Accepting request 636363 from security:tls

OBS-URL: https://build.opensuse.org/request/show/636363
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=113

gnutls-3.6.0-disable-flaky-dtls_resume-test.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.6.2/tests/Makefile.am
+Index: gnutls-3.6.3/tests/Makefile.am
 ===================================================================
---- gnutls-3.6.2.orig/tests/Makefile.am	2018-02-16 08:27:16.000000000 +0100
+--- gnutls-3.6.3.orig/tests/Makefile.am
-+++ gnutls-3.6.2/tests/Makefile.am	2018-03-23 12:07:47.003150907 +0100
++++ gnutls-3.6.3/tests/Makefile.am
-@@ -330,7 +330,7 @@ if !WINDOWS
+@@ -406,7 +406,7 @@ if !WINDOWS
  # List of tests not available/functional under windows
  #
  
@@ -11,3 +11,25 @@ Index: gnutls-3.6.2/tests/Makefile.am
  
  indirect_tests += dtls-stress
  
+Index: gnutls-3.6.3/tests/Makefile.in
+===================================================================
+--- gnutls-3.6.3.orig/tests/Makefile.in
++++ gnutls-3.6.3/tests/Makefile.in
+@@ -161,7 +161,7 @@ host_triplet = @host@
+ #
+ # List of tests not available/functional under windows
+ #
+-@WINDOWS_FALSE@am__append_12 = dtls/dtls dtls/dtls-resume fastopen.sh \
++@WINDOWS_FALSE@am__append_12 = dtls/dtls fastopen.sh \
+ @WINDOWS_FALSE@	pkgconfig.sh starttls.sh starttls-ftp.sh \
+ @WINDOWS_FALSE@	starttls-smtp.sh starttls-lmtp.sh \
+ @WINDOWS_FALSE@	starttls-pop3.sh starttls-nntp.sh \
+@@ -2507,7 +2507,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
+ 	$(am__DEPENDENCIES_2)
+ am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \
+ 	rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \
+-	dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \
++	fastopen.sh pkgconfig.sh starttls.sh \
+ 	starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \
+ 	starttls-pop3.sh starttls-nntp.sh starttls-sieve.sh \
+ 	ocsp-tests/ocsp-tls-connection \

gnutls-3.6.3-backport-upstream-fixes.patch

@@ -0,0 +1,55 @@
+diff --git a/lib/cert-cred.c b/lib/cert-cred.c
+index d3777e51f..2150e903f 100644
+--- a/lib/cert-cred.c
++++ b/lib/cert-cred.c
+@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
++	if (st2.ncerts == 0) {
++		*pcert_length = 0;
++		*ocsp_length = 0;
++		*privkey = NULL;
++		return 0;
++	}
++
+ 	if (st2.cert_type != GNUTLS_CRT_X509) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_INVALID_REQUEST;
+@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
+      gnutls_certificate_retrieve_function * func)
+ {
+ 	cred->legacy_cert_cb1 = func;
+-	cred->get_cert_callback3 = call_legacy_cert_cb1;
++	if (!func)
++		cred->get_cert_callback3 = NULL;
++	else
++		cred->get_cert_callback3 = call_legacy_cert_cb1;
+ }
+ 
+ static int call_legacy_cert_cb2(gnutls_session_t session,
+@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
+      gnutls_certificate_retrieve_function2 * func) 
+ {
+ 	cred->legacy_cert_cb2 = func;
+-	cred->get_cert_callback3 = call_legacy_cert_cb2;
++	if (!func)
++		cred->get_cert_callback3 = NULL;
++	else
++		cred->get_cert_callback3 = call_legacy_cert_cb2;
+ }
+ 
+ /**
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index a3027130a..f72afe77f 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
+ 
+ 	if (tls_id == PRE_SHARED_KEY_TLS_ID) {
+ 		ctx->seen_pre_shared_key = 1;
+-	} else if (ctx->seen_pre_shared_key) {
++	} else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
+ 		/* the pre-shared key extension must always be the last one,
+ 		 * draft-ietf-tls-tls13-28: 4.2.11 */
+ 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);

gnutls.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Sep 18 08:39:56 UTC 2018 - schwab@suse.de
+
+- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch
+  test/Makefile.in as autoreconf does not work
+
+-------------------------------------------------------------------
+Fri Sep 14 13:07:41 UTC 2018 - Luis Henriques <lhenriques@suse.com>
+
+- Backport of upstream fixes (boo#1108450)
+  * gnutls-3.6.3-backport-upstream-fixes.patch
+  Fixes taken from upstream commits:
+  ** 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
+  ** 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
+  ** 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
+  The patch was taken from https://github.com/weechat/weechat/issues/1231
+
 -------------------------------------------------------------------
 Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
 

gnutls.spec

@@ -41,6 +41,7 @@ Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
+Patch3:         gnutls-3.6.3-backport-upstream-fixes.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -163,6 +164,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1
 %endif
+%patch3 -p1
 
 %build
 export LDFLAGS="-pie"