diff --git a/.gitignore b/.gitignore
index 0efc727..f558b80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.2.13-hobbled.tar.xz
 /gnutls-3.3.0-hobbled.tar.xz
 /gnutls-3.3.1-hobbled.tar.xz
+/gnutls-3.3.2-hobbled.tar.xz
diff --git a/0001-Added-the-very-weak-certificate-verification-profile.patch b/0001-Added-the-very-weak-certificate-verification-profile.patch
deleted file mode 100644
index 52c3248..0000000
--- a/0001-Added-the-very-weak-certificate-verification-profile.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos
-Date: Mon, 5 May 2014 11:58:25 +0200
-Subject: [PATCH] Added the 'very weak' certificate verification profile.
-
-This profile corresponds to a 64-bit security level (e.g., RSA
-parameters of 768 bits).
----
- doc/cha-gtls-app.texi | 6 ++++++
- lib/gnutls_priority.c | 6 ++++++
- lib/includes/gnutls/x509.h | 3 +++
- lib/priority_options.gperf | 1 +
- lib/x509/verify.c | 1 +
- 6 files changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
-index 877ee90..769eed1 100644
---- a/lib/gnutls_priority.c
-+++ b/lib/gnutls_priority.c
-@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
- {
- c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
- }
-+static void enable_profile_very_weak(gnutls_priority_t c)
-+{
-+ c->additional_verify_flags &= 0x00ffffff;
-+ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
-+ c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
-+}
- static void enable_profile_low(gnutls_priority_t c)
- {
- c->additional_verify_flags &= 0x00ffffff;
-diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
-index b4b24b9..cad804e 100644
---- a/lib/includes/gnutls/x509.h
-+++ b/lib/includes/gnutls/x509.h
-@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
- 
- /**
- * gnutls_certificate_verification_profiles_t:
-+ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
-+ * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
- * @GNUTLS_PROFILE_LOW: A verification profile that
- * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
- * @GNUTLS_PROFILE_LEGACY: A verification profile that
-@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
- * Enumeration of different certificate verification profiles.
- */
- typedef enum gnutls_certificate_verification_profiles_t {
-+ GNUTLS_PROFILE_VERY_WEAK = 1,
- GNUTLS_PROFILE_LOW = 2,
- GNUTLS_PROFILE_LEGACY = 4,
- GNUTLS_PROFILE_MEDIUM = 5,
-diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
-index fd081c5..79f3f7d 100644
---- a/lib/priority_options.gperf
-+++ b/lib/priority_options.gperf
-@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
- DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
- DISABLE_WILDCARDS, disable_wildcards
- SERVER_PRECEDENCE, enable_server_precedence
-+PROFILE_VERY_WEAK, enable_profile_very_weak
- PROFILE_LOW, enable_profile_low
- PROFILE_LEGACY, enable_profile_legacy
- PROFILE_MEDIUM, enable_profile_medium
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d9b7fb7..037cd8e 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -433,6 +433,7 @@ int hash;
- return gnutls_assert_val(0);
- 
- switch (profile) {
-+ CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
- CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
- CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
- CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
---
-1.9.0
-
diff --git a/gnutls-3.3.1-default-policy.patch b/gnutls-3.3.1-default-policy.patch
new file mode 100644
index 0000000..631ad72
--- /dev/null
+++ b/gnutls-3.3.1-default-policy.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 769eed1..3a94b20 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -1107,6 +1107,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ int algo;
+ rmadd_func *fn;
+ bulk_rmadd_func *bulk_fn;
++ unsigned dset = 0;
+ 
+ *priority_cache =
+ gnutls_calloc(1, sizeof(struct gnutls_priority_st));
+@@ -1126,10 +1127,16 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ 
+ (*priority_cache)->max_empty_records = DEFAULT_MAX_EMPTY_RECORDS;
+ 
+- if (priorities == NULL)
+- priorities = "NORMAL";
++ if (priorities == NULL) {
++ priorities = "@SYSTEM";
++ dset = 1;
++ }
+ 
+ darg = resolve_priorities(priorities);
++ if (darg == NULL && dset == 1) {
++ priorities = "NORMAL";
++ darg = resolve_priorities(priorities);
++ }
+ if (darg == NULL) {
+ gnutls_assert();
+ goto error;
diff --git a/gnutls-global-deinit.patch b/gnutls-global-deinit.patch
deleted file mode 100644
index 6783bdc..0000000
--- a/gnutls-global-deinit.patch
+++ /dev/null
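Review bot: The fallback from `@SYSTEM` to `NORMAL` in the second inner hunk is silent: when `resolve_priorities("@SYSTEM")` returns NULL — whether the system policy file is absent, unreadable or malformed — the caller ends up with the built-in NORMAL priorities and nothing records that the configured system policy was not applied. An operator checking a host for policy compliance would want at least a debug-log line at the fallback, e.g. `_gnutls_debug_log("could not resolve @SYSTEM priorities, falling back to NORMAL\n");` before `priorities = "NORMAL";` (assuming that is the logging helper available in this file), plus a one-line comment stating that a missing or broken policy is deliberately tolerated rather than treated as an error. The `dset` flag only ever holds 0 or 1, so `dset == 1` could read `dset`, or the variable could be a `bool` if the file already uses `<stdbool.h>`. The enclosing `gnutls_priority_init` starts and ends outside this hunk.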
@@ -1,99 +0,0 @@
-diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
-index 9b7047a..8cd9fd3 100644
---- a/lib/gnutls_global.c
-+++ b/lib/gnutls_global.c
-@@ -53,8 +53,8 @@ extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
- void *_gnutls_file_mutex;
- void *_gnutls_pkcs11_mutex;
- 
--ASN1_TYPE _gnutls_pkix1_asn;
--ASN1_TYPE _gnutls_gnutls_asn;
-+ASN1_TYPE _gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
-+ASN1_TYPE _gnutls_gnutls_asn = ASN1_TYPE_EMPTY;
- 
- gnutls_log_func _gnutls_log_func = NULL;
- gnutls_audit_log_func _gnutls_audit_log_func = NULL;
-@@ -166,6 +166,9 @@ gnutls_global_set_mem_functions(gnutls_alloc_function alloc_func,
- GNUTLS_STATIC_MUTEX(global_init_mutex);
- static int _gnutls_init = 0;
- 
-+/* cache the return code */
-+static int _gnutls_init_ret = 0;
-+
- /**
- * gnutls_global_init:
- *
-@@ -186,6 +189,9 @@ static int _gnutls_init = 0;
- * do not support library constructors and static linking. This
- * function also became thread safe.
- *
-+ * A subsequent call of this function if the initial has failed will
-+ * return the same error code.
-+ *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
- * otherwise a negative error code is returned.
- **/
-@@ -199,7 +205,7 @@ int gnutls_global_init(void)
- 
- _gnutls_init++;
- if (_gnutls_init > 1) {
-- ret = 0;
-+ ret = _gnutls_init_ret;
- goto out;
- }
- 
-@@ -235,14 +241,17 @@ int gnutls_global_init(void)
- goto out;
- }
- 
-+ _gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
- res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL);
- if (res != ASN1_SUCCESS) {
-+ gnutls_assert();
- ret = _gnutls_asn2err(res);
- goto out;
- }
- 
- res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL);
- if (res != ASN1_SUCCESS) {
-+ gnutls_assert();
- ret = _gnutls_asn2err(res);
- goto out;
- }
-@@ -306,6 +315,7 @@ int gnutls_global_init(void)
- ret = 0;
- 
- out:
-+ _gnutls_init_ret = ret;
- GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex);
- return ret;
- }
-@@ -316,11 +326,19 @@ static void _gnutls_global_deinit(unsigned destructor)
- 
- if (_gnutls_init == 1) {
- _gnutls_init = 0;
-+ if (_gnutls_init_ret < 0) {
-+ /* only deinitialize if gnutls_global_init() has
-+ * succeeded */
-+ gnutls_assert();
-+ goto fail;
-+ }
-+
- gnutls_crypto_deinit();
- _gnutls_rnd_deinit();
- _gnutls_ext_deinit();
- asn1_delete_structure(&_gnutls_gnutls_asn);
- asn1_delete_structure(&_gnutls_pkix1_asn);
-+
- _gnutls_crypto_deregister();
- gnutls_system_global_deinit();
- _gnutls_cryptodev_deinit();
-@@ -341,6 +359,8 @@ static void _gnutls_global_deinit(unsigned destructor)
- if (_gnutls_init > 0)
- _gnutls_init--;
- }
-+
-+ fail:
- GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex);
- }
- 
diff --git a/gnutls-othername.patch b/gnutls-othername.patch
deleted file mode 100644
index abdd462..0000000
--- a/gnutls-othername.patch
+++ /dev/null
@@ -1,27 +0,0 @@ -From 9b8271f0015526f017aa70b8d1f3a8fa1f8d3a62 Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Sat, 19 Apr 2014 18:32:07 +0200 -Subject: [PATCH 01/01] Treat othername as printable (i.e., null terminate it), - as the XMPP printing code assumes that. - ---- - lib/x509/x509.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/x509/x509.c b/lib/x509/x509.c -index d13c231..e63f059 100644 ---- a/lib/x509/x509.c -+++ b/lib/x509/x509.c -@@ -847,7 +847,8 @@ gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert, void *ret, - inline static int is_type_printable(int type) - { - if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || -- type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP) -+ type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP || -+ type == GNUTLS_SAN_OTHERNAME) - return 1; - else - return 0; --- -1.9.0 - diff --git a/gnutls.spec b/gnutls.spec index 937c71b..31ee380 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -2,8 +2,8 @@ %bcond_with guile Summary: A TLS protocol implementation Name: gnutls -Version: 3.3.1 -Release: 4%{?dist} +Version: 3.3.2 +Release: 1%{?dist} # The libraries are LGPLv2.1+, utilities are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries @@ -30,11 +30,9 @@ Source1: libgnutls-config Source2: hobble-gnutls Patch1: gnutls-3.2.7-rpath.patch # Use only FIPS approved ciphers in the FIPS mode -Patch7: gnutls-2.12.21-fips-algorithms.patch -Patch8: gnutls-3.1.11-nosrp.patch -Patch9: gnutls-othername.patch -Patch10: gnutls-global-deinit.patch -Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch +Patch2: gnutls-2.12.21-fips-algorithms.patch +Patch3: gnutls-3.1.11-nosrp.patch +Patch4: gnutls-3.3.1-default-policy.patch # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 
@@ -137,11 +135,9 @@ This package contains Guile bindings for the library. %patch1 -p1 -b .rpath # This patch is not applicable as we use nettle now but some parts will be # later reused. -#%patch7 -p1 -b .fips -%patch8 -p1 -b .nosrp -%patch9 -p1 -b .othername -%patch10 -p1 -b .global-deinit -%patch11 -p1 -b .very-weak +#%patch2 -p1 -b .fips +%patch3 -p1 -b .nosrp +%patch4 -p1 -b .default-policy sed 's/gnutls_srp.c//g' -i lib/Makefile.in sed 's/gnutls_srp.lo//g' -i lib/Makefile.in @@ -275,6 +271,9 @@ fi %endif %changelog +* Fri May 09 2014 Nikos Mavrogiannopoulos 3.3.2-1 +- new upstream release + * Mon May 05 2014 Nikos Mavrogiannopoulos 3.3.1-4 - Replaced /etc/crypto-profiles/apps with /etc/crypto-policies/back-ends. - Added support for "very weak" profile. diff --git a/sources b/sources index 779f5aa..bca435d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -14b004be63ef286edcce5d0f7aa10d6f gnutls-3.3.1-hobbled.tar.xz +4a729f47d5b87f484b0f16e92e5d30e5 gnutls-3.3.2-hobbled.tar.xz