From 3ecf24776c525dcbbbfa7376c3fa146771de218ed294e191e8abaedbea3a3050 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 19 Jan 2022 11:47:02 +0000 Subject: [PATCH] Accepting request 947389 from home:pmonrealgonzalez:branches:security:tls - Update to 3.7.3: [bsc#1190698, bsc#1190796] * libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172). * The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation (#773, #774). This change also removes run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive, while previously they were treated in a case insensitive manner: for example --RSA is no longer a valid option of certtool. The existing scripts using GnuTLS tools may need adjustment for this change. * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t (#594). The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools. * libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with --enable-ktls configuration option (#1113). If the KTLS initialization fails it automatically falls back to the user space implementation. * certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension (#232). New API functions are also provided to access and manipulate the extension values. OBS-URL: https://build.opensuse.org/request/show/947389 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=57 --- gnutls-3.7.2.tar.xz | 3 - gnutls-3.7.2.tar.xz.sig | Bin 566 -> 0 bytes gnutls-3.7.3.tar.xz | 3 + gnutls-3.7.3.tar.xz.sig | Bin 0 -> 566 bytes ...ily_disable_broken_guile_reauth_test.patch | 13 -- gnutls.changes | 134 ++++++++++++++++++ gnutls.spec | 33 +++-- 7 files changed, 159 insertions(+), 27 deletions(-) delete mode 100644 gnutls-3.7.2.tar.xz delete mode 100644 gnutls-3.7.2.tar.xz.sig create mode 100644 gnutls-3.7.3.tar.xz create mode 100644 gnutls-3.7.3.tar.xz.sig delete mode 100644 gnutls-temporarily_disable_broken_guile_reauth_test.patch diff --git a/gnutls-3.7.2.tar.xz b/gnutls-3.7.2.tar.xz deleted file mode 100644 index 9d64f36..0000000 --- a/gnutls-3.7.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752 -size 6091508 diff --git a/gnutls-3.7.2.tar.xz.sig b/gnutls-3.7.2.tar.xz.sig deleted file mode 100644 index b824c33ca90bc5227d7ac2baada366f60423bdf58feeb373f7c69b922f4db8d2..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0${QKqW}sC5Y`2R zj@RaxadRIK0FB*6&5Rp)tlSX`q2s+^I@4wgW!J@rNTG3!pm5Yqk&ON)bQ7Nm53Qt& z71D~Uy_&s|O#CR%ZD>3^{SoDdVs4UI$YVW&G;B9e-=2mWZ&9{Pn6Yt!oUa)Iz(J!R zzPe|cjqFrL({PUI!blr3E~Kc-p1gAE9I5w^(FU*Vp{V4}U2r>03!AWd;a#H#3m zP;hE|i{9Y==>#WSci)!2Tlf$=Jg&FoKI@CQ_38g7GSEw z6h;fy3i?h^mm=@j44V@Q`Fr`4lYVZn5rs)F`QWr&)2W)y{lKfEblG;UP%)C9+^%ba zFm_2!af@$oCaQM*n0I2j1Y++jy#dsUN6B3UuXVm|L{rar_^t!bRIr$SclUfcBkvqv z1gp}$SIEYBNpj+NeGh8Uwu-L`b5BeZD$7cn2COAA0v&y_KYR^gXeRX=)-S1JK{sXw z{s<8u6;Z>3k?Z6@-`ddv0ajKG_^1s^0RE%=#b~*i)~}zj4&o9Gjp}2B(Xdh0|EhyR E5A-Szz5oCK diff --git a/gnutls-3.7.3.tar.xz b/gnutls-3.7.3.tar.xz new file mode 100644 index 0000000..f61b132 --- /dev/null +++ b/gnutls-3.7.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a +size 6119292 diff --git a/gnutls-3.7.3.tar.xz.sig b/gnutls-3.7.3.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..3c4ea1bc82152b255d538c1f2aaca76a53bf67646ec56a4b903a284ed804009c GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%7KBq5ujB5Y`2R zj@RaxaSE~z{yP2vaX~Ts@YeYGm8s~jQ3MG(BmbYJVd`vI6^@xZ4fvE9k9%=k#*AmP4V{ z*58_`(-T7C*q59OI(ltVv$@1cew<^O8LA{rIs%?cw-exO)tMxP=rUdSr7oJ4(-HH} zY(^s|TU40x0u3|Ei(NA0Iw&rJe)Rx_qC<>!ZG9!VM5=+*N3%!}G`?xh49J0%sIiX1 zcenm8q3#**ocPw+bGv%B7_{AO+BvLYy};cvF&}6ewsa5o3(Jrr`y_QlL{;!lMw!KD zIjQ+$i)@JjD>@NrSFB>wna!gmh)rzb1O%&U_QhJK;IvWXyKzSC=)>LOi)K=8aQLLc + +- Update to 3.7.3: [bsc#1190698, bsc#1190796] + * libgnutls: The allowlisting configuration mode has been added + to the system-wide settings. In this mode, all the algorithms + are initially marked as insecure or disabled, while the + applications can re-enable them either through the [overrides] + section of the configuration file or the new API (#1172). + * The build infrastructure no longer depends on GNU AutoGen for + generating command-line option handling, template file parsing + in certtool, and documentation generation (#773, #774). This + change also removes run-time or bundled dependency