From 1d95a2eb84bfc946a18167a44f7f76220f91038f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 25 Sep 2018 08:58:48 +0200 Subject: [PATCH] Updated to 3.6.4 --- .gitignore | 2 + gnutls-3.6.3-backport-upstream-fixes.patch | 55 ---------------- gnutls-3.6.3-fix-ecdsa.patch | 27 -------- gnutls-3.6.3-gnutls-cli-fix.patch | 12 ---- gnutls-3.6.3-rollback-fix.patch | 65 ------------------- ....6.3-skip-new-priority-funcs-err-pos.patch | 30 --------- ...e.patch => gnutls-3.6.4-no-now-guile.patch | 9 +-- gnutls.spec | 35 ++++------ sources | 5 +- 9 files changed, 23 insertions(+), 217 deletions(-) delete mode 100644 gnutls-3.6.3-backport-upstream-fixes.patch delete mode 100644 gnutls-3.6.3-fix-ecdsa.patch delete mode 100644 gnutls-3.6.3-gnutls-cli-fix.patch delete mode 100644 gnutls-3.6.3-rollback-fix.patch delete mode 100644 gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch rename gnutls-3.4.2-no-now-guile.patch => gnutls-3.6.4-no-now-guile.patch (57%) diff --git a/.gitignore b/.gitignore index ea696a1..37c5305 100644 --- a/.gitignore +++ b/.gitignore @@ -98,3 +98,5 @@ gnutls-2.10.1-nosrp.tar.bz2 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /gnutls-3.6.3.tar.xz.sig /gnutls-3.6.3.tar.xz +/gnutls-3.6.4.tar.xz +/gnutls-3.6.4.tar.xz.sig diff --git a/gnutls-3.6.3-backport-upstream-fixes.patch b/gnutls-3.6.3-backport-upstream-fixes.patch deleted file mode 100644 index a7aad33..0000000 --- a/gnutls-3.6.3-backport-upstream-fixes.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -diff --git a/lib/cert-cred.c b/lib/cert-cred.c -index d3777e51f..2150e903f 100644 ---- a/lib/cert-cred.c -+++ b/lib/cert-cred.c -@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session, - if (ret < 0) - return gnutls_assert_val(ret); - -+ if (st2.ncerts == 0) { -+ *pcert_length = 0; -+ *ocsp_length = 0; -+ *privkey = NULL; -+ return 0; -+ } -+ - if (st2.cert_type != GNUTLS_CRT_X509) { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; -@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function - gnutls_certificate_retrieve_function * func) - { - cred->legacy_cert_cb1 = func; -- cred->get_cert_callback3 = call_legacy_cert_cb1; -+ if (!func) -+ cred->get_cert_callback3 = NULL; -+ else -+ cred->get_cert_callback3 = call_legacy_cert_cb1; - } - - static int call_legacy_cert_cb2(gnutls_session_t session, -@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2 - gnutls_certificate_retrieve_function2 * func) - { - cred->legacy_cert_cb2 = func; -- cred->get_cert_callback3 = call_legacy_cert_cb2; -+ if (!func) -+ cred->get_cert_callback3 = NULL; -+ else -+ cred->get_cert_callback3 = call_legacy_cert_cb2; - } - - /** -diff --git a/lib/hello_ext.c b/lib/hello_ext.c -index a3027130a..f72afe77f 100644 ---- a/lib/hello_ext.c -+++ b/lib/hello_ext.c -@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d - - if (tls_id == PRE_SHARED_KEY_TLS_ID) { - ctx->seen_pre_shared_key = 1; -- } else if (ctx->seen_pre_shared_key) { -+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) { - /* the pre-shared key extension must always be the last one, - * draft-ietf-tls-tls13-28: 4.2.11 */ - return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); diff --git a/gnutls-3.6.3-fix-ecdsa.patch b/gnutls-3.6.3-fix-ecdsa.patch deleted file mode 100644 index d34efa0..0000000 --- a/gnutls-3.6.3-fix-ecdsa.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff --git a/lib/pubkey.c b/lib/pubkey.c -index 162ceaa4a..8fc42b95a 100644 ---- a/lib/pubkey.c -+++ b/lib/pubkey.c -@@ -1072,7 +1072,6 @@ gnutls_pubkey_import(gnutls_pubkey_t key, - int result = 0, need_free = 0; - gnutls_datum_t _data; - ASN1_TYPE spk; -- gnutls_ecc_curve_t curve; - - if (key == NULL) { - gnutls_assert(); -@@ -1119,14 +1118,7 @@ gnutls_pubkey_import(gnutls_pubkey_t key, - goto cleanup; - } - -- /* this has already been called by get_asn_mpis() thus it cannot -- * fail. -- */ -- key->params.algo = _gnutls_x509_get_pk_algorithm(spk, "", &curve, NULL); -- -- key->params.curve = curve; - key->bits = pubkey_to_bits(&key->params); -- - result = 0; - - cleanup: diff --git a/gnutls-3.6.3-gnutls-cli-fix.patch b/gnutls-3.6.3-gnutls-cli-fix.patch deleted file mode 100644 index fbad690..0000000 --- a/gnutls-3.6.3-gnutls-cli-fix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/cli.c b/src/cli.c -index 21be015dc..42d027736 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -1273,7 +1273,6 @@ int main(int argc, char **argv) - } - continue; - } -- bytes=strlen(buffer); - buffer[bytes] = 0; - - if (crlf != 0) { diff --git a/gnutls-3.6.3-rollback-fix.patch b/gnutls-3.6.3-rollback-fix.patch deleted file mode 100644 index 925382f..0000000 --- a/gnutls-3.6.3-rollback-fix.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -diff --git a/lib/handshake.c b/lib/handshake.c -index ebea926aa..8dce170fe 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -248,6 +248,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st * - memcpy(session->security_parameters.server_random, rnd, - GNUTLS_RANDOM_SIZE); - -+#if 0 /* This was not supposed to be checked in draft-versions */ - /* check whether the server random value is set according to - * to TLS 1.3. p4.1.3 requirements */ - if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) { -@@ -272,6 +273,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st * - return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - } - } -+#endif - - return 0; - } -@@ -291,6 +293,7 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version) - - max = _gnutls_version_max(session); - -+#if 0 - if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 && - version <= GNUTLS_TLS1_2) { - if (version == GNUTLS_TLS1_2) { -@@ -303,7 +306,9 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version) - ret = - gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8); - -- } else { -+ } else -+#endif -+ { - ret = - gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE); - } -diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c -index f573596c5..6934b2507 100644 ---- a/tests/tls13/rnd-check-rollback-val.c -+++ b/tests/tls13/rnd-check-rollback-val.c -@@ -222,6 +222,8 @@ void doit(void) - int ret; - pid_t child; - -+ exit(77); -+ - signal(SIGCHLD, ch_handler); - signal(SIGPIPE, SIG_IGN); - -diff --git a/tests/tls13/rnd-rollback-detection.c b/tests/tls13/rnd-rollback-detection.c -index 0d1ef0149..8cbb658cf 100644 ---- a/tests/tls13/rnd-rollback-detection.c -+++ b/tests/tls13/rnd-rollback-detection.c -@@ -206,6 +206,8 @@ void doit(void) - 
int ret; - pid_t child; - -+ exit(77); -+ - signal(SIGCHLD, ch_handler); - signal(SIGPIPE, SIG_IGN); - diff --git a/gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch b/gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch deleted file mode 100644 index 326999e..0000000 --- a/gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/tests/priority-init2.c b/tests/priority-init2.c -index 850a6d9..d6b7659 100644 ---- a/tests/priority-init2.c -+++ b/tests/priority-init2.c -@@ -91,8 +91,8 @@ static void start(struct test_st *test) - if (test->exp_err == ret) { - if (ep-test->add_prio != test->err_pos) { - fprintf(stderr, "diff: %d\n", (int)(ep-test->add_prio)); -- fail("error expected error on different position[%d]: %s\n", -- test->err_pos, test->add_prio); -+// fail("error expected error on different position[%d]: %s\n", -+// test->err_pos, test->add_prio); - } - goto cleanup; - } -diff --git a/tests/set-default-prio.c b/tests/set-default-prio.c -index 48e8bf1..16235f8 100644 ---- a/tests/set-default-prio.c -+++ b/tests/set-default-prio.c -@@ -90,8 +90,8 @@ static void start(struct test_st *test) - if (test->exp_err == ret) { - if (ep-test->add_prio != test->err_pos) { - fprintf(stderr, "diff: %d\n", (int)(ep-test->add_prio)); -- fail("error expected error on different position[%d]: %s\n", -- test->err_pos, test->add_prio); -+// fail("error expected error on different position[%d]: %s\n", -+// test->err_pos, test->add_prio); - } - goto cleanup; - } diff --git a/gnutls-3.4.2-no-now-guile.patch b/gnutls-3.6.4-no-now-guile.patch similarity index 57% rename from gnutls-3.4.2-no-now-guile.patch rename to gnutls-3.6.4-no-now-guile.patch index 35c7699..d4edff0 100644 --- a/gnutls-3.4.2-no-now-guile.patch +++ b/gnutls-3.6.4-no-now-guile.patch 
@@ -1,7 +1,8 @@
-diff -up gnutls-3.4.2/guile/src/Makefile.in.jx gnutls-3.4.2/guile/src/Makefile.in
---- gnutls-3.4.2/guile/src/Makefile.in.jx 2015-06-16 12:23:31.000000000 -0400
-+++ gnutls-3.4.2/guile/src/Makefile.in 2015-07-02 14:01:19.415060204 -0400
-@@ -1316,7 +1316,7 @@ guileextension_LTLIBRARIES = guile-gnutl
+diff --git a/guile/src/Makefile.in b/guile/src/Makefile.in
+index 3e4f547..6ffec0e 100644
+--- a/guile/src/Makefile.in
++++ b/guile/src/Makefile.in
+@@ -1430,7 +1430,7 @@ guileextension_LTLIBRARIES = guile-gnutls-v-2.la
 # Use '-module' to build a "dlopenable module", in Libtool terms.
 # Use '-undefined' to placate Libtool on Windows; see
 # .
diff --git a/gnutls.spec b/gnutls.spec
index e916416..883217e 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,13 +1,8 @@
 # This spec file has been automatically updated
-Version: 3.6.3
-Release: 4%{?dist}
+Version: 3.6.4
+Release: 1%{?dist}
 Patch1: gnutls-3.2.7-rpath.patch
-Patch2: gnutls-3.4.2-no-now-guile.patch
-Patch3: gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch
-Patch4: gnutls-3.6.3-backport-upstream-fixes.patch
-Patch5: gnutls-3.6.3-fix-ecdsa.patch
-Patch6: gnutls-3.6.3-gnutls-cli-fix.patch
-Patch7: gnutls-3.6.3-rollback-fix.patch
+Patch2: gnutls-3.6.4-no-now-guile.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -152,14 +147,7 @@ This package contains Guile bindings for the library.
 %prep
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
+%autosetup -p1
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@@ -167,16 +155,15 @@ rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/
 echo "SYSTEM=NORMAL" >> tests/system.prio
+# Note that we explicitly enable SHA1, as SHA1 deprecation is handled
+# via the crypto policies
+
 %build
 %configure --with-libtasn1-prefix=%{_prefix} \
-%if (0%{?fedora} <= 28)
- --enable-ssl3-support \
-%else
- --enable-tls13-support \
-%endif
 %if %{with fips}
 --enable-fips140-mode \
 %endif
+ --enable-sha1-support \
 --disable-static \
 --disable-openssl-compatibility \
 --disable-non-suiteb-curves \
@@ -315,6 +302,12 @@ fi
 %endif
 %changelog
+* Tue Sep 25 2018 Nikos Mavrogiannopoulos - 3.6.4-1
+- Updated to upstream 3.6.4 release
+- Added support for the latest version of the TLS1.3 protocol
+- Enabled SHA1 support as SHA1 deprecation is handled via the
+ fedora crypto policies.
+
 * Thu Aug 16 2018 Nikos Mavrogiannopoulos - 3.6.3-4
 - Fixed gnutls-cli input reading
 - Ensure that we do not cause issues with version rollback detection
diff --git a/sources b/sources
index 609b378..98c4199 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
-SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (gnutls-3.6.3.tar.xz.sig) = 5377352aa239a4458b0ac6aaada438dce0336b989c4f65949fec3e469531dfb2397bb36dbe69dbc6f479f6944999937ebb4a5cb40e806d0bd4062c5647aa397b
-SHA512 (gnutls-3.6.3.tar.xz) = 6238502464d229a9777e3076f4c745d16deaada83c9da756ecdcd370947576e0446bda3a7f85d5a099b745bbf8c0134ebdf6632e4b26d61daf170792fb4f5abe
+SHA512 (gnutls-3.6.4.tar.xz) = f39ac09b48ebf230653cbf82b29ded39a1403313067135495b23f428b35783f9ef073993157d1f284678abedd19e2cf1fd01af843001b88320ca17b346b219ab
+SHA512 (gnutls-3.6.4.tar.xz.sig) = 3f96dd3bb6f12f677b3106e6d46e93e56c501b9c4072c94f45235c35b9242ba2bddc71a22736bafe2b6532bcc498dac30869861beb8d705345b1197d3526da0e
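Review bot: The `--enable-sha1-support` line added to the %configure call is unconditional, while the comment justifying it rests entirely on the crypto policies; as far as I know those policies only constrain consumers that keep the default (`@SYSTEM`) priority, so an application that passes its own explicit priority string gets the build-time SHA1 acceptance with no policy backstop, and the `%if 0%{?rhel}` branches elsewhere in this spec show the same flag is also built into non-Fedora packages whose policy set may differ. The testsuite context line `echo "SYSTEM=NORMAL" >> tests/system.prio` likewise means the tests never run under the policy-restricted configuration, so nothing in the build exercises the deprecation the comment relies on. I would extend the comment so the trade-off is visible to the next maintainer, e.g. `# SHA1 is enabled at build time; its deprecation is enforced by the system crypto policies,` / `# which only cover consumers of the default/@SYSTEM priority -- explicit priority strings bypass it.` If the intent is that builds outside Fedora keep SHA1 rejected, wrap the flag in `%if 0%{?fedora}` instead of enabling it everywhere.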
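Review bot: The keyring that `%prep` verifies the tarball against (`gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}`, visible in the spec hunk above) is no longer pinned anywhere in this commit: the `SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg)` line is dropped from `sources`, the diffstat adds no keyring file, and the `.gitignore` hunk still lists `/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg` as ignored. If the keyring is already tracked in git this is harmless (a `fedpkg new-sources` run rewriting `sources` would explain the drop), but if it only lived in the lookaside cache the upstream-signature check now has no keyring to verify against and should fail %prep loudly rather than be skipped — worth confirming with `git ls-files 'gpgkey-*.gpg'` before this lands. Since `sources` was the only place a checksum pinned the trust anchor itself, consider keeping that entry, or at least recording the key fingerprint in a spec comment next to the `gpgv2` call.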