From 2d2be530a7eb10997721619ba782bffdc0677b05e235c7eecafa38e85d090494 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Sat, 5 Dec 2020 17:16:13 +0000 Subject: [PATCH 1/5] Accepting request 850542 from home:vitezslav_cizek:branches:security:tls - Don't forward to Factory yet, the policy needs more testing. - Use the centralized crypto policy profile (jsc#SLE-15832) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - FIPS: Add TLS KDF selftest (bsc#1176671) * add gnutls-FIPS-TLS_KDF_selftest.patch OBS-URL: https://build.opensuse.org/request/show/850542 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=43 --- gnutls-FIPS-TLS_KDF_selftest.patch | 33 ++++++ ...PS-use_2048_bit_prime_in_DH_selftest.patch | 106 ++++++++++++++++++ gnutls.changes | 13 +++ gnutls.spec | 16 ++- 4 files changed, 164 insertions(+), 4 deletions(-) create mode 100644 gnutls-FIPS-TLS_KDF_selftest.patch create mode 100644 gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch diff --git a/gnutls-FIPS-TLS_KDF_selftest.patch b/gnutls-FIPS-TLS_KDF_selftest.patch new file mode 100644 index 0000000..baa8106 --- /dev/null +++ b/gnutls-FIPS-TLS_KDF_selftest.patch 
@@ -0,0 +1,33 @@
+Index: gnutls-3.6.15/lib/fips.c
+===================================================================
+--- gnutls-3.6.15.orig/lib/fips.c 2020-09-03 16:59:05.000000000 +0200
++++ gnutls-3.6.15/lib/fips.c 2020-11-10 12:51:40.420071675 +0100
+@@ -398,6 +398,28 @@ int _gnutls_fips_perform_self_checks2(vo
+ goto error;
+ }
+
++ /* KDF */
++
++ char derived[512];
++
++ gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 };
++ gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 };
++ gnutls_datum_t label = { (void *)"test label", 10 };
++ gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 };
++
++ ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
++ label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
++ if (ret < 0) {
++ gnutls_assert();
++ goto error;
++ }
++
++ ret = memcmp(derived, expected.data, expected.size);
++ if (ret != 0) {
++ gnutls_assert();
++ goto error;
++ }
++
+ /* PK */
+ ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ if (ret < 0) {
diff --git a/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch b/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
new file mode 100644
index 0000000..e722a08
--- /dev/null
+++ b/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
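Review bot: `ret = memcmp(derived, expected.data, expected.size);` followed by `goto error` leaves `ret` holding memcmp's sign result rather than a GnuTLS error code; the `error:` label is outside the hunk, so whether that matters depends on what it returns — if it propagates `ret`, a positive memcmp result would not read as a failure. Comparing inline sidesteps the question: `if (memcmp(derived, expected.data, expected.size) != 0) { gnutls_assert(); goto error; }`. The known-answer vector also carries no provenance; a line such as `/* TLS 1.2 PRF-SHA256 known-answer test; vector source: <TODO> */` above `secret` would let the values be re-verified later. `_gnutls_fips_perform_self_checks2` starts and ends outside the hunk.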
@@ -0,0 +1,106 @@ +Index: gnutls-3.6.15/lib/crypto-selftests-pk.c +=================================================================== +--- gnutls-3.6.15.orig/lib/crypto-selftests-pk.c 2020-09-04 07:36:34.000000000 +0200 ++++ gnutls-3.6.15/lib/crypto-selftests-pk.c 2020-11-10 12:51:40.432071735 +0100 +@@ -614,18 +614,93 @@ static int test_dh(void) + gnutls_pk_params_st pub; + gnutls_datum_t out = {NULL, 0}; + static const uint8_t known_dh_k[] = { +- 0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb, +- 0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62}; ++ 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, ++ 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, ++ 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, ++ 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, ++ 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, ++ 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, ++ 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, ++ 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, ++ 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, ++ 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, ++ 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, ++ 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, ++ 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, ++ 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, ++ 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, ++ 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, ++ 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, ++ 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, ++ 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, ++ 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, ++ 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, ++ 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, ++ 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, ++ 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, ++ 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, ++ 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, ++ 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, ++ 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, ++ 0x23, 0xa1, 0x30, 0x57, 
0xf0, 0x2e, 0x24, 0xf0, ++ 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, ++ 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, ++ 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b ++ }; + static const uint8_t test_p[] = { +- 0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4, +- 0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d }; ++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, ++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, ++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, ++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, ++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, ++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, ++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, ++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, ++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, ++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, ++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, ++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, ++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, ++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, ++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, ++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, ++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, ++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, ++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, ++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, ++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, ++ 0x4B, 0xD8, 0x37, 0xEB ++ }; + static const uint8_t test_g[] = { 0x02 }; + static const uint8_t test_x[] = { +- 
0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b, +- 0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe }; ++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, ++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, ++ 0xEC, 0x55, 0xF6, 0xCC ++ }; + static const uint8_t test_y[] = { /* y=g^x mod p */ +- 0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1, +- 0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 }; ++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, ++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, ++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, ++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, ++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, ++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, ++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, ++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, ++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, ++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, ++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, ++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, ++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, ++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, ++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, ++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, ++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, ++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, ++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, ++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, ++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, ++ 
0x36, 0x9E, 0xDA, 0xD2 ++ }; + + gnutls_pk_params_init(&priv); + gnutls_pk_params_init(&pub); diff --git a/gnutls.changes b/gnutls.changes index 424fa54..a9d8332 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Nov 24 15:43:02 UTC 2020 - Vítězslav Čížek + +- Use the centralized crypto policy profile (jsc#SLE-15832) + +------------------------------------------------------------------- +Tue Nov 10 11:25:02 UTC 2020 - Vítězslav Čížek + +- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) + * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- FIPS: Add TLS KDF selftest (bsc#1176671) + * add gnutls-FIPS-TLS_KDF_selftest.patch + ------------------------------------------------------------------- Mon Oct 12 11:54:00 UTC 2020 - Dominique Leuenberger diff --git a/gnutls.spec b/gnutls.spec index f9a206a..2c0d5d1 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -38,9 +38,11 @@ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig Source2: %{name}.keyring Source3: baselibs.conf -Patch1: gnutls-3.5.11-skip-trust-store-tests.patch -Patch4: gnutls-3.6.6-set_guile_site_dir.patch -Patch6: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch0: gnutls-3.5.11-skip-trust-store-tests.patch +Patch1: gnutls-3.6.6-set_guile_site_dir.patch +Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch +Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +Patch4: gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge 
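Review bot: The new `known_dh_k`, `test_p`, `test_x` and `test_y` arrays carry no note of where they came from; the only annotation kept is the pre-existing `/* y=g^x mod p */`. Their sizes agree with the changelog entry (`test_p` and `known_dh_k` are 256 bytes, `test_x` is 28 bytes), but a reader cannot recompute the expected shared secret without knowing how the peer value and `known_dh_k` were produced. Suggest a comment above `known_dh_k`, e.g. `/* 2048-bit p with 224-bit x; y and k generated with <TODO: tool/source> */`. `test_dh` starts and ends outside the hunk.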
@@ -183,6 +185,8 @@ export CXXFLAGS="%{optflags} -fPIE" --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ + --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ + --with-default-priority-string="@SYSTEM" \ --with-sysroot=/%{?_sysroot} \ %if %{without tpm} --without-tpm \ @@ -194,6 +198,9 @@ export CXXFLAGS="%{optflags} -fPIE" %endif --enable-fips140-mode \ %{nil} + +echo "SYSTEM=NORMAL" >> tests/system.prio + make %{?_smp_mflags} # the hmac hashes: @@ -235,7 +242,8 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -make %{?_smp_mflags} check || { +#make %{?_smp_mflags} check || { +make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 } From aa9092da4870f99e2be72df51cbbc908b427337d2c0e485c204e7452e0e100d6 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 22 Dec 2020 09:48:35 +0000 Subject: [PATCH 2/5] Accepting request 858088 from home:pmonrealgonzalez:branches:security:tls Don't forward to Factory yet, the policy needs more testing OBS-URL: https://build.opensuse.org/request/show/858088 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=44 --- gnutls.changes | 5 +++++ gnutls.spec | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/gnutls.changes b/gnutls.changes index a9d8332..2b3e181 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal + +- Require the crypto-policies package [bsc#1180051] + ------------------------------------------------------------------- Tue Nov 24 15:43:02 UTC 2020 - Vítězslav Čížek diff --git a/gnutls.spec b/gnutls.spec index 2c0d5d1..ae7bf1d 100644 --- a/gnutls.spec +++ b/gnutls.spec 
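Review bot: The `%check` hunk keeps the old invocation as `#make %{?_smp_mflags} check || {` instead of deleting it; in a spec file macros inside `#` comments are still expanded, which is what the follow-up commit's `%%{?_smp_mflags}` escape at its `@@ -242,7 +243,7 @@` hunk works around, and dropping the line removes the need for either. The replacement `make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {` also runs the test suite without the system priority file that the new `--with-system-priority-file` / `@SYSTEM` configure flags make the default, so the shipped configuration is not what gets tested. A comment recording that intent, e.g. `# run the test suite without the host crypto-policies file`, would keep the next maintainer from "fixing" it.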
@@ -81,6 +81,7 @@ BuildRequires: libunbound-devel %if %{with guile} BuildRequires: guile-devel %endif +Requires: crypto-policies %description The GnuTLS library provides a secure layer over a reliable transport @@ -184,7 +185,7 @@ export CXXFLAGS="%{optflags} -fPIE" --disable-static \ --disable-rpath \ --disable-silent-rules \ - --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ + --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \ --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \ --with-default-priority-string="@SYSTEM" \ --with-sysroot=/%{?_sysroot} \ @@ -197,7 +198,7 @@ export CXXFLAGS="%{optflags} -fPIE" --disable-libdane \ %endif --enable-fips140-mode \ - %{nil} + %{nil} echo "SYSTEM=NORMAL" >> tests/system.prio @@ -242,7 +243,7 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls %check %if ! 0%{?qemu_user_space_build} -#make %{?_smp_mflags} check || { +#make %%{?_smp_mflags} check || { make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { find -name test-suite.log -print -exec cat {} + exit 1 From 2aa820b4b737de90710714457b83be1306a527ef53a9120dd065c7c33827c62d Mon Sep 17 00:00:00 2001 
From: Jason Sikes Date: Tue, 2 Feb 2021 17:34:55 +0000 Subject: [PATCH 3/5] Accepting request 868673 from home:pmonrealgonzalez:branches:security:tls - Update to 3.7.0 * Depend on nettle 3.6 * Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains * Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification * OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated. The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension * Added a new set of API to enable QUIC implementation * The crypto implementation override APIs deprecated in 3.6.9 are now no-op * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support * Support for padlock has been fixed to make it work with Zhaoxin CPU * The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes - Remove patch fixed upstream: * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - Add version guards for the crypto-policies package OBS-URL: https://build.opensuse.org/request/show/868673 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=45 --- gnutls-3.6.15.tar.xz | 3 - gnutls-3.6.15.tar.xz.sig | Bin 566 -> 0 bytes gnutls-3.7.0.tar.xz | 3 + gnutls-3.7.0.tar.xz.sig | Bin 0 -> 580 bytes ...PS-use_2048_bit_prime_in_DH_selftest.patch | 106 ------------------ gnutls.changes | 25 +++++ gnutls.spec | 32 ++++-- 7 files changed, 49 insertions(+), 120 deletions(-) delete mode 100644 gnutls-3.6.15.tar.xz delete mode 100644 gnutls-3.6.15.tar.xz.sig create mode 100644 gnutls-3.7.0.tar.xz create mode 100644 gnutls-3.7.0.tar.xz.sig delete mode 100644 gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch diff --git a/gnutls-3.6.15.tar.xz b/gnutls-3.6.15.tar.xz deleted file mode 100644 index 8190b58..0000000 
--- a/gnutls-3.6.15.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558 -size 6081656 diff --git a/gnutls-3.6.15.tar.xz.sig b/gnutls-3.6.15.tar.xz.sig deleted file mode 100644 index 4aeddf6af8dcf0edfb9ed63880203448efc4410eb45ddb63f59cfb9483b1e1ca..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0$)+;hX4u*5Y`2R zj@RaxaUb3f{T;8H;?K!a88Wp9pMuw<&fewk-TSrgB0HJ1xk({1a#9WN;sdR_wr_3gDL>QAi=00^KiB1fDT{E(Lq>HpF+fX5uRI#xH z9#mEIglT`=zr4C|PL>J~%4SULGS%EY1(6%N6mo9tuTPU|dNA~bQAD6Jjm<5hCHd;_ z)Lt;DEw*bfJaCE2W=M`_n%%&@l6EZZSuow-VzZ#c3vN^5;7~Ca&~4H0N(29t;_;g+ zPs)_%#^wg_T&gF;Rxx^F)MXxdv~W!^O&-T-_0C zR2FJIv9w{YF4#sS3DSC~hwh~5Strzt=>!I>@Rgl-0bn98XaKkKk0zJer%-wpFyJjn zqab&BwlH@nV8BlFnz@xPEc#L=5<_M*;DvK55{~HdhMwKM2YwH(iotPHURwtLnR_IL zbDJIgg05@RgFpgi{BlQ_%C$t8or*jW;2)b|Mw689tigG=Kr}W!5tt$>5`OAy{A8dg zBL}en8EV0$;~#iVYlfWo~ak zXKr;aZ*pe<3JDO_1%!^*=9qCy#1H;CvjS_`jxhkyS@{@Kg>HUu>a0@0r^yWG3;v0) zl)V(3b!4=c>$htg-q1-l5t*jQ#UwLzN1|JsC4>__l(=k4RU~;Nl0m_{gK!-$GVp>W z$A{uNxJfyVyXb$~QfaW2&Tdd9pxgF$j9NQ0CFvVHBVD!vq$#-T)U^gyYmU3wTYQUN zPiXYgoJIMP*pBbNfb&%&O9)$dr+Tfhy3Li*4oO}gGtwEMVo@DI=S1j@K31!W^L(KZ zIgOt|@C6G*e`GgOo!wRK*SyIW)iOP8QL)7t!RlndwRv{S^wk{Q1RQoVXq>yJ=WC zDm!6od?XTsP1bp_3Vt(>A_G~c{!qJ|8)Ilqm_eKX&(DB(0nyEtLGr>rrKfWM@{O%q Scm+5B3MoF}W8AgGet+QlOA+D# literal 0 HcmV?d00001 diff --git a/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch b/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch deleted file mode 100644 index e722a08..0000000 --- a/gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -Index: gnutls-3.6.15/lib/crypto-selftests-pk.c -=================================================================== ---- gnutls-3.6.15.orig/lib/crypto-selftests-pk.c 2020-09-04 07:36:34.000000000 +0200 -+++ gnutls-3.6.15/lib/crypto-selftests-pk.c 2020-11-10 12:51:40.432071735 +0100 -@@ -614,18 +614,93 @@ static int test_dh(void) - gnutls_pk_params_st pub; - gnutls_datum_t out = {NULL, 0}; - static const uint8_t known_dh_k[] = { -- 0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb, -- 0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62}; -+ 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, -+ 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, -+ 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, -+ 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, -+ 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, -+ 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, -+ 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, -+ 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, -+ 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, -+ 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, -+ 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, -+ 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, -+ 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, -+ 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, -+ 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, -+ 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, -+ 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, -+ 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, -+ 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, -+ 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, -+ 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, -+ 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, -+ 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, -+ 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, -+ 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, -+ 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, -+ 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, -+ 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, -+ 0x23, 0xa1, 0x30, 0x57, 
0xf0, 0x2e, 0x24, 0xf0, -+ 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, -+ 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, -+ 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b -+ }; - static const uint8_t test_p[] = { -- 0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4, -- 0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d }; -+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, -+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, -+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, -+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, -+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, -+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, -+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, -+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, -+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, -+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, -+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, -+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, -+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, -+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, -+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, -+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, -+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, -+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, -+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, -+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, -+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, -+ 0x4B, 0xD8, 0x37, 0xEB -+ }; - static const uint8_t test_g[] = { 0x02 }; - static const uint8_t test_x[] = { -- 
0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b, -- 0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe }; -+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, -+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, -+ 0xEC, 0x55, 0xF6, 0xCC -+ }; - static const uint8_t test_y[] = { /* y=g^x mod p */ -- 0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1, -- 0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 }; -+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, -+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, -+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, -+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, -+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, -+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, -+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, -+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, -+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, -+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, -+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, -+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, -+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, -+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, -+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, -+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, -+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, -+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, -+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, -+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, -+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, -+ 
0x36, 0x9E, 0xDA, 0xD2 -+ }; - - gnutls_pk_params_init(&priv); - gnutls_pk_params_init(&pub); diff --git a/gnutls.changes b/gnutls.changes index 2b3e181..c555ffe 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal + +- Update to 3.7.0 + * Depend on nettle 3.6 + * Added a new API that provides a callback function to retrieve + missing certificates from incomplete certificate chains + * Added a new API that provides a callback function to output the + complete path to the trusted root during certificate chain + verification + * OIDs exposed as gnutls_datum_t no longer account for the + terminating null bytes, while the data field is null terminated. + The affected API functions are: gnutls_ocsp_req_get_extension, + gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension + * Added a new set of API to enable QUIC implementation + * The crypto implementation override APIs deprecated in 3.6.9 are + now no-op + * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support + * Support for padlock has been fixed to make it work with Zhaoxin CPU + * The maximum PIN length for PKCS #11 has been increased from 31 + bytes to 255 bytes +- Remove patch fixed upstream: + * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch +- Add version guards for the crypto-policies package + ------------------------------------------------------------------- Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal diff --git a/gnutls.spec b/gnutls.spec index ae7bf1d..cc02241 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -28,21 +28,20 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.15 +Version: 3.7.0 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later Group: Productivity/Networking/Security URL: https://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz -Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig -Source2: %{name}.keyring +Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz +Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig +Source2: gnutls.keyring Source3: baselibs.conf Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch Patch3: gnutls-FIPS-TLS_KDF_selftest.patch -Patch4: gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -52,7 +51,7 @@ BuildRequires: gcc-c++ # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel -BuildRequires: libnettle-devel >= 3.4.1 +BuildRequires: libnettle-devel >= 3.6 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel @@ -81,7 +80,9 @@ BuildRequires: libunbound-devel %if %{with guile} BuildRequires: guile-devel %endif +%if 0%{?suse_version} && ! 0%{?sle_version} Requires: crypto-policies +%endif %description The GnuTLS library provides a secure layer over a reliable transport @@ -162,6 +163,7 @@ Requires(pre): %{install_info_prereq} %description -n libgnutlsxx-devel Files needed for software development using gnutls. +%if %{with guile} %package guile Summary: Guile wrappers for gnutls License: LGPL-2.1-or-later 
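Review bot: `Requires: crypto-policies` is now guarded by `%if 0%{?suse_version} && ! 0%{?sle_version}`, but the `--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config` and `--with-default-priority-string="@SYSTEM"` configure flags from the earlier commit stay unconditional. Where the guard is false the library's default priority string points at a file no dependency guarantees is present; how GnuTLS resolves `@SYSTEM` when that file is missing is not visible here and should be verified before relying on it. Either wrap the two configure lines in the same condition or add a comment next to the guard explaining why the mismatch is acceptable.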
@@ -170,11 +172,15 @@ Requires: guile %description guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. +%endif %prep %autosetup -p1 +echo "SYSTEM=NORMAL" >> tests/system.prio + %build +%define _lto_cflags %{nil} export LDFLAGS="-pie" export CFLAGS="%{optflags} -fPIE" export CXXFLAGS="%{optflags} -fPIE" @@ -200,8 +206,6 @@ export CXXFLAGS="%{optflags} -fPIE" --enable-fips140-mode \ %{nil} -echo "SYSTEM=NORMAL" >> tests/system.prio - make %{?_smp_mflags} # the hmac hashes: @@ -339,8 +343,14 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { %if %{with guile} %files guile -%{_libdir}/guile/* -%{_datadir}/guile/gnutls* +%{_libdir}/guile/3.0/site-ccache +%{_libdir}/guile/3.0/site-ccache/gnutls +%{_libdir}/guile/3.0/extensions/guile-gnutls-v-2.so* +%{_libdir}/guile/3.0/site-ccache/gnutls.go +%{_libdir}/guile/3.0/site-ccache/gnutls/extra.go +%{_datadir}/guile/gnutls +%{_datadir}/guile/gnutls.scm +%{_datadir}/guile/gnutls/extra.scm %endif %changelog From 3ef6ac322f0a8ba743db765c29f470f4bb34266becabeff53598f6fafd251e53 Mon Sep 17 00:00:00 2001 From: Jason Sikes Date: Wed, 10 Feb 2021 16:11:35 +0000 Subject: [PATCH 4/5] Accepting request 870946 from home:pmonrealgonzalez:branches:security:tls Fix multiple build problems OBS-URL: https://build.opensuse.org/request/show/870946 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=46 --- gnutls-gnutls-cli-debug.patch | 39 ++ gnutls-ignore-duplicate-certificates.patch | 403 +++++++++++++++++++++ gnutls-test-fixes.patch | 117 ++++++ gnutls.changes | 24 ++ gnutls.spec | 13 +- 5 files changed, 595 insertions(+), 1 deletion(-) create mode 100644 gnutls-gnutls-cli-debug.patch create mode 100644 gnutls-ignore-duplicate-certificates.patch create mode 100644 gnutls-test-fixes.patch diff --git a/gnutls-gnutls-cli-debug.patch b/gnutls-gnutls-cli-debug.patch new file mode 100644 index 0000000..1156efd --- /dev/null +++ b/gnutls-gnutls-cli-debug.patch 
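Review bot: `%define _lto_cflags %{nil}` is added to `%build` with no comment saying why LTO has to be turned off for this package, so the next person updating the spec cannot tell whether the workaround is still needed. A one-line comment above it, `# LTO disabled: <TODO: reason / bug reference>`, would do.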
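Review bot: The rewritten `%files guile` list hard-codes `guile/3.0/` in every `%{_libdir}` path, so the next guile update will break the package build silently rather than at the dependency level. Deriving that path component from the guile version available at build time, or at least noting the coupling with a comment such as `# paths track the guile 3.0 site-ccache layout`, would make the assumption visible.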
@@ -0,0 +1,39 @@ +From 5a64e896a56ef602bb86242bbac01e4319f12cbe Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 9 Feb 2021 15:26:07 +0100 +Subject: [PATCH] tests/gnutls-cli-debug.sh: don't unset system priority + settings + +When the test is exercised, GNUTLS_SYSTEM_PRIORITY_FILE is set in many +places, such as TESTS_ENVIRONMENT tests/Makefile.am or a packaging +system that runs the test in a restricted environment. Unsetting it +after a temporary use forces the remaining part of the test to use the +default system priority, which might not be the intention of the user. + +Signed-off-by: Daiki Ueno +--- + tests/gnutls-cli-debug.sh | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh +index a73910dea6..3c3e2214e5 100755 +--- a/tests/gnutls-cli-debug.sh ++++ b/tests/gnutls-cli-debug.sh +@@ -184,13 +184,11 @@ cat <<_EOF_ > ${TMPFILE} + tls-disabled-cipher = CAMELLIA-128-CBC + tls-disabled-cipher = CAMELLIA-256-CBC + _EOF_ +-export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + ++GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ + timeout 1800 datefudge "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + +-unset GNUTLS_SYSTEM_PRIORITY_FILE +- + kill ${PID} + wait + +-- +GitLab + diff --git a/gnutls-ignore-duplicate-certificates.patch b/gnutls-ignore-duplicate-certificates.patch new file mode 100644 index 0000000..ffed25e --- /dev/null +++ b/gnutls-ignore-duplicate-certificates.patch 
@@ -0,0 +1,403 @@ +From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 28 Dec 2020 12:14:13 +0100 +Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate + certificates + +The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a +regression, where duplicate certificates in a certificate chain are no +longer ignored but treated as a non-contiguous segment and that +results in calling the issuer callback, or a verification failure. + +This adds a mechanism to record certificates already seen in the +chain, and skip them while still allow the caller to inject missing +certificates. + +Signed-off-by: Daiki Ueno +Co-authored-by: Andreas Metzler +--- + lib/x509/common.c | 8 ++ + lib/x509/verify-high.c | 157 +++++++++++++++++++++++++++++++------ + tests/missingissuer.c | 2 + + tests/test-chains-issuer.h | 101 +++++++++++++++++++++++- + 4 files changed, 245 insertions(+), 23 deletions(-) + +diff --git a/lib/x509/common.c b/lib/x509/common.c +index 3301aaad0c..10c8db53c0 100644 +--- a/lib/x509/common.c ++++ b/lib/x509/common.c +@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, + * increasing DEFAULT_MAX_VERIFY_DEPTH. + */ + for (i = 0; i < clist_size; i++) { ++ /* Self-signed certificate found in the chain; skip it ++ * as it should only appear in the trusted set. 
++ */ ++ if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { ++ _gnutls_cert_log("self-signed cert found", clist[i]); ++ continue; ++ } ++ + for (j = 1; j < clist_size; j++) { + if (i == j) + continue; +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index 588e7ee0dc..9a16e6b42a 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter { + + #define DEFAULT_SIZE 127 + ++struct cert_set_node_st { ++ gnutls_x509_crt_t *certs; ++ unsigned int size; ++}; ++ ++struct cert_set_st { ++ struct cert_set_node_st *node; ++ unsigned int size; ++}; ++ ++static int ++cert_set_init(struct cert_set_st *set, unsigned int size) ++{ ++ memset(set, 0, sizeof(*set)); ++ ++ set->size = size; ++ set->node = gnutls_calloc(size, sizeof(*set->node)); ++ if (!set->node) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ ++ return 0; ++} ++ ++static void ++cert_set_deinit(struct cert_set_st *set) ++{ ++ size_t i; ++ ++ for (i = 0; i < set->size; i++) { ++ gnutls_free(set->node[i].certs); ++ } ++ ++ gnutls_free(set->node); ++} ++ ++static bool ++cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash, i; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ for (i = 0; i < set->node[hash].size; i++) { ++ if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++static int ++cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert) ++{ ++ size_t hash; ++ ++ hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); ++ hash %= set->size; ++ ++ set->node[hash].certs = ++ gnutls_realloc_fast(set->node[hash].certs, ++ (set->node[hash].size + 1) * ++ sizeof(*set->node[hash].certs)); ++ if (!set->node[hash].certs) { ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } ++ set->node[hash].certs[set->node[hash].size] = cert; ++ set->node[hash].size++; ++ 
++ return 0; ++} ++ + /** + * gnutls_x509_trust_list_init: + * @list: A pointer to the type to be initialized +@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + unsigned have_set_name = 0; + unsigned saved_output; + gnutls_datum_t ip = {NULL, 0}; ++ struct cert_set_st cert_set = { NULL, 0 }; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); + cert_list = sorted; + ++ ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH); ++ if (ret < 0) { ++ return ret; ++ } ++ + for (i = 0; i < cert_list_size && +- cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) { +- if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { +- unsigned int sorted_size; ++ cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { ++ unsigned int sorted_size = 1; ++ unsigned int j; ++ gnutls_x509_crt_t issuer; + ++ if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { + sorted_size = _gnutls_sort_clist(&cert_list[i], + cert_list_size - i); +- i += sorted_size - 1; + } + +- if (i == cert_list_size - 1) { +- gnutls_x509_crt_t issuer; +- +- /* If it is the last certificate and its issuer is +- * known, don't need to run issuer callback. */ +- if (_gnutls_trust_list_get_issuer(list, +- cert_list[i], +- &issuer, +- 0) == 0) { ++ /* Remove duplicates. Start with index 1, as the first element ++ * may be re-checked after issuer retrieval. */ ++ for (j = 1; j < sorted_size; j++) { ++ if (cert_set_contains(&cert_set, cert_list[i + j])) { ++ if (i + j < cert_list_size - 1) { ++ memmove(&cert_list[i + j], ++ &cert_list[i + j + 1], ++ sizeof(cert_list[i])); ++ } ++ cert_list_size--; + break; + } +- } else if (gnutls_x509_crt_check_issuer(cert_list[i], +- cert_list[i + 1])) { +- /* There is no gap between this and the next +- * certificate. 
*/ ++ } ++ /* Found a duplicate, try again with the same index. */ ++ if (j < sorted_size) { ++ continue; ++ } ++ ++ /* Record the certificates seen. */ ++ for (j = 0; j < sorted_size; j++, i++) { ++ ret = cert_set_add(&cert_set, cert_list[i]); ++ if (ret < 0) { ++ goto cleanup; ++ } ++ } ++ ++ /* If the issuer of the certificate is known, no need ++ * for further processing. */ ++ if (_gnutls_trust_list_get_issuer(list, ++ cert_list[i - 1], ++ &issuer, ++ 0) == 0) { ++ cert_list_size = i; ++ break; ++ } ++ ++ /* If there is no gap between this and the next certificate, ++ * proceed with the next certificate. */ ++ if (i < cert_list_size && ++ gnutls_x509_crt_check_issuer(cert_list[i - 1], ++ cert_list[i])) { + continue; + } + + ret = retrieve_issuers(list, +- cert_list[i], ++ cert_list[i - 1], + &retrieved[retrieved_size], + DEFAULT_MAX_VERIFY_DEPTH - + MAX(retrieved_size, +@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + if (ret < 0) { + break; + } else if (ret > 0) { +- memmove(&cert_list[i + 1 + ret], +- &cert_list[i + 1], +- (cert_list_size - i - 1) * ++ assert((unsigned int)ret <= ++ DEFAULT_MAX_VERIFY_DEPTH - cert_list_size); ++ memmove(&cert_list[i + ret], ++ &cert_list[i], ++ (cert_list_size - i) * + sizeof(gnutls_x509_crt_t)); +- memcpy(&cert_list[i + 1], ++ memcpy(&cert_list[i], + &retrieved[retrieved_size], + ret * sizeof(gnutls_x509_crt_t)); + retrieved_size += ret; + cert_list_size += ret; ++ ++ /* Start again from the end of the previous segment. 
*/ ++ i--; + } + } + +@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, + for (i = 0; i < retrieved_size; i++) { + gnutls_x509_crt_deinit(retrieved[i]); + } ++ cert_set_deinit(&cert_set); + return ret; + } + +diff --git a/tests/missingissuer.c b/tests/missingissuer.c +index f21e2b6b0c..226d095929 100644 +--- a/tests/missingissuer.c ++++ b/tests/missingissuer.c +@@ -145,6 +145,8 @@ void doit(void) + printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name); + + for (j = 0; chains[i].chain[j]; j++) { ++ assert(j < MAX_CHAIN); ++ + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + +diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h +index 543e2d71fb..bf1e65c956 100644 +--- a/tests/test-chains-issuer.h ++++ b/tests/test-chains-issuer.h +@@ -24,7 +24,7 @@ + #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + +-#define MAX_CHAIN 6 ++#define MAX_CHAIN 15 + + #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n" \ + "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \ +@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = { + NULL, + }; + ++static const char *missing_middle_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_2, ++ CA_CERT_2, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_last_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_2, ++ CA_CERT_2, ++ NULL, ++}; ++ ++static const char *missing_last_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_4, ++ CA_CERT_4, ++ CA_CERT_3, ++ 
CA_CERT_3, ++ NULL, ++}; ++ ++static const char *missing_skip_single_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ CA_CERT_1, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_skip_multiple_duplicate[] = { ++ SERVER_CERT, ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_5, ++ CA_CERT_3, ++ CA_CERT_3, ++ NULL, ++}; ++ + static const char *missing_ca[] = { + CA_CERT_0, + NULL, + }; + ++static const char *middle_single_duplicate_ca[] = { ++ SERVER_CERT, ++ CA_CERT_5, ++ CA_CERT_0, ++ CA_CERT_4, ++ CA_CERT_0, ++ CA_CERT_2, ++ CA_CERT_0, ++ CA_CERT_1, ++ NULL, ++}; ++ ++static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = { ++ CA_CERT_0, ++ NULL, ++}; ++ + static struct chains { + const char *name; + const char **chain; +@@ -377,6 +468,14 @@ static struct chains { + { "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 }, + { "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 }, ++ { "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 }, ++ { "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 }, ++ { "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 }, ++ { "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 }, ++ { "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 }, ++ { "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, 
missing_ca, 0, 0 }, ++ { "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND }, + { NULL, NULL, NULL, NULL }, + }; + +-- +GitLab + diff --git a/gnutls-test-fixes.patch b/gnutls-test-fixes.patch new file mode 100644 index 0000000..0cad930 --- /dev/null +++ b/gnutls-test-fixes.patch 
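Review bot: In the duplicate-removal loop added to gnutls_x509_trust_list_verify_crt2 (lib/x509/verify-high.c), the `memmove` that drops `cert_list[i + j]` copies `sizeof(cert_list[i])` bytes, i.e. a single pointer, so only the next entry is pulled forward; when at least two entries follow the duplicate, everything after `i + j + 1` stays where it was, the pulled-forward entry is now present twice, and `cert_list_size--` discards the list's last certificate instead. The length should cover the whole tail: `memmove(&cert_list[i + j], &cert_list[i + j + 1], (cert_list_size - i - j - 1) * sizeof(cert_list[i]));`. The new test chains double every certificate, and if _gnutls_sort_clist (outside this hunk) happens to leave the duplicates trailing they would not exercise this case, so a test with a duplicate in the middle of an otherwise complete chain is worth adding. Separately, `cert_set_init` stores `set->size` before the `gnutls_calloc` that can fail, so `cert_set_deinit` on a failed-init set would index a NULL `node`; assigning `size` only after the allocation succeeds would make deinit safe and let the bare `return ret` after `cert_set_init` become a `goto cleanup` like the function's other error paths. The body of gnutls_x509_trust_list_verify_crt2 begins and ends outside this hunk.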
@@ -0,0 +1,117 @@ +diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh +index 38b9585bc002ac9d32003ec7127153f9950ad1b1..09a6274776935f07f91a5be1eb79a573165ded93 100755 +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -67,6 +67,8 @@ have_ed25519=0 + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + ++TESTDATE=2020-12-01 ++ + . ${srcdir}/scripts/common.sh + + rm -f "${LOGFILE}" +@@ -79,6 +81,8 @@ exit_error () { + exit 1 + } + ++skip_if_no_datefudge ++ + # $1: token + # $2: PIN + # $3: filename +@@ -523,6 +527,7 @@ write_certificate_test () { + pubkey="$5" + + echo -n "* Generating client certificate... " ++ datefudge -s "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -900,7 +905,9 @@ use_certificate_test () { + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + eval "${GETPORT}" +- launch_server ${ADDITIONAL_PARAM} --echo --priority NORMAL --x509certfile="${certfile}" \ ++ launch_bare_server datefudge -s "$TESTDATE" \ ++ $VALGRIND $SERV $DEBUG -p "$PORT" \ ++ ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ + --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 + +@@ -908,13 +915,16 @@ use_certificate_test () { + wait_server ${PID} + + # connect to server using SC ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" 
+ ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + ++ datefudge -s "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" >"${LOGFILE}" 2>&1 || \ +diff --git a/tests/tpmtool_test.sh b/tests/tpmtool_test.sh +index eba502612a293eb11134a62ce749ff87e6778ab2..77fe17e59341a344590ea22f62076e4db54dd91a 100755 +--- a/tests/tpmtool_test.sh ++++ b/tests/tpmtool_test.sh +@@ -138,6 +138,7 @@ start_tcsd() + local tcsd_conf=$workdir/tcsd.conf + local tcsd_system_ps_file=$workdir/system_ps_file + local tcsd_pidfile=$workdir/tcsd.pid ++ local owner + + start_swtpm "$workdir" + [ $? -ne 0 ] && return 1 +@@ -146,20 +147,36 @@ start_tcsd() + port = $TCSD_LISTEN_PORT + system_ps_file = $tcsd_system_ps_file + _EOF_ ++ # older versions of trousers require tss:tss ownership of the ++ # config file, later ones root:tss ++ for owner in tss root; do ++ if [ "$owner" = "tss" ]; then ++ chmod 0600 $tcsd_conf ++ else ++ chmod 0640 $tcsd_conf ++ fi ++ chown $owner:tss $tcsd_conf + +- chown tss:tss $tcsd_conf +- chmod 0600 $tcsd_conf ++ bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & ++ BASH_PID=$! + +- bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" & +- BASH_PID=$! 
++ if wait_for_file $tcsd_pidfile 3; then ++ echo "Could not get TCSD's PID file" ++ return 1 ++ fi + +- if wait_for_file $tcsd_pidfile 3; then +- echo "Could not get TCSD's PID file" +- return 1 +- fi ++ sleep 0.5 ++ TCSD_PID=$(cat $tcsd_pidfile) ++ kill -0 "${TCSD_PID}" ++ if [ $? -ne 0 ]; then ++ # Try again with other owner ++ continue ++ fi ++ return 0 ++ done + +- TCSD_PID=$(cat $tcsd_pidfile) +- return 0 ++ echo "TCSD could not be started" ++ return 1 + } + + stop_tcsd() diff --git a/gnutls.changes b/gnutls.changes index c555ffe..48532e6 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal + +- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565] + * Don't unset system priority settings in gnutls-cli-debug.sh + * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387 +- Add gnutls-gnutls-cli-debug.patch + +------------------------------------------------------------------- +Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal + +- Fix: Test certificates in tests/testpkcs11-certs have expired + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 +- Add gnutls-test-fixes.patch + +------------------------------------------------------------------- +Mon Feb 8 18:05:56 UTC 2021 - Pedro Monreal + +- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates + * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131 +- Add gnutls-ignore-duplicate-certificates.patch + ------------------------------------------------------------------- Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal 
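Review bot: The retry loop added to start_tcsd in tests/tpmtool_test.sh enters its second iteration with the first attempt's state still in place: the `bash -c` job recorded in `BASH_PID` is neither killed nor waited for, and `$tcsd_pidfile` written by the first attempt is not removed, so `wait_for_file` (defined outside the hunk) would presumably return immediately and `TCSD_PID=$(cat $tcsd_pidfile)` read the stale PID, making the `kill -0` check test the wrong process. Resetting at the top of the loop body, `rm -f $tcsd_pidfile`, and terminating the previous job before `continue`, `kill "$BASH_PID" 2>/dev/null; wait "$BASH_PID" 2>/dev/null`, would make the second attempt meaningful. The fixed `sleep 0.5` before `kill -0` also cannot tell a slow daemon start from a failed one; polling for a short bounded period, as wait_for_file appears to do, would be more robust on loaded build hosts. start_tcsd begins before the patched lines.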
@@ -22,6 +44,8 @@ Wed Jan 27 23:33:15 UTC 2021 - Pedro Monreal - Remove patch fixed upstream: * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - Add version guards for the crypto-policies package +- Fix threading bug in libgnutls [bsc#1173434] + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044 ------------------------------------------------------------------- Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal diff --git a/gnutls.spec b/gnutls.spec index cc02241..80623fc 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -42,6 +42,12 @@ Patch0: gnutls-3.5.11-skip-trust-store-tests.patch Patch1: gnutls-3.6.6-set_guile_site_dir.patch Patch2: gnutls-temporarily_disable_broken_guile_reauth_test.patch Patch3: gnutls-FIPS-TLS_KDF_selftest.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1131 +Patch4: gnutls-ignore-duplicate-certificates.patch +#PATCH-FIX-UPSTREAM gitlab.com/gnutls/gnutls/issues/1135 +Patch5: gnutls-test-fixes.patch +#PATCH-FIX-UPSTREAM bsc#1171565 gitlab.com/gnutls/gnutls/merge_requests/1387 +Patch6: gnutls-gnutls-cli-debug.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge @@ -343,14 +349,19 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || { %if %{with guile} %files guile +%if 0%{?suse_version} > 1550 +%{_libdir}/guile/3.0/guile-gnutls*.so* %{_libdir}/guile/3.0/site-ccache %{_libdir}/guile/3.0/site-ccache/gnutls -%{_libdir}/guile/3.0/extensions/guile-gnutls-v-2.so* %{_libdir}/guile/3.0/site-ccache/gnutls.go %{_libdir}/guile/3.0/site-ccache/gnutls/extra.go %{_datadir}/guile/gnutls %{_datadir}/guile/gnutls.scm %{_datadir}/guile/gnutls/extra.scm +%else +%{_libdir}/guile/* +%{_datadir}/guile/gnutls* +%endif %endif %changelog From ae52194a463ba06ba82e686765debc1d8c09076a39d20d00e6fcd0300fa390be Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 18 Feb 2021 12:52:35 +0000 Subject: [PATCH 5/5] Accepting request 873376 from home:pmonrealgonzalez:branches:security:tls Fix changelog entry OBS-URL: https://build.opensuse.org/request/show/873376 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=47 --- gnutls.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnutls.changes b/gnutls.changes index 48532e6..fd18e4f 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -10,7 +10,7 @@ Wed Feb 10 12:08:05 UTC 2021 - Pedro Monreal Wed Feb 10 11:17:51 UTC 2021 - Pedro Monreal - Fix: Test certificates in tests/testpkcs11-certs have expired - * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 + * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 - Add gnutls-test-fixes.patch -------------------------------------------------------------------