rpms/gnutls/devel gnutls-2.8.6-safe-renegotiation.patch, NONE, 1.1 gnutls.spec, 1.54, 1.55

Tomáš Mráz tmraz at fedoraproject.org
Wed Jun 2 08:52:17 UTC 2010


Author: tmraz

Update of /cvs/pkgs/rpms/gnutls/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv21391

Modified Files:
	gnutls.spec 
Added Files:
	gnutls-2.8.6-safe-renegotiation.patch 
Log Message:
* Wed Jun  2 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-2
- add support for safe renegotiation CVE-2009-3555 (#533125)


gnutls-2.8.6-safe-renegotiation.patch:
 AUTHORS                                         |    3 
 NEWS                                            |   17 
 configure                                       |    3 
 doc/gnutls-api.texi                             |   14 
 doc/gnutls.texi                                 |   94 ++
 doc/manpages/Makefile.in                        |    4 
 doc/manpages/gnutls-cli.1                       |    9 
 doc/manpages/gnutls-serv.1                      |    9 
 doc/manpages/gnutls_priority_init.3             |   15 
 doc/manpages/gnutls_safe_renegotiation_status.3 |   41 +
 lib/Makefile.in                                 |    7 
 lib/ext_safe_renegotiation.c                    |  139 +++
 lib/ext_safe_renegotiation.h                    |   33 
 lib/gnutls_alert.c                              |    6 
 lib/gnutls_algorithms.c                         |    7 
 lib/gnutls_algorithms.h                         |    3 
 lib/gnutls_constate.c                           |   15 
 lib/gnutls_errors.c                             |    6 
 lib/gnutls_extensions.c                         |   20 
 lib/gnutls_extensions.h                         |    4 
 lib/gnutls_handshake.c                          |  382 +++++++--
 lib/gnutls_int.h                                |   37 
 lib/gnutls_priority.c                           |   45 +
 lib/gnutls_record.c                             |   12 
 lib/gnutls_state.c                              |    6 
 lib/includes/gnutls/gnutls.h.in                 |   10 
 lib/libgnutls.map                               |    6 
 src/cli-gaa.c                                   |   19 
 src/cli-gaa.h                                   |    1 
 src/cli.c                                       |   25 
 src/cli.gaa                                     |    5 
 src/serv.c                                      |   59 +
 src/tests.c                                     |  513 ++++---------
 src/tests.h                                     |    5 
 src/tls_test.c                                  |   11 
 tests/Makefile.in                               |    4 
 tests/resume.c                                  |   22 
 tests/safe-renegotiation/Makefile.am            |   24 
 tests/safe-renegotiation/Makefile.in            |  937 ++++++++++++++++++++++++
 tests/safe-renegotiation/params.dh              |   35 
 tests/safe-renegotiation/testsrn                |  103 ++
 tests/simple.c                                  |    4 
 42 files changed, 2233 insertions(+), 481 deletions(-)

--- NEW FILE gnutls-2.8.6-safe-renegotiation.patch ---
diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS
--- gnutls-2.8.6/AUTHORS.reneg	2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/AUTHORS	2010-05-31 22:52:31.000000000 +0200
@@ -51,6 +51,9 @@ OpenPGP discussion and improvements.
 David Marín Carreño <davefx at gmail.com>
 Added gnutls_x509_crq_get_key_id.
 
+Steve Dispensa <dispensa at phonefactor.com>
+TLS safe renegotiation fix.
+
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 URL: http://josefsson.org/key.txt (always latest version)
 Comment: This 0xB565716F key is used to sign releases of GnuTLS.
diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure
--- gnutls-2.8.6/configure.reneg	2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/configure	2010-05-31 22:52:31.000000000 +0200
@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra"
 
 ac_config_files="$ac_config_files guile/pre-inst-guile"
 
-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
+ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -29783,6 +29783,7 @@ do
     "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
     "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;;
     "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;;
+    "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;;
     "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;;
     "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;;
     "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;;
diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi
--- gnutls-2.8.6/doc/gnutls-api.texi.reneg	2010-03-15 11:35:23.000000000 +0100
+++ gnutls-2.8.6/doc/gnutls-api.texi	2010-05-31 22:52:31.000000000 +0200
@@ -3307,6 +3307,20 @@ This function will initialize the tempor
 @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code.
 @end deftypefun
 
+ at subheading gnutls_safe_renegotiation_status
+ at anchor{gnutls_safe_renegotiation_status}
+ at deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session})
+ at var{session}: is a @code{gnutls_session_t} structure.
+
+Can be used to check whether safe renegotiation is being used
+in the current session.
+
+ at strong{Returns:} 0 when safe renegotiation is not used and non zero when
+safe renegotiation is used.
+
+ at strong{Since:} 2.10.0
+ at end deftypefun
+
 @subheading gnutls_server_name_get
 @anchor{gnutls_server_name_get}
 @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx})
diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi
--- gnutls-2.8.6/doc/gnutls.texi.reneg	2009-06-02 21:07:14.000000000 +0200
+++ gnutls-2.8.6/doc/gnutls.texi	2010-06-02 10:23:27.000000000 +0200
@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron
 * Selecting cryptographic key sizes::
 * On SSL 2 and older protocols::
 * On Record Padding::
+* Safe Renegotiation::
 @end menu
 
 @node TLS layers
@@ -1202,6 +1203,94 @@ here are some links:
 
 @url{http://thread.gmane.org/gmane.ietf.tls/3079}
 
+ at node Safe Renegotiation
+ at section Safe Renegotiation
+ at cindex renegotiation
+
+Some application protocols and implementations uses the TLS
+renegotiation feature in a manner that enables attackers to insert
+content of his choice in the beginning of a TLS session.
+
+One easy to understand vulnerability is HTTPS when servers request
+client certificates optionally for certain parts of a web site.  The
+attack works by having the attacker simulate a client and connect to a
+server, with server-only authentication, and send some data intended
+to cause harm.  When the proper client attempts to contact the server,
+the attacker hijacks that connection and uses the TLS renegotiation
+feature with the server and splices in the client connection to the
+already established connection between the attacker and server.  The
+attacker will not be able to read the data exchanged between the
+client and the server.  However, the server will (incorrectly) assume
+that the data sent by the attacker was sent by the now authenticated
+client.  The result is a prefix plain-text injection attack.
+
+The above is just one example.  Other vulnerabilities exists that do
+not rely on the TLS renegotiation to change the client's authenticated
+status (either TLS or application layer).
+
+While fixing these application protocols and implementations would be
+one natural reaction, an extension to TLS has been designed that
+cryptographically binds together any renegotiated handshakes with the
+initial negotiation.  When the extension is used, the attack is
+detected and the session can be terminated.  The extension is
+specified in @xcite{RFC5746}.
+
+GnuTLS supports the safe renegotiation extension.  The default
+behavior is as follows.  Clients will attempt to negotiate the safe
+renegotiation extension when talking to servers.  Servers will accept
+the extension when presented by clients.  Clients and servers will
+permit an initial handshake to complete even when the other side does
+not support the safe renegotiation extension.  Clients and servers
+will refuse renegotiation attempts when the extension has not been
+negotiated.
+
+Note that permitting clients to connect to servers even when the safe
+renegotiation extension is not negotiated open up for some attacks.
+Changing this default behaviour would prevent interoperability against
+the majority of deployed servers out there.  We will reconsider this
+default behaviour in the future when more servers have been upgraded.
+Note that it is easy to configure clients to always require the safe
+renegotiation extension from servers (see below on the
+%SAFE_RENEGOTIATION priority string).
+
+To modify the default behaviour, we have introduced some new priority
+strings.  The priority strings can be used by applications
+(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
+parameter to @code{gnutls-cli} and @code{gnutls-serv}).
+
+The @code{%UNSAFE_RENEGOTIATION} priority string permits
+(re-)handshakes even when the safe renegotiation extension was not
+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
+prevent renegotiation with clients and servers not supporting the
+extension. This is secure for servers but leaves clients vulnerable
+to some attacks, but this is a tradeoff between security and compatibility
+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
+clients and servers require the extension for every handshake. The latter
+is the most secure option for clients, at the cost of not being able
+to connect to legacy servers. Servers will also deny clients that
+do not support the extension from connecting.
+
+It is possible to disable use of the extension completely, in both
+clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
+priority string however we strongly recommend you to only do this for
+debugging and test purposes.
+
+The default values if the flags above are not specified are:
+ at table @code
+
+ at item Server:
+%PARTIAL_RENEGOTIATION
+
+ at item Client:
+%PARTIAL_RENEGOTIATION
+
+ at end table
+
+For applications we have introduced a new API related to safe
+renegotiation.  The @ref{gnutls_safe_renegotiation_status} function is
+used to check if the extension has been negotiated on a session, and
+can be used both by clients and servers.
+
 @node Authentication methods
 @chapter Authentication Methods
 
@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre-
 TLS", December 2005, Available from
 @url{http://www.ietf.org/rfc/rfc4279.txt}.
 
+ at item @anchor{RFC5746}[RFC5746]
+E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
+Security (TLS) Renegotiation Indication Extension", February 2010,
+available from @url{http://www.ietf.org/rfc/rfc5746}.
+
 @item @anchor{TOMSRP}[TOMSRP]
 Tom Wu, "The Stanford SRP Authentication Project", Available at
 @url{http://srp.stanford.edu/}.
diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1
--- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg	2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/doc/manpages/gnutls-cli.1	2010-06-02 10:23:27.000000000 +0200
@@ -75,6 +75,15 @@ Special keywords:
 "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
 hello. This is to avoid buggy servers from terminating connection.
 .IP
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
+.IP
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
+supporting the safe renegotiation extension. (default)
+.IP
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
+secure and recommended option for clients. However this will prevent from
+connecting to legacy servers.
+.IP
 To avoid collisions in order to specify a compression algorithm in
 this string you have to prefix it with "COMP-", protocol versions
 with "VERS-" and certificate types with "CTYPE-". All other
diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3
--- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg	2010-03-15 11:32:37.000000000 +0100
+++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3	2010-05-31 22:52:31.000000000 +0200
@@ -67,6 +67,21 @@ compression methods.
 
[...3631 lines suppressed...]
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: all all-am check check-TESTS check-am clean clean-generic \
+	clean-libtool distclean distclean-generic distclean-libtool \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh
--- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg	2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/tests/safe-renegotiation/params.dh	2010-05-31 22:52:31.000000000 +0200
@@ -0,0 +1,35 @@
+
+Generator: 05
+
+Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16
+	7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce
+	da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8
+	3c:f8:84:52:14:59:ab:17:5c:d0:f0:86
+	c4:02:93:dc:09:83:57:16:98:21:d0:42
+	8e:33:fc:48:69:e6:04:0d:4e:50:09:33
+	2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c
+	41:d1:a3:dd:f6:37:56:44:1d:b0:54:af
+	f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1
+	5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86
+	3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc
+	da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e
+	bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0
+	3f:b3:a4:d6:76:73:b7:cc:61:33:11:54
+	a6:32:ff:94:08:d5:66:36:fd:99:69:21
+	cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0
+	21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae
+	db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea
+	98:68:97:ba:f2:54:aa:86:ed:62:b1:78
+	5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa
+	5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76
+	6c:0c:b0:a3
+
+
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE
+UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj
+3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC
+HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd
+EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ
+gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ==
+-----END DH PARAMETERS-----
diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn
--- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg	2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/tests/safe-renegotiation/testsrn	2010-06-02 10:23:35.000000000 +0200
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Copyright (C) 2010 Free Software Foundation
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GNUTLS.
+#
+# GNUTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GNUTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNUTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
+CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
+PORT="${PORT:-5558}"
+unset RETCODE
+
+fail() {
+   echo "Failure: $1" >&2
+   RETCODE=${RETCODE:-${2:-1}}
+}
+
+echo "Checking Safe renegotiation"
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "0. Renegotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "1. Safe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "2. Unsafe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "3. Unsafe negotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+  fail "4. Unsafe renegotiation should have failed!"
+
+
+kill $pid
+wait
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "5. Safe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "6. Unsafe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+  fail "7. Unsafe negotiation should have failed!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+  fail "8. Unsafe renegotiation should have failed!"
+
+kill $pid
+wait
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+  fail "9. Initial connection should have failed!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "10. Unsafe connection should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "11. Unsafe negotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+  fail "12. Unsafe renegotiation should have succeeded!"
+
+kill $pid
+wait
+
+exit ${RETCODE:-0}
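Review bot: The negative cases (4, 7, 8 and 9) are written as `$CLI ... && fail`, so they pass on any client failure, including a TCP connect that fails because `$SERV` is not yet listening on `$PORT`. With stdout and stderr sent to /dev/null, that cannot be told apart from a handshake refused by the renegotiation policy. Case 9 is the most exposed, because it is the first client run after the fixed `sleep 2` in the third server block. Running a case that must succeed first in every block (for example moving case 10 ahead of case 9) and adding `kill -0 $pid 2>/dev/null || fail "server did not start"` after each `sleep 2` would make a dead or slow server show up as a failure. The client's default `%PARTIAL_RENEGOTIATION` mode is also never tested; a `--rehandshake` run with that priority against the `%DISABLE_SAFE_RENEGOTIATION` server, which the documentation added by this patch says should be refused, would cover it.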
diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c
--- gnutls-2.8.6/tests/simple.c.reneg	2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/tests/simple.c	2010-05-31 22:52:31.000000000 +0200
@@ -50,7 +50,7 @@ doit (void)
 
     for (i = 0; algs[i]; i++)
       {
-	printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i],
+	printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i],
 		gnutls_pk_algorithm_get_name (algs[i]),
 		gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])));
 	if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))
@@ -76,7 +76,7 @@ doit (void)
 
     for (i = 0; algs[i]; i++)
       {
-	printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i],
+	printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i],
 		gnutls_sign_algorithm_get_name (algs[i]),
 		gnutls_sign_get_id (gnutls_sign_algorithm_get_name
 				    (algs[i])));


Index: gnutls.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/devel/gnutls.spec,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -p -r1.54 -r1.55
--- gnutls.spec	12 May 2010 19:25:56 -0000	1.54
+++ gnutls.spec	2 Jun 2010 08:52:17 -0000	1.55
@@ -1,7 +1,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 2.8.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -17,6 +17,7 @@ Source0: %{name}-%{version}-nosrp.tar.bz
 Source1: libgnutls-config
 Patch1: gnutls-2.8.5-rpath.patch
 Patch2: gnutls-2.8.6-link-libgcrypt.patch
+Patch3: gnutls-2.8.6-safe-renegotiation.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: libgcrypt >= 1.2.2
@@ -71,11 +72,14 @@ This package contains Guile bindings for
 %setup -q
 %patch1 -p1 -b .rpath
 %patch2 -p1 -b .link
+%patch3 -p1 -b .reneg
 
 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
     touch lib/$i
 done
 
+chmod a+x tests/safe-renegotiation/testsrn
+
 %build
 
 export LDFLAGS="-Wl,--no-add-needed"
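Review bot: The added `chmod a+x tests/safe-renegotiation/testsrn` carries no comment saying why it is needed. The likely reason is that the script is created by `%patch3` and patch does not set the executable bit on new files. A comment such as `# testsrn is created by patch3 without the executable bit; the test suite runs it directly` would stop the line being dropped or kept by mistake when the patch is retired. The `%prep` section starts outside this hunk, and whether the package runs the test suite during the build is not visible here.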
@@ -154,6 +158,9 @@ fi
 %{_datadir}/guile/site/gnutls.scm
 
 %changelog
+* Wed Jun  2 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-2
+- add support for safe renegotiation CVE-2009-3555 (#533125)
+
 * Wed May 12 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-1
 - upgrade to a new upstream version
 


