From 05a94d73c7b96349e4d61cb83c9a3da275889a0e Mon Sep 17 00:00:00 2001
From: Zach van Rijn
Date: Tue, 1 Feb 2022 17:10:05 +0000
Subject: user/glib-networking: bump { 2.62.4 --> 2.70.1 }. add patches to fix #424.
---
 user/glib-networking/APKBUILD | 13 ++--
 user/glib-networking/disable-gnome-test.patch | 14 +++++
 user/glib-networking/tls13.patch | 87 +++++++++++++++++++++++++++
 3 files changed, 110 insertions(+), 4 deletions(-)
 create mode 100644 user/glib-networking/disable-gnome-test.patch
 create mode 100644 user/glib-networking/tls13.patch
diff --git a/user/glib-networking/APKBUILD b/user/glib-networking/APKBUILD
index e18329b26..60e7a44f1 100644
--- a/user/glib-networking/APKBUILD
+++ b/user/glib-networking/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Natanael Copa
-# Maintainer:
+# Maintainer: Zach van Rijn
 pkgname=glib-networking
-pkgver=2.62.4
+pkgver=2.70.1
 _ver=${pkgver%.*}
 pkgrel=0
 pkgdesc="Networking support for GLib"
@@ -12,7 +12,10 @@ depends="ca-certificates"
 makedepends="bash glib-dev gnutls-dev gsettings-desktop-schemas-dev intltool libgcrypt-dev libproxy-dev meson ninja p11-kit-dev"
 subpackages="$pkgname-lang"
-source="https://download.gnome.org/sources/glib-networking/$_ver/glib-networking-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/glib-networking/$_ver/glib-networking-$pkgver.tar.xz
+ tls13.patch
+ disable-gnome-test.patch
+ "
 build() {
 meson -Dprefix=/usr _build
@@ -28,4 +31,6 @@ package() {
 rm -f "$pkgdir"/usr/lib/gio/modules/*.a
 }
-sha512sums="cd233eeed7ffb8458f4e0316a08927713899e64ce2654aa34f267ccf09d2516e7dee79012dd9e1488d3e8c0e1795c3525523bf8dc5f82a71c1b202942c38363a glib-networking-2.62.4.tar.xz"
+sha512sums="a06b4df4481f95193f9ed4be6d39bbe9ecaf4de8e11a48750f7110d4cfa71aa56b7ec5b36af70b7128150447f1a39ce3aeadf71e2ac516f61708f1212f8f855d glib-networking-2.70.1.tar.xz
+b859a3053013b54e62139e6bdd4e5c0d318ff9fcbc71533d35a3fd9efccfc0cefa8b070cc1047c67549efc01623829a07d47ad73d1fb8aeb106cf57c975034ab tls13.patch
+ebd90e59cfe12b993792855f6059918f13d5f7847c7db2b1b52aad868c1ba119941f319ed1b76b8fffd221734d8169356c682013c588452ee2ce0c02c3c5cbab disable-gnome-test.patch"
diff --git a/user/glib-networking/disable-gnome-test.patch b/user/glib-networking/disable-gnome-test.patch
new file mode 100644
index 000000000..0f7686290
--- /dev/null
+++ b/user/glib-networking/disable-gnome-test.patch
@@ -0,0 +1,14 @@
+diff -ur a/meson.build b/meson.build
+--- a/meson.build 2022-02-01 17:05:12.520000000 +0000
++++ b/meson.build 2022-02-01 17:05:45.080000000 +0000
+@@ -176,10 +176,6 @@
+ subdir('proxy/libproxy')
+ endif
+
+- if gsettings_desktop_schemas_dep.found()
+- subdir('proxy/gnome')
+- endif
+-
+ subdir('proxy/tests')
+ endif
+
diff --git a/user/glib-networking/tls13.patch b/user/glib-networking/tls13.patch
new file mode 100644
index 000000000..802a692cd
--- /dev/null
+++ b/user/glib-networking/tls13.patch
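Review bot: The name disable-gnome-test.patch does not describe what the patch does: the block it removes is the `subdir('proxy/gnome')` call guarded by `gsettings_desktop_schemas_dep.found()`, so the entire proxy/gnome directory is dropped from the build, not only its tests, and if that directory holds the GNOME proxy module the packaged result silently loses that module. The patch file also has no header explaining why it is needed beyond the commit subject's "fix #424"; lines before the first `diff` are ignored by patch, so a one-line note such as `Skip proxy/gnome on this distribution: <reason from #424>` at the top would let the next version bump decide whether the patch can be dropped. With that directory no longer built, `gsettings-desktop-schemas-dev` in makedepends (visible as context in the earlier APKBUILD hunk) appears to be a dead build dependency, or alternatively the found() guard could be left in place and the dependency simply omitted so no source patch is needed.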
@@ -0,0 +1,87 @@
+From 72d82ee1f738355d5f76374d487d1623da57384e Mon Sep 17 00:00:00 2001
+From: "Ruslan N. Marchenko"
+Date: Fri, 17 Dec 2021 08:58:37 +0100
+Subject: [PATCH] Cleanup some code around tls-unique binding in TLSv1.3
+
+ * The binding call should fail first of all, as tls-unique binding type
+ is not defined under TLSv1.3. The test unit is updated accordingly.
+ * New GnuTLS backend is handling it properly but old returns success/empty
+ data - handle empty data and return error.
+ * OpenSSL returns success (or rather Finished packet, as it is asked for)
+ hence catch this condition before the call and return error.
+---
+ tls/gnutls/gtlsconnection-gnutls.c | 10 ++++++++++
+ tls/openssl/gtlsconnection-openssl.c | 9 +++++++++
+ tls/tests/connection.c | 8 +++++++-
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
+index 1b607408..387f14d3 100644
+--- a/tls/gnutls/gtlsconnection-gnutls.c
++++ b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -1172,6 +1172,16 @@ gnutls_get_binding (GTlsConnectionGnutls *gnutls,
+
+ if (ret == GNUTLS_E_SUCCESS)
+ {
++ /* Older GnuTLS versions are known to return SUCCESS and empty data for TLSv1.3 tls-unique binding.
++ * While it may look prudent to catch here that specific corner case, the empty binding data is
++ * definitely not a SUCCESS, regardless of the version and type.
*/
++ if (cb.size == 0)
++ {
++ g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
++ _("Empty channel binding data indicates a bug in the TLS library implementation"));
++ return FALSE;
++ }
++
+ if (data != NULL)
+ {
+ g_tls_log_debug (gnutls, "binding size %d", cb.size);
+diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
+index 9cf6ad74..265845ee 100644
+--- a/tls/openssl/gtlsconnection-openssl.c
++++ b/tls/openssl/gtlsconnection-openssl.c
+@@ -653,6 +653,15 @@ openssl_get_binding_tls_unique (GTlsConnectionOpenssl *tls,
+ gboolean resumed = SSL_session_reused (ssl);
+ size_t len = 64;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++ if (SSL_version (ssl) >= TLS1_3_VERSION)
++ {
++ g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
++ _("The request is invalid."));
++ return FALSE;
++ }
++#endif
++
+ /* This is a drill */
+ if (!data)
+ return TRUE;
+diff --git a/tls/tests/connection.c b/tls/tests/connection.c
+index f9940986..f6f1cf87 100644
+--- a/tls/tests/connection.c
++++ b/tls/tests/connection.c
+@@ -2605,6 +2605,8 @@ test_connection_binding_match_tls_unique (TestConnection *test,
+ /* Real test: retrieve bindings and compare */
+ if (client_supports_tls_unique)
+ {
++ g_assert_false (g_tls_connection_get_protocol_version (
++ G_TLS_CONNECTION (test->client_connection)) == G_TLS_PROTOCOL_VERSION_TLS_1_3);
+ client_cb = g_byte_array_new ();
+ server_cb = g_byte_array_new ();
+ g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
+@@ -2624,7 +2626,11 @@ test_connection_binding_match_tls_unique (TestConnection *test,
+ g_byte_array_unref (server_cb);
+ }
+ else
+- g_test_skip ("tls-unique is not supported");
++ {
++ g_assert_true (g_tls_connection_get_protocol_version (
++ G_TLS_CONNECTION (test->client_connection)) == G_TLS_PROTOCOL_VERSION_TLS_1_3);
++ g_test_skip ("tls-unique is not
supported");
++ }
+
+ /* drop the mic */
+ close_server_connection (test);
+--
+GitLab
+
--
cgit v1.2.3-70-g09d2
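Review bot: In the tls/tests/connection.c part of the vendored tls13.patch, the new `else` branch asserts that the client connection is on TLS 1.3 before calling `g_test_skip`, so any other reason for `client_supports_tls_unique` being false — a backend that does not offer the binding on a TLS 1.2 connection, or a binding probe that fails — now aborts the test where it previously skipped, and if this package runs the test suite during the build that becomes a build failure in those configurations. The condition that sets `client_supports_tls_unique` lies outside the hunk, so this is inferred from the shape of the branch; the more conservative backport keeps the skip unconditional and only asserts the version in the supported branch, i.e. drops the added `g_assert_true (g_tls_connection_get_protocol_version (...) == G_TLS_PROTOCOL_VERSION_TLS_1_3);` from the else block. The two backend changes are sound as a hardening step: refusing tls-unique on TLS 1.3 (where it is not defined) and rejecting zero-length binding data means a caller can no longer be handed a Finished message or an empty buffer as a channel binding, though the OpenSSL branch's `_("The request is invalid.")` tells the caller less than the GnuTLS branch's message does. test_connection_binding_match_tls_unique, gnutls_get_binding and openssl_get_binding_tls_unique all start and continue outside their hunks.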