From 6e5080fb38b3ee5186adef53032cf1c5f7d6ca59cd8b3fdbd68264eca49aa7f6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 4 Jan 2019 13:39:42 +0000 Subject: [PATCH 1/2] Accepting request 662795 from home:vitezslav_cizek:branches:security:tls - Update to 3.6.5 ** libgnutls: Provide the option of transparent re-handshake/reauthentication when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) ** libgnutls: The priority functions will ignore and not enable TLS1.3 if requested with legacy TLS versions enabled but not TLS1.2. That is because if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) servers which do not support TLS1.3 will negotiate TLS1.2 which will be rejected by the client as disabled (#621). ** libgnutls: Change RSA decryption to use a new side-channel silent function. This addresses a security issue where memory access patterns as well as timing on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher attacks. Side-channel resistant code is slower due to the need to mask access and timings. When used in TLS the new functions cause RSA based handshakes to be between 13% and 28% slower on average (Numbers are indicative, the tests were performed on a relatively modern Intel CPU, results vary depending on the CPU and architecture used). This change makes nettle 3.4.1 the minimum requirement of gnutls (#630). [CVSS: medium] ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword in the priority string. It is only accepted as legacy option and is ignored. ** libgnutls: Added support for EdDSA under PKCS#11 (#417) ** libgnutls: Added support for AES-CFB8 cipher (#357) ** libgnutls: Added support for AES-CMAC MAC (#351) ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now. 
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016. ** gnutls-serv: It applies the default settings when no --priority option is given, using gnutls_set_default_priority(). OBS-URL: https://build.opensuse.org/request/show/662795 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=16 --- disable-psk-file-test.patch | 78 ++++++++---------- ...3.6.0-disable-flaky-dtls_resume-test.patch | 22 ++--- gnutls-3.6.4.tar.xz | 3 - gnutls-3.6.4.tar.xz.sig | Bin 310 -> 0 bytes gnutls-3.6.5.tar.xz | 3 + gnutls-3.6.5.tar.xz.sig | Bin 0 -> 310 bytes gnutls.changes | 42 ++++++++++ gnutls.spec | 6 +- 8 files changed, 92 insertions(+), 62 deletions(-) delete mode 100644 gnutls-3.6.4.tar.xz delete mode 100644 gnutls-3.6.4.tar.xz.sig create mode 100644 gnutls-3.6.5.tar.xz create mode 100644 gnutls-3.6.5.tar.xz.sig diff --git a/disable-psk-file-test.patch b/disable-psk-file-test.patch index 78b3273..421d5a9 100644 --- a/disable-psk-file-test.patch +++ b/disable-psk-file-test.patch 
@@ -1,17 +1,17 @@ -diff --git a/tests/Makefile.in b/tests/Makefile.in -index 07433e0..4ecd431 100644 ---- a/tests/Makefile.in -+++ b/tests/Makefile.in -@@ -457,7 +457,7 @@ am__EXEEXT_10 = tls13/supported_versions$(EXEEXT) \ +Index: gnutls-3.6.5/tests/Makefile.in +=================================================================== +--- gnutls-3.6.5.orig/tests/Makefile.in 2018-12-01 06:24:17.000000000 +0100 ++++ gnutls-3.6.5/tests/Makefile.in 2019-01-02 16:00:09.649032368 +0100 +@@ -474,7 +474,7 @@ am__EXEEXT_11 = tls13/supported_versions pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \ x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \ x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \ - oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) psk-file$(EXEEXT) \ + oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) \ - priority-init2$(EXEEXT) status-request$(EXEEXT) \ - status-request-ok$(EXEEXT) status-request-missing$(EXEEXT) \ - sign-verify-ext$(EXEEXT) fallback-scsv$(EXEEXT) \ -@@ -1590,8 +1590,6 @@ privkey_verify_broken_OBJECTS = privkey-verify-broken.$(OBJEXT) + priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \ + status-request$(EXEEXT) status-request-ok$(EXEEXT) \ + status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \ +@@ -1640,8 +1640,6 @@ privkey_verify_broken_OBJECTS = privkey- privkey_verify_broken_LDADD = $(LDADD) privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ libutils.la $(am__DEPENDENCIES_2) 
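Review bot: The refreshed patch still carries no description of why `psk-file` is taken out of the test list; the new `+Index: gnutls-3.6.5/tests/Makefile.in` header is followed directly by the hunks. For a TLS library the PSK path is security-relevant, and a test disabled without a recorded failure mode tends to stay disabled long after whatever it worked around is fixed. Add a short free-text header above `Index:` (quilt-style patches accept it) stating what `psk-file` fails on, on which target, and the condition under which it can be re-enabled, plus a tracking bug reference if one exists. Whether the cause is a build-sandbox limitation or a real failure is not visible from this diff, so the wording has to come from the packager.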
@@ -20,43 +20,43 @@ index 07433e0..4ecd431 100644 psk_file_LDADD = $(LDADD) psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ $(am__DEPENDENCIES_2) -@@ -2723,7 +2721,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts.Po \ - ./$(DEPDIR)/priority-init2.Po ./$(DEPDIR)/priority-mix.Po \ - ./$(DEPDIR)/priority-set.Po ./$(DEPDIR)/priority-set2.Po \ - ./$(DEPDIR)/privkey-keygen.Po \ +@@ -2810,7 +2808,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts + ./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \ + ./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \ + ./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \ - ./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \ + ./$(DEPDIR)/privkey-verify-broken.Po \ ./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \ ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/record-pad.Po \ ./$(DEPDIR)/record-retvals.Po \ -@@ -3021,7 +3019,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $(libutils_la_SOURCES) alerts.c \ - pkcs7-gen.c pkcs8-key-decode.c pkcs8-key-decode-encrypted.c \ - prf.c priorities.c priorities-groups.c priority-init2.c \ - priority-mix.c priority-set.c priority-set2.c privkey-keygen.c \ +@@ -3120,7 +3118,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $ + post-client-hello-change-prio.c prf.c priorities.c \ + priorities-groups.c priority-init2.c priority-mix.c \ + priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ pubkey-import-export.c random-art.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ -@@ -3183,7 +3181,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_SOURCES_DIST) \ - pkcs7-gen.c pkcs8-key-decode.c pkcs8-key-decode-encrypted.c \ - prf.c priorities.c priorities-groups.c priority-init2.c \ - priority-mix.c priority-set.c priority-set2.c privkey-keygen.c \ +@@ -3288,7 +3286,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S + 
post-client-hello-change-prio.c prf.c priorities.c \ + priorities-groups.c priority-init2.c priority-mix.c \ + priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ pubkey-import-export.c random-art.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ -@@ -4734,7 +4732,7 @@ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ - x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \ - server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal \ - pkcs7-gen dtls-etm x509sign-verify-rsa x509sign-verify-ecdsa \ -- x509sign-verify-gost mini-alignment oids atfork prf psk-file \ -+ x509sign-verify-gost mini-alignment oids atfork prf \ - priority-init2 status-request status-request-ok \ +@@ -4872,7 +4870,7 @@ ctests = tls13/supported_versions tls13/ + gnutls_ocsp_resp_list_import2 server-sign-md5-rep \ + privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ + x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ +- mini-alignment oids atfork prf psk-file priority-init2 \ ++ mini-alignment oids atfork prf priority-init2 \ + post-client-hello-change-prio status-request status-request-ok \ status-request-missing sign-verify-ext fallback-scsv \ pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \ -@@ -5872,10 +5870,6 @@ privkey-verify-broken$(EXEEXT): $(privkey_verify_broken_OBJECTS) $(privkey_verif +@@ -6049,10 +6047,6 @@ privkey-verify-broken$(EXEEXT): $(privke @rm -f privkey-verify-broken$(EXEEXT) $(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS) 
@@ -67,7 +67,7 @@ index 07433e0..4ecd431 100644 pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) @rm -f pskself$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS) -@@ -6862,7 +6856,6 @@ distclean-compile: +@@ -7070,7 +7064,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker @@ -75,7 +75,7 @@ index 07433e0..4ecd431 100644 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker -@@ -8913,13 +8906,6 @@ prf.log: prf$(EXEEXT) +@@ -9192,13 +9185,6 @@ prf.log: prf$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) @@ -89,7 +89,7 @@ index 07433e0..4ecd431 100644 priority-init2.log: priority-init2$(EXEEXT) @p='priority-init2$(EXEEXT)'; \ b='priority-init2'; \ -@@ -10883,7 +10869,6 @@ distclean: distclean-recursive +@@ -11214,7 +11200,6 @@ distclean: distclean-recursive -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po @@ -97,7 +97,7 @@ index 07433e0..4ecd431 100644 -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po -@@ -11318,7 +11303,6 @@ maintainer-clean: maintainer-clean-recursive +@@ -11660,7 +11645,6 @@ maintainer-clean: maintainer-clean-recur -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po 
@@ -105,15 +105,3 @@ index 07433e0..4ecd431 100644 -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po -diff --git a/tests/Makefile.am b/tests/Makefile.am ---- a/tests/Makefile.am 2018-11-21 16:31:27.871806950 +0100 -+++ b/tests/Makefile.am 2018-11-21 16:31:47.952191845 +0100 -@@ -167,7 +167,7 @@ - tls13-cert-key-exchange x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \ - server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ - x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ -- mini-alignment oids atfork prf psk-file priority-init2 \ -+ mini-alignment oids atfork prf priority-init2 \ - status-request status-request-ok status-request-missing sign-verify-ext \ - fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \ - key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \ diff --git a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch index f4b9a7b..34ea17b 100644 --- a/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch +++ b/gnutls-3.6.0-disable-flaky-dtls_resume-test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.3/tests/Makefile.am +Index: gnutls-3.6.5/tests/Makefile.am =================================================================== ---- gnutls-3.6.3.orig/tests/Makefile.am -+++ gnutls-3.6.3/tests/Makefile.am -@@ -406,7 +406,7 @@ if !WINDOWS +--- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546 +0100 ++++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100 +@@ -445,7 +445,7 @@ if !WINDOWS # List of tests not available/functional under windows # 
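Review bot: This hunk drops the `tests/Makefile.am` part of the patch, so after the refresh only the generated `tests/Makefile.in` is edited while `Makefile.am` still lists `psk-file` in `ctests`. If the build ever regenerates `Makefile.in` (the spec already pulls in `autogen` and `automake`), the patch becomes a no-op and the test silently comes back; if it does not, the two files now disagree and anyone re-running `automake` locally gets a different test set than the package build. Keep the `Makefile.am` hunk in the refreshed patch (`- mini-alignment oids atfork prf psk-file priority-init2 \` / `+ mini-alignment oids atfork prf priority-init2 \`), or state in the patch header that it is intentionally `Makefile.in`-only and why.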
@@ -11,20 +11,20 @@ Index: gnutls-3.6.3/tests/Makefile.am indirect_tests += dtls-stress -Index: gnutls-3.6.3/tests/Makefile.in +Index: gnutls-3.6.5/tests/Makefile.in =================================================================== ---- gnutls-3.6.3.orig/tests/Makefile.in -+++ gnutls-3.6.3/tests/Makefile.in -@@ -161,7 +161,7 @@ host_triplet = @host@ +--- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568 +0100 ++++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100 +@@ -164,7 +164,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # --@WINDOWS_FALSE@am__append_12 = dtls/dtls dtls/dtls-resume fastopen.sh \ -+@WINDOWS_FALSE@am__append_12 = dtls/dtls fastopen.sh \ +-@WINDOWS_FALSE@am__append_13 = dtls/dtls dtls/dtls-resume fastopen.sh \ ++@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ -@@ -2507,7 +2507,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM +@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ diff --git a/gnutls-3.6.4.tar.xz b/gnutls-3.6.4.tar.xz deleted file mode 100644 index 5759e19..0000000 --- a/gnutls-3.6.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c663a792fbc84349c27c36059181f2ca86c9442e75ee8b0ad72f5f9b35deab3a -size 8076364 
diff --git a/gnutls-3.6.4.tar.xz.sig b/gnutls-3.6.4.tar.xz.sig deleted file mode 100644 index 2b06d97bbc1218fe281ee7bd5254385d34d2792c8adfbbd4545250c22a2e0be0..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$ZsC%>W7s5ZD|@ zhw*2cWvGJ({111@?(8K06>$e>&5klzF?ykNVKD%ZO0b;hTp?b;TwE<-S7AN^RK*9D z_o#4SEIOY`TLRCKMPCk0u@<06D7-mg^c)*^(Q$~~!KCTTwNajSDf<_RUv8`?Y4N(5 z(6s(gjPMsV;|wQt=NDfhj?QATs_bwo#MPrrZC*^2gpVU) z3#@Ep|J}+C8M_RlV@#|%2LM0c9M5+eZ2YKC>7dFDrHKWFUyrQ`8vDg28U%u?I=#>p zws$j1+!>dhiU=$Qo6tO5gQF7ck6SaBkHt;bCm@}1Fd|nfY1o$h}JdYI$q3i I_5}}yX6KrWGynhq diff --git a/gnutls-3.6.5.tar.xz b/gnutls-3.6.5.tar.xz new file mode 100644 index 0000000..3b794e3 --- /dev/null +++ b/gnutls-3.6.5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:073eced3acef49a3883e69ffd5f0f0b5f46e2760ad86eddc6c0866df4e7abb35 +size 8192888 
diff --git a/gnutls-3.6.5.tar.xz.sig b/gnutls-3.6.5.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..61ad45f76b58551f63ec85dc06352224c0b9978f131d3d8307c9ca8ad05a2bd7 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$c(eTL20P5ZD|@ zhw*2cWp$4S`v&R8%ZJVJv1Tjq4;f)%qh%PSzhT@5s;jK&+H0#P{fVN@(AB;|DYzgD zG-RS#SyaF8{C?Ns&b!Xf2#1e;Czme~fMK@QkJK}W5;TSr226`P;RL|rdL_?V*m2WR z`pwepkoia+*Re95Qe;iF;ZzRA3AZ!_-N47_bt>%04Grp)?tyzX9)sFCGS&mJ5IHbLQD&I{wy}V I@0OOlPx)+ + +- Update to 3.6.5 + ** libgnutls: Provide the option of transparent re-handshake/reauthentication + when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). + ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) + ** libgnutls: The priority functions will ignore and not enable TLS1.3 if + requested with legacy TLS versions enabled but not TLS1.2. That is because + if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) + servers which do not support TLS1.3 will negotiate TLS1.2 which will be + rejected by the client as disabled (#621). + ** libgnutls: Change RSA decryption to use a new side-channel silent function. + This addresses a security issue where memory access patterns as well as timing + on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher + attacks. Side-channel resistant code is slower due to the need to mask + access and timings. When used in TLS the new functions cause RSA based + handshakes to be between 13% and 28% slower on average (Numbers are indicative, + the tests where performed on a relatively modern Intel CPU, results vary + depending on the CPU and architecture used). This change makes nettle 3.4.1 + the minimum requirement of gnutls (#630). [CVSS: medium] + ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword + in the priority string. It is only accepted as legacy option and is ignored. 
+ ** libgnutls: Added support for EdDSA under PKCS#11 (#417)
+ ** libgnutls: Added support for AES-CFB8 cipher (#357)
+ ** libgnutls: Added support for AES-CMAC MAC (#351)
+ ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
+ have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
+ S-BOXes). They are fixed now.
+ ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
+ keys parsing, as specified in R 50.1.112-2016.
+ ** gnutls-serv: It applies the default settings when no --priority option is given,
+ using gnutls_set_default_priority().
+ ** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
+ option (#561)
+ ** certtool: Add parameter --no-text that prevents certtool from outputting
+ text before PEM-encoded private key, public key, certificate, CRL or CSR.
+- minimum required libnettle is now 3.4.1
+- refresh
+ * disable-psk-file-test.patch
+ * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
+ ------------------------------------------------------------------- Tue Nov 27 13:46:27 UTC 2018 - jbrielmaier@suse.de
diff --git a/gnutls.spec b/gnutls.spec
index a08b44b..c582300 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name: gnutls
-Version: 3.6.4
+Version: 3.6.5
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -53,7 +53,7 @@ BuildRequires: pkgconfig(autoopts)
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
 BuildRequires: iproute2
 BuildRequires: libidn2-devel
-BuildRequires: libnettle-devel >= 3.1
+BuildRequires: libnettle-devel >= 3.4.1
 BuildRequires: libtasn1-devel >= 4.9
 BuildRequires: libtool
 BuildRequires: libunistring-devel
From e793cfa4abe0fd31aea40ac0aa624fbc0339c720c60e8b809c69d595f9281fe2 Mon Sep 17 00:00:00 2001
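Review bot: The bump to `BuildRequires: libnettle-devel >= 3.4.1` enforces the floor only at build time; nothing in this hunk gives the built library a versioned runtime dependency on nettle, and rpm's automatic soname requires cannot distinguish 3.4.1 from an older 3.4.x carrying the same soname. The changelog names nettle 3.4.1 as the prerequisite for the side-channel-silent RSA decryption this update ships, so on a host whose nettle runtime is older the new entry points would be missing at load time rather than the protection being enforced. Whether the library subpackage is pinned the same way elsewhere in the spec is not visible here; if it is not, add an explicit versioned `Requires:` on the nettle runtime library matching the build floor, or confirm that nettle's soname or symbol versioning changed between 3.4 and 3.4.1 so the automatic dependency already suffices.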
From: Marcus Meissner Date: Mon, 4 Feb 2019 15:36:51 +0000 Subject: [PATCH 2/2] Accepting request 671127 from home:vitezslav_cizek:branches:security:tls - Update to 3.6.6 ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key (#640). ** libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). ** libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field completely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients. ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set (#667). ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled. ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional (#609). 
- drop no longer needed gnutls-enbale-guile-2.2.patch - refresh disable-psk-file-test.patch OBS-URL: https://build.opensuse.org/request/show/671127 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=17 --- disable-psk-file-test.patch | 36 +++++++++++++++++----------------- gnutls-3.6.5.tar.xz | 3 --- gnutls-3.6.5.tar.xz.sig | Bin 310 -> 0 bytes gnutls-3.6.6.tar.xz | 3 +++ gnutls-3.6.6.tar.xz.sig | Bin 0 -> 310 bytes gnutls-enbale-guile-2.2.patch | 22 --------------------- gnutls.changes | 24 +++++++++++++++++++++++ gnutls.spec | 5 +---- 8 files changed, 46 insertions(+), 47 deletions(-) delete mode 100644 gnutls-3.6.5.tar.xz delete mode 100644 gnutls-3.6.5.tar.xz.sig create mode 100644 gnutls-3.6.6.tar.xz create mode 100644 gnutls-3.6.6.tar.xz.sig delete mode 100644 gnutls-enbale-guile-2.2.patch diff --git a/disable-psk-file-test.patch b/disable-psk-file-test.patch index 421d5a9..bc5ee50 100644 --- a/disable-psk-file-test.patch +++ b/disable-psk-file-test.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.6.5/tests/Makefile.in +Index: gnutls-3.6.6/tests/Makefile.in =================================================================== ---- gnutls-3.6.5.orig/tests/Makefile.in 2018-12-01 06:24:17.000000000 +0100 -+++ gnutls-3.6.5/tests/Makefile.in 2019-01-02 16:00:09.649032368 +0100 -@@ -474,7 +474,7 @@ am__EXEEXT_11 = tls13/supported_versions +--- gnutls-3.6.6.orig/tests/Makefile.in 2019-01-25 08:26:36.000000000 +0100 ++++ gnutls-3.6.6/tests/Makefile.in 2019-02-04 09:02:38.627539105 +0100 +@@ -480,7 +480,7 @@ am__EXEEXT_12 = tls13/supported_versions pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \ x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \ x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \ 
@@ -11,7 +11,7 @@ Index: gnutls-3.6.5/tests/Makefile.in priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \ status-request$(EXEEXT) status-request-ok$(EXEEXT) \ status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \ -@@ -1640,8 +1640,6 @@ privkey_verify_broken_OBJECTS = privkey- +@@ -1652,8 +1652,6 @@ privkey_verify_broken_OBJECTS = privkey- privkey_verify_broken_LDADD = $(LDADD) privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ libutils.la $(am__DEPENDENCIES_2) 
@@ -20,34 +20,34 @@ Index: gnutls-3.6.5/tests/Makefile.in psk_file_LDADD = $(LDADD) psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ $(am__DEPENDENCIES_2) -@@ -2810,7 +2808,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts +@@ -2841,7 +2839,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts ./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \ ./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \ ./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \ - ./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \ + ./$(DEPDIR)/privkey-verify-broken.Po \ ./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \ - ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/record-pad.Po \ - ./$(DEPDIR)/record-retvals.Po \ -@@ -3120,7 +3118,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $ + ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/rawpk-api.Po \ + ./$(DEPDIR)/record-pad.Po ./$(DEPDIR)/record-retvals.Po \ +@@ -3153,7 +3151,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $ post-client-hello-change-prio.c prf.c priorities.c \ priorities-groups.c priority-init2.c priority-mix.c \ priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ - pubkey-import-export.c random-art.c record-pad.c \ + pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ -@@ -3288,7 +3286,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S +@@ -3323,7 +3321,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S post-client-hello-change-prio.c prf.c priorities.c \ priorities-groups.c priority-init2.c priority-mix.c \ priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ - pubkey-import-export.c random-art.c record-pad.c \ + pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ 
record-timeouts.c recv-data-before-handshake.c \ -@@ -4872,7 +4870,7 @@ ctests = tls13/supported_versions tls13/ +@@ -4915,7 +4913,7 @@ ctests = tls13/supported_versions tls13/ gnutls_ocsp_resp_list_import2 server-sign-md5-rep \ privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ @@ -56,7 +56,7 @@ Index: gnutls-3.6.5/tests/Makefile.in post-client-hello-change-prio status-request status-request-ok \ status-request-missing sign-verify-ext fallback-scsv \ pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \ -@@ -6049,10 +6047,6 @@ privkey-verify-broken$(EXEEXT): $(privke +@@ -6099,10 +6097,6 @@ privkey-verify-broken$(EXEEXT): $(privke @rm -f privkey-verify-broken$(EXEEXT) $(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS) @@ -67,7 +67,7 @@ Index: gnutls-3.6.5/tests/Makefile.in pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) @rm -f pskself$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS) -@@ -7070,7 +7064,6 @@ distclean-compile: +@@ -7133,7 +7127,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker 
@@ -75,7 +75,7 @@ Index: gnutls-3.6.5/tests/Makefile.in @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker -@@ -9192,13 +9185,6 @@ prf.log: prf$(EXEEXT) +@@ -9258,13 +9251,6 @@ prf.log: prf$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) @@ -89,7 +89,7 @@ Index: gnutls-3.6.5/tests/Makefile.in priority-init2.log: priority-init2$(EXEEXT) @p='priority-init2$(EXEEXT)'; \ b='priority-init2'; \ -@@ -11214,7 +11200,6 @@ distclean: distclean-recursive +@@ -11316,7 +11302,6 @@ distclean: distclean-recursive -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po @@ -97,7 +97,7 @@ Index: gnutls-3.6.5/tests/Makefile.in -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po -@@ -11660,7 +11645,6 @@ maintainer-clean: maintainer-clean-recur +@@ -11766,7 +11751,6 @@ maintainer-clean: maintainer-clean-recur -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po diff --git a/gnutls-3.6.5.tar.xz b/gnutls-3.6.5.tar.xz deleted file mode 100644 index 3b794e3..0000000 --- a/gnutls-3.6.5.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:073eced3acef49a3883e69ffd5f0f0b5f46e2760ad86eddc6c0866df4e7abb35 -size 8192888 
diff --git a/gnutls-3.6.5.tar.xz.sig b/gnutls-3.6.5.tar.xz.sig deleted file mode 100644 index 61ad45f76b58551f63ec85dc06352224c0b9978f131d3d8307c9ca8ad05a2bd7..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$c(eTL20P5ZD|@ zhw*2cWp$4S`v&R8%ZJVJv1Tjq4;f)%qh%PSzhT@5s;jK&+H0#P{fVN@(AB;|DYzgD zG-RS#SyaF8{C?Ns&b!Xf2#1e;Czme~fMK@QkJK}W5;TSr226`P;RL|rdL_?V*m2WR z`pwepkoia+*Re95Qe;iF;ZzRA3AZ!_-N47_bt>%04Grp)?tyzX9)sFCGS&mJ5IHbLQD&I{wy}V I@0OOlPx)+C<+;-4aMlfujFgS!?sJfgI$$C%PfG@%Ei-C=qi2Kb`Ky|&*pCX$pi?# z4qym0pHpdsC$0M*1d^wJlpp$5L<#KWD+gQWM}=fi~HIPErDI6``|K5&k zSjnAeF>=>O8YLgM{iW0HgTZ4 + +- Update to 3.6.6 + ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits + on the public key (#640). + ** libgnutls: Added support for raw public-key authentication as defined in RFC7250. + Raw public-keys can be negotiated by enabling the corresponding certificate + types via the priority strings. The raw public-key mechanism must be explicitly + enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). + ** libgnutls: When on server or client side we are sending no extensions we do + not set an empty extensions field but we rather remove that field competely. + This solves a regression since 3.5.x and improves compatibility of the server + side with certain clients. + ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if + the CKA_SIGN is not set (#667). + ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely + disable extensions at all cases, while providing a functional session. This + also implies that when specified, TLS1.3 is disabled. + ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. + The previous definition was non-functional (#609). 
+- drop no longer needed gnutls-enbale-guile-2.2.patch
+- refresh disable-psk-file-test.patch
+ ------------------------------------------------------------------- Wed Jan 2 13:36:26 UTC 2019 - Vítězslav Čížek
diff --git a/gnutls.spec b/gnutls.spec
index c582300..22a6772 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -29,7 +29,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name: gnutls
-Version: 3.6.5
+Version: 3.6.6
 Release: 0
 Summary: The GNU Transport Layer Security Library
 License: LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -42,8 +42,6 @@ Source3: baselibs.conf
 Patch1: gnutls-3.5.11-skip-trust-store-tests.patch
 Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
 Patch3: disable-psk-file-test.patch
-# Search for guile-2.2, which is supported since 3.5.5
-Patch4: gnutls-enbale-guile-2.2.patch
 BuildRequires: autogen
 BuildRequires: automake
 BuildRequires: datefudge
@@ -163,7 +161,6 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 %setup -q
 %patch1 -p1
 %patch3 -p1
-%patch4 -p1
 # dtls-resume test fails on PPC
 %ifarch ppc64 ppc64le ppc
 %patch2 -p1