Compare commits
10 Commits
1654484226
...
cf5965cc35
| Author | SHA1 | Date | |
|---|---|---|---|
|
cf5965cc35 | ||
|
|
291a761138 | ||
|
|
15327fd85b | ||
|
|
0e937aebb6 | ||
|
|
1d94fab1f0 | ||
|
|
2b1df55edf | ||
|
|
60acd7a2d9 | ||
|
|
2fe58eeb4a | ||
|
|
6e171cdfa9 | ||
|
|
8779103abb |
105
backport-allow-tls-unique-channel-binding-test-to-fail.patch
Normal file
105
backport-allow-tls-unique-channel-binding-test-to-fail.patch
Normal file
@ -0,0 +1,105 @@
|
||||
From 5b1dfa43c3dbc97e04d2fd0ce60f897d95a587ca Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Tue, 22 Jun 2021 20:15:32 -0500
|
||||
Subject: [PATCH] Allow tls-unique channel binding test to fail
|
||||
|
||||
The tls-unique channel binding type is not supported under TLS 1.3.
|
||||
Since GnuTLS 3.7.2, this now fails differently than before. Previously,
|
||||
the call to g_tls_connection_get_channel_binding_data() would succeed
|
||||
but return no data. That was a bug. Now it fails, as expected.
|
||||
|
||||
Since our tests are not supposed to have different behavior depending on
|
||||
TLS backend or TLS version, let's just rewrite this test to allow
|
||||
tls-unique to fail.
|
||||
|
||||
Fixes #164
|
||||
---
|
||||
tls/tests/connection.c | 63 ++++++++++++++++++++++++++------------------------
|
||||
1 file changed, 33 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
|
||||
index 475285d..b0dd9d8 100644
|
||||
--- a/tls/tests/connection.c
|
||||
+++ b/tls/tests/connection.c
|
||||
@@ -2562,6 +2562,8 @@ test_connection_binding_match_tls_unique (TestConnection *test,
|
||||
GIOStream *connection;
|
||||
GByteArray *client_cb, *server_cb;
|
||||
gchar *client_b64, *server_b64;
|
||||
+ gboolean client_supports_tls_unique;
|
||||
+ gboolean server_supports_tls_unique;
|
||||
GError *error = NULL;
|
||||
|
||||
test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
|
||||
@@ -2590,38 +2592,39 @@ test_connection_binding_match_tls_unique (TestConnection *test,
|
||||
read_test_data_async (test);
|
||||
g_main_loop_run (test->loop);
|
||||
|
||||
- /* Smoke test: ensure both sides support tls-unique */
|
||||
- g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
|
||||
- G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
|
||||
- g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
|
||||
- G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
|
||||
+ /* tls-unique is supported by the OpenSSL backend always. It's supported by
|
||||
+ * the GnuTLS backend only with TLS 1.2 or older. Since the test needs to be
|
||||
+ * independent of backend and TLS version, this is allowed to fail....
|
||||
+ */
|
||||
+ client_supports_tls_unique = g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
|
||||
+ G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL);
|
||||
+ server_supports_tls_unique = g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
|
||||
+ G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL);
|
||||
+ g_assert_cmpint (client_supports_tls_unique, ==, server_supports_tls_unique);
|
||||
|
||||
/* Real test: retrieve bindings and compare */
|
||||
- client_cb = g_byte_array_new ();
|
||||
- server_cb = g_byte_array_new ();
|
||||
- g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
|
||||
- G_TLS_CHANNEL_BINDING_TLS_UNIQUE, client_cb, NULL));
|
||||
- g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
|
||||
- G_TLS_CHANNEL_BINDING_TLS_UNIQUE, server_cb, NULL));
|
||||
-
|
||||
-#ifdef BACKEND_IS_OPENSSL
|
||||
- g_assert_cmpint (client_cb->len, >, 0);
|
||||
- g_assert_cmpint (server_cb->len, >, 0);
|
||||
-#else
|
||||
- /* GnuTLS returns empty binding for TLS1.3, let's pretend it didn't happen
|
||||
- * see https://gitlab.com/gnutls/gnutls/-/issues/1041 */
|
||||
- if (client_cb->len == 0 && server_cb->len == 0)
|
||||
- g_test_skip ("GnuTLS missing support for tls-unique over TLS1.3");
