From bb2c5903d1bfd05f8fc973bb425383ae3c190d3b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 16 Aug 2018 09:16:02 +0200
Subject: [PATCH] Further patches for TLS1.3 deployment
---
 gnutls-3.6.3-gnutls-cli-fix.patch | 12 ++++++
 gnutls-3.6.3-rollback-fix.patch | 65 +++++++++++++++++++++++++++++++
 gnutls.spec | 11 +++++-
 3 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.6.3-gnutls-cli-fix.patch
 create mode 100644 gnutls-3.6.3-rollback-fix.patch
diff --git a/gnutls-3.6.3-gnutls-cli-fix.patch b/gnutls-3.6.3-gnutls-cli-fix.patch
new file mode 100644
index 0000000..fbad690
--- /dev/null
+++ b/gnutls-3.6.3-gnutls-cli-fix.patch
@@ -0,0 +1,12 @@
+diff --git a/src/cli.c b/src/cli.c
+index 21be015dc..42d027736 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -1273,7 +1273,6 @@ int main(int argc, char **argv)
+ }
+ continue;
+ }
+- bytes=strlen(buffer);
+ buffer[bytes] = 0;
+
+ if (crlf != 0) {
diff --git a/gnutls-3.6.3-rollback-fix.patch b/gnutls-3.6.3-rollback-fix.patch
new file mode 100644
index 0000000..925382f
--- /dev/null
+++ b/gnutls-3.6.3-rollback-fix.patch
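Review bot: `buffer[bytes] = 0;` in the src/cli.c hunk now relies entirely on the value `bytes` was given earlier in main(), which the hunk does not show, and nothing visible bounds it against the size of `buffer`. If the read that sets `bytes` can fill the whole buffer, the terminator is written one byte past its end, so the read length should be capped at the buffer size minus one. A comment at the store would record that assumption, for example `/* bytes comes from the read above, which leaves room for this terminator */`. main() begins and ends outside the hunk, so the read call and the declaration of `buffer` need checking in the full file.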
@@ -0,0 +1,65 @@
+diff --git a/lib/handshake.c b/lib/handshake.c
+index ebea926aa..8dce170fe 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -248,6 +248,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *
+ memcpy(session->security_parameters.server_random, rnd,
+ GNUTLS_RANDOM_SIZE);
+
++#if 0 /* This was not supposed to be checked in draft-versions */
+ /* check whether the server random value is set according to
+ * to TLS 1.3. p4.1.3 requirements */
+ if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
+@@ -272,6 +273,7 @@ int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ }
+ }
++#endif
+
+ return 0;
+ }
+@@ -291,6 +293,7 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+
+ max = _gnutls_version_max(session);
+
++#if 0
+ if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
+ version <= GNUTLS_TLS1_2) {
+ if (version == GNUTLS_TLS1_2) {
+@@ -303,7 +306,9 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+ ret =
+ gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
+
+- } else {
++ } else
++#endif
++ {
+ ret =
+ gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
+ }
+diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c
+index f573596c5..6934b2507 100644
+--- a/tests/tls13/rnd-check-rollback-val.c
++++ b/tests/tls13/rnd-check-rollback-val.c
+@@ -222,6 +222,8 @@ void doit(void)
+ int ret;
+ pid_t child;
+
++ exit(77);
++
+ signal(SIGCHLD, ch_handler);
+ signal(SIGPIPE, SIG_IGN);
+
+diff --git a/tests/tls13/rnd-rollback-detection.c b/tests/tls13/rnd-rollback-detection.c
+index 0d1ef0149..8cbb658cf 100644
+--- a/tests/tls13/rnd-rollback-detection.c
++++ b/tests/tls13/rnd-rollback-detection.c
+@@ -206,6 +206,8 @@ void doit(void)
+ int ret;
+ pid_t child;
+
++ exit(77);
++
+ signal(SIGCHLD, ch_handler);
+ signal(SIGPIPE, SIG_IGN);
+
diff --git a/gnutls.spec b/gnutls.spec
index efe9d5d..e916416 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,11 +1,13 @@
 # This spec file has been automatically updated
 Version: 3.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Patch1: gnutls-3.2.7-rpath.patch
 Patch2: gnutls-3.4.2-no-now-guile.patch
 Patch3: gnutls-3.6.3-skip-new-priority-funcs-err-pos.patch
 Patch4: gnutls-3.6.3-backport-upstream-fixes.patch
 Patch5: gnutls-3.6.3-fix-ecdsa.patch
+Patch6: gnutls-3.6.3-gnutls-cli-fix.patch
+Patch7: gnutls-3.6.3-rollback-fix.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -156,6 +158,8 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@@ -311,6 +315,11 @@ fi
 %endif
 %changelog
+* Thu Aug 16 2018 Nikos Mavrogiannopoulos - 3.6.3-4
+- Fixed gnutls-cli input reading
+- Ensure that we do not cause issues with version rollback detection
+ and TLS1.3.
+
 * Tue Aug 07 2018 Nikos Mavrogiannopoulos - 3.6.3-3
 - Fixed ECDSA public key import (#1612803)
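Review bot: The two `#if 0` guards in lib/handshake.c switch off both halves of the TLS 1.3 rollback signal, the client-side check of the server random in _gnutls_set_server_random and the server-side marker in _gnutls_gen_server_random, and nothing in the code says when they are meant to come back. While they are off, a session that ends up on TLS 1.2 or lower carries no indication in the server random that a downgrade took place, so the condition for re-enabling belongs next to the guard; the second guard has no comment at all and could read `#if 0 /* rollback marker disabled together with the check in _gnutls_set_server_random; restore both together */`. The `} else` / `#endif` / `{` split is easy to break in a later edit and would read more safely as a separate unconditional branch. In both test files the unconditional `exit(77);` leaves the rest of doit() unreachable with no explanation, and `exit(77); /* skipped: rollback detection disabled by gnutls-3.6.3-rollback-fix.patch */` would say why. All of the touched functions continue outside their hunks, so the disabled bodies are only partly visible here.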