Accepting request 528289 from Base:System

1

OBS-URL: https://build.opensuse.org/request/show/528289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=104

gnutls-3.5.15.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:046081108b8b1fe455a13a4c5a4eaa0368e185b678f1670fe09a11a2d7ecfad5
-size 7238928

gnutls-3.6.0-disable-flaky-dtls_resume-test.patch

@@ -0,0 +1,22 @@
+Index: gnutls-3.6.0/tests/dtls/Makefile.am
+===================================================================
+--- gnutls-3.6.0.orig/tests/dtls/Makefile.am	2017-04-19 21:49:27.000000000 +0200
++++ gnutls-3.6.0/tests/dtls/Makefile.am	2017-09-20 14:33:56.763416427 +0200
+@@ -19,7 +19,7 @@
+ # along with this file; if not, write to the Free Software Foundation,
+ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ 
+-dist_check_SCRIPTS = dtls dtls-nb dtls-resume
++dist_check_SCRIPTS = dtls dtls-nb
+ 
+ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
+ AM_CPPFLAGS = \
+@@ -41,7 +41,7 @@ LDADD = ../../lib/libgnutls.la \
+ if !WINDOWS
+ 
+ check_PROGRAMS = dtls-stress
+-TESTS = dtls dtls-resume
++TESTS = dtls
+ 
+ endif
+ 

gnutls-3.6.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ab9e3c0131fcd9142382f37ba9c6d20022b76cba83560cbcaa8e4002d71fb72
+size 8024972

gnutls-broken-openpgp-tests.patch

@@ -1,39 +0,0 @@
-Index: gnutls-3.5.13/tests/Makefile.am
-===================================================================
---- gnutls-3.5.13.orig/tests/Makefile.am	2017-06-07 07:17:11.000000000 +0200
-+++ gnutls-3.5.13/tests/Makefile.am	2017-06-08 16:53:59.125158222 +0200
-@@ -19,7 +19,7 @@
- # along with this file; if not, write to the Free Software Foundation,
- # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- 
--SUBDIRS = . cert-tests ocsp-tests key-tests slow dtls windows
-+SUBDIRS = . cert-tests ocsp-tests key-tests slow windows
- 
- if WANT_TEST_SUITE
- SUBDIRS += suite
-@@ -91,7 +91,7 @@ ctests = mini-record-2 simple gc set_pkc
- 	 crlverify mini-dtls-discard init_fds mini-record-failure \
- 	 tls-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
- 	 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
--	 mini-dtls-record-asym openpgp-callback key-import-export \
-+	 mini-dtls-record-asym key-import-export \
- 	 mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \
- 	 tls-ext-register tls-supplemental mini-dtls0-9 \
- 	 mini-record-retvals mini-server-name tls-etm x509-cert-callback \
-@@ -236,6 +236,7 @@ endif
- endif
- 
- if ENABLE_OPENPGP
-+SUBDIRS += dtls
- ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu
- endif
- 
-@@ -244,7 +245,7 @@ ctests += x509self x509dn anonself pskse
- 	setcredcrash resume-x509 resume-psk resume-anon
- 
- if ENABLE_OPENPGP
--ctests += openpgpself 
-+ctests += openpgpself openpgp-callback
- endif
- 
- endif

gnutls.changes

@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Wed Sep 20 12:36:16 UTC 2017 - vcizek@suse.com
+
+- Disable flaky dtls_resume test on Power
+  * add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
+
+-------------------------------------------------------------------
+Mon Sep 18 11:47:23 UTC 2017 - astieger@suse.com
+
+- GnuTLS 3.6.0:
+  * Introduce a lock-free random generator which operates per-
+    thread and eliminates random-generator related bottlenecks in
+    multi-threaded operation.
+  * Replace the Salsa20 random generator with one based on CHACHA.
+    The goal is to reduce code needed in cache (CHACHA is also
+    used for TLS), and the number of primitives used by the
+    library. That does not affect the AES-DRBG random generator
+    used in FIPS140-2 mode.
+  * Add support for RSA-PSS key type as well as signatures in
+    certificates, and TLS key exchange
+  * Add support for Ed25519 signing in certificates and TLS key
+     exchange following draft-ietf-tls-rfc4492bis-17
+  * Enable X25519 key exchange by default, following
+    draft-ietf-tls-rfc4492bis-17.
+  * Add support for Diffie-Hellman group negotiation following
+    RFC7919.
+  * Introduce various sanity checks on certificate import
+  * Introduce gnutls_x509_crt_set_flags(). This function can set
+    flags in the crt structure. The only flag supported at the
+    moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the
+    certificate sanity checks on import.
+  * PKIX certificates with unknown critical extensions are rejected
+    on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS
+  * Refuse to generate a certificate with an illegal version, or an
+    illegal serial number. That is, gnutls_x509_crt_set_version()
+    and gnutls_x509_crt_set_serial(), will fail on input considered
+    to be invalid in RFC5280.
+  * Call to gnutls_record_send() and gnutls_record_recv() prior to
+    handshake being complete are now refused
+  * Add support for PKCS#12 files with no salt (zero length) in
+    their password encoding, and PKCS#12 files using SHA384 and
+    SHA512 as MAC.
+  * libgnutls: Exported functions to encode and decode DSA and ECDSA
+    r,s values.
+  * Add new callback setting function to gnutls_privkey_t for
+    external keys. The new function (gnutls_privkey_import_ext4),
+    allows signing in addition to previous algorithms (RSA PKCS#1
+    1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys.
+  * Introduce the %VERIFY_ALLOW_BROKEN and
+    %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These
+    allows enabling all broken and SHA1-based signature algorithms
+    in certificate verification, respectively.
+  * 3DES-CBC is no longer included in the default priorities list.
+    It has to be explicitly enabled, e.g., with a string like
+    "NORMAL:+3DES-CBC".
+  * SHA1 was marked as insecure for signing certificates.
+    Verification of certificates signed with SHA1 is now considered
+    insecure and will fail, unless flags intended to enable broken
+    algorithms are set. Other uses of SHA1 are still allowed.
+  * RIPEMD160 was marked as insecure for certificate signatures.
+    Verification of certificates signed with RIPEMD160 hash
+    algorithm is now considered insecure and will fail, unless
+    flags intended to enable broken algorithms are set.
+  * No longer enable SECP192R1 and SECP224R1 by default on TLS
+    handshakes. These curves were rarely used for that purpose,
+    provide no advantage over x25519 and were deprecated by TLS 1.3.
+  * Remove support for DEFLATE, or any other compression method.
+  * OpenPGP authentication was removed; the resulting library is ABI
+    compatible, with the openpgp related functions being stubs that
+    fail on invocation.
+    Drop gnutls-broken-openpgp-tests.patch, no longer required.
+  * Remove support for libidn (i.e., IDNA2003); gnutls can now be
+    compiled only with libidn2 which provides IDNA2008.
+  * certtool: The option '--load-ca-certificate' can now accept
+    PKCS#11 URLs in addition to files.
+  * certtool: The option '--load-crl' can now be used when
+    generating PKCS#12 files (i.e., in conjunction with '--to-p12' option).
+  * certtool: Keys with provable RSA and DSA parameters are now
+    only read and exported from PKCS#8 form, following 
+    draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
+    This removes support for the previous a non-standard key format.
+  * certtool: Added support for generating, printing and handling
+    RSA-PSS and Ed25519 keys and certificates.
+  * certtool: the parameters --rsa, --dsa and --ecdsa to
+    --generate-privkey are now deprecated, replaced by the
+    --key-type option.
+  * p11tool: The --generate-rsa, --generate-ecc and --generate-dsa
+    options were replaced by the --generate-privkey option.
+  * psktool: Generate 256-bit keys by default.
+  * gnutls-server: Increase request buffer size to 16kb, and added
+    the --alpn and --alpn-fatal options, allowing testing of ALPN
+    negotiation.
+  * Enables FIPS 140-2 mode during build
+
 -------------------------------------------------------------------
 Mon Sep 11 10:37:44 UTC 2017 - dimstar@opensuse.org
 

gnutls.spec

@@ -23,18 +23,18 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.5.15
+Version:        3.6.0
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1+ AND GPL-3.0+
 Group:          Productivity/Networking/Security
 Url:            http://www.gnutls.org/
-Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz
-Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig
+Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
+Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
-Patch0:         gnutls-broken-openpgp-tests.patch
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
+Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -157,14 +157,17 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 
 %prep
 %setup -q
-%patch0 -p1
 %patch1 -p1
+# dtls-resume test fails on PPC
+%ifarch ppc64 ppc64le ppc
+%patch2 -p1
+%endif
 
 %build
 export LDFLAGS="-pie"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
-autoreconf -fvi
+autoreconf -fiv
 %configure \
         gl_cv_func_printf_directive_n=yes \
         gl_cv_func_printf_infinite_long_double=yes \
@@ -174,7 +177,6 @@ autoreconf -fvi
 	--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
         --with-sysroot=/%{?_sysroot} \
         --with-guile-site-dir=no \
-        --disable-openpgp-authentication \
 %if %{without tpm}
         --without-tpm \
 %endif
@@ -183,6 +185,7 @@ autoreconf -fvi
 %else
         --disable-libdane \
 %endif
+        --enable-fips140-mode \
 	%{nil}
 make %{?_smp_mflags}