From 29d5d57d6ac4318eb81be215f9cfe6be2f7e6fb7 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 3 Feb 2014 09:41:43 +0100
Subject: [PATCH] Updated to gnutls 3.2.10
---
 .gitignore | 1 +
 gnutls-3.2.10-init-keyword.patch | 36 +++++++++++++++++++++++++++++++
 gnutls-3.2.10-supported-ecc.patch | 34 +++++++++++++++++++++++++++++
 gnutls.spec | 11 ++++++++--
 sources | 2 +-
 5 files changed, 81 insertions(+), 3 deletions(-)
 create mode 100644 gnutls-3.2.10-init-keyword.patch
 create mode 100644 gnutls-3.2.10-supported-ecc.patch
diff --git a/.gitignore b/.gitignore
index 92fedcd..0a5f789 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.1.16-hobbled.tar.xz
 /gnutls-3.2.7-hobbled.tar.xz
 /gnutls-3.2.8-hobbled.tar.xz
+/gnutls-3.2.10-hobbled.tar.xz
diff --git a/gnutls-3.2.10-init-keyword.patch b/gnutls-3.2.10-init-keyword.patch
new file mode 100644
index 0000000..cb1b05b
--- /dev/null
+++ b/gnutls-3.2.10-init-keyword.patch
@@ -0,0 +1,36 @@
+From 46139267e1e9eaab46364357e9447ca75f29b4f1 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sun, 2 Feb 2014 08:50:14 +0100
+Subject: [PATCH 4/8] When two initial keywords are specified then treat the
+ second as having the '+' modifier.
+
+This will handle SECURE256:SECURE128 the same way as SECURE256:+SECURE128.
+---
+ lib/gnutls_priority.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 875f9b0..6bb02e2 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -788,6 +788,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ char *broken_list[MAX_ELEMENTS];
+ int broken_list_size = 0, i = 0, j;
+ char *darg = NULL;
++ unsigned ikeyword_set = 0;
+ int algo;
+ rmadd_func *fn;
+ bulk_rmadd_func *bulk_fn;
+@@ -842,7 +843,8 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ }
+
+ for (; i < broken_list_size; i++) {
+- if (check_level(broken_list[i], *priority_cache, 0) != 0) {
++ if (check_level(broken_list[i], *priority_cache, ikeyword_set) != 0) {
++ ikeyword_set = 1;
+ continue;
+ } else if (broken_list[i][0] == '!'
+ || broken_list[i][0] == '+'
+--
+1.8.5.3
+
diff --git a/gnutls-3.2.10-supported-ecc.patch b/gnutls-3.2.10-supported-ecc.patch
new file mode 100644
index 0000000..0934025
--- /dev/null
+++ b/gnutls-3.2.10-supported-ecc.patch
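Review bot: `ikeyword_set` is only raised inside the `for (; i < broken_list_size; i++)` loop, so if an initial keyword is consumed by the block that closes just before the loop (the `}` at the top of the second hunk suggests one, and this patch does not touch it or reset `i`), the flag stays 0 and a second keyword met in the loop is still passed to `check_level` with the add argument clear, which is exactly the replace behaviour the patch description says it removes. If that pre-loop block advances `i` past a keyword, it needs its own `ikeyword_set = 1;`; please confirm against the full `gnutls_priority_init` in 3.2.10 before shipping this as `Patch2`, and if a fix is needed carry it as a further upstream backport rather than editing this file. The rest of `gnutls_priority_init` lies outside the hunk.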
@@ -0,0 +1,34 @@
+From 45ec742d6db94b8a5aa2f4f1b3f560d948230e3b Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Sat, 1 Feb 2014 20:24:40 +0100
+Subject: [PATCH 1/8] tolerate servers that included the SUPPORTED ECC
+ extension.
+
+This is an extension that is defined to be sent by the client but there
+are servers that include it as well. Most other implementations tolerate
+this behavior so we do.
+---
+ lib/ext/ecc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c
+index b913cb0..a851ddd 100644
+--- a/lib/ext/ecc.c
++++ b/lib/ext/ecc.c
+@@ -91,9 +91,10 @@ _gnutls_supported_ecc_recv_params(gnutls_session_t session,
+ const uint8_t *p = data;
+
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
+- /* A client shouldn't receive this extension */
+- return
+- gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
++ /* A client shouldn't receive this extension, but of course
++ * there are servers out there that send it. Just ignore it. */
++ _gnutls_debug_log("received SUPPORTED ECC extension on client side!!!\n");
++ return 0;
+ } else { /* SERVER SIDE - we must check if the sent supported ecc type is the right one
+ */
+ if (data_size < 2)
+--
+1.8.5.3
+
diff --git a/gnutls.spec b/gnutls.spec
index 364f4bf..e121731 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -2,8 +2,8 @@
 %bcond_with guile
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 3.2.8
-Release: 2%{?dist}
+Version: 3.2.10
+Release: 1%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -29,6 +29,8 @@ Source1: libgnutls-config
 Source2: hobble-gnutls
 Patch1: gnutls-3.2.7-rpath.patch
 # Use only FIPS approved ciphers in the FIPS mode
+Patch2: gnutls-3.2.10-init-keyword.patch
+Patch3: gnutls-3.2.10-supported-ecc.patch
 Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
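Review bot: In the `@@ -29,6 +29,8 @@` hunk of gnutls.spec the new `Patch2:` and `Patch3:` lines are inserted between the comment `# Use only FIPS approved ciphers in the FIPS mode` and the `Patch7:` line that comment describes, so the comment now reads as if it applied to the init-keyword backport. Move the two lines above that comment and give each its own one-line comment naming the upstream commit it carries, e.g. `# Upstream 46139267: treat a second initial priority keyword as '+'` before `Patch2:` and `# Upstream 45ec742d: tolerate servers that send the SUPPORTED ECC extension` before `Patch3:`. The second backport relaxes what the client accepts from a server (it previously returned GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION), which is the kind of behaviour change a packager wants discoverable from the spec rather than only inside the patch file.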
@@ -131,6 +133,8 @@ This package contains Guile bindings for the library.
 %setup -q
 %patch1 -p1 -b .rpath
+%patch2 -p1 -b .ikeyword
+%patch3 -p1 -b .secc
 # This patch is not applicable as we use nettle now but some parts will be
 # later reused.
 #%patch7 -p1 -b .fips
@@ -267,6 +271,9 @@ fi
 %endif
 %changelog
+* Mon Feb 03 2014 Nikos Mavrogiannopoulos 3.2.10-1
+- new upstream release
+
 * Tue Jan 14 2014 Tomáš Mráz 3.2.8-2
 - build the crywrap tool
diff --git a/sources b/sources
index e78e6fc..6d325d8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0e2a2769b2d6f51fd919e5f0c4c7e9a0 gnutls-3.2.8-hobbled.tar.xz
+35c6925f73eba02b12ddb0ad76dd537e gnutls-3.2.10-hobbled.tar.xz