From fd66c8789e6a265595586144c032985873a081f8d67e4745d8ef71f0d8e93748 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Fri, 17 Nov 2023 11:27:55 +0000 Subject: [PATCH] Accepting request 1127282 from home:pmonrealgonzalez:branches:security:tls - Update to 3.8.2: [bsc#1217277, CVE-2023-5981] * libgnutls: Fix timing side-channel inside RSA-PSK key exchange. [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981] * libgnutls: Add API functions to perform ECDH and DH key agreement The functionality has been there for a long time though they were not available as part of the public API. This enables applications to implement custom protocols leveraging non-interactive key agreement with ECDH and DH. * libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452) The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through the AEAD interface. Note that, unlike GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is appended to the ciphertext, not prepended. * libgnutls: transparent KTLS support is extended to FreeBSD kernel The kernel TLS feature can now be enabled on FreeBSD as well as Linux when compiled with the --enable-ktls configure option. * gnutls-cli: New option --starttls-name Depending on deployment, application protocols such as XMPP may require a different origin address than the external address to be presented prior to STARTTLS negotiation. The --starttls-name can be used to specify specify the addresses separately. * API and ABI modifications: - gnutls_pubkey_import_dh_raw: New function - gnutls_privkey_import_dh_raw: New function - gnutls_pubkey_export_dh_raw: New function - gnutls_privkey_export_dh_raw: New function - gnutls_x509_privkey_import_dh_raw: New function - gnutls_privkey_derive_secret: New function - GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t OBS-URL: https://build.opensuse.org/request/show/1127282 OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=101 --- gnutls-3.8.1.tar.xz | 3 - gnutls-3.8.1.tar.xz.sig | Bin 685 -> 0 bytes gnutls-3.8.2.tar.xz | 3 + gnutls-3.8.2.tar.xz.sig | Bin 0 -> 685 bytes gnutls-FIPS-140-3-references.patch | 324 +++++++++--------- ...s-GNUTLS_NO_EXTENSIONS-compatibility.patch | 56 --- gnutls.changes | 38 ++ gnutls.spec | 4 +- 8 files changed, 204 insertions(+), 224 deletions(-) delete mode 100644 gnutls-3.8.1.tar.xz delete mode 100644 gnutls-3.8.1.tar.xz.sig create mode 100644 gnutls-3.8.2.tar.xz create mode 100644 gnutls-3.8.2.tar.xz.sig delete mode 100644 gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch diff --git a/gnutls-3.8.1.tar.xz b/gnutls-3.8.1.tar.xz deleted file mode 100644 index 320348f..0000000 --- a/gnutls-3.8.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ba8b9e15ae20aba88f44661978f5b5863494316fe7e722ede9d069fe6294829c -size 6447056 diff --git a/gnutls-3.8.1.tar.xz.sig b/gnutls-3.8.1.tar.xz.sig deleted file mode 100644 index b455610869483509cd67353f06a26d2b867db5c3103bdbe487fea847de99bf33..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrWX!xb0162ZdUd8q zv-u(nJQ4u?8hQ2?f@2(4zaNo>{ygpSwd zm~jOHWX#E;0162Z)&+!)*XEdU*E0|Rj~pTE!aKZhL515b;R=b3Hr~DVPMzS+G#;*7 zm-KhBSj`Y}_EE;A^ku~U@n2TxQE!X2#~VDLym?F2^K>JniZ-Bfus+Z& z-l`ZG!Qc-nmzl##-h(KnZk~xw>h%C1Bmp?E`zY;0xdnTANqO*7 z9B)(Wt4)`p9cl9M4Zbd&$UGw8uE82!(vFxB(B3cU^D#k&=;9U(sCJ^wv;L$ro zU{CGLRGM`6!Ev7)5#_q=k3ZCE%FI*_CdWPFlAn}^D<$=+f1|4eFy*Vi)IrSKE;aq! zjN7B@V`ckm1}n#69ihZHMM=%S>g9(hk-m2NyC$ex6$QC=y$gS7E=!-|IMLqh?Xt@0 z4`98C2pdVeR!6^QMZ1A;^`M8h5*PeQXVkOCepH3-SKG9eCuntNM=O)|4B!BQH?NwO zS&X1w>bZJu)688NWgo@!(Ey diff --git a/gnutls-3.8.2.tar.xz b/gnutls-3.8.2.tar.xz new file mode 100644 index 0000000..6705100 --- /dev/null +++ b/gnutls-3.8.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77 +size 6456540 diff --git a/gnutls-3.8.2.tar.xz.sig b/gnutls-3.8.2.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..43978a0b0ff3c624192a0cb53893c9cc47ac34ffe5154746b5e1ef123dbb3a3e GIT binary patch literal 685 zcmV;e0#f~mbp!ww3IH7zAp~7U%MW%m1*ZiyR`hyxrbx5-A`ArrWmKHY0162ZdUd8q zv-u(n9r*zMCTI$z!=szQN#WAGV_#}X^Q+_udu?#HS6MpT%B;+p0RKz|tgN(BRNc{r z8*dLs>2IlhB@Q_`S6i0$$s5vk4zaNo>{ygpSwd zm~jOHWmK%=0162Z)&+!)*XEdUCejc8UMHWaflz>l}MeWUvz^b zlqBGfc?h8cUscu>AqIE%d$QF^31Ps$VH^XkTzH0wO|Cmc7wkY9q$Se~g#Fv64%&g~ zo&7dOcc@ayfA$!