Accepting request 121255 from Base:System

- Update to version 3.0.19:
  + libgnutls:
    - When decoding a PKCS #11 URL the pin-source field
      is assumed to be a file that stores the pin. Based on patch
      by David Smith.
    - gnutls_record_check_pending() no longer
      returns unprocessed data, and thus ensure the non-blocking
      of the next call to gnutls_record_recv().
    - Added strict tests in Diffie-Hellman and
      SRP key exchange public keys.
    - in ECDSA and DSA TLS 1.2 authentication be less
      strict in hash selection, and allow a stronger hash to
      be used than the appropriate, to improve interoperability
      with openssl.
  + tests:
    - Disabled floating point test, and corrections
      in pkcs12 decoding tests.
  + API and ABI modifications:
    - No changes since last version.
- Changes from version 3.0.18:
  + certtool:
    - Avoid a Y2K38 bug when generating certificates.
      Patch by Robert Millan.
  + libgnutls:
    - Make sure that GNUTLS_E_PREMATURE_TERMINATION
      is returned on premature termination (and added unit test).
    - Fixes for W64 API. Patch by B. Scott Michel.
    - Corrected VIA padlock detection for old
      VIA processors. Reported by Kris Karas.
    - Updated assembler files.

OBS-URL: https://build.opensuse.org/request/show/121255
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=44
Stephan Kulow 2012-05-21 08:25:22 +00:00 committed by Git OBS Bridge
parent 2d16d00bea
commit f13278bad7
10 changed files with 390 additions and 1061 deletions


@ -1,20 +0,0 @@
Index: gnutls-3.0.3/lib/gnutls_session.c
===================================================================
--- gnutls-3.0.3.orig/lib/gnutls_session.c
+++ gnutls-3.0.3/lib/gnutls_session.c
@@ -63,13 +63,14 @@ gnutls_session_get_data (gnutls_session_
gnutls_assert ();
return ret;
}
- *session_data_size = psession.size;
if (psession.size > *session_data_size)
{
+ *session_data_size = psession.size;
ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
goto error;
}
+ *session_data_size = psession.size;
if (session_data != NULL)
memcpy (session_data, psession.data, psession.size);
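Review bot: Nothing in the commit message records that this downstream fix is being dropped. The deleted patch moved `*session_data_size = psession.size;` below the `psession.size > *session_data_size` check in gnutls_session_get_data, so the caller's buffer size is only honoured before the memcpy if 3.0.19 carries the same ordering. The same applies to the other patch files deleted further down: the two lib/gnutls_cipher.c length checks in ciphertext_to_compressed, the asn1_get_length_der bounds check in lib/minitasn1/decoding.c, the compression rewrite, and the `out[1] = '\0';` termination in lib/x509/common.c. I would confirm each one against the 3.0.19 tarball and add a changelog line such as `- Drop patches merged upstream: <patch file names>`. The visible part of the .changes hunk does not mention them, though it continues past what is shown here.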


@ -1,18 +0,0 @@
Index: gnutls-3.0.3/lib/gnutls_cipher.c
===================================================================
--- gnutls-3.0.3.orig/lib/gnutls_cipher.c
+++ gnutls-3.0.3/lib/gnutls_cipher.c
@@ -559,7 +559,12 @@ ciphertext_to_compressed (gnutls_session
}
if (length < 0)
- length = 0;
+ {
+ /* Setting a proper length to prevent timing differences in
+ * processing of records with invalid encryption.
+ */
+ length = ciphertext->size - tag_size;
+ }
/* Pass the type, version, length and compressed through
* MAC.


@ -1,44 +0,0 @@
Index: gnutls-3.0.3/lib/minitasn1/decoding.c
===================================================================
--- gnutls-3.0.3.orig/lib/minitasn1/decoding.c
+++ gnutls-3.0.3/lib/minitasn1/decoding.c
@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_
* Extract a length field from DER data.
*
* Returns: Return the decoded length value, or -1 on indefinite
- * length, or -2 when the value was too big.
+ * length, or -2 when the value was too big to fit in a int, or -4
+ * when the decoded length value plus @len would exceed @der_len.
**/
signed long
asn1_get_length_der (const unsigned char *der, int der_len, int *len)
{
- unsigned long ans;
+ int ans;
int k, punt;
*len = 0;
@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char
ans = 0;
while (punt <= k && punt < der_len)
{
- unsigned long last = ans;
+ int last = ans;
ans = ans * 256 + der[punt++];
if (ans < last)
@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char
}
else
{ /* indefinite length method */
- ans = -1;
+ *len = punt;
+ return -1;
}
*len = punt;
+ if (ans + *len < ans || ans + *len > der_len)
+ return -4;
return ans;
}
}


@ -1,31 +0,0 @@
Index: gnutls-3.0.3/lib/gnutls_cipher.c
===================================================================
--- gnutls-3.0.3.orig/lib/gnutls_cipher.c
+++ gnutls-3.0.3/lib/gnutls_cipher.c
@@ -502,7 +502,7 @@ ciphertext_to_compressed (gnutls_session
break;
case CIPHER_BLOCK:
- if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0))
+ if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
/* ignore the IV in TLS 1.1+
@@ -514,14 +514,11 @@ ciphertext_to_compressed (gnutls_session
ciphertext->size -= blocksize;
ciphertext->data += blocksize;
-
- if (ciphertext->size == 0)
- {
- gnutls_assert ();
- return GNUTLS_E_DECRYPTION_FAILED;
- }
}
+ if (ciphertext->size < tag_size)
+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+
/* we don't use the auth_cipher interface here, since
* TLS with block ciphers is impossible to be used under such
* an API. (the length of plaintext is required to calculate

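--- /dev/null
+++ b/gnutls-3.0.19.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9a436ea8718c38a564812e465c883f4f37ddc8c80c6f8bee54819e6e4089c37
+size 5035160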


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1c9f7e5e22b30cc7e558b00aa0a78388852b62b241c68c4f5dce1cb39ca6298b
size 4281044


@ -1,842 +0,0 @@
From f3abb3c8e37dfdb0881c23499abf4fe3aa779e14 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Thu, 22 Sep 2011 18:48:07 +0200
Subject: [PATCH] Simplified and corrected decompression and compression.
Added test program.
---
lib/gnutls_cipher.c | 203 +++++++++++++++++++++++--------------------------
lib/gnutls_compress.c | 137 ++++-----------------------------
lib/gnutls_compress.h | 15 +---
lib/gnutls_record.c | 5 +-
tests/Makefile.am | 2 +-
tests/eagain-common.h | 5 +
tests/mini-deflate.c | 113 +++++++++++++++++++++++++++
7 files changed, 234 insertions(+), 246 deletions(-)
create mode 100644 tests/mini-deflate.c
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 1629b4d..75ca6ab 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -41,15 +41,16 @@
#include <gnutls_state.h>
#include <random.h>
-static int _gnutls_compressed2ciphertext (gnutls_session_t session,
+static int compressed_to_ciphertext (gnutls_session_t session,
opaque * cipher_data, int cipher_size,
- gnutls_datum_t compressed,
+ gnutls_datum_t *compressed,
content_type_t _type,
record_parameters_st * params);
-static int _gnutls_ciphertext2compressed (gnutls_session_t session,
+static int ciphertext_to_compressed (gnutls_session_t session,
+ gnutls_datum_t *ciphertext,
opaque * compress_data,
int compress_size,
- gnutls_datum_t ciphertext, uint8_t type,
+ uint8_t type,
record_parameters_st * params, uint64* sequence);
inline static int
@@ -83,45 +84,47 @@ _gnutls_encrypt (gnutls_session_t session, const opaque * headers,
size_t ciphertext_size, content_type_t type,
record_parameters_st * params)
{
- gnutls_datum_t plain;
gnutls_datum_t comp;
+ int free_comp = 0;
int ret;
- int free_comp = 1;
- record_parameters_st *cur_record_params;
- ret = _gnutls_epoch_get (session, EPOCH_WRITE_CURRENT, &cur_record_params);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- plain.data = (opaque *) data;
- plain.size = data_size;
-
- if (plain.size == 0 || is_write_comp_null (cur_record_params) == 0)
+ if (data_size == 0 || is_write_comp_null (params) == 0)
{
- comp = plain;
- free_comp = 0;
+ comp.data = (opaque*)data;
+ comp.size = data_size;
}
else
{
/* Here comp is allocated and must be
* freed.
*/
- ret = _gnutls_m_plaintext2compressed (session, &comp, &plain, params);
+ free_comp = 1;
+
+ comp.size = ciphertext_size - headers_size;
+ comp.data = gnutls_malloc(comp.size);
+ if (comp.data == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ ret = _gnutls_compress( params->write.compression_state, data, data_size, comp.data, comp.size);
if (ret < 0)
- return gnutls_assert_val(ret);
+ {
+ gnutls_free(comp.data);
+ return gnutls_assert_val(ret);
+ }
+
+ comp.size = ret;
}
- ret = _gnutls_compressed2ciphertext (session, &ciphertext[headers_size],
+ ret = compressed_to_ciphertext (session, &ciphertext[headers_size],
ciphertext_size - headers_size,
- comp, type, params);
+ &comp, type, params);
if (free_comp)
- _gnutls_free_datum (&comp);
+ gnutls_free(comp.data);
if (ret < 0)
return gnutls_assert_val(ret);
-
/* copy the headers */
memcpy (ciphertext, headers, headers_size);
@@ -142,14 +145,8 @@ _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext,
size_t max_data_size, content_type_t type,
record_parameters_st * params, uint64 *sequence)
{
- gnutls_datum_t gtxt;
gnutls_datum_t gcipher;
- int ret;
- record_parameters_st *cur_record_params;
-
- ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &cur_record_params);
- if (ret < 0)
- return gnutls_assert_val(ret);
+ int ret, data_size;
if (ciphertext_size == 0)
return 0;
@@ -157,57 +154,43 @@ _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext,
gcipher.size = ciphertext_size;
gcipher.data = ciphertext;
- ret =
- _gnutls_ciphertext2compressed (session, data, max_data_size,
- gcipher, type, params, sequence);
- if (ret < 0)
+ if (is_read_comp_null (params) == 0)
{
+ ret =
+ ciphertext_to_compressed (session, &gcipher, data, max_data_size,
+ type, params, sequence);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
return ret;
}
-
- if (ret == 0 || is_read_comp_null (cur_record_params) == 0)
- {
- /* ret == ret */
-
- }
else
{
- gnutls_datum_t gcomp;
-
- /* compression has this malloc overhead.
- */
-
- gcomp.data = data;
- gcomp.size = ret;
- ret = _gnutls_m_compressed2plaintext (session, &gtxt, &gcomp, params);
+ opaque* tmp_data;
+
+ tmp_data = gnutls_malloc(max_data_size);
+ if (tmp_data == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ ret =
+ ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size,
+ type, params, sequence);
if (ret < 0)
+ goto leave;
+
+ data_size = ret;
+
+ if (ret != 0)
{
- return ret;
- }
-
- if (gtxt.size > MAX_RECORD_RECV_SIZE(session))
- {
- _gnutls_free_datum (&gtxt);
- /* This shouldn't have happen and
- * is a TLS fatal error.
- */
- return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
- }
-
- /* This check is not really needed */
- if (max_data_size < MAX_RECORD_RECV_SIZE(session))
- {
- _gnutls_free_datum (&gtxt);
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ ret = _gnutls_decompress(params->read.compression_state, tmp_data, data_size, data, max_data_size);
+ if (ret < 0)
+ goto leave;
}
-
- memcpy (data, gtxt.data, gtxt.size);
- ret = gtxt.size;
-
- _gnutls_free_datum (&gtxt);
+
+leave:
+ gnutls_free(tmp_data);
+ return ret;
}
-
- return ret;
}
@@ -305,9 +288,9 @@ make_preamble (opaque * uint64_data, opaque type, int length,
* return the actual encrypted data length.
*/
static int
-_gnutls_compressed2ciphertext (gnutls_session_t session,
+compressed_to_ciphertext (gnutls_session_t session,
opaque * cipher_data, int cipher_size,
- gnutls_datum_t compressed,
+ gnutls_datum_t *compressed,
content_type_t type,
record_parameters_st * params)
{
@@ -336,15 +319,16 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
(unsigned int)params->epoch);
+
preamble_size =
make_preamble (UINT64DATA
(params->write.sequence_number),
- type, compressed.size, ver, preamble);
+ type, compressed->size, ver, preamble);
/* Calculate the encrypted length (padding etc.)
*/
length_to_encrypt = length =
- calc_enc_length (session, compressed.size, tag_size, &pad,
+ calc_enc_length (session, compressed->size, tag_size, &pad,
random_pad, block_algo, auth_cipher, blocksize);
if (length < 0)
{
@@ -411,8 +395,8 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
- memcpy (data_ptr, compressed.data, compressed.size);
- data_ptr += compressed.size;
+ memcpy (data_ptr, compressed->data, compressed->size);
+ data_ptr += compressed->size;
if (tag_size > 0)
{
@@ -431,7 +415,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
*/
ret =
_gnutls_auth_cipher_encrypt_tag (&params->write.cipher_state,
- cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed.size);
+ cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed->size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -443,11 +427,12 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
* Returns the actual compressed packet size.
*/
static int
-_gnutls_ciphertext2compressed (gnutls_session_t session,
- opaque * compress_data,
- int compress_size,
- gnutls_datum_t ciphertext, uint8_t type,
- record_parameters_st * params, uint64* sequence)
+ciphertext_to_compressed (gnutls_session_t session,
+ gnutls_datum_t *ciphertext,
+ opaque * compress_data,
+ int compress_size,
+ uint8_t type, record_parameters_st * params,
+ uint64* sequence)
{
uint8_t tag[MAX_HASH_SIZE];
uint8_t pad;
@@ -478,28 +463,28 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
if (params->read.IV.data == NULL || params->read.IV.size != 4)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- if (ciphertext.size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
+ if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
- memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext.data, AEAD_EXPLICIT_DATA_SIZE);
+ memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE);
_gnutls_auth_cipher_setiv(&params->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
- ciphertext.data += AEAD_EXPLICIT_DATA_SIZE;
- ciphertext.size -= AEAD_EXPLICIT_DATA_SIZE;
+ ciphertext->data += AEAD_EXPLICIT_DATA_SIZE;
+ ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE;
- length_to_decrypt = ciphertext.size - tag_size;
+ length_to_decrypt = ciphertext->size - tag_size;
}
else
{
- if (ciphertext.size < tag_size)
+ if (ciphertext->size < tag_size)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- length_to_decrypt = ciphertext.size;
+ length_to_decrypt = ciphertext->size;
}
- length = ciphertext.size - tag_size;
+ length = ciphertext->size - tag_size;
/* Pass the type, version, length and compressed through
* MAC.
@@ -512,12 +497,12 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
if ((ret =
_gnutls_auth_cipher_decrypt (&params->read.cipher_state,
- ciphertext.data, length_to_decrypt)) < 0)
+ ciphertext->data, length_to_decrypt)) < 0)
return gnutls_assert_val(ret);
break;
case CIPHER_BLOCK:
- if (ciphertext.size < MAX(blocksize, tag_size) || (ciphertext.size % blocksize != 0))
+ if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
/* ignore the IV in TLS 1.1+
@@ -525,12 +510,12 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
if (explicit_iv)
{
_gnutls_auth_cipher_setiv(&params->read.cipher_state,
- ciphertext.data, blocksize);
+ ciphertext->data, blocksize);
- ciphertext.size -= blocksize;
- ciphertext.data += blocksize;
+ ciphertext->size -= blocksize;
+ ciphertext->data += blocksize;
- if (ciphertext.size == 0)
+ if (ciphertext->size == 0)
{
gnutls_assert ();
return GNUTLS_E_DECRYPTION_FAILED;
@@ -544,32 +529,32 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
*/
if ((ret =
_gnutls_cipher_decrypt (&params->read.cipher_state.cipher,
- ciphertext.data, ciphertext.size)) < 0)
+ ciphertext->data, ciphertext->size)) < 0)
return gnutls_assert_val(ret);
- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+ pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
- if ((int) pad > (int) ciphertext.size - tag_size)
+ if ((int) pad > (int) ciphertext->size - tag_size)
{
gnutls_assert ();
_gnutls_record_log
("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
- session, pad, ciphertext.size, tag_size);
+ session, pad, ciphertext->size, tag_size);
/* We do not fail here. We check below for the
* the pad_failed. If zero means success.
*/
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}
- length = ciphertext.size - tag_size - pad;
+ length = ciphertext->size - tag_size - pad;
/* Check the pading bytes (TLS 1.x)
*/
if (ver != GNUTLS_SSL3 && pad_failed == 0)
for (i = 2; i < pad; i++)
{
- if (ciphertext.data[ciphertext.size - i] !=
- ciphertext.data[ciphertext.size - 1])
+ if (ciphertext->data[ciphertext->size - i] !=
+ ciphertext->data[ciphertext->size - 1])
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}
@@ -583,7 +568,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
make_preamble (UINT64DATA(*sequence), type,
length, ver, preamble);
_gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
- _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext.data, length);
+ _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext->data, length);
break;
default:
@@ -602,7 +587,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* HMAC was not the same.
*/
- if (memcmp (tag, &ciphertext.data[length], tag_size) != 0)
+ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0)
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
/* copy the decrypted stuff to compress_data.
@@ -610,8 +595,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
if (compress_size < length)
return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
- if (compress_data != ciphertext.data)
- memcpy (compress_data, ciphertext.data, length);
+ if (compress_data != ciphertext->data)
+ memcpy (compress_data, ciphertext->data, length);
return length;
}
diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c
index 52d4a15..e7a5114 100644
--- a/lib/gnutls_compress.c
+++ b/lib/gnutls_compress.c
@@ -32,57 +32,6 @@
#include <algorithms.h>
#include <gnutls/gnutls.h>
-/* These functions allocate the return value internally
- */
-int
-_gnutls_m_plaintext2compressed (gnutls_session_t session,
- gnutls_datum_t * compressed,
- const gnutls_datum_t * plaintext,
- const record_parameters_st * params)
-{
- int size;
- opaque *data;
-
- size =
- _gnutls_compress (params->write.compression_state,
- plaintext->data, plaintext->size, &data,
- MAX_RECORD_SEND_SIZE(session) + EXTRA_COMP_SIZE);
- if (size < 0)
- {
- gnutls_assert ();
- return GNUTLS_E_COMPRESSION_FAILED;
- }
- compressed->data = data;
- compressed->size = size;
-
- return 0;
-}
-
-int
-_gnutls_m_compressed2plaintext (gnutls_session_t session,
- gnutls_datum_t * plain,
- const gnutls_datum_t * compressed,
- const record_parameters_st * params)
-{
- int size;
- opaque *data;
-
- size =
- _gnutls_decompress (params->read.compression_state,
- compressed->data, compressed->size, &data,
- MAX_RECORD_RECV_SIZE(session));
- if (size < 0)
- {
- gnutls_assert ();
- return GNUTLS_E_DECOMPRESSION_FAILED;
- }
- plain->data = data;
- plain->size = size;
-
- return 0;
-}
-
-
/* Compression Section */
#define GNUTLS_COMPRESSION_ENTRY(name, id, wb, ml, cl) \
{ #name, name, id, wb, ml, cl}
@@ -397,7 +346,7 @@ _gnutls_comp_deinit (comp_hd_t handle, int d)
int
_gnutls_compress (comp_hd_t handle, const opaque * plain,
- size_t plain_size, opaque ** compressed,
+ size_t plain_size, opaque * compressed,
size_t max_comp_size)
{
int compressed_size = GNUTLS_E_COMPRESSION_FAILED;
@@ -419,32 +368,19 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain,
z_stream *zhandle;
int err;
- size = (plain_size + plain_size) + 10;
- *compressed = gnutls_malloc (size);
- if (*compressed == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
zhandle = handle->handle;
zhandle->next_in = (Bytef *) plain;
zhandle->avail_in = plain_size;
- zhandle->next_out = (Bytef *) * compressed;
- zhandle->avail_out = size;
+ zhandle->next_out = (Bytef *) compressed;
+ zhandle->avail_out = max_comp_size;
err = deflate (zhandle, Z_SYNC_FLUSH);
-
if (err != Z_OK || zhandle->avail_in != 0)
- {
- gnutls_assert ();
- gnutls_free (*compressed);
- *compressed = NULL;
- return GNUTLS_E_COMPRESSION_FAILED;
- }
+ return gnutls_assert_val(GNUTLS_E_COMPRESSION_FAILED);
- compressed_size = size - zhandle->avail_out;
+
+ compressed_size = max_comp_size - zhandle->avail_out;
break;
}
#endif
@@ -458,13 +394,6 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain,
(float) ((float) compressed_size / (float) plain_size));
#endif
- if ((size_t) compressed_size > max_comp_size)
- {
- gnutls_free (*compressed);
- *compressed = NULL;
- return GNUTLS_E_COMPRESSION_FAILED;
- }
-
return compressed_size;
}
@@ -472,12 +401,12 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain,
int
_gnutls_decompress (comp_hd_t handle, opaque * compressed,
- size_t compressed_size, opaque ** plain,
- size_t max_record_size)
+ size_t compressed_size, opaque * plain,
+ size_t max_plain_size)
{
int plain_size = GNUTLS_E_DECOMPRESSION_FAILED;
- if (compressed_size > max_record_size + EXTRA_COMP_SIZE)
+ if (compressed_size > max_plain_size + EXTRA_COMP_SIZE)
{
gnutls_assert ();
return GNUTLS_E_DECOMPRESSION_FAILED;
@@ -499,51 +428,21 @@ _gnutls_decompress (comp_hd_t handle, opaque * compressed,
{
uLongf out_size;
z_stream *zhandle;
- int cur_pos;
int err;
- *plain = NULL;
- out_size = compressed_size + compressed_size;
- plain_size = 0;
-
zhandle = handle->handle;
zhandle->next_in = (Bytef *) compressed;
zhandle->avail_in = compressed_size;
- cur_pos = 0;
-
- do
- {
- out_size += 512;
- *plain = gnutls_realloc_fast (*plain, out_size);
- if (*plain == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- zhandle->next_out = (Bytef *) (*plain + cur_pos);
- zhandle->avail_out = out_size - cur_pos;
-
- err = inflate (zhandle, Z_SYNC_FLUSH);
-
- cur_pos = out_size - zhandle->avail_out;
-
- }
- while ((err == Z_BUF_ERROR && zhandle->avail_out == 0
- && out_size < max_record_size)
- || (err == Z_OK && zhandle->avail_in != 0));
+ zhandle->next_out = (Bytef *) plain;
+ zhandle->avail_out = max_plain_size;
+ err = inflate (zhandle, Z_SYNC_FLUSH);
if (err != Z_OK)
- {
- gnutls_assert ();
- gnutls_free (*plain);
- *plain = NULL;
- return GNUTLS_E_DECOMPRESSION_FAILED;
- }
+ return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
- plain_size = out_size - zhandle->avail_out;
+ plain_size = max_plain_size - zhandle->avail_out;
break;
}
#endif
@@ -552,13 +451,5 @@ _gnutls_decompress (comp_hd_t handle, opaque * compressed,
return GNUTLS_E_INTERNAL_ERROR;
} /* switch */
- if ((size_t) plain_size > max_record_size)
- {
- gnutls_assert ();
- gnutls_free (*plain);
- *plain = NULL;
- return GNUTLS_E_DECOMPRESSION_FAILED;
- }
-
return plain_size;
}
diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h
index 2bc88c5..7f3545c 100644
--- a/lib/gnutls_compress.h
+++ b/lib/gnutls_compress.h
@@ -22,15 +22,6 @@
#ifndef GNUTLS_COMPRESS_H
#define GNUTLS_COMPRESS_H
-int _gnutls_m_plaintext2compressed (gnutls_session_t session,
- gnutls_datum_t * compressed,
- const gnutls_datum_t * plaintext,
- const record_parameters_st * params);
-int _gnutls_m_compressed2plaintext (gnutls_session_t session,
- gnutls_datum_t * plain,
- const gnutls_datum_t * compressed,
- const record_parameters_st * params);
-
/* Algorithm handling. */
int _gnutls_supported_compression_methods (gnutls_session_t session,
uint8_t * comp, size_t max_comp);
@@ -54,10 +45,10 @@ comp_hd_t _gnutls_comp_init (gnutls_compression_method_t, int d);
void _gnutls_comp_deinit (comp_hd_t handle, int d);
int _gnutls_decompress (comp_hd_t handle, opaque * compressed,
- size_t compressed_size, opaque ** plain,
- size_t max_record_size);
+ size_t compressed_size, opaque * plain,
+ size_t max_plain_size);
int _gnutls_compress (comp_hd_t, const opaque * plain, size_t plain_size,
- opaque ** compressed, size_t max_comp_size);
+ opaque * compressed, size_t max_comp_size);
struct gnutls_compression_entry
{
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 22e4923..4ff2951 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -986,7 +986,10 @@ begin:
if (bufel == NULL)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- decrypted = _mbuffer_alloc(record.length+EXTRA_COMP_SIZE, record.length+EXTRA_COMP_SIZE);
+ /* We allocate the maximum possible to allow few compressed bytes to expand to a
+ * full record.
+ */
+ decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session), MAX_RECORD_RECV_SIZE(session));
if (decrypted == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 63ae665..7ed9d25 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -58,7 +58,7 @@ noinst_LTLIBRARIES = libutils.la
libutils_la_SOURCES = utils.h utils.c
ctests = simple gc set_pkcs12_cred certder certuniqueid mpi \
- certificate_set_x509_crl dn parse_ca moredn mini \
+ certificate_set_x509_crl dn parse_ca moredn mini mini-deflate \
hostname-check cve-2008-4989 pkcs12_s2k chainverify crq_key_id \
x509sign-verify cve-2009-1415 cve-2009-1416 crq_apis \
init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
diff --git a/tests/eagain-common.h b/tests/eagain-common.h
index c55e97c..07d5148 100644
--- a/tests/eagain-common.h
+++ b/tests/eagain-common.h
@@ -32,6 +32,9 @@
ret = gnutls_record_send (c, msg, msglen); \
} \
while(ret == GNUTLS_E_AGAIN); \
+ \
+ if (ret < 0) fail ("client send error: %s\n", gnutls_strerror (ret)); \
+ \
do \
{ \
do \
@@ -54,6 +57,7 @@
ns = gnutls_record_send (server, msg, msglen); \
} \
while (ns == GNUTLS_E_AGAIN); \
+ if (ns < 0) fail ("server send error: %s\n", gnutls_strerror (ret)); \
do \
{ \
ret = gnutls_record_recv (client, buf, buflen); \
@@ -81,6 +85,7 @@
ns = gnutls_record_send (client, buf, msglen); \
} \
while (ns == GNUTLS_E_AGAIN); \
+ if (ns < 0) fail ("client send error: %s\n", gnutls_strerror (ret)); \
transferred += ret; \
if (debug) \
fputs (".", stdout); \
diff --git a/tests/mini-deflate.c b/tests/mini-deflate.c
new file mode 100644
index 0000000..4edd4db
--- /dev/null
+++ b/tests/mini-deflate.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include "eagain-common.h"
+
+#include "utils.h"
+
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "|<%d>| %s", level, str);
+}
+
+#define MAX_BUF 6*1024
+#define MSG "Hello TLS, and Hello and Hello and Hello"
+
+void
+doit (void)
+{
+ /* Server stuff. */
+ gnutls_anon_server_credentials_t s_anoncred;
+ const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) };
+ static gnutls_dh_params_t dh_params;
+ gnutls_session_t server;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_anon_client_credentials_t c_anoncred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+ /* Need to enable anonymous KX specifically. */
+ char buffer[MAX_BUF + 1];
+ ssize_t ns;
+ int ret, transferred = 0, msglen;
+
+ /* General init. */
+ gnutls_global_init ();
+ gnutls_global_set_log_function (tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level (4711);
+
+ /* Init server */
+ gnutls_anon_allocate_server_credentials (&s_anoncred);
+ gnutls_dh_params_init (&dh_params);
+ gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
+ gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
+ gnutls_init (&server, GNUTLS_SERVER);
+ gnutls_priority_set_direct (server, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-DEFLATE:+ANON-DH", NULL);
+ gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
+ gnutls_dh_set_prime_bits (server, 1024);
+ gnutls_transport_set_push_function (server, server_push);
+ gnutls_transport_set_pull_function (server, server_pull);
+ gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
+
+ /* Init client */
+ gnutls_anon_allocate_client_credentials (&c_anoncred);
+ gnutls_init (&client, GNUTLS_CLIENT);
+ gnutls_priority_set_direct (client, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-DEFLATE:+ANON-DH", NULL);
+ gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
+ gnutls_transport_set_push_function (client, client_push);
+ gnutls_transport_set_pull_function (client, client_pull);
+ gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
+
+ HANDSHAKE(client, server);
+
+ if (debug)
+ success ("Handshake established\n");
+
+ msglen = strlen(MSG);
+ TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);
+ if (debug)
+ fputs ("\n", stdout);
+
+ gnutls_bye (client, GNUTLS_SHUT_RDWR);
+ gnutls_bye (server, GNUTLS_SHUT_RDWR);
+
+ gnutls_deinit (client);
+ gnutls_deinit (server);
+
+ gnutls_anon_free_client_credentials (c_anoncred);
+ gnutls_anon_free_server_credentials (s_anoncred);
+
+ gnutls_dh_params_deinit (dh_params);
+
+ gnutls_global_deinit ();
+}
--
1.7.2.5


@ -1,27 +0,0 @@
From 7043a8e9e314b0c2eb7ac5c2278a0b103f6a758a Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@gnome.org>
Date: Mon, 17 Oct 2011 15:15:46 +0200
Subject: [PATCH] Correctly terminate a string with \0 before concatenating to
it
Fix a potential crash:
https://bugzilla.novell.com/show_bug.cgi?id=724421
---
lib/x509/common.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 6bb4746..0651d2e 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -390,6 +390,7 @@ _gnutls_x509_data2hex (const opaque * data, size_t data_size,
if (out)
{
out[0] = '#';
+ out[1] = '\0';
_gnutls_str_cat (out, *sizeof_out, res);
}
--
1.7.7


@ -1,3 +1,372 @@
-------------------------------------------------------------------
Sun May 13 02:44:30 UTC 2012 - Nico.Laus.2001@gmx.de
- Update to version 3.0.19:
+ libgnutls:
- When decoding a PKCS #11 URL the pin-source field
is assumed to be a file that stores the pin. Based on patch
by David Smith.
- gnutls_record_check_pending() no longer
returns unprocessed data, and thus ensure the non-blocking
of the next call to gnutls_record_recv().
- Added strict tests in Diffie-Hellman and
SRP key exchange public keys.
- in ECDSA and DSA TLS 1.2 authentication be less
strict in hash selection, and allow a stronger hash to
be used than the appropriate, to improve interoperability
with openssl.
+ tests:
- Disabled floating point test, and corrections
in pkcs12 decoding tests.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.18:
+ certtool:
- Avoid a Y2K38 bug when generating certificates.
Patch by Robert Millan.
+ libgnutls:
- Make sure that GNUTLS_E_PREMATURE_TERMINATION
- is returned on premature termination (and added unit test).
- Fixes for W64 API. Patch by B. Scott Michel.
- Corrected VIA padlock detection for old
VIA processors. Reported by Kris Karas.
- Updated assembler files.
- Time in generated certificates is stored
as GeneralizedTime instead of UTCTime (which only stores
2 digits of a year).
+ minitasn1:
- Upgraded to libtasn1 version 2.13 (pre-release).
+ API and ABI modifications:
- gnutls_x509_crt_set_private_key_usage_period: Added
- gnutls_x509_crt_get_private_key_usage_period: Added
- gnutls_x509_crq_set_private_key_usage_period: Added
- gnutls_x509_crq_get_private_key_usage_period: Added
- gnutls_session_get_random: Added
- Changes from version 3.0.17:
+ command line apps:
- Always link with local libopts.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.16:
+ minitasn1:
- Upgraded to libtasn1 version 2.12 (pre-release).
+ libgnutls:
- Corrected SRP-RSA ciphersuites when used under TLS 1.2.
- included assembler files for MacOSX.
+ p11tool:
- Small fixes in handling of the --private command
line option.
+ certtool:
- The template option allows for setting the domain
component (DC) option of the distinguished name, and the ocsp_uri
as well as the ca_issuers_uri options.
+ API and ABI modifications:
- gnutls_x509_crt_set_authority_info_access: Added
- Changes from version 3.0.15:
+ test suite:
- Only run under valgrind in the development
system (the full git repository)
+ command line apps:
- Link with local libopts if the installed is an old one.
+ libgnutls:
- Eliminate double free during SRP
authentication. Reported by Peter Penzov.
- Corrections in record packet parsing.
Reported by Matthew Hall.
- Cryptodev updates and fixes.
- Corrected issue with select() that affected
FreeBSD. This prevented establishing DTLS sessions.
Reported by Andreas Metzler.
- Corrected rehandshake and resumption
operations in DTLS. Reported by Sean Buckheister.
- PKCS #11 objects that do not have ID
no longer crash listing. Reported by Sven Geggus.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.14:
+ command line apps:
- Included libopts doesn't get installed by default.
+ libgnutls:
- Eliminate double free on wrongly formatted
certificate list. Reported by Remi Gacogne.
- cryptodev code corrected, updated to account
for hashes and GCM mode.
Eliminated memory leak in PCKS #11 initialization.
Report and fix by Sam Varshavchik.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.13:
+ gnutls-cli:
- added the --ocsp option which will verify
the peer's certificate with OCSP.
- added the --tofu and if specified, gnutls-cli
will use an ssh-style authentication method.
- if no --x509cafile is provided a default is
assumed (/etc/ssl/certs/ca-certificates.crt), if it exists.
+ ocsptool:
- Added --ask parameter, to verify a certificate's
status from an ocsp server.
+ command line apps:
- Use gnu autogen (libopts) to parse command
line arguments and template files.
+ tests:
- Added stress test for DTLS packet losses and
out-of-order receival. Contributed by Sean Buckheister.
+ libgnutls:
- Several updates and corrections in the DTLS
DTLS lost packet handling and retransmission timeouts.
Report and patches by Sean Buckheister.
- Added new functions to easily allow the usage of
a trust on first use (SSH-style) authentication.
- SUITEB128 and SUITEB192 priority strings account
for the RFC6460 requirements.
- Added new security parameter GNUTLS_SEC_PARAM_LEGACY
to account for security level of 96-bits.
- In client side if server does not advertise any
known CAs and only a single certificate is set in the credentials,
sent that one.
- Added functions to parse authority key identifiers
when stored as a 'general name' and serial combo.
- Added function to force explicit reinitialization
of PKCS #11 modules. This is required on the child process after
a fork (if PKCS #11 functionality is desirable).
- Depend on p11-kit 0.11.
+ API and ABI modifications:
- gnutls_dtls_get_timeout: Added
- gnutls_verify_stored_pubkey: Added
- gnutls_store_pubkey: Added
- gnutls_store_commitment: Added
- gnutls_x509_crt_get_authority_key_gn_serial: Added
- gnutls_x509_crl_get_authority_key_gn_serial: Added
- gnutls_pkcs11_reinit: Added
- gnutls_ecc_curve_list: Added
- gnutls_priority_certificate_type_list: Added
- gnutls_priority_sign_list: Added
- gnutls_priority_protocol_list: Added
- gnutls_priority_compression_list: Added
- gnutls_priority_ecc_curve_list: Added
- gnutls_tdb_init: Added
- gnutls_tdb_set_store_func: Added
- gnutls_tdb_set_store_commitment_func: Added
- gnutls_tdb_set_verify_func: Added
- gnutls_tdb_deinit: Added
- Changes from version 3.0.12:
+ libgnutls:
- Added OCSP support.
There is a new header file gnutls/ocsp.h and a set of new functions
under the gnutls_ocsp namespace. Currently the functionality provided
is to parse and extract information from OCSP requests/responses, to
generate OCSP requests and to verify OCSP responses. See the manual
for more information. Run ./configure with --disable-ocsp to build
GnuTLS without OCSP support.
This work was sponsored by Smoothwall <http://smoothwall.net/>.
+ ocsptool:
- Added new command line tool.
The tool can parse OCSP request/responses, generate OCSP requests and
verify OCSP responses. See the manual for more information.
+ certtool:
- --outder option now works for private
and public keys as well.
+ libgnutls:
- Added error code GNUTLS_E_NO_PRIORITIES_WERE_SET
to warn when no or insufficient priorities were set.
- Corrected an alignment issue in ECDH
key generation which prevented some keys from being
correctly aligned in rare circumstances.
- Corrected memory leaks in DH parameter
generation and ecc_projective_check_point().
- Added gnutls_x509_dn_oid_name() to
return a descriptive name of a DN OID.
+ API and ABI modifications:
- gnutls_pubkey_encrypt_data: Added
- gnutls_x509_dn_oid_name: Added
- gnutls_session_resumption_requested: Added
- gnutls/ocsp.h: Added new header file.
- gnutls_ocsp_print_formats_t: Added new type.
- gnutls_ocsp_resp_status_t: Added new type.
- gnutls_ocsp_cert_status_t: Added new type.
- gnutls_x509_crl_reason_t: Added new type.
- gnutls_ocsp_req_add_cert: Added.
- gnutls_ocsp_req_add_cert_id: Added.
- gnutls_ocsp_req_deinit: Added.
- gnutls_ocsp_req_export: Added.
- gnutls_ocsp_req_get_cert_id: Added.
- gnutls_ocsp_req_get_extension: Added.
- gnutls_ocsp_req_get_nonce: Added.
- gnutls_ocsp_req_get_version: Added.
- gnutls_ocsp_req_import: Added.
- gnutls_ocsp_req_init: Added.
- gnutls_ocsp_req_print: Added.
- gnutls_ocsp_req_randomize_nonce: Added.
- gnutls_ocsp_req_set_extension: Added.
- gnutls_ocsp_req_set_nonce: Added.
- gnutls_ocsp_resp_deinit: Added.
- gnutls_ocsp_resp_export: Added.
- gnutls_ocsp_resp_get_certs: Added.
- gnutls_ocsp_resp_get_extension: Added.
- gnutls_ocsp_resp_get_nonce: Added.
- gnutls_ocsp_resp_get_produced: Added.
- gnutls_ocsp_resp_get_responder: Added.
- gnutls_ocsp_resp_get_response: Added.
- gnutls_ocsp_resp_get_signature: Added.
- gnutls_ocsp_resp_get_signature_algorithm: Added.
- gnutls_ocsp_resp_get_single: Added.
- gnutls_ocsp_resp_get_status: Added.
- gnutls_ocsp_resp_get_version: Added.
- gnutls_ocsp_resp_import: Added.
- gnutls_ocsp_resp_init: Added.
- gnutls_ocsp_resp_print: Added.
- gnutls_ocsp_resp_verify: Added.
- Changes from version 3.0.11:
+ libgnutls:
- Corrected functionality of
gnutls_record_get_direction(). Reported by Philip Allison.
- Provide less timing information when decoding
TLS/DTLS record packets. Patch by Nadhem Alfardan.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.10:
+ gnutls-cli/serv:
- Set don't fragment bit in DTLS sessions
in Linux as well as in BSD.
+ gnutls-cli:
- Fixed reading from windows terminals.
+ libgnutls:
- When GNUTLS_OPENPGP_FMT_BASE64 is specified
the stream is assumed to be base64 encoded (previously
the encoding was auto-detected). This avoids a decoding
issue in windows systems.
- Corrected ciphersuite GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384
- Added ciphersuites: GNUTLS_PSK_WITH_AES_256_GCM_SHA384
and GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384.
- Added function gnutls_random_art() to convert
fingerprints to images (currently ascii-art).
- Corrected bug in DSA private key parsing, which
prevented the verification of the key.
+ API and ABI modifications:
- gnutls_random_art: Added
- Changes from version 3.0.09:
+ certtool:
- Added new parameter --dh-info.
- -l option was overloaded so if combined with --priority
it will only list the ciphersuites that are enabled by the given
priority string.
+ libgnutls:
- Added new priority string %SERVER_PRECEDENCE, which
changes the ciphersuite selection procedure. If specified the server
priorities will be used for selection instead of the client's.
- Optimizations in Diffie-Hellman parameters generation
and key exchange.
- When session tickets are negotiated and used in a
session, a server will not store that session data into its cache.
- Added the SECP192R1 curve.
- Added gnutls_priority_get_cipher_suite_index() to
allow listing the ciphersuites enabled in a priority structure.
It outputs an index to be used in gnutls_get_cipher_suite_info().
- Optimizations in the elliptic curve code --timing
attacks resistant code is only used in ECDSA private key operations.
+ doc:
- man pages for API functions generation was fixed and are
now added again in the distribution.
+ API and ABI modifications:
- GNUTLS_ECC_CURVE_SECP192R1: New curve definition
- gnutls_priority_get_cipher_suite_index: Added
- Changes from version 3.0.08:
+ certtool:
- Certtool -e returns error code on verification failure.
- Verifies parameters of generated keys.
+ libgnutls:
- Corrected ECC key generation (introduced in 3.0.6)
- Provide less timing information when decoding
TLS/DTLS record packets.
+ doc:
- man pages for API functions were removed.
The reason was that the code that auto-generated the man pages missed
many APIs and we couldn't fix it (volunteers welcome). See the info
manual or the GTK-DOC manual instead.
+ API and ABI modifications:
- gnutls_x509_privkey_verify_params: Added
- Changes from version 3.0.07:
+ libgnutls:
- Corrected fix in gnutls_session_get_data()
to report the actual session size when the provided buffer
is not enough.
- Fixed ciphersuite GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256,
which was using a wrong MAC algorithm. Reported by Fabrice Gautier.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.06:
+ gnutls-guile:
- Compilation fixes.
+ libgnutls:
- Fixed possible buffer overflow in
gnutls_session_get_data(). Reported and fix by Alban Crequy.
- Bug fixes in the ciphersuites with NULL cipher.
Reported by Fabrice Gautier.
- Bug fixes in ECC code for 64-bit MIPS systems.
Thanks to Joseph Graham for providing access to such a system.
- Correctly report ECC private key parsing errors.
Reported by Fabrice Gautier.
- In ECDHE verify that the received point lies on
the selected curve. The ECDHE ciphersuites now take precendence
to plain DHE.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.05:
+ libgnutls-extra:
- is no more
+ libgnutls:
- Corrections in order to compile with mingw32.
- Corrections in VIA padlock code for VIA C5 processor
and new detection of PHE with support for partial hashing.
- Corrected bug in gnutls_x509_data2hex. Report and fix
by Vincent Untz.
+ minitasn1:
- Upgraded to libtasn1 version 2.10.
+ API and ABI modifications:
- No changes since last version.
- Changes from version 3.0.04:
+ gnutls-cli-debug:
- Added more tests including AES-GCM, SHA256 and elliptic curves.
+ gnutls-cli:
- Added --benchmark-soft-ciphers to benchmark
the software version of the ciphers instead of hw accelerated
(where available)
+ libgnutls:
- Public key ID calculation is consistent among
all structures. It uses a SHA-1 hash of the subjectPublicKeyInfo.
- gnutls_privkey_t allows setting external callback
to perform signing or decryption. Can be set using
gnutls_privkey_import_ext()
- A certificate credentials structure can be
used with a gnutls_privkey_t and a gnutls_pcert_st
structure using gnutls_certificate_set_key().
- Fixes to enable external signing callback to
operate with TLS 1.2.
- Fixed crash when printing ECDSA certificate key
ID. Reported by Erik Jensen.
- Corrected VIA padlock code for C3. In C3 benchmarks
show a 2x increase in AES speed and a 14x increase in VIA nano. Added
support for hashes and HMACs.
- Compilation fixed when p11-kit is not detected.
- Fixed the deflate compression code.
- Added gnutls_x509_crt_get_authority_info_access.
Used to get the PKIX Authority Information Access (AIA) field.
- gnutls_x509_crt_print supports printing AIA fields.
- Added ability to gnutls_privkey_t to operate with
signing callback function.
+ API and ABI modifications:
- gnutls_x509_crt_get_authority_info_access (x509.h): Added function.
- gnutls_privkey_import_ext: Added function.
- gnutls_certificate_set_key: Added function.
- gnutls_info_access_what_t (x509.h): Added enum.
- GNUTLS_OID_AIA (x509.h): Added symbol.
- GNUTLS_OID_AD_OCSP (x509.h): Added symbol.
- GNUTLS_OID_AD_CAISSUERS (x509.h): Added symbol.
- Drop CVE-2011-4128.patch, CVE-2012-0390.patch, CVE-2012-1569.patch,
CVE-2012-1573.patch, gnutls-fix-compression.patch,
gnutls-fix-crash-on-strcat.patch: all fixed upstream.
-------------------------------------------------------------------
Thu Apr 12 05:17:04 UTC 2012 - gjhe@suse.com


@ -19,31 +19,22 @@
%define gnutls_sover 28
%define gnutlsxx_sover 28
%define gnutls_ossl_sover 27
%define gnutls_extra_sover 28
Name: gnutls
Version: 3.0.3
Release: 1
License: LGPL-3.0+ ; GPL-3.0+
Version: 3.0.19
Release: 0
Summary: The GNU Transport Layer Security Library
Url: http://www.gnutls.org/
License: LGPL-3.0+ ; GPL-3.0+
Group: Productivity/Networking/Security
Source0: %{name}-%{version}.tar.xz
Url: http://www.gnutls.org/
Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz
Source1: baselibs.conf
# PATCH-FIX-UPSTREAM gnutls-fix-compression.patch vuntz@opensuse.org -- Taken from git, fix decompression/compression
Patch0: gnutls-fix-compression.patch
# PATCH-FIX-UPSTREAM gnutls-fix-crash-on-strcat.patch bnc#724421 vuntz@opensuse.org -- Fix a crash because of badly used strcat, sent upstream by mail on 2011-10-17
Patch1: gnutls-fix-crash-on-strcat.patch
Patch2: CVE-2011-4128.patch
Patch3: CVE-2012-0390.patch
Patch4: CVE-2012-1569.patch
Patch5: CVE-2012-1573.patch
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: libnettle-devel >= 2.2
BuildRequires: p11-kit-devel
BuildRequires: libidn-devel
BuildRequires: libnettle-devel >= 2.2
BuildRequires: libtasn1-devel
BuildRequires: p11-kit-devel >= 0.11
BuildRequires: pkg-config
BuildRequires: xz
BuildRequires: zlib-devel
@ -59,8 +50,8 @@ layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls%{gnutls_sover}
License: LGPL-3.0+
Summary: The GNU Transport Layer Security Library
License: LGPL-3.0+
Group: Productivity/Networking/Security
%description -n libgnutls%{gnutls_sover}
@ -69,8 +60,8 @@ layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutlsxx%{gnutlsxx_sover}
License: LGPL-3.0+
Summary: The GNU Transport Layer Security Library
License: LGPL-3.0+
Group: Productivity/Networking/Security
%description -n libgnutlsxx%{gnutlsxx_sover}
@ -79,20 +70,9 @@ layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls-extra%{gnutls_extra_sover}
License: GPL-3.0+
Summary: The GNU Transport Layer Security Library
Group: Productivity/Networking/Security
%description -n libgnutls-extra%{gnutls_extra_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls-openssl%{gnutls_ossl_sover}
License: GPL-3.0+
Summary: The GNU Transport Layer Security Library
License: GPL-3.0+
Group: Productivity/Networking/Security
%description -n libgnutls-openssl%{gnutls_ossl_sover}
@ -102,8 +82,8 @@ implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls-devel
License: LGPL-3.0+
Summary: Development package for gnutls
License: LGPL-3.0+
Group: Development/Libraries/C and C++
PreReq: %install_info_prereq
Requires: glibc-devel
@ -113,12 +93,12 @@ Requires: libgnutls%{gnutls_sover} = %{version}
Files needed for software development using gnutls.
%package -n libgnutlsxx-devel
License: LGPL-3.0+
Summary: Development package for gnutls
License: LGPL-3.0+
Group: Development/Libraries/C and C++
PreReq: %install_info_prereq
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires: libgnutls-devel = %{version}
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires: libstdc++-devel
%description -n libgnutlsxx-devel
@ -126,44 +106,19 @@ Files needed for software development using gnutls.
%package -n libgnutls-openssl-devel
License: GPL-3.0+
Summary: Development package for gnutls
License: GPL-3.0+
Group: Development/Libraries/C and C++
Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}
Requires: libgnutls-devel = %{version}
Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}
%description -n libgnutls-openssl-devel
Files needed for software development using gnutls.
%package -n libgnutls-extra-devel
License: GPL-3.0+
Summary: The GNU Transport Layer Security Library
Group: Development/Libraries/C and C++
Requires: libgnutls-devel = %{version}
Requires: libgnutls-extra%{gnutls_extra_sover} = %{version}
# gnutls-devel last used in 10.3
Obsoletes: gnutls-devel < %{version}
Provides: gnutls-devel = %{version}
# bug437293
%ifarch ppc64
Obsoletes: gnutls-devel-64bit
%endif
#
%description -n libgnutls-extra-devel
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
echo %{_includedir}/%{name}/abstract.h
%build
%configure \
@ -195,10 +150,6 @@ rm -rf %{buildroot}
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%post -n libgnutls-extra%{gnutls_extra_sover} -p /sbin/ldconfig
%postun -n libgnutls-extra%{gnutls_extra_sover} -p /sbin/ldconfig
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
@ -223,6 +174,7 @@ rm -rf %{buildroot}
%{_bindir}/gnutls-cli
%{_bindir}/gnutls-cli-debug
%{_bindir}/gnutls-serv
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
@ -232,10 +184,6 @@ rm -rf %{buildroot}
%defattr(-,root,root)
%{_libdir}/libgnutls.so.%{gnutls_sover}*
%files -n libgnutls-extra%{gnutls_extra_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-extra.so.%{gnutls_extra_sover}*
%files -n libgnutls-openssl%{gnutls_ossl_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}*
@ -253,6 +201,7 @@ rm -rf %{buildroot}
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/x509.h
@ -274,11 +223,4 @@ rm -rf %{buildroot}
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/openssl.h
%files -n libgnutls-extra-devel
%defattr(-, root, root)
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/extra.h
%{_libdir}/libgnutls-extra.so
%{_libdir}/pkgconfig/gnutls-extra.pc
%changelog
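Review bot: The `Source0:` line that appears to be the new one fetches the tarball over plain HTTP (`http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz`), and the source list has no detached signature or keyring next to it, so the spec records nothing that ties the 3.0.19 tarball to the upstream release key. That matters more here than in a routine bump, because the same section drops `Patch2` through `Patch5` (the four CVE patches) on the expectation that the new tarball already contains those fixes. I would add the upstream signature and keyring as sources, e.g. `Source2: %{name}-%{version}.tar.xz.sig` and `Source3: %{name}.keyring`, if upstream publishes a signature for this release, so the tarball can be checked against a pinned key at build or submit time. The old/new markers are lost in this rendering, so which of the paired lines is the new side is inferred from the version order.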