Pedro Monreal Gonzalez
a4ac49a50a
- jitterentropy: Release the memory of the entropy collector when
using jitterentropy with phtreads as there is also a
pre-intitization done in the main thread. [bsc#1221242]
* Add gnutls-FIPS-jitterentropy-deinit-threads.patch
- Update to 3.8.4:
* libgnutls: RSA-OAEP encryption scheme is now supported
To use it with an unrestricted RSA private key, one would need to
initialize a gnutls_x509_spki_t object with necessary parameters
for RSA-OAEP and attach it to the private key. It is also possible
to import restricted private keys if they are stored in PKCS#8
format.
* libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516).
[GNUTLS-SA-2023-12-04, CVSS: medium] [bsc#1221746, CVE-2024-28834]
* libgnutls: Fixed a bug where certtool crashed when verifying a
certificate chain with more than 16 certificates. Reported by
William Woodruff (#1525) and yixiangzhike (#1527).
[GNUTLS-SA-2024-01-23, CVSS: medium] [bsc#1221747, CVE-2024-28835]
* libgnutls: Compression libraries are now loaded dynamically as needed
instead of all being loaded during gnutls library initialization.
As a result, the library initialization should be faster.
* build: The gnutls library can now be linked with the static library
of GMP. Note that in order for this to work libgmp.a needs to be
compiled with -fPIC and libhogweed in Nettle also has to be linked
to the static library of GMP. This can be used to prevent custom
memory allocators from being overriden by other applications.
* API and ABI modifications:
- gnutls_x509_spki_get_rsa_oaep_params: New function.
- gnutls_x509_spki_set_rsa_oaep_params: New function.
OBS-URL: https://build.opensuse.org/request/show/1161324
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=107
118 lines
3.6 KiB
Diff
118 lines
3.6 KiB
Diff
Index: gnutls-3.8.4/lib/fips.c
|
|
===================================================================
|
|
--- gnutls-3.8.4.orig/lib/fips.c
|
|
+++ gnutls-3.8.4/lib/fips.c
|
|
@@ -175,20 +175,32 @@ struct hmac_entry {
|
|
struct hmac_file {
|
|
int version;
|
|
struct hmac_entry gnutls;
|
|
+#if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
struct hmac_entry nettle;
|
|
struct hmac_entry hogweed;
|
|
#ifdef GMP_LIBRARY_SONAME
|
|
struct hmac_entry gmp;
|
|
#endif
|
|
+#endif
|
|
};
|
|
|
|
struct lib_paths {
|
|
char gnutls[GNUTLS_PATH_MAX];
|
|
+#if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
char nettle[GNUTLS_PATH_MAX];
|
|
char hogweed[GNUTLS_PATH_MAX];
|
|
#ifdef GMP_LIBRARY_SONAME
|
|
char gmp[GNUTLS_PATH_MAX];
|
|
#endif
|
|
+#endif
|
|
};
|
|
|
|
/*
|
|
@@ -248,6 +252,11 @@ static int handler(void *user, const cha
|
|
}
|
|
} else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
|
|
return lib_handler(&p->gnutls, section, name, value);
|
|
+#if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
} else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
|
|
return lib_handler(&p->nettle, section, name, value);
|
|
} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
|
|
@@ -256,6 +265,7 @@ static int handler(void *user, const cha
|
|
} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
|
|
return lib_handler(&p->gmp, section, name, value);
|
|
#endif
|
|
+#endif
|
|
} else {
|
|
return 0;
|
|
}
|
|
@@ -401,6 +411,11 @@ static int callback(struct dl_phdr_info
|
|
|
|
if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
|
|
_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
|
|
+#if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
|
|
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
|
|
else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
|
|
@@ -409,6 +424,7 @@ static int callback(struct dl_phdr_info
|
|
else if (!strcmp(soname, GMP_LIBRARY_SONAME))
|
|
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
|
|
#endif
|
|
+#endif
|
|
return 0;
|
|
}
|
|
|
|
@@ -421,6 +437,11 @@ static int load_lib_paths(struct lib_pat
|
|
_gnutls_debug_log("Gnutls library path was not found\n");
|
|
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
|
}
|
|
+#if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
if (paths->nettle[0] == '\0') {
|
|
_gnutls_debug_log("Nettle library path was not found\n");
|
|
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
|
@@ -435,6 +456,7 @@ static int load_lib_paths(struct lib_pat
|
|
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
|
|
}
|
|
#endif
|
|
+#endif
|
|
|
|
return GNUTLS_E_SUCCESS;
|
|
}
|
|
@@ -481,6 +503,11 @@ static int check_binary_integrity(void)
|
|
ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
|
|
if (ret < 0)
|
|
return ret;
|
|
+# if 0
|
|
+ /* Disable nettle, hogweed and gmp HMAC verification as
|
|
+ * they are calculated during build of the respective
|
|
+ * packages and can differ from the ones listed here.
|
|
+ */
|
|
ret = check_lib_hmac(&hmac.nettle, paths.nettle);
|
|
if (ret < 0)
|
|
return ret;
|
|
@@ -492,6 +519,7 @@ static int check_binary_integrity(void)
|
|
if (ret < 0)
|
|
return ret;
|
|
#endif
|
|
+#endif
|
|
|
|
return 0;
|
|
}
|