pool/gnutls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 293173 from Base:System

Browse Source 
some tweaks for your perusal (forwarded request 293171 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/293173
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=81
This commit is contained in:
Dominique Leuenberger 2015-03-30 17:32:11 +00:00 committed by Git OBS Bridge
parent a06553bba5
commit b8f9fbb1e2
7 changed files with 571 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.2.21.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:824196254cf9162b9ff841677f292d108ca1efa6cf8ae1c02b9a8682a3d7087f
size 5162040

BIN
gnutls-3.2.21.tar.xz.sig
View File

Binary file not shown.

3
gnutls-3.3.13.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:91bf1ef5c159b7f2176f972184545b287af6507ab55a543f6007d31406b97a99
size 6189164

BIN
gnutls-3.3.13.tar.xz.sig Normal file
View File

Binary file not shown.

156
gnutls-implement-trust-store-dir-3.2.8.diff
View File

@ -1,156 +0,0 @@
Index: gnutls-3.2.13/configure.ac
===================================================================
--- gnutls-3.2.13.orig/configure.ac
+++ gnutls-3.2.13/configure.ac
@@ -466,6 +466,25 @@ if test "$with_default_trust_store_file"
with_default_trust_store_file=""
fi
+AC_ARG_WITH([default-trust-store-dir],
+ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY],
+ [use the given directory as default trust store])], with_default_trust_store_dir="$withval",
+ [if test "$build" = "$host" ; then
+ for i in \
+ /etc/ssl/certs/
+ do
+ if test -e $i ; then
+ with_default_trust_store_dir="$i"
+ break
+ fi
+ done
+ fi]
+)
+
+if test "$with_default_trust_store_dir" = "no";then
+ with_default_trust_store_dir=""
+fi
+
AC_ARG_WITH([default-crl-file],
[AS_HELP_STRING([--with-default-crl-file=FILE],
[use the given CRL file as default])])
@@ -479,6 +498,11 @@ if test "x$with_default_trust_store_file
["$with_default_trust_store_file"], [use the given file default trust store])
fi
+if test "x$with_default_trust_store_dir" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
+ ["$with_default_trust_store_dir"], [use the given directory default trust store])
+fi
+
if test "x$with_default_crl_file" != x; then
AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
["$with_default_crl_file"], [use the given CRL file])
@@ -769,6 +793,7 @@ AC_MSG_NOTICE([System files:
Trust store pkcs11: $with_default_trust_store_pkcs11
Trust store file: $with_default_trust_store_file
+ Trust store dir: $with_default_trust_store_dir
Blacklist file: $with_default_blacklist_file
CRL file: $with_default_crl_file
DNSSEC root key file: $unbound_root_key_file
Index: gnutls-3.2.13/lib/system.c
===================================================================
--- gnutls-3.2.13.orig/lib/system.c
+++ gnutls-3.2.13/lib/system.c
@@ -364,7 +364,45 @@ int _gnutls_find_config_path(char *path,
return 0;
}
-#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
+/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */
+#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__)
+# include <dirent.h>
+# include <unistd.h>
+static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
+{
+DIR * dirp;
+struct dirent *d;
+int ret;
+int r = 0;
+char path[GNUTLS_PATH_MAX];
+
+ dirp = opendir(dirname);
+ if (dirp != NULL)
+ {
+ do
+ {
+ d = readdir(dirp);
+ if (d != NULL && d->d_type == DT_REG)
+ {
+ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
+
+ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
+ if (ret >= 0)
+ r += ret;
+ }
+ }
+ while(d != NULL);
+ closedir(dirp);
+ }
+
+ return r;
+}
+#endif
+
+
+#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR)
+
static
int
add_system_trust(gnutls_x509_trust_list_t list,
@@ -400,6 +438,12 @@ add_system_trust(gnutls_x509_trust_list_
r += ret;
#endif
+# ifdef DEFAULT_TRUST_STORE_DIR
+ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM);
+ if (ret > 0)
+ r += ret;
+# endif
+
#ifdef DEFAULT_BLACKLIST_FILE
ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
@@ -474,41 +518,6 @@ int add_system_trust(gnutls_x509_trust_l
return r;
}
#elif defined(ANDROID) || defined(__ANDROID__)
-#include <dirent.h>
-#include <unistd.h>
-static int load_dir_certs(const char *dirname,
- gnutls_x509_trust_list_t list,
- unsigned int tl_flags, unsigned int tl_vflags,
- unsigned type)
-{
- DIR *dirp;
- struct dirent *d;
- int ret;
- int r = 0;
- char path[GNUTLS_PATH_MAX];
-
- dirp = opendir(dirname);
- if (dirp != NULL) {
- do {
- d = readdir(dirp);
- if (d != NULL && d->d_type == DT_REG) {
- snprintf(path, sizeof(path), "%s/%s",
- dirname, d->d_name);
-
- ret =
- gnutls_x509_trust_list_add_trust_file
- (list, path, NULL, type, tl_flags,
- tl_vflags);
- if (ret >= 0)
- r += ret;
- }
- }
- while (d != NULL);
- closedir(dirp);
- }
-
- return r;
-}
static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
{

