Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2019-02-04 21:25:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Mon Feb 4 21:25:11 2019 rev:116 rq:671140 version:3.6.6 Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2018-12-03 10:09:16.167771081 +0100 +++ /work/SRC/openSUSE:Factory/.gnutls.new.28833/gnutls.changes 2019-02-04 21:25:14.943597851 +0100 @@ -1,0 +2,66 @@ +Mon Feb 4 12:41:43 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Update to 3.6.6 + ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits + on the public key (#640). + ** libgnutls: Added support for raw public-key authentication as defined in RFC7250. + Raw public-keys can be negotiated by enabling the corresponding certificate + types via the priority strings. The raw public-key mechanism must be explicitly + enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). + ** libgnutls: When on server or client side we are sending no extensions we do + not set an empty extensions field but we rather remove that field competely. + This solves a regression since 3.5.x and improves compatibility of the server + side with certain clients. + ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if + the CKA_SIGN is not set (#667). + ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely + disable extensions at all cases, while providing a functional session. This + also implies that when specified, TLS1.3 is disabled. + ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. + The previous definition was non-functional (#609). +- drop no longer needed gnutls-enbale-guile-2.2.patch +- refresh disable-psk-file-test.patch + +------------------------------------------------------------------- +Wed Jan 2 13:36:26 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Update to 3.6.5 + ** libgnutls: Provide the option of transparent re-handshake/reauthentication + when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). + ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) + ** libgnutls: The priority functions will ignore and not enable TLS1.3 if + requested with legacy TLS versions enabled but not TLS1.2. That is because + if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) + servers which do not support TLS1.3 will negotiate TLS1.2 which will be + rejected by the client as disabled (#621). + ** libgnutls: Change RSA decryption to use a new side-channel silent function. + This addresses a security issue where memory access patterns as well as timing + on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher + attacks. Side-channel resistant code is slower due to the need to mask + access and timings. When used in TLS the new functions cause RSA based + handshakes to be between 13% and 28% slower on average (Numbers are indicative, + the tests where performed on a relatively modern Intel CPU, results vary + depending on the CPU and architecture used). This change makes nettle 3.4.1 + the minimum requirement of gnutls (#630). [CVSS: medium] + ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword + in the priority string. It is only accepted as legacy option and is ignored. + ** libgnutls: Added support for EdDSA under PKCS#11 (#417) + ** libgnutls: Added support for AES-CFB8 cipher (#357) + ** libgnutls: Added support for AES-CMAC MAC (#351) + ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers + have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D + S-BOXes). They are fixed now. + ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private + keys parsing, as specified in R 50.1.112-2016. + ** gnutls-serv: It applies the default settings when no --priority option is given, + using gnutls_set_default_priority(). + ** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin + option (#561) + ** certtool: Add parameter --no-text that prevents certtool from outputting + text before PEM-encoded private key, public key, certificate, CRL or CSR. +- minimum required libnettle is now 3.4.1 +- refresh + * disable-psk-file-test.patch + * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch + +------------------------------------------------------------------- Old: ---- gnutls-3.6.4.tar.xz gnutls-3.6.4.tar.xz.sig gnutls-enbale-guile-2.2.patch New: ---- gnutls-3.6.6.tar.xz gnutls-3.6.6.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.F9K2ql/_old 2019-02-04 21:25:15.727597655 +0100 +++ /var/tmp/diff_new_pack.F9K2ql/_new 2019-02-04 21:25:15.731597654 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.4 +Version: 3.6.6 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later @@ -42,8 +42,6 @@ Patch1: gnutls-3.5.11-skip-trust-store-tests.patch Patch2: gnutls-3.6.0-disable-flaky-dtls_resume-test.patch Patch3: disable-psk-file-test.patch -# Search for guile-2.2, which is supported since 3.5.5 -Patch4: gnutls-enbale-guile-2.2.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -53,7 +51,7 @@ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel -BuildRequires: libnettle-devel >= 3.1 +BuildRequires: libnettle-devel >= 3.4.1 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel @@ -163,7 +161,6 @@ %setup -q %patch1 -p1 %patch3 -p1 -%patch4 -p1 # dtls-resume test fails on PPC %ifarch ppc64 ppc64le ppc %patch2 -p1 ++++++ disable-psk-file-test.patch ++++++ --- /var/tmp/diff_new_pack.F9K2ql/_old 2019-02-04 21:25:15.751597649 +0100 +++ /var/tmp/diff_new_pack.F9K2ql/_new 2019-02-04 21:25:15.751597649 +0100 @@ -1,17 +1,17 @@ -diff --git a/tests/Makefile.in b/tests/Makefile.in -index 07433e0..4ecd431 100644 ---- a/tests/Makefile.in -+++ b/tests/Makefile.in -@@ -457,7 +457,7 @@ am__EXEEXT_10 = tls13/supported_versions$(EXEEXT) \ +Index: gnutls-3.6.6/tests/Makefile.in +=================================================================== +--- gnutls-3.6.6.orig/tests/Makefile.in 2019-01-25 08:26:36.000000000 +0100 ++++ gnutls-3.6.6/tests/Makefile.in 2019-02-04 09:02:38.627539105 +0100 +@@ -480,7 +480,7 @@ am__EXEEXT_12 = tls13/supported_versions pkcs7-gen$(EXEEXT) dtls-etm$(EXEEXT) \ x509sign-verify-rsa$(EXEEXT) x509sign-verify-ecdsa$(EXEEXT) \ x509sign-verify-gost$(EXEEXT) mini-alignment$(EXEEXT) \ - oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) psk-file$(EXEEXT) \ + oids$(EXEEXT) atfork$(EXEEXT) prf$(EXEEXT) \ - priority-init2$(EXEEXT) status-request$(EXEEXT) \ - status-request-ok$(EXEEXT) status-request-missing$(EXEEXT) \ - sign-verify-ext$(EXEEXT) fallback-scsv$(EXEEXT) \ -@@ -1590,8 +1590,6 @@ privkey_verify_broken_OBJECTS = privkey-verify-broken.$(OBJEXT) + priority-init2$(EXEEXT) post-client-hello-change-prio$(EXEEXT) \ + status-request$(EXEEXT) status-request-ok$(EXEEXT) \ + status-request-missing$(EXEEXT) sign-verify-ext$(EXEEXT) \ +@@ -1652,8 +1652,6 @@ privkey_verify_broken_OBJECTS = privkey- privkey_verify_broken_LDADD = $(LDADD) privkey_verify_broken_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \ libutils.la $(am__DEPENDENCIES_2) @@ -20,43 +20,43 @@ psk_file_LDADD = $(LDADD) psk_file_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \ $(am__DEPENDENCIES_2) -@@ -2723,7 +2721,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts.Po \ - ./$(DEPDIR)/priority-init2.Po ./$(DEPDIR)/priority-mix.Po \ - ./$(DEPDIR)/priority-set.Po ./$(DEPDIR)/priority-set2.Po \ - ./$(DEPDIR)/privkey-keygen.Po \ +@@ -2841,7 +2839,7 @@ am__depfiles_remade = ./$(DEPDIR)/alerts + ./$(DEPDIR)/priorities.Po ./$(DEPDIR)/priority-init2.Po \ + ./$(DEPDIR)/priority-mix.Po ./$(DEPDIR)/priority-set.Po \ + ./$(DEPDIR)/priority-set2.Po ./$(DEPDIR)/privkey-keygen.Po \ - ./$(DEPDIR)/privkey-verify-broken.Po ./$(DEPDIR)/psk-file.Po \ + ./$(DEPDIR)/privkey-verify-broken.Po \ ./$(DEPDIR)/pskself.Po ./$(DEPDIR)/pubkey-import-export.Po \ - ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/record-pad.Po \ - ./$(DEPDIR)/record-retvals.Po \ -@@ -3021,7 +3019,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $(libutils_la_SOURCES) alerts.c \ - pkcs7-gen.c pkcs8-key-decode.c pkcs8-key-decode-encrypted.c \ - prf.c priorities.c priorities-groups.c priority-init2.c \ - priority-mix.c priority-set.c priority-set2.c privkey-keygen.c \ + ./$(DEPDIR)/random-art.Po ./$(DEPDIR)/rawpk-api.Po \ + ./$(DEPDIR)/record-pad.Po ./$(DEPDIR)/record-retvals.Po \ +@@ -3153,7 +3151,7 @@ SOURCES = $(libpkcs11mock1_la_SOURCES) $ + post-client-hello-change-prio.c prf.c priorities.c \ + priorities-groups.c priority-init2.c priority-mix.c \ + priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ - pubkey-import-export.c random-art.c record-pad.c \ + pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ -@@ -3183,7 +3181,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_SOURCES_DIST) \ - pkcs7-gen.c pkcs8-key-decode.c pkcs8-key-decode-encrypted.c \ - prf.c priorities.c priorities-groups.c priority-init2.c \ - priority-mix.c priority-set.c priority-set2.c privkey-keygen.c \ +@@ -3323,7 +3321,7 @@ DIST_SOURCES = $(am__libpkcs11mock1_la_S + post-client-hello-change-prio.c prf.c priorities.c \ + priorities-groups.c priority-init2.c priority-mix.c \ + priority-set.c priority-set2.c privkey-keygen.c \ - privkey-verify-broken.c psk-file.c pskself.c \ + privkey-verify-broken.c pskself.c \ - pubkey-import-export.c random-art.c record-pad.c \ + pubkey-import-export.c random-art.c rawpk-api.c record-pad.c \ record-retvals.c record-sizes.c record-sizes-range.c \ record-timeouts.c recv-data-before-handshake.c \ -@@ -4734,7 +4732,7 @@ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \ - x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \ - server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal \ - pkcs7-gen dtls-etm x509sign-verify-rsa x509sign-verify-ecdsa \ -- x509sign-verify-gost mini-alignment oids atfork prf psk-file \ -+ x509sign-verify-gost mini-alignment oids atfork prf \ - priority-init2 status-request status-request-ok \ +@@ -4915,7 +4913,7 @@ ctests = tls13/supported_versions tls13/ + gnutls_ocsp_resp_list_import2 server-sign-md5-rep \ + privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ + x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ +- mini-alignment oids atfork prf psk-file priority-init2 \ ++ mini-alignment oids atfork prf priority-init2 \ + post-client-hello-change-prio status-request status-request-ok \ status-request-missing sign-verify-ext fallback-scsv \ pkcs8-key-decode urls dtls-rehandshake-cert key-usage-rsa \ -@@ -5872,10 +5870,6 @@ privkey-verify-broken$(EXEEXT): $(privkey_verify_broken_OBJECTS) $(privkey_verif +@@ -6099,10 +6097,6 @@ privkey-verify-broken$(EXEEXT): $(privke @rm -f privkey-verify-broken$(EXEEXT) $(AM_V_CCLD)$(LINK) $(privkey_verify_broken_OBJECTS) $(privkey_verify_broken_LDADD) $(LIBS) @@ -67,7 +67,7 @@ pskself$(EXEEXT): $(pskself_OBJECTS) $(pskself_DEPENDENCIES) $(EXTRA_pskself_DEPENDENCIES) @rm -f pskself$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pskself_OBJECTS) $(pskself_LDADD) $(LIBS) -@@ -6862,7 +6856,6 @@ distclean-compile: +@@ -7133,7 +7127,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/priority-set2.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-keygen.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey-verify-broken.Po@am__quote@ # am--include-marker @@ -75,7 +75,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pskself.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey-import-export.