pool/gnutls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 878624 from home:pmonrealgonzalez:branches:security:tls

Browse Source 
- Update to 3.7.1:
    [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
  * Fixed potential use-after-free in sending "key_share" and
    "pre_shared_key" extensions.
  * Fixed a regression in handling duplicated certs in a chain.
  * Fixed sending of session ID in TLS 1.3 middlebox compatibility
    mode. In that mode the client shall always send a non-zero
    session ID to make the handshake resemble the TLS 1.2
    resumption; this was not true in the previous versions.
  * Removed dependency on the external 'fipscheck' package,
    when compiled with --enable-fips140-mode.
  * Added padlock acceleration for AES-192-CBC.
- Remove patches upstream:
  * gnutls-gnutls-cli-debug.patch
  * gnutls-ignore-duplicate-certificates.patch
  * gnutls-test-fixes.patch

OBS-URL: https://build.opensuse.org/request/show/878624
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=49
This commit is contained in:
Pedro Monreal Gonzalez 2021-03-15 09:13:41 +00:00 committed by Git OBS Bridge
parent ae52194a46
commit 505327d4f8
9 changed files with 24 additions and 569 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.7.0.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:49e2a22691d252c9f24a9829b293a8f359095bc5a818351f05f1c0a5188a1df8
size 6129176

BIN
gnutls-3.7.0.tar.xz.sig
View File

Binary file not shown.

3
gnutls-3.7.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3777d7963eca5e06eb315686163b7b3f5045e2baac5e54e038ace9835e5cac6f
size 6038388

BIN
gnutls-3.7.1.tar.xz.sig Normal file
View File

Binary file not shown.

39
gnutls-gnutls-cli-debug.patch
View File

@ -1,39 +0,0 @@
From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 9 Feb 2021 15:26:07 +0100
Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority
settings
When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many
places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging
system that runs the test in a restricted environment. Unsetting it
after a temporary use forces the remaining part of the test to use the
default system priority, which might not be the intention of the user.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/gnutls-cli-debug.sh | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index a73910dea6..3c3e2214e5 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE}
tls-disabled-cipher = CAMELLIA-128-CBC
tls-disabled-cipher = CAMELLIA-256-CBC
_EOF_
-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \
timeout 1800 datefudge "2017-08-9" \
"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
-unset GNUTLS_SYSTEM_PRIORITY_FILE
-
kill ${PID}
wait
--
GitLab

