Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal
I prepared an update to fix the debci regression caused by the openssl update. The complete analysis is in #959469. The patch affects only the testsuite that is run as part of debci; the testsuite that is run as part of the package build is not affected, and the runtime code of the package is not touched by the patch either. Therefore I believe the impact is minimal. I verified this change in a local chroot. Sebastian
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog 2021-05-14 13:33:38.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog 2022-03-21 14:52:01.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport testcompat-openssl-improve-testing-against-secured-O.patch to
+ pass testsuite with openssl 1.1.1e.
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Mon, 21 Mar 2022 14:52:01 +0100
+
 gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium
 
  * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series 2021-05-11 18:13:03.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series 2022-03-21 08:35:24.000000000 +0100
@@ -23,3 +23,4 @@
 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+testcompat-openssl-improve-testing-against-secured-O.patch
diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch
--- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch 2022-03-21 08:37:07.000000000 +0100
@@ -0,0 +1,274 @@
+From: Dimitri John Ledkov <x...@ubuntu.com>
+Date: Mon, 21 Mar 2022 07:44:25 +0100
+Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL
+
+[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ]
+
+In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and
+requiring minimum TLSv1.2. However, smaller hashes/keys/versions are
+allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos,
+and thus enabling testing more compatability combinations.
+
+Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com>
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ tests/suite/testcompat-main-openssl | 67 +++++++++++++----------------
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl
+index d2708bfa8c710..2ea762faebaca 100755
+--- a/tests/suite/testcompat-main-openssl
++++ b/tests/suite/testcompat-main-openssl
+@@ -74,7 +74,6 @@ NO_TLS1_2=$?
+ 
+ test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2"
+ 
+-
+ ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1
+ if test $? = 0;then
+ NO_DH_PARAMS=0
+@@ -82,18 +81,8 @@ else
+ NO_DH_PARAMS=1
+ fi
+ 
+-# Do not use DSS or curves <=256 bits in 1.1.1+ because these
+-# are not accepted by openssl on debian.
+-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1
+-if test $? = 0;then
+- NO_DSS=1
+- FIPS_CURVES=1
+-else
+- ${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
+- NO_DSS=$?
+-fi
+-
+-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled"
++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1
++NO_DSS=$?
+ 
+ if test $NO_DSS != 0;then
+ echo "Disabling interop tests for DSS ciphersuites"
+@@ -121,6 +110,10 @@ NO_NULL=$?
+ 
+ test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites"
+ 
++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1
++NO_PRIME192v1=$?
++
++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam"
+ 
+ if test "${NO_DH_PARAMS}" = 0;then
+ OPENSSL_DH_PARAMS_OPT=""
+@@ -218,7 +211,7 @@ run_client_suite() {
+ 
+ #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -267,9 +260,9 @@ run_client_suite() {
+ kill ${PID}
+ wait
+ 
+- if test "${FIPS_CURVES}" != 1; then
++ if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -283,7 +276,7 @@ run_client_suite() {
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -298,7 +291,7 @@ run_client_suite() {
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -312,7 +305,7 @@ run_client_suite() {
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -326,7 +319,7 @@ run_client_suite() {
+ 
+ #-cipher PSK
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -341,7 +334,7 @@ run_client_suite() {
+ # Tests requiring openssl 1.0.1 - TLS 1.2
+ #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_server ${PID}
+ 
+@@ -442,7 +435,7 @@ run_client_suite() {
+ wait
+ 
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_udp_server ${PID}
+ 
+@@ -455,7 +448,7 @@ run_client_suite() {
+ wait
+ 
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_udp_server ${PID}
+ 
+@@ -469,7 +462,7 @@ run_client_suite() {
+ 
+ if test "${NO_DSS}" = 0; then
+ eval "${GETPORT}"
+- launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
++ launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null
+ PID=$!
+ wait_udp_server ${PID}
+ 
+@@ -591,7 +584,7 @@ run_server_suite() {
+ PID=$!
+ wait_server ${PID}
+ 
+- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -604,7 +597,7 @@ run_server_suite() {
+ PID=$!
+ wait_server ${PID}
+ 
+- ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -618,7 +611,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-RSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -632,7 +625,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -646,7 +639,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -659,7 +652,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -673,7 +666,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -687,7 +680,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher PSK-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
++ ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -726,7 +719,7 @@ run_server_suite() {
+ PID=$!
+ wait_server ${PID}
+ 
+- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -768,7 +761,7 @@ run_server_suite() {
+ wait_server ${PID}
+ 
+ #-cipher ECDHE-ECDSA-AES128-SHA
+- ${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -839,7 +832,7 @@ run_server_suite() {
+ wait_udp_server ${PID}
+ 
+ 
+- ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -853,7 +846,7 @@ run_server_suite() {
+ wait_udp_server ${PID}
+ 
+ 
+- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+@@ -868,7 +861,7 @@ run_server_suite() {
+ wait_udp_server ${PID}
+ 
+ 
+- ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
++ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \
+ fail ${PID} "Failed"
+ 
+ kill ${PID}
+-- 
+2.35.1
+
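Review bot: In the `@@ -853,7 +846,7 @@` hunk of tests/suite/testcompat-main-openssl the new line keeps the existing `-cipher DHE` and then appends `-cipher 'ALL:@SECLEVEL=1'`; openssl s_client takes the last `-cipher` it parses, so this DTLS server test now accepts whatever suite the GnuTLS server picks and no longer demonstrates DHE interop, which is the coverage that line existed for. The `@@ -591,7 +584,7 @@` hunk already shows the intended form for the TLS 1.0 counterpart; the DTLS line should likewise read `${OPENSSL_CLI} s_client -cipher 'DHE:@SECLEVEL=1' -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \`. The `@@ -726,7 +719,7 @@` TLS 1.2 line already carried the same `-cipher DHE ... -cipher ALL` pair before this patch and is best fixed the same way while the line is being touched. Separately, the `@@ -267,9 +260,9 @@` hunk still tests `"${FIPS_CURVES}" != 1` although this patch removes the only assignment of FIPS_CURVES visible here; if nothing outside these hunks sets it, that half of the condition is dead and can be dropped to avoid implying a FIPS mode that no longer exists. run_client_suite and run_server_suite both begin and end outside the hunks shown.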