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-art.Po@am__quote@ # am--include-marker -@@ -8913,13 +8906,6 @@ prf.log: prf$(EXEEXT) +@@ -9258,13 +9251,6 @@ prf.log: prf$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) @@ -89,7 +89,7 @@ priority-init2.log: priority-init2$(EXEEXT) @p='priority-init2$(EXEEXT)'; \ b='priority-init2'; \ -@@ -10883,7 +10869,6 @@ distclean: distclean-recursive +@@ -11316,7 +11302,6 @@ distclean: distclean-recursive -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po @@ -97,7 +97,7 @@ -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po -@@ -11318,7 +11303,6 @@ maintainer-clean: maintainer-clean-recursive +@@ -11766,7 +11751,6 @@ maintainer-clean: maintainer-clean-recur -rm -f ./$(DEPDIR)/priority-set2.Po -rm -f ./$(DEPDIR)/privkey-keygen.Po -rm -f ./$(DEPDIR)/privkey-verify-broken.Po @@ -105,15 +105,3 @@ -rm -f ./$(DEPDIR)/pskself.Po -rm -f ./$(DEPDIR)/pubkey-import-export.Po -rm -f ./$(DEPDIR)/random-art.Po -diff --git a/tests/Makefile.am b/tests/Makefile.am ---- a/tests/Makefile.am 2018-11-21 16:31:27.871806950 +0100 -+++ b/tests/Makefile.am 2018-11-21 16:31:47.952191845 +0100 -@@ -167,7 +167,7 @@ - tls13-cert-key-exchange x509-cert-callback-ocsp gnutls_ocsp_resp_list_import2 \ - server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ - x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ -- mini-alignment oids atfork prf psk-file priority-init2 \ -+ mini-alignment oids atfork prf priority-init2 \ - status-request status-request-ok status-request-missing sign-verify-ext \ - fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \ - key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \ ++++++ gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ++++++ --- /var/tmp/diff_new_pack.F9K2ql/_old 2019-02-04 21:25:15.763597646 +0100 +++ /var/tmp/diff_new_pack.F9K2ql/_new 2019-02-04 21:25:15.767597645 +0100 @@ -1,8 +1,8 @@ -Index: gnutls-3.6.3/tests/Makefile.am +Index: gnutls-3.6.5/tests/Makefile.am =================================================================== ---- gnutls-3.6.3.orig/tests/Makefile.am -+++ gnutls-3.6.3/tests/Makefile.am -@@ -406,7 +406,7 @@ if !WINDOWS +--- gnutls-3.6.5.orig/tests/Makefile.am 2019-01-04 14:11:28.196622546 +0100 ++++ gnutls-3.6.5/tests/Makefile.am 2019-01-04 14:11:29.080627637 +0100 +@@ -445,7 +445,7 @@ if !WINDOWS # List of tests not available/functional under windows # @@ -11,20 +11,20 @@ indirect_tests += dtls-stress -Index: gnutls-3.6.3/tests/Makefile.in +Index: gnutls-3.6.5/tests/Makefile.in =================================================================== ---- gnutls-3.6.3.orig/tests/Makefile.in -+++ gnutls-3.6.3/tests/Makefile.in -@@ -161,7 +161,7 @@ host_triplet = @host@ +--- gnutls-3.6.5.orig/tests/Makefile.in 2019-01-04 14:11:28.200622568 +0100 ++++ gnutls-3.6.5/tests/Makefile.in 2019-01-04 14:11:44.352715599 +0100 +@@ -164,7 +164,7 @@ host_triplet = @host@ # # List of tests not available/functional under windows # --@WINDOWS_FALSE@am__append_12 = dtls/dtls dtls/dtls-resume fastopen.sh \ -+@WINDOWS_FALSE@am__append_12 = dtls/dtls fastopen.sh \ +-@WINDOWS_FALSE@am__append_13 = dtls/dtls dtls/dtls-resume fastopen.sh \ ++@WINDOWS_FALSE@am__append_13 = dtls/dtls fastopen.sh \ @WINDOWS_FALSE@ pkgconfig.sh starttls.sh starttls-ftp.sh \ @WINDOWS_FALSE@ starttls-smtp.sh starttls-lmtp.sh \ @WINDOWS_FALSE@ starttls-pop3.sh starttls-nntp.sh \ -@@ -2507,7 +2507,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM +@@ -2663,7 +2663,7 @@ x509sign_verify_rsa_DEPENDENCIES = $(COM $(am__DEPENDENCIES_2) am__dist_check_SCRIPTS_DIST = rfc2253-escape-test \ rsa-md5-collision/rsa-md5-collision.sh systemkey.sh dtls/dtls \ ++++++ gnutls-3.6.4.tar.xz -> gnutls-3.6.6.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.6.4.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new.28833/gnutls-3.6.6.tar.xz differ: char 26, line 1
