diff --git a/.gnutls.metadata b/.gnutls.metadata
new file mode 100644
index 0000000..3939140
--- /dev/null
+++ b/.gnutls.metadata
@@ -0,0 +1 @@
+4855db9457aff5c00d35827097171d51f367237f SOURCES/gnutls-3.1.16-hobbled.tar.xz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/ecc.c b/SOURCES/ecc.c
new file mode 100644
index 0000000..7ca1776
--- /dev/null
+++ b/SOURCES/ecc.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2011-2012 Free Software Foundation, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+
+/* Supported ECC curves
+ */
+
+static const gnutls_ecc_curve_entry_st ecc_curves[] = {
+ {
+ .name = "SECP256R1",
+ .oid = "1.2.840.10045.3.1.7",
+ .id = GNUTLS_ECC_CURVE_SECP256R1,
+ .tls_id = 23,
+ .size = 32,
+ .prime = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
+ .A = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
+ .B = "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
+ .order = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
+ .Gx = "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
+ .Gy = "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
+ },
+ {
+ .name = "SECP384R1",
+ .oid = "1.3.132.0.34",
+ .id = GNUTLS_ECC_CURVE_SECP384R1,
+ .tls_id = 24,
+ .size = 48,
+ .prime = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
+ .A = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
+ .B = "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
+ .order = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
+ .Gx = "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
+ .Gy = "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"
+ },
+ {0, 0, 0}
+};
+
+#define GNUTLS_ECC_CURVE_LOOP(b) \
+ { const gnutls_ecc_curve_entry_st *p; \
+ for(p = ecc_curves; p->name != NULL; p++) { b ; } }
+
+
+/* Returns the TLS id of the given curve
+ */
+int
+_gnutls_tls_id_to_ecc_curve (int num)
+{
+ gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (p->tls_id == num)
+ {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/**
+ * gnutls_ecc_curve_list:
+ *
+ * Get the list of supported elliptic curves.
+ *
+ * This function is not thread safe.
+ *
+ * Returns: Return a (0)-terminated list of #gnutls_ecc_curve_t
+ * integers indicating the available curves.
+ **/
+const gnutls_ecc_curve_t *
+gnutls_ecc_curve_list (void)
+{
+static gnutls_ecc_curve_t supported_curves[MAX_ALGOS] = { 0 };
+
+ if (supported_curves[0] == 0)
+ {
+ int i = 0;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ supported_curves[i++]=p->id;
+ );
+ supported_curves[i++]=0;
+ }
+
+ return supported_curves;
+}
+
+/* Maps numbers to TLS NamedCurve IDs (RFC4492).
+ * Returns a negative number on error.
+ */
+int
+_gnutls_ecc_curve_get_tls_id (gnutls_ecc_curve_t supported_ecc)
+{
+ int ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (p->id == supported_ecc)
+ {
+ ret = p->tls_id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/*-
+ * _gnutls_oid_to_ecc_curve:
+ * @oid: is a curve's OID
+ *
+ * Returns: return a #gnutls_ecc_curve_t value corresponding to
+ * the specified OID, or %GNUTLS_ECC_CURVE_INVALID on error.
+ -*/
+gnutls_ecc_curve_t _gnutls_oid_to_ecc_curve (const char* oid)
+{
+ gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (strcasecmp (p->oid, oid) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/*-
+ * _gnutls_ecc_curve_get_id:
+ * @name: is a curve name
+ *
+ * The names are compared in a case insensitive way.
+ *
+ * Returns: return a #gnutls_ecc_curve_t value corresponding to
+ * the specified curve, or %GNUTLS_ECC_CURVE_INVALID on error.
+ -*/
+gnutls_ecc_curve_t
+_gnutls_ecc_curve_get_id (const char *name)
+{
+ gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (strcasecmp (p->name, name) == 0)
+ {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/*-
+ * _gnutls_ecc_bits_to_curve:
+ * @bits: is a security parameter in bits
+ *
+ * Returns: return a #gnutls_ecc_curve_t value corresponding to
+ * the specified bit length, or %GNUTLS_ECC_CURVE_INVALID on error.
+ -*/
+gnutls_ecc_curve_t
+_gnutls_ecc_bits_to_curve (int bits)
+{
+ gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_SECP224R1;
+
+ GNUTLS_ECC_CURVE_LOOP (
+ if (8*p->size >= bits)
+ {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/**
+ * gnutls_ecc_curve_get_name:
+ * @curve: is an ECC curve
+ *
+ * Convert a #gnutls_ecc_curve_t value to a string.
+ *
+ * Returns: a string that contains the name of the specified
+ * curve or %NULL.
+ *
+ * Since: 3.0
+ **/
+const char *
+gnutls_ecc_curve_get_name (gnutls_ecc_curve_t curve)
+{
+ const char *ret = NULL;
+
+ GNUTLS_ECC_CURVE_LOOP(
+ if (p->id == curve)
+ {
+ ret = p->name;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/*-
+ * _gnutls_ecc_curve_get_oid:
+ * @curve: is an ECC curve
+ *
+ * Convert a #gnutls_ecc_curve_t value to a string.
+ *
+ * Returns: a string that contains the name of the specified
+ * curve or %NULL.
+ -*/
+const char *
+_gnutls_ecc_curve_get_oid (gnutls_ecc_curve_t curve)
+{
+ const char *ret = NULL;
+
+ GNUTLS_ECC_CURVE_LOOP(
+ if (p->id == curve)
+ {
+ ret = p->oid;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/*-
+ * _gnutls_ecc_curve_get_params:
+ * @curve: is an ECC curve
+ *
+ * Returns the information on a curve.
+ *
+ * Returns: a pointer to #gnutls_ecc_curve_entry_st or %NULL.
+ -*/
+const gnutls_ecc_curve_entry_st *
+_gnutls_ecc_curve_get_params (gnutls_ecc_curve_t curve)
+{
+ const gnutls_ecc_curve_entry_st *ret = NULL;
+
+ GNUTLS_ECC_CURVE_LOOP(
+ if (p->id == curve)
+ {
+ ret = p;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/**
+ * gnutls_ecc_curve_get_size:
+ * @curve: is an ECC curve
+ *
+ * Returns the size in bytes of the curve.
+ *
+ * Returns: a the size or (0).
+ *
+ * Since: 3.0
+ **/
+int gnutls_ecc_curve_get_size (gnutls_ecc_curve_t curve)
+{
+ int ret = 0;
+
+ GNUTLS_ECC_CURVE_LOOP(
+ if (p->id == curve)
+ {
+ ret = p->size;
+ break;
+ }
+ );
+
+ return ret;
+}
diff --git a/SOURCES/gnutls-2.12.21-fips-algorithms.patch b/SOURCES/gnutls-2.12.21-fips-algorithms.patch
new file mode 100644
index 0000000..f40af01
--- /dev/null
+++ b/SOURCES/gnutls-2.12.21-fips-algorithms.patch
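Review bot: `_gnutls_ecc_bits_to_curve` starts `ret` at `GNUTLS_ECC_CURVE_SECP224R1`, a curve this hobbled table no longer contains (only SECP256R1 and SECP384R1 are listed), so any `bits` above 384 returns an id that `_gnutls_ecc_curve_get_params`, `gnutls_ecc_curve_get_name` and `gnutls_ecc_curve_get_size` in the same file resolve to NULL/0, and the doc comment's own promise of `%GNUTLS_ECC_CURVE_INVALID` on error is not kept. Initializing it like the sibling lookups, `gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;`, lets callers' existing error checks apply; if the intent is "largest available curve", the loop should remember the last entry instead of falling back to a hard-coded id. Separately, `_gnutls_oid_to_ecc_curve` and `_gnutls_ecc_curve_get_id` hand `oid`/`name` straight to `strcasecmp`, so a NULL argument dereferences, whereas every other lookup in this file is total over its integer input; a guard `if (oid == NULL) return ret;` at the top keeps them consistent. The table is NUL-name terminated via `{0, 0, 0}` and `GNUTLS_ECC_CURVE_LOOP` stops on `p->name != NULL`, so the sentinel must remain the last entry whenever curves are added back.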
@@ -0,0 +1,209 @@
+diff -up gnutls-2.12.21/lib/gcrypt/init.c.fips gnutls-2.12.21/lib/gcrypt/init.c
+--- gnutls-2.12.21/lib/gcrypt/init.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.21/lib/gcrypt/init.c 2012-11-09 19:57:54.651624659 +0100
+@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
+ .recvmsg = NULL,
+ };
+
++int gnutls_gcrypt_fips;
++
+ int
+ gnutls_crypto_init (void)
+ {
+@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
+ return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
+ }
+
++ gnutls_gcrypt_fips = gcry_fips_mode_active();
++
+ /* for gcrypt in order to be able to allocate memory */
+ gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
+
+diff -up gnutls-2.12.21/lib/gnutls_algorithms.c.fips gnutls-2.12.21/lib/gnutls_algorithms.c
+--- gnutls-2.12.21/lib/gnutls_algorithms.c.fips 2012-01-06 20:06:23.000000000 +0100
++++ gnutls-2.12.21/lib/gnutls_algorithms.c 2012-11-28 14:19:34.507948036 +0100
+@@ -44,11 +44,11 @@ typedef struct
+ } gnutls_sec_params_entry;
+
+ static const gnutls_sec_params_entry sec_params[] = {
+- {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128},
+- {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
+- {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
+- {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
+- {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
++ {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 1024, 1024, 128, 128},
++ {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1280, 2048, 160, 160},
++ {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2560, 3072, 224, 224},
++ {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3328, 3072, 256, 256},
++ {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15616, 3072, 512, 512},
+ {NULL, 0, 0, 0, 0, 0}
+ };
+
+diff -up gnutls-2.12.21/lib/gnutls_priority.c.fips gnutls-2.12.21/lib/gnutls_priority.c
+--- gnutls-2.12.21/lib/gnutls_priority.c.fips 2012-11-08 17:11:11.000000000 +0100
++++ gnutls-2.12.21/lib/gnutls_priority.c 2012-11-09 19:57:54.651624659 +0100
+@@ -30,6 +30,7 @@
+ #include "gnutls_algorithms.h"
+ #include "gnutls_errors.h"
+ #include
++#include
+
+ static void
+ break_comma_list (char *etag,
+@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
+ 0
+ };
+
++static const int protocol_priority_fips[] = {
++ GNUTLS_TLS1_2,
++ GNUTLS_TLS1_1,
++ GNUTLS_TLS1_0,
++ 0
++};
++
+ static const int kx_priority_performance[] = {
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA,
+@@ -269,6 +277,13 @@ static const int cipher_priority_perform
+ 0
+ };
+
++static const int cipher_priority_performance_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ 0
++};
++
+ static const int cipher_priority_normal[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
+ 0
+ };
+
++static const int cipher_priority_normal_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ static const int cipher_priority_secure128[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+ #ifdef ENABLE_CAMELLIA
+@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
+ 0
+ };
+
++static const int cipher_priority_secure128_fips[] = {
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
+
+ static const int cipher_priority_secure256[] = {
+ GNUTLS_CIPHER_AES_256_CBC,
+@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
+ 0
+ };
+
++static const int cipher_priority_secure256_fips[] = {
++ GNUTLS_CIPHER_AES_256_CBC,
++ GNUTLS_CIPHER_AES_128_CBC,
++ GNUTLS_CIPHER_3DES_CBC,
++ 0
++};
++
+ /* The same as cipher_priority_security_normal + arcfour-40. */
+ static const int cipher_priority_export[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
+ 0
+ };
+
++static const int mac_priority_normal_fips[] = {
++ GNUTLS_MAC_SHA1,
++ GNUTLS_MAC_SHA256,
++ 0
++};
++
+
+ static const int mac_priority_secure[] = {
+ GNUTLS_MAC_SHA256,
+@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
+
+ #define MAX_ELEMENTS 48
+
++extern int gnutls_gcrypt_fips;
++
+ /**
+ * gnutls_priority_init:
+ * @priority_cache: is a #gnutls_prioritity_t structure.
+@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
+ */
+ if (strcasecmp (broken_list[0], "NONE") != 0)
+ {
+- _set_priority (&(*priority_cache)->protocol, protocol_priority);
++ _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ _set_priority (&(*priority_cache)->compression, comp_priority);
+ _set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
+ _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
+@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
+ if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_performance);
++ gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
+ _set_priority (&(*priority_cache)->kx, kx_priority_performance);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+ else if (strcasecmp (broken_list[i], "NORMAL") == 0)
+ {
+- _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
++ _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+- _set_priority (&(*priority_cache)->mac, mac_priority_normal);
++ _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
+ _set_priority (&(*priority_cache)->sign_algo,
+ sign_priority_default);
+ }
+@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
+ || strcasecmp (broken_list[i], "SECURE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure256);
++ gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strcasecmp (broken_list[i], "SECURE128") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher,
+- cipher_priority_secure128);
++ gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ _set_priority (&(*priority_cache)->sign_algo,
+@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
+ if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
+ {
+ bulk_fn (&(*priority_cache)->protocol,
+- protocol_priority);
++ gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
+ }
+ else
+ {
+@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
+ else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
+ {
+ bulk_fn (&(*priority_cache)->cipher,
+- cipher_priority_normal);
++ gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
+ }
+ else
+ goto error;
diff --git a/SOURCES/gnutls-3.1.10-tests-rndport.patch b/SOURCES/gnutls-3.1.10-tests-rndport.patch
new file mode 100644
index 0000000..6fe2236
--- /dev/null
+++ b/SOURCES/gnutls-3.1.10-tests-rndport.patch
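Review bot: The selection `gnutls_gcrypt_fips?X_fips:X` is pasted into eight `_set_priority`/`bulk_fn` calls inside `gnutls_priority_init`, and the flag reaches that file through an ad-hoc `extern int gnutls_gcrypt_fips;` dropped after `#define MAX_ELEMENTS 48` rather than a header, so the next list added to this function can miss the gate with no help from the compiler. A token-pasting helper keeps every site identical, e.g. `#define FIPS_LIST(l) (gnutls_gcrypt_fips ? (l##_fips) : (l))` used as `_set_priority (&(*priority_cache)->cipher, FIPS_LIST (cipher_priority_normal));`. The variable is also a new non-static symbol without the library's `_gnutls_` prefix, so unless the linker version script hides it, it becomes part of the exported ABI; `_gnutls_gcrypt_fips` declared in the gcrypt backend's header would be the conventional form. The `kx` lists and the `SECURE*` MAC paths are not gated at all, and whether those lists hold non-approved algorithms cannot be seen from this hunk; note too that the spec later in this commit keeps `%patch7` commented out, so this patch is carried but not applied.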
@@ -0,0 +1,24 @@
+diff -up gnutls-3.1.10/tests/dsa/testdsa.rndport gnutls-3.1.10/tests/dsa/testdsa
+--- gnutls-3.1.10/tests/dsa/testdsa.rndport 2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/tests/dsa/testdsa 2013-03-26 15:50:38.973561603 +0100
+@@ -23,7 +23,7 @@
+ srcdir="${srcdir:-.}"
+ SERV="${SERV:-../../src/gnutls-serv} -q"
+ CLI="${CLI:-../../src/gnutls-cli}"
+-PORT="${PORT:-5559}"
++PORT="${PORT:-$((RANDOM+5000))}"
+ DEBUG=""
+ unset RETCODE
+
+diff -up gnutls-3.1.10/tests/openpgp-certs/testcerts.rndport gnutls-3.1.10/tests/openpgp-certs/testcerts
+--- gnutls-3.1.10/tests/openpgp-certs/testcerts.rndport 2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/tests/openpgp-certs/testcerts 2013-03-26 15:52:33.207007952 +0100
+@@ -23,7 +23,7 @@
+ srcdir="${srcdir:-.}"
+ SERV="${SERV:-../../src/gnutls-serv} -q"
+ CLI="${CLI:-../../src/gnutls-cli}"
+-PORT="${PORT:-5557}"
++PORT="${PORT:-$((RANDOM+5000))}"
+ DEBUG=""
+
+ if test "${WINDIR}" != "";then
diff --git a/SOURCES/gnutls-3.1.11-nosrp.patch b/SOURCES/gnutls-3.1.11-nosrp.patch
new file mode 100644
index 0000000..29227c0
--- /dev/null
+++ b/SOURCES/gnutls-3.1.11-nosrp.patch
@@ -0,0 +1,12 @@
+diff -up gnutls-3.1.10/tests/srp/mini-srp.c.noecc gnutls-3.1.10/tests/srp/mini-srp.c
+--- gnutls-3.1.10/tests/srp/mini-srp.c.noecc 2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/tests/srp/mini-srp.c 2013-03-25 13:42:20.753422209 +0100
+@@ -27,7 +27,7 @@
+ #include
+ #include
+
+-#if defined(_WIN32)
++#if defined(_WIN32) || !defined(ENABLE_SRP)
+
+ int main()
+ {
diff --git a/SOURCES/gnutls-3.1.11-suiteb.patch b/SOURCES/gnutls-3.1.11-suiteb.patch
new file mode 100644
index 0000000..c4dd390
--- /dev/null
+++ b/SOURCES/gnutls-3.1.11-suiteb.patch
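Review bot: `$((RANDOM+5000))` depends on `RANDOM`, a bash/ksh extension that POSIX `sh` does not provide; under a plain `sh` the variable is empty, the arithmetic evaluates to 5000, and both `testdsa` and `testcerts` bind the same fixed port, which is precisely the build-time collision this patch sets out to remove. The shebang of the two scripts is outside the hunks, so whether they are guaranteed to run under bash cannot be seen here. A form that still varies per process under any shell, `PORT="${PORT:-$(( ${RANDOM:-$$} % 30000 + 5000 ))}"`, keeps the intent and applies unchanged to both hunks of this patch. The chosen port is never checked for being free, so a retry around the `SERV` launch (outside these hunks) would be the complete fix.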
@@ -0,0 +1,119 @@
+diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
+--- gnutls-3.1.11/lib/gnutls_ecc.c.suiteb 2013-04-27 10:04:48.000000000 +0200
++++ gnutls-3.1.11/lib/gnutls_ecc.c 2013-05-23 10:08:45.331883555 +0200
+@@ -129,6 +129,12 @@ int ret;
+ goto cleanup;
+ }
+ params->params_nr++;
++
++ if (_gnutls_mpi_get_nbits(params->params[ECC_PRIME]) < 256)
++ {
++ ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
++ goto cleanup;
++ }
+
+ val_size = sizeof(val);
+ ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size);
+diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c
+--- gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb 2013-04-27 10:04:48.000000000 +0200
++++ gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c 2013-05-23 10:24:56.575967312 +0200
+@@ -42,6 +42,7 @@ typedef struct
+
+ /* global cache */
+ static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL;
++static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache_last = NULL;
+
+ /* free single cache entry */
+ static void
+@@ -63,9 +64,10 @@ ecc_wmnaf_cache_free (void)
+ gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache;
+ if (p)
+ {
+- for (; p->id != GNUTLS_ECC_CURVE_INVALID; ++p)
++ for (; p <= ecc_wmnaf_cache_last; ++p)
+ {
+- _ecc_wmnaf_cache_entry_free (p);
++ if (p->id != GNUTLS_ECC_CURVE_INVALID)
++ _ecc_wmnaf_cache_entry_free (p);
+ }
+
+ free (ecc_wmnaf_cache);
+@@ -198,7 +200,7 @@ ecc_wmnaf_cache_init (void)
+ const gnutls_ecc_curve_t *p;
+
+ ret = (gnutls_ecc_curve_cache_entry_t *)
+- malloc (MAX_ALGOS * sizeof (gnutls_ecc_curve_cache_entry_t));
++ calloc (MAX_ALGOS, sizeof (gnutls_ecc_curve_cache_entry_t));
+ if (ret == NULL)
+ return GNUTLS_E_MEMORY_ERROR;
+
+@@ -207,12 +209,16 @@ ecc_wmnaf_cache_init (void)
+
+ for (j = 0; *p; ++p, ++j)
+ {
+- if ((err = _ecc_wmnaf_cache_entry_init (ret + *p - 1, *p)) != 0)
++ gnutls_ecc_curve_cache_entry_t *entry;
++
++ entry = ret + *p - 1;
++ if ((err = _ecc_wmnaf_cache_entry_init (entry, *p)) != 0)
+ goto done;
++ if (ecc_wmnaf_cache_last < entry)
++ ecc_wmnaf_cache_last = entry;
+ }
+
+- /* nullify last cache entry id */
+- ret[j].id = GNUTLS_ECC_CURVE_INVALID;
++ /* no need to nullify last cache entry id, done by calloc */
+
+ err = GNUTLS_E_SUCCESS;
+
+@@ -223,7 +229,8 @@ done:
+ int i;
+ for (i = 0; i < j; ++i)
+ {
+- _ecc_wmnaf_cache_entry_free (ret + i);
++ --p;
++ _ecc_wmnaf_cache_entry_free (ret + *p - 1);
+ }
+
+ free (ret);
+@@ -445,9 +452,11 @@ ecc_mulmod_cached_lookup (mpz_t k, ecc_p
+ if (k == NULL || G == NULL || R == NULL || modulus == NULL)
+ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+
+- for (i = 0; (id = ecc_wmnaf_cache[i].id); ++i)
++ for (i = 0; ecc_wmnaf_cache + i <= ecc_wmnaf_cache_last; ++i)
+ {
+- if (!(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
++ id = ecc_wmnaf_cache[i].id;
++ if (id &&
++ !(mpz_cmp (G->x, ecc_wmnaf_cache[i].pos[0]->x)) &&
+ !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y)))
+ {
+ break;
+diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
+--- gnutls-3.1.11/tests/mini-xssl.c.suiteb 2013-05-10 10:10:27.000000000 +0200
++++ gnutls-3.1.11/tests/mini-xssl.c 2013-05-23 11:58:22.670298910 +0200
+@@ -27,7 +27,8 @@
+ #include
+ #include
+
+-#if defined(_WIN32)
++/* uses unsupported curves */
++#if 1
+
+ int main()
+ {
+diff -up gnutls-3.1.11/tests/pkcs12_simple.c.suiteb gnutls-3.1.11/tests/pkcs12_simple.c
+--- gnutls-3.1.11/tests/pkcs12_simple.c.suiteb 2013-05-10 10:10:27.000000000 +0200
++++ gnutls-3.1.11/tests/pkcs12_simple.c 2013-05-23 11:57:59.776799848 +0200
+@@ -50,6 +50,9 @@ doit (void)
+ gnutls_x509_privkey_t pkey;
+ int ret;
+
++ /* uses unsupported curves */
++ exit(77);
++
+ ret = global_init ();
+ if (ret < 0)
+ fail ("global_init failed %d\n", ret);
diff --git a/SOURCES/gnutls-3.1.7-rpath.patch b/SOURCES/gnutls-3.1.7-rpath.patch
new file mode 100644
index 0000000..d087db9
--- /dev/null
+++ b/SOURCES/gnutls-3.1.7-rpath.patch
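Review bot: `ecc_wmnaf_cache_last` is left pointing into freed memory on both paths that release the cache: the `done:` rollback in `ecc_wmnaf_cache_init` calls `free (ret)` after the loop may already have stored `entry` into it, and nothing in the `ecc_wmnaf_cache_free` hunk resets it after `free (ecc_wmnaf_cache)` (the function's tail is outside the hunk, so a reset there cannot be ruled out). Because `ecc_wmnaf_cache_last` now bounds the loops in `ecc_wmnaf_cache_free` and `ecc_mulmod_cached_lookup`, a stale value on the next init makes `ecc_wmnaf_cache_last < entry` compare pointers into different allocations, which is undefined and can leave the bound either too short (entries never freed or looked up) or past the new block (out-of-bounds reads of curve tables); the very first comparison against the initial NULL is likewise a relational comparison the standard does not define. The lookup loop also changed its exit contract: on a miss `id` now holds the last examined entry's id rather than 0, so if the code after the loop (outside the hunk) still treats a non-zero `id` as a hit, a point on an uncached curve would be multiplied against another curve's precomputed table. Resetting the bound wherever the block is freed, guarding the NULL case, and clearing `id` when the loop runs off the end addresses all three.
```c
/* ecc_wmnaf_cache_init(): … unchanged: allocation and loop head … */
          if (ecc_wmnaf_cache_last == NULL || ecc_wmnaf_cache_last < entry)
            ecc_wmnaf_cache_last = entry;
/* … unchanged: success path … */
done:
  /* … unchanged: per-entry rollback loop … */
  free (ret);
  ecc_wmnaf_cache_last = NULL;   /* ret is gone; never keep a bound into freed memory */

/* ecc_wmnaf_cache_free(): … unchanged: per-entry loop … */
  free (ecc_wmnaf_cache);
  ecc_wmnaf_cache_last = NULL;

/* ecc_mulmod_cached_lookup(): … unchanged: search loop … */
  if (ecc_wmnaf_cache + i > ecc_wmnaf_cache_last)
    id = 0;   /* ran off the end: a miss, not a hit on the last entry */
```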
@@ -0,0 +1,39 @@ +diff -up gnutls-3.1.7/configure.rpath gnutls-3.1.7/configure +--- gnutls-3.1.7/configure.rpath 2013-02-04 02:40:23.000000000 +0100 ++++ gnutls-3.1.7/configure 2013-02-05 21:04:57.128932440 +0100 +@@ -48519,7 +48519,7 @@ shlibpath_var= + shlibpath_overrides_runpath=unknown + version_type=none + dynamic_linker="$host_os ld.so" +-sys_lib_dlsearch_path_spec="/lib /usr/lib" ++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -48962,7 +48962,7 @@ fi + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` +- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" ++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on +@@ -52353,7 +52353,7 @@ shlibpath_var= + shlibpath_overrides_runpath=unknown + version_type=none + dynamic_linker="$host_os ld.so" +-sys_lib_dlsearch_path_spec="/lib /usr/lib" ++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64" + need_lib_prefix=unknown + hardcode_into_libs=no + +@@ -52794,7 +52794,7 @@ fi + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` +- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" ++ sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on 
diff --git a/SOURCES/hobble-gnutls b/SOURCES/hobble-gnutls new file mode 100755 index 0000000..8b9633d --- /dev/null +++ b/SOURCES/hobble-gnutls @@ -0,0 +1,19 @@ +#!/bin/sh +set -x + +if [ "$1" = "-e" ] ; then + CMD="cat < /dev/null >" +else + CMD="rm -f" +fi + +# SRP +for f in auth_srp_sb64.c auth_srp_passwd.c auth_srp_rsa.c \ + gnutls_srp.c auth_srp.c ext_srp.c ; do + eval "$CMD lib/$f" +done + +# ECC +for f in ecc.c ; do + eval "$CMD lib/algorithms/$f" +done diff --git a/SOURCES/libgnutls-config b/SOURCES/libgnutls-config new file mode 100755 index 0000000..8970bf4 --- /dev/null +++ b/SOURCES/libgnutls-config @@ -0,0 +1,91 @@ +#!/bin/sh + +prefix=/usr +exec_prefix=/usr +exec_prefix_set=no + +name=`basename $0` +name=${name#lib} +name=${name%-config} + +libs=`pkg-config --libs $name` +cflags=`pkg-config --cflags $name` +version=`pkg-config --modversion $name` + +usage() +{ + +echo Usage: lib$name-config [OPTIONS] + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + if test $exec_prefix_set = no ; then + exec_prefix=$optarg + fi + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + exec_prefix_set=yes + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --version) + echo $version + exit 0 + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + --help) + usage 0 + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_cflags" = "yes"; then + echo $cflags +fi + +if test "$echo_libs" = "yes"; then + echo $libs +fi diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec new file mode 100644 index 0000000..01b1542 --- /dev/null +++ b/SPECS/gnutls.spec 
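Review bot: `hobble-gnutls` runs `eval "$CMD lib/$f"` with `rm -f` (or `cat < /dev/null >` under `-e`) and no `set -e`, so if upstream renames or moves one of the listed SRP or ECC files the command silently does nothing and the build proceeds with the code the script exists to strip; given that the spec relies on this script to produce the "hobbled" tree, a missing file should be fatal. Adding `set -e` next to `set -x` and a presence check before each `eval`, e.g. `test -f "lib/$f" || { echo "hobble-gnutls: lib/$f not found" >&2; exit 1; }`, turns a silent no-op into a build failure; the same applies to the `lib/algorithms/$f` loop. The file names are fixed literals, so the `eval` itself is not reachable by untrusted input, but a plain `$CMD "lib/$f"` call would make that obvious without `eval`.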
@@ -0,0 +1,600 @@ +%bcond_without dane +%bcond_with guile +Summary: A TLS protocol implementation +Name: gnutls +Version: 3.1.16 +Release: 1%{?dist} +# The libraries are LGPLv2.1+, utilities are GPLv3+, however +# the bundled gnulib is LGPLv3+ +License: GPLv3+ and LGPLv2+ and LGPLv3+ +Group: System Environment/Libraries +BuildRequires: p11-kit-devel >= 0.11, gettext +BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.1 +BuildRequires: lzo-devel, libtool, automake, autoconf, texinfo +BuildRequires: nettle-devel >= 2.5 +%if %{with dane} +BuildRequires: unbound-devel +%endif +%if %{with guile} +BuildRequires: guile-devel +%endif +URL: http://www.gnutls.org/ +#Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz +#Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig +# XXX patent tainted code removed. +Source0: %{name}-%{version}-hobbled.tar.xz +Source1: libgnutls-config +Source2: hobble-gnutls +Source3: ecc.c +Patch1: gnutls-3.1.7-rpath.patch +# Use only FIPS approved ciphers in the FIPS mode +Patch7: gnutls-2.12.21-fips-algorithms.patch +Patch8: gnutls-3.1.11-nosrp.patch +# Use random port in some tests to avoid conflicts during simultaneous builds on the same machine +Patch9: gnutls-3.1.10-tests-rndport.patch +Patch10: gnutls-3.1.11-suiteb.patch + +# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174 +Provides: bundled(gnulib) = 20130424 + +%package c++ +Summary: The C++ interface to GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} + +%package devel +Summary: Development files for the %{name} package +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-c++%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif +Requires: pkgconfig +Requires(post): /sbin/install-info +Requires(preun): /sbin/install-info + +%package utils +License: GPLv3+ +Summary: Command line tools for TLS protocol 
+Group: Applications/System +Requires: %{name}%{?_isa} = %{version}-%{release} +%if %{with dane} +Requires: %{name}-dane%{?_isa} = %{version}-%{release} +%endif + +%if %{with dane} +%package dane +Summary: A DANE protocol implementation for GnuTLS +Requires: %{name}%{?_isa} = %{version}-%{release} +%endif + +%if %{with guile} +%package guile +Summary: Guile bindings for the GNUTLS library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: guile +%endif + +%description +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. + +%description c++ +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. +This package contains the C++ interface for the GnuTLS library. + +%description devel +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. +This package contains files needed for developing applications with +the GnuTLS library. + +%description utils +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. +This package contains command line TLS client and server and certificate +manipulation tools. + +%if %{with dane} +%description dane +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. 
+This package contains library that implements the DANE protocol for verifying +TLS certificates through DNSSEC. +%endif + +%if %{with guile} +%description guile +GnuTLS is a project that aims to develop a library which provides a secure +layer, over a reliable transport layer. Currently the GnuTLS library implements +the proposed standards by the IETF's TLS working group. +This package contains Guile bindings for the library. +%endif + +%prep +%setup -q + +%patch1 -p1 -b .rpath +# This patch is not applicable as we use nettle now but some parts will be +# later reused. +#%patch7 -p1 -b .fips +%patch8 -p1 -b .nosrp +%patch9 -p1 -b .rndport +%patch10 -p1 -b .suiteb + +%{SOURCE2} -e + +cp -f %{SOURCE3} lib/algorithms + +%build + +export LDFLAGS="-Wl,--no-add-needed" + +%configure --with-libtasn1-prefix=%{_prefix} \ + --with-included-libcfg \ + --disable-static \ + --disable-openssl-compatibility \ + --disable-srp-authentication \ +%if %{with guile} + --enable-guile \ +%ifarch %{arm} + --disable-largefile \ +%endif +%else + --disable-guile \ +%endif +%if %{with dane} + --enable-dane \ +%else + --disable-dane \ +%endif + --disable-rpath +# Note that the arm hack above is not quite right and the proper thing would +# be to compile guile with largefile support. 
+make + +%install +make install DESTDIR=$RPM_BUILD_ROOT +rm -f $RPM_BUILD_ROOT%{_bindir}/srptool +rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt +cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config +cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-extra-config +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp* +rm -f $RPM_BUILD_ROOT%{_infodir}/dir +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libguile*.a +%if %{without dane} +rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc +%endif + +%find_lang gnutls + +%check +make check + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post c++ -p /sbin/ldconfig + +%postun c++ -p /sbin/ldconfig + +%post devel +if [ -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%preun devel +if [ $1 = 0 -a -f %{_infodir}/gnutls.info.gz ]; then + /sbin/install-info --delete %{_infodir}/gnutls.info.gz %{_infodir}/dir || : +fi + +%if %{with dane} +%post dane -p /sbin/ldconfig + +%postun dane -p /sbin/ldconfig +%endif + +%if %{with guile} +%post guile -p /sbin/ldconfig + +%postun guile -p /sbin/ldconfig +%endif + +%files -f gnutls.lang +%defattr(-,root,root,-) +%{_libdir}/libgnutls.so.28* +%{_libdir}/libgnutls-xssl.so.0* +%doc COPYING COPYING.LESSER README AUTHORS NEWS THANKS + +%files c++ +%{_libdir}/libgnutlsxx.so.* + +%files devel +%defattr(-,root,root,-) +%{_bindir}/libgnutls*-config +%{_includedir}/* +%{_libdir}/libgnutls*.so +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* +%{_infodir}/gnutls* +%{_infodir}/pkcs11-vision* + +%files utils +%defattr(-,root,root,-) +%{_bindir}/certtool +%{_bindir}/ocsptool +%{_bindir}/psktool +%{_bindir}/p11tool +%if %{with dane} +%{_bindir}/danetool +%endif +%{_bindir}/gnutls* +%{_mandir}/man1/* +%doc doc/certtool.cfg + +%if %{with dane} +%files dane +%defattr(-,root,root,-) +%{_libdir}/libgnutls-dane.so.* +%endif + +%if %{with guile} +%files guile 
+%defattr(-,root,root,-)
+%{_libdir}/libguile*.so*
+%{_datadir}/guile/site/gnutls
+%{_datadir}/guile/site/gnutls.scm
+%endif
+
+%changelog
+* Tue Nov 5 2013 Tomáš Mráz 3.1.16-1
+- new upstream release
+- fixes CVE-2013-4466 off-by-one in dane_query_tlsa()
+
+* Tue Oct 29 2013 Tomáš Mráz 3.1.15-1
+- new upstream release
+- fixes CVE-2013-4466 buffer overflow in handling DANE entries
+
+* Mon Jul 15 2013 Tomáš Mráz 3.1.13-1
+- new upstream release
+
+* Thu May 23 2013 Tomáš Mráz 3.1.11-1
+- new upstream release
+- enable ECC NIST Suite B curves
+
+* Mon Mar 25 2013 Tomas Mraz 3.1.10-1
+- new upstream release
+- license of the library is back to LGPLv2.1+
+
+* Fri Mar 15 2013 Tomas Mraz 3.1.9-1
+- new upstream release
+
+* Thu Mar 7 2013 Tomas Mraz 3.1.8-3
+- drop the temporary old library
+
+* Tue Feb 26 2013 Tomas Mraz 3.1.8-2
+- don't send ECC algos as supported (#913797)
+
+* Thu Feb 21 2013 Tomas Mraz 3.1.8-1
+- new upstream version
+
+* Wed Feb 6 2013 Tomas Mraz 3.1.7-1
+- new upstream version, requires rebuild of dependencies
+- this release temporarily includes old compatibility .so
+
+* Tue Feb 5 2013 Tomas Mraz 2.12.22-2
+- rebuilt with new libtasn1
+- make guile bindings optional - breaks i686 build and there is
+ no dependent package
+
+* Tue Jan 8 2013 Tomas Mraz 2.12.22-1
+- new upstream version
+
+* Wed Nov 28 2012 Tomas Mraz 2.12.21-2
+- use RSA bit sizes supported by libgcrypt in FIPS mode for security
+ levels (#879643)
+
+* Fri Nov 9 2012 Tomas Mraz 2.12.21-1
+- new upstream version
+
+* Thu Nov 1 2012 Tomas Mraz 2.12.20-4
+- negotiate only FIPS approved algorithms in the FIPS mode (#871826)
+
+* Wed Aug 8 2012 Tomas Mraz 2.12.20-3
+- fix the gnutls-cli-debug manpage - patch by Peter Schiffer
+
+* Thu Jul 19 2012 Fedora Release Engineering - 2.12.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 18 2012 Tomas Mraz 2.12.20-1
+- new upstream version
+
+* Fri May 18 2012 Tomas Mraz 2.12.19-1
+- new upstream version
+
+* Thu Mar 29 2012 Tomas Mraz 2.12.18-1
+- new upstream version
+
+* Thu Mar 8 2012 Tomas Mraz 2.12.17-1
+- new upstream version
+- fix leaks in key generation (#796302)
+
+* Fri Feb 03 2012 Kevin Fenzi - 2.12.14-3
+- Disable largefile on arm arch. (#787287)
+
+* Fri Jan 13 2012 Fedora Release Engineering - 2.12.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Nov 8 2011 Tomas Mraz 2.12.14-1
+- new upstream version
+
+* Mon Oct 24 2011 Tomas Mraz 2.12.12-1
+- new upstream version
+
+* Thu Sep 29 2011 Tomas Mraz 2.12.11-1
+- new upstream version
+
+* Fri Aug 26 2011 Tomas Mraz 2.12.9-1
+- new upstream version
+
+* Tue Aug 16 2011 Tomas Mraz 2.12.8-1
+- new upstream version
+
+* Mon Jul 25 2011 Tomas Mraz 2.12.7-2
+- fix problem when using new libgcrypt
+- split libgnutlsxx to a subpackage (#455146)
+- drop libgnutls-openssl (#460310)
+
+* Tue Jun 21 2011 Tomas Mraz 2.12.7-1
+- new upstream version
+
+* Mon May 9 2011 Tomas Mraz 2.12.4-1
+- new upstream version
+
+* Tue Apr 26 2011 Tomas Mraz 2.12.3-1
+- new upstream version
+
+* Mon Apr 18 2011 Tomas Mraz 2.12.2-1
+- new upstream version
+
+* Thu Mar 3 2011 Tomas Mraz 2.10.5-1
+- new upstream version
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.10.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 8 2010 Tomas Mraz 2.10.4-1
+- new upstream version
+
+* Thu Dec 2 2010 Tomas Mraz 2.10.3-2
+- fix buffer overflow in gnutls-serv (#659259)
+
+* Fri Nov 19 2010 Tomas Mraz 2.10.3-1
+- new upstream version
+
+* Thu Sep 30 2010 Tomas Mraz 2.10.2-1
+- new upstream version
+
+* Wed Sep 29 2010 jkeating - 2.10.1-4
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Tomas Mraz 2.10.1-3
+- more patching for internal errors regression (#629858)
+ patch by Vivek Dasmohapatra
+
+* Tue Sep 21 2010 Tomas Mraz 2.10.1-2
+- backported patch from upstream git hopefully fixing internal errors
+ (#629858)
+
+* Wed Aug 4 2010 Tomas Mraz 2.10.1-1
+- new upstream version
+
+* Wed Jun 2 2010 Tomas Mraz 2.8.6-2
+- add support for safe renegotiation CVE-2009-3555 (#533125)
+
+* Wed May 12 2010 Tomas Mraz 2.8.6-1
+- upgrade to a new upstream version
+
+* Mon Feb 15 2010 Rex Dieter 2.8.5-4
+- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624)
+
+* Thu Jan 28 2010 Tomas Mraz 2.8.5-3
+- drop superfluous rpath from binaries
+- do not call autoreconf during build
+- specify the license on utils subpackage
+
+* Mon Jan 18 2010 Tomas Mraz 2.8.5-2
+- do not create static libraries (#556052)
+
+* Mon Nov 2 2009 Tomas Mraz 2.8.5-1
+- upgrade to a new upstream version
+
+* Wed Sep 23 2009 Tomas Mraz 2.8.4-1
+- upgrade to a new upstream version
+
+* Fri Aug 14 2009 Tomas Mraz 2.8.3-1
+- upgrade to a new upstream version
+
+* Fri Jul 24 2009 Fedora Release Engineering - 2.8.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 10 2009 Tomas Mraz 2.8.1-1
+- upgrade to a new upstream version
+
+* Wed Jun 3 2009 Tomas Mraz 2.8.0-1
+- upgrade to a new upstream version
+
+* Mon May 4 2009 Tomas Mraz 2.6.6-1
+- upgrade to a new upstream version - security fixes
+
+* Tue Apr 14 2009 Tomas Mraz 2.6.5-1
+- upgrade to a new upstream version, minor bugfixes only
+
+* Fri Mar 6 2009 Tomas Mraz 2.6.4-1
+- upgrade to a new upstream version
+
+* Tue Feb 24 2009 Fedora Release Engineering - 2.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 15 2008 Tomas Mraz 2.6.3-1
+- upgrade to a new upstream version
+
+* Thu Dec 4 2008 Tomas Mraz 2.6.2-1
+- upgrade to a new upstream version
+
+* Tue Nov 11 2008 Tomas Mraz 2.4.2-3
+- fix chain verification issue CVE-2008-4989 (#470079)
+
+* Thu Sep 25 2008 Tomas Mraz 2.4.2-2
+- add guile subpackage (#463735)
+- force new libtool through autoreconf to drop unnecessary rpaths
+
+* Tue Sep 23 2008 Tomas Mraz 2.4.2-1
+- new upstream version
+
+* Tue Jul 1 2008 Tomas Mraz 2.4.1-1
+- new upstream version
+- correct the license tag
+- explicit --with-included-opencdk not needed
+- use external lzo library, internal not included anymore
+
+* Tue Jun 24 2008 Tomas Mraz 2.4.0-1
+- upgrade to latest upstream
+
+* Tue May 20 2008 Tomas Mraz 2.0.4-3
+- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
+ (#447461, #447462, #447463)
+
+* Mon Feb 4 2008 Joe Orton 2.0.4-2
+- use system libtasn1
+
+* Tue Dec 4 2007 Tomas Mraz 2.0.4-1
+- upgrade to latest upstream
+
+* Tue Aug 21 2007 Tomas Mraz 1.6.3-2
+- license tag fix
+
+* Wed Jun 6 2007 Tomas Mraz 1.6.3-1
+- upgrade to latest upstream (#232445)
+
+* Tue Apr 10 2007 Tomas Mraz 1.4.5-2
+- properly require install-info (patch by Ville Skyttä)
+- standard buildroot and use dist tag
+- add COPYING and README to doc
+
+* Wed Feb 7 2007 Tomas Mraz 1.4.5-1
+- new upstream version
+- drop libtermcap-devel from buildrequires
+
+* Thu Sep 14 2006 Tomas Mraz 1.4.1-2
+- detect forged signatures - CVE-2006-4790 (#206411), patch
+ from upstream
+
+* Tue Jul 18 2006 Tomas Mraz - 1.4.1-1
+- upgrade to new upstream version, only minor changes
+
+* Wed Jul 12 2006 Jesse Keating - 1.4.0-1.1
+- rebuild
+
+* Wed Jun 14 2006 Tomas Mraz - 1.4.0-1
+- upgrade to new upstream version (#192070), rebuild
+ of dependent packages required
+
+* Tue May 16 2006 Tomas Mraz - 1.2.10-2
+- added missing buildrequires
+
+* Mon Feb 13 2006 Tomas Mraz - 1.2.10-1
+- updated to new version (fixes CVE-2006-0645)
+
+* Fri Feb 10 2006 Jesse Keating - 1.2.9-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1.2.9-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 3 2006 Jesse Keating 1.2.9-3
+- rebuilt
+
+* Fri Dec 9 2005 Tomas Mraz 1.2.9-2
+- replaced *-config scripts with calls to pkg-config to
+ solve multilib conflicts
+
+* Wed Nov 23 2005 Tomas Mraz 1.2.9-1
+- upgrade to newest upstream
+- removed .la files (#172635)
+
+* Sun Aug 7 2005 Tomas Mraz 1.2.6-1
+- upgrade to newest upstream (rebuild of dependencies necessary)
+
+* Mon Jul 4 2005 Tomas Mraz 1.0.25-2
+- split the command line tools to utils subpackage
+
+* Sat Apr 30 2005 Tomas Mraz 1.0.25-1
+- new upstream version fixes potential DOS attack
+
+* Sat Apr 23 2005 Tomas Mraz 1.0.24-2
+- readd the version script dropped by upstream
+
+* Fri Apr 22 2005 Tomas Mraz 1.0.24-1
+- update to the latest upstream version on the 1.0 branch
+
+* Wed Mar 2 2005 Warren Togami 1.0.20-6
+- gcc4 rebuild
+
+* Tue Jan 4 2005 Ivana Varekova 1.0.20-5
+- add gnutls Requires zlib-devel (#144069)
+
+* Mon Nov 08 2004 Colin Walters 1.0.20-4
+- Make gnutls-devel Require libgcrypt-devel
+
+* Tue Sep 21 2004 Jeff Johnson 1.0.20-3
+- rebuild with release++, otherwise unchanged.
+
+* Tue Sep 7 2004 Jeff Johnson 1.0.20-2
+- patent tainted SRP code removed.
+
+* Sun Sep 5 2004 Jeff Johnson 1.0.20-1
+- update to 1.0.20.
+- add --with-included-opencdk --with-included-libtasn1
+- add --with-included-libcfg --with-included-lzo
+- add --disable-srp-authentication.
+- do "make check" after build.
+
+* Fri Mar 21 2003 Jeff Johnson 0.9.2-1
+- upgrade to 0.9.2
+
+* Tue Jun 25 2002 Jeff Johnson 0.4.4-1
+- update to 0.4.4.
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sat May 25 2002 Jeff Johnson 0.4.3-1
+- update to 0.4.3.
+
+* Tue May 21 2002 Jeff Johnson 0.4.2-1
+- update to 0.4.2.
+- change license to LGPL.
+- include splint annotations patch.
+
+* Tue Apr 2 2002 Nalin Dahyabhai 0.4.0-1
+- update to 0.4.0
+
+* Thu Jan 17 2002 Nalin Dahyabhai 0.3.2-1
+- update to 0.3.2
+
+* Thu Jan 10 2002 Nalin Dahyabhai 0.3.0-1
+- add a URL
+
+* Thu Dec 20 2001 Nalin Dahyabhai
+- initial package