Accepting request 947394 from security:tls

OBS-URL: https://build.opensuse.org/request/show/947394
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=133

gnutls-3.7.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752
-size 6091508

gnutls-3.7.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a
+size 6119292

gnutls-temporarily_disable_broken_guile_reauth_test.patch

@@ -1,13 +0,0 @@
-Index: gnutls-3.6.15/guile/Makefile.in
-===================================================================
---- gnutls-3.6.15.orig/guile/Makefile.in	2020-09-08 10:24:09.581998087 +0200
-+++ gnutls-3.6.15/guile/Makefile.in	2020-09-08 10:24:30.046134403 +0200
-@@ -1857,7 +1857,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
- TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
- 	tests/pkcs-import-export.scm tests/errors.scm \
- 	tests/x509-certificates.scm tests/x509-auth.scm \
--	tests/reauth.scm tests/priorities.scm $(am__append_2)
-+	tests/priorities.scm $(am__append_2)
- TESTS_ENVIRONMENT = \
-   GUILE_AUTO_COMPILE=0				\
-   GUILE_WARN_DEPRECATED=detailed

gnutls.changes

@@ -1,3 +1,125 @@
+-------------------------------------------------------------------
+Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.3: [bsc#1190698, bsc#1190796]
+  * libgnutls: The allowlisting configuration mode has been added
+    to the system-wide settings. In this mode, all the algorithms
+    are initially marked as insecure or disabled, while the
+    applications can re-enable them either through the [overrides]
+    section of the configuration file or the new API (#1172).
+  * The build infrastructure no longer depends on GNU AutoGen for
+    generating command-line option handling, template file parsing
+    in certtool, and documentation generation (#773, #774). This
+    change also removes run-time or bundled dependency on the
+    libopts library, and requires Python 3.6 or later to regenerate
+    the distribution tarball. Note that this brings in known backward
+    incompatibility in command-line tools, such as long options are
+    now case sensitive, while previously they were treated in a case
+    insensitive manner: for example --RSA is no longer a valid option
+    of certtool. The existing scripts using GnuTLS tools may need
+    adjustment for this change.
+  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
+    and used as a gnutls_privkey_t (#594). The code was originally written
+    for the OpenConnect VPN project by David Woodhouse. To generate such
+    blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
+    https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
+    or the tpm2_encodeobject tool from unreleased tpm2-tools.
+  * libgnutls: The library now transparently enables Linux KTLS (kernel
+    TLS) when the feature is compiled in with --enable-ktls configuration
+    option (#1113). If the KTLS initialization fails it automatically falls
+    back to the user space implementation.
+  * certtool: The certtool command can now read the Certificate Transparency
+    (RFC 6962) SCT extension (#232).  New API functions are also provided to
+    access and manipulate the extension values.
+  * certtool: The certtool command can now generate, manipulate, and evaluate
+    x25519 and x448 public keys, private keys, and certificates.
+  * libgnutls: Disabling a hashing algorithm through "insecure-hash"
+    configuration directive now also disables TLS ciphersuites that use it
+    as a PRF algorithm.
+  * libgnutls: PKCS#12 files are now created with modern algorithms by default
+    (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
+    HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
+    PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
+    default PBKDF2 iteration count has been increased to 600000.
+  * libgnutls: PKCS#12 keys derived using GOST algorithm now uses
+    HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity,
+    to conform with the latest TC-26 requirements (#1225).
+  * libgnutls: The library now provides a means to report the status
+    of approved cryptographic operations (!1465). To adhere to the
+    FIPS140-3 IG 2.4.C., this complements the existing mechanism to
+    prohibit the use of unapproved algorithms by making the library
+    unusable state.
+  * gnutls-cli: The gnutls-cli command now provides a --list-config
+    option to print the library configuration (!1508).
+  * libgnutls: Fixed possible race condition in
+    gnutls_x509_trust_list_verify_crt2 when a single trust list object
+    is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17,
+    CVSS: low]
+  * API and ABI modifications:
+    GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+      gnutls_privkey_flags_t
+    GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in
+      gnutls_certificate_verify_flags
+    gnutls_ecc_curve_set_enabled: Added.
+    gnutls_sign_set_secure: Added.
+    gnutls_sign_set_secure_for_certs: Added.
+    gnutls_digest_set_secure: Added.
+    gnutls_protocol_set_enabled: Added.
+    gnutls_fips140_context_init: New function
+    gnutls_fips140_context_deinit: New function
+    gnutls_fips140_push_context: New function
+    gnutls_fips140_pop_context: New function
+    gnutls_fips140_get_operation_state: New function
+    gnutls_fips140_operation_state_t: New enum
+    gnutls_transport_is_ktls_enabled: New function
+    gnutls_get_library_configuration: New function
+  * Remove patches fixed in the update:
+    - gnutls-FIPS-module-version.patch
+    - gnutls-FIPS-service-indicator.patch
+    - gnutls-FIPS-service-indicator-public-key.patch
+    - gnutls-FIPS-service-indicator-symmetric-key.patch
+    - gnutls-FIPS-RSA-PSS-flags.patch
+    - gnutls-FIPS-RSA-mod-sizes.patch
+
+-------------------------------------------------------------------
+Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
+  * Remove patches:
+    - gnutls-temporarily_disable_broken_guile_reauth_test.patch
+    - disable-psk-file-test.patch
+
+-------------------------------------------------------------------
+Mon Jan 17 12:37:02 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Provide module identifier and version [bsc#1190796]
+  * Add configurable options to output the module name/identifier
+    (--with-fips140-module-name) and the module version
+    (--with-fips140-module-version).
+  * Add the CLI option list-config that reports the configuration
+    of the library.
+  * Add gnutls-FIPS-module-version.patch
+
+-------------------------------------------------------------------
+Wed Dec 22 18:56:24 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Provide a service-level indicator [bsc#1190698]
+  * Add support for a "service indicator" as required in
+    the FIPS140-3 Implementation Guidance in section 2.4.C
+  * Add patches:
+    - gnutls-FIPS-service-indicator.patch
+    - gnutls-FIPS-service-indicator-public-key.patch
+    - gnutls-FIPS-service-indicator-symmetric-key.patch
+    - gnutls-FIPS-RSA-PSS-flags.patch
+
+-------------------------------------------------------------------
+Thu Dec 16 12:35:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
+  * fips: allow more RSA modulus sizes
+  * Add gnutls-FIPS-RSA-mod-sizes.patch
+  * Delete gnutls-3.6.7-fips-rsa-4096.patch
+
 -------------------------------------------------------------------
 Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -6,6 +128,18 @@ Fri Nov 26 08:26:19 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
   leading project (and the condition causes issues as Tumbleweed
   needs to move away from 1550 due to CODE 15 SP5 plans).
 
+-------------------------------------------------------------------
+Fri Oct 15 11:03:53 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]
+- Add DANE guards
+
+-------------------------------------------------------------------
+Wed Jul 21 10:21:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch
+  since its already working.
+
 -------------------------------------------------------------------
 Tue Jun  1 01:00:34 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
 

gnutls.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,7 +34,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.2
+Version:        3.7.3
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -46,8 +46,7 @@ Source2:        gnutls.keyring
 Source3:        baselibs.conf
 Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
-Patch2:         gnutls-temporarily_disable_broken_guile_reauth_test.patch
+Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
-Patch3:         gnutls-FIPS-TLS_KDF_selftest.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -89,7 +88,8 @@ BuildRequires:  libunbound-devel
 %if %{with guile}
 BuildRequires:  guile-devel
 %endif
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires:  crypto-policies
 Requires:       crypto-policies
 %endif
 
@@ -100,13 +100,13 @@ of the IETF's TLS working group.
 
 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
-# install libopenssl and libopenssl-hmac close together (bsc#1090765)
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-%if 0%{?suse_version} && ! 0%{?sle_version}
+# install libgnutls and libgnutls-hmac close together (bsc#1090765)
+Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
-Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
 
 %description -n libgnutls%{gnutls_sover}
 The GnuTLS library provides a secure layer over a reliable transport
@@ -122,6 +122,7 @@ Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}
 %description -n libgnutls%{gnutls_sover}-hmac
 FIPS SHA256 checksums of the libgnutls library.
 
+%if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
@@ -131,12 +132,13 @@ Group:          System/Libraries
 The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer.
 This package contains the "DANE" part of gnutls.
+%endif
 
 %package -n libgnutlsxx%{gnutlsxx_sover}
 Summary:        C++ API for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
 
@@ -149,7 +151,7 @@ of the IETF's TLS working group.
 Summary:        Development package for the GnuTLS C API
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
-%if 0%{?suse_version} && ! 0%{?sle_version}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
 Requires:       glibc-devel
@@ -161,6 +163,7 @@ Provides:       gnutls-devel = %{version}-%{release}
 %description -n libgnutls-devel
 Files needed for software development using gnutls.
 
+%if %{with dane}
 %package -n libgnutls-dane-devel
 Summary:        Development package for GnuTLS DANE component
 License:        LGPL-2.1-or-later
@@ -169,6 +172,7 @@ Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 
 %description -n libgnutls-dane-devel
 Files needed for software development using gnutls.
+%endif
 
 %package -n libgnutlsxx-devel
 Summary:        Development package for the GnuTLS C++ API
@@ -222,8 +226,15 @@ export CXXFLAGS="%{optflags} -fPIE"
         --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
 %else
         --disable-libdane \
+%endif
+%if %{with guile}
+        --enable-guile \
+%else
+        --disable-guile \
 %endif
         --enable-fips140-mode \
+        --with-fips140-module-name="GnuTLS version" \
+        --with-fips140-module-version="%{version}-%{release}" \
         %{nil}
 
 make %{?_smp_mflags}
@@ -255,7 +266,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
 
 %check
 %if ! 0%{?qemu_user_space_build}
-#make %%{?_smp_mflags} check || {
+# export GNUTLS_FORCE_FIPS_MODE=1
 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
     find -name test-suite.log -print -exec cat {} +
     exit 1