From 3036ffa05fc5c287941b1d0f70ba4e7c0d4dd4724f7ba8855217edeba0500bf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Fri, 14 Sep 2018 13:30:28 +0000
Subject: [PATCH 1/3] Accepting request 635768 from home:henrix:branches:security:tls
- Backport of upstream fixes (boo#1108450)
Fixes taken from upstream commits:
** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
The patch was taken from https://github.com/weechat/weechat/issues/1231
OBS-URL: https://build.opensuse.org/request/show/635768
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=6
---
gnutls-3.6.3-backport-upstream-fixes.patch | 55 ++++++++++++++++++++++
gnutls.changes | 10 ++++
gnutls.spec | 4 +-
3 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 gnutls-3.6.3-backport-upstream-fixes.patch
diff --git a/gnutls-3.6.3-backport-upstream-fixes.patch b/gnutls-3.6.3-backport-upstream-fixes.patch
new file mode 100644
index 0000000..c75d88e
--- /dev/null
+++ b/gnutls-3.6.3-backport-upstream-fixes.patch
@@ -0,0 +1,55 @@
+diff --git a/lib/cert-cred.c b/lib/cert-cred.c
+index d3777e51f..2150e903f 100644
+--- a/lib/cert-cred.c
++++ b/lib/cert-cred.c
+@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
++ if (st2.ncerts == 0) {
++ *pcert_length = 0;
++ *ocsp_length = 0;
++ *privkey = NULL;
++ return 0;
++ }
++
+ if (st2.cert_type != GNUTLS_CRT_X509) {
+ gnutls_assert();
+ ret = GNUTLS_E_INVALID_REQUEST;
+@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
+ gnutls_certificate_retrieve_function * func)
+ {
+ cred->legacy_cert_cb1 = func;
+- cred->get_cert_callback3 = call_legacy_cert_cb1;
++ if (!func)
++ cred->get_cert_callback3 = NULL;
++ else
++ cred->get_cert_callback3 = call_legacy_cert_cb1;
+ }
+
+ static int call_legacy_cert_cb2(gnutls_session_t session,
+@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
+ gnutls_certificate_retrieve_function2 * func)
+ {
+ cred->legacy_cert_cb2 = func;
+- cred->get_cert_callback3 = call_legacy_cert_cb2;
++ if (!func)
++ cred->get_cert_callback3 = NULL;
++ else
++ cred->get_cert_callback3 = call_legacy_cert_cb2;
+ }
+
+ /**
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index a3027130a..f72afe77f 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
+
+ if (tls_id == PRE_SHARED_KEY_TLS_ID) {
+ ctx->seen_pre_shared_key = 1;
+- } else if (ctx->seen_pre_shared_key) {
++ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
+ /* the pre-shared key extension must always be the last one,
+ * draft-ietf-tls-tls13-28: 4.2.11 */
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
diff --git a/gnutls.changes b/gnutls.changes
index 2bc1754..ad50d83 100644
--- a/gnutls.changes
+++ b/gnutls.changes
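Review bot: The new `st2.ncerts == 0` early return in call_legacy_cert_cb1 zeroes the two lengths and NULLs the key but leaves the certificate and OCSP output pointers untouched, so every caller has to key on `*pcert_length == 0` rather than on a NULL pointer; a comment on that branch, `/* callback reported no certificate: lengths are 0, pcert/ocsp are left unset */`, would pin that contract (the parameter list of call_legacy_cert_cb1 is outside the hunk, so which output pointers exist is inferred from the lines shown). In the two setters below, passing a NULL func now also clears get_cert_callback3, which presumably unregisters a callback that was installed through the other legacy setter as well; if that is intended, the Doxygen block above each setter should state that NULL resets the shared callback slot. The comment in hello_ext.c still says the extension must "always" be last although the check now applies only when the entity is GNUTLS_SERVER, so `/* in a ClientHello the pre-shared key extension must be the last one, draft-ietf-tls-tls13-28: 4.2.11 */` would match the narrowed condition.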
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques + +- Backport of upstream fixes (boo#1108450) + Fixes taken from upstream commits: + ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function") + ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks") + ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello") + The patch was taken from https://github.com/weechat/weechat/issues/1231 + ------------------------------------------------------------------- Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com diff --git a/gnutls.spec b/gnutls.spec index d971435..8808756 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -41,6 +41,7 @@ Source2: %{name}.keyring Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch +Patch3: gnutls-3.6.3-backport-upstream-fixes.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -163,6 +164,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %ifarch ppc64 ppc64le ppc %patch2 -p1 %endif +%patch3 -p1 %build export LDFLAGS="-pie" From 8fcb49658aa1793653d3c6872a8087d2b796001354aab741bbaba0d642a9d2fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 14 Sep 2018 13:37:02 +0000 Subject: [PATCH 2/3] * gnutls-3.6.3-backport-upstream-fixes.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=7 --- gnutls.changes | 1 + 1 file changed, 1 insertion(+) 
diff --git a/gnutls.changes b/gnutls.changes index ad50d83..dde82dd 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -2,6 +2,7 @@ Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques - Backport of upstream fixes (boo#1108450) + * gnutls-3.6.3-backport-upstream-fixes.patch Fixes taken from upstream commits: ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function") ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks") From 65aedfc27d37366a990b29271b338086c981ba4b96ff20c0c69cb137d54dba6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Tue, 18 Sep 2018 10:23:08 +0000 Subject: [PATCH 3/3] Accepting request 636362 from home:Andreas_Schwab:Factory - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch test/Makefile.in as autoreconf does not work OBS-URL: https://build.opensuse.org/request/show/636362 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=8 --- ...3.6.0-disable-flaky-dtls_resume-test.patch | 30 ++++++++++++++++--- gnutls.changes | 6 ++++ gnutls.spec | 2 +- 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch index 041a549..f4b9a7b 100644 --- a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch +++ b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.2/tests/Makefile.am +Index: gnutls-3.6.3/tests/Makefile.am =================================================================== ---- gnutls-3.6.2.orig/tests/Makefile.am 2018-02-16 08:27:16.000000000 +0100 -+++ gnutls-3.6.2/tests/Makefile.am 2018-03-23 12:07:47.003150907 +0100 -@@ -330,7 +330,7 @@ if !WINDOWS +--- gnutls-3.6.3.orig/tests/Makefile.am ++++ gnutls-3.6.3/tests/Makefile.am +@@ -406,7 +406,7 @@ if !WINDOWS # List of tests not available/functional under windows # 
@@ -11,3 +11,25 @@ Index: gnutls-3.6.2/tests/Makefile.am indirect_tests += dtls-stress +Index: gnutls-3.6.3/tests/Makefile.in +=================================================================== +--- gnutls-3.6.3.orig/tests/Makefile.in ++++ gnutls-3.6.3/tests/Makefile.in +@@ -161,7 +161,7 @@ host_triplet = @host@ + # + # List of tests not available/functional under windows + # +-@WINDOWS_FALSE@am__append_12 = dtls/dtls dtls/dtls-resume fastopen.sh \ ++@WINDOWS_FALSE@am__append_12 = dtls/dtls fastopen.sh \ + @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ + @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ + @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ +@@ -2507,7 +2507,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM + $(am__DEPENDENCIES_2) + am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ + rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ +- dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \ ++ fastopen.sh pkgconfig.sh starttls.sh \ + starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \ + starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \ + ocsp-tests/ocsp-tls-connection \ diff --git a/gnutls.changes b/gnutls.changes index dde82dd..4124eef 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 18 08:39:56 UTC 2018 - schwab@suse.de + +- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch + test/Makefile.in as autoreconf does not work + ------------------------------------------------------------------- Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques diff --git a/gnutls.spec b/gnutls.spec index 8808756..5243e8c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ #