Further patches for TLS1.3 deployment

gnutls-3.6.3-gnutls-cli-fix.patch

@@ -0,0 +1,12 @@
+diff --git a/src/cli.c b/src/cli.c
+index 21be015dc..42d027736 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -1273,7 +1273,6 @@ int main(int argc, char **argv)
+ 				}
+ 				continue;
+ 			}
+-			bytes=strlen(buffer);
+ 			buffer[bytes] = 0;
+ 
+ 			if (crlf != 0) {

gnutls-3.6.3-rollback-fix.patch

@@ -0,0 +1,65 @@
+diff --git a/lib/handshake.c b/lib/handshake.c
+index ebea926aa..8dce170fe 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -248,6 +248,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *
+ 	memcpy(session->security_parameters.server_random, rnd,
+ 	       GNUTLS_RANDOM_SIZE);
+ 
++#if 0 /* This was not supposed to be checked in draft-versions */
+ 	/* check whether the server random value is set according to
+ 	 * to TLS 1.3. p4.1.3 requirements */
+ 	if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
+@@ -272,6 +273,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *
+ 			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ 		}
+ 	}
++#endif
+ 
+ 	return 0;
+ }
+@@ -291,6 +293,7 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+ 
+ 	max = _gnutls_version_max(session);
+ 
++#if 0
+ 	if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
+ 	    version <= GNUTLS_TLS1_2) {
+ 		if (version == GNUTLS_TLS1_2) {
+@@ -303,7 +306,9 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+ 		ret =
+ 		    gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
+ 
+-	} else {
++	} else
++#endif
++	{
+ 		ret =
+ 		    gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
+ 	}
+diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c
+index f573596c5..6934b2507 100644
+--- a/tests/tls13/rnd-check-rollback-val.c
++++ b/tests/tls13/rnd-check-rollback-val.c
+@@ -222,6 +222,8 @@ void doit(void)
+ 	int ret;
+ 	pid_t child;
+ 
++	exit(77);
++
+ 	signal(SIGCHLD, ch_handler);
+ 	signal(SIGPIPE, SIG_IGN);
+ 
+diff --git a/tests/tls13/rnd-rollback-detection.c b/tests/tls13/rnd-rollback-detection.c
+index 0d1ef0149..8cbb658cf 100644
+--- a/tests/tls13/rnd-rollback-detection.c
++++ b/tests/tls13/rnd-rollback-detection.c
+@@ -206,6 +206,8 @@ void doit(void)
+ 	int ret;
+ 	pid_t child;
+ 
++	exit(77);
++
+ 	signal(SIGCHLD, ch_handler);
+ 	signal(SIGPIPE, SIG_IGN);
+ 

gnutls.spec

@@ -1,11 +1,13 @@
 # This spec file has been automatically updated
 Version:	3.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Patch1:	gnutls-3.2.7-rpath.patch
 Patch2:	gnutls-3.4.2-no-now-guile.patch
 Patch3:	gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch
 Patch4: gnutls-3.6.3-backport-upstream-fixes.patch
 Patch5: gnutls-3.6.3-fix-ecdsa.patch
+Patch6: gnutls-3.6.3-gnutls-cli-fix.patch
+Patch7: gnutls-3.6.3-rollback-fix.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -156,6 +158,8 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@@ -311,6 +315,11 @@ fi
 %endif
 
 %changelog
+* Thu Aug 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-4
+- Fixed gnutls-cli input reading
+- Ensure that we do not cause issues with version rollback detection
+  and TLS1.3.
+
 * Tue Aug 07 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.3-3
 - Fixed ECDSA public key import (#1612803)