rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Accepting request 1189560 from security:tls

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1189560
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=156
This commit is contained in:
Dominique Leuenberger 2024-07-26 14:14:59 +00:00 committed by Git OBS Bridge
commit 2f495ab11a
8 changed files with 220 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.8.5.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:66269a2cfe0e1c2dabec87bdbbd8ab656f396edd9a40dd006978e003cfa52bfc
size 6491504

BIN
gnutls-3.8.5.tar.xz.sig
View File

Binary file not shown.

3
gnutls-3.8.6.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2e1588aae53cb32d43937f1f4eca28febd9c0c7aa1734fc5dd61a7e81e0ebcdd
size 6517476

BIN
gnutls-3.8.6.tar.xz.sig Normal file
View File

Binary file not shown.

356
gnutls-FIPS-140-3-references.patch
View File

@ -1,7 +1,7 @@
Index: gnutls-3.8.5/configure.ac
Index: gnutls-3.8.6/configure.ac
===================================================================
--- gnutls-3.8.5.orig/configure.ac
+++ gnutls-3.8.5/configure.ac
--- gnutls-3.8.6.orig/configure.ac
+++ gnutls-3.8.6/configure.ac
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
@ -25,10 +25,10 @@ Index: gnutls-3.8.5/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]),
Index: gnutls-3.8.5/doc/cha-gtls-app.texi
Index: gnutls-3.8.6/doc/cha-gtls-app.texi
===================================================================
--- gnutls-3.8.5.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.5/doc/cha-gtls-app.texi
--- gnutls-3.8.6.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.6/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize
@ -38,10 +38,10 @@ Index: gnutls-3.8.5/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement.
@end multitable
Index: gnutls-3.8.5/doc/cha-internals.texi
Index: gnutls-3.8.6/doc/cha-internals.texi
===================================================================
--- gnutls-3.8.5.orig/doc/cha-internals.texi
+++ gnutls-3.8.5/doc/cha-internals.texi
--- gnutls-3.8.6.orig/doc/cha-internals.texi
+++ gnutls-3.8.6/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling::
* Cryptographic Backend::
@ -162,11 +162,11 @@ Index: gnutls-3.8.5/doc/cha-internals.texi
operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with
Index: gnutls-3.8.5/doc/enums.texi
Index: gnutls-3.8.6/doc/enums.texi
===================================================================
--- gnutls-3.8.5.orig/doc/enums.texi
+++ gnutls-3.8.5/doc/enums.texi
@@ -1190,7 +1190,7 @@ application traffic secret is installed
--- gnutls-3.8.6.orig/doc/enums.texi
+++ gnutls-3.8.6/doc/enums.texi
@@ -1192,7 +1192,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t
@table @code
@item GNUTLS_@-FIPS140_@-DISABLED
@ -175,7 +175,7 @@ Index: gnutls-3.8.5/doc/enums.texi
@item GNUTLS_@-FIPS140_@-STRICT
The default mode; all forbidden operations will cause an
operation failure via error code.
@@ -1198,8 +1198,8 @@ operation failure via error code.
@@ -1200,8 +1200,8 @@ operation failure via error code.
A transient state during library initialization. That state
cannot be set or seen by applications.
@item GNUTLS_@-FIPS140_@-LAX
@ -186,10 +186,10 @@ Index: gnutls-3.8.5/doc/enums.texi
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.5/doc/functions/gnutls_fips140_set_mode
Index: gnutls-3.8.6/doc/functions/gnutls_fips140_set_mode
===================================================================
--- gnutls-3.8.5.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.5/doc/functions/gnutls_fips140_set_mode
--- gnutls-3.8.6.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.6/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@
@ -215,10 +215,10 @@ Index: gnutls-3.8.5/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.5/doc/gnutls.html
Index: gnutls-3.8.6/doc/gnutls.html
===================================================================
--- gnutls-3.8.5.orig/doc/gnutls.html
+++ gnutls-3.8.5/doc/gnutls.html
--- gnutls-3.8.6.orig/doc/gnutls.html
+++ gnutls-3.8.6/doc/gnutls.html
@@ -485,7 +485,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
@ -228,7 +228,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</ul></li>
<li><a id="toc-Upgrading-from-previous-versions-1" href="#Upgrading-from-previous-versions">Appendix A Upgrading from previous versions</a></li>
<li><a id="toc-Support-1" href="#Support">Appendix B Support</a>
@@ -9045,7 +9045,7 @@ CPU. The currently available options are
@@ -9046,7 +9046,7 @@ CPU. The currently available options are
</li><li>0x200000: Enable VIA PHE
</li><li>0x400000: Enable VIA PHE SHA512
</li></ul></td></tr>
@ -237,7 +237,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
if set to one it will force the FIPS mode enablement.</td></tr>
</tbody>
</table>
@@ -18477,7 +18477,7 @@ None:
@@ -18481,7 +18481,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@ -246,7 +246,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
@@ -19499,7 +19499,7 @@ happens inside the black box.
@@ -19503,7 +19503,7 @@ happens inside the black box.
<li><a href="#TLS-Hello-Extension-Handling" accesskey="4">TLS Extension Handling</a></li>
<li><a href="#Cryptographic-Backend" accesskey="5">Cryptographic Backend</a></li>
<li><a href="#Random-Number-Generators_002dinternals" accesskey="6">Random Number Generators</a></li>
@ -255,7 +255,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</ul>
<hr>
<div class="section-level-extent" id="The-TLS-Protocol">
@@ -20028,7 +20028,7 @@ For more information see <a class="ref"
@@ -20032,7 +20032,7 @@ For more information see <a class="ref"
<div class="section-level-extent" id="Random-Number-Generators_002dinternals">
<div class="nav-panel">
<p>
@ -264,7 +264,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</div>
<h3 class="section" id="Random-Number-Generators">11.6 Random Number Generators</h3>
@@ -20036,7 +20036,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
@@ -20040,7 +20040,7 @@ Next: <a href="#FIPS140_002d2-mode" acce
<p>GnuTLS provides two random generators. The default, and the AES-DRBG random
generator which is only used when the library is compiled with support for
@ -273,7 +273,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</p>
<h4 class="subheading" id="The-default-generator-_002d-inner-workings">The default generator - inner workings</h4>
@@ -20173,22 +20173,22 @@ on the above paragraph, all levels are i
@@ -20177,22 +20177,22 @@ on the above paragraph, all levels are i
<p>
Previous: <a href="#Random-Number-Generators_002dinternals" accesskey="p" rel="prev">Random Number Generators</a>, Up: <a href="#Internal-architecture-of-GnuTLS" accesskey="u" rel="up">Internal Architecture of GnuTLS</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
@ -302,7 +302,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
as follows.
</p>
<ul class="itemize mark-bullet">
@@ -20197,12 +20197,12 @@ as follows.
@@ -20201,12 +20201,12 @@ as follows.
</li><li>Algorithm self-tests are run on library load
</li></ul>
@ -318,7 +318,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</li><li>Any cryptographic operation will be refused if any of the self-tests failed
</li></ul>
@@ -20211,7 +20211,7 @@ modified as follows.
@@ -20215,7 +20215,7 @@ modified as follows.
environment variable <code class="code">GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS</code> will disable
the library integrity tests on startup, and the variable
<code class="code">GNUTLS_FORCE_FIPS_MODE</code> can be set to force a value from
@ -327,7 +327,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
mode, while &rsquo;0&rsquo; will disable it.
</p>
<p>The integrity checks for the dependent libraries and GnuTLS are performed
@@ -20219,13 +20219,13 @@ using &rsquo;.hmac&rsquo; files which ar
@@ -20223,13 +20223,13 @@ using &rsquo;.hmac&rsquo; files which ar
key for the operations can be provided on compile-time with the configure
option &rsquo;&ndash;with-fips140-key&rsquo;. The MAC algorithm used is HMAC-SHA256.
</p>
@ -344,7 +344,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
the application can relax these requirements via <a class="ref" href="#gnutls_005ffips140_005fset_005fmode">gnutls_fips140_set_mode</a>
which can switch to alternative modes as in <a class="ref" href="#gnutls_005ffips_005fmode_005ft">Figure 11.5</a>.
</p>
@@ -20234,7 +20234,7 @@ which can switch to alternative modes as
@@ -20238,7 +20238,7 @@ which can switch to alternative modes as
<dl class="table">
<dt><code class="code">GNUTLS_FIPS140_DISABLED</code></dt>
@ -353,7 +353,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_STRICT</code></dt>
<dd><p>The default mode; all forbidden operations will cause an
@@ -20245,8 +20245,8 @@ operation failure via error code.
@@ -20249,8 +20249,8 @@ operation failure via error code.
cannot be set or seen by applications.
</p></dd>
<dt><code class="code">GNUTLS_FIPS140_LAX</code></dt>
@ -364,7 +364,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
</p></dd>
@@ -20258,7 +20258,7 @@ to a message to the audit callback funct
@@ -20262,7 +20262,7 @@ to a message to the audit callback funct
<div class="caption"><p><strong class="strong">Figure 11.5: </strong>The <code class="code">gnutls_fips_mode_t</code> enumeration.</p></div></div>
<p>The intention of this API is to be used by applications which may run in
@ -373,7 +373,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
e.g., for non-security related purposes. In these cases applications should
wrap the non-compliant code within blocks like the following.
</p>
@@ -20287,9 +20287,9 @@ if (gnutls_fips140_mode_enabled())
@@ -20291,9 +20291,9 @@ if (gnutls_fips140_mode_enabled())
<p>The reason of the <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> flag in the
previous calls is to localize the change in the mode. Note also, that
such a block has no effect when the library is not operating
@ -385,7 +385,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</p><div class="example">
<pre class="example-preformatted">gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
</pre></div>
@@ -20312,7 +20312,7 @@ performed within a given context.
@@ -20316,7 +20316,7 @@ performed within a given context.
<dt><code class="code"><var class="var">int</var> <a class="ref" href="#gnutls_005ffips140_005fpop_005fcontext">gnutls_fips140_pop_context</a> ( <var class="var">void</var>)</code></dt>
</dl>
@ -394,7 +394,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
operation. It can be attached to the current execution thread with
<a class="ref" href="#gnutls_005ffips140_005fpush_005fcontext">gnutls_fips140_push_context</a> and its internal state will be
updated until it is detached with
@@ -20685,8 +20685,8 @@ Previous: <a href="#Contributing" access
@@ -20689,8 +20689,8 @@ Previous: <a href="#Contributing" access
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
</p>
@ -405,7 +405,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</p>
<hr>
</div>
@@ -24602,7 +24602,7 @@ unusable. This function is not thread-s
@@ -24607,7 +24607,7 @@ unusable. This function is not thread-s
<h4 class="subheading" id="gnutls_005ffips140_005fset_005fmode-1">gnutls_fips140_set_mode</h4>
<a class="anchor" id="gnutls_005ffips140_005fset_005fmode"></a><dl class="first-deftypefn first-deftypefun-alias-first-deftypefn">
<dt class="deftypefn deftypefun-alias-deftypefn" id="index-gnutls_005ffips140_005fset_005fmode"><span class="category-def">Function: </span><span><code class="def-type">void</code> <strong class="def-name">gnutls_fips140_set_mode</strong> <code class="def-code-arguments">(gnutls_fips_mode_t <var class="var">mode</var>, unsigned <var class="var">flags</var>)</code><a class="copiable-link" href='#index-gnutls_005ffips140_005fset_005fmode'> &para;</a></span></dt>
@ -414,7 +414,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
</p>
<p><var class="var">flags</var>: should be zero or <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code>
</p>
@@ -24611,13 +24611,13 @@ unusable. This function is not thread-s
@@ -24616,13 +24616,13 @@ unusable. This function is not thread-s
behavior with no flags after threads are created is undefined.
</p>
<p>When the flag <code class="code">GNUTLS_FIPS140_SET_MODE_THREAD</code> is specified
@ -430,7 +430,7 @@ Index: gnutls-3.8.5/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p>
@@ -46996,7 +46996,7 @@ Next: <a href="#Concept-Index" accesskey
@@ -47043,7 +47043,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@ -439,11 +439,11 @@ Index: gnutls-3.8.5/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.5/doc/gnutls.info-3
Index: gnutls-3.8.6/doc/gnutls.info-3
===================================================================
--- gnutls-3.8.5.orig/doc/gnutls.info-3
+++ gnutls-3.8.5/doc/gnutls.info-3
@@ -2262,7 +2262,7 @@ to more. Both will exit with a st
--- gnutls-3.8.6.orig/doc/gnutls.info-3
+++ gnutls-3.8.6/doc/gnutls.info-3
@@ -2264,7 +2264,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
- file must pre-exist
@ -452,7 +452,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
@@ -3415,7 +3415,7 @@ to know what happens inside the black bo
@@ -3417,7 +3417,7 @@ to know what happens inside the black bo
* TLS Hello Extension Handling::
* Cryptographic Backend::
* Random Number Generators-internals::
@ -461,7 +461,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3