|
||||
-#endif
|
||||
-
|
||||
- client_b64 = g_base64_encode (client_cb->data, client_cb->len);
|
||||
- server_b64 = g_base64_encode (server_cb->data, server_cb->len);
|
||||
- g_assert_cmpstr (client_b64, ==, server_b64);
|
||||
-
|
||||
- g_free (client_b64);
|
||||
- g_free (server_b64);
|
||||
- g_byte_array_unref (client_cb);
|
||||
- g_byte_array_unref (server_cb);
|
||||
+ if (client_supports_tls_unique)
|
||||
+ {
|
||||
+ client_cb = g_byte_array_new ();
|
||||
+ server_cb = g_byte_array_new ();
|
||||
+ g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
|
||||
+ G_TLS_CHANNEL_BINDING_TLS_UNIQUE, client_cb, NULL));
|
||||
+ g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
|
||||
+ G_TLS_CHANNEL_BINDING_TLS_UNIQUE, server_cb, NULL));
|
||||
+ g_assert_cmpint (client_cb->len, >, 0);
|
||||
+ g_assert_cmpint (server_cb->len, >, 0);
|
||||
+
|
||||
+ client_b64 = g_base64_encode (client_cb->data, client_cb->len);
|
||||
+ server_b64 = g_base64_encode (server_cb->data, server_cb->len);
|
||||
+ g_assert_cmpstr (client_b64, ==, server_b64);
|
||||
+
|
||||
+ g_free (client_b64);
|
||||
+ g_free (server_b64);
|
||||
+ g_byte_array_unref (client_cb);
|
||||
+ g_byte_array_unref (server_cb);
|
||||
+ }
|
||||
+ else
|
||||
+ g_test_skip ("tls-unique is not supported");
|
||||
|
||||
/* drop the mic */
|
||||
close_server_connection (test);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
84
backport-tls-implement-get_negotiated_protocol-vfunc.patch
Normal file
84
backport-tls-implement-get_negotiated_protocol-vfunc.patch
Normal file
@ -0,0 +1,84 @@
|
||||
From e07302e9183e20c999ad924334527795728ab016 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@gnome.org>
|
||||
Date: Thu, 29 Apr 2021 13:59:03 -0500
|
||||
Subject: [PATCH 41/74] tls: implement get_negotiated_protocol vfunc
|
||||
|
||||
This allows GLib to remove some API-level caching that is not
|
||||
threadsafe.
|
||||
|
||||
Fixes glib#2393
|
||||
|
||||
Conflict: NA
|
||||
Reference:https://gitlab.gnome.org/GNOME/glib-networking/-/commit/e07302e9183e20c999ad924334527795728ab016
|
||||
---
|
||||
tls/base/gtlsconnection-base.c | 40 +++++++++++++++++++++++-----------
|
||||
1 file changed, 27 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
|
||||
index 72551dc..f6b2460 100644
|
||||
--- a/tls/base/gtlsconnection-base.c
|
||||
+++ b/tls/base/gtlsconnection-base.c
|
||||
@@ -1447,6 +1447,26 @@ g_tls_connection_base_dtls_get_binding_data (GDtlsConnection *conn,
|
||||
type, data, error);
|
||||
}
|
||||
|
||||
+#if GLIB_CHECK_VERSION(2, 69, 0)
|
||||
+static const gchar *
|
||||
+g_tls_connection_base_get_negotiated_protocol (GTlsConnection *conn)
|
||||
+{
|
||||
+ GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (conn);
|
||||
+ GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
|
||||
+
|
||||
+ return priv->negotiated_protocol;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static const gchar *
|
||||
+g_tls_connection_base_dtls_get_negotiated_protocol (GDtlsConnection *conn)
|
||||
+{
|
||||
+ GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (conn);
|
||||
+ GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
|
||||
+
|
||||
+ return priv->negotiated_protocol;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
handshake_thread (GTask *task,
|
||||
gpointer object,
|
||||
@@ -2542,15 +2562,6 @@ g_tls_connection_base_dtls_set_advertised_protocols (GDtlsConnection *conn,
|
||||
g_object_set (conn, "advertised-protocols", protocols, NULL);
|
||||
}
|
||||
|
||||
-const gchar *
|
||||
-g_tls_connection_base_dtls_get_negotiated_protocol (GDtlsConnection *conn)
|
||||
-{
|
||||
- GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (conn);
|
||||
- GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
|
||||
-
|
||||
- return priv->negotiated_protocol;
|
||||
-}
|
||||
