diff --git a/gnutls-3.8.10-disable-ktls_test.patch b/gnutls-3.8.10-disable-ktls_test.patch
deleted file mode 100644
index 8060e59..0000000
--- a/gnutls-3.8.10-disable-ktls_test.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: gnutls-3.8.10/tests/Makefile.am
-===================================================================
---- gnutls-3.8.10.orig/tests/Makefile.am
-+++ gnutls-3.8.10/tests/Makefile.am
-@@ -527,13 +527,13 @@ if !WINDOWS
- #
-
- if ENABLE_KTLS
--indirect_tests += gnutls_ktls
--dist_check_SCRIPTS += ktls.sh
-+#indirect_tests += gnutls_ktls
-+#dist_check_SCRIPTS += ktls.sh
-
--indirect_tests += ktls_keyupdate
--ktls_keyupdate_SOURCES = tls13/key_update.c
--ktls_keyupdate_CFLAGS = -DUSE_KTLS
--dist_check_SCRIPTS += ktls_keyupdate.sh
-+#indirect_tests += ktls_keyupdate
-+#ktls_keyupdate_SOURCES = tls13/key_update.c
-+#ktls_keyupdate_CFLAGS = -DUSE_KTLS
-+#dist_check_SCRIPTS += ktls_keyupdate.sh
- endif
-
- dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb
diff --git a/gnutls-3.8.10.tar.xz b/gnutls-3.8.10.tar.xz
deleted file mode 100644
index d7947df..0000000
--- a/gnutls-3.8.10.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7
-size 6909856
diff --git a/gnutls-3.8.10.tar.xz.sig b/gnutls-3.8.10.tar.xz.sig
deleted file mode 100644
index bf232f9..0000000
Binary files a/gnutls-3.8.10.tar.xz.sig and /dev/null differ
diff --git a/gnutls-3.8.11.tar.xz b/gnutls-3.8.11.tar.xz
new file mode 100644
index 0000000..1aa100a
--- /dev/null
+++ b/gnutls-3.8.11.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91bd23c4a86ebc6152e81303d20cf6ceaeb97bc8f84266d0faec6e29f17baa20
+size 6939944
diff --git a/gnutls-3.8.11.tar.xz.sig b/gnutls-3.8.11.tar.xz.sig
new file mode 100644
index 0000000..4d74e21
Binary files /dev/null and b/gnutls-3.8.11.tar.xz.sig differ
diff --git a/gnutls-FIPS-140-3-references.patch b/gnutls-FIPS-140-3-references.patch index defd6cb..4a45a12 100644 --- a/gnutls-FIPS-140-3-references.patch +++ b/gnutls-FIPS-140-3-references.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.8.10/configure.ac +Index: gnutls-3.8.11/configure.ac =================================================================== ---- gnutls-3.8.10.orig/configure.ac -+++ gnutls-3.8.10/configure.ac -@@ -665,19 +665,19 @@ LT_INIT([disable-static,win32-dll,shared +--- gnutls-3.8.11.orig/configure.ac ++++ gnutls-3.8.11/configure.ac +@@ -664,19 +664,19 @@ LT_INIT([disable-static,win32-dll,shared AC_LIB_HAVE_LINKFLAGS(dl,, [#include ], [dladdr (0, 0);]) AC_ARG_ENABLE(fips140-mode, @@ -25,10 +25,10 @@ Index: gnutls-3.8.10/configure.ac AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], [specify the FIPS140 module name]), -Index: gnutls-3.8.10/doc/cha-gtls-app.texi +Index: gnutls-3.8.11/doc/cha-gtls-app.texi =================================================================== ---- gnutls-3.8.10.orig/doc/cha-gtls-app.texi -+++ gnutls-3.8.10/doc/cha-gtls-app.texi +--- gnutls-3.8.11.orig/doc/cha-gtls-app.texi ++++ gnutls-3.8.11/doc/cha-gtls-app.texi @@ -222,7 +222,7 @@ CPU. The currently available options are @end itemize @@ -38,10 +38,10 @@ Index: gnutls-3.8.10/doc/cha-gtls-app.texi if set to one it will force the FIPS mode enablement. @end multitable -Index: gnutls-3.8.10/doc/cha-internals.texi +Index: gnutls-3.8.11/doc/cha-internals.texi =================================================================== ---- gnutls-3.8.10.orig/doc/cha-internals.texi -+++ gnutls-3.8.10/doc/cha-internals.texi +--- gnutls-3.8.11.orig/doc/cha-internals.texi ++++ gnutls-3.8.11/doc/cha-internals.texi @@ -14,7 +14,7 @@ happens inside the black box. * TLS Hello Extension Handling:: * Cryptographic Backend:: 
@@ -162,11 +162,11 @@ Index: gnutls-3.8.10/doc/cha-internals.texi operation. It can be attached to the current execution thread with @funcref{gnutls_fips140_push_context} and its internal state will be updated until it is detached with -Index: gnutls-3.8.10/doc/enums.texi +Index: gnutls-3.8.11/doc/enums.texi =================================================================== ---- gnutls-3.8.10.orig/doc/enums.texi -+++ gnutls-3.8.10/doc/enums.texi -@@ -1230,7 +1230,7 @@ application traffic secret is installed +--- gnutls-3.8.11.orig/doc/enums.texi ++++ gnutls-3.8.11/doc/enums.texi +@@ -1236,7 +1236,7 @@ application traffic secret is installed @c gnutls_fips_mode_t @table @code @item GNUTLS_@-FIPS140_@-DISABLED @@ -175,7 +175,7 @@ Index: gnutls-3.8.10/doc/enums.texi @item GNUTLS_@-FIPS140_@-STRICT The default mode; all forbidden operations will cause an operation failure via error code. -@@ -1238,8 +1238,8 @@ operation failure via error code. +@@ -1244,8 +1244,8 @@ operation failure via error code. A transient state during library initialization. That state cannot be set or seen by applications. @item GNUTLS_@-FIPS140_@-LAX @@ -186,10 +186,10 @@ Index: gnutls-3.8.10/doc/enums.texi application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility). @item GNUTLS_@-FIPS140_@-LOG -Index: gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode +Index: gnutls-3.8.11/doc/functions/gnutls_fips140_set_mode =================================================================== ---- gnutls-3.8.10.orig/doc/functions/gnutls_fips140_set_mode -+++ gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode +--- gnutls-3.8.11.orig/doc/functions/gnutls_fips140_set_mode ++++ gnutls-3.8.11/doc/functions/gnutls_fips140_set_mode @@ -3,7 +3,7 @@ 
@@ -215,19 +215,19 @@ Index: gnutls-3.8.10/doc/functions/gnutls_fips140_set_mode values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library switches to @code{GNUTLS_FIPS140_STRICT} mode. -Index: gnutls-3.8.10/doc/gnutls.html +Index: gnutls-3.8.11/doc/gnutls.html =================================================================== ---- gnutls-3.8.10.orig/doc/gnutls.html -+++ gnutls-3.8.10/doc/gnutls.html +--- gnutls-3.8.11.orig/doc/gnutls.html ++++ gnutls-3.8.11/doc/gnutls.html @@ -490,7 +490,7 @@ Documentation License”.
  • 11.4 TLS Extension Handling
  • -
  • 11.5 Cryptographic Backend
  • +
  • 11.5 Cryptographic Backend
  • 11.6 Random Number Generators
  • --
  • 11.7 FIPS140-2 mode
  • -+
  • 11.7 FIPS140-3 mode
  • +-
  • 11.7 FIPS140-2 mode
  • ++
  • 11.7 FIPS140-3 mode
  • -
  • Appendix A Upgrading from previous versions
  • -
  • Appendix B Support +
  • Appendix A Upgrading from previous versions
  • +
  • Appendix B Support @@ -9050,7 +9050,7 @@ CPU. The currently available options are
  • 0x200000: Enable VIA PHE
  • 0x400000: Enable VIA PHE SHA512 @@ -237,7 +237,7 @@ Index: gnutls-3.8.10/doc/gnutls.html if set to one it will force the FIPS mode enablement. -@@ -18547,7 +18547,7 @@ None: +@@ -18559,7 +18559,7 @@ None: --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -246,7 +246,7 @@ Index: gnutls-3.8.10/doc/gnutls.html --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -@@ -19567,7 +19567,7 @@ happens inside the black box. +@@ -19579,7 +19579,7 @@ happens inside the black box.
  • TLS Extension Handling
  • Cryptographic Backend
  • Random Number Generators
  • @@ -255,7 +255,7 @@ Index: gnutls-3.8.10/doc/gnutls.html
    -@@ -20092,7 +20092,7 @@ For more information see

    11.6 Random Number Generators

    -@@ -20100,7 +20100,7 @@ Next: GnuTLS provides two random generators. The default, and the AES-DRBG random generator which is only used when the library is compiled with support for @@ -273,7 +273,7 @@ Index: gnutls-3.8.10/doc/gnutls.html

    The default generator - inner workings

    -@@ -20237,22 +20237,22 @@ on the above paragraph, all levels are i +@@ -20249,22 +20249,22 @@ on the above paragraph, all levels are i

    Previous: , Up: Internal Architecture of GnuTLS   [Contents][Index]

    @@ -302,7 +302,7 @@ Index: gnutls-3.8.10/doc/gnutls.html as follows.

    @@ -318,7 +318,7 @@ Index: gnutls-3.8.10/doc/gnutls.html
  • Any cryptographic operation will be refused if any of the self-tests failed
  • -@@ -20275,7 +20275,7 @@ modified as follows. +@@ -20287,7 +20287,7 @@ modified as follows. environment variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS will disable the library integrity tests on startup, and the variable GNUTLS_FORCE_FIPS_MODE can be set to force a value from @@ -327,7 +327,7 @@ Index: gnutls-3.8.10/doc/gnutls.html mode, while ’0’ will disable it.

    The integrity checks for the dependent libraries and GnuTLS are performed -@@ -20283,13 +20283,13 @@ using ’.hmac’ files which ar +@@ -20295,13 +20295,13 @@ using ’.hmac’ files which ar key for the operations can be provided on compile-time with the configure option ’–with-fips140-key’. The MAC algorithm used is HMAC-SHA256.

    @@ -344,7 +344,7 @@ Index: gnutls-3.8.10/doc/gnutls.html the application can relax these requirements via gnutls_fips140_set_mode which can switch to alternative modes as in Figure 11.5.

    -@@ -20298,7 +20298,7 @@ which can switch to alternative modes as +@@ -20310,7 +20310,7 @@ which can switch to alternative modes as
    GNUTLS_FIPS140_DISABLED
    @@ -353,7 +353,7 @@ Index: gnutls-3.8.10/doc/gnutls.html

    GNUTLS_FIPS140_STRICT

    The default mode; all forbidden operations will cause an -@@ -20309,8 +20309,8 @@ operation failure via error code. +@@ -20321,8 +20321,8 @@ operation failure via error code. cannot be set or seen by applications.

    GNUTLS_FIPS140_LAX
    @@ -364,7 +364,7 @@ Index: gnutls-3.8.10/doc/gnutls.html application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility).

    -@@ -20321,7 +20321,7 @@ to a message to the audit callback funct +@@ -20333,7 +20333,7 @@ to a message to the audit callback funct

    Figure 11.5: The gnutls_fips_mode_t enumeration.

    The intention of this API is to be used by applications which may run in @@ -373,7 +373,7 @@ Index: gnutls-3.8.10/doc/gnutls.html e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following.

    -@@ -20350,9 +20350,9 @@ if (gnutls_fips140_mode_enabled()) +@@ -20362,9 +20362,9 @@ if (gnutls_fips140_mode_enabled())

    The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous calls is to localize the change in the mode. Note also, that such a block has no effect when the library is not operating @@ -385,7 +385,7 @@ Index: gnutls-3.8.10/doc/gnutls.html

    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
      
    -@@ -20375,7 +20375,7 @@ performed within a given context. +@@ -20387,7 +20387,7 @@ performed within a given context.
    int gnutls_fips140_pop_context ( void)
    @@ -394,7 +394,7 @@ Index: gnutls-3.8.10/doc/gnutls.html operation. It can be attached to the current execution thread with gnutls_fips140_push_context and its internal state will be updated until it is detached with -@@ -20748,8 +20748,8 @@ Previous: @@ -405,16 +405,16 @@ Index: gnutls-3.8.10/doc/gnutls.html


    -@@ -24680,7 +24680,7 @@ unusable. This function is not thread-s +@@ -24725,7 +24725,7 @@ unusable. This function is not thread-s

    gnutls_fips140_set_mode

    -
    -
    Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t mode, unsigned flags)
    +
    +
    Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t mode, unsigned flags)
    -

    mode: the FIPS140-2 mode to switch to +

    mode: the FIPS140-3 mode to switch to

    flags: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD

    -@@ -24689,13 +24689,13 @@ unusable. This function is not thread-s +@@ -24734,13 +24734,13 @@ unusable. This function is not thread-s behavior with no flags after threads are created is undefined.

    When the flag GNUTLS_FIPS140_SET_MODE_THREAD is specified @@ -430,7 +430,7 @@ Index: gnutls-3.8.10/doc/gnutls.html values for mode or to GNUTLS_FIPS140_SELFTESTS mode, the library switches to GNUTLS_FIPS140_STRICT mode.

    -@@ -47153,7 +47153,7 @@ Next: gnutls_fingerprintCore TLS API gnutls_fips140_context_deinitCore TLS API gnutls_fips140_context_initCore TLS API @@ -439,11 +439,11 @@ Index: gnutls-3.8.10/doc/gnutls.html gnutls_fips140_get_operation_stateCore TLS API gnutls_fips140_mode_enabledCore TLS API gnutls_fips140_pop_contextCore TLS API -Index: gnutls-3.8.10/doc/gnutls.info-3 +Index: gnutls-3.8.11/doc/gnutls.info-3 =================================================================== ---- gnutls-3.8.10.orig/doc/gnutls.info-3 -+++ gnutls-3.8.10/doc/gnutls.info-3 -@@ -2319,7 +2319,7 @@ to ‘more’. Both will exit with a st +--- gnutls-3.8.11.orig/doc/gnutls.info-3 ++++ gnutls-3.8.11/doc/gnutls.info-3 +@@ -2322,7 +2322,7 @@ to ‘more’. Both will exit with a st --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -461,7 +461,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3  File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS -@@ -4000,7 +4000,7 @@ and abstract key types::. +@@ -3996,7 +3996,7 @@ and abstract key types::. kernel implementation of ‘/dev/crypto’.  @@ -470,7 +470,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3 11.6 Random Number Generators ============================= -@@ -4010,7 +4010,7 @@ About the generators +@@ -4006,7 +4006,7 @@ About the generators GnuTLS provides two random generators. The default, and the AES-DRBG random generator which is only used when the library is compiled with @@ -479,7 +479,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3 The default generator - inner workings -------------------------------------- -@@ -4241,7 +4241,7 @@ in *note Figure 11.5: gnutls_fips_mode_t +@@ -4237,7 +4237,7 @@ in *note Figure 11.5: gnutls_fips_mode_t Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration. The intention of this API is to be used by applications which may run in 
@@ -488,7 +488,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3 set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. -@@ -4265,10 +4265,10 @@ are macros to simplify the following seq +@@ -4261,10 +4261,10 @@ are macros to simplify the following seq The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous calls is to localize the change in the mode. Note also, that such a @@ -501,7 +501,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3 gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); Service indicator -@@ -4750,8 +4750,8 @@ There are certifications from national o +@@ -4746,8 +4746,8 @@ There are certifications from national o practices, such as unit testing and reliance on well known crypto primitives. @@ -512,7 +512,7 @@ Index: gnutls-3.8.10/doc/gnutls.info-3  File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top -@@ -9236,7 +9236,7 @@ gnutls_fips140_set_mode +@@ -9267,7 +9267,7 @@ gnutls_fips140_set_mode -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, unsigned FLAGS) @@ -521,10 +521,10 @@ Index: gnutls-3.8.10/doc/gnutls.info-3 FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’ -Index: gnutls-3.8.10/doc/invoke-gnutls-cli.texi +Index: gnutls-3.8.11/doc/invoke-gnutls-cli.texi =================================================================== ---- gnutls-3.8.10.orig/doc/invoke-gnutls-cli.texi -+++ gnutls-3.8.10/doc/invoke-gnutls-cli.texi +--- gnutls-3.8.11.orig/doc/invoke-gnutls-cli.texi ++++ gnutls-3.8.11/doc/invoke-gnutls-cli.texi @@ -102,7 +102,7 @@ None: --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library 
@@ -534,10 +534,10 @@ Index: gnutls-3.8.10/doc/invoke-gnutls-cli.texi --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -Index: gnutls-3.8.10/doc/manpages/gnutls-cli.1 +Index: gnutls-3.8.11/doc/manpages/gnutls-cli.1 =================================================================== ---- gnutls-3.8.10.orig/doc/manpages/gnutls-cli.1 -+++ gnutls-3.8.10/doc/manpages/gnutls-cli.1 +--- gnutls-3.8.11.orig/doc/manpages/gnutls-cli.1 ++++ gnutls-3.8.11/doc/manpages/gnutls-cli.1 @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. This will override the default options in /etc/gnutls/pkcs11.conf .TP @@ -547,11 +547,11 @@ Index: gnutls-3.8.10/doc/manpages/gnutls-cli.1 .sp .TP .NOP \f\*[B-Font]\-\-list\-config\f[] -Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html +Index: gnutls-3.8.11/doc/reference/html/gnutls-gnutls.html =================================================================== ---- gnutls-3.8.10.orig/doc/reference/html/gnutls-gnutls.html -+++ gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html -@@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (

    When the flag GNUTLS_FIPS140_SET_MODE_THREAD is specified @@ -566,7 +566,7 @@ Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html values for mode or to GNUTLS_FIPS140_SELFTESTS mode, the library switches to GNUTLS_FIPS140_STRICT mode.

    -@@ -20894,7 +20894,7 @@ switches to

    mode

    @@ -575,7 +575,7 @@ Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html   -@@ -26035,7 +26035,7 @@ encryption

    +@@ -26311,7 +26311,7 @@ encryption


    enum gnutls_fips_mode_t

    @@ -584,7 +584,7 @@ Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html

    Members

    -@@ -26048,7 +26048,7 @@ encryption

    +@@ -26324,7 +26324,7 @@ encryption

    -@@ -26071,8 +26071,8 @@ operation failure via error code.

    +@@ -26347,8 +26347,8 @@ operation failure via error code.

    -@@ -27712,4 +27712,4 @@ This is used by
    Generated by GTK-Doc V1.34.0 - \ No newline at end of file + -Index: gnutls-3.8.10/lib/fips.c +Index: gnutls-3.8.11/lib/fips.c =================================================================== ---- gnutls-3.8.10.orig/lib/fips.c -+++ gnutls-3.8.10/lib/fips.c +--- gnutls-3.8.11.orig/lib/fips.c ++++ gnutls-3.8.11/lib/fips.c @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void) } @@ -633,7 +633,7 @@ Index: gnutls-3.8.10/lib/fips.c ret = GNUTLS_FIPS140_SELFTESTS; goto exit; } -@@ -745,7 +745,7 @@ unsigned gnutls_fips140_mode_enabled(voi +@@ -730,7 +730,7 @@ unsigned gnutls_fips140_mode_enabled(voi /** * gnutls_fips140_set_mode: @@ -642,7 +642,7 @@ Index: gnutls-3.8.10/lib/fips.c * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD * * That function is not thread-safe when changing the mode with no flags -@@ -753,13 +753,13 @@ unsigned gnutls_fips140_mode_enabled(voi +@@ -738,13 +738,13 @@ unsigned gnutls_fips140_mode_enabled(voi * behavior with no flags after threads are created is undefined. * * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified @@ -658,7 +658,7 @@ Index: gnutls-3.8.10/lib/fips.c * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library * switches to %GNUTLS_FIPS140_STRICT mode. * -@@ -771,10 +771,10 @@ void gnutls_fips140_set_mode(gnutls_fips +@@ -756,10 +756,10 @@ void gnutls_fips140_set_mode(gnutls_fips gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled(); if (prev == GNUTLS_FIPS140_DISABLED || prev == GNUTLS_FIPS140_SELFTESTS) { @@ -671,7 +671,7 @@ Index: gnutls-3.8.10/lib/fips.c return; } -@@ -787,7 +787,7 @@ void gnutls_fips140_set_mode(gnutls_fips +@@ -772,7 +772,7 @@ void gnutls_fips140_set_mode(gnutls_fips case GNUTLS_FIPS140_SELFTESTS: _gnutls_audit_log( NULL, @@ -680,7 +680,7 @@ Index: gnutls-3.8.10/lib/fips.c mode = GNUTLS_FIPS140_STRICT; break; default: -@@ -963,7 +963,7 @@ void _gnutls_switch_fips_state(gnutls_fi +@@ -948,7 +948,7 @@ void _gnutls_switch_fips_state(gnutls_fi } if (!_tfips_context) { 
@@ -689,7 +689,7 @@ Index: gnutls-3.8.10/lib/fips.c return; } -@@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi +@@ -962,7 +962,7 @@ void _gnutls_switch_fips_state(gnutls_fi if (mode != GNUTLS_FIPS140_LAX) { _gnutls_audit_log( NULL, @@ -698,7 +698,7 @@ Index: gnutls-3.8.10/lib/fips.c operation_state_to_string(state)); } _tfips_context->state = state; -@@ -988,7 +988,7 @@ void _gnutls_switch_fips_state(gnutls_fi +@@ -973,7 +973,7 @@ void _gnutls_switch_fips_state(gnutls_fi if (mode != GNUTLS_FIPS140_LAX) { _gnutls_audit_log( NULL, @@ -707,7 +707,7 @@ Index: gnutls-3.8.10/lib/fips.c operation_state_to_string(state)); } _tfips_context->state = state; -@@ -1000,7 +1000,7 @@ void _gnutls_switch_fips_state(gnutls_fi +@@ -985,7 +985,7 @@ void _gnutls_switch_fips_state(gnutls_fi if (mode != GNUTLS_FIPS140_LAX) { _gnutls_audit_log( NULL, @@ -716,7 +716,7 @@ Index: gnutls-3.8.10/lib/fips.c operation_state_to_string( _tfips_context->state), operation_state_to_string(state)); -@@ -1062,7 +1062,7 @@ int gnutls_fips140_run_self_tests(void) +@@ -1047,7 +1047,7 @@ int gnutls_fips140_run_self_tests(void) ret < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log(NULL, @@ -725,7 +725,7 @@ Index: gnutls-3.8.10/lib/fips.c } else { /* Restore the previous library state */ _gnutls_switch_lib_state(prev_lib_state); -@@ -1074,7 +1074,7 @@ int gnutls_fips140_run_self_tests(void) +@@ -1059,7 +1059,7 @@ int gnutls_fips140_run_self_tests(void) if (gnutls_fips140_pop_context() < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log( 
@@ -734,11 +734,11 @@ Index: gnutls-3.8.10/lib/fips.c } gnutls_fips140_context_deinit(fips_context); } -Index: gnutls-3.8.10/lib/fips.h +Index: gnutls-3.8.11/lib/fips.h =================================================================== ---- gnutls-3.8.10.orig/lib/fips.h -+++ gnutls-3.8.10/lib/fips.h -@@ -161,7 +161,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci +--- gnutls-3.8.11.orig/lib/fips.h ++++ gnutls-3.8.11/lib/fips.h +@@ -164,7 +164,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci } #ifdef ENABLE_FIPS140 @@ -747,7 +747,7 @@ Index: gnutls-3.8.10/lib/fips.h * and return an error if necessary or ignore */ #define FIPS_RULE(condition, ret_error, ...) \ { \ -@@ -171,10 +171,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci +@@ -174,10 +174,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci if (_mode == GNUTLS_FIPS140_LOG) { \ _gnutls_audit_log( \ NULL, \ @@ -760,7 +760,7 @@ Index: gnutls-3.8.10/lib/fips.h return ret_error; \ } \ } \ -@@ -189,7 +189,7 @@ inline static bool is_mac_algo_allowed(g +@@ -192,7 +192,7 @@ inline static bool is_mac_algo_allowed(g switch (mode) { case GNUTLS_FIPS140_LOG: _gnutls_audit_log(NULL, @@ -769,7 +769,7 @@ Index: gnutls-3.8.10/lib/fips.h gnutls_mac_get_name(algo)); FALLTHROUGH; case GNUTLS_FIPS140_DISABLED: -@@ -211,7 +211,7 @@ inline static bool is_cipher_algo_allowe +@@ -214,7 +214,7 @@ inline static bool is_cipher_algo_allowe switch (mode) { case GNUTLS_FIPS140_LOG: _gnutls_audit_log(NULL, 
@@ -778,11 +778,11 @@ Index: gnutls-3.8.10/lib/fips.h gnutls_cipher_get_name(algo)); FALLTHROUGH; case GNUTLS_FIPS140_DISABLED: -Index: gnutls-3.8.10/lib/global.c +Index: gnutls-3.8.11/lib/global.c =================================================================== ---- gnutls-3.8.10.orig/lib/global.c -+++ gnutls-3.8.10/lib/global.c -@@ -349,12 +349,12 @@ static int _gnutls_global_init(unsigned +--- gnutls-3.8.11.orig/lib/global.c ++++ gnutls-3.8.11/lib/global.c +@@ -359,12 +359,12 @@ static int _gnutls_global_init(unsigned #ifdef ENABLE_FIPS140 res = _gnutls_fips_mode_enabled(); @@ -797,7 +797,7 @@ Index: gnutls-3.8.10/lib/global.c _gnutls_priority_update_fips(); /* first round of self checks, these are done on the -@@ -364,7 +364,7 @@ static int _gnutls_global_init(unsigned +@@ -374,7 +374,7 @@ static int _gnutls_global_init(unsigned if (ret < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log( @@ -806,7 +806,7 @@ Index: gnutls-3.8.10/lib/global.c if (res != 2) { gnutls_assert(); goto out; -@@ -390,7 +390,7 @@ static int _gnutls_global_init(unsigned +@@ -400,7 +400,7 @@ static int _gnutls_global_init(unsigned if (ret < 0) { _gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_audit_log( @@ -815,11 +815,11 @@ Index: gnutls-3.8.10/lib/global.c if (res != 2) { gnutls_assert(); goto out; -Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in +Index: gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in =================================================================== ---- gnutls-3.8.10.orig/lib/includes/gnutls/gnutls.h.in -+++ gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in -@@ -3236,16 +3236,16 @@ typedef int (*gnutls_alert_read_func)(gn +--- gnutls-3.8.11.orig/lib/includes/gnutls/gnutls.h.in ++++ gnutls-3.8.11/lib/includes/gnutls/gnutls.h.in +@@ -3251,16 +3251,16 @@ typedef int (*gnutls_alert_read_func)(gn void gnutls_alert_set_read_function(gnutls_session_t session, gnutls_alert_read_func func); 
@@ -840,7 +840,7 @@ Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in * application is aware of the followed security policy, and needs * to utilize disallowed operations for other reasons (e.g., compatibility). * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results -@@ -3253,7 +3253,7 @@ unsigned gnutls_fips140_mode_enabled(voi +@@ -3268,7 +3268,7 @@ unsigned gnutls_fips140_mode_enabled(voi * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state * cannot be set or seen by applications. * @@ -849,10 +849,10 @@ Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in */ typedef enum gnutls_fips_mode_t { GNUTLS_FIPS140_DISABLED = 0, -Index: gnutls-3.8.10/src/cli.c +Index: gnutls-3.8.11/src/cli.c =================================================================== ---- gnutls-3.8.10.orig/src/cli.c -+++ gnutls-3.8.10/src/cli.c +--- gnutls-3.8.11.orig/src/cli.c ++++ gnutls-3.8.11/src/cli.c @@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char ** if (HAVE_OPT(FIPS140_MODE)) { @@ -866,10 +866,10 @@ Index: gnutls-3.8.10/src/cli.c exit(1); } -Index: gnutls-3.8.10/src/gnutls-cli-options.c +Index: gnutls-3.8.11/src/gnutls-cli-options.c =================================================================== ---- gnutls-3.8.10.orig/src/gnutls-cli-options.c -+++ gnutls-3.8.10/src/gnutls-cli-options.c +--- gnutls-3.8.11.orig/src/gnutls-cli-options.c ++++ gnutls-3.8.11/src/gnutls-cli-options.c @@ -843,7 +843,7 @@ usage (FILE *out, int status) " --inline-commands-prefix=str Change the default delimiter for inline commands\n" " --provider=file Specify the PKCS #11 provider library\n" 
@@ -879,10 +879,10 @@ Index: gnutls-3.8.10/src/gnutls-cli-options.c " --list-config Reports the configuration of the library\n" " --logfile=str Redirect informational messages to a specific file\n" " --keymatexport=str Label used for exporting keying material\n" -Index: gnutls-3.8.10/tests/cert-tests/gost.sh +Index: gnutls-3.8.11/tests/cert-tests/gost.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/gost.sh -+++ gnutls-3.8.10/tests/cert-tests/gost.sh +--- gnutls-3.8.11.orig/tests/cert-tests/gost.sh ++++ gnutls-3.8.11/tests/cert-tests/gost.sh @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -892,10 +892,10 @@ Index: gnutls-3.8.10/tests/cert-tests/gost.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs12-corner-cases.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-corner-cases.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-corner-cases.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs12-corner-cases.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -905,10 +905,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs12-corner-cases.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs12-encode.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-encode.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-encode.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs12-encode.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi 
@@ -918,10 +918,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs12-encode.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs12-gost.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs12-gost.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12-gost.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs12-gost.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -931,10 +931,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs12-gost.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs12.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs12.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs12.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs12.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs12.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs12.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -944,10 +944,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs12.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs8-decode.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-decode.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-decode.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs8-decode.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi 
@@ -957,10 +957,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs8-decode.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs8-eddsa.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-eddsa.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-eddsa.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs8-eddsa.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -970,10 +970,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs8-eddsa.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs8-gost.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs8-gost.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8-gost.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs8-gost.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -983,10 +983,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs8-gost.sh exit 77 fi -Index: gnutls-3.8.10/tests/cert-tests/pkcs8.sh +Index: gnutls-3.8.11/tests/cert-tests/pkcs8.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cert-tests/pkcs8.sh -+++ gnutls-3.8.10/tests/cert-tests/pkcs8.sh +--- gnutls-3.8.11.orig/tests/cert-tests/pkcs8.sh ++++ gnutls-3.8.11/tests/cert-tests/pkcs8.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -996,10 +996,10 @@ Index: gnutls-3.8.10/tests/cert-tests/pkcs8.sh exit 77 fi -Index: gnutls-3.8.10/tests/cipher-listings.sh +Index: gnutls-3.8.11/tests/cipher-listings.sh =================================================================== ---- gnutls-3.8.10.orig/tests/cipher-listings.sh -+++ gnutls-3.8.10/tests/cipher-listings.sh +--- gnutls-3.8.11.orig/tests/cipher-listings.sh ++++ gnutls-3.8.11/tests/cipher-listings.sh 
@@ -63,7 +63,7 @@ check() ${CLI} --fips140-mode @@ -1009,10 +1009,10 @@ Index: gnutls-3.8.10/tests/cipher-listings.sh exit 77 fi -Index: gnutls-3.8.10/tests/testpkcs11.sh +Index: gnutls-3.8.11/tests/testpkcs11.sh =================================================================== ---- gnutls-3.8.10.orig/tests/testpkcs11.sh -+++ gnutls-3.8.10/tests/testpkcs11.sh +--- gnutls-3.8.11.orig/tests/testpkcs11.sh ++++ gnutls-3.8.11/tests/testpkcs11.sh @@ -26,7 +26,7 @@ RETCODE=0 @@ -1022,10 +1022,10 @@ Index: gnutls-3.8.10/tests/testpkcs11.sh exit 77 fi -Index: gnutls-3.8.10/doc/enums/gnutls_fips_mode_t +Index: gnutls-3.8.11/doc/enums/gnutls_fips_mode_t =================================================================== ---- gnutls-3.8.10.orig/doc/enums/gnutls_fips_mode_t -+++ gnutls-3.8.10/doc/enums/gnutls_fips_mode_t +--- gnutls-3.8.11.orig/doc/enums/gnutls_fips_mode_t ++++ gnutls-3.8.11/doc/enums/gnutls_fips_mode_t @@ -3,7 +3,7 @@ @c gnutls_fips_mode_t @table @code @@ -1046,11 +1046,11 @@ Index: gnutls-3.8.10/doc/enums/gnutls_fips_mode_t application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility). @item GNUTLS_@-FIPS140_@-LOG -Index: gnutls-3.8.10/doc/gnutls-api.texi +Index: gnutls-3.8.11/doc/gnutls-api.texi =================================================================== ---- gnutls-3.8.10.orig/doc/gnutls-api.texi -+++ gnutls-3.8.10/doc/gnutls-api.texi -@@ -3279,7 +3279,7 @@ unusable. This function is not thread-s +--- gnutls-3.8.11.orig/doc/gnutls-api.texi ++++ gnutls-3.8.11/doc/gnutls-api.texi +@@ -3319,7 +3319,7 @@ unusable. This function is not thread-s @subheading gnutls_fips140_set_mode @anchor{gnutls_fips140_set_mode} @deftypefun {void} {gnutls_fips140_set_mode} (gnutls_fips_mode_t @var{mode}, unsigned @var{flags}) 
@@ -1059,7 +1059,7 @@ Index: gnutls-3.8.10/doc/gnutls-api.texi @var{flags}: should be zero or @code{GNUTLS_FIPS140_SET_MODE_THREAD} -@@ -3288,13 +3288,13 @@ That function is not thread-safe when ch +@@ -3328,13 +3328,13 @@ That function is not thread-safe when ch behavior with no flags after threads are created is undefined. When the flag @code{GNUTLS_FIPS140_SET_MODE_THREAD} is specified @@ -1075,10 +1075,10 @@ Index: gnutls-3.8.10/doc/gnutls-api.texi values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library switches to @code{GNUTLS_FIPS140_STRICT} mode. -Index: gnutls-3.8.10/lib/ext/session_ticket.c +Index: gnutls-3.8.11/lib/ext/session_ticket.c =================================================================== ---- gnutls-3.8.10.orig/lib/ext/session_ticket.c -+++ gnutls-3.8.10/lib/ext/session_ticket.c +--- gnutls-3.8.11.orig/lib/ext/session_ticket.c ++++ gnutls-3.8.11/lib/ext/session_ticket.c @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g { if (_gnutls_fips_mode_enabled()) { @@ -1088,11 +1088,11 @@ Index: gnutls-3.8.10/lib/ext/session_ticket.c * some limits on allowed key size, thus it is not * used. These limits do not affect this function as * it does not generate a "key" but rather key material -Index: gnutls-3.8.10/lib/libgnutls.map +Index: gnutls-3.8.11/lib/libgnutls.map =================================================================== ---- gnutls-3.8.10.orig/lib/libgnutls.map -+++ gnutls-3.8.10/lib/libgnutls.map -@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 { +--- gnutls-3.8.11.orig/lib/libgnutls.map ++++ gnutls-3.8.11/lib/libgnutls.map +@@ -1473,7 +1473,7 @@ GNUTLS_FIPS140_3_4 { gnutls_hkdf_self_test; gnutls_pbkdf2_self_test; gnutls_tlsprf_self_test; 
@@ -1101,10 +1101,10 @@ Index: gnutls-3.8.10/lib/libgnutls.map drbg_aes_reseed; drbg_aes_init; drbg_aes_generate; -Index: gnutls-3.8.10/lib/nettle/mac.c +Index: gnutls-3.8.11/lib/nettle/mac.c =================================================================== ---- gnutls-3.8.10.orig/lib/nettle/mac.c -+++ gnutls-3.8.10/lib/nettle/mac.c +--- gnutls-3.8.11.orig/lib/nettle/mac.c ++++ gnutls-3.8.11/lib/nettle/mac.c @@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx static int _mac_ctx_init(gnutls_mac_algorithm_t algo, struct nettle_mac_ctx *ctx) @@ -1123,11 +1123,11 @@ Index: gnutls-3.8.10/lib/nettle/mac.c * gnutls_hash_init() and gnutls_hmac_init() */ ctx->finished = NULL; -Index: gnutls-3.8.10/config.h.in +Index: gnutls-3.8.11/config.h.in =================================================================== ---- gnutls-3.8.10.orig/config.h.in -+++ gnutls-3.8.10/config.h.in -@@ -104,7 +104,7 @@ +--- gnutls-3.8.11.orig/config.h.in ++++ gnutls-3.8.11/config.h.in +@@ -107,7 +107,7 @@ /* enable DHE */ #undef ENABLE_ECDHE @@ -1136,7 +1136,7 @@ Index: gnutls-3.8.10/config.h.in #undef ENABLE_FIPS140 /* enable GOST */ -@@ -147,7 +147,7 @@ +@@ -150,7 +150,7 @@ /* Define this to 1 if F_DUPFD behavior does not match POSIX */ #undef FCNTL_DUPFD_BUGGY 
@@ -1145,23 +1145,23 @@ Index: gnutls-3.8.10/config.h.in #undef FIPS_KEY /* The FIPS140 module name */ -Index: gnutls-3.8.10/configure +Index: gnutls-3.8.11/configure =================================================================== ---- gnutls-3.8.10.orig/configure -+++ gnutls-3.8.10/configure -@@ -4484,7 +4484,7 @@ Optional Features: - --enable-fast-install[=PKGS] - optimize for fast installation [default=yes] +--- gnutls-3.8.11.orig/configure ++++ gnutls-3.8.11/configure +@@ -4501,7 +4501,7 @@ Optional Features: + shared library versioning (aka "SONAME") variant to + provide on AIX, [default=aix]. --disable-libtool-lock avoid locking (might break parallel builds) - --enable-fips140-mode enable FIPS140-2 mode + --enable-fips140-mode enable FIPS140-3 mode --enable-strict-x509 enable stricter sanity checks for x509 certificates --disable-non-suiteb-curves disable curves not in SuiteB -Index: gnutls-3.8.10/doc/cha-support.texi +Index: gnutls-3.8.11/doc/cha-support.texi =================================================================== ---- gnutls-3.8.10.orig/doc/cha-support.texi -+++ gnutls-3.8.10/doc/cha-support.texi +--- gnutls-3.8.11.orig/doc/cha-support.texi ++++ gnutls-3.8.11/doc/cha-support.texi @@ -134,5 +134,5 @@ There are certifications from national o to an auditor that the crypto component follows some best practices, such as unit testing and reliance on well known crypto primitives. 
@@ -1170,10 +1170,10 @@ Index: gnutls-3.8.10/doc/cha-support.texi -See @ref{FIPS140-2 mode} for more information. +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux. +See @ref{FIPS140-3 mode} for more information. -Index: gnutls-3.8.10/src/gnutls-cli-options.json +Index: gnutls-3.8.11/src/gnutls-cli-options.json =================================================================== ---- gnutls-3.8.10.orig/src/gnutls-cli-options.json -+++ gnutls-3.8.10/src/gnutls-cli-options.json +--- gnutls-3.8.11.orig/src/gnutls-cli-options.json ++++ gnutls-3.8.11/src/gnutls-cli-options.json @@ -384,7 +384,7 @@ }, { @@ -1183,10 +1183,10 @@ Index: gnutls-3.8.10/src/gnutls-cli-options.json }, { "long-option": "list-config", -Index: gnutls-3.8.10/tests/pkcs11-tool.sh +Index: gnutls-3.8.11/tests/pkcs11-tool.sh =================================================================== ---- gnutls-3.8.10.orig/tests/pkcs11-tool.sh -+++ gnutls-3.8.10/tests/pkcs11-tool.sh +--- gnutls-3.8.11.orig/tests/pkcs11-tool.sh ++++ gnutls-3.8.11/tests/pkcs11-tool.sh @@ -30,7 +30,7 @@ set -x : ${DIFF=diff} @@ -1196,10 +1196,10 @@ Index: gnutls-3.8.10/tests/pkcs11-tool.sh exit 77 fi -Index: gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3 +Index: gnutls-3.8.11/doc/manpages/gnutls_fips140_set_mode.3 =================================================================== ---- gnutls-3.8.10.orig/doc/manpages/gnutls_fips140_set_mode.3 -+++ gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3 +--- gnutls-3.8.11.orig/doc/manpages/gnutls_fips140_set_mode.3 ++++ gnutls-3.8.11/doc/manpages/gnutls_fips140_set_mode.3 @@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function .BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");" .SH ARGUMENTS 
@@ -1225,16 +1225,16 @@ Index: gnutls-3.8.10/doc/manpages/gnutls_fips140_set_mode.3 values for \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library switches to \fBGNUTLS_FIPS140_STRICT\fP mode. .SH "SINCE" -Index: gnutls-3.8.10/doc/gnutls.info +Index: gnutls-3.8.11/doc/gnutls.info =================================================================== ---- gnutls-3.8.10.orig/doc/gnutls.info -+++ gnutls-3.8.10/doc/gnutls.info -@@ -624,7 +624,7 @@ Ref: fig-crypto-layers746569 - Ref: Cryptographic Backend-Footnote-1749876 - Ref: Cryptographic Backend-Footnote-2749961 - Node: Random Number Generators-internals750073 --Node: FIPS140-2 mode757529 -+Node: FIPS140-3 mode757529 - Ref: gnutls_fips_mode_t760193 - Node: Upgrading from previous versions763861 - Node: Support778099 +--- gnutls-3.8.11.orig/doc/gnutls.info ++++ gnutls-3.8.11/doc/gnutls.info +@@ -624,7 +624,7 @@ Ref: fig-crypto-layers747098 + Ref: Cryptographic Backend-Footnote-1750404 + Ref: Cryptographic Backend-Footnote-2750489 + Node: Random Number Generators-internals750601 +-Node: FIPS140-2 mode758057 ++Node: FIPS140-3 mode758057 + Ref: gnutls_fips_mode_t760721 + Node: Upgrading from previous versions764389 + Node: Support778627 diff --git a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch index 98c53aa..396af26 100644 --- a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch +++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch 
@@ -1,8 +1,52 @@ -Index: gnutls-3.8.8/lib/fips.c +Index: gnutls-3.8.11/lib/fips.c =================================================================== ---- gnutls-3.8.8.orig/lib/fips.c -+++ gnutls-3.8.8/lib/fips.c -@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi +--- gnutls-3.8.11.orig/lib/fips.c ++++ gnutls-3.8.11/lib/fips.c +@@ -268,6 +268,29 @@ static int handler(void *user, const cha + return 1; + } + ++ ++/* In case of x86_64-v3 optmizations, names might differ in version numbers. ++ * @mac_file: buffer where the hmac file path will be written to ++ * @lib_path: path to the dependent library, used to deduce hmac file path ++ * @file_name: The file name of the library ++ */ ++ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) { ++ // Cut name short if more than SOVER is present ++ char *soname = strstr(file_name, ".so."); ++ char correct_ext[256]; ++ memset(correct_ext, 0x0, 256); ++ soname += strlen(".so."); ++ for (uint32_t i = 0; i < strlen(soname); i++) { ++ if (soname[i] == '.') { ++ int proper_len = soname - file_name + i; ++ strncpy(correct_ext, file_name, proper_len); ++ snprintf(mac_file, 256, "%.*s/.%.*s.hmac", ++ (int)(file_name-lib_path),lib_path,proper_len,correct_ext); ++ break; ++ } ++ } ++} ++ + /* + * get_hmac_path: + * @mac_file: buffer where the hmac file path will be written to +@@ -300,6 +323,13 @@ static int get_hmac_path(char *mac_file, + if (ret == 0) + return GNUTLS_E_SUCCESS; + ++ if (strstr(gnutls_path, "glibc-hwcaps")) { ++ get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1); ++ ret = _gnutls_file_exists(mac_file); ++ if (ret == 0) ++ return GNUTLS_E_SUCCESS; ++ } ++ + if (p == NULL) + ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", + gnutls_path); +@@ -349,11 +379,90 @@ static int load_hmac_file(struct hmac_fi } /* 
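Review bot: The new `get_hwcaps_lib_hmac_path()` uses the result of `strstr(file_name, ".so.")` without a NULL check, so a library name lacking that substring makes `soname += strlen(".so.")` undefined behaviour. It also copies `proper_len` bytes into the fixed `correct_ext[256]` with no bound and writes `mac_file` with a hard-coded 256 instead of the caller's `mac_file_size`. In `get_hmac_path` the helper is called with `p + 1` before the existing `if (p == NULL)` test, so the call should be guarded as `if (p != NULL && strstr(gnutls_path, "glibc-hwcaps"))`. Since this code locates the file used for the FIPS integrity check, I would drop the scratch buffer and pass the real buffer size, as sketched below. The body of `get_hmac_path` starts and ends outside the hunk, so whether `p` can actually be NULL here should be confirmed against the full function.

```c
static void get_hwcaps_lib_hmac_path(char *mac_file, size_t mac_file_size,
				     const char *lib_path, const char *file_name)
{
	const char *sover = strstr(file_name, ".so.");
	const char *dot;

	if (sover == NULL)
		return;
	sover += strlen(".so.");
	/* first '.' after the SOVER marks where the name is cut */
	dot = strchr(sover, '.');
	if (dot == NULL)
		return;
	/* bounded %.*s reads straight from file_name; no intermediate copy */
	snprintf(mac_file, mac_file_size, "%.*s/.%.*s.hmac",
		 (int)(file_name - lib_path), lib_path,
		 (int)(dot - file_name), file_name);
}

/* … unchanged: get_hmac_path up to the first _gnutls_file_exists() check … */
	if (p != NULL && strstr(gnutls_path, "glibc-hwcaps")) {
		get_hwcaps_lib_hmac_path(mac_file, mac_file_size, gnutls_path, p + 1);
```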
@@ -94,26 +138,46 @@ Index: gnutls-3.8.8/lib/fips.c * * Returns: 0 on successful HMAC verification, a negative error code otherwise */ -@@ -496,17 +575,20 @@ static int check_binary_integrity(void) +@@ -405,18 +514,18 @@ static int callback(struct dl_phdr_info + const char *soname = last_component(path); + struct lib_paths *paths = (struct lib_paths *)data; + +- if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) ++ if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME))) + _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); + #ifdef NETTLE_LIBRARY_SONAME +- else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) ++ else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME))) + _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); + #endif + #ifdef HOGWEED_LIBRARY_SONAME +- else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) ++ else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME))) + _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); + #endif + #ifdef GMP_LIBRARY_SONAME +- else if (!strcmp(soname, GMP_LIBRARY_SONAME)) ++ else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME))) + _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); + #endif + return 0; +@@ -496,17 +605,17 @@ static int check_binary_integrity(void) if (ret < 0) return ret; #ifdef NETTLE_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.nettle, paths.nettle); -+ //ret = check_lib_hmac(&hmac.nettle, paths.nettle); + ret = check_dep_lib_hmac(paths.nettle); if (ret < 0) return ret; #endif #ifdef HOGWEED_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); -+ //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); + ret = check_dep_lib_hmac(paths.hogweed); if (ret < 0) return ret; #endif #ifdef GMP_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.gmp, paths.gmp); -+ //ret = check_lib_hmac(&hmac.gmp, paths.gmp); + ret = check_dep_lib_hmac(paths.gmp); if (ret < 0) return ret; 
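Review bot: Replacing `strcmp` with `strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME))` in `callback` turns the SONAME test into a bare prefix match, and the nettle, hogweed and gmp branches do the same. Any loaded object whose basename merely begins with the SONAME is then recorded as the library to be HMAC-checked, and because `callback` returns 0 a later match overwrites an earlier one. If the intent is only to accept extra version components, the match should also require that the next character ends the name or starts a version suffix, e.g. `(soname[n] == '\0' || soname[n] == '.')` with `n = strlen(GNUTLS_LIBRARY_SONAME)`. `callback` begins outside the hunk and `check_dep_lib_hmac` is defined elsewhere in the patch, so what the dependency check verifies cannot be confirmed from here.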
diff --git a/gnutls-FIPS-HMAC-x86_64-v3-opt.patch b/gnutls-FIPS-HMAC-x86_64-v3-opt.patch deleted file mode 100644 index 8644ab7..0000000 --- a/gnutls-FIPS-HMAC-x86_64-v3-opt.patch +++ /dev/null @@ -1,47 +0,0 @@ -Index: gnutls-3.8.9/lib/fips.c -=================================================================== ---- gnutls-3.8.9.orig/lib/fips.c -+++ gnutls-3.8.9/lib/fips.c -@@ -268,6 +268,28 @@ static int handler(void *user, const cha - return 1; - } - -+ -+/* In case of x86_64-v3 optmizations, names might differ in version numbers. -+ * @mac_file: buffer where the hmac file path will be written to -+ * @lib_path: path to the dependent library, used to deduce hmac file path -+ * @file_name: The file name of the library -+ */ -+ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) { -+ // Cut name short if more than SOVER is present -+ char *soname = strstr(file_name, ".so."); -+ char correct_ext[256]; -+ memset(correct_ext, 0x0, 256); -+ soname += strlen(".so."); -+ for (uint32_t i = 0; i < strlen(soname); i++) { -+ if (soname[i] == '.') { -+ int proper_len = soname - file_name + i; -+ strncpy(correct_ext, file_name, proper_len); -+ snprintf(mac_file, 256, "%.*s/.%.*s.hmac", (int)(file_name-lib_path),lib_path,proper_len,correct_ext); -+ break; -+ } -+ } -+} -+ - /* - * get_hmac_path: - * @mac_file: buffer where the hmac file path will be written to -@@ -300,6 +322,13 @@ static int get_hmac_path(char *mac_file, - if (ret == 0) - return GNUTLS_E_SUCCESS; - -+ if (strstr(gnutls_path, "glibc-hwcaps")) { -+ get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1); -+ ret = _gnutls_file_exists(mac_file); -+ if (ret == 0) -+ return GNUTLS_E_SUCCESS; -+ } -+ - if (p == NULL) - ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", - gnutls_path); diff --git a/gnutls-FIPS-TLS_KDF_selftest.patch b/gnutls-FIPS-TLS_KDF_selftest.patch index 61e218e..9cddf4f 100644 --- a/gnutls-FIPS-TLS_KDF_selftest.patch 
+++ b/gnutls-FIPS-TLS_KDF_selftest.patch @@ -1,8 +1,8 @@ -Index: gnutls-3.8.9/lib/fips.c +Index: gnutls-3.8.11/lib/fips.c =================================================================== ---- gnutls-3.8.9.orig/lib/fips.c -+++ gnutls-3.8.9/lib/fips.c -@@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo +--- gnutls-3.8.11.orig/lib/fips.c ++++ gnutls-3.8.11/lib/fips.c +@@ -608,6 +608,26 @@ int _gnutls_fips_perform_self_checks2(vo return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); } @@ -27,5 +27,5 @@ Index: gnutls-3.8.9/lib/fips.c + } + /* PK */ - if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) { - ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA); + ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA_PSS); + if (ret < 0) { diff --git a/gnutls-FIPS-jitterentropy-deinit-threads.patch b/gnutls-FIPS-jitterentropy-deinit-threads.patch deleted file mode 100644 index bc193e9..0000000 --- a/gnutls-FIPS-jitterentropy-deinit-threads.patch +++ /dev/null @@ -1,34 +0,0 @@ -Index: gnutls-3.8.4/lib/state.c -=================================================================== ---- gnutls-3.8.4.orig/lib/state.c -+++ gnutls-3.8.4/lib/state.c -@@ -830,6 +830,12 @@ void gnutls_deinit(gnutls_session_t sess - gnutls_mutex_deinit(&session->internals.post_negotiation_lock); - gnutls_mutex_deinit(&session->internals.epoch_lock); - -+#if defined(__linux__) -+# if defined(ENABLE_FIPS140) -+ _rnd_system_entropy_deinit(); -+# endif -+#endif -+ - gnutls_free(session); - } - -Index: gnutls-3.8.4/lib/nettle/rnd.c -=================================================================== ---- gnutls-3.8.4.orig/lib/nettle/rnd.c -+++ gnutls-3.8.4/lib/nettle/rnd.c -@@ -79,6 +79,12 @@ struct generators_ctx_st { - - static void wrap_nettle_rnd_deinit(void *_ctx) - { -+#if defined(__linux__) -+# if defined(ENABLE_FIPS140) -+ _rnd_system_entropy_deinit(); -+# endif -+#endif -+ - gnutls_free(_ctx); - } - diff --git a/gnutls-FIPS-jitterentropy.patch b/gnutls-FIPS-jitterentropy.patch index 75f787e..2b5dd6d 100644 
--- a/gnutls-FIPS-jitterentropy.patch +++ b/gnutls-FIPS-jitterentropy.patch @@ -1,7 +1,7 @@ -Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c +Index: gnutls-3.8.11/lib/nettle/sysrng-linux.c =================================================================== ---- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c -+++ gnutls-3.8.9/lib/nettle/sysrng-linux.c +--- gnutls-3.8.11.orig/lib/nettle/sysrng-linux.c ++++ gnutls-3.8.11/lib/nettle/sysrng-linux.c @@ -49,6 +49,15 @@ get_entropy_func _rnd_get_system_entropy = NULL; @@ -158,11 +158,11 @@ Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c +#endif return; } -Index: gnutls-3.8.9/lib/nettle/Makefile.in +Index: gnutls-3.8.11/lib/nettle/Makefile.in =================================================================== ---- gnutls-3.8.9.orig/lib/nettle/Makefile.in -+++ gnutls-3.8.9/lib/nettle/Makefile.in -@@ -521,7 +521,7 @@ am__v_CC_1 = +--- gnutls-3.8.11.orig/lib/nettle/Makefile.in ++++ gnutls-3.8.11/lib/nettle/Makefile.in +@@ -522,7 +522,7 @@ am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -171,10 +171,10 @@ Index: gnutls-3.8.9/lib/nettle/Makefile.in AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; -Index: gnutls-3.8.9/lib/nettle/Makefile.am +Index: gnutls-3.8.11/lib/nettle/Makefile.am =================================================================== ---- gnutls-3.8.9.orig/lib/nettle/Makefile.am -+++ gnutls-3.8.9/lib/nettle/Makefile.am +--- gnutls-3.8.11.orig/lib/nettle/Makefile.am ++++ gnutls-3.8.11/lib/nettle/Makefile.am @@ -20,7 +20,7 @@ include $(top_srcdir)/lib/common.mk 
@@ -184,10 +184,10 @@ Index: gnutls-3.8.9/lib/nettle/Makefile.am AM_CPPFLAGS += \ -I$(srcdir)/int \ -Index: gnutls-3.8.9/lib/nettle/rnd-fips.c +Index: gnutls-3.8.11/lib/nettle/rnd-fips.c =================================================================== ---- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c -+++ gnutls-3.8.9/lib/nettle/rnd-fips.c +--- gnutls-3.8.11.orig/lib/nettle/rnd-fips.c ++++ gnutls-3.8.11/lib/nettle/rnd-fips.c @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc uint8_t buffer[DRBG_AES_SEED_SIZE]; int ret; @@ -210,11 +210,11 @@ Index: gnutls-3.8.9/lib/nettle/rnd-fips.c ret = get_entropy(fctx, buffer, sizeof(buffer)); if (ret < 0) { _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR); -Index: gnutls-3.8.9/tests/Makefile.am +Index: gnutls-3.8.11/tests/Makefile.am =================================================================== ---- gnutls-3.8.9.orig/tests/Makefile.am -+++ gnutls-3.8.9/tests/Makefile.am -@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm +--- gnutls-3.8.11.orig/tests/Makefile.am ++++ gnutls-3.8.11/tests/Makefile.am +@@ -214,7 +214,7 @@ ctests += mini-record-2 simple gnutls_hm dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \ keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \ tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \ 
@@ -223,3 +223,37 @@ Index: gnutls-3.8.9/tests/Makefile.am safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \ safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \ rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \ +Index: gnutls-3.8.11/lib/state.c +=================================================================== +--- gnutls-3.8.11.orig/lib/state.c ++++ gnutls-3.8.11/lib/state.c +@@ -834,6 +834,12 @@ void gnutls_deinit(gnutls_session_t sess + gnutls_mutex_deinit(&session->internals.post_negotiation_lock); + gnutls_mutex_deinit(&session->internals.epoch_lock); + ++#if defined(__linux__) ++# if defined(ENABLE_FIPS140) ++ _rnd_system_entropy_deinit(); ++# endif ++#endif ++ + gnutls_free(session); + } + +Index: gnutls-3.8.11/lib/nettle/rnd.c +=================================================================== +--- gnutls-3.8.11.orig/lib/nettle/rnd.c ++++ gnutls-3.8.11/lib/nettle/rnd.c +@@ -79,6 +79,12 @@ struct generators_ctx_st { + + static void wrap_nettle_rnd_deinit(void *_ctx) + { ++#if defined(__linux__) ++# if defined(ENABLE_FIPS140) ++ _rnd_system_entropy_deinit(); ++# endif ++#endif ++ + gnutls_free(_ctx); + } + diff --git a/gnutls-disable-flaky-test-dtls-resume.patch b/gnutls-disable-flaky-test-dtls-resume.patch deleted file mode 100644 index 7feca00..0000000 --- a/gnutls-disable-flaky-test-dtls-resume.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: gnutls-3.8.10/tests/Makefile.am -=================================================================== ---- gnutls-3.8.10.orig/tests/Makefile.am -+++ gnutls-3.8.10/tests/Makefile.am -@@ -536,7 +536,7 @@ ktls_keyupdate_CFLAGS = -DUSE_KTLS - dist_check_SCRIPTS += ktls_keyupdate.sh - endif - --dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb -+dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb - - indirect_tests += dtls-stress - 
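Review bot: `_rnd_system_entropy_deinit()` is now called from `gnutls_deinit()`, which runs on every session teardown, and also from `wrap_nettle_rnd_deinit()`. The hunk does not show whether the state it frees is per-thread or shared. If it is shared, or if other sessions on the same thread are still live, the next RNG call depends on the collector being re-created safely. That deserves a comment at both call sites, such as `/* releases this thread's jitterentropy collector; re-initialised on next use (TODO confirm) */`. The nested guards would also read better as one line, `#if defined(__linux__) && defined(ENABLE_FIPS140)`. Both function bodies start outside the hunk.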
diff --git a/gnutls-fips-sonames-check.patch b/gnutls-fips-sonames-check.patch deleted file mode 100644 index bb47348..0000000 --- a/gnutls-fips-sonames-check.patch +++ /dev/null @@ -1,27 +0,0 @@ -Index: gnutls-3.8.9/lib/fips.c -=================================================================== ---- gnutls-3.8.9.orig/lib/fips.c -+++ gnutls-3.8.9/lib/fips.c -@@ -484,18 +484,18 @@ static int callback(struct dl_phdr_info - const char *soname = last_component(path); - struct lib_paths *paths = (struct lib_paths *)data; - -- if (!strcmp(soname, GNUTLS_LIBRARY_SONAME)) -+ if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME))) - _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path); - #ifdef NETTLE_LIBRARY_SONAME -- else if (!strcmp(soname, NETTLE_LIBRARY_SONAME)) -+ else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME))) - _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path); - #endif - #ifdef HOGWEED_LIBRARY_SONAME -- else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME)) -+ else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME))) - _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path); - #endif - #ifdef GMP_LIBRARY_SONAME -- else if (!strcmp(soname, GMP_LIBRARY_SONAME)) -+ else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME))) - _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path); - #endif - return 0; diff --git a/gnutls-set-cligen-python-interp.patch b/gnutls-set-cligen-python-interp.patch deleted file mode 100644 index 076f3ce..0000000 --- a/gnutls-set-cligen-python-interp.patch +++ /dev/null @@ -1,10 +0,0 @@ -Index: gnutls-3.8.9/cligen/cli-docgen.py -=================================================================== ---- gnutls-3.8.9.orig/cligen/cli-docgen.py -+++ gnutls-3.8.9/cligen/cli-docgen.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python3 - # Copyright (C) 2021-2022 Daiki Ueno - # SPDX-License-Identifier: LGPL-2.1-or-later - 
diff --git a/gnutls-skip-pqx-test.patch b/gnutls-skip-pqx-test.patch deleted file mode 100644 index 6ac6999..0000000 --- a/gnutls-skip-pqx-test.patch +++ /dev/null @@ -1,34 +0,0 @@ -Index: gnutls-3.8.10/tests/Makefile.am -=================================================================== ---- gnutls-3.8.10.orig/tests/Makefile.am -+++ gnutls-3.8.10/tests/Makefile.am -@@ -628,8 +628,6 @@ ctests += win32-certopenstore - - endif - --dist_check_SCRIPTS += pqc-hybrid-kx.sh -- - cpptests = - if ENABLE_CXX - if HAVE_CMOCKA -Index: gnutls-3.8.10/tests/Makefile.in -=================================================================== ---- gnutls-3.8.10.orig/tests/Makefile.in -+++ gnutls-3.8.10/tests/Makefile.in -@@ -3293,7 +3293,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es - gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \ - gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \ - testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \ -- p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh -+ p11-kit-load.sh danetool.sh tpmtool_test.sh - AM_V_P = $(am__v_P_@AM_V@) - am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) - am__v_P_0 = false -@@ -7178,7 +7178,6 @@ dist_check_SCRIPTS = rfc2253-escape-test - $(am__append_18) $(am__append_20) $(am__append_21) \ - $(am__append_23) $(am__append_25) $(am__append_26) \ - $(am__append_27) $(am__append_29) $(am__append_30) \ -- pqc-hybrid-kx.sh - @ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_SOURCES = tls13/key_update.c - @ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_CFLAGS = -DUSE_KTLS - @WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c diff --git a/gnutls-srp-test-SIGPIPE.patch b/gnutls-srp-test-SIGPIPE.patch deleted file mode 100644 index 228728e..0000000 --- a/gnutls-srp-test-SIGPIPE.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -Index: gnutls-3.8.9/tests/srp.c -=================================================================== ---- gnutls-3.8.9.orig/tests/srp.c -+++ gnutls-3.8.9/tests/srp.c -@@ -290,7 +290,7 @@ static void start(const char *name, cons - if (child) { - int status; - /* parent */ -- close(fd[0]); -+ /* close(fd[0]); */ - client(fd[1], prio, user, pass, exp_err); - if (exp_err < 0) { - kill(child, SIGTERM); -@@ -300,7 +300,7 @@ static void start(const char *name, cons - check_wait_status(status); - } - } else { -- close(fd[1]); -+ /* close(fd[1]); */ - server(fd[0], prio); - exit(0); - } diff --git a/gnutls.changes b/gnutls.changes index 5004875..fafeaad 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,74 @@ +------------------------------------------------------------------- +Mon Nov 24 09:54:39 UTC 2025 - Pedro Monreal + +- Reduce the number of patches: + * Merge gnutls-FIPS-jitterentropy-deinit-threads.patch into the + main jitterentropy patch gnutls-FIPS-jitterentropy.patch + * Merge the soname gnutls-fips-sonames-check.patch and V3 + gnutls-FIPS-HMAC-x86_64-v3-opt.patch patches together into + gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch + * Remove gnutls-set-cligen-python-interp.patch with a sed command. + +------------------------------------------------------------------- +Mon Nov 24 09:29:13 UTC 2025 - Pedro Monreal + +- Enable back the failing tests that have been fixed upstream: + * Remove patches: + - gnutls-disable-flaky-test-dtls-resume.patch + - gnutls-srp-test-SIGPIPE.patch + - gnutls-skip-pqx-test.patch + - gnutls-3.8.10-disable-ktls_test.patch + +------------------------------------------------------------------- +Mon Nov 24 08:38:13 UTC 2025 - Pedro Monreal + +- Update to 3.8.11: + * libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init + Reported by Luigino Camastra from Aisle Research. + [GNUTLS-SA-2025-11-18, CVSS: low] [bsc#1254132, CVE-2025-9820] + * libgnutls: MAC algorithms for PSK binders is now configurable + The previous implementation assumed HMAC-SHA256 to calculate the + PSK binders. With the new gnutls_psk_allocate_client_credentials2() + and gnutls_psk_allocate_server_credentials2() functions, the + application can use other MAC algorithms such as HMAC-SHA384. + * libgnutls: Expose a new function to provide the maximum record send size + A new function gnutls_record_get_max_send_size() has been added to + determine the maximum size of a TLS record to be sent to the peer. + * libgnutls: Expose a new function to update keys without sending a KeyUpdate + to the peer. A new function gnutls_handshake_update_receiving_key() + has been added to allow updating the local receiving key without + sending any KeyUpdate messages. 
+ * libgnutls: PKCS#11 cryptographic provider configuration takes a token URI + instead of a module path. To allow using a PKCS#11 module exposing + multiple tokens, the "path" configuration keyword was replaced with + the "url" keyword. + * libgnutls: Support crypto-auditing probe points + crypto-auditing is a project to monitor which cryptographic + operations are taking place in the library at run time, through + eBPF. This adds necessary probe points for that, in public key + cryptography and the TLS use-case. To enable this, run configure + with --enable-crypto-auditing. + * build: The minimum version of Nettle has been updated to 3.10 + Given Nettle 3.10 is ABI compatible with 3.6 and includes several + security relevant fixes, the library's minimum requirement of + Nettle is updated to 3.10. + * build: The default priority file path is now constructed from sysconfdir + Previously, the location of the default priority file was + hard-coded to be /etc/gnutls/config. Now it takes into account of + the --sysconfdir option given to the configure script. + * API and ABI modifications: (New functions) + - gnutls_psk_allocate_client_credentials2 + - gnutls_psk_allocate_server_credentials2 + - gnutls_record_get_max_send_size + - gnutls_handshake_update_receiving_key + - gnutls_audit_push_context + - gnutls_audit_pop_context + - gnutls_audit_current_context + * Rebased patches: + - gnutls-FIPS-140-3-references.patch + - gnutls-FIPS-TLS_KDF_selftest.patch + - gnutls-skip-pqx-test.patch + ------------------------------------------------------------------- Tue Jul 15 08:12:29 UTC 2025 - Pedro Monreal diff --git a/gnutls.spec b/gnutls.spec index 80eb688..a4a23f9 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ # # spec file for package gnutls # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # Copyright (c) 2025 Andreas Stieger # # All modifications and additions to the file contributed by third parties 
@@ -42,7 +42,7 @@ %bcond_with tpm %bcond_without leancrypto Name: gnutls -Version: 3.8.10 +Version: 3.8.11 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later 
@@ -56,30 +56,18 @@ Source3: baselibs.conf # Suppress a false positive on the .hmac file Source4: gnutls.rpmlintrc Patch0: gnutls-3.5.11-skip-trust-store-tests.patch +#PATCH-FIX-SUSE bsc#1176671 FIPS: Add TLS KDF selftest Patch1: gnutls-FIPS-TLS_KDF_selftest.patch -Patch2: gnutls-disable-flaky-test-dtls-resume.patch -# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE -Patch3: gnutls-srp-test-SIGPIPE.patch -# FIPS 140-3 patches: -#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3 -Patch100: gnutls-FIPS-140-3-references.patch #PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp -Patch101: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch +Patch2: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy -Patch102: gnutls-FIPS-jitterentropy.patch -#PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector -Patch103: gnutls-FIPS-jitterentropy-deinit-threads.patch +Patch3: gnutls-FIPS-jitterentropy.patch %endif -Patch104: gnutls-set-cligen-python-interp.patch -Patch105: gnutls-skip-pqx-test.patch -Patch106: gnutls-fips-sonames-check.patch -# PATCH-FIX-SUSE jsc#jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI -Patch107: gnutls-FIPS-disable-mac-sha1.patch -# PATCH-FIX-SUSE bsc#1237101 GNUTLS FIPS selfcheck is failing again on tumbleweed -Patch108: gnutls-FIPS-HMAC-x86_64-v3-opt.patch -# PATCH-FIX-SUSE Disable test -Patch109: gnutls-3.8.10-disable-ktls_test.patch +#PATCH-FIX-SUSE jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI +Patch4: gnutls-FIPS-disable-mac-sha1.patch +#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3 +Patch5: gnutls-FIPS-140-3-references.patch BuildRequires: autogen BuildRequires: automake BuildRequires: datefudge 
@@ -89,7 +77,7 @@ BuildRequires: gtk-doc # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present BuildRequires: iproute2 BuildRequires: libidn2-devel -BuildRequires: libnettle-devel >= 3.6 +BuildRequires: libnettle-devel >= 3.10 BuildRequires: libtasn1-devel >= 4.9 BuildRequires: libtool BuildRequires: libunistring-devel @@ -267,6 +255,9 @@ autoreconf -fiv --enable-ktls \ %{nil} +# Replace python with python3 in cligen/cli-docgen.py +[ -f cligen/cli-docgen.py ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f cligen/cli-docgen.py + %make_build %install
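Review bot: The sed command added before `%make_build` carries a stray, unquoted `$f` between the expression and the file name. It is unset here and expands to nothing, so the command works today, but it looks like a leftover from a loop, and if `f` were ever set in the build environment sed would edit that path in place as well. I would drop it: `[ -f cligen/cli-docgen.py ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" cligen/cli-docgen.py`. Note also that the `[ -f … ] &&` guard skips the shebang rewrite silently if upstream moves the script, where the removed patch would have failed to apply.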

    GNUTLS_FIPS140_DISABLED

    @@ -593,7 +593,7 @@ Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html  

    GNUTLS_FIPS140_LAX

    @@ -604,17 +604,17 @@ Index: gnutls-3.8.10/doc/reference/html/gnutls-gnutls.html application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility).