From 3796933089b127db79c0a31042062b6ed8b731154cf9783fd970971c0f7f10e7 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
Date: Mon, 1 Aug 2022 08:36:39 +0000
Subject: [PATCH 1/2] Accepting request 991873 from
 home:pmonrealgonzalez:branches:security:tls

- Update to 3.7.7:
  * libgnutls: Fixed double free during verification of pkcs7
    signatures. CVE-2022-2509
  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
    less than or equal to 255 times hash digest size, to comply with
    RFC 5869 2.3.
  * libgnutls: Length limit for TLS PSK usernames has been increased
    from 128 to 65535 characters
  * libgnutls: AES-GCM encryption function now limits plaintext
    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
  * libgnutls: New block cipher functions have been added to
    transparently handle padding. gnutls_cipher_encrypt3 and
    gnutls_cipher_decrypt3 can be used in combination of
    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
    padding if the length of the original plaintext is not a multiple
    of the block size.
  * libgnutls: New function for manual FIPS self-testing.
  * API and ABI modifications:
    - gnutls_fips140_run_self_tests: New function
    - gnutls_cipher_encrypt3: New function
    - gnutls_cipher_decrypt3: New function
    - gnutls_cipher_padding_flags_t: New enum
  * guile: Guile 1.8 is no longer supported
  * guile: Session record port treats premature termination as EOF Previously,
    a 'gnutls-error' exception with the 'error/premature-termination' value
    would be thrown while reading from a session record port when the
    underlying session was terminated prematurely. This was inconvenient
    since users of the port may not be prepared to handle such an exception.
    Reading from the session record port now returns the end-of-file object
    instead of throwing an exception, just like it would for a proper

OBS-URL: https://build.opensuse.org/request/show/991873
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=69
---
 gnutls-3.6.6-set_guile_site_dir.patch     |  16 +++----
 gnutls-3.7.6.tar.xz                       |   3 --
 gnutls-3.7.6.tar.xz.sig                   | Bin 685 -> 0 bytes
 gnutls-3.7.7.tar.xz                       |   3 ++
 gnutls-3.7.7.tar.xz.sig                   | Bin 0 -> 685 bytes
 gnutls-FIPS-PBKDF2-KAT-requirements.patch |  22 ----------
 gnutls-FIPS-TLS_KDF_selftest.patch        |  16 ++++---
 gnutls-FIPS-disable-failing-tests.patch   |  27 ++++++++----
 gnutls.changes                            |  49 ++++++++++++++++++++++
 gnutls.spec                               |   8 ++--
 10 files changed, 88 insertions(+), 56 deletions(-)
 delete mode 100644 gnutls-3.7.6.tar.xz
 delete mode 100644 gnutls-3.7.6.tar.xz.sig
 create mode 100644 gnutls-3.7.7.tar.xz
 create mode 100644 gnutls-3.7.7.tar.xz.sig
 delete mode 100644 gnutls-FIPS-PBKDF2-KAT-requirements.patch

diff --git a/gnutls-3.6.6-set_guile_site_dir.patch b/gnutls-3.6.6-set_guile_site_dir.patch
index 3b61a9b..054b7f9 100644
--- a/gnutls-3.6.6-set_guile_site_dir.patch
+++ b/gnutls-3.6.6-set_guile_site_dir.patch
@@ -1,13 +1,13 @@
-Index: gnutls-3.6.15/configure
+Index: gnutls-3.7.7/configure
 ===================================================================
---- gnutls-3.6.15.orig/configure	2020-09-08 10:24:22.362083215 +0200
-+++ gnutls-3.6.15/configure	2020-09-08 10:24:28.510124171 +0200
-@@ -69365,7 +69365,7 @@ fi
+--- gnutls-3.7.7.orig/configure
++++ gnutls-3.7.7/configure
+@@ -74223,7 +74223,7 @@ fi
  
