Backported PKCS#11 loading improvements

- Update to upstream 3.5.18 release

.gitignore

@@ -72,3 +72,26 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.5.7-hobbled.tar.xz
 /gnutls-3.5.8-hobbled.tar.xz
 /gnutls-3.5.9-hobbled.tar.xz
+/gnutls-3.5.10-hobbled.tar.xz
+/gnutls-3.5.11-hobbled.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.12.tar.xz.sig
+/gnutls-3.5.12.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.13.tar.xz.sig
+/gnutls-3.5.13.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.14.tar.xz.sig
+/gnutls-3.5.14.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.15.tar.xz.sig
+/gnutls-3.5.15.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.16.tar.xz.sig
+/gnutls-3.5.16.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.17.tar.xz.sig
+/gnutls-3.5.17.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.5.18.tar.xz.sig
+/gnutls-3.5.18.tar.xz

gnutls-3.5.18-pkcs11-loading.patch

@@ -0,0 +1,289 @@
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index ec5754e89..c8b2c71f2 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -264,20 +264,20 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, const char
+ */
+ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb)
+ {
+-	int ret;
++	int ret, sret = 0;
+ 
+ 	ret = gnutls_mutex_lock(&_gnutls_pkcs11_mutex);
+ 	if (ret != 0)
+ 		return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
+ 
+-	if (providers_initialized >= req_level) {
++	if (providers_initialized > PROV_UNINITIALIZED) {
+ 		ret = 0;
+ 
+ 		if (_gnutls_detect_fork(pkcs11_forkid)) {
+ 			/* if we are initialized but a fork is detected */
+ 			ret = _gnutls_pkcs11_reinit();
+ 			if (ret == 0) {
+-				ret = 1;
++				sret = 1;
+ 				if (cb) {
+ 					int ret2 = cb(priv);
+ 					if (ret2 < 0)
+@@ -287,25 +287,60 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
+ 			}
+ 		}
+ 
+-		gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
+-		return ret;
+-	} else if (providers_initialized < req_level &&
+-		   (req_level == PROV_INIT_TRUSTED)) {
+-		_gnutls_debug_log("Initializing needed PKCS #11 modules\n");
+-		ret = auto_load(1);
++		if (ret < 0) {
++			gnutls_assert();
++			goto cleanup;
++		}
++	}
+ 
+-		providers_initialized = PROV_INIT_TRUSTED;
+-	} else {
+-		_gnutls_debug_log("Initializing all PKCS #11 modules\n");
+-		ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
++	/* Possible Transitions: PROV_UNINITIALIZED -> PROV_INIT_MANUAL -> PROV_INIT_MANUAL_TRUSTED
++	 * PROV_UNINITIALIZED -> PROV_INIT_TRUSTED -> PROV_INIT_ALL
++	 *
++	 * request for PROV_INIT_TRUSTED may result to PROV_INIT_MANUAL_TRUSTED
++	 * request for PROV_INIT_ALL may result to PROV_INIT_MANUAL or PROV_INIT_MANUAL_TRUSTED
++	 */
++	switch(req_level) {
++		case PROV_UNINITIALIZED:
++		case PROV_INIT_MANUAL:
++			break;
++		case PROV_INIT_TRUSTED:
++		case PROV_INIT_MANUAL_TRUSTED:
++			if (providers_initialized < PROV_INIT_MANUAL_TRUSTED) {
++				_gnutls_debug_log("Initializing needed PKCS #11 modules\n");
++				ret = auto_load(1);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				if (providers_initialized == PROV_INIT_MANUAL)
++					providers_initialized = PROV_INIT_MANUAL_TRUSTED;
++				else
++					providers_initialized = PROV_INIT_TRUSTED;
++
++				goto cleanup;
++			}
++			break;
++		case PROV_INIT_ALL:
++			if (providers_initialized == PROV_INIT_TRUSTED ||
++			    providers_initialized == PROV_UNINITIALIZED) {
++				_gnutls_debug_log("Initializing all PKCS #11 modules\n");
++				ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				providers_initialized = PROV_INIT_ALL;
++				goto cleanup;
++			}
++			break;
+ 	}
+ 
+-	gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
++	ret = sret;
+ 
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
++ cleanup:
++	gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
+ 
+-	return 0;
++	return ret;
+ }
+ 
+ 
+@@ -3149,11 +3184,7 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
+ 	int ret;
+ 	struct find_obj_data_st priv;
+ 
+-	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
+-		PKCS11_CHECK_INIT_TRUSTED;
+-	} else {
+-		PKCS11_CHECK_INIT;
+-	}
++	PKCS11_CHECK_INIT_FLAGS(flags);
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
+@@ -3790,7 +3821,7 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
+ 	size_t id_size;
+ 	struct p11_kit_uri *info = NULL;
+ 
+-	PKCS11_CHECK_INIT;
++	PKCS11_CHECK_INIT_FLAGS(flags);
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
+@@ -3882,7 +3913,7 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *d
+ 	struct find_cert_st priv;
+ 	struct p11_kit_uri *info = NULL;
+ 
+-	PKCS11_CHECK_INIT;
++	PKCS11_CHECK_INIT_FLAGS(flags);
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
+@@ -3969,7 +4000,7 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
+ 	struct find_cert_st priv;
+ 	struct p11_kit_uri *info = NULL;
+ 
+-	PKCS11_CHECK_INIT;
++	PKCS11_CHECK_INIT_FLAGS(flags);
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
+@@ -4063,7 +4094,7 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+ 	size_t serial_size;
+ 	struct p11_kit_uri *info = NULL;
+ 
+-	PKCS11_CHECK_INIT_RET(0);
++	PKCS11_CHECK_INIT_FLAGS_RET(flags, 0);
