Hello community, here is the log from the commit of package gnutls.2618 for openSUSE:13.1:Update checked in at 2014-03-05 07:27:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/gnutls.2618 (Old) and /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls.2618" Changes: -------- New Changes file: --- /dev/null 2014-02-13 01:09:38.344032506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new/gnutls.changes 2014-03-05 07:27:55.000000000 +0100 @@ -0,0 +1,1653 @@ +------------------------------------------------------------------- +Mon Mar 3 14:04:31 UTC 2014 - [email protected] + +- Fixed bug [ bnc#865804] gnutls: CVE-2014-0092, insufficient X.509 certificate verification + Add patch file: CVE-2014-0092.patch + + Enable elliptic curve and so ECDH support again to meet modern + cryptographic requirements, removed gnutls-3.2.4-noecc.patch. + +------------------------------------------------------------------- +Thu Feb 6 10:18:09 UTC 2014 - [email protected] + +- Fix bug[ bnc#861907]: COMP-DEFLATE broken (internal buffer for inflate too + small, skipping input) + Add patch file: revert-simplified-decrypted-data-allocation.patch + +------------------------------------------------------------------- +Tue Nov 5 04:44:25 UTC 2013 - [email protected] + +- Fix bug[ bnc#848510], CVE-2013-4487( off-by-one security fix in libdane) + Add patch file: CVE-2013-4487.patch + +------------------------------------------------------------------- +Fri Oct 25 04:22:30 UTC 2013 - [email protected] + +- Fix bug[ bnc#847484], CVE-2013-4466 ( DoS in libdane) + Add patch file: CVE-2013-4466.patch + +------------------------------------------------------------------- +Mon Sep 2 16:23:59 UTC 2013 - [email protected] + +- Don't run install-info on images + +------------------------------------------------------------------- +Mon Sep 2 07:43:21 UTC 2013 - [email protected] + +- Update to 3.2.4 +** libgnutls: Fixes when session tickets and session DB are used. +Report and initial patch by Stefan Buehler. + +** libgnutls: Added the RSA-PSK key exchange. Patch by by Frank Morgner, +based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH. + +** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch +by Stefan Buehler. + +** libgnutls: Added the PFS priority string option. + +** libgnutls: Gnulib included files are strictly LGPLv2. + +** libgnutls: Corrected gnutls_certificate_server_set_request(). +Reported by Petr Pisar. + +** API and ABI modifications: +gnutls_record_set_timeout: Exported + +Add files:gnutls-3.2.4.tar.xz.sig, gnutls-3.2.4.tar.xz, gnutls-3.2.4-noecc.patch +Delete file: gnutls-3.2.3-noecc.patch + +------------------------------------------------------------------- +Fri Aug 30 00:31:19 CEST 2013 - [email protected] + +- buildrequire valgrind on the same arch list that valgrind builds + +------------------------------------------------------------------- +Thu Aug 1 13:42:11 UTC 2013 - [email protected] + +- Updated to 3.2.3 + ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan + Buehler. + + ** libgnutls: Solve issue with received TLS packets that exceed 2^14. + (this fixes a bug that was accidentally introduced in 3.2.2) + + ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly + be used by the library. + + ** libgnutls: Fixes in gnutls_record_send_range(). Report and initial + fix by Alfredo Pironti. + +- Updated to 3.2.2 + ** libgnutls: Several optimizations in the related to packet processing + subsystems. + + ** libgnutls: DTLS replay detection can now be disabled (to be used + in certain transport layers like SCTP). + + ** libgnutls: Fixes in SRTP extension generation when MKI is being used. + + ** libgnutls: Added ability to set hooks before or + after sending or receiving any handshake message with + gnutls_handshake_set_hook_function(). + +- gnutls-3.2.3-noecc.patch: updated to disable ECC. +- automake-1.12.patch: upstream, dropped +- gnutls-32bit.patch: upstream, dropped +- gnutls-3.2.1-pkcs11.diff: upstream, dropped + +------------------------------------------------------------------- +Fri Jul 26 12:45:45 UTC 2013 - [email protected] + +- revert to using certificate directory again until gnutls + understands the trust bits in pkcs11. Otherwise it would use + blacklisted certificates. + +------------------------------------------------------------------- +Mon Jul 8 15:12:59 UTC 2013 - [email protected] + +- Override broken configure checks + +------------------------------------------------------------------- +Thu Jul 4 16:15:14 UTC 2013 - [email protected] + +- use pkcs11 interface to fetch the system's CA certificates + (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing + that, obsoletes gnutls-implement-trust-store-dir.diff. + +------------------------------------------------------------------- +Thu Jun 27 13:44:12 UTC 2013 - [email protected] + +- Disable all ECC algorithms. + +- gnutls-32bit.patch: upstream patch to make test + work with 32bit time_t. + +- gnutls-implement-trust-store-dir.diff + + currently not yet forward ported. + +- Updated to GnuTLS 3.2.1 + ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain + openssl versions. + ** libgnutls: Fixes in interrupted function resumption. Report + and patch by Tim Kosse. + ** libgnutls: Corrected issue when receiving client hello verify + requests in DTLS. + ** libgnutls: Fixes in DTLS record overhead size calculations. + ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by + Mann Ern Kang. +- Updated to GnuTLS 3.2.0 + ** libgnutls: Use nettle's elliptic curve implementation. + ** libgnutls: Added Salsa20 cipher + ** libgnutls: Added UMAC-96 and UMAC-128 + ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96. + As they are not standardized they are defined using private ciphersuite numbers. + ** libgnutls: Added support for DTLS 1.2. + ** libgnutls: Added support for the Application Layer Protocol + Negotiation (ALPN) extension. + ** libgnutls: Removed support for the RSA-EXPORT ciphersuites. + ** libgnutls: Avoid linking to librt (that also avoids unnecessary + linking to pthreads if p11-kit isn't used). + +- Updated to GnuTLS 3.1.10 (released 2013-03-22) + ** certtool: When generating PKCS #12 files use by default the + ARCFOUR (RC4) cipher to be compatible with devices that don't + support AES with PKCS #12. + ** libgnutls: Load CA certificates in android 4.x systems. + ** libgnutls: Optimized CA certificate loading. + ** libgnutls: Private keys are overwritten on deinitialization. + ** libgnutls: PKCS #11 slots are scanned only when needed, not + on initialization. This speeds up gnutls initialization when smart + cards are present. + ** libgnutls: Corrected issue in the (deprecated) external key + signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen. + ** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by + Joke de Buhr. + ** libgnutls-dane: Updated DANE verification options. + ** configure: Trust store file must be explicitly set or unset when + cross compiling. +- Updated to GnuTLS 3.1.9 (released 2013-02-27) + ** certtool: Option --to-p12 will now ask for a password to generate + a PKCS #12 file from an encrypted key file. Reported by Yan Fiz. + ** libgnutls: Corrected issue in gnutls_pubkey_verify_data(). + ** libgnutls: Corrected parsing issue in XMPP within a subject + alternative name. Reported by James Cloos. + ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11 + modules, and not only the ones loaded via p11-kit. + ** libgnutls: Added function to check whether the private key is + still available (inserted). + ** libgnutls: Try to detect fork even during nonce generation. + +- Updated to GnuTLS 3.1.8 (released 2013-02-10) + ** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return + GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation + with encrypted keys. Reported by Yan Fiz. + ** libgnutls: The minimum DH bits accepted by priorities NORMAL and + PERFORMANCE was set to previous defaults 727 bits. Reported by Diego + Elio Petteno. + ** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() + to operate with long keys. Reported by Erik A Jensen. + +- Updated to GnuTLS 3.1.7 (released 2013-02-04) + ** certtool: Added option "dn" which allows to directly set the DN + in a template from an RFC4514 string. + ** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters. + ** libgnutls-xssl: Added a new library to simplify GnuTLS usage. + ** libgnutls-dane: Added function to specify a DLV file. ++++ 1456 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new/gnutls.changes New: ---- CVE-2013-4466.patch CVE-2013-4487.patch CVE-2014-0092.patch baselibs.conf gnutls-3.0.26-skip-test-fwrite.patch gnutls-3.2.4.tar.xz gnutls-3.2.4.tar.xz.sig gnutls-implement-trust-store-dir.diff gnutls.changes gnutls.keyring gnutls.spec make-obs-happy-with-gnutls_3.2.4.patch revert-simplified-decrypted-data-allocation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ # # spec file for package gnutls # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 Name: gnutls Version: 3.2.4 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz # signature is checked by source services. Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig Source2: %name.keyring Source3: baselibs.conf # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch [email protected] -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch Patch6: gnutls-implement-trust-store-dir.diff Patch7: make-obs-happy-with-gnutls_3.2.4.patch Patch8: CVE-2013-4466.patch Patch9: CVE-2013-4487.patch # fix COMP-DEFLATE (allocated buffer too small), fixed upstream in 3.2.7 - stbuehler Patch10: revert-simplified-decrypted-data-allocation.patch Patch11: CVE-2014-0092.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 2.7 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool %ifarch %ix86 x86_64 ppc ppc64 s390x armv7l armv7hl BuildRequires: valgrind %endif %if %suse_version >= 1230 BuildRequires: makeinfo %endif BuildRequires: p11-kit-devel >= 0.11 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # bug437293 %ifarch ppc64 Obsoletes: gnutls-64bit %endif %description The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library License: GPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls-openssl%{gnutls_ossl_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for gnutls License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. %package -n libgnutlsxx-devel Summary: Development package for gnutls License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel %description -n libgnutlsxx-devel Files needed for software development using gnutls. %package -n libgnutls-openssl-devel Summary: Development package for gnutls License: GPL-3.0+ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} %description -n libgnutls-openssl-devel Files needed for software development using gnutls. %prep %setup -q %patch3 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %build autoreconf -if # echde explicitly disabled - meissner&cfarrell %configure \ gl_cv_func_printf_directive_n=yes \ gl_cv_func_printf_infinite_long_double=yes \ --disable-static \ --with-pic \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=/var/lib/ca-certificates/pem \ --enable-ecdhe \ --with-sysroot=/%{?_sysroot} %__make %{?_smp_mflags} %install %make_install rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files rm -f %{buildroot}%{_libdir}/*.la # install docs %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ %__cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/ %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference %__cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ %__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples %__cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ %find_lang libgnutls --all-name %check %if ! 0%{?qemu_user_space_build} %__make check %endif %clean rm -rf %{buildroot} %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %postun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %files -f libgnutls.lang %defattr(-, root, root) %doc THANKS README NEWS ChangeLog COPYING COPYING.LESSER AUTHORS doc/TODO %{_bindir}/certtool %{_bindir}/crywrap %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool %{_bindir}/danetool %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* %{_libdir}/libgnutls-xssl.so.