Accepting request 1032959 from home:pmonrealgonzalez:branches:security:tls

- Temporarily revert the jitterentropy patches in s390 and s390x architectures until a fix is provided [bsc#1204937] - Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245] * Package the FIPS .hmac files * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch OBS-URL: https://build.opensuse.org/request/show/1032959 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=79
2022-11-02 21:55:38 +00:00 · 2022-11-02 21:55:38 +00:00 · eccec72a4b
commit eccec72a4b
parent f914173517
3 changed files with 20 additions and 50 deletions
--- a/gnutls-FIPS-hmac-check-only-libgnutls.patch
+++ b/gnutls-FIPS-hmac-check-only-libgnutls.patch
@ -1,20 +0,0 @@
 Index: gnutls-3.7.8/lib/fips.c
 ===================================================================
 --- gnutls-3.7.8.orig/lib/fips.c
 +++ gnutls-3.7.8/lib/fips.c
@@ -402,6 +402,7 @@ static int check_binary_integrity(void)
 	ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
 	if (ret < 0)
 		return ret;
 +#if 0
 	ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
 	if (ret < 0)
 		return ret;
@@ -411,6 +412,7 @@ static int check_binary_integrity(void)
 	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
 	if (ret < 0)
 		return ret;
 +#endif
 	return 0;
 }
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,15 +1,15 @@
 -------------------------------------------------------------------
 Wed Nov  2 20:51:43 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 - Temporarily revert the jitterentropy patches in s390 and s390x
  architectures until a fix is provided [bsc#1204937]
 -------------------------------------------------------------------
 Fri Oct 14 11:35:33 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- The FIPS hmac is now calculated with an internal tool since
+- Consolidate the FIPS .hmac files [bsc#1199881, bsc#1203245]
-  commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and it has
+  * Package the FIPS .hmac files
-  been renamed to .gnutls.hmac. [bsc#1199881, bsc#1203245]
+  * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch
  * Remove the fipscheck build dependency
  * Check only the calculated hmac for libgnutls.so.30 since the
    calculated hmacs for libnettle.so.8, libhogweed.so.6 and
    libgmp.so.10 in .gnutls.hmac are incorrect.
  * Add gnutls-FIPS-hmac-check-only-libgnutls.patch
  * Remove gnutls-FIPS-Run-CFB8-without-offset.patch
 -------------------------------------------------------------------
 Sun Oct  9 12:53:27 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
--- a/gnutls.spec
+++ b/gnutls.spec
@ -52,21 +52,22 @@ Patch1:         gnutls-FIPS-TLS_KDF_selftest.patch
 Patch2:         gnutls-FIPS-disable-failing-tests.patch
 Patch3:         gnutls_ECDSA_signing.patch
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 %ifnarch s390 s390x
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
 Patch4:         gnutls-FIPS-jitterentropy.patch
 #PATCH-FIX-SUSE bsc#1202146 FIPS: Set error state when jent init failed in FIPS mode
 Patch5:         gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
 %endif
 %endif
 #PATCH-FIX-SUSE bsc#1190698 FIPS: SLI gnutls_pbkdf2: verify keylengths and allow SHA only
 Patch6:         gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
 #PATCH-FIX-UPSTREAM bsc#1203779 Make XTS key check failure not fatal
 Patch7:         gnutls-Make-XTS-key-check-failure-not-fatal.patch
 #PATCH-FIX-SUSE bsc#1199881 FIPS: Check only the calculated hmac for libgnutls.so.%%{gnutls_sover}
 Patch8:         gnutls-FIPS-hmac-check-only-libgnutls.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
 BuildRequires:  fdupes
 BuildRequires:  fipscheck
 BuildRequires:  gcc-c++
 BuildRequires:  gtk-doc
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
@ -257,6 +258,13 @@ autoreconf -fiv
 %install
 %make_install
 # Compute FIPS hmac using the brp-50-generate-fips-hmac script
 export BRP_FIPSHMAC_FILES=%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
 ./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > %{buildroot}%{_libdir}/.gnutls.hmac
 sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
 # Do not package static libs and libtool files
 find %{buildroot} -type f -name "*.la" -delete -print
@ -275,25 +283,6 @@ rm -rf %{buildroot}%{_datadir}/doc/gnutls
 %find_lang libgnutls --all-name
 # the hmac hashes:
 #
 # this is a hack that re-defines the __os_install_post macro
 # for a simple reason: the macro strips the binaries and thereby
 # invalidates a HMAC that may have been created earlier.
 # solution: create the hashes _after_ the macro runs.
 #
 # this shows up earlier because otherwise the %%expand of
 # the macro is too late.
 # remark: This is the same as running
 #   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
 # note: The FIPS hmac is now calculated with an internal tool since
 #   commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed and the file
 #   has been renamed to .gnutls.hmac
 %{expand:%%global __os_install_post {%__os_install_post
 ./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.30" > %{buildroot}%{_libdir}/.gnutls.hmac
 sed -i "s^%{buildroot}/usr^^" %{buildroot}%{_libdir}/.gnutls.hmac
 }}
 %check
 %if ! 0%{?qemu_user_space_build}
 %make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
@ -343,6 +332,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %files -n libgnutls%{gnutls_sover}-hmac
 %license LICENSE
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 %{_libdir}/.gnutls.hmac
 %if %{with dane}