Package: gnutls28 / 3.7.1-4

Metadata

Package: gnutls28
Version: 3.7.1-4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
14_version_gettextcat.diff

configure.ac | 3 3 + 0 - 0 !
lib/global.c | 2 1 + 1 - 0 !
lib/str.h | 2 1 + 1 - 0 !
libdane/errors.c | 2 1 + 1 - 0 !
po/Makevars | 2 1 + 1 - 0 !
5 files changed, 7 insertions(+), 4 deletions(-)

 Version filename of locale data (gnutls30.mo instead of
 gnutls.mo). This is necessary to make e.g. libgnutls26 and libgnutls28
 co-installable.
30_guile snarf.diff

guile/src/Makefile.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 Work around guile-snarf hardcoding the at-build default compiler,
 which breaks when it changes in Debian.
40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff

src/serv.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 Fix testsuite errors on IPv6-only hosts.
 Do not set the AI_ADDRCONFIG flag on getaddrinfo since it breaks the
 testsuite on hosts with no IPv4 addresses except for the loopback interface.
 With that flag present gnutls-serv would only listen on IPv6 interfaces, but
 the testsuite talks to 127.0.0.1.
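
The failure mode this patch describes, as an added example that is not part of gnutls or of the patch: a small wrapper around getaddrinfo() that counts the addresses offered for a loopback listen address with and without AI_ADDRCONFIG. The function names count_listen_addrs and addrconfig_breaks_loopback are hypothetical; the behaviour with the flag depends on the host's configured interfaces, which is exactly why the patch drops it.

```c
/* Added example, not gnutls code. Shows what AI_ADDRCONFIG does to a
 * numeric loopback listen address. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Count the addresses getaddrinfo() offers for binding host:port with
 * AI_PASSIVE plus extra_flags (0 or AI_ADDRCONFIG).
 * Returns the number of results, or -1 when getaddrinfo() fails.
 * With AI_ADDRCONFIG, glibc only offers an address family for which a
 * non-loopback address is configured, so on a host whose only IPv4
 * address is 127.0.0.1 the numeric "127.0.0.1" lookup fails and the
 * server never binds the address the testsuite connects to. */
int count_listen_addrs(const char *host, const char *port, int extra_flags)
{
    struct addrinfo hints, *res, *p;
    int n = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;            /* as a dual-stack server would */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV | extra_flags;

    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next)
        n++;
    freeaddrinfo(res);
    return n;
}

/* 1 if adding AI_ADDRCONFIG changes the outcome for host:port on this
 * machine (the testsuite-breaking case), 0 if it makes no difference. */
int addrconfig_breaks_loopback(const char *host, const char *port)
{
    int plain = count_listen_addrs(host, port, 0);
    int cfg = count_listen_addrs(host, port, AI_ADDRCONFIG);
    return plain > 0 && cfg != plain;
}
```

Without the flag the numeric lookup always yields the one AF_INET/SOCK_STREAM result; with it the result is either the same or a failure, depending on whether the host has a non-loopback IPv4 address, so a listener that must accept 127.0.0.1 should not set it.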
55_01 _gnutls_buffer_resize account for unused area if AGG.patch

lib/str.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
 AGGRESSIVE_REALLOC

Signed-off-by: Daiki Ueno <ueno@gnu.org>

55_02 str suppress Wunused function if AGGRESSIVE_REALLOC .patch

lib/str.c | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
 defined

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_01 srptool avoid FILE pointer leak on error.patch

src/srptool.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [PATCH 1/5] srptool: avoid FILE pointer leak on error

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_02 gnutls cli debug avoid resource leak in saving DHE p.patch

src/tests.c | 15 12 + 3 - 0 !
1 file changed, 12 insertions(+), 3 deletions(-)

 [PATCH 2/5] gnutls-cli-debug: avoid resource leak in saving DHE
 params

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_03 src avoid file descriptor leak in socket_open2.patch

src/socket.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [PATCH 3/5] src: avoid file descriptor leak in socket_open2

Signed-off-by: Daiki Ueno <ueno@gnu.org>
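
The error-path leak that patches 1/5 and 3/5 above fix, shown as an added example that is not the srptool or socket.c code: a function that opens a descriptor and then fails at a later step, once with the descriptor left open and once with a single cleanup path, plus a small check that counts leaked descriptors by watching which number the next open() receives. All function names are hypothetical and the failing step is simulated.

```c
/* Added example, not gnutls code: descriptor leak on an error path,
 * the corrected form, and a way to detect the leak in a test. */
#include <fcntl.h>
#include <unistd.h>

/* Simulated later step (a parse error, a failed connect, ...). */
static int later_step_fails(void)
{
    return -1;
}

/* Buggy: the early return on the later failure skips close(). */
int open_then_fail_leaky(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (later_step_fails() < 0)
        return -1;              /* fd is never closed */
    close(fd);
    return 0;
}

/* Fixed: every exit after open() goes through one cleanup label. */
int open_then_fail_fixed(const char *path)
{
    int ret = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (later_step_fails() < 0)
        goto cleanup;
    ret = 0;
cleanup:
    close(fd);
    return ret;
}

/* Lowest free descriptor number. open() always returns the lowest free
 * slot, so a leaked descriptor pushes this value up by one. */
int lowest_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    close(fd);
    return fd;
}

/* Number of descriptors fn() leaves open over `iterations` calls. */
int count_leaked_fds(int (*fn)(const char *), int iterations)
{
    int before = lowest_free_fd();
    for (int i = 0; i < iterations; i++)
        fn("/dev/null");
    return lowest_free_fd() - before;
}
```

The same detection works for FILE pointers, since fopen() consumes a descriptor; in a long-running tool such as a server or a proxy a leak of this kind exhausts RLIMIT_NOFILE after enough failed attempts.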

56_04 examples avoid memory leak in tlsproxy.patch

doc/examples/tlsproxy/tlsproxy.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [PATCH 4/5] examples: avoid memory leak in tlsproxy

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_05 examples avoid memory leak in ex verify.patch

doc/examples/ex-verify.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [PATCH 5/5] examples: avoid memory leak in ex-verify

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_10 build doc install missing image file gnutls crypto l.patch

doc/Makefile.am | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH] build: doc: install missing image file
 gnutls-crypto-layers.png

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

56_15 mem add _gnutls_reallocarray and _gnutls_reallocarra.patch

lib/mem.c | 24 24 + 0 - 0 !
lib/mem.h | 7 5 + 2 - 0 !
2 files changed, 29 insertions(+), 2 deletions(-)

 [PATCH 1/5] mem: add _gnutls_reallocarray and
 _gnutls_reallocarray_fast

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_16 pkcs11x find_ext_cb fix error propagation.patch

lib/pkcs11x.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [PATCH 2/5] pkcs11x: find_ext_cb: fix error propagation

Use explicit error value, as rv is not set in this code path.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_17 build avoid potential integer overflow in array allo.patch

lib/cert-cred-x509.c | 23 15 + 8 - 0 !
lib/cert-cred.c | 18 10 + 8 - 0 !
lib/hello_ext.c | 4 3 + 1 - 0 !
lib/pcert.c | 3 2 + 1 - 0 !
lib/pkcs11.c | 11 7 + 4 - 0 !
lib/pkcs11x.c | 5 4 + 1 - 0 !
lib/supplemental.c | 4 2 + 2 - 0 !
lib/x509/crl.c | 7 3 + 4 - 0 !
lib/x509/ocsp.c | 11 6 + 5 - 0 !
lib/x509/pkcs12.c | 15 6 + 9 - 0 !
lib/x509/verify-high.c | 43 18 + 25 - 0 !
lib/x509/verify-high2.c | 6 4 + 2 - 0 !
lib/x509/x509.c | 9 4 + 5 - 0 !
lib/x509/x509_ext.c | 12 6 + 6 - 0 !
14 files changed, 90 insertions(+), 81 deletions(-)

 [PATCH 3/5] build: avoid potential integer overflow in array
 allocation

This relies on _gnutls_reallocarray for all occasions of array
allocations, so that they can benefit from the built-in overflow
checks.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_18 build avoid integer overflow in additions.patch

lib/cert-cred.c | 5 5 + 0 - 0 !
lib/hello_ext.c | 5 5 + 0 - 0 !
lib/pkcs11.c | 6 6 + 0 - 0 !
lib/pkcs11x.c | 6 6 + 0 - 0 !
lib/supplemental.c | 5 5 + 0 - 0 !
lib/x509/ocsp.c | 11 11 + 0 - 0 !
lib/x509/pkcs12.c | 10 10 + 0 - 0 !
lib/x509/verify-high.c | 40 35 + 5 - 0 !
lib/x509/x509_ext.c | 16 16 + 0 - 0 !
9 files changed, 99 insertions(+), 5 deletions(-)

 [PATCH 4/5] build: avoid integer overflow in additions

Signed-off-by: Daiki Ueno <ueno@gnu.org>
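
The two arithmetic hazards that patches 3/5 and 4/5 above remove, as an added example that is not gnutls's own _gnutls_reallocarray or the patched x509 code: an overflow-checked reallocarray, a checked size_t addition, and a growing record array that uses both, beside the unchecked multiplication they replace. The names checked_reallocarray, checked_add_size, entry_list_push and naive_bytes are hypothetical, and the two-field record is a stand-in for the certificate and extension arrays the patches touch.

```c
/* Added example, not gnutls code: overflow-checked array growth. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Store n*size in *out and return 1 if the product fits in size_t,
 * otherwise return 0. Same test as BSD reallocarray(): when both
 * operands are below 2^(bits/2) the product cannot wrap, so the
 * division is only taken on the slow path. */
static int mul_ok(size_t n, size_t size, size_t *out)
{
    const size_t half = (size_t)1 << (sizeof(size_t) * 4);
    if ((n >= half || size >= half) && n != 0 && SIZE_MAX / n < size)
        return 0;
    *out = n * size;
    return 1;
}

/* realloc() that refuses to compute a wrapped byte count.
 * Returns NULL with errno = ENOMEM on overflow. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;
    if (!mul_ok(nmemb, size, &bytes)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, bytes);
}

/* a + b with overflow detection: returns 0 on wrap, 1 otherwise. */
int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* The unchecked computation: n * size silently wraps modulo 2^bits,
 * so a huge element count can turn into a tiny allocation. */
size_t naive_bytes(size_t n, size_t size)
{
    return n * size;
}

/* Stand-in for a parsed record (e.g. one extension or one certificate). */
struct entry {
    uint32_t oid_len;
    uint32_t value_len;
};

struct entry_list {
    struct entry *items;
    size_t count;
};

/* Append one record, checking both the element count increment and the
 * byte size. Returns 0 on success, -1 on overflow or allocation failure
 * (the list is left untouched in that case). */
int entry_list_push(struct entry_list *l, struct entry e)
{
    size_t new_count;
    struct entry *grown;

    if (!checked_add_size(l->count, 1, &new_count))
        return -1;
    grown = checked_reallocarray(l->items, new_count, sizeof *grown);
    if (grown == NULL)
        return -1;
    grown[l->count] = e;
    l->items = grown;
    l->count = new_count;
    return 0;
}
```

With SIZE_MAX/4 + 1 elements of 8 bytes, naive_bytes() returns 0 on both 32- and 64-bit targets, so the unchecked code would allocate a zero-length buffer and then write past it; checked_reallocarray() returns NULL for the same request.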

56_19 _gnutls_calloc remove unused function.patch

lib/mem.c | 11 0 + 11 - 0 !
lib/mem.h | 1 0 + 1 - 0 !
2 files changed, 12 deletions(-)

 [PATCH 5/5] _gnutls_calloc: remove unused function

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_20 priority add option to disable TLS 1.3 middlebox com.patch

NEWS | 5 5 + 0 - 0 !
doc/cha-gtls-app.texi | 4 4 + 0 - 0 !
lib/gnutls_int.h | 1 1 + 0 - 0 !
lib/handshake-tls13.c | 23 14 + 9 - 0 !
lib/handshake.c | 4 3 + 1 - 0 !
lib/priority.c | 9 9 + 0 - 0 !
lib/priority_options.gperf | 1 1 + 0 - 0 !
tests/Makefile.am | 2 1 + 1 - 0 !
tests/tls13-compat-mode.c | 140 140 + 0 - 0 !
9 files changed, 178 insertions(+), 11 deletions(-)

 [PATCH] priority: add option to disable TLS 1.3 middlebox
 compatibility mode

This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3
compatibility mode at run-time.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_24 handshake don t regenerate legacy_session_id in seco.patch

lib/handshake.c | 20 11 + 9 - 0 !
tests/tls13/hello_retry_request.c | 20 20 + 0 - 0 !
2 files changed, 31 insertions(+), 9 deletions(-)

 [PATCH] handshake: don't regenerate legacy_session_id in second CH
 after HRR

According to RFC 8446 4.1.2, the client must send the same Client
Hello after Hello Retry Request, except for certain extensions,
and thus legacy_session_id must be preserved.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_28 handshake fix timing of sending early data.patch

NEWS | 5 5 + 0 - 0 !
lib/cipher.c | 6 5 + 1 - 0 !
lib/constate.c | 46 39 + 7 - 0 !
lib/handshake-tls13.c | 92 33 + 59 - 0 !
lib/handshake.c | 70 70 + 0 - 0 !
lib/record.c | 2 1 + 1 - 0 !
lib/session_pack.c | 14 7 + 7 - 0 !
tests/tls13-early-data.c | 16 12 + 4 - 0 !
tests/tls13/prf-early.c | 8 4 + 4 - 0 !
9 files changed, 176 insertions(+), 83 deletions(-)

 [PATCH] handshake: fix timing of sending early data

Previously, the client was sending early data after receiving a Server
Hello message, which not only negates the benefit of 0-RTT, but also
was a logic error as it can only be decrypted by the server when the
initial handshake and the resuming handshake agree on the same
ciphersuites.  This fixes that behavior in the following ways:

- extend the session data format to include the selected ciphersuites,
  even in TLS 1.3
- set up the epoch for early data, right before the client sending
  early data (also right after the server deciding to accept early
  data).