From 6cf715c8207a1b25b373c8dccd0cb424783524d6 Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Mon, 29 Oct 2018 15:07:38 +0100 Subject: [PATCH] gnutls package update Signed-off-by: basebuilder_pel7x64builder0 --- SOURCES/gnutls-3.1.11-nosrp.patch | 12 + SOURCES/gnutls-3.2.7-rpath.patch | 12 + SOURCES/gnutls-3.3.22-eapp-data.patch | 27 + SOURCES/gnutls-3.3.26-cve-2017-7869.patch | 235 ++++++ SOURCES/gnutls-3.3.26-dh-params-1024.patch | 31 + SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch | 56 ++ .../gnutls-3.3.26-fix-coverity-issues.patch | 15 + SOURCES/gnutls-3.3.26-fix-uninitialized.patch | 12 + SOURCES/gnutls-3.3.26-pin-value.patch | 662 +++++++++++++++ ...3.3.26-remove-status-req-ext-parsing.patch | 110 +++ .../gnutls-3.3.26-set-unique-id-tests.patch | 316 +++++++ SOURCES/gnutls-3.3.8-fips-key.patch | 12 + SOURCES/gnutls-3.3.8-padlock-disable.patch | 22 + SOURCES/hobble-gnutls | 15 + SOURCES/libgnutls-config | 91 ++ SPECS/gnutls.spec | 790 ++++++++++++++++++ 16 files changed, 2418 insertions(+) create mode 100644 SOURCES/gnutls-3.1.11-nosrp.patch create mode 100644 SOURCES/gnutls-3.2.7-rpath.patch create mode 100644 SOURCES/gnutls-3.3.22-eapp-data.patch create mode 100644 SOURCES/gnutls-3.3.26-cve-2017-7869.patch create mode 100644 SOURCES/gnutls-3.3.26-dh-params-1024.patch create mode 100644 SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch create mode 100644 SOURCES/gnutls-3.3.26-fix-coverity-issues.patch create mode 100644 SOURCES/gnutls-3.3.26-fix-uninitialized.patch create mode 100644 SOURCES/gnutls-3.3.26-pin-value.patch create mode 100644 SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch create mode 100644 SOURCES/gnutls-3.3.26-set-unique-id-tests.patch create mode 100644 SOURCES/gnutls-3.3.8-fips-key.patch create mode 100644 SOURCES/gnutls-3.3.8-padlock-disable.patch create mode 100755 SOURCES/hobble-gnutls create mode 100755 SOURCES/libgnutls-config create mode 100644 SPECS/gnutls.spec diff --git a/SOURCES/gnutls-3.1.11-nosrp.patch b/SOURCES/gnutls-3.1.11-nosrp.patch new file mode 100644 index 00000000..29227c08 --- /dev/null +++ b/SOURCES/gnutls-3.1.11-nosrp.patch @@ -0,0 +1,12 @@ +diff -up gnutls-3.1.10/tests/srp/mini-srp.c.noecc gnutls-3.1.10/tests/srp/mini-srp.c +--- gnutls-3.1.10/tests/srp/mini-srp.c.noecc 2013-03-21 21:42:28.000000000 +0100 ++++ gnutls-3.1.10/tests/srp/mini-srp.c 2013-03-25 13:42:20.753422209 +0100 +@@ -27,7 +27,7 @@ + #include + #include + +-#if defined(_WIN32) ++#if defined(_WIN32) || !defined(ENABLE_SRP) + + int main() + { diff --git a/SOURCES/gnutls-3.2.7-rpath.patch b/SOURCES/gnutls-3.2.7-rpath.patch new file mode 100644 index 00000000..4e6aed37 --- /dev/null +++ b/SOURCES/gnutls-3.2.7-rpath.patch @@ -0,0 +1,12 @@ +diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure +--- gnutls-3.2.7.orig/configure 2013-11-23 11:09:49.000000000 +0100 ++++ gnutls-3.2.7/configure 2013-11-25 16:53:05.559440656 +0100 +@@ -39652,7 +39652,7 @@ + shlibpath_overrides_runpath=unknown + version_type=none + dynamic_linker="$host_os ld.so" +-sys_lib_dlsearch_path_spec="/lib /usr/lib" ++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" + need_lib_prefix=unknown + hardcode_into_libs=no + diff --git a/SOURCES/gnutls-3.3.22-eapp-data.patch b/SOURCES/gnutls-3.3.22-eapp-data.patch new file mode 100644 index 00000000..74bb4868 --- /dev/null +++ b/SOURCES/gnutls-3.3.22-eapp-data.patch @@ -0,0 +1,27 @@ +diff --git b/lib/gnutls_handshake.c a/lib/gnutls_handshake.c +index 5930941..e904f2e 100644 +--- b/lib/gnutls_handshake.c ++++ a/lib/gnutls_handshake.c +@@ -2510,7 +2510,8 @@ static int _gnutls_recv_supplemental(gnutls_session_t session) + * are non fatal errors, only in the specific case of a rehandshake. + * Their meaning is that the client rejected the rehandshake request or + * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it could also mean that +- * some data were pending. ++ * some data were pending. A client may receive that error code if ++ * it initiates the handshake and the server doesn't agreed. + * + * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. + **/ +diff --git b/lib/gnutls_record.c a/lib/gnutls_record.c +index 157d12a..40c20fe 100644 +--- b/lib/gnutls_record.c ++++ a/lib/gnutls_record.c +@@ -837,7 +837,7 @@ record_add_to_buffers(gnutls_session_t session, + * reasons). Otherwise it is an unexpected packet + */ + if (type == GNUTLS_ALERT +- || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO ++ || ((htype == GNUTLS_HANDSHAKE_SERVER_HELLO || htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) + && type == GNUTLS_HANDSHAKE)) { + /* even if data is unexpected put it into the buffer */ + _gnutls_record_buffer_put(session, recv->type, diff --git a/SOURCES/gnutls-3.3.26-cve-2017-7869.patch b/SOURCES/gnutls-3.3.26-cve-2017-7869.patch new file mode 100644 index 00000000..d2ddc38b --- /dev/null +++ b/SOURCES/gnutls-3.3.26-cve-2017-7869.patch @@ -0,0 +1,235 @@ +diff --git a/lib/opencdk/kbnode.c b/lib/opencdk/kbnode.c +index c28cb34..f865b16 100644 +--- a/lib/opencdk/kbnode.c ++++ b/lib/opencdk/kbnode.c +@@ -369,12 +369,14 @@ cdk_packet_t cdk_kbnode_get_packet(cdk_kbnode_t node) + * @armor: whether base64 or not + * @buf: the buffer which stores the key sequence + * @buflen: the length of the buffer ++ * @public: non-zero if reading a public key + * + * Tries to read a key node from the memory buffer @buf. + **/ + cdk_error_t + cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, +- int armor, const byte * buf, size_t buflen) ++ int armor, const byte * buf, size_t buflen, ++ unsigned public) + { + cdk_stream_t inp; + cdk_error_t rc; +@@ -393,7 +395,7 @@ cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, + if (armor) + cdk_stream_set_armor_flag(inp, 0); + +- rc = cdk_keydb_get_keyblock(inp, ret_node); ++ rc = cdk_keydb_get_keyblock(inp, ret_node, public); + if (rc) + gnutls_assert(); + cdk_stream_close(inp); +diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c +index 64eebf0..9112d9a 100644 +--- a/lib/opencdk/keydb.c ++++ b/lib/opencdk/keydb.c +@@ -108,7 +108,7 @@ static cdk_error_t keydb_idx_build(const char *file) + while (!cdk_stream_eof(inp)) { + off_t pos = cdk_stream_tell(inp); + +- rc = cdk_pkt_read(inp, pkt); ++ rc = cdk_pkt_read(inp, pkt, 1); + if (rc) { + _cdk_log_debug + ("index build failed packet off=%lu\n", +@@ -816,7 +816,7 @@ cdk_keydb_search(cdk_keydb_search_t st, cdk_keydb_hd_t hd, + + pos = cdk_stream_tell(kr); + +- rc = cdk_keydb_get_keyblock(kr, &knode); ++ rc = cdk_keydb_get_keyblock(kr, &knode, 1); + + if (rc) { + if (rc == CDK_EOF) +@@ -1679,7 +1679,7 @@ add_key_usage(cdk_kbnode_t knode, u32 keyid[2], unsigned int usage) + } + + cdk_error_t +-cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) ++cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode, unsigned public) + { + cdk_packet_t pkt; + cdk_kbnode_t knode, node; +@@ -1706,7 +1706,7 @@ cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode) + while (!cdk_stream_eof(inp)) { + cdk_pkt_new(&pkt); + old_off = cdk_stream_tell(inp); +- rc = cdk_pkt_read(inp, pkt); ++ rc = cdk_pkt_read(inp, pkt, public); + if (rc) { + cdk_pkt_release(pkt); + if (rc == CDK_EOF) +@@ -2126,7 +2126,7 @@ cdk_error_t cdk_keydb_check_sk(cdk_keydb_hd_t hd, u32 * keyid) + return rc; + } + cdk_pkt_new(&pkt); +- while (!cdk_pkt_read(db, pkt)) { ++ while (!cdk_pkt_read(db, pkt, 0)) { + if (pkt->pkttype != CDK_PKT_SECRET_KEY && + pkt->pkttype != CDK_PKT_SECRET_SUBKEY) { + cdk_pkt_free(pkt); +@@ -2241,14 +2241,14 @@ cdk_error_t cdk_listkey_next(cdk_listkey_t ctx, cdk_kbnode_t * ret_key) + } + + if (ctx->type && ctx->u.patt[0] == '*') +- return cdk_keydb_get_keyblock(ctx->inp, ret_key); ++ return cdk_keydb_get_keyblock(ctx->inp, ret_key, 1); + else if (ctx->type) { + cdk_kbnode_t node; + struct cdk_keydb_search_s ks; + cdk_error_t rc; + + for (;;) { +- rc = cdk_keydb_get_keyblock(ctx->inp, &node); ++ rc = cdk_keydb_get_keyblock(ctx->inp, &node, 1); + if (rc) { + gnutls_assert(); + return rc; +diff --git a/lib/opencdk/literal.c b/lib/opencdk/literal.c +index 7b4baec..6996774 100644 +--- a/lib/opencdk/literal.c ++++ b/lib/opencdk/literal.c +@@ -67,7 +67,7 @@ static cdk_error_t literal_decode(void *data, FILE * in, FILE * out) + return rc; + + cdk_pkt_new(&pkt); +- rc = cdk_pkt_read(si, pkt); ++ rc = cdk_pkt_read(si, pkt, 1); + if (rc || pkt->pkttype != CDK_PKT_LITERAL) { + cdk_pkt_release(pkt); + cdk_stream_close(si); +diff --git a/lib/opencdk/opencdk.h b/lib/opencdk/opencdk.h +index c06b749..d95cc32 100644 +--- a/lib/opencdk/opencdk.h ++++ b/lib/opencdk/opencdk.h +@@ -553,7 +553,7 @@ extern "C" { + void cdk_pkt_release(cdk_packet_t pkt); + + /* Read or write the given output from or to the stream. */ +- cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt); ++ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public); + cdk_error_t cdk_pkt_write(cdk_stream_t out, cdk_packet_t pkt); + + /* Sub packet routines */ +@@ -814,7 +814,8 @@ extern "C" { + /* Try to read the next key block from the given input stream. + The key will be returned in @RET_KEY on success. */ + cdk_error_t cdk_keydb_get_keyblock(cdk_stream_t inp, +- cdk_kbnode_t * ret_key); ++ cdk_kbnode_t * ret_key, ++ unsigned public); + + /* Rebuild the key db index if possible. */ + cdk_error_t cdk_keydb_idx_rebuild(cdk_keydb_hd_t db, +@@ -848,7 +849,7 @@ extern "C" { + cdk_error_t cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node, + int armor, + const unsigned char *buf, +- size_t buflen); ++ size_t buflen, unsigned public); + cdk_error_t cdk_kbnode_write_to_mem(cdk_kbnode_t node, + unsigned char *buf, + size_t * r_nbytes); +diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c +index 7a474ff..72624d0 100644 +--- a/lib/opencdk/read-packet.c ++++ b/lib/opencdk/read-packet.c +@@ -571,6 +571,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id) + } + + ++#define MAX_PACKET_LEN (1<<24) ++ ++ + static cdk_error_t + read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + { +@@ -610,6 +613,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) + else + return CDK_Inv_Packet; + ++ if (size >= MAX_PACKET_LEN) { ++ return CDK_Inv_Packet; ++ } ++ + node = cdk_subpkt_new(size); + if (!node) + return CDK_Out_Of_Core; +@@ -958,7 +965,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) + * + * Parse the next packet on the @inp stream and return its contents in @pkt. + **/ +-cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) ++cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public) + { + int ctb, is_newctb; + int pkttype; +@@ -1058,6 +1065,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) + break; + + case CDK_PKT_SECRET_KEY: ++ if (public) { ++ /* read secret key when expecting public */ ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } + pkt->pkt.secret_key = + cdk_calloc(1, sizeof *pkt->pkt.secret_key); + if (!pkt->pkt.secret_key) +@@ -1073,6 +1084,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) + break; + + case CDK_PKT_SECRET_SUBKEY: ++ if (public) { ++ /* read secret key when expecting public */ ++ return gnutls_assert_val(CDK_Inv_Packet); ++ } + pkt->pkt.secret_key = + cdk_calloc(1, sizeof *pkt->pkt.secret_key); + if (!pkt->pkt.secret_key) +diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c +index 7c05e1f..192737f 100644 +--- a/lib/openpgp/gnutls_openpgp.c ++++ b/lib/openpgp/gnutls_openpgp.c +@@ -479,7 +479,7 @@ int gnutls_openpgp_count_key_names(const gnutls_datum_t * cert) + return 0; + } + +- if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size)) { ++ if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size, 1)) { + gnutls_assert(); + return 0; + } +diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c +index d5ef272..77e57ab 100644 +--- a/lib/openpgp/pgp.c ++++ b/lib/openpgp/pgp.c +@@ -99,7 +99,7 @@ gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key, + armor = 1; + + rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data, +- data->size); ++ data->size, 1); + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); +diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c +index 6aa6fb5..81ec3ab 100644 +--- a/lib/openpgp/privkey.c ++++ b/lib/openpgp/privkey.c +@@ -186,7 +186,7 @@ gnutls_openpgp_privkey_import(gnutls_openpgp_privkey_t key, + armor = 1; + + rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data, +- data->size); ++ data->size, 0); + if (rc != 0) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); diff --git a/SOURCES/gnutls-3.3.26-dh-params-1024.patch b/SOURCES/gnutls-3.3.26-dh-params-1024.patch new file mode 100644 index 00000000..ce91678b --- /dev/null +++ b/SOURCES/gnutls-3.3.26-dh-params-1024.patch @@ -0,0 +1,31 @@ +diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c +index c5998ab..ffefce1 100644 +--- a/lib/gnutls_priority.c ++++ b/lib/gnutls_priority.c +@@ -684,7 +684,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); /* set certificate level */ +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); /* set DH params level */ ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); /* set DH params level */ + return 1; + } else if (strcasecmp(level, LEVEL_NORMAL) == 0) { + func(&priority_cache->cipher, cipher_priority_normal); +@@ -694,7 +694,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); + return 1; + } else if (strcasecmp(level, LEVEL_PFS) == 0) { + func(&priority_cache->cipher, cipher_priority_normal); +@@ -704,7 +704,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache, + func(&priority_cache->supported_ecc, supported_ecc_normal); + + SET_PROFILE(GNUTLS_PROFILE_LOW); +- SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); ++ SET_LEVEL(GNUTLS_SEC_PARAM_LOW); + return 1; + } else if (strcasecmp(level, LEVEL_SECURE256) == 0 + || strcasecmp(level, LEVEL_SECURE192) == 0) { diff --git a/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch b/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch new file mode 100644 index 00000000..4093066f --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch @@ -0,0 +1,56 @@ +diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c +index 624aa36..b064b45 100644 +--- a/lib/nettle/int/rsa-keygen-fips186.c ++++ b/lib/nettle/int/rsa-keygen-fips186.c +@@ -27,7 +27,6 @@ + #include "config.h" + #endif + +-#include + #include + #include + #include +@@ -337,10 +336,16 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + + mpz_mul(pub->n, key->p, key->q); + +- assert(mpz_sizeinbase(pub->n, 2) == n_size); ++ if (mpz_sizeinbase(pub->n, 2) != n_size) { ++ ret = 0; ++ goto cleanup; ++ } + + /* c = q^{-1} (mod p) */ +- assert(mpz_invert(key->c, key->q, key->p) != 0); ++ if (mpz_invert(key->c, key->q, key->p) == 0) { ++ ret = 0; ++ goto cleanup; ++ } + + mpz_sub_ui(p1, key->p, 1); + mpz_sub_ui(q1, key->q, 1); +@@ -352,6 +357,12 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + goto cleanup; + } + ++ /* check whether d > 2^(nlen/2) -- FIPS186-4 5.3.1 */ ++ if (mpz_sizeinbase(key->d, 2) < n_size/2) { ++ ret = 0; ++ goto cleanup; ++ } ++ + /* Done! Almost, we must compute the auxillary private values. */ + /* a = d % (p-1) */ + mpz_fdiv_r(key->a, key->d, p1); +@@ -362,7 +373,10 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub, + /* c was computed earlier */ + + pub->size = key->size = (n_size + 7) / 8; +- assert(pub->size >= RSA_MINIMUM_N_OCTETS); ++ if (pub->size < RSA_MINIMUM_N_OCTETS) { ++ ret = 0; ++ goto cleanup; ++ } + + ret = 1; + cleanup: diff --git a/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch b/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch new file mode 100644 index 00000000..fa27c05a --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fix-coverity-issues.patch @@ -0,0 +1,15 @@ +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 56c0163..368598b 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -2021,7 +2021,9 @@ static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk, + break; + } + +- _rsa_params_to_pubkey(issuer_params, &pub); ++ ret = _rsa_params_to_pubkey(issuer_params, &pub); ++ if (ret < 0) ++ return gnutls_assert_val(ret); + + digest_size = sizeof(digest); + diff --git a/SOURCES/gnutls-3.3.26-fix-uninitialized.patch b/SOURCES/gnutls-3.3.26-fix-uninitialized.patch new file mode 100644 index 00000000..1242a1d2 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-fix-uninitialized.patch @@ -0,0 +1,12 @@ +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index d99dedf..f5cf99d 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -3019,6 +3019,7 @@ gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list, + if (ret < 0) { + gnutls_assert(); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ++ *p_list = NULL; + *n_list = 0; + ret = 0; + } diff --git a/SOURCES/gnutls-3.3.26-pin-value.patch b/SOURCES/gnutls-3.3.26-pin-value.patch new file mode 100644 index 00000000..794ba487 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-pin-value.patch @@ -0,0 +1,662 @@ +diff --git a/configure.ac b/configure.ac +index 0840042..c9c9fdc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -447,6 +447,9 @@ if test "$with_p11_kit" != "no"; then + if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then + with_buggy_p11_kit=yes + fi ++ if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then ++ AC_DEFINE([P11_KIT_HAS_PIN_VALUE], 1, [p11-kit supports p11_kit_uri_get_pin_value()]) ++ fi + else + with_p11_kit=no + AC_MSG_WARN([[ +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index f5cf99d..26d88e5 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -2367,6 +2367,25 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + + *pin = NULL; + ++#ifdef P11_KIT_HAS_PIN_VALUE ++ /* First check for pin-value field */ ++ pinfile = p11_kit_uri_get_pin_value(info); ++ if (pinfile != NULL) { ++ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n"); ++ *pin = p11_kit_pin_new_for_string(pinfile); ++ if (*pin != NULL) ++ ret = 0; ++ } else { /* try pin-source */ ++ /* Check if a pinfile is specified, and use that if possible */ ++ pinfile = p11_kit_uri_get_pin_source(info); ++ if (pinfile != NULL) { ++ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n"); ++ ret = ++ retrieve_pin_from_source(pinfile, token_info, attempts, ++ user_type, pin); ++ } ++ } ++#else + /* Check if a pinfile is specified, and use that if possible */ + pinfile = p11_kit_uri_get_pinfile(info); + if (pinfile != NULL) { +@@ -2375,6 +2394,7 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, + retrieve_pin_from_source(pinfile, token_info, attempts, + user_type, pin); + } ++#endif + + /* The global gnutls pin callback */ + if (ret < 0) +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 5b60899..20ed79c 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -36,7 +36,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \ + certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \ + certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ + certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \ +- cert-common.h pkcs11/softhsm.h ++ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c + + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = \ +@@ -113,7 +113,8 @@ pkcs11_import_url_privkey_LDADD = $(LDADD) $(LIBDL) + + ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts \ + pkcs11/pkcs11-chainverify pkcs11/pkcs11-get-issuer pkcs11/pkcs11-is-known \ +- pkcs11/pkcs11-combo pkcs11-import-url-privkey ++ pkcs11/pkcs11-combo pkcs11-import-url-privkey pkcs11/pkcs11-pubkey-import-rsa \ ++ pkcs11/pkcs11-import-with-pin + + endif + endif +diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c +new file mode 100644 +index 0000000..e435919 +--- /dev/null ++++ b/tests/pkcs11/pkcs11-import-with-pin.c +@@ -0,0 +1,198 @@ ++/* ++ * Copyright (C) 2017 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "../utils.h" ++#include "softhsm.h" ++ ++/* Tests whether a protected object is imported with PIN obtained using ++ * pin-value or pin-source. */ ++ ++#define CONFIG_NAME "softhsm-import-with-pin" ++#define CONFIG CONFIG_NAME".config" ++ ++#include "../cert-common.h" ++ ++#define PIN "1234" ++ ++static const gnutls_datum_t testdata = {(void*)"test test", 9}; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static ++int pin_func(void* userdata, int attempt, const char* url, const char *label, ++ unsigned flags, char *pin, size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, PIN); ++ return 0; ++ } ++ return -1; ++} ++ ++static void write_pin(const char *file, const char *pin) ++{ ++ FILE *fp = fopen(file, "w"); ++ assert(fp != NULL); ++ fputs(pin, fp); ++ fclose(fp); ++} ++ ++void doit() ++{ ++ char buf[512]; ++ int ret, pk; ++ const char *lib, *bin; ++ gnutls_x509_privkey_t key; ++ gnutls_datum_t tmp, sig; ++ gnutls_privkey_t pkey; ++ char file[TMPNAME_SIZE]; ++ ++#ifndef P11_KIT_HAS_PIN_VALUE ++ exit(77); ++#endif ++ ++ bin = softhsm_bin(); ++ ++ lib = softhsm_lib(); ++ ++ ret = global_init(); ++ if (ret != 0) { ++ fail("%d: %s\n", ret, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); ++ system(buf); ++ ++ ret = gnutls_pkcs11_add_provider(lib, "trusted"); ++ if (ret < 0) { ++ fprintf(stderr, "add_provider: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_x509_privkey_init(&key); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_privkey_import(key, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_x509_privkey_deinit(key); ++ gnutls_pkcs11_set_pin_function(NULL, NULL); ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ ++ /* Test 1 ++ * Try importing with pin-value */ ++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* check whether privkey is operational by signing */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ gnutls_free(sig.data); ++ gnutls_privkey_deinit(pkey); ++ ++ /* Test 2 ++ * Try importing with pin-source */ ++ track_temp_files(); ++ get_tmpname(file); ++ ++ write_pin(file, PIN); ++ ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); ++ ret = gnutls_privkey_import_pkcs11_url(pkey, buf); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* check whether privkey is operational by signing */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ gnutls_free(sig.data); ++ gnutls_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++ delete_temp_files(); ++ ++ remove(CONFIG); ++} ++ +diff --git a/tests/pkcs11/pkcs11-pubkey-import-rsa.c b/tests/pkcs11/pkcs11-pubkey-import-rsa.c +new file mode 100644 +index 0000000..d304c4f +--- /dev/null ++++ b/tests/pkcs11/pkcs11-pubkey-import-rsa.c +@@ -0,0 +1,41 @@ ++/* ++ * Copyright (C) 2015 Nikos Mavrogiannopoulos ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#define CONFIG_NAME "softhsm-pubkey-import-rsa" ++#define CONFIG CONFIG_NAME".config" ++ ++#include "pkcs11-pubkey-import.c" ++ ++void doit(void) ++{ ++ success("Testing RSA key\n"); ++ try(1); ++} +diff --git a/tests/pkcs11/pkcs11-pubkey-import.c b/tests/pkcs11/pkcs11-pubkey-import.c +new file mode 100644 +index 0000000..7513aad +--- /dev/null ++++ b/tests/pkcs11/pkcs11-pubkey-import.c +@@ -0,0 +1,220 @@ ++/* ++ * Copyright (C) 2015 Nikos Mavrogiannopoulos ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "../utils.h" ++#include "softhsm.h" ++ ++/* Tests whether gnutls_pubkey_import_privkey works well for ++ * RSA keys under PKCS #11 */ ++ ++ ++#include "../cert-common.h" ++ ++#define PIN "1234" ++ ++static const gnutls_datum_t testdata = {(void*)"test test", 9}; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static ++int pin_func(void* userdata, int attempt, const char* url, const char *label, ++ unsigned flags, char *pin, size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, PIN); ++ return 0; ++ } ++ return -1; ++} ++ ++static void try(int rsa) ++{ ++ char buf[128]; ++ int ret, pk; ++ const char *lib, *bin; ++ gnutls_x509_crt_t crt; ++ gnutls_x509_privkey_t key; ++ gnutls_datum_t tmp, sig; ++ gnutls_privkey_t pkey; ++ gnutls_pubkey_t pubkey; ++ gnutls_pubkey_t pubkey2; ++ ++#ifndef P11_KIT_HAS_PIN_VALUE ++ exit(77); ++#endif ++ ++ bin = softhsm_bin(); ++ ++ lib = softhsm_lib(); ++ ++ ret = global_init(); ++ if (ret != 0) { ++ fail("%d: %s\n", ret, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); ++ system(buf); ++ ++ ret = gnutls_pkcs11_add_provider(lib, "trusted"); ++ if (ret < 0) { ++ fprintf(stderr, "gnutls_x509_crt_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_x509_crt_init(&crt); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_crt_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_crt_import(crt, rsa?