From 2f38d5c97abbc84a55ad22dcd328f627380e79a8 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 28 Oct 2020 22:05:47 +0100 Subject: gnutls: update 3.16.4 -> 3.16.5 Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie --- ...license-to-GPLv2.1-to-keep-with-LICENSE-f.patch | 90 ---------------- .../gnutls/gnutls/CVE-2020-24659.patch | 117 --------------------- meta/recipes-support/gnutls/gnutls_3.6.14.bb | 68 ------------ meta/recipes-support/gnutls/gnutls_3.6.15.bb | 66 ++++++++++++ 4 files changed, 66 insertions(+), 275 deletions(-) delete mode 100644 meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch delete mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch delete mode 100644 meta/recipes-support/gnutls/gnutls_3.6.14.bb create mode 100644 meta/recipes-support/gnutls/gnutls_3.6.15.bb (limited to 'meta/recipes-support/gnutls') diff --git a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch b/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch deleted file mode 100644 index a610abf9b5..0000000000 --- a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch +++ /dev/null @@ -1,90 +0,0 @@ -From c0ae3f659c6c130d151378ba4d7d861e3b7b970f Mon Sep 17 00:00:00 2001 -From: Lei Maohui -Date: Wed, 8 Jul 2020 14:50:27 +0900 -Subject: [PATCH] Modied the license to GPLv2.1+ to keep with LICENSE file. - -Signed-off-by: Lei Maohui -Please reference to https://gitlab.com/gnutls/gnutls/-/issues/1018. -Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/merge_requests/1285]. ---- - lib/x509/krb5.c | 20 +++++++++++--------- - lib/x509/krb5.h | 20 +++++++++++--------- - 2 files changed, 22 insertions(+), 18 deletions(-) - -diff --git a/lib/x509/krb5.c b/lib/x509/krb5.c -index 7fe84e6..d68c737 100644 ---- a/lib/x509/krb5.c -+++ b/lib/x509/krb5.c -@@ -1,21 +1,23 @@ - /* - * Copyright (C) 2015 Red Hat, Inc. - * -+ * Author: Nikos Mavrogiannopoulos -+ * - * This file is part of GnuTLS. - * -- * GnuTLS is free software: you can redistribute it and/or modify it -- * under the terms of the GNU General Public License as published by -- * the Free Software Foundation, either version 3 of the License, or -- * (at your option) any later version. -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. - * -- * GnuTLS is distributed in the hope that it will be useful, but -+ * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -- * General Public License for more details. -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see - * -- * You should have received a copy of the GNU General Public License -- * along with this program. If not, see -- * . - */ - - #include -diff --git a/lib/x509/krb5.h b/lib/x509/krb5.h -index d8926af..815bb28 100644 ---- a/lib/x509/krb5.h -+++ b/lib/x509/krb5.h -@@ -1,21 +1,23 @@ - /* - * Copyright (C) 2015 Red Hat, Inc. - * -+ * Author: Nikos Mavrogiannopoulos -+ * - * This file is part of GnuTLS. - * -- * GnuTLS is free software: you can redistribute it and/or modify it -- * under the terms of the GNU General Public License as published by -- * the Free Software Foundation, either version 3 of the License, or -- * (at your option) any later version. -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. - * -- * GnuTLS is distributed in the hope that it will be useful, but -+ * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -- * General Public License for more details. -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see - * -- * You should have received a copy of the GNU General Public License -- * along with this program. If not, see -- * . - */ - - #ifndef GNUTLS_LIB_X509_KRB5_H --- -2.17.1 - diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch deleted file mode 100644 index 1702325e66..0000000000 --- a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sat, 22 Aug 2020 17:19:39 +0200 -Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is - incomplete - -If the initial handshake is incomplete and the server sends a -no_renegotiation alert, the client should treat it as a fatal error -even if its level is warning. Otherwise the same handshake -state (e.g., DHE parameters) are reused in the next gnutls_handshake -call, if it is called in the loop idiom: - - do { - ret = gnutls_handshake(session); - } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); - -Signed-off-by: Daiki Ueno -CVE: CVE-2020-24659 -Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git] -Signed-off-by: Zhixiong Chi ---- - lib/gnutls_int.h | 1 + - lib/handshake.c | 48 +++++++++++++----- - 2 files changed, 36 insertions(+), 13 deletions(-) - -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index bb6c19713..31cec5c0c 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -1370,6 +1370,7 @@ typedef struct { - #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */ - #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */ - #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */ -+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */ - - /* The hsk_flags are for use within the ongoing handshake; - * they are reset to zero prior to handshake start by gnutls_handshake. */ -diff --git a/lib/handshake.c b/lib/handshake.c -index b40f84b3d..ce2d160e2 100644 ---- a/lib/handshake.c -+++ b/lib/handshake.c -@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session, - if (ret < 0) - return gnutls_assert_val(ret); - -+ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED; -+ - return 0; - } - -@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session) - return 0; - } - -+/* This function checks whether the error code should be treated fatal -+ * or not, and also does the necessary state transition. In -+ * particular, in the case of a rehandshake abort it resets the -+ * handshake's internal state. -+ */ - inline static int - _gnutls_abort_handshake(gnutls_session_t session, int ret) - { -- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && -- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) -- || ret == GNUTLS_E_GOT_APPLICATION_DATA) -- return 0; -+ switch (ret) { -+ case GNUTLS_E_WARNING_ALERT_RECEIVED: -+ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) { -+ /* The server always toleretes a "no_renegotiation" alert. */ -+ if (session->security_parameters.entity == GNUTLS_SERVER) { -+ STATE = STATE0; -+ return ret; -+ } -+ -+ /* The client should tolerete a "no_renegotiation" alert only if: -+ * - the initial handshake has completed, or -+ * - a Server Hello is not yet received -+ */ -+ if (session->internals.initial_negotiation_completed || -+ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) { -+ STATE = STATE0; -+ return ret; -+ } - -- /* this doesn't matter */ -- return GNUTLS_E_INTERNAL_ERROR; -+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); -+ } -+ return ret; -+ case GNUTLS_E_GOT_APPLICATION_DATA: -+ STATE = STATE0; -+ return ret; -+ default: -+ return ret; -+ } - } - - -@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session) - } - - if (ret < 0) { -- /* In the case of a rehandshake abort -- * we should reset the handshake's internal state. -- */ -- if (_gnutls_abort_handshake(session, ret) == 0) -- STATE = STATE0; -- -- return ret; -+ return _gnutls_abort_handshake(session, ret); - } - - /* clear handshake buffer */ --- -2.17.0 - diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb deleted file mode 100644 index 51578b4b3b..0000000000 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ /dev/null @@ -1,68 +0,0 @@ -SUMMARY = "GNU Transport Layer Security Library" -HOMEPAGE = "http://www.gnu.org/software/gnutls/" -BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls" - -LICENSE = "GPLv3+ & LGPLv2.1+" -LICENSE_${PN} = "LGPLv2.1+" -LICENSE_${PN}-xx = "LGPLv2.1+" -LICENSE_${PN}-bin = "GPLv3+" -LICENSE_${PN}-openssl = "GPLv3+" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \ - file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \ - file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" - -DEPENDS = "nettle gmp virtual/libiconv libunistring" -DEPENDS_append_libc-musl = " argp-standalone" - -SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" - -SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ - file://arm_eabi.patch \ - file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ - file://CVE-2020-24659.patch \ -" - -SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" - -inherit autotools texinfo pkgconfig gettext lib_package gtk-doc - -PACKAGECONFIG ??= "libidn" - -# You must also have CONFIG_SECCOMP enabled in the kernel for -# seccomp to work. -PACKAGECONFIG[seccomp] = "ac_cv_libseccomp=yes,ac_cv_libseccomp=no,libseccomp" -PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2" -PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1" -PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit" -PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers" - -EXTRA_OECONF = " \ - --enable-doc \ - --disable-libdane \ - --disable-guile \ - --disable-rpath \ - --enable-local-libopts \ - --enable-openssl-compatibility \ - --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \ - --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \ -" - -# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell. -export POSIX_SHELL="${base_bindir}/sh" - -LDFLAGS_append_libc-musl = " -largp" - -do_configure_prepend() { - for dir in . lib; do - rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4 - done -} - -PACKAGES =+ "${PN}-openssl ${PN}-xx" - -FILES_${PN}-dev += "${bindir}/gnutls-cli-debug" -FILES_${PN}-openssl = "${libdir}/libgnutls-openssl.so.*" -FILES_${PN}-xx = "${libdir}/libgnutlsxx.so.*" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/gnutls/gnutls_3.6.15.bb b/meta/recipes-support/gnutls/gnutls_3.6.15.bb new file mode 100644 index 0000000000..71118bd389 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls_3.6.15.bb @@ -0,0 +1,66 @@ +SUMMARY = "GNU Transport Layer Security Library" +HOMEPAGE = "http://www.gnu.org/software/gnutls/" +BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls" + +LICENSE = "GPLv3+ & LGPLv2.1+" +LICENSE_${PN} = "LGPLv2.1+" +LICENSE_${PN}-xx = "LGPLv2.1+" +LICENSE_${PN}-bin = "GPLv3+" +LICENSE_${PN}-openssl = "GPLv3+" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \ + file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \ + file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" + +DEPENDS = "nettle gmp virtual/libiconv libunistring" +DEPENDS_append_libc-musl = " argp-standalone" + +SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" + +SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ + file://arm_eabi.patch \ + " + +SRC_URI[sha256sum] = "0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558" + +inherit autotools texinfo pkgconfig gettext lib_package gtk-doc + +PACKAGECONFIG ??= "libidn" + +# You must also have CONFIG_SECCOMP enabled in the kernel for +# seccomp to work. +PACKAGECONFIG[seccomp] = "ac_cv_libseccomp=yes,ac_cv_libseccomp=no,libseccomp" +PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2" +PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1" +PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit" +PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers" + +EXTRA_OECONF = " \ + --enable-doc \ + --disable-libdane \ + --disable-guile \ + --disable-rpath \ + --enable-local-libopts \ + --enable-openssl-compatibility \ + --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \ + --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \ +" + +# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell. +export POSIX_SHELL="${base_bindir}/sh" + +LDFLAGS_append_libc-musl = " -largp" + +do_configure_prepend() { + for dir in . lib; do + rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4 + done +} + +PACKAGES =+ "${PN}-openssl ${PN}-xx" + +FILES_${PN}-dev += "${bindir}/gnutls-cli-debug" +FILES_${PN}-openssl = "${libdir}/libgnutls-openssl.so.*" +FILES_${PN}-xx = "${libdir}/libgnutlsxx.so.*" + +BBCLASSEXTEND = "native nativesdk" -- cgit 1.2.3-korg