Accepting request 790830 from home:vitezslav_cizek:branches:security:tls

- Use correct nettle .so version when looking for a FIPS checksum
  (bsc#1166635)
  * add gnutls-fips_correct_nettle_soversion.patch

- Update to 3.6.13
  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support)
    The DTLS client would not contribute any randomness to the DTLS negotiation,
    breaking the security guarantees of the DTLS protocol (#960)
    [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
  * libgnutls: Added new APIs to access KDF algorithms (#813).
  * libgnutls: Added new callback gnutls_keylog_func that enables a custom
    logging functionality.
  * libgnutls: Added support for non-null terminated usernames in PSK
    negotiation (#586).
  * gnutls-cli-debug: Improved support for old servers that only support
    SSL 3.0.

- Split off FIPS checksums into a separate libgnutls30-hmac
  subpackage (bsc#1152692)

OBS-URL: https://build.opensuse.org/request/show/790830
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=32

gnutls-3.6.12.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b
-size 5942064

gnutls-3.6.13.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38
+size 5958956

gnutls-fips_correct_nettle_soversion.patch

@@ -0,0 +1,13 @@
+Index: gnutls-3.6.12/lib/fips.c
+===================================================================
+--- gnutls-3.6.12.orig/lib/fips.c	2019-06-27 06:40:43.000000000 +0200
++++ gnutls-3.6.12/lib/fips.c	2020-03-16 09:29:39.056332128 +0100
+@@ -136,7 +136,7 @@ void _gnutls_fips_mode_reset_zombie(void
+ }
+ 
+ #define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
+-#define NETTLE_LIBRARY_NAME "libnettle.so.6"
++#define NETTLE_LIBRARY_NAME "libnettle.so.7"
+ #define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
+ #define GMP_LIBRARY_NAME "libgmp.so.10"
+ 

gnutls.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Thu Apr  2 09:32:01 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Use correct nettle .so version when looking for a FIPS checksum
+  (bsc#1166635)
+  * add gnutls-fips_correct_nettle_soversion.patch
+
+-------------------------------------------------------------------
+Thu Apr  2 08:48:39 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 3.6.13
+  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
+support)
+    The DTLS client would not contribute any randomness to the DTLS negotiation,
+    breaking the security guarantees of the DTLS protocol (#960)
+    [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
+  * libgnutls: Added new APIs to access KDF algorithms (#813).
+  * libgnutls: Added new callback gnutls_keylog_func that enables a custom
+    logging functionality.
+  * libgnutls: Added support for non-null terminated usernames in PSK
+    negotiation (#586).
+  * gnutls-cli-debug: Improved support for old servers that only support
+    SSL 3.0.
+
+-------------------------------------------------------------------
+Mon Mar 30 12:43:33 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Split off FIPS checksums into a separate libgnutls30-hmac
+  subpackage (bsc#1152692)
+
 -------------------------------------------------------------------
 Tue Feb  4 09:49:44 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
 

gnutls.spec

@@ -28,7 +28,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.6.12
+Version:        3.6.13
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -39,6 +39,7 @@ Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         gnutls-3.5.11-skip-trust-store-tests.patch
+Patch2:         gnutls-fips_correct_nettle_soversion.patch
 Patch4:         gnutls-3.6.6-set_guile_site_dir.patch
 BuildRequires:  autogen
 BuildRequires:  automake
@@ -86,14 +87,25 @@ of the IETF's TLS working group.
 
 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
+Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
 
 %description -n libgnutls%{gnutls_sover}
 The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.
 
+%package -n libgnutls%{gnutls_sover}-hmac
+Summary:        Checksums of the GNU Transport Layer Security Library
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}
+
+%description -n libgnutls%{gnutls_sover}-hmac
+FIPS SHA256 checksums of the libgnutls library.
+
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
@@ -157,9 +169,7 @@ Requires:       guile
 GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
 
 %prep
-%setup -q
+%autosetup -p1
-%patch1 -p1
-%patch4 -p1
 
 %build
 export LDFLAGS="-pie"
@@ -268,6 +278,8 @@ make %{?_smp_mflags} check || {
 
 %files -n libgnutls%{gnutls_sover}
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
+
+%files -n libgnutls%{gnutls_sover}-hmac
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}