Dear GnuTLS maintainers,

with the new gnutls v3.4 in unstable we now hit some old functions,
marked as deprecated, as errors while building the libvmime package. ;)
libvmime is a reverse dependency for the zarafa groupware we have
packaged and is currently waiting in the new queue.
The upstream maintainer of libvmime hasn't released a newer version
than 0.9.1 and so we have to fight with this old version (released
2010-11-16).

Peter Green has submitted a debdiff with a possible solution that can be
seen below. I'm not a security expert on the functions used inside libvmime
and found another solution based on the suggestions for upgrading to 3.4
[1] and created a patch that's appended.

Can you give us a suggestion how to handle these issues? I've seen a
solution similar to mine in the samba package upstream [5]. The zarafa
suite isn't using these parts of the libvmime package as they connect
locally to localhost. But we have to provide a secure libvmime
package.

The full FTBFS log can be found here [2] for amd64. The source can be
found on [3] and the file that holds the deprecated functions can be
viewed on [4].

Thanks and regards
Carsten

[1] http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html#Upgrading-from-previous-versions
[2] https://buildd.debian.org/status/fetch.php?pkg=libvmime&arch=amd64&ver=0.9.1-4%2Bb1&stamp=1453493127
[3] https://anonscm.debian.org/cgit/pkg-giraffe/libvmime.git/tree/
[4] https://anonscm.debian.org/cgit/pkg-giraffe/libvmime.git/tree/src/net/tls/TLSSession.cpp
[5] https://lists.samba.org/archive/samba-technical/2015-April/107008.html

On Sun, Jan 31, 2016 at 11:33:16PM +0000, peter green wrote:
> >
> >  net_tls_TLSSession.cpp:120:38: error: 
> > 'gnutls_certificate_type_set_priority' was not declared in this scope
> >      (*m_gnutlsSession, certTypePriority);
> >                                         ^
> >   net_tls_TLSSession.cpp:131:68: error: 'gnutls_protocol_set_priority' was 
> > not declared in this scope
> >     res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority);
> >                                                                       ^
> >   net_tls_TLSSession.cpp:152:61: error: 'gnutls_cipher_set_priority' was 
> > not declared in this scope
> >     gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority);
> >                                                                ^
> >   net_tls_TLSSession.cpp:157:55: error: 'gnutls_mac_set_priority' was not 
> > declared in this scope
> >     gnutls_mac_set_priority(*m_gnutlsSession, macPriority);
> >                                                          ^
> >   net_tls_TLSSession.cpp:173:53: error: 'gnutls_kx_set_priority' was not 
> > declared in this scope
> >     gnutls_kx_set_priority(*m_gnutlsSession, kxPriority);
> >                                                        ^
> >   net_tls_TLSSession.cpp:184:71: error: 'gnutls_compression_set_priority' 
> > was not declared in this scope
> >     gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority);
> 
> 
> The gnutls_*_set_priority functions have been removed. According to
> http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html
> the replacement is gnutls_priority_set_direct but in this case the settings
> used seem rather outdated anyway, so rather than converting I just removed them.
> (so gnutls will use its defaults).
> 
> I have uploaded my changes to raspbian stretch-staging. Debdiff attached, no
> intent to NMU in Debian.
> 

> diff -Nru libvmime-0.9.1/debian/changelog libvmime-0.9.1/debian/changelog
> --- libvmime-0.9.1/debian/changelog   2015-09-22 17:33:22.000000000 +0000
> +++ libvmime-0.9.1/debian/changelog   2016-01-31 18:41:26.000000000 +0000
> @@ -1,3 +1,9 @@
> +libvmime (0.9.1-4+rpi1) stretch-staging; urgency=medium
> +
> +  * Remove calls to gnutls_*_set_priority
> +
> + -- Peter Michael Green <plugw...@raspbian.org>  Sun, 31 Jan 2016 18:41:14 
> +0000
> +
>  libvmime (0.9.1-4) unstable; urgency=medium
>  
>    [ Carsten Schoenert ]
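Review bot: The new changelog entry "Remove calls to gnutls_*_set_priority" does not say why the calls go away or what replaces them. Since this changes which protocols and ciphers the library requests, the entry should mention the build failure against GnuTLS 3.4 and that the session now relies on the GnuTLS default priorities, and reference a bug number if one exists.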
> diff -Nru libvmime-0.9.1/debian/patches/gnutls3.4.patch 
> libvmime-0.9.1/debian/patches/gnutls3.4.patch
> --- libvmime-0.9.1/debian/patches/gnutls3.4.patch     1970-01-01 
> 00:00:00.000000000 +0000
> +++ libvmime-0.9.1/debian/patches/gnutls3.4.patch     2016-01-31 
> 18:41:03.000000000 +0000
> @@ -0,0 +1,102 @@
> +Description: remove calls to gnutls_*_set_priority
> + The gnutls_*_set_priority functions have been removed. According to 
> + http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html
> + the replacement is gnutls_priority_set_direct but the settings used seem
> + rather outdated anyway, so rather than converting I just removed them.
> + (so gnutls will use it's defaults).
> +uthor: Peter Michael Green <plugw...@raspbian.org>
> +
> +---
> +The information above should follow the Patch Tagging Guidelines, please
> +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
> +are templates for supplementary fields that you might want to add:
> +
> +Origin: <vendor|upstream|other>, <url of original patch>
> +Bug: <url in upstream bugtracker>
> +Bug-Debian: https://bugs.debian.org/<bugnumber>
> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
> +Forwarded: <no|not-needed|url proving that it has been forwarded>
> +Reviewed-By: <name and email of someone who approved the patch>
> +Last-Update: <YYYY-MM-DD>
> +
> +--- libvmime-0.9.1.orig/src/net/tls/TLSSession.cpp
> ++++ libvmime-0.9.1/src/net/tls/TLSSession.cpp
> +@@ -111,78 +111,6 @@ TLSSession::TLSSession(ref <security::ce
> +     // macs and compression methods.
> +     gnutls_set_default_priority(*m_gnutlsSession);
> + 
> +-    // Sets the priority on the certificate types supported by gnutls.
> +-    // Priority is higher for types specified before others. After
> +-    // specifying the types you want, you must append a 0.
> +-    const int certTypePriority[] = { GNUTLS_CRT_X509, 0 };
> +-
> +-    res = gnutls_certificate_type_set_priority
> +-            (*m_gnutlsSession, certTypePriority);
> +-
> +-    if (res < 0)
> +-    {
> +-            throwTLSException
> +-                    ("gnutls_certificate_type_set_priority", res);
> +-    }
> +-
> +-    // Sets the priority on the protocol types
> +-    const int protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
> +-
> +-    res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority);
> +-
> +-    if (res < 0)
> +-    {
> +-            throwTLSException
> +-                    ("gnutls_certificate_type_set_priority", res);
> +-    }
> +-
> +-    // Priority on the ciphers
> +-    const int cipherPriority[] =
> +-    {
> +-            GNUTLS_CIPHER_ARCFOUR_128,
> +-            GNUTLS_CIPHER_3DES_CBC,
> +-            GNUTLS_CIPHER_AES_128_CBC,
> +-            GNUTLS_CIPHER_AES_256_CBC,
> +-            GNUTLS_CIPHER_ARCFOUR_40,
> +-            GNUTLS_CIPHER_RC2_40_CBC,
> +-            GNUTLS_CIPHER_DES_CBC,
> +-            0
> +-    };
> +-
> +-    gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority);
> +-
> +-    // Priority on MACs
> +-    const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0};
> +-
> +-    gnutls_mac_set_priority(*m_gnutlsSession, macPriority);
> +-
> +-    // Priority on key exchange methods
> +-    const int kxPriority[] =
> +-    {
> +-            GNUTLS_KX_RSA,
> +-            GNUTLS_KX_DHE_DSS,
> +-            GNUTLS_KX_DHE_RSA,
> +-            GNUTLS_KX_ANON_DH,
> +-            GNUTLS_KX_SRP,
> +-            GNUTLS_KX_RSA_EXPORT,
> +-            GNUTLS_KX_SRP_RSA,
> +-            GNUTLS_KX_SRP_DSS,
> +-            0
> +-    };
> +-
> +-    gnutls_kx_set_priority(*m_gnutlsSession, kxPriority);
> +-
> +-    // Priority on compression methods
> +-    const int compressionPriority[] =
> +-    {
> +-            GNUTLS_COMP_ZLIB,
> +-            //GNUTLS_COMP_LZO,
> +-            GNUTLS_COMP_NULL,
> +-            0
> +-    };
> +-
> +-    gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority);
> +-
> +     // Initialize credentials
> +     gnutls_credentials_set(*m_gnutlsSession,
> +             GNUTLS_CRD_ANON, g_gnutlsGlobal.anonCred);
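Review bot: The DEP-3 header of the new gnutls3.4.patch has "uthor:" where "Author:" is meant, and the template text after "---" (from "The information above should follow the Patch Tagging Guidelines" through "Last-Update:") is still in place; fix the field name and either fill in or delete the template fields. On the code side, dropping the block leaves gnutls_set_default_priority as the only priority setting, which also removes GNUTLS_SSL3, the 40-bit and DES ciphers, GNUTLS_MAC_MD5, GNUTLS_KX_ANON_DH and GNUTLS_KX_RSA_EXPORT from what the session requests. The trailing context still calls gnutls_credentials_set with GNUTLS_CRD_ANON, so it is worth confirming that the anonymous credentials are still wanted once anonymous key exchange is no longer requested explicitly.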
> diff -Nru libvmime-0.9.1/debian/patches/series 
> libvmime-0.9.1/debian/patches/series
> --- libvmime-0.9.1/debian/patches/series      2015-09-22 17:33:22.000000000 
> +0000
> +++ libvmime-0.9.1/debian/patches/series      2016-01-31 18:37:47.000000000 
> +0000
> @@ -17,3 +17,4 @@
>  debian/Adopt-changes-required-on-update-by-gnutls28-dev.patch
>  debian/remove-reference-to-gcrypt.h-related-on-update-to-gn.patch
>  adjust-configure.in-and-Makefile.am-to-recent-autoto.patch
> +gnutls3.4.patch

From: Carsten Schoenert <c.schoen...@t-online.de>
Date: Thu, 28 Jan 2016 17:21:08 +0100
Subject: replace deprecated gnutls function after v3.4.0

Replacing various functions long marked as deprecated with
gnutls_priority_set_direct().

In detail replacing the functions:
   gnutls_certificate_type_set_priority()
   gnutls_cipher_set_priority()
   gnutls_mac_set_priority()
   gnutls_kx_set_priority()
   gnutls_compression_set_priority()
---
 src/net/tls/TLSSession.cpp | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/net/tls/TLSSession.cpp b/src/net/tls/TLSSession.cpp
index 18fc622..e61d7d7 100644
--- a/src/net/tls/TLSSession.cpp
+++ b/src/net/tls/TLSSession.cpp
@@ -114,30 +114,30 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv)
 	// Sets the priority on the certificate types supported by gnutls.
 	// Priority is higher for types specified before others. After
 	// specifying the types you want, you must append a 0.
-	const int certTypePriority[] = { GNUTLS_CRT_X509, 0 };
+	const char certTypePriority[] = { GNUTLS_CRT_X509, 0 };
 
-	res = gnutls_certificate_type_set_priority
-		(*m_gnutlsSession, certTypePriority);
+	res = gnutls_priority_set_direct
+		(*m_gnutlsSession, certTypePriority, NULL);
 
 	if (res < 0)
 	{
 		throwTLSException
-			("gnutls_certificate_type_set_priority", res);
+			("gnutls_priority_set_direct", res);
 	}
 
 	// Sets the priority on the protocol types
-	const int protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+	const char protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
 
-	res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority);
+	res = gnutls_priority_set_direct(*m_gnutlsSession, protoPriority, NULL);
 
 	if (res < 0)
 	{
 		throwTLSException
-			("gnutls_certificate_type_set_priority", res);
+			("gnutls_priority_set_direct", res);
 	}
 
 	// Priority on the ciphers
-	const int cipherPriority[] =
+	const char cipherPriority[] =
 	{
 		GNUTLS_CIPHER_ARCFOUR_128,
 		GNUTLS_CIPHER_3DES_CBC,
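Review bot: The second argument of gnutls_priority_set_direct is a textual priority string (const char *priorities), not a zero-terminated list of enum values, so "const char certTypePriority[] = { GNUTLS_CRT_X509, 0 };" and the protoPriority and cipherPriority arrays hand the parser raw enum bytes instead of keywords. That compiles because of the change from int to char, but the string will not parse and the first call will end in throwTLSException. The arrays should be replaced by one priority string passed in a single call, and that string should not carry over GNUTLS_SSL3 or GNUTLS_CIPHER_ARCFOUR_128 from the old lists.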
@@ -149,15 +149,15 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv)
 		0
 	};
 
-	gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority);
+	gnutls_priority_set_direct(*m_gnutlsSession, cipherPriority, NULL);
 
 	// Priority on MACs
-	const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0};
+	const char macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0};
 
-	gnutls_mac_set_priority(*m_gnutlsSession, macPriority);
+	gnutls_priority_set_direct(*m_gnutlsSession, macPriority, NULL);
 
 	// Priority on key exchange methods
-	const int kxPriority[] =
+	const char kxPriority[] =
 	{
 		GNUTLS_KX_RSA,
 		GNUTLS_KX_DHE_DSS,
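Review bot: The return values of the gnutls_priority_set_direct calls for cipherPriority and macPriority are discarded, unlike the two calls earlier in the file that assign to res and throw. With the old setters that was tolerable, but gnutls_priority_set_direct parses its input and can fail, so a rejected string here would leave the session on whatever priorities were set before without any error being raised. Assign the result to res and call throwTLSException on a negative value, and drop GNUTLS_MAC_MD5 when the list is rewritten as a priority string.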
@@ -170,10 +170,10 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv)
 		0
 	};
 
-	gnutls_kx_set_priority(*m_gnutlsSession, kxPriority);
+	gnutls_priority_set_direct(*m_gnutlsSession, kxPriority, NULL);
 
 	// Priority on compression methods
-	const int compressionPriority[] =
+	const char compressionPriority[] =
 	{
 		GNUTLS_COMP_ZLIB,
 		//GNUTLS_COMP_LZO,
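Review bot: Each gnutls_priority_set_direct call sets the complete priority configuration of the session rather than one category, so calling it separately for kxPriority and then compressionPriority does not add to the earlier settings: the last successful call wins. The old per-category setters composed; this replacement does not. Build one string that covers protocol versions, ciphers, MACs and key exchange and call the function once; GNUTLS_COMP_ZLIB should not be carried into it, since TLS-level compression is best left disabled.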
@@ -181,7 +181,7 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv)
 		0
 	};
 
-	gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority);
+	gnutls_priority_set_direct(*m_gnutlsSession, compressionPriority, NULL);
 
 	// Initialize credentials
 	gnutls_credentials_set(*m_gnutlsSession,
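Review bot: The final call passes NULL as the third argument (err_pos) and ignores the return value, so if the priority string is rejected there is neither an error nor an indication of where parsing stopped. Pass a "const char *" and include the reported position in the exception text. The context that follows still installs GNUTLS_CRD_ANON credentials, so the replacement string should be checked to make sure it does not enable anonymous key exchange unless that is really intended.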
