Accepting request 991873 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.7.7: * libgnutls: Fixed double free during verification of pkcs7 signatures. CVE-2022-2509 * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3. * libgnutls: Length limit for TLS PSK usernames has been increased from 128 to 65535 characters * libgnutls: AES-GCM encryption function now limits plaintext length to 2^39-256 bits, according to SP800-38D 5.2.1.1. * libgnutls: New block cipher functions have been added to transparently handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove padding if the length of the original plaintext is not a multiple of the block size. * libgnutls: New function for manual FIPS self-testing. * API and ABI modifications: - gnutls_fips140_run_self_tests: New function - gnutls_cipher_encrypt3: New function - gnutls_cipher_decrypt3: New function - gnutls_cipher_padding_flags_t: New enum * guile: Guile 1.8 is no longer supported * guile: Session record port treats premature termination as EOF Previously, a 'gnutls-error' exception with the 'error/premature-termination' value would be thrown while reading from a session record port when the underlying session was terminated prematurely. This was inconvenient since users of the port may not be prepared to handle such an exception. Reading from the session record port now returns the end-of-file object instead of throwing an exception, just like it would for a proper OBS-URL: https://build.opensuse.org/request/show/991873 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=69
2022-08-01 08:36:39 +00:00 · 2022-08-01 08:36:39 +00:00 · 3796933089
commit 3796933089
parent d9b5f828c5
10 changed files with 88 additions and 56 deletions
--- a/gnutls-3.6.6-set_guile_site_dir.patch
+++ b/gnutls-3.6.6-set_guile_site_dir.patch
@ -1,13 +1,13 @@
-Index: gnutls-3.6.15/configure
+Index: gnutls-3.7.7/configure
 ===================================================================
--- gnutls-3.6.15.orig/configure	2020-09-08 10:24:22.362083215 +0200
-+++ gnutls-3.6.15/configure	2020-09-08 10:24:28.510124171 +0200
-@@ -69365,7 +69365,7 @@ fi
+--- gnutls-3.7.7.orig/configure
+++ gnutls-3.7.7/configure
+@@ -74223,7 +74223,7 @@ fi
 
-   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
- $as_echo_n "checking for Guile site directory... " >&6; }
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
+ printf %s "checking for Guile site directory... " >&6; }
 -  GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION`
 +  GUILE_SITE=/usr/share/guile
-   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
- $as_echo "$GUILE_SITE" >&6; }
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
+ printf "%s\n" "$GUILE_SITE" >&6; }
   if test "$GUILE_SITE" = ""; then
--- a/gnutls-3.7.6.tar.xz
+++ b/gnutls-3.7.6.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff
-size 6338276
--- a/gnutls-3.7.6.tar.xz.sig
+++ b/gnutls-3.7.6.tar.xz.sig
--- a/gnutls-3.7.7.tar.xz
+++ b/gnutls-3.7.7.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be9143d0d58eab64dba9b77114aaafac529b6c0d7e81de6bdf1c9b59027d2106
+size 6351664
--- a/gnutls-3.7.7.tar.xz.sig
+++ b/gnutls-3.7.7.tar.xz.sig
--- a/gnutls-FIPS-PBKDF2-KAT-requirements.patch
+++ b/gnutls-FIPS-PBKDF2-KAT-requirements.patch
@ -1,22 +0,0 @@
-Index: gnutls-3.7.5/lib/crypto-selftests.c
-===================================================================
--- gnutls-3.7.5.orig/lib/crypto-selftests.c
-+++ gnutls-3.7.5/lib/crypto-selftests.c
-@@ -3123,6 +3123,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
- 		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
- 		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
- 	},
-+	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
-+	{
-+		STR(key, key_size, "passwordPASSWORDpassword"),
-+		STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
-+		.iter_count = 4096,
-+		STR(output, output_size,
-+		    "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
-+		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
-+		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
-+	},
- };
- 
- static int test_pbkdf2(gnutls_mac_algorithm_t mac,
-
--- a/gnutls-FIPS-TLS_KDF_selftest.patch
+++ b/gnutls-FIPS-TLS_KDF_selftest.patch
@ -1,9 +1,9 @@
-Index: gnutls-3.6.15/lib/fips.c
+Index: gnutls-3.7.7/lib/fips.c
 ===================================================================
--- gnutls-3.6.15.orig/lib/fips.c	2020-09-03 16:59:05.000000000 +0200
-+++ gnutls-3.6.15/lib/fips.c	2020-11-10 12:51:40.420071675 +0100
-@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo
- 		goto error;
+--- gnutls-3.7.7.orig/lib/fips.c
+++ gnutls-3.7.7/lib/fips.c
+@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 	}
 
 +        /* KDF */
@ -18,14 +18,12 @@ Index: gnutls-3.6.15/lib/fips.c
 +	ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
 +		label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
 +	if (ret < 0) {
-+		gnutls_assert();
-+		goto error;
+		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +	}
 +
 +	ret = memcmp(derived, expected.data, expected.size);
 +	if (ret != 0) {
-+		gnutls_assert();
-+		goto error;
+		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +	}
 +
 	/* PK */
--- a/gnutls-FIPS-disable-failing-tests.patch
+++ b/gnutls-FIPS-disable-failing-tests.patch
@ -1,8 +1,8 @@
-Index: gnutls-3.7.3/guile/Makefile.am
+Index: gnutls-3.7.7/guile/Makefile.am
 ===================================================================
--- gnutls-3.7.3.orig/guile/Makefile.am
-+++ gnutls-3.7.3/guile/Makefile.am
-@@ -102,8 +102,6 @@ endif HAVE_GUILD
+--- gnutls-3.7.7.orig/guile/Makefile.am
+++ gnutls-3.7.7/guile/Makefile.am
+@@ -102,14 +102,11 @@ endif HAVE_GUILD
 #
 
 TESTS =						\
@ -11,11 +11,17 @@ Index: gnutls-3.7.3/guile/Makefile.am
   tests/pkcs-import-export.scm			\
   tests/errors.scm				\
   tests/x509-certificates.scm			\
-Index: gnutls-3.7.3/guile/Makefile.in
+   tests/x509-auth.scm				\
+   tests/reauth.scm				\
+-  tests/premature-termination.scm		\
+   tests/priorities.scm
+ 
+ if ENABLE_SRP
+Index: gnutls-3.7.7/guile/Makefile.in
 ===================================================================
--- gnutls-3.7.3.orig/guile/Makefile.in
-+++ gnutls-3.7.3/guile/Makefile.in
-@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+--- gnutls-3.7.7.orig/guile/Makefile.in
+++ gnutls-3.7.7/guile/Makefile.in
+@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap
 #
 # Tests.
 #
@ -23,5 +29,8 @@ Index: gnutls-3.7.3/guile/Makefile.in
 -	tests/pkcs-import-export.scm tests/errors.scm \
 +TESTS = tests/pkcs-import-export.scm tests/errors.scm \
 	tests/x509-certificates.scm tests/x509-auth.scm \
- 	tests/reauth.scm tests/priorities.scm $(am__append_2)
+-	tests/reauth.scm tests/premature-termination.scm \
+	tests/reauth.scm \
+ 	tests/priorities.scm $(am__append_2)
 TESTS_ENVIRONMENT = \
+   GUILE_AUTO_COMPILE=0				\
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.7:
+  * libgnutls: Fixed double free during verification of pkcs7
+    signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+    less than or equal to 255 times hash digest size, to comply with
+    RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+    from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+    transparently handle padding. gnutls_cipher_encrypt3 and
+    gnutls_cipher_decrypt3 can be used in combination of
+    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+    padding if the length of the original plaintext is not a multiple
+    of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+    - gnutls_fips140_run_self_tests: New function
+    - gnutls_cipher_encrypt3: New function
+    - gnutls_cipher_decrypt3: New function
+    - gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+    a 'gnutls-error' exception with the 'error/premature-termination' value
+    would be thrown while reading from a session record port when the
+    underlying session was terminated prematurely. This was inconvenient
+    since users of the port may not be prepared to handle such an exception.
+    Reading from the session record port now returns the end-of-file object
+    instead of throwing an exception, just like it would for a proper
+    session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+    'session-record-port' procedure now takes an optional second parameter,
+    and a new 'set-session-record-port-close!' procedure is provided to
+    specify a 'close' procedure for a session record port. This 'close'
+    procedure lets users specify cleanup operations for when the port is
+    closed, such as closing the file descriptor or port that backs the
+    underlying session.
+  * Rebase patches:
+    - gnutls-3.6.6-set_guile_site_dir.patch
+    - gnutls-FIPS-TLS_KDF_selftest.patch
+    - gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+    - gnutls-FIPS-PBKDF2-KAT-requirements.patch
+    - https://gitlab.com/gnutls/gnutls/merge_requests/1561
+
 -------------------------------------------------------------------
 Fri May 27 16:56:26 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.6
+Version:        3.7.7
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@ -50,8 +50,6 @@ Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
 Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
 Patch3:         gnutls-FIPS-disable-failing-tests.patch
-#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
-Patch4:         gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@ -91,7 +89,7 @@ BuildRequires:  libunbound-devel
 %endif
 %endif
 %if %{with guile}
-BuildRequires:  guile-devel
+BuildRequires:  guile-devel > 1.8
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
@ -194,7 +192,7 @@ Files needed for software development using gnutls.
 Summary:        Guile wrappers for gnutls
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/Other
-Requires:       guile
+Requires:       guile > 1.8

 %description guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.