&server_cert:&server_ecc_cert, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_crt_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ if (debug) { ++ gnutls_x509_crt_print(crt, ++ GNUTLS_CRT_PRINT_ONELINE, ++ &tmp); ++ ++ printf("\tCertificate: %.*s\n", ++ tmp.size, tmp.data); ++ gnutls_free(tmp.data); ++ } ++ ++ ret = gnutls_x509_privkey_init(&key); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_init: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = ++ gnutls_x509_privkey_import(key, rsa?&server_key:&server_ecc_key, ++ GNUTLS_X509_FMT_PEM); ++ if (ret < 0) { ++ fprintf(stderr, ++ "gnutls_x509_privkey_import: %s\n", ++ gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT, ++ GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ gnutls_x509_crt_deinit(crt); ++ gnutls_x509_privkey_deinit(key); ++ gnutls_pkcs11_set_pin_function(NULL, NULL); ++ ++ assert(gnutls_privkey_init(&pkey) == 0); ++ ++ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN); ++ if (ret < 0) { ++ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret)); ++ exit(1); ++ } ++ ++ assert(gnutls_pubkey_init(&pubkey) == 0); ++ assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); ++ ++ pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL); ++ ++ /* check whether privkey and pubkey are operational ++ * by signing and verifying */ ++ assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0); ++ ++ /* verify against the raw pubkey */ ++ assert(gnutls_pubkey_init(&pubkey2) == 0); ++ assert(gnutls_pubkey_import_x509_raw(pubkey2, rsa?&server_cert:&server_ecc_cert, GNUTLS_X509_FMT_PEM, 0) == 0); ++ assert(gnutls_pubkey_verify_data2(pubkey2, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); ++ ++ /* verify against the pubkey in PKCS #11 */ ++ assert(gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0); ++ ++ gnutls_free(sig.data); ++ ++ gnutls_pubkey_deinit(pubkey2); ++ gnutls_pubkey_deinit(pubkey); ++ gnutls_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++ ++ remove(CONFIG); ++} ++ +diff --git a/tests/utils.c b/tests/utils.c +index 65ceafd..37345a6 100644 +--- a/tests/utils.c ++++ b/tests/utils.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #ifndef _WIN32 + # include + # include +@@ -39,6 +40,8 @@ + # include + #endif + #endif ++#include ++#include + + #include "utils.h" + +@@ -183,3 +186,74 @@ int main(int argc, char *argv[]) + + return error_count ? 1 : 0; + } ++ ++struct tmp_file_st { ++ char file[TMPNAME_SIZE]; ++ struct tmp_file_st *next; ++}; ++ ++static struct tmp_file_st *temp_files = (void*)-1; ++ ++static void append(const char *file) ++{ ++ struct tmp_file_st *p; ++ ++ if (temp_files == (void*)-1) ++ return; ++ ++ p = calloc(1, sizeof(*p)); ++ ++ assert(p != NULL); ++ strcpy(p->file, file); ++ p->next = temp_files; ++ temp_files = p; ++} ++ ++char *get_tmpname(char s[TMPNAME_SIZE]) ++{ ++ unsigned char rnd[6]; ++ static char _s[TMPNAME_SIZE]; ++ int ret; ++ char *p; ++ const char *path; ++ ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd)); ++ if (ret < 0) ++ return NULL; ++ ++ path = getenv("builddir"); ++ if (path == NULL) ++ path = "."; ++ ++ if (s == NULL) ++ p = _s; ++ else ++ p = s; ++ ++ snprintf(p, TMPNAME_SIZE, "%s/tmpfile-%02x%02x%02x%02x%02x%02x.tmp", path, (unsigned)rnd[0], (unsigned)rnd[1], ++ (unsigned)rnd[2], (unsigned)rnd[3], (unsigned)rnd[4], (unsigned)rnd[5]); ++ ++ append(p); ++ ++ return p; ++} ++ ++void track_temp_files(void) ++{ ++ temp_files = NULL; ++} ++ ++void delete_temp_files(void) ++{ ++ struct tmp_file_st *p = temp_files; ++ struct tmp_file_st *next; ++ ++ if (p == (void*)-1) ++ return; ++ ++ while(p != NULL) { ++ next = p->next; ++ free(p); ++ p = next; ++ } ++} +diff --git a/tests/utils.h b/tests/utils.h +index 8f3ac3f..5c0afe7 100644 +--- a/tests/utils.h ++++ b/tests/utils.h +@@ -61,4 +61,9 @@ extern void binprint(const void *str, size_t len); + extern void doit(void); + void sec_sleep(int sec); + ++#define TMPNAME_SIZE 128 ++char *get_tmpname(char s[TMPNAME_SIZE]); ++void track_temp_files(void); ++void delete_temp_files(void); ++ + #endif /* UTILS_H */ diff --git a/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch b/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch new file mode 100644 index 00000000..8c00d639 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch @@ -0,0 +1,110 @@ +diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c +index 8cefc61..c7c065e 100644 +--- a/lib/ext/status_request.c ++++ b/lib/ext/status_request.c +@@ -1,5 +1,6 @@ + /* +- * Copyright (C) 2012 Free Software Foundation, Inc. ++ * Copyright (C) 2012-2017 Free Software Foundation, Inc. ++ * Copyright (C) 2017 Red Hat, Inc. + * + * Author: Simon Josefsson, Nikos Mavrogiannopoulos + * +@@ -66,18 +67,6 @@ typedef struct { + opaque Extensions<0..2^16-1>; + */ + +-static void deinit_responder_id(status_request_ext_st *priv) +-{ +-unsigned i; +- +- for (i = 0; i < priv->responder_id_size; i++) +- gnutls_free(priv->responder_id[i].data); +- +- gnutls_free(priv->responder_id); +- priv->responder_id = NULL; +- priv->responder_id_size = 0; +-} +- + + static int + client_send(gnutls_session_t session, +@@ -132,8 +121,8 @@ server_recv(gnutls_session_t session, + status_request_ext_st * priv, + const uint8_t * data, size_t size) + { +- size_t i; + ssize_t data_size = size; ++ unsigned rid_bytes = 0; + + /* minimum message is type (1) + responder_id_list (2) + + request_extension (2) = 5 */ +@@ -152,43 +141,17 @@ server_recv(gnutls_session_t session, + DECR_LEN(data_size, 1); + data++; + +- priv->responder_id_size = _gnutls_read_uint16(data); ++ rid_bytes = _gnutls_read_uint16(data); + + DECR_LEN(data_size, 2); +- data += 2; ++ /*data += 2;*/ + +- if (data_size <= (ssize_t) (priv->responder_id_size * 2)) ++ /* sanity check only, we don't use any of the data below */ ++ ++ if (data_size < (ssize_t)rid_bytes) + return + gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + +- if (priv->responder_id != NULL) +- deinit_responder_id(priv); +- +- priv->responder_id = gnutls_calloc(1, priv->responder_id_size +- * sizeof(*priv->responder_id)); +- if (priv->responder_id == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- for (i = 0; i < priv->responder_id_size; i++) { +- size_t l; +- +- DECR_LEN(data_size, 2); +- +- l = _gnutls_read_uint16(data); +- data += 2; +- +- DECR_LEN(data_size, l); +- +- priv->responder_id[i].data = gnutls_malloc(l); +- if (priv->responder_id[i].data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- memcpy(priv->responder_id[i].data, data, l); +- priv->responder_id[i].size = l; +- +- data += l; +- } +- + return 0; + } + +@@ -472,11 +435,18 @@ gnutls_certificate_set_ocsp_status_request_file + static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv) + { + status_request_ext_st *priv = epriv.ptr; ++ unsigned i; + + if (priv == NULL) + return; + +- deinit_responder_id(priv); ++ if (priv->responder_id != NULL) { ++ for (i = 0; i < priv->responder_id_size; i++) ++ gnutls_free(priv->responder_id[i].data); ++ ++ gnutls_free(priv->responder_id); ++ } ++ + gnutls_free(priv->request_extensions.data); + gnutls_free(priv->response.data); + gnutls_free(priv); diff --git a/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch b/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch new file mode 100644 index 00000000..6d3d65f6 --- /dev/null +++ b/SOURCES/gnutls-3.3.26-set-unique-id-tests.patch @@ -0,0 +1,316 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 20ed79c..0d72707 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -88,7 +88,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ + long-session-id mini-x509-callbacks-intr \ + crlverify init_fds mini-rehandshake-2 sign-md5-rep global-init-override \ + version-checks mini-server-name naked-alerts multi-alerts \ +- pkcs8-key-decode-encrypted pkcs8-key-decode ++ pkcs8-key-decode-encrypted pkcs8-key-decode crt_apis + + if ENABLE_PKCS11 + if !HAVE_BUGGY_P11_KIT +diff --git a/tests/crt_apis.c b/tests/crt_apis.c +new file mode 100644 +index 0000000..ad183d7 +--- /dev/null ++++ b/tests/crt_apis.c +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (C) 2008-2016 Free Software Foundation, Inc. ++ * Copyright (C) 2016 Red Hat, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils.h" ++ ++#include "cert-common.h" ++ ++static unsigned char saved_crt_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICMTCCAZqgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n" ++ "a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n" ++ "Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n" ++ "ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n" ++ "17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n" ++ "fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n" ++ "jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo1Mw\n" ++ "UTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwDgYDVR0RBAcwBYIDYXBh\n" ++ "MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF\n" ++ "AAOBgQAFhjKULYgLWW9TmfqIdyKf+kr5zFaQnIlF0tuUcE9lq4am9NKUVuxn4yo2\n" ++ "AFePiZWksrLN8PvujOK+duJ5nljF3xXwF0Z/J83NzNa1buMafuBonTJTFQQQkoGK\n" ++ "6sN+hxb6qWBjZcyQflMeG5eMJC2b57Lao4IDLSHx+mo91fvKuw==\n" ++ "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 }; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "|<%d>| %s", level, str); ++} ++ ++static time_t mytime(time_t * t) ++{ ++ time_t then = 1207000800; ++ ++ if (t) ++ *t = then; ++ ++ return then; ++} ++ ++void doit(void) ++{ ++ gnutls_x509_privkey_t pkey; ++ gnutls_x509_crt_t crt; ++ gnutls_x509_crt_t crt2; ++ const char *err = NULL; ++ unsigned char buf[64]; ++ gnutls_datum_t out; ++ size_t s = 0; ++ int ret; ++ ++ ret = global_init(); ++ if (ret < 0) ++ fail("global_init\n"); ++ ++ gnutls_global_set_time_function(mytime); ++ gnutls_global_set_log_function(tls_log_func); ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ ret = gnutls_x509_crt_init(&crt); ++ if (ret != 0) ++ fail("gnutls_x509_crt_init\n"); ++ ++ ret = gnutls_x509_crt_init(&crt2); ++ if (ret != 0) ++ fail("gnutls_x509_crt_init\n"); ++ ++ ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); ++ if (ret != 0) ++ fail("gnutls_x509_crt_import\n"); ++ ++ ret = gnutls_x509_privkey_init(&pkey); ++ if (ret != 0) ++ fail("gnutls_x509_privkey_init\n"); ++ ++ ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); ++ if (ret != 0) ++ fail("gnutls_x509_privkey_import\n"); ++ ++ /* Setup CRT */ ++ ++ ret = gnutls_x509_crt_set_version(crt, 3); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_version\n"); ++ ++ ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_serial\n"); ++ ++ ret = gnutls_x509_crt_set_expiration_time(crt, -1); ++ if (ret != 0) ++ fail("error\n"); ++ ++ ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); ++ if (ret != 0) ++ fail("error\n"); ++ ++ ret = gnutls_x509_crt_set_key(crt, pkey); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key\n"); ++ ++ ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); ++ if (ret < 0) { ++ fail("error\n"); ++ } ++ ++ ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_usage %d\n", ret); ++ ++ ret = gnutls_x509_crt_set_dn(crt, "cn = nikos,o = none to\\, mention", &err); ++ if (ret < 0) { ++ fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); ++ } ++ ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, ++ "foo", 3, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, ++ "foo@bar.org", strlen("foo@bar.org"), 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, ++ "\xc1\x5c\x96\x3", 4, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, ++ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, ++ "apa", 3, 0); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_subject_alt_name\n"); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = ++ gnutls_x509_crt_set_key_purpose_oid(crt, ++ GNUTLS_KP_TLS_WWW_SERVER, ++ 0); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) ++ fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); ++ ++ s = 0; ++ ret = ++ gnutls_x509_crt_set_key_purpose_oid(crt, ++ GNUTLS_KP_TLS_WWW_CLIENT, ++ 1); ++ if (ret != 0) ++ fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); ++ ++ /* in the end this will be ignored as the issuer will be set ++ * by gnutls_x509_crt_sign2() */ ++ ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err); ++ if (ret < 0) { ++ fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); ++ } ++ ++#define ISSUER_UNIQUE_ID "\x00\x01\x02\x03" ++#define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01" ++ ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ /* Sign and finalize the certificate */ ++ ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); ++ if (ret < 0) ++ fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ++ ++ ++ ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); ++ if (ret != 0) ++ fail("gnutls_x509_crt_print\n"); ++ if (debug) ++ printf("crt: %.*s\n", out.size, out.data); ++ gnutls_free(out.data); ++ ++ /* Verify whether selected input is present */ ++ s = 0; ++ ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); ++ if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) ++ fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); ++ ++ s = 0; ++ ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); ++ if (ret != 0) ++ fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ++ ++ ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); ++ if (ret < 0 || out.size == 0) ++ fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); ++ ++ if (out.size != 45 || ++ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { ++ hexprint(out.data, out.size); ++ fail("issuer DN comparison failed\n"); ++ } ++ gnutls_free(out.data); ++ ++ s = sizeof(buf); ++ ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ if (s != sizeof(ISSUER_UNIQUE_ID)-1 || ++ memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) { ++ fail("issuer unique id comparison failed\n"); ++ } ++ ++ s = sizeof(buf); ++ ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s); ++ if (ret < 0) ++ fail("error: %s\n", gnutls_strerror(ret)); ++ ++ if (s != sizeof(SUBJECT_UNIQUE_ID)-1 || ++ memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) { ++ fail("subject unique id comparison failed\n"); ++ } ++ ++ ret = gnutls_x509_crt_get_raw_dn(crt, &out); ++ if (ret < 0 || out.size == 0) ++ fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); ++ ++ if (out.size != 45 || ++ memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { ++ fail("DN comparison failed\n"); ++ } ++ gnutls_free(out.data); ++ ++ assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); ++ ++ if (debug) ++ fprintf(stderr, "%s\n", out.data); ++ assert(out.size == saved_crt.size); ++ assert(memcmp(out.data, saved_crt.data, out.size)==0); ++ ++ gnutls_free(out.data); ++ ++ gnutls_x509_crt_deinit(crt); ++ gnutls_x509_crt_deinit(crt2); ++ gnutls_x509_privkey_deinit(pkey); ++ ++ gnutls_global_deinit(); ++} diff --git a/SOURCES/gnutls-3.3.8-fips-key.patch b/SOURCES/gnutls-3.3.8-fips-key.patch new file mode 100644 index 00000000..b83aee99 --- /dev/null +++ b/SOURCES/gnutls-3.3.8-fips-key.patch @@ -0,0 +1,12 @@ +diff -ur gnutls-3.3.8b1.orig/lib/fips.c gnutls-3.3.8b1/lib/fips.c +--- gnutls-3.3.8b1.orig/lib/fips.c 2014-09-03 16:53:13.000000000 +0200 ++++ gnutls-3.3.8b1/lib/fips.c 2014-09-04 17:11:26.825733730 +0200 +@@ -97,7 +97,7 @@ + #define HOGWEED_LIBRARY_NAME "libhogweed.so.2" + #define GMP_LIBRARY_NAME "libgmp.so.10" + +-static const char fips_key[] = "I'd rather be skiing"; ++static const char fips_key[] = "orboDeJITITejsirpADONivirpUkvarP"; + + #define HMAC_SUFFIX ".hmac" + #define HMAC_SIZE 32 diff --git a/SOURCES/gnutls-3.3.8-padlock-disable.patch b/SOURCES/gnutls-3.3.8-padlock-disable.patch new file mode 100644 index 00000000..cd4c3b6c --- /dev/null +++ b/SOURCES/gnutls-3.3.8-padlock-disable.patch @@ -0,0 +1,22 @@ +diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c +index cc67b08..e730ba0 100644 +--- a/lib/accelerated/x86/x86-common.c ++++ b/lib/accelerated/x86/x86-common.c +@@ -37,6 +37,7 @@ + # include + #endif + #include ++#include + + /* ebx, ecx, edx + * This is a format compatible with openssl's CPUID detection. +@@ -581,7 +582,8 @@ void register_x86_crypto(void) + + register_x86_intel_crypto(capabilities); + #ifdef ENABLE_PADLOCK +- register_x86_padlock_crypto(capabilities); ++ if (_gnutls_fips_mode_enabled() != 1) ++ register_x86_padlock_crypto(capabilities); + #endif + } + diff --git a/SOURCES/hobble-gnutls b/SOURCES/hobble-gnutls new file mode 100755 index 00000000..33021048 --- /dev/null +++ b/SOURCES/hobble-gnutls @@ -0,0 +1,15 @@ +#!