Addressed regression with rehandshakes introduced in 3.1.27 (#1168942)

Resolves: rhbz#1132921

.gitignore

@@ -28,3 +28,12 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.1.13-hobbled-el.tar.xz
 /gnutls-3.1.15-hobbled.tar.xz
 /gnutls-3.1.16-hobbled.tar.xz
+/gnutls-3.1.17-hobbled.tar.xz
+/gnutls-3.1.18-hobbled.tar.xz
+/gnutls-3.1.20-hobbled.tar.xz
+/gnutls-3.1.23-hobbled.tar.xz
+/gnutls-3.1.24-hobbled.tar.xz
+/gnutls-3.1.25-hobbled.tar.xz
+/gnutls-3.1.26-hobbled.tar.xz
+/gnutls-3.1.27-hobbled.tar.xz
+/gnutls-3.1.28-hobbled.tar.xz

ecc.c

@@ -56,6 +56,19 @@ static const gnutls_ecc_curve_entry_st ecc_curves[] = {
     .Gx = "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
     .Gy = "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"
   },
+  {
+    .name = "SECP521R1",
+    .oid = "1.3.132.0.35",
+    .id = GNUTLS_ECC_CURVE_SECP521R1,
+    .tls_id = 25,
+    .size = 66,
+    .prime = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+    .A = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
+    .B = "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
+    .order = "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
+    .Gx =    "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
+    .Gy =    "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
+  },
   {0, 0, 0}
 };
 

gnutls-2.12.21-fips-algorithms.patch

@@ -1,209 +0,0 @@
-diff -up gnutls-2.12.21/lib/gcrypt/init.c.fips gnutls-2.12.21/lib/gcrypt/init.c
---- gnutls-2.12.21/lib/gcrypt/init.c.fips	2012-01-06 20:06:23.000000000 +0100
-+++ gnutls-2.12.21/lib/gcrypt/init.c	2012-11-09 19:57:54.651624659 +0100
-@@ -43,6 +43,8 @@ static struct gcry_thread_cbs gct = {
-   .recvmsg = NULL,
- };
- 
-+int gnutls_gcrypt_fips;
-+
- int
- gnutls_crypto_init (void)
- {
-@@ -72,6 +74,8 @@ gnutls_crypto_init (void)
-           return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
-         }
- 
-+      gnutls_gcrypt_fips = gcry_fips_mode_active();
-+
-       /* for gcrypt in order to be able to allocate memory */
-       gcry_control (GCRYCTL_DISABLE_SECMEM, NULL, 0);
- 
-diff -up gnutls-2.12.21/lib/gnutls_algorithms.c.fips gnutls-2.12.21/lib/gnutls_algorithms.c
---- gnutls-2.12.21/lib/gnutls_algorithms.c.fips	2012-01-06 20:06:23.000000000 +0100
-+++ gnutls-2.12.21/lib/gnutls_algorithms.c	2012-11-28 14:19:34.507948036 +0100
-@@ -44,11 +44,11 @@ typedef struct
- } gnutls_sec_params_entry;
- 
- static const gnutls_sec_params_entry sec_params[] = {
--  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128},
--  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
--  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
--  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
--  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512},
-+  {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 1024, 1024, 128, 128},
-+  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1280, 2048, 160, 160},
-+  {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2560, 3072, 224, 224},
-+  {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3328, 3072, 256, 256},
-+  {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15616, 3072, 512, 512},
-   {NULL, 0, 0, 0, 0, 0}
- };
- 
-diff -up gnutls-2.12.21/lib/gnutls_priority.c.fips gnutls-2.12.21/lib/gnutls_priority.c
---- gnutls-2.12.21/lib/gnutls_priority.c.fips	2012-11-08 17:11:11.000000000 +0100
-+++ gnutls-2.12.21/lib/gnutls_priority.c	2012-11-09 19:57:54.651624659 +0100
-@@ -30,6 +30,7 @@
- #include "gnutls_algorithms.h"
- #include "gnutls_errors.h"
- #include <gnutls_num.h>
-+#include <gcrypt.h>
- 
- static void
- break_comma_list (char *etag,
-@@ -223,6 +224,13 @@ static const int protocol_priority[] = {
-   0
- };
- 
-+static const int protocol_priority_fips[] = {
-+  GNUTLS_TLS1_2,
-+  GNUTLS_TLS1_1,
-+  GNUTLS_TLS1_0,
-+  0
-+};
-+
- static const int kx_priority_performance[] = {
-   GNUTLS_KX_RSA,
-   GNUTLS_KX_DHE_RSA,
-@@ -269,6 +277,13 @@ static const int cipher_priority_perform
-   0
- };
- 
-+static const int cipher_priority_performance_fips[] = {
-+  GNUTLS_CIPHER_AES_128_CBC,
-+  GNUTLS_CIPHER_3DES_CBC,
-+  GNUTLS_CIPHER_AES_256_CBC,
-+  0
-+};
-+
- static const int cipher_priority_normal[] = {
-   GNUTLS_CIPHER_AES_128_CBC,
- #ifdef	ENABLE_CAMELLIA
-@@ -284,6 +299,13 @@ static const int cipher_priority_normal[
-   0
- };
- 
-+static const int cipher_priority_normal_fips[] = {
-+  GNUTLS_CIPHER_AES_128_CBC,
-+  GNUTLS_CIPHER_AES_256_CBC,
-+  GNUTLS_CIPHER_3DES_CBC,
-+  0
-+};
-+
- static const int cipher_priority_secure128[] = {
-   GNUTLS_CIPHER_AES_128_CBC,
- #ifdef	ENABLE_CAMELLIA
-@@ -295,6 +317,11 @@ static const int cipher_priority_secure1
-   0
- };
- 
-+static const int cipher_priority_secure128_fips[] = {
-+  GNUTLS_CIPHER_AES_128_CBC,
-+  GNUTLS_CIPHER_3DES_CBC,
-+  0
-+};
- 
- static const int cipher_priority_secure256[] = {
-   GNUTLS_CIPHER_AES_256_CBC,
-@@ -311,6 +338,13 @@ static const int cipher_priority_secure2
-   0
- };
- 
-+static const int cipher_priority_secure256_fips[] = {
-+  GNUTLS_CIPHER_AES_256_CBC,
-+  GNUTLS_CIPHER_AES_128_CBC,
-+  GNUTLS_CIPHER_3DES_CBC,
-+  0
-+};
-+
- /* The same as cipher_priority_security_normal + arcfour-40. */
- static const int cipher_priority_export[] = {
-   GNUTLS_CIPHER_AES_128_CBC,
-@@ -362,6 +396,12 @@ static const int mac_priority_normal[] =
-   0
- };
- 
-+static const int mac_priority_normal_fips[] = {
-+  GNUTLS_MAC_SHA1,
-+  GNUTLS_MAC_SHA256,
-+  0
-+};
-+
- 
- static const int mac_priority_secure[] = {
-   GNUTLS_MAC_SHA256,
-@@ -462,6 +502,8 @@ gnutls_priority_set (gnutls_session_t se
- 
- #define MAX_ELEMENTS 48
- 
-+extern int gnutls_gcrypt_fips;
-+
- /**
-  * gnutls_priority_init:
-  * @priority_cache: is a #gnutls_prioritity_t structure.
-@@ -561,7 +603,7 @@ gnutls_priority_init (gnutls_priority_t
-    */
-   if (strcasecmp (broken_list[0], "NONE") != 0)
-     {
--      _set_priority (&(*priority_cache)->protocol, protocol_priority);
-+      _set_priority (&(*priority_cache)->protocol, gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
-       _set_priority (&(*priority_cache)->compression, comp_priority);
-       _set_priority (&(*priority_cache)->cert_type, cert_type_priority_default);
-       _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
-@@ -577,17 +619,17 @@ gnutls_priority_init (gnutls_priority_t
-       if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
-         {
-           _set_priority (&(*priority_cache)->cipher,
--                         cipher_priority_performance);
-+                         gnutls_gcrypt_fips?cipher_priority_performance_fips:cipher_priority_performance);
-           _set_priority (&(*priority_cache)->kx, kx_priority_performance);
--          _set_priority (&(*priority_cache)->mac, mac_priority_normal);
-+          _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
-           _set_priority (&(*priority_cache)->sign_algo,
-                          sign_priority_default);
-         }
-       else if (strcasecmp (broken_list[i], "NORMAL") == 0)
-         {
--          _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
-+          _set_priority (&(*priority_cache)->cipher, gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
-           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
--          _set_priority (&(*priority_cache)->mac, mac_priority_normal);
-+          _set_priority (&(*priority_cache)->mac, gnutls_gcrypt_fips?mac_priority_normal_fips:mac_priority_normal);
-           _set_priority (&(*priority_cache)->sign_algo,
-                          sign_priority_default);
-         }
-@@ -595,7 +637,7 @@ gnutls_priority_init (gnutls_priority_t
-                || strcasecmp (broken_list[i], "SECURE") == 0)
-         {
-           _set_priority (&(*priority_cache)->cipher,
--                         cipher_priority_secure256);
-+                         gnutls_gcrypt_fips?cipher_priority_secure256_fips:cipher_priority_secure256);
-           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
-           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
-           _set_priority (&(*priority_cache)->sign_algo,
-@@ -604,7 +646,7 @@ gnutls_priority_init (gnutls_priority_t
-       else if (strcasecmp (broken_list[i], "SECURE128") == 0)
-         {
-           _set_priority (&(*priority_cache)->cipher,
--                         cipher_priority_secure128);
-+                         gnutls_gcrypt_fips?cipher_priority_secure128_fips:cipher_priority_secure128);
-           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
-           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
-           _set_priority (&(*priority_cache)->sign_algo,
-@@ -646,7 +688,7 @@ gnutls_priority_init (gnutls_priority_t
-               if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
-                 {
-                   bulk_fn (&(*priority_cache)->protocol,
--                                 protocol_priority);
-+                                 gnutls_gcrypt_fips?protocol_priority_fips:protocol_priority);
-                 }
-               else
-                 {
-@@ -718,7 +760,7 @@ gnutls_priority_init (gnutls_priority_t
-           else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
-             {
-                   bulk_fn (&(*priority_cache)->cipher,
--                                cipher_priority_normal);
-+                                gnutls_gcrypt_fips?cipher_priority_normal_fips:cipher_priority_normal);
-             }
-           else
-             goto error;

gnutls-3.1.17-rpath.patch

@@ -0,0 +1,29 @@
+diff -ur gnutls-3.1.17.orig/configure gnutls-3.1.17/configure
+--- gnutls-3.1.17.orig/configure	2013-11-23 10:55:26.000000000 +0100
++++ gnutls-3.1.17/configure	2013-11-26 11:33:04.865342480 +0100
+@@ -49103,7 +49103,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 
+@@ -52940,7 +52940,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 
+Only in gnutls-3.1.17: configure~
+Only in gnutls-3.1.17.orig/lib/algorithms: ecc.c
+Only in gnutls-3.1.17.orig/lib/auth: srp.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_passwd.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_rsa.c
+Only in gnutls-3.1.17.orig/lib/auth: srp_sb64.c
+Only in gnutls-3.1.17.orig/lib/ext: srp.c
+Only in gnutls-3.1.17.orig/lib: gnutls_srp.c

gnutls-3.1.18-suiteb.patch

@@ -1,7 +1,7 @@
-diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
---- gnutls-3.1.11/lib/gnutls_ecc.c.suiteb	2013-04-27 10:04:48.000000000 +0200
-+++ gnutls-3.1.11/lib/gnutls_ecc.c	2013-05-23 10:08:45.331883555 +0200
-@@ -129,6 +129,12 @@ int ret;
+diff -ur gnutls-3.1.18.orig/lib/gnutls_ecc.c gnutls-3.1.18/lib/gnutls_ecc.c
+--- gnutls-3.1.18.orig/lib/gnutls_ecc.c	2013-04-02 22:27:35.000000000 +0200
++++ gnutls-3.1.18/lib/gnutls_ecc.c	2014-01-02 09:13:27.383415863 +0100
+@@ -129,6 +129,12 @@
        goto cleanup;
      }
    params->params_nr++;
@@ -14,10 +14,22 @@ diff -up gnutls-3.1.11/lib/gnutls_ecc.c.suiteb gnutls-3.1.11/lib/gnutls_ecc.c
    
    val_size = sizeof(val);
    ret = _gnutls_hex2bin(st->order, strlen(st->order), val, &val_size);
-diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c
---- gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb	2013-04-27 10:04:48.000000000 +0200
-+++ gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c	2013-05-23 10:24:56.575967312 +0200
-@@ -42,6 +42,7 @@ typedef struct
+diff -ur gnutls-3.1.18.orig/lib/gnutls_priority.c gnutls-3.1.18/lib/gnutls_priority.c
+--- gnutls-3.1.18.orig/lib/gnutls_priority.c	2013-11-19 18:36:38.000000000 +0100
++++ gnutls-3.1.18/lib/gnutls_priority.c	2014-01-02 09:13:27.384415875 +0100
+@@ -245,8 +245,6 @@
+ }
+ 
+ static const int supported_ecc_normal[] = {
+-  GNUTLS_ECC_CURVE_SECP192R1,
+-  GNUTLS_ECC_CURVE_SECP224R1,
+   GNUTLS_ECC_CURVE_SECP256R1,
+   GNUTLS_ECC_CURVE_SECP384R1,
+   GNUTLS_ECC_CURVE_SECP521R1,
+diff -ur gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c
+--- gnutls-3.1.18.orig/lib/nettle/ecc_mulmod_cached.c	2013-04-02 22:27:35.000000000 +0200
++++ gnutls-3.1.18/lib/nettle/ecc_mulmod_cached.c	2014-01-02 10:26:08.425986981 +0100
+@@ -42,6 +42,7 @@
  
  /* global cache */
  static gnutls_ecc_curve_cache_entry_t *ecc_wmnaf_cache = NULL;
@@ -25,7 +37,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
  
  /* free single cache entry */
  static void
-@@ -63,9 +64,10 @@ ecc_wmnaf_cache_free (void)
+@@ -63,13 +64,15 @@
    gnutls_ecc_curve_cache_entry_t *p = ecc_wmnaf_cache;
    if (p)
      {
@@ -38,7 +50,12 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
          }
  
        free (ecc_wmnaf_cache);
-@@ -198,7 +200,7 @@ ecc_wmnaf_cache_init (void)
+       ecc_wmnaf_cache = NULL;
++      ecc_wmnaf_cache_last = NULL;
+     }
+ }
+ 
+@@ -198,7 +201,7 @@
    const gnutls_ecc_curve_t *p;
  
    ret = (gnutls_ecc_curve_cache_entry_t *)
@@ -47,7 +64,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
    if (ret == NULL)
      return GNUTLS_E_MEMORY_ERROR;
  
-@@ -207,12 +209,16 @@ ecc_wmnaf_cache_init (void)
+@@ -207,12 +210,16 @@
  
    for (j = 0; *p; ++p, ++j)
      {
@@ -67,7 +84,7 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
  
    err = GNUTLS_E_SUCCESS;
  
-@@ -223,7 +229,8 @@ done:
+@@ -223,11 +230,13 @@
        int i;
        for (i = 0; i < j; ++i)
          {
@@ -77,7 +94,12 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
          }
  
        free (ret);
-@@ -445,9 +452,11 @@ ecc_mulmod_cached_lookup (mpz_t k, ecc_p
+       ecc_wmnaf_cache = NULL;
++      ecc_wmnaf_cache_last = NULL;
+     }
+   return err;
+ }
+@@ -445,9 +454,11 @@
    if (k == NULL || G == NULL || R == NULL || modulus == NULL)
      return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
  
