SHA256
1
0
forked from pool/gnutls

Accepting request 224736 from Base:System

Upgrade to 3.2.12.1; Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz; Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig (forwarded request 224729 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/224736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=71
This commit is contained in:
Stephan Kulow 2014-03-06 18:18:08 +00:00 committed by Git OBS Bridge
parent 71f2bb57a3
commit e0a2fbfd43
7 changed files with 42 additions and 152 deletions

View File

@ -1,144 +0,0 @@
index bc0d560..8cd4e2a 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -129,7 +129,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
&issuer_signed_data);
if (result < 0) {
gnutls_assert();
- goto cleanup;
+ goto fail;
}
result =
@@ -137,7 +137,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
&cert_signed_data);
if (result < 0) {
gnutls_assert();
- goto cleanup;
+ goto fail;
}
result =
@@ -145,7 +145,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
&issuer_signature);
if (result < 0) {
gnutls_assert();
- goto cleanup;
+ goto fail;
}
result =
@@ -153,7 +153,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
&cert_signature);
if (result < 0) {
gnutls_assert();
- goto cleanup;
+ goto fail;
}
/* If the subject certificate is the same as the issuer
@@ -206,9 +206,10 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
} else
gnutls_assert();
+ fail:
result = 0;
- cleanup:
+ cleanup:
_gnutls_free_datum(&cert_signed_data);
_gnutls_free_datum(&issuer_signed_data);
_gnutls_free_datum(&cert_signature);
@@ -390,8 +391,9 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
gnutls_datum_t cert_signed_data = { NULL, 0 };
gnutls_datum_t cert_signature = { NULL, 0 };
gnutls_x509_crt_t issuer = NULL;
- int issuer_version, result, hash_algo;
+ int issuer_version, result = 0, hash_algo;
unsigned int out = 0, usage;
+ const mac_entry_st * me;
if (output)
*output = 0;
@@ -429,13 +431,14 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
issuer_version = gnutls_x509_crt_get_version(issuer);
if (issuer_version < 0) {
gnutls_assert();
- return issuer_version;
+ result = 0;
+ goto cleanup;
}
if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
|| issuer_version != 1)) {
- if (check_if_ca(cert, issuer, max_path, flags) == 0) {
+ if (check_if_ca(cert, issuer, max_path, flags) != 1) {
gnutls_assert();
out =
GNUTLS_CERT_SIGNER_NOT_CA |
@@ -467,6 +470,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
&cert_signed_data);
if (result < 0) {
gnutls_assert();
+ result = 0;
goto cleanup;
}
@@ -475,6 +479,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
&cert_signature);
if (result < 0) {
gnutls_assert();
+ result = 0;
goto cleanup;
}
@@ -483,13 +488,20 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
"signatureAlgorithm.algorithm");
if (result < 0) {
gnutls_assert();
+ result = 0;
goto cleanup;
}
hash_algo = gnutls_sign_get_hash_algorithm(result);
+ me = mac_to_entry(hash_algo);
+ if (me == NULL) {
+ gnutls_assert();
+ result = 0;
+ goto cleanup;
+ }
result =
- _gnutls_x509_verify_data(mac_to_entry(hash_algo),
+ _gnutls_x509_verify_data(me,
&cert_signed_data, &cert_signature,
issuer);
if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
@@ -501,6 +513,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
result = 0;
} else if (result < 0) {
gnutls_assert();
+ result = 0;
goto cleanup;
}
@@ -672,7 +685,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
trusted_cas, tcas_size, flags,
&output, &issuer, now, &max_path,
func);
- if (ret == 0) {
+ if (ret != 1) {
/* if the last certificate in the certificate
* list is invalid, then the certificate is not
* trusted.
@@ -701,7 +714,7 @@ _gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list,
_gnutls_verify_certificate2(certificate_list[i - 1],
&certificate_list[i], 1,
flags, &output, NULL, now,
- &max_path, func)) == 0) {
+ &max_path, func)) != 1) {
status |= output;
status |= GNUTLS_CERT_INVALID;
return status;

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b844c58a72d6930abbda42129f4051dbf97f91754bea3514931173e3d01cf3c1
size 5135168

Binary file not shown.

3
gnutls-3.2.12.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:29069907546f6b9e134aafcaa52a030f517835c83de9ffc38b51ab33c31adf12
size 5137552

BIN
gnutls-3.2.12.1.tar.xz.sig Normal file

Binary file not shown.

View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Wed Mar 5 15:30:54 UTC 2014 - shchang@suse.com
- Upgrade to 3.2.12.1;
** libgnutls: Reverted change that broke ABI. Reported by Andreas
Metzler.
** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.
** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.
** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.
** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.
** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.
** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.
** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.
Delete files: CVE-2014-0092.patch( upstreamed), gnutls-3.2.11.tar.xz.sig, gnutls-3.2.11.tar.xz;
Add files: gnutls-3.2.12.1.tar.xz, gnutls-3.2.12.1.tar.xz.sig
-------------------------------------------------------------------
Mon Mar 3 09:04:31 UTC 2014 - shchang@suse.com

View File

@ -21,15 +21,15 @@
%define gnutls_ossl_sover 27
Name: gnutls
Version: 3.2.11
Version: 3.2.12
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+ and GPL-3.0+
Group: Productivity/Networking/Security
Url: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz
# signature is checked by source services.
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.1.tar.xz.sig
Source2: %name.keyring
Source3: baselibs.conf
@ -37,7 +37,6 @@ Source3: baselibs.conf
Patch3: gnutls-3.0.26-skip-test-fwrite.patch
Patch6: gnutls-implement-trust-store-dir-3.2.8.diff
Patch7: CVE-2014-0092.patch
BuildRequires: automake
BuildRequires: gcc-c++
@ -138,7 +137,6 @@ Files needed for software development using gnutls.
%setup -q
%patch3
%patch6 -p1
%patch7 -p1
%build
autoreconf -if