Hello community,
here is the log from the commit of package gnutls.2618 for openSUSE:13.1:Update checked in at 2014-03-05 07:27:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/gnutls.2618 (Old)
and /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls.2618"
Changes:
--------
New Changes file:
--- /dev/null 2014-02-13 01:09:38.344032506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new/gnutls.changes 2014-03-05 07:27:55.000000000 +0100
@@ -0,0 +1,1653 @@
+-------------------------------------------------------------------
+Mon Mar 3 14:04:31 UTC 2014 - shchang@suse.com
+
+- Fixed bug [ bnc#865804] gnutls: CVE-2014-0092, insufficient X.509 certificate verification
+ Add patch file: CVE-2014-0092.patch
+
+ Enable elliptic curve and so ECDH support again to meet modern
+ cryptographic requirements, removed gnutls-3.2.4-noecc.patch.
+
+-------------------------------------------------------------------
+Thu Feb 6 10:18:09 UTC 2014 - stbuehler@web.de
+
+- Fix bug[ bnc#861907]: COMP-DEFLATE broken (internal buffer for inflate too
+ small, skipping input)
+ Add patch file: revert-simplified-decrypted-data-allocation.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 04:44:25 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#848510], CVE-2013-4487( off-by-one security fix in libdane)
+ Add patch file: CVE-2013-4487.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 04:22:30 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#847484], CVE-2013-4466 ( DoS in libdane)
+ Add patch file: CVE-2013-4466.patch
+
+-------------------------------------------------------------------
+Mon Sep 2 16:23:59 UTC 2013 - schwab@linux-m68k.org
+
+- Don't run install-info on images
+
+-------------------------------------------------------------------
+Mon Sep 2 07:43:21 UTC 2013 - shchang@suse.com
+
+- Update to 3.2.4
+** libgnutls: Fixes when session tickets and session DB are used.
+Report and initial patch by Stefan Buehler.
+
+** libgnutls: Added the RSA-PSK key exchange. Patch by by Frank Morgner,
+based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH.
+
+** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch
+by Stefan Buehler.
+
+** libgnutls: Added the PFS priority string option.
+
+** libgnutls: Gnulib included files are strictly LGPLv2.
+
+** libgnutls: Corrected gnutls_certificate_server_set_request().
+Reported by Petr Pisar.
+
+** API and ABI modifications:
+gnutls_record_set_timeout: Exported
+
+Add files:gnutls-3.2.4.tar.xz.sig, gnutls-3.2.4.tar.xz, gnutls-3.2.4-noecc.patch
+Delete file: gnutls-3.2.3-noecc.patch
+
+-------------------------------------------------------------------
+Fri Aug 30 00:31:19 CEST 2013 - ro@suse.de
+
+- buildrequire valgrind on the same arch list that valgrind builds
+
+-------------------------------------------------------------------
+Thu Aug 1 13:42:11 UTC 2013 - meissner@suse.com
+
+- Updated to 3.2.3
+ ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan
+ Buehler.
+
+ ** libgnutls: Solve issue with received TLS packets that exceed 2^14.
+ (this fixes a bug that was accidentally introduced in 3.2.2)
+
+ ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly
+ be used by the library.
+
+ ** libgnutls: Fixes in gnutls_record_send_range(). Report and initial
+ fix by Alfredo Pironti.
+
+- Updated to 3.2.2
+ ** libgnutls: Several optimizations in the related to packet processing
+ subsystems.
+
+ ** libgnutls: DTLS replay detection can now be disabled (to be used
+ in certain transport layers like SCTP).
+
+ ** libgnutls: Fixes in SRTP extension generation when MKI is being used.
+
+ ** libgnutls: Added ability to set hooks before or
+ after sending or receiving any handshake message with
+ gnutls_handshake_set_hook_function().
+
+- gnutls-3.2.3-noecc.patch: updated to disable ECC.
+- automake-1.12.patch: upstream, dropped
+- gnutls-32bit.patch: upstream, dropped
+- gnutls-3.2.1-pkcs11.diff: upstream, dropped
+
+-------------------------------------------------------------------
+Fri Jul 26 12:45:45 UTC 2013 - lnussel@suse.de
+
+- revert to using certificate directory again until gnutls
+ understands the trust bits in pkcs11. Otherwise it would use
+ blacklisted certificates.
+
+-------------------------------------------------------------------
+Mon Jul 8 15:12:59 UTC 2013 - schwab@suse.de
+
+- Override broken configure checks
+
+-------------------------------------------------------------------
+Thu Jul 4 16:15:14 UTC 2013 - lnussel@suse.de
+
+- use pkcs11 interface to fetch the system's CA certificates
+ (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing
+ that, obsoletes gnutls-implement-trust-store-dir.diff.
+
+-------------------------------------------------------------------
+Thu Jun 27 13:44:12 UTC 2013 - meissner@suse.com
+
+- Disable all ECC algorithms.
+
+- gnutls-32bit.patch: upstream patch to make test
+ work with 32bit time_t.
+
+- gnutls-implement-trust-store-dir.diff
+
+ currently not yet forward ported.
+
+- Updated to GnuTLS 3.2.1
+ ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
+ openssl versions.
+ ** libgnutls: Fixes in interrupted function resumption. Report
+ and patch by Tim Kosse.
+ ** libgnutls: Corrected issue when receiving client hello verify
+ requests in DTLS.
+ ** libgnutls: Fixes in DTLS record overhead size calculations.
+ ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by
+ Mann Ern Kang.
+- Updated to GnuTLS 3.2.0
+ ** libgnutls: Use nettle's elliptic curve implementation.
+ ** libgnutls: Added Salsa20 cipher
+ ** libgnutls: Added UMAC-96 and UMAC-128
+ ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
+ As they are not standardized they are defined using private ciphersuite numbers.
+ ** libgnutls: Added support for DTLS 1.2.
+ ** libgnutls: Added support for the Application Layer Protocol
+ Negotiation (ALPN) extension.
+ ** libgnutls: Removed support for the RSA-EXPORT ciphersuites.
+ ** libgnutls: Avoid linking to librt (that also avoids unnecessary
+ linking to pthreads if p11-kit isn't used).
+
+- Updated to GnuTLS 3.1.10 (released 2013-03-22)
+ ** certtool: When generating PKCS #12 files use by default the
+ ARCFOUR (RC4) cipher to be compatible with devices that don't
+ support AES with PKCS #12.
+ ** libgnutls: Load CA certificates in android 4.x systems.
+ ** libgnutls: Optimized CA certificate loading.
+ ** libgnutls: Private keys are overwritten on deinitialization.
+ ** libgnutls: PKCS #11 slots are scanned only when needed, not
+ on initialization. This speeds up gnutls initialization when smart
+ cards are present.
+ ** libgnutls: Corrected issue in the (deprecated) external key
+ signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen.
+ ** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by
+ Joke de Buhr.
+ ** libgnutls-dane: Updated DANE verification options.
+ ** configure: Trust store file must be explicitly set or unset when
+ cross compiling.
+- Updated to GnuTLS 3.1.9 (released 2013-02-27)
+ ** certtool: Option --to-p12 will now ask for a password to generate
+ a PKCS #12 file from an encrypted key file. Reported by Yan Fiz.
+ ** libgnutls: Corrected issue in gnutls_pubkey_verify_data().
+ ** libgnutls: Corrected parsing issue in XMPP within a subject
+ alternative name. Reported by James Cloos.
+ ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11
+ modules, and not only the ones loaded via p11-kit.
+ ** libgnutls: Added function to check whether the private key is
+ still available (inserted).
+ ** libgnutls: Try to detect fork even during nonce generation.
+
+- Updated to GnuTLS 3.1.8 (released 2013-02-10)
+ ** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return
+ GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation
+ with encrypted keys. Reported by Yan Fiz.
+ ** libgnutls: The minimum DH bits accepted by priorities NORMAL and
+ PERFORMANCE was set to previous defaults 727 bits. Reported by Diego
+ Elio Petteno.
+ ** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash()
+ to operate with long keys. Reported by Erik A Jensen.
+
+- Updated to GnuTLS 3.1.7 (released 2013-02-04)
+ ** certtool: Added option "dn" which allows to directly set the DN
+ in a template from an RFC4514 string.
+ ** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters.
+ ** libgnutls-xssl: Added a new library to simplify GnuTLS usage.
+ ** libgnutls-dane: Added function to specify a DLV file.
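Review bot: the Mon Mar 3 entry folds a behaviour change into the CVE-2014-0092 security fix. Re-enabling elliptic curves/ECDHE and dropping gnutls-3.2.4-noecc.patch changes the cipher suites every gnutls consumer on 13.1 negotiates, and it is not part of the certificate-verification fix. Give it its own dated entry so the maintenance update's changelog says which lines are the CVE fix and which are the policy change, and so the spec's `--enable-ecdhe` has an entry to point at; the Jun 27 and Aug 1 2013 entries below record the ECC disablement the same way.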
++++ 1456 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.gnutls.2618.new/gnutls.changes
New:
----
CVE-2013-4466.patch
CVE-2013-4487.patch
CVE-2014-0092.patch
baselibs.conf
gnutls-3.0.26-skip-test-fwrite.patch
gnutls-3.2.4.tar.xz
gnutls-3.2.4.tar.xz.sig
gnutls-implement-trust-store-dir.diff
gnutls.changes
gnutls.keyring
gnutls.spec
make-obs-happy-with-gnutls_3.2.4.patch
revert-simplified-decrypted-data-allocation.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
#
# spec file for package gnutls
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define gnutls_sover 28
%define gnutlsxx_sover 28
%define gnutls_ossl_sover 27
Name: gnutls
Version: 3.2.4
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+ and GPL-3.0+
Group: Productivity/Networking/Security
Url: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
# signature is checked by source services.
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
Source2: %name.keyring
Source3: baselibs.conf
# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
Patch3: gnutls-3.0.26-skip-test-fwrite.patch
Patch6: gnutls-implement-trust-store-dir.diff
Patch7: make-obs-happy-with-gnutls_3.2.4.patch
# CVE-2013-4466 (bnc#847484): DoS in libdane
Patch8: CVE-2013-4466.patch
# CVE-2013-4487 (bnc#848510): off-by-one security fix in libdane
Patch9: CVE-2013-4487.patch
# fix COMP-DEFLATE (allocated buffer too small), fixed upstream in 3.2.7 - stbuehler
Patch10: revert-simplified-decrypted-data-allocation.patch
# CVE-2014-0092 (bnc#865804): insufficient X.509 certificate verification
Patch11: CVE-2014-0092.patch
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: libidn-devel
BuildRequires: libnettle-devel >= 2.7
BuildRequires: libtasn1-devel >= 2.14
BuildRequires: libtool
%ifarch %ix86 x86_64 ppc ppc64 s390x armv7l armv7hl
BuildRequires: valgrind
%endif
%if %suse_version >= 1230
BuildRequires: makeinfo
%endif
BuildRequires: p11-kit-devel >= 0.11
BuildRequires: pkg-config
BuildRequires: xz
BuildRequires: zlib-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# bug437293
%ifarch ppc64
Obsoletes: gnutls-64bit
%endif
%description
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls%{gnutls_sover}
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+
Group: Productivity/Networking/Security
%description -n libgnutls%{gnutls_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutlsxx%{gnutlsxx_sover}
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+
Group: Productivity/Networking/Security
%description -n libgnutlsxx%{gnutlsxx_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls-openssl%{gnutls_ossl_sover}
Summary: The GNU Transport Layer Security Library
License: GPL-3.0+
Group: Productivity/Networking/Security
%description -n libgnutls-openssl%{gnutls_ossl_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%package -n libgnutls-devel
Summary: Development package for gnutls
License: LGPL-2.1+
Group: Development/Libraries/C and C++
PreReq: %install_info_prereq
Requires: glibc-devel
Requires: libgnutls%{gnutls_sover} = %{version}
Provides: gnutls-devel = %{version}-%{release}
%description -n libgnutls-devel
Files needed for software development using gnutls.
%package -n libgnutlsxx-devel
Summary: Development package for gnutls
License: LGPL-2.1+
Group: Development/Libraries/C and C++
PreReq: %install_info_prereq
Requires: libgnutls-devel = %{version}
Requires: libgnutlsxx%{gnutlsxx_sover} = %{version}
Requires: libstdc++-devel
%description -n libgnutlsxx-devel
Files needed for software development using gnutls.
%package -n libgnutls-openssl-devel
Summary: Development package for gnutls
License: GPL-3.0+
Group: Development/Libraries/C and C++
Requires: libgnutls-devel = %{version}
Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}
%description -n libgnutls-openssl-devel
Files needed for software development using gnutls.
%prep
%setup -q
%patch3
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build
autoreconf -if
# ECDHE is enabled again (see the Mon Mar 3 2014 entry in gnutls.changes); it had been explicitly disabled here by meissner&cfarrell
%configure \
gl_cv_func_printf_directive_n=yes \
gl_cv_func_printf_infinite_long_double=yes \
--disable-static \
--with-pic \
--disable-rpath \
--disable-silent-rules \
--with-default-trust-store-dir=/var/lib/ca-certificates/pem \
--enable-ecdhe \
--with-sysroot=/%{?_sysroot}
%__make %{?_smp_mflags}
%install
%make_install
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
# Do not package static libs and libtool files
rm -f %{buildroot}%{_libdir}/*.la
# install docs
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
%__cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
%__cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
%__cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
%find_lang libgnutls --all-name
%check
%if ! 0%{?qemu_user_space_build}
%__make check
%endif
%clean
rm -rf %{buildroot}
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
%postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
%post -n libgnutls-devel
%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
%postun -n libgnutls-devel
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
%files -f libgnutls.lang
%defattr(-, root, root)
%doc THANKS README NEWS ChangeLog COPYING COPYING.LESSER AUTHORS doc/TODO
%{_bindir}/certtool
%{_bindir}/crywrap
%{_bindir}/gnutls-cli
%{_bindir}/gnutls-cli-debug
%{_bindir}/gnutls-serv
%{_bindir}/ocsptool
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%{_bindir}/danetool
%{_mandir}/man1/*
%files -n libgnutls%{gnutls_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls.so.%{gnutls_sover}*
%{_libdir}/libgnutls-xssl.so.*
%files -n libgnutls-openssl%{gnutls_ossl_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}*
%files -n libgnutlsxx%{gnutlsxx_sover}
%defattr(-,root,root)
%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
%files -n libgnutls-devel
%defattr(-, root, root)
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h
%{_includedir}/%{name}/compat.h
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/tpm.h
%{_includedir}/%{name}/xssl.h
%{_libdir}/libgnutls.so
%{_libdir}/libgnutls-xssl.so
%{_libdir}/pkgconfig/gnutls.pc
%{_mandir}/man3/*
%{_infodir}/*.*
%doc %{_docdir}/libgnutls-devel
%files -n libgnutlsxx-devel
%defattr(-, root, root)
%{_libdir}/libgnutlsxx.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/gnutlsxx.h
%files -n libgnutls-openssl-devel
%defattr(-, root, root)
%{_libdir}/libgnutls-openssl.so
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/openssl.h
%changelog
++++++ CVE-2013-4466.patch ++++++
Index: gnutls-3.2.4/libdane/dane.c
===================================================================
--- gnutls-3.2.4.orig/libdane/dane.c
+++ gnutls-3.2.4/libdane/dane.c
@@ -233,77 +233,71 @@ int ret;
**/
void dane_query_deinit(dane_query_t q)
{
- ub_resolve_free(q->result);
+ if (q->result)
+ ub_resolve_free(q->result);
free(q);
}
/**
- * dane_query_tlsa:
+ * dane_raw_tlsa:
* @s: The DANE state structure
* @r: A structure to place the result
- * @host: The host name to resolve.
- * @proto: The protocol type (tcp, udp, etc.)
- * @port: The service port number (eg. 443).
+ * @dane_data: array of DNS rdata items, terminated with a NULL pointer;
+ * caller must guarantee that the referenced data remains
+ * valid until dane_query_deinit() is called.
+ * @dane_data_len: the length n bytes of the dane_data items
+ * @param secure true if the result is validated securely, false if
+ * validation failed or the domain queried has no security info
+ * @param bogus if the result was not secure (secure = 0) due to a security failure,
+ * and the result is due to a security failure, bogus is true.
*
- * This function will query the DNS server for the TLSA (DANE)
- * data for the given host.
+ * This function will fill in the TLSA (DANE) structure from
+ * the given raw DNS record data.
*
* Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
-int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port)
+int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus)
{
- char ns[1024];
int ret;
unsigned int i;
*r = calloc(1, sizeof(struct dane_query_st));
if (*r == NULL)
return gnutls_assert_val(DANE_E_MEMORY_ERROR);
-
- snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host);
-
- /* query for webserver */
- ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result);
- if(ret != 0) {
- return gnutls_assert_val(DANE_E_RESOLVING_ERROR);
- }
-
-/* show first result */
- if(!(*r)->result->havedata) {
- return gnutls_assert_val(DANE_E_NO_DANE_DATA);
- }
-
+
i = 0;
do {
- if ((*r)->result->len[i] > 3)
+ if (dane_data_len[i] > 3)
ret = DANE_E_SUCCESS;
else {
return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA);
}
-
- (*r)->usage[i] = (*r)->result->data[i][0];
- (*r)->type[i] = (*r)->result->data[i][1];
- (*r)->match[i] = (*r)->result->data[i][2];
- (*r)->data[i].data = (void*)&(*r)->result->data[i][3];
- (*r)->data[i].size = (*r)->result->len[i] - 3;
+
+ (*r)->usage[i] = dane_data[i][0];
+ (*r)->type[i] = dane_data[i][1];
+ (*r)->match[i] = dane_data[i][2];
+ (*r)->data[i].data = (void*)&dane_data[i][3];
+ (*r)->data[i].size = dane_data_len[i] - 3;
i++;
- } while((*r)->result->data[i] != NULL);
-
+ if (i > MAX_DATA_ENTRIES)
+ break;
+ } while(dane_data[i] != NULL);
+
(*r)->data_entries = i;
- if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure) {
- if ((*r)->result->bogus)
+ if (!(s->flags & DANE_F_INSECURE) && !secure) {
+ if (bogus)
ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG);
else
ret = gnutls_assert_val(DANE_E_NO_DNSSEC_SIG);
}
/* show security status */
- if ((*r)->result->secure) {
+ if (secure) {
(*r)->status = DANE_QUERY_DNSSEC_VERIFIED;
- } else if ((*r)->result->bogus) {
+ } else if (bogus) {
gnutls_assert();
(*r)->status = DANE_QUERY_BOGUS;
} else {
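Review bot: the new bound check in dane_raw_tlsa is one iteration late. `i++` runs first and `if (i > MAX_DATA_ENTRIES) break;` still lets i == MAX_DATA_ENTRIES through, so the `while(dane_data[i] != NULL)` test reads dane_data[MAX_DATA_ENTRIES] and the next pass writes (*r)->usage[MAX_DATA_ENTRIES], type[], match[] and data[] one slot past arrays of MAX_DATA_ENTRIES elements (their size is not visible in the hunk, but that is what the constant name implies). Use `>=`, or better a bounded `for (i = 0; i < MAX_DATA_ENTRIES && dane_data[i] != NULL; i++)`, which also fixes the other weakness of the do/while: the body runs once before anything checks that dane_data[0] is non-NULL, and this is now an exported function fed caller-supplied arrays. The changelog's CVE-2013-4487 entry ("off-by-one security fix in libdane") is the follow-up for exactly this. Smaller points: the DANE_E_RECEIVED_CORRUPT_DATA early return leaves the freshly calloc'd *r for the caller to free, and `(*r)->usage[i] = dane_data[i][0]` assigns a `char` into the usage/type/match fields, so rdata bytes above 0x7f sign-extend on platforms where char is signed; cast through `unsigned char`.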
@@ -314,8 +308,53 @@ int dane_query_tlsa(dane_state_t s, dane
return ret;
}
-static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2,
- dane_match_type_t match)
+
+/**
+ * dane_query_tlsa:
+ * @s: The DANE state structure
+ * @r: A structure to place the result
+ * @host: The host name to resolve.
+ * @proto: The protocol type (tcp, udp, etc.)
+ * @port: The service port number (eg. 443).
+ *
+ * This function will query the DNS server for the TLSA (DANE)
+ * data for the given host.
+ *
+ * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port)
+{
+ char ns[1024];
+ int ret;
+ struct ub_result *result;
+
+ snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host);
+
+ /* query for webserver */
+ ret = ub_resolve(s->ctx, ns, 52, 1, &result);
+ if(ret != 0) {
+ return gnutls_assert_val(DANE_E_RESOLVING_ERROR);
+ }
+
+ /* show first result */
+ if(!result->havedata) {
+ ub_resolve_free (result);
+ return gnutls_assert_val(DANE_E_NO_DANE_DATA);
+ }
+
+ ret = dane_raw_tlsa (s, r, result->data, result->len, result->secure, result->bogus);
+ if (*r == NULL) {
+ ub_resolve_free (result);
+ return ret;
+ }
+
+ (*r)->result = result;
+ return ret;
+}
+
+static unsigned int matches(const gnutls_datum_t *raw1, const gnutls_datum_t *raw2,
+ dane_match_type_t match)
{
uint8_t digest[64];
int ret;
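Review bot: the error-path ownership in the new dane_query_tlsa wrapper needs stating. When dane_raw_tlsa fails after allocating *r (corrupt data, or the DNSSEC checks when DANE_F_INSECURE is not set), the code still stores `(*r)->result = result` and returns the error, so the unbound result is released only if the caller calls dane_query_deinit() on a failed query; neither this doc comment nor the one on dane_raw_tlsa says so, and a caller that treats a negative return as "nothing to free" leaks both. Either free result, deinit and NULL *r here on error, or document the contract. Minor: `ub_resolve(s->ctx, ns, 52, 1, &result)` should name the TLSA rrtype (52) and IN class (1) rather than pass bare numbers, and the snprintf into ns[1024] is not checked for truncation, which would silently query a different name for a very long host.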
Index: gnutls-3.2.4/libdane/includes/gnutls/dane.h
===================================================================
--- gnutls-3.2.4.orig/libdane/includes/gnutls/dane.h
+++ gnutls-3.2.4/libdane/includes/gnutls/dane.h
@@ -109,6 +109,8 @@ int dane_state_init (dane_state_t* s, un
int dane_state_set_dlv_file(dane_state_t s, const char* file);
void dane_state_deinit (dane_state_t s);
+int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus);
+
int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port);
dane_query_status_t dane_query_status(dane_query_t q);
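Review bot: the prototype adds a new exported symbol to the public header with no comment on the lifetime rule that only the .c comment states (dane_data must stay valid until dane_query_deinit(), because the query keeps pointers into it rather than copying). Put that one line here where API users will see it. Also worth confirming that this code is built at all in this package: the spec has no libunbound BuildRequires and packages no libgnutls-dane library in any %files section, so unless configure finds libunbound the two libdane CVE patches are applied to source that never ships.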
++++++ CVE-2013-4487.patch ++++++
Index: gnutls-3.2.4/libdane/dane.c
===================================================================
--- gnutls-3.2.4.orig/libdane/dane.c
+++ gnutls-3.2.4/libdane/dane.c
@@ -1,5 +1,7 @@
/*
* Copyright (C) 2012 KU Leuven
+ * Copyright (C) 2013 Christian Grothoff
+ * Copyright (C) 2013 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
@@ -260,32 +262,31 @@ void dane_query_deinit(dane_query_t q)
int dane_raw_tlsa(dane_state_t s, dane_query_t *r, char *const*dane_data, const int *dane_data_len, int secure, int bogus)
{
int ret;
+ int ret = DANE_E_SUCCESS;
unsigned int i;
*r = calloc(1, sizeof(struct dane_query_st));
if (*r == NULL)
return gnutls_assert_val(DANE_E_MEMORY_ERROR);
- i = 0;
- do {
+ (*r)->data_entries = 0;
- if (dane_data_len[i] > 3)
- ret = DANE_E_SUCCESS;
- else {
- return gnutls_assert_val(DANE_E_RECEIVED_CORRUPT_DATA);
- }
+ for (i=0;i
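Review bot: this hunk is cut off at `for (i=0;i`, so the new loop bound itself cannot be reviewed from what is shown; the visible intent matches the changelog's CVE-2013-4487 entry, replacing the do/while whose `if (i > MAX_DATA_ENTRIES) break;` fired one iteration too late with a for loop and zeroing data_entries up front. The condition should be `i < MAX_DATA_ENTRIES && dane_data[i] != NULL` (not `<=`), so the last array slot is never written and an empty array is handled without touching dane_data[0]. One thing to check in the full patch: the hunk shows `int ret;` immediately followed by `+ int ret = DANE_E_SUCCESS;`; if the first line is context rather than a removed line whose `-` marker was lost, ret is declared twice and the file will not compile.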
From c3b39817df8b45f48edd89b6e652201e986770dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Thu, 6 Feb 2014 11:13:53 +0100 Subject: [PATCH 1/1] Revert "simplified decrypted data allocation."
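Review bot: reverting 1667d2ee restores the contract in the comment above the call (allocate the maximum decrypted size so a few compressed bytes can inflate to a full record), but it does so by allocating get_max_decrypted_data(session) for every incoming record, compressed or not, which is the cost the reverted commit was removing. The commit message already names the targeted upstream fix in 3.2.7 (172ae00887559fa5ba9a3bdc41d9eccb4844b077); backporting that instead keeps the package closer to upstream and avoids re-diverging when 3.2.7 lands. Also check that nothing after this point in the function reads `t.size` expecting the wire record length, since the hunk now overwrites it with the maximum before the buffer is allocated.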
This reverts commit 1667d2eecd4094a239db9f5ae54990d4c270c52a. It breaks COMP-DEFLATE as the allocated buffer is too small for the inflated content. Fixed upstream in 3.2.7 with commit 172ae00887559fa5ba9a3bdc41d9eccb4844b077. --- lib/gnutls_record.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index d261585..65d5786 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -1189,7 +1189,8 @@ begin: /* We allocate the maximum possible to allow few compressed bytes to expand to a * full record. */ - decrypted = _mbuffer_alloc(record.length, record.length); + t.size = get_max_decrypted_data(session); + decrypted = _mbuffer_alloc(t.size, t.size); if (decrypted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -- 1.8.5.3 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org