diff --git a/baselibs.conf b/baselibs.conf
index 3f783e8..b638d71 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,7 @@
 libgnutls30
 obsoletes "gnutls-"
+ provides "libgnutls30- = -%release"
+ obsoletes "libgnutls30- < -%release"
 libgnutls-devel
 requires -libgnutls-
 requires "libgnutls30- = "
-libgnutls30-hmac
- requires "libgnutls30- = -%release"
diff --git a/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
new file mode 100644
index 0000000..1920514
--- /dev/null
+++ b/gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
@@ -0,0 +1,24 @@
+Index: gnutls-3.8.0/lib/fips.c
+===================================================================
+--- gnutls-3.8.0.orig/lib/fips.c
++++ gnutls-3.8.0/lib/fips.c
+@@ -467,6 +467,11 @@ static int check_binary_integrity(void)
+ ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ if (ret < 0)
+ return ret;
++# if 0
++ /* Disable nettle, hogweed and gpm HMAC verification as
++ * they are calculated during build of the respective
++ * packages and can differ from the ones listed here.
++ */
+ ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ if (ret < 0)
+ return ret;
+@@ -476,6 +481,7 @@ static int check_binary_integrity(void)
+ ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ if (ret < 0)
+ return ret;
++# endif
+
+ return 0;
+ }
diff --git a/gnutls.changes b/gnutls.changes
index ca2a1de..c6a9873 100644
--- a/gnutls.changes
+++ b/gnutls.changes
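Review bot: Wrapping the nettle, hogweed and gmp calls in `# if 0` in the inner `@@ -467,6 +467,11 @@` hunk narrows what `check_binary_integrity()` verifies in FIPS mode to libgnutls's own HMAC, so a mismatched or modified libnettle/libhogweed/libgmp is no longer caught by this self-test; the in-code comment should state what covers that gap (the respective packages' own checks, or those libraries being outside the module boundary) rather than only why the embedded hashes differ. The comment also reads `gpm` where the call directly below it uses `paths.gmp`, so `gmp` is meant. Leaving three live-looking `check_lib_hmac` calls under `# if 0` invites someone to re-enable them later without this context; removing the calls, or guarding them with a named and documented build-time macro instead of `# if 0`, keeps the decision visible. The function's opening and the declarations of `hmac` and `paths` are outside the quoted hunks.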
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed May 24 11:01:10 UTC 2023 - Pedro Monreal
+
+- FIPS: Skip the fixed HMAC verification for nettle, hogweed and
+ gmp libraries. These calculated HMACs change for every build of
+ each of these packages, we only have to verify that for gnutls.
+ * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476]
+
+-------------------------------------------------------------------
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal
+
+- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116]
+
 -------------------------------------------------------------------
 Mon May 15 09:57:45 UTC 2023 - Guillaume GARDET
diff --git a/gnutls.spec b/gnutls.spec
index 3451282..a8dbc1f 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -62,9 +62,11 @@ Patch100: gnutls-FIPS-PCT-DH.patch
 Patch101: gnutls-FIPS-PCT-ECDH.patch
 #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
 Patch102: gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch103: gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
-Patch103: gnutls-FIPS-jitterentropy.patch
+Patch104: gnutls-FIPS-jitterentropy.patch
 %endif
 BuildRequires: autogen
 BuildRequires: automake
@@ -118,10 +120,10 @@ of the IETF's TLS working group.
 %package -n libgnutls%{gnutls_sover}
 Summary: The GNU Transport Layer Security Library
-# install libgnutls and libgnutls-hmac close together (bsc#1090765)
 License: LGPL-2.1-or-later
 Group: System/Libraries
-Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Provides: libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes: libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires: crypto-policies
 %endif
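Review bot: Renumbering the jitterentropy patch from `Patch103` to `Patch104` in the `@@ -62,9 +62,11 @@` hunk only updates the tag; the %prep section that applies the patches is outside this diff. If patches are applied there by explicit `%patch103 -p1` lines inside the same `%if` rather than by `%autosetup`/`%autopatch`, the existing line would now apply the new HMAC patch and the jitterentropy patch would silently stop being applied, so that section needs checking. Giving the new patch the next free number instead of shifting an existing one avoids this hazard entirely.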
@@ -131,15 +133,6 @@ The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards of
 the IETF's TLS working group.
-%package -n libgnutls%{gnutls_sover}-hmac
-Summary: Checksums of the GNU Transport Layer Security Library
-License: LGPL-2.1-or-later
-Group: System/Libraries
-Requires: libgnutls%{gnutls_sover} = %{version}-%{release}
-
-%description -n libgnutls%{gnutls_sover}-hmac
-FIPS SHA256 checksums of the libgnutls library.
-
 %if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary: DANE support for the GNU Transport Layer Security Library
@@ -339,9 +332,6 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}
 %license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
-
-%files -n libgnutls%{gnutls_sover}-hmac
-%license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 %if %{with dane}