!44 update package version to 3.7.2

From: @wcc_140409 Reviewed-by: Signed-off-by:
2021-11-26 07:57:04 +00:00 · 2021-11-26 07:57:04 +00:00 · 63617d89f0
commit 63617d89f0
parent cdca07742f 5eb7782406
10 changed files with 10 additions and 380 deletions
--- a/backport-CVE-2021-20231.patch
+++ b/backport-CVE-2021-20231.patch
@ -1,62 +0,0 @@
-From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 29 Jan 2021 14:06:32 +0100
-Subject: [PATCH] key_share: avoid use-after-free around realloc
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- lib/ext/key_share.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
-index ab8abf8fe6..a8c4bb5cff 100644
--- a/lib/ext/key_share.c
-+++ b/lib/ext/key_share.c
-@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
- {
- 	unsigned i;
- 	int ret;
-	unsigned char *lengthp;
-	unsigned int cur_length;
- 	unsigned int generated = 0;
- 	const gnutls_group_entry_st *group;
- 	const version_entry_st *ver;
- 
- 	/* this extension is only being sent on client side */
- 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
-+		unsigned int length_pos;
-+
- 		ver = _gnutls_version_max(session);
- 		if (unlikely(ver == NULL || ver->key_shares == 0))
- 			return 0;
-@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
- 		if (!have_creds_for_tls13(session))
- 			return 0;
- 
-		/* write the total length later */
-		lengthp = &extdata->data[extdata->length];
-+		length_pos = extdata->length;
- 
- 		ret =
- 		    _gnutls_buffer_append_prefix(extdata, 16, 0);
- 		if (ret < 0)
- 			return gnutls_assert_val(ret);
- 
-		cur_length = extdata->length;
-
- 		if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
- 			group = get_group(session);
- 			if (unlikely(group == NULL))
-@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
- 		}
- 
- 		/* copy actual length */
-		_gnutls_write_uint16(extdata->length - cur_length, lengthp);
-+		_gnutls_write_uint16(extdata->length - length_pos - 2,
-+				     &extdata->data[length_pos]);
- 
- 	} else { /* server */
- 		ver = get_version(session);
-- 
-GitLab
-
--- a/backport-CVE-2021-20232.patch
+++ b/backport-CVE-2021-20232.patch
@ -1,60 +0,0 @@
-From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 29 Jan 2021 14:06:50 +0100
-Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- lib/ext/pre_shared_key.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
-index a042c6488e..380bf39ed5 100644
--- a/lib/ext/pre_shared_key.c
-+++ b/lib/ext/pre_shared_key.c
-@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
- 	size_t spos;
- 	gnutls_datum_t username = {NULL, 0};
- 	gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
-	gnutls_datum_t client_hello;
-+	unsigned client_hello_len;
- 	unsigned next_idx;
- 	const mac_entry_st *prf_res = NULL;
- 	const mac_entry_st *prf_psk = NULL;
-@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
- 	assert(extdata->length >= sizeof(mbuffer_st));
- 	assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
- 	ext_offset -= sizeof(mbuffer_st);
-	client_hello.data = extdata->data+sizeof(mbuffer_st);
-	client_hello.size = extdata->length-sizeof(mbuffer_st);
-+	client_hello_len = extdata->length-sizeof(mbuffer_st);
- 
- 	next_idx = 0;
- 
-@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
- 	}
- 
- 	if (prf_res && rkey.size > 0) {
-+		gnutls_datum_t client_hello;
-+
-+		client_hello.data = extdata->data+sizeof(mbuffer_st);
-+		client_hello.size = client_hello_len;
-+
- 		ret = compute_psk_binder(session, prf_res,
- 					 binders_len, binders_pos,
- 					 ext_offset, &rkey, &client_hello, 1,
-@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
- 	}
- 
- 	if (prf_psk && user_key.size > 0 && info) {
-+		gnutls_datum_t client_hello;
-+
-+		client_hello.data = extdata->data+sizeof(mbuffer_st);
-+		client_hello.size = client_hello_len;
-+
- 		ret = compute_psk_binder(session, prf_psk,
- 					 binders_len, binders_pos,
- 					 ext_offset, &user_key, &client_hello, 0,
-- 
-GitLab
-
--- a/backport-remove-init_fds-test.patch
+++ b/backport-remove-init_fds-test.patch
@ -1,117 +0,0 @@
-From 5589765593b8af88e4fc3acb3b06ded0122da006 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 24 Jan 2021 07:49:34 +0100
-Subject: [PATCH] tests: remove init_fds test
-
-This test does nothing to expose the original problem linked in the comment:
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- tests/Makefile.am |  2 +-
- tests/init_fds.c  | 80 -----------------------------------------------
- 2 files changed, 1 insertion(+), 81 deletions(-)
- delete mode 100644 tests/init_fds.c
-
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index b04cb08..e6e908c 100644
--- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -164,7 +164,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
- 	 cert-status fips-mode-pthread rsa-psk global-init sec-params sign-verify-data \
- 	 fips-test fips-override-test mini-global-load name-constraints x509-extensions \
- 	 long-session-id mini-x509-callbacks-intr mini-dtls-lowmtu set_x509_key_file-late \
-	 crlverify mini-dtls-discard init_fds mini-record-failure openconnect-dtls12 \
-+	 crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
- 	 tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
- 	 tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
- 	 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
-diff --git a/tests/init_fds.c b/tests/init_fds.c
-deleted file mode 100644
-index bf7a5de..0000000
--- a/tests/init_fds.c
-+++ /dev/null
-@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2014 Nikos Mavrogiannopoulos
