Accepting request 964662 from security:tls

OBS-URL: https://build.opensuse.org/request/show/964662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=135

gnutls-3.7.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fc59c43bc31ab20a6977ff083029277a31935b8355ce387b634fa433f8f6c49a
-size 6119292

gnutls-3.7.4.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f
+size 6131772

gnutls-FIPS-PBKDF2-KAT-requirements.patch

@@ -0,0 +1,21 @@
+Index: gnutls-3.7.3/lib/crypto-selftests.c
+===================================================================
+--- gnutls-3.7.3.orig/lib/crypto-selftests.c
++++ gnutls-3.7.3/lib/crypto-selftests.c
+@@ -3112,6 +3112,16 @@ const struct pbkdf2_vectors_st pbkdf2_sh
+ 		    "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
+ 		    "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+ 	},
++	/* Test vector extracted from https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/kdf.c */
++	{
++		STR(key, key_size, "passwordPASSWORDpassword"),
++		STR(salt, salt_size, "saltSALTsaltSALTsaltSALTsaltSALTsalt"),
++		.iter_count = 4096,
++		STR(output, output_size,
++		    "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e"
++		    "\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f"
++		    "\xb8\xdd\x53\xe1\xc6\x35\x51\x8c\x7d\xac\x47\xe9"),
++	},
+ };
+ 
+ static int test_pbkdf2(gnutls_mac_algorithm_t mac,

gnutls-FIPS-disable-failing-tests.patch

@@ -0,0 +1,27 @@
+Index: gnutls-3.7.3/guile/Makefile.am
+===================================================================
+--- gnutls-3.7.3.orig/guile/Makefile.am
++++ gnutls-3.7.3/guile/Makefile.am
+@@ -102,8 +102,6 @@ endif HAVE_GUILD
+ #
+ 
+ TESTS =						\
+-  tests/anonymous-auth.scm			\
+-  tests/session-record-port.scm			\
+   tests/pkcs-import-export.scm			\
+   tests/errors.scm				\
+   tests/x509-certificates.scm			\
+Index: gnutls-3.7.3/guile/Makefile.in
+===================================================================
+--- gnutls-3.7.3.orig/guile/Makefile.in
++++ gnutls-3.7.3/guile/Makefile.in
+@@ -2320,8 +2320,7 @@ CLEANFILES = modules/gnutls.scm $(am__ap
+ #
+ # Tests.
+ #
+-TESTS = tests/anonymous-auth.scm tests/session-record-port.scm \
+-	tests/pkcs-import-export.scm tests/errors.scm \
++TESTS = tests/pkcs-import-export.scm tests/errors.scm \
+ 	tests/x509-certificates.scm tests/x509-auth.scm \
+ 	tests/reauth.scm tests/priorities.scm $(am__append_2)
+ TESTS_ENVIRONMENT = \

gnutls.changes

@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Fri Mar 18 18:31:06 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
+  * The IG 10.3.A and SP800-132 require some minimum parameters for
+    the salt length, password length and iteration count. These
+    parameters should be also used in the KAT.
+  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
+- Enable to run the regression tests also in FIPS mode.
+
+-------------------------------------------------------------------
+Fri Mar 18 08:59:49 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.7.4:
+  * libgnutls: Added support for certificate compression as defined
+    in RFC8879.
+  * certtool: Added option --compress-cert that allows user to
+    specify compression  methods for certificate compression.
+  * libgnutls: GnuTLS can now be compiled with --enable-strict-x509
+    configure option to enforce stricter certificate sanity checks
+    that are compliant with RFC5280.
+  * libgnutls: Removed IA5String type from DirectoryString within
+    issuer and subject name to make DirectoryString RFC5280 compliant.
+  * libgnutls: Added function to retrieve the name of current
+    ciphersuite from session.
+  * Bump libgnutlsxx soname due to ABI break
+  * API and ABI modifications:
+    - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
+    - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
+    - gnutls_compress_certificate_get_selected_method: Added
+    - gnutls_compress_certificate_set_methods: Added
+  * Update gnutls.keyring
+
 -------------------------------------------------------------------
 Sun Feb 27 07:52:30 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
@@ -92,6 +125,7 @@ Tue Jan 18 15:59:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 Tue Jan 18 14:41:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 
 - FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
+  * Add gnutls-FIPS-disable-failing-tests.patch
   * Remove patches:
     - gnutls-temporarily_disable_broken_guile_reauth_test.patch
     - disable-psk-file-test.patch

gnutls.keyring

@@ -1684,3 +1684,17 @@ EIO6onUt+miSB15Qg7DF7/rvFPnDIZYr3t+MkaPlmjpXEUV/psdnytVWFcGxHdY0
 NA+R/e4eeyThgRet5M+0+9Duynj/ACpfWq/dxXbWRfY=
 =Q7yu
 -----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYcRaoxYJKwYBBAHaRw8BAQdA5U8Cb4ZMYCjuAa6tqNKbRxXzycS2iLvNzWki
+bGD2fe60JVpvbHRhbiBGcmlkcmljaCA8emZyaWRyaWNAcmVkaGF0LmNvbT6ImgQT
+FgoAQhYhBF1Gyw92NAWnBTVW9Hp1pkiz+SIMBQJhxFqjAhsDBQkDwmcABQsJCAcC
+AyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRB6daZIs/kiDGnYAQCiU94/eIspZzzx
+V17pylayAEv23s5uKvlGo1Ml1ySrZAEA8Q2rACBmdTpUfoW3LG3MJI0l1XP3kMEu
+WDBiM84D2gK4OARhxFqjEgorBgEEAZdVAQUBAQdAxKg6y4A69qT7doTni8/zKuKy
+QKXEORZTCNxkcnz3dXoDAQgHiH4EGBYKACYWIQRdRssPdjQFpwU1VvR6daZIs/ki
+DAUCYcRaowIbDAUJA8JnAAAKCRB6daZIs/kiDM/EAP0VN87WwaMcNwZcyocG/B9f
+419IojEx70PzMIBBlPctAgD/R/qamAlnggADzmS1PCF8+2W6Erc+HV2W/u2+wVJu
+7w0=
+=6FAm
+-----END PGP PUBLIC KEY BLOCK-----

gnutls.spec

@@ -17,7 +17,7 @@
 
 
 %define gnutls_sover 30
-%define gnutlsxx_sover 28
+%define gnutlsxx_sover 30
 %define gnutls_dane_sover 0
 # unbound isn't in SLE (bsc#1086428)
 %if 0%{?is_opensuse}
@@ -34,7 +34,7 @@
 %bcond_with tpm
 %bcond_without guile
 Name:           gnutls
-Version:        3.7.3
+Version:        3.7.4
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -47,6 +47,9 @@ Source3:        baselibs.conf
 Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-3.6.6-set_guile_site_dir.patch
 Patch2:         gnutls-FIPS-TLS_KDF_selftest.patch
+Patch3:         gnutls-FIPS-disable-failing-tests.patch
+#PATCH-FIX-SUSE bsc#1184669 FIPS: Additional PBKDF2 requirements for KAT
+Patch4:         gnutls-FIPS-PBKDF2-KAT-requirements.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -250,8 +253,6 @@ export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
 # install docs
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
 cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
-mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/reference
-cp doc/reference/html/* %{buildroot}%{_docdir}/libgnutls-devel/reference/
 mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
 cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
 
@@ -265,11 +266,15 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
 
 %check
 %if ! 0%{?qemu_user_space_build}
-# export GNUTLS_FORCE_FIPS_MODE=1
 make %{?_smp_mflags} check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
     find -name test-suite.log -print -exec cat {} +
     exit 1
 }
+#Run the regression tests also in FIPS mode
+GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+    find -name test-suite.log -print -exec cat {} +
+    exit 1
+}
 %endif
 
 %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig