From f4d5467eb1a2270e18b34da39c05e1122eb64d48 Mon Sep 17 00:00:00 2001
From: Liquor <1692257904@qq.com>
Date: Sat, 30 Jan 2021 17:10:14 +0800
Subject: [PATCH] backport upsteam patches to fix testpkcs11.sh test failed
---
 ...kip_if_no_datefudge-to-testpkcs11.sh.patch | 27 -------
 ...atefudge-to-trick-certificate-expiry.patch | 78 +++++++++++++++++++
 ...rt-tests-remove-launch_pkcs11_server.patch | 51 ++++++++++++
 gnutls.spec | 10 ++-
 4 files changed, 136 insertions(+), 30 deletions(-)
 delete mode 100644 add-skip_if_no_datefudge-to-testpkcs11.sh.patch
 create mode 100644 backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
 create mode 100644 backport-tests-remove-launch_pkcs11_server.patch
diff --git a/add-skip_if_no_datefudge-to-testpkcs11.sh.patch b/add-skip_if_no_datefudge-to-testpkcs11.sh.patch
deleted file mode 100644
index 2f562af..0000000
--- a/add-skip_if_no_datefudge-to-testpkcs11.sh.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b8a06681c876181df7a2bd812a14860afd43c490 Mon Sep 17 00:00:00 2001
-From: Liquor
-Date: Fri, 18 Dec 2020 16:17:33 +0800
-Subject: [PATCH] add skip_if_no_datefudge to testpkcs11.sh
-
-Reason: test certificates in tests/testpkcs11-certs have expired
-issue:https://gitlab.com/gnutls/gnutls/-/issues/1135
----
- tests/testpkcs11.sh | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
-index 9458af2..71f4e31 100755
---- a/tests/testpkcs11.sh
-+++ b/tests/testpkcs11.sh
-@@ -69,6 +69,8 @@ SERV="${SERV} -q"
-
- . ${srcdir}/scripts/common.sh
-
-+skip_if_no_datefudge
-+
- rm -f "${LOGFILE}"
-
- exit_error () {
---
-2.27.0
-
diff --git a/backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch b/backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
new file mode 100644
index 0000000..83299ea
--- /dev/null
+++ b/backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
@@ -0,0 +1,78 @@
+From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 28 Dec 2020 16:16:53 +0100
+Subject: [PATCH] testpkcs11: use datefudge to trick certificate expiry
+
+The certificates stored in tests/testpkcs11-certs expired on
+2020-12-13. To avoid verification failure due to that, use datefudge
+to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
+
+Based on the patch by Andreas Metzler:
+https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
+
+Signed-off-by: Daiki Ueno
+---
+ tests/testpkcs11.sh | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 38b9585bc..09a627477 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -67,6 +69,8 @@ have_ed25519=0
+ P11TOOL="${VALGRIND} ${P11TOOL} --batch"
+ SERV="${SERV} -q"
+
++TESTDATE=2020-12-01
++
+ . ${srcdir}/scripts/common.sh
+
+ rm -f "${LOGFILE}"
+@@ -79,6 +81,8 @@ exit_error () {
+ exit 1
+ }
+
++skip_if_no_datefudge
++
+ # $1: token
+ # $2: PIN
+ # $3: filename
+@@ -523,6 +527,7 @@ write_certificate_test () {
+ pubkey="$5"
+
+ echo -n "* Generating client certificate... "
++ datefudge -s "$TESTDATE" \
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
+ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
+ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
+@@ -900,7 +905,9 @@ use_certificate_test () {
+ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
+ # start server
+ eval "${GETPORT}"
+- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
++ launch_bare_server datefudge -s "$TESTDATE" \
++ $VALGRIND $SERV $DEBUG -p "$PORT" \
++ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
+ --x509keyfile="$keyfile" --x509cafile="${cafile}" \
+ --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
+
+@@ -908,13 +915,16 @@ use_certificate_test () {
+ wait_server ${PID}
+
+ # connect to server using SC
++ datefudge -s "$TESTDATE" \
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \
+ fail ${PID} "Connection should have failed!"
+
++ datefudge -s "$TESTDATE" \
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
+ --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \
+ fail ${PID} "Connection (with files) should have succeeded!"
+
++ datefudge -s "$TESTDATE" \
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
+ --x509keyfile="${token};object=gnutls-client;object-type=private" \
+ --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \
+--
+2.27.0
+
diff --git a/backport-tests-remove-launch_pkcs11_server.patch b/backport-tests-remove-launch_pkcs11_server.patch
new file mode 100644
index 0000000..ffff1e9
--- /dev/null
+++ b/backport-tests-remove-launch_pkcs11_server.patch
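Review bot: The new `launch_bare_server datefudge -s "$TESTDATE" \` call in use_certificate_test passes `datefudge` as the helper's first argument, but the context lines of backport-tests-remove-launch_pkcs11_server.patch show `launch_bare_server()` in tests/scripts/common.sh starting with `PARENT="$1"` followed by `shift`. If the helper still has that shape in the 3.6.15 tree, `datefudge` is swallowed as PARENT and gnutls-serv is not started under the faked clock; the rest of the helper's body is outside the visible hunks, so this has to be checked against the unpacked source. A server that never comes up would also let the first client check, `fail ${PID} "Connection should have failed!"`, pass for the wrong reason. The common.sh change that this call was written against (launch_bare_server running its arguments as the command) should be backported alongside, or the call adapted to the helper as it exists in this tree.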
@@ -0,0 +1,51 @@
+From a7b126acd4793ced574acb68bdbf5c6a48bb4ad5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Wed, 23 Sep 2020 09:34:09 +0200
+Subject: [PATCH] tests: remove launch_pkcs11_server
+
+This function is only used by testpkcs11.sh.
+
+Signed-off-by: Daiki Ueno
+---
+ tests/scripts/common.sh | 11 -----------
+ tests/testpkcs11.sh | 2 +-
+ 2 files changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
+index 6ae19fa..5e6f91b 100644
+--- a/tests/scripts/common.sh
++++ b/tests/scripts/common.sh
+@@ -168,17 +168,6 @@ launch_server() {
+ ${SERV} ${DEBUG} -p "${PORT}" $* >${LOGFILE-/dev/null} &
+ }
+
+-launch_pkcs11_server() {
+- PARENT="$1"
+- shift
+- PROVIDER="$1"
+- shift
+-
+- wait_for_free_port ${PORT}
+-
+- ${VALGRIND} ${SERV} ${PROVIDER} ${DEBUG} -p "${PORT}" $* &
+-}
+-
+ launch_bare_server() {
+ PARENT="$1"
+ shift
+diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
+index 9458af2..b69e312 100755
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -900,7 +900,7 @@ use_certificate_test () {
+ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
+ # start server
+ eval "${GETPORT}"
+- launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
++ launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ --x509keyfile="$keyfile" --x509cafile="${cafile}" \
+ --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
+
+--
+2.27.0
+
diff --git a/gnutls.spec b/gnutls.spec
index d7ec642..5f5a63b 100644
--- a/gnutls.spec
+++ b/gnutls.spec
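Review bot: With only this patch applied, the gnutls-serv instance in use_certificate_test no longer runs under `${VALGRIND}`: the removed `launch_pkcs11_server` ran `${VALGRIND} ${SERV} ...`, while the `launch_server` shown in the context runs `${SERV} ${DEBUG} -p "${PORT}" $*`. `launch_server` also redirects stdout with `>${LOGFILE-/dev/null}` while the caller appends with `>>"${LOGFILE}" 2>&1`, so two descriptors write to the same log and output can be overwritten. The datefudge patch rewrites this call again, so the patch is effectively a context prerequisite; that ordering is worth recording next to the Patch lines in the spec, e.g. `# Patch2 is a prerequisite for Patch3; keep them together and in this order`.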
@@ -1,15 +1,16 @@ Name: gnutls Version: 3.6.15 -Release: 1 +Release: 2 Summary: The GNU Secure Communication Protocol Library License: LGPLv2.1+ and GPLv3+ URL: https://www.gnutls.org/ Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig -Patch0: fix-ipv6-handshake-failed.patch -Patch9000: add-skip_if_no_datefudge-to-testpkcs11.sh.patch +Patch1: fix-ipv6-handshake-failed.patch +Patch2: backport-tests-remove-launch_pkcs11_server.patch +Patch3: backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch %bcond_without dane %bcond_with guile @@ -200,6 +201,9 @@ make check %{?_smp_mflags} %endif %changelog +* Sat Jan 30 2021 lirui - 3.6.15-2 +- backport upsteam patches to fix testpkcs11.sh test failed + * Wed Jan 20 2021 wangchen - 3.6.15-1 - update to 3.6.15
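Review bot: With Patch3 the PKCS #11 test calls `skip_if_no_datefudge`, so whether `make check` actually exercises it depends on datefudge being present in the build root, and no `BuildRequires: datefudge` is visible in these hunks. If it is missing, the test is presumably skipped rather than failed, and the build stays green with no PKCS #11 coverage; add the build dependency if the spec does not already carry it outside the hunk. Separately, `Patch0` is renumbered to `Patch1`: if %prep applies patches by number (`%patch0 -p1`) rather than through %autosetup, that line needs the same renumbering. The %prep section is outside the visible hunks.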