diff --git a/.gitignore b/.gitignore
index 9dec2f3..7d1a9d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,3 +124,6 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /gnutls-3.6.13.tar.xz.sig
 /gnutls-3.6.13.tar.xz
+/gnutls-3.6.14.tar.xz
+/gnutls-3.6.14.tar.xz.sig
+/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/gnutls-3.6.13-bump-linked-libs-soname-f33.patch b/gnutls-3.6.13-bump-linked-libs-soname-f33.patch
deleted file mode 100644
index 5888f1c..0000000
--- a/gnutls-3.6.13-bump-linked-libs-soname-f33.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/lib/fips.c 2020-01-01 21:10:19.000000000 +0100
-+++ b/lib/fips.c 2020-05-13 17:29:43.098868100 +0200
-@@ -136,8 +136,8 @@
- }
- 
- #define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
--#define NETTLE_LIBRARY_NAME "libnettle.so.6"
--#define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
-+#define NETTLE_LIBRARY_NAME "libnettle.so.8"
-+#define HOGWEED_LIBRARY_NAME "libhogweed.so.6"
- #define GMP_LIBRARY_NAME "libgmp.so.10"
- 
- #define HMAC_SUFFIX ".hmac"
diff --git a/gnutls-3.6.13-cli-wait-resumption.patch b/gnutls-3.6.13-cli-wait-resumption.patch
deleted file mode 100644
index 4c56344..0000000
--- a/gnutls-3.6.13-cli-wait-resumption.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Fri, 20 Mar 2020 16:37:33 +0100 -Subject: [PATCH] gnutls-cli: Add option to wait for resumption data - -This introduces the --waitresumption command line option which makes the -client to wait for the resumption data until a ticket is received under -TLS1.3. The client will block if no ticket is received. The new option -has no effect if the option --resume is not provided. - -This is useful to force the client to wait for the resumption data when -the server takes long to send the ticket, allowing the session -resumption to be tested. This is a common scenario in CI systems where -the testing machines have limited resources. - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - src/cli-args.def | 6 ++++++ - src/cli.c | 21 +++++++++++++++------ - 2 files changed, 21 insertions(+), 6 deletions(-) - -diff --git a/src/cli-args.def b/src/cli-args.def -index a8760fab9..56ae77b07 100644 ---- a/src/cli-args.def -+++ b/src/cli-args.def -@@ -471,6 +471,12 @@ flag = { - doc = ""; - }; - -+flag = { -+ name = waitresumption; -+ descrip = "Block waiting for the resumption data under TLS1.3"; -+ doc = "This option makes the client to block waiting for the resumption data under TLS1.3. 
The option has effect only when --resume is provided."; -+}; -+ - doc-section = { - ds-type = 'SEE ALSO'; // or anything else - ds-format = 'texi'; // or texi or mdoc format -diff --git a/src/cli.c b/src/cli.c -index db072b930..c3d074f08 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -78,7 +78,7 @@ - - /* global stuff here */ - int resume, starttls, insecure, ranges, rehandshake, udp, mtu, -- inline_commands; -+ inline_commands, waitresumption; - unsigned int global_vflags = 0; - char *hostname = NULL; - char service[32]=""; -@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) - gnutls_datum_t edata = {NULL, 0}; - - if (gnutls_session_is_resumed(hd->session) == 0) { -- /* not resumed - obtain the session data */ -- ret = gnutls_session_get_data2(hd->session, &rdata); -- if (ret < 0) { -- rdata.data = NULL; -- } -+ do { -+ /* not resumed - obtain the session data */ -+ ret = gnutls_session_get_data2(hd->session, &rdata); -+ if (ret < 0) { -+ rdata.data = NULL; -+ } -+ -+ if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || -+ ((gnutls_session_get_flags(hd->session) & -+ GNUTLS_SFLAGS_SESSION_TICKET))) { -+ break; -+ } -+ } while (waitresumption); - } else { - /* resumed - try to reuse the previous session data */ - rdata.data = hd->rdata.data; -@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) - rehandshake = HAVE_OPT(REHANDSHAKE); - insecure = HAVE_OPT(INSECURE); - ranges = HAVE_OPT(RANGES); -+ waitresumption = HAVE_OPT(WAITRESUMPTION); - - if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { - global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; --- -2.25.4 - diff --git a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch b/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch deleted file mode 100644 index 559ea0a..0000000 --- a/gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 16 Aug 2019 17:01:05 +0200 -Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests - -Nettle's RSA signing, encryption and decryption functions still -require randomness for blinding, so fallback to use a fixed buffer in -selftests where entropy might not be available. - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++---- - 1 file changed, 33 insertions(+), 4 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 15ad4b4e9..ccf403b00 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) - nettle_mpz_get_str_256 (length, data, *k); - } - -+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data) -+{ -+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) { -+ _gnutls_switch_lib_state(LIB_STATE_ERROR); -+ } -+ -+ memset(data, 0xAA, length); -+} -+ - static void - ecc_scalar_zclear (struct ecc_scalar *s) - { -@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - case GNUTLS_PK_RSA: - { - struct rsa_public_key pub; -+ nettle_random_func *random_func; - - ret = _rsa_params_to_pubkey(pk_params, &pub); - if (ret < 0) { -@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_encrypt(&pub, NULL, rnd_nonce_func, -+ rsa_encrypt(&pub, NULL, random_func, - plaintext->size, plaintext->data, - p); - if (ret == 0 || HAVE_LIB_ERROR()) { -@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - struct rsa_public_key pub; - size_t length; - bigint_t c; -+ nettle_random_func *random_func; - - _rsa_params_to_privkey(pk_params, &priv); - ret = 
_rsa_params_to_pubkey(pk_params, &pub); -@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo, - goto cleanup; - } - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_decrypt_tr(&pub, &priv, NULL, random_func, - &length, plaintext->data, - TOMPZ(c)); - _gnutls_mpi_release(&c); -@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - bigint_t c; - uint32_t is_err; - int ret; -+ nettle_random_func *random_func; - - if (algo != GNUTLS_PK_RSA || plaintext == NULL) { - gnutls_assert(); -@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo, - return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED); - } - -- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func, -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; -+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func, - plaintext_size, plaintext, TOMPZ(c)); - /* after this point, any conditional on failure that cause differences - * in execution may create a timing or cache access pattern side -@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - { - struct rsa_private_key priv; - struct rsa_public_key pub; -+ nettle_random_func *random_func; - mpz_t s; - - _rsa_params_to_privkey(pk_params, &priv); -@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - mpz_init(s); - -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) -+ random_func = rnd_nonce_func_fallback; -+ else -+ random_func = rnd_nonce_func; - ret = -- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func, -+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func, - vdata->size, vdata->data, s); - if (ret == 0 || HAVE_LIB_ERROR()) { - gnutls_assert(); --- -2.25.4 - 
diff --git a/gnutls-3.6.13-superseding-chain.patch b/gnutls-3.6.13-superseding-chain.patch
deleted file mode 100644
index 4010c42..0000000
--- a/gnutls-3.6.13-superseding-chain.patch
+++ /dev/null
@@ -1,391 +0,0 @@ -From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 12:39:14 +0200 -Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against - system cert - -To verify a certificate chain, this function replaces known -certificates with the ones in the system trust store if possible. - -However, if it is found, the function checks the validity of the -original certificate rather than the certificate found in the trust -store. That reveals a problem in a scenario that (1) a certificate is -signed by multiple issuers and (2) one of the issuers' certificate has -expired and included in the input chain. - -This patch makes it a little robuster by actually retrieving the -certificate from the trust store and perform check against it. - -Signed-off-by: Daiki Ueno ---- - lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- - lib/pkcs11_int.h | 5 +++ - lib/x509/verify.c | 7 +++- - 3 files changed, 80 insertions(+), 30 deletions(-) - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index fad16aaf4..d8d4a6511 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, - return ret; - } - --/** -- * gnutls_pkcs11_crt_is_known: -- * @url: A PKCS 11 url identifying a token -- * @cert: is the certificate to find issuer for -- * @issuer: Will hold the issuer if any in an allocated buffer. -- * @fmt: The format of the exported issuer. -- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -- * -- * This function will check whether the provided certificate is stored -- * in the specified token. This is useful in combination with -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -- * to check whether a CA is present or a certificate is blacklisted in -- * a trust PKCS #11 module. 
-- * -- * This function can be used with a @url of "pkcs11:", and in that case all modules -- * will be searched. To restrict the modules to the marked as trusted in p11-kit -- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -- * -- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -- * specific to p11-kit trust modules. -- * -- * Returns: If the certificate exists non-zero is returned, otherwise zero. -- * -- * Since: 3.3.0 -- **/ --unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -- unsigned int flags) -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert) - { - int ret; - struct find_cert_st priv; -@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - - memset(&priv, 0, sizeof(priv)); - -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } -+ - if (url == NULL || url[0] == 0) { - url = "pkcs11:"; - } -@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); - /* attempt searching with the subject DN only */ - gnutls_assert(); -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - gnutls_free(priv.serial.data); - memset(&priv, 0, sizeof(priv)); -+ if (trusted_cert) { -+ ret = gnutls_pkcs11_obj_init(&priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto cleanup; -+ } -+ priv.need_import = 1; -+ } - priv.crt = cert; - priv.flags = flags; - -@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - goto cleanup; - } - -+ if (trusted_cert) { -+ ret = gnutls_x509_crt_init(trusted_cert); -+ if (ret < 0) { -+ gnutls_assert(); -+ ret = 0; -+ goto cleanup; -+ } -+ ret = 
gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); -+ if (ret < 0) { -+ gnutls_assert(); -+ gnutls_x509_crt_deinit(*trusted_cert); -+ ret = 0; -+ goto cleanup; -+ } -+ } - ret = 1; - - cleanup: -+ if (priv.obj) -+ gnutls_pkcs11_obj_deinit(priv.obj); - if (info) - p11_kit_uri_free(info); - gnutls_free(priv.serial.data); -@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, - return ret; - } - -+/** -+ * gnutls_pkcs11_crt_is_known: -+ * @url: A PKCS 11 url identifying a token -+ * @cert: is the certificate to find issuer for -+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. -+ * -+ * This function will check whether the provided certificate is stored -+ * in the specified token. This is useful in combination with -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or -+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, -+ * to check whether a CA is present or a certificate is blacklisted in -+ * a trust PKCS #11 module. -+ * -+ * This function can be used with a @url of "pkcs11:", and in that case all modules -+ * will be searched. To restrict the modules to the marked as trusted in p11-kit -+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. -+ * -+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is -+ * specific to p11-kit trust modules. -+ * -+ * Returns: If the certificate exists non-zero is returned, otherwise zero. 
-+ * -+ * Since: 3.3.0 -+ **/ -+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags) -+{ -+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); -+} -+ - /** - * gnutls_pkcs11_obj_get_flags: - * @obj: The pkcs11 object -diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h -index 9d8880709..86cce0dee 100644 ---- a/lib/pkcs11_int.h -+++ b/lib/pkcs11_int.h -@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) - return 0; - } - -+unsigned -+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, -+ unsigned int flags, -+ gnutls_x509_crt_t *trusted_cert); -+ - #endif /* ENABLE_PKCS11 */ - - #endif /* GNUTLS_LIB_PKCS11_INT_H */ -diff --git a/lib/x509/verify.c b/lib/x509/verify.c -index d20267019..fd7c6a164 100644 ---- a/lib/x509/verify.c -+++ b/lib/x509/verify.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - - for (; i < clist_size; i++) { - unsigned vflags; -+ gnutls_x509_crt_t trusted_cert; - - if (i == 0) /* in the end certificate do full comparison */ - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| -@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, - vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| - GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; - -- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { -+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { - -- status |= check_ca_sanity(certificate_list[i], now, flags); -+ status |= check_ca_sanity(trusted_cert, now, flags); -+ gnutls_x509_crt_deinit(trusted_cert); - - if (func) - func(certificate_list[i], --- -2.26.2 - - -From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 13:59:53 +0200 -Subject: [PATCH 2/3] x509: 
trigger fallback verification path when cert is - expired - -gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN -to trigger the fallback verification path if the signer of the last -certificate is not in the trust store. Previously, it doesn't take -into account of the condition where the certificate is expired. - -Signed-off-by: Daiki Ueno ---- - lib/x509/verify-high.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c -index b1421ef17..40638ad3a 100644 ---- a/lib/x509/verify-high.c -+++ b/lib/x509/verify-high.c -@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - - #define LAST_DN cert_list[cert_list_size-1]->raw_dn - #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn --/* This macro is introduced to detect a verification output -- * which indicates an unknown signer, or a signer which uses -- * an insecure algorithm (e.g., sha1), something that indicates -- * a superseded signer */ --#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) -+/* This macro is introduced to detect a verification output which -+ * indicates an unknown signer, a signer which uses an insecure -+ * algorithm (e.g., sha1), a signer has expired, or something that -+ * indicates a superseded signer */ -+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ -+ (output & GNUTLS_CERT_EXPIRED) || \ -+ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) - #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) - - /** --- -2.26.2 - - -From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 31 May 2020 14:28:48 +0200 -Subject: [PATCH 3/3] tests: add test case for certificate chain superseding - -Signed-off-by: Daiki Ueno ---- - tests/test-chains.h | 97 
+++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 97 insertions(+) - -diff --git a/tests/test-chains.h b/tests/test-chains.h -index dd19e6a81..9b06b85f5 100644 ---- a/tests/test-chains.h -+++ b/tests/test-chains.h -@@ -4010,6 +4010,102 @@ static const char *ed448[] = { - NULL - }; - -+/* This contains an expired intermediate CA, which should be superseded. */ -+static const char *superseding[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" -+ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" -+ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" -+ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" -+ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" -+ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" -+ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" -+ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" -+ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" -+ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" -+ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" -+ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" -+ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" -+ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" -+ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" -+ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" -+ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" -+ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" -+ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" -+ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" -+ 
"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" -+ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" -+ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" -+ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" -+ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" -+ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" -+ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" -+ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" -+ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" -+ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" -+ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" -+ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" -+ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" -+ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" -+ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" -+ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" -+ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" -+ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" -+ "iJwOKIk=" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ -+static const char *superseding_ca[] = { -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" -+ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" -+ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" -+ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" -+ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" -+ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" -+ 
"kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" -+ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" -+ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" -+ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" -+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" -+ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" -+ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" -+ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" -+ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" -+ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" -+ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" -+ "izchzb9eow==" -+ "-----END CERTIFICATE-----", -+ "-----BEGIN CERTIFICATE-----" -+ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" -+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" -+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" -+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" -+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" -+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" -+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" -+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" -+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" -+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" -+ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" -+ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" -+ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" -+ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" -+ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" -+ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" -+ 
"IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" -+ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" -+ "eh1COrLsOJo+" -+ "-----END CERTIFICATE-----", -+ NULL -+}; -+ - #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) - # pragma GCC diagnostic push - # pragma GCC diagnostic ignored "-Wunused-variable" -@@ -4178,6 +4274,7 @@ static struct - GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, - { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), - 0, NULL, 1584352960, 1}, -+ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, - { NULL, NULL, NULL, 0, 0} - }; - --- -2.26.2 - diff --git a/gnutls.spec b/gnutls.spec index 4d445ec..c41ac17 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,12 +1,8 @@ # This spec file has been automatically updated -Version: 3.6.13 -Release: 6%{?dist} +Version: 3.6.14 +Release: 1%{?dist} Patch1: gnutls-3.6.7-no-now-guile.patch Patch2: gnutls-3.2.7-rpath.patch -Patch3: gnutls-3.6.13-bump-linked-libs-soname-f33.patch -Patch4: gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch -Patch5: gnutls-3.6.13-cli-wait-resumption.patch -Patch6: gnutls-3.6.13-superseding-chain.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -51,7 +47,7 @@ BuildRequires: guile22-devel URL: http://www.gnutls.org/ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) = 20130424 
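Review bot: The `Source2` line in the second gnutls.spec hunk swaps the verification keyring to `gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg` in the same commit that swaps the tarball and its `.sig`, so the `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` check in %prep now only proves the new tarball was signed by whatever key is in the new file; nothing in the diff records how that key was established as the upstream release-signing key. A comment above the `Source2:` line should capture that provenance, e.g. `# Source2: upstream GnuTLS release-signing key, fingerprint 462225C3B46F34879FC8496CD605848ED7E69871, obtained from <UPSTREAM KEY SOURCE placeholder> and cross-checked against <VERIFICATION METHOD placeholder>` with the placeholders filled in. The SHA512 for the key file added in `sources` pins the uploaded bytes but says nothing about where they came from. The first hunk also drops Patch3–Patch6, presumably because 3.6.14 ships those upstream fixes; that cannot be confirmed from the diff and is worth stating explicitly in the changelog entry.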
@@ -147,7 +143,6 @@ This package contains Guile bindings for the library. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -p1 -autoreconf sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure rm -f lib/minitasn1/*.c lib/minitasn1/*.h diff --git a/sources b/sources index 08912b9..322ad17 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856 -SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c +SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 +SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a +SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
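Review bot: Dropping `autoreconf` from %prep in the third gnutls.spec hunk is only safe if the two patches still applied by `%autosetup -p1`, `gnutls-3.6.7-no-now-guile.patch` and `gnutls-3.2.7-rpath.patch`, touch no autotools inputs such as `configure.ac` or a `Makefile.am`; neither patch is visible here, so that should be confirmed before the build relies on the configure script shipped in the tarball. The `sed` that follows edits `configure` directly, so it keeps working either way, but a short comment such as `# configure is taken from the release tarball; no remaining patch touches autotools inputs` above the `sed` would document the assumption for the next bump. In the `sources` hunk the new key file is pinned alongside the tarball and signature, which is consistent with the `Source2` change.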