Accepting request 720091 from home:AndreasStieger:branches:security:tls

gnutls 3.6.9 OBS-URL: https://build.opensuse.org/request/show/720091 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=22
2019-07-31 17:35:10 +00:00 · 2019-07-31 17:35:10 +00:00 · ef95c81a37
commit ef95c81a37
parent f11f79c7ae
8 changed files with 34 additions and 157 deletions
--- a/disable-psk-file-test.patch
+++ b/disable-psk-file-test.patch
@ -1,107 +0,0 @@
-Index: gnutls-3.6.6/tests/Makefile.in
-===================================================================
--- gnutls-3.6.6.orig/tests/Makefile.in	2019-01-25 08:26:36.000000000 +0100
-+++ gnutls-3.6.6/tests/Makefile.in	2019-02-04 09:02:38.627539105 +0100
-@@ -480,7 +480,7 @@ am__EXEEXT_12 = tls13/supported_versions
- 	pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \
- 	x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \
- 	x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \
-	oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) psk-file$(EXEEXT) \
-+	oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) \
- 	priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \
- 	status-request$(EXEEXT) status-request-ok$(EXEEXT) \
- 	status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \
-@@ -1652,8 +1652,6 @@ privkey_verify_broken_OBJECTS = privkey-
- privkey_verify_broken_LDADD = $(LDADD)
- privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
- 	libutils.la $(am__DEPENDENCIES_2)
-psk_file_SOURCES = psk-file.c
-psk_file_OBJECTS = psk-file.$(OBJEXT)
- psk_file_LDADD = $(LDADD)
- psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
- 	$(am__DEPENDENCIES_2)
-@@ -2841,7 +2839,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts
- 	./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \
- 	./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \
- 	./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \
-	./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \
-+	./$(DEPDIR)/privkey-verify-broken.Po \
- 	./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \
- 	./$(DEPDIR)/random-art.Po ./$(DEPDIR)/rawpk-api.Po \
- 	./$(DEPDIR)/record-pad.Po ./$(DEPDIR)/record-retvals.Po \
-@@ -3153,7 +3151,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $
- 	post-client-hello-change-prio.c prf.c priorities.c \
- 	priorities-groups.c priority-init2.c priority-mix.c \
- 	priority-set.c priority-set2.c privkey-keygen.c \
-	privkey-verify-broken.c psk-file.c pskself.c \
-+	privkey-verify-broken.c pskself.c \
- 	pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \
- 	record-retvals.c record-sizes.c record-sizes-range.c \
- 	record-timeouts.c recv-data-before-handshake.c \
-@@ -3323,7 +3321,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S
- 	post-client-hello-change-prio.c prf.c priorities.c \
- 	priorities-groups.c priority-init2.c priority-mix.c \
- 	priority-set.c priority-set2.c privkey-keygen.c \
-	privkey-verify-broken.c psk-file.c pskself.c \
-+	privkey-verify-broken.c pskself.c \
- 	pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \
- 	record-retvals.c record-sizes.c record-sizes-range.c \
- 	record-timeouts.c recv-data-before-handshake.c \
-@@ -4915,7 +4913,7 @@ ctests = tls13/supported_versions tls13/
- 	gnutls_ocsp_resp_list_import2 server-sign-md5-rep \
- 	privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
- 	x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \
-	mini-alignment oids atfork prf psk-file priority-init2 \
-+	mini-alignment oids atfork prf priority-init2 \
- 	post-client-hello-change-prio status-request status-request-ok \
- 	status-request-missing sign-verify-ext fallback-scsv \
- 	pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \
-@@ -6099,10 +6097,6 @@ privkey-verify-broken$(EXEEXT): $(privke
- 	@rm -f privkey-verify-broken$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS)
- 
-psk-file$(EXEEXT): $(psk_file_OBJECTS) $(psk_file_DEPENDENCIES) $(EXTRA_psk_file_DEPENDENCIES) 
-	@rm -f psk-file$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(psk_file_OBJECTS) $(psk_file_LDADD) $(LIBS)
-
- pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) 
- 	@rm -f pskself$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS)
-@@ -7133,7 +7127,6 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk-file.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker
-@@ -9258,13 +9251,6 @@ prf.log: prf$(EXEEXT)
- 	--log-file $$b.log --trs-file $$b.trs \
- 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- 	"$$tst" $(AM_TESTS_FD_REDIRECT)
-psk-file.log: psk-file$(EXEEXT)
-	@p='psk-file$(EXEEXT)'; \
-	b='psk-file'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
- priority-init2.log: priority-init2$(EXEEXT)
- 	@p='priority-init2$(EXEEXT)'; \
- 	b='priority-init2'; \
-@@ -11316,7 +11302,6 @@ distclean: distclean-recursive
- 	-rm -f ./$(DEPDIR)/priority-set2.Po
- 	-rm -f ./$(DEPDIR)/privkey-keygen.Po
- 	-rm -f ./$(DEPDIR)/privkey-verify-broken.Po
-	-rm -f ./$(DEPDIR)/psk-file.Po
- 	-rm -f ./$(DEPDIR)/pskself.Po
- 	-rm -f ./$(DEPDIR)/pubkey-import-export.Po
- 	-rm -f ./$(DEPDIR)/random-art.Po
-@@ -11766,7 +11751,6 @@ maintainer-clean: maintainer-clean-recur
- 	-rm -f ./$(DEPDIR)/priority-set2.Po
- 	-rm -f ./$(DEPDIR)/privkey-keygen.Po
