From eaa875629e0525e0daa4518c8053ba422e22142a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Fri, 9 May 2014 10:52:07 +0200
Subject: [PATCH] new upstream release.

---
 .gitignore                                    |  1 +
 ...eak-certificate-verification-profile.patch | 80 ---------------
 gnutls-3.3.1-default-policy.patch             | 31 ++++++
 gnutls-global-deinit.patch                    | 99 -------------------
 gnutls-othername.patch                        | 27 -----
 gnutls.spec                                   | 23 +++--
 sources                                       |  2 +-
 7 files changed, 44 insertions(+), 219 deletions(-)
 delete mode 100644 0001-Added-the-very-weak-certificate-verification-profile.patch
 create mode 100644 gnutls-3.3.1-default-policy.patch
 delete mode 100644 gnutls-global-deinit.patch
 delete mode 100644 gnutls-othername.patch

diff --git a/.gitignore b/.gitignore
index 0efc727..f558b80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.2.13-hobbled.tar.xz
 /gnutls-3.3.0-hobbled.tar.xz
 /gnutls-3.3.1-hobbled.tar.xz
+/gnutls-3.3.2-hobbled.tar.xz
diff --git a/0001-Added-the-very-weak-certificate-verification-profile.patch b/0001-Added-the-very-weak-certificate-verification-profile.patch
deleted file mode 100644
index 52c3248..0000000
--- a/0001-Added-the-very-weak-certificate-verification-profile.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9f498c4e077ceabafe44f186005ca52ead6930bd Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Mon, 5 May 2014 11:58:25 +0200
-Subject: [PATCH] Added the 'very weak' certificate verification profile.
-
-This profile corresponds to a 64-bit security level (e.g., RSA
-parameters of 768 bits).
----
- doc/cha-gtls-app.texi      | 6 ++++++
- lib/gnutls_priority.c      | 6 ++++++
- lib/includes/gnutls/x509.h | 3 +++
- lib/priority_options.gperf | 1 +
- lib/x509/verify.c          | 1 +
- 6 files changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
-index 877ee90..769eed1 100644
---- a/lib/gnutls_priority.c
-+++ b/lib/gnutls_priority.c
-@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
- {
- 	c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
- }
-+static void enable_profile_very_weak(gnutls_priority_t c)
-+{
-+	c->additional_verify_flags &= 0x00ffffff;
-+	c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
-+	c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
-+}
- static void enable_profile_low(gnutls_priority_t c)
- {
- 	c->additional_verify_flags &= 0x00ffffff;
-diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
-index b4b24b9..cad804e 100644
---- a/lib/includes/gnutls/x509.h
-+++ b/lib/includes/gnutls/x509.h
-@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
- 
- /**
-  * gnutls_certificate_verification_profiles_t:
-+ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
-+ *  corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
-  * @GNUTLS_PROFILE_LOW: A verification profile that
-  *  corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
-  * @GNUTLS_PROFILE_LEGACY: A verification profile that
-@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
-  * Enumeration of different certificate verification profiles.
-  */
- typedef enum gnutls_certificate_verification_profiles_t {
-+	GNUTLS_PROFILE_VERY_WEAK = 1,
- 	GNUTLS_PROFILE_LOW = 2,
- 	GNUTLS_PROFILE_LEGACY = 4,
- 	GNUTLS_PROFILE_MEDIUM = 5,
-diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
-index fd081c5..79f3f7d 100644
---- a/lib/priority_options.gperf
-+++ b/lib/priority_options.gperf
-@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
- DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
- DISABLE_WILDCARDS, disable_wildcards
- SERVER_PRECEDENCE, enable_server_precedence
-+PROFILE_VERY_WEAK, enable_profile_very_weak
- PROFILE_LOW, enable_profile_low
- PROFILE_LEGACY, enable_profile_legacy
- PROFILE_MEDIUM, enable_profile_medium
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d9b7fb7..037cd8e 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -433,6 +433,7 @@ int hash;
- 		return gnutls_assert_val(0);
- 
- 	switch (profile) {
-+		CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
- 		CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
- 		CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
- 		CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
--- 
-1.9.0
-
diff --git a/gnutls-3.3.1-default-policy.patch b/gnutls-3.3.1-default-policy.patch
new file mode 100644
index 0000000..631ad72
--- /dev/null
+++ b/gnutls-3.3.1-default-policy.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index 769eed1..3a94b20 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -1107,6 +1107,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ 	int algo;
+ 	rmadd_func *fn;
+ 	bulk_rmadd_func *bulk_fn;
++	unsigned dset = 0;
+ 
+ 	*priority_cache =
+ 	    gnutls_calloc(1, sizeof(struct gnutls_priority_st));
+@@ -1126,10 +1127,16 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
+ 
+ 	(*priority_cache)->max_empty_records = DEFAULT_MAX_EMPTY_RECORDS;
+ 
+-	if (priorities == NULL)
+-		priorities = "NORMAL";
++	if (priorities == NULL) {
++		priorities = "@SYSTEM";
++		dset = 1;
++	}
+ 
+ 	darg = resolve_priorities(priorities);
++	if (darg == NULL && dset == 1) {
++		priorities = "NORMAL";
++		darg = resolve_priorities(priorities);
++	}
+ 	if (darg == NULL) {
+ 		gnutls_assert();
+ 		goto error;
diff --git a/gnutls-global-deinit.patch b/gnutls-global-deinit.patch
deleted file mode 100644
index 6783bdc..0000000
--- a/gnutls-global-deinit.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
-index 9b7047a..8cd9fd3 100644
---- a/lib/gnutls_global.c
-+++ b/lib/gnutls_global.c
-@@ -53,8 +53,8 @@ extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
- void *_gnutls_file_mutex;
- void *_gnutls_pkcs11_mutex;
- 
--ASN1_TYPE _gnutls_pkix1_asn;
--ASN1_TYPE _gnutls_gnutls_asn;
-+ASN1_TYPE _gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
-+ASN1_TYPE _gnutls_gnutls_asn = ASN1_TYPE_EMPTY;
- 
- gnutls_log_func _gnutls_log_func = NULL;
- gnutls_audit_log_func _gnutls_audit_log_func = NULL;
-@@ -166,6 +166,9 @@ gnutls_global_set_mem_functions(gnutls_alloc_function alloc_func,
- GNUTLS_STATIC_MUTEX(global_init_mutex);
- static int _gnutls_init = 0;
- 
-+/* cache the return code */
-+static int _gnutls_init_ret = 0;
-+
- /**
-  * gnutls_global_init:
-  *
-@@ -186,6 +189,9 @@ static int _gnutls_init = 0;
-  * do not support library constructors and static linking. This
-  * function also became thread safe.
-  *
-+ * A subsequent call of this function if the initial has failed will
-+ * return the same error code.
-+ *
-  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
-  *   otherwise a negative error code is returned.
-  **/
-@@ -199,7 +205,7 @@ int gnutls_global_init(void)
- 
- 	_gnutls_init++;
- 	if (_gnutls_init > 1) {
--		ret = 0;
-+		ret = _gnutls_init_ret;
- 		goto out;
- 	}
- 
-@@ -235,14 +241,17 @@ int gnutls_global_init(void)
- 		goto out;
- 	}
- 
-+	_gnutls_pkix1_asn = ASN1_TYPE_EMPTY;
- 	res = asn1_array2tree(pkix_asn1_tab, &_gnutls_pkix1_asn, NULL);
- 	if (res != ASN1_SUCCESS) {
-+		gnutls_assert();
- 		ret = _gnutls_asn2err(res);
- 		goto out;
- 	}
- 
- 	res = asn1_array2tree(gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL);
- 	if (res != ASN1_SUCCESS) {
-+		gnutls_assert();
- 		ret = _gnutls_asn2err(res);
- 		goto out;
- 	}
-@@ -306,6 +315,7 @@ int gnutls_global_init(void)
- 	ret = 0;
- 
-       out:
-+	_gnutls_init_ret = ret;
- 	GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex);
- 	return ret;
- }
-@@ -316,11 +326,19 @@ static void _gnutls_global_deinit(unsigned destructor)
- 
- 	if (_gnutls_init == 1) {
- 		_gnutls_init = 0;
-+		if (_gnutls_init_ret < 0) {
-+			/* only deinitialize if gnutls_global_init() has
-+			 * succeeded */
-+			gnutls_assert();
-+			goto fail;
-+		}
-+
- 		gnutls_crypto_deinit();
- 		_gnutls_rnd_deinit();
- 		_gnutls_ext_deinit();
- 		asn1_delete_structure(&_gnutls_gnutls_asn);
- 		asn1_delete_structure(&_gnutls_pkix1_asn);
-+
- 		_gnutls_crypto_deregister();
- 		gnutls_system_global_deinit();
- 		_gnutls_cryptodev_deinit();
-@@ -341,6 +359,8 @@ static void _gnutls_global_deinit(unsigned destructor)
- 		if (_gnutls_init > 0)
- 			_gnutls_init--;
- 	}
-+
-+ fail:
- 	GNUTLS_STATIC_MUTEX_UNLOCK(global_init_mutex);
- }
- 
diff --git a/gnutls-othername.patch b/gnutls-othername.patch
deleted file mode 100644
index abdd462..0000000
--- a/gnutls-othername.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 9b8271f0015526f017aa70b8d1f3a8fa1f8d3a62 Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Date: Sat, 19 Apr 2014 18:32:07 +0200
-Subject: [PATCH 01/01] Treat othername as printable (i.e., null terminate it),
- as the XMPP printing code assumes that.
-
----
- lib/x509/x509.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/x509/x509.c b/lib/x509/x509.c
-index d13c231..e63f059 100644
---- a/lib/x509/x509.c
-+++ b/lib/x509/x509.c
-@@ -847,7 +847,8 @@ gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert, void *ret,
- inline static int is_type_printable(int type)
- {
- 	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
--	    type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP)
-+	    type == GNUTLS_SAN_URI || type == GNUTLS_SAN_OTHERNAME_XMPP ||
-+	    type == GNUTLS_SAN_OTHERNAME)
- 		return 1;
- 	else
- 		return 0;
--- 
-1.9.0
-
diff --git a/gnutls.spec b/gnutls.spec
index 937c71b..31ee380 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -2,8 +2,8 @@
 %bcond_with guile
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 3.3.1
-Release: 4%{?dist}
+Version: 3.3.2
+Release: 1%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -30,11 +30,9 @@ Source1: libgnutls-config
 Source2: hobble-gnutls
 Patch1: gnutls-3.2.7-rpath.patch
 # Use only FIPS approved ciphers in the FIPS mode
-Patch7: gnutls-2.12.21-fips-algorithms.patch
-Patch8: gnutls-3.1.11-nosrp.patch
-Patch9: gnutls-othername.patch
-Patch10: gnutls-global-deinit.patch
-Patch11: 0001-Added-the-very-weak-certificate-verification-profile.patch
+Patch2: gnutls-2.12.21-fips-algorithms.patch
+Patch3: gnutls-3.1.11-nosrp.patch
+Patch4: gnutls-3.3.1-default-policy.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -137,11 +135,9 @@ This package contains Guile bindings for the library.
 %patch1 -p1 -b .rpath
 # This patch is not applicable as we use nettle now but some parts will be
 # later reused.
-#%patch7 -p1 -b .fips
-%patch8 -p1 -b .nosrp
-%patch9 -p1 -b .othername
-%patch10 -p1 -b .global-deinit
-%patch11 -p1 -b .very-weak
+#%patch2 -p1 -b .fips
+%patch3 -p1 -b .nosrp
+%patch4 -p1 -b .default-policy
 sed 's/gnutls_srp.c//g' -i lib/Makefile.in
 sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
 
@@ -275,6 +271,9 @@ fi
 %endif
 
 %changelog
+* Fri May 09 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.2-1
+- new upstream release
+
 * Mon May 05 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.1-4
 - Replaced /etc/crypto-profiles/apps with /etc/crypto-policies/back-ends.
 - Added support for "very weak" profile.
diff --git a/sources b/sources
index 779f5aa..bca435d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-14b004be63ef286edcce5d0f7aa10d6f  gnutls-3.3.1-hobbled.tar.xz
+4a729f47d5b87f484b0f16e92e5d30e5  gnutls-3.3.2-hobbled.tar.xz