403
gnutls-ignore-duplicate-certificates.patch
View File

@ -1,403 +0,0 @@
From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Dec 2020 12:14:13 +0100
Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
certificates
The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
regression, where duplicate certificates in a certificate chain are no
longer ignored but treated as a non-contiguous segment and that
results in calling the issuer callback, or a verification failure.
This adds a mechanism to record certificates already seen in the
chain, and skip them while still allow the caller to inject missing
certificates.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Andreas Metzler <ametzler@debian.org>
---
lib/x509/common.c | 8 ++
lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------
tests/missingissuer.c | 2 +
tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
4 files changed, 245 insertions(+), 23 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3301aaad0c..10c8db53c0 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
* increasing DEFAULT_MAX_VERIFY_DEPTH.
*/
for (i = 0; i < clist_size; i++) {
+ /* Self-signed certificate found in the chain; skip it
+ * as it should only appear in the trusted set.
+ */
+ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
+ _gnutls_cert_log("self-signed cert found", clist[i]);
+ continue;
+ }
+
for (j = 1; j < clist_size; j++) {
if (i == j)
continue;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 588e7ee0dc..9a16e6b42a 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
#define DEFAULT_SIZE 127
+struct cert_set_node_st {
+ gnutls_x509_crt_t *certs;
+ unsigned int size;
+};
+
+struct cert_set_st {
+ struct cert_set_node_st *node;
+ unsigned int size;
+};
+
+static int
+cert_set_init(struct cert_set_st *set, unsigned int size)
+{
+ memset(set, 0, sizeof(*set));
+
+ set->size = size;
+ set->node = gnutls_calloc(size, sizeof(*set->node));
+ if (!set->node) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ return 0;
+}
+
+static void
+cert_set_deinit(struct cert_set_st *set)
+{
+ size_t i;
+
+ for (i = 0; i < set->size; i++) {
+ gnutls_free(set->node[i].certs);
+ }
+
+ gnutls_free(set->node);
+}
+
+static bool
+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash, i;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ for (i = 0; i < set->node[hash].size; i++) {
+ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static int
+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
+{
+ size_t hash;
+
+ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
+ hash %= set->size;
+
+ set->node[hash].certs =
+ gnutls_realloc_fast(set->node[hash].certs,
+ (set->node[hash].size + 1) *
+ sizeof(*set->node[hash].certs));
+ if (!set->node[hash].certs) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+ set->node[hash].certs[set->node[hash].size] = cert;
+ set->node[hash].size++;
+
+ return 0;
+}
+
/**
* gnutls_x509_trust_list_init:
* @list: A pointer to the type to be initialized
@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
unsigned have_set_name = 0;
unsigned saved_output;
gnutls_datum_t ip = {NULL, 0};
+ struct cert_set_st cert_set = { NULL, 0 };
if (cert_list == NULL || cert_list_size < 1)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
cert_list = sorted;
+ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
+ if (ret < 0) {
+ return ret;
+ }
+
for (i = 0; i < cert_list_size &&
- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- unsigned int sorted_size;
+ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
+ unsigned int sorted_size = 1;
+ unsigned int j;
+ gnutls_x509_crt_t issuer;
+ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
sorted_size = _gnutls_sort_clist(&cert_list[i],
cert_list_size - i);
- i += sorted_size - 1;
}
- if (i == cert_list_size - 1) {
- gnutls_x509_crt_t issuer;
-
- /* If it is the last certificate and its issuer is
- * known, don't need to run issuer callback. */
- if (_gnutls_trust_list_get_issuer(list,
- cert_list[i],
- &issuer,
- 0) == 0) {
+ /* Remove duplicates. Start with index 1, as the first element
+ * may be re-checked after issuer retrieval. */
+ for (j = 1; j < sorted_size; j++) {
+ if (cert_set_contains(&cert_set, cert_list[i + j])) {
+ if (i + j < cert_list_size - 1) {
+ memmove(&cert_list[i + j],
+ &cert_list[i + j + 1],
+ sizeof(cert_list[i]));
+ }
+ cert_list_size--;
break;
}
- } else if (gnutls_x509_crt_check_issuer(cert_list[i],
- cert_list[i + 1])) {
- /* There is no gap between this and the next
- * certificate. */
+ }
+ /* Found a duplicate, try again with the same index. */
+ if (j < sorted_size) {
+ continue;
+ }
+
+ /* Record the certificates seen. */
+ for (j = 0; j < sorted_size; j++, i++) {
+ ret = cert_set_add(&cert_set, cert_list[i]);
+ if (ret < 0) {
+ goto cleanup;
+ }
+ }
+
+ /* If the issuer of the certificate is known, no need
+ * for further processing. */
+ if (_gnutls_trust_list_get_issuer(list,
+ cert_list[i - 1],
+ &issuer,
+ 0) == 0) {
+ cert_list_size = i;
+ break;
+ }
+
+ /* If there is no gap between this and the next certificate,
+ * proceed with the next certificate. */
+ if (i < cert_list_size &&
+ gnutls_x509_crt_check_issuer(cert_list[i - 1],
+ cert_list[i])) {
continue;
}
ret = retrieve_issuers(list,
- cert_list[i],
+ cert_list[i - 1],
&retrieved[retrieved_size],
DEFAULT_MAX_VERIFY_DEPTH -
MAX(retrieved_size,
@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (ret < 0) {
break;
} else if (ret > 0) {
- memmove(&cert_list[i + 1 + ret],
- &cert_list[i + 1],
- (cert_list_size - i - 1) *
+ assert((unsigned int)ret <=
+ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
+ memmove(&cert_list[i + ret],
+ &cert_list[i],
+ (cert_list_size - i) *
sizeof(gnutls_x509_crt_t));
- memcpy(&cert_list[i + 1],
+ memcpy(&cert_list[i],
&retrieved[retrieved_size],
ret * sizeof(gnutls_x509_crt_t));
retrieved_size += ret;
cert_list_size += ret;
+
+ /* Start again from the end of the previous segment. */
+ i--;
}
}
@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
for (i = 0; i < retrieved_size; i++) {
gnutls_x509_crt_deinit(retrieved[i]);
}
+ cert_set_deinit(&cert_set);
return ret;
}
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
index f21e2b6b0c..226d095929 100644
--- a/tests/missingissuer.c
+++ b/tests/missingissuer.c
@@ -145,6 +145,8 @@ void doit(void)
printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
for (j = 0; chains[i].chain[j]; j++) {
+ assert(j < MAX_CHAIN);
+
if (debug > 2)
printf("\tAdding certificate %d...", (int)j);
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
index 543e2d71fb..bf1e65c956 100644
--- a/tests/test-chains-issuer.h
+++ b/tests/test-chains-issuer.h
@@ -24,7 +24,7 @@
#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
-#define MAX_CHAIN 6
+#define MAX_CHAIN 15
#define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \
"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
NULL,
};
+static const char *missing_middle_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_2,
+ CA_CERT_2,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_last_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_2,
+ CA_CERT_2,
+ NULL,
+};
+
+static const char *missing_last_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_4,
+ CA_CERT_4,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
+static const char *missing_skip_single_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ CA_CERT_1,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_skip_multiple_duplicate[] = {
+ SERVER_CERT,
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_5,
+ CA_CERT_3,
+ CA_CERT_3,
+ NULL,
+};
+
static const char *missing_ca[] = {
CA_CERT_0,
NULL,
};
+static const char *middle_single_duplicate_ca[] = {
+ SERVER_CERT,
+ CA_CERT_5,
+ CA_CERT_0,
+ CA_CERT_4,
+ CA_CERT_0,
+ CA_CERT_2,
+ CA_CERT_0,
+ CA_CERT_1,
+ NULL,
+};
+
+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
+ CA_CERT_0,
+ NULL,
+};
+
static struct chains {
const char *name;
const char **chain;
@@ -377,6 +468,14 @@ static struct chains {
{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
+ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
+ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
+ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
+ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
+ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
+ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
{ NULL, NULL, NULL, NULL },
};
--
GitLab

