rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Accepting request 1139454 from home:pmonrealgonzalez:branches:security:tls

Browse Source 
- Update to 3.8.3:
  * libgnutls: Fix more timing side-channel inside RSA-PSK key
    exchange. [GNUTLS-SA-2024-01-14, CVSS: medium]
    [bsc#1218865, CVE-2024-0553]
  * libgnutls: Fix assertion failure when verifying a certificate
    chain with a cycle of cross signatures.
    [GNUTLS-SA-2024-01-09, CVSS: medium] [bsc#1218862, CVE-2024-0567]
  * libgnutls: Fix regression in handling Ed25519 keys stored in
    PKCS#11 token certtool was unable to handle Ed25519 keys
    generated on PKCS#11 with pkcs11-tool (OpenSC).
    This is a regression introduced in 3.8.2.
  * Rebase gnutls-FIPS-140-3-references.patch
  * Updated upstream gnutls.keyring

OBS-URL: https://build.opensuse.org/request/show/1139454
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=103
This commit is contained in:
Pedro Monreal Gonzalez 2024-01-17 12:54:44 +00:00 committed by Git OBS Bridge
parent fd66c8789e
commit 6af759b42f
8 changed files with 162 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.8.2.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77
size 6456540

BIN
gnutls-3.8.2.tar.xz.sig
View File

Binary file not shown.

BIN
gnutls-3.8.3.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
gnutls-3.8.3.tar.xz.sig Normal file
View File

Binary file not shown.