+ 
+ 	memset(&priv, 0, sizeof(priv));
+ 
+diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
+index e27518e3f..168bb7807 100644
+--- a/lib/pkcs11_int.h
++++ b/lib/pkcs11_int.h
+@@ -69,10 +69,14 @@ typedef int (*pkcs11_reinit_function)(void *priv);
+ typedef enum init_level_t {
+ 	PROV_UNINITIALIZED = 0,
+ 	PROV_INIT_MANUAL,
++	PROV_INIT_MANUAL_TRUSTED,
+ 	PROV_INIT_TRUSTED,
+ 	PROV_INIT_ALL
+ } init_level_t;
+ 
++/* See _gnutls_pkcs11_check_init() for possible Transitions.
++ */
++
+ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
+ 
+ #define FIX_KEY_USAGE(pk, usage) \
+@@ -84,20 +88,26 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
+ 	}
+ 
+ #define PKCS11_CHECK_INIT \
+-	ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
++	ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
+ 	if (ret < 0) \
+ 		return gnutls_assert_val(ret)
+ 
+-#define PKCS11_CHECK_INIT_TRUSTED \
+-	ret = _gnutls_pkcs11_check_init(PROV_INIT_TRUSTED, NULL, NULL); \
++#define PKCS11_CHECK_INIT_RET(x) \
++	ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
++	if (ret < 0) \
++		return gnutls_assert_val(x)
++
++#define PKCS11_CHECK_INIT_FLAGS(f) \
++	ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
+ 	if (ret < 0) \
+ 		return gnutls_assert_val(ret)
+ 
+-#define PKCS11_CHECK_INIT_RET(x) \
+-	ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
++#define PKCS11_CHECK_INIT_FLAGS_RET(f, x) \
++	ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
+ 	if (ret < 0) \
+ 		return gnutls_assert_val(x)
+ 
++
+ /* thus function is called for every token in the traverse_tokens
+  * function. Once everything is traversed it is called with NULL tinfo.
+  * It should return 0 if found what it was looking for.
+diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
+index 4a9d928a3..6e9027d0b 100644
+--- a/lib/pkcs11_privkey.c
++++ b/lib/pkcs11_privkey.c
+@@ -36,7 +36,7 @@
+ /* In case of a fork, it will invalidate the open session
+  * in the privkey and start another */
+ #define PKCS11_CHECK_INIT_PRIVKEY(k) \
+-	ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, k, reopen_privkey_session); \
++	ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, k, reopen_privkey_session); \
+ 	if (ret < 0) \
+ 		return gnutls_assert_val(ret)
+ 
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 1749d49b1..ec1a52ace 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -368,7 +368,7 @@ advance_iter(gnutls_x509_trust_list_t list,
+ 	if (list->pkcs11_token != NULL) {
+ 		if (iter->pkcs11_list == NULL) {
+ 			ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
+-			    list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
++			    list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
+ 			if (ret < 0)
+ 				return gnutls_assert_val(ret);
+ 
+@@ -964,7 +964,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
+ 		gnutls_datum_t der = {NULL, 0};
+ 		/* use the token for verification */
+ 		ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der,
+-			GNUTLS_X509_FMT_DER, 0);
++			GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 			return ret;
+@@ -1036,7 +1036,7 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
+ 		gnutls_datum_t der = {NULL, 0};
+ 		/* use the token for verification */
+ 		ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der,
+-			GNUTLS_X509_FMT_DER, 0);
++			GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 			return ret;
+@@ -1097,7 +1097,7 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t
+ 		gnutls_datum_t der = {NULL, 0};
+ 		/* use the token for verification */
+ 		ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der,
+-			GNUTLS_X509_FMT_DER, 0);
++			GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 			return ret;
+diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
+index fb9f9ce10..8c75b2641 100644
+--- a/lib/x509/verify-high2.c
++++ b/lib/x509/verify-high2.c
+@@ -188,6 +188,10 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
+ 	gnutls_pkcs11_obj_t *pcrt_list = NULL;
+ 	unsigned int pcrt_list_size = 0, i;
+ 	int ret;
++
++	/* here we don't use the flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
++	 * as we want to explicitly load from any module available in the system.
++	 */
+ 	ret =
+ 	    gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
+ 					       url,
+@@ -323,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
+ 			 */
+ 			if (is_pkcs11_url_object(ca_file) != 0) {
+ 				return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
+-			} else { /* token */
++			} else { /* trusted token */
+ 				if (list->pkcs11_token != NULL)
+ 					return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 				list->pkcs11_token = gnutls_strdup(ca_file);
+@@ -331,7 +335,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
+ 				/* enumerate the certificates */
+ 				ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
+ 					ca_file, 
+-					(GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
++					(GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
+ 					0);
+ 				if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ 					return gnutls_assert_val(ret);