* %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* %files -n libgnutlsxx%{gnutlsxx_sover} %defattr(-,root,root) %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel %defattr(-, root, root) %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/tpm.h %{_includedir}/%{name}/xssl.h %{_libdir}/libgnutls.so %{_libdir}/libgnutls-xssl.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*.* %doc %{_docdir}/libgnutls-devel %files -n libgnutlsxx-devel %defattr(-, root, root) %{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %files -n libgnutls-openssl-devel %defattr(-, root, root) %{_libdir}/libgnutls-openssl.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/openssl.h %changelog ++++++ CVE-2013-4466.patch ++++++ Index: gnutls-3.2.4/libdane/dane.c =================================================================== --- gnutls-3.2.4.orig/libdane/dane.c +++ gnutls-3.2.4/libdane/dane.c @@ -233,77 +233,71 @@ int ret; **/ void dane_query_deinit(dane_query_t q) { - ub_resolve_free(q->result); + if (q->result) + ub_resolve_free(q->result); free(q); } /** - * dane_query_tlsa: + * dane_raw_tlsa: * @s: The DANE state structure * @r: A structure to place the result - * @host: The host name to resolve. - * @proto: The protocol type (tcp, udp, etc.) - * @port: The service port number (eg. 443). + * @dane_data: array of DNS rdata items, terminated with a NULL pointer; + * caller must guarantee that the referenced data remains + * valid until dane_query_deinit() is called. + * @dane_data_len: the length n bytes of the dane_data items + * @param secure true if the result is validated securely, false if + * validation failed or the domain queried has no security info + * @param bogus if the result was not secure (secure = 0) due to a security failure, + * and the result is due to a security failure, bogus is true. * - * This function will query the DNS server for the TLSA (DANE) - * data for the given host. + * This function will fill in the TLSA (DANE) structure from + * the given raw DNS record data. * * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port) +int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus) { - char ns[1024]; int ret; unsigned int i; *r = calloc(1, sizeof(struct dane_query_st)); if (*r == NULL) return gnutls_assert_val(DANE_E_MEMORY_ERROR); - - snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host); - - /* query for webserver */ - ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result); - if(ret != 0) { - return gnutls_assert_val(DANE_E_RESOLVING_ERROR); - } - -/* show first result */ - if(!(*r)->result->havedata) { - return gnutls_assert_val(DANE_E_NO_DANE_DATA); - } - + i = 0; do { - if ((*r)->result->len[i] > 3) + if (dane_data_len[i] > 3) ret = DANE_E_SUCCESS; else { return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); } - - (*r)->usage[i] = (*r)->result->data[i][0]; - (*r)->type[i] = (*r)->result->data[i][1]; - (*r)->match[i] = (*r)->result->data[i][2]; - (*r)->data[i].data = (void*)&(*r)->result->data[i][3]; - (*r)->data[i].size = (*r)->result->len[i] - 3; + + (*r)->usage[i] = dane_data[i][0]; + (*r)->type[i] = dane_data[i][1]; + (*r)->match[i] = dane_data[i][2]; + (*r)->data[i].data = (void*)&dane_data[i][3]; + (*r)->data[i].size = dane_data_len[i] - 3; i++; - } while((*r)->result->data[i] != NULL); - + if (i > MAX_DATA_ENTRIES) + break; + } while(dane_data[i] != NULL); + (*r)->data_entries = i; - if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure) { - if ((*r)->result->bogus) + if (!(s->flags & DANE_F_INSECURE) && !secure) { + if (bogus) ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG); else ret = gnutls_assert_val(DANE_E_NO_DNSSEC_SIG); } /* show security status */ - if ((*r)->result->secure) { + if (secure) { (*r)->status = DANE_QUERY_DNSSEC_VERIFIED; - } else if ((*r)->result->bogus) { + } else if (bogus) { gnutls_assert(); (*r)->status = DANE_QUERY_BOGUS; } else { @@ -314,8 +308,53 @@ int dane_query_tlsa(dane_state_t s, dane return ret; } -static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2, - dane_match_type_t match) + +/** + * dane_query_tlsa: + * @s: The DANE state structure + * @r: A structure to place the result + * @host: The host name to resolve. + * @proto: The protocol type (tcp, udp, etc.) + * @port: The service port number (eg. 443). + * + * This function will query the DNS server for the TLSA (DANE) + * data for the given host. + * + * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a + * negative error value. + **/ +int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port) +{ + char ns[1024]; + int ret; + struct ub_result *result; + + snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host); + + /* query for webserver */ + ret = ub_resolve(s->ctx, ns, 52, 1, &result); + if(ret != 0) { + return gnutls_assert_val(DANE_E_RESOLVING_ERROR); + } + + /* show first result */ + if(!result->havedata) { + ub_resolve_free (result); + return gnutls_assert_val(DANE_E_NO_DANE_DATA); + } + + ret = dane_raw_tlsa (s, r, result->data, result->len, result->secure, result->bogus); + if (*r == NULL) { + ub_resolve_free (result); + return ret; + } + + (*r)->result = result; + return ret; +} + +static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2, + dane_match_type_t match) { uint8_t digest[64]; int ret; Index: gnutls-3.2.4/libdane/includes/gnutls/dane.h =================================================================== --- gnutls-3.2.4.orig/libdane/includes/gnutls/dane.h +++ gnutls-3.2.4/libdane/includes/gnutls/dane.h @@ -109,6 +109,8 @@ int dane_state_init (dane_state_t* s, un int dane_state_set_dlv_file(dane_state_t s, const char* file); void dane_state_deinit (dane_state_t s); +int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus); + int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port); dane_query_status_t dane_query_status(dane_query_t q); ++++++ CVE-2013-4487.patch ++++++ Index: gnutls-3.2.4/libdane/dane.c =================================================================== --- gnutls-3.2.4.orig/libdane/dane.c +++ gnutls-3.2.4/libdane/dane.c @@ -1,5 +1,7 @@ /* * Copyright (C) 2012 KU Leuven + * Copyright (C) 2013 Christian Grothoff + * Copyright (C) 2013 Nikos Mavrogiannopoulos * * Author: Nikos Mavrogiannopoulos * @@ -260,32 +262,31 @@ void dane_query_deinit(dane_query_t q) int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus) { int ret; + int ret = DANE_E_SUCCESS; unsigned int i; *r = calloc(1, sizeof(struct dane_query_st)); if (*r == NULL) return gnutls_assert_val(DANE_E_MEMORY_ERROR); - i = 0; - do { + (*r)->data_entries = 0; - if (dane_data_len[i] > 3) - ret = DANE_E_SUCCESS; - else { - return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); - } + for (i=0;i<MAX_DATA_ENTRIES;i++) + { + if (dane_data[i] == NULL) + break; + + if (dane_data_len[i] <= 3) + return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); (*r)->usage[i] = dane_data[i][0]; (*r)->type[i] = dane_data[i][1]; (*r)->match[i] = dane_data[i][2]; (*r)->data[i].data = (void*)&dane_data[i][3]; (*r)->data[i].size = dane_data_len[i] - 3; - i++; - if (i > MAX_DATA_ENTRIES) - break; - } while(dane_data[i] != NULL); - (*r)->data_entries = i; + (*r)->data_entries++; + } if (!(s->flags & DANE_F_INSECURE) && !secure) { if (bogus) ++++++ CVE-2014-0092.patch ++++++ Index: gnutls-3.2.4/lib/x509/verify.c =================================================================== --- gnutls-3.2.4.orig/lib/x509/verify.c +++ gnutls-3.2.4/lib/x509/verify.c @@ -106,7 +106,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -115,7 +115,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -123,7 +123,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -131,7 +131,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } /* If the subject certificate is the same as the issuer @@ -183,6 +183,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu else gnutls_assert (); +fail: result = 0; cleanup: @@ -368,8 +369,9 @@ _gnutls_verify_certificate2 (gnutls_x509 gnutls_datum_t cert_signed_data = { NULL, 0 }; gnutls_datum_t cert_signature = { NULL, 0 }; gnutls_x509_crt_t issuer = NULL; - int issuer_version, result, hash_algo; + int issuer_version, result = 0, hash_algo; unsigned int out = 0, usage; + const mac_entry_st * me; if (output) *output = 0; @@ -408,14 +410,15 @@ _gnutls_verify_certificate2 (gnutls_x509 if (issuer_version < 0) { gnutls_assert (); - return issuer_version; + result = 0; + goto cleanup; } if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) { - if (check_if_ca (cert, issuer, max_path, flags) == 0) + if (check_if_ca (cert, issuer, max_path, flags) != 1) { gnutls_assert (); out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; @@ -446,6 +449,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -454,6 +458,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -461,13 +466,20 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } hash_algo = gnutls_sign_get_hash_algorithm(result); + me = mac_to_entry(hash_algo); + if (me == NULL) { + gnutls_assert(); + result = 0; + goto cleanup; + } result = - _gnutls_x509_verify_data (mac_to_entry(hash_algo), &cert_signed_data, &cert_signature, + _gnutls_x509_verify_data (me, &cert_signed_data, &cert_signature, issuer); if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { @@ -481,6 +493,7 @@ _gnutls_verify_certificate2 (gnutls_x509 else if (result < 0) { gnutls_assert(); + result = 0; goto cleanup; } @@ -650,7 +663,7 @@ _gnutls_x509_verify_certificate (const g ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1], trusted_cas, tcas_size, flags, &output, &issuer, now, &max_path, func); - if (ret == 0) + if (ret != 1) { /* if the last certificate in the certificate * list is invalid, then the certificate is not @@ -678,7 +691,7 @@ _gnutls_x509_verify_certificate (const g if ((ret = _gnutls_verify_certificate2 (certificate_list[i - 1], &certificate_list[i], 1, flags, - &output, NULL, now, &max_path, func)) == 0) + &output, NULL, now, &max_path, func)) != 1) { status |= output; status |= GNUTLS_CERT_INVALID; ++++++ baselibs.conf ++++++ libgnutls28 obsoletes "gnutls-<targettype>" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls28-<targettype> = <version>" ++++++ gnutls-3.0.26-skip-test-fwrite.patch ++++++ Index: gl/tests/test-fwrite.c =================================================================== --- gl/tests/test-fwrite.c.orig 2012-04-12 21:05:11.000000000 +0100 +++ gl/tests/test-fwrite.c 2012-11-23 22:51:17.000000000 +0000 @@ -32,6 +32,8 @@ SIGNATURE_CHECK (fwrite, size_t, (const int main (int argc, char **argv) { + // skip test-fwrite + return 77; const char *filename = "test-fwrite.txt"; /* We don't have an fwrite() function that installs an invalid parameter @@ -50,6 +52,7 @@ main (int argc, char **argv) setvbuf (fp, NULL, _IONBF, 0); ASSERT (close (fileno (fp)) == 0); errno = 0; + // this fwrite returns 5 == sizeof (buf) in openSUSE Factory ASSERT (fwrite (buf, 1, sizeof (buf), fp) == 0); ASSERT (errno == EBADF); ASSERT (ferror (fp)); ++++++ gnutls-implement-trust-store-dir.diff ++++++ Index: gnutls-3.2.3/configure.ac =================================================================== --- gnutls-3.2.3.orig/configure.ac +++ gnutls-3.2.3/configure.ac @@ -418,6 +418,25 @@ if test "$with_default_trust_store_file" with_default_trust_store_file="" fi +AC_ARG_WITH([default-trust-store-dir], + [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY], + [use the given directory as default trust store])], with_default_trust_store_dir="$withval", + [if test "$build" = "$host" ; then + for i in \ + /etc/ssl/certs/ + do + if test -e $i ; then + with_default_trust_store_dir="$i" + break + fi + done + fi] +) + +if test "$with_default_trust_store_dir" = "no";then + with_default_trust_store_dir="" +fi + AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) @@ -427,6 +446,11 @@ if test "x$with_default_trust_store_file ["$with_default_trust_store_file"], [use the given file default trust store]) fi +if test "x$with_default_trust_store_dir" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], + ["$with_default_trust_store_dir"], [use the given directory default trust store]) +fi + if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) @@ -704,6 +728,7 @@ AC_MSG_NOTICE([System files: Trust store pkcs: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir CRL file: $with_default_crl_file DNSSEC root key file: $unbound_root_key_file ]) Index: gnutls-3.2.3/lib/system.c =================================================================== --- gnutls-3.2.3.orig/lib/system.c +++ gnutls-3.2.3/lib/system.c @@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME"); return 0; } -#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) +/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */ +#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__) +# include <dirent.h> +# include <unistd.h> +static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags, unsigned type) +{ +DIR * dirp; +struct dirent *d; +int ret; +int r = 0; +char path[GNUTLS_PATH_MAX]; + + dirp = opendir(dirname); + if (dirp != NULL) + { + do + { + d = readdir(dirp); + if (d != NULL && d->d_type == DT_REG) + { + snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); + + ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); + if (ret >= 0) + r += ret; + } + } + while(d != NULL); + closedir(dirp); + } + + return r; +} +#endif + + +#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR) + static int add_system_trust(gnutls_x509_trust_list_t list, @@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_ r += ret; # endif +# ifdef DEFAULT_TRUST_STORE_DIR + ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM); + if (ret > 0) + r += ret; +# endif + return r; } #elif defined(_WIN32) @@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l return r; } #elif defined(ANDROID) || defined(__ANDROID__) -# include <dirent.h> -# include <unistd.h> -static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, - unsigned int tl_flags, unsigned int tl_vflags, unsigned type) -{ -DIR * dirp; -struct dirent *d; -int ret; -int r = 0; -char path[GNUTLS_PATH_MAX]; - - dirp = opendir(dirname); - if (dirp != NULL) - { - do - { - d = readdir(dirp); - if (d != NULL && d->d_type == DT_REG) - { - snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); - - ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); - if (ret >= 0) - r += ret; - } - } - while(d != NULL); - closedir(dirp); - } - - return r; -} - static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) { DIR * dirp; ++++++ make-obs-happy-with-gnutls_3.2.4.patch ++++++ Index: gnutls-3.2.4/doc/examples/ex-client-xssl1.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/ex-client-xssl1.c +++ gnutls-3.2.4/doc/examples/ex-client-xssl1.c @@ -80,6 +80,8 @@ int main (void) xssl_cred_deinit (cred); gnutls_global_deinit (); + + return 0; } Index: gnutls-3.2.4/doc/examples/ex-client-xssl2.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/ex-client-xssl2.c +++ gnutls-3.2.4/doc/examples/ex-client-xssl2.c @@ -95,4 +95,6 @@ int main (void) xssl_cred_deinit (cred); gnutls_global_deinit (); + + return 0; } Index: gnutls-3.2.4/doc/examples/print-ciphersuites.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/print-ciphersuites.c +++ gnutls-3.2.4/doc/examples/print-ciphersuites.c @@ -51,4 +51,5 @@ int main(int argc, char** argv) { if (argc > 1) print_cipher_suite_list (argv[1]); + return 0; } Index: gnutls-3.2.4/src/serv.c =================================================================== --- gnutls-3.2.4.orig/src/serv.c +++ gnutls-3.2.4/src/serv.c @@ -1216,6 +1216,8 @@ main (int argc, char **argv) udp_server (name, port, mtu); else tcp_server (name, port); + + return 0; } static void ++++++ revert-simplified-decrypted-data-allocation.patch ++++++ >From c3b39817df8b45f48edd89b6e652201e986770dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= <[email protected]> Date: Thu, 6 Feb 2014 11:13:53 +0100 Subject: [PATCH 1/1] Revert "simplified decrypted data allocation." This reverts commit 1667d2eecd4094a239db9f5ae54990d4c270c52a. It breaks COMP-DEFLATE as the allocated buffer is too small for the inflated content. Fixed upstream in 3.2.7 with commit 172ae00887559fa5ba9a3bdc41d9eccb4844b077. --- lib/gnutls_record.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index d261585..65d5786 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -1189,7 +1189,8 @@ begin: /* We allocate the maximum possible to allow few compressed bytes to expand to a * full record. */ - decrypted = _mbuffer_alloc(record.length, record.length); + t.size = get_max_decrypted_data(session); + decrypted = _mbuffer_alloc(t.size, t.size); if (decrypted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- 1.8.5.3 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