-   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
- $as_echo_n "checking for Guile site directory... " >&6; }
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
+ printf %s "checking for Guile site directory... " >&6; }
 -  GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION`
 +  GUILE_SITE=/usr/share/guile
-   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
- $as_echo "$GUILE_SITE" >&6; }
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
+ printf "%s\n" "$GUILE_SITE" >&6; }
    if test "$GUILE_SITE" = ""; then
diff --git a/gnutls-3.7.6.tar.xz b/gnutls-3.7.6.tar.xz
deleted file mode 100644
index 1a101d8..0000000
--- a/gnutls-3.7.6.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff
-size 6338276
diff --git a/gnutls-3.7.6.tar.xz.sig b/gnutls-3.7.6.tar.xz.sig
deleted file mode 100644
index 4c6fdb836161a808310b1c9451acd3f4c00f78bd951f13efdbb42287dc9f7fbb..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 685
zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%DM=asUbm5Y`2R
zj@Raxag~S<|6D@l3C3#|Jf^=OwKKysslXB+p;!Ex&05zgiTPH4f-KUI^0rO|%5HLC
zcqlZLJfI{ft90^YHlVmsW)tiIu5|vOl1A3=r=NDpLbuo^P5iV~Z+iBr#DLYG_l^-N
z+@%p;65TrGX*i(k0ncB=DN2|=SdBdZ{z}TT7YJzgd1Gl)R-71t9Q>nrlmFsxeI4)7
z>|q#*M2D~Y380*5)@$X#B`lg0oraC@$tlt)#8EE*=!619mLQo7xciwU-KDl|G~PmX
zY_{lGs%M0eh}D7x4UyAoekX+{eM$g-=HuV9rmaV_{JKfa+Z~^qu|4^2?Jp0oi>E#I
zKXKXFg;k#?1p~(g-e*Y1yN6xR1Hruv@nk8NM7n`s3rV{Hw(j&apnj*?g(n&OGf0Cy
zt$0!7N0u;x={}M;VX>uG_`zH0vX4YYSf8wj_pC&#>tiUL{%EMrFH8<(>LG!Ha_@i-
z4Fo<So`;xH!J6sXZYB|{g+`c3lqCoN_#<p75_xWyXgg{FMb)<?NE|Pyr&FsNy1-N*
z%E67?u~)xbQA!)FWhl#dg_#-p{vRY-_YdUNlmFZ@%T%T3vYkt5+Qcu)>0C@#5uqcs
zZL4w_X10cGjIq8Gs_rimDBxqByOUO7eR~O!%%s8ni;$kT5P65+Hn#qFy(#!8gF{|f
z{fKo002T@W9Tp)3T}I0fb~FX21vOUmdUd8qv-u(n1p;D_l4Sr22@ra9rbx5-A`I}}
z0RA~Yf@MX8iwd_>M6_sh73C=7B7}?+21`rW9!3W-oTC8%yxSB_;^bY^-$zRA&RE{(
THJM||bc2D~!02dd{<MP)NO(ox

diff --git a/gnutls-3.7.7.tar.xz b/gnutls-3.7.7.tar.xz
new file mode 100644
index 0000000..a9bf40a
--- /dev/null
+++ b/gnutls-3.7.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be9143d0d58eab64dba9b77114aaafac529b6c0d7e81de6bdf1c9b59027d2106
+size 6351664
diff --git a/gnutls-3.7.7.tar.xz.sig b/gnutls-3.7.7.tar.xz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..5406f222c7fd3d1f93d1e5bbecee86420124637bada1c4b877080375fdcc4c4f
GIT binary patch
literal 685
zcmV;e0#f~n0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%GEs`~V6G5Y`2R
zj@RaxaZp+h{w0(&Lqs0#=Rr`Yltw6^=~Xpll_pmFJ(@;wkR?#JYkkc~;cUN<FVG@n
z)lGe&44d}Gp$t%YcmMM+aHK_OK55-JGIxN9K}2whJ%cMHw|@xe%B4n}a(?TdRO|tm
zWsk#P2F4kdh8!4FwgA-=4~MO2pigd{QYz3!wTJ>{tg>e!cdumtUZiZw9Id-cm35L+
zH1GE`Lk5jGZa3H7uNj$CH1wT~#8IIa_5w0R<W*@mTDzjYyk;5DG$wu9vU8eS$$ZO7
zvaJ+@<8@uUQa(DGSV6ISiU_`j!v%E|iK#MEzVKM*^!GSdzeKH}2*a1ZRu&Y|tjCG|
zgLlikZINpQ4$|yDcnWzHz+T@7_EL}w{M@;QcM+x!a#OY??Wd3w_cb6L+~ePDI;KzW
z#G@*m^#@qIxCi+>31S{&SbZ|OcDns3sud2R0OS?H`Lb;$FF)6!eIf&o79oY?B4`J7
za^EV}QKHK1W2;|IOGN#3Z+(>8&LX_VRDl#K9>7P&Q>;nYhMZky8MSOP$qMDmWX9mT
zz&&~Jf;uSxZMMIA4&B*Qu)ek{k-=PcyT`!+6GL+i<w5l%16}9>Hm{D3iMU84N&*xq
z+-iI))|KI`Xfw)#dc2@nQ9GOlH;XWb2oFt5NK<tOfUQFFF0pKm6^6^EVTSml(qT%P
zZHRRQ02T@W9Tp)3T}I0fb~FX21vOUmdUd8qv-u(n1p;E?fmQ$t2@ra9rbx5-A`CJG
z0RX;Z<9n2Fwfjj&myJ0lWKgIlATBen<$>O*Fn!<J<Gld@l_bOmg~}VPiou(11Hn!^
TOKg}e<QWHDZ5(|Oz9vZqvJ5l@

literal 0
HcmV?d00001

diff --git a/gnutls-FIPS-PBKDF2-KAT-requirements.patch b/gnutls-FIPS-PBKDF2-KAT-requirements.patch
deleted file mode 100644
index 669eeca..0000000
--- a/gnutls-FIPS-PBKDF2-KAT-requirements.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: gnutls-3.7.5/lib/crypto-selftests.c
-===================================================================
---- gnutls-3.7.5.orig/lib/crypto-selftests.c
-+++ gnutls-3.7.5/lib/crypto-selftests.c
-@@ -3123,6 +3123,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
- 		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
- 		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
- 	},
-+	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
-+	{
-+		STR(key, key_size, "passwordPASSWORDpassword"),
-+		STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
-+		.iter_count = 4096,
-+		STR(output, output_size,
-+		    "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
-+		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
-+		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
-+	},
- };
- 
- static int test_pbkdf2(gnutls_mac_algorithm_t mac,
-
diff --git a/gnutls-FIPS-TLS_KDF_selftest.patch b/gnutls-FIPS-TLS_KDF_selftest.patch
index baa8106..38a8c0a 100644
--- a/gnutls-FIPS-TLS_KDF_selftest.patch
+++ b/gnutls-FIPS-TLS_KDF_selftest.patch
@@ -1,9 +1,9 @@
-Index: gnutls-3.6.15/lib/fips.c
+Index: gnutls-3.7.7/lib/fips.c
 ===================================================================
---- gnutls-3.6.15.orig/lib/fips.c	2020-09-03 16:59:05.000000000 +0200
-+++ gnutls-3.6.15/lib/fips.c	2020-11-10 12:51:40.420071675 +0100
-@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo
- 		goto error;
+--- gnutls-3.7.7.orig/lib/fips.c
++++ gnutls-3.7.7/lib/fips.c
+@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
  	}
  
 +        /* KDF */
@@ -18,14 +18,12 @@ Index: gnutls-3.6.15/lib/fips.c
 +	ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
 +		label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
 +	if (ret < 0) {
-+		gnutls_assert();
-+		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +	}
 +
 +	ret = memcmp(derived, expected.data, expected.size);
 +	if (ret != 0) {
-+		gnutls_assert();
-+		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +	}
 +
  	/* PK */
diff --git a/gnutls-FIPS-disable-failing-tests.patch b/gnutls-FIPS-disable-failing-tests.patch
index 405813a..d4fefa7 100644
--- a/gnutls-FIPS-disable-failing-tests.patch
+++ b/gnutls-FIPS-disable-failing-tests.patch
@@ -1,8 +1,8 @@
-Index: gnutls-3.7.3/guile/Makefile.am
+Index: gnutls-3.7.7/guile/Makefile.am
 ===================================================================
---- gnutls-3.7.3.orig/guile/Makefile.am
-+++ gnutls-3.7.3/guile/Makefile.am
-@@ -102,8 +102,6 @@ endif HAVE_GUILD
+--- gnutls-3.7.7.orig/guile/Makefile.am
++++ gnutls-3.7.7/guile/Makefile.am
+@@ -102,14 +102,11 @@ endif HAVE_GUILD
  #
  
