pool/gnutls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1161324 from home:pmonrealgonzalez:branches:security:tls

Browse Source 
- jitterentropy: Release the memory of the entropy collector when
  using jitterentropy with phtreads as there is also a
  pre-intitization done in the main thread. [bsc#1221242]
  * Add gnutls-FIPS-jitterentropy-deinit-threads.patch

- Update to 3.8.4:
  * libgnutls: RSA-OAEP encryption scheme is now supported
    To use it with an unrestricted RSA private key, one would need to
    initialize a gnutls_x509_spki_t object with necessary parameters
    for RSA-OAEP and attach it to the private key. It is also possible
    to import restricted private keys if they are stored in PKCS#8
    format.
  * libgnutls: Fix side-channel in the deterministic ECDSA.
    Reported by George Pantelakis (#1516).
    [GNUTLS-SA-2023-12-04, CVSS: medium] [bsc#1221746, CVE-2024-28834]
  * libgnutls: Fixed a bug where certtool crashed when verifying a
    certificate chain with more than 16 certificates. Reported by
    William Woodruff (#1525) and yixiangzhike (#1527).
    [GNUTLS-SA-2024-01-23, CVSS: medium] [bsc#1221747, CVE-2024-28835]
  * libgnutls: Compression libraries are now loaded dynamically as needed
    instead of all being loaded during gnutls library initialization.
    As a result, the library initialization should be faster.
  * build: The gnutls library can now be linked with the static library
    of GMP.  Note that in order for this to work libgmp.a needs to be
    compiled with -fPIC and libhogweed in Nettle also has to be linked
    to the static library of GMP.  This can be used to prevent custom
    memory allocators from being overriden by other applications.
  * API and ABI modifications:
    - gnutls_x509_spki_get_rsa_oaep_params: New function.
    - gnutls_x509_spki_set_rsa_oaep_params: New function.

OBS-URL: https://build.opensuse.org/request/show/1161324
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=107
This commit is contained in:
Pedro Monreal Gonzalez 2024-03-27 18:58:32 +00:00 committed by Git OBS Bridge
parent 083e0fac3f
commit a4ac49a50a
9 changed files with 296 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
gnutls-3.8.3.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

BIN
gnutls-3.8.3.tar.xz.sig
View File

Binary file not shown.

3
gnutls-3.8.4.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b
size 6487520

BIN
gnutls-3.8.4.tar.xz.sig Normal file
View File

Binary file not shown.

