Skip to content

Commit

Permalink
Merge commit 'cd953cfa483801a6b71bdf920bb534fb297fdfac'
Browse files Browse the repository at this point in the history
  • Loading branch information
Sibras committed Oct 19, 2024
2 parents 43c17fb + cd953cf commit 0c572de
Show file tree
Hide file tree
Showing 160 changed files with 8,097 additions and 3,839 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -672,6 +672,7 @@ tests/rsa-psk
tests/rsa-psk-cb
tests/rsa-rsa-oaep
tests/rsa-rsa-pss
tests/rsaes-pkcs1-v1_5
tests/safe-renegotiation/Makefile
tests/safe-renegotiation/Makefile.in
tests/safe-renegotiation/srn*
Expand Down
64 changes: 29 additions & 35 deletions .gitlab-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ variables:
# name to allow expiration of old caches.
BUILD_IMAGES_PROJECT: gnutls/build-images
DEBIAN_BUILD: buildenv-debian-testing
FEDORA_BUILD: buildenv-fedora38
FEDORA_CROSS_BUILD: buildenv-cross-fedora38
MINGW_BUILD: buildenv-mingw-fedora38
FEDORA_BUILD: buildenv-fedora40
FEDORA_CROSS_BUILD: buildenv-cross-fedora40
MINGW_BUILD: buildenv-mingw-fedora40
ALPINE_BASE_BUILD: buildenv-alpine-base
COMPILER: gcc
CPPCHECK_OPTIONS: "--enable=warning --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
Expand All @@ -29,7 +29,7 @@ variables:
CHECKJOBS: 16

cache:
key: "$CI_JOB_NAME-ver32"
key: "$CI_JOB_NAME-ver39"
paths:
- cache/

Expand Down Expand Up @@ -59,8 +59,7 @@ default:
.bootstrap:
stage: bootstrap
tags:
- shared
- linux
- saas-linux-small-amd64
script:
- devel/preserve-timestamp stamp.pre-bootstrap
- SUBMODULE_NOFETCH=1 ./bootstrap --copy --skip-po
Expand All @@ -71,8 +70,7 @@ default:
.build:
stage: build
tags:
- shared
- linux
- saas-linux-small-amd64
except:
- tags # TODO
artifacts:
Expand All @@ -84,8 +82,7 @@ default:
script:
- make -j$CHECKJOBS check
tags:
- shared
- linux
- saas-linux-small-amd64
except:
- tags # TODO
artifacts:
Expand Down Expand Up @@ -114,10 +111,10 @@ default:
.mingw:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
variables:
COMPILER: "${arch_name}-w64-mingw32-gcc"
CFLAGS: "-fstack-protector"
CXXFLAGS: "-fstack-protector"
LDFLAGS: "-fstack-protector"
# COMPILER: "${arch_name}-w64-mingw32-gcc"
# CFLAGS: "-fstack-protector"
# CXXFLAGS: "-fstack-protector"
# LDFLAGS: "-fstack-protector"
WINEPATH: "/usr/${arch_name}-w64-mingw32/sys-root/mingw/bin"
before_script:
- *prepare-ccache
Expand Down Expand Up @@ -163,9 +160,9 @@ commit-check:
cache: {}
script:
# we want $ALPINE_BASE_BUILD without git, so we are adding it here
- apk add git bash grep clang16-extra-tools
- apk add git bash grep clang18-extra-tools
- devel/check_if_signed
- PATH=/usr/lib/llvm16/bin:$PATH devel/indent-gnutls
- PATH=/usr/lib/llvm18/bin:$PATH devel/indent-gnutls
- devel/check-headers.sh
- git diff --exit-code # nothing should change version controlled files
retry: 0
Expand Down Expand Up @@ -221,8 +218,7 @@ UB+ASAN-Werror.Fedora.x86_64.gcc:
# Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
- make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
tags:
- shared
- linux
- saas-linux-small-amd64
except:
- tags

Expand Down Expand Up @@ -258,8 +254,7 @@ UB+ASAN-Werror-aggressive.Fedora.x86_64.gcc:
# Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
- make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
tags:
- shared
- linux
- saas-linux-small-amd64
except:
- tags

