Hello community, here is the log from the commit of package librelp for openSUSE:Factory checked in at 2014-03-22 09:08:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/librelp (Old) and /work/SRC/openSUSE:Factory/.librelp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "librelp" Changes: -------- --- /work/SRC/openSUSE:Factory/librelp/librelp.changes 2014-03-18 14:15:07.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.librelp.new/librelp.changes 2014-03-22 09:08:36.000000000 +0100 @@ -1,0 +2,7 @@ +Thu Mar 20 16:18:03 UTC 2014 - [email protected] + +- update to 1.2.5: + - permit to use anonymous TLS on platforms where GnuTLS lacks + certificate verification function + +------------------------------------------------------------------- Old: ---- librelp-1.2.4.tar.gz New: ---- librelp-1.2.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ librelp.spec ++++++ --- /var/tmp/diff_new_pack.FeIkxF/_old 2014-03-22 09:08:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FeIkxF/_new 2014-03-22 09:08:37.000000000 +0100 @@ -18,7 +18,7 @@ Name: librelp %define library_name librelp0 -Version: 1.2.4 +Version: 1.2.5 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://www.librelp.com/ @@ -28,9 +28,9 @@ Group: Development/Libraries/C and C++ BuildRequires: pkgconfig %if 0%{?sles_version} && 0%{?sles_version} <= 11 -BuildRequires: libgnutls-devel >= 2.9.10 +BuildRequires: libgnutls-devel >= 2.0.0 %else -BuildRequires: pkgconfig(gnutls) >= 2.9.10 +BuildRequires: pkgconfig(gnutls) >= 2.0.0 %endif %description ++++++ librelp-1.2.4.tar.gz -> librelp-1.2.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/ChangeLog new/librelp-1.2.5/ChangeLog --- old/librelp-1.2.4/ChangeLog 2014-03-15 11:21:27.000000000 +0100 +++ new/librelp-1.2.5/ChangeLog 2014-03-20 14:23:37.000000000 +0100 
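Review bot: Lowering both `BuildRequires` floors to `>= 2.0.0` in the `@@ -28,9 +28,9 @@` hunk lets the package build against a GnuTLS for which the new configure check reports "no; authentication disabled". Nothing in the spec would then notice that the resulting librelp0 offers only anonymous, unauthenticated TLS. If every target this spec builds for already met the old floor (not visible from this hunk), keeping `BuildRequires: pkgconfig(gnutls) >= 2.9.10` costs nothing and keeps certificate verification compiled in. Otherwise the build should fail, or at least record the downgrade, when the configure summary prints `TLS authentication supported: no`.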
@@ -1,4 +1,9 @@ ---------------------------------------------------------------------- +Version 1.2.5 - 2014-03-20 +- permit to use anonymous TLS on platforms where GnuTLS misses + certificate verification function. This permits to use at least + anon TLS on platforms like RHEL and CENTOS 6. +---------------------------------------------------------------------- Version 1.2.4 - 2014-03-17 - correct API/ABI change in 1.2.3 My reasoning was flawed, and we could run into problems with diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/config.h.in new/librelp-1.2.5/config.h.in --- old/librelp-1.2.4/config.h.in 2014-03-15 11:21:46.000000000 +0100 +++ new/librelp-1.2.5/config.h.in 2014-03-20 14:24:45.000000000 +0100 @@ -19,6 +19,9 @@ /* Define to 1 if you have the `epoll_create1' function. */ #undef HAVE_EPOLL_CREATE1 +/* do we have gnutls_certificate_set_verify_function */ +#undef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION + /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/configure new/librelp-1.2.5/configure --- old/librelp-1.2.4/configure 2014-03-15 11:21:40.000000000 +0100 +++ new/librelp-1.2.5/configure 2014-03-20 14:24:38.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for librelp 1.2.4. +# Generated by GNU Autoconf 2.69 for librelp 1.2.5. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='librelp' PACKAGE_TARNAME='librelp' -PACKAGE_VERSION='1.2.4' -PACKAGE_STRING='librelp 1.2.4' +PACKAGE_VERSION='1.2.5' +PACKAGE_STRING='librelp 1.2.5' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' 
@@ -1323,7 +1323,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures librelp 1.2.4 to adapt to many kinds of systems. +\`configure' configures librelp 1.2.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1393,7 +1393,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of librelp 1.2.4:";; + short | recursive ) echo "Configuration of librelp 1.2.5:";; esac cat <<\_ACEOF @@ -1508,7 +1508,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -librelp configure 1.2.4 +librelp configure 1.2.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2034,7 +2034,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by librelp $as_me 1.2.4, which was +It was created by librelp $as_me 1.2.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2897,7 +2897,7 @@ # Define the identity of the package. PACKAGE='librelp' - VERSION='1.2.4' + VERSION='1.2.5' cat >>confdefs.h <<_ACEOF @@ -2970,7 +2970,7 @@ # Define the identity of the package. PACKAGE='librelp' - VERSION='1.2.4' + VERSION='1.2.5' cat >>confdefs.h <<_ACEOF 
@@ -12619,12 +12619,12 @@ pkg_cv_GNUTLS_CFLAGS="$GNUTLS_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.9.10\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gnutls >= 2.9.10") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.0.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gnutls >= 2.0.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_GNUTLS_CFLAGS=`$PKG_CONFIG --cflags "gnutls >= 2.9.10" 2>/dev/null` + pkg_cv_GNUTLS_CFLAGS=`$PKG_CONFIG --cflags "gnutls >= 2.0.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -12636,12 +12636,12 @@ pkg_cv_GNUTLS_LIBS="$GNUTLS_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.9.10\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gnutls >= 2.9.10") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.0.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gnutls >= 2.0.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_GNUTLS_LIBS=`$PKG_CONFIG --libs "gnutls >= 2.9.10" 2>/dev/null` + pkg_cv_GNUTLS_LIBS=`$PKG_CONFIG --libs "gnutls >= 2.0.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes 
@@ -12662,14 +12662,14 @@ _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - GNUTLS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gnutls >= 2.9.10" 2>&1` + GNUTLS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gnutls >= 2.0.0" 2>&1` else - GNUTLS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gnutls >= 2.9.10" 2>&1` + GNUTLS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gnutls >= 2.0.0" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$GNUTLS_PKG_ERRORS" >&5 - as_fn_error $? "Package requirements (gnutls >= 2.9.10) were not met: + as_fn_error $? "Package requirements (gnutls >= 2.0.0) were not met: $GNUTLS_PKG_ERRORS 
@@ -12704,8 +12704,53 @@ $as_echo "#define ENABLE_TLS 1" >>confdefs.h + # Check if we have support for proper cert validation + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have gnutls_certificate_set_verify_function" >&5 +$as_echo_n "checking if we have gnutls_certificate_set_verify_function... " >&6; } + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $GNUTLS_CFLAGS" + save_LIBS="$LIBS" + LIBS="$LIBS $GNUTLS_LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <gnutls/gnutls.h> + #include <gnutls/x509.h> + +int +main () +{ + + gnutls_certificate_set_verify_function(NULL, NULL); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION 1" >>confdefs.h + + have_gnutls_certificate_set_verify_function=yes + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no; authentication disabled" >&5 +$as_echo "no; authentication disabled" >&6; } + have_gnutls_certificate_set_verify_function=no + + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CFLAGS="$save_CFLAGS" + LIBS="$save_LIBS" fi + # debug mode settings # Check whether --enable-debug was given. if test "${enable_debug+set}" = set; then : @@ -13276,7 +13321,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by librelp $as_me 1.2.4, which was +This file was extended by librelp $as_me 1.2.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -13342,7 +13387,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -librelp config.status 1.2.4 +librelp config.status 1.2.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -15116,6 +15161,7 @@ echo "*****************************************************" echo "librelp will be compiled with the following settings:" echo -echo "Debug mode enabled: $enable_debug" -echo "TLS enabled: $enable_tls" +echo "Debug mode enabled: $enable_debug" +echo "TLS enabled: $enable_tls" +echo "TLS authentication supported: $have_gnutls_certificate_set_verify_function" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/configure.ac new/librelp-1.2.5/configure.ac --- old/librelp-1.2.4/configure.ac 2014-03-15 11:21:15.000000000 +0100 +++ new/librelp-1.2.5/configure.ac 2014-03-20 14:21:44.000000000 +0100 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([librelp], [1.2.4], [[email protected]]) +AC_INIT([librelp], [1.2.5], [[email protected]]) AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) 
@@ -58,10 +58,34 @@ [enable_tls="yes"] ) if test "$enable_tls" = "yes"; then - PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.9.10) + PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0) AC_DEFINE(ENABLE_TLS, 1, [Defined if TLS support is enabled]) + # Check if we have support for proper cert validation + AC_MSG_CHECKING(if we have gnutls_certificate_set_verify_function) + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $GNUTLS_CFLAGS" + save_LIBS="$LIBS" + LIBS="$LIBS $GNUTLS_LIBS" + AC_TRY_LINK( + [ + #include <gnutls/gnutls.h> + #include <gnutls/x509.h> + ], [ + gnutls_certificate_set_verify_function(NULL, NULL); + ],[ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION, 1, [do we have gnutls_certificate_set_verify_function]) + have_gnutls_certificate_set_verify_function=yes + ],[ + AC_MSG_RESULT(no; authentication disabled) + have_gnutls_certificate_set_verify_function=no + ] + ) + CFLAGS="$save_CFLAGS" + LIBS="$save_LIBS" fi + # debug mode settings AC_ARG_ENABLE(debug, [AS_HELP_STRING([--enable-debug],[Enable debug mode @<:@default=no@:>@])], @@ -91,6 +115,7 @@ echo "*****************************************************" echo "librelp will be compiled with the following settings:" echo -echo "Debug mode enabled: $enable_debug" -echo "TLS enabled: $enable_tls" +echo "Debug mode enabled: $enable_debug" +echo "TLS enabled: $enable_tls" +echo "TLS authentication supported: $have_gnutls_certificate_set_verify_function" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/src/librelp.h new/librelp-1.2.5/src/librelp.h --- old/librelp-1.2.4/src/librelp.h 2014-03-14 07:51:13.000000000 +0100 +++ new/librelp-1.2.5/src/librelp.h 2014-03-20 09:02:05.000000000 +0100 
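Review bot: In the `@@ -58,10 +58,34 @@` hunk, a GnuTLS without the verify function is reported only as the check result `no; authentication disabled`, which is easy to miss in a build log for a change that removes peer authentication. An explicit `AC_MSG_WARN([GnuTLS lacks gnutls_certificate_set_verify_function; only anonymous (unauthenticated) TLS will be available])` in the failure branch would make it visible. `have_gnutls_certificate_set_verify_function` is also assigned only inside `if test "$enable_tls" = "yes"`, so the new summary line prints an empty value when that block is skipped; setting `have_gnutls_certificate_set_verify_function=no` before the `if` fixes that. As a style point, `AC_TRY_LINK` is the obsolete spelling; `AC_LINK_IFELSE([AC_LANG_PROGRAM([[...]], [[...]])], ...)` is the current form.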
@@ -151,8 +151,9 @@ #define RELP_RET_ERR_INVAL RELPERR_BASE + 41 /**< some parameter is invalid (like EINVAL) */ #define RELP_RET_ERR_EPOLL_CTL RELPERR_BASE + 42 /**< epoll_ctl() failed */ #define RELP_RET_ERR_INTERNAL RELPERR_BASE + 43 /**< internal error in librelp (bug) */ -#define RELP_RET_WRN_NO_KEEPALIVE RELPERR_BASE + 44/**< KEEPALIVE cannot be enabled */ +#define RELP_RET_WRN_NO_KEEPALIVE RELPERR_BASE + 44 /**< KEEPALIVE cannot be enabled */ #define RELP_RET_ERR_NO_TLS RELPERR_BASE + 45 /**< librelp compiled without TLS support */ +#define RELP_RET_ERR_NO_TLS_AUTH RELPERR_BASE + 46 /**< platform does not provide TLS auth support */ /* some macros to work with librelp error codes */ #define CHKRet(code) if((iRet = code) != RELP_RET_OK) goto finalize_it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.4/src/tcp.c new/librelp-1.2.5/src/tcp.c --- old/librelp-1.2.4/src/tcp.c 2014-03-12 17:59:22.000000000 +0100 +++ new/librelp-1.2.5/src/tcp.c 2014-03-20 09:02:05.000000000 +0100 @@ -4,6 +4,10 @@ * * This file is part of librelp. * + * Note: gnutls_certificate_set_verify_function is problematic, as it + * is not available in old GnuTLS versions, but rather important + * for verifying certificates correctly. + * * Librelp is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or @@ -62,7 +66,9 @@ #ifdef ENABLE_TLS /* forward definitions */ +#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION static int relpTcpVerifyCertificateCallback(gnutls_session_t session); +#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ static relpRetVal relpTcpPermittedPeerWildcardCompile(tcpPermittedPeerEntry_t *pEtry); /* helper to free permittedPeer structure */ 
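Review bot: The doc comment on `RELP_RET_ERR_NO_TLS_AUTH` in the librelp.h hunk says only that the platform lacks TLS auth support, not when a caller will see it or what still works. Judging from the tcp.c hunks in this diff, it is returned when a non-anonymous TLS session is set up on a build without `HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION`. I would write it as `/**< certificate-based TLS auth requested, but this build's GnuTLS lacks gnutls_certificate_set_verify_function; only anonymous (unauthenticated) TLS is available */`. That wording tells callers to treat the code as a configuration error rather than as a cue to retry with anonymous TLS.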
@@ -751,6 +757,7 @@ } #ifdef ENABLE_TLS +#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION /* Convert a fingerprint to printable data. The function must be provided a * sufficiently large buffer. 512 bytes shall always do. */ @@ -805,6 +812,7 @@ } return r; } +#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ /* add a wildcard entry to this permitted peer. Entries are always * added at the tail of the list. pszStr and lenStr identify the wildcard @@ -932,6 +940,7 @@ LEAVE_RELPFUNC; } +#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION /* check a peer against a wildcard entry. This is a more lengthy * operation. */ @@ -1233,6 +1242,7 @@ gnutls_x509_crt_deinit(cert); return r; } +#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ #if 0 /* enable if needed for debugging */ static void logFunction(int level, const char *msg) @@ -1271,6 +1281,7 @@ } gnutls_anon_set_server_dh_params(pThis->anoncredSrv, pThis->dh_params); } else { +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION r = gnutls_certificate_allocate_credentials(&pThis->xcred); if(chkGnutlsCode(pThis, "Failed to allocate certificate credentials", RELP_RET_ERR_TLS_SETUP, r)) { ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP); @@ -1292,6 +1303,9 @@ if(pThis->authmode == eRelpAuthMode_None) pThis->authmode = eRelpAuthMode_Fingerprint; gnutls_certificate_set_verify_function(pThis->xcred, relpTcpVerifyCertificateCallback); +# else /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ + ABORT_FINALIZE(RELP_RET_ERR_NO_TLS_AUTH); +# endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ } finalize_it: LEAVE_RELPFUNC; @@ -1606,6 +1620,7 @@ ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP); } } else { +# ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION r = gnutls_certificate_allocate_credentials(&pThis->xcred); if(chkGnutlsCode(pThis, "Failed to allocate certificate credentials", RELP_RET_ERR_TLS_SETUP, r)) { ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP); 
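Review bot: In the `@@ -1292,6 +1303,9 @@` hunk the new `# else` branch does `ABORT_FINALIZE(RELP_RET_ERR_NO_TLS_AUTH);` with no diagnostic, whereas the failures just above it in the same branch go through `chkGnutlsCode(pThis, "...", ...)` with a message. An operator therefore gets only a bare return code when certificate mode is refused. Refusing is the right behaviour and should stay fail-closed, so I would add a comment above the abort such as `/* fail closed: without the verify callback no peer can be authenticated; refuse instead of downgrading to anon TLS */`. If an error-reporting path is reachable from here (not visible in the hunk), it should emit a message too. The same applies to the `# else` branch in the `@@ -1633,6 +1648,9 @@` hunk; both enclosing functions start outside the hunks shown.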
@@ -1633,6 +1648,9 @@ if(pThis->authmode == eRelpAuthMode_None) pThis->authmode = eRelpAuthMode_Fingerprint; gnutls_certificate_set_verify_function(pThis->xcred, relpTcpVerifyCertificateCallback); +# else /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ + ABORT_FINALIZE(RELP_RET_ERR_NO_TLS_AUTH); +# endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */ } gnutls_transport_set_ptr(pThis->session, (gnutls_transport_ptr_t) pThis->sock); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
