pool/gnutls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1165545 from security:tls

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1165545
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=155
This commit is contained in:
Ana Guerrero 2024-04-08 15:37:29 +00:00 committed by Git OBS Bridge
commit 5f0bfcd373
8 changed files with 234 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.8.4.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b
size 6487520

BIN
gnutls-3.8.4.tar.xz.sig
View File

Binary file not shown.

3
gnutls-3.8.5.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:66269a2cfe0e1c2dabec87bdbbd8ab656f396edd9a40dd006978e003cfa52bfc
size 6491504

BIN
gnutls-3.8.5.tar.xz.sig Normal file
View File

Binary file not shown.

365
gnutls-FIPS-140-3-references.patch
View File

@ -1,7 +1,7 @@
Index: gnutls-3.8.4/configure.ac
Index: gnutls-3.8.5/configure.ac
===================================================================
--- gnutls-3.8.4.orig/configure.ac
+++ gnutls-3.8.4/configure.ac
--- gnutls-3.8.5.orig/configure.ac
+++ gnutls-3.8.5/configure.ac
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
@ -25,10 +25,10 @@ Index: gnutls-3.8.4/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]),
Index: gnutls-3.8.4/doc/cha-gtls-app.texi
Index: gnutls-3.8.5/doc/cha-gtls-app.texi
===================================================================
--- gnutls-3.8.4.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.4/doc/cha-gtls-app.texi
--- gnutls-3.8.5.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.5/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize
@ -38,10 +38,10 @@ Index: gnutls-3.8.4/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement.
@end multitable
Index: gnutls-3.8.4/doc/cha-internals.texi
Index: gnutls-3.8.5/doc/cha-internals.texi
===================================================================
--- gnutls-3.8.4.orig/doc/cha-internals.texi
+++ gnutls-3.8.4/doc/cha-internals.texi
--- gnutls-3.8.5.orig/doc/cha-internals.texi
+++ gnutls-3.8.5/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling::
* Cryptographic Backend::
@ -162,10 +162,10 @@ Index: gnutls-3.8.4/doc/cha-internals.texi
operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with
Index: gnutls-3.8.4/doc/enums.texi
Index: gnutls-3.8.5/doc/enums.texi
===================================================================
--- gnutls-3.8.4.orig/doc/enums.texi
+++ gnutls-3.8.4/doc/enums.texi
--- gnutls-3.8.5.orig/doc/enums.texi
+++ gnutls-3.8.5/doc/enums.texi
@@ -1190,7 +1190,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t
@table @code
@ -186,10 +186,10 @@ Index: gnutls-3.8.4/doc/enums.texi
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.4/doc/functions/gnutls_fips140_set_mode
Index: gnutls-3.8.5/doc/functions/gnutls_fips140_set_mode
===================================================================
--- gnutls-3.8.4.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.4/doc/functions/gnutls_fips140_set_mode
--- gnutls-3.8.5.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.5/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@
@ -215,11 +215,11 @@ Index: gnutls-3.8.4/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.4/doc/gnutls.html
Index: gnutls-3.8.5/doc/gnutls.html
===================================================================
--- gnutls-3.8.4.orig/doc/gnutls.html
+++ gnutls-3.8.4/doc/gnutls.html
@@ -484,7 +484,7 @@ Documentation License&rdquo;.
--- gnutls-3.8.5.orig/doc/gnutls.html
+++ gnutls-3.8.5/doc/gnutls.html
@@ -485,7 +485,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
@ -228,7 +228,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</ul></li>
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
@@ -9041,7 +9041,7 @@ CPU. The currently available options are
@@ -9045,7 +9045,7 @@ CPU. The currently available options are
</li><li>0x200000: Enable VIA PHE
</li><li>0x400000: Enable VIA PHE SHA512
</li></ul></td></tr>
@ -237,7 +237,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
if set to one it will force the FIPS mode enablement.</td></tr>
</tbody>
</table>
@@ -18452,7 +18452,7 @@ None:
@@ -18477,7 +18477,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@ -246,7 +246,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
@@ -19474,7 +19474,7 @@ happens inside the black box.
@@ -19499,7 +19499,7 @@ happens inside the black box.
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
@ -255,7 +255,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</ul>
<hr>
<div class="section-level-extent" id="The-TLS-Protocol">
@@ -20003,7 +20003,7 @@ For more information see <a class="ref"
@@ -20028,7 +20028,7 @@ For more information see <a class="ref"
<div class="section-level-extent" id="Random-Number-Generators_002dinternals">
<div class="nav-panel">
<p>
@ -264,7 +264,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</div>
<h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3>
@@ -20011,7 +20011,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
@@ -20036,7 +20036,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for
@ -273,7 +273,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</p>
<h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4>
@@ -20148,22 +20148,22 @@ on the above paragraph, all levels are i
@@ -20173,22 +20173,22 @@ on the above paragraph, all levels are i
<p>
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
@ -302,7 +302,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
as follows.
</p>
<ul class="itemize mark-bullet">
@@ -20172,12 +20172,12 @@ as follows.
@@ -20197,12 +20197,12 @@ as follows.
</li><li>Algorithm self-tests are run on library load
</li></ul>
@ -318,7 +318,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</li><li>Any cryptographic operation will be refused if any of the self-tests failed
</li></ul>
@@ -20186,7 +20186,7 @@ modified as follows.
@@ -20211,7 +20211,7 @@ modified as follows.
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
the library integrity tests on startup, and the variable
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
@ -327,7 +327,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
mode, while &rsquo;0&rsquo; will disable it.
</p>
<p>The integrity checks for the dependent libraries and GnuTLS are performed
@@ -20194,13 +20194,13 @@ using &rsquo;.hmac&rsquo; files which ar
@@ -20219,13 +20219,13 @@ using &rsquo;.hmac&rsquo; files which ar
key for the operations can be provided on compile-time with the configure
option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256.
</p>
@ -344,7 +344,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
</p>
@@ -20209,7 +20209,7 @@ which can switch to alternative modes as
@@ -20234,7 +20234,7 @@ which can switch to alternative modes as
<dl class="table">
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
@ -353,7 +353,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
<dd><p>The default mode; all forbidden operations will cause an
@@ -20220,8 +20220,8 @@ operation failure via error code.
@@ -20245,8 +20245,8 @@ operation failure via error code.
cannot be set or seen by applications.
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
@ -364,7 +364,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
</p></dd>
@@ -20233,7 +20233,7 @@ to a message to the audit callback funct
@@ -20258,7 +20258,7 @@ to a message to the audit callback funct
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
<p>The intention of this API is to be used by applications which may run in
@ -373,7 +373,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following.
</p>
@@ -20262,9 +20262,9 @@ if (gnutls_fips140_mode_enabled())
@@ -20287,9 +20287,9 @@ if (gnutls_fips140_mode_enabled())
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
previous calls is to localize the change in the mode. Note also, that
such a block has no effect when the library is not operating
@ -385,7 +385,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</p><div class="example">
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
</pre></div>
@@ -20287,7 +20287,7 @@ performed within a given context.
@@ -20312,7 +20312,7 @@ performed within a given context.
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
</dl>
@ -394,7 +394,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
operation. It can be attached to the current execution thread with
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
updated until it is detached with
@@ -20660,8 +20660,8 @@ Previous: <a href="#Contributing" access
@@ -20685,8 +20685,8 @@ Previous: <a href="#Contributing" access
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
</p>
@ -405,7 +405,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</p>
<hr>
</div>
@@ -24576,7 +24576,7 @@ unusable. This function is not thread-s
@@ -24602,7 +24602,7 @@ unusable. This function is not thread-s
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> &para;</a></span></dt>
@ -414,7 +414,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
</p>
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
</p>
@@ -24585,13 +24585,13 @@ unusable. This function is not thread-s
@@ -24611,13 +24611,13 @@ unusable. This function is not thread-s
behavior with no flags after threads are created is undefined.
</p>
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
@ -430,7 +430,7 @@ Index: gnutls-3.8.4/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p>
@@ -46970,7 +46970,7 @@ Next: <a href="#Concept-Index" accesskey
@@ -46996,7 +46996,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@ -439,11 +439,11 @@ Index: gnutls-3.8.4/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.4/doc/gnutls.info-3
Index: gnutls-3.8.5/doc/gnutls.info-3
===================================================================
--- gnutls-3.8.4.orig/doc/gnutls.info-3
+++ gnutls-3.8.4/doc/gnutls.info-3
@@ -2247,7 +2247,7 @@ to more. Both will exit with a st
--- gnutls-3.8.5.orig/doc/gnutls.info-3
+++ gnutls-3.8.5/doc/gnutls.info-3
@@ -2262,7 +2262,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@ -452,7 +452,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
@@ -3400,7 +3400,7 @@ to know what happens inside the black bo
@@ -3415,7 +3415,7 @@ to know what happens inside the black bo
* TLS Hello Extension Handling::
* Cryptographic Backend::
* Random Number Generators-internals::
@ -461,7 +461,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3

File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
@@ -3932,7 +3932,7 @@ and abstract key types::.
@@ -3947,7 +3947,7 @@ and abstract key types::.
kernel implementation of /dev/crypto.

@ -470,7 +470,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
11.6 Random Number Generators
=============================
@@ -3942,7 +3942,7 @@ About the generators
@@ -3957,7 +3957,7 @@ About the generators
GnuTLS provides two random generators. The default, and the AES-DRBG
random generator which is only used when the library is compiled with
@ -479,7 +479,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
The default generator - inner workings
--------------------------------------
@@ -4174,7 +4174,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
@@ -4189,7 +4189,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
Figure 11.5: The gnutls_fips_mode_t enumeration.
The intention of this API is to be used by applications which may run in
@ -488,7 +488,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
set, e.g., for non-security related purposes. In these cases
applications should wrap the non-compliant code within blocks like the
following.
@@ -4198,10 +4198,10 @@ are macros to simplify the following seq
@@ -4213,10 +4213,10 @@ are macros to simplify the following seq
The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous
calls is to localize the change in the mode. Note also, that such a
@ -501,7 +501,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
Service indicator
@@ -4683,8 +4683,8 @@ There are certifications from national o
@@ -4698,8 +4698,8 @@ There are certifications from national o
practices, such as unit testing and reliance on well known crypto
primitives.
@ -512,7 +512,7 @@ Index: gnutls-3.8.4/doc/gnutls.info-3

File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9152,7 +9152,7 @@ gnutls_fips140_set_mode
@@ -9169,7 +9169,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS)
@ -521,10 +521,10 @@ Index: gnutls-3.8.4/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.4/doc/invoke-gnutls-cli.texi
Index: gnutls-3.8.5/doc/invoke-gnutls-cli.texi
===================================================================
--- gnutls-3.8.4.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.4/doc/invoke-gnutls-cli.texi
--- gnutls-3.8.5.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.5/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
@ -534,10 +534,10 @@ Index: gnutls-3.8.4/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.4/doc/manpages/gnutls-cli.1
Index: gnutls-3.8.5/doc/manpages/gnutls-cli.1
===================================================================
--- gnutls-3.8.4.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.4/doc/manpages/gnutls-cli.1
--- gnutls-3.8.5.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.5/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf
.TP
@ -547,11 +547,11 @@ Index: gnutls-3.8.4/doc/manpages/gnutls-cli.1
.sp
.TP
.NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
===================================================================
--- gnutls-3.8.4.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para
--- gnutls-3.8.5.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
@@ -20870,12 +20870,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p>
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
@ -566,7 +566,7 @@ Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
values for <em class="parameter"><code>mode</code></em>
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
@@ -20886,7 +20886,7 @@ switches to <a class="link" href="gnutls
@@ -20890,7 +20890,7 @@ switches to <a class="link" href="gnutls
<tbody>
<tr>
<td class="parameter_name"><p>mode</p></td>
@ -575,7 +575,7 @@ Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
<td class="parameter_annotations"> </td>
</tr>
<tr>
@@ -25911,7 +25911,7 @@ encryption</p>
@@ -25915,7 +25915,7 @@ encryption</p>
<hr>
<div class="refsect2">
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@ -584,7 +584,7 @@ Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
<div class="refsect3">
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
<div class="informaltable"><table class="informaltable" width="100%" border="0">
@@ -25924,7 +25924,7 @@ encryption</p>
@@ -25928,7 +25928,7 @@ encryption</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
<td class="enum_member_description">
@ -593,7 +593,7 @@ Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
</td>
<td class="enum_member_annotations"> </td>
</tr>
@@ -25947,8 +25947,8 @@ operation failure via error code.</p>
@@ -25951,8 +25951,8 @@ operation failure via error code.</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
<td class="enum_member_description">
@ -604,17 +604,17 @@ Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
</td>
@@ -27582,4 +27582,4 @@ This is used by <a class="link" href="gn
@@ -27592,4 +27592,4 @@ This is used by <a class="link" href="gn
<div class="footer">
<hr>Generated by GTK-Doc V1.33.1</div>
</body>
-</html>
\ No newline at end of file
+</html>
Index: gnutls-3.8.4/lib/fips.c
Index: gnutls-3.8.5/lib/fips.c
===================================================================
--- gnutls-3.8.4.orig/lib/fips.c
+++ gnutls-3.8.4/lib/fips.c
--- gnutls-3.8.5.orig/lib/fips.c
+++ gnutls-3.8.5/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
}
@ -633,7 +633,7 @@ Index: gnutls-3.8.4/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS;
goto exit;
}
@@ -710,7 +710,7 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -712,7 +712,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/**
* gnutls_fips140_set_mode:
@ -642,7 +642,7 @@ Index: gnutls-3.8.4/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
*
* That function is not thread-safe when changing the mode with no flags
@@ -718,13 +718,13 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -720,13 +720,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined.
*
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@ -658,7 +658,7 @@ Index: gnutls-3.8.4/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode.
*
@@ -736,10 +736,10 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -738,10 +738,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) {
@ -671,7 +671,7 @@ Index: gnutls-3.8.4/lib/fips.c
return;
}
@@ -752,7 +752,7 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -754,7 +754,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log(
NULL,
@ -680,7 +680,7 @@ Index: gnutls-3.8.4/lib/fips.c
mode = GNUTLS_FIPS140_STRICT;
break;
default:
@@ -928,7 +928,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -930,7 +930,7 @@ void _gnutls_switch_fips_state(gnutls_fi
}
if (!_tfips_context) {
@ -689,7 +689,7 @@ Index: gnutls-3.8.4/lib/fips.c
return;
}
@@ -942,7 +942,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -944,7 +944,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -698,7 +698,7 @@ Index: gnutls-3.8.4/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -953,7 +953,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -955,7 +955,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -707,7 +707,7 @@ Index: gnutls-3.8.4/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -965,7 +965,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -967,7 +967,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -716,7 +716,7 @@ Index: gnutls-3.8.4/lib/fips.c
operation_state_to_string(
_tfips_context->state),
operation_state_to_string(state));
@@ -1027,7 +1027,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1029,7 +1029,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL,
@ -725,7 +725,7 @@ Index: gnutls-3.8.4/lib/fips.c
} else {
/* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state);
@@ -1039,7 +1039,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1041,7 +1041,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(
@ -734,10 +734,10 @@ Index: gnutls-3.8.4/lib/fips.c
}
gnutls_fips140_context_deinit(fips_context);
}
Index: gnutls-3.8.4/lib/fips.h
Index: gnutls-3.8.5/lib/fips.h
===================================================================
--- gnutls-3.8.4.orig/lib/fips.h
+++ gnutls-3.8.4/lib/fips.h
--- gnutls-3.8.5.orig/lib/fips.h
+++ gnutls-3.8.5/lib/fips.h
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
}
@ -778,10 +778,10 @@ Index: gnutls-3.8.4/lib/fips.h
gnutls_cipher_get_name(algo));
FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.4/lib/global.c
Index: gnutls-3.8.5/lib/global.c
===================================================================
--- gnutls-3.8.4.orig/lib/global.c
+++ gnutls-3.8.4/lib/global.c
--- gnutls-3.8.5.orig/lib/global.c
+++ gnutls-3.8.5/lib/global.c
@@ -338,12 +338,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140
@ -815,10 +815,10 @@ Index: gnutls-3.8.4/lib/global.c
if (res != 2) {
gnutls_assert();
goto out;
Index: gnutls-3.8.4/lib/includes/gnutls/gnutls.h.in
Index: gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.8.4.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.4/lib/includes/gnutls/gnutls.h.in
--- gnutls-3.8.5.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
@@ -3201,16 +3201,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func);
@ -849,10 +849,10 @@ Index: gnutls-3.8.4/lib/includes/gnutls/gnutls.h.in
*/
typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.4/src/cli.c
Index: gnutls-3.8.5/src/cli.c
===================================================================
--- gnutls-3.8.4.orig/src/cli.c
+++ gnutls-3.8.4/src/cli.c
--- gnutls-3.8.5.orig/src/cli.c
+++ gnutls-3.8.5/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) {
@ -866,10 +866,10 @@ Index: gnutls-3.8.4/src/cli.c
exit(1);
}
Index: gnutls-3.8.4/src/gnutls-cli-options.c
Index: gnutls-3.8.5/src/gnutls-cli-options.c
===================================================================
--- gnutls-3.8.4.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.4/src/gnutls-cli-options.c
--- gnutls-3.8.5.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.5/src/gnutls-cli-options.c
@@ -810,7 +810,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n"
@ -879,10 +879,10 @@ Index: gnutls-3.8.4/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.4/tests/cert-tests/gost.sh
Index: gnutls-3.8.5/tests/cert-tests/gost.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.4/tests/cert-tests/gost.sh
--- gnutls-3.8.5.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.5/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -892,10 +892,10 @@ Index: gnutls-3.8.4/tests/cert-tests/gost.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs12-corner-cases.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-corner-cases.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs12-corner-cases.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -905,10 +905,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs12-corner-cases.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs12-encode.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-encode.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs12-encode.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -918,10 +918,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs12-encode.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs12-gost.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-gost.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs12-gost.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -931,10 +931,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs12-gost.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs12.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs12.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs12.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -944,10 +944,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs12.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs8-decode.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-decode.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs8-decode.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -957,10 +957,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs8-decode.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs8-eddsa.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-eddsa.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs8-eddsa.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -970,10 +970,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs8-eddsa.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs8-gost.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-gost.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs8-gost.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -983,10 +983,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs8-gost.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cert-tests/pkcs8.sh
Index: gnutls-3.8.5/tests/cert-tests/pkcs8.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.4/tests/cert-tests/pkcs8.sh
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -996,10 +996,10 @@ Index: gnutls-3.8.4/tests/cert-tests/pkcs8.sh
exit 77
fi
Index: gnutls-3.8.4/tests/cipher-listings.sh
Index: gnutls-3.8.5/tests/cipher-listings.sh
===================================================================
--- gnutls-3.8.4.orig/tests/cipher-listings.sh
+++ gnutls-3.8.4/tests/cipher-listings.sh
--- gnutls-3.8.5.orig/tests/cipher-listings.sh
+++ gnutls-3.8.5/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.4/tests/cipher-listings.sh
exit 77
fi
Index: gnutls-3.8.4/tests/testpkcs11.sh
Index: gnutls-3.8.5/tests/testpkcs11.sh
===================================================================
--- gnutls-3.8.4.orig/tests/testpkcs11.sh
+++ gnutls-3.8.4/tests/testpkcs11.sh
--- gnutls-3.8.5.orig/tests/testpkcs11.sh
+++ gnutls-3.8.5/tests/testpkcs11.sh
@@ -26,7 +26,7 @@
RETCODE=0
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.4/tests/testpkcs11.sh
exit 77
fi
Index: gnutls-3.8.4/doc/enums/gnutls_fips_mode_t
Index: gnutls-3.8.5/doc/enums/gnutls_fips_mode_t
===================================================================
--- gnutls-3.8.4.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.4/doc/enums/gnutls_fips_mode_t
--- gnutls-3.8.5.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.5/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@
@c gnutls_fips_mode_t
@table @code
@ -1046,10 +1046,10 @@ Index: gnutls-3.8.4/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.4/doc/gnutls-api.texi
Index: gnutls-3.8.5/doc/gnutls-api.texi
===================================================================
--- gnutls-3.8.4.orig/doc/gnutls-api.texi
+++ gnutls-3.8.4/doc/gnutls-api.texi
--- gnutls-3.8.5.orig/doc/gnutls-api.texi
+++ gnutls-3.8.5/doc/gnutls-api.texi
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode}
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.4/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.4/lib/ext/session_ticket.c
Index: gnutls-3.8.5/lib/ext/session_ticket.c
===================================================================
--- gnutls-3.8.4.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.4/lib/ext/session_ticket.c
--- gnutls-3.8.5.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.5/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{
if (_gnutls_fips_mode_enabled()) {
@ -1088,10 +1088,10 @@ Index: gnutls-3.8.4/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not
* used. These limits do not affect this function as
* it does not generate a "key" but rather key material
Index: gnutls-3.8.4/lib/libgnutls.map
Index: gnutls-3.8.5/lib/libgnutls.map
===================================================================
--- gnutls-3.8.4.orig/lib/libgnutls.map
+++ gnutls-3.8.4/lib/libgnutls.map
--- gnutls-3.8.5.orig/lib/libgnutls.map
+++ gnutls-3.8.5/lib/libgnutls.map
@@ -1450,7 +1450,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test;
@ -1101,11 +1101,11 @@ Index: gnutls-3.8.4/lib/libgnutls.map
drbg_aes_reseed;
drbg_aes_init;
drbg_aes_generate;
Index: gnutls-3.8.4/lib/nettle/mac.c
Index: gnutls-3.8.5/lib/nettle/mac.c
===================================================================
--- gnutls-3.8.4.orig/lib/nettle/mac.c
+++ gnutls-3.8.4/lib/nettle/mac.c
@@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx
--- gnutls-3.8.5.orig/lib/nettle/mac.c
+++ gnutls-3.8.5/lib/nettle/mac.c
@@ -264,7 +264,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx)
{
@ -1114,7 +1114,7 @@ Index: gnutls-3.8.4/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */
ctx->set_nonce = NULL;
@@ -648,7 +648,7 @@ static void _md5_sha1_digest(void *_ctx,
@@ -650,7 +650,7 @@ static void _md5_sha1_digest(void *_ctx,
static int _ctx_init(gnutls_digest_algorithm_t algo,
struct nettle_hash_ctx *ctx)
{
@ -1123,10 +1123,10 @@ Index: gnutls-3.8.4/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) {
case GNUTLS_DIG_MD5:
Index: gnutls-3.8.4/config.h.in
Index: gnutls-3.8.5/config.h.in
===================================================================
--- gnutls-3.8.4.orig/config.h.in
+++ gnutls-3.8.4/config.h.in
--- gnutls-3.8.5.orig/config.h.in
+++ gnutls-3.8.5/config.h.in
@@ -82,7 +82,7 @@
/* enable DHE */
#undef ENABLE_ECDHE
@ -1145,10 +1145,10 @@ Index: gnutls-3.8.4/config.h.in
#undef FIPS_KEY
/* The FIPS140 module name */
Index: gnutls-3.8.4/configure
Index: gnutls-3.8.5/configure
===================================================================
--- gnutls-3.8.4.orig/configure
+++ gnutls-3.8.4/configure
--- gnutls-3.8.5.orig/configure
+++ gnutls-3.8.5/configure
@@ -3832,7 +3832,7 @@ Optional Features:
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.4/configure
--enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves
disable curves not in SuiteB
Index: gnutls-3.8.4/doc/cha-support.texi
Index: gnutls-3.8.5/doc/cha-support.texi
===================================================================
--- gnutls-3.8.4.orig/doc/cha-support.texi
+++ gnutls-3.8.4/doc/cha-support.texi
--- gnutls-3.8.5.orig/doc/cha-support.texi
+++ gnutls-3.8.5/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
@ -1170,23 +1170,23 @@ Index: gnutls-3.8.4/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.4/doc/gnutls.info
Index: gnutls-3.8.5/doc/gnutls.info
===================================================================
--- gnutls-3.8.4.orig/doc/gnutls.info
+++ gnutls-3.8.4/doc/gnutls.info
@@ -619,7 +619,7 @@ Ref: fig-crypto-layers744797
Ref: Cryptographic Backend-Footnote-1748109
Ref: Cryptographic Backend-Footnote-2748194
Node: Random Number Generators-internals748306
-Node: FIPS140-2 mode755776
+Node: FIPS140-3 mode755776
Ref: gnutls_fips_mode_t758474
Node: Upgrading from previous versions762143
Node: Support776385
Index: gnutls-3.8.4/src/gnutls-cli-options.json
--- gnutls-3.8.5.orig/doc/gnutls.info
+++ gnutls-3.8.5/doc/gnutls.info
@@ -620,7 +620,7 @@ Ref: fig-crypto-layers745475
Ref: Cryptographic Backend-Footnote-1748787
Ref: Cryptographic Backend-Footnote-2748872
Node: Random Number Generators-internals748984
-Node: FIPS140-2 mode756454
+Node: FIPS140-3 mode756454
Ref: gnutls_fips_mode_t759152
Node: Upgrading from previous versions762821
Node: Support777063
Index: gnutls-3.8.5/src/gnutls-cli-options.json
===================================================================
--- gnutls-3.8.4.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.4/src/gnutls-cli-options.json
--- gnutls-3.8.5.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.5/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@
},
{
@ -1196,10 +1196,10 @@ Index: gnutls-3.8.4/src/gnutls-cli-options.json
},
{
"long-option": "list-config",
Index: gnutls-3.8.4/tests/pkcs11-tool.sh
Index: gnutls-3.8.5/tests/pkcs11-tool.sh
===================================================================
--- gnutls-3.8.4.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.4/tests/pkcs11-tool.sh
--- gnutls-3.8.5.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.5/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x
: ${DIFF=diff}
@ -1209,3 +1209,32 @@ Index: gnutls-3.8.4/tests/pkcs11-tool.sh
exit 77
fi
Index: gnutls-3.8.5/doc/manpages/gnutls_fips140_set_mode.3
===================================================================
--- gnutls-3.8.5.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.5/doc/manpages/gnutls_fips140_set_mode.3
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
.BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
.SH ARGUMENTS
.IP "gnutls_fips_mode_t mode" 12
-the FIPS140\-2 mode to switch to
+the FIPS140\-3 mode to switch to
.IP "unsigned flags" 12
should be zero or \fBGNUTLS_FIPS140_SET_MODE_THREAD\fP
.SH "DESCRIPTION"
@@ -17,13 +17,13 @@ That function is not thread\-safe when c
behavior with no flags after threads are created is undefined.
When the flag \fBGNUTLS_FIPS140_SET_MODE_THREAD\fP is specified
-then this call will change the FIPS140\-2 mode for this particular
+then this call will change the FIPS140\-3 mode for this particular
thread and not for the whole process. That way an application
can utilize this function to set and reset mode for specific
operations.
This function never fails but will be a no\-op if used when
-the library is not in FIPS140\-2 mode. When asked to switch to unknown
+the library is not in FIPS140\-3 mode. When asked to switch to unknown
values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
.SH "SINCE"

12
gnutls-FIPS-TLS_KDF_selftest.patch
View File

@ -1,8 +1,8 @@
Index: gnutls-3.7.7/lib/fips.c
Index: gnutls-3.8.5/lib/fips.c
===================================================================
--- gnutls-3.7.7.orig/lib/fips.c
+++ gnutls-3.7.7/lib/fips.c
@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
--- gnutls-3.8.5.orig/lib/fips.c
+++ gnutls-3.8.5/lib/fips.c
@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
}
@ -27,5 +27,5 @@ Index: gnutls-3.7.7/lib/fips.c
+ }
+
/* PK */
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
if (ret < 0) {
if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);

27
gnutls.changes
View File

@ -1,3 +1,30 @@
-------------------------------------------------------------------
Fri Apr 5 07:28:14 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.5:
* libgnutls: Due to majority of usages and implementations of
RSA decryption with PKCS#1 v1.5 padding being incorrect,
leaving them vulnerable to Marvin attack, the RSAES-PKCS1-v1_5
is being deprecated (encryption and decryption) and will be
disabled in the future. A new option 'allow-rsa-pkcs1-encrypt'
has been added into the system-wide library configuration which
allows to enable/disable the RSAES-PKCS1-v1_5. Currently, the
RSAES-PKCS1-v1_5 is enabled by default.
* libgnutls: Added support for RIPEMD160 and PBES1-DES-SHA1 for
backward compatibility with GCR.
* libgnutls: A couple of memory related issues have been fixed in
RSA PKCS#1 v1.5 decryption error handling and deterministic ECDSA
with earlier versions of GMP. These were a regression introduced
in the 3.8.4 release. See #1535 and !1827.
* build: Fixed a bug where building gnutls statically failed due
to a duplicate definition of nettle_rsa_compute_root_tr().
* API and ABI modifications:
- GNUTLS_PKCS_PBES1_DES_SHA1: New enum member of
gnutls_pkcs_encrypt_flags_t
* Rebase patches:
- gnutls-FIPS-TLS_KDF_selftest.patch
- gnutls-FIPS-140-3-references.patch
-------------------------------------------------------------------
Wed Mar 20 12:08:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

2
gnutls.spec
View File

@ -40,7 +40,7 @@
%endif
%bcond_with tpm
Name: gnutls
Version: 3.8.4
Version: 3.8.5
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later