File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
@@ -3947,7 +3947,7 @@ and abstract key types::.
@@ -3949,7 +3949,7 @@ and abstract key types::.
kernel implementation of /dev/crypto.

@ -470,7 +470,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
11.6 Random Number Generators
=============================
@@ -3957,7 +3957,7 @@ About the generators
@@ -3959,7 +3959,7 @@ About the generators
GnuTLS provides two random generators. The default, and the AES-DRBG
random generator which is only used when the library is compiled with
@ -479,7 +479,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
The default generator - inner workings
--------------------------------------
@@ -4189,7 +4189,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
@@ -4191,7 +4191,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
Figure 11.5: The gnutls_fips_mode_t enumeration.
The intention of this API is to be used by applications which may run in
@ -488,7 +488,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
set, e.g., for non-security related purposes. In these cases
applications should wrap the non-compliant code within blocks like the
following.
@@ -4213,10 +4213,10 @@ are macros to simplify the following seq
@@ -4215,10 +4215,10 @@ are macros to simplify the following seq
The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous
calls is to localize the change in the mode. Note also, that such a
@ -501,7 +501,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
Service indicator
@@ -4698,8 +4698,8 @@ There are certifications from national o
@@ -4700,8 +4700,8 @@ There are certifications from national o
practices, such as unit testing and reliance on well known crypto
primitives.
@ -512,7 +512,7 @@ Index: gnutls-3.8.5/doc/gnutls.info-3

