Accepting request 671127 from home:vitezslav_cizek:branches:security:tls

- Update to 3.6.6
  ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
       on the public key (#640).
  ** libgnutls: Added support for raw public-key authentication as defined in RFC7250.
     Raw public-keys can be negotiated by enabling the corresponding certificate
     types via the priority strings. The raw public-key mechanism must be explicitly
     enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
  ** libgnutls: When on server or client side we are sending no extensions we do
     not set an empty extensions field but we rather remove that field competely.
     This solves a regression since 3.5.x and improves compatibility of the server
     side with certain clients.
  ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
       the CKA_SIGN is not set (#667).
  ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
     disable extensions at all cases, while providing a functional session. This
     also implies that when specified, TLS1.3 is disabled.
  ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
     The previous definition was non-functional (#609).
- drop no longer needed gnutls-enbale-guile-2.2.patch
- refresh disable-psk-file-test.patch

OBS-URL: https://build.opensuse.org/request/show/671127
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=17

disable-psk-file-test.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.6.5/tests/Makefile.in
+Index: gnutls-3.6.6/tests/Makefile.in
 ===================================================================
---- gnutls-3.6.5.orig/tests/Makefile.in	2018-12-01 06:24:17.000000000 +0100
-+++ gnutls-3.6.5/tests/Makefile.in	2019-01-02 16:00:09.649032368 +0100
-@@ -474,7 +474,7 @@ am__EXEEXT_11 = tls13/supported_versions
+--- gnutls-3.6.6.orig/tests/Makefile.in	2019-01-25 08:26:36.000000000 +0100
++++ gnutls-3.6.6/tests/Makefile.in	2019-02-04 09:02:38.627539105 +0100
+@@ -480,7 +480,7 @@ am__EXEEXT_12 = tls13/supported_versions
  	pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \
  	x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \
  	x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \
@@ -11,7 +11,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  	priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \
  	status-request$(EXEEXT) status-request-ok$(EXEEXT) \
  	status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \
-@@ -1640,8 +1640,6 @@ privkey_verify_broken_OBJECTS = privkey-
+@@ -1652,8 +1652,6 @@ privkey_verify_broken_OBJECTS = privkey-
  privkey_verify_broken_LDADD = $(LDADD)
  privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
  	libutils.la $(am__DEPENDENCIES_2)
@@ -20,34 +20,34 @@ Index: gnutls-3.6.5/tests/Makefile.in
  psk_file_LDADD = $(LDADD)
  psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
  	$(am__DEPENDENCIES_2)
-@@ -2810,7 +2808,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts
+@@ -2841,7 +2839,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts
  	./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \
  	./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \
  	./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \
 -	./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \
 +	./$(DEPDIR)/privkey-verify-broken.Po \
  	./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \
- 	./$(DEPDIR)/random-art.Po ./$(DEPDIR)/record-pad.Po \
- 	./$(DEPDIR)/record-retvals.Po \
-@@ -3120,7 +3118,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $
+ 	./$(DEPDIR)/random-art.Po ./$(DEPDIR)/rawpk-api.Po \
+ 	./$(DEPDIR)/record-pad.Po ./$(DEPDIR)/record-retvals.Po \
+@@ -3153,7 +3151,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $
  	post-client-hello-change-prio.c prf.c priorities.c \
  	priorities-groups.c priority-init2.c priority-mix.c \
  	priority-set.c priority-set2.c privkey-keygen.c \
 -	privkey-verify-broken.c psk-file.c pskself.c \
 +	privkey-verify-broken.c pskself.c \
- 	pubkey-import-export.c random-art.c record-pad.c \
+ 	pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \
  	record-retvals.c record-sizes.c record-sizes-range.c \
  	record-timeouts.c recv-data-before-handshake.c \
-@@ -3288,7 +3286,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S
+@@ -3323,7 +3321,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S
  	post-client-hello-change-prio.c prf.c priorities.c \
  	priorities-groups.c priority-init2.c priority-mix.c \
  	priority-set.c priority-set2.c privkey-keygen.c \
 -	privkey-verify-broken.c psk-file.c pskself.c \
 +	privkey-verify-broken.c pskself.c \
- 	pubkey-import-export.c random-art.c record-pad.c \
+ 	pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \
  	record-retvals.c record-sizes.c record-sizes-range.c \
  	record-timeouts.c recv-data-before-handshake.c \
-@@ -4872,7 +4870,7 @@ ctests = tls13/supported_versions tls13/
+@@ -4915,7 +4913,7 @@ ctests = tls13/supported_versions tls13/
  	gnutls_ocsp_resp_list_import2 server-sign-md5-rep \
  	privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
  	x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \
@@ -56,7 +56,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  	post-client-hello-change-prio status-request status-request-ok \
  	status-request-missing sign-verify-ext fallback-scsv \
  	pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \
-@@ -6049,10 +6047,6 @@ privkey-verify-broken$(EXEEXT): $(privke
+@@ -6099,10 +6097,6 @@ privkey-verify-broken$(EXEEXT): $(privke
  	@rm -f privkey-verify-broken$(EXEEXT)
  	$(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS)
  
