Accepting request 1089038 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1089038 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=148
2023-05-26 18:15:10 +00:00 · 2023-05-26 18:15:10 +00:00 · b32aec3158
commit b32aec3158
parent e0d0851cae c7bc1d9ee7
4 changed files with 44 additions and 17 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,7 +1,7 @@
 libgnutls30
  obsoletes "gnutls-<targettype>"
+  provides "libgnutls30-<targettype> = <version>-%release"
+  obsoletes "libgnutls30-<targettype> < <version>-%release"
 libgnutls-devel
  requires -libgnutls-<targettype>
  requires "libgnutls30-<targettype> = <version>"
-libgnutls30-hmac
-  requires "libgnutls30-<targettype> = <version>-%release"
--- a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
@ -0,0 +1,24 @@
+Index: gnutls-3.8.0/lib/fips.c
+===================================================================
+--- gnutls-3.8.0.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c
+@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ 	if (ret < 0)
+ 		return ret;
+# if 0
+	/* Disable nettle, hogweed and gpm HMAC verification as
+	 * they are calculated during build of the respective
+	 * packages and can differ from the ones listed here.
+	 */
+ 	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ 	if (ret < 0)
+ 		return ret;
+@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ 	if (ret < 0)
+ 		return ret;
+# endif
+ 
+ 	return 0;
+ }
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+  gmp libraries. These calculated HMACs change for every build of
+  each of these packages, we only have to verify that for gnutls.
+  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
 -------------------------------------------------------------------
 Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -62,9 +62,11 @@ Patch100:       gnutls-FIPS-PCT-DH.patch
 Patch101:       gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102:       gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch103:       gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103:       gnutls-FIPS-jitterentropy.patch
+Patch104:       gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires:  autogen
 BuildRequires:  automake
@ -118,10 +120,10 @@ of the IETF's TLS working group.

 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes:      libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
@ -131,15 +133,6 @@ The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.

-%package -n libgnutls%{gnutls_sover}-hmac
-Summary:        Checksums of the GNU Transport Layer Security Library
-License:        LGPL-2.1-or-later
-Group:          System/Libraries
-Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
@ -339,9 +332,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}
 %license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

 %if %{with dane}