499
gnutls.changes
View File

@ -1,3 +1,502 @@
-------------------------------------------------------------------
Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com
- for DANE support, use bcond_with
- for tpm support, same
- note p11-kit >= 0.20.7 requirement
- note libtasn1 3.9 requirement (built-in lib used otherwise)
-------------------------------------------------------------------
Mon Mar 23 08:51:12 UTC 2015 - meissner@suse.com
- disable trousers and unbound again for now, as it causes too long
build cycles.
-------------------------------------------------------------------
Sat Mar 21 07:17:50 UTC 2015 - meissner@suse.com
- added unbound-devel (for DANE) and trousers-devel (for TPM support)
- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff
- libgnutls-dane0 new library added
- updated to 3.3.13 (released 2015-02-25)
** libgnutls: Enable AESNI in GCM on x86
** libgnutls: Fixes in DTLS message handling
** libgnutls: Check certificate algorithm consistency, i.e.,
check whether the signatureAlgorithm field matches the signature
field inside TBSCertificate.
** gnutls-cli: Fixes in OCSP verification.
- Version 3.3.12 (released 2015-01-17)
** libgnutls: When negotiating TLS use the lowest enabled version in
the client hello, rather than the lowest supported. In addition, do
not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
is the only protocol supported. That addresses issues with servers that
immediately drop the connection when the encounter SSL 3.0 as the record
version number. See:
http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.
** libgnutls: Handle zero length plaintext for VIA PadLock functions.
This solves a potential crash on AES encryption for small size plaintext.
Patch by Matthias-Christian Ott.
** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715
** libgnutls: In DTLS decode all handshake packets present in a record
packet, in a single pass. Reported by Andreas Schultz.
https://savannah.gnu.org/support/?108712
** libgnutls: When importing a CA file with a PKCS #11 URL, simply
import the certificates, if the URL specifies objects, rather than
treating it as trust module.
** libgnutls: When importing a PKCS #11 URL and we know the type of
object we are importing, don't require the object type in the URL.
** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
was used by the server.
** certtool: --pubkey-info will also attempt to load a public key from stdin.
** gnutls-cli: Added --starttls-proto option. That allows to specify a
protocol for starttls negotiation.
- Version 3.3.11 (released 2014-12-11)
** libgnutls: Corrected regression introduced in 3.3.9 related to
session renegotiation. Reported by Dan Winship.
** libgnutls: Corrected parsing issue with OCSP responses.
- Version 3.3.10 (released 2014-11-10)
** libgnutls: Refuse to import v1 or v2 certificates that contain
extensions.
** libgnutls: Fixes in usage of PKCS #11 token callback
** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
Reported by David Woodhouse.
** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.
** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].
** libgnutls: When gnutls_global_init() is called for a second time, it
will check whether the /dev/urandom fd kept is still open and matches
the original one. That behavior works around issues with servers that
close all file descriptors.
** libgnutls: Corrected behavior with PKCS #11 objects that are marked
as CKA_ALWAYS_AUTHENTICATE.
** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
That option is more compatible than AES or RC4.
- Version 3.3.9 (released 2014-10-13)
** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.
** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.
** libgnutls: When both a trust module and additional CAs are present
account the latter as well; reported by David Woodhouse.
** libgnutls: added GNUTLS_TL_GET_COPY flag for
gnutls_x509_trust_list_get_issuer(). That allows the function to be used
in a thread safe way when PKCS #11 trust modules are in use.
** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.
** libgnutls-dane: Do not require the CA on a ca match to be direct CA.
** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
** guile: new 'set-session-server-name!' procedure; see the manual for
details.
** certtool: The authority key identifier will be set in a certificate only
if the CA's subject key identifier is set.
- Version 3.3.8 (released 2014-09-18)
** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.
** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.
** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David
Woodhouse.
** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.
** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.
** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).
** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.
** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.
** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.
** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.
** p11tool: when listing tokens, list their type as well.
** p11tool: when listing objects from a trust module print any attached
extensions on certificates.
- Version 3.3.7 (released 2014-08-24)
** libgnutls: Added function to export the public key of a PKCS #11
private key. Contributed by Wolfgang Meyer zu Bergsten.
** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
That improves compatibility with certain PKCS #11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: When generating a PKCS #11 private key allow setting
the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
to the key.
** libgnutls: bundle replacements of inet_pton and inet_aton if not
available.
** libgnutls: initialize parameters variable on PKCS #8 decryption.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
requirement of checking the Common Name (CN) part of DN only if there is
a single CN present in the certificate.
** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
to force the FIPS mode, when set to 1.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** p11tool: Added --info parameter.
** certtool: Added --mark-wrap parameter.
** danetool: --check will attempt to retrieve the server's certificate
chain and verify against it.
** danetool/gnutls-cli-debug: Added --app-proto parameters which can
be used to enforce starttls (currently only SMTP and IMAP) on the connection.
** danetool: Added openssl linking exception, to allow linking
with libunbound.
- Version 3.3.6 (released 2014-07-23)
** libgnutls: Use inet_ntop to print IP addresses when available
** libgnutls: gnutls_x509_crt_check_hostname and friends will also check
IP addresses, and match documented behavior. Reported by David Woodhouse.
** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
bit parameters.
** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
being usable after a reinitialization.
** libgnutls: fixed PKCS #11 private key operations after a fork.
** libgnutls: fixed PKCS #11 ECDSA key generation.
** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
explicitly enable/disable the use of certain CPU capabilities. Note that CPU
detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel
CPU. The currently available options are:
0x1: Disable all run-time detected optimizations
0x2: Enable AES-NI
0x4: Enable SSSE3
0x8: Enable PCLMUL
0x100000: Enable VIA padlock
0x200000: Enable VIA PHE
0x400000: Enable VIA PHE SHA512
** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.
** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.
** p11tool: ask for label when one isn't provided.
** p11tool: added --batch parameter to disable any interactivity.
** p11tool: will not implicitly enable so-login for certain types of
objects. That avoids issues with tokens that require different login
types.
** certtool/p11tool: Added the --curve parameter which allows to explicitly
specify the curve to use.
- Version 3.3.5 (released 2014-06-26)
** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
These functions provide a variant of gnutls_record_recv() that avoids
the final memcpy of data.
** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a
faster variant of gnutls_x509_crl_get_crt_serial() when coping with
very large structures.
** libgnutls: When the decoding of a printable DN element fails, then treat
it as unknown and print its hex value rather than failing. That works around
an issue in a TURKTRST root certificate which improperly encodes the
X520countryName element.
** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number
of certificates present in a PKCS #11 token when loading it.
** libgnutls: Allow the post client hello callback to put the handshake on
hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
** certtool: option --to-p12 will now consider --load-ca-certificate
** certtol: Added option to specify the PKCS #12 friendly name on command line.
** p11tool: Allow marking a certificate copied to a token as a CA.
- Version 3.3.4 (released 2014-05-31)
** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.
- Version 3.3.3 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: gnutls_global_set_mutex() was modified to operate with the
new initialization process.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552
** gnutls-cli: --dane will only check the end certificate if PKIX validation
has been disabled.
** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
be emulated with the implicit initialization of gnutls.