337
gnutls-FIPS-140-3-references.patch
View File

@ -1,7 +1,7 @@
Index: gnutls-3.8.3/configure.ac Index: gnutls-3.8.4/configure.ac
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/configure.ac --- gnutls-3.8.4.orig/configure.ac
+++ gnutls-3.8.3/configure.ac +++ gnutls-3.8.4/configure.ac
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared @@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);]) AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
@ -25,10 +25,10 @@ Index: gnutls-3.8.3/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]), [specify the FIPS140 module name]),
Index: gnutls-3.8.3/doc/cha-gtls-app.texi Index: gnutls-3.8.4/doc/cha-gtls-app.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/cha-gtls-app.texi --- gnutls-3.8.4.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.3/doc/cha-gtls-app.texi +++ gnutls-3.8.4/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are @@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize @end itemize
@ -38,10 +38,10 @@ Index: gnutls-3.8.3/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement. if set to one it will force the FIPS mode enablement.
@end multitable @end multitable
Index: gnutls-3.8.3/doc/cha-internals.texi Index: gnutls-3.8.4/doc/cha-internals.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/cha-internals.texi --- gnutls-3.8.4.orig/doc/cha-internals.texi
+++ gnutls-3.8.3/doc/cha-internals.texi +++ gnutls-3.8.4/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box. @@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling:: * TLS Hello Extension Handling::
* Cryptographic Backend:: * Cryptographic Backend::
@ -162,11 +162,11 @@ Index: gnutls-3.8.3/doc/cha-internals.texi
operation. It can be attached to the current execution thread with operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be @funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with updated until it is detached with
Index: gnutls-3.8.3/doc/enums.texi Index: gnutls-3.8.4/doc/enums.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/enums.texi --- gnutls-3.8.4.orig/doc/enums.texi
+++ gnutls-3.8.3/doc/enums.texi +++ gnutls-3.8.4/doc/enums.texi
@@ -1188,7 +1188,7 @@ application traffic secret is installed @@ -1190,7 +1190,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@item GNUTLS_@-FIPS140_@-DISABLED @item GNUTLS_@-FIPS140_@-DISABLED
@ -175,7 +175,7 @@ Index: gnutls-3.8.3/doc/enums.texi
@item GNUTLS_@-FIPS140_@-STRICT @item GNUTLS_@-FIPS140_@-STRICT
The default mode; all forbidden operations will cause an The default mode; all forbidden operations will cause an
operation failure via error code. operation failure via error code.
@@ -1196,8 +1196,8 @@ operation failure via error code. @@ -1198,8 +1198,8 @@ operation failure via error code.
A transient state during library initialization. That state A transient state during library initialization. That state
cannot be set or seen by applications. cannot be set or seen by applications.
@item GNUTLS_@-FIPS140_@-LAX @item GNUTLS_@-FIPS140_@-LAX
@ -186,10 +186,10 @@ Index: gnutls-3.8.3/doc/enums.texi
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode Index: gnutls-3.8.4/doc/functions/gnutls_fips140_set_mode
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/functions/gnutls_fips140_set_mode --- gnutls-3.8.4.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode +++ gnutls-3.8.4/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@ -215,10 +215,10 @@ Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.3/doc/gnutls.html Index: gnutls-3.8.4/doc/gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/gnutls.html --- gnutls-3.8.4.orig/doc/gnutls.html
+++ gnutls-3.8.3/doc/gnutls.html +++ gnutls-3.8.4/doc/gnutls.html
@@ -484,7 +484,7 @@ Documentation License&rdquo;. @@ -484,7 +484,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li> <li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li> <li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
@ -228,7 +228,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</ul></li> </ul></li>
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li> <li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a> <li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
@@ -9035,7 +9035,7 @@ CPU. The currently available options are @@ -9041,7 +9041,7 @@ CPU. The currently available options are
</li><li>0x200000: Enable VIA PHE </li><li>0x200000: Enable VIA PHE
</li><li>0x400000: Enable VIA PHE SHA512 </li><li>0x400000: Enable VIA PHE SHA512
</li></ul></td></tr> </li></ul></td></tr>
@ -237,7 +237,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
if set to one it will force the FIPS mode enablement.</td></tr> if set to one it will force the FIPS mode enablement.</td></tr>
</tbody> </tbody>
</table> </table>
@@ -18446,7 +18446,7 @@ None: @@ -18452,7 +18452,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
- file must pre-exist - file must pre-exist
@ -246,7 +246,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
@@ -19468,7 +19468,7 @@ happens inside the black box. @@ -19474,7 +19474,7 @@ happens inside the black box.
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li> <li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li> <li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li> <li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
@ -255,7 +255,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</ul> </ul>
<hr> <hr>
<div class="section-level-extent" id="The-TLS-Protocol"> <div class="section-level-extent" id="The-TLS-Protocol">
@@ -19997,7 +19997,7 @@ For more information see <a class="ref" @@ -20003,7 +20003,7 @@ For more information see <a class="ref"
<div class="section-level-extent" id="Random-Number-Generators_002dinternals"> <div class="section-level-extent" id="Random-Number-Generators_002dinternals">
<div class="nav-panel"> <div class="nav-panel">
<p> <p>
@ -264,7 +264,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</div> </div>
<h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3> <h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3>
@@ -20005,7 +20005,7 @@ Next: <a href="#FIPS140_002d2-mode" acce @@ -20011,7 +20011,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random <p>GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for generator which is only used when the library is compiled with support for
@ -273,7 +273,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</p> </p>
<h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4> <h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4>
@@ -20142,22 +20142,22 @@ on the above paragraph, all levels are i @@ -20148,22 +20148,22 @@ on the above paragraph, all levels are i
<p> <p>
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p> Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div> </div>
@ -302,7 +302,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
as follows. as follows.
</p> </p>
<ul class="itemize mark-bullet"> <ul class="itemize mark-bullet">
@@ -20166,12 +20166,12 @@ as follows. @@ -20172,12 +20172,12 @@ as follows.