&+#=fgRk9<^lge@4cD@vheAF%~Y7$K>oSS{Uk!eTTfaJ5(zII#T z2C*~Q4w$(@(om-np}QbWrM$rL_;5~TE$(ArXn>dbmj}sMf)B8}z(7Bwgxh ze}uE@LRYz2P{4Qn7>GYXSs^uP9b-*SWMB#QM}x<{MObpwiy&>EJ%c`|aX8>V`gu zI^2_}ZS#pgjAeHDrwMsmZSfQ7pA>@e8JV||lT7!hT}ZI], [dladdr (0, 0);]) @@ -25,10 +25,10 @@ Index: gnutls-3.8.1/configure.ac AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name], [specify the FIPS140 module name]), -Index: gnutls-3.8.1/doc/cha-gtls-app.texi +Index: gnutls-3.8.2/doc/cha-gtls-app.texi =================================================================== ---- gnutls-3.8.1.orig/doc/cha-gtls-app.texi -+++ gnutls-3.8.1/doc/cha-gtls-app.texi +--- gnutls-3.8.2.orig/doc/cha-gtls-app.texi ++++ gnutls-3.8.2/doc/cha-gtls-app.texi @@ -222,7 +222,7 @@ CPU. The currently available options are @end itemize @@ -38,10 +38,10 @@ Index: gnutls-3.8.1/doc/cha-gtls-app.texi if set to one it will force the FIPS mode enablement. @end multitable -Index: gnutls-3.8.1/doc/cha-internals.texi +Index: gnutls-3.8.2/doc/cha-internals.texi =================================================================== ---- gnutls-3.8.1.orig/doc/cha-internals.texi -+++ gnutls-3.8.1/doc/cha-internals.texi +--- gnutls-3.8.2.orig/doc/cha-internals.texi ++++ gnutls-3.8.2/doc/cha-internals.texi @@ -14,7 +14,7 @@ happens inside the black box. * TLS Hello Extension Handling:: * Cryptographic Backend:: @@ -162,11 +162,11 @@ Index: gnutls-3.8.1/doc/cha-internals.texi operation. It can be attached to the current execution thread with @funcref{gnutls_fips140_push_context} and its internal state will be updated until it is detached with -Index: gnutls-3.8.1/doc/enums.texi +Index: gnutls-3.8.2/doc/enums.texi =================================================================== ---- gnutls-3.8.1.orig/doc/enums.texi -+++ gnutls-3.8.1/doc/enums.texi -@@ -1184,7 +1184,7 @@ application traffic secret is installed +--- gnutls-3.8.2.orig/doc/enums.texi ++++ gnutls-3.8.2/doc/enums.texi +@@ -1188,7 +1188,7 @@ application traffic secret is installed @c gnutls_fips_mode_t @table @code @item GNUTLS_@-FIPS140_@-DISABLED @@ -175,7 +175,7 @@ Index: gnutls-3.8.1/doc/enums.texi @item GNUTLS_@-FIPS140_@-STRICT The default mode; all forbidden operations will cause an operation failure via error code. -@@ -1192,8 +1192,8 @@ operation failure via error code. +@@ -1196,8 +1196,8 @@ operation failure via error code. A transient state during library initialization. That state cannot be set or seen by applications. @item GNUTLS_@-FIPS140_@-LAX @@ -186,10 +186,10 @@ Index: gnutls-3.8.1/doc/enums.texi application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility). @item GNUTLS_@-FIPS140_@-LOG -Index: gnutls-3.8.1/doc/functions/gnutls_fips140_set_mode +Index: gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode =================================================================== ---- gnutls-3.8.1.orig/doc/functions/gnutls_fips140_set_mode -+++ gnutls-3.8.1/doc/functions/gnutls_fips140_set_mode +--- gnutls-3.8.2.orig/doc/functions/gnutls_fips140_set_mode ++++ gnutls-3.8.2/doc/functions/gnutls_fips140_set_mode @@ -3,7 +3,7 @@ @@ -215,10 +215,10 @@ Index: gnutls-3.8.1/doc/functions/gnutls_fips140_set_mode values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library switches to @code{GNUTLS_FIPS140_STRICT} mode. -Index: gnutls-3.8.1/doc/gnutls.html +Index: gnutls-3.8.2/doc/gnutls.html =================================================================== ---- gnutls-3.8.1.orig/doc/gnutls.html -+++ gnutls-3.8.1/doc/gnutls.html +--- gnutls-3.8.2.orig/doc/gnutls.html ++++ gnutls-3.8.2/doc/gnutls.html @@ -484,7 +484,7 @@ Documentation License”.
  • 11.4 TLS Extension Handling
  • 11.5 Cryptographic Backend
    • @@ -237,7 +237,7 @@ Index: gnutls-3.8.1/doc/gnutls.html if set to one it will force the FIPS mode enablement. -@@ -18437,7 +18437,7 @@ None: +@@ -18446,7 +18446,7 @@ None: --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -246,7 +246,7 @@ Index: gnutls-3.8.1/doc/gnutls.html --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -@@ -19445,7 +19445,7 @@ happens inside the black box. +@@ -19468,7 +19468,7 @@ happens inside the black box.
  • TLS Extension Handling
  • Cryptographic Backend
  • Random Number Generators
    • @@ -255,7 +255,7 @@ Index: gnutls-3.8.1/doc/gnutls.html
    @@ -302,7 +302,7 @@ Index: gnutls-3.8.1/doc/gnutls.html as follows.