Expand Down Expand Up @@ -403,6 +398,7 @@ fedora-interop/test:
- echo "PATH=$PATH"
- which gnutls-cli gnutls-serv
- cd tests/suite/tls-interoperability/
- cp openssl/openssl.cnf /etc/pki/tls/openssl.cnf # workaround for CCM8 ciphers moved to SECLEVEL=0
- echo "Tests to run:"
- tmt run plans -n interop tests -f "tag:interop-gnutls" -f "tag:interop-$TYPE" -f "tag:interop-$COMPONENT" discover -v
- echo "Slicing SLICE_TOTAL=$SLICES SLICE_ID=$SLICEID"
Expand Down Expand Up @@ -520,10 +516,9 @@ fedora-threadsan/build:
needs:
- fedora/bootstrap
script:
- CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
dash ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-non-suiteb-curves --enable-fips140-mode --disable-full-test-suite --with-pkcs12-iter-count=10000
- make -j$BUILDJOBS
- make -j$BUILDJOBS -C tests check SUBDIRS=. TESTS="" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
- setarch $(uname -m) -R -- dash ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-non-suiteb-curves --enable-fips140-mode --disable-full-test-suite --with-pkcs12-iter-count=10000 CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
- setarch $(uname -m) -R -- make -j$BUILDJOBS
- setarch $(uname -m) -R -- make -j$BUILDJOBS -C tests check SUBDIRS=. TESTS="" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1

fedora-threadsan/test:
extends:
Expand All @@ -534,7 +529,7 @@ fedora-threadsan/test:
needs:
- fedora-threadsan/build
script:
- make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
- setarch $(uname -m) -R -- make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1

fedora-static-analyzers/build:
extends:
Expand Down Expand Up @@ -623,8 +618,7 @@ fedora-abicoverage/build:
- make -j$BUILDJOBS
- make -j$BUILDJOBS check TESTS=""
tags:
- shared
- linux
- saas-linux-small-amd64
except:
- tags

Expand All @@ -640,7 +634,7 @@ fedora-abicoverage/test:
- make abi-check
- make pic-check
- make -j$CHECKJOBS check
- gcovr --xml-pretty --exclude-unreachable-branches --print-summary -o coverage.xml --root ${CI_PROJECT_DIR}
- gcovr -fprofile-update=atomic --xml-pretty --exclude-unreachable-branches --gcov-ignore-parse-errors=negative_hits.warn_once_per_file --print-summary -o coverage.xml --root ${CI_PROJECT_DIR}
- if objdump -R lib/.libs/libgnutls.so | grep INTERNAL ; then false ; fi
coverage: /^\s*lines:\s*\d+.\d+\%/
artifacts:
Expand Down Expand Up @@ -679,9 +673,7 @@ fedora-cross/bootstrap:
# build tests, but don't execute them
- make -j$BUILDJOBS -C tests check TESTS=""
tags:
- shared
- docker
- linux
- saas-linux-small-amd64

.fedora-cross/test:
extends:
Expand All @@ -695,9 +687,7 @@ fedora-cross/bootstrap:
- make pic-check
- make -j$BUILDJOBS -C tests check
tags:
- shared
- docker
- linux
- saas-linux-small-amd64

fedora-cross/aarch64-linux-gnu/build: # name is important, see .fedora-cross/build
extends:
Expand Down Expand Up @@ -820,7 +810,7 @@ debian/test:
script:
# - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
# - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- dash ./configure --disable-gcc-warnings --host=${arch_name}-w64-mingw32 --target=${arch_name}-w64-mingw32 --cache-file $CCACHE_FILE --with-included-libtasn1 --disable-nls --with-included-unistring --without-p11-kit --disable-non-suiteb-curves --disable-full-test-suite --disable-doc --with-pkcs12-iter-count=10000
- mingw${arch_bits}-configure --disable-gcc-warnings --host=${arch_name}-w64-mingw32 --target=${arch_name}-w64-mingw32 --cache-file $CCACHE_FILE --disable-nls --with-included-unistring --disable-non-suiteb-curves --disable-full-test-suite --disable-doc --with-pkcs12-iter-count=10000
- mingw${arch_bits}-make -j$BUILDJOBS
# https://bugzilla.redhat.com/show_bug.cgi?id=2049401
- mingw${arch_bits}-make -j$BUILDJOBS -C $PWD/tests check TESTS=""
Expand Down Expand Up @@ -883,6 +873,8 @@ mingw64/test:
extends:
- .mingw/test
- .mingw64
variables:
GNUTLS_NO_IMPLICIT_INIT: 1
dependencies:
- mingw64/build
needs:
Expand Down Expand Up @@ -911,6 +903,8 @@ mingw64-vista/test:
- .mingw/test
- .mingw64
- .mingw-vista
variables:
GNUTLS_NO_IMPLICIT_INIT: 1
dependencies:
- mingw64-vista/build
needs:
Expand Down
41 changes: 41 additions & 0 deletions NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,47 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.

