From patchwork Thu Mar 2 10:14:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6655 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4PS7723cbnz3x6x for ; Thu, 2 Mar 2023 10:45:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4PS6h04lh1zbN; Thu, 2 Mar 2023 10:25:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4PS6h02jr1z30Jr; Thu, 2 Mar 2023 10:25:52 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4PS6gy2smGz2xR9 for ; Thu, 2 Mar 2023 10:25:50 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4PS6R81fPrz3n3; Thu, 2 Mar 2023 10:14:44 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1677752084; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sWEw7jk9GS2xrMwr0HK9JwQ45aiLbKCHLzX8i9+cPO8=; b=W1acX8QX3MaWlh19FyRYimyrRyzyjPlR2Q537y1432gYtYYZELqIeL13DFEmk5kOC9Ofvc 4VAOJmGA+2PcLsCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1677752084; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sWEw7jk9GS2xrMwr0HK9JwQ45aiLbKCHLzX8i9+cPO8=; b=T+ODL7GD2b++3JKk2988Dg3CWZRYxjV2L1fe3CIuj2KvtmXOY/SUuNWQqQPCUHobtpympV zL5zXPeZ9Z1WR7PBq1FNe7II8mdlAITnkfLVh76eHQ451vtQRyCZtFVO8LFsY9bdyh8O5s MyBVxZO1pN+pB6wrkx4+xbbMcVpfUm2dh+CjOl2L3y0n07NCiotrdYKs6f72DADFEC5NJa +pBYFPw5QTbxwHiT1mo3Kn1q5xMm1T0aCJSFlY+aLpJv+BJudqVpmnRcoGS8EZi8+JeqxS sf2nYitPWsYRBFhDefdN3SeQeYcooXUXjHM8XxomEJr36YNy3AJmhLiUO5fWPA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] gnutls: Update to version 3.8.0 Date: Thu, 2 Mar 2023 11:14:10 +0100 Message-Id: <20230302101419.3443689-5-adolf.belka@ipfire.org> In-Reply-To: <20230302101419.3443689-1-adolf.belka@ipfire.org> References: <20230302101419.3443689-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from version 3.7.7 to 3.8.0 - Update of rootfile - Changelog Version 3.8.0 (unreleased 2023-02-09) -- libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] -- libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. -- libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. -- libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. -- libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. -- libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any indentation issues if you make code modifications. -- guile: Guile-bindings removed. They have been extracted into a separate project to reduce complexity and to simplify maintenance, see . -- minitasn1: Upgraded to libtasn1 version 4.19. -- API and ABI modifications: GNUTLS_NO_STATUS_REQUEST: New flag GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member Version 3.7.8 (released 2022-09-27) -- libgnutls: In FIPS140 mode, RSA signature verification is an approved operation if the key has modulus with known sizes (1024, 1280, 1536, and 1792 bits), in addition to any modulus sizes larger than 2048 bits, according to SP800-131A rev2. -- libgnutls: gnutls_session_channel_binding performs additional checks when GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the "tls-exporter" channel binding is only usable when the handshake is bound to a unique master secret (i.e., either TLS 1.3 or extended master secret extension is negotiated). Otherwise the function now returns error. -- libgnutls: usage of the following functions, which are designed to loosen restrictions imposed by allowlisting mode of configuration, has been additionally restricted. Invoking them is now only allowed if system-wide TLS priority string has not been initialized yet: gnutls_digest_set_secure gnutls_sign_set_secure gnutls_sign_set_secure_for_certs gnutls_protocol_set_enabled -- API and ABI modifications: No changes since last version. Signed-off-by: Adolf Belka --- config/rootfiles/common/gnutls | 8 +++----- lfs/gnutls | 6 +++--- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 77ce36c88..508596906 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -5,7 +5,6 @@ usr/bin/gnutls-cli-debug usr/bin/gnutls-serv usr/bin/ocsptool usr/bin/psktool -usr/bin/srptool #usr/include/gnutls #usr/include/gnutls/abstract.h #usr/include/gnutls/compat.h @@ -33,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.34.1 +usr/lib/libgnutls.so.30.35.0 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.30 @@ -53,7 +52,6 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/doc/gnutls/pkcs11-vision.png #usr/share/info/gnutls-client-server-use-case.png #usr/share/info/gnutls-crypto-layers.png -#usr/share/info/gnutls-guile.info #usr/share/info/gnutls-handshake-sequence.png #usr/share/info/gnutls-handshake-state.png #usr/share/info/gnutls-internals.png @@ -77,10 +75,12 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/locale/fi/LC_MESSAGES/gnutls.mo #usr/share/locale/fr/LC_MESSAGES/gnutls.mo #usr/share/locale/it/LC_MESSAGES/gnutls.mo +#usr/share/locale/ka/LC_MESSAGES/gnutls.mo #usr/share/locale/ms/LC_MESSAGES/gnutls.mo #usr/share/locale/nl/LC_MESSAGES/gnutls.mo #usr/share/locale/pl/LC_MESSAGES/gnutls.mo #usr/share/locale/pt_BR/LC_MESSAGES/gnutls.mo +#usr/share/locale/ro/LC_MESSAGES/gnutls.mo #usr/share/locale/sr/LC_MESSAGES/gnutls.mo #usr/share/locale/sv/LC_MESSAGES/gnutls.mo #usr/share/locale/uk/LC_MESSAGES/gnutls.mo @@ -94,7 +94,6 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man1/ocsptool.1 #usr/share/man/man1/p11tool.1 #usr/share/man/man1/psktool.1 -#usr/share/man/man1/srptool.1 #usr/share/man/man1/tpmtool.1 #usr/share/man/man3/dane_cert_type_name.3 #usr/share/man/man3/dane_cert_usage_name.3 @@ -1280,4 +1279,3 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_x509_trust_list_verify_crt.3 #usr/share/man/man3/gnutls_x509_trust_list_verify_crt2.3 #usr/share/man/man3/gnutls_x509_trust_list_verify_named_crt.3 - diff --git a/lfs/gnutls b/lfs/gnutls index 089b37719..7336528f6 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.7.7 +VER = 3.8.0 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 +$(DL_FILE)_BLAKE2 = 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a53673f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40 install : $(TARGET)