diff --git a/.gnutls.metadata b/.gnutls.metadata index 3939140..d808294 100644 --- a/.gnutls.metadata +++ b/.gnutls.metadata @@ -1 +1 @@ -4855db9457aff5c00d35827097171d51f367237f SOURCES/gnutls-3.1.16-hobbled.tar.xz +928dac9a2ea7b2de57bf9fdb62194aac22117df9 SOURCES/gnutls-3.1.18-hobbled.tar.xz diff --git a/SOURCES/ecc.c b/SOURCES/ecc.c index 7ca1776..f4869b0 100644 --- a/SOURCES/ecc.c +++ b/SOURCES/ecc.c @@ -56,6 +56,19 @@ static const gnutls_ecc_curve_entry_st ecc_curves[] = { .Gx = "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", .Gy = "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F" }, + { + .name = "SECP521R1", + .oid = "1.3.132.0.35", + .id = GNUTLS_ECC_CURVE_SECP521R1, + .tls_id = 25, + .size = 66, + .prime = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + .A = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", + .B = "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", + .order = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", + .Gx = "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", + .Gy = "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", + }, {0, 0, 0} }; diff --git a/SOURCES/gnutls-3.1.11-suiteb.patch b/SOURCES/gnutls-3.1.11-suiteb.patch deleted file mode 100644 index c4dd390..0000000 --- a/SOURCES/gnutls-3.1.11-suiteb.patch +++ /dev/null @@ -1,119 +0,0 @@ -diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c ---- gnutls-3.1.11/lib/gnutls_ecc.c.suiteb 2013-04-27 10:04:48.000000000 +0200 -+++ gnutls-3.1.11/lib/gnutls_ecc.c 2013-05-23 10:08:45.331883555 +0200 -@@ -129,6 +129,12 @@ int ret; - goto cleanup; - } - params->params_nr++; -+ -+ if (_gnutls_mpi_get_nbits(params->params[ECC_PRIME]) < 256) -+ { -+ ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); -+ goto cleanup; -+ } - - val_size = sizeof(val); - ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size); -diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c ---- gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb 2013-04-27 10:04:48.000000000 +0200 -+++ gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c 2013-05-23 10:24:56.575967312 +0200 -@@ -42,6 +42,7 @@ typedef struct - - /* global cache */ - static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL; -+static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache_last = NULL; - - /* free single cache entry */ - static void -@@ -63,9 +64,10 @@ ecc_wmnaf_cache_free (void) - gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache; - if (p) - { -- for (; p->id != GNUTLS_ECC_CURVE_INVALID; ++p) -+ for (; p <= ecc_wmnaf_cache_last; ++p) - { -- _ecc_wmnaf_cache_entry_free (p); -+ if (p->id != GNUTLS_ECC_CURVE_INVALID) -+ _ecc_wmnaf_cache_entry_free (p); - } - - free (ecc_wmnaf_cache); -@@ -198,7 +200,7 @@ ecc_wmnaf_cache_init (void) - const gnutls_ecc_curve_t *p; - - ret = (gnutls_ecc_curve_cache_entry_t *) -- malloc (MAX_ALGOS * sizeof (gnutls_ecc_curve_cache_entry_t)); -+ calloc (MAX_ALGOS, sizeof (gnutls_ecc_curve_cache_entry_t)); - if (ret == NULL) - return GNUTLS_E_MEMORY_ERROR; - -@@ -207,12 +209,16 @@ ecc_wmnaf_cache_init (void) - - for (j = 0; *p; ++p, ++j) - { -- if ((err = _ecc_wmnaf_cache_entry_init (ret + *p - 1, *p)) != 0) -+ gnutls_ecc_curve_cache_entry_t *entry; -+ -+ entry = ret + *p - 1; -+ if ((err = _ecc_wmnaf_cache_entry_init (entry, *p)) != 0) - goto done; -+ if (ecc_wmnaf_cache_last < entry) -+ ecc_wmnaf_cache_last = entry; - } - -- /* nullify last cache entry id */ -- ret[j].id = GNUTLS_ECC_CURVE_INVALID; -+ /* no need to nullify last cache entry id, done by calloc */ - - err = GNUTLS_E_SUCCESS; - -@@ -223,7 +229,8 @@ done: - int i; - for (i = 0; i < j; ++i) - { -- _ecc_wmnaf_cache_entry_free (ret + i); -+ --p; -+ _ecc_wmnaf_cache_entry_free (ret + *p - 1); - } - - free (ret); -@@ -445,9 +452,11 @@ ecc_mulmod_cached_lookup (mpz_t k, ecc_p - if (k == NULL || G == NULL || R == NULL || modulus == NULL) - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - -- for (i = 0; (id = ecc_wmnaf_cache[i].id); ++i) -+ for (i = 0; ecc_wmnaf_cache + i <= ecc_wmnaf_cache_last; ++i) - { -- if (!(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) && -+ id = ecc_wmnaf_cache[i].id; -+ if (id && -+ !(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) && - !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y))) - { - break; -diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c ---- gnutls-3.1.11/tests/mini-xssl.c.suiteb 2013-05-10 10:10:27.000000000 +0200 -+++ gnutls-3.1.11/tests/mini-xssl.c 2013-05-23 11:58:22.670298910 +0200 -@@ -27,7 +27,8 @@ - #include - #include - --#if defined(_WIN32) -+/* uses unsupported curves */ -+#if 1 - - int main() - { -diff -up gnutls-3.1.11/tests/pkcs12_simple.c.suiteb gnutls-3.1.11/tests/pkcs12_simple.c ---- gnutls-3.1.11/tests/pkcs12_simple.c.suiteb 2013-05-10 10:10:27.000000000 +0200 -+++ gnutls-3.1.11/tests/pkcs12_simple.c 2013-05-23 11:57:59.776799848 +0200 -@@ -50,6 +50,9 @@ doit (void) - gnutls_x509_privkey_t pkey; - int ret; - -+ /* uses unsupported curves */ -+ exit(77); -+ - ret = global_init (); - if (ret < 0) - fail ("global_init failed %d\n", ret); diff --git a/SOURCES/gnutls-3.1.17-rpath.patch b/SOURCES/gnutls-3.1.17-rpath.patch new file mode 100644 index 0000000..bac0981 --- /dev/null +++ b/SOURCES/gnutls-3.1.17-rpath.patch @@ -0,0 +1,29 @@ +diff -ur gnutls-3.1.17.orig/configure gnutls-3.1.17/configure +--- gnutls-3.1.17.orig/configure 2013-11-23 10:55:26.000000000 +0100 ++++ gnutls-3.1.17/configure 2013-11-26 11:33:04.865342480 +0100 +@@ -49103,7 +49103,7 @@ + shlibpath_overrides_runpath=unknown + version_type=none + dynamic_linker="$host_os ld.so" +-sys_lib_dlsearch_path_spec="/lib /usr/lib" ++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -52940,7 +52940,7 @@ + shlibpath_overrides_runpath=unknown + version_type=none + dynamic_linker="$host_os ld.so" +-sys_lib_dlsearch_path_spec="/lib /usr/lib" ++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" + need_lib_prefix=unknown + hardcode_into_libs=no + +Only in gnutls-3.1.17: configure~ +Only in gnutls-3.1.17.orig/lib/algorithms: ecc.c +Only in gnutls-3.1.17.orig/lib/auth: srp.c +Only in gnutls-3.1.17.orig/lib/auth: srp_passwd.c +Only in gnutls-3.1.17.orig/lib/auth: srp_rsa.c +Only in gnutls-3.1.17.orig/lib/auth: srp_sb64.c +Only in gnutls-3.1.17.orig/lib/ext: srp.c +Only in gnutls-3.1.17.orig/lib: gnutls_srp.c diff --git a/SOURCES/gnutls-3.1.18-cve-2014-0092.patch b/SOURCES/gnutls-3.1.18-cve-2014-0092.patch new file mode 100644 index 0000000..a0684bb --- /dev/null +++ b/SOURCES/gnutls-3.1.18-cve-2014-0092.patch @@ -0,0 +1,128 @@ +From 43ad7b2ad231489b7ada46e2f34deb82d64dd54d Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 19 Feb 2014 11:10:26 +0100 +Subject: [PATCH] corrected return codes. + +--- + lib/x509/verify.