Add a BR2_PACKAGE_GNUTLS_OPENSSL option, disabled by default since it is
not used by any package that depends on gnutls.
The library is licensed under GPLv3, which can be a problem for embedded
systems due to the so-called anti-tivoization clause.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
[Thomas: don't repeat the license details for the gnutls-openssl case,
simply append to them]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
* CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
that there is an uninitialized pointer access in gnutls versions 3.6.3 or
later which can be triggered by certain post-handshake messages
* CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
before 3.6.7. A memory corruption (double free) vulnerability in the
certificate verification API. Any client or server application that
verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:
https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html
HTTP URLs changed to HTTPS in COPYING, so update license hash.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gnutls source code uses the C++11 <atomic> functionality since
7978a73346,
which internally is implemented using the __atomic_*() gcc built-ins
On certain architectures, the __atomic_*() built-ins are implemented in
the libatomic library that comes with the rest of the gcc runtime. Due
to this, code using <atomic> might need to link against libatomic,
otherwise one hits build issues such as:
../lib/.libs/libgnutls.so: undefined reference to `__atomic_fetch_sub_4'
on an architecture like SPARC.
To solve this, a configure.ac check is added to know if we need to
link against libatomic or not. The library is also added to gnutls.pc.
Fixes:
- http://autobuild.buildroot.org/results/6c749bd592ceffeacadd2ab570d127936cce64b2
- http://autobuild.buildroot.org/results/30aa83d3cf3482af8a59250c196c85f4a278d343
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use the included copy of libunistring unless BR2_PACKAGE_LIBUNISTRING
is already selected.
The resulting gnutls library with libunistring included is about 1.2 MB
smaller than the sum of libgnutls and libunistring.
Signed-off-by: Sven Neumann <neumann@teufel.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add link to tarball signature.
Add license hashes.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
HTTPS works better behind certain corporate firewalls.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7507: decoding a status request TLS extension that has a
non-empty responder IDs list could lead to a crash due to a null pointer
dereference.
https://lists.gnupg.org/pipermail/gnutls-devel/2017-June/008446.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for GPLv3/GPLv3+ is GPL-3.0/GPL-3.0+.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv3\>/GPL-3.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
GNUTLS-SA-2017-3A - Addressed integer overflow resulting to invalid
memory write in OpenPGP certificate parsing.
GNUTLS-SA-2017-3B - Addressed crashes in OpenPGP certificate parsing,
related to private key parser. No longer allow OpenPGP certificates
(public keys) to contain private key sub-packets.
GNUTLS-SA-2017-3C - Addressed large allocation in OpenPGP certificate
parsing, that could lead in out-of-memory condition.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The 3.5.x has been promoted to stable, hence 3.4.x is deprecated and
3.3.x kept as old-stable.
libdane now specifies LGPLv2.1+ so drop the README kludge (which is also
gone regarding licensing).
libunistring is a new dependency, even though gnutls ships a builtin version
we prefer to use unbundled to avoid duplication with other users and target
size growth.
Fixes:
GNUTLS-SA-2017-01 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted X.509 certificate with
Proxy Certificate Information extension present could lead to a double
free.
GNUTLS-SA-2017-02 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted OpenPGP certificate
could lead to heap and stack overflows.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
GNUTLS-SA-2016-2 - vulnerability that affects certificate verification
when GnuTLS is used in combination with the p11-kit trust module.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
GnuTLS core library is licensed under LGPLv2.1+ while gnutls-openssl
library is licensed under GPLv3+. Annotate the license with components.
Reviewed-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
[Thomas:
- add comment about the license of the "core library" since some files
seems to be mistakenly under LGPLv3+ even though the library is
licensed under LGPLv2.1+.
- add the README file in the license information, since it contains a
lot of useful details.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patch now upstream, so drop it along autoreconf and gettextize.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It's no longer required, tools are guarded by ENABLE_TOOLS in
Makefile.am and excluded accordingly.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It's no longer required, SUBDIRS += doc is guarded by ENABLE_DOC in
Makefile.am and the only place where it's used regardless is in
dist-hook which isn't used by buildroot.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The 3.4 series has been promoted to stable.
Handle autodeps more concisely (idn, p11-kit, zlib).
libtasn1 is now mandatory, since otherwise gnutls uses the bundled
version it makes no sense to try that because of target duplication.
Disable tpm support since we've got no trousers package.
Disable libdane support since we've got no dane package.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>