diff options
4 files changed, 689 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch b/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch new file mode 100644 index 0000000..91251cf --- /dev/null +++ b/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch @@ -0,0 +1,105 @@ +From 4d49e06e8850ed3ffb89f6856555a2435962fedd Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 31 Oct 2016 11:40:12 +0100 +Subject: [PATCH 1/3] _gnutls_rnd_check: call _rnd_system_entropy_check + directly + +Upstream-Status: Backport + +diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h +index 3d979d8..6f4b743 100644 +--- a/lib/crypto-backend.h ++++ b/lib/crypto-backend.h +@@ -73,8 +73,7 @@ typedef struct { + } gnutls_crypto_digest_st; + + typedef struct gnutls_crypto_rnd { +- int (*init) (void **ctx); +- int (*check) (void **ctx); ++ int (*init) (void **ctx); /* called prior to first usage of randomness */ + int (*rnd) (void *ctx, int level, void *data, size_t datasize); + void (*rnd_refresh) (void *ctx); + void (*deinit) (void *ctx); +diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c +index ef64649..59795a9 100644 +--- a/lib/nettle/rnd-fips.c ++++ b/lib/nettle/rnd-fips.c +@@ -226,15 +226,6 @@ static void _rngfips_deinit(void *_ctx) + free(ctx); + } + +-/* This is called when gnutls_global_init() is called for second time. +- * It must check whether any resources are still available. +- * The particular problem it solves is to verify that the urandom fd is still +- * open (for applications that for some reason closed all fds */ +-static int _rndfips_check(void **ctx) +-{ +- return _rnd_system_entropy_check(); +-} +- + static void _rngfips_refresh(void *_ctx) + { + /* this is predictable RNG. Don't refresh */ +@@ -260,7 +251,6 @@ static int selftest_kat(void) + + gnutls_crypto_rnd_st _gnutls_fips_rnd_ops = { + .init = _rngfips_init, +- .check = _rndfips_check, + .deinit = _rngfips_deinit, + .rnd = _rngfips_rnd, + .rnd_refresh = _rngfips_refresh, +diff --git a/lib/nettle/rnd.c b/lib/nettle/rnd.c +index 8a5a762..39b99e1 100644 +--- a/lib/nettle/rnd.c ++++ b/lib/nettle/rnd.c +@@ -257,15 +257,6 @@ static int wrap_nettle_rnd_init(void **ctx) + return 0; + } + +-/* This is called when gnutls_global_init() is called for second time. +- * It must check whether any resources are still available. +- * The particular problem it solves is to verify that the urandom fd is still +- * open (for applications that for some reason closed all fds */ +-static int wrap_nettle_rnd_check(void **ctx) +-{ +- return _rnd_system_entropy_check(); +-} +- + static int + wrap_nettle_rnd_nonce(void *_ctx, void *data, size_t datasize) + { +@@ -373,7 +364,6 @@ int crypto_rnd_prio = INT_MAX; + + gnutls_crypto_rnd_st _gnutls_rnd_ops = { + .init = wrap_nettle_rnd_init, +- .check = wrap_nettle_rnd_check, + .deinit = wrap_nettle_rnd_deinit, + .rnd = wrap_nettle_rnd, + .rnd_refresh = wrap_nettle_rnd_refresh, +diff --git a/lib/random.h b/lib/random.h +index 59e3f3c..1538ec8 100644 +--- a/lib/random.h ++++ b/lib/random.h +@@ -25,6 +25,7 @@ + + #include <gnutls/crypto.h> + #include <crypto-backend.h> ++#include "nettle/rnd-common.h" + + extern int crypto_rnd_prio; + extern void *gnutls_rnd_ctx; +@@ -50,10 +51,7 @@ int _gnutls_rnd_init(void); + + inline static int _gnutls_rnd_check(void) + { +- if (_gnutls_rnd_ops.check) +- return _gnutls_rnd_ops.check(gnutls_rnd_ctx); +- else +- return 0; ++ return _rnd_system_entropy_check(); + } + + #ifndef _WIN32 +-- +2.6.6 + diff --git a/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch b/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch new file mode 100644 index 0000000..29bcf5f --- /dev/null +++ b/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch @@ -0,0 +1,261 @@ +From 834e8fc03cb27ae437a2044cfaf265752c3e6a26 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Fri, 14 Oct 2016 14:16:51 +0200 +Subject: [PATCH 2/3] rng: split initialization in preinit and init + +This makes gnutls to initialize its random generator on the +first call to gnutls_rnd(). That prevents blocking due to +getrandom() on a constructor; that change allows to use gnutls-linked +applications even in early boot in systems where getrandom() blocks +waiting for entropy. + +Upstream-Status: Backport + +diff --git a/configure.ac b/configure.ac +index 0ba2230..f842e26 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -186,6 +186,7 @@ AM_SUBST_NOTMAKE([DEFINE_IOVEC_T]) + + dnl Need netinet/tcp.h for TCP_FASTOPEN + AC_CHECK_HEADERS([netinet/tcp.h]) ++AC_CHECK_HEADERS([stdatomic.h]) + + AC_ARG_ENABLE(padlock, + AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]), +diff --git a/lib/global.c b/lib/global.c +index d75cea8..bdc3c1f 100644 +--- a/lib/global.c ++++ b/lib/global.c +@@ -304,7 +304,7 @@ static int _gnutls_global_init(unsigned constructor) + } + + /* Initialize the random generator */ +- ret = _gnutls_rnd_init(); ++ ret = _gnutls_rnd_preinit(); + if (ret < 0) { + gnutls_assert(); + goto out; +diff --git a/lib/locks.h b/lib/locks.h +index 5807754..b1efbb5 100644 +--- a/lib/locks.h ++++ b/lib/locks.h +@@ -27,6 +27,10 @@ + #include "gnutls_int.h" + #include <system.h> + ++#ifdef HAVE_STDATOMIC_H ++# include <stdatomic.h> ++#endif ++ + extern mutex_init_func gnutls_mutex_init; + extern mutex_deinit_func gnutls_mutex_deinit; + extern mutex_lock_func gnutls_mutex_lock; +diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c +index 59795a9..0807701 100644 +--- a/lib/nettle/rnd-fips.c ++++ b/lib/nettle/rnd-fips.c +@@ -172,10 +172,6 @@ static int _rngfips_init(void **_ctx) + struct fips_ctx *ctx; + int ret; + +- ret = _rnd_system_entropy_init(); +- if (ret < 0) +- return gnutls_assert_val(ret); +- + ctx = gnutls_calloc(1, sizeof(*ctx)); + if (ctx == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +diff --git a/lib/nettle/rnd.c b/lib/nettle/rnd.c +index 39b99e1..c4fbc48 100644 +--- a/lib/nettle/rnd.c ++++ b/lib/nettle/rnd.c +@@ -218,12 +218,6 @@ static int wrap_nettle_rnd_init(void **ctx) + return ret; + } + +- ret = _rnd_system_entropy_init(); +- if (ret < 0) { +- gnutls_assert(); +- return ret; +- } +- + /* initialize the main RNG */ + yarrow256_init(&rnd_ctx.yctx, SOURCES, rnd_ctx.ysources); + +diff --git a/lib/random.c b/lib/random.c +index d7f18f2..977d7aa 100644 +--- a/lib/random.c ++++ b/lib/random.c +@@ -26,30 +26,80 @@ + #include "gnutls_int.h" + #include "errors.h" + #include <random.h> ++#include "locks.h" + #include <fips.h> + + void *gnutls_rnd_ctx; ++GNUTLS_STATIC_MUTEX(gnutls_rnd_init_mutex); + +-int _gnutls_rnd_init(void) ++#ifdef HAVE_STDATOMIC_H ++static atomic_uint rnd_initialized = 0; ++ ++inline static int _gnutls_rnd_init(void) ++{ ++ if (unlikely(!rnd_initialized)) { ++ if (_gnutls_rnd_ops.init == NULL) { ++ rnd_initialized = 1; ++ return 0; ++ } ++ ++ GNUTLS_STATIC_MUTEX_LOCK(gnutls_rnd_init_mutex); ++ if (!rnd_initialized) { ++ if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) { ++ gnutls_assert(); ++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); ++ return GNUTLS_E_RANDOM_FAILED; ++ } ++ rnd_initialized = 1; ++ } ++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); ++ } ++ return 0; ++} ++#else ++static unsigned rnd_initialized = 0; ++ ++inline static int _gnutls_rnd_init(void) ++{ ++ GNUTLS_STATIC_MUTEX_LOCK(gnutls_rnd_init_mutex); ++ if (unlikely(!rnd_initialized)) { ++ if (_gnutls_rnd_ops.init == NULL) { ++ rnd_initialized = 1; ++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); ++ return 0; ++ } ++ ++ if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) { ++ gnutls_assert(); ++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); ++ return GNUTLS_E_RANDOM_FAILED; ++ } ++ rnd_initialized = 1; ++ } ++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); ++ return 0; ++} ++#endif ++ ++int _gnutls_rnd_preinit(void) + { ++ int ret; ++ + #ifdef ENABLE_FIPS140 + /* The FIPS140 random generator is only enabled when we are compiled + * with FIPS support, _and_ the system requires FIPS140. + */ + if (_gnutls_fips_mode_enabled() == 1) { +- int ret; +- + ret = gnutls_crypto_rnd_register(100, &_gnutls_fips_rnd_ops); + if (ret < 0) + return ret; + } + #endif + +- if (_gnutls_rnd_ops.init != NULL) { +- if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) { +- gnutls_assert(); +- return GNUTLS_E_RANDOM_FAILED; +- } ++ ret = _rnd_system_entropy_init(); ++ if (ret < 0) { ++ gnutls_assert(); ++ return GNUTLS_E_RANDOM_FAILED; + } + + return 0; +@@ -57,9 +107,12 @@ int _gnutls_rnd_init(void) + + void _gnutls_rnd_deinit(void) + { +- if (_gnutls_rnd_ops.deinit != NULL) { ++ if (rnd_initialized && _gnutls_rnd_ops.deinit != NULL) { + _gnutls_rnd_ops.deinit(gnutls_rnd_ctx); + } ++ rnd_initialized = 0; ++ ++ _rnd_system_entropy_deinit(); + + return; + } +@@ -81,8 +134,17 @@ void _gnutls_rnd_deinit(void) + **/ + int gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) + { ++ int ret; + FAIL_IF_LIB_ERROR; +- return _gnutls_rnd(level, data, len); ++ ++ if (unlikely((ret=_gnutls_rnd_init()) < 0)) ++ return gnutls_assert_val(ret); ++ ++ if (likely(len > 0)) { ++ return _gnutls_rnd_ops.rnd(gnutls_rnd_ctx, level, data, ++ len); ++ } ++ return 0; + } + + /** +@@ -98,5 +160,6 @@ int gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) + **/ + void gnutls_rnd_refresh(void) + { +- _gnutls_rnd_refresh(); ++ if (rnd_initialized && _gnutls_rnd_ops.rnd_refresh) ++ _gnutls_rnd_ops.rnd_refresh(gnutls_rnd_ctx); + } +diff --git a/lib/random.h b/lib/random.h +index 1538ec8..2ef7bc4 100644 +--- a/lib/random.h ++++ b/lib/random.h +@@ -31,31 +31,15 @@ extern int crypto_rnd_prio; + extern void *gnutls_rnd_ctx; + extern gnutls_crypto_rnd_st _gnutls_rnd_ops; + +-inline static int +-_gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) +-{ +- if (len > 0) { +- return _gnutls_rnd_ops.rnd(gnutls_rnd_ctx, level, data, +- len); +- } +- return 0; +-} +- +-inline static void _gnutls_rnd_refresh(void) +-{ +- _gnutls_rnd_ops.rnd_refresh(gnutls_rnd_ctx); +-} ++#define _gnutls_rnd gnutls_rnd ++#define _gnutls_rnd_refresh gnutls_rnd_refresh + + void _gnutls_rnd_deinit(void); +-int _gnutls_rnd_init(void); ++int _gnutls_rnd_preinit(void); + + inline static int _gnutls_rnd_check(void) + { + return _rnd_system_entropy_check(); + } + +-#ifndef _WIN32 +-extern int _gnutls_urandom_fd; +-#endif +- + #endif +-- +2.6.6 + diff --git a/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch b/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch new file mode 100644 index 0000000..f6c4f84 --- /dev/null +++ b/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch @@ -0,0 +1,315 @@ +From e146eedb13d94752609553bceb13c70cb7c05a4d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Mon, 17 Oct 2016 14:10:08 +0200 +Subject: [PATCH 3/3] deprecated _gnutls_rnd() in favor of exported + gnutls_rnd() + +Conflict: +code from lib/x509/privkey_pkcs8.c refactored into lib/x509/pkcs7-crypt.c + +Upstream-Status: Backport + +diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c +index 2ef2c9c..0412b04 100644 +--- a/lib/auth/psk_passwd.c ++++ b/lib/auth/psk_passwd.c +@@ -94,7 +94,7 @@ static int _randomize_psk(gnutls_datum_t * psk) + + psk->size = 16; + +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, (char *) psk->data, 16); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, (char *) psk->data, 16); + if (ret < 0) { + gnutls_assert(); + return ret; +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index 505fbee..b54d415 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -178,7 +178,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + + /* we do not need strong random numbers here. + */ +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data, ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data, + rndkey.size); + if (ret < 0) { + gnutls_assert(); +@@ -265,7 +265,7 @@ _gnutls_gen_rsa_client_kx(gnutls_session_t session, + return GNUTLS_E_MEMORY_ERROR; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data, ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data, + session->key.key.size); + if (ret < 0) { + gnutls_assert(); +diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +index a14baa1..151e88d 100644 +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -156,7 +156,7 @@ _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session, + } + + /* Generate random */ +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data, ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data, + premaster_secret.size); + if (ret < 0) { + gnutls_assert(); +@@ -370,7 +370,7 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + + /* we do not need strong random numbers here. + */ +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, + premaster_secret.size); + if (ret < 0) { + gnutls_assert(); +diff --git a/lib/auth/srp_passwd.c b/lib/auth/srp_passwd.c +index 4e00f88..8ebcdfa 100644 +--- a/lib/auth/srp_passwd.c ++++ b/lib/auth/srp_passwd.c +@@ -400,7 +400,7 @@ static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry, + return GNUTLS_E_MEMORY_ERROR; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, entry->v.data, 20); ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, entry->v.data, 20); + if (ret < 0) { + gnutls_assert(); + return ret; +diff --git a/lib/cipher.c b/lib/cipher.c +index 50096df..73e18ad 100644 +--- a/lib/cipher.c ++++ b/lib/cipher.c +@@ -323,9 +323,9 @@ compressed_to_ciphertext(gnutls_session_t session, + /* Calculate the encrypted length (padding etc.) + */ + if (algo_type == CIPHER_BLOCK) { +- /* Call _gnutls_rnd() once. Get data used for the IV ++ /* Call gnutls_rnd() once. Get data used for the IV + */ +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); + if (ret < 0) + return gnutls_assert_val(ret); + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 7d3d5ed..71bf935 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -608,7 +608,7 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size) + return GNUTLS_E_MEMORY_ERROR; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size); ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(key); +diff --git a/lib/ext/heartbeat.c b/lib/ext/heartbeat.c +index 180d59a..26a0928 100644 +--- a/lib/ext/heartbeat.c ++++ b/lib/ext/heartbeat.c +@@ -194,7 +194,7 @@ gnutls_heartbeat_ping(gnutls_session_t session, size_t data_size, + return gnutls_assert_val(ret); + + ret = +- _gnutls_rnd(GNUTLS_RND_NONCE, ++ gnutls_rnd(GNUTLS_RND_NONCE, + session->internals.hb_local_data.data, + data_size); + if (ret < 0) +diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c +index 5a957f0..feb6507 100644 +--- a/lib/ext/session_ticket.c ++++ b/lib/ext/session_ticket.c +@@ -234,7 +234,7 @@ encrypt_ticket(gnutls_session_t session, session_ticket_ext_st * priv, + + t = gnutls_time(0); + memcpy(iv, &t, 4); +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, iv+4, IV_SIZE-4); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, iv+4, IV_SIZE-4); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +diff --git a/lib/handshake.c b/lib/handshake.c +index 7dccae6..f8d7b2d 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -204,7 +204,7 @@ static int create_tls_random(uint8_t * dst) + _gnutls_write_uint32(tim, dst); + + ret = +- _gnutls_rnd(GNUTLS_RND_NONCE, &dst[3], GNUTLS_RANDOM_SIZE - 3); ++ gnutls_rnd(GNUTLS_RND_NONCE, &dst[3], GNUTLS_RANDOM_SIZE - 3); + if (ret < 0) { + gnutls_assert(); + return ret; +@@ -3349,7 +3349,7 @@ int _gnutls_generate_session_id(uint8_t * session_id, uint8_t * len) + *len = GNUTLS_MAX_SESSION_ID_SIZE; + + ret = +- _gnutls_rnd(GNUTLS_RND_NONCE, session_id, ++ gnutls_rnd(GNUTLS_RND_NONCE, session_id, + GNUTLS_MAX_SESSION_ID_SIZE); + if (ret < 0) { + gnutls_assert(); +diff --git a/lib/mpi.c b/lib/mpi.c +index 828a0b8..491a8ef 100644 +--- a/lib/mpi.c ++++ b/lib/mpi.c +@@ -60,7 +60,7 @@ _gnutls_mpi_random_modp(bigint_t r, bigint_t p, + buf_release = 1; + } + +- ret = _gnutls_rnd(level, buf, size); ++ ret = gnutls_rnd(level, buf, size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index b41ebfb..34688d2 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -54,7 +54,7 @@ static inline const struct ecc_curve *get_supported_nist_curve(int curve); + + static void rnd_func(void *_ctx, size_t length, uint8_t * data) + { +- if (_gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) { ++ if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) { + #ifdef ENABLE_FIPS140 + _gnutls_switch_lib_state(LIB_STATE_ERROR); + #else +@@ -1454,7 +1454,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + goto fail; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, params->raw_priv.data, size); ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, params->raw_priv.data, size); + if (ret < 0) { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto fail; +diff --git a/lib/opencdk/misc.c b/lib/opencdk/misc.c +index 391bd09..7c41168 100644 +--- a/lib/opencdk/misc.c ++++ b/lib/opencdk/misc.c +@@ -161,7 +161,7 @@ FILE *_cdk_tmpfile(void) + FILE *fp; + int fd, i; + +- _gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd)); ++ gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd)); + for (i = 0; i < DIM(rnd) - 1; i++) { + char c = letters[(unsigned char) rnd[i] % 26]; + rnd[i] = c; +diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c +index aa3e5ce..b9a8854 100644 +--- a/lib/pkcs11_secret.c ++++ b/lib/pkcs11_secret.c +@@ -72,7 +72,7 @@ gnutls_pkcs11_copy_secret_key(const char *token_url, gnutls_datum_t * key, + } + + /* generate a unique ID */ +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id)); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id)); + if (ret < 0) { + gnutls_assert(); + return ret; +diff --git a/lib/random.h b/lib/random.h +index 2ef7bc4..e89efb9 100644 +--- a/lib/random.h ++++ b/lib/random.h +@@ -31,9 +31,6 @@ extern int crypto_rnd_prio; + extern void *gnutls_rnd_ctx; + extern gnutls_crypto_rnd_st _gnutls_rnd_ops; + +-#define _gnutls_rnd gnutls_rnd +-#define _gnutls_rnd_refresh gnutls_rnd_refresh +- + void _gnutls_rnd_deinit(void); + int _gnutls_rnd_preinit(void); + +diff --git a/lib/srp.c b/lib/srp.c +index 655b4a3..6d111e5 100644 +--- a/lib/srp.c ++++ b/lib/srp.c +@@ -532,7 +532,7 @@ gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials_t * + goto cleanup; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, (*sc)->fake_salt_seed.data, ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, (*sc)->fake_salt_seed.data, + DEFAULT_FAKE_SALT_SEED_SIZE); + + if (ret < 0) { +diff --git a/lib/tpm.c b/lib/tpm.c +index 4ec9a95..5f4c851 100644 +--- a/lib/tpm.c ++++ b/lib/tpm.c +@@ -768,7 +768,7 @@ static int randomize_uuid(TSS_UUID * uuid) + uint8_t raw_uuid[16]; + int ret; + +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid)); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid)); + if (ret < 0) + return gnutls_assert_val(ret); + +@@ -1391,7 +1391,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits, + } + + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf)); ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf)); + if (ret < 0) { + gnutls_assert(); + goto err_cc; +diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c +index e39dcde..b3bd287 100644 +--- a/lib/x509/pkcs12.c ++++ b/lib/x509/pkcs12.c +@@ -880,7 +880,7 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m + + /* Generate the salt. + */ +- result = _gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt)); ++ result = gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt)); + if (result < 0) { + gnutls_assert(); + return result; +diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c +index f84d913..acacc91 100644 +--- a/lib/x509/privkey_pkcs8.c ++++ b/lib/x509/privkey_pkcs8.c +@@ -2094,7 +2094,7 @@ generate_key(schema_id schema, + if (password) + pass_len = strlen(password); + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, rnd, 2); ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, rnd, 2); + if (ret < 0) { + gnutls_assert(); + return ret; +@@ -2116,7 +2116,7 @@ generate_key(schema_id schema, + return GNUTLS_E_INVALID_REQUEST; + } + +- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, kdf_params->salt, ++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, kdf_params->salt, + kdf_params->salt_size); + if (ret < 0) { + gnutls_assert(); +@@ -2145,7 +2145,7 @@ generate_key(schema_id schema, + kdf_params->key_size, key->data); + + if (enc_params->iv_size) { +- ret = _gnutls_rnd(GNUTLS_RND_NONCE, ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, + enc_params->iv, + enc_params->iv_size); + if (ret < 0) { +-- +2.6.6 + diff --git a/recipes-support/gnutls/gnutls_3.5.3.bbappend b/recipes-support/gnutls/gnutls_3.5.3.bbappend new file mode 100644 index 0000000..99ff422 --- /dev/null +++ b/recipes-support/gnutls/gnutls_3.5.3.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-${PV}:" + +# Backport commits in 3.5.6 +# https://bugzilla.redhat.com/show_bug.cgi?id=1387141 +SRC_URI_append = "file://0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch \ + file://0002-rng-split-initialization-in-preinit-and-init.patch \ + file://0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch \ +"
\ No newline at end of file |