</li><li>Algorithm self-tests are run on library load </li><li>Algorithm self-tests are run on library load
</li></ul> </li></ul>
@ -318,7 +318,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</li><li>Any cryptographic operation will be refused if any of the self-tests failed </li><li>Any cryptographic operation will be refused if any of the self-tests failed
</li></ul> </li></ul>
@@ -20180,7 +20180,7 @@ modified as follows. @@ -20186,7 +20186,7 @@ modified as follows.
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
the library integrity tests on startup, and the variable the library integrity tests on startup, and the variable
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from <code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
@ -327,7 +327,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
mode, while &rsquo;0&rsquo; will disable it. mode, while &rsquo;0&rsquo; will disable it.
</p> </p>
<p>The integrity checks for the dependent libraries and GnuTLS are performed <p>The integrity checks for the dependent libraries and GnuTLS are performed
@@ -20188,13 +20188,13 @@ using &rsquo;.hmac&rsquo; files which ar @@ -20194,13 +20194,13 @@ using &rsquo;.hmac&rsquo; files which ar
key for the operations can be provided on compile-time with the configure key for the operations can be provided on compile-time with the configure
option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256. option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256.
</p> </p>
@ -344,7 +344,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a> the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>. which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
</p> </p>
@@ -20203,7 +20203,7 @@ which can switch to alternative modes as @@ -20209,7 +20209,7 @@ which can switch to alternative modes as
<dl class="table"> <dl class="table">
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt> <dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
@ -353,7 +353,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</p></dd> </p></dd>
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt> <dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
<dd><p>The default mode; all forbidden operations will cause an <dd><p>The default mode; all forbidden operations will cause an
@@ -20214,8 +20214,8 @@ operation failure via error code. @@ -20220,8 +20220,8 @@ operation failure via error code.
cannot be set or seen by applications. cannot be set or seen by applications.
</p></dd> </p></dd>
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt> <dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
@ -364,7 +364,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
</p></dd> </p></dd>
@@ -20227,7 +20227,7 @@ to a message to the audit callback funct @@ -20233,7 +20233,7 @@ to a message to the audit callback funct
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div> <div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
<p>The intention of this API is to be used by applications which may run in <p>The intention of this API is to be used by applications which may run in
@ -373,7 +373,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
e.g., for non-security related purposes. In these cases applications should e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following. wrap the non-compliant code within blocks like the following.
</p> </p>
@@ -20256,9 +20256,9 @@ if (gnutls_fips140_mode_enabled()) @@ -20262,9 +20262,9 @@ if (gnutls_fips140_mode_enabled())
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the <p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
previous calls is to localize the change in the mode. Note also, that previous calls is to localize the change in the mode. Note also, that
such a block has no effect when the library is not operating such a block has no effect when the library is not operating
@ -385,7 +385,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</p><div class="example"> </p><div class="example">
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); <pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
</pre></div> </pre></div>
@@ -20281,7 +20281,7 @@ performed within a given context. @@ -20287,7 +20287,7 @@ performed within a given context.
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt> <dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
</dl> </dl>
@ -394,7 +394,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
operation. It can be attached to the current execution thread with operation. It can be attached to the current execution thread with
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be <a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
updated until it is detached with updated until it is detached with
@@ -20654,8 +20654,8 @@ Previous: <a href="#Contributing" access @@ -20660,8 +20660,8 @@ Previous: <a href="#Contributing" access
to an auditor that the crypto component follows some best practices, such to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives. as unit testing and reliance on well known crypto primitives.
</p> </p>
@ -405,7 +405,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</p> </p>
<hr> <hr>
</div> </div>
@@ -24569,7 +24569,7 @@ unusable. This function is not thread-s @@ -24576,7 +24576,7 @@ unusable. This function is not thread-s
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4> <h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn"> <a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> &para;</a></span></dt> <dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> &para;</a></span></dt>
@ -414,7 +414,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
</p> </p>
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> <p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
</p> </p>
@@ -24578,13 +24578,13 @@ unusable. This function is not thread-s @@ -24585,13 +24585,13 @@ unusable. This function is not thread-s
behavior with no flags after threads are created is undefined. behavior with no flags after threads are created is undefined.
</p> </p>
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified <p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
@ -430,7 +430,7 @@ Index: gnutls-3.8.3/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode. switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p> </p>
@@ -46927,7 +46927,7 @@ Next: <a href="#Concept-Index" accesskey @@ -46970,7 +46970,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@ -439,10 +439,10 @@ Index: gnutls-3.8.3/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.3/doc/gnutls.info-3 Index: gnutls-3.8.4/doc/gnutls.info-3
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/gnutls.info-3 --- gnutls-3.8.4.orig/doc/gnutls.info-3
+++ gnutls-3.8.3/doc/gnutls.info-3 +++ gnutls-3.8.4/doc/gnutls.info-3
@@ -2247,7 +2247,7 @@ to more. Both will exit with a st @@ -2247,7 +2247,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
@ -512,7 +512,7 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
 
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9151,7 +9151,7 @@ gnutls_fips140_set_mode @@ -9152,7 +9152,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS) unsigned FLAGS)
@ -521,10 +521,10 @@ Index: gnutls-3.8.3/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi Index: gnutls-3.8.4/doc/invoke-gnutls-cli.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/invoke-gnutls-cli.texi --- gnutls-3.8.4.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.3/doc/invoke-gnutls-cli.texi +++ gnutls-3.8.4/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None: @@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
@ -534,10 +534,10 @@ Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1 Index: gnutls-3.8.4/doc/manpages/gnutls-cli.1
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/manpages/gnutls-cli.1 --- gnutls-3.8.4.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.3/doc/manpages/gnutls-cli.1 +++ gnutls-3.8.4/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf This will override the default options in /etc/gnutls/pkcs11.conf
.TP .TP
@ -547,10 +547,10 @@ Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1
.sp .sp
.TP .TP
.NOP \f\*[B-Font]\-\-list\-config\f[] .NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html Index: gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/reference/html/gnutls-gnutls.html --- gnutls-3.8.4.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html +++ gnutls-3.8.4/doc/reference/html/gnutls-gnutls.html
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para @@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its (globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p> behavior with no flags after threads are created is undefined.</p>
@ -575,7 +575,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
<td class="parameter_annotations"> </td> <td class="parameter_annotations"> </td>
</tr> </tr>
<tr> <tr>
@@ -25904,7 +25904,7 @@ encryption</p> @@ -25911,7 +25911,7 @@ encryption</p>
<hr> <hr>
<div class="refsect2"> <div class="refsect2">
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3> <a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@ -584,7 +584,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
<div class="refsect3"> <div class="refsect3">
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4> <a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
<div class="informaltable"><table class="informaltable" width="100%" border="0"> <div class="informaltable"><table class="informaltable" width="100%" border="0">
@@ -25917,7 +25917,7 @@ encryption</p> @@ -25924,7 +25924,7 @@ encryption</p>
<tr> <tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td> <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
<td class="enum_member_description"> <td class="enum_member_description">
@ -593,7 +593,7 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
</td> </td>
<td class="enum_member_annotations"> </td> <td class="enum_member_annotations"> </td>
</tr> </tr>
@@ -25940,8 +25940,8 @@ operation failure via error code.</p> @@ -25947,8 +25947,8 @@ operation failure via error code.</p>
<tr> <tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td> <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
<td class="enum_member_description"> <td class="enum_member_description">
@ -604,17 +604,17 @@ Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).</p> to utilize disallowed operations for other reasons (e.g., compatibility).</p>
</td> </td>
@@ -27575,4 +27575,4 @@ This is used by <a class="link" href="gn @@ -27582,4 +27582,4 @@ This is used by <a class="link" href="gn
<div class="footer"> <div class="footer">
<hr>Generated by GTK-Doc V1.33.1</div> <hr>Generated by GTK-Doc V1.33.1</div>
</body> </body>
-</html> -</html>
\ No newline at end of file \ No newline at end of file
+</html> +</html>
Index: gnutls-3.8.3/lib/fips.c Index: gnutls-3.8.4/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/fips.c --- gnutls-3.8.4.orig/lib/fips.c
+++ gnutls-3.8.3/lib/fips.c +++ gnutls-3.8.4/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void) @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
} }
@ -633,7 +633,7 @@ Index: gnutls-3.8.3/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS; ret = GNUTLS_FIPS140_SELFTESTS;
goto exit; goto exit;
} }
@@ -694,7 +694,7 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -710,7 +710,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/** /**
* gnutls_fips140_set_mode: * gnutls_fips140_set_mode:
@ -642,7 +642,7 @@ Index: gnutls-3.8.3/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
* *
* That function is not thread-safe when changing the mode with no flags * That function is not thread-safe when changing the mode with no flags
@@ -702,13 +702,13 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -718,13 +718,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined. * behavior with no flags after threads are created is undefined.
* *
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@ -658,7 +658,7 @@ Index: gnutls-3.8.3/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode. * switches to %GNUTLS_FIPS140_STRICT mode.
* *
@@ -720,10 +720,10 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -736,10 +736,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled(); gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED || if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) { prev == GNUTLS_FIPS140_SELFTESTS) {
@ -671,7 +671,7 @@ Index: gnutls-3.8.3/lib/fips.c
return; return;
} }
@@ -736,7 +736,7 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -752,7 +752,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS: case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -680,7 +680,7 @@ Index: gnutls-3.8.3/lib/fips.c
mode = GNUTLS_FIPS140_STRICT; mode = GNUTLS_FIPS140_STRICT;
break; break;
default: default:
@@ -912,7 +912,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -928,7 +928,7 @@ void _gnutls_switch_fips_state(gnutls_fi
} }
if (!_tfips_context) { if (!_tfips_context) {
@ -689,7 +689,7 @@ Index: gnutls-3.8.3/lib/fips.c
return; return;
} }
@@ -926,7 +926,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -942,7 +942,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -698,7 +698,7 @@ Index: gnutls-3.8.3/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -937,7 +937,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -953,7 +953,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -707,7 +707,7 @@ Index: gnutls-3.8.3/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -949,7 +949,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -965,7 +965,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -716,7 +716,7 @@ Index: gnutls-3.8.3/lib/fips.c
operation_state_to_string( operation_state_to_string(
_tfips_context->state), _tfips_context->state),
operation_state_to_string(state)); operation_state_to_string(state));
@@ -1011,7 +1011,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1027,7 +1027,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) { ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL, _gnutls_audit_log(NULL,
@ -725,7 +725,7 @@ Index: gnutls-3.8.3/lib/fips.c
} else { } else {
/* Restore the previous library state */ /* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state); _gnutls_switch_lib_state(prev_lib_state);
