update gnutls to 3.6.14

2020-07-27 10:32:54 +08:00 · 2020-07-27 10:32:54 +08:00 · 9b9db9a0b6
commit 9b9db9a0b6
parent c850002b5e
10 changed files with 5 additions and 175 deletions
--- a/backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
+++ b/backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
@ -1,30 +0,0 @@
-From 495aa9b57a3ce3ee546a0498ef232b4aa47d0f51 Mon Sep 17 00:00:00 2001
-From: Dmitry Baryshkov <dbaryshkov@gmail.com>
-Date: Tue, 28 Jan 2020 13:05:14 +0300
-Subject: [PATCH] pkcs12: do not go try calculating pbkdf2 with 0 iterations
-
-Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
-GnuTLS PKCS12 GOST code to check that iter is not 0.
-
-Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
---
- .../dcbb6c7d385ddf87823849890768b022dc9e1eff     | Bin 0 -> 1011 bytes
- lib/x509/pkcs12.c                                |   3 +++
- 2 files changed, 3 insertions(+)
-
-diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
-index 8c3310d066..6324fb25a3 100644
--- a/lib/x509/pkcs12.c
-+++ b/lib/x509/pkcs12.c
-@@ -867,6 +867,9 @@ _gnutls_pkcs12_gost_string_to_key(gnutls_mac_algorithm_t algo,
- 	size_t temp_len = sizeof(temp);
- 	unsigned int pass_len = 0;
- 
-+	if (iter == 0)
-+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
- 	if (pass)
- 		pass_len = strlen(pass);
- 
-- 
-2.26.2
--- a/backport-x509-drop-endless-loop-in-print_crl.patch
+++ b/backport-x509-drop-endless-loop-in-print_crl.patch
@ -1,34 +0,0 @@
-From 283af4cd77058ba7fea8cff59c83d3f3f0231f9f Mon Sep 17 00:00:00 2001
-From: Dmitry Baryshkov <dbaryshkov@gmail.com>
-Date: Tue, 10 Mar 2020 22:41:54 +0300
-Subject: [PATCH] x509: apply same fix to print_crl
-
-Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
---
- lib/x509/output.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/lib/x509/output.c b/lib/x509/output.c
-index 6f829b06ac..c54902fe4d 100644
--- a/lib/x509/output.c
-+++ b/lib/x509/output.c
-@@ -2290,14 +2290,13 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
- 								 oid,
- 								 &sizeof_oid,
- 								 &critical);
-+			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-+				break;
- 			if (err < 0) {
-				if (err ==
-				    GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-					break;
- 				addf(str,
- 				     "error: get_extension_info: %s\n",
- 				     gnutls_strerror(err));
-				continue;
-+				break;
- 			}
- 
- 			if (i == 0)
-- 
-2.26.2
--- a/backport-x509-drop-endless-loop-in-print_crq.patch
+++ b/backport-x509-drop-endless-loop-in-print_crq.patch
@ -1,34 +0,0 @@
-From 12609f4f97fb9a60d663f81571c07f7d297da0b3 Mon Sep 17 00:00:00 2001
-From: Dmitry Baryshkov <dbaryshkov@gmail.com>
-Date: Tue, 10 Mar 2020 22:42:02 +0300
-Subject: [PATCH] x509: apply same fix to print_crq
-
-Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
---
- lib/x509/output.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/lib/x509/output.c b/lib/x509/output.c
-index c54902fe4d..be179f5f39 100644
--- a/lib/x509/output.c
-+++ b/lib/x509/output.c
-@@ -2660,14 +2660,13 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
- 			    gnutls_x509_crq_get_attribute_info(cert, i,
- 							       oid,
- 							       &sizeof_oid);
-+			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-+				break;
- 			if (err < 0) {
-				if (err ==
-				    GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-					break;
- 				addf(str,
- 				     "error: get_extension_info: %s\n",
- 				     gnutls_strerror(err));