      -@@ -20143,12 +20143,12 @@ as follows. +@@ -20166,12 +20166,12 @@ as follows.
    • Algorithm self-tests are run on library load
    @@ -318,7 +318,7 @@ Index: gnutls-3.8.1/doc/gnutls.html
  • Any cryptographic operation will be refused if any of the self-tests failed
    • -@@ -20157,7 +20157,7 @@ modified as follows. +@@ -20180,7 +20180,7 @@ modified as follows. environment variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS will disable the library integrity tests on startup, and the variable GNUTLS_FORCE_FIPS_MODE can be set to force a value from @@ -327,7 +327,7 @@ Index: gnutls-3.8.1/doc/gnutls.html mode, while ’0’ will disable it.

    The integrity checks for the dependent libraries and GnuTLS are performed -@@ -20165,13 +20165,13 @@ using ’.hmac’ files which ar +@@ -20188,13 +20188,13 @@ using ’.hmac’ files which ar key for the operations can be provided on compile-time with the configure option ’–with-fips140-key’. The MAC algorithm used is HMAC-SHA256.

    @@ -344,7 +344,7 @@ Index: gnutls-3.8.1/doc/gnutls.html the application can relax these requirements via gnutls_fips140_set_mode which can switch to alternative modes as in Figure 11.5.

    -@@ -20180,7 +20180,7 @@ which can switch to alternative modes as +@@ -20203,7 +20203,7 @@ which can switch to alternative modes as
    GNUTLS_FIPS140_DISABLED
    @@ -353,7 +353,7 @@ Index: gnutls-3.8.1/doc/gnutls.html

    GNUTLS_FIPS140_STRICT

    The default mode; all forbidden operations will cause an -@@ -20191,8 +20191,8 @@ operation failure via error code. +@@ -20214,8 +20214,8 @@ operation failure via error code. cannot be set or seen by applications.

    GNUTLS_FIPS140_LAX
    @@ -364,7 +364,7 @@ Index: gnutls-3.8.1/doc/gnutls.html application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility).

    -@@ -20204,7 +20204,7 @@ to a message to the audit callback funct +@@ -20227,7 +20227,7 @@ to a message to the audit callback funct

    Figure 11.5: The gnutls_fips_mode_t enumeration.

    The intention of this API is to be used by applications which may run in @@ -373,7 +373,7 @@ Index: gnutls-3.8.1/doc/gnutls.html e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following.

    -@@ -20233,9 +20233,9 @@ if (gnutls_fips140_mode_enabled()) +@@ -20256,9 +20256,9 @@ if (gnutls_fips140_mode_enabled())

    The reason of the GNUTLS_FIPS140_SET_MODE_THREAD flag in the previous calls is to localize the change in the mode. Note also, that such a block has no effect when the library is not operating @@ -385,7 +385,7 @@ Index: gnutls-3.8.1/doc/gnutls.html 

    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
    -@@ -20258,7 +20258,7 @@ performed within a given context. +@@ -20281,7 +20281,7 @@ performed within a given context.
    int gnutls_fips140_pop_context ( void)
    @@ -394,7 +394,7 @@ Index: gnutls-3.8.1/doc/gnutls.html operation. It can be attached to the current execution thread with gnutls_fips140_push_context and its internal state will be updated until it is detached with -@@ -20631,8 +20631,8 @@ Previous: @@ -405,7 +405,7 @@ Index: gnutls-3.8.1/doc/gnutls.html

    -@@ -24544,7 +24544,7 @@ unusable. This function is not thread-s +@@ -24569,7 +24569,7 @@ unusable. This function is not thread-s

    gnutls_fips140_set_mode

    Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t mode, unsigned flags)
    @@ -414,7 +414,7 @@ Index: gnutls-3.8.1/doc/gnutls.html

    flags: should be zero or GNUTLS_FIPS140_SET_MODE_THREAD

    -@@ -24553,13 +24553,13 @@ unusable. This function is not thread-s +@@ -24578,13 +24578,13 @@ unusable. This function is not thread-s behavior with no flags after threads are created is undefined.

    When the flag GNUTLS_FIPS140_SET_MODE_THREAD is specified @@ -430,7 +430,7 @@ Index: gnutls-3.8.1/doc/gnutls.html values for mode or to GNUTLS_FIPS140_SELFTESTS mode, the library switches to GNUTLS_FIPS140_STRICT mode.