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index 86a901e..d3f349b 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -106,7 +106,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -115,7 +115,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -123,7 +123,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -131,7 +131,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + /* If the subject certificate is the same as the issuer +@@ -183,6 +183,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + else + gnutls_assert (); + ++fail: + result = 0; + + cleanup: +@@ -408,14 +409,15 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (issuer_version < 0) + { + gnutls_assert (); +- return issuer_version; ++ result = 0; ++ goto cleanup; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && + ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) + || issuer_version != 1)) + { +- if (check_if_ca (cert, issuer, max_path, flags) == 0) ++ if (check_if_ca (cert, issuer, max_path, flags) != 1) + { + gnutls_assert (); + out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; +@@ -446,6 +448,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -454,6 +457,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -461,6 +465,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -481,6 +486,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert, + else if (result < 0) + { + gnutls_assert(); ++ result = 0; + goto cleanup; + } + +@@ -650,7 +656,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1], + trusted_cas, tcas_size, flags, &output, + &issuer, now, &max_path, func); +- if (ret == 0) ++ if (ret != 1) + { + /* if the last certificate in the certificate + * list is invalid, then the certificate is not +@@ -681,7 +687,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + if ((ret = + _gnutls_verify_certificate2 (certificate_list[i - 1], + &certificate_list[i], 1, flags, +- &output, NULL, now, &max_path, func)) == 0) ++ &output, NULL, now, &max_path, func)) != 1) + { + status |= output; + status |= GNUTLS_CERT_INVALID; +-- +1.8.5.3 + diff --git a/SOURCES/gnutls-3.1.18-suiteb.patch b/SOURCES/gnutls-3.1.18-suiteb.patch new file mode 100644 index 0000000..8b5974c --- /dev/null +++ b/SOURCES/gnutls-3.1.18-suiteb.patch @@ -0,0 +1,141 @@ +diff -ur gnutls-3.1.18.orig/lib/gnutls_ecc.c gnutls-3.1.18/lib/gnutls_ecc.c +--- gnutls-3.1.18.orig/lib/gnutls_ecc.c 2013-04-02 22:27:35.000000000 +0200 ++++ gnutls-3.1.18/lib/gnutls_ecc.c 2014-01-02 09:13:27.383415863 +0100 +@@ -129,6 +129,12 @@ + goto cleanup; + } + params->params_nr++; ++ ++ if (_gnutls_mpi_get_nbits(params->params[ECC_PRIME]) < 256) ++ { ++ ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); ++ goto cleanup; ++ } + + val_size = sizeof(val); + ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size); +diff -ur gnutls-3.1.18.orig/lib/gnutls_priority.c gnutls-3.1.18/lib/gnutls_priority.c +--- gnutls-3.1.18.orig/lib/gnutls_priority.c 2013-11-19 18:36:38.000000000 +0100 ++++ gnutls-3.1.18/lib/gnutls_priority.c 2014-01-02 09:13:27.384415875 +0100 +@@ -245,8 +245,6 @@ + } + + static const int supported_ecc_normal[] = { +- GNUTLS_ECC_CURVE_SECP192R1, +- GNUTLS_ECC_CURVE_SECP224R1, + GNUTLS_ECC_CURVE_SECP256R1, + GNUTLS_ECC_CURVE_SECP384R1, + GNUTLS_ECC_CURVE_SECP521R1, +diff -ur gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c +--- gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c 2013-04-02 22:27:35.000000000 +0200 ++++ gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c 2014-01-02 10:26:08.425986981 +0100 +@@ -42,6 +42,7 @@ + + /* global cache */ + static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL; ++static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache_last = NULL; + + /* free single cache entry */ + static void +@@ -63,13 +64,15 @@ + gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache; + if (p) + { +- for (; p->id != GNUTLS_ECC_CURVE_INVALID; ++p) ++ for (; p <= ecc_wmnaf_cache_last; ++p) + { +- _ecc_wmnaf_cache_entry_free (p); ++ if (p->id != GNUTLS_ECC_CURVE_INVALID) ++ _ecc_wmnaf_cache_entry_free (p); + } + + free (ecc_wmnaf_cache); + ecc_wmnaf_cache = NULL; ++ ecc_wmnaf_cache_last = NULL; + } + } + +@@ -198,7 +201,7 @@ + const gnutls_ecc_curve_t *p; + + ret = (gnutls_ecc_curve_cache_entry_t *) +- malloc (MAX_ALGOS * sizeof (gnutls_ecc_curve_cache_entry_t)); ++ calloc (MAX_ALGOS, sizeof (gnutls_ecc_curve_cache_entry_t)); + if (ret == NULL) + return GNUTLS_E_MEMORY_ERROR; + +@@ -207,12 +210,16 @@ + + for (j = 0; *p; ++p, ++j) + { +- if ((err = _ecc_wmnaf_cache_entry_init (ret + *p - 1, *p)) != 0) ++ gnutls_ecc_curve_cache_entry_t *entry; ++ ++ entry = ret + *p - 1; ++ if ((err = _ecc_wmnaf_cache_entry_init (entry, *p)) != 0) + goto done; ++ if (ecc_wmnaf_cache_last < entry) ++ ecc_wmnaf_cache_last = entry; + } + +- /* nullify last cache entry id */ +- ret[j].id = GNUTLS_ECC_CURVE_INVALID; ++ /* no need to nullify last cache entry id, done by calloc */ + + err = GNUTLS_E_SUCCESS; + +@@ -223,11 +230,13 @@ + int i; + for (i = 0; i < j; ++i) + { +- _ecc_wmnaf_cache_entry_free (ret + i); ++ --p; ++ _ecc_wmnaf_cache_entry_free (ret + *p - 1); + } + + free (ret); + ecc_wmnaf_cache = NULL; ++ ecc_wmnaf_cache_last = NULL; + } + return err; + } +@@ -445,9 +454,11 @@ + if (k == NULL || G == NULL || R == NULL || modulus == NULL) + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + +- for (i = 0; (id = ecc_wmnaf_cache[i].id); ++i) ++ for (i = 0; ecc_wmnaf_cache + i <= ecc_wmnaf_cache_last; ++i) + { +- if (!(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) && ++ id = ecc_wmnaf_cache[i].id; ++ if (id && ++ !(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) && + !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y))) + { + break; +diff -ur gnutls-3.1.18.orig/tests/mini-xssl.c gnutls-3.1.18/tests/mini-xssl.c +--- gnutls-3.1.18.orig/tests/mini-xssl.c 2013-05-30 08:50:22.000000000 +0200 ++++ gnutls-3.1.18/tests/mini-xssl.c 2014-01-02 09:13:27.384415875 +0100 +@@ -27,7 +27,8 @@ + #include + #include + +-#if defined(_WIN32) ++/* uses unsupported curves */ ++#if 1 + + int main() + { +diff -ur gnutls-3.1.18.orig/tests/pkcs12_simple.c gnutls-3.1.18/tests/pkcs12_simple.c +--- gnutls-3.1.18.orig/tests/pkcs12_simple.c 2013-05-21 20:27:20.000000000 +0200 ++++ gnutls-3.1.18/tests/pkcs12_simple.c 2014-01-02 09:13:27.384415875 +0100 +@@ -50,6 +50,9 @@ + gnutls_x509_privkey_t pkey; + int ret; + ++ /* uses unsupported curves */ ++ exit(77); ++ + ret = global_init (); + if (ret < 0) + fail ("global_init failed %d\n", ret); diff --git a/SOURCES/gnutls-3.1.18-v1-fix.patch b/SOURCES/gnutls-3.1.18-v1-fix.patch new file mode 100644 index 0000000..5964af5 --- /dev/null +++ b/SOURCES/gnutls-3.1.18-v1-fix.patch @@ -0,0 +1,16 @@ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index cb8289e..86a901e 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + * certificates can exist in a supplied chain. + */ + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) +- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ++ { ++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; ++ } + if ((ret = + _gnutls_verify_certificate2 (certificate_list[i - 1], + &certificate_list[i], 1, flags, diff --git a/SOURCES/gnutls-3.1.7-rpath.patch b/SOURCES/gnutls-3.1.7-rpath.patch deleted file mode 100644 index d087db9..0000000 --- a/SOURCES/gnutls-3.1.7-rpath.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -up gnutls-3.1.7/configure.rpath gnutls-3.1.7/configure ---- gnutls-3.1.7/configure.rpath 2013-02-04 02:40:23.000000000 +0100 -+++ gnutls-3.1.7/configure 2013-02-05 21:04:57.128932440 +0100 -@@ -48519,7 +48519,7 @@ shlibpath_var= - shlibpath_overrides_runpath=unknown - version_type=none - dynamic_linker="$host_os ld.so" --sys_lib_dlsearch_path_spec="/lib /usr/lib" -+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" - need_lib_prefix=unknown - hardcode_into_libs=no - -@@ -48962,7 +48962,7 @@ fi - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on -@@ -52353,7 +52353,7 @@ shlibpath_var= - shlibpath_overrides_runpath=unknown - version_type=none - dynamic_linker="$host_os ld.so" --sys_lib_dlsearch_path_spec="/lib /usr/lib" -+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" - need_lib_prefix=unknown - hardcode_into_libs=no - -@@ -52794,7 +52794,7 @@ fi - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/SOURCES/hobble-gnutls b/SOURCES/hobble-gnutls index 8b9633d..9fd507e 100755 --- a/SOURCES/hobble-gnutls +++ b/SOURCES/hobble-gnutls @@ -8,8 +8,8 @@ else fi # SRP -for f in auth_srp_sb64.c auth_srp_passwd.c auth_srp_rsa.c \ - gnutls_srp.c auth_srp.c ext_srp.c ; do +for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \ + gnutls_srp.c auth/srp.c ext/srp.c ; do eval "$CMD lib/$f" done diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 01b1542..4505bb1 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -2,18 +2,21 @@ %bcond_with guile Summary: A TLS protocol implementation Name: gnutls -Version: 3.1.16 -Release: 1%{?dist} +Version: 3.1.18 +Release: 8%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+, however # the bundled gnulib is LGPLv3+ License: GPLv3+ and LGPLv2+ and LGPLv3+ Group: System Environment/Libraries BuildRequires: p11-kit-devel >= 0.11, gettext BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.1 -BuildRequires: lzo-devel, libtool, automake, autoconf, texinfo +BuildRequires: libtool, automake, autoconf, texinfo BuildRequires: nettle-devel >= 2.5 +BuildRequires: libidn-devel +BuildRequires: autogen-libopts-devel >= 5.18 autogen +#BuildRequires: trousers-devel >= 0.3.11.2 %if %{with dane} -BuildRequires: unbound-devel +BuildRequires: unbound-devel unbound-libs %endif %if %{with guile} BuildRequires: guile-devel @@ -26,13 +29,15 @@ Source0: %{name}-%{version}-hobbled.tar.xz Source1: libgnutls-config Source2: hobble-gnutls Source3: ecc.c -Patch1: gnutls-3.1.7-rpath.patch +Patch1: gnutls-3.1.17-rpath.patch +Patch2: gnutls-3.1.18-v1-fix.patch # Use only FIPS approved ciphers in the FIPS mode Patch7: gnutls-2.12.21-fips-algorithms.patch Patch8: gnutls-3.1.11-nosrp.patch # Use random port in some tests to avoid conflicts during simultaneous builds on the same machine Patch9: gnutls-3.1.10-tests-rndport.patch -Patch10: gnutls-3.1.11-suiteb.patch +Patch10: gnutls-3.1.18-suiteb.patch +Patch11: gnutls-3.1.18-cve-2014-0092.