Accepting request 295655 from Base:System

- updated to 3.4.0 (released 2015-04-08)
  ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
  ciphersuites. The former are enabled by default, the latter need to be
  explicitly enabled, since they reduce the overall security level.
  ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
  draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
  That is currently provided as technology preview and is not enabled by
  default, since there are no assigned ciphersuite points by IETF and there 
  is no guarrantee of compatibility between draft versions. The ciphersuite
  priority string to enable it is "+CHACHA20-POLY1305".
  ** libgnutls: Added support for encrypt-then-authenticate in CBC
  ciphersuites (RFC7366 -taking into account its errata text). This is
  enabled by default and can be disabled using the %NO_ETM priority
  string.
  ** libgnutls: Added support for the extended master secret
  (triple-handshake fix) following draft-ietf-tls-session-hash-02.
  ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
  ** libgnutls: SSL 3.0 is no longer included in the default priorities
  list. It has to be explicitly enabled, e.g., with a string like
  "NORMAL:+VERS-SSL3.0".
  ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
  list. It has to be explicitly enabled, e.g., with a string like
  "NORMAL:+ARCFOUR-128".
  ** libgnutls: DSA signatures and DHE-DSS are no longer included in the
  default priorities list. They have to be explicitly enabled, e.g., with
  a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
  DSA ciphersuites were dropped because they had no deployment at all
  on the internet, to justify their inclusion.
  ** libgnutls: The priority string EXPORT was completely removed. The string

OBS-URL: https://build.opensuse.org/request/show/295655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83

baselibs.conf

@@ -1,5 +1,5 @@
-libgnutls28
+libgnutls30
   obsoletes "gnutls-<targettype>"
 libgnutls-devel
   requires -libgnutls-<targettype>
-  requires "libgnutls28-<targettype> = <version>"
+  requires "libgnutls30-<targettype> = <version>"

gnutls-3.0.26-skip-test-fwrite.patch

@@ -1,21 +0,0 @@
-Index: gl/tests/test-fwrite.c
-===================================================================
---- gl/tests/test-fwrite.c.orig	2012-04-12 21:05:11.000000000 +0100
-+++ gl/tests/test-fwrite.c	2012-11-23 22:51:17.000000000 +0000
-@@ -32,6 +32,8 @@ SIGNATURE_CHECK (fwrite, size_t, (const
- int
- main (int argc, char **argv)
- {
-+  // skip test-fwrite
-+  return 77;
-   const char *filename = "test-fwrite.txt";
- 
-   /* We don't have an fwrite() function that installs an invalid parameter
-@@ -50,6 +52,7 @@ main (int argc, char **argv)
-     setvbuf (fp, NULL, _IONBF, 0);
-     ASSERT (close (fileno (fp)) == 0);
-     errno = 0;
-+    // this fwrite returns 5 == sizeof (buf) in openSUSE Factory
-     ASSERT (fwrite (buf, 1, sizeof (buf), fp) == 0);
-     ASSERT (errno == EBADF);
-     ASSERT (ferror (fp));

gnutls-3.3.14.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0dfa0030faad8909c1e904105198232d6bc0123cae8cf4933b2bac85ee7cec52
-size 6286196

gnutls-3.4.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b422544431bfb5c4e24a605b6c793ee34792cc791c1060562ab46eaf77f3472e
+size 6453932

gnutls-fix-double-mans.patch

@@ -0,0 +1,16 @@
+Index: gnutls-3.4.0/doc/manpages/Makefile.am
+===================================================================
+--- gnutls-3.4.0.orig/doc/manpages/Makefile.am
++++ gnutls-3.4.0/doc/manpages/Makefile.am
+@@ -134,11 +134,8 @@ APIMANS += gnutls_certificate_get_peers.
+ APIMANS += gnutls_certificate_get_peers_subkey_id.3
+ APIMANS += gnutls_certificate_get_trust_list.3
+ APIMANS += gnutls_certificate_get_verify_flags.3
+-APIMANS += gnutls_certificate_get_verify_flags.3
+-APIMANS += gnutls_certificate_get_x509_crt.3
+ APIMANS += gnutls_certificate_get_x509_crt.3
+ APIMANS += gnutls_certificate_get_x509_key.3
+-APIMANS += gnutls_certificate_get_x509_key.3
+ APIMANS += gnutls_certificate_send_x509_rdn_sequence.3
+ APIMANS += gnutls_certificate_server_set_request.3
+ APIMANS += gnutls_certificate_set_dh_params.3