File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9169,7 +9169,7 @@ gnutls_fips140_set_mode
@@ -9172,7 +9172,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS)
@ -521,10 +521,10 @@ Index: gnutls-3.8.5/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.5/doc/invoke-gnutls-cli.texi
Index: gnutls-3.8.6/doc/invoke-gnutls-cli.texi
===================================================================
--- gnutls-3.8.5.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.5/doc/invoke-gnutls-cli.texi
--- gnutls-3.8.6.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.6/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library
@ -534,10 +534,10 @@ Index: gnutls-3.8.5/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.5/doc/manpages/gnutls-cli.1
Index: gnutls-3.8.6/doc/manpages/gnutls-cli.1
===================================================================
--- gnutls-3.8.5.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.5/doc/manpages/gnutls-cli.1
--- gnutls-3.8.6.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.6/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf
.TP
@ -547,10 +547,10 @@ Index: gnutls-3.8.5/doc/manpages/gnutls-cli.1
.sp
.TP
.NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
Index: gnutls-3.8.6/doc/reference/html/gnutls-gnutls.html
===================================================================
--- gnutls-3.8.5.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
--- gnutls-3.8.6.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.6/doc/reference/html/gnutls-gnutls.html
@@ -20870,12 +20870,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p>
@ -575,7 +575,7 @@ Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
<td class="parameter_annotations"> </td>
</tr>
<tr>
@@ -25915,7 +25915,7 @@ encryption</p>
@@ -25920,7 +25920,7 @@ encryption</p>
<hr>
<div class="refsect2">
<a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@ -584,7 +584,7 @@ Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
<div class="refsect3">
<a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
<div class="informaltable"><table class="informaltable" width="100%" border="0">
@@ -25928,7 +25928,7 @@ encryption</p>
@@ -25933,7 +25933,7 @@ encryption</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
<td class="enum_member_description">
@ -593,7 +593,7 @@ Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
</td>
<td class="enum_member_annotations"> </td>
</tr>
@@ -25951,8 +25951,8 @@ operation failure via error code.</p>
@@ -25956,8 +25956,8 @@ operation failure via error code.</p>
<tr>
<td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
<td class="enum_member_description">
@ -604,17 +604,17 @@ Index: gnutls-3.8.5/doc/reference/html/gnutls-gnutls.html
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).</p>
</td>
@@ -27592,4 +27592,4 @@ This is used by <a class="link" href="gn
@@ -27597,4 +27597,4 @@ This is used by <a class="link" href="gn
<div class="footer">
<hr>Generated by GTK-Doc V1.33.1</div>
</body>
-</html>
\ No newline at end of file
+</html>
Index: gnutls-3.8.5/lib/fips.c
Index: gnutls-3.8.6/lib/fips.c
===================================================================
--- gnutls-3.8.5.orig/lib/fips.c
+++ gnutls-3.8.5/lib/fips.c
--- gnutls-3.8.6.orig/lib/fips.c
+++ gnutls-3.8.6/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
}
@ -633,7 +633,7 @@ Index: gnutls-3.8.5/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS;
goto exit;
}
@@ -712,7 +712,7 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -722,7 +722,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/**
* gnutls_fips140_set_mode:
@ -642,7 +642,7 @@ Index: gnutls-3.8.5/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
*
* That function is not thread-safe when changing the mode with no flags
@@ -720,13 +720,13 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -730,13 +730,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined.
*
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@ -658,7 +658,7 @@ Index: gnutls-3.8.5/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode.
*
@@ -738,10 +738,10 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -748,10 +748,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) {
@ -671,7 +671,7 @@ Index: gnutls-3.8.5/lib/fips.c
return;
}
@@ -754,7 +754,7 @@ void gnutls_fips140_set_mode(gnutls_fips
@@ -764,7 +764,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log(
NULL,
@ -680,7 +680,7 @@ Index: gnutls-3.8.5/lib/fips.c
mode = GNUTLS_FIPS140_STRICT;
break;
default:
@@ -930,7 +930,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -940,7 +940,7 @@ void _gnutls_switch_fips_state(gnutls_fi
}
if (!_tfips_context) {
@ -689,7 +689,7 @@ Index: gnutls-3.8.5/lib/fips.c
return;
}
@@ -944,7 +944,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -954,7 +954,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -698,7 +698,7 @@ Index: gnutls-3.8.5/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -955,7 +955,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -965,7 +965,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -707,7 +707,7 @@ Index: gnutls-3.8.5/lib/fips.c