** certtool: Allow multiple organizations and organizational unit names to
be specified in a template.
** certtool: Warn when invalid configuration options are set to a template.
** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
- Version 3.3.2 (released 2014-05-06)
** libgnutls: Added the 'very weak' certificate verification profile
that corresponds to 64-bit security level.
** libgnutls: Corrected file descriptor leak on random generator
initialization.
** libgnutls: Corrected file descriptor leak on PSK password file
reading. Issue identified using the Codenomicon TLS test suite.
** libgnutls: Avoid deinitialization if initialization has failed.
** libgnutls: null-terminate othername alternative names.
** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
on a PKCS #11 trust list.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** libgnutls-guile: Fixed compilation issue.
** certtool: Allow exporting a CRL on DER format.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
- Version 3.3.1 (released 2014-04-19)
** libgnutls: Enforce more strict checks to heartbeat messages
concerning padding and payload. Suggested by Peter Dettman.
** libgnutls: Allow decoding PKCS #8 files with ECC parameters
from openssl.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls: The conditionally available self-test functions
were moved to self-test.h.
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided. Reported
by André Klitzing.
** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.
** libgnutls: Corrected the *get_*_othername_oid() functions.
- Version 3.3.0 (released 2014-04-10)
** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.
** libgnutls: static libraries are not built by default.
** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11
modules.
** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork.
** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags for use in a verification function
using GNUTLS_PROFILE_TO_VFLAGS().
** libgnutls: Added the ability to read system-specific initial
keywords, if they are prefixed with '@'. That allows a compile-time
specified configuration file to be used to read pre-configured priority
strings from. That can be used to impose system specific policies.
** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
and set a verification profile by default. The LEGACY keyword is
introduced to set the old defaults.
** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).
** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.
** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.
** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).
** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).
** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.
** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more
efficiently.
** libgnutls: Return error when a public/private key pair that doesn't
match is set into a credentials structure.
** libgnutls: Depend on p11-kit 0.20.0 or later.
** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has
been removed. It was not approved by IETF.
** libgnutls: The experimental xssl library is removed from the gnutls
distribution.
** libgnutls: Reduced the number of gnulib modules used in the main library.
** libgnutls: Added priority string %DISABLE_WILDCARDS.
** libgnutls: Added the more extensible verification function
gnutls_certificate_verify_peers(), that allows checking, in addition
to a peer's DNS hostname, for the key purpose of the end certificate
(via PKIX extended key usage).
** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).
** certtool: When no CRL number is provided (or value set to -1), then
a time-based number will be used, similarly to the serial generation
number in certificates.
** certtool: Print the SHA256 fingerprint of a certificate in addition
to SHA1.
** libgnutls: Added --enable-fips140-mode configuration option (unsupported).
That option enables (when running on FIPS140-enabled system):
o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes)
o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
o Self-tests on initialization on ciphers/MACs, public key algorithms
and the random generator.
o HMAC-SHA256 verification of the library on load.
o MD5 is included for TLS purposes but cannot be used by the high level
hashing functions.
o All ciphers except AES are disabled.
o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
o All keys (temporal and long term) are zeroized after use.
o Security levels are adjusted to the FIPS140-2 recommendations (rather
than ECRYPT).
-------------------------------------------------------------------
Wed Dec 31 09:19:19 UTC 2014 - meissner@suse.com

