slackware-current/source/n/gnutls/gnutls-3.6.3-backport-upstream-fixes.patch

diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index d3777e51f..2150e903f 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
 	if (ret < 0)
 		return gnutls_assert_val(ret);
 
+	if (st2.ncerts == 0) {
+		*pcert_length = 0;
+		*ocsp_length = 0;
+		*privkey = NULL;
+		return 0;
+	}
+
 	if (st2.cert_type != GNUTLS_CRT_X509) {
 		gnutls_assert();
 		ret = GNUTLS_E_INVALID_REQUEST;
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
      gnutls_certificate_retrieve_function * func)
 {
 	cred->legacy_cert_cb1 = func;
-	cred->get_cert_callback3 = call_legacy_cert_cb1;
+	if (!func)
+		cred->get_cert_callback3 = NULL;
+	else
+		cred->get_cert_callback3 = call_legacy_cert_cb1;
 }
 
 static int call_legacy_cert_cb2(gnutls_session_t session,
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
      gnutls_certificate_retrieve_function2 * func) 
 {
 	cred->legacy_cert_cb2 = func;
-	cred->get_cert_callback3 = call_legacy_cert_cb2;
+	if (!func)
+		cred->get_cert_callback3 = NULL;
+	else
+		cred->get_cert_callback3 = call_legacy_cert_cb2;
 }
 
 /**
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a..f72afe77f 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
 
 	if (tls_id == PRE_SHARED_KEY_TLS_ID) {
 		ctx->seen_pre_shared_key = 1;
-	} else if (ctx->seen_pre_shared_key) {
+	} else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
 		/* the pre-shared key extension must always be the last one,
 		 * draft-ietf-tls-tls13-28: 4.2.11 */
 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
Tue Sep 18 19:22:30 UTC 2018 ap/dmidecode-3.2-x86_64-1.txz: Upgraded. ap/nano-3.1-x86_64-1.txz: Upgraded. ap/slackpkg-2.83.0-noarch-4.txz: Rebuilt. Merged two patches from git: Clarify that a press of "Enter" is needed to confirm kernel change Mention possible stale mirror if CHECKSUMS.md5 gpg verify fails Thanks to Mario Preksavec and Robby Workman. ap/sqlite-3.25.0-x86_64-1.txz: Upgraded. ap/xorriso-1.5.0-x86_64-1.txz: Upgraded. l/lmdb-0.9.22-x86_64-2.txz: Rebuilt. Fixed the build script to clear out the build area properly - previously it was possible for binaries of the wrong $ARCH to end up in the package. Thanks to reddog83. n/gnutls-3.6.3-x86_64-2.txz: Rebuilt. Merged backported SSL/TLS fixes. Thanks to orbea. n/samba-4.9.0-x86_64-2.txz: Rebuilt. Recompiled in case the lmdb package was broken. 2018-09-18 21:22:30 +02:00			`diff --git a/lib/cert-cred.c b/lib/cert-cred.c`
			`index d3777e51f..2150e903f 100644`
			`--- a/lib/cert-cred.c`
			`+++ b/lib/cert-cred.c`
			`@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,`
			`if (ret < 0)`
			`return gnutls_assert_val(ret);`

			`+ if (st2.ncerts == 0) {`
			`+ *pcert_length = 0;`
			`+ *ocsp_length = 0;`
			`+ *privkey = NULL;`
			`+ return 0;`
			`+ }`
			`+`
			`if (st2.cert_type != GNUTLS_CRT_X509) {`
			`gnutls_assert();`
			`ret = GNUTLS_E_INVALID_REQUEST;`
			`@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function`
			`gnutls_certificate_retrieve_function * func)`
			`{`
			`cred->legacy_cert_cb1 = func;`
			`- cred->get_cert_callback3 = call_legacy_cert_cb1;`
			`+ if (!func)`
			`+ cred->get_cert_callback3 = NULL;`
			`+ else`
			`+ cred->get_cert_callback3 = call_legacy_cert_cb1;`
			`}`

			`static int call_legacy_cert_cb2(gnutls_session_t session,`
			`@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2`
			`gnutls_certificate_retrieve_function2 * func)`
			`{`
			`cred->legacy_cert_cb2 = func;`
			`- cred->get_cert_callback3 = call_legacy_cert_cb2;`
			`+ if (!func)`
			`+ cred->get_cert_callback3 = NULL;`
			`+ else`
			`+ cred->get_cert_callback3 = call_legacy_cert_cb2;`
			`}`

			`/**`
			`diff --git a/lib/hello_ext.c b/lib/hello_ext.c`
			`index a3027130a..f72afe77f 100644`
			`--- a/lib/hello_ext.c`
			`+++ b/lib/hello_ext.c`
			`@@ -208,7 +208,7 @@ int hello_ext_parse(void _ctx, unsigned tls_id, const uint8_t data, unsigned d`

			`if (tls_id == PRE_SHARED_KEY_TLS_ID) {`
			`ctx->seen_pre_shared_key = 1;`
			`- } else if (ctx->seen_pre_shared_key) {`
			`+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {`
			`/* the pre-shared key extension must always be the last one,`
			`* draft-ietf-tls-tls13-28: 4.2.11 */`
			`return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);`