Hello community,
here is the log from the commit of package gnutls for openSUSE:Factory checked
in at 2015-04-18 10:38:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
and /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls"
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2015-04-07
09:28:39.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2015-04-18
10:38:19.000000000 +0200
@@ -0,0 +1,137 @@
+
+-------------------------------------------------------------------
+Sun Apr 12 10:16:33 UTC 2015 - meiss...@suse.com
+
+- updated to 3.4.0 (released 2015-04-08)
+
+ ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
+ ciphersuites. The former are enabled by default, the latter need to be
+ explicitly enabled, since they reduce the overall security level.
+
+ ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
+ draft-mavrogiannopoulos-chacha-tls-05 and
draft-irtf-cfrg-chacha20-poly1305-10.
+ That is currently provided as technology preview and is not enabled by
+ default, since there are no assigned ciphersuite points by IETF and there
+ is no guarrantee of compatibility between draft versions. The ciphersuite
+ priority string to enable it is "+CHACHA20-POLY1305".
+
+ ** libgnutls: Added support for encrypt-then-authenticate in CBC
+ ciphersuites (RFC7366 -taking into account its errata text). This is
+ enabled by default and can be disabled using the %NO_ETM priority
+ string.
+
+ ** libgnutls: Added support for the extended master secret
+ (triple-handshake fix) following draft-ietf-tls-session-hash-02.
+
+ ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
+
+ ** libgnutls: SSL 3.0 is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+VERS-SSL3.0".
+
+ ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+ARCFOUR-128".
+
+ ** libgnutls: DSA signatures and DHE-DSS are no longer included in the
+ default priorities list. They have to be explicitly enabled, e.g., with
+ a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
+ DSA ciphersuites were dropped because they had no deployment at all
+ on the internet, to justify their inclusion.
+
+ ** libgnutls: The priority string EXPORT was completely removed. The string
+ was already defunc as support for the EXPORT ciphersuites was removed in
+ GnuTLS 3.2.0.
+
+ ** libgnutls: Added API to utilize system specific private keys in
+ "gnutls/system-keys.h". It is currently provided as technology preview
+ and is restricted to windows CNG keys.
+
+ ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
+ RFC6125 comparison of hostnames. That introduces a dependency on libidn.
+
+ ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
+ PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
+
+ ** libgnutls: Depend on nettle 3.1.
+
+ ** libgnutls: Use getrandom() or getentropy() when available. That
+ avoids the complexity of file descriptor handling and issues with
+ applications closing all open file descriptors on startup.
+
+ ** libgnutls: Use pthread_atfork() to detect fork when available.
+
+ ** libgnutls: The gnutls_handshake() process will enforce a timeout by
+ default.
+
+ ** libgnutls: If a key purpose (extended key usage) is specified for
verification,
+ it is applied into intermediate certificates. The verification result
+ GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
+
+ ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
+ combination with PKCS #11, or TPM URLs, it will utilize the provided
+ password as PIN if required. That removes the requirement for the
+ application to set a callback for PINs in that case.
+
+ ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
+ restricted to the corresponding protocols only, and the VERS-ALL
+ string is introduced to catch all possible protocols.
+
+ ** libgnutls: Added helper functions to obtain information on PKCS #8
+ structures.
+
+ ** libgnutls: Certificate chains which are provided to
gnutls_certificate_credentials_t
+ will automatically be sorted instead of failing with
GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
+
+ ** libgnutls: Added functions to export and set the record state. That
+ allows for gnutls_record_send() and recv() to be offloaded (to kernel,
+ hardware or any other subsystem).
+
+ ** libgnutls: Added the ability to register application specific URL
+ types, which express certificates and keys using
gnutls_register_custom_url().
+
+ ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
+ to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
+ gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
+ gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().
+
+ ** libgnutls: Added gnutls_ext_register() to register custom extensions.
+ Contributed by Thierry Quemerais.
+
+ ** libgnutls: Added gnutls_supplemental_register() to register custom
+ supplemental data handshake messages. Contributed by Thierry Quemerais.
+
+ ** libgnutls-openssl: it is no longer built by default.
+
+
+ ** certtool: Added --p8-info option, which will print PKCS #8 information
+ even if the password is not available.
+
+ ** certtool: --key-info option will print PKCS #8 encryption information
+ when available.
+
+ ** certtool: Added the --key-id and --fingerprint options.
+
+ ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
+ options to be used in certificate chain verification, to simulate
verification
+ for specific hostname and key purpose (extended key usage).
+
+ ** certtool: --p12-info option will print PKCS #12 MAC and cipher information
+ when available.
+
+ ** certtool: it will print the A-label (ACE) names in addition to UTF-8.
+
+ ** p11tool: added options --set-id and --set-label.
+
+ ** gnutls-cli: added options --priority-list and --save-cert.
+
+ ** guile: Deprecated priority API has been removed. The old priority API,
+ which had been deprecated for some time, is now gone; use
'set-session-priorities!'
+ instead.
+
+ ** guile: Remove RSA parameters and related procedures. This API had been
+ deprecated.
+
+ ** guile: Fix compilation on MinGW. Previously only the static version of
the
+ 'guile-gnutls-v-2' library would be built, preventing dynamic loading from
Guile.
+
@@ -32,0 +170,8 @@
+
+- new main library major version .so.30
+- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1
+- Now need to configure --enable-openssl-compatibility (might go away)
+- added gnutls-fix-double-mans.patch: avoid double installing manpages
+- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed
+ anymore
+- install_info_delete moved from %postun to %preun
Old:
----
gnutls-3.0.26-skip-test-fwrite.patch
gnutls-3.3.14.tar.xz
gnutls-3.3.14.tar.xz.sig
New:
----
gnutls-3.4.0.tar.xz
gnutls-3.4.0.tar.xz.sig
gnutls-fix-double-mans.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.LdwcH5/_old 2015-04-18 10:38:20.000000000 +0200
+++ /var/tmp/diff_new_pack.LdwcH5/_new 2015-04-18 10:38:20.000000000 +0200
@@ -16,9 +16,12 @@
#
-%define gnutls_sover 28
+%define gnutls_sover 30
%define gnutlsxx_sover 28
+%bcond_without gnutls_openssl_compat
+%if %{with gnutls_openssl_compat}
%define gnutls_ossl_sover 27
+%endif
%bcond_with dane
%if %{with dane}
%define gnutls_dane_sover 0
@@ -26,25 +29,25 @@
%bcond_with tpm
Name: gnutls
-Version: 3.3.14
+Version: 3.4.0
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1+ and GPL-3.0+
Group: Productivity/Networking/Security
Url: http://www.gnutls.org/
-Source0:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz
+Source0:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz
# signature is checked by source services.
-Source1:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig
+Source1:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz.sig
Source2: %name.keyring
Source3: baselibs.conf
-# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch
andreas.stie...@gmx.de -- skip a failing test
-Patch3: gnutls-3.0.26-skip-test-fwrite.patch
+# PATCH-FIX-UPSTREM gnutls-fix-double-mans.patch meiss...@suse.de -- fixed man
instll, is in upstream git for 3.4.1
+Patch0: gnutls-fix-double-mans.patch
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: libidn-devel
-BuildRequires: libnettle-devel >= 2.7
+BuildRequires: libnettle-devel >= 3.1
BuildRequires: libtasn1-devel >= 4.3
BuildRequires: libtool
%if %{with tpm}
@@ -54,13 +57,14 @@
BuildRequires: unbound-devel
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
%endif
-%ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64
+# disabled ppc - valgrind crashes on email cert tests currently. Marcus
20150413
+%ifarch %ix86 x86_64 ppc64 s390x ppc64le %arm aarch64
BuildRequires: valgrind
%endif
%if %suse_version >= 1230
BuildRequires: makeinfo
%endif
-BuildRequires: p11-kit-devel >= 0.20.7
+BuildRequires: p11-kit-devel >= 0.23.1
BuildRequires: pkg-config
BuildRequires: xz
BuildRequires: zlib-devel
@@ -103,6 +107,7 @@
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
+%if %{with gnutls_openssl_compat}
%package -n libgnutls-openssl%{gnutls_ossl_sover}
Summary: The GNU Transport Layer Security Library
@@ -114,6 +119,7 @@
layer over a reliable transport layer. Currently the GnuTLS library
implements the proposed standards of the IETF's TLS working group.
+%endif
%package -n libgnutls-devel
Summary: Development package for gnutls
@@ -148,7 +154,9 @@
License: GPL-3.0+
Group: Development/Libraries/C and C++
Requires: libgnutls-devel = %{version}
+%if %{with gnutls_openssl_compat}
Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}
+%endif
%description -n libgnutls-openssl-devel
Files needed for software development using gnutls.
@@ -156,7 +164,7 @@
%prep
%setup -q
-%patch3
+%patch0 -p1
%build
export LDFLAGS="-pie"
@@ -181,6 +189,9 @@
%else
--disable-libdane \
%endif
+%if %{with gnutls_openssl_compat}
+ --enable-openssl-compatibility \
+%endif
%__make
@@ -218,14 +229,16 @@
%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
+%if %{with gnutls_openssl_compat}
%post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
%postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig
+%endif
%post -n libgnutls-devel
%install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
-%postun -n libgnutls-devel
+%preun -n libgnutls-devel
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz
%files -f libgnutls.lang
@@ -258,9 +271,11 @@
%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
%endif
+%if %{with gnutls_openssl_compat}
%files -n libgnutls-openssl%{gnutls_ossl_sover}
%defattr(-,root,root)
%{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}*
+%endif
%files -n libgnutlsxx%{gnutlsxx_sover}
%defattr(-,root,root)
@@ -285,6 +300,8 @@
%{_includedir}/%{name}/x509.h
%{_includedir}/%{name}/x509-ext.h
%{_includedir}/%{name}/tpm.h
+%{_includedir}/%{name}/system-keys.h
+%{_includedir}/%{name}/urls.h
%{_libdir}/libgnutls.so
%if %{with dane}
%{_libdir}/libgnutls-dane.so
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.LdwcH5/_old 2015-04-18 10:38:20.000000000 +0200
+++ /var/tmp/diff_new_pack.LdwcH5/_new 2015-04-18 10:38:20.000000000 +0200
@@ -1,5 +1,5 @@
-libgnutls28
+libgnutls30
obsoletes "gnutls-<targettype>"
libgnutls-devel
requires -libgnutls-<targettype>
- requires "libgnutls28-<targettype> = <version>"
+ requires "libgnutls30-<targettype> = <version>"
++++++ gnutls-3.3.14.tar.xz -> gnutls-3.4.0.tar.xz ++++++
/work/SRC/openSUSE:Factory/gnutls/gnutls-3.3.14.tar.xz
/work/SRC/openSUSE:Factory/.gnutls.new/gnutls-3.4.0.tar.xz differ: char 26,
line 1
++++++ gnutls-fix-double-mans.patch ++++++
Index: gnutls-3.4.0/doc/manpages/Makefile.am
===================================================================
--- gnutls-3.4.0.orig/doc/manpages/Makefile.am
+++ gnutls-3.4.0/doc/manpages/Makefile.am
@@ -134,11 +134,8 @@ APIMANS += gnutls_certificate_get_peers.
APIMANS += gnutls_certificate_get_peers_subkey_id.3
APIMANS += gnutls_certificate_get_trust_list.3
APIMANS += gnutls_certificate_get_verify_flags.3
-APIMANS += gnutls_certificate_get_verify_flags.3
-APIMANS += gnutls_certificate_get_x509_crt.3
APIMANS += gnutls_certificate_get_x509_crt.3
APIMANS += gnutls_certificate_get_x509_key.3
-APIMANS += gnutls_certificate_get_x509_key.3
APIMANS += gnutls_certificate_send_x509_rdn_sequence.3
APIMANS += gnutls_certificate_server_set_request.3
APIMANS += gnutls_certificate_set_dh_params.3
