
Bug#979074: marked as done (buster-pu: package gnutls28/3.6.7-4+deb10u6)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #979074,
regarding buster-pu: package gnutls28/3.6.7-4+deb10u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
979074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The gnutls28 test tests/testpkcs11.sh uses a test certificate that
expired in December 2020, which now causes a testsuite error and FTBFS.
If this is not approved the patch will need to be included in case of
another DSA for GnuTLS or a stable update. I would rather fix this now
to make debian-security's life easier.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch uses datefudge to avoid the timebomb. It is cherrypicked and
adapted (older helper function) from upstream master.

TIA, cu Andreas

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2020-06-07 07:45:55.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2021-01-02 14:15:36.000000000 +0100
@@ -1,3 +1,11 @@
+gnutls28 (3.6.7-4+deb10u6) UNRELEASED; urgency=medium
+
+  * 45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
+    Fix test suite error caused by expired certificate.
+    Closes: #977552
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 02 Jan 2021 14:15:36 +0100
+
 gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium
 
   * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
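Review bot: The first line of the new stanza still names UNRELEASED as the distribution; for the actual buster-pu upload it has to read buster, as in the 3.6.7-4+deb10u5 entry directly below. The bullet text would also be more useful to later readers if it said that the fix runs the affected commands under datefudge, since that makes the test depend on datefudge being installed at build time.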
diff -Nru gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
--- gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch	2021-01-02 14:15:36.000000000 +0100
@@ -0,0 +1,73 @@
+From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 28 Dec 2020 16:16:53 +0100
+Subject: [PATCH 3/6] testpkcs11: use datefudge to trick certificate expiry
+Origin: https://gitlab.com/gnutls/gnutls/-/commit/2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d
+Bug: https://gitlab.com/gnutls/gnutls/-/issues/1135
+Bug-Debian: https://bugs.debian.org/977552
+
+The certificates stored in tests/testpkcs11-certs expired on
+2020-12-13.  To avoid verification failure due to that, use datefudge
+to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
+
+Based on the patch by Andreas Metzler:
+https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/testpkcs11.sh | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tests/testpkcs11.sh
++++ b/tests/testpkcs11.sh
+@@ -67,6 +67,8 @@ have_ed25519=0
+ P11TOOL="${VALGRIND} ${P11TOOL} --batch"
+ SERV="${SERV} -q"
+ 
++TESTDATE=2020-12-01
++
+ . ${srcdir}/scripts/common.sh
+ 
+ rm -f "${LOGFILE}"
+@@ -79,6 +81,8 @@ exit_error () {
+ 	exit 1
+ }
+ 
++skip_if_no_datefudge
++
+ # $1: token
+ # $2: PIN
+ # $3: filename
+@@ -510,6 +514,7 @@ write_certificate_test () {
+ 	pubkey="$5"
+ 
+ 	echo -n "* Generating client certificate... "
++	datefudge -s "$TESTDATE" \
+ 	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM}  --generate-certificate --load-ca-privkey "${cakey}"  --load-ca-certificate "${cacert}"  \
+ 	--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
+ 	--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
+@@ -887,6 +892,7 @@ use_certificate_test () {
+ 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
+ 	# start server
+ 	eval "${GETPORT}"
++	SERV="datefudge -s $TESTDATE $SERV" \
+ 	launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
+ 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \
+ 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
+@@ -895,13 +901,16 @@ use_certificate_test () {
+ 	wait_server ${PID}
+ 
+ 	# connect to server using SC
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
+ 		fail ${PID} "Connection should have failed!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
+ 	--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
+ 		fail ${PID} "Connection (with files) should have succeeded!"
+ 
++	datefudge -s "$TESTDATE" \
+ 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
+ 		--x509keyfile="${token};object=gnutls-client;object-type=private" \
+ 		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
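Review bot: In use_certificate_test the line SERV="datefudge -s $TESTDATE $SERV" \ is a prefix assignment in front of launch_pkcs11_server, unlike the other call sites, which prefix the command itself. If launch_pkcs11_server is a shell function (it is not defined in the visible lines, so presumably it comes from scripts/common.sh), POSIX leaves it unspecified whether such an assignment persists after the function returns, so under some shells each further call of use_certificate_test would stack another datefudge prefix onto SERV. Saving SERV in a temporary and restoring it after the launch, or setting the wrapped value once next to TESTDATE, would make the behaviour the same everywhere. Separately, skip_if_no_datefudge is called at the top level, so the whole of testpkcs11.sh is skipped when datefudge is missing; this debdiff does not touch debian/control, so please confirm datefudge is already in Build-Depends, otherwise the build goes green without running the test at all.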
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2020-06-07 07:34:21.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2021-01-02 14:15:36.000000000 +0100
@@ -15,3 +15,4 @@
 44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
 44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
 44_rel3.6.14_90-stek-differentiate-initial-state-from-valid-time-win.patch
+45_4.7.0plus-01_testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
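Review bot: The new entry's 4.7.0plus tag does not follow the rel3.6.14 style of the three entries above it, and it is not obvious which upstream release it refers to when the package itself is 3.6.7. If a different version number was intended, rename the patch file and update the matching reference in debian/changelog before upload so the series stays easy to map back to upstream.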



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
