From eccec72a4b5c2749e6fae3bf7058d141dba97ed2a34fe58793cd79a60f9bf148 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Wed, 2 Nov 2022 21:55:38 +0000
Subject: [PATCH] Accepting request 1032959 from home:pmonrealgonzalez:branches:security:tls

- Temporarily revert the jitterentropy patches in s390 and s390x architectures until a fix is provided [bsc#1204937]
- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
* Package the FIPS .hmac files
* Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch

OBS-URL: https://build.opensuse.org/request/show/1032959
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=79
---
 gnutls-FIPS-hmac-check-only-libgnutls.patch | 20 -------------
 gnutls.changes | 18 ++++++------
 gnutls.spec | 32 +++++++--------------
 3 files changed, 20 insertions(+), 50 deletions(-)
 delete mode 100644 gnutls-FIPS-hmac-check-only-libgnutls.patch

diff --git a/gnutls-FIPS-hmac-check-only-libgnutls.patch b/gnutls-FIPS-hmac-check-only-libgnutls.patch
deleted file mode 100644
index e43418a..0000000
--- a/gnutls-FIPS-hmac-check-only-libgnutls.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: gnutls-3.7.8/lib/fips.c
-===================================================================
---- gnutls-3.7.8.orig/lib/fips.c
-+++ gnutls-3.7.8/lib/fips.c
-@@ -402,6 +402,7 @@ static int check_binary_integrity(void)
- ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
- if (ret < 0)
- return ret;
-+#if 0
- ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
- if (ret < 0)
- return ret;
-@@ -411,6 +412,7 @@ static int check_binary_integrity(void)
- ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
- if (ret < 0)
- return ret;
-+#endif
- 
- return 0;
- }
diff --git a/gnutls.changes b/gnutls.changes
index 822c649..20d9a0f 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,15 +1,15 @@
+-------------------------------------------------------------------
+Wed Nov 2 20:51:43 UTC 2022 - Pedro Monreal
+
+- Temporarily revert the jitterentropy patches in s390 and s390x
+ architectures until a fix is provided [bsc#1204937]
+
 -------------------------------------------------------------------
 Fri Oct 14 11:35:33 UTC 2022 - Pedro Monreal
 
-- The FIPS hmac is now calculated with an internal tool since
- commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and it has
- been renamed to .gnutls.hmac. [bsc#1199881, bsc#1203245]
- * Remove the fipscheck build dependency
- * Check only the calculated hmac for libgnutls.so.30 since the
- calculated hmacs for libnettle.so.8, libhogweed.so.6 and
- libgmp.so.10 in .gnutls.hmac are incorrect.
- * Add gnutls-FIPS-hmac-check-only-libgnutls.patch
- * Remove gnutls-FIPS-Run-CFB8-without-offset.patch
+- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
+ * Package the FIPS .hmac files
+ * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
 
 -------------------------------------------------------------------
 Sun Oct 9 12:53:27 UTC 2022 - Pedro Monreal
diff --git a/gnutls.spec b/gnutls.spec
index 2db0599..585ab48 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -52,21 +52,22 @@ Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
 Patch2: gnutls-FIPS-disable-failing-tests.patch
 Patch3: gnutls_ECDSA_signing.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%ifnarch s390 s390x
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
 Patch4: gnutls-FIPS-jitterentropy.patch
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Set error state when jent init failed in FIPS mode
 Patch5: gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
 %endif
+%endif
 #PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and allow SHA only
 Patch6: gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
 #PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
 Patch7: gnutls-Make-XTS-key-check-failure-not-fatal.patch
-#PATCH-FIX-SUSE bsc#1199881 FIPS: Check only the calculated hmac for libgnutls.so.%%{gnutls_sover}
-Patch8: gnutls-FIPS-hmac-check-only-libgnutls.patch
 BuildRequires: autogen
 BuildRequires: automake
 BuildRequires: datefudge
 BuildRequires: fdupes
+BuildRequires: fipscheck
 BuildRequires: gcc-c++
 BuildRequires: gtk-doc
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
@@ -257,6 +258,13 @@ autoreconf -fiv
 
 %install
 %make_install
+
+# Compute FIPS hmac using the brp-50-generate-fips-hmac script
+export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
+
+./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.gnutls.hmac
+sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
+
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
 # Do not package static libs and libtool files
 find %{buildroot} -type f -name "*.la" -delete -print
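Review bot: Dropping `Patch8: gnutls-FIPS-hmac-check-only-libgnutls.patch` re-enables the `check_lib_hmac` calls for libnettle, libhogweed and libgmp in `check_binary_integrity` (the deleted patch above wrapped them in `#if 0`), yet the Oct 14 changes entry this commit rewrites stated that the `.gnutls.hmac` entries computed for those three libraries were incorrect, and neither the spec nor the new changes entry says what makes them valid now. If the intent is that the fipscheck-generated `.libgnutls.so.*.hmac` file is what gets verified, that is not the file the unpatched `lib/fips.c` context shown above reads, so the FIPS integrity self-check may still fail at library initialisation on a FIPS-enabled host. A one-line comment above `BuildRequires: fipscheck` naming which hmac file the runtime check consumes and why the dependency-library entries are now trusted would make this change reviewable and keep bsc#1199881 traceable in the spec.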
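Review bot: The added `./lib/fipshmac "…libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.gnutls.hmac` now runs inside %install, before `%__os_install_post` strips the library, so the packaged `.gnutls.hmac` is computed over bytes the installed libgnutls.so no longer contains; the comment block removed in the next hunk (the `__os_install_post` redefinition) documents exactly this strip-invalidates-HMAC problem and ran the tool after the macro for that reason. Unless stripping is disabled for this library or brp-50-generate-fips-hmac also rewrites `.gnutls.hmac` (it is only handed `BRP_FIPSHMAC_FILES`, and its own output is the `.libgnutls.so.*.hmac` file added to %files), a FIPS-mode process will reject the library as tampered. The new `# Compute FIPS hmac using the brp-50-generate-fips-hmac script` comment also describes only the `export` line, not the `./lib/fipshmac` and `sed` lines beneath it that produce the `.gnutls.hmac` the runtime check reads per the Oct 14 changes entry; either keep the post-strip ordering or state in that comment why a pre-strip `.gnutls.hmac` is acceptable. The %install section continues past the end of this hunk.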
@@ -275,25 +283,6 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
 
 %find_lang libgnutls --all-name
 
-# the hmac hashes:
-#
-# this is a hack that re-defines the __os_install_post macro
-# for a simple reason: the macro strips the binaries and thereby
-# invalidates a HMAC that may have been created earlier.
-# solution: create the hashes _after_ the macro runs.
-#
-# this shows up earlier because otherwise the %%expand of
-# the macro is too late.
-# remark: This is the same as running
-# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
-# note: The FIPS hmac is now calculated with an internal tool since
-# commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and the file
-# has been renamed to .gnutls.hmac
-%{expand:%%global __os_install_post {%__os_install_post
-./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.30" > %{buildroot}%{_libdir}/.gnutls.hmac
-sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
-}}
-
 %check
 %if ! 0%{?qemu_user_space_build}
 %make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
@@ -343,6 +332,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}-hmac
 %license LICENSE
+%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 %{_libdir}/.gnutls.hmac
 %if %{with dane}