security: re-enable anonymous gnutls handshake

This patch imports a gnutls upstream patch to fix the DTLS packet re-ordering and re-enable our anonymous call feature. We bump gnutls at least on 3.4.14, even if not published yet, as the upstream patch will not be available since this version. We continue to use the 3.4.10 release to apply our local patch. We force also our contrib nettle to be build as some distributions do not compile this library as we need to. Change-Id: I3238993d56b41258f214cfaba7230dcd0538c5d2 Tuleap: #788

security: re-enable anonymous gnutls handshake
46285595 · Guillaume Roguez · 74151247 · 46285595 · 46285595 · 46285595
Commit 46285595 authored 8 years ago by Guillaume Roguez
--- a/contrib/src/gnutls/dtls-packet-reordering.patch
+++ b/contrib/src/gnutls/dtls-packet-reordering.patch
+--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
+@@ -1033 +1033 @@
+-		    && hsk->end_offset >=
+		    && hsk->end_offset + 1 >=
--- a/contrib/src/gnutls/rules.mak
+++ b/contrib/src/gnutls/rules.mak
@@ -4,7 +4,9 @@ GNUTLS_VERSION := 3.4.10
 GNUTLS_URL := ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-$(GNUTLS_VERSION).tar.xz

 PKGS += gnutls
-ifeq ($(call need_pkg,"gnutls >= 3.3.19"),)
+# We need at least the 3.4.10, but DTLS handshake re-ordered packet fix is only available since 3.4.14
+# So we patch the 3.4.10 until official release of 3.4.14
+ifeq ($(call need_pkg,"gnutls >= 3.4.14"),)
 PKGS_FOUND += gnutls
 endif

@@ -32,6 +34,7 @@ ifndef HAVE_IOS
 	$(APPLY) $(SRC)/gnutls/mac-keychain-lookup.patch
 endif
 	$(APPLY) $(SRC)/gnutls/format-security.patch
+	$(APPLY) $(SRC)/gnutls/dtls-packet-reordering.patch
 	$(call pkg_static,"lib/gnutls.pc.in")
 	$(UPDATE_AUTOCONFIG)
 	$(MOVE)

--- a/contrib/src/nettle/rules.mak
+++ b/contrib/src/nettle/rules.mak
@@ -3,9 +3,14 @@
 NETTLE_VERSION := 3.1
 NETTLE_URL := $(GNU)/nettle/nettle-$(NETTLE_VERSION).tar.gz

-ifeq ($(call need_pkg,"nettle >= 3.1"),)
-PKGS_FOUND += nettle
-endif
+PKGS += nettle
+
+# TEMPORARY DISABLED
+# Force nettle contrib until gnutls major patches are upstream and released
+# See gnutls rules.mak for more information
+#ifeq ($(call need_pkg,"nettle >= 3.1"),)
+#PKGS_FOUND += nettle
+#endif

 $(TARBALLS)/nettle-$(NETTLE_VERSION).tar.gz:
 	$(call download,$(NETTLE_URL))

--- a/src/security/tls_session.h
+++ b/src/security/tls_session.h
@@ -137,7 +137,7 @@ public:
    };

    TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, const TlsParams& params,
-               const TlsSessionCallbacks& cbs, bool anonymous=false);
+               const TlsSessionCallbacks& cbs, bool anonymous=true);
    ~TlsSession();

    // Returns the TLS session type ('server' or 'client')