On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote: > doesn't help here but > -cipher "ALL:@SECLEVEL=1" > > does.
Only debci is affected. The package builds because this testsuite is not part of the build process. I prepared a NMU against Buster for gnutls. I can open later today a buster-pu and do the upload unless someone objects or gnutls folks have something in their queue. Please let me know. > > Kurt Sebastian
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2021-05-14 13:33:38.000000000 +0200 +++ gnutls28-3.6.7/debian/changelog 2022-03-21 14:52:01.000000000 +0100 @@ -1,3 +1,11 @@ +gnutls28 (3.6.7-4+deb10u7.1) buster; urgency=medium + + * Non-maintainer upload. + * Backport testcompat-openssl-improve-testing-against-secured-O.patch to + pass testsuite with openssl 1.1.1e. + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Mon, 21 Mar 2022 14:52:01 +0100 + gnutls28 (3.6.7-4+deb10u7) buster; urgency=medium * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch pulled from diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series --- gnutls28-3.6.7/debian/patches/series 2021-05-11 18:13:03.000000000 +0200 +++ gnutls28-3.6.7/debian/patches/series 2022-03-21 08:35:24.000000000 +0100 @@ -23,3 +23,4 @@ 47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch +testcompat-openssl-improve-testing-against-secured-O.patch diff -Nru gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch --- gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.6.7/debian/patches/testcompat-openssl-improve-testing-against-secured-O.patch 2022-03-21 08:37:07.000000000 +0100 @@ -0,0 +1,274 @@ +From: Dimitri John Ledkov <x...@ubuntu.com> +Date: Mon, 21 Mar 2022 07:44:25 +0100 +Subject: [PATCH] testcompat-openssl: improve testing against secured OpenSSL + +[bigeasy: This is backport of commit fbd3e261513d641dce6bd1b2c368ce25e79dc094 ] + +In Debian, and soon Ubuntu, OpenSSL is compiled with SECLEVEL=2 and +requiring minimum TLSv1.2. However, smaller hashes/keys/versions are +allowed if one enables SECLEVEL=1. Do so when testing pre v1.2 algos, +and thus enabling testing more compatability combinations. + +Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com> +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + tests/suite/testcompat-main-openssl | 67 +++++++++++++---------------- + 1 file changed, 30 insertions(+), 37 deletions(-) + +diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl +index d2708bfa8c710..2ea762faebaca 100755 +--- a/tests/suite/testcompat-main-openssl ++++ b/tests/suite/testcompat-main-openssl +@@ -74,7 +74,6 @@ NO_TLS1_2=$? + + test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2" + +- + ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1 + if test $? = 0;then + NO_DH_PARAMS=0 +@@ -82,18 +81,8 @@ else + NO_DH_PARAMS=1 + fi + +-# Do not use DSS or curves <=256 bits in 1.1.1+ because these +-# are not accepted by openssl on debian. +-${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1 +-if test $? = 0;then +- NO_DSS=1 +- FIPS_CURVES=1 +-else +- ${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 +- NO_DSS=$? +-fi +- +-test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled" ++${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 ++NO_DSS=$? + + if test $NO_DSS != 0;then + echo "Disabling interop tests for DSS ciphersuites" +@@ -121,6 +110,10 @@ NO_NULL=$? + + test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites" + ++${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1 ++NO_PRIME192v1=$? ++ ++test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam" + + if test "${NO_DH_PARAMS}" = 0;then + OPENSSL_DH_PARAMS_OPT="" +@@ -218,7 +211,7 @@ run_client_suite() { + + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + eval "${GETPORT}" +- launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -267,9 +260,9 @@ run_client_suite() { + kill ${PID} + wait + +- if test "${FIPS_CURVES}" != 1; then ++ if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -283,7 +276,7 @@ run_client_suite() { + + #-cipher ECDHE-ECDSA-AES128-SHA + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null ++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -298,7 +291,7 @@ run_client_suite() { + + #-cipher ECDHE-ECDSA-AES128-SHA + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null ++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -312,7 +305,7 @@ run_client_suite() { + + #-cipher ECDHE-ECDSA-AES128-SHA + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null ++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -326,7 +319,7 @@ run_client_suite() { + + #-cipher PSK + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null ++ launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null + PID=$! + wait_server ${PID} + +@@ -341,7 +334,7 @@ run_client_suite() { + # Tests requiring openssl 1.0.1 - TLS 1.2 + #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA + eval "${GETPORT}" +- launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_server ${PID} + +@@ -442,7 +435,7 @@ run_client_suite() { + wait + + eval "${GETPORT}" +- launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + +@@ -455,7 +448,7 @@ run_client_suite() { + wait + + eval "${GETPORT}" +- launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + +@@ -469,7 +462,7 @@ run_client_suite() { + + if test "${NO_DSS}" = 0; then + eval "${GETPORT}" +- launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null ++ launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + +@@ -591,7 +584,7 @@ run_server_suite() { + PID=$! + wait_server ${PID} + +- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -604,7 +597,7 @@ run_server_suite() { + PID=$! + wait_server ${PID} + +- ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -618,7 +611,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-RSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -632,7 +625,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -646,7 +639,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -659,7 +652,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -673,7 +666,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -687,7 +680,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher PSK-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -726,7 +719,7 @@ run_server_suite() { + PID=$! + wait_server ${PID} + +- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -768,7 +761,7 @@ run_server_suite() { + wait_server ${PID} + + #-cipher ECDHE-ECDSA-AES128-SHA +- ${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -839,7 +832,7 @@ run_server_suite() { + wait_udp_server ${PID} + + +- ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -853,7 +846,7 @@ run_server_suite() { + wait_udp_server ${PID} + + +- ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +@@ -868,7 +861,7 @@ run_server_suite() { + wait_udp_server ${PID} + + +- ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ ++ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} +-- +2.35.1 +