Accepting request 1034572 from home:pmonrealgonzalez:branches:security:tls

- Verify only the libgnutls library HMAC [bsc#1199881]
  * Do not use the brp-50-generate-fips-hmac script as this
    is now calculated with the internal fipshmac tool.
  * Add gnutls-verify-library-HMAC.patch

- Disable flaky test that fails in s390x architecture:
  * Add gnutls-disable-flaky-test-dtls-resume.patch
- Consolidate the FIPS hmac files [bsc#1203245]
  * Use the gnutls fipshmac tool instead of the brp-check-suse
    and rename it to reflect on the library version.
- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
  positive for the FIPS hmac calculation.

OBS-URL: https://build.opensuse.org/request/show/1034572
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=80

gnutls-disable-flaky-test-dtls-resume.patch

@@ -0,0 +1,13 @@
+Index: gnutls-3.7.8/tests/Makefile.am
+===================================================================
+--- gnutls-3.7.8.orig/tests/Makefile.am
++++ gnutls-3.7.8/tests/Makefile.am
+@@ -508,7 +508,7 @@ if !WINDOWS
+ # List of tests not available/functional under windows
+ #
+ 
+-dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
++dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb
+ 
+ indirect_tests += dtls-stress
+ 

gnutls-verify-library-HMAC.patch

@@ -0,0 +1,21 @@
+Index: gnutls-3.7.8/lib/fips.c
+===================================================================
+--- gnutls-3.7.8.orig/lib/fips.c
++++ gnutls-3.7.8/lib/fips.c
+@@ -402,6 +402,8 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
+ 	if (ret < 0)
+ 		return ret;
++	/* Check only the binary integrity of the libgnutls library */
++#if 0
+ 	ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
+ 	if (ret < 0)
+ 		return ret;
+@@ -411,6 +413,7 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+ 	if (ret < 0)
+ 		return ret;
++#endif
+ 
+ 	return 0;
+ }

gnutls.changes

@@ -1,15 +1,28 @@
+-------------------------------------------------------------------
+Tue Nov  8 12:52:18 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Verify only the libgnutls library HMAC [bsc#1199881]
+  * Do not use the brp-50-generate-fips-hmac script as this
+    is now calculated with the internal fipshmac tool.
+  * Add gnutls-verify-library-HMAC.patch
+
 -------------------------------------------------------------------
 Wed Nov  2 20:51:43 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 
 - Temporarily revert the jitterentropy patches in s390 and s390x
   architectures until a fix is provided [bsc#1204937]
+- Disable flaky test that fails in s390x architecture:
+  * Add gnutls-disable-flaky-test-dtls-resume.patch
 
 -------------------------------------------------------------------
 Fri Oct 14 11:35:33 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 
-- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
+- Consolidate the FIPS hmac files [bsc#1203245]
-  * Package the FIPS .hmac files
+  * Use the gnutls fipshmac tool instead of the brp-check-suse
+    and rename it to reflect on the library version.
   * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
+- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false
+  positive for the FIPS hmac calculation.
 
 -------------------------------------------------------------------
 Sun Oct  9 12:53:27 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

gnutls.rpmlintrc

@@ -0,0 +1 @@
+addFilter("hidden-file-or-dir /usr/lib64/.libgnutls.so.30.hmac")

gnutls.spec

@@ -47,6 +47,8 @@ Source1:        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.
 # https://gnutls.org/gnutls-release-keyring.gpg
 Source2:        gnutls.keyring
 Source3:        baselibs.conf
+# Suppress a false positive on the .hmac file
+Source4:        gnutls.rpmlintrc
 Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
 Patch1:         gnutls-FIPS-TLS_KDF_selftest.patch
 Patch2:         gnutls-FIPS-disable-failing-tests.patch
@@ -63,6 +65,9 @@ Patch5:         gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
 Patch6:         gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
 #PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
 Patch7:         gnutls-Make-XTS-key-check-failure-not-fatal.patch
+Patch8:         gnutls-disable-flaky-test-dtls-resume.patch
+#PATCH-FIX-OPENSUSE bsc#1199881 Verify only the libgnutls library HMAC
+Patch9:         gnutls-verify-library-HMAC.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -224,6 +229,10 @@ export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
 export CFLAGS="%{optflags} -fPIE"
 export CXXFLAGS="%{optflags} -fPIE"
 autoreconf -fiv
+
+# Rename the internal .hmac file to include the so library version
+sed -i "s/\.gnutls\.hmac/\.libgnutls\.so\.%{gnutls_sover}\.hmac/g" lib/Makefile.am lib/Makefile.in lib/fips.c
+
 %configure \
         gl_cv_func_printf_directive_n=yes \
         gl_cv_func_printf_infinite_long_double=yes \
@@ -259,11 +268,26 @@ autoreconf -fiv
 %install
 %make_install
 
-# Compute FIPS hmac using the brp-50-generate-fips-hmac script
+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
-export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
+# export BRP_FIPSHMAC_FILES=%%{buildroot}%%{_libdir}/libgnutls.so.%%{gnutls_sover}
 
-./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.gnutls.hmac
+# the hmac hashes:
-sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %%expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+# note: The FIPS hmac is now calculated with an internal tool since
+#   commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
+%{expand:%%global __os_install_post {%__os_install_post
+./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
+sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac
+}}
 
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
 # Do not package static libs and libtool files
@@ -333,7 +357,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}-hmac
 %license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
-%{_libdir}/.gnutls.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}