Rebuilt to address incompatibility with new nettle
Added patch to allow PKCS#11 testsuite to pass with new softhsm.
parent
044b95c01a
commit
b75661390d
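--- /dev/null
+++ b/gnutls-3.6.1-pkcs11-tests.patch
@@ -0,0 +1,69 @@
+diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
+index ca16600130..c85d8789df 100644
+--- a/tests/pkcs11/tls-neg-pkcs11-key.c
++++ b/tests/pkcs11/tls-neg-pkcs11-key.c
+@@ -247,45 +247,52 @@ typedef struct test_st {
+} test_st;
+
+static const test_st tests[] = {
+- {.name = "ecc key",
++ {.name = "tls1.2: ecc key",
+.pk = GNUTLS_PK_ECDSA,
+- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
++ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
+.cert = &server_ca3_localhost_ecc_cert,
+.key = &server_ca3_ecc_key,
+.exp_kx = GNUTLS_KX_ECDHE_ECDSA
+},
+- {.name = "rsa-sign key",
++ {.name = "tls1.2: rsa-sign key",
+.pk = GNUTLS_PK_RSA,
+- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
++ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
+.cert = &server_ca3_localhost_cert,
+.key = &server_ca3_key,
+.exp_kx = GNUTLS_KX_ECDHE_RSA
+},
+- {.name = "rsa-sign key with rsa-pss sigs prioritized",
++ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
+.pk = GNUTLS_PK_RSA,
+- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
++ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
+.cert = &server_ca3_localhost_cert,
+.key = &server_ca3_key,
+.exp_kx = GNUTLS_KX_ECDHE_RSA
+},
+- {.name = "rsa-pss-sign key",
++ {.name = "tls1.2: rsa-pss-sign key",
+.pk = GNUTLS_PK_RSA_PSS,
+- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
++ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
+.cert = &server_ca3_rsa_pss2_cert,
+.key = &server_ca3_rsa_pss2_key,
+.exp_kx = GNUTLS_KX_ECDHE_RSA,
+.requires_pkcs11_pss = 1,
+- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
+},
+- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
++ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
+.pk = GNUTLS_PK_RSA,
+- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
++ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
++ .cert = &server_ca3_rsa_pss_cert,
++ .key = &server_ca3_rsa_pss_key,
++ .exp_kx = GNUTLS_KX_ECDHE_RSA,
++ .requires_pkcs11_pss = 1,
++ },
++ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
++ .pk = GNUTLS_PK_RSA,
++ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
+.cert = &server_ca3_rsa_pss_cert,
+.key = &server_ca3_rsa_pss_key,
+.exp_kx = GNUTLS_KX_ECDHE_RSA,
+.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
+},
+- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
++ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
+.pk = GNUTLS_PK_EDDSA_ED25519,
+.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+.cert = &server_ca3_eddsa_cert,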
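Review bot: The last entry in the embedded hunk is renamed to `"tls1.2: ed25519 cert, ed25519 key"`, but its `.prio` is an unchanged context line, still `"NORMAL:+ECDHE-RSA:+ECDHE-ECDSA"`. Unlike every other renamed entry, it is not pinned with `:-VERS-TLS-ALL:+VERS-TLS1.2`. Either append that suffix or keep the old name, so the test label matches the protocol version actually offered. The `tests[]` initializer runs past the end of the hunk, so the rest of that entry is not visible here. Separately, the comment `/* we expect the server to refuse negotiating */` was removed along with the old entry; restoring it on the new `"tls1.2: rsa-pss cert, rsa-sign key no PSS signatures"` entry would document why it sets `.exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES`.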
@ -1,10 +1,11 @@
|
|||||||
# This spec file has been automatically updated
|
# This spec file has been automatically updated
|
||||||
Version: 3.6.1
|
Version: 3.6.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Patch1: gnutls-3.2.7-rpath.patch
|
Patch1: gnutls-3.2.7-rpath.patch
|
||||||
Patch2: gnutls-3.4.2-no-now-guile.patch
|
Patch2: gnutls-3.4.2-no-now-guile.patch
|
||||||
Patch3: gnutls-3.6.1-pkcs11-loading.patch
|
Patch3: gnutls-3.6.1-pkcs11-loading.patch
|
||||||
Patch4: gnutls-3.6.1-pkcs11-loading2.patch
|
Patch4: gnutls-3.6.1-pkcs11-loading2.patch
|
||||||
|
Patch5: gnutls-3.6.1-pkcs11-tests.patch
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%bcond_without guile
|
%bcond_without guile
|
||||||
Summary: A TLS protocol implementation
|
Summary: A TLS protocol implementation
|
||||||
@ -142,6 +143,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
|||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
|
||||||
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
|
||||||
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
rm -f lib/minitasn1/*.c lib/minitasn1/*.h
|
||||||
@ -272,6 +274,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 2 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.1-4
|
||||||
|
- Rebuilt to address incompatibility with new nettle
|
||||||
|
|
||||||
* Thu Nov 30 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.1-3
|
* Thu Nov 30 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.6.1-3
|
||||||
- Corrected regression from 3.6.1-2 which prevented the loading of
|
- Corrected regression from 3.6.1-2 which prevented the loading of
|
||||||
arbitrary p11-kit modules (#1507402)
|
arbitrary p11-kit modules (#1507402)
|
||||||
|