTALL) -d $(DESTDIR)
		51	+ @for file in $^; do \
		52	+ $(INSTALL_PROGRAM) $$file $(DESTDIR) ; \
		53	+ done
		54	+
		55	distclean-local:
		56	rm -rf softhsm-.db softhsm-.config .tmp tmp- x509-crt-list-import-url.config.db port.lock.d
		57


diff --git a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch index 6eb1edbdb1..883d0123db 100644 --- a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch +++ b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
@@ -1,4 +1,4 @@
1	From 8a5c96057cf305bbeac0d6e0e59ee24fbb9497fe Mon Sep 17 00:00:00 2001	1	From d17ae0ef31c3c186766a338e8c40c87d1b98820e Mon Sep 17 00:00:00 2001
2	From: Joe Slater <jslater@windriver.com>	2	From: Joe Slater <jslater@windriver.com>
3	Date: Wed, 25 Jan 2017 13:52:59 -0800	3	Date: Wed, 25 Jan 2017 13:52:59 -0800
4	Subject: [PATCH] gnutls: account for ARM_EABI	4	Subject: [PATCH] gnutls: account for ARM_EABI
@@ -9,16 +9,15 @@ reference to them.
9	Upstream-Status: Pending	9	Upstream-Status: Pending
10		10
11	Signed-off-by: Joe Slater <jslater@windriver.com>	11	Signed-off-by: Joe Slater <jslater@windriver.com>
12
13	---	12	---
14	tests/seccomp.c \| 2 ++	13	tests/seccomp.c \| 2 ++
15	1 file changed, 2 insertions(+)	14	1 file changed, 2 insertions(+)
16		15
17	diff --git a/tests/seccomp.c b/tests/seccomp.c	16	diff --git a/tests/seccomp.c b/tests/seccomp.c
18	index ed14d00..3c5b726 100644	17	index 881f0bb..5f9204a 100644
19	--- a/tests/seccomp.c	18	--- a/tests/seccomp.c
20	+++ b/tests/seccomp.c	19	+++ b/tests/seccomp.c
21	@@ -53,7 +53,9 @@ int disable_system_calls(void)	20	@@ -55,7 +55,9 @@ int disable_system_calls(void)
22		21
23	ADD_SYSCALL(nanosleep, 0);	22	ADD_SYSCALL(nanosleep, 0);
24	ADD_SYSCALL(clock_nanosleep, 0);	23	ADD_SYSCALL(clock_nanosleep, 0);


diff --git a/meta/recipes-support/gnutls/gnutls/run-ptest b/meta/recipes-support/gnutls/gnutls/run-ptest new file mode 100644 index 0000000000..17e26eae70 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/run-ptest
@@ -0,0 +1,100 @@
		1	#!/bin/sh
		2
		3	rjob() {
		4	local job=$1
		5	local log=$2
		6
		7	# TODO: Output will be garbled
		8	./${job} >> ${log} 2>&1
		9
		10	ret=$?
		11	case $ret in
		12	0)
		13	echo "PASS: $t" >> ${log}
		14	echo "PASS: $t"
		15	;;
		16	77)
		17	echo "SKIP: $t" >> ${log}
		18	echo "SKIP: $t"
		19	;;
		20	*)
		21	echo "FAIL: $t" >> ${log}
		22	echo "FAIL: $t"
		23	;;
		24	esac
		25	}
		26
		27	is_disallowed() {
		28	local key=$1
		29	$(echo ${test_disallowlist} \| grep -w -q ${key})
		30	return $?
		31	}
		32
		33	# TODO
		34	# This list should probably be in a external file
		35	# Testcases defined here either take very long time (dtls-stress)
		36	# or are dependent on local files (certs, etc) in local file system
		37	# currently not exported to target.
		38
		39	test_disallowlist=""
		40	test_disallowlist="${test_disallowlist} dtls-stress"
		41	test_disallowlist="${test_disallowlist} handshake-large-cert"
		42	test_disallowlist="${test_disallowlist} id-on-xmppAddr"
		43	test_disallowlist="${test_disallowlist} mini-x509-cas"
		44	test_disallowlist="${test_disallowlist} pkcs12_simple"
		45	test_disallowlist="${test_disallowlist} protocol-set-allowlist"
		46	test_disallowlist="${test_disallowlist} psk-file"
		47	test_disallowlist="${test_disallowlist} rawpk-api"
		48	test_disallowlist="${test_disallowlist} set_pkcs12_cred"
		49	test_disallowlist="${test_disallowlist} system-override-curves-allowlist"
		50	test_disallowlist="${test_disallowlist} system-override-hash"
		51	test_disallowlist="${test_disallowlist} system-override-sig"
		52	test_disallowlist="${test_disallowlist} system-override-sig-tls"
		53	test_disallowlist="${test_disallowlist} system-prio-file"
		54	test_disallowlist="${test_disallowlist} x509cert-tl"
		55
		56	LOG=${PWD}/tests.log
		57	cd tests
		58	max_njobs=$(grep -c ^processor /proc/cpuinfo)
		59	njobs=0
		60
		61	set +e
		62
		63	for t in *; do
		64	[ -x $t ] \|\| continue
		65	[ -f $t ] \|\| continue
		66
		67	is_disallowed ${t}
		68	[ $? -eq 0 ] && continue
		69
		70	rjob ${t} ${LOG} &
		71	one=1
		72	njobs=$(expr ${njobs} + ${one})
		73	if [ ${njobs} -eq ${max_njobs} ]; then
		74	wait
		75	njobs=0
		76	fi
		77	done
		78	wait
		79
		80	skipped=$(grep -c SKIP ${LOG})
		81	passed=$(grep -c PASS ${LOG})
		82	failed=$(grep -c FAIL ${LOG})
		83	total=$(expr ${passed} + ${failed} + ${skipped})
		84
		85	if [ ${failed} -ne 0 ]; then
		86	echo
		87	echo "Tests failed for gnutls, log is:"
		88	echo "--------------------"
		89	cat ${LOG}
		90	echo
		91	fi
		92
		93	echo
		94	echo "gnutls test summary:"
		95	echo "--------------------"
		96	echo "total: ${total}"
		97	echo "pass : ${passed}"
		98	echo "fail : ${failed}"
		99	echo "skip : ${skipped}"
		100	echo