280
gnutls-FIPS-140-3-references.patch
View File

@ -1,7 +1,7 @@
Index: gnutls-3.8.2/configure.ac Index: gnutls-3.8.3/configure.ac
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/configure.ac --- gnutls-3.8.3.orig/configure.ac
+++ gnutls-3.8.2/configure.ac +++ gnutls-3.8.3/configure.ac
@@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared @@ -623,19 +623,19 @@ LT_INIT([disable-static,win32-dll,shared
AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);]) AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
@ -25,10 +25,10 @@ Index: gnutls-3.8.2/configure.ac
AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
[specify the FIPS140 module name]), [specify the FIPS140 module name]),
Index: gnutls-3.8.2/doc/cha-gtls-app.texi Index: gnutls-3.8.3/doc/cha-gtls-app.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/cha-gtls-app.texi --- gnutls-3.8.3.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.2/doc/cha-gtls-app.texi +++ gnutls-3.8.3/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are @@ -222,7 +222,7 @@ CPU. The currently available options are
@end itemize @end itemize
@ -38,10 +38,10 @@ Index: gnutls-3.8.2/doc/cha-gtls-app.texi
if set to one it will force the FIPS mode enablement. if set to one it will force the FIPS mode enablement.
@end multitable @end multitable
Index: gnutls-3.8.2/doc/cha-internals.texi Index: gnutls-3.8.3/doc/cha-internals.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/cha-internals.texi --- gnutls-3.8.3.orig/doc/cha-internals.texi
+++ gnutls-3.8.2/doc/cha-internals.texi +++ gnutls-3.8.3/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box. @@ -14,7 +14,7 @@ happens inside the black box.
* TLS Hello Extension Handling:: * TLS Hello Extension Handling::
* Cryptographic Backend:: * Cryptographic Backend::
@ -162,10 +162,10 @@ Index: gnutls-3.8.2/doc/cha-internals.texi
operation. It can be attached to the current execution thread with operation. It can be attached to the current execution thread with
@funcref{gnutls_fips140_push_context} and its internal state will be @funcref{gnutls_fips140_push_context} and its internal state will be
updated until it is detached with updated until it is detached with
Index: gnutls-3.8.2/doc/enums.texi Index: gnutls-3.8.3/doc/enums.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/enums.texi --- gnutls-3.8.3.orig/doc/enums.texi
+++ gnutls-3.8.2/doc/enums.texi +++ gnutls-3.8.3/doc/enums.texi
@@ -1188,7 +1188,7 @@ application traffic secret is installed @@ -1188,7 +1188,7 @@ application traffic secret is installed
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@ -186,10 +186,10 @@ Index: gnutls-3.8.2/doc/enums.texi
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode Index: gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/functions/gnutls_fips140_set_mode --- gnutls-3.8.3.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode +++ gnutls-3.8.3/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@ -215,10 +215,10 @@ Index: gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.2/doc/gnutls.html Index: gnutls-3.8.3/doc/gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/gnutls.html --- gnutls-3.8.3.orig/doc/gnutls.html
+++ gnutls-3.8.2/doc/gnutls.html +++ gnutls-3.8.3/doc/gnutls.html
@@ -484,7 +484,7 @@ Documentation License&rdquo;. @@ -484,7 +484,7 @@ Documentation License&rdquo;.
<li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li> <li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
<li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li> <li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
@ -430,7 +430,7 @@ Index: gnutls-3.8.2/doc/gnutls.html
values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library values for <code class="code">mode</code> or to <code class="code">GNUTLS_FIPS140_SELFTESTS</code> mode, the library
switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode. switches to <code class="code">GNUTLS_FIPS140_STRICT</code> mode.
</p> </p>
@@ -46924,7 +46924,7 @@ Next: <a href="#Concept-Index" accesskey @@ -46927,7 +46927,7 @@ Next: <a href="#Concept-Index" accesskey
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffingerprint"><code>gnutls_fingerprint</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005fdeinit"><code>gnutls_fips140_context_deinit</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fcontext_005finit"><code>gnutls_fips140_context_init</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@ -439,11 +439,11 @@ Index: gnutls-3.8.2/doc/gnutls.html
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr> <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a>:</td><td>&nbsp;</td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
Index: gnutls-3.8.2/doc/gnutls.info-3 Index: gnutls-3.8.3/doc/gnutls.info-3
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/gnutls.info-3 --- gnutls-3.8.3.orig/doc/gnutls.info-3
+++ gnutls-3.8.2/doc/gnutls.info-3 +++ gnutls-3.8.3/doc/gnutls.info-3
@@ -2248,7 +2248,7 @@ to more. Both will exit with a st @@ -2247,7 +2247,7 @@ to more. Both will exit with a st
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
- file must pre-exist - file must pre-exist
@ -452,7 +452,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
@@ -3401,7 +3401,7 @@ to know what happens inside the black bo @@ -3400,7 +3400,7 @@ to know what happens inside the black bo
* TLS Hello Extension Handling:: * TLS Hello Extension Handling::
* Cryptographic Backend:: * Cryptographic Backend::
* Random Number Generators-internals:: * Random Number Generators-internals::
@ -461,7 +461,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
 
File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS
@@ -3933,7 +3933,7 @@ and abstract key types::. @@ -3932,7 +3932,7 @@ and abstract key types::.
kernel implementation of /dev/crypto. kernel implementation of /dev/crypto.
 
@ -470,7 +470,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
11.6 Random Number Generators 11.6 Random Number Generators
============================= =============================
@@ -3943,7 +3943,7 @@ About the generators @@ -3942,7 +3942,7 @@ About the generators
GnuTLS provides two random generators. The default, and the AES-DRBG GnuTLS provides two random generators. The default, and the AES-DRBG
random generator which is only used when the library is compiled with random generator which is only used when the library is compiled with
@ -479,7 +479,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
The default generator - inner workings The default generator - inner workings
-------------------------------------- --------------------------------------
@@ -4175,7 +4175,7 @@ in *note Figure 11.5: gnutls_fips_mode_t @@ -4174,7 +4174,7 @@ in *note Figure 11.5: gnutls_fips_mode_t
Figure 11.5: The gnutls_fips_mode_t enumeration. Figure 11.5: The gnutls_fips_mode_t enumeration.
The intention of this API is to be used by applications which may run in The intention of this API is to be used by applications which may run in
@ -488,7 +488,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
set, e.g., for non-security related purposes. In these cases set, e.g., for non-security related purposes. In these cases
applications should wrap the non-compliant code within blocks like the applications should wrap the non-compliant code within blocks like the
following. following.
@@ -4199,10 +4199,10 @@ are macros to simplify the following seq @@ -4198,10 +4198,10 @@ are macros to simplify the following seq
The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous
calls is to localize the change in the mode. Note also, that such a calls is to localize the change in the mode. Note also, that such a
@ -501,7 +501,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
Service indicator Service indicator
@@ -4684,8 +4684,8 @@ There are certifications from national o @@ -4683,8 +4683,8 @@ There are certifications from national o
practices, such as unit testing and reliance on well known crypto practices, such as unit testing and reliance on well known crypto
primitives. primitives.
@ -512,7 +512,7 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
 
