Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.7.3: [bsc#1190698, bsc#1190796] * libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172). * The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation (#773, #774). This change also removes run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive, while previously they were treated in a case insensitive manner: for example --RSA is no longer a valid option of certtool. The existing scripts using GnuTLS tools may need adjustment for this change. * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t (#594). The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools. * libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with --enable-ktls configuration option (#1113). If the KTLS initialization fails it automatically falls back to the user space implementation. * certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension (#232). New API functions are also provided to access and manipulate the extension values. OBS-URL: https://build.opensuse.org/request/show/947389 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57
2022-01-19 11:47:02 +00:00 · 2022-01-19 11:47:02 +00:00 · 3ecf24776c
commit 3ecf24776c
parent 56fc836017
7 changed files with 159 additions and 27 deletions
--- a/gnutls-3.7.2.tar.xz
+++ b/gnutls-3.7.2.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752
-size 6091508
--- a/gnutls-3.7.2.tar.xz.sig
+++ b/gnutls-3.7.2.tar.xz.sig
--- a/gnutls-3.7.3.tar.xz
+++ b/gnutls-3.7.3.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a
+size 6119292
--- a/gnutls-3.7.3.tar.xz.sig
+++ b/gnutls-3.7.3.tar.xz.sig
--- a/gnutls-temporarily_disable_broken_guile_reauth_test.patch
+++ b/gnutls-temporarily_disable_broken_guile_reauth_test.patch
@ -1,13 +0,0 @@
-Index: gnutls-3.6.15/guile/Makefile.in
-===================================================================
--- gnutls-3.6.15.orig/guile/Makefile.in	2020-09-08 10:24:09.581998087 +0200
-+++ gnutls-3.6.15/guile/Makefile.in	2020-09-08 10:24:30.046134403 +0200
-@@ -1857,7 +1857,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
- TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
- 	tests/pkcs-import-export.scm tests/errors.scm \
- 	tests/x509-certificates.scm tests/x509-auth.scm \
-	tests/reauth.scm tests/priorities.scm $(am__append_2)
-+	tests/priorities.scm $(am__append_2)
- TESTS_ENVIRONMENT = \
-   GUILE_AUTO_COMPILE=0				\
-   GUILE_WARN_DEPRECATED=detailed
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,125 @@
+-------------------------------------------------------------------
+Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.3: [bsc#1190698, bsc#1190796]
+  * libgnutls: The allowlisting configuration mode has been added
+    to the system-wide settings. In this mode, all the algorithms
+    are initially marked as insecure or disabled, while the
+    applications can re-enable them either through the [overrides]
+    section of the configuration file or the new API (#1172).
+  * The build infrastructure no longer depends on GNU AutoGen for
+    generating command-line option handling, template file parsing
+    in certtool, and documentation generation (#773, #774). This
+    change also removes run-time or bundled dependency on the
+    libopts library, and requires Python 3.6 or later to regenerate
+    the distribution tarball. Note that this brings in known backward
+    incompatibility in command-line tools, such as long options are
+    now case sensitive, while previously they were treated in a case
+    insensitive manner: for example --RSA is no longer a valid option
+    of certtool. The existing scripts using GnuTLS tools may need
+    adjustment for this change.
+  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
+    and used as a gnutls_privkey_t (#594). The code was originally written
+    for the OpenConnect VPN project by David Woodhouse. To generate such
+    blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
+    https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
+    or the tpm2_encodeobject tool from unreleased tpm2-tools.
+  * libgnutls: The library now transparently enables Linux KTLS (kernel
+    TLS) when the feature is compiled in with --enable-ktls configuration
+    option (#1113). If the KTLS initialization fails it automatically falls
+    back to the user space implementation.
+  * certtool: The certtool command can now read the Certificate Transparency
+    (RFC 6962) SCT extension (#232).  New API functions are also provided to
+    access and manipulate the extension values.
+  * certtool: The certtool command can now generate, manipulate, and evaluate
+    x25519 and x448 public keys, private keys, and certificates.
+  * libgnutls: Disabling a hashing algorithm through "insecure-hash"
+    configuration directive now also disables TLS ciphersuites that use it
+    as a PRF algorithm.
+  * libgnutls: PKCS#12 files are now created with modern algorithms by default
+    (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
+    HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
+    PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
+    default PBKDF2 iteration count has been increased to 600000.
+  * libgnutls: PKCS#12 keys derived using GOST algorithm now uses
+    HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity,
+    to conform with the latest TC-26 requirements (#1225).
+  * libgnutls: The library now provides a means to report the status
+    of approved cryptographic operations (!1465). To adhere to the
+    FIPS140-3 IG 2.4.C., this complements the existing mechanism to
+    prohibit the use of unapproved algorithms by making the library
+    unusable state.
+  * gnutls-cli: The gnutls-cli command now provides a --list-config
+    option to print the library configuration (!1508).
+  * libgnutls: Fixed possible race condition in
+    gnutls_x509_trust_list_verify_crt2 when a single trust list object
+    is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17,
+    CVSS: low]
+  * API and ABI modifications:
+    GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+      gnutls_privkey_flags_t
+    GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+      gnutls_certificate_verify_flags
+    gnutls_ecc_curve_set_enabled: Added.
+    gnutls_sign_set_secure: Added.
+    gnutls_sign_set_secure_for_certs: Added.
+    gnutls_digest_set_secure: Added.
+    gnutls_protocol_set_enabled: Added.
+    gnutls_fips140_context_init: New function
+    gnutls_fips140_context_deinit: New function
+    gnutls_fips140_push_context: New function
+    gnutls_fips140_pop_context: New function
+    gnutls_fips140_get_operation_state: New function
+    gnutls_fips140_operation_state_t: New enum
+    gnutls_transport_is_ktls_enabled: New function
+    gnutls_get_library_configuration: New function
+  * Remove patches fixed in the update:
+    - gnutls-FIPS-module-version.patch
+    - gnutls-FIPS-service-indicator.patch
+    - gnutls-FIPS-service-indicator-public-key.patch
+    - gnutls-FIPS-service-indicator-symmetric-key.patch
+    - gnutls-FIPS-RSA-PSS-flags.patch
+    - gnutls-FIPS-RSA-mod-sizes.patch
+
+-------------------------------------------------------------------
+Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
+  * Remove patches:
+    - gnutls-temporarily_disable_broken_guile_reauth_test.patch
+    - disable-psk-file-test.patch
+
+-------------------------------------------------------------------
+Mon Jan 17 12:37:02 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Provide module identifier and version [bsc#1190796]
+  * Add configurable options to output the module name/identifier
+    (--with-fips140-module-name) and the module version
+    (--with-fips140-module-version).
+  * Add the CLI option list-config that reports the configuration
+    of the library.
+  * Add gnutls-FIPS-module-version.patch
+
+-------------------------------------------------------------------
+Wed Dec 22 18:56:24 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Provide a service-level indicator [bsc#1190698]
+  * Add support for a "service indicator" as required in
+    the FIPS140-3 Implementation Guidance in section 2.4.C
+  * Add patches:
+    - gnutls-FIPS-service-indicator.patch
+    - gnutls-FIPS-service-indicator-public-key.patch
+    - gnutls-FIPS-service-indicator-symmetric-key.patch
+    - gnutls-FIPS-RSA-PSS-flags.patch
+
+-------------------------------------------------------------------
+Thu Dec 16 12:35:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
+  * fips: allow more RSA modulus sizes
+  * Add gnutls-FIPS-RSA-mod-sizes.patch
+  * Delete gnutls-3.6.7-fips-rsa-4096.patch
+
 -------------------------------------------------------------------
 Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

@ -6,6 +128,18 @@ Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
  leading project (and the condition causes issues as Tumbleweed
  needs to move away from 1550 due to CODE 15 SP5 plans).

+-------------------------------------------------------------------
+Fri Oct 15 11:03:53 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]
+- Add DANE guards
+
+-------------------------------------------------------------------
+Wed Jul 21 10:21:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch
+  since its already working.
+
 -------------------------------------------------------------------
 Tue Jun  1 01:00:34 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -34,7 +34,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.2
+Version:        3.7.3
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@ -46,8 +46,7 @@ Source2:        gnutls.keyring
 Source3:        baselibs.conf
 Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
-Patch2:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
-Patch3:         gnutls-FIPS-TLS_KDF_selftest.patch
+Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@ -89,7 +88,8 @@ BuildRequires:  libunbound-devel
 %if %{with guile}
 BuildRequires:  guile-devel
 %endif
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires:  crypto-policies
 Requires:       crypto-policies
 %endif

@ -100,13 +100,13 @@ of the IETF's TLS working group.

 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
-# install libopenssl and libopenssl-hmac close together (bsc#1090765)
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-%if 0%{?suse_version} && ! 0%{?sle_version}
+# install libgnutls and libgnutls-hmac close together (bsc#1090765)
+Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
-Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}

 %description -n libgnutls%{gnutls_sover}
 The GnuTLS library provides a secure layer over a reliable transport
@ -122,6 +122,7 @@ Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}
 %description -n libgnutls%{gnutls_sover}-hmac
 FIPS SHA256 checksums of the libgnutls library.

+%if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
@ -131,12 +132,13 @@ Group:          System/Libraries
 The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer.
 This package contains the "DANE" part of gnutls.
+%endif

 %package -n libgnutlsxx%{gnutlsxx_sover}
 Summary:        C++ API for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif

@ -149,7 +151,7 @@ of the IETF's TLS working group.
 Summary:        Development package for the GnuTLS C API
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
 Requires:       glibc-devel
@ -161,6 +163,7 @@ Provides:       gnutls-devel = %{version}-%{release}
 %description -n libgnutls-devel
 Files needed for software development using gnutls.

+%if %{with dane}
 %package -n libgnutls-dane-devel
 Summary:        Development package for GnuTLS DANE component
 License:        LGPL-2.1-or-later
@ -169,6 +172,7 @@ Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}

 %description -n libgnutls-dane-devel
 Files needed for software development using gnutls.
+%endif

 %package -n libgnutlsxx-devel
 Summary:        Development package for the GnuTLS C++ API
@ -222,8 +226,15 @@ export CXXFLAGS="%{optflags} -fPIE"
        --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
 %else
        --disable-libdane \
+%endif
+%if %{with guile}
+        --enable-guile \
+%else
+        --disable-guile \
 %endif
        --enable-fips140-mode \
+        --with-fips140-module-name="GnuTLS version" \
+        --with-fips140-module-version="%{version}-%{release}" \
        %{nil}

 make %{?_smp_mflags}
@ -255,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls

 %check
 %if ! 0%{?qemu_user_space_build}
-#make %%{?_smp_mflags} check || {
+# export GNUTLS_FORCE_FIPS_MODE=1
 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
    find -name test-suite.log -print -exec cat {} +
    exit 1