From e21a7d807659dbe6a2aec74026c038c9ea849583742f1a5c695f07b5cdc3fce6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 2 Apr 2020 10:58:27 +0000 Subject: [PATCH] Accepting request 790830 from home:vitezslav_cizek:branches:security:tls - Use correct nettle .so version when looking for a FIPS checksum (bsc#1166635) * add gnutls-fips_correct_nettle_soversion.patch - Update to 3.6.13 * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol (#960) [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345) * libgnutls: Added new APIs to access KDF algorithms (#813). * libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality. * libgnutls: Added support for non-null terminated usernames in PSK negotiation (#586). * gnutls-cli-debug: Improved support for old servers that only support SSL 3.0. - Split off FIPS checksums into a separate libgnutls30-hmac subpackage (bsc#1152692) OBS-URL: https://build.opensuse.org/request/show/790830 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=32 --- gnutls-3.6.12.tar.xz | 3 --- gnutls-3.6.12.tar.xz.sig | Bin 310 -> 0 bytes gnutls-3.6.13.tar.xz | 3 +++ gnutls-3.6.13.tar.xz.sig | Bin 0 -> 442 bytes gnutls-fips_correct_nettle_soversion.patch | 13 +++++++++ gnutls.changes | 30 +++++++++++++++++++++ gnutls.spec | 20 +++++++++++--- 7 files changed, 62 insertions(+), 7 deletions(-) delete mode 100644 gnutls-3.6.12.tar.xz delete mode 100644 gnutls-3.6.12.tar.xz.sig create mode 100644 gnutls-3.6.13.tar.xz create mode 100644 gnutls-3.6.13.tar.xz.sig create mode 100644 gnutls-fips_correct_nettle_soversion.patch diff --git a/gnutls-3.6.12.tar.xz b/gnutls-3.6.12.tar.xz deleted file mode 100644 index 84557d0..0000000 --- a/gnutls-3.6.12.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bfacf16e342949ffd977a9232556092c47164bd26e166736cf3459a870506c4b -size 5942064 diff --git a/gnutls-3.6.12.tar.xz.sig b/gnutls-3.6.12.tar.xz.sig deleted file mode 100644 index f00331ed8f1546dbe258bbf3210a1f0121c8d8ae202807dfc7f81c790ba2fec2..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$w%s-2e&+5ZD|@ zhw*2cWo;b@0F!@p=vfrY_ZIuQ92NcXBoZy?>&wp!z;a{HT;AFaee=GB zF?K}xq}s}Rfxpdpp*}{-v-vx9Zr%jC_1c&EP@jSiKa&{dE8OJbX;C zjmE&P?OW3tKIYw7E|F0-uyN#n3QX}2onP;K!9wxK-LV&`_;XZqD{lwA3LbXeCOp0|dp(fxnC-VbQA@Jw&nBTi;aSM#>#R+UEcqLSuvc2df zL6=w?b20~=L#T0ei{J+W%2aJPNb+UTd%^}-AnG;-YPK$nXS + +- Use correct nettle .so version when looking for a FIPS checksum + (bsc#1166635) + * add gnutls-fips_correct_nettle_soversion.patch + +------------------------------------------------------------------- +Thu Apr 2 08:48:39 UTC 2020 - Vítězslav Čížek + +- Update to 3.6.13 + * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 +support) + The DTLS client would not contribute any randomness to the DTLS negotiation, + breaking the security guarantees of the DTLS protocol (#960) + [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345) + * libgnutls: Added new APIs to access KDF algorithms (#813). + * libgnutls: Added new callback gnutls_keylog_func that enables a custom + logging functionality. + * libgnutls: Added support for non-null terminated usernames in PSK + negotiation (#586). + * gnutls-cli-debug: Improved support for old servers that only support + SSL 3.0. + +------------------------------------------------------------------- +Mon Mar 30 12:43:33 UTC 2020 - Vítězslav Čížek + +- Split off FIPS checksums into a separate libgnutls30-hmac + subpackage (bsc#1152692) + ------------------------------------------------------------------- Tue Feb 4 09:49:44 UTC 2020 - Ondřej Súkup 
diff --git a/gnutls.spec b/gnutls.spec index 543f9c2..aa0e497 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -28,7 +28,7 @@ %bcond_with tpm %bcond_without guile Name: gnutls -Version: 3.6.12 +Version: 3.6.13 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-2.1-or-later AND GPL-3.0-or-later @@ -39,6 +39,7 @@ Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.x Source2: %{name}.keyring Source3: baselibs.conf Patch1: gnutls-3.5.11-skip-trust-store-tests.patch +Patch2: gnutls-fips_correct_nettle_soversion.patch Patch4: gnutls-3.6.6-set_guile_site_dir.patch BuildRequires: autogen BuildRequires: automake @@ -86,14 +87,25 @@ of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library +# install libopenssl and libopenssl-hmac close together (bsc#1090765) License: LGPL-2.1-or-later Group: System/Libraries +Suggests: libgnutls%{gnutls_sover}-hmac = %{version}-%{release} %description -n libgnutls%{gnutls_sover} The GnuTLS library provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. +%package -n libgnutls%{gnutls_sover}-hmac +Summary: Checksums of the GNU Transport Layer Security Library +License: LGPL-2.1-or-later +Group: System/Libraries +Requires: libgnutls%{gnutls_sover} = %{version}-%{release} + +%description -n libgnutls%{gnutls_sover}-hmac +FIPS SHA256 checksums of the libgnutls library. + %package -n libgnutls-dane%{gnutls_dane_sover} Summary: DANE support for the GNU Transport Layer Security Library License: LGPL-2.1-or-later @@ -157,9 +169,7 @@ Requires: guile GnuTLS Wrappers for GNU Guile, a dialect of Scheme. %prep -%setup -q -%patch1 -p1 -%patch4 -p1 +%autosetup -p1 %build export LDFLAGS="-pie" 
@@ -268,6 +278,8 @@ make %{?_smp_mflags} check || { %files -n libgnutls%{gnutls_sover} %{_libdir}/libgnutls.so.%{gnutls_sover}* + +%files -n libgnutls%{gnutls_sover}-hmac %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac %if %{with dane}
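Review bot: in the gnutls-3.6.12.tar.xz hunk (`@@ -1,3 +0,0 @@`) the old LFS pointer (oid sha256:bfacf16e..., size 5942064) is removed, but the matching pointer for gnutls-3.6.13.tar.xz and the new 442-byte .sig that the diffstat lists as created are not visible in this rendering, so the new tarball's oid and its signature against Source2 (%{name}.keyring) cannot be checked here; please confirm both new files are part of the request before accepting the version bump.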
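Review bot: in the gnutls.changes hunk the line `+support)` starts at column 0, breaking the indentation of the surrounding `*` entries; it should continue indented under "libgnutls: Fix a DTLS-protocol regression". The same entry cites GNUTLS-SA-2020-03-31 and bsc#1168345 but no CVE identifier; add it once assigned, since security trackers key on it.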
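Review bot: the `+Patch2: gnutls-fips_correct_nettle_soversion.patch` line in the gnutls.spec Patch hunk references a patch whose 13 added lines the diffstat lists but whose body is not visible in this rendering; because it changes which nettle .so version the FIPS checksum lookup uses (bsc#1166635), the reviewer should check the hard-coded soversion against the nettle build actually shipped, as a mismatch makes the FIPS integrity self-test fail. Numbering it 2 between Patch1 and Patch4 is fine, since `%autosetup -p1` in the %prep hunk applies all PatchN in numeric order.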
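Review bot: the comment `+# install libopenssl and libopenssl-hmac close together (bsc#1090765)` in the `%package -n libgnutls%{gnutls_sover}` hunk names the openssl packages and reads as a copy-paste leftover; it should say libgnutls%{gnutls_sover} and libgnutls%{gnutls_sover}-hmac. The strict `Requires: libgnutls%{gnutls_sover} = %{version}-%{release}` on the -hmac subpackage is correct, because the HMAC checksum is only valid for the exact library build it was computed over; consider stating in the -hmac %description that the package is needed for FIPS mode, since "FIPS SHA256 checksums of the libgnutls library" does not say why anyone would install it.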
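Review bot: replacing `%setup -q` / `%patch1 -p1` / `%patch4 -p1` with `%autosetup -p1` in the %prep hunk is fine and picks up the new Patch2 automatically; note that -p1 now applies uniformly to every PatchN, so any future patch must be generated with one leading path component or the build breaks at %prep.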
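Review bot: in the %files hunk the `%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac` entry moves out of libgnutls%{gnutls_sover} into the new -hmac subpackage while the main package only carries `Suggests:` on it, so a system that previously received the checksum from libgnutls%{gnutls_sover} can end up without the file after upgrade and the FIPS integrity self-test will not find it; the changes entry for bsc#1152692 should state that FIPS-enabled installations must install libgnutls%{gnutls_sover}-hmac, or the FIPS pattern should require it.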