pool/gnutls
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
..
compare: pool:slfo-main
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2

2 Commits
factory ... slfo-main

Author SHA256 Message Date
Angel Yankov
319000bc5b Fix CVE-2025-9820 2025-11-24 12:24:01 +02:00
Adrian Schröter
9ea88ec3aa Sync changes to SLFO-1.2 branch 2025-08-20 09:19:43 +02:00
19 changed files with 731 additions and 406 deletions
Expand all files Collapse all files

24
gnutls-3.8.10-disable-ktls_test.patch Normal file
View File

@@ -0,0 +1,24 @@
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -527,13 +527,13 @@ if !WINDOWS
#
if ENABLE_KTLS
-indirect_tests += gnutls_ktls
-dist_check_SCRIPTS += ktls.sh
+#indirect_tests += gnutls_ktls
+#dist_check_SCRIPTS += ktls.sh
-indirect_tests += ktls_keyupdate
-ktls_keyupdate_SOURCES = tls13/key_update.c
-ktls_keyupdate_CFLAGS = -DUSE_KTLS
-dist_check_SCRIPTS += ktls_keyupdate.sh
+#indirect_tests += ktls_keyupdate
+#ktls_keyupdate_SOURCES = tls13/key_update.c
+#ktls_keyupdate_CFLAGS = -DUSE_KTLS
+#dist_check_SCRIPTS += ktls_keyupdate.sh
endif
dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb

BIN
gnutls-3.8.10.tar.xz LFS Normal file
View File

Binary file not shown.

BIN
gnutls-3.8.10.tar.xz.sig Normal file
View File

Binary file not shown.

3
gnutls-3.8.11.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:91bd23c4a86ebc6152e81303d20cf6ceaeb97bc8f84266d0faec6e29f17baa20
size 6939944

BIN
gnutls-3.8.11.tar.xz.sig
View File

Binary file not shown.

248
gnutls-CVE-2025-9820.patch Normal file
View File

@@ -0,0 +1,248 @@
From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 18 Nov 2025 13:17:55 +0900
Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
.gitignore | 2 +
NEWS | 4 +
lib/pkcs11_write.c | 5 +-
tests/Makefile.am | 2 +-
tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
5 files changed, 174 insertions(+), 3 deletions(-)
create mode 100644 tests/pkcs11/long-label.c
Index: gnutls-3.8.10/NEWS
===================================================================
--- gnutls-3.8.10.orig/NEWS
+++ gnutls-3.8.10/NEWS
@@ -5,6 +5,12 @@ Copyright (C) 2000-2016 Free Software Fo
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
+ * Version 3.8.11 (unreleased)
+
+** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
+ Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
+ CVSS: low] [CVE-2025-9820]
+
* Version 3.8.10 (released 2025-07-08)
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
Index: gnutls-3.8.10/lib/pkcs11_write.c
===================================================================
--- gnutls-3.8.10.orig/lib/pkcs11_write.c
+++ gnutls-3.8.10/lib/pkcs11_write.c
@@ -28,6 +28,7 @@
#include "pkcs11x.h"
#include "x509/common.h"
#include "pk.h"
+#include "minmax.h"
static const ck_bool_t tval = 1;
static const ck_bool_t fval = 0;
@@ -1172,7 +1173,7 @@ int gnutls_pkcs11_delete_url(const char
* gnutls_pkcs11_token_init:
* @token_url: A PKCS #11 URL specifying a token
* @so_pin: Security Officer's PIN
- * @label: A name to be used for the token
+ * @label: A name to be used for the token, at most 32 characters
*
* This function will initialize (format) a token. If the token is
* at a factory defaults state the security officer's PIN given will be
@@ -1210,7 +1211,7 @@ int gnutls_pkcs11_token_init(const char
/* so it seems memset has other uses than zeroing! */
memset(flabel, ' ', sizeof(flabel));
if (label != NULL)
- memcpy(flabel, label, strlen(label));
+ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
(uint8_t *)flabel);
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -503,7 +503,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
if ENABLE_PKCS11
if !WINDOWS
ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
- global-init-override pkcs11/distrust-after
+ global-init-override pkcs11/distrust-after pkcs11/long-label
tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
Index: gnutls-3.8.10/tests/pkcs11/long-label.c
===================================================================
--- /dev/null
+++ gnutls-3.8.10/tests/pkcs11/long-label.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2025 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main(void)
+{
+ exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+
+#include "cert-common.h"
+#include "pkcs11/softhsm.h"
+#include "utils.h"
+
+/* This program tests that a token can be initialized with
+ * a label longer than 32 characters.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+#define PIN "1234"
+
+#define CONFIG_NAME "softhsm-long-label"
+#define CONFIG CONFIG_NAME ".config"
+
+static int pin_func(void *userdata, int attempt, const char *url,
+ const char *label, unsigned flags, char *pin,
+ size_t pin_max)
+{
+ if (attempt == 0) {
+ strcpy(pin, PIN);
+ return 0;
+ }
+ return -1;
+}
+
+static void test(const char *provider)
+{
+ int ret;
+ size_t i;
+
+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+
+ success("test with %s\n", provider);
+
+ if (debug) {
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(4711);
+ }
+
+ /* point to SoftHSM token that libpkcs11mock4.so internally uses */
+ setenv(SOFTHSM_ENV, CONFIG, 1);
+
+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
+
+ ret = gnutls_pkcs11_add_provider(provider, "trusted");
+ if (ret != 0) {
+ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
+ }
+
+ /* initialize softhsm token */
+ ret = gnutls_pkcs11_token_init(
+ SOFTHSM_URL, PIN,
+ "this is a very long label whose length exceeds 32");
+ if (ret < 0) {
+ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
+ }
+
+ for (i = 0;; i++) {
+ char *url = NULL;
+
+ ret = gnutls_pkcs11_token_get_url(i, 0, &url);
+ if (ret < 0)
+ break;
+ if (strstr(url,
+ "token=this%20is%20a%20very%20long%20label%20whose"))
+ break;
+ }
+ if (ret < 0)
+ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
+
+ gnutls_pkcs11_deinit();
+}
+
+void doit(void)
+{
+ const char *bin;
+ const char *lib;
+ char buf[128];
+
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
+ /* this must be called once in the program */
+ global_init();
+
+ /* we call gnutls_pkcs11_init manually */
+ gnutls_pkcs11_deinit();
+
+ /* check if softhsm module is loadable */
+ lib = softhsm_lib();
+
+ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */
+ bin = softhsm_bin();
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+
+ lib = getenv("P11MOCKLIB4");
+ if (lib == NULL) {
+ fail("P11MOCKLIB4 is not set\n");
+ }
+
+ set_softhsm_conf(CONFIG);
+ snprintf(buf, sizeof(buf),
+ "%s --init-token --slot 0 --label test --so-pin " PIN
+ " --pin " PIN,
+ bin);
+ system(buf);
+
+ test(lib);
+}
+#endif /* _WIN32 */

