commit gnutls for openSUSE:Factory
Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2015-03-30 19:32:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnutls" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2015-01-03 22:03:08.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2015-03-30 19:32:13.000000000 +0200 
@@ -1,0 +2,499 @@ +Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com + +- for DANE support, use bcond_with +- for tpm support, same +- note p11-kit >= 0.20.7 requirement +- note libtasn1 3.9 requirement (built-in lib used otherwise) + +------------------------------------------------------------------- +Mon Mar 23 08:51:12 UTC 2015 - meissner@suse.com + +- disable trousers and unbound again for now, as it causes too long + build cycles. + +------------------------------------------------------------------- +Sat Mar 21 07:17:50 UTC 2015 - meissner@suse.com + +- added unbound-devel (for DANE) and trousers-devel (for TPM support) +- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff +- libgnutls-dane0 new library added + +- updated to 3.3.13 (released 2015-02-25) + ** libgnutls: Enable AESNI in GCM on x86 + ** libgnutls: Fixes in DTLS message handling + ** libgnutls: Check certificate algorithm consistency, i.e., + check whether the signatureAlgorithm field matches the signature + field inside TBSCertificate. + ** gnutls-cli: Fixes in OCSP verification. + +- Version 3.3.12 (released 2015-01-17) + + ** libgnutls: When negotiating TLS use the lowest enabled version in + the client hello, rather than the lowest supported. In addition, do + not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 + is the only protocol supported. That addresses issues with servers that + immediately drop the connection when the encounter SSL 3.0 as the record + version number. See: + http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html + + ** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. + + ** libgnutls: Handle zero length plaintext for VIA PadLock functions. + This solves a potential crash on AES encryption for small size plaintext. + Patch by Matthias-Christian Ott. + + ** libgnutls: In DTLS don't combine multiple packets which exceed MTU. + Reported by Andreas Schultz. 
https://savannah.gnu.org/support/?108715 + + ** libgnutls: In DTLS decode all handshake packets present in a record + packet, in a single pass. Reported by Andreas Schultz. + https://savannah.gnu.org/support/?108712 + + ** libgnutls: When importing a CA file with a PKCS #11 URL, simply + import the certificates, if the URL specifies objects, rather than + treating it as trust module. + + ** libgnutls: When importing a PKCS #11 URL and we know the type of + object we are importing, don't require the object type in the URL. + + ** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 + was used by the server. + + ** certtool: --pubkey-info will also attempt to load a public key from stdin. + + ** gnutls-cli: Added --starttls-proto option. That allows to specify a + protocol for starttls negotiation. + +- Version 3.3.11 (released 2014-12-11) + + ** libgnutls: Corrected regression introduced in 3.3.9 related to + session renegotiation. Reported by Dan Winship. + + ** libgnutls: Corrected parsing issue with OCSP responses. + +- Version 3.3.10 (released 2014-11-10) + + ** libgnutls: Refuse to import v1 or v2 certificates that contain + extensions. + + ** libgnutls: Fixes in usage of PKCS #11 token callback + + ** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used + with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. + Reported by David Woodhouse. + + ** libgnutls: Removed superfluous random generator refresh on every call + of gnutls_deinit(). That reduces load and usage of /dev/urandom. + + ** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. + Reported by Sean Burford [GNUTLS-SA-2014-5]. + + ** libgnutls: When gnutls_global_init() is called for a second time, it + will check whether the /dev/urandom fd kept is still open and matches + the original one. That behavior works around issues with servers that + close all file descriptors. 
+ + ** libgnutls: Corrected behavior with PKCS #11 objects that are marked + as CKA_ALWAYS_AUTHENTICATE. + + ** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. + That option is more compatible than AES or RC4. + +- Version 3.3.9 (released 2014-10-13) + + ** libgnutls: Fixes in the transparent import of PKCS #11 certificates. + Reported by Joseph Peruski. + + ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the + handshake's hash buffer, in applications using the heartbeat extension + or DTLS. Reported by Joeri de Ruiter. + + ** libgnutls: When both a trust module and additional CAs are present + account the latter as well; reported by David Woodhouse. + + ** libgnutls: added GNUTLS_TL_GET_COPY flag for + gnutls_x509_trust_list_get_issuer(). That allows the function to be used + in a thread safe way when PKCS #11 trust modules are in use. + + ** libgnutls: fix issue in DTLS retransmission when session tickets + were in use; reported by Manuel Pégourié-Gonnard. + + ** libgnutls-dane: Do not require the CA on a ca match to be direct CA. + + ** libgnutls: Prevent abort() in library if getrusage() fails. Try to + detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. + + ** guile: new 'set-session-server-name!' procedure; see the manual for + details. + + ** certtool: The authority key identifier will be set in a certificate only + if the CA's subject key identifier is set. + +- Version 3.3.8 (released 2014-09-18) + + ** libgnutls: Updates in the name constraints checks. No name constraints + will be checked for intermediate certificates. As our support for name + constraints is limited to e-mail addresses in DNS names, it is pointless + to check them on intermediate certificates. + + ** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple + object listing would fail completely if a single object could not be exported. 
+ + ** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, + by retrieving them in large batches. Report and suggestion by David + Woodhouse. + + ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior + to signature verification. That resulted to certain non-DER compliant modifications + of valid certificates, being corrected by libtasn1's parser and restructured as + the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from + Codenomicon. + + ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle + strings with embedded spaces and escaped commas. + + ** libgnutls: when comparing a CA certificate with the trusted list compare + the name and key only instead of the whole certificate. That is to handle + cases where a CA certificate was superceded by a different one with the same + name and the same key. + + ** libgnutls: when verifying a certificate against a p11-kit trusted + module, use the attached extensions in the module to override the CA's + extensions (that requires p11-kit 0.20.7). + + ** libgnutls: In DTLS prevent sending zero-size fragments in certain cases + of MTU split. Reported by Manuel Pégourié-Gonnard. + + ** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows + verifying using a hostname and a purpose (extended key usage). That + enhances PKCS #11 trust module verification, as it can now check the purpose + when this function is used. + + ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report + a CRL signature as invalid. Reported by Armin Burgmeier. + + ** libgnutls: added option --disable-padlock to allow disabling the padlock + CPU acceleration. + + ** p11tool: when listing tokens, list their type as well. + + ** p11tool: when listing objects from a trust module print any attached + extensions on certificates. 
+ +- Version 3.3.7 (released 2014-08-24) + + ** libgnutls: Added function to export the public key of a PKCS #11 + private key. Contributed by Wolfgang Meyer zu Bergsten. + + ** libgnutls: Explicitly set the exponent in PKCS #11 key generation. + That improves compatibility with certain PKCS #11 modules. Contributed by + Wolfgang Meyer zu Bergsten. + + ** libgnutls: When generating a PKCS #11 private key allow setting + the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. + + ** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session + to the key. + ++++ 302 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls.changes ++++ and /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes Old: ---- gnutls-3.2.21.tar.xz gnutls-3.2.21.tar.xz.sig gnutls-implement-trust-store-dir-3.2.8.diff New: ---- gnutls-3.3.13.tar.xz gnutls-3.3.13.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.6uqvoJ/_old 2015-03-30 19:32:14.000000000 +0200 +++ /var/tmp/diff_new_pack.6uqvoJ/_new 2015-03-30 19:32:14.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,46 +19,52 @@ %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 +%bcond_with dane +%if %{with dane} +%define gnutls_dane_sover 0 +%endif +%bcond_with tpm Name: gnutls -Version: 3.2.21 +Version: 3.3.13 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz # signature is checked by source services. -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig Source2: %name.keyring Source3: baselibs.conf # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch -Patch6: gnutls-implement-trust-store-dir-3.2.8.diff - BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 2.7 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool +%if %{with tpm} +BuildRequires: trousers-devel +%endif +%if %{with dane} +BuildRequires: unbound-devel +Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} +%endif %ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64 BuildRequires: valgrind %endif %if %suse_version >= 1230 BuildRequires: makeinfo %endif -BuildRequires: p11-kit-devel >= 0.11 +BuildRequires: p11-kit-devel >= 0.20.7 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build -# bug437293 -%ifarch ppc64 -Obsoletes: gnutls-64bit -%endif %description The GnuTLS project aims to develop a library that provides a secure 
@@ -75,6 +81,18 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%if %{with dane} +%package -n libgnutls-dane%{gnutls_dane_sover} +Summary: The GNU Transport Layer Security Library +License: LGPL-2.1+ +Group: Productivity/Networking/Security + +%description -n libgnutls-dane%{gnutls_dane_sover} +The GnuTLS project aims to develop a library that provides a secure +layer over a reliable transport layer. +This package contains the "DANE" part of gnutls. +%endif + %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ @@ -104,6 +122,9 @@ PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} +%if %{with dane} +Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} +%endif Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel @@ -136,7 +157,6 @@ %prep %setup -q %patch3 -%patch6 -p1 %build export LDFLAGS="-pie" @@ -152,7 +172,16 @@ --disable-srp \ --disable-silent-rules \ --with-default-trust-store-dir=/var/lib/ca-certificates/pem \ - --with-sysroot=/%{?_sysroot} + --with-sysroot=/%{?_sysroot} \ +%if %{without tpm} + --without-tpm \ +%endif +%if %{with dane} + --with-unbound-root-key-file=/var/lib/unbound/root.key \ +%else + --disable-libdane \ +%endif + %__make %install @@ -176,13 +205,15 @@ %__make check %endif -%clean -rm -rf %{buildroot} - %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig +%if %{with dane} +%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig +%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig +%endif + %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig 
@@ -209,13 +240,23 @@ %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool +%if %{with dane} %{_bindir}/danetool +%endif +%if %{with tpm} +%{_bindir}/tpmtool +%endif %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* -%{_libdir}/libgnutls-xssl.so.* + +%if %{with dane} +%files -n libgnutls-dane%{gnutls_dane_sover} +%defattr(-,root,root) +%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* +%endif %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) @@ -231,18 +272,27 @@ %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h +%if %{with dane} +%{_includedir}/%{name}/dane.h +%endif %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h +%{_includedir}/%{name}/self-test.h %{_includedir}/%{name}/x509.h +%{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h -%{_includedir}/%{name}/xssl.h %{_libdir}/libgnutls.so -%{_libdir}/libgnutls-xssl.so +%if %{with dane} +%{_libdir}/libgnutls-dane.so +%endif %{_libdir}/pkgconfig/gnutls.pc +%if %{with dane} +%{_libdir}/pkgconfig/gnutls-dane.pc +%endif %{_mandir}/man3/* %{_infodir}/*.* %doc %{_docdir}/libgnutls-devel ++++++ gnutls-3.2.21.tar.xz -> gnutls-3.3.13.tar.xz ++++++ ++++ 418153 lines of diff (skipped)
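Review bot: The gnutls.changes hunk (@@ -1,0 +2,499 @@) never says that DANE and TPM end up disabled in the default build. The Mar 21 entry still reads "libgnutls-dane0 new library added" and "added unbound-devel (for DANE) and trousers-devel (for TPM support)", while the spec declares `%bcond_with dane` and `%bcond_with tpm`, which leave both features off unless the build is invoked with the matching --with switch, and the configure call then passes `--disable-libdane` and `--without-tpm`. Say so explicitly in the Mar 25 entry so that users reading the changelog do not assume DANE verification or TPM key support is shipped.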
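Review bot: In the gnutls.spec BuildRequires hunk (@@ -19,46 +19,52 @@), `BuildRequires: libtasn1-devel >= 2.14` is left unchanged although the Mar 25 changes entry notes a libtasn1 3.9 requirement with the built-in library used otherwise. With the constraint still at 2.14, a build against an older system libtasn1 would fall back to the bundled ASN.1 parser without any visible signal, and that copy does not pick up fixes delivered through the system libtasn1 package. Raise the constraint to `>= 3.9`, as was done for `p11-kit-devel >= 0.20.7` in the same hunk, or add a spec comment stating why the fallback is acceptable.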
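Review bot: In the %build hunk (@@ -152,7 +172,16 @@), `--with-unbound-root-key-file=/var/lib/unbound/root.key` compiles in a DNSSEC trust anchor path, but the libgnutls-dane%{gnutls_dane_sover} subpackage added in @@ -75,6 +81,18 @@ declares no Requires on a package that provides that file, so a DANE-enabled build could be installed on a system where the anchor is absent. Add the runtime dependency to the subpackage, or a comment naming the package that owns the file. In the same hunk every configure argument, including the last one in each %if branch, now ends in a backslash and the command is terminated only by the blank line before `%__make`; a short comment there would keep a later edit from removing that blank line.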
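Review bot: The libgnutls-devel %files hunk (@@ -231,18 +272,27 @@) drops `%{_includedir}/%{name}/xssl.h` and `%{_libdir}/libgnutls-xssl.so`, and @@ -209,13 +240,23 @@ drops `%{_libdir}/libgnutls-xssl.so.*` from the library package, yet the visible part of gnutls.changes does not mention that the xssl header and library go away. This removes a public header and a shared library from the packages, so it deserves a line in the top changes entry (unless it is already covered in the 302 skipped lines) so that packages building against it can be checked before this lands.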