Accepting request 991995 from security:tls

OBS-URL: https://build.opensuse.org/request/show/991995
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=140

gnutls-3.6.6-set_guile_site_dir.patch

@@ -1,13 +1,13 @@
-Index: gnutls-3.6.15/configure
+Index: gnutls-3.7.7/configure
 ===================================================================
---- gnutls-3.6.15.orig/configure	2020-09-08 10:24:22.362083215 +0200
+--- gnutls-3.7.7.orig/configure
-+++ gnutls-3.6.15/configure	2020-09-08 10:24:28.510124171 +0200
++++ gnutls-3.7.7/configure
-@@ -69365,7 +69365,7 @@ fi
+@@ -74223,7 +74223,7 @@ fi
  
-   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Guile site directory" >&5
- $as_echo_n "checking for Guile site directory... " >&6; }
+ printf %s "checking for Guile site directory... " >&6; }
 -  GUILE_SITE=`$PKG_CONFIG --print-errors --variable=sitedir guile-$GUILE_EFFECTIVE_VERSION`
 +  GUILE_SITE=/usr/share/guile
-   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
+   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GUILE_SITE" >&5
- $as_echo "$GUILE_SITE" >&6; }
+ printf "%s\n" "$GUILE_SITE" >&6; }
    if test "$GUILE_SITE" = ""; then

gnutls-3.7.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:77065719a345bfb18faa250134be4c53bef70c1bd61f6c0c23ceb8b44f0262ff
-size 6338276

gnutls-3.7.7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be9143d0d58eab64dba9b77114aaafac529b6c0d7e81de6bdf1c9b59027d2106
+size 6351664

gnutls-FIPS-PBKDF2-KAT-requirements.patch

@@ -1,22 +0,0 @@
-Index: gnutls-3.7.5/lib/crypto-selftests.c
-===================================================================
---- gnutls-3.7.5.orig/lib/crypto-selftests.c
-+++ gnutls-3.7.5/lib/crypto-selftests.c
-@@ -3123,6 +3123,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
- 		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
- 		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
- 	},
-+	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
-+	{
-+		STR(key, key_size, "passwordPASSWORDpassword"),
-+		STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
-+		.iter_count = 4096,
-+		STR(output, output_size,
-+		    "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
-+		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
-+		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
-+	},
- };
- 
- static int test_pbkdf2(gnutls_mac_algorithm_t mac,
-

gnutls-FIPS-TLS_KDF_selftest.patch

@@ -1,9 +1,9 @@
-Index: gnutls-3.6.15/lib/fips.c
+Index: gnutls-3.7.7/lib/fips.c
 ===================================================================
---- gnutls-3.6.15.orig/lib/fips.c	2020-09-03 16:59:05.000000000 +0200
+--- gnutls-3.7.7.orig/lib/fips.c
-+++ gnutls-3.6.15/lib/fips.c	2020-11-10 12:51:40.420071675 +0100
++++ gnutls-3.7.7/lib/fips.c
-@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo
+@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
- 		goto error;
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
  	}
  
 +        /* KDF */
@@ -18,14 +18,12 @@ Index: gnutls-3.6.15/lib/fips.c
 +	ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
 +		label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
 +	if (ret < 0) {
-+		gnutls_assert();
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+		goto error;
 +	}
 +
 +	ret = memcmp(derived, expected.data, expected.size);
 +	if (ret != 0) {
-+		gnutls_assert();
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+		goto error;
 +	}
 +
  	/* PK */

gnutls-FIPS-disable-failing-tests.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.7.3/guile/Makefile.am
+Index: gnutls-3.7.7/guile/Makefile.am
 ===================================================================
---- gnutls-3.7.3.orig/guile/Makefile.am
+--- gnutls-3.7.7.orig/guile/Makefile.am
-+++ gnutls-3.7.3/guile/Makefile.am
++++ gnutls-3.7.7/guile/Makefile.am
-@@ -102,8 +102,6 @@ endif HAVE_GUILD
+@@ -102,14 +102,11 @@ endif HAVE_GUILD
  #
  
