Compare commits
28 Commits
Author | SHA1 | Date |
---|---|---|
Nikos Mavrogiannopoulos | 8ef388887b | |
Nikos Mavrogiannopoulos | a958e663ae | |
Nikos Mavrogiannopoulos | 56b33a1b88 | |
Nikos Mavrogiannopoulos | 9699591430 | |
Nikos Mavrogiannopoulos | 2dbd14bcfa | |
Nikos Mavrogiannopoulos | c3cc9685de | |
Nikos Mavrogiannopoulos | 78edc6e054 | |
Nikos Mavrogiannopoulos | 2d6eca6703 | |
Nikos Mavrogiannopoulos | 8f6c041f1a | |
Nikos Mavrogiannopoulos | 5c493b94aa | |
Nikos Mavrogiannopoulos | 4ea868df36 | |
Nikos Mavrogiannopoulos | 5b6a2d9f99 | |
Nikos Mavrogiannopoulos | 04f2e8d7a1 | |
Nikos Mavrogiannopoulos | c7a8b70e9e | |
Nikos Mavrogiannopoulos | 57d4957db8 | |
Nikos Mavrogiannopoulos | aa2c065b07 | |
Nikos Mavrogiannopoulos | eb5540a0da | |
Nikos Mavrogiannopoulos | 808ab76a93 | |
Nikos Mavrogiannopoulos | 78a556e2af | |
Nikos Mavrogiannopoulos | ca46c5e0e0 | |
Nikos Mavrogiannopoulos | 676d9f6148 | |
Nikos Mavrogiannopoulos | 758382b4b0 | |
Nikos Mavrogiannopoulos | fe0ad5ae3e | |
Nikos Mavrogiannopoulos | a6f727a862 | |
Nikos Mavrogiannopoulos | 2c4b690674 | |
Nikos Mavrogiannopoulos | 3bdf90ec87 | |
Nikos Mavrogiannopoulos | 3ccbc93eb7 | |
Nikos Mavrogiannopoulos | 965b0c9231 |
|
@ -28,3 +28,12 @@ gnutls-2.10.1-nosrp.tar.bz2
|
|||
/gnutls-3.1.13-hobbled-el.tar.xz
|
||||
/gnutls-3.1.15-hobbled.tar.xz
|
||||
/gnutls-3.1.16-hobbled.tar.xz
|
||||
/gnutls-3.1.17-hobbled.tar.xz
|
||||
/gnutls-3.1.18-hobbled.tar.xz
|
||||
/gnutls-3.1.20-hobbled.tar.xz
|
||||
/gnutls-3.1.23-hobbled.tar.xz
|
||||
/gnutls-3.1.24-hobbled.tar.xz
|
||||
/gnutls-3.1.25-hobbled.tar.xz
|
||||
/gnutls-3.1.26-hobbled.tar.xz
|
||||
/gnutls-3.1.27-hobbled.tar.xz
|
||||
/gnutls-3.1.28-hobbled.tar.xz
|
||||
|
|
13
ecc.c
13
ecc.c
|
@ -56,6 +56,19 @@ static const gnutls_ecc_curve_entry_st ecc_curves[] = {
|
|||
.Gx = "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
|
||||
.Gy = "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"
|
||||
},
|
||||
{
|
||||
.name = "SECP521R1",
|
||||
.oid = "1.3.132.0.35",
|
||||
.id = GNUTLS_ECC_CURVE_SECP521R1,
|
||||
.tls_id = 25,
|
||||
.size = 66,
|
||||
.prime = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
|
||||
.A = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
|
||||
.B = "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
|
||||
.order = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
|
||||
.Gx = "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
|
||||
.Gy = "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
|
||||
},
|
||||
{0, 0, 0}
|
||||
};
|
||||
|
||||
|
|
|
@ -1,209 +0,0 @@
|
|||
diff -up gnutls-2.12.21/lib/gcrypt/init.c.fips gnutls-2.12.21/lib/gcrypt/init.c
|
||||
--- gnutls-2.12.21/lib/gcrypt/init.c.fips 2012-01-06 20:06:23.000000000 +0100
|
||||
+++ gnutls-2.12.21/lib/gcrypt/init.c 2012-11-09 19:57:54.651624659 +0100
|
||||
@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
|
||||
.recvmsg = NULL,
|
||||
};
|
||||
|
||||
+int gnutls_gcrypt_fips;
|
||||
+
|
||||
int
|
||||
gnutls_crypto_init (void)
|
||||
{
|
||||
@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
|
||||
return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
|
||||
}
|
||||
|
||||
+ gnutls_gcrypt_fips = gcry_fips_mode_active();
|
||||
+
|
||||
/* for gcrypt in order to be able to allocate memory */
