forked from pool/gnutls
Accepting request 832966 from security:tls
OBS-URL: https://build.opensuse.org/request/show/832966 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=126
This commit is contained in:
commit
cdb22d1965
@ -1,152 +0,0 @@
|
||||
From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Fri, 5 Jun 2020 16:26:33 +0200
|
||||
Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t
|
||||
|
||||
The AEAD iov interface falls back to serializing the input buffers if
|
||||
the low-level cipher doesn't support scatter/gather encryption.
|
||||
However, there was a bug in the functions used for the serialization,
|
||||
which causes memory leaks under a certain condition (i.e. the number
|
||||
of input buffers is 1).
|
||||
|
||||
This patch makes the logic of the functions simpler, by removing a
|
||||
micro-optimization that tries to minimize the number of calls to
|
||||
malloc/free.
|
||||
|
||||
The original problem was reported by Marius Steffen in:
|
||||
https://bugzilla.samba.org/show_bug.cgi?id=14399
|
||||
and the cause was investigated by Alexander Haase in:
|
||||
https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/crypto-api.c | 36 +++++++++++-------------------------
|
||||
tests/aead-cipher-vec.c | 33 ++++++++++++++++++---------------
|
||||
2 files changed, 29 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
|
||||
index 45be64ed1f..8524f5ed4f 100644
|
||||
--- a/lib/crypto-api.c
|
||||
+++ b/lib/crypto-api.c
|
||||
@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle,
|
||||
struct iov_store_st {
|
||||
void *data;
|
||||
size_t size;
|
||||
- unsigned allocated;
|
||||
};
|
||||
|
||||
static void iov_store_free(struct iov_store_st *s)
|
||||
{
|
||||
- if (s->allocated) {
|
||||
- gnutls_free(s->data);
|
||||
- s->allocated = 0;
|
||||
- }
|
||||
+ gnutls_free(s->data);
|
||||
}
|
||||
|
||||
static int iov_store_grow(struct iov_store_st *s, size_t length)
|
||||
{
|
||||
- if (s->allocated || s->data == NULL) {
|
||||
- s->size += length;
|
||||
- s->data = gnutls_realloc(s->data, s->size);
|
||||
- if (s->data == NULL)
|
||||
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
- s->allocated = 1;
|
||||
- } else {
|
||||
- void *data = s->data;
|
||||
- size_t size = s->size + length;
|
||||
- s->data = gnutls_malloc(size);
|
||||
- memcpy(s->data, data, s->size);
|
||||
- s->size += length;
|
||||
- }
|
||||
+ void *data;
|
||||
+
|
||||
+ s->size += length;
|
||||
+ data = gnutls_realloc(s->data, s->size);
|
||||
+ if (data == NULL)
|
||||
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
||||
+
|
||||
+ s->data = data;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
|
||||
memset(dst, 0, sizeof(*dst));
|
||||
if (iovcnt == 0) {
|
||||
return 0;
|
||||
- } else if (iovcnt == 1) {
|
||||
- dst->data = iov[0].iov_base;
|
||||
- dst->size = iov[0].iov_len;
|
||||
- /* implies: dst->allocated = 0; */
|
||||
- return 0;
|
||||
} else {
|
||||
int i;
|
||||
uint8_t *p;
|
||||
@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
|
||||
|
||||
p = dst->data;
|
||||
for (i=0;i<iovcnt;i++) {
|
||||
- memcpy(p, iov[i].iov_base, iov[i].iov_len);
|
||||
+ if (iov[i].iov_len > 0)
|
||||
+ memcpy(p, iov[i].iov_base, iov[i].iov_len);
|
||||
p += iov[i].iov_len;
|
||||
}
|
||||
|
||||
- dst->allocated = 1;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
|
||||
index fba9010d9e..6a30a35f7b 100644
|
||||
--- a/tests/aead-cipher-vec.c
|
||||
+++ b/tests/aead-cipher-vec.c
|
||||
@@ -49,6 +49,7 @@ static void start(const char *name, int algo)
|
||||
giovec_t auth_iov[2];
|
||||
uint8_t tag[64];
|
||||
size_t tag_size = 0;
|
||||
+ size_t i;
|
||||
|
||||
key.data = key16;
|
||||
key.size = gnutls_cipher_get_key_size(algo);
|
||||
@@ -82,21 +83,23 @@ static void start(const char *name, int algo)
|
||||
if (ret < 0)
|
||||
fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
|
||||
|
||||
- ret = gnutls_aead_cipher_encryptv2(ch,
|
||||
- iv.data, iv.size,
|
||||
- auth_iov, 2,
|
||||
- iov, 3,
|
||||
- tag, &tag_size);
|
||||
- if (ret < 0)
|
||||
- fail("could not encrypt data: %s\n", gnutls_strerror(ret));
|
||||
-
|
||||
- ret = gnutls_aead_cipher_decryptv2(ch,
|
||||
- iv.data, iv.size,
|
||||
- auth_iov, 2,
|
||||
- iov, 3,
|
||||
- tag, tag_size);
|
||||
- if (ret < 0)
|
||||
- fail("could not decrypt data: %s\n", gnutls_strerror(ret));
|
||||
+ for (i = 0; i < 2; i++) {
|
||||
+ ret = gnutls_aead_cipher_encryptv2(ch,
|
||||
+ iv.data, iv.size,
|
||||
+ auth_iov, 2,
|
||||
+ iov, i + 1,
|
||||
+ tag, &tag_size);
|
||||
+ if (ret < 0)
|
||||
+ fail("could not encrypt data: %s\n", gnutls_strerror(ret));
|
||||
+
|
||||
+ ret = gnutls_aead_cipher_decryptv2(ch,
|
||||
+ iv.data, iv.size,
|
||||
+ auth_iov, 2,
|
||||
+ iov, i + 1,
|
||||
+ tag, tag_size);
|
||||
+ if (ret < 0)
|
||||
+ fail("could not decrypt data: %s\n", gnutls_strerror(ret));
|
||||
+ }
|
||||
|
||||
gnutls_aead_cipher_deinit(ch);
|
||||
}
|
||||
--
|
||||
2.25.0
|
||||
|
@ -15,10 +15,10 @@ need ca-certificates-mozilla to run.
|
||||
|
||||
But this would create a build cycle. Skip test.
|
||||
|
||||
Index: gnutls-3.5.11/tests/trust-store.c
|
||||
Index: gnutls-3.6.15/tests/trust-store.c
|
||||
===================================================================
|
||||
--- gnutls-3.5.11.orig/tests/trust-store.c 2017-04-07 07:52:07.000000000 +0200
|
||||
+++ gnutls-3.5.11/tests/trust-store.c 2017-05-18 10:33:53.537598763 +0200
|
||||
--- gnutls-3.6.15.orig/tests/trust-store.c 2020-09-08 10:24:24.018094247 +0200
|
||||
+++ gnutls-3.6.15/tests/trust-store.c 2020-09-08 10:24:25.534104346 +0200
|
||||
@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons
|
||||
|
||||
void doit(void)
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63
|
||||
size 6069088
|
Binary file not shown.
3
gnutls-3.6.15.tar.xz
Normal file
3
gnutls-3.6.15.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558
|
||||
size 6081656
|
BIN
gnutls-3.6.15.tar.xz.sig
Normal file
BIN
gnutls-3.6.15.tar.xz.sig
Normal file
Binary file not shown.
@ -1,8 +1,8 @@
|
||||
Index: gnutls-3.6.6/configure
|
||||
Index: gnutls-3.6.15/configure
|
||||
===================================================================
|
||||
--- gnutls-3.6.6.orig/configure
|
||||
+++ gnutls-3.6.6/configure
|
||||
@@ -62868,7 +62868,7 @@
|
||||
--- gnutls-3.6.15.orig/configure 2020-09-08 10:24:22.362083215 +0200
|
||||
+++ gnutls-3.6.15/configure 2020-09-08 10:24:28.510124171 +0200
|
||||
@@ -69365,7 +69365,7 @@ fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
|
||||
$as_echo_n "checking for Guile site directory... " >&6; }
|
||||
|
@ -1,52 +0,0 @@
|
||||
Index: gnutls-3.6.14/configure
|
||||
===================================================================
|
||||
--- gnutls-3.6.14.orig/configure 2020-06-09 11:01:15.306654318 +0200
|
||||
+++ gnutls-3.6.14/configure 2020-06-09 12:40:08.262985909 +0200
|
||||
@@ -66054,12 +66054,12 @@ LIBS="$LIBS $GMP_LIBS"
|
||||
$as_echo_n "checking gmp soname... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
-
|
||||
+#include <gmp.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
-
|
||||
- ;
|
||||
+ mpz_t n;
|
||||
+ mpz_init(n);
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
@@ -66088,12 +66088,12 @@ LIBS="$LIBS $NETTLE_LIBS"
|
||||
$as_echo_n "checking nettle soname... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
-
|
||||
+#include <nettle/sha2.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
-
|
||||
- ;
|
||||
+ struct sha256_ctx ctx;
|
||||
+ sha256_init (&ctx);
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
@@ -66122,12 +66122,12 @@ LIBS="$LIBS $HOGWEED_LIBS"
|
||||
$as_echo_n "checking hogweed soname... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
-
|
||||
+#include <nettle/rsa.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
-
|
||||
- ;
|
||||
+ struct rsa_private_key priv;
|
||||
+ nettle_rsa_private_key_init(&priv);
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
@ -1,8 +1,8 @@
|
||||
Index: gnutls-3.6.14/guile/Makefile.in
|
||||
Index: gnutls-3.6.15/guile/Makefile.in
|
||||
===================================================================
|
||||
--- gnutls-3.6.14.orig/guile/Makefile.in 2020-06-03 15:05:54.000000000 +0200
|
||||
+++ gnutls-3.6.14/guile/Makefile.in 2020-06-09 09:03:17.267773380 +0200
|
||||
@@ -1850,7 +1850,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
|
||||
--- gnutls-3.6.15.orig/guile/Makefile.in 2020-09-08 10:24:09.581998087 +0200
|
||||
+++ gnutls-3.6.15/guile/Makefile.in 2020-09-08 10:24:30.046134403 +0200
|
||||
@@ -1857,7 +1857,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
|
||||
TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
|
||||
tests/pkcs-import-export.scm tests/errors.scm \
|
||||
tests/x509-certificates.scm tests/x509-auth.scm \
|
||||
|
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 8 08:18:48 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Update to 3.6.15
|
||||
* libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
|
||||
[GNUTLS-SA-2020-09-04, CVSS: medium]
|
||||
* libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
|
||||
indicates that with a false return value (!1306).
|
||||
* libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
|
||||
accordingly to SP800-56A rev 3 (!1295, !1299).
|
||||
* libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
|
||||
the size of the internal base64 blob (#1025).
|
||||
* libgnutls: Certificate verification failue due to OCSP must-stapling is not
|
||||
honered is now correctly marked with the GNUTLS_CERT_INVALID flag
|
||||
* libgnutls: The audit log message for weak hashes is no longer printed twice
|
||||
* libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
|
||||
disabled in the priority string. Previously, even when TLS 1.2 is explicitly
|
||||
disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
|
||||
enabled (#1054).
|
||||
- drop upstreamed patches:
|
||||
* gnutls-detect_nettle_so.patch
|
||||
* 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 9 09:15:45 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
||||
%bcond_with tpm
|
||||
%bcond_without guile
|
||||
Name: gnutls
|
||||
Version: 3.6.14
|
||||
Version: 3.6.15
|
||||
Release: 0
|
||||
Summary: The GNU Transport Layer Security Library
|
||||
License: LGPL-2.1-or-later AND GPL-3.0-or-later
|
||||
@ -40,9 +40,7 @@ Source2: %{name}.keyring
|
||||
Source3: baselibs.conf
|
||||
Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
|
||||
Patch4: gnutls-3.6.6-set_guile_site_dir.patch
|
||||
Patch5: 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
|
||||
Patch6: gnutls-temporarily_disable_broken_guile_reauth_test.patch
|
||||
Patch7: gnutls-detect_nettle_so.patch
|
||||
BuildRequires: autogen
|
||||
BuildRequires: automake
|
||||
BuildRequires: datefudge
|
||||
|
Loading…
Reference in New Issue
Block a user