Accepting request 635768 from home:henrix:branches:security:tls
- Backport of upstream fixes (boo#1108450) Fixes taken from upstream commits: ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function") ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks") ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello") The patch was taken from https://github.com/weechat/weechat/issues/1231 OBS-URL: https://build.opensuse.org/request/show/635768 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=6
This commit is contained in:
parent
a081367f85
commit
3036ffa05f
55
gnutls-3.6.3-backport-upstream-fixes.patch
Normal file
55
gnutls-3.6.3-backport-upstream-fixes.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
diff --git a/lib/cert-cred.c b/lib/cert-cred.c
|
||||||
|
index d3777e51f..2150e903f 100644
|
||||||
|
--- a/lib/cert-cred.c
|
||||||
|
+++ b/lib/cert-cred.c
|
||||||
|
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
|
||||||
|
if (ret < 0)
|
||||||
|
return gnutls_assert_val(ret);
|
||||||
|
|
||||||
|
+ if (st2.ncerts == 0) {
|
||||||
|
+ *pcert_length = 0;
|
||||||
|
+ *ocsp_length = 0;
|
||||||
|
+ *privkey = NULL;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (st2.cert_type != GNUTLS_CRT_X509) {
|
||||||
|
gnutls_assert();
|
||||||
|
ret = GNUTLS_E_INVALID_REQUEST;
|
||||||
|
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
|
||||||
|
gnutls_certificate_retrieve_function * func)
|
||||||
|
{
|
||||||
|
cred->legacy_cert_cb1 = func;
|
||||||
|
- cred->get_cert_callback3 = call_legacy_cert_cb1;
|
||||||
|
+ if (!func)
|
||||||
|
+ cred->get_cert_callback3 = NULL;
|
||||||
|
+ else
|
||||||
|
+ cred->get_cert_callback3 = call_legacy_cert_cb1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int call_legacy_cert_cb2(gnutls_session_t session,
|
||||||
|
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
|
||||||
|
gnutls_certificate_retrieve_function2 * func)
|
||||||
|
{
|
||||||
|
cred->legacy_cert_cb2 = func;
|
||||||
|
- cred->get_cert_callback3 = call_legacy_cert_cb2;
|
||||||
|
+ if (!func)
|
||||||
|
+ cred->get_cert_callback3 = NULL;
|
||||||
|
+ else
|
||||||
|
+ cred->get_cert_callback3 = call_legacy_cert_cb2;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
|
||||||
|
index a3027130a..f72afe77f 100644
|
||||||
|
--- a/lib/hello_ext.c
|
||||||
|
+++ b/lib/hello_ext.c
|
||||||
|
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
|
||||||
|
|
||||||
|
if (tls_id == PRE_SHARED_KEY_TLS_ID) {
|
||||||
|
ctx->seen_pre_shared_key = 1;
|
||||||
|
- } else if (ctx->seen_pre_shared_key) {
|
||||||
|
+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
|
||||||
|
/* the pre-shared key extension must always be the last one,
|
||||||
|
* draft-ietf-tls-tls13-28: 4.2.11 */
|
||||||
|
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
@ -1,3 +1,13 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques <lhenriques@suse.com>
|
||||||
|
|
||||||
|
- Backport of upstream fixes (boo#1108450)
|
||||||
|
Fixes taken from upstream commits:
|
||||||
|
** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
|
||||||
|
** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
|
||||||
|
** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
|
||||||
|
The patch was taken from https://github.com/weechat/weechat/issues/1231
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
|
Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
@ -41,6 +41,7 @@ Source2: %{name}.keyring
|
|||||||
Source3: baselibs.conf
|
Source3: baselibs.conf
|
||||||
Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
|
Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
|
||||||
Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
|
Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
|
||||||
|
Patch3: gnutls-3.6.3-backport-upstream-fixes.patch
|
||||||
BuildRequires: autogen
|
BuildRequires: autogen
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: datefudge
|
BuildRequires: datefudge
|
||||||
@ -163,6 +164,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
|
|||||||
%ifarch ppc64 ppc64le ppc
|
%ifarch ppc64 ppc64le ppc
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%endif
|
%endif
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export LDFLAGS="-pie"
|
export LDFLAGS="-pie"
|
||||||
|
Loading…
Reference in New Issue
Block a user