File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top
@@ -9152,7 +9152,7 @@ gnutls_fips140_set_mode @@ -9151,7 +9151,7 @@ gnutls_fips140_set_mode
-- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE,
unsigned FLAGS) unsigned FLAGS)
@ -521,10 +521,10 @@ Index: gnutls-3.8.2/doc/gnutls.info-3
FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD FLAGS: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD
Index: gnutls-3.8.2/doc/invoke-gnutls-cli.texi Index: gnutls-3.8.3/doc/invoke-gnutls-cli.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/invoke-gnutls-cli.texi --- gnutls-3.8.3.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.2/doc/invoke-gnutls-cli.texi +++ gnutls-3.8.3/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None: @@ -102,7 +102,7 @@ None:
--inline-commands-prefix=str Change the default delimiter for inline commands --inline-commands-prefix=str Change the default delimiter for inline commands
--provider=file Specify the PKCS #11 provider library --provider=file Specify the PKCS #11 provider library
@ -534,10 +534,10 @@ Index: gnutls-3.8.2/doc/invoke-gnutls-cli.texi
--list-config Reports the configuration of the library --list-config Reports the configuration of the library
--logfile=str Redirect informational messages to a specific file --logfile=str Redirect informational messages to a specific file
--keymatexport=str Label used for exporting keying material --keymatexport=str Label used for exporting keying material
Index: gnutls-3.8.2/doc/manpages/gnutls-cli.1 Index: gnutls-3.8.3/doc/manpages/gnutls-cli.1
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/manpages/gnutls-cli.1 --- gnutls-3.8.3.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.2/doc/manpages/gnutls-cli.1 +++ gnutls-3.8.3/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
This will override the default options in /etc/gnutls/pkcs11.conf This will override the default options in /etc/gnutls/pkcs11.conf
.TP .TP
@ -547,10 +547,10 @@ Index: gnutls-3.8.2/doc/manpages/gnutls-cli.1
.sp .sp
.TP .TP
.NOP \f\*[B-Font]\-\-list\-config\f[] .NOP \f\*[B-Font]\-\-list\-config\f[]
Index: gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html Index: gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/reference/html/gnutls-gnutls.html --- gnutls-3.8.3.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html +++ gnutls-3.8.3/doc/reference/html/gnutls-gnutls.html
@@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para @@ -20866,12 +20866,12 @@ gnutls_fips140_set_mode (<em class="para
(globally), and should be called prior to creating any threads. Its (globally), and should be called prior to creating any threads. Its
behavior with no flags after threads are created is undefined.</p> behavior with no flags after threads are created is undefined.</p>
@ -611,10 +611,10 @@ Index: gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html
-</html> -</html>
\ No newline at end of file \ No newline at end of file
+</html> +</html>
Index: gnutls-3.8.2/lib/fips.c Index: gnutls-3.8.3/lib/fips.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/fips.c --- gnutls-3.8.3.orig/lib/fips.c
+++ gnutls-3.8.2/lib/fips.c +++ gnutls-3.8.3/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void) @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
} }
@ -633,7 +633,7 @@ Index: gnutls-3.8.2/lib/fips.c
ret = GNUTLS_FIPS140_SELFTESTS; ret = GNUTLS_FIPS140_SELFTESTS;
goto exit; goto exit;
} }
@@ -692,7 +692,7 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -694,7 +694,7 @@ unsigned gnutls_fips140_mode_enabled(voi
/** /**
* gnutls_fips140_set_mode: * gnutls_fips140_set_mode:
@ -642,7 +642,7 @@ Index: gnutls-3.8.2/lib/fips.c
* @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
* *
* That function is not thread-safe when changing the mode with no flags * That function is not thread-safe when changing the mode with no flags
@@ -700,13 +700,13 @@ unsigned gnutls_fips140_mode_enabled(voi @@ -702,13 +702,13 @@ unsigned gnutls_fips140_mode_enabled(voi
* behavior with no flags after threads are created is undefined. * behavior with no flags after threads are created is undefined.
* *
* When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@ -658,7 +658,7 @@ Index: gnutls-3.8.2/lib/fips.c
* values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
* switches to %GNUTLS_FIPS140_STRICT mode. * switches to %GNUTLS_FIPS140_STRICT mode.
* *