gnutls.changes

@@ -1,3 +1,140 @@
+
+-------------------------------------------------------------------
+Sun Apr 12 10:16:33 UTC 2015 - meissner@suse.com
+
+- updated to 3.4.0 (released 2015-04-08)
+
+  ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
+  ciphersuites. The former are enabled by default, the latter need to be
+  explicitly enabled, since they reduce the overall security level.
+
+  ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
+  draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
+  That is currently provided as technology preview and is not enabled by
+  default, since there are no assigned ciphersuite points by IETF and there 
+  is no guarrantee of compatibility between draft versions. The ciphersuite
+  priority string to enable it is "+CHACHA20-POLY1305".
+
+  ** libgnutls: Added support for encrypt-then-authenticate in CBC
+  ciphersuites (RFC7366 -taking into account its errata text). This is
+  enabled by default and can be disabled using the %NO_ETM priority
+  string.
+
+  ** libgnutls: Added support for the extended master secret
+  (triple-handshake fix) following draft-ietf-tls-session-hash-02.
+
+  ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
+
+  ** libgnutls: SSL 3.0 is no longer included in the default priorities
+  list. It has to be explicitly enabled, e.g., with a string like
+  "NORMAL:+VERS-SSL3.0".
+
+  ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
+  list. It has to be explicitly enabled, e.g., with a string like
+  "NORMAL:+ARCFOUR-128".
+
+  ** libgnutls: DSA signatures and DHE-DSS are no longer included in the
+  default priorities list. They have to be explicitly enabled, e.g., with
+  a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
+  DSA ciphersuites were dropped because they had no deployment at all
+  on the internet, to justify their inclusion.
+
+  ** libgnutls: The priority string EXPORT was completely removed. The string
+  was already defunc as support for the EXPORT ciphersuites was removed in
+  GnuTLS 3.2.0.
+
+  ** libgnutls: Added API to utilize system specific private keys in
+  "gnutls/system-keys.h". It is currently provided as technology preview
+  and is restricted to windows CNG keys.
+
+  ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
+  RFC6125 comparison of hostnames. That introduces a dependency on libidn.
+
+  ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
+  PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
+
+  ** libgnutls: Depend on nettle 3.1.
+
+  ** libgnutls: Use getrandom() or getentropy() when available. That
+  avoids the complexity of file descriptor handling and issues with
+  applications closing all open file descriptors on startup.
+
+  ** libgnutls: Use pthread_atfork() to detect fork when available.
+
+  ** libgnutls: The gnutls_handshake() process will enforce a timeout by
+  default.
+
+  ** libgnutls: If a key purpose (extended key usage) is specified for verification,
+  it is applied into intermediate certificates. The verification result
+  GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. 
+
+  ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
+  combination with PKCS #11, or TPM URLs, it will utilize the provided
+  password as PIN if required. That removes the requirement for the
+  application to set a callback for PINs in that case.
+
+  ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are 
+  restricted to the corresponding protocols only, and the VERS-ALL
+  string is introduced to catch all possible protocols.
+
+  ** libgnutls: Added helper functions to obtain information on PKCS #8
+  structures.
+
+  ** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
+  will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
+
+  ** libgnutls: Added functions to export and set the record state. That
+  allows for gnutls_record_send() and recv() to be offloaded (to kernel,
+  hardware or any other subsystem).
+
+  ** libgnutls: Added the ability to register application specific URL
+  types, which express certificates and keys using gnutls_register_custom_url().
+
+  ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
+  to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
+  gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
+  gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().
+
+  ** libgnutls: Added gnutls_ext_register() to register custom extensions.
+  Contributed by Thierry Quemerais.
+
+  ** libgnutls: Added gnutls_supplemental_register() to register custom
+  supplemental data handshake messages. Contributed by Thierry Quemerais.
+
+  ** libgnutls-openssl: it is no longer built by default.
+
+
+  ** certtool: Added --p8-info option, which will print PKCS #8 information
+  even if the password is not available.
+
+  ** certtool: --key-info option will print PKCS #8 encryption information
+  when available.
+
+  ** certtool: Added the --key-id and --fingerprint options.
+
+  ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
+  options to be used in certificate chain verification, to simulate verification
+  for specific hostname and key purpose (extended key usage).
+
+  ** certtool: --p12-info option will print PKCS #12 MAC and cipher information
+  when available.
+
+  ** certtool: it will print the A-label (ACE) names in addition to UTF-8.
+
+  ** p11tool: added options --set-id and --set-label.
+
+  ** gnutls-cli: added options --priority-list and --save-cert.
+
+  ** guile: Deprecated priority API has been removed. The old priority API, 
+  which had been deprecated for some time, is now gone; use 'set-session-priorities!'
+  instead.
+
+  ** guile: Remove RSA parameters and related procedures. This API had been 
+  deprecated.  
+
+  ** guile: Fix compilation on MinGW. Previously only the static version of the 
+  'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.
+
 -------------------------------------------------------------------
 Wed Apr  1 14:26:31 UTC 2015 - meissner@suse.com
 
@@ -31,6 +168,14 @@ Wed Apr  1 14:26:31 UTC 2015 - meissner@suse.com
   gnutls_server_name_set(). That will disable the Server Name Indication.
   Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2
 
