wok-current rev 25064

openvas-libraries, openvas-client: update gnutls calls
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Jun 08 16:46:37 2022 +0000 (2022-06-08)
parents 2b38bdfd12b2
children 85fc2431322f
files openvas-client/receipt openvas-client/stuff/gnutls.2.2.u openvas-libraries/receipt openvas-libraries/stuff/gnutls.2.2.u
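--- a/openvas-client/receipt
+++ b/openvas-client/receipt
@@ -18,7 +18,9 @@
 # Rules to configure and make the package.
 compile_rules()
 {
-	cd $src
+	# Update for gnutls
+	patch -p1 -i $stuff/gnutls.2.2.u 
+
 	./configure --prefix=/usr --sysconfdir=/etc \
 	--mandir=/usr/share/man \
 	$CONFIGURE_ARGS || return 1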
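Review bot: The added `patch -p1 -i $stuff/gnutls.2.2.u` line has no status check, so a patch that fails to apply (for example after the source tarball is bumped) lets `./configure` run on the unpatched tree; `patch -p1 -i $stuff/gnutls.2.2.u || return 1` would stop the build the same way the configure line already does. The identical line added to openvas-libraries/receipt has the same gap. The hunk also drops `cd $src`, so both `patch -p1` and `./configure` now depend on the build tool having entered the source directory beforehand; that is presumably the case but is not visible here, and a one-line comment such as `# cook already runs compile_rules in $src` (if that is the reason) would record it. compile_rules() continues past the end of the hunk.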
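--- /dev/null
+++ b/openvas-client/stuff/gnutls.2.2.u
@@ -0,0 +1,118 @@
+--- openvas-client-3.0.1/openvas/openvas-client.c
++++ openvas-client-3.0.1/openvas/openvas-client.c
+@@ -466,89 +466,26 @@
+ static void
+ set_gnutls_sslv23 (gnutls_session_t session)
+ {
+-  static int protocol_priority[] = {GNUTLS_TLS1,
+-				    GNUTLS_SSL3,
+-				    0};
+-  static int cipher_priority[] = {GNUTLS_CIPHER_AES_128_CBC,
+-				  GNUTLS_CIPHER_3DES_CBC,
+-				  GNUTLS_CIPHER_AES_256_CBC,
+-				  GNUTLS_CIPHER_ARCFOUR_128,
+-				  0};
+-  static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+-				GNUTLS_COMP_NULL,
+-				0};
+-  static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+-			      GNUTLS_KX_RSA,
+-			      GNUTLS_KX_DHE_DSS,
+-			      0};
+-  static int mac_priority[] = {GNUTLS_MAC_SHA1,
+-			       GNUTLS_MAC_MD5,
+-			       0};
+-
+-  gnutls_protocol_set_priority(session, protocol_priority);
+-  gnutls_cipher_set_priority(session, cipher_priority);
+-  gnutls_compression_set_priority(session, comp_priority);
+-  gnutls_kx_set_priority (session, kx_priority);
+-  gnutls_mac_set_priority(session, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-TLS1:+VERS-SSL3:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+ 
+ 
+ static void
+ set_gnutls_sslv3(gnutls_session_t session)
+ {
+-  static int protocol_priority[] = {GNUTLS_SSL3,
+-				    0};
+-  static int cipher_priority[] = {GNUTLS_CIPHER_3DES_CBC,
+-				  GNUTLS_CIPHER_ARCFOUR_128,
+-				  0};
+-  static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+-				GNUTLS_COMP_NULL,
+-				0};
+-
+-  static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+-			      GNUTLS_KX_RSA,
+-			      GNUTLS_KX_DHE_DSS,
+-			      GNUTLS_KX_ANON_DH,
+-			      0};
+-
+-  static int mac_priority[] = {GNUTLS_MAC_SHA1,
+-			       GNUTLS_MAC_MD5,
+-			       0};
+-
+-  gnutls_protocol_set_priority(session, protocol_priority);
+-  gnutls_cipher_set_priority(session, cipher_priority);
+-  gnutls_compression_set_priority(session, comp_priority);
+-  gnutls_kx_set_priority (session, kx_priority);
+-  gnutls_mac_set_priority(session, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-SSL3:+3DES_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+ANON_DH:+SHA1:+MD5", NULL);
+ }
+ 
+ static void
+ set_gnutls_tlsv1(gnutls_session_t session)
+ {
+-  static int protocol_priority[] = {GNUTLS_TLS1,
+-				    0};
+-  static int cipher_priority[] = {GNUTLS_CIPHER_AES_128_CBC,
+-				  GNUTLS_CIPHER_3DES_CBC,
+-				  GNUTLS_CIPHER_AES_256_CBC,
+-				  GNUTLS_CIPHER_ARCFOUR_128,
+-				  0};
+-  static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+-				GNUTLS_COMP_NULL,
+-				0};
+-  static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+-			      GNUTLS_KX_RSA,
+-			      GNUTLS_KX_DHE_DSS,
+-			      GNUTLS_KX_ANON_DH,
+-			      0};
+-  static int mac_priority[] = {GNUTLS_MAC_SHA1,
+-			       GNUTLS_MAC_MD5,
+-			       0};
+-
+-  gnutls_protocol_set_priority(session, protocol_priority);
+-  gnutls_cipher_set_priority(session, cipher_priority);
+-  gnutls_compression_set_priority(session, comp_priority);
+-  gnutls_kx_set_priority (session, kx_priority);
+-  gnutls_mac_set_priority(session, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+ANON_DH:+SHA1:+MD5", NULL);
+ }
+ 
+ 
+@@ -698,7 +635,6 @@
+ #endif
+   gnutls_session_t ssl = NULL;
+   gnutls_certificate_credentials_t certcred = NULL;
+-  int certprio[2] = { GNUTLS_CRT_X509, 0 };
+ 
+   const char *cert, *key, *client_ca, *trusted_ca, *ssl_ver;
+   int use_client_cert = prefs_get_int(context, "use_client_cert");
+@@ -868,7 +804,7 @@
+ 
+       if(use_client_cert)
+ 	{
+-	  rc = gnutls_certificate_type_set_priority (ssl, certprio);
++	  rc = gnutls_set_default_priority (ssl);
+ 	  if (rc)
+ 	    {
+ 	      gnutls_deinit (ssl);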
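Review bot: The three `set_gnutls_*` helpers in openvas-client.c stay `static void` but now end in `return gnutls_priority_set_direct(...)`, which returns a value from a void function (compilers warn about or reject this) and discards the result, so a priority string that the installed GnuTLS refuses goes unnoticed and the session presumably continues with whatever priorities it had before. Declaring them `static int`, as the openvas-libraries counterparts are, and checking the result in the callers (outside this patch) would close that. In the last hunk, `rc = gnutls_set_default_priority (ssl);` is not equivalent to the removed certificate-type call: it replaces the session's whole priority set with the library default, which would undo the SSLv3/TLSv1 selection if it runs after the helpers (the call order is not visible here); appending `:+CTYPE-X509` to the three priority strings would keep the X.509 restriction without that side effect. The strings also carry `+ANON_DH` (no server authentication), `+ARCFOUR_128`, `+MD5` and `+VERS-SSL3` over from the old arrays, and a comment such as `/* legacy algorithms kept only for compatibility with old servers */` would make that intent explicit.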
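--- a/openvas-libraries/receipt
+++ b/openvas-libraries/receipt
@@ -27,6 +27,9 @@
 	sed -e 's|_parser$|-parser\n%parse-param {naslctxt * parm}\n%lex-param {naslctxt * parm}|' \
 	    -e 's|naslerror(|&naslctxt *parm, |' -i nasl/nasl_grammar.y
 
+	# Update for gnutls
+	patch -p1 -i $stuff/gnutls.2.2.u 
+
 	./configure --prefix=/usr --localstatedir=/var \
 	--mandir=/usr/share/man \
 	$CONFIGURE_ARGS &&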
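--- /dev/null
+++ b/openvas-libraries/stuff/gnutls.2.2.u
@@ -0,0 +1,212 @@
+--- openvas-libraries-3.1.4/misc/network.c
++++ openvas-libraries-3.1.4/misc/network.c
+@@ -406,113 +406,27 @@ ovas_get_tlssession_from_connection (int
+ }
+ 
+ static int
+-set_gnutls_priorities (gnutls_session_t session, int *protocol_priority,
+-                       int *cipher_priority, int *comp_priority,
+-                       int *kx_priority, int *mac_priority)
+-{
+-  int err;
+-
+-  if ((err = gnutls_protocol_set_priority (session, protocol_priority))
+-      || (err = gnutls_cipher_set_priority (session, cipher_priority))
+-      || (err = gnutls_compression_set_priority (session, comp_priority))
+-      || (err = gnutls_kx_set_priority (session, kx_priority))
+-      || (err = gnutls_mac_set_priority (session, mac_priority)))
+-    {
+-      tlserror ("setting session priorities", err);
+-      return -1;
+-    }
+-  return 0;
+-}
+-
+-static int
+ set_gnutls_sslv23 (gnutls_session_t session)
+ {
+-  static int protocol_priority[] = { GNUTLS_TLS1,
+-    GNUTLS_SSL3,
+-    0
+-  };
+-  static int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+-    GNUTLS_CIPHER_3DES_CBC,
+-    GNUTLS_CIPHER_AES_256_CBC,
+-    GNUTLS_CIPHER_ARCFOUR_128,
+-    0
+-  };
+-  static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+-    GNUTLS_COMP_NULL,
+-    0
+-  };
+-  static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+-    GNUTLS_KX_RSA,
+-    GNUTLS_KX_DHE_DSS,
+-    0
+-  };
+-  static int mac_priority[] = { GNUTLS_MAC_SHA1,
+-    GNUTLS_MAC_MD5,
+-    0
+-  };
+-
+-  return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+-                                comp_priority, kx_priority, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-TLS1:+VERS-SSL3:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+ 
+ static int
+ set_gnutls_sslv3 (gnutls_session_t session)
+ {
+-  static int protocol_priority[] = { GNUTLS_SSL3,
+-    0
+-  };
+-  static int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC,
+-    GNUTLS_CIPHER_ARCFOUR_128,
+-    0
+-  };
+-  static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+-    GNUTLS_COMP_NULL,
+-    0
+-  };
+-
+-  static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+-    GNUTLS_KX_RSA,
+-    GNUTLS_KX_DHE_DSS,
+-    0
+-  };
+-
+-  static int mac_priority[] = { GNUTLS_MAC_SHA1,
+-    GNUTLS_MAC_MD5,
+-    0
+-  };
+-
+-  return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+-                                comp_priority, kx_priority, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-SSL3:+3DES_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+ 
+ static int
+ set_gnutls_tlsv1 (gnutls_session_t session)
+ {
+-  static int protocol_priority[] = { GNUTLS_TLS1,
+-    0
+-  };
+-  static int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+-    GNUTLS_CIPHER_3DES_CBC,
+-    GNUTLS_CIPHER_AES_256_CBC,
+-    GNUTLS_CIPHER_ARCFOUR_128,
+-    0
+-  };
+-  static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+-    GNUTLS_COMP_NULL,
+-    0
+-  };
+-  static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+-    GNUTLS_KX_RSA,
+-    GNUTLS_KX_DHE_DSS,
+-    0
+-  };
+-  static int mac_priority[] = { GNUTLS_MAC_SHA1,
+-    GNUTLS_MAC_MD5,
+-    0
+-  };
+-
+-  return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+-                                comp_priority, kx_priority, mac_priority);
++  // gnutls 2.2.0+
++  return gnutls_priority_set_direct(session, 
++	"NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+ 
+ /**
+--- openvas-libraries-3.1.4/misc/openvas_server.c
++++ openvas-libraries-3.1.4/misc/openvas_server.c
+@@ -142,12 +142,8 @@ openvas_server_open (gnutls_session_t *
+       return -1;
+     }
+ 
+-  const int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+-    GNUTLS_KX_RSA,
+-    GNUTLS_KX_DHE_DSS,
+-    0
+-  };
+-  if (gnutls_kx_set_priority (*session, kx_priority))
++  // gnutls 2.2.0+
++  if (gnutls_priority_set_direct(*session, "+DHE_RSA:+RSA:+DHE_DSS", NULL))
+     {
+       g_message ("Failed to set server key exchange priority.");
+       gnutls_deinit (*session);
+@@ -593,30 +589,6 @@ openvas_server_new (unsigned int end_typ
+                     gnutls_session_t * server_session,
+                     gnutls_certificate_credentials_t * server_credentials)
+ {
+-  // FIX static vars?
+-  const int protocol_priority[] = { GNUTLS_TLS1,
+-    0
+-  };
+-  const int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+-    GNUTLS_CIPHER_3DES_CBC,
+-    GNUTLS_CIPHER_AES_256_CBC,
+-    GNUTLS_CIPHER_ARCFOUR_128,
+-    0
+-  };
+-  const int comp_priority[] = { GNUTLS_COMP_ZLIB,
+-    GNUTLS_COMP_NULL,
+-    0
+-  };
+-  const int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+-    GNUTLS_KX_RSA,
+-    GNUTLS_KX_DHE_DSS,
+-    0
+-  };
+-  const int mac_priority[] = { GNUTLS_MAC_SHA1,
+-    GNUTLS_MAC_MD5,
+-    0
+-  };
+-
+   /* Turn off use of /dev/random, as this can block. */
+ 
+   gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+@@ -664,34 +636,11 @@ openvas_server_new (unsigned int end_typ
+       goto server_free_fail;
+     }
+ 
+-  if (gnutls_protocol_set_priority (*server_session, protocol_priority))
+-    {
+-      g_warning ("%s: failed to set protocol priority\n", __FUNCTION__);
+-      goto server_fail;
+-    }
+-
+-  if (gnutls_cipher_set_priority (*server_session, cipher_priority))
+-    {
+-      g_warning ("%s: failed to set cipher priority\n", __FUNCTION__);
+-      goto server_fail;
+-    }
+-
+-  if (gnutls_compression_set_priority (*server_session, comp_priority))
+-    {
+-      g_warning ("%s: failed to set compression priority\n", __FUNCTION__);
+-      goto server_fail;
+-    }
+-
+-  if (gnutls_kx_set_priority (*server_session, kx_priority))
+-    {
+-      g_warning ("%s: failed to set server key exchange priority\n",
+-                 __FUNCTION__);
+-      goto server_fail;
+-    }
+-
+-  if (gnutls_mac_set_priority (*server_session, mac_priority))
++  // gnutls 2.2.0+
++  if (gnutls_priority_set_direct(*server_session, 
++	"NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+MD5", NULL))
+     {
+-      g_warning ("%s: failed to set mac priority\n", __FUNCTION__);
++      g_warning ("%s: failed to set priority\n", __FUNCTION__);
+       goto server_fail;
+     }
+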
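Review bot: The priority string added in openvas_server_new omits `+SHA1`: the removed `mac_priority` array listed `GNUTLS_MAC_SHA1` ahead of `GNUTLS_MAC_MD5`, but the new string ends `:+DHE_DSS:+MD5`, so the server session is limited to MD5-MAC suites and the AES and 3DES entries, which pair with SHA-1 in TLS 1.0, effectively cannot be negotiated. The tail should read `:+DHE_DSS:+SHA1:+MD5", NULL))` as in the three network.c strings of the same patch. In openvas_server_open the string `"+DHE_RSA:+RSA:+DHE_DSS"` has no leading `NONE`, so as far as I can tell it starts from the library defaults and appends these key exchanges instead of restricting to them as `gnutls_kx_set_priority` did, and it replaces any priorities set earlier in that function (not visible in the hunk); a comment stating the intended set, or a full `NONE:`-based string, would remove the ambiguity. Both functions start and end outside their hunks.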