117
gnutls-test-fixes.patch
View File

@ -1,117 +0,0 @@
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 38b9585bc002ac9d32003ec7127153f9950ad1b1..09a6274776935f07f91a5be1eb79a573165ded93 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -67,6 +67,8 @@ have_ed25519=0
P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"
+TESTDATE=2020-12-01
+
. ${srcdir}/scripts/common.sh
rm -f "${LOGFILE}"
@@ -79,6 +81,8 @@ exit_error () {
exit 1
}
+skip_if_no_datefudge
+
# $1: token
# $2: PIN
# $3: filename
@@ -523,6 +527,7 @@ write_certificate_test () {
pubkey="$5"
echo -n "* Generating client certificate... "
+ datefudge -s "$TESTDATE" \
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
@@ -900,7 +905,9 @@ use_certificate_test () {
echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
# start server
eval "${GETPORT}"
- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
+ launch_bare_server datefudge -s "$TESTDATE" \
+ $VALGRIND $SERV $DEBUG -p "$PORT" \
+ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" \
--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
@@ -908,13 +915,16 @@ use_certificate_test () {
wait_server ${PID}
# connect to server using SC
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
fail ${PID} "Connection should have failed!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
fail ${PID} "Connection (with files) should have succeeded!"
+ datefudge -s "$TESTDATE" \
${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
--x509keyfile="${token};object=gnutls-client;object-type=private" \
--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh
index eba502612a293eb11134a62ce749ff87e6778ab2..77fe17e59341a344590ea22f62076e4db54dd91a 100755
--- a/tests/tpmtool_test.sh
+++ b/tests/tpmtool_test.sh
@@ -138,6 +138,7 @@ start_tcsd()
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
+ local owner
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
@@ -146,20 +147,36 @@ start_tcsd()
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
+ # older versions of trousers require tss:tss ownership of the
+ # config file, later ones root:tss
+ for owner in tss root; do
+ if [ "$owner" = "tss" ]; then
+ chmod 0600 $tcsd_conf
+ else
+ chmod 0640 $tcsd_conf
+ fi
+ chown $owner:tss $tcsd_conf
- chown tss:tss $tcsd_conf
- chmod 0600 $tcsd_conf
+ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
+ BASH_PID=$!
- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
- BASH_PID=$!
+ if wait_for_file $tcsd_pidfile 3; then
+ echo "Could not get TCSD's PID file"
+ return 1
+ fi
- if wait_for_file $tcsd_pidfile 3; then
- echo "Could not get TCSD's PID file"
- return 1
- fi
+ sleep 0.5
+ TCSD_PID=$(cat $tcsd_pidfile)
+ kill -0 "${TCSD_PID}"
+ if [ $? -ne 0 ]; then
+ # Try again with other owner
+ continue
+ fi
+ return 0
+ done
- TCSD_PID=$(cat $tcsd_pidfile)
- return 0
+ echo "TCSD could not be started"
+ return 1
}
stop_tcsd()

20
gnutls.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Fri Mar 12 18:45:38 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.7.1:
[bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
* Fixed potential use-after-free in sending "key_share" and
"pre_shared_key" extensions.
* Fixed a regression in handling duplicated certs in a chain.
* Fixed sending of session ID in TLS 1.3 middlebox compatibility
mode. In that mode the client shall always send a non-zero
session ID to make the handshake resemble the TLS 1.2
resumption; this was not true in the previous versions.
* Removed dependency on the external 'fipscheck' package,
when compiled with --enable-fips140-mode.
* Added padlock acceleration for AES-192-CBC.
- Remove patches upstream:
* gnutls-gnutls-cli-debug.patch
* gnutls-ignore-duplicate-certificates.patch
* gnutls-test-fixes.patch
-------------------------------------------------------------------
Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

8
gnutls.spec
View File

@ -28,7 +28,7 @@
%bcond_with tpm
%bcond_without guile
Name: gnutls
Version: 3.7.0
Version: 3.7.1
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1-or-later AND GPL-3.0-or-later
@ -42,12 +42,6 @@ Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
Patch1: gnutls-3.6.6-set_guile_site_dir.patch
Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch
Patch3: gnutls-FIPS-TLS_KDF_selftest.patch
#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131
Patch4: gnutls-ignore-duplicate-certificates.patch
#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135
Patch5: gnutls-test-fixes.patch
#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387
Patch6: gnutls-gnutls-cli-debug.patch
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge