Accepting request 1088822 from home:pmonrealgonzalez:branches:security:tls

- FIPS: Skip the fixed HMAC verification for nettle, hogweed and gmp libraries. These calculated HMACs change for every build of each of these packages, we only have to verify that for gnutls. * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476] - FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116] OBS-URL: https://build.opensuse.org/request/show/1088822 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=93
2023-05-25 13:43:53 +00:00 · 2023-05-25 13:43:53 +00:00 · c7bc1d9ee7
commit c7bc1d9ee7
parent 51b1afe59a
4 changed files with 44 additions and 17 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,7 +1,7 @@
 libgnutls30
  obsoletes "gnutls-<targettype>"
+  provides "libgnutls30-<targettype> = <version>-%release"
+  obsoletes "libgnutls30-<targettype> < <version>-%release"
 libgnutls-devel
  requires -libgnutls-<targettype>
  requires "libgnutls30-<targettype> = <version>"
-libgnutls30-hmac
-  requires "libgnutls30-<targettype> = <version>-%release"
--- a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
@ -0,0 +1,24 @@
+Index: gnutls-3.8.0/lib/fips.c
+===================================================================
+--- gnutls-3.8.0.orig/lib/fips.c
+++ gnutls-3.8.0/lib/fips.c
+@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ 	if (ret < 0)
+ 		return ret;
+# if 0
+	/* Disable nettle, hogweed and gpm HMAC verification as
+	 * they are calculated during build of the respective
+	 * packages and can differ from the ones listed here.
+	 */
+ 	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ 	if (ret < 0)
+ 		return ret;
+@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ 	if (ret < 0)
+ 		return ret;
+# endif
+ 
+ 	return 0;
+ }
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+  gmp libraries. These calculated HMACs change for every build of
+  each of these packages, we only have to verify that for gnutls.
+  * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
 -------------------------------------------------------------------
 Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -62,9 +62,11 @@ Patch100:       gnutls-FIPS-PCT-DH.patch
 Patch101:       gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102:       gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch103:       gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103:       gnutls-FIPS-jitterentropy.patch
+Patch104:       gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires:  autogen
 BuildRequires:  automake
@ -118,10 +120,10 @@ of the IETF's TLS working group.

 %package -n libgnutls%{gnutls_sover}
 Summary:        The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-Suggests:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes:      libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
@ -131,15 +133,6 @@ The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.

-%package -n libgnutls%{gnutls_sover}-hmac
-Summary:        Checksums of the GNU Transport Layer Security Library
-License:        LGPL-2.1-or-later
-Group:          System/Libraries
-Requires:       libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
@ -339,9 +332,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}
 %license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

 %if %{with dane}