Package: gnutls28 / 3.6.7-4+deb10u6

Metadata

Package Version Patches format
gnutls28 3.6.7-4+deb10u6 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
14_version_gettextcat.diff | (download)

po/Makevars | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 version filename of locale data (gnutls28.mo instead of
 gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
 co-installable.
30_guile snarf.diff | (download)

guile/src/Makefile.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 work around guile-snarf hardcoding the at-build default compiler
 which breaks when it changes ion Debian.
40_rel3.6.8_01 gnutls_srp_entry_free follow consistent behavior in.patch | (download)

NEWS | 3 3 + 0 - 0 !
lib/auth/srp_passwd.c | 12 8 + 4 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 [patch] _gnutls_srp_entry_free: follow consistent behavior in freeing
 data

_gnutls_srp_entry_free would previously not free any parameters that
were known to gnutls to account for documented behavior of
gnutls_srp_set_server_credentials_function(). This was not updated
when the newly added 8192 parameter was added to the library.

This introduces a safety check for generator parameters, even though
in practice they are the same pointer.

Resolves: #761

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

40_rel3.6.8_05 lib nettle fix carry flag in Streebog code.patch | (download)

NEWS | 3 3 + 0 - 0 !
lib/crypto-selftests.c | 16 16 + 0 - 0 !
lib/nettle/gost/streebog.c | 12 7 + 5 - 0 !
3 files changed, 26 insertions(+), 5 deletions(-)

 [patch] lib/nettle: fix carry flag in streebog code

Fix carry flag being calculated incorrectly in Streebog code.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

40_rel3.6.8_10 ext record_size_limit distinguish sending and receiv.patch | (download)

lib/constate.c | 10 4 + 6 - 0 !
lib/dtls.c | 4 2 + 2 - 0 !
lib/ext/max_record.c | 44 26 + 18 - 0 !
lib/ext/record_size_limit.c | 19 14 + 5 - 0 !
lib/gnutls_int.h | 20 13 + 7 - 0 !
lib/range.c | 4 2 + 2 - 0 !
lib/record.c | 2 1 + 1 - 0 !
lib/session_pack.c | 12 7 + 5 - 0 !
lib/state.c | 4 4 + 0 - 0 !
9 files changed, 73 insertions(+), 46 deletions(-)

 [patch] ext/record_size_limit: distinguish sending and receiving
 limits

The previous behavior was that both sending and receiving limits are
negotiated to be the same value.  It was problematic when:

- client sends a record_size_limit with a large value in CH
- server sends a record_size_limit with a smaller value in EE
- client updates the limit for both sending and receiving, upon
  receiving EE
- server sends a Certificate message larger than the limit

With this patch, each peer maintains the sending / receiving limits
separately so not to confuse with the contradicting settings.

Andreas Metzler for Debian upload:
Strip out addition of gnutls_record_set_max_recv_size() to the API from
this patchset.


40_rel3.6.8_15 Apply STD3 ASCII rules in gnutls_idna_map.patch | (download)

NEWS | 3 3 + 0 - 0 !
lib/str-idna.c | 10 7 + 3 - 0 !
tests/str-idna.c | 5 5 + 0 - 0 !
3 files changed, 15 insertions(+), 3 deletions(-)

 [patch] apply std3 ascii rules in gnutls_idna_map()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tim R├╝hsen <tim.ruehsen@gmx.de>

40_rel3.6.8_20 pubkey remove deprecated TLS1_RSA flag check.patch | (download)

lib/pubkey.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 [patch 1/2] pubkey: remove deprecated tls1_rsa flag check

The gnutls_certificate_verify_flags comparisons against
OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with
GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to
both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it
seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA.

Resolves: #754

Signed-off-by: Kenneth J. Miller <ken@miller.ec>

41_rel3.6.9_01 Support for Generalname registeredID from RFC 5280 i.patch | (download)

NEWS | 2 2 + 0 - 0 !
lib/includes/gnutls/gnutls.h.in | 4 3 + 1 - 0 !
lib/x509/common.c | 5 5 + 0 - 0 !
lib/x509/extensions.c | 3 3 + 0 - 0 !
lib/x509/output.c | 4 4 + 0 - 0 !
lib/x509/x509.c | 9 7 + 2 - 0 !
tests/Makefile.am | 4 2 + 2 - 0 !
tests/crt_apis.c | 49 39 + 10 - 0 !
8 files changed, 65 insertions(+), 15 deletions(-)

 [patch] support for generalname registeredid from rfc 5280 in subject
 alt name

Added test certificates (cert10.der) with registered ID

Updated Makefile for inclusion of test certificates

Updated SAN unknown test certificates (cert5.der)

Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>

42_rel3.6.10_01 gnutls_epoch_set_keys do not forbid random padding.patch | (download)

lib/constate.c | 11 9 + 2 - 0 !
lib/record.c | 4 2 + 2 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 [patch] _gnutls_epoch_set_keys: do not forbid random padding in
 TLS1.x CBC ciphersuites

Since some point in 3.6.x we updated the calculation of maximum record size,
however that did not include the possibility of random record padding available
for CBC ciphersuites which exceeds the maximum. This commit allows for larger
sizes for these ciphersuites to account for random padding as applied by
gnutls 2.12.x.

