Remove most gnutls patches after the update
authorAndre Heinecke <aheinecke@intevation.de>
Thu, 6 Jul 2017 08:52:02 +0000 (10:52 +0200)
committerAndre Heinecke <aheinecke@intevation.de>
Thu, 6 Jul 2017 08:52:02 +0000 (10:52 +0200)
* patches/gnutls-2.12.24/02-cve-2013-2116.patch,
patches/gnutls-2.12.24/03-cve-2014-1959.patch,
patches/gnutls-2.12.24/04-cve-2014-0092.patch,
patches/gnutls-2.12.24/05-cve-2014-3466.patch,
patches/gnutls-2.12.24/06-cve-2015-0282.patch,
patches/gnutls-2.12.24/07-cve-2015-0294.patch,
patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch,
patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch: Removed.

--
These issues have been addressed in the 2.12.24 release.

Makefile.am
patches/gnutls-2.12.24/02-cve-2013-2116.patch [deleted file]
patches/gnutls-2.12.24/03-cve-2014-1959.patch [deleted file]
patches/gnutls-2.12.24/04-cve-2014-0092.patch [deleted file]
patches/gnutls-2.12.24/05-cve-2014-3466.patch [deleted file]
patches/gnutls-2.12.24/06-cve-2015-0282.patch [deleted file]
patches/gnutls-2.12.24/07-cve-2015-0294.patch [deleted file]
patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch [deleted file]
patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch [deleted file]

index 7482a24..3e5c4bc 100644 (file)
@@ -37,15 +37,7 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
         patches/gnupg2/01-version.patch \
         patches/gnupg2/01-version.patch.in \
         patches/gnutls-2.12.24/01-openssl-wincrypt.patch \
-        patches/gnutls-2.12.24/02-cve-2013-2116.patch \
-        patches/gnutls-2.12.24/03-cve-2014-1959.patch \
-        patches/gnutls-2.12.24/04-cve-2014-0092.patch \
-        patches/gnutls-2.12.24/05-cve-2014-3466.patch \
-        patches/gnutls-2.12.24/06-cve-2015-0282.patch \
-        patches/gnutls-2.12.24/07-cve-2015-0294.patch \
-        patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch \
         patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch \
-        patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch \
         patches/libtasn1-2.14/gnulib-mingw-w64-fix.patch \
         patches/w32pth-2.0.5/workaround-broken-libtool.patch \
         patches/scute-1.4.0/workaround-broken-libtool.patch \
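Review bot: The six CVE backports dropped from `EXTRA_DIST` in this hunk (`02-cve-2013-2116.patch` through `07-cve-2015-0294.patch`) are removed on the strength of the commit message alone; nothing in the change records how it was confirmed that the 2.12.24 source carries each fix. The deleted patch files further down were written against `gnutls26-2.12.23` paths, so they were backports, and a missed one would silently drop a check such as the `session_id_len > TLS_MAX_SESSION_ID_SIZE` bound in `_gnutls_read_server_hello`. I would add to the commit description, per removed patch, the upstream commit id quoted in its header (for example `5164d5a1d57cd0372a5dd074382ca960ca18b27d` for 02-cve-2013-2116), so the claim can be re-checked against the shipped tarball. Whether other build files still reference the removed patch names is not visible from this hunk.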
diff --git a/patches/gnutls-2.12.24/02-cve-2013-2116.patch b/patches/gnutls-2.12.24/02-cve-2013-2116.patch
deleted file mode 100755 (executable)
index 432f2ac..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From 5164d5a1d57cd0372a5dd074382ca960ca18b27d Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Date: Thu, 23 May 2013 09:54:37 +0200
-Subject: [PATCH 3/3] re-applied sanity check patch
-
----
- lib/gnutls_cipher.c |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
-index 2835121..71f5a98 100644
---- a/lib/gnutls_cipher.c
-+++ b/lib/gnutls_cipher.c
-@@ -561,6 +561,8 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
-           return GNUTLS_E_DECRYPTION_FAILED;
-         }
-       pad = ciphertext.data[ciphertext.size - 1];   /* pad */
-+      if (pad+1 > ciphertext.size-hash_size)
-+        pad_failed = GNUTLS_E_DECRYPTION_FAILED;
-
-       /* Check the pading bytes (TLS 1.x).
-        * Note that we access all 256 bytes of ciphertext for padding check
---
-1.7.10.4
diff --git a/patches/gnutls-2.12.24/03-cve-2014-1959.patch b/patches/gnutls-2.12.24/03-cve-2014-1959.patch
deleted file mode 100755 (executable)
index cb2e6e2..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From b1abfe3d182d68539900092eb42fc62cf1bb7e7c Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Wed, 12 Feb 2014 16:11:58 +0100
-Subject: [PATCH] Fix bug that prevented the rejection of v1 intermediate CA
- certificates.
-
-Reported by Suman Jana.
-
-
-Description: fix rejection of v1 intermediate CA
- Fix bug that prevented the rejection of v1 intermediate CA
- certificates.
- Reported by Suman Jana.
- This is b1abfe3d182d68539900092eb42fc62cf1bb7e7c from upstream git,
- unfuzzed for 2.12.x by Andreas Metzler.
-Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Origin: upstream
-Bug: http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
-Forwarded: not-needed
-Last-Update: 2014-02-15
-
---- gnutls26-2.12.23.orig/lib/x509/verify.c
-+++ gnutls26-2.12.23/lib/x509/verify.c
-@@ -644,8 +644,10 @@ _gnutls_x509_verify_certificate (const g
-       /* note that here we disable this V1 CA flag. So that no version 1
-        * certificates can exist in a supplied chain.
-        */
--      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
-+      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
-         flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
-+      flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
-+      }
-       if ((ret =
-            _gnutls_verify_certificate2 (certificate_list[i - 1],
-                                         &certificate_list[i], 1, flags,
diff --git a/patches/gnutls-2.12.24/04-cve-2014-0092.patch b/patches/gnutls-2.12.24/04-cve-2014-0092.patch
deleted file mode 100755 (executable)
index e0bd8ee..0000000
+++ /dev/null
@@ -1,105 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From 6aa26f78150ccbdf0aec1878a41c17c41d358a3b Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Date: Thu, 27 Feb 2014 19:42:26 +0100
-Subject: [PATCH] corrected return codes
-
----
- lib/x509/verify.c |   16 ++++++++++------
- 1 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index c9a6b0d..eef85a8 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -141,7 +141,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
-
-   result =
-@@ -150,7 +150,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
-
-   result =
-@@ -158,7 +158,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
-
-   result =
-@@ -166,7 +166,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   if (result < 0)
-     {
-       gnutls_assert ();
--      goto cleanup;
-+      goto fail;
-     }
-
-   /* If the subject certificate is the same as the issuer
-@@ -206,6 +206,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
-   else
-     gnutls_assert ();
-
-+fail:
-   result = 0;
-
- cleanup:
-@@ -330,7 +331,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   gnutls_datum_t cert_signed_data = { NULL, 0 };
-   gnutls_datum_t cert_signature = { NULL, 0 };
-   gnutls_x509_crt_t issuer = NULL;
--  int issuer_version, result;
-+  int issuer_version, result = 0;
-
-   if (output)
-     *output = 0;
-@@ -363,7 +364,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (issuer_version < 0)
-     {
-       gnutls_assert ();
--      return issuer_version;
-+      return 0;
-     }
-
-   if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
-@@ -385,6 +386,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
-
-@@ -393,6 +395,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
-
-@@ -410,6 +413,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
-   else if (result < 0)
-     {
-       gnutls_assert();
-+      result = 0;
-       goto cleanup;
-     }
-
---
-1.7.1
diff --git a/patches/gnutls-2.12.24/05-cve-2014-3466.patch b/patches/gnutls-2.12.24/05-cve-2014-3466.patch
deleted file mode 100755 (executable)
index 58af165..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From 89238044ade02c4d80e334ab74056ef28599663d Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Date: Fri, 23 May 2014 19:53:03 +0200
-Subject: [PATCH] Prevent memory corruption due to server hello parsing.
-
-Issue discovered by Joonas Kuorilehto of Codenomicon.
----
- lib/gnutls_handshake.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
-index e4a63e4..e652528 100644
---- a/lib/gnutls_handshake.c
-+++ b/lib/gnutls_handshake.c
-@@ -1797,7 +1797,7 @@ _gnutls_read_server_hello (gnutls_session_t session,
-   DECR_LEN (len, 1);
-   session_id_len = data[pos++];
-
--  if (len < session_id_len)
-+  if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
-     {
-       gnutls_assert ();
-       return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
---
-1.7.1
diff --git a/patches/gnutls-2.12.24/06-cve-2015-0282.patch b/patches/gnutls-2.12.24/06-cve-2015-0282.patch
deleted file mode 100755 (executable)
index a12dd6a..0000000
+++ /dev/null
@@ -1,484 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From d326f81daed5a1a06476d66a81584f8c7b71141d Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Mon, 23 Feb 2015 10:03:47 +0100
-Subject: [PATCH] Added fix for GNUTLS-SA-2015-1
-
----
- lib/gnutls_algorithms.c |  8 ++++++++
- lib/gnutls_algorithms.h |  1 +
- lib/gnutls_pubkey.c     |  4 ++--
- lib/gnutls_sig.c        | 14 ++++++++------
- lib/x509/common.h       |  2 +-
- lib/x509/crq.c          | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
- lib/x509/privkey.c      |  3 ++-
- lib/x509/verify.c       | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------
- lib/x509/x509.c         |  4 ++--
- lib/x509/x509_int.h     |  7 ++++---
- 10 files changed, 127 insertions(+), 42 deletions(-)
-
-Index: gnutls26-2.12.23/lib/gnutls_algorithms.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/gnutls_algorithms.c      2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/gnutls_algorithms.c   2015-03-20 09:07:52.579827744 -0400
-@@ -2056,6 +2056,14 @@
-   return ret;
- }
-
-+int
-+_gnutls_sign_get_hash (gnutls_sign_algorithm_t algorithm)
-+{
-+  GNUTLS_SIGN_LOOP (if (p->id == algorithm) return p->mac);
-+
-+  return GNUTLS_MAC_UNKNOWN;
-+}
-+
- gnutls_sign_algorithm_t
- _gnutls_x509_oid2sign_algorithm (const char *oid)
- {
-Index: gnutls26-2.12.23/lib/gnutls_algorithms.h
-===================================================================
---- gnutls26-2.12.23.orig/lib/gnutls_algorithms.h      2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/gnutls_algorithms.h   2015-03-20 09:07:52.583827801 -0400
-@@ -105,6 +105,7 @@
- enum encipher_type _gnutls_kx_encipher_type (gnutls_kx_algorithm_t algorithm);
-
- /* Functions for sign algorithms. */
-+int _gnutls_sign_get_hash (gnutls_sign_algorithm_t algorithm);
- gnutls_sign_algorithm_t _gnutls_x509_oid2sign_algorithm (const char *oid);
- gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk,
-                                                  gnutls_mac_algorithm_t mac);
-Index: gnutls26-2.12.23/lib/gnutls_pubkey.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/gnutls_pubkey.c  2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/gnutls_pubkey.c       2015-03-20 09:07:52.583827801 -0400
-@@ -1048,7 +1048,7 @@
-       return GNUTLS_E_INVALID_REQUEST;
-     }
-
--  ret = pubkey_verify_sig( data, NULL, signature, pubkey->pk_algorithm,
-+  ret = pubkey_verify_sig(GNUTLS_MAC_UNKNOWN, data, NULL, signature, pubkey->pk_algorithm,
-     pubkey->params, pubkey->params_size);
-   if (ret < 0)
-     {
-@@ -1086,7 +1086,7 @@
-     }
-
-   ret =
--    pubkey_verify_sig (NULL, hash, signature, key->pk_algorithm,
-+    pubkey_verify_sig (GNUTLS_MAC_UNKNOWN, NULL, hash, signature, key->pk_algorithm,
-                        key->params, key->params_size);
-
-   return ret;
-Index: gnutls26-2.12.23/lib/gnutls_sig.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/gnutls_sig.c     2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/gnutls_sig.c  2015-03-20 09:07:52.583827801 -0400
-@@ -273,7 +273,8 @@
- verify_tls_hash (gnutls_session_t session, gnutls_protocol_t ver, gnutls_cert * cert,
-                     const gnutls_datum_t * hash_concat,
-                     gnutls_datum_t * signature, size_t sha1pos,
--                    gnutls_pk_algorithm_t pk_algo)
-+                    gnutls_pk_algorithm_t pk_algo,
-+                    int hashalg)
- {
-   int ret;
-   gnutls_datum_t vdata;
-@@ -309,7 +310,7 @@
-         ret = _gnutls_rsa_verify (&vdata, signature, cert->params,
-                                      cert->params_size, 1);
-       else
--        ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
-+        ret = pubkey_verify_sig(hashalg, NULL, &vdata, signature, pk_algo,
-           cert->params, cert->params_size);
-
-       if (ret < 0)
-@@ -324,7 +325,7 @@
-       vdata.data = &hash_concat->data[sha1pos];
-       vdata.size = hash_concat->size - sha1pos;
-
--      ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
-+      ret = pubkey_verify_sig(hashalg, NULL, &vdata, signature, pk_algo,
-         cert->params, cert->params_size);
-       /* verify signature */
-       if (ret < 0)
-@@ -428,7 +429,8 @@
-   ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
-                             dconcat.size -
-                             _gnutls_hash_get_algo_len (hash_algo),
--                            _gnutls_sign_get_pk_algorithm (algo));
-+                            _gnutls_sign_get_pk_algorithm (algo),
-+                            hash_algo);
-   if (ret < 0)
-     {
-       gnutls_assert ();
-@@ -491,7 +493,7 @@
-
-   ret =
-     verify_tls_hash (session, ver, cert, &dconcat, signature, 0,
--                        cert->subject_pk_algorithm);
-+                        cert->subject_pk_algorithm, hash_algo);
-   if (ret < 0)
-     {
-       gnutls_assert ();
-@@ -582,7 +584,7 @@
-
-   ret =
-     verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
--                        cert->subject_pk_algorithm);
-+                        cert->subject_pk_algorithm, GNUTLS_MAC_UNKNOWN);
-   if (ret < 0)
-     {
-       gnutls_assert ();
-Index: gnutls26-2.12.23/lib/x509/common.h
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/common.h    2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/common.h 2015-03-20 09:07:52.583827801 -0400
-@@ -151,7 +151,7 @@
- void _asnstr_append_name (char *name, size_t name_size, const char *part1,
-                           const char *part2);
-
--int pubkey_verify_sig (const gnutls_datum_t * tbs,
-+int pubkey_verify_sig (int hashalg, const gnutls_datum_t * tbs,
-                        const gnutls_datum_t * hash,
-                        const gnutls_datum_t * signature,
-                        gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
-Index: gnutls26-2.12.23/lib/x509/crq.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/crq.c       2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/crq.c    2015-03-20 09:07:52.583827801 -0400
-@@ -2540,6 +2540,7 @@
- gnutls_datum signature = { NULL, 0 };
- bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
- int ret, params_size = 0, i;
-+int hashalg, sigalg;
-
-   ret =
-     _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
-@@ -2565,7 +2566,10 @@
-       goto cleanup;
-     }
-
--  ret = pubkey_verify_sig(&data, NULL, &signature,
-+  sigalg = gnutls_x509_crq_get_signature_algorithm (crq);
-+  hashalg = _gnutls_sign_get_hash(sigalg);
-+
-+  ret = pubkey_verify_sig(hashalg, &data, NULL, &signature,
-                           gnutls_x509_crq_get_pk_algorithm (crq, NULL),
-     params, params_size);
-   if (ret < 0)
-@@ -2588,5 +2592,48 @@
-   return ret;
- }
-
-+/**
-+ * gnutls_x509_crq_get_signature_algorithm:
-+ * @crl: should contain a #gnutls_x509_crl_t structure
-+ *
-+ * This function will return a value of the #gnutls_sign_algorithm_t
-+ * enumeration that is the signature algorithm.
-+ *
-+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
-+ *   negative error value.
-+ **/
-+int
-+gnutls_x509_crq_get_signature_algorithm (gnutls_x509_crq_t crq)
-+{
-+  int result;
-+  gnutls_datum_t sa;
-+
-+  if (crq == NULL)
-+    {
-+      gnutls_assert ();
-+      return GNUTLS_E_INVALID_REQUEST;
-+    }
-+
-+  /* Read the signature algorithm. Note that parameters are not
-+   * read. They will be read from the issuer's certificate if needed.
-+   */
-+
-+  result =
-+    _gnutls_x509_read_value (crq->crq, "signatureAlgorithm.algorithm",
-+                             &sa, 0);
-+
-+  if (result < 0)
-+    {
-+      gnutls_assert ();
-+      return result;
-+    }
-+
-+  result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data);
-+
-+  _gnutls_free_datum (&sa);
-+
-+  return result;
-+}
-+
- #endif /* ENABLE_PKI */
-
-Index: gnutls26-2.12.23/lib/x509/privkey.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/privkey.c   2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/privkey.c        2015-03-20 09:07:52.583827801 -0400
-@@ -1828,7 +1828,8 @@
-       return GNUTLS_E_INVALID_REQUEST;
-     }
-
--  result = _gnutls_x509_privkey_verify_signature (data, signature, key);
-+  result = _gnutls_x509_privkey_verify_signature (GNUTLS_MAC_UNKNOWN, data, signature, key);
-+
-   if (result < 0)
-     {
-       gnutls_assert ();
-Index: gnutls26-2.12.23/lib/x509/verify.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/verify.c    2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/verify.c 2015-03-20 09:07:52.587827857 -0400
-@@ -332,6 +332,7 @@
-   gnutls_datum_t cert_signature = { NULL, 0 };
-   gnutls_x509_crt_t issuer = NULL;
-   int issuer_version, result = 0;
-+  int sigalg, hashalg;
-
-   if (output)
-     *output = 0;
-@@ -399,8 +400,18 @@
-       goto cleanup;
-     }
-
-+  sigalg = gnutls_x509_crt_get_signature_algorithm (cert);
-+  hashalg = _gnutls_sign_get_hash(sigalg);
-+
-+  if (hashalg == GNUTLS_MAC_UNKNOWN)
-+    {
-+      gnutls_assert();
-+      result = 0;
-+      goto cleanup;
-+    }
-+
-   result =
--    _gnutls_x509_verify_signature (&cert_signed_data, NULL, &cert_signature,
-+    _gnutls_x509_verify_signature (hashalg, &cert_signed_data, NULL, &cert_signature,
-                                    issuer);
-   if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
-     {
-@@ -423,10 +434,6 @@
-    */
-   if (is_issuer (cert, cert) == 0)
-     {
--      int sigalg;
--
--      sigalg = gnutls_x509_crt_get_signature_algorithm (cert);
--
-       if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
-            !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
-           ((sigalg == GNUTLS_SIGN_RSA_MD5) &&
-@@ -749,12 +756,12 @@
-  * params[1] is public key
-  */
- static int
--_pkcs1_rsa_verify_sig (const gnutls_datum_t * text,
--                       const gnutls_datum_t * prehash,
--                       const gnutls_datum_t * signature, bigint_t * params,
--                       int params_len)
-+_pkcs1_rsa_verify_sig (gnutls_mac_algorithm_t hash, const gnutls_datum_t * text,
-+                     const gnutls_datum_t * prehash,
-+                     const gnutls_datum_t * signature, bigint_t * params,
-+                     int params_len)
- {
--  gnutls_mac_algorithm_t hash = GNUTLS_MAC_UNKNOWN;
-+  gnutls_mac_algorithm_t phash = GNUTLS_MAC_UNKNOWN;
-   int ret;
-   opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE], *cmp;
-   int digest_size;
-@@ -774,7 +781,7 @@
-
-   digest_size = sizeof (digest);
-   if ((ret =
--       decode_ber_digest_info (&decrypted, &hash, digest, &digest_size)) != 0)
-+       decode_ber_digest_info (&decrypted, &phash, digest, &digest_size)) != 0)
-     {
-       gnutls_assert ();
-       _gnutls_free_datum (&decrypted);
-@@ -783,6 +790,15 @@
-
-   _gnutls_free_datum (&decrypted);
-
-+  if (hash != GNUTLS_MAC_UNKNOWN && hash != phash)
-+    {
-+      gnutls_assert();
-+      return GNUTLS_E_PK_SIG_VERIFY_FAILED;
-+    }
-+  else
-+    hash = phash;
-+
-+
-   if (digest_size != _gnutls_hash_get_algo_len (hash))
-     {
-       gnutls_assert ();
-@@ -878,11 +894,11 @@
-  * not verified, or 1 otherwise.
-  */
- int
--pubkey_verify_sig (const gnutls_datum_t * tbs,
--                   const gnutls_datum_t * hash,
--                   const gnutls_datum_t * signature,
--                   gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
--                   int issuer_params_size)
-+pubkey_verify_sig (int hashalg, const gnutls_datum_t * tbs,
-+          const gnutls_datum_t * hash,
-+          const gnutls_datum_t * signature,
-+          gnutls_pk_algorithm_t pk, bigint_t * issuer_params,
-+          int issuer_params_size)
- {
-
-   switch (pk)
-@@ -890,7 +906,7 @@
-     case GNUTLS_PK_RSA:
-
-       if (_pkcs1_rsa_verify_sig
--          (tbs, hash, signature, issuer_params, issuer_params_size) != 0)
-+          (hashalg, tbs, hash, signature, issuer_params, issuer_params_size) != 0)
-         {
-           gnutls_assert ();
-           return GNUTLS_E_PK_SIG_VERIFY_FAILED;
-@@ -1021,7 +1037,7 @@
-  * 'signature' is the signature!
-  */
- int
--_gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
-+_gnutls_x509_verify_signature (int hashalg, const gnutls_datum_t * tbs,
-                                const gnutls_datum_t * hash,
-                                const gnutls_datum_t * signature,
-                                gnutls_x509_crt_t issuer)
-@@ -1041,7 +1057,7 @@
-     }
-
-   ret =
--    pubkey_verify_sig (tbs, hash, signature,
-+    pubkey_verify_sig (hashalg, tbs, hash, signature,
-                        gnutls_x509_crt_get_pk_algorithm (issuer, NULL),
-                        issuer_params, issuer_params_size);
-   if (ret < 0)
-@@ -1066,13 +1082,13 @@
-  * 'signature' is the signature!
-  */
- int
--_gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
-+_gnutls_x509_privkey_verify_signature (int hashalg, const gnutls_datum_t * tbs,
-                                        const gnutls_datum_t * signature,
-                                        gnutls_x509_privkey_t issuer)
- {
-   int ret;
-
--  ret = pubkey_verify_sig (tbs, NULL, signature, issuer->pk_algorithm,
-+  ret = pubkey_verify_sig (hashalg, tbs, NULL, signature, issuer->pk_algorithm,
-                            issuer->params, issuer->params_size);
-   if (ret < 0)
-     {
-@@ -1293,6 +1309,7 @@
-   gnutls_datum_t crl_signature = { NULL, 0 };
-   gnutls_x509_crt_t issuer;
-   int result;
-+  int sigalg, hashalg;
-
-   if (output)
-     *output = 0;
-@@ -1334,6 +1351,7 @@
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
-
-@@ -1341,11 +1359,21 @@
-   if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-+      goto cleanup;
-+    }
-+
-+  sigalg = gnutls_x509_crl_get_signature_algorithm (crl);
-+  hashalg = _gnutls_sign_get_hash(sigalg);
-+  if (hashalg == GNUTLS_MAC_UNKNOWN)
-+    {
-+      gnutls_assert();
-+      result = 0;
-       goto cleanup;
-     }
-
-   result =
--    _gnutls_x509_verify_signature (&crl_signed_data, NULL, &crl_signature,
-+    _gnutls_x509_verify_signature (hashalg, &crl_signed_data, NULL, &crl_signature,
-                                    issuer);
-   if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED)
-     {
-@@ -1358,14 +1386,11 @@
-   else if (result < 0)
-     {
-       gnutls_assert ();
-+      result = 0;
-       goto cleanup;
-     }
-
-   {
--    int sigalg;
--
--    sigalg = gnutls_x509_crl_get_signature_algorithm (crl);
--
-     if (((sigalg == GNUTLS_SIGN_RSA_MD2) &&
-          !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) ||
-         ((sigalg == GNUTLS_SIGN_RSA_MD5) &&
-Index: gnutls26-2.12.23/lib/x509/x509.c
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/x509.c      2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/x509.c   2015-03-20 09:07:52.587827857 -0400
-@@ -2714,7 +2714,7 @@
-       return GNUTLS_E_INVALID_REQUEST;
-     }
-
--  result = _gnutls_x509_verify_signature (data, NULL, signature, crt);
-+  result = _gnutls_x509_verify_signature (GNUTLS_MAC_UNKNOWN, data, NULL, signature, crt);
-   if (result < 0)
-     {
-       gnutls_assert ();
-@@ -2752,7 +2752,7 @@
-       return GNUTLS_E_INVALID_REQUEST;
-     }
-
--  result = _gnutls_x509_verify_signature (NULL, hash, signature, crt);
-+  result = _gnutls_x509_verify_signature (GNUTLS_MAC_UNKNOWN, NULL, hash, signature, crt);
-   if (result < 0)
-     {
-       gnutls_assert ();
-Index: gnutls26-2.12.23/lib/x509/x509_int.h
-===================================================================
---- gnutls26-2.12.23.orig/lib/x509/x509_int.h  2015-03-20 09:07:52.587827857 -0400
-+++ gnutls26-2.12.23/lib/x509/x509_int.h       2015-03-20 09:07:52.587827857 -0400
-@@ -187,11 +187,11 @@
-                                bigint_t * issuer_params,
-                                unsigned int issuer_params_size);
-
--int _gnutls_x509_verify_signature (const gnutls_datum_t * tbs,
-+int _gnutls_x509_verify_signature (int sigalg, const gnutls_datum_t * tbs,
-                                    const gnutls_datum_t * hash,
-                                    const gnutls_datum_t * signature,
-                                    gnutls_x509_crt_t issuer);
--int _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs,
-+int _gnutls_x509_privkey_verify_signature (int sigalg, const gnutls_datum_t * tbs,
-                                            const gnutls_datum_t * signature,
-                                            gnutls_x509_privkey_t issuer);
-
-@@ -390,5 +390,6 @@
-                                     const char *ext_id,
-                                     const gnutls_datum_t * ext_data,
-                                     unsigned int critical);
--
-+int
-+gnutls_x509_crq_get_signature_algorithm (gnutls_x509_crq_t crq);
- #endif
diff --git a/patches/gnutls-2.12.24/07-cve-2015-0294.patch b/patches/gnutls-2.12.24/07-cve-2015-0294.patch
deleted file mode 100755 (executable)
index 2983fec..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-From 2458d6d158fd523418e331e50abb35cd334bb795 Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Mon, 23 Feb 2015 10:41:56 +0100
-Subject: [PATCH] added fix for certificate algorithm consistency check
-
----
- lib/x509/x509.c | 34 +++++++++++++++++++++++++++++++++-
- 1 file changed, 33 insertions(+), 1 deletion(-)
-
-diff --git a/lib/x509/x509.c b/lib/x509/x509.c
-index 6db574c..f51ba3b 100644
---- a/lib/x509/x509.c
-+++ b/lib/x509/x509.c
-@@ -165,7 +165,7 @@ gnutls_x509_crt_import (gnutls_x509_crt_t cert,
-                         gnutls_x509_crt_fmt_t format)
- {
-   int result = 0, need_free = 0;
--  gnutls_datum_t _data;
-+  gnutls_datum_t _data, sa1 = {NULL, 0}, sa2 = {NULL, 0};
-
-   if (cert == NULL)
-     {
-@@ -233,6 +233,36 @@ gnutls_x509_crt_import (gnutls_x509_crt_t cert,
-       goto cleanup;
-     }
-
-+  result =
-+    _gnutls_x509_read_value (cert->cert, "tbsCertificate.signature.algorithm",
-+                           &sa1, 0);
-+  if (result != ASN1_SUCCESS)
-+    {
-+      result = _gnutls_asn2err (result);
-+      gnutls_assert ();
-+      goto cleanup;
-+    }
-+
-+  result =
-+    _gnutls_x509_read_value (cert->cert, "signatureAlgorithm.algorithm",
-+                           &sa2, 0);
-+  if (result != ASN1_SUCCESS)
-+    {
-+      result = _gnutls_asn2err (result);
-+      gnutls_assert ();
-+      goto cleanup;
-+    }
-+
-+  if (sa1.size != sa2.size || sa1.size == 0 || strcmp(sa1.data, sa2.data) != 0)
-+    {
-+      result = GNUTLS_E_CERTIFICATE_ERROR;
-+      gnutls_assert ();
-+      goto cleanup;
-+    }
-+
-+  _gnutls_free_datum (&sa1);
-+  _gnutls_free_datum (&sa2);
-+
-   /* Since we do not want to disable any extension
-    */
-   cert->use_extensions = 1;
-@@ -242,6 +272,8 @@ gnutls_x509_crt_import (gnutls_x509_crt_t cert,
-   return 0;
-
- cleanup:
-+  _gnutls_free_datum (&sa1);
-+  _gnutls_free_datum (&sa2);
-   if (need_free)
-     _gnutls_free_datum (&_data);
-   return result;
---
-libgit2 0.21.4
diff --git a/patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch b/patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch
deleted file mode 100755 (executable)
index 2f77d3b..0000000
+++ /dev/null
@@ -1,637 +0,0 @@
-#! /bin/sh
-patch -p1 -l -f $* < $0
-exit $?
-
-Description: Update gdoc script from gnutls master.
- This includes bef38b98c0536d81c0e4b2e78a9182e1df1d451c among other fixes:
- .
- [PATCH] Avoid depending on hash order in gdoc.
- .
- Previously, gdoc had a hash of regexp replacements for each output
- format, and applied the replacements in the order that "keys" returned
- for the hash. However, not all orders are safe -- and now that Perl 5.18
- randomises hash order per-process, it only worked sometimes!
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/724167
-Forwarded: not-needed
-
---- gnutls26-2.12.23.orig/doc/scripts/gdoc
-+++ gnutls26-2.12.23/doc/scripts/gdoc
-@@ -1,4 +1,6 @@
--#!/usr/bin/perl
-+eval '(exit $?0)' && eval 'exec perl "$0" ${1+"$@"}'
-+  & eval 'exec perl "$0" $argv:q'
-+    if 0;
-
- ## Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson
- ##                    added -texinfo, -listfunc, -pkg-name
-@@ -7,6 +9,8 @@
- ## Copyright (c) 2001, 2002 Nikos Mavrogiannopoulos
- ##                    added -tex
- ## Copyright (c) 1998 Michael Zucchi
-+## Copyright (c) 2013 Adam Sampson
-+##                    made highlighting not depend on hash order, for Perl 5.18
-
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
-@@ -132,57 +136,59 @@
- use POSIX qw(strftime);
-
- # match expressions used to find embedded type information
--$type_constant = "((?<!\")\\\%(\\w+))";
--$type_func = "(\\w+\\(\\))";
--$type_param = "\\\@(\\w+)";
--$type_struct = "\\\#(\\w+)";
--$type_env = "(\\\$\\w+)";
-+$type_constant = "\\\%([A-Za-z0-9_]+)";
-+$type_func = "([A-Za-z0-9_]+\\(\\))";
-+$type_param = '\@([A-Za-z0-9_]+)\s*';
-+$type_struct = "\\\#([A-Za-z0-9_]+)";
-+$type_env = "(\\\$[A-Za-z0-9_]+)";
-
-
- # Output conversion substitutions.
- #  One for each output format
-
- # these work fairly well
--%highlights_html = ( $type_constant, "<i>\$2</i>",
--                   $type_func, "<b>\$1</b>",
--                   $type_struct, "<i>\$1</i>",
--                   $type_param, "<tt><b>\$1</b></tt>" );
-+@highlights_html = ( [$type_constant, '"<i>$1</i>"'],
-+                   [$type_func, '"<b>$1</b>"'],
-+                   [$type_struct, '"<i>$1</i>"'],
-+                   [$type_param, '" <tt><b>$1</b></tt> "'] );
- $blankline_html = "<p>";
-
--%highlights_texinfo = ( $type_constant, "\\\@code{\$2}",
--                      $type_func, "\\\@code{\$1}",
--                      $type_struct, "\\\@code{\$1}",
--                      $type_param, "\\\@code{\$1}" );
-+@highlights_texinfo = ( [$type_param, '" \@code{$1} "'],
-+                      [$type_constant, '"\@code{$1} "'],
-+                      [$type_func, '"\@code{$1} "'],
-+                      [$type_struct, '"\@code{$1} "'],
-+                       );
- $blankline_texinfo = "";
-
--%highlights_tex = ( $type_constant, "{\\\\it \$2}",
--                   $type_func, "{\\\\bf \$1}",
--                   $type_struct, "{\\\\it \$1}",
--                   $type_param, "{\\\\bf \$1}" );
-+@highlights_tex = ( [$type_param, '" {\\\bf $1} "'],
-+              [$type_constant, '"{\\\it $1}"'],
-+              [$type_func, '"{\\\bf $1}"'],
-+              [$type_struct, '"{\\\it $1}"'],
-+                    );
- $blankline_tex = "\\\\";
-
- # sgml, docbook format
--%highlights_sgml = ( $type_constant, "<replaceable class=\"option\">\$2</replaceable>",
--                   $type_func, "<function>\$1</function>",
--                   $type_struct, "<structname>\$1</structname>",
--                   $type_env, "<envar>\$1</envar>",
--                   $type_param, "<parameter>\$1</parameter>" );
-+@highlights_sgml = ( [$type_constant, '"<replaceable class=\"option\">$1</replaceable>"'],
-+                   [$type_func, '"<function>$1</function>"'],
-+                   [$type_struct, '"<structname>$1</structname>"'],
-+                   [$type_env, '"<envar>$1</envar>"'],
-+                   [$type_param, '" <parameter>$1</parameter> "'] );
- $blankline_sgml = "</para><para>\n";
-
- # these are pretty rough
--%highlights_man = ( $type_constant, "\\\\fB\$2\\\\fP",
--                  $type_func, "\\\\fB\$1\\\\fP",
--                  $type_struct, "\\\\fB\$1\\\\fP",
--                  $type_param, "\\\\fI\$1\\\\fP" );
-+@highlights_man = ( [$type_constant, '"\\\fB$1\\\fP"'],
-+                  [$type_func, '"\\\fB$1\\\fP"'],
-+                  [$type_struct, '"\\\fB$1\\\fP"'],
-+                  [$type_param, '" \\\fI$1\\\fP "'] );
- $blankline_man = "";
-
- # text-mode
--%highlights_text = ( $type_constant, "\$2",
--                   $type_func, "\$1",
--                   $type_struct, "\$1",
--                   $type_param, "\$1" );
-+@highlights_text = ( [$type_constant, '"$1"'],
-+                   [$type_func, '"$1"'],
-+                   [$type_struct, '"$1"'],
-+                   [$type_param, '"$1 "'] );
- $blankline_text = "";
--
-+my $lineprefix = "";
-
- sub usage {
-     print "Usage: $0 [ -v ] [ -docbook | -html | -text | -man | -tex | -texinfo  -listfunc ]\n";
-@@ -201,7 +207,7 @@ if ($#ARGV==-1) {
-
- $verbose = 0;
- $output_mode = "man";
--%highlights = %highlights_man;
-+@highlights = @highlights_man;
- $blankline = $blankline_man;
- $modulename = "API Documentation";
- $sourceversion = strftime "%Y-%m-%d", localtime;
-@@ -210,27 +216,27 @@ while ($ARGV[0] =~ m/^-(.*)/) {
-     $cmd = shift @ARGV;
-     if ($cmd eq "-html") {
-       $output_mode = "html";
--      %highlights = %highlights_html;
-+      @highlights = @highlights_html;
-       $blankline = $blankline_html;
-     } elsif ($cmd eq "-man") {
-       $output_mode = "man";
--      %highlights = %highlights_man;
-+      @highlights = @highlights_man;
-       $blankline = $blankline_man;
-     } elsif ($cmd eq "-tex") {
-       $output_mode = "tex";
--      %highlights = %highlights_tex;
-+      @highlights = @highlights_tex;
-       $blankline = $blankline_tex;
-     } elsif ($cmd eq "-texinfo") {
-       $output_mode = "texinfo";
--      %highlights = %highlights_texinfo;
-+      @highlights = @highlights_texinfo;
-       $blankline = $blankline_texinfo;
-     } elsif ($cmd eq "-text") {
-       $output_mode = "text";
--      %highlights = %highlights_text;
-+      @highlights = @highlights_text;
-       $blankline = $blankline_text;
-     } elsif ($cmd eq "-docbook") {
-       $output_mode = "sgml";
--      %highlights = %highlights_sgml;
-+      @highlights = @highlights_sgml;
-       $blankline = $blankline_sgml;
-     } elsif ($cmd eq "-listfunc") {
-       $output_mode = "listfunc";
-@@ -270,6 +276,8 @@ sub dump_section {
-     my $name = shift @_;
-     my $contents = join "\n", @_;
-
-+    $name = " $name";
-+
-     if ($name =~ m/$type_constant/) {
-       $name = $1;
- #     print STDERR "constant section '$1' = '$contents'\n";
-@@ -280,6 +288,7 @@ sub dump_section {
-       $parameters{$name} = $contents;
-     } else {
- #     print STDERR "other section '$name' = '$contents'\n";
-+      $name =~ tr/ //d;
-       $sections{$name} = $contents;
-       push @sectionlist, $name;
-     }
-@@ -296,35 +305,15 @@ sub dump_section {
- #  sections => %descriont descriptions
- #
-
--sub repstr {
--    $pattern = shift;
--    $repl = shift;
--    $match1 = shift;
--    $match2 = shift;
--    $match3 = shift;
--    $match4 = shift;
--
--    $output = $repl;
--    $output =~ s,\$1,$match1,g;
--    $output =~ s,\$2,$match2,g;
--    $output =~ s,\$3,$match3,g;
--    $output =~ s,\$4,$match4,g;
--
--    eval "\$return = qq/$output/";
--
--#    print "pattern $pattern matched 1=$match1 2=$match2 3=$match3 4=$match4 replace $repl yielded $output interpolated $return\n";
--
--    $return;
--}
--
- sub just_highlight {
-     my $contents = join "\n", @_;
-     my $line;
-     my $ret = "";
-
--    foreach $pattern (keys %highlights) {
--#     print "scanning pattern $pattern ($highlights{$pattern})\n";
--      $contents =~ s:$pattern:repstr($pattern, $highlights{$pattern}, $1, $2, $3, $4):gse;
-+    foreach $highlight (@highlights) {
-+      my ($pattern, $replace) = @$highlight;
-+      #print "scanning pattern $pattern ($replace)\n";
-+      $contents =~ s/$pattern/$replace/gees;
-     }
-     foreach $line (split "\n", $contents) {
-       if ($line eq ""){
-@@ -370,13 +359,45 @@ sub output_texinfo {
-       }
-     }
-     foreach $section (@{$args{'sectionlist'}}) {
-+      $section =~ s/\@//g;
-       print "\n\@strong{$section:} " if $section ne $section_default;
--      $args{'sections'}{$section} =~ s:([{}]):\@\1:gs;
-+      $args{'sections'}{$section} =~ s:([{}]):\@$1:gs;
-       output_highlight($args{'sections'}{$section});
-     }
-     print "\@end deftypefun\n\n";
- }
-
-+sub output_enum_texinfo {
-+    my %args = %{$_[0]};
-+    my ($parameter, $section);
-+    my $count;
-+    my $name = $args{'enum'};
-+    my $param;
-+    my $param2;
-+    my $sec;
-+    my $check;
-+    my $type;
-+
-+    print "\n\@c $name\n";
-+    print "\@table \@code\n";
-+
-+    $check=0;
-+    foreach $parameter (@{$args{'parameterlist'}}) {
-+        $param1 = $parameter;
-+      $param1 =~ s/_/_\@-/g;
-+
-+      $check = 1;
-+      print "\@item ".$param1."\n";
-+#     print "\n";
-+
-+        $param2 = $args{'parameters'}{$parameter};
-+      $out = just_highlight($param2);
-+      chomp $out;
-+      print $out . "\n";
-+    }
-+    print "\@end table\n";
-+}
-+
- # output in html
- sub output_html {
-     my %args = %{$_[0]};
-@@ -428,7 +449,9 @@ sub output_tex {
-
-     $func =~ s/_/\\_/g;
-
--    print "\n\n\\subsection{". $func . "}\n\\label{" . $args{'function'} . "}\n";
-+    print "\n\n\\begin{function}\n";
-+    print "\\functionTitle{". $func . "}\n";
-+    print "\\index{". $func . "}\n";
-
-     $type = $args{'functiontype'};
-     $type =~ s/_/\\_/g;
-@@ -451,9 +474,8 @@ sub output_tex {
-     }
-     print ")\n";
-
--    print "\n{\\large{Arguments}}\n";
-+    print "\n\\begin{functionArguments}\n";
-
--    print "\\begin{itemize}\n";
-     $check=0;
-     foreach $parameter (@{$args{'parameterlist'}}) {
-         $param1 = $args{'parametertypes'}{$parameter};
-@@ -462,11 +484,12 @@ sub output_tex {
-       $param2 =~ s/_/\\_/g;
-
-       $check = 1;
--      print "\\item {\\it ".$param1."} {\\bf ".$param2."}: \n";
-+      print "\\functionArgument {\\it ".$param1."} {\\bf ".$param2."}: \n";
- #     print "\n";
-
-       $param3 = $args{'parameters'}{$parameter};
--      $param3 =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
-+      $param3 =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
-+      $param3 =~ s/\%([a-zA-Z\_]+)/{\\bf $1}/g;
-
-       $out = just_highlight($param3);
-       $out =~ s/_/\\_/g;
-@@ -475,31 +498,72 @@ sub output_tex {
-     if ($check==0) {
-       print "\\item void\n";
-     }
--    print "\\end{itemize}\n";
-+    print "\\end{functionArguments}\n";
-
-     foreach $section (@{$args{'sectionlist'}}) {
-       $sec = $section;
-       $sec =~ s/_/\\_/g;
--      $sec =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
-+      $sec =~ s/#([a-zA-Z\_]+)/{\\it $1}/g;
-
--      print "\n{\\large{$sec}}\\\\\n";
--      print "\\begin{rmfamily}\n";
-+      print "\n\\begin{function${sec}}\n";
-+      $out = $args{'sections'}{$section};
-
--      $sec = $args{'sections'}{$section};
--      $sec =~ s/\\:/:/g;
--      $sec =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
--      $sec =~ s/->/\$\\rightarrow\$/g;
--      $sec =~ s/([0-9]+)\^([0-9]+)/\$\{\1\}\^\{\2\}\$/g;
--
--      $out = just_highlight($sec);
--      $out =~ s/_/\\_/g;
-+      $out =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
-+      $out =~ s/\%([a-zA-Z\_]+)/{\\bf $1}/g;
-+      $out =~ s/\@([a-zA-Z\_]+)/{\\bf $1}/g;
-+      $out =~ s/_/\\_\\-/g;
-+        $out =~ s/\$/\\\$/g;
-+      $out =~ s/#/\\#/g;
-+      $out =~ s/\n\n/\n/g;
-+      $out =~ s/\\:/:/g;
-+      $out =~ s/\-\>/\$\\rightarrow\$/g;
-+      $out =~ s/([0-9]+)\^([0-9]+)/\$\{$1\}\^\{$2\}\$/g;
-
-       print $out;
--      print "\\end{rmfamily}\n";
-+      print "\\end{function${sec}}\n";
-     }
--    print "\n";
-+    print "\\end{function}\n\n";
- }
-
-+sub output_enum_tex {
-+    my %args = %{$_[0]};
-+    my ($parameter, $section);
-+    my $count;
-+    my $name = $args{'enum'};
-+    my $param;
-+    my $param2;
-+    my $sec;
-+    my $check;
-+    my $type;
-+
-+    print "\n\n\\begin{enum}\n";
-+    $name =~ s/_/\\_/g;
-+    print "\\enumTitle{". $name . "}\n";
-+    print "\\index{". $name . "}\n";
-+
-+    print "\n\\begin{enumList}\n";
-+
-+    $check=0;
-+    foreach $parameter (@{$args{'parameterlist'}}) {
-+        $param1 = $parameter;
-+      $param1 =~ s/_/\\_\\-/g;
-+
-+      $check = 1;
-+      print "\\enumElement{".$param1."}{";
-+#     print "\n";
-+
-+        $param2 = $args{'parameters'}{$parameter};
-+      $param2 =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
-+      $param2 =~ s/\%([a-zA-Z\_]+)/{\\bf $1}/g;
-+      $out = just_highlight($param2);
-+      $out =~ s/_/\\_/g;
-+      chomp $out;
-+      print $out . "}\n";
-+    }
-+    print "\\end{enumList}\n";
-+
-+    print "\\end{enum}\n\n";
-+}
-
- # output in sgml DocBook
- sub output_sgml {
-@@ -639,11 +703,14 @@ sub output_man {
-     if ($args{'bugsto'}) {
-       print ".SH \"REPORTING BUGS\"\n";
-       print "Report bugs to <". $args{'bugsto'} . ">.\n";
-+        print ".br\n";
-+      print "General guidelines for reporting bugs: http://www.gnu.org/gethelp/\n";
-+        print ".br\n";
-       if ($args{'pkgname'}) {
-           print $args{'pkgname'} . " home page: " .
-               "http://www.gnu.org/software/" . $args{'module'} . "/\n";
-       }
--      print "General help using GNU software: http://www.gnu.org/gethelp/\n";
-+      print "\n";
-     }
-
-     if ($args{'copyright'}) {
-@@ -670,6 +737,10 @@ sub output_man {
-       print ".B info " . $args{'seeinfo'} . "\n";
-       print ".PP\n";
-       print "should give you access to the complete manual.\n";
-+      print "As an alternative you may obtain the manual from:\n";
-+      print ".IP\n";
-+      print ".B http://www.gnu.org/software/" . $args{'module'} . "/manual/\n";
-+      print ".PP\n";
-     }
- }
-
-@@ -705,6 +776,10 @@ sub output_function {
-     eval "output_".$output_mode."(\@_);";
- }
-
-+sub output_enum {
-+    eval "output_enum_".$output_mode."(\@_);";
-+}
-+
-
- ##
- # takes a function prototype and spits out all the details
-@@ -744,7 +819,7 @@ sub dump_function {
- #         print STDERR " :> @args\n";
-           $type = join " ", @args;
-
--          if ($parameters{$param} eq "" && $param != "void") {
-+          if ((!defined($parameters{$param}) || $parameters{$param} eq "") && $param ne "void") {
-               $parameters{$param} = "-- undescribed --";
-               print STDERR "warning: $lineno: Function parameter '$param' not described in '$function_name'\n";
-           }
-@@ -781,6 +856,56 @@ sub dump_function {
-     }
- }
-
-+sub dump_enum {
-+    my $prototype = shift @_;
-+
-+    if (($prototype =~ m/^\s*typedef\s+enum\s*[a-zA-Z0-9_~:]*\s*\{([\-a-zA-Z0-9_~=,:\s\(\)\<]+)\s*\}\s*([a-zA-Z0-9_]+);.*/)) {
-+#        || $prototype =~ m/^\s*enum\s+([a-zA-Z0-9_~:]+).*/) {
-+        $args = $1;
-+      $name = $2;
-+
-+      foreach $arg (split ',', $args) {
-+          # strip leading/trailing spaces
-+          $arg =~ s/^\s*//;
-+          $arg =~ s/\s*$//;
-+          $arg =~ s/([A-Za-z0-9_]+)\s*=.*/$1/g;
-+#         print STDERR "SCAN ARG: '$arg'\n";
-+
-+            next if $arg eq '';
-+          if ((!defined($parameters{$arg}) || $parameters{$arg} eq "")) {
-+              $parameters{$arg} = "-- undescribed --";
-+              print STDERR "warning: $lineno: Enumeration parameter '$arg' not described in '$name'\n";
-+          }
-+
-+          push @parameterlist, $arg;
-+
-+#         print STDERR "param = '$arg'\n";
-+      }
-+    } else {
-+#     print STDERR "warning: $lineno: Cannot understand enumeration: '$prototype'\n";
-+      return;
-+    }
-+
-+    output_enum({'enum' => $name,
-+                       'module' => $modulename,
-+                       'sourceversion' => $sourceversion,
-+                       'include' => $include,
-+                       'includefuncprefix' => $includefuncprefix,
-+                       'bugsto' => $bugsto,
-+                       'pkgname' => $pkgname,
-+                       'copyright' => $copyright,
-+                       'verbatimcopying' => $verbatimcopying,
-+                       'seeinfo' => $seeinfo,
-+                       'functiontype' => $return_type,
-+                       'parameterlist' => \@parameterlist,
-+                       'parameters' => \%parameters,
-+                       'parametertypes' => \%parametertypes,
-+                       'sectionlist' => \@sectionlist,
-+                       'sections' => \%sections,
-+                       'purpose' => $function_purpose
-+                       });
-+}
-+
- ######################################################################
- # main
- # states
-@@ -797,7 +922,7 @@ $doc_start = "^/\\*\\*\$";
- $doc_end = "\\*/";
- $doc_com = "\\s*\\*\\s*";
- $doc_func = $doc_com."(\\w+):?";
--$doc_sect = $doc_com."([".$doc_special."[:upper:]][\\w ]+):\\s*(.*)";
-+$doc_sect = $doc_com."([".$doc_special."[:upper:]][\\w]+):\\s*(.*)";
- $doc_content = $doc_com."(.*)";
-
- %constants = ();
-@@ -809,6 +934,7 @@ $doc_content = $doc_com."(.*)";
- $contents = "";
- $section_default = "Description";     # default section
- $section = $section_default;
-+$enum = 0;
-
- $lineno = 0;
- foreach $file (@ARGV) {
-@@ -816,18 +942,21 @@ foreach $file (@ARGV) {
-       print STDERR "Error: Cannot open file $file\n";
-       next;
-     }
--    while (<IN>) {
-+    while ($line = <IN>) {
-       $lineno++;
-
-       if ($state == 0) {
--          if (/$doc_start/o) {
-+          if ($line =~ /$doc_start/o) {
-               $state = 1;             # next line is always the function name
-+#         print STDERR "XXX: start of doc comment\n";
-           }
-       } elsif ($state == 1) { # this line is the function name (always)
--          if (/$doc_func/o) {
-+          if ($line =~ /$doc_func/o) {
-               $function = $1;
-               $state = 2;
--              if (/-\s*(.*)/) {
-+#         print STDERR "XXX: start of doc comment, looking for prototype\n";
-+
-+              if ($line =~ /-\s*(.*)/) {
-                   $function_purpose = $1;
-               } else {
-                   $function_purpose = "";
-@@ -841,11 +970,11 @@ foreach $file (@ARGV) {
-               $state = 0;
-           }
-       } elsif ($state == 2) { # look for head: lines, and include content
--          if (/$doc_sect/o) {
-+          if ($line =~ /$doc_sect/o) {
-               $newsection = $1;
-               $newcontents = $2;
-
--              if ($contents ne "") {
-+              if ($contents ne '') {
-                   dump_section($section, $contents);
-                   $section = $section_default;
-               }
-@@ -855,7 +984,7 @@ foreach $file (@ARGV) {
-                   $contents .= "\n";
-               }
-               $section = $newsection;
--          } elsif (/$doc_end/) {
-+          } elsif ($line =~ /$doc_end/) {
-
-               if ($contents ne "") {
-                   dump_section($section, $contents);
-@@ -863,13 +992,12 @@ foreach $file (@ARGV) {
-                   $contents = "";
-               }
-
--#         print STDERR "end of doc comment, looking for prototype\n";
-               $prototype = "";
-               $state = 3;
--          } elsif (/$doc_content/) {
-+          } elsif ($line =~ /$doc_content/) {
-               # miguel-style comment kludge, look for blank lines after
-               # @parameter line to signify start of description
--              if ($1 eq "" && $section =~ m/^@/) {
-+              if ($1 eq '' && $section =~ m/^@/) {
-                   dump_section($section, $contents);
-                   $section = $section_default;
-                   $contents = "";
-@@ -881,13 +1009,16 @@ foreach $file (@ARGV) {
-               print STDERR "warning: $lineno: Bad line: $_";
-           }
-       } elsif ($state == 3) { # scanning for function { (end of prototype)
--          if (m#\s*/\*\s+MACDOC\s*#io) {
-+          if ($line =~ m#\s*/\*\s+MACDOC\s*#io) {
-             # do nothing
-           }
--          elsif (/([^\{]*)/) {
-+          elsif ($enum == 1 && $line =~ /(^\s*\{).*/) {
-+              $prototype .= "{";
-+          }
-+          elsif ($line =~ /([^\{]*)/) {
-               $prototype .= $1;
-           }
--          if (/\{/) {
-+          if ($enum == 0 && $line =~ /\{/) {
-               $prototype =~ s@/\*.*?\*/@@gos; # strip comments.
-               $prototype =~ s@[\r\n]+@ @gos; # strip newlines/cr's.
-               $prototype =~ s@^ +@@gos; # strip leading spaces
-@@ -901,9 +1032,32 @@ foreach $file (@ARGV) {
-               %sections = ();
-               @sectionlist = ();
-               $prototype = "";
-+              $enum = 0;
-
-               $state = 0;
-           }
-+          elsif ($enum == 1 && $line =~ /\}/) {
-+              $prototype =~ s@/\*.*?\*/@@gos; # strip comments.
-+              $prototype =~ s@[\r\n]+@ @gos; # strip newlines/cr's.
-+              $prototype =~ s@^ +@@gos; # strip leading spaces
-+              dump_enum($prototype);
-+
-+              $function = "";
-+              %constants = ();
-+              %parameters = ();
-+              %parametertypes = ();
-+              @parameterlist = ();
-+              %sections = ();
-+              @sectionlist = ();
-+              $prototype = "";
-+              $enum = 0;
-+
-+              $state = 0;
-+          }
-+          elsif ($line =~ /([a-zA-Z\s]+)enum(.*)$/) {
-+              $enum = 1;
-+          }
-+
-       }
-     }
- }
diff --git a/patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch b/patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch
deleted file mode 100755 (executable)
index c4efe34..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-#! /bin/sh
-patch -p0 -l -f $* < $0
-exit $?
-
-2014-08-06  Andre Heinecke  <aheinecke@intevation.de>
-
-       * lib/gcrypt/init.c: Use GCRY_THREAD_OPTION_PTHREAD_IMPL macro
-       instead of defining the gcry_thread_cbs structure itself.
-
---- lib/gcrypt/init.c.oirg     2014-08-06 11:52:26.858064946 +0000
-+++ lib/gcrypt/init.c  2014-08-06 12:10:31.121726144 +0000
-@@ -32,16 +32,9 @@
- /* Functions that refer to the initialization of the libgcrypt library.
-  */
-
--static struct gcry_thread_cbs gct = {
--  .option = (GCRY_THREAD_OPTION_PTHREAD | (GCRY_THREAD_OPTION_VERSION << 8)),
--  .init = NULL,
--  .select = NULL,
--  .waitpid = NULL,
--  .accept = NULL,
--  .connect = NULL,
--  .sendmsg = NULL,
--  .recvmsg = NULL,
--};
-+GCRY_THREAD_OPTION_PTHREAD_IMPL;
-+
-+static struct gcry_thread_cbs gct;
-
- int
- gnutls_crypto_init (void)
-@@ -53,11 +46,12 @@
-
-       if (gnutls_mutex_init != NULL)
-         {
-+#if GCRYPT_VERSION_NUMBER < 0x010600
-           gct.mutex_init = gnutls_mutex_init;
-           gct.mutex_destroy = gnutls_mutex_deinit;
-           gct.mutex_lock = gnutls_mutex_lock;
-           gct.mutex_unlock = gnutls_mutex_unlock;
--
-+#endif
-           gcry_control (GCRYCTL_SET_THREAD_CBS, &gct);
-         }