- libgnutls: Fixed double free during verification of pkcs7 signatures.
Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium]
[CVE-2022-2509]
- libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or
equal to 255 times hash digest size, to comply with RFC 5869 2.3.
- libgnutls: Length limit for TLS PSK usernames has been increased
from 128 to 65535 characters (#1323).
- libgnutls: AES-GCM encryption function now limits plaintext
length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
- libgnutls: New block cipher functions have been added to transparently
handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be
used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically
add/remove padding if the length of the original plaintext is not a multiple
of the block size.
- libgnutls: New function for manual FIPS self-testing.
API and ABI modifications:
- gnutls_fips140_run_self_tests: New function
- gnutls_cipher_encrypt3: New function
- gnutls_cipher_decrypt3: New function
- gnutls_cipher_padding_flags_t: New enum
Signed-off-by: Nick Hainke <vincent@systemli.org>
Bump to latest upstream release. Rebased existing patches.
This version introduces certificate compression support, and with that,
optional dependencies on zlib and zstd. When configure picks them up,
build will fail due to missing dependencies:
Package libgnutls is missing dependencies for the following libraries:
libz.so.1
libzstd.so.1
Disable zlib and zstd support to avoid that.
Signed-off-by: John Audia <graysky@archlinux.us>
[disable zlib and zstd]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The gnutls package uses the gettext-version fixup, which is only
available if gettext-full/host has been built. Add the missing build
dependency to fix these errors:
bash: line 1: /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/gettext: No such file or directory
bash: line 1: /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/autopoint: No such file or directory
It also prevents configure from using host gettext:
checking for msgfmt... /usr/bin/msgfmt
checking for gmsgfmt... /usr/bin/gmsgfmt
checking for xgettext... /usr/bin/xgettext
checking for msgmerge... /usr/bin/msgmerge
vs:
checking for msgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgfmt
checking for gmsgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/gmsgfmt
checking for xgettext... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/xgettext
checking for msgmerge... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgmerge
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Enable AUTORELEASE in a separate commit so that the next commit can be
reverted without having to manually re-introduce it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Remove the --install parameter when running aclocal. The --install
argument is used to copy third-party files to the first -I directory.
gnutls has -I m4 first, which would copy files to its local build
directory. However, openwrt prepends the staging dir m4 directory,
causing aclocal --install to copy an old definition of
ax_code_coverage.m4 into the staging dir.
If strace is built after gnutls, compilation will fail:
Makefile:9303: *** missing separator. Stop.
The version of ax_code_coverage.m4 that gets installed does not define
@CODE_COVERAGE_RULES@.
Removing the --install parameter in gnutls solves the issue.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
It was causing regressions in systems without some particular
development tools (see #8129)
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Cleaned up configure arguments (alphabetized and sorted) and added some
new ones to help speed up compilation.
Disabled SSL support by default. SSLv2 and 3 have long been deprecated as
they are both insecure variants that currently hold less than 10% of total
encrypted traffic on the web.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
While recently building asterisk, the make system stalled on gnutls. On my install of Ubuntu 16.04 on WSL, it seems curl can't download from ftp and doesn't even time out properly. Easiest solution is to switch the gnutls Makefile to use HTTPS instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add option that allows you to explicitly disable use of the tpm
otherwise if a tss stack such as trousers is found by gnutls build
system then it will use it which will cause a build failure when
PKCS11 support is not enabled.
Signed-off-by: Ian Pozella <Ian.Pozella@imgtec.com>
