From 653a5af202e72c9aaab590e4394e471925436afc Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Mon, 18 Sep 2017 13:54:44 +0200
Subject: [PATCH] + libimobiledevice-1.2.0-13 GNUTLS 3.6.0 compatibility bug fixes
---
...-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch | 47 +++++++++++++++++++
...ef-GnuTLS-Use-valid-serial-for-3.6.0.patch | 45 ++++++++++++++++++
libimobiledevice.spec | 9 +++-
3 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 0001-userpref-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch
create mode 100644 0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch
diff --git a/0001-userpref-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch b/0001-userpref-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch
new file mode 100644
index 0000000..5404438
--- /dev/null
+++ b/0001-userpref-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch
@@ -0,0 +1,47 @@
+From 0994996671d98b67d576ebe4a7b1314a61411066 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Fri, 15 Sep 2017 16:00:09 +0200
+Subject: [PATCH 1/2] userpref: [GnuTLS] Fix 3.6.0 SHA1 compatibility
+
+Verification will fail if a special flag is not passed. Use
+gnutls_x509_crt_sign2() instead of gnutls_x509_crt_sign() to make
+sure that passing this flag works in 3.6.0 and stays working with
+3.6.1.
+---
+ common/userpref.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/userpref.c b/common/userpref.c
+index 3ae503a..f496fee 100644
+--- a/common/userpref.c
++++ b/common/userpref.c
+@@ -603,7 +603,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_set_ca_status(root_cert, 1);
+ gnutls_x509_crt_set_activation_time(root_cert, time(NULL));
+ gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
+- gnutls_x509_crt_sign(root_cert, root_cert, root_privkey);
++ gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0);
+
+ gnutls_x509_crt_set_key(host_cert, host_privkey);
+ gnutls_x509_crt_set_serial(host_cert, "\x00", 1);
+@@ -612,7 +612,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE);
+ gnutls_x509_crt_set_activation_time(host_cert, time(NULL));
+ gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
+- gnutls_x509_crt_sign(host_cert, root_cert, root_privkey);
++ gnutls_x509_crt_sign2(host_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0);
+
+ /* export to PEM format */
+ size_t root_key_export_size = 0;
+@@ -720,7 +720,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ }
+
+ gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
+- gnutls_error = gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
++ gnutls_error = gnutls_x509_crt_sign2(dev_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0);
+ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* if everything went well, export in PEM format */
+ size_t export_size = 0;
+--
+2.14.1
+
diff --git a/0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch b/0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch
new file mode 100644
index 0000000..f89c2bd
--- /dev/null
+++ b/0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch
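Review bot: The `gnutls_x509_crt_sign2()` calls added at -603 and -612 of common/userpref.c (root_cert and host_cert) discard the return value, whereas the dev_cert call at -720 stores it in `gnutls_error` and tests it; if signing the root or host certificate fails, the code presumably carries on to the PEM export with an unsigned certificate. I would check those two calls as well, e.g. `if (gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0) != GNUTLS_E_SUCCESS) { /* abort key generation */ }`. The digest is also pinned to `GNUTLS_DIG_SHA1` with flags `0`, while the patch description speaks of passing a special flag, so a short comment such as `/* SHA-1 kept on purpose; GnuTLS >= 3.6.0 rejects it by default on verification */` should record why a weak digest is chosen, if device compatibility is indeed the reason. pair_record_generate_keys_and_certs() begins and ends outside these hunks, so the right error path is not visible here.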
@@ -0,0 +1,45 @@
+From 3c1ca82ba31945de4e673525afb4774189011ce4 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Fri, 15 Sep 2017 16:02:42 +0200
+Subject: [PATCH 2/2] userpref: [GnuTLS] Use valid serial for >= 3.6.0
+
+Another change in 3.6.0 is that a serial of '\0' is not valid anymore.
+Bump it to one.
+---
+ common/userpref.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/userpref.c b/common/userpref.c
+index f496fee..be745cb 100644
+--- a/common/userpref.c
++++ b/common/userpref.c
+@@ -598,7 +598,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+
+ /* generate certificates */
+ gnutls_x509_crt_set_key(root_cert, root_privkey);
+- gnutls_x509_crt_set_serial(root_cert, "\x00", 1);
++ gnutls_x509_crt_set_serial(root_cert, "\x01", 1);
+ gnutls_x509_crt_set_version(root_cert, 3);
+ gnutls_x509_crt_set_ca_status(root_cert, 1);
+ gnutls_x509_crt_set_activation_time(root_cert, time(NULL));
+@@ -606,7 +606,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0);
+
+ gnutls_x509_crt_set_key(host_cert, host_privkey);
+- gnutls_x509_crt_set_serial(host_cert, "\x00", 1);
++ gnutls_x509_crt_set_serial(host_cert, "\x01", 1);
+ gnutls_x509_crt_set_version(host_cert, 3);
+ gnutls_x509_crt_set_ca_status(host_cert, 0);
+ gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE);
+@@ -703,7 +703,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* now generate device certificate */
+ gnutls_x509_crt_set_key(dev_cert, fake_privkey);
+- gnutls_x509_crt_set_serial(dev_cert, "\x00", 1);
++ gnutls_x509_crt_set_serial(dev_cert, "\x01", 1);
+ gnutls_x509_crt_set_version(dev_cert, 3);
+ gnutls_x509_crt_set_ca_status(dev_cert, 0);
+ gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));
+--
+2.14.1
+
diff --git a/libimobiledevice.spec b/libimobiledevice.spec
index 8176380..da329da 100644
--- a/libimobiledevice.spec
+++ b/libimobiledevice.spec
@@ -7,7 +7,7 @@ Name: libimobiledevice Version: 1.2.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Library for connecting to mobile devices Group: System Environment/Libraries
@@ -18,6 +18,9 @@ Source0: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar. # git format-patch --stdout 344409e1d1ad917d377b256214c5411dda82e6b0...5a85432719fb3d18027d528f87d2a44b76fd3e12 # b5a70e9aaf538dad0aba0b800b122955e8ac494b was manually removed Patch0: 344409e1d1ad917d377b256214c5411dda82e6b0...5a85432719fb3d18027d528f87d2a44b76fd3e12.patch +# GNUTLS 3.6.0 bug fixes +Patch1: 0001-userpref-GnuTLS-Fix-3.6.0-SHA1-compatibility.patch +Patch2: 0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch BuildRequires: glib2-devel BuildRequires: gnutls-devel
@@ -116,6 +119,10 @@ find %{buildroot} -type f -name "*.la" -delete %endif %changelog +* Fri Sep 15 2017 Bastien Nocera - 1.2.0-13 ++ libimobiledevice-1.2.0-13 +- GNUTLS 3.6.0 compatibility bug fixes + * Fri Sep 15 2017 Bastien Nocera - 1.2.0-12 + libimobiledevice-1.2.0-12 - Replace patches with a single mega-patch
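Review bot: In 0002-userpref-GnuTLS-Use-valid-serial-for-3.6.0.patch all three certificates now carry the same serial `"\x01"`, and host_cert and dev_cert are both signed by root_cert, so a single issuer hands out two certificates with an identical serial number; RFC 5280 requires serials to be unique per issuing CA, and stricter X.509 consumers may identify a certificate by issuer plus serial. Distinct values would avoid that, e.g. `gnutls_x509_crt_set_serial(host_cert, "\x02", 1);` and `gnutls_x509_crt_set_serial(dev_cert, "\x03", 1);`, provided the devices accept them. The return value of `gnutls_x509_crt_set_serial()` is still ignored at -598, -606 and -703, which is presumably how the rejected zero serial went unnoticed until a later step failed; checking it would surface the next such library change at the call site. The enclosing function continues outside these hunks.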