@@ -67,7 +67,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) 
  	@rm -f pskself$(EXEEXT)
  	$(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS)
-@@ -7070,7 +7064,6 @@ distclean-compile:
+@@ -7133,7 +7127,6 @@ distclean-compile:
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker
@@ -75,7 +75,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker
-@@ -9192,13 +9185,6 @@ prf.log: prf$(EXEEXT)
+@@ -9258,13 +9251,6 @@ prf.log: prf$(EXEEXT)
  	--log-file $$b.log --trs-file $$b.trs \
  	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
  	"$$tst" $(AM_TESTS_FD_REDIRECT)
@@ -89,7 +89,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  priority-init2.log: priority-init2$(EXEEXT)
  	@p='priority-init2$(EXEEXT)'; \
  	b='priority-init2'; \
-@@ -11214,7 +11200,6 @@ distclean: distclean-recursive
+@@ -11316,7 +11302,6 @@ distclean: distclean-recursive
  	-rm -f ./$(DEPDIR)/priority-set2.Po
  	-rm -f ./$(DEPDIR)/privkey-keygen.Po
  	-rm -f ./$(DEPDIR)/privkey-verify-broken.Po
@@ -97,7 +97,7 @@ Index: gnutls-3.6.5/tests/Makefile.in
  	-rm -f ./$(DEPDIR)/pskself.Po
  	-rm -f ./$(DEPDIR)/pubkey-import-export.Po
  	-rm -f ./$(DEPDIR)/random-art.Po
-@@ -11660,7 +11645,6 @@ maintainer-clean: maintainer-clean-recur
+@@ -11766,7 +11751,6 @@ maintainer-clean: maintainer-clean-recur
  	-rm -f ./$(DEPDIR)/priority-set2.Po
  	-rm -f ./$(DEPDIR)/privkey-keygen.Po
  	-rm -f ./$(DEPDIR)/privkey-verify-broken.Po

gnutls-3.6.5.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:073eced3acef49a3883e69ffd5f0f0b5f46e2760ad86eddc6c0866df4e7abb35
-size 8192888

gnutls-3.6.6.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb9acab8af2ac430edf45faaaa4ed2c51f86e57cb57689be6701aceef4732ca7
+size 8257612

gnutls-enbale-guile-2.2.patch

@@ -1,22 +0,0 @@
---- gnutls-3.6.4/aclocal.m4.orig	2018-10-16 17:52:16.972960988 +0200
-+++ gnutls-3.6.4/aclocal.m4	2018-10-16 17:52:32.797099492 +0200
-@@ -162,7 +162,7 @@
- #
- AC_DEFUN([GUILE_PKG],
-  [PKG_PROG_PKG_CONFIG
--  _guile_versions_to_search="m4_default([$1], [2.0 1.8])"
-+  _guile_versions_to_search="m4_default([$1], [2.2 2.0 1.8])"
-   if test -n "$GUILE_EFFECTIVE_VERSION"; then
-     _guile_tmp=""
-     for v in $_guile_versions_to_search; do
---- gnutls-3.6.4/configure.orig	2018-10-16 18:00:13.661141247 +0200
-+++ gnutls-3.6.4/configure	2018-10-16 18:00:29.857283556 +0200
-@@ -62704,7 +62704,7 @@
- 		PKG_CONFIG=""
- 	fi
- fi
--  _guile_versions_to_search="2.0 1.8"
-+  _guile_versions_to_search="2.2 2.0 1.8"
-   if test -n "$GUILE_EFFECTIVE_VERSION"; then
-     _guile_tmp=""
-     for v in $_guile_versions_to_search; do

gnutls.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon Feb  4 12:41:43 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 3.6.6
+  ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
+       on the public key (#640).
+  ** libgnutls: Added support for raw public-key authentication as defined in RFC7250.
+     Raw public-keys can be negotiated by enabling the corresponding certificate
+     types via the priority strings. The raw public-key mechanism must be explicitly
+     enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
+  ** libgnutls: When on server or client side we are sending no extensions we do
+     not set an empty extensions field but we rather remove that field competely.
+     This solves a regression since 3.5.x and improves compatibility of the server
+     side with certain clients.
+  ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
+       the CKA_SIGN is not set (#667).
+  ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
+     disable extensions at all cases, while providing a functional session. This
+     also implies that when specified, TLS1.3 is disabled.
+  ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
+     The previous definition was non-functional (#609).
+- drop no longer needed gnutls-enbale-guile-2.2.patch
+- refresh disable-psk-file-test.patch
+
 -------------------------------------------------------------------
 Wed Jan  2 13:36:26 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
 

gnutls.spec

@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.5
+Version:        3.6.6
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,8 +42,6 @@ Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 Patch3:         disable-psk-file-test.patch
-# Search for guile-2.2, which is supported since 3.5.5
-Patch4:         gnutls-enbale-guile-2.2.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -163,7 +161,6 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %setup -q
 %patch1 -p1
 %patch3 -p1
-%patch4 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1