Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2015-04-18 10:38:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2015-04-07 09:28:39.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2015-04-18 10:38:19.000000000 +0200 
@@ -0,0 +1,137 @@ + +------------------------------------------------------------------- +Sun Apr 12 10:16:33 UTC 2015 - meiss...@suse.com + +- updated to 3.4.0 (released 2015-04-08) + + ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) + ciphersuites. The former are enabled by default, the latter need to be + explicitly enabled, since they reduce the overall security level. + + ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following + draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. + That is currently provided as technology preview and is not enabled by + default, since there are no assigned ciphersuite points by IETF and there + is no guarrantee of compatibility between draft versions. The ciphersuite + priority string to enable it is "+CHACHA20-POLY1305". + + ** libgnutls: Added support for encrypt-then-authenticate in CBC + ciphersuites (RFC7366 -taking into account its errata text). This is + enabled by default and can be disabled using the %NO_ETM priority + string. + + ** libgnutls: Added support for the extended master secret + (triple-handshake fix) following draft-ietf-tls-session-hash-02. + + ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). + + ** libgnutls: SSL 3.0 is no longer included in the default priorities + list. It has to be explicitly enabled, e.g., with a string like + "NORMAL:+VERS-SSL3.0". + + ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities + list. It has to be explicitly enabled, e.g., with a string like + "NORMAL:+ARCFOUR-128". + + ** libgnutls: DSA signatures and DHE-DSS are no longer included in the + default priorities list. They have to be explicitly enabled, e.g., with + a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The + DSA ciphersuites were dropped because they had no deployment at all + on the internet, to justify their inclusion. 
+ + ** libgnutls: The priority string EXPORT was completely removed. The string + was already defunc as support for the EXPORT ciphersuites was removed in + GnuTLS 3.2.0. + + ** libgnutls: Added API to utilize system specific private keys in + "gnutls/system-keys.h". It is currently provided as technology preview + and is restricted to windows CNG keys. + + ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use + RFC6125 comparison of hostnames. That introduces a dependency on libidn. + + ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final + PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). + + ** libgnutls: Depend on nettle 3.1. + + ** libgnutls: Use getrandom() or getentropy() when available. That + avoids the complexity of file descriptor handling and issues with + applications closing all open file descriptors on startup. + + ** libgnutls: Use pthread_atfork() to detect fork when available. + + ** libgnutls: The gnutls_handshake() process will enforce a timeout by + default. + + ** libgnutls: If a key purpose (extended key usage) is specified for verification, + it is applied into intermediate certificates. The verification result + GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. + + ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in + combination with PKCS #11, or TPM URLs, it will utilize the provided + password as PIN if required. That removes the requirement for the + application to set a callback for PINs in that case. + + ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are + restricted to the corresponding protocols only, and the VERS-ALL + string is introduced to catch all possible protocols. + + ** libgnutls: Added helper functions to obtain information on PKCS #8 + structures. + + ** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t + will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED. 
+ + ** libgnutls: Added functions to export and set the record state. That + allows for gnutls_record_send() and recv() to be offloaded (to kernel, + hardware or any other subsystem). + + ** libgnutls: Added the ability to register application specific URL + types, which express certificates and keys using gnutls_register_custom_url(). + + ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g., + to override AES-GCM using a system-specific accelerator. That is, (crypto.h) + gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(), + gnutls_crypto_register_mac(), and gnutls_crypto_register_digest(). + + ** libgnutls: Added gnutls_ext_register() to register custom extensions. + Contributed by Thierry Quemerais. + + ** libgnutls: Added gnutls_supplemental_register() to register custom + supplemental data handshake messages. Contributed by Thierry Quemerais. + + ** libgnutls-openssl: it is no longer built by default. + + + ** certtool: Added --p8-info option, which will print PKCS #8 information + even if the password is not available. + + ** certtool: --key-info option will print PKCS #8 encryption information + when available. + + ** certtool: Added the --key-id and --fingerprint options. + + ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose + options to be used in certificate chain verification, to simulate verification + for specific hostname and key purpose (extended key usage). + + ** certtool: --p12-info option will print PKCS #12 MAC and cipher information + when available. + + ** certtool: it will print the A-label (ACE) names in addition to UTF-8. + + ** p11tool: added options --set-id and --set-label. + + ** gnutls-cli: added options --priority-list and --save-cert. + + ** guile: Deprecated priority API has been removed. The old priority API, + which had been deprecated for some time, is now gone; use 'set-session-priorities!' + instead. + + ** guile: Remove RSA parameters and related procedures. 
This API had been + deprecated. + + ** guile: Fix compilation on MinGW. Previously only the static version of the + 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. + @@ -32,0 +170,8 @@ + +- new main library major version .so.30 +- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1 +- Now need to configure --enable-openssl-compatibility (might go away) +- added gnutls-fix-double-mans.patch: avoid double installing manpages +- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed + anymore +- install_info_delete moved from %postun to %preun Old: ---- gnutls-3.0.26-skip-test-fwrite.patch gnutls-3.3.14.tar.xz gnutls-3.3.14.tar.xz.sig New: ---- gnutls-3.4.0.tar.xz gnutls-3.4.0.tar.xz.sig gnutls-fix-double-mans.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.LdwcH5/_old 2015-04-18 10:38:20.000000000 +0200 +++ /var/tmp/diff_new_pack.LdwcH5/_new 2015-04-18 10:38:20.000000000 +0200 @@ -16,9 +16,12 @@ # -%define gnutls_sover 28 +%define gnutls_sover 30 %define gnutlsxx_sover 28 +%bcond_without gnutls_openssl_compat +%if %{with gnutls_openssl_compat} %define gnutls_ossl_sover 27 +%endif %bcond_with dane %if %{with dane} %define gnutls_dane_sover 0 
@@ -26,25 +29,25 @@ %bcond_with tpm Name: gnutls -Version: 3.3.14 +Version: 3.4.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz # signature is checked by source services. -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/%{name}-%{version}.tar.xz.sig +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/%{name}-%{version}.tar.xz.sig Source2: %name.keyring Source3: baselibs.conf -# PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stie...@gmx.de -- skip a failing test -Patch3: gnutls-3.0.26-skip-test-fwrite.patch +# PATCH-FIX-UPSTREM gnutls-fix-double-mans.patch meiss...@suse.de -- fixed man instll, is in upstream git for 3.4.1 +Patch0: gnutls-fix-double-mans.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel -BuildRequires: libnettle-devel >= 2.7 +BuildRequires: libnettle-devel >= 3.1 BuildRequires: libtasn1-devel >= 4.3 BuildRequires: libtool %if %{with tpm} @@ -54,13 +57,14 @@ BuildRequires: unbound-devel Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %endif -%ifarch %ix86 x86_64 ppc ppc64 s390x ppc64le %arm aarch64 +# disabled ppc - valgrind crashes on email cert tests currently. Marcus 20150413 +%ifarch %ix86 x86_64 ppc64 s390x ppc64le %arm aarch64 BuildRequires: valgrind %endif %if %suse_version >= 1230 BuildRequires: makeinfo %endif -BuildRequires: p11-kit-devel >= 0.20.7 +BuildRequires: p11-kit-devel >= 0.23.1 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel 
@@ -103,6 +107,7 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%if %{with gnutls_openssl_compat} %package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library @@ -114,6 +119,7 @@ layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%endif %package -n libgnutls-devel Summary: Development package for gnutls @@ -148,7 +154,9 @@ License: GPL-3.0+ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} +%if %{with gnutls_openssl_compat} Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} +%endif %description -n libgnutls-openssl-devel Files needed for software development using gnutls. @@ -156,7 +164,7 @@ %prep %setup -q -%patch3 +%patch0 -p1 %build export LDFLAGS="-pie" @@ -181,6 +189,9 @@ %else --disable-libdane \ %endif +%if %{with gnutls_openssl_compat} + --enable-openssl-compatibility \ +%endif %__make @@ -218,14 +229,16 @@ %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig +%if %{with gnutls_openssl_compat} %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig +%endif %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz -%postun -n libgnutls-devel +%preun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %files -f libgnutls.lang @@ -258,9 +271,11 @@ %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}* %endif +%if %{with gnutls_openssl_compat} %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* +%endif %files -n libgnutlsxx%{gnutlsxx_sover} %defattr(-,root,root) 
@@ -285,6 +300,8 @@ %{_includedir}/%{name}/x509.h %{_includedir}/%{name}/x509-ext.h %{_includedir}/%{name}/tpm.h +%{_includedir}/%{name}/system-keys.h +%{_includedir}/%{name}/urls.h %{_libdir}/libgnutls.so %if %{with dane} %{_libdir}/libgnutls-dane.so ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.LdwcH5/_old 2015-04-18 10:38:20.000000000 +0200 +++ /var/tmp/diff_new_pack.LdwcH5/_new 2015-04-18 10:38:20.000000000 +0200 @@ -1,5 +1,5 @@ -libgnutls28 +libgnutls30 obsoletes "gnutls-<targettype>" libgnutls-devel requires -libgnutls-<targettype> - requires "libgnutls28-<targettype> = <version>" + requires "libgnutls30-<targettype> = <version>" ++++++ gnutls-3.3.14.tar.xz -> gnutls-3.4.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/gnutls/gnutls-3.3.14.tar.xz /work/SRC/openSUSE:Factory/.gnutls.new/gnutls-3.4.0.tar.xz differ: char 26, line 1 ++++++ gnutls-fix-double-mans.patch ++++++ Index: gnutls-3.4.0/doc/manpages/Makefile.am =================================================================== --- gnutls-3.4.0.orig/doc/manpages/Makefile.am +++ gnutls-3.4.0/doc/manpages/Makefile.am @@ -134,11 +134,8 @@ APIMANS += gnutls_certificate_get_peers. APIMANS += gnutls_certificate_get_peers_subkey_id.3 APIMANS += gnutls_certificate_get_trust_list.3 APIMANS += gnutls_certificate_get_verify_flags.3 -APIMANS += gnutls_certificate_get_verify_flags.3 -APIMANS += gnutls_certificate_get_x509_crt.3 APIMANS += gnutls_certificate_get_x509_crt.3 APIMANS += gnutls_certificate_get_x509_key.3 -APIMANS += gnutls_certificate_get_x509_key.3 APIMANS += gnutls_certificate_send_x509_rdn_sequence.3 APIMANS += gnutls_certificate_server_set_request.3 APIMANS += gnutls_certificate_set_dh_params.3
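Review bot: In gnutls.spec at @@ -16,9 +16,12 @@, gnutls_sover moves from 28 to 30 while "%define gnutlsxx_sover 28" stays as unchanged context, and the .changes entry only mentions "new main library major version .so.30". Please confirm that the 3.4.0 C++ library really keeps soname 28, since the libgnutlsxx%{gnutlsxx_sover} package name and its scriptlets are derived from that macro and a stale value would name the subpackage after a library version that is no longer built.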
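Review bot: In gnutls.spec at @@ -26,25 +29,25 @@, the tag on the new patch comment is misspelled: "# PATCH-FIX-UPSTREM gnutls-fix-double-mans.patch" should read PATCH-FIX-UPSTREAM, and "instll" should be "install". Anything that searches spec files for the standard tag will not find this patch. The remark "is in upstream git for 3.4.1" would also be easier to act on at the next version update if it named the upstream commit.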
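Review bot: In gnutls.spec at @@ -54,13 +57,14 @@, ppc is dropped from the "%ifarch ... BuildRequires: valgrind" list with only the comment "valgrind crashes on email cert tests currently. Marcus 20150413" and no bug reference, so nothing will prompt anyone to restore it. Since this removes memory-checked test runs for a TLS library on that architecture, please add a tracker reference to the comment, or skip just the affected tests under valgrind on ppc instead of removing the BuildRequires for the whole arch.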
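Review bot: In gnutls.spec at @@ -148,7 +154,9 @@, only the line "Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version}" is placed inside "%if %{with gnutls_openssl_compat}", while the "%description -n libgnutls-openssl-devel" that follows it stays unconditional. The other hunks make the libgnutls-openssl runtime subpackage, its ldconfig scriptlets, its %files section and the --enable-openssl-compatibility configure flag all conditional, so building with the bcond switched off would still declare a devel subpackage for a library that is not built. Wrap the whole libgnutls-openssl-devel subpackage (its %package, %description and %files) in the same conditional.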
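Review bot: gnutls-fix-double-mans.patch touches only doc/manpages/Makefile.am (hunk @@ -134,11 +134,8 @@), so it has an effect only if Makefile.in is regenerated during the build. The spec hunks shown here add "%patch0 -p1" but no autoreconf call, so please confirm that %build already runs one before configure; otherwise the duplicate APIMANS entries will still be present in the Makefile.in shipped in the tarball. The patch file also starts directly at its "Index:" line, with no description or upstream commit reference to back the "is in upstream git for 3.4.1" claim made in the spec comment.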