From 629005d0936f50dd6d0c8559dbaecdf66750c81a Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sun, 8 Oct 2017 10:53:54 +0200 Subject: [PATCH] iksemel: fixes and cleanups - Currently iksemel doesn't recognize gnutls anymore. Fix that by substituting the currently used patches with one that also Debian is using. It allows gnutls detection via pkgconfig. - Add another patch Debian is using to enable secure gnutls options. - Update project URL. - Remove unneeded flags and Build/Prepare customizations. - Cleanup DEPENDS. Signed-off-by: Sebastian Kemper --- libs/iksemel/Makefile | 23 +-- libs/iksemel/patches/001-missing-macros.patch | 163 ------------------ .../patches/001-pkgconfig-gnutls.patch | 28 +++ .../patches/002-secure_gnutls_options.patch | 38 ++++ ...newer-gnutls_priority_set_direct-api.patch | 65 ------- 5 files changed, 70 insertions(+), 247 deletions(-) delete mode 100644 libs/iksemel/patches/001-missing-macros.patch create mode 100644 libs/iksemel/patches/001-pkgconfig-gnutls.patch create mode 100644 libs/iksemel/patches/002-secure_gnutls_options.patch delete mode 100644 libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch diff --git a/libs/iksemel/Makefile b/libs/iksemel/Makefile index b763e52..56079ed 100644 --- a/libs/iksemel/Makefile +++ b/libs/iksemel/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2014 OpenWrt.org +# Copyright (C) 2014 - 2017 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=iksemel PKG_VERSION:=1.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/ 
@@ -30,8 +30,8 @@ define Package/libiksemel SECTION:=libs CATEGORY:=Libraries TITLE:=Iksemel Jabber Library - URL:=http://code.google.com/p/iksemel/ - DEPENDS:= +libgnutls +libtasn1 +libgcrypt +libgpg-error + URL:=https://github.com/meduketto/iksemel + DEPENDS:=+libgnutls endef define Package/libiksemel/description @@ -41,21 +41,6 @@ in ANSI C except the network code (which is POSIX compatible), thus highly portable. endef -TARGET_CFLAGS += $(FPIC) -TARGET_LDFLAGS += \ - -Wl,-rpath-link,$(STAGING_DIR)/usr/lib \ - -lgnutls -lgcrypt -lgpg-error - -define Build/Configure - $(call Build/Configure/Default, \ - --enable-shared \ - --enable-static \ - --with-libgnutls-prefix="$(STAGING_DIR)/usr" \ - , \ - LIBS="$(TARGET_LDFLAGS)" \ - ) -endef - define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include/ $(CP) $(PKG_INSTALL_DIR)/usr/include/iksemel.h $(1)/usr/include/ diff --git a/libs/iksemel/patches/001-missing-macros.patch b/libs/iksemel/patches/001-missing-macros.patch deleted file mode 100644 index 4563ac5..0000000 --- a/libs/iksemel/patches/001-missing-macros.patch +++ /dev/null 
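Review bot: The project `URL:=` now points at GitHub, but the `PKG_SOURCE_URL:=http://iksemel.googlecode.com/files/` context line in the earlier Makefile hunk is left unchanged, so the tarball is still fetched over plain HTTP from the host this commit no longer treats as the project home. Integrity of the download then rests entirely on the package checksum line, which is outside the visible hunks and should be confirmed present. If the source location cannot move to an HTTPS mirror in this change, a comment next to it such as `# fetched over plain HTTP; integrity depends on the package checksum` would make that dependency explicit.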
@@ -1,163 +0,0 @@ ---- /dev/null -+++ b/gnutls.m4 -@@ -0,0 +1,160 @@ -+dnl Autoconf macros for libgnutls -+dnl $id$ -+ -+# Modified for LIBGNUTLS -- nmav -+# Configure paths for LIBGCRYPT -+# Shamelessly stolen from the one of XDELTA by Owen Taylor -+# Werner Koch 99-12-09 -+ -+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) -+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS -+dnl -+AC_DEFUN([AM_PATH_LIBGNUTLS], -+[dnl -+dnl Get the cflags and libraries from the libgnutls-config script -+dnl -+AC_ARG_WITH(libgnutls-prefix, -+ [ --with-libgnutls-prefix=PFX Prefix where libgnutls is installed (optional)], -+ libgnutls_config_prefix="$withval", libgnutls_config_prefix="") -+ -+ if test x$libgnutls_config_prefix != x ; then -+ if test x${LIBGNUTLS_CONFIG+set} != xset ; then -+ LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config -+ fi -+ fi -+ -+ AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no) -+ min_libgnutls_version=ifelse([$1], ,0.1.0,$1) -+ AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version) -+ no_libgnutls="" -+ if test "$LIBGNUTLS_CONFIG" = "no" ; then -+ no_libgnutls=yes -+ else -+ LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags` -+ LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs` -+ libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version` -+ -+ -+ ac_save_CFLAGS="$CFLAGS" -+ ac_save_LIBS="$LIBS" -+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS" -+ LIBS="$LIBS $LIBGNUTLS_LIBS" -+dnl -+dnl Now check if the installed libgnutls is sufficiently new. 
Also sanity -+dnl checks the results of libgnutls-config to some extent -+dnl -+ rm -f conf.libgnutlstest -+ AC_TRY_RUN([ -+#include -+#include -+#include -+#include -+ -+int -+main () -+{ -+ system ("touch conf.libgnutlstest"); -+ -+ if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) ) -+ { -+ printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n", -+ "$libgnutls_config_version", gnutls_check_version(NULL) ); -+ printf("*** was found! If libgnutls-config was correct, then it is best\n"); -+ printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n"); -+ printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); -+ printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n"); -+ printf("*** required on your system.\n"); -+ printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n"); -+ printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n"); -+ printf("*** before re-running configure\n"); -+ } -+ else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) ) -+ { -+ printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION); -+ printf("*** library (version %s)\n", gnutls_check_version(NULL) ); -+ } -+ else -+ { -+ if ( gnutls_check_version( "$min_libgnutls_version" ) ) -+ { -+ return 0; -+ } -+ else -+ { -+ printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n", -+ gnutls_check_version(NULL) ); -+ printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n", -+ "$min_libgnutls_version" ); -+ printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n"); -+ printf("*** \n"); -+ printf("*** If you have already installed a sufficiently new version, this error\n"); -+ printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n"); -+ printf("*** being found. 
The easiest way to fix this is to remove the old version\n"); -+ printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n"); -+ printf("*** correct copy of libgnutls-config. (In this case, you will have to\n"); -+ printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n"); -+ printf("*** so that the correct libraries are found at run-time))\n"); -+ } -+ } -+ return 1; -+} -+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"]) -+ CFLAGS="$ac_save_CFLAGS" -+ LIBS="$ac_save_LIBS" -+ fi -+ -+ if test "x$no_libgnutls" = x ; then -+ AC_MSG_RESULT(yes) -+ ifelse([$2], , :, [$2]) -+ else -+ if test -f conf.libgnutlstest ; then -+ : -+ else -+ AC_MSG_RESULT(no) -+ fi -+ if test "$LIBGNUTLS_CONFIG" = "no" ; then -+ echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found" -+ echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in" -+ echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the" -+ echo "*** full path to libgnutls-config." -+ else -+ if test -f conf.libgnutlstest ; then -+ : -+ else -+ echo "*** Could not run libgnutls test program, checking why..." -+ CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS" -+ LIBS="$LIBS $LIBGNUTLS_LIBS" -+ AC_TRY_LINK([ -+#include -+#include -+#include -+#include -+], [ return !!gnutls_check_version(NULL); ], -+ [ echo "*** The test program compiled, but did not run. This usually means" -+ echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong" -+ echo "*** version of LIBGNUTLS. 
If it is not finding LIBGNUTLS, you'll need to set your" -+ echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point" -+ echo "*** to the installed location Also, make sure you have run ldconfig if that" -+ echo "*** is required on your system" -+ echo "***" -+ echo "*** If you have an old version installed, it is best to remove it, although" -+ echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" -+ echo "***" ], -+ [ echo "*** The test program failed to compile or link. See the file config.log for the" -+ echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed" -+ echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you" -+ echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ]) -+ CFLAGS="$ac_save_CFLAGS" -+ LIBS="$ac_save_LIBS" -+ fi -+ fi -+ LIBGNUTLS_CFLAGS="" -+ LIBGNUTLS_LIBS="" -+ ifelse([$3], , :, [$3]) -+ fi -+ rm -f conf.libgnutlstest -+ AC_SUBST(LIBGNUTLS_CFLAGS) -+ AC_SUBST(LIBGNUTLS_LIBS) -+]) -+ -+dnl *-*wedit:notab*-* Please keep this as the last line. diff --git a/libs/iksemel/patches/001-pkgconfig-gnutls.patch b/libs/iksemel/patches/001-pkgconfig-gnutls.patch new file mode 100644 index 0000000..ebc870d --- /dev/null +++ b/libs/iksemel/patches/001-pkgconfig-gnutls.patch 
@@ -0,0 +1,28 @@
+Last-Update: 2013-07-29
+Forwarded: not-needed
+Origin: upstream, commit:4652af9cf119145af3a90c632f8a6db215946784
+Bug-Iksemel: https://code.google.com/p/iksemel/issues/detail?id=20
+Author: Dmitry Smirnov
+Description: use pkgconfig for checking gnutls
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -44,9 +44,17 @@
+ AC_SEARCH_LIBS(recv,socket)
+ AC_CHECK_FUNCS(getopt_long)
+ AC_CHECK_FUNCS(getaddrinfo)
+
+-AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls"))
++dnl Check GNU TLS
++PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0, have_gnutls=yes, have_gnutls=no)
++if test "x$have_gnutls" = "xyes"; then
++ LIBGNUTLS_CFLAGS="$GNUTLS_CFLAGS"
++ LIBGNUTLS_LIBS="$GNUTLS_LIBS"
++ AC_SUBST(LIBGNUTLS_CFLAGS)
++ AC_SUBST(LIBGNUTLS_LIBS)
++ AC_DEFINE(HAVE_GNUTLS, 1, [whether to use GnuTSL support.])
++fi
+
+ dnl Check -Wall flag of GCC
+ if test "x$GCC" = "xyes"; then
+ if test -z "`echo "$CFLAGS" | grep "\-Wall" 2> /dev/null`" ; then
diff --git a/libs/iksemel/patches/002-secure_gnutls_options.patch b/libs/iksemel/patches/002-secure_gnutls_options.patch
new file mode 100644
index 0000000..bf09e17
--- /dev/null
+++ b/libs/iksemel/patches/002-secure_gnutls_options.patch
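Review bot: When `PKG_CHECK_MODULES` does not find gnutls, the added block only sets `have_gnutls=no` and configure carries on, so the library is built without TLS support and nothing fails; that is the same silent outcome the commit message describes for the old detection. Since the package declares `+libgnutls`, a hard stop is safer: add `else` / `AC_MSG_ERROR([gnutls not found via pkg-config])` before the `fi`. The floor `gnutls >= 2.0.0` also looks lower than what the priority string introduced by 002-secure_gnutls_options.patch needs (`gnutls_priority_set_direct` and the `VERS-TLS1.2` keyword are, as far as I know, later additions), so raising it would turn a runtime handshake failure into a configure-time one. The description string has a typo, `GnuTSL`.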
@@ -0,0 +1,38 @@
+Last-Update: 2015-10-28
+Bug-Upstream: https://github.com/meduketto/iksemel/issues/48
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803204
+From: Marc Dequènes (duck)
+Description: fix security problem (and compatibility problem with servers rejecting low grade ciphers).
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -62,13 +62,9 @@
+
+ static int
+ handshake (struct stream_data *data)
+ {
+- const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+- const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
+- const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
+- const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+- const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
++ const char *priority_string = "SECURE256:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2";
+ int ret;
+
+ if (gnutls_global_init () != 0)
+ return IKS_NOMEM;
+@@ -79,13 +75,9 @@
+ if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
+ gnutls_certificate_free_credentials (data->cred);
+ return IKS_NOMEM;
+ }
+- gnutls_protocol_set_priority (data->sess, protocol_priority);
+- gnutls_cipher_set_priority(data->sess, cipher_priority);
+- gnutls_compression_set_priority(data->sess, comp_priority);
+- gnutls_kx_set_priority(data->sess, kx_priority);
+- gnutls_mac_set_priority(data->sess, mac_priority);
++ gnutls_priority_set_direct(data->sess, priority_string, NULL);
+ gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
+
+ gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
+ gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
diff --git a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch b/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
deleted file mode 100644
index 8f91d10..0000000
--- a/libs/iksemel/patches/002-use-of-newer-gnutls_priority_set_direct-api.patch
+++ /dev/null
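Review bot: The return value of `gnutls_priority_set_direct(data->sess, priority_string, NULL)` is discarded, so if the GnuTLS build rejects the string (an unknown keyword, for example) the session goes on to the handshake without the intended cipher policy applied, and the failure is not reported where it happened. The call should be checked and the session torn down on error, in the same way the `gnutls_init` branch just above frees the credentials; the fence below shows the shape. Separately, `-VERS-TLS-ALL:+VERS-TLS1.2` pins the client to exactly TLS 1.2, which also excludes newer protocol versions on GnuTLS builds that offer them; a short comment above `priority_string` recording why the policy is hard-coded rather than derived from `NORMAL` would help the next maintainer. `handshake()` continues past the end of the second inner hunk, so the rest of its error paths are not visible here.

```c
	/* ... unchanged: gnutls_global_init and gnutls_init checks ... */
	if (gnutls_priority_set_direct (data->sess, priority_string, NULL) != GNUTLS_E_SUCCESS) {
		/* Refuse to continue with an unapplied cipher/protocol policy. */
		gnutls_deinit (data->sess);
		gnutls_certificate_free_credentials (data->cred);
		return IKS_NET_TLSFAIL;
	}
	gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
	/* ... unchanged: transport push/pull setup ... */
```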
@@ -1,65 +0,0 @@ -From 6b213b593c5b499679506a8c169ff3f0f4d6a34f Mon Sep 17 00:00:00 2001 -From: John Papandriopoulos -Date: Thu, 20 Aug 2015 16:55:39 -0700 -Subject: [PATCH] Use of newer gnutls_priority_set_direct API - ---- - configure.ac | 1 + - src/stream.c | 13 +++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 91e69e3..281a044 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -46,6 +46,7 @@ AC_CHECK_FUNCS(getopt_long) - AC_CHECK_FUNCS(getaddrinfo) - - AM_PATH_LIBGNUTLS(,AC_DEFINE(HAVE_GNUTLS,,"Use libgnutls")) -+AM_PATH_LIBGNUTLS(,AC_CHECK_FUNCS(gnutls_priority_set_direct)) - - dnl Check -Wall flag of GCC - if test "x$GCC" = "xyes"; then -diff --git a/src/stream.c b/src/stream.c -index e8a1e8c..7d19a82 100644 ---- a/src/stream.c -+++ b/src/stream.c -@@ -63,11 +63,20 @@ tls_pull (iksparser *prs, char *buffer, size_t len) - static int - handshake (struct stream_data *data) - { -+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT -+ const char *priorities = -+ "NONE" -+ ":+VERS-TLS1.0:+VERS-SSL3.0" -+ ":+RSA" -+ ":+3DES-CBC:+ARCFOUR-128" -+ ":+SHA1:+SHA256:+SHA384:+MD5"; -+#else - const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; - const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; - const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; - const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; -+#endif - int ret; - - if (gnutls_global_init () != 0) -@@ -80,11 +89,15 @@ handshake (struct stream_data *data) - gnutls_certificate_free_credentials (data->cred); - return IKS_NOMEM; - } -+#if HAVE_GNUTLS_PRIORITY_SET_DIRECT -+ gnutls_priority_set_direct (data->sess, priorities, NULL); -+#else - gnutls_protocol_set_priority (data->sess, protocol_priority); - gnutls_cipher_set_priority(data->sess, cipher_priority); - gnutls_compression_set_priority(data->sess, comp_priority); - gnutls_kx_set_priority(data->sess, 
kx_priority); - gnutls_mac_set_priority(data->sess, mac_priority); -+#endif - gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); - - gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); --- -2.1.4 -- 2.30.2