@@ -718,10 +718,10 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -720,10 +720,10 @@ void gnutls_fips140_set_mode(gnutls_fips
gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled(); gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
if (prev == GNUTLS_FIPS140_DISABLED || if (prev == GNUTLS_FIPS140_DISABLED ||
prev == GNUTLS_FIPS140_SELFTESTS) { prev == GNUTLS_FIPS140_SELFTESTS) {
@ -671,7 +671,7 @@ Index: gnutls-3.8.2/lib/fips.c
return; return;
} }
@@ -734,7 +734,7 @@ void gnutls_fips140_set_mode(gnutls_fips @@ -736,7 +736,7 @@ void gnutls_fips140_set_mode(gnutls_fips
case GNUTLS_FIPS140_SELFTESTS: case GNUTLS_FIPS140_SELFTESTS:
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -680,7 +680,7 @@ Index: gnutls-3.8.2/lib/fips.c
mode = GNUTLS_FIPS140_STRICT; mode = GNUTLS_FIPS140_STRICT;
break; break;
default: default:
@@ -910,7 +910,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -912,7 +912,7 @@ void _gnutls_switch_fips_state(gnutls_fi
} }
if (!_tfips_context) { if (!_tfips_context) {
@ -689,7 +689,7 @@ Index: gnutls-3.8.2/lib/fips.c
return; return;
} }
@@ -924,7 +924,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -926,7 +926,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -698,7 +698,7 @@ Index: gnutls-3.8.2/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -935,7 +935,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -937,7 +937,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -707,7 +707,7 @@ Index: gnutls-3.8.2/lib/fips.c
operation_state_to_string(state)); operation_state_to_string(state));
} }
_tfips_context->state = state; _tfips_context->state = state;
@@ -947,7 +947,7 @@ void _gnutls_switch_fips_state(gnutls_fi @@ -949,7 +949,7 @@ void _gnutls_switch_fips_state(gnutls_fi
if (mode != GNUTLS_FIPS140_LAX) { if (mode != GNUTLS_FIPS140_LAX) {
_gnutls_audit_log( _gnutls_audit_log(
NULL, NULL,
@ -716,7 +716,7 @@ Index: gnutls-3.8.2/lib/fips.c
operation_state_to_string( operation_state_to_string(
_tfips_context->state), _tfips_context->state),
operation_state_to_string(state)); operation_state_to_string(state));
@@ -1009,7 +1009,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1011,7 +1011,7 @@ int gnutls_fips140_run_self_tests(void)
ret < 0) { ret < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log(NULL, _gnutls_audit_log(NULL,
@ -725,7 +725,7 @@ Index: gnutls-3.8.2/lib/fips.c
} else { } else {
/* Restore the previous library state */ /* Restore the previous library state */
_gnutls_switch_lib_state(prev_lib_state); _gnutls_switch_lib_state(prev_lib_state);
@@ -1021,7 +1021,7 @@ int gnutls_fips140_run_self_tests(void) @@ -1023,7 +1023,7 @@ int gnutls_fips140_run_self_tests(void)
if (gnutls_fips140_pop_context() < 0) { if (gnutls_fips140_pop_context() < 0) {
_gnutls_switch_lib_state(LIB_STATE_ERROR); _gnutls_switch_lib_state(LIB_STATE_ERROR);
_gnutls_audit_log( _gnutls_audit_log(
@ -734,10 +734,10 @@ Index: gnutls-3.8.2/lib/fips.c
} }
gnutls_fips140_context_deinit(fips_context); gnutls_fips140_context_deinit(fips_context);
} }
Index: gnutls-3.8.2/lib/fips.h Index: gnutls-3.8.3/lib/fips.h
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/fips.h --- gnutls-3.8.3.orig/lib/fips.h
+++ gnutls-3.8.2/lib/fips.h +++ gnutls-3.8.3/lib/fips.h
@@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci @@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
} }
@ -778,10 +778,10 @@ Index: gnutls-3.8.2/lib/fips.h
gnutls_cipher_get_name(algo)); gnutls_cipher_get_name(algo));
FALLTHROUGH; FALLTHROUGH;
case GNUTLS_FIPS140_DISABLED: case GNUTLS_FIPS140_DISABLED:
Index: gnutls-3.8.2/lib/global.c Index: gnutls-3.8.3/lib/global.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/global.c --- gnutls-3.8.3.orig/lib/global.c
+++ gnutls-3.8.2/lib/global.c +++ gnutls-3.8.3/lib/global.c
@@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned @@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned
#ifdef ENABLE_FIPS140 #ifdef ENABLE_FIPS140
@ -815,10 +815,10 @@ Index: gnutls-3.8.2/lib/global.c
if (res != 2) { if (res != 2) {
gnutls_assert(); gnutls_assert();
goto out; goto out;
Index: gnutls-3.8.2/lib/includes/gnutls/gnutls.h.in Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/includes/gnutls/gnutls.h.in --- gnutls-3.8.3.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.2/lib/includes/gnutls/gnutls.h.in +++ gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
@@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn @@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn
void gnutls_alert_set_read_function(gnutls_session_t session, void gnutls_alert_set_read_function(gnutls_session_t session,
gnutls_alert_read_func func); gnutls_alert_read_func func);
@ -849,10 +849,10 @@ Index: gnutls-3.8.2/lib/includes/gnutls/gnutls.h.in
*/ */
typedef enum gnutls_fips_mode_t { typedef enum gnutls_fips_mode_t {
GNUTLS_FIPS140_DISABLED = 0, GNUTLS_FIPS140_DISABLED = 0,
Index: gnutls-3.8.2/src/cli.c Index: gnutls-3.8.3/src/cli.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/src/cli.c --- gnutls-3.8.3.orig/src/cli.c
+++ gnutls-3.8.2/src/cli.c +++ gnutls-3.8.3/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char ** @@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
if (HAVE_OPT(FIPS140_MODE)) { if (HAVE_OPT(FIPS140_MODE)) {
@ -866,10 +866,10 @@ Index: gnutls-3.8.2/src/cli.c
exit(1); exit(1);
} }
Index: gnutls-3.8.2/src/gnutls-cli-options.c Index: gnutls-3.8.3/src/gnutls-cli-options.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/src/gnutls-cli-options.c --- gnutls-3.8.3.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.2/src/gnutls-cli-options.c +++ gnutls-3.8.3/src/gnutls-cli-options.c
@@ -810,7 +810,7 @@ usage (FILE *out, int status) @@ -810,7 +810,7 @@ usage (FILE *out, int status)
" --inline-commands-prefix=str Change the default delimiter for inline commands\n" " --inline-commands-prefix=str Change the default delimiter for inline commands\n"
" --provider=file Specify the PKCS #11 provider library\n" " --provider=file Specify the PKCS #11 provider library\n"
@ -879,10 +879,10 @@ Index: gnutls-3.8.2/src/gnutls-cli-options.c
" --list-config Reports the configuration of the library\n" " --list-config Reports the configuration of the library\n"
" --logfile=str Redirect informational messages to a specific file\n" " --logfile=str Redirect informational messages to a specific file\n"
" --keymatexport=str Label used for exporting keying material\n" " --keymatexport=str Label used for exporting keying material\n"
Index: gnutls-3.8.2/tests/cert-tests/gost.sh Index: gnutls-3.8.3/tests/cert-tests/gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/gost.sh --- gnutls-3.8.3.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.2/tests/cert-tests/gost.sh +++ gnutls-3.8.3/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -892,10 +892,10 @@ Index: gnutls-3.8.2/tests/cert-tests/gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs12-corner-cases.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-corner-cases.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs12-corner-cases.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -905,10 +905,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs12-corner-cases.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs12-encode.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-encode.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs12-encode.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -918,10 +918,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs12-encode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs12-gost.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-gost.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs12-gost.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -931,10 +931,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs12-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs12.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs12.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs12.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -944,10 +944,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs12.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs8-decode.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-decode.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs8-decode.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -957,10 +957,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs8-decode.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs8-eddsa.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-eddsa.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs8-eddsa.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -970,10 +970,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs8-eddsa.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs8-gost.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-gost.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs8-gost.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -983,10 +983,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs8-gost.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cert-tests/pkcs8.sh Index: gnutls-3.8.3/tests/cert-tests/pkcs8.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8.sh --- gnutls-3.8.3.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.2/tests/cert-tests/pkcs8.sh +++ gnutls-3.8.3/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