@@ -1023,7 +1023,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1039,7 +1039,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) { if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@ -734,10 +734,10 @@ Index: gnutls-3.8.3/lib/fips.c
} }
gnutls_fips140_context_deinit(fips_context); gnutls_fips140_context_deinit(fips_context);
} }
Index: gnutls-3.8.3/lib/fips.h Index: gnutls-3.8.4/lib/fips.h
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/fips.h --- gnutls-3.8.4.orig/lib/fips.h
+++ gnutls-3.8.3/lib/fips.h +++ gnutls-3.8.4/lib/fips.h
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci @@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
} }
@ -778,11 +778,11 @@ Index: gnutls-3.8.3/lib/fips.h
gnutls_cipher_get_name(algo)); gnutls_cipher_get_name(algo));
FALLTHROUGH; FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED: case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.3/lib/global.c Index: gnutls-3.8.4/lib/global.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/global.c --- gnutls-3.8.4.orig/lib/global.c
+++ gnutls-3.8.3/lib/global.c +++ gnutls-3.8.4/lib/global.c
@@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned @@ -338,12 +338,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140 #ifdef ENABLE_FIPS140
res = _gnutls_fips_mode_enabled(); res = _gnutls_fips_mode_enabled();
@ -797,7 +797,7 @@ Index: gnutls-3.8.3/lib/global.c
_gnutls_priority_update_fips(); _gnutls_priority_update_fips();
/* first round of self checks, these are done on the /* first round of self checks, these are done on the
@@ -352,7 +352,7 @@ static int _gnutls_global_init(unsigned @@ -353,7 +353,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) { if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@ -806,7 +806,7 @@ Index: gnutls-3.8.3/lib/global.c
if (res != 2) { if (res != 2) {
gnutls_assert(); gnutls_assert();
goto out; goto out;
@@ -375,7 +375,7 @@ static int _gnutls_global_init(unsigned @@ -376,7 +376,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) { if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@ -815,11 +815,11 @@ Index: gnutls-3.8.3/lib/global.c
if (res != 2) { if (res != 2) {
gnutls_assert(); gnutls_assert();
goto out; goto out;
Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in Index: gnutls-3.8.4/lib/includes/gnutls/gnutls.h.in
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/includes/gnutls/gnutls.h.in --- gnutls-3.8.4.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in +++ gnutls-3.8.4/lib/includes/gnutls/gnutls.h.in
@@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn @@ -3201,16 +3201,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session, void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func); gnutls_alert_read_func func);
@ -840,7 +840,7 @@ Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
* application is aware of the followed security policy, and needs * application is aware of the followed security policy, and needs
* to utilize disallowed operations for other reasons (e.g., compatibility). * to utilize disallowed operations for other reasons (e.g., compatibility).
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
@@ -3216,7 +3216,7 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -3218,7 +3218,7 @@ unsigned gnutls_fips140_mode_enabled(voi
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
* cannot be set or seen by applications. * cannot be set or seen by applications.
* *
@ -849,10 +849,10 @@ Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
*/ */
typedef enum gnutls_fips_mode_t { typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0, GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.3/src/cli.c Index: gnutls-3.8.4/src/cli.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/src/cli.c --- gnutls-3.8.4.orig/src/cli.c
+++ gnutls-3.8.3/src/cli.c +++ gnutls-3.8.4/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char ** @@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) { if (HAVE_OPT(FIPS140_MODE)) {
@ -866,10 +866,10 @@ Index: gnutls-3.8.3/src/cli.c
exit(1); exit(1);
} }
Index: gnutls-3.8.3/src/gnutls-cli-options.c Index: gnutls-3.8.4/src/gnutls-cli-options.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/src/gnutls-cli-options.c --- gnutls-3.8.4.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.3/src/gnutls-cli-options.c +++ gnutls-3.8.4/src/gnutls-cli-options.c
@@ -810,7 +810,7 @@ usage (FILE *out, int status) @@ -810,7 +810,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n" " --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n" " --provider=file Specify the PKCS #11 provider library\n"
@ -879,10 +879,10 @@ Index: gnutls-3.8.3/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n" " --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n" " --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n" " --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.3/tests/cert-tests/gost.sh Index: gnutls-3.8.4/tests/cert-tests/gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/gost.sh --- gnutls-3.8.4.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.3/tests/cert-tests/gost.sh +++ gnutls-3.8.4/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -892,10 +892,10 @@ Index: gnutls-3.8.3/tests/cert-tests/gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs12-corner-cases.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-corner-cases.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -905,10 +905,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs12-encode.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-encode.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -918,10 +918,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs12-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-gost.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -931,10 +931,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs12.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs12.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs12.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -944,10 +944,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs8-decode.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-decode.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -957,10 +957,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs8-eddsa.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-eddsa.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -970,10 +970,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs8-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-gost.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -983,10 +983,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh Index: gnutls-3.8.4/tests/cert-tests/pkcs8.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cert-tests/pkcs8.sh --- gnutls-3.8.4.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.3/tests/cert-tests/pkcs8.sh +++ gnutls-3.8.4/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -996,10 +996,10 @@ Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/cipher-listings.sh Index: gnutls-3.8.4/tests/cipher-listings.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/cipher-listings.sh --- gnutls-3.8.4.orig/tests/cipher-listings.sh
+++ gnutls-3.8.3/tests/cipher-listings.sh +++ gnutls-3.8.4/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check() @@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode ${CLI} --fips140-mode
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.3/tests/cipher-listings.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/tests/testpkcs11.sh Index: gnutls-3.8.4/tests/testpkcs11.sh
