5eee309aeb
Fixes the following security issues:
* CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
that there is an uninitialized pointer access in gnutls versions 3.6.3 or
later which can be triggered by certain post-handshake messages
* CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
before 3.6.7. A memory corruption (double free) vulnerability in the
certificate verification API. Any client or server application that
verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:
https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html
HTTP URLs changed to HTTPS in COPYING, so update license hash.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1dd5576ccb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
################################################################################
#
# gnutls
#
################################################################################

# Buildroot package definition for GnuTLS. Per the accompanying commit
# message, 3.6.7 carries the fixes for CVE-2019-3836 and CVE-2019-3829, and
# 3.6.7.1 differs from it only by a packaging fix in the release tarball.
GNUTLS_VERSION_MAJOR = 3.6
GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).7.1
GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
# NOTE(review): HTTPS protects the transfer only; tarball integrity is
# presumably pinned by the package's hash file, which is not shown here.
# Confirm it was updated for this version.
GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
GNUTLS_LICENSE = LGPL-2.1+ (core library), GPL-3.0+ (gnutls-openssl library)
GNUTLS_LICENSE_FILES = doc/COPYING doc/COPYING.LESSER
GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
# Baseline configure flags: documentation, guile, libdane, rpath and TPM
# support are switched off, the OpenSSL compatibility library is built, and
# the command-line tools are built only when BR2_PACKAGE_GNUTLS_TOOLS is set.
GNUTLS_CONF_OPTS = \
	--disable-doc \
	--disable-guile \
	--disable-libdane \
	--disable-rpath \
	--enable-local-libopts \
	--enable-openssl-compatibility \
	--with-librt-prefix=$(STAGING_DIR) \
	--without-tpm \
	$(if $(BR2_PACKAGE_GNUTLS_TOOLS),--enable-tools,--disable-tools)
# Pre-seeded configure cache answers; the wchar-related ones follow
# BR2_USE_WCHAR. Presumably these checks cannot be run reliably when
# cross-compiling (TODO confirm).
GNUTLS_CONF_ENV = gl_cv_socket_ipv6=yes \
	ac_cv_header_wchar_h=$(if $(BR2_USE_WCHAR),yes,no) \
	gt_cv_c_wchar_t=$(if $(BR2_USE_WCHAR),yes,no) \
	gt_cv_c_wint_t=$(if $(BR2_USE_WCHAR),yes,no) \
	gl_cv_func_gettimeofday_clobber=no
GNUTLS_INSTALL_STAGING = YES

# libpthread autodetection poisons the link path, so point configure at the
# staging tree whenever the toolchain provides threads.
GNUTLS_CONF_OPTS += $(if $(BR2_TOOLCHAIN_HAS_THREADS),--with-libpthread-prefix=$(STAGING_DIR)/usr)

# gnutls needs libregex, but pcre can be used too.
# The configure check isn't cross-compile friendly, so its result is
# pre-seeded and the pcreposix header and flags are passed explicitly. The
# backticks are not interpreted by make; they are left for the shell that
# runs configure.
GNUTLS_CONF_ENV += libopts_cv_with_libregex=yes
GNUTLS_CONF_OPTS += \
	--with-regex-header=pcreposix.h \
	--with-libregex-cflags="`$(PKG_CONFIG_HOST_BINARY) libpcreposix --cflags`" \
	--with-libregex-libs="`$(PKG_CONFIG_HOST_BINARY) libpcreposix --libs`"

# crywrap is treated as part of the tools (the original note says it needs
# WCHAR, as the tools do), so it is disabled when the tools are not selected.
ifeq ($(BR2_PACKAGE_GNUTLS_TOOLS),)
GNUTLS_CONF_OPTS += --disable-crywrap
endif

# Prerequisite for crywrap: link against argp-standalone when it is selected.
ifeq ($(BR2_PACKAGE_ARGP_STANDALONE),y)
GNUTLS_CONF_ENV += LIBS="-largp"
GNUTLS_DEPENDENCIES += argp-standalone
endif

# On targets without an MMU the crywrap wrapper must be excluded because it
# uses fork (the original note ties this to libidn support on nommu).
GNUTLS_CONF_OPTS += $(if $(BR2_USE_MMU),,--disable-crywrap)

# Enable cryptodev support only when cryptodev-linux is selected.
ifeq ($(BR2_PACKAGE_CRYPTODEV_LINUX),y)
GNUTLS_CONF_OPTS += --enable-cryptodev
GNUTLS_DEPENDENCIES += cryptodev-linux
endif

# IDN support: both branches pass an explicit flag, so the result follows the
# Buildroot configuration rather than whatever configure would detect.
ifeq ($(BR2_PACKAGE_LIBIDN2),y)
GNUTLS_CONF_OPTS += --with-idn
GNUTLS_DEPENDENCIES += libidn2
else
GNUTLS_CONF_OPTS += --without-idn
endif

# PKCS#11 support through p11-kit, likewise stated explicitly in both branches.
ifeq ($(BR2_PACKAGE_P11_KIT),y)
GNUTLS_CONF_OPTS += --with-p11-kit
GNUTLS_DEPENDENCIES += p11-kit
else
GNUTLS_CONF_OPTS += --without-p11-kit
endif

# Use the libunistring package from staging when it is selected, otherwise the
# copy included with gnutls.
ifeq ($(BR2_PACKAGE_LIBUNISTRING),y)
GNUTLS_CONF_OPTS += --with-libunistring-prefix=$(STAGING_DIR)/usr
GNUTLS_DEPENDENCIES += libunistring
else
GNUTLS_CONF_OPTS += --with-included-unistring
endif

# Provide a default CA cert location: the p11-kit trust module when p11-kit is
# selected, otherwise the ca-certificates bundle when that package is selected.
# NOTE(review): when neither package is selected, no trust-store option is
# passed at all. Confirm that configure does not then record a path detected
# on the build host, and that applications on such targets load their own
# trust anchors instead of relying on the system default.
ifeq ($(BR2_PACKAGE_P11_KIT),y)
GNUTLS_CONF_OPTS += --with-default-trust-store-pkcs11=pkcs11:model=p11-kit-trust
else ifeq ($(BR2_PACKAGE_CA_CERTIFICATES),y)
GNUTLS_CONF_OPTS += --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
endif

# Expand the autotools-package macro, which consumes the GNUTLS_* variables
# defined above.
$(eval $(autotools-package))