  TESTS =						\
@@ -11,11 +11,17 @@ Index: gnutls-3.7.3/guile/Makefile.am
    tests/pkcs-import-export.scm			\
    tests/errors.scm				\
    tests/x509-certificates.scm			\
-Index: gnutls-3.7.3/guile/Makefile.in
+   tests/x509-auth.scm				\
+   tests/reauth.scm				\
+-  tests/premature-termination.scm		\
+   tests/priorities.scm
+ 
+ if ENABLE_SRP
+Index: gnutls-3.7.7/guile/Makefile.in
 ===================================================================
---- gnutls-3.7.3.orig/guile/Makefile.in
+--- gnutls-3.7.7.orig/guile/Makefile.in
-+++ gnutls-3.7.3/guile/Makefile.in
++++ gnutls-3.7.7/guile/Makefile.in
-@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+@@ -2335,10 +2335,9 @@ CLEANFILES = modules/gnutls.scm $(am__ap
  #
  # Tests.
  #
@@ -23,5 +29,8 @@ Index: gnutls-3.7.3/guile/Makefile.in
 -	tests/pkcs-import-export.scm tests/errors.scm \
 +TESTS = tests/pkcs-import-export.scm tests/errors.scm \
  	tests/x509-certificates.scm tests/x509-auth.scm \
- 	tests/reauth.scm tests/priorities.scm $(am__append_2)
+-	tests/reauth.scm tests/premature-termination.scm \
++	tests/reauth.scm \
+ 	tests/priorities.scm $(am__append_2)
  TESTS_ENVIRONMENT = \
+   GUILE_AUTO_COMPILE=0				\

gnutls.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Fri Jul 29 14:29:17 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.7: [bsc#1202020, CVE-2022-2509]
+  * libgnutls: Fixed double free during verification of pkcs7
+    signatures. CVE-2022-2509
+  * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument
+    less than or equal to 255 times hash digest size, to comply with
+    RFC 5869 2.3.
+  * libgnutls: Length limit for TLS PSK usernames has been increased
+    from 128 to 65535 characters
+  * libgnutls: AES-GCM encryption function now limits plaintext
+    length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+  * libgnutls: New block cipher functions have been added to
+    transparently handle padding. gnutls_cipher_encrypt3 and
+    gnutls_cipher_decrypt3 can be used in combination of
+    GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove
+    padding if the length of the original plaintext is not a multiple
+    of the block size.
+  * libgnutls: New function for manual FIPS self-testing.
+  * API and ABI modifications:
+    - gnutls_fips140_run_self_tests: New function
+    - gnutls_cipher_encrypt3: New function
+    - gnutls_cipher_decrypt3: New function
+    - gnutls_cipher_padding_flags_t: New enum
+  * guile: Guile 1.8 is no longer supported
+  * guile: Session record port treats premature termination as EOF Previously,
+    a 'gnutls-error' exception with the 'error/premature-termination' value
+    would be thrown while reading from a session record port when the
+    underlying session was terminated prematurely. This was inconvenient
+    since users of the port may not be prepared to handle such an exception.
+    Reading from the session record port now returns the end-of-file object
+    instead of throwing an exception, just like it would for a proper
+    session termination.
+  * guile: Session record ports can have a 'close' procedure. The
+    'session-record-port' procedure now takes an optional second parameter,
+    and a new 'set-session-record-port-close!' procedure is provided to
+    specify a 'close' procedure for a session record port. This 'close'
+    procedure lets users specify cleanup operations for when the port is
+    closed, such as closing the file descriptor or port that backs the
+    underlying session.
+  * Rebase patches:
+    - gnutls-3.6.6-set_guile_site_dir.patch
+    - gnutls-FIPS-TLS_KDF_selftest.patch
+    - gnutls-FIPS-disable-failing-tests.patch
+  * Remove patch merged upstream:
+    - gnutls-FIPS-PBKDF2-KAT-requirements.patch
+    - https://gitlab.com/gnutls/gnutls/merge_requests/1561
+
 -------------------------------------------------------------------
 Fri May 27 16:56:26 UTC 2022 - Antoine Belvire <antoine.belvire@opensuse.org>
 

gnutls.spec

@@ -36,7 +36,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.6
+Version:        3.7.7
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -50,8 +50,6 @@ Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
 Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
 Patch3:         gnutls-FIPS-disable-failing-tests.patch
-#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
-Patch4:         gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -91,7 +89,7 @@ BuildRequires:  libunbound-devel
 %endif
 %endif
 %if %{with guile}
-BuildRequires:  guile-devel
+BuildRequires:  guile-devel > 1.8
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
@@ -194,7 +192,7 @@ Files needed for software development using gnutls.
 Summary:        Guile wrappers for gnutls
 License:        LGPL-2.1-or-later
 Group:          Development/Libraries/Other
-Requires:       guile
+Requires:       guile > 1.8
 
 %description guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.