* Version 3.8.6 (released 2024-07-03)

** libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
PBKDF2 (PBMAC1) is now supported, according to the specification
proposed in draft-ietf-lamps-pkcs12-pbmac1.

** libgnutls: SHA3 extendable output functions (XOF) are now supported
SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
public API gnutls_hash_squeeze.

** API and ABI modifications:
gnutls_pkcs12_generate_mac3: New function
gnutls_pkcs12_flags_t: New enum
gnutls_hash_squeeze: New function

* Version 3.8.5 (released 2024-04-04)

** libgnutls: Due to majority of usages and implementations of
RSA decryption with PKCS#1 v1.5 padding being incorrect,
leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
is being deprecated (encryption and decryption) and will be
disabled in the future. A new option `allow-rsa-pkcs1-encrypt`
has been added into the system-wide library configuration which
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
RSAES-PKCS1-v1_5 is enabled by default.

** libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
backward compatibility with GCR.

** libgnutls: A couple of memory related issues have been fixed in RSA PKCS#1
v1.5 decryption error handling and deterministic ECDSA with earlier
versions of GMP. These were a regression introduced in the 3.8.4
release. See #1535 and !1827.

** build: Fixed a bug where building gnutls statically failed due
to a duplicate definition of nettle_rsa_compute_root_tr().

** API and ABI modifications:
GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of gnutls_pkcs_encrypt_flags_t

* Version 3.8.4 (released 2024-03-18)

** libgnutls: RSA-OAEP encryption scheme is now supported
Expand Down
6 changes: 3 additions & 3 deletions cfg.mk
Original file line number Diff line number Diff line change
Expand Up @@ -254,15 +254,15 @@ lib/accelerated/x86/coff/%-x86_64.s: devel/perlasm/%-x86_64.pl .submodule.stamp
echo "" >> $@
sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@

lib/accelerated/x86/macosx/%.s: devel/perlasm/%.pl .submodule.stamp
lib/accelerated/x86/macosx/%.s: devel/perlasm/%.pl ./lib/accelerated/x86/x86-common.h .submodule.stamp
CC=gcc perl $< macosx \
$(if $(findstring $(<F),$(PL_NEEDS_FPIC)),-fPIC) \
$@.tmp
cat $<.license $@.tmp > $@ && rm -f $@.tmp
echo "" >> $@
sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@

lib/accelerated/aarch64/elf/%.s: devel/perlasm/%.pl .submodule.stamp
lib/accelerated/aarch64/elf/%.s: devel/perlasm/%.pl lib/accelerated/aarch64/aarch64-common.h .submodule.stamp
rm -f $@tmp
CC=aarch64-linux-gnu-gcc perl $< linux64 \
$(if $(findstring $(<F),$(PL_NEEDS_FPIC)),-fPIC) \
Expand All @@ -271,7 +271,7 @@ lib/accelerated/aarch64/elf/%.s: devel/perlasm/%.pl .submodule.stamp
echo "" >> $@.tmp.S
sed -i 's/OPENSSL_armcap_P/_gnutls_arm_cpuid_s/g' $@.tmp.S
sed -i 's/arm_arch.h/aarch64-common.h/g' $@.tmp.S
aarch64-linux-gnu-gcc -D__ARM_MAX_ARCH__=8 -Ilib/accelerated/aarch64 -Wa,--noexecstack -E $@.tmp.S -o $@.tmp.s
aarch64-linux-gnu-gcc $(CFLAGS) -D__ARM_MAX_ARCH__=8 -Ilib/accelerated/aarch64 -Wa,--noexecstack -E $@.tmp.S -o $@.tmp.s
cat $<.license $@.tmp.s > $@
echo ".section .note.GNU-stack,\"\",%progbits" >> $@
rm -f $@.tmp.S $@.tmp.s $@.tmp
Expand Down
19 changes: 16 additions & 3 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.64)

dnl when updating version also update LT_REVISION in m4/hooks.m4
AC_INIT([GnuTLS], [3.8.4], [[email protected]])
AC_INIT([GnuTLS], [3.8.6], [[email protected]])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4])
AC_CANONICAL_HOST
Expand Down Expand Up @@ -57,6 +57,8 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
AC_MSG_WARN([[Compiler does not support C99. It may not be able to compile the project.]])
fi