fi fi
@ -996,10 +996,10 @@ Index: gnutls-3.8.2/tests/cert-tests/pkcs8.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/cipher-listings.sh Index: gnutls-3.8.3/tests/cipher-listings.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/cipher-listings.sh --- gnutls-3.8.3.orig/tests/cipher-listings.sh
+++ gnutls-3.8.2/tests/cipher-listings.sh +++ gnutls-3.8.3/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check() @@ -63,7 +63,7 @@ check()
${CLI} --fips140-mode ${CLI} --fips140-mode
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.2/tests/cipher-listings.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/tests/testpkcs11.sh Index: gnutls-3.8.3/tests/testpkcs11.sh
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/tests/testpkcs11.sh --- gnutls-3.8.3.orig/tests/testpkcs11.sh
+++ gnutls-3.8.2/tests/testpkcs11.sh +++ gnutls-3.8.3/tests/testpkcs11.sh
@@ -26,7 +26,7 @@ @@ -26,7 +26,7 @@
RETCODE=0 RETCODE=0
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.2/tests/testpkcs11.sh
exit 77 exit 77
fi fi
Index: gnutls-3.8.2/doc/enums/gnutls_fips_mode_t Index: gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/enums/gnutls_fips_mode_t --- gnutls-3.8.3.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.2/doc/enums/gnutls_fips_mode_t +++ gnutls-3.8.3/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
@c gnutls_fips_mode_t @c gnutls_fips_mode_t
@table @code @table @code
@ -1046,10 +1046,10 @@ Index: gnutls-3.8.2/doc/enums/gnutls_fips_mode_t
application is aware of the followed security policy, and needs application is aware of the followed security policy, and needs
to utilize disallowed operations for other reasons (e.g., compatibility). to utilize disallowed operations for other reasons (e.g., compatibility).
@item GNUTLS_@-FIPS140_@-LOG @item GNUTLS_@-FIPS140_@-LOG
Index: gnutls-3.8.2/doc/gnutls-api.texi Index: gnutls-3.8.3/doc/gnutls-api.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/gnutls-api.texi --- gnutls-3.8.3.orig/doc/gnutls-api.texi
+++ gnutls-3.8.2/doc/gnutls-api.texi +++ gnutls-3.8.3/doc/gnutls-api.texi
@@ -3275,7 +3275,7 @@ unusable. This function is not thread-s @@ -3275,7 +3275,7 @@ unusable. This function is not thread-s
@subheading gnutls_fips140_set_mode @subheading gnutls_fips140_set_mode
@anchor{gnutls_fips140_set_mode} @anchor{gnutls_fips140_set_mode}
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.2/doc/gnutls-api.texi
values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library
switches to @code{GNUTLS_FIPS140_STRICT} mode. switches to @code{GNUTLS_FIPS140_STRICT} mode.
Index: gnutls-3.8.2/lib/ext/session_ticket.c Index: gnutls-3.8.3/lib/ext/session_ticket.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/ext/session_ticket.c --- gnutls-3.8.3.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.2/lib/ext/session_ticket.c +++ gnutls-3.8.3/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
{ {
if (_gnutls_fips_mode_enabled()) { if (_gnutls_fips_mode_enabled()) {
@ -1088,10 +1088,10 @@ Index: gnutls-3.8.2/lib/ext/session_ticket.c
* some limits on allowed key size, thus it is not * some limits on allowed key size, thus it is not
* used. These limits do not affect this function as * used. These limits do not affect this function as
* it does not generate a "key" but rather key material * it does not generate a "key" but rather key material
Index: gnutls-3.8.2/lib/libgnutls.map Index: gnutls-3.8.3/lib/libgnutls.map
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/libgnutls.map --- gnutls-3.8.3.orig/lib/libgnutls.map
+++ gnutls-3.8.2/lib/libgnutls.map +++ gnutls-3.8.3/lib/libgnutls.map
@@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 { @@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 {
gnutls_hkdf_self_test; gnutls_hkdf_self_test;
gnutls_pbkdf2_self_test; gnutls_pbkdf2_self_test;
@ -1101,10 +1101,10 @@ Index: gnutls-3.8.2/lib/libgnutls.map
drbg_aes_reseed; drbg_aes_reseed;
drbg_aes_init; drbg_aes_init;
drbg_aes_generate; drbg_aes_generate;
Index: gnutls-3.8.2/lib/nettle/mac.c Index: gnutls-3.8.3/lib/nettle/mac.c
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/lib/nettle/mac.c --- gnutls-3.8.3.orig/lib/nettle/mac.c
+++ gnutls-3.8.2/lib/nettle/mac.c +++ gnutls-3.8.3/lib/nettle/mac.c
@@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx @@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx
static int _mac_ctx_init(gnutls_mac_algorithm_t algo, static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
struct nettle_mac_ctx *ctx) struct nettle_mac_ctx *ctx)
@ -1123,10 +1123,10 @@ Index: gnutls-3.8.2/lib/nettle/mac.c
* gnutls_hash_init() and gnutls_hmac_init() */ * gnutls_hash_init() and gnutls_hmac_init() */
switch (algo) { switch (algo) {
case GNUTLS_DIG_MD5: case GNUTLS_DIG_MD5:
Index: gnutls-3.8.2/config.h.in Index: gnutls-3.8.3/config.h.in
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/config.h.in --- gnutls-3.8.3.orig/config.h.in
+++ gnutls-3.8.2/config.h.in +++ gnutls-3.8.3/config.h.in
@@ -82,7 +82,7 @@ @@ -82,7 +82,7 @@
/* enable DHE */ /* enable DHE */
#undef ENABLE_ECDHE #undef ENABLE_ECDHE
@ -1145,11 +1145,11 @@ Index: gnutls-3.8.2/config.h.in
#undef FIPS_KEY #undef FIPS_KEY
/* The FIPS140 module name */ /* The FIPS140 module name */
Index: gnutls-3.8.2/configure Index: gnutls-3.8.3/configure
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/configure --- gnutls-3.8.3.orig/configure
+++ gnutls-3.8.2/configure +++ gnutls-3.8.3/configure
@@ -3828,7 +3828,7 @@ Optional Features: @@ -3830,7 +3830,7 @@ Optional Features:
--enable-fast-install[=PKGS] --enable-fast-install[=PKGS]
optimize for fast installation [default=yes] optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds) --disable-libtool-lock avoid locking (might break parallel builds)
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.2/configure
--enable-strict-x509 enable stricter sanity checks for x509 certificates --enable-strict-x509 enable stricter sanity checks for x509 certificates
--disable-non-suiteb-curves --disable-non-suiteb-curves
disable curves not in SuiteB disable curves not in SuiteB
Index: gnutls-3.8.2/doc/cha-support.texi Index: gnutls-3.8.3/doc/cha-support.texi
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/cha-support.texi --- gnutls-3.8.3.orig/doc/cha-support.texi
+++ gnutls-3.8.2/doc/cha-support.texi +++ gnutls-3.8.3/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o @@ -134,5 +134,5 @@ There are certifications from national o
to an auditor that the crypto component follows some best practices, such to an auditor that the crypto component follows some best practices, such
as unit testing and reliance on well known crypto primitives. as unit testing and reliance on well known crypto primitives.
@ -1170,23 +1170,23 @@ Index: gnutls-3.8.2/doc/cha-support.texi
-See @ref{FIPS140-2 mode} for more information. -See @ref{FIPS140-2 mode} for more information.
+GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux. +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
+See @ref{FIPS140-3 mode} for more information. +See @ref{FIPS140-3 mode} for more information.
Index: gnutls-3.8.2/doc/gnutls.info Index: gnutls-3.8.3/doc/gnutls.info
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/doc/gnutls.info --- gnutls-3.8.3.orig/doc/gnutls.info
+++ gnutls-3.8.2/doc/gnutls.info +++ gnutls-3.8.3/doc/gnutls.info
@@ -619,7 +619,7 @@ Ref: fig-crypto-layers744475 @@ -618,7 +618,7 @@ Ref: fig-crypto-layers744471
Ref: Cryptographic Backend-Footnote-1747787 Ref: Cryptographic Backend-Footnote-1747783
Ref: Cryptographic Backend-Footnote-2747872 Ref: Cryptographic Backend-Footnote-2747868
Node: Random Number Generators-internals747984 Node: Random Number Generators-internals747980
-Node: FIPS140-2 mode755454 -Node: FIPS140-2 mode755450
+Node: FIPS140-3 mode755454 +Node: FIPS140-3 mode755450
Ref: gnutls_fips_mode_t758152 Ref: gnutls_fips_mode_t758148
Node: Upgrading from previous versions761821 Node: Upgrading from previous versions761817
Node: Support776063 Node: Support776059
Index: gnutls-3.8.2/src/gnutls-cli-options.json Index: gnutls-3.8.3/src/gnutls-cli-options.json
=================================================================== ===================================================================
--- gnutls-3.8.2.orig/src/gnutls-cli-options.json --- gnutls-3.8.3.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.2/src/gnutls-cli-options.json +++ gnutls-3.8.3/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@ @@ -384,7 +384,7 @@
}, },
{ {