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/tests/testpkcs11.sh --- gnutls-3.8.4.orig/tests/testpkcs11.sh
+++ gnutls-3.8.3/tests/testpkcs11.sh +++ gnutls-3.8.4/tests/testpkcs11.sh
@@ -26,7 +26,7 @@ @@ -26,7 +26,7 @@
RETCODE=0 RETCODE=0
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.3/tests/testpkcs11.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t Index: gnutls-3.8.4/doc/enums/gnutls_fips_mode_t
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/enums/gnutls_fips_mode_t --- gnutls-3.8.4.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.3/doc/enums/gnutls_fips_mode_t +++ gnutls-3.8.4/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@ -1046,10 +1046,10 @@ Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.3/doc/gnutls-api.texi Index: gnutls-3.8.4/doc/gnutls-api.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/gnutls-api.texi --- gnutls-3.8.4.orig/doc/gnutls-api.texi
+++ gnutls-3.8.3/doc/gnutls-api.texi +++ gnutls-3.8.4/doc/gnutls-api.texi
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s @@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode @subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode} @anchor{gnutls_fips140_set_mode}
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.3/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.3/lib/ext/session_ticket.c Index: gnutls-3.8.4/lib/ext/session_ticket.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/ext/session_ticket.c --- gnutls-3.8.4.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.3/lib/ext/session_ticket.c +++ gnutls-3.8.4/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{ {
if (_gnutls_fips_mode_enabled()) { if (_gnutls_fips_mode_enabled()) {
@ -1088,11 +1088,11 @@ Index: gnutls-3.8.3/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not * some limits on allowed key size, thus it is not
* used. These limits do not affect this function as * used. These limits do not affect this function as
* it does not generate a "key" but rather key material * it does not generate a "key" but rather key material
Index: gnutls-3.8.3/lib/libgnutls.map Index: gnutls-3.8.4/lib/libgnutls.map
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/libgnutls.map --- gnutls-3.8.4.orig/lib/libgnutls.map
+++ gnutls-3.8.3/lib/libgnutls.map +++ gnutls-3.8.4/lib/libgnutls.map
@@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 { @@ -1450,7 +1450,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test; gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test; gnutls_pbkdf2_self_test;
gnutls_tlsprf_self_test; gnutls_tlsprf_self_test;
@ -1101,10 +1101,10 @@ Index: gnutls-3.8.3/lib/libgnutls.map
drbg_aes_reseed; drbg_aes_reseed;
drbg_aes_init; drbg_aes_init;
drbg_aes_generate; drbg_aes_generate;
Index: gnutls-3.8.3/lib/nettle/mac.c Index: gnutls-3.8.4/lib/nettle/mac.c
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/lib/nettle/mac.c --- gnutls-3.8.4.orig/lib/nettle/mac.c
+++ gnutls-3.8.3/lib/nettle/mac.c +++ gnutls-3.8.4/lib/nettle/mac.c
@@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx @@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo, static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx) struct nettle_mac_ctx *ctx)
@ -1123,10 +1123,10 @@ Index: gnutls-3.8.3/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */ * gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) { switch (algo) {
case GNUTLS_DIG_MD5: case GNUTLS_DIG_MD5:
Index: gnutls-3.8.3/config.h.in Index: gnutls-3.8.4/config.h.in
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/config.h.in --- gnutls-3.8.4.orig/config.h.in
+++ gnutls-3.8.3/config.h.in +++ gnutls-3.8.4/config.h.in
@@ -82,7 +82,7 @@ @@ -82,7 +82,7 @@
/* enable DHE */ /* enable DHE */
#undef ENABLE_ECDHE #undef ENABLE_ECDHE
@ -1145,11 +1145,11 @@ Index: gnutls-3.8.3/config.h.in
#undef FIPS_KEY #undef FIPS_KEY
/* The FIPS140 module name */ /* The FIPS140 module name */
Index: gnutls-3.8.3/configure Index: gnutls-3.8.4/configure
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/configure --- gnutls-3.8.4.orig/configure
+++ gnutls-3.8.3/configure +++ gnutls-3.8.4/configure
@@ -3830,7 +3830,7 @@ Optional Features: @@ -3832,7 +3832,7 @@ Optional Features:
--enable-fast-install[=PKGS] --enable-fast-install[=PKGS]
optimize for fast installation [default=yes] optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds) --disable-libtool-lock avoid locking (might break parallel builds)
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.3/configure
--enable-strict-x509 enable stricter sanity checks for x509 certificates --enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves --disable-non-suiteb-curves
disable curves not in SuiteB disable curves not in SuiteB
Index: gnutls-3.8.3/doc/cha-support.texi Index: gnutls-3.8.4/doc/cha-support.texi
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/cha-support.texi --- gnutls-3.8.4.orig/doc/cha-support.texi
+++ gnutls-3.8.3/doc/cha-support.texi +++ gnutls-3.8.4/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o @@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives. as unit testing and reliance on well known crypto primitives.
@ -1170,23 +1170,23 @@ Index: gnutls-3.8.3/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information. -See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux. +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information. +See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.3/doc/gnutls.info Index: gnutls-3.8.4/doc/gnutls.info
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/doc/gnutls.info --- gnutls-3.8.4.orig/doc/gnutls.info
+++ gnutls-3.8.3/doc/gnutls.info +++ gnutls-3.8.4/doc/gnutls.info
@@ -618,7 +618,7 @@ Ref: fig-crypto-layers744471 @@ -619,7 +619,7 @@ Ref: fig-crypto-layers744797
Ref: Cryptographic Backend-Footnote-1747783 Ref: Cryptographic Backend-Footnote-1748109
Ref: Cryptographic Backend-Footnote-2747868 Ref: Cryptographic Backend-Footnote-2748194
Node: Random Number Generators-internals747980 Node: Random Number Generators-internals748306
-Node: FIPS140-2 mode755450 -Node: FIPS140-2 mode755776
+Node: FIPS140-3 mode755450 +Node: FIPS140-3 mode755776
Ref: gnutls_fips_mode_t758148 Ref: gnutls_fips_mode_t758474
Node: Upgrading from previous versions761817 Node: Upgrading from previous versions762143
Node: Support776059 Node: Support776385
Index: gnutls-3.8.3/src/gnutls-cli-options.json Index: gnutls-3.8.4/src/gnutls-cli-options.json
=================================================================== ===================================================================
--- gnutls-3.8.3.orig/src/gnutls-cli-options.json --- gnutls-3.8.4.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.3/src/gnutls-cli-options.json +++ gnutls-3.8.4/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@ @@ -384,7 +384,7 @@
}, },
{ {
@ -1196,3 +1196,16 @@ Index: gnutls-3.8.3/src/gnutls-cli-options.json
}, },
{ {
"long-option": "list-config", "long-option": "list-config",
Index: gnutls-3.8.4/tests/pkcs11-tool.sh
===================================================================
--- gnutls-3.8.4.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.4/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x
: ${DIFF=diff}
if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
- echo "Cannot run in FIPS140-2 mode"
+ echo "Cannot run in FIPS140-3 mode"
exit 77
fi