-
|
||||
GDatagramBased *
|
||||
g_tls_connection_base_get_base_socket (GTlsConnectionBase *tls)
|
||||
{
|
||||
@@ -2733,10 +2744,13 @@ g_tls_connection_base_class_init (GTlsConnectionBaseClass *klass)
|
||||
gobject_class->set_property = g_tls_connection_base_set_property;
|
||||
gobject_class->finalize = g_tls_connection_base_finalize;
|
||||
|
||||
- connection_class->handshake = g_tls_connection_base_handshake;
|
||||
- connection_class->handshake_async = g_tls_connection_base_handshake_async;
|
||||
- connection_class->handshake_finish = g_tls_connection_base_handshake_finish;
|
||||
- connection_class->get_binding_data = g_tls_connection_base_get_binding_data;
|
||||
+ connection_class->handshake = g_tls_connection_base_handshake;
|
||||
+ connection_class->handshake_async = g_tls_connection_base_handshake_async;
|
||||
+ connection_class->handshake_finish = g_tls_connection_base_handshake_finish;
|
||||
+ connection_class->get_binding_data = g_tls_connection_base_get_binding_data;
|
||||
+#if GLIB_CHECK_VERSION(2, 69, 0)
|
||||
+ connection_class->get_negotiated_protocol = g_tls_connection_base_get_negotiated_protocol;
|
||||
+#endif
|
||||
|
||||
iostream_class->get_input_stream = g_tls_connection_base_get_input_stream;
|
||||
iostream_class->get_output_stream = g_tls_connection_base_get_output_stream;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
Binary file not shown.
BIN
glib-networking-2.68.1.tar.xz
Normal file
BIN
glib-networking-2.68.1.tar.xz
Normal file
Binary file not shown.
@ -1,17 +1,20 @@
|
||||
Name: glib-networking
|
||||
Version: 2.66.0
|
||||
Release: 2
|
||||
Version: 2.68.1
|
||||
Release: 5
|
||||
Summary: Network-related modules for glib
|
||||
License: LGPLv2+
|
||||
URL: http://www.gnome.org
|
||||
Source0: http://download.gnome.org/sources/glib-networking/2.66/%{name}-%{version}.tar.xz
|
||||
Source0: http://download.gnome.org/sources/glib-networking/2.68/%{name}-%{version}.tar.xz
|
||||
|
||||
Patch0: backport-tls-implement-get_negotiated_protocol-vfunc.patch
|
||||
Patch1: backport-allow-tls-unique-channel-binding-test-to-fail.patch
|
||||
|
||||
BuildRequires: meson gcc ca-certificates gettext systemd
|
||||
BuildRequires: pkgconfig(glib-2.0) >= 2.63.0 pkgconfig(gnutls)
|
||||
BuildRequires: pkgconfig(glib-2.0) >= 2.67.0 pkgconfig(gnutls)
|
||||
BuildRequires: pkgconfig(gio-2.0) pkgconfig(gsettings-desktop-schemas)
|
||||
BuildRequires: pkgconfig(libproxy-1.0) pkgconfig(p11-kit-1)
|
||||
|
||||
Requires: ca-certificates gsettings-desktop-schemas glib2 >= 2.63.0
|
||||
Requires: ca-certificates gsettings-desktop-schemas glib2 >= 2.67.0
|
||||
|
||||
%description
|
||||
glib-networking contains the implementations of certain GLib networking features
|
||||
@ -54,6 +57,33 @@ verify the Usability of the glib-networking package.
|
||||
%{_datadir}/installed-tests
|
||||
|
||||
%changelog
|
||||
* Tue Dec 06 2022 yanglu <yanglu72@h-partners.com> - 2.68.1-5
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:implement get_negotiated_protocol vfunc to fix test error
|
||||
|
||||
* Fri Nov 11 2022 Wenlong Ding <wenlong.ding@turbolinux.com.cn> - 2.68.1-4
|
||||
- Skip check error in 22.03-LTS-Next
|
||||
|
||||
* Mon Apr 25 2022 yanglu <yanglu72@h-partners.com> - 2.68.1-3
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:fix source0
|
||||
|
||||
* Fri Jan 07 2022 xingwei <xingwei14@huawei.com> - 2.68.1-2
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:allow tls-unique channel binding test to fail
|
||||
|
||||
* Fri Dec 03 2021 xihaochen <xihaochen@huawei.com> - 2.68.1-1
|
||||
- Type:requirement
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:update glib-networking to 2.68.1
|
||||
|
||||
* Mon Jul 19 2021 lijingyuan <lijingyuan3@huawei.com> - 2.62.4-2
|
||||
- Type:requirement
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user