path: root/meta/recipes-support/gnutls
Age | Commit message | Author
2019-06-19 | gnutls:upgrade 3.6.7 -> 3.6.8 | Zang Ruochen
  -Upgrade from gnutls_3.6.7.bb to gnutls_3.6.8.bb.
  Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-06-07 | gnutls: Use the sysconfdir variable for the ca-certificates path | Philippe Normand
  Signed-off-by: Philippe Normand <philn@igalia.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-05-31 | gnutls: Use ca-certificates as default trust store file | Philippe Normand
  Since version 2.58 the glib-networking TLS database relies on GnuTLS's system trust store, so not enabling it leads to TLS errors in applications depending on glib-networking. The raised runtime warning is:
  process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
  (app:490): ... TLS Error: TLS certificate has unknown CA.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-04-15 | gnutls: upgrade 3.6.5 -> 3.6.7 | Adrian Bunk
  This is a new upstream release from the same stable branch bringing new features and bugfixes (including CVE fixes).
  COPYING changed http -> https.
  configure no longer has a --without-libunistring-prefix option.
  Signed-off-by: Adrian Bunk <bunk@stusta.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-01-07 | gnutls: update to 3.6.5 | Armin Kuster
  Bug fix only release
  Full details: https://lists.gnupg.org/pipermail/gnutls-help/2018-December/004465.html
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-12-05 | gnutls: no need to inherit binconfig | Ross Burton
  This recipe doesn't ship a *-config binary, so don't inherit binconfig.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-12-01 | libtasn1: no need to inherit binconfig | Ross Burton
  This recipe doesn't ship a *-config binary, so don't inherit binconfig.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-11-09 | gnutls: update to 3.6.4 | Armin Kuster
  Notable change: libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
  see: https://lists.gnupg.org/pipermail/gnutls-help/2018-September/004457.html
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  --
  [v2] Fix typo in version in subject
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-23 | gnutls: drop PACKAGECONFIG options for SSL v3 and TLS v1.3 | Andre McCurdy
  By including PACKAGECONFIG options, the recipe takes responsibility for defining the default state of these options. Although the recipe currently aligns with the gnutls defaults (ie both disabled) tracking new gnutls releases will be a maintenance effort. Unless there's a clear reason to do otherwise, it seems safer to leave the choice of which SSL/TLS versions to enable by default up to the gnutls developers.
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-23 | gnutls: drop obsolete configure.ac patch | Andre McCurdy
  From gnutls 3.5.8 onwards, the code in configure.ac has been passing "basename $i" to sed, rather than "echo $i". Since the full ${srcdir} path is not being processed, there's no risk of unexpected matches.
  https://gitlab.com/armcc/gnutls/commit/478179316bc815e1ad518ae318f46e94a13b0e1f
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-23 | gnutls: merge gnutls.inc into the gnutls recipe | Andre McCurdy
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-20 | gnutls: Update to 3.6.3 | Armin Kuster
  [v2] Fix new config options form with to disable.
  [v1] release notes: https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html
  add ssl3 and tls1.3 config options now supported.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-07 | Revert "gnutls: rationalise libunistring arguments" | Khem Raj
  This causes regression on build machines where libunistring is installed on host. It is also because gnutls is using non-standard AC macro called AC_LIB_HAVE_LINKFLAGS to detect this library and it is confusing cross builds.
  This reverts commit 60fef4940de7f0440f1216eb2ea0ea683b3e8fdd.
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-30 | gnutls: fix libidn dependencies | Ross Burton
  gnutls only works with libidn2, so update the build dependency.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-07-26 | gnutls: rationalise libunistring arguments | Ross Burton
  No need to pass --without-libunistring-prefix, and it looks a lot like we're trying to disable it.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-07-18 | gnutls: use HTTP instead of FTP | Ross Burton
  HTTP is in general more reliable so use that in the SRC_URI.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-05-04 | gnutls: update to 3.6.2 | Armin Kuster
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-09 | gnutls: refresh patches | Ross Burton
  The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in.
  Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad.
  We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed.
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-01-26 | libtasn1: upgrade to version 4.13 | Maxin B. John
  Remove backported patch: CVE-2017-10790.patch
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-12-02 | gnutls: update to 3.6.1 | Armin Kuster
  zlib configure.ac support removed in 3.6.1 drop patch
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-11-05 | gnutls: update to 3.5.16 | Armin Kuster
  This is a bug fix release on the current stable branch. Note that, I've also switched the release cadence to bi-monthly as less and less bug fixes/updates accumulate each month on this branch.
  ** API and ABI modifications:
  No changes since last version.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-16 | libtasn1: CVE-2017-10790 | Yue Tao
  The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2017-10790
  http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39
  Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-16 | meta: Remove further uclibc remnants (inc. patches and site files) | Richard Purdie
  Some of these are clearly dead, e.g. one binutils patch reverts the effects of the earlier one.
  This also removes the uclibc site files. We now have mechanisms to allow these to be extended from another layer should someone ever wish to do that.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-16 | meta: Drop remnants of uclibc support | Richard Purdie
  uclibc support was removed a while ago and musl works much better. Start to remove the various overrides and patches related to uclibc which are no longer needed.
  uclibc support in a layer would still be possible. I have strong reasons to believe nobody is still using uclibc since patches are missing and I doubt the metadata even parses anymore.
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-12 | gnutls: Upgrade to 3.5.13 | Fan Xin
  1. Upgrade gnutls from 3.5.9 to 3.5.13
  2. Rebase the following patch file.
     use-pkg-config-to-locate-zlib.patch
  Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-06-03 | libtasn1: upgrade 4.10 -> 4.12 | Maxin B. John
  Noteworthy changes:
  1. Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate an invalid encoding in the DER time fields.
  2. Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag allows decoding errors in time fields even when in strict DER mode.
  3. Added safety check in asn1_find_node(). That prevents a crash when a very long variable name is provided by the developer.
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-05-10 | gnutls: move BBCLASSEXTEND from gnutls.inc into the gnutls recipe | Andre McCurdy
  There may be alternative gnutls recipes outside oe-core which include gnutls.inc but which don't want BBCLASSEXTEND = "native nativesdk".
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-01 | gnutls: update to 3.5.9 | Alexander Kanavin
  Drop 0001-Do-not-add-cli-args.h-to-cli-args.stamp-Makefile-tar.patch, it's merged upstream.
  Rebase 0001-configure.ac-fix-sed-command.patch.
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-02-05 | libtasn1: Upgrade 4.9 -> 4.10 | Maxin B. John
  Removed the following Backported patches:
  1. 0001-configure-don-t-add-Werror-to-build-flags.patch
  2. 0002-ASN.y-corrected-compiler-warning.patch
  3. 0003-parser_aux-corrected-potential-null-pointer-derefere.patch
  4. 0004-tools-eliminated-compiler-warnings.patch
  fixed the following build error with musl
  ...
  | from ../../libtasn1-4.10/gl/getopt.c:28:
  | ./stdint.h:89:5: error: #if with no expression
  | #if
  | ^
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-31 | libtasn1: depends on yacc | Patrick Ohly
  This fixes a potential pollution by the build host and build error when yacc isn't installed on the build host:
  | ../../libtasn1-4.9/build-aux/ylwrap: line 175: yacc: command not found
  | Makefile:1116: recipe for target 'ASN1.c' failed
  | make[3]: *** [ASN1.c] Error 127
  Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-01-31 | gnutls: avoid accidentally using libseccomp | Joe Slater
  Specify whether to use libseccomp or not. Do not just let configure check for it.
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-01-31 | gnutls: account for ARM_EABI | Joe Slater
  Do not reference unavailable system calls when building for ARM_EABI.
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-22 | gnutls: Do not use libunistring prefix | Khem Raj
  when using clang, configure is poking at build host; if we do not use it then it falls back to sysroot which is what we need here.
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-17 | gnutls: update to 3.5.7 | Alexander Kanavin
  Add a 0001-Do-not-add-cli-args.h-to-cli-args.stamp-Makefile-tar.patch to fix a compile issue (incorrect creation of an empty header).
  Add a libunistring dependency as gnutls has gained it.
  (From OE-Core rev: b2ec343ad770c26f39f3a6d335e4bb3ccbf41aec)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-16 | meta: remove True option to getVar calls | Joshua Lock
  getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace.
  Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
  Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30 | gnutls: update to 3.5.6 | Alexander Kanavin
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-10-28 | gnutls: update to 3.5.5 | Alexander Kanavin
  Remove backported 0001-Use-correct-include-dir-with-minitasn.patch and CVE-2016-7444.patch (which still applied silently and incorrectly: https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450).
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-10-11 | gnutls: Backport certificate check fix | Jussi Kukkonen
  Previously the OCSP certificate check wouldn't verify the serial length and could succeed in cases it shouldn't (CVE-2016-7444).
  Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-23 | gnutls: Skip QA check for text relocation on x86 | Jussi Kukkonen
  Current release has relocations in .text on x86. Silence the warning for now: Upcoming release should have a real fix.
  [YOCTO #10290]
  Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-09 | libtasn1: enable gtk-doc | Alexander Kanavin
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
2016-09-09 | gnutls: enable gtk-doc | Alexander Kanavin
  gtk-doc also requires --enable-doc, so that is no longer configurable.
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
2016-09-08 | gnutls: update to 3.5.3 | Jussi Kukkonen
  Add patch to fix compile without libtasn headers.
  (From OE-Core rev: b43e4499fb3bae4740660a729a900d951eab00e8)
  Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 | libtasn1: Backport compiler warning fixes | Khem Raj
  These patches are backported from master to fix issues raised by clang compiler.
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-08-01 | libtasn1: upgrade to 4.9 | Maxin B. John
  4.8 -> 4.9
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-10 | gnutls: update to 3.5.1 | Alexander Kanavin
  Remove no longer supported --disable-crywrap option.
  Add a checksum for the LICENSE file with licensing overview.
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-12 | gnutls: update 3.4.9 -> 3.4.11 | Andre McCurdy
  * Version 3.4.10 (released 2016-03-03)
  ** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes to be used with hashing functions.
  ** libgnutls: Corrected leaks and other issues in gnutls_x509_crt_list_import().
  ** libgnutls: Fixes in DSA key handling for PKCS #11. Report and patches by Jan Vcelak.
  ** libgnutls: Several fixes to prevent relying on undefined behavior of C (found with libubsan).
  * Version 3.4.11 (released 2016-04-11)
  ** libgnutls: Fixes in gnutls_record_get/set_state() with DTLS. Reported by Fridolin Pokorny.
  ** libgnutls: Fixes in DSA key generation under PKCS #11. Report and patches by Jan Vcelak.
  ** libgnutls: Corrected behavior of ALPN extension parsing during session resumption. Report and patches by Yuriy M. Kaminskiy.
  ** libgnutls: Corrected regression (since 3.4.0) in gnutls_server_name_set() which caused it not to accept non-null-terminated hostnames. Reported by Tim Ruehsen.
  ** libgnutls: Corrected printing of the IP Address name constraints.
  ** ocsptool: use HTTP/1.0 for requests. This avoids issue with servers serving chunk encoding which ocsptool doesn't support. Reported by Thomas Klute.
  ** certtool: do not require a CA for OCSP signing tag. This follows the recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate OCSP signing to another certificate without requiring it to be a CA. Reported by Thomas Klute.
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-05-09 | libtasn1: upgrade to 4.8 | Maxin B. John
  4.7 -> 4.8
  Signed-off-by: Maxin B. John <maxin.john@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-02-04 | gnutls: update 3.4.8 -> 3.4.9 | Andre McCurdy
  This version fixes bugs in the current stable branch.
  * Version 3.4.9 (released 2016-02-03)
  ** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate the last commonly supported protocol, rather than the first. Reported by Remi Denis-Courmont (#63).
  ** libgnutls: Tolerate empty DN fields in informational output functions.
  ** libgnutls: Corrected regression caused by incorrect fix in gnutls_x509_ext_export_key_usage() at 3.4.8 release.
  ** API and ABI modifications:
  No changes since last version.
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-02-04 | gnutls.inc: allow libidn support to be controlled via PACKAGECONFIG | Andre McCurdy
  libidn (Internationalized Domain Name support library) may not be desired in all cases, so add a PACKAGECONFIG option to control it.
  Allow --enable-doc, libtasn1 internal -vs- external (still internal by default) and p11-kit support to be controlled via PACKAGECONFIG too.
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-02-04 | gnutls.inc: add gmp to DEPENDS | Andre McCurdy
  GnuTLS depends on gmp. The dependency is usually satisfied indirectly via nettle, but for correctness make it explicit in the gnutls recipe.
  Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>