From c0021cc5ee3ce193ce49f3e4de8a05fa011319bc Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Dec 13 2016 12:20:57 +0000 Subject: Fix PKCS#8 file loading (#1404084) --- diff --git a/gnutls-3.5.7-load-pkcs8-keys.patch b/gnutls-3.5.7-load-pkcs8-keys.patch new file mode 100644 index 0000000..e065415 --- /dev/null +++ b/gnutls-3.5.7-load-pkcs8-keys.patch @@ -0,0 +1,159 @@ +diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c +index 74bb466..0094a83 100644 +--- a/lib/x509/privkey_pkcs8.c ++++ b/lib/x509/privkey_pkcs8.c +@@ -711,6 +711,7 @@ static int pkcs8_key_decrypt(const gnutls_datum_t * raw_key, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); ++ result = GNUTLS_E_DECRYPTION_FAILED; + goto error; + } + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index af82633..b279cdc 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -116,7 +116,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ + multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \ + set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \ + session-tickets-missing set_x509_key_file_legacy status-request-ext \ +- rng-no-onload dtls1-2-mtu-check crl_apis ++ rng-no-onload dtls1-2-mtu-check crl_apis pkcs8-key-decode-encrypted + + if HAVE_SECCOMP_TESTS + ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp +diff --git a/tests/pkcs8-key-decode-encrypted.c b/tests/pkcs8-key-decode-encrypted.c +new file mode 100644 +index 0000000..48ab9b6 +--- /dev/null ++++ b/tests/pkcs8-key-decode-encrypted.c +@@ -0,0 +1,75 @@ ++/* ++ * Copyright (C) 2015 Red Hat, Inc. ++ * ++ * Author: Daniel Berrange ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils.h" ++ ++#define PRIVATE_KEY \ ++ "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" \ ++ "MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiebBrnqPv4owICCAAw\n" \ ++ "HQYJYIZIAWUDBAEqBBBykFR6i1My/DYFBYrz1lmABIGQ3XGpp3+v/ENC1S+X7Ay6\n" \ ++ "JoquYKuMw6yUmWoGFvPIPA9UWqMve2Uj4l2l96Sywd6iNFP63ow6pIq4wUP6REuY\n" \ ++ "ZhCgoAOQomeFqhAhkw6QJCygp5vw2rh9OZ5tiP/Ko6IDTA2rSas91nepHpQOb247\n" \ ++ "zta5XzXb5TRkBsVU8tAPADP+wS/vBCS05ne1wmhdD6c6\n" \ ++ "-----END ENCRYPTED PRIVATE KEY-----\n" ++ ++ ++static int test_decode(void) ++{ ++ gnutls_x509_privkey_t key; ++ const gnutls_datum_t data = { ++ (unsigned char *)PRIVATE_KEY, ++ strlen(PRIVATE_KEY) ++ }; ++ int err; ++ ++ if ((err = gnutls_x509_privkey_init(&key)) < 0) { ++ fail("Failed to init key %s\n", gnutls_strerror(err)); ++ } ++ ++ err = gnutls_x509_privkey_import_pkcs8(key, &data, ++ GNUTLS_X509_FMT_PEM, "", 0); ++ if (err != GNUTLS_E_DECRYPTION_FAILED) { ++ fail("Unexpected error code: %s/%d\n", gnutls_strerror(err), err); ++ } ++ ++ err = gnutls_x509_privkey_import_pkcs8(key, &data, ++ GNUTLS_X509_FMT_PEM, "password", 0); ++ if (err != 0) { ++ fail("Unexpected error code: %s\n", gnutls_strerror(err)); ++ } ++ ++ success("Loaded key\n%s", PRIVATE_KEY); ++ ++ gnutls_x509_privkey_deinit(key); ++ return 0; ++} ++ ++void doit(void) ++{ ++ test_decode(); ++} +diff --git a/tests/pkcs8-key-decode.c b/tests/pkcs8-key-decode.c +index 1c462ab..0f570ac 100644 +--- a/tests/pkcs8-key-decode.c ++++ b/tests/pkcs8-key-decode.c +@@ -26,6 +26,8 @@ + #include + #include + ++#include "utils.h" ++ + # define PRIVATE_KEY \ + "-----BEGIN PRIVATE KEY-----\n" \ + "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \ +@@ -46,8 +48,8 @@ + "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \ + "-----END PRIVATE KEY-----\n" + +- +-int main(void) { ++static int test_load(void) ++{ + gnutls_x509_privkey_t key; + const gnutls_datum_t data = { + (unsigned char *)PRIVATE_KEY, +@@ -56,19 +58,23 @@ int main(void) { + int err; + + if ((err = gnutls_x509_privkey_init(&key)) < 0) { +- fprintf(stderr, "Failed to init key %s\n", gnutls_strerror(err)); ++ fail("Failed to init key %s\n", gnutls_strerror(err)); + exit(1); + } + + if ((err = gnutls_x509_privkey_import(key, &data, + GNUTLS_X509_FMT_PEM)) < 0) { +- fprintf(stderr, "Failed to import key %s\n", gnutls_strerror(err)); ++ fail("Failed to import key %s\n", gnutls_strerror(err)); + exit(1); + } + +-#if 0 +- fprintf(stderr, "Loaded key\n%s", PRIVATE_KEY); +-#endif ++ success("Loaded key\n%s", PRIVATE_KEY); ++ + gnutls_x509_privkey_deinit(key); + return 0; + } ++ ++void doit(void) ++{ ++ test_load(); ++} diff --git a/gnutls.spec b/gnutls.spec index 0197219..ea1caa5 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -3,7 +3,7 @@ Summary: A TLS protocol implementation Name: gnutls Version: 3.5.7 -Release: 1%{?dist} +Release: 2%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries @@ -36,6 +36,7 @@ Source2: hobble-gnutls Patch1: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.5.1-default-policy.patch Patch3: gnutls-3.4.2-no-now-guile.patch +Patch4: gnutls-3.5.7-load-pkcs8-keys.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -138,6 +139,7 @@ This package contains Guile bindings for the library. %patch1 -p1 -b .rpath %patch2 -p1 -b .default-policy %patch3 -p1 -b .guile +#%patch4 -p1 -b .pkcs8-load sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in @@ -268,6 +270,9 @@ fi %endif %changelog +* Tue Dec 13 2016 Nikos Mavrogiannopoulos 3.5.7-2 +- Fix PKCS#8 file loading (#1404084) + * Thu Dec 8 2016 Nikos Mavrogiannopoulos 3.5.7-1 - New upstream release