@@ -91,9 +113,9 @@ diff -up gnutls-3.1.11/lib/nettle/ecc_mulmod_cached.c.suiteb gnutls-3.1.11/lib/n
            !(mpz_cmp (G->y, ecc_wmnaf_cache[i].pos[0]->y)))
          {
            break;
-diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
---- gnutls-3.1.11/tests/mini-xssl.c.suiteb	2013-05-10 10:10:27.000000000 +0200
-+++ gnutls-3.1.11/tests/mini-xssl.c	2013-05-23 11:58:22.670298910 +0200
+diff -ur gnutls-3.1.18.orig/tests/mini-xssl.c gnutls-3.1.18/tests/mini-xssl.c
+--- gnutls-3.1.18.orig/tests/mini-xssl.c	2013-05-30 08:50:22.000000000 +0200
++++ gnutls-3.1.18/tests/mini-xssl.c	2014-01-02 09:13:27.384415875 +0100
 @@ -27,7 +27,8 @@
  #include <stdio.h>
  #include <stdlib.h>
@@ -104,10 +126,10 @@ diff -up gnutls-3.1.11/tests/mini-xssl.c.suiteb gnutls-3.1.11/tests/mini-xssl.c
  
  int main()
  {
-diff -up gnutls-3.1.11/tests/pkcs12_simple.c.suiteb gnutls-3.1.11/tests/pkcs12_simple.c
---- gnutls-3.1.11/tests/pkcs12_simple.c.suiteb	2013-05-10 10:10:27.000000000 +0200
-+++ gnutls-3.1.11/tests/pkcs12_simple.c	2013-05-23 11:57:59.776799848 +0200
-@@ -50,6 +50,9 @@ doit (void)
+diff -ur gnutls-3.1.18.orig/tests/pkcs12_simple.c gnutls-3.1.18/tests/pkcs12_simple.c
+--- gnutls-3.1.18.orig/tests/pkcs12_simple.c	2013-05-21 20:27:20.000000000 +0200
++++ gnutls-3.1.18/tests/pkcs12_simple.c	2014-01-02 09:13:27.384415875 +0100
+@@ -50,6 +50,9 @@
    gnutls_x509_privkey_t pkey;
    int ret;
  

gnutls-3.1.28-app-data.patch

@@ -0,0 +1,13 @@
+diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
+index d542f21..a0e8005 100644
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -2546,6 +2546,8 @@ gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
+ 		/* EAGAIN and INTERRUPTED are always non-fatal */ \
+ 		if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
+ 			return ret; \
++		if (ret == GNUTLS_E_GOT_APPLICATION_DATA && session->internals.initial_negotiation_completed != 0) \
++			return ret; \
+ 		if (ret == GNUTLS_E_LARGE_PACKET && session->internals.handshake_large_loops < 16) { \
+ 			session->internals.handshake_large_loops++; \
+ 			return ret; \

