# HG changeset patch
# User Pascal Bellard
# Date 1654706797 0
# Node ID 33ed869afff254ee3dc6a85fcca6bdbf96342c9e
# Parent 2b38bdfd12b22178e08f3ff84eebcd16a66721b4
openvas-libraries, openvas-client: update gnutls calls
diff -r 2b38bdfd12b2 -r 33ed869afff2 openvas-client/receipt
--- a/openvas-client/receipt Tue Jun 07 20:10:22 2022 +0000
+++ b/openvas-client/receipt Wed Jun 08 16:46:37 2022 +0000
@@ -18,7 +18,9 @@
 # Rules to configure and make the package.
 compile_rules()
 {
- cd $src
+ # Update for gnutls
+ patch -p1 -i $stuff/gnutls.2.2.u
+
 ./configure --prefix=/usr --sysconfdir=/etc \
 --mandir=/usr/share/man \
 $CONFIGURE_ARGS || return 1
diff -r 2b38bdfd12b2 -r 33ed869afff2 openvas-client/stuff/gnutls.2.2.u
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/openvas-client/stuff/gnutls.2.2.u Wed Jun 08 16:46:37 2022 +0000
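Review bot: The added `patch -p1 -i $stuff/gnutls.2.2.u` in compile_rules is not checked, so a rejected or partially applied patch lets the build continue against unpatched sources and fail, or behave differently, only later; terminate it like the configure line, `patch -p1 -i $stuff/gnutls.2.2.u || return 1`. The identical line added to openvas-libraries/receipt in this changeset has the same gap. The hunk also drops `cd $src`; if the cook environment already enters the source tree that is fine, otherwise both patch and ./configure now run from the wrong directory — a one-line comment stating the assumption would settle it. compile_rules continues past the end of the hunk.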
@@ -0,0 +1,118 @@
+--- openvas-client-3.0.1/openvas/openvas-client.c
++++ openvas-client-3.0.1/openvas/openvas-client.c
+@@ -466,89 +466,26 @@
+ static void
+ set_gnutls_sslv23 (gnutls_session_t session)
+ {
+- static int protocol_priority[] = {GNUTLS_TLS1,
+- GNUTLS_SSL3,
+- 0};
+- static int cipher_priority[] = {GNUTLS_CIPHER_AES_128_CBC,
+- GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_AES_256_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0};
+- static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0};
+- static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0};
+- static int mac_priority[] = {GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0};
+-
+- gnutls_protocol_set_priority(session, protocol_priority);
+- gnutls_cipher_set_priority(session, cipher_priority);
+- gnutls_compression_set_priority(session, comp_priority);
+- gnutls_kx_set_priority (session, kx_priority);
+- gnutls_mac_set_priority(session, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-TLS1:+VERS-SSL3:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+
+
+ static void
+ set_gnutls_sslv3(gnutls_session_t session)
+ {
+- static int protocol_priority[] = {GNUTLS_SSL3,
+- 0};
+- static int cipher_priority[] = {GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0};
+- static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0};
+-
+- static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- GNUTLS_KX_ANON_DH,
+- 0};
+-
+- static int mac_priority[] = {GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0};
+-
+- gnutls_protocol_set_priority(session, protocol_priority);
+- gnutls_cipher_set_priority(session, cipher_priority);
+- gnutls_compression_set_priority(session, comp_priority);
+- gnutls_kx_set_priority (session, kx_priority);
+- gnutls_mac_set_priority(session, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-SSL3:+3DES_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+ANON_DH:+SHA1:+MD5", NULL);
+ }
+
+ static void
+ set_gnutls_tlsv1(gnutls_session_t session)
+ {
+- static int protocol_priority[] = {GNUTLS_TLS1,
+- 0};
+- static int cipher_priority[] = {GNUTLS_CIPHER_AES_128_CBC,
+- GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_AES_256_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0};
+- static int comp_priority[] = {GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0};
+- static int kx_priority[] = {GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- GNUTLS_KX_ANON_DH,
+- 0};
+- static int mac_priority[] = {GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0};
+-
+- gnutls_protocol_set_priority(session, protocol_priority);
+- gnutls_cipher_set_priority(session, cipher_priority);
+- gnutls_compression_set_priority(session, comp_priority);
+- gnutls_kx_set_priority (session, kx_priority);
+- gnutls_mac_set_priority(session, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+ANON_DH:+SHA1:+MD5", NULL);
+ }
+
+
+@@ -698,7 +635,6 @@
+ #endif
+ gnutls_session_t ssl = NULL;
+ gnutls_certificate_credentials_t certcred = NULL;
+- int certprio[2] = { GNUTLS_CRT_X509, 0 };
+
+ const char *cert, *key, *client_ca, *trusted_ca, *ssl_ver;
+ int use_client_cert = prefs_get_int(context, "use_client_cert");
+@@ -868,7 +804,7 @@
+
+ if(use_client_cert)
+ {
+- rc = gnutls_certificate_type_set_priority (ssl, certprio);
++ rc = gnutls_set_default_priority (ssl);
+ if (rc)
+ {
+ gnutls_deinit (ssl);
diff -r 2b38bdfd12b2 -r 33ed869afff2 openvas-libraries/receipt
--- a/openvas-libraries/receipt Tue Jun 07 20:10:22 2022 +0000
+++ b/openvas-libraries/receipt Wed Jun 08 16:46:37 2022 +0000
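Review bot: In openvas-client.c the three helpers set_gnutls_sslv23, set_gnutls_sslv3 and set_gnutls_tlsv1 keep their `static void` signature but now `return gnutls_priority_set_direct(...)`, which is a constraint violation in C (GCC warns by default and errors under -Werror) and, where it compiles, discards the result, so a rejected priority string leaves the session with no enabled algorithms and no diagnostic. Drop the `return`, keep the value and report it, e.g. `if (gnutls_priority_set_direct (session, "...", &err_pos) != GNUTLS_E_SUCCESS)` with a `const char *err_pos` declared and logged in place of the `NULL` second argument. The GnuTLS manual spells priority keywords with hyphens and full version numbers (`VERS-TLS1.0`, `AES-128-CBC`, `DHE-RSA`); I have not confirmed that the 2.2-era parser accepts `VERS-TLS1` or the underscore forms used in every string here and in openvas-libraries/stuff/gnutls.2.2.u, so this needs a check against the target library, which the error handling above would also surface at runtime. In the use_client_cert branch `gnutls_set_default_priority (ssl)` replaces the whole priority set with the library defaults rather than only the certificate type, so if the set_gnutls_* helper chosen from ssl_ver has already run at that point (outside the hunk) its selection is silently overridden — worth a comment or a reordering. All of these strings also carry SSL 3.0, ARCFOUR-128, 3DES and MD5 forward unchanged; if that is deliberate for compatibility with older scanner daemons, say so in a comment, since a `NORMAL`-based string would otherwise be the expected baseline.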
@@ -27,6 +27,9 @@ sed -e 's|_parser$|-parser\n%parse-param {naslctxt * parm}\n%lex-param {naslctxt * parm}|' \ -e 's|naslerror(|&naslctxt *parm, |' -i nasl/nasl_grammar.y + # Update for gnutls + patch -p1 -i $stuff/gnutls.2.2.u + ./configure --prefix=/usr --localstatedir=/var \ --mandir=/usr/share/man \ $CONFIGURE_ARGS && diff -r 2b38bdfd12b2 -r 33ed869afff2 openvas-libraries/stuff/gnutls.2.2.u --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/openvas-libraries/stuff/gnutls.2.2.u Wed Jun 08 16:46:37 2022 +0000 
@@ -0,0 +1,212 @@
+--- openvas-libraries-3.1.4/misc/network.c
++++ openvas-libraries-3.1.4/misc/network.c
+@@ -406,113 +406,27 @@ ovas_get_tlssession_from_connection (int
+ }
+
+ static int
+-set_gnutls_priorities (gnutls_session_t session, int *protocol_priority,
+- int *cipher_priority, int *comp_priority,
+- int *kx_priority, int *mac_priority)
+-{
+- int err;
+-
+- if ((err = gnutls_protocol_set_priority (session, protocol_priority))
+- || (err = gnutls_cipher_set_priority (session, cipher_priority))
+- || (err = gnutls_compression_set_priority (session, comp_priority))
+- || (err = gnutls_kx_set_priority (session, kx_priority))
+- || (err = gnutls_mac_set_priority (session, mac_priority)))
+- {
+- tlserror ("setting session priorities", err);
+- return -1;
+- }
+- return 0;
+-}
+-
+-static int
+ set_gnutls_sslv23 (gnutls_session_t session)
+ {
+- static int protocol_priority[] = { GNUTLS_TLS1,
+- GNUTLS_SSL3,
+- 0
+- };
+- static int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+- GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_AES_256_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0
+- };
+- static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0
+- };
+- static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0
+- };
+- static int mac_priority[] = { GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0
+- };
+-
+- return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+- comp_priority, kx_priority, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-TLS1:+VERS-SSL3:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+
+ static int
+ set_gnutls_sslv3 (gnutls_session_t session)
+ {
+- static int protocol_priority[] = { GNUTLS_SSL3,
+- 0
+- };
+- static int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0
+- };
+- static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0
+- };
+-
+- static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0
+- };
+-
+- static int mac_priority[] = { GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0
+- };
+-
+- return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+- comp_priority, kx_priority, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-SSL3:+3DES_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+
+ static int
+ set_gnutls_tlsv1 (gnutls_session_t session)
+ {
+- static int protocol_priority[] = { GNUTLS_TLS1,
+- 0
+- };
+- static int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+- GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_AES_256_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0
+- };
+- static int comp_priority[] = { GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0
+- };
+- static int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0
+- };
+- static int mac_priority[] = { GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0
+- };
+-
+- return set_gnutls_priorities (session, protocol_priority, cipher_priority,
+- comp_priority, kx_priority, mac_priority);
++ // gnutls 2.2.0+
++ return gnutls_priority_set_direct(session,
++ "NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+SHA1:+MD5", NULL);
+ }
+
+ /**
+--- openvas-libraries-3.1.4/misc/openvas_server.c
++++ openvas-libraries-3.1.4/misc/openvas_server.c
+@@ -142,12 +142,8 @@ openvas_server_open (gnutls_session_t *
+ return -1;
+ }
+
+- const int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0
+- };
+- if (gnutls_kx_set_priority (*session, kx_priority))
++ // gnutls 2.2.0+
++ if (gnutls_priority_set_direct(*session, "+DHE_RSA:+RSA:+DHE_DSS", NULL))
+ {
+ g_message ("Failed to set server key exchange priority.");
+ gnutls_deinit (*session);
+@@ -593,30 +589,6 @@ openvas_server_new (unsigned int end_typ
+ gnutls_session_t * server_session,
+ gnutls_certificate_credentials_t * server_credentials)
+ {
+- // FIX static vars?
+- const int protocol_priority[] = { GNUTLS_TLS1,
+- 0
+- };
+- const int cipher_priority[] = { GNUTLS_CIPHER_AES_128_CBC,
+- GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_AES_256_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128,
+- 0
+- };
+- const int comp_priority[] = { GNUTLS_COMP_ZLIB,
+- GNUTLS_COMP_NULL,
+- 0
+- };
+- const int kx_priority[] = { GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_RSA,
+- GNUTLS_KX_DHE_DSS,
+- 0
+- };
+- const int mac_priority[] = { GNUTLS_MAC_SHA1,
+- GNUTLS_MAC_MD5,
+- 0
+- };
+-
+ /* Turn off use of /dev/random, as this can block. */
+
+ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+@@ -664,34 +636,11 @@ openvas_server_new (unsigned int end_typ
+ goto server_free_fail;
+ }
+
+- if (gnutls_protocol_set_priority (*server_session, protocol_priority))
+- {
+- g_warning ("%s: failed to set protocol priority\n", __FUNCTION__);
+- goto server_fail;
+- }
+-
+- if (gnutls_cipher_set_priority (*server_session, cipher_priority))
+- {
+- g_warning ("%s: failed to set cipher priority\n", __FUNCTION__);
+- goto server_fail;
+- }
+-
+- if (gnutls_compression_set_priority (*server_session, comp_priority))
+- {
+- g_warning ("%s: failed to set compression priority\n", __FUNCTION__);
+- goto server_fail;
+- }
+-
+- if (gnutls_kx_set_priority (*server_session, kx_priority))
+- {
+- g_warning ("%s: failed to set server key exchange priority\n",
+- __FUNCTION__);
+- goto server_fail;
+- }
+-
+- if (gnutls_mac_set_priority (*server_session, mac_priority))
++ // gnutls 2.2.0+
++ if (gnutls_priority_set_direct(*server_session,
++ "NONE:+VERS-TLS1:+AES_128_CBC:+3DES_CBC:+AES_256_CBC:+ARCFOUR_128:+COMP_ZLIB:+COMP_NULL:+DHE_RSA:+RSA:+DHE_DSS:+MD5", NULL))
+ {
+- g_warning ("%s: failed to set mac priority\n", __FUNCTION__);
++ g_warning ("%s: failed to set priority\n", __FUNCTION__);
+ goto server_fail;
+ }
+
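Review bot: The priority string in openvas_server_new ends `:+DHE_DSS:+MD5` and drops the `GNUTLS_MAC_SHA1` that the removed mac_priority array listed first, so the server side would offer only HMAC-MD5 while every other string in this patch keeps `+SHA1:+MD5`; it should read `"...:+DHE_DSS:+SHA1:+MD5"`. In openvas_server_open the string `"+DHE_RSA:+RSA:+DHE_DSS"` has no initial keyword; in the GnuTLS versions I know, such a string is layered on top of the default priority set rather than replacing it, so unlike the old gnutls_kx_set_priority call it no longer limits key exchange to those three methods — if that limit is intended, start the string with `NONE:` and the full algorithm list as the other call sites do, and say so in a comment. In network.c the deleted set_gnutls_priorities helper logged failures through tlserror and normalised them to -1, whereas the new bodies hand back raw GnuTLS error codes with `NULL` for err_pos, so a parse failure is neither logged nor located; the callers of set_gnutls_sslv23/sslv3/tlsv1 are outside the hunk, so check whether they report the code. openvas_server_new continues past the end of the patch context.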