Resolves: #811

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

42_rel3.6.11_10 session tickets parse extension during session resum.patch | (download)

lib/ext/alpn.c | 3 2 + 1 - 0 !
lib/ext/client_cert_type.c | 3 2 + 1 - 0 !
lib/ext/cookie.c | 3 2 + 1 - 0 !
lib/ext/dumbfw.c | 3 2 + 1 - 0 !
lib/ext/early_data.c | 3 2 + 1 - 0 !
lib/ext/ec_point_formats.c | 3 2 + 1 - 0 !
lib/ext/etm.c | 3 2 + 1 - 0 !
lib/ext/ext_master_secret.c | 3 2 + 1 - 0 !
lib/ext/heartbeat.c | 3 2 + 1 - 0 !
lib/ext/key_share.c | 3 2 + 1 - 0 !
lib/ext/max_record.c | 3 2 + 1 - 0 !
lib/ext/post_handshake.c | 3 2 + 1 - 0 !
lib/ext/pre_shared_key.c | 3 2 + 1 - 0 !
lib/ext/psk_ke_modes.c | 3 2 + 1 - 0 !
lib/ext/record_size_limit.c | 3 2 + 1 - 0 !
lib/ext/safe_renegotiation.c | 3 2 + 1 - 0 !
lib/ext/server_cert_type.c | 3 2 + 1 - 0 !
lib/ext/server_name.c | 3 2 + 1 - 0 !
lib/ext/session_ticket.c | 7 6 + 1 - 0 !
lib/ext/signature.c | 3 2 + 1 - 0 !
lib/ext/srp.c | 3 2 + 1 - 0 !
lib/ext/srtp.c | 3 2 + 1 - 0 !
lib/ext/status_request.c | 3 2 + 1 - 0 !
lib/ext/supported_groups.c | 3 2 + 1 - 0 !
lib/ext/supported_versions.c | 3 2 + 1 - 0 !
lib/hello_ext.c | 36 20 + 16 - 0 !
lib/hello_ext.h | 3 2 + 1 - 0 !
lib/includes/gnutls/gnutls.h.in | 4 2 + 2 - 0 !
tests/gnutls-cli-resume.sh | 17 17 + 0 - 0 !
29 files changed, 95 insertions(+), 44 deletions(-)

 [patch] session tickets: parse extension during session resumption on
 client side

It is possible for a server to send a new session ticket during
TLS1.2 resumption. To be able to parse it as client we need to
check the extension during resumption as well.

Resolves: #841

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

43_rel3.6.13_01 dtls client hello fix zeroed random fixes 960.patch | (download)

lib/handshake.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 dtls client hello: fix zeroed random (fixes #960)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
43_rel3.6.13_10 session_pack fix leak in error path.patch | (download)

lib/session_pack.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] session_pack: fix leak in error path

If called at the wrong time, it allocates the buffer sb and forgets to
clear it.

Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>

44_rel3.6.14_10 Update session_ticket.c to add support for zero leng.patch | (download)

lib/ext/session_ticket.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 [patch] update session_ticket.c to add support for zero length
 session tickets returned from the server

check that ticket_len > 0 prior to calling gnutls_realloc_fast

Signed-off-by: Rod Rivers <5981058-rrivers2@users.noreply.gitlab.com>

44_rel3.6.14_15 _gnutls_pkcs11_verify_crt_status check validity agai.patch | (download)

lib/pkcs11.c | 98 70 + 28 - 0 !
lib/pkcs11_int.h | 5 5 + 0 - 0 !
lib/x509/verify.c | 8 6 + 2 - 0 !
3 files changed, 81 insertions(+), 30 deletions(-)

 [patch 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
 system cert

To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.

However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store.  That reveals a problem in a scenario that (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificate has
expired and included in the input chain.

This patch makes it a little robuster by actually retrieving the
certificate from the trust store and perform check against it.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

44_rel3.6.14_16 x509 trigger fallback verification path when cert is.patch | (download)

lib/x509/verify-high.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 [patch 2/3] x509: trigger fallback verification path when cert is
 expired

gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
to trigger the fallback verification path if the signer of the last
certificate is not in the trust store.  Previously, it doesn't take
into account of the condition where the certificate is expired.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

44_rel3.6.14_17 tests add test case for certificate chain supersedin.patch | (download)

tests/test-chains.h | 97 97 + 0 - 0 !
1 file changed, 97 insertions(+)

 [patch 3/3] tests: add test case for certificate chain superseding

Signed-off-by: Daiki Ueno <ueno@gnu.org>

44_rel3.6.14_90 stek differentiate initial state from valid time win.patch | (download)

lib/stek.c | 17 5 + 12 - 0 !
tests/resume-with-previous-stek.c | 4 2 + 2 - 0 !
2 files changed, 7 insertions(+), 14 deletions(-)

 stek: differentiate initial state from valid time window of
 TOTP
45_4.7.0plus 01_testpkcs11 use datefudge to trick certificate expiry.patch | (download)

tests/testpkcs11.sh | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch 3/6] testpkcs11: use datefudge to trick certificate expiry