Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2017-09-25 13:50:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Mon Sep 25 13:50:29 2017 rev:104 rq:528289 version:3.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2017-09-12 19:38:09.896419331 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2017-09-25 13:50:31.533889938 +0200 
@@ -1,0 +2,94 @@ +Wed Sep 20 12:36:16 UTC 2017 - [email protected] + +- Disable flaky dtls_resume test on Power + * add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch + +------------------------------------------------------------------- +Mon Sep 18 11:47:23 UTC 2017 - [email protected] + +- GnuTLS 3.6.0: + * Introduce a lock-free random generator which operates per- + thread and eliminates random-generator related bottlenecks in + multi-threaded operation. + * Replace the Salsa20 random generator with one based on CHACHA. + The goal is to reduce code needed in cache (CHACHA is also + used for TLS), and the number of primitives used by the + library. That does not affect the AES-DRBG random generator + used in FIPS140-2 mode. + * Add support for RSA-PSS key type as well as signatures in + certificates, and TLS key exchange + * Add support for Ed25519 signing in certificates and TLS key + exchange following draft-ietf-tls-rfc4492bis-17 + * Enable X25519 key exchange by default, following + draft-ietf-tls-rfc4492bis-17. + * Add support for Diffie-Hellman group negotiation following + RFC7919. + * Introduce various sanity checks on certificate import + * Introduce gnutls_x509_crt_set_flags(). This function can set + flags in the crt structure. The only flag supported at the + moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the + certificate sanity checks on import. + * PKIX certificates with unknown critical extensions are rejected + on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS + * Refuse to generate a certificate with an illegal version, or an + illegal serial number. That is, gnutls_x509_crt_set_version() + and gnutls_x509_crt_set_serial(), will fail on input considered + to be invalid in RFC5280. 
+ * Call to gnutls_record_send() and gnutls_record_recv() prior to + handshake being complete are now refused + * Add support for PKCS#12 files with no salt (zero length) in + their password encoding, and PKCS#12 files using SHA384 and + SHA512 as MAC. + * libgnutls: Exported functions to encode and decode DSA and ECDSA + r,s values. + * Add new callback setting function to gnutls_privkey_t for + external keys. The new function (gnutls_privkey_import_ext4), + allows signing in addition to previous algorithms (RSA PKCS#1 + 1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys. + * Introduce the %VERIFY_ALLOW_BROKEN and + %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These + allows enabling all broken and SHA1-based signature algorithms + in certificate verification, respectively. + * 3DES-CBC is no longer included in the default priorities list. + It has to be explicitly enabled, e.g., with a string like + "NORMAL:+3DES-CBC". + * SHA1 was marked as insecure for signing certificates. + Verification of certificates signed with SHA1 is now considered + insecure and will fail, unless flags intended to enable broken + algorithms are set. Other uses of SHA1 are still allowed. + * RIPEMD160 was marked as insecure for certificate signatures. + Verification of certificates signed with RIPEMD160 hash + algorithm is now considered insecure and will fail, unless + flags intended to enable broken algorithms are set. + * No longer enable SECP192R1 and SECP224R1 by default on TLS + handshakes. These curves were rarely used for that purpose, + provide no advantage over x25519 and were deprecated by TLS 1.3. + * Remove support for DEFLATE, or any other compression method. + * OpenPGP authentication was removed; the resulting library is ABI + compatible, with the openpgp related functions being stubs that + fail on invocation. + Drop gnutls-broken-openpgp-tests.patch, no longer required. 
+ * Remove support for libidn (i.e., IDNA2003); gnutls can now be + compiled only with libidn2 which provides IDNA2008. + * certtool: The option '--load-ca-certificate' can now accept + PKCS#11 URLs in addition to files. + * certtool: The option '--load-crl' can now be used when + generating PKCS#12 files (i.e., in conjunction with '--to-p12' option). + * certtool: Keys with provable RSA and DSA parameters are now + only read and exported from PKCS#8 form, following + draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. + This removes support for the previous a non-standard key format. + * certtool: Added support for generating, printing and handling + RSA-PSS and Ed25519 keys and certificates. + * certtool: the parameters --rsa, --dsa and --ecdsa to + --generate-privkey are now deprecated, replaced by the + --key-type option. + * p11tool: The --generate-rsa, --generate-ecc and --generate-dsa + options were replaced by the --generate-privkey option. + * psktool: Generate 256-bit keys by default. + * gnutls-server: Increase request buffer size to 16kb, and added + the --alpn and --alpn-fatal options, allowing testing of ALPN + negotiation. + * Enables FIPS 140-2 mode during build + +------------------------------------------------------------------- Old: ---- gnutls-3.5.15.tar.xz gnutls-3.5.15.tar.xz.sig gnutls-broken-openpgp-tests.patch New: ---- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch gnutls-3.6.0.tar.xz gnutls-3.6.0.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.9m6c14/_old 2017-09-25 13:50:32.889699178 +0200 +++ /var/tmp/diff_new_pack.9m6c14/_new 2017-09-25 13:50:32.889699178 +0200 
@@ -23,18 +23,18 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.5.15 +Version: 3.6.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ AND GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/%{name}-%{version}.tar.xz.sig +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig Source2: %{name}.keyring Source3: baselibs.conf -Patch0: gnutls-broken-openpgp-tests.patch Patch1: gnutls-3.5.11-skip-trust-store-tests.patch +Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -157,14 +157,17 @@ %prep %setup -q -%patch0 -p1 %patch1 -p1 +# dtls-resume test fails on PPC +%ifarch ppc64 ppc64le ppc +%patch2 -p1 +%endif %build export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" -autoreconf -fvi +autoreconf -fiv %configure \ gl_cv_func_printf_directive_n=yes \ gl_cv_func_printf_infinite_long_double=yes \ @@ -174,7 +177,6 @@ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-sysroot=/%{?_sysroot} \ --with-guile-site-dir=no \ - --disable-openpgp-authentication \ %if %{without tpm} --without-tpm \ %endif @@ -183,6 +185,7 @@ %else --disable-libdane \ %endif + --enable-fips140-mode \ %{nil} make %{?_smp_mflags} ++++++ gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ++++++ Index: gnutls-3.6.0/tests/dtls/Makefile.am =================================================================== --- gnutls-3.6.0.orig/tests/dtls/Makefile.am 2017-04-19 21:49:27.000000000 +0200 +++ gnutls-3.6.0/tests/dtls/Makefile.am 2017-09-20 14:33:56.763416427 +0200 
@@ -19,7 +19,7 @@ # along with this file; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -dist_check_SCRIPTS = dtls dtls-nb dtls-resume +dist_check_SCRIPTS = dtls dtls-nb AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) AM_CPPFLAGS = \ @@ -41,7 +41,7 @@ LDADD = ../../lib/libgnutls.la \ if !WINDOWS check_PROGRAMS = dtls-stress -TESTS = dtls dtls-resume +TESTS = dtls endif ++++++ gnutls-3.5.15.tar.xz -> gnutls-3.6.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.5.15.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new/gnutls-3.6.0.tar.xz differ: char 26, line 1
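Review bot: In the gnutls.changes hunk, the last bullet under "GnuTLS 3.6.0:" ("Enables FIPS 140-2 mode during build") is a packaging decision, not an upstream change, and it does not say what it means for users of the package. Move it out of the upstream list into its own top-level "- " item, name the configure switch it refers to (--enable-fips140-mode), and state whether the library's behaviour changes on systems that are not running in FIPS mode. The same entry lists several tightened defaults (verification of SHA1-signed certificates now fails, 3DES-CBC is out of the default priorities, SECP192R1 and SECP224R1 are off by default, calls to gnutls_record_send() before the handshake completes are refused); a sentence on whether dependent packages were rebuilt and tested against them would help whoever has to triage the fallout.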
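Review bot: In the gnutls.spec hunk at @@ -23,18 +23,18 @@, Source0 and Source1 are only moved from v3.5 to v3.6 and still use ftp://, so the tarball and its detached signature both arrive over an unauthenticated transport and Source2 (%{name}.keyring) is the only integrity anchor. Nothing visible in this diff shows the signature being checked against that keyring; please confirm that the check runs for gnutls-3.6.0.tar.xz.sig, and switch the URLs to an authenticated transport if upstream offers one.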
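Review bot: In the %prep hunk at @@ -157,14 +157,17 @@, the comment "# dtls-resume test fails on PPC" disagrees with the changelog, which calls the test flaky, and neither points to a bug report. Because %patch2 removes the test from the build on ppc64, ppc64le and ppc, DTLS session resumption goes untested on those architectures; add a bug or upstream issue reference to the comment so the exclusion can be dropped once the cause is found. The autoreconf change from -fvi to -fiv in the same hunk only reorders flags and can be left out of the diff.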
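Review bot: In the %configure hunk at @@ -183,6 +185,7 @@, --enable-fips140-mode is added unconditionally after the %endif, while the neighbouring TPM switch is guarded by a %bcond (%if %{without tpm}). A matching %bcond for FIPS mode would let the option be turned off for a rebuild without editing the spec, and would make it obvious in the header that this is a packaging choice.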
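Review bot: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch starts directly at "Index: gnutls-3.6.0/tests/dtls/Makefile.am" with no description header, so the patch file itself records neither why the test is disabled nor where the failure is tracked. In the first hunk (@@ -19,7 +19,7 @@) dtls-resume is also removed from dist_check_SCRIPTS, which is not needed to stop the test from running: dropping it from TESTS in the second hunk (@@ -41,7 +41,7 @@) is sufficient and keeps the change smaller and easier to revert.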