  TESTS =						\
@@ -11,11 +11,17 @@ Index: gnutls-3.7.3/guile/Makefile.am
    tests/pkcs-import-export.scm			\
    tests/errors.scm				\
    tests/x509-certificates.scm			\
-Index: gnutls-3.7.3/guile/Makefile.in
+   tests/x509-auth.scm				\
+   tests/reauth.scm				\
+-  tests/premature-termination.scm		\
+   tests/priorities.scm
+ 
+ if ENABLE_SRP
+Index: gnutls-3.7.7/guile/Makefile.in
 ===================================================================
---- gnutls-3.7.3.orig/guile/Makefile.in
-+++ gnutls-3.7.3/guile/Makefile.in
-@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+--- gnutls-3.7.7.orig/guile/Makefile.in
++++ gnutls-3.7.7/guile/Makefile.in
+@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap
  #
  # Tests.
  #
@@ -23,5 +29,8 @@ Index: gnutls-3.7.3/guile/Makefile.in
 -	tests/pkcs-import-export.scm tests/errors.scm \
 +TESTS = tests/pkcs-import-export.scm tests/errors.scm \
  	tests/x509-certificates.scm tests/x509-auth.scm \
- 	tests/reauth.scm tests/priorities.scm $(am__append_2)
+-	tests/reauth.scm tests/premature-termination.scm \
++	tests/reauth.scm \
+ 	tests/priorities.scm $(am__append_2)
  TESTS_ENVIRONMENT = \
+   GUILE_AUTO_COMPILE=0				\
diff --git a/gnutls.changes b/gnutls.changes
index 65cb7c7..aa07157 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.7:
+  * libgnutls: Fixed double free during verification of pkcs7
+    signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+    less than or equal to 255 times hash digest size, to comply with
+    RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+    from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+    transparently handle padding. gnutls_cipher_encrypt3 and
+    gnutls_cipher_decrypt3 can be used in combination of
+    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+    padding if the length of the original plaintext is not a multiple
+    of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+    - gnutls_fips140_run_self_tests: New function
+    - gnutls_cipher_encrypt3: New function
+    - gnutls_cipher_decrypt3: New function
+    - gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+    a 'gnutls-error' exception with the 'error/premature-termination' value
+    would be thrown while reading from a session record port when the
+    underlying session was terminated prematurely. This was inconvenient
+    since users of the port may not be prepared to handle such an exception.
+    Reading from the session record port now returns the end-of-file object
+    instead of throwing an exception, just like it would for a proper
+    session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+    'session-record-port' procedure now takes an optional second parameter,
+    and a new 'set-session-record-port-close!' procedure is provided to
+    specify a 'close' procedure for a session record port. This 'close'
+    procedure lets users specify cleanup operations for when the port is
+    closed, such as closing the file descriptor or port that backs the
+    underlying session.
+  * Rebase patches:
+    - gnutls-3.6.6-set_guile_site_dir.patch
+    - gnutls-FIPS-TLS_KDF_selftest.patch
+    - gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+    - gnutls-FIPS-PBKDF2-KAT-requirements.patch
+    - https://gitlab.com/gnutls/gnutls/merge_requests/1561
+
 -------------------------------------------------------------------
 Fri May 27 16:56:26 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
 
diff --git a/gnutls.spec b/gnutls.spec
index e829ab0..a6cb5c6 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.6
+Version:        3.7.7
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -50,8 +50,6 @@ Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
 Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
 Patch3:         gnutls-FIPS-disable-failing-tests.patch
-#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
-Patch4:         gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -91,7 +89,7 @@ BuildRequires:  libunbound-devel
 %endif
 %endif
 %if %{with guile}
-BuildRequires:  guile-devel
+BuildRequires:  guile-devel > 1.8
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
@@ -194,7 +192,7 @@ Files needed for software development using gnutls.
 Summary:        Guile wrappers for gnutls
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/Other
-Requires:       guile
+Requires:       guile > 1.8
 
 %description guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.

From caa2421fca3d35a6c8831e7cc7d9ac03f2c430a6598fd2b42d1c8ee2c41772c0 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
Date: Mon, 1 Aug 2022 10:36:16 +0000
Subject: [PATCH 2/2] Accepting request 991994 from
 home:pmonrealgonzalez:branches:security:tls

adding the new CVE number

OBS-URL: https://build.opensuse.org/request/show/991994
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=70
---
 gnutls.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnutls.changes b/gnutls.changes
index aa07157..fe82799 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 
-- Update to 3.7.7:
+- Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
   * libgnutls: Fixed double free during verification of pkcs7
     signatures. CVE-2022-2509
   * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument