Diffstat (limited to 'patches/source/gnutls')
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2011-4128.diff36
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2012-1569.diff62
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2012-1573.diff39
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2013-1619_CVE-2013-2116.diff186
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2014-0092.diff108
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2014-3466.diff311
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2014-3467.diff45
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2014-3468.diff45
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_CVE-2014-3469.diff122
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_ipv6.diff51
-rw-r--r--patches/source/gnutls/gnutls-2.10.5_libgcrypt150-fix.diff162
-rwxr-xr-xpatches/source/gnutls/gnutls.SlackBuild144
-rw-r--r--patches/source/gnutls/slack-desc19
13 files changed, 1330 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2011-4128.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2011-4128.diff
new file mode 100644
index 000000000..6ab68469e
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2011-4128.diff
@@ -0,0 +1,36 @@
+From d9f1638a89524a780dfd132b18113bdfd6275b2c Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2011-4128 [GNUTLS-SA-2011-2]
+
+gnutls_session_get_data: fix possible buffer overflow
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/190cef6eed37d0
+https://gitorious.org/gnutls/gnutls/commit/e82ef4545e9e98
+
+---
+ gnutls_session.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/gnutls_session.c 2013-09-27
++++ b/lib/gnutls_session.c 2013-09-27
+@@ -65,13 +65,14 @@ gnutls_session_get_data (gnutls_session_
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
++ *session_data_size = psession.size;
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);
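Review bot: `*session_data_size = psession.size;` now appears twice, once inside the short-buffer branch and once after it, which is easy to desynchronise in a later edit; the fix only needs the caller's size captured before it is overwritten. A single assignment reads more clearly: `size_t avail = *session_data_size; *session_data_size = psession.size; if (psession.size > avail) { ret = GNUTLS_E_SHORT_MEMORY_BUFFER; goto error; }`. The `memcpy` that follows is now correctly guarded, since the comparison no longer runs against a value the function itself just wrote. gnutls_session_get_data begins and ends outside the hunk.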
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1569.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1569.diff
new file mode 100644
index 000000000..483491806
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1569.diff
@@ -0,0 +1,62 @@
+From 28daf52d3502dbe55a229b4a1a0ad9a1a4589bd7 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Thu, 3 Oct 2013
+Subject: CVE-2012-1569 [GNUTLS-SA-2012-3]
+
+asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12
+does not properly handle certain large length values. This can be
+exploited by attackers to cause a DoS or other impacts via a
+crafted ASN.1 structure.
+
+Fix adapted for use with libtasn1 embedded in GnuTLS 2.10.5.
+
+Relevant upstream patch:
+------------------------
+http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54
+
+---
+ decoding.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
+ * Extract a length field from DER data.
+ *
+ * Returns: Return the decoded length value, or -1 on indefinite
+- * length, or -2 when the value was too big.
++ * length, or -2 when the value was too big to fit in a int, or -4
++ * when the decoded length value plus @len would exceed @der_len.
+ **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+- unsigned long ans;
++ int ans;
+ int k, punt;
+
+ *len = 0;
+@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ ans = 0;
+ while (punt <= k && punt < der_len)
+ {
+- unsigned long last = ans;
++ int last = ans;
+
+ ans = ans * 256 + der[punt++];
+ if (ans < last)
+@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ }
+ else
+ { /* indefinite length method */
+- ans = -1;
++ *len = punt;
++ return -1;
+ }
+
+ *len = punt;
++ if (ans + *len < ans || ans + *len > der_len)
++ return -4;
+ return ans;
+ }
+ }
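Review bot: The overflow guards in the new code rely on signed wraparound, which is undefined behaviour in C and is routinely assumed away at -O2: `ans = ans * 256 + der[punt++]; if (ans < last)` (now that `ans` is `int`) and `if (ans + *len < ans || ans + *len > der_len)` may both be compiled as if the overflow never happens. Checking before the arithmetic keeps the intent without the UB, e.g. `if (ans > (INT_MAX - der[punt]) / 256) return -2;` ahead of the multiply-add (`INT_MAX` from `<limits.h>`), and `if (ans > der_len - *len) return -4;` for the final bound, where both operands are non-negative because the loop guard keeps `punt < der_len`. The earlier `unsigned long` version wrapped legally but could still turn negative on conversion to the `signed long` return type, so the move to `int` is reasonable provided the checks are rewritten this way. The `return -2` site itself is between the hunks and not visible here; asn1_get_length_der begins outside the first hunk.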
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1573.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1573.diff
new file mode 100644
index 000000000..b9c690275
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2012-1573.diff
@@ -0,0 +1,39 @@
+From 0a3c3fde11ade01aad1bc4341b8dac9bad2412d1 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2012-1573 [GNUTLS-SA-2012-2]
+
+Address a TLS record handling vulnerability in GnuTLS.
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit:
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/42221486806137
+
+---
+ gnutls_cipher.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/lib/gnutls_cipher.c 2013-09-27
++++ b/lib/gnutls_cipher.c 2013-09-27
+@@ -515,14 +515,13 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+-
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
+
++ if (ciphertext.size < hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+ if ((int) pad > (int) ciphertext.size - hash_size)
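Review bot: The new guard `if (ciphertext.size < hash_size)` still lets `ciphertext.size == hash_size` reach `pad = ciphertext.data[ciphertext.size - 1] + 1`, and for `hash_size == 0` it lets an empty record through to a read of `ciphertext.data[-1]`, exactly the case the removed `ciphertext.size == 0` check used to catch. A record must hold at least the MAC plus the padding-length byte, so `if (ciphertext.size <= hash_size)` is the tighter condition; for `size == hash_size` the outcome is unchanged, because the following `pad > ciphertext.size - hash_size` test already rejects any `pad >= 1`. Whether a block cipher can be paired with a NULL MAC in this build is not visible here, so treat the `hash_size == 0` case as defensive hardening rather than a confirmed reachable path. The same `< hash_size` comparison is kept as context in the CVE-2013-1619 patch further down, where the removal of the `pad` bound makes the tighter check more important. _gnutls_ciphertext2compressed begins and ends outside this hunk.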
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2013-1619_CVE-2013-2116.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2013-1619_CVE-2013-2116.diff
new file mode 100644
index 000000000..6ec41e099
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2013-1619_CVE-2013-2116.diff
@@ -0,0 +1,186 @@
+From 6c4c4baca8e4d3311501b2c8c2d32a0ccbe881ad Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2013-1619 and CVE-2013-2116 [GNUTLS-SA-2013-1,GNUTLS-SA-2013-2]
+
+Fix to avoid a timing attack in TLS CBC record parsing (aka Lucky 13).
+
+For background, see http://www.isg.rhul.ac.uk/tls/Lucky13.html
+
+The fix for CVE-2013-2116 is folded into this patch since it addresses
+a problem introduced by the fix for CVE-2013-1619.
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e
+https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9
+
+---
+ lib/gnutls_hash_int.h | 21 +++++++++++
+ lib/gnutls_cipher.c | 90 ++++++++++++++++++++++++++++++++----------------
+ 2 files changed, 81 insertions(+), 30 deletions(-)
+
+--- a/lib/gnutls_cipher.c
++++ b/lib/gnutls_cipher.c
+@@ -447,6 +447,49 @@ _gnutls_compressed2ciphertext (gnutls_se
+ return length;
+ }
+
++static void dummy_wait(gnutls_session_t session, gnutls_datum_t* plaintext,
++ unsigned pad_failed, unsigned int pad, unsigned total, int ver)
++{
++ /* this hack is only needed on CBC ciphers */
++ if (_gnutls_cipher_is_block (session->security_parameters.read_bulk_cipher_algorithm) == CIPHER_BLOCK)
++ {
++ uint8_t MAC[MAX_HASH_SIZE];
++ unsigned len;
++ digest_hd_st td;
++ int ret;
++
++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm,
++ session->connection_state.read_mac_secret.data,
++ session->connection_state.read_mac_secret.size, ver);
++
++ if (ret < 0)
++ return;
++
++ /* force an additional hash compression function evaluation to prevent timing
++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++ */
++ if (pad_failed == 0 && pad > 0)
++ {
++ len = _gnutls_get_hash_block_len(session->security_parameters.read_mac_algorithm);
++ if (len > 0)
++ {
++ /* This is really specific to the current hash functions.
++ * It should be removed once a protocol fix is in place.
++ */
++ if ((pad+total) % len > len-9 && total % len <= len-9)
++ {
++ if (len < plaintext->size)
++ mac_hash (&td, plaintext->data, len, ver);
++ else
++ mac_hash (&td, plaintext->data, plaintext->size, ver);
++ }
++ }
++ }
++
++ mac_deinit (&td, MAC, ver);
++ }
++}
++
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+ * Returns the actual compressed packet size.
+ */
+@@ -458,12 +501,12 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ uint8_t MAC[MAX_HASH_SIZE];
+ uint16_t c_length;
+- uint8_t pad;
++ unsigned int pad = 0;
+ int length;
+ uint16_t blocksize;
+ int ret, i, pad_failed = 0;
+ opaque preamble[PREAMBLE_SIZE];
+- int preamble_size;
++ int preamble_size = 0;
+ int ver = gnutls_protocol_get_version (session);
+ int hash_size =
+ _gnutls_hash_get_algo_len (session->
+@@ -522,31 +565,23 @@ _gnutls_ciphertext2compressed (gnutls_se
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */
+
+- if ((int) pad > (int) ciphertext.size - hash_size)
+- {
+- gnutls_assert ();
+- _gnutls_record_log
+- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+- session, pad, ciphertext.size, hash_size);
+- /* We do not fail here. We check below for the
+- * the pad_failed. If zero means success.
+- */
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+- }
+-
+- length = ciphertext.size - hash_size - pad;
+-
+- /* Check the pading bytes (TLS 1.x)
++ /* Check the pading bytes (TLS 1.x).
++ * Note that we access all 256 bytes of ciphertext for padding check
++ * because there is a timing channel in that memory access (in certain CPUs).
+ */
+ if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+ for (i = 2; i < pad; i++)
+ {
+- if (ciphertext.data[ciphertext.size - i] !=
+- ciphertext.data[ciphertext.size - 1])
++ if (ciphertext.data[ciphertext.size - i] != pad)
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
++
++ if (pad_failed)
++ pad = 0;
++ length = ciphertext.size - hash_size - pad - 1;
++
+ break;
+ default:
+ gnutls_assert ();
+@@ -585,19 +620,14 @@ _gnutls_ciphertext2compressed (gnutls_se
+ mac_deinit (&td, MAC, ver);
+ }
+
+- /* This one was introduced to avoid a timing attack against the TLS
+- * 1.0 protocol.
+- */
+- if (pad_failed != 0)
+- {
+- gnutls_assert ();
+- return pad_failed;
+- }
+-
+ /* HMAC was not the same.
+ */
+- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0)
+ {
++ gnutls_datum_t compressed = {compress_data, compress_size};
++ /* HMAC was not the same. */
++ dummy_wait(session, &compressed, pad_failed, pad, length+preamble_size, ver);
++
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+--- a/lib/gnutls_hash_int.h
++++ b/lib/gnutls_hash_int.h
+@@ -98,4 +98,25 @@ void _gnutls_mac_deinit_ssl3_handshake (
+
+ int _gnutls_hash_copy (digest_hd_st * dst_handle, digest_hd_st * src_handle);
+
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++ switch (algo)
++ {
++ case GNUTLS_DIG_MD5:
++ case GNUTLS_DIG_SHA1:
++ case GNUTLS_DIG_RMD160:
++ case GNUTLS_DIG_SHA256:
++ case GNUTLS_DIG_SHA384:
++ case GNUTLS_DIG_SHA512:
++ case GNUTLS_DIG_SHA224:
++ return 64;
++ default:
++ return 0;
++ }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
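Review bot: The backport removes the `(int) pad > (int) ciphertext.size - hash_size` bound without a replacement, so once `pad = ciphertext.data[ciphertext.size - 1];` holds a peer-chosen value up to 255 the loop `for (i = 2; i < pad; i++)` reads `ciphertext.data[ciphertext.size - i]` before the start of the buffer whenever `ciphertext.size` is smaller than `pad` (the only remaining check above is `ciphertext.size < hash_size`), and `length = ciphertext.size - hash_size - pad - 1` goes negative whenever `pad_failed` stays 0 — always on SSL3, where the padding loop does not run — which then feeds `memcmp (MAC, &ciphertext.data[length], hash_size)` and the MAC computation. The loop bound is also short: with `pad` now the raw length byte, the padding occupies `data[size-1-pad .. size-1]`, so `i` must reach `pad + 1` and `i < pad` leaves the last two padding bytes unchecked. The shape upstream settled on (commit 458c67cf98740e named in the header, as far as I recall it) walks the tail bounded by both 256 and `ciphertext.size`, then re-applies the length bound and zeroes `pad` on any failure before `length` is computed; an adaptation for this code is below. It assumes the guard just above the hunk is tightened to `ciphertext.size <= hash_size`, so that `length` is at least 0 once `pad` is zeroed. The rest of _gnutls_ciphertext2compressed, including the MAC computation that consumes `length`, lies outside these hunks.
```c
      pad = ciphertext.data[ciphertext.size - 1]; /* pad */

      /* Check the padding bytes (TLS 1.x).  Walk up to 256 trailing bytes so
       * the memory-access pattern does not depend on pad, but never index
       * before the start of the ciphertext. */
      if (_gnutls_version_has_variable_padding (ver))
        {
          int tail = ciphertext.size < 256 ? (int) ciphertext.size : 256;
          for (i = 2; i <= tail; i++)
            {
              if (i <= (int) pad + 1 && ciphertext.data[ciphertext.size - i] != pad)
                pad_failed = GNUTLS_E_DECRYPTION_FAILED;
            }
        }

      /* The declared padding must fit inside the record after the MAC; on
       * any failure pretend there was no padding so length stays in range. */
      if (pad_failed != 0 || (int) pad + 1 > (int) ciphertext.size - hash_size)
        {
          pad_failed = GNUTLS_E_DECRYPTION_FAILED;
          pad = 0;
        }
      length = ciphertext.size - hash_size - pad - 1;
      /* … unchanged: break / default … */
```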
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2014-0092.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-0092.diff
new file mode 100644
index 000000000..48fe7baaf
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-0092.diff
@@ -0,0 +1,108 @@
+From 4a09cbbeae43f8c78929838df38edf353f2f9bdc Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Mon, 03 Mar 2014
+Subject: CVE-2014-0092 (GNUTLS-SA-2014-2)
+
+Fix vulnerabilities in the certificate verification code path.
+The vulnerabilities can be exploited such that specially-crafted
+certificates can bypass certificate validation checks.
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit:
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/6aa26f78150ccb
+
+---
+ lib/x509/verify.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -116,7 +116,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -125,7 +125,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -133,7 +133,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -181,6 +181,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -274,7 +275,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer = NULL;
+- int ret, issuer_version, result;
++ int ret, issuer_version, result = 0;
+
+ if (output)
+ *output = 0;
+@@ -307,7 +308,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -328,6 +329,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -336,6 +338,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -345,6 +348,8 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (ret < 0)
+ {
+ gnutls_assert ();
++ result = 0;
++ goto cleanup;
+ }
+ else if (ret == 0)
+ {
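Review bot: The fix turns every early exit in `check_if_ca` and `_gnutls_verify_certificate2` into `result = 0`, but nothing in the code states the contract that made the original bug possible: these functions return a boolean (1 verified, 0 not verified), so a negative error code must never escape as the return value. A comment at the new `fail:` label, e.g. `/* fail: any error while inspecting the certificate means it is NOT a CA; never return a negative error code from here, callers treat the value as a boolean */`, and the same sentence above `_gnutls_verify_certificate2`'s `result = 0` initialisation, would keep the next maintainer from reintroducing a `goto cleanup` with a negative `result`. The `return 0;` that replaces `return issuer_version;` silently drops the reason the issuer version could not be read; if `gnutls_assert` output is the only trace, consider a `_gnutls_record_log` line so a failing verification stays diagnosable. Both functions begin and end outside these hunks, so whether any remaining `return` path still propagates a negative value cannot be confirmed from here.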
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3466.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3466.diff
new file mode 100644
index 000000000..5019dc701
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3466.diff
@@ -0,0 +1,311 @@
+From 3bec00196f7a256cad723c97f51fb067a6473d25 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3466
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit(s):
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c
+https://gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf
+
+---
+ lib/gnutls_handshake.c | 2
+ tests/Makefile.am | 2
+ tests/long-session-id.c | 268 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 270 insertions(+), 2 deletions(-)
+
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1749,7 +1749,7 @@ _gnutls_read_server_hello (gnutls_sessio
+ DECR_LEN (len, 1);
+ session_id_len = data[pos++];
+
+- if (len < session_id_len)
++ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -60,7 +60,7 @@
+ crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \
+ crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
+ nul-in-x509-names x509_altname pkcs12_encode mini-x509 \
+- mini-x509-rehandshake
++ mini-x509-rehandshake long-session-id
+
+ if ENABLE_OPENSSL
+ ctests += openssl
+--- /dev/null
++++ b/tests/long-session-id.c
+@@ -0,0 +1,268 @@
++/*
++ * Copyright (C) 2012 Free Software Foundation, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main()
++{
++ exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <sys/wait.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++#include <signal.h>
++
++static int debug = 0;
++static void terminate(int);
++
++/* This program tests the robustness of record
++ * decoding.
++ */
++
++static void client_log_func(int level, const char *str)
++{
++ fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof(server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof(server_key_pem)
++};
++
++
++/* A very basic TLS client, with anonymous authentication.
++ */
++
++static void client(int fd, const char *prio)
++{
++ int ret;
++ gnutls_anon_client_credentials_t anoncred;
++ gnutls_certificate_credentials_t x509_cred;
++ gnutls_session_t session;
++ /* Need to enable anonymous KX specifically. */
++
++ gnutls_global_init();
++
++ if (debug) {
++ gnutls_global_set_log_function(client_log_func);
++ gnutls_global_set_log_level(7);
++ }
++
++ gnutls_anon_allocate_client_credentials(&anoncred);
++ gnutls_certificate_allocate_credentials(&x509_cred);
++
++ /* Initialize TLS session
++ */
++ gnutls_init(&session, GNUTLS_CLIENT);
++
++ /* Use default priorities */
++ gnutls_priority_set_direct(session, prio, NULL);
++
++ /* put the anonymous credentials to the current session
++ */
++ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
++
++ /* Perform the TLS handshake
++ */
++ do {
++ ret = gnutls_handshake(session);
++ }
++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++
++ if (ret < 0) {
++ fprintf(stderr, "client: Handshake failed (expected)\n");
++ gnutls_perror(ret);
++ exit(0);
++ } else {
++ if (debug)
++ fprintf(stderr, "client: Handshake was completed\n");
++ }
++
++ close(fd);
++
++ gnutls_deinit(session);
++
++ gnutls_anon_free_client_credentials(anoncred);
++ gnutls_certificate_free_credentials(x509_cred);
++
++ gnutls_global_deinit();
++}
++
++
++/* These are global */
++pid_t child;
++
++static void terminate(int ret)
++{
++ kill(child, SIGTERM);
++ exit(ret);
++}
++
++static void server(int fd, const char *prio)
++{
++ int ret;
++ uint8_t id[255];
++ uint8_t buffer[] = "\x16\x03\x00\x01\x25"
++ "\x02\x00\x01\x21"
++ "\x03\x00"/*Server Version */
++ /*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00"
++ /*SessionID*/"\xfe";
++
++ ret = read(fd, id, sizeof(id));
++ if (ret < 0) {
++ abort();
++ }
++
++ ret = write(fd, buffer, sizeof(buffer));
++ if (ret < 0) {
++ return;
++ }
++
++ memset(id, 0xff, sizeof(id));
++ ret = write(fd, id, sizeof(id));
++ if (ret < 0) {
++ return;
++ }
++
++ memset(id, 0xff, sizeof(id));
++ ret = write(fd, id, sizeof(id));
++ if (ret < 0) {
++ return;
++ }
++ sleep(3);
++
++ return;
++}
++
++static void start(const char *prio)
++{
++ int fd[2];
++ int ret;
++
++ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
++ if (ret < 0) {
++ perror("socketpair");
++ exit(1);
++ }
++
++ child = fork();
++ if (child < 0) {
++ perror("fork");
++ exit(1);
++ }
++
++ if (child) {
++ /* parent */
++ close(fd[1]);
++ server(fd[0], prio);
++ kill(child, SIGTERM);
++ } else {
++ close(fd[0]);
++ client(fd[1], prio);
++ exit(0);
++ }
++}
++
++static void ch_handler(int sig)
++{
++ int status, ret = 0;
++ wait(&status);
++ if (WEXITSTATUS(status) != 0 ||
++ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
++ if (WIFSIGNALED(status)) {
++ fprintf(stderr, "Child died with sigsegv\n");
++ ret = 1;
++ } else {
++ fprintf(stderr, "Child died with status %d\n",
++ WEXITSTATUS(status));
++ }
++ terminate(ret);
++ }
++ return;
++}
++
++int main(int argc, char **argv)
++{
++ signal(SIGCHLD, ch_handler);
++
++ if (argc > 1)
++ debug = 1;
++
++ start("NORMAL");
++ return 0;
++}
++
++#endif /* _WIN32 */
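Review bot: `ch_handler` runs `wait`, `fprintf`, `kill` and `exit` from inside a SIGCHLD handler; `fprintf` and `exit` are not async-signal-safe, so garbled output or a hang is possible if the signal lands mid-`fprintf` in `server`/`client`, and `WEXITSTATUS(status)` is consulted before `WIFEXITED(status)` has been established. Setting a `volatile sig_atomic_t` flag in the handler and doing the `wait`/reporting in `main` after `start()` returns keeps the same pass/fail semantics without those hazards. `server_cert` and `server_key` (with its embedded test private key) are defined but never referenced in this test, so they are dead data and could be dropped; `uint8_t` is used without an explicit `<stdint.h>` include, presumably pulled in via `<gnutls/gnutls.h>`. The one-line library fix `session_id_len > TLS_MAX_SESSION_ID_SIZE` in `_gnutls_read_server_hello` is sound as far as this hunk shows; that function continues outside it.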
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3467.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3467.diff
new file mode 100644
index 000000000..f5f8d733b
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3467.diff
@@ -0,0 +1,45 @@
+From 8498106625598a8d6a8579e23785bbeee378855c Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3467
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=ff3b5c68cc32e3
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=51612fca32dda4
+
+---
+ lib/minitasn1/decoding.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -134,7 +134,7 @@ asn1_get_tag_der (const unsigned char *d
+ /* Long form */
+ punt = 1;
+ ris = 0;
+- while (punt <= der_len && der[punt] & 128)
++ while (punt < der_len && der[punt] & 128)
+ {
+ int last = ris;
+ ris = ris * 128 + (der[punt++] & 0x7F);
+@@ -242,7 +242,7 @@ _asn1_get_time_der (const unsigned char
+ if (der_len <= 0 || str == NULL)
+ return ASN1_DER_ERROR;
+ str_len = asn1_get_length_der (der, der_len, &len_len);
+- if (str_len < 0 || str_size < str_len)
++ if (str_len <= 0 || str_size < str_len)
+ return ASN1_DER_ERROR;
+ memcpy (str, der + len_len, str_len);
+ str[str_len] = 0;
+@@ -268,7 +268,7 @@ _asn1_get_objectid_der (const unsigned c
+ return ASN1_GENERIC_ERROR;
+ len = asn1_get_length_der (der, der_len, &len_len);
+
+- if (len < 0 || len > der_len || len_len > der_len)
++ if (len <= 0 || len > der_len || len_len > der_len)
+ return ASN1_DER_ERROR;
+
+ val1 = der[len_len] / 40;
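Review bot: In `_asn1_get_time_der` the tightened `str_len <= 0 || str_size < str_len` check still allows `str_len == str_size`, after which `str[str_len] = 0;` writes one byte past `str_size`; unless every caller passes `sizeof buf - 1` (not visible here), the test should be `str_size <= str_len`. The `memcpy (str, der + len_len, str_len)` also has no check in this hunk that `len_len + str_len <= der_len`; with the CVE-2012-1569 patch from this same series applied, `asn1_get_length_der` returns -4 in that case and the `str_len <= 0` test rejects it, so the two patches only work together — worth a sentence in this patch's header. The `_asn1_get_objectid_der` change has the same dependency, and its `len_len > der_len` comparison is then subsumed by the -4 return. All three functions begin and end outside the hunks.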
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3468.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3468.diff
new file mode 100644
index 000000000..bb4026948
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3468.diff
@@ -0,0 +1,45 @@
+From 281855ad29bfe57c8ceeed42745e56e5d4106dcd Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3468
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1
+
+---
+ lib/minitasn1/decoding.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -209,7 +209,7 @@ asn1_get_octet_der (const unsigned char
+ int *ret_len, unsigned char *str, int str_size,
+ int *str_len)
+ {
+- int len_len;
++ int len_len = 0;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+@@ -330,7 +330,7 @@ asn1_get_bit_der (const unsigned char *d
+ int *ret_len, unsigned char *str, int str_size,
+ int *bit_len)
+ {
+- int len_len, len_byte;
++ int len_len = 0, len_byte;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+@@ -341,6 +341,9 @@ asn1_get_bit_der (const unsigned char *d
+ *ret_len = len_byte + len_len + 1;
+ *bit_len = len_byte * 8 - der[len_len];
+
++ if (*bit_len <= 0)
++ return ASN1_DER_ERROR;
++
+ if (str_size >= len_byte)
+ memcpy (str, der + len_len + 1, len_byte);
+ else
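Review bot: `if (*bit_len <= 0) return ASN1_DER_ERROR;` rejects a zero-length BIT STRING (`len_byte == 0` with an unused-bits byte of 0), which is a legal DER encoding; as far as I recall the upstream libtasn1 fix uses `< 0`, so the `<=` here looks like a backport divergence worth checking against commit 1c3ccb3e040bf1 named in the header. The check also never validates the unused-bits byte itself: `*bit_len = len_byte * 8 - der[len_len]` accepts `der[len_len]` values of 8..255 whenever `len_byte` is large enough to keep the result positive, so a guard like `if (der[len_len] > 7 || *bit_len < 0) return ASN1_DER_ERROR;` would reject those malformed inputs too. The `len_len = 0` initialisations in both functions are harmless; per the CVE-2012-1569 patch in this series `asn1_get_length_der` sets `*len = 0` on entry, so they are belt-and-braces against other return paths. asn1_get_octet_der and asn1_get_bit_der begin and end outside the hunks.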
diff --git a/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3469.diff b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3469.diff
new file mode 100644
index 000000000..6b340794a
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_CVE-2014-3469.diff
@@ -0,0 +1,122 @@
+From 6acc0b4de05891f0502eddfc6e4b6256404ab5fe Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3469
+
+This is a backport adaptation for use with GnuTLS 2.10.5.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c
+
+---
+ lib/minitasn1/decoding.c | 11 ++++++++---
+ lib/minitasn1/element.c | 27 ++++++++++++++++++---------
+ 2 files changed, 26 insertions(+), 12 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -214,7 +214,6 @@ asn1_get_octet_der (const unsigned char
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+
+- /* if(str==NULL) return ASN1_SUCCESS; */
+ *str_len = asn1_get_length_der (der, der_len, &len_len);
+
+ if (*str_len < 0)
+@@ -222,7 +221,10 @@ asn1_get_octet_der (const unsigned char
+
+ *ret_len = *str_len + len_len;
+ if (str_size >= *str_len)
+- memcpy (str, der + len_len, *str_len);
++ {
++ if (*str_len > 0 && str != NULL)
++ memcpy (str, der + len_len, *str_len);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+@@ -345,7 +347,10 @@ asn1_get_bit_der (const unsigned char *d
+ return ASN1_DER_ERROR;
+
+ if (str_size >= len_byte)
+- memcpy (str, der + len_len + 1, len_byte);
++ {
++ if (len_byte > 0 && str)
++ memcpy (str, der + len_len + 1, len_byte);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+--- a/lib/minitasn1/element.c
++++ b/lib/minitasn1/element.c
+@@ -113,8 +113,11 @@ _asn1_convert_integer (const unsigned ch
+ /* VALUE_OUT is too short to contain the value conversion */
+ return ASN1_MEM_ERROR;
+
+- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+- value_out[k2 - k] = val[k2];
++ if (value_out != NULL)
++ {
++ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
++ value_out[k2 - k] = val[k2];
++ }
+
+ #if 0
+ printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
+@@ -618,7 +621,8 @@ asn1_write_value (asn1_node node_root, c
+ if (ptr_size < data_size) { \
+ return ASN1_MEM_ERROR; \
+ } else { \
+- memcpy( ptr, data, data_size); \
++ if (ptr && data_size > 0) \
++ memcpy( ptr, data, data_size); \
+ }
+
+ #define PUT_STR_VALUE( ptr, ptr_size, data) \
+@@ -627,16 +621,19 @@ asn1_write_value (asn1_node node_root, c
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcpy is checked */ \
+- strcpy(ptr, data); \
++ if (ptr) { \
++ strcpy(ptr, data); \
++ } \
+ }
+
+ #define ADD_STR_VALUE( ptr, ptr_size, data) \
+- *len = (int) strlen(data) + 1; \
+- if (ptr_size < (int) strlen(ptr)+(*len)) { \
++ *len += strlen(data); \
++ if (ptr_size < (int) *len) { \
++ (*len)++; \
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcat is checked */ \
+- strcat(ptr, data); \
++ if (ptr) strcat (ptr, data); \
+ }
+
+ /**
+@@ -793,7 +800,9 @@ asn1_read_value (asn1_node root, const c
+ case TYPE_OBJECT_ID:
+ if (node->type & CONST_ASSIGN)
+ {
+- value[0] = 0;
++ *len = 0;
++ if (value)
++ value[0] = 0;
+ p = node->down;
+ while (p)
+ {
+@@ -807,7 +816,7 @@ asn1_read_value (asn1_node root, const c
+ }
+ p = p->right;
+ }
+- *len = strlen (value) + 1;
++ (*len)++;
+ }
+ else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
+ {
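Review bot: `ADD_STR_VALUE` changes from computing `*len` to accumulating into it (`*len += strlen(data)`), so every call site must now zero `*len` first and bump it for the NUL afterwards — `asn1_read_value` does exactly that in the `TYPE_OBJECT_ID` case (`*len = 0;` and `(*len)++;`), but any other user of the macro in element.c that is not in this hunk would now report a stale or garbage length. A comment on the macro spelling out the new contract, e.g. `/* ADD_STR_VALUE: caller must set *len to the bytes already in ptr (no NUL); on ASN1_MEM_ERROR *len is the required size including the NUL */`, plus a check for other users, would make that safe. `strlen(data)` (size_t) is added into the `int` behind `*len` and then compared as `(int) *len`, which is fine for name-sized strings but keeps the same silent-truncation style as before. The hunk header `@@ -627,16 +621,19 @@` starts its new side before the previous hunk's `+621,8` range ends; the line counts are consistent so patch(1) should apply it with an offset, but stricter tools may reject it. asn1_write_value and asn1_read_value begin and end outside the hunks.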
diff --git a/patches/source/gnutls/gnutls-2.10.5_ipv6.diff b/patches/source/gnutls/gnutls-2.10.5_ipv6.diff
new file mode 100644
index 000000000..a96b1e629
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_ipv6.diff
@@ -0,0 +1,51 @@
+From 769faff8029083b43e8c4949ee9d7cd988f7ec01 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: Fix binding of IPV6 address in gnutls-serv
+
+On Linux with /proc/sys/net/ipv6/bindv6only == 0 (which is now the
+default), gnutls-serv cannot listen on ipv6.
+
+Fix adapted for use with GnuTLS 2.10.5.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/1c315602306afc
+https://gitorious.org/gnutls/gnutls/commit/9c1536d514dd83
+
+---
+ serv.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/src/serv.c 2013-09-29
++++ b/src/serv.c 2013-09-29
+@@ -701,6 +701,11 @@ listen_socket (const char *name, int lis
+
+ for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
+ {
++#ifndef HAVE_IPV6
++ if (ptr->ai_family != AF_INET)
++ continue;
++#endif
++
+ /* Print what we are doing. */
+ {
+ char topbuf[512];
+@@ -717,6 +722,17 @@ listen_socket (const char *name, int lis
+ continue;
+ }
+
++#if defined(HAVE_IPV6) && !defined(_WIN32)
++ if (ptr->ai_family == AF_INET6)
++ {
++ yes = 1;
++ /* avoid listen on ipv6 addresses failing
++ * because already listening on ipv4 addresses: */
++ setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY,
++ (const void *) &yes, sizeof (yes));
++ }
++#endif
++
+ yes = 1;
+ if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR,
+ (const void *) &yes, sizeof (yes)) < 0)
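Review bot: The new `setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY, ...)` ignores its return value, while the `SO_REUSEADDR` call a few lines below checks for `< 0`; if the option fails, the original symptom (the IPv6 bind failing because the IPv4 socket already owns the port) comes back silently. Mirror the existing style: `if (setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY, (const void *) &yes, sizeof (yes)) < 0)` and report it the way the `SO_REUSEADDR` failure is reported, which is outside this hunk. listen_socket begins and ends outside the hunks.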
diff --git a/patches/source/gnutls/gnutls-2.10.5_libgcrypt150-fix.diff b/patches/source/gnutls/gnutls-2.10.5_libgcrypt150-fix.diff
new file mode 100644
index 000000000..3ba3ec83d
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.10.5_libgcrypt150-fix.diff
@@ -0,0 +1,162 @@
+From d8be4a97cc18b33978df789adfc676cd5d748a10 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: Fix problem when using libgcrypt 1.5.0+
+
+Fix GnuTLS to not rely on a bug present in libgcrypt before 1.5.0
+in gcry_sexp_nth_mpi().
+
+Relevant discussion:
+--------------------
+https://lists.gnu.org/archive/html/gnutls-devel/2011-07/msg00006.html
+
+---
+ pk-libgcrypt.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/lib/pk-libgcrypt.c 2013-09-27
++++ b/lib/pk-libgcrypt.c 2013-09-27
+@@ -112,7 +112,7 @@ _wrap_gcry_pk_encrypt (gnutls_pk_algorit
+ goto cleanup;
+ }
+
+- res = gcry_sexp_nth_mpi (list, 1, 0);
++ res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+ if (res == NULL)
+ {
+@@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit
+ goto cleanup;
+ }
+
+- res = gcry_sexp_nth_mpi (s_plain, 0, 0);
++ res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG);
+ if (res == NULL)
+ {
+ gnutls_assert ();
+@@ -327,7 +327,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (s_sig, "s", 0);
+@@ -338,7 +338,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ ret = _gnutls_encode_ber_rs (signature, res[0], res[1]);
+@@ -360,7 +360,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ ret = _gnutls_mpi_dprint (res[0], signature);
+@@ -559,7 +559,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "q", 0);
+@@ -570,7 +570,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "g", 0);
+@@ -581,7 +581,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "y", 0);
+@@ -592,7 +592,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -604,7 +604,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+
+ gcry_sexp_release (list);
+ gcry_sexp_release (key);
+@@ -653,7 +653,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "e", 0);
+@@ -664,7 +664,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "d", 0);
+@@ -675,7 +675,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "p", 0);
+@@ -686,7 +686,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -698,7 +698,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -710,7 +710,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[5] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[5] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+
+ gcry_sexp_release (list);
+ gcry_sexp_release (key);
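Review bot: In the `_wrap_gcry_pk_sign` hunks (the assignments to `res[0]` and `res[1]` now passing `GCRYMPI_FMT_USG`) the result of `gcry_sexp_nth_mpi` is never checked for NULL before `gcry_sexp_release (list)` and, for the DSA branch, before `_gnutls_encode_ber_rs (signature, res[0], res[1])`; the encrypt and decrypt hunks above do check `if (res == NULL)`. With the format argument now explicit, a malformed or unexpected s-expression from libgcrypt returns NULL here and would reach the BER encoder or `_gnutls_mpi_dprint` as a null MPI. I would add after each of the three sign-path assignments: `if (res[0] == NULL) { gnutls_assert (); ret = GNUTLS_E_INTERNAL_ERROR; goto cleanup; }` (adjusted for `res[1]`), matching the error style the surrounding code already uses. The same pattern applies to `_dsa_generate_params` and `_rsa_generate_params`, where `resarr[i]` is assigned without a NULL check. All of these functions begin and end outside the hunks, so the `cleanup` label and the return convention should be confirmed against the full file.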
diff --git a/patches/source/gnutls/gnutls.SlackBuild b/patches/source/gnutls/gnutls.SlackBuild
new file mode 100755
index 000000000..4216d1479
--- /dev/null
+++ b/patches/source/gnutls/gnutls.SlackBuild
@@ -0,0 +1,144 @@
+#!/bin/sh
+
+# Copyright 2007 Robby Workman (http://rlworkman.net)
+# Copyright 2007, 2008, 2009, 2010, 2014 Patrick Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+PKGNAM=gnutls
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-4_slack13.37}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+cd $TMP
+
+rm -rf $PKGNAM-$VERSION
+if [ -r $CWD/$PKGNAM-$VERSION.tar.gz ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.gz || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.bz2 ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.bz2 || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.xz ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.lzma ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.lzma || exit 1
+else
+ exit 1
+fi
+
+
+cd $PKGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+zcat $CWD/gnutls-2.10.5_CVE-2011-4128.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2012-1569.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2012-1573.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2013-1619_CVE-2013-2116.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_libgcrypt150-fix.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_ipv6.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2014-0092.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2014-3466.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2014-3467.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2014-3468.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.10.5_CVE-2014-3469.diff.gz | patch -p1 --verbose || exit 1
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --infodir=/usr/info \
+ --mandir=/usr/man \
+ --enable-static=no \
+ --build=$ARCH-slackware-linux \
+ --host=$ARCH-slackware-linux
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $(find . -type l) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+( cd $PKG/usr/info
+ rm -f dir
+ gzip -9 *.info*
+)
+
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
+cp -a \
+ ABOUT-NLS AUTHORS COPYING* INSTALL NEWS README* THANKS \
+ $PKG/usr/doc/$PKGNAM-$VERSION
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n -p $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
+
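Review bot: `cd $PKGNAM-$VERSION` (and the later `cd $PKG/usr/man`, `cd $PKG/usr/info` and `cd $PKG`) have no failure check, unlike the `tar` and `patch` steps which all end in `|| exit 1`. If the extracted directory name does not match the computed `VERSION` (the glob-derived value at the top of the script), the script keeps running as root in `$TMP`: `chown -R root:root .` and the `find ... -exec chmod` recurse over whatever is there, and the `gzip -9` in the man subshell would compress files in the wrong tree. I would change the line to `cd $PKGNAM-$VERSION || exit 1` and apply the same `|| exit 1` to the three other `cd` calls. The `VERSION` derivation itself depends on exactly one matching tarball in `$CWD`; it may be worth a comment noting that assumption.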
diff --git a/patches/source/gnutls/slack-desc b/patches/source/gnutls/slack-desc
new file mode 100644
index 000000000..49fdb9f0c
--- /dev/null
+++ b/patches/source/gnutls/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+gnutls: gnutls (GNU TLS library)
+gnutls:
+gnutls: This is a TLS (Transport Layer Security) 1.0 and SSL (Secure Sockets
+gnutls: Layer) 3.0 implementation. In brief, GnuTLS can be described as a
+gnutls: library which offers an API to access secure communication protocols.
+gnutls: These protocols provide privacy over insecure lines, and were designed
+gnutls: to prevent eavesdropping, tampering, or message forgery.
+gnutls:
+gnutls: Homepage: http://www.gnu.org/software/gnutls/
+gnutls:
+gnutls: