Accepting request 635768 from home:henrix:branches:security:tls

- Backport of upstream fixes (boo#1108450)
  Fixes taken from upstream commits:
  ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
  ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
  ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
  The patch was taken from https://github.com/weechat/weechat/issues/1231

OBS-URL: https://build.opensuse.org/request/show/635768
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=6
This commit is contained in:
Tomáš Chvátal 2018-09-14 13:30:28 +00:00 committed by Git OBS Bridge
parent a081367f85
commit 3036ffa05f
3 changed files with 68 additions and 1 deletions


@ -0,0 +1,55 @@
diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index d3777e51f..2150e903f 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
+ if (st2.ncerts == 0) {
+ *pcert_length = 0;
+ *ocsp_length = 0;
+ *privkey = NULL;
+ return 0;
+ }
+
if (st2.cert_type != GNUTLS_CRT_X509) {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
gnutls_certificate_retrieve_function * func)
{
cred->legacy_cert_cb1 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb1;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb1;
}
static int call_legacy_cert_cb2(gnutls_session_t session,
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
gnutls_certificate_retrieve_function2 * func)
{
cred->legacy_cert_cb2 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb2;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb2;
}
/**
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a..f72afe77f 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
if (tls_id == PRE_SHARED_KEY_TLS_ID) {
ctx->seen_pre_shared_key = 1;
- } else if (ctx->seen_pre_shared_key) {
+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
/* the pre-shared key extension must always be the last one,
* draft-ietf-tls-tls13-28: 4.2.11 */
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
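Review bot: The `st2.ncerts == 0` early return added to call_legacy_cert_cb1 clears `*pcert_length`, `*ocsp_length` and `*privkey` but leaves `*pcert` and `*ocsp` untouched, so the caller of get_cert_callback3 (outside this patch) must treat a zero length as "no certificate" without reading those pointers; adding `*pcert = NULL; *ocsp = NULL;` to the same block removes that dependency at no cost. The zero-certificate handling is only added to the retrieve_function path; if the retrieve_function2 path in call_legacy_cert_cb2 can also report zero certificates, it needs the same guard, and since the patch was taken from a third-party issue thread rather than the gnutls repository, its hunks should be compared against upstream 42945a7aab6d before it ships. The new patch file carries no header at all; a short preamble naming boo#1108450 and the three upstream commit ids would let a later maintainer verify the backport without consulting the changelog. The hello_ext.c hunk uses `session`, which has to already be a local in hello_ext_parse in the 3.6.3 tree for this to build; the rest of that function is outside the hunk, so confirm the identifier is in scope.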


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques <lhenriques@suse.com>
- Backport of upstream fixes (boo#1108450)
Fixes taken from upstream commits:
** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
The patch was taken from https://github.com/weechat/weechat/issues/1231
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com


@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
@ -41,6 +41,7 @@ Source2: %{name}.keyring
Source3: baselibs.conf Source3: baselibs.conf
Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
Patch3: gnutls-3.6.3-backport-upstream-fixes.patch
BuildRequires: autogen BuildRequires: autogen
BuildRequires: automake BuildRequires: automake
BuildRequires: datefudge BuildRequires: datefudge
@ -163,6 +164,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
%ifarch ppc64 ppc64le ppc %ifarch ppc64 ppc64le ppc
%patch2 -p1 %patch2 -p1
%endif %endif
%patch3 -p1
%build %build
export LDFLAGS="-pie" export LDFLAGS="-pie"