17
gnutls.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Jan 17 08:41:07 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.8.3:
* libgnutls: Fix more timing side-channel inside RSA-PSK key
exchange. [GNUTLS-SA-2024-01-14, CVSS: medium]
[bsc#1218865, CVE-2024-0553]
* libgnutls: Fix assertion failure when verifying a certificate
chain with a cycle of cross signatures.
[GNUTLS-SA-2024-01-09, CVSS: medium] [bsc#1218862, CVE-2024-0567]
* libgnutls: Fix regression in handling Ed25519 keys stored in
PKCS#11 token certtool was unable to handle Ed25519 keys
generated on PKCS#11 with pkcs11-tool (OpenSC).
This is a regression introduced in 3.8.2.
* Rebase gnutls-FIPS-140-3-references.patch
* Updated upstream gnutls.keyring
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 17 10:17:02 UTC 2023 - Pedro Monreal <pmonreal@suse.com> Fri Nov 17 10:17:02 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

BIN
gnutls.keyring
View File

Binary file not shown.

4
gnutls.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package gnutls # spec file for package gnutls
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -40,7 +40,7 @@
%endif %endif
%bcond_with tpm %bcond_with tpm
Name: gnutls Name: gnutls
Version: 3.8.2 Version: 3.8.3
Release: 0 Release: 0
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
License: GPL-3.0-or-later AND LGPL-2.1-or-later License: GPL-3.0-or-later AND LGPL-2.1-or-later