!11 update gnutls to 3.6.14
Merge pull request !11 from wangchen/wangchen
This commit is contained in:
commit
be82632434
@ -1,30 +0,0 @@
|
||||
From 495aa9b57a3ce3ee546a0498ef232b4aa47d0f51 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
Date: Tue, 28 Jan 2020 13:05:14 +0300
|
||||
Subject: [PATCH] pkcs12: do not go try calculating pbkdf2 with 0 iterations
|
||||
|
||||
Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
|
||||
GnuTLS PKCS12 GOST code to check that iter is not 0.
|
||||
|
||||
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
---
|
||||
.../dcbb6c7d385ddf87823849890768b022dc9e1eff | Bin 0 -> 1011 bytes
|
||||
lib/x509/pkcs12.c | 3 +++
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
|
||||
index 8c3310d066..6324fb25a3 100644
|
||||
--- a/lib/x509/pkcs12.c
|
||||
+++ b/lib/x509/pkcs12.c
|
||||
@@ -867,6 +867,9 @@ _gnutls_pkcs12_gost_string_to_key(gnutls_mac_algorithm_t algo,
|
||||
size_t temp_len = sizeof(temp);
|
||||
unsigned int pass_len = 0;
|
||||
|
||||
+ if (iter == 0)
|
||||
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||
+
|
||||
if (pass)
|
||||
pass_len = strlen(pass);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
@ -1,34 +0,0 @@
|
||||
From 283af4cd77058ba7fea8cff59c83d3f3f0231f9f Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
Date: Tue, 10 Mar 2020 22:41:54 +0300
|
||||
Subject: [PATCH] x509: apply same fix to print_crl
|
||||
|
||||
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
---
|
||||
lib/x509/output.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/output.c b/lib/x509/output.c
|
||||
index 6f829b06ac..c54902fe4d 100644
|
||||
--- a/lib/x509/output.c
|
||||
+++ b/lib/x509/output.c
|
||||
@@ -2290,14 +2290,13 @@ print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned)
|
||||
oid,
|
||||
&sizeof_oid,
|
||||
&critical);
|
||||
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
+ break;
|
||||
if (err < 0) {
|
||||
- if (err ==
|
||||
- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
- break;
|
||||
addf(str,
|
||||
"error: get_extension_info: %s\n",
|
||||
gnutls_strerror(err));
|
||||
- continue;
|
||||
+ break;
|
||||
}
|
||||
|
||||
if (i == 0)
|
||||
--
|
||||
2.26.2
|
||||
@ -1,34 +0,0 @@
|
||||
From 12609f4f97fb9a60d663f81571c07f7d297da0b3 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
Date: Tue, 10 Mar 2020 22:42:02 +0300
|
||||
Subject: [PATCH] x509: apply same fix to print_crq
|
||||
|
||||
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
---
|
||||
lib/x509/output.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/output.c b/lib/x509/output.c
|
||||
index c54902fe4d..be179f5f39 100644
|
||||
--- a/lib/x509/output.c
|
||||
+++ b/lib/x509/output.c
|
||||
@@ -2660,14 +2660,13 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
|
||||
gnutls_x509_crq_get_attribute_info(cert, i,
|
||||
oid,
|
||||
&sizeof_oid);
|
||||
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
+ break;
|
||||
if (err < 0) {
|
||||
- if (err ==
|
||||
- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
- break;
|
||||
addf(str,
|
||||
"error: get_extension_info: %s\n",
|
||||
gnutls_strerror(err));
|
||||
- continue;
|
||||
+ break;
|
||||
}
|
||||
|
||||
if (i == 0)
|
||||
--
|
||||
2.26.2
|
||||
@ -1,38 +0,0 @@
|
||||
From e04f45d0283a80c990a9e1d7537ab871b769fdaf Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
Date: Tue, 10 Mar 2020 12:12:36 +0300
|
||||
Subject: [PATCH] x509: drop endless loop in print_extensions
|
||||
|
||||
If crq is malformed in extensions part, print_extensions() might loop
|
||||
endlessly because gnutls_x509_crq_get_extension_info would return
|
||||
unhandled GNUTLS_ASN1_DER_ERROR looping over extension index, rather
|
||||
than bailing out. Fix this by handling this error code properly. Found
|
||||
thanks to oss-fuzz.
|
||||
|
||||
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
||||
---
|
||||
lib/x509/output.c | 6 +++---
|
||||
1 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/x509/output.c b/lib/x509/output.c
|
||||
index 2aa78b478..6f829b06a 100644
|
||||
--- a/lib/x509/output.c
|
||||
+++ b/lib/x509/output.c
|
||||
@@ -1281,12 +1281,12 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
+ break;
|
||||
if (err < 0) {
|
||||
- if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
||||
- break;
|
||||
addf(str, "error: get_extension_info: %s\n",
|
||||
gnutls_strerror(err));
|
||||
- continue;
|
||||
+ break;
|
||||
}
|
||||
|
||||
if (i == 0)
|
||||
--
|
||||
2.26.2
|
||||
@ -1,32 +0,0 @@
|
||||
From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
|
||||
Date: Fri, 27 Mar 2020 17:17:57 +0100
|
||||
Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
|
||||
hello verify request", which failed to "De Morgan" properly.
|
||||
|
||||
Signed-off-by: Stefan Bühler <stbuehler@web.de>
|
||||
---
|
||||
lib/handshake.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||
index 1e6164c..5c8f33a 100644
|
||||
--- a/lib/handshake.c
|
||||
+++ b/lib/handshake.c
|
||||
@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_session_t session, int again)
|
||||
/* Generate random data
|
||||
*/
|
||||
if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
|
||||
- !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
|
||||
+ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
|
||||
ret = _gnutls_gen_client_random(session);
|
||||
if (ret < 0) {
|
||||
gnutls_assert();
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
BIN
gnutls-3.6.14.tar.xz
Normal file
BIN
gnutls-3.6.14.tar.xz.sig
Normal file
12
gnutls.spec
@ -1,6 +1,6 @@
|
||||
Name: gnutls
|
||||
Version: 3.6.9
|
||||
Release: 7
|
||||
Version: 3.6.14
|
||||
Release: 1
|
||||
Summary: The GNU Secure Communication Protocol Library
|
||||
|
||||
License: LGPLv2.1+ and GPLv3+
|
||||
@ -8,11 +8,6 @@ URL: https://www.gnutls.org/
|
||||
Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
|
||||
Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
|
||||
Patch0: fix-ipv6-handshake-failed.patch
|
||||
Patch1: fix-CVE-2020-11501-zeroed-random.patch
|
||||
Patch2: backport-x509-drop-endless-loop-in-print_extensions.patch
|
||||
Patch3: backport-x509-drop-endless-loop-in-print_crl.patch
|
||||
Patch4: backport-x509-drop-endless-loop-in-print_crq.patch
|
||||
Patch5: backport-do-not-go-try-calculating-pdkdf2-with-0-iterations.patch
|
||||
|
||||
%bcond_without dane
|
||||
%bcond_with guile
|
||||
@ -199,6 +194,9 @@ make check %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jul 27 2020 wangchen <wangchen137@huawei.com> - 3.6.14-1
|
||||
- update to 3.6.14
|
||||
|
||||
* Mon Jun 8 2020 Anakin Zhang <benjamin93@163.com> - 3.6.9-7
|
||||
- fix x509 drop endless loop and pkcs12 iterations
|
||||
|
||||
|
||||
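Review bot: The changelog entry added in the last hunk, `- update to 3.6.14`, does not record that the second hunk drops Patch1 through Patch5, among them fix-CVE-2020-11501-zeroed-random.patch and the four x509/pkcs12 backports, so anyone auditing CVE coverage from the spec history has to diff the Patch lines to learn it. A fuller line would be `- update to 3.6.14, drop Patch1-Patch5 (CVE-2020-11501 and x509/pkcs12 backports) now included upstream` — presumably that is the reason they were dropped, but the commit states no rationale. Patch0 (fix-ipv6-handshake-failed.patch) is kept; whether it still applies to 3.6.14 is decided in %prep, which is outside this section. Source1 still names the .tar.xz.sig this commit adds, and whether that signature is verified during the build is likewise not visible here.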