/bin/sh +set -x + +if [ "$1" = "-e" ] ; then + CMD="cat < /dev/null >" +else + CMD="rm -f" +fi + +# SRP +for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \ + gnutls_srp.c auth/srp.c ext/srp.c ; do + eval "$CMD lib/$f" +done + diff --git a/SOURCES/libgnutls-config b/SOURCES/libgnutls-config new file mode 100755 index 00000000..8970bf4d --- /dev/null +++ b/SOURCES/libgnutls-config @@ -0,0 +1,91 @@ +#!/bin/sh + +prefix=/usr +exec_prefix=/usr +exec_prefix_set=no + +name=`basename $0` +name=${name#lib} +name=${name%-config} + +libs=`pkg-config --libs $name` +cflags=`pkg-config --cflags $name` +version=`pkg-config --modversion $name` + +usage() +{ + +echo Usage: lib$name-config [OPTIONS] + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + if test $exec_prefix_set = no ; then + exec_prefix=$optarg + fi + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + exec_prefix_set=yes + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --version) + echo $version + exit 0 + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + --help) + usage 0 + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_cflags" = "yes"; then + echo $cflags +fi + +if test "$echo_libs" = "yes"; then + echo $libs +fi diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec new file mode 100644 index 00000000..3404620a --- /dev/null +++ b/SPECS/gnutls.spec @@ -0,0 +1,790 @@ +%bcond_without dane +%bcond_with guile +Summary: A TLS protocol implementation +Name: gnutls +Version: 3.3.26 +Release: 9%{?dist} +# The libraries are LGPLv2.1+, utilities are GPLv3+ +License: GPLv3+ and LGPLv2+ +Group: System Environment/Libraries +BuildRequires: p11-kit-devel >= 0.23.1, gettext +BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.8 +BuildRequires: libtool, automake, autoconf, texinfo +BuildRequires: autogen-libopts-devel >= 5.18 autogen gettext-devel +BuildRequires: nettle-devel >= 2.7.1 +BuildRequires: trousers-devel >= 0.3.11.2 +BuildRequires: libidn-devel +BuildRequires: gperf +BuildRequires: fipscheck +BuildRequires: softhsm, net-tools +Requires: p11-kit-trust +# The automatic dependency on libtasn1 and p11-kit is insufficient, +Requires: libtasn1 >= 3.9 +Requires: p11-kit >= 0.23.1 +Requires: trousers >= 0.3.11.2 +%if %{with dane} +BuildRequires: unbound-devel unbound-libs +%endif +%if %{with guile} +BuildRequires: guile-devel +%endif +URL: http://www.gnutls.org/ +#Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz +#Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig +# XXX patent tainted code removed. +Source0: %{name}-%{version}-hobbled.tar.xz +Source1: libgnutls-config +Source2: hobble-gnutls +Patch1: gnutls-3.2.7-rpath.patch +Patch2: gnutls-3.1.11-nosrp.patch +Patch4: gnutls-3.3.8-fips-key.patch +Patch5: gnutls-3.3.8-padlock-disable.patch +# In 3.3.8 we were shipping an early backport of a fix in GNUTLS_E_APPLICATION_DATA +# behavior, which was using 3.4.0 semantics. We continue shipping to support +# any applications depending on that. +Patch6: gnutls-3.3.22-eapp-data.patch +Patch7: gnutls-3.3.26-dh-params-1024.patch +# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well) +Patch8: gnutls-3.3.26-fix-uninitialized.patch +Patch9: gnutls-3.3.26-fix-coverity-issues.patch +Patch10: gnutls-3.3.26-pin-value.patch +Patch11: gnutls-3.3.26-set-unique-id-tests.patch +Patch12: gnutls-3.3.26-fips-rsa-keygen.patch +Patch13: gnutls-3.3.26-cve-2017-7869.patch +Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch +# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 +Provides: bundled(gnulib) = 20130424 + +%package c++ +Summary: The C++ interface to GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} + +%package devel +Summary: Development files for the %{name} package +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-c++%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif +Requires: pkgconfig +Requires(post): /sbin/install-info +Requires(preun): /sbin/install-info + +%package utils +License: GPLv3+ +Summary: Command line tools for TLS protocol +Group: Applications/System +Requires: %{name}%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif + +%if %{with dane} +%package dane +Summary: A DANE protocol implementation for GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} +%endif + +%if %{with guile} +%package guile +Summary: Guile bindings for the GNUTLS library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: guile +%endif + +%description +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. + +%description c++ +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains the C++ interface for the GnuTLS library. + +%description devel +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains files needed for developing applications with +the GnuTLS library. + +%description utils +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains command line TLS client and server and certificate +manipulation tools. + +%if %{with dane} +%description dane +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains library that implements the DANE protocol for verifying +TLS certificates through DNSSEC. +%endif + +%if %{with guile} +%description guile +GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains Guile bindings for the library. +%endif + +%prep +%setup -q + +%patch1 -p1 -b .rpath +%patch2 -p1 -b .nosrp +%patch4 -p1 -b .fips-key +%patch5 -p1 -b .padlock-disable +%patch6 -p1 -b .eapp-data +%patch7 -p1 -b .dh-1024 +%patch8 -p1 -b .fix-uninit +%patch9 -p1 -b .fix-coverity +%patch10 -p1 -b .pin-value +%patch11 -p1 -b .unique-id +%patch12 -p1 -b .rsa-keygen +%patch13 -p1 -b .openpgp-fixes +%patch14 -p1 -b .ocsp-ext-parse + +sed 's/gnutls_srp.c//g' -i lib/Makefile.in +sed 's/gnutls_srp.lo//g' -i lib/Makefile.in +rm -f lib/minitasn1/*.c lib/minitasn1/*.h +rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h + +%{SOURCE2} -e +autoreconf -if + +%build +export LDFLAGS="-Wl,--no-add-needed" + +%configure --with-libtasn1-prefix=%{_prefix} \ + --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \ + --with-included-libcfg \ + --with-arcfour128 \ + --with-ssl3 \ + --disable-static \ + --disable-openssl-compatibility \ + --disable-srp-authentication \ + --disable-non-suiteb-curves \ + --with-trousers-lib=%{_libdir}/libtspi.so.1 \ + --enable-fips140-mode \ +%if %{with guile} + --enable-guile \ +%ifarch %{arm} + --disable-largefile \ +%endif +%else + --disable-guile \ +%endif +%if %{with dane} + --with-unbound-root-key-file=/var/lib/unbound/root.key \ + --enable-dane \ +%else + --disable-dane \ +%endif + --disable-rpath +# Note that the arm hack above is not quite right and the proper thing would +# be to compile guile with largefile support. +make %{?_smp_mflags} + +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.* \ + file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.28.hmac \ +%{nil} + +%install +make install DESTDIR=$RPM_BUILD_ROOT +rm -f $RPM_BUILD_ROOT%{_bindir}/srptool +rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt +cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp* +rm -f $RPM_BUILD_ROOT%{_infodir}/dir +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libguile*.a +%if %{without dane} +rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc +%endif + +%find_lang gnutls + +%check +make check %{?