    -@@ -46765,7 +46765,7 @@ Next: gnutls_fingerprintCore TLS API gnutls_fips140_context_deinitCore TLS API gnutls_fips140_context_initCore TLS API @@ -439,11 +439,11 @@ Index: gnutls-3.8.1/doc/gnutls.html gnutls_fips140_get_operation_stateCore TLS API gnutls_fips140_mode_enabledCore TLS API gnutls_fips140_pop_contextCore TLS API -Index: gnutls-3.8.1/doc/gnutls.info-3 +Index: gnutls-3.8.2/doc/gnutls.info-3 =================================================================== ---- gnutls-3.8.1.orig/doc/gnutls.info-3 -+++ gnutls-3.8.1/doc/gnutls.info-3 -@@ -2241,7 +2241,7 @@ to ‘more’. Both will exit with a st +--- gnutls-3.8.2.orig/doc/gnutls.info-3 ++++ gnutls-3.8.2/doc/gnutls.info-3 +@@ -2248,7 +2248,7 @@ to ‘more’. Both will exit with a st --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -452,7 +452,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -@@ -3379,7 +3379,7 @@ to know what happens inside the black bo +@@ -3401,7 +3401,7 @@ to know what happens inside the black bo * TLS Hello Extension Handling:: * Cryptographic Backend:: * Random Number Generators-internals:: @@ -461,7 +461,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3  File: gnutls.info, Node: The TLS Protocol, Next: TLS Handshake Protocol, Up: Internal architecture of GnuTLS -@@ -3911,7 +3911,7 @@ and abstract key types::. +@@ -3933,7 +3933,7 @@ and abstract key types::. kernel implementation of ‘/dev/crypto’.  @@ -470,7 +470,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 11.6 Random Number Generators ============================= -@@ -3921,7 +3921,7 @@ About the generators +@@ -3943,7 +3943,7 @@ About the generators GnuTLS provides two random generators. The default, and the AES-DRBG random generator which is only used when the library is compiled with @@ -479,7 +479,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 The default generator - inner workings -------------------------------------- -@@ -4153,7 +4153,7 @@ in *note Figure 11.5: gnutls_fips_mode_t +@@ -4175,7 +4175,7 @@ in *note Figure 11.5: gnutls_fips_mode_t Figure 11.5: The ‘gnutls_fips_mode_t’ enumeration. The intention of this API is to be used by applications which may run in @@ -488,7 +488,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 set, e.g., for non-security related purposes. In these cases applications should wrap the non-compliant code within blocks like the following. -@@ -4177,10 +4177,10 @@ are macros to simplify the following seq +@@ -4199,10 +4199,10 @@ are macros to simplify the following seq The reason of the ‘GNUTLS_FIPS140_SET_MODE_THREAD’ flag in the previous calls is to localize the change in the mode. Note also, that such a @@ -501,7 +501,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0); Service indicator -@@ -4662,8 +4662,8 @@ There are certifications from national o +@@ -4684,8 +4684,8 @@ There are certifications from national o practices, such as unit testing and reliance on well known crypto primitives. @@ -512,7 +512,7 @@ Index: gnutls-3.8.1/doc/gnutls.info-3  File: gnutls.info, Node: Error codes, Next: Supported ciphersuites, Prev: Support, Up: Top -@@ -9128,7 +9128,7 @@ gnutls_fips140_set_mode +@@ -9152,7 +9152,7 @@ gnutls_fips140_set_mode -- Function: void gnutls_fips140_set_mode (gnutls_fips_mode_t MODE, unsigned FLAGS) @@ -521,11 +521,11 @@ Index: gnutls-3.8.1/doc/gnutls.info-3 FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’ -Index: gnutls-3.8.1/doc/invoke-gnutls-cli.texi +Index: gnutls-3.8.2/doc/invoke-gnutls-cli.texi =================================================================== ---- gnutls-3.8.1.orig/doc/invoke-gnutls-cli.texi -+++ gnutls-3.8.1/doc/invoke-gnutls-cli.texi -@@ -99,7 +99,7 @@ None: +--- gnutls-3.8.2.orig/doc/invoke-gnutls-cli.texi ++++ gnutls-3.8.2/doc/invoke-gnutls-cli.texi +@@ -102,7 +102,7 @@ None: --inline-commands-prefix=str Change the default delimiter for inline commands --provider=file Specify the PKCS #11 provider library - file must pre-exist @@ -534,11 +534,11 @@ Index: gnutls-3.8.1/doc/invoke-gnutls-cli.texi --list-config Reports the configuration of the library --logfile=str Redirect informational messages to a specific file --keymatexport=str Label used for exporting keying material -Index: gnutls-3.8.1/doc/manpages/gnutls-cli.1 +Index: gnutls-3.8.2/doc/manpages/gnutls-cli.1 =================================================================== ---- gnutls-3.8.1.orig/doc/manpages/gnutls-cli.1 -+++ gnutls-3.8.1/doc/manpages/gnutls-cli.1 -@@ -389,7 +389,7 @@ Specify the PKCS #11 provider library. +--- gnutls-3.8.2.orig/doc/manpages/gnutls-cli.1 ++++ gnutls-3.8.2/doc/manpages/gnutls-cli.1 +@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library. This will override the default options in /etc/gnutls/pkcs11.conf .TP .NOP \f\*[B-Font]\-\-fips140\-mode\f[] @@ -547,11 +547,11 @@ Index: gnutls-3.8.1/doc/manpages/gnutls-cli.1 .sp .TP .NOP \f\*[B-Font]\-\-list\-config\f[] -Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html +Index: gnutls-3.8.2/doc/reference/html/gnutls-gnutls.html =================================================================== ---- gnutls-3.8.1.orig/doc/reference/html/gnutls-gnutls.html -+++ gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html -@@ -20862,12 +20862,12 @@ gnutls_fips140_set_mode (

    When the flag GNUTLS_FIPS140_SET_MODE_THREAD is specified @@ -566,7 +566,7 @@ Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html values for mode or to GNUTLS_FIPS140_SELFTESTS mode, the library switches to GNUTLS_FIPS140_STRICT mode.

    -@@ -20882,7 +20882,7 @@ switches to

    mode

    @@ -575,7 +575,7 @@ Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html   -@@ -25880,7 +25880,7 @@ encryption

    +@@ -25904,7 +25904,7 @@ encryption

    enum gnutls_fips_mode_t

    @@ -584,7 +584,7 @@ Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html

    Members

    -@@ -25893,7 +25893,7 @@ encryption

    +@@ -25917,7 +25917,7 @@ encryption

    -@@ -25916,8 +25916,8 @@ operation failure via error code.

