rpms/gnutls/F-12 gnutls-2.8.5-rpath.patch, NONE, 1.1 gnutls-2.8.6-link-libgcrypt.patch, NONE, 1.1 gnutls-2.8.6-safe-renegotiation.patch, NONE, 1.1 .cvsignore, 1.26, 1.27 gnutls.spec, 1.49, 1.50 sources, 1.26, 1.27
Tomáš Mráz
tmraz at fedoraproject.org
Wed Jun 2 16:03:44 UTC 2010
Author: tmraz
Update of /cvs/pkgs/rpms/gnutls/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv12186
Modified Files:
.cvsignore gnutls.spec sources
Added Files:
gnutls-2.8.5-rpath.patch gnutls-2.8.6-link-libgcrypt.patch
gnutls-2.8.6-safe-renegotiation.patch
Log Message:
* Wed Jun 2 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-2
- add support for safe renegotiation CVE-2009-3555 (#533125)
gnutls-2.8.5-rpath.patch:
configure | 9 +++++----
lib/configure | 10 ++++++----
libextra/configure | 4 ++--
3 files changed, 13 insertions(+), 10 deletions(-)
--- NEW FILE gnutls-2.8.5-rpath.patch ---
diff -up gnutls-2.8.5/build-aux/config.rpath gnutls-2.8.5/build-aux/config
diff -up gnutls-2.8.5/configure.rpath gnutls-2.8.5/configure
--- gnutls-2.8.5/configure.rpath 2009-11-02 11:35:57.000000000 +0100
+++ gnutls-2.8.5/configure 2010-01-28 22:12:20.000000000 +0100
@@ -15141,7 +15141,7 @@ shlibpath_var=
shlibpath_overrides_runpath=unknown
version_type=none
dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
need_lib_prefix=unknown
hardcode_into_libs=no
@@ -15526,7 +15526,7 @@ rm -f core conftest.err conftest.$ac_obj
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -18610,7 +18610,7 @@ shlibpath_var=
shlibpath_overrides_runpath=unknown
version_type=none
dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
need_lib_prefix=unknown
hardcode_into_libs=no
@@ -18994,7 +18994,7 @@ rm -f core conftest.err conftest.$ac_obj
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -29278,6 +29278,7 @@ finish_cmds='`$ECHO "X$finish_cmds" | $X
finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`'
hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`'
sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
+
sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`'
enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`'
diff -up gnutls-2.8.5/lib/build-aux/config.rpath gnutls-2.8.5/lib/build-aux/config
diff -up gnutls-2.8.5/lib/configure.rpath gnutls-2.8.5/lib/configure
--- gnutls-2.8.5/lib/configure.rpath 2009-11-02 11:35:18.000000000 +0100
+++ gnutls-2.8.5/lib/configure 2010-01-28 22:14:03.000000000 +0100
@@ -10465,7 +10465,8 @@ shlibpath_var=
shlibpath_overrides_runpath=unknown
version_type=none
dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
need_lib_prefix=unknown
hardcode_into_libs=no
@@ -10850,7 +10851,7 @@ rm -f core conftest.err conftest.$ac_obj
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -24444,7 +24445,8 @@ shlibpath_var=
shlibpath_overrides_runpath=unknown
version_type=none
dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
need_lib_prefix=unknown
hardcode_into_libs=no
@@ -24828,7 +24830,7 @@ rm -f core conftest.err conftest.$ac_obj
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
diff -up gnutls-2.8.5/libextra/build-aux/config.rpath gnutls-2.8.5/libextra/build-aux/config
diff -up gnutls-2.8.5/libextra/configure.rpath gnutls-2.8.5/libextra/configure
--- gnutls-2.8.5/libextra/configure.rpath 2009-11-02 11:35:38.000000000 +0100
+++ gnutls-2.8.5/libextra/configure 2010-01-28 21:45:25.000000000 +0100
@@ -9821,7 +9821,7 @@ shlibpath_var=
shlibpath_overrides_runpath=unknown
version_type=none
dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
need_lib_prefix=unknown
hardcode_into_libs=no
@@ -10206,7 +10206,7 @@ rm -f core conftest.err conftest.$ac_obj
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on
gnutls-2.8.6-link-libgcrypt.patch:
Makefile.am | 2 +-
Makefile.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE gnutls-2.8.6-link-libgcrypt.patch ---
diff -up gnutls-2.8.6/doc/examples/Makefile.am.link gnutls-2.8.6/doc/examples/Makefile.am
--- gnutls-2.8.6/doc/examples/Makefile.am.link 2010-01-24 11:06:21.000000000 +0100
+++ gnutls-2.8.6/doc/examples/Makefile.am 2010-05-12 21:22:51.000000000 +0200
@@ -30,7 +30,7 @@ LDADD = libexamples.la \
../../lib/libgnutls.la \
../../libextra/libgnutls-extra.la \
../../gl/libgnu.la \
- $(LIBSOCKET) $(INET_NTOP_LIB) $(INET_PTON_LIB)
+ $(LTLIBGCRYPT) $(LIBSOCKET) $(INET_NTOP_LIB) $(INET_PTON_LIB)
CXX_LDADD = $(LDADD) \
../../lib/libgnutlsxx.la
diff -up gnutls-2.8.6/doc/examples/Makefile.in.link gnutls-2.8.6/doc/examples/Makefile.in
--- gnutls-2.8.6/doc/examples/Makefile.in.link 2010-03-15 11:29:19.000000000 +0100
+++ gnutls-2.8.6/doc/examples/Makefile.in 2010-05-12 21:23:25.000000000 +0200
@@ -827,7 +827,7 @@ LDADD = libexamples.la \
../../lib/libgnutls.la \
../../libextra/libgnutls-extra.la \
../../gl/libgnu.la \
- $(LIBSOCKET) $(INET_NTOP_LIB) $(INET_PTON_LIB)
+ $(LTLIBGCRYPT) $(LIBSOCKET) $(INET_NTOP_LIB) $(INET_PTON_LIB)
CXX_LDADD = $(LDADD) \
../../lib/libgnutlsxx.la
gnutls-2.8.6-safe-renegotiation.patch:
AUTHORS | 3
NEWS | 17
configure | 3
doc/gnutls-api.texi | 14
doc/gnutls.texi | 94 ++
doc/manpages/Makefile.in | 4
doc/manpages/gnutls-cli.1 | 9
doc/manpages/gnutls-serv.1 | 9
doc/manpages/gnutls_priority_init.3 | 15
doc/manpages/gnutls_safe_renegotiation_status.3 | 41 +
lib/Makefile.in | 7
lib/ext_safe_renegotiation.c | 139 +++
lib/ext_safe_renegotiation.h | 33
lib/gnutls_alert.c | 6
lib/gnutls_algorithms.c | 7
lib/gnutls_algorithms.h | 3
lib/gnutls_constate.c | 15
lib/gnutls_errors.c | 6
lib/gnutls_extensions.c | 20
lib/gnutls_extensions.h | 4
lib/gnutls_handshake.c | 382 +++++++--
lib/gnutls_int.h | 37
lib/gnutls_priority.c | 45 +
lib/gnutls_record.c | 12
lib/gnutls_state.c | 6
lib/includes/gnutls/gnutls.h.in | 10
lib/libgnutls.map | 6
src/cli-gaa.c | 19
src/cli-gaa.h | 1
src/cli.c | 25
src/cli.gaa | 5
src/serv.c | 59 +
src/tests.c | 513 ++++---------
src/tests.h | 5
src/tls_test.c | 11
tests/Makefile.in | 4
tests/resume.c | 22
tests/safe-renegotiation/Makefile.am | 24
tests/safe-renegotiation/Makefile.in | 937 ++++++++++++++++++++++++
tests/safe-renegotiation/params.dh | 35
tests/safe-renegotiation/testsrn | 103 ++
tests/simple.c | 4
42 files changed, 2233 insertions(+), 481 deletions(-)
--- NEW FILE gnutls-2.8.6-safe-renegotiation.patch ---
diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS
--- gnutls-2.8.6/AUTHORS.reneg 2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/AUTHORS 2010-05-31 22:52:31.000000000 +0200
@@ -51,6 +51,9 @@ OpenPGP discussion and improvements.
David Marín Carreño <davefx at gmail.com>
Added gnutls_x509_crq_get_key_id.
+Steve Dispensa <dispensa at phonefactor.com>
+TLS safe renegotiation fix.
+
-----BEGIN PGP PUBLIC KEY BLOCK-----
URL: http://josefsson.org/key.txt (always latest version)
Comment: This 0xB565716F key is used to sign releases of GnuTLS.
diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure
--- gnutls-2.8.6/configure.reneg 2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/configure 2010-05-31 22:52:31.000000000 +0200
@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra"
ac_config_files="$ac_config_files guile/pre-inst-guile"
-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
+ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -29783,6 +29783,7 @@ do
"tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
"tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;;
"tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;;
+ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;;
"tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;;
"tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;;
"tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;;
diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi
--- gnutls-2.8.6/doc/gnutls-api.texi.reneg 2010-03-15 11:35:23.000000000 +0100
+++ gnutls-2.8.6/doc/gnutls-api.texi 2010-05-31 22:52:31.000000000 +0200
@@ -3307,6 +3307,20 @@ This function will initialize the tempor
@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code.
@end deftypefun
+ at subheading gnutls_safe_renegotiation_status
+ at anchor{gnutls_safe_renegotiation_status}
+ at deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session})
+ at var{session}: is a @code{gnutls_session_t} structure.
+
+Can be used to check whether safe renegotiation is being used
+in the current session.
+
+ at strong{Returns:} 0 when safe renegotiation is not used and non zero when
+safe renegotiation is used.
+
+ at strong{Since:} 2.10.0
+ at end deftypefun
+
@subheading gnutls_server_name_get
@anchor{gnutls_server_name_get}
@deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx})
diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi
--- gnutls-2.8.6/doc/gnutls.texi.reneg 2009-06-02 21:07:14.000000000 +0200
+++ gnutls-2.8.6/doc/gnutls.texi 2010-06-02 10:23:27.000000000 +0200
@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron
* Selecting cryptographic key sizes::
* On SSL 2 and older protocols::
* On Record Padding::
+* Safe Renegotiation::
@end menu
@node TLS layers
@@ -1202,6 +1203,94 @@ here are some links:
@url{http://thread.gmane.org/gmane.ietf.tls/3079}
+ at node Safe Renegotiation
+ at section Safe Renegotiation
+ at cindex renegotiation
+
+Some application protocols and implementations uses the TLS
+renegotiation feature in a manner that enables attackers to insert
+content of his choice in the beginning of a TLS session.
+
+One easy to understand vulnerability is HTTPS when servers request
+client certificates optionally for certain parts of a web site. The
+attack works by having the attacker simulate a client and connect to a
+server, with server-only authentication, and send some data intended
+to cause harm. When the proper client attempts to contact the server,
+the attacker hijacks that connection and uses the TLS renegotiation
+feature with the server and splices in the client connection to the
+already established connection between the attacker and server. The
+attacker will not be able to read the data exchanged between the
+client and the server. However, the server will (incorrectly) assume
+that the data sent by the attacker was sent by the now authenticated
+client. The result is a prefix plain-text injection attack.
+
+The above is just one example. Other vulnerabilities exists that do
+not rely on the TLS renegotiation to change the client's authenticated
+status (either TLS or application layer).
+
+While fixing these application protocols and implementations would be
+one natural reaction, an extension to TLS has been designed that
+cryptographically binds together any renegotiated handshakes with the
+initial negotiation. When the extension is used, the attack is
+detected and the session can be terminated. The extension is
+specified in @xcite{RFC5746}.
+
+GnuTLS supports the safe renegotiation extension. The default
+behavior is as follows. Clients will attempt to negotiate the safe
+renegotiation extension when talking to servers. Servers will accept
+the extension when presented by clients. Clients and servers will
+permit an initial handshake to complete even when the other side does
+not support the safe renegotiation extension. Clients and servers
+will refuse renegotiation attempts when the extension has not been
+negotiated.
+
+Note that permitting clients to connect to servers even when the safe
+renegotiation extension is not negotiated open up for some attacks.
+Changing this default behaviour would prevent interoperability against
+the majority of deployed servers out there. We will reconsider this
+default behaviour in the future when more servers have been upgraded.
+Note that it is easy to configure clients to always require the safe
+renegotiation extension from servers (see below on the
+%SAFE_RENEGOTIATION priority string).
+
+To modify the default behaviour, we have introduced some new priority
+strings. The priority strings can be used by applications
+(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
+parameter to @code{gnutls-cli} and @code{gnutls-serv}).
+
+The @code{%UNSAFE_RENEGOTIATION} priority string permits
+(re-)handshakes even when the safe renegotiation extension was not
+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
+prevent renegotiation with clients and servers not supporting the
+extension. This is secure for servers but leaves clients vulnerable
+to some attacks, but this is a tradeoff between security and compatibility
+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
+clients and servers require the extension for every handshake. The latter
+is the most secure option for clients, at the cost of not being able
+to connect to legacy servers. Servers will also deny clients that
+do not support the extension from connecting.