operation_state_to_string(state));
}
_tfips_context->state = state;
@@ -967,7 +967,7 @@ void _gnutls_switch_fips_state(gnutls_fi
@@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log(
NULL,
@ -716,7 +716,7 @@ Index: gnutls-3.8.5/lib/fips.c
operation_state_to_string(
_tfips_context->state),
operation_state_to_string(state));
@@ -1029,7 +1029,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1039,7 +1039,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL,
@ -725,7 +725,7 @@ Index: gnutls-3.8.5/lib/fips.c
} else {
/* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state);
@@ -1041,7 +1041,7 @@ int gnutls_fips140_run_self_tests(void)
@@ -1051,7 +1051,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(
@ -734,11 +734,11 @@ Index: gnutls-3.8.5/lib/fips.c
}
gnutls_fips140_context_deinit(fips_context);
}
Index: gnutls-3.8.5/lib/fips.h
Index: gnutls-3.8.6/lib/fips.h
===================================================================
--- gnutls-3.8.5.orig/lib/fips.h
+++ gnutls-3.8.5/lib/fips.h
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
--- gnutls-3.8.6.orig/lib/fips.h
+++ gnutls-3.8.6/lib/fips.h
@@ -163,7 +163,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
}
#ifdef ENABLE_FIPS140
@ -747,7 +747,7 @@ Index: gnutls-3.8.5/lib/fips.h
* and return an error if necessary or ignore */
#define FIPS_RULE(condition, ret_error, ...) \
{ \
@@ -170,10 +170,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
@@ -173,10 +173,10 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
if (_mode == GNUTLS_FIPS140_LOG) { \
_gnutls_audit_log( \
NULL, \
@ -760,7 +760,7 @@ Index: gnutls-3.8.5/lib/fips.h
return ret_error; \
} \
} \
@@ -188,7 +188,7 @@ inline static bool is_mac_algo_allowed(g
@@ -191,7 +191,7 @@ inline static bool is_mac_algo_allowed(g
switch (mode) {
case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL,
@ -769,7 +769,7 @@ Index: gnutls-3.8.5/lib/fips.h
gnutls_mac_get_name(algo));
FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED:
@@ -210,7 +210,7 @@ inline static bool is_cipher_algo_allowe
@@ -213,7 +213,7 @@ inline static bool is_cipher_algo_allowe
switch (mode) {
case GNUTLS_FIPS140_LOG:
_gnutls_audit_log(NULL,
@ -778,10 +778,10 @@ Index: gnutls-3.8.5/lib/fips.h
gnutls_cipher_get_name(algo));
FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.5/lib/global.c
Index: gnutls-3.8.6/lib/global.c
===================================================================
--- gnutls-3.8.5.orig/lib/global.c
+++ gnutls-3.8.5/lib/global.c
--- gnutls-3.8.6.orig/lib/global.c
+++ gnutls-3.8.6/lib/global.c
@@ -338,12 +338,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140
@ -815,11 +815,11 @@ Index: gnutls-3.8.5/lib/global.c
if (res != 2) {
gnutls_assert();
goto out;
Index: gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
Index: gnutls-3.8.6/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.8.5.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
@@ -3201,16 +3201,16 @@ typedef int (*gnutls_alert_read_func)(gn
--- gnutls-3.8.6.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.6/lib/includes/gnutls/gnutls.h.in
@@ -3203,16 +3203,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func);
@ -840,7 +840,7 @@ Index: gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
* application is aware of the followed security policy, and needs
* to utilize disallowed operations for other reasons (e.g., compatibility).
* @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
@@ -3218,7 +3218,7 @@ unsigned gnutls_fips140_mode_enabled(voi
@@ -3220,7 +3220,7 @@ unsigned gnutls_fips140_mode_enabled(voi
* @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
* cannot be set or seen by applications.
*
@ -849,10 +849,10 @@ Index: gnutls-3.8.5/lib/includes/gnutls/gnutls.h.in
*/
typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.5/src/cli.c
Index: gnutls-3.8.6/src/cli.c
===================================================================
--- gnutls-3.8.5.orig/src/cli.c
+++ gnutls-3.8.5/src/cli.c
--- gnutls-3.8.6.orig/src/cli.c
+++ gnutls-3.8.6/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) {
@ -866,10 +866,10 @@ Index: gnutls-3.8.5/src/cli.c
exit(1);
}
Index: gnutls-3.8.5/src/gnutls-cli-options.c
Index: gnutls-3.8.6/src/gnutls-cli-options.c
===================================================================
--- gnutls-3.8.5.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.5/src/gnutls-cli-options.c
--- gnutls-3.8.6.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.6/src/gnutls-cli-options.c
@@ -810,7 +810,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n"
@ -879,10 +879,10 @@ Index: gnutls-3.8.5/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.5/tests/cert-tests/gost.sh
Index: gnutls-3.8.6/tests/cert-tests/gost.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.5/tests/cert-tests/gost.sh
--- gnutls-3.8.6.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.6/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -892,10 +892,10 @@ Index: gnutls-3.8.5/tests/cert-tests/gost.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-corner-cases.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs12-corner-cases.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-corner-cases.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -905,10 +905,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs12-corner-cases.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-encode.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs12-encode.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-encode.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -918,10 +918,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs12-encode.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs12-gost.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs12-gost.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12-gost.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -931,10 +931,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs12-gost.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs12.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs12.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs12.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -944,10 +944,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs12.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-decode.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs8-decode.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-decode.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -957,10 +957,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs8-decode.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-eddsa.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs8-eddsa.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-eddsa.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -970,10 +970,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs8-eddsa.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs8-gost.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs8-gost.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8-gost.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -983,10 +983,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs8-gost.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cert-tests/pkcs8.sh
Index: gnutls-3.8.6/tests/cert-tests/pkcs8.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.5/tests/cert-tests/pkcs8.sh
--- gnutls-3.8.6.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.6/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi
@ -996,10 +996,10 @@ Index: gnutls-3.8.5/tests/cert-tests/pkcs8.sh
exit 77
fi
Index: gnutls-3.8.5/tests/cipher-listings.sh
Index: gnutls-3.8.6/tests/cipher-listings.sh
===================================================================
--- gnutls-3.8.5.orig/tests/cipher-listings.sh
+++ gnutls-3.8.5/tests/cipher-listings.sh
--- gnutls-3.8.6.orig/tests/cipher-listings.sh
+++ gnutls-3.8.6/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.5/tests/cipher-listings.sh
exit 77
fi
Index: gnutls-3.8.5/tests/testpkcs11.sh
Index: gnutls-3.8.6/tests/testpkcs11.sh
===================================================================
--- gnutls-3.8.5.orig/tests/testpkcs11.sh
+++ gnutls-3.8.5/tests/testpkcs11.sh
--- gnutls-3.8.6.orig/tests/testpkcs11.sh
+++ gnutls-3.8.6/tests/testpkcs11.sh
@@ -26,7 +26,7 @@
RETCODE=0
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.5/tests/testpkcs11.sh
exit 77
fi
Index: gnutls-3.8.5/doc/enums/gnutls_fips_mode_t
Index: gnutls-3.8.6/doc/enums/gnutls_fips_mode_t
===================================================================
--- gnutls-3.8.5.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.5/doc/enums/gnutls_fips_mode_t
--- gnutls-3.8.6.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.6/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@
@c gnutls_fips_mode_t
@table @code
@ -1046,10 +1046,10 @@ Index: gnutls-3.8.5/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.5/doc/gnutls-api.texi
Index: gnutls-3.8.6/doc/gnutls-api.texi
===================================================================
--- gnutls-3.8.5.orig/doc/gnutls-api.texi
+++ gnutls-3.8.5/doc/gnutls-api.texi
--- gnutls-3.8.6.orig/doc/gnutls-api.texi
+++ gnutls-3.8.6/doc/gnutls-api.texi
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode}
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.5/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.5/lib/ext/session_ticket.c
Index: gnutls-3.8.6/lib/ext/session_ticket.c
===================================================================
--- gnutls-3.8.5.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.5/lib/ext/session_ticket.c
--- gnutls-3.8.6.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.6/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{
if (_gnutls_fips_mode_enabled()) {
@ -1088,11 +1088,11 @@ Index: gnutls-3.8.5/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not
* used. These limits do not affect this function as
* it does not generate a "key" but rather key material
Index: gnutls-3.8.5/lib/libgnutls.map
Index: gnutls-3.8.6/lib/libgnutls.map
