Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2013-07-01 15:54:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnutls" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2013-04-26 15:50:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2013-07-01 15:54:45.000000000 +0200 
@@ -1,0 +2,279 @@ +Thu Jun 27 13:44:12 UTC 2013 - meissner@suse.com + +- Disable all ECC algorithms. + +- gnutls-32bit.patch: upstream patch to make test + work with 32bit time_t. + +- gnutls-implement-trust-store-dir.diff + + currently not yet forward ported. + +- Updated to GnuTLS 3.2.1 + ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain + openssl versions. + ** libgnutls: Fixes in interrupted function resumption. Report + and patch by Tim Kosse. + ** libgnutls: Corrected issue when receiving client hello verify + requests in DTLS. + ** libgnutls: Fixes in DTLS record overhead size calculations. + ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by + Mann Ern Kang. +- Updated to GnuTLS 3.2.0 + ** libgnutls: Use nettle's elliptic curve implementation. + ** libgnutls: Added Salsa20 cipher + ** libgnutls: Added UMAC-96 and UMAC-128 + ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96. + As they are not standardized they are defined using private ciphersuite numbers. + ** libgnutls: Added support for DTLS 1.2. + ** libgnutls: Added support for the Application Layer Protocol + Negotiation (ALPN) extension. + ** libgnutls: Removed support for the RSA-EXPORT ciphersuites. + ** libgnutls: Avoid linking to librt (that also avoids unnecessary + linking to pthreads if p11-kit isn't used). + +- Updated to GnuTLS 3.1.10 (released 2013-03-22) + ** certtool: When generating PKCS #12 files use by default the + ARCFOUR (RC4) cipher to be compatible with devices that don't + support AES with PKCS #12. + ** libgnutls: Load CA certificates in android 4.x systems. + ** libgnutls: Optimized CA certificate loading. + ** libgnutls: Private keys are overwritten on deinitialization. + ** libgnutls: PKCS #11 slots are scanned only when needed, not + on initialization. This speeds up gnutls initialization when smart + cards are present. 
+ ** libgnutls: Corrected issue in the (deprecated) external key + signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen. + ** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by + Joke de Buhr. + ** libgnutls-dane: Updated DANE verification options. + ** configure: Trust store file must be explicitly set or unset when + cross compiling. +- Updated to GnuTLS 3.1.9 (released 2013-02-27) + ** certtool: Option --to-p12 will now ask for a password to generate + a PKCS #12 file from an encrypted key file. Reported by Yan Fiz. + ** libgnutls: Corrected issue in gnutls_pubkey_verify_data(). + ** libgnutls: Corrected parsing issue in XMPP within a subject + alternative name. Reported by James Cloos. + ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11 + modules, and not only the ones loaded via p11-kit. + ** libgnutls: Added function to check whether the private key is + still available (inserted). + ** libgnutls: Try to detect fork even during nonce generation. + +- Updated to GnuTLS 3.1.8 (released 2013-02-10) + ** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return + GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation + with encrypted keys. Reported by Yan Fiz. + ** libgnutls: The minimum DH bits accepted by priorities NORMAL and + PERFORMANCE was set to previous defaults 727 bits. Reported by Diego + Elio Petteno. + ** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() + to operate with long keys. Reported by Erik A Jensen. + +- Updated to GnuTLS 3.1.7 (released 2013-02-04) + ** certtool: Added option "dn" which allows to directly set the DN + in a template from an RFC4514 string. + ** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters. + ** libgnutls-xssl: Added a new library to simplify GnuTLS usage. + ** libgnutls-dane: Added function to specify a DLV file. + ** libgnutls: Heartbeat code was made optional. 
+ ** libgnutls: Fixes in server side of DTLS-0.9. + ** libgnutls: DN variable 'T' was expanded to 'title'. + ** libgnutls: Fixes in record padding parsing to prevent a timing attack. + Issue reported by Kenny Paterson and Nadhem Alfardan. + ** libgnutls: Added functions to directly set the DN in a certificate + or request from an RFC4514 string. + ** libgnutls: Optimizations in the random generator. The re-seeding of + it is now explicitly done on every session deinit. + ** libgnutls: Simplified the DTLS sliding window implementation. + ** libgnutls: The minimum DH bits accepted by a client are now set + by the specified priority string. The current values correspond to the + previous defaults (727 bits), except for the SECURE128 and SECURE192 + strings which increase the minimum to 1248 and 1776 respectively. + ** libgnutls: Added the gnutls_record_cork() and uncork API to enable + buffering in sending application data. + ** libgnutls: Removed default random padding, and added a length-hiding interface + instead. Both the server and the client must support this extension. Whether + length-hiding can be used on a given session can be checked using + gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti. + ** libgnutls: Added the experimental %NEW_PADDING priority string. It enables + a new padding mechanism in TLS allowing arbitrary padding in TLS records + in all ciphersuites, which makes length-hiding more efficient and solves + the issues with timing attacks on CBC ciphersuites. + ** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD + ciphers (i.e., AES-GCM). Reported by William McGovern. + +- Updated to GnuTLS 3.1.6 (released 2013-01-02) + ** libgnutls: Fixed record padding parsing issue. Reported by Kenny + Patterson and Nadhem Alfardan. + ** libgnutls: Several updates in the ASN.1 string handling subsystem. + ** libgnutls: gnutls_x509_crt_get_policy() allows for a list of zero + policy qualifiers. 
+ ** libgnutls: Ignore heartbeat messages when received out-of-order, + instead of issuing an error. + ** libgnutls: Stricter RSA PKCS #1 1.5 encoding and decoding. Reported + by Kikuchi Masashi. + ** libgnutls: TPM support is disabled by default because GPL programs + cannot link with it. Use --with-tpm to enable it. + ** libgnutls-guile: Fixed parallel compilation issue. + ** gnutls-cli: It will try to connect to all possible returned addresses + before failing. + +- Updated to GnuTLS 3.1.5 (released 2012-11-24) + ** libgnutls: Added functions to parse the certificates policies + extension. + ** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished + Name by translating it to UTF-8 (works on windows or systems with + iconv). + ** libgnutls: Added PKCS #11 key generation function that returns the + public key on generation. + ** libgnutls: Corrected bug in priority string parsing, that mostly + affected combined levels. Patch by Tim Kosse. + ** certtool: The --pubkey-info option can be combined with the + --load-privkey or --load-request to print the corresponding public keys. + ** certtool: It is able to set certificate policies via a template. + ** certtool: Added --hex-numbers option which prints big numbers in + an easier to parse format. + ** p11tool: After key generation, outputs the public key (useful in + tokens that do not store the public key). + ** danetool: It is being built even without libgnutls-dane (the + --check functionality is disabled though). + +- Updated to GnuTLS 3.1.4 (released 2012-11-10) + ** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on + the available revocation data validity. + ** libgnutls: Added gnutls_certificate_verification_status_print(), + a function to print the verification status code in human readable text. + ** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS. + ** libgnutls: Simplified certificate verification by adding + gnutls_certificate_verify_peers3(). 
+ ** libgnutls: Added support for extension to establish keys for SRTP. + Contributed by Martin Storsjo. + ** libgnutls: The X.509 verification functions check the key + usage bits and pathlen constraints and on failure output + GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE. + ** libgnutls: gnutls_x509_crl_verify() includes the time checks. + ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN + and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default. + ** libgnutls: Always tolerate key usage violation errors from the side + of the peer, but also notify via an audit message. + ** gnutls-cli: Added --local-dns option. + ** danetool: Corrected bug that prevented loading PEM files. + ** danetool: Added --check option to allow querying and verifying + a site's DANE data. + ** libgnutls-dane: Added pkg-config file for the library. + +- Updated to GnuTLS 3.1.3 (released 2012-10-12) + ** libgnutls: Added support for the OCSP Certificate Status + extension. + ** libgnutls: gnutls_certificate_verify_peers2() will use the OCSP + certificate status extension in verification. + ** libgnutls: Bug fixes in gnutls_x509_privkey_import_openssl(). + ** libgnutls: Increased maximum password length in the PKCS #12 + functions. + ** libgnutls: Fixed the receipt of session tickets during session resumption. + Reported by danblack at http://savannah.gnu.org/support/?108146 + ** libgnutls: Added functions to export structures in an allocated buffer. + ** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP + response corresponds to the given certificate. + ** libgnutls: In client side gnutls_init() enables the session ticket and + OCSP certificate status request extensions by default. The flag + GNUTLS_NO_EXTENSIONS can be used to prevent that. + ** libgnutls: Several updates in the OpenPGP code. The generating code + is fully RFC6091 compliant and RFC5081 support is only supported in client + mode. + ** libgnutls-dane: Added. 
It is a library to provide DANE with DNSSEC + certificate verification. + ** gnutls-cli: Added --dane option to enable DANE certificate verification. + ** danetool: Added tool to generate DANE TLSA Resource Records (RR). + +- Updated to GnuTLS 3.1.2 (released 2012-09-26) + ** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust() + and gnutls_x509_trust_list_add_trust_mem() that prevented the loading + of certificates in the windows platform. + ** libgnutls: Corrected bug in OpenPGP subpacket encoding. + ** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk. + (the work was done during Google Summer of Code). ++++ 82 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls.changes ++++ and /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes Old: ---- gnutls-3.0.28.tar.xz New: ---- gnutls-3.2.1-noecc.patch gnutls-3.2.1.tar.xz gnutls-3.2.1.tar.xz.sig gnutls-32bit.patch gnutls.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:46.000000000 +0200 +++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:46.000000000 +0200 
@@ -21,25 +21,38 @@ %define gnutls_ossl_sover 27 Name: gnutls -Version: 3.0.28 +Version: 3.2.1 Release: 0 Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ and GPL-3.0+ +License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/%{name}-%{version}.tar.xz -Source1: baselibs.conf -# suse specific, add support for certificate directories -- lnussel +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz +# signature is checked by source services. +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig +Source2: %name.keyring +Source3: baselibs.conf +# suse specific, add support for certificate directories -- lnussel/meissner Patch1: gnutls-implement-trust-store-dir.diff + Patch2: automake-1.12.patch # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch + +# https://gitorious.org/gnutls/gnutls/commit/b12040aeab5fbaf02677571db1d8bf199... +# PATCH-UPSTREAM gnutls-32bit.patch meissner@suse.de -- avoid dates after 2037 with 32bit time_t +Patch4: gnutls-32bit.patch + +# Disable elliptic curves for reasons. - meissner&cfarrell +Patch5: gnutls-3.2.1-noecc.patch + BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel -BuildRequires: libnettle-devel >= 2.2 +BuildRequires: libnettle-devel >= 2.7 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool +BuildRequires: valgrind %if %suse_version >= 1230 BuildRequires: makeinfo %endif @@ -60,7 +73,7 @@ %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} 
@@ -70,7 +83,7 @@ %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} @@ -92,7 +105,7 @@ %package -n libgnutls-devel Summary: Development package for gnutls -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel @@ -104,7 +117,7 @@ %package -n libgnutlsxx-devel Summary: Development package for gnutls -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} @@ -128,19 +141,22 @@ %prep %setup -q -%patch1 +%patch1 -p1 %patch2 -p1 %patch3 -echo %{_includedir}/%{name}/abstract.h +%patch4 -p1 +%patch5 -p1 %build autoreconf -if +# echde explicitly disabled - meissner&cfarrell %configure \ --disable-static \ --with-pic \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=/etc/ssl/certs \ + --disable-ecdhe \ --with-sysroot=/%{?_sysroot} %__make %{?_smp_mflags} @@ -200,11 +216,13 @@ %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool +%{_bindir}/danetool %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* +%{_libdir}/libgnutls-xssl.so.* %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) @@ -227,7 +245,10 @@ %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h +%{_includedir}/%{name}/tpm.h +%{_includedir}/%{name}/xssl.h %{_libdir}/libgnutls.so +%{_libdir}/libgnutls-xssl.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*.* ++++++ automake-1.12.patch ++++++ --- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:46.000000000 +0200 +++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:46.000000000 +0200 
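Review bot: in the first gnutls.spec hunk, `# Disable elliptic curves for reasons. - meissner&cfarrell` records no reason at all; since Patch5 (gnutls-3.2.1-noecc.patch) together with the `--disable-ecdhe` configure flag removes every ECDHE ciphersuite from the library, leaving DHE as the only forward-secret key exchange, the comment should state the actual rationale and what would allow re-enabling ECC, so the next updater does not have to guess.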
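Review bot: in the %prep/%build hunk, `%patch1 -p1` still applies gnutls-implement-trust-store-dir.diff, while the gnutls.changes entry for this submission says the patch is "currently not yet forward ported"; one of the two is wrong and should be corrected before checkin. The comment `# echde explicitly disabled - meissner&cfarrell` also has a typo for `ecdhe`.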
@@ -1,20 +1,8 @@ -Index: gnutls-3.0.20/configure.ac +Index: gnutls-3.2.1/aclocal.m4 =================================================================== ---- gnutls-3.0.20.orig/configure.ac 2012-07-01 21:50:17.000000000 +0200 -+++ gnutls-3.0.20/configure.ac 2012-07-01 21:50:17.977499968 +0200 -@@ -37,6 +37,7 @@ dnl Checks for programs. - AC_PROG_CC - AM_PROG_AS - AC_PROG_CXX -+AM_PROG_AR - gl_EARLY - - # For includes/gnutls/gnutls.h.in. -Index: gnutls-3.0.20/aclocal.m4 -=================================================================== ---- gnutls-3.0.20.orig/aclocal.m4 2012-06-05 19:10:14.000000000 +0200 -+++ gnutls-3.0.20/aclocal.m4 2012-07-01 21:53:42.821893323 +0200 -@@ -529,7 +529,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) +--- gnutls-3.2.1.orig/aclocal.m4 ++++ gnutls-3.2.1/aclocal.m4 +@@ -517,7 +517,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl @@ -23,7 +11,7 @@ # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl -@@ -773,10 +773,10 @@ fi +@@ -761,10 +761,10 @@ fi # serial 1 @@ -36,11 +24,11 @@ [AC_PREREQ([2.60])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, -Index: gnutls-3.0.20/gl/m4/gnulib-common.m4 +Index: gnutls-3.2.1/gl/m4/gnulib-common.m4 =================================================================== ---- gnutls-3.0.20.orig/gl/m4/gnulib-common.m4 2012-06-05 19:07:51.000000000 +0200 -+++ gnutls-3.0.20/gl/m4/gnulib-common.m4 2012-07-01 21:53:42.821893323 +0200 -@@ -301,7 +301,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ +--- gnutls-3.2.1.orig/gl/m4/gnulib-common.m4 ++++ gnutls-3.2.1/gl/m4/gnulib-common.m4 +@@ -303,7 +303,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ AC_SUBST([MKDIR_P])])], [ dnl For autoconf < 2.60: Backport of AC_PROG_MKDIR_P. AC_DEFUN_ONCE([AC_PROG_MKDIR_P], 
@@ -48,11 +36,11 @@ + [AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake MKDIR_P='$(mkdir_p)' AC_SUBST([MKDIR_P])])]) - -Index: gnutls-3.0.20/m4/po.m4 + ]) +Index: gnutls-3.2.1/m4/po.m4 =================================================================== ---- gnutls-3.0.20.orig/m4/po.m4 2011-11-08 22:07:12.000000000 +0100 -+++ gnutls-3.0.20/m4/po.m4 2012-07-01 21:53:42.822893277 +0200 +--- gnutls-3.2.1.orig/m4/po.m4 ++++ gnutls-3.2.1/m4/po.m4 @@ -24,7 +24,7 @@ AC_DEFUN([AM_PO_SUBDIRS], [ AC_REQUIRE([AC_PROG_MAKE_SET])dnl ++++++ gnutls-3.2.1-noecc.patch ++++++ ++++ 711 lines (skipped) ++++++ gnutls-3.0.28.tar.xz -> gnutls-3.2.1.tar.xz ++++++ ++++ 443978 lines of diff (skipped) ++++++ gnutls-32bit.patch ++++++
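Review bot: on the rebased automake-1.12.patch above, the new version drops the whole configure.ac hunk that added `AM_PROG_AR` after `AC_PROG_CXX` and keeps only the aclocal.m4, gnulib-common.m4 and po.m4 changes; please confirm that gnutls 3.2.1's configure.ac already calls `AM_PROG_AR`, otherwise the `autoreconf -if` in %build will bring back the automake 1.12 warning the patch was created to silence.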
From b12040aeab5fbaf02677571db1d8bf1995bd5ee0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos
Date: Sun, 2 Jun 2013 12:10:06 +0200 Subject: [PATCH] Avoid comparing the expiration date to prevent false positive error in 32-bit systems.
---
tests/cert-tests/pem-decoding | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding
index fe769ec..f8c6372 100755
--- a/tests/cert-tests/pem-decoding
+++ b/tests/cert-tests/pem-decoding
@@ -61,7 +61,9 @@ if test "$rc" != "0"; then
exit $rc
fi
-diff $srcdir/complex-cert.pem tmp-pem.pem
+cat $srcdir/complex-cert.pem |grep -v "Not After:" >tmp1
+cat $srcdir/tmp-pem.pem |grep -v "Not After:" >tmp2
+diff tmp1 tmp2
rc=$?
if test "$rc" != "0"; then
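Review bot: the new comparison reads the generated file from the wrong place: the removed line compared `tmp-pem.pem` in the current directory (and the cleanup further down removes `tmp-pem.pem` without a `$srcdir` prefix), but `+cat $srcdir/tmp-pem.pem |grep -v "Not After:" >tmp2` looks for it under `$srcdir`, so unless `$srcdir` is the current directory the pipe produces an empty tmp2 and the diff fails. Suggest `grep -v "Not After:" tmp-pem.pem >tmp2` (and `grep -v "Not After:" $srcdir/complex-cert.pem >tmp1`, dropping the needless `cat`). The commit message should also say that filtering out the `Not After:` lines means this test no longer checks the expiration date on any platform, not only on 32-bit ones.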
@@ -69,6 +71,6 @@ if test "$rc" != "0"; then
exit $rc
fi
-rm -f tmp-pem.pem
+rm -f tmp-pem.pem tmp1 tmp2
exit 0
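Review bot: cleanup only runs on the success path: the `if test "$rc" != "0"` branch above exits before reaching `rm -f tmp-pem.pem tmp1 tmp2`, so a failing run leaves tmp1 and tmp2 behind. A `trap 'rm -f tmp-pem.pem tmp1 tmp2' EXIT` near the top of the script, or removing them before each `exit $rc`, keeps the tree clean; the generic names tmp1/tmp2 would also be safer with a test-specific prefix to avoid collisions with other tests run from the same directory.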
--
1.7.1
++++++ gnutls-implement-trust-store-dir.diff ++++++
--- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:50.000000000 +0200
+++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:50.000000000 +0200
@@ -1,33 +1,34 @@
-From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001
-From: Ludwig Nussel