    +@@ -25940,8 +25940,8 @@ operation failure via error code.

    -@@ -27552,4 +27552,4 @@ This is used by
    Generated by GTK-Doc V1.33.1 - \ No newline at end of file + -Index: gnutls-3.8.1/lib/fips.c +Index: gnutls-3.8.2/lib/fips.c =================================================================== ---- gnutls-3.8.1.orig/lib/fips.c -+++ gnutls-3.8.1/lib/fips.c +--- gnutls-3.8.2.orig/lib/fips.c ++++ gnutls-3.8.2/lib/fips.c @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void) } @@ -734,10 +734,10 @@ Index: gnutls-3.8.1/lib/fips.c } gnutls_fips140_context_deinit(fips_context); } -Index: gnutls-3.8.1/lib/fips.h +Index: gnutls-3.8.2/lib/fips.h =================================================================== ---- gnutls-3.8.1.orig/lib/fips.h -+++ gnutls-3.8.1/lib/fips.h +--- gnutls-3.8.2.orig/lib/fips.h ++++ gnutls-3.8.2/lib/fips.h @@ -160,7 +160,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci } @@ -778,10 +778,10 @@ Index: gnutls-3.8.1/lib/fips.h gnutls_cipher_get_name(algo)); FALLTHROUGH; case GNUTLS_FIPS140_DISABLED: -Index: gnutls-3.8.1/lib/global.c +Index: gnutls-3.8.2/lib/global.c =================================================================== ---- gnutls-3.8.1.orig/lib/global.c -+++ gnutls-3.8.1/lib/global.c +--- gnutls-3.8.2.orig/lib/global.c ++++ gnutls-3.8.2/lib/global.c @@ -337,12 +337,12 @@ static int _gnutls_global_init(unsigned #ifdef ENABLE_FIPS140 @@ -815,11 +815,11 @@ Index: gnutls-3.8.1/lib/global.c if (res != 2) { gnutls_assert(); goto out; -Index: gnutls-3.8.1/lib/includes/gnutls/gnutls.h.in +Index: gnutls-3.8.2/lib/includes/gnutls/gnutls.h.in =================================================================== ---- gnutls-3.8.1.orig/lib/includes/gnutls/gnutls.h.in -+++ gnutls-3.8.1/lib/includes/gnutls/gnutls.h.in -@@ -3192,16 +3192,16 @@ typedef int (*gnutls_alert_read_func)(gn +--- gnutls-3.8.2.orig/lib/includes/gnutls/gnutls.h.in ++++ gnutls-3.8.2/lib/includes/gnutls/gnutls.h.in +@@ -3199,16 +3199,16 @@ typedef int (*gnutls_alert_read_func)(gn void gnutls_alert_set_read_function(gnutls_session_t session, gnutls_alert_read_func func); @@ -840,7 +840,7 @@ Index: gnutls-3.8.1/lib/includes/gnutls/gnutls.h.in * application is aware of the followed security policy, and needs * to utilize disallowed operations for other reasons (e.g., compatibility). * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results -@@ -3209,7 +3209,7 @@ unsigned gnutls_fips140_mode_enabled(voi +@@ -3216,7 +3216,7 @@ unsigned gnutls_fips140_mode_enabled(voi * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state * cannot be set or seen by applications. * @@ -849,11 +849,11 @@ Index: gnutls-3.8.1/lib/includes/gnutls/gnutls.h.in */ typedef enum gnutls_fips_mode_t { GNUTLS_FIPS140_DISABLED = 0, -Index: gnutls-3.8.1/src/cli.c +Index: gnutls-3.8.2/src/cli.c =================================================================== ---- gnutls-3.8.1.orig/src/cli.c -+++ gnutls-3.8.1/src/cli.c -@@ -1634,10 +1634,10 @@ static void cmd_parser(int argc, char ** +--- gnutls-3.8.2.orig/src/cli.c ++++ gnutls-3.8.2/src/cli.c +@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char ** if (HAVE_OPT(FIPS140_MODE)) { if (gnutls_fips140_mode_enabled() != 0) { @@ -866,11 +866,11 @@ Index: gnutls-3.8.1/src/cli.c exit(1); } -Index: gnutls-3.8.1/src/gnutls-cli-options.c +Index: gnutls-3.8.2/src/gnutls-cli-options.c =================================================================== ---- gnutls-3.8.1.orig/src/gnutls-cli-options.c -+++ gnutls-3.8.1/src/gnutls-cli-options.c -@@ -791,7 +791,7 @@ usage (FILE *out, int status) +--- gnutls-3.8.2.orig/src/gnutls-cli-options.c ++++ gnutls-3.8.2/src/gnutls-cli-options.c +@@ -810,7 +810,7 @@ usage (FILE *out, int status) " --inline-commands-prefix=str Change the default delimiter for inline commands\n" " --provider=file Specify the PKCS #11 provider library\n" " - file must pre-exist\n" @@ -879,10 +879,10 @@ Index: gnutls-3.8.1/src/gnutls-cli-options.c " --list-config Reports the configuration of the library\n" " --logfile=str Redirect informational messages to a specific file\n" " --keymatexport=str Label used for exporting keying material\n" -Index: gnutls-3.8.1/tests/cert-tests/gost.sh +Index: gnutls-3.8.2/tests/cert-tests/gost.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/gost.sh -+++ gnutls-3.8.1/tests/cert-tests/gost.sh +--- gnutls-3.8.2.orig/tests/cert-tests/gost.sh ++++ gnutls-3.8.2/tests/cert-tests/gost.sh @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -892,10 +892,10 @@ Index: gnutls-3.8.1/tests/cert-tests/gost.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs12-corner-cases.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs12-corner-cases.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs12-corner-cases.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs12-corner-cases.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-corner-cases.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs12-corner-cases.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -905,10 +905,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs12-corner-cases.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs12-encode.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs12-encode.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs12-encode.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs12-encode.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-encode.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs12-encode.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -918,10 +918,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs12-encode.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs12-gost.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs12-gost.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs12-gost.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs12-gost.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12-gost.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs12-gost.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -931,10 +931,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs12-gost.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs12.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs12.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs12.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs12.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs12.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs12.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -944,10 +944,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs12.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs8-decode.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs8-decode.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs8-decode.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs8-decode.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-decode.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs8-decode.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -957,10 +957,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs8-decode.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs8-eddsa.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs8-eddsa.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs8-eddsa.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs8-eddsa.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-eddsa.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs8-eddsa.sh @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -970,10 +970,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs8-eddsa.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs8-gost.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs8-gost.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs8-gost.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs8-gost.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8-gost.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs8-gost.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -983,10 +983,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs8-gost.sh exit 77 fi -Index: gnutls-3.8.1/tests/cert-tests/pkcs8.sh +Index: gnutls-3.8.2/tests/cert-tests/pkcs8.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cert-tests/pkcs8.sh -+++ gnutls-3.8.1/tests/cert-tests/pkcs8.sh +--- gnutls-3.8.2.orig/tests/cert-tests/pkcs8.sh ++++ gnutls-3.8.2/tests/cert-tests/pkcs8.sh @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then fi @@ -996,10 +996,10 @@ Index: gnutls-3.8.1/tests/cert-tests/pkcs8.sh exit 77 fi -Index: gnutls-3.8.1/tests/cipher-listings.sh +Index: gnutls-3.8.2/tests/cipher-listings.sh =================================================================== ---- gnutls-3.8.1.orig/tests/cipher-listings.sh -+++ gnutls-3.8.1/tests/cipher-listings.sh +--- gnutls-3.8.2.orig/tests/cipher-listings.sh ++++ gnutls-3.8.2/tests/cipher-listings.sh @@ -63,7 +63,7 @@ check() ${CLI} --fips140-mode @@ -1009,10 +1009,10 @@ Index: gnutls-3.8.1/tests/cipher-listings.sh exit 77 fi -Index: gnutls-3.8.1/tests/testpkcs11.sh +Index: gnutls-3.8.2/tests/testpkcs11.sh =================================================================== ---- gnutls-3.8.1.orig/tests/testpkcs11.sh -+++ gnutls-3.8.1/tests/testpkcs11.sh +--- gnutls-3.8.2.orig/tests/testpkcs11.sh ++++ gnutls-3.8.2/tests/testpkcs11.sh @@ -26,7 +26,7 @@ RETCODE=0 @@ -1022,10 +1022,10 @@ Index: gnutls-3.8.1/tests/testpkcs11.sh exit 77 fi -Index: gnutls-3.8.1/doc/enums/gnutls_fips_mode_t +Index: gnutls-3.8.2/doc/enums/gnutls_fips_mode_t =================================================================== ---- gnutls-3.8.1.orig/doc/enums/gnutls_fips_mode_t -+++ gnutls-3.8.1/doc/enums/gnutls_fips_mode_t +--- gnutls-3.8.2.orig/doc/enums/gnutls_fips_mode_t ++++ gnutls-3.8.2/doc/enums/gnutls_fips_mode_t @@ -3,7 +3,7 @@ @c gnutls_fips_mode_t @table @code @@ -1046,10 +1046,10 @@ Index: gnutls-3.8.1/doc/enums/gnutls_fips_mode_t application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility). @item GNUTLS_@-FIPS140_@-LOG -Index: gnutls-3.8.1/doc/gnutls-api.texi +Index: gnutls-3.8.2/doc/gnutls-api.texi =================================================================== ---- gnutls-3.8.1.orig/doc/gnutls-api.texi -+++ gnutls-3.8.1/doc/gnutls-api.texi +--- gnutls-3.8.2.orig/doc/gnutls-api.texi ++++ gnutls-3.8.2/doc/gnutls-api.texi @@ -3275,7 +3275,7 @@ unusable. This function is not thread-s @subheading gnutls_fips140_set_mode @anchor{gnutls_fips140_set_mode} @@ -1075,10 +1075,10 @@ Index: gnutls-3.8.1/doc/gnutls-api.texi values for @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS} mode, the library switches to @code{GNUTLS_FIPS140_STRICT} mode. -Index: gnutls-3.8.1/lib/ext/session_ticket.c +Index: gnutls-3.8.2/lib/ext/session_ticket.c =================================================================== ---- gnutls-3.8.1.orig/lib/ext/session_ticket.c -+++ gnutls-3.8.1/lib/ext/session_ticket.c +--- gnutls-3.8.2.orig/lib/ext/session_ticket.c ++++ gnutls-3.8.2/lib/ext/session_ticket.c @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g { if (_gnutls_fips_mode_enabled()) { @@ -1088,11 +1088,11 @@ Index: gnutls-3.8.1/lib/ext/session_ticket.c * some limits on allowed key size, thus it is not * used. These limits do not affect this function as * it does not generate a "key" but rather key material -Index: gnutls-3.8.1/lib/libgnutls.map +Index: gnutls-3.8.2/lib/libgnutls.map =================================================================== ---- gnutls-3.8.1.orig/lib/libgnutls.map -+++ gnutls-3.8.1/lib/libgnutls.map -@@ -1428,7 +1428,7 @@ GNUTLS_FIPS140_3_4 { +--- gnutls-3.8.2.orig/lib/libgnutls.map ++++ gnutls-3.8.2/lib/libgnutls.map +@@ -1441,7 +1441,7 @@ GNUTLS_FIPS140_3_4 { gnutls_hkdf_self_test; gnutls_pbkdf2_self_test; gnutls_tlsprf_self_test; @@ -1101,10 +1101,10 @@ Index: gnutls-3.8.1/lib/libgnutls.map drbg_aes_reseed; drbg_aes_init; drbg_aes_generate; -Index: gnutls-3.8.1/lib/nettle/mac.c +Index: gnutls-3.8.2/lib/nettle/mac.c =================================================================== ---- gnutls-3.8.1.orig/lib/nettle/mac.c -+++ gnutls-3.8.1/lib/nettle/mac.c +--- gnutls-3.8.2.orig/lib/nettle/mac.c ++++ gnutls-3.8.2/lib/nettle/mac.c @@ -262,7 +262,7 @@ static void _wrap_gmac_digest(void *_ctx static int _mac_ctx_init(gnutls_mac_algorithm_t algo, struct nettle_mac_ctx *ctx) @@ -1123,10 +1123,10 @@ Index: gnutls-3.8.1/lib/nettle/mac.c * gnutls_hash_init() and gnutls_hmac_init() */ switch (algo) { case GNUTLS_DIG_MD5: -Index: gnutls-3.8.1/config.h.in +Index: gnutls-3.8.2/config.h.in =================================================================== ---- gnutls-3.8.1.orig/config.h.in -+++ gnutls-3.8.1/config.h.in +--- gnutls-3.8.2.orig/config.h.in ++++ gnutls-3.8.2/config.h.in @@ -82,7 +82,7 @@ /* enable DHE */ #undef ENABLE_ECDHE @@ -1145,11 +1145,11 @@ Index: gnutls-3.8.1/config.h.in #undef FIPS_KEY /* The FIPS140 module name */ -Index: gnutls-3.8.1/configure +Index: gnutls-3.8.2/configure =================================================================== ---- gnutls-3.8.1.orig/configure -+++ gnutls-3.8.1/configure -@@ -3826,7 +3826,7 @@ Optional Features: +--- gnutls-3.8.2.orig/configure ++++ gnutls-3.8.2/configure +@@ -3828,7 +3828,7 @@ Optional Features: --enable-fast-install[=PKGS] optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) @@ -1158,10 +1158,10 @@ Index: gnutls-3.8.1/configure --enable-strict-x509 enable stricter sanity checks for x509 certificates --disable-non-suiteb-curves disable curves not in SuiteB -Index: gnutls-3.8.1/doc/cha-support.texi +Index: gnutls-3.8.2/doc/cha-support.texi =================================================================== ---- gnutls-3.8.1.orig/doc/cha-support.texi -+++ gnutls-3.8.1/doc/cha-support.texi +--- gnutls-3.8.2.orig/doc/cha-support.texi ++++ gnutls-3.8.2/doc/cha-support.texi @@ -134,5 +134,5 @@ There are certifications from national o to an auditor that the crypto component follows some best practices, such as unit testing and reliance on well known crypto primitives. @@ -1170,24 +1170,24 @@ Index: gnutls-3.8.1/doc/cha-support.texi -See @ref{FIPS140-2 mode} for more information. +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux. +See @ref{FIPS140-3 mode} for more information. -Index: gnutls-3.8.1/doc/gnutls.info +Index: gnutls-3.8.2/doc/gnutls.info =================================================================== ---- gnutls-3.8.1.orig/doc/gnutls.info -+++ gnutls-3.8.1/doc/gnutls.info -@@ -618,7 +618,7 @@ Ref: fig-crypto-layers743604 - Ref: Cryptographic Backend-Footnote-1746916 - Ref: Cryptographic Backend-Footnote-2747001 - Node: Random Number Generators-internals747113 --Node: FIPS140-2 mode754583 -+Node: FIPS140-3 mode754583 - Ref: gnutls_fips_mode_t757281 - Node: Upgrading from previous versions760950 - Node: Support775192 -Index: gnutls-3.8.1/src/gnutls-cli-options.json +--- gnutls-3.8.2.orig/doc/gnutls.info ++++ gnutls-3.8.2/doc/gnutls.info +@@ -619,7 +619,7 @@ Ref: fig-crypto-layers744475 + Ref: Cryptographic Backend-Footnote-1747787 + Ref: Cryptographic Backend-Footnote-2747872 + Node: Random Number Generators-internals747984 +-Node: FIPS140-2 mode755454 ++Node: FIPS140-3 mode755454 + Ref: gnutls_fips_mode_t758152 + Node: Upgrading from previous versions761821 + Node: Support776063 +Index: gnutls-3.8.2/src/gnutls-cli-options.json =================================================================== ---- gnutls-3.8.1.orig/src/gnutls-cli-options.json -+++ gnutls-3.8.1/src/gnutls-cli-options.json -@@ -372,7 +372,7 @@ +--- gnutls-3.8.2.orig/src/gnutls-cli-options.json ++++ gnutls-3.8.2/src/gnutls-cli-options.json +@@ -384,7 +384,7 @@ }, { "long-option": "fips140-mode", diff --git a/gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch b/gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch deleted file mode 100644 index fe4a46b..0000000 --- a/gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch +++ /dev/null @@ -1,56 +0,0 @@ -From abfa8634db940115a11a07596ce53c8f9c4f87d2 Mon Sep 17 00:00:00 2001 -From: Adrian Bunk -Date: Sun, 6 Aug 2023 22:46:22 +0300 -Subject: [PATCH] Move the GNUTLS_NO_EXTENSIONS compatibility #define to - gnutls.h - -Signed-off-by: Adrian Bunk ---- - lib/ext/ext_master_secret.h | 3 --- - lib/includes/gnutls/gnutls.h.in | 3 +++ - lib/state.h | 3 --- - 3 files changed, 3 insertions(+), 6 deletions(-) - -diff --git a/lib/ext/ext_master_secret.h b/lib/ext/ext_master_secret.h -index 45d38178bd..419335b4e3 100644 ---- a/lib/ext/ext_master_secret.h -+++ b/lib/ext/ext_master_secret.h -@@ -23,9 +23,6 @@ - #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H - #define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H - --/* Keep backward compatibility */ --#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS -- - #include - - extern const hello_ext_entry_st ext_mod_ext_master_secret; -diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in -index ec132cb5c3..fc64c7a228 100644 ---- a/lib/includes/gnutls/gnutls.h.in -+++ b/lib/includes/gnutls/gnutls.h.in -@@ -542,6 +542,9 @@ typedef enum { - #define GNUTLS_ENABLE_CERT_TYPE_NEG 0 - // Here for compatibility reasons - -+/* Keep backward compatibility */ -+#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS -+ - /** - * gnutls_alert_level_t: - * @GNUTLS_AL_WARNING: Alert of warning severity. -diff --git a/lib/state.h b/lib/state.h -index dc086bcf0d..975ceee3a7 100644 ---- a/lib/state.h -+++ b/lib/state.h -@@ -110,7 +110,4 @@ inline static int _gnutls_PRF(gnutls_session_t session, const uint8_t *secret, - - #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509 - --/* Keep backward compatibility */ --#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS -- - #endif /* GNUTLS_LIB_STATE_H */ --- -GitLab - diff --git a/gnutls.changes b/gnutls.changes index 3b0137e..4a8f24e 100644 --- a/gnutls.changes +++ b/gnutls.changes @@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Fri Nov 17 10:17:02 UTC 2023 - Pedro Monreal + +- Update to 3.8.2: [bsc#1217277, CVE-2023-5981] + * libgnutls: Fix timing side-channel inside RSA-PSK key exchange. + [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981] + * libgnutls: Add API functions to perform ECDH and DH key agreement + The functionality has been there for a long time though they were + not available as part of the public API. This enables applications + to implement custom protocols leveraging non-interactive key + agreement with ECDH and DH. + * libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452) + The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and + GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through + the AEAD interface. Note that, unlike + GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is + appended to the ciphertext, not prepended. + * libgnutls: transparent KTLS support is extended to FreeBSD kernel + The kernel TLS feature can now be enabled on FreeBSD as well as + Linux when compiled with the --enable-ktls configure option. + * gnutls-cli: New option --starttls-name + Depending on deployment, application protocols such as XMPP may + require a different origin address than the external address to be + presented prior to STARTTLS negotiation. The --starttls-name can + be used to specify specify the addresses separately. + * API and ABI modifications: + - gnutls_pubkey_import_dh_raw: New function + - gnutls_privkey_import_dh_raw: New function + - gnutls_pubkey_export_dh_raw: New function + - gnutls_privkey_export_dh_raw: New function + - gnutls_x509_privkey_import_dh_raw: New function + - gnutls_privkey_derive_secret: New function + - GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t + - GNUTLS_CIPHER_AES_128_SIV_GCM: Added + - GNUTLS_CIPHER_AES_256_SIV_GCM: Added + * Rebase gnutls-FIPS-140-3-references.patch + * Remove upstream: gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch + ------------------------------------------------------------------- Tue Aug 22 15:00:57 UTC 2023 - Pedro Monreal diff --git a/gnutls.spec b/gnutls.spec index da69156..0403417 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -40,7 +40,7 @@ %endif %bcond_with tpm Name: gnutls -Version: 3.8.1 +Version: 3.8.2 Release: 0 Summary: The GNU Transport Layer Security Library License: GPL-3.0-or-later AND LGPL-2.1-or-later @@ -58,8 +58,6 @@ Patch1: gnutls-FIPS-TLS_KDF_selftest.patch Patch2: gnutls-disable-flaky-test-dtls-resume.patch # PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE Patch3: gnutls-srp-test-SIGPIPE.patch -# PATCH-FIX-OPENSUSE Fix missing GNUTLS_NO_EXTENSIONS compatibility -Patch4: gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch # FIPS 140-3 patches: #PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3 Patch100: gnutls-FIPS-140-3-references.patch

    GNUTLS_FIPS140_DISABLED

    		 @@ -593,7 +593,7 @@ Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html  

    GNUTLS_FIPS140_LAX

    		 @@ -604,17 +604,17 @@ Index: gnutls-3.8.1/doc/reference/html/gnutls-gnutls.html application is aware of the followed security policy, and needs to utilize disallowed operations for other reasons (e.g., compatibility).