gnutls-3.1.7-rpath.patch

@@ -1,39 +0,0 @@
-diff -up gnutls-3.1.7/configure.rpath gnutls-3.1.7/configure
---- gnutls-3.1.7/configure.rpath	2013-02-04 02:40:23.000000000 +0100
-+++ gnutls-3.1.7/configure	2013-02-05 21:04:57.128932440 +0100
-@@ -48519,7 +48519,7 @@ shlibpath_var=
- shlibpath_overrides_runpath=unknown
- version_type=none
- dynamic_linker="$host_os ld.so"
--sys_lib_dlsearch_path_spec="/lib /usr/lib"
-+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
- need_lib_prefix=unknown
- hardcode_into_libs=no
- 
-@@ -48962,7 +48962,7 @@ fi
-   # Append ld.so.conf contents to the search path
-   if test -f /etc/ld.so.conf; then
-     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
--    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+    sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
-   fi
- 
-   # We used to test for /lib/ld.so.1 and disable shared libraries on
-@@ -52353,7 +52353,7 @@ shlibpath_var=
- shlibpath_overrides_runpath=unknown
- version_type=none
- dynamic_linker="$host_os ld.so"
--sys_lib_dlsearch_path_spec="/lib /usr/lib"
-+sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
- need_lib_prefix=unknown
- hardcode_into_libs=no
- 
-@@ -52794,7 +52794,7 @@ fi
-   # Append ld.so.conf contents to the search path
-   if test -f /etc/ld.so.conf; then
-     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
--    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+    sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra"
-   fi
- 
-   # We used to test for /lib/ld.so.1 and disable shared libraries on

gnutls.spec

@@ -2,18 +2,20 @@
 %bcond_with guile
 Summary: A TLS protocol implementation
 Name: gnutls
-Version: 3.1.16
-Release: 1%{?dist}
+Version: 3.1.28
+Release: 2%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+, however
 # the bundled gnulib is LGPLv3+
 License: GPLv3+ and LGPLv2+ and LGPLv3+
 Group: System Environment/Libraries
 BuildRequires: p11-kit-devel >= 0.11, gettext
 BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.1
-BuildRequires: lzo-devel, libtool, automake, autoconf, texinfo
+BuildRequires: libtool, automake, autoconf, texinfo
 BuildRequires: nettle-devel >= 2.5
+BuildRequires: autogen-libopts-devel >= 5.18 autogen
+BuildRequires: trousers-devel >= 0.3.11.2
 %if %{with dane}
-BuildRequires: unbound-devel
+BuildRequires: unbound-devel unbound-libs
 %endif
 %if %{with guile}
 BuildRequires: guile-devel
@@ -26,13 +28,13 @@ Source0: %{name}-%{version}-hobbled.tar.xz
 Source1: libgnutls-config
 Source2: hobble-gnutls
 Source3: ecc.c
-Patch1: gnutls-3.1.7-rpath.patch
+Patch1: gnutls-3.1.17-rpath.patch
 # Use only FIPS approved ciphers in the FIPS mode
-Patch7: gnutls-2.12.21-fips-algorithms.patch
 Patch8: gnutls-3.1.11-nosrp.patch
 # Use random port in some tests to avoid conflicts during simultaneous builds on the same machine
 Patch9: gnutls-3.1.10-tests-rndport.patch
-Patch10: gnutls-3.1.11-suiteb.patch
+Patch10: gnutls-3.1.18-suiteb.patch
+Patch11: gnutls-3.1.28-app-data.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -77,61 +79,76 @@ Requires: guile
 %endif
 
 %description
-GnuTLS is a project that aims to develop a library which provides a secure 
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 
 %description c++
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains the C++ interface for the GnuTLS library.
 
 %description devel
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains files needed for developing applications with
 the GnuTLS library.
 
 %description utils
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains command line TLS client and server and certificate
 manipulation tools.
 
 %if %{with dane}
 %description dane
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains library that implements the DANE protocol for verifying
 TLS certificates through DNSSEC.
 %endif
 
 %if %{with guile}
 %description guile
-GnuTLS is a project that aims to develop a library which provides a secure
-layer, over a reliable transport layer. Currently the GnuTLS library implements
-the proposed standards by the IETF's TLS working group.
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
 This package contains Guile bindings for the library.
 %endif
 
 %prep
 %setup -q
+sed 's/4331/5556/g' -i tests/*.c
 
 %patch1 -p1 -b .rpath
 # This patch is not applicable as we use nettle now but some parts will be
 # later reused.
-#%patch7 -p1 -b .fips
 %patch8 -p1 -b .nosrp
 %patch9 -p1 -b .rndport
 %patch10 -p1 -b .suiteb
+%patch11 -p1 -b .app-data
+sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 
 %{SOURCE2} -e
 
 cp -f %{SOURCE3} lib/algorithms
+rm -f doc/gnutls.info*
 
 %build
 
@@ -142,6 +159,7 @@ export LDFLAGS="-Wl,--no-add-needed"
            --disable-static \
            --disable-openssl-compatibility \
            --disable-srp-authentication \
+	   --disable-non-suiteb-curves \
 %if %{with guile}
            --enable-guile \
 %ifarch %{arm}
@@ -151,6 +169,7 @@ export LDFLAGS="-Wl,--no-add-needed"
            --disable-guile \
 %endif
 %if %{with dane}
+	   --with-unbound-root-key-file=/var/lib/unbound/root.key \
            --enable-dane \
 %else
            --disable-dane \
@@ -234,6 +253,7 @@ fi
 %{_bindir}/certtool
 %{_bindir}/ocsptool
 %{_bindir}/psktool
+%{_bindir}/tpmtool
 %{_bindir}/p11tool
 %if %{with dane}
 %{_bindir}/danetool
@@ -257,6 +277,66 @@ fi
 %endif
 
 %changelog
+* Fri Nov 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.28-2
+- Addresses regression with rehandshakes introduced in 3.1.27 (#1168942)
+
+* Mon Nov 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.28-1
+- new upstream release
+
+* Mon Oct 13 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.27-1
+- new upstream release
+
+* Fri Sep 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.26-2
+- removed rpath (#1132921)
+
+* Mon Aug 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.26-1
+- new upstream release (#1088563)
+
+* Fri May 30 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.25-1
+- new upstream release (#1103046)
+
+* Wed May 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.24-1
+- new upstream release
+
+* Tue Apr  8 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.23-1
+- fixes liberal wildcard expansion (#1085264)
+- fixes certtool generation of encrypted keys even without password (#1085272)
+
+* Thu Feb 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.20-4
+- fixes CVE-2014-0092 (#1071795)
+
+* Fri Feb 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.20-3
+- Fix CVE-2014-1959 (#1065094)
+
+* Mon Feb 03 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.20-1
+- new upstream release
+- Fixed issue with gnutls.info not being available
+- Compile with trousers
+- Pulled fix from upstream for illegal supported-ecc extension (#1060411)
+
+* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-3
+- Applied complete patch from (#1046672)
+
+* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-2
+- Applied fix in suiteb patch to prevent crash in multiple 
+  deinitializations (#1046672)
+
+* Mon Dec 23 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-1
+- new upstream release
+
+* Thu Dec  5 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-3
+- Use the correct root key for unbound (#1012494)
+- Pull asm fixes from upstream (#973210)
+- tpmtool manpage is no longer installed (#1036363)
+
+* Tue Nov 26 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-2
+- Avoid linking with trousers to prevent introducing new features in f20
+
+* Tue Nov 26 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.17-1
+- new upstream release
+- links against the system libopts
+- links against trousers
+
 * Mon Nov  4 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.16-1
 - new upstream release
 - fixes CVE-2013-4466 off-by-one in dane_query_tlsa()

hobble-gnutls

@@ -8,8 +8,8 @@ else
 fi
 
 # SRP
-for f in auth_srp_sb64.c auth_srp_passwd.c auth_srp_rsa.c \
-    gnutls_srp.c auth_srp.c ext_srp.c ; do
+for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \
+    gnutls_srp.c auth/srp.c ext/srp.c ; do
     eval "$CMD lib/$f"
 done
 

libgnutls-config

@@ -4,7 +4,7 @@ prefix=/usr
 exec_prefix=/usr
 exec_prefix_set=no
 
-name=`basename $0`
+name=gnutls
 name=${name#lib}
 name=${name%-config}
 

sources

@@ -1 +1 @@
-6cb95ec4498c302197239e4dfd17b8d4  gnutls-3.1.16-hobbled.tar.xz
+fa787597f04f72af5f8b38d8a89248b4  gnutls-3.1.28-hobbled.tar.xz