gnutls.spec

@@ -1,8 +1,9 @@
 # This spec file has been automatically updated
-Version:	3.5.9
+Version:	3.5.18
 Release: 2%{?dist}
 Patch1:	gnutls-3.2.7-rpath.patch
 Patch2:	gnutls-3.4.2-no-now-guile.patch
+Patch3:	gnutls-3.5.18-pkcs11-loading.patch
 %bcond_without dane
 %bcond_without guile
 Summary: A TLS protocol implementation
@@ -19,6 +20,8 @@ BuildRequires: trousers-devel >= 0.3.11.2
 BuildRequires: libidn2-devel
 BuildRequires: libunistring-devel
 BuildRequires: gperf, net-tools, datefudge, softhsm
+# for a sanity check on cert loading
+BuildRequires: p11-kit-trust, ca-certificates
 Requires: crypto-policies
 Requires: p11-kit-trust
 Requires: libtasn1 >= 4.3
@@ -31,10 +34,9 @@ BuildRequires: unbound-devel unbound-libs
 BuildRequires: guile-devel
 %endif
 URL: http://www.gnutls.org/
-#Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz
-#Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig
-# XXX patent tainted code removed.
-Source0: %{name}-%{version}-hobbled.tar.xz
+Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz
+Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig
+Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -132,12 +134,13 @@ This package contains Guile bindings for the library.
 %endif
 
