Rebuilt to address incompatibility with new nettle
Added patch to allow PKCS#11 testsuite to pass with new softhsm.
This commit is contained in:
Nikos Mavrogiannopoulos
parent
044b95c01a
commit
b75661390d
69
gnutls-3.6.1-pkcs11-tests.patch
Normal file
69
gnutls-3.6.1-pkcs11-tests.patch
Normal file
@ -0,0 +1,69 @@
|
||||
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
|
||||
index ca16600130..c85d8789df 100644
|
||||
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
|
||||
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
|
||||
@@ -247,45 +247,52 @@ typedef struct test_st {
|
||||
} test_st;
|
||||
|
||||
static const test_st tests[] = {
|
||||
- {.name = "ecc key",
|
||||
+ {.name = "tls1.2: ecc key",
|
||||
.pk = GNUTLS_PK_ECDSA,
|
||||
- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
|
||||
+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
||||
.cert = &server_ca3_localhost_ecc_cert,
|
||||
.key = &server_ca3_ecc_key,
|
||||
.exp_kx = GNUTLS_KX_ECDHE_ECDSA
|
||||
},
|
||||
- {.name = "rsa-sign key",
|
||||
+ {.name = "tls1.2: rsa-sign key",
|
||||
.pk = GNUTLS_PK_RSA,
|
||||
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
||||
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
||||
.cert = &server_ca3_localhost_cert,
|
||||
.key = &server_ca3_key,
|
||||
.exp_kx = GNUTLS_KX_ECDHE_RSA
|
||||
},
|
||||
- {.name = "rsa-sign key with rsa-pss sigs prioritized",
|
||||
+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
|
||||
.pk = GNUTLS_PK_RSA,
|
||||
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
|
||||
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
|
||||
.cert = &server_ca3_localhost_cert,
|
||||
.key = &server_ca3_key,
|
||||
.exp_kx = GNUTLS_KX_ECDHE_RSA
|
||||
},
|
||||
- {.name = "rsa-pss-sign key",
|
||||
+ {.name = "tls1.2: rsa-pss-sign key",
|
||||
.pk = GNUTLS_PK_RSA_PSS,
|
||||
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
||||
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
||||
.cert = &server_ca3_rsa_pss2_cert,
|
||||
.key = &server_ca3_rsa_pss2_key,
|
||||
.exp_kx = GNUTLS_KX_ECDHE_RSA,
|
||||
.requires_pkcs11_pss = 1,
|
||||
- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
|
||||
},
|
||||
- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
|
||||
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
|
||||
.pk = GNUTLS_PK_RSA,
|
||||
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
||||
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
|
||||
+ .cert = &server_ca3_rsa_pss_cert,
|
||||
+ .key = &server_ca3_rsa_pss_key,
|
||||
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
|
||||
+ .requires_pkcs11_pss = 1,
|
||||
+ },
|
||||
+ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
|
||||
+ .pk = GNUTLS_PK_RSA,
|
||||
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
|
||||
.cert = &server_ca3_rsa_pss_cert,
|
||||
.key = &server_ca3_rsa_pss_key,
|
||||
.exp_kx = GNUTLS_KX_ECDHE_RSA,
|
||||
.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
|
||||
},
|
||||
- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
|
||||
+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
|
||||
.pk = GNUTLS_PK_EDDSA_ED25519,
|
||||
.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
|
||||
.cert = &server_ca3_eddsa_cert,
|
||||
@ -1,10 +1,11 @@
|
||||
# This spec file has been automatically updated
|
||||
Version: 3.6.1
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Patch1: gnutls-3.2.7-rpath.patch
|
||||
Patch2: gnutls-3.4.2-no-now-guile.patch
|
||||
Patch3: gnutls-3.6.1-pkcs11-loading.patch
|
||||
Patch4: gnutls-3.6.1-pkcs11-loading2.patch
|
||||
Patch5: gnutls-3.6.1-pkcs11-tests.patch
|
||||
%bcond_without dane
|
||||
%bcond_without guile
|
||||
Summary: A TLS protocol implementation
|
||||
@ -142,6 +143,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
||||
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
||||
@ -272,6 +274,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 2 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.1-4
|
||||
- Rebuilt to address incompatibility with new nettle
|
||||
|
||||
* Thu Nov 30 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.1-3
|
||||
- Corrected regression from 3.6.1-2 which prevented the loading of
|
||||
arbitrary p11-kit modules (#1507402)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user