-rwxr-xr-x | extra/glib-networking/build | 4 | ||||
-rw-r--r-- | extra/glib-networking/checksums | 3 | ||||
-rw-r--r-- | extra/glib-networking/patches/libressl.patch | 121 | ||||
-rw-r--r-- | extra/glib-networking/sources | 3 | ||||
-rw-r--r-- | extra/glib-networking/version | 2 |
5 files changed, 128 insertions, 5 deletions
diff --git a/extra/glib-networking/build b/extra/glib-networking/build
index c981ccba..4b06ac82 100755
--- a/extra/glib-networking/build
+++ b/extra/glib-networking/build
@@ -2,8 +2,8 @@
 export DESTDIR="$1"
-# The new version requires openssl TLS1.3, which libressl hasn't fully
-# implemented yet. We now need gnutls, sadly.
+patch -p1 < libressl.patch
+
 cl-meson \
 -Dgnutls=enabled \
 . output
diff --git a/extra/glib-networking/checksums b/extra/glib-networking/checksums
index 8d47742d..177bcab7 100644
--- a/extra/glib-networking/checksums
+++ b/extra/glib-networking/checksums
@@ -1,2 +1,3 @@
 %BLAKE3
-a556aae48ce505774e984d0a566d9452cd3c8dcded0db20cfe63871c61002db8 glib-networking-2.70.1.tar.xz
+175c8c47aca7ca729ecedd68cc042dccabde73a96584585cd0300291a9e21885 glib-networking-2.72.0.tar.xz
+ed0366e9e1df448074e139fc4bc0696ed22f35ef9f34edfe7f740ebcba65828b libressl.patch
diff --git a/extra/glib-networking/patches/libressl.patch b/extra/glib-networking/patches/libressl.patch
new file mode 100644
index 00000000..6f92662b
--- /dev/null
+++ b/extra/glib-networking/patches/libressl.patch
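Review bot: The `cl-meson` call in the build hunk still passes only `-Dgnutls=enabled`, while the newly applied `libressl.patch` changes files under `tls/openssl/`; unless `cl-meson` or the project defaults enable the OpenSSL backend, the patched code is never compiled and the package keeps shipping only the GnuTLS backend. If the intent is to build that backend against LibreSSL, the options presumably need `-Dopenssl=enabled`, plus a decision on whether gnutls stays on. The removed comment explained why gnutls was needed, and nothing replaces it; a line such as `# libressl.patch: compile out OpenSSL-only APIs so the openssl backend builds with LibreSSL` above the `patch` call would tell the next maintainer what the patch is for and when it can be dropped.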
@@ -0,0 +1,121 @@
+diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
+index bcbdf49..dc896c0 100644
+--- a/tls/base/gtlsconnection-base.c
++++ b/tls/base/gtlsconnection-base.c
+@@ -1678,7 +1678,7 @@ finish_handshake (GTlsConnectionBase *tls,
+ if (priv->peer_certificate && !priv->peer_certificate_accepted)
+ {
+ g_set_error_literal (&my_error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+- _("Unacceptable TLS certificate"));
++ _("Nonnacceptable TLS certificate"));
+ success = FALSE;
+ }
+ }
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 2e3148c..cef9dd6 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -55,8 +55,10 @@ enum
+ PROP_PRIVATE_KEY,
+ PROP_PRIVATE_KEY_PEM,
+ PROP_ISSUER,
++ #ifndef LIBRESSL_VERSION_NUMBER
+ PROP_NOT_VALID_BEFORE,
+ PROP_NOT_VALID_AFTER,
++ #endif
+ PROP_SUBJECT_NAME,
+ PROP_ISSUER_NAME,
+ PROP_DNS_NAMES,
+@@ -219,10 +221,12 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ char *certificate_pem;
+ long size;
+
++ #ifndef LIBRESSL_VERSION_NUMBER
+ const ASN1_TIME *time_asn1;
+ struct tm time_tm;
+ GDateTime *time;
+ GTimeZone *tz;
++ #endif
+ X509_NAME *name;
+ const char *name_string;
+
+@@ -279,6 +283,7 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ g_value_set_object (value, openssl->issuer);
+ break;
+
++ #ifndef LIBRESSL_VERSION_NUMBER
+ case PROP_NOT_VALID_BEFORE:
+ time_asn1 = X509_get0_notBefore (openssl->cert);
+ ASN1_TIME_to_tm (time_asn1, &time_tm);
+@@ -296,6 +301,7 @@ g_tls_certificate_openssl_get_property (GObject *object,
+ g_value_take_boxed (value, time);
+ g_time_zone_unref (tz);
+ break;
++ #endif
+
+ case PROP_SUBJECT_NAME:
+ bio = BIO_new (BIO_s_mem ());
+@@ -538,8 +544,10 @@ g_tls_certificate_openssl_class_init (GTlsCertificateOpensslClass *klass)
+ g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
+ g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
+ g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
++ #ifndef LIBRESSL_VERSION_NUMBER
+ g_object_class_override_property (gobject_class, PROP_NOT_VALID_BEFORE, "not-valid-before");
+ g_object_class_override_property (gobject_class, PROP_NOT_VALID_AFTER, "not-valid-after");
++ #endif
+ g_object_class_override_property (gobject_class, PROP_SUBJECT_NAME, "subject-name");
+ g_object_class_override_property (gobject_class, PROP_ISSUER_NAME, "issuer-name");
+ g_object_class_override_property (gobject_class, PROP_DNS_NAMES, "dns-names");
+diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
+index 9cf6ad7..6953a34 100644
+--- a/tls/openssl/gtlsconnection-openssl.c
++++ b/tls/openssl/gtlsconnection-openssl.c
+@@ -206,7 +206,7 @@ end_openssl_io (GTlsConnectionOpenssl *openssl,
+ {
+ g_clear_error (&my_error);
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+- _("Unacceptable TLS certificate"));
++ _("Nonnacceptable TLS certificate"));
+ return G_TLS_CONNECTION_BASE_ERROR;
+ }
+
+@@ -581,10 +581,8 @@ perform_rehandshake (SSL *ssl,
+ GTlsConnectionBase *tls = user_data;
+ int ret = 1; /* always look on the bright side of life */
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+- if (SSL_version(ssl) >= TLS1_3_VERSION)
+- ret = SSL_key_update (ssl, SSL_KEY_UPDATE_REQUESTED);
+- else if (SSL_get_secure_renegotiation_support (ssl) && !(SSL_get_options(ssl) & SSL_OP_NO_RENEGOTIATION))
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
++ if (SSL_get_secure_renegotiation_support (ssl))
+ /* remote and local peers both can rehandshake */
+ ret = SSL_renegotiate (ssl);
+ else
+@@ -827,7 +825,7 @@ g_tls_connection_openssl_handshake_thread_handshake (GTlsConnectionBase *tls,
+ if (!g_tls_connection_base_handshake_thread_verify_certificate (tls))
+ {
+ g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+- _("Unacceptable TLS certificate"));
++ _("Notnacceptable TLS certificate"));
+ return G_TLS_CONNECTION_BASE_ERROR;
+ }
+ }
+diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
+index d24de05..54c607a 100644
+--- a/tls/openssl/gtlsserverconnection-openssl.c
++++ b/tls/openssl/gtlsserverconnection-openssl.c
+@@ -274,11 +274,13 @@ ssl_info_callback (const SSL *ssl,
+ int type,
+ int val)
+ {
++ #ifndef LIBRESSL_VERSION_NUMBER
+ if ((type & SSL_CB_HANDSHAKE_DONE) != 0)
+ {
+ /* Disable renegotiation (CVE-2009-3555) */
+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
++ #endif
+ }
+ #endif
+
diff --git a/extra/glib-networking/sources b/extra/glib-networking/sources
index 443f459d..4faa69e3 100644
--- a/extra/glib-networking/sources
+++ b/extra/glib-networking/sources
@@ -1 +1,2 @@
-https://download.gnome.org/sources/glib-networking/2.70/glib-networking-2.70.1.tar.xz
+https://download.gnome.org/sources/glib-networking/2.72/glib-networking-2.72.0.tar.xz
+patches/libressl.patch
diff --git a/extra/glib-networking/version b/extra/glib-networking/version
index 26375b8b..84ab5dab 100644
--- a/extra/glib-networking/version
+++ b/extra/glib-networking/version
@@ -1 +1 @@
-2.70.1 1
+2.72.0 1 |
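Review bot: In the `perform_rehandshake` part of `libressl.patch`, the TLS 1.3 `SSL_key_update` branch and the `SSL_OP_NO_RENEGOTIATION` check are deleted even though the new `#if ... && !defined(LIBRESSL_VERSION_NUMBER)` already keeps that whole block out of LibreSSL builds. The deletions therefore only affect real OpenSSL builds, which would no longer request a key update on TLS 1.3 and would attempt `SSL_renegotiate` even when renegotiation has been disabled by option; changing only the `#if` line and leaving the three removed lines in place would be enough. In `ssl_info_callback` the added `#ifndef LIBRESSL_VERSION_NUMBER` compiles out the renegotiation-disable written for CVE-2009-3555 and leaves an empty callback on LibreSSL; the enclosing `#if` opens outside the hunk, so please confirm whether this path is built there and, if so, how renegotiation is refused instead. The three `G_TLS_ERROR_BAD_CERTIFICATE` messages become `Nonnacceptable` (twice) and `Notnacceptable`, which are misspelled, inconsistent with each other and no longer match the msgid inside `_()`, so translations are lost; `_("Unacceptable TLS certificate")` should stay unless there is a reason not shown here.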