AM_CONDITIONAL(CROSS_COMPILING, test "$cross_compiling" = yes)

AX_CODE_COVERAGE

AM_MAINTAINER_MODE([enable])
Expand Down Expand Up @@ -269,8 +271,6 @@ AC_ARG_ENABLE(tls13-interop,
AS_HELP_STRING([--disable-tls13-interop], [disable TLS1.3 interoperability testing with openssl]),
enable_tls13_interop=$enableval, enable_tls13_interop=yes)

AM_CONDITIONAL(ENABLE_TLS13_INTEROP, test "$enable_tls13_interop" != "no")

dnl Check for iovec type
AC_CHECK_MEMBERS([struct iovec.iov_base],
[
Expand Down Expand Up @@ -792,6 +792,19 @@ AC_CHECK_FUNCS(nettle_rsa_oaep_sha256_encrypt)
LIBS=$save_LIBS
AM_CONDITIONAL([NEED_RSA_OAEP], [test "$ac_cv_func_nettle_rsa_oaep_sha256_encrypt" != yes])

# Check for specialized AES-CBC encryption
save_LIBS=$LIBS
LIBS="$LIBS $NETTLE_LIBS"
AC_CHECK_FUNCS(nettle_cbc_aes128_encrypt)
LIBS=$save_LIBS

# Check for incremental SHAKE
save_LIBS=$LIBS
LIBS="$LIBS $NETTLE_LIBS"
AC_CHECK_FUNCS(nettle_sha3_128_shake_output)
LIBS=$save_LIBS
AM_CONDITIONAL([NEED_SHAKE_OUTPUT], [test "$ac_cv_func_nettle_sha3_128_shake_output" != yes])

# Check sonames of the linked libraries needed for FIPS selftests.
save_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS $GMP_CFLAGS"
Expand Down
2 changes: 1 addition & 1 deletion devel/abi-dump
Submodule abi-dump updated from 3ffceb to dea49c
27 changes: 27 additions & 0 deletions devel/import-from-nettle.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ ghash-set-key.c
ghash-update.c
gmp-glue.c
gmp-glue.h
md-internal.h
nettle-write.h
oaep.c
oaep.h
pss-mgf1.h
Expand All @@ -35,6 +37,12 @@ siv-gcm.c
siv-gcm.h
siv-ghash-set-key.c
siv-ghash-update.c
sha3.c
sha3-internal.h
sha3-shake.c
shake128.c
shake256.c
write-le64.c
"

PUBLIC="
Expand All @@ -54,6 +62,7 @@ nettle-types.h
rsa.h
sha1.h
sha2.h
sha3.h
"

test -d $DST || mkdir $DST
Expand Down Expand Up @@ -108,6 +117,15 @@ for f in $IMPORTS; do
sed \
-e '/^#include <nettle\/nettle-types\.h>/a\
#include "block8.h"
' \
$dst > $dst-t && mv $dst-t $dst
;;
esac
case $dst in
*/rsa-sign-tr.c)
sed \
-e '/^#include <nettle\/rsa\.h>/i\
#define nettle_rsa_compute_root_tr _gnutls_nettle_backport_rsa_compute_root_tr\
' \
$dst > $dst-t && mv $dst-t $dst
;;
Expand All @@ -117,6 +135,15 @@ for f in $IMPORTS; do
sed \
-e '/^#include <nettle\/rsa\.h>/a\
#include "int/rsa-oaep.h"
' \
$dst > $dst-t && mv $dst-t $dst
;;
esac
case $dst in
*/shake*.c)
sed \
-e '/^#include <nettle\/sha3\.h>/a\
#include "int/sha3-shake.h"
' \
$dst > $dst-t && mv $dst-t $dst
;;
Expand Down
Loading

0 comments on commit 0c572de

Please sign in to comment.