Accepting request 964661 from home:pmonrealgonzalez:branches:security:tls

- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669] * The IG 10.3.A and SP800-132 require some minimum parameters for the salt length, password length and iteration count. These parameters should be also used in the KAT. * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch - Enable to run the regression tests also in FIPS mode. * Add gnutls-FIPS-disable-failing-tests.patch OBS-URL: https://build.opensuse.org/request/show/964661 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=61
2022-03-24 12:48:13 +00:00 · 2022-03-24 12:48:13 +00:00 · 2ab102c19b
commit 2ab102c19b
parent b1e657b45b
4 changed files with 67 additions and 1 deletions
--- a/gnutls-FIPS-PBKDF2-KAT-requirements.patch
+++ b/gnutls-FIPS-PBKDF2-KAT-requirements.patch
@ -0,0 +1,21 @@
+Index: gnutls-3.7.3/lib/crypto-selftests.c
+===================================================================
+--- gnutls-3.7.3.orig/lib/crypto-selftests.c
+++ gnutls-3.7.3/lib/crypto-selftests.c
+@@ -3112,6 +3112,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
+ 		    "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
+ 		    "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+ 	},
+	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
+	{
+		STR(key, key_size, "passwordPASSWORDpassword"),
+		STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
+		.iter_count = 4096,
+		STR(output, output_size,
+		    "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
+		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
+		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
+	},
+ };
+ 
+ static int test_pbkdf2(gnutls_mac_algorithm_t mac,
--- a/gnutls-FIPS-disable-failing-tests.patch
+++ b/gnutls-FIPS-disable-failing-tests.patch
@ -0,0 +1,27 @@
+Index: gnutls-3.7.3/guile/Makefile.am
+===================================================================
+--- gnutls-3.7.3.orig/guile/Makefile.am
+++ gnutls-3.7.3/guile/Makefile.am
+@@ -102,8 +102,6 @@ endif HAVE_GUILD
+ #
+ 
+ TESTS =						\
+-  tests/anonymous-auth.scm			\
+-  tests/session-record-port.scm			\
+   tests/pkcs-import-export.scm			\
+   tests/errors.scm				\
+   tests/x509-certificates.scm			\
+Index: gnutls-3.7.3/guile/Makefile.in
+===================================================================
+--- gnutls-3.7.3.orig/guile/Makefile.in
+++ gnutls-3.7.3/guile/Makefile.in
+@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+ #
+ # Tests.
+ #
+-TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
+-	tests/pkcs-import-export.scm tests/errors.scm \
+TESTS = tests/pkcs-import-export.scm tests/errors.scm \
+ 	tests/x509-certificates.scm tests/x509-auth.scm \
+ 	tests/reauth.scm tests/priorities.scm $(am__append_2)
+ TESTS_ENVIRONMENT = \
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Mar 18 18:31:06 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
+  * The IG 10.3.A and SP800-132 require some minimum parameters for
+    the salt length, password length and iteration count. These
+    parameters should be also used in the KAT.
+  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
+- Enable to run the regression tests also in FIPS mode.
+
 -------------------------------------------------------------------
 Fri Mar 18 08:59:49 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

@ -115,6 +125,7 @@ Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

 - FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
+  * Add gnutls-FIPS-disable-failing-tests.patch
  * Remove patches:
    - gnutls-temporarily_disable_broken_guile_reauth_test.patch
    - disable-psk-file-test.patch
--- a/gnutls.spec
+++ b/gnutls.spec
@ -47,6 +47,9 @@ Source3:        baselibs.conf
 Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
 Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
+Patch3:         gnutls-FIPS-disable-failing-tests.patch
+#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
+Patch4:         gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@ -263,11 +266,15 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls

 %check
 %if ! 0%{?qemu_user_space_build}
-# export GNUTLS_FORCE_FIPS_MODE=1
 make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
    find -name test-suite.log -print -exec cat {} +
    exit 1
 }
+#Run the regression tests also in FIPS mode
+GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+    find -name test-suite.log -print -exec cat {} +
+    exit 1
+}
 %endif

 %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig