gnutls: update 3.16.4 -> 3.16.5

(From OE-Core rev: 2f38d5c97abbc84a55ad22dcd328f627380e79a8) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2020-10-28 22:05:47 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-10-30 13:22:49 +0000
commit: 96dbd86d67617967d2ab8cef284f87e2c5131369 (patch)
tree: c81aef8c7ed16ac482de26fea82ba7236922dddc /meta/recipes-support/gnutls
parent: faee04a9cc477fcded9ddb386eaa6b90ae063932 (diff)
download: poky-96dbd86d67617967d2ab8cef284f87e2c5131369.tar.gz
3 files changed, 2 insertions, 211 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch b/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch
deleted file mode 100644
index a610abf9b5..0000000000
--- a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From c0ae3f659c6c130d151378ba4d7d861e3b7b970f Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Wed, 8 Jul 2020 14:50:27 +0900
-Subject: [PATCH] Modied the license to GPLv2.1+ to keep with LICENSE file.
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
-Please reference to https://gitlab.com/gnutls/gnutls/-/issues/1018.
-Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/merge_requests/1285].
---
- lib/x509/krb5.c | 20 +++++++++++---------
- lib/x509/krb5.h | 20 +++++++++++---------
- 2 files changed, 22 insertions(+), 18 deletions(-)
-diff --git a/lib/x509/krb5.c b/lib/x509/krb5.c
-index 7fe84e6..d68c737 100644
--- a/lib/x509/krb5.c
-+++ b/lib/x509/krb5.c
-@@ -1,21 +1,23 @@
- /*
-  * Copyright (C) 2015 Red Hat, Inc.
-  *
-+ * Author: Nikos Mavrogiannopoulos
-+ *
-  * This file is part of GnuTLS.
-  *
- * GnuTLS is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-  *
- * GnuTLS is distributed in the hope that it will be useful, but
-+ * This library is distributed in the hope that it will be useful, but
-  * WITHOUT ANY WARRANTY; without even the implied warranty of
-  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
-  *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see
- * <https://www.gnu.org/licenses/>.
-  */
- 
- #include <config.h>
-diff --git a/lib/x509/krb5.h b/lib/x509/krb5.h
-index d8926af..815bb28 100644
--- a/lib/x509/krb5.h
-+++ b/lib/x509/krb5.h
-@@ -1,21 +1,23 @@
- /*
-  * Copyright (C) 2015 Red Hat, Inc.
-  *
-+ * Author: Nikos Mavrogiannopoulos
-+ *
-  * This file is part of GnuTLS.
-  *
- * GnuTLS is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-  *
- * GnuTLS is distributed in the hope that it will be useful, but
-+ * This library is distributed in the hope that it will be useful, but
-  * WITHOUT ANY WARRANTY; without even the implied warranty of
-  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
-  *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see
- * <https://www.gnu.org/licenses/>.
-  */
- 
- #ifndef GNUTLS_LIB_X509_KRB5_H
-- 
-2.17.1
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
deleted file mode 100644
index 1702325e66..0000000000
--- a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sat, 22 Aug 2020 17:19:39 +0200
-Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
- incomplete
-If the initial handshake is incomplete and the server sends a
-no_renegotiation alert, the client should treat it as a fatal error
-even if its level is warning.  Otherwise the same handshake
-state (e.g., DHE parameters) are reused in the next gnutls_handshake
-call, if it is called in the loop idiom:
-  do {
-          ret = gnutls_handshake(session);
-  } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-CVE: CVE-2020-24659
-Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
- lib/gnutls_int.h                              |   1 +
- lib/handshake.c                               |  48 +++++++++++++-----
- 2 files changed, 36 insertions(+), 13 deletions(-)
-diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index bb6c19713..31cec5c0c 100644
--- a/lib/gnutls_int.h
-+++ b/lib/gnutls_int.h
-@@ -1370,6 +1370,7 @@ typedef struct {
- #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
- #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
- #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
-+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
- 
-        /* The hsk_flags are for use within the ongoing handshake;
-         * they are reset to zero prior to handshake start by gnutls_handshake. */
-diff --git a/lib/handshake.c b/lib/handshake.c
-index b40f84b3d..ce2d160e2 100644
--- a/lib/handshake.c
-+++ b/lib/handshake.c
-@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
-        if (ret < 0)
-                return gnutls_assert_val(ret);
- 
-+       session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
-+
-        return 0;
- }
- 
-@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
-        return 0;
- }
- 
-+/* This function checks whether the error code should be treated fatal
-+ * or not, and also does the necessary state transition.  In
-+ * particular, in the case of a rehandshake abort it resets the
-+ * handshake's internal state.
-+ */
- inline static int
- _gnutls_abort_handshake(gnutls_session_t session, int ret)
- {
-       if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
-            (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
-           || ret == GNUTLS_E_GOT_APPLICATION_DATA)
-               return 0;
-+       switch (ret) {
-+       case GNUTLS_E_WARNING_ALERT_RECEIVED:
-+               if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
-+                       /* The server always toleretes a "no_renegotiation" alert. */
-+                       if (session->security_parameters.entity == GNUTLS_SERVER) {
-+                               STATE = STATE0;
-+                               return ret;
-+                       }
-+
-+                       /* The client should tolerete a "no_renegotiation" alert only if:
-+                        * - the initial handshake has completed, or
-+                        * - a Server Hello is not yet received
-+                        */
-+                       if (session->internals.initial_negotiation_completed ||
-+                           !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
-+                               STATE = STATE0;
-+                               return ret;
-+                       }
- 
-       /* this doesn't matter */
-       return GNUTLS_E_INTERNAL_ERROR;
-+                       return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
-+               }
-+               return ret;
-+       case GNUTLS_E_GOT_APPLICATION_DATA:
-+               STATE = STATE0;
-+               return ret;
-+       default:
-+               return ret;
-+       }
- }
- 
- 
-@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
-        }
- 
-        if (ret < 0) {
-               /* In the case of a rehandshake abort
-                * we should reset the handshake's internal state.
-                */
-               if (_gnutls_abort_handshake(session, ret) == 0)
-                       STATE = STATE0;
-
-               return ret;
-+               return _gnutls_abort_handshake(session, ret);
-        }
- 
-        /* clear handshake buffer */
-- 
-2.17.0
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.15.bb
index 51578b4b3b..71118bd389 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.15.bb
@@ -19,11 +19,9 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
           file://arm_eabi.patch \
-           file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
+           "
-           file://CVE-2020-24659.patch \
-"
-SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
+SRC_URI[sha256sum] = "0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558"
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
author	Alexander Kanavin <alex.kanavin@gmail.com>	2020-10-28 22:05:47 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-10-30 13:22:49 +0000
commit	96dbd86d67617967d2ab8cef284f87e2c5131369 (patch)
tree	c81aef8c7ed16ac482de26fea82ba7236922dddc /meta/recipes-support/gnutls
parent	faee04a9cc477fcded9ddb386eaa6b90ae063932 (diff)
download	poky-96dbd86d67617967d2ab8cef284f87e2c5131369.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch b/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch deleted file mode 100644 index a610abf9b5..0000000000 --- a/meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch +++ /dev/null
@@ -1,90 +0,0 @@
1	From c0ae3f659c6c130d151378ba4d7d861e3b7b970f Mon Sep 17 00:00:00 2001
2	From: Lei Maohui <leimaohui@cn.fujitsu.com>
3	Date: Wed, 8 Jul 2020 14:50:27 +0900
4	Subject: [PATCH] Modied the license to GPLv2.1+ to keep with LICENSE file.
5
6	Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
7	Please reference to https://gitlab.com/gnutls/gnutls/-/issues/1018.
8	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/merge_requests/1285].
9	---
10	lib/x509/krb5.c \| 20 +++++++++++---------
11	lib/x509/krb5.h \| 20 +++++++++++---------
12	2 files changed, 22 insertions(+), 18 deletions(-)
13
14	diff --git a/lib/x509/krb5.c b/lib/x509/krb5.c
15	index 7fe84e6..d68c737 100644
16	--- a/lib/x509/krb5.c
17	+++ b/lib/x509/krb5.c
18	@@ -1,21 +1,23 @@
19	/*
20	* Copyright (C) 2015 Red Hat, Inc.
21	*
22	+ * Author: Nikos Mavrogiannopoulos
23	+ *
24	* This file is part of GnuTLS.
25	*
26	- * GnuTLS is free software: you can redistribute it and/or modify it
27	- * under the terms of the GNU General Public License as published by
28	- * the Free Software Foundation, either version 3 of the License, or
29	- * (at your option) any later version.
30	+ * The GnuTLS is free software; you can redistribute it and/or
31	+ * modify it under the terms of the GNU Lesser General Public License
32	+ * as published by the Free Software Foundation; either version 2.1 of
33	+ * the License, or (at your option) any later version.
34	*
35	- * GnuTLS is distributed in the hope that it will be useful, but
36	+ * This library is distributed in the hope that it will be useful, but
37	* WITHOUT ANY WARRANTY; without even the implied warranty of
38	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
39	- * General Public License for more details.
40	+ * Lesser General Public License for more details.
41	+ *
42	+ * You should have received a copy of the GNU Lesser General Public License
43	+ * along with this program. If not, see <https://www.gnu.org/licenses/>
44	*
45	- * You should have received a copy of the GNU General Public License
46	- * along with this program. If not, see
47	- * <https://www.gnu.org/licenses/>.
48	*/
49
50	#include <config.h>
51	diff --git a/lib/x509/krb5.h b/lib/x509/krb5.h
52	index d8926af..815bb28 100644
53	--- a/lib/x509/krb5.h
54	+++ b/lib/x509/krb5.h
55	@@ -1,21 +1,23 @@
56	/*
57	* Copyright (C) 2015 Red Hat, Inc.
58	*
59	+ * Author: Nikos Mavrogiannopoulos
60	+ *
61	* This file is part of GnuTLS.
62	*
63	- * GnuTLS is free software: you can redistribute it and/or modify it
64	- * under the terms of the GNU General Public License as published by
65	- * the Free Software Foundation, either version 3 of the License, or
66	- * (at your option) any later version.
67	+ * The GnuTLS is free software; you can redistribute it and/or
68	+ * modify it under the terms of the GNU Lesser General Public License
69	+ * as published by the Free Software Foundation; either version 2.1 of
70	+ * the License, or (at your option) any later version.
71	*
72	- * GnuTLS is distributed in the hope that it will be useful, but
73	+ * This library is distributed in the hope that it will be useful, but
74	* WITHOUT ANY WARRANTY; without even the implied warranty of
75	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
76	- * General Public License for more details.
77	+ * Lesser General Public License for more details.
78	+ *
79	+ * You should have received a copy of the GNU Lesser General Public License
80	+ * along with this program. If not, see <https://www.gnu.org/licenses/>
81	*
82	- * You should have received a copy of the GNU General Public License
83	- * along with this program. If not, see
84	- * <https://www.gnu.org/licenses/>.
85	*/
86
87	#ifndef GNUTLS_LIB_X509_KRB5_H
88	--
89	2.17.1
90


diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch deleted file mode 100644 index 1702325e66..0000000000 --- a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch +++ /dev/null
@@ -1,117 +0,0 @@
1	From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
2	From: Daiki Ueno <ueno@gnu.org>
3	Date: Sat, 22 Aug 2020 17:19:39 +0200
4	Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
5	incomplete
6
7	If the initial handshake is incomplete and the server sends a
8	no_renegotiation alert, the client should treat it as a fatal error
9	even if its level is warning. Otherwise the same handshake
10	state (e.g., DHE parameters) are reused in the next gnutls_handshake
11	call, if it is called in the loop idiom:
12
13	do {
14	ret = gnutls_handshake(session);
15	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
16
17	Signed-off-by: Daiki Ueno <ueno@gnu.org>
18	CVE: CVE-2020-24659
19	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
20	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
21	---
22	lib/gnutls_int.h \| 1 +
23	lib/handshake.c \| 48 +++++++++++++-----
24	2 files changed, 36 insertions(+), 13 deletions(-)
25
26	diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
27	index bb6c19713..31cec5c0c 100644
28	--- a/lib/gnutls_int.h
29	+++ b/lib/gnutls_int.h
30	@@ -1370,6 +1370,7 @@ typedef struct {
31	#define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
32	#define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
33	#define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
34	+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
35
36	/* The hsk_flags are for use within the ongoing handshake;
37	* they are reset to zero prior to handshake start by gnutls_handshake. */
38	diff --git a/lib/handshake.c b/lib/handshake.c
39	index b40f84b3d..ce2d160e2 100644
40	--- a/lib/handshake.c
41	+++ b/lib/handshake.c
42	@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
43	if (ret < 0)
44	return gnutls_assert_val(ret);
45
46	+ session->internals.hsk_flags \|= HSK_SERVER_HELLO_RECEIVED;
47	+
48	return 0;
49	}
50
51	@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
52	return 0;
53	}
54
55	+/* This function checks whether the error code should be treated fatal
56	+ * or not, and also does the necessary state transition. In
57	+ * particular, in the case of a rehandshake abort it resets the
58	+ * handshake's internal state.
59	+ */
60	inline static int
61	_gnutls_abort_handshake(gnutls_session_t session, int ret)
62	{
63	- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
64	- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
65	- \|\| ret == GNUTLS_E_GOT_APPLICATION_DATA)
66	- return 0;
67	+ switch (ret) {
68	+ case GNUTLS_E_WARNING_ALERT_RECEIVED:
69	+ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
70	+ /* The server always toleretes a "no_renegotiation" alert. */
71	+ if (session->security_parameters.entity == GNUTLS_SERVER) {
72	+ STATE = STATE0;
73	+ return ret;
74	+ }
75	+
76	+ /* The client should tolerete a "no_renegotiation" alert only if:
77	+ * - the initial handshake has completed, or
78	+ * - a Server Hello is not yet received
79	+ */
80	+ if (session->internals.initial_negotiation_completed \|\|
81	+ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
82	+ STATE = STATE0;
83	+ return ret;
84	+ }
85
86	- /* this doesn't matter */
87	- return GNUTLS_E_INTERNAL_ERROR;
88	+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
89	+ }
90	+ return ret;
91	+ case GNUTLS_E_GOT_APPLICATION_DATA:
92	+ STATE = STATE0;
93	+ return ret;
94	+ default:
95	+ return ret;
96	+ }
97	}
98
99
100	@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
101	}
102
103	if (ret < 0) {
104	- /* In the case of a rehandshake abort
105	- * we should reset the handshake's internal state.
106	- */
107	- if (_gnutls_abort_handshake(session, ret) == 0)
108	- STATE = STATE0;
109	-
110	- return ret;
111	+ return _gnutls_abort_handshake(session, ret);
112	}
113
114	/* clear handshake buffer */
115	--
116	2.17.0
117


diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.15.bb index 51578b4b3b..71118bd389 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.15.bb
@@ -19,11 +19,9 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
19		19
20	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \	20	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
21	file://arm_eabi.patch \	21	file://arm_eabi.patch \
22	file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \	22	"
23	file://CVE-2020-24659.patch \
24	"
25		23
26	SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"	24	SRC_URI[sha256sum] = "0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558"
27		25
28	inherit autotools texinfo pkgconfig gettext lib_package gtk-doc	26	inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
29		27