386
gnutls-FIPS-140-3-references.patch
View File

@@ -1,8 +1,8 @@
Index: gnutls-3.8.11/configure.ac
Index: gnutls-3.8.10/configure.ac
===================================================================
--- gnutls-3.8.11.orig/configure.ac
+++ gnutls-3.8.11/configure.ac
@@ -664,19 +664,19 @@ LT_INIT([disable-static,win32-dll,shared
--- gnutls-3.8.10.orig/configure.ac
+++ gnutls-3.8.10/configure.ac
@@ -665,19 +665,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
AC_ARG_ENABLE(fips140-mode,
@@ -25,10 +25,10 @@ Index: gnutls-3.8.11/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]),
Index: gnutls-3.8.11/doc/cha-gtls-app.texi
Index: gnutls-3.8.10/doc/cha-gtls-app.texi
===================================================================
--- gnutls-3.8.11.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.11/doc/cha-gtls-app.texi
--- gnutls-3.8.10.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.10/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize
@@ -38,10 +38,10 @@ Index: gnutls-3.8.11/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement.
@end multitable
Index: gnutls-3.8.11/doc/cha-internals.texi
Index: gnutls-3.8.10/doc/cha-internals.texi
===================================================================
--- gnutls-3.8.11.orig/doc/cha-internals.texi
+++ gnutls-3.8.11/doc/cha-internals.texi
--- gnutls-3.8.10.orig/doc/cha-internals.texi
+++ gnutls-3.8.10/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling::
* Cryptographic Backend::
@@ -162,11 +162,11 @@ Index: gnutls-3.8.11/doc/cha-internals.texi
operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with
Index: gnutls-3.8.11/doc/enums.texi
Index: gnutls-3.8.10/doc/enums.texi
===================================================================
--- gnutls-3.8.11.orig/doc/enums.texi
+++ gnutls-3.8.11/doc/enums.texi
@@ -1236,7 +1236,7 @@ application traffic secret is installed
--- gnutls-3.8.10.orig/doc/enums.texi
+++ gnutls-3.8.10/doc/enums.texi
@@ -1230,7 +1230,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t
@table @code
@item GNUTLS_@-FIPS140_@-DISABLED
@@ -175,7 +175,7 @@ Index: gnutls-3.8.11/doc/enums.texi
@item GNUTLS_@-FIPS140_@-STRICT
The default mode; all forbidden operations will cause an
operation failure via error code.
@@ -1244,8 +1244,8 @@ operation failure via error code.
@@ -1238,8 +1238,8 @@ operation failure via error code.
A transient state during library initialization. That state
cannot be set or seen by applications.
@item GNUTLS_@-FIPS140_@-LAX
@@ -186,10 +186,10 @@ Index: gnutls-3.8.11/doc/enums.texi
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.11/doc/functions/gnutls_fips140_set_mode
Index: gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode
===================================================================
--- gnutls-3.8.11.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.11/doc/functions/gnutls_fips140_set_mode
--- gnutls-3.8.10.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@
@@ -215,19 +215,19 @@ Index: gnutls-3.8.11/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.11/doc/gnutls.html
Index: gnutls-3.8.10/doc/gnutls.html
===================================================================
--- gnutls-3.8.11.orig/doc/gnutls.html
+++ gnutls-3.8.11/doc/gnutls.html
--- gnutls-3.8.10.orig/doc/gnutls.html
+++ gnutls-3.8.10/doc/gnutls.html
@@ -490,7 +490,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
<li><a id="toc-Random-Number-Generators" href="#Random-Number-Generators_002dinternals">11.6 Random Number Generators</a></li>
- <li><a id="toc-FIPS140_002d2-mode" href="#FIPS140_002d2-mode">11.7 FIPS140-2 mode</a></li>
+ <li><a id="toc-FIPS140_002d2-mode" href="#FIPS140_002d2-mode">11.7 FIPS140-3 mode</a></li>
- <li><a id="toc-FIPS140_002d2-mode-1" href="#FIPS140_002d2-mode">11.7 FIPS140-2 mode</a></li>
+ <li><a id="toc-FIPS140_002d2-mode-1" href="#FIPS140_002d2-mode">11.7 FIPS140-3 mode</a></li>
</ul></li>
<li><a id="toc-Upgrading-from-previous-versions" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support" href="#Support">Appendix B Support</a>
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
@@ -9050,7 +9050,7 @@ CPU. The currently available options are
</li><li>0x200000: Enable VIA PHE
</li><li>0x400000: Enable VIA PHE SHA512
@@ -237,7 +237,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
if set to one it will force the FIPS mode enablement.</td></tr>
</tbody>
</table>
@@ -18559,7 +18559,7 @@ None:
@@ -18547,7 +18547,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@@ -246,7 +246,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
@@ -19579,7 +19579,7 @@ happens inside the black box.
@@ -19567,7 +19567,7 @@ happens inside the black box.
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
@@ -255,7 +255,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</ul>
<hr>
<div class="section-level-extent" id="The-TLS-Protocol">
@@ -20104,7 +20104,7 @@ For more information see <a class="ref"
@@ -20092,7 +20092,7 @@ For more information see <a class="ref"
<div class="section-level-extent" id="Random-Number-Generators_002dinternals">
<div class="nav-panel">
<p>
@@ -264,7 +264,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</div>
<h3 class="section" id="Random-Number-Generators"><span>11.6 Random Number Generators<a class="copiable-link" href="#Random-Number-Generators"> &para;</a></span></h3>
@@ -20112,7 +20112,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
@@ -20100,7 +20100,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for
@@ -273,7 +273,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</p>
<h4 class="subheading" id="The-default-generator-_002d-inner-workings"><span>The default generator - inner workings<a class="copiable-link" href="#The-default-generator-_002d-inner-workings"> &para;</a></span></h4>
@@ -20249,22 +20249,22 @@ on the above paragraph, all levels are i
@@ -20237,22 +20237,22 @@ on the above paragraph, all levels are i
<p>
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
@@ -302,7 +302,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
as follows.
</p>
<ul class="itemize mark-bullet">
@@ -20273,12 +20273,12 @@ as follows.
@@ -20261,12 +20261,12 @@ as follows.
</li><li>Algorithm self-tests are run on library load
</li></ul>
@@ -318,7 +318,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</li><li>Any cryptographic operation will be refused if any of the self-tests failed
</li></ul>
@@ -20287,7 +20287,7 @@ modified as follows.
@@ -20275,7 +20275,7 @@ modified as follows.
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
the library integrity tests on startup, and the variable
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
@@ -327,7 +327,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
mode, while &rsquo;0&rsquo; will disable it.
</p>
<p>The integrity checks for the dependent libraries and GnuTLS are performed
@@ -20295,13 +20295,13 @@ using &rsquo;.hmac&rsquo; files which ar
@@ -20283,13 +20283,13 @@ using &rsquo;.hmac&rsquo; files which ar
key for the operations can be provided on compile-time with the configure
option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256.
</p>
@@ -344,7 +344,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
</p>
@@ -20310,7 +20310,7 @@ which can switch to alternative modes as
@@ -20298,7 +20298,7 @@ which can switch to alternative modes as
<dl class="table">
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
@@ -353,7 +353,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
<dd><p>The default mode; all forbidden operations will cause an
@@ -20321,8 +20321,8 @@ operation failure via error code.
@@ -20309,8 +20309,8 @@ operation failure via error code.
cannot be set or seen by applications.
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
@@ -364,7 +364,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
</p></dd>
@@ -20333,7 +20333,7 @@ to a message to the audit callback funct
@@ -20321,7 +20321,7 @@ to a message to the audit callback funct
</dl>
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
<p>The intention of this API is to be used by applications which may run in
@@ -373,7 +373,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following.
</p>
@@ -20362,9 +20362,9 @@ if (gnutls_fips140_mode_enabled())
@@ -20350,9 +20350,9 @@ if (gnutls_fips140_mode_enabled())
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
previous calls is to localize the change in the mode. Note also, that
such a block has no effect when the library is not operating
@@ -385,7 +385,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
</p><div class="example">
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
</pre></div>
@@ -20387,7 +20387,7 @@ performed within a given context.
@@ -20375,7 +20375,7 @@ performed within a given context.
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
</dl>
@@ -394,7 +394,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
operation. It can be attached to the current execution thread with
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
updated until it is detached with
@@ -20760,8 +20760,8 @@ Previous: <a href="#Contributing" access
@@ -20748,8 +20748,8 @@ Previous: <a href="#Contributing" access
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
</p>
@@ -405,16 +405,16 @@ Index: gnutls-3.8.11/doc/gnutls.html
</p>
<hr>
</div>
@@ -24725,7 +24725,7 @@ unusable. This function is not thread-s
@@ -24680,7 +24680,7 @@ unusable. This function is not thread-s
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1"><span>gnutls_fips140_set_mode<a class="copiable-link" href="#gnutls_005ffips140_005fset_005fmode-1"> &para;</a></span></h4>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn def-block">
<dt class="deftypefn deftypefun-alias-deftypefn def-line" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href="#index-gnutls_005ffips140_005fset_005fmode"> &para;</a></span></dt>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href="#index-gnutls_005ffips140_005fset_005fmode"> &para;</a></span></dt>
-<dd><p><var class="var">mode</var>: the FIPS140-2 mode to switch to
+<dd><p><var class="var">mode</var>: the FIPS140-3 mode to switch to
</p>
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
</p>
@@ -24734,13 +24734,13 @@ unusable. This function is not thread-s
@@ -24689,13 +24689,13 @@ unusable. This function is not thread-s
behavior with no flags after threads are created is undefined.
</p>
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
@@ -430,7 +430,7 @@ Index: gnutls-3.8.11/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p>
@@ -47261,7 +47261,7 @@ Next: <a href="#Concept-Index" accesskey
@@ -47153,7 +47153,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@@ -439,11 +439,11 @@ Index: gnutls-3.8.11/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.11/doc/gnutls.info-3
Index: gnutls-3.8.10/doc/gnutls.info-3
===================================================================
--- gnutls-3.8.11.orig/doc/gnutls.info-3
+++ gnutls-3.8.11/doc/gnutls.info-3
@@ -2322,7 +2322,7 @@ to more. Both will exit with a st
--- gnutls-3.8.10.orig/doc/gnutls.info-3
+++ gnutls-3.8.10/doc/gnutls.info-3
@@ -2319,7 +2319,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@@ -461,7 +461,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3

File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
@@ -3996,7 +3996,7 @@ and abstract key types::.
@@ -4000,7 +4000,7 @@ and abstract key types::.
kernel implementation of /dev/crypto.

@@ -470,7 +470,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3
11.6 Random Number Generators
=============================
@@ -4006,7 +4006,7 @@ About the generators
@@ -4010,7 +4010,7 @@ About the generators
GnuTLS provides two random generators. The default, and the AES-DRBG
random generator which is only used when the library is compiled with
@@ -479,7 +479,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3
The default generator - inner workings
--------------------------------------
@@ -4237,7 +4237,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
@@ -4241,7 +4241,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
Figure 11.5: The gnutls_fips_mode_t enumeration.
The intention of this API is to be used by applications which may run in
@@ -488,7 +488,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3
set, e.g., for non-security related purposes. In these cases
applications should wrap the non-compliant code within blocks like the
following.
@@ -4261,10 +4261,10 @@ are macros to simplify the following seq
@@ -4265,10 +4265,10 @@ are macros to simplify the following seq
The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous
calls is to localize the change in the mode. Note also, that such a
@@ -501,7 +501,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
Service indicator
@@ -4746,8 +4746,8 @@ There are certifications from national o
@@ -4750,8 +4750,8 @@ There are certifications from national o
practices, such as unit testing and reliance on well known crypto
primitives.
@@ -512,7 +512,7 @@ Index: gnutls-3.8.11/doc/gnutls.info-3

File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9267,7 +9267,7 @@ gnutls_fips140_set_mode
@@ -9236,7 +9236,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS)
@@ -521,10 +521,10 @@ Index: gnutls-3.8.11/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.11/doc/invoke-gnutls-cli.texi
Index: gnutls-3.8.10/doc/invoke-gnutls-cli.texi
===================================================================
--- gnutls-3.8.11.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.11/doc/invoke-gnutls-cli.texi
--- gnutls-3.8.10.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.10/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
@@ -534,10 +534,10 @@ Index: gnutls-3.8.11/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.11/doc/manpages/gnutls-cli.1
Index: gnutls-3.8.10/doc/manpages/gnutls-cli.1
===================================================================
--- gnutls-3.8.11.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.11/doc/manpages/gnutls-cli.1
--- gnutls-3.8.10.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.10/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf
.TP
@@ -547,11 +547,11 @@ Index: gnutls-3.8.11/doc/manpages/gnutls-cli.1
.sp
.TP
.NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html
===================================================================
--- gnutls-3.8.11.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
@@ -21079,12 +21079,12 @@ gnutls_fips140_set_mode (<em class="para
--- gnutls-3.8.10.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html
@@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p>
<p>When the flag <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SET-MODE-THREAD:CAPS" title="GNUTLS_FIPS140_SET_MODE_THREAD"><code class="literal">GNUTLS_FIPS140_SET_MODE_THREAD</code></a> is specified
@@ -566,7 +566,7 @@ Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
values for <em class="parameter"><code>mode</code></em>
or to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-SELFTESTS:CAPS"><code class="literal">GNUTLS_FIPS140_SELFTESTS</code></a> mode, the library
switches to <a class="link" href="gnutls-gnutls.html#GNUTLS-FIPS140-STRICT:CAPS"><code class="literal">GNUTLS_FIPS140_STRICT</code></a> mode.</p>
@@ -21099,7 +21099,7 @@ switches to <a class="link" href="gnutls
@@ -20894,7 +20894,7 @@ switches to <a class="link" href="gnutls
<tbody>
<tr>
<td class="parameter_name"><p>mode</p></td>
@@ -575,7 +575,7 @@ Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
<td class="parameter_annotations"> </td>
</tr>
<tr>
@@ -26311,7 +26311,7 @@ encryption</p>
@@ -26035,7 +26035,7 @@ encryption</p>
<hr>
<div class="refsect2">
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@@ -584,7 +584,7 @@ Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
<div class="refsect3">
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
<div class="informaltable"><table class="informaltable" width="100%" border="0">
@@ -26324,7 +26324,7 @@ encryption</p>
@@ -26048,7 +26048,7 @@ encryption</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
<td class="enum_member_description">
@@ -593,7 +593,7 @@ Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
</td>
<td class="enum_member_annotations"> </td>
</tr>
@@ -26347,8 +26347,8 @@ operation failure via error code.</p>
@@ -26071,8 +26071,8 @@ operation failure via error code.</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
<td class="enum_member_description">
@@ -604,17 +604,17 @@ Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
</td>
@@ -27988,4 +27988,4 @@ This is used by <a class="link" href="gn
@@ -27712,4 +27712,4 @@ This is used by <a class="link" href="gn
<div class="footer">
<hr>Generated by GTK-Doc V1.34.0</div>
</body>
-</html>
\ No newline at end of file
+</html>
Index: gnutls-3.8.11/lib/fips.c
Index: gnutls-3.8.10/lib/fips.c
===================================================================
--- gnutls-3.8.11.orig/lib/fips.c
+++ gnutls-3.8.11/lib/fips.c
--- gnutls-3.8.10.orig/lib/fips.c
+++ gnutls-3.8.10/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
}
@@ -633,7 +633,7 @@ Index: gnutls-3.8.11/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS;
goto exit;
}
@@ -730,7 +730,7 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -745,7 +745,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/**
* gnutls_fips140_set_mode:
@@ -642,7 +642,7 @@ Index: gnutls-3.8.11/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
*
* That function is not thread-safe when changing the mode with no flags
@@ -738,13 +738,13 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -753,13 +753,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined.
*
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@@ -658,7 +658,7 @@ Index: gnutls-3.8.11/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode.
*
@@ -756,10 +756,10 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -771,10 +771,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) {
@@ -671,7 +671,7 @@ Index: gnutls-3.8.11/lib/fips.c
return;
}
@@ -772,7 +772,7 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -787,7 +787,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log(
NULL,
@@ -680,7 +680,7 @@ Index: gnutls-3.8.11/lib/fips.c
mode = GNUTLS_FIPS140_STRICT;
break;
default:
@@ -948,7 +948,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -963,7 +963,7 @@ void _gnutls_switch_fips_state(gnutls_fi
}
if (!_tfips_context) {
@@ -689,7 +689,7 @@ Index: gnutls-3.8.11/lib/fips.c
return;
}
@@ -962,7 +962,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@@ -698,7 +698,7 @@ Index: gnutls-3.8.11/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -973,7 +973,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -988,7 +988,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@@ -707,7 +707,7 @@ Index: gnutls-3.8.11/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -985,7 +985,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -1000,7 +1000,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@@ -716,7 +716,7 @@ Index: gnutls-3.8.11/lib/fips.c
operation_state_to_string(
_tfips_context->state),
operation_state_to_string(state));
@@ -1047,7 +1047,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1062,7 +1062,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL,
@@ -725,7 +725,7 @@ Index: gnutls-3.8.11/lib/fips.c
} else {
/* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state);
@@ -1059,7 +1059,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1074,7 +1074,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(
@@ -734,11 +734,11 @@ Index: gnutls-3.8.11/lib/fips.c
}
gnutls_fips140_context_deinit(fips_context);
}
Index: gnutls-3.8.11/lib/fips.h
Index: gnutls-3.8.10/lib/fips.h
===================================================================
--- gnutls-3.8.11.orig/lib/fips.h
+++ gnutls-3.8.11/lib/fips.h
@@ -164,7 +164,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
--- gnutls-3.8.10.orig/lib/fips.h
+++ gnutls-3.8.10/lib/fips.h
@@ -161,7 +161,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
}
#ifdef ENABLE_FIPS140
@@ -747,7 +747,7 @@ Index: gnutls-3.8.11/lib/fips.h
* and return an error if necessary or ignore */
#define FIPS_RULE(condition, ret_error, ...) \
{ \
@@ -174,10 +174,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
@@ -171,10 +171,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
if (_mode == GNUTLS_FIPS140_LOG) { \
_gnutls_audit_log( \
NULL, \
@@ -760,7 +760,7 @@ Index: gnutls-3.8.11/lib/fips.h
return ret_error; \
} \
} \
@@ -192,7 +192,7 @@ inline static bool is_mac_algo_allowed(g
@@ -189,7 +189,7 @@ inline static bool is_mac_algo_allowed(g
switch (mode) {
case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL,
@@ -769,7 +769,7 @@ Index: gnutls-3.8.11/lib/fips.h
gnutls_mac_get_name(algo));
FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED:
@@ -214,7 +214,7 @@ inline static bool is_cipher_algo_allowe
@@ -211,7 +211,7 @@ inline static bool is_cipher_algo_allowe
switch (mode) {
case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL,
@@ -778,11 +778,11 @@ Index: gnutls-3.8.11/lib/fips.h
gnutls_cipher_get_name(algo));
FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.11/lib/global.c
Index: gnutls-3.8.10/lib/global.c
===================================================================
--- gnutls-3.8.11.orig/lib/global.c
+++ gnutls-3.8.11/lib/global.c
@@ -359,12 +359,12 @@ static int _gnutls_global_init(unsigned
--- gnutls-3.8.10.orig/lib/global.c
+++ gnutls-3.8.10/lib/global.c
@@ -349,12 +349,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140
res = _gnutls_fips_mode_enabled();
@@ -797,7 +797,7 @@ Index: gnutls-3.8.11/lib/global.c
_gnutls_priority_update_fips();
/* first round of self checks, these are done on the
@@ -374,7 +374,7 @@ static int _gnutls_global_init(unsigned
@@ -364,7 +364,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(
@@ -806,7 +806,7 @@ Index: gnutls-3.8.11/lib/global.c
if (res != 2) {
gnutls_assert();
goto out;
@@ -400,7 +400,7 @@ static int _gnutls_global_init(unsigned
@@ -390,7 +390,7 @@ static int _gnutls_global_init(unsigned
if (ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(
@@ -815,11 +815,11 @@ Index: gnutls-3.8.11/lib/global.c
if (res != 2) {
gnutls_assert();
goto out;
Index: gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in
Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.8.11.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in
@@ -3251,16 +3251,16 @@ typedef int (*gnutls_alert_read_func)(gn
--- gnutls-3.8.10.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
@@ -3236,16 +3236,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func);
@@ -840,7 +840,7 @@ Index: gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in
* application is aware of the followed security policy, and needs
* to utilize disallowed operations for other reasons (e.g., compatibility).
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
@@ -3268,7 +3268,7 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -3253,7 +3253,7 @@ unsigned gnutls_fips140_mode_enabled(voi
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
* cannot be set or seen by applications.
*
@@ -849,10 +849,10 @@ Index: gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in
*/
typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.11/src/cli.c
Index: gnutls-3.8.10/src/cli.c
===================================================================
--- gnutls-3.8.11.orig/src/cli.c
+++ gnutls-3.8.11/src/cli.c
--- gnutls-3.8.10.orig/src/cli.c
+++ gnutls-3.8.10/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) {
@@ -866,10 +866,10 @@ Index: gnutls-3.8.11/src/cli.c
exit(1);
}
Index: gnutls-3.8.11/src/gnutls-cli-options.c
Index: gnutls-3.8.10/src/gnutls-cli-options.c
===================================================================
--- gnutls-3.8.11.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.11/src/gnutls-cli-options.c
--- gnutls-3.8.10.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.10/src/gnutls-cli-options.c
@@ -843,7 +843,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n"
@@ -879,10 +879,10 @@ Index: gnutls-3.8.11/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.11/tests/cert-tests/gost.sh
Index: gnutls-3.8.10/tests/cert-tests/gost.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.11/tests/cert-tests/gost.sh
--- gnutls-3.8.10.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.10/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -892,10 +892,10 @@ Index: gnutls-3.8.11/tests/cert-tests/gost.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs12-corner-cases.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs12-corner-cases.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -905,10 +905,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs12-corner-cases.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs12-encode.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs12-encode.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -918,10 +918,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs12-encode.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs12-gost.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs12-gost.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -931,10 +931,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs12-gost.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs12.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs12.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs12.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -944,10 +944,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs12.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs8-decode.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs8-decode.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -957,10 +957,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs8-decode.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs8-eddsa.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs8-eddsa.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -970,10 +970,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs8-eddsa.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs8-gost.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs8-gost.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -983,10 +983,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs8-gost.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cert-tests/pkcs8.sh
Index: gnutls-3.8.10/tests/cert-tests/pkcs8.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.11/tests/cert-tests/pkcs8.sh
--- gnutls-3.8.10.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.10/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@@ -996,10 +996,10 @@ Index: gnutls-3.8.11/tests/cert-tests/pkcs8.sh
exit 77
fi
Index: gnutls-3.8.11/tests/cipher-listings.sh
Index: gnutls-3.8.10/tests/cipher-listings.sh
===================================================================
--- gnutls-3.8.11.orig/tests/cipher-listings.sh
+++ gnutls-3.8.11/tests/cipher-listings.sh
--- gnutls-3.8.10.orig/tests/cipher-listings.sh
+++ gnutls-3.8.10/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode
@@ -1009,10 +1009,10 @@ Index: gnutls-3.8.11/tests/cipher-listings.sh
exit 77
fi
Index: gnutls-3.8.11/tests/testpkcs11.sh
Index: gnutls-3.8.10/tests/testpkcs11.sh
===================================================================
--- gnutls-3.8.11.orig/tests/testpkcs11.sh
+++ gnutls-3.8.11/tests/testpkcs11.sh
--- gnutls-3.8.10.orig/tests/testpkcs11.sh
+++ gnutls-3.8.10/tests/testpkcs11.sh
@@ -26,7 +26,7 @@
RETCODE=0
@@ -1022,10 +1022,10 @@ Index: gnutls-3.8.11/tests/testpkcs11.sh
exit 77
fi
Index: gnutls-3.8.11/doc/enums/gnutls_fips_mode_t
Index: gnutls-3.8.10/doc/enums/gnutls_fips_mode_t
===================================================================
--- gnutls-3.8.11.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.11/doc/enums/gnutls_fips_mode_t
--- gnutls-3.8.10.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.10/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@
@c gnutls_fips_mode_t
@table @code
@@ -1046,11 +1046,11 @@ Index: gnutls-3.8.11/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.11/doc/gnutls-api.texi
Index: gnutls-3.8.10/doc/gnutls-api.texi
===================================================================
--- gnutls-3.8.11.orig/doc/gnutls-api.texi
+++ gnutls-3.8.11/doc/gnutls-api.texi
@@ -3319,7 +3319,7 @@ unusable. This function is not thread-s
--- gnutls-3.8.10.orig/doc/gnutls-api.texi
+++ gnutls-3.8.10/doc/gnutls-api.texi
@@ -3279,7 +3279,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode}
@deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags})
@@ -1059,7 +1059,7 @@ Index: gnutls-3.8.11/doc/gnutls-api.texi
@var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD}
@@ -3328,13 +3328,13 @@ That function is not thread-safe when ch
@@ -3288,13 +3288,13 @@ That function is not thread-safe when ch
behavior with no flags after threads are created is undefined.
When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified
@@ -1075,10 +1075,10 @@ Index: gnutls-3.8.11/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.11/lib/ext/session_ticket.c
Index: gnutls-3.8.10/lib/ext/session_ticket.c
===================================================================
--- gnutls-3.8.11.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.11/lib/ext/session_ticket.c
--- gnutls-3.8.10.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.10/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{
if (_gnutls_fips_mode_enabled()) {
@@ -1088,11 +1088,11 @@ Index: gnutls-3.8.11/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not
* used. These limits do not affect this function as
* it does not generate a "key" but rather key material
Index: gnutls-3.8.11/lib/libgnutls.map
Index: gnutls-3.8.10/lib/libgnutls.map
===================================================================
--- gnutls-3.8.11.orig/lib/libgnutls.map
+++ gnutls-3.8.11/lib/libgnutls.map
@@ -1473,7 +1473,7 @@ GNUTLS_FIPS140_3_4 {
--- gnutls-3.8.10.orig/lib/libgnutls.map
+++ gnutls-3.8.10/lib/libgnutls.map
@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test;
gnutls_tlsprf_self_test;
@@ -1101,10 +1101,10 @@ Index: gnutls-3.8.11/lib/libgnutls.map
drbg_aes_reseed;
drbg_aes_init;
drbg_aes_generate;
Index: gnutls-3.8.11/lib/nettle/mac.c
Index: gnutls-3.8.10/lib/nettle/mac.c
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/mac.c
+++ gnutls-3.8.11/lib/nettle/mac.c
--- gnutls-3.8.10.orig/lib/nettle/mac.c
+++ gnutls-3.8.10/lib/nettle/mac.c
@@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx)
@@ -1123,11 +1123,11 @@ Index: gnutls-3.8.11/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */
ctx->finished = NULL;
Index: gnutls-3.8.11/config.h.in
Index: gnutls-3.8.10/config.h.in
===================================================================
--- gnutls-3.8.11.orig/config.h.in
+++ gnutls-3.8.11/config.h.in
@@ -107,7 +107,7 @@
--- gnutls-3.8.10.orig/config.h.in
+++ gnutls-3.8.10/config.h.in
@@ -104,7 +104,7 @@
/* enable DHE */
#undef ENABLE_ECDHE
@@ -1136,7 +1136,7 @@ Index: gnutls-3.8.11/config.h.in
#undef ENABLE_FIPS140
/* enable GOST */
@@ -150,7 +150,7 @@
@@ -147,7 +147,7 @@
/* Define this to 1 if F_DUPFD behavior does not match POSIX */
#undef FCNTL_DUPFD_BUGGY
@@ -1145,23 +1145,23 @@ Index: gnutls-3.8.11/config.h.in
#undef FIPS_KEY
/* The FIPS140 module name */
Index: gnutls-3.8.11/configure
Index: gnutls-3.8.10/configure
===================================================================
--- gnutls-3.8.11.orig/configure
+++ gnutls-3.8.11/configure
@@ -4501,7 +4501,7 @@ Optional Features:
shared library versioning (aka "SONAME") variant to
provide on AIX, [default=aix].
--- gnutls-3.8.10.orig/configure
+++ gnutls-3.8.10/configure
@@ -4484,7 +4484,7 @@ Optional Features:
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
- --enable-fips140-mode enable FIPS140-2 mode
+ --enable-fips140-mode enable FIPS140-3 mode
--enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves
disable curves not in SuiteB
Index: gnutls-3.8.11/doc/cha-support.texi
Index: gnutls-3.8.10/doc/cha-support.texi
===================================================================
--- gnutls-3.8.11.orig/doc/cha-support.texi
+++ gnutls-3.8.11/doc/cha-support.texi
--- gnutls-3.8.10.orig/doc/cha-support.texi
+++ gnutls-3.8.10/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
@@ -1170,10 +1170,10 @@ Index: gnutls-3.8.11/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.11/src/gnutls-cli-options.json
Index: gnutls-3.8.10/src/gnutls-cli-options.json
===================================================================
--- gnutls-3.8.11.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.11/src/gnutls-cli-options.json
--- gnutls-3.8.10.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.10/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@
},
{
@@ -1183,10 +1183,10 @@ Index: gnutls-3.8.11/src/gnutls-cli-options.json
},
{
"long-option": "list-config",
Index: gnutls-3.8.11/tests/pkcs11-tool.sh
Index: gnutls-3.8.10/tests/pkcs11-tool.sh
===================================================================
--- gnutls-3.8.11.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.11/tests/pkcs11-tool.sh
--- gnutls-3.8.10.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.10/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x
: ${DIFF=diff}
@@ -1196,10 +1196,10 @@ Index: gnutls-3.8.11/tests/pkcs11-tool.sh
exit 77
fi
Index: gnutls-3.8.11/doc/manpages/gnutls_fips140_set_mode.3
Index: gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3
===================================================================
--- gnutls-3.8.11.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.11/doc/manpages/gnutls_fips140_set_mode.3
--- gnutls-3.8.10.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
.BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
.SH ARGUMENTS
@@ -1225,16 +1225,16 @@ Index: gnutls-3.8.11/doc/manpages/gnutls_fips140_set_mode.3
values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
.SH "SINCE"
Index: gnutls-3.8.11/doc/gnutls.info
Index: gnutls-3.8.10/doc/gnutls.info
===================================================================
--- gnutls-3.8.11.orig/doc/gnutls.info
+++ gnutls-3.8.11/doc/gnutls.info
@@ -624,7 +624,7 @@ Ref: fig-crypto-layers747098
Ref: Cryptographic Backend-Footnote-1750404
Ref: Cryptographic Backend-Footnote-2750489
Node: Random Number Generators-internals750601
-Node: FIPS140-2 mode758057
+Node: FIPS140-3 mode758057
Ref: gnutls_fips_mode_t760721
Node: Upgrading from previous versions764389
Node: Support778627
--- gnutls-3.8.10.orig/doc/gnutls.info
+++ gnutls-3.8.10/doc/gnutls.info
@@ -624,7 +624,7 @@ Ref: fig-crypto-layers746569
Ref: Cryptographic Backend-Footnote-1749876
Ref: Cryptographic Backend-Footnote-2749961
Node: Random Number Generators-internals750073
-Node: FIPS140-2 mode757529
+Node: FIPS140-3 mode757529
Ref: gnutls_fips_mode_t760193
Node: Upgrading from previous versions763861
Node: Support778099

