iksemel: address security problem

This commit removes the current patch regarding cipher selection and replaces it with a patch copied from Debian. This fixes the problem that only low-grade ciphers are available. Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-15 19:59:11 +01:00 · 2018-01-15 19:59:11 +01:00 · 46e4a28229
commit 46e4a28229
parent 7993d884d4
2 changed files with 38 additions and 65 deletions
--- a/libs/iksemel/patches/002-secure_gnutls_options.patch
+++ b/libs/iksemel/patches/002-secure_gnutls_options.patch
@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck) <duck@duckcorp.org>
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -62,13 +62,9 @@
+ 
+ static int
+ handshake (struct stream_data *data)
+ {
+-	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+-	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+-	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+-	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+-	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
+	const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ 	int ret;
+ 
+ 	if (gnutls_global_init () != 0)
+ 		return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ 	if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ 		gnutls_certificate_free_credentials (data->cred);
+ 		return IKS_NOMEM;
+ 	}
+-	gnutls_protocol_set_priority (data->sess, protocol_priority);
+-	gnutls_cipher_set_priority(data->sess, cipher_priority);
+-	gnutls_compression_set_priority(data->sess, comp_priority);
+-	gnutls_kx_set_priority(data->sess, kx_priority);
+-	gnutls_mac_set_priority(data->sess, mac_priority);
+	gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+ 
+ 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ 	gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
--- a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
+++ b/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
@ -1,65 +0,0 @@
-From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001
-From: John Papandriopoulos <jpap@users.noreply.github.com>
-Date: Thu, 20 Aug 2015 16:55:39 -0700
-Subject: [PATCH] Use of newer gnutls_priority_set_direct API
-
---
- configure.ac |  1 +
- src/stream.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 91e69e3..281a044 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long)
- AC_CHECK_FUNCS(getaddrinfo)
- 
- AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
-+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct))
- 
- dnl Check -Wall flag of GCC
- if test "x$GCC" = "xyes"; then
-diff --git a/src/stream.c b/src/stream.c
-index e8a1e8c..7d19a82 100644
--- a/src/stream.c
-+++ b/src/stream.c
-@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len)
- static int
- handshake (struct stream_data *data)
- {
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	const char *priorities =
-+		"NONE"
-+		":+VERS-TLS1.0:+VERS-SSL3.0"
-+		":+RSA"
-+		":+3DES-CBC:+ARCFOUR-128"
-+		":+SHA1:+SHA256:+SHA384:+MD5";
-+#else
- 	const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
- 	const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
- 	const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
- 	const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- 	const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
-+#endif
- 	int ret;
- 
- 	if (gnutls_global_init () != 0)
-@@ -80,11 +89,15 @@ handshake (struct stream_data *data)
- 		gnutls_certificate_free_credentials (data->cred);
- 		return IKS_NOMEM;
- 	}
-+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
-+	gnutls_priority_set_direct (data->sess, priorities, NULL);
-+#else
- 	gnutls_protocol_set_priority (data->sess, protocol_priority);
- 	gnutls_cipher_set_priority(data->sess, cipher_priority);
- 	gnutls_compression_set_priority(data->sess, comp_priority);
- 	gnutls_kx_set_priority(data->sess, kx_priority);
- 	gnutls_mac_set_priority(data->sess, mac_priority);
-+#endif
- 	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
- 
- 	gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
-- 
-2.1.4