Dear GnuTLS maintainers, with the new gnutls v3.4 in unstable we hit some old deprecated marked function now as errors while building the libvmime package. ;) libvmime is a reverse dependency for the zarafa groupware we have packaged and is currently waiting in the new queue. The upstream maintainer of libvmime doesn't released a newer version than 0.9.1 and so we have to fight with this old version (released 2010-11-16).
Peter Green has submitted a debdiff with a possibly solution that's seen below. I'm not a security expert on those used functions inside libvmime and found a another solution based on suggestions for upgrading to 3.4 [1] and created a patch that's appended. Can you give us a suggestion how to handle this issues? I've seen a similar solution like mine on the samba package upstream [5]. The zarafa suite isn't using this parts of the libvmime package as they connect locally to localhost. But the we have to provide a secure libvmime package. The full FTBFS log can be found here [2] for amd64. The source can be found on [3] and the file that holds the deprecated functions can be viewd on [4]. Thanks and regards Carsten [1] http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html#Upgrading-from-previous-versions [2] https://buildd.debian.org/status/fetch.php?pkg=libvmime&arch=amd64&ver=0.9.1-4%2Bb1&stamp=1453493127 [3] https://anonscm.debian.org/cgit/pkg-giraffe/libvmime.git/tree/ [4] https://anonscm.debian.org/cgit/pkg-giraffe/libvmime.git/tree/src/net/tls/TLSSession.cpp [5] https://lists.samba.org/archive/samba-technical/2015-April/107008.html On Sun, Jan 31, 2016 at 11:33:16PM +0000, peter green wrote: > > > > net_tls_TLSSession.cpp:120:38: error: > > 'gnutls_certificate_type_set_priority' was not declared in this scope > > (*m_gnutlsSession, certTypePriority); > > ^ > > net_tls_TLSSession.cpp:131:68: error: 'gnutls_protocol_set_priority' was > > not declared in this scope > > res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority); > > ^ > > net_tls_TLSSession.cpp:152:61: error: 'gnutls_cipher_set_priority' was > > not declared in this scope > > gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority); > > ^ > > net_tls_TLSSession.cpp:157:55: error: 'gnutls_mac_set_priority' was not > > declared in this scope > > gnutls_mac_set_priority(*m_gnutlsSession, macPriority); > > ^ > > net_tls_TLSSession.cpp:173:53: error: 'gnutls_kx_set_priority' was not > > declared in this scope > > gnutls_kx_set_priority(*m_gnutlsSession, kxPriority); > > ^ > > net_tls_TLSSession.cpp:184:71: error: 'gnutls_compression_set_priority' > > was not declared in this scope > > gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority); > > > The gnutls_*_set_priority functions have been removed. According to. > http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html > the replacement is gnutls_priority_set_direct but in this case the settings > used seem > rather outdated anyway, so rather than converting I just removed them. > (so gnutls will use it's defaults). > > I have uploaded my changes to raspbian stretch-staging. Debdiff attached, no > intent to NMU in Debian. > > diff -Nru libvmime-0.9.1/debian/changelog libvmime-0.9.1/debian/changelog > --- libvmime-0.9.1/debian/changelog 2015-09-22 17:33:22.000000000 +0000 > +++ libvmime-0.9.1/debian/changelog 2016-01-31 18:41:26.000000000 +0000 > @@ -1,3 +1,9 @@ > +libvmime (0.9.1-4+rpi1) stretch-staging; urgency=medium > + > + * Remove calls to gnutls_*_set_priority > + > + -- Peter Michael Green <[email protected]> Sun, 31 Jan 2016 18:41:14 > +0000 > + > libvmime (0.9.1-4) unstable; urgency=medium > > [ Carsten Schoenert ] > diff -Nru libvmime-0.9.1/debian/patches/gnutls3.4.patch > libvmime-0.9.1/debian/patches/gnutls3.4.patch > --- libvmime-0.9.1/debian/patches/gnutls3.4.patch 1970-01-01 > 00:00:00.000000000 +0000 > +++ libvmime-0.9.1/debian/patches/gnutls3.4.patch 2016-01-31 > 18:41:03.000000000 +0000 > @@ -0,0 +1,102 @@ > +Description: remove calls to gnutls_*_set_priority > + The gnutls_*_set_priority functions have been removed. According to > + http://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html > + the replacement is gnutls_priority_set_direct but the settings used seem > + rather outdated anyway, so rather than converting I just removed them. > + (so gnutls will use it's defaults). > +uthor: Peter Michael Green <[email protected]> > + > +--- > +The information above should follow the Patch Tagging Guidelines, please > +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here > +are templates for supplementary fields that you might want to add: > + > +Origin: <vendor|upstream|other>, <url of original patch> > +Bug: <url in upstream bugtracker> > +Bug-Debian: https://bugs.debian.org/<bugnumber> > +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> > +Forwarded: <no|not-needed|url proving that it has been forwarded> > +Reviewed-By: <name and email of someone who approved the patch> > +Last-Update: <YYYY-MM-DD> > + > +--- libvmime-0.9.1.orig/src/net/tls/TLSSession.cpp > ++++ libvmime-0.9.1/src/net/tls/TLSSession.cpp > +@@ -111,78 +111,6 @@ TLSSession::TLSSession(ref <security::ce > + // macs and compression methods. > + gnutls_set_default_priority(*m_gnutlsSession); > + > +- // Sets the priority on the certificate types supported by gnutls. > +- // Priority is higher for types specified before others. After > +- // specifying the types you want, you must append a 0. > +- const int certTypePriority[] = { GNUTLS_CRT_X509, 0 }; > +- > +- res = gnutls_certificate_type_set_priority > +- (*m_gnutlsSession, certTypePriority); > +- > +- if (res < 0) > +- { > +- throwTLSException > +- ("gnutls_certificate_type_set_priority", res); > +- } > +- > +- // Sets the priority on the protocol types > +- const int protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; > +- > +- res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority); > +- > +- if (res < 0) > +- { > +- throwTLSException > +- ("gnutls_certificate_type_set_priority", res); > +- } > +- > +- // Priority on the ciphers > +- const int cipherPriority[] = > +- { > +- GNUTLS_CIPHER_ARCFOUR_128, > +- GNUTLS_CIPHER_3DES_CBC, > +- GNUTLS_CIPHER_AES_128_CBC, > +- GNUTLS_CIPHER_AES_256_CBC, > +- GNUTLS_CIPHER_ARCFOUR_40, > +- GNUTLS_CIPHER_RC2_40_CBC, > +- GNUTLS_CIPHER_DES_CBC, > +- 0 > +- }; > +- > +- gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority); > +- > +- // Priority on MACs > +- const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0}; > +- > +- gnutls_mac_set_priority(*m_gnutlsSession, macPriority); > +- > +- // Priority on key exchange methods > +- const int kxPriority[] = > +- { > +- GNUTLS_KX_RSA, > +- GNUTLS_KX_DHE_DSS, > +- GNUTLS_KX_DHE_RSA, > +- GNUTLS_KX_ANON_DH, > +- GNUTLS_KX_SRP, > +- GNUTLS_KX_RSA_EXPORT, > +- GNUTLS_KX_SRP_RSA, > +- GNUTLS_KX_SRP_DSS, > +- 0 > +- }; > +- > +- gnutls_kx_set_priority(*m_gnutlsSession, kxPriority); > +- > +- // Priority on compression methods > +- const int compressionPriority[] = > +- { > +- GNUTLS_COMP_ZLIB, > +- //GNUTLS_COMP_LZO, > +- GNUTLS_COMP_NULL, > +- 0 > +- }; > +- > +- gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority); > +- > + // Initialize credentials > + gnutls_credentials_set(*m_gnutlsSession, > + GNUTLS_CRD_ANON, g_gnutlsGlobal.anonCred); > diff -Nru libvmime-0.9.1/debian/patches/series > libvmime-0.9.1/debian/patches/series > --- libvmime-0.9.1/debian/patches/series 2015-09-22 17:33:22.000000000 > +0000 > +++ libvmime-0.9.1/debian/patches/series 2016-01-31 18:37:47.000000000 > +0000 > @@ -17,3 +17,4 @@ > debian/Adopt-changes-required-on-update-by-gnutls28-dev.patch > debian/remove-reference-to-gcrypt.h-related-on-update-to-gn.patch > adjust-configure.in-and-Makefile.am-to-recent-autoto.patch > +gnutls3.4.patch
From: Carsten Schoenert <[email protected]> Date: Thu, 28 Jan 2016 17:21:08 +0100 Subject: replace deprecated gnutls function after v3.4.0 Replacing various longer marked deprecated function with gnutls_priority_set_direct(). In detail replacing the functions: gnutls_certificate_type_set_priority() gnutls_cipher_set_priority() gnutls_mac_set_priority() gnutls_kx_set_priority() gnutls_compression_set_priority() --- src/net/tls/TLSSession.cpp | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/net/tls/TLSSession.cpp b/src/net/tls/TLSSession.cpp index 18fc622..e61d7d7 100644 --- a/src/net/tls/TLSSession.cpp +++ b/src/net/tls/TLSSession.cpp @@ -114,30 +114,30 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv) // Sets the priority on the certificate types supported by gnutls. // Priority is higher for types specified before others. After // specifying the types you want, you must append a 0. - const int certTypePriority[] = { GNUTLS_CRT_X509, 0 }; + const char certTypePriority[] = { GNUTLS_CRT_X509, 0 }; - res = gnutls_certificate_type_set_priority - (*m_gnutlsSession, certTypePriority); + res = gnutls_priority_set_direct + (*m_gnutlsSession, certTypePriority, NULL); if (res < 0) { throwTLSException - ("gnutls_certificate_type_set_priority", res); + ("gnutls_priority_set_direct", res); } // Sets the priority on the protocol types - const int protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; + const char protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority); + res = gnutls_priority_set_direct(*m_gnutlsSession, protoPriority, NULL); if (res < 0) { throwTLSException - ("gnutls_certificate_type_set_priority", res); + ("gnutls_priority_set_direct", res); } // Priority on the ciphers - const int cipherPriority[] = + const char cipherPriority[] = { GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, @@ -149,15 +149,15 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv) 0 }; - gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority); + gnutls_priority_set_direct(*m_gnutlsSession, cipherPriority, NULL); // Priority on MACs - const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0}; + const char macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0}; - gnutls_mac_set_priority(*m_gnutlsSession, macPriority); + gnutls_priority_set_direct(*m_gnutlsSession, macPriority, NULL); // Priority on key exchange methods - const int kxPriority[] = + const char kxPriority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, @@ -170,10 +170,10 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv) 0 }; - gnutls_kx_set_priority(*m_gnutlsSession, kxPriority); + gnutls_priority_set_direct(*m_gnutlsSession, kxPriority, NULL); // Priority on compression methods - const int compressionPriority[] = + const char compressionPriority[] = { GNUTLS_COMP_ZLIB, //GNUTLS_COMP_LZO, @@ -181,7 +181,7 @@ TLSSession::TLSSession(ref <security::cert::certificateVerifier> cv) 0 }; - gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority); + gnutls_priority_set_direct(*m_gnutlsSession, compressionPriority, NULL); // Initialize credentials gnutls_credentials_set(*m_gnutlsSession,