===================================================================
--- gnutls-3.8.5.orig/lib/libgnutls.map
+++ gnutls-3.8.5/lib/libgnutls.map
@@ -1450,7 +1450,7 @@ GNUTLS_FIPS140_3_4 {
--- gnutls-3.8.6.orig/lib/libgnutls.map
+++ gnutls-3.8.6/lib/libgnutls.map
@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test;
gnutls_tlsprf_self_test;
@ -1101,11 +1101,11 @@ Index: gnutls-3.8.5/lib/libgnutls.map
drbg_aes_reseed;
drbg_aes_init;
drbg_aes_generate;
Index: gnutls-3.8.5/lib/nettle/mac.c
Index: gnutls-3.8.6/lib/nettle/mac.c
===================================================================
--- gnutls-3.8.5.orig/lib/nettle/mac.c
+++ gnutls-3.8.5/lib/nettle/mac.c
@@ -264,7 +264,7 @@ static void _wrap_gmac_digest(void *_ctx
--- gnutls-3.8.6.orig/lib/nettle/mac.c
+++ gnutls-3.8.6/lib/nettle/mac.c
@@ -270,7 +270,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx)
{
@ -1114,7 +1114,7 @@ Index: gnutls-3.8.5/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */
ctx->set_nonce = NULL;
@@ -650,7 +650,7 @@ static void _md5_sha1_digest(void *_ctx,
@@ -663,7 +663,7 @@ static void _md5_sha1_init(void *_ctx)
static int _ctx_init(gnutls_digest_algorithm_t algo,
struct nettle_hash_ctx *ctx)
{
@ -1123,10 +1123,10 @@ Index: gnutls-3.8.5/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) {
case GNUTLS_DIG_MD5:
Index: gnutls-3.8.5/config.h.in
Index: gnutls-3.8.6/config.h.in
===================================================================
--- gnutls-3.8.5.orig/config.h.in
+++ gnutls-3.8.5/config.h.in
--- gnutls-3.8.6.orig/config.h.in
+++ gnutls-3.8.6/config.h.in
@@ -82,7 +82,7 @@
/* enable DHE */
#undef ENABLE_ECDHE
@ -1145,11 +1145,11 @@ Index: gnutls-3.8.5/config.h.in
#undef FIPS_KEY
/* The FIPS140 module name */
Index: gnutls-3.8.5/configure
Index: gnutls-3.8.6/configure
===================================================================
--- gnutls-3.8.5.orig/configure
+++ gnutls-3.8.5/configure
@@ -3832,7 +3832,7 @@ Optional Features:
--- gnutls-3.8.6.orig/configure
+++ gnutls-3.8.6/configure
@@ -3834,7 +3834,7 @@ Optional Features:
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.5/configure
--enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves
disable curves not in SuiteB
Index: gnutls-3.8.5/doc/cha-support.texi
Index: gnutls-3.8.6/doc/cha-support.texi
===================================================================
--- gnutls-3.8.5.orig/doc/cha-support.texi
+++ gnutls-3.8.5/doc/cha-support.texi
--- gnutls-3.8.6.orig/doc/cha-support.texi
+++ gnutls-3.8.6/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives.
@ -1170,23 +1170,23 @@ Index: gnutls-3.8.5/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.5/doc/gnutls.info
Index: gnutls-3.8.6/doc/gnutls.info
===================================================================
--- gnutls-3.8.5.orig/doc/gnutls.info
+++ gnutls-3.8.5/doc/gnutls.info
@@ -620,7 +620,7 @@ Ref: fig-crypto-layers745475
Ref: Cryptographic Backend-Footnote-1748787
Ref: Cryptographic Backend-Footnote-2748872
Node: Random Number Generators-internals748984
-Node: FIPS140-2 mode756454
+Node: FIPS140-3 mode756454
Ref: gnutls_fips_mode_t759152
Node: Upgrading from previous versions762821
Node: Support777063
Index: gnutls-3.8.5/src/gnutls-cli-options.json
--- gnutls-3.8.6.orig/doc/gnutls.info
+++ gnutls-3.8.6/doc/gnutls.info
@@ -620,7 +620,7 @@ Ref: fig-crypto-layers745654
Ref: Cryptographic Backend-Footnote-1748966
Ref: Cryptographic Backend-Footnote-2749051
Node: Random Number Generators-internals749163
-Node: FIPS140-2 mode756633
+Node: FIPS140-3 mode756633
Ref: gnutls_fips_mode_t759331
Node: Upgrading from previous versions763000
Node: Support777242
Index: gnutls-3.8.6/src/gnutls-cli-options.json
===================================================================
--- gnutls-3.8.5.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.5/src/gnutls-cli-options.json
--- gnutls-3.8.6.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.6/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@
},
{
@ -1196,10 +1196,10 @@ Index: gnutls-3.8.5/src/gnutls-cli-options.json
},
{
"long-option": "list-config",
Index: gnutls-3.8.5/tests/pkcs11-tool.sh
Index: gnutls-3.8.6/tests/pkcs11-tool.sh
===================================================================
--- gnutls-3.8.5.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.5/tests/pkcs11-tool.sh
--- gnutls-3.8.6.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.6/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x
: ${DIFF=diff}
@ -1209,10 +1209,10 @@ Index: gnutls-3.8.5/tests/pkcs11-tool.sh
exit 77
fi
Index: gnutls-3.8.5/doc/manpages/gnutls_fips140_set_mode.3
Index: gnutls-3.8.6/doc/manpages/gnutls_fips140_set_mode.3
===================================================================
--- gnutls-3.8.5.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.5/doc/manpages/gnutls_fips140_set_mode.3
--- gnutls-3.8.6.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.6/doc/manpages/gnutls_fips140_set_mode.3
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
.BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
.SH ARGUMENTS

