Accepting request 587401 from Base:System

- gnutls.keyring: Nikos key refreshed to be unexpired

- GnuTLS 3.6.2:
  * libgnutls: When verifying against a self signed certificate ignore issuer.
    That is, ignore issuer when checking the issuer's parameters strength,
    resolving issue #347 which caused self signed certificates to be
    additionally marked as of insufficient security level.
  * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
    MTU calculation now, it correctly accounts for the fixed overhead due to
    padding (as 1 byte), while at the same time considers the rest of the
    padding as part of data MTU.
  * libgnutls: Address issue of loading of all PKCS#11 modules on startup
    on systems with a PKCS#11 trust store (as opposed to a file trust store).
    Introduced a multi-stage initialization which loads the trust modules, and
    other modules are deferred for the first pure PKCS#11 request.
  * libgnutls: The SRP authentication will reject any parameters outside
    RFC5054. This protects any client from potential MitM due to insecure
    parameters. That also brings SRP in par with the RFC7919 changes to
    Diffie-Hellman.
  * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
    for SRP authentication.
  * libgnutls: Addressed issue in the accelerated code affecting
    interoperability with versions of nettle >= 3.4.
  * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.
  * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
    Vitezslav Cizek).
  * srptool: the --create-conf option no longer includes 1024-bit parameters.
  * p11tool: Fixed the deletion of objects in batch mode.
- Dropped gnutls-check_aes_keysize.patch as it is included upstream now.

OBS-URL: https://build.opensuse.org/request/show/587401
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=108

gnutls-3.6.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:20b10d2c9994bc032824314714d0e84c0f19bdb3d715d8ed55beb7364a8ebaed
-size 8064408

gnutls-3.6.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bcd5db7b234e02267f36b5d13cf5214baac232b7056a506252b7574ea7738d1f
+size 8093304

gnutls-check_aes_keysize.patch

@@ -1,14 +0,0 @@
-Index: gnutls-3.6.1/lib/accelerated/x86/aes-cbc-x86-ssse3.c
-===================================================================
---- gnutls-3.6.1.orig/lib/accelerated/x86/aes-cbc-x86-ssse3.c	2018-02-06 14:03:54.986532959 +0100
-+++ gnutls-3.6.1/lib/accelerated/x86/aes-cbc-x86-ssse3.c	2018-02-06 14:04:06.022686653 +0100
-@@ -65,6 +65,9 @@ aes_ssse3_cipher_setkey(void *_ctx, cons
- 	struct aes_ctx *ctx = _ctx;
- 	int ret;
- 
-+	if (keysize != 16 && keysize != 24 && keysize != 32)
-+		return GNUTLS_E_INVALID_REQUEST;
-+
- 	if (ctx->enc)
- 		ret =
- 		    vpaes_set_encrypt_key(userkey, keysize * 8,

gnutls.changes

@@ -1,4 +1,39 @@
 -------------------------------------------------------------------
+Thu Mar 15 06:52:49 UTC 2018 - meissner@suse.com
+
+- gnutls.keyring: Nikos key refreshed to be unexpired
+
+-------------------------------------------------------------------
+Tue Mar 13 14:48:56 UTC 2018 - kbabioch@suse.com
+
+- GnuTLS 3.6.2:
+  * libgnutls: When verifying against a self signed certificate ignore issuer.
+    That is, ignore issuer when checking the issuer's parameters strength,
+    resolving issue #347 which caused self signed certificates to be
+    additionally marked as of insufficient security level.
+  * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
+    MTU calculation now, it correctly accounts for the fixed overhead due to
+    padding (as 1 byte), while at the same time considers the rest of the
+    padding as part of data MTU.
+  * libgnutls: Address issue of loading of all PKCS#11 modules on startup
+    on systems with a PKCS#11 trust store (as opposed to a file trust store).
+    Introduced a multi-stage initialization which loads the trust modules, and
+    other modules are deferred for the first pure PKCS#11 request.
+  * libgnutls: The SRP authentication will reject any parameters outside
+    RFC5054. This protects any client from potential MitM due to insecure
+    parameters. That also brings SRP in par with the RFC7919 changes to
+    Diffie-Hellman.
+  * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
+    for SRP authentication.
+  * libgnutls: Addressed issue in the accelerated code affecting
+    interoperability with versions of nettle >= 3.4.
+  * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.
+  * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
+    Vitezslav Cizek).
+  * srptool: the --create-conf option no longer includes 1024-bit parameters.
+  * p11tool: Fixed the deletion of objects in batch mode.
+- Dropped gnutls-check_aes_keysize.patch as it is included upstream now.
+-------------------------------------------------------------------
 Thu Feb 22 15:10:33 UTC 2018 - fvogt@suse.com
 
 - Use %license (boo#1082318)

gnutls.spec

@@ -23,7 +23,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.1
+Version:        3.6.2
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ AND GPL-3.0+
@@ -35,8 +35,6 @@ Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-# PATCH-FIX-UPSTREAM https://gitlab.com/gnutls/gnutls/merge_requests/592
-Patch3:         gnutls-check_aes_keysize.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -160,7 +158,6 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %prep
 %setup -q
 %patch1 -p1
-%patch3 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1