From b1e657b45b002cedb1c70c9093d06ffbe333c66a63f31d8986432ed39892497b Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Fri, 18 Mar 2022 20:01:46 +0000 Subject: [PATCH 1/2] Accepting request 962891 from home:pmonrealgonzalez:branches:security:tls - Update to 3.7.4: * libgnutls: Added support for certificate compression as defined in RFC8879. * certtool: Added option --compress-cert that allows user to specify compression methods for certificate compression. * libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure option to enforce stricter certificate sanity checks that are compliant with RFC5280. * libgnutls: Removed IA5String type from DirectoryString within issuer and subject name to make DirectoryString RFC5280 compliant. * libgnutls: Added function to retrieve the name of current ciphersuite from session. * Bump libgnutlsxx soname due to ABI break * API and ABI modifications: - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member - gnutls_compress_certificate_get_selected_method: Added - gnutls_compress_certificate_set_methods: Added * Update gnutls.keyring OBS-URL: https://build.opensuse.org/request/show/962891 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=60 --- gnutls-3.7.3.tar.xz | 3 --- gnutls-3.7.3.tar.xz.sig | Bin 566 -> 0 bytes gnutls-3.7.4.tar.xz | 3 +++ gnutls-3.7.4.tar.xz.sig | Bin 0 -> 685 bytes gnutls.changes | 23 +++++++++++++++++++++++ gnutls.keyring | 14 ++++++++++++++ gnutls.spec | 6 ++---- 7 files changed, 42 insertions(+), 7 deletions(-) delete mode 100644 gnutls-3.7.3.tar.xz delete mode 100644 gnutls-3.7.3.tar.xz.sig create mode 100644 gnutls-3.7.4.tar.xz create mode 100644 gnutls-3.7.4.tar.xz.sig diff --git a/gnutls-3.7.3.tar.xz b/gnutls-3.7.3.tar.xz deleted file mode 100644 index f61b132..0000000 --- a/gnutls-3.7.3.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a -size 6119292 diff --git a/gnutls-3.7.3.tar.xz.sig b/gnutls-3.7.3.tar.xz.sig deleted file mode 100644 index 3c4ea1bc82152b255d538c1f2aaca76a53bf67646ec56a4b903a284ed804009c..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%7KBq5ujB5Y`2R zj@RaxaSE~z{yP2vaX~Ts@YeYGm8s~jQ3MG(BmbYJVd`vI6^@xZ4fvE9k9%=k#*AmP4V{ z*58_`(-T7C*q59OI(ltVv$@1cew<^O8LA{rIs%?cw-exO)tMxP=rUdSr7oJ4(-HH} zY(^s|TU40x0u3|Ei(NA0Iw&rJe)Rx_qC<>!ZG9!VM5=+*N3%!}G`?xh49J0%sIiX1 zcenm8q3#**ocPw+bGv%B7_{AO+BvLYy};cvF&}6ewsa5o3(Jrr`y_QlL{;!lMw!KD zIjQ+$i)@JjD>@NrSFB>wna!gmh)rzb1O%&U_QhJK;IvWXyKzSC=)>LOi)K=8aQLLc+~sy4$WtrhapJo4T(K0RXwd%q}q}Ybf;b z%vd1>kQOV+LR^s~^WXqaLUuumtqh3*GXwwu2ml=xAp}MuCBw9DG>4zaNo>{ygpSwd zm~jOHVlz7C0162Z)&+!)*XEdUbkz_26y8?IDiWQ~yL{S3<@MyX0J#&?!B!Hmkuqjr zVjSXJp&OyeF&uRa*1-ZjIZQ|HW5c4yp=uLm>WYU-Ib4Irr?CgoL7fZ1l$y6 z!bx4F4Jylhe5XS-;?wZ38V=L4I0Z)%$ zmHdQpnRXGHNa_UoPKj_Kdd5(Pc!UPKU8^0qG>GF{yJD%H&W;gP{`zG7$PG;qSKAr; Ty-KhOFJ<0WcXPu(BNiKNz}7%A literal 0 HcmV?d00001 diff --git a/gnutls.changes b/gnutls.changes index eaf571a..568e233 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Fri Mar 18 08:59:49 UTC 2022 - Pedro Monreal + +- Update to 3.7.4: + * libgnutls: Added support for certificate compression as defined + in RFC8879. + * certtool: Added option --compress-cert that allows user to + specify compression methods for certificate compression. + * libgnutls: GnuTLS can now be compiled with --enable-strict-x509 + configure option to enforce stricter certificate sanity checks + that are compliant with RFC5280. + * libgnutls: Removed IA5String type from DirectoryString within + issuer and subject name to make DirectoryString RFC5280 compliant. + * libgnutls: Added function to retrieve the name of current + ciphersuite from session. + * Bump libgnutlsxx soname due to ABI break + * API and ABI modifications: + - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member + - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member + - gnutls_compress_certificate_get_selected_method: Added + - gnutls_compress_certificate_set_methods: Added + * Update gnutls.keyring + ------------------------------------------------------------------- Sun Feb 27 07:52:30 UTC 2022 - Dirk Müller diff --git a/gnutls.keyring b/gnutls.keyring index d2a618a..7e498f6 100644 --- a/gnutls.keyring +++ b/gnutls.keyring 
@@ -1684,3 +1684,17 @@ EIO6onUt+miSB15Qg7DF7/rvFPnDIZYr3t+MkaPlmjpXEUV/psdnytVWFcGxHdY0 NA+R/e4eeyThgRet5M+0+9Duynj/ACpfWq/dxXbWRfY= =Q7yu -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEYcRaoxYJKwYBBAHaRw8BAQdA5U8Cb4ZMYCjuAa6tqNKbRxXzycS2iLvNzWki +bGD2fe60JVpvbHRhbiBGcmlkcmljaCA8emZyaWRyaWNAcmVkaGF0LmNvbT6ImgQT +FgoAQhYhBF1Gyw92NAWnBTVW9Hp1pkiz+SIMBQJhxFqjAhsDBQkDwmcABQsJCAcC +AyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRB6daZIs/kiDGnYAQCiU94/eIspZzzx +V17pylayAEv23s5uKvlGo1Ml1ySrZAEA8Q2rACBmdTpUfoW3LG3MJI0l1XP3kMEu +WDBiM84D2gK4OARhxFqjEgorBgEEAZdVAQUBAQdAxKg6y4A69qT7doTni8/zKuKy +QKXEORZTCNxkcnz3dXoDAQgHiH4EGBYKACYWIQRdRssPdjQFpwU1VvR6daZIs/ki +DAUCYcRaowIbDAUJA8JnAAAKCRB6daZIs/kiDM/EAP0VN87WwaMcNwZcyocG/B9f +419IojEx70PzMIBBlPctAgD/R/qamAlnggADzmS1PCF8+2W6Erc+HV2W/u2+wVJu +7w0= +=6FAm +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gnutls.spec b/gnutls.spec index 52ecc6b..72f535a 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -17,7 +17,7 @@ %define gnutls_sover 30 -%define gnutlsxx_sover 28 +%define gnutlsxx_sover 30 %define gnutls_dane_sover 0 # unbound isn't in SLE (bsc#1086428) %if 0%{?is_opensuse} @@ -34,7 +34,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.3 +Version: 3.7.4 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -250,8 +250,6 @@ export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover} # install docs mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/ cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/ -mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference -cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/ mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/ From 2ab102c19b6ec6638aa1fe1d5c00e8ecb3a6222323c46d1e31006a128800c52f Mon Sep 17 00:00:00 2001 
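Review bot: The key block appended to gnutls.keyring widens the set of keys whose signature on the source tarball this package will accept, yet neither this hunk nor the gnutls.changes entry (`* Update gnutls.keyring`) records whose key it is or its fingerprint. The user ID packet in the block appears to decode to Zoltan Fridrich; that should be confirmed against the fingerprint upstream publishes for its release signers rather than taken from the armored data itself. I would change the changelog line to something like `* Update gnutls.keyring: add release key of <SIGNER>, fingerprint <FINGERPRINT>, obtained from <SOURCE>` so the trust decision can be audited later.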
From: Pedro Monreal Gonzalez Date: Thu, 24 Mar 2022 12:48:13 +0000 Subject: [PATCH 2/2] Accepting request 964661 from home:pmonrealgonzalez:branches:security:tls - FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669] * The IG 10.3.A and SP800-132 require some minimum parameters for the salt length, password length and iteration count. These parameters should be also used in the KAT. * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch - Enable to run the regression tests also in FIPS mode. * Add gnutls-FIPS-disable-failing-tests.patch OBS-URL: https://build.opensuse.org/request/show/964661 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=61 --- gnutls-FIPS-PBKDF2-KAT-requirements.patch | 21 ++++++++++++++++++ gnutls-FIPS-disable-failing-tests.patch | 27 +++++++++++++++++++++++ gnutls.changes | 11 +++++++++ gnutls.spec | 9 +++++++- 4 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 gnutls-FIPS-PBKDF2-KAT-requirements.patch create mode 100644 gnutls-FIPS-disable-failing-tests.patch diff --git a/gnutls-FIPS-PBKDF2-KAT-requirements.patch b/gnutls-FIPS-PBKDF2-KAT-requirements.patch new file mode 100644 index 0000000..21f767e --- /dev/null +++ b/gnutls-FIPS-PBKDF2-KAT-requirements.patch 
@@ -0,0 +1,21 @@
+Index: gnutls-3.7.3/lib/crypto-selftests.c
+===================================================================
+--- gnutls-3.7.3.orig/lib/crypto-selftests.c
++++ gnutls-3.7.3/lib/crypto-selftests.c
+@@ -3112,6 +3112,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
+ "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
+ "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+ },
++ /* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
++ {
++ STR(key, key_size, "passwordPASSWORDpassword"),
++ STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
++ .iter_count = 4096,
++ STR(output, output_size,
++ "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
++ "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
++ "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
++ },
+ };
+
+ static int test_pbkdf2(gnutls_mac_algorithm_t mac,
diff --git a/gnutls-FIPS-disable-failing-tests.patch b/gnutls-FIPS-disable-failing-tests.patch
new file mode 100644
index 0000000..405813a
--- /dev/null
+++ b/gnutls-FIPS-disable-failing-tests.patch
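Review bot: The comment on the added vector records where the bytes were copied from but not why the entry exists, and the URL points at a moving `master` branch. The hunk only appends to the table; the earlier vectors and test_pbkdf2 lie outside it, so whether the FIPS self-test still runs entries below the SP800-132 / IG 10.3.A minimums cannot be told from here and is worth checking. I would extend the comment to `/* FIPS KAT vector meeting the SP800-132 and IG 10.3.A minimums for password length, salt length and iteration count (bsc#1184669); taken from libgcrypt cipher/kdf.c */`. The patch is also indexed against gnutls-3.7.3 although the package is now 3.7.4, and it carries no header describing its purpose or upstream status.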
@@ -0,0 +1,27 @@ +Index: gnutls-3.7.3/guile/Makefile.am +=================================================================== +--- gnutls-3.7.3.orig/guile/Makefile.am ++++ gnutls-3.7.3/guile/Makefile.am +@@ -102,8 +102,6 @@ endif HAVE_GUILD + # + + TESTS = \ +- tests/anonymous-auth.scm \ +- tests/session-record-port.scm \ + tests/pkcs-import-export.scm \ + tests/errors.scm \ + tests/x509-certificates.scm \ +Index: gnutls-3.7.3/guile/Makefile.in +=================================================================== +--- gnutls-3.7.3.orig/guile/Makefile.in ++++ gnutls-3.7.3/guile/Makefile.in +@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap + # + # Tests. + # +-TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \ +- tests/pkcs-import-export.scm tests/errors.scm \ ++TESTS = tests/pkcs-import-export.scm tests/errors.scm \ + tests/x509-certificates.scm tests/x509-auth.scm \ + tests/reauth.scm tests/priorities.scm $(am__append_2) + TESTS_ENVIRONMENT = \ diff --git a/gnutls.changes b/gnutls.changes index 568e233..f4748a0 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Mar 18 18:31:06 UTC 2022 - Pedro Monreal + +- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669] + * The IG 10.3.A and SP800-132 require some minimum parameters for + the salt length, password length and iteration count. These + parameters should be also used in the KAT. + * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch +- Enable to run the regression tests also in FIPS mode. + ------------------------------------------------------------------- Fri Mar 18 08:59:49 UTC 2022 - Pedro Monreal 
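Review bot: Dropping `tests/anonymous-auth.scm` and `tests/session-record-port.scm` from TESTS removes them from every `make check`, not only from the FIPS-mode pass, so the ordinary build loses that coverage as well. If they fail only under `GNUTLS_FORCE_FIPS_MODE=1`, it would be better to exclude them just for that run, for example by marking them as expected failures on the FIPS invocation in gnutls.spec, after checking how Automake's `XFAIL_TESTS` behaves with this recursive test suite. The patch also edits the generated `guile/Makefile.in` alongside `Makefile.am`, which will drift if the build system is regenerated, and it has no header saying why these two tests cannot pass in FIPS mode. A leading line such as `# Guile tests that cannot pass in FIPS mode: <REASON>` would document that.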
@@ -115,6 +125,7 @@ Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal - FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] + * Add gnutls-FIPS-disable-failing-tests.patch * Remove patches: - gnutls-temporarily_disable_broken_guile_reauth_test.patch - disable-psk-file-test.patch diff --git a/gnutls.spec b/gnutls.spec index 72f535a..a7975d2 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -47,6 +47,9 @@ Source3: baselibs.conf Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch Patch2: gnutls-FIPS-TLS_KDF_selftest.patch +Patch3: gnutls-FIPS-disable-failing-tests.patch +#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT +Patch4: gnutls-FIPS-PBKDF2-KAT-requirements.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -263,11 +266,15 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -# export GNUTLS_FORCE_FIPS_MODE=1 make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } +#Run the regression tests also in FIPS mode +GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { + find -name test-suite.log -print -exec cat {} + + exit 1 +} %endif %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
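Review bot: `Patch3` is added without the tag comment that `Patch4` gets on the line above it, so the spec does not say what gnutls-FIPS-disable-failing-tests.patch is for or which bug it tracks. Since that patch turns tests off, a line such as `#PATCH-FIX-SUSE bsc#1194468 FIPS: Disable guile tests failing in FIPS mode` above `Patch3` would make the reduction in coverage visible to whoever next touches the spec. The bug number is my reading of the changelog entry this commit edits and should be confirmed.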
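Review bot: The second `make check` relies on `GNUTLS_FORCE_FIPS_MODE=1` actually switching the library into FIPS mode, and nothing in this hunk verifies that. The configure options are outside the hunk; if the library was built without FIPS 140 support, the variable would presumably be ignored and the run would silently repeat the non-FIPS tests. A comment stating that dependency, e.g. `# requires a build configured with FIPS140 support, otherwise this repeats the normal run`, would help, as would a message in the failure branch such as `echo "make check failed in FIPS mode"` so the build log shows which pass broke. The two invocations also order their arguments differently (`make %{?_smp_mflags} check` versus `make check %{?_smp_mflags}`), which is harmless but makes the pair harder to compare.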