Accepting request 1034572 from home:pmonrealgonzalez:branches:security:tls
- Verify only the libgnutls library HMAC [bsc#1199881]
* Do not use the brp-50-generate-fips-hmac script as this
is now calculated with the internal fipshmac tool.
* Add gnutls-verify-library-HMAC.patch
- Disable flaky test that fails in s390x architecture:
* Add gnutls-disable-flaky-test-dtls-resume.patch
- Consolidate the FIPS hmac files [bsc#1203245]
* Use the gnutls fipshmac tool instead of the brp-check-suse
and rename it to reflect on the library version.
- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
positive for the FIPS hmac calculation.
OBS-URL: https://build.opensuse.org/request/show/1034572
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=80
This commit is contained in:
Git OBS Bridge
parent
eccec72a4b
commit
7d40b4ffcc
13
gnutls-disable-flaky-test-dtls-resume.patch
Normal file
13
gnutls-disable-flaky-test-dtls-resume.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: gnutls-3.7.8/tests/Makefile.am
|
||||
===================================================================
|
||||
--- gnutls-3.7.8.orig/tests/Makefile.am
|
||||
+++ gnutls-3.7.8/tests/Makefile.am
|
||||
@@ -508,7 +508,7 @@ if !WINDOWS
|
||||
# List of tests not available/functional under windows
|
||||
#
|
||||
|
||||
-dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
|
||||
+dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb
|
||||
|
||||
indirect_tests += dtls-stress
|
||||
|
||||
21
gnutls-verify-library-HMAC.patch
Normal file
21
gnutls-verify-library-HMAC.patch
Normal file
@ -0,0 +1,21 @@
|
||||
Index: gnutls-3.7.8/lib/fips.c
|
||||
===================================================================
|
||||
--- gnutls-3.7.8.orig/lib/fips.c
|
||||
+++ gnutls-3.7.8/lib/fips.c
|
||||
@@ -402,6 +402,8 @@ static int check_binary_integrity(void)
|
||||
ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
+ /* Check only the binary integrity of the libgnutls library */
|
||||
+#if 0
|
||||
ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
@@ -411,6 +413,7 @@ static int check_binary_integrity(void)
|
||||
ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
+#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,15 +1,28 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 8 12:52:18 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Verify only the libgnutls library HMAC [bsc#1199881]
|
||||
* Do not use the brp-50-generate-fips-hmac script as this
|
||||
is now calculated with the internal fipshmac tool.
|
||||
* Add gnutls-verify-library-HMAC.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 2 20:51:43 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Temporarily revert the jitterentropy patches in s390 and s390x
|
||||
architectures until a fix is provided [bsc#1204937]
|
||||
- Disable flaky test that fails in s390x architecture:
|
||||
* Add gnutls-disable-flaky-test-dtls-resume.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 14 11:35:33 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
|
||||
* Package the FIPS .hmac files
|
||||
- Consolidate the FIPS hmac files [bsc#1203245]
|
||||
* Use the gnutls fipshmac tool instead of the brp-check-suse
|
||||
and rename it to reflect on the library version.
|
||||
* Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
|
||||
- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
|
||||
positive for the FIPS hmac calculation.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Oct 9 12:53:27 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
1
gnutls.rpmlintrc
Normal file
1
gnutls.rpmlintrc
Normal file
@ -0,0 +1 @@
|
||||
addFilter("hidden-file-or-dir /usr/lib64/.libgnutls.so.30.hmac")
|
||||
33
gnutls.spec
33
gnutls.spec
@ -47,6 +47,8 @@ Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.
|
||||
# https://gnutls.org/gnutls-release-keyring.gpg
|
||||
Source2: gnutls.keyring
|
||||
Source3: baselibs.conf
|
||||
# Suppress a false positive on the .hmac file
|
||||
Source4: gnutls.rpmlintrc
|
||||
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
|
||||
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
|
||||
Patch2: gnutls-FIPS-disable-failing-tests.patch
|
||||
@ -63,6 +65,9 @@ Patch5: gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
|
||||
Patch6: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
|
||||
#PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
|
||||
Patch7: gnutls-Make-XTS-key-check-failure-not-fatal.patch
|
||||
Patch8: gnutls-disable-flaky-test-dtls-resume.patch
|
||||
#PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
|
||||
Patch9: gnutls-verify-library-HMAC.patch
|
||||
BuildRequires: autogen
|
||||
BuildRequires: automake
|
||||
BuildRequires: datefudge
|
||||
@ -224,6 +229,10 @@ export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
|
||||
export CFLAGS="%{optflags} -fPIE"
|
||||
export CXXFLAGS="%{optflags} -fPIE"
|
||||
autoreconf -fiv
|
||||
|
||||
# Rename the internal .hmac file to include the so library version
|
||||
sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.am lib/Makefile.in lib/fips.c
|
||||
|
||||
%configure \
|
||||
gl_cv_func_printf_directive_n=yes \
|
||||
gl_cv_func_printf_infinite_long_double=yes \
|
||||
@ -259,11 +268,26 @@ autoreconf -fiv
|
||||
%install
|
||||
%make_install
|
||||
|
||||
# Compute FIPS hmac using the brp-50-generate-fips-hmac script
|
||||
export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
|
||||
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
|
||||
# export BRP_FIPSHMAC_FILES=%%{buildroot}%%{_libdir}/libgnutls.so.%%{gnutls_sover}
|
||||
|
||||
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.gnutls.hmac
|
||||
sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
|
||||
# the hmac hashes:
|
||||
#
|
||||
# this is a hack that re-defines the __os_install_post macro
|
||||
# for a simple reason: the macro strips the binaries and thereby
|
||||
# invalidates a HMAC that may have been created earlier.
|
||||
# solution: create the hashes _after_ the macro runs.
|
||||
#
|
||||
# this shows up earlier because otherwise the %%expand of
|
||||
# the macro is too late.
|
||||
# remark: This is the same as running
|
||||
# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
|
||||
# note: The FIPS hmac is now calculated with an internal tool since
|
||||
# commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
|
||||
sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
|
||||
}}
|
||||
|
||||
rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
|
||||
# Do not package static libs and libtool files
|
||||
@ -333,7 +357,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
|
||||
%files -n libgnutls%{gnutls_sover}-hmac
|
||||
%license LICENSE
|
||||
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
|
||||
%{_libdir}/.gnutls.hmac
|
||||
|
||||
%if %{with dane}
|
||||
%files -n libgnutls-dane%{gnutls_dane_sover}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user