75
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
View File

@ -1,112 +1,117 @@
Index: gnutls-3.8.0/lib/fips.c Index: gnutls-3.8.4/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.0.orig/lib/fips.c --- gnutls-3.8.4.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c +++ gnutls-3.8.4/lib/fips.c
@@ -171,16 +171,28 @@ struct hmac_entry { @@ -175,20 +175,32 @@ struct hmac_entry {
struct hmac_file { struct hmac_file {
int version; int version;
struct hmac_entry gnutls; struct hmac_entry gnutls;
+#if 0 +#if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
struct hmac_entry nettle; struct hmac_entry nettle;
struct hmac_entry hogweed; struct hmac_entry hogweed;
#ifdef GMP_LIBRARY_SONAME
struct hmac_entry gmp; struct hmac_entry gmp;
#endif
+#endif +#endif
}; };
struct lib_paths { struct lib_paths {
char gnutls[GNUTLS_PATH_MAX]; char gnutls[GNUTLS_PATH_MAX];
+#if 0 +#if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
char nettle[GNUTLS_PATH_MAX]; char nettle[GNUTLS_PATH_MAX];
char hogweed[GNUTLS_PATH_MAX]; char hogweed[GNUTLS_PATH_MAX];
#ifdef GMP_LIBRARY_SONAME
char gmp[GNUTLS_PATH_MAX]; char gmp[GNUTLS_PATH_MAX];
#endif
+#endif +#endif
}; };
/* /*
@@ -241,12 +253,18 @@ static int handler(void *user, const cha @@ -248,6 +252,11 @@ static int handler(void *user, const cha
} }
} else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) { } else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
return lib_handler(&p->gnutls, section, name, value); return lib_handler(&p->gnutls, section, name, value);
+#if 0 +#if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
} else if (!strcmp(section, NETTLE_LIBRARY_NAME)) { } else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
return lib_handler(&p->nettle, section, name, value); return lib_handler(&p->nettle, section, name, value);
} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) { } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
return lib_handler(&p->hogweed, section, name, value); @@ -256,6 +265,7 @@ static int handler(void *user, const cha
} else if (!strcmp(section, GMP_LIBRARY_NAME)) { } else if (!strcmp(section, GMP_LIBRARY_NAME)) {
return lib_handler(&p->gmp, section, name, value); return lib_handler(&p->gmp, section, name, value);
#endif
+#endif +#endif
} else { } else {
return 0; return 0;
} }
@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info @@ -401,6 +411,11 @@ static int callback(struct dl_phdr_info
if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
+#if 0 +#if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); @@ -409,6 +424,7 @@ static int callback(struct dl_phdr_info
else if (!strcmp(soname, GMP_LIBRARY_SONAME)) else if (!strcmp(soname, GMP_LIBRARY_SONAME))
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
#endif
+#endif +#endif
return 0; return 0;
} }
@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat @@ -421,6 +437,11 @@ static int load_lib_paths(struct lib_pat
_gnutls_debug_log("Gnutls library path was not found\n"); _gnutls_debug_log("Gnutls library path was not found\n");
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
} }
+#if 0 +#if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
if (paths->nettle[0] == '\0') { if (paths->nettle[0] == '\0') {
_gnutls_debug_log("Nettle library path was not found\n"); _gnutls_debug_log("Nettle library path was not found\n");
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
@@ -421,7 +450,7 @@ static int load_lib_paths(struct lib_pat @@ -435,6 +456,7 @@ static int load_lib_paths(struct lib_pat
_gnutls_debug_log("Gmp library path was not found\n");
return gnutls_assert_val(GNUTLS_E_FILE_ERROR); return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
} }
- #endif
+#endif +#endif
return GNUTLS_E_SUCCESS; return GNUTLS_E_SUCCESS;
} }
@@ -481,6 +503,11 @@ static int check_binary_integrity(void)
@@ -467,6 +496,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls); ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
if (ret < 0) if (ret < 0)
return ret; return ret;
+# if 0 +# if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as + /* Disable nettle, hogweed and gmp HMAC verification as
+ * they are calculated during build of the respective + * they are calculated during build of the respective
+ * packages and can differ from the ones listed here. + * packages and can differ from the ones listed here.
+ */ + */
ret = check_lib_hmac(&hmac.nettle, paths.nettle); ret = check_lib_hmac(&hmac.nettle, paths.nettle);
if (ret < 0) if (ret < 0)
return ret; return ret;
@@ -476,6 +510,7 @@ static int check_binary_integrity(void) @@ -492,6 +519,7 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
if (ret < 0) if (ret < 0)
return ret; return ret;
+# endif #endif
+#endif
return 0; return 0;
} }

