From bf79a01618f316e196ee8f3f9119197b53c4d585 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Feb 14 2014 09:14:35 +0000
Subject: Merge branch 'f20' into f19
Conflicts:
gnutls.spec
---
diff --git a/.gitignore b/.gitignore
index dfa0c90..fc3ea84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.1.16-hobbled.tar.xz
 /gnutls-3.1.17-hobbled.tar.xz
 /gnutls-3.1.18-hobbled.tar.xz
+/gnutls-3.1.20-hobbled.tar.xz
diff --git a/gnutls-3.1.20-init-keyword.patch b/gnutls-3.1.20-init-keyword.patch
new file mode 100644
index 0000000..114ffd5
--- /dev/null
+++ b/gnutls-3.1.20-init-keyword.patch
@@ -0,0 +1,42 @@
+From 3209f21e7dda37fc4af610951044a3f467db6bce Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sun, 2 Feb 2014 08:58:25 +0100
+Subject: [PATCH 3/4] When two initial keywords are specified then treat the
+ second as having the '+' modifier.
+
+This will handle SECURE256:SECURE128 the same way as SECURE256:+SECURE128.
+---
+ lib/gnutls_priority.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 7eff609..1ec6f28 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -838,6 +838,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
+ int broken_list_size = 0, i = 0, j;
+ char *darg = NULL;
+ int algo;
++ unsigned ikeyword_set = 0;
+ rmadd_func *fn;
+ bulk_rmadd_func *bulk_fn;
+
+@@ -886,12 +887,14 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
+ else
+ {
+ i = 1;
++ ikeyword_set = 1;
+ }
+
+ for (; i < broken_list_size; i++)
+ {
+- if (check_level(broken_list[i], *priority_cache, 0) != 0)
++ if (check_level(broken_list[i], *priority_cache, ikeyword_set) != 0)
+ {
++ ikeyword_set = 1;
+ continue;
+ }
+ else if (broken_list[i][0] == '!' || broken_list[i][0] == '+'
+--
+1.8.5.3
+
diff --git a/gnutls-3.1.20-supported-ecc.patch b/gnutls-3.1.20-supported-ecc.patch
new file mode 100644
index 0000000..3b6fd8e
--- /dev/null
+++ b/gnutls-3.1.20-supported-ecc.patch
@@ -0,0 +1,33 @@
+From 88c5fb27646b3b3c130dda716be3ff257e3ef210 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sat, 1 Feb 2014 20:24:40 +0100
+Subject: [PATCH 1/4] tolerate servers that included the SUPPORTED ECC
+ extension.
+
+This is an extension that is defined to be sent by the client but there
+are servers that include it as well. Most other implementations tolerate
+this behavior so we do.
+
+Conflicts:
+ lib/ext/ecc.c
+---
+ lib/ext/ecc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c
+index 8f9eddb..814f6d8 100644
+--- a/lib/ext/ecc.c
++++ b/lib/ext/ecc.c
+@@ -92,7 +92,8 @@ _gnutls_supported_ecc_recv_params (gnutls_session_t session,
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ {
+ /* A client shouldn't receive this extension */
+- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
++ _gnutls_debug_log("received SUPPORTED ECC extension on client side!!!\n");
++ return 0;
+ }
+ else
+ { /* SERVER SIDE - we must check if the sent supported ecc type is the right one
+--
+1.8.5.3
+
diff --git a/gnutls-3.1.20-v1-fix.patch b/gnutls-3.1.20-v1-fix.patch
new file mode 100644
index 0000000..5964af5
--- /dev/null
+++ b/gnutls-3.1.20-v1-fix.patch
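Review bot: The context comment `/* A client shouldn't receive this extension */` now sits directly above the two added lines that accept the extension, so it contradicts the behaviour the patch introduces. Replace it with a comment that records the decision, e.g. `/* Defined as client-to-server only, but some servers echo it back; ignore it for interoperability instead of failing the handshake */`, so the next reader does not "fix" the `return 0` back into an error. The added path returns 0 without examining anything else in the message, which is the conservative choice and worth stating in that comment rather than only in the `_gnutls_debug_log` text. The body of `_gnutls_supported_ecc_recv_params` continues outside the hunk.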
@@ -0,0 +1,16 @@
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index cb8289e..86a901e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+ * certificates can exist in a supplied chain.
+ */
+ if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ {
++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++ }
+ if ((ret =
+ _gnutls_verify_certificate2 (certificate_list[i - 1],
+ &certificate_list[i], 1, flags,
diff --git a/gnutls.spec b/gnutls.spec
index 08af26d..a9293dd 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -2,7 +2,7 @@
 %bcond_with guile
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 3.1.18
+Version: 3.1.20
 Release: 3%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+, however
 # the bundled gnulib is LGPLv3+
@@ -33,12 +33,15 @@ Source1: libgnutls-config
 Source2: hobble-gnutls
 Source3: ecc.c
 Patch1: gnutls-3.1.17-rpath.patch
+Patch2: gnutls-3.1.20-init-keyword.patch
+Patch3: gnutls-3.1.20-supported-ecc.patch
 # Use only FIPS approved ciphers in the FIPS mode
 Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
 # Use random port in some tests to avoid conflicts during simultaneous builds on the same machine
 Patch9: gnutls-3.1.10-tests-rndport.patch
 Patch10: gnutls-3.1.18-suiteb.patch
+Patch11: gnutls-3.1.20-v1-fix.patch
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
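Review bot: The new `gnutls-3.1.20-v1-fix.patch` carries no description header, unlike `gnutls-3.1.20-init-keyword.patch` and `gnutls-3.1.20-supported-ecc.patch`, which keep the upstream From/Subject lines, so the only record of what it fixes is the `Fix CVE-2014-1959 (#1065094)` line in the spec changelog. A short preamble above the `diff --git a/lib/x509/verify.c` line, e.g. `Backport of upstream <upstream-commit-id> for CVE-2014-1959 (#1065094): treat a non-ALLOW_ANY chain as DO_NOT_ALLOW_X509_V1_CA_CRT so V1 CA certificates in the chain are rejected`, would let the next packager rebase or audit it without cross-referencing the changelog. The comment block that starts with `* certificates can exist in a supplied chain.` begins outside the hunk, so whether it already explains the two flags cannot be seen here; if not, the new `flags |=` line is the place to say why clearing the allow bit alone was insufficient. The enclosing `_gnutls_x509_verify_certificate` continues past the hunk.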
@@ -140,16 +143,20 @@ This package contains Guile bindings for the library.
 %setup -q
 %patch1 -p1 -b .rpath
+%patch2 -p1 -b .ikeyword
+%patch3 -p1 -b .supported-ecc
 # This patch is not applicable as we use nettle now but some parts will be
 # later reused.
 #%patch7 -p1 -b .fips
 %patch8 -p1 -b .nosrp
 %patch9 -p1 -b .rndport
 %patch10 -p1 -b .suiteb
+%patch11 -p1 -b .v1-fix
 %{SOURCE2} -e
 cp -f %{SOURCE3} lib/algorithms
+rm -f doc/gnutls.info*
 %build
@@ -159,7 +166,6 @@ export LDFLAGS="-Wl,--no-add-needed"
 --with-included-libcfg \
 --disable-static \
 --disable-openssl-compatibility \
- --without-tpm \
 --disable-srp-authentication \
 --without-tpm \
 --enable-local-libopts \
@@ -281,6 +287,15 @@ fi
 %endif
 %changelog
+* Fri Feb 14 2014 Nikos Mavrogiannopoulos 3.1.20-3
+- Fix CVE-2014-1959 (#1065094)
+
+* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.1.20-1
+- new upstream release
+- Fixed issue with gnutls.info not being available
+- Compile with trousers
+- Pulled fix from upstream for illegal supported-ecc extension (#1060411)
+
 * Thu Jan 02 2014 Nikos Mavrogiannopoulos 3.1.18-3
 - Applied fix in suiteb patch to prevent crash in multiple deinitializations (#1046672)
diff --git a/sources b/sources
index 434eb4a..e702ad0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1250e5821798bf92bdc3a6a3fb5ca82b gnutls-3.1.18-hobbled.tar.xz
+77a71225d23f825c655e0b57011ce1e1 gnutls-3.1.20-hobbled.tar.xz
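Review bot: The changelog line `- Compile with trousers` is not backed by the configure hunk: it removes only the duplicated `--without-tpm \` line, and a second `--without-tpm \` still follows `--disable-srp-authentication \`, so TPM support remains disabled unless something outside these hunks changes it. Either the remaining flag should become `--with-tpm \` (with a matching `BuildRequires: trousers-devel`, which is not visible in this diff), or the changelog entry should say that a duplicate configure flag was dropped. The new `rm -f doc/gnutls.info*` in %prep forces the manual to be rebuilt from source during %build, which presumably needs a texinfo build dependency already present elsewhere in the spec; worth confirming since that is what the `gnutls.info not being available` entry relies on.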