diff --git a/gnutls-3.7.2.tar.xz b/gnutls-3.7.2.tar.xz deleted file mode 100644 index 9d64f36..0000000 --- a/gnutls-3.7.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752 -size 6091508 diff --git a/gnutls-3.7.2.tar.xz.sig b/gnutls-3.7.2.tar.xz.sig deleted file mode 100644 index b824c33..0000000 Binary files a/gnutls-3.7.2.tar.xz.sig and /dev/null differ diff --git a/gnutls-3.7.3.tar.xz b/gnutls-3.7.3.tar.xz new file mode 100644 index 0000000..f61b132 --- /dev/null +++ b/gnutls-3.7.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a +size 6119292 diff --git a/gnutls-3.7.3.tar.xz.sig b/gnutls-3.7.3.tar.xz.sig new file mode 100644 index 0000000..3c4ea1b Binary files /dev/null and b/gnutls-3.7.3.tar.xz.sig differ diff --git a/gnutls-temporarily_disable_broken_guile_reauth_test.patch b/gnutls-temporarily_disable_broken_guile_reauth_test.patch deleted file mode 100644 index 8bca393..0000000 --- a/gnutls-temporarily_disable_broken_guile_reauth_test.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: gnutls-3.6.15/guile/Makefile.in -=================================================================== ---- gnutls-3.6.15.orig/guile/Makefile.in 2020-09-08 10:24:09.581998087 +0200 -+++ gnutls-3.6.15/guile/Makefile.in 2020-09-08 10:24:30.046134403 +0200 -@@ -1857,7 +1857,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap - TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \ - tests/pkcs-import-export.scm tests/errors.scm \ - tests/x509-certificates.scm tests/x509-auth.scm \ -- tests/reauth.scm tests/priorities.scm $(am__append_2) -+ tests/priorities.scm $(am__append_2) - TESTS_ENVIRONMENT = \ - GUILE_AUTO_COMPILE=0 \ - GUILE_WARN_DEPRECATED=detailed diff --git a/gnutls.changes b/gnutls.changes index fedfca6..4725527 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,125 @@ +------------------------------------------------------------------- +Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal + +- Update to 3.7.3: [bsc#1190698, bsc#1190796] + * libgnutls: The allowlisting configuration mode has been added + to the system-wide settings. In this mode, all the algorithms + are initially marked as insecure or disabled, while the + applications can re-enable them either through the [overrides] + section of the configuration file or the new API (#1172). + * The build infrastructure no longer depends on GNU AutoGen for + generating command-line option handling, template file parsing + in certtool, and documentation generation (#773, #774). This + change also removes run-time or bundled dependency on the + libopts library, and requires Python 3.6 or later to regenerate + the distribution tarball. Note that this brings in known backward + incompatibility in command-line tools, such as long options are + now case sensitive, while previously they were treated in a case + insensitive manner: for example --RSA is no longer a valid option + of certtool. The existing scripts using GnuTLS tools may need + adjustment for this change. + * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded + and used as a gnutls_privkey_t (#594). The code was originally written + for the OpenConnect VPN project by David Woodhouse. To generate such + blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: + https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations + or the tpm2_encodeobject tool from unreleased tpm2-tools. + * libgnutls: The library now transparently enables Linux KTLS (kernel + TLS) when the feature is compiled in with --enable-ktls configuration + option (#1113). If the KTLS initialization fails it automatically falls + back to the user space implementation. + * certtool: The certtool command can now read the Certificate Transparency + (RFC 6962) SCT extension (#232). 
New API functions are also provided to + access and manipulate the extension values. + * certtool: The certtool command can now generate, manipulate, and evaluate + x25519 and x448 public keys, private keys, and certificates. + * libgnutls: Disabling a hashing algorithm through "insecure-hash" + configuration directive now also disables TLS ciphersuites that use it + as a PRF algorithm. + * libgnutls: PKCS#12 files are now created with modern algorithms by default + (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and + HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with + PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the + default PBKDF2 iteration count has been increased to 600000. + * libgnutls: PKCS#12 keys derived using GOST algorithm now uses + HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, + to conform with the latest TC-26 requirements (#1225). + * libgnutls: The library now provides a means to report the status + of approved cryptographic operations (!1465). To adhere to the + FIPS140-3 IG 2.4.C., this complements the existing mechanism to + prohibit the use of unapproved algorithms by making the library + unusable state. + * gnutls-cli: The gnutls-cli command now provides a --list-config + option to print the library configuration (!1508). + * libgnutls: Fixed possible race condition in + gnutls_x509_trust_list_verify_crt2 when a single trust list object + is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, + CVSS: low] + * API and ABI modifications: + GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_privkey_flags_t + GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in + gnutls_certificate_verify_flags + gnutls_ecc_curve_set_enabled: Added. + gnutls_sign_set_secure: Added. + gnutls_sign_set_secure_for_certs: Added. + gnutls_digest_set_secure: Added. + gnutls_protocol_set_enabled: Added. 
+ gnutls_fips140_context_init: New function + gnutls_fips140_context_deinit: New function + gnutls_fips140_push_context: New function + gnutls_fips140_pop_context: New function + gnutls_fips140_get_operation_state: New function + gnutls_fips140_operation_state_t: New enum + gnutls_transport_is_ktls_enabled: New function + gnutls_get_library_configuration: New function + * Remove patches fixed in the update: + - gnutls-FIPS-module-version.patch + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + - gnutls-FIPS-RSA-mod-sizes.patch + +------------------------------------------------------------------- +Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal + +- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] + * Remove patches: + - gnutls-temporarily_disable_broken_guile_reauth_test.patch + - disable-psk-file-test.patch + +------------------------------------------------------------------- +Mon Jan 17 12:37:02 UTC 2022 - Pedro Monreal + +- FIPS: Provide module identifier and version [bsc#1190796] + * Add configurable options to output the module name/identifier + (--with-fips140-module-name) and the module version + (--with-fips140-module-version). + * Add the CLI option list-config that reports the configuration + of the library. 
+ * Add gnutls-FIPS-module-version.patch + +------------------------------------------------------------------- +Wed Dec 22 18:56:24 UTC 2021 - Pedro Monreal + +- FIPS: Provide a service-level indicator [bsc#1190698] + * Add support for a "service indicator" as required in + the FIPS140-3 Implementation Guidance in section 2.4.C + * Add patches: + - gnutls-FIPS-service-indicator.patch + - gnutls-FIPS-service-indicator-public-key.patch + - gnutls-FIPS-service-indicator-symmetric-key.patch + - gnutls-FIPS-RSA-PSS-flags.patch + +------------------------------------------------------------------- +Thu Dec 16 12:35:46 UTC 2021 - Pedro Monreal + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008] + * fips: allow more RSA modulus sizes + * Add gnutls-FIPS-RSA-mod-sizes.patch + * Delete gnutls-3.6.7-fips-rsa-4096.patch + ------------------------------------------------------------------- Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger @@ -6,6 +128,18 @@ Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger leading project (and the condition causes issues as Tumbleweed needs to move away from 1550 due to CODE 15 SP5 plans). +------------------------------------------------------------------- +Fri Oct 15 11:03:53 UTC 2021 - Pedro Monreal + +- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] +- Add DANE guards + +------------------------------------------------------------------- +Wed Jul 21 10:21:46 UTC 2021 - Pedro Monreal + +- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch + since its already working. + ------------------------------------------------------------------- Tue Jun 1 01:00:34 UTC 2021 - Ferdinand Thiessen diff --git a/gnutls.spec b/gnutls.spec index 05e02ed..7d71f2f 100644 --- a/gnutls.spec +++ b/gnutls.spec 
@@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,7 +34,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.7.2 +Version: 3.7.3 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -46,8 +46,7 @@ Source2: gnutls.keyring Source3: baselibs.conf Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch -Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch -Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +Patch2: gnutls-FIPS-TLS_KDF_selftest.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -89,7 +88,8 @@ BuildRequires: libunbound-devel %if %{with guile} BuildRequires: guile-devel %endif -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +BuildRequires: crypto-policies Requires: crypto-policies %endif @@ -100,13 +100,13 @@ of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -# install libopenssl and libopenssl-hmac close together (bsc#1090765) License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +# install libgnutls and libgnutls-hmac close together (bsc#1090765) +Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif -Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport 
@@ -122,6 +122,7 @@ Requires: libgnutls%{gnutls_sover} = %{version}-%{release} %description -n libgnutls%{gnutls_sover}-hmac FIPS SHA256 checksums of the libgnutls library. +%if %{with dane} %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -131,12 +132,13 @@ Group: System/Libraries The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. This package contains the "DANE" part of gnutls. +%endif %package -n libgnutlsxx%{gnutlsxx_sover} Summary: C++ API for the GNU Transport Layer Security Library License: LGPL-2.1-or-later Group: System/Libraries -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif @@ -149,7 +151,7 @@ of the IETF's TLS working group. Summary: Development package for the GnuTLS C API License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ -%if 0%{?suse_version} && ! 0%{?sle_version} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif Requires: glibc-devel @@ -161,6 +163,7 @@ Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. +%if %{with dane} %package -n libgnutls-dane-devel Summary: Development package for GnuTLS DANE component License: LGPL-2.1-or-later @@ -169,6 +172,7 @@ Requires: libgnutls-dane%{gnutls_dane_sover} = %{version} %description -n libgnutls-dane-devel Files needed for software development using gnutls. +%endif %package -n libgnutlsxx-devel Summary: Development package for the GnuTLS C++ API 
@@ -222,8 +226,15 @@ export CXXFLAGS="%{optflags} -fPIE" --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \ %else --disable-libdane \ +%endif +%if %{with guile} + --enable-guile \ +%else + --disable-guile \ %endif --enable-fips140-mode \ + --with-fips140-module-name="GnuTLS version" \ + --with-fips140-module-version="%{version}-%{release}" \ %{nil} make %{?_smp_mflags} @@ -255,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -#make %%{?_smp_mflags} check || { +# export GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1
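Review bot: the gnutls-3.7.3.tar.xz hunk replaces the LFS pointer (new sha256 and size) together with a new detached gnutls-3.7.3.tar.xz.sig, but nothing in this change touches Source2: gnutls.keyring, so please confirm the new .sig verifies against that keyring as-is and that the 3.7.3 release key is already in it; a tarball bump whose signature cannot be checked at build time is the one place this diff can silently swap in the wrong source.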
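Review bot: the gnutls.changes hunk records patch files that never appear in the spec: the Dec 16, Dec 22 and Jan 17 entries add gnutls-FIPS-RSA-mod-sizes.patch, gnutls-FIPS-service-indicator*.patch, gnutls-FIPS-RSA-PSS-flags.patch and gnutls-FIPS-module-version.patch, the Jan 18 entry removes them again (plus disable-psk-file-test.patch), yet the spec's Patch list goes from Patch0..Patch3 to Patch0..Patch2 and no such files are added or deleted in this diff. If these entries are history carried over from another branch, say so in the entry; otherwise fold them into the "Update to 3.7.3" entry so the changelog matches what the spec actually applies. The Jul 21 2021 entry has the same problem in reverse: it claims the guile reauth patch was already removed "since its already working", but the patch is only dropped from the spec in this change (and "its" should read "it's"). Minor: "integity" in the PKCS#12 bullet is a typo worth fixing even though it is copied from upstream NEWS.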
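Review bot: in the @@ -46,8 +46,7 @@ spec hunk the unchanged context still carries `BuildRequires: autogen`, while the changelog entry for 3.7.3 states that the build infrastructure no longer depends on GNU AutoGen (and that regenerating the distribution tarball now needs Python 3.6 or later). Dropping `BuildRequires: autogen` here keeps the build dependencies honest; if the tarball's pre-generated files are used, no python3 build requirement should be needed either, but that is worth a one-line comment in the spec.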
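Review bot: the @@ -89,7 +88,8 @@ hunk adds `BuildRequires: crypto-policies` without saying why the package is needed at build time (the testsuite already runs with `GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null`), so a short comment above it would help the next maintainer. The new condition `0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400` is now copy-pasted in four places across this diff (libgnutls, libgnutlsxx, libgnutls-devel and the main package); defining it once as a macro near the top of the spec avoids the four copies drifting apart on the next change. The comment fix from "libopenssl" to "libgnutls" in the @@ -100,13 +100,13 @@ hunk is correct and welcome.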
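Review bot: the `%if %{with dane}` guards added around `%package -n libgnutls-dane%{gnutls_dane_sover}` and `%package -n libgnutls-dane-devel` (hunks @@ -122,6 and @@ -161,6) cover the package and description sections, but the corresponding `%files` sections are not part of this diff; with dane disabled an unguarded `%files -n libgnutls-dane...` section would make rpmbuild fail on a package that no longer exists, so please confirm those sections carry the same guard.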
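Review bot: in the @@ -222,8 +226,15 @@ configure hunk, `--with-fips140-module-name="GnuTLS version"` looks like a mistake rather than a name: combined with `--with-fips140-module-version="%{version}-%{release}"` the module identifier will contain the word "version" twice over in whatever the library reports (the changelog says this is shown by the new gnutls-cli `--list-config` option). If the intent is that the two concatenate to read "GnuTLS version 3.7.3-0", add a comment saying so; otherwise `"GnuTLS"` is the expected module name. The explicit `--enable-guile` / `--disable-guile` branch matches the existing `%bcond_without guile` and is fine.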
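Review bot: the @@ -255,7 +266,7 @@ %check hunk only swaps one commented-out line for another (`# export GNUTLS_FORCE_FIPS_MODE=1`), which leaves dead code behind and does not exercise the FIPS path that the "Fix regression tests in fips and non-fips mode" changelog entry claims to cover. Either run the suite a second time with `GNUTLS_FORCE_FIPS_MODE=1 make check ...` (or guard it with a bcond if it is known to fail under qemu), or drop the comment so the spec does not suggest a test run that never happens.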