34
gnutls-FIPS-jitterentropy-deinit-threads.patch Normal file
View File

@ -0,0 +1,34 @@
Index: gnutls-3.8.4/lib/state.c
===================================================================
--- gnutls-3.8.4.orig/lib/state.c
+++ gnutls-3.8.4/lib/state.c
@@ -830,6 +830,12 @@ void gnutls_deinit(gnutls_session_t sess
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
gnutls_mutex_deinit(&session->internals.epoch_lock);
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(session);
}
Index: gnutls-3.8.4/lib/nettle/rnd.c
===================================================================
--- gnutls-3.8.4.orig/lib/nettle/rnd.c
+++ gnutls-3.8.4/lib/nettle/rnd.c
@@ -79,6 +79,12 @@ struct generators_ctx_st {
static void wrap_nettle_rnd_deinit(void *_ctx)
{
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(_ctx);
}

41
gnutls.changes
View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Wed Mar 20 12:08:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- jitterentropy: Release the memory of the entropy collector when
using jitterentropy with phtreads as there is also a
pre-intitization done in the main thread. [bsc#1221242]
* Add gnutls-FIPS-jitterentropy-deinit-threads.patch
-------------------------------------------------------------------
Wed Mar 20 09:26:32 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.4:
* libgnutls: RSA-OAEP encryption scheme is now supported
To use it with an unrestricted RSA private key, one would need to
initialize a gnutls_x509_spki_t object with necessary parameters
for RSA-OAEP and attach it to the private key. It is also possible
to import restricted private keys if they are stored in PKCS#8
format.
* libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516).
[GNUTLS-SA-2023-12-04, CVSS: medium] [bsc#1221746, CVE-2024-28834]
* libgnutls: Fixed a bug where certtool crashed when verifying a
certificate chain with more than 16 certificates. Reported by
William Woodruff (#1525) and yixiangzhike (#1527).
[GNUTLS-SA-2024-01-23, CVSS: medium] [bsc#1221747, CVE-2024-28835]
* libgnutls: Compression libraries are now loaded dynamically as needed
instead of all being loaded during gnutls library initialization.
As a result, the library initialization should be faster.
* build: The gnutls library can now be linked with the static library
of GMP. Note that in order for this to work libgmp.a needs to be
compiled with -fPIC and libhogweed in Nettle also has to be linked
to the static library of GMP. This can be used to prevent custom
memory allocators from being overriden by other applications.
* API and ABI modifications:
- gnutls_x509_spki_get_rsa_oaep_params: New function.
- gnutls_x509_spki_set_rsa_oaep_params: New function.
- GNUTLS_PK_RSA_OAEP: New enum member of gnutls_pk_algorithm_t.
* Rebase patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 21 18:04:48 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Wed Feb 21 18:04:48 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

4
gnutls.spec
View File

@ -40,7 +40,7 @@
%endif %endif
%bcond_with tpm %bcond_with tpm
Name: gnutls Name: gnutls
Version: 3.8.3 Version: 3.8.4
Release: 0 Release: 0
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later License: GPL-3.0-or-later AND LGPL-2.1-or-later
@ -66,6 +66,8 @@ Patch101: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch102: gnutls-FIPS-jitterentropy.patch Patch102: gnutls-FIPS-jitterentropy.patch
#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch
%endif %endif
BuildRequires: autogen BuildRequires: autogen
BuildRequires: automake BuildRequires: automake