42cf463b57
- Reduce the number of patches: * Merge gnutls-FIPS-jitterentropy-deinit-threads.patch into the main jitterentropy patch gnutls-FIPS-jitterentropy.patch * Merge the soname gnutls-fips-sonames-check.patch and V3 gnutls-FIPS-HMAC-x86_64-v3-opt.patch patches together into gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch * Remove gnutls-set-cligen-python-interp.patch with a sed command.
Marcus Meissner2025-11-24 10:49:16 +00:00
8412719df6
- Build with leancrypto. The liboqs support for post-quantum cryptography (PQC) has been removed and is only provided through leancrypto.
Pedro Monreal Gonzalez2025-07-16 09:21:10 +00:00
81f2d36642
- Update to 3.8.10: * libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [bsc#1246299, CVE-2025-6395] * libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [bsc#1246233, CVE-2025-32989] * libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [bsc#1246232, CVE-2025-32988] * certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [bsc#1246267, CVE-2025-32990] * libgnutls: PKCS#11 modules can now be used to override the default cryptographic backend. Use the [provider] section in the system-wide config to specify path and pin to the module (see system-wide config Documentation). * libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support. The library running on the aforementioned version now utilizes the kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted TLS session. The --enable-ktls configure option as well as the system-wide kTLS configuration(see GnuTLS Documentation) are still required to enable this feature. * libgnutls: liboqs support for PQC has been removed For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key exchange algorithm, X25519Kyber768Draft00, which is based on the round 3 candidate of Kyber and only supported through liboqs has also been removed altogether. * libgnutls: TLS certificate compression methods can now be set with
Pedro Monreal Gonzalez2025-07-15 07:34:08 +00:00
20f38b1453
- enable ktls support - enable brotli and zstd compression support
Lucas Mulling2025-07-14 01:12:35 +00:00
f6d4418be4
- Fix FIPS mode running on Tumbleweed [bsc#1237101] * When nettle or libhogweed are installed with glbic-hwcaps for x86_64-v3, some paths differ and we are unable to match the hmac file for the lib. * Add gnutls-FIPS-HMAC-x86_64-v3-opt.patch
Pedro Monreal Gonzalez2025-04-29 08:05:41 +00:00
7953f0ffcf
Accepting request 1268601 from security:tls
Ana Guerrero2025-04-14 10:55:31 +00:00
5aa6f611ec
Accepting request 1255878 from security:tls
Ana Guerrero2025-03-26 20:17:57 +00:00
d0cf2319d1
- FIPS: Mark SHA-1 as non-approved in the SLI for all operations. [jsc#PED-12224] * Add gnutls-FIPS-disable-mac-sha1.patch
Pedro Monreal Gonzalez2025-03-25 09:35:55 +00:00
f82cc71bfb
- Update to 3.8.9 - libgnutls: leancrypto was added as an interim option for PQC The library can now be built with leancrypto instead of liboqs for post-quantum cryptography (PQC), when configured with --with-leancrypto option instead of --with-liboqs. - libgnutls: Experimental support for ML-DSA signature algorithm The library and certtool now support ML-DSA signature algorithm as defined in FIPS 204 and based on draft-ietf-lamps-dilithium-certificates-04. This feature is currently marked as experimental and can only be enabled when compiled with --with-leancrypto or --with-liboqs. Contributed by David Dudas. - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism The support for ML-KEM post-quantum key encapsulation mechanisms has been extended to cover ML-KEM-1024, in addition to ML-KEM-768. MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per draft-kwiatkowski-tls-ecdhe-mlkem-03. - libgnutls: Fix potential DoS in handling certificates with numerous name constraints, as a follow-up of CVE-2024-12133 in libtasn1. The bundled copy of libtasn1 has also been updated to the latest 4.20.0 release to complete the fix. Reported by Bing Shi (#1553). [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243 - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2 * Rebased gnutls-FIPS-140-3-references.patch * Rebased gnutls-FIPS-TLS_KDF_selftest.patch * Rebased gnutls-FIPS-jitterentropy.patch * Rebased gnutls-disable-flaky-test-dtls-resume.patch * Rebased gnutls-srp-test-SIGPIPE.patch * Rebased gnutls-3.5.11-skip-trust-store-tests.patch * Add gnutls-set-cligen-python-interp.patch
Pedro Monreal Gonzalez2025-02-24 12:46:22 +00:00
1c06047e0c
Accepting request 1224137 from security:tls
Ana Guerrero2024-11-15 14:37:54 +00:00
0e88121289
- Update to 3.8.8: - libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange in TLS 1.3: The support for post-quantum key exchanges has been extended to cover the final standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of liboqs is bumped to 0.11.0. - libgnutls: All records included in an OCSP response are now checked in TLS: Previously, when multiple records are provided in a single OCSP response, only the first record was considered; now all those records are examined until the server certificate matches. - libgnutls: Handling of malformed compress_certificate extension is now more standard compliant: The server behavior of receiving a malformed compress_certificate extension now more strictly follows RFC 8879; return illegal_parameter alert instead of bad_certificate, as well as overlong extension data is properly rejected. - build: More flexible library linking options for compression libraries, TPM, and liboqs support: The configure options, --with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs now take 4 states: yes/link/dlopen/no, to specify how the libraries are linked or loaded. * Rebase gnutls-FIPS-140-3-references.patch
Pedro Monreal Gonzalez2024-11-14 09:41:10 +00:00
e4c415ffa3
Accepting request 1204664 from security:tls
Ana Guerrero2024-10-01 15:11:13 +00:00
fb6da79b80
- Build with liboqs to support the X25519Kyber768 post-quantum key exchange algorithm.
Pedro Monreal Gonzalez2024-09-30 06:48:36 +00:00
e5c41cf446
Accepting request 1198672 from security:tls
Ana Guerrero2024-09-05 13:46:14 +00:00
b97f6df6c5
- Update to 3.8.7: * libgnutls: New configure option to compile out DSA support The --disable-dsa configure option has been added to completely disable DSA algorithm support. * libgnutls: Experimental support for X25519Kyber768Draft00 key exchange in TLS. For testing purposes, the hybrid post-quantum key exchange defined in draft-tls-westerbaan-xyber768d00 has been implemented using liboqs. Since the algorithm is still not finalized, the support of this key exchange is disabled by default and can be enabled with the --with-liboqs configure option. * Rebase patches: - gnutls-FIPS-140-3-references.patch - gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
Pedro Monreal Gonzalez2024-09-04 09:29:34 +00:00
e6e90a5708
- Update to 3.8.6: * libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12 To be compliant with FIPS 140-3, PKCS#12 files with MAC based on PBKDF2 (PBMAC1) is now supported, according to the specification proposed in draft-ietf-lamps-pkcs12-pbmac1. * libgnutls: SHA3 extendable output functions (XOF) are now supported SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new public API gnutls_hash_squeeze. * API and ABI modifications: - gnutls_pkcs12_generate_mac3: New function - gnutls_pkcs12_flags_t: New enum - gnutls_hash_squeeze: New function * Rebase patches: - gnutls-FIPS-140-3-references.patch - gnutls-FIPS-jitterentropy.patch
Pedro Monreal Gonzalez2024-07-25 09:27:01 +00:00
5f0bfcd373
Accepting request 1165545 from security:tls
Ana Guerrero2024-04-08 15:37:29 +00:00
ea12736003
Accepting request 1165440 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez2024-04-05 10:43:46 +00:00
8b77a4e97e
Accepting request 1163122 from security:tls
Ana Guerrero2024-03-28 12:52:41 +00:00
a4ac49a50a
Accepting request 1161324 from home:pmonrealgonzalez:branches:security:tls
Pedro Monreal Gonzalez2024-03-27 18:58:32 +00:00
91b174ffe3
Accepting request 1151783 from security:tls
Ana Guerrero2024-02-27 21:45:15 +00:00
Ana Guerrero
Marcus Meissner
Angel Yankov
Adrian Schröter
Dominique Leuenberger
Pedro Monreal Gonzalez
Lucas Mulling
Otto Hollmann
OBS User buildservice-autocommit
Richard Brown
Jason Sikes
Tomáš Chvátal