Since the very beginning, libunistring was a mandatory dependency of
gnutls. However, it would use its internal copy if libunistring was not
selected. We never want that, so make libunistring an actual mandatory
dependency.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Version 3.7.4 added compression options with brotli, zlib and zstd.
These are automatically discovered, which makes their inclusion depend
on the build order. Therefore, explicitly enable/disable them.
Note that the configure help text says "--without-brotli" and
"--without-zstd", but the options are actually --without-libbrotli and
--without-libzstd. --without-zlib is correct in the help text.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The option is set a few lines below depending on
BR2_PACKAGE_GNUTLS_OPENSSL.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[yann.morin.1998@free.fr: move it all under a single conditional block]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The pcre/libregex dependency was removed in version 3.7.3 with upstream
commit 26578b7d02c269ff1d34ff782d84c7667734d03d, which removed the
bundled libopts. Remove the pcre dependency and the relevant CONF_OPTS
handling.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
gnutls's configure script has a weird approach where it first searches
for dependent libraries in the path specified by --prefix, before
searching in the default search path. Since we set --prefix to /usr,
and it doesn't take into account DESTDIR (which is anyway not set at
configure time), that means it will first search /usr/lib before
searching $(STAGING_DIR)/usr/lib.
Ideally, this would be fixed in the configure script itself. However,
the m4 file that does this is pretty complex, it's not immediately clear
where to add $DESTDIR. In addition it comes from gnulib which is a
somewhat annoying upstream.
Therefore, instead, bypass the prefix lookup with
--without-libfoo-prefix. Note that we could set
--with-libfoo-prefix=$(STAGING_DIR)/usr (the latter is already done for
librt and libpthread), but that's pretty pointless -
--without-libfoo-prefix in fact reverts to what should have been done in
the first place, i.e. use the toolchain search path.
Add --without-libfoo-prefix for all options defined in configure (found
with ./configure --help | grep without-.*-prefix). Most of these are
only used in tests (e.g. libcrypto) or even not at all (e.g. libiconv),
but it's fairly hard to discover this and to be sure that they are
indeed not needed, so better pass all of them.
Remove the now-redundant arguments for librt and libpthread.
Add a comment to remind people to revisit these when bumping the
version.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix the following build failure without threads raised since bump to
version 3.7.3 in commit 212b020bb4:
kx.c: In function '_gnutls_nss_keylog_write':
kx.c:164:33: error: 'keylog_mutex' undeclared (first use in this function); did you mean 'keylog_once'?
164 | if (gnutls_static_mutex_lock(&keylog_mutex) < 0) {
| ^~~~~~~~~~~~
| keylog_once
Fixes:
- http://autobuild.buildroot.org/results/e092bc11ce4b5908cb6285aa77a3594b8626eeec
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
GnuTls implements old, unsafe or unused protocols and cyphers
Secure embedded systems shall disable them in order to be certified.
This patch allows to select/deselect SSLv2 protocol and gost cipher.
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
[Peter: default options to 'n', move next to _GNUTLS_TOOLS, explicit
--enable]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
crywrap has been dropped since version 3.6.12 and
c991b52231
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds CPE ID information for a significant number of
packages.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
The server sending a "no_renegotiation" alert in an unexpected timing,
followed by an invalid second handshake was able to cause a TLS 1.3
client to crash via a null-pointer dereference. The crash happens in the
application's error handling path, where the gnutls_deinit function is
called after detecting a handshake failure (#1071).
[GNUTLS-SA-2020-09-04, CVSS: medium]
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since v3.6.14 gnutls wants to use the 'e' flag with fopen to set the
O_CLOEXEC flags. Since this is a glibc extension, it will trigger a
gnulib override of fopen on non-glibc systems, but that override
breaks the uClibc stdio.h header.
Fixes:
http://autobuild.buildroot.org/results/02f/02f2b524add307c8f7cc1af1ed0783bb1baf029a
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
* CVE-2020-13777: It was found that GnuTLS 3.6.4 introduced a
regression in the TLS protocol implementation. This caused the TLS
server to not securely construct a session ticket encryption key
considering the application supplied secret, allowing a MitM
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2
Release announcement:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
* CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a
regression in the DTLS protocol implementation. This caused the DTLS
client to not contribute any randomness to the DTLS negotiation
breaking the security guarantees of the DTLS protocol.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that the infra takes care of removing extraneous spaces before
commas, we can safely append to LICENSE variables.