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 @@ -77,44 +82,56 @@ Requires: guile %endif %description -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. %description c++ -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. This package contains the C++ interface for the GnuTLS library. %description devel -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. This package contains files needed for developing applications with the GnuTLS library. %description utils -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. This package contains command line TLS client and server and certificate manipulation tools. %if %{with dane} %description dane -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. This package contains library that implements the DANE protocol for verifying TLS certificates through DNSSEC. %endif %if %{with guile} %description guile -GnuTLS is a project that aims to develop a library which provides a secure -layer, over a reliable transport layer. Currently the GnuTLS library implements -the proposed standards by the IETF's TLS working group. +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. This package contains Guile bindings for the library. %endif @@ -122,16 +139,19 @@ This package contains Guile bindings for the library. %setup -q %patch1 -p1 -b .rpath +%patch2 -p1 -b .v1-fix # This patch is not applicable as we use nettle now but some parts will be # later reused. #%patch7 -p1 -b .fips %patch8 -p1 -b .nosrp %patch9 -p1 -b .rndport %patch10 -p1 -b .suiteb +%patch11 -p1 -b .cve-2014-0092 %{SOURCE2} -e cp -f %{SOURCE3} lib/algorithms +rm -f doc/gnutls.info* %build @@ -141,6 +161,7 @@ export LDFLAGS="-Wl,--no-add-needed" --with-included-libcfg \ --disable-static \ --disable-openssl-compatibility \ + --without-tpm \ --disable-srp-authentication \ %if %{with guile} --enable-guile \ @@ -151,6 +172,7 @@ export LDFLAGS="-Wl,--no-add-needed" --disable-guile \ %endif %if %{with dane} + --with-unbound-root-key-file=/var/lib/unbound/root.key \ --enable-dane \ %else --disable-dane \ @@ -167,6 +189,7 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-extra-config rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tpmtool.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp* rm -f $RPM_BUILD_ROOT%{_infodir}/dir rm -f $RPM_BUILD_ROOT%{_libdir}/*.la @@ -235,6 +258,7 @@ fi %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool +%{_bindir}/crywrap %if %{with dane} %{_bindir}/danetool %endif @@ -257,6 +281,31 @@ fi %endif %changelog +* Tue Feb 25 2014 Nikos Mavrogiannopoulos - 3.1.18-8 +- fixes CVE-2014-0092 (#1071815) + +* Fri Feb 14 2014 Nikos Mavrogiannopoulos - 3.1.18-7 +- fixes CVE-2014-1959 + +* Fri Jan 24 2014 Daniel Mach - 3.1.18-6 +- Mass rebuild 2014-01-24 + +* Tue Jan 14 2014 Nikos Mavrogiannopoulos 3.1.18-5 +- Fixed issue with gnutls.info not being available (#1053487) + +* Tue Jan 14 2014 Tomáš Mráz 3.1.18-4 +- build the crywrap tool + +* Thu Jan 02 2014 Nikos Mavrogiannopoulos - 3.1.18-3 +- fixes crash in gnutls_global_deinit (#1047037) + +* Fri Dec 27 2013 Daniel Mach - 3.1.18-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 23 2013 Nikos Mavrogiannopoulos 3.1.18-1 +- new upstream release (#1040886) +- Use the correct root key for unbound + * Tue Nov 5 2013 Tomáš Mráz 3.1.16-1 - new upstream release - fixes CVE-2013-4466 off-by-one in dane_query_tlsa()