diff --git a/0001-crypto-api-always-allocate-memory-when-serializing-i.patch b/0001-crypto-api-always-allocate-memory-when-serializing-i.patch deleted file mode 100644 index be608e8..0000000 --- a/0001-crypto-api-always-allocate-memory-when-serializing-i.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 5 Jun 2020 16:26:33 +0200 -Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t - -The AEAD iov interface falls back to serializing the input buffers if -the low-level cipher doesn't support scatter/gather encryption. -However, there was a bug in the functions used for the serialization, -which causes memory leaks under a certain condition (i.e. the number -of input buffers is 1). - -This patch makes the logic of the functions simpler, by removing a -micro-optimization that tries to minimize the number of calls to -malloc/free. - -The original problem was reported by Marius Steffen in: -https://bugzilla.samba.org/show_bug.cgi?id=14399 -and the cause was investigated by Alexander Haase in: -https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 36 +++++++++++------------------------- - tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- - 2 files changed, 29 insertions(+), 40 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 45be64ed1f..8524f5ed4f 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, - struct iov_store_st { - void *data; - size_t size; -- unsigned allocated; - }; - - static void iov_store_free(struct iov_store_st *s) - { -- if (s->allocated) { -- gnutls_free(s->data); -- s->allocated = 0; -- } -+ gnutls_free(s->data); - } - - static int iov_store_grow(struct iov_store_st *s, size_t length) - { -- if (s->allocated || s->data == NULL) { -- s->size += length; -- s->data = gnutls_realloc(s->data, s->size); -- if (s->data == NULL) -- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- s->allocated = 1; -- } else { -- void *data = s->data; -- size_t size = s->size + length; -- s->data = gnutls_malloc(size); -- memcpy(s->data, data, s->size); -- s->size += length; -- } -+ void *data; -+ -+ s->size += length; -+ data = gnutls_realloc(s->data, s->size); -+ if (data == NULL) -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ -+ s->data = data; - return 0; - } - -@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - memset(dst, 0, sizeof(*dst)); - if (iovcnt == 0) { - return 0; -- } else if (iovcnt == 1) { -- dst->data = iov[0].iov_base; -- dst->size = iov[0].iov_len; -- /* implies: dst->allocated = 0; */ -- return 0; - } else { - int i; - uint8_t *p; -@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - - p = dst->data; - for (i=0;i 0) -+ memcpy(p, iov[i].iov_base, iov[i].iov_len); - p += iov[i].iov_len; - } - -- dst->allocated = 1; - return 0; - } - } -diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c -index fba9010d9e..6a30a35f7b 100644 ---- a/tests/aead-cipher-vec.c -+++ b/tests/aead-cipher-vec.c -@@ -49,6 +49,7 @@ static void start(const char *name, int algo) - giovec_t auth_iov[2]; - uint8_t tag[64]; - size_t tag_size = 0; -+ size_t i; - - key.data = key16; - key.size = gnutls_cipher_get_key_size(algo); -@@ -82,21 +83,23 @@ static void start(const char *name, int algo) - if (ret < 0) - fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); - -- ret = gnutls_aead_cipher_encryptv2(ch, -- iv.data, iv.size, -- auth_iov, 2, -- iov, 3, -- tag, &tag_size); -- if (ret < 0) -- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); -- -- ret = gnutls_aead_cipher_decryptv2(ch, -- iv.data, iv.size, -- auth_iov, 2, -- iov, 3, -- tag, tag_size); -- if (ret < 0) -- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); -+ for (i = 0; i < 2; i++) { -+ ret = gnutls_aead_cipher_encryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, i + 1, -+ tag, &tag_size); -+ if (ret < 0) -+ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); -+ -+ ret = gnutls_aead_cipher_decryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, i + 1, -+ tag, tag_size); -+ if (ret < 0) -+ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); -+ } - - gnutls_aead_cipher_deinit(ch); - } --- -2.25.0 - diff --git a/gnutls-3.5.11-skip-trust-store-tests.patch b/gnutls-3.5.11-skip-trust-store-tests.patch index 987e250..cc0cd77 100644 --- a/gnutls-3.5.11-skip-trust-store-tests.patch +++ b/gnutls-3.5.11-skip-trust-store-tests.patch @@ -15,10 +15,10 @@ need ca-certificates-mozilla to run. But this would create a build cycle. Skip test. -Index: gnutls-3.5.11/tests/trust-store.c +Index: gnutls-3.6.15/tests/trust-store.c =================================================================== ---- gnutls-3.5.11.orig/tests/trust-store.c 2017-04-07 07:52:07.000000000 +0200 -+++ gnutls-3.5.11/tests/trust-store.c 2017-05-18 10:33:53.537598763 +0200 +--- gnutls-3.6.15.orig/tests/trust-store.c 2020-09-08 10:24:24.018094247 +0200 ++++ gnutls-3.6.15/tests/trust-store.c 2020-09-08 10:24:25.534104346 +0200 @@ -44,6 +44,9 @@ static void tls_log_func(int level, cons void doit(void) diff --git a/gnutls-3.6.14.tar.xz b/gnutls-3.6.14.tar.xz deleted file mode 100644 index d7ebcb5..0000000 --- a/gnutls-3.6.14.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63 -size 6069088 diff --git a/gnutls-3.6.14.tar.xz.sig b/gnutls-3.6.14.tar.xz.sig deleted file mode 100644 index f3b956e..0000000 Binary files a/gnutls-3.6.14.