80
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
View File

@@ -1,52 +1,8 @@
Index: gnutls-3.8.11/lib/fips.c
Index: gnutls-3.8.8/lib/fips.c
===================================================================
--- gnutls-3.8.11.orig/lib/fips.c
+++ gnutls-3.8.11/lib/fips.c
@@ -268,6 +268,29 @@ static int handler(void *user, const cha
return 1;
}
+
+/* In case of x86_64-v3 optmizations, names might differ in version numbers.
+ * @mac_file: buffer where the hmac file path will be written to
+ * @lib_path: path to the dependent library, used to deduce hmac file path
+ * @file_name: The file name of the library
+ */
+ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) {
+ // Cut name short if more than SOVER is present
+ char *soname = strstr(file_name, ".so.");
+ char correct_ext[256];
+ memset(correct_ext, 0x0, 256);
+ soname += strlen(".so.");
+ for (uint32_t i = 0; i < strlen(soname); i++) {
+ if (soname[i] == '.') {
+ int proper_len = soname - file_name + i;
+ strncpy(correct_ext, file_name, proper_len);
+ snprintf(mac_file, 256, "%.*s/.%.*s.hmac",
+ (int)(file_name-lib_path),lib_path,proper_len,correct_ext);
+ break;
+ }
+ }
+}
+
/*
* get_hmac_path:
* @mac_file: buffer where the hmac file path will be written to
@@ -300,6 +323,13 @@ static int get_hmac_path(char *mac_file,
if (ret == 0)
return GNUTLS_E_SUCCESS;
+ if (strstr(gnutls_path, "glibc-hwcaps")) {
+ get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1);
+ ret = _gnutls_file_exists(mac_file);
+ if (ret == 0)
+ return GNUTLS_E_SUCCESS;
+ }
+
if (p == NULL)
ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac",
gnutls_path);
@@ -349,11 +379,90 @@ static int load_hmac_file(struct hmac_fi
--- gnutls-3.8.8.orig/lib/fips.c
+++ gnutls-3.8.8/lib/fips.c
@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi
}
/*
@@ -138,46 +94,26 @@ Index: gnutls-3.8.11/lib/fips.c
*
* Returns: 0 on successful HMAC verification, a negative error code otherwise
*/
@@ -405,18 +514,18 @@ static int callback(struct dl_phdr_info
const char *soname = last_component(path);
struct lib_paths *paths = (struct lib_paths *)data;
- if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
#ifdef NETTLE_LIBRARY_SONAME
- else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
#endif
#ifdef HOGWEED_LIBRARY_SONAME
- else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
#endif
#ifdef GMP_LIBRARY_SONAME
- else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
#endif
return 0;
@@ -496,17 +605,17 @@ static int check_binary_integrity(void)
@@ -496,17 +575,20 @@ static int check_binary_integrity(void)
if (ret < 0)
return ret;
#ifdef NETTLE_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ //ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ ret = check_dep_lib_hmac(paths.nettle);
if (ret < 0)
return ret;
#endif
#ifdef HOGWEED_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ ret = check_dep_lib_hmac(paths.hogweed);
if (ret < 0)
return ret;
#endif
#ifdef GMP_LIBRARY_SONAME
- ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ //ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ ret = check_dep_lib_hmac(paths.gmp);
if (ret < 0)
return ret;

47
gnutls-FIPS-HMAC-x86_64-v3-opt.patch Normal file
View File

@@ -0,0 +1,47 @@
Index: gnutls-3.8.9/lib/fips.c
===================================================================
--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -268,6 +268,28 @@ static int handler(void *user, const cha
return 1;
}
+
+/* In case of x86_64-v3 optmizations, names might differ in version numbers.
+ * @mac_file: buffer where the hmac file path will be written to
+ * @lib_path: path to the dependent library, used to deduce hmac file path
+ * @file_name: The file name of the library
+ */
+ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) {
+ // Cut name short if more than SOVER is present
+ char *soname = strstr(file_name, ".so.");
+ char correct_ext[256];
+ memset(correct_ext, 0x0, 256);
+ soname += strlen(".so.");
+ for (uint32_t i = 0; i < strlen(soname); i++) {
+ if (soname[i] == '.') {
+ int proper_len = soname - file_name + i;
+ strncpy(correct_ext, file_name, proper_len);
+ snprintf(mac_file, 256, "%.*s/.%.*s.hmac", (int)(file_name-lib_path),lib_path,proper_len,correct_ext);
+ break;
+ }
+ }
+}
+
/*
* get_hmac_path:
* @mac_file: buffer where the hmac file path will be written to
@@ -300,6 +322,13 @@ static int get_hmac_path(char *mac_file,
if (ret == 0)
return GNUTLS_E_SUCCESS;
+ if (strstr(gnutls_path, "glibc-hwcaps")) {
+ get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1);
+ ret = _gnutls_file_exists(mac_file);
+ if (ret == 0)
+ return GNUTLS_E_SUCCESS;
+ }
+
if (p == NULL)
ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac",
gnutls_path);

12
gnutls-FIPS-TLS_KDF_selftest.patch
View File

@@ -1,8 +1,8 @@
Index: gnutls-3.8.11/lib/fips.c
Index: gnutls-3.8.9/lib/fips.c
===================================================================
--- gnutls-3.8.11.orig/lib/fips.c
+++ gnutls-3.8.11/lib/fips.c
@@ -608,6 +608,26 @@ int _gnutls_fips_perform_self_checks2(vo
--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo
return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
}
@@ -27,5 +27,5 @@ Index: gnutls-3.8.11/lib/fips.c
+ }
+
/* PK */
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA_PSS);
if (ret < 0) {
if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);

34
gnutls-FIPS-jitterentropy-deinit-threads.patch Normal file
View File

@@ -0,0 +1,34 @@
Index: gnutls-3.8.4/lib/state.c
===================================================================
--- gnutls-3.8.4.orig/lib/state.c
+++ gnutls-3.8.4/lib/state.c
@@ -830,6 +830,12 @@ void gnutls_deinit(gnutls_session_t sess
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
gnutls_mutex_deinit(&session->internals.epoch_lock);
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(session);
}
Index: gnutls-3.8.4/lib/nettle/rnd.c
===================================================================
--- gnutls-3.8.4.orig/lib/nettle/rnd.c
+++ gnutls-3.8.4/lib/nettle/rnd.c
@@ -79,6 +79,12 @@ struct generators_ctx_st {
static void wrap_nettle_rnd_deinit(void *_ctx)
{
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(_ctx);
}

68
gnutls-FIPS-jitterentropy.patch
View File

@@ -1,7 +1,7 @@
Index: gnutls-3.8.11/lib/nettle/sysrng-linux.c
Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.11/lib/nettle/sysrng-linux.c
--- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.9/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@
get_entropy_func _rnd_get_system_entropy = NULL;
@@ -158,11 +158,11 @@ Index: gnutls-3.8.11/lib/nettle/sysrng-linux.c
+#endif
return;
}
Index: gnutls-3.8.11/lib/nettle/Makefile.in
Index: gnutls-3.8.9/lib/nettle/Makefile.in
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.11/lib/nettle/Makefile.in
@@ -522,7 +522,7 @@ am__v_CC_1 =
--- gnutls-3.8.9.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.9/lib/nettle/Makefile.in
@@ -521,7 +521,7 @@ am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -171,10 +171,10 @@ Index: gnutls-3.8.11/lib/nettle/Makefile.in
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
Index: gnutls-3.8.11/lib/nettle/Makefile.am
Index: gnutls-3.8.9/lib/nettle/Makefile.am
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.11/lib/nettle/Makefile.am
--- gnutls-3.8.9.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.9/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@
include $(top_srcdir)/lib/common.mk
@@ -184,10 +184,10 @@ Index: gnutls-3.8.11/lib/nettle/Makefile.am
AM_CPPFLAGS += \
-I$(srcdir)/int \
Index: gnutls-3.8.11/lib/nettle/rnd-fips.c
Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.11/lib/nettle/rnd-fips.c
--- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.9/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
@@ -210,11 +210,11 @@ Index: gnutls-3.8.11/lib/nettle/rnd-fips.c
ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
Index: gnutls-3.8.11/tests/Makefile.am
Index: gnutls-3.8.9/tests/Makefile.am
===================================================================
--- gnutls-3.8.11.orig/tests/Makefile.am
+++ gnutls-3.8.11/tests/Makefile.am
@@ -214,7 +214,7 @@ ctests += mini-record-2 simple gnutls_hm
--- gnutls-3.8.9.orig/tests/Makefile.am
+++ gnutls-3.8.9/tests/Makefile.am
@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
@@ -223,37 +223,3 @@ Index: gnutls-3.8.11/tests/Makefile.am
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
Index: gnutls-3.8.11/lib/state.c
===================================================================
--- gnutls-3.8.11.orig/lib/state.c
+++ gnutls-3.8.11/lib/state.c
@@ -834,6 +834,12 @@ void gnutls_deinit(gnutls_session_t sess
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
gnutls_mutex_deinit(&session->internals.epoch_lock);
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(session);
}
Index: gnutls-3.8.11/lib/nettle/rnd.c
===================================================================
--- gnutls-3.8.11.orig/lib/nettle/rnd.c
+++ gnutls-3.8.11/lib/nettle/rnd.c
@@ -79,6 +79,12 @@ struct generators_ctx_st {
static void wrap_nettle_rnd_deinit(void *_ctx)
{
+#if defined(__linux__)
+# if defined(ENABLE_FIPS140)
+ _rnd_system_entropy_deinit();
+# endif
+#endif
+
gnutls_free(_ctx);
}

13
gnutls-disable-flaky-test-dtls-resume.patch Normal file
View File

@@ -0,0 +1,13 @@
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -536,7 +536,7 @@ ktls_keyupdate_CFLAGS = -DUSE_KTLS
dist_check_SCRIPTS += ktls_keyupdate.sh
endif
-dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
+dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb
indirect_tests += dtls-stress

27
gnutls-fips-sonames-check.patch Normal file
View File

@@ -0,0 +1,27 @@
Index: gnutls-3.8.9/lib/fips.c
===================================================================
--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -484,18 +484,18 @@ static int callback(struct dl_phdr_info
const char *soname = last_component(path);
struct lib_paths *paths = (struct lib_paths *)data;
- if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
#ifdef NETTLE_LIBRARY_SONAME
- else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
#endif
#ifdef HOGWEED_LIBRARY_SONAME
- else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
#endif
#ifdef GMP_LIBRARY_SONAME
- else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME)))
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
#endif
return 0;

10
gnutls-set-cligen-python-interp.patch Normal file
View File

@@ -0,0 +1,10 @@
Index: gnutls-3.8.9/cligen/cli-docgen.py
===================================================================
--- gnutls-3.8.9.orig/cligen/cli-docgen.py
+++ gnutls-3.8.9/cligen/cli-docgen.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# Copyright (C) 2021-2022 Daiki Ueno
# SPDX-License-Identifier: LGPL-2.1-or-later

34
gnutls-skip-pqx-test.patch Normal file
View File

@@ -0,0 +1,34 @@
Index: gnutls-3.8.10/tests/Makefile.am
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.am
+++ gnutls-3.8.10/tests/Makefile.am
@@ -628,8 +628,6 @@ ctests += win32-certopenstore
endif
-dist_check_SCRIPTS += pqc-hybrid-kx.sh
-
cpptests =
if ENABLE_CXX
if HAVE_CMOCKA
Index: gnutls-3.8.10/tests/Makefile.in
===================================================================
--- gnutls-3.8.10.orig/tests/Makefile.in
+++ gnutls-3.8.10/tests/Makefile.in
@@ -3293,7 +3293,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es
gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \
- p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh
+ p11-kit-load.sh danetool.sh tpmtool_test.sh
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -7178,7 +7178,6 @@ dist_check_SCRIPTS = rfc2253-escape-test
$(am__append_18) $(am__append_20) $(am__append_21) \
$(am__append_23) $(am__append_25) $(am__append_26) \
$(am__append_27) $(am__append_29) $(am__append_30) \
- pqc-hybrid-kx.sh
@ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_SOURCES = tls13/key_update.c
@ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_CFLAGS = -DUSE_KTLS
@WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c

22
gnutls-srp-test-SIGPIPE.patch Normal file
View File

@@ -0,0 +1,22 @@
Index: gnutls-3.8.9/tests/srp.c
===================================================================
--- gnutls-3.8.9.orig/tests/srp.c
+++ gnutls-3.8.9/tests/srp.c
@@ -290,7 +290,7 @@ static void start(const char *name, cons
if (child) {
int status;
/* parent */
- close(fd[0]);
+ /* close(fd[0]); */
client(fd[1], prio, user, pass, exp_err);
if (exp_err < 0) {
kill(child, SIGTERM);
@@ -300,7 +300,7 @@ static void start(const char *name, cons
check_wait_status(status);
}
} else {
- close(fd[1]);
+ /* close(fd[1]); */
server(fd[0], prio);
exit(0);
}

