diff --git a/gnutls-3.2.21.tar.xz b/gnutls-3.2.21.tar.xz
deleted file mode 100644
index 444f710..0000000
--- a/gnutls-3.2.21.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:824196254cf9162b9ff841677f292d108ca1efa6cf8ae1c02b9a8682a3d7087f
-size 5162040
diff --git a/gnutls-3.2.21.tar.xz.sig b/gnutls-3.2.21.tar.xz.sig
deleted file mode 100644
index 3186ed5..0000000
Binary files a/gnutls-3.2.21.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.3.13.tar.xz b/gnutls-3.3.13.tar.xz
new file mode 100644
index 0000000..9408114
--- /dev/null
+++ b/gnutls-3.3.13.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91bf1ef5c159b7f2176f972184545b287af6507ab55a543f6007d31406b97a99
+size 6189164
diff --git a/gnutls-3.3.13.tar.xz.sig b/gnutls-3.3.13.tar.xz.sig
new file mode 100644
index 0000000..14f6d32
Binary files /dev/null and b/gnutls-3.3.13.tar.xz.sig differ
diff --git a/gnutls-implement-trust-store-dir-3.2.8.diff b/gnutls-implement-trust-store-dir-3.2.8.diff
deleted file mode 100644
index d989908..0000000
--- a/gnutls-implement-trust-store-dir-3.2.8.diff
+++ /dev/null
@@ -1,156 +0,0 @@ -Index: gnutls-3.2.13/configure.ac -=================================================================== ---- gnutls-3.2.13.orig/configure.ac -+++ gnutls-3.2.13/configure.ac -@@ -466,6 +466,25 @@ if test "$with_default_trust_store_file" - with_default_trust_store_file="" - fi - -+AC_ARG_WITH([default-trust-store-dir], -+ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY], -+ [use the given directory as default trust store])], with_default_trust_store_dir="$withval", -+ [if test "$build" = "$host" ; then -+ for i in \ -+ /etc/ssl/certs/ -+ do -+ if test -e $i ; then -+ with_default_trust_store_dir="$i" -+ break -+ fi -+ done -+ fi] -+) -+ -+if test "$with_default_trust_store_dir" = "no";then -+ with_default_trust_store_dir="" -+fi -+ - AC_ARG_WITH([default-crl-file], - [AS_HELP_STRING([--with-default-crl-file=FILE], - [use the given CRL file as default])]) -@@ -479,6 +498,11 @@ if test "x$with_default_trust_store_file - ["$with_default_trust_store_file"], [use the given file default trust store]) - fi - -+if test "x$with_default_trust_store_dir" != x; then -+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], -+ ["$with_default_trust_store_dir"], [use the given directory default trust store]) -+fi -+ - if test "x$with_default_crl_file" != x; then - AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], - ["$with_default_crl_file"], [use the given CRL file]) -@@ -769,6 +793,7 @@ AC_MSG_NOTICE([System files: - - Trust store pkcs11: $with_default_trust_store_pkcs11 - Trust store file: $with_default_trust_store_file -+ Trust store dir: $with_default_trust_store_dir - Blacklist file: $with_default_blacklist_file - CRL file: $with_default_crl_file - DNSSEC root key file: $unbound_root_key_file -Index: gnutls-3.2.13/lib/system.c -=================================================================== ---- gnutls-3.2.13.orig/lib/system.c -+++ gnutls-3.2.13/lib/system.c -@@ -364,7 +364,45 @@ int _gnutls_find_config_path(char *path, - return 0; - } - --#if 
defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) -+/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */ -+#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__) -+# include -+# include -+static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, -+ unsigned int tl_flags, unsigned int tl_vflags, unsigned type) -+{ -+DIR * dirp; -+struct dirent *d; -+int ret; -+int r = 0; -+char path[GNUTLS_PATH_MAX]; -+ -+ dirp = opendir(dirname); -+ if (dirp != NULL) -+ { -+ do -+ { -+ d = readdir(dirp); -+ if (d != NULL && d->d_type == DT_REG) -+ { -+ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); -+ -+ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); -+ if (ret >= 0) -+ r += ret; -+ } -+ } -+ while(d != NULL); -+ closedir(dirp); -+ } -+ -+ return r; -+} -+#endif -+ -+ -+#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR) -+ - static - int - add_system_trust(gnutls_x509_trust_list_t list, -@@ -400,6 +438,12 @@ add_system_trust(gnutls_x509_trust_list_ - r += ret; - #endif - -+# ifdef DEFAULT_TRUST_STORE_DIR -+ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM); -+ if (ret > 0) -+ r += ret; -+# endif -+ - #ifdef DEFAULT_BLACKLIST_FILE - ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); - if (ret < 0) { -@@ -474,41 +518,6 @@ int add_system_trust(gnutls_x509_trust_l - return r; - } - #elif defined(ANDROID) || defined(__ANDROID__) --#include --#include --static int load_dir_certs(const char *dirname, -- gnutls_x509_trust_list_t list, -- unsigned int tl_flags, unsigned int tl_vflags, -- unsigned type) --{ -- DIR *dirp; -- struct dirent *d; -- int ret; -- int r = 0; -- char path[GNUTLS_PATH_MAX]; -- -- dirp = opendir(dirname); -- if 
(dirp != NULL) { -- do { -- d = readdir(dirp); -- if (d != NULL && d->d_type == DT_REG) { -- snprintf(path, sizeof(path), "%s/%s", -- dirname, d->d_name); -- -- ret = -- gnutls_x509_trust_list_add_trust_file -- (list, path, NULL, type, tl_flags, -- tl_vflags); -- if (ret >= 0) -- r += ret; -- } -- } -- while (d != NULL); -- closedir(dirp); -- } -- -- return r; --} - - static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) - { diff --git a/gnutls.changes b/gnutls.changes index f913b0c..07cbf45 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,502 @@ +------------------------------------------------------------------- +Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com + +- for DANE support, use bcond_with +- for tpm support, same +- note p11-kit >= 0.20.7 requirement +- note libtasn1 3.9 requirement (built-in lib used otherwise) + +------------------------------------------------------------------- +Mon Mar 23 08:51:12 UTC 2015 - meissner@suse.com + +- disable trousers and unbound again for now, as it causes too long + build cycles. + +------------------------------------------------------------------- +Sat Mar 21 07:17:50 UTC 2015 - meissner@suse.com + +- added unbound-devel (for DANE) and trousers-devel (for TPM support) +- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff +- libgnutls-dane0 new library added + +- updated to 3.3.13 (released 2015-02-25) + ** libgnutls: Enable AESNI in GCM on x86 + ** libgnutls: Fixes in DTLS message handling + ** libgnutls: Check certificate algorithm consistency, i.e., + check whether the signatureAlgorithm field matches the signature + field inside TBSCertificate. + ** gnutls-cli: Fixes in OCSP verification. + +- Version 3.3.12 (released 2015-01-17) + + ** libgnutls: When negotiating TLS use the lowest enabled version in + the client hello, rather than the lowest supported. In addition, do + not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 + is the only protocol supported. That addresses issues with servers that + immediately drop the connection when the encounter SSL 3.0 as the record + version number. See: + http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html + + ** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. + + ** libgnutls: Handle zero length plaintext for VIA PadLock functions. + This solves a potential crash on AES encryption for small size plaintext. + Patch by Matthias-Christian Ott. + + ** libgnutls: In DTLS don't combine multiple packets which exceed MTU. 
+ Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 + + ** libgnutls: In DTLS decode all handshake packets present in a record + packet, in a single pass. Reported by Andreas Schultz. + https://savannah.gnu.org/support/?108712 + + ** libgnutls: When importing a CA file with a PKCS #11 URL, simply + import the certificates, if the URL specifies objects, rather than + treating it as trust module. + + ** libgnutls: When importing a PKCS #11 URL and we know the type of + object we are importing, don't require the object type in the URL. + + ** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 + was used by the server. + + ** certtool: --pubkey-info will also attempt to load a public key from stdin. + + ** gnutls-cli: Added --starttls-proto option. That allows to specify a + protocol for starttls negotiation. + +- Version 3.3.11 (released 2014-12-11) + + ** libgnutls: Corrected regression introduced in 3.3.9 related to + session renegotiation. Reported by Dan Winship. + + ** libgnutls: Corrected parsing issue with OCSP responses. + +- Version 3.3.10 (released 2014-11-10) + + ** libgnutls: Refuse to import v1 or v2 certificates that contain + extensions. + + ** libgnutls: Fixes in usage of PKCS #11 token callback + + ** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used + with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. + Reported by David Woodhouse. + + ** libgnutls: Removed superfluous random generator refresh on every call + of gnutls_deinit(). That reduces load and usage of /dev/urandom. + + ** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. + Reported by Sean Burford [GNUTLS-SA-2014-5]. + + ** libgnutls: When gnutls_global_init() is called for a second time, it + will check whether the /dev/urandom fd kept is still open and matches + the original one. That behavior works around issues with servers that + close all file descriptors. 
+ + ** libgnutls: Corrected behavior with PKCS #11 objects that are marked + as CKA_ALWAYS_AUTHENTICATE. + + ** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. + That option is more compatible than AES or RC4. + +- Version 3.3.9 (released 2014-10-13) + + ** libgnutls: Fixes in the transparent import of PKCS #11 certificates. + Reported by Joseph Peruski. + + ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the + handshake's hash buffer, in applications using the heartbeat extension + or DTLS. Reported by Joeri de Ruiter. + + ** libgnutls: When both a trust module and additional CAs are present + account the latter as well; reported by David Woodhouse. + + ** libgnutls: added GNUTLS_TL_GET_COPY flag for + gnutls_x509_trust_list_get_issuer(). That allows the function to be used + in a thread safe way when PKCS #11 trust modules are in use. + + ** libgnutls: fix issue in DTLS retransmission when session tickets + were in use; reported by Manuel Pégourié-Gonnard. + + ** libgnutls-dane: Do not require the CA on a ca match to be direct CA. + + ** libgnutls: Prevent abort() in library if getrusage() fails. Try to + detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. + + ** guile: new 'set-session-server-name!' procedure; see the manual for + details. + + ** certtool: The authority key identifier will be set in a certificate only + if the CA's subject key identifier is set. + +- Version 3.3.8 (released 2014-09-18) + + ** libgnutls: Updates in the name constraints checks. No name constraints + will be checked for intermediate certificates. As our support for name + constraints is limited to e-mail addresses in DNS names, it is pointless + to check them on intermediate certificates. + + ** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple + object listing would fail completely if a single object could not be exported. 
+ + ** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, + by retrieving them in large batches. Report and suggestion by David + Woodhouse. + + ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior + to signature verification. That resulted to certain non-DER compliant modifications + of valid certificates, being corrected by libtasn1's parser and restructured as + the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from + Codenomicon. + + ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle + strings with embedded spaces and escaped commas. + + ** libgnutls: when comparing a CA certificate with the trusted list compare + the name and key only instead of the whole certificate. That is to handle + cases where a CA certificate was superceded by a different one with the same + name and the same key. + + ** libgnutls: when verifying a certificate against a p11-kit trusted + module, use the attached extensions in the module to override the CA's + extensions (that requires p11-kit 0.20.7). + + ** libgnutls: In DTLS prevent sending zero-size fragments in certain cases + of MTU split. Reported by Manuel Pégourié-Gonnard. + + ** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows + verifying using a hostname and a purpose (extended key usage). That + enhances PKCS #11 trust module verification, as it can now check the purpose + when this function is used. + + ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report + a CRL signature as invalid. Reported by Armin Burgmeier. + + ** libgnutls: added option --disable-padlock to allow disabling the padlock + CPU acceleration. + + ** p11tool: when listing tokens, list their type as well. + + ** p11tool: when listing objects from a trust module print any attached + extensions on certificates. 
+ +- Version 3.3.7 (released 2014-08-24) + + ** libgnutls: Added function to export the public key of a PKCS #11 + private key. Contributed by Wolfgang Meyer zu Bergsten. + + ** libgnutls: Explicitly set the exponent in PKCS #11 key generation. + That improves compatibility with certain PKCS #11 modules. Contributed by + Wolfgang Meyer zu Bergsten. + + ** libgnutls: When generating a PKCS #11 private key allow setting + the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. + + ** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session + to the key. + + ** libgnutls: bundle replacements of inet_pton and inet_aton if not + available. + + ** libgnutls: initialize parameters variable on PKCS #8 decryption. + + ** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 + algorithms. + + ** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 + requirement of checking the Common Name (CN) part of DN only if there is + a single CN present in the certificate. + + ** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used + to force the FIPS mode, when set to 1. + + ** libgnutls: In DTLS ignore only errors that relate to unexpected packets + and decryption failures. + + ** p11tool: Added --info parameter. + + ** certtool: Added --mark-wrap parameter. + + ** danetool: --check will attempt to retrieve the server's certificate + chain and verify against it. + + ** danetool/gnutls-cli-debug: Added --app-proto parameters which can + be used to enforce starttls (currently only SMTP and IMAP) on the connection. + + ** danetool: Added openssl linking exception, to allow linking + with libunbound. + +- Version 3.3.6 (released 2014-07-23) + + ** libgnutls: Use inet_ntop to print IP addresses when available + + ** libgnutls: gnutls_x509_crt_check_hostname and friends will also check + IP addresses, and match documented behavior. Reported by David Woodhouse. 
+ + ** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 + bit parameters. + + ** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens + being usable after a reinitialization. + + ** libgnutls: fixed PKCS #11 private key operations after a fork. + + ** libgnutls: fixed PKCS #11 ECDSA key generation. + + ** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to + explicitly enable/disable the use of certain CPU capabilities. Note that CPU + detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel + CPU. The currently available options are: + 0x1: Disable all run-time detected optimizations + 0x2: Enable AES-NI + 0x4: Enable SSSE3 + 0x8: Enable PCLMUL + 0x100000: Enable VIA padlock + 0x200000: Enable VIA PHE + 0x400000: Enable VIA PHE SHA512 + + ** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. + + ** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. + + ** p11tool: ask for label when one isn't provided. + + ** p11tool: added --batch parameter to disable any interactivity. + + ** p11tool: will not implicitly enable so-login for certain types of + objects. That avoids issues with tokens that require different login + types. + + ** certtool/p11tool: Added the --curve parameter which allows to explicitly + specify the curve to use. + +- Version 3.3.5 (released 2014-06-26) + + ** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). + These functions provide a variant of gnutls_record_recv() that avoids + the final memcpy of data. + + ** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a + faster variant of gnutls_x509_crl_get_crt_serial() when coping with + very large structures. + + ** libgnutls: When the decoding of a printable DN element fails, then treat + it as unknown and print its hex value rather than failing. That works around + an issue in a TURKTRST root certificate which improperly encodes the + X520countryName element. 
+ + ** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number + of certificates present in a PKCS #11 token when loading it. + + ** libgnutls: Allow the post client hello callback to put the handshake on + hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED. + + ** certtool: option --to-p12 will now consider --load-ca-certificate + + ** certtol: Added option to specify the PKCS #12 friendly name on command line. + + ** p11tool: Allow marking a certificate copied to a token as a CA. + +- Version 3.3.4 (released 2014-05-31) + + ** libgnutls: Updated Andy Polyakov's assembly code. That prevents a + crash on certain CPUs. + +- Version 3.3.3 (released 2014-05-30) + + ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. + Issue reported by Joonas Kuorilehto of Codenomicon. + + ** libgnutls: gnutls_global_set_mutex() was modified to operate with the + new initialization process. + + ** libgnutls: Increased the maximum certificate size buffer + in the PKCS #11 subsystem. + + ** libgnutls: Check the return code of getpwuid_r() instead of relying + on the result value. That avoids issue in certain systems, when using + tofu authentication and the home path cannot be determined. Issue reported + by Viktor Dukhovni. + + ** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to + create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 + + ** gnutls-cli: --dane will only check the end certificate if PKIX validation + has been disabled. + + ** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot + be emulated with the implicit initialization of gnutls. + + ** certtool: Allow multiple organizations and organizational unit names to + be specified in a template. + + ** certtool: Warn when invalid configuration options are set to a template. + + ** ocsptool: Include path in ocsp request. 
This resolves #108582 + (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. + +- Version 3.3.2 (released 2014-05-06) + + ** libgnutls: Added the 'very weak' certificate verification profile + that corresponds to 64-bit security level. + + ** libgnutls: Corrected file descriptor leak on random generator + initialization. + + ** libgnutls: Corrected file descriptor leak on PSK password file + reading. Issue identified using the Codenomicon TLS test suite. + + ** libgnutls: Avoid deinitialization if initialization has failed. + + ** libgnutls: null-terminate othername alternative names. + + ** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly + on a PKCS #11 trust list. + + ** libgnutls: Several small bug fixes identified using valgrind and + the Codenomicon TLS test suite. + + ** libgnutls-dane: Accept a certificate using DANE if there is at least one + entry that matches the certificate. Patch by simon [at] arlott.org. + + ** libgnutls-guile: Fixed compilation issue. + + ** certtool: Allow exporting a CRL on DER format. + + ** certtool: The ECDSA keys generated by default use the SECP256R1 curve + which is supported more widely than the previously used SECP224R1. + +- Version 3.3.1 (released 2014-04-19) + + ** libgnutls: Enforce more strict checks to heartbeat messages + concerning padding and payload. Suggested by Peter Dettman. + + ** libgnutls: Allow decoding PKCS #8 files with ECC parameters + from openssl. + + ** libgnutls: Several small bug fixes found by coverity. + + ** libgnutls: The conditionally available self-test functions + were moved to self-test.h. + + ** libgnutls: Fixed issue with the check of incoming data when two + different recv and send pointers have been specified. Reported and + investigated by JMRecio. + + ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would + result to illegal memory access if a server hint was provided. Reported + by André Klitzing. 
+ + ** libgnutls: Fixed client memory leak in the PSK key exchange, if a + server hint was provided. + + ** libgnutls: Corrected the *get_*_othername_oid() functions. + +- Version 3.3.0 (released 2014-04-10) + + ** libgnutls: The initialization of the library was moved to a + constructor. That is, gnutls_global_init() is no longer required + unless linking with a static library or a system that does not + support library constructors. + + ** libgnutls: static libraries are not built by default. + + ** libgnutls: PKCS #11 initialization is delayed to first usage. + That avoids long delays in gnutls initialization due to broken PKCS #11 + modules. + + ** libgnutls: The PKCS #11 subsystem is re-initialized "automatically" + on the first PKCS #11 API call after a fork. + + ** libgnutls: certificate verification profiles were introduced + that can be specified as flags to verification functions. They + are enumerations in gnutls_certificate_verification_profiles_t + and can be converted to flags for use in a verification function + using GNUTLS_PROFILE_TO_VFLAGS(). + + ** libgnutls: Added the ability to read system-specific initial + keywords, if they are prefixed with '@'. That allows a compile-time + specified configuration file to be used to read pre-configured priority + strings from. That can be used to impose system specific policies. + + ** libgnutls: Increased the default security level of priority + strings (NORMAL and PFS strings require at minimum a 1008 DH prime), + and set a verification profile by default. The LEGACY keyword is + introduced to set the old defaults. + + ** libgnutls: Added support for the name constraints PKIX extension. + Currently only DNS names and e-mails are supported (no URIs, IPs + or DNs). + + ** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to + SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. + + ** libgnutls: Added new API in x509-ext.h to handle X.509 extensions. 
+ This API handles the X.509 extensions in isolation, allowing to parse + similarly formatted extensions stored in other structures. + + ** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS + can be used to specify a particular subgroup as the number of bits in + gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). + + ** libgnutls: DH parameter generation is now delegated to nettle. + That unfortunately has the side-effect that DH parameters longer than + 3072 bits, cannot be generated (not without a nettle update). + + ** libgnutls: Separated nonce RNG from the main RNG. The nonce + random number generator is based on salsa20/12. + + ** libgnutls: The buffer alignment provided to crypto backend is + enforced to be 16-byte aligned, when compiled with cryptodev + support. That allows certain cryptodev drivers to operate more + efficiently. + + ** libgnutls: Return error when a public/private key pair that doesn't + match is set into a credentials structure. + + ** libgnutls: Depend on p11-kit 0.20.0 or later. + + ** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has + been removed. It was not approved by IETF. + + ** libgnutls: The experimental xssl library is removed from the gnutls + distribution. + + ** libgnutls: Reduced the number of gnulib modules used in the main library. + + ** libgnutls: Added priority string %DISABLE_WILDCARDS. + + ** libgnutls: Added the more extensible verification function + gnutls_certificate_verify_peers(), that allows checking, in addition + to a peer's DNS hostname, for the key purpose of the end certificate + (via PKIX extended key usage). + + ** certtool: Timestamps for serial numbers were increased to 8 bytes, + and in batch mode to 12 (appended with 4 random bytes). + + ** certtool: When no CRL number is provided (or value set to -1), then + a time-based number will be used, similarly to the serial generation + number in certificates. 
+ + ** certtool: Print the SHA256 fingerprint of a certificate in addition + to SHA1. + + ** libgnutls: Added --enable-fips140-mode configuration option (unsupported). + That option enables (when running on FIPS140-enabled system): + o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) + o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. + o Self-tests on initialization on ciphers/MACs, public key algorithms + and the random generator. + o HMAC-SHA256 verification of the library on load. + o MD5 is included for TLS purposes but cannot be used by the high level + hashing functions. + o All ciphers except AES are disabled. + o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). + o All keys (temporal and long term) are zeroized after use. + o Security levels are adjusted to the FIPS140-2 recommendations (rather + than ECRYPT). + ------------------------------------------------------------------- Wed Dec 31 09:19:19 UTC 2014 - meissner@suse.com diff --git a/gnutls.spec b/gnutls.spec index 114949e..addbd65 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,46 +19,52 @@ %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 +%bcond_with dane +%if %{with dane} +%define gnutls_dane_sover 0 +%endif +%bcond_with tpm Name: gnutls -Version: 3.2.21 +Version: 3.3.13 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz # signature is checked by source services. -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig Source2: %name.keyring Source3: baselibs.conf # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch -Patch6: gnutls-implement-trust-store-dir-3.2.8.diff - BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 2.7 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool +%if %{with tpm} +BuildRequires: trousers-devel +%endif +%if %{with dane} +BuildRequires: unbound-devel +Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} +%endif %ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64 BuildRequires: valgrind %endif %if %suse_version >= 1230 BuildRequires: makeinfo %endif -BuildRequires: p11-kit-devel >= 0.11 +BuildRequires: p11-kit-devel >= 0.20.7 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build -# bug437293 -%ifarch ppc64 -Obsoletes: gnutls-64bit -%endif %description The GnuTLS project aims to develop a library that provides a secure 
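Review bot: The removal of the ppc64 `Obsoletes: gnutls-64bit` block (bug437293) near the end of this hunk is the one change here that the gnutls.changes entries added in this commit do not mention. If installed ppc64 systems can still carry gnutls-64bit, dropping the Obsoletes reintroduces the conflict it was added for; if it is intentionally gone, a changelog line such as `- drop ppc64 Obsoletes: gnutls-64bit (bug437293), no longer needed` would record the decision. The new `Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}` on the main package also appears to duplicate the soname dependency rpm generates automatically; it is harmless, but a one-line comment stating why the exact version pin is wanted would help the next maintainer.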
@@ -75,6 +81,18 @@ The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%if %{with dane} +%package -n libgnutls-dane%{gnutls_dane_sover} +Summary: The GNU Transport Layer Security Library +License: LGPL-2.1+ +Group: Productivity/Networking/Security + +%description -n libgnutls-dane%{gnutls_dane_sover} +The GnuTLS project aims to develop a library that provides a secure +layer over a reliable transport layer. +This package contains the "DANE" part of gnutls. +%endif + %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ @@ -104,6 +122,9 @@ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} +%if %{with dane} +Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} +%endif Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel @@ -136,7 +157,6 @@ Files needed for software development using gnutls. %prep %setup -q %patch3 -%patch6 -p1 %build export LDFLAGS="-pie" @@ -152,7 +172,16 @@ autoreconf -if --disable-srp \ --disable-silent-rules \ --with-default-trust-store-dir=/var/lib/ca-certificates/pem \ - --with-sysroot=/%{?_sysroot} + --with-sysroot=/%{?_sysroot} \ +%if %{without tpm} + --without-tpm \ +%endif +%if %{with dane} + --with-unbound-root-key-file=/var/lib/unbound/root.key \ +%else + --disable-libdane \ +%endif + %__make %install 
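Review bot: `--with-unbound-root-key-file=/var/lib/unbound/root.key` in the `%build` hunk only sets a compile-time default, and nothing in the `%if %{with dane}` packaging adds a runtime dependency on the package that owns and refreshes that trust anchor. If the file is absent at runtime, DANE lookups in libgnutls-dane would presumably fail DNSSEC validation rather than fall back, so the `libgnutls-dane%{gnutls_dane_sover}` subpackage defined in hunk `@@ -75,6 +81,18 @@` should likely carry a `Requires:` on the package providing that anchor, or the omission should be commented. Separately, both `%if` branches end their last configure argument with a trailing `\`, so the command is continued onto the blank line before `%__make`; this works, but ending with a non-continued argument would be less fragile if the blank line is ever removed.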
@@ -176,13 +205,15 @@ rm -f %{buildroot}%{_libdir}/*.la %__make check %endif -%clean -rm -rf %{buildroot} - %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig +%if %{with dane} +%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig +%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig +%endif + %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig @@ -209,13 +240,23 @@ rm -rf %{buildroot} %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool +%if %{with dane} %{_bindir}/danetool +%endif +%if %{with tpm} +%{_bindir}/tpmtool +%endif %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* -%{_libdir}/libgnutls-xssl.so.* + +%if %{with dane} +%files -n libgnutls-dane%{gnutls_dane_sover} +%defattr(-,root,root) +%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* +%endif %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) @@ -231,18 +272,27 @@ rm -rf %{buildroot} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h +%if %{with dane} +%{_includedir}/%{name}/dane.h +%endif %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h +%{_includedir}/%{name}/self-test.h %{_includedir}/%{name}/x509.h +%{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h -%{_includedir}/%{name}/xssl.h %{_libdir}/libgnutls.so -%{_libdir}/libgnutls-xssl.so +%if %{with dane} +%{_libdir}/libgnutls-dane.so +%endif %{_libdir}/pkgconfig/gnutls.pc +%if %{with dane} +%{_libdir}/pkgconfig/gnutls-dane.pc +%endif %{_mandir}/man3/* %{_infodir}/*.* %doc %{_docdir}/libgnutls-devel