_smp_mflags} + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post c++ -p /sbin/ldconfig + +%postun c++ -p /sbin/ldconfig + +%post devel +if [ -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%preun devel +if [ $1 = 0 -a -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info --delete %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%if %{with dane} +%post dane -p /sbin/ldconfig + +%postun dane -p /sbin/ldconfig +%endif + +%if %{with guile} +%post guile -p /sbin/ldconfig + +%postun guile -p /sbin/ldconfig +%endif + +%files -f gnutls.lang +%defattr(-,root,root,-) +%{_libdir}/libgnutls.so.28* +%{_libdir}/.libgnutls.so.28*.hmac +%doc COPYING COPYING.LESSER README AUTHORS NEWS THANKS + +%files c++ +%{_libdir}/libgnutlsxx.so.* + +%files devel +%defattr(-,root,root,-) +%{_bindir}/libgnutls*-config +%{_includedir}/* +%{_libdir}/libgnutls*.so +%{_libdir}/.libgnutls.so.*.hmac +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* +%{_infodir}/gnutls* +%{_infodir}/pkcs11-vision* + +%files utils +%defattr(-,root,root,-) +%{_bindir}/certtool +%{_bindir}/tpmtool +%{_bindir}/ocsptool +%{_bindir}/psktool +%{_bindir}/p11tool +%{_bindir}/crywrap +%if %{with dane} +%{_bindir}/danetool +%endif +%{_bindir}/gnutls* +%{_mandir}/man1/* +%doc doc/certtool.cfg + +%if %{with dane} +%files dane +%defattr(-,root,root,-) +%{_libdir}/libgnutls-dane.so.* +%endif + +%if %{with guile} +%files guile +%defattr(-,root,root,-) +%{_libdir}/libguile*.so* +%{_datadir}/guile/site/gnutls +%{_datadir}/guile/site/gnutls.scm +%endif + +%changelog +* Fri May 26 2017 Nikos Mavrogiannopoulos 3.3.26-9 +- Address crash in OCSP status request extension, by eliminating the + unneeded parsing (CVE-2017-7507, #1455828) + +* Wed Apr 26 2017 Nikos Mavrogiannopoulos 3.3.26-7 +- Address interoperability issue with 3.5.x (#1388932) +- Reject CAs which are both trusted and blacklisted in trust module (#1375303) +- Added new functions to set issuer and subject ID in certificates (#1378373) +- Reject connections with less than 1024-bit DH parameters (#1335931) +- Fix issue that made GnuTLS parse only the first 32 extensions (#1383748) +- Mention limitations of certtool in manpage (#1375463) +- Read PKCS#8 files with HMAC-SHA256 -as generated by openssl 1.1 (#1380642) +- Do not link directly to trousers but instead use dlopen (#1379739) +- Fix incorrect OCSP validation (#1377569) +- Added support for pin-value in PKCS#11 URIs (#1379283) +- Added the --id option to p11tool (#1399232) +- Improved sanity checks in RSA key generation (#1444780) +- Addressed CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, + CVE-2017-7869 + +* Tue Jul 12 2016 Nikos Mavrogiannopoulos 3.3.24-1 +- Addressed issue with DSA public keys smaller than 2^1024 (#1238279) +- Addressed two-byte buffer overflow in the DTLS-0.9 protocol (#1209365) +- When writing certificates to smart cards write the CKA_ISSUER and + CKA_SERIAL_NUMBER fields to allow NSS reading them (#1272179) +- Use the shared system certificate store (#1110750) +- Address MD5 transcript collision attacks in TLS key exchange (#1289888, + CVE-2015-7575) +- Allow hashing data over 2^32 bytes (#1306953) +- Ensure written PKCS#11 public keys are not marked as private (#1339453) +- Ensure secure_getenv() is called on all uses of environment variables + (#1344591). +- Fix issues related to PKCS #11 private key listing on certain HSMs + (#1351389) + +* Fri Jun 5 2015 Nikos Mavrogiannopoulos 3.3.8-13 +- Corrected reseed and respect of max_number_of_bits_per_request in + FIPS140-2 mode. Also enhanced the initial tests. (#1228199) + +* Mon Jan 5 2015 Nikos Mavrogiannopoulos 3.3.8-12 +- corrected fix of handshake buffer resets (#1153106) + +* Thu Dec 11 2014 Nikos Mavrogiannopoulos 3.3.8-11 +- Applied fix for urandom FD in FIPS140 mode (#1165047) +- Applied fix for FIPS140-2 related regression (#1110696) + +* Tue Dec 2 2014 Nikos Mavrogiannopoulos 3.3.8-10 +- Amended fix for urandom FD to avoid regression in FIPS140 mode (#1165047) + +* Tue Nov 18 2014 Nikos Mavrogiannopoulos 3.3.8-9 +- Amended fix for FIPS enforcement issue (#1163848) +- Fixed issue with applications that close all file descriptors (#1165047) + +* Thu Nov 13 2014 Nikos Mavrogiannopoulos 3.3.8-8 +- Applied fix for FIPS enforcement issue when only /etc/system-fips + existed (#1163848) + +* Fri Nov 7 2014 Nikos Mavrogiannopoulos 3.3.8-7 +- Applied fix for CVE-2014-8564 (#1161473) + +* Wed Oct 29 2014 Nikos Mavrogiannopoulos 3.3.8-6 +- when generating test DH keys, enforce the q_bits. + +* Tue Oct 21 2014 Nikos Mavrogiannopoulos 3.3.8-5 +- do not enforce FIPS140-2 policies in non-FIPS140 mode (#1154774) + +* Thu Oct 16 2014 Nikos Mavrogiannopoulos 3.3.8-4 +- reverted change to use the p11-kit certificate storage (#1110750) +- added functions to test DH/ECDH in FIPS-140-2 mode and fixed + RSA key generation (#1110696) +- added manual dependencies on libtasn1 3.8 as well as p11-kit 0.20.7 +- fixed SHA224 in SSSE3 optimized code +- fixed issue with handshake buffer resets (#1153106) +- fixed issue in RSA key generation with specific seeds in FIPS140-2 mode + +* Wed Oct 01 2014 Nikos Mavrogiannopoulos 3.3.8-3 +- added dependency on libtasn1 3.8 (#1110696) + +* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-2 +- disabled padlock CPU support in FIPS140-2 mode + +* Thu Sep 18 2014 Nikos Mavrogiannopoulos 3.3.8-1 +- updated to latest stable release + +* Fri Sep 05 2014 Nikos Mavrogiannopoulos 3.3.8-1.b2 +- updated with latest bug fixes for 3.3.x branch +- delete bundled files + +* Thu Sep 04 2014 Nikos Mavrogiannopoulos 3.3.8b1-1 +- updated with latest bug fixes for 3.3.x branch + +* Fri Aug 22 2014 Nikos Mavrogiannopoulos 3.3.7-1 +- new upstream release (#1110696) +- allow DSA/DH key generation with 1024 when not in FIPS140-2 mode (#1132705) + +* Fri Aug 15 2014 Nikos Mavrogiannopoulos 3.3.7b1-1 +- updated with latest bug fixes for 3.3.x branch +- utilize the p11-kit trust store (#1110750) + +* Tue Jul 29 2014 Nikos Mavrogiannopoulos 3.3.6-2 +- correct path of fipscheck links + +* Wed Jul 23 2014 Nikos Mavrogiannopoulos 3.3.6-1 +- rebased to 3.3.6 and enabled fips mode (#1110696) + +* Wed May 28 2014 Nikos Mavrogiannopoulos - 3.1.18-9 +- fix session ID length check (#1102027) +- fixes null pointer dereference (#1101727) + +* Tue Feb 25 2014 Nikos Mavrogiannopoulos - 3.1.18-8 +- fixes CVE-2014-0092 (#1071815) + +* Fri Feb 14 2014 Nikos Mavrogiannopoulos - 3.1.18-7 +- fixes CVE-2014-1959 + +* Fri Jan 24 2014 Daniel Mach - 3.1.18-6 +- Mass rebuild 2014-01-24 + +* Tue Jan 14 2014 Nikos Mavrogiannopoulos 3.1.18-5 +- Fixed issue with gnutls.info not being available (#1053487) + +* Tue Jan 14 2014 Tomáš Mráz 3.1.18-4 +- build the crywrap tool + +* Thu Jan 02 2014 Nikos Mavrogiannopoulos - 3.1.18-3 +- fixes crash in gnutls_global_deinit (#1047037) + +* Fri Dec 27 2013 Daniel Mach - 3.1.18-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 23 2013 Nikos Mavrogiannopoulos 3.1.18-1 +- new upstream release (#1040886) +- Use the correct root key for unbound + +* Tue Nov 5 2013 Tomáš Mráz 3.1.16-1 +- new upstream release +- fixes CVE-2013-4466 off-by-one in dane_query_tlsa() + +* Tue Oct 29 2013 Tomáš Mráz 3.1.15-1 +- new upstream release +- fixes CVE-2013-4466 buffer overflow in handling DANE entries + +* Mon Jul 15 2013 Tomáš Mráz 3.1.13-1 +- new upstream release + +* Thu May 23 2013 Tomáš Mráz 3.1.11-1 +- new upstream release +- enable ECC NIST Suite B curves + +* Mon Mar 25 2013 Tomas Mraz 3.1.10-1 +- new upstream release +- license of the library is back to LGPLv2.1+ + +* Fri Mar 15 2013 Tomas Mraz 3.1.9-1 +- new upstream release + +* Thu Mar 7 2013 Tomas Mraz 3.1.8-3 +- drop the temporary old library + +* Tue Feb 26 2013 Tomas Mraz 3.1.8-2 +- don't send ECC algos as supported (#913797) + +* Thu Feb 21 2013 Tomas Mraz 3.1.8-1 +- new upstream version + +* Wed Feb 6 2013 Tomas Mraz 3.1.7-1 +- new upstream version, requires rebuild of dependencies +- this release temporarily includes old compatibility .so + +* Tue Feb 5 2013 Tomas Mraz 2.12.22-2 +- rebuilt with new libtasn1 +- make guile bindings optional - breaks i686 build and there is + no dependent package + +* Tue Jan 8 2013 Tomas Mraz 2.12.22-1 +- new upstream version + +* Wed Nov 28 2012 Tomas Mraz 2.12.21-2 +- use RSA bit sizes supported by libgcrypt in FIPS mode for security + levels (#879643) + +* Fri Nov 9 2012 Tomas Mraz 2.12.21-1 +- new upstream version + +* Thu Nov 1 2012 Tomas Mraz 2.12.20-4 +- negotiate only FIPS approved algorithms in the FIPS mode (#871826) + +* Wed Aug 8 2012 Tomas Mraz 2.12.20-3 +- fix the gnutls-cli-debug manpage - patch by Peter Schiffer + +* Thu Jul 19 2012 Fedora Release Engineering - 2.12.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 18 2012 Tomas Mraz 2.12.20-1 +- new upstream version + +* Fri May 18 2012 Tomas Mraz 2.12.19-1 +- new upstream version + +* Thu Mar 29 2012 Tomas Mraz 2.12.18-1 +- new upstream version + +* Thu Mar 8 2012 Tomas Mraz 2.12.17-1 +- new upstream version +- fix leaks in key generation (#796302) + +* Fri Feb 03 2012 Kevin Fenzi - 2.12.14-3 +- Disable largefile on arm arch. (#787287) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.12.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Nov 8 2011 Tomas Mraz 2.12.14-1 +- new upstream version + +* Mon Oct 24 2011 Tomas Mraz 2.12.12-1 +- new upstream version + +* Thu Sep 29 2011 Tomas Mraz 2.12.11-1 +- new upstream version + +* Fri Aug 26 2011 Tomas Mraz 2.12.9-1 +- new upstream version + +* Tue Aug 16 2011 Tomas Mraz 2.12.8-1 +- new upstream version + +* Mon Jul 25 2011 Tomas Mraz 2.12.7-2 +- fix problem when using new libgcrypt +- split libgnutlsxx to a subpackage (#455146) +- drop libgnutls-openssl (#460310) + +* Tue Jun 21 2011 Tomas Mraz 2.12.7-1 +- new upstream version + +* Mon May 9 2011 Tomas Mraz 2.12.4-1 +- new upstream version + +* Tue Apr 26 2011 Tomas Mraz 2.12.3-1 +- new upstream version + +* Mon Apr 18 2011 Tomas Mraz 2.12.2-1 +- new upstream version + +* Thu Mar 3 2011 Tomas Mraz 2.10.5-1 +- new upstream version + +* Tue Feb 08 2011 Fedora Release Engineering - 2.10.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 8 2010 Tomas Mraz 2.10.4-1 +- new upstream version + +* Thu Dec 2 2010 Tomas Mraz 2.10.3-2 +- fix buffer overflow in gnutls-serv (#659259) + +* Fri Nov 19 2010 Tomas Mraz 2.10.3-1 +- new upstream version + +* Thu Sep 30 2010 Tomas Mraz 2.10.2-1 +- new upstream version + +* Wed Sep 29 2010 jkeating - 2.10.1-4 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Tomas Mraz 2.10.1-3 +- more patching for internal errors regression (#629858) + patch by Vivek Dasmohapatra + +* Tue Sep 21 2010 Tomas Mraz 2.10.1-2 +- backported patch from upstream git hopefully fixing internal errors + (#629858) + +* Wed Aug 4 2010 Tomas Mraz 2.10.1-1 +- new upstream version + +* Wed Jun 2 2010 Tomas Mraz 2.8.6-2 +- add support for safe renegotiation CVE-2009-3555 (#533125) + +* Wed May 12 2010 Tomas Mraz 2.8.6-1 +- upgrade to a new upstream version + +* Mon Feb 15 2010 Rex Dieter 2.8.5-4 +- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624) + +* Thu Jan 28 2010 Tomas Mraz 2.8.5-3 +- drop superfluous rpath from binaries +- do not call autoreconf during build +- specify the license on utils subpackage + +* Mon Jan 18 2010 Tomas Mraz 2.8.5-2 +- do not create static libraries (#556052) + +* Mon Nov 2 2009 Tomas Mraz 2.8.5-1 +- upgrade to a new upstream version + +* Wed Sep 23 2009 Tomas Mraz 2.8.4-1 +- upgrade to a new upstream version + +* Fri Aug 14 2009 Tomas Mraz 2.8.3-1 +- upgrade to a new upstream version + +* Fri Jul 24 2009 Fedora Release Engineering - 2.8.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jun 10 2009 Tomas Mraz 2.8.1-1 +- upgrade to a new upstream version + +* Wed Jun 3 2009 Tomas Mraz 2.8.0-1 +- upgrade to a new upstream version + +* Mon May 4 2009 Tomas Mraz 2.6.6-1 +- upgrade to a new upstream version - security fixes + +* Tue Apr 14 2009 Tomas Mraz 2.6.5-1 +- upgrade to a new upstream version, minor bugfixes only + +* Fri Mar 6 2009 Tomas Mraz 2.6.4-1 +- upgrade to a new upstream version + +* Tue Feb 24 2009 Fedora Release Engineering - 2.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 15 2008 Tomas Mraz 2.6.3-1 +- upgrade to a new upstream version + +* Thu Dec 4 2008 Tomas Mraz 2.6.2-1 +- upgrade to a new upstream version + +* Tue Nov 11 2008 Tomas Mraz 2.4.2-3 +- fix chain verification issue CVE-2008-4989 (#470079) + +* Thu Sep 25 2008 Tomas Mraz 2.4.2-2 +- add guile subpackage (#463735) +- force new libtool through autoreconf to drop unnecessary rpaths + +* Tue Sep 23 2008 Tomas Mraz 2.4.2-1 +- new upstream version + +* Tue Jul 1 2008 Tomas Mraz 2.4.1-1 +- new upstream version +- correct the license tag +- explicit --with-included-opencdk not needed +- use external lzo library, internal not included anymore + +* Tue Jun 24 2008 Tomas Mraz 2.4.0-1 +- upgrade to latest upstream + +* Tue May 20 2008 Tomas Mraz 2.0.4-3 +- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1 + (#447461, #447462, #447463) + +* Mon Feb 4 2008 Joe Orton 2.0.4-2 +- use system libtasn1 + +* Tue Dec 4 2007 Tomas Mraz 2.0.4-1 +- upgrade to latest upstream + +* Tue Aug 21 2007 Tomas Mraz 1.6.3-2 +- license tag fix + +* Wed Jun 6 2007 Tomas Mraz 1.6.3-1 +- upgrade to latest upstream (#232445) + +* Tue Apr 10 2007 Tomas Mraz 1.4.5-2 +- properly require install-info (patch by Ville Skyttä) +- standard buildroot and use dist tag +- add COPYING and README to doc + +* Wed Feb 7 2007 Tomas Mraz 1.4.5-1 +- new upstream version +- drop libtermcap-devel from buildrequires + +* Thu Sep 14 2006 Tomas Mraz 1.4.1-2 +- detect forged signatures - CVE-2006-4790 (#206411), patch + from upstream + +* Tue Jul 18 2006 Tomas Mraz - 1.4.1-1 +- upgrade to new upstream version, only minor changes + +* Wed Jul 12 2006 Jesse Keating - 1.4.0-1.1 +- rebuild + +* Wed Jun 14 2006 Tomas Mraz - 1.4.0-1 +- upgrade to new upstream version (#192070), rebuild + of dependent packages required + +* Tue May 16 2006 Tomas Mraz - 1.2.10-2 +- added missing buildrequires + +* Mon Feb 13 2006 Tomas Mraz - 1.2.10-1 +- updated to new version (fixes CVE-2006-0645) + +* Fri Feb 10 2006 Jesse Keating - 1.2.9-3.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.2.9-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 3 2006 Jesse Keating 1.2.9-3 +- rebuilt + +* Fri Dec 9 2005 Tomas Mraz 1.2.9-2 +- replaced *-config scripts with calls to pkg-config to + solve multilib conflicts + +* Wed Nov 23 2005 Tomas Mraz 1.2.9-1 +- upgrade to newest upstream +- removed .la files (#172635) + +* Sun Aug 7 2005 Tomas Mraz 1.2.6-1 +- upgrade to newest upstream (rebuild of dependencies necessary) + +* Mon Jul 4 2005 Tomas Mraz 1.0.25-2 +- split the command line tools to utils subpackage + +* Sat Apr 30 2005 Tomas Mraz 1.0.25-1 +- new upstream version fixes potential DOS attack + +* Sat Apr 23 2005 Tomas Mraz 1.0.24-2 +- readd the version script dropped by upstream + +* Fri Apr 22 2005 Tomas Mraz 1.0.24-1 +- update to the latest upstream version on the 1.0 branch + +* Wed Mar 2 2005 Warren Togami 1.0.20-6 +- gcc4 rebuild + +* Tue Jan 4 2005 Ivana Varekova 1.0.20-5 +- add gnutls Requires zlib-devel (#144069) + +* Mon Nov 08 2004 Colin Walters 1.0.20-4 +- Make gnutls-devel Require libgcrypt-devel + +* Tue Sep 21 2004 Jeff Johnson 1.0.20-3 +- rebuild with release++, otherwise unchanged. + +* Tue Sep 7 2004 Jeff Johnson 1.0.20-2 +- patent tainted SRP code removed. + +* Sun Sep 5 2004 Jeff Johnson 1.0.20-1 +- update to 1.0.20. +- add --with-included-opencdk --with-included-libtasn1 +- add --with-included-libcfg --with-included-lzo +- add --disable-srp-authentication. +- do "make check" after build. + +* Fri Mar 21 2003 Jeff Johnson 0.9.2-1 +- upgrade to 0.9.2 + +* Tue Jun 25 2002 Jeff Johnson 0.4.4-1 +- update to 0.4.4. + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Sat May 25 2002 Jeff Johnson 0.4.3-1 +- update to 0.4.3. + +* Tue May 21 2002 Jeff Johnson 0.4.2-1 +- update to 0.4.2. +- change license to LGPL. +- include splint annotations patch. + +* Tue Apr 2 2002 Nalin Dahyabhai 0.4.0-1 +- update to 0.4.0 + +* Thu Jan 17 2002 Nalin Dahyabhai 0.3.2-1 +- update to 0.3.2 + +* Thu Jan 10 2002 Nalin Dahyabhai 0.3.0-1 +- add a URL + +* Thu Dec 20 2001 Nalin Dahyabhai +- initial package