38
gnutls-FIPS-jitterentropy.patch
View File

@ -1,7 +1,7 @@
Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
===================================================================
--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
--- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.6/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@
get_entropy_func _rnd_get_system_entropy = NULL;
@ -158,11 +158,11 @@ Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
+#endif
return;
}
Index: gnutls-3.8.1/lib/nettle/Makefile.in
Index: gnutls-3.8.6/lib/nettle/Makefile.in
===================================================================
--- gnutls-3.8.1.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.1/lib/nettle/Makefile.in
@@ -402,7 +402,7 @@ am__v_CC_1 =
--- gnutls-3.8.6.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.6/lib/nettle/Makefile.in
@@ -497,7 +497,7 @@ am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@ -171,10 +171,10 @@ Index: gnutls-3.8.1/lib/nettle/Makefile.in
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
Index: gnutls-3.8.1/lib/nettle/Makefile.am
Index: gnutls-3.8.6/lib/nettle/Makefile.am
===================================================================
--- gnutls-3.8.1.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.1/lib/nettle/Makefile.am
--- gnutls-3.8.6.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.6/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@
include $(top_srcdir)/lib/common.mk
@ -184,10 +184,10 @@ Index: gnutls-3.8.1/lib/nettle/Makefile.am
AM_CPPFLAGS = \
-I$(srcdir)/int \
Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
===================================================================
--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.1/lib/nettle/rnd-fips.c
--- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.6/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
uint8_t buffer[DRBG_AES_SEED_SIZE];
int ret;
@ -210,16 +210,16 @@ Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
ret = get_entropy(fctx, buffer, sizeof(buffer));
if (ret < 0) {
_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
Index: gnutls-3.8.1/tests/Makefile.am
Index: gnutls-3.8.6/tests/Makefile.am
===================================================================
--- gnutls-3.8.1.orig/tests/Makefile.am
+++ gnutls-3.8.1/tests/Makefile.am
@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
--- gnutls-3.8.6.orig/tests/Makefile.am
+++ gnutls-3.8.6/tests/Makefile.am
@@ -209,7 +209,7 @@ ctests += mini-record-2 simple gnutls_hm
dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
- set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
+ set_x509_key_file_ocsp client-fastopen srp rng-pthread \
- set_x509_key_file_ocsp client-fastopen rng-sigint srp \
+ set_x509_key_file_ocsp client-fastopen srp \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \

19
gnutls.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Jul 25 08:51:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.6:
* libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
PBKDF2 (PBMAC1) is now supported, according to the specification
proposed in draft-ietf-lamps-pkcs12-pbmac1.
* libgnutls: SHA3 extendable output functions (XOF) are now supported
SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
public API gnutls_hash_squeeze.
* API and ABI modifications:
- gnutls_pkcs12_generate_mac3: New function
- gnutls_pkcs12_flags_t: New enum
- gnutls_hash_squeeze: New function
* Rebase patches:
- gnutls-FIPS-140-3-references.patch
- gnutls-FIPS-jitterentropy.patch
-------------------------------------------------------------------
Fri Apr 5 07:28:14 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

2
gnutls.spec
View File

@ -40,7 +40,7 @@
%endif
%bcond_with tpm
Name: gnutls
Version: 3.8.5
Version: 3.8.6
Release: 0
Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later