|
||||
gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
|
||||
|
||||
diff -up gnutls-2.12.21/lib/gnutls_algorithms.c.fips gnutls-2.12.21/lib/gnutls_algorithms.c
|
||||
--- gnutls-2.12.21/lib/gnutls_algorithms.c.fips 2012-01-06 20:06:23.000000000 +0100
|
||||
+++ gnutls-2.12.21/lib/gnutls_algorithms.c 2012-11-28 14:19:34.507948036 +0100
|
||||
@@ -44,11 +44,11 @@ typedef struct
|
||||
} gnutls_sec_params_entry;
|
||||
|
||||
static const gnutls_sec_params_entry sec_params[] = {
|
||||
- {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128},
|
||||
- {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
|
||||
- {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
|
||||
- {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
|
||||
- {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
|
||||
+ {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 1024, 1024, 128, 128},
|
||||
+ {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1280, 2048, 160, 160},
|
||||
+ {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2560, 3072, 224, 224},
|
||||
+ {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3328, 3072, 256, 256},
|
||||
+ {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15616, 3072, 512, 512},
|
||||
{NULL, 0, 0, 0, 0, 0}
|
||||
};
|
||||
|
||||
diff -up gnutls-2.12.21/lib/gnutls_priority.c.fips gnutls-2.12.21/lib/gnutls_priority.c
|
||||
--- gnutls-2.12.21/lib/gnutls_priority.c.fips 2012-11-08 17:11:11.000000000 +0100
|
||||
+++ gnutls-2.12.21/lib/gnutls_priority.c 2012-11-09 19:57:54.651624659 +0100
|
||||
@@ -30,6 +30,7 @@
|
||||
#include "gnutls_algorithms.h"
|
||||
#include "gnutls_errors.h"
|
||||
#include <gnutls_num.h>
|
||||
+#include <gcrypt.h>
|
||||
|
||||
static void
|
||||
break_comma_list (char *etag,
|
||||
@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
|
||||
0
|
||||
};
|
||||
|
||||
+static const int protocol_priority_fips[] = {
|
||||
+ GNUTLS_TLS1_2,
|
||||
+ GNUTLS_TLS1_1,
|
||||
+ GNUTLS_TLS1_0,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
static const int kx_priority_performance[] = {
|
||||
GNUTLS_KX_RSA,
|
||||
GNUTLS_KX_DHE_RSA,
|
||||
@@ -269,6 +277,13 @@ static const int cipher_priority_perform
|
||||
0
|
||||
};
|
||||
|
||||
+static const int cipher_priority_performance_fips[] = {
|
||||
+ GNUTLS_CIPHER_AES_128_CBC,
|
||||
+ GNUTLS_CIPHER_3DES_CBC,
|
||||
+ GNUTLS_CIPHER_AES_256_CBC,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
static const int cipher_priority_normal[] = {
|
||||
GNUTLS_CIPHER_AES_128_CBC,
|
||||
#ifdef ENABLE_CAMELLIA
|
||||
@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
|
||||
0
|
||||
};
|
||||
|
||||
+static const int cipher_priority_normal_fips[] = {
|
||||
+ GNUTLS_CIPHER_AES_128_CBC,
|
||||
+ GNUTLS_CIPHER_AES_256_CBC,
|
||||
+ GNUTLS_CIPHER_3DES_CBC,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
static const int cipher_priority_secure128[] = {
|
||||
GNUTLS_CIPHER_AES_128_CBC,
|
||||
#ifdef ENABLE_CAMELLIA
|
||||
@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
|
||||
0
|
||||
};
|
||||
|
||||
+static const int cipher_priority_secure128_fips[] = {
|
||||
+ GNUTLS_CIPHER_AES_128_CBC,
|
||||
+ GNUTLS_CIPHER_3DES_CBC,
|
||||
+ 0
|
||||
+};
|
||||
|
||||
