diff --git a/baselibs.conf b/baselibs.conf index efa44dc..b378ce3 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,5 +1,5 @@ -libgnutls28 +libgnutls30 obsoletes "gnutls-" libgnutls-devel requires -libgnutls- - requires "libgnutls28- = " + requires "libgnutls30- = " diff --git a/gnutls-3.0.26-skip-test-fwrite.patch b/gnutls-3.0.26-skip-test-fwrite.patch deleted file mode 100644 index d38aa3c..0000000 --- a/gnutls-3.0.26-skip-test-fwrite.patch +++ /dev/null @@ -1,21 +0,0 @@ -Index: gl/tests/test-fwrite.c -=================================================================== ---- gl/tests/test-fwrite.c.orig 2012-04-12 21:05:11.000000000 +0100 -+++ gl/tests/test-fwrite.c 2012-11-23 22:51:17.000000000 +0000 -@@ -32,6 +32,8 @@ SIGNATURE_CHECK (fwrite, size_t, (const - int - main (int argc, char **argv) - { -+ // skip test-fwrite -+ return 77; - const char *filename = "test-fwrite.txt"; - - /* We don't have an fwrite() function that installs an invalid parameter -@@ -50,6 +52,7 @@ main (int argc, char **argv) - setvbuf (fp, NULL, _IONBF, 0); - ASSERT (close (fileno (fp)) == 0); - errno = 0; -+ // this fwrite returns 5 == sizeof (buf) in openSUSE Factory - ASSERT (fwrite (buf, 1, sizeof (buf), fp) == 0); - ASSERT (errno == EBADF); - ASSERT (ferror (fp)); diff --git a/gnutls-3.3.14.tar.xz b/gnutls-3.3.14.tar.xz deleted file mode 100644 index bdae208..0000000 --- a/gnutls-3.3.14.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0dfa0030faad8909c1e904105198232d6bc0123cae8cf4933b2bac85ee7cec52 -size 6286196 diff --git a/gnutls-3.3.14.tar.xz.sig b/gnutls-3.3.14.tar.xz.sig deleted file mode 100644 index 92222b8..0000000 Binary files a/gnutls-3.3.14.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.4.0.tar.xz b/gnutls-3.4.0.tar.xz new file mode 100644 index 0000000..45a78c6 --- /dev/null +++ b/gnutls-3.4.0.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b422544431bfb5c4e24a605b6c793ee34792cc791c1060562ab46eaf77f3472e
+size 6453932
diff --git a/gnutls-3.4.0.tar.xz.sig b/gnutls-3.4.0.tar.xz.sig
new file mode 100644
index 0000000..2f28209
Binary files /dev/null and b/gnutls-3.4.0.tar.xz.sig differ
diff --git a/gnutls-fix-double-mans.patch b/gnutls-fix-double-mans.patch
new file mode 100644
index 0000000..d2161cc
--- /dev/null
+++ b/gnutls-fix-double-mans.patch
@@ -0,0 +1,16 @@
+Index: gnutls-3.4.0/doc/manpages/Makefile.am
+===================================================================
+--- gnutls-3.4.0.orig/doc/manpages/Makefile.am
++++ gnutls-3.4.0/doc/manpages/Makefile.am
+@@ -134,11 +134,8 @@ APIMANS += gnutls_certificate_get_peers.
+ APIMANS += gnutls_certificate_get_peers_subkey_id.3
+ APIMANS += gnutls_certificate_get_trust_list.3
+ APIMANS += gnutls_certificate_get_verify_flags.3
+-APIMANS += gnutls_certificate_get_verify_flags.3
+-APIMANS += gnutls_certificate_get_x509_crt.3
+ APIMANS += gnutls_certificate_get_x509_crt.3
+ APIMANS += gnutls_certificate_get_x509_key.3
+-APIMANS += gnutls_certificate_get_x509_key.3
+ APIMANS += gnutls_certificate_send_x509_rdn_sequence.3
+ APIMANS += gnutls_certificate_server_set_request.3
+ APIMANS += gnutls_certificate_set_dh_params.3
diff --git a/gnutls.changes b/gnutls.changes
index 11dc4c8..ec594b0 100644
--- a/gnutls.changes
+++ b/gnutls.changes
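Review bot: The new gnutls-fix-double-mans.patch carries no header of its own; it starts directly at `Index:` and the only provenance is the one-line tag in the spec. A carried patch should say in its own text what it fixes and where it comes from, so it can be dropped with confidence on the next version bump. Suggested header above `Index:`: `Upstream: <upstream commit id placeholder> - drop duplicated APIMANS entries in doc/manpages/Makefile.am that make man pages install twice; in upstream git for 3.4.1`.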
@@ -1,3 +1,140 @@
+
+-------------------------------------------------------------------
+Sun Apr 12 10:16:33 UTC 2015 - meissner@suse.com
+
+- updated to 3.4.0 (released 2015-04-08)
+
+ ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
+ ciphersuites. The former are enabled by default, the latter need to be
+ explicitly enabled, since they reduce the overall security level.
+
+ ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
+ draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
+ That is currently provided as technology preview and is not enabled by
+ default, since there are no assigned ciphersuite points by IETF and there
+ is no guarrantee of compatibility between draft versions. The ciphersuite
+ priority string to enable it is "+CHACHA20-POLY1305".
+
+ ** libgnutls: Added support for encrypt-then-authenticate in CBC
+ ciphersuites (RFC7366 -taking into account its errata text). This is
+ enabled by default and can be disabled using the %NO_ETM priority
+ string.
+
+ ** libgnutls: Added support for the extended master secret
+ (triple-handshake fix) following draft-ietf-tls-session-hash-02.
+
+ ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
+
+ ** libgnutls: SSL 3.0 is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+VERS-SSL3.0".
+
+ ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+ARCFOUR-128".
+
+ ** libgnutls: DSA signatures and DHE-DSS are no longer included in the
+ default priorities list. They have to be explicitly enabled, e.g., with
+ a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
+ DSA ciphersuites were dropped because they had no deployment at all
+ on the internet, to justify their inclusion.
+
+ ** libgnutls: The priority string EXPORT was completely removed. The string
+ was already defunc as support for the EXPORT ciphersuites was removed in
+ GnuTLS 3.2.0.
+
+ ** libgnutls: Added API to utilize system specific private keys in
+ "gnutls/system-keys.h". It is currently provided as technology preview
+ and is restricted to windows CNG keys.
+
+ ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
+ RFC6125 comparison of hostnames. That introduces a dependency on libidn.
+
+ ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
+ PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
+
+ ** libgnutls: Depend on nettle 3.1.
+
+ ** libgnutls: Use getrandom() or getentropy() when available. That
+ avoids the complexity of file descriptor handling and issues with
+ applications closing all open file descriptors on startup.
+
+ ** libgnutls: Use pthread_atfork() to detect fork when available.
+
+ ** libgnutls: The gnutls_handshake() process will enforce a timeout by
+ default.
+
+ ** libgnutls: If a key purpose (extended key usage) is specified for verification,
+ it is applied into intermediate certificates. The verification result
+ GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
+
+ ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
+ combination with PKCS #11, or TPM URLs, it will utilize the provided
+ password as PIN if required. That removes the requirement for the
+ application to set a callback for PINs in that case.
+
+ ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
+ restricted to the corresponding protocols only, and the VERS-ALL
+ string is introduced to catch all possible protocols.
+
+ ** libgnutls: Added helper functions to obtain information on PKCS #8
+ structures.
+
+ ** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
+ will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
+
+ ** libgnutls: Added functions to export and set the record state. That
+ allows for gnutls_record_send() and recv() to be offloaded (to kernel,
+ hardware or any other subsystem).
+
+ ** libgnutls: Added the ability to register application specific URL
+ types, which express certificates and keys using gnutls_register_custom_url().
+
+ ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
+ to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
+ gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
+ gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().
+
+ ** libgnutls: Added gnutls_ext_register() to register custom extensions.
+ Contributed by Thierry Quemerais.
+
+ ** libgnutls: Added gnutls_supplemental_register() to register custom
+ supplemental data handshake messages. Contributed by Thierry Quemerais.
+
+ ** libgnutls-openssl: it is no longer built by default.
+
+
+ ** certtool: Added --p8-info option, which will print PKCS #8 information
+ even if the password is not available.
+
+ ** certtool: --key-info option will print PKCS #8 encryption information
+ when available.
+
+ ** certtool: Added the --key-id and --fingerprint options.
+
+ ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
+ options to be used in certificate chain verification, to simulate verification
+ for specific hostname and key purpose (extended key usage).
+
+ ** certtool: --p12-info option will print PKCS #12 MAC and cipher information
+ when available.
+
+ ** certtool: it will print the A-label (ACE) names in addition to UTF-8.
+
+ ** p11tool: added options --set-id and --set-label.
+
+ ** gnutls-cli: added options --priority-list and --save-cert.
+
+ ** guile: Deprecated priority API has been removed. The old priority API,
+ which had been deprecated for some time, is now gone; use 'set-session-priorities!'
+ instead.
+
+ ** guile: Remove RSA parameters and related procedures.
This API had been + deprecated. + + ** guile: Fix compilation on MinGW. Previously only the static version of the + 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. + ------------------------------------------------------------------- Wed Apr 1 14:26:31 UTC 2015 - meissner@suse.com @@ -31,6 +168,14 @@ Wed Apr 1 14:26:31 UTC 2015 - meissner@suse.com gnutls_server_name_set(). That will disable the Server Name Indication. Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 +- new main library major version .so.30 +- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1 +- Now need to configure --enable-openssl-compatibility (might go away) +- added gnutls-fix-double-mans.patch: avoid double installing manpages +- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed + anymore +- install_info_delete moved from %postun to %preun + ------------------------------------------------------------------- Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com diff --git a/gnutls.spec b/gnutls.spec index feb6fca..aa27614 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -16,9 +16,12 @@ # -%define gnutls_sover 28 +%define gnutls_sover 30 %define gnutlsxx_sover 28 +%bcond_without gnutls_openssl_compat +%if %{with gnutls_openssl_compat} %define gnutls_ossl_sover 27 +%endif %bcond_with dane %if %{with dane} %define gnutls_dane_sover 0 
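Review bot: Wrapping `%define gnutls_ossl_sover 27` in `%if %{with gnutls_openssl_compat}` leaves the macro undefined when the build is run `--without gnutls_openssl_compat`, and rpm then passes any reference that is not under the same guard through literally as `%{gnutls_ossl_sover}`. Nothing is gained by the guard, so define it unconditionally: keep `%define gnutls_ossl_sover 27` and drop the surrounding `%if`/`%endif` pair. Note also that `%bcond_without` keeps the openssl-compat library on by default, whereas the changelog hunk in the same commit records that upstream no longer builds it by default; a one-line comment next to the bcond stating why it is kept on (and the "might go away" intent from the changelog) would help the next bump.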
@@ -26,25 +29,25 @@ %bcond_with tpm Name: gnutls -Version: 3.3.14 +Version: 3.4.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz # signature is checked by source services. -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz.sig Source2: %name.keyring Source3: baselibs.conf -# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test -Patch3: gnutls-3.0.26-skip-test-fwrite.patch +# PATCH-FIX-UPSTREM gnutls-fix-double-mans.patch meissner@suse.de -- fixed man instll, is in upstream git for 3.4.1 +Patch0: gnutls-fix-double-mans.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel -BuildRequires: libnettle-devel >= 2.7 +BuildRequires: libnettle-devel >= 3.1 BuildRequires: libtasn1-devel >= 4.3 BuildRequires: libtool %if %{with tpm} @@ -54,13 +57,14 @@ BuildRequires: trousers-devel BuildRequires: unbound-devel Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %endif -%ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64 +# disabled ppc - valgrind crashes on email cert tests currently. Marcus 20150413 +%ifarch %ix86 x86_64 ppc64 s390x ppc64le %arm aarch64 BuildRequires: valgrind %endif %if %suse_version >= 1230 BuildRequires: makeinfo %endif -BuildRequires: p11-kit-devel >= 0.20.7 +BuildRequires: p11-kit-devel >= 0.23.1 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel 
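Review bot: The patch tag on the new `Patch0` comment is misspelled: openSUSE review tooling keys on the literal `PATCH-FIX-UPSTREAM`, and `PATCH-FIX-UPSTREM` will not be recognised (the text also has `instll`). Suggested line: `# PATCH-FIX-UPSTREAM gnutls-fix-double-mans.patch meissner@suse.de -- fix double man page install, is in upstream git for 3.4.1`. Separately, Source0 and Source1 move to the v3.4 directory while Source2 `%name.keyring` is not touched anywhere in this diff; since the comment says the signature is checked by source services, source validation would fail if 3.4.0 is signed by a key the keyring does not hold, so confirm the keyring covers the key used for this release.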
@@ -103,6 +107,7 @@ The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%if %{with gnutls_openssl_compat} %package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library @@ -114,6 +119,7 @@ The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%endif %package -n libgnutls-devel Summary: Development package for gnutls @@ -148,7 +154,9 @@ Summary: Development package for gnutls License: GPL-3.0+ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} +%if %{with gnutls_openssl_compat} Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} +%endif %description -n libgnutls-openssl-devel Files needed for software development using gnutls. @@ -156,7 +164,7 @@ Files needed for software development using gnutls. %prep %setup -q -%patch3 +%patch0 -p1 %build export LDFLAGS="-pie" @@ -181,6 +189,9 @@ autoreconf -if %else --disable-libdane \ %endif +%if %{with gnutls_openssl_compat} + --enable-openssl-compatibility \ +%endif %__make @@ -218,14 +229,16 @@ rm -f %{buildroot}%{_libdir}/*.la %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig +%if %{with gnutls_openssl_compat} %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig +%endif %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz -%postun -n libgnutls-devel +%preun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %files -f libgnutls.lang 
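Review bot: In the `@@ -148,7 +154,9 @@` hunk only the `Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}` line of libgnutls-openssl-devel is placed under `%if %{with gnutls_openssl_compat}`, while the `%package -n libgnutls-openssl-devel` header above the hunk and its `%description` stay unconditional. The runtime subpackage, its scriptlets and its `%files` are all guarded in this commit, so a `--without gnutls_openssl_compat` build would still declare the devel subpackage; its `%files` list is outside the visible hunks, but if it names the openssl compat header or `.so` link the build will fail, and if it does not it ships an empty devel package. Put the whole libgnutls-openssl-devel block, from `%package -n libgnutls-openssl-devel` through its `%description` and its `%files` section, inside the same conditional so the bcond is consistent.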
@@ -258,9 +271,11 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %endif +%if %{with gnutls_openssl_compat} %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* +%endif %files -n libgnutlsxx%{gnutlsxx_sover} %defattr(-,root,root) @@ -285,6 +300,8 @@ rm -f %{buildroot}%{_libdir}/*.la %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h +%{_includedir}/%{name}/system-keys.h +%{_includedir}/%{name}/urls.h %{_libdir}/libgnutls.so %if %{with dane} %{_libdir}/libgnutls-dane.so