 %prep
+gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
-sed 's/gnutls_srp.c//g' -i lib/Makefile.in
-sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h 
@@ -148,11 +151,11 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
 %configure --with-libtasn1-prefix=%{_prefix} \
            --disable-static \
            --disable-openssl-compatibility \
-           --disable-srp-authentication \
            --disable-non-suiteb-curves \
            --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
-           --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
+           --with-default-trust-store-pkcs11="pkcs11:" \
            --with-trousers-lib=%{_libdir}/libtspi.so.1 \
+           --htmldir=%{_docdir}/manual \
 %if %{with guile}
            --enable-guile \
 %else
@@ -171,9 +174,7 @@ make %{?_smp_mflags} V=1
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
-rm -f $RPM_BUILD_ROOT%{_bindir}/srptool
-rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1
-rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp*
+make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
 rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.0/guile-gnutls*.a
@@ -182,9 +183,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/gnutls/libpkcs11mock1.*
 %if %{without dane}
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
 %endif
-# Temporary work around for #1422256
-sed -i 's/libidn2,//g' $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls.pc
-sed -i 's/-lunistring/-lunistring -lidn2/' $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls.pc
 
 %find_lang gnutls
 
@@ -238,6 +236,7 @@ fi
 %{_mandir}/man3/*
 %{_infodir}/gnutls*
 %{_infodir}/pkcs11-vision*
+%{_docdir}/manual/*
 
 %files utils
 %defattr(-,root,root,-)
@@ -246,6 +245,7 @@ fi
 %{_bindir}/ocsptool
 %{_bindir}/psktool
 %{_bindir}/p11tool
+%{_bindir}/srptool
 %if %{with dane}
 %{_bindir}/danetool
 %endif
@@ -270,6 +270,50 @@ fi
 %endif
 
 %changelog
+* Fri Feb 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.18-2
+- Backported PKCS#11 loading improvements.
+
+* Fri Feb 16 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.18-1
+- Update to upstream 3.5.18 release
+
+* Wed Jan 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.17-1
+- Update to upstream 3.5.17 release
+
+* Thu Nov 30 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.17-4
+- Corrected regression from 3.5.17-3 which prevented the loading of
+  arbitrary p11-kit modules (#1507402)
+
+* Wed Nov 22 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.17-3
+- Apply missing patch (#1507402)
+
+* Mon Nov  6 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.17-2
+- Prevent the loading of all PKCS#11 modules on certificate verification
+  but only restrict to p11-kit trust module (#1507402)
+
+* Sat Oct 21 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.16-1
+- Update to upstream 3.5.16 release
+
+* Mon Aug 21 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.15-1
+- Update to upstream 3.5.15 release
+
+* Tue Jul 04 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.14-1
+- Update to upstream 3.5.14 release
+
+* Wed Jun 07 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.13-1
+- Update to upstream 3.5.13 release
+
+* Thu May 11 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.12-2
+- Fix issue with p11-kit-trust arch dependency
+
+* Thu May 11 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.12-1
+- Update to upstream 3.5.12 release
+
+* Fri Apr 07 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.11-1
+- Update to upstream 3.5.11 release
+
+* Mon Mar 06 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.10-1
+- Update to upstream 3.5.10 release
+
 * Wed Feb 15 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.5.9-2
 - Work around missing pkg-config file (#1422256)
 

sources

@@ -1 +1,3 @@
-SHA512 (gnutls-3.5.9-hobbled.tar.xz) = a8e308cafe6103ca613e113e6409d9fe73ad84db8c199680b437dacdecb7af0593ae8659d789dcb033c8a51d00e3d567e2a90585dfcd7008f9f49bb6e125d826
+SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
+SHA512 (gnutls-3.5.18.tar.xz.sig) = 2eb6c668dba7d814ce1432cdaf11688c7f57d8c4fc50510739e137204b82db4add21986dbdb8a24b221a42a26cb7cd9a8244a24b07fdebd97e66f985172c4c37
+SHA512 (gnutls-3.5.18.tar.xz) = 434cf33a4221fe2edce1b531cb53690d14a0991cb2056006021f625fb018987351f8ec917c3a7803e5e64179cf1647a3002ae783736ffca3188d2d294b76df52