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * GnuTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GnuTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
-
-#include "utils.h"
-
-/* See <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476>. */
-
-void doit(void)
-{
-#ifndef _WIN32
-	int res;
-	unsigned i;
-	int serial = 0;
-	char buf[128];
-
-	res = read(3, buf, 16);
-	if (res == 16)
-		serial = 1;
-
-	/* close all descriptors */
-	for (i=3;i<1024;i++)
-		close(i);
-
-	res = gnutls_global_init();
-	if (res != 0)
-		fail("global_init\n");
-
-	if (serial != 0) {
-		res = read(3, buf, 16);
-		if (res != 16) {
-			fail("could not open fd, or OS doesn't assign fds in a serial way (%d)\n", res);
-		}
-	}
-
-	res = gnutls_global_init();
-	if (res != 0)
-		fail("global_init2\n");
-
-	gnutls_rnd_refresh();
-
-	res = gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
-	if (res != 0)
-		fail("gnutls_rnd\n");
-
-	gnutls_global_deinit();
-
-	if (debug)
-		success("init-close success\n");
-#else
-	return;
-#endif
-}
-- 
-2.27.0
-
--- a/backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
+++ b/backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
@ -1,78 +0,0 @@
-From 2b0f6f3a2ff13153aaa70c764ba7a8b90aef794d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Mon, 28 Dec 2020 16:16:53 +0100
-Subject: [PATCH] testpkcs11: use datefudge to trick certificate expiry
-
-The certificates stored in tests/testpkcs11-certs expired on
-2020-12-13.  To avoid verification failure due to that, use datefudge
-to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
-
-Based on the patch by Andreas Metzler:
-https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- tests/testpkcs11.sh | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
-index 38b9585bc..09a627477 100755
--- a/tests/testpkcs11.sh
-+++ b/tests/testpkcs11.sh
-@@ -67,6 +67,8 @@ have_ed25519=0
- P11TOOL="${VALGRIND} ${P11TOOL} --batch"
- SERV="${SERV} -q"
- 
-+TESTDATE=2020-12-01
-+
- . ${srcdir}/scripts/common.sh
- 
- rm -f "${LOGFILE}"
-@@ -79,6 +81,8 @@ exit_error () {
- 	exit 1
- }
- 
-+skip_if_no_datefudge
-+
- # $1: token
- # $2: PIN
- # $3: filename
-@@ -523,6 +527,7 @@ write_certificate_test () {
- 	pubkey="$5"
- 
- 	echo -n "* Generating client certificate... "
-+	datefudge -s "$TESTDATE" \
- 	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM}  --generate-certificate --load-ca-privkey "${cakey}"  --load-ca-certificate "${cacert}"  \
- 	--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
- 	--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
-@@ -900,7 +905,9 @@ use_certificate_test () {
- 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
- 	# start server
- 	eval "${GETPORT}"
-	launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
-+	launch_bare_server datefudge -s "$TESTDATE" \
-+	        $VALGRIND $SERV $DEBUG -p "$PORT" \
-+		${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \
- 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \
- 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
- 
-@@ -908,13 +915,16 @@ use_certificate_test () {
- 	wait_server ${PID}
- 
- 	# connect to server using SC
-+	datefudge -s "$TESTDATE" \
- 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \
- 		fail ${PID} "Connection should have failed!"
- 
-+	datefudge -s "$TESTDATE" \
- 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
- 	--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
- 		fail ${PID} "Connection (with files) should have succeeded!"
- 
-+	datefudge -s "$TESTDATE" \
- 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
- 		--x509keyfile="${token};object=gnutls-client;object-type=private" \
- 		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \
-- 
-2.27.0
-
--- a/backport-tests-remove-launch_pkcs11_server.patch
+++ b/backport-tests-remove-launch_pkcs11_server.patch
@ -1,51 +0,0 @@
-From a7b126acd4793ced574acb68bdbf5c6a48bb4ad5 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Wed, 23 Sep 2020 09:34:09 +0200
-Subject: [PATCH] tests: remove launch_pkcs11_server
-
-This function is only used by testpkcs11.sh.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
- tests/scripts/common.sh | 11 -----------
- tests/testpkcs11.sh     |  2 +-
- 2 files changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
-index 6ae19fa..5e6f91b 100644
--- a/tests/scripts/common.sh
-+++ b/tests/scripts/common.sh
-@@ -168,17 +168,6 @@ launch_server() {
- 	${SERV} ${DEBUG} -p "${PORT}" $* >${LOGFILE-/dev/null} &
- }
- 
-launch_pkcs11_server() {
-	PARENT="$1"
-	shift
-	PROVIDER="$1"
-	shift
-
-	wait_for_free_port ${PORT}
-
-	${VALGRIND} ${SERV} ${PROVIDER} ${DEBUG} -p "${PORT}" $* &
-}
-
- launch_bare_server() {
- 	PARENT="$1"
- 	shift
-diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
-index 9458af2..b69e312 100755
--- a/tests/testpkcs11.sh
-+++ b/tests/testpkcs11.sh
-@@ -900,7 +900,7 @@ use_certificate_test () {
- 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
- 	# start server
- 	eval "${GETPORT}"
-	launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
-+	launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \
- 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \
- 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
- 
-- 
-2.27.0
-
--- a/gnutls-3.6.15.tar.xz
+++ b/gnutls-3.6.15.tar.xz
--- a/gnutls-3.6.15.tar.xz.sig
+++ b/gnutls-3.6.15.tar.xz.sig
--- a/gnutls-3.7.2.tar.xz
+++ b/gnutls-3.7.2.tar.xz
--- a/gnutls-3.7.2.tar.xz.sig
+++ b/gnutls-3.7.2.tar.xz.sig
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,19 +1,14 @@
 Name: gnutls
-Version: 3.6.15
-Release: 4
+Version: 3.7.2
+Release: 1
 Summary: The GNU Secure Communication Protocol Library