-				continue;
-+				break;
- 			}
- 
- 			if (i == 0)
-- 
-2.26.2
--- a/backport-x509-drop-endless-loop-in-print_extensions.patch
+++ b/backport-x509-drop-endless-loop-in-print_extensions.patch
@ -1,38 +0,0 @@
-From e04f45d0283a80c990a9e1d7537ab871b769fdaf Mon Sep 17 00:00:00 2001
-From: Dmitry Baryshkov <dbaryshkov@gmail.com>
-Date: Tue, 10 Mar 2020 12:12:36 +0300
-Subject: [PATCH] x509: drop endless loop in print_extensions
-
-If crq is malformed in extensions part, print_extensions() might loop
-endlessly because gnutls_x509_crq_get_extension_info would return
-unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather
-than bailing out. Fix this by handling this error code properly. Found
-thanks to oss-fuzz.
-
-Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
---
- lib/x509/output.c                                 |   6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/x509/output.c b/lib/x509/output.c
-index 2aa78b478..6f829b06a 100644
--- a/lib/x509/output.c
-+++ b/lib/x509/output.c
-@@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
- 			return;
- 		}
- 
-+		if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-+			break;
- 		if (err < 0) {
-			if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-				break;
- 			addf(str, "error: get_extension_info: %s\n",
- 			     gnutls_strerror(err));
-			continue;
-+			break;
- 		}
- 
- 		if (i == 0)
-- 
-2.26.2
--- a/fix-CVE-2020-11501-zeroed-random.patch
+++ b/fix-CVE-2020-11501-zeroed-random.patch
@ -1,32 +0,0 @@
-From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
-Date: Fri, 27 Mar 2020 17:17:57 +0100
-Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
-hello verify request", which failed to "De Morgan" properly.
-
-Signed-off-by: Stefan Bühler <stbuehler@web.de>
---
- lib/handshake.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/handshake.c b/lib/handshake.c
-index 1e6164c..5c8f33a 100644
--- a/lib/handshake.c
-+++ b/lib/handshake.c
-@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_session_t session, int again)
- 		/* Generate random data 
- 		 */
- 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
-+		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
- 			ret = _gnutls_gen_client_random(session);
- 			if (ret < 0) {
- 				gnutls_assert();
-- 
-1.8.3.1
-
--- a/gnutls-3.6.14.tar.xz
+++ b/gnutls-3.6.14.tar.xz
--- a/gnutls-3.6.14.tar.xz.sig
+++ b/gnutls-3.6.14.tar.xz.sig
--- a/gnutls-3.6.9.tar.xz
+++ b/gnutls-3.6.9.tar.xz
--- a/gnutls-3.6.9.tar.xz.sig
+++ b/gnutls-3.6.9.tar.xz.sig
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,6 +1,6 @@
 Name: gnutls
-Version: 3.6.9
-Release: 7
+Version: 3.6.14
+Release: 1
 Summary: The GNU Secure Communication Protocol Library

 License: LGPLv2.1+ and GPLv3+
@ -8,11 +8,6 @@ URL: https://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
 Patch0: fix-ipv6-handshake-failed.patch
-Patch1: fix-CVE-2020-11501-zeroed-random.patch
-Patch2: backport-x509-drop-endless-loop-in-print_extensions.patch
-Patch3: backport-x509-drop-endless-loop-in-print_crl.patch
-Patch4: backport-x509-drop-endless-loop-in-print_crq.patch
-Patch5: backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch

 %bcond_without dane
 %bcond_with guile
@ -199,6 +194,9 @@ make check %{?_smp_mflags}
 %endif

 %changelog
+* Mon Jul 27 2020 wangchen <wangchen137@huawei.com> - 3.6.14-1
+- update to 3.6.14
+
 * Mon Jun 8 2020 Anakin Zhang <benjamin93@163.com> - 3.6.9-7
 - fix x509 drop endless loop and pkcs12 iterations