This removes the only case where we had to use immediate assignment
to append to a variable.
Mechanical change, with:
$ sed -r -i -e 's/\<([^[:space:]]+_LICENSE) := \$\(\1\),/\1 += ,/' \
$(git grep -l -E '\<([^[:space:]]+_LICENSE) := \$\(\1\),')
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add a BR2_PACKAGE_GNUTLS_OPENSSL option, disabled by default since it is
not used by any package that depends on gnutls.
The library is licensed under GPLv3, which can be a problem for embedded
systems due to the so-called anti-tivoization clause.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
[Thomas: don't repeat the license details for the gnutls-openssl case,
simply append to them]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
* CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
that there is an uninitialized pointer access in gnutls versions 3.6.3 or
later which can be triggered by certain post-handshake messages
* CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
before 3.6.7. A memory corruption (double free) vulnerability in the
certificate verification API. Any client or server application that
verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:
https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html
HTTP URLs changed to HTTPS in COPYING, so update license hash.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gnutls source code uses the C++11 <atomic> functionality since
7978a73346,
which internally is implemented using the __atomic_*() gcc built-ins
On certain architectures, the __atomic_*() built-ins are implemented in
the libatomic library that comes with the rest of the gcc runtime. Due
to this, code using <atomic> might need to link against libatomic,
otherwise one hits build issues such as:
../lib/.libs/libgnutls.so: undefined reference to `__atomic_fetch_sub_4'
on an architecture like SPARC.
To solve this, a configure.ac check is added to know if we need to
link against libatomic or not. The library is also added to gnutls.pc.
Fixes:
- http://autobuild.buildroot.org/results/6c749bd592ceffeacadd2ab570d127936cce64b2
- http://autobuild.buildroot.org/results/30aa83d3cf3482af8a59250c196c85f4a278d343
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 19448f40a0 (gnutls: use included unistring unless libunistring is
selected) made libunistring an optional dependency. So now gnutls no longer
depend on wchar.
Drop wchar dependency of libmicrohttpd and libsoup, which are gnutls
reverse dependencies that do not depend themselves on wchar.
Update the comments in libsoup and taskd; the wchar dependency is now
not due to gnutls.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use the included copy of libunistring unless BR2_PACKAGE_LIBUNISTRING
is already selected.
The resulting gnutls library with libunistring included is about 1.2 MB
smaller than the sum of libgnutls and libunistring.
Signed-off-by: Sven Neumann <neumann@teufel.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add link to tarball signature.
Add license hashes.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The check-package script when ran gives warnings on text wrapping
on all of these Config files. This patch cleans up all warnings
related to the text wrapping for the Config files starting with
the letter g in the package directory.
The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
HTTPS works better behind certain corporate firewalls.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7507: decoding a status request TLS extension that has a
non-empty responder IDs list could lead to a crash due to a null pointer
dereference.
https://lists.gnupg.org/pipermail/gnutls-devel/2017-June/008446.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The gnutils code uses __attribute__((constructor)) and
__attribute__((destructor)) to call constructor/desctructor when a
shared library is loaded.
Constructor/desctructor are not used when a static library is used
(except when if -Wl,--whole-archive -lgnutls -Wno-whole-archive is
used, not tested).
Even if gnutls initialization (_gnutls_global_init()) may be
called manually, the gnutls maintainer said it's not supported [1].
"Note that static linking applications with gnutls is not something
supported. gnutls relies on library constructors and destructors
which are not loaded when linking statically."
Now the gnutls script warns about static linking [2].
So disable gnutls statically by adding "depends on !BR2_STATIC_LIBS"
at Kconfig level and --disable-static in GNUTLS_CONF_OPTS.
Fixes:
[taskd] http://autobuild.buildroot.net/results/c2d/c2dd5c1c9dc87d2943c15e58ee56e67d7375368c
[ffmpeg] http://autobuild.buildroot.net/results/892/8926d319d6d1cd1ee72239ad7d9ca869d2355628
[sngrep] http://autobuild.buildroot.net/results/f7f/f7fb42d3742f6f01000a0d181e0c785640284405
[1] https://gitlab.com/gnutls/gnutls/issues/203
[2] 6b74888679
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Romain: merge our two patches together
add some option comment
disable static libgnutls.a
add sngrep autobuilder reference]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: do not disable libgnutls.a]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
