From c53c27aadd0e4ff2f0f95da71ae87a133b06c9cb5ce4b979c0ff761d3810fef4 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Mon, 29 May 2023 08:17:01 +0000
Subject: [PATCH 1/2] Accepting request 1089525 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
OBS-URL: https://build.opensuse.org/request/show/1089525
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=95
---
 baselibs.conf | 4 ++--
 gnutls.changes | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/baselibs.conf b/baselibs.conf
index b638d71..0eb5642 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,7 @@
 libgnutls30
 obsoletes "gnutls-"
- provides "libgnutls30- = -%release"
- obsoletes "libgnutls30- < -%release"
+ provides "libgnutls30-hmac- = -%release"
+ obsoletes "libgnutls30-hmac- < -%release"
 libgnutls-devel
 requires -libgnutls-
 requires "libgnutls30- = "
diff --git a/gnutls.changes b/gnutls.changes
index c6a9873..026c4ec 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 29 07:27:23 UTC 2023 - Pedro Monreal
+
+- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
+
 -------------------------------------------------------------------
 Wed May 24 11:01:10 UTC 2023 - Pedro Monreal
From 8c2487bb4bf4235ba547ed23b132e7d50385dcfae43e3348a2eaebc90694acdf Mon Sep 17 00:00:00 2001
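Review bot: The new `provides`/`obsoletes` pair makes the biarch `libgnutls30-<targettype>` package stand in for `libgnutls30-hmac-<targettype>`, but nothing in this hunk shows that package also carrying the `.hmac` file which `check_binary_integrity` in lib/fips.c (see the second patch) reads; if the old separate -hmac package is obsoleted without the file moving in, FIPS mode on the secondary arch has no integrity reference and fails closed. Please confirm the baselib's file list includes the hmac file computed for that arch's `libgnutls.so.30`, and say so in the changes entry, e.g. `- FIPS: ship the per-arch .hmac file in the biarch libgnutls30 package [bsc#1211476]`. The placeholders render as empty here (`libgnutls30-hmac- = -%release`), which looks like `<targettype>`/`<version>` being stripped by this view rather than missing from the file, but is worth a glance.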
From: Pedro Monreal Gonzalez
Date: Tue, 30 May 2023 08:25:26 +0000
Subject: [PATCH 2/2] Accepting request 1089747 from home:pmonrealgonzalez:branches:security:tls
Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
OBS-URL: https://build.opensuse.org/request/show/1089747
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=96
---
 gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch | 92 ++++++++++++++++++++++-
 gnutls.changes | 1 +
 2 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
index 1920514..fca7603 100644
--- a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
@@ -2,7 +2,95 @@ Index: gnutls-3.8.0/lib/fips.c
 ===================================================================
 --- gnutls-3.8.0.orig/lib/fips.c
 +++ gnutls-3.8.0/lib/fips.c
-@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+@@ -171,16 +171,28 @@ struct hmac_entry {
+ struct hmac_file {
+ int version;
+ struct hmac_entry gnutls;
++#if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ struct hmac_entry nettle;
+ struct hmac_entry hogweed;
+ struct hmac_entry gmp;
++#endif
+ };
+
+ struct lib_paths {
+ char gnutls[GNUTLS_PATH_MAX];
++#if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ char nettle[GNUTLS_PATH_MAX];
+ char hogweed[GNUTLS_PATH_MAX];
+ char gmp[GNUTLS_PATH_MAX];
++#endif
+ };
+
+ /*
+@@ -241,12 +253,18 @@ static int handler(void *user, const cha
+ }
+ } else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
+ return lib_handler(&p->gnutls, section, name, value);
++#if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ } else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
+ return lib_handler(&p->nettle, section, name, value);
+ } else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
+ return lib_handler(&p->hogweed, section, name, value);
+ } else if (!strcmp(section, GMP_LIBRARY_NAME)) {
+ return lib_handler(&p->gmp, section, name, value);
++#endif
+ } else {
+ return 0;
+ }
+@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info
+
+ if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ _gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
++#if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ _gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+ else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ _gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+ else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ _gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++#endif
+ return 0;
+ }
+
+@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat
+ _gnutls_debug_log("Gnutls library path was not found\n");
+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ }
++#if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ if (paths->nettle[0] == '\0') {
+ _gnutls_debug_log("Nettle library path was not found\n");
+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+@@ -421,7 +450,7 @@ static int load_lib_paths(struct lib_pat
+ _gnutls_debug_log("Gmp library path was not found\n");
+ return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ }
+-
++#endif
+ return GNUTLS_E_SUCCESS;
+ }
+
+@@ -467,6 +496,11 @@ static int check_binary_integrity(void)
 ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
 if (ret < 0)
 return ret;
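Review bot: Guarding the `NETTLE_LIBRARY_NAME`/`HOGWEED_LIBRARY_NAME`/`GMP_LIBRARY_NAME` branches of `handler` with `#if 0` makes those sections fall into the final `else { return 0; }`; if the ini parser driving `handler` treats 0 as a handler failure (the inih convention — the call site is outside this hunk), an .hmac file that still carries `[libnettle…]`, `[libhogweed…]` or `[libgmp…]` sections now fails the whole integrity check rather than skipping them, so either confirm the generated .hmac omits those sections or handle them explicitly, e.g. `} else if (!strcmp(section, NETTLE_LIBRARY_NAME) || !strcmp(section, HOGWEED_LIBRARY_NAME) || !strcmp(section, GMP_LIBRARY_NAME)) { return 1; /* intentionally not verified here */ }`. The pasted comment misspells gmp as `gpm` in every copy and repeats the same rationale five times; a single build-time guard such as `#ifdef GNUTLS_FIPS_CHECK_DEPS` around each block, with the explanation written once at the top of the file, would let the dependency checks be re-enabled from the build rather than by editing five `#if 0`s. Because nettle, hogweed and gmp implement the primitives the FIPS module actually runs, the comment should also state where (if anywhere) their HMACs are now verified, e.g. `/* nettle/hogweed/gmp integrity is not checked by gnutls; see bsc#1211476 for where it is covered */`, otherwise a reader cannot tell whether the integrity boundary still includes them. `handler`, `callback`, `load_lib_paths` and `check_binary_integrity` all start or end outside this hunk.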
@@ -14,7 +102,7 @@ Index: gnutls-3.8.0/lib/fips.c
 ret = check_lib_hmac(&hmac.nettle, paths.nettle);
 if (ret < 0)
 return ret;
-@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
+@@ -476,6 +510,7 @@ static int check_binary_integrity(void)
 ret = check_lib_hmac(&hmac.gmp, paths.gmp);
 if (ret < 0)
 return ret;
diff --git a/gnutls.changes b/gnutls.changes
index 026c4ec..25e8ab9 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -2,6 +2,7 @@
 Mon May 29 07:27:23 UTC 2023 - Pedro Monreal
 - FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
+ Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 -------------------------------------------------------------------
 Wed May 24 11:01:10 UTC 2023 - Pedro Monreal