static const int cipher_priority_secure256[] = {
|
||||
GNUTLS_CIPHER_AES_256_CBC,
|
||||
@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
|
||||
0
|
||||
};
|
||||
|
||||
+static const int cipher_priority_secure256_fips[] = {
|
||||
+ GNUTLS_CIPHER_AES_256_CBC,
|
||||
+ GNUTLS_CIPHER_AES_128_CBC,
|
||||
+ GNUTLS_CIPHER_3DES_CBC,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
/* The same as cipher_priority_security_normal + arcfour-40. */
|
||||
static const int cipher_priority_export[] = {
|
||||
GNUTLS_CIPHER_AES_128_CBC,
|
||||
@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
|
||||
0
|
||||
};
|
||||
|
||||
+static const int mac_priority_normal_fips[] = {
|
||||
+ GNUTLS_MAC_SHA1,
|
||||
+ GNUTLS_MAC_SHA256,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
|
||||
static const int mac_priority_secure[] = {
|
||||
GNUTLS_MAC_SHA256,
|
||||
@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
|
||||
|
||||
#define MAX_ELEMENTS 48
|
||||
|
||||
+extern int gnutls_gcrypt_fips;
|
||||
+
|
||||
/**
|
||||
* gnutls_priority_init:
|
||||
* @priority_cache: is a #gnutls_prioritity_t structure.
|
||||
@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
|
||||
*/
|
||||
if (strcasecmp (broken_list[0], "NONE") != 0)
|
||||
{
|
||||
- _set_priority (&(*priority_cache)->protocol, protocol_priority);
|
||||
+ _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
|
||||
_set_priority (&(*priority_cache)->compression, comp_priority);
|
||||
_set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
|
||||
_set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
|
||||
@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
|
||||
if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
|
||||
{
|
||||
_set_priority (&(*priority_cache)->cipher,
|
||||
- cipher_priority_performance);
|
||||
+ gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
|
||||
_set_priority (&(*priority_cache)->kx, kx_priority_performance);
|
||||
- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
|
||||
+ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
|
||||
_set_priority (&(*priority_cache)->sign_algo,
|
||||
sign_priority_default);
|
||||
}
|
||||
else if (strcasecmp (broken_list[i], "NORMAL") == 0)
|
||||
{
|
||||
- _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
|
||||
+ _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
|
||||
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
|
||||
- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
|
||||
+ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
|
||||
_set_priority (&(*priority_cache)->sign_algo,
|
||||
sign_priority_default);
|
||||
}
|
||||
@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
|
||||
|| strcasecmp (broken_list[i], "SECURE") == 0)
|
||||
{
|
||||
_set_priority (&(*priority_cache)->cipher,
|
||||
- cipher_priority_secure256);
|
||||
+ gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
|
||||
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
|
||||
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
|
||||
_set_priority (&(*priority_cache)->sign_algo,
|
||||
@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
|
||||
else if (strcasecmp (broken_list[i], "SECURE128") == 0)
|
||||
{
|
||||
_set_priority (&(*priority_cache)->cipher,
|
||||
- cipher_priority_secure128);
|
||||
+ gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
|
||||
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
|
||||
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
|
||||
_set_priority (&(*priority_cache)->sign_algo,
|
||||
@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
|
||||
if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
|
||||
{
|
||||
bulk_fn (&(*priority_cache)->protocol,
|
||||
- protocol_priority);
|
||||
+ gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
|
||||
else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
|
||||
{
|
||||
bulk_fn (&(*priority_cache)->cipher,
|
||||
- cipher_priority_normal);
|
||||
+ gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
|
||||
}
|
||||
else
|
||||
goto error;
|
|
@ -0,0 +1,29 @@
|
|||
diff -ur gnutls-3.1.17.orig/configure gnutls-3.1.17/configure
|
||||
--- gnutls-3.1.17.orig/configure 2013-11-23 10:55:26.000000000 +0100
|
||||
+++ gnutls-3.1.17/configure 2013-11-26 11:33:04.865342480 +0100
|
||||
@@ -49103,7 +49103,7 @@
|
||||
shlibpath_overrides_runpath=unknown
|
||||
version_type=none
|
||||
dynamic_linker="$host_os ld.so"
|
||||
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
|
||||
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
|
||||
need_lib_prefix=unknown
|
||||
hardcode_into_libs=no
|
||||
|
||||
@@ -52940,7 +52940,7 @@
|
||||
shlibpath_overrides_runpath=unknown
|
||||
version_type=none
|
||||
dynamic_linker="$host_os ld.so"
|
||||
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
|
||||
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
|
||||
need_lib_prefix=unknown
|
||||
hardcode_into_libs=no
|
||||
|
||||
Only in gnutls-3.1.17: configure~
|
||||
Only in gnutls-3.1.17.orig/lib/algorithms: ecc.c
|
||||
Only in gnutls-3.1.17.orig/lib/auth: srp.c
|
||||
Only in gnutls-3.1.17.orig/lib/auth: srp_passwd.c
|
||||
Only in gnutls-3.1.17.orig/lib/auth: srp_rsa.c
|
||||
Only in gnutls-3.1.17.orig/lib/auth: srp_sb64.c
|
||||
Only in gnutls-3.1.17.orig/lib/ext: srp.c
|
||||
Only in gnutls-3.1.17.orig/lib: gnutls_srp.c
|
|
@ -1,7 +1,7 @@
|
|||
diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
|
||||
--- gnutls-3.1.11/lib/gnutls_ecc.c.suiteb 2013-04-27 10:04:48.000000000 +0200
|
||||
+++ gnutls-3.1.11/lib/gnutls_ecc.c 2013-05-23 10:08:45.331883555 +0200
|
||||
@@ -129,6 +129,12 @@ int ret;
|
||||
diff -ur gnutls-3.1.18.orig/lib/gnutls_ecc.c gnutls-3.1.18/lib/gnutls_ecc.c
|
||||
--- gnutls-3.1.18.orig/lib/gnutls_ecc.c 2013-04-02 22:27:35.000000000 +0200
|
||||
+++ gnutls-3.1.18/lib/gnutls_ecc.c 2014-01-02 09:13:27.383415863 +0100
|
||||
@@ -129,6 +129,12 @@
|
||||
goto cleanup;
|
||||
}
|
||||
params->params_nr++;
|
||||
|
@ -14,10 +14,22 @@ diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
|
|||
|
||||
val_size = sizeof(val);
|
||||
ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size);
|
||||
diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c
|
||||
--- gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb 2013-04-27 10:04:48.000000000 +0200
|
||||
+++ gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c 2013-05-23 10:24:56.575967312 +0200
|
||||
@@ -42,6 +42,7 @@ typedef struct
|
||||
diff -ur gnutls-3.1.18.orig/lib/gnutls_priority.c gnutls-3.1.18/lib/gnutls_priority.c
|
||||
--- gnutls-3.1.18.orig/lib/gnutls_priority.c 2013-11-19 18:36:38.000000000 +0100
|
||||
+++ gnutls-3.1.18/lib/gnutls_priority.c 2014-01-02 09:13:27.384415875 +0100
|
||||
@@ -245,8 +245,6 @@
|
||||
}
|
||||
|
||||
static const int supported_ecc_normal[] = {
|
||||
- GNUTLS_ECC_CURVE_SECP192R1,
|
||||
- GNUTLS_ECC_CURVE_SECP224R1,
|
||||
GNUTLS_ECC_CURVE_SECP256R1,
|
||||
GNUTLS_ECC_CURVE_SECP384R1,
|
||||
GNUTLS_ECC_CURVE_SECP521R1,
|
||||
diff -ur gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c
|
||||
--- gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c 2013-04-02 22:27:35.000000000 +0200
|
||||
+++ gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c 2014-01-02 10:26:08.425986981 +0100
|
||||
@@ -42,6 +42,7 @@
|
||||
|
||||
/* global cache */
|
||||
static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL;
|
||||
|
@ -25,7 +37,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
|
||||
/* free single cache entry */
|
||||
static void
|
||||
@@ -63,9 +64,10 @@ ecc_wmnaf_cache_free (void)
|
||||
@@ -63,13 +64,15 @@
|
||||
gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache;
|
||||
if (p)
|
||||
{
|
||||
|
@ -38,7 +50,12 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
}
|
||||
|
||||
free (ecc_wmnaf_cache);
|
||||
@@ -198,7 +200,7 @@ ecc_wmnaf_cache_init (void)
|
||||
ecc_wmnaf_cache = NULL;
|
||||
+ ecc_wmnaf_cache_last = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -198,7 +201,7 @@
|
||||
const gnutls_ecc_curve_t *p;
|
||||
|
||||
ret = (gnutls_ecc_curve_cache_entry_t *)
|
||||
|
@ -47,7 +64,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
if (ret == NULL)
|
||||
return GNUTLS_E_MEMORY_ERROR;
|
||||
|
||||
@@ -207,12 +209,16 @@ ecc_wmnaf_cache_init (void)
|
||||
@@ -207,12 +210,16 @@
|
||||
|
||||
for (j = 0; *p; ++p, ++j)
|
||||
{
|
||||
|
@ -67,7 +84,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
|
||||
err = GNUTLS_E_SUCCESS;
|
||||
|
||||
@@ -223,7 +229,8 @@ done:
|
||||
@@ -223,11 +230,13 @@
|
||||
int i;
|
||||
for (i = 0; i < j; ++i)
|
||||
{
|
||||
|
@ -77,7 +94,12 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
}
|
||||
|
||||
free (ret);
|
||||
@@ -445,9 +452,11 @@ ecc_mulmod_cached_lookup (mpz_t k, ecc_p
|
||||
ecc_wmnaf_cache = NULL;
|
||||
+ ecc_wmnaf_cache_last = NULL;
|
||||
}
|
||||
return err;
|
||||
}
|
||||
@@ -445,9 +454,11 @@
|
||||
if (k == NULL || G == NULL || R == NULL || modulus == NULL)
|
||||
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
|
||||
|
||||
|
@ -91,9 +113,9 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
|
|||
!(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y)))
|
||||
{
|
||||
break;
|
||||
diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
|
||||
--- gnutls-3.1.11/tests/mini-xssl.c.suiteb 2013-05-10 10:10:27.000000000 +0200
|
||||
+++ gnutls-3.1.11/tests/mini-xssl.c 2013-05-23 11:58:22.670298910 +0200
|
||||
diff -ur gnutls-3.1.18.orig/tests/mini-xssl.c gnutls-3.1.18/tests/mini-xssl.c
|
||||
--- gnutls-3.1.18.orig/tests/mini-xssl.c 2013-05-30 08:50:22.000000000 +0200
|
||||
+++ gnutls-3.1.18/tests/mini-xssl.c 2014-01-02 09:13:27.384415875 +0100
|
||||
@@ -27,7 +27,8 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
@ -104,10 +126,10 @@ diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
|
|||
|
||||
int main()
|
||||
{
|
||||
diff -up gnutls-3.1.11/tests/pkcs12_simple.c.suiteb gnutls-3.1.11/tests/pkcs12_simple.c
|
||||
--- gnutls-3.1.11/tests/pkcs12_simple.c.suiteb 2013-05-10 10:10:27.000000000 +0200
|
||||
+++ gnutls-3.1.11/tests/pkcs12_simple.c 2013-05-23 11:57:59.776799848 +0200
|
||||
@@ -50,6 +50,9 @@ doit (void)
|
||||
diff -ur gnutls-3.1.18.orig/tests/pkcs12_simple.c gnutls-3.1.18/tests/pkcs12_simple.c
|
||||
--- gnutls-3.1.18.orig/tests/pkcs12_simple.c 2013-05-21 20:27:20.000000000 +0200
|
||||
+++ gnutls-3.1.18/tests/pkcs12_simple.c 2014-01-02 09:13:27.384415875 +0100
|
||||
@@ -50,6 +50,9 @@
|
||||
gnutls_x509_privkey_t pkey;
|
||||
int ret;
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
|
||||
index d542f21..a0e8005 100644
|
||||
--- a/lib/gnutls_handshake.c
|
||||
+++ b/lib/gnutls_handshake.c
|
||||
@@ -2546,6 +2546,8 @@ gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
|
||||
/* EAGAIN and INTERRUPTED are always non-fatal */ \
|
||||
if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
|
||||
return ret; \
|
||||
+ if (ret == GNUTLS_E_GOT_APPLICATION_DATA && session->internals.initial_negotiation_completed != 0) \
|
||||
+ return ret; \
|
||||
if (ret == GNUTLS_E_LARGE_PACKET && session->internals.handshake_large_loops < 16) { \
|
||||
session->internals.handshake_large_loops++; \
|
||||
return ret; \
|
|
@ -1,39 +0,0 @@
|
|||
diff -up gnutls-3.1.7/configure.rpath gnutls-3.1.7/configure
|
||||
--- gnutls-3.1.7/configure.rpath 2013-02-04 02:40:23.000000000 +0100
|
||||
+++ gnutls-3.1.7/configure 2013-02-05 21:04:57.128932440 +0100
|
||||
@@ -48519,7 +48519,7 @@ shlibpath_var=
|
||||
shlibpath_overrides_runpath=unknown
|
||||
version_type=none
|
||||
dynamic_linker="$host_os ld.so"
|
||||
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
|
||||
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
|
||||
need_lib_prefix=unknown
|
||||
hardcode_into_libs=no
|
||||
|
||||
@@ -48962,7 +48962,7 @@ fi
|
||||
# Append ld.so.conf contents to the search path
|
||||
if test -f /etc/ld.so.conf; then
|
||||
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
|
||||
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
|
||||
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
|
||||
fi
|
||||
|
||||
# We used to test for /lib/ld.so.1 and disable shared libraries on
|
||||
@@ -52353,7 +52353,7 @@ shlibpath_var=
|
||||
shlibpath_overrides_runpath=unknown
|
||||
version_type=none
|
||||
dynamic_linker="$host_os ld.so"
|
||||
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
|
||||
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
|
||||
need_lib_prefix=unknown
|
||||
hardcode_into_libs=no
|
||||
|
||||
@@ -52794,7 +52794,7 @@ fi
|
||||
# Append ld.so.conf contents to the search path
|
||||
if test -f /etc/ld.so.conf; then
|
||||
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
|
||||
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
|
||||
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
|
||||
fi
|
||||
|
||||
# We used to test for /lib/ld.so.1 and disable shared libraries on
|
132
gnutls.spec
132
gnutls.spec
|
@ -2,18 +2,20 @@
|
|||
%bcond_with guile
|
||||
Summary: A TLS protocol implementation
|
||||
Name: gnutls
|
||||
Version: 3.1.16
|
||||
Release: 1%{?dist}
|
||||
Version: 3.1.28
|
||||
Release: 2%{?dist}
|
||||
# The libraries are LGPLv2.1+, utilities are GPLv3+, however
|
||||
# the bundled gnulib is LGPLv3+
|
||||
License: GPLv3+ and LGPLv2+ and LGPLv3+
|
||||
Group: System Environment/Libraries
|
||||
BuildRequires: p11-kit-devel >= 0.11, gettext
|
||||
BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.1
|
||||
BuildRequires: lzo-devel, libtool, automake, autoconf, texinfo
|
||||
BuildRequires: libtool, automake, autoconf, texinfo
|
||||
BuildRequires: nettle-devel >= 2.5
|
||||
BuildRequires: autogen-libopts-devel >= 5.18 autogen
|
||||
BuildRequires: trousers-devel >= 0.3.11.2
|
||||
%if %{with dane}
|
||||
BuildRequires: unbound-devel
|
||||
BuildRequires: unbound-devel unbound-libs
|
||||
%endif
|
||||
%if %{with guile}
|
||||
BuildRequires: guile-devel
|
||||
|
@ -26,13 +28,13 @@ Source0: %{name}-%{version}-hobbled.tar.xz
|
|||
Source1: libgnutls-config
|
||||
Source2: hobble-gnutls
|
||||
Source3: ecc.c
|
||||
Patch1: gnutls-3.1.7-rpath.patch
|
||||
Patch1: gnutls-3.1.17-rpath.patch
|
||||
# Use only FIPS approved ciphers in the FIPS mode
|
||||
Patch7: gnutls-2.12.21-fips-algorithms.patch
|
||||
Patch8: gnutls-3.1.11-nosrp.patch
|
||||
# Use random port in some tests to avoid conflicts during simultaneous builds on the same machine
|
||||
Patch9: gnutls-3.1.10-tests-rndport.patch
|
||||
Patch10: gnutls-3.1.11-suiteb.patch
|
||||
Patch10: gnutls-3.1.18-suiteb.patch
|
||||
Patch11: gnutls-3.1.28-app-data.patch
|
||||
|
||||
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
|
||||
Provides: bundled(gnulib) = 20130424
|
||||
|
@ -77,61 +79,76 @@ Requires: guile
|
|||
%endif
|
||||
|
||||
%description
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
|
||||
%description c++
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
This package contains the C++ interface for the GnuTLS library.
|
||||
|
||||
%description devel
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
This package contains files needed for developing applications with
|
||||
the GnuTLS library.
|
||||
|
||||
%description utils
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
This package contains command line TLS client and server and certificate
|
||||
manipulation tools.
|
||||
|
||||
%if %{with dane}
|
||||
%description dane
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
This package contains library that implements the DANE protocol for verifying
|
||||
TLS certificates through DNSSEC.
|
||||
%endif
|
||||
|
||||
%if %{with guile}
|
||||
%description guile
|
||||
GnuTLS is a project that aims to develop a library which provides a secure
|
||||
layer, over a reliable transport layer. Currently the GnuTLS library implements
|
||||
the proposed standards by the IETF's TLS working group.
|
||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||
protocols and technologies around them. It provides a simple C language
|
||||
application programming interface (API) to access the secure communications
|
||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
||||
other required structures.
|
||||
This package contains Guile bindings for the library.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
sed 's/4331/5556/g' -i tests/*.c
|
||||
|
||||
%patch1 -p1 -b .rpath
|
||||
# This patch is not applicable as we use nettle now but some parts will be
|
||||
# later reused.
|
||||
#%patch7 -p1 -b .fips
|
||||
%patch8 -p1 -b .nosrp
|
||||
%patch9 -p1 -b .rndport
|
||||
%patch10 -p1 -b .suiteb
|
||||
%patch11 -p1 -b .app-data
|
||||
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
||||
|
||||
%{SOURCE2} -e
|
||||
|
||||
cp -f %{SOURCE3} lib/algorithms
|
||||
rm -f doc/gnutls.info*
|
||||
|
||||
%build
|
||||
|
||||
|
@ -142,6 +159,7 @@ export LDFLAGS="-Wl,--no-add-needed"
|
|||
--disable-static \
|
||||
--disable-openssl-compatibility \
|
||||
--disable-srp-authentication \
|
||||
--disable-non-suiteb-curves \
|
||||
%if %{with guile}
|
||||
--enable-guile \
|
||||
%ifarch %{arm}
|
||||
|
@ -151,6 +169,7 @@ export LDFLAGS="-Wl,--no-add-needed"
|
|||
--disable-guile \
|
||||
%endif
|
||||
%if %{with dane}
|
||||
--with-unbound-root-key-file=/var/lib/unbound/root.key \
|
||||
--enable-dane \
|
||||
%else
|
||||
--disable-dane \
|
||||
|
@ -234,6 +253,7 @@ fi
|
|||
%{_bindir}/certtool
|
||||
%{_bindir}/ocsptool
|
||||
%{_bindir}/psktool
|
||||
%{_bindir}/tpmtool
|
||||
%{_bindir}/p11tool
|
||||
%if %{with dane}
|
||||
%{_bindir}/danetool
|
||||
|
@ -257,6 +277,66 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Nov 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.28-2
|
||||
- Addresses regression with rehandshakes introduced in 3.1.27 (#1168942)
|
||||
|
||||
* Mon Nov 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.28-1
|
||||
- new upstream release
|
||||
|
||||
* Mon Oct 13 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.27-1
|
||||
- new upstream release
|
||||
|
||||
* Fri Sep 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.26-2
|
||||
- removed rpath (#1132921)
|
||||
|
||||
* Mon Aug 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.26-1
|
||||
- new upstream release (#1088563)
|
||||
|
||||
* Fri May 30 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.25-1
|
||||
- new upstream release (#1103046)
|
||||
|
||||
* Wed May 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.24-1
|
||||
- new upstream release
|
||||
|
||||
* Tue Apr 8 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.23-1
|
||||
- fixes liberal wildcard expansion (#1085264)
|
||||
- fixes certtool generation of encrypted keys even without password (#1085272)
|
||||
|
||||
* Thu Feb 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.20-4
|
||||
- fixes CVE-2014-0092 (#1071795)
|
||||
|
||||
* Fri Feb 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.20-3
|
||||
- Fix CVE-2014-1959 (#1065094)
|
||||
|
||||
* Mon Feb 03 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.20-1
|
||||
- new upstream release
|
||||
- Fixed issue with gnutls.info not being available
|
||||
- Compile with trousers
|
||||
- Pulled fix from upstream for illegal supported-ecc extension (#1060411)
|
||||
|
||||
* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-3
|
||||
- Applied complete patch from (#1046672)
|
||||
|
||||
* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-2
|
||||
- Applied fix in suiteb patch to prevent crash in multiple
|
||||
deinitializations (#1046672)
|
||||
|
||||
* Mon Dec 23 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-1
|
||||
- new upstream release
|
||||
|
||||
* Thu Dec 5 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-3
|
||||
- Use the correct root key for unbound (#1012494)
|
||||
- Pull asm fixes from upstream (#973210)
|
||||
- tpmtool manpage is no longer installed (#1036363)
|
||||
|
||||
* Tue Nov 26 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-2
|
||||
- Avoid linking with trousers to prevent introducing new features in f20
|
||||
|
||||
* Tue Nov 26 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-1
|
||||
- new upstream release
|
||||
- links against the system libopts
|
||||
- links against trousers
|
||||
|
||||
* Mon Nov 4 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.16-1
|
||||
- new upstream release
|
||||
- fixes CVE-2013-4466 off-by-one in dane_query_tlsa()
|
||||
|
|
|
@ -8,8 +8,8 @@ else
|
|||
fi
|
||||
|
||||
# SRP
|
||||
for f in auth_srp_sb64.c auth_srp_passwd.c auth_srp_rsa.c \
|
||||
gnutls_srp.c auth_srp.c ext_srp.c ; do
|
||||
for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \
|
||||
gnutls_srp.c auth/srp.c ext/srp.c ; do
|
||||
eval "$CMD lib/$f"
|
||||
done
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ prefix=/usr
|
|||
exec_prefix=/usr
|
||||
exec_prefix_set=no
|
||||
|
||||
name=`basename $0`
|
||||
name=gnutls
|
||||
name=${name#lib}
|
||||
name=${name%-config}
|
||||
|
||||
|
|
Loading…
Reference in New Issue