77
gnutls.changes
View File

@@ -1,73 +1,9 @@
-------------------------------------------------------------------
Mon Nov 24 09:54:39 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
Mon Nov 24 10:23:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
- Reduce the number of patches:
* Merge gnutls-FIPS-jitterentropy-deinit-threads.patch into the
main jitterentropy patch gnutls-FIPS-jitterentropy.patch
* Merge the soname gnutls-fips-sonames-check.patch and V3
gnutls-FIPS-HMAC-x86_64-v3-opt.patch patches together into
gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
* Remove gnutls-set-cligen-python-interp.patch with a sed command.
-------------------------------------------------------------------
Mon Nov 24 09:29:13 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
- Enable back the failing tests that have been fixed upstream:
* Remove patches:
- gnutls-disable-flaky-test-dtls-resume.patch
- gnutls-srp-test-SIGPIPE.patch
- gnutls-skip-pqx-test.patch
- gnutls-3.8.10-disable-ktls_test.patch
-------------------------------------------------------------------
Mon Nov 24 08:38:13 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.11:
* libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
Reported by Luigino Camastra from Aisle Research.
[GNUTLS-SA-2025-11-18, CVSS: low] [bsc#1254132, CVE-2025-9820]
* libgnutls: MAC algorithms for PSK binders is now configurable
The previous implementation assumed HMAC-SHA256 to calculate the
PSK binders. With the new gnutls_psk_allocate_client_credentials2()
and gnutls_psk_allocate_server_credentials2() functions, the
application can use other MAC algorithms such as HMAC-SHA384.
* libgnutls: Expose a new function to provide the maximum record send size
A new function gnutls_record_get_max_send_size() has been added to
determine the maximum size of a TLS record to be sent to the peer.
* libgnutls: Expose a new function to update keys without sending a KeyUpdate
to the peer. A new function gnutls_handshake_update_receiving_key()
has been added to allow updating the local receiving key without
sending any KeyUpdate messages.
* libgnutls: PKCS#11 cryptographic provider configuration takes a token URI
instead of a module path. To allow using a PKCS#11 module exposing
multiple tokens, the "path" configuration keyword was replaced with
the "url" keyword.
* libgnutls: Support crypto-auditing probe points
crypto-auditing is a project to monitor which cryptographic
operations are taking place in the library at run time, through
eBPF. This adds necessary probe points for that, in public key
cryptography and the TLS use-case. To enable this, run configure
with --enable-crypto-auditing.
* build: The minimum version of Nettle has been updated to 3.10
Given Nettle 3.10 is ABI compatible with 3.6 and includes several
security relevant fixes, the library's minimum requirement of
Nettle is updated to 3.10.
* build: The default priority file path is now constructed from sysconfdir
Previously, the location of the default priority file was
hard-coded to be /etc/gnutls/config. Now it takes into account of
the --sysconfdir option given to the configure script.
* API and ABI modifications: (New functions)
- gnutls_psk_allocate_client_credentials2
- gnutls_psk_allocate_server_credentials2
- gnutls_record_get_max_send_size
- gnutls_handshake_update_receiving_key
- gnutls_audit_push_context
- gnutls_audit_pop_context
- gnutls_audit_current_context
* Rebased patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-TLS_KDF_selftest.patch
- gnutls-skip-pqx-test.patch
- Security fix bsc#1254132 CVE-2025-9820
* Fix buffer overflow in gnutls_pkcs11_token_init
* Added gnutls-CVE-2025-9820.patch
-------------------------------------------------------------------
Tue Jul 15 08:12:29 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
@@ -76,6 +12,11 @@ Tue Jul 15 08:12:29 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
cryptography (PQC) has been removed and is only provided through
leancrypto.
-------------------------------------------------------------------
Tue Jul 15 07:40:21 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
- Build with TPM 2.0 support via tpm2-0-tss.
-------------------------------------------------------------------
Mon Jul 14 17:00:21 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>

49
gnutls.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package gnutls
#
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
#
# All modifications and additions to the file contributed by third parties
@@ -40,9 +40,10 @@
%bcond_with kcapi
%endif
%bcond_with tpm
%bcond_without tpm2
%bcond_without leancrypto
Name: gnutls
Version: 3.8.11
Version: 3.8.10
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -56,18 +57,32 @@ Source3: baselibs.conf
# Suppress a false positive on the .hmac file
Source4: gnutls.rpmlintrc
Patch0: gnutls-3.5.11-skip-trust-store-tests.patch
#PATCH-FIX-SUSE bsc#1176671 FIPS: Add TLS KDF selftest
Patch1: gnutls-FIPS-TLS_KDF_selftest.patch
Patch2: gnutls-disable-flaky-test-dtls-resume.patch
# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE
Patch3: gnutls-srp-test-SIGPIPE.patch
# FIPS 140-3 patches:
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch100: gnutls-FIPS-140-3-references.patch
#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
Patch2: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
Patch101: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
Patch3: gnutls-FIPS-jitterentropy.patch
Patch102: gnutls-FIPS-jitterentropy.patch
#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch
%endif
#PATCH-FIX-SUSE jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI
Patch4: gnutls-FIPS-disable-mac-sha1.patch
#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
Patch5: gnutls-FIPS-140-3-references.patch
Patch104: gnutls-set-cligen-python-interp.patch
Patch105: gnutls-skip-pqx-test.patch
Patch106: gnutls-fips-sonames-check.patch
# PATCH-FIX-SUSE jsc#jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI
Patch107: gnutls-FIPS-disable-mac-sha1.patch
# PATCH-FIX-SUSE bsc#1237101 GNUTLS FIPS selfcheck is failing again on tumbleweed
Patch108: gnutls-FIPS-HMAC-x86_64-v3-opt.patch
# PATCH-FIX-SUSE Disable test
Patch109: gnutls-3.8.10-disable-ktls_test.patch
# PATCH-FIX-UPSTREAM bsc#1254132 CVE-2025-9820 buffer overflow in gnutls_pkcs11_token_init
Patch110: gnutls-CVE-2025-9820.patch
BuildRequires: autogen
BuildRequires: automake
BuildRequires: datefudge
@@ -77,7 +92,7 @@ BuildRequires: gtk-doc
# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
BuildRequires: iproute2
BuildRequires: libidn2-devel
BuildRequires: libnettle-devel >= 3.10
BuildRequires: libnettle-devel >= 3.6
BuildRequires: libtasn1-devel >= 4.9
BuildRequires: libtool
BuildRequires: libunistring-devel
@@ -104,6 +119,9 @@ BuildRequires: net-tools-deprecated
%if %{with tpm}
BuildRequires: trousers-devel
%endif
%if %{with tpm2}
BuildRequires: tpm2-0-tss-devel >= 3.0.3
%endif
%if %{with dane}
Requires: libgnutls-dane%{gnutls_dane_sover} = %{version}
%if 0%{?suse_version} <= 1320
@@ -118,6 +136,9 @@ BuildRequires: jitterentropy-devel >= 3.4.0
Requires: crypto-policies
Requires: libjitterentropy3 >= 3.4.0
%endif
%if %{with tpm}
Recommends: trousers
%endif
%description
The GnuTLS library provides a secure layer over a reliable transport
@@ -232,6 +253,11 @@ autoreconf -fiv
%if %{without tpm}
--without-tpm \
%endif
%if %{with tpm2}
--with-tpm2 \
%else
--without-tpm2 \
%endif
%if %{with dane}
--with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
%else
@@ -255,9 +281,6 @@ autoreconf -fiv
--enable-ktls \
%{nil}
# Replace python with python3 in cligen/cli-docgen.py
[ -f cligen/cli-docgen.py ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f cligen/cli-docgen.py
%make_build
%install