net-libs/gnutls: upgraded to version 3.8.5
BUG=b/338178385
TEST=presubmit
RELEASE_NOTE=Updated net-libs/gnutls to version 3.8.5. This fixed CVE-2024-28834.
cos-patch: security-high
Change-Id: Ib73c9ce5024ed12a70409f34346c75d13a5b893c
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/71174
Reviewed-by: Kevin Berry <kpberry@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Michael Kochera <kochera@google.com>
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index de811b1..38ec0c0 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,16 +1,2 @@
-DIST gnutls-3.7.6.tar.xz 6338276 BLAKE2B 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3 SHA512 f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
-DIST gnutls-3.7.6.tar.xz.sig 685 BLAKE2B eae022d6cb0d772e465257411381afd97f3dfd19d6f794a1c3e0f8c3c1232a8a1b91269ca7252a5662782183b11ca393c31efe3f88171a526884400fd0534528 SHA512 c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e
-DIST gnutls-3.7.7.tar.xz 6351664 BLAKE2B a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 SHA512 ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08
-DIST gnutls-3.7.7.tar.xz.sig 685 BLAKE2B 53d76a06ed5a74664d6c193459eb310f06e87dd3db97aca9e9fa78837677df58d8de66f187c182b9375786ee0308c5da55f08414183c959c7acb4527c38cd7c7 SHA512 6463bc4661e20051ff9f31c1a557cece34d06b748f4e24f98e807ddc72a3daa9348aa9f0afa83a0f9cd226421c575210eec1936fbeb9a55849e2c397ace9d03d
-DIST gnutls-3.7.8.tar.xz 6029220 BLAKE2B 0a21e63c7cb0ba4eeff23593c7282e0b4d704fa2d2a1cd5289998fd04b58ea36fc343f872225ad05478e278b1cdebbcd0fd376459abcb58547f8fa1488485530 SHA512 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359
-DIST gnutls-3.7.8.tar.xz.sig 1250 BLAKE2B 66c6a335c3b2290a4e44ffa6ae715ad71d2bcd7df485c1d2d9490985d9dcd445768d6eb021ad3a61614431183c6652254c63ebd8abd0f0a03d3164a6193b6192 SHA512 cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7
-DIST gnutls-3.7.9.tar.xz 6377212 BLAKE2B c8263381132b0c96f23a580823cfaf57112056876e5f2cc21aec4eeddec641b0c01fa02ff9493ea686f49fd917190b06f89379eb448a510cf4d50fe3a0742851 SHA512 56ccbab5f214f9e3cf10a43dd90dedc1e10a38d08b8359a4305dc05c59ddb4a1d3680b282077b6446605c31675a4261cd0579c2c0d976e0b2ced02e6dba224c1
-DIST gnutls-3.7.9.tar.xz.sig 685 BLAKE2B 2e7ba793d026cf96c54c75a81160c58cf21d6d5f034a603ffe88d5fa4cbfa1d4fd590efbe81fbee7790cd4956776085b7827fead67c9b07f1d7eadd405815eb7 SHA512 906227a0d6f57878e85e9acdf754d20b7628a7a95b40aeffced398a0a0c6220f5e32191a9f988f55b8b903bf55212179dce2abcc08c2bb3397a2704dd2319438
-DIST gnutls-3.8.0.tar.xz 6378480 BLAKE2B 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a53673f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40 SHA512 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629
-DIST gnutls-3.8.0.tar.xz.sig 684 BLAKE2B c5dbed12b8233ed8502dac16b77d6043591296f4b9ddb0445271e8fe875c2a05b9663ad6523cca6355faaa9d244cc6e6fb8ff0d65fee47b36ab6b57f57d89f64 SHA512 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654
-DIST gnutls-3.8.1.tar.xz 6447056 BLAKE2B 16cb6d2dc7d67724ff45765ae3f154c8d268d8c4547df591a95ff014fc18f16f572a76e3cd00b3e13615ba41e80141cef21aa9915b467a1c452edfe314e2e0c7 SHA512 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872
-DIST gnutls-3.8.1.tar.xz.sig 685 BLAKE2B bfafa80bef81c2a24556f010f00294643ba7901eff07f055a0ebd9ca532b47b7b3d3403e9d1a1389c14e6f37f474a37afa2844f326d5ab35fa35b195f2ff1ade SHA512 f03fde611927c83f6b57af695d5610ba3cefbb88a261cf5485c94b3fb32c7480a77c68a353a6a28185337195e30011d6b5578c53ea4180a656cf7b175156f7f1
-DIST gnutls-3.8.2.tar.xz 6456540 BLAKE2B d70524f17919bc02fefc610ede948d209e50e3276fc1e2d40aaed5c208265455da220d948f4a3f21db57f9d253c103f3a1b9a6daa2229d02c7c224448acc2777 SHA512 b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38
-DIST gnutls-3.8.2.tar.xz.sig 685 BLAKE2B 7f82c047991d327cc1040bc38ba59e49bb1698968a833d73ec9ea8827b8d49586d5e5b6b6be313810d57ca60d09057b151264731ce5d995032a462717bcdc4ad SHA512 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6
-DIST gnutls-3.8.3.tar.xz 6463720 BLAKE2B 27a4bb4d8a5697e2187113351b2ad1e849bca7bcfb556c1b54fc2d02bef16e2789e7c437ac8db8fe6d2bcfc0e3e3467bbff2dd5d2fc0adb9bf8bda81cb89e452 SHA512 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84
-DIST gnutls-3.8.3.tar.xz.sig 580 BLAKE2B 25875eb17d9e59bf1f1b6a61dfc7657d838ac154dbb3e26c8df1995884077878ca607de62a8ce3b9287df1ea7ff523c0abc7c4548f1ca789c308eb6bda0edbaa SHA512 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff
+DIST gnutls-3.8.5.tar.xz 6491504 BLAKE2B 30ea0e213b426df896af7cddfc39a7c50fd3130f99ced8386dc55e851122a37f6171722d2cb4abb68b9d2523cd3ba044b01248d740571a3bdd0cadf555894cdf SHA512 4bac1aa7ec1dce9b3445cc515cc287a5af032d34c207399aa9722e3dc53ed652f8a57cfbc9c5e40ccc4a2631245d89ab676e3ba2be9563f60ba855aaacb8e23c
+DIST gnutls-3.8.5.tar.xz.sig 119 BLAKE2B 62ff7b33fb80422774f8252f574560679b7dc4fa56fa680a4cf570320fa9692aa6f8b6a7e4683a684572287cfd22168f58679d2dc4cc507dc50269ed126990fd SHA512 b0f7a8ec348765112cac75fd732e066adaa1595bb83024cfeff6633aba35277d8aceda145c733c3d95f1e0eb4d34fead2479abdb08d6041362094a235460fa67
diff --git a/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch b/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
deleted file mode 100644
index b3d10c1..0000000
--- a/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://bugs.gentoo.org/911872
-https://gitlab.com/gnutls/gnutls/-/commit/abfa8634db940115a11a07596ce53c8f9c4f87d2
-
-From abfa8634db940115a11a07596ce53c8f9c4f87d2 Mon Sep 17 00:00:00 2001
-From: Adrian Bunk <bunk@debian.org>
-Date: Sun, 6 Aug 2023 22:46:22 +0300
-Subject: [PATCH] Move the GNUTLS_NO_EXTENSIONS compatibility #define to
- gnutls.h
-
-Signed-off-by: Adrian Bunk <bunk@debian.org>
---- a/lib/ext/ext_master_secret.h
-+++ b/lib/ext/ext_master_secret.h
-@@ -23,9 +23,6 @@
- #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
- #define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
-
--/* Keep backward compatibility */
--#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
--
- #include <hello_ext.h>
-
- extern const hello_ext_entry_st ext_mod_ext_master_secret;
---- a/lib/includes/gnutls/gnutls.h.in
-+++ b/lib/includes/gnutls/gnutls.h.in
-@@ -542,6 +542,9 @@ typedef enum {
- #define GNUTLS_ENABLE_CERT_TYPE_NEG 0
- // Here for compatibility reasons
-
-+/* Keep backward compatibility */
-+#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
-+
- /**
- * gnutls_alert_level_t:
- * @GNUTLS_AL_WARNING: Alert of warning severity.
---- a/lib/state.h
-+++ b/lib/state.h
-@@ -110,7 +110,4 @@ inline static int _gnutls_PRF(gnutls_session_t session, const uint8_t *secret,
-
- #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509
-
--/* Keep backward compatibility */
--#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
--
- #endif /* GNUTLS_LIB_STATE_H */
---
-GitLab
diff --git a/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
new file mode 100644
index 0000000..6905f79
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
@@ -0,0 +1,261 @@
+https://bugs.gentoo.org/930752
+https://bugs.gentoo.org/930529
+https://gitlab.com/gnutls/gnutls/-/issues/1540
+https://gitlab.com/gnutls/gnutls/-/merge_requests/1830
+https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d
+
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+ bool force_ext_master_secret_set;
+ };
+
++static inline void cfg_init(struct cfg *cfg)
++{
++ memset(cfg, 0, sizeof(*cfg));
++ cfg->allow_rsa_pkcs1_encrypt = true;
++}
++
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+ if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+ size_t curves_size;
+ };
+
++static inline void ini_ctx_init(struct ini_ctx *ctx)
++{
++ memset(ctx, 0, sizeof(*ctx));
++ cfg_init(&ctx->cfg);
++}
++
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+ cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+ _gnutls_default_priority_string = cfg->default_priority_string;
+ }
+
+- /* enable RSA-PKCS1-V1_5 by default */
+- cfg->allow_rsa_pkcs1_encrypt = true;
+-
+ if (cfg->allowlisting) {
+ /* also updates `flags` of global `hash_algorithms[]` */
+ ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+ return 0;
+ }
+
++/* Returns false on parse error, otherwise true.
++ * The system_wide_config must be locked for writing.
++ */
++static inline bool load_system_priority_file(void)
++{
++ int err;
++ FILE *fp;
++ struct ini_ctx ctx;
++
++ cfg_init(&system_wide_config);
++
++ fp = fopen(system_priority_file, "re");
++ if (fp == NULL) {
++ _gnutls_debug_log("cfg: unable to open: %s: %d\n",
++ system_priority_file, errno);
++ return true;
++ }
++
++ /* Parsing the configuration file needs to be done in 2 phases:
++ * first parsing the [global] section
++ * and then the other sections,
++ * because the [global] section modifies the parsing behavior.
++ */
++ ini_ctx_init(&ctx);
++ err = ini_parse_file(fp, global_ini_handler, &ctx);
++ if (!err) {
++ if (fseek(fp, 0L, SEEK_SET) < 0) {
++ _gnutls_debug_log("cfg: unable to rewind: %s\n",
++ system_priority_file);
++ if (fail_on_invalid_config)
++ exit(1);
++ }
++ err = ini_parse_file(fp, cfg_ini_handler, &ctx);
++ }
++ fclose(fp);
++ if (err) {
++ ini_ctx_deinit(&ctx);
++ _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
++ system_priority_file, err);
++ return false;
++ }
++ cfg_apply(&system_wide_config, &ctx);
++ ini_ctx_deinit(&ctx);
++ return true;
++}
++
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+- int ret, err = 0;
++ int ret;
++ bool config_parse_error = false;
+ struct stat sb;
+- FILE *fp;
+ gnutls_buffer_st buf;
+- struct ini_ctx ctx;
+
+ ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+ return gnutls_assert_val(ret);
+- }
+
+ if (stat(system_priority_file, &sb) < 0) {
+ _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+ system_priority_file, errno);
++
++ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
++ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
++ if (ret < 0)
++ goto out;
++ /* If system-wide config is unavailable, apply the defaults */
++ cfg_init(&system_wide_config);
+ goto out;
+ }
+
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ system_priority_last_mod == sb.st_mtime) {
+ _gnutls_debug_log("cfg: system priority %s has not changed\n",
+ system_priority_file);
+- if (system_wide_config.priority_string) {
++ if (system_wide_config.priority_string)
+ goto out; /* nothing to do */
+- }
+ }
+
+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+- if (ret < 0) {
++ if (ret < 0)
+ return gnutls_assert_val(ret);
+- }
+
+ /* Another thread could have successfully re-read system-wide config,
+ * skip re-reading if the mtime it has used is exactly the same.
+ */
+- if (system_priority_file_loaded) {
++ if (system_priority_file_loaded)
+ system_priority_file_loaded =
+ (system_priority_last_mod == sb.st_mtime);
+- }
+
+ if (!system_priority_file_loaded) {
+- _name_val_array_clear(&system_wide_config.priority_strings);
+-
+- gnutls_free(system_wide_config.priority_string);
+- system_wide_config.priority_string = NULL;
+-
+- fp = fopen(system_priority_file, "re");
+- if (fp == NULL) {
+- _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+- system_priority_file, errno);
++ config_parse_error = !load_system_priority_file();
++ if (config_parse_error)
+ goto out;
+- }
+- /* Parsing the configuration file needs to be done in 2 phases:
+- * first parsing the [global] section
+- * and then the other sections,
+- * because the [global] section modifies the parsing behavior.
+- */
+- memset(&ctx, 0, sizeof(ctx));
+- err = ini_parse_file(fp, global_ini_handler, &ctx);
+- if (!err) {
+- if (fseek(fp, 0L, SEEK_SET) < 0) {
+- _gnutls_debug_log("cfg: unable to rewind: %s\n",
+- system_priority_file);
+- if (fail_on_invalid_config)
+- exit(1);
+- }
+- err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+- }
+- fclose(fp);
+- if (err) {
+- ini_ctx_deinit(&ctx);
+- _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+- system_priority_file, err);
+- goto out;
+- }
+- cfg_apply(&system_wide_config, &ctx);
+- ini_ctx_deinit(&ctx);
+ _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+ system_priority_file,
+ (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+
+- if (err && fail_on_invalid_config) {
++ if (config_parse_error && fail_on_invalid_config)
+ exit(1);
+- }
+
+ return ret;
+ }
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program. If not, see <https://www.gnu.org/licenses/>
+
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
++TEST=${builddir}/rsaes-pkcs1-v1_5
++CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++ echo "${TEST} expected to fail"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++ echo "${TEST} expected to succeed by default"
++ exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+--
+GitLab
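Review bot: In the stat()-failure path of `_gnutls_update_system_priorities`, a failed `gnutls_rwlock_wrlock` jumps to `out`, which unconditionally calls `gnutls_rwlock_unlock` on a lock this thread no longer holds (the read lock was released two lines earlier); the existing wrlock failure further down in the same function returns `gnutls_assert_val(ret)` directly, so the new branch should match it: `if (ret < 0) return gnutls_assert_val(ret);`. A second point to confirm: both `load_system_priority_file` and that stat-failure path now `cfg_init(&system_wide_config)`, i.e. memset the global, where the removed code first called `_name_val_array_clear` on `priority_strings` and freed `priority_string`; unless `cfg_apply` (outside the hunk) releases the previous allocations, a re-read after the file changes or disappears leaks them, and a `cfg_deinit(&system_wide_config);` before each `cfg_init` would preserve the old behaviour. Since this is a verbatim upstream commit, either fix belongs upstream or as a separate follow-up patch in files/ rather than an edit to this file.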
diff --git a/net-libs/gnutls/gnutls-3.8.3.ebuild b/net-libs/gnutls/gnutls-3.8.5-r1.ebuild
similarity index 95%
rename from net-libs/gnutls/gnutls-3.8.3.ebuild
rename to net-libs/gnutls/gnutls-3.8.5-r1.ebuild
index b6b1f91..c5638a6 100644
--- a/net-libs/gnutls/gnutls-3.8.3.ebuild
+++ b/net-libs/gnutls/gnutls-3.8.5-r1.ebuild
@@ -52,7 +52,7 @@
net-dialup/ppp
net-misc/socat
)
- verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20231129 )
+ verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20240415 )
"
DOCS=( README.md doc/certtool.cfg )
@@ -66,6 +66,12 @@
static_assert
)
+PATCHES=(
+ # Should no longer be needed for the next release
+ # bug #930529
+ "${FILESDIR}"/${PN}-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch
+)
+
src_prepare() {
default