+
+It is possible to disable use of the extension completely, in both
+clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
+priority string however we strongly recommend you to only do this for
+debugging and test purposes.
+
+The default values if the flags above are not specified are:
+ at table @code
+
+ at item Server:
+%PARTIAL_RENEGOTIATION
+
+ at item Client:
+%PARTIAL_RENEGOTIATION
+
+ at end table
+
+For applications we have introduced a new API related to safe
+renegotiation. The @ref{gnutls_safe_renegotiation_status} function is
+used to check if the extension has been negotiated on a session, and
+can be used both by clients and servers.
+
@node Authentication methods
@chapter Authentication Methods
@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre-
TLS", December 2005, Available from
@url{http://www.ietf.org/rfc/rfc4279.txt}.
+ at item @anchor{RFC5746}[RFC5746]
+E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
+Security (TLS) Renegotiation Indication Extension", February 2010,
+available from @url{http://www.ietf.org/rfc/rfc5746}.
+
@item @anchor{TOMSRP}[TOMSRP]
Tom Wu, "The Stanford SRP Authentication Project", Available at
@url{http://srp.stanford.edu/}.
diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1
--- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg 2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/doc/manpages/gnutls-cli.1 2010-06-02 10:23:27.000000000 +0200
@@ -75,6 +75,15 @@ Special keywords:
"%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
hello. This is to avoid buggy servers from terminating connection.
.IP
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
+.IP
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
+supporting the safe renegotiation extension. (default)
+.IP
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
+secure and recommended option for clients. However this will prevent from
+connecting to legacy servers.
+.IP
To avoid collisions in order to specify a compression algorithm in
this string you have to prefix it with "COMP-", protocol versions
with "VERS-" and certificate types with "CTYPE-". All other
diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3
--- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg 2010-03-15 11:32:37.000000000 +0100
+++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 2010-05-31 22:52:31.000000000 +0200
@@ -67,6 +67,21 @@ compression methods.
[...3631 lines suppressed...]
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: all all-am check check-TESTS check-am clean clean-generic \
+ clean-libtool distclean distclean-generic distclean-libtool \
+ distdir dvi dvi-am html html-am info info-am install \
+ install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh
--- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg 2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/tests/safe-renegotiation/params.dh 2010-05-31 22:52:31.000000000 +0200
@@ -0,0 +1,35 @@
+
+Generator: 05
+
+Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16
+ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce
+ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8
+ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86
+ c4:02:93:dc:09:83:57:16:98:21:d0:42
+ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33
+ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c
+ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af
+ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1
+ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86
+ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc
+ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e
+ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0
+ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54
+ a6:32:ff:94:08:d5:66:36:fd:99:69:21
+ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0
+ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae
+ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea
+ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78
+ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa
+ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76
+ 6c:0c:b0:a3
+
+
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE
+UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj
+3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC
+HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd
+EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ
+gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ==
+-----END DH PARAMETERS-----
diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn
--- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg 2010-05-31 22:52:31.000000000 +0200
+++ gnutls-2.8.6/tests/safe-renegotiation/testsrn 2010-06-02 10:23:35.000000000 +0200
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+# Copyright (C) 2010 Free Software Foundation
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GNUTLS.
+#
+# GNUTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GNUTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GNUTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
+CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
+PORT="${PORT:-5558}"
+unset RETCODE
+
+fail() {
+ echo "Failure: $1" >&2
+ RETCODE=${RETCODE:-${2:-1}}
+}
+
+echo "Checking Safe renegotiation"
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "0. Renegotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "1. Safe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "2. Unsafe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "3. Unsafe negotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+ fail "4. Unsafe renegotiation should have failed!"
+
+
+kill $pid
+wait
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "5. Safe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "6. Unsafe rehandshake should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+ fail "7. Unsafe negotiation should have failed!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+ fail "8. Unsafe renegotiation should have failed!"
+
+kill $pid
+wait
+
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
+pid=$!
+
+# give the server a chance to initialize
+sleep 2
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
+ fail "9. Initial connection should have failed!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "10. Unsafe connection should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "11. Unsafe negotiation should have succeeded!"
+
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
+ fail "12. Unsafe renegotiation should have succeeded!"
+
+kill $pid
+wait
+
+exit ${RETCODE:-0}
diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c
--- gnutls-2.8.6/tests/simple.c.reneg 2009-06-02 20:59:32.000000000 +0200
+++ gnutls-2.8.6/tests/simple.c 2010-05-31 22:52:31.000000000 +0200
@@ -50,7 +50,7 @@ doit (void)
for (i = 0; algs[i]; i++)
{
- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i],
+ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i],
gnutls_pk_algorithm_get_name (algs[i]),
gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])));
if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))
@@ -76,7 +76,7 @@ doit (void)
for (i = 0; algs[i]; i++)
{
- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i],
+ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i],
gnutls_sign_algorithm_get_name (algs[i]),
gnutls_sign_get_id (gnutls_sign_algorithm_get_name
(algs[i])));
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/F-12/.cvsignore,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- .cvsignore 2 Nov 2009 22:29:13 -0000 1.26
+++ .cvsignore 2 Jun 2010 16:03:43 -0000 1.27
@@ -1 +1 @@
-gnutls-2.8.5-nosrp.tar.bz2
+gnutls-2.8.6-nosrp.tar.bz2
Index: gnutls.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/F-12/gnutls.spec,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- gnutls.spec 2 Nov 2009 22:29:13 -0000 1.49
+++ gnutls.spec 2 Jun 2010 16:03:44 -0000 1.50
@@ -1,7 +1,7 @@
Summary: A TLS protocol implementation
Name: gnutls
-Version: 2.8.5
-Release: 1%{?dist}
+Version: 2.8.6
+Release: 2%{?dist}
# The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
License: GPLv3+ and LGPLv2+
Group: System Environment/Libraries
@@ -15,6 +15,9 @@ URL: http://www.gnutls.org/
# XXX patent tainted SRP code removed.
Source0: %{name}-%{version}-nosrp.tar.bz2
Source1: libgnutls-config
+Patch1: gnutls-2.8.5-rpath.patch
+Patch2: gnutls-2.8.6-link-libgcrypt.patch
+Patch3: gnutls-2.8.6-safe-renegotiation.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: libgcrypt >= 1.2.2
@@ -29,6 +32,7 @@ Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
%package utils
+License: GPLv3+
Summary: Command line tools for TLS protocol
Group: Applications/System
Requires: %{name} = %{version}-%{release}
@@ -66,15 +70,23 @@ This package contains Guile bindings for
%prep
%setup -q
+%patch1 -p1 -b .rpath
+%patch2 -p1 -b .link
+%patch3 -p1 -b .reneg
for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
touch lib/$i
done
+chmod a+x tests/safe-renegotiation/testsrn
+
%build
-autoreconf
+
+export LDFLAGS="-Wl,--no-add-needed"
+
%configure --with-libtasn1-prefix=%{_prefix} \
--with-included-libcfg \
+ --disable-static \
--disable-srp-authentication
make
cp lib/COPYING COPYING.LIB
@@ -126,7 +138,6 @@ fi
%defattr(-,root,root,-)
%{_bindir}/libgnutls*-config
%{_includedir}/*
-%{_libdir}/libgnutls*.a
%{_libdir}/libgnutls*.so
%{_libdir}/pkgconfig/*.pc
%{_mandir}/man3/*
@@ -147,6 +158,23 @@ fi
%{_datadir}/guile/site/gnutls.scm
%changelog
+* Wed Jun 2 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-2
+- add support for safe renegotiation CVE-2009-3555 (#533125)
+
+* Wed May 12 2010 Tomas Mraz <tmraz at redhat.com> 2.8.6-1
+- upgrade to a new upstream version
+
+* Mon Feb 15 2010 Rex Dieter <rdieter at fedoraproject.org> 2.8.5-4
+- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624)
+
+* Thu Jan 28 2010 Tomas Mraz <tmraz at redhat.com> 2.8.5-3
+- drop superfluous rpath from binaries
+- do not call autoreconf during build
+- specify the license on utils subpackage
+
+* Mon Jan 18 2010 Tomas Mraz <tmraz at redhat.com> 2.8.5-2
+- do not create static libraries (#556052)
+
* Mon Nov 2 2009 Tomas Mraz <tmraz at redhat.com> 2.8.5-1
- upgrade to a new upstream version
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/gnutls/F-12/sources,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- sources 2 Nov 2009 22:29:13 -0000 1.26
+++ sources 2 Jun 2010 16:03:44 -0000 1.27
@@ -1 +1 @@
-21b5caa451af00f9a9dd680a0430c00b gnutls-2.8.5-nosrp.tar.bz2
+23f98683d03f6aa332216c55fe288956 gnutls-2.8.6-nosrp.tar.bz2
More information about the scm-commits
mailing list