pool/gnutls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1089038 from security:tls

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1089038
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=148
This commit is contained in:
Dominique Leuenberger 2023-05-26 18:15:10 +00:00 committed by Git OBS Bridge
commit b32aec3158
4 changed files with 44 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
baselibs.conf
View File

@ -1,7 +1,7 @@
libgnutls30 libgnutls30
obsoletes "gnutls-<targettype>" obsoletes "gnutls-<targettype>"
provides "libgnutls30-<targettype> = <version>-%release"
obsoletes "libgnutls30-<targettype> < <version>-%release"
libgnutls-devel libgnutls-devel
requires -libgnutls-<targettype> requires -libgnutls-<targettype>
requires "libgnutls30-<targettype> = <version>" requires "libgnutls30-<targettype> = <version>"
libgnutls30-hmac
requires "libgnutls30-<targettype> = <version>-%release"

24
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch Normal file
View File

@ -0,0 +1,24 @@
Index: gnutls-3.8.0/lib/fips.c
===================================================================
--- gnutls-3.8.0.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c
@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
if (ret < 0)
return ret;
+# if 0
+ /* Disable nettle, hogweed and gpm HMAC verification as
+ * they are calculated during build of the respective
+ * packages and can differ from the ones listed here.
+ */
ret = check_lib_hmac(&hmac.nettle, paths.nettle);
if (ret < 0)
return ret;
@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
if (ret < 0)
return ret;
+# endif
return 0;
}

13
gnutls.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Wed May 24 11:01:10 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
gmp libraries. These calculated HMACs change for every build of
each of these packages, we only have to verify that for gnutls.
* Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
-------------------------------------------------------------------
Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org> Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org>

20
gnutls.spec
View File

@ -62,9 +62,11 @@ Patch100: gnutls-FIPS-PCT-DH.patch
Patch101: gnutls-FIPS-PCT-ECDH.patch Patch101: gnutls-FIPS-PCT-ECDH.patch
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch102: gnutls-FIPS-140-3-references.patch Patch102: gnutls-FIPS-140-3-references.patch
#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch103: gnutls-FIPS-jitterentropy.patch Patch104: gnutls-FIPS-jitterentropy.patch
%endif %endif
BuildRequires: autogen BuildRequires: autogen
BuildRequires: automake BuildRequires: automake
@ -118,10 +120,10 @@ of the IETF's TLS working group.
%package -n libgnutls%{gnutls_sover} %package -n libgnutls%{gnutls_sover}
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
# install libgnutls and libgnutls-hmac close together (bsc#1090765)
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
Group: System/Libraries Group: System/Libraries
Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies Requires: crypto-policies
%endif %endif
@ -131,15 +133,6 @@ The GnuTLS library provides a secure layer over a reliable transport
layer. Currently the GnuTLS library implements the proposed standards layer. Currently the GnuTLS library implements the proposed standards
of the IETF's TLS working group. of the IETF's TLS working group.
%package -n libgnutls%{gnutls_sover}-hmac
Summary: Checksums of the GNU Transport Layer Security Library
License: LGPL-2.1-or-later
Group: System/Libraries
Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
%description -n libgnutls%{gnutls_sover}-hmac
FIPS SHA256 checksums of the libgnutls library.
%if %{with dane} %if %{with dane}
%package -n libgnutls-dane%{gnutls_dane_sover} %package -n libgnutls-dane%{gnutls_dane_sover}
Summary: DANE support for the GNU Transport Layer Security Library Summary: DANE support for the GNU Transport Layer Security Library
@ -339,9 +332,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
%files -n libgnutls%{gnutls_sover} %files -n libgnutls%{gnutls_sover}
%license LICENSE %license LICENSE
%{_libdir}/libgnutls.so.%{gnutls_sover}* %{_libdir}/libgnutls.so.%{gnutls_sover}*
%files -n libgnutls%{gnutls_sover}-hmac
%license LICENSE
%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
%if %{with dane} %if %{with dane}