- 	-rm -f ./$(DEPDIR)/privkey-verify-broken.Po
-	-rm -f ./$(DEPDIR)/psk-file.Po
- 	-rm -f ./$(DEPDIR)/pskself.Po
- 	-rm -f ./$(DEPDIR)/pubkey-import-export.Po
- 	-rm -f ./$(DEPDIR)/random-art.Po
--- a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
+++ b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
@ -1,35 +0,0 @@
-Index: gnutls-3.6.7/tests/Makefile.am
-===================================================================
--- gnutls-3.6.7.orig/tests/Makefile.am
-+++ gnutls-3.6.7/tests/Makefile.am
-@@ -453,7 +453,7 @@ if !WINDOWS
- # List of tests not available/functional under windows
- #
- 
-dist_check_SCRIPTS += dtls/dtls dtls/dtls-resume #dtls/dtls-nb
-+dist_check_SCRIPTS += dtls/dtls #dtls/dtls-resume #dtls/dtls-nb
- 
- indirect_tests += dtls-stress
- 
-Index: gnutls-3.6.7/tests/Makefile.in
-===================================================================
--- gnutls-3.6.7.orig/tests/Makefile.in
-+++ gnutls-3.6.7/tests/Makefile.in
-@@ -165,7 +165,7 @@ host_triplet = @host@
- #
- # List of tests not available/functional under windows
- #
-@WINDOWS_FALSE@am__append_13 = dtls/dtls dtls/dtls-resume fastopen.sh \
-+@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \
- @WINDOWS_FALSE@	pkgconfig.sh starttls.sh starttls-ftp.sh \
- @WINDOWS_FALSE@	starttls-smtp.sh starttls-lmtp.sh \
- @WINDOWS_FALSE@	starttls-pop3.sh starttls-xmpp.sh \
-@@ -2703,7 +2703,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM
- 	$(am__DEPENDENCIES_2)
- am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \
- 	rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \
-	dtls/dtls-resume fastopen.sh pkgconfig.sh starttls.sh \
-+	fastopen.sh pkgconfig.sh starttls.sh \
- 	starttls-ftp.sh starttls-smtp.sh starttls-lmtp.sh \
- 	starttls-pop3.sh starttls-xmpp.sh starttls-nntp.sh \
- 	starttls-sieve.sh ocsp-tests/ocsp-tls-connection \
--- a/gnutls-3.6.7.tar.xz
+++ b/gnutls-3.6.7.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8a188e2
-size 8153728
--- a/gnutls-3.6.7.tar.xz.sig
+++ b/gnutls-3.6.7.tar.xz.sig
--- a/gnutls-3.6.9.tar.xz
+++ b/gnutls-3.6.9.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4331fca55817ecdd74450b908a6c29b4f05bb24dd13144c6284aa34d872e1fcb
+size 5773928
--- a/gnutls-3.6.9.tar.xz.sig
+++ b/gnutls-3.6.9.tar.xz.sig
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Wed Jul 31 17:05:53 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- gnutls 3.6.9:
+  * add support for copying digest or MAC contexts
+  * Mark the crypto implementation override APIs as deprecated
+  * Add support for AES-GMAC, as a separate to GCM, MAC algorithm
+  * Add support for Generalname registeredID
+  * The priority configuration was enhanced to allow more elaborate
+    system-wide configuration of the library
+- includes changes from 3.6.8:
+  * Add support for AES-XTS cipher
+  * Fix calculation of Streebog digests
+  * During Diffie-Hellman operations in TLS, verify that the peer's
+    public key is on the right subgroup (y^q=1 mod p), when q is
+    available (under TLS 1.3 and under earlier versions when RFC7919
+    parameters are used).
+  * Apply STD3 ASCII rules in gnutls_idna_map() to prevent
+    hostname/domain crafting via IDNA conversion
+  * certtool: allow the digital signature key usage flag in CA
+    certificates
+  * gnutls-cli/serv: add the --keymatexport and --keymatexportsize
+    options. These allow testing the RFC5705 using these tools
+- drop patches to re-enable tests:
+  * disable-psk-file-test.patch
+  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
+
 -------------------------------------------------------------------
 Thu Apr  4 20:31:19 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -19,7 +19,6 @@
 %define gnutls_sover 30
 %define gnutlsxx_sover 28
 %define gnutls_dane_sover 0
-
 # unbound isn't in SLE (bsc#1086428)
 %if 0%{?is_opensuse}
 %bcond_without dane
@ -29,26 +28,23 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.7
+Version:        3.6.9
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://www.gnutls.org/
+URL:            https://www.gnutls.org/
 Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
-Patch2:         gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-Patch3:         disable-psk-file-test.patch
 Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
-BuildRequires:  pkgconfig(autoopts)
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
 BuildRequires:  iproute2
 BuildRequires:  libidn2-devel
@ -61,6 +57,7 @@ BuildRequires:  p11-kit-devel >= 0.23.1
 BuildRequires:  pkgconfig
 BuildRequires:  xz
 BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(autoopts)
 %if 0%{?suse_version} <= 1320
 BuildRequires:  net-tools
 %else
@ -161,12 +158,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %prep
 %setup -q
 %patch1 -p1
-%patch3 -p1
 %patch4 -p1
-# dtls-resume test fails on PPC
-%ifarch ppc64 ppc64le ppc
-%patch2 -p1
-%endif

 %build
 export LDFLAGS="-pie"
@ -201,7 +193,7 @@ find %{buildroot} -type f -name "*.la" -delete -print

 # install docs
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
-cp doc/gnutls.html doc/*.png doc/gnutls.pdf %{buildroot}%{_docdir}/libgnutls-devel/
+cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
 cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples