diff --git a/wget-1.24.5-no-nettle.patch b/wget-1.24.5-no-nettle.patch
new file mode 100644
index 0000000..8d25624
--- /dev/null
+++ b/wget-1.24.5-no-nettle.patch
@@ -0,0 +1,153 @@
+From 9476ce232a3dcadc205e963eb69a567f478fde95 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 11 Dec 2024 17:14:58 +0900
+Subject: [PATCH] wget-1.24.5-no-nettle.patch
+
+---
+ src/http-ntlm.c | 91 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 68 insertions(+), 23 deletions(-)
+
+diff --git a/src/http-ntlm.c b/src/http-ntlm.c
+index ee054e0..9f5b50e 100644
+--- a/src/http-ntlm.c
++++ b/src/http-ntlm.c
+@@ -44,13 +44,14 @@ as that of the covered work. */
+
+ #include "utils.h"
+ #include "http-ntlm.h"
++#include "md4.h"
+
+-#ifdef HAVE_NETTLE
+-# include
++#ifdef HAVE_LIBGNUTLS
++# include
++#elif defined HAVE_NETTLE
+ # include
+ #else
+ # include
+-# include
+ # include
+
+ # if OPENSSL_VERSION_NUMBER < 0x00907001L
+@@ -164,7 +165,31 @@ ntlm_input (struct ntlmdata *ntlm, const char *header)
+ * Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
+ * key schedule ks is also set.
+ */
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++static void
++setup_des_key(unsigned char *key_56,
++ gnutls_cipher_hd_t *des)
++{
++ unsigned char key[8];
++ gnutls_datum_t _key;
++ int ret;
++
++ key[0] = key_56[0];
++ key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
++ key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
++ key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
++ key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
++ key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
++ key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
++ key[7] = (key_56[6] << 1) & 0xFF;
++
++ _key.data = key;
++ _key.size = sizeof(key);
++ ret = gnutls_cipher_init(des, GNUTLS_CIPHER_DES_CBC, &_key, NULL);
++ if (ret < 0)
++ abort ();
++}
++#elif defined HAVE_NETTLE
+ static void
+ setup_des_key(unsigned char *key_56,
+ struct des_ctx *des)
+@@ -211,7 +236,28 @@ setup_des_key(unsigned char *key_56,
+ static void
+ calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
+ {
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(keys, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(keys + 14, &des);
++ ret = gnutls_cipher_encrypt2(des, plaintext, 8, results + 16, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+ struct des_ctx des;
+
+ setup_des_key(keys, &des);
+@@ -274,7 +320,22 @@ mkhash(const char *password,
+
+ {
+ /* create LanManager hashed password */
+-#ifdef HAVE_NETTLE
++#ifdef HAVE_LIBGNUTLS
++ gnutls_cipher_hd_t des;
++ int ret;
++
++ setup_des_key(pw, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++
++ setup_des_key(pw + 7, &des);
++ ret = gnutls_cipher_encrypt2(des, magic, 8, lmbuffer + 8, 8);
++ if (ret < 0)
++ abort ();
++ gnutls_cipher_deinit(des);
++#elif defined HAVE_NETTLE
+ struct des_ctx des;
+
+ setup_des_key(pw, &des);
+@@ -301,12 +362,6 @@ mkhash(const char *password,
+
+ #ifdef USE_NTRESPONSES
+ {
+-#ifdef HAVE_NETTLE
+- struct md4_ctx MD4;
+-#else
+- MD4_CTX MD4;
+-#endif
+-
+ unsigned char pw4[64];
+
+ len = strlen (password);
+@@ -319,17 +374,7 @@ mkhash(const char *password,
+ pw4[2 * i + 1] = 0;
+ }
+
+-#ifdef HAVE_NETTLE
+- nettle_md4_init(&MD4);
+- nettle_md4_update(&MD4, (unsigned) (2 * len), pw4);
+- nettle_md4_digest(&MD4, MD4_DIGEST_SIZE, ntbuffer);
+-#else
+- /* create NT hashed password */
+- MD4_Init(&MD4);
+- MD4_Update(&MD4, pw4, 2 * len);
+- MD4_Final(ntbuffer, &MD4);
+-#endif
+-
++ md4_buffer((const char *) pw4, (unsigned) (2 * len), ntbuffer);
+ memset(ntbuffer + 16, 0, 5);
+ }
+
+--
+2.47.0
+
diff --git a/wget.spec b/wget.spec
index 7b7604c..4b30087 100644
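Review bot: In the new HAVE_LIBGNUTLS branch of `setup_des_key` a failing `gnutls_cipher_init` ends in `abort ()`, and the GnuTLS branches of `calc_resp` and `mkhash` abort the same way after `gnutls_cipher_encrypt2`; unlike the nettle and OpenSSL variants these calls can fail at runtime (for example when the GnuTLS build or the system crypto policy does not permit single DES), so a server that answers a credentialed request with `WWW-Authenticate: NTLM` would crash wget instead of producing an authentication error. Consider returning the GnuTLS status from `setup_des_key` and letting `calc_resp`/`mkhash` report failure to the NTLM caller; those callers and the nettle/OpenSSL bodies are outside this excerpt. A comment on the cipher choice would also help readers who expect DES-ECB here: `/* NTLM encrypts single 8-byte blocks with DES-ECB; DES-CBC with no IV (effectively zero) is equivalent for one block. */`. The `(unsigned) (2 * len)` cast carried into the new `md4_buffer` call narrows a `size_t` for a parameter that gnulib declares as `size_t`; it is only safe if `len` is clamped to `sizeof pw4 / 2` earlier in `mkhash`, which is not visible here, so passing `2 * len` unchanged or noting the clamp in a comment would make that invariant explicit.
```c
static int
setup_des_key(unsigned char *key_56,
              gnutls_cipher_hd_t *des)
{
  unsigned char key[8];
  gnutls_datum_t _key;

  /* … unchanged: 56-bit to 64-bit key expansion … */

  _key.data = key;
  _key.size = sizeof(key);
  /* NTLM encrypts single 8-byte blocks with DES-ECB; CBC with no IV is
     equivalent for one block.  Return the status instead of aborting so a
     GnuTLS build without DES degrades to an authentication failure.  */
  return gnutls_cipher_init(des, GNUTLS_CIPHER_DES_CBC, &_key, NULL);
}
```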
--- a/wget.spec
+++ b/wget.spec
@@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.24.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL-3.0-or-later AND LGPL-2.1-or-later AND GFDL-1.3-or-later
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
@@ -9,6 +9,7 @@ Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
 Patch1: wget-1.17-path.patch
 Patch3: wget-1.21-metalink-man.patch
 Patch5: wget-1.21-CVE-2024-38428.patch
+Patch6: wget-1.24.5-no-nettle.patch
 Provides: webclient
 Provides: bundled(gnulib)
@@ -18,7 +19,7 @@ BuildRequires: perl(lib)
 BuildRequires: perl(English)
 BuildRequires: perl(HTTP::Daemon)
 BuildRequires: python3
-BuildRequires: openssl-devel
+BuildRequires: gnutls-devel
 BuildRequires: pkgconfig
 BuildRequires: texinfo
 BuildRequires: gettext
@@ -31,6 +32,7 @@ BuildRequires: gpgme-devel
 BuildRequires: gcc
 BuildRequires: zlib-devel
 BuildRequires: git-core
+BuildRequires: nettle-devel
 %description
 GNU Wget is a file retrieval utility which can use either the HTTP or
@@ -50,11 +52,12 @@ grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1
 %build
 %configure \
- --with-ssl=openssl \
+ --with-ssl=gnutls \
 --with-libpsl \
 --enable-largefile \
 --enable-opie \
 --enable-digest \
+ --enable-ntlm \
 --enable-nls \
 --enable-ipv6 \
 --disable-rpath
@@ -80,6 +83,11 @@ make check
 %{_infodir}/*
 %changelog
+* Wed Dec 11 2024 Daiki Ueno - 1.24.5-5
+- Revert back to using GnuTLS as the TLS backend
+- Use bundled implementation of MD4 for NTLM
+ Resolves: RHEL-69748 - wget cannot open pkcs11 uri
+
 * Thu Nov 07 2024 Michal Ruprich - 1.24.5-4
 - Resolves: RHEL-59862 - Avoid direct usage of nettle functions
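Review bot: The added `BuildRequires: nettle-devel` in the fourth hunk carries no comment explaining why it is still needed when Patch6 and the 1.24.5-4 changelog entry both remove direct use of nettle; presumably it satisfies wget's configure checks for the GnuTLS backend, but a maintainer trimming build dependencies later cannot tell that from the spec. A one-line comment above it such as `# required by configure for the gnutls backend; http-ntlm.c no longer calls nettle directly (Patch6)`, adjusted to the actual reason, would settle that. In the %build hunk `--enable-ntlm` is newly passed while the changelog entry only mentions the TLS backend and MD4, yet this is what compiles the DES/MD4-based NTLM path that Patch6 introduces, so a changelog line like `- Explicitly enable NTLM authentication` would record the functional change. It is also worth confirming that the `make check` run shown in the last hunk's context exercises NTLM with the GnuTLS build, since the GnuTLS DES branch is brand new and the existing tests were written against the nettle and OpenSSL variants.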