88
gnutls.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package gnutls
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -19,46 +19,52 @@
%define gnutls_sover 28
%define gnutlsxx_sover 28
%define gnutls_ossl_sover 27
%bcond_with dane
%if %{with dane}
%define gnutls_dane_sover 0
%endif
%bcond_with tpm
Name: gnutls
Version: 3.2.21
Version: 3.3.13
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+ and GPL-3.0+
Group: Productivity/Networking/Security
Url: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz
# signature is checked by source services.
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig
Source2: %name.keyring
Source3: baselibs.conf
# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
Patch3: gnutls-3.0.26-skip-test-fwrite.patch
Patch6: gnutls-implement-trust-store-dir-3.2.8.diff
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: libidn-devel
BuildRequires: libnettle-devel >= 2.7
BuildRequires: libtasn1-devel >= 2.14
BuildRequires: libtool
%if %{with tpm}
BuildRequires: trousers-devel
%endif
%if %{with dane}
BuildRequires: unbound-devel
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
%endif
%ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64
BuildRequires: valgrind
%endif
%if %suse_version >= 1230
BuildRequires: makeinfo
%endif
BuildRequires: p11-kit-devel >= 0.11
BuildRequires: p11-kit-devel >= 0.20.7
BuildRequires: pkg-config
BuildRequires: xz
BuildRequires: zlib-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# bug437293
%ifarch ppc64
Obsoletes: gnutls-64bit
%endif
%description
The GnuTLS project aims to develop a library that provides a secure
@ -75,6 +81,18 @@ The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
%if %{with dane}
%package -n libgnutls-dane%{gnutls_dane_sover}
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+
Group: Productivity/Networking/Security
%description -n libgnutls-dane%{gnutls_dane_sover}
The GnuTLS project aims to develop a library that provides a secure
layer over a reliable transport layer.
This package contains the "DANE" part of gnutls.
%endif
%package -n libgnutlsxx%{gnutlsxx_sover}
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+
@ -104,6 +122,9 @@ Group: Development/Libraries/C and C++
PreReq: %install_info_prereq
Requires: glibc-devel
Requires: libgnutls%{gnutls_sover} = %{version}
%if %{with dane}
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
%endif
Provides: gnutls-devel = %{version}-%{release}
%description -n libgnutls-devel
@ -136,7 +157,6 @@ Files needed for software development using gnutls.
%prep
%setup -q
%patch3
%patch6 -p1
%build
export LDFLAGS="-pie"
@ -152,7 +172,16 @@ autoreconf -if
--disable-srp \
--disable-silent-rules \
--with-default-trust-store-dir=/var/lib/ca-certificates/pem \
--with-sysroot=/%{?_sysroot}
--with-sysroot=/%{?_sysroot} \
%if %{without tpm}
--without-tpm \
%endif
%if %{with dane}
--with-unbound-root-key-file=/var/lib/unbound/root.key \
%else
--disable-libdane \
%endif
%__make
%install
@ -176,13 +205,15 @@ rm -f %{buildroot}%{_libdir}/*.la
%__make check
%endif
%clean
rm -rf %{buildroot}
%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
%if %{with dane}
%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
%endif
%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
@ -209,13 +240,23 @@ rm -rf %{buildroot}
%{_bindir}/psktool
%{_bindir}/p11tool
%{_bindir}/srptool
%if %{with dane}
%{_bindir}/danetool
%endif
%if %{with tpm}
%{_bindir}/tpmtool
%endif
%{_mandir}/man1/*
%files -n libgnutls%{gnutls_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls.so.%{gnutls_sover}*
%{_libdir}/libgnutls-xssl.so.*
%if %{with dane}
%files -n libgnutls-dane%{gnutls_dane_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
%endif
%files -n libgnutls-openssl%{gnutls_ossl_sover}
%defattr(-,root,root)
@ -231,18 +272,27 @@ rm -rf %{buildroot}
%{_includedir}/%{name}/abstract.h
%{_includedir}/%{name}/crypto.h
%{_includedir}/%{name}/compat.h
%if %{with dane}
%{_includedir}/%{name}/dane.h
%endif
%{_includedir}/%{name}/dtls.h
%{_includedir}/%{name}/gnutls.h
%{_includedir}/%{name}/openpgp.h
%{_includedir}/%{name}/ocsp.h
%{_includedir}/%{name}/pkcs11.h
%{_includedir}/%{name}/pkcs12.h
%{_includedir}/%{name}/self-test.h
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/x509-ext.h
%{_includedir}/%{name}/tpm.h
%{_includedir}/%{name}/xssl.h
%{_libdir}/libgnutls.so
%{_libdir}/libgnutls-xssl.so
%if %{with dane}
%{_libdir}/libgnutls-dane.so
%endif
%{_libdir}/pkgconfig/gnutls.pc
%if %{with dane}
%{_libdir}/pkgconfig/gnutls-dane.pc
%endif
%{_mandir}/man3/*
%{_infodir}/*.*
%doc %{_docdir}/libgnutls-devel