diff --git a/.gnutls.metadata b/.gnutls.metadata
index 3939140..d808294 100644
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@@ -1 +1 @@
-4855db9457aff5c00d35827097171d51f367237f SOURCES/gnutls-3.1.16-hobbled.tar.xz
+928dac9a2ea7b2de57bf9fdb62194aac22117df9 SOURCES/gnutls-3.1.18-hobbled.tar.xz
diff --git a/SOURCES/ecc.c b/SOURCES/ecc.c
index 7ca1776..f4869b0 100644
--- a/SOURCES/ecc.c
+++ b/SOURCES/ecc.c
@@ -56,6 +56,19 @@ static const gnutls_ecc_curve_entry_st ecc_curves[] = {
     .Gx = "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
     .Gy = "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"
   },
+  {
+    .name = "SECP521R1",
+    .oid = "1.3.132.0.35",
+    .id = GNUTLS_ECC_CURVE_SECP521R1,
+    .tls_id = 25,
+    .size = 66,
+    .prime = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+    .A = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
+    .B = "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
+    .order = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
+    .Gx =    "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
+    .Gy =    "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
+  },
   {0, 0, 0}
 };
 
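Review bot: The new SECP521R1 entry carries six long hex constants with no pointer to their source, so a mistyped digit in `.prime`, `.B` or `.order` cannot be checked against anything in the file. A comment above the entry such as `/* NIST P-521 / secp521r1 domain parameters, as published in SEC 2 and FIPS 186 */` would let a reviewer verify them. The `.Gx =    "` and `.Gy =    "` lines also use extra padding and a trailing comma that the preceding entry does not have; matching the existing layout keeps the table uniform. The array definition starts above the hunk.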
diff --git a/SOURCES/gnutls-3.1.11-suiteb.patch b/SOURCES/gnutls-3.1.11-suiteb.patch
deleted file mode 100644
index c4dd390..0000000
--- a/SOURCES/gnutls-3.1.11-suiteb.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
---- gnutls-3.1.11/lib/gnutls_ecc.c.suiteb	2013-04-27 10:04:48.000000000 +0200
-+++ gnutls-3.1.11/lib/gnutls_ecc.c	2013-05-23 10:08:45.331883555 +0200
-@@ -129,6 +129,12 @@ int ret;
-       goto cleanup;
-     }
-   params->params_nr++;
-+
-+  if (_gnutls_mpi_get_nbits(params->params[ECC_PRIME]) < 256)
-+    {
-+      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
-+      goto cleanup;
-+    }
-   
-   val_size = sizeof(val);
-   ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size);
-diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c
---- gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb	2013-04-27 10:04:48.000000000 +0200
-+++ gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c	2013-05-23 10:24:56.575967312 +0200
-@@ -42,6 +42,7 @@ typedef struct
- 
- /* global cache */
- static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL;
-+static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache_last = NULL;
- 
- /* free single cache entry */
- static void
-@@ -63,9 +64,10 @@ ecc_wmnaf_cache_free (void)
-   gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache;
-   if (p)
-     {
--      for (; p->id != GNUTLS_ECC_CURVE_INVALID; ++p)
-+      for (; p <= ecc_wmnaf_cache_last; ++p)
-         {
--          _ecc_wmnaf_cache_entry_free (p);
-+          if (p->id != GNUTLS_ECC_CURVE_INVALID)
-+            _ecc_wmnaf_cache_entry_free (p);
-         }
- 
-       free (ecc_wmnaf_cache);
-@@ -198,7 +200,7 @@ ecc_wmnaf_cache_init (void)
-   const gnutls_ecc_curve_t *p;
- 
-   ret = (gnutls_ecc_curve_cache_entry_t *)
--    malloc (MAX_ALGOS * sizeof (gnutls_ecc_curve_cache_entry_t));
-+    calloc (MAX_ALGOS, sizeof (gnutls_ecc_curve_cache_entry_t));
-   if (ret == NULL)
-     return GNUTLS_E_MEMORY_ERROR;
- 
-@@ -207,12 +209,16 @@ ecc_wmnaf_cache_init (void)
- 
-   for (j = 0; *p; ++p, ++j)
-     {
--      if ((err = _ecc_wmnaf_cache_entry_init (ret + *p - 1, *p)) != 0)
-+      gnutls_ecc_curve_cache_entry_t *entry;
-+
-+      entry = ret + *p - 1;
-+      if ((err = _ecc_wmnaf_cache_entry_init (entry, *p)) != 0)
-         goto done;
-+      if (ecc_wmnaf_cache_last < entry)
-+        ecc_wmnaf_cache_last = entry;
-     }
- 
--  /* nullify last cache entry id */
--  ret[j].id = GNUTLS_ECC_CURVE_INVALID;
-+  /* no need to nullify last cache entry id, done by calloc */
- 
-   err = GNUTLS_E_SUCCESS;
- 
-@@ -223,7 +229,8 @@ done:
-       int i;
-       for (i = 0; i < j; ++i)
-         {
--          _ecc_wmnaf_cache_entry_free (ret + i);
-+          --p;
-+          _ecc_wmnaf_cache_entry_free (ret + *p - 1);
-         }
- 
-       free (ret);
-@@ -445,9 +452,11 @@ ecc_mulmod_cached_lookup (mpz_t k, ecc_p
-   if (k == NULL || G == NULL || R == NULL || modulus == NULL)
-     return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
- 
--  for (i = 0; (id = ecc_wmnaf_cache[i].id); ++i)
-+  for (i = 0; ecc_wmnaf_cache + i <= ecc_wmnaf_cache_last; ++i)
-     {
--      if (!(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
-+      id = ecc_wmnaf_cache[i].id;
-+      if (id &&
-+          !(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
-           !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y)))
-         {
-           break;
-diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
---- gnutls-3.1.11/tests/mini-xssl.c.suiteb	2013-05-10 10:10:27.000000000 +0200
-+++ gnutls-3.1.11/tests/mini-xssl.c	2013-05-23 11:58:22.670298910 +0200
-@@ -27,7 +27,8 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32)
-+/* uses unsupported curves */
-+#if 1
- 
- int main()
- {
-diff -up gnutls-3.1.11/tests/pkcs12_simple.c.suiteb gnutls-3.1.11/tests/pkcs12_simple.c
---- gnutls-3.1.11/tests/pkcs12_simple.c.suiteb	2013-05-10 10:10:27.000000000 +0200
-+++ gnutls-3.1.11/tests/pkcs12_simple.c	2013-05-23 11:57:59.776799848 +0200
-@@ -50,6 +50,9 @@ doit (void)
-   gnutls_x509_privkey_t pkey;
-   int ret;
- 
-+  /* uses unsupported curves */
-+  exit(77);
-+
-   ret = global_init ();
-   if (ret < 0)
-     fail ("global_init failed %d\n", ret);
diff --git a/SOURCES/gnutls-3.1.17-rpath.patch b/SOURCES/gnutls-3.1.17-rpath.patch
new file mode 100644
index 0000000..bac0981
--- /dev/null
+++ b/SOURCES/gnutls-3.1.17-rpath.patch
@@ -0,0 +1,29 @@
+diff -ur gnutls-3.1.17.orig/configure gnutls-3.1.17/configure
+--- gnutls-3.1.17.orig/configure	2013-11-23 10:55:26.000000000 +0100
++++ gnutls-3.1.17/configure	2013-11-26 11:33:04.865342480 +0100
+@@ -49103,7 +49103,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 
+@@ -52940,7 +52940,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 
+Only in gnutls-3.1.17: configure~
+Only in gnutls-3.1.17.orig/lib/algorithms: ecc.c
+Only in gnutls-3.1.17.orig/lib/auth: srp.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_passwd.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_rsa.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_sb64.c
+Only in gnutls-3.1.17.orig/lib/ext: srp.c
+Only in gnutls-3.1.17.orig/lib: gnutls_srp.c
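Review bot: The refreshed patch changes only the two static `sys_lib_dlsearch_path_spec="/lib /usr/lib"` assignments, while the 3.1.7 version it replaces also patched the two assignments that append `$lt_ld_extra` from /etc/ld.so.conf. If the 3.1.17 `configure` still contains that branch, /lib64 and /usr/lib64 are no longer added there, so it is worth confirming that those hunks were dropped on purpose. The trailing `Only in ...` lines are `diff -ur` residue rather than patch content and should be stripped from the file.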
diff --git a/SOURCES/gnutls-3.1.18-cve-2014-0092.patch b/SOURCES/gnutls-3.1.18-cve-2014-0092.patch
new file mode 100644
index 0000000..a0684bb
--- /dev/null
+++ b/SOURCES/gnutls-3.1.18-cve-2014-0092.patch
@@ -0,0 +1,128 @@
+From 43ad7b2ad231489b7ada46e2f34deb82d64dd54d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Wed, 19 Feb 2014 11:10:26 +0100
+Subject: [PATCH] corrected return codes.
+
+---
+ lib/x509/verify.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index 86a901e..d3f349b 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -106,7 +106,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -115,7 +115,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -123,7 +123,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   result =
+@@ -131,7 +131,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   if (result < 0)
+     {
+       gnutls_assert ();
+-      goto cleanup;
++      goto fail;
+     }
+ 
+   /* If the subject certificate is the same as the issuer
+@@ -183,6 +183,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
+   else
+     gnutls_assert ();
+ 
++fail:
+   result = 0;
+ 
+ cleanup:
+@@ -408,14 +409,15 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (issuer_version < 0)
+     {
+       gnutls_assert ();
+-      return issuer_version;
++      result = 0;
++      goto cleanup;
+     }
+   
+   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+       ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
+        || issuer_version != 1))
+     {
+-      if (check_if_ca (cert, issuer, max_path, flags) == 0)
++      if (check_if_ca (cert, issuer, max_path, flags) != 1)
+         {
+           gnutls_assert ();
+           out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID;
+@@ -446,6 +448,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -454,6 +457,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -461,6 +465,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   if (result < 0)
+     {
+       gnutls_assert ();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -481,6 +486,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
+   else if (result < 0)
+     {
+       gnutls_assert();
++      result = 0;
+       goto cleanup;
+     }
+ 
+@@ -650,7 +656,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+   ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
+                                      trusted_cas, tcas_size, flags, &output,
+                                      &issuer, now, &max_path, func);
+-  if (ret == 0)
++  if (ret != 1)
+     {
+       /* if the last certificate in the certificate
+        * list is invalid, then the certificate is not
+@@ -681,7 +687,7 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+       if ((ret =
+            _gnutls_verify_certificate2 (certificate_list[i - 1],
+                                         &certificate_list[i], 1, flags,
+-                                        &output, NULL, now, &max_path, func)) == 0)
++                                        &output, NULL, now, &max_path, func)) != 1)
+         {
+           status |= output;
+           status |= GNUTLS_CERT_INVALID;
+-- 
+1.8.5.3
+
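Review bot: `_gnutls_verify_certificate2` now repeats `result = 0;` before each `goto cleanup`, while `check_if_ca` in the same patch routes its error paths through a single `fail:` label; with the repeated form, an error path added later without the assignment would again hand a negative value to callers. The `!= 1` comparisons at the call sites backstop that, but the contract they rely on is not written down anywhere in the patch. I would add a header comment to both functions along the lines of `/* Returns 1 only if the certificate verified; 0 on any failure, including internal errors. Never negative. */` and consider the same `fail:` pattern in `_gnutls_verify_certificate2`. The diffstat lists only lib/x509/verify.c, so no regression test accompanies the fix; both function bodies extend beyond the hunks shown.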
diff --git a/SOURCES/gnutls-3.1.18-suiteb.patch b/SOURCES/gnutls-3.1.18-suiteb.patch
new file mode 100644
index 0000000..8b5974c
--- /dev/null
+++ b/SOURCES/gnutls-3.1.18-suiteb.patch
@@ -0,0 +1,141 @@
+diff -ur gnutls-3.1.18.orig/lib/gnutls_ecc.c gnutls-3.1.18/lib/gnutls_ecc.c
+--- gnutls-3.1.18.orig/lib/gnutls_ecc.c	2013-04-02 22:27:35.000000000 +0200
++++ gnutls-3.1.18/lib/gnutls_ecc.c	2014-01-02 09:13:27.383415863 +0100
+@@ -129,6 +129,12 @@
+       goto cleanup;
+     }
+   params->params_nr++;
++
++  if (_gnutls_mpi_get_nbits(params->params[ECC_PRIME]) < 256)
++    {
++      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
++      goto cleanup;
++    }
+   
+   val_size = sizeof(val);
+   ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size);
+diff -ur gnutls-3.1.18.orig/lib/gnutls_priority.c gnutls-3.1.18/lib/gnutls_priority.c
+--- gnutls-3.1.18.orig/lib/gnutls_priority.c	2013-11-19 18:36:38.000000000 +0100
++++ gnutls-3.1.18/lib/gnutls_priority.c	2014-01-02 09:13:27.384415875 +0100
+@@ -245,8 +245,6 @@
+ }
+ 
+ static const int supported_ecc_normal[] = {
+-  GNUTLS_ECC_CURVE_SECP192R1,
+-  GNUTLS_ECC_CURVE_SECP224R1,
+   GNUTLS_ECC_CURVE_SECP256R1,
+   GNUTLS_ECC_CURVE_SECP384R1,
+   GNUTLS_ECC_CURVE_SECP521R1,
+diff -ur gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c
+--- gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c	2013-04-02 22:27:35.000000000 +0200
++++ gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c	2014-01-02 10:26:08.425986981 +0100
+@@ -42,6 +42,7 @@
+ 
+ /* global cache */
+ static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL;
++static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache_last = NULL;
+ 
+ /* free single cache entry */
+ static void
+@@ -63,13 +64,15 @@
+   gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache;
+   if (p)
+     {
+-      for (; p->id != GNUTLS_ECC_CURVE_INVALID; ++p)
++      for (; p <= ecc_wmnaf_cache_last; ++p)
+         {
+-          _ecc_wmnaf_cache_entry_free (p);
++          if (p->id != GNUTLS_ECC_CURVE_INVALID)
++            _ecc_wmnaf_cache_entry_free (p);
+         }
+ 
+       free (ecc_wmnaf_cache);
+       ecc_wmnaf_cache = NULL;
++      ecc_wmnaf_cache_last = NULL;
+     }
+ }
+ 
+@@ -198,7 +201,7 @@
+   const gnutls_ecc_curve_t *p;
+ 
+   ret = (gnutls_ecc_curve_cache_entry_t *)
+-    malloc (MAX_ALGOS * sizeof (gnutls_ecc_curve_cache_entry_t));
++    calloc (MAX_ALGOS, sizeof (gnutls_ecc_curve_cache_entry_t));
+   if (ret == NULL)
+     return GNUTLS_E_MEMORY_ERROR;
+ 
+@@ -207,12 +210,16 @@
+ 
+   for (j = 0; *p; ++p, ++j)
+     {
+-      if ((err = _ecc_wmnaf_cache_entry_init (ret + *p - 1, *p)) != 0)
++      gnutls_ecc_curve_cache_entry_t *entry;
++
++      entry = ret + *p - 1;
++      if ((err = _ecc_wmnaf_cache_entry_init (entry, *p)) != 0)
+         goto done;
++      if (ecc_wmnaf_cache_last < entry)
++        ecc_wmnaf_cache_last = entry;
+     }
+ 
+-  /* nullify last cache entry id */
+-  ret[j].id = GNUTLS_ECC_CURVE_INVALID;
++  /* no need to nullify last cache entry id, done by calloc */
+ 
+   err = GNUTLS_E_SUCCESS;
+ 
+@@ -223,11 +230,13 @@
+       int i;
+       for (i = 0; i < j; ++i)
+         {
+-          _ecc_wmnaf_cache_entry_free (ret + i);
++          --p;
++          _ecc_wmnaf_cache_entry_free (ret + *p - 1);
+         }
+ 
+       free (ret);
+       ecc_wmnaf_cache = NULL;
++      ecc_wmnaf_cache_last = NULL;
+     }
+   return err;
+ }
+@@ -445,9 +454,11 @@
+   if (k == NULL || G == NULL || R == NULL || modulus == NULL)
+     return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 
+-  for (i = 0; (id = ecc_wmnaf_cache[i].id); ++i)
++  for (i = 0; ecc_wmnaf_cache + i <= ecc_wmnaf_cache_last; ++i)
+     {
+-      if (!(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
++      id = ecc_wmnaf_cache[i].id;
++      if (id &&
++          !(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
+           !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y)))
+         {
+           break;
+diff -ur gnutls-3.1.18.orig/tests/mini-xssl.c gnutls-3.1.18/tests/mini-xssl.c
+--- gnutls-3.1.18.orig/tests/mini-xssl.c	2013-05-30 08:50:22.000000000 +0200
++++ gnutls-3.1.18/tests/mini-xssl.c	2014-01-02 09:13:27.384415875 +0100
+@@ -27,7 +27,8 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
+-#if defined(_WIN32)
++/* uses unsupported curves */
++#if 1
+ 
+ int main()
+ {
+diff -ur gnutls-3.1.18.orig/tests/pkcs12_simple.c gnutls-3.1.18/tests/pkcs12_simple.c
+--- gnutls-3.1.18.orig/tests/pkcs12_simple.c	2013-05-21 20:27:20.000000000 +0200
++++ gnutls-3.1.18/tests/pkcs12_simple.c	2014-01-02 09:13:27.384415875 +0100
+@@ -50,6 +50,9 @@
+   gnutls_x509_privkey_t pkey;
+   int ret;
+ 
++  /* uses unsupported curves */
++  exit(77);
++
+   ret = global_init ();
+   if (ret < 0)
+     fail ("global_init failed %d\n", ret);
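Review bot: In `ecc_mulmod_cached_lookup` the rewritten loop can now end by running past `ecc_wmnaf_cache_last`, and in that case `id` still holds the id of the last slot visited (presumably non-zero) instead of 0, which is what the old condition `(id = ecc_wmnaf_cache[i].id)` left behind on a miss. If the code after the loop (outside the hunk) uses `id` to tell a hit from a miss, a base point that matches no cached curve would be processed with the last curve's cached data. Resetting it after the loop, `if (ecc_wmnaf_cache + i > ecc_wmnaf_cache_last) id = GNUTLS_ECC_CURVE_INVALID;`, restores the old miss behaviour. The loop also reads `ecc_wmnaf_cache[0]` when both pointers are NULL, for example after `ecc_wmnaf_cache_free`, because the bound check passes for `i == 0`; an `ecc_wmnaf_cache == NULL` test next to the existing parameter check would cover that.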
diff --git a/SOURCES/gnutls-3.1.18-v1-fix.patch b/SOURCES/gnutls-3.1.18-v1-fix.patch
new file mode 100644
index 0000000..5964af5
--- /dev/null
+++ b/SOURCES/gnutls-3.1.18-v1-fix.patch
@@ -0,0 +1,16 @@
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index cb8289e..86a901e 100644
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -674,7 +674,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
+        * certificates can exist in a supplied chain.
+        */
+       if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+-        flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++        {
++          flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
++          flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
++        }
+       if ((ret =
+            _gnutls_verify_certificate2 (certificate_list[i - 1],
+                                         &certificate_list[i], 1, flags,
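Review bot: This patch file has no header, so nothing ties the added `flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;` to the issue it closes; the changelog entry for 3.1.18-7 mentions CVE-2014-1959 but does not name a patch. If this is that fix, keep the upstream commit header in the file (as gnutls-3.1.18-cve-2014-0092.patch does) or add a comment above `Patch2:` in the spec such as `# Do not accept X.509 v1 certificates as intermediate CAs (CVE-2014-1959)`. The change sits inside the chain loop of `_gnutls_x509_verify_certificate`, whose body continues outside the hunk.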
diff --git a/SOURCES/gnutls-3.1.7-rpath.patch b/SOURCES/gnutls-3.1.7-rpath.patch
deleted file mode 100644
index d087db9..0000000
--- a/SOURCES/gnutls-3.1.7-rpath.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up gnutls-3.1.7/configure.rpath gnutls-3.1.7/configure
---- gnutls-3.1.7/configure.rpath	2013-02-04 02:40:23.000000000 +0100
-+++ gnutls-3.1.7/configure	2013-02-05 21:04:57.128932440 +0100
-@@ -48519,7 +48519,7 @@ shlibpath_var=
- shlibpath_overrides_runpath=unknown
- version_type=none
- dynamic_linker="$host_os ld.so"
--sys_lib_dlsearch_path_spec="/lib /usr/lib"
-+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
- need_lib_prefix=unknown
- hardcode_into_libs=no
- 
-@@ -48962,7 +48962,7 @@ fi
-   # Append ld.so.conf contents to the search path
-   if test -f /etc/ld.so.conf; then
-     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
--    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+    sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
-   fi
- 
-   # We used to test for /lib/ld.so.1 and disable shared libraries on
-@@ -52353,7 +52353,7 @@ shlibpath_var=
- shlibpath_overrides_runpath=unknown
- version_type=none
- dynamic_linker="$host_os ld.so"
--sys_lib_dlsearch_path_spec="/lib /usr/lib"
-+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
- need_lib_prefix=unknown
- hardcode_into_libs=no
- 
-@@ -52794,7 +52794,7 @@ fi
-   # Append ld.so.conf contents to the search path
-   if test -f /etc/ld.so.conf; then
-     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
--    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+    sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
-   fi
- 
-   # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/SOURCES/hobble-gnutls b/SOURCES/hobble-gnutls
index 8b9633d..9fd507e 100755
--- a/SOURCES/hobble-gnutls
+++ b/SOURCES/hobble-gnutls
@@ -8,8 +8,8 @@ else
 fi
 
 # SRP
-for f in auth_srp_sb64.c auth_srp_passwd.c auth_srp_rsa.c \
-    gnutls_srp.c auth_srp.c ext_srp.c ; do
+for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \
+    gnutls_srp.c auth/srp.c ext/srp.c ; do
     eval "$CMD lib/$f"
 done
 
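Review bot: The SRP file list went stale when upstream moved the sources into `auth/` and `ext/`, and nothing in this loop would have reported it; depending on how `$CMD` is defined above the hunk, a wrong path may be skipped silently and leave SRP code in the tree. A guard before the `eval`, `[ -e "lib/$f" ] || { echo "hobble-gnutls: lib/$f not found" >&2; exit 1; }`, would turn the next upstream rename into a build failure. `$CMD` is chosen by the if/else that ends just above the hunk, so the guard may need to apply only to the branch that operates on files expected to exist.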
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index 01b1542..4505bb1 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -2,18 +2,21 @@
 %bcond_with guile
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 3.1.16
-Release: 1%{?dist}
+Version: 3.1.18
+Release: 8%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+, however
 # the bundled gnulib is LGPLv3+
 License: GPLv3+ and LGPLv2+ and LGPLv3+
 Group: System Environment/Libraries
 BuildRequires: p11-kit-devel >= 0.11, gettext
 BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.1
-BuildRequires: lzo-devel, libtool, automake, autoconf, texinfo
+BuildRequires: libtool, automake, autoconf, texinfo
 BuildRequires: nettle-devel >= 2.5
+BuildRequires: libidn-devel
+BuildRequires: autogen-libopts-devel >= 5.18 autogen
+#BuildRequires: trousers-devel >= 0.3.11.2
 %if %{with dane}
-BuildRequires: unbound-devel
+BuildRequires: unbound-devel unbound-libs
 %endif
 %if %{with guile}
 BuildRequires: guile-devel
@@ -26,13 +29,15 @@ Source0: %{name}-%{version}-hobbled.tar.xz
 Source1: libgnutls-config
 Source2: hobble-gnutls
 Source3: ecc.c
-Patch1: gnutls-3.1.7-rpath.patch
+Patch1: gnutls-3.1.17-rpath.patch
+Patch2: gnutls-3.1.18-v1-fix.patch
 # Use only FIPS approved ciphers in the FIPS mode
 Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
 # Use random port in some tests to avoid conflicts during simultaneous builds on the same machine
 Patch9: gnutls-3.1.10-tests-rndport.patch
-Patch10: gnutls-3.1.11-suiteb.patch
+Patch10: gnutls-3.1.18-suiteb.patch
+Patch11: gnutls-3.1.18-cve-2014-0092.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -77,44 +82,56 @@ Requires: guile
 %endif
 
 %description
-GnuTLS is a project that aims to develop a library which provides a secure 
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 
 %description c++
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains the C++ interface for the GnuTLS library.
 
 %description devel
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains files needed for developing applications with
 the GnuTLS library.
 
 %description utils
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains command line TLS client and server and certificate
 manipulation tools.
 
 %if %{with dane}
 %description dane
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains library that implements the DANE protocol for verifying
 TLS certificates through DNSSEC.
 %endif
 
 %if %{with guile}
 %description guile
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains Guile bindings for the library.
 %endif
 
@@ -122,16 +139,19 @@ This package contains Guile bindings for the library.
 %setup -q
 
 %patch1 -p1 -b .rpath
+%patch2 -p1 -b .v1-fix
 # This patch is not applicable as we use nettle now but some parts will be
 # later reused.
 #%patch7 -p1 -b .fips
 %patch8 -p1 -b .nosrp
 %patch9 -p1 -b .rndport
 %patch10 -p1 -b .suiteb
+%patch11 -p1 -b .cve-2014-0092
 
 %{SOURCE2} -e
 
 cp -f %{SOURCE3} lib/algorithms
+rm -f doc/gnutls.info*
 
 %build
 
@@ -141,6 +161,7 @@ export LDFLAGS="-Wl,--no-add-needed"
            --with-included-libcfg \
            --disable-static \
            --disable-openssl-compatibility \
+	   --without-tpm \
            --disable-srp-authentication \
 %if %{with guile}
            --enable-guile \
@@ -151,6 +172,7 @@ export LDFLAGS="-Wl,--no-add-needed"
            --disable-guile \
 %endif
 %if %{with dane}
+	   --with-unbound-root-key-file=/var/lib/unbound/root.key \
            --enable-dane \
 %else
            --disable-dane \
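Review bot: `--with-unbound-root-key-file=/var/lib/unbound/root.key` bakes the DNSSEC trust-anchor path into the DANE library, but the only dependency added for it in this diff is `BuildRequires: unbound-devel unbound-libs`, which does not guarantee the file exists on the installed system. Unless the `dane` subpackage already has a runtime `Requires:` on the package that owns that file (not visible in these hunks), DANE verification could fail at runtime for lack of the anchor. The new line, and `--without-tpm` in the previous hunk, are also indented with a tab where the surrounding options use spaces.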
@@ -167,6 +189,7 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt
 cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config
 cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-extra-config
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tpmtool.1
 rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp*
 rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
@@ -235,6 +258,7 @@ fi
 %{_bindir}/ocsptool
 %{_bindir}/psktool
 %{_bindir}/p11tool
+%{_bindir}/crywrap
 %if %{with dane}
 %{_bindir}/danetool
 %endif
@@ -257,6 +281,31 @@ fi
 %endif
 
 %changelog
+* Tue Feb 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-8
+- fixes CVE-2014-0092 (#1071815)
+
+* Fri Feb 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-7
+- fixes CVE-2014-1959
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.1.18-6
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-5
+- Fixed issue with gnutls.info not being available (#1053487)
+
+* Tue Jan 14 2014 Tomáš Mráz <tmraz@redhat.com> 3.1.18-4
+- build the crywrap tool
+
+* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-3
+- fixes crash in gnutls_global_deinit (#1047037)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.1.18-2
+- Mass rebuild 2013-12-27
+
+* Mon Dec 23 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-1
+- new upstream release (#1040886)
+- Use the correct root key for unbound
+
 * Tue Nov  5 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.16-1
 - new upstream release
 - fixes CVE-2013-4466 off-by-one in dane_query_tlsa()