From 9d4c48404bdfc95440e1a0b13395be618aa6c7078ed6609542008b60dd52ba5c Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Thu, 29 Dec 2016 21:41:21 +0000 Subject: [PATCH] Accepting request 447177 from Base:System 1 OBS-URL: https://build.opensuse.org/request/show/447177 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=95 --- gnutls-3.4.15.tar.xz | 3 -- gnutls-3.4.15.tar.xz.sig | Bin 287 -> 0 bytes gnutls-3.5.7.tar.xz | 3 ++ gnutls-3.5.7.tar.xz.sig | Bin 0 -> 287 bytes gnutls.changes | 56 +++++++++++++++++++++++++++ gnutls.spec | 80 +++++++++++++++++++-------------------- 6 files changed, 97 insertions(+), 45 deletions(-) delete mode 100644 gnutls-3.4.15.tar.xz delete mode 100644 gnutls-3.4.15.tar.xz.sig create mode 100644 gnutls-3.5.7.tar.xz create mode 100644 gnutls-3.5.7.tar.xz.sig diff --git a/gnutls-3.4.15.tar.xz b/gnutls-3.4.15.tar.xz deleted file mode 100644 index 227d2fa..0000000 --- a/gnutls-3.4.15.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:eb2a013905f5f2a0cbf7bcc1d20c85a50065063ee87bd33b496c4e19815e3498 -size 6676480 diff --git a/gnutls-3.4.15.tar.xz.sig b/gnutls-3.4.15.tar.xz.sig deleted file mode 100644 index a3b8384c9db8a084ff65b4f6c789b24cd77d5cffa8a5c46076aba022e5892373..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 287 zcmV+)0pR|L0UQJX0SEvF1p-&l{FDF+2@suLs`ii*xI(+*2meV6O3hK|41E7FoN&6O zgv4W@bhocN_P@=9(7uEOGtwd)0G^=(_#r%#j!|JsXs-;ceP0Gk(uAfAm~h`12c_k6 z=|xf=$s^9H^!}6z^cYLoN#lhb2)3Ab8Jz29V*l950|nT8d0+cu!2_bb+QO!1*%LWx z1JZxxh4O?(;T}G^oW;K%XQH#@Ym;G@3+ebNS>^}hWRf_l+L~73IlE}hz5>&OzhhLq z{SHM_vUxQEW{ZvHC_%ckpg#5jve?3^ev=Ynr`*KZ6O62kU*jz(RcAEs3oY}w(?*^U lS2Q~H^|tlG^|tKUVy&4AX5d7dt`%=GRCBT~*W?g{{tDeXjq?Bi diff --git a/gnutls-3.5.7.tar.xz b/gnutls-3.5.7.tar.xz new file mode 100644 index 0000000..53dc258 --- /dev/null +++ b/gnutls-3.5.7.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:60cbfc119e6268cfa38d712621daa473298a0c5b129c0842caec4c1ed4d7861a +size 7265264 diff --git a/gnutls-3.5.7.tar.xz.sig b/gnutls-3.5.7.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..48e50f4a294707243deba24dc791dda85cf3c71a8c7e93cb6afed6ee90962371 GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-(||NQ_82@suLs`ii*xIzfD2mgBs+@DX#i~VM9BZ;wdDa3IU3*`Jv62r=y&R;4%vrcIOZM6Q lDnn6CputM|Vkd`7j1S7*N?_LAg>VThh3<6tgsN-`*n`RZik$!e literal 0 HcmV?d00001 diff --git a/gnutls.changes b/gnutls.changes index b94f6e0..24ee85f 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Sun Dec 18 16:28:51 UTC 2016 - astieger@suse.com
+
+- GnuTLS 3.5.7, the next stable branch, with the following
+ highlights:
+ * SHA3 as a certificate signature algorithm
+ * X25519 (formerly curve25519) for ephemeral EC diffie-hellman
+ key exchange
+ * TLS false start
+ * New APIs to access the Shawe-Taylor-based provable RSA and DSA
+ parameter generation
+ * Prevent the change of identity on rehandshakes by default
+
+-------------------------------------------------------------------
+Sun Dec 18 12:56:15 UTC 2016 - astieger@suse.com
+
+- GnuTLS 3.4.17:
+ * libgnutls: Introduced time and constraints checks in the end
+ certificate in the gnutls_x509_crt_verify_data2() and
+ gnutls_pkcs7_verify_direct() functions.
+ * libgnutls: Set limits on the maximum number of alerts handled.
+ That is, applications using gnutls could be tricked into an
+ busy loop if the peer sends continuously alert messages.
+ Applications which set a maximum handshake time (via
+ gnutls_handshake_set_timeout) will eventually recover but
+ others may remain in a busy loops indefinitely. This is related
+ but not identical to CVE-2016-8610, due to the difference in
+ alert handling of the libraries (gnutls delegates that handling
+ to applications). boo#1005879
+ * libgnutls: Enhanced the PKCS#7 parser to allow decoding old
+ (pre-rfc5652) structures with arbitrary encapsulated content.
+ * libgnutls: Backported cipher priorities order from 3.5.x branch
+ That adds CHACHA20-POLY1305 ciphersuite to SECURE priority
+ strings.
+ * certtool: When exporting a CRQ in DER format ensure no text data
+ are intermixed.
+ * API and ABI modifications:
+ gnutls_pkcs7_get_embedded_data_oid: Added
+- includes changes from 3.4.16:
+ * libgnutls: Ensure proper cleanups on
+ gnutls_certificate_set_*key() failures due to key mismatch.
+ This prevents leaks or double freeing on such failures.
+ * libgnutls: Increased the maximum size of the handshake message
+ hash. This will allow the library to cope better with larger
+ packets, as the ones offered by current TLS 1.3 drafts.
+ * libgnutls: Allow to use client certificates despite them
+ containing disallowed algorithms for a session. That allows for
+ example a client to use DSA-SHA1 due to his old DSA
+ certificate, without requiring him to enable DSA-SHA1 (and thus
+ make it acceptable for the server's certificate).
+ * guile: Backported all improvements from 3.5.x branch.
+ * guile: Update code to the I/O port API of Guile >= 2.1.4
+ This makes sure the GnuTLS bindings will work with the
+ forthcoming 2.2 stable series of Guile, of which 2.1 is a
+ preview.
+
 -------------------------------------------------------------------
 Sun Oct 2 16:13:59 UTC 2016 - ecsos@opensuse.org
diff --git a/gnutls.spec b/gnutls.spec
index e820da8..2c40e52 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -19,29 +19,27 @@ %define gnutls_sover 30 %define gnutlsxx_sover 28 %bcond_without gnutls_openssl_compat +%bcond_without dane +%bcond_with tpm +%bcond_without guile %if %{with gnutls_openssl_compat} %define gnutls_ossl_sover 27 %endif -%bcond_without dane %if %{with dane} %define gnutls_dane_sover 0 %endif -%bcond_with tpm -%bcond_without guile - Name: gnutls -Version: 3.4.15 +Version: 3.5.7 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz # signature is checked by source services. -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz.sig -Source2: %name.keyring +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig +Source2: %{name}.keyring Source3: baselibs.conf - BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -49,8 +47,14 @@ BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 3.1 -BuildRequires: libtasn1-devel >= 4.3 +BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool +BuildRequires: libunistring-devel +BuildRequires: p11-kit-devel >= 0.23.1 +BuildRequires: pkgconfig +BuildRequires: xz +BuildRequires: zlib-devel +BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} <= 1320 BuildRequires: net-tools %else @@ -60,12 +64,12 @@ BuildRequires: net-tools-deprecated BuildRequires: trousers-devel %endif %if %{with dane} +Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %if 0%{?suse_version} <= 1320 BuildRequires: unbound-devel %else BuildRequires: libunbound-devel %endif -Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %endif %if %{with guile} BuildRequires: guile-devel 
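Review bot: `Source0` and `Source1` in the first hunk still use `ftp://` after the move to the v3.5 directory, so the tarball and its detached signature are both fetched over an unauthenticated channel and the only integrity control is the signature check that the existing comment attributes to the source services. Neither that check nor the contents of `%{name}.keyring` are visible in this patch, so it is worth confirming that the keyring was reviewed for the key that signs the 3.5 series and that a failed verification actually blocks the submission. If upstream publishes the same files over HTTPS, switching both URLs would be a cheap additional layer. I would also widen the comment to say what is relied on, for example `# signature is checked by source services against Source2; a failed check must block the update`.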
@@ -73,18 +77,13 @@ BuildRequires: guile-devel # disabled ppc - valgrind crashes on email cert tests currently. Marcus 20150413 # disabled armv7l - valgrind appears to mishandle some insns # disabled aarch64 - valgrind mishandles exclusive load/store causing deadlocks -%ifarch %ix86 x86_64 ppc64 s390x ppc64le +%ifarch %{ix86} x86_64 ppc64 s390x ppc64le # disabled all, valgrind breaks tests in 3.4.4 #BuildRequires: valgrind %endif -%if %suse_version >= 1230 +%if 0%{?suse_version} >= 1230 BuildRequires: makeinfo %endif -BuildRequires: p11-kit-devel >= 0.23.1 -BuildRequires: pkg-config -BuildRequires: xz -BuildRequires: zlib-devel -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The GnuTLS project aims to develop a library that provides a secure @@ -109,7 +108,7 @@ Group: Productivity/Networking/Security %description -n libgnutls-dane%{gnutls_dane_sover} The GnuTLS project aims to develop a library that provides a secure -layer over a reliable transport layer. +layer over a reliable transport layer. This package contains the "DANE" part of gnutls. %endif @@ -124,7 +123,6 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %if %{with gnutls_openssl_compat} - %package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library License: GPL-3.0+ @@ -141,9 +139,10 @@ implements the proposed standards of the IETF's TLS working group. Summary: Development package for gnutls License: LGPL-2.1+ Group: Development/Libraries/C and C++ -PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} +# FIXME: use proper Requires(pre/post/preun/...) +PreReq: %{install_info_prereq} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel 
@@ -164,15 +163,15 @@ Files needed for software development using gnutls. Summary: Development package for gnutls License: LGPL-2.1+ Group: Development/Libraries/C and C++ -PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel +# FIXME: use proper Requires(pre/post/preun/...) +PreReq: %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. - %package -n libgnutls-openssl-devel Summary: Development package for gnutls License: GPL-3.0+ @@ -201,8 +200,8 @@ GnuTLS Wrappers for GNU Guile - dialect of scheme. %build export LDFLAGS="-pie" -export CFLAGS="$RPM_OPT_FLAGS -fPIE" -export CXXFLAGS="$RPM_OPT_FLAGS -fPIE" +export CFLAGS="%{optflags} -fPIE" +export CXXFLAGS="%{optflags} -fPIE" autoreconf -if %configure \ gl_cv_func_printf_directive_n=yes \ @@ -212,14 +211,14 @@ autoreconf -if --disable-rpath \ --disable-srp \ --disable-silent-rules \ - --with-default-trust-store-dir=/var/lib/ca-certificates/pem \ + --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-sysroot=/%{?_sysroot} \ --with-guile-site-dir=no \ %if %{without tpm} --without-tpm \ %endif %if %{with dane} - --with-unbound-root-key-file=/var/lib/unbound/root.key \ + --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \ %else --disable-libdane \ %endif 
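Review bot: In the last hunk on this line, `--with-default-trust-store-dir` and `--with-unbound-root-key-file` now take their prefix from `%{_localstatedir}`, so the directory the library trusts for CA certificates and the path of the DNSSEC root key are decided by whatever the build environment defines for that macro. Judging by the path names, both locations are owned by other packages, so a differing macro value would compile in a location that nobody populates or controls, and nothing in the build would flag it. I would keep the literal paths for these two options, or add a comment above `%configure` such as `# trust-store and root.key paths must match what ca-certificates and unbound install`. The `%configure` invocation starts in the previous hunk and ends outside this one.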
@@ -227,21 +226,21 @@ autoreconf -if --enable-openssl-compatibility \ %endif %{nil} -%__make +make %{?_smp_mflags} %install %make_install rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files -rm -f %{buildroot}%{_libdir}/*.la +find %{buildroot} -type f -name "*.la" -delete -print # install docs -%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ -%__cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/ -%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference -%__cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ -%__mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples -%__cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ +mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ +cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/ +mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference +cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ +mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples +cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ # PNG files are replaced with the compressed files and that breaks # deduplication, this is workaround @@ -252,14 +251,13 @@ find %{buildroot}%{_datadir} -name '*.png' -exec gzip -9 {} + %check %if ! 0%{?qemu_user_space_build} -%__make check || { +make %{?_smp_mflags} check || { find -name test-suite.log -print -exec cat {} \; exit 1 } %endif %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig - %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %if %{with dane} 
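Review bot: In `%check`, `make %{?_smp_mflags} check` now runs the test suite in parallel, and for a TLS library that suite is the main regression gate on every update. Whether the tests are safe to run concurrently is not visible here; the `datefudge` and `net-tools` build requirements suggest some of them manipulate time or start local servers, which can collide under `-j`. If failures turn out to be intermittent, go back to a serial `make check || {` and do not loosen the `exit 1` handler that follows. Using `%{?_smp_mflags}` for the build step in `%build` is fine.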
@@ -268,12 +266,10 @@ find %{buildroot}%{_datadir} -name '*.png' -exec gzip -9 {} + %endif %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig - %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %if %{with gnutls_openssl_compat} %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig - %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %endif @@ -285,9 +281,8 @@ find %{buildroot}%{_datadir} -name '*.png' -exec gzip -9 {} + %files -f libgnutls.lang %defattr(-, root, root) -%doc THANKS README NEWS ChangeLog COPYING COPYING.LESSER AUTHORS doc/TODO +%doc THANKS README.md NEWS ChangeLog LICENSE AUTHORS doc/TODO %{_bindir}/certtool -%{_bindir}/crywrap %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv @@ -337,6 +332,7 @@ find %{buildroot}%{_datadir} -name '*.png' -exec gzip -9 {} + %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/self-test.h +%{_includedir}/%{name}/socket.h %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h @@ -345,7 +341,7 @@ find %{buildroot}%{_datadir} -name '*.png' -exec gzip -9 {} + %{_libdir}/libgnutls.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* -%{_infodir}/*.* +%{_infodir}/*%{ext_info} %doc %{_docdir}/libgnutls-devel %if %{with dane}