on the + libopts library, and requires Python 3.6 or later to regenerate + the distribution tarball. Note that this brings in known backward + incompatibility in command-line tools, such as long options are + now case sensitive, while previously they were treated in a case + insensitive manner: for example --RSA is no longer a valid option + of certtool. The existing scripts using GnuTLS tools may need + adjustment for this change. + * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded + and used as a gnutls_privkey_t (#594). The code was originally written + for the OpenConnect VPN project by David Woodhouse. To generate such + blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: + https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations + or the tpm2_encodeobject tool from unreleased tpm2-tools. + * libgnutls: The library now transparently enables Linux KTLS (kernel + TLS) when the feature is compiled in with --enable-ktls configuration + option (#1113). If the KTLS initialization fails it automatically falls + back to the user space implementation. + * certtool: The certtool command can now read the Certificate Transparency + (RFC 6962) SCT extension (#232). New API functions are also provided to + access and manipulate the extension values. + * certtool: The certtool command can now generate, manipulate, and evaluate + x25519 and x448 public keys, private keys, and certificates. + * libgnutls: Disabling a hashing algorithm through "insecure-hash" + configuration directive now also disables TLS ciphersuites that use it + as a PRF algorithm. + * libgnutls: PKCS#12 files are now created with modern algorithms by default + (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and + HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with + PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the + default PBKDF2 iteration count has been increased to 600000. + * libgnutls: PKCS#12 keys derived using GOST algorithm now uses + HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, + to conform with the latest TC-26 requirements (#1225). + * libgnutls: The library now provides a means to report the status + of approved cryptographic operations (!1465). To adhere to the + FIPS140-3 IG 2.4.C., this complements the existing mechanism to + prohibit the use of unapproved algorithms by making the library + unusable state. + * gnutls-cli: The gnutls-cli command now provides a --list-config + option to print the library configuration (!1508). + * libgnutls: Fixed possible race condition in + gnutls_x509_trust_list_verify_crt2 when a single trust list object + is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, + CVSS: low] + * API and ABI modifications: + GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_privkey_flags_t + GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_certificate_verify_flags + gnutls_ecc_curve_set_enabled: Added. + gnutls_sign_set_secure: Added. + gnutls_sign_set_secure_for_certs: Added. + gnutls_digest_set_secure: Added. + gnutls_protocol_set_enabled: Added. + gnutls_fips140_context_init: New function + gnutls_fips140_context_deinit: New function + gnutls_fips140_push_context: New function + gnutls_fips140_pop_context: New function + gnutls_fips140_get_operation_state: New function + gnutls_fips140_operation_state_t: New enum + gnutls_transport_is_ktls_enabled: New function + gnutls_get_library_configuration: New function + * Remove patches fixed in the update: + - gnutls-FIPS-module-version.patch + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + - gnutls-FIPS-RSA-mod-sizes.patch + +------------------------------------------------------------------- +Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal + +- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] + * Remove patches: + - gnutls-temporarily_disable_broken_guile_reauth_test.patch + - disable-psk-file-test.patch + +------------------------------------------------------------------- +Mon Jan 17 12:37:02 UTC 2022 - Pedro Monreal + +- FIPS: Provide module identifier and version [bsc#1190796] + * Add configurable options to output the module name/identifier + (--with-fips140-module-name) and the module version + (--with-fips140-module-version). + * Add the CLI option list-config that reports the configuration + of the library. + * Add gnutls-FIPS-module-version.patch + +------------------------------------------------------------------- +Wed Dec 22 18:56:24 UTC 2021 - Pedro Monreal + +- FIPS: Provide a service-level indicator [bsc#1190698] + * Add support for a "service indicator" as required in + the FIPS140-3 Implementation Guidance in section 2.4.C + * Add patches: + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + +------------------------------------------------------------------- +Thu Dec 16 12:35:46 UTC 2021 - Pedro Monreal + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008] + * fips: allow more RSA modulus sizes + * Add gnutls-FIPS-RSA-mod-sizes.patch + * Delete gnutls-3.6.7-fips-rsa-4096.patch + ------------------------------------------------------------------- Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger @@ -6,6 +128,18 @@ Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger leading project (and the condition causes issues as Tumbleweed needs to move away from 1550 due to CODE 15 SP5 plans). +------------------------------------------------------------------- +Fri Oct 15 11:03:53 UTC 2021 - Pedro Monreal + +- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] +- Add DANE guards + +------------------------------------------------------------------- +Wed Jul 21 10:21:46 UTC 2021 - Pedro Monreal + +- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch + since its already working. + ------------------------------------------------------------------- Tue Jun 1 01:00:34 UTC 2021 - Ferdinand Thiessen diff --git a/gnutls.spec b/gnutls.spec index 05e02ed..7d71f2f 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,7 +34,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.2 +Version: 3.7.3 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -46,8 +46,7 @@ Source2: gnutls.keyring Source3: baselibs.conf Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch -Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch -Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +Patch2: gnutls-FIPS-TLS_KDF_selftest.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -89,7 +88,8 @@ BuildRequires: libunbound-devel %if %{with guile} BuildRequires: guile-devel %endif -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +BuildRequires: crypto-policies Requires: crypto-policies %endif @@ -100,13 +100,13 @@ of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -# install libopenssl and libopenssl-hmac close together (bsc#1090765) License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +# install libgnutls and libgnutls-hmac close together (bsc#1090765) +Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif -Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport @@ -122,6 +122,7 @@ Requires: libgnutls%{gnutls_sover} = %{version}-%{release} %description -n libgnutls%{gnutls_sover}-hmac FIPS SHA256 checksums of the libgnutls library. +%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -131,12 +132,13 @@ Group: System/Libraries The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. +%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif @@ -149,7 +151,7 @@ of the IETF's TLS working group. Summary: Development package for the GnuTLS C API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif Requires: glibc-devel @@ -161,6 +163,7 @@ Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. +%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -169,6 +172,7 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. +%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API @@ -222,8 +226,15 @@ export CXXFLAGS="%{optflags} -fPIE" --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \ %else --disable-libdane \ +%endif +%if %{with guile} + --enable-guile \ +%else + --disable-guile \ %endif --enable-fips140-mode \ + --with-fips140-module-name="GnuTLS version" \ + --with-fips140-module-version="%{version}-%{release}" \ %{nil} make %{?_smp_mflags} @@ -255,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -#make %%{?_smp_mflags} check || { +# export GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1