r29710 - in /desktop/unstable/glib-networking/debian: ./ patches/
joss at users.alioth.debian.org
joss at users.alioth.debian.org
Fri Sep 23 18:30:27 UTC 2011
Author: joss
Date: Fri Sep 23 18:30:26 2011
New Revision: 29710
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=29710
Log:
* Include a handful of changes from upstream git to improve TLS
support.
+ 01_tls_small_keys.patch: allow small TLS keys that some embedded
servers use.
+ 02_gerror_crash.patch: fix a crash when passed a NULL GError.
+ 03_tls_compat.patch: use %COMPAT in the protocol lists to handle
some broken servers.
+ 04_rehandshake.patch: handle rehandshake requests.
+ 05_virtualhosts.patch: don’t reuse sessions for different virtual
hosts on the same IP, some broken servers don’t like that.
+ 06_gnutls3.patch: support GnuTLS 3.x, in case the transition
starts soon.
Added:
desktop/unstable/glib-networking/debian/patches/
desktop/unstable/glib-networking/debian/patches/01_tls_small_keys.patch
desktop/unstable/glib-networking/debian/patches/02_gerror_crash.patch
desktop/unstable/glib-networking/debian/patches/03_tls_compat.patch
desktop/unstable/glib-networking/debian/patches/04_rehandshake.patch
desktop/unstable/glib-networking/debian/patches/05_virtualhosts.patch
desktop/unstable/glib-networking/debian/patches/06_gnutls3.patch
desktop/unstable/glib-networking/debian/patches/series
Modified:
desktop/unstable/glib-networking/debian/changelog
Modified: desktop/unstable/glib-networking/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/changelog?rev=29710&op=diff
==============================================================================
--- desktop/unstable/glib-networking/debian/changelog [utf-8] (original)
+++ desktop/unstable/glib-networking/debian/changelog [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,3 +1,20 @@
+glib-networking (2.28.7-2) unstable; urgency=low
+
+ * Include a handful of changes from upstream git to improve TLS
+ support.
+ + 01_tls_small_keys.patch: allow small TLS keys that some embedded
+ servers use.
+ + 02_gerror_crash.patch: fix a crash when passed a NULL GError.
+ + 03_tls_compat.patch: use %COMPAT in the protocol lists to handle
+ some broken servers.
+ + 04_rehandshake.patch: handle rehandshake requests.
+ + 05_virtualhosts.patch: don’t reuse sessions for different virtual
+ hosts on the same IP, some broken servers don’t like that.
+ + 06_gnutls3.patch: support GnuTLS 3.x, in case the transition
+ starts soon.
+
+ -- Josselin Mouette <joss at debian.org> Fri, 23 Sep 2011 20:30:16 +0200
+
glib-networking (2.28.7-1) unstable; urgency=low
* New upstream release.
Added: desktop/unstable/glib-networking/debian/patches/01_tls_small_keys.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/01_tls_small_keys.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/01_tls_small_keys.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/01_tls_small_keys.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,31 @@
+From cbe4ab7294afc4afca0d8d1f9562e973ca8a1810 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Sat, 06 Aug 2011 00:04:03 +0000
+Subject: gnutls: override minimum key length
+
+By default, gnutls requires server keys to be a reasonable size and
+will return an error rather than connecting to a server with an
+insecurely small key. But other TLS libraries don't do this, and some
+web servers (especially embedded ones) use small keys. So bump down
+the limit.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=652284
+---
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index 48e05d6..da3f76e 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -253,6 +253,11 @@ g_tls_connection_gnutls_initable_init (GInitable *initable,
+ return FALSE;
+ }
+
++ /* Some servers (especially on embedded devices) use tiny keys that
++ * gnutls will reject by default. We want it to accept them.
++ */
++ gnutls_dh_set_prime_bits (gnutls->priv->session, 256);
++
+ gnutls_transport_set_push_function (gnutls->priv->session,
+ g_tls_connection_gnutls_push_func);
+ gnutls_transport_set_pull_function (gnutls->priv->session,
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/02_gerror_crash.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/02_gerror_crash.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/02_gerror_crash.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/02_gerror_crash.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,92 @@
+From 5f1fc91746cfe4d287c46413a20d2fc90da8e86c Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Sun, 07 Aug 2011 15:52:42 +0000
+Subject: gnutls: fix a crash with a NULL GError
+
+GTlsClientConnectionGnutls's g_tls_connection_handshake()
+implementation would crash if you passed NULL for the GError**
+argument.
+---
+diff --git a/tls/gnutls/gtlsclientconnection-gnutls.c b/tls/gnutls/gtlsclientconnection-gnutls.c
+index b6fc2fb..aec001c 100644
+--- a/tls/gnutls/gtlsclientconnection-gnutls.c
++++ b/tls/gnutls/gtlsclientconnection-gnutls.c
+@@ -56,6 +56,7 @@ static gboolean g_tls_client_connection_gnutls_verify_peer (GTlsConnectionG
+ GTlsCertificate *peer_certificate,
+ GTlsCertificateFlags *errors);
+ static void g_tls_client_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn,
++ gboolean success,
+ GError **inout_error);
+
+ static void g_tls_client_connection_gnutls_client_connection_interface_init (GTlsClientConnectionInterface *iface);
+@@ -363,11 +364,13 @@ g_tls_client_connection_gnutls_verify_peer (GTlsConnectionGnutls *conn_gnutls,
+
+ static void
+ g_tls_client_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn,
++ gboolean success,
+ GError **inout_error)
+ {
+ GTlsClientConnectionGnutls *gnutls = G_TLS_CLIENT_CONNECTION_GNUTLS (conn);
+
+- if (g_error_matches (*inout_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS) &&
++ if (inout_error &&
++ g_error_matches (*inout_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS) &&
+ gnutls->priv->cert_requested)
+ {
+ g_clear_error (inout_error);
+@@ -379,7 +382,7 @@ g_tls_client_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn,
+ {
+ gnutls_datum session_data;
+
+- if (!*inout_error &&
++ if (success &&
+ gnutls_session_get_data2 (g_tls_connection_gnutls_get_session (conn),
+ &session_data) == 0)
+ {
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index da3f76e..71c8a2f 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -917,7 +917,7 @@ handshake_internal (GTlsConnectionGnutls *gnutls,
+ }
+ }
+
+- G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->finish_handshake (gnutls, error);
++ G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->finish_handshake (gnutls, ret == 0, error);
+
+ if (ret == 0)
+ {
+diff --git a/tls/gnutls/gtlsconnection-gnutls.h b/tls/gnutls/gtlsconnection-gnutls.h
+index fff49af..dd061c4 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.h
++++ b/tls/gnutls/gtlsconnection-gnutls.h
+@@ -38,6 +38,7 @@ struct _GTlsConnectionGnutlsClass
+ GTlsCertificate *peer_certificate,
+ GTlsCertificateFlags *errors);
+ void (*finish_handshake) (GTlsConnectionGnutls *gnutls,
++ gboolean success,
+ GError **inout_error);
+ };
+
+diff --git a/tls/gnutls/gtlsserverconnection-gnutls.c b/tls/gnutls/gtlsserverconnection-gnutls.c
+index b9565ae..2b688f0 100644
+--- a/tls/gnutls/gtlsserverconnection-gnutls.c
++++ b/tls/gnutls/gtlsserverconnection-gnutls.c
+@@ -49,6 +49,7 @@ static gboolean g_tls_server_connection_gnutls_verify_peer (GTlsConnectionG
+ GTlsCertificate *peer_certificate,
+ GTlsCertificateFlags *errors);
+ static void g_tls_server_connection_gnutls_finish_handshake (GTlsConnectionGnutls *conn,
++ gboolean success,
+ GError **inout_error);
+
+ static void g_tls_server_connection_gnutls_server_connection_interface_init (GTlsServerConnectionInterface *iface);
+@@ -204,6 +205,7 @@ g_tls_server_connection_gnutls_verify_peer (GTlsConnectionGnutls *gnutls,
+
+ static void
+ g_tls_server_connection_gnutls_finish_handshake (GTlsConnectionGnutls *gnutls,
++ gboolean success,
+ GError **inout_error)
+ {
+ }
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/03_tls_compat.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/03_tls_compat.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/03_tls_compat.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/03_tls_compat.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,40 @@
+From 0fdfbc1cbecd0e883376ebe5b4c063b2ae8fd7f8 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Sun, 07 Aug 2011 16:29:42 +0000
+Subject: gnutls: add %COMPAT to the gnutls priority strings
+
+%COMPAT enables certain compatibility behavior. In particular, it
+disables padding of records, which other TLS libraries don't do even
+though it's good for security, because some broken servers can't cope
+with it.
+
+Part of
+https://bugzilla.gnome.org/show_bug.cgi?id=581342
+---
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index 71c8a2f..7cb7f9c 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -199,16 +199,16 @@ g_tls_connection_gnutls_init_priorities (void)
+ /* First field is "ssl3 only", second is "allow unsafe rehandshaking" */
+
+ gnutls_priority_init (&priorities[FALSE][FALSE],
+- "NORMAL",
++ "NORMAL:%COMPAT",
+ NULL);
+ gnutls_priority_init (&priorities[TRUE][FALSE],
+- "NORMAL:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0",
++ "NORMAL:%COMPAT:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0",
+ NULL);
+ gnutls_priority_init (&priorities[FALSE][TRUE],
+- "NORMAL:%UNSAFE_RENEGOTIATION",
++ "NORMAL:%COMPAT:%UNSAFE_RENEGOTIATION",
+ NULL);
+ gnutls_priority_init (&priorities[TRUE][TRUE],
+- "NORMAL:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0:%UNSAFE_RENEGOTIATION",
++ "NORMAL:%COMPAT:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0:%UNSAFE_RENEGOTIATION",
+ NULL);
+ }
+
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/04_rehandshake.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/04_rehandshake.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/04_rehandshake.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/04_rehandshake.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,24 @@
+From ce16e682c97afb05741c5e37924685c2a1c1ef80 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Thu, 25 Aug 2011 22:53:42 +0000
+Subject: gnutls: handle rehandshake request correctly
+
+Based on a patch from Igor Makarov
+
+https://bugzilla.gnome.org/show_bug.cgi?id=653645
+---
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index 7cb7f9c..0882852 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -575,7 +575,7 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls,
+ ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && \
+ !gnutls->priv->error); \
+ ret = end_gnutls_io (gnutls, ret, error); \
+- if (ret < 0 && error && !*error) \
++ if (ret < 0 && ret != GNUTLS_E_REHANDSHAKE && error && !*error) \
+ { \
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,\
+ errmsg, gnutls_strerror (ret)); \
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/05_virtualhosts.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/05_virtualhosts.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/05_virtualhosts.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/05_virtualhosts.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,93 @@
+From 4175fd4718bfd247420fe20af492c944edf9b598 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Sun, 28 Aug 2011 16:51:30 +0000
+Subject: gnutls: don't try to reuse a TLS session with a different SNI
+
+Use the Server Name Indication as part of the session ID so that we
+don't try to share sessions between different virtual hosts on the
+same machine. This causes problems on some servers, which I think is a
+server bug, but...
+
+https://bugs.launchpad.net/bugs/823325 and the end of
+https://bugzilla.gnome.org/show_bug.cgi?id=581342
+---
+diff --git a/tls/gnutls/gtlsclientconnection-gnutls.c b/tls/gnutls/gtlsclientconnection-gnutls.c
+index aec001c..119f194 100644
+--- a/tls/gnutls/gtlsclientconnection-gnutls.c
++++ b/tls/gnutls/gtlsclientconnection-gnutls.c
+@@ -123,6 +123,17 @@ g_tls_client_connection_gnutls_init (GTlsClientConnectionGnutls *gnutls)
+ gnutls_certificate_client_set_retrieve_function (creds, g_tls_client_connection_gnutls_retrieve_function);
+ }
+
++static const gchar *
++get_server_identity (GTlsClientConnectionGnutls *gnutls)
++{
++ if (G_IS_NETWORK_ADDRESS (gnutls->priv->server_identity))
++ return g_network_address_get_hostname (G_NETWORK_ADDRESS (gnutls->priv->server_identity));
++ else if (G_IS_NETWORK_SERVICE (gnutls->priv->server_identity))
++ return g_network_service_get_domain (G_NETWORK_SERVICE (gnutls->priv->server_identity));
++ else
++ return NULL;
++}
++
+ static void
+ g_tls_client_connection_gnutls_constructed (GObject *object)
+ {
+@@ -132,14 +143,12 @@ g_tls_client_connection_gnutls_constructed (GObject *object)
+ GInetAddress *iaddr;
+ guint port;
+
+- /* We base the session ID on the IP address rather than on
+- * server-identity, because it's likely that different virtual
+- * servers on the same host will have access to the same session
+- * cache, whereas different hosts serving the same hostname/service
+- * likely won't. Note that session IDs are opaque, and transmitted
+- * in the clear anyway, so there are no security issues if we send
+- * one to the "wrong" server; we'll just fail to get a resumed
+- * session.
++ /* Create a TLS session ID. We base it on the IP address since
++ * different hosts serving the same hostname/service will probably
++ * not share the same session cache. We base it on the
++ * server-identity because at least some servers will fail (rather
++ * than just failing to resume the session) if we don't.
++ * (https://bugs.launchpad.net/bugs/823325)
+ */
+ g_object_get (G_OBJECT (gnutls), "base-io-stream", &base_conn, NULL);
+ if (G_IS_SOCKET_CONNECTION (base_conn))
+@@ -148,13 +157,18 @@ g_tls_client_connection_gnutls_constructed (GObject *object)
+ if (G_IS_INET_SOCKET_ADDRESS (remote_addr))
+ {
+ GInetSocketAddress *isaddr = G_INET_SOCKET_ADDRESS (remote_addr);
++ const gchar *server_hostname;
+ gchar *addrstr;
+
+ iaddr = g_inet_socket_address_get_address (isaddr);
+ port = g_inet_socket_address_get_port (isaddr);
+
+ addrstr = g_inet_address_to_string (iaddr);
+- gnutls->priv->session_id = g_strdup_printf ("%s/%d", addrstr, port);
++ server_hostname = get_server_identity (gnutls);
++ gnutls->priv->session_id =
++ g_strdup_printf ("%s/%s/%d", addrstr,
++ server_hostname ? server_hostname : "",
++ port);
+ g_free (addrstr);
+ }
+ g_object_unref (remote_addr);
+@@ -243,13 +257,7 @@ g_tls_client_connection_gnutls_set_property (GObject *object,
+ g_object_unref (gnutls->priv->server_identity);
+ gnutls->priv->server_identity = g_value_dup_object (value);
+
+- if (G_IS_NETWORK_ADDRESS (gnutls->priv->server_identity))
+- hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (gnutls->priv->server_identity));
+- else if (G_IS_NETWORK_SERVICE (gnutls->priv->server_identity))
+- hostname = g_network_service_get_domain (G_NETWORK_SERVICE (gnutls->priv->server_identity));
+- else
+- hostname = NULL;
+-
++ hostname = get_server_identity (gnutls);
+ if (hostname)
+ {
+ gnutls_session_t session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls));
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/06_gnutls3.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/06_gnutls3.patch?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/06_gnutls3.patch (added)
+++ desktop/unstable/glib-networking/debian/patches/06_gnutls3.patch [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,73 @@
+From 9e2aaacafb45d51cff57dc033f4b5ad5bc1a1762 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Fri, 16 Sep 2011 15:29:29 +0000
+Subject: gnutls: fix G_TLS_ERROR_EOF handling with gnutls 3.0
+
+gnutls 3.0 has a new error code for "peer closed connection without
+sending a Close packet", so add some #ifdefs to do the right thing
+with either 2.x or 3.x.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=659233
+---
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index c1ede79..0f792bb 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -132,7 +132,10 @@ struct _GTlsConnectionGnutlsPrivate
+
+ GError *error;
+ GCancellable *cancellable;
+- gboolean blocking, eof;
++ gboolean blocking;
++#ifndef GNUTLS_E_PREMATURE_TERMINATION
++ gboolean eof;
++#endif
+ GIOCondition internal_direction;
+ };
+
+@@ -548,19 +551,22 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls,
+ gnutls->priv->need_handshake = TRUE;
+ return status;
+ }
+- else if (status == GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
++ else if (
++#ifdef GNUTLS_E_PREMATURE_TERMINATION
++ status == GNUTLS_E_PREMATURE_TERMINATION
++#else
++ status == GNUTLS_E_UNEXPECTED_PACKET_LENGTH && gnutls->priv->eof
++#endif
++ )
+ {
+- if (gnutls->priv->eof)
++ if (gnutls->priv->require_close_notify)
+ {
+- if (gnutls->priv->require_close_notify)
+- {
+- g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_EOF,
+- _("TLS connection closed unexpectedly"));
+- return status;
+- }
+- else
+- return 0;
++ g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_EOF,
++ _("TLS connection closed unexpectedly"));
++ return status;
+ }
++ else
++ return 0;
+ }
+
+ return status;
+@@ -795,8 +801,10 @@ g_tls_connection_gnutls_pull_func (gnutls_transport_ptr_t transport_data,
+
+ if (ret < 0)
+ set_gnutls_error (gnutls, G_IO_IN);
++#ifndef GNUTLS_E_PREMATURE_TERMINATION
+ else if (ret == 0)
+ gnutls->priv->eof = TRUE;
++#endif
+
+ return ret;
+ }
+--
+cgit v0.9.0.2
Added: desktop/unstable/glib-networking/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib-networking/debian/patches/series?rev=29710&op=file
==============================================================================
--- desktop/unstable/glib-networking/debian/patches/series (added)
+++ desktop/unstable/glib-networking/debian/patches/series [utf-8] Fri Sep 23 18:30:26 2011
@@ -1,0 +1,6 @@
+01_tls_small_keys.patch
+02_gerror_crash.patch
+03_tls_compat.patch
+04_rehandshake.patch
+05_virtualhosts.patch
+06_gnutls3.patch
More information about the pkg-gnome-commits
mailing list