 License: LGPLv2.1+ and GPLv3+
 URL: https://www.gnutls.org/
-Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
-Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
+Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
+Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig

 Patch1: fix-ipv6-handshake-failed.patch
-Patch2: backport-tests-remove-launch_pkcs11_server.patch
-Patch3: backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
-Patch4: backport-CVE-2021-20231.patch
-Patch5: backport-CVE-2021-20232.patch
-Patch6: backport-remove-init_fds-test.patch

 %bcond_without dane
 %bcond_with guile
@ -21,7 +16,7 @@ Patch6: backport-remove-init_fds-test.patch

 BuildRequires: p11-kit-devel, gettext-devel, zlib-devel, readline-devel
 BuildRequires: libtasn1-devel, libtool, automake, autoconf, texinfo
-BuildRequires: autogen-libopts-devel, autogen, gperf, gnupg2, gcc, gcc-c++
+BuildRequires: autogen-libopts-devel,  gperf, gnupg2, gcc, gcc-c++
 BuildRequires: nettle-devel, trousers-devel, libidn2-devel
 BuildRequires: libunistring-devel, net-tools, softhsm
 BuildRequires: p11-kit-trust, ca-certificates
@ -77,15 +72,15 @@ Requires: guile
 This package contains Guile bindings for the library.
 %endif

-
 %prep
 %autosetup -n %{name}-%{version} -p1
-autoreconf

 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h

+autoreconf
+
 echo "SYSTEM=NORMAL" >> tests/system.prio

 # Note that we explicitly enable SHA1, as SHA1 deprecation is handled
@ -204,6 +199,9 @@ make check %{?_smp_mflags}
 %endif

 %changelog
+* Fri Sep 17 2021 wuchaochao <wuchaochao4@huawei.com> - 3.7.2-1
+- update package version to 3.7.2  and remove BuildRequires autogen 
+
 * Fri Jul 30 2021 shangyibin <shangyibin1@huawei.com> - 3.6.15-4
 - remove init_fds test