From c7bc1d9ee76ca7729356785df9587fc8b5e998d36e5764082b5db8162cb45b7e Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Thu, 25 May 2023 13:43:53 +0000
Subject: [PATCH] Accepting request 1088822 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Skip the fixed HMAC verification for nettle, hogweed and gmp libraries. These calculated HMACs change for every build of each of these packages, we only have to verify that for gnutls.
  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
OBS-URL: https://build.opensuse.org/request/show/1088822
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=93
---
 baselibs.conf | 4 ++--
 gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch | 24 +++++++++++++++++++++++
 gnutls.changes | 13 ++++++++++++
 gnutls.spec | 20 +++++--------------
 4 files changed, 44 insertions(+), 17 deletions(-)
 create mode 100644 gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
diff --git a/baselibs.conf b/baselibs.conf
index 3f783e8..b638d71 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,7 @@
 libgnutls30
 obsoletes "gnutls-"
+ provides "libgnutls30- = -%release"
+ obsoletes "libgnutls30- < -%release"
 libgnutls-devel
 requires -libgnutls-
 requires "libgnutls30- = "
-libgnutls30-hmac
- requires "libgnutls30- = -%release"
diff --git a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
new file mode 100644
index 0000000..1920514
--- /dev/null
+++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
@@ -0,0 +1,24 @@
+Index: gnutls-3.8.0/lib/fips.c
+===================================================================
+--- gnutls-3.8.0.orig/lib/fips.c
++++ gnutls-3.8.0/lib/fips.c
+@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+ ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ if (ret < 0)
+ return ret;
++# if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ if (ret < 0)
+ return ret;
+@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
+ ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ if (ret < 0)
+ return ret;
++# endif
+
+ return 0;
+ }
diff --git a/gnutls.changes b/gnutls.changes
index ca2a1de..c6a9873 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+ gmp libraries. These calculated HMACs change for every build of
+ each of these packages, we only have to verify that for gnutls.
+ * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
 -------------------------------------------------------------------
 Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET
diff --git a/gnutls.spec b/gnutls.spec
index 3451282..a8dbc1f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
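Review bot: The `# if 0` / `# endif` added around the nettle, hogweed and gmp calls in check_binary_integrity() drops those integrity checks completely in FIPS mode, so from now on only libgnutls itself is verified while the libraries that actually implement the primitives are not, and the added comment does not say that this is a deliberate distro decision or which bug tracks it, so it reads like leftover dead code. Suggested replacement for the added comment: `/* SUSE bsc#1211476: the nettle, hogweed and gmp HMACs are computed per build of those packages, so the values embedded here cannot match; their check is intentionally skipped and only libgnutls is verified. */`. The added comment also misspells the library as `gpm` where `gmp` is meant. A named preprocessor conditional instead of `# if 0` would make the skip greppable and re-enableable from the build without editing the patch. The beginning of check_binary_integrity() lies outside the hunk.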
@@ -62,9 +62,11 @@ Patch100: gnutls-FIPS-PCT-DH.patch
 Patch101: gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102: gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103: gnutls-FIPS-jitterentropy.patch
+Patch104: gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires: autogen
 BuildRequires: automake
@@ -118,10 +120,10 @@ of the IETF's TLS working group.
 %package -n libgnutls%{gnutls_sover}
 Summary: The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License: LGPL-2.1-or-later
 Group: System/Libraries
-Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires: crypto-policies
 %endif
@@ -131,15 +133,6 @@ The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.
-%package -n libgnutls%{gnutls_sover}-hmac
-Summary: Checksums of the GNU Transport Layer Security Library
-License: LGPL-2.1-or-later
-Group: System/Libraries
-Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary: DANE support for the GNU Transport Layer Security Library
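Review bot: Renumbering the jitterentropy patch from Patch103 to Patch104 in the first hunk is only complete if %prep applies patches with %autosetup or %autopatch; if it still uses explicit `%patch103` / `%patch104` lines those need the same renumbering, and %prep is outside this diff, so please confirm. A lower-churn alternative that avoids touching the conditional block at all is to append the new patch after the existing one, e.g. `#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp` and `Patch104: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch`, leaving `Patch103: gnutls-FIPS-jitterentropy.patch` as it was. Either way the `#PATCH-FIX-SUSE` line for the new patch would help readers more if it also stated that the check is skipped rather than fixed, since that is a FIPS-relevant behaviour change.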
@@ -339,9 +332,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}
 %license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 %if %{with dane}