Hello community,

here is the log from the commit of package gnutls.3951 for openSUSE:13.1:Update checked in at 2015-08-12 14:12:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/gnutls.3951 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.gnutls.3951.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls.3951"

Changes:
--------
New Changes file:

--- /dev/null	2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.gnutls.3951.new/gnutls.changes	2015-08-12 14:12:19.000000000 +0200
@@ -0,0 +1,1696 @@
+-------------------------------------------------------------------
+Mon Aug 3 09:45:29 UTC 2015 - [email protected]
+
+- fix for CVE-2015-3622 in bundled libtasn1 (bsc#929414)
+  * invalid read in octet string
+  * added gnutls-CVE-2015-3622.patch
+- fix for GNUTLS-SA-2015-2 (bsc#929690)
+  * ServerKeyExchange signature issue
+  * added gnutls-GNUTLS-SA-2015-2.patch
+
+-------------------------------------------------------------------
+Wed Mar 18 13:30:50 UTC 2015 - [email protected]
+
+- fix for CVE-2015-0294 (bnc#919938)
+  * certificate algorithm consistency checking issue
+  * added gnutls-CVE-2015-0294.patch
+
+-------------------------------------------------------------------
+Wed Nov 12 17:26:21 UTC 2014 - [email protected]
+
+- gnutls-CVE-2014-8564.patch: Fixed parsing problem in elliptic
+  curve blobs over TLS that could lead to remote crashes.
+  (bnc#904603 CVE-2014-8564)
+
+-------------------------------------------------------------------
+Tue Jun 3 05:12:37 UTC 2014 - [email protected]
+
+- Fixed bug [bnc#880910], gnutls affected by libtasn1 vulnerabilities
+  Add patch files: CVE-2014-3467.patch, CVE-2014-3468.patch, CVE-2014-3469.patch
+
+-------------------------------------------------------------------
+Mon Jun 2 05:17:53 UTC 2014 - [email protected]
+
+- Fixed bug [bnc#880730], CVE-2014-3466: gnutls: Possible memory corruption during connect
+- Fixed bug [bnc#880733], CVE-2014-3465: gnutls: gnutls_x509_dn_oid_name NULL pointer dereference
+  Add patch files: CVE-2014-3466.patch, CVE-2014-3465.patch
+
+-------------------------------------------------------------------
+Mon Mar 31 09:54:14 UTC 2014 - [email protected]
+
+- Fix bug [bnc#870551]: gnutls cannot access www.bsi.de
+  Add patch file: gnutls-3.2.10-supported-ecc.patch
+
+-------------------------------------------------------------------
+Mon Mar 3 14:04:31 UTC 2014 - [email protected]
+
+- Fixed bug [bnc#865804] gnutls: CVE-2014-0092, insufficient X.509
+  certificate verification
+  Add patch file: CVE-2014-0092.patch
+
+  Enable elliptic curve and so ECDH support again to meet modern
+  cryptographic requirements, removed gnutls-3.2.4-noecc.patch.
+
+-------------------------------------------------------------------
+Thu Feb 6 10:18:09 UTC 2014 - [email protected]
+
+- Fix bug [bnc#861907]: COMP-DEFLATE broken (internal buffer for inflate too
+  small, skipping input)
+  Add patch file: revert-simplified-decrypted-data-allocation.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 04:44:25 UTC 2013 - [email protected]
+
+- Fix bug [bnc#848510], CVE-2013-4487 (off-by-one security fix in libdane)
+  Add patch file: CVE-2013-4487.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 04:22:30 UTC 2013 - [email protected]
+
+- Fix bug [bnc#847484], CVE-2013-4466 (DoS in libdane)
+  Add patch file: CVE-2013-4466.patch
+
+-------------------------------------------------------------------
+Mon Sep 2 16:23:59 UTC 2013 - [email protected]
+
+- Don't run install-info on images
+
+-------------------------------------------------------------------
+Mon Sep 2 07:43:21 UTC 2013 - [email protected]
+
+- Update to 3.2.4
+** libgnutls: Fixes when session tickets and session DB are used.
+Report and initial patch by Stefan Buehler.
+
+** libgnutls: Added the RSA-PSK key exchange. Patch by Frank Morgner,
+based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH.
+
+** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch
+by Stefan Buehler.
+
+** libgnutls: Added the PFS priority string option.
+
+** libgnutls: Gnulib included files are strictly LGPLv2.
+
+** libgnutls: Corrected gnutls_certificate_server_set_request().
+Reported by Petr Pisar.
+
+** API and ABI modifications:
+gnutls_record_set_timeout: Exported
+
+Add files: gnutls-3.2.4.tar.xz.sig, gnutls-3.2.4.tar.xz, gnutls-3.2.4-noecc.patch
+Delete file: gnutls-3.2.3-noecc.patch
+
+-------------------------------------------------------------------
+Fri Aug 30 00:31:19 CEST 2013 - [email protected]
+
+- buildrequire valgrind on the same arch list that valgrind builds
+
+-------------------------------------------------------------------
+Thu Aug 1 13:42:11 UTC 2013 - [email protected]
+
+- Updated to 3.2.3
+  ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan
+  Buehler.
+
+  ** libgnutls: Solve issue with received TLS packets that exceed 2^14.
+  (this fixes a bug that was accidentally introduced in 3.2.2)
+
+  ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly
+  be used by the library.
+
+  ** libgnutls: Fixes in gnutls_record_send_range(). Report and initial
+  fix by Alfredo Pironti.
+
+- Updated to 3.2.2
+  ** libgnutls: Several optimizations in the packet processing related
+  subsystems.
+
+  ** libgnutls: DTLS replay detection can now be disabled (to be used
+  in certain transport layers like SCTP).
+
+  ** libgnutls: Fixes in SRTP extension generation when MKI is being used.
+
+  ** libgnutls: Added ability to set hooks before or
+  after sending or receiving any handshake message with
+  gnutls_handshake_set_hook_function().
+
+- gnutls-3.2.3-noecc.patch: updated to disable ECC.
+- automake-1.12.patch: upstream, dropped
+- gnutls-32bit.patch: upstream, dropped
+- gnutls-3.2.1-pkcs11.diff: upstream, dropped
+
+-------------------------------------------------------------------
+Fri Jul 26 12:45:45 UTC 2013 - [email protected]
+
+- revert to using certificate directory again until gnutls
+  understands the trust bits in pkcs11. Otherwise it would use
+  blacklisted certificates.
+
+-------------------------------------------------------------------
+Mon Jul 8 15:12:59 UTC 2013 - [email protected]
+
+- Override broken configure checks
+
+-------------------------------------------------------------------
+Thu Jul 4 16:15:14 UTC 2013 - [email protected]
+
+- use pkcs11 interface to fetch the system's CA certificates
+  (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing
+  that, obsoletes gnutls-implement-trust-store-dir.diff.
+
+-------------------------------------------------------------------
+Thu Jun 27 13:44:12 UTC 2013 - [email protected]
+
+- Disable all ECC algorithms.
+
+- gnutls-32bit.patch: upstream patch to make test
+  work with 32bit time_t.
+
+- gnutls-implement-trust-store-dir.diff
+  + currently not yet forward ported.
+
+- Updated to GnuTLS 3.2.1
+  ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
+  openssl versions.
+  ** libgnutls: Fixes in interrupted function resumption. Report
+  and patch by Tim Kosse.
+  ** libgnutls: Corrected issue when receiving client hello verify
+  requests in DTLS.
+  ** libgnutls: Fixes in DTLS record overhead size calculations.
+  ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by
+  Mann Ern Kang.
+- Updated to GnuTLS 3.2.0
+  ** libgnutls: Use nettle's elliptic curve implementation.
+  ** libgnutls: Added Salsa20 cipher
+  ** libgnutls: Added UMAC-96 and UMAC-128
+  ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
+  As they are not standardized they are defined using private ciphersuite numbers.
+  ** libgnutls: Added support for DTLS 1.2.
+  ** libgnutls: Added support for the Application Layer Protocol
+  Negotiation (ALPN) extension.
+  ** libgnutls: Removed support for the RSA-EXPORT ciphersuites.
+  ** libgnutls: Avoid linking to librt (that also avoids unnecessary
+  linking to pthreads if p11-kit isn't used).
+
+- Updated to GnuTLS 3.1.10 (released 2013-03-22)
+  ** certtool: When generating PKCS #12 files use by default the
++++ 1499 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.gnutls.3951.new/gnutls.changes

New:
----
  CVE-2013-4466.patch
  CVE-2013-4487.patch
  CVE-2014-0092.patch
  CVE-2014-3465.patch
  CVE-2014-3466.patch
  CVE-2014-3467.patch
  CVE-2014-3468.patch
  CVE-2014-3469.patch
  baselibs.conf
  gnutls-3.0.26-skip-test-fwrite.patch
  gnutls-3.2.10-supported-ecc.patch
  gnutls-3.2.4.tar.xz
  gnutls-3.2.4.tar.xz.sig
  gnutls-CVE-2014-8564.patch
  gnutls-CVE-2015-0294.patch
  gnutls-CVE-2015-3622.patch
  gnutls-GNUTLS-SA-2015-2.patch
  gnutls-implement-trust-store-dir.diff
  gnutls.changes
  gnutls.keyring
  gnutls.spec
  make-obs-happy-with-gnutls_3.2.4.patch
  revert-simplified-decrypted-data-allocation.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnutls.spec ++++++
#
# spec file for package gnutls
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

%define gnutls_sover 28
%define gnutlsxx_sover 28
%define gnutls_ossl_sover 27

Name:           gnutls
Version:        3.2.4
Release:        0
Summary:        The GNU Transport Layer Security Library
License:        LGPL-2.1+ and GPL-3.0+
Group:          Productivity/Networking/Security
Url:            http://www.gnutls.org/
Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
# signature is checked by source services.
Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
Source2:        %name.keyring
Source3:        baselibs.conf
# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch [email protected] -- skip a failing test
Patch3:         gnutls-3.0.26-skip-test-fwrite.patch
Patch6:         gnutls-implement-trust-store-dir.diff
Patch7:         make-obs-happy-with-gnutls_3.2.4.patch
Patch8:         CVE-2013-4466.patch
Patch9:         CVE-2013-4487.patch
# fix COMP-DEFLATE (allocated buffer too small), fixed upstream in 3.2.7 - stbuehler
Patch10:        revert-simplified-decrypted-data-allocation.patch
Patch11:        CVE-2014-0092.patch
Patch12:        gnutls-3.2.10-supported-ecc.patch
Patch13:        CVE-2014-3466.patch
Patch14:        CVE-2014-3465.patch
Patch15:        CVE-2014-3467.patch
Patch16:        CVE-2014-3468.patch
Patch17:        CVE-2014-3469.patch
Patch18:        gnutls-CVE-2014-8564.patch
Patch19:        gnutls-CVE-2015-0294.patch
Patch20:        gnutls-CVE-2015-3622.patch
Patch21:        gnutls-GNUTLS-SA-2015-2.patch
BuildRequires:  automake
BuildRequires:  gcc-c++
BuildRequires:  libidn-devel
BuildRequires:  libnettle-devel >= 2.7
BuildRequires:  libtasn1-devel >= 2.14
BuildRequires:  libtool
%ifarch %ix86 x86_64 ppc ppc64 s390x armv7l armv7hl
BuildRequires:  valgrind
%endif
%if %suse_version >= 1230
BuildRequires:  makeinfo
%endif
BuildRequires:  p11-kit-devel >= 0.11
BuildRequires:  pkg-config
BuildRequires:  xz
BuildRequires:  zlib-devel
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# bug437293
%ifarch ppc64
Obsoletes:      gnutls-64bit
%endif

%description
The GnuTLS project aims to develop a library that provides a secure layer over
a reliable transport layer. Currently the GnuTLS library implements the
proposed standards of the IETF's TLS working group.

%package -n libgnutls%{gnutls_sover}
Summary:        The GNU Transport Layer Security Library
License:        LGPL-2.1+
Group:          Productivity/Networking/Security

%description -n libgnutls%{gnutls_sover}
The GnuTLS project aims to develop a library that provides a secure layer over
a reliable transport layer. Currently the GnuTLS library implements the
proposed standards of the IETF's TLS working group.

%package -n libgnutlsxx%{gnutlsxx_sover}
Summary:        The GNU Transport Layer Security Library
License:        LGPL-2.1+
Group:          Productivity/Networking/Security

%description -n libgnutlsxx%{gnutlsxx_sover}
The GnuTLS project aims to develop a library that provides a secure layer over
a reliable transport layer. Currently the GnuTLS library implements the
proposed standards of the IETF's TLS working group.

%package -n libgnutls-openssl%{gnutls_ossl_sover}
Summary:        The GNU Transport Layer Security Library
License:        GPL-3.0+
Group:          Productivity/Networking/Security

%description -n libgnutls-openssl%{gnutls_ossl_sover}
The GnuTLS project aims to develop a library that provides a secure layer over
a reliable transport layer. Currently the GnuTLS library implements the
proposed standards of the IETF's TLS working group.

%package -n libgnutls-devel
Summary:        Development package for gnutls
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
PreReq:         %install_info_prereq
Requires:       glibc-devel
Requires:       libgnutls%{gnutls_sover} = %{version}
Provides:       gnutls-devel = %{version}-%{release}

%description -n libgnutls-devel
Files needed for software development using gnutls.
%package -n libgnutlsxx-devel
Summary:        Development package for gnutls
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
PreReq:         %install_info_prereq
Requires:       libgnutls-devel = %{version}
Requires:       libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires:       libstdc++-devel

%description -n libgnutlsxx-devel
Files needed for software development using gnutls.

%package -n libgnutls-openssl-devel
Summary:        Development package for gnutls
License:        GPL-3.0+
Group:          Development/Libraries/C and C++
Requires:       libgnutls-devel = %{version}
Requires:       libgnutls-openssl%{gnutls_ossl_sover} = %{version}

%description -n libgnutls-openssl-devel
Files needed for software development using gnutls.

%prep
%setup -q
%patch3
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1

%build
autoreconf -if
# ecdhe explicitly enabled again: ECC support was restored with the CVE-2014-0092
# update (see gnutls.changes, bnc#865804); it had earlier been disabled by meissner&cfarrell
%configure \
        gl_cv_func_printf_directive_n=yes \
        gl_cv_func_printf_infinite_long_double=yes \
        --disable-static \
        --with-pic \
        --disable-rpath \
        --disable-silent-rules \
        --with-default-trust-store-dir=/var/lib/ca-certificates/pem \
        --enable-ecdhe \
        --with-sysroot=/%{?_sysroot}
%__make %{?_smp_mflags}

%install
%make_install
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
# Do not package static libs and libtool files
rm -f %{buildroot}%{_libdir}/*.la
# install docs
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
%__cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
%__cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
%__cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
%find_lang libgnutls --all-name

%check
%if ! 0%{?qemu_user_space_build}
%__make check
%endif

%clean
rm -rf %{buildroot}

%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
%postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig

%post -n libgnutls-devel
%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz

%postun -n libgnutls-devel
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz

%files -f libgnutls.lang
%defattr(-, root, root)
%doc THANKS README NEWS ChangeLog COPYING COPYING.LESSER AUTHORS doc/TODO
%{_bindir}/certtool
%{_bindir}/crywrap
%{_bindir}/gnutls-cli
%{_bindir}/gnutls-cli-debug
%{_bindir}/gnutls-serv
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%{_bindir}/danetool
%{_mandir}/man1/*

%files -n libgnutls%{gnutls_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls.so.%{gnutls_sover}*
%{_libdir}/libgnutls-xssl.so.*

%files -n libgnutls-openssl%{gnutls_ossl_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}*

%files -n libgnutlsxx%{gnutlsxx_sover}
%defattr(-,root,root)
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*

%files -n libgnutls-devel
%defattr(-, root, root)
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h
%{_includedir}/%{name}/compat.h
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/tpm.h
%{_includedir}/%{name}/xssl.h
%{_libdir}/libgnutls.so
%{_libdir}/libgnutls-xssl.so
%{_libdir}/pkgconfig/gnutls.pc
%{_mandir}/man3/*
%{_infodir}/*.*
%doc %{_docdir}/libgnutls-devel

%files -n libgnutlsxx-devel
%defattr(-, root, root)
%{_libdir}/libgnutlsxx.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h

%files -n libgnutls-openssl-devel
%defattr(-, root, root)
%{_libdir}/libgnutls-openssl.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/openssl.h

%changelog
++++++ CVE-2013-4466.patch ++++++ Index: gnutls-3.2.4/libdane/dane.c =================================================================== --- gnutls-3.2.4.orig/libdane/dane.c +++ gnutls-3.2.4/libdane/dane.c
@@ -233,77 +233,71 @@ int ret; **/ void dane_query_deinit(dane_query_t q) { - ub_resolve_free(q->result); + if (q->result) + ub_resolve_free(q->result); free(q); } /** - * dane_query_tlsa: + * dane_raw_tlsa: * @s: The DANE state structure * @r: A structure to place the result - * @host: The host name to resolve. - * @proto: The protocol type (tcp, udp, etc.) - * @port: The service port number (eg. 443). + * @dane_data: array of DNS rdata items, terminated with a NULL pointer; + * caller must guarantee that the referenced data remains + * valid until dane_query_deinit() is called. + * @dane_data_len: the length n bytes of the dane_data items + * @param secure true if the result is validated securely, false if + * validation failed or the domain queried has no security info + * @param bogus if the result was not secure (secure = 0) due to a security failure, + * and the result is due to a security failure, bogus is true. * - * This function will query the DNS server for the TLSA (DANE) - * data for the given host. + * This function will fill in the TLSA (DANE) structure from + * the given raw DNS record data. * * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a * negative error value. 
**/ -int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port) +int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus) { - char ns[1024]; int ret; unsigned int i; *r = calloc(1, sizeof(struct dane_query_st)); if (*r == NULL) return gnutls_assert_val(DANE_E_MEMORY_ERROR); - - snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host); - - /* query for webserver */ - ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result); - if(ret != 0) { - return gnutls_assert_val(DANE_E_RESOLVING_ERROR); - } - -/* show first result */ - if(!(*r)->result->havedata) { - return gnutls_assert_val(DANE_E_NO_DANE_DATA); - } - + i = 0; do { - if ((*r)->result->len[i] > 3) + if (dane_data_len[i] > 3) ret = DANE_E_SUCCESS; else { return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); } - - (*r)->usage[i] = (*r)->result->data[i][0]; - (*r)->type[i] = (*r)->result->data[i][1]; - (*r)->match[i] = (*r)->result->data[i][2]; - (*r)->data[i].data = (void*)&(*r)->result->data[i][3]; - (*r)->data[i].size = (*r)->result->len[i] - 3; + + (*r)->usage[i] = dane_data[i][0]; + (*r)->type[i] = dane_data[i][1]; + (*r)->match[i] = dane_data[i][2]; + (*r)->data[i].data = (void*)&dane_data[i][3]; + (*r)->data[i].size = dane_data_len[i] - 3; i++; - } while((*r)->result->data[i] != NULL); - + if (i > MAX_DATA_ENTRIES) + break; + } while(dane_data[i] != NULL); + (*r)->data_entries = i; - if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure) { - if ((*r)->result->bogus) + if (!(s->flags & DANE_F_INSECURE) && !secure) { + if (bogus) ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG); else ret = gnutls_assert_val(DANE_E_NO_DNSSEC_SIG); } /* show security status */ - if ((*r)->result->secure) { + if (secure) { (*r)->status = DANE_QUERY_DNSSEC_VERIFIED; - } else if ((*r)->result->bogus) { + } else if (bogus) { gnutls_assert(); (*r)->status = DANE_QUERY_BOGUS; } else { 
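Review bot: the bound check in the new dane_raw_tlsa loop is off by one: `i++; if (i > MAX_DATA_ENTRIES) break;` lets the pass with i == MAX_DATA_ENTRIES continue, so `while(dane_data[i] != NULL)` tests an entry the caller never promised to provide and, if it is non-NULL, the next iteration writes `(*r)->usage[MAX_DATA_ENTRIES]`, `(*r)->type[...]`, `(*r)->match[...]` and `(*r)->data[...]` one past the end of those arrays. Use `>=`, or better a bounded `for (i = 0; i < MAX_DATA_ENTRIES && dane_data[i] != NULL; i++)` that checks `dane_data_len[i] > 3` before touching the entry (this is what CVE-2013-4487.patch further down does). Two documentation points in the same hunk: the gtk-doc block mixes `@param secure` / `@param bogus` with the `@name:` form used for the other parameters, and "the length n bytes" should read "in bytes". The `if (q->result)` guard added to dane_query_deinit is needed because a query built through dane_raw_tlsa has no ub_result to free.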
@@ -314,8 +308,53 @@ int dane_query_tlsa(dane_state_t s, dane return ret; } -static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2, - dane_match_type_t match) + +/** + * dane_query_tlsa: + * @s: The DANE state structure + * @r: A structure to place the result + * @host: The host name to resolve. + * @proto: The protocol type (tcp, udp, etc.) + * @port: The service port number (eg. 443). + * + * This function will query the DNS server for the TLSA (DANE) + * data for the given host. + * + * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a + * negative error value. + **/ +int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port) +{ + char ns[1024]; + int ret; + struct ub_result *result; + + snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host); + + /* query for webserver */ + ret = ub_resolve(s->ctx, ns, 52, 1, &result); + if(ret != 0) { + return gnutls_assert_val(DANE_E_RESOLVING_ERROR); + } + + /* show first result */ + if(!result->havedata) { + ub_resolve_free (result); + return gnutls_assert_val(DANE_E_NO_DANE_DATA); + } + + ret = dane_raw_tlsa (s, r, result->data, result->len, result->secure, result->bogus); + if (*r == NULL) { + ub_resolve_free (result); + return ret; + } + + (*r)->result = result; + return ret; +} + +static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2, + dane_match_type_t match) { uint8_t digest[64]; int ret; Index: gnutls-3.2.4/libdane/includes/gnutls/dane.h =================================================================== --- gnutls-3.2.4.orig/libdane/includes/gnutls/dane.h +++ gnutls-3.2.4/libdane/includes/gnutls/dane.h 
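Review bot: ownership of `result` on the error path of the new dane_query_tlsa is subtle and undocumented. When dane_raw_tlsa fails after allocating `*r` (DANE_E_RECEIVED_CORRUPT_DATA, DANE_E_NO_DNSSEC_SIG or DANE_E_INVALID_DNSSEC_SIG), the code still attaches `result` via `(*r)->result = result;` and returns the negative code, so the caller must call dane_query_deinit() on `*r` even on failure or both the ub_result and the query struct leak; the docstring should say so, or the function should free both and set `*r = NULL` before returning an error. The `if (*r == NULL) { ub_resolve_free (result); return ret; }` branch only covers the calloc failure, and the DANE_E_NO_DANE_DATA path correctly frees `result` because `*r` was never allocated there.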
@@ -109,6 +109,8 @@ int dane_state_init (dane_state_t* s, un int dane_state_set_dlv_file(dane_state_t s, const char* file); void dane_state_deinit (dane_state_t s); +int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus); + int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port); dane_query_status_t dane_query_status(dane_query_t q); ++++++ CVE-2013-4487.patch ++++++ Index: gnutls-3.2.4/libdane/dane.c =================================================================== --- gnutls-3.2.4.orig/libdane/dane.c +++ gnutls-3.2.4/libdane/dane.c @@ -1,5 +1,7 @@ /* * Copyright (C) 2012 KU Leuven + * Copyright (C) 2013 Christian Grothoff + * Copyright (C) 2013 Nikos Mavrogiannopoulos * * Author: Nikos Mavrogiannopoulos * 
@@ -260,32 +262,31 @@ void dane_query_deinit(dane_query_t q) int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus) { int ret; + int ret = DANE_E_SUCCESS; unsigned int i; *r = calloc(1, sizeof(struct dane_query_st)); if (*r == NULL) return gnutls_assert_val(DANE_E_MEMORY_ERROR); - i = 0; - do { + (*r)->data_entries = 0; - if (dane_data_len[i] > 3) - ret = DANE_E_SUCCESS; - else { - return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); - } + for (i=0;i<MAX_DATA_ENTRIES;i++) + { + if (dane_data[i] == NULL) + break; + + if (dane_data_len[i] <= 3) + return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA); (*r)->usage[i] = dane_data[i][0]; (*r)->type[i] = dane_data[i][1]; (*r)->match[i] = dane_data[i][2]; (*r)->data[i].data = (void*)&dane_data[i][3]; (*r)->data[i].size = dane_data_len[i] - 3; - i++; - if (i > MAX_DATA_ENTRIES) - break; - } while(dane_data[i] != NULL); - (*r)->data_entries = i; + (*r)->data_entries++; + } if (!(s->flags & DANE_F_INSECURE) && !secure) { if (bogus) ++++++ CVE-2014-0092.patch ++++++ Index: gnutls-3.2.4/lib/x509/verify.c =================================================================== --- gnutls-3.2.4.orig/lib/x509/verify.c +++ gnutls-3.2.4/lib/x509/verify.c @@ -106,7 +106,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -115,7 +115,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -123,7 +123,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } result = @@ -131,7 +131,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu if (result < 0) { gnutls_assert (); - goto cleanup; + goto fail; } /* If the subject certificate is the same as the issuer @@ -183,6 +183,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu else gnutls_assert (); +fail: result = 0; cleanup: 
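Review bot: as rendered here the hunk shows `int ret;` followed by `+ int ret = DANE_E_SUCCESS;` with no `-` marker on the first line, which would be a duplicate declaration and not compile; if the old declaration was meant to be removed the marker has been lost in this copy and the actual patch file should be checked. The replacement `for (i=0;i<MAX_DATA_ENTRIES;i++)` with `if (dane_data[i] == NULL) break;` before any indexing closes the overflow left by CVE-2013-4466.patch, and incrementing `(*r)->data_entries` only after an entry has been validated means a later corrupt record cannot leave a stale count. One remaining point: `return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA)` leaves the freshly calloc'd `*r` for the caller to free, which is consistent with the rest of the function but deserves a comment so nobody "fixes" it with a free() here and causes a double free in dane_query_tlsa.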
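Review bot: the `fail:` label falling through to `result = 0;` is the right shape for check_if_ca: before this change a parser error took `goto cleanup` and returned whatever negative value `result` held, and callers treating any non-zero as "is a CA" accepted it. With the label the function has exactly two outcomes, 1 for a verified CA and 0 for everything else, so call sites must compare against 1 rather than against 0 (the `_gnutls_verify_certificate2` hunk in this patch does that). Add a comment above `fail:` stating that every error path must jump here and never directly to `cleanup:`, since a future `goto cleanup` would silently reintroduce the bug.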
@@ -368,8 +369,9 @@ _gnutls_verify_certificate2 (gnutls_x509 gnutls_datum_t cert_signed_data = { NULL, 0 }; gnutls_datum_t cert_signature = { NULL, 0 }; gnutls_x509_crt_t issuer = NULL; - int issuer_version, result, hash_algo; + int issuer_version, result = 0, hash_algo; unsigned int out = 0, usage; + const mac_entry_st * me; if (output) *output = 0; @@ -408,14 +410,15 @@ _gnutls_verify_certificate2 (gnutls_x509 if (issuer_version < 0) { gnutls_assert (); - return issuer_version; + result = 0; + goto cleanup; } if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer_version != 1)) { - if (check_if_ca (cert, issuer, max_path, flags) == 0) + if (check_if_ca (cert, issuer, max_path, flags) != 1) { gnutls_assert (); out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; @@ -446,6 +449,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -454,6 +458,7 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } @@ -461,13 +466,20 @@ _gnutls_verify_certificate2 (gnutls_x509 if (result < 0) { gnutls_assert (); + result = 0; goto cleanup; } hash_algo = gnutls_sign_get_hash_algorithm(result); + me = mac_to_entry(hash_algo); + if (me == NULL) { + gnutls_assert(); + result = 0; + goto cleanup; + } result = - _gnutls_x509_verify_data (mac_to_entry(hash_algo), &cert_signed_data, &cert_signature, + _gnutls_x509_verify_data (me, &cert_signed_data, &cert_signature, issuer); if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { @@ -481,6 +493,7 @@ _gnutls_verify_certificate2 (gnutls_x509 else if (result < 0) { gnutls_assert(); + result = 0; goto cleanup; } 
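Review bot: `result = 0; goto cleanup;` is now repeated on every error path in _gnutls_verify_certificate2 (issuer_version < 0, the three data-extraction failures, the `mac_to_entry(hash_algo) == NULL` case and the generic `result < 0` after _gnutls_x509_verify_data). Because 0 is the "verification failed" return and `result` is already initialised to 0 at declaration, it would be less fragile to force `result = 0` once at `cleanup:` whenever the success state was not reached, rather than relying on each `goto` being preceded by the assignment. Note also that these paths return 0 without setting `out |= GNUTLS_CERT_INVALID`, so callers must treat "anything but 1" as invalid themselves. The `mac_to_entry` NULL guard is a real fix on its own: an unrecognised signature hash previously reached `_gnutls_x509_verify_data` with a NULL entry.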
@@ -650,7 +663,7 @@ _gnutls_x509_verify_certificate (const g ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1], trusted_cas, tcas_size, flags, &output, &issuer, now, &max_path, func); - if (ret == 0) + if (ret != 1) { /* if the last certificate in the certificate * list is invalid, then the certificate is not @@ -678,7 +691,7 @@ _gnutls_x509_verify_certificate (const g if ((ret = _gnutls_verify_certificate2 (certificate_list[i - 1], &certificate_list[i], 1, flags, - &output, NULL, now, &max_path, func)) == 0) + &output, NULL, now, &max_path, func)) != 1) { status |= output; status |= GNUTLS_CERT_INVALID; ++++++ CVE-2014-3465.patch ++++++ Index: gnutls-3.2.4/lib/x509/common.c =================================================================== --- gnutls-3.2.4.orig/lib/x509/common.c +++ gnutls-3.2.4/lib/x509/common.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2003-2012 Free Software Foundation, Inc. + * Copyright (C) 2003-2014 Free Software Foundation, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -242,7 +242,7 @@ gnutls_x509_dn_oid_name (const char *oid do { - if (strcmp (_oid2str[i].oid, oid) == 0) + if (strcmp (_oid2str[i].oid, oid) == 0 && _oid2str[i].ldap_desc != NULL) return _oid2str[i].ldap_desc; i++; } ++++++ CVE-2014-3466.patch ++++++ Index: gnutls-3.2.4/lib/gnutls_handshake.c =================================================================== --- gnutls-3.2.4.orig/lib/gnutls_handshake.c +++ gnutls-3.2.4/lib/gnutls_handshake.c @@ -1741,7 +1741,7 @@ _gnutls_read_server_hello (gnutls_sessio DECR_LEN (len, 1); session_id_len = data[pos++]; - if (len < session_id_len) + if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE) { gnutls_assert (); return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; ++++++ CVE-2014-3467.patch ++++++ Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c +++ gnutls-3.2.4/lib/minitasn1/decoding.c 
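Review bot: changing both call sites in _gnutls_x509_verify_certificate from `== 0` to `!= 1` is required now that _gnutls_verify_certificate2 returns 0 on internal errors as well as on signature failure, but the hunk only touches this one function; every other caller of _gnutls_verify_certificate2 in the tree needs the same audit, since any remaining `== 0` comparison would accept a chain when the verifier bails out with an error folded into 0. Consider returning a distinct status bit for "verification could not be performed" so that callers can tell it apart from a genuine bad signature in logs.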
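Review bot: the CVE-2014-3465 change to gnutls_x509_dn_oid_name only adds `&& _oid2str[i].ldap_desc != NULL` to the match condition, which stops the NULL return for a known OID but also means such an OID now falls through the loop like an unknown one; the function's documented return for that case (NULL, if it is the same as for unknown OIDs) should be stated explicitly so callers that previously got a NULL and crashed now know to check for it.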
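Review bot: the added `session_id_len > TLS_MAX_SESSION_ID_SIZE` test in _gnutls_read_server_hello is the actual bounds check for the fixed-size session id buffer the value is later copied into, but the shared branch still returns GNUTLS_E_UNSUPPORTED_VERSION_PACKET, which says nothing about a bad length; a separate `if` returning a packet-length error code would make the rejection reason visible to operators debugging a handshake failure. The check belongs before any use of `session_id_len`, which it is, and `DECR_LEN (len, 1)` above it already guarantees the length byte itself is present.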
@@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *d /* Long form */ punt = 1; ris = 0; - while (punt <= der_len && der[punt] & 128) + while (punt < der_len && der[punt] & 128) { last = ris; @@ -259,7 +259,7 @@ _asn1_get_time_der (const unsigned char if (der_len <= 0 || str == NULL) return ASN1_DER_ERROR; str_len = asn1_get_length_der (der, der_len, &len_len); - if (str_len < 0 || str_size < str_len) + if (str_len <= 0 || str_size < str_len) return ASN1_DER_ERROR; memcpy (str, der + len_len, str_len); str[str_len] = 0; @@ -285,7 +285,7 @@ _asn1_get_objectid_der (const unsigned c return ASN1_GENERIC_ERROR; len = asn1_get_length_der (der, der_len, &len_len); - if (len < 0 || len > der_len || len_len > der_len) + if (len <= 0 || len > der_len || len_len > der_len) return ASN1_DER_ERROR; val1 = der[len_len] / 40; ++++++ CVE-2014-3468.patch ++++++ Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c +++ gnutls-3.2.4/lib/minitasn1/decoding.c @@ -226,7 +226,7 @@ asn1_get_octet_der (const unsigned char int *ret_len, unsigned char *str, int str_size, int *str_len) { - int len_len; + int len_len = 0; if (der_len <= 0) return ASN1_GENERIC_ERROR; @@ -347,7 +347,7 @@ asn1_get_bit_der (const unsigned char *d int *ret_len, unsigned char *str, int str_size, int *bit_len) { - int len_len, len_byte; + int len_len = 0, len_byte; if (der_len <= 0) return ASN1_GENERIC_ERROR; @@ -358,6 +358,9 @@ asn1_get_bit_der (const unsigned char *d *ret_len = len_byte + len_len + 1; *bit_len = len_byte * 8 - der[len_len]; + if (*bit_len <= 0) + return ASN1_DER_ERROR; + if (str_size >= len_byte) memcpy (str, der + len_len + 1, len_byte); else ++++++ CVE-2014-3469.patch ++++++ Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c +++ gnutls-3.2.4/lib/minitasn1/decoding.c 
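Review bot: in asn1_get_tag_der the loop condition is now `punt < der_len`, but when it exits because `punt` reached `der_len` (a long-form tag truncated right after a continuation byte) the code following the loop still needs an explicit `if (punt >= der_len) return ASN1_DER_ERROR;` before it reads `der[punt]` again; the loop bound alone only prevents the read inside the loop. In _asn1_get_time_der, `str_len <= 0` now rejects empty and negative lengths, yet there is still no visible check that `len_len + str_len <= der_len` before `memcpy (str, der + len_len, str_len)`, so a length octet larger than the remaining input reads past the buffer; the `len <= 0 || len > der_len || len_len > der_len` pattern used in _asn1_get_objectid_der in the same patch would close it.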
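Review bot: in asn1_get_bit_der the new `if (*bit_len <= 0) return ASN1_DER_ERROR;` runs after `der[len_len]` (the unused-bits octet) has already been read, and nothing in the hunk guarantees `len_len < der_len` or `len_byte >= 1` before that read; check those first. DER also requires the unused-bits octet to be in 0..7, so rejecting `der[len_len] > 7` outright is the correct test rather than relying on `len_byte * 8 - der[len_len]` happening to go non-positive, which only catches a one-byte string with an absurd unused count. Initialising `len_len = 0` in both functions is a sensible guard because asn1_get_length_der does not set it on every error return, but the callers should still test the return value before using either output.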
@@ -231,7 +231,6 @@ asn1_get_octet_der (const unsigned char if (der_len <= 0) return ASN1_GENERIC_ERROR; - /* if(str==NULL) return ASN1_SUCCESS; */ *str_len = asn1_get_length_der (der, der_len, &len_len); if (*str_len < 0) @@ -239,7 +238,10 @@ asn1_get_octet_der (const unsigned char *ret_len = *str_len + len_len; if (str_size >= *str_len) - memcpy (str, der + len_len, *str_len); + { + if (*str_len > 0 && str != NULL) + memcpy (str, der + len_len, *str_len); + } else { return ASN1_MEM_ERROR; @@ -362,7 +364,10 @@ asn1_get_bit_der (const unsigned char *d return ASN1_DER_ERROR; if (str_size >= len_byte) - memcpy (str, der + len_len + 1, len_byte); + { + if (len_byte > 0 && str) + memcpy (str, der + len_len + 1, len_byte); + } else { return ASN1_MEM_ERROR; Index: gnutls-3.2.4/lib/minitasn1/element.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/element.c +++ gnutls-3.2.4/lib/minitasn1/element.c @@ -112,8 +112,11 @@ _asn1_convert_integer (const unsigned ch /* VALUE_OUT is too short to contain the value conversion */ return ASN1_MEM_ERROR; - for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) - value_out[k2 - k] = val[k2]; + if (value_out != NULL) + { + for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) + value_out[k2 - k] = val[k2]; + } #if 0 printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); @@ -616,7 +619,8 @@ asn1_write_value (asn1_node node_root, c if (ptr_size < data_size) { \ return ASN1_MEM_ERROR; \ } else { \ - memcpy( ptr, data, data_size); \ + if (ptr && data_size > 0) \ + memcpy( ptr, data, data_size); \ } #define PUT_STR_VALUE( ptr, ptr_size, data) \ @@ -625,7 +629,9 @@ asn1_write_value (asn1_node node_root, c return ASN1_MEM_ERROR; \ } else { \ /* this strcpy is checked */ \ - _asn1_strcpy(ptr, data); \ + if (ptr) { \ + _asn1_strcpy(ptr, data); \ + } \ } #define PUT_AS_STR_VALUE( ptr, ptr_size, data, data_size) \ 
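Review bot: the `str != NULL` / `str` guards before the memcpy calls in asn1_get_octet_der and asn1_get_bit_der make the "pass NULL to measure" convention safe, but they also change the contract: a caller passing `str = NULL` with a `str_size` that is nevertheless large enough now gets ASN1_SUCCESS and a filled `*str_len` / `*ret_len` with nothing copied. That is the intended measure-only use, and `str = NULL, str_size = 0` keeps returning ASN1_MEM_ERROR with the required length because the `str_size >= *str_len` test still runs first, but both behaviours should be written into the function documentation; the same applies to the `value_out != NULL` guard in _asn1_convert_integer, where `*len` is still set so the caller can size a buffer on a first call. Removing the commented-out `/* if(str==NULL) return ASN1_SUCCESS; */` line is welcome, since it described a contract that was never implemented.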
@@ -639,12 +645,13 @@ asn1_write_value (asn1_node node_root, c } #define ADD_STR_VALUE( ptr, ptr_size, data) \ - *len = (int) _asn1_strlen(data) + 1; \ - if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \ + *len += _asn1_strlen(data); \ + if (ptr_size < (int) *len) { \ + (*len)++; \ return ASN1_MEM_ERROR; \ } else { \ /* this strcat is checked */ \ - _asn1_strcat(ptr, data); \ + if (ptr) _asn1_strcat (ptr, data); \ } /** @@ -875,7 +882,9 @@ asn1_read_value_type (asn1_node root, co case ASN1_ETYPE_OBJECT_ID: if (node->type & CONST_ASSIGN) { - value[0] = 0; + *len = 0; + if (value) + value[0] = 0; p = node->down; while (p) { @@ -889,7 +898,7 @@ asn1_read_value_type (asn1_node root, co } p = p->right; } - *len = _asn1_strlen (value) + 1; + (*len)++; } else if ((node->type & CONST_DEFAULT) && (node->value == NULL)) { ++++++ baselibs.conf ++++++ libgnutls28 obsoletes "gnutls-<targettype>" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls28-<targettype> = <version>" ++++++ gnutls-3.0.26-skip-test-fwrite.patch ++++++ Index: gl/tests/test-fwrite.c =================================================================== --- gl/tests/test-fwrite.c.orig 2012-04-12 21:05:11.000000000 +0100 +++ gl/tests/test-fwrite.c 2012-11-23 22:51:17.000000000 +0000 @@ -32,6 +32,8 @@ SIGNATURE_CHECK (fwrite, size_t, (const int main (int argc, char **argv) { + // skip test-fwrite + return 77; const char *filename = "test-fwrite.txt"; /* We don't have an fwrite() function that installs an invalid parameter 
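Review bot: In the `ADD_STR_VALUE` hunk, the success path now compares `ptr_size < (int) *len` where `*len` counts characters only, so when `ptr_size == *len` the `_asn1_strcat` still writes its terminating NUL at `ptr[ptr_size]`, one byte past the buffer; the old condition included the terminator through its `+1`. Use `ptr_size <= (int) *len` (or `ptr_size < (int) *len + 1`) for the `ASN1_MEM_ERROR` branch and keep the `(*len)++` that reports the terminator in the required size. Note too that the macro is now cumulative and relies on the caller zeroing `*len` first, as the `asn1_read_value_type` hunk below does with `*len = 0;`; every other user of the macro needs the same reset.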
@@ -50,6 +52,7 @@ main (int argc, char **argv) setvbuf (fp, NULL, _IONBF, 0); ASSERT (close (fileno (fp)) == 0); errno = 0; + // this fwrite returns 5 == sizeof (buf) in openSUSE Factory ASSERT (fwrite (buf, 1, sizeof (buf), fp) == 0); ASSERT (errno == EBADF); ASSERT (ferror (fp)); ++++++ gnutls-3.2.10-supported-ecc.patch ++++++ Index: gnutls-3.2.4/lib/ext/ecc.c =================================================================== --- gnutls-3.2.4.orig/lib/ext/ecc.c +++ gnutls-3.2.4/lib/ext/ecc.c @@ -91,8 +91,10 @@ _gnutls_supported_ecc_recv_params (gnutl if (session->security_parameters.entity == GNUTLS_CLIENT) { - /* A client shouldn't receive this extension */ - return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); + /* A client shouldn't receive this extension, but of course + there are servers out there that send it. Just ignore it. */ + _gnutls_debug_log("received SUPPORTED ECC extension on client side!!!\n"); + return 0; } else { /* SERVER SIDE - we must check if the sent supported ecc type is the right one ++++++ gnutls-CVE-2014-8564.patch ++++++ commit a737abecf1affa08469ca2e9804eb3b6e95027e9 Author: Nikos Mavrogiannopoulos <[email protected]> Date: Mon Nov 10 07:44:11 2014 +0100 when exporting curve coordinates to X9.63 format, perform additional sanity checks on input Reported by Sean Burford. Index: gnutls-3.2.4/lib/gnutls_ecc.c =================================================================== --- gnutls-3.2.4.orig/lib/gnutls_ecc.c +++ gnutls-3.2.4/lib/gnutls_ecc.c 
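Review bot: In the `test-fwrite.c` hunks, the `return 77;` inserted before `const char *filename` leaves the remainder of `main` unreachable (expect compiler warnings) and introduces `//` comments into a file written in `/* */` style. 77 is the automake "skipped" status, so the behaviour matches the patch name, but moving the explanation from the second hunk (`this fwrite returns 5 == sizeof (buf) in openSUSE Factory`) into a `/* */` comment next to the `return 77;` would make the skip self-explanatory and let the second hunk be dropped.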
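Review bot: In the `_gnutls_supported_ecc_recv_params` hunk, returning 0 without parsing `data` is the correct way to ignore a misplaced extension, but the `!!!` in the `_gnutls_debug_log` message is noise in a log line; a plain "ignoring SUPPORTED ECC extension received on client side" states what the code now does.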
@@ -53,20 +53,36 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc /* pad and store x */ byte_size = (_gnutls_mpi_get_nbits (x) + 7) / 8; + if (numlen < byte_size) { + ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } + size = out->size - (1 + (numlen - byte_size)); ret = _gnutls_mpi_print (x, &out->data[1 + (numlen - byte_size)], &size); - if (ret < 0) - return gnutls_assert_val (ret); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8; + if (numlen < byte_size) { + ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } size = out->size - (1 + (numlen + numlen - byte_size)); ret = _gnutls_mpi_print (y, &out->data[1 + numlen + numlen - byte_size], &size); - if (ret < 0) - return gnutls_assert_val (ret); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } /* pad and store y */ return 0; +cleanup: + _gnutls_free_datum(out); + return ret; } ++++++ gnutls-CVE-2015-0294.patch ++++++ >From 6e76e9b9fa845b76b0b9a45f05f4b54a052578ff Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos <[email protected]> Date: Mon, 19 Jan 2015 09:29:31 +0100 Subject: [PATCH] on certificate import check whether the two signature algorithms match --- lib/x509/x509.c | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) Index: gnutls-3.2.4/lib/x509/x509.c =================================================================== --- gnutls-3.2.4.orig/lib/x509/x509.c 2015-03-20 19:26:28.623144079 +0100 +++ gnutls-3.2.4/lib/x509/x509.c 2015-03-20 19:27:25.328957294 +0100 @@ -165,6 +165,7 @@ gnutls_x509_crt_import (gnutls_x509_crt_ { int result = 0, need_free = 0; gnutls_datum_t _data; + int s2; if (cert == NULL) { 
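Review bot: In the `_gnutls_ecc_ansi_x963_export` hunk, the `/* pad and store y */` comment now sits after the y coordinate has already been written, immediately before `return 0`; move it above `byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8;` so it mirrors the `/* pad and store x */` comment. Separately, the new `cleanup:` label frees `out` with `_gnutls_free_datum(out)`, so please confirm `out` is always allocated by this function and that any earlier error return in it also routes through `cleanup`, otherwise the two paths leak or free inconsistently.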
@@ -227,6 +228,23 @@ gnutls_x509_crt_import (gnutls_x509_crt_ goto cleanup; } + result = _gnutls_x509_get_signature_algorithm(cert->cert, + "signatureAlgorithm.algorithm"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + s2 = _gnutls_x509_get_signature_algorithm(cert->cert, + "tbsCertificate.signature.algorithm"); + if (result != s2) { + _gnutls_debug_log("signatureAlgorithm.algorithm differs from tbsCertificate.signature.algorithm: %s, %s\n", + gnutls_sign_get_name(result), gnutls_sign_get_name(s2)); + gnutls_assert(); + result = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; + } + result = _gnutls_x509_get_raw_dn2 (cert->cert, &_data, "tbsCertificate.issuer.rdnSequence", &cert->raw_issuer_dn); ++++++ gnutls-CVE-2015-3622.patch ++++++ From: Nikos Mavrogiannopoulos <[email protected]> Date: Mon, 20 Apr 2015 14:56:27 +0200 Subject: [PATCH 1/1] _asn1_extract_der_octet: prevent past of boundary access This version backported to 3.7 branch. --- lib/decoding.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) Index: gnutls-3.2.4/lib/minitasn1/decoding.c =================================================================== --- gnutls-3.2.4.orig/lib/minitasn1/decoding.c 2015-08-03 15:08:47.167115688 +0200 +++ gnutls-3.2.4/lib/minitasn1/decoding.c 2015-08-03 15:10:22.844263539 +0200 @@ -618,6 +618,7 @@ _asn1_extract_der_octet (asn1_node node, return ASN1_DER_ERROR; counter2 = len3 + 1; + DECR_LEN(der_len, len3); if (len2 == -1) counter_end = der_len - 2; @@ -626,6 +627,7 @@ _asn1_extract_der_octet (asn1_node node, while (counter2 < counter_end) { + DECR_LEN(der_len, 1); len2 = asn1_get_length_der (der + counter2, der_len - counter2, &len3); if (len2 < -1) ++++++ gnutls-GNUTLS-SA-2015-2.patch ++++++ >From 7d9d5c61f8445dc9e9ca47bb575c77cef17da17a Mon Sep 17 00:00:00 2001 
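Review bot: In the `gnutls_x509_crt_import` hunk, `s2` from the second `_gnutls_x509_get_signature_algorithm` call is compared without the negative-return check that `result` gets just above it; a failure there still ends in `GNUTLS_E_CERTIFICATE_ERROR`, since a non-negative `result` cannot equal a negative `s2`, but the log line would then pass an error code to `gnutls_sign_get_name(s2)`. Add `if (s2 < 0) { gnutls_assert(); result = s2; goto cleanup; }` for symmetry.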
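Review bot: In the loop hunk of `_asn1_extract_der_octet`, `DECR_LEN(der_len, 1)` shrinks `der_len` on every iteration while the following call still passes `der_len - counter2`, and `counter2` also advances, so each consumed byte is subtracted twice from the length handed to `asn1_get_length_der`. That errs on the safe side, but please check a valid nested OCTET STRING with several segments still decodes, and confirm that `DECR_LEN` (not shown in this hunk) fails with `ASN1_DER_ERROR` rather than letting `der_len` go negative.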
From: Nikos Mavrogiannopoulos <[email protected]> Date: Sat, 25 Apr 2015 19:14:07 +0200 Subject: [PATCH] _gnutls_session_sign_algo_enabled: do not consider any values from the extension data to decide acceptable algorithms --- lib/ext/signature.c | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) Index: gnutls-3.2.4/lib/ext/signature.c =================================================================== --- gnutls-3.2.4.orig/lib/ext/signature.c 2015-08-03 15:29:10.642802878 +0200 +++ gnutls-3.2.4/lib/ext/signature.c 2015-08-03 15:30:20.678657092 +0200 @@ -300,29 +300,12 @@ _gnutls_session_sign_algo_enabled (gnutl gnutls_sign_algorithm_t sig) { unsigned i; - int ret; const version_entry_st* ver = get_version (session); - sig_ext_st *priv; - extension_priv_data_t epriv; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - ret = - _gnutls_ext_get_session_data (session, - GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS, - &epriv); - if (ret < 0) - { - gnutls_assert (); - return 0; - } - priv = epriv.ptr; - - if (!_gnutls_version_has_selectable_sighash (ver) - || priv->sign_algorithms_size == 0) - /* none set, allow all */ - { + if (!_gnutls_version_has_selectable_sighash(ver)) { return 0; } ++++++ gnutls-implement-trust-store-dir.diff ++++++ Index: gnutls-3.2.3/configure.ac =================================================================== --- gnutls-3.2.3.orig/configure.ac +++ gnutls-3.2.3/configure.ac 
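Review bot: In the `_gnutls_session_sign_algo_enabled` hunk, the deleted branch carried the only comment explaining that returning 0 means "allow" (`/* none set, allow all */`); the surviving `if (!_gnutls_version_has_selectable_sighash(ver)) { return 0; }` should keep a comment to that effect, because a bare `return 0` in a function named `..._enabled` reads ambiguously. The substance is sound: the peer-supplied extension data no longer widens the set of algorithms the local side accepts.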
@@ -418,6 +418,25 @@ if test "$with_default_trust_store_file" with_default_trust_store_file="" fi +AC_ARG_WITH([default-trust-store-dir], + [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY], + [use the given directory as default trust store])], with_default_trust_store_dir="$withval", + [if test "$build" = "$host" ; then + for i in \ + /etc/ssl/certs/ + do + if test -e $i ; then + with_default_trust_store_dir="$i" + break + fi + done + fi] +) + +if test "$with_default_trust_store_dir" = "no";then + with_default_trust_store_dir="" +fi + AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) @@ -427,6 +446,11 @@ if test "x$with_default_trust_store_file ["$with_default_trust_store_file"], [use the given file default trust store]) fi +if test "x$with_default_trust_store_dir" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], + ["$with_default_trust_store_dir"], [use the given directory default trust store]) +fi + if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) @@ -704,6 +728,7 @@ AC_MSG_NOTICE([System files: Trust store pkcs: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir CRL file: $with_default_crl_file DNSSEC root key file: $unbound_root_key_file ]) Index: gnutls-3.2.3/lib/system.c =================================================================== --- gnutls-3.2.3.orig/lib/system.c +++ gnutls-3.2.3/lib/system.c 
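Review bot: In the `AC_ARG_WITH([default-trust-store-dir]` hunk, the default candidate `/etc/ssl/certs/` carries a trailing slash and is probed with `test -e $i`, which also accepts a regular file; use `test -d "$i"` and drop the slash, since `load_dir_certs` later joins the path with `"%s/%s"` and would otherwise produce `/etc/ssl/certs//name`. The new `AC_DEFINE_UNQUOTED` help text in the second hunk also reads "use the given directory default trust store" and wants an "as".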
@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME"); return 0; } -#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) +/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */ +#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__) +# include <dirent.h> +# include <unistd.h> +static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags, unsigned type) +{ +DIR * dirp; +struct dirent *d; +int ret; +int r = 0; +char path[GNUTLS_PATH_MAX]; + + dirp = opendir(dirname); + if (dirp != NULL) + { + do + { + d = readdir(dirp); + if (d != NULL && d->d_type == DT_REG) + { + snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); + + ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); + if (ret >= 0) + r += ret; + } + } + while(d != NULL); + closedir(dirp); + } + + return r; +} +#endif + + +#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR) + static int add_system_trust(gnutls_x509_trust_list_t list, @@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_ r += ret; # endif +# ifdef DEFAULT_TRUST_STORE_DIR + ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM); + if (ret > 0) + r += ret; +# endif + return r; } #elif defined(_WIN32) 
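Review bot: In the `load_dir_certs` hunk, `d->d_type == DT_REG` skips symbolic links and skips every entry on filesystems that report `DT_UNKNOWN`; `/etc/ssl/certs` directories are commonly populated with symlinks to the real certificate files, so the default trust store set up in configure.ac could load nothing there. Build `path` first, then `stat()` it and accept `S_ISREG(st.st_mode)`, at least when `d_type` is `DT_LNK` or `DT_UNKNOWN`. Also, the `do { } while (d != NULL)` loop cannot tell a `readdir` failure from end-of-directory; checking `errno` after a NULL return would let a read error be logged instead of silently truncating the trust store.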
@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l return r; } #elif defined(ANDROID) || defined(__ANDROID__) -# include <dirent.h> -# include <unistd.h> -static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, - unsigned int tl_flags, unsigned int tl_vflags, unsigned type) -{ -DIR * dirp; -struct dirent *d; -int ret; -int r = 0; -char path[GNUTLS_PATH_MAX]; - - dirp = opendir(dirname); - if (dirp != NULL) - { - do - { - d = readdir(dirp); - if (d != NULL && d->d_type == DT_REG) - { - snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); - - ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); - if (ret >= 0) - r += ret; - } - } - while(d != NULL); - closedir(dirp); - } - - return r; -} - static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) { DIR * dirp; ++++++ make-obs-happy-with-gnutls_3.2.4.patch ++++++ Index: gnutls-3.2.4/doc/examples/ex-client-xssl1.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/ex-client-xssl1.c +++ gnutls-3.2.4/doc/examples/ex-client-xssl1.c @@ -80,6 +80,8 @@ int main (void) xssl_cred_deinit (cred); gnutls_global_deinit (); + + return 0; } Index: gnutls-3.2.4/doc/examples/ex-client-xssl2.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/ex-client-xssl2.c +++ gnutls-3.2.4/doc/examples/ex-client-xssl2.c @@ -95,4 +95,6 @@ int main (void) xssl_cred_deinit (cred); gnutls_global_deinit (); + + return 0; } Index: gnutls-3.2.4/doc/examples/print-ciphersuites.c =================================================================== --- gnutls-3.2.4.orig/doc/examples/print-ciphersuites.c +++ gnutls-3.2.4/doc/examples/print-ciphersuites.c 
@@ -51,4 +51,5 @@ int main(int argc, char** argv) { if (argc > 1) print_cipher_suite_list (argv[1]); + return 0; } Index: gnutls-3.2.4/src/serv.c =================================================================== --- gnutls-3.2.4.orig/src/serv.c +++ gnutls-3.2.4/src/serv.c @@ -1216,6 +1216,8 @@ main (int argc, char **argv) udp_server (name, port, mtu); else tcp_server (name, port); + + return 0; } static void ++++++ revert-simplified-decrypted-data-allocation.patch ++++++ >From c3b39817df8b45f48edd89b6e652201e986770dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= <[email protected]> Date: Thu, 6 Feb 2014 11:13:53 +0100 Subject: [PATCH 1/1] Revert "simplified decrypted data allocation." This reverts commit 1667d2eecd4094a239db9f5ae54990d4c270c52a. It breaks COMP-DEFLATE as the allocated buffer is too small for the inflated content. Fixed upstream in 3.2.7 with commit 172ae00887559fa5ba9a3bdc41d9eccb4844b077. --- lib/gnutls_record.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index d261585..65d5786 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -1189,7 +1189,8 @@ begin: /* We allocate the maximum possible to allow few compressed bytes to expand to a * full record. */ - decrypted = _mbuffer_alloc(record.length, record.length); + t.size = get_max_decrypted_data(session); + decrypted = _mbuffer_alloc(t.size, t.size); if (decrypted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- 1.8.5.3
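Review bot: In the `gnutls_record.c` hunk, reusing `t.size` (a field of a datum declared elsewhere in the function) to carry the allocation size works but hides the intent; since the buffer must hold inflated COMP-DEFLATE output, a local `size_t max_size = get_max_decrypted_data(session);` passed to `_mbuffer_alloc` would say so explicitly. The revert itself is right: the comment above the change already states that the maximum is allocated so compressed bytes can expand, which `_mbuffer_alloc(record.length, record.length)` contradicted.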