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.6.15.tar.xz b/gnutls-3.6.15.tar.xz new file mode 100644 index 0000000..8190b58 --- /dev/null +++ b/gnutls-3.6.15.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558 +size 6081656 diff --git a/gnutls-3.6.15.tar.xz.sig b/gnutls-3.6.15.tar.xz.sig new file mode 100644 index 0000000..4aeddf6 Binary files /dev/null and b/gnutls-3.6.15.tar.xz.sig differ diff --git a/gnutls-3.6.6-set_guile_site_dir.patch b/gnutls-3.6.6-set_guile_site_dir.patch index f6b07e1..3b61a9b 100644 --- a/gnutls-3.6.6-set_guile_site_dir.patch +++ b/gnutls-3.6.6-set_guile_site_dir.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.6/configure +Index: gnutls-3.6.15/configure =================================================================== ---- gnutls-3.6.6.orig/configure -+++ gnutls-3.6.6/configure -@@ -62868,7 +62868,7 @@ +--- gnutls-3.6.15.orig/configure 2020-09-08 10:24:22.362083215 +0200 ++++ gnutls-3.6.15/configure 2020-09-08 10:24:28.510124171 +0200 +@@ -69365,7 +69365,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5 $as_echo_n "checking for Guile site directory... " >&6; } diff --git a/gnutls-detect_nettle_so.patch b/gnutls-detect_nettle_so.patch deleted file mode 100644 index c766b03..0000000 --- a/gnutls-detect_nettle_so.patch +++ /dev/null @@ -1,52 +0,0 @@ -Index: gnutls-3.6.14/configure -=================================================================== ---- gnutls-3.6.14.orig/configure 2020-06-09 11:01:15.306654318 +0200 -+++ gnutls-3.6.14/configure 2020-06-09 12:40:08.262985909 +0200 -@@ -66054,12 +66054,12 @@ LIBS="$LIBS $GMP_LIBS" - $as_echo_n "checking gmp soname... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- -+#include - int - main () - { -- -- ; -+ mpz_t n; -+ mpz_init(n); - return 0; - } - _ACEOF -@@ -66088,12 +66088,12 @@ LIBS="$LIBS $NETTLE_LIBS" - $as_echo_n "checking nettle soname... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- -+#include - int - main () - { -- -- ; -+ struct sha256_ctx ctx; -+ sha256_init (&ctx); - return 0; - } - _ACEOF -@@ -66122,12 +66122,12 @@ LIBS="$LIBS $HOGWEED_LIBS" - $as_echo_n "checking hogweed soname... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- -+#include - int - main () - { -- -- ; -+ struct rsa_private_key priv; -+ nettle_rsa_private_key_init(&priv); - return 0; - } - _ACEOF diff --git a/gnutls-temporarily_disable_broken_guile_reauth_test.patch b/gnutls-temporarily_disable_broken_guile_reauth_test.patch index c13c5c2..8bca393 100644 --- a/gnutls-temporarily_disable_broken_guile_reauth_test.patch +++ b/gnutls-temporarily_disable_broken_guile_reauth_test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.14/guile/Makefile.in +Index: gnutls-3.6.15/guile/Makefile.in =================================================================== ---- gnutls-3.6.14.orig/guile/Makefile.in 2020-06-03 15:05:54.000000000 +0200 -+++ gnutls-3.6.14/guile/Makefile.in 2020-06-09 09:03:17.267773380 +0200 -@@ -1850,7 +1850,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap +--- gnutls-3.6.15.orig/guile/Makefile.in 2020-09-08 10:24:09.581998087 +0200 ++++ gnutls-3.6.15/guile/Makefile.in 2020-09-08 10:24:30.046134403 +0200 +@@ -1857,7 +1857,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \ tests/pkcs-import-export.scm tests/errors.scm \ tests/x509-certificates.scm tests/x509-auth.scm \ diff --git a/gnutls.changes b/gnutls.changes index 8973036..af2c694 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Sep 8 08:18:48 UTC 2020 - Vítězslav Čížek + +- Update to 3.6.15 + * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. + [GNUTLS-SA-2020-09-04, CVSS: medium] + * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now + indicates that with a false return value (!1306). + * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked + accordingly to SP800-56A rev 3 (!1295, !1299). + * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than + the size of the internal base64 blob (#1025). + * libgnutls: Certificate verification failue due to OCSP must-stapling is not + honered is now correctly marked with the GNUTLS_CERT_INVALID flag + * libgnutls: The audit log message for weak hashes is no longer printed twice + * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is + disabled in the priority string. Previously, even when TLS 1.2 is explicitly + disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is + enabled (#1054). +- drop upstreamed patches: + * gnutls-detect_nettle_so.patch + * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch + ------------------------------------------------------------------- Tue Jun 9 09:15:45 UTC 2020 - Vítězslav Čížek diff --git a/gnutls.spec b/gnutls.spec index abff270..1f9bdbc 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -28,7 +28,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.14 +Version: 3.6.15 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later @@ -40,9 +40,7 @@ Source2: %{name}.keyring Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch4: gnutls-3.6.6-set_guile_site_dir.patch -Patch5: 0001-crypto-api-always-allocate-memory-when-serializing-i.patch Patch6: gnutls-temporarily_disable_broken_guile_reauth_test.patch -Patch7: gnutls-detect_nettle_so.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge