diff --git a/CVE-2011-4128.patch b/CVE-2011-4128.patch deleted file mode 100644 index c745664..0000000 --- a/CVE-2011-4128.patch +++ /dev/null @@ -1,20 +0,0 @@ -Index: gnutls-3.0.3/lib/gnutls_session.c -=================================================================== ---- gnutls-3.0.3.orig/lib/gnutls_session.c -+++ gnutls-3.0.3/lib/gnutls_session.c -@@ -63,13 +63,14 @@ gnutls_session_get_data (gnutls_session_ - gnutls_assert (); - return ret; - } -- *session_data_size = psession.size; - - if (psession.size > *session_data_size) - { -+ *session_data_size = psession.size; - ret = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto error; - } -+ *session_data_size = psession.size; - - if (session_data != NULL) - memcpy (session_data, psession.data, psession.size); diff --git a/CVE-2012-0390.patch b/CVE-2012-0390.patch deleted file mode 100644 index 5e5ba12..0000000 --- a/CVE-2012-0390.patch +++ /dev/null @@ -1,18 +0,0 @@ -Index: gnutls-3.0.3/lib/gnutls_cipher.c -=================================================================== ---- gnutls-3.0.3.orig/lib/gnutls_cipher.c -+++ gnutls-3.0.3/lib/gnutls_cipher.c -@@ -559,7 +559,12 @@ ciphertext_to_compressed (gnutls_session - } - - if (length < 0) -- length = 0; -+ { -+ /* Setting a proper length to prevent timing differences in -+ * processing of records with invalid encryption. -+ */ -+ length = ciphertext->size - tag_size; -+ } - - /* Pass the type, version, length and compressed through - * MAC. diff --git a/CVE-2012-1569.patch b/CVE-2012-1569.patch deleted file mode 100644 index 8545d68..0000000 --- a/CVE-2012-1569.patch +++ /dev/null @@ -1,44 +0,0 @@ -Index: gnutls-3.0.3/lib/minitasn1/decoding.c -=================================================================== ---- gnutls-3.0.3.orig/lib/minitasn1/decoding.c -+++ gnutls-3.0.3/lib/minitasn1/decoding.c -@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_ - * Extract a length field from DER data. - * - * Returns: Return the decoded length value, or -1 on indefinite -- * length, or -2 when the value was too big. -+ * length, or -2 when the value was too big to fit in a int, or -4 -+ * when the decoded length value plus @len would exceed @der_len. - **/ - signed long - asn1_get_length_der (const unsigned char *der, int der_len, int *len) - { -- unsigned long ans; -+ int ans; - int k, punt; - - *len = 0; -@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char - ans = 0; - while (punt <= k && punt < der_len) - { -- unsigned long last = ans; -+ int last = ans; - - ans = ans * 256 + der[punt++]; - if (ans < last) -@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char - } - else - { /* indefinite length method */ -- ans = -1; -+ *len = punt; -+ return -1; - } - - *len = punt; -+ if (ans + *len < ans || ans + *len > der_len) -+ return -4; - return ans; - } - } diff --git a/CVE-2012-1573.patch b/CVE-2012-1573.patch deleted file mode 100644 index fc50c04..0000000 --- a/CVE-2012-1573.patch +++ /dev/null @@ -1,31 +0,0 @@ -Index: gnutls-3.0.3/lib/gnutls_cipher.c -=================================================================== ---- gnutls-3.0.3.orig/lib/gnutls_cipher.c -+++ gnutls-3.0.3/lib/gnutls_cipher.c -@@ -502,7 +502,7 @@ ciphertext_to_compressed (gnutls_session - - break; - case CIPHER_BLOCK: -- if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0)) -+ if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0)) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - - /* ignore the IV in TLS 1.1+ -@@ -514,14 +514,11 @@ ciphertext_to_compressed (gnutls_session - - ciphertext->size -= blocksize; - ciphertext->data += blocksize; -- -- if (ciphertext->size == 0) -- { -- gnutls_assert (); -- return GNUTLS_E_DECRYPTION_FAILED; -- } - } - -+ if (ciphertext->size < tag_size) -+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); -+ - /* we don't use the auth_cipher interface here, since - * TLS with block ciphers is impossible to be used under such - * an API. (the length of plaintext is required to calculate diff --git a/gnutls-3.0.19.tar.xz b/gnutls-3.0.19.tar.xz new file mode 100644 index 0000000..1471040 --- /dev/null +++ b/gnutls-3.0.19.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d9a436ea8718c38a564812e465c883f4f37ddc8c80c6f8bee54819e6e4089c37 +size 5035160 diff --git a/gnutls-3.0.3.tar.xz b/gnutls-3.0.3.tar.xz deleted file mode 100644 index 494b537..0000000 --- a/gnutls-3.0.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1c9f7e5e22b30cc7e558b00aa0a78388852b62b241c68c4f5dce1cb39ca6298b -size 4281044 diff --git a/gnutls-fix-compression.patch b/gnutls-fix-compression.patch deleted file mode 100644 index 18be79a..0000000 --- a/gnutls-fix-compression.patch +++ /dev/null @@ -1,842 +0,0 @@ -From f3abb3c8e37dfdb0881c23499abf4fe3aa779e14 Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Thu, 22 Sep 2011 18:48:07 +0200 -Subject: [PATCH] Simplified and corrected decompression and compression. - Added test program. - ---- - lib/gnutls_cipher.c | 203 +++++++++++++++++++++++-------------------------- - lib/gnutls_compress.c | 137 ++++----------------------------- - lib/gnutls_compress.h | 15 +--- - lib/gnutls_record.c | 5 +- - tests/Makefile.am | 2 +- - tests/eagain-common.h | 5 + - tests/mini-deflate.c | 113 +++++++++++++++++++++++++++ - 7 files changed, 234 insertions(+), 246 deletions(-) - create mode 100644 tests/mini-deflate.c - -diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c -index 1629b4d..75ca6ab 100644 ---- a/lib/gnutls_cipher.c -+++ b/lib/gnutls_cipher.c -@@ -41,15 +41,16 @@ - #include - #include - --static int _gnutls_compressed2ciphertext (gnutls_session_t session, -+static int compressed_to_ciphertext (gnutls_session_t session, - opaque * cipher_data, int cipher_size, -- gnutls_datum_t compressed, -+ gnutls_datum_t *compressed, - content_type_t _type, - record_parameters_st * params); --static int _gnutls_ciphertext2compressed (gnutls_session_t session, -+static int ciphertext_to_compressed (gnutls_session_t session, -+ gnutls_datum_t *ciphertext, - opaque * compress_data, - int compress_size, -- gnutls_datum_t ciphertext, uint8_t type, -+ uint8_t type, - record_parameters_st * params, uint64* sequence); - - inline static int -@@ -83,45 +84,47 @@ _gnutls_encrypt (gnutls_session_t session, const opaque * headers, - size_t ciphertext_size, content_type_t type, - record_parameters_st * params) - { -- gnutls_datum_t plain; - gnutls_datum_t comp; -+ int free_comp = 0; - int ret; -- int free_comp = 1; -- record_parameters_st *cur_record_params; - -- ret = _gnutls_epoch_get (session, EPOCH_WRITE_CURRENT, &cur_record_params); -- if (ret < 0) -- return gnutls_assert_val(ret); -- -- plain.data = (opaque *) data; -- plain.size = data_size; -- -- if (plain.size == 0 || is_write_comp_null (cur_record_params) == 0) -+ if (data_size == 0 || is_write_comp_null (params) == 0) - { -- comp = plain; -- free_comp = 0; -+ comp.data = (opaque*)data; -+ comp.size = data_size; - } - else - { - /* Here comp is allocated and must be - * freed. - */ -- ret = _gnutls_m_plaintext2compressed (session, &comp, &plain, params); -+ free_comp = 1; -+ -+ comp.size = ciphertext_size - headers_size; -+ comp.data = gnutls_malloc(comp.size); -+ if (comp.data == NULL) -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ -+ ret = _gnutls_compress( params->write.compression_state, data, data_size, comp.data, comp.size); - if (ret < 0) -- return gnutls_assert_val(ret); -+ { -+ gnutls_free(comp.data); -+ return gnutls_assert_val(ret); -+ } -+ -+ comp.size = ret; - } - -- ret = _gnutls_compressed2ciphertext (session, &ciphertext[headers_size], -+ ret = compressed_to_ciphertext (session, &ciphertext[headers_size], - ciphertext_size - headers_size, -- comp, type, params); -+ &comp, type, params); - - if (free_comp) -- _gnutls_free_datum (&comp); -+ gnutls_free(comp.data); - - if (ret < 0) - return gnutls_assert_val(ret); - -- - /* copy the headers */ - memcpy (ciphertext, headers, headers_size); - -@@ -142,14 +145,8 @@ _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext, - size_t max_data_size, content_type_t type, - record_parameters_st * params, uint64 *sequence) - { -- gnutls_datum_t gtxt; - gnutls_datum_t gcipher; -- int ret; -- record_parameters_st *cur_record_params; -- -- ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &cur_record_params); -- if (ret < 0) -- return gnutls_assert_val(ret); -+ int ret, data_size; - - if (ciphertext_size == 0) - return 0; -@@ -157,57 +154,43 @@ _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext, - gcipher.size = ciphertext_size; - gcipher.data = ciphertext; - -- ret = -- _gnutls_ciphertext2compressed (session, data, max_data_size, -- gcipher, type, params, sequence); -- if (ret < 0) -+ if (is_read_comp_null (params) == 0) - { -+ ret = -+ ciphertext_to_compressed (session, &gcipher, data, max_data_size, -+ type, params, sequence); -+ if (ret < 0) -+ return gnutls_assert_val(ret); -+ - return ret; - } -- -- if (ret == 0 || is_read_comp_null (cur_record_params) == 0) -- { -- /* ret == ret */ -- -- } - else - { -- gnutls_datum_t gcomp; -- -- /* compression has this malloc overhead. -- */ -- -- gcomp.data = data; -- gcomp.size = ret; -- ret = _gnutls_m_compressed2plaintext (session, >xt, &gcomp, params); -+ opaque* tmp_data; -+ -+ tmp_data = gnutls_malloc(max_data_size); -+ if (tmp_data == NULL) -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ -+ ret = -+ ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size, -+ type, params, sequence); - if (ret < 0) -+ goto leave; -+ -+ data_size = ret; -+ -+ if (ret != 0) - { -- return ret; -- } -- -- if (gtxt.size > MAX_RECORD_RECV_SIZE(session)) -- { -- _gnutls_free_datum (>xt); -- /* This shouldn't have happen and -- * is a TLS fatal error. -- */ -- return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); -- } -- -- /* This check is not really needed */ -- if (max_data_size < MAX_RECORD_RECV_SIZE(session)) -- { -- _gnutls_free_datum (>xt); -- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ ret = _gnutls_decompress(params->read.compression_state, tmp_data, data_size, data, max_data_size); -+ if (ret < 0) -+ goto leave; - } -- -- memcpy (data, gtxt.data, gtxt.size); -- ret = gtxt.size; -- -- _gnutls_free_datum (>xt); -+ -+leave: -+ gnutls_free(tmp_data); -+ return ret; - } -- -- return ret; - } - - -@@ -305,9 +288,9 @@ make_preamble (opaque * uint64_data, opaque type, int length, - * return the actual encrypted data length. - */ - static int --_gnutls_compressed2ciphertext (gnutls_session_t session, -+compressed_to_ciphertext (gnutls_session_t session, - opaque * cipher_data, int cipher_size, -- gnutls_datum_t compressed, -+ gnutls_datum_t *compressed, - content_type_t type, - record_parameters_st * params) - { -@@ -336,15 +319,16 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, - _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", - session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm), - (unsigned int)params->epoch); -+ - preamble_size = - make_preamble (UINT64DATA - (params->write.sequence_number), -- type, compressed.size, ver, preamble); -+ type, compressed->size, ver, preamble); - - /* Calculate the encrypted length (padding etc.) - */ - length_to_encrypt = length = -- calc_enc_length (session, compressed.size, tag_size, &pad, -+ calc_enc_length (session, compressed->size, tag_size, &pad, - random_pad, block_algo, auth_cipher, blocksize); - if (length < 0) - { -@@ -411,8 +395,8 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, - if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - } - -- memcpy (data_ptr, compressed.data, compressed.size); -- data_ptr += compressed.size; -+ memcpy (data_ptr, compressed->data, compressed->size); -+ data_ptr += compressed->size; - - if (tag_size > 0) - { -@@ -431,7 +415,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, - */ - ret = - _gnutls_auth_cipher_encrypt_tag (¶ms->write.cipher_state, -- cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed.size); -+ cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed->size); - if (ret < 0) - return gnutls_assert_val(ret); - -@@ -443,11 +427,12 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, - * Returns the actual compressed packet size. - */ - static int --_gnutls_ciphertext2compressed (gnutls_session_t session, -- opaque * compress_data, -- int compress_size, -- gnutls_datum_t ciphertext, uint8_t type, -- record_parameters_st * params, uint64* sequence) -+ciphertext_to_compressed (gnutls_session_t session, -+ gnutls_datum_t *ciphertext, -+ opaque * compress_data, -+ int compress_size, -+ uint8_t type, record_parameters_st * params, -+ uint64* sequence) - { - uint8_t tag[MAX_HASH_SIZE]; - uint8_t pad; -@@ -478,28 +463,28 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - if (params->read.IV.data == NULL || params->read.IV.size != 4) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - -- if (ciphertext.size < tag_size+AEAD_EXPLICIT_DATA_SIZE) -+ if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - - memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE); -- memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext.data, AEAD_EXPLICIT_DATA_SIZE); -+ memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE); - - _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE); - -- ciphertext.data += AEAD_EXPLICIT_DATA_SIZE; -- ciphertext.size -= AEAD_EXPLICIT_DATA_SIZE; -+ ciphertext->data += AEAD_EXPLICIT_DATA_SIZE; -+ ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE; - -- length_to_decrypt = ciphertext.size - tag_size; -+ length_to_decrypt = ciphertext->size - tag_size; - } - else - { -- if (ciphertext.size < tag_size) -+ if (ciphertext->size < tag_size) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - -- length_to_decrypt = ciphertext.size; -+ length_to_decrypt = ciphertext->size; - } - -- length = ciphertext.size - tag_size; -+ length = ciphertext->size - tag_size; - - /* Pass the type, version, length and compressed through - * MAC. -@@ -512,12 +497,12 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - - if ((ret = - _gnutls_auth_cipher_decrypt (¶ms->read.cipher_state, -- ciphertext.data, length_to_decrypt)) < 0) -+ ciphertext->data, length_to_decrypt)) < 0) - return gnutls_assert_val(ret); - - break; - case CIPHER_BLOCK: -- if (ciphertext.size < MAX(blocksize, tag_size) || (ciphertext.size % blocksize != 0)) -+ if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0)) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - - /* ignore the IV in TLS 1.1+ -@@ -525,12 +510,12 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - if (explicit_iv) - { - _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, -- ciphertext.data, blocksize); -+ ciphertext->data, blocksize); - -- ciphertext.size -= blocksize; -- ciphertext.data += blocksize; -+ ciphertext->size -= blocksize; -+ ciphertext->data += blocksize; - -- if (ciphertext.size == 0) -+ if (ciphertext->size == 0) - { - gnutls_assert (); - return GNUTLS_E_DECRYPTION_FAILED; -@@ -544,32 +529,32 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - */ - if ((ret = - _gnutls_cipher_decrypt (¶ms->read.cipher_state.cipher, -- ciphertext.data, ciphertext.size)) < 0) -+ ciphertext->data, ciphertext->size)) < 0) - return gnutls_assert_val(ret); - -- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ -+ pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */ - -- if ((int) pad > (int) ciphertext.size - tag_size) -+ if ((int) pad > (int) ciphertext->size - tag_size) - { - gnutls_assert (); - _gnutls_record_log - ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", -- session, pad, ciphertext.size, tag_size); -+ session, pad, ciphertext->size, tag_size); - /* We do not fail here. We check below for the - * the pad_failed. If zero means success. - */ - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - -- length = ciphertext.size - tag_size - pad; -+ length = ciphertext->size - tag_size - pad; - - /* Check the pading bytes (TLS 1.x) - */ - if (ver != GNUTLS_SSL3 && pad_failed == 0) - for (i = 2; i < pad; i++) - { -- if (ciphertext.data[ciphertext.size - i] != -- ciphertext.data[ciphertext.size - 1]) -+ if (ciphertext->data[ciphertext->size - i] != -+ ciphertext->data[ciphertext->size - 1]) - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - } - -@@ -583,7 +568,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - make_preamble (UINT64DATA(*sequence), type, - length, ver, preamble); - _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); -- _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, ciphertext.data, length); -+ _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, ciphertext->data, length); - - break; - default: -@@ -602,7 +587,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - - /* HMAC was not the same. - */ -- if (memcmp (tag, &ciphertext.data[length], tag_size) != 0) -+ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0) - return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); - - /* copy the decrypted stuff to compress_data. -@@ -610,8 +595,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, - if (compress_size < length) - return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); - -- if (compress_data != ciphertext.data) -- memcpy (compress_data, ciphertext.data, length); -+ if (compress_data != ciphertext->data) -+ memcpy (compress_data, ciphertext->data, length); - - return length; - } -diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c -index 52d4a15..e7a5114 100644 ---- a/lib/gnutls_compress.c -+++ b/lib/gnutls_compress.c -@@ -32,57 +32,6 @@ - #include - #include - --/* These functions allocate the return value internally -- */ --int --_gnutls_m_plaintext2compressed (gnutls_session_t session, -- gnutls_datum_t * compressed, -- const gnutls_datum_t * plaintext, -- const record_parameters_st * params) --{ -- int size; -- opaque *data; -- -- size = -- _gnutls_compress (params->write.compression_state, -- plaintext->data, plaintext->size, &data, -- MAX_RECORD_SEND_SIZE(session) + EXTRA_COMP_SIZE); -- if (size < 0) -- { -- gnutls_assert (); -- return GNUTLS_E_COMPRESSION_FAILED; -- } -- compressed->data = data; -- compressed->size = size; -- -- return 0; --} -- --int --_gnutls_m_compressed2plaintext (gnutls_session_t session, -- gnutls_datum_t * plain, -- const gnutls_datum_t * compressed, -- const record_parameters_st * params) --{ -- int size; -- opaque *data; -- -- size = -- _gnutls_decompress (params->read.compression_state, -- compressed->data, compressed->size, &data, -- MAX_RECORD_RECV_SIZE(session)); -- if (size < 0) -- { -- gnutls_assert (); -- return GNUTLS_E_DECOMPRESSION_FAILED; -- } -- plain->data = data; -- plain->size = size; -- -- return 0; --} -- -- - /* Compression Section */ - #define GNUTLS_COMPRESSION_ENTRY(name, id, wb, ml, cl) \ - { #name, name, id, wb, ml, cl} -@@ -397,7 +346,7 @@ _gnutls_comp_deinit (comp_hd_t handle, int d) - - int - _gnutls_compress (comp_hd_t handle, const opaque * plain, -- size_t plain_size, opaque ** compressed, -+ size_t plain_size, opaque * compressed, - size_t max_comp_size) - { - int compressed_size = GNUTLS_E_COMPRESSION_FAILED; -@@ -419,32 +368,19 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain, - z_stream *zhandle; - int err; - -- size = (plain_size + plain_size) + 10; -- *compressed = gnutls_malloc (size); -- if (*compressed == NULL) -- { -- gnutls_assert (); -- return GNUTLS_E_MEMORY_ERROR; -- } -- - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) plain; - zhandle->avail_in = plain_size; -- zhandle->next_out = (Bytef *) * compressed; -- zhandle->avail_out = size; -+ zhandle->next_out = (Bytef *) compressed; -+ zhandle->avail_out = max_comp_size; - - err = deflate (zhandle, Z_SYNC_FLUSH); -- - if (err != Z_OK || zhandle->avail_in != 0) -- { -- gnutls_assert (); -- gnutls_free (*compressed); -- *compressed = NULL; -- return GNUTLS_E_COMPRESSION_FAILED; -- } -+ return gnutls_assert_val(GNUTLS_E_COMPRESSION_FAILED); - -- compressed_size = size - zhandle->avail_out; -+ -+ compressed_size = max_comp_size - zhandle->avail_out; - break; - } - #endif -@@ -458,13 +394,6 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain, - (float) ((float) compressed_size / (float) plain_size)); - #endif - -- if ((size_t) compressed_size > max_comp_size) -- { -- gnutls_free (*compressed); -- *compressed = NULL; -- return GNUTLS_E_COMPRESSION_FAILED; -- } -- - return compressed_size; - } - -@@ -472,12 +401,12 @@ _gnutls_compress (comp_hd_t handle, const opaque * plain, - - int - _gnutls_decompress (comp_hd_t handle, opaque * compressed, -- size_t compressed_size, opaque ** plain, -- size_t max_record_size) -+ size_t compressed_size, opaque * plain, -+ size_t max_plain_size) - { - int plain_size = GNUTLS_E_DECOMPRESSION_FAILED; - -- if (compressed_size > max_record_size + EXTRA_COMP_SIZE) -+ if (compressed_size > max_plain_size + EXTRA_COMP_SIZE) - { - gnutls_assert (); - return GNUTLS_E_DECOMPRESSION_FAILED; -@@ -499,51 +428,21 @@ _gnutls_decompress (comp_hd_t handle, opaque * compressed, - { - uLongf out_size; - z_stream *zhandle; -- int cur_pos; - int err; - -- *plain = NULL; -- out_size = compressed_size + compressed_size; -- plain_size = 0; -- - zhandle = handle->handle; - - zhandle->next_in = (Bytef *) compressed; - zhandle->avail_in = compressed_size; - -- cur_pos = 0; -- -- do -- { -- out_size += 512; -- *plain = gnutls_realloc_fast (*plain, out_size); -- if (*plain == NULL) -- { -- gnutls_assert (); -- return GNUTLS_E_MEMORY_ERROR; -- } -- -- zhandle->next_out = (Bytef *) (*plain + cur_pos); -- zhandle->avail_out = out_size - cur_pos; -- -- err = inflate (zhandle, Z_SYNC_FLUSH); -- -- cur_pos = out_size - zhandle->avail_out; -- -- } -- while ((err == Z_BUF_ERROR && zhandle->avail_out == 0 -- && out_size < max_record_size) -- || (err == Z_OK && zhandle->avail_in != 0)); -+ zhandle->next_out = (Bytef *) plain; -+ zhandle->avail_out = max_plain_size; -+ err = inflate (zhandle, Z_SYNC_FLUSH); - - if (err != Z_OK) -- { -- gnutls_assert (); -- gnutls_free (*plain); -- *plain = NULL; -- return GNUTLS_E_DECOMPRESSION_FAILED; -- } -+ return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); - -- plain_size = out_size - zhandle->avail_out; -+ plain_size = max_plain_size - zhandle->avail_out; - break; - } - #endif -@@ -552,13 +451,5 @@ _gnutls_decompress (comp_hd_t handle, opaque * compressed, - return GNUTLS_E_INTERNAL_ERROR; - } /* switch */ - -- if ((size_t) plain_size > max_record_size) -- { -- gnutls_assert (); -- gnutls_free (*plain); -- *plain = NULL; -- return GNUTLS_E_DECOMPRESSION_FAILED; -- } -- - return plain_size; - } -diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h -index 2bc88c5..7f3545c 100644 ---- a/lib/gnutls_compress.h -+++ b/lib/gnutls_compress.h -@@ -22,15 +22,6 @@ - #ifndef GNUTLS_COMPRESS_H - #define GNUTLS_COMPRESS_H - --int _gnutls_m_plaintext2compressed (gnutls_session_t session, -- gnutls_datum_t * compressed, -- const gnutls_datum_t * plaintext, -- const record_parameters_st * params); --int _gnutls_m_compressed2plaintext (gnutls_session_t session, -- gnutls_datum_t * plain, -- const gnutls_datum_t * compressed, -- const record_parameters_st * params); -- - /* Algorithm handling. */ - int _gnutls_supported_compression_methods (gnutls_session_t session, - uint8_t * comp, size_t max_comp); -@@ -54,10 +45,10 @@ comp_hd_t _gnutls_comp_init (gnutls_compression_method_t, int d); - void _gnutls_comp_deinit (comp_hd_t handle, int d); - - int _gnutls_decompress (comp_hd_t handle, opaque * compressed, -- size_t compressed_size, opaque ** plain, -- size_t max_record_size); -+ size_t compressed_size, opaque * plain, -+ size_t max_plain_size); - int _gnutls_compress (comp_hd_t, const opaque * plain, size_t plain_size, -- opaque ** compressed, size_t max_comp_size); -+ opaque * compressed, size_t max_comp_size); - - struct gnutls_compression_entry - { -diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c -index 22e4923..4ff2951 100644 ---- a/lib/gnutls_record.c -+++ b/lib/gnutls_record.c -@@ -986,7 +986,10 @@ begin: - if (bufel == NULL) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - -- decrypted = _mbuffer_alloc(record.length+EXTRA_COMP_SIZE, record.length+EXTRA_COMP_SIZE); -+ /* We allocate the maximum possible to allow few compressed bytes to expand to a -+ * full record. -+ */ -+ decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session), MAX_RECORD_RECV_SIZE(session)); - if (decrypted == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 63ae665..7ed9d25 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -58,7 +58,7 @@ noinst_LTLIBRARIES = libutils.la - libutils_la_SOURCES = utils.h utils.c - - ctests = simple gc set_pkcs12_cred certder certuniqueid mpi \ -- certificate_set_x509_crl dn parse_ca moredn mini \ -+ certificate_set_x509_crl dn parse_ca moredn mini mini-deflate \ - hostname-check cve-2008-4989 pkcs12_s2k chainverify crq_key_id \ - x509sign-verify cve-2009-1415 cve-2009-1416 crq_apis \ - init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \ -diff --git a/tests/eagain-common.h b/tests/eagain-common.h -index c55e97c..07d5148 100644 ---- a/tests/eagain-common.h -+++ b/tests/eagain-common.h -@@ -32,6 +32,9 @@ - ret = gnutls_record_send (c, msg, msglen); \ - } \ - while(ret == GNUTLS_E_AGAIN); \ -+ \ -+ if (ret < 0) fail ("client send error: %s\n", gnutls_strerror (ret)); \ -+ \ - do \ - { \ - do \ -@@ -54,6 +57,7 @@ - ns = gnutls_record_send (server, msg, msglen); \ - } \ - while (ns == GNUTLS_E_AGAIN); \ -+ if (ns < 0) fail ("server send error: %s\n", gnutls_strerror (ret)); \ - do \ - { \ - ret = gnutls_record_recv (client, buf, buflen); \ -@@ -81,6 +85,7 @@ - ns = gnutls_record_send (client, buf, msglen); \ - } \ - while (ns == GNUTLS_E_AGAIN); \ -+ if (ns < 0) fail ("client send error: %s\n", gnutls_strerror (ret)); \ - transferred += ret; \ - if (debug) \ - fputs (".", stdout); \ -diff --git a/tests/mini-deflate.c b/tests/mini-deflate.c -new file mode 100644 -index 0000000..4edd4db ---- /dev/null -+++ b/tests/mini-deflate.c -@@ -0,0 +1,113 @@ -+/* -+ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. -+ * -+ * Author: Simon Josefsson -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include "eagain-common.h" -+ -+#include "utils.h" -+ -+static void -+tls_log_func (int level, const char *str) -+{ -+ fprintf (stderr, "|<%d>| %s", level, str); -+} -+ -+#define MAX_BUF 6*1024 -+#define MSG "Hello TLS, and Hello and Hello and Hello" -+ -+void -+doit (void) -+{ -+ /* Server stuff. */ -+ gnutls_anon_server_credentials_t s_anoncred; -+ const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) }; -+ static gnutls_dh_params_t dh_params; -+ gnutls_session_t server; -+ int sret = GNUTLS_E_AGAIN; -+ /* Client stuff. */ -+ gnutls_anon_client_credentials_t c_anoncred; -+ gnutls_session_t client; -+ int cret = GNUTLS_E_AGAIN; -+ /* Need to enable anonymous KX specifically. */ -+ char buffer[MAX_BUF + 1]; -+ ssize_t ns; -+ int ret, transferred = 0, msglen; -+ -+ /* General init. */ -+ gnutls_global_init (); -+ gnutls_global_set_log_function (tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level (4711); -+ -+ /* Init server */ -+ gnutls_anon_allocate_server_credentials (&s_anoncred); -+ gnutls_dh_params_init (&dh_params); -+ gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); -+ gnutls_anon_set_server_dh_params (s_anoncred, dh_params); -+ gnutls_init (&server, GNUTLS_SERVER); -+ gnutls_priority_set_direct (server, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-DEFLATE:+ANON-DH", NULL); -+ gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred); -+ gnutls_dh_set_prime_bits (server, 1024); -+ gnutls_transport_set_push_function (server, server_push); -+ gnutls_transport_set_pull_function (server, server_pull); -+ gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); -+ -+ /* Init client */ -+ gnutls_anon_allocate_client_credentials (&c_anoncred); -+ gnutls_init (&client, GNUTLS_CLIENT); -+ gnutls_priority_set_direct (client, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-DEFLATE:+ANON-DH", NULL); -+ gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); -+ gnutls_transport_set_push_function (client, client_push); -+ gnutls_transport_set_pull_function (client, client_pull); -+ gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); -+ -+ HANDSHAKE(client, server); -+ -+ if (debug) -+ success ("Handshake established\n"); -+ -+ msglen = strlen(MSG); -+ TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF); -+ if (debug) -+ fputs ("\n", stdout); -+ -+ gnutls_bye (client, GNUTLS_SHUT_RDWR); -+ gnutls_bye (server, GNUTLS_SHUT_RDWR); -+ -+ gnutls_deinit (client); -+ gnutls_deinit (server); -+ -+ gnutls_anon_free_client_credentials (c_anoncred); -+ gnutls_anon_free_server_credentials (s_anoncred); -+ -+ gnutls_dh_params_deinit (dh_params); -+ -+ gnutls_global_deinit (); -+} --- -1.7.2.5 diff --git a/gnutls-fix-crash-on-strcat.patch b/gnutls-fix-crash-on-strcat.patch deleted file mode 100644 index 4c2e623..0000000 --- a/gnutls-fix-crash-on-strcat.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7043a8e9e314b0c2eb7ac5c2278a0b103f6a758a Mon Sep 17 00:00:00 2001 -From: Vincent Untz -Date: Mon, 17 Oct 2011 15:15:46 +0200 -Subject: [PATCH] Correctly terminate a string with \0 before concatenating to - it - -Fix a potential crash: -https://bugzilla.novell.com/show_bug.cgi?id=724421 ---- - lib/x509/common.c | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -diff --git a/lib/x509/common.c b/lib/x509/common.c -index 6bb4746..0651d2e 100644 ---- a/lib/x509/common.c -+++ b/lib/x509/common.c -@@ -390,6 +390,7 @@ _gnutls_x509_data2hex (const opaque * data, size_t data_size, - if (out) - { - out[0] = '#'; -+ out[1] = '\0'; - _gnutls_str_cat (out, *sizeof_out, res); - } - --- -1.7.7 - diff --git a/gnutls.changes b/gnutls.changes index 1890708..310c4f7 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,372 @@ +------------------------------------------------------------------- +Sun May 13 02:44:30 UTC 2012 - Nico.Laus.2001@gmx.de + +- Update to version 3.0.19: + + libgnutls: + - When decoding a PKCS #11 URL the pin-source field + is assumed to be a file that stores the pin. Based on patch + by David Smith. + - gnutls_record_check_pending() no longer + returns unprocessed data, and thus ensure the non-blocking + of the next call to gnutls_record_recv(). + - Added strict tests in Diffie-Hellman and + SRP key exchange public keys. + - in ECDSA and DSA TLS 1.2 authentication be less + strict in hash selection, and allow a stronger hash to + be used than the appropriate, to improve interoperability + with openssl. + + tests: + - Disabled floating point test, and corrections + in pkcs12 decoding tests. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.18: + + certtool: + - Avoid a Y2K38 bug when generating certificates. + Patch by Robert Millan. + + libgnutls: + - Make sure that GNUTLS_E_PREMATURE_TERMINATION + - is returned on premature termination (and added unit test). + - Fixes for W64 API. Patch by B. Scott Michel. + - Corrected VIA padlock detection for old + VIA processors. Reported by Kris Karas. + - Updated assembler files. + - Time in generated certificates is stored + as GeneralizedTime instead of UTCTime (which only stores + 2 digits of a year). + + minitasn1: + - Upgraded to libtasn1 version 2.13 (pre-release). + + API and ABI modifications: + - gnutls_x509_crt_set_private_key_usage_period: Added + - gnutls_x509_crt_get_private_key_usage_period: Added + - gnutls_x509_crq_set_private_key_usage_period: Added + - gnutls_x509_crq_get_private_key_usage_period: Added + - gnutls_session_get_random: Added +- Changes from version 3.0.17: + + command line apps: + - Always link with local libopts. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.16: + + minitasn1: + - Upgraded to libtasn1 version 2.12 (pre-release). + + libgnutls: + - Corrected SRP-RSA ciphersuites when used under TLS 1.2. + - included assembler files for MacOSX. + + p11tool: + - Small fixes in handling of the --private command + line option. + + certtool: + - The template option allows for setting the domain + component (DC) option of the distinguished name, and the ocsp_uri + as well as the ca_issuers_uri options. + + API and ABI modifications: + - gnutls_x509_crt_set_authority_info_access: Added +- Changes from version 3.0.15: + + test suite: + - Only run under valgrind in the development + system (the full git repository) + + command line apps: + - Link with local libopts if the installed is an old one. + + libgnutls: + - Eliminate double free during SRP + authentication. Reported by Peter Penzov. + - Corrections in record packet parsing. + Reported by Matthew Hall. + - Cryptodev updates and fixes. + - Corrected issue with select() that affected + FreeBSD. This prevented establishing DTLS sessions. + Reported by Andreas Metzler. + - Corrected rehandshake and resumption + operations in DTLS. Reported by Sean Buckheister. + - PKCS #11 objects that do not have ID + no longer crash listing. Reported by Sven Geggus. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.14: + + command line apps: + - Included libopts doesn't get installed by default. + + libgnutls: + - Eliminate double free on wrongly formatted + certificate list. Reported by Remi Gacogne. + - cryptodev code corrected, updated to account + for hashes and GCM mode. + Eliminated memory leak in PCKS #11 initialization. + Report and fix by Sam Varshavchik. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.13: + + gnutls-cli: + - added the --ocsp option which will verify + the peer's certificate with OCSP. + - added the --tofu and if specified, gnutls-cli + will use an ssh-style authentication method. + - if no --x509cafile is provided a default is + assumed (/etc/ssl/certs/ca-certificates.crt), if it exists. + + ocsptool: + - Added --ask parameter, to verify a certificate's + status from an ocsp server. + + command line apps: + - Use gnu autogen (libopts) to parse command + line arguments and template files. + + tests: + - Added stress test for DTLS packet losses and + out-of-order receival. Contributed by Sean Buckheister. + + libgnutls: + - Several updates and corrections in the DTLS + DTLS lost packet handling and retransmission timeouts. + Report and patches by Sean Buckheister. + - Added new functions to easily allow the usage of + a trust on first use (SSH-style) authentication. + - SUITEB128 and SUITEB192 priority strings account + for the RFC6460 requirements. + - Added new security parameter GNUTLS_SEC_PARAM_LEGACY + to account for security level of 96-bits. + - In client side if server does not advertise any + known CAs and only a single certificate is set in the credentials, + sent that one. + - Added functions to parse authority key identifiers + when stored as a 'general name' and serial combo. + - Added function to force explicit reinitialization + of PKCS #11 modules. This is required on the child process after + a fork (if PKCS #11 functionality is desirable). + - Depend on p11-kit 0.11. + + API and ABI modifications: + - gnutls_dtls_get_timeout: Added + - gnutls_verify_stored_pubkey: Added + - gnutls_store_pubkey: Added + - gnutls_store_commitment: Added + - gnutls_x509_crt_get_authority_key_gn_serial: Added + - gnutls_x509_crl_get_authority_key_gn_serial: Added + - gnutls_pkcs11_reinit: Added + - gnutls_ecc_curve_list: Added + - gnutls_priority_certificate_type_list: Added + - gnutls_priority_sign_list: Added + - gnutls_priority_protocol_list: Added + - gnutls_priority_compression_list: Added + - gnutls_priority_ecc_curve_list: Added + - gnutls_tdb_init: Added + - gnutls_tdb_set_store_func: Added + - gnutls_tdb_set_store_commitment_func: Added + - gnutls_tdb_set_verify_func: Added + - gnutls_tdb_deinit: Added +- Changes from version 3.0.12: + + libgnutls: + - Added OCSP support. + There is a new header file gnutls/ocsp.h and a set of new functions + under the gnutls_ocsp namespace. Currently the functionality provided + is to parse and extract information from OCSP requests/responses, to + generate OCSP requests and to verify OCSP responses. See the manual + for more information. Run ./configure with --disable-ocsp to build + GnuTLS without OCSP support. + This work was sponsored by Smoothwall . + + ocsptool: + - Added new command line tool. + The tool can parse OCSP request/responses, generate OCSP requests and + verify OCSP responses. See the manual for more information. + + certtool: + - --outder option now works for private + and public keys as well. + + libgnutls: + - Added error code GNUTLS_E_NO_PRIORITIES_WERE_SET + to warn when no or insufficient priorities were set. + - Corrected an alignment issue in ECDH + key generation which prevented some keys from being + correctly aligned in rare circumstances. + - Corrected memory leaks in DH parameter + generation and ecc_projective_check_point(). + - Added gnutls_x509_dn_oid_name() to + return a descriptive name of a DN OID. + + API and ABI modifications: + - gnutls_pubkey_encrypt_data: Added + - gnutls_x509_dn_oid_name: Added + - gnutls_session_resumption_requested: Added + - gnutls/ocsp.h: Added new header file. + - gnutls_ocsp_print_formats_t: Added new type. + - gnutls_ocsp_resp_status_t: Added new type. + - gnutls_ocsp_cert_status_t: Added new type. + - gnutls_x509_crl_reason_t: Added new type. + - gnutls_ocsp_req_add_cert: Added. + - gnutls_ocsp_req_add_cert_id: Added. + - gnutls_ocsp_req_deinit: Added. + - gnutls_ocsp_req_export: Added. + - gnutls_ocsp_req_get_cert_id: Added. + - gnutls_ocsp_req_get_extension: Added. + - gnutls_ocsp_req_get_nonce: Added. + - gnutls_ocsp_req_get_version: Added. + - gnutls_ocsp_req_import: Added. + - gnutls_ocsp_req_init: Added. + - gnutls_ocsp_req_print: Added. + - gnutls_ocsp_req_randomize_nonce: Added. + - gnutls_ocsp_req_set_extension: Added. + - gnutls_ocsp_req_set_nonce: Added. + - gnutls_ocsp_resp_deinit: Added. + - gnutls_ocsp_resp_export: Added. + - gnutls_ocsp_resp_get_certs: Added. + - gnutls_ocsp_resp_get_extension: Added. + - gnutls_ocsp_resp_get_nonce: Added. + - gnutls_ocsp_resp_get_produced: Added. + - gnutls_ocsp_resp_get_responder: Added. + - gnutls_ocsp_resp_get_response: Added. + - gnutls_ocsp_resp_get_signature: Added. + - gnutls_ocsp_resp_get_signature_algorithm: Added. + - gnutls_ocsp_resp_get_single: Added. + - gnutls_ocsp_resp_get_status: Added. + - gnutls_ocsp_resp_get_version: Added. + - gnutls_ocsp_resp_import: Added. + - gnutls_ocsp_resp_init: Added. + - gnutls_ocsp_resp_print: Added. + - gnutls_ocsp_resp_verify: Added. +- Changes from version 3.0.11: + + libgnutls: + - Corrected functionality of + gnutls_record_get_direction(). Reported by Philip Allison. + - Provide less timing information when decoding +TLS/DTLS record packets. Patch by Nadhem Alfardan. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.10: + + gnutls-cli/serv: + - Set don't fragment bit in DTLS sessions +in Linux as well as in BSD. + + gnutls-cli: + - Fixed reading from windows terminals. + + libgnutls: + - When GNUTLS_OPENPGP_FMT_BASE64 is specified + the stream is assumed to be base64 encoded (previously + the encoding was auto-detected). This avoids a decoding + issue in windows systems. + - Corrected ciphersuite GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384 + - Added ciphersuites: GNUTLS_PSK_WITH_AES_256_GCM_SHA384 + and GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384. + - Added function gnutls_random_art() to convert + fingerprints to images (currently ascii-art). + - Corrected bug in DSA private key parsing, which + prevented the verification of the key. + + API and ABI modifications: + - gnutls_random_art: Added +- Changes from version 3.0.09: + + certtool: + - Added new parameter --dh-info. + - -l option was overloaded so if combined with --priority + it will only list the ciphersuites that are enabled by the given + priority string. + + libgnutls: + - Added new priority string %SERVER_PRECEDENCE, which + changes the ciphersuite selection procedure. If specified the server + priorities will be used for selection instead of the client's. + - Optimizations in Diffie-Hellman parameters generation + and key exchange. + - When session tickets are negotiated and used in a + session, a server will not store that session data into its cache. + - Added the SECP192R1 curve. + - Added gnutls_priority_get_cipher_suite_index() to + allow listing the ciphersuites enabled in a priority structure. + It outputs an index to be used in gnutls_get_cipher_suite_info(). + - Optimizations in the elliptic curve code --timing + attacks resistant code is only used in ECDSA private key operations. + + doc: + - man pages for API functions generation was fixed and are + now added again in the distribution. + + API and ABI modifications: + - GNUTLS_ECC_CURVE_SECP192R1: New curve definition + - gnutls_priority_get_cipher_suite_index: Added +- Changes from version 3.0.08: + + certtool: + - Certtool -e returns error code on verification failure. + - Verifies parameters of generated keys. + + libgnutls: + - Corrected ECC key generation (introduced in 3.0.6) + - Provide less timing information when decoding + TLS/DTLS record packets. + + doc: + - man pages for API functions were removed. + The reason was that the code that auto-generated the man pages missed + many APIs and we couldn't fix it (volunteers welcome). See the info + manual or the GTK-DOC manual instead. + + API and ABI modifications: + - gnutls_x509_privkey_verify_params: Added +- Changes from version 3.0.07: + + libgnutls: + - Corrected fix in gnutls_session_get_data() + to report the actual session size when the provided buffer + is not enough. + - Fixed ciphersuite GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256, + which was using a wrong MAC algorithm. Reported by Fabrice Gautier. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.06: + + gnutls-guile: + - Compilation fixes. + + libgnutls: + - Fixed possible buffer overflow in + gnutls_session_get_data(). Reported and fix by Alban Crequy. + - Bug fixes in the ciphersuites with NULL cipher. + Reported by Fabrice Gautier. + - Bug fixes in ECC code for 64-bit MIPS systems. + Thanks to Joseph Graham for providing access to such a system. + - Correctly report ECC private key parsing errors. + Reported by Fabrice Gautier. + - In ECDHE verify that the received point lies on + the selected curve. The ECDHE ciphersuites now take precendence + to plain DHE. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.05: + + libgnutls-extra: + - is no more + + libgnutls: + - Corrections in order to compile with mingw32. + - Corrections in VIA padlock code for VIA C5 processor + and new detection of PHE with support for partial hashing. + - Corrected bug in gnutls_x509_data2hex. Report and fix + by Vincent Untz. + + minitasn1: + - Upgraded to libtasn1 version 2.10. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.04: + + gnutls-cli-debug: + - Added more tests including AES-GCM, SHA256 and elliptic curves. + + gnutls-cli: + - Added --benchmark-soft-ciphers to benchmark + the software version of the ciphers instead of hw accelerated + (where available) + + libgnutls: + - Public key ID calculation is consistent among + all structures. It uses a SHA-1 hash of the subjectPublicKeyInfo. + - gnutls_privkey_t allows setting external callback + to perform signing or decryption. Can be set using + gnutls_privkey_import_ext() + - A certificate credentials structure can be + used with a gnutls_privkey_t and a gnutls_pcert_st + structure using gnutls_certificate_set_key(). + - Fixes to enable external signing callback to + operate with TLS 1.2. + - Fixed crash when printing ECDSA certificate key + ID. Reported by Erik Jensen. + - Corrected VIA padlock code for C3. In C3 benchmarks + show a 2x increase in AES speed and a 14x increase in VIA nano. Added + support for hashes and HMACs. + - Compilation fixed when p11-kit is not detected. + - Fixed the deflate compression code. + - Added gnutls_x509_crt_get_authority_info_access. + Used to get the PKIX Authority Information Access (AIA) field. + - gnutls_x509_crt_print supports printing AIA fields. + - Added ability to gnutls_privkey_t to operate with + signing callback function. + + API and ABI modifications: + - gnutls_x509_crt_get_authority_info_access (x509.h): Added function. + - gnutls_privkey_import_ext: Added function. + - gnutls_certificate_set_key: Added function. + - gnutls_info_access_what_t (x509.h): Added enum. + - GNUTLS_OID_AIA (x509.h): Added symbol. + - GNUTLS_OID_AD_OCSP (x509.h): Added symbol. + - GNUTLS_OID_AD_CAISSUERS (x509.h): Added symbol. +- Drop CVE-2011-4128.patch, CVE-2012-0390.patch, CVE-2012-1569.patch, + CVE-2012-1573.patch, gnutls-fix-compression.patch, + gnutls-fix-crash-on-strcat.patch: all fixed upstream. + ------------------------------------------------------------------- Thu Apr 12 05:17:04 UTC 2012 - gjhe@suse.com diff --git a/gnutls.spec b/gnutls.spec index d2a7f22..cbac564 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -19,31 +19,22 @@ %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 -%define gnutls_extra_sover 28 Name: gnutls -Version: 3.0.3 -Release: 1 -License: LGPL-3.0+ ; GPL-3.0+ +Version: 3.0.19 +Release: 0 Summary: The GNU Transport Layer Security Library -Url: http://www.gnutls.org/ +License: LGPL-3.0+ ; GPL-3.0+ Group: Productivity/Networking/Security -Source0: %{name}-%{version}.tar.xz +Url: http://www.gnutls.org/ +Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz Source1: baselibs.conf -# PATCH-FIX-UPSTREAM gnutls-fix-compression.patch vuntz@opensuse.org -- Taken from git, fix decompression/compression -Patch0: gnutls-fix-compression.patch -# PATCH-FIX-UPSTREAM gnutls-fix-crash-on-strcat.patch bnc#724421 vuntz@opensuse.org -- Fix a crash because of badly used strcat, sent upstream by mail on 2011-10-17 -Patch1: gnutls-fix-crash-on-strcat.patch -Patch2: CVE-2011-4128.patch -Patch3: CVE-2012-0390.patch -Patch4: CVE-2012-1569.patch -Patch5: CVE-2012-1573.patch BuildRequires: automake BuildRequires: gcc-c++ -BuildRequires: libnettle-devel >= 2.2 -BuildRequires: p11-kit-devel BuildRequires: libidn-devel +BuildRequires: libnettle-devel >= 2.2 BuildRequires: libtasn1-devel +BuildRequires: p11-kit-devel >= 0.11 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel @@ -59,8 +50,8 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} -License: LGPL-3.0+ Summary: The GNU Transport Layer Security Library +License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} @@ -69,8 +60,8 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutlsxx%{gnutlsxx_sover} -License: LGPL-3.0+ Summary: The GNU Transport Layer Security Library +License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} @@ -79,20 +70,9 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. -%package -n libgnutls-extra%{gnutls_extra_sover} -License: GPL-3.0+ -Summary: The GNU Transport Layer Security Library -Group: Productivity/Networking/Security - -%description -n libgnutls-extra%{gnutls_extra_sover} -The GnuTLS project aims to develop a library that provides a secure -layer over a reliable transport layer. Currently the GnuTLS library -implements the proposed standards of the IETF's TLS working group. - - %package -n libgnutls-openssl%{gnutls_ossl_sover} -License: GPL-3.0+ Summary: The GNU Transport Layer Security Library +License: GPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls-openssl%{gnutls_ossl_sover} @@ -102,8 +82,8 @@ implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-devel -License: LGPL-3.0+ Summary: Development package for gnutls +License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel @@ -113,12 +93,12 @@ Requires: libgnutls%{gnutls_sover} = %{version} Files needed for software development using gnutls. %package -n libgnutlsxx-devel -License: LGPL-3.0+ Summary: Development package for gnutls +License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq -Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libgnutls-devel = %{version} +Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel %description -n libgnutlsxx-devel @@ -126,44 +106,19 @@ Files needed for software development using gnutls. %package -n libgnutls-openssl-devel -License: GPL-3.0+ Summary: Development package for gnutls +License: GPL-3.0+ Group: Development/Libraries/C and C++ -Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} Requires: libgnutls-devel = %{version} +Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} %description -n libgnutls-openssl-devel Files needed for software development using gnutls. -%package -n libgnutls-extra-devel -License: GPL-3.0+ -Summary: The GNU Transport Layer Security Library -Group: Development/Libraries/C and C++ -Requires: libgnutls-devel = %{version} -Requires: libgnutls-extra%{gnutls_extra_sover} = %{version} -# gnutls-devel last used in 10.3 -Obsoletes: gnutls-devel < %{version} -Provides: gnutls-devel = %{version} -# bug437293 -%ifarch ppc64 -Obsoletes: gnutls-devel-64bit -%endif -# - -%description -n libgnutls-extra-devel -The GnuTLS project aims to develop a library that provides a secure -layer over a reliable transport layer. Currently the GnuTLS library -implements the proposed standards of the IETF's TLS working group. - %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +echo %{_includedir}/%{name}/abstract.h %build %configure \ @@ -195,10 +150,6 @@ rm -rf %{buildroot} %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig -%post -n libgnutls-extra%{gnutls_extra_sover} -p /sbin/ldconfig - -%postun -n libgnutls-extra%{gnutls_extra_sover} -p /sbin/ldconfig - %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig @@ -223,6 +174,7 @@ rm -rf %{buildroot} %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv +%{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool @@ -232,10 +184,6 @@ rm -rf %{buildroot} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* -%files -n libgnutls-extra%{gnutls_extra_sover} -%defattr(-,root,root) -%{_libdir}/libgnutls-extra.so.%{gnutls_extra_sover}* - %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* @@ -253,6 +201,7 @@ rm -rf %{buildroot} %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h +%{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h @@ -274,11 +223,4 @@ rm -rf %{buildroot} %dir %{_includedir}/%{name} %{_includedir}/%{name}/openssl.h -%files -n libgnutls-extra-devel -%defattr(-, root, root) -%dir %{_includedir}/%{name} -%{_includedir}/%{name}/extra.h -%{_libdir}/libgnutls-extra.so -%{_libdir}/pkgconfig/gnutls-extra.pc - %changelog