+- new main library major version .so.30
+- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1
+- Now need to configure --enable-openssl-compatibility (might go away)
+- added gnutls-fix-double-mans.patch: avoid double installing manpages
+- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed
+  anymore
+- install_info_delete moved from %postun to %preun
+
 -------------------------------------------------------------------
 Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com
 

gnutls.spec

@@ -16,9 +16,12 @@
 #
 
 
-%define gnutls_sover 28
+%define gnutls_sover 30
 %define gnutlsxx_sover 28
+%bcond_without gnutls_openssl_compat
+%if %{with gnutls_openssl_compat}
 %define gnutls_ossl_sover 27
+%endif
 %bcond_with dane
 %if %{with dane}
 %define gnutls_dane_sover 0
@@ -26,25 +29,25 @@
 %bcond_with tpm
 
 Name:           gnutls
-Version:        3.3.14
+Version:        3.4.0
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ and GPL-3.0+
 Group:          Productivity/Networking/Security
 Url:            http://www.gnutls.org/
-Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz
+Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz
 # signature is checked by source services.
-Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig
+Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz.sig
 Source2:        %name.keyring
 Source3:        baselibs.conf
 
-# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
-Patch3:         gnutls-3.0.26-skip-test-fwrite.patch
+# PATCH-FIX-UPSTREM gnutls-fix-double-mans.patch meissner@suse.de -- fixed man instll, is in upstream git for 3.4.1
+Patch0:         gnutls-fix-double-mans.patch
 
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libidn-devel
-BuildRequires:  libnettle-devel >= 2.7
+BuildRequires:  libnettle-devel >= 3.1
 BuildRequires:  libtasn1-devel >= 4.3
 BuildRequires:  libtool
 %if %{with tpm}
@@ -54,13 +57,14 @@ BuildRequires:  trousers-devel
 BuildRequires:  unbound-devel
 Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 %endif
-%ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64
+# disabled ppc - valgrind crashes on email cert tests currently. Marcus 20150413
+%ifarch %ix86 x86_64 ppc64 s390x ppc64le %arm aarch64
 BuildRequires:  valgrind
 %endif
 %if %suse_version >= 1230
 BuildRequires:  makeinfo
 %endif
-BuildRequires:  p11-kit-devel >= 0.20.7
+BuildRequires:  p11-kit-devel >= 0.23.1
 BuildRequires:  pkg-config
 BuildRequires:  xz
 BuildRequires:  zlib-devel
@@ -103,6 +107,7 @@ The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer. Currently the GnuTLS library
 implements the proposed standards of the IETF's TLS working group.
 
+%if %{with gnutls_openssl_compat}
 
 %package -n libgnutls-openssl%{gnutls_ossl_sover}
 Summary:        The GNU Transport Layer Security Library
@@ -114,6 +119,7 @@ The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer. Currently the GnuTLS library
 implements the proposed standards of the IETF's TLS working group.
 
+%endif
 
 %package -n libgnutls-devel
 Summary:        Development package for gnutls
@@ -148,7 +154,9 @@ Summary:        Development package for gnutls
 License:        GPL-3.0+
 Group:          Development/Libraries/C and C++
 Requires:       libgnutls-devel = %{version}
+%if %{with gnutls_openssl_compat}
 Requires:       libgnutls-openssl%{gnutls_ossl_sover} = %{version}
+%endif
 
 %description -n libgnutls-openssl-devel
 Files needed for software development using gnutls.
@@ -156,7 +164,7 @@ Files needed for software development using gnutls.
 
 %prep
 %setup -q
-%patch3
+%patch0 -p1
 
 %build
 export LDFLAGS="-pie"
@@ -181,6 +189,9 @@ autoreconf -if
 %else
         --disable-libdane \
 %endif
+%if %{with gnutls_openssl_compat}
+	--enable-openssl-compatibility \
+%endif
 
 %__make
 
@@ -218,14 +229,16 @@ rm -f %{buildroot}%{_libdir}/*.la
 
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
+%if %{with gnutls_openssl_compat}
 %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
 
 %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
+%endif
 
 %post -n libgnutls-devel
 %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
 
-%postun -n libgnutls-devel
+%preun -n libgnutls-devel
 %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
 
 %files -f libgnutls.lang
@@ -258,9 +271,11 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif
 
+%if %{with gnutls_openssl_compat}
 %files -n libgnutls-openssl%{gnutls_ossl_sover}
 %defattr(-,root,root)
 %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}*
+%endif
 
 %files -n libgnutlsxx%{gnutlsxx_sover}
 %defattr(-,root,root)
@@ -285,6 +300,8 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_includedir}/%{name}/x509.h
 %{_includedir}/%{name}/x509-ext.h
 %{_includedir}/%{name}/tpm.h
+%{_includedir}/%{name}/system-keys.h
+%{_includedir}/%{name}/urls.h
 %{_libdir}/libgnutls.so
 %if %{with dane}
 %{_libdir}/libgnutls-dane.so