Update to gnutls 3.7.3
Resolves: #2033220
Signed-off-by: Daiki Ueno <dueno@redhat.com>
parent
7089af2e2d
commit
4030e24b19
2
.gitignore
vendored
2
.gitignore
vendored
@ -135,3 +135,5 @@ gnutls-2.10.1-nosrp.tar.bz2
|
|||||||
/gnutls-3.7.1.tar.xz.sig
|
/gnutls-3.7.1.tar.xz.sig
|
||||||
/gnutls-3.7.2.tar.xz
|
/gnutls-3.7.2.tar.xz
|
||||||
/gnutls-3.7.2.tar.xz.sig
|
/gnutls-3.7.2.tar.xz.sig
|
||||||
|
/gnutls-3.7.3.tar.xz
|
||||||
|
/gnutls-3.7.3.tar.xz.sig
|
||||||
|
@ -1,84 +0,0 @@
|
|||||||
From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Wed, 10 Mar 2021 16:11:29 +0100
|
|
||||||
Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
|
|
||||||
AGGRESSIVE_REALLOC
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/str.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/str.c b/lib/str.c
|
|
||||||
index 506fe1721..bc20ebb04 100644
|
|
||||||
--- a/lib/str.c
|
|
||||||
+++ b/lib/str.c
|
|
||||||
@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
|
||||||
|
|
||||||
unused = MEMSUB(dest->data, dest->allocd);
|
|
||||||
dest->allocd =
|
|
||||||
- gnutls_realloc_fast(dest->allocd, new_size);
|
|
||||||
+ gnutls_realloc_fast(dest->allocd, new_size + unused);
|
|
||||||
if (dest->allocd == NULL) {
|
|
||||||
gnutls_assert();
|
|
||||||
return GNUTLS_E_MEMORY_ERROR;
|
|
||||||
}
|
|
||||||
- dest->max_length = new_size;
|
|
||||||
+ dest->max_length = new_size + unused;
|
|
||||||
dest->data = dest->allocd + unused;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
|
|
||||||
From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Wed, 10 Mar 2021 16:12:23 +0100
|
|
||||||
Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
|
|
||||||
defined
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/str.c | 18 +++++++++---------
|
|
||||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/str.c b/lib/str.c
|
|
||||||
index bc20ebb04..8007340f1 100644
|
|
||||||
--- a/lib/str.c
|
|
||||||
+++ b/lib/str.c
|
|
||||||
@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
|
|
||||||
|
|
||||||
#define MIN_CHUNK 1024
|
|
||||||
|
|
||||||
-static void align_allocd_with_data(gnutls_buffer_st * dest)
|
|
||||||
-{
|
|
||||||
- assert(dest->allocd != NULL);
|
|
||||||
- assert(dest->data != NULL);
|
|
||||||
- if (dest->length)
|
|
||||||
- memmove(dest->allocd, dest->data, dest->length);
|
|
||||||
- dest->data = dest->allocd;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/**
|
|
||||||
* gnutls_buffer_append_data:
|
|
||||||
* @dest: the buffer to append to
|
|
||||||
@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
|
||||||
|
|
||||||
#else
|
|
||||||
|
|
||||||
+static void align_allocd_with_data(gnutls_buffer_st * dest)
|
|
||||||
+{
|
|
||||||
+ assert(dest->allocd != NULL);
|
|
||||||
+ assert(dest->data != NULL);
|
|
||||||
+ if (dest->length)
|
|
||||||
+ memmove(dest->allocd, dest->data, dest->length);
|
|
||||||
+ dest->data = dest->allocd;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
|
|
||||||
{
|
|
||||||
if (unlikely(dest->data != NULL && dest->allocd == NULL))
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,254 +0,0 @@
|
|||||||
From dbdcc29ee9e31acaa8286f633a4f0c23abd09d03 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Tue, 26 Oct 2021 12:56:52 +0200
|
|
||||||
Subject: [PATCH] priority: fix race condition when resolving SYSTEM in
|
|
||||||
allowlisting
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/priority.c | 65 +++++++++++++++++++++++++++++++-------------------
|
|
||||||
1 file changed, 41 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/priority.c b/lib/priority.c
|
|
||||||
index 20230e46d1..606443f1f9 100644
|
|
||||||
--- a/lib/priority.c
|
|
||||||
+++ b/lib/priority.c
|
|
||||||
@@ -39,6 +39,7 @@
|
|
||||||
#include "profiles.h"
|
|
||||||
#include "c-strcase.h"
|
|
||||||
#include "inih/ini.h"
|
|
||||||
+#include "locks.h"
|
|
||||||
#include "profiles.h"
|
|
||||||
#include "name_val_array.h"
|
|
||||||
|
|
||||||
@@ -1001,6 +1002,7 @@ static void dummy_func(gnutls_priority_t c)
|
|
||||||
#include <priority_options.h>
|
|
||||||
|
|
||||||
static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
|
|
||||||
+GNUTLS_STATIC_MUTEX(system_wide_priority_strings_mutex);
|
|
||||||
static name_val_array_t system_wide_priority_strings = NULL;
|
|
||||||
static char *system_wide_priority_string = NULL;
|
|
||||||
static unsigned system_wide_priority_strings_init = 0;
|
|
||||||
@@ -1727,6 +1729,9 @@ static int cfg_ini_handler(void *ctx, const char *section, const char *name, con
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+resolve_priorities_from_system_wide_allowlisting(void);
|
|
||||||
+
|
|
||||||
static void _gnutls_update_system_priorities(void)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -1734,17 +1739,19 @@ static void _gnutls_update_system_priorities(void)
|
|
||||||
FILE *fp;
|
|
||||||
struct cfg cfg;
|
|
||||||
|
|
||||||
+ GNUTLS_STATIC_MUTEX_LOCK(system_wide_priority_strings_mutex);
|
|
||||||
+
|
|
||||||
if (stat(system_priority_file, &sb) < 0) {
|
|
||||||
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
|
|
||||||
system_priority_file, errno);
|
|
||||||
- return;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (system_wide_priority_strings_init != 0 &&
|
|
||||||
sb.st_mtime == system_priority_last_mod) {
|
|
||||||
_gnutls_debug_log("cfg: system priority %s has not changed\n",
|
|
||||||
system_priority_file);
|
|
||||||
- return;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (system_wide_priority_strings_init != 0)
|
|
||||||
@@ -1757,7 +1764,7 @@ static void _gnutls_update_system_priorities(void)
|
|
||||||
if (fp == NULL) {
|
|
||||||
_gnutls_debug_log("cfg: unable to open: %s: %d\n",
|
|
||||||
system_priority_file, errno);
|
|
||||||
- return;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
/* Parsing the configuration file needs to be done in 2 phases: first
|
|
||||||
* parsing the [global] section and then the other sections, because the
|
|
||||||
@@ -1781,16 +1788,30 @@ static void _gnutls_update_system_priorities(void)
|
|
||||||
system_priority_file, ret);
|
|
||||||
if (fail_on_invalid_config)
|
|
||||||
exit(1);
|
|
||||||
- return;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
cfg_apply(&cfg);
|
|
||||||
cfg_deinit(&cfg);
|
|
||||||
|
|
||||||
+ if (system_wide_allowlisting) {
|
|
||||||
+ ret = resolve_priorities_from_system_wide_allowlisting();
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ _gnutls_debug_log("cfg: unable to resolve system priority string: %s\n",
|
|
||||||
+ gnutls_strerror(ret));
|
|
||||||
+ if (fail_on_invalid_config)
|
|
||||||
+ exit(1);
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
|
|
||||||
system_priority_file,
|
|
||||||
(unsigned long long)sb.st_mtime);
|
|
||||||
|
|
||||||
system_priority_last_mod = sb.st_mtime;
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ GNUTLS_STATIC_MUTEX_UNLOCK(system_wide_priority_strings_mutex);
|
|
||||||
}
|
|
||||||
|
|
||||||
void _gnutls_load_system_priorities(void)
|
|
||||||
@@ -1835,17 +1856,13 @@ const char *gnutls_get_system_config_file(void)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static const char *
|
|
||||||
+static int
|
|
||||||
resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
{
|
|
||||||
gnutls_buffer_st buf;
|
|
||||||
int ret;
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
- if (system_wide_priority_string) {
|
|
||||||
- return system_wide_priority_string;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
assert(system_wide_allowlisting);
|
|
||||||
|
|
||||||
_gnutls_buffer_init(&buf);
|
|
||||||
@@ -1853,21 +1870,21 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, "NONE");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_kx_get_name(system_wide_tls_kxs[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1875,14 +1892,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_group_get_name(system_wide_tls_groups[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1890,14 +1907,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1905,14 +1922,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_mac_get_name(system_wide_tls_macs[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1920,14 +1937,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_sign_get_name(system_wide_tls_sigs[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1935,14 +1952,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _gnutls_buffer_append_str(&buf,
|
|
||||||
gnutls_protocol_get_name(system_wide_tls_vers[i]));
|
|
||||||
if (ret < 0) {
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
- return NULL;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1950,7 +1967,7 @@ resolve_priorities_from_system_wide_allowlisting(void)
|
|
||||||
system_wide_priority_string = gnutls_strdup((char *)buf.data);
|
|
||||||
_gnutls_buffer_clear(&buf);
|
|
||||||
|
|
||||||
- return system_wide_priority_string;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#define S(str) ((str!=NULL)?str:"")
|
|
||||||
@@ -2010,7 +2027,7 @@ char *_gnutls_resolve_priorities(const char* priorities)
|
|
||||||
if (system_wide_allowlisting &&
|
|
||||||
ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
|
|
||||||
strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
|
|
||||||
- p = resolve_priorities_from_system_wide_allowlisting();
|
|
||||||
+ p = system_wide_priority_string;
|
|
||||||
} else {
|
|
||||||
p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,75 +0,0 @@
|
|||||||
From b64c8b2aa75e6668ee9115afda8e54d48b2143ac Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 22 Dec 2021 17:19:27 +0100
|
|
||||||
Subject: [PATCH 2/2] gnutls-3.7.2-doc-hash-copy.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
doc/functions/gnutls_hash_copy | 4 +++-
|
|
||||||
doc/functions/gnutls_hmac_copy | 4 +++-
|
|
||||||
doc/manpages/gnutls_hash_copy.3 | 4 +++-
|
|
||||||
doc/manpages/gnutls_hmac_copy.3 | 4 +++-
|
|
||||||
4 files changed, 12 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/functions/gnutls_hash_copy b/doc/functions/gnutls_hash_copy
|
|
||||||
index 600c0e7..aac7d5d 100644
|
|
||||||
--- a/doc/functions/gnutls_hash_copy
|
|
||||||
+++ b/doc/functions/gnutls_hash_copy
|
|
||||||
@@ -8,7 +8,9 @@
|
|
||||||
This function will create a copy of Message Digest context, containing all
|
|
||||||
its current state. Copying contexts for Message Digests registered using
|
|
||||||
@code{gnutls_crypto_register_digest()} is not supported and will always result in
|
|
||||||
-an error.
|
|
||||||
+an error. In addition to that, some of the Message Digest implementations do
|
|
||||||
+not support this operation. Applications should check the return value and
|
|
||||||
+provide a proper fallback.
|
|
||||||
|
|
||||||
@strong{Returns:} new Message Digest context or NULL in case of an error.
|
|
||||||
|
|
||||||
diff --git a/doc/functions/gnutls_hmac_copy b/doc/functions/gnutls_hmac_copy
|
|
||||||
index a219b21..93b20d5 100644
|
|
||||||
--- a/doc/functions/gnutls_hmac_copy
|
|
||||||
+++ b/doc/functions/gnutls_hmac_copy
|
|
||||||
@@ -8,7 +8,9 @@
|
|
||||||
This function will create a copy of MAC context, containing all its current
|
|
||||||
state. Copying contexts for MACs registered using
|
|
||||||
@code{gnutls_crypto_register_mac()} is not supported and will always result in an
|
|
||||||
-error.
|
|
||||||
+error. In addition to that, some of the MAC implementations do not support
|
|
||||||
+this operation. Applications should check the return value and provide a
|
|
||||||
+proper fallback.
|
|
||||||
|
|
||||||
@strong{Returns:} new MAC context or NULL in case of an error.
|
|
||||||
|
|
||||||
diff --git a/doc/manpages/gnutls_hash_copy.3 b/doc/manpages/gnutls_hash_copy.3
|
|
||||||
index fcf0983..19bb8c4 100644
|
|
||||||
--- a/doc/manpages/gnutls_hash_copy.3
|
|
||||||
+++ b/doc/manpages/gnutls_hash_copy.3
|
|
||||||
@@ -13,7 +13,9 @@ is a \fBgnutls_hash_hd_t\fP type
|
|
||||||
This function will create a copy of Message Digest context, containing all
|
|
||||||
its current state. Copying contexts for Message Digests registered using
|
|
||||||
\fBgnutls_crypto_register_digest()\fP is not supported and will always result in
|
|
||||||
-an error.
|
|
||||||
+an error. In addition to that, some of the Message Digest implementations do
|
|
||||||
+not support this operation. Applications should check the return value and
|
|
||||||
+provide a proper fallback.
|
|
||||||
.SH "RETURNS"
|
|
||||||
new Message Digest context or NULL in case of an error.
|
|
||||||
.SH "SINCE"
|
|
||||||
diff --git a/doc/manpages/gnutls_hmac_copy.3 b/doc/manpages/gnutls_hmac_copy.3
|
|
||||||
index ba5a40d..32b0114 100644
|
|
||||||
--- a/doc/manpages/gnutls_hmac_copy.3
|
|
||||||
+++ b/doc/manpages/gnutls_hmac_copy.3
|
|
||||||
@@ -13,7 +13,9 @@ is a \fBgnutls_hmac_hd_t\fP type
|
|
||||||
This function will create a copy of MAC context, containing all its current
|
|
||||||
state. Copying contexts for MACs registered using
|
|
||||||
\fBgnutls_crypto_register_mac()\fP is not supported and will always result in an
|
|
||||||
-error.
|
|
||||||
+error. In addition to that, some of the MAC implementations do not support
|
|
||||||
+this operation. Applications should check the return value and provide a
|
|
||||||
+proper fallback.
|
|
||||||
.SH "RETURNS"
|
|
||||||
new MAC context or NULL in case of an error.
|
|
||||||
.SH "SINCE"
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,92 +0,0 @@
|
|||||||
From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Fri, 25 Jun 2021 08:39:12 +0200
|
|
||||||
Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
|
|
||||||
advertising
|
|
||||||
|
|
||||||
Previously, if both X25519 and X448 groups were enabled in the
|
|
||||||
priority string, the client sent both algorithms in a key_share
|
|
||||||
extension, while it was only capable of handling one algorithm from
|
|
||||||
the same (Edwards curve) category. This adds an extra check so the
|
|
||||||
client should send either X25519 or X448.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/ext/key_share.c | 24 +++++++++++++++++++++---
|
|
||||||
tests/tls13/key_share.c | 3 +++
|
|
||||||
2 files changed, 24 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
|
|
||||||
index a8c4bb5cf..a4db3af95 100644
|
|
||||||
--- a/lib/ext/key_share.c
|
|
||||||
+++ b/lib/ext/key_share.c
|
|
||||||
@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static inline bool
|
|
||||||
+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
|
|
||||||
+{
|
|
||||||
+ return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline bool
|
|
||||||
+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
|
|
||||||
+{
|
|
||||||
+ return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* returns data_size or a negative number on failure
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
|
|
||||||
/* generate key shares for out top-(max_groups) groups
|
|
||||||
* if they are of different PK type. */
|
|
||||||
for (i = 0; i < session->internals.priorities->groups.size; i++) {
|
|
||||||
+ unsigned int j;
|
|
||||||
+
|
|
||||||
group = session->internals.priorities->groups.entry[i];
|
|
||||||
|
|
||||||
- if (generated == 1 && group->pk == selected_groups[0])
|
|
||||||
- continue;
|
|
||||||
- else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
|
|
||||||
+ for (j = 0; j < generated; j++) {
|
|
||||||
+ if (pk_type_equal(group->pk, selected_groups[j])) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (j < generated) {
|
|
||||||
continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
selected_groups[generated] = group->pk;
|
|
||||||
|
|
||||||
diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
|
|
||||||
index 7f8f6295c..816a7d9b5 100644
|
|
||||||
--- a/tests/tls13/key_share.c
|
|
||||||
+++ b/tests/tls13/key_share.c
|
|
||||||
@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
|
|
||||||
[23] = GNUTLS_GROUP_SECP256R1,
|
|
||||||
[24] = GNUTLS_GROUP_SECP384R1,
|
|
||||||
[29] = GNUTLS_GROUP_X25519,
|
|
||||||
+ [30] = GNUTLS_GROUP_X448,
|
|
||||||
[0x100] = GNUTLS_GROUP_FFDHE2048,
|
|
||||||
[0x101] = GNUTLS_GROUP_FFDHE3072
|
|
||||||
};
|
|
||||||
@@ -315,11 +316,13 @@ void doit(void)
|
|
||||||
start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
|
|
||||||
start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
|
|
||||||
start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
|
|
||||||
+ start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
|
|
||||||
start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
|
|
||||||
|
|
||||||
start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
|
|
||||||
start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
|
|
||||||
start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
|
|
||||||
+ start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
|
|
||||||
start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
|
|
||||||
|
|
||||||
/* test default behavior */
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,72 +0,0 @@
|
|||||||
From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <dueno@redhat.com>
|
|
||||||
Date: Thu, 21 Oct 2021 12:19:30 +0200
|
|
||||||
Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
||||||
---
|
|
||||||
src/libopts/makeshell.c | 3 +--
|
|
||||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c
|
|
||||||
index b6cb441a..7eb17a1f 100644
|
|
||||||
--- a/src/libopts/makeshell.c
|
|
||||||
+++ b/src/libopts/makeshell.c
|
|
||||||
@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts)
|
|
||||||
#ifdef HAVE_FCHMOD
|
|
||||||
fchmod(STDOUT_FILENO, 0755);
|
|
||||||
#endif
|
|
||||||
- fclose(stdout);
|
|
||||||
|
|
||||||
- if (ferror(stdout))
|
|
||||||
+ if (ferror(stdout) || fclose(stdout))
|
|
||||||
fserr_exit(opts->pzProgName, zwriting, zstdout_name);
|
|
||||||
|
|
||||||
AGFREE(script_text);
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
|
|
||||||
From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <dueno@redhat.com>
|
|
||||||
Date: Thu, 21 Oct 2021 12:43:07 +0200
|
|
||||||
Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
||||||
---
|
|
||||||
src/libopts/load.c | 10 ++++++++--
|
|
||||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libopts/load.c b/src/libopts/load.c
|
|
||||||
index 3f1ce2e6..ad1c4584 100644
|
|
||||||
--- a/src/libopts/load.c
|
|
||||||
+++ b/src/libopts/load.c
|
|
||||||
@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
|
|
||||||
* IF we cannot find a directory name separator,
|
|
||||||
* THEN we do not have a path name to our executable file.
|
|
||||||
*/
|
|
||||||
- if (pz == NULL)
|
|
||||||
+ if (pz == NULL) {
|
|
||||||
+ if (path != prg_path)
|
|
||||||
+ AGFREE(path);
|
|
||||||
return false;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
fname += skip;
|
|
||||||
fname_len = strlen(fname) + 1; // + NUL byte
|
|
||||||
@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
|
|
||||||
* Concatenate the file name to the end of the executable path.
|
|
||||||
* The result may be either a file or a directory.
|
|
||||||
*/
|
|
||||||
- if (dir_len + fname_len > (unsigned)b_sz)
|
|
||||||
+ if (dir_len + fname_len > (unsigned)b_sz) {
|
|
||||||
+ if (path != prg_path)
|
|
||||||
+ AGFREE(path);
|
|
||||||
return false;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
memcpy(buf, path, dir_len);
|
|
||||||
memcpy(buf + dir_len, fname, fname_len);
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
36
gnutls.spec
36
gnutls.spec
@ -1,15 +1,9 @@
|
|||||||
# This spec file has been automatically updated
|
Version: 3.7.3
|
||||||
Version: 3.7.2
|
Release: 1%{?dist}
|
||||||
Release: 10%{?dist}
|
|
||||||
Patch1: gnutls-3.6.7-no-now-guile.patch
|
Patch1: gnutls-3.6.7-no-now-guile.patch
|
||||||
Patch2: gnutls-3.2.7-rpath.patch
|
Patch2: gnutls-3.2.7-rpath.patch
|
||||||
Patch3: gnutls-3.7.2-config-allowlisting.patch
|
Patch3: gnutls-3.7.2-enable-intel-cet.patch
|
||||||
Patch4: gnutls-3.7.2-key-share-ecdhx.patch
|
Patch4: gnutls-3.7.2-no-explicit-init.patch
|
||||||
Patch5: gnutls-3.7.2-enable-intel-cet.patch
|
|
||||||
Patch6: gnutls-3.7.2-libopts-covscan.patch
|
|
||||||
Patch7: gnutls-3.7.2-config-allowlisting-race.patch
|
|
||||||
Patch8: gnutls-3.7.2-no-explicit-init.patch
|
|
||||||
Patch9: gnutls-3.7.2-doc-hash-copy.patch
|
|
||||||
%bcond_with bootstrap
|
%bcond_with bootstrap
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
@ -30,7 +24,6 @@ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
|
|||||||
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
|
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
|
||||||
%if %{with bootstrap}
|
%if %{with bootstrap}
|
||||||
BuildRequires: automake, autoconf, gperf, libtool, texinfo
|
BuildRequires: automake, autoconf, gperf, libtool, texinfo
|
||||||
BuildRequires: autogen-libopts-devel >= 5.18, autogen
|
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: nettle-devel >= 3.5.1
|
BuildRequires: nettle-devel >= 3.5.1
|
||||||
%if %{with tpm12}
|
%if %{with tpm12}
|
||||||
@ -170,24 +163,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
|||||||
|
|
||||||
echo "SYSTEM=NORMAL" >> tests/system.prio
|
echo "SYSTEM=NORMAL" >> tests/system.prio
|
||||||
|
|
||||||
%if !%{with bootstrap}
|
|
||||||
# These are ordered by dependency:
|
|
||||||
touch doc/functions/* doc/enums/*
|
|
||||||
touch doc/enums.texi doc/gnutls-api.texi
|
|
||||||
touch doc/invoke-gnutls-cli.texi
|
|
||||||
touch doc/invoke-gnutls-cli-debug.texi
|
|
||||||
touch doc/invoke-gnutls-serv.texi
|
|
||||||
touch doc/invoke-certtool.texi
|
|
||||||
touch doc/invoke-ocsptool.texi
|
|
||||||
touch doc/invoke-danetool.texi
|
|
||||||
touch doc/invoke-srptool.texi
|
|
||||||
touch doc/invoke-psktool.texi
|
|
||||||
touch doc/invoke-p11tool.texi
|
|
||||||
touch doc/invoke-tpmtool.texi
|
|
||||||
touch doc/stamp_functions doc/stamp_enums
|
|
||||||
touch doc/gnutls.info doc/gnutls.html doc/manpages/stamp_mans
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Note that we explicitly enable SHA1, as SHA1 deprecation is handled
|
# Note that we explicitly enable SHA1, as SHA1 deprecation is handled
|
||||||
# via the crypto policies
|
# via the crypto policies
|
||||||
|
|
||||||
@ -325,6 +300,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 18 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
|
||||||
|
- Update to gnutls 3.7.3 (#2033220)
|
||||||
|
|
||||||
* Wed Dec 22 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-10
|
* Wed Dec 22 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-10
|
||||||
- Update gnutls_{hash,hmac}_copy man-pages as well (#1999639)
|
- Update gnutls_{hash,hmac}_copy man-pages as well (#1999639)
|
||||||
|
|
||||||
|
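Review bot: The new changelog line `- Update to gnutls 3.7.3 (#2033220)` does not record that the downstream patches Patch3/4/6/7/9 (config-allowlisting, key-share-ecdhx, libopts-covscan, config-allowlisting-race, doc-hash-copy) are dropped in the same change, so a later reader cannot tell whether the allowlisting mutex fix and the X25519/X448 key_share fix are carried by the 3.7.3 tarball or were lost; I would add `- Drop patches merged upstream: config-allowlisting, config-allowlisting-race, key-share-ecdhx, doc-hash-copy` and `- Drop libopts-covscan patch and autogen BuildRequires` after confirming each against the 3.7.3 release notes. The removal of `BuildRequires: autogen-libopts-devel >= 5.18, autogen` presumably reflects upstream no longer bundling libopts, but that is inferred, not shown here. The whole `touch doc/...` block under `%if !%{with bootstrap}` is also removed, which changes what the build may regenerate from the shipped docs; if that is intentional it deserves a changelog line too. The %prep and %build sections of the spec continue outside the hunks shown.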
4
sources
4
sources
@ -1,3 +1,3 @@
|
|||||||
SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329
|
SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
|
||||||
SHA512 (gnutls-3.7.2.tar.xz.sig) = fc3314c0ce5fb608352fcd8e19efd14435e4cfa5c0eb843d86febb6053fec7d46774b637037b96c5a621a7001f89d6c110f75bff96f94c2